Sas Swart
52722b800b
Renames the `coder boundary` CLI subcommand to `coder agent-firewall` as part of the Boundaries → Agent Firewall rebrand. `coder boundary` is retained as a hidden, deprecated alias that prints a deprecation notice to stderr before running. Both commands use separate builder functions backed by the same boundary base command and license verification logic. Closes https://linear.app/codercom/issue/AIGOV-236 <details><summary>Implementation notes</summary> **Approach:** Two separate `*serpent.Command` objects (not `Aliases`) so the deprecated `boundary` path can print a stderr warning while `agent-firewall` stays clean. **Changes:** - `enterprise/cli/boundary.go`: Split old `boundary()` into `buildAgentFirewallCmd()` and `buildBoundaryAliasCmd()`. Error messages in `verifyLicense` now reference "agent-firewall". - `enterprise/cli/root.go`: Register both commands. - `cli/root.go`: Update YAML-only option validation bypass for the new command name. - Tests: Rename to `TestAgentFirewallSubcommand`, add `TestBoundaryAlias`, update license verification tests to use `agent-firewall`. - Golden files and CLI reference docs regenerated. - `docs/ai-coder/agent-firewall/version.md` and `docs/manifest.json` updated. </details> > Generated with [Coder Agents](https://coder.com/agents) by @SasSwart
4.9 KiB
Generated
agent-firewall
Network isolation tool for monitoring and restricting HTTP/HTTPS requests
Usage
coder agent-firewall [flags] [args...]
Description
boundary creates an isolated network environment for target processes, intercepting HTTP/HTTPS traffic through a transparent proxy that enforces user-defined allow rules.
Options
--config
| Type | yaml-config-path |
| Environment | $BOUNDARY_CONFIG |
Path to YAML config file.
--allow
| Type | string |
| Environment | $BOUNDARY_ALLOW |
Allow rule (repeatable). These are merged with allowlist from config file. Format: "pattern" or "METHOD[,METHOD] pattern".
--
| Type | string-array |
| YAML | allowlist |
Allowlist rules from config file (YAML only).
--log-level
| Type | string |
| Environment | $BOUNDARY_LOG_LEVEL |
| YAML | log_level |
| Default | warn |
Set log level (error, warn, info, debug).
--log-dir
| Type | string |
| Environment | $BOUNDARY_LOG_DIR |
| YAML | log_dir |
Set a directory to write logs to rather than stderr.
--proxy-port
| Type | int |
| Environment | $PROXY_PORT |
| YAML | proxy_port |
| Default | 8080 |
Set a port for HTTP proxy.
--pprof
| Type | bool |
| Environment | $BOUNDARY_PPROF |
| YAML | pprof_enabled |
Enable pprof profiling server.
--pprof-port
| Type | int |
| Environment | $BOUNDARY_PPROF_PORT |
| YAML | pprof_port |
| Default | 6060 |
Set port for pprof profiling server.
--jail-type
| Type | string |
| Environment | $BOUNDARY_JAIL_TYPE |
| YAML | jail_type |
| Default | nsjail |
Jail type to use for network isolation. Options: nsjail (default), landjail.
--use-real-dns
| Type | bool |
| Environment | $BOUNDARY_USE_REAL_DNS |
| YAML | use_real_dns |
Use real DNS in the jail instead of the dummy DNS (allows DNS exfiltration). Default: false.
--no-user-namespace
| Type | bool |
| Environment | $BOUNDARY_NO_USER_NAMESPACE |
| YAML | no_user_namespace |
Do not create a user namespace. Use in restricted environments that disallow user NS (e.g. Bottlerocket in EKS auto-mode).
--disable-audit-logs
| Type | bool |
| Environment | $DISABLE_AUDIT_LOGS |
| YAML | disable_audit_logs |
Disable sending of audit logs to the workspace agent when set to true.
--log-proxy-socket-path
| Type | string |
| Environment | $CODER_AGENT_BOUNDARY_LOG_PROXY_SOCKET_PATH |
| Default | /tmp/boundary-audit.sock |
Path to the socket where the boundary log proxy server listens for audit logs.
--version
| Type | bool |
Print version information and exit.