coder/docs/reference/cli/agent-firewall.md
Sas Swart 52722b800b chore: rename boundary command to agent-firewall (#25889)
Renames the `coder boundary` CLI subcommand to `coder agent-firewall` as
part of the Boundaries → Agent Firewall rebrand.

`coder boundary` is retained as a hidden, deprecated alias that prints a
deprecation notice to stderr before running. Both commands use separate
builder functions backed by the same boundary base command and license
verification logic.

Closes https://linear.app/codercom/issue/AIGOV-236

<details><summary>Implementation notes</summary>

**Approach:** Two separate `*serpent.Command` objects (not `Aliases`) so
the deprecated `boundary` path can print a stderr warning while
`agent-firewall` stays clean.

**Changes:**
- `enterprise/cli/boundary.go`: Split old `boundary()` into
`buildAgentFirewallCmd()` and `buildBoundaryAliasCmd()`. Error messages
in `verifyLicense` now reference "agent-firewall".
- `enterprise/cli/root.go`: Register both commands.
- `cli/root.go`: Update YAML-only option validation bypass for the new
command name.
- Tests: Rename to `TestAgentFirewallSubcommand`, add
`TestBoundaryAlias`, update license verification tests to use
`agent-firewall`.
- Golden files and CLI reference docs regenerated.
- `docs/ai-coder/agent-firewall/version.md` and `docs/manifest.json`
updated.

</details>

> Generated with [Coder Agents](https://coder.com/agents) by @SasSwart
2026-06-04 11:14:36 +02:00


<!-- DO NOT EDIT | GENERATED CONTENT -->
# agent-firewall
Network isolation tool for monitoring and restricting HTTP/HTTPS requests
## Usage
```console
coder agent-firewall [flags] [args...]
```
## Description
```console
boundary creates an isolated network environment for target processes, intercepting HTTP/HTTPS traffic through a transparent proxy that enforces user-defined allow rules.
```
## Options
### --config
| | |
|-------------|-------------------------------|
| Type | <code>yaml-config-path</code> |
| Environment | <code>$BOUNDARY_CONFIG</code> |
Path to YAML config file.
### --allow
| | |
|-------------|------------------------------|
| Type | <code>string</code> |
| Environment | <code>$BOUNDARY_ALLOW</code> |
Allow rule (repeatable). These are merged with allowlist from config file. Format: "pattern" or "METHOD[,METHOD] pattern".
### --
| | |
|------|---------------------------|
| Type | <code>string-array</code> |
| YAML | <code>allowlist</code> |
Allowlist rules from config file (YAML only).
### --log-level
| | |
|-------------|----------------------------------|
| Type | <code>string</code> |
| Environment | <code>$BOUNDARY_LOG_LEVEL</code> |
| YAML | <code>log_level</code> |
| Default | <code>warn</code> |
Set log level (error, warn, info, debug).
### --log-dir
| | |
|-------------|--------------------------------|
| Type | <code>string</code> |
| Environment | <code>$BOUNDARY_LOG_DIR</code> |
| YAML | <code>log_dir</code> |
Set a directory to write logs to rather than stderr.
### --proxy-port
| | |
|-------------|--------------------------|
| Type | <code>int</code> |
| Environment | <code>$PROXY_PORT</code> |
| YAML | <code>proxy_port</code> |
| Default | <code>8080</code> |
Set a port for HTTP proxy.
### --pprof
| | |
|-------------|------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$BOUNDARY_PPROF</code> |
| YAML | <code>pprof_enabled</code> |
Enable pprof profiling server.
### --pprof-port
| | |
|-------------|-----------------------------------|
| Type | <code>int</code> |
| Environment | <code>$BOUNDARY_PPROF_PORT</code> |
| YAML | <code>pprof_port</code> |
| Default | <code>6060</code> |
Set port for pprof profiling server.
### --jail-type
| | |
|-------------|----------------------------------|
| Type | <code>string</code> |
| Environment | <code>$BOUNDARY_JAIL_TYPE</code> |
| YAML | <code>jail_type</code> |
| Default | <code>nsjail</code> |
Jail type to use for network isolation. Options: nsjail (default), landjail.
### --use-real-dns
| | |
|-------------|-------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$BOUNDARY_USE_REAL_DNS</code> |
| YAML | <code>use_real_dns</code> |
Use real DNS in the jail instead of the dummy DNS (allows DNS exfiltration). Default: false.
### --no-user-namespace
| | |
|-------------|------------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$BOUNDARY_NO_USER_NAMESPACE</code> |
| YAML | <code>no_user_namespace</code> |
Do not create a user namespace. Use in restricted environments that disallow user NS (e.g. Bottlerocket in EKS auto-mode).
### --disable-audit-logs
| | |
|-------------|----------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$DISABLE_AUDIT_LOGS</code> |
| YAML | <code>disable_audit_logs</code> |
Disable sending of audit logs to the workspace agent when set to true.
### --log-proxy-socket-path
| | |
|-------------|----------------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AGENT_BOUNDARY_LOG_PROXY_SOCKET_PATH</code> |
| Default | <code>/tmp/boundary-audit.sock</code> |
Path to the socket where the boundary log proxy server listens for audit logs.
### --version
| | |
|------|-------------------|
| Type | <code>bool</code> |
Print version information and exit.
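
A pre-launch review of the settings documented above, as an added example that is not part of the generated reference or of Coder's code: it flags the boolean options that weaken isolation or visibility (`--use-real-dns`, `--disable-audit-logs`, `--pprof`, `--no-user-namespace`) when set through their environment variables, and reports `--allow` rules written in the bare `pattern` form with no `METHOD[,METHOD]` prefix. The names `SplitAllowRule`, `Audit` and `risky` are hypothetical, the sample patterns are constructed placeholders, and boolean values are assumed to parse like Go's `strconv.ParseBool`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Boolean environment variables from the options above and why to flag them.
var risky = [][2]string{
	{"BOUNDARY_USE_REAL_DNS", "real DNS in the jail (allows DNS exfiltration)"},
	{"DISABLE_AUDIT_LOGS", "audit logs are not sent to the workspace agent"},
	{"BOUNDARY_PPROF", "pprof profiling server is enabled"},
	{"BOUNDARY_NO_USER_NAMESPACE", "no user namespace is created"},
}

// SplitAllowRule splits `METHOD[,METHOD] pattern` or a bare `pattern`.
// Assumption: the first token is a method list only if each part is A-Z letters.
func SplitAllowRule(rule string) (methods []string, pattern string) {
	head, rest, found := strings.Cut(strings.TrimSpace(rule), " ")
	for _, m := range strings.Split(head, ",") {
		if !found || m == "" || strings.Trim(m, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") != "" {
			return nil, strings.TrimSpace(rule)
		}
	}
	return strings.Split(head, ","), strings.TrimSpace(rest)
}

// Audit reports risky booleans set in env and allow rules with no method list.
func Audit(env map[string]string, allow []string) []string {
	var findings []string
	for _, r := range risky {
		if on, err := strconv.ParseBool(env[r[0]]); err == nil && on {
			findings = append(findings, r[0]+": "+r[1])
		}
	}
	for _, rule := range allow {
		if m, p := SplitAllowRule(rule); len(m) == 0 {
			findings = append(findings, "allow rule has no method list: "+p)
		}
	}
	return findings
}

func main() {
	// Constructed sample input; the patterns are placeholders.
	env := map[string]string{"BOUNDARY_USE_REAL_DNS": "true", "BOUNDARY_PPROF": "0"}
	fmt.Println(strings.Join(Audit(env, []string{"GET,HEAD example.com", "example.org"}), "\n"))
}
```
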