feat(coder-templates/firewalled): add landjail-firewalled Claude Code template + AOI remediation plan #42
Open
ausbru87 wants to merge 3 commits into
Conversation
… template

Add a new "firewalled" workspace template: the claude-code template with the Coder Boundary agent firewall enabled. Claude Code runs inside a landjail (Landlock LSM) process-level network egress jail that denies all HTTP(S) egress except an allowlist (the in-boundary AI Gateway and in-cluster GitLab). Every denied request is audit-logged to coderd with owner, workspace, agent, URL, and template attribution.

Wiring (claude-code module 4.7.3): enable_boundary=true, use_boundary_directly=true (standalone boundary binary; the coder boundary subcommand needs a logged-in CLI session the agent lacks), and a pre_install_script that writes ~/.config/coder_boundary/config.yaml with the allowlist and jail_type=landjail before Claude Code launches.

Validated live on dev.usgov.coderdemo.io: build succeeds, the process tree shows agentapi -> boundary -> claude, allow/deny enforced (gateway 200, gitlab 302, example.com 403, github.com 403), and coderd emits boundary_request audit lines for Claude Code's own blocked telemetry egress.

Generated by Coder Agents.
Add the AOI gap remediation plan (firewall + authenticated MCP, with the firewall section updated to as-built and validated) and three execution-ready briefs so the remaining tasks can be run in parallel:

- brief-github-auth-mcp.md: stand up an authenticated MCP (GitHub hosted MCP via PAT/OAuth), including the 200/202-vs-204 client gate to check first and an in-boundary datastore-mcp fallback.
- brief-observability-audit-readiness.md: verify the boundary and AI Gateway Grafana dashboards and the Coder audit log show live demo data; confirms the boundary forwarded-batch metric name from source.
- brief-template-golden-path-e2e.md: WS-25 per-template build + connectivity matrix, including the GitLab external-auth gate and the admin REST create-for-authenticated-owner workaround.

Generated by Coder Agents.
…owlist
Replace the minimal gateway+gitlab allowlist with the Red Hat Summit 2026 demo
allowlist (coder/demo-aigov-rhaiis-rhsummit-2026): Claude Code's default
allowed domains (most package managers, GitHub, container registries, cloud
SDKs) plus this deployment's Coder host and the in-cluster GitLab. npm is
intentionally omitted so `npm install` is the obvious DENY in the demo.
- Add boundary.config.yaml.tftpl (175 allow rules), rendered with
templatefile() so ${coder_host} resolves from the access URL, and written
via a base64 round-trip in pre_install_script.
- Set BOUNDARY_CONFIG and BOUNDARY_JAIL_TYPE=landjail agent env vars so
boundary loads the config and uses landjail reliably (boundary v0.9.0
dropped config auto-discovery).
Validated live: firewall-test rebuilt on the new version, Claude Code still
jailed, ALLOW gateway/pypi/github = 200, DENY registry.npmjs.org/example.com
= 403.
Generated by Coder Agents.
Summary

Addresses the critical AOI gap: no agent firewall. Adds a new `firewalled` workspace template (the `claude-code` template with the Coder Boundary agent firewall enabled) and lands the AOI gap remediation plan plus execution-ready briefs for the remaining tasks.

Claude Code now runs inside a landjail (Landlock LSM) process-level network egress jail that denies all HTTP(S) egress except an allowlist (the in-boundary AI Gateway and in-cluster GitLab). Every denied request is audit-logged to coderd with owner / workspace / agent / URL / template attribution. This is the data-exfiltration / DLP guardrail story for the AOI.

What changed

- `coder-templates/firewalled/` (new): copy of `claude-code` with, in `module "claude_code"`, `enable_boundary = true`, `use_boundary_directly = true`, `boundary_version = "latest"`, and a `pre_install_script` that writes `~/.config/coder_boundary/config.yaml` (allowlist + `jail_type: landjail`) before Claude Code launches. Pushed live to the `coder` org.
- `aoi/plan-firewall-and-auth-mcp.md`: remediation plan; the firewall section is updated to as-built and validated.
- `aoi/brief-github-auth-mcp.md`, `aoi/brief-observability-audit-readiness.md`, `aoi/brief-template-golden-path-e2e.md`: execution-ready briefs so the remaining tasks (authenticated MCP, observability/audit readiness, template golden-path e2e WS-25) can be run in parallel.

Why `use_boundary_directly = true`

The default `coder boundary` subcommand verifies the deployment license through an authenticated client, but the workspace agent carries only an agent token (no user session), so that path errors with "not logged in". The standalone `boundary` binary (MIT) has no license/login dependency. The 4.7.3 module passes no `--allow`/`--jail-type` flags, so the allowlist and jail type come only from the config file written by `pre_install_script`.

Live validation on dev.usgov.coderdemo.io

- `lockdown,capability,landlock,yama,safesetid,selinux,bpf,ima` (landlock present); AL2023 kernel 6.18 exceeds the Landlock 6.7 floor. landjail needs no added pod capabilities, so the pod security context is unchanged.
- `firewalled` template builds to a healthy, connected workspace (austenplatform/firewall-test).
- `agentapi server ... -- boundary -- claude --session-id ...` (Claude Code is a child of boundary).
- (`--proxy-port` since the agent's boundary owns 8080): gateway buildinfo `200` (allow), gitlab `302` (allow), example.com `403` (deny), github.com `403` (deny).
- `boundary_request` lines with full attribution. Real captured denies include Claude Code's own calls to `api.anthropic.com` (eval + event_logging) and `raw.githubusercontent.com` (update check), while inference through the allowlisted gateway works. The shipped boundary Grafana dashboard parses these via Loki.

Rollback: use the un-firewalled `claude-code` template, or set `enable_boundary = false` and re-push. Running pods survive (`ignore_changes = all`).

Notes

- `--` occurrences are literal `boundary -- <cmd>` CLI syntax inside code fences.
- `firewalled` template inherits the required GitLab external-auth from `claude-code`; the WS-25 brief documents the build gate and the admin REST create-for-authenticated-owner workaround used here.

Generated by Coder Agents, on behalf of @ausbru87.
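As an added example (not the PR's own `pre_install_script` and not code from the claude-code module or Coder Boundary), the POSIX shell script below reproduces the two mechanisms the commit messages and description above describe: writing `~/.config/coder_boundary/config.yaml` through a base64 round-trip, and pre-flight checking the rendered allowlist for the demo's intended split (Coder host, PyPI and GitHub allowed; registry.npmjs.org and example.com denied). Only `jail_type: landjail` is taken from the page; the `allow:` / `pattern:` layout, the hostnames, and the exact-hostname matching in `decide()` are assumptions made for illustration, not Boundary's real config schema or matcher. Shell expansion of `${coder_host}` in `render_config` stands in for Terraform's `templatefile()`.

```shell
#!/bin/sh
# Added example: re-creates the "render config -> base64 -> decode into place"
# step of the firewalled template's pre_install_script and checks the result.
# Assumptions (not Boundary's documented schema): the `allow:`/`pattern:` keys,
# the hostnames below, and exact-hostname matching in decide(). `jail_type:
# landjail` is the one key the PR itself names.
set -eu

# Constructed allowlist in the spirit of the demo: the Coder host (passed in,
# as templatefile() would resolve ${coder_host}), an in-cluster GitLab
# placeholder, PyPI and GitHub. registry.npmjs.org is deliberately absent so
# `npm install` is denied.
render_config() {
  coder_host="$1"
  cat <<EOF
jail_type: landjail
allow:
  - pattern: ${coder_host}
  - pattern: gitlab.gitlab.svc.cluster.local
  - pattern: pypi.org
  - pattern: files.pythonhosted.org
  - pattern: github.com
EOF
}

# The pre_install_script pattern: the rendered file arrives as a base64 string
# and is decoded into place before Claude Code starts.
write_config() {
  encoded="$1"; dest="$2"
  mkdir -p "$(dirname "$dest")"
  printf '%s' "$encoded" | base64 -d > "$dest"
  chmod 0600 "$dest"   # the file is egress policy; keep it owner-only
}

# ALLOW if the host is listed exactly, DENY otherwise (default-deny, as the jail is).
decide() {
  cfg="$1"; host="$2"
  if grep -qxF -- "  - pattern: ${host}" "$cfg"; then echo ALLOW; else echo DENY; fi
}

# Pre-flight checks a template author wants before pushing a version:
# the jail type is landjail and npm is still the intended DENY.
check_config() {
  cfg="$1"
  grep -qx 'jail_type: landjail' "$cfg" || { echo "FAIL: jail_type is not landjail"; return 1; }
  [ "$(decide "$cfg" registry.npmjs.org)" = DENY ] || { echo "FAIL: npm registry is allowed"; return 1; }
  echo OK
}

# Stand-alone run: everything lives under a throwaway directory, never the
# real ~/.config/coder_boundary.
demo() {
  tmp="$(mktemp -d)"
  cfg="$tmp/.config/coder_boundary/config.yaml"
  encoded="$(render_config coder.example.internal | base64 | tr -d '\n')"
  write_config "$encoded" "$cfg"
  check_config "$cfg"
  for h in coder.example.internal pypi.org github.com registry.npmjs.org example.com; do
    printf '%-24s %s\n' "$h" "$(decide "$cfg" "$h")"
  done
  rm -rf "$tmp"
}

demo
```

Running it prints the allow/deny verdict per host and `OK` from `check_config`; swapping the assumed `allow:` layout for Boundary's actual schema and `decide()` for a probe through the jail (the curl matrix the PR validated live) turns this into a real per-version gate for the template.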