From da4071241d0399c76cae35a0b02c2dd6d58f2cd6 Mon Sep 17 00:00:00 2001
From: Austen Bruhn <asbru17@gmail.com>
Date: Tue, 9 Jun 2026 13:40:27 +0000
Subject: [PATCH 1/3] feat(coder-templates/firewalled): add landjail-firewalled
 Claude Code template

Add a new "firewalled" workspace template: the claude-code template with the
Coder Boundary agent firewall enabled. Claude Code runs inside a landjail
(Landlock LSM) process-level network egress jail that denies all HTTP(S)
egress except an allowlist (the in-boundary AI Gateway and in-cluster GitLab).
Every denied request is audit-logged to coderd with owner, workspace, agent,
URL, and template attribution.

Wiring (claude-code module 4.7.3): enable_boundary=true,
use_boundary_directly=true (standalone boundary binary; the coder boundary
subcommand needs a logged-in CLI session the agent lacks), and a
pre_install_script that writes ~/.config/coder_boundary/config.yaml with the
allowlist and jail_type=landjail before Claude Code launches.

Validated live on dev.usgov.coderdemo.io: build succeeds, the process tree
shows agentapi -> boundary -> claude, allow/deny enforced (gateway 200,
gitlab 302, example.com 403, github.com 403), and coderd emits boundary_request
audit lines for Claude Code's own blocked telemetry egress.

Generated by Coder Agents.
---
 coder-templates/firewalled/README.md | 238 ++++++++++++
 coder-templates/firewalled/main.tf   | 527 +++++++++++++++++++++++++++
 2 files changed, 765 insertions(+)
 create mode 100644 coder-templates/firewalled/README.md
 create mode 100644 coder-templates/firewalled/main.tf

diff --git a/coder-templates/firewalled/README.md b/coder-templates/firewalled/README.md
new file mode 100644
index 0000000..7506ed5
--- /dev/null
+++ b/coder-templates/firewalled/README.md
@@ -0,0 +1,238 @@
+# Firewalled Claude Code on Coder Agents (GovCloud demo template)
+
+Coder workspace template that runs **Claude Code as a Coder Agent** inside a
+Kubernetes pod on the EKS cluster, wired through the **Coder AI Gateway (AI
+Bridge)** and wrapped in the **Coder Boundary agent firewall**. The workspace
+never holds a raw Anthropic API key: every request is
+proxied through Coder using the workspace owner's session token and routed to
+the configured provider (Anthropic-direct primary, Bedrock secondary)
+in-boundary.
+
+This is the `claude-code` template with the agent firewall turned on. Claude
+Code runs inside a process-level network egress jail (`landjail`, Landlock
+LSM) that denies all HTTP(S) egress except an allowlist. The agent can reach
+the in-boundary AI Gateway and the in-cluster GitLab; every other destination
+is denied and audit-logged. This is the data-exfiltration / DLP guardrail
+story for the AOI.
+
+Launching the template as a **Coder Task** opens the Claude Code chat UI and
+seeds the agent with the task prompt.
+
+- `main.tf`: the template (providers `coder` + `kubernetes`).
+- Workspace image: `codercom/enterprise-base:ubuntu-noble-20260601`, pulled
+  from the ECR mirror.
+
+## Agent firewall (Coder Boundary)
+
+The `module "claude_code"` block sets `enable_boundary = true` and
+`use_boundary_directly = true`, so the module installs the standalone
+`boundary` binary and launches `boundary -- claude`. The allowlist and jail
+type are read from `~/.config/coder_boundary/config.yaml`, written by the
+module `pre_install_script` before Claude Code starts:
+
+```yaml
+allowlist:
+  - "domain=dev.usgov.coderdemo.io"   # AI Gateway egress (REQUIRED)
+  - "domain=gitlab.usgov.coderdemo.io" # in-cluster GitLab SCM
+jail_type: landjail
+log_dir: /tmp/boundary_logs
+log_level: warn
+```
+
+Why `use_boundary_directly = true`: the default `coder boundary` subcommand
+verifies the deployment license via an authenticated client, but the agent
+carries only an agent token (no user session), so the subcommand errors with
+"not logged in". The standalone binary (MIT) has no license/login dependency.
+landjail needs no added pod capabilities; the AL2023 node kernel (6.18) is
+well past the Landlock 6.7 floor and `landlock` is in the node LSM stack.
+
+### Verify allow vs deny in a workspace terminal
+
+```bash
+# Allowed: the AI Gateway host returns 200
+boundary -- curl -sS -o /dev/null -w '%{http_code}\n' \
+  https://dev.usgov.coderdemo.io/api/v2/buildinfo
+
+# Denied: anything off the allowlist is blocked (boundary returns 403)
+boundary -- curl -sS -o /dev/null -w '%{http_code}\n' https://example.com
+```
+
+Claude Code itself keeps working because its `ANTHROPIC_BASE_URL` points at
+the allowlisted gateway host. To roll back to an un-firewalled workspace, use
+the `claude-code` template instead (or set `enable_boundary = false`).
+
+## What's inside
+
+| Piece | Resource | Notes |
+|---|---|---|
+| Agent | `coder_agent.main` | startup script, metadata, `display_apps` (VS Code Desktop, web terminal, SSH) |
+| Claude Code | `module.claude_code` (`registry.coder.com/coder/claude-code/coder` **4.7.3**) | `enable_aibridge = true`, bundles AgentAPI + Claude Code web app, outputs `task_app_id` |
+| Coder Task | `coder_ai_task.claude_code` | binds the Task UI to the Claude Code app; only created in a Task context |
+| Browser IDE | `module.code_server` (`code-server` 1.3.1) | extra `coder_app` tile |
+| Compute | `kubernetes_pod_v1.workspace` + `kubernetes_persistent_volume_claim_v1.home` | sizing from `cpu` / `memory` / `disk_size` parameters |
+| AI auth | `coder_env.anthropic_auth_token` | exports `ANTHROPIC_AUTH_TOKEN` = session token |
+
+Parameters: `cpu`, `memory`, `disk_size`, and `ai_prompt` (fallback prompt for
+non-Task builds).
+
+## AI Gateway wiring (end to end)
+
+1. The `claude_code` module is configured with `enable_aibridge = true`. On the
+   agent it sets:
+   - `ANTHROPIC_BASE_URL = <access_url>/api/v2/aibridge/anthropic`
+   - `CLAUDE_API_KEY = <workspace owner session token>`
+
+   With `CODER_ACCESS_URL=https://dev.usgov.coderdemo.io` the base URL resolves
+   to `https://dev.usgov.coderdemo.io/api/v2/aibridge/anthropic`.
+2. This template additionally exports `ANTHROPIC_AUTH_TOKEN` (the same session
+   token) to match the AI Gateway client contract in `deploy/CONVENTIONS.md`.
+3. Claude Code calls `ANTHROPIC_BASE_URL`. The Coder AI Gateway authenticates
+   the session token, applies governance/audit, and forwards the request to the
+   active provider:
+   - **Anthropic-direct** (primary): egress via the NAT gateway.
+   - **Bedrock** (secondary): IRSA on the `coder/coder` service account, model
+     `us-gov.anthropic.claude-sonnet-4-5-20250929-v1:0`, in-region only.
+
+No Anthropic key is stored in the workspace; the session token is the only
+credential and it is scoped to the workspace owner.
+
+### Model selection
+
+Model is left at the module default on purpose, because the requested model
+name must match whichever provider the Gateway has live:
+
+- Anthropic-direct: an Anthropic id, e.g. `claude-sonnet-4-5-20250929`.
+- Bedrock (GovCloud): the inference profile
+  `us-gov.anthropic.claude-sonnet-4-5-20250929-v1:0`.
+
+Pin one by uncommenting `model = "..."` in the module block once the live
+provider is confirmed. Bedrock Claude access was still gated at authoring time
+(see `STATUS.md`), so the safe default is to let Claude Code/Gateway negotiate.
+
+### Why module 4.7.3 and `enable_aibridge` (not `enable_ai_gateway`)
+
+Verified against the Coder registry:
+
+- `deploy/CONVENTIONS.md` and `versions.lock.yaml` pin the claude-code module
+  to **4.7.3**.
+- In **4.7.x the input is `enable_aibridge`**. The `enable_ai_gateway` rename
+  (and an `ANTHROPIC_AUTH_TOKEN` the module sets itself) only appear in the
+  **5.x** line.
+- The 5.x refactor **removed** the bundled AgentAPI integration and the
+  `task_app_id` output, which `coder_ai_task` requires. Staying on 4.7.3 is what
+  makes the Coder Tasks wiring in this template work.
+
+If the project later moves to claude-code 5.x, switch `enable_aibridge` →
+`enable_ai_gateway`, drop the explicit `coder_env.anthropic_auth_token`, and add
+a standalone `agentapi` module to supply `task_app_id` for `coder_ai_task`.
+
+## Cluster prerequisites
+
+The platform layer (Coder server + ingress + namespaces) is out of scope for
+this directory. Before pushing/using the template, ensure:
+
+1. **Coder server** 2.34.0 with the AI Governance add-on license and the AI
+   Gateway providers configured (Anthropic-direct + Bedrock). See
+   `deploy/coder/`.
+2. **Wildcard access URL** set so subdomain apps work
+   (`CODER_WILDCARD_ACCESS_URL=*.usgov.coderdemo.io`). The Claude Code web app
+   and code-server use `subdomain = true`.
+3. **Workspaces namespace** exists:
+
+   ```bash
+   kubectl create namespace coder-workspaces
+   ```
+
+4. **Provisioner RBAC**: the Coder provisioner (service account `coder` in the
+   `coder` namespace) must be able to manage pods/PVCs in `coder-workspaces`.
+   Example (apply with the platform layer, not from this directory):
+
+   ```yaml
+   apiVersion: rbac.authorization.k8s.io/v1
+   kind: Role
+   metadata:
+     name: coder-workspace-provisioner
+     namespace: coder-workspaces
+   rules:
+     - apiGroups: [""]
+       resources: ["pods", "persistentvolumeclaims"]
+       verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
+     - apiGroups: [""]
+       resources: ["pods/exec", "pods/log"]
+       verbs: ["get", "create"]
+     - apiGroups: [""]
+       resources: ["events"]
+       verbs: ["get", "list", "watch"]
+   ---
+   apiVersion: rbac.authorization.k8s.io/v1
+   kind: RoleBinding
+   metadata:
+     name: coder-workspace-provisioner
+     namespace: coder-workspaces
+   roleRef:
+     apiGroup: rbac.authorization.k8s.io
+     kind: Role
+     name: coder-workspace-provisioner
+   subjects:
+     - kind: ServiceAccount
+       name: coder
+       namespace: coder
+   ```
+
+5. **Image pull**: the EKS node IAM role needs ECR read
+   (`ecr:GetAuthorizationToken`, `ecr:BatchGetImage`,
+   `ecr:GetDownloadUrlForLayer`) for
+   `430737322961.dkr.ecr.us-gov-west-1.amazonaws.com`. With that on the node
+   role, no `imagePullSecret` is required on the pod. The image must already be
+   mirrored into ECR (`scripts/mirror-images.sh`).
+
+## Pushing the template
+
+From the repo root:
+
+```bash
+# First time: create the template.
+coder templates push claude-code \
+  --directory coder-templates/claude-code \
+  --variable namespace=coder-workspaces
+
+# Subsequent updates push a new version.
+coder templates push claude-code \
+  --directory coder-templates/claude-code
+```
+
+Override the image or namespace at push time if needed:
+
+```bash
+coder templates push claude-code \
+  --directory coder-templates/claude-code \
+  --variable namespace=coder-workspaces \
+  --variable workspace_image=430737322961.dkr.ecr.us-gov-west-1.amazonaws.com/docker-hub/codercom/enterprise-base:ubuntu-noble-20260601
+```
+
+Template variables:
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `namespace` | `coder-workspaces` | namespace for workspace pods |
+| `workspace_image` | ECR-mirrored `enterprise-base` | workspace container image |
+| `use_kubeconfig` | `false` | use a host kubeconfig instead of in-cluster config |
+
+## Using it
+
+- **As a workspace**: create a workspace from the template, open VS Code /
+  terminal / code-server, and run `claude` in the workspace.
+- **As a Task**: create a Coder Task from this template and enter a prompt.
+  Coder injects the prompt via `data.coder_task.me.prompt`, the
+  `coder_ai_task` resource binds the Task UI to the Claude Code app, and the
+  agent reports status back to the Coder UI through AgentAPI.
+
+## Verification status
+
+| Item | Source | Status |
+|---|---|---|
+| claude-code 4.7.3 inputs (`enable_aibridge`, `workdir`, `ai_prompt`, `report_tasks`, `subdomain`) and `task_app_id` output | module `main.tf` / `README.md` at tag `release/coder/claude-code/v4.7.3` | verified |
+| `coder_ai_task.app_id` + `data.coder_task` (`enabled`, `prompt`) | `coder/terraform-provider-coder` docs; first shipped in provider **v2.13.0** | verified |
+| Workspace image tag | Docker Hub `codercom/enterprise-base` | verified (`ubuntu-noble-20260601`) |
+| `code-server` 1.3.1 | registry tag `release/coder/code-server/v1.3.1` | verified (latest is 1.5.0) |
+| Live AI Gateway routing / Bedrock model access | runtime cluster | NOT verified here (no live infra access; Bedrock Claude access gated per `STATUS.md`) |
diff --git a/coder-templates/firewalled/main.tf b/coder-templates/firewalled/main.tf
new file mode 100644
index 0000000..4a19f44
--- /dev/null
+++ b/coder-templates/firewalled/main.tf
@@ -0,0 +1,527 @@
+# =============================================================================
+# Firewalled Claude Code on Coder Agents, GovCloud demo workspace template
+# =============================================================================
+# Identical to the claude-code template, with the Coder Boundary agent
+# firewall enabled. Claude Code runs inside a process-level network egress
+# jail (landjail / Landlock LSM) that enforces an HTTP(S) allowlist. The
+# agent can reach the in-boundary AI Gateway and the in-cluster GitLab, and
+# every other egress is denied and audit-logged. This is the data-exfil /
+# DLP guardrail story for the AOI.
+#
+# Boundary wiring (claude-code module 4.7.3 inputs):
+#   - enable_boundary       = true     wraps Claude Code with the firewall.
+#   - use_boundary_directly = true     installs the standalone boundary
+#     binary (MIT) instead of the `coder boundary` subcommand. The subcommand
+#     path needs a logged-in coder CLI session (license check); the agent has
+#     only an agent token, so the standalone binary is the reliable path.
+#   - The module adds no --allow / --jail-type flags, so the allowlist and
+#     jail type come from ~/.config/coder_boundary/config.yaml, written by
+#     pre_install_script below before Claude Code launches.
+#
+# Allowlist (config.yaml): dev.usgov.coderdemo.io (AI Gateway egress,
+# REQUIRED or Claude Code breaks) and gitlab.usgov.coderdemo.io (SCM).
+# jail_type landjail needs no added capabilities (AL2023 kernel 6.18
+# exceeds the Landlock 6.7 floor; landlock is in the node LSM stack).
+#
+# Runs Claude Code as a Coder Agent inside a Kubernetes pod on the EKS
+# cluster. Claude Code is wired through the Coder AI Gateway (AI Bridge)
+# so the workspace never holds a raw Anthropic key: requests are proxied
+# through Coder using the workspace owner's session token and routed to
+# the configured provider (Anthropic-direct primary / Bedrock secondary)
+# in-boundary.
+#
+# Launching this template as a Coder Task surfaces the Claude Code chat UI
+# (via the bundled AgentAPI app) and seeds the agent with the task prompt.
+#
+# VERSION / INPUT NAMING, verified against the Coder registry:
+#   - claude-code module is pinned to 4.7.3 (the version in
+#     deploy/CONVENTIONS.md / versions.lock.yaml).
+#   - In 4.7.3 the AI Gateway input is named `enable_aibridge` (NOT
+#     `enable_ai_gateway`). The `enable_ai_gateway` rename landed in the
+#     5.x line, which also REMOVED the bundled AgentAPI integration and
+#     the `task_app_id` output that `coder_ai_task` depends on. Staying on
+#     4.7.3 is what makes the Coder Tasks wiring below possible.
+#   - `enable_aibridge = true` makes the module set, on the agent:
+#       ANTHROPIC_BASE_URL = <access_url>/api/v2/aibridge/anthropic
+#       CLAUDE_API_KEY     = <workspace owner session token>
+#     With CODER_ACCESS_URL=https://dev.usgov.coderdemo.io the base URL
+#     resolves to https://dev.usgov.coderdemo.io/api/v2/aibridge/anthropic.
+#   - We additionally export ANTHROPIC_AUTH_TOKEN (session token) to match
+#     the AI Gateway client contract in deploy/CONVENTIONS.md.
+#
+# See README.md for the end-to-end AI Gateway wiring and cluster
+# prerequisites (namespace + provisioner RBAC).
+# =============================================================================
+
+terraform {
+  required_providers {
+    coder = {
+      source = "coder/coder"
+      # `data.coder_task` and `coder_ai_task.app_id` require provider >= 2.13.0.
+      version = ">= 2.13.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.23"
+    }
+  }
+}
+
+# -----------------------------------------------------------------------------
+# Providers
+# -----------------------------------------------------------------------------
+
+provider "coder" {}
+
+variable "use_kubeconfig" {
+  type        = bool
+  description = "Use a host kubeconfig instead of in-cluster config. Leave false when the Coder provisioner runs inside the cluster."
+  default     = false
+}
+
+variable "namespace" {
+  type        = string
+  description = "Kubernetes namespace that hosts workspace pods. The platform layer must create this namespace and grant the provisioner RBAC (see README)."
+  default     = "coder-workspaces"
+}
+
+# Workspace container image (ECR mirror).
+#
+# Upstream ref : docker.io/codercom/enterprise-base:ubuntu-noble-20260601
+# ECR mirror   : per deploy/CONVENTIONS.md the docker.io -> ECR mapping is
+#                docker.io/<repo>:<tag> -> <registry>/docker-hub/<repo>:<tag>
+#
+# codercom/enterprise-base is Coder's maintained Kubernetes workspace base
+# image: runs as user `coder` (uid 1000), ships git/curl/sudo, and is the
+# canonical base for Coder's official Kubernetes template. Claude Code and
+# AgentAPI install as standalone binaries into $HOME/.local/bin, so no
+# Node.js/npm is required in the base image.
+variable "workspace_image" {
+  type        = string
+  description = "Fully-qualified workspace image. Defaults to the ECR-mirrored codercom/enterprise-base."
+  default     = "430737322961.dkr.ecr.us-gov-west-1.amazonaws.com/docker-hub/codercom/enterprise-base:ubuntu-noble-20260601"
+}
+
+provider "kubernetes" {
+  config_path = var.use_kubeconfig ? "~/.kube/config" : null
+}
+
+data "coder_provisioner" "me" {}
+data "coder_workspace" "me" {}
+data "coder_workspace_owner" "me" {}
+
+# Populated when the workspace is created as a Coder Task. `enabled` is
+# false for a normal workspace build, and `prompt` carries the task prompt.
+data "coder_task" "me" {}
+
+# -----------------------------------------------------------------------------
+# Git external auth: in-cluster GitLab (in-boundary)
+# -----------------------------------------------------------------------------
+# Every workspace authenticates git against the in-cluster GitLab through
+# Coder's external-auth provider `gitlab` (configured on the Coder server, see
+# deploy/coder/values.yaml CODER_EXTERNAL_AUTH_0_*). Declaring this data source
+# makes the workspace REQUIRE a GitLab login: the dashboard surfaces a "Login
+# with GitLab" control and the agent only reports the auth as satisfied once
+# the owner has completed the OAuth flow. The Coder agent's git credential
+# helper then injects the short-lived OAuth token for any clone/fetch/push to
+# gitlab.usgov.coderdemo.io. No PATs or SSH keys live in the workspace, and no
+# auth path leaves the GovCloud boundary.
+#
+# id MUST match CODER_EXTERNAL_AUTH_0_ID on the Coder server ("gitlab").
+data "coder_external_auth" "gitlab" {
+  id = "gitlab"
+}
+
+# -----------------------------------------------------------------------------
+# Parameters: sizing and the AI task prompt
+# -----------------------------------------------------------------------------
+
+data "coder_parameter" "cpu" {
+  name         = "cpu"
+  display_name = "CPU Cores"
+  description  = "CPU limit for the workspace pod."
+  type         = "number"
+  default      = "4"
+  mutable      = true
+  icon         = "/icon/memory.svg"
+
+  option {
+    name  = "2 Cores"
+    value = "2"
+  }
+  option {
+    name  = "4 Cores"
+    value = "4"
+  }
+  option {
+    name  = "8 Cores"
+    value = "8"
+  }
+}
+
+data "coder_parameter" "memory" {
+  name         = "memory"
+  display_name = "Memory (GB)"
+  description  = "Memory limit for the workspace pod."
+  type         = "number"
+  default      = "8"
+  mutable      = true
+  icon         = "/icon/memory.svg"
+
+  option {
+    name  = "4 GB"
+    value = "4"
+  }
+  option {
+    name  = "8 GB"
+    value = "8"
+  }
+  option {
+    name  = "16 GB"
+    value = "16"
+  }
+}
+
+data "coder_parameter" "disk_size" {
+  name         = "disk_size"
+  display_name = "Disk Size (GB)"
+  description  = "Persistent /home/coder volume size. Cannot be changed after creation."
+  type         = "number"
+  default      = "20"
+  mutable      = false
+  icon         = "/icon/database.svg"
+
+  option {
+    name  = "10 GB"
+    value = "10"
+  }
+  option {
+    name  = "20 GB"
+    value = "20"
+  }
+  option {
+    name  = "50 GB"
+    value = "50"
+  }
+}
+
+# Fallback prompt for non-Task workspace builds. When the workspace is
+# launched as a Coder Task, data.coder_task.me.prompt takes precedence.
+data "coder_parameter" "ai_prompt" {
+  name         = "ai_prompt"
+  display_name = "Initial AI Prompt"
+  description  = "Seed prompt for Claude Code. Ignored when launched as a Coder Task (the Task prompt is used instead)."
+  type         = "string"
+  default      = ""
+  mutable      = true
+  icon         = "/icon/claude.svg"
+}
+
+locals {
+  # Prefer the Coder Task prompt; fall back to the parameter for plain builds.
+  effective_prompt = data.coder_task.me.prompt != "" ? data.coder_task.me.prompt : data.coder_parameter.ai_prompt.value
+
+  # For documentation/readme parity. The claude-code module derives the
+  # same value internally from data.coder_workspace.me.access_url.
+  ai_gateway_anthropic_url = "${data.coder_workspace.me.access_url}/api/v2/aibridge/anthropic"
+}
+
+# -----------------------------------------------------------------------------
+# Agent
+# -----------------------------------------------------------------------------
+
+resource "coder_agent" "main" {
+  arch = data.coder_provisioner.me.arch
+  os   = "linux"
+
+  # Claude Code + AgentAPI are installed by the claude-code module's own
+  # coder_script (native binaries into $HOME/.local/bin). This startup
+  # script only normalizes PATH and signals readiness.
+  startup_script = <<-EOT
+    #!/bin/bash
+    set -e
+    touch ~/.bashrc
+    grep -qF '$HOME/.local/bin' ~/.profile 2>/dev/null || \
+      echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.profile
+    echo "=== Workspace ready ==="
+  EOT
+
+  env = {
+    EDITOR = "code"
+    VISUAL = "code"
+
+    # No docker socket in the pod; opt out of devcontainer auto-detection
+    # so the dashboard does not hang polling `docker ps`.
+    CODER_AGENT_DEVCONTAINERS_ENABLE = "false"
+  }
+
+  metadata {
+    display_name = "CPU Usage"
+    key          = "cpu_usage"
+    script       = "coder stat cpu"
+    interval     = 10
+    timeout      = 1
+  }
+
+  metadata {
+    display_name = "Memory Usage"
+    key          = "mem_usage"
+    script       = "coder stat mem"
+    interval     = 10
+    timeout      = 1
+  }
+
+  metadata {
+    display_name = "Disk Usage"
+    key          = "disk_usage"
+    script       = "coder stat disk --path /home/coder"
+    interval     = 60
+    timeout      = 1
+  }
+
+  display_apps {
+    vscode                 = true
+    vscode_insiders        = false
+    web_terminal           = true
+    ssh_helper             = true
+    port_forwarding_helper = true
+  }
+}
+
+# -----------------------------------------------------------------------------
+# AI Gateway client auth
+# -----------------------------------------------------------------------------
+# The claude-code module (enable_aibridge = true) already sets
+# ANTHROPIC_BASE_URL and CLAUDE_API_KEY. We additionally export
+# ANTHROPIC_AUTH_TOKEN with the workspace owner's session token to match
+# the AI Gateway client contract documented in deploy/CONVENTIONS.md. Both
+# carry the same session token, so there is no conflict; no raw Anthropic
+# API key is ever placed in the workspace.
+resource "coder_env" "anthropic_auth_token" {
+  agent_id = coder_agent.main.id
+  name     = "ANTHROPIC_AUTH_TOKEN"
+  value    = data.coder_workspace_owner.me.session_token
+}
+
+# -----------------------------------------------------------------------------
+# Claude Code (Coder registry module) + Coder Task
+# -----------------------------------------------------------------------------
+
+module "claude_code" {
+  source   = "registry.coder.com/coder/claude-code/coder"
+  version  = "4.7.3"
+  agent_id = coder_agent.main.id
+
+  # Required by the module: directory Claude Code runs in. Pre-created and
+  # trust-accepted by the module.
+  workdir = "/home/coder"
+
+  # Route Claude Code through the Coder AI Gateway (AI Bridge) instead of
+  # talking to api.anthropic.com directly. Sets ANTHROPIC_BASE_URL +
+  # CLAUDE_API_KEY (session token) on the agent. Mutually exclusive with
+  # claude_api_key / claude_code_oauth_token.
+  enable_aibridge = true
+
+  # ---------------------------------------------------------------------------
+  # Coder Boundary agent firewall (this is the "firewalled" variant)
+  # ---------------------------------------------------------------------------
+  # Wrap Claude Code in a process-level network egress jail. The module
+  # launches boundary as a wrapper around the claude process, denying all
+  # egress except the allowlist below. landjail uses the Landlock LSM and
+  # needs no added pod capabilities.
+  enable_boundary = true
+
+  # Install the standalone boundary binary (MIT) rather than using the
+  # `coder boundary` subcommand. The subcommand verifies the deployment
+  # license via an authenticated client; the agent only carries an agent
+  # token (no user session), so the subcommand path errors with "not logged
+  # in". The standalone binary has no license/login dependency.
+  use_boundary_directly = true
+  boundary_version      = "latest"
+
+  # The 4.7.3 module passes no --allow / --jail-type flags to boundary, so
+  # this config file is the ONLY source of the allowlist and jail type. It
+  # must exist before Claude Code starts, so it is written in
+  # pre_install_script (runs before the start script that launches boundary).
+  # Allowing dev.usgov.coderdemo.io is REQUIRED: it is the AI Gateway egress
+  # that Claude Code depends on. Everything not listed is denied + audited.
+  pre_install_script = <<-EOT
+    #!/bin/bash
+    set -e
+    mkdir -p "$HOME/.config/coder_boundary" /tmp/boundary_logs
+    cfg="$HOME/.config/coder_boundary/config.yaml"
+    {
+      echo 'allowlist:'
+      echo '  - "domain=dev.usgov.coderdemo.io"'
+      echo '  - "domain=gitlab.usgov.coderdemo.io"'
+      echo 'jail_type: landjail'
+      echo 'log_dir: /tmp/boundary_logs'
+      echo 'log_level: warn'
+    } > "$cfg"
+    echo "[firewalled] wrote boundary config:"
+    cat "$cfg"
+  EOT
+
+  # Coder Tasks: seed the agent and report task status to the Coder UI via
+  # AgentAPI. Empty string for plain builds -> Claude Code starts idle.
+  ai_prompt    = local.effective_prompt
+  report_tasks = true
+
+  # Serve the Claude Code web app on a subdomain. Requires the wildcard
+  # access URL (*.usgov.coderdemo.io) configured on the Coder server.
+  subdomain = true
+
+  # Model selection is intentionally left at the module default. With the
+  # AI Gateway, the requested model name must match the active provider:
+  #   - Anthropic-direct (primary): an Anthropic model id, e.g.
+  #     "claude-sonnet-4-5-20250929".
+  #   - Bedrock (secondary): the GovCloud inference profile, e.g.
+  #     "us-gov.anthropic.claude-sonnet-4-5-20250929-v1:0".
+  # Pin one explicitly only after confirming which provider is live:
+  # model = "claude-sonnet-4-5-20250929"
+}
+
+# Marks this workspace build as a Coder AI Task and binds the Task UI to the
+# Claude Code AgentAPI app. Only created in a Task context so normal
+# workspace builds are unaffected.
+resource "coder_ai_task" "claude_code" {
+  count  = data.coder_task.me.enabled ? data.coder_workspace.me.start_count : 0
+  app_id = module.claude_code.task_app_id
+}
+
+# code-server: VS Code in the browser (an additional coder_app tile).
+module "code_server" {
+  count     = data.coder_workspace.me.start_count
+  source    = "registry.coder.com/coder/code-server/coder"
+  version   = "1.3.1"
+  agent_id  = coder_agent.main.id
+  folder    = "/home/coder"
+  subdomain = true
+  order     = 1
+}
+
+# -----------------------------------------------------------------------------
+# Kubernetes resources
+# -----------------------------------------------------------------------------
+
+resource "kubernetes_persistent_volume_claim_v1" "home" {
+  metadata {
+    name      = "coder-${data.coder_workspace.me.id}-home"
+    namespace = var.namespace
+    labels = {
+      "app.kubernetes.io/name"     = "coder-workspace"
+      "app.kubernetes.io/instance" = "coder-${data.coder_workspace.me.id}"
+      "app.kubernetes.io/part-of"  = "coder"
+    }
+  }
+  wait_until_bound = false
+  spec {
+    access_modes = ["ReadWriteOnce"]
+    resources {
+      requests = {
+        storage = "${data.coder_parameter.disk_size.value}Gi"
+      }
+    }
+  }
+
+  lifecycle {
+    ignore_changes = all
+  }
+}
+
+resource "kubernetes_pod_v1" "workspace" {
+  count = data.coder_workspace.me.start_count
+
+  metadata {
+    name      = "coder-${data.coder_workspace.me.id}"
+    namespace = var.namespace
+    labels = {
+      "app.kubernetes.io/name"     = "coder-workspace"
+      "app.kubernetes.io/instance" = "coder-${data.coder_workspace.me.id}"
+      "app.kubernetes.io/part-of"  = "coder"
+    }
+  }
+
+  spec {
+    # enterprise-base runs as the `coder` user (uid/gid 1000).
+    security_context {
+      run_as_user = 1000
+      fs_group    = 1000
+    }
+
+    container {
+      name              = "dev"
+      image             = var.workspace_image
+      image_pull_policy = "IfNotPresent"
+      command           = ["sh", "-c", coder_agent.main.init_script]
+
+      security_context {
+        run_as_user = 1000
+        # enterprise-base grants the coder user passwordless sudo. The
+        # claude-code/agentapi module installs the agentapi binary to
+        # /usr/local/bin via sudo, which requires privilege escalation.
+        # Disabling it sets the kernel no_new_privs flag and breaks that
+        # install (and the Coder Tasks chat UI it powers).
+        allow_privilege_escalation = true
+      }
+
+      env {
+        name  = "CODER_AGENT_TOKEN"
+        value = coder_agent.main.token
+      }
+
+      env {
+        name  = "CODER_AGENT_URL"
+        value = data.coder_workspace.me.access_url
+      }
+
+      resources {
+        requests = {
+          "cpu"    = "500m"
+          "memory" = "${max(2, floor(data.coder_parameter.memory.value / 2))}Gi"
+        }
+        limits = {
+          "cpu"    = "${data.coder_parameter.cpu.value}"
+          "memory" = "${data.coder_parameter.memory.value}Gi"
+        }
+      }
+
+      volume_mount {
+        mount_path = "/home/coder"
+        name       = "home"
+        read_only  = false
+      }
+    }
+
+    volume {
+      name = "home"
+      persistent_volume_claim {
+        claim_name = kubernetes_persistent_volume_claim_v1.home.metadata[0].name
+      }
+    }
+
+    affinity {
+      pod_anti_affinity {
+        preferred_during_scheduling_ignored_during_execution {
+          weight = 1
+          pod_affinity_term {
+            topology_key = "kubernetes.io/hostname"
+            label_selector {
+              match_expressions {
+                key      = "app.kubernetes.io/name"
+                operator = "In"
+                values   = ["coder-workspace"]
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+
+  # The agent token is baked into init_script; ignore_changes keeps a
+  # running pod intact across template re-applies / prebuild claims.
+  lifecycle {
+    ignore_changes = all
+  }
+}

From b44344706988a3f758c8167cc14d2a879d43656c Mon Sep 17 00:00:00 2001
From: Austen Bruhn <asbru17@gmail.com>
Date: Tue, 9 Jun 2026 13:46:41 +0000
Subject: [PATCH 2/3] docs(aoi): add AOI gap remediation plan and task briefs

Add the AOI gap remediation plan (firewall + authenticated MCP, with the
firewall section updated to as-built and validated) and three execution-ready
briefs so the remaining tasks can be run in parallel:

- brief-github-auth-mcp.md: stand up an authenticated MCP (GitHub hosted MCP
  via PAT/OAuth), including the 200/202-vs-204 client gate to check first and
  an in-boundary datastore-mcp fallback.
- brief-observability-audit-readiness.md: verify the boundary and AI Gateway
  Grafana dashboards and the Coder audit log show live demo data; confirms the
  boundary forwarded-batch metric name from source.
- brief-template-golden-path-e2e.md: WS-25 per-template build + connectivity
  matrix, including the GitLab external-auth gate and the admin REST
  create-for-authenticated-owner workaround.

Generated by Coder Agents.
---
 aoi/brief-github-auth-mcp.md               | 303 +++++++++++++++++++++
 aoi/brief-observability-audit-readiness.md | 261 ++++++++++++++++++
 aoi/brief-template-golden-path-e2e.md      | 215 +++++++++++++++
 aoi/plan-firewall-and-auth-mcp.md          | 284 +++++++++++++++++++
 4 files changed, 1063 insertions(+)
 create mode 100644 aoi/brief-github-auth-mcp.md
 create mode 100644 aoi/brief-observability-audit-readiness.md
 create mode 100644 aoi/brief-template-golden-path-e2e.md
 create mode 100644 aoi/plan-firewall-and-auth-mcp.md

diff --git a/aoi/brief-github-auth-mcp.md b/aoi/brief-github-auth-mcp.md
new file mode 100644
index 0000000..5a2d268
--- /dev/null
+++ b/aoi/brief-github-auth-mcp.md
@@ -0,0 +1,303 @@
+# Brief: Authenticated MCP Server in Coder Agents (GitHub hosted MCP)
+
+## 1. Objective and demo narrative
+
+Stand up an authenticated MCP server in Coder Agents on
+`https://dev.usgov.coderdemo.io` that demonstrates real authentication plus
+need-to-know. The approved backend is GitHub's hosted MCP
+(`https://api.githubcopilot.com/mcp/`), accessed read-only with a fine-scoped
+GitHub token. Narrative: "Coder Agents reaching an authenticated internal
+service. The agent can only call tools the credential is allowed to call, and
+each user sees only what their identity can access." Attribution (WS-23) is out
+of scope. The single highest risk is a client/server protocol mismatch on
+`notifications/initialized` (the 204 gate, see section 3), so verify the gate
+before committing the demo to GitHub.
+
+## 2. Prerequisites
+
+- Admin Coder session token in `$TOKEN` and `CODER_URL=https://dev.usgov.coderdemo.io`.
+  Environment and admin token setup is documented elsewhere; assume it is ready.
+- A fine-scoped GitHub Personal Access Token (PAT) from the user. Use a throwaway
+  demo org/repo to keep blast radius small.
+- Recommended PAT scopes:
+  - Fine-grained, read-only: Contents Read, Metadata Read, Issues Read,
+    Pull Requests Read; optional Actions Read; org Members Read; Email Read.
+  - Classic alternative: `read:user`, `user:email`, `read:org`, `repo`, paired
+    with the `X-MCP-Readonly: true` header as defense in depth.
+- For Path B only: ability to create a GitHub OAuth App in the chosen org.
+
+Field reference (verified against `codersdk/mcp.go`,
+`CreateMCPServerConfigRequest`): `display_name` (required), `slug` (required),
+`description`, `icon_url`, `transport` (required, oneof `streamable_http` `sse`),
+`url` (required, url), `auth_type` (required, oneof `none` `oauth2` `api_key`
+`custom_headers` `user_oidc`), `oauth2_client_id`, `oauth2_client_secret`,
+`oauth2_auth_url`, `oauth2_token_url`, `oauth2_scopes`, `api_key_header`,
+`api_key_value`, `custom_headers` (map of string to string), `tool_allow_list`,
+`tool_deny_list`, `availability` (required, oneof `force_on` `default_on`
+`default_off`), `enabled`, `model_intent`, `allow_in_plan_mode`,
+`forward_coder_headers`. The POST returns HTTP 201 with the created object
+including `id`.
+
+## 3. THE GATE: 204 vs 202 (verify FIRST)
+
+Coder's MCP client is `mark3labs/mcp-go` v0.38.0, which accepts only HTTP 200 or
+202 on the `notifications/initialized` POST. GitLab's MCP returned 204 and was
+dropped (CODAGT-570). GitHub's status on that notification is unverified, so this
+gate decides whether GitHub MCP is usable as-is.
+
+Most authoritative procedure (register, then read coderd logs):
+
+1. Mint the PAT (section 2).
+2. Register the GitHub MCP in Coder with `api_key` + the PAT (section 4 body).
+3. Trigger a connection: open a Coder Agents chat with the server enabled, or
+   list servers, so coderd attempts to connect.
+4. Watch coderd logs for a connection-failure line mentioning status 204:
+
+```sh
+kubectl -n coder logs deploy/coder --tail=400 | \
+  grep -iE "skipping MCP server.*connection failure|status 204|notifications/initialized"
+```
+
+Optional direct probe (confirms GitHub's behavior independent of Coder). Read
+the status line on the `notifications/initialized` POST:
+
+```sh
+# 1) initialize (capture the Mcp-Session-Id response header if present)
+curl -sS -D - -o /dev/null -X POST https://api.githubcopilot.com/mcp/ \
+  -H "Authorization: Bearer <fine_scoped_PAT>" \
+  -H "Content-Type: application/json" \
+  -H "Accept: application/json, text/event-stream" \
+  -H "X-MCP-Readonly: true" \
+  --data '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"gate-check","version":"0.0.1"}}}'
+
+# 2) notifications/initialized (echo back Mcp-Session-Id from step 1 if returned)
+curl -sS -D - -o /dev/null -X POST https://api.githubcopilot.com/mcp/ \
+  -H "Authorization: Bearer <fine_scoped_PAT>" \
+  -H "Content-Type: application/json" \
+  -H "Accept: application/json, text/event-stream" \
+  -H "X-MCP-Readonly: true" \
+  -H "Mcp-Session-Id: <id_from_step_1>" \
+  --data '{"jsonrpc":"2.0","method":"notifications/initialized","params":{}}'
+```
+
+Pass/fail decision:
+
+- Status 200 or 202, and no "skipping MCP server" line: PASS. Proceed with Path A
+  (or Path B for the per-user headline).
+- Status 204, or coderd logs the connection-failure/204 line: FAIL. GitHub MCP is
+  unusable as-is. Switch to Fallback C (in-boundary datastore MCP), which we
+  control and can make return 202.
+
+## 4. Path A (recommended, fastest): api_key + PAT
+
+Simplest and genuinely authenticated; it is also the same registration that
+clears the gate. Caveat: one PAT is one shared identity, so per-user need-to-know
+requires either one server per demoed user (per-user PATs) or Path B.
+
+Exact JSON body. `api_key_value` is set verbatim, so it MUST include the
+`Bearer ` prefix:
+
+```json
+{
+  "display_name": "GitHub (Internal Service)",
+  "slug": "github",
+  "description": "Read-only GitHub access via GitHub hosted MCP.",
+  "transport": "streamable_http",
+  "url": "https://api.githubcopilot.com/mcp/",
+  "auth_type": "api_key",
+  "api_key_header": "Authorization",
+  "api_key_value": "Bearer <fine_scoped_PAT>",
+  "tool_allow_list": [
+    "get_me",
+    "search_repositories",
+    "get_repository",
+    "search_code",
+    "list_issues",
+    "get_issue",
+    "list_pull_requests",
+    "get_pull_request"
+  ],
+  "availability": "default_off",
+  "enabled": true
+}
+```
+
+Register:
+
+```sh
+curl -sS -X POST "$CODER_URL/api/experimental/mcp/servers" \
+  -H "Coder-Session-Token: $TOKEN" -H "Content-Type: application/json" \
+  --data @path/to/body.json
+```
+
+X-MCP-Readonly header approach (important). The `api_key` auth type sends exactly
+ONE header (`api_key_header`/`api_key_value`). It cannot also send a second static
+header such as `X-MCP-Readonly: true`. Per `codersdk/mcp.go`, sending multiple
+static headers requires `auth_type: custom_headers` with a `custom_headers` map.
+To send both the bearer token and the read-only header, use this body instead:
+
+```json
+{
+  "display_name": "GitHub (Internal Service)",
+  "slug": "github",
+  "description": "Read-only GitHub access via GitHub hosted MCP.",
+  "transport": "streamable_http",
+  "url": "https://api.githubcopilot.com/mcp/",
+  "auth_type": "custom_headers",
+  "custom_headers": {
+    "Authorization": "Bearer <fine_scoped_PAT>",
+    "X-MCP-Readonly": "true"
+  },
+  "tool_allow_list": [
+    "get_me",
+    "search_repositories",
+    "get_repository",
+    "search_code",
+    "list_issues",
+    "get_issue",
+    "list_pull_requests",
+    "get_pull_request"
+  ],
+  "availability": "default_off",
+  "enabled": true
+}
+```
+
+Recommendation: use the `custom_headers` body if you want `X-MCP-Readonly: true`
+as defense in depth (preferred). Use the `api_key` body only if a single header is
+acceptable and the PAT scopes alone enforce read-only. Keep `availability`
+`default_off` and `enabled` true so the server exists but users opt in per chat.
+
+## 5. Path B (per-user RBAC headline): manual oauth2 + GitHub OAuth App
+
+Best per-user need-to-know story: each user clicks Connect once, Coder stores a
+per-user GitHub token, and each user sees only what their GitHub identity allows.
+GitHub advertises no DCR `registration_endpoint`, so oauth2 MUST be manual
+(pre-registered GitHub OAuth App). For manual oauth2, supply ALL of
+`oauth2_client_id`, `oauth2_auth_url`, and `oauth2_token_url`, otherwise Coder
+attempts auto-DCR (which fails for GitHub).
+
+Callback sequencing problem: the OAuth App callback must be
+`https://dev.usgov.coderdemo.io/api/experimental/mcp/servers/{id}/oauth2/callback`,
+but `{id}` does not exist until the Coder MCP row is created. Resolve in this
+order:
+
+1. Create the Coder MCP row first with placeholder oauth2 values so Coder mints
+   the `{id}` (returned in the 201 response):
+
+```json
+{
+  "display_name": "GitHub (Per-User)",
+  "slug": "github-oauth",
+  "transport": "streamable_http",
+  "url": "https://api.githubcopilot.com/mcp/",
+  "auth_type": "oauth2",
+  "oauth2_client_id": "placeholder",
+  "oauth2_client_secret": "placeholder",
+  "oauth2_auth_url": "https://github.com/login/oauth/authorize",
+  "oauth2_token_url": "https://github.com/login/oauth/access_token",
+  "oauth2_scopes": "read:user user:email read:org repo",
+  "tool_allow_list": ["get_me", "search_repositories", "get_repository", "list_issues", "get_issue"],
+  "availability": "default_off",
+  "enabled": false
+}
+```
+
+2. Create (or edit) the GitHub OAuth App and set its Authorization callback URL to
+   `https://dev.usgov.coderdemo.io/api/experimental/mcp/servers/{id}/oauth2/callback`
+   using the `{id}` from step 1.
+3. Patch the Coder row with the real client id/secret and enable it:
+
+```sh
+curl -sS -X PATCH "$CODER_URL/api/experimental/mcp/servers/{id}" \
+  -H "Coder-Session-Token: $TOKEN" -H "Content-Type: application/json" \
+  --data '{"oauth2_client_id":"<real_id>","oauth2_client_secret":"<real_secret>","enabled":true}'
+```
+
+4. Each user opens the connect URL
+   (`$CODER_URL/api/experimental/mcp/servers/{id}/oauth2/connect`) from the chat UI,
+   authorizes once, and Coder stores their per-user token. Note: oauth2 does not
+   carry the `X-MCP-Readonly` header; enforce read-only via scopes and
+   `tool_allow_list`.
+
+## 6. Fallback C (in-boundary, clean optics): authenticated datastore MCP
+
+If the gate fails or egress optics must stay inside the GovCloud boundary, add
+auth to the existing datastore MCP (`deploy/datastore-mcp`). It currently runs as
+`auth_type: none` at
+`http://datastore-mcp.coder-demo-mcp.svc.cluster.local:8000/mcp` and is reached
+in-cluster. Because we own the code, we control the `notifications/initialized`
+response and can guarantee the 202 gate passes. Ranked options:
+
+1. Manual `oauth2` via Keycloak: real per-user auth, in-boundary, best optics. The
+   MCP server must validate the access token (issuer, audience, expiry) and map
+   the subject to authorized rows. Supply Keycloak `oauth2_auth_url`,
+   `oauth2_token_url`, `oauth2_client_id`, `oauth2_client_secret`, `oauth2_scopes`,
+   and set the Keycloak client callback to the Coder
+   `/oauth2/callback` URL for that server `{id}` (same sequencing as Path B).
+2. `user_oidc`: Coder forwards the user's OIDC token to the MCP server, which must
+   verify the audience and enforce per-user access. Less setup than full oauth2,
+   still per-user.
+3. `api_key`: shared static credential, simplest, but a single shared identity (no
+   per-user need-to-know).
+
+Implementation note: the current datastore server does not validate the inbound
+Authorization header (see `server/main.go`), so options 1 and 2 require adding
+token verification before they are a true auth demo. Option 3 only requires Coder
+to send the header and the server to check it.
+
+## 7. Verification
+
+- Connected: re-run the section 3 log grep and confirm NO "skipping MCP server"
+  line for the slug. Optionally `GET $CODER_URL/api/experimental/mcp/servers` and
+  confirm the row is present with `enabled: true`.
+- Visible to the model: open a Coder Agents chat, enable the server (it is
+  `default_off`), and confirm the tools appear in the chat tools listing /
+  model picker as `github__<tool>` (datastore tools appear as `datastore__<tool>`,
+  same `slug__tool` convention).
+- Smoke test (read-only): ask the agent to call a read-only tool, for example
+  `github__get_me` ("who am I authenticated as?") or
+  `github__search_repositories` against the throwaway demo org. Confirm it returns
+  real data and that a write-style tool is absent because it is not in
+  `tool_allow_list`.
+
+## 8. Rollback
+
+- Disable (keep the row): PATCH `enabled:false`.
+
+```sh
+curl -sS -X PATCH "$CODER_URL/api/experimental/mcp/servers/{id}" \
+  -H "Coder-Session-Token: $TOKEN" -H "Content-Type: application/json" \
+  --data '{"enabled":false}'
+```
+
+- Delete (remove the row): DELETE returns HTTP 204.
+
+```sh
+curl -sS -X DELETE "$CODER_URL/api/experimental/mcp/servers/{id}" \
+  -H "Coder-Session-Token: $TOKEN"
+```
+
+- Revoke the PAT or the GitHub OAuth App in GitHub after the demo. For Path B,
+  users can also disconnect their token via
+  `DELETE $CODER_URL/api/experimental/mcp/servers/{id}/oauth2/disconnect`.
+
+## 9. Risks and open questions
+
+- 204 gate (highest risk): if GitHub returns 204 on `notifications/initialized`,
+  GitHub MCP is unusable as-is and the demo must use Fallback C. Verify before
+  committing.
+- Egress / optics: GitHub MCP egresses to public GitHub, so packets and tokens
+  leave the GovCloud boundary even though the narrative says "internal service."
+  Mitigate with read-only tools, `X-MCP-Readonly: true`, a scoped PAT, and a
+  throwaway org/repo. If optics must stay in-boundary, make Fallback C primary.
+- Shared vs per-user identity: Path A (api_key) is one shared identity. The
+  per-user need-to-know headline needs Path B (oauth2) or one server per user.
+- The MCP servers config is a live, DB-resident object, not in git, so the row
+  must be recreated by hand if the database is reset.
+- Open: which GitHub org/repos for the PAT or OAuth App? Is calling `github.com`
+  acceptable for demo optics, or must the authenticated MCP stay in-boundary
+  (then Fallback C is primary)? Auth headline preference: per-user RBAC (oauth2)
+  or fastest-authenticated (api_key)?
+
+Generated by Coder Agents.
diff --git a/aoi/brief-observability-audit-readiness.md b/aoi/brief-observability-audit-readiness.md
new file mode 100644
index 0000000..e149f68
--- /dev/null
+++ b/aoi/brief-observability-audit-readiness.md
@@ -0,0 +1,261 @@
+# Brief: Observability and Audit Readiness for the Thursday Demo
+
+Execution-ready verification brief. Read-only. Another agent will execute it.
+
+Authoritative context (verified this session):
+
+- Deployment: https://dev.usgov.coderdemo.io, Coder v2.34.1 enterprise, GovCloud
+  EKS, namespace `coder`. AI Governance add-on entitled (AI Bridge + Boundary).
+- Coder Boundary (Agent Firewall) is enabled on a "firewalled" template. A live
+  jailed workspace `austenplatform/firewall-test` is running. coderd now emits
+  structured `boundary_request` audit lines (msg=boundary_request), visible via
+  `kubectl -n coder logs deploy/coder`. Source:
+  `/home/coder/coder/coderd/agentapi/boundary_logs.go`.
+- Observability assets base path (this is where the files actually live; the
+  repo-relative form `deploy/observability/*` is used below):
+  `/home/coder/demoenv-workspace/usgov-phase2/deploy/observability/`.
+- Dashboards present: `dashboards-boundary.yaml` (uid `agent-firewall`),
+  `dashboards-aibridge.yaml` (uid `ai-gateway`), `dashboards-coder.yaml`.
+  Datasources: `loki` (Loki), `prometheus` (Prometheus), `aibridge-postgres`
+  (Coder RDS Postgres, read-only role `grafana_ro`).
+
+## 1. Objective
+
+Confirm that the audit and observability surfaces show live data for the
+Thursday demo flow:
+
+1. Agent Firewall egress allow/deny (Boundary), via the `agent-firewall`
+   Grafana dashboard backed by Loki `boundary_request` events.
+2. AI Gateway usage (AI Bridge): providers, interceptions, tokens, and cost,
+   via the `ai-gateway` dashboard backed by the `aibridge-postgres` datasource.
+3. Coder audit log: template pushes, workspace builds, and governance changes
+   (MCP/spend limits), via the Coder UI `/audit` and API `/api/v2/audit`.
+
+The deliverable for the executing agent is a pass/fail check against each
+surface, plus the one concrete fix in section 7.
+
+## 2. Boundary (Agent Firewall) dashboard verification
+
+Dashboard: `dashboards-boundary.yaml`, uid `agent-firewall`, title
+"Agent Firewall". Row "Coder Agent Firewall" holds the audit panels; row
+"Agent Firewall Operations" holds Prometheus and proxy-log panels.
+
+### 2a. Confirm Loki ingests coderd logs
+
+Promtail scrapes all namespaces with no namespace filter (see
+`promtail.yaml`, it maps `__meta_kubernetes_namespace` to label `namespace`),
+so coderd logs in namespace `coder` are ingested. The audit panels select
+`{namespace=~`(coder|coder-workspaces)`}`, which covers coderd.
+
+Verify ingestion (Grafana Explore, datasource Loki, or LogCLI):
+
+```
+{namespace=~"(coder|coder-workspaces)"} |= "boundary_request" | logfmt | decision=~"deny|allow"
+```
+
+Expect non-empty results. Boundary is jailing Claude Code in
+`firewall-test`, which produces continuous deny events (for example
+`api.anthropic.com` and `raw.githubusercontent.com`), and allowed events for
+gateway traffic to `dev.usgov.coderdemo.io`.
+
+### 2b. Panels to check (exact panel titles and queries)
+
+- "Egress Audit (allow / deny)" (Loki, uid `loki`):
+
+```
+sum by (decision) (count_over_time({namespace=~`(coder|coder-workspaces)`} |= `boundary_request` | logfmt | decision=~`deny|allow` | owner=~`$owner` | domain=~`$domain` | template_id=~`$template_id` | template_version_id=~`$template_version_id` [$__range]))
+```
+
+- "Top Allowed Domains" and "Top Denied Domains" (Loki) parse the domain from
+  `http_url` with `regexp` and `topk(20, sum by (domain) (...))`.
+- "Most recent allowed requests" and "Most recent denied requests" (Loki) use
+  `decision=`allow`` / `decision=`deny`` and `line_format` over fields
+  `event_time`, `http_method`, `domain`, `path`, `owner`, `workspace_name`,
+  `template_id`, `template_version_id`.
+
+Dashboard variables (`domain`, `owner`, `template_id`, `template_version_id`)
+are textbox type, default empty. Empty regex matches all, so the allow/deny
+panels populate with no variables set. Leave them blank for the demo unless
+filtering to `austenplatform`.
+
+Field dependency to confirm on a real line: the `line_format` and the
+domain `topk` panels assume the live `boundary_request` line contains
+`owner`, `workspace_name`, and a parseable `http_url`. The emitter in
+`boundary_logs.go` writes `decision`, `workspace_id`, `template_id`,
+`template_version_id`, `http_method`, `http_url`, `event_time`, and
+`matched_rule` (allow only); `owner`/`workspace_name`/`agent_name` are added by
+the parent logger. Inspect one real line and confirm those fields are present:
+
+```
+kubectl -n coder logs deploy/coder --since=15m | grep boundary_request | head -3
+```
+
+If `owner` or `workspace_name` are absent, the allow/deny counts still work
+(missing label matches the empty regex), but the recent-request tables show
+blank owner/workspace columns. Record this as an observation, not a blocker.
+
+### 2c. Generate fresh allow/deny events on demand
+
+From a workspace terminal on the firewalled template:
+
+- Deny: `boundary --proxy-port 8091 -- curl https://example.com`
+- Allow: `curl https://dev.usgov.coderdemo.io`
+
+The firewalled template's Claude Code already emits continuous deny events, so
+fresh generation is optional for the demo.
+
+## 3. Prometheus metric-name reconciliation
+
+Dashboard `dashboards-boundary.yaml` uses
+`agent_boundary_log_proxy_batches_forwarded_total` in panels "Total Batches
+Forwarded", "Active Firewall Agents", and "Forwarded Batches by Workspace".
+
+Source of truth (`/home/coder/coder/agent/boundarylogproxy/metrics.go`):
+
+```
+Namespace: "agent"
+Subsystem: "boundary_log_proxy"
+Name:      "batches_forwarded_total"
+```
+
+Prometheus joins these as `agent_boundary_log_proxy_batches_forwarded_total`.
+Therefore the dashboard name is correct, and the prefix-less spelling
+`boundary_log_proxy_batches_forwarded_total` cited in two phase2 docs is wrong.
+
+Confirm the exported name against the live stack (any one):
+
+```
+# Prometheus label values
+curl -s http://<prometheus>/api/v1/label/__name__/values | jq -r '.data[]' | grep -i boundary
+
+# coderd aggregated agent metrics (this metric is an agent metric aggregated by coderd)
+kubectl -n coder exec deploy/coder -- wget -qO- http://localhost:2112/metrics | grep -i boundary
+```
+
+Expect `agent_boundary_log_proxy_batches_forwarded_total` (plus
+`agent_boundary_log_proxy_batches_dropped_total` and
+`agent_boundary_log_proxy_logs_dropped_total`). The metric carries labels
+`username`, `workspace_name`, `agent_name` from the coderd aggregator, which
+the "Forwarded Batches by Workspace" panel groups by (`workspace_name`,
+`username`).
+
+If the live label name turns out to differ from the source, prefer fixing the
+dashboard to match the live name. Based on source, no dashboard change is
+expected; the fix belongs in the docs (section 7).
+
+## 4. AI Bridge (AI Gateway) dashboard verification
+
+Dashboard: `dashboards-aibridge.yaml`, uid `ai-gateway`, title "AI Gateway".
+
+### 4a. Confirm the Postgres datasource is connected
+
+Datasource `aibridge-postgres` (`datasource-aibridge-postgres.yaml`) points to
+`usgov-coderdemo-pg...rds.amazonaws.com:5432`, database `coder`, user
+`grafana_ro`, password from env `${AIGOV_DB_PASSWORD}` (Secret
+`aigov-grafana-db` in namespace `monitoring`). Verify in Grafana:
+Connections, Data sources, "AI Gateway DB", Save & test, expect success.
+
+### 4b. Panels showing live data (Postgres)
+
+- "Total Interceptions": `SELECT count(*) AS value FROM aibridge_interceptions WHERE $__timeFilter(started_at)`
+- "Active Sessions": `count(DISTINCT session_id)` over `aibridge_interceptions`
+- "Unique Users": `count(DISTINCT initiator_id)` over `aibridge_interceptions`
+- "Interceptions by Provider/Model/User", "Recent Interceptions", "Sessions".
+
+Usage and cost panels ("Input/Output/Cache/Total Tokens", "Estimated Cost",
+"Tokens Over Time", "Estimated Cost Over Time", "Top Users by Usage & Cost",
+"Token Usage Detail") read from `aibridge_token_usages` joined to
+`ai_model_prices` (71 rows, includes `claude-sonnet-4-5`). Confirm whether
+token rows exist; if the Anthropic key in use is a placeholder, these can be
+zero by design. Because the gateway has been used this session, confirm live
+token/cost data is present and call it out if still zero.
+
+Provider-health stats ("Configured Providers", "Provider Reload Status",
+"Last Successful Reload", "Provider Inventory") come from Prometheus
+`coder_aibridged_*`; the "AI Gateway Log Stream" and event-rate panels come
+from Loki (namespace `coder`). Confirm each row renders without datasource
+errors.
+
+## 5. Coder audit log verification
+
+UI: open `https://dev.usgov.coderdemo.io/audit` as an admin. API:
+
+```
+curl -sS -H "Coder-Session-Token: $CODER_SESSION_TOKEN" \
+  "https://dev.usgov.coderdemo.io/api/v2/audit?limit=50" | jq '.audit_logs[] | {action, resource_type, time}'
+```
+
+Confirm the log records the demo-relevant actions:
+
+- Template pushes / new template versions (resource_type `template` or
+  `template_version`, action `create`/`write`), including the firewalled
+  template.
+- Workspace builds (resource_type `workspace_build` / `workspace`).
+- Governance changes for the demo: MCP server config and spend-limit changes
+  (filter the UI by the relevant resource type, or grep the API response for
+  the changed fields). Confirm at least one such entry exists; if none, perform
+  one change before the demo so it appears.
+
+Note the audit log (Postgres `audit_logs`) is distinct from the
+`boundary_request` application logs in Loki. Both must be checked.
+
+## 6. Demo-day checklist (5 minutes)
+
+1. Grafana, dashboard "Agent Firewall": "Egress Audit (allow / deny)" shows
+   both allow and deny in the last 15m. If flat, run the deny/allow curls in
+   section 2c.
+2. Same dashboard: "Top Denied Domains" lists `api.anthropic.com` /
+   `raw.githubusercontent.com`; "Most recent denied requests" table populated.
+3. Same dashboard: "Total Batches Forwarded" stat is non-zero (Prometheus).
+4. Grafana, dashboard "AI Gateway": "Total Interceptions", "Active Sessions",
+   "Unique Users" non-zero; "Interceptions by Provider" populated. If tokens
+   were generated, confirm "Estimated Cost" non-zero.
+5. Coder UI `/audit`: a recent template push and a workspace build are visible.
+6. Confirm no panel shows a red datasource error (loki, prometheus,
+   aibridge-postgres all healthy under Grafana, Connections, Data sources).
+
+## 7. Concrete fixes found (described only, do not edit)
+
+One fix, in docs (the dashboard is already correct):
+
+- File: `deploy/observability/../docs/architecture/agent-firewall-feasibility.md`
+  (absolute: `/home/coder/demoenv-workspace/usgov-phase2/docs/architecture/agent-firewall-feasibility.md`),
+  line 101. Replace `boundary_log_proxy_batches_forwarded_total` with
+  `agent_boundary_log_proxy_batches_forwarded_total`.
+- File:
+  `/home/coder/demoenv-workspace/usgov-phase2/aoi/plan-firewall-and-auth-mcp.md`,
+  line 131. Same replacement: add the `agent_` prefix so the cited metric
+  matches the exported name and the dashboard.
+
+Stale-doc note (optional, lower priority): both
+`deploy/observability/AI_GOVERNANCE_DASHBOARD.md` (around lines 138 to 144) and
+the header comment of `deploy/observability/dashboards-boundary.yaml` (around
+lines 25 to 27) state that `boundary_request` allow/deny events "are not
+emitted in this stack yet". That is now false on Coder v2.34.1; coderd emits
+them and the `agent-firewall` dashboard's allow/deny panels populate. If time
+allows, update that prose to reflect that allow/deny audit is now live. Do not
+change any panel JSON; the queries are correct.
+
+No dashboard JSON edits are required.
+
+## 8. Risks and open questions
+
+- Token/cost panels depend on real metered AI traffic. If the Anthropic key is
+  a placeholder, `aibridge_token_usages` may be empty and cost reads zero by
+  design. Confirm live token rows exist before relying on cost panels in the
+  demo.
+- `boundary_request` line fields: confirm `owner` and `workspace_name` are on
+  the live line (section 2b). If absent, recent-request tables show blank
+  owner/workspace columns; allow/deny counts are unaffected.
+- Log retention: Loki retention may drop older `boundary_request` lines.
+  Use a recent time range (last 15m to 1h) for the demo.
+- Prometheus scrape of the aggregated agent metric: section 3 assumes coderd
+  exposes `agent_boundary_*` on its `/metrics`. If the live label name differs
+  from source, fix the dashboard to match (not expected based on source).
+- The datasource doc references Coder v2.34.0 while the live deployment is
+  v2.34.1. Cosmetic only; no action required.
+- Access: if the executing agent lacks working Grafana/Prometheus/Loki or
+  kubectl access, treat sections 2 to 5 as steps to run once access is granted
+  rather than completed checks.
+
+Generated by Coder Agents.
diff --git a/aoi/brief-template-golden-path-e2e.md b/aoi/brief-template-golden-path-e2e.md
new file mode 100644
index 0000000..7a6fdd3
--- /dev/null
+++ b/aoi/brief-template-golden-path-e2e.md
@@ -0,0 +1,215 @@
+# WS-25 Brief: Template Golden-Path End-to-End Verification
+
+Execution-ready checklist. A parent agent runs this later. Read it in order.
+All commands target the live GovCloud demo deployment.
+
+- Deployment: `https://dev.usgov.coderdemo.io`
+- Coder version: v2.34.1
+- Primary org: `coder` (id `5de29a6d-8836-4643-a42b-2cb807c8e3e2`). Other orgs: `alpha`, `bravo`.
+- Templates in repo: `/home/coder/demoenv-workspace/usgov-phase2/coder-templates/`
+  (`ai-agent-generic`, `claude-code`, `cpp-engineer`, `data-scientist`,
+  `java-engineer`, `platform-engineer`, `firewalled`). `claude-code-ci` is also
+  registered in Coder.
+
+Set these shell variables before running steps:
+
+```bash
+CODER_URL="https://dev.usgov.coderdemo.io"
+ADMIN_TOKEN="<admin session token>"
+ORG_ID="5de29a6d-8836-4643-a42b-2cb807c8e3e2"
+```
+
+## 1. Objective
+
+Prove that each demo template builds to a healthy, connected workspace and
+passes a basic connectivity check. The goal is to de-risk the live demo's
+template flow so that, on demo day, every template starts cleanly and the
+agent reports ready. Success per template means: build job completes,
+`latest_build.status` is `running`, the agent is `lifecycle_state=ready` and
+`status=connected`, and the connectivity smoke test returns HTTP `200`.
+
+## 2. The GitLab external-auth gate (read before building anything)
+
+Every `claude-code`-derived template, and `platform-engineer`, declares:
+
+```hcl
+data "coder_external_auth" "gitlab" {
+  id = "gitlab"
+}
+```
+
+Declaring this data source without `optional = true` makes the workspace
+REQUIRE that the workspace OWNER has completed the in-cluster GitLab OAuth
+login before the build will proceed. There is NO device flow: `GET
+/api/v2/external-auth/gitlab` returns `"device":false`. The login must happen
+once, in a browser, at `https://dev.usgov.coderdemo.io/external-auth/gitlab`.
+
+Current state observed this session:
+
+- `admin` is NOT GitLab-authenticated. `GET /api/v2/external-auth/gitlab`
+  returns `authenticated:false`. An admin-initiated `coder create` against a
+  gitlab-gated template hangs on "Waiting for Git authentication".
+- `austenplatform` IS authenticated (has running claude-code workspaces).
+
+The provisioner uses the OWNER's GitLab token at build time, not the
+requester's token. That fact drives both remediation options below.
+
+### Remediation A (preferred for templates a human will demo)
+
+Have the demoing user complete the one-time browser OAuth login at
+`https://dev.usgov.coderdemo.io/external-auth/gitlab` while logged in as that
+user. After this, that user can `coder create` gitlab-gated templates
+normally. Confirm with `GET /api/v2/external-auth/gitlab` returning
+`authenticated:true` for that user's token.
+
+### Remediation B (workaround for automated verification)
+
+Create the workspace via REST for an owner who is ALREADY authenticated (for
+example `austenplatform`). The admin token authorizes the request, but the
+build uses the owner's GitLab token, so the gate is satisfied.
+
+```bash
+# Resolve the authenticated owner's user id.
+curl -sS -H "Coder-Session-Token: $ADMIN_TOKEN" \
+  "$CODER_URL/api/v2/users?q=austenplatform"
+
+OWNER_ID="<id from above>"
+
+curl -sS -X POST \
+  -H "Coder-Session-Token: $ADMIN_TOKEN" \
+  -H "Content-Type: application/json" \
+  "$CODER_URL/api/v2/users/$OWNER_ID/workspaces" \
+  -d '{
+    "template_id": "<template id>",
+    "name": "<workspace name>",
+    "rich_parameter_values": [
+      {"name": "cpu", "value": "4"},
+      {"name": "memory", "value": "8"},
+      {"name": "disk_size", "value": "20"}
+    ]
+  }'
+```
+
+This returned HTTP 201 and built successfully this session. Use Remediation B
+for the automated build matrix unless the operator is themselves an
+authenticated owner, in which case CLI `coder create` is fine.
+
+## 3. Enumerate templates and identify the gitlab gate
+
+List templates in the `coder` org and capture id plus active version:
+
+```bash
+curl -sS -H "Coder-Session-Token: $ADMIN_TOKEN" \
+  "$CODER_URL/api/v2/organizations/$ORG_ID/templates" \
+  | python3 -c 'import sys,json; [print(t["name"], t["id"], t["active_version_id"]) for t in json.load(sys.stdin)]'
+```
+
+For each template, grep its `main.tf` for the external-auth gate:
+
+```bash
+cd /home/coder/demoenv-workspace/usgov-phase2/coder-templates
+grep -Rl 'coder_external_auth' */main.tf
+```
+
+Record, per template, whether it requires gitlab auth. Verified this session:
+`claude-code` and `platform-engineer` both declare the gitlab gate. Treat any
+`claude-code`-derived template as gated until grep proves otherwise. Templates
+without the gate can be built by any owner, including a freshly authenticated
+test user.
+
+## 4. Per-template build matrix
+
+For each template, do the following:
+
+1. Read the template's `coder_parameter` blocks in its `main.tf` to get the
+   exact parameter names and acceptable values. Do not assume; parameters
+   differ per template.
+2. Decide the owner. If the template is gitlab-gated, use an authenticated
+   owner (Remediation A) or the REST create-for-owner workaround (Remediation
+   B). If ungated, any owner works.
+3. Create the workspace. Use CLI when the operator is the authenticated owner:
+
+   ```bash
+   coder --url "$CODER_URL" --token "$ADMIN_TOKEN" \
+     create <name> --template <template> \
+     --parameter cpu=4 --parameter memory=8 --parameter disk_size=20 --yes
+   ```
+
+   Otherwise use the REST POST from Remediation B.
+4. Poll to healthy:
+
+   ```bash
+   WS_ID="<workspace id from create response>"
+   curl -sS -H "Coder-Session-Token: $ADMIN_TOKEN" \
+     "$CODER_URL/api/v2/workspaces/$WS_ID" \
+     | python3 -c 'import sys,json; d=json.load(sys.stdin); b=d["latest_build"]; print("build", b["status"], "job", b["job"]["status"])'
+   ```
+
+   Parse JSON with `strict=False` because some fields contain control
+   characters. Repeat until `build` is `running` and `job` is `succeeded`.
+   The agent is ready when `lifecycle_state=ready` and `status=connected` in
+   the workspace resources.
+5. Connectivity smoke test:
+
+   ```bash
+   coder --url "$CODER_URL" --token "$ADMIN_TOKEN" \
+     ssh <owner>/<workspace> -- \
+     bash -lc "curl -sS -o /dev/null -w '%{http_code}' $CODER_URL/api/v2/buildinfo"
+   ```
+
+   Expect `200`.
+6. Record pass/fail in the results table (section 6).
+
+Known parameters for `claude-code`-derived templates: `cpu` (default 4),
+`memory` (default 8), `disk_size` (immutable, default 20), `ai_prompt`
+(default ""). `platform-engineer` adds `git_repo` (optional, default ""). For
+every other template, read its `coder_parameter` blocks and pass the required
+parameters explicitly.
+
+## 5. Cleanup guidance
+
+After verification, optionally stop or delete the verification workspaces to
+keep the deployment tidy:
+
+```bash
+coder --url "$CODER_URL" --token "$ADMIN_TOKEN" stop <owner>/<workspace> --yes
+# or
+coder --url "$CODER_URL" --token "$ADMIN_TOKEN" delete <owner>/<workspace> --yes
+```
+
+The `firewalled` template already has a validated workspace
+`austenplatform/firewall-test`. Leave it running for the demo; do not delete
+it during cleanup.
+
+## 6. Results table (fill in)
+
+| Template | Gitlab-gated | Owner used | Create method | Build status | Agent connected | Smoke HTTP | Pass/Fail | Notes |
+|----------|--------------|------------|---------------|--------------|-----------------|------------|-----------|-------|
+| ai-agent-generic |  |  |  |  |  |  |  |  |
+| claude-code |  |  |  |  |  |  |  |  |
+| claude-code-ci |  |  |  |  |  |  |  |  |
+| cpp-engineer |  |  |  |  |  |  |  |  |
+| data-scientist |  |  |  |  |  |  |  |  |
+| java-engineer |  |  |  |  |  |  |  |  |
+| platform-engineer |  |  |  |  |  |  |  |  |
+| firewalled |  |  |  |  |  |  |  |  |
+
+## 7. Risks and open questions
+
+- Per-template egress: `platform-engineer` and similar templates run
+  best-effort startup downloads (kubectl, helm, terraform from public
+  endpoints). In a fully air-gapped boundary these may be blocked. A build can
+  succeed while tooling installs silently fail. Note this when scoring.
+- Image pull from ECR: templates default to the ECR-mirrored
+  `codercom/enterprise-base`. A missing or mis-tagged mirror image causes the
+  pod to fail to start. Check pod events if the build hangs in `pending`.
+- GitLab token expiry: the owner's OAuth token is short-lived. If a previously
+  authenticated owner's token has expired, builds gate again. Re-confirm with
+  `GET /api/v2/external-auth/gitlab` before a batch run.
+- Coder Tasks vs plain builds: `claude-code` wires `coder_ai_task` and the
+  AgentAPI chat UI. Verifying a plain build proves the workspace path but not
+  the full Task UI. Decide whether the demo needs Task-mode verification too.
+- Parameter drift: immutable parameters such as `disk_size` cannot be changed
+  after creation. Pick demo-representative values up front.
+
+Generated by Coder Agents.
diff --git a/aoi/plan-firewall-and-auth-mcp.md b/aoi/plan-firewall-and-auth-mcp.md
new file mode 100644
index 0000000..4b606e4
--- /dev/null
+++ b/aoi/plan-firewall-and-auth-mcp.md
@@ -0,0 +1,284 @@
+# AOI Gap Remediation Plan: Agent Firewall + Authenticated MCP
+
+Status: PLAN for review. Nothing in here is applied yet. Target: live demo
+Thu 2026-06-11 on `dev.usgov.coderdemo.io` (Coder v2.34.1, GovCloud).
+
+Addresses the two main gaps flagged in `aoi/gaps-aoi.md` (agent firewall missing;
+no authenticated MCP), plus other gaps found while planning. Grounded in
+read-only research against the Coder source and live probes this session.
+
+Legend: [CRITICAL] demo-blocking for the AOI story. Effort: S (under ~1h),
+M (a few hours), L (most of a day). All items below are reversible.
+
+---
+
+## Gap 1: Agent Firewall (Coder Boundary) [CRITICAL] [IMPLEMENTED + VALIDATED]
+
+### Status (2026-06-09): DONE on a new `firewalled` template
+Implemented and validated live on `dev.usgov.coderdemo.io`. A new template
+`coder-templates/firewalled/` (a copy of `claude-code` with the firewall on)
+is pushed to the `coder` org, and `austenplatform/firewall-test` runs Claude
+Code jailed. See "As-built" below; the original design notes are retained
+for context.
+
+### What it is
+A process-level network egress firewall that wraps the agent and enforces an
+HTTP(S) allowlist (domain + method + path), streaming every allow/deny decision
+to the control plane. It is network egress control, not a shell-command
+sandbox: a "blocked command" in the demo means a command whose egress is denied
+(for example `curl https://example.com`), not the command being refused. This
+is the data-exfiltration / DLP guardrail story for the AOI.
+
+### Mechanism and entitlement (already satisfied)
+- Delivered as the embedded `coder agent-firewall` subcommand (Coder v2.30+).
+  The Claude Code module 4.7.3 (already pinned) invokes it via `enable_boundary`.
+- Backend: landjail (Landlock V4, no added capabilities, recommended) or nsjail
+  (transparent interception, needs `NET_ADMIN`, stronger isolation fallback).
+- License: AI Governance add-on gates it. Already entitled live
+  (`ai_governance_user_limit: 30`; AI Bridge runs on the same add-on).
+- Kernel/AMI: AL2023 kernel 6.18 exceeds the landjail 6.7 floor; user
+  namespaces enabled in-pod. No AMI or nodepool change.
+
+### Preflight (one read-only node check before enabling)
+Confirm Landlock is in the active LSM stack (could not be read from inside an
+unprivileged pod):
+```
+cat /sys/kernel/security/lsm   # expect a list including "landlock"
+```
+If `landlock` is absent, use the nsjail + `NET_ADMIN` path (still in-pod).
+
+### As-built (what actually shipped, supersedes the spec above)
+The `claude-code` module 4.7.3 already supports Boundary natively, so no
+custom variables or hand-written `coder_script` were needed. The `firewalled`
+template sets, inside `module "claude_code"`:
+```hcl
+enable_boundary       = true
+use_boundary_directly = true   # standalone boundary binary (MIT)
+boundary_version      = "latest"
+pre_install_script    = <writes ~/.config/coder_boundary/config.yaml>
+```
+Key findings from implementation:
+- The module passes NO `--allow` / `--jail-type` flags, so the allowlist and
+  jail type come ONLY from `~/.config/coder_boundary/config.yaml`, written by
+  `pre_install_script` before Claude Code launches. Config used:
+  `allowlist: [domain=dev.usgov.coderdemo.io, domain=gitlab.usgov.coderdemo.io]`,
+  `jail_type: landjail`, `log_dir: /tmp/boundary_logs`, `log_level: warn`.
+- `use_boundary_directly = true` was REQUIRED. The default path runs the
+  `coder boundary` subcommand, which verifies the deployment license through
+  an authenticated client; the agent carries only an agent token (no user
+  session), so that path errors with "not logged in". The standalone
+  `boundary` binary (installed v0.9.0 via the module install script) has no
+  license/login dependency.
+- Preflight passed: the node LSM stack is
+  `lockdown,capability,landlock,yama,safesetid,selinux,bpf,ima` (landlock
+  present), AL2023 kernel 6.18. landjail needs no added pod capabilities, so
+  the pod security context was left unchanged (no nsjail / NET_ADMIN).
+
+### Verification results (live)
+- Process tree confirms the jail: `agentapi server ... -- boundary -- claude
+  --session-id ...` (Claude Code is a child of boundary).
+- Allow/deny enforced from a workspace terminal (use a free `--proxy-port`
+  since the agent's boundary owns 8080): gateway buildinfo = 200 (allow),
+  gitlab = 302 (allow), example.com = 403 (deny), github.com = 403 (deny).
+- coderd emits `boundary_request` audit lines (owner, workspace_name,
+  agent_name, decision, http_url, template_id, ...). Real captured denies:
+  Claude Code's own calls to `api.anthropic.com` (eval + event_logging) and
+  `raw.githubusercontent.com` (update check) are decision=deny, while
+  inference through the allowlisted gateway works. This is the exact
+  data-exfiltration / DLP story, with attribution, on demand.
+
+### Rollback
+Use the un-firewalled `claude-code` template, or set `enable_boundary = false`
+and re-push. Running pods survive (`ignore_changes = all`).
+
+### Original design notes (pre-implementation, retained for context)
+1. Two default-off variables:
+```hcl
+variable "enable_agent_firewall" { type = bool   default = false }
+variable "agent_firewall_jail_type" { type = string default = "landjail" }
+```
+2. One line in the `module "claude_code"` block:
+```hcl
+enable_boundary = var.enable_agent_firewall
+```
+3. A flag-gated `coder_script` that writes `~/.config/coder_boundary/config.yaml`.
+   Environment-specific allowlist (critical: egress is in-boundary via the AI
+   Gateway, so DO NOT allow `api.anthropic.com`; DO allow the Coder domain and
+   the in-cluster GitLab host):
+```yaml
+allowlist:
+  - "domain=dev.usgov.coderdemo.io"      # reach the in-boundary AI Gateway (required)
+  - "domain=gitlab.usgov.coderdemo.io"   # in-cluster GitLab SCM (confirm exact host)
+jail_type: landjail
+log_dir: /tmp/boundary_logs
+proxy_port: 8087
+log_level: warn
+```
+4. nsjail fallback only: if `agent_firewall_jail_type == "nsjail"`, add
+   `capabilities.add = ["NET_ADMIN"]` to the container security context. The
+   default landjail path leaves the pod security context unchanged.
+
+### Demo, verification, rollback (original notes)
+- Demo: in the workspace, `curl https://dev.usgov.coderdemo.io/api/v2/buildinfo`
+  (allowed) vs `curl https://example.com` (denied). Claude Code keeps working
+  because the gateway domain is allowlisted.
+- Proof: coderd emits a structured `boundary_request` log per decision
+  (`decision=allow|deny`, `http_url`, `matched_rule`, `workspace_id`,
+  `template_id`). The boundary Grafana dashboard (already shipped) parses these
+  via Loki and lights up once a workspace runs the firewall (reads 0 today).
+- Prometheus series name (RESOLVED): the dashboard's
+  `agent_boundary_log_proxy_batches_forwarded_total` is CORRECT, confirmed
+  from source `agent/boundarylogproxy/metrics.go` (Namespace `agent`,
+  Subsystem `boundary_log_proxy`, Name `batches_forwarded_total`). The
+  prefix-less spelling in `docs/architecture/agent-firewall-feasibility.md`
+  is wrong; the observability brief tracks that one-line fix.
+- Rollback: set `enable_agent_firewall = false` (the default) and re-push the
+  template. Running pods survive (`ignore_changes = all`); a restart re-rolls
+  without the jail. No infra-layer change to revert.
+
+### Risks
+- Landlock-in-LSM preflight (mitigated by nsjail fallback).
+- Allowlist is load-bearing: omitting the Coder domain breaks Claude Code.
+- Egress-only scope under landjail (no UDP/PID isolation); frame precisely as
+  network egress control. Use nsjail for a hardened story.
+
+Effort: S. Owner: platform.
+
+---
+
+## Gap 2: Authenticated MCP [CRITICAL for the AOI auth story]
+
+Goal: demonstrate an MCP tool that requires real authentication and enforces
+need-to-know, narrated as "Coder x an internal authenticated service." The
+proposed backend is GitHub's hosted MCP (the auth genuinely works), with an
+in-boundary fallback that keeps optics clean.
+
+### Backend: GitHub remote MCP (verified specifics)
+- URL `https://api.githubcopilot.com/mcp/`, transport `streamable_http`.
+- Auth: OAuth (per-user) or PAT (`Authorization: Bearer <token>`).
+- Read-only safety: send header `X-MCP-Readonly: true`.
+- It clears GitLab blocker #2: its RFC 9728 `resource` is a string (not the JSON
+  array that broke Coder's parser). But it advertises no DCR
+  `registration_endpoint`, so Coder zero-config oauth2 (auto-DCR) will fail;
+  oauth2 must be MANUAL (pre-registered GitHub OAuth App). GitHub OAuth
+  endpoints: authorize `https://github.com/login/oauth/authorize`, token
+  `https://github.com/login/oauth/access_token`.
+
+### THE GATE (must verify first): 204 vs 202
+Coder's MCP client (`mark3labs/mcp-go` v0.38.0) accepts only HTTP 200/202 on the
+`notifications/initialized` POST; GitLab returned 204 and was dropped
+(CODAGT-570). GitHub's status on that notification is unverifiable without a
+token (unauth `initialize` returns 401; the `/_ping` 200 is a different path).
+Gate procedure: mint a fine-scoped GitHub PAT, run `initialize` then
+`notifications/initialized`, and read the status line; 200/202 = good, 204 =
+GitHub MCP unusable as-is. Most authoritative: register it in Coder with
+`api_key` + the PAT and watch coderd logs for "skipping MCP server due to
+connection failure ... status 204". Do this BEFORE committing the demo to GitHub.
+
+### Paths
+- Path A (recommended for speed): `api_key` + fine-scoped PAT. Simplest,
+  genuinely authenticated, and the same call that clears the gate. Caveat: a
+  single PAT is one shared identity, so the per-user need-to-know story needs
+  per-user PATs (one server per demoed user) or Path B.
+- Path B (best per-user RBAC headline): manual `oauth2` + a pre-created GitHub
+  OAuth App whose callback is
+  `https://dev.usgov.coderdemo.io/api/experimental/mcp/servers/{id}/oauth2/callback`.
+  Each user clicks Connect once; Coder stores a per-user GitHub token; users see
+  only what their GitHub identity can access. Sequencing note: the callback
+  needs the Coder server `{id}`, so create the Coder MCP row first (or use a
+  placeholder app), then set the OAuth App callback, then patch client id/secret.
+- Fallback C (clean GovCloud optics, fully in-boundary): add auth to our
+  existing datastore MCP (`deploy/datastore-mcp`). Ranked: (1) manual `oauth2`
+  via Keycloak (real per-user, in-boundary, best optics), (2) `user_oidc` (Coder
+  forwards the user's OIDC token; the MCP must verify audience), (3) `api_key`
+  (shared, simplest). It must also pass the 202 gate, which we control since it
+  is our code.
+
+### Registration request (api_key example; `api_key_value` must include `Bearer`)
+```json
+{
+  "display_name": "GitHub (Internal Service)",
+  "slug": "github",
+  "transport": "streamable_http",
+  "url": "https://api.githubcopilot.com/mcp/",
+  "auth_type": "api_key",
+  "api_key_header": "Authorization",
+  "api_key_value": "Bearer <fine_scoped_PAT>",
+  "tool_allow_list": ["get_me","search_repositories","get_repository","search_code","list_issues","get_issue"],
+  "availability": "default_off",
+  "enabled": true
+}
+```
+(oauth2 variant: drop the api_key fields and set `auth_type: oauth2` plus
+`oauth2_client_id/secret`, `oauth2_auth_url`, `oauth2_token_url`,
+`oauth2_scopes: "read:user repo read:org"`.)
+
+### Egress / optics
+Both GitHub options egress to public GitHub. The narration is "internal
+service," but packets and tokens leave the boundary. Mitigate with read-only
+tools + `X-MCP-Readonly`, a throwaway demo org/repo, and a scoped PAT; or, if
+optics must be clean, make Fallback C (in-boundary) the primary and use GitHub
+only as a "real external SaaS" bonus.
+
+Effort: api_key S; oauth2 M; in-boundary fallback M to L.
+
+---
+
+## Other gaps (prioritized)
+
+1. Agent attribution / non-repudiation (WS-23, staged, security review pending).
+   Who-did-what for agent actions is a core AOI governance capability. Plan:
+   complete the security review, then apply `setup-pm-persona.py` /
+   `setup-gitlab-agent-webhook.py` (both `--plan` default). Effort M.
+2. Audit and observability readiness. Coder audit log + AI Gateway (aibridge)
+   and boundary Grafana dashboards already exist. Verify they show live data for
+   the demo flow (boundary lights up after Gap 1; aibridge already does).
+   Effort S, verification only.
+3. Need-to-know data isolation as one narrative thread. Tie together orgs/groups
+   RBAC, the per-group/per-user spend limits, and the authenticated MCP (Gap 2)
+   into a single "this user sees only their mission's data and budget" story. No
+   new build; rehearsal/narrative.
+4. Workspace template golden-path e2e (WS-25 remaining): a one-time owner GitLab
+   OAuth login, then build one workspace per template and run a connectivity
+   check. Readiness gap if templates are part of the flow. Effort M.
+5. DLP / guardrails segment: pair the firewall (Gap 1) with the authenticated,
+   read-only MCP (Gap 2) as the "agent guardrails" portion of the demo.
+
+---
+
+## Recommended sequencing for Thursday
+
+1. Preflight: confirm `landlock` in the node LSM stack (5 min).
+2. Enable firewall on `claude-code` (template edit + push + 1 workspace), verify
+   allow/deny + dashboard + `boundary_request` audit lines. [Gap 1]
+3. Gate GitHub MCP: register with `api_key` + PAT in a throwaway test, watch
+   coderd logs for the 204 failure. [Gap 2 gate]
+4. If the gate passes and egress optics are acceptable: keep GitHub MCP
+   (api_key for speed, or oauth2 for the per-user RBAC headline). If the gate
+   fails or optics must stay in-boundary: stand up the authenticated datastore
+   MCP (Fallback C). [Gap 2]
+5. Optional: apply attribution (WS-23) after security review; verify
+   audit/observability; rehearse the need-to-know narrative.
+
+---
+
+## Open questions for you
+
+1. GitHub: which org/account and repos for the OAuth App / PAT? Is calling
+   `github.com` acceptable for demo optics, or must the authenticated MCP stay
+   in-boundary (then we do Fallback C as primary)?
+2. Auth headline: per-user RBAC (`oauth2`) or fastest-authenticated (`api_key`)?
+3. Firewall backend: landjail (zero-touch) or nsjail (stronger isolation)?
+4. Include agent attribution (WS-23) in this demo, or defer past Thursday?
+5. Anything in `aoi/gaps-aoi.md` not covered here? I have not seen that file yet
+   (another agent is writing it); I will reconcile once it lands.
+
+---
+
+## Top risks
+
+- The 204/202 gate (Gap 2) is the single biggest risk. Mitigated by gating
+  first and by the in-boundary fallback.
+- Firewall landlock LSM preflight. Mitigated by the nsjail fallback.
+- GovCloud egress optics for GitHub MCP. Mitigated by the in-boundary fallback.
+- Time: every item is S or M and reversible; the demo is Thursday.

From 17f4cc67e6a2e83c19acb9ca9f29a9e99f750054 Mon Sep 17 00:00:00 2001
From: Austen Bruhn <asbru17@gmail.com>
Date: Tue, 9 Jun 2026 14:04:13 +0000
Subject: [PATCH 3/3] feat(coder-templates/firewalled): use the RH Summit 2026
 boundary allowlist

Replace the minimal gateway+gitlab allowlist with the Red Hat Summit 2026 demo
allowlist (coder/demo-aigov-rhaiis-rhsummit-2026): Claude Code's default
allowed domains (most package managers, GitHub, container registries, cloud
SDKs) plus this deployment's Coder host and the in-cluster GitLab. npm is
intentionally omitted so `npm install` is the obvious DENY in the demo.

- Add boundary.config.yaml.tftpl (175 allow rules), rendered with
  templatefile() so ${coder_host} resolves from the access URL, and written
  via a base64 round-trip in pre_install_script.
- Set BOUNDARY_CONFIG and BOUNDARY_JAIL_TYPE=landjail agent env vars so
  boundary loads the config and uses landjail reliably (boundary v0.9.0
  dropped config auto-discovery).

Validated live: firewall-test rebuilt on the new version, Claude Code still
jailed, ALLOW gateway/pypi/github = 200, DENY registry.npmjs.org/example.com
= 403.

Generated by Coder Agents.
---
 coder-templates/firewalled/README.md          |  41 +--
 .../firewalled/boundary.config.yaml.tftpl     | 270 ++++++++++++++++++
 coder-templates/firewalled/main.tf            |  76 +++--
 3 files changed, 350 insertions(+), 37 deletions(-)
 create mode 100644 coder-templates/firewalled/boundary.config.yaml.tftpl

diff --git a/coder-templates/firewalled/README.md b/coder-templates/firewalled/README.md
index 7506ed5..b5dabb3 100644
--- a/coder-templates/firewalled/README.md
+++ b/coder-templates/firewalled/README.md
@@ -27,17 +27,20 @@ seeds the agent with the task prompt.
 The `module "claude_code"` block sets `enable_boundary = true` and
 `use_boundary_directly = true`, so the module installs the standalone
 `boundary` binary and launches `boundary -- claude`. The allowlist and jail
-type are read from `~/.config/coder_boundary/config.yaml`, written by the
-module `pre_install_script` before Claude Code starts:
-
-```yaml
-allowlist:
-  - "domain=dev.usgov.coderdemo.io"   # AI Gateway egress (REQUIRED)
-  - "domain=gitlab.usgov.coderdemo.io" # in-cluster GitLab SCM
-jail_type: landjail
-log_dir: /tmp/boundary_logs
-log_level: warn
-```
+type come from `~/.config/coder_boundary/config.yaml`, rendered from
+`boundary.config.yaml.tftpl` and written by the module `pre_install_script`
+before Claude Code starts. The agent env vars `BOUNDARY_CONFIG` and
+`BOUNDARY_JAIL_TYPE=landjail` make boundary load that config and use landjail
+reliably (boundary v0.9.0 dropped config auto-discovery).
+
+The allowlist (`boundary.config.yaml.tftpl`) is adapted from the Red Hat
+Summit 2026 demo (`coder/demo-aigov-rhaiis-rhsummit-2026`). It uses Claude
+Code's default allowed domains (most package managers, GitHub, container
+registries, cloud SDKs) plus this deployment's Coder host (`${coder_host}`,
+rendered from the access URL) and the in-cluster GitLab. **npm is
+intentionally omitted**, so asking the agent to `npm install <anything>` is
+the obvious DENY in the demo. Edit the `.tftpl` file to change the allowlist;
+do not inline rules in `main.tf`.
 
 Why `use_boundary_directly = true`: the default `coder boundary` subcommand
 verifies the deployment license via an authenticated client, but the agent
@@ -53,13 +56,19 @@ well past the Landlock 6.7 floor and `landlock` is in the node LSM stack.
 boundary -- curl -sS -o /dev/null -w '%{http_code}\n' \
   https://dev.usgov.coderdemo.io/api/v2/buildinfo
 
-# Denied: anything off the allowlist is blocked (boundary returns 403)
-boundary -- curl -sS -o /dev/null -w '%{http_code}\n' https://example.com
+# Allowed: PyPI is on the allowlist
+boundary -- curl -sS -o /dev/null -w '%{http_code}\n' https://pypi.org
+
+# Denied: npm is intentionally off the allowlist (boundary returns 403)
+boundary -- curl -sS -o /dev/null -w '%{http_code}\n' https://registry.npmjs.org
 ```
 
-Claude Code itself keeps working because its `ANTHROPIC_BASE_URL` points at
-the allowlisted gateway host. To roll back to an un-firewalled workspace, use
-the `claude-code` template instead (or set `enable_boundary = false`).
+The headline demo: ask Claude Code to `npm install left-pad`. boundary denies
+the egress and the deny shows up live in the boundary Grafana dashboard and
+the coderd audit log with owner / workspace / agent attribution. Claude Code
+itself keeps working because its `ANTHROPIC_BASE_URL` points at the
+allowlisted gateway host. To roll back to an un-firewalled workspace, use the
+`claude-code` template instead (or set `enable_boundary = false`).
 
 ## What's inside
 
diff --git a/coder-templates/firewalled/boundary.config.yaml.tftpl b/coder-templates/firewalled/boundary.config.yaml.tftpl
new file mode 100644
index 0000000..b4a81d4
--- /dev/null
+++ b/coder-templates/firewalled/boundary.config.yaml.tftpl
@@ -0,0 +1,270 @@
+#
+# Coder Boundary agent-firewall allowlist for the "firewalled" template.
+#
+# Rendered at plan time by Terraform templatefile() (so ${coder_host} is
+# substituted with this deployment's access URL host), then written to
+# ~/.config/coder_boundary/config.yaml on every workspace start. boundary
+# loads it via the BOUNDARY_CONFIG env var set on the agent.
+#
+# Rule format: https://github.com/coder/boundary#allow-rules
+#   domain=example.com       exact host match
+#   domain=*.example.com     subdomain match (does NOT include the apex)
+#   method=GET domain=...    restrict by HTTP method
+#   path=/api/v1/*           restrict by path prefix
+#
+# This allowlist is adapted from the Red Hat Summit 2026 demo template
+# (coder/demo-aigov-rhaiis-rhsummit-2026), which is based on Claude Code's
+# default allowed domains
+# (https://code.claude.com/docs/en/claude-code-on-the-web#default-allowed-domains)
+# plus this deployment's Coder access URL, the in-cluster GitLab, and test
+# fixtures. npm is intentionally left off so that asking the agent to
+# `npm install <anything>` is the obvious DENY in the demo.
+
+allowlist:
+  # This Coder deployment: AI Bridge, AgentAPI, workspace agent. Rendered
+  # from the workspace's access URL at plan time. REQUIRED, removing it
+  # breaks Claude Code inference through the AI Gateway.
+  - domain=${coder_host}
+
+  # In-cluster GitLab, so agents running under boundary can clone from and
+  # push to internal repos. The initial git-clone on workspace start runs
+  # outside boundary (agent context), but an agent invoking
+  # `git clone gitlab.usgov.coderdemo.io/...` via its Bash tool needs this.
+  - domain=gitlab.usgov.coderdemo.io
+
+  # Test domains
+  - method=GET domain=typicode.com
+  - method=GET domain=*.typicode.com
+
+  # Domains used by Coder workspaces (Claude Code usage telemetry via Datadog)
+  - method=POST domain=http-intake.logs.datadoghq.com
+  - method=POST domain=http-intake.logs.us5.datadoghq.com
+
+  # === Default allowed domains from Claude Code on the web ===
+  # Source: https://code.claude.com/docs/en/claude-code-on-the-web#default-allowed-domains
+
+  # Anthropic Services. *.claude.ai covers downloads.claude.ai (the Claude
+  # Code updater check, polled every 30 min) and any other subdomain
+  # Anthropic introduces. claude.ai alone is exact-match only.
+  - domain=api.anthropic.com
+  - domain=statsig.anthropic.com
+  - domain=claude.ai
+  - domain=*.claude.ai
+
+  # Version Control
+  - domain=github.com
+  - domain=www.github.com
+  - domain=api.github.com
+  - domain=raw.githubusercontent.com
+  - domain=objects.githubusercontent.com
+  - domain=codeload.github.com
+  - domain=avatars.githubusercontent.com
+  - domain=camo.githubusercontent.com
+  - domain=gist.github.com
+  - domain=gitlab.com
+  - domain=www.gitlab.com
+  - domain=registry.gitlab.com
+  - domain=bitbucket.org
+  - domain=www.bitbucket.org
+  - domain=api.bitbucket.org
+
+  # Container Registries
+  - domain=registry-1.docker.io
+  - domain=auth.docker.io
+  - domain=index.docker.io
+  - domain=hub.docker.com
+  - domain=www.docker.com
+  - domain=production.cloudflare.docker.com
+  - domain=download.docker.com
+  - domain=*.gcr.io
+  - domain=ghcr.io
+  - domain=mcr.microsoft.com
+  - domain=*.data.mcr.microsoft.com
+
+  # AWS CDN / object storage. Many release artifacts (npm tarballs, GitHub
+  # release assets redirected via CloudFront, third-party installers, SDK
+  # downloads) are hosted on *.amazonaws.com or CloudFront. Without this
+  # rule, installs of random OSS tooling silently fail with connection
+  # errors.
+  - domain=*.amazonaws.com
+  - domain=*.cloudfront.net
+
+  # Cloud Platforms
+  - domain=cloud.google.com
+  - domain=accounts.google.com
+  - domain=gcloud.google.com
+  - domain=*.googleapis.com
+  - domain=storage.googleapis.com
+  - domain=compute.googleapis.com
+  - domain=container.googleapis.com
+  - domain=azure.com
+  - domain=portal.azure.com
+  - domain=microsoft.com
+  - domain=www.microsoft.com
+  - domain=*.microsoftonline.com
+  - domain=packages.microsoft.com
+  - domain=dotnet.microsoft.com
+  - domain=dot.net
+  - domain=visualstudio.com
+  - domain=dev.azure.com
+  - domain=oracle.com
+  - domain=www.oracle.com
+  - domain=java.com
+  - domain=www.java.com
+  - domain=java.net
+  - domain=www.java.net
+  - domain=download.oracle.com
+  - domain=yum.oracle.com
+
+  # Package Managers - JavaScript/Node
+  #
+  # Intentionally NOT allowlisted in this demo template. Asking the agent
+  # to `npm install <anything>` produces a fast, obvious DENY on the
+  # Grafana dashboard, the "Part 1" firewall demo. If you fork this
+  # template for real dev work, add these back:
+  #   - domain=registry.npmjs.org
+  #   - domain=www.npmjs.com
+  #   - domain=www.npmjs.org
+  #   - domain=npmjs.com
+  #   - domain=npmjs.org
+  #   - domain=yarnpkg.com
+  #   - domain=registry.yarnpkg.com
+
+  # Package Managers - Python
+  - domain=pypi.org
+  - domain=www.pypi.org
+  - domain=files.pythonhosted.org
+  - domain=pythonhosted.org
+  - domain=test.pypi.org
+  - domain=pypi.python.org
+  - domain=pypa.io
+  - domain=www.pypa.io
+
+  # Package Managers - Ruby
+  - domain=rubygems.org
+  - domain=www.rubygems.org
+  - domain=api.rubygems.org
+  - domain=index.rubygems.org
+  - domain=ruby-lang.org
+  - domain=www.ruby-lang.org
+  - domain=rubyforge.org
+  - domain=www.rubyforge.org
+  - domain=rubyonrails.org
+  - domain=www.rubyonrails.org
+  - domain=rvm.io
+  - domain=get.rvm.io
+
+  # Package Managers - Rust
+  - domain=crates.io
+  - domain=www.crates.io
+  - domain=static.crates.io
+  - domain=rustup.rs
+  - domain=static.rust-lang.org
+  - domain=www.rust-lang.org
+
+  # Package Managers - Go
+  - domain=proxy.golang.org
+  - domain=sum.golang.org
+  - domain=index.golang.org
+  - domain=golang.org
+  - domain=www.golang.org
+  - domain=go.dev
+  - domain=dl.google.com
+  - domain=goproxy.io
+  - domain=pkg.go.dev
+
+  # Package Managers - JVM
+  - domain=maven.org
+  - domain=repo.maven.org
+  - domain=central.maven.org
+  - domain=repo1.maven.org
+  - domain=jcenter.bintray.com
+  - domain=gradle.org
+  - domain=www.gradle.org
+  - domain=services.gradle.org
+  - domain=spring.io
+  - domain=repo.spring.io
+
+  # Package Managers - Other Languages
+  - domain=packagist.org
+  - domain=www.packagist.org
+  - domain=repo.packagist.org
+  - domain=nuget.org
+  - domain=www.nuget.org
+  - domain=api.nuget.org
+  - domain=pub.dev
+  - domain=api.pub.dev
+  - domain=hex.pm
+  - domain=www.hex.pm
+  - domain=cpan.org
+  - domain=www.cpan.org
+  - domain=metacpan.org
+  - domain=www.metacpan.org
+  - domain=api.metacpan.org
+  - domain=cocoapods.org
+  - domain=www.cocoapods.org
+  - domain=cdn.cocoapods.org
+  - domain=haskell.org
+  - domain=www.haskell.org
+  - domain=hackage.haskell.org
+  - domain=swift.org
+  - domain=www.swift.org
+
+  # Linux Distributions
+  - domain=archive.ubuntu.com
+  - domain=security.ubuntu.com
+  - domain=ubuntu.com
+  - domain=www.ubuntu.com
+  - domain=*.ubuntu.com
+  - domain=ppa.launchpad.net
+  - domain=launchpad.net
+  - domain=www.launchpad.net
+
+  # Development Tools & Platforms
+  - domain=dl.k8s.io
+  - domain=pkgs.k8s.io
+  - domain=k8s.io
+  - domain=www.k8s.io
+  - domain=releases.hashicorp.com
+  - domain=apt.releases.hashicorp.com
+  - domain=rpm.releases.hashicorp.com
+  - domain=archive.releases.hashicorp.com
+  - domain=hashicorp.com
+  - domain=www.hashicorp.com
+  - domain=repo.anaconda.com
+  - domain=conda.anaconda.org
+  - domain=anaconda.org
+  - domain=www.anaconda.com
+  - domain=anaconda.com
+  - domain=continuum.io
+  - domain=apache.org
+  - domain=www.apache.org
+  - domain=archive.apache.org
+  - domain=downloads.apache.org
+  - domain=eclipse.org
+  - domain=www.eclipse.org
+  - domain=download.eclipse.org
+  - domain=nodejs.org
+  - domain=www.nodejs.org
+
+  # Cloud Services & Monitoring
+  - domain=statsig.com
+  - domain=www.statsig.com
+  - domain=api.statsig.com
+  - domain=*.sentry.io
+
+  # Content Delivery & Mirrors
+  - domain=*.sourceforge.net
+  - domain=packagecloud.io
+  - domain=*.packagecloud.io
+
+  # Schema & Configuration
+  - domain=json-schema.org
+  - domain=www.json-schema.org
+  - domain=json.schemastore.org
+  - domain=www.schemastore.org
+
+log_dir: /tmp/boundary_logs
+log_level: warn
+proxy_port: 8087
+jail_type: landjail
diff --git a/coder-templates/firewalled/main.tf b/coder-templates/firewalled/main.tf
index 4a19f44..6fd8599 100644
--- a/coder-templates/firewalled/main.tf
+++ b/coder-templates/firewalled/main.tf
@@ -15,13 +15,19 @@
 #     path needs a logged-in coder CLI session (license check); the agent has
 #     only an agent token, so the standalone binary is the reliable path.
 #   - The module adds no --allow / --jail-type flags, so the allowlist and
-#     jail type come from ~/.config/coder_boundary/config.yaml, written by
-#     pre_install_script below before Claude Code launches.
+#     jail type come from ~/.config/coder_boundary/config.yaml. That file is
+#     rendered from boundary.config.yaml.tftpl and written by
+#     pre_install_script; BOUNDARY_CONFIG + BOUNDARY_JAIL_TYPE agent env vars
+#     make boundary load it and use landjail reliably.
 #
-# Allowlist (config.yaml): dev.usgov.coderdemo.io (AI Gateway egress,
-# REQUIRED or Claude Code breaks) and gitlab.usgov.coderdemo.io (SCM).
-# jail_type landjail needs no added capabilities (AL2023 kernel 6.18
-# exceeds the Landlock 6.7 floor; landlock is in the node LSM stack).
+# Allowlist (boundary.config.yaml.tftpl): adapted from the Red Hat Summit
+# 2026 demo (coder/demo-aigov-rhaiis-rhsummit-2026), which uses Claude
+# Code's default allowed domains (package managers, GitHub, container
+# registries, cloud SDKs) plus this deployment's Coder host and the
+# in-cluster GitLab. npm is intentionally omitted so `npm install` is the
+# obvious DENY in the demo. jail_type landjail needs no added capabilities
+# (AL2023 kernel 6.18 exceeds the Landlock 6.7 floor; landlock is in the
+# node LSM stack).
 #
 # Runs Claude Code as a Coder Agent inside a Kubernetes pod on the EKS
 # cluster. Claude Code is wired through the Coder AI Gateway (AI Bridge)
@@ -224,6 +230,17 @@ locals {
   # For documentation/readme parity. The claude-code module derives the
   # same value internally from data.coder_workspace.me.access_url.
   ai_gateway_anthropic_url = "${data.coder_workspace.me.access_url}/api/v2/aibridge/anthropic"
+
+  # Coder access URL host, substituted into the boundary allowlist so the
+  # agent can reach the AI Gateway, AgentAPI, and the workspace agent.
+  coder_host = replace(replace(data.coder_workspace.me.access_url, "https://", ""), "http://", "")
+
+  # Agent firewall allowlist, rendered from the sibling
+  # boundary.config.yaml.tftpl (adapted from the Red Hat Summit 2026 demo).
+  # Edit that file to change the allowlist; do not inline rules here.
+  boundary_config_yaml = templatefile("${path.module}/boundary.config.yaml.tftpl", {
+    coder_host = local.coder_host
+  })
 }
 
 # -----------------------------------------------------------------------------
@@ -303,6 +320,25 @@ resource "coder_env" "anthropic_auth_token" {
   value    = data.coder_workspace_owner.me.session_token
 }
 
+# -----------------------------------------------------------------------------
+# Agent firewall env
+# -----------------------------------------------------------------------------
+# boundary v0.9.0 no longer auto-discovers ~/.config/coder_boundary/config.yaml,
+# so point it at the rendered config explicitly and pin landjail. These env
+# vars are read by both the module-launched `boundary -- claude` and any
+# manual `boundary -- <cmd>` run in a workspace terminal.
+resource "coder_env" "boundary_config" {
+  agent_id = coder_agent.main.id
+  name     = "BOUNDARY_CONFIG"
+  value    = "/home/coder/.config/coder_boundary/config.yaml"
+}
+
+resource "coder_env" "boundary_jail_type" {
+  agent_id = coder_agent.main.id
+  name     = "BOUNDARY_JAIL_TYPE"
+  value    = "landjail"
+}
+
 # -----------------------------------------------------------------------------
 # Claude Code (Coder registry module) + Coder Task
 # -----------------------------------------------------------------------------
@@ -340,26 +376,24 @@ module "claude_code" {
   boundary_version      = "latest"
 
   # The 4.7.3 module passes no --allow / --jail-type flags to boundary, so
-  # this config file is the ONLY source of the allowlist and jail type. It
-  # must exist before Claude Code starts, so it is written in
-  # pre_install_script (runs before the start script that launches boundary).
-  # Allowing dev.usgov.coderdemo.io is REQUIRED: it is the AI Gateway egress
-  # that Claude Code depends on. Everything not listed is denied + audited.
+  # the allowlist and jail type come ONLY from
+  # ~/.config/coder_boundary/config.yaml. That file is rendered from the
+  # sibling boundary.config.yaml.tftpl (Red Hat Summit 2026 allowlist) and
+  # written here, before Claude Code starts. The BOUNDARY_CONFIG and
+  # BOUNDARY_JAIL_TYPE agent env vars (below) make boundary load it reliably
+  # and use landjail even though boundary v0.9.0 dropped config
+  # auto-discovery. The base64 round-trip keeps the multi-line YAML intact
+  # inside the heredoc. Allowing the Coder host is REQUIRED: it is the AI
+  # Gateway egress Claude Code depends on. Everything not listed is denied
+  # and audited (npm is intentionally omitted as the demo DENY).
   pre_install_script = <<-EOT
     #!/bin/bash
     set -e
     mkdir -p "$HOME/.config/coder_boundary" /tmp/boundary_logs
     cfg="$HOME/.config/coder_boundary/config.yaml"
-    {
-      echo 'allowlist:'
-      echo '  - "domain=dev.usgov.coderdemo.io"'
-      echo '  - "domain=gitlab.usgov.coderdemo.io"'
-      echo 'jail_type: landjail'
-      echo 'log_dir: /tmp/boundary_logs'
-      echo 'log_level: warn'
-    } > "$cfg"
-    echo "[firewalled] wrote boundary config:"
-    cat "$cfg"
+    echo '${base64encode(local.boundary_config_yaml)}' | base64 -d > "$cfg"
+    chmod 600 "$cfg"
+    echo "[firewalled] wrote boundary config ($(grep -c '^  - ' "$cfg") allow rules)"
   EOT
 
   # Coder Tasks: seed the agent and report task status to the Coder UI via