From 05d12203ea1407f975a37de678999306787a6872 Mon Sep 17 00:00:00 2001
From: Zach Kipp
Date: Wed, 10 Dec 2025 23:02:54 -0700
Subject: [PATCH] feat(claude-code): add boundary log socket configuration
- Add CODER_AGENT_BOUNDARY_LOG_SOCKET env var for agent
- Add boundary_log_socket_path variable (default: /tmp/coder-boundary-audit.sock)
- Update start.sh to pass --audit-socket to boundary when env var is set
This enables boundary audit log forwarding to coderd when boundary is enabled.
---
 registry/coder/modules/claude-code/main.tf | 14 ++++++++++++++
 .../coder/modules/claude-code/scripts/start.sh | 5 +++++
 2 files changed, 19 insertions(+)
diff --git a/registry/coder/modules/claude-code/main.tf b/registry/coder/modules/claude-code/main.tf
index bef2a219e..5677ecc4b 100644
--- a/registry/coder/modules/claude-code/main.tf
+++ b/registry/coder/modules/claude-code/main.tf
@@ -252,6 +252,12 @@ variable "compile_boundary_from_source" {
 default = false
 }
+variable "boundary_log_socket_path" {
+ type = string
+ description = "Path to the Unix socket for boundary audit logs. Both the agent and boundary use this path."
+ default = "/tmp/coder-boundary-audit.sock"
+}
+
 resource "coder_env" "claude_code_md_path" {
 count = var.claude_md_path == "" ? 0 : 1
@@ -288,6 +294,14 @@ resource "coder_env" "disable_autoupdater" {
 value = "1"
 }
+resource "coder_env" "boundary_log_socket" {
+ count = var.enable_boundary ? 1 : 0
+
+ agent_id = var.agent_id
+ name = "CODER_BOUNDARY_LOG_SOCKET"
+ value = var.boundary_log_socket_path
+}
+
 locals {
 # we have to trim the slash because otherwise coder exp mcp will
 # set up an invalid claude config
diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh
index 93ff4f723..6bb712a20 100644
--- a/registry/coder/modules/claude-code/scripts/start.sh
+++ b/registry/coder/modules/claude-code/scripts/start.sh
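Review bot: The default for `boundary_log_socket_path` in the first main.tf hunk places the audit socket at a fixed, predictable name in `/tmp`, a directory shared by every local user and process in the workspace. Which side creates the socket and with what file mode is not visible in this diff, so it is worth confirming that only the agent can bind the path and that a stale or foreign file there is detected, not silently reused. A default under a directory owned by the workspace user (a runtime or home directory) would take the audit channel out of the shared namespace. The variable also accepts empty and relative values, and a `validation` block with `condition = can(regex("^/", var.boundary_log_socket_path))` would reject them at plan time.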
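Review bot: The environment variable name exported by `coder_env.boundary_log_socket` in the second main.tf hunk does not match the name used elsewhere in this patch. The resource sets `CODER_BOUNDARY_LOG_SOCKET`, while the commit message and the start.sh hunk both use `CODER_AGENT_BOUNDARY_LOG_SOCKET`. Unless something outside this diff sets the longer name, the `-n` test in start.sh is never true and boundary starts without `--audit-socket`, so audit forwarding stays off even with `enable_boundary = true`, and nothing reports it. Use one name on both sides, for example `name = "CODER_AGENT_BOUNDARY_LOG_SOCKET"` here. If the agent really expects the shorter name, start.sh should read that one instead.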
@@ -249,6 +249,11 @@ function start_agentapi() {
 # Set HTTP Proxy port used by Boundary
 BOUNDARY_ARGS+=(--proxy-port "$ARG_BOUNDARY_PROXY_PORT")
+ # Pass audit socket path if CODER_AGENT_BOUNDARY_LOG_SOCKET is set
+ if [ -n "$CODER_AGENT_BOUNDARY_LOG_SOCKET" ]; then
+ BOUNDARY_ARGS+=(--audit-socket "$CODER_AGENT_BOUNDARY_LOG_SOCKET")
+ fi
+
 # Set log level for boundary
 BOUNDARY_ARGS+=(--log-level "$ARG_BOUNDARY_LOG_LEVEL")
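Review bot: When `CODER_AGENT_BOUNDARY_LOG_SOCKET` is empty, the new `if` skips `--audit-socket` without a trace, so boundary runs unaudited and nothing in the startup output says so. Since auditing is the purpose of this change, the skip should at least be visible, for example an `else` branch with `echo "boundary: audit socket not set, audit logs will not be forwarded" >&2`. Whether boundary should refuse to start in that case is a policy question. If the script runs under `set -u`, which is not visible here, the bare expansion aborts when the variable is unset, and `"${CODER_AGENT_BOUNDARY_LOG_SOCKET:-}"` avoids that. `start_agentapi` begins and ends outside this hunk.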