Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: coder/coder
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: main
Choose a base ref
...
head repository: coder/coder
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: zedkipp/boundary-logs
Choose a head ref
Checking mergeability… Don’t worry, you can still create the pull request.
  • 5 commits
  • 15 files changed
  • 1 contributor

Commits on Dec 11, 2025

  1. feat(agent): add boundary log forwarding to coderd 

    Add a feature that transmits boundary audit logs from workspaces to coderd
via the agent API, then re-emits them to stderr in a structured format.

The implementation includes:
- BoundaryLog proto messages and ReportBoundaryLogs RPC (API v2.7)
- BoundaryLogProxy server that accepts connections from boundary processes
  on a Unix socket and forwards logs to coderd
- Server-side handler that formats logs to stderr
- Environment variables CODER_BOUNDARY_LOG_SOCKET and CODER_WORKSPACE_ID
  automatically set for all commands in the workspace

Architecture:
- Boundary process connects to Unix socket at $CODER_BOUNDARY_LOG_SOCKET
- Sends length-prefixed protobuf ReportBoundaryLogsRequest messages
- Agent proxies messages to coderd via DRPC
- coderd re-emits to stderr

Log format:
[API] 2025-12-08 20:58:46.093 [warn] boundary: workspace.id=... decision=deny http.method="GET" http.url="..." time="..."
    @zedkipp
    zedkipp committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    0d27d6b View commit details
    Browse the repository at this point in the history

  2. refactor(agent): rename startBoundaryLogSocketServer to startBoundary… 

    …LogProxyServer
    @zedkipp
    zedkipp committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    acaa3b6 View commit details
    Browse the repository at this point in the history

  3. refactor(agent): read boundary log socket path from env var 

    The socket path is now configured via the workspace template by setting
CODER_BOUNDARY_LOG_SOCKET. This allows both the agent and boundary to
use the same path without needing to pass it through child processes.

- Remove boundaryLogProxyMu (no longer needed)
- Only start proxy if CODER_BOUNDARY_LOG_SOCKET is set
- Only start forwarder if proxy was started
- Remove code that set env var for child processes
    @zedkipp
    zedkipp committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    295d760 View commit details
    Browse the repository at this point in the history

  4. refactor(agent): read boundary log socket path from manifest 

    Read CODER_BOUNDARY_LOG_SOCKET from manifest.EnvironmentVariables instead
of os.Getenv. This allows the socket path to be configured via coder_env
in the workspace template.

The proxy is now started in handleManifest after the manifest is fetched,
rather than in init() before the manifest is available.
    @zedkipp
    zedkipp committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    0860ba7 View commit details
    Browse the repository at this point in the history

  5. refactor(agent): use CLI flag for boundary log socket path 

    Add --boundary-log-socket flag (env: CODER_AGENT_BOUNDARY_LOG_SOCKET) to
configure the boundary audit log socket path. The agent starts the proxy
server in init() if configured.

This replaces reading the socket path from manifest.EnvironmentVariables,
making configuration consistent with other agent flags.
    @zedkipp
    zedkipp committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    c8252b4 View commit details
    Browse the repository at this point in the history
Loading