Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: coder/coder
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: main
Choose a base ref
...
head repository: coder/coder
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: zedkipp/boundary-logs
Choose a head ref
Checking mergeability… Don’t worry, you can still create the pull request.
  • 7 commits
  • 13 files changed
  • 1 contributor

Commits on Dec 11, 2025

  1. feat(agent): add boundary log forwarding to coderd 

    Add a feature that transmits boundary audit logs from workspaces to coderd
via the agent API, then re-emits them to stderr in a structured format.

The implementation includes:
- BoundaryLog proto messages and ReportBoundaryLogs RPC (API v2.7)
- BoundaryLogProxy server that accepts connections from boundary processes
  on a Unix socket and forwards logs to coderd
- Server-side handler that formats logs to stderr
- Environment variables CODER_BOUNDARY_LOG_SOCKET and CODER_WORKSPACE_ID
  automatically set for all commands in the workspace

Architecture:
- Boundary process connects to Unix socket at $CODER_BOUNDARY_LOG_SOCKET
- Sends length-prefixed protobuf ReportBoundaryLogsRequest messages
- Agent proxies messages to coderd via DRPC
- coderd re-emits to stderr

Log format:
[API] 2025-12-08 20:58:46.093 [warn] boundary: workspace.id=... decision=deny http.method="GET" http.url="..." time="..."
    @zedkipp
    zedkipp committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    0d27d6b View commit details
    Browse the repository at this point in the history

  2. refactor(agent): rename startBoundaryLogSocketServer to startBoundary… 

    …LogProxyServer
    @zedkipp
    zedkipp committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    acaa3b6 View commit details
    Browse the repository at this point in the history

  3. refactor(agent): read boundary log socket path from env var 

    The socket path is now configured via the workspace template by setting
CODER_BOUNDARY_LOG_SOCKET. This allows both the agent and boundary to
use the same path without needing to pass it through child processes.

- Remove boundaryLogProxyMu (no longer needed)
- Only start proxy if CODER_BOUNDARY_LOG_SOCKET is set
- Only start forwarder if proxy was started
- Remove code that set env var for child processes
    @zedkipp
    zedkipp committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    295d760 View commit details
    Browse the repository at this point in the history

  4. refactor(agent): read boundary log socket path from manifest 

    Read CODER_BOUNDARY_LOG_SOCKET from manifest.EnvironmentVariables instead
of os.Getenv. This allows the socket path to be configured via coder_env
in the workspace template.

The proxy is now started in handleManifest after the manifest is fetched,
rather than in init() before the manifest is available.
    @zedkipp
    zedkipp committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    0860ba7 View commit details
    Browse the repository at this point in the history

  5. refactor(agent): use CLI flag for boundary log socket path 

    Add --boundary-log-socket flag (env: CODER_AGENT_BOUNDARY_LOG_SOCKET) to
configure the boundary audit log socket path. The agent starts the proxy
server in init() if configured.

This replaces reading the socket path from manifest.EnvironmentVariables,
making configuration consistent with other agent flags.
    @zedkipp
    zedkipp committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    c8252b4 View commit details
    Browse the repository at this point in the history

Commits on Dec 12, 2025

  1. refactor: generalize BoundaryLog proto with oneof resource type 

    - Remove workspace_id from proto (coderd gets this from agent auth)
- Add nested HttpRequest message with method, url, matched_rule
- Use oneof resource to support future resource types (file ops, etc.)
- Update BoundaryLogsAPI to handle new structure with type switch
- Add comment noting wire compatibility with boundary's proto
- Remove unused codersdk/agentsdk/boundary_logs.go
- Regenerate proto Go code
    @zedkipp
    zedkipp committed Dec 12, 2025
    Configuration menu
    Copy the full SHA
    1f90597 View commit details
    Browse the repository at this point in the history

Commits on Dec 13, 2025

  1. refactor: hardcode boundary audit socket path 

    Always create socket at /tmp/boundary-audit.sock instead of using
CLI flag or env var. This simplifies configuration since boundary
uses the same well-known path.
    @zedkipp
    zedkipp committed Dec 13, 2025
    Configuration menu
    Copy the full SHA
    8ce90ab View commit details
    Browse the repository at this point in the history
Loading