feat: boundary to agent-firewall refactor

Author: 35C4n0r

registry/coder/modules/agent-firewall/README.md

@@ -1,83 +1,83 @@
 ---
-display_name: Boundary
-description: Configures boundary for network isolation in Coder workspaces
+display_name: Agent Firewall
+description: Configures agent-firewall for network isolation in Coder workspaces
 icon: ../../../../.icons/coder.svg
 verified: true
-tags: [boundary, ai, agents, firewall]
+tags: [agent-firewall, ai, agents, firewall, boundary]
 ---
 
-# Boundary
+# Agent Firewall
 
-Installs [boundary](https://coder.com/docs/ai-coder/agent-firewall) for network isolation in Coder workspaces.
+Installs [agent-firewall](https://coder.com/docs/ai-coder/agent-firewall) for network isolation in Coder workspaces.
 
 This module:
 
-- Installs boundary (via coder subcommand, direct installation, or compilation from source)
-- Creates a wrapper script at `$HOME/.coder-modules/coder/boundary/scripts/boundary-wrapper.sh`
-- Writes a default boundary config to `$HOME/.coder-modules/coder/boundary/config/config.yaml` (customizable)
+- Installs agent-firewall (via coder subcommand, direct installation, or compilation from source)
+- Creates a wrapper script at `$HOME/.coder-modules/coder/agent-firewall/scripts/agent-firewall-wrapper.sh`
+- Writes a [default agent-firewall config](./config.yaml.tftpl) to `$HOME/.coder-modules/coder/agent-firewall/config/config.yaml` (customizable)
 - Provides the wrapper path, config path, and script names via outputs
 - Uses coder-utils and output `scripts` for synchronization. https://registry.coder.com/modules/coder/coder-utils?tab=outputs
 
 ```tf
-module "boundary" {
-  source   = "registry.coder.com/coder/boundary/coder"
+module "agent-firewall" {
+  source   = "registry.coder.com/coder/agent-firewall/coder"
   version  = "0.0.1"
   agent_id = coder_agent.main.id
 }
 ```
 
 ## Examples
 
-Use the `boundary_wrapper_path` output to access the wrapper path and `boundary_config_path` to access config path in Terraform and pass it to scripts that should run commands in network isolation.
+Use the `agent_firewall_wrapper_path` output to access the wrapper path and `agent_firewall_config_path` to access config path in Terraform and pass it to scripts that should run commands in network isolation.
 
 ### With Claude Code
 
-Use boundary alongside the `claude-code` module to run Claude in a
+Use agent-firewall alongside the `claude-code` module to run Claude in a
 network-isolated environment.
 
 #### As an automated task
 
 ```tf
-module "boundary" {
-  source   = "registry.coder.com/coder/boundary/coder"
+module "agent-firewall" {
+  source   = "registry.coder.com/coder/agent-firewall/coder"
   version  = "0.0.1"
   agent_id = coder_agent.main.id
 }
 
-resource "coder_script" "claude_with_boundary" {
+resource "coder_script" "claude_with_agent_firewall" {
   agent_id     = coder_agent.main.id
-  display_name = "Claude (Boundary)"
+  display_name = "Claude (Agent Firewall)"
   run_on_start = true
   script       = <<-EOT
     #!/bin/bash
     set -e
-    coder exp sync want claude-boundary \
-      ${join(" ", module.boundary.scripts)} \
+    coder exp sync want claude-agent-firewall \
+      ${join(" ", module.agent-firewall.scripts)} \
       ${join(" ", module.claude-code.scripts)}
-    coder exp sync start claude-boundary
-  "${module.boundary.boundary_wrapper_path}" --config="${module.boundary.boundary_config_path}" -- claude -p "Fix issue #840 from coder/coder"
+    coder exp sync start claude-agent-firewall
+  "${module.agent-firewall.agent_firewall_wrapper_path}" --config="${module.agent-firewall.agent_firewall_config_path}" -- claude -p "Fix issue #840 from coder/coder"
   EOT
 }
 ```
 
 #### As a Coder app
 
 ```tf
-module "boundary" {
-  source   = "registry.coder.com/coder/boundary/coder"
+module "agent-firewall" {
+  source   = "registry.coder.com/coder/agent-firewall/coder"
   version  = "0.0.1"
   agent_id = coder_agent.main.id
 }
 
-resource "coder_app" "claude_with_boundary" {
+resource "coder_app" "claude_with_agent_firewall" {
   agent_id     = coder_agent.main.id
   display_name = "Claude Code"
   slug         = "claude-code"
   command      = <<-EOT
     #!/bin/bash
     set -e
     exec tmux new-session -A -s claude-code \
-      '"${module.boundary.boundary_wrapper_path}" --config="${module.boundary.boundary_config_path}" -- claude'
+      '"${module.agent-firewall.agent_firewall_wrapper_path}" --config="${module.agent-firewall.agent_firewall_config_path}" -- claude'
   EOT
 }
 ```
@@ -93,26 +93,26 @@ The Coder deployment domain is automatically added to the allowlist using
 `data.coder_workspace.me.access_url`.
 
 By default the config is written to
-`$HOME/.coder-modules/coder/boundary/config/config.yaml`. You can
-access the resolved path via the `boundary_config_path` output. Override
+`$HOME/.coder-modules/coder/agent-firewall/config/config.yaml`. You can
+access the resolved path via the `agent_firewall_config_path` output. Override
 it in two ways:
 
 ### Inline config
 
 Pass the full YAML content directly:
 
 ```tf
-module "boundary" {
-  source   = "registry.coder.com/coder/boundary/coder"
+module "agent-firewall" {
+  source   = "registry.coder.com/coder/agent-firewall/coder"
   version  = "0.0.1"
   agent_id = coder_agent.main.id
 
-  boundary_config = <<-YAML
+  agent_firewall_config = <<-YAML
     allowlist:
       - domain=your-deployment.coder.com
       - domain=api.anthropic.com
       - domain=api.openai.com
-    log_dir: /tmp/boundary_logs
+    log_dir: /tmp/agent_firewall_logs
     proxy_port: 8087
     log_level: warn
   YAML
@@ -122,25 +122,25 @@ module "boundary" {
 ### External config file
 
 Point to an existing config file in the workspace. The module will not
-write any config and the `boundary_config_path` output will point to
-your path:
+write any config and the `agent_firewall_config_path` output will point to
+your path. The file must exist on disk before agent-firewall starts.
 
 ```tf
-module "boundary" {
-  source   = "registry.coder.com/coder/boundary/coder"
+module "agent-firewall" {
+  source   = "registry.coder.com/coder/agent-firewall/coder"
   version  = "0.0.1"
   agent_id = coder_agent.main.id
 
-  boundary_config_path = "/workspace/my-boundary-config.yaml"
+  agent_firewall_config_path = "/workspace/my-agent-firewall-config.yaml"
 }
 ```
 
-> **Note:** `boundary_config` and `boundary_config_path` are mutually
+> **Note:** `agent_firewall_config` and `agent_firewall_config_path` are mutually
 > exclusive, setting both produces a validation error.
 
 See the [Agent Firewall docs](https://coder.com/docs/ai-coder/agent-firewall)
 for the full config reference.
 
 ## References
 
-- [Boundary Documentation](https://coder.com/docs/ai-coder/agent-firewall)
+- [Agent Firewall Documentation](https://coder.com/docs/ai-coder/agent-firewall)

registry/coder/modules/agent-firewall/agent-firewall.tftest.hcl

@@ -0,0 +1,157 @@
+# Test for agent-firewall module
+
+run "plan_with_required_vars" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent-id"
+  }
+
+  # Verify the agent_firewall_wrapper_path output
+  assert {
+    condition     = output.agent_firewall_wrapper_path == "$HOME/.coder-modules/coder/agent-firewall/scripts/agent-firewall-wrapper.sh"
+    error_message = "agent_firewall_wrapper_path output should be correct"
+  }
+
+  # Verify agent_firewall_config_path output defaults to the managed path
+  assert {
+    condition     = output.agent_firewall_config_path == "$HOME/.coder-modules/coder/agent-firewall/config/config.yaml"
+    error_message = "agent_firewall_config_path output should default to managed config path"
+  }
+
+  # Verify the scripts output contains the install script name
+  assert {
+    condition     = contains(output.scripts, "coder-agent-firewall-install_script")
+    error_message = "scripts should contain the install script name"
+  }
+}
+
+run "plan_with_compile_from_source" {
+  command = plan
+
+  variables {
+    agent_id                           = "test-agent-id"
+    compile_agent_firewall_from_source = true
+    agent_firewall_version             = "main"
+  }
+
+  assert {
+    condition     = output.agent_firewall_wrapper_path == "$HOME/.coder-modules/coder/agent-firewall/scripts/agent-firewall-wrapper.sh"
+    error_message = "agent_firewall_wrapper_path output should be correct"
+  }
+
+  assert {
+    condition     = contains(output.scripts, "coder-agent-firewall-install_script")
+    error_message = "scripts should contain the install script name"
+  }
+}
+
+run "plan_with_use_directly" {
+  command = plan
+
+  variables {
+    agent_id                    = "test-agent-id"
+    use_agent_firewall_directly = true
+    agent_firewall_version      = "latest"
+  }
+
+  assert {
+    condition     = output.agent_firewall_wrapper_path == "$HOME/.coder-modules/coder/agent-firewall/scripts/agent-firewall-wrapper.sh"
+    error_message = "agent_firewall_wrapper_path output should be correct"
+  }
+
+  assert {
+    condition     = contains(output.scripts, "coder-agent-firewall-install_script")
+    error_message = "scripts should contain the install script name"
+  }
+}
+
+run "plan_with_custom_hooks" {
+  command = plan
+
+  variables {
+    agent_id            = "test-agent-id"
+    pre_install_script  = "echo 'Before install'"
+    post_install_script = "echo 'After install'"
+  }
+
+  assert {
+    condition     = contains(output.scripts, "coder-agent-firewall-install_script")
+    error_message = "scripts should contain the install script name"
+  }
+
+  # Verify pre and post install script names are set
+  assert {
+    condition     = contains(output.scripts, "coder-agent-firewall-pre_install_script")
+    error_message = "scripts should contain the pre_install script name"
+  }
+
+  assert {
+    condition     = contains(output.scripts, "coder-agent-firewall-post_install_script")
+    error_message = "scripts should contain the post_install script name"
+  }
+}
+
+run "plan_with_custom_module_directory" {
+  command = plan
+
+  variables {
+    agent_id         = "test-agent-id"
+    module_directory = "$HOME/.coder-modules/custom/agent-firewall"
+  }
+
+  assert {
+    condition     = output.agent_firewall_wrapper_path == "$HOME/.coder-modules/custom/agent-firewall/scripts/agent-firewall-wrapper.sh"
+    error_message = "agent_firewall_wrapper_path output should use custom module directory"
+  }
+
+  # Config path should also follow the module directory
+  assert {
+    condition     = output.agent_firewall_config_path == "$HOME/.coder-modules/custom/agent-firewall/config/config.yaml"
+    error_message = "agent_firewall_config_path output should use custom module directory"
+  }
+}
+
+run "plan_with_inline_config" {
+  command = plan
+
+  variables {
+    agent_id              = "test-agent-id"
+    agent_firewall_config = "allowlist:\n  - domain=example.com\nlog_level: debug\n"
+  }
+
+  # Inline config should still point to the managed path.
+  assert {
+    condition     = output.agent_firewall_config_path == "$HOME/.coder-modules/coder/agent-firewall/config/config.yaml"
+    error_message = "agent_firewall_config_path output should point to managed config path"
+  }
+}
+
+run "plan_with_config_path" {
+  command = plan
+
+  variables {
+    agent_id                   = "test-agent-id"
+    agent_firewall_config_path = "/workspace/my-boundary-config.yaml"
+  }
+
+  # agent_firewall_config_path output should point to the user-provided path.
+  assert {
+    condition     = output.agent_firewall_config_path == "/workspace/my-boundary-config.yaml"
+    error_message = "agent_firewall_config_path output should point to user-provided path"
+  }
+}
+
+run "plan_with_both_configs_should_fail" {
+  command = plan
+
+  variables {
+    agent_id                   = "test-agent-id"
+    agent_firewall_config      = "allowlist: []"
+    agent_firewall_config_path = "/workspace/config.yaml"
+  }
+
+  expect_failures = [
+    var.agent_firewall_config,
+  ]
+}