Skip to content

feat(audit): report confined process name and wire up session-correlation injection#206

Merged
SasSwart merged 3 commits into
mainfrom
fix/confined-process-name
Jul 7, 2026
Merged

feat(audit): report confined process name and wire up session-correlation injection#206
SasSwart merged 3 commits into
mainfrom
fix/confined-process-name

Conversation

@SasSwart

@SasSwart SasSwart commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Problem

Boundary is capable of injecting Session correlation headers, but does not currently do so due to a lack of required plumbing. This effectively disables one half of the AI Gateway session correlation feature.

Solution

Wire in the necessary plumbing to ensure correlation headers are injected to the appropriate paths.

Pairs with coder/coder#26990, which consumes the new ConfinedProcessName field on ReportBoundaryLogsRequest when lazily creating boundary sessions.

Changes

Confined process name attribution

  • Derive ConfinedProcessName from the first element of the target command (filepath.Base) and store it on AppConfig.
  • Thread it through SetupAuditorNewSocketAuditorflush, so it is sent alongside logs in ReportBoundaryLogsRequest.ConfinedProcessName.
  • Update audit tests to cover the new parameter and assert the field is populated on flush.

Session-correlation injection wiring

  • Add NewInjectEngine, which builds a rules engine from the configured inject targets (reusing the same matching semantics as --allow rules), returning nil when correlation is disabled or has no targets.
  • Build the inject engine in both the nsjail and landjail managers and pass it, along with SessionID, into the proxy server config.
  • Drop the now-unused SessionCorrelation field from proxy.Config; the proxy only needs the built InjectEngine and SessionID.

AI Gateway path support

  • Auto-derive inject targets from CODER_AGENT_URL for both the current AI Gateway route prefix (/api/v2/ai-gateway/*) and the backward-compatible aibridge alias (/api/v2/aibridge/*).
  • Rename DefaultInjectTargetFromEnvDefaultInjectTargetsFromEnv (now returns a slice); update callers and tests.

🤖 This PR was opened by Coder Agents on behalf of @SasSwart.

- Updated SetupAuditor function to accept an additional parameter for confined process name.
- Modified related tests to accommodate the new parameter and validate its functionality.
- Adjusted SocketAuditor and flush functions to utilize the confined process name in log messages.
- Enhanced AppConfig to store the confined process name for session attribution in audit logs.
SasSwart added a commit to coder/coder that referenced this pull request Jul 6, 2026
Bump the boundary module from the pre-#206 base commit to the head of
coder/boundary#206 so coderd actually receives ConfinedProcessName over
the wire, integrating the paired PRs end to end.

Add TestReportBoundaryLogsAgentRBAC, which drives ReportBoundaryLogs
through a dbauthz-wrapped store under the exact member-role +
WorkspaceAgentScope subject a workspace agent authenticates as. It
asserts the agent cannot read boundary sessions (the reason the
pre-insert existence check was removed) while the lazy insert still
succeeds, guarding against reintroducing a read on that path.
SasSwart added 2 commits July 7, 2026 06:46
…rrelation docs

Remove the proxy Config.SessionCorrelation field and its assignments in the
nsjail and landjail managers and the proxy test harness. The field was never
read by NewProxyServer; the injection behavior is fully captured by
InjectEngine (built from the correlation targets) and SessionID, so the copy
was dead wiring that implied the server consulted it at request time.

Also mark the aibridge inject path as a transitional alias to be removed once
deployments serve the gateway exclusively at DefaultAIGatewayPath, and fix the
stale NewSocketAuditor doc comment to describe the socketPath parameter and the
confinedProcessName it now reports.
@SasSwart SasSwart requested review from pawbana and ssncferreira and removed request for ssncferreira July 7, 2026 08:21
}

auditor, err := SetupAuditor(ctx, logger, false, socketPath, uuid.New())
auditor, err := SetupAuditor(ctx, logger, false, socketPath, uuid.New(), "claude")

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: since confined name isn't checked maybe "claude" - > "" so it is consistent with other tests.

@SasSwart SasSwart merged commit 8b1adcb into main Jul 7, 2026
5 checks passed
@SasSwart SasSwart deleted the fix/confined-process-name branch July 7, 2026 09:59
SasSwart added a commit to coder/coder that referenced this pull request Jul 7, 2026
…ss (#26990)

## Overview

Part of the **boundary correlation** feature. Fixes lazy creation of
`boundary_sessions` rows so it works within the agent's RBAC
constraints, and consumes the new `ConfinedProcessName` field reported
by boundary.

Pairs with coder/boundary#206, which adds `ConfinedProcessName` to
`ReportBoundaryLogsRequest`. This branch bumps the
`github.com/coder/boundary` module to pick up that work.

## Problem

`ensureSession` did a pre-insert existence check via
`GetBoundarySessionByID`. Agents are **not permitted to read boundary
sessions**, so that read path is not viable when the session is created
from an agent-reported log batch.

## Changes

- **Remove the pre-insert read.** `ensureSession` now inserts directly
and treats a primary-key unique violation as success, covering sessions
already created by a prior batch, a reconnection, or another coderd
replica — without requiring read access.
- **Per-connection guard.** Add a mutex-protected `ensuredSessions` set
so repeated log batches on the same connection skip the existence check
and insert entirely, touching the database only for the logs. On a
transient insert failure the session is left unmarked so the next batch
retries.
- **Consume `ConfinedProcessName`.** Pass `req.GetConfinedProcessName()`
through to the session insert.
- **Bump boundary module** from `v0.9.0` to
`v0.9.1-0.20260706095856-35ba90f9e8b2`.
- **Tests.**
- Add `TestReportBoundaryLogsAgentRBAC`
(`coderd/boundary_logs_test.go`), an integration test that connects as a
real workspace agent, verifies the session and log are persisted under
agent RBAC, and asserts the agent subject cannot read boundary sessions
— guarding against reintroducing a pre-insert read.
- Add `TestReportBoundaryLogsSessionGuard` (session inserted once across
two batches, logs inserted per batch) and
`TestReportBoundaryLogsSessionRetriedOnError` (insert retried after a
transient error).
- Regenerate `agent-firewall` CLI docs/golden files and adjust the
clidocgen template to render the YAML path when a flag has no long name.

> 🤖 This PR was opened by Coder Agents on behalf of @SasSwart.
SasSwart added a commit to coder/coder that referenced this pull request Jul 7, 2026
…ss (#27047)

## Overview

Part of the **boundary correlation** feature. Fixes lazy creation of
`boundary_sessions` rows so it works within the agent's RBAC
constraints, and consumes the new `ConfinedProcessName` field reported
by boundary.

Pairs with coder/boundary#206, which adds `ConfinedProcessName` to
`ReportBoundaryLogsRequest`. This branch bumps the
`github.com/coder/boundary` module to pick up that work.

## Problem

`ensureSession` did a pre-insert existence check via
`GetBoundarySessionByID`. Agents are **not permitted to read boundary
sessions**, so that read path is not viable when the session is created
from an agent-reported log batch.

## Changes

- **Remove the pre-insert read.** `ensureSession` now inserts directly
and treats a primary-key unique violation as success, covering sessions
already created by a prior batch, a reconnection, or another coderd
replica — without requiring read access.
- **Per-connection guard.** Add a mutex-protected `ensuredSessions` set
so repeated log batches on the same connection skip the existence check
and insert entirely, touching the database only for the logs. On a
transient insert failure the session is left unmarked so the next batch
retries.
- **Consume `ConfinedProcessName`.** Pass `req.GetConfinedProcessName()`
through to the session insert.
- **Bump boundary module** from `v0.9.0` to
`v0.9.1-0.20260706095856-35ba90f9e8b2`.
- **Tests.**
- Add `TestReportBoundaryLogsAgentRBAC`
(`coderd/boundary_logs_test.go`), an integration test that connects as a
real workspace agent, verifies the session and log are persisted under
agent RBAC, and asserts the agent subject cannot read boundary sessions
— guarding against reintroducing a pre-insert read.
- Add `TestReportBoundaryLogsSessionGuard` (session inserted once across
two batches, logs inserted per batch) and
`TestReportBoundaryLogsSessionRetriedOnError` (insert retried after a
transient error).
- Regenerate `agent-firewall` CLI docs/golden files and adjust the
clidocgen template to render the YAML path when a flag has no long name.

> 🤖 This PR was opened by Coder Agents on behalf of @SasSwart.

<!--

If you have used AI to produce some or all of this PR, please ensure you
have read our [AI Contribution
guidelines](https://coder.com/docs/about/contributing/AI_CONTRIBUTING)
before submitting.

-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants