feat(audit): report confined process name and wire up session-correlation injection#206
Merged
Conversation
- Updated SetupAuditor function to accept an additional parameter for confined process name. - Modified related tests to accommodate the new parameter and validate its functionality. - Adjusted SocketAuditor and flush functions to utilize the confined process name in log messages. - Enhanced AppConfig to store the confined process name for session attribution in audit logs.
SasSwart
added a commit
to coder/coder
that referenced
this pull request
Jul 6, 2026
Bump the boundary module from the pre-#206 base commit to the head of coder/boundary#206 so coderd actually receives ConfinedProcessName over the wire, integrating the paired PRs end to end. Add TestReportBoundaryLogsAgentRBAC, which drives ReportBoundaryLogs through a dbauthz-wrapped store under the exact member-role + WorkspaceAgentScope subject a workspace agent authenticates as. It asserts the agent cannot read boundary sessions (the reason the pre-insert existence check was removed) while the lazy insert still succeeds, guarding against reintroducing a read on that path.
…rrelation docs Remove the proxy Config.SessionCorrelation field and its assignments in the nsjail and landjail managers and the proxy test harness. The field was never read by NewProxyServer; the injection behavior is fully captured by InjectEngine (built from the correlation targets) and SessionID, so the copy was dead wiring that implied the server consulted it at request time. Also mark the aibridge inject path as a transitional alias to be removed once deployments serve the gateway exclusively at DefaultAIGatewayPath, and fix the stale NewSocketAuditor doc comment to describe the socketPath parameter and the confinedProcessName it now reports.
pawbana
approved these changes
Jul 7, 2026
| } | ||
|
|
||
| auditor, err := SetupAuditor(ctx, logger, false, socketPath, uuid.New()) | ||
| auditor, err := SetupAuditor(ctx, logger, false, socketPath, uuid.New(), "claude") |
There was a problem hiding this comment.
nit: since confined name isn't checked maybe "claude" - > "" so it is consistent with other tests.
SasSwart
added a commit
to coder/coder
that referenced
this pull request
Jul 7, 2026
…ss (#26990) ## Overview Part of the **boundary correlation** feature. Fixes lazy creation of `boundary_sessions` rows so it works within the agent's RBAC constraints, and consumes the new `ConfinedProcessName` field reported by boundary. Pairs with coder/boundary#206, which adds `ConfinedProcessName` to `ReportBoundaryLogsRequest`. This branch bumps the `github.com/coder/boundary` module to pick up that work. ## Problem `ensureSession` did a pre-insert existence check via `GetBoundarySessionByID`. Agents are **not permitted to read boundary sessions**, so that read path is not viable when the session is created from an agent-reported log batch. ## Changes - **Remove the pre-insert read.** `ensureSession` now inserts directly and treats a primary-key unique violation as success, covering sessions already created by a prior batch, a reconnection, or another coderd replica — without requiring read access. - **Per-connection guard.** Add a mutex-protected `ensuredSessions` set so repeated log batches on the same connection skip the existence check and insert entirely, touching the database only for the logs. On a transient insert failure the session is left unmarked so the next batch retries. - **Consume `ConfinedProcessName`.** Pass `req.GetConfinedProcessName()` through to the session insert. - **Bump boundary module** from `v0.9.0` to `v0.9.1-0.20260706095856-35ba90f9e8b2`. - **Tests.** - Add `TestReportBoundaryLogsAgentRBAC` (`coderd/boundary_logs_test.go`), an integration test that connects as a real workspace agent, verifies the session and log are persisted under agent RBAC, and asserts the agent subject cannot read boundary sessions — guarding against reintroducing a pre-insert read. - Add `TestReportBoundaryLogsSessionGuard` (session inserted once across two batches, logs inserted per batch) and `TestReportBoundaryLogsSessionRetriedOnError` (insert retried after a transient error). - Regenerate `agent-firewall` CLI docs/golden files and adjust the clidocgen template to render the YAML path when a flag has no long name. > 🤖 This PR was opened by Coder Agents on behalf of @SasSwart.
SasSwart
added a commit
to coder/coder
that referenced
this pull request
Jul 7, 2026
…ss (#27047) ## Overview Part of the **boundary correlation** feature. Fixes lazy creation of `boundary_sessions` rows so it works within the agent's RBAC constraints, and consumes the new `ConfinedProcessName` field reported by boundary. Pairs with coder/boundary#206, which adds `ConfinedProcessName` to `ReportBoundaryLogsRequest`. This branch bumps the `github.com/coder/boundary` module to pick up that work. ## Problem `ensureSession` did a pre-insert existence check via `GetBoundarySessionByID`. Agents are **not permitted to read boundary sessions**, so that read path is not viable when the session is created from an agent-reported log batch. ## Changes - **Remove the pre-insert read.** `ensureSession` now inserts directly and treats a primary-key unique violation as success, covering sessions already created by a prior batch, a reconnection, or another coderd replica — without requiring read access. - **Per-connection guard.** Add a mutex-protected `ensuredSessions` set so repeated log batches on the same connection skip the existence check and insert entirely, touching the database only for the logs. On a transient insert failure the session is left unmarked so the next batch retries. - **Consume `ConfinedProcessName`.** Pass `req.GetConfinedProcessName()` through to the session insert. - **Bump boundary module** from `v0.9.0` to `v0.9.1-0.20260706095856-35ba90f9e8b2`. - **Tests.** - Add `TestReportBoundaryLogsAgentRBAC` (`coderd/boundary_logs_test.go`), an integration test that connects as a real workspace agent, verifies the session and log are persisted under agent RBAC, and asserts the agent subject cannot read boundary sessions — guarding against reintroducing a pre-insert read. - Add `TestReportBoundaryLogsSessionGuard` (session inserted once across two batches, logs inserted per batch) and `TestReportBoundaryLogsSessionRetriedOnError` (insert retried after a transient error). - Regenerate `agent-firewall` CLI docs/golden files and adjust the clidocgen template to render the YAML path when a flag has no long name. > 🤖 This PR was opened by Coder Agents on behalf of @SasSwart. <!-- If you have used AI to produce some or all of this PR, please ensure you have read our [AI Contribution guidelines](https://coder.com/docs/about/contributing/AI_CONTRIBUTING) before submitting. -->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Boundary is capable of injecting Session correlation headers, but does not currently do so due to a lack of required plumbing. This effectively disables one half of the AI Gateway session correlation feature.
Solution
Wire in the necessary plumbing to ensure correlation headers are injected to the appropriate paths.
Pairs with coder/coder#26990, which consumes the new
ConfinedProcessNamefield onReportBoundaryLogsRequestwhen lazily creating boundary sessions.Changes
Confined process name attribution
ConfinedProcessNamefrom the first element of the target command (filepath.Base) and store it onAppConfig.SetupAuditor→NewSocketAuditor→flush, so it is sent alongside logs inReportBoundaryLogsRequest.ConfinedProcessName.Session-correlation injection wiring
NewInjectEngine, which builds a rules engine from the configured inject targets (reusing the same matching semantics as--allowrules), returningnilwhen correlation is disabled or has no targets.SessionID, into the proxy server config.SessionCorrelationfield fromproxy.Config; the proxy only needs the builtInjectEngineandSessionID.AI Gateway path support
CODER_AGENT_URLfor both the current AI Gateway route prefix (/api/v2/ai-gateway/*) and the backward-compatible aibridge alias (/api/v2/aibridge/*).DefaultInjectTargetFromEnv→DefaultInjectTargetsFromEnv(now returns a slice); update callers and tests.