Boundary Release Checklist

[evgeniy-scherbina]

PRs to merge:

• Prerare integration with claude-code module #70
• feat: initial boundary integration with claude code registry#455

Release checklist:

• Make --dangerously-skip-permissions work with cap_net_admin @evgeniy-scherbina

  • Make --dangerously-skip-permissions work with cap_net_admin #73

• Move changes to Write Coder On Coder template. Should it be done directly in UI or via github PR? @evgeniy-scherbina

• Make proxy_port configurable in claude-code module @evgeniy-scherbina

• Make log-level configurable via claude-code module? Default is WARN. @evgeniy-scherbina

• Make boundary_version configurable in claude-code module @evgeniy-scherbina

• Optionally run profiler on boundary, and double check that new proxy doesn't have any memory/goroutine leaks. @evgeniy-scherbina

  • Enable pprof on boundary and make it configurable #74

• Make a decision how boundary should be installed in claude-code module. Use coder exp boundary vs directly install and use boundary. Coder exp boundary works out of the box, but it's very inconvenient and slow to develop, because after every change to boundary source code - we need to update version in coder/coder repo and wait for CI to finish.

• Update documentation:

  • github repo readme
  • coder docs

• Take a look at --allowed-hosts, is it safe to run agentapi server --allowed-hosts="*"?

• Is it safe to run chain of 4 processes: agentapi -> boundary (parent) -> boundary (child) -> claude. Doesn't it interfere with agentapi -> claude communication?

  Command: agentapi server --allowed-hosts="*" --type claude --term-width 67 --term-height 1190 -- sudo -E env PATH=$PATH setpriv --inh-caps=+net_admin --ambient-caps=+net_admin --bounding-set=+net_admin /home/coder/go/bin/boundary "${BOUNDARY_ARGS[@]}" -- claude "${ARGS[@]}"

• Make a decision about allow-rules formatting, related tasks: @bcpeinhardt

  • Update allow rules to use real specification #44
  • Test rules package #50

• Few times I noticed some MCP related errors in Coder Tasks environment, is it related to boundary? Is it reproducible?

• Should proxy follow redirects?

• Check this command: sudo -E env PATH=$PATH setpriv --inh-caps=+net_admin --ambient-caps=+net_admin --bounding-set=+net_admin. Is it safe: sudo -E env PATH=$PATH? Do we need all perms: inh-caps, ambient-caps, bounding-set?

Future tasks:

• remove unprivileged jail (confirm with product)?
• remove macos support (confirm with product)?
• Sometimes, if boundary completes with error, it doesn't make cleanup, and then I had to manually run:
  ip link show
ip -o link show | awk -F': ' '{print $2}' | grep '^veth_h' | cut -d'@' -f1 | xargs -r -n1 sudo ip link delete
  we should make sure clean up is always executed (network interfaces are removed, iptables rules are removed).
• refactor e2e tests: https://github.com/coder/boundary/blob/main/e2e_tests/boundary_integration_test.go
• add e2e tests to test behaviour with claude?
• add e2e tests to test behaviour with claude and agentapi?
• add tests for proxy to test behaviour when golang client uses ALPN to upgrade to HTTP 2?
• Install boundary with install script in claude-code test module? curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | bash
• Real-Time configuration updates? Without necessity to rebuild workspace.

[bcpeinhardt]

Make a decision how boundary should be installed in claude-code module. Use coder exp boundary vs directly install and use boundary

I'm in agreement with @evgeniy-scherbina that the sub command arbitrarily slows down development. I think we should just directly install it in the modules that require it. I don't think developers are likely to manually invoke it.