feat(coder/modules/boundary): add boundary module

[35C4n0r]

Description

Extracts boundary installation and wrapper logic into a standalone coder/boundary module, decoupling it from agentapi.

Why

Boundary is currently embedded inside agentapi (scripts/boundary.sh) and duplicated in claude-code. This couples network isolation to the AI/Tasks stack, but boundary is a general-purpose primitive — users running a plain agent with no agentapi or tasks should be able to use it too.

What this adds

registry/coder/modules/boundary/ — a new first-class module that:

• Installs boundary via one of three strategies:
  1. coder boundary subcommand (default, zero-install)
  2. Direct binary from release (use_boundary_directly = true)
  3. Compiled from source (compile_boundary_from_source = true)
• Creates a wrapper script at $HOME/.coder-modules/coder/boundary/boundary-wrapper.sh
• Exports AGENTAPI_BOUNDARY_PREFIX as a coder_env so any workspace process can use it
• Strips CAP_NET_ADMIN from the coder binary (copies to coder-no-caps) to allow execution inside network namespaces without sys_admin
• Supports pre_install_script / post_install_script hooks
• Exposes boundary_wrapper_path output and sync_script_names for script coordination

Usage

module "boundary" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/boundary/coder"
  version  = "1.0.0"
  agent_id = coder_agent.main.id
}

Works standalone with any agent — no agentapi dependency required.

Testing

• Terraform variable validation (boundary.tftest.hcl)
• TypeScript integration tests (main.test.ts): state verification, coder subcommand happy path, custom hooks, env var correctness, wrapper execution, idempotent installation

Type of Change

• New module

Module Information

Path: registry/coder/modules/boundary
New version: v1.0.0
Breaking change: No

Related Issues

Closes #844

[Copilot]

Pull request overview

Adds a new coder/boundary registry module intended to set up Boundary-related tooling for Coder workspaces.

Changes:

• Introduces a Boundary install/setup shell script that can compile from source, install from release, or rely on coder boundary.
• Adds a Terraform module (main.tf) that deploys and runs the install script on an agent.
• Adds module README and Terraform native tests (.tftest.hcl).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.

File	Description
registry/coder/modules/boundary/scripts/install.sh	Installs Boundary (or validates coder boundary) and generates a wrapper script.
registry/coder/modules/boundary/main.tf	Defines module variables and a coder_script to deliver/execute install.sh.
registry/coder/modules/boundary/README.md	Documents module usage and examples.
registry/coder/modules/boundary/boundary.tftest.hcl	Adds Terraform plan-time assertions for basic module wiring.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.

[Copilot]

This module depends on coder-utils via a Git source pinned to a feature branch (ref=feat/coder-utils-optional-install-start). For a published registry module, this is brittle (branch rename/deletion breaks installs) and makes upgrades non-reproducible. Prefer depending on a tagged release/commit SHA (or a registry-published module version) and remove the commented-out version line once a stable version is available.

Suggested change

	source = "git::https://github.com/coder/registry.git//registry/coder/modules/coder-utils?ref=feat/coder-utils-optional-install-start"
	# version = "1.0.1"
	source = "coder/coder-utils/coder"
	version = "1.0.1"

[35C4n0r]

will be resolved later

[SasSwart]

Review request acknowledged.