chore(claude-code)!: strip boundary, agentapi, tasks, tools #861
Merged
92718d5 to
42ff02a
Compare
This was referenced Apr 22, 2026
…tasks, tools

- Remove boundary variables and install logic.
- Drop agentapi module; orchestrate scripts through coder-utils instead.
- Remove start-script-only variables not shared with install (resume_session_id, continue, ai_prompt, dangerously_skip_permissions).
- Remove allowed_tools and disallowed_tools.
- Remove report_tasks, system_prompt, claude_md_path, and coder exp mcp / coder_report_task wiring.
- Rename claude_api_key to anthropic_api_key (ANTHROPIC_API_KEY).
- Rename enable_aibridge to enable_ai_gateway.
- Drop install_via_npm; always use the official claude.ai/install.sh installer.
- Tighten workdir description and drop dead module_dir_name/task_app_id.
- Move module logs to $HOME/.coder-modules/coder/claude-code/logs (matches coder-utils 1.3.0 nested layout).
3c9937a to
3885188
Compare
matifali
added a commit
that referenced
this pull request
Apr 24, 2026
…le_directory (#874)

## Summary

Derives `coder-utils` script names from `module_directory` instead of a separate `agent_name` input. The `module_directory` already encodes both the namespace and the module name, so carrying both is redundant and error-prone. Callers like `claude-code` no longer need to pass `agent_name`. Scripts this module materializes lose the `${agent_name}-utils-` prefix because `module_directory` already namespaces them per-caller. We will address multiple instances of coder-utils per caller in a future iteration if needed.

## Versioning Note

Previous tags (`v1.0.0` through `v1.3.0`) have been deleted because no published module ever consumed them — the module was effectively unreleased. This PR ships the first real public version as **`v0.0.1`**, treating it as a fresh start rather than a breaking bump from a version that was never in production use.

## Changes

- Remove `agent_name` variable.
- Derive `caller_name = "${namespace}-${module_name}"` from `module_directory`.
- Validate `module_directory` matches `$HOME/.coder-modules/<namespace>/<module-name>`.
- Rename script files on disk from `${agent_name}-utils-<phase>.sh` to plain `<phase>.sh`.
- Add a TS test for the `module_directory` validation.
- Ship as `v0.0.1` (first published version; all prior tags removed).

## Breaking Changes

| Before | After |
|---|---|
| `agent_name = "myagent"` | removed (derived from `module_directory`) |
| `module_directory = ".my-module"` | `module_directory = "$HOME/.coder-modules/<ns>/<name>"` (validated) |
| Script files `${agent_name}-utils-install.sh` | `install.sh` |
| Script sync names `${agent_name}-install_script` | `${namespace}-${module_name}-install_script` |

No callers were depending on the old format (prior tags were unpublished).

## Validation

- `terraform fmt -recursive` clean
- `terraform validate` clean
- `terraform test` → 17/17 pass
- `bun test registry/coder/modules/coder-utils` → 5/5 pass
- `prettier --check` clean

## Consumer

#861 (`claude-code`) consumes this and is currently pinned to the commit SHA until this merges and ships as `v0.0.1`.

> 🤖 This PR was created with the help of Coder Agents, and needs a human review. 🧑💻
…ia templatefile

Render scripts/install.sh.tftpl once at plan time and pass the result directly to coder-utils, replacing the runtime base64 encode/decode wrapper and the redundant scripts/install.sh. Sources coder-utils from a pinned commit on its refactor branch until the `module_directory`-derived caller name lands in a tagged release.
…nd scope MCP to user

workdir is now optional. When set, the module still pre-creates the directory and pre-accepts the Claude Code trust dialog for it. When unset, the module installs the CLI and configures authentication only; users accept trust dialogs interactively per project.

MCP servers are added at Claude Code's user scope via `claude mcp add-json --scope user` so they are available across every project the workspace owner opens, instead of being tied to a single project directory. For project-local MCP servers, callers should commit a `.mcp.json` to the project repository rather than passing it through this module.

Drop primaryApiKey from the standalone-mode config writer. Claude Code reads credentials from the ANTHROPIC_API_KEY and CLAUDE_CODE_OAUTH_TOKEN env vars (which the module already exports via coder_env); writing the key into ~/.claude.json had no effect on authentication.

Split the standalone-mode .claude.json writer into two steps: the always-on auth/onboarding keys, and the optional `.projects[workdir]` trust block that only runs when workdir is set.
3885188 to
46ce616
Compare
DevelopmentCats
approved these changes
Apr 24, 2026
Collaborator
DevelopmentCats
left a comment
Everything looks good to me. I think it honestly makes more sense for this module to stick with just the claude-code install and configuration since everyone seems to have their own methods of utilizing the module, and with /agents we would be moving away from tasks anyways to some extent.
morganl-ant
added a commit
to morganl-ant/registry
that referenced
this pull request
Apr 27, 2026
… attribution

Rebased onto post-coder#861 main. Adds a typed telemetry input that turns on CLAUDE_CODE_ENABLE_TELEMETRY and the standard OTEL_EXPORTER_OTLP_* env vars in one place, and auto-injects coder.workspace_id, coder.workspace_name, coder.workspace_owner, and coder.template_name into OTEL_RESOURCE_ATTRIBUTES so Claude Code spans and metrics can be joined directly with Coder audit logs and exectrace records on workspace_id without per-template wiring. Bumps README examples to 5.1.0.
morganl-ant
added a commit
to morganl-ant/registry
that referenced
this pull request
Apr 27, 2026
… /etc/claude-code

Re-authored on top of the post-coder#861 install-only module. Adds a managed_settings variable that the install script writes to /etc/claude-code/managed-settings.d/10-coder.json. Claude Code reads this drop-in directory at startup with the highest configuration precedence, so template authors get an admin-controlled policy file that users inside the workspace cannot override. The mechanism is a local file read with no API call, so it works identically for the Anthropic API, AWS Bedrock, Google Vertex AI, and AI Gateway.

Compared to the original PR against v4.x, this drops the deprecation shim for permission_mode/allowed_tools/disallowed_tools (those vars are gone in v5) and the start.sh changes (start.sh is gone). The ~/.claude.json policy-key removal is also dropped from this PR scope since the surrounding configure_standalone_mode logic changed substantially in coder#861; can revisit separately if wanted.
morganl-ant
added a commit
to morganl-ant/registry
that referenced
this pull request
Apr 27, 2026
…rk anthropic_api_key sensitive

Rebased onto post-coder#861 main. Changes from the original PR:

- Targets the renamed anthropic_api_key variable (was claude_api_key).
- Targets the renamed enable_ai_gateway variable (was enable_aibridge).
- The primaryApiKey removal from the original PR is no longer needed since coder#861's install template does not write that key.
- install.sh.tftpl uses templatefile substitution; helper script is passed base64-encoded as ARG_API_KEY_HELPER_SCRIPT.
- README bumped to 5.1.0.
morganl-ant
added a commit
to morganl-ant/registry
that referenced
this pull request
Apr 27, 2026
…ertex inputs

Rebased onto post-coder#861 main.

- New use_bedrock and use_vertex bool inputs that set CLAUDE_CODE_USE_BEDROCK=1 / CLAUDE_CODE_USE_VERTEX=1 via coder_env. Mutually exclusive with each other and with enable_ai_gateway.
- New anthropic_base_url string input. The existing coder_env.anthropic_base_url resource (previously AI Gateway only) is widened to also fire when this is set; AI Gateway keeps precedence for the value. Mutually exclusive with enable_ai_gateway.
- configure_standalone_mode now recognizes use_bedrock / use_vertex / anthropic_base_url as valid auth paths: prints a clear backend message and proceeds to write the onboarding-bypass keys instead of printing the misleading 'No authentication configured' note and returning early.
- README: Bedrock and Vertex sections rewritten around the new inputs, leading with attached IAM role / Workload Identity over static credentials. New custom-API-gateway section. Prerequisites and mutual-exclusion caution updated.
- Tests: 7 new terraform-test runs (env assertions + 4 expect_failures for mutual exclusion); 3 new bun tests.

Closes coder/coder#17402
Closes coder/coder#21835
morganl-ant
added a commit
to morganl-ant/registry
that referenced
this pull request
Apr 27, 2026
…entinel

Re-authored on top of coder#861. The original PR also fixed the hardcoded TASK_SESSION_ID in start.sh (coder#726); coder#861 removed start.sh entirely so that fix is no longer needed and coder#726 is resolved by coder#861 itself.

What remains is install-time:

- transcript_retention_days input maps to Claude Code's cleanupPeriodDays setting via a managed-settings.d drop-in so long-lived workspaces do not accumulate unbounded session JSONL.
- A Stop hook touches ~/.coder-modules/coder/claude-code/last-stop on every turn end so templates can drive workspace autostop or activity tracking off that file's mtime.

Both are written to /etc/claude-code/managed-settings.d/30-coder-lifecycle.json, which the Claude CLI reads regardless of inference backend.
This was referenced Apr 28, 2026
This was referenced Apr 29, 2026
DevelopmentCats
added a commit
that referenced
this pull request
Apr 29, 2026
… attribution (#862)

## Problem

Claude Code ships an OpenTelemetry exporter for token usage, tool calls, session lifecycle and errors (https://docs.anthropic.com/en/docs/claude-code/monitoring-usage), but the module exposes no first-class wiring for it. Template authors who want telemetry have to know the env var names (`CLAUDE_CODE_ENABLE_TELEMETRY`, the `OTEL_EXPORTER_OTLP_*` family) and write their own `coder_env` blocks. More importantly there is no convention for how to correlate Claude Code telemetry with Coder's own audit logs and `exectrace` records, so even when both are exported they end up as two unjoined datasets.

## Change

Adds a `telemetry` input that turns on `CLAUDE_CODE_ENABLE_TELEMETRY` and the standard OTLP exporter env vars in one place:

```tf
telemetry = {
  enabled             = true
  otlp_endpoint       = "http://otel-collector.observability:4317"
  otlp_protocol       = "grpc"
  otlp_headers        = { authorization = "Bearer ..." }
  resource_attributes = { "service.name" = "claude-code" }
}
```

When enabled, the module automatically appends `coder.workspace_id`, `coder.workspace_name`, `coder.workspace_owner` and `coder.template_name` to `OTEL_RESOURCE_ATTRIBUTES`. This gives a stable join key between Claude Code spans/metrics and Coder's audit log and exectrace events on `workspace_id`, so a platform team can answer "show me every shell command Claude executed in workspace X alongside the token spend for that session" without custom plumbing.

This is purely additive (`coder_env` resources behind `count`), defaults to disabled, and is independent of how Claude is launched, so it composes cleanly with the install-only direction in #861.

## Validation

- `terraform fmt`, `terraform validate`, `terraform test` (19/19) pass
- `bun test -t telemetry` (2/2) pass: env vars are set with the expected values when enabled, and absent when the input is omitted

Disclosure: I work at Anthropic on the Claude Code team.

---------

Co-authored-by: DevCats <chris@dualriver.com>
Co-authored-by: Atif Ali <me@matifali.dev>
DevelopmentCats
added a commit
that referenced
this pull request
May 5, 2026
…and start logic (#879)

Closes #878

## What

Major refactor of the `coder-labs/codex` module to mirror the `coder/claude-code` v5 changes from #861.

## Changes

### Structural

- Replace `module "agentapi"` with `module "coder_utils"` (`registry.coder.com/coder/coder-utils/coder v0.0.1`)
- Replace `scripts/install.sh` with `scripts/install.sh.tftpl` (Terraform templatefile)
- Delete `scripts/start.sh`
- Module dir changed from `.codex-module` to `.coder-modules/coder-labs/codex`
- Output changed from `task_app_id` to `scripts` (ordered list of coder exp sync names)
- Extracted shared test helpers (`collectScripts`, `runScripts`) into `agentapi/coder-utils-test-helpers.ts`

### Removed variables

All AgentAPI pass-throughs, boundary, and start-script-only variables: `order`, `group`, `report_tasks`, `subdomain`, `cli_app`, `web_app_display_name`, `cli_app_display_name`, `install_agentapi`, `agentapi_version`, `ai_prompt`, `continue`, `enable_state_persistence`, `codex_system_prompt`, `enable_boundary`, `boundary_config_path`, `boundary_version`, `compile_boundary_from_source`, `use_boundary_directly`, `codex_model`

### Retained

`install_codex` (toggle for skipping npm install when CLI is pre-installed)

### Renamed

- `enable_aibridge` -> `enable_ai_gateway`

### Changed

- `workdir`: now optional (`default = null`)
- `openai_api_key`: conditional env var with `count`, marked `sensitive = true`
- `base_config_toml`: heredoc description documenting generated defaults; notes that `model_reasoning_effort` and workdir trust are only applied in default config
- Default `config.toml`: stripped `sandbox_mode`, `approval_policy`, `sandbox_workspace_write`, `notice.model_migrations`
- Install script: removed Node.js/NVM bootstrap (assumes npm pre-installed), sources NVM if present, fails with actionable error if npm missing
- `ARG_CODEX_VERSION` and `ARG_WORKDIR` base64-encoded to prevent shell/TOML injection
- Duplicate `[model_providers.aibridge]` guarded with grep before appending
- Debug header uses user-facing variable names

### Tests

- Terraform: 11 pass
- Bun: 15 pass (rewritten to shared `collectScripts`/`runScripts` pattern)
- Added: `model-reasoning-effort-standalone`, `ai-gateway-with-custom-base-config`, `ai-gateway-custom-config-no-duplicate-provider`, `install-codex-latest`, `workdir-trusted-project`, `no-workdir-no-project-section`
- Negative assertions on `minimal-default-config`

### Docs

- Migration guide (v4 to v5) in README
- Quoted path in coder_app example
- AI Gateway note about custom `base_config_toml` requiring manual `model_provider`

> [!WARNING]
> Breaking change. Drops support for Coder Tasks and Boundary. Keep using v4.x.x if you depend on them.

---

*This PR was authored by Coder Agents.*

---------

Co-authored-by: Jay Kumar <jay.kumar@coder.com>
Co-authored-by: DevCats <christofer@coder.com>
This was referenced May 5, 2026
DevelopmentCats
added a commit
that referenced
this pull request
May 5, 2026
…ude-code v5 (#885)

Aligns codex module variable names with the claude-code v5 conventions established in #861 and #879.

- Rename `additional_mcp_servers` to `mcp` to match claude-code's variable name.
- Change `codex_version` default from `""` to `"latest"` to match `claude_code_version`.

## Type of Change

- [ ] New module
- [ ] New template
- [x] Bug fix
- [ ] Feature/enhancement
- [ ] Documentation
- [ ] Other

## Module Information

**Path:** `registry/coder-labs/modules/codex`
**Breaking change:** [x] Yes [ ] No

> [!WARNING]
> Breaking change for anyone referencing `additional_mcp_servers` by name. Since v5.0.0 was released and deleted on the same day (#879), this should have zero downstream impact.

## Testing & Validation

- [x] Tests pass (`bun test`)
- [x] Code formatted (`bun fmt`)
- [x] Changes tested locally

## Related Issues

- Follow-up to #879
- Filed #886 to track adding `mcp_config_remote_path` support to codex

---

*This PR was authored by Coder Agents.*
DevelopmentCats
added a commit
that referenced
this pull request
May 15, 2026
… /etc/claude-code (#863)

## Problem

The module configures Claude Code's permission posture by reaching around the permission system rather than through it:

- `scripts/install.sh` writes `bypassPermissionsModeAccepted`, `autoModeAccepted`, and `primaryApiKey` directly into the user-writable `~/.claude.json`. Any process in the workspace can read the API key or flip the acceptance flags back.
- `scripts/start.sh` adds `--dangerously-skip-permissions` to every task launch, even when the template author set an explicit `permission_mode`. The README has to carry a security warning telling people the module bypasses permission checks.
- `permission_mode`, `allowed_tools`, and `disallowed_tools` each plumb through a different ad-hoc path (CLI flag, `coder` subcommand) instead of a single policy surface.

## Change

Add a `managed_settings` input that renders to `/etc/claude-code/managed-settings.d/10-coder.json`. Claude Code reads that drop-in directory at startup with the highest configuration precedence (above `~/.claude/settings.json` and project settings), so template authors get an admin-controlled policy file that users inside the workspace cannot override. The mechanism is a local file read with no API call, so it works identically for the Anthropic API, AWS Bedrock, Google Vertex AI, and AI Bridge / AI Gateway.

```hcl
managed_settings = {
  permissions = {
    defaultMode                  = "acceptEdits"
    disableBypassPermissionsMode = "disable"
    deny                         = ["Bash(curl:*)", "WebFetch"]
  }
}
```

Supporting changes:

- `install.sh` writes the policy file (root-owned, 0644) and stops writing `bypassPermissionsModeAccepted`, `autoModeAccepted`, and `primaryApiKey` into `~/.claude.json`. The API key is already exported via `coder_env` as `CLAUDE_API_KEY`; duplicating it on disk is unnecessary. `hasCompletedOnboarding` stays because there is no env-var alternative for it.
- `start.sh` only adds `--dangerously-skip-permissions` for tasks when no explicit `permission_mode` is set (same fix as #846; included here so this PR is self-contained, happy to drop if #846 lands first).
- `permission_mode`, `allowed_tools`, and `disallowed_tools` are marked deprecated and shimmed into `managed_settings.permissions` for one release when `managed_settings` is not provided.
- README security warning rewritten to point at the policy mechanism instead of telling people the module is unsafe by design.

## Relationship to #861

#861 strips this module to install-and-configure and removes `permission_mode` / `allowed_tools` / `disallowed_tools` outright. `managed_settings` is the natural replacement for those: it is install-time (survives the `start.sh` removal), it covers everything the dropped variables did plus `hooks`, `env`, `model`, `apiKeyHelper`, and the rest of the settings schema, and it does not require the module to know anything about how Claude is launched. If #861 lands first I will rebase this on top and drop the deprecation shim and the `start.sh` hunk.

## Validation

- `terraform fmt` / `terraform validate` clean
- New tests: `claude-managed-settings-written`, `claude-managed-settings-legacy-shim`, `claude-no-policy-keys-in-claudejson`, plus an assertion in `claude-auto-permission-mode` that `--dangerously-skip-permissions` is absent when a mode is set
- Manually verified `/etc/claude-code/managed-settings.d/*.json` precedence in the Claude Code CLI source

Closes #818. Relates to #284, #846, #861.

Disclosure: I work at Anthropic on the Claude Code team. Happy to adjust scope or split this further if that is easier to review.

---------

Co-authored-by: DevCats <chris@dualriver.com>
Co-authored-by: DevCats <christofer@coder.com>
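The "users inside the workspace cannot override" property described in the commit message above depends on the drop-in file's ownership and mode, so it is worth checking after install. The following is an added example, not code from the PR or the module: the function names are hypothetical, the sample files are constructed, and the parent-directory check is an assumption that goes beyond the "root-owned, 0644" statement in the text.

```python
import json
import os
import stat
import tempfile

# Keys the PR description above says install.sh used to write into ~/.claude.json.
USER_CONFIG_POLICY_KEYS = ("bypassPermissionsModeAccepted", "autoModeAccepted", "primaryApiKey")


def audit_policy_file(path, expected_uid=0):
    """Return findings for one managed-settings drop-in (empty list means OK)."""
    if os.path.islink(path):
        return [f"{path}: symlink; the target may be user-controlled"]
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    # A writable parent directory lets a user replace the file by rename,
    # so the directory gets the same ownership and mode checks as the file.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    for label, info in ((path, st), ("parent directory", parent)):
        if info.st_uid != expected_uid:
            findings.append(f"{label}: owned by uid {info.st_uid}, expected {expected_uid}")
        if info.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(info.st_mode)
            findings.append(f"{label}: group/other writable (mode {mode:04o})")
    try:
        with open(path, encoding="utf-8") as fh:
            if not isinstance(json.load(fh), dict):
                findings.append(f"{path}: top-level JSON value is not an object")
    except (OSError, ValueError) as exc:
        findings.append(f"{path}: unreadable or invalid JSON ({exc})")
    return findings


def audit_user_config(path):
    """Return the policy-related keys still present in a user-writable config."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except FileNotFoundError:
        return []
    if not isinstance(data, dict):
        return []
    return [key for key in USER_CONFIG_POLICY_KEYS if key in data]


def demo():
    """Run both checks against constructed files in a temporary directory."""
    uid = os.getuid()  # stands in for root (uid 0) so the demo runs unprivileged
    with tempfile.TemporaryDirectory() as tmp:
        policy = os.path.join(tmp, "10-coder.json")
        with open(policy, "w", encoding="utf-8") as fh:
            json.dump({"permissions": {"defaultMode": "acceptEdits",
                                       "disableBypassPermissionsMode": "disable",
                                       "deny": ["Bash(curl:*)", "WebFetch"]}}, fh)
        os.chmod(policy, 0o644)
        good = audit_policy_file(policy, expected_uid=uid)
        os.chmod(policy, 0o666)  # constructed misconfiguration
        weak = audit_policy_file(policy, expected_uid=uid)
        user_cfg = os.path.join(tmp, "claude.json")
        with open(user_cfg, "w", encoding="utf-8") as fh:
            json.dump({"hasCompletedOnboarding": True,
                       "primaryApiKey": "constructed-placeholder"}, fh)
        leftover = audit_user_config(user_cfg)
    return good, weak, leftover


if __name__ == "__main__":
    for name, result in zip(("0644 policy", "0666 policy", "user config"), demo()):
        print(name, "->", result)
```

On a real workspace, call `audit_policy_file("/etc/claude-code/managed-settings.d/10-coder.json")` with the default `expected_uid=0` and `audit_user_config` on the workspace user's `~/.claude.json`.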
morganl-ant
added a commit
to morganl-ant/registry
that referenced
this pull request
May 15, 2026
…ertex inputs

Rebased onto post-coder#861 main.

- New use_bedrock and use_vertex bool inputs that set CLAUDE_CODE_USE_BEDROCK=1 / CLAUDE_CODE_USE_VERTEX=1 via coder_env. Mutually exclusive with each other and with enable_ai_gateway.
- New anthropic_base_url string input. The existing coder_env.anthropic_base_url resource (previously AI Gateway only) is widened to also fire when this is set; AI Gateway keeps precedence for the value. Mutually exclusive with enable_ai_gateway.
- configure_standalone_mode now recognizes use_bedrock / use_vertex / anthropic_base_url as valid auth paths: prints a clear backend message and proceeds to write the onboarding-bypass keys instead of printing the misleading 'No authentication configured' note and returning early.
- README: Bedrock and Vertex sections rewritten around the new inputs, leading with attached IAM role / Workload Identity over static credentials. New custom-API-gateway section. Prerequisites and mutual-exclusion caution updated.
- Tests: 7 new terraform-test runs (env assertions + 4 expect_failures for mutual exclusion); 3 new bun tests.

Closes coder/coder#17402
Closes coder/coder#21835
morganl-ant
added a commit
to morganl-ant/registry
that referenced
this pull request
May 15, 2026
…rk anthropic_api_key sensitive

Rebased onto post-coder#861 main. Changes from the original PR:

- Targets the renamed anthropic_api_key variable (was claude_api_key).
- Targets the renamed enable_ai_gateway variable (was enable_aibridge).
- The primaryApiKey removal from the original PR is no longer needed since coder#861's install template does not write that key.
- install.sh.tftpl uses templatefile substitution; helper script is passed base64-encoded as ARG_API_KEY_HELPER_SCRIPT.
- README bumped to 5.1.0.
## Summary

Reduces `claude-code` to a minimal install-and-configure module for the Claude CLI. Boundary, agentapi, task reporting, session tracking, tool allow/deny, and start orchestration are removed. Script execution is delegated to `coder-utils` v1.2.0. Starting Claude is now the caller's responsibility (template command, IDE launcher, or a custom `coder_script`).

> [!WARNING]
> This is a breaking change. See the migration guide below.

## Changes

- `scripts/start.sh`. The module no longer launches Claude.
- `agentapi` sub-module with `coder-utils` v1.2.0 for install/pre/post script orchestration.
- `claude.ai/install.sh` installer.
- `scripts/install.sh.tftpl` once at plan time via `templatefile()` and pass the result directly to `coder-utils`, replacing the runtime base64 encode/decode wrapper and the redundant `scripts/install.sh`.
- `workdir` optional. When set, the module pre-creates the directory and pre-accepts the Claude Code trust dialog for it. When unset, the module installs the CLI and configures authentication only; users accept trust dialogs interactively per project.
- `claude mcp add-json --scope user` so they are available across every project the workspace owner opens, instead of being tied to a single project directory.
- `primaryApiKey` from the standalone-mode config writer — credentials are already exported via `coder_env`, writing the key into `~/.claude.json` had no effect.
- `claude_api_key` → `anthropic_api_key` (env `ANTHROPIC_API_KEY`).
- `enable_aibridge` → `enable_ai_gateway`.
- `ANTHROPIC_AUTH_TOKEN` (not `ANTHROPIC_API_KEY`) to the workspace owner's Coder session token, matching the AI Gateway centralized API key flow.
- `configure_standalone_mode` to also recognize `CLAUDE_CODE_OAUTH_TOKEN` so OAuth-only users get the onboarding bypass.
- `scripts` output (pass-through from `coder-utils`) so upstream modules can serialize their `coder_script` resources behind this module's install pipeline via `coder exp sync want`.
- `task_app_id` output.
- `$HOME/.coder-modules/coder/claude-code/logs/` (was `$HOME/.claude-module/`).
- `report_tasks`, `system_prompt`, `claude_md_path`, `allowed_tools`, `disallowed_tools`, `enable_boundary`, `boundary_version`, `compile_boundary_from_source`, `use_boundary_directly`, `order`, `group`, `web_app`, `cli_app`, `web_app_display_name`, `cli_app_display_name`, `install_agentapi`, `agentapi_version`, `ai_prompt`, `subdomain`, `resume_session_id`, `continue`, `dangerously_skip_permissions`, `enable_state_persistence`, `permission_mode`, `install_via_npm`.
- `5.0.0`.

## Breaking Changes

| | |
|---|---|
| `claude_api_key` | `anthropic_api_key` |
| `enable_aibridge` | `enable_ai_gateway` |
| `ANTHROPIC_API_KEY` to session token | `ANTHROPIC_AUTH_TOKEN` to session token |
| `workdir` required | `workdir` optional |
| `module.claude-code.task_app_id` | `coder_app` created) |
| `permission_mode` | |
| `install_via_npm` | |
| `ai_prompt`, `system_prompt`, `allowed_tools`, `disallowed_tools`, `report_tasks`, session/continue vars, Boundary vars, agentapi vars, `web_app`/`cli_app` vars, `order`/`group`, `enable_state_persistence` | |
| `$HOME/.claude-module/*.log` | `$HOME/.coder-modules/coder/claude-code/logs/*.log` |

Callers depending on any of the above must migrate. The module no longer starts Claude — provide your own `coder_script` or template command if you want it to launch automatically.

## Validation

- `terraform fmt -recursive` clean
- `terraform validate` clean
- `terraform test` → 13/13 pass
- `bun test registry/coder/modules/claude-code` → 12/12 pass
- `shellcheck --severity=warning` clean
- `prettier --check` clean