feat(audit): report confined process name and wire up session-correlation injection#206
Open
SasSwart wants to merge 1 commit into
Open
feat(audit): report confined process name and wire up session-correlation injection#206SasSwart wants to merge 1 commit into
SasSwart wants to merge 1 commit into
Conversation
- Updated SetupAuditor function to accept an additional parameter for confined process name. - Modified related tests to accommodate the new parameter and validate its functionality. - Adjusted SocketAuditor and flush functions to utilize the confined process name in log messages. - Enhanced AppConfig to store the confined process name for session attribution in audit logs.
SasSwart
added a commit
to coder/coder
that referenced
this pull request
Jul 6, 2026
Bump the boundary module from the pre-#206 base commit to the head of coder/boundary#206 so coderd actually receives ConfinedProcessName over the wire, integrating the paired PRs end to end. Add TestReportBoundaryLogsAgentRBAC, which drives ReportBoundaryLogs through a dbauthz-wrapped store under the exact member-role + WorkspaceAgentScope subject a workspace agent authenticates as. It asserts the agent cannot read boundary sessions (the reason the pre-insert existence check was removed) while the lazy insert still succeeds, guarding against reintroducing a read on that path.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
Part of the boundary correlation feature. This adds the confined process name to audit reporting so downstream consumers can attribute a boundary session to the process that generated it, and wires the session-correlation inject engine into the jail managers.
Pairs with coder/coder#26990, which consumes the new
ConfinedProcessNamefield onReportBoundaryLogsRequestwhen lazily creating boundary sessions.Changes
Confined process name attribution
ConfinedProcessNamefrom the first element of the target command (filepath.Base) and store it onAppConfig.SetupAuditor→NewSocketAuditor→flush, so it is sent alongside logs inReportBoundaryLogsRequest.ConfinedProcessName.Session-correlation injection wiring
NewInjectEngine, which builds a rules engine from the configured inject targets (reusing the same matching semantics as--allowrules), returningnilwhen correlation is disabled or has no targets.SessionCorrelationandSessionID, into the proxy server config.AI Gateway path support
CODER_AGENT_URLfor both the current AI Gateway route prefix (/api/v2/ai-gateway/*) and the backward-compatible aibridge alias (/api/v2/aibridge/*).DefaultInjectTargetFromEnv→DefaultInjectTargetsFromEnv(now returns a slice); update callers and tests.