Skip to content

feat(audit): report confined process name and wire up session-correlation injection#206

Open
SasSwart wants to merge 1 commit into
mainfrom
fix/confined-process-name
Open

feat(audit): report confined process name and wire up session-correlation injection#206
SasSwart wants to merge 1 commit into
mainfrom
fix/confined-process-name

Conversation

@SasSwart

@SasSwart SasSwart commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Overview

Part of the boundary correlation feature. This adds the confined process name to audit reporting so downstream consumers can attribute a boundary session to the process that generated it, and wires the session-correlation inject engine into the jail managers.

Pairs with coder/coder#26990, which consumes the new ConfinedProcessName field on ReportBoundaryLogsRequest when lazily creating boundary sessions.

Changes

Confined process name attribution

  • Derive ConfinedProcessName from the first element of the target command (filepath.Base) and store it on AppConfig.
  • Thread it through SetupAuditorNewSocketAuditorflush, so it is sent alongside logs in ReportBoundaryLogsRequest.ConfinedProcessName.
  • Update audit tests to cover the new parameter and assert the field is populated on flush.

Session-correlation injection wiring

  • Add NewInjectEngine, which builds a rules engine from the configured inject targets (reusing the same matching semantics as --allow rules), returning nil when correlation is disabled or has no targets.
  • Build the inject engine in both the nsjail and landjail managers and pass it, along with SessionCorrelation and SessionID, into the proxy server config.

AI Gateway path support

  • Auto-derive inject targets from CODER_AGENT_URL for both the current AI Gateway route prefix (/api/v2/ai-gateway/*) and the backward-compatible aibridge alias (/api/v2/aibridge/*).
  • Rename DefaultInjectTargetFromEnvDefaultInjectTargetsFromEnv (now returns a slice); update callers and tests.

🤖 This PR was opened by Coder Agents on behalf of @SasSwart.

- Updated SetupAuditor function to accept an additional parameter for confined process name.
- Modified related tests to accommodate the new parameter and validate its functionality.
- Adjusted SocketAuditor and flush functions to utilize the confined process name in log messages.
- Enhanced AppConfig to store the confined process name for session attribution in audit logs.
SasSwart added a commit to coder/coder that referenced this pull request Jul 6, 2026
Bump the boundary module from the pre-#206 base commit to the head of
coder/boundary#206 so coderd actually receives ConfinedProcessName over
the wire, integrating the paired PRs end to end.

Add TestReportBoundaryLogsAgentRBAC, which drives ReportBoundaryLogs
through a dbauthz-wrapped store under the exact member-role +
WorkspaceAgentScope subject a workspace agent authenticates as. It
asserts the agent cannot read boundary sessions (the reason the
pre-insert existence check was removed) while the lazy insert still
succeeds, guarding against reintroducing a read on that path.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant