feat: enhance boundary configuration options in Claude Code module

[DevelopmentCats]

Description

• Added new variables boundary_config and boundary_config_path for inline YAML and file path configurations, respectively.
• Implemented validation rules to ensure proper configuration when enable_boundary is true.
• Updated README with usage examples for both configuration methods.
• Add test cases to cover various boundary configuration scenarios, including validation failures.

Review Comment Fixes

All 4 Copilot inline review comments have been addressed:

1. main.tf — boundary_config and boundary_config_path variables have per-variable validation blocks that reject empty/whitespace-only strings (using trimspace(...) != ""). The enable_boundary cross-variable validations also use trimspace() checks to treat empty strings as unset.
2. main.tftest.hcl — Failure test cases added for boundary_config = "", boundary_config_path = "", and whitespace-only variants (" ").
3. scripts/start.sh — Unified post-write/link safety check added after the if/elif/fi block: if $BOUNDARY_CONFIG_FILE does not exist or is empty, the script exits with a clear error message.
4. scripts/start.sh — ARG_BOUNDARY_CONFIG_PATH is normalized at script startup (lines 29-30) with tilde and $HOME expansion, matching the pattern used for ARG_CLAUDE_BINARY_PATH. Expansion is also applied inside start_agentapi for robustness.

Type of Change

• New module
• New template
• Bug fix
• Feature/enhancement
• Documentation
• Other

Module Information

Path: registry/coder/modules/claude-code
New version: v4.9.2
Breaking change: [ ] Yes [X] No

Testing & Validation

• Tests pass (bun test)
• Code formatted (bun fmt)
• Changes tested locally

Related Issues

Closes #792

Generated with Claude Code using claude-sonnet-4-6

[DevelopmentCats]

@matifali

Technically this is a breaking change since anyone running their module with enable_boundary=true will run into issues when updating their module since they will need to have one of these new variables set to pass validation.

Its a minimal change that we probably should have included to begin with so I figured updating to 4.9.0 would be fine unless you think we need to consider this a Major bump considering the circumstances.

[Copilot]

Pull request overview

Adds first-class support for passing Coder Boundary network filtering rules into the claude-code module, aligning the module’s enable_boundary behavior with the documented expectations in issue #792.

Changes:

• Introduces boundary_config (inline YAML) and boundary_config_path (existing file path) inputs and wires them into the startup script.
• Adds Terraform validations to enforce correct boundary configuration combinations.
• Updates README examples and expands tftest coverage for boundary configuration scenarios.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
registry/coder/modules/claude-code/scripts/start.sh	Writes/links boundary config into ~/.config/coder_boundary/config.yaml before starting boundary.
registry/coder/modules/claude-code/main.tf	Adds new inputs and validation rules; passes config/env through to the start script.
registry/coder/modules/claude-code/main.tftest.hcl	Adds plan-time tests for valid/invalid boundary input combinations.
registry/coder/modules/claude-code/README.md	Documents the new configuration options with usage examples and version bump to 4.9.0.

[matifali]

Technically this is a breaking change since anyone running their module with enable_boundary=true will run into issues when updating their module since they will need to have one of these new variables set to pass validation.

@DevelopmentCats Can we do it in a non-breaking change where if the input boundary_config_path is not provided, we default it to our old config path? IMO, that should work for any existing users not passing the path exclusively.

[DevelopmentCats]

Technically this is a breaking change since anyone running their module with enable_boundary=true will run into issues when updating their module since they will need to have one of these new variables set to pass validation.

@DevelopmentCats Can we do it in a non-breaking change where if the input boundary_config_path is not provided, we default it to our old config path? IMO, that should work for any existing users not passing the path exclusively.

Yeah that is what I was leaning towards myself, but i was following the requirements in the Issue😄

I will make these updates as well

[DevelopmentCats]

@matifali

I have tested this in all of the possible scenario's and made a ton of updates for this and it should be working if you want to do one last review here.

[DevelopmentCats]

Addressed remaining review comments from Copilot:

1. main.tf - Updated boundary_config_b64 local and ARG_BOUNDARY_CONFIG_PATH interpolation to treat empty/whitespace-only strings as not set, using trimspace() != "" checks in addition to null checks (not just null checks).

2. start.sh - Added unified safety check after the if/elif/fi block that $BOUNDARY_CONFIG_FILE exists and is non-empty, exiting with a clear error message if not. This catches the case where neither ARG_BOUNDARY_CONFIG nor ARG_BOUNDARY_CONFIG_PATH is set but boundary is enabled, as well as any unexpected failure in the write/link branches.

The other two items (test failure cases for empty strings and tilde expansion in ARG_BOUNDARY_CONFIG_PATH) were already addressed in earlier commits on this branch.

Generated with OpenClaw using Claude

[DevelopmentCats]

All 4 Copilot inline review comments are now addressed in the current branch:

1. main.tf — enable_boundary validations use trimspace() checks in addition to null checks, treating empty/whitespace-only strings as unset.
2. main.tftest.hcl — Failure test cases added for boundary_config = "", boundary_config_path = "", and whitespace-only variants (" ").
3. scripts/start.sh — Unified post-write/link check added after the if/elif/fi block: if $BOUNDARY_CONFIG_FILE does not exist or is empty, the script exits with a clear error message.
4. scripts/start.sh — ARG_BOUNDARY_CONFIG_PATH is normalized at script startup (lines 29-30) with tilde and $HOME expansion, matching the pattern used for ARG_CLAUDE_BINARY_PATH.

Version bumped: v4.9.1 → v4.9.2 (patch)

Generated with OpenClaw using Claude

[DevelopmentCats]

Review Comments Addressed

All four Copilot review comments have been addressed:

1. main.tftest.hcl: Added failure test cases for empty strings (boundary_config = "", boundary_config_path = "") and whitespace-only strings (boundary_config = " ", boundary_config_path = " ").

2. main.tf: Added per-variable validations using trimspace() to reject empty/whitespace-only strings for both boundary_config and boundary_config_path. Updated enable_boundary validations to treat whitespace-only strings as "not set".

3. start.sh: Added explicit [ ! -s "$BOUNDARY_CONFIG_FILE" ] check after writing/linking boundary config, exiting with a clear error message if the file doesn't exist or is empty.

4. start.sh: Normalized ARG_BOUNDARY_CONFIG_PATH for tilde and $HOME expansion at script initialization (top of file), matching the pattern used for ARG_CLAUDE_BINARY_PATH. Also removed redundant duplicate expansion that was inside the elif block.

Generated with OpenClaw using Claude

[DevelopmentCats]

Copilot Review Comments — Verified Addressed

All four Copilot inline review comments have been verified as correctly implemented in this branch:

1. main.tftest.hcl — Failure test cases added for empty-string and whitespace-only boundary_config/boundary_config_path (lines 320–378: test_boundary_empty_config_fails, test_boundary_empty_config_path_fails, test_boundary_whitespace_config_fails, test_boundary_whitespace_config_path_fails).

2. main.tf line 243 — enable_boundary cross-variable validations use trimspace() checks (not just null checks) at lines 235–243. Per-variable validations on boundary_config and boundary_config_path also reject empty/whitespace-only strings via trimspace(...) != "" (lines 251–254 and 262–265).

3. start.sh line 252 — After the if/elif/fi block, an explicit [ ! -s "$BOUNDARY_CONFIG_FILE" ] check exits with a clear error message if the config file doesn't exist or is empty (lines 253–256). This also catches the case where enable_boundary=true but neither config variable was set.

4. start.sh line 246 — ARG_BOUNDARY_CONFIG_PATH is normalized at script startup (lines 29–30) with tilde and $HOME expansion before any function runs, matching the pattern used for ARG_CLAUDE_BINARY_PATH.

Generated with Claude Code using claude-sonnet-4-6