feat: enhance boundary configuration options in Claude Code module

[DevelopmentCats]

Description

• Added new variables boundary_config and boundary_config_path for inline YAML and file path configurations, respectively.
• Implemented validation rules to ensure proper configuration when enable_boundary is true.
• Updated README with usage examples for both configuration methods.
• Add test cases to cover various boundary configuration scenarios, including validation failures.

Review Comment Fixes

• Add validation blocks to reject empty/whitespace-only strings for boundary_config and boundary_config_path variables (not just null checks)
• Add test cases for empty-string boundary_config and boundary_config_path with expect_failures
• Add post-write file existence and non-empty check after writing/linking boundary config with clear error message
• Normalize ARG_BOUNDARY_CONFIG_PATH to expand leading ~ and $HOME (same pattern as ARG_CLAUDE_BINARY_PATH)

Type of Change

• New module
• New template
• Bug fix
• Feature/enhancement
• Documentation
• Other

Module Information

Path: registry/coder/modules/claude-code
New version: v4.9.2
Breaking change: [ ] Yes [X] No

Testing & Validation

• Tests pass (bun test)
• Code formatted (bun fmt)
• Changes tested locally

Related Issues

#792

Generated with OpenClaw using Claude

[DevelopmentCats]

@matifali

Technically this is a breaking change since anyone running their module with enable_boundary=true will run into issues when updating their module since they will need to have one of these new variables set to pass validation.

Its a minimal change that we probably should have included to begin with so I figured updating to 4.9.0 would be fine unless you think we need to consider this a Major bump considering the circumstances.

[Copilot]

Pull request overview

Adds first-class support for passing Coder Boundary network filtering rules into the claude-code module, aligning the module’s enable_boundary behavior with the documented expectations in issue #792.

Changes:

• Introduces boundary_config (inline YAML) and boundary_config_path (existing file path) inputs and wires them into the startup script.
• Adds Terraform validations to enforce correct boundary configuration combinations.
• Updates README examples and expands tftest coverage for boundary configuration scenarios.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
registry/coder/modules/claude-code/scripts/start.sh	Writes/links boundary config into ~/.config/coder_boundary/config.yaml before starting boundary.
registry/coder/modules/claude-code/main.tf	Adds new inputs and validation rules; passes config/env through to the start script.
registry/coder/modules/claude-code/main.tftest.hcl	Adds plan-time tests for valid/invalid boundary input combinations.
registry/coder/modules/claude-code/README.md	Documents the new configuration options with usage examples and version bump to 4.9.0.

[matifali]

Technically this is a breaking change since anyone running their module with enable_boundary=true will run into issues when updating their module since they will need to have one of these new variables set to pass validation.

@DevelopmentCats Can we do it in a non-breaking change where if the input boundary_config_path is not provided, we default it to our old config path? IMO, that should work for any existing users not passing the path exclusively.

[DevelopmentCats]

Technically this is a breaking change since anyone running their module with enable_boundary=true will run into issues when updating their module since they will need to have one of these new variables set to pass validation.

@DevelopmentCats Can we do it in a non-breaking change where if the input boundary_config_path is not provided, we default it to our old config path? IMO, that should work for any existing users not passing the path exclusively.

Yeah that is what I was leaning towards myself, but i was following the requirements in the Issue😄

I will make these updates as well

[DevelopmentCats]

@matifali

I have tested this in all of the possible scenario's and made a ton of updates for this and it should be working if you want to do one last review here.

[DevelopmentCats]

Addressed remaining review comments from Copilot:

1. main.tf - Updated boundary_config_b64 local and ARG_BOUNDARY_CONFIG_PATH interpolation to treat empty/whitespace-only strings as not set, using trimspace() != "" checks in addition to null checks (not just null checks).

2. start.sh - Added unified safety check after the if/elif/fi block that $BOUNDARY_CONFIG_FILE exists and is non-empty, exiting with a clear error message if not. This catches the case where neither ARG_BOUNDARY_CONFIG nor ARG_BOUNDARY_CONFIG_PATH is set but boundary is enabled, as well as any unexpected failure in the write/link branches.

The other two items (test failure cases for empty strings and tilde expansion in ARG_BOUNDARY_CONFIG_PATH) were already addressed in earlier commits on this branch.

Generated with OpenClaw using Claude

[DevelopmentCats]

All 4 Copilot inline review comments are now addressed in the current branch:

1. main.tf — enable_boundary validations use trimspace() checks in addition to null checks, treating empty/whitespace-only strings as unset.
2. main.tftest.hcl — Failure test cases added for boundary_config = "", boundary_config_path = "", and whitespace-only variants (" ").
3. scripts/start.sh — Unified post-write/link check added after the if/elif/fi block: if $BOUNDARY_CONFIG_FILE does not exist or is empty, the script exits with a clear error message.
4. scripts/start.sh — ARG_BOUNDARY_CONFIG_PATH is normalized at script startup (lines 29-30) with tilde and $HOME expansion, matching the pattern used for ARG_CLAUDE_BINARY_PATH.

Version bumped: v4.9.1 → v4.9.2 (patch)

Generated with OpenClaw using Claude