feat: enhance boundary configuration options in Claude Code module

[DevelopmentCats]

Description

Adds first-class support for passing Coder Boundary network filtering rules inline or by path into the claude-code module.

• Introduces boundary_config (inline YAML) and boundary_config_path (existing file path) inputs and wires them into the startup script.
• Adds Terraform validations to enforce correct boundary configuration combinations and reject empty/whitespace-only strings.
• Updates README examples and expands tftest coverage for boundary configuration scenarios.

Review Comment Fixes

All 4 Copilot inline review comments have been addressed:

1. main.tftest.hcl — Failure test cases added for boundary_config = "", boundary_config_path = "", and whitespace-only variants (" "): test_boundary_empty_config_fails, test_boundary_empty_config_path_fails, test_boundary_whitespace_config_fails, test_boundary_whitespace_config_path_fails.
2. main.tf — enable_boundary cross-variable validations use trimspace() checks (not just null checks) to treat empty/whitespace-only strings as unset. Per-variable validations on boundary_config and boundary_config_path also reject empty/whitespace-only strings.
3. scripts/start.sh — Unified post-write/link safety check added after the if/elif/fi block: if $BOUNDARY_CONFIG_FILE does not exist or is empty, the script exits with a clear error message.
4. scripts/start.sh — ARG_BOUNDARY_CONFIG_PATH is normalized at script startup (lines 29-30) with tilde and $HOME expansion, matching the pattern used for ARG_CLAUDE_BINARY_PATH.

Type of Change

• New module
• New template
• Bug fix
• Feature/enhancement
• Documentation
• Other

Module Information

Path: registry/coder/modules/claude-code
New version: v4.9.3
Breaking change: [ ] Yes [X] No

Testing & Validation

• Tests pass (bun test)
• Code formatted (bun fmt)
• Changes tested locally

Closes #792

Generated with Claude (claude-sonnet-4-6)

[DevelopmentCats]

@matifali

Technically this is a breaking change since anyone running their module with enable_boundary=true will run into issues when updating their module since they will need to have one of these new variables set to pass validation.

Its a minimal change that we probably should have included to begin with so I figured updating to 4.9.0 would be fine unless you think we need to consider this a Major bump considering the circumstances.

[Copilot]

Pull request overview

Adds first-class support for passing Coder Boundary network filtering rules into the claude-code module, aligning the module’s enable_boundary behavior with the documented expectations in issue #792.

Changes:

• Introduces boundary_config (inline YAML) and boundary_config_path (existing file path) inputs and wires them into the startup script.
• Adds Terraform validations to enforce correct boundary configuration combinations.
• Updates README examples and expands tftest coverage for boundary configuration scenarios.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
registry/coder/modules/claude-code/scripts/start.sh	Writes/links boundary config into ~/.config/coder_boundary/config.yaml before starting boundary.
registry/coder/modules/claude-code/main.tf	Adds new inputs and validation rules; passes config/env through to the start script.
registry/coder/modules/claude-code/main.tftest.hcl	Adds plan-time tests for valid/invalid boundary input combinations.
registry/coder/modules/claude-code/README.md	Documents the new configuration options with usage examples and version bump to 4.9.0.

[matifali]

Technically this is a breaking change since anyone running their module with enable_boundary=true will run into issues when updating their module since they will need to have one of these new variables set to pass validation.

@DevelopmentCats Can we do it in a non-breaking change where if the input boundary_config_path is not provided, we default it to our old config path? IMO, that should work for any existing users not passing the path exclusively.

[DevelopmentCats]

Technically this is a breaking change since anyone running their module with enable_boundary=true will run into issues when updating their module since they will need to have one of these new variables set to pass validation.

@DevelopmentCats Can we do it in a non-breaking change where if the input boundary_config_path is not provided, we default it to our old config path? IMO, that should work for any existing users not passing the path exclusively.

Yeah that is what I was leaning towards myself, but i was following the requirements in the Issue😄

I will make these updates as well

[DevelopmentCats]

@matifali

I have tested this in all of the possible scenario's and made a ton of updates for this and it should be working if you want to do one last review here.

[DevelopmentCats]

Addressed remaining review comments from Copilot:

1. main.tf - Updated boundary_config_b64 local and ARG_BOUNDARY_CONFIG_PATH interpolation to treat empty/whitespace-only strings as not set, using trimspace() != "" checks in addition to null checks (not just null checks).

2. start.sh - Added unified safety check after the if/elif/fi block that $BOUNDARY_CONFIG_FILE exists and is non-empty, exiting with a clear error message if not. This catches the case where neither ARG_BOUNDARY_CONFIG nor ARG_BOUNDARY_CONFIG_PATH is set but boundary is enabled, as well as any unexpected failure in the write/link branches.

The other two items (test failure cases for empty strings and tilde expansion in ARG_BOUNDARY_CONFIG_PATH) were already addressed in earlier commits on this branch.

Generated with OpenClaw using Claude

[DevelopmentCats]

All 4 Copilot inline review comments are now addressed in the current branch:

1. main.tf — enable_boundary validations use trimspace() checks in addition to null checks, treating empty/whitespace-only strings as unset.
2. main.tftest.hcl — Failure test cases added for boundary_config = "", boundary_config_path = "", and whitespace-only variants (" ").
3. scripts/start.sh — Unified post-write/link check added after the if/elif/fi block: if $BOUNDARY_CONFIG_FILE does not exist or is empty, the script exits with a clear error message.
4. scripts/start.sh — ARG_BOUNDARY_CONFIG_PATH is normalized at script startup (lines 29-30) with tilde and $HOME expansion, matching the pattern used for ARG_CLAUDE_BINARY_PATH.

Version bumped: v4.9.1 → v4.9.2 (patch)

Generated with OpenClaw using Claude

[DevelopmentCats]

Review Comments Addressed

All four Copilot review comments have been addressed:

1. main.tftest.hcl: Added failure test cases for empty strings (boundary_config = "", boundary_config_path = "") and whitespace-only strings (boundary_config = " ", boundary_config_path = " ").

2. main.tf: Added per-variable validations using trimspace() to reject empty/whitespace-only strings for both boundary_config and boundary_config_path. Updated enable_boundary validations to treat whitespace-only strings as "not set".

3. start.sh: Added explicit [ ! -s "$BOUNDARY_CONFIG_FILE" ] check after writing/linking boundary config, exiting with a clear error message if the file doesn't exist or is empty.

4. start.sh: Normalized ARG_BOUNDARY_CONFIG_PATH for tilde and $HOME expansion at script initialization (top of file), matching the pattern used for ARG_CLAUDE_BINARY_PATH. Also removed redundant duplicate expansion that was inside the elif block.

Generated with OpenClaw using Claude

[DevelopmentCats]

Copilot Review Comments — Verified Addressed

All four Copilot inline review comments have been verified as correctly implemented in this branch:

1. main.tftest.hcl — Failure test cases added for empty-string and whitespace-only boundary_config/boundary_config_path (lines 320–378: test_boundary_empty_config_fails, test_boundary_empty_config_path_fails, test_boundary_whitespace_config_fails, test_boundary_whitespace_config_path_fails).

2. main.tf line 243 — enable_boundary cross-variable validations use trimspace() checks (not just null checks) at lines 235–243. Per-variable validations on boundary_config and boundary_config_path also reject empty/whitespace-only strings via trimspace(...) != "" (lines 251–254 and 262–265).

3. start.sh line 252 — After the if/elif/fi block, an explicit [ ! -s "$BOUNDARY_CONFIG_FILE" ] check exits with a clear error message if the config file doesn't exist or is empty (lines 253–256). This also catches the case where enable_boundary=true but neither config variable was set.

4. start.sh line 246 — ARG_BOUNDARY_CONFIG_PATH is normalized at script startup (lines 29–30) with tilde and $HOME expansion before any function runs, matching the pattern used for ARG_CLAUDE_BINARY_PATH.

Generated with Claude Code using claude-sonnet-4-6

[DevelopmentCats]

All Review Comments Verified and Version Bumped

All four Copilot review comments from the original PR have been addressed (confirmed in the current branch), and the version has been bumped to v4.9.3:

1. main.tf line 243 — boundary_config and boundary_config_path variables have per-variable validation blocks using trimspace(...) != "" to reject empty/whitespace-only strings. The enable_boundary cross-variable validations also use trimspace().

2. main.tftest.hcl line 334 — Failure test cases added for boundary_config = "", boundary_config_path = "", and whitespace-only variants (" "): test_boundary_empty_config_fails, test_boundary_empty_config_path_fails, test_boundary_whitespace_config_fails, test_boundary_whitespace_config_path_fails.

3. scripts/start.sh line 252 — Explicit [ ! -s "$BOUNDARY_CONFIG_FILE" ] check added after the if/elif/fi block. Exits with a clear error message if the config file doesn't exist or is empty after writing/linking.

4. scripts/start.sh line 246 — ARG_BOUNDARY_CONFIG_PATH normalized at script startup (lines 29-30) with tilde and $HOME expansion before any function runs, matching the pattern used for ARG_CLAUDE_BINARY_PATH.

Version: v4.9.2 → v4.9.3

Generated with OpenClaw using Claude

[DevelopmentCats]

README Formatting Fix

Fixed attribute alignment in all README code block examples. The version-bump script had stripped the padding spaces from version lines, causing prettier-plugin-terraform-formatter to report formatting issues in CI.

All 10 code examples now have version properly aligned with sibling attributes using terraform fmt-style alignment.

Generated with OpenClaw using Claude