From 1b27a4297de5d646000ac4e9dcc5180b0e4ac919 Mon Sep 17 00:00:00 2001 From: 35C4n0r Date: Mon, 22 Jun 2026 11:53:46 +0000 Subject: [PATCH 1/4] docs(registry/coder/modules/agent-firewall): add Codex MCP TLS workaround note --- .../coder/modules/agent-firewall/README.md | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/registry/coder/modules/agent-firewall/README.md b/registry/coder/modules/agent-firewall/README.md index 42cd2b820..5d547584b 100644 --- a/registry/coder/modules/agent-firewall/README.md +++ b/registry/coder/modules/agent-firewall/README.md @@ -82,6 +82,45 @@ resource "coder_app" "claude_with_agent_firewall" { } ``` +### With Codex + +Use agent-firewall alongside the `codex` module the same way as other AI modules. + +> [!WARNING] +> **MCP subprocesses and TLS verification** +> +> Codex clears the subprocess environment when spawning MCP stdio servers, stripping +> the CA cert and proxy vars that agent-firewall injects into the Codex process. +> This causes MCP subprocesses to fail TLS verification against agent-firewall's +> intercepting proxy. This is a known upstream issue: +> [openai/codex#29124](https://github.com/openai/codex/issues/29124). +> +> **Workaround:** pass the required vars through explicitly via `env_vars` in each +> `[mcp_servers.*]` block in `~/.codex/config.toml`: +> +> ```toml +> [mcp_servers.memory] +> command = "npx" +> args = ["-y", "@modelcontextprotocol/server-memory"] +> env_vars = ["NODE_EXTRA_CA_CERTS", "HTTPS_PROXY"] +> ``` +> +> This must be repeated for every MCP server. There is no global default in Codex. +> +> **All vars agent-firewall injects** (from [`landjail/child.go`](https://github.com/coder/boundary/blob/main/landjail/child.go)): +> +> | Variable | Description | +> | ---------------------------- | ---------------------------------------- | +> | `NODE_EXTRA_CA_CERTS` | CA cert for Node.js TLS verification | +> | `SSL_CERT_FILE` | CA cert for OpenSSL/LibreSSL-based tools | +> | `SSL_CERT_DIR` | CA cert directory for OpenSSL | +> | `CURL_CA_BUNDLE` | CA cert for curl | +> | `GIT_SSL_CAINFO` | CA cert for Git | +> | `REQUESTS_CA_BUNDLE` | CA cert for Python requests | +> | `HTTPS_PROXY` / `HTTP_PROXY` | Proxy address for HTTPS/HTTP traffic | +> | `https_proxy` / `http_proxy` | Lowercase aliases for the above | +> | `NO_PROXY` / `no_proxy` | Cleared to prevent bypassing the proxy | + ## Configuration The module ships with a comprehensive default config based on the From ae2e54d066b72c72bb1178906f6d148fa2b25dbe Mon Sep 17 00:00:00 2001 From: 35C4n0r Date: Mon, 22 Jun 2026 13:20:46 +0000 Subject: [PATCH 2/4] chore(registry/coder/modules/agent-firewall): bump version to 0.0.2 --- registry/coder/modules/agent-firewall/README.md | 10 +++++----- registry/coder/modules/agent-firewall/main.tf | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/registry/coder/modules/agent-firewall/README.md b/registry/coder/modules/agent-firewall/README.md index 5d547584b..b7ed4d698 100644 --- a/registry/coder/modules/agent-firewall/README.md +++ b/registry/coder/modules/agent-firewall/README.md @@ -21,7 +21,7 @@ This module: ```tf module "agent-firewall" { source = "registry.coder.com/coder/agent-firewall/coder" - version = "0.0.1" + version = "0.0.2" agent_id = coder_agent.main.id } ``` @@ -40,7 +40,7 @@ network-isolated environment. ```tf module "agent-firewall" { source = "registry.coder.com/coder/agent-firewall/coder" - version = "0.0.1" + version = "0.0.2" agent_id = coder_agent.main.id } @@ -65,7 +65,7 @@ resource "coder_script" "claude_with_agent_firewall" { ```tf module "agent-firewall" { source = "registry.coder.com/coder/agent-firewall/coder" - version = "0.0.1" + version = "0.0.2" agent_id = coder_agent.main.id } @@ -143,7 +143,7 @@ Pass the full YAML content directly: ```tf module "agent-firewall" { source = "registry.coder.com/coder/agent-firewall/coder" - version = "0.0.1" + version = "0.0.2" agent_id = coder_agent.main.id agent_firewall_config = <<-YAML @@ -167,7 +167,7 @@ your path. The file must exist on disk before agent-firewall starts. ```tf module "agent-firewall" { source = "registry.coder.com/coder/agent-firewall/coder" - version = "0.0.1" + version = "0.0.2" agent_id = coder_agent.main.id agent_firewall_config_path = "/workspace/my-agent-firewall-config.yaml" diff --git a/registry/coder/modules/agent-firewall/main.tf b/registry/coder/modules/agent-firewall/main.tf index 8e795007a..359d60d65 100644 --- a/registry/coder/modules/agent-firewall/main.tf +++ b/registry/coder/modules/agent-firewall/main.tf @@ -103,7 +103,7 @@ locals { module "coder_utils" { source = "registry.coder.com/coder/coder-utils/coder" - version = "0.0.1" + version = "0.0.2" agent_id = var.agent_id display_name_prefix = "Agent Firewall" module_directory = var.module_directory From 85a3c782bd898eb1fad88a7bcf8c65a6b669b076 Mon Sep 17 00:00:00 2001 From: 35C4n0r Date: Mon, 22 Jun 2026 13:24:39 +0000 Subject: [PATCH 3/4] fix(registry/coder/modules/agent-firewall): revert coder-utils dependency version bump --- registry/coder/modules/agent-firewall/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/registry/coder/modules/agent-firewall/main.tf b/registry/coder/modules/agent-firewall/main.tf index 359d60d65..8e795007a 100644 --- a/registry/coder/modules/agent-firewall/main.tf +++ b/registry/coder/modules/agent-firewall/main.tf @@ -103,7 +103,7 @@ locals { module "coder_utils" { source = "registry.coder.com/coder/coder-utils/coder" - version = "0.0.2" + version = "0.0.1" agent_id = var.agent_id display_name_prefix = "Agent Firewall" module_directory = var.module_directory From 451cdffcf16434c1a4d08c0ffcacc9b43ffbbb96 Mon Sep 17 00:00:00 2001 From: 35C4n0r Date: Tue, 23 Jun 2026 15:15:46 +0000 Subject: [PATCH 4/4] docs(registry/coder/modules/agent-firewall): address review comments --- .../coder/modules/agent-firewall/README.md | 35 ++++++++++--------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/registry/coder/modules/agent-firewall/README.md b/registry/coder/modules/agent-firewall/README.md index b7ed4d698..3e05bbd5b 100644 --- a/registry/coder/modules/agent-firewall/README.md +++ b/registry/coder/modules/agent-firewall/README.md @@ -84,7 +84,7 @@ resource "coder_app" "claude_with_agent_firewall" { ### With Codex -Use agent-firewall alongside the `codex` module the same way as other AI modules. +Use agent-firewall alongside the [`codex`](https://registry.coder.com/modules/coder-labs/codex) module the same way as other AI modules. > [!WARNING] > **MCP subprocesses and TLS verification** @@ -95,8 +95,9 @@ Use agent-firewall alongside the `codex` module the same way as other AI modules > intercepting proxy. This is a known upstream issue: > [openai/codex#29124](https://github.com/openai/codex/issues/29124). > -> **Workaround:** pass the required vars through explicitly via `env_vars` in each -> `[mcp_servers.*]` block in `~/.codex/config.toml`: +> **Workaround:** pass the vars your MCP server's runtime needs via `env_vars` in +> each `[mcp_servers.*]` block in `~/.codex/config.toml`. For example, for a +> Node.js-based server: > > ```toml > [mcp_servers.memory] @@ -106,20 +107,20 @@ Use agent-firewall alongside the `codex` module the same way as other AI modules > ``` > > This must be repeated for every MCP server. There is no global default in Codex. -> -> **All vars agent-firewall injects** (from [`landjail/child.go`](https://github.com/coder/boundary/blob/main/landjail/child.go)): -> -> | Variable | Description | -> | ---------------------------- | ---------------------------------------- | -> | `NODE_EXTRA_CA_CERTS` | CA cert for Node.js TLS verification | -> | `SSL_CERT_FILE` | CA cert for OpenSSL/LibreSSL-based tools | -> | `SSL_CERT_DIR` | CA cert directory for OpenSSL | -> | `CURL_CA_BUNDLE` | CA cert for curl | -> | `GIT_SSL_CAINFO` | CA cert for Git | -> | `REQUESTS_CA_BUNDLE` | CA cert for Python requests | -> | `HTTPS_PROXY` / `HTTP_PROXY` | Proxy address for HTTPS/HTTP traffic | -> | `https_proxy` / `http_proxy` | Lowercase aliases for the above | -> | `NO_PROXY` / `no_proxy` | Cleared to prevent bypassing the proxy | + +The full list of vars agent-firewall injects (from [`landjail/child.go`](https://github.com/coder/boundary/blob/main/landjail/child.go)). Add the ones relevant to your MCP server's runtime: + +| Variable | Description | +| ---------------------------- | ---------------------------------------- | +| `NODE_EXTRA_CA_CERTS` | CA cert for Node.js TLS verification | +| `SSL_CERT_FILE` | CA cert for OpenSSL/LibreSSL-based tools | +| `SSL_CERT_DIR` | CA cert directory for OpenSSL | +| `CURL_CA_BUNDLE` | CA cert for curl | +| `GIT_SSL_CAINFO` | CA cert for Git | +| `REQUESTS_CA_BUNDLE` | CA cert for Python requests | +| `HTTPS_PROXY` / `HTTP_PROXY` | Proxy address for HTTPS/HTTP traffic | +| `https_proxy` / `http_proxy` | Lowercase aliases for the above | +| `NO_PROXY` / `no_proxy` | Cleared to prevent bypassing the proxy | ## Configuration