coder
diff --git a/‎.gitignore‎
Lines changed: 48 additions & 0 deletions b/‎.gitignore‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 180 additions & 0 deletions b/‎README.md‎
Lines changed: 180 additions & 0 deletions
diff --git a/‎boundary-linux‎
13 MB b/‎boundary-linux‎
13 MB
diff --git a/‎boundary-macos‎
12.9 MB b/‎boundary-macos‎
12.9 MB
diff --git a/‎cleanup.sh‎
Lines changed: 29 additions & 0 deletions b/‎cleanup.sh‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 33 additions & 3 deletions b/‎go.mod‎
Lines changed: 33 additions & 3 deletions
@@ -0,0 +1,48 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+boundary
+boundary.exe
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
+
+# Go workspace file
+go.work
+
+# IDE files
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS generated files
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# Temporary files
+*.tmp
+*.temp
+
+# Log files
+*.log
+
+# Certificate files (generated at runtime)
+*.pem
+*.crt
+*.key
@@ -0,0 +1,180 @@
+# boundary
+
+**Network isolation tool for monitoring and restricting HTTP/HTTPS requests from processes**
+
+boundary creates an isolated network environment for target processes, intercepting all HTTP/HTTPS traffic through a transparent proxy that enforces user-defined allow rules.
+
+## Features
+
+- 🔒 **Process-level network isolation** - Linux namespaces, macOS process groups
+- 🌐 **HTTP/HTTPS interception** - Transparent proxy with TLS certificate injection
+- 🎯 **Wildcard pattern matching** - Simple `*` wildcards for URL patterns
+- 📝 **Request logging** - Monitor and log all HTTP/HTTPS requests
+- 🖥️ **Cross-platform** - Native support for Linux and macOS
+- ⚡ **Zero configuration** - Works out of the box with sensible defaults
+- 🛡️ **Default deny-all** - Secure by default, only allow what you explicitly permit
+
+## Quick Start
+
+```bash
+# Build the tool
+go build -o boundary .
+
+# Allow only requests to github.com
+./boundary --allow "github.com" -- curl https://github.com
+
+# Allow full access to GitHub issues API, but only GET/HEAD elsewhere on GitHub
+./boundary \
+  --allow "github.com/api/issues/*" \
+  --allow "GET,HEAD github.com" \
+  -- npm install
+
+# Default deny-all: everything is blocked unless explicitly allowed
+./boundary -- curl https://example.com
+```
+
+## Allow Rules
+
+boundary uses simple wildcard patterns for URL matching.
+
+### Rule Format
+
+```text
+--allow "pattern"
+--allow "METHOD[,METHOD] pattern"
+```
+
+- If only a pattern is provided, all HTTP methods are allowed
+- If methods are provided, only those HTTP methods are allowed (case-insensitive)
+- Patterns use wildcards: `*` (matches any characters)
+
+### Examples
+
+```bash
+# Basic patterns
+boundary --allow "github.com" -- git pull
+
+# Wildcard patterns
+boundary --allow "*.github.com" -- npm install    # GitHub subdomains
+boundary --allow "api.*" -- ./app                 # Any API domain
+
+# Method-specific rules
+boundary --allow "GET,HEAD api.github.com" -- curl https://api.github.com
+```
+
+**Default Policy:** All traffic is denied unless explicitly allowed.
+
+## Logging
+
+```bash
+# Monitor all requests with info logging
+boundary --log-level info --allow "*" -- npm install
+
+# Debug logging for troubleshooting
+boundary --log-level debug --allow "github.com" -- git pull
+
+# Error-only logging
+boundary --log-level error --allow "*" -- ./app
+```
+
+**Log Levels:**
+- `error`: Shows only errors
+- `warn`: Shows blocked requests and errors (default)
+- `info`: Shows all requests (allowed and blocked)
+- `debug`: Shows detailed information including TLS operations
+
+## Blocked Request Messages
+
+When a request is blocked, boundary provides helpful guidance:
+
+```
+🚫 Request Blocked by Boundary
+
+Request: GET /
+Host: google.com
+Reason: No matching allow rules (default deny-all policy)
+
+To allow this request, restart boundary with:
+  --allow "google.com"                    # Allow all methods to this host
+  --allow "GET google.com"          # Allow only GET requests to this host
+
+For more help: https://github.com/coder/boundary
+```
+
+## Platform Support
+
+| Platform | Implementation | Sudo Required |
+|----------|----------------|---------------|
+| Linux    | Network namespaces + iptables | Yes |
+| macOS    | Process groups + PF rules | Yes |
+| Windows  | Not supported | - |
+
+## Installation
+
+### Prerequisites
+
+**Linux:**
+- Linux kernel 3.8+ (network namespace support)
+- iptables
+- Go 1.21+ (for building)
+- sudo access
+
+**macOS:**
+- macOS 10.15+ (Catalina or later)
+- pfctl (included)
+- Go 1.21+ (for building)
+- sudo access
+
+### Build from Source
+
+```bash
+git clone https://github.com/coder/boundary
+cd boundary
+go build -o boundary .
+```
+
+## TLS Interception
+
+boundary automatically generates a Certificate Authority (CA) to intercept HTTPS traffic:
+
+- CA stored in `~/.config/boundary/` (or `$XDG_CONFIG_HOME/boundary/`)
+- CA certificate provided via `BOUNDARY_CA_CERT` environment variable
+- Certificates generated on-demand for intercepted domains
+- CA expires after 1 year
+
+### Disable TLS Interception
+
+```bash
+boundary --no-tls-intercept --allow "*" -- ./app
+```
+
+## Command-Line Options
+
+```text
+boundary [flags] -- command [args...]
+
+OPTIONS:
+    --allow <SPEC>             Allow rule (repeatable)
+                               Format: "pattern" or "METHOD[,METHOD] pattern"
+    --log-level <LEVEL>        Set log level (error, warn, info, debug)
+    --no-tls-intercept         Disable HTTPS interception
+    -h, --help                 Print help
+```
+
+## Development
+
+```bash
+# Build
+go build -o boundary .
+
+# Test
+go test ./...
+
+# Cross-compile
+GOOS=linux GOARCH=amd64 go build -o boundary-linux .
+GOOS=darwin GOARCH=amd64 go build -o boundary-macos .
+```
+
+## License
+
+MIT License - see LICENSE file for details.
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Emergency cleanup script for boundary network jail
+# Run this if boundary crashes and leaves your networking in a bad state
+
+echo "Cleaning up boundary network namespaces and iptables rules..."
+
+# Remove all boundary network namespaces
+for ns in $(ip netns list | grep boundary | awk '{print $1}'); do
+    echo "Removing namespace: $ns"
+    sudo ip netns delete "$ns" 2>/dev/null || true
+done
+
+# Remove boundary iptables rules
+echo "Cleaning up iptables rules..."
+sudo iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -j MASQUERADE 2>/dev/null || true
+
+# Remove any boundary interfaces
+for iface in $(ip link show | grep veth_n_ | awk -F: '{print $2}' | awk '{print $1}'); do
+    echo "Removing interface: $iface"
+    sudo ip link delete "$iface" 2>/dev/null || true
+done
+
+# Clean up DNS config directories
+echo "Cleaning up DNS configuration..."
+sudo rm -rf /etc/netns/boundary_* 2>/dev/null || true
+
+echo "Cleanup completed. Your networking should be restored."
+echo "If you still have issues, try: sudo systemctl restart networking"
@@ -1,5 +1,35 @@
-module github.com/coder/squeeze
+module boundary
 
-go 1.25.0
+go 1.21.4
 
-require golang.org/x/sys v0.35.0 // indirect
+toolchain go1.23.8
+
+require (
+	cdr.dev/slog v1.6.2-0.20240126064726-20367d4aede6 // indirect
+	github.com/coder/serpent v0.10.0
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
+
+require (
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/coder/pretty v0.0.0-20230908205945-e89ba86370e0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/muesli/termenv v0.15.2 // indirect
+	github.com/pion/transport/v2 v2.0.0 // indirect
+	github.com/pion/udp v0.1.4 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	go.opentelemetry.io/otel v1.19.0 // indirect
+	go.opentelemetry.io/otel/trace v1.19.0 // indirect
+	golang.org/x/crypto v0.19.0 // indirect
+	golang.org/x/exp v0.0.0-20240213143201-ec583247a57a // indirect
+	golang.org/x/sys v0.17.0 // indirect
+	golang.org/x/term v0.17.0 // indirect
+	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
+)