@f0ssel f0ssel commented Sep 15, 2025

This PR ports the complete boundary network isolation tool implementation.

Features

  • Process-level network isolation using Linux namespaces and macOS process groups
  • HTTP/HTTPS interception with transparent proxy and TLS certificate injection
  • Rule-based access control with wildcard pattern matching for URLs
  • Cross-platform support for Linux and macOS
  • Unprivileged mode for restricted environments using proxy environment variables
  • Comprehensive logging and request auditing

Implementation

  • CLI interface with serpent-based command structure
  • Modular architecture: audit, jail, proxy, rules, TLS packages
  • Production-ready CI/CD with automated building, testing, and releases
  • Cross-platform builds for Linux (x64/ARM64) and macOS (Intel/Apple Silicon)

Usage

# Allow only requests to github.com
boundary --allow "github.com" -- curl https://github.com

# Allow specific methods
boundary --allow "GET,HEAD github.com" -- npm install

# Unprivileged mode (no sudo required)
boundary --unprivileged --allow "*.npmjs.org" -- npm install

@blink-so blink-so bot changed the title from "init" to "Port complete boundary implementation from agentjail" Sep 15, 2025
@f0ssel f0ssel changed the title from "Port complete boundary implementation from agentjail" to "Port complete boundary implementation" Sep 15, 2025
@f0ssel f0ssel requested a review from bcpeinhardt September 15, 2025 15:38
│ │ │
│ ├─ Pattern: "*.github.com", "api.*", "exact.com" │
│ ├─ Methods: ["GET", "POST"] or nil (all methods) │
│ └─ Raw: "allow GET,POST *.github.com" (for logging) │

The "allow" bit should be removed
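
An added example, not code from this PR or from boundary itself: the `--allow` values from the usage section parsed into the Pattern/Methods/Raw fields shown in the diagram and evaluated default-deny. `ParseAllow`, `Allowed`, the use of `path.Match` for the wildcards, and the rejection of specs with more than two tokens are assumptions; the host is assumed to arrive without a port.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule has the three fields shown in the diagram; the Go layout is an assumption.
type Rule struct {
	Pattern string
	Methods map[string]bool // nil means all methods
	Raw     string          // original spec, kept for logging
}

// ParseAllow parses "PATTERN" or "METHOD[,METHOD...] PATTERN".
func ParseAllow(spec string) (Rule, error) {
	f := strings.Fields(spec)
	if len(f) < 1 || len(f) > 2 {
		return Rule{}, fmt.Errorf("malformed rule %q", spec)
	}
	r := Rule{Pattern: strings.ToLower(f[len(f)-1]), Raw: spec}
	if len(f) == 2 {
		r.Methods = map[string]bool{}
		for _, m := range strings.Split(f[0], ",") {
			r.Methods[strings.ToUpper(m)] = true
		}
	}
	// Assumption: path.Match stands in for the wildcard matcher; hosts contain no "/".
	if _, err := path.Match(r.Pattern, ""); err != nil {
		return Rule{}, fmt.Errorf("bad pattern in %q: %w", spec, err)
	}
	return r, nil
}

// Allowed is default-deny; on a match it returns the Raw text of the first matching rule.
func Allowed(rules []Rule, method, host string) (bool, string) {
	for _, r := range rules {
		if r.Methods != nil && !r.Methods[strings.ToUpper(method)] {
			continue
		}
		if ok, _ := path.Match(r.Pattern, strings.ToLower(host)); ok {
			return true, r.Raw
		}
	}
	return false, ""
}

func main() { fmt.Println(Allowed(nil, "GET", "github.com")) } // no rules: denied
```

With these semantics an exact pattern such as `github.com` does not match `github.com.attacker.example`, and `*.npmjs.org` does not match the bare `npmjs.org`.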

@f0ssel f0ssel merged commit a5b051d into main Sep 15, 2025
2 checks passed
@f0ssel f0ssel deleted the f0ssel/move-again branch September 15, 2025 22:31