refactor rules engine for key value structure with spec compliance

README.md

@@ -25,12 +25,12 @@ curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | ba
 
 ```bash
 # Allow only requests to github.com
-boundary --allow "github.com" -- curl https://github.com
+boundary --allow "domain=github.com" -- curl https://github.com
 
 # Allow full access to GitHub issues API, but only GET/HEAD elsewhere on GitHub
 boundary \
-  --allow "github.com/api/issues/*" \
-  --allow "GET,HEAD github.com" \
+  --allow "domain=github.com path=/api/issues/*" \
+  --allow "method=GET,HEAD domain=github.com" \
   -- npm install
 
 # Default deny-all: everything is blocked unless explicitly allowed
@@ -41,25 +41,29 @@ boundary -- curl https://example.com
 
 ### Format
 ```text
---allow "pattern"                    # All HTTP methods allowed
---allow "METHOD[,METHOD] pattern"    # Specific methods only
+--allow "key=value [key=value ...]"
 ```
 
+**Keys:**
+- `method` - HTTP method(s), comma-separated (GET, POST, etc.)
+- `domain` - Domain/hostname pattern
+- `path` - URL path pattern
+
 ### Examples
 ```bash
-boundary --allow "github.com" -- git pull
-boundary --allow "*.github.com" -- npm install           # GitHub subdomains
-boundary --allow "api.*" -- ./app                        # Any API domain
-boundary --allow "GET,HEAD api.github.com" -- curl https://api.github.com
+boundary --allow "domain=github.com" -- git pull
+boundary --allow "domain=*.github.com" -- npm install           # GitHub subdomains
+boundary --allow "method=GET,HEAD domain=api.github.com" -- curl https://api.github.com
+boundary --allow "method=POST domain=api.example.com path=/users" -- ./app
 ```
 
 Wildcards: `*` matches any characters. All traffic is denied unless explicitly allowed.
 
 ## Logging
 
 ```bash
-boundary --log-level info --allow "*" -- npm install     # Show all requests
-boundary --log-level debug --allow "github.com" -- git pull  # Debug info
+boundary --log-level info --allow "method=*" -- npm install     # Show all requests
+boundary --log-level debug --allow "domain=github.com" -- git pull  # Debug info
 ```
 
 **Log Levels:** `error`, `warn` (default), `info`, `debug`
@@ -70,10 +74,10 @@ When you can't or don't want to run with sudo privileges, use `--unprivileged`:
 
 ```bash
 # Run without network isolation (uses HTTP_PROXY/HTTPS_PROXY environment variables)
-boundary --unprivileged --allow "github.com" -- npm install
+boundary --unprivileged --allow "domain=github.com" -- npm install
 
 # Useful in containers or restricted environments
-boundary --unprivileged --allow "*.npmjs.org" --allow "registry.npmjs.org" -- npm install
+boundary --unprivileged --allow "domain=*.npmjs.org" --allow "domain=registry.npmjs.org" -- npm install
 ```
 
 **Unprivileged Mode:**

boundary.go

@@ -11,11 +11,11 @@ import (
 	"github.com/coder/boundary/audit"
 	"github.com/coder/boundary/jail"
 	"github.com/coder/boundary/proxy"
-	"github.com/coder/boundary/rules"
+	"github.com/coder/boundary/rulesengine"
 )
 
 type Config struct {
-	RuleEngine rules.Evaluator
+	RuleEngine rulesengine.Engine
 	Auditor    audit.Auditor
 	TLSConfig  *tls.Config
 	Logger     *slog.Logger

cli/cli.go

@@ -14,7 +14,7 @@ import (
 	"github.com/coder/boundary"
 	"github.com/coder/boundary/audit"
 	"github.com/coder/boundary/jail"
-	"github.com/coder/boundary/rules"
+	"github.com/coder/boundary/rulesengine"
 	"github.com/coder/boundary/tls"
 	"github.com/coder/boundary/util"
 	"github.com/coder/serpent"
@@ -38,10 +38,10 @@ func NewCommand() *serpent.Command {
 	// may be called something different when used as a subcommand / there will be a leading binary (i.e. `coder boundary` vs. `boundary`).
 	cmd.Long += `Examples:
   # Allow only requests to github.com
-  boundary --allow "github.com" -- curl https://github.com
+  boundary --allow "domain=github.com" -- curl https://github.com
 
   # Monitor all requests to specific domains (allow only those)
-  boundary --allow "github.com/api/issues/*" --allow "GET,HEAD github.com" -- npm install
+  boundary --allow "domain=github.com path=/api/issues/*" --allow "method=GET,HEAD domain=github.com" -- npm install
 
   # Block everything by default (implicit)`
 
@@ -114,14 +114,14 @@ func Run(ctx context.Context, config Config, args []string) error {
 	}
 
 	// Parse allow rules
-	allowRules, err := rules.ParseAllowSpecs(config.AllowStrings)
+	allowRules, err := rulesengine.ParseAllowSpecs(config.AllowStrings)
 	if err != nil {
 		logger.Error("Failed to parse allow rules", "error", err)
 		return fmt.Errorf("failed to parse allow rules: %v", err)
 	}
 
 	// Create rule engine
-	ruleEngine := rules.NewRuleEngine(allowRules, logger)
+	ruleEngine := rulesengine.NewRuleEngine(allowRules, logger)
 
 	// Create auditor
 	auditor := audit.NewLogAuditor(logger)

e2e_tests/boundary_integration_test.go

@@ -78,8 +78,8 @@ func TestBoundaryIntegration(t *testing.T) {
 
 	// Start boundary process with sudo
 	boundaryCmd := exec.CommandContext(ctx, "/tmp/boundary-test",
-		"--allow", "dev.coder.com",
-		"--allow", "jsonplaceholder.typicode.com",
+		"--allow", "domain=dev.coder.com",
+		"--allow", "domain=jsonplaceholder.typicode.com",
 		"--log-level", "debug",
 		"--", "bash", "-c", "sleep 10 && echo 'Test completed'")
 

proxy/proxy.go

@@ -15,12 +15,12 @@ import (
 	"sync/atomic"
 
 	"github.com/coder/boundary/audit"
-	"github.com/coder/boundary/rules"
+	"github.com/coder/boundary/rulesengine"
 )
 
 // Server handles HTTP and HTTPS requests with rule-based filtering
 type Server struct {
-	ruleEngine rules.Evaluator
+	ruleEngine rulesengine.Engine
 	auditor    audit.Auditor
 	logger     *slog.Logger
 	tlsConfig  *tls.Config
@@ -33,7 +33,7 @@ type Server struct {
 // Config holds configuration for the proxy server
 type Config struct {
 	HTTPPort   int
-	RuleEngine rules.Evaluator
+	RuleEngine rulesengine.Engine
 	Auditor    audit.Auditor
 	Logger     *slog.Logger
 	TLSConfig  *tls.Config
@@ -254,8 +254,8 @@ Request: %s %s
 Host: %s
 
 To allow this request, restart boundary with:
-  --allow "%s"                    # Allow all methods to this host
-  --allow "%s %s"          # Allow only %s requests to this host
+  --allow "domain=%s"                    # Allow all methods to this host
+  --allow "method=%s domain=%s"          # Allow only %s requests to this host
 
 For more help: https://github.com/coder/boundary
 `,
@@ -639,7 +639,7 @@ func (p *Server) constructFullURL(req *http.Request, hostname string) string {
 
 // writeBlockedResponseStreaming writes a blocked response directly to the TLS connection
 func (p *Server) writeBlockedResponseStreaming(tlsConn *tls.Conn, req *http.Request) {
-	response := fmt.Sprintf("HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\n🚫 Request Blocked by Boundary\n\nRequest: %s %s\nHost: %s\n\nTo allow this request, restart boundary with:\n  --allow \"%s\"\n",
+	response := fmt.Sprintf("HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\n🚫 Request Blocked by Boundary\n\nRequest: %s %s\nHost: %s\n\nTo allow this request, restart boundary with:\n  --allow \"domain=%s\"\n",
 		req.Method, req.URL.Path, req.Host, req.Host)
 	_, _ = tlsConn.Write([]byte(response))
 }

proxy/proxy_test.go

@@ -17,7 +17,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/boundary/audit"
-	"github.com/coder/boundary/rules"
+	"github.com/coder/boundary/rulesengine"
 )
 
 // mockAuditor is a simple mock auditor for testing
@@ -35,13 +35,13 @@ func TestProxyServerBasicHTTP(t *testing.T) {
 	}))
 
 	// Create test rules (allow all for testing)
-	testRules, err := rules.ParseAllowSpecs([]string{"*"})
+	testRules, err := rulesengine.ParseAllowSpecs([]string{"method=*"})
 	if err != nil {
 		t.Fatalf("Failed to parse test rules: %v", err)
 	}
 
 	// Create rule engine
-	ruleEngine := rules.NewRuleEngine(testRules, logger)
+	ruleEngine := rulesengine.NewRuleEngine(testRules, logger)
 
 	// Create mock auditor
 	auditor := &mockAuditor{}
@@ -116,13 +116,13 @@ func TestProxyServerBasicHTTPS(t *testing.T) {
 	}))
 
 	// Create test rules (allow all for testing)
-	testRules, err := rules.ParseAllowSpecs([]string{"*"})
+	testRules, err := rulesengine.ParseAllowSpecs([]string{"method=*"})
 	if err != nil {
 		t.Fatalf("Failed to parse test rules: %v", err)
 	}
 
 	// Create rule engine
-	ruleEngine := rules.NewRuleEngine(testRules, logger)
+	ruleEngine := rulesengine.NewRuleEngine(testRules, logger)
 
 	// Create mock auditor
 	auditor := &mockAuditor{}
@@ -210,13 +210,13 @@ func TestProxyServerCONNECT(t *testing.T) {
 	}))
 
 	// Create test rules (allow all for testing)
-	testRules, err := rules.ParseAllowSpecs([]string{"*"})
+	testRules, err := rulesengine.ParseAllowSpecs([]string{"method=*"})
 	if err != nil {
 		t.Fatalf("Failed to parse test rules: %v", err)
 	}
 
 	// Create rule engine
-	ruleEngine := rules.NewRuleEngine(testRules, logger)
+	ruleEngine := rulesengine.NewRuleEngine(testRules, logger)
 
 	// Create mock auditor
 	auditor := &mockAuditor{}