feat(claude-code): add boundary log socket configuration

- Add CODER_AGENT_BOUNDARY_LOG_SOCKET env var for agent
- Add boundary_log_socket_path variable (default: /tmp/coder-boundary-audit.sock)
- Update start.sh to pass --audit-socket to boundary when env var is set

This enables boundary audit log forwarding to coderd when boundary is enabled.

registry/coder/modules/claude-code/main.tf

@@ -252,6 +252,12 @@ variable "compile_boundary_from_source" {
   default     = false
 }
 
+variable "boundary_log_socket_path" {
+  type        = string
+  description = "Path to the Unix socket for boundary audit logs. Both the agent and boundary use this path."
+  default     = "/tmp/coder-boundary-audit.sock"
+}
+
 resource "coder_env" "claude_code_md_path" {
   count = var.claude_md_path == "" ? 0 : 1
 
@@ -288,6 +294,14 @@ resource "coder_env" "disable_autoupdater" {
   value    = "1"
 }
 
+resource "coder_env" "boundary_log_socket" {
+  count = var.enable_boundary ? 1 : 0
+
+  agent_id = var.agent_id
+  name     = "CODER_BOUNDARY_LOG_SOCKET"
+  value    = var.boundary_log_socket_path
+}
+
 locals {
   # we have to trim the slash because otherwise coder exp mcp will
   # set up an invalid claude config

registry/coder/modules/claude-code/scripts/start.sh

@@ -249,6 +249,11 @@ function start_agentapi() {
     # Set HTTP Proxy port used by Boundary
     BOUNDARY_ARGS+=(--proxy-port "$ARG_BOUNDARY_PROXY_PORT")
 
+    # Pass audit socket path if CODER_AGENT_BOUNDARY_LOG_SOCKET is set
+    if [ -n "$CODER_AGENT_BOUNDARY_LOG_SOCKET" ]; then
+      BOUNDARY_ARGS+=(--audit-socket "$CODER_AGENT_BOUNDARY_LOG_SOCKET")
+    fi
+
     # Set log level for boundary
     BOUNDARY_ARGS+=(--log-level "$ARG_BOUNDARY_LOG_LEVEL")