feat(agentapi): use wildcard alllowed hosts (#320)

Since https://github.com/coder/agentapi/pull/49 was merged, agentapi by
default only accepts requests with the `Host` header set to localhost,
127.0.0.1, or [::1]. In Coder, agentapi is served behind a reverse proxy
as a workspace app, so we need to use a wildcard
`AGENTAPI_ALLOWED_HOSTS` for agentapi-based modules to continue working.

This PR updates the claude code and agentapi modules, and a subsequent
PR will update modules that are based on the agentapi module.

registry/coder/modules/agentapi/README.md

@@ -16,7 +16,7 @@ The AgentAPI module is a building block for modules that need to run an AgentAPI
 ```tf
 module "agentapi" {
   source  = "registry.coder.com/coder/agentapi/coder"
-  version = "1.1.0"
+  version = "1.1.1"
 
   agent_id             = var.agent_id
   web_app_slug         = local.app_slug

registry/coder/modules/agentapi/main.test.ts

@@ -236,4 +236,17 @@ describe("agentapi", async () => {
       }
     }
   });
+
+  test("agentapi-allowed-hosts", async () => {
+    // verify that the agentapi binary has access to the AGENTAPI_ALLOWED_HOSTS environment variable
+    // set in main.sh
+    const { id } = await setup();
+    await execModuleScript(id);
+    await expectAgentAPIStarted(id);
+    const agentApiStartLog = await readFileContainer(
+      id,
+      "/home/coder/agentapi-mock.log",
+    );
+    expect(agentApiStartLog).toContain("AGENTAPI_ALLOWED_HOSTS: *");
+  });
 });

registry/coder/modules/agentapi/scripts/main.sh

@@ -95,5 +95,7 @@ export LC_ALL=en_US.UTF-8
 cd "${WORKDIR}"
 
 export AGENTAPI_CHAT_BASE_PATH="${AGENTAPI_CHAT_BASE_PATH:-}"
+# Disable host header check since AgentAPI is proxied by Coder (which does its own validation)
+export AGENTAPI_ALLOWED_HOSTS="*"
 nohup "$module_path/scripts/agentapi-start.sh" true "${AGENTAPI_PORT}" &>"$module_path/agentapi-start.log" &
 "$module_path/scripts/agentapi-wait-for-start.sh" "${AGENTAPI_PORT}"

registry/coder/modules/agentapi/testdata/agentapi-mock.js

@@ -1,11 +1,13 @@
 #!/usr/bin/env node
 
 const http = require("http");
+const fs = require("fs");
 const args = process.argv.slice(2);
 const portIdx = args.findIndex((arg) => arg === "--port") + 1;
 const port = portIdx ? args[portIdx] : 3284;
 
 console.log(`starting server on port ${port}`);
+fs.writeFileSync("/home/coder/agentapi-mock.log", `AGENTAPI_ALLOWED_HOSTS: ${process.env.AGENTAPI_ALLOWED_HOSTS}`);
 
 http
   .createServer(function (_request, response) {

registry/coder/modules/claude-code/README.md

@@ -13,7 +13,7 @@ Run the [Claude Code](https://docs.anthropic.com/en/docs/agents-and-tools/claude
 ```tf
 module "claude-code" {
   source              = "registry.coder.com/coder/claude-code/coder"
-  version             = "2.0.6"
+  version             = "2.0.7"
   agent_id            = coder_agent.example.id
   folder              = "/home/coder"
   install_claude_code = true
@@ -84,7 +84,7 @@ resource "coder_agent" "main" {
 module "claude-code" {
   count               = data.coder_workspace.me.start_count
   source              = "registry.coder.com/coder/claude-code/coder"
-  version             = "2.0.6"
+  version             = "2.0.7"
   agent_id            = coder_agent.example.id
   folder              = "/home/coder"
   install_claude_code = true
@@ -102,7 +102,7 @@ Run Claude Code as a standalone app in your workspace. This will install Claude
 ```tf
 module "claude-code" {
   source              = "registry.coder.com/coder/claude-code/coder"
-  version             = "2.0.6"
+  version             = "2.0.7"
   agent_id            = coder_agent.example.id
   folder              = "/home/coder"
   install_claude_code = true

registry/coder/modules/claude-code/main.test.ts

@@ -10,6 +10,7 @@ import path from "path";
 import {
   execContainer,
   findResourceInstance,
+  readFileContainer,
   removeContainer,
   runContainer,
   runTerraformApply,
@@ -319,4 +320,21 @@ describe("claude-code", async () => {
       agentApiUrl: "http://localhost:3284",
     });
   });
+
+  // verify that the agentapi binary has access to the AGENTAPI_ALLOWED_HOSTS environment variable
+  // set in main.tf
+  test("agentapi-allowed-hosts", async () => {
+    const { id } = await setup();
+
+    const respModuleScript = await execModuleScript(id);
+    expect(respModuleScript.exitCode).toBe(0);
+
+    await expectAgentAPIStarted(id);
+
+    const agentApiStartLog = await readFileContainer(
+      id,
+      "/home/coder/agentapi-mock.log",
+    );
+    expect(agentApiStartLog).toContain("AGENTAPI_ALLOWED_HOSTS: *");
+  });
 });

registry/coder/modules/claude-code/main.tf

@@ -241,6 +241,10 @@ resource "coder_script" "claude_code" {
     export LC_ALL=en_US.UTF-8
 
     cd "${local.workdir}"
+
+    # Disable host header check since AgentAPI is proxied by Coder (which does its own validation)
+    export AGENTAPI_ALLOWED_HOSTS="*"
+
     nohup "$module_path/scripts/agentapi-start.sh" use_prompt &> "$module_path/agentapi-start.log" &
     "$module_path/scripts/agentapi-wait-for-start.sh"
     EOT

registry/coder/modules/claude-code/testdata/agentapi-mock.js

@@ -20,6 +20,8 @@ if (
   process.exit(1);
 }
 
+fs.writeFileSync("/home/coder/agentapi-mock.log", `AGENTAPI_ALLOWED_HOSTS: ${process.env.AGENTAPI_ALLOWED_HOSTS}`);
+
 console.log(`starting server on port ${port}`);
 
 http