feat(cloudcli): add secure CloudCLI workspace module#939
Conversation
This is kind of a slow first installation. I'm wondering if we should optionally allow people to use an image with it pre-baked. |
|
@bpmct Good point. The eight-minute result was a cold install; subsequent starts reuse the installed version. I can add an optional install_cloudcli input to support pre-baked images |
|
Awesome. Do you know of any pre-baked images that exist? If not, perhaps we could provide one (I could add something to the coder/images repo) |
|
CloudCLI publishes Docker Sandbox images (https://hub.docker.com/r/cloudcliai/sandbox), but they are not designed specifically for Coder workspaces. A dedicated image in coder/images would likely be a better fit. nice idea |
Oh awesome find! Honestly, given they do have Docker Sandbox images my preference would be to use/recommend their official "sandbox" images (even if it means documenting an example template in the README because those will be more likely to be maintained. There aren't many requirements for an image to work with Coder, so it's at least worth testing If it doesn't work, I'm happy to fall back to making one in |
|
This makes sense. I completely agree with you and I just tried it and it works quite well 🙂 |
|
Awesome, thanks for looking into that 🙂 |
|
Adding @DevelopmentCats as a reviewer too as I'm sure he'll have some stylistic reviews too |
|
Honestly style wise everything looks great here. It looks like everything passed our CI checks as well. I will give this a test as well but it looks like Ben picked out most of the key points I noticed, I will also follow up with some review comments as well since there are a few things worth addressing/changing |
|
thank you for your feedback and I am working hard to resolve your various comments and proposals |
|
@bpmct Thanks — I addressed points 2–4 in 6e981e9: the README now includes the agent prerequisite and a Claude Code example, the module uses the external CloudCLI icon, and startup polling no longer emits transient curl warnings. CloudCLI OSS 1.35.0 does not provide a supported option to skip the initial account setup, so I documented it as a one-time step rather than bypassing its authentication. |
|
@DevelopmentCats I tested path-based mode in a full Coder workspace. CloudCLI 1.35.0 uses root-relative /assets, /api, /ws, and /shell routes, so with subdomain = false the HTML loads but the UI remains blank. Exposing this option would currently create a broken configuration. I kept subdomain mode mandatory and documented |
|
@bpmct can you review ? |
Ahh yeah I see that they don't have a configurable base domain path in the product. I will give this another review. This would also make a good feature request for cloud-cli as well. |

Description
Adds a community CloudCLI module that installs the pinned npm package in an isolated per-module runtime and exposes the service through an owner-only Coder app.
The module binds CloudCLI explicitly to
127.0.0.1:3001, uses the/healthendpoint for readiness, preserves existing coding-agent installations and authentication, and supports an optional validatedworkspaces_rootto limit project discovery. Startup is idempotent and refuses occupied or non-loopback listeners without terminating unrelated processes. The start pipeline allows a slow first-time npm installation to complete before launching CloudCLI.The registry catalog uses the bundled CloudCLI icon. Coder deployments that do not provide
/icon/cloudcli.svgmay not render the in-workspace app and script icon; this does not affect module operation.Type of Change
Module Information
Path:
registry/edd88-pixel/modules/cloudcliNew version:
v1.0.0Breaking change: [ ] Yes [x] No
Testing & Validation
bun test)bun fmt)Executed successfully:
bun installbun run fmtbun run shellcheckbun run tftestwith explicit changed-module inputsbun run tstestwith explicit changed-module inputs: 10 passed, 127 assertionsterraform init -upgradeterraform validateterraform test -verbose: 9 passedbun test main.test.ts: 10 passed, 127 assertions./scripts/terraform_validate.shwith explicitALL_CHANGED_FILESandMODULE_CHANGED_FILESgo build ./cmd/readmevalidation && ./readmevalidationready, and the Coder app reachedhealthy@cloudcli-ai/cloudcli@1.35.0, successful/health, live PID, listener127.0.0.1:3001, and no wildcard listenerRelated Issues
Closes #868