feat(useragent): add heuristics for bare HTTP client UAs (okhttp, CFNetwork)

- Add optional chaining for userAgent.os.name in ConnectionLogRow.tsx
- Make os field optional in DiagnosticSessionConnection type to match Go SDK

.github/pr-deployments/certificate.yaml

@@ -1,13 +1,13 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: pr${PR_NUMBER}-tls
+  name: ${DEPLOY_NAME}-tls
   namespace: pr-deployment-certs
 spec:
-  secretName: pr${PR_NUMBER}-tls
+  secretName: ${DEPLOY_NAME}-tls
   issuerRef:
     name: letsencrypt
     kind: ClusterIssuer
   dnsNames:
-    - "${PR_HOSTNAME}"
-    - "*.${PR_HOSTNAME}"
+    - "${DEPLOY_HOSTNAME}"
+    - "*.${DEPLOY_HOSTNAME}"

.github/pr-deployments/rbac.yaml

@@ -1,15 +1,15 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: coder-workspace-pr${PR_NUMBER}
-  namespace: pr${PR_NUMBER}
+  name: coder-workspace-${DEPLOY_NAME}
+  namespace: ${DEPLOY_NAME}
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: coder-workspace-pr${PR_NUMBER}
-  namespace: pr${PR_NUMBER}
+  name: coder-workspace-${DEPLOY_NAME}
+  namespace: ${DEPLOY_NAME}
 rules:
   - apiGroups: ["*"]
     resources: ["*"]
@@ -19,13 +19,13 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: coder-workspace-pr${PR_NUMBER}
-  namespace: pr${PR_NUMBER}
+  name: coder-workspace-${DEPLOY_NAME}
+  namespace: ${DEPLOY_NAME}
 subjects:
   - kind: ServiceAccount
-    name: coder-workspace-pr${PR_NUMBER}
-    namespace: pr${PR_NUMBER}
+    name: coder-workspace-${DEPLOY_NAME}
+    namespace: ${DEPLOY_NAME}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: coder-workspace-pr${PR_NUMBER}
+  name: coder-workspace-${DEPLOY_NAME}

.github/pr-deployments/template/main.tf

@@ -12,9 +12,23 @@ terraform {
 provider "coder" {
 }
 
+variable "use_kubeconfig" {
+  type        = bool
+  description = <<-EOF
+  Use host kubeconfig? (true/false)
+
+  Set this to false if the Coder host is itself running as a Pod on the same
+  Kubernetes cluster as you are deploying workspaces to.
+
+  Set this to true if the Coder host is running outside the Kubernetes cluster
+  for workspaces.  A valid "~/.kube/config" must be present on the Coder host.
+  EOF
+  default     = false
+}
+
 variable "namespace" {
   type        = string
-  description = "The Kubernetes namespace to create workspaces in (must exist prior to creating workspaces)"
+  description = "The Kubernetes namespace to create workspaces in (must exist prior to creating workspaces). If the Coder host is itself running as a Pod on the same Kubernetes cluster as you are deploying workspaces to, set this to the same namespace."
 }
 
 data "coder_parameter" "cpu" {
@@ -82,7 +96,8 @@ data "coder_parameter" "home_disk_size" {
 }
 
 provider "kubernetes" {
-  config_path = null
+  # Authenticate via ~/.kube/config or a Coder-specific ServiceAccount, depending on admin preferences
+  config_path = var.use_kubeconfig == true ? "~/.kube/config" : null
 }
 
 data "coder_workspace" "me" {}
@@ -94,10 +109,12 @@ resource "coder_agent" "main" {
   startup_script = <<-EOT
     set -e
 
-    # install and start code-server
+    # Install the latest code-server.
+    # Append "--version x.x.x" to install a specific version of code-server.
     curl -fsSL https://code-server.dev/install.sh | sh -s -- --method=standalone --prefix=/tmp/code-server
-    /tmp/code-server/bin/code-server --auth none --port 13337 >/tmp/code-server.log 2>&1 &
 
+    # Start code-server in the background.
+    /tmp/code-server/bin/code-server --auth none --port 13337 >/tmp/code-server.log 2>&1 &
   EOT
 
   # The following metadata blocks are optional. They are used to display
@@ -174,13 +191,13 @@ resource "coder_app" "code-server" {
   }
 }
 
-resource "kubernetes_persistent_volume_claim" "home" {
+resource "kubernetes_persistent_volume_claim_v1" "home" {
   metadata {
-    name      = "coder-${lower(data.coder_workspace_owner.me.name)}-${lower(data.coder_workspace.me.name)}-home"
+    name      = "coder-${data.coder_workspace.me.id}-home"
     namespace = var.namespace
     labels = {
       "app.kubernetes.io/name"     = "coder-pvc"
-      "app.kubernetes.io/instance" = "coder-pvc-${lower(data.coder_workspace_owner.me.name)}-${lower(data.coder_workspace.me.name)}"
+      "app.kubernetes.io/instance" = "coder-pvc-${data.coder_workspace.me.id}"
       "app.kubernetes.io/part-of"  = "coder"
       //Coder-specific labels.
       "com.coder.resource"       = "true"
@@ -204,18 +221,18 @@ resource "kubernetes_persistent_volume_claim" "home" {
   }
 }
 
-resource "kubernetes_deployment" "main" {
+resource "kubernetes_deployment_v1" "main" {
   count = data.coder_workspace.me.start_count
   depends_on = [
-    kubernetes_persistent_volume_claim.home
+    kubernetes_persistent_volume_claim_v1.home
   ]
   wait_for_rollout = false
   metadata {
-    name      = "coder-${lower(data.coder_workspace_owner.me.name)}-${lower(data.coder_workspace.me.name)}"
+    name      = "coder-${data.coder_workspace.me.id}"
     namespace = var.namespace
     labels = {
       "app.kubernetes.io/name"     = "coder-workspace"
-      "app.kubernetes.io/instance" = "coder-workspace-${lower(data.coder_workspace_owner.me.name)}-${lower(data.coder_workspace.me.name)}"
+      "app.kubernetes.io/instance" = "coder-workspace-${data.coder_workspace.me.id}"
       "app.kubernetes.io/part-of"  = "coder"
       "com.coder.resource"         = "true"
       "com.coder.workspace.id"     = data.coder_workspace.me.id
@@ -232,7 +249,14 @@ resource "kubernetes_deployment" "main" {
     replicas = 1
     selector {
       match_labels = {
-        "app.kubernetes.io/name" = "coder-workspace"
+        "app.kubernetes.io/name"     = "coder-workspace"
+        "app.kubernetes.io/instance" = "coder-workspace-${data.coder_workspace.me.id}"
+        "app.kubernetes.io/part-of"  = "coder"
+        "com.coder.resource"         = "true"
+        "com.coder.workspace.id"     = data.coder_workspace.me.id
+        "com.coder.workspace.name"   = data.coder_workspace.me.name
+        "com.coder.user.id"          = data.coder_workspace_owner.me.id
+        "com.coder.user.username"    = data.coder_workspace_owner.me.name
       }
     }
     strategy {
@@ -242,20 +266,29 @@ resource "kubernetes_deployment" "main" {
     template {
       metadata {
         labels = {
-          "app.kubernetes.io/name" = "coder-workspace"
+          "app.kubernetes.io/name"     = "coder-workspace"
+          "app.kubernetes.io/instance" = "coder-workspace-${data.coder_workspace.me.id}"
+          "app.kubernetes.io/part-of"  = "coder"
+          "com.coder.resource"         = "true"
+          "com.coder.workspace.id"     = data.coder_workspace.me.id
+          "com.coder.workspace.name"   = data.coder_workspace.me.name
+          "com.coder.user.id"          = data.coder_workspace_owner.me.id
+          "com.coder.user.username"    = data.coder_workspace_owner.me.name
         }
       }
       spec {
+        hostname = lower(data.coder_workspace.me.name)
+
         security_context {
-          run_as_user = 1000
-          fs_group    = 1000
+          run_as_user     = 1000
+          fs_group        = 1000
+          run_as_non_root = true
         }
 
-        service_account_name = "coder-workspace-${var.namespace}"
         container {
           name              = "dev"
-          image             = "bencdr/devops-tools"
-          image_pull_policy = "Always"
+          image             = "codercom/enterprise-base:ubuntu"
+          image_pull_policy = "IfNotPresent"
           command           = ["sh", "-c", coder_agent.main.init_script]
           security_context {
             run_as_user = "1000"
@@ -284,7 +317,7 @@ resource "kubernetes_deployment" "main" {
         volume {
           name = "home"
           persistent_volume_claim {
-            claim_name = kubernetes_persistent_volume_claim.home.metadata.0.name
+            claim_name = kubernetes_persistent_volume_claim_v1.home.metadata.0.name
             read_only  = false
           }
         }

.github/pr-deployments/values.yaml

@@ -1,24 +1,26 @@
 coder:
+  podAnnotations:
+    deploy-sha: "${GITHUB_SHA}"
   image:
     repo: "${REPO}"
-    tag: "pr${PR_NUMBER}"
+    tag: "${DEPLOY_NAME}"
     pullPolicy: Always
   service:
     type: ClusterIP
   ingress:
     enable: true
     className: traefik
-    host: "${PR_HOSTNAME}"
-    wildcardHost: "*.${PR_HOSTNAME}"
+    host: "${DEPLOY_HOSTNAME}"
+    wildcardHost: "*.${DEPLOY_HOSTNAME}"
     tls:
       enable: true
-      secretName: "pr${PR_NUMBER}-tls"
-      wildcardSecretName: "pr${PR_NUMBER}-tls"
+      secretName: "${DEPLOY_NAME}-tls"
+      wildcardSecretName: "${DEPLOY_NAME}-tls"
   env:
     - name: "CODER_ACCESS_URL"
-      value: "https://${PR_HOSTNAME}"
+      value: "https://${DEPLOY_HOSTNAME}"
     - name: "CODER_WILDCARD_ACCESS_URL"
-      value: "*.${PR_HOSTNAME}"
+      value: "*.${DEPLOY_HOSTNAME}"
     - name: "CODER_EXPERIMENTS"
       value: "${EXPERIMENTS}"
     - name: CODER_PG_CONNECTION_URL

.github/workflows/branch-deploy.yaml

@@ -0,0 +1,408 @@
+name: Deploy Branch
+
+on:
+  push:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: deploy-${{ github.ref_name }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
+    permissions:
+      packages: write
+    env:
+      CODER_IMAGE_TAG: "ghcr.io/coder/coder-preview:${{ github.ref_name }}"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Setup Node
+        uses: ./.github/actions/setup-node
+
+      - name: Setup Go
+        uses: ./.github/actions/setup-go
+
+      - name: Setup sqlc
+        uses: ./.github/actions/setup-sqlc
+
+      - name: GHCR Login
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        run: |
+          set -euo pipefail
+          go mod download
+          make gen/mark-fresh
+          export DOCKER_IMAGE_NO_PREREQUISITES=true
+          version="$(./scripts/version.sh)"
+          CODER_IMAGE_BUILD_BASE_TAG="$(CODER_IMAGE_BASE=coder-base ./scripts/image_tag.sh --version "$version")"
+          export CODER_IMAGE_BUILD_BASE_TAG
+          make -j build/coder_linux_amd64
+          ./scripts/build_docker.sh \
+            --arch amd64 \
+            --target "${CODER_IMAGE_TAG}" \
+            --version "$version" \
+            --push \
+            build/coder_linux_amd64
+
+  deploy:
+    needs: build
+    runs-on: ubuntu-latest
+    env:
+      BRANCH_NAME: ${{ github.ref_name }}
+      DEPLOY_NAME: "${{ github.ref_name }}"
+      TEST_DOMAIN_SUFFIX: "${{ startsWith(secrets.PR_DEPLOYMENTS_DOMAIN, 'test.') && secrets.PR_DEPLOYMENTS_DOMAIN || format('test.{0}', secrets.PR_DEPLOYMENTS_DOMAIN) }}"
+      BRANCH_HOSTNAME: "${{ github.ref_name }}.${{ startsWith(secrets.PR_DEPLOYMENTS_DOMAIN, 'test.') && secrets.PR_DEPLOYMENTS_DOMAIN || format('test.{0}', secrets.PR_DEPLOYMENTS_DOMAIN) }}"
+      CODER_IMAGE_TAG: "ghcr.io/coder/coder-preview:${{ github.ref_name }}"
+      REPO: ghcr.io/coder/coder-preview
+      EXPERIMENTS: "*,oauth2,mcp-server-http"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set up kubeconfig
+        run: |
+          set -euo pipefail
+          mkdir -p ~/.kube
+          echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG_BASE64 }}" | base64 --decode > ~/.kube/config
+          chmod 600 ~/.kube/config
+
+      - name: Verify cluster authentication
+        run: |
+          set -euo pipefail
+          kubectl auth can-i get namespaces > /dev/null
+
+      - name: Check if deployment exists
+        id: check
+        run: |
+          set -euo pipefail
+
+          set +e
+          helm_status_output="$(helm status "${DEPLOY_NAME}" --namespace "${DEPLOY_NAME}" 2>&1)"
+          helm_status_code=$?
+          set -e
+
+          if [ "$helm_status_code" -eq 0 ]; then
+            echo "new=false" >> "$GITHUB_OUTPUT"
+          elif echo "$helm_status_output" | grep -qi "release: not found"; then
+            echo "new=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "$helm_status_output"
+            exit "$helm_status_code"
+          fi
+
+      # ---- Every push: ensure routing + TLS ----
+
+      - name: Ensure DNS records
+        run: |
+          set -euo pipefail
+
+          api_base_url="https://api.cloudflare.com/client/v4/zones/${{ secrets.PR_DEPLOYMENTS_ZONE_ID }}/dns_records"
+          base_name="${BRANCH_HOSTNAME}"
+          base_target="${TEST_DOMAIN_SUFFIX}"
+          wildcard_name="*.${BRANCH_HOSTNAME}"
+
+          ensure_cname_record() {
+            local record_name="$1"
+            local record_content="$2"
+
+            echo "Ensuring CNAME ${record_name} -> ${record_content}."
+
+            set +e
+            lookup_raw_response="$(
+              curl -sS -G "${api_base_url}" \
+                -H "Authorization: Bearer ${{ secrets.PR_DEPLOYMENTS_CLOUDFLARE_API_TOKEN }}" \
+                -H "Content-Type:application/json" \
+                --data-urlencode "name=${record_name}" \
+                --data-urlencode "per_page=100" \
+                -w '\n%{http_code}'
+            )"
+            lookup_exit_code=$?
+            set -e
+
+            if [ "$lookup_exit_code" -eq 0 ]; then
+              lookup_response="${lookup_raw_response%$'\n'*}"
+              lookup_http_code="${lookup_raw_response##*$'\n'}"
+
+              if [ "$lookup_http_code" = "200" ] && echo "$lookup_response" | jq -e '.success == true' > /dev/null 2>&1; then
+                if echo "$lookup_response" | jq -e '.result[]? | select(.type != "CNAME")' > /dev/null 2>&1; then
+                  echo "Conflicting non-CNAME DNS record exists for ${record_name}."
+                  echo "$lookup_response"
+                  return 1
+                fi
+
+                existing_cname_id="$(echo "$lookup_response" | jq -r '.result[]? | select(.type == "CNAME") | .id' | head -n1)"
+                if [ -n "$existing_cname_id" ]; then
+                  existing_content="$(echo "$lookup_response" | jq -r --arg id "$existing_cname_id" '.result[] | select(.id == $id) | .content')"
+                  if [ "$existing_content" = "$record_content" ]; then
+                    echo "CNAME already set for ${record_name}."
+                    return 0
+                  fi
+
+                  echo "Updating existing CNAME for ${record_name}."
+                  update_response="$(
+                    curl -sS -X PUT "${api_base_url}/${existing_cname_id}" \
+                      -H "Authorization: Bearer ${{ secrets.PR_DEPLOYMENTS_CLOUDFLARE_API_TOKEN }}" \
+                      -H "Content-Type:application/json" \
+                      --data '{"type":"CNAME","name":"'"${record_name}"'","content":"'"${record_content}"'","ttl":1,"proxied":false}'
+                  )"
+
+                  if echo "$update_response" | jq -e '.success == true' > /dev/null 2>&1; then
+                    echo "Updated CNAME for ${record_name}."
+                    return 0
+                  fi
+
+                  echo "Cloudflare API error while updating ${record_name}:"
+                  echo "$update_response"
+                  return 1
+                fi
+              fi
+            else
+              echo "Could not query DNS record ${record_name}; attempting create."
+            fi
+
+            max_attempts=6
+            attempt=1
+            last_response=""
+            last_http_code=""
+
+            while [ "$attempt" -le "$max_attempts" ]; do
+              echo "Creating DNS record ${record_name} (attempt ${attempt}/${max_attempts})."
+
+              set +e
+              raw_response="$(
+                curl -sS -X POST "${api_base_url}" \
+                  -H "Authorization: Bearer ${{ secrets.PR_DEPLOYMENTS_CLOUDFLARE_API_TOKEN }}" \
+                  -H "Content-Type:application/json" \
+                  --data '{"type":"CNAME","name":"'"${record_name}"'","content":"'"${record_content}"'","ttl":1,"proxied":false}' \
+                  -w '\n%{http_code}'
+              )"
+              curl_exit_code=$?
+              set -e
+
+              curl_failed=false
+              if [ "$curl_exit_code" -eq 0 ]; then
+                response="${raw_response%$'\n'*}"
+                http_code="${raw_response##*$'\n'}"
+              else
+                response="curl exited with code ${curl_exit_code}."
+                http_code="000"
+                curl_failed=true
+              fi
+
+              last_response="$response"
+              last_http_code="$http_code"
+
+              if echo "$response" | jq -e '.success == true' > /dev/null 2>&1; then
+                echo "Created DNS record ${record_name}."
+                return 0
+              fi
+
+              # 81057: identical record exists. 81053: host record conflict.
+              if echo "$response" | jq -e '.errors[]? | select(.code == 81057 or .code == 81053)' > /dev/null 2>&1; then
+                echo "DNS record already exists for ${record_name}."
+                return 0
+              fi
+
+              transient_error=false
+              if [ "$curl_failed" = true ] || [ "$http_code" = "429" ]; then
+                transient_error=true
+              elif [[ "$http_code" =~ ^[0-9]{3}$ ]] && [ "$http_code" -ge 500 ] && [ "$http_code" -lt 600 ]; then
+                transient_error=true
+              fi
+
+              if echo "$response" | jq -e '.errors[]? | select(.code == 10000 or .code == 10001)' > /dev/null 2>&1; then
+                transient_error=true
+              fi
+
+              if [ "$transient_error" = true ] && [ "$attempt" -lt "$max_attempts" ]; then
+                sleep_seconds=$((attempt * 5))
+                echo "Transient Cloudflare API error (HTTP ${http_code}). Retrying in ${sleep_seconds}s."
+                sleep "$sleep_seconds"
+                attempt=$((attempt + 1))
+                continue
+              fi
+
+              break
+            done
+
+            echo "Cloudflare API error while creating DNS record ${record_name} after ${attempt} attempt(s):"
+            echo "HTTP status: ${last_http_code}"
+            echo "$last_response"
+            return 1
+          }
+
+          ensure_cname_record "${base_name}" "${base_target}"
+          ensure_cname_record "${wildcard_name}" "${base_name}"
+
+      # ---- First deploy only ----
+
+      - name: Create namespace
+        if: steps.check.outputs.new == 'true'
+        run: |
+          set -euo pipefail
+          kubectl delete namespace "${DEPLOY_NAME}" --wait=true || true
+          # Delete any orphaned PVs that were bound to PVCs in this
+          # namespace. Without this, the old PV (with stale Postgres
+          # data) gets reused on reinstall, causing auth failures.
+          kubectl get pv -o json | \
+            jq -r '.items[] | select(.spec.claimRef.namespace=='"${DEPLOY_NAME}"') | .metadata.name' | \
+            xargs -r kubectl delete pv || true
+          kubectl create namespace "${DEPLOY_NAME}"
+
+      # ---- Every push: ensure deployment certificate ----
+
+      - name: Ensure certificate
+        env:
+          DEPLOY_HOSTNAME: ${{ env.BRANCH_HOSTNAME }}
+        run: |
+          set -euo pipefail
+          cert_secret_name="${DEPLOY_NAME}-tls"
+
+          envsubst < ./.github/pr-deployments/certificate.yaml | kubectl apply -f -
+
+          if ! kubectl -n pr-deployment-certs wait --for=condition=Ready "certificate/${cert_secret_name}" --timeout=10m; then
+            echo "Timed out waiting for certificate ${cert_secret_name} to become Ready after 10 minutes."
+            kubectl -n pr-deployment-certs describe certificate "${cert_secret_name}" || true
+            kubectl -n pr-deployment-certs get certificaterequest,order,challenge -l "cert-manager.io/certificate-name=${cert_secret_name}" || true
+            exit 1
+          fi
+
+          kubectl get secret "${cert_secret_name}" -n pr-deployment-certs -o json |
+            jq 'del(.metadata.namespace,.metadata.creationTimestamp,.metadata.resourceVersion,.metadata.selfLink,.metadata.uid,.metadata.managedFields)' |
+            kubectl -n "${DEPLOY_NAME}" apply -f -
+
+      - name: Set up PostgreSQL
+        if: steps.check.outputs.new == 'true'
+        run: |
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm install coder-db bitnami/postgresql \
+            --namespace "${DEPLOY_NAME}" \
+            --set image.repository=bitnamilegacy/postgresql \
+            --set auth.username=coder \
+            --set auth.password=coder \
+            --set auth.database=coder \
+            --set persistence.size=10Gi
+          kubectl create secret generic coder-db-url -n "${DEPLOY_NAME}" \
+            --from-literal=url="postgres://coder:coder@coder-db-postgresql.${DEPLOY_NAME}.svc.cluster.local:5432/coder?sslmode=disable"
+
+      - name: Create RBAC
+        if: steps.check.outputs.new == 'true'
+        run: envsubst < ./.github/pr-deployments/rbac.yaml | kubectl apply -f -
+
+      # ---- Every push ----
+
+      - name: Create values.yaml
+        env:
+          DEPLOY_HOSTNAME: ${{ env.BRANCH_HOSTNAME }}
+          REPO: ${{ env.REPO }}
+          PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID: ${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID }}
+          PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET: ${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET }}
+        run: envsubst < ./.github/pr-deployments/values.yaml > ./deploy-values.yaml
+
+      - name: Install/Upgrade Helm chart
+        run: |
+          set -euo pipefail
+          helm dependency update --skip-refresh ./helm/coder
+          helm upgrade --install "${DEPLOY_NAME}" ./helm/coder \
+            --namespace "${DEPLOY_NAME}" \
+            --values ./deploy-values.yaml \
+            --force
+
+      - name: Install coder-logstream-kube
+        if: steps.check.outputs.new == 'true'
+        run: |
+          helm repo add coder-logstream-kube https://helm.coder.com/logstream-kube
+          helm upgrade --install coder-logstream-kube coder-logstream-kube/coder-logstream-kube \
+            --namespace "${DEPLOY_NAME}" \
+            --set url="https://${BRANCH_HOSTNAME}" \
+            --set "namespaces[0]=${DEPLOY_NAME}"
+
+      - name: Create first user and template
+        if: steps.check.outputs.new == 'true'
+        env:
+          PR_DEPLOYMENTS_ADMIN_PASSWORD: ${{ secrets.PR_DEPLOYMENTS_ADMIN_PASSWORD }}
+        run: |
+          set -euo pipefail
+          URL="https://${BRANCH_HOSTNAME}/bin/coder-linux-amd64"
+          COUNT=0
+          until curl --output /dev/null --silent --head --fail "$URL"; do
+            sleep 5
+            COUNT=$((COUNT+1))
+            if [ "$COUNT" -ge 60 ]; then echo "Timed out"; exit 1; fi
+          done
+          curl -fsSL "$URL" -o /tmp/coder && chmod +x /tmp/coder
+
+          password="${PR_DEPLOYMENTS_ADMIN_PASSWORD}"
+          if [ -z "$password" ]; then
+            echo "Missing PR_DEPLOYMENTS_ADMIN_PASSWORD repository secret."
+            exit 1
+          fi
+          echo "::add-mask::$password"
+
+          admin_username="${BRANCH_NAME}-admin"
+          admin_email="${BRANCH_NAME}@coder.com"
+          coder_url="https://${BRANCH_HOSTNAME}"
+
+          first_user_status="$(curl -sS -o /dev/null -w '%{http_code}' "${coder_url}/api/v2/users/first")"
+          if [ "$first_user_status" = "404" ]; then
+            /tmp/coder login \
+              --first-user-username "$admin_username" \
+              --first-user-email "$admin_email" \
+              --first-user-password "$password" \
+              --first-user-trial=false \
+              --use-token-as-session \
+              "$coder_url"
+          elif [ "$first_user_status" = "200" ]; then
+            login_payload="$(jq -n --arg email "$admin_email" --arg password "$password" '{email: $email, password: $password}')"
+            login_response="$(
+              curl -sS -X POST "${coder_url}/api/v2/users/login" \
+                -H "Content-Type: application/json" \
+                --data "$login_payload" \
+                -w '\n%{http_code}'
+            )"
+            login_body="${login_response%$'\n'*}"
+            login_status="${login_response##*$'\n'}"
+
+            if [ "$login_status" != "201" ]; then
+              echo "Password login failed for existing deployment (HTTP ${login_status})."
+              echo "$login_body"
+              exit 1
+            fi
+
+            session_token="$(echo "$login_body" | jq -r '.session_token // empty')"
+            if [ -z "$session_token" ]; then
+              echo "Password login response is missing session_token."
+              exit 1
+            fi
+            echo "::add-mask::$session_token"
+
+            /tmp/coder login \
+              --token "$session_token" \
+              --use-token-as-session \
+              "$coder_url"
+          else
+            echo "Unexpected status from /api/v2/users/first: ${first_user_status}."
+            exit 1
+          fi
+
+          cd .github/pr-deployments/template
+          /tmp/coder templates push -y --directory . --variable "namespace=${DEPLOY_NAME}" kubernetes
+          /tmp/coder create --template="kubernetes" kube \
+            --parameter cpu=2 --parameter memory=4 --parameter home_disk_size=2 -y
+          /tmp/coder stop kube -y

.github/workflows/ci.yaml

@@ -181,7 +181,7 @@ jobs:
           echo "LINT_CACHE_DIR=$dir" >> "$GITHUB_ENV"
 
       - name: golangci-lint cache
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
         with:
           path: |
             ${{ env.LINT_CACHE_DIR }}
@@ -241,9 +241,7 @@ jobs:
 
   lint-actions:
     needs: changes
-    # Only run this job if changes to CI workflow files are detected. This job
-    # can flake as it reaches out to GitHub to check referenced actions.
-    if: needs.changes.outputs.ci == 'true'
+    if: needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
     steps:
       - name: Harden Runner
@@ -1186,7 +1184,7 @@ jobs:
           persist-credentials: false
 
       - name: GHCR Login
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -1393,7 +1391,7 @@ jobs:
         id: attest_main
         if: github.ref == 'refs/heads/main'
         continue-on-error: true
-        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
+        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
         with:
           subject-name: "ghcr.io/coder/coder-preview:main"
           predicate-type: "https://slsa.dev/provenance/v1"
@@ -1430,7 +1428,7 @@ jobs:
         id: attest_latest
         if: github.ref == 'refs/heads/main'
         continue-on-error: true
-        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
+        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
         with:
           subject-name: "ghcr.io/coder/coder-preview:latest"
           predicate-type: "https://slsa.dev/provenance/v1"
@@ -1467,7 +1465,7 @@ jobs:
         id: attest_version
         if: github.ref == 'refs/heads/main'
         continue-on-error: true
-        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
+        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
         with:
           subject-name: "ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}"
           predicate-type: "https://slsa.dev/provenance/v1"

.github/workflows/deploy.yaml

@@ -76,7 +76,7 @@ jobs:
           persist-credentials: false
 
       - name: GHCR Login
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/docker-base.yaml

@@ -48,7 +48,7 @@ jobs:
           persist-credentials: false
 
       - name: Docker login
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/dogfood.yaml

@@ -42,7 +42,7 @@ jobs:
           # on version 2.29 and above.
           nix_version: "2.28.5"
 
-      - uses: nix-community/cache-nix-action@7df957e333c1e5da7721f60227dbba6d06080569 # v7.0.2
+      - uses: nix-community/cache-nix-action@106bba72ed8e29c8357661199511ef07790175e9 # v7.0.1
         with:
           # restore and save a cache using this key
           primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
@@ -82,7 +82,7 @@ jobs:
 
       - name: Login to DockerHub
         if: github.ref == 'refs/heads/main'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}

.github/workflows/pr-deploy.yaml

@@ -248,7 +248,7 @@ jobs:
         uses: ./.github/actions/setup-sqlc
 
       - name: GHCR Login
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -285,6 +285,8 @@ jobs:
       PR_NUMBER: ${{ needs.get_info.outputs.PR_NUMBER }}
       PR_TITLE: ${{ needs.get_info.outputs.PR_TITLE }}
       PR_URL: ${{ needs.get_info.outputs.PR_URL }}
+      DEPLOY_NAME: "pr${{ needs.get_info.outputs.PR_NUMBER }}"
+      DEPLOY_HOSTNAME: "pr${{ needs.get_info.outputs.PR_NUMBER }}.${{ secrets.PR_DEPLOYMENTS_DOMAIN }}"
       PR_HOSTNAME: "pr${{ needs.get_info.outputs.PR_NUMBER }}.${{ secrets.PR_DEPLOYMENTS_DOMAIN }}"
     steps:
       - name: Harden Runner
@@ -521,7 +523,7 @@ jobs:
         run: |
           set -euo pipefail
           cd .github/pr-deployments/template
-          coder templates push -y --variable "namespace=pr${PR_NUMBER}" kubernetes
+          coder templates push -y --directory . --variable "namespace=pr${PR_NUMBER}" kubernetes
 
           # Create workspace
           coder create --template="kubernetes" kube --parameter cpu=2 --parameter memory=4 --parameter home_disk_size=2 -y

.github/workflows/release.yaml

@@ -233,7 +233,7 @@ jobs:
           cat "$CODER_RELEASE_NOTES_FILE"
 
       - name: Docker Login
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -448,7 +448,7 @@ jobs:
         id: attest_base
         if: ${{ !inputs.dry_run && steps.image-base-tag.outputs.tag != '' }}
         continue-on-error: true
-        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
+        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
         with:
           subject-name: ${{ steps.image-base-tag.outputs.tag }}
           predicate-type: "https://slsa.dev/provenance/v1"
@@ -564,7 +564,7 @@ jobs:
         id: attest_main
         if: ${{ !inputs.dry_run }}
         continue-on-error: true
-        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
+        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
         with:
           subject-name: ${{ steps.build_docker.outputs.multiarch_image }}
           predicate-type: "https://slsa.dev/provenance/v1"
@@ -608,7 +608,7 @@ jobs:
         id: attest_latest
         if: ${{ !inputs.dry_run && steps.build_docker.outputs.created_latest_tag == 'true' }}
         continue-on-error: true
-        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
+        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
         with:
           subject-name: ${{ steps.latest_tag.outputs.tag }}
           predicate-type: "https://slsa.dev/provenance/v1"

agent/agent.go

@@ -12,6 +12,7 @@ import (
 	"net"
 	"net/http"
 	"net/netip"
+	"net/url"
 	"os"
 	"os/user"
 	"path/filepath"
@@ -47,7 +48,6 @@ import (
 	"github.com/coder/coder/v2/agent/boundarylogproxy"
 	"github.com/coder/coder/v2/agent/proto"
 	"github.com/coder/coder/v2/agent/proto/resourcesmonitor"
-	"github.com/coder/coder/v2/agent/reaper"
 	"github.com/coder/coder/v2/agent/reconnectingpty"
 	"github.com/coder/coder/v2/buildinfo"
 	"github.com/coder/coder/v2/cli/gitauth"
@@ -76,32 +76,6 @@ const (
 
 var ErrAgentClosing = xerrors.New("agent is closing")
 
-// readStartCount reads the start count from the well-known file.
-// Returns 0 if the file doesn't exist or can't be parsed.
-func readStartCount() int {
-	data, err := os.ReadFile(reaper.StartCountFile)
-	if err != nil {
-		return 0
-	}
-	n, err := strconv.Atoi(strings.TrimSpace(string(data)))
-	if err != nil {
-		return 0
-	}
-	return n
-}
-
-// IncrementStartCount reads the current start count, increments it,
-// writes it back, and returns the new value. This is used in the
-// systemd supervised path where the agent manages its own file
-// (as opposed to the PID 1 reaper path where the reaper does it).
-func IncrementStartCount() int {
-	count := readStartCount() + 1
-	// Best-effort write; if it fails we still return the count
-	// so the agent can report the restart.
-	_ = reaper.WriteStartCount(count)
-	return count
-}
-
 type Options struct {
 	Filesystem             afero.Fs
 	LogDir                 string
@@ -135,8 +109,8 @@ type Options struct {
 }
 
 type Client interface {
-	ConnectRPC29(ctx context.Context) (
-		proto.DRPCAgentClient29, tailnetproto.DRPCTailnetClient28, error,
+	ConnectRPC28(ctx context.Context) (
+		proto.DRPCAgentClient28, tailnetproto.DRPCTailnetClient28, error,
 	)
 	tailnet.DERPMapRewriter
 	agentsdk.RefreshableSessionTokenProvider
@@ -306,8 +280,6 @@ type agent struct {
 	reportConnectionsMu     sync.Mutex
 	reportConnections       []*proto.ReportConnectionRequest
 
-	restartReported atomic.Bool
-
 	logSender *agentsdk.LogSender
 
 	// boundaryLogProxy is a socket server that forwards boundary audit logs to coderd.
@@ -562,7 +534,7 @@ func (t *trySingleflight) Do(key string, fn func()) {
 	fn()
 }
 
-func (a *agent) reportMetadata(ctx context.Context, aAPI proto.DRPCAgentClient29) error {
+func (a *agent) reportMetadata(ctx context.Context, aAPI proto.DRPCAgentClient28) error {
 	tickerDone := make(chan struct{})
 	collectDone := make(chan struct{})
 	ctx, cancel := context.WithCancel(ctx)
@@ -777,7 +749,7 @@ func (a *agent) reportMetadata(ctx context.Context, aAPI proto.DRPCAgentClient29
 
 // reportLifecycle reports the current lifecycle state once. All state
 // changes are reported in order.
-func (a *agent) reportLifecycle(ctx context.Context, aAPI proto.DRPCAgentClient29) error {
+func (a *agent) reportLifecycle(ctx context.Context, aAPI proto.DRPCAgentClient28) error {
 	for {
 		select {
 		case <-a.lifecycleUpdate:
@@ -857,7 +829,7 @@ func (a *agent) setLifecycle(state codersdk.WorkspaceAgentLifecycle) {
 }
 
 // reportConnectionsLoop reports connections to the agent for auditing.
-func (a *agent) reportConnectionsLoop(ctx context.Context, aAPI proto.DRPCAgentClient29) error {
+func (a *agent) reportConnectionsLoop(ctx context.Context, aAPI proto.DRPCAgentClient28) error {
 	for {
 		select {
 		case <-a.reportConnectionsUpdate:
@@ -910,7 +882,7 @@ const (
 	reportConnectionBufferLimit = 2048
 )
 
-func (a *agent) reportConnection(id uuid.UUID, connectionType proto.Connection_Type, ip string) (disconnected func(code int, reason string)) {
+func (a *agent) reportConnection(id uuid.UUID, connectionType proto.Connection_Type, ip string, options ...func(*proto.Connection)) (disconnected func(code int, reason string)) {
 	// A blank IP can unfortunately happen if the connection is broken in a data race before we get to introspect it. We
 	// still report it, and the recipient can handle a blank IP.
 	if ip != "" {
@@ -941,16 +913,20 @@ func (a *agent) reportConnection(id uuid.UUID, connectionType proto.Connection_T
 			slog.F("ip", ip),
 		)
 	} else {
+		connectMsg := &proto.Connection{
+			Id:         id[:],
+			Action:     proto.Connection_CONNECT,
+			Type:       connectionType,
+			Timestamp:  timestamppb.New(time.Now()),
+			Ip:         ip,
+			StatusCode: 0,
+			Reason:     nil,
+		}
+		for _, opt := range options {
+			opt(connectMsg)
+		}
 		a.reportConnections = append(a.reportConnections, &proto.ReportConnectionRequest{
-			Connection: &proto.Connection{
-				Id:         id[:],
-				Action:     proto.Connection_CONNECT,
-				Type:       connectionType,
-				Timestamp:  timestamppb.New(time.Now()),
-				Ip:         ip,
-				StatusCode: 0,
-				Reason:     nil,
-			},
+			Connection: connectMsg,
 		})
 		select {
 		case a.reportConnectionsUpdate <- struct{}{}:
@@ -971,16 +947,20 @@ func (a *agent) reportConnection(id uuid.UUID, connectionType proto.Connection_T
 			return
 		}
 
+		disconnMsg := &proto.Connection{
+			Id:         id[:],
+			Action:     proto.Connection_DISCONNECT,
+			Type:       connectionType,
+			Timestamp:  timestamppb.New(time.Now()),
+			Ip:         ip,
+			StatusCode: int32(code), //nolint:gosec
+			Reason:     &reason,
+		}
+		for _, opt := range options {
+			opt(disconnMsg)
+		}
 		a.reportConnections = append(a.reportConnections, &proto.ReportConnectionRequest{
-			Connection: &proto.Connection{
-				Id:         id[:],
-				Action:     proto.Connection_DISCONNECT,
-				Type:       connectionType,
-				Timestamp:  timestamppb.New(time.Now()),
-				Ip:         ip,
-				StatusCode: int32(code), //nolint:gosec
-				Reason:     &reason,
-			},
+			Connection: disconnMsg,
 		})
 		select {
 		case a.reportConnectionsUpdate <- struct{}{}:
@@ -992,7 +972,7 @@ func (a *agent) reportConnection(id uuid.UUID, connectionType proto.Connection_T
 // fetchServiceBannerLoop fetches the service banner on an interval.  It will
 // not be fetched immediately; the expectation is that it is primed elsewhere
 // (and must be done before the session actually starts).
-func (a *agent) fetchServiceBannerLoop(ctx context.Context, aAPI proto.DRPCAgentClient29) error {
+func (a *agent) fetchServiceBannerLoop(ctx context.Context, aAPI proto.DRPCAgentClient28) error {
 	ticker := time.NewTicker(a.announcementBannersRefreshInterval)
 	defer ticker.Stop()
 	for {
@@ -1027,7 +1007,7 @@ func (a *agent) run() (retErr error) {
 	}
 
 	// ConnectRPC returns the dRPC connection we use for the Agent and Tailnet v2+ APIs
-	aAPI, tAPI, err := a.client.ConnectRPC29(a.hardCtx)
+	aAPI, tAPI, err := a.client.ConnectRPC28(a.hardCtx)
 	if err != nil {
 		return err
 	}
@@ -1043,44 +1023,8 @@ func (a *agent) run() (retErr error) {
 	// redial the coder server and retry.
 	connMan := newAPIConnRoutineManager(a.gracefulCtx, a.hardCtx, a.logger, aAPI, tAPI)
 
-	// Report restart to coderd if this agent was restarted by the
-	// reaper or systemd after an OOM kill or other SIGKILL event.
-	// In the reaper path, the reaper writes the start count before
-	// forking. In the systemd path, the agent increments it itself
-	// on startup. A start count > 1 means we've been restarted.
-	// We use an atomic flag to ensure we only report once per
-	// process lifetime, even if run() is called multiple times
-	// due to reconnects.
-	startCount := readStartCount()
-	if startCount > 1 && !a.restartReported.Load() {
-		// #nosec G115 - restart count is always small (< max restarts).
-		restartCount := int32(startCount - 1)
-		killSignalRaw := reaper.ReadKillSignal()
-		reason, killSignal := reaper.ParseKillSignal(killSignalRaw)
-		_, err := aAPI.ReportRestart(a.hardCtx, &proto.ReportRestartRequest{
-			RestartCount: restartCount,
-			KillSignal:   killSignal,
-			Reason:       reason,
-		})
-		if err != nil {
-			a.logger.Error(a.hardCtx, "failed to report restart to coderd",
-				slog.F("start_count", startCount),
-				slog.F("reason", reason),
-				slog.F("kill_signal", killSignal),
-				slog.Error(err),
-			)
-		} else {
-			a.restartReported.Store(true)
-			a.logger.Info(a.hardCtx, "reported restart to coderd",
-				slog.F("start_count", startCount),
-				slog.F("reason", reason),
-				slog.F("kill_signal", killSignal),
-			)
-		}
-	}
-
 	connMan.startAgentAPI("init notification banners", gracefulShutdownBehaviorStop,
-		func(ctx context.Context, aAPI proto.DRPCAgentClient29) error {
+		func(ctx context.Context, aAPI proto.DRPCAgentClient28) error {
 			bannersProto, err := aAPI.GetAnnouncementBanners(ctx, &proto.GetAnnouncementBannersRequest{})
 			if err != nil {
 				return xerrors.Errorf("fetch service banner: %w", err)
@@ -1097,7 +1041,7 @@ func (a *agent) run() (retErr error) {
 	// sending logs gets gracefulShutdownBehaviorRemain because we want to send logs generated by
 	// shutdown scripts.
 	connMan.startAgentAPI("send logs", gracefulShutdownBehaviorRemain,
-		func(ctx context.Context, aAPI proto.DRPCAgentClient29) error {
+		func(ctx context.Context, aAPI proto.DRPCAgentClient28) error {
 			err := a.logSender.SendLoop(ctx, aAPI)
 			if xerrors.Is(err, agentsdk.ErrLogLimitExceeded) {
 				// we don't want this error to tear down the API connection and propagate to the
@@ -1111,7 +1055,7 @@ func (a *agent) run() (retErr error) {
 	// Forward boundary audit logs to coderd if boundary log forwarding is enabled.
 	// These are audit logs so they should continue during graceful shutdown.
 	if a.boundaryLogProxy != nil {
-		proxyFunc := func(ctx context.Context, aAPI proto.DRPCAgentClient29) error {
+		proxyFunc := func(ctx context.Context, aAPI proto.DRPCAgentClient28) error {
 			return a.boundaryLogProxy.RunForwarder(ctx, aAPI)
 		}
 		connMan.startAgentAPI("boundary log proxy", gracefulShutdownBehaviorRemain, proxyFunc)
@@ -1125,7 +1069,7 @@ func (a *agent) run() (retErr error) {
 	connMan.startAgentAPI("report metadata", gracefulShutdownBehaviorStop, a.reportMetadata)
 
 	// resources monitor can cease as soon as we start gracefully shutting down.
-	connMan.startAgentAPI("resources monitor", gracefulShutdownBehaviorStop, func(ctx context.Context, aAPI proto.DRPCAgentClient29) error {
+	connMan.startAgentAPI("resources monitor", gracefulShutdownBehaviorStop, func(ctx context.Context, aAPI proto.DRPCAgentClient28) error {
 		logger := a.logger.Named("resources_monitor")
 		clk := quartz.NewReal()
 		config, err := aAPI.GetResourcesMonitoringConfiguration(ctx, &proto.GetResourcesMonitoringConfigurationRequest{})
@@ -1172,7 +1116,7 @@ func (a *agent) run() (retErr error) {
 	connMan.startAgentAPI("handle manifest", gracefulShutdownBehaviorStop, a.handleManifest(manifestOK))
 
 	connMan.startAgentAPI("app health reporter", gracefulShutdownBehaviorStop,
-		func(ctx context.Context, aAPI proto.DRPCAgentClient29) error {
+		func(ctx context.Context, aAPI proto.DRPCAgentClient28) error {
 			if err := manifestOK.wait(ctx); err != nil {
 				return xerrors.Errorf("no manifest: %w", err)
 			}
@@ -1205,7 +1149,7 @@ func (a *agent) run() (retErr error) {
 
 	connMan.startAgentAPI("fetch service banner loop", gracefulShutdownBehaviorStop, a.fetchServiceBannerLoop)
 
-	connMan.startAgentAPI("stats report loop", gracefulShutdownBehaviorStop, func(ctx context.Context, aAPI proto.DRPCAgentClient29) error {
+	connMan.startAgentAPI("stats report loop", gracefulShutdownBehaviorStop, func(ctx context.Context, aAPI proto.DRPCAgentClient28) error {
 		if err := networkOK.wait(ctx); err != nil {
 			return xerrors.Errorf("no network: %w", err)
 		}
@@ -1220,8 +1164,8 @@ func (a *agent) run() (retErr error) {
 }
 
 // handleManifest returns a function that fetches and processes the manifest
-func (a *agent) handleManifest(manifestOK *checkpoint) func(ctx context.Context, aAPI proto.DRPCAgentClient29) error {
-	return func(ctx context.Context, aAPI proto.DRPCAgentClient29) error {
+func (a *agent) handleManifest(manifestOK *checkpoint) func(ctx context.Context, aAPI proto.DRPCAgentClient28) error {
+	return func(ctx context.Context, aAPI proto.DRPCAgentClient28) error {
 		var (
 			sentResult = false
 			err        error
@@ -1288,19 +1232,7 @@ func (a *agent) handleManifest(manifestOK *checkpoint) func(ctx context.Context,
 		sentResult = true
 
 		// The startup script should only execute on the first run!
-		//nolint:nestif
 		if oldManifest == nil {
-			// If this is a restart after OOM kill, skip startup
-			// scripts since they already ran on the initial start.
-			// We still initialize the script runner for cron jobs
-			// and set the lifecycle to ready.
-			startCount := readStartCount()
-			if startCount > 1 {
-				a.logger.Warn(ctx, "agent was restarted, skipping startup scripts",
-					slog.F("start_count", startCount),
-				)
-			}
-
 			a.setLifecycle(codersdk.WorkspaceAgentLifecycleStarting)
 
 			// Perform overrides early so that Git auth can work even if users
@@ -1342,62 +1274,52 @@ func (a *agent) handleManifest(manifestOK *checkpoint) func(ctx context.Context,
 			if err != nil {
 				return xerrors.Errorf("init script runner: %w", err)
 			}
-			if startCount > 1 {
-				// On restart, skip startup script execution but
-				// still start the cron scheduler for ongoing tasks.
-				a.setLifecycle(codersdk.WorkspaceAgentLifecycleReady)
+			err = a.trackGoroutine(func() {
+				start := time.Now()
+				// Here we use the graceful context because the script runner is
+				// not directly tied to the agent API.
+				//
+				// First we run the start scripts to ensure the workspace has
+				// been initialized and then the post start scripts which may
+				// depend on the workspace start scripts.
+				//
+				// Measure the time immediately after the start scripts have
+				// finished (both start and post start). For instance, an
+				// autostarted devcontainer will be included in this time.
+				err := a.scriptRunner.Execute(a.gracefulCtx, agentscripts.ExecuteStartScripts)
+
 				if a.devcontainers {
+					// Start the container API after the startup scripts have
+					// been executed to ensure that the required tools can be
+					// installed.
 					a.containerAPI.Start()
+					for _, dc := range manifest.Devcontainers {
+						cErr := a.createDevcontainer(ctx, aAPI, dc, devcontainerScripts[dc.ID])
+						err = errors.Join(err, cErr)
+					}
 				}
-				a.scriptRunner.StartCron()
-			} else {
-				err = a.trackGoroutine(func() {
-					start := time.Now()
-					// Here we use the graceful context because the script runner is
-					// not directly tied to the agent API.
-					//
-					// First we run the start scripts to ensure the workspace has
-					// been initialized and then the post start scripts which may
-					// depend on the workspace start scripts.
-					//
-					// Measure the time immediately after the start scripts have
-					// finished (both start and post start). For instance, an
-					// autostarted devcontainer will be included in this time.
-					err := a.scriptRunner.Execute(a.gracefulCtx, agentscripts.ExecuteStartScripts)
 
-					if a.devcontainers {
-						// Start the container API after the startup scripts have
-						// been executed to ensure that the required tools can be
-						// installed.
-						a.containerAPI.Start()
-						for _, dc := range manifest.Devcontainers {
-							cErr := a.createDevcontainer(ctx, aAPI, dc, devcontainerScripts[dc.ID])
-							err = errors.Join(err, cErr)
-						}
-					}
-
-					dur := time.Since(start).Seconds()
-					if err != nil {
-						a.logger.Warn(ctx, "startup script(s) failed", slog.Error(err))
-						if errors.Is(err, agentscripts.ErrTimeout) {
-							a.setLifecycle(codersdk.WorkspaceAgentLifecycleStartTimeout)
-						} else {
-							a.setLifecycle(codersdk.WorkspaceAgentLifecycleStartError)
-						}
-					} else {
-						a.setLifecycle(codersdk.WorkspaceAgentLifecycleReady)
-					}
-
-					label := "false"
-					if err == nil {
-						label = "true"
-					}
-					a.metrics.startupScriptSeconds.WithLabelValues(label).Set(dur)
-					a.scriptRunner.StartCron()
-				})
+				dur := time.Since(start).Seconds()
 				if err != nil {
-					return xerrors.Errorf("track conn goroutine: %w", err)
+					a.logger.Warn(ctx, "startup script(s) failed", slog.Error(err))
+					if errors.Is(err, agentscripts.ErrTimeout) {
+						a.setLifecycle(codersdk.WorkspaceAgentLifecycleStartTimeout)
+					} else {
+						a.setLifecycle(codersdk.WorkspaceAgentLifecycleStartError)
+					}
+				} else {
+					a.setLifecycle(codersdk.WorkspaceAgentLifecycleReady)
 				}
+
+				label := "false"
+				if err == nil {
+					label = "true"
+				}
+				a.metrics.startupScriptSeconds.WithLabelValues(label).Set(dur)
+				a.scriptRunner.StartCron()
+			})
+			if err != nil {
+				return xerrors.Errorf("track conn goroutine: %w", err)
 			}
 		}
 		return nil
@@ -1406,7 +1328,7 @@ func (a *agent) handleManifest(manifestOK *checkpoint) func(ctx context.Context,
 
 func (a *agent) createDevcontainer(
 	ctx context.Context,
-	aAPI proto.DRPCAgentClient29,
+	aAPI proto.DRPCAgentClient28,
 	dc codersdk.WorkspaceAgentDevcontainer,
 	script codersdk.WorkspaceAgentScript,
 ) (err error) {
@@ -1438,8 +1360,8 @@ func (a *agent) createDevcontainer(
 
 // createOrUpdateNetwork waits for the manifest to be set using manifestOK, then creates or updates
 // the tailnet using the information in the manifest
-func (a *agent) createOrUpdateNetwork(manifestOK, networkOK *checkpoint) func(context.Context, proto.DRPCAgentClient29) error {
-	return func(ctx context.Context, aAPI proto.DRPCAgentClient29) (retErr error) {
+func (a *agent) createOrUpdateNetwork(manifestOK, networkOK *checkpoint) func(context.Context, proto.DRPCAgentClient28) error {
+	return func(ctx context.Context, aAPI proto.DRPCAgentClient28) (retErr error) {
 		if err := manifestOK.wait(ctx); err != nil {
 			return xerrors.Errorf("no manifest: %w", err)
 		}
@@ -1464,6 +1386,8 @@ func (a *agent) createOrUpdateNetwork(manifestOK, networkOK *checkpoint) func(co
 				manifest.DERPForceWebSockets,
 				manifest.DisableDirectConnections,
 				keySeed,
+				manifest.WorkspaceName,
+				manifest.Apps,
 			)
 			if err != nil {
 				return xerrors.Errorf("create tailnet: %w", err)
@@ -1612,12 +1536,39 @@ func (a *agent) trackGoroutine(fn func()) error {
 	return nil
 }
 
+// appPortFromURL extracts the port from a workspace app URL,
+// defaulting to 80/443 by scheme.
+func appPortFromURL(rawURL string) uint16 {
+	u, err := url.Parse(rawURL)
+	if err != nil {
+		return 0
+	}
+	p := u.Port()
+	if p == "" {
+		switch u.Scheme {
+		case "http":
+			return 80
+		case "https":
+			return 443
+		default:
+			return 0
+		}
+	}
+	port, err := strconv.ParseUint(p, 10, 16)
+	if err != nil {
+		return 0
+	}
+	return uint16(port)
+}
+
 func (a *agent) createTailnet(
 	ctx context.Context,
 	agentID uuid.UUID,
 	derpMap *tailcfg.DERPMap,
 	derpForceWebSockets, disableDirectConnections bool,
 	keySeed int64,
+	workspaceName string,
+	apps []codersdk.WorkspaceApp,
 ) (_ *tailnet.Conn, err error) {
 	// Inject `CODER_AGENT_HEADER` into the DERP header.
 	var header http.Header
@@ -1626,6 +1577,18 @@ func (a *agent) createTailnet(
 			header = headerTransport.Header
 		}
 	}
+
+	// Build port-to-app mapping for workspace app connection tracking
+	// via the tailnet callback.
+	portToApp := make(map[uint16]codersdk.WorkspaceApp)
+	for _, app := range apps {
+		port := appPortFromURL(app.URL)
+		if port == 0 || app.External {
+			continue
+		}
+		portToApp[port] = app
+	}
+
 	network, err := tailnet.NewConn(&tailnet.Options{
 		ID:                  agentID,
 		Addresses:           a.wireguardAddresses(agentID),
@@ -1635,6 +1598,27 @@ func (a *agent) createTailnet(
 		Logger:              a.logger.Named("net.tailnet"),
 		ListenPort:          a.tailnetListenPort,
 		BlockEndpoints:      disableDirectConnections,
+		ShortDescription:    "Workspace Agent",
+		Hostname:            workspaceName,
+		TCPConnCallback: func(src, dst netip.AddrPort) (disconnected func(int, string)) {
+			app, ok := portToApp[dst.Port()]
+			connType := proto.Connection_PORT_FORWARDING
+			slugOrPort := strconv.Itoa(int(dst.Port()))
+			if ok {
+				connType = proto.Connection_WORKSPACE_APP
+				if app.Slug != "" {
+					slugOrPort = app.Slug
+				}
+			}
+			return a.reportConnection(
+				uuid.New(),
+				connType,
+				src.String(),
+				func(c *proto.Connection) {
+					c.SlugOrPort = &slugOrPort
+				},
+			)
+		},
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("create tailnet: %w", err)
@@ -2058,11 +2042,6 @@ func (a *agent) Close() error {
 	a.logger.Info(a.hardCtx, "shutting down agent")
 	a.setLifecycle(codersdk.WorkspaceAgentLifecycleShuttingDown)
 
-	// Clear restart state files on graceful shutdown so the next
-	// start doesn't incorrectly think it's a restart after a
-	// crash.
-	reaper.ClearRestartState()
-
 	// Attempt to gracefully shut down all active SSH connections and
 	// stop accepting new ones. If all processes have not exited after 5
 	// seconds, we just log it and move on as it's more important to run
@@ -2238,7 +2217,7 @@ const (
 
 type apiConnRoutineManager struct {
 	logger    slog.Logger
-	aAPI      proto.DRPCAgentClient29
+	aAPI      proto.DRPCAgentClient28
 	tAPI      tailnetproto.DRPCTailnetClient28
 	eg        *errgroup.Group
 	stopCtx   context.Context
@@ -2247,7 +2226,7 @@ type apiConnRoutineManager struct {
 
 func newAPIConnRoutineManager(
 	gracefulCtx, hardCtx context.Context, logger slog.Logger,
-	aAPI proto.DRPCAgentClient29, tAPI tailnetproto.DRPCTailnetClient28,
+	aAPI proto.DRPCAgentClient28, tAPI tailnetproto.DRPCTailnetClient28,
 ) *apiConnRoutineManager {
 	// routines that remain in operation during graceful shutdown use the remainCtx.  They'll still
 	// exit if the errgroup hits an error, which usually means a problem with the conn.
@@ -2280,7 +2259,7 @@ func newAPIConnRoutineManager(
 // but for Tailnet.
 func (a *apiConnRoutineManager) startAgentAPI(
 	name string, behavior gracefulShutdownBehavior,
-	f func(context.Context, proto.DRPCAgentClient29) error,
+	f func(context.Context, proto.DRPCAgentClient28) error,
 ) {
 	logger := a.logger.With(slog.F("name", name))
 	var ctx context.Context

agent/agent_test.go

@@ -2843,6 +2843,102 @@ func TestAgent_Dial(t *testing.T) {
 	}
 }
 
+// TestAgent_PortForwardConnectionType verifies connection
+// type classification for forwarded TCP connections.
+func TestAgent_PortForwardConnectionType(t *testing.T) {
+	t.Parallel()
+
+	// Start a TCP echo server for the "app" port.
+	appListener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	t.Cleanup(func() { _ = appListener.Close() })
+	appPort := appListener.Addr().(*net.TCPAddr).Port
+
+	// Start a TCP echo server for a non-app port.
+	nonAppListener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	t.Cleanup(func() { _ = nonAppListener.Close() })
+	nonAppPort := nonAppListener.Addr().(*net.TCPAddr).Port
+
+	echoOnce := func(l net.Listener) <-chan struct{} {
+		done := make(chan struct{})
+		go func() {
+			defer close(done)
+			c, err := l.Accept()
+			if err != nil {
+				return
+			}
+			defer c.Close()
+			_, _ = io.Copy(c, c)
+		}()
+		return done
+	}
+
+	ctx := testutil.Context(t, testutil.WaitLong)
+
+	//nolint:dogsled
+	agentConn, agentClient, _, _, _ := setupAgent(t, agentsdk.Manifest{
+		Apps: []codersdk.WorkspaceApp{
+			{
+				ID:           uuid.New(),
+				Slug:         "myapp",
+				URL:          fmt.Sprintf("http://localhost:%d", appPort),
+				SharingLevel: codersdk.WorkspaceAppSharingLevelOwner,
+				Health:       codersdk.WorkspaceAppHealthDisabled,
+			},
+		},
+	}, 0)
+	require.True(t, agentConn.AwaitReachable(ctx))
+
+	// Phase 1: Connect to the app port, expect WORKSPACE_APP.
+	appDone := echoOnce(appListener)
+	conn, err := agentConn.DialContext(ctx, "tcp", appListener.Addr().String())
+	require.NoError(t, err)
+	testDial(ctx, t, conn)
+	_ = conn.Close()
+	<-appDone
+
+	var reports []*proto.ReportConnectionRequest
+	require.Eventually(t, func() bool {
+		reports = agentClient.GetConnectionReports()
+		return len(reports) >= 2
+	}, testutil.WaitMedium, testutil.IntervalFast,
+		"waiting for 2 connection reports for workspace app",
+	)
+
+	require.Equal(t, proto.Connection_CONNECT, reports[0].GetConnection().GetAction())
+	require.Equal(t, proto.Connection_WORKSPACE_APP, reports[0].GetConnection().GetType())
+	require.Equal(t, "myapp", reports[0].GetConnection().GetSlugOrPort())
+
+	require.Equal(t, proto.Connection_DISCONNECT, reports[1].GetConnection().GetAction())
+	require.Equal(t, proto.Connection_WORKSPACE_APP, reports[1].GetConnection().GetType())
+	require.Equal(t, "myapp", reports[1].GetConnection().GetSlugOrPort())
+
+	// Phase 2: Connect to the non-app port, expect PORT_FORWARDING.
+	nonAppDone := echoOnce(nonAppListener)
+	conn, err = agentConn.DialContext(ctx, "tcp", nonAppListener.Addr().String())
+	require.NoError(t, err)
+	testDial(ctx, t, conn)
+	_ = conn.Close()
+	<-nonAppDone
+
+	nonAppPortStr := strconv.Itoa(nonAppPort)
+	require.Eventually(t, func() bool {
+		reports = agentClient.GetConnectionReports()
+		return len(reports) >= 4
+	}, testutil.WaitMedium, testutil.IntervalFast,
+		"waiting for 4 connection reports total",
+	)
+
+	require.Equal(t, proto.Connection_CONNECT, reports[2].GetConnection().GetAction())
+	require.Equal(t, proto.Connection_PORT_FORWARDING, reports[2].GetConnection().GetType())
+	require.Equal(t, nonAppPortStr, reports[2].GetConnection().GetSlugOrPort())
+
+	require.Equal(t, proto.Connection_DISCONNECT, reports[3].GetConnection().GetAction())
+	require.Equal(t, proto.Connection_PORT_FORWARDING, reports[3].GetConnection().GetType())
+	require.Equal(t, nonAppPortStr, reports[3].GetConnection().GetSlugOrPort())
+}
+
 // TestAgent_UpdatedDERP checks that agents can handle their DERP map being
 // updated, and that clients can also handle it.
 func TestAgent_UpdatedDERP(t *testing.T) {

agent/agentcontainers/subagent_test.go

@@ -81,7 +81,7 @@ func TestSubAgentClient_CreateWithDisplayApps(t *testing.T) {
 
 				agentAPI := agenttest.NewClient(t, logger, uuid.New(), agentsdk.Manifest{}, statsCh, tailnet.NewCoordinator(logger))
 
-				agentClient, _, err := agentAPI.ConnectRPC29(ctx)
+				agentClient, _, err := agentAPI.ConnectRPC28(ctx)
 				require.NoError(t, err)
 
 				subAgentClient := agentcontainers.NewSubAgentClientFromAPI(logger, agentClient)
@@ -245,7 +245,7 @@ func TestSubAgentClient_CreateWithDisplayApps(t *testing.T) {
 
 				agentAPI := agenttest.NewClient(t, logger, uuid.New(), agentsdk.Manifest{}, statsCh, tailnet.NewCoordinator(logger))
 
-				agentClient, _, err := agentAPI.ConnectRPC29(ctx)
+				agentClient, _, err := agentAPI.ConnectRPC28(ctx)
 				require.NoError(t, err)
 
 				subAgentClient := agentcontainers.NewSubAgentClientFromAPI(logger, agentClient)

agent/agentsocket/proto/agentsocket.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.30.0
-// 	protoc        v4.23.4
+// 	protoc-gen-go v1.36.11
+// 	protoc        v6.33.1
 // source: agent/agentsocket/proto/agentsocket.proto
 
 package proto
@@ -11,6 +11,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -21,18 +22,16 @@ const (
 )
 
 type PingRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
+	state         protoimpl.MessageState `protogen:"open.v1"`
 	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *PingRequest) Reset() {
 	*x = PingRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *PingRequest) String() string {
@@ -43,7 +42,7 @@ func (*PingRequest) ProtoMessage() {}
 
 func (x *PingRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -59,18 +58,16 @@ func (*PingRequest) Descriptor() ([]byte, []int) {
 }
 
 type PingResponse struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
+	state         protoimpl.MessageState `protogen:"open.v1"`
 	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *PingResponse) Reset() {
 	*x = PingResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *PingResponse) String() string {
@@ -81,7 +78,7 @@ func (*PingResponse) ProtoMessage() {}
 
 func (x *PingResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -97,20 +94,17 @@ func (*PingResponse) Descriptor() ([]byte, []int) {
 }
 
 type SyncStartRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Unit          string                 `protobuf:"bytes,1,opt,name=unit,proto3" json:"unit,omitempty"`
 	unknownFields protoimpl.UnknownFields
-
-	Unit string `protobuf:"bytes,1,opt,name=unit,proto3" json:"unit,omitempty"`
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *SyncStartRequest) Reset() {
 	*x = SyncStartRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SyncStartRequest) String() string {
@@ -121,7 +115,7 @@ func (*SyncStartRequest) ProtoMessage() {}
 
 func (x *SyncStartRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -144,18 +138,16 @@ func (x *SyncStartRequest) GetUnit() string {
 }
 
 type SyncStartResponse struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
+	state         protoimpl.MessageState `protogen:"open.v1"`
 	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *SyncStartResponse) Reset() {
 	*x = SyncStartResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SyncStartResponse) String() string {
@@ -166,7 +158,7 @@ func (*SyncStartResponse) ProtoMessage() {}
 
 func (x *SyncStartResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -182,21 +174,18 @@ func (*SyncStartResponse) Descriptor() ([]byte, []int) {
 }
 
 type SyncWantRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Unit          string                 `protobuf:"bytes,1,opt,name=unit,proto3" json:"unit,omitempty"`
+	DependsOn     string                 `protobuf:"bytes,2,opt,name=depends_on,json=dependsOn,proto3" json:"depends_on,omitempty"`
 	unknownFields protoimpl.UnknownFields
-
-	Unit      string `protobuf:"bytes,1,opt,name=unit,proto3" json:"unit,omitempty"`
-	DependsOn string `protobuf:"bytes,2,opt,name=depends_on,json=dependsOn,proto3" json:"depends_on,omitempty"`
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *SyncWantRequest) Reset() {
 	*x = SyncWantRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SyncWantRequest) String() string {
@@ -207,7 +196,7 @@ func (*SyncWantRequest) ProtoMessage() {}
 
 func (x *SyncWantRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -237,18 +226,16 @@ func (x *SyncWantRequest) GetDependsOn() string {
 }
 
 type SyncWantResponse struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
+	state         protoimpl.MessageState `protogen:"open.v1"`
 	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *SyncWantResponse) Reset() {
 	*x = SyncWantResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SyncWantResponse) String() string {
@@ -259,7 +246,7 @@ func (*SyncWantResponse) ProtoMessage() {}
 
 func (x *SyncWantResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -275,20 +262,17 @@ func (*SyncWantResponse) Descriptor() ([]byte, []int) {
 }
 
 type SyncCompleteRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Unit          string                 `protobuf:"bytes,1,opt,name=unit,proto3" json:"unit,omitempty"`
 	unknownFields protoimpl.UnknownFields
-
-	Unit string `protobuf:"bytes,1,opt,name=unit,proto3" json:"unit,omitempty"`
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *SyncCompleteRequest) Reset() {
 	*x = SyncCompleteRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[6]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SyncCompleteRequest) String() string {
@@ -299,7 +283,7 @@ func (*SyncCompleteRequest) ProtoMessage() {}
 
 func (x *SyncCompleteRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[6]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -322,18 +306,16 @@ func (x *SyncCompleteRequest) GetUnit() string {
 }
 
 type SyncCompleteResponse struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
+	state         protoimpl.MessageState `protogen:"open.v1"`
 	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *SyncCompleteResponse) Reset() {
 	*x = SyncCompleteResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[7]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SyncCompleteResponse) String() string {
@@ -344,7 +326,7 @@ func (*SyncCompleteResponse) ProtoMessage() {}
 
 func (x *SyncCompleteResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[7]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -360,20 +342,17 @@ func (*SyncCompleteResponse) Descriptor() ([]byte, []int) {
 }
 
 type SyncReadyRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Unit          string                 `protobuf:"bytes,1,opt,name=unit,proto3" json:"unit,omitempty"`
 	unknownFields protoimpl.UnknownFields
-
-	Unit string `protobuf:"bytes,1,opt,name=unit,proto3" json:"unit,omitempty"`
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *SyncReadyRequest) Reset() {
 	*x = SyncReadyRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[8]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[8]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SyncReadyRequest) String() string {
@@ -384,7 +363,7 @@ func (*SyncReadyRequest) ProtoMessage() {}
 
 func (x *SyncReadyRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[8]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -407,20 +386,17 @@ func (x *SyncReadyRequest) GetUnit() string {
 }
 
 type SyncReadyResponse struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Ready         bool                   `protobuf:"varint,1,opt,name=ready,proto3" json:"ready,omitempty"`
 	unknownFields protoimpl.UnknownFields
-
-	Ready bool `protobuf:"varint,1,opt,name=ready,proto3" json:"ready,omitempty"`
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *SyncReadyResponse) Reset() {
 	*x = SyncReadyResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[9]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[9]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SyncReadyResponse) String() string {
@@ -431,7 +407,7 @@ func (*SyncReadyResponse) ProtoMessage() {}
 
 func (x *SyncReadyResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[9]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -454,20 +430,17 @@ func (x *SyncReadyResponse) GetReady() bool {
 }
 
 type SyncStatusRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Unit          string                 `protobuf:"bytes,1,opt,name=unit,proto3" json:"unit,omitempty"`
 	unknownFields protoimpl.UnknownFields
-
-	Unit string `protobuf:"bytes,1,opt,name=unit,proto3" json:"unit,omitempty"`
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *SyncStatusRequest) Reset() {
 	*x = SyncStatusRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[10]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[10]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SyncStatusRequest) String() string {
@@ -478,7 +451,7 @@ func (*SyncStatusRequest) ProtoMessage() {}
 
 func (x *SyncStatusRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[10]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -501,24 +474,21 @@ func (x *SyncStatusRequest) GetUnit() string {
 }
 
 type DependencyInfo struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Unit           string `protobuf:"bytes,1,opt,name=unit,proto3" json:"unit,omitempty"`
-	DependsOn      string `protobuf:"bytes,2,opt,name=depends_on,json=dependsOn,proto3" json:"depends_on,omitempty"`
-	RequiredStatus string `protobuf:"bytes,3,opt,name=required_status,json=requiredStatus,proto3" json:"required_status,omitempty"`
-	CurrentStatus  string `protobuf:"bytes,4,opt,name=current_status,json=currentStatus,proto3" json:"current_status,omitempty"`
-	IsSatisfied    bool   `protobuf:"varint,5,opt,name=is_satisfied,json=isSatisfied,proto3" json:"is_satisfied,omitempty"`
+	state          protoimpl.MessageState `protogen:"open.v1"`
+	Unit           string                 `protobuf:"bytes,1,opt,name=unit,proto3" json:"unit,omitempty"`
+	DependsOn      string                 `protobuf:"bytes,2,opt,name=depends_on,json=dependsOn,proto3" json:"depends_on,omitempty"`
+	RequiredStatus string                 `protobuf:"bytes,3,opt,name=required_status,json=requiredStatus,proto3" json:"required_status,omitempty"`
+	CurrentStatus  string                 `protobuf:"bytes,4,opt,name=current_status,json=currentStatus,proto3" json:"current_status,omitempty"`
+	IsSatisfied    bool                   `protobuf:"varint,5,opt,name=is_satisfied,json=isSatisfied,proto3" json:"is_satisfied,omitempty"`
+	unknownFields  protoimpl.UnknownFields
+	sizeCache      protoimpl.SizeCache
 }
 
 func (x *DependencyInfo) Reset() {
 	*x = DependencyInfo{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[11]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[11]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *DependencyInfo) String() string {
@@ -529,7 +499,7 @@ func (*DependencyInfo) ProtoMessage() {}
 
 func (x *DependencyInfo) ProtoReflect() protoreflect.Message {
 	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[11]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -580,22 +550,19 @@ func (x *DependencyInfo) GetIsSatisfied() bool {
 }
 
 type SyncStatusResponse struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Status        string                 `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"`
+	IsReady       bool                   `protobuf:"varint,2,opt,name=is_ready,json=isReady,proto3" json:"is_ready,omitempty"`
+	Dependencies  []*DependencyInfo      `protobuf:"bytes,3,rep,name=dependencies,proto3" json:"dependencies,omitempty"`
 	unknownFields protoimpl.UnknownFields
-
-	Status       string            `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"`
-	IsReady      bool              `protobuf:"varint,2,opt,name=is_ready,json=isReady,proto3" json:"is_ready,omitempty"`
-	Dependencies []*DependencyInfo `protobuf:"bytes,3,rep,name=dependencies,proto3" json:"dependencies,omitempty"`
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *SyncStatusResponse) Reset() {
 	*x = SyncStatusResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[12]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[12]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SyncStatusResponse) String() string {
@@ -606,7 +573,7 @@ func (*SyncStatusResponse) ProtoMessage() {}
 
 func (x *SyncStatusResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_agent_agentsocket_proto_agentsocket_proto_msgTypes[12]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -644,111 +611,62 @@ func (x *SyncStatusResponse) GetDependencies() []*DependencyInfo {
 
 var File_agent_agentsocket_proto_agentsocket_proto protoreflect.FileDescriptor
 
-var file_agent_agentsocket_proto_agentsocket_proto_rawDesc = []byte{
-	0x0a, 0x29, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x6f, 0x63,
-	0x6b, 0x65, 0x74, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x73,
-	0x6f, 0x63, 0x6b, 0x65, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x14, 0x63, 0x6f, 0x64,
-	0x65, 0x72, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x2e, 0x76,
-	0x31, 0x22, 0x0d, 0x0a, 0x0b, 0x50, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x22, 0x0e, 0x0a, 0x0c, 0x50, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
-	0x22, 0x26, 0x0a, 0x10, 0x53, 0x79, 0x6e, 0x63, 0x53, 0x74, 0x61, 0x72, 0x74, 0x52, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x6e, 0x69, 0x74, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x04, 0x75, 0x6e, 0x69, 0x74, 0x22, 0x13, 0x0a, 0x11, 0x53, 0x79, 0x6e, 0x63,
-	0x53, 0x74, 0x61, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x44, 0x0a,
-	0x0f, 0x53, 0x79, 0x6e, 0x63, 0x57, 0x61, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x12, 0x12, 0x0a, 0x04, 0x75, 0x6e, 0x69, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
-	0x75, 0x6e, 0x69, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x64, 0x65, 0x70, 0x65, 0x6e, 0x64, 0x73, 0x5f,
-	0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x64, 0x65, 0x70, 0x65, 0x6e, 0x64,
-	0x73, 0x4f, 0x6e, 0x22, 0x12, 0x0a, 0x10, 0x53, 0x79, 0x6e, 0x63, 0x57, 0x61, 0x6e, 0x74, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x29, 0x0a, 0x13, 0x53, 0x79, 0x6e, 0x63, 0x43,
-	0x6f, 0x6d, 0x70, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x12,
-	0x0a, 0x04, 0x75, 0x6e, 0x69, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x6e,
-	0x69, 0x74, 0x22, 0x16, 0x0a, 0x14, 0x53, 0x79, 0x6e, 0x63, 0x43, 0x6f, 0x6d, 0x70, 0x6c, 0x65,
-	0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x26, 0x0a, 0x10, 0x53, 0x79,
-	0x6e, 0x63, 0x52, 0x65, 0x61, 0x64, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x12,
-	0x0a, 0x04, 0x75, 0x6e, 0x69, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x6e,
-	0x69, 0x74, 0x22, 0x29, 0x0a, 0x11, 0x53, 0x79, 0x6e, 0x63, 0x52, 0x65, 0x61, 0x64, 0x79, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79, 0x22, 0x27, 0x0a,
-	0x11, 0x53, 0x79, 0x6e, 0x63, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x6e, 0x69, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x04, 0x75, 0x6e, 0x69, 0x74, 0x22, 0xb6, 0x01, 0x0a, 0x0e, 0x44, 0x65, 0x70, 0x65, 0x6e,
-	0x64, 0x65, 0x6e, 0x63, 0x79, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x6e, 0x69,
-	0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x6e, 0x69, 0x74, 0x12, 0x1d, 0x0a,
-	0x0a, 0x64, 0x65, 0x70, 0x65, 0x6e, 0x64, 0x73, 0x5f, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x09, 0x64, 0x65, 0x70, 0x65, 0x6e, 0x64, 0x73, 0x4f, 0x6e, 0x12, 0x27, 0x0a, 0x0f,
-	0x72, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x64, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18,
-	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x72, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x64, 0x53,
-	0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x74,
-	0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x63,
-	0x75, 0x72, 0x72, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x21, 0x0a, 0x0c,
-	0x69, 0x73, 0x5f, 0x73, 0x61, 0x74, 0x69, 0x73, 0x66, 0x69, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01,
-	0x28, 0x08, 0x52, 0x0b, 0x69, 0x73, 0x53, 0x61, 0x74, 0x69, 0x73, 0x66, 0x69, 0x65, 0x64, 0x22,
-	0x91, 0x01, 0x0a, 0x12, 0x53, 0x79, 0x6e, 0x63, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x19,
-	0x0a, 0x08, 0x69, 0x73, 0x5f, 0x72, 0x65, 0x61, 0x64, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08,
-	0x52, 0x07, 0x69, 0x73, 0x52, 0x65, 0x61, 0x64, 0x79, 0x12, 0x48, 0x0a, 0x0c, 0x64, 0x65, 0x70,
-	0x65, 0x6e, 0x64, 0x65, 0x6e, 0x63, 0x69, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32,
-	0x24, 0x2e, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x6f, 0x63,
-	0x6b, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x70, 0x65, 0x6e, 0x64, 0x65, 0x6e, 0x63,
-	0x79, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x0c, 0x64, 0x65, 0x70, 0x65, 0x6e, 0x64, 0x65, 0x6e, 0x63,
-	0x69, 0x65, 0x73, 0x32, 0xbb, 0x04, 0x0a, 0x0b, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x53, 0x6f, 0x63,
-	0x6b, 0x65, 0x74, 0x12, 0x4d, 0x0a, 0x04, 0x50, 0x69, 0x6e, 0x67, 0x12, 0x21, 0x2e, 0x63, 0x6f,
-	0x64, 0x65, 0x72, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x2e,
-	0x76, 0x31, 0x2e, 0x50, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22,
-	0x2e, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x6f, 0x63, 0x6b,
-	0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
-	0x73, 0x65, 0x12, 0x5c, 0x0a, 0x09, 0x53, 0x79, 0x6e, 0x63, 0x53, 0x74, 0x61, 0x72, 0x74, 0x12,
-	0x26, 0x2e, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x6f, 0x63,
-	0x6b, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x53, 0x74, 0x61, 0x72, 0x74,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x27, 0x2e, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x2e,
-	0x61, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53,
-	0x79, 0x6e, 0x63, 0x53, 0x74, 0x61, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
-	0x12, 0x59, 0x0a, 0x08, 0x53, 0x79, 0x6e, 0x63, 0x57, 0x61, 0x6e, 0x74, 0x12, 0x25, 0x2e, 0x63,
-	0x6f, 0x64, 0x65, 0x72, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74,
-	0x2e, 0x76, 0x31, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x57, 0x61, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x2e, 0x61, 0x67, 0x65, 0x6e,
-	0x74, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x57,
-	0x61, 0x6e, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x65, 0x0a, 0x0c, 0x53,
-	0x79, 0x6e, 0x63, 0x43, 0x6f, 0x6d, 0x70, 0x6c, 0x65, 0x74, 0x65, 0x12, 0x29, 0x2e, 0x63, 0x6f,
-	0x64, 0x65, 0x72, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x2e,
-	0x76, 0x31, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x43, 0x6f, 0x6d, 0x70, 0x6c, 0x65, 0x74, 0x65, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2a, 0x2e, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x2e, 0x61,
-	0x67, 0x65, 0x6e, 0x74, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x79,
-	0x6e, 0x63, 0x43, 0x6f, 0x6d, 0x70, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
-	0x73, 0x65, 0x12, 0x5c, 0x0a, 0x09, 0x53, 0x79, 0x6e, 0x63, 0x52, 0x65, 0x61, 0x64, 0x79, 0x12,
-	0x26, 0x2e, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x6f, 0x63,
-	0x6b, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x52, 0x65, 0x61, 0x64, 0x79,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x27, 0x2e, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x2e,
-	0x61, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53,
-	0x79, 0x6e, 0x63, 0x52, 0x65, 0x61, 0x64, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
-	0x12, 0x5f, 0x0a, 0x0a, 0x53, 0x79, 0x6e, 0x63, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x27,
-	0x2e, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x6f, 0x63, 0x6b,
-	0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x28, 0x2e, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x2e,
-	0x61, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53,
-	0x79, 0x6e, 0x63, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x42, 0x33, 0x5a, 0x31, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
-	0x63, 0x6f, 0x64, 0x65, 0x72, 0x2f, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x2f, 0x76, 0x32, 0x2f, 0x61,
-	0x67, 0x65, 0x6e, 0x74, 0x2f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74,
-	0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_agent_agentsocket_proto_agentsocket_proto_rawDesc = "" +
+	"\n" +
+	")agent/agentsocket/proto/agentsocket.proto\x12\x14coder.agentsocket.v1\"\r\n" +
+	"\vPingRequest\"\x0e\n" +
+	"\fPingResponse\"&\n" +
+	"\x10SyncStartRequest\x12\x12\n" +
+	"\x04unit\x18\x01 \x01(\tR\x04unit\"\x13\n" +
+	"\x11SyncStartResponse\"D\n" +
+	"\x0fSyncWantRequest\x12\x12\n" +
+	"\x04unit\x18\x01 \x01(\tR\x04unit\x12\x1d\n" +
+	"\n" +
+	"depends_on\x18\x02 \x01(\tR\tdependsOn\"\x12\n" +
+	"\x10SyncWantResponse\")\n" +
+	"\x13SyncCompleteRequest\x12\x12\n" +
+	"\x04unit\x18\x01 \x01(\tR\x04unit\"\x16\n" +
+	"\x14SyncCompleteResponse\"&\n" +
+	"\x10SyncReadyRequest\x12\x12\n" +
+	"\x04unit\x18\x01 \x01(\tR\x04unit\")\n" +
+	"\x11SyncReadyResponse\x12\x14\n" +
+	"\x05ready\x18\x01 \x01(\bR\x05ready\"'\n" +
+	"\x11SyncStatusRequest\x12\x12\n" +
+	"\x04unit\x18\x01 \x01(\tR\x04unit\"\xb6\x01\n" +
+	"\x0eDependencyInfo\x12\x12\n" +
+	"\x04unit\x18\x01 \x01(\tR\x04unit\x12\x1d\n" +
+	"\n" +
+	"depends_on\x18\x02 \x01(\tR\tdependsOn\x12'\n" +
+	"\x0frequired_status\x18\x03 \x01(\tR\x0erequiredStatus\x12%\n" +
+	"\x0ecurrent_status\x18\x04 \x01(\tR\rcurrentStatus\x12!\n" +
+	"\fis_satisfied\x18\x05 \x01(\bR\visSatisfied\"\x91\x01\n" +
+	"\x12SyncStatusResponse\x12\x16\n" +
+	"\x06status\x18\x01 \x01(\tR\x06status\x12\x19\n" +
+	"\bis_ready\x18\x02 \x01(\bR\aisReady\x12H\n" +
+	"\fdependencies\x18\x03 \x03(\v2$.coder.agentsocket.v1.DependencyInfoR\fdependencies2\xbb\x04\n" +
+	"\vAgentSocket\x12M\n" +
+	"\x04Ping\x12!.coder.agentsocket.v1.PingRequest\x1a\".coder.agentsocket.v1.PingResponse\x12\\\n" +
+	"\tSyncStart\x12&.coder.agentsocket.v1.SyncStartRequest\x1a'.coder.agentsocket.v1.SyncStartResponse\x12Y\n" +
+	"\bSyncWant\x12%.coder.agentsocket.v1.SyncWantRequest\x1a&.coder.agentsocket.v1.SyncWantResponse\x12e\n" +
+	"\fSyncComplete\x12).coder.agentsocket.v1.SyncCompleteRequest\x1a*.coder.agentsocket.v1.SyncCompleteResponse\x12\\\n" +
+	"\tSyncReady\x12&.coder.agentsocket.v1.SyncReadyRequest\x1a'.coder.agentsocket.v1.SyncReadyResponse\x12_\n" +
+	"\n" +
+	"SyncStatus\x12'.coder.agentsocket.v1.SyncStatusRequest\x1a(.coder.agentsocket.v1.SyncStatusResponseB3Z1github.com/coder/coder/v2/agent/agentsocket/protob\x06proto3"
 
 var (
 	file_agent_agentsocket_proto_agentsocket_proto_rawDescOnce sync.Once
-	file_agent_agentsocket_proto_agentsocket_proto_rawDescData = file_agent_agentsocket_proto_agentsocket_proto_rawDesc
+	file_agent_agentsocket_proto_agentsocket_proto_rawDescData []byte
 )
 
 func file_agent_agentsocket_proto_agentsocket_proto_rawDescGZIP() []byte {
 	file_agent_agentsocket_proto_agentsocket_proto_rawDescOnce.Do(func() {
-		file_agent_agentsocket_proto_agentsocket_proto_rawDescData = protoimpl.X.CompressGZIP(file_agent_agentsocket_proto_agentsocket_proto_rawDescData)
+		file_agent_agentsocket_proto_agentsocket_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_agent_agentsocket_proto_agentsocket_proto_rawDesc), len(file_agent_agentsocket_proto_agentsocket_proto_rawDesc)))
 	})
 	return file_agent_agentsocket_proto_agentsocket_proto_rawDescData
 }
 
 var file_agent_agentsocket_proto_agentsocket_proto_msgTypes = make([]protoimpl.MessageInfo, 13)
-var file_agent_agentsocket_proto_agentsocket_proto_goTypes = []interface{}{
+var file_agent_agentsocket_proto_agentsocket_proto_goTypes = []any{
 	(*PingRequest)(nil),          // 0: coder.agentsocket.v1.PingRequest
 	(*PingResponse)(nil),         // 1: coder.agentsocket.v1.PingResponse
 	(*SyncStartRequest)(nil),     // 2: coder.agentsocket.v1.SyncStartRequest
@@ -789,169 +707,11 @@ func file_agent_agentsocket_proto_agentsocket_proto_init() {
 	if File_agent_agentsocket_proto_agentsocket_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_agent_agentsocket_proto_agentsocket_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*PingRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_agent_agentsocket_proto_agentsocket_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*PingResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_agent_agentsocket_proto_agentsocket_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncStartRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_agent_agentsocket_proto_agentsocket_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncStartResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_agent_agentsocket_proto_agentsocket_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncWantRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_agent_agentsocket_proto_agentsocket_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncWantResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_agent_agentsocket_proto_agentsocket_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncCompleteRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_agent_agentsocket_proto_agentsocket_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncCompleteResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_agent_agentsocket_proto_agentsocket_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncReadyRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_agent_agentsocket_proto_agentsocket_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncReadyResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_agent_agentsocket_proto_agentsocket_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncStatusRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_agent_agentsocket_proto_agentsocket_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*DependencyInfo); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_agent_agentsocket_proto_agentsocket_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncStatusResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_agent_agentsocket_proto_agentsocket_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_agent_agentsocket_proto_agentsocket_proto_rawDesc), len(file_agent_agentsocket_proto_agentsocket_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   13,
 			NumExtensions: 0,
@@ -962,7 +722,6 @@ func file_agent_agentsocket_proto_agentsocket_proto_init() {
 		MessageInfos:      file_agent_agentsocket_proto_agentsocket_proto_msgTypes,
 	}.Build()
 	File_agent_agentsocket_proto_agentsocket_proto = out.File
-	file_agent_agentsocket_proto_agentsocket_proto_rawDesc = nil
 	file_agent_agentsocket_proto_agentsocket_proto_goTypes = nil
 	file_agent_agentsocket_proto_agentsocket_proto_depIdxs = nil
 }

agent/agentssh/x11_test.go

@@ -131,6 +131,7 @@ func TestServer_X11(t *testing.T) {
 
 func TestServer_X11_EvictionLRU(t *testing.T) {
 	t.Parallel()
+	t.Skip("Flaky test, times out in CI")
 	if runtime.GOOS != "linux" {
 		t.Skip("X11 forwarding is only supported on Linux")
 	}

agent/agenttest/client.go

@@ -124,8 +124,8 @@ func (c *Client) Close() {
 	c.derpMapOnce.Do(func() { close(c.derpMapUpdates) })
 }
 
-func (c *Client) ConnectRPC29(ctx context.Context) (
-	agentproto.DRPCAgentClient29, proto.DRPCTailnetClient28, error,
+func (c *Client) ConnectRPC28(ctx context.Context) (
+	agentproto.DRPCAgentClient28, proto.DRPCTailnetClient28, error,
 ) {
 	conn, lis := drpcsdk.MemTransportPipe()
 	c.LastWorkspaceAgent = func() {
@@ -408,9 +408,6 @@ func (f *FakeAgentAPI) ReportConnection(_ context.Context, req *agentproto.Repor
 func (*FakeAgentAPI) ReportBoundaryLogs(_ context.Context, _ *agentproto.ReportBoundaryLogsRequest) (*agentproto.ReportBoundaryLogsResponse, error) {
 	return &agentproto.ReportBoundaryLogsResponse{}, nil
 }
-func (*FakeAgentAPI) ReportRestart(_ context.Context, _ *agentproto.ReportRestartRequest) (*agentproto.ReportRestartResponse, error) {
-	return &agentproto.ReportRestartResponse{}, nil
-}
 
 func (f *FakeAgentAPI) GetConnectionReports() []*agentproto.ReportConnectionRequest {
 	f.Lock()

agent/proto/agent.proto

@@ -364,6 +364,8 @@ message Connection {
 		VSCODE = 2;
 		JETBRAINS = 3;
 		RECONNECTING_PTY = 4;
+		WORKSPACE_APP = 5;
+		PORT_FORWARDING = 6;
 	}
 
 	bytes id = 1;
@@ -373,6 +375,7 @@ message Connection {
 	string ip = 5;
 	int32 status_code = 6;
 	optional string reason = 7;
+	optional string slug_or_port = 8;
 }
 
 message ReportConnectionRequest {
@@ -494,18 +497,6 @@ message ReportBoundaryLogsRequest {
 
 message ReportBoundaryLogsResponse {}
 
-message ReportRestartRequest {
-	int32 restart_count = 1;
-	string kill_signal = 2;
-	// reason describes how the previous agent process exited.
-	// In the reaper (PID 1) path this is always "signal". In
-	// the systemd path it mirrors $SERVICE_RESULT and can be
-	// "signal", "exit-code", or another systemd result string.
-	string reason = 3;
-}
-
-message ReportRestartResponse {}
-
 service Agent {
 	rpc GetManifest(GetManifestRequest) returns (Manifest);
 	rpc GetServiceBanner(GetServiceBannerRequest) returns (ServiceBanner);
@@ -524,5 +515,4 @@ service Agent {
 	rpc DeleteSubAgent(DeleteSubAgentRequest) returns (DeleteSubAgentResponse);
 	rpc ListSubAgents(ListSubAgentsRequest) returns (ListSubAgentsResponse);
 	rpc ReportBoundaryLogs(ReportBoundaryLogsRequest) returns (ReportBoundaryLogsResponse);
-	rpc ReportRestart(ReportRestartRequest) returns (ReportRestartResponse);
 }

agent/proto/agent_drpc.pb.go

@@ -56,7 +56,6 @@ type DRPCAgentClient interface {
 	DeleteSubAgent(ctx context.Context, in *DeleteSubAgentRequest) (*DeleteSubAgentResponse, error)
 	ListSubAgents(ctx context.Context, in *ListSubAgentsRequest) (*ListSubAgentsResponse, error)
 	ReportBoundaryLogs(ctx context.Context, in *ReportBoundaryLogsRequest) (*ReportBoundaryLogsResponse, error)
-	ReportRestart(ctx context.Context, in *ReportRestartRequest) (*ReportRestartResponse, error)
 }
 
 type drpcAgentClient struct {
@@ -222,15 +221,6 @@ func (c *drpcAgentClient) ReportBoundaryLogs(ctx context.Context, in *ReportBoun
 	return out, nil
 }
 
-func (c *drpcAgentClient) ReportRestart(ctx context.Context, in *ReportRestartRequest) (*ReportRestartResponse, error) {
-	out := new(ReportRestartResponse)
-	err := c.cc.Invoke(ctx, "/coder.agent.v2.Agent/ReportRestart", drpcEncoding_File_agent_proto_agent_proto{}, in, out)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 type DRPCAgentServer interface {
 	GetManifest(context.Context, *GetManifestRequest) (*Manifest, error)
 	GetServiceBanner(context.Context, *GetServiceBannerRequest) (*ServiceBanner, error)
@@ -249,7 +239,6 @@ type DRPCAgentServer interface {
 	DeleteSubAgent(context.Context, *DeleteSubAgentRequest) (*DeleteSubAgentResponse, error)
 	ListSubAgents(context.Context, *ListSubAgentsRequest) (*ListSubAgentsResponse, error)
 	ReportBoundaryLogs(context.Context, *ReportBoundaryLogsRequest) (*ReportBoundaryLogsResponse, error)
-	ReportRestart(context.Context, *ReportRestartRequest) (*ReportRestartResponse, error)
 }
 
 type DRPCAgentUnimplementedServer struct{}
@@ -322,13 +311,9 @@ func (s *DRPCAgentUnimplementedServer) ReportBoundaryLogs(context.Context, *Repo
 	return nil, drpcerr.WithCode(errors.New("Unimplemented"), drpcerr.Unimplemented)
 }
 
-func (s *DRPCAgentUnimplementedServer) ReportRestart(context.Context, *ReportRestartRequest) (*ReportRestartResponse, error) {
-	return nil, drpcerr.WithCode(errors.New("Unimplemented"), drpcerr.Unimplemented)
-}
-
 type DRPCAgentDescription struct{}
 
-func (DRPCAgentDescription) NumMethods() int { return 18 }
+func (DRPCAgentDescription) NumMethods() int { return 17 }
 
 func (DRPCAgentDescription) Method(n int) (string, drpc.Encoding, drpc.Receiver, interface{}, bool) {
 	switch n {
@@ -485,15 +470,6 @@ func (DRPCAgentDescription) Method(n int) (string, drpc.Encoding, drpc.Receiver,
 						in1.(*ReportBoundaryLogsRequest),
 					)
 			}, DRPCAgentServer.ReportBoundaryLogs, true
-	case 17:
-		return "/coder.agent.v2.Agent/ReportRestart", drpcEncoding_File_agent_proto_agent_proto{},
-			func(srv interface{}, ctx context.Context, in1, in2 interface{}) (drpc.Message, error) {
-				return srv.(DRPCAgentServer).
-					ReportRestart(
-						ctx,
-						in1.(*ReportRestartRequest),
-					)
-			}, DRPCAgentServer.ReportRestart, true
 	default:
 		return "", nil, nil, nil, false
 	}
@@ -774,19 +750,3 @@ func (x *drpcAgent_ReportBoundaryLogsStream) SendAndClose(m *ReportBoundaryLogsR
 	}
 	return x.CloseSend()
 }
-
-type DRPCAgent_ReportRestartStream interface {
-	drpc.Stream
-	SendAndClose(*ReportRestartResponse) error
-}
-
-type drpcAgent_ReportRestartStream struct {
-	drpc.Stream
-}
-
-func (x *drpcAgent_ReportRestartStream) SendAndClose(m *ReportRestartResponse) error {
-	if err := x.MsgSend(m, drpcEncoding_File_agent_proto_agent_proto{}); err != nil {
-		return err
-	}
-	return x.CloseSend()
-}

agent/proto/agent_drpc_old.go

@@ -79,10 +79,3 @@ type DRPCAgentClient27 interface {
 type DRPCAgentClient28 interface {
 	DRPCAgentClient27
 }
-
-// DRPCAgentClient29 is the Agent API at v2.9. It adds the ReportRestart RPC
-// for reporting agent restarts after OOM kills or other SIGKILL events.
-type DRPCAgentClient29 interface {
-	DRPCAgentClient28
-	ReportRestart(ctx context.Context, in *ReportRestartRequest) (*ReportRestartResponse, error)
-}

agent/reaper/reaper.go

@@ -2,7 +2,6 @@ package reaper
 
 import (
 	"os"
-	"time"
 
 	"github.com/hashicorp/go-reap"
 
@@ -43,50 +42,9 @@ func WithLogger(logger slog.Logger) Option {
 	}
 }
 
-// WithMaxRestarts sets the maximum number of times the child process
-// will be restarted after being killed by SIGKILL within the restart
-// window. Default is 5.
-func WithMaxRestarts(n int) Option {
-	return func(o *options) {
-		o.MaxRestarts = n
-	}
-}
-
-// WithRestartWindow sets the sliding time window within which restart
-// attempts are counted. If the max restarts are exhausted within this
-// window, the reaper gives up. Default is 10 minutes.
-func WithRestartWindow(d time.Duration) Option {
-	return func(o *options) {
-		o.RestartWindow = d
-	}
-}
-
-// WithRestartBaseDelay sets the initial backoff delay before restarting
-// the child process. The delay doubles on each subsequent restart.
-// Default is 1 second.
-func WithRestartBaseDelay(d time.Duration) Option {
-	return func(o *options) {
-		o.RestartBaseDelay = d
-	}
-}
-
-// WithRestartMaxDelay sets the maximum backoff delay before restarting
-// the child process. Default is 60 seconds.
-func WithRestartMaxDelay(d time.Duration) Option {
-	return func(o *options) {
-		o.RestartMaxDelay = d
-	}
-}
-
 type options struct {
 	ExecArgs     []string
 	PIDs         reap.PidCh
 	CatchSignals []os.Signal
 	Logger       slog.Logger
-
-	// Restart options for crash-loop recovery (e.g. OOM kills).
-	MaxRestarts      int
-	RestartWindow    time.Duration
-	RestartBaseDelay time.Duration
-	RestartMaxDelay  time.Duration
 }

agent/reaper/reaper_stub.go

@@ -2,15 +2,6 @@
 
 package reaper
 
-const (
-	// StartCountFile tracks how many times the agent process has
-	// started. A value > 1 indicates the agent was restarted.
-	StartCountFile = "/tmp/coder-agent-start-count.txt"
-	// KillSignalFile records the signal that terminated the
-	// previous agent process.
-	KillSignalFile = "/tmp/coder-agent-kill-signal.txt"
-)
-
 // IsInitProcess returns true if the current process's PID is 1.
 func IsInitProcess() bool {
 	return false
@@ -19,27 +10,3 @@ func IsInitProcess() bool {
 func ForkReap(_ ...Option) (int, error) {
 	return 0, nil
 }
-
-// WriteStartCount is a no-op on non-Linux platforms.
-func WriteStartCount(_ int) error {
-	return nil
-}
-
-// WriteKillSignal is a no-op on non-Linux platforms.
-func WriteKillSignal(_ string) error {
-	return nil
-}
-
-// ReadKillSignal returns empty on non-Linux platforms.
-func ReadKillSignal() string {
-	return ""
-}
-
-// ParseKillSignal parses the kill signal file content on
-// non-Linux platforms. Always returns empty strings.
-func ParseKillSignal(_ string) (reason, value string) {
-	return "", ""
-}
-
-// ClearRestartState is a no-op on non-Linux platforms.
-func ClearRestartState() {}

agent/reaper/reaper_test.go

@@ -96,38 +96,6 @@ func TestForkReapExitCodes(t *testing.T) {
 	}
 }
 
-func TestParseKillSignal(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		raw            string
-		expectedReason string
-		expectedValue  string
-	}{
-		// Reaper path: "signal:killed"
-		{"signal:killed", "signal", "killed"},
-		// Systemd path: signal death
-		{"signal:SIGKILL", "signal", "SIGKILL"},
-		{"signal:SIGABRT", "signal", "SIGABRT"},
-		// Systemd path: exit code
-		{"exit-code:2", "exit-code", "2"},
-		{"exit-code:134", "exit-code", "134"},
-		// Empty
-		{"", "", ""},
-		// Legacy format (no colon)
-		{"killed", "", "killed"},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.raw, func(t *testing.T) {
-			t.Parallel()
-			reason, value := reaper.ParseKillSignal(tt.raw)
-			require.Equal(t, tt.expectedReason, reason)
-			require.Equal(t, tt.expectedValue, value)
-		})
-	}
-}
-
 //nolint:paralleltest // Signal handling.
 func TestReapInterrupt(t *testing.T) {
 	// Don't run the reaper test in CI. It does weird

agent/reaper/reaper_unix.go

@@ -4,14 +4,9 @@ package reaper
 
 import (
 	"context"
-	"fmt"
-	"math/rand"
 	"os"
 	"os/signal"
-	"strings"
-	"sync"
 	"syscall"
-	"time"
 
 	"github.com/hashicorp/go-reap"
 	"golang.org/x/xerrors"
@@ -19,37 +14,12 @@ import (
 	"cdr.dev/slog/v3"
 )
 
-const (
-	defaultMaxRestarts      = 5
-	defaultRestartWindow    = 10 * time.Minute
-	defaultRestartBaseDelay = 1 * time.Second
-	defaultRestartMaxDelay  = 60 * time.Second
-
-	// StartCountFile tracks how many times the agent process has
-	// started. A value > 1 indicates the agent was restarted
-	// (e.g. after an OOM kill). The file is written by the reaper
-	// in PID 1 mode and by the agent itself in systemd mode. It
-	// is deleted on graceful shutdown.
-	StartCountFile = "/tmp/coder-agent-start-count.txt"
-	// KillSignalFile records the signal that terminated the
-	// previous agent process (e.g. "SIGKILL"). Written by the
-	// reaper after wait4 in the PID 1 path, or by systemd's
-	// ExecStopPost in the supervised path. Deleted on graceful
-	// shutdown.
-	KillSignalFile = "/tmp/coder-agent-kill-signal.txt"
-)
-
 // IsInitProcess returns true if the current process's PID is 1.
 func IsInitProcess() bool {
 	return os.Getpid() == 1
 }
 
-// catchSignalsWithStop catches the given signals and forwards them to
-// the child process. On the first signal received, it closes the
-// stopping channel to indicate that the reaper should not restart the
-// child. Subsequent signals are still forwarded. The goroutine exits
-// when the done channel is closed (typically after Wait4 returns).
-func catchSignalsWithStop(logger slog.Logger, pid int, sigs []os.Signal, stopping chan struct{}, once *sync.Once, done <-chan struct{}) {
+func catchSignals(logger slog.Logger, pid int, sigs []os.Signal) {
 	if len(sigs) == 0 {
 		return
 	}
@@ -64,18 +34,10 @@ func catchSignalsWithStop(logger slog.Logger, pid int, sigs []os.Signal, stoppin
 	)
 
 	for {
-		select {
-		case <-done:
-			return
-		case s := <-sc:
-			sig, ok := s.(syscall.Signal)
-			if !ok {
-				continue
-			}
-			// Signal that we're intentionally stopping — suppress
-			// restart after the child exits.
-			once.Do(func() { close(stopping) })
-			logger.Info(context.Background(), "reaper caught signal, forwarding to child",
+		s := <-sc
+		sig, ok := s.(syscall.Signal)
+		if ok {
+			logger.Info(context.Background(), "reaper caught signal, killing child process",
 				slog.F("signal", sig.String()),
 				slog.F("child_pid", pid),
 			)
@@ -88,23 +50,14 @@ func catchSignalsWithStop(logger slog.Logger, pid int, sigs []os.Signal, stoppin
 // complications with spawning `exec.Commands` in the same process that
 // is reaping, we forkexec a child process. This prevents a race between
 // the reaper and an exec.Command waiting for its process to complete.
-// The provided 'pids' channel may be nil if the caller does not care
-// about the reaped children PIDs.
+// The provided 'pids' channel may be nil if the caller does not care about the
+// reaped children PIDs.
 //
-// If the child process is killed by SIGKILL (e.g. by the OOM killer),
-// ForkReap will restart it with exponential backoff, up to MaxRestarts
-// times within RestartWindow. If the reaper receives a stop signal
-// (via CatchSignals), it will not restart the child after it exits.
-//
-// Returns the child's exit code (using 128+signal for signal
-// termination) and any error from Wait4.
+// Returns the child's exit code (using 128+signal for signal termination)
+// and any error from Wait4.
 func ForkReap(opt ...Option) (int, error) {
 	opts := &options{
-		ExecArgs:         os.Args,
-		MaxRestarts:      defaultMaxRestarts,
-		RestartWindow:    defaultRestartWindow,
-		RestartBaseDelay: defaultRestartBaseDelay,
-		RestartMaxDelay:  defaultRestartMaxDelay,
+		ExecArgs: os.Args,
 	}
 
 	for _, o := range opt {
@@ -131,191 +84,31 @@ func ForkReap(opt ...Option) (int, error) {
 		},
 	}
 
-	// Track whether we've been told to stop via a caught signal.
-	stopping := make(chan struct{})
-	var stoppingOnce sync.Once
+	//#nosec G204
+	pid, err := syscall.ForkExec(opts.ExecArgs[0], opts.ExecArgs, pattrs)
+	if err != nil {
+		return 1, xerrors.Errorf("fork exec: %w", err)
+	}
 
-	var restartCount int
-	var restartTimes []time.Time
+	go catchSignals(opts.Logger, pid, opts.CatchSignals)
 
-	for {
-		// Write the start count before forking so the child can
-		// detect restarts. Start count = restartCount + 1 (first
-		// start is 1, first restart is 2, etc.).
-		if err := WriteStartCount(restartCount + 1); err != nil {
-			opts.Logger.Error(context.Background(), "failed to write start count file", slog.Error(err))
-		}
-
-		//#nosec G204
-		pid, err := syscall.ForkExec(opts.ExecArgs[0], opts.ExecArgs, pattrs)
-		if err != nil {
-			return 1, xerrors.Errorf("fork exec: %w", err)
-		}
-
-		childDone := make(chan struct{})
-		go catchSignalsWithStop(opts.Logger, pid, opts.CatchSignals, stopping, &stoppingOnce, childDone)
-
-		var wstatus syscall.WaitStatus
+	var wstatus syscall.WaitStatus
+	_, err = syscall.Wait4(pid, &wstatus, 0, nil)
+	for xerrors.Is(err, syscall.EINTR) {
 		_, err = syscall.Wait4(pid, &wstatus, 0, nil)
-		for xerrors.Is(err, syscall.EINTR) {
-			_, err = syscall.Wait4(pid, &wstatus, 0, nil)
-		}
-
-		// Stop the signal-forwarding goroutine now that the child
-		// has exited, before we potentially loop and spawn a new one.
-		close(childDone)
-
-		exitCode := convertExitCode(wstatus)
-
-		if !shouldRestart(wstatus, stopping, restartTimes, opts) {
-			return exitCode, err
-		}
-
-		// Record the signal that killed the child so the next
-		// instance can report it to coderd. Format matches
-		// the systemd path: "signal:<name>".
-		if wstatus.Signaled() {
-			if err := WriteKillSignal(fmt.Sprintf("signal:%s", wstatus.Signal().String())); err != nil {
-				opts.Logger.Error(context.Background(), "failed to write kill signal file", slog.Error(err))
-			}
-		}
-
-		restartCount++
-		restartTimes = append(restartTimes, time.Now())
-		delay := backoffDelay(restartCount, opts.RestartBaseDelay, opts.RestartMaxDelay)
-		opts.Logger.Warn(context.Background(), "child process killed, restarting",
-			slog.F("restart_count", restartCount),
-			slog.F("signal", wstatus.Signal()),
-			slog.F("delay", delay),
-		)
-
-		select {
-		case <-time.After(delay):
-			// Continue to restart.
-		case <-stopping:
-			return exitCode, err
-		}
-	}
-}
-
-// shouldRestart determines whether the child process should be
-// restarted based on its exit status, whether we're stopping, and
-// how many recent restarts have occurred.
-func shouldRestart(wstatus syscall.WaitStatus, stopping <-chan struct{}, restartTimes []time.Time, opts *options) bool {
-	// Don't restart if we've been told to stop.
-	select {
-	case <-stopping:
-		return false
-	default:
 	}
 
-	// Only restart on SIGKILL (signal 9), which is what the OOM
-	// killer sends. Other signals (SIGTERM, SIGINT, etc.) indicate
-	// intentional termination.
-	if !wstatus.Signaled() || wstatus.Signal() != syscall.SIGKILL {
-		return false
-	}
-
-	// Count restarts within the sliding window.
-	cutoff := time.Now().Add(-opts.RestartWindow)
-	recentCount := 0
-	for _, t := range restartTimes {
-		if t.After(cutoff) {
-			recentCount++
-		}
-	}
-	return recentCount < opts.MaxRestarts
-}
-
-// convertExitCode converts a wait status to an exit code using
-// standard Unix conventions.
-func convertExitCode(wstatus syscall.WaitStatus) int {
+	// Convert wait status to exit code using standard Unix conventions:
+	// - Normal exit: use the exit code
+	// - Signal termination: use 128 + signal number
+	var exitCode int
 	switch {
 	case wstatus.Exited():
-		return wstatus.ExitStatus()
+		exitCode = wstatus.ExitStatus()
 	case wstatus.Signaled():
-		return 128 + int(wstatus.Signal())
+		exitCode = 128 + int(wstatus.Signal())
 	default:
-		return 1
+		exitCode = 1
 	}
-}
-
-// backoffDelay computes an exponential backoff delay with jitter.
-// The delay doubles on each attempt, capped at maxDelay, with
-// 0-25% jitter added to prevent thundering herd.
-func backoffDelay(attempt int, baseDelay, maxDelay time.Duration) time.Duration {
-	// Cap the shift amount to prevent overflow. With a 1s base
-	// delay, shift > 60 would overflow time.Duration (int64).
-	shift := attempt - 1
-	if shift > 60 {
-		shift = 60
-	}
-	// #nosec G115 - shift is capped above, so this is safe.
-	delay := baseDelay * time.Duration(1<<uint(shift))
-	if delay > maxDelay {
-		delay = maxDelay
-	}
-	// Add 0-25% jitter.
-	if delay > 0 {
-		//nolint:gosec // Jitter doesn't need cryptographic randomness.
-		jitter := time.Duration(rand.Int63n(int64(delay / 4)))
-		delay += jitter
-	}
-	return delay
-}
-
-// WriteStartCount writes the start count to the well-known file.
-// The reaper calls this before forking each child so the agent
-// can detect it has been restarted (start count > 1).
-func WriteStartCount(count int) error {
-	if err := os.WriteFile(StartCountFile, []byte(fmt.Sprintf("%d", count)), 0o644); err != nil {
-		return xerrors.Errorf("write start count file: %w", err)
-	}
-	return nil
-}
-
-// WriteKillSignal writes the kill signal info to the well-known file
-// so the agent can report it to coderd. The format is
-// "<service_result>:<exit_status>", e.g. "signal:killed" (reaper
-// path) or "signal:SIGKILL" / "exit-code:2" (systemd path).
-func WriteKillSignal(sig string) error {
-	if err := os.WriteFile(KillSignalFile, []byte(sig), 0o644); err != nil {
-		return xerrors.Errorf("write kill signal file: %w", err)
-	}
-	return nil
-}
-
-// ReadKillSignal reads the kill signal from the well-known file.
-// Returns an empty string if the file doesn't exist.
-func ReadKillSignal() string {
-	data, err := os.ReadFile(KillSignalFile)
-	if err != nil {
-		return ""
-	}
-	return strings.TrimSpace(string(data))
-}
-
-// ParseKillSignal parses the kill signal file content into its
-// components. The format is "<reason>:<value>", e.g.
-// "signal:killed" or "exit-code:2". Returns the reason
-// (e.g. "signal", "exit-code") and the value (e.g. "killed",
-// "SIGKILL", "2"). For legacy format (no colon), returns empty
-// reason and the raw value.
-func ParseKillSignal(raw string) (reason, value string) {
-	if raw == "" {
-		return "", ""
-	}
-	if idx := strings.IndexByte(raw, ':'); idx >= 0 {
-		return raw[:idx], raw[idx+1:]
-	}
-	// Legacy format: just the signal name.
-	return "", raw
-}
-
-// ClearRestartState deletes the start count and kill signal files.
-// This should be called on graceful shutdown so the next start
-// begins fresh.
-func ClearRestartState() {
-	_ = os.Remove(StartCountFile)
-	_ = os.Remove(KillSignalFile)
+	return exitCode, err
 }

cli/agent.go

@@ -138,33 +138,11 @@ func workspaceAgent() *serpent.Command {
 				// to do this else we fork bomb ourselves.
 				//nolint:gocritic
 				args := append(os.Args, "--no-reap")
-
-				reaperOpts := []reaper.Option{
+				exitCode, err := reaper.ForkReap(
 					reaper.WithExecArgs(args...),
 					reaper.WithCatchSignals(StopSignals...),
 					reaper.WithLogger(logger),
-				}
-
-				// Allow configuring restart behavior via environment
-				// variables for OOM recovery.
-				if v, ok := os.LookupEnv("CODER_AGENT_MAX_RESTARTS"); ok {
-					n, err := strconv.Atoi(v)
-					if err == nil {
-						reaperOpts = append(reaperOpts, reaper.WithMaxRestarts(n))
-					} else {
-						logger.Warn(ctx, "invalid CODER_AGENT_MAX_RESTARTS value", slog.F("value", v))
-					}
-				}
-				if v, ok := os.LookupEnv("CODER_AGENT_RESTART_WINDOW"); ok {
-					d, err := time.ParseDuration(v)
-					if err == nil {
-						reaperOpts = append(reaperOpts, reaper.WithRestartWindow(d))
-					} else {
-						logger.Warn(ctx, "invalid CODER_AGENT_RESTART_WINDOW value", slog.F("value", v))
-					}
-				}
-
-				exitCode, err := reaper.ForkReap(reaperOpts...)
+				)
 				if err != nil {
 					logger.Error(ctx, "agent process reaper unable to fork", slog.Error(err))
 					return xerrors.Errorf("fork reap: %w", err)
@@ -204,21 +182,6 @@ func workspaceAgent() *serpent.Command {
 			go DumpHandler(ctx, "agent")
 
 			version := buildinfo.Version()
-
-			// In the systemd supervised path (not under a PID 1
-			// reaper), the agent manages its own start count.
-			// Increment the count on each startup so that a crash
-			// (which skips graceful shutdown) leaves the incremented
-			// value for the next start. Graceful shutdown deletes
-			// the file. The kill signal file is written by the
-			// systemd ExecStopPost handler, not the agent itself.
-			if os.Getppid() != 1 {
-				startCount := agent.IncrementStartCount()
-				logger.Info(ctx, "agent starting (self-managed start count)",
-					slog.F("start_count", startCount),
-				)
-			}
-
 			logger.Info(ctx, "agent is starting now",
 				slog.F("url", agentAuth.agentURL),
 				slog.F("auth", agentAuth.agentAuth),

cli/cliutil/hostname/hostname.go

@@ -1,4 +1,4 @@
-package cliutil
+package hostname
 
 import (
 	"os"

cli/ping.go

@@ -123,7 +123,9 @@ func (r *RootCmd) ping() *serpent.Command {
 				spin.Start()
 			}
 
-			opts := &workspacesdk.DialAgentOptions{}
+			opts := &workspacesdk.DialAgentOptions{
+				ShortDescription: "CLI ping",
+			}
 
 			if r.verbose {
 				opts.Logger = inv.Logger.AppendSinks(sloghuman.Sink(inv.Stdout)).Leveled(slog.LevelDebug)

cli/portforward.go

@@ -107,7 +107,9 @@ func (r *RootCmd) portForward() *serpent.Command {
 				return xerrors.Errorf("await agent: %w", err)
 			}
 
-			opts := &workspacesdk.DialAgentOptions{}
+			opts := &workspacesdk.DialAgentOptions{
+				ShortDescription: "CLI port-forward",
+			}
 
 			logger := inv.Logger
 			if r.verbose {

cli/server.go

@@ -59,7 +59,7 @@ import (
 	"github.com/coder/coder/v2/buildinfo"
 	"github.com/coder/coder/v2/cli/clilog"
 	"github.com/coder/coder/v2/cli/cliui"
-	"github.com/coder/coder/v2/cli/cliutil"
+	"github.com/coder/coder/v2/cli/cliutil/hostname"
 	"github.com/coder/coder/v2/cli/config"
 	"github.com/coder/coder/v2/coderd"
 	"github.com/coder/coder/v2/coderd/autobuild"
@@ -1029,7 +1029,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				suffix := fmt.Sprintf("%d", i)
 				// The suffix is added to the hostname, so we may need to trim to fit into
 				// the 64 character limit.
-				hostname := stringutil.Truncate(cliutil.Hostname(), 63-len(suffix))
+				hostname := stringutil.Truncate(hostname.Hostname(), 63-len(suffix))
 				name := fmt.Sprintf("%s-%s", hostname, suffix)
 				daemonCacheDir := filepath.Join(cacheDir, fmt.Sprintf("provisioner-%d", i))
 				daemon, err := newProvisionerDaemon(

cli/server_test.go

@@ -2244,7 +2244,6 @@ type runServerOpts struct {
 	waitForSnapshot               bool
 	telemetryDisabled             bool
 	waitForTelemetryDisabledCheck bool
-	name                          string
 }
 
 func TestServer_TelemetryDisabled_FinalReport(t *testing.T) {
@@ -2267,23 +2266,25 @@ func TestServer_TelemetryDisabled_FinalReport(t *testing.T) {
 			"--cache-dir", cacheDir,
 			"--log-filter", ".*",
 		)
-		inv.Logger = inv.Logger.Named(opts.name)
-
+		finished := make(chan bool, 2)
 		errChan := make(chan error, 1)
-		pty := ptytest.New(t).Named(opts.name).Attach(inv)
+		pty := ptytest.New(t).Attach(inv)
 		go func() {
 			errChan <- inv.WithContext(ctx).Run()
-			// close the pty here so that we can start tearing down resources. This test creates multiple servers with
-			// associated ptys. There is a `t.Cleanup()` that does this, but it waits until the whole test is complete.
-			_ = pty.Close()
+			finished <- true
 		}()
-
-		if opts.waitForSnapshot {
-			pty.ExpectMatchContext(testutil.Context(t, testutil.WaitLong), "submitted snapshot")
-		}
-		if opts.waitForTelemetryDisabledCheck {
-			pty.ExpectMatchContext(testutil.Context(t, testutil.WaitLong), "finished telemetry status check")
-		}
+		go func() {
+			defer func() {
+				finished <- true
+			}()
+			if opts.waitForSnapshot {
+				pty.ExpectMatchContext(testutil.Context(t, testutil.WaitLong), "submitted snapshot")
+			}
+			if opts.waitForTelemetryDisabledCheck {
+				pty.ExpectMatchContext(testutil.Context(t, testutil.WaitLong), "finished telemetry status check")
+			}
+		}()
+		<-finished
 		return errChan, cancelFunc
 	}
 	waitForShutdown := func(t *testing.T, errChan chan error) error {
@@ -2297,9 +2298,7 @@ func TestServer_TelemetryDisabled_FinalReport(t *testing.T) {
 		return nil
 	}
 
-	errChan, cancelFunc := runServer(t, runServerOpts{
-		telemetryDisabled: true, waitForTelemetryDisabledCheck: true, name: "0disabled",
-	})
+	errChan, cancelFunc := runServer(t, runServerOpts{telemetryDisabled: true, waitForTelemetryDisabledCheck: true})
 	cancelFunc()
 	require.NoError(t, waitForShutdown(t, errChan))
 
@@ -2307,7 +2306,7 @@ func TestServer_TelemetryDisabled_FinalReport(t *testing.T) {
 	require.Empty(t, deployment)
 	require.Empty(t, snapshot)
 
-	errChan, cancelFunc = runServer(t, runServerOpts{waitForSnapshot: true, name: "1enabled"})
+	errChan, cancelFunc = runServer(t, runServerOpts{waitForSnapshot: true})
 	cancelFunc()
 	require.NoError(t, waitForShutdown(t, errChan))
 	// we expect to see a deployment and a snapshot twice:
@@ -2326,9 +2325,7 @@ func TestServer_TelemetryDisabled_FinalReport(t *testing.T) {
 		}
 	}
 
-	errChan, cancelFunc = runServer(t, runServerOpts{
-		telemetryDisabled: true, waitForTelemetryDisabledCheck: true, name: "2disabled",
-	})
+	errChan, cancelFunc = runServer(t, runServerOpts{telemetryDisabled: true, waitForTelemetryDisabledCheck: true})
 	cancelFunc()
 	require.NoError(t, waitForShutdown(t, errChan))
 
@@ -2344,9 +2341,7 @@ func TestServer_TelemetryDisabled_FinalReport(t *testing.T) {
 		t.Fatalf("timed out waiting for snapshot")
 	}
 
-	errChan, cancelFunc = runServer(t, runServerOpts{
-		telemetryDisabled: true, waitForTelemetryDisabledCheck: true, name: "3disabled",
-	})
+	errChan, cancelFunc = runServer(t, runServerOpts{telemetryDisabled: true, waitForTelemetryDisabledCheck: true})
 	cancelFunc()
 	require.NoError(t, waitForShutdown(t, errChan))
 	// Since telemetry is disabled and we've already sent a snapshot, we expect no

cli/speedtest.go

@@ -97,7 +97,9 @@ func (r *RootCmd) speedtest() *serpent.Command {
 				return xerrors.Errorf("await agent: %w", err)
 			}
 
-			opts := &workspacesdk.DialAgentOptions{}
+			opts := &workspacesdk.DialAgentOptions{
+				ShortDescription: "CLI speedtest",
+			}
 			if r.verbose {
 				opts.Logger = inv.Logger.AppendSinks(sloghuman.Sink(inv.Stderr)).Leveled(slog.LevelDebug)
 			}

cli/ssh.go

@@ -24,6 +24,7 @@ import (
 	"github.com/gofrs/flock"
 	"github.com/google/uuid"
 	"github.com/mattn/go-isatty"
+	"github.com/shirou/gopsutil/v4/process"
 	"github.com/spf13/afero"
 	gossh "golang.org/x/crypto/ssh"
 	gosshagent "golang.org/x/crypto/ssh/agent"
@@ -84,6 +85,9 @@ func (r *RootCmd) ssh() *serpent.Command {
 
 		containerName string
 		containerUser string
+
+		// Used in tests to simulate the parent exiting.
+		testForcePPID int64
 	)
 	cmd := &serpent.Command{
 		Annotations: workspaceCommand,
@@ -175,6 +179,24 @@ func (r *RootCmd) ssh() *serpent.Command {
 			ctx, cancel := context.WithCancel(ctx)
 			defer cancel()
 
+			// When running as a ProxyCommand (stdio mode), monitor the parent process
+			// and exit if it dies to avoid leaving orphaned processes. This is
+			// particularly important when editors like VSCode/Cursor spawn SSH
+			// connections and then crash or are killed - we don't want zombie
+			// `coder ssh` processes accumulating.
+			// Note: using gopsutil to check the parent process as this handles
+			// windows processes as well in a standard way.
+			if stdio {
+				ppid := int32(os.Getppid())             // nolint:gosec
+				checkParentInterval := 10 * time.Second // Arbitrary interval to not be too frequent
+				if testForcePPID > 0 {
+					ppid = int32(testForcePPID)                  // nolint:gosec
+					checkParentInterval = 100 * time.Millisecond // Shorter interval for testing
+				}
+				ctx, cancel = watchParentContext(ctx, quartz.NewReal(), ppid, process.PidExistsWithContext, checkParentInterval)
+				defer cancel()
+			}
+
 			// Prevent unnecessary logs from the stdlib from messing up the TTY.
 			// See: https://github.com/coder/coder/issues/13144
 			log.SetOutput(io.Discard)
@@ -343,6 +365,10 @@ func (r *RootCmd) ssh() *serpent.Command {
 				}
 				return err
 			}
+			shortDescription := "CLI ssh"
+			if stdio {
+				shortDescription = "CLI ssh (stdio)"
+			}
 
 			// If we're in stdio mode, check to see if we can use Coder Connect.
 			// We don't support Coder Connect over non-stdio coder ssh yet.
@@ -383,9 +409,10 @@ func (r *RootCmd) ssh() *serpent.Command {
 			}
 			conn, err := wsClient.
 				DialAgent(ctx, workspaceAgent.ID, &workspacesdk.DialAgentOptions{
-					Logger:          logger,
-					BlockEndpoints:  r.disableDirect,
-					EnableTelemetry: !r.disableNetworkTelemetry,
+					Logger:           logger,
+					BlockEndpoints:   r.disableDirect,
+					EnableTelemetry:  !r.disableNetworkTelemetry,
+					ShortDescription: shortDescription,
 				})
 			if err != nil {
 				return xerrors.Errorf("dial agent: %w", err)
@@ -775,6 +802,12 @@ func (r *RootCmd) ssh() *serpent.Command {
 			Value:       serpent.BoolOf(&forceNewTunnel),
 			Hidden:      true,
 		},
+		{
+			Flag:        "test.force-ppid",
+			Description: "Override the parent process ID to simulate a different parent process. ONLY USE THIS IN TESTS.",
+			Value:       serpent.Int64Of(&testForcePPID),
+			Hidden:      true,
+		},
 		sshDisableAutostartOption(serpent.BoolOf(&disableAutostart)),
 	}
 	return cmd
@@ -1662,3 +1695,33 @@ func normalizeWorkspaceInput(input string) string {
 		return input // Fallback
 	}
 }
+
+// watchParentContext returns a context that is canceled when the parent process
+// dies. It polls using the provided clock and checks if the parent is alive
+// using the provided pidExists function.
+func watchParentContext(ctx context.Context, clock quartz.Clock, originalPPID int32, pidExists func(context.Context, int32) (bool, error), interval time.Duration) (context.Context, context.CancelFunc) {
+	ctx, cancel := context.WithCancel(ctx) // intentionally shadowed
+
+	go func() {
+		ticker := clock.NewTicker(interval)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				alive, err := pidExists(ctx, originalPPID)
+				// If we get an error checking the parent process (e.g., permission
+				// denied, the process is in an unknown state), we assume the parent
+				// is still alive to avoid disrupting the SSH connection. We only
+				// cancel when we definitively know the parent is gone (alive=false, err=nil).
+				if !alive && err == nil {
+					cancel()
+					return
+				}
+			}
+		}
+	}()
+
+	return ctx, cancel
+}

cli/ssh_internal_test.go

@@ -312,6 +312,102 @@ type fakeCloser struct {
 	err    error
 }
 
+func TestWatchParentContext(t *testing.T) {
+	t.Parallel()
+
+	t.Run("CancelsWhenParentDies", func(t *testing.T) {
+		t.Parallel()
+		ctx := testutil.Context(t, testutil.WaitShort)
+		mClock := quartz.NewMock(t)
+		trap := mClock.Trap().NewTicker()
+		defer trap.Close()
+
+		parentAlive := true
+		childCtx, cancel := watchParentContext(ctx, mClock, 1234, func(context.Context, int32) (bool, error) {
+			return parentAlive, nil
+		}, testutil.WaitShort)
+		defer cancel()
+
+		// Wait for the ticker to be created
+		trap.MustWait(ctx).MustRelease(ctx)
+
+		// When: we simulate parent death and advance the clock
+		parentAlive = false
+		mClock.AdvanceNext()
+
+		// Then: The context should be canceled
+		_ = testutil.TryReceive(ctx, t, childCtx.Done())
+	})
+
+	t.Run("DoesNotCancelWhenParentAlive", func(t *testing.T) {
+		t.Parallel()
+		ctx := testutil.Context(t, testutil.WaitShort)
+		mClock := quartz.NewMock(t)
+		trap := mClock.Trap().NewTicker()
+		defer trap.Close()
+
+		childCtx, cancel := watchParentContext(ctx, mClock, 1234, func(context.Context, int32) (bool, error) {
+			return true, nil // Parent always alive
+		}, testutil.WaitShort)
+		defer cancel()
+
+		// Wait for the ticker to be created
+		trap.MustWait(ctx).MustRelease(ctx)
+
+		// When: we advance the clock several times with the parent alive
+		for range 3 {
+			mClock.AdvanceNext()
+		}
+
+		// Then: context should not be canceled
+		require.NoError(t, childCtx.Err())
+	})
+
+	t.Run("RespectsParentContext", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancelParent := context.WithCancel(context.Background())
+		mClock := quartz.NewMock(t)
+
+		childCtx, cancel := watchParentContext(ctx, mClock, 1234, func(context.Context, int32) (bool, error) {
+			return true, nil
+		}, testutil.WaitShort)
+		defer cancel()
+
+		// When: we cancel the parent context
+		cancelParent()
+
+		// Then: The context should be canceled
+		require.ErrorIs(t, childCtx.Err(), context.Canceled)
+	})
+
+	t.Run("DoesNotCancelOnError", func(t *testing.T) {
+		t.Parallel()
+		ctx := testutil.Context(t, testutil.WaitShort)
+		mClock := quartz.NewMock(t)
+		trap := mClock.Trap().NewTicker()
+		defer trap.Close()
+
+		// Simulate an error checking parent status (e.g., permission denied).
+		// We should not cancel the context in this case to avoid disrupting
+		// the SSH connection.
+		childCtx, cancel := watchParentContext(ctx, mClock, 1234, func(context.Context, int32) (bool, error) {
+			return false, xerrors.New("permission denied")
+		}, testutil.WaitShort)
+		defer cancel()
+
+		// Wait for the ticker to be created
+		trap.MustWait(ctx).MustRelease(ctx)
+
+		// When: we advance clock several times
+		for range 3 {
+			mClock.AdvanceNext()
+		}
+
+		// Context should NOT be canceled since we got an error (not a definitive "not alive")
+		require.NoError(t, childCtx.Err(), "context was canceled even though pidExists returned an error")
+	})
+}
+
 func (c *fakeCloser) Close() error {
 	*c.closes = append(*c.closes, c)
 	return c.err

cli/ssh_test.go

@@ -1122,6 +1122,107 @@ func TestSSH(t *testing.T) {
 		}
 	})
 
+	// This test ensures that the SSH session exits when the parent process dies.
+	t.Run("StdioExitOnParentDeath", func(t *testing.T) {
+		t.Parallel()
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitSuperLong)
+		defer cancel()
+
+		// sleepStart -> agentReady -> sessionStarted -> sleepKill -> sleepDone -> cmdDone
+		sleepStart := make(chan int)
+		agentReady := make(chan struct{})
+		sessionStarted := make(chan struct{})
+		sleepKill := make(chan struct{})
+		sleepDone := make(chan struct{})
+
+		// Start a sleep process which we will pretend is the parent.
+		go func() {
+			sleepCmd := exec.Command("sleep", "infinity")
+			if !assert.NoError(t, sleepCmd.Start(), "failed to start sleep command") {
+				return
+			}
+			sleepStart <- sleepCmd.Process.Pid
+			defer close(sleepDone)
+			<-sleepKill
+			sleepCmd.Process.Kill()
+			_ = sleepCmd.Wait()
+		}()
+
+		client, workspace, agentToken := setupWorkspaceForAgent(t)
+		go func() {
+			defer close(agentReady)
+			_ = agenttest.New(t, client.URL, agentToken)
+			coderdtest.NewWorkspaceAgentWaiter(t, client, workspace.ID).WaitFor(coderdtest.AgentsReady)
+		}()
+
+		clientOutput, clientInput := io.Pipe()
+		serverOutput, serverInput := io.Pipe()
+		defer func() {
+			for _, c := range []io.Closer{clientOutput, clientInput, serverOutput, serverInput} {
+				_ = c.Close()
+			}
+		}()
+
+		// Start a connection to the agent once it's ready
+		go func() {
+			<-agentReady
+			conn, channels, requests, err := ssh.NewClientConn(&testutil.ReaderWriterConn{
+				Reader: serverOutput,
+				Writer: clientInput,
+			}, "", &ssh.ClientConfig{
+				// #nosec
+				HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+			})
+			if !assert.NoError(t, err, "failed to create SSH client connection") {
+				return
+			}
+			defer conn.Close()
+
+			sshClient := ssh.NewClient(conn, channels, requests)
+			defer sshClient.Close()
+
+			session, err := sshClient.NewSession()
+			if !assert.NoError(t, err, "failed to create SSH session") {
+				return
+			}
+			close(sessionStarted)
+			<-sleepDone
+			// Ref: https://github.com/coder/internal/issues/1289
+			// This may return either a nil error or io.EOF.
+			// There is an inherent race here:
+			// 1. Sleep process is killed -> sleepDone is closed.
+			// 2. watchParentContext detects parent death, cancels context,
+			//    causing SSH session teardown.
+			// 3. We receive from sleepDone and attempt to call session.Close()
+			// Now either:
+			// a. Session teardown completes before we call Close(), resulting in io.EOF
+			// b. We call Close() first, resulting in a nil error.
+			_ = session.Close()
+		}()
+
+		// Wait for our "parent" process to start
+		sleepPid := testutil.RequireReceive(ctx, t, sleepStart)
+		// Wait for the agent to be ready
+		testutil.SoftTryReceive(ctx, t, agentReady)
+		inv, root := clitest.New(t, "ssh", "--stdio", workspace.Name, "--test.force-ppid", fmt.Sprintf("%d", sleepPid))
+		clitest.SetupConfig(t, client, root)
+		inv.Stdin = clientOutput
+		inv.Stdout = serverInput
+		inv.Stderr = io.Discard
+
+		// Start the command
+		clitest.Start(t, inv.WithContext(ctx))
+
+		// Wait for a session to be established
+		testutil.SoftTryReceive(ctx, t, sessionStarted)
+		// Now kill the fake "parent"
+		close(sleepKill)
+		// The sleep process should exit
+		testutil.SoftTryReceive(ctx, t, sleepDone)
+		// And then the command should exit. This is tracked by clitest.Start.
+	})
+
 	t.Run("ForwardAgent", func(t *testing.T) {
 		if runtime.GOOS == "windows" {
 			t.Skip("Test not supported on windows")

cli/support.go

@@ -418,6 +418,7 @@ func writeBundle(src *support.Bundle, dest *zip.Writer) error {
 		"workspace/template_version.json": src.Workspace.TemplateVersion,
 		"workspace/parameters.json":       src.Workspace.Parameters,
 		"workspace/workspace.json":        src.Workspace.Workspace,
+		"workspace/workspace_sessions.json": src.Workspace.WorkspaceSessions,
 	} {
 		f, err := dest.Create(k)
 		if err != nil {

cli/vscodessh.go

@@ -166,8 +166,9 @@ func (r *RootCmd) vscodeSSH() *serpent.Command {
 			}
 			agentConn, err := workspacesdk.New(client).
 				DialAgent(ctx, workspaceAgent.ID, &workspacesdk.DialAgentOptions{
-					Logger:         logger,
-					BlockEndpoints: r.disableDirect,
+					Logger:           logger,
+					BlockEndpoints:   r.disableDirect,
+					ShortDescription: "VSCode SSH",
 				})
 			if err != nil {
 				return xerrors.Errorf("dial workspace agent: %w", err)

coderd/agentapi/api.go

@@ -57,7 +57,6 @@ type API struct {
 	*ConnLogAPI
 	*SubAgentAPI
 	*BoundaryLogsAPI
-	*RestartAPI
 	*tailnet.DRPCService
 
 	cachedWorkspaceFields *CachedWorkspaceFields
@@ -74,9 +73,6 @@ type Options struct {
 	OrganizationID    uuid.UUID
 	TemplateVersionID uuid.UUID
 
-	TemplateName        string
-	TemplateVersionName string
-
 	AuthenticatedCtx                  context.Context
 	Log                               slog.Logger
 	Clock                             quartz.Clock
@@ -206,11 +202,13 @@ func New(opts Options, workspace database.Workspace) *API {
 	}
 
 	api.ConnLogAPI = &ConnLogAPI{
-		AgentFn:          api.agent,
-		ConnectionLogger: opts.ConnectionLogger,
-		Database:         opts.Database,
-		Workspace:        api.cachedWorkspaceFields,
-		Log:              opts.Log,
+		AgentFn:                  api.agent,
+		ConnectionLogger:         opts.ConnectionLogger,
+		TailnetCoordinator:       opts.TailnetCoordinator,
+		Database:                 opts.Database,
+		Workspace:                api.cachedWorkspaceFields,
+		Log:                      opts.Log,
+		PublishWorkspaceUpdateFn: api.publishWorkspaceUpdate,
 	}
 
 	api.DRPCService = &tailnet.DRPCService{
@@ -240,18 +238,6 @@ func New(opts Options, workspace database.Workspace) *API {
 		BoundaryUsageTracker: opts.BoundaryUsageTracker,
 	}
 
-	api.RestartAPI = &RestartAPI{
-		AgentFn:                  api.agent,
-		WorkspaceID:              opts.WorkspaceID,
-		Database:                 opts.Database,
-		Log:                      opts.Log,
-		NotificationsEnqueuer:    opts.NotificationsEnqueuer,
-		PublishWorkspaceUpdateFn: api.publishWorkspaceUpdate,
-		Metrics:                  opts.LifecycleMetrics,
-		TemplateName:             workspace.TemplateName,
-		TemplateVersionName:      opts.TemplateVersionName,
-	}
-
 	// Start background cache refresh loop to handle workspace changes
 	// like prebuild claims where owner_id and other fields may be modified in the DB.
 	go api.startCacheRefreshLoop(opts.AuthenticatedCtx)

coderd/agentapi/connectionlog.go

@@ -3,6 +3,8 @@ package agentapi
 import (
 	"context"
 	"database/sql"
+	"fmt"
+	"net/netip"
 	"sync/atomic"
 
 	"github.com/google/uuid"
@@ -15,14 +17,18 @@ import (
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/db2sdk"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/wspubsub"
+	"github.com/coder/coder/v2/tailnet"
 )
 
 type ConnLogAPI struct {
-	AgentFn          func(context.Context) (database.WorkspaceAgent, error)
-	ConnectionLogger *atomic.Pointer[connectionlog.ConnectionLogger]
-	Workspace        *CachedWorkspaceFields
-	Database         database.Store
-	Log              slog.Logger
+	AgentFn                  func(context.Context) (database.WorkspaceAgent, error)
+	ConnectionLogger         *atomic.Pointer[connectionlog.ConnectionLogger]
+	TailnetCoordinator       *atomic.Pointer[tailnet.Coordinator]
+	Workspace                *CachedWorkspaceFields
+	Database                 database.Store
+	Log                      slog.Logger
+	PublishWorkspaceUpdateFn func(context.Context, *database.WorkspaceAgent, wspubsub.WorkspaceEventKind) error
 }
 
 func (a *ConnLogAPI) ReportConnection(ctx context.Context, req *agentproto.ReportConnectionRequest) (*emptypb.Empty, error) {
@@ -88,6 +94,38 @@ func (a *ConnLogAPI) ReportConnection(ctx context.Context, req *agentproto.Repor
 	}
 	logIP := database.ParseIP(logIPRaw) // will return null if invalid
 
+	// At connect time, look up the tailnet peer to capture the
+	// client hostname and description for session grouping later.
+	var clientHostname, shortDescription, clientOS sql.NullString
+	if action == database.ConnectionStatusConnected && a.TailnetCoordinator != nil {
+		if coord := a.TailnetCoordinator.Load(); coord != nil {
+			for _, peer := range (*coord).TunnelPeers(workspaceAgent.ID) {
+				if peer.Node != nil {
+					// Match peer by checking if any of its addresses
+					// match the connection IP.
+					for _, addr := range peer.Node.Addresses {
+						prefix, err := netip.ParsePrefix(addr)
+						if err != nil {
+							continue
+						}
+						if logIP.Valid && prefix.Addr().String() == logIP.IPNet.IP.String() {
+							if peer.Node.Hostname != "" {
+								clientHostname = sql.NullString{String: peer.Node.Hostname, Valid: true}
+							}
+							if peer.Node.ShortDescription != "" {
+								shortDescription = sql.NullString{String: peer.Node.ShortDescription, Valid: true}
+							}
+							if peer.Node.Os != "" {
+								clientOS = sql.NullString{String: peer.Node.Os, Valid: true}
+							}
+							break
+						}
+					}
+				}
+			}
+		}
+	}
+
 	reason := req.GetConnection().GetReason()
 	connLogger := *a.ConnectionLogger.Load()
 	err = connLogger.Upsert(ctx, database.UpsertConnectionLogParams{
@@ -98,6 +136,7 @@ func (a *ConnLogAPI) ReportConnection(ctx context.Context, req *agentproto.Repor
 		WorkspaceID:      ws.ID,
 		WorkspaceName:    ws.Name,
 		AgentName:        workspaceAgent.Name,
+		AgentID:          uuid.NullUUID{UUID: workspaceAgent.ID, Valid: true},
 		Type:             connectionType,
 		Code:             code,
 		Ip:               logIP,
@@ -109,6 +148,7 @@ func (a *ConnLogAPI) ReportConnection(ctx context.Context, req *agentproto.Repor
 			String: reason,
 			Valid:  reason != "",
 		},
+		SessionID: uuid.NullUUID{},
 		// We supply the action:
 		// - So the DB can handle duplicate connections or disconnections properly.
 		// - To make it clear whether this is a connection or disconnection
@@ -121,13 +161,101 @@ func (a *ConnLogAPI) ReportConnection(ctx context.Context, req *agentproto.Repor
 			Valid: false,
 		},
 		// N/A
-		UserAgent: sql.NullString{},
-		// N/A
-		SlugOrPort: sql.NullString{},
+		UserAgent:        sql.NullString{},
+		ClientHostname:   clientHostname,
+		ShortDescription: shortDescription,
+		Os:               clientOS,
+		SlugOrPort: sql.NullString{
+			String: req.GetConnection().GetSlugOrPort(),
+			Valid:  req.GetConnection().GetSlugOrPort() != "",
+		},
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("export connection log: %w", err)
 	}
 
+	// At disconnect time, find or create a session for this connection.
+	// This groups related connection logs into workspace sessions.
+	if action == database.ConnectionStatusDisconnected {
+		a.assignSessionForDisconnect(ctx, connectionID, ws, workspaceAgent, req)
+	}
+
+	if a.PublishWorkspaceUpdateFn != nil {
+		if err := a.PublishWorkspaceUpdateFn(ctx, &workspaceAgent, wspubsub.WorkspaceEventKindConnectionLogUpdate); err != nil {
+			a.Log.Warn(ctx, "failed to publish connection log update", slog.Error(err))
+		}
+	}
+
 	return &emptypb.Empty{}, nil
 }
+
+// assignSessionForDisconnect looks up the existing connection log for this
+// connection ID and finds or creates a session to group it with.
+func (a *ConnLogAPI) assignSessionForDisconnect(
+	ctx context.Context,
+	connectionID uuid.UUID,
+	ws database.WorkspaceIdentity,
+	workspaceAgent database.WorkspaceAgent,
+	req *agentproto.ReportConnectionRequest,
+) {
+	//nolint:gocritic // The agent context doesn't have connection_log
+	// permissions. Session creation is authorized by the workspace
+	// access already validated in ReportConnection.
+	ctx = dbauthz.AsConnectionLogger(ctx)
+
+	existingLog, err := a.Database.GetConnectionLogByConnectionID(ctx, database.GetConnectionLogByConnectionIDParams{
+		ConnectionID: uuid.NullUUID{UUID: connectionID, Valid: true},
+		WorkspaceID:  ws.ID,
+		AgentName:    workspaceAgent.Name,
+	})
+	if err != nil {
+		a.Log.Warn(ctx, "failed to look up connection log for session assignment",
+			slog.Error(err),
+			slog.F("connection_id", connectionID),
+		)
+		return
+	}
+
+	sessionIDRaw, err := a.Database.FindOrCreateSessionForDisconnect(ctx, database.FindOrCreateSessionForDisconnectParams{
+		WorkspaceID:      ws.ID.String(),
+		Ip:               existingLog.Ip,
+		ClientHostname:   existingLog.ClientHostname,
+		ShortDescription: existingLog.ShortDescription,
+		ConnectTime:      existingLog.ConnectTime,
+		DisconnectTime:   req.GetConnection().GetTimestamp().AsTime(),
+		AgentID:          uuid.NullUUID{UUID: workspaceAgent.ID, Valid: true},
+	})
+	if err != nil {
+		a.Log.Warn(ctx, "failed to find or create session for disconnect",
+			slog.Error(err),
+			slog.F("connection_id", connectionID),
+		)
+		return
+	}
+
+	// The query uses COALESCE which returns a generic type. The
+	// database/sql driver may return the UUID as a string, []byte,
+	// or [16]byte rather than uuid.UUID, so we parse it.
+	sessionID, parseErr := uuid.Parse(fmt.Sprintf("%s", sessionIDRaw))
+	if parseErr != nil {
+		a.Log.Warn(ctx, "failed to parse session ID from FindOrCreateSessionForDisconnect",
+			slog.Error(parseErr),
+			slog.F("connection_id", connectionID),
+			slog.F("session_id_raw", sessionIDRaw),
+			slog.F("session_id_type", fmt.Sprintf("%T", sessionIDRaw)),
+		)
+		return
+	}
+
+	// Link the connection log to its session so that
+	// CloseConnectionLogsAndCreateSessions skips it.
+	if err := a.Database.UpdateConnectionLogSessionID(ctx, database.UpdateConnectionLogSessionIDParams{
+		ID:        existingLog.ID,
+		SessionID: uuid.NullUUID{UUID: sessionID, Valid: true},
+	}); err != nil {
+		a.Log.Warn(ctx, "failed to update connection log session ID",
+			slog.Error(err),
+			slog.F("connection_id", connectionID),
+		)
+	}
+}

coderd/agentapi/connectionlog_test.go

@@ -19,6 +19,7 @@ import (
 	"github.com/coder/coder/v2/coderd/database/db2sdk"
 	"github.com/coder/coder/v2/coderd/database/dbmock"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
+	"github.com/coder/coder/v2/coderd/wspubsub"
 )
 
 func TestConnectionLog(t *testing.T) {
@@ -41,14 +42,15 @@ func TestConnectionLog(t *testing.T) {
 	)
 
 	tests := []struct {
-		name   string
-		id     uuid.UUID
-		action *agentproto.Connection_Action
-		typ    *agentproto.Connection_Type
-		time   time.Time
-		ip     string
-		status int32
-		reason string
+		name       string
+		id         uuid.UUID
+		action     *agentproto.Connection_Action
+		typ        *agentproto.Connection_Type
+		time       time.Time
+		ip         string
+		status     int32
+		reason     string
+		slugOrPort string
 	}{
 		{
 			name:   "SSH Connect",
@@ -84,6 +86,34 @@ func TestConnectionLog(t *testing.T) {
 			typ:    agentproto.Connection_RECONNECTING_PTY.Enum(),
 			time:   dbtime.Now(),
 		},
+		{
+			name:       "Port Forwarding Connect",
+			id:         uuid.New(),
+			action:     agentproto.Connection_CONNECT.Enum(),
+			typ:        agentproto.Connection_PORT_FORWARDING.Enum(),
+			time:       dbtime.Now(),
+			ip:         "192.168.1.1",
+			slugOrPort: "8080",
+		},
+		{
+			name:       "Port Forwarding Disconnect",
+			id:         uuid.New(),
+			action:     agentproto.Connection_DISCONNECT.Enum(),
+			typ:        agentproto.Connection_PORT_FORWARDING.Enum(),
+			time:       dbtime.Now(),
+			ip:         "192.168.1.1",
+			status:     200,
+			slugOrPort: "8080",
+		},
+		{
+			name:       "Workspace App Connect",
+			id:         uuid.New(),
+			action:     agentproto.Connection_CONNECT.Enum(),
+			typ:        agentproto.Connection_WORKSPACE_APP.Enum(),
+			time:       dbtime.Now(),
+			ip:         "10.0.0.1",
+			slugOrPort: "my-app",
+		},
 		{
 			name:   "SSH Disconnect",
 			id:     uuid.New(),
@@ -110,6 +140,10 @@ func TestConnectionLog(t *testing.T) {
 
 			mDB := dbmock.NewMockStore(gomock.NewController(t))
 			mDB.EXPECT().GetWorkspaceByAgentID(gomock.Any(), agent.ID).Return(workspace, nil)
+			// Disconnect actions trigger session assignment which calls
+			// GetConnectionLogByConnectionID and FindOrCreateSessionForDisconnect.
+			mDB.EXPECT().GetConnectionLogByConnectionID(gomock.Any(), gomock.Any()).Return(database.ConnectionLog{}, nil).AnyTimes()
+			mDB.EXPECT().FindOrCreateSessionForDisconnect(gomock.Any(), gomock.Any()).Return(database.WorkspaceSession{}, nil).AnyTimes()
 
 			api := &agentapi.ConnLogAPI{
 				ConnectionLogger: asAtomicPointer[connectionlog.ConnectionLogger](connLogger),
@@ -128,6 +162,7 @@ func TestConnectionLog(t *testing.T) {
 					Ip:         tt.ip,
 					StatusCode: tt.status,
 					Reason:     &tt.reason,
+					SlugOrPort: &tt.slugOrPort,
 				},
 			})
 
@@ -144,6 +179,7 @@ func TestConnectionLog(t *testing.T) {
 				WorkspaceID:      workspace.ID,
 				WorkspaceName:    workspace.Name,
 				AgentName:        agent.Name,
+				AgentID:          uuid.NullUUID{UUID: agent.ID, Valid: true},
 				UserID: uuid.NullUUID{
 					UUID:  uuid.Nil,
 					Valid: false,
@@ -164,11 +200,72 @@ func TestConnectionLog(t *testing.T) {
 					UUID:  tt.id,
 					Valid: tt.id != uuid.Nil,
 				},
+				SlugOrPort: sql.NullString{
+					String: tt.slugOrPort,
+					Valid:  tt.slugOrPort != "",
+				},
 			}))
 		})
 	}
 }
 
+func TestConnectionLogPublishesWorkspaceUpdate(t *testing.T) {
+	t.Parallel()
+
+	var (
+		owner     = database.User{ID: uuid.New(), Username: "cool-user"}
+		workspace = database.Workspace{
+			ID:             uuid.New(),
+			OrganizationID: uuid.New(),
+			OwnerID:        owner.ID,
+			Name:           "cool-workspace",
+		}
+		agent = database.WorkspaceAgent{ID: uuid.New()}
+	)
+
+	connLogger := connectionlog.NewFake()
+
+	mDB := dbmock.NewMockStore(gomock.NewController(t))
+	mDB.EXPECT().GetWorkspaceByAgentID(gomock.Any(), agent.ID).Return(workspace, nil)
+
+	var (
+		called   int
+		gotKind  wspubsub.WorkspaceEventKind
+		gotAgent uuid.UUID
+	)
+
+	api := &agentapi.ConnLogAPI{
+		ConnectionLogger: asAtomicPointer[connectionlog.ConnectionLogger](connLogger),
+		Database:         mDB,
+		AgentFn: func(context.Context) (database.WorkspaceAgent, error) {
+			return agent, nil
+		},
+		Workspace: &agentapi.CachedWorkspaceFields{},
+		PublishWorkspaceUpdateFn: func(ctx context.Context, agent *database.WorkspaceAgent, kind wspubsub.WorkspaceEventKind) error {
+			called++
+			gotKind = kind
+			gotAgent = agent.ID
+			return nil
+		},
+	}
+
+	id := uuid.New()
+	_, err := api.ReportConnection(context.Background(), &agentproto.ReportConnectionRequest{
+		Connection: &agentproto.Connection{
+			Id:        id[:],
+			Action:    agentproto.Connection_CONNECT,
+			Type:      agentproto.Connection_SSH,
+			Timestamp: timestamppb.New(dbtime.Now()),
+			Ip:        "127.0.0.1",
+		},
+	})
+	require.NoError(t, err)
+
+	require.Equal(t, 1, called)
+	require.Equal(t, wspubsub.WorkspaceEventKindConnectionLogUpdate, gotKind)
+	require.Equal(t, agent.ID, gotAgent)
+}
+
 func agentProtoConnectionTypeToConnectionLog(t *testing.T, typ agentproto.Connection_Type) database.ConnectionType {
 	a, err := db2sdk.ConnectionLogConnectionTypeFromAgentProtoConnectionType(typ)
 	require.NoError(t, err)

coderd/agentapi/metrics.go

@@ -16,15 +16,9 @@ import (
 // prefixed with the namespace "coderd_".
 const BuildDurationMetricName = "template_workspace_build_duration_seconds"
 
-// AgentRestartMetricName is the short name for the agent restart
-// counter. The full metric name is prefixed with the namespace
-// "coderd_".
-const AgentRestartMetricName = "agents_restarts_total"
-
 // LifecycleMetrics contains Prometheus metrics for the lifecycle API.
 type LifecycleMetrics struct {
 	BuildDuration *prometheus.HistogramVec
-	AgentRestarts *prometheus.CounterVec
 }
 
 // NewLifecycleMetrics creates and registers all lifecycle-related
@@ -59,14 +53,8 @@ func NewLifecycleMetrics(reg prometheus.Registerer) *LifecycleMetrics {
 			NativeHistogramMaxBucketNumber:  100,
 			NativeHistogramMinResetDuration: time.Hour,
 		}, []string{"template_name", "organization_name", "transition", "status", "is_prebuild"}),
-		AgentRestarts: prometheus.NewCounterVec(prometheus.CounterOpts{
-			Namespace: "coderd",
-			Name:      AgentRestartMetricName,
-			Help:      "Total number of agent restarts after unexpected exits, by template and cause.",
-		}, []string{"template_name", "template_version", "reason", "signal"}),
 	}
 	reg.MustRegister(m.BuildDuration)
-	reg.MustRegister(m.AgentRestarts)
 	return m
 }
 

coderd/agentapi/restart.go

@@ -1,109 +0,0 @@
-package agentapi
-
-import (
-	"context"
-	"database/sql"
-	"fmt"
-
-	"golang.org/x/xerrors"
-
-	"github.com/google/uuid"
-
-	"cdr.dev/slog/v3"
-	agentproto "github.com/coder/coder/v2/agent/proto"
-	"github.com/coder/coder/v2/coderd/database"
-	"github.com/coder/coder/v2/coderd/database/dbauthz"
-	"github.com/coder/coder/v2/coderd/database/dbtime"
-	"github.com/coder/coder/v2/coderd/notifications"
-	"github.com/coder/coder/v2/coderd/wspubsub"
-)
-
-// RestartAPI handles the ReportRestart RPC, which is called by the
-// agent when it has been restarted by the reaper after an OOM kill
-// or other SIGKILL event.
-type RestartAPI struct {
-	AgentFn                  func(context.Context) (database.WorkspaceAgent, error)
-	WorkspaceID              uuid.UUID
-	Database                 database.Store
-	Log                      slog.Logger
-	NotificationsEnqueuer    notifications.Enqueuer
-	PublishWorkspaceUpdateFn func(context.Context, *database.WorkspaceAgent, wspubsub.WorkspaceEventKind) error
-	Metrics                  *LifecycleMetrics
-	TemplateName             string
-	TemplateVersionName      string
-}
-
-func (a *RestartAPI) ReportRestart(ctx context.Context, req *agentproto.ReportRestartRequest) (*agentproto.ReportRestartResponse, error) {
-	workspaceAgent, err := a.AgentFn(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	now := dbtime.Now()
-	err = a.Database.UpdateWorkspaceAgentRestartCount(ctx, database.UpdateWorkspaceAgentRestartCountParams{
-		ID:              workspaceAgent.ID,
-		RestartCount:    req.RestartCount,
-		LastRestartedAt: sql.NullTime{Time: now, Valid: true},
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("update workspace agent restart count: %w", err)
-	}
-
-	a.Log.Info(ctx, "agent reported restart",
-		slog.F("agent_id", workspaceAgent.ID),
-		slog.F("restart_count", req.RestartCount),
-		slog.F("reason", req.Reason),
-		slog.F("kill_signal", req.KillSignal),
-	)
-
-	if a.Metrics != nil {
-		a.Metrics.AgentRestarts.WithLabelValues(
-			a.TemplateName,
-			a.TemplateVersionName,
-			req.Reason,
-			req.KillSignal,
-		).Add(float64(req.RestartCount))
-	}
-
-	if a.PublishWorkspaceUpdateFn != nil {
-		if err := a.PublishWorkspaceUpdateFn(ctx, &workspaceAgent, wspubsub.WorkspaceEventKindAgentLifecycleUpdate); err != nil {
-			a.Log.Error(ctx, "failed to publish workspace update after restart report", slog.Error(err))
-		}
-	}
-
-	// Notify the workspace owner that the agent has been restarted.
-	if a.NotificationsEnqueuer != nil {
-		workspace, err := a.Database.GetWorkspaceByID(ctx, a.WorkspaceID)
-		if err != nil {
-			a.Log.Error(ctx, "failed to get workspace for restart notification", slog.Error(err))
-		} else {
-			if _, err := a.NotificationsEnqueuer.EnqueueWithData(
-				// nolint:gocritic // Notifier context required to enqueue.
-				dbauthz.AsNotifier(ctx),
-				workspace.OwnerID,
-				notifications.TemplateWorkspaceAgentRestarted,
-				map[string]string{
-					"workspace":     workspace.Name,
-					"agent":         workspaceAgent.Name,
-					"restart_count": fmt.Sprintf("%d", req.RestartCount),
-					"reason":        req.Reason,
-					"kill_signal":   req.KillSignal,
-				},
-				map[string]any{
-					// Include a timestamp to prevent deduplication
-					// of repeated restart notifications within the
-					// same day.
-					"timestamp": now,
-				},
-				"agent-restart",
-				workspace.ID,
-				workspace.OwnerID,
-				workspace.OrganizationID,
-			); err != nil {
-				a.Log.Error(ctx, "failed to send restart notification", slog.Error(err))
-			}
-		}
-	}
-
-	return &agentproto.ReportRestartResponse{}, nil
-}

coderd/aitasks.go

@@ -1244,63 +1244,3 @@ func (api *API) postWorkspaceAgentTaskLogSnapshot(rw http.ResponseWriter, r *htt
 
 	rw.WriteHeader(http.StatusNoContent)
 }
-
-// @Summary Pause task
-// @ID pause-task
-// @Security CoderSessionToken
-// @Accept json
-// @Tags Tasks
-// @Param user path string true "Username, user ID, or 'me' for the authenticated user"
-// @Param task path string true "Task ID" format(uuid)
-// @Success 202 {object} codersdk.PauseTaskResponse
-// @Router /tasks/{user}/{task}/pause [post]
-func (api *API) pauseTask(rw http.ResponseWriter, r *http.Request) {
-	var (
-		ctx    = r.Context()
-		apiKey = httpmw.APIKey(r)
-		task   = httpmw.TaskParam(r)
-	)
-
-	if !task.WorkspaceID.Valid {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Task does not have a workspace.",
-		})
-		return
-	}
-
-	workspace, err := api.Database.GetWorkspaceByID(ctx, task.WorkspaceID.UUID)
-	if err != nil {
-		if httpapi.Is404Error(err) {
-			httpapi.ResourceNotFound(rw)
-			return
-		}
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error fetching task workspace.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-
-	buildReq := codersdk.CreateWorkspaceBuildRequest{
-		Transition: codersdk.WorkspaceTransitionStop,
-		Reason:     codersdk.CreateWorkspaceBuildReasonTaskManualPause,
-	}
-	build, err := api.postWorkspaceBuildsInternal(
-		ctx,
-		apiKey,
-		workspace,
-		buildReq,
-		func(action policy.Action, object rbac.Objecter) bool {
-			return api.Authorize(r, action, object)
-		},
-		audit.WorkspaceBuildBaggageFromRequest(r),
-	)
-	if err != nil {
-		httperror.WriteWorkspaceBuildError(ctx, rw, err)
-		return
-	}
-
-	httpapi.Write(ctx, rw, http.StatusAccepted, codersdk.PauseTaskResponse{
-		WorkspaceBuild: &build,
-	})
-}

coderd/aitasks_test.go

@@ -16,7 +16,6 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"golang.org/x/xerrors"
 
 	agentapisdk "github.com/coder/agentapi-sdk-go"
 	"github.com/coder/coder/v2/agent"
@@ -27,14 +26,11 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbfake"
 	"github.com/coder/coder/v2/coderd/database/dbgen"
-	"github.com/coder/coder/v2/coderd/database/dbtestutil"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
-	"github.com/coder/coder/v2/coderd/database/pubsub"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/notifications"
 	"github.com/coder/coder/v2/coderd/notifications/notificationstest"
 	"github.com/coder/coder/v2/coderd/rbac"
-	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/util/slice"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/agentsdk"
@@ -104,36 +100,6 @@ func createTaskInState(db database.Store, ownerSubject rbac.Subject, ownerOrgID,
 	}
 }
 
-type aiTaskStoreWrapper struct {
-	database.Store
-	getWorkspaceByID     func(ctx context.Context, id uuid.UUID) (database.Workspace, error)
-	insertWorkspaceBuild func(ctx context.Context, arg database.InsertWorkspaceBuildParams) error
-}
-
-func (s aiTaskStoreWrapper) GetWorkspaceByID(ctx context.Context, id uuid.UUID) (database.Workspace, error) {
-	if s.getWorkspaceByID != nil {
-		return s.getWorkspaceByID(ctx, id)
-	}
-	return s.Store.GetWorkspaceByID(ctx, id)
-}
-
-func (s aiTaskStoreWrapper) InsertWorkspaceBuild(ctx context.Context, arg database.InsertWorkspaceBuildParams) error {
-	if s.insertWorkspaceBuild != nil {
-		return s.insertWorkspaceBuild(ctx, arg)
-	}
-	return s.Store.InsertWorkspaceBuild(ctx, arg)
-}
-
-func (s aiTaskStoreWrapper) InTx(fn func(database.Store) error, opts *database.TxOptions) error {
-	return s.Store.InTx(func(tx database.Store) error {
-		return fn(aiTaskStoreWrapper{
-			Store:                tx,
-			getWorkspaceByID:     s.getWorkspaceByID,
-			insertWorkspaceBuild: s.insertWorkspaceBuild,
-		})
-	}, opts)
-}
-
 func TestTasks(t *testing.T) {
 	t.Parallel()
 
@@ -2456,328 +2422,3 @@ func TestPostWorkspaceAgentTaskSnapshot(t *testing.T) {
 		require.Equal(t, http.StatusUnauthorized, res.StatusCode)
 	})
 }
-
-func TestPauseTask(t *testing.T) {
-	t.Parallel()
-
-	setupClient := func(t *testing.T, db database.Store, ps pubsub.Pubsub, authorizer rbac.Authorizer) *codersdk.Client {
-		t.Helper()
-		client, _, _ := coderdtest.NewWithAPI(t, &coderdtest.Options{
-			Database:   db,
-			Pubsub:     ps,
-			Authorizer: authorizer,
-		})
-		return client
-	}
-
-	setupWorkspaceTask := func(t *testing.T, db database.Store, user codersdk.CreateFirstUserResponse) (database.Task, uuid.UUID) {
-		t.Helper()
-		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-			OrganizationID: user.OrganizationID,
-			OwnerID:        user.UserID,
-		}).WithTask(database.TaskTable{
-			Prompt: "pause me",
-		}, nil).Do()
-		return workspaceBuild.Task, workspaceBuild.Workspace.ID
-	}
-
-	t.Run("OK", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitLong)
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-		user := coderdtest.CreateFirstUser(t, client)
-
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:          echo.ParseComplete,
-			ProvisionApply: echo.ApplyComplete,
-			ProvisionGraph: []*proto.Response{
-				{Type: &proto.Response_Graph{Graph: &proto.GraphComplete{
-					HasAiTasks: true,
-				}}},
-			},
-		})
-		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
-		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-
-		task, err := client.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
-			TemplateVersionID: template.ActiveVersionID,
-			Input:             "pause me",
-		})
-		require.NoError(t, err)
-		require.True(t, task.WorkspaceID.Valid)
-
-		workspace, err := client.Workspace(ctx, task.WorkspaceID.UUID)
-		require.NoError(t, err)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
-
-		resp, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-		require.NoError(t, err)
-		build := *resp.WorkspaceBuild
-		require.NotNil(t, build)
-		require.Equal(t, codersdk.WorkspaceTransitionStop, build.Transition)
-		require.Equal(t, task.WorkspaceID.UUID, build.WorkspaceID)
-		require.Equal(t, workspace.LatestBuild.BuildNumber+1, build.BuildNumber)
-		require.Equal(t, string(codersdk.CreateWorkspaceBuildReasonTaskManualPause), string(build.Reason))
-	})
-
-	t.Run("Non-owner role access", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		client := setupClient(t, db, ps, nil)
-		owner := coderdtest.CreateFirstUser(t, client)
-
-		cases := []struct {
-			name           string
-			roles          []rbac.RoleIdentifier
-			expectedStatus int
-		}{
-			{
-				name:           "org_member",
-				expectedStatus: http.StatusNotFound,
-			},
-			{
-				name:           "org_admin",
-				roles:          []rbac.RoleIdentifier{rbac.ScopedRoleOrgAdmin(owner.OrganizationID)},
-				expectedStatus: http.StatusAccepted,
-			},
-			{
-				name:           "sitewide_member",
-				roles:          []rbac.RoleIdentifier{rbac.RoleMember()},
-				expectedStatus: http.StatusNotFound,
-			},
-			{
-				name:           "sitewide_admin",
-				roles:          []rbac.RoleIdentifier{rbac.RoleOwner()},
-				expectedStatus: http.StatusAccepted,
-			},
-		}
-
-		for _, tc := range cases {
-			tc := tc
-			t.Run(tc.name, func(t *testing.T) {
-				task, _ := setupWorkspaceTask(t, db, owner)
-				userClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, tc.roles...)
-
-				resp, err := userClient.PauseTask(ctx, codersdk.Me, task.ID)
-				if tc.expectedStatus == http.StatusAccepted {
-					require.NoError(t, err)
-					require.NotNil(t, resp.WorkspaceBuild)
-					require.NotEqual(t, uuid.Nil, resp.WorkspaceBuild.ID)
-					return
-				}
-
-				var apiErr *codersdk.Error
-				require.ErrorAs(t, err, &apiErr)
-				require.Equal(t, tc.expectedStatus, apiErr.StatusCode())
-			})
-		}
-	})
-
-	t.Run("Task not found", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-		_ = coderdtest.CreateFirstUser(t, client)
-
-		_, err := client.PauseTask(ctx, codersdk.Me, uuid.New())
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
-	})
-
-	t.Run("Task lookup forbidden", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		auth := &coderdtest.FakeAuthorizer{
-			ConditionalReturn: func(_ context.Context, _ rbac.Subject, action policy.Action, object rbac.Object) error {
-				if action == policy.ActionRead && object.Type == rbac.ResourceTask.Type {
-					return rbac.UnauthorizedError{}
-				}
-				return nil
-			},
-		}
-		client := setupClient(t, db, ps, auth)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, _ := setupWorkspaceTask(t, db, user)
-
-		_, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
-	})
-
-	t.Run("Workspace lookup forbidden", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		auth := &coderdtest.FakeAuthorizer{
-			ConditionalReturn: func(_ context.Context, _ rbac.Subject, action policy.Action, object rbac.Object) error {
-				if action == policy.ActionRead && object.Type == rbac.ResourceWorkspace.Type {
-					return rbac.UnauthorizedError{}
-				}
-				return nil
-			},
-		}
-		client := setupClient(t, db, ps, auth)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, _ := setupWorkspaceTask(t, db, user)
-
-		_, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
-	})
-
-	t.Run("No Workspace for Task", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		client := setupClient(t, db, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-
-		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-			OrganizationID: user.OrganizationID,
-			OwnerID:        user.UserID,
-		}).Do()
-		task := dbgen.Task(t, db, database.TaskTable{
-			OrganizationID:    user.OrganizationID,
-			OwnerID:           user.UserID,
-			TemplateVersionID: workspaceBuild.Build.TemplateVersionID,
-			Prompt:            "no workspace",
-		})
-
-		_, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
-		require.Equal(t, "Task does not have a workspace.", apiErr.Message)
-	})
-
-	t.Run("Workspace not found", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		var workspaceID uuid.UUID
-		wrapped := aiTaskStoreWrapper{
-			Store: db,
-			getWorkspaceByID: func(ctx context.Context, id uuid.UUID) (database.Workspace, error) {
-				if id == workspaceID && id != uuid.Nil {
-					return database.Workspace{}, sql.ErrNoRows
-				}
-				return db.GetWorkspaceByID(ctx, id)
-			},
-		}
-		client := setupClient(t, wrapped, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, workspaceIDValue := setupWorkspaceTask(t, db, user)
-		workspaceID = workspaceIDValue
-
-		_, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
-	})
-
-	t.Run("Workspace lookup internal error", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		var workspaceID uuid.UUID
-		wrapped := aiTaskStoreWrapper{
-			Store: db,
-			getWorkspaceByID: func(ctx context.Context, id uuid.UUID) (database.Workspace, error) {
-				if id == workspaceID && id != uuid.Nil {
-					return database.Workspace{}, xerrors.New("boom")
-				}
-				return db.GetWorkspaceByID(ctx, id)
-			},
-		}
-		client := setupClient(t, wrapped, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, workspaceIDValue := setupWorkspaceTask(t, db, user)
-		workspaceID = workspaceIDValue
-
-		_, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
-		require.Equal(t, "Internal error fetching task workspace.", apiErr.Message)
-	})
-
-	t.Run("Build Forbidden", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		auth := &coderdtest.FakeAuthorizer{
-			ConditionalReturn: func(_ context.Context, _ rbac.Subject, action policy.Action, object rbac.Object) error {
-				if action == policy.ActionWorkspaceStop && object.Type == rbac.ResourceWorkspace.Type {
-					return rbac.UnauthorizedError{}
-				}
-				return nil
-			},
-		}
-		client := setupClient(t, db, ps, auth)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, _ := setupWorkspaceTask(t, db, user)
-
-		_, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
-	})
-
-	t.Run("Job already in progress", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		client := setupClient(t, db, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-			OrganizationID: user.OrganizationID,
-			OwnerID:        user.UserID,
-		}).
-			WithTask(database.TaskTable{
-				Prompt: "pause me",
-			}, nil).
-			Starting().
-			Do()
-
-		_, err := client.PauseTask(ctx, codersdk.Me, workspaceBuild.Task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusConflict, apiErr.StatusCode())
-	})
-
-	t.Run("Build Internal Error", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		wrapped := aiTaskStoreWrapper{
-			Store: db,
-			insertWorkspaceBuild: func(ctx context.Context, arg database.InsertWorkspaceBuildParams) error {
-				return xerrors.New("insert failed")
-			},
-		}
-		client := setupClient(t, wrapped, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, _ := setupWorkspaceTask(t, db, user)
-
-		_, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
-	})
-}

coderd/coderd.go

@@ -90,6 +90,7 @@ import (
 	"github.com/coder/coder/v2/coderd/workspaceapps/appurl"
 	"github.com/coder/coder/v2/coderd/workspacestats"
 	"github.com/coder/coder/v2/coderd/wsbuilder"
+	"github.com/coder/coder/v2/coderd/wspubsub"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/drpcsdk"
 	"github.com/coder/coder/v2/codersdk/healthsdk"
@@ -98,6 +99,8 @@ import (
 	"github.com/coder/coder/v2/provisionersdk"
 	"github.com/coder/coder/v2/site"
 	"github.com/coder/coder/v2/tailnet"
+	"github.com/coder/coder/v2/tailnet/eventsink"
+	tailnetproto "github.com/coder/coder/v2/tailnet/proto"
 	"github.com/coder/quartz"
 	"github.com/coder/serpent"
 )
@@ -414,7 +417,8 @@ func New(options *Options) *API {
 		options.NetworkTelemetryBatchMaxSize = 1_000
 	}
 	if options.TailnetCoordinator == nil {
-		options.TailnetCoordinator = tailnet.NewCoordinator(options.Logger)
+		eventSink := eventsink.NewEventSink(context.Background(), options.Database, options.Logger)
+		options.TailnetCoordinator = tailnet.NewCoordinator(options.Logger, eventSink)
 	}
 	if options.Auditor == nil {
 		options.Auditor = audit.NewNop()
@@ -734,20 +738,23 @@ func New(options *Options) *API {
 	api.Auditor.Store(&options.Auditor)
 	api.ConnectionLogger.Store(&options.ConnectionLogger)
 	api.TailnetCoordinator.Store(&options.TailnetCoordinator)
+	serverTailnetID := uuid.New()
 	dialer := &InmemTailnetDialer{
 		CoordPtr:            &api.TailnetCoordinator,
 		DERPFn:              api.DERPMap,
 		Logger:              options.Logger,
-		ClientID:            uuid.New(),
+		ClientID:            serverTailnetID,
 		DatabaseHealthCheck: api.Database,
 	}
 	stn, err := NewServerTailnet(api.ctx,
 		options.Logger,
 		options.DERPServer,
+		serverTailnetID,
 		dialer,
 		options.DeploymentValues.DERP.Config.ForceWebSockets.Value(),
 		options.DeploymentValues.DERP.Config.BlockDirect.Value(),
 		api.TracerProvider,
+		"Coder Server",
 	)
 	if err != nil {
 		panic("failed to setup server tailnet: " + err.Error())
@@ -763,17 +770,19 @@ func New(options *Options) *API {
 		api.Options.NetworkTelemetryBatchMaxSize,
 		api.handleNetworkTelemetry,
 	)
+	api.PeerNetworkTelemetryStore = NewPeerNetworkTelemetryStore()
 	if options.CoordinatorResumeTokenProvider == nil {
 		panic("CoordinatorResumeTokenProvider is nil")
 	}
 	api.TailnetClientService, err = tailnet.NewClientService(tailnet.ClientServiceOptions{
-		Logger:                   api.Logger.Named("tailnetclient"),
-		CoordPtr:                 &api.TailnetCoordinator,
-		DERPMapUpdateFrequency:   api.Options.DERPMapUpdateFrequency,
-		DERPMapFn:                api.DERPMap,
-		NetworkTelemetryHandler:  api.NetworkTelemetryBatcher.Handler,
-		ResumeTokenProvider:      api.Options.CoordinatorResumeTokenProvider,
-		WorkspaceUpdatesProvider: api.UpdatesProvider,
+		Logger:                     api.Logger.Named("tailnetclient"),
+		CoordPtr:                   &api.TailnetCoordinator,
+		DERPMapUpdateFrequency:     api.Options.DERPMapUpdateFrequency,
+		DERPMapFn:                  api.DERPMap,
+		NetworkTelemetryHandler:    api.NetworkTelemetryBatcher.Handler,
+		IdentifiedTelemetryHandler: api.handleIdentifiedTelemetry,
+		ResumeTokenProvider:        api.Options.CoordinatorResumeTokenProvider,
+		WorkspaceUpdatesProvider:   api.UpdatesProvider,
 	})
 	if err != nil {
 		api.Logger.Fatal(context.Background(), "failed to initialize tailnet client service", slog.Error(err))
@@ -1078,7 +1087,6 @@ func New(options *Options) *API {
 					r.Patch("/input", api.taskUpdateInput)
 					r.Post("/send", api.taskSend)
 					r.Get("/logs", api.taskLogs)
-					r.Post("/pause", api.pauseTask)
 				})
 			})
 		})
@@ -1518,6 +1526,7 @@ func New(options *Options) *API {
 					r.Delete("/", api.deleteWorkspaceAgentPortShare)
 				})
 				r.Get("/timings", api.workspaceTimings)
+				r.Get("/sessions", api.workspaceSessions)
 				r.Route("/acl", func(r chi.Router) {
 					r.Use(
 						httpmw.RequireExperiment(api.Experiments, codersdk.ExperimentWorkspaceSharing),
@@ -1829,6 +1838,7 @@ type API struct {
 	WorkspaceClientCoordinateOverride atomic.Pointer[func(rw http.ResponseWriter) bool]
 	TailnetCoordinator                atomic.Pointer[tailnet.Coordinator]
 	NetworkTelemetryBatcher           *tailnet.NetworkTelemetryBatcher
+	PeerNetworkTelemetryStore         *PeerNetworkTelemetryStore
 	TailnetClientService              *tailnet.ClientService
 	// WebpushDispatcher is a way to send notifications to users via Web Push.
 	WebpushDispatcher webpush.Dispatcher
@@ -1963,6 +1973,36 @@ func (api *API) Close() error {
 	return nil
 }
 
+// handleIdentifiedTelemetry stores peer telemetry events and publishes a
+// workspace update so watch subscribers see fresh data.
+func (api *API) handleIdentifiedTelemetry(agentID, peerID uuid.UUID, events []*tailnetproto.TelemetryEvent) {
+	if len(events) == 0 {
+		return
+	}
+
+	for _, event := range events {
+		api.PeerNetworkTelemetryStore.Update(agentID, peerID, event)
+	}
+
+	// Telemetry callback runs outside any user request, so we use a system
+	// context to look up the workspace for the pubsub notification.
+	ctx := dbauthz.AsSystemRestricted(context.Background()) //nolint:gocritic // Telemetry callback has no user context.
+	workspace, err := api.Database.GetWorkspaceByAgentID(ctx, agentID)
+	if err != nil {
+		api.Logger.Warn(ctx, "failed to resolve workspace for telemetry update",
+			slog.F("agent_id", agentID),
+			slog.Error(err),
+		)
+		return
+	}
+
+	api.publishWorkspaceUpdate(ctx, workspace.OwnerID, wspubsub.WorkspaceEvent{
+		Kind:        wspubsub.WorkspaceEventKindConnectionLogUpdate,
+		WorkspaceID: workspace.ID,
+		AgentID:     &agentID,
+	})
+}
+
 func compressHandler(h http.Handler) http.Handler {
 	level := 5
 	if flag.Lookup("test.v") != nil {

coderd/connectionlog/connectionlog.go

@@ -82,6 +82,10 @@ func (m *FakeConnectionLogger) Contains(t testing.TB, expected database.UpsertCo
 			t.Logf("connection log %d: expected AgentName %s, got %s", idx+1, expected.AgentName, cl.AgentName)
 			continue
 		}
+		if expected.AgentID.Valid && cl.AgentID.UUID != expected.AgentID.UUID {
+			t.Logf("connection log %d: expected AgentID %s, got %s", idx+1, expected.AgentID.UUID, cl.AgentID.UUID)
+			continue
+		}
 		if expected.Type != "" && cl.Type != expected.Type {
 			t.Logf("connection log %d: expected Type %s, got %s", idx+1, expected.Type, cl.Type)
 			continue

coderd/database/connectionlogs_closeout_test.go

@@ -0,0 +1,938 @@
+package database_test
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/sqlc-dev/pqtype"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbgen"
+	"github.com/coder/coder/v2/coderd/database/dbtestutil"
+	"github.com/coder/coder/v2/coderd/database/dbtime"
+)
+
+func TestCloseOpenAgentConnectionLogsForWorkspace(t *testing.T) {
+	t.Parallel()
+
+	db, _ := dbtestutil.NewDB(t)
+	ctx := context.Background()
+
+	u := dbgen.User(t, db, database.User{})
+	o := dbgen.Organization(t, db, database.Organization{})
+	tpl := dbgen.Template(t, db, database.Template{
+		OrganizationID: o.ID,
+		CreatedBy:      u.ID,
+	})
+
+	ws1 := dbgen.Workspace(t, db, database.WorkspaceTable{
+		ID:               uuid.New(),
+		OwnerID:          u.ID,
+		OrganizationID:   o.ID,
+		AutomaticUpdates: database.AutomaticUpdatesNever,
+		TemplateID:       tpl.ID,
+	})
+	ws2 := dbgen.Workspace(t, db, database.WorkspaceTable{
+		ID:               uuid.New(),
+		OwnerID:          u.ID,
+		OrganizationID:   o.ID,
+		AutomaticUpdates: database.AutomaticUpdatesNever,
+		TemplateID:       tpl.ID,
+	})
+
+	ip := pqtype.Inet{
+		IPNet: net.IPNet{
+			IP:   net.IPv4(127, 0, 0, 1),
+			Mask: net.IPv4Mask(255, 255, 255, 255),
+		},
+		Valid: true,
+	}
+
+	// Simulate agent clock skew by using a connect time in the future.
+	connectTime := dbtime.Now().Add(time.Hour)
+
+	sshLog1, err := db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             connectTime,
+		OrganizationID:   ws1.OrganizationID,
+		WorkspaceOwnerID: ws1.OwnerID,
+		WorkspaceID:      ws1.ID,
+		WorkspaceName:    ws1.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSsh,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: uuid.New(), Valid: true},
+		ConnectionStatus: database.ConnectionStatusConnected,
+	})
+	require.NoError(t, err)
+
+	appLog, err := db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             dbtime.Now(),
+		OrganizationID:   ws1.OrganizationID,
+		WorkspaceOwnerID: ws1.OwnerID,
+		WorkspaceID:      ws1.ID,
+		WorkspaceName:    ws1.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeWorkspaceApp,
+		Ip:               ip,
+		UserAgent:        sql.NullString{String: "test", Valid: true},
+		UserID:           uuid.NullUUID{UUID: ws1.OwnerID, Valid: true},
+		SlugOrPort:       sql.NullString{String: "app", Valid: true},
+		Code:             sql.NullInt32{Int32: 200, Valid: true},
+		ConnectionStatus: database.ConnectionStatusConnected,
+	})
+	require.NoError(t, err)
+
+	sshLog2, err := db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             dbtime.Now(),
+		OrganizationID:   ws2.OrganizationID,
+		WorkspaceOwnerID: ws2.OwnerID,
+		WorkspaceID:      ws2.ID,
+		WorkspaceName:    ws2.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSsh,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: uuid.New(), Valid: true},
+		ConnectionStatus: database.ConnectionStatusConnected,
+	})
+	require.NoError(t, err)
+
+	rowsClosed, err := db.CloseOpenAgentConnectionLogsForWorkspace(ctx, database.CloseOpenAgentConnectionLogsForWorkspaceParams{
+		WorkspaceID: ws1.ID,
+		ClosedAt:    dbtime.Now(),
+		Reason:      "workspace stopped",
+		Types: []database.ConnectionType{
+			database.ConnectionTypeSsh,
+			database.ConnectionTypeVscode,
+			database.ConnectionTypeJetbrains,
+			database.ConnectionTypeReconnectingPty,
+		},
+	})
+	require.NoError(t, err)
+	require.EqualValues(t, 1, rowsClosed)
+
+	ws1Rows, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{WorkspaceID: ws1.ID})
+	require.NoError(t, err)
+	require.Len(t, ws1Rows, 2)
+
+	for _, row := range ws1Rows {
+		switch row.ConnectionLog.ID {
+		case sshLog1.ID:
+			updated := row.ConnectionLog
+			require.True(t, updated.DisconnectTime.Valid)
+			require.True(t, updated.DisconnectReason.Valid)
+			require.Equal(t, "workspace stopped", updated.DisconnectReason.String)
+			require.False(t, updated.DisconnectTime.Time.Before(updated.ConnectTime), "disconnect_time should never be before connect_time")
+		case appLog.ID:
+			notClosed := row.ConnectionLog
+			require.False(t, notClosed.DisconnectTime.Valid)
+			require.False(t, notClosed.DisconnectReason.Valid)
+		default:
+			t.Fatalf("unexpected connection log id: %s", row.ConnectionLog.ID)
+		}
+	}
+
+	ws2Rows, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{WorkspaceID: ws2.ID})
+	require.NoError(t, err)
+	require.Len(t, ws2Rows, 1)
+	require.Equal(t, sshLog2.ID, ws2Rows[0].ConnectionLog.ID)
+	require.False(t, ws2Rows[0].ConnectionLog.DisconnectTime.Valid)
+}
+
+// Regression test: CloseConnectionLogsAndCreateSessions must not fail
+// when connection_logs have NULL IPs (e.g., disconnect-only tunnel
+// events). NULL-IP logs should be closed but no session created for
+// them.
+func TestCloseConnectionLogsAndCreateSessions_NullIP(t *testing.T) {
+	t.Parallel()
+
+	db, _ := dbtestutil.NewDB(t)
+	ctx := context.Background()
+
+	u := dbgen.User(t, db, database.User{})
+	o := dbgen.Organization(t, db, database.Organization{})
+	tpl := dbgen.Template(t, db, database.Template{
+		OrganizationID: o.ID,
+		CreatedBy:      u.ID,
+	})
+	ws := dbgen.Workspace(t, db, database.WorkspaceTable{
+		OwnerID:          u.ID,
+		OrganizationID:   o.ID,
+		AutomaticUpdates: database.AutomaticUpdatesNever,
+		TemplateID:       tpl.ID,
+	})
+
+	validIP := pqtype.Inet{
+		IPNet: net.IPNet{
+			IP:   net.IPv4(10, 0, 0, 1),
+			Mask: net.IPv4Mask(255, 255, 255, 255),
+		},
+		Valid: true,
+	}
+	now := dbtime.Now()
+
+	// Connection with a valid IP.
+	sshLog, err := db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-30 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSsh,
+		Ip:               validIP,
+		ConnectionID:     uuid.NullUUID{UUID: uuid.New(), Valid: true},
+		ConnectionStatus: database.ConnectionStatusConnected,
+	})
+	require.NoError(t, err)
+
+	// Connection with a NULL IP — simulates a disconnect-only tunnel
+	// event where the source node info is unavailable.
+	nullIPLog, err := db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-25 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSystem,
+		Ip:               pqtype.Inet{Valid: false},
+		ConnectionID:     uuid.NullUUID{UUID: uuid.New(), Valid: true},
+		ConnectionStatus: database.ConnectionStatusConnected,
+	})
+	require.NoError(t, err)
+
+	// This previously failed with: "pq: null value in column ip of
+	// relation workspace_sessions violates not-null constraint".
+	closedAt := now.Add(-5 * time.Minute)
+	_, err = db.CloseConnectionLogsAndCreateSessions(ctx, database.CloseConnectionLogsAndCreateSessionsParams{
+		ClosedAt:    sql.NullTime{Time: closedAt, Valid: true},
+		Reason:      sql.NullString{String: "workspace stopped", Valid: true},
+		WorkspaceID: ws.ID,
+		Types: []database.ConnectionType{
+			database.ConnectionTypeSsh,
+			database.ConnectionTypeSystem,
+		},
+	})
+	require.NoError(t, err)
+
+	// Verify both logs were closed.
+	rows, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{
+		WorkspaceID: ws.ID,
+	})
+	require.NoError(t, err)
+	require.Len(t, rows, 2)
+
+	for _, row := range rows {
+		cl := row.ConnectionLog
+		require.True(t, cl.DisconnectTime.Valid,
+			"connection log %s (type=%s) should be closed", cl.ID, cl.Type)
+
+		switch cl.ID {
+		case sshLog.ID:
+			// Valid-IP log should have a session.
+			require.True(t, cl.SessionID.Valid,
+				"valid-IP log should be linked to a session")
+		case nullIPLog.ID:
+			// NULL-IP system connection overlaps with the SSH
+			// session, so it gets attached to that session.
+			require.True(t, cl.SessionID.Valid,
+				"NULL-IP system log overlapping with SSH session should be linked to a session")
+		default:
+			t.Fatalf("unexpected connection log id: %s", cl.ID)
+		}
+	}
+}
+
+// Regression test: CloseConnectionLogsAndCreateSessions must handle
+// connections that are already disconnected but have no session_id
+// (e.g., system/tunnel connections disconnected by dbsink). It must
+// also avoid creating duplicate sessions when assignSessionForDisconnect
+// has already created one for the same IP/time range.
+func TestCloseConnectionLogsAndCreateSessions_AlreadyDisconnectedGetsSession(t *testing.T) {
+	t.Parallel()
+
+	db, _ := dbtestutil.NewDB(t)
+	ctx := context.Background()
+
+	u := dbgen.User(t, db, database.User{})
+	o := dbgen.Organization(t, db, database.Organization{})
+	tpl := dbgen.Template(t, db, database.Template{
+		OrganizationID: o.ID,
+		CreatedBy:      u.ID,
+	})
+	ws := dbgen.Workspace(t, db, database.WorkspaceTable{
+		OwnerID:          u.ID,
+		OrganizationID:   o.ID,
+		AutomaticUpdates: database.AutomaticUpdatesNever,
+		TemplateID:       tpl.ID,
+	})
+
+	ip := pqtype.Inet{
+		IPNet: net.IPNet{
+			IP:   net.IPv4(127, 0, 0, 1),
+			Mask: net.IPv4Mask(255, 255, 255, 255),
+		},
+		Valid: true,
+	}
+	now := dbtime.Now()
+
+	// A system connection that was already disconnected (by dbsink)
+	// but has no session_id — dbsink doesn't assign sessions.
+	sysConnID := uuid.New()
+	_, err := db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-10 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSystem,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: sysConnID, Valid: true},
+		ConnectionStatus: database.ConnectionStatusConnected,
+	})
+	require.NoError(t, err)
+	_, err = db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-5 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSystem,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: sysConnID, Valid: true},
+		ConnectionStatus: database.ConnectionStatusDisconnected,
+	})
+	require.NoError(t, err)
+
+	// Run CloseConnectionLogsAndCreateSessions (workspace stop).
+	closedAt := now
+	_, err = db.CloseConnectionLogsAndCreateSessions(ctx, database.CloseConnectionLogsAndCreateSessionsParams{
+		ClosedAt:    sql.NullTime{Time: closedAt, Valid: true},
+		Reason:      sql.NullString{String: "workspace stopped", Valid: true},
+		WorkspaceID: ws.ID,
+		Types: []database.ConnectionType{
+			database.ConnectionTypeSsh,
+			database.ConnectionTypeSystem,
+		},
+	})
+	require.NoError(t, err)
+
+	// The system connection should now have a session_id.
+	rows, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{
+		WorkspaceID: ws.ID,
+	})
+	require.NoError(t, err)
+	require.Len(t, rows, 1)
+	require.True(t, rows[0].ConnectionLog.SessionID.Valid,
+		"already-disconnected system connection should be assigned to a session")
+}
+
+// Regression test: when assignSessionForDisconnect has already
+// created a session for an SSH connection,
+// CloseConnectionLogsAndCreateSessions must reuse that session
+// instead of creating a duplicate.
+func TestCloseConnectionLogsAndCreateSessions_ReusesExistingSession(t *testing.T) {
+	t.Parallel()
+
+	db, _ := dbtestutil.NewDB(t)
+	ctx := context.Background()
+
+	u := dbgen.User(t, db, database.User{})
+	o := dbgen.Organization(t, db, database.Organization{})
+	tpl := dbgen.Template(t, db, database.Template{
+		OrganizationID: o.ID,
+		CreatedBy:      u.ID,
+	})
+	ws := dbgen.Workspace(t, db, database.WorkspaceTable{
+		OwnerID:          u.ID,
+		OrganizationID:   o.ID,
+		AutomaticUpdates: database.AutomaticUpdatesNever,
+		TemplateID:       tpl.ID,
+	})
+
+	ip := pqtype.Inet{
+		IPNet: net.IPNet{
+			IP:   net.IPv4(127, 0, 0, 1),
+			Mask: net.IPv4Mask(255, 255, 255, 255),
+		},
+		Valid: true,
+	}
+	now := dbtime.Now()
+
+	// Simulate an SSH connection where assignSessionForDisconnect
+	// already created a session but the connection log's session_id
+	// was set (the normal successful path).
+	sshConnID := uuid.New()
+	_, err := db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-10 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSsh,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: sshConnID, Valid: true},
+		ConnectionStatus: database.ConnectionStatusConnected,
+	})
+	require.NoError(t, err)
+	sshLog, err := db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-5 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSsh,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: sshConnID, Valid: true},
+		ConnectionStatus: database.ConnectionStatusDisconnected,
+	})
+	require.NoError(t, err)
+
+	// Create the session that assignSessionForDisconnect would have
+	// created, and link the connection log to it.
+	existingSessionIDRaw, err := db.FindOrCreateSessionForDisconnect(ctx, database.FindOrCreateSessionForDisconnectParams{
+		WorkspaceID:    ws.ID.String(),
+		Ip:             ip,
+		ConnectTime:    sshLog.ConnectTime,
+		DisconnectTime: sshLog.DisconnectTime.Time,
+	})
+	require.NoError(t, err)
+	existingSessionID, err := uuid.Parse(fmt.Sprintf("%s", existingSessionIDRaw))
+	require.NoError(t, err)
+	err = db.UpdateConnectionLogSessionID(ctx, database.UpdateConnectionLogSessionIDParams{
+		ID:        sshLog.ID,
+		SessionID: uuid.NullUUID{UUID: existingSessionID, Valid: true},
+	})
+	require.NoError(t, err)
+
+	// Also add a system connection (no session, already disconnected).
+	sysConnID := uuid.New()
+	_, err = db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-10 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSystem,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: sysConnID, Valid: true},
+		ConnectionStatus: database.ConnectionStatusConnected,
+	})
+	require.NoError(t, err)
+	_, err = db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-5 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSystem,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: sysConnID, Valid: true},
+		ConnectionStatus: database.ConnectionStatusDisconnected,
+	})
+	require.NoError(t, err)
+
+	// Run CloseConnectionLogsAndCreateSessions.
+	closedAt := now
+	_, err = db.CloseConnectionLogsAndCreateSessions(ctx, database.CloseConnectionLogsAndCreateSessionsParams{
+		ClosedAt:    sql.NullTime{Time: closedAt, Valid: true},
+		Reason:      sql.NullString{String: "workspace stopped", Valid: true},
+		WorkspaceID: ws.ID,
+		Types: []database.ConnectionType{
+			database.ConnectionTypeSsh,
+			database.ConnectionTypeSystem,
+		},
+	})
+	require.NoError(t, err)
+
+	// Verify: the system connection should be assigned to the
+	// EXISTING session (reused), not a new one.
+	rows, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{
+		WorkspaceID: ws.ID,
+	})
+	require.NoError(t, err)
+	require.Len(t, rows, 2)
+
+	for _, row := range rows {
+		cl := row.ConnectionLog
+		require.True(t, cl.SessionID.Valid,
+			"connection log %s (type=%s) should have a session", cl.ID, cl.Type)
+		require.Equal(t, existingSessionID, cl.SessionID.UUID,
+			"connection log %s should reuse the existing session, not create a new one", cl.ID)
+	}
+}
+
+// Test: connections with different IPs but same hostname get grouped
+// into one session.
+func TestCloseConnectionLogsAndCreateSessions_GroupsByHostname(t *testing.T) {
+	t.Parallel()
+
+	db, _ := dbtestutil.NewDB(t)
+	ctx := context.Background()
+
+	u := dbgen.User(t, db, database.User{})
+	o := dbgen.Organization(t, db, database.Organization{})
+	tpl := dbgen.Template(t, db, database.Template{
+		OrganizationID: o.ID,
+		CreatedBy:      u.ID,
+	})
+	ws := dbgen.Workspace(t, db, database.WorkspaceTable{
+		OwnerID:          u.ID,
+		OrganizationID:   o.ID,
+		AutomaticUpdates: database.AutomaticUpdatesNever,
+		TemplateID:       tpl.ID,
+	})
+
+	now := dbtime.Now()
+	hostname := sql.NullString{String: "my-laptop", Valid: true}
+
+	// Create 3 SSH connections with different IPs but same hostname,
+	// overlapping in time.
+	for i := 0; i < 3; i++ {
+		ip := pqtype.Inet{
+			IPNet: net.IPNet{
+				IP:   net.IPv4(10, 0, 0, byte(i+1)),
+				Mask: net.IPv4Mask(255, 255, 255, 255),
+			},
+			Valid: true,
+		}
+		_, err := db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+			ID:               uuid.New(),
+			Time:             now.Add(time.Duration(-30+i*5) * time.Minute),
+			OrganizationID:   ws.OrganizationID,
+			WorkspaceOwnerID: ws.OwnerID,
+			WorkspaceID:      ws.ID,
+			WorkspaceName:    ws.Name,
+			AgentName:        "agent",
+			Type:             database.ConnectionTypeSsh,
+			Ip:               ip,
+			ClientHostname:   hostname,
+			ConnectionID:     uuid.NullUUID{UUID: uuid.New(), Valid: true},
+			ConnectionStatus: database.ConnectionStatusConnected,
+		})
+		require.NoError(t, err)
+	}
+
+	closedAt := now
+	_, err := db.CloseConnectionLogsAndCreateSessions(ctx, database.CloseConnectionLogsAndCreateSessionsParams{
+		ClosedAt:    sql.NullTime{Time: closedAt, Valid: true},
+		Reason:      sql.NullString{String: "workspace stopped", Valid: true},
+		WorkspaceID: ws.ID,
+		Types: []database.ConnectionType{
+			database.ConnectionTypeSsh,
+		},
+	})
+	require.NoError(t, err)
+
+	rows, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{
+		WorkspaceID: ws.ID,
+	})
+	require.NoError(t, err)
+	require.Len(t, rows, 3)
+
+	// All 3 connections should have the same session_id.
+	var sessionID uuid.UUID
+	for i, row := range rows {
+		cl := row.ConnectionLog
+		require.True(t, cl.SessionID.Valid,
+			"connection %d should have a session", i)
+		if i == 0 {
+			sessionID = cl.SessionID.UUID
+		} else {
+			require.Equal(t, sessionID, cl.SessionID.UUID,
+				"all connections with same hostname should share one session")
+		}
+	}
+}
+
+// Test: a long-running system connection gets attached to the first
+// overlapping primary session, not the second.
+func TestCloseConnectionLogsAndCreateSessions_SystemAttachesToFirstSession(t *testing.T) {
+	t.Parallel()
+
+	db, _ := dbtestutil.NewDB(t)
+	ctx := context.Background()
+
+	u := dbgen.User(t, db, database.User{})
+	o := dbgen.Organization(t, db, database.Organization{})
+	tpl := dbgen.Template(t, db, database.Template{
+		OrganizationID: o.ID,
+		CreatedBy:      u.ID,
+	})
+	ws := dbgen.Workspace(t, db, database.WorkspaceTable{
+		OwnerID:          u.ID,
+		OrganizationID:   o.ID,
+		AutomaticUpdates: database.AutomaticUpdatesNever,
+		TemplateID:       tpl.ID,
+	})
+
+	ip := pqtype.Inet{
+		IPNet: net.IPNet{
+			IP:   net.IPv4(10, 0, 0, 1),
+			Mask: net.IPv4Mask(255, 255, 255, 255),
+		},
+		Valid: true,
+	}
+	now := dbtime.Now()
+
+	// System connection spanning the full workspace lifetime.
+	sysLog, err := db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-3 * time.Hour),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSystem,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: uuid.New(), Valid: true},
+		ConnectionStatus: database.ConnectionStatusConnected,
+	})
+	require.NoError(t, err)
+
+	// SSH session 1: -3h to -2h.
+	ssh1ConnID := uuid.New()
+	_, err = db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-3 * time.Hour),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSsh,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: ssh1ConnID, Valid: true},
+		ConnectionStatus: database.ConnectionStatusConnected,
+	})
+	require.NoError(t, err)
+	ssh1Disc, err := db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-2 * time.Hour),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSsh,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: ssh1ConnID, Valid: true},
+		ConnectionStatus: database.ConnectionStatusDisconnected,
+	})
+	require.NoError(t, err)
+	_ = ssh1Disc
+
+	// SSH session 2: -30min to now (>30min gap from session 1).
+	_, err = db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-30 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSsh,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: uuid.New(), Valid: true},
+		ConnectionStatus: database.ConnectionStatusConnected,
+	})
+	require.NoError(t, err)
+
+	closedAt := now
+	_, err = db.CloseConnectionLogsAndCreateSessions(ctx, database.CloseConnectionLogsAndCreateSessionsParams{
+		ClosedAt:    sql.NullTime{Time: closedAt, Valid: true},
+		Reason:      sql.NullString{String: "workspace stopped", Valid: true},
+		WorkspaceID: ws.ID,
+		Types: []database.ConnectionType{
+			database.ConnectionTypeSsh,
+			database.ConnectionTypeSystem,
+		},
+	})
+	require.NoError(t, err)
+
+	rows, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{
+		WorkspaceID: ws.ID,
+	})
+	require.NoError(t, err)
+
+	// Find the system connection and its assigned session.
+	var sysSessionID uuid.UUID
+	// Collect all session IDs from SSH connections to verify 2
+	// distinct sessions were created.
+	sshSessionIDs := make(map[uuid.UUID]bool)
+	for _, row := range rows {
+		cl := row.ConnectionLog
+		if cl.ID == sysLog.ID {
+			require.True(t, cl.SessionID.Valid,
+				"system connection should have a session")
+			sysSessionID = cl.SessionID.UUID
+		}
+		if cl.Type == database.ConnectionTypeSsh && cl.SessionID.Valid {
+			sshSessionIDs[cl.SessionID.UUID] = true
+		}
+	}
+
+	// Two distinct SSH sessions should exist (>30min gap).
+	require.Len(t, sshSessionIDs, 2, "should have 2 distinct SSH sessions")
+
+	// System connection should be attached to the first (earliest)
+	// session.
+	require.True(t, sshSessionIDs[sysSessionID],
+		"system connection should be attached to one of the SSH sessions")
+}
+
+// Test: an orphaned system connection (no overlapping primary sessions)
+// with an IP gets its own session.
+func TestCloseConnectionLogsAndCreateSessions_OrphanSystemGetsOwnSession(t *testing.T) {
+	t.Parallel()
+
+	db, _ := dbtestutil.NewDB(t)
+	ctx := context.Background()
+
+	u := dbgen.User(t, db, database.User{})
+	o := dbgen.Organization(t, db, database.Organization{})
+	tpl := dbgen.Template(t, db, database.Template{
+		OrganizationID: o.ID,
+		CreatedBy:      u.ID,
+	})
+	ws := dbgen.Workspace(t, db, database.WorkspaceTable{
+		OwnerID:          u.ID,
+		OrganizationID:   o.ID,
+		AutomaticUpdates: database.AutomaticUpdatesNever,
+		TemplateID:       tpl.ID,
+	})
+
+	ip := pqtype.Inet{
+		IPNet: net.IPNet{
+			IP:   net.IPv4(10, 0, 0, 1),
+			Mask: net.IPv4Mask(255, 255, 255, 255),
+		},
+		Valid: true,
+	}
+	now := dbtime.Now()
+
+	// System connection with an IP but no overlapping primary
+	// connections.
+	_, err := db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-10 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSystem,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: uuid.New(), Valid: true},
+		ConnectionStatus: database.ConnectionStatusConnected,
+	})
+	require.NoError(t, err)
+
+	closedAt := now
+	_, err = db.CloseConnectionLogsAndCreateSessions(ctx, database.CloseConnectionLogsAndCreateSessionsParams{
+		ClosedAt:    sql.NullTime{Time: closedAt, Valid: true},
+		Reason:      sql.NullString{String: "workspace stopped", Valid: true},
+		WorkspaceID: ws.ID,
+		Types: []database.ConnectionType{
+			database.ConnectionTypeSystem,
+		},
+	})
+	require.NoError(t, err)
+
+	rows, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{
+		WorkspaceID: ws.ID,
+	})
+	require.NoError(t, err)
+	require.Len(t, rows, 1)
+	require.True(t, rows[0].ConnectionLog.SessionID.Valid,
+		"orphaned system connection with IP should get its own session")
+}
+
+// Test: a system connection with NULL IP and no overlapping primary
+// sessions gets no session (can't create a useful session without IP).
+func TestCloseConnectionLogsAndCreateSessions_SystemNoIPNoSession(t *testing.T) {
+	t.Parallel()
+
+	db, _ := dbtestutil.NewDB(t)
+	ctx := context.Background()
+
+	u := dbgen.User(t, db, database.User{})
+	o := dbgen.Organization(t, db, database.Organization{})
+	tpl := dbgen.Template(t, db, database.Template{
+		OrganizationID: o.ID,
+		CreatedBy:      u.ID,
+	})
+	ws := dbgen.Workspace(t, db, database.WorkspaceTable{
+		OwnerID:          u.ID,
+		OrganizationID:   o.ID,
+		AutomaticUpdates: database.AutomaticUpdatesNever,
+		TemplateID:       tpl.ID,
+	})
+
+	now := dbtime.Now()
+
+	// System connection with NULL IP and no overlapping primary.
+	_, err := db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-10 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSystem,
+		Ip:               pqtype.Inet{Valid: false},
+		ConnectionID:     uuid.NullUUID{UUID: uuid.New(), Valid: true},
+		ConnectionStatus: database.ConnectionStatusConnected,
+	})
+	require.NoError(t, err)
+
+	closedAt := now
+	_, err = db.CloseConnectionLogsAndCreateSessions(ctx, database.CloseConnectionLogsAndCreateSessionsParams{
+		ClosedAt:    sql.NullTime{Time: closedAt, Valid: true},
+		Reason:      sql.NullString{String: "workspace stopped", Valid: true},
+		WorkspaceID: ws.ID,
+		Types: []database.ConnectionType{
+			database.ConnectionTypeSystem,
+		},
+	})
+	require.NoError(t, err)
+
+	rows, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{
+		WorkspaceID: ws.ID,
+	})
+	require.NoError(t, err)
+	require.Len(t, rows, 1)
+	require.True(t, rows[0].ConnectionLog.DisconnectTime.Valid,
+		"system connection should be closed")
+	require.False(t, rows[0].ConnectionLog.SessionID.Valid,
+		"NULL-IP system connection with no primary overlap should not get a session")
+}
+
+// Test: connections from the same hostname with a >30-minute gap
+// create separate sessions.
+func TestCloseConnectionLogsAndCreateSessions_SeparateSessionsForLargeGap(t *testing.T) {
+	t.Parallel()
+
+	db, _ := dbtestutil.NewDB(t)
+	ctx := context.Background()
+
+	u := dbgen.User(t, db, database.User{})
+	o := dbgen.Organization(t, db, database.Organization{})
+	tpl := dbgen.Template(t, db, database.Template{
+		OrganizationID: o.ID,
+		CreatedBy:      u.ID,
+	})
+	ws := dbgen.Workspace(t, db, database.WorkspaceTable{
+		OwnerID:          u.ID,
+		OrganizationID:   o.ID,
+		AutomaticUpdates: database.AutomaticUpdatesNever,
+		TemplateID:       tpl.ID,
+	})
+
+	ip := pqtype.Inet{
+		IPNet: net.IPNet{
+			IP:   net.IPv4(10, 0, 0, 1),
+			Mask: net.IPv4Mask(255, 255, 255, 255),
+		},
+		Valid: true,
+	}
+	now := dbtime.Now()
+
+	// SSH connection 1: -3h to -2h.
+	conn1ID := uuid.New()
+	_, err := db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-3 * time.Hour),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSsh,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: conn1ID, Valid: true},
+		ConnectionStatus: database.ConnectionStatusConnected,
+	})
+	require.NoError(t, err)
+	_, err = db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-2 * time.Hour),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSsh,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: conn1ID, Valid: true},
+		ConnectionStatus: database.ConnectionStatusDisconnected,
+	})
+	require.NoError(t, err)
+
+	// SSH connection 2: -30min to now (>30min gap from connection 1).
+	_, err = db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             now.Add(-30 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        "agent",
+		Type:             database.ConnectionTypeSsh,
+		Ip:               ip,
+		ConnectionID:     uuid.NullUUID{UUID: uuid.New(), Valid: true},
+		ConnectionStatus: database.ConnectionStatusConnected,
+	})
+	require.NoError(t, err)
+
+	closedAt := now
+	_, err = db.CloseConnectionLogsAndCreateSessions(ctx, database.CloseConnectionLogsAndCreateSessionsParams{
+		ClosedAt:    sql.NullTime{Time: closedAt, Valid: true},
+		Reason:      sql.NullString{String: "workspace stopped", Valid: true},
+		WorkspaceID: ws.ID,
+		Types: []database.ConnectionType{
+			database.ConnectionTypeSsh,
+		},
+	})
+	require.NoError(t, err)
+
+	rows, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{
+		WorkspaceID: ws.ID,
+	})
+	require.NoError(t, err)
+
+	sessionIDs := make(map[uuid.UUID]bool)
+	for _, row := range rows {
+		cl := row.ConnectionLog
+		if cl.SessionID.Valid {
+			sessionIDs[cl.SessionID.UUID] = true
+		}
+	}
+	require.Len(t, sessionIDs, 2,
+		"connections with >30min gap should create 2 separate sessions")
+}

coderd/database/connectionlogs_ongoing_test.go

@@ -0,0 +1,239 @@
+package database_test
+
+import (
+	"context"
+	"database/sql"
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbfake"
+	"github.com/coder/coder/v2/coderd/database/dbgen"
+	"github.com/coder/coder/v2/coderd/database/dbtestutil"
+	"github.com/coder/coder/v2/coderd/database/dbtime"
+)
+
+func TestGetOngoingAgentConnectionsLast24h(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+	db, _ := dbtestutil.NewDB(t)
+
+	org := dbfake.Organization(t, db).Do()
+	user := dbgen.User(t, db, database.User{})
+	tpl := dbgen.Template(t, db, database.Template{OrganizationID: org.Org.ID, CreatedBy: user.ID})
+	ws := dbgen.Workspace(t, db, database.WorkspaceTable{
+		OrganizationID: org.Org.ID,
+		OwnerID:        user.ID,
+		TemplateID:     tpl.ID,
+		Name:           "ws",
+	})
+
+	now := dbtime.Now()
+	since := now.Add(-24 * time.Hour)
+
+	const (
+		agent1 = "agent1"
+		agent2 = "agent2"
+	)
+
+	// Insert a disconnected log that should be excluded.
+	disconnectedConnID := uuid.New()
+	disconnected := dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
+		Time:             now.Add(-30 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        agent1,
+		Type:             database.ConnectionTypeSsh,
+		ConnectionStatus: database.ConnectionStatusConnected,
+		ConnectionID:     uuid.NullUUID{UUID: disconnectedConnID, Valid: true},
+	})
+	_ = dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
+		Time:             now.Add(-20 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		AgentName:        disconnected.AgentName,
+		ConnectionStatus: database.ConnectionStatusDisconnected,
+		ConnectionID:     disconnected.ConnectionID,
+		DisconnectReason: sql.NullString{String: "closed", Valid: true},
+	})
+
+	// Insert an old log that should be excluded by the 24h window.
+	_ = dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
+		Time:             now.Add(-25 * time.Hour),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        agent1,
+		Type:             database.ConnectionTypeSsh,
+		ConnectionStatus: database.ConnectionStatusConnected,
+		ConnectionID:     uuid.NullUUID{UUID: uuid.New(), Valid: true},
+	})
+
+	// Insert a web log that should be excluded by the types filter.
+	_ = dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
+		Time:             now.Add(-10 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        agent1,
+		Type:             database.ConnectionTypeWorkspaceApp,
+		ConnectionStatus: database.ConnectionStatusConnected,
+		ConnectionID:     uuid.NullUUID{UUID: uuid.New(), Valid: true},
+	})
+
+	// Insert 55 active logs for agent1 (should be capped to 50).
+	for i := 0; i < 55; i++ {
+		_ = dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
+			Time:             now.Add(-time.Duration(i) * time.Minute),
+			OrganizationID:   ws.OrganizationID,
+			WorkspaceOwnerID: ws.OwnerID,
+			WorkspaceID:      ws.ID,
+			WorkspaceName:    ws.Name,
+			AgentName:        agent1,
+			Type:             database.ConnectionTypeVscode,
+			ConnectionStatus: database.ConnectionStatusConnected,
+			ConnectionID:     uuid.NullUUID{UUID: uuid.New(), Valid: true},
+		})
+	}
+
+	// Insert one active log for agent2.
+	agent2Log := dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
+		Time:             now.Add(-5 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        agent2,
+		Type:             database.ConnectionTypeJetbrains,
+		ConnectionStatus: database.ConnectionStatusConnected,
+		ConnectionID:     uuid.NullUUID{UUID: uuid.New(), Valid: true},
+	})
+
+	logs, err := db.GetOngoingAgentConnectionsLast24h(ctx, database.GetOngoingAgentConnectionsLast24hParams{
+		WorkspaceIds:  []uuid.UUID{ws.ID},
+		AgentNames:    []string{agent1, agent2},
+		Types:         []database.ConnectionType{database.ConnectionTypeSsh, database.ConnectionTypeVscode, database.ConnectionTypeJetbrains, database.ConnectionTypeReconnectingPty},
+		Since:         since,
+		PerAgentLimit: 50,
+	})
+	require.NoError(t, err)
+
+	byAgent := map[string][]database.GetOngoingAgentConnectionsLast24hRow{}
+	for _, l := range logs {
+		byAgent[l.AgentName] = append(byAgent[l.AgentName], l)
+	}
+
+	// Agent1 should be capped at 50 and contain only active logs within the window.
+	require.Len(t, byAgent[agent1], 50)
+	for i, l := range byAgent[agent1] {
+		require.False(t, l.DisconnectTime.Valid, "expected log to be ongoing")
+		require.True(t, l.ConnectTime.After(since) || l.ConnectTime.Equal(since), "expected log to be within window")
+		if i > 0 {
+			require.True(t, byAgent[agent1][i-1].ConnectTime.After(l.ConnectTime) || byAgent[agent1][i-1].ConnectTime.Equal(l.ConnectTime), "expected logs to be ordered by connect_time desc")
+		}
+	}
+
+	// Agent2 should include its single active log.
+	require.Equal(t, []uuid.UUID{agent2Log.ID}, []uuid.UUID{byAgent[agent2][0].ID})
+}
+
+func TestGetOngoingAgentConnectionsLast24h_PortForwarding(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+	db, _ := dbtestutil.NewDB(t)
+
+	org := dbfake.Organization(t, db).Do()
+	user := dbgen.User(t, db, database.User{})
+	tpl := dbgen.Template(t, db, database.Template{OrganizationID: org.Org.ID, CreatedBy: user.ID})
+	ws := dbgen.Workspace(t, db, database.WorkspaceTable{
+		OrganizationID: org.Org.ID,
+		OwnerID:        user.ID,
+		TemplateID:     tpl.ID,
+		Name:           "ws-pf",
+	})
+
+	now := dbtime.Now()
+	since := now.Add(-24 * time.Hour)
+
+	const agentName = "agent-pf"
+
+	// Agent-reported: NULL user_agent, included unconditionally.
+	agentReported := dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
+		Time:             now.Add(-10 * time.Minute),
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        agentName,
+		Type:             database.ConnectionTypePortForwarding,
+		ConnectionStatus: database.ConnectionStatusConnected,
+		ConnectionID:     uuid.NullUUID{UUID: uuid.New(), Valid: true},
+		SlugOrPort:       sql.NullString{String: "8080", Valid: true},
+		Ip:               database.ParseIP("fd7a:115c:a1e0:4353:89d9:4ca8:9c42:8d2d"),
+	})
+
+	// Stale proxy-reported: non-NULL user_agent, bumped but older than AppActiveSince.
+	// Use a non-localhost IP to verify the fix works even behind a reverse proxy.
+	staleConnID := uuid.New()
+	staleConnectTime := now.Add(-15 * time.Minute)
+	_ = dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
+		Time:             staleConnectTime,
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        agentName,
+		Type:             database.ConnectionTypePortForwarding,
+		ConnectionStatus: database.ConnectionStatusConnected,
+		ConnectionID:     uuid.NullUUID{UUID: staleConnID, Valid: true},
+		SlugOrPort:       sql.NullString{String: "3000", Valid: true},
+		Ip:               database.ParseIP("203.0.113.45"),
+		UserAgent:        sql.NullString{String: "Mozilla/5.0", Valid: true},
+	})
+
+	// Bump updated_at to simulate a proxy refresh.
+	staleBumpTime := now.Add(-8 * time.Minute)
+	_, err := db.UpsertConnectionLog(ctx, database.UpsertConnectionLogParams{
+		ID:               uuid.New(),
+		Time:             staleBumpTime,
+		OrganizationID:   ws.OrganizationID,
+		WorkspaceOwnerID: ws.OwnerID,
+		WorkspaceID:      ws.ID,
+		WorkspaceName:    ws.Name,
+		AgentName:        agentName,
+		Type:             database.ConnectionTypePortForwarding,
+		ConnectionStatus: database.ConnectionStatusConnected,
+		ConnectionID:     uuid.NullUUID{UUID: staleConnID, Valid: true},
+		SlugOrPort:       sql.NullString{String: "3000", Valid: true},
+	})
+	require.NoError(t, err)
+
+	appActiveSince := now.Add(-5 * time.Minute)
+
+	logs, err := db.GetOngoingAgentConnectionsLast24h(ctx, database.GetOngoingAgentConnectionsLast24hParams{
+		WorkspaceIds:   []uuid.UUID{ws.ID},
+		AgentNames:     []string{agentName},
+		Types:          []database.ConnectionType{database.ConnectionTypePortForwarding},
+		Since:          since,
+		PerAgentLimit:  50,
+		AppActiveSince: appActiveSince,
+	})
+	require.NoError(t, err)
+
+	// Only the agent-reported connection should appear.
+	require.Len(t, logs, 1)
+	require.Equal(t, agentReported.ID, logs[0].ID)
+	require.Equal(t, database.ConnectionTypePortForwarding, logs[0].Type)
+	require.True(t, logs[0].SlugOrPort.Valid)
+	require.Equal(t, "8080", logs[0].SlugOrPort.String)
+}

coderd/database/constants.go

@@ -3,3 +3,12 @@ package database
 import "github.com/google/uuid"
 
 var PrebuildsSystemUserID = uuid.MustParse("c42fdf75-3097-471c-8c33-fb52454d81c0")
+
+const (
+	TailnetPeeringEventTypeAddedTunnel                 = "added_tunnel"
+	TailnetPeeringEventTypeRemovedTunnel               = "removed_tunnel"
+	TailnetPeeringEventTypePeerUpdateNode              = "peer_update_node"
+	TailnetPeeringEventTypePeerUpdateDisconnected      = "peer_update_disconnected"
+	TailnetPeeringEventTypePeerUpdateLost              = "peer_update_lost"
+	TailnetPeeringEventTypePeerUpdateReadyForHandshake = "peer_update_ready_for_handshake"
+)

coderd/database/db2sdk/db2sdk.go

@@ -500,10 +500,6 @@ func WorkspaceAgent(derpMap *tailcfg.DERPMap, coordinator tailnet.Coordinator,
 	if dbAgent.ReadyAt.Valid {
 		workspaceAgent.ReadyAt = &dbAgent.ReadyAt.Time
 	}
-	workspaceAgent.RestartCount = dbAgent.RestartCount
-	if dbAgent.LastRestartedAt.Valid {
-		workspaceAgent.LastRestartedAt = &dbAgent.LastRestartedAt.Time
-	}
 
 	switch {
 	case workspaceAgent.Status != codersdk.WorkspaceAgentConnected && workspaceAgent.LifecycleState == codersdk.WorkspaceAgentLifecycleOff:
@@ -853,6 +849,10 @@ func ConnectionLogConnectionTypeFromAgentProtoConnectionType(typ agentproto.Conn
 		return database.ConnectionTypeVscode, nil
 	case agentproto.Connection_RECONNECTING_PTY:
 		return database.ConnectionTypeReconnectingPty, nil
+	case agentproto.Connection_WORKSPACE_APP:
+		return database.ConnectionTypeWorkspaceApp, nil
+	case agentproto.Connection_PORT_FORWARDING:
+		return database.ConnectionTypePortForwarding, nil
 	default:
 		// Also Connection_TYPE_UNSPECIFIED, no mapping.
 		return "", xerrors.Errorf("unknown agent connection type %q", typ)

coderd/database/dbauthz/dbauthz.go

@@ -461,6 +461,24 @@ var (
 		Scope: rbac.ScopeAll,
 	}.WithCachedASTValue()
 
+	subjectTailnetCoordinator = rbac.Subject{
+		Type:         rbac.SubjectTypeTailnetCoordinator,
+		FriendlyName: "Tailnet Coordinator",
+		ID:           uuid.Nil.String(),
+		Roles: rbac.Roles([]rbac.Role{
+			{
+				Identifier:  rbac.RoleIdentifier{Name: "tailnetcoordinator"},
+				DisplayName: "Tailnet Coordinator",
+				Site: rbac.Permissions(map[string][]policy.Action{
+					rbac.ResourceTailnetCoordinator.Type: {policy.WildcardSymbol},
+				}),
+				User:    []rbac.Permission{},
+				ByOrgID: map[string]rbac.OrgPermissions{},
+			},
+		}),
+		Scope: rbac.ScopeAll,
+	}.WithCachedASTValue()
+
 	subjectSystemOAuth2 = rbac.Subject{
 		Type:         rbac.SubjectTypeSystemOAuth,
 		FriendlyName: "System OAuth2",
@@ -726,6 +744,12 @@ func AsSystemRestricted(ctx context.Context) context.Context {
 	return As(ctx, subjectSystemRestricted)
 }
 
+// AsTailnetCoordinator returns a context with an actor that has permissions
+// required for tailnet coordinator operations.
+func AsTailnetCoordinator(ctx context.Context) context.Context {
+	return As(ctx, subjectTailnetCoordinator)
+}
+
 // AsSystemOAuth2 returns a context with an actor that has permissions
 // required for OAuth2 provider operations (token revocation, device codes, registration).
 func AsSystemOAuth2(ctx context.Context) context.Context {
@@ -1588,6 +1612,20 @@ func (q *querier) CleanTailnetTunnels(ctx context.Context) error {
 	return q.db.CleanTailnetTunnels(ctx)
 }
 
+func (q *querier) CloseConnectionLogsAndCreateSessions(ctx context.Context, arg database.CloseConnectionLogsAndCreateSessionsParams) (int64, error) {
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceConnectionLog); err != nil {
+		return 0, err
+	}
+	return q.db.CloseConnectionLogsAndCreateSessions(ctx, arg)
+}
+
+func (q *querier) CloseOpenAgentConnectionLogsForWorkspace(ctx context.Context, arg database.CloseOpenAgentConnectionLogsForWorkspaceParams) (int64, error) {
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceConnectionLog); err != nil {
+		return 0, err
+	}
+	return q.db.CloseOpenAgentConnectionLogsForWorkspace(ctx, arg)
+}
+
 func (q *querier) CountAIBridgeInterceptions(ctx context.Context, arg database.CountAIBridgeInterceptionsParams) (int64, error) {
 	prep, err := prepareSQLFilter(ctx, q.auth, policy.ActionRead, rbac.ResourceAibridgeInterception.Type)
 	if err != nil {
@@ -1623,6 +1661,13 @@ func (q *querier) CountConnectionLogs(ctx context.Context, arg database.CountCon
 	return q.db.CountAuthorizedConnectionLogs(ctx, arg, prep)
 }
 
+func (q *querier) CountGlobalWorkspaceSessions(ctx context.Context, arg database.CountGlobalWorkspaceSessionsParams) (int64, error) {
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceConnectionLog); err != nil {
+		return 0, err
+	}
+	return q.db.CountGlobalWorkspaceSessions(ctx, arg)
+}
+
 func (q *querier) CountInProgressPrebuilds(ctx context.Context) ([]database.CountInProgressPrebuildsRow, error) {
 	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceWorkspace.All()); err != nil {
 		return nil, err
@@ -1644,6 +1689,13 @@ func (q *querier) CountUnreadInboxNotificationsByUserID(ctx context.Context, use
 	return q.db.CountUnreadInboxNotificationsByUserID(ctx, userID)
 }
 
+func (q *querier) CountWorkspaceSessions(ctx context.Context, arg database.CountWorkspaceSessionsParams) (int64, error) {
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceConnectionLog); err != nil {
+		return 0, err
+	}
+	return q.db.CountWorkspaceSessions(ctx, arg)
+}
+
 func (q *querier) CreateUserSecret(ctx context.Context, arg database.CreateUserSecretParams) (database.UserSecret, error) {
 	obj := rbac.ResourceUserSecret.WithOwner(arg.UserID.String())
 	if err := q.authorizeContext(ctx, policy.ActionCreate, obj); err != nil {
@@ -2118,6 +2170,13 @@ func (q *querier) FindMatchingPresetID(ctx context.Context, arg database.FindMat
 	return q.db.FindMatchingPresetID(ctx, arg)
 }
 
+func (q *querier) FindOrCreateSessionForDisconnect(ctx context.Context, arg database.FindOrCreateSessionForDisconnectParams) (interface{}, error) {
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceConnectionLog); err != nil {
+		return nil, err
+	}
+	return q.db.FindOrCreateSessionForDisconnect(ctx, arg)
+}
+
 func (q *querier) GetAIBridgeInterceptionByID(ctx context.Context, id uuid.UUID) (database.AIBridgeInterception, error) {
 	return fetch(q.log, q.auth, q.db.GetAIBridgeInterceptionByID)(ctx, id)
 }
@@ -2202,6 +2261,13 @@ func (q *querier) GetAllTailnetCoordinators(ctx context.Context) ([]database.Tai
 	return q.db.GetAllTailnetCoordinators(ctx)
 }
 
+func (q *querier) GetAllTailnetPeeringEventsByPeerID(ctx context.Context, srcPeerID uuid.NullUUID) ([]database.TailnetPeeringEvent, error) {
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTailnetCoordinator); err != nil {
+		return nil, err
+	}
+	return q.db.GetAllTailnetPeeringEventsByPeerID(ctx, srcPeerID)
+}
+
 func (q *querier) GetAllTailnetPeers(ctx context.Context) ([]database.TailnetPeer, error) {
 	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTailnetCoordinator); err != nil {
 		return nil, err
@@ -2271,6 +2337,20 @@ func (q *querier) GetAuthorizationUserRoles(ctx context.Context, userID uuid.UUI
 	return q.db.GetAuthorizationUserRoles(ctx, userID)
 }
 
+func (q *querier) GetConnectionLogByConnectionID(ctx context.Context, arg database.GetConnectionLogByConnectionIDParams) (database.ConnectionLog, error) {
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceConnectionLog); err != nil {
+		return database.ConnectionLog{}, err
+	}
+	return q.db.GetConnectionLogByConnectionID(ctx, arg)
+}
+
+func (q *querier) GetConnectionLogsBySessionIDs(ctx context.Context, sessionIDs []uuid.UUID) ([]database.ConnectionLog, error) {
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceConnectionLog); err != nil {
+		return nil, err
+	}
+	return q.db.GetConnectionLogsBySessionIDs(ctx, sessionIDs)
+}
+
 func (q *querier) GetConnectionLogsOffset(ctx context.Context, arg database.GetConnectionLogsOffsetParams) ([]database.GetConnectionLogsOffsetRow, error) {
 	// Just like with the audit logs query, shortcut if the user is an owner.
 	err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceConnectionLog)
@@ -2446,6 +2526,13 @@ func (q *querier) GetGitSSHKey(ctx context.Context, userID uuid.UUID) (database.
 	return fetchWithAction(q.log, q.auth, policy.ActionReadPersonal, q.db.GetGitSSHKey)(ctx, userID)
 }
 
+func (q *querier) GetGlobalWorkspaceSessionsOffset(ctx context.Context, arg database.GetGlobalWorkspaceSessionsOffsetParams) ([]database.GetGlobalWorkspaceSessionsOffsetRow, error) {
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceConnectionLog); err != nil {
+		return nil, err
+	}
+	return q.db.GetGlobalWorkspaceSessionsOffset(ctx, arg)
+}
+
 func (q *querier) GetGroupByID(ctx context.Context, id uuid.UUID) (database.Group, error) {
 	return fetch(q.log, q.auth, q.db.GetGroupByID)(ctx, id)
 }
@@ -2712,6 +2799,15 @@ func (q *querier) GetOAuthSigningKey(ctx context.Context) (string, error) {
 	return q.db.GetOAuthSigningKey(ctx)
 }
 
+func (q *querier) GetOngoingAgentConnectionsLast24h(ctx context.Context, arg database.GetOngoingAgentConnectionsLast24hParams) ([]database.GetOngoingAgentConnectionsLast24hRow, error) {
+	// This is a system-level read; authorization comes from the
+	// caller using dbauthz.AsSystemRestricted(ctx).
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
+		return nil, err
+	}
+	return q.db.GetOngoingAgentConnectionsLast24h(ctx, arg)
+}
+
 func (q *querier) GetOrganizationByID(ctx context.Context, id uuid.UUID) (database.Organization, error) {
 	return fetch(q.log, q.auth, q.db.GetOrganizationByID)(ctx, id)
 }
@@ -3081,6 +3177,13 @@ func (q *querier) GetTailnetTunnelPeerBindings(ctx context.Context, srcID uuid.U
 	return q.db.GetTailnetTunnelPeerBindings(ctx, srcID)
 }
 
+func (q *querier) GetTailnetTunnelPeerBindingsByDstID(ctx context.Context, dstID uuid.UUID) ([]database.GetTailnetTunnelPeerBindingsByDstIDRow, error) {
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTailnetCoordinator); err != nil {
+		return nil, err
+	}
+	return q.db.GetTailnetTunnelPeerBindingsByDstID(ctx, dstID)
+}
+
 func (q *querier) GetTailnetTunnelPeerIDs(ctx context.Context, srcID uuid.UUID) ([]database.GetTailnetTunnelPeerIDsRow, error) {
 	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTailnetCoordinator); err != nil {
 		return nil, err
@@ -4086,6 +4189,13 @@ func (q *querier) GetWorkspaceResourcesCreatedAfter(ctx context.Context, created
 	return q.db.GetWorkspaceResourcesCreatedAfter(ctx, createdAt)
 }
 
+func (q *querier) GetWorkspaceSessionsOffset(ctx context.Context, arg database.GetWorkspaceSessionsOffsetParams) ([]database.GetWorkspaceSessionsOffsetRow, error) {
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceConnectionLog); err != nil {
+		return nil, err
+	}
+	return q.db.GetWorkspaceSessionsOffset(ctx, arg)
+}
+
 func (q *querier) GetWorkspaceUniqueOwnerCountByTemplateIDs(ctx context.Context, templateIDs []uuid.UUID) ([]database.GetWorkspaceUniqueOwnerCountByTemplateIDsRow, error) {
 	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
 		return nil, err
@@ -4400,6 +4510,13 @@ func (q *querier) InsertReplica(ctx context.Context, arg database.InsertReplicaP
 	return q.db.InsertReplica(ctx, arg)
 }
 
+func (q *querier) InsertTailnetPeeringEvent(ctx context.Context, arg database.InsertTailnetPeeringEventParams) error {
+	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceTailnetCoordinator); err != nil {
+		return err
+	}
+	return q.db.InsertTailnetPeeringEvent(ctx, arg)
+}
+
 func (q *querier) InsertTask(ctx context.Context, arg database.InsertTaskParams) (database.TaskTable, error) {
 	// Ensure the actor can access the specified template version (and thus its template).
 	if _, err := q.GetTemplateVersionByID(ctx, arg.TemplateVersionID); err != nil {
@@ -4948,6 +5065,13 @@ func (q *querier) UpdateAPIKeyByID(ctx context.Context, arg database.UpdateAPIKe
 	return update(q.log, q.auth, fetch, q.db.UpdateAPIKeyByID)(ctx, arg)
 }
 
+func (q *querier) UpdateConnectionLogSessionID(ctx context.Context, arg database.UpdateConnectionLogSessionIDParams) error {
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceConnectionLog); err != nil {
+		return err
+	}
+	return q.db.UpdateConnectionLogSessionID(ctx, arg)
+}
+
 func (q *querier) UpdateCryptoKeyDeletesAt(ctx context.Context, arg database.UpdateCryptoKeyDeletesAtParams) (database.CryptoKey, error) {
 	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceCryptoKey); err != nil {
 		return database.CryptoKey{}, err
@@ -5794,24 +5918,6 @@ func (q *querier) UpdateWorkspaceAgentMetadata(ctx context.Context, arg database
 	return q.db.UpdateWorkspaceAgentMetadata(ctx, arg)
 }
 
-func (q *querier) UpdateWorkspaceAgentRestartCount(ctx context.Context, arg database.UpdateWorkspaceAgentRestartCountParams) error {
-	agent, err := q.db.GetWorkspaceAgentByID(ctx, arg.ID)
-	if err != nil {
-		return err
-	}
-
-	workspace, err := q.db.GetWorkspaceByAgentID(ctx, agent.ID)
-	if err != nil {
-		return err
-	}
-
-	if err := q.authorizeContext(ctx, policy.ActionUpdate, workspace); err != nil {
-		return err
-	}
-
-	return q.db.UpdateWorkspaceAgentRestartCount(ctx, arg)
-}
-
 func (q *querier) UpdateWorkspaceAgentStartupByID(ctx context.Context, arg database.UpdateWorkspaceAgentStartupByIDParams) error {
 	agent, err := q.db.GetWorkspaceAgentByID(ctx, arg.ID)
 	if err != nil {
@@ -6220,9 +6326,9 @@ func (q *querier) UpsertWorkspaceApp(ctx context.Context, arg database.UpsertWor
 	return q.db.UpsertWorkspaceApp(ctx, arg)
 }
 
-func (q *querier) UpsertWorkspaceAppAuditSession(ctx context.Context, arg database.UpsertWorkspaceAppAuditSessionParams) (bool, error) {
+func (q *querier) UpsertWorkspaceAppAuditSession(ctx context.Context, arg database.UpsertWorkspaceAppAuditSessionParams) (database.UpsertWorkspaceAppAuditSessionRow, error) {
 	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
-		return false, err
+		return database.UpsertWorkspaceAppAuditSessionRow{}, err
 	}
 	return q.db.UpsertWorkspaceAppAuditSession(ctx, arg)
 }

coderd/database/dbauthz/dbauthz_test.go

@@ -362,6 +362,11 @@ func (s *MethodTestSuite) TestConnectionLogs() {
 		dbm.EXPECT().DeleteOldConnectionLogs(gomock.Any(), database.DeleteOldConnectionLogsParams{}).Return(int64(0), nil).AnyTimes()
 		check.Args(database.DeleteOldConnectionLogsParams{}).Asserts(rbac.ResourceSystem, policy.ActionDelete)
 	}))
+	s.Run("CloseOpenAgentConnectionLogsForWorkspace", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
+		arg := database.CloseOpenAgentConnectionLogsForWorkspaceParams{}
+		dbm.EXPECT().CloseOpenAgentConnectionLogsForWorkspace(gomock.Any(), arg).Return(int64(0), nil).AnyTimes()
+		check.Args(arg).Asserts(rbac.ResourceConnectionLog, policy.ActionUpdate)
+	}))
 }
 
 func (s *MethodTestSuite) TestFile() {
@@ -2841,6 +2846,10 @@ func (s *MethodTestSuite) TestTailnetFunctions() {
 		check.Args(uuid.New()).
 			Asserts(rbac.ResourceTailnetCoordinator, policy.ActionRead)
 	}))
+	s.Run("GetTailnetTunnelPeerBindingsByDstID", s.Subtest(func(_ database.Store, check *expects) {
+		check.Args(uuid.New()).
+			Asserts(rbac.ResourceTailnetCoordinator, policy.ActionRead)
+	}))
 	s.Run("GetTailnetTunnelPeerIDs", s.Subtest(func(_ database.Store, check *expects) {
 		check.Args(uuid.New()).
 			Asserts(rbac.ResourceTailnetCoordinator, policy.ActionRead)
@@ -3309,7 +3318,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 		agent := testutil.Fake(s.T(), faker, database.WorkspaceAgent{})
 		app := testutil.Fake(s.T(), faker, database.WorkspaceApp{})
 		arg := database.UpsertWorkspaceAppAuditSessionParams{AgentID: agent.ID, AppID: app.ID, UserID: u.ID, Ip: "127.0.0.1"}
-		dbm.EXPECT().UpsertWorkspaceAppAuditSession(gomock.Any(), arg).Return(true, nil).AnyTimes()
+		dbm.EXPECT().UpsertWorkspaceAppAuditSession(gomock.Any(), arg).Return(database.UpsertWorkspaceAppAuditSessionRow{NewOrStale: true}, nil).AnyTimes()
 		check.Args(arg).Asserts(rbac.ResourceSystem, policy.ActionUpdate)
 	}))
 	s.Run("InsertWorkspaceAgentScriptTimings", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {

coderd/database/dbauthz/setup_test.go

@@ -35,12 +35,25 @@ import (
 var errMatchAny = xerrors.New("match any error")
 
 var skipMethods = map[string]string{
-	"InTx":           "Not relevant",
-	"Ping":           "Not relevant",
-	"PGLocks":        "Not relevant",
-	"Wrappers":       "Not relevant",
-	"AcquireLock":    "Not relevant",
-	"TryAcquireLock": "Not relevant",
+
+	"InTx":                                 "Not relevant",
+	"Ping":                                 "Not relevant",
+	"PGLocks":                              "Not relevant",
+	"Wrappers":                             "Not relevant",
+	"AcquireLock":                          "Not relevant",
+	"TryAcquireLock":                       "Not relevant",
+	"GetOngoingAgentConnectionsLast24h":    "Hackathon",
+	"InsertTailnetPeeringEvent":            "Hackathon",
+	"CloseConnectionLogsAndCreateSessions": "Hackathon",
+	"CountGlobalWorkspaceSessions":         "Hackathon",
+	"CountWorkspaceSessions":               "Hackathon",
+	"FindOrCreateSessionForDisconnect":     "Hackathon",
+	"GetConnectionLogByConnectionID":       "Hackathon",
+	"GetConnectionLogsBySessionIDs":        "Hackathon",
+	"GetGlobalWorkspaceSessionsOffset":     "Hackathon",
+	"GetWorkspaceSessionsOffset":           "Hackathon",
+	"UpdateConnectionLogSessionID":         "Hackathon",
+	"GetAllTailnetPeeringEventsByPeerID":   "Hackathon",
 }
 
 // TestMethodTestSuite runs MethodTestSuite.

coderd/database/dbgen/dbgen.go

@@ -86,18 +86,27 @@ func ConnectionLog(t testing.TB, db database.Store, seed database.UpsertConnecti
 		WorkspaceID:      takeFirst(seed.WorkspaceID, uuid.New()),
 		WorkspaceName:    takeFirst(seed.WorkspaceName, testutil.GetRandomName(t)),
 		AgentName:        takeFirst(seed.AgentName, testutil.GetRandomName(t)),
-		Type:             takeFirst(seed.Type, database.ConnectionTypeSsh),
+		AgentID: uuid.NullUUID{
+			UUID:  takeFirst(seed.AgentID.UUID, uuid.Nil),
+			Valid: takeFirst(seed.AgentID.Valid, false),
+		},
+		Type: takeFirst(seed.Type, database.ConnectionTypeSsh),
 		Code: sql.NullInt32{
 			Int32: takeFirst(seed.Code.Int32, 0),
 			Valid: takeFirst(seed.Code.Valid, false),
 		},
-		Ip: pqtype.Inet{
-			IPNet: net.IPNet{
-				IP:   net.IPv4(127, 0, 0, 1),
-				Mask: net.IPv4Mask(255, 255, 255, 255),
-			},
-			Valid: true,
-		},
+		Ip: func() pqtype.Inet {
+			if seed.Ip.Valid {
+				return seed.Ip
+			}
+			return pqtype.Inet{
+				IPNet: net.IPNet{
+					IP:   net.IPv4(127, 0, 0, 1),
+					Mask: net.IPv4Mask(255, 255, 255, 255),
+				},
+				Valid: true,
+			}
+		}(),
 		UserAgent: sql.NullString{
 			String: takeFirst(seed.UserAgent.String, ""),
 			Valid:  takeFirst(seed.UserAgent.Valid, false),
@@ -118,6 +127,18 @@ func ConnectionLog(t testing.TB, db database.Store, seed database.UpsertConnecti
 			String: takeFirst(seed.DisconnectReason.String, ""),
 			Valid:  takeFirst(seed.DisconnectReason.Valid, false),
 		},
+		SessionID: uuid.NullUUID{
+			UUID:  takeFirst(seed.SessionID.UUID, uuid.Nil),
+			Valid: takeFirst(seed.SessionID.Valid, false),
+		},
+		ClientHostname: sql.NullString{
+			String: takeFirst(seed.ClientHostname.String, ""),
+			Valid:  takeFirst(seed.ClientHostname.Valid, false),
+		},
+		ShortDescription: sql.NullString{
+			String: takeFirst(seed.ShortDescription.String, ""),
+			Valid:  takeFirst(seed.ShortDescription.Valid, false),
+		},
 		ConnectionStatus: takeFirst(seed.ConnectionStatus, database.ConnectionStatusConnected),
 	})
 	require.NoError(t, err, "insert connection log")

coderd/database/dbmetrics/querymetrics.go

@@ -231,6 +231,22 @@ func (m queryMetricsStore) CleanTailnetTunnels(ctx context.Context) error {
 	return r0
 }
 
+func (m queryMetricsStore) CloseConnectionLogsAndCreateSessions(ctx context.Context, arg database.CloseConnectionLogsAndCreateSessionsParams) (int64, error) {
+	start := time.Now()
+	r0, r1 := m.s.CloseConnectionLogsAndCreateSessions(ctx, arg)
+	m.queryLatencies.WithLabelValues("CloseConnectionLogsAndCreateSessions").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "CloseConnectionLogsAndCreateSessions").Inc()
+	return r0, r1
+}
+
+func (m queryMetricsStore) CloseOpenAgentConnectionLogsForWorkspace(ctx context.Context, arg database.CloseOpenAgentConnectionLogsForWorkspaceParams) (int64, error) {
+	start := time.Now()
+	r0, r1 := m.s.CloseOpenAgentConnectionLogsForWorkspace(ctx, arg)
+	m.queryLatencies.WithLabelValues("CloseOpenAgentConnectionLogsForWorkspace").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "CloseOpenAgentConnectionLogsForWorkspace").Inc()
+	return r0, r1
+}
+
 func (m queryMetricsStore) CountAIBridgeInterceptions(ctx context.Context, arg database.CountAIBridgeInterceptionsParams) (int64, error) {
 	start := time.Now()
 	r0, r1 := m.s.CountAIBridgeInterceptions(ctx, arg)
@@ -255,6 +271,14 @@ func (m queryMetricsStore) CountConnectionLogs(ctx context.Context, arg database
 	return r0, r1
 }
 
+func (m queryMetricsStore) CountGlobalWorkspaceSessions(ctx context.Context, arg database.CountGlobalWorkspaceSessionsParams) (int64, error) {
+	start := time.Now()
+	r0, r1 := m.s.CountGlobalWorkspaceSessions(ctx, arg)
+	m.queryLatencies.WithLabelValues("CountGlobalWorkspaceSessions").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "CountGlobalWorkspaceSessions").Inc()
+	return r0, r1
+}
+
 func (m queryMetricsStore) CountInProgressPrebuilds(ctx context.Context) ([]database.CountInProgressPrebuildsRow, error) {
 	start := time.Now()
 	r0, r1 := m.s.CountInProgressPrebuilds(ctx)
@@ -279,6 +303,14 @@ func (m queryMetricsStore) CountUnreadInboxNotificationsByUserID(ctx context.Con
 	return r0, r1
 }
 
+func (m queryMetricsStore) CountWorkspaceSessions(ctx context.Context, arg database.CountWorkspaceSessionsParams) (int64, error) {
+	start := time.Now()
+	r0, r1 := m.s.CountWorkspaceSessions(ctx, arg)
+	m.queryLatencies.WithLabelValues("CountWorkspaceSessions").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "CountWorkspaceSessions").Inc()
+	return r0, r1
+}
+
 func (m queryMetricsStore) CreateUserSecret(ctx context.Context, arg database.CreateUserSecretParams) (database.UserSecret, error) {
 	start := time.Now()
 	r0, r1 := m.s.CreateUserSecret(ctx, arg)
@@ -718,6 +750,14 @@ func (m queryMetricsStore) FindMatchingPresetID(ctx context.Context, arg databas
 	return r0, r1
 }
 
+func (m queryMetricsStore) FindOrCreateSessionForDisconnect(ctx context.Context, arg database.FindOrCreateSessionForDisconnectParams) (interface{}, error) {
+	start := time.Now()
+	r0, r1 := m.s.FindOrCreateSessionForDisconnect(ctx, arg)
+	m.queryLatencies.WithLabelValues("FindOrCreateSessionForDisconnect").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "FindOrCreateSessionForDisconnect").Inc()
+	return r0, r1
+}
+
 func (m queryMetricsStore) GetAIBridgeInterceptionByID(ctx context.Context, id uuid.UUID) (database.AIBridgeInterception, error) {
 	start := time.Now()
 	r0, r1 := m.s.GetAIBridgeInterceptionByID(ctx, id)
@@ -830,6 +870,14 @@ func (m queryMetricsStore) GetAllTailnetCoordinators(ctx context.Context) ([]dat
 	return r0, r1
 }
 
+func (m queryMetricsStore) GetAllTailnetPeeringEventsByPeerID(ctx context.Context, srcPeerID uuid.NullUUID) ([]database.TailnetPeeringEvent, error) {
+	start := time.Now()
+	r0, r1 := m.s.GetAllTailnetPeeringEventsByPeerID(ctx, srcPeerID)
+	m.queryLatencies.WithLabelValues("GetAllTailnetPeeringEventsByPeerID").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "GetAllTailnetPeeringEventsByPeerID").Inc()
+	return r0, r1
+}
+
 func (m queryMetricsStore) GetAllTailnetPeers(ctx context.Context) ([]database.TailnetPeer, error) {
 	start := time.Now()
 	r0, r1 := m.s.GetAllTailnetPeers(ctx)
@@ -902,6 +950,22 @@ func (m queryMetricsStore) GetAuthorizationUserRoles(ctx context.Context, userID
 	return r0, r1
 }
 
+func (m queryMetricsStore) GetConnectionLogByConnectionID(ctx context.Context, arg database.GetConnectionLogByConnectionIDParams) (database.ConnectionLog, error) {
+	start := time.Now()
+	r0, r1 := m.s.GetConnectionLogByConnectionID(ctx, arg)
+	m.queryLatencies.WithLabelValues("GetConnectionLogByConnectionID").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "GetConnectionLogByConnectionID").Inc()
+	return r0, r1
+}
+
+func (m queryMetricsStore) GetConnectionLogsBySessionIDs(ctx context.Context, sessionIds []uuid.UUID) ([]database.ConnectionLog, error) {
+	start := time.Now()
+	r0, r1 := m.s.GetConnectionLogsBySessionIDs(ctx, sessionIds)
+	m.queryLatencies.WithLabelValues("GetConnectionLogsBySessionIDs").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "GetConnectionLogsBySessionIDs").Inc()
+	return r0, r1
+}
+
 func (m queryMetricsStore) GetConnectionLogsOffset(ctx context.Context, arg database.GetConnectionLogsOffsetParams) ([]database.GetConnectionLogsOffsetRow, error) {
 	start := time.Now()
 	r0, r1 := m.s.GetConnectionLogsOffset(ctx, arg)
@@ -1094,6 +1158,14 @@ func (m queryMetricsStore) GetGitSSHKey(ctx context.Context, userID uuid.UUID) (
 	return r0, r1
 }
 
+func (m queryMetricsStore) GetGlobalWorkspaceSessionsOffset(ctx context.Context, arg database.GetGlobalWorkspaceSessionsOffsetParams) ([]database.GetGlobalWorkspaceSessionsOffsetRow, error) {
+	start := time.Now()
+	r0, r1 := m.s.GetGlobalWorkspaceSessionsOffset(ctx, arg)
+	m.queryLatencies.WithLabelValues("GetGlobalWorkspaceSessionsOffset").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "GetGlobalWorkspaceSessionsOffset").Inc()
+	return r0, r1
+}
+
 func (m queryMetricsStore) GetGroupByID(ctx context.Context, id uuid.UUID) (database.Group, error) {
 	start := time.Now()
 	r0, r1 := m.s.GetGroupByID(ctx, id)
@@ -1390,6 +1462,14 @@ func (m queryMetricsStore) GetOAuthSigningKey(ctx context.Context) (string, erro
 	return r0, r1
 }
 
+func (m queryMetricsStore) GetOngoingAgentConnectionsLast24h(ctx context.Context, arg database.GetOngoingAgentConnectionsLast24hParams) ([]database.GetOngoingAgentConnectionsLast24hRow, error) {
+	start := time.Now()
+	r0, r1 := m.s.GetOngoingAgentConnectionsLast24h(ctx, arg)
+	m.queryLatencies.WithLabelValues("GetOngoingAgentConnectionsLast24h").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "GetOngoingAgentConnectionsLast24h").Inc()
+	return r0, r1
+}
+
 func (m queryMetricsStore) GetOrganizationByID(ctx context.Context, id uuid.UUID) (database.Organization, error) {
 	start := time.Now()
 	r0, r1 := m.s.GetOrganizationByID(ctx, id)
@@ -1734,6 +1814,14 @@ func (m queryMetricsStore) GetTailnetTunnelPeerBindings(ctx context.Context, src
 	return r0, r1
 }
 
+func (m queryMetricsStore) GetTailnetTunnelPeerBindingsByDstID(ctx context.Context, dstID uuid.UUID) ([]database.GetTailnetTunnelPeerBindingsByDstIDRow, error) {
+	start := time.Now()
+	r0, r1 := m.s.GetTailnetTunnelPeerBindingsByDstID(ctx, dstID)
+	m.queryLatencies.WithLabelValues("GetTailnetTunnelPeerBindingsByDstID").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "GetTailnetTunnelPeerBindingsByDstID").Inc()
+	return r0, r1
+}
+
 func (m queryMetricsStore) GetTailnetTunnelPeerIDs(ctx context.Context, srcID uuid.UUID) ([]database.GetTailnetTunnelPeerIDsRow, error) {
 	start := time.Now()
 	r0, r1 := m.s.GetTailnetTunnelPeerIDs(ctx, srcID)
@@ -2590,6 +2678,14 @@ func (m queryMetricsStore) GetWorkspaceResourcesCreatedAfter(ctx context.Context
 	return r0, r1
 }
 
+func (m queryMetricsStore) GetWorkspaceSessionsOffset(ctx context.Context, arg database.GetWorkspaceSessionsOffsetParams) ([]database.GetWorkspaceSessionsOffsetRow, error) {
+	start := time.Now()
+	r0, r1 := m.s.GetWorkspaceSessionsOffset(ctx, arg)
+	m.queryLatencies.WithLabelValues("GetWorkspaceSessionsOffset").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "GetWorkspaceSessionsOffset").Inc()
+	return r0, r1
+}
+
 func (m queryMetricsStore) GetWorkspaceUniqueOwnerCountByTemplateIDs(ctx context.Context, templateIds []uuid.UUID) ([]database.GetWorkspaceUniqueOwnerCountByTemplateIDsRow, error) {
 	start := time.Now()
 	r0, r1 := m.s.GetWorkspaceUniqueOwnerCountByTemplateIDs(ctx, templateIds)
@@ -2918,6 +3014,14 @@ func (m queryMetricsStore) InsertReplica(ctx context.Context, arg database.Inser
 	return r0, r1
 }
 
+func (m queryMetricsStore) InsertTailnetPeeringEvent(ctx context.Context, arg database.InsertTailnetPeeringEventParams) error {
+	start := time.Now()
+	r0 := m.s.InsertTailnetPeeringEvent(ctx, arg)
+	m.queryLatencies.WithLabelValues("InsertTailnetPeeringEvent").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "InsertTailnetPeeringEvent").Inc()
+	return r0
+}
+
 func (m queryMetricsStore) InsertTask(ctx context.Context, arg database.InsertTaskParams) (database.TaskTable, error) {
 	start := time.Now()
 	r0, r1 := m.s.InsertTask(ctx, arg)
@@ -3390,6 +3494,14 @@ func (m queryMetricsStore) UpdateAPIKeyByID(ctx context.Context, arg database.Up
 	return r0
 }
 
+func (m queryMetricsStore) UpdateConnectionLogSessionID(ctx context.Context, arg database.UpdateConnectionLogSessionIDParams) error {
+	start := time.Now()
+	r0 := m.s.UpdateConnectionLogSessionID(ctx, arg)
+	m.queryLatencies.WithLabelValues("UpdateConnectionLogSessionID").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "UpdateConnectionLogSessionID").Inc()
+	return r0
+}
+
 func (m queryMetricsStore) UpdateCryptoKeyDeletesAt(ctx context.Context, arg database.UpdateCryptoKeyDeletesAtParams) (database.CryptoKey, error) {
 	start := time.Now()
 	r0, r1 := m.s.UpdateCryptoKeyDeletesAt(ctx, arg)
@@ -3933,14 +4045,6 @@ func (m queryMetricsStore) UpdateWorkspaceAgentMetadata(ctx context.Context, arg
 	return r0
 }
 
-func (m queryMetricsStore) UpdateWorkspaceAgentRestartCount(ctx context.Context, arg database.UpdateWorkspaceAgentRestartCountParams) error {
-	start := time.Now()
-	r0 := m.s.UpdateWorkspaceAgentRestartCount(ctx, arg)
-	m.queryLatencies.WithLabelValues("UpdateWorkspaceAgentRestartCount").Observe(time.Since(start).Seconds())
-	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "UpdateWorkspaceAgentRestartCount").Inc()
-	return r0
-}
-
 func (m queryMetricsStore) UpdateWorkspaceAgentStartupByID(ctx context.Context, arg database.UpdateWorkspaceAgentStartupByIDParams) error {
 	start := time.Now()
 	r0 := m.s.UpdateWorkspaceAgentStartupByID(ctx, arg)
@@ -4293,7 +4397,7 @@ func (m queryMetricsStore) UpsertWorkspaceApp(ctx context.Context, arg database.
 	return r0, r1
 }
 
-func (m queryMetricsStore) UpsertWorkspaceAppAuditSession(ctx context.Context, arg database.UpsertWorkspaceAppAuditSessionParams) (bool, error) {
+func (m queryMetricsStore) UpsertWorkspaceAppAuditSession(ctx context.Context, arg database.UpsertWorkspaceAppAuditSessionParams) (database.UpsertWorkspaceAppAuditSessionRow, error) {
 	start := time.Now()
 	r0, r1 := m.s.UpsertWorkspaceAppAuditSession(ctx, arg)
 	m.queryLatencies.WithLabelValues("UpsertWorkspaceAppAuditSession").Observe(time.Since(start).Seconds())

coderd/database/dbmock/dbmock.go

@@ -276,6 +276,36 @@ func (mr *MockStoreMockRecorder) CleanTailnetTunnels(ctx any) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CleanTailnetTunnels", reflect.TypeOf((*MockStore)(nil).CleanTailnetTunnels), ctx)
 }
 
+// CloseConnectionLogsAndCreateSessions mocks base method.
+func (m *MockStore) CloseConnectionLogsAndCreateSessions(ctx context.Context, arg database.CloseConnectionLogsAndCreateSessionsParams) (int64, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "CloseConnectionLogsAndCreateSessions", ctx, arg)
+	ret0, _ := ret[0].(int64)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// CloseConnectionLogsAndCreateSessions indicates an expected call of CloseConnectionLogsAndCreateSessions.
+func (mr *MockStoreMockRecorder) CloseConnectionLogsAndCreateSessions(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CloseConnectionLogsAndCreateSessions", reflect.TypeOf((*MockStore)(nil).CloseConnectionLogsAndCreateSessions), ctx, arg)
+}
+
+// CloseOpenAgentConnectionLogsForWorkspace mocks base method.
+func (m *MockStore) CloseOpenAgentConnectionLogsForWorkspace(ctx context.Context, arg database.CloseOpenAgentConnectionLogsForWorkspaceParams) (int64, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "CloseOpenAgentConnectionLogsForWorkspace", ctx, arg)
+	ret0, _ := ret[0].(int64)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// CloseOpenAgentConnectionLogsForWorkspace indicates an expected call of CloseOpenAgentConnectionLogsForWorkspace.
+func (mr *MockStoreMockRecorder) CloseOpenAgentConnectionLogsForWorkspace(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CloseOpenAgentConnectionLogsForWorkspace", reflect.TypeOf((*MockStore)(nil).CloseOpenAgentConnectionLogsForWorkspace), ctx, arg)
+}
+
 // CountAIBridgeInterceptions mocks base method.
 func (m *MockStore) CountAIBridgeInterceptions(ctx context.Context, arg database.CountAIBridgeInterceptionsParams) (int64, error) {
 	m.ctrl.T.Helper()
@@ -366,6 +396,21 @@ func (mr *MockStoreMockRecorder) CountConnectionLogs(ctx, arg any) *gomock.Call
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CountConnectionLogs", reflect.TypeOf((*MockStore)(nil).CountConnectionLogs), ctx, arg)
 }
 
+// CountGlobalWorkspaceSessions mocks base method.
+func (m *MockStore) CountGlobalWorkspaceSessions(ctx context.Context, arg database.CountGlobalWorkspaceSessionsParams) (int64, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "CountGlobalWorkspaceSessions", ctx, arg)
+	ret0, _ := ret[0].(int64)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// CountGlobalWorkspaceSessions indicates an expected call of CountGlobalWorkspaceSessions.
+func (mr *MockStoreMockRecorder) CountGlobalWorkspaceSessions(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CountGlobalWorkspaceSessions", reflect.TypeOf((*MockStore)(nil).CountGlobalWorkspaceSessions), ctx, arg)
+}
+
 // CountInProgressPrebuilds mocks base method.
 func (m *MockStore) CountInProgressPrebuilds(ctx context.Context) ([]database.CountInProgressPrebuildsRow, error) {
 	m.ctrl.T.Helper()
@@ -411,6 +456,21 @@ func (mr *MockStoreMockRecorder) CountUnreadInboxNotificationsByUserID(ctx, user
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CountUnreadInboxNotificationsByUserID", reflect.TypeOf((*MockStore)(nil).CountUnreadInboxNotificationsByUserID), ctx, userID)
 }
 
+// CountWorkspaceSessions mocks base method.
+func (m *MockStore) CountWorkspaceSessions(ctx context.Context, arg database.CountWorkspaceSessionsParams) (int64, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "CountWorkspaceSessions", ctx, arg)
+	ret0, _ := ret[0].(int64)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// CountWorkspaceSessions indicates an expected call of CountWorkspaceSessions.
+func (mr *MockStoreMockRecorder) CountWorkspaceSessions(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CountWorkspaceSessions", reflect.TypeOf((*MockStore)(nil).CountWorkspaceSessions), ctx, arg)
+}
+
 // CreateUserSecret mocks base method.
 func (m *MockStore) CreateUserSecret(ctx context.Context, arg database.CreateUserSecretParams) (database.UserSecret, error) {
 	m.ctrl.T.Helper()
@@ -1199,6 +1259,21 @@ func (mr *MockStoreMockRecorder) FindMatchingPresetID(ctx, arg any) *gomock.Call
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FindMatchingPresetID", reflect.TypeOf((*MockStore)(nil).FindMatchingPresetID), ctx, arg)
 }
 
+// FindOrCreateSessionForDisconnect mocks base method.
+func (m *MockStore) FindOrCreateSessionForDisconnect(ctx context.Context, arg database.FindOrCreateSessionForDisconnectParams) (any, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "FindOrCreateSessionForDisconnect", ctx, arg)
+	ret0, _ := ret[0].(any)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// FindOrCreateSessionForDisconnect indicates an expected call of FindOrCreateSessionForDisconnect.
+func (mr *MockStoreMockRecorder) FindOrCreateSessionForDisconnect(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FindOrCreateSessionForDisconnect", reflect.TypeOf((*MockStore)(nil).FindOrCreateSessionForDisconnect), ctx, arg)
+}
+
 // GetAIBridgeInterceptionByID mocks base method.
 func (m *MockStore) GetAIBridgeInterceptionByID(ctx context.Context, id uuid.UUID) (database.AIBridgeInterception, error) {
 	m.ctrl.T.Helper()
@@ -1409,6 +1484,21 @@ func (mr *MockStoreMockRecorder) GetAllTailnetCoordinators(ctx any) *gomock.Call
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllTailnetCoordinators", reflect.TypeOf((*MockStore)(nil).GetAllTailnetCoordinators), ctx)
 }
 
+// GetAllTailnetPeeringEventsByPeerID mocks base method.
+func (m *MockStore) GetAllTailnetPeeringEventsByPeerID(ctx context.Context, srcPeerID uuid.NullUUID) ([]database.TailnetPeeringEvent, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetAllTailnetPeeringEventsByPeerID", ctx, srcPeerID)
+	ret0, _ := ret[0].([]database.TailnetPeeringEvent)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetAllTailnetPeeringEventsByPeerID indicates an expected call of GetAllTailnetPeeringEventsByPeerID.
+func (mr *MockStoreMockRecorder) GetAllTailnetPeeringEventsByPeerID(ctx, srcPeerID any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllTailnetPeeringEventsByPeerID", reflect.TypeOf((*MockStore)(nil).GetAllTailnetPeeringEventsByPeerID), ctx, srcPeerID)
+}
+
 // GetAllTailnetPeers mocks base method.
 func (m *MockStore) GetAllTailnetPeers(ctx context.Context) ([]database.TailnetPeer, error) {
 	m.ctrl.T.Helper()
@@ -1649,6 +1739,36 @@ func (mr *MockStoreMockRecorder) GetAuthorizedWorkspacesAndAgentsByOwnerID(ctx,
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAuthorizedWorkspacesAndAgentsByOwnerID", reflect.TypeOf((*MockStore)(nil).GetAuthorizedWorkspacesAndAgentsByOwnerID), ctx, ownerID, prepared)
 }
 
+// GetConnectionLogByConnectionID mocks base method.
+func (m *MockStore) GetConnectionLogByConnectionID(ctx context.Context, arg database.GetConnectionLogByConnectionIDParams) (database.ConnectionLog, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetConnectionLogByConnectionID", ctx, arg)
+	ret0, _ := ret[0].(database.ConnectionLog)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetConnectionLogByConnectionID indicates an expected call of GetConnectionLogByConnectionID.
+func (mr *MockStoreMockRecorder) GetConnectionLogByConnectionID(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetConnectionLogByConnectionID", reflect.TypeOf((*MockStore)(nil).GetConnectionLogByConnectionID), ctx, arg)
+}
+
+// GetConnectionLogsBySessionIDs mocks base method.
+func (m *MockStore) GetConnectionLogsBySessionIDs(ctx context.Context, sessionIds []uuid.UUID) ([]database.ConnectionLog, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetConnectionLogsBySessionIDs", ctx, sessionIds)
+	ret0, _ := ret[0].([]database.ConnectionLog)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetConnectionLogsBySessionIDs indicates an expected call of GetConnectionLogsBySessionIDs.
+func (mr *MockStoreMockRecorder) GetConnectionLogsBySessionIDs(ctx, sessionIds any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetConnectionLogsBySessionIDs", reflect.TypeOf((*MockStore)(nil).GetConnectionLogsBySessionIDs), ctx, sessionIds)
+}
+
 // GetConnectionLogsOffset mocks base method.
 func (m *MockStore) GetConnectionLogsOffset(ctx context.Context, arg database.GetConnectionLogsOffsetParams) ([]database.GetConnectionLogsOffsetRow, error) {
 	m.ctrl.T.Helper()
@@ -2009,6 +2129,21 @@ func (mr *MockStoreMockRecorder) GetGitSSHKey(ctx, userID any) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetGitSSHKey", reflect.TypeOf((*MockStore)(nil).GetGitSSHKey), ctx, userID)
 }
 
+// GetGlobalWorkspaceSessionsOffset mocks base method.
+func (m *MockStore) GetGlobalWorkspaceSessionsOffset(ctx context.Context, arg database.GetGlobalWorkspaceSessionsOffsetParams) ([]database.GetGlobalWorkspaceSessionsOffsetRow, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetGlobalWorkspaceSessionsOffset", ctx, arg)
+	ret0, _ := ret[0].([]database.GetGlobalWorkspaceSessionsOffsetRow)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetGlobalWorkspaceSessionsOffset indicates an expected call of GetGlobalWorkspaceSessionsOffset.
+func (mr *MockStoreMockRecorder) GetGlobalWorkspaceSessionsOffset(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetGlobalWorkspaceSessionsOffset", reflect.TypeOf((*MockStore)(nil).GetGlobalWorkspaceSessionsOffset), ctx, arg)
+}
+
 // GetGroupByID mocks base method.
 func (m *MockStore) GetGroupByID(ctx context.Context, id uuid.UUID) (database.Group, error) {
 	m.ctrl.T.Helper()
@@ -2564,6 +2699,21 @@ func (mr *MockStoreMockRecorder) GetOAuthSigningKey(ctx any) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetOAuthSigningKey", reflect.TypeOf((*MockStore)(nil).GetOAuthSigningKey), ctx)
 }
 
+// GetOngoingAgentConnectionsLast24h mocks base method.
+func (m *MockStore) GetOngoingAgentConnectionsLast24h(ctx context.Context, arg database.GetOngoingAgentConnectionsLast24hParams) ([]database.GetOngoingAgentConnectionsLast24hRow, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetOngoingAgentConnectionsLast24h", ctx, arg)
+	ret0, _ := ret[0].([]database.GetOngoingAgentConnectionsLast24hRow)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetOngoingAgentConnectionsLast24h indicates an expected call of GetOngoingAgentConnectionsLast24h.
+func (mr *MockStoreMockRecorder) GetOngoingAgentConnectionsLast24h(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetOngoingAgentConnectionsLast24h", reflect.TypeOf((*MockStore)(nil).GetOngoingAgentConnectionsLast24h), ctx, arg)
+}
+
 // GetOrganizationByID mocks base method.
 func (m *MockStore) GetOrganizationByID(ctx context.Context, id uuid.UUID) (database.Organization, error) {
 	m.ctrl.T.Helper()
@@ -3209,6 +3359,21 @@ func (mr *MockStoreMockRecorder) GetTailnetTunnelPeerBindings(ctx, srcID any) *g
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTailnetTunnelPeerBindings", reflect.TypeOf((*MockStore)(nil).GetTailnetTunnelPeerBindings), ctx, srcID)
 }
 
+// GetTailnetTunnelPeerBindingsByDstID mocks base method.
+func (m *MockStore) GetTailnetTunnelPeerBindingsByDstID(ctx context.Context, dstID uuid.UUID) ([]database.GetTailnetTunnelPeerBindingsByDstIDRow, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetTailnetTunnelPeerBindingsByDstID", ctx, dstID)
+	ret0, _ := ret[0].([]database.GetTailnetTunnelPeerBindingsByDstIDRow)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetTailnetTunnelPeerBindingsByDstID indicates an expected call of GetTailnetTunnelPeerBindingsByDstID.
+func (mr *MockStoreMockRecorder) GetTailnetTunnelPeerBindingsByDstID(ctx, dstID any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTailnetTunnelPeerBindingsByDstID", reflect.TypeOf((*MockStore)(nil).GetTailnetTunnelPeerBindingsByDstID), ctx, dstID)
+}
+
 // GetTailnetTunnelPeerIDs mocks base method.
 func (m *MockStore) GetTailnetTunnelPeerIDs(ctx context.Context, srcID uuid.UUID) ([]database.GetTailnetTunnelPeerIDsRow, error) {
 	m.ctrl.T.Helper()
@@ -4844,6 +5009,21 @@ func (mr *MockStoreMockRecorder) GetWorkspaceResourcesCreatedAfter(ctx, createdA
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetWorkspaceResourcesCreatedAfter", reflect.TypeOf((*MockStore)(nil).GetWorkspaceResourcesCreatedAfter), ctx, createdAt)
 }
 
+// GetWorkspaceSessionsOffset mocks base method.
+func (m *MockStore) GetWorkspaceSessionsOffset(ctx context.Context, arg database.GetWorkspaceSessionsOffsetParams) ([]database.GetWorkspaceSessionsOffsetRow, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetWorkspaceSessionsOffset", ctx, arg)
+	ret0, _ := ret[0].([]database.GetWorkspaceSessionsOffsetRow)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetWorkspaceSessionsOffset indicates an expected call of GetWorkspaceSessionsOffset.
+func (mr *MockStoreMockRecorder) GetWorkspaceSessionsOffset(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetWorkspaceSessionsOffset", reflect.TypeOf((*MockStore)(nil).GetWorkspaceSessionsOffset), ctx, arg)
+}
+
 // GetWorkspaceUniqueOwnerCountByTemplateIDs mocks base method.
 func (m *MockStore) GetWorkspaceUniqueOwnerCountByTemplateIDs(ctx context.Context, templateIds []uuid.UUID) ([]database.GetWorkspaceUniqueOwnerCountByTemplateIDsRow, error) {
 	m.ctrl.T.Helper()
@@ -5469,6 +5649,20 @@ func (mr *MockStoreMockRecorder) InsertReplica(ctx, arg any) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InsertReplica", reflect.TypeOf((*MockStore)(nil).InsertReplica), ctx, arg)
 }
 
+// InsertTailnetPeeringEvent mocks base method.
+func (m *MockStore) InsertTailnetPeeringEvent(ctx context.Context, arg database.InsertTailnetPeeringEventParams) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "InsertTailnetPeeringEvent", ctx, arg)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// InsertTailnetPeeringEvent indicates an expected call of InsertTailnetPeeringEvent.
+func (mr *MockStoreMockRecorder) InsertTailnetPeeringEvent(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InsertTailnetPeeringEvent", reflect.TypeOf((*MockStore)(nil).InsertTailnetPeeringEvent), ctx, arg)
+}
+
 // InsertTask mocks base method.
 func (m *MockStore) InsertTask(ctx context.Context, arg database.InsertTaskParams) (database.TaskTable, error) {
 	m.ctrl.T.Helper()
@@ -6380,6 +6574,20 @@ func (mr *MockStoreMockRecorder) UpdateAPIKeyByID(ctx, arg any) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAPIKeyByID", reflect.TypeOf((*MockStore)(nil).UpdateAPIKeyByID), ctx, arg)
 }
 
+// UpdateConnectionLogSessionID mocks base method.
+func (m *MockStore) UpdateConnectionLogSessionID(ctx context.Context, arg database.UpdateConnectionLogSessionIDParams) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateConnectionLogSessionID", ctx, arg)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// UpdateConnectionLogSessionID indicates an expected call of UpdateConnectionLogSessionID.
+func (mr *MockStoreMockRecorder) UpdateConnectionLogSessionID(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateConnectionLogSessionID", reflect.TypeOf((*MockStore)(nil).UpdateConnectionLogSessionID), ctx, arg)
+}
+
 // UpdateCryptoKeyDeletesAt mocks base method.
 func (m *MockStore) UpdateCryptoKeyDeletesAt(ctx context.Context, arg database.UpdateCryptoKeyDeletesAtParams) (database.CryptoKey, error) {
 	m.ctrl.T.Helper()
@@ -7364,20 +7572,6 @@ func (mr *MockStoreMockRecorder) UpdateWorkspaceAgentMetadata(ctx, arg any) *gom
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateWorkspaceAgentMetadata", reflect.TypeOf((*MockStore)(nil).UpdateWorkspaceAgentMetadata), ctx, arg)
 }
 
-// UpdateWorkspaceAgentRestartCount mocks base method.
-func (m *MockStore) UpdateWorkspaceAgentRestartCount(ctx context.Context, arg database.UpdateWorkspaceAgentRestartCountParams) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "UpdateWorkspaceAgentRestartCount", ctx, arg)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// UpdateWorkspaceAgentRestartCount indicates an expected call of UpdateWorkspaceAgentRestartCount.
-func (mr *MockStoreMockRecorder) UpdateWorkspaceAgentRestartCount(ctx, arg any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateWorkspaceAgentRestartCount", reflect.TypeOf((*MockStore)(nil).UpdateWorkspaceAgentRestartCount), ctx, arg)
-}
-
 // UpdateWorkspaceAgentStartupByID mocks base method.
 func (m *MockStore) UpdateWorkspaceAgentStartupByID(ctx context.Context, arg database.UpdateWorkspaceAgentStartupByIDParams) error {
 	m.ctrl.T.Helper()
@@ -8007,10 +8201,10 @@ func (mr *MockStoreMockRecorder) UpsertWorkspaceApp(ctx, arg any) *gomock.Call {
 }
 
 // UpsertWorkspaceAppAuditSession mocks base method.
-func (m *MockStore) UpsertWorkspaceAppAuditSession(ctx context.Context, arg database.UpsertWorkspaceAppAuditSessionParams) (bool, error) {
+func (m *MockStore) UpsertWorkspaceAppAuditSession(ctx context.Context, arg database.UpsertWorkspaceAppAuditSessionParams) (database.UpsertWorkspaceAppAuditSessionRow, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "UpsertWorkspaceAppAuditSession", ctx, arg)
-	ret0, _ := ret[0].(bool)
+	ret0, _ := ret[0].(database.UpsertWorkspaceAppAuditSessionRow)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }

coderd/database/dump.sql

@@ -271,7 +271,8 @@ CREATE TYPE connection_type AS ENUM (
     'jetbrains',
     'reconnecting_pty',
     'workspace_app',
-    'port_forwarding'
+    'port_forwarding',
+    'system'
 );
 
 CREATE TYPE cors_behavior AS ENUM (
@@ -1015,6 +1016,11 @@ BEGIN
 END;
 $$;
 
+CREATE TABLE agent_peering_ids (
+    agent_id uuid NOT NULL,
+    peering_id bytea NOT NULL
+);
+
 CREATE TABLE aibridge_interceptions (
     id uuid NOT NULL,
     initiator_id uuid NOT NULL,
@@ -1159,7 +1165,13 @@ CREATE TABLE connection_logs (
     slug_or_port text,
     connection_id uuid,
     disconnect_time timestamp with time zone,
-    disconnect_reason text
+    disconnect_reason text,
+    agent_id uuid,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    session_id uuid,
+    client_hostname text,
+    short_description text,
+    os text
 );
 
 COMMENT ON COLUMN connection_logs.code IS 'Either the HTTP status code of the web request, or the exit code of an SSH connection. For non-web connections, this is Null until we receive a disconnect event for the same connection_id.';
@@ -1176,6 +1188,8 @@ COMMENT ON COLUMN connection_logs.disconnect_time IS 'The time the connection wa
 
 COMMENT ON COLUMN connection_logs.disconnect_reason IS 'The reason the connection was closed. Null for web connections. For other connections, this is null until we receive a disconnect event for the same connection_id.';
 
+COMMENT ON COLUMN connection_logs.updated_at IS 'Last time this connection log was confirmed active. For agent connections, equals connect_time. For web connections, bumped while the session is active.';
+
 CREATE TABLE crypto_keys (
     feature crypto_key_feature NOT NULL,
     sequence integer NOT NULL,
@@ -1771,6 +1785,15 @@ CREATE UNLOGGED TABLE tailnet_coordinators (
 
 COMMENT ON TABLE tailnet_coordinators IS 'We keep this separate from replicas in case we need to break the coordinator out into its own service';
 
+CREATE TABLE tailnet_peering_events (
+    peering_id bytea NOT NULL,
+    event_type text NOT NULL,
+    src_peer_id uuid,
+    dst_peer_id uuid,
+    node bytea,
+    occurred_at timestamp with time zone NOT NULL
+);
+
 CREATE UNLOGGED TABLE tailnet_peers (
     id uuid NOT NULL,
     coordinator_id uuid NOT NULL,
@@ -1867,8 +1890,6 @@ CREATE TABLE workspace_agents (
     parent_id uuid,
     api_key_scope agent_key_scope_enum DEFAULT 'all'::agent_key_scope_enum NOT NULL,
     deleted boolean DEFAULT false NOT NULL,
-    restart_count integer DEFAULT 0 NOT NULL,
-    last_restarted_at timestamp with time zone,
     CONSTRAINT max_logs_length CHECK ((logs_length <= 1048576)),
     CONSTRAINT subsystems_not_none CHECK ((NOT ('none'::workspace_agent_subsystem = ANY (subsystems))))
 );
@@ -2606,7 +2627,8 @@ CREATE UNLOGGED TABLE workspace_app_audit_sessions (
     status_code integer NOT NULL,
     started_at timestamp with time zone NOT NULL,
     updated_at timestamp with time zone NOT NULL,
-    id uuid NOT NULL
+    id uuid NOT NULL,
+    connection_id uuid
 );
 
 COMMENT ON TABLE workspace_app_audit_sessions IS 'Audit sessions for workspace apps, the data in this table is ephemeral and is used to deduplicate audit log entries for workspace apps. While a session is active, the same data will not be logged again. This table does not store historical data.';
@@ -2900,6 +2922,18 @@ CREATE SEQUENCE workspace_resource_metadata_id_seq
 
 ALTER SEQUENCE workspace_resource_metadata_id_seq OWNED BY workspace_resource_metadata.id;
 
+CREATE TABLE workspace_sessions (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    workspace_id uuid NOT NULL,
+    agent_id uuid,
+    ip inet,
+    client_hostname text,
+    short_description text,
+    started_at timestamp with time zone NOT NULL,
+    ended_at timestamp with time zone NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL
+);
+
 CREATE VIEW workspaces_expanded AS
  SELECT workspaces.id,
     workspaces.created_at,
@@ -2957,6 +2991,9 @@ ALTER TABLE ONLY workspace_proxies ALTER COLUMN region_id SET DEFAULT nextval('w
 
 ALTER TABLE ONLY workspace_resource_metadata ALTER COLUMN id SET DEFAULT nextval('workspace_resource_metadata_id_seq'::regclass);
 
+ALTER TABLE ONLY agent_peering_ids
+    ADD CONSTRAINT agent_peering_ids_pkey PRIMARY KEY (agent_id, peering_id);
+
 ALTER TABLE ONLY workspace_agent_stats
     ADD CONSTRAINT agent_stats_pkey PRIMARY KEY (id);
 
@@ -3263,6 +3300,9 @@ ALTER TABLE ONLY workspace_resource_metadata
 ALTER TABLE ONLY workspace_resources
     ADD CONSTRAINT workspace_resources_pkey PRIMARY KEY (id);
 
+ALTER TABLE ONLY workspace_sessions
+    ADD CONSTRAINT workspace_sessions_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY workspaces
     ADD CONSTRAINT workspaces_pkey PRIMARY KEY (id);
 
@@ -3314,6 +3354,8 @@ COMMENT ON INDEX idx_connection_logs_connection_id_workspace_id_agent_name IS 'C
 
 CREATE INDEX idx_connection_logs_organization_id ON connection_logs USING btree (organization_id);
 
+CREATE INDEX idx_connection_logs_session ON connection_logs USING btree (session_id) WHERE (session_id IS NOT NULL);
+
 CREATE INDEX idx_connection_logs_workspace_id ON connection_logs USING btree (workspace_id);
 
 CREATE INDEX idx_connection_logs_workspace_owner_id ON connection_logs USING btree (workspace_owner_id);
@@ -3368,6 +3410,12 @@ CREATE INDEX idx_workspace_app_statuses_workspace_id_created_at ON workspace_app
 
 CREATE INDEX idx_workspace_builds_initiator_id ON workspace_builds USING btree (initiator_id);
 
+CREATE INDEX idx_workspace_sessions_hostname_lookup ON workspace_sessions USING btree (workspace_id, client_hostname, started_at) WHERE (client_hostname IS NOT NULL);
+
+CREATE INDEX idx_workspace_sessions_ip_lookup ON workspace_sessions USING btree (workspace_id, ip, started_at) WHERE ((ip IS NOT NULL) AND (client_hostname IS NULL));
+
+CREATE INDEX idx_workspace_sessions_workspace ON workspace_sessions USING btree (workspace_id, started_at DESC);
+
 CREATE UNIQUE INDEX notification_messages_dedupe_hash_idx ON notification_messages USING btree (dedupe_hash);
 
 CREATE UNIQUE INDEX organizations_single_default_org ON organizations USING btree (is_default) WHERE (is_default = true);
@@ -3555,6 +3603,9 @@ ALTER TABLE ONLY api_keys
 ALTER TABLE ONLY connection_logs
     ADD CONSTRAINT connection_logs_organization_id_fkey FOREIGN KEY (organization_id) REFERENCES organizations(id) ON DELETE CASCADE;
 
+ALTER TABLE ONLY connection_logs
+    ADD CONSTRAINT connection_logs_session_id_fkey FOREIGN KEY (session_id) REFERENCES workspace_sessions(id) ON DELETE SET NULL;
+
 ALTER TABLE ONLY connection_logs
     ADD CONSTRAINT connection_logs_workspace_id_fkey FOREIGN KEY (workspace_id) REFERENCES workspaces(id) ON DELETE CASCADE;
 
@@ -3828,6 +3879,12 @@ ALTER TABLE ONLY workspace_resource_metadata
 ALTER TABLE ONLY workspace_resources
     ADD CONSTRAINT workspace_resources_job_id_fkey FOREIGN KEY (job_id) REFERENCES provisioner_jobs(id) ON DELETE CASCADE;
 
+ALTER TABLE ONLY workspace_sessions
+    ADD CONSTRAINT workspace_sessions_agent_id_fkey FOREIGN KEY (agent_id) REFERENCES workspace_agents(id) ON DELETE SET NULL;
+
+ALTER TABLE ONLY workspace_sessions
+    ADD CONSTRAINT workspace_sessions_workspace_id_fkey FOREIGN KEY (workspace_id) REFERENCES workspaces(id) ON DELETE CASCADE;
+
 ALTER TABLE ONLY workspaces
     ADD CONSTRAINT workspaces_organization_id_fkey FOREIGN KEY (organization_id) REFERENCES organizations(id) ON DELETE RESTRICT;
 

coderd/database/foreign_key_constraint.go

@@ -9,6 +9,7 @@ const (
 	ForeignKeyAibridgeInterceptionsInitiatorID                    ForeignKeyConstraint = "aibridge_interceptions_initiator_id_fkey"                        // ALTER TABLE ONLY aibridge_interceptions ADD CONSTRAINT aibridge_interceptions_initiator_id_fkey FOREIGN KEY (initiator_id) REFERENCES users(id);
 	ForeignKeyAPIKeysUserIDUUID                                   ForeignKeyConstraint = "api_keys_user_id_uuid_fkey"                                      // ALTER TABLE ONLY api_keys ADD CONSTRAINT api_keys_user_id_uuid_fkey FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE;
 	ForeignKeyConnectionLogsOrganizationID                        ForeignKeyConstraint = "connection_logs_organization_id_fkey"                            // ALTER TABLE ONLY connection_logs ADD CONSTRAINT connection_logs_organization_id_fkey FOREIGN KEY (organization_id) REFERENCES organizations(id) ON DELETE CASCADE;
+	ForeignKeyConnectionLogsSessionID                             ForeignKeyConstraint = "connection_logs_session_id_fkey"                                 // ALTER TABLE ONLY connection_logs ADD CONSTRAINT connection_logs_session_id_fkey FOREIGN KEY (session_id) REFERENCES workspace_sessions(id) ON DELETE SET NULL;
 	ForeignKeyConnectionLogsWorkspaceID                           ForeignKeyConstraint = "connection_logs_workspace_id_fkey"                               // ALTER TABLE ONLY connection_logs ADD CONSTRAINT connection_logs_workspace_id_fkey FOREIGN KEY (workspace_id) REFERENCES workspaces(id) ON DELETE CASCADE;
 	ForeignKeyConnectionLogsWorkspaceOwnerID                      ForeignKeyConstraint = "connection_logs_workspace_owner_id_fkey"                         // ALTER TABLE ONLY connection_logs ADD CONSTRAINT connection_logs_workspace_owner_id_fkey FOREIGN KEY (workspace_owner_id) REFERENCES users(id) ON DELETE CASCADE;
 	ForeignKeyCryptoKeysSecretKeyID                               ForeignKeyConstraint = "crypto_keys_secret_key_id_fkey"                                  // ALTER TABLE ONLY crypto_keys ADD CONSTRAINT crypto_keys_secret_key_id_fkey FOREIGN KEY (secret_key_id) REFERENCES dbcrypt_keys(active_key_digest);
@@ -100,6 +101,8 @@ const (
 	ForeignKeyWorkspaceModulesJobID                               ForeignKeyConstraint = "workspace_modules_job_id_fkey"                                   // ALTER TABLE ONLY workspace_modules ADD CONSTRAINT workspace_modules_job_id_fkey FOREIGN KEY (job_id) REFERENCES provisioner_jobs(id) ON DELETE CASCADE;
 	ForeignKeyWorkspaceResourceMetadataWorkspaceResourceID        ForeignKeyConstraint = "workspace_resource_metadata_workspace_resource_id_fkey"          // ALTER TABLE ONLY workspace_resource_metadata ADD CONSTRAINT workspace_resource_metadata_workspace_resource_id_fkey FOREIGN KEY (workspace_resource_id) REFERENCES workspace_resources(id) ON DELETE CASCADE;
 	ForeignKeyWorkspaceResourcesJobID                             ForeignKeyConstraint = "workspace_resources_job_id_fkey"                                 // ALTER TABLE ONLY workspace_resources ADD CONSTRAINT workspace_resources_job_id_fkey FOREIGN KEY (job_id) REFERENCES provisioner_jobs(id) ON DELETE CASCADE;
+	ForeignKeyWorkspaceSessionsAgentID                            ForeignKeyConstraint = "workspace_sessions_agent_id_fkey"                                // ALTER TABLE ONLY workspace_sessions ADD CONSTRAINT workspace_sessions_agent_id_fkey FOREIGN KEY (agent_id) REFERENCES workspace_agents(id) ON DELETE SET NULL;
+	ForeignKeyWorkspaceSessionsWorkspaceID                        ForeignKeyConstraint = "workspace_sessions_workspace_id_fkey"                            // ALTER TABLE ONLY workspace_sessions ADD CONSTRAINT workspace_sessions_workspace_id_fkey FOREIGN KEY (workspace_id) REFERENCES workspaces(id) ON DELETE CASCADE;
 	ForeignKeyWorkspacesOrganizationID                            ForeignKeyConstraint = "workspaces_organization_id_fkey"                                 // ALTER TABLE ONLY workspaces ADD CONSTRAINT workspaces_organization_id_fkey FOREIGN KEY (organization_id) REFERENCES organizations(id) ON DELETE RESTRICT;
 	ForeignKeyWorkspacesOwnerID                                   ForeignKeyConstraint = "workspaces_owner_id_fkey"                                        // ALTER TABLE ONLY workspaces ADD CONSTRAINT workspaces_owner_id_fkey FOREIGN KEY (owner_id) REFERENCES users(id) ON DELETE RESTRICT;
 	ForeignKeyWorkspacesTemplateID                                ForeignKeyConstraint = "workspaces_template_id_fkey"                                     // ALTER TABLE ONLY workspaces ADD CONSTRAINT workspaces_template_id_fkey FOREIGN KEY (template_id) REFERENCES templates(id) ON DELETE RESTRICT;

coderd/database/migrations/000417_agent_restart_count.down.sql

@@ -1,3 +0,0 @@
-ALTER TABLE workspace_agents
-    DROP COLUMN restart_count,
-    DROP COLUMN last_restarted_at;

coderd/database/migrations/000417_agent_restart_count.up.sql

@@ -1,3 +0,0 @@
-ALTER TABLE workspace_agents
-    ADD COLUMN restart_count integer NOT NULL DEFAULT 0,
-    ADD COLUMN last_restarted_at timestamp with time zone;

coderd/database/migrations/000417_connection_logs_agent_id.down.sql

@@ -0,0 +1,2 @@
+ALTER TABLE connection_logs
+	DROP COLUMN agent_id;

coderd/database/migrations/000417_connection_logs_agent_id.up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE connection_logs
+	ADD COLUMN agent_id uuid;

coderd/database/migrations/000418_agent_restart_notification.down.sql

@@ -1,2 +0,0 @@
-DELETE FROM notification_templates
-WHERE id = 'bb2bb51b-5d40-4e33-ae8b-f40f13bfcd24';

coderd/database/migrations/000418_agent_restart_notification.up.sql

@@ -1,15 +0,0 @@
-INSERT INTO notification_templates
-	(id, name, title_template, body_template, "group", actions)
-VALUES (
-	'bb2bb51b-5d40-4e33-ae8b-f40f13bfcd24',
-	'Workspace Agent Restarted',
-	E'Your workspace agent "{{.Labels.agent}}" has been restarted',
-	E'Your workspace **{{.Labels.workspace}}** agent **{{.Labels.agent}}** has been restarted **{{.Labels.restart_count}}** time(s) to recover from an unexpected exit ({{.Labels.reason}}: {{.Labels.kill_signal}}).',
-	'Workspace Events',
-	'[
-		{
-			"label": "View workspace",
-			"url": "{{base_url}}/@{{.UserUsername}}/{{.Labels.workspace}}"
-		}
-	]'::jsonb
-);

coderd/database/migrations/000418_app_connection_tracking.down.sql

@@ -0,0 +1,2 @@
+ALTER TABLE workspace_app_audit_sessions DROP COLUMN IF EXISTS connection_id;
+ALTER TABLE connection_logs DROP COLUMN IF EXISTS updated_at;

coderd/database/migrations/000418_app_connection_tracking.up.sql

@@ -0,0 +1,14 @@
+ALTER TABLE workspace_app_audit_sessions
+    ADD COLUMN connection_id uuid;
+
+ALTER TABLE connection_logs
+    ADD COLUMN updated_at timestamp with time zone;
+
+UPDATE connection_logs SET updated_at = connect_time WHERE updated_at IS NULL;
+
+ALTER TABLE connection_logs
+    ALTER COLUMN updated_at SET NOT NULL,
+    ALTER COLUMN updated_at SET DEFAULT now();
+
+COMMENT ON COLUMN connection_logs.updated_at IS
+    'Last time this connection log was confirmed active. For agent connections, equals connect_time. For web connections, bumped while the session is active.';

coderd/database/migrations/000419_tailnet_peering.down.sql

@@ -0,0 +1,2 @@
+DROP TABLE IF EXISTS tailnet_peering_events;
+DROP TABLE IF EXISTS agent_peering_ids;

coderd/database/migrations/000419_tailnet_peering.up.sql

@@ -0,0 +1,14 @@
+CREATE TABLE agent_peering_ids (
+    agent_id uuid NOT NULL,
+    peering_id bytea NOT NULL,
+    PRIMARY KEY (agent_id, peering_id)
+);
+
+CREATE TABLE tailnet_peering_events (
+    peering_id bytea NOT NULL,
+    event_type text NOT NULL,
+    src_peer_id uuid,
+    dst_peer_id uuid,
+    node bytea,
+    occurred_at timestamp with time zone NOT NULL
+);

coderd/database/migrations/000420_workspace_sessions.down.sql

@@ -0,0 +1,8 @@
+DROP INDEX IF EXISTS idx_connection_logs_session;
+
+ALTER TABLE connection_logs
+    DROP COLUMN IF EXISTS short_description,
+    DROP COLUMN IF EXISTS client_hostname,
+    DROP COLUMN IF EXISTS session_id;
+
+DROP TABLE IF EXISTS workspace_sessions;

coderd/database/migrations/000420_workspace_sessions.up.sql

@@ -0,0 +1,21 @@
+CREATE TABLE workspace_sessions (
+    id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    workspace_id uuid NOT NULL REFERENCES workspaces(id) ON DELETE CASCADE,
+    agent_id uuid REFERENCES workspace_agents(id) ON DELETE SET NULL,
+    ip inet NOT NULL,
+    client_hostname text,
+    short_description text,
+    started_at timestamp with time zone NOT NULL,
+    ended_at timestamp with time zone NOT NULL,
+    created_at timestamp with time zone NOT NULL DEFAULT now()
+);
+
+CREATE INDEX idx_workspace_sessions_workspace ON workspace_sessions (workspace_id, started_at DESC);
+CREATE INDEX idx_workspace_sessions_lookup ON workspace_sessions (workspace_id, ip, started_at);
+
+ALTER TABLE connection_logs
+    ADD COLUMN session_id uuid REFERENCES workspace_sessions(id) ON DELETE SET NULL,
+    ADD COLUMN client_hostname text,
+    ADD COLUMN short_description text;
+
+CREATE INDEX idx_connection_logs_session ON connection_logs (session_id) WHERE session_id IS NOT NULL;

coderd/database/migrations/000421_connection_type_system.down.sql

@@ -0,0 +1 @@
+-- No-op: PostgreSQL does not support removing enum values.

coderd/database/migrations/000421_connection_type_system.up.sql

@@ -0,0 +1 @@
+ALTER TYPE connection_type ADD VALUE IF NOT EXISTS 'system';

coderd/database/migrations/000422_session_grouping_by_hostname.down.sql

@@ -0,0 +1,6 @@
+UPDATE workspace_sessions SET ip = '0.0.0.0'::inet WHERE ip IS NULL;
+ALTER TABLE workspace_sessions ALTER COLUMN ip SET NOT NULL;
+
+DROP INDEX IF EXISTS idx_workspace_sessions_hostname_lookup;
+DROP INDEX IF EXISTS idx_workspace_sessions_ip_lookup;
+CREATE INDEX idx_workspace_sessions_lookup ON workspace_sessions (workspace_id, ip, started_at);

coderd/database/migrations/000422_session_grouping_by_hostname.up.sql

@@ -0,0 +1,13 @@
+-- Make workspace_sessions.ip nullable since sessions now group by
+-- hostname (with IP fallback), and a session may span multiple IPs.
+ALTER TABLE workspace_sessions ALTER COLUMN ip DROP NOT NULL;
+
+-- Replace the IP-based lookup index with hostname-based indexes
+-- to support the new grouping logic.
+DROP INDEX IF EXISTS idx_workspace_sessions_lookup;
+CREATE INDEX idx_workspace_sessions_hostname_lookup
+    ON workspace_sessions (workspace_id, client_hostname, started_at)
+    WHERE client_hostname IS NOT NULL;
+CREATE INDEX idx_workspace_sessions_ip_lookup
+    ON workspace_sessions (workspace_id, ip, started_at)
+    WHERE ip IS NOT NULL AND client_hostname IS NULL;

coderd/database/migrations/000423_connection_logs_os.down.sql

@@ -0,0 +1 @@
+ALTER TABLE connection_logs DROP COLUMN os;

coderd/database/migrations/000423_connection_logs_os.up.sql

@@ -0,0 +1 @@
+ALTER TABLE connection_logs ADD COLUMN os text;

coderd/database/migrations/testdata/fixtures/000419_tailnet_peering.up.sql

@@ -0,0 +1,17 @@
+INSERT INTO agent_peering_ids
+	(agent_id, peering_id)
+VALUES (
+	'c0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11',
+	'\xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef'
+);
+
+INSERT INTO tailnet_peering_events
+	(peering_id, event_type, src_peer_id, dst_peer_id, node, occurred_at)
+VALUES (
+	'\xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef',
+	'added_tunnel',
+	'c0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11',
+	'b0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11',
+	'a fake protobuf byte string',
+	'2025-01-15 10:23:54+00'
+);

coderd/database/migrations/testdata/fixtures/000420_workspace_sessions.up.sql

@@ -0,0 +1,11 @@
+INSERT INTO workspace_sessions
+	(id, workspace_id, agent_id, ip, started_at, ended_at, created_at)
+VALUES (
+	'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
+	'3a9a1feb-e89d-457c-9d53-ac751b198ebe',
+	'5f8e48e4-1304-45bd-b91a-ab12c8bfc20f',
+	'127.0.0.1',
+	'2025-01-01 10:00:00+00',
+	'2025-01-01 11:00:00+00',
+	'2025-01-01 11:00:00+00'
+);

coderd/database/modelqueries.go

@@ -689,6 +689,11 @@ func (q *sqlQuerier) GetAuthorizedConnectionLogsOffset(ctx context.Context, arg
 			&i.ConnectionLog.ConnectionID,
 			&i.ConnectionLog.DisconnectTime,
 			&i.ConnectionLog.DisconnectReason,
+			&i.ConnectionLog.AgentID,
+			&i.ConnectionLog.UpdatedAt,
+			&i.ConnectionLog.SessionID,
+			&i.ConnectionLog.ClientHostname,
+			&i.ConnectionLog.ShortDescription,
 			&i.UserUsername,
 			&i.UserName,
 			&i.UserEmail,

coderd/database/models.go

@@ -1101,6 +1101,7 @@ const (
 	ConnectionTypeReconnectingPty ConnectionType = "reconnecting_pty"
 	ConnectionTypeWorkspaceApp    ConnectionType = "workspace_app"
 	ConnectionTypePortForwarding  ConnectionType = "port_forwarding"
+	ConnectionTypeSystem          ConnectionType = "system"
 )
 
 func (e *ConnectionType) Scan(src interface{}) error {
@@ -1145,7 +1146,8 @@ func (e ConnectionType) Valid() bool {
 		ConnectionTypeJetbrains,
 		ConnectionTypeReconnectingPty,
 		ConnectionTypeWorkspaceApp,
-		ConnectionTypePortForwarding:
+		ConnectionTypePortForwarding,
+		ConnectionTypeSystem:
 		return true
 	}
 	return false
@@ -1159,6 +1161,7 @@ func AllConnectionTypeValues() []ConnectionType {
 		ConnectionTypeReconnectingPty,
 		ConnectionTypeWorkspaceApp,
 		ConnectionTypePortForwarding,
+		ConnectionTypeSystem,
 	}
 }
 
@@ -3702,6 +3705,11 @@ type APIKey struct {
 	AllowList       AllowList    `db:"allow_list" json:"allow_list"`
 }
 
+type AgentPeeringID struct {
+	AgentID   uuid.UUID `db:"agent_id" json:"agent_id"`
+	PeeringID []byte    `db:"peering_id" json:"peering_id"`
+}
+
 type AuditLog struct {
 	ID               uuid.UUID       `db:"id" json:"id"`
 	Time             time.Time       `db:"time" json:"time"`
@@ -3762,6 +3770,13 @@ type ConnectionLog struct {
 	DisconnectTime sql.NullTime `db:"disconnect_time" json:"disconnect_time"`
 	// The reason the connection was closed. Null for web connections. For other connections, this is null until we receive a disconnect event for the same connection_id.
 	DisconnectReason sql.NullString `db:"disconnect_reason" json:"disconnect_reason"`
+	AgentID          uuid.NullUUID  `db:"agent_id" json:"agent_id"`
+	// Last time this connection log was confirmed active. For agent connections, equals connect_time. For web connections, bumped while the session is active.
+	UpdatedAt        time.Time      `db:"updated_at" json:"updated_at"`
+	SessionID        uuid.NullUUID  `db:"session_id" json:"session_id"`
+	ClientHostname   sql.NullString `db:"client_hostname" json:"client_hostname"`
+	ShortDescription sql.NullString `db:"short_description" json:"short_description"`
+	Os               sql.NullString `db:"os" json:"os"`
 }
 
 type CryptoKey struct {
@@ -4228,6 +4243,15 @@ type TailnetPeer struct {
 	Status        TailnetStatus `db:"status" json:"status"`
 }
 
+type TailnetPeeringEvent struct {
+	PeeringID  []byte        `db:"peering_id" json:"peering_id"`
+	EventType  string        `db:"event_type" json:"event_type"`
+	SrcPeerID  uuid.NullUUID `db:"src_peer_id" json:"src_peer_id"`
+	DstPeerID  uuid.NullUUID `db:"dst_peer_id" json:"dst_peer_id"`
+	Node       []byte        `db:"node" json:"node"`
+	OccurredAt time.Time     `db:"occurred_at" json:"occurred_at"`
+}
+
 type TailnetTunnel struct {
 	CoordinatorID uuid.UUID `db:"coordinator_id" json:"coordinator_id"`
 	SrcID         uuid.UUID `db:"src_id" json:"src_id"`
@@ -4763,9 +4787,7 @@ type WorkspaceAgent struct {
 	// Defines the scope of the API key associated with the agent. 'all' allows access to everything, 'no_user_data' restricts it to exclude user data.
 	APIKeyScope AgentKeyScopeEnum `db:"api_key_scope" json:"api_key_scope"`
 	// Indicates whether or not the agent has been deleted. This is currently only applicable to sub agents.
-	Deleted         bool         `db:"deleted" json:"deleted"`
-	RestartCount    int32        `db:"restart_count" json:"restart_count"`
-	LastRestartedAt sql.NullTime `db:"last_restarted_at" json:"last_restarted_at"`
+	Deleted bool `db:"deleted" json:"deleted"`
 }
 
 // Workspace agent devcontainer configuration
@@ -4935,8 +4957,9 @@ type WorkspaceAppAuditSession struct {
 	// The time the user started the session.
 	StartedAt time.Time `db:"started_at" json:"started_at"`
 	// The time the session was last updated.
-	UpdatedAt time.Time `db:"updated_at" json:"updated_at"`
-	ID        uuid.UUID `db:"id" json:"id"`
+	UpdatedAt    time.Time     `db:"updated_at" json:"updated_at"`
+	ID           uuid.UUID     `db:"id" json:"id"`
+	ConnectionID uuid.NullUUID `db:"connection_id" json:"connection_id"`
 }
 
 // A record of workspace app usage statistics
@@ -5111,6 +5134,18 @@ type WorkspaceResourceMetadatum struct {
 	ID                  int64          `db:"id" json:"id"`
 }
 
+type WorkspaceSession struct {
+	ID               uuid.UUID      `db:"id" json:"id"`
+	WorkspaceID      uuid.UUID      `db:"workspace_id" json:"workspace_id"`
+	AgentID          uuid.NullUUID  `db:"agent_id" json:"agent_id"`
+	Ip               pqtype.Inet    `db:"ip" json:"ip"`
+	ClientHostname   sql.NullString `db:"client_hostname" json:"client_hostname"`
+	ShortDescription sql.NullString `db:"short_description" json:"short_description"`
+	StartedAt        time.Time      `db:"started_at" json:"started_at"`
+	EndedAt          time.Time      `db:"ended_at" json:"ended_at"`
+	CreatedAt        time.Time      `db:"created_at" json:"created_at"`
+}
+
 type WorkspaceTable struct {
 	ID                uuid.UUID        `db:"id" json:"id"`
 	CreatedAt         time.Time        `db:"created_at" json:"created_at"`

coderd/database/querier.go

@@ -68,15 +68,43 @@ type sqlcQuerier interface {
 	CleanTailnetCoordinators(ctx context.Context) error
 	CleanTailnetLostPeers(ctx context.Context) error
 	CleanTailnetTunnels(ctx context.Context) error
+	// Atomically closes open connections and creates sessions grouped by
+	// client_hostname (with IP fallback) and time overlap. Non-system
+	// connections drive session boundaries; system connections attach to
+	// the first overlapping session or get their own if orphaned.
+	//
+	// Processes connections that are still open (disconnect_time IS NULL) OR
+	// already disconnected but not yet assigned to a session (session_id IS
+	// NULL). The latter covers system/tunnel connections whose disconnect is
+	// recorded by dbsink but which have no session-assignment code path.
+	// Phase 1: Group non-system connections by hostname+time overlap.
+	// System connections persist for the entire workspace lifetime and
+	// would create mega-sessions if included in boundary computation.
+	// Check for pre-existing sessions that match by hostname (or IP
+	// fallback) and overlap in time, to avoid duplicates from the race
+	// with FindOrCreateSessionForDisconnect.
+	// Combine existing and newly created sessions.
+	// Phase 2: Assign system connections to the earliest overlapping
+	// primary session. First check sessions from this batch, then fall
+	// back to pre-existing workspace_sessions.
+	// Also match system connections to pre-existing sessions (created
+	// by FindOrCreateSessionForDisconnect) that aren't in this batch.
+	// Create sessions for orphaned system connections (no overlapping
+	// primary session) that have an IP.
+	// Combine all session sources for the final UPDATE.
+	CloseConnectionLogsAndCreateSessions(ctx context.Context, arg CloseConnectionLogsAndCreateSessionsParams) (int64, error)
+	CloseOpenAgentConnectionLogsForWorkspace(ctx context.Context, arg CloseOpenAgentConnectionLogsForWorkspaceParams) (int64, error)
 	CountAIBridgeInterceptions(ctx context.Context, arg CountAIBridgeInterceptionsParams) (int64, error)
 	CountAuditLogs(ctx context.Context, arg CountAuditLogsParams) (int64, error)
 	CountConnectionLogs(ctx context.Context, arg CountConnectionLogsParams) (int64, error)
+	CountGlobalWorkspaceSessions(ctx context.Context, arg CountGlobalWorkspaceSessionsParams) (int64, error)
 	// CountInProgressPrebuilds returns the number of in-progress prebuilds, grouped by preset ID and transition.
 	// Prebuild considered in-progress if it's in the "pending", "starting", "stopping", or "deleting" state.
 	CountInProgressPrebuilds(ctx context.Context) ([]CountInProgressPrebuildsRow, error)
 	// CountPendingNonActivePrebuilds returns the number of pending prebuilds for non-active template versions
 	CountPendingNonActivePrebuilds(ctx context.Context) ([]CountPendingNonActivePrebuildsRow, error)
 	CountUnreadInboxNotificationsByUserID(ctx context.Context, userID uuid.UUID) (int64, error)
+	CountWorkspaceSessions(ctx context.Context, arg CountWorkspaceSessionsParams) (int64, error)
 	CreateUserSecret(ctx context.Context, arg CreateUserSecretParams) (UserSecret, error)
 	CustomRoles(ctx context.Context, arg CustomRolesParams) ([]CustomRole, error)
 	DeleteAPIKeyByID(ctx context.Context, id string) error
@@ -161,6 +189,11 @@ type sqlcQuerier interface {
 	// The query finds presets where all preset parameters are present in the provided parameters,
 	// and returns the preset with the most parameters (largest subset).
 	FindMatchingPresetID(ctx context.Context, arg FindMatchingPresetIDParams) (uuid.UUID, error)
+	// Find existing session within time window, or create new one.
+	// Uses advisory lock to prevent duplicate sessions from concurrent disconnects.
+	// Groups by client_hostname (with IP fallback) to match the live session
+	// grouping in mergeWorkspaceConnectionsIntoSessions.
+	FindOrCreateSessionForDisconnect(ctx context.Context, arg FindOrCreateSessionForDisconnectParams) (interface{}, error)
 	GetAIBridgeInterceptionByID(ctx context.Context, id uuid.UUID) (AIBridgeInterception, error)
 	GetAIBridgeInterceptions(ctx context.Context) ([]AIBridgeInterception, error)
 	GetAIBridgeTokenUsagesByInterceptionID(ctx context.Context, interceptionID uuid.UUID) ([]AIBridgeTokenUsage, error)
@@ -177,6 +210,7 @@ type sqlcQuerier interface {
 	GetActiveWorkspaceBuildsByTemplateID(ctx context.Context, templateID uuid.UUID) ([]WorkspaceBuild, error)
 	// For PG Coordinator HTMLDebug
 	GetAllTailnetCoordinators(ctx context.Context) ([]TailnetCoordinator, error)
+	GetAllTailnetPeeringEventsByPeerID(ctx context.Context, srcPeerID uuid.NullUUID) ([]TailnetPeeringEvent, error)
 	GetAllTailnetPeers(ctx context.Context) ([]TailnetPeer, error)
 	GetAllTailnetTunnels(ctx context.Context) ([]TailnetTunnel, error)
 	// Atomic read+delete prevents replicas that flush between a separate read and
@@ -199,6 +233,8 @@ type sqlcQuerier interface {
 	// This function returns roles for authorization purposes. Implied member roles
 	// are included.
 	GetAuthorizationUserRoles(ctx context.Context, userID uuid.UUID) (GetAuthorizationUserRolesRow, error)
+	GetConnectionLogByConnectionID(ctx context.Context, arg GetConnectionLogByConnectionIDParams) (ConnectionLog, error)
+	GetConnectionLogsBySessionIDs(ctx context.Context, sessionIds []uuid.UUID) ([]ConnectionLog, error)
 	GetConnectionLogsOffset(ctx context.Context, arg GetConnectionLogsOffsetParams) ([]GetConnectionLogsOffsetRow, error)
 	GetCoordinatorResumeTokenSigningKey(ctx context.Context) (string, error)
 	GetCryptoKeyByFeatureAndSequence(ctx context.Context, arg GetCryptoKeyByFeatureAndSequenceParams) (CryptoKey, error)
@@ -231,6 +267,7 @@ type sqlcQuerier interface {
 	// param limit_opt: The limit of notifications to fetch. If the limit is not specified, it defaults to 25
 	GetFilteredInboxNotificationsByUserID(ctx context.Context, arg GetFilteredInboxNotificationsByUserIDParams) ([]InboxNotification, error)
 	GetGitSSHKey(ctx context.Context, userID uuid.UUID) (GitSSHKey, error)
+	GetGlobalWorkspaceSessionsOffset(ctx context.Context, arg GetGlobalWorkspaceSessionsOffsetParams) ([]GetGlobalWorkspaceSessionsOffsetRow, error)
 	GetGroupByID(ctx context.Context, id uuid.UUID) (Group, error)
 	GetGroupByOrgAndName(ctx context.Context, arg GetGroupByOrgAndNameParams) (Group, error)
 	GetGroupMembers(ctx context.Context, includeSystem bool) ([]GroupMember, error)
@@ -278,6 +315,7 @@ type sqlcQuerier interface {
 	GetOAuth2ProviderApps(ctx context.Context) ([]OAuth2ProviderApp, error)
 	GetOAuth2ProviderAppsByUserID(ctx context.Context, userID uuid.UUID) ([]GetOAuth2ProviderAppsByUserIDRow, error)
 	GetOAuthSigningKey(ctx context.Context) (string, error)
+	GetOngoingAgentConnectionsLast24h(ctx context.Context, arg GetOngoingAgentConnectionsLast24hParams) ([]GetOngoingAgentConnectionsLast24hRow, error)
 	GetOrganizationByID(ctx context.Context, id uuid.UUID) (Organization, error)
 	GetOrganizationByName(ctx context.Context, arg GetOrganizationByNameParams) (Organization, error)
 	GetOrganizationIDsByMemberIDs(ctx context.Context, ids []uuid.UUID) ([]GetOrganizationIDsByMemberIDsRow, error)
@@ -354,6 +392,7 @@ type sqlcQuerier interface {
 	GetRuntimeConfig(ctx context.Context, key string) (string, error)
 	GetTailnetPeers(ctx context.Context, id uuid.UUID) ([]TailnetPeer, error)
 	GetTailnetTunnelPeerBindings(ctx context.Context, srcID uuid.UUID) ([]GetTailnetTunnelPeerBindingsRow, error)
+	GetTailnetTunnelPeerBindingsByDstID(ctx context.Context, dstID uuid.UUID) ([]GetTailnetTunnelPeerBindingsByDstIDRow, error)
 	GetTailnetTunnelPeerIDs(ctx context.Context, srcID uuid.UUID) ([]GetTailnetTunnelPeerIDsRow, error)
 	GetTaskByID(ctx context.Context, id uuid.UUID) (Task, error)
 	GetTaskByOwnerIDAndName(ctx context.Context, arg GetTaskByOwnerIDAndNameParams) (Task, error)
@@ -533,6 +572,7 @@ type sqlcQuerier interface {
 	GetWorkspaceResourcesByJobID(ctx context.Context, jobID uuid.UUID) ([]WorkspaceResource, error)
 	GetWorkspaceResourcesByJobIDs(ctx context.Context, ids []uuid.UUID) ([]WorkspaceResource, error)
 	GetWorkspaceResourcesCreatedAfter(ctx context.Context, createdAt time.Time) ([]WorkspaceResource, error)
+	GetWorkspaceSessionsOffset(ctx context.Context, arg GetWorkspaceSessionsOffsetParams) ([]GetWorkspaceSessionsOffsetRow, error)
 	GetWorkspaceUniqueOwnerCountByTemplateIDs(ctx context.Context, templateIds []uuid.UUID) ([]GetWorkspaceUniqueOwnerCountByTemplateIDsRow, error)
 	// build_params is used to filter by build parameters if present.
 	// It has to be a CTE because the set returning function 'unnest' cannot
@@ -584,6 +624,7 @@ type sqlcQuerier interface {
 	InsertProvisionerJobTimings(ctx context.Context, arg InsertProvisionerJobTimingsParams) ([]ProvisionerJobTiming, error)
 	InsertProvisionerKey(ctx context.Context, arg InsertProvisionerKeyParams) (ProvisionerKey, error)
 	InsertReplica(ctx context.Context, arg InsertReplicaParams) (Replica, error)
+	InsertTailnetPeeringEvent(ctx context.Context, arg InsertTailnetPeeringEventParams) error
 	InsertTask(ctx context.Context, arg InsertTaskParams) (TaskTable, error)
 	InsertTelemetryItemIfNotExists(ctx context.Context, arg InsertTelemetryItemIfNotExistsParams) error
 	// Inserts a new lock row into the telemetry_locks table. Replicas should call
@@ -670,6 +711,8 @@ type sqlcQuerier interface {
 	UnfavoriteWorkspace(ctx context.Context, id uuid.UUID) error
 	UpdateAIBridgeInterceptionEnded(ctx context.Context, arg UpdateAIBridgeInterceptionEndedParams) (AIBridgeInterception, error)
 	UpdateAPIKeyByID(ctx context.Context, arg UpdateAPIKeyByIDParams) error
+	// Links a connection log row to its workspace session.
+	UpdateConnectionLogSessionID(ctx context.Context, arg UpdateConnectionLogSessionIDParams) error
 	UpdateCryptoKeyDeletesAt(ctx context.Context, arg UpdateCryptoKeyDeletesAtParams) (CryptoKey, error)
 	UpdateCustomRole(ctx context.Context, arg UpdateCustomRoleParams) (CustomRole, error)
 	UpdateExternalAuthLink(ctx context.Context, arg UpdateExternalAuthLinkParams) (ExternalAuthLink, error)
@@ -741,7 +784,6 @@ type sqlcQuerier interface {
 	UpdateWorkspaceAgentLifecycleStateByID(ctx context.Context, arg UpdateWorkspaceAgentLifecycleStateByIDParams) error
 	UpdateWorkspaceAgentLogOverflowByID(ctx context.Context, arg UpdateWorkspaceAgentLogOverflowByIDParams) error
 	UpdateWorkspaceAgentMetadata(ctx context.Context, arg UpdateWorkspaceAgentMetadataParams) error
-	UpdateWorkspaceAgentRestartCount(ctx context.Context, arg UpdateWorkspaceAgentRestartCountParams) error
 	UpdateWorkspaceAgentStartupByID(ctx context.Context, arg UpdateWorkspaceAgentStartupByIDParams) error
 	UpdateWorkspaceAppHealthByID(ctx context.Context, arg UpdateWorkspaceAppHealthByIDParams) error
 	UpdateWorkspaceAutomaticUpdates(ctx context.Context, arg UpdateWorkspaceAutomaticUpdatesParams) error
@@ -800,10 +842,11 @@ type sqlcQuerier interface {
 	UpsertWorkspaceAgentPortShare(ctx context.Context, arg UpsertWorkspaceAgentPortShareParams) (WorkspaceAgentPortShare, error)
 	UpsertWorkspaceApp(ctx context.Context, arg UpsertWorkspaceAppParams) (WorkspaceApp, error)
 	//
-	// The returned boolean, new_or_stale, can be used to deduce if a new session
-	// was started. This means that a new row was inserted (no previous session) or
-	// the updated_at is older than stale interval.
-	UpsertWorkspaceAppAuditSession(ctx context.Context, arg UpsertWorkspaceAppAuditSessionParams) (bool, error)
+	// The returned columns, new_or_stale and connection_id, can be used to deduce
+	// if a new session was started and which connection_id to use. new_or_stale is
+	// true when a new row was inserted (no previous session) or the updated_at is
+	// older than the stale interval.
+	UpsertWorkspaceAppAuditSession(ctx context.Context, arg UpsertWorkspaceAppAuditSessionParams) (UpsertWorkspaceAppAuditSessionRow, error)
 	ValidateGroupIDs(ctx context.Context, groupIds []uuid.UUID) (ValidateGroupIDsRow, error)
 	ValidateUserIDs(ctx context.Context, userIds []uuid.UUID) (ValidateUserIDsRow, error)
 }

coderd/database/querier_test.go

@@ -3081,7 +3081,7 @@ func TestConnectionLogsOffsetFilters(t *testing.T) {
 			params: database.GetConnectionLogsOffsetParams{
 				Status: string(codersdk.ConnectionLogStatusOngoing),
 			},
-			expectedLogIDs: []uuid.UUID{log4.ID},
+			expectedLogIDs: []uuid.UUID{log1.ID, log4.ID},
 		},
 		{
 			name: "StatusCompleted",
@@ -3308,12 +3308,16 @@ func TestUpsertConnectionLog(t *testing.T) {
 
 		origLog, err := db.UpsertConnectionLog(ctx, connectParams2)
 		require.NoError(t, err)
-		require.Equal(t, log, origLog, "connect update should be a no-op")
+		// updated_at is always bumped on conflict to track activity.
+		require.True(t, connectTime2.Equal(origLog.UpdatedAt), "expected updated_at %s, got %s", connectTime2, origLog.UpdatedAt)
+		origLog.UpdatedAt = log.UpdatedAt
+		require.Equal(t, log, origLog, "connect update should be a no-op except updated_at")
 
 		// Check that still only one row exists.
 		rows, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{})
 		require.NoError(t, err)
 		require.Len(t, rows, 1)
+		rows[0].ConnectionLog.UpdatedAt = log.UpdatedAt
 		require.Equal(t, log, rows[0].ConnectionLog)
 	})
 
@@ -3395,6 +3399,8 @@ func TestUpsertConnectionLog(t *testing.T) {
 		secondRows, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{})
 		require.NoError(t, err)
 		require.Len(t, secondRows, 1)
+		// updated_at is always bumped on conflict to track activity.
+		secondRows[0].ConnectionLog.UpdatedAt = firstRows[0].ConnectionLog.UpdatedAt
 		require.Equal(t, firstRows, secondRows)
 
 		// Upsert a disconnection, which should also be a no op

coderd/database/queries/connectionlogs.sql

@@ -114,9 +114,7 @@ WHERE
 	AND CASE
 		WHEN @status :: text != '' THEN
 			((@status = 'ongoing' AND disconnect_time IS NULL) OR
-			(@status = 'completed' AND disconnect_time IS NOT NULL)) AND
-			-- Exclude web events, since we don't know their close time.
-			"type" NOT IN ('workspace_app', 'port_forwarding')
+			(@status = 'completed' AND disconnect_time IS NOT NULL))
 		ELSE true
 	END
 	-- Authorize Filter clause will be injected below in
@@ -229,9 +227,7 @@ WHERE
 	AND CASE
 		WHEN @status :: text != '' THEN
 			((@status = 'ongoing' AND disconnect_time IS NULL) OR
-			(@status = 'completed' AND disconnect_time IS NOT NULL)) AND
-			-- Exclude web events, since we don't know their close time.
-			"type" NOT IN ('workspace_app', 'port_forwarding')
+			(@status = 'completed' AND disconnect_time IS NOT NULL))
 		ELSE true
 	END
 	-- Authorize Filter clause will be injected below in
@@ -260,6 +256,7 @@ INSERT INTO connection_logs (
 	workspace_id,
 	workspace_name,
 	agent_name,
+	agent_id,
 	type,
 	code,
 	ip,
@@ -268,18 +265,25 @@ INSERT INTO connection_logs (
 	slug_or_port,
 	connection_id,
 	disconnect_reason,
-	disconnect_time
+	disconnect_time,
+	updated_at,
+	session_id,
+	client_hostname,
+	short_description,
+	os
 ) VALUES
-	($1, @time, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14,
+	($1, @time, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15,
 	-- If we've only received a disconnect event, mark the event as immediately
 	-- closed.
 	 CASE
 		 WHEN @connection_status::connection_status = 'disconnected'
 		 THEN @time :: timestamp with time zone
 		 ELSE NULL
-	 END)
+	 END,
+	 @time, $16, $17, $18, $19)
 ON CONFLICT (connection_id, workspace_id, agent_name)
 DO UPDATE SET
+	updated_at = @time,
 	-- No-op if the connection is still open.
 	disconnect_time = CASE
 		WHEN @connection_status::connection_status = 'disconnected'
@@ -301,5 +305,277 @@ DO UPDATE SET
 		AND connection_logs.code IS NULL
 		THEN EXCLUDED.code
 		ELSE connection_logs.code
-	END
+	END,
+	agent_id = COALESCE(connection_logs.agent_id, EXCLUDED.agent_id),
+	os = COALESCE(EXCLUDED.os, connection_logs.os)
 RETURNING *;
+
+
+-- name: CloseOpenAgentConnectionLogsForWorkspace :execrows
+UPDATE connection_logs
+SET
+	disconnect_time = GREATEST(connect_time, @closed_at :: timestamp with time zone),
+	-- Do not overwrite any existing reason.
+	disconnect_reason = COALESCE(disconnect_reason, @reason :: text)
+WHERE disconnect_time IS NULL
+	AND workspace_id = @workspace_id :: uuid
+	AND type = ANY(@types :: connection_type[]);
+
+-- name: GetOngoingAgentConnectionsLast24h :many
+WITH ranked AS (
+	SELECT
+		id,
+		connect_time,
+		organization_id,
+		workspace_owner_id,
+		workspace_id,
+		workspace_name,
+		agent_name,
+		type,
+		ip,
+		code,
+		user_agent,
+		user_id,
+		slug_or_port,
+		connection_id,
+		disconnect_time,
+		disconnect_reason,
+		agent_id,
+		updated_at,
+		session_id,
+		client_hostname,
+		short_description,
+		os,
+		row_number() OVER (
+			PARTITION BY workspace_id, agent_name
+			ORDER BY connect_time DESC
+		) AS rn
+	FROM
+		connection_logs
+	WHERE
+		workspace_id = ANY(@workspace_ids :: uuid[])
+		AND agent_name = ANY(@agent_names :: text[])
+		AND type = ANY(@types :: connection_type[])
+		AND disconnect_time IS NULL
+		AND (
+			-- Non-web types always included while connected.
+			type NOT IN ('workspace_app', 'port_forwarding')
+			-- Agent-reported web connections have NULL user_agent
+			-- and carry proper disconnect lifecycle tracking.
+			OR user_agent IS NULL
+			-- Proxy-reported web connections (non-NULL user_agent)
+			-- rely on updated_at being bumped on each token refresh.
+			OR updated_at >= @app_active_since :: timestamp with time zone
+		)
+		AND connect_time >= @since :: timestamp with time zone
+)
+SELECT
+	id,
+	connect_time,
+	organization_id,
+	workspace_owner_id,
+	workspace_id,
+	workspace_name,
+	agent_name,
+	type,
+	ip,
+	code,
+	user_agent,
+	user_id,
+	slug_or_port,
+	connection_id,
+	disconnect_time,
+	disconnect_reason,
+	updated_at,
+	session_id,
+	client_hostname,
+	short_description,
+	os
+FROM
+	ranked
+WHERE
+	rn <= @per_agent_limit
+ORDER BY
+	workspace_id,
+	agent_name,
+	connect_time DESC;
+
+-- name: UpdateConnectionLogSessionID :exec
+-- Links a connection log row to its workspace session.
+UPDATE connection_logs SET session_id = @session_id WHERE id = @id;
+
+-- name: CloseConnectionLogsAndCreateSessions :execrows
+-- Atomically closes open connections and creates sessions grouped by
+-- client_hostname (with IP fallback) and time overlap. Non-system
+-- connections drive session boundaries; system connections attach to
+-- the first overlapping session or get their own if orphaned.
+--
+-- Processes connections that are still open (disconnect_time IS NULL) OR
+-- already disconnected but not yet assigned to a session (session_id IS
+-- NULL). The latter covers system/tunnel connections whose disconnect is
+-- recorded by dbsink but which have no session-assignment code path.
+WITH connections_to_close AS (
+    SELECT id, ip, connect_time, disconnect_time, agent_id,
+           client_hostname, short_description, type
+    FROM connection_logs
+    WHERE (disconnect_time IS NULL OR session_id IS NULL)
+      AND workspace_id = @workspace_id
+      AND type = ANY(@types::connection_type[])
+),
+-- Phase 1: Group non-system connections by hostname+time overlap.
+-- System connections persist for the entire workspace lifetime and
+-- would create mega-sessions if included in boundary computation.
+primary_connections AS (
+    SELECT *,
+        COALESCE(client_hostname, host(ip), 'unknown') AS group_key
+    FROM connections_to_close
+    WHERE type != 'system'
+),
+ordered AS (
+    SELECT *,
+        ROW_NUMBER() OVER (PARTITION BY group_key ORDER BY connect_time) AS rn,
+        MAX(COALESCE(disconnect_time, @closed_at::timestamptz))
+            OVER (PARTITION BY group_key ORDER BY connect_time
+                  ROWS BETWEEN UNBOUNDED PRECEDING AND 1 PRECEDING) AS running_max_end
+    FROM primary_connections
+),
+with_boundaries AS (
+    SELECT *,
+        SUM(CASE
+            WHEN rn = 1 THEN 1
+            WHEN connect_time > running_max_end + INTERVAL '30 minutes' THEN 1
+            ELSE 0
+        END) OVER (PARTITION BY group_key ORDER BY connect_time) AS group_id
+    FROM ordered
+),
+session_groups AS (
+    SELECT
+        group_key,
+        group_id,
+        MIN(connect_time) AS started_at,
+        MAX(COALESCE(disconnect_time, @closed_at::timestamptz)) AS ended_at,
+        (array_agg(agent_id ORDER BY connect_time) FILTER (WHERE agent_id IS NOT NULL))[1] AS agent_id,
+        (array_agg(ip ORDER BY connect_time) FILTER (WHERE ip IS NOT NULL))[1] AS ip,
+        (array_agg(client_hostname ORDER BY connect_time) FILTER (WHERE client_hostname IS NOT NULL))[1] AS client_hostname,
+        (array_agg(short_description ORDER BY connect_time) FILTER (WHERE short_description IS NOT NULL))[1] AS short_description
+    FROM with_boundaries
+    GROUP BY group_key, group_id
+),
+-- Check for pre-existing sessions that match by hostname (or IP
+-- fallback) and overlap in time, to avoid duplicates from the race
+-- with FindOrCreateSessionForDisconnect.
+existing_sessions AS (
+    SELECT DISTINCT ON (sg.group_key, sg.group_id)
+        sg.group_key, sg.group_id, ws.id AS session_id
+    FROM session_groups sg
+    JOIN workspace_sessions ws
+      ON ws.workspace_id = @workspace_id
+     AND (
+         (sg.client_hostname IS NOT NULL AND ws.client_hostname = sg.client_hostname)
+         OR (sg.client_hostname IS NULL AND sg.ip IS NOT NULL AND ws.ip = sg.ip AND ws.client_hostname IS NULL)
+     )
+     AND sg.started_at <= ws.ended_at + INTERVAL '30 minutes'
+     AND sg.ended_at >= ws.started_at - INTERVAL '30 minutes'
+    ORDER BY sg.group_key, sg.group_id, ws.started_at DESC
+),
+new_sessions AS (
+    INSERT INTO workspace_sessions (workspace_id, agent_id, ip, client_hostname, short_description, started_at, ended_at)
+    SELECT @workspace_id, sg.agent_id, sg.ip, sg.client_hostname, sg.short_description, sg.started_at, sg.ended_at
+    FROM session_groups sg
+    WHERE NOT EXISTS (
+        SELECT 1 FROM existing_sessions es
+        WHERE es.group_key = sg.group_key AND es.group_id = sg.group_id
+    )
+    RETURNING id, ip, started_at
+),
+-- Combine existing and newly created sessions.
+all_sessions AS (
+    SELECT ns.id, sg.group_key, sg.started_at
+    FROM new_sessions ns
+    JOIN session_groups sg
+      ON sg.started_at = ns.started_at
+     AND (sg.ip IS NOT DISTINCT FROM ns.ip)
+    UNION ALL
+    SELECT es.session_id AS id, es.group_key, sg.started_at
+    FROM existing_sessions es
+    JOIN session_groups sg ON es.group_key = sg.group_key AND es.group_id = sg.group_id
+),
+-- Phase 2: Assign system connections to the earliest overlapping
+-- primary session. First check sessions from this batch, then fall
+-- back to pre-existing workspace_sessions.
+system_batch_match AS (
+    SELECT DISTINCT ON (c.id)
+        c.id AS connection_id,
+        alls.id AS session_id,
+        sg.started_at AS session_start
+    FROM connections_to_close c
+    JOIN all_sessions alls ON true
+    JOIN session_groups sg ON alls.group_key = sg.group_key AND alls.started_at = sg.started_at
+    WHERE c.type = 'system'
+      AND COALESCE(c.disconnect_time, @closed_at::timestamptz) >= sg.started_at
+      AND c.connect_time <= sg.ended_at
+    ORDER BY c.id, sg.started_at
+),
+-- Also match system connections to pre-existing sessions (created
+-- by FindOrCreateSessionForDisconnect) that aren't in this batch.
+system_existing_match AS (
+    SELECT DISTINCT ON (c.id)
+        c.id AS connection_id,
+        ws.id AS session_id
+    FROM connections_to_close c
+    JOIN workspace_sessions ws
+      ON ws.workspace_id = @workspace_id
+     AND COALESCE(c.disconnect_time, @closed_at::timestamptz) >= ws.started_at
+     AND c.connect_time <= ws.ended_at
+    WHERE c.type = 'system'
+      AND NOT EXISTS (SELECT 1 FROM system_batch_match sbm WHERE sbm.connection_id = c.id)
+    ORDER BY c.id, ws.started_at
+),
+system_session_match AS (
+    SELECT connection_id, session_id FROM system_batch_match
+    UNION ALL
+    SELECT connection_id, session_id FROM system_existing_match
+),
+-- Create sessions for orphaned system connections (no overlapping
+-- primary session) that have an IP.
+orphan_system AS (
+    SELECT c.*
+    FROM connections_to_close c
+    LEFT JOIN system_session_match ssm ON ssm.connection_id = c.id
+    WHERE c.type = 'system'
+      AND ssm.connection_id IS NULL
+      AND c.ip IS NOT NULL
+),
+orphan_system_sessions AS (
+    INSERT INTO workspace_sessions (workspace_id, agent_id, ip, client_hostname, short_description, started_at, ended_at)
+    SELECT @workspace_id, os.agent_id, os.ip, os.client_hostname, os.short_description,
+           os.connect_time, COALESCE(os.disconnect_time, @closed_at::timestamptz)
+    FROM orphan_system os
+    RETURNING id, ip, started_at
+),
+-- Combine all session sources for the final UPDATE.
+final_sessions AS (
+    -- Primary sessions matched to non-system connections.
+    SELECT wb.id AS connection_id, alls.id AS session_id
+    FROM with_boundaries wb
+    JOIN session_groups sg ON wb.group_key = sg.group_key AND wb.group_id = sg.group_id
+    JOIN all_sessions alls ON sg.group_key = alls.group_key AND sg.started_at = alls.started_at
+    UNION ALL
+    -- System connections matched to primary sessions.
+    SELECT ssm.connection_id, ssm.session_id
+    FROM system_session_match ssm
+    UNION ALL
+    -- Orphaned system connections with their own sessions.
+    SELECT os.id, oss.id
+    FROM orphan_system os
+    JOIN orphan_system_sessions oss ON os.ip = oss.ip AND os.connect_time = oss.started_at
+)
+UPDATE connection_logs cl
+SET
+    disconnect_time = COALESCE(cl.disconnect_time, @closed_at),
+    disconnect_reason = COALESCE(cl.disconnect_reason, @reason),
+    session_id = COALESCE(cl.session_id, fs.session_id)
+FROM connections_to_close ctc
+LEFT JOIN final_sessions fs ON ctc.id = fs.connection_id
+WHERE cl.id = ctc.id;
+

coderd/database/queries/tailnet.sql

@@ -126,5 +126,29 @@ SELECT * FROM tailnet_coordinators;
 -- name: GetAllTailnetPeers :many
 SELECT * FROM tailnet_peers;
 
+-- name: GetTailnetTunnelPeerBindingsByDstID :many
+SELECT tp.id AS peer_id, tp.coordinator_id, tp.updated_at, tp.node, tp.status
+FROM tailnet_peers tp
+INNER JOIN tailnet_tunnels tt ON tp.id = tt.src_id
+WHERE tt.dst_id = @dst_id;
+
 -- name: GetAllTailnetTunnels :many
 SELECT * FROM tailnet_tunnels;
+
+-- name: InsertTailnetPeeringEvent :exec
+INSERT INTO tailnet_peering_events (
+	peering_id,
+	event_type,
+	src_peer_id,
+	dst_peer_id,
+	node,
+	occurred_at
+)
+VALUES
+	($1, $2, $3, $4, $5, $6);
+
+-- name: GetAllTailnetPeeringEventsByPeerID :many
+SELECT *
+FROM tailnet_peering_events
+WHERE src_peer_id = $1 OR dst_peer_id = $1
+ORDER BY peering_id, occurred_at;

coderd/database/queries/workspaceagents.sql

@@ -475,13 +475,3 @@ WHERE
 	AND workspaces.deleted = FALSE
 	AND users.deleted = FALSE
 LIMIT 1;
-
--- name: UpdateWorkspaceAgentRestartCount :exec
-UPDATE
-	workspace_agents
-SET
-	restart_count = @restart_count,
-	last_restarted_at = @last_restarted_at
-WHERE
-	id = @id;
-

coderd/database/queries/workspaceappaudit.sql

@@ -1,8 +1,9 @@
 -- name: UpsertWorkspaceAppAuditSession :one
 --
--- The returned boolean, new_or_stale, can be used to deduce if a new session
--- was started. This means that a new row was inserted (no previous session) or
--- the updated_at is older than stale interval.
+-- The returned columns, new_or_stale and connection_id, can be used to deduce
+-- if a new session was started and which connection_id to use. new_or_stale is
+-- true when a new row was inserted (no previous session) or the updated_at is
+-- older than the stale interval.
 INSERT INTO
 	workspace_app_audit_sessions (
 		id,
@@ -14,7 +15,8 @@ INSERT INTO
 		slug_or_port,
 		status_code,
 		started_at,
-		updated_at
+		updated_at,
+		connection_id
 	)
 VALUES
 	(
@@ -27,7 +29,8 @@ VALUES
 		$7,
 		$8,
 		$9,
-		$10
+		$10,
+		$11
 	)
 ON CONFLICT
 	(agent_id, app_id, user_id, ip, user_agent, slug_or_port, status_code)
@@ -45,6 +48,12 @@ DO
 			THEN workspace_app_audit_sessions.started_at
 			ELSE EXCLUDED.started_at
 		END,
+		connection_id = CASE
+			WHEN workspace_app_audit_sessions.updated_at > NOW() - (@stale_interval_ms::bigint || ' ms')::interval
+			THEN workspace_app_audit_sessions.connection_id
+			ELSE EXCLUDED.connection_id
+		END,
 		updated_at = EXCLUDED.updated_at
 RETURNING
-	id = $1 AS new_or_stale;
+	id = $1 AS new_or_stale,
+	connection_id;

coderd/database/queries/workspaces.sql

@@ -399,13 +399,13 @@ WHERE
 		filtered_workspaces fw
 	ORDER BY
 		-- To ensure that 'favorite' workspaces show up first in the list only for their owner.
-		CASE WHEN owner_id = @requester_id AND favorite THEN 0 ELSE 1 END ASC,
-		(latest_build_completed_at IS NOT NULL AND
-			latest_build_canceled_at IS NULL AND
-			latest_build_error IS NULL AND
-			latest_build_transition = 'start'::workspace_transition) DESC,
-		LOWER(owner_username) ASC,
-		LOWER(name) ASC
+		CASE WHEN fw.owner_id = @requester_id AND fw.favorite THEN 0 ELSE 1 END ASC,
+		(fw.latest_build_completed_at IS NOT NULL AND
+			fw.latest_build_canceled_at IS NULL AND
+			fw.latest_build_error IS NULL AND
+			fw.latest_build_transition = 'start'::workspace_transition) DESC,
+		LOWER(fw.owner_username) ASC,
+		LOWER(fw.name) ASC
 	LIMIT
 		CASE
 			WHEN @limit_ :: integer > 0 THEN

coderd/database/queries/workspacesessions.sql

@@ -0,0 +1,110 @@
+-- name: FindOrCreateSessionForDisconnect :one
+-- Find existing session within time window, or create new one.
+-- Uses advisory lock to prevent duplicate sessions from concurrent disconnects.
+-- Groups by client_hostname (with IP fallback) to match the live session
+-- grouping in mergeWorkspaceConnectionsIntoSessions.
+WITH lock AS (
+    SELECT pg_advisory_xact_lock(
+        hashtext(@workspace_id::text || COALESCE(@client_hostname, host(@ip::inet), 'unknown'))
+    )
+),
+existing AS (
+    SELECT id FROM workspace_sessions
+    WHERE workspace_id = @workspace_id::uuid
+      AND (
+          (@client_hostname IS NOT NULL AND client_hostname = @client_hostname)
+          OR
+          (@client_hostname IS NULL AND client_hostname IS NULL AND ip = @ip::inet)
+      )
+      AND @connect_time BETWEEN started_at - INTERVAL '30 minutes' AND ended_at + INTERVAL '30 minutes'
+    ORDER BY started_at DESC
+    LIMIT 1
+),
+new_session AS (
+    INSERT INTO workspace_sessions (workspace_id, agent_id, ip, client_hostname, short_description, started_at, ended_at)
+    SELECT @workspace_id::uuid, @agent_id, @ip::inet, @client_hostname, @short_description, @connect_time, @disconnect_time
+    WHERE NOT EXISTS (SELECT 1 FROM existing)
+    RETURNING id
+),
+updated_session AS (
+    UPDATE workspace_sessions
+    SET started_at = LEAST(started_at, @connect_time),
+        ended_at = GREATEST(ended_at, @disconnect_time)
+    WHERE id = (SELECT id FROM existing)
+    RETURNING id
+)
+SELECT COALESCE(
+    (SELECT id FROM updated_session),
+    (SELECT id FROM new_session)
+) AS id;
+
+-- name: GetWorkspaceSessionsOffset :many
+SELECT
+    ws.*,
+    (SELECT COUNT(*) FROM connection_logs cl WHERE cl.session_id = ws.id) AS connection_count
+FROM workspace_sessions ws
+WHERE ws.workspace_id = @workspace_id
+  AND CASE WHEN @started_after::timestamptz != '0001-01-01 00:00:00Z'::timestamptz
+      THEN ws.started_at >= @started_after ELSE true END
+  AND CASE WHEN @started_before::timestamptz != '0001-01-01 00:00:00Z'::timestamptz
+      THEN ws.started_at <= @started_before ELSE true END
+ORDER BY ws.started_at DESC
+LIMIT @limit_count
+OFFSET @offset_count;
+
+-- name: CountWorkspaceSessions :one
+SELECT COUNT(*) FROM workspace_sessions ws
+WHERE ws.workspace_id = @workspace_id
+  AND CASE WHEN @started_after::timestamptz != '0001-01-01 00:00:00Z'::timestamptz
+      THEN ws.started_at >= @started_after ELSE true END
+  AND CASE WHEN @started_before::timestamptz != '0001-01-01 00:00:00Z'::timestamptz
+      THEN ws.started_at <= @started_before ELSE true END;
+
+-- name: GetConnectionLogsBySessionIDs :many
+SELECT * FROM connection_logs
+WHERE session_id = ANY(@session_ids::uuid[])
+ORDER BY session_id, connect_time DESC;
+
+-- name: GetConnectionLogByConnectionID :one
+SELECT * FROM connection_logs
+WHERE connection_id = @connection_id
+  AND workspace_id = @workspace_id
+  AND agent_name = @agent_name
+LIMIT 1;
+
+-- name: GetGlobalWorkspaceSessionsOffset :many
+SELECT
+    ws.*,
+    w.name AS workspace_name,
+    workspace_owner.username AS workspace_owner_username,
+    (SELECT COUNT(*) FROM connection_logs cl WHERE cl.session_id = ws.id) AS connection_count
+FROM workspace_sessions ws
+JOIN workspaces w ON w.id = ws.workspace_id
+JOIN users workspace_owner ON workspace_owner.id = w.owner_id
+WHERE
+  CASE WHEN @workspace_id::uuid != '00000000-0000-0000-0000-000000000000'::uuid
+    THEN ws.workspace_id = @workspace_id ELSE true END
+  AND CASE WHEN @workspace_owner::text != ''
+    THEN workspace_owner.username = @workspace_owner ELSE true END
+  AND CASE WHEN @started_after::timestamptz != '0001-01-01 00:00:00Z'::timestamptz
+    THEN ws.started_at >= @started_after ELSE true END
+  AND CASE WHEN @started_before::timestamptz != '0001-01-01 00:00:00Z'::timestamptz
+    THEN ws.started_at <= @started_before ELSE true END
+ORDER BY ws.started_at DESC
+LIMIT @limit_count
+OFFSET @offset_count;
+
+-- name: CountGlobalWorkspaceSessions :one
+SELECT COUNT(*) FROM workspace_sessions ws
+JOIN workspaces w ON w.id = ws.workspace_id
+JOIN users workspace_owner ON workspace_owner.id = w.owner_id
+WHERE
+  CASE WHEN @workspace_id::uuid != '00000000-0000-0000-0000-000000000000'::uuid
+    THEN ws.workspace_id = @workspace_id ELSE true END
+  AND CASE WHEN @workspace_owner::text != ''
+    THEN workspace_owner.username = @workspace_owner ELSE true END
+  AND CASE WHEN @started_after::timestamptz != '0001-01-01 00:00:00Z'::timestamptz
+    THEN ws.started_at >= @started_after ELSE true END
+  AND CASE WHEN @started_before::timestamptz != '0001-01-01 00:00:00Z'::timestamptz
+    THEN ws.started_at <= @started_before ELSE true END;
+

coderd/database/unique_constraint.go

@@ -6,6 +6,7 @@ type UniqueConstraint string
 
 // UniqueConstraint enums.
 const (
+	UniqueAgentPeeringIDsPkey                                 UniqueConstraint = "agent_peering_ids_pkey"                                          // ALTER TABLE ONLY agent_peering_ids ADD CONSTRAINT agent_peering_ids_pkey PRIMARY KEY (agent_id, peering_id);
 	UniqueAgentStatsPkey                                      UniqueConstraint = "agent_stats_pkey"                                                // ALTER TABLE ONLY workspace_agent_stats ADD CONSTRAINT agent_stats_pkey PRIMARY KEY (id);
 	UniqueAibridgeInterceptionsPkey                           UniqueConstraint = "aibridge_interceptions_pkey"                                     // ALTER TABLE ONLY aibridge_interceptions ADD CONSTRAINT aibridge_interceptions_pkey PRIMARY KEY (id);
 	UniqueAibridgeTokenUsagesPkey                             UniqueConstraint = "aibridge_token_usages_pkey"                                      // ALTER TABLE ONLY aibridge_token_usages ADD CONSTRAINT aibridge_token_usages_pkey PRIMARY KEY (id);
@@ -108,6 +109,7 @@ const (
 	UniqueWorkspaceResourceMetadataName                       UniqueConstraint = "workspace_resource_metadata_name"                                // ALTER TABLE ONLY workspace_resource_metadata ADD CONSTRAINT workspace_resource_metadata_name UNIQUE (workspace_resource_id, key);
 	UniqueWorkspaceResourceMetadataPkey                       UniqueConstraint = "workspace_resource_metadata_pkey"                                // ALTER TABLE ONLY workspace_resource_metadata ADD CONSTRAINT workspace_resource_metadata_pkey PRIMARY KEY (id);
 	UniqueWorkspaceResourcesPkey                              UniqueConstraint = "workspace_resources_pkey"                                        // ALTER TABLE ONLY workspace_resources ADD CONSTRAINT workspace_resources_pkey PRIMARY KEY (id);
+	UniqueWorkspaceSessionsPkey                               UniqueConstraint = "workspace_sessions_pkey"                                         // ALTER TABLE ONLY workspace_sessions ADD CONSTRAINT workspace_sessions_pkey PRIMARY KEY (id);
 	UniqueWorkspacesPkey                                      UniqueConstraint = "workspaces_pkey"                                                 // ALTER TABLE ONLY workspaces ADD CONSTRAINT workspaces_pkey PRIMARY KEY (id);
 	UniqueIndexAPIKeyName                                     UniqueConstraint = "idx_api_key_name"                                                // CREATE UNIQUE INDEX idx_api_key_name ON api_keys USING btree (user_id, token_name) WHERE (login_type = 'token'::login_type);
 	UniqueIndexConnectionLogsConnectionIDWorkspaceIDAgentName UniqueConstraint = "idx_connection_logs_connection_id_workspace_id_agent_name"       // CREATE UNIQUE INDEX idx_connection_logs_connection_id_workspace_id_agent_name ON connection_logs USING btree (connection_id, workspace_id, agent_name);

coderd/identifiedtelemetry_internal_test.go

@@ -0,0 +1,155 @@
+package coderd
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/mock/gomock"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog/v3/sloggers/slogtest"
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbmock"
+	"github.com/coder/coder/v2/coderd/database/pubsub"
+	"github.com/coder/coder/v2/coderd/wspubsub"
+	tailnetproto "github.com/coder/coder/v2/tailnet/proto"
+	"github.com/coder/coder/v2/testutil"
+)
+
+func TestHandleIdentifiedTelemetry(t *testing.T) {
+	t.Parallel()
+
+	t.Run("PublishesWorkspaceUpdate", func(t *testing.T) {
+		t.Parallel()
+
+		api, dbM, ps := newIdentifiedTelemetryTestAPI(t)
+		ownerID := uuid.New()
+		workspaceID := uuid.New()
+		agentID := uuid.New()
+		peerID := uuid.New()
+
+		dbM.EXPECT().GetWorkspaceByAgentID(gomock.Any(), agentID).Return(database.Workspace{
+			ID:      workspaceID,
+			OwnerID: ownerID,
+		}, nil)
+
+		events, errs := subscribeWorkspaceEvents(t, ps, ownerID)
+
+		api.handleIdentifiedTelemetry(agentID, peerID, []*tailnetproto.TelemetryEvent{{
+			Status: tailnetproto.TelemetryEvent_CONNECTED,
+		}})
+
+		select {
+		case err := <-errs:
+			require.NoError(t, err)
+		default:
+		}
+
+		select {
+		case event := <-events:
+			require.Equal(t, wspubsub.WorkspaceEventKindConnectionLogUpdate, event.Kind)
+			require.Equal(t, workspaceID, event.WorkspaceID)
+			require.NotNil(t, event.AgentID)
+			require.Equal(t, agentID, *event.AgentID)
+		case err := <-errs:
+			require.NoError(t, err)
+		case <-time.After(testutil.IntervalMedium):
+			t.Fatal("timed out waiting for workspace event")
+		}
+
+		require.NotNil(t, api.PeerNetworkTelemetryStore.Get(agentID, peerID))
+	})
+
+	t.Run("EmptyBatchNoPublish", func(t *testing.T) {
+		t.Parallel()
+
+		api, _, ps := newIdentifiedTelemetryTestAPI(t)
+		events, errs := subscribeWorkspaceEvents(t, ps, uuid.Nil)
+
+		agentID := uuid.New()
+		peerID := uuid.New()
+		api.handleIdentifiedTelemetry(agentID, peerID, []*tailnetproto.TelemetryEvent{})
+
+		select {
+		case event := <-events:
+			t.Fatalf("unexpected workspace event: %+v", event)
+		case err := <-errs:
+			t.Fatalf("unexpected pubsub error: %v", err)
+		case <-time.After(testutil.IntervalFast):
+		}
+
+		require.Nil(t, api.PeerNetworkTelemetryStore.Get(agentID, peerID))
+	})
+
+	t.Run("LookupFailureNoPublish", func(t *testing.T) {
+		t.Parallel()
+
+		api, dbM, ps := newIdentifiedTelemetryTestAPI(t)
+		agentID := uuid.New()
+		peerID := uuid.New()
+		dbM.EXPECT().GetWorkspaceByAgentID(gomock.Any(), agentID).Return(database.Workspace{}, xerrors.New("lookup failed"))
+
+		events, errs := subscribeWorkspaceEvents(t, ps, uuid.Nil)
+
+		api.handleIdentifiedTelemetry(agentID, peerID, []*tailnetproto.TelemetryEvent{{
+			Status: tailnetproto.TelemetryEvent_CONNECTED,
+		}})
+
+		select {
+		case event := <-events:
+			t.Fatalf("unexpected workspace event: %+v", event)
+		case err := <-errs:
+			t.Fatalf("unexpected pubsub error: %v", err)
+		case <-time.After(testutil.IntervalFast):
+		}
+
+		require.NotNil(t, api.PeerNetworkTelemetryStore.Get(agentID, peerID))
+	})
+}
+
+func newIdentifiedTelemetryTestAPI(t *testing.T) (*API, *dbmock.MockStore, pubsub.Pubsub) {
+	t.Helper()
+
+	dbM := dbmock.NewMockStore(gomock.NewController(t))
+	ps := pubsub.NewInMemory()
+
+	api := &API{
+		Options: &Options{
+			Database: dbM,
+			Pubsub:   ps,
+			Logger:   slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}),
+		},
+		PeerNetworkTelemetryStore: NewPeerNetworkTelemetryStore(),
+	}
+
+	return api, dbM, ps
+}
+
+func subscribeWorkspaceEvents(t *testing.T, ps pubsub.Pubsub, ownerID uuid.UUID) (<-chan wspubsub.WorkspaceEvent, <-chan error) {
+	t.Helper()
+
+	events := make(chan wspubsub.WorkspaceEvent, 1)
+	errs := make(chan error, 1)
+	cancel, err := ps.SubscribeWithErr(wspubsub.WorkspaceEventChannel(ownerID), wspubsub.HandleWorkspaceEvent(
+		func(_ context.Context, event wspubsub.WorkspaceEvent, err error) {
+			if err != nil {
+				select {
+				case errs <- err:
+				default:
+				}
+				return
+			}
+			select {
+			case events <- event:
+			default:
+			}
+		},
+	))
+	require.NoError(t, err)
+	t.Cleanup(cancel)
+
+	return events, errs
+}

coderd/inboxnotifications.go

@@ -40,7 +40,6 @@ var fallbackIcons = map[uuid.UUID]string{
 	notifications.TemplateWorkspaceManualBuildFailed: codersdk.InboxNotificationFallbackIconWorkspace,
 	notifications.TemplateWorkspaceOutOfMemory:       codersdk.InboxNotificationFallbackIconWorkspace,
 	notifications.TemplateWorkspaceOutOfDisk:         codersdk.InboxNotificationFallbackIconWorkspace,
-	notifications.TemplateWorkspaceAgentRestarted:    codersdk.InboxNotificationFallbackIconWorkspace,
 
 	// account related notifications
 	notifications.TemplateUserAccountCreated:           codersdk.InboxNotificationFallbackIconAccount,

coderd/networktelemetry.go

@@ -0,0 +1,178 @@
+package coderd
+
+import (
+	"sync"
+	"time"
+
+	"github.com/google/uuid"
+
+	tailnetproto "github.com/coder/coder/v2/tailnet/proto"
+)
+
+const peerNetworkTelemetryMaxAge = 2 * time.Minute
+
+type PeerNetworkTelemetry struct {
+	P2P           *bool
+	DERPLatency   *time.Duration
+	P2PLatency    *time.Duration
+	HomeDERP      int
+	LastUpdatedAt time.Time
+}
+
+type PeerNetworkTelemetryStore struct {
+	mu      sync.RWMutex
+	byAgent map[uuid.UUID]map[uuid.UUID]*PeerNetworkTelemetry
+}
+
+func NewPeerNetworkTelemetryStore() *PeerNetworkTelemetryStore {
+	return &PeerNetworkTelemetryStore{
+		byAgent: make(map[uuid.UUID]map[uuid.UUID]*PeerNetworkTelemetry),
+	}
+}
+
+func (s *PeerNetworkTelemetryStore) Update(agentID, peerID uuid.UUID, event *tailnetproto.TelemetryEvent) {
+	if event == nil {
+		return
+	}
+	if event.Status == tailnetproto.TelemetryEvent_DISCONNECTED {
+		s.Delete(agentID, peerID)
+		return
+	}
+	if event.Status != tailnetproto.TelemetryEvent_CONNECTED {
+		return
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	byPeer := s.byAgent[agentID]
+	if byPeer == nil {
+		byPeer = make(map[uuid.UUID]*PeerNetworkTelemetry)
+		s.byAgent[agentID] = byPeer
+	}
+
+	existing := byPeer[peerID]
+	entry := &PeerNetworkTelemetry{
+		LastUpdatedAt: time.Now(),
+	}
+
+	// HomeDERP: prefer explicit non-zero value from the event,
+	// otherwise preserve the prior known value.
+	if event.HomeDerp != 0 {
+		entry.HomeDERP = int(event.HomeDerp)
+	} else if existing != nil {
+		entry.HomeDERP = existing.HomeDERP
+	}
+
+	// Determine whether this event carries any mode/latency signal.
+	hasNetworkInfo := event.P2PEndpoint != nil || event.DerpLatency != nil || event.P2PLatency != nil
+
+	if hasNetworkInfo {
+		// Apply explicit values from the event.
+		if event.P2PEndpoint != nil {
+			p2p := true
+			entry.P2P = &p2p
+		}
+		if event.DerpLatency != nil {
+			d := event.DerpLatency.AsDuration()
+			entry.DERPLatency = &d
+			p2p := false
+			entry.P2P = &p2p
+		}
+		if event.P2PLatency != nil {
+			d := event.P2PLatency.AsDuration()
+			entry.P2PLatency = &d
+			p2p := true
+			entry.P2P = &p2p
+		}
+	} else if existing != nil {
+		// Event has no mode/latency info — preserve prior values
+		// so a bare CONNECTED event doesn't wipe known state.
+		entry.P2P = existing.P2P
+		entry.DERPLatency = existing.DERPLatency
+		entry.P2PLatency = existing.P2PLatency
+	}
+
+	byPeer[peerID] = entry
+}
+
+func (s *PeerNetworkTelemetryStore) Get(agentID uuid.UUID, peerID ...uuid.UUID) *PeerNetworkTelemetry {
+	if len(peerID) > 0 {
+		return s.getByPeer(agentID, peerID[0])
+	}
+
+	// Legacy callers only provide agentID. Return the freshest peer entry.
+	entries := s.GetAll(agentID)
+	var latest *PeerNetworkTelemetry
+	for _, entry := range entries {
+		if latest == nil || entry.LastUpdatedAt.After(latest.LastUpdatedAt) {
+			latest = entry
+		}
+	}
+	return latest
+}
+
+func (s *PeerNetworkTelemetryStore) getByPeer(agentID, peerID uuid.UUID) *PeerNetworkTelemetry {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	byPeer := s.byAgent[agentID]
+	if byPeer == nil {
+		return nil
+	}
+
+	entry := byPeer[peerID]
+	if entry == nil {
+		return nil
+	}
+	if time.Since(entry.LastUpdatedAt) > peerNetworkTelemetryMaxAge {
+		delete(byPeer, peerID)
+		if len(byPeer) == 0 {
+			delete(s.byAgent, agentID)
+		}
+		return nil
+	}
+	return entry
+}
+
+func (s *PeerNetworkTelemetryStore) GetAll(agentID uuid.UUID) map[uuid.UUID]*PeerNetworkTelemetry {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	byPeer := s.byAgent[agentID]
+	if len(byPeer) == 0 {
+		return nil
+	}
+
+	entries := make(map[uuid.UUID]*PeerNetworkTelemetry, len(byPeer))
+	now := time.Now()
+	for peerID, entry := range byPeer {
+		if now.Sub(entry.LastUpdatedAt) > peerNetworkTelemetryMaxAge {
+			delete(byPeer, peerID)
+			continue
+		}
+		entries[peerID] = entry
+	}
+
+	if len(byPeer) == 0 {
+		delete(s.byAgent, agentID)
+	}
+	if len(entries) == 0 {
+		return nil
+	}
+	return entries
+}
+
+func (s *PeerNetworkTelemetryStore) Delete(agentID, peerID uuid.UUID) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	byPeer := s.byAgent[agentID]
+	if byPeer == nil {
+		return
+	}
+	delete(byPeer, peerID)
+	if len(byPeer) == 0 {
+		delete(s.byAgent, agentID)
+	}
+}

coderd/networktelemetry_test.go

@@ -0,0 +1,333 @@
+package coderd_test
+
+import (
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/durationpb"
+
+	"github.com/coder/coder/v2/coderd"
+	tailnetproto "github.com/coder/coder/v2/tailnet/proto"
+)
+
+func TestPeerNetworkTelemetryStore(t *testing.T) {
+	t.Parallel()
+
+	t.Run("UpdateAndGet", func(t *testing.T) {
+		t.Parallel()
+
+		store := coderd.NewPeerNetworkTelemetryStore()
+		agentID := uuid.New()
+		peerID := uuid.New()
+		store.Update(agentID, peerID, &tailnetproto.TelemetryEvent{
+			Status:     tailnetproto.TelemetryEvent_CONNECTED,
+			P2PLatency: durationpb.New(50 * time.Millisecond),
+			HomeDerp:   1,
+		})
+
+		got := store.Get(agentID, peerID)
+		require.NotNil(t, got)
+		require.NotNil(t, got.P2P)
+		require.True(t, *got.P2P)
+		require.NotNil(t, got.P2PLatency)
+		require.Equal(t, 50*time.Millisecond, *got.P2PLatency)
+		require.Equal(t, 1, got.HomeDERP)
+	})
+
+	t.Run("GetMissing", func(t *testing.T) {
+		t.Parallel()
+
+		store := coderd.NewPeerNetworkTelemetryStore()
+		require.Nil(t, store.Get(uuid.New(), uuid.New()))
+	})
+
+	t.Run("LatestWins", func(t *testing.T) {
+		t.Parallel()
+
+		store := coderd.NewPeerNetworkTelemetryStore()
+		agentID := uuid.New()
+		peerID := uuid.New()
+
+		store.Update(agentID, peerID, &tailnetproto.TelemetryEvent{
+			Status:     tailnetproto.TelemetryEvent_CONNECTED,
+			P2PLatency: durationpb.New(10 * time.Millisecond),
+			HomeDerp:   1,
+		})
+		store.Update(agentID, peerID, &tailnetproto.TelemetryEvent{
+			Status:      tailnetproto.TelemetryEvent_CONNECTED,
+			DerpLatency: durationpb.New(75 * time.Millisecond),
+			HomeDerp:    2,
+		})
+
+		got := store.Get(agentID, peerID)
+		require.NotNil(t, got)
+		require.NotNil(t, got.P2P)
+		require.False(t, *got.P2P)
+		require.NotNil(t, got.DERPLatency)
+		require.Equal(t, 75*time.Millisecond, *got.DERPLatency)
+		require.Nil(t, got.P2PLatency)
+		require.Equal(t, 2, got.HomeDERP)
+	})
+
+	t.Run("ConnectedWithoutLatencyPreservesExistingModeAndLatency", func(t *testing.T) {
+		t.Parallel()
+
+		store := coderd.NewPeerNetworkTelemetryStore()
+		agentID := uuid.New()
+		peerID := uuid.New()
+		store.Update(agentID, peerID, &tailnetproto.TelemetryEvent{
+			Status:     tailnetproto.TelemetryEvent_CONNECTED,
+			P2PLatency: durationpb.New(50 * time.Millisecond),
+			HomeDerp:   1,
+		})
+		store.Update(agentID, peerID, &tailnetproto.TelemetryEvent{
+			Status: tailnetproto.TelemetryEvent_CONNECTED,
+		})
+
+		got := store.Get(agentID, peerID)
+		require.NotNil(t, got)
+		require.NotNil(t, got.P2P)
+		require.True(t, *got.P2P)
+		require.NotNil(t, got.P2PLatency)
+		require.Equal(t, 50*time.Millisecond, *got.P2PLatency)
+		require.Equal(t, 1, got.HomeDERP)
+	})
+
+	t.Run("ConnectedWithHomeDerpZeroPreservesPreviousHomeDerp", func(t *testing.T) {
+		t.Parallel()
+
+		store := coderd.NewPeerNetworkTelemetryStore()
+		agentID := uuid.New()
+		peerID := uuid.New()
+		store.Update(agentID, peerID, &tailnetproto.TelemetryEvent{
+			Status:   tailnetproto.TelemetryEvent_CONNECTED,
+			HomeDerp: 3,
+		})
+		store.Update(agentID, peerID, &tailnetproto.TelemetryEvent{
+			Status:      tailnetproto.TelemetryEvent_CONNECTED,
+			DerpLatency: durationpb.New(20 * time.Millisecond),
+		})
+
+		got := store.Get(agentID, peerID)
+		require.NotNil(t, got)
+		require.Equal(t, 3, got.HomeDERP)
+		require.NotNil(t, got.P2P)
+		require.False(t, *got.P2P)
+		require.NotNil(t, got.DERPLatency)
+		require.Equal(t, 20*time.Millisecond, *got.DERPLatency)
+	})
+
+	t.Run("ConnectedWithExplicitLatencyOverridesPreviousValues", func(t *testing.T) {
+		t.Parallel()
+
+		store := coderd.NewPeerNetworkTelemetryStore()
+		agentID := uuid.New()
+		peerID := uuid.New()
+		store.Update(agentID, peerID, &tailnetproto.TelemetryEvent{
+			Status:     tailnetproto.TelemetryEvent_CONNECTED,
+			P2PLatency: durationpb.New(50 * time.Millisecond),
+		})
+		store.Update(agentID, peerID, &tailnetproto.TelemetryEvent{
+			Status:      tailnetproto.TelemetryEvent_CONNECTED,
+			DerpLatency: durationpb.New(30 * time.Millisecond),
+		})
+
+		got := store.Get(agentID, peerID)
+		require.NotNil(t, got)
+		require.NotNil(t, got.P2P)
+		require.False(t, *got.P2P)
+		require.NotNil(t, got.DERPLatency)
+		require.Equal(t, 30*time.Millisecond, *got.DERPLatency)
+		require.Nil(t, got.P2PLatency)
+	})
+
+	t.Run("ConnectedWithoutLatencyLeavesModeUnknown", func(t *testing.T) {
+		t.Parallel()
+
+		store := coderd.NewPeerNetworkTelemetryStore()
+		agentID := uuid.New()
+		peerID := uuid.New()
+		store.Update(agentID, peerID, &tailnetproto.TelemetryEvent{
+			Status:   tailnetproto.TelemetryEvent_CONNECTED,
+			HomeDerp: 1,
+		})
+
+		got := store.Get(agentID, peerID)
+		require.NotNil(t, got)
+		require.Nil(t, got.P2P)
+		require.Nil(t, got.DERPLatency)
+		require.Nil(t, got.P2PLatency)
+	})
+
+	t.Run("TwoPeersIndependentState", func(t *testing.T) {
+		t.Parallel()
+
+		store := coderd.NewPeerNetworkTelemetryStore()
+		agentID := uuid.New()
+		peerA := uuid.New()
+		peerB := uuid.New()
+
+		store.Update(agentID, peerA, &tailnetproto.TelemetryEvent{
+			Status:     tailnetproto.TelemetryEvent_CONNECTED,
+			P2PLatency: durationpb.New(10 * time.Millisecond),
+			HomeDerp:   1,
+		})
+		store.Update(agentID, peerB, &tailnetproto.TelemetryEvent{
+			Status:      tailnetproto.TelemetryEvent_CONNECTED,
+			DerpLatency: durationpb.New(80 * time.Millisecond),
+			HomeDerp:    2,
+		})
+
+		gotA := store.Get(agentID, peerA)
+		require.NotNil(t, gotA)
+		require.NotNil(t, gotA.P2P)
+		require.True(t, *gotA.P2P)
+		require.NotNil(t, gotA.P2PLatency)
+		require.Equal(t, 10*time.Millisecond, *gotA.P2PLatency)
+		require.Nil(t, gotA.DERPLatency)
+		require.Equal(t, 1, gotA.HomeDERP)
+
+		gotB := store.Get(agentID, peerB)
+		require.NotNil(t, gotB)
+		require.NotNil(t, gotB.P2P)
+		require.False(t, *gotB.P2P)
+		require.NotNil(t, gotB.DERPLatency)
+		require.Equal(t, 80*time.Millisecond, *gotB.DERPLatency)
+		require.Nil(t, gotB.P2PLatency)
+		require.Equal(t, 2, gotB.HomeDERP)
+
+		all := store.GetAll(agentID)
+		require.Len(t, all, 2)
+		require.Same(t, gotA, all[peerA])
+		require.Same(t, gotB, all[peerB])
+	})
+
+	t.Run("PeerDisconnectDoesNotWipeOther", func(t *testing.T) {
+		t.Parallel()
+
+		store := coderd.NewPeerNetworkTelemetryStore()
+		agentID := uuid.New()
+		peerA := uuid.New()
+		peerB := uuid.New()
+
+		store.Update(agentID, peerA, &tailnetproto.TelemetryEvent{
+			Status:     tailnetproto.TelemetryEvent_CONNECTED,
+			P2PLatency: durationpb.New(15 * time.Millisecond),
+			HomeDerp:   5,
+		})
+		store.Update(agentID, peerB, &tailnetproto.TelemetryEvent{
+			Status:      tailnetproto.TelemetryEvent_CONNECTED,
+			DerpLatency: durationpb.New(70 * time.Millisecond),
+			HomeDerp:    6,
+		})
+
+		store.Update(agentID, peerA, &tailnetproto.TelemetryEvent{Status: tailnetproto.TelemetryEvent_DISCONNECTED})
+
+		require.Nil(t, store.Get(agentID, peerA))
+		gotB := store.Get(agentID, peerB)
+		require.NotNil(t, gotB)
+		require.NotNil(t, gotB.P2P)
+		require.False(t, *gotB.P2P)
+		require.Equal(t, 6, gotB.HomeDERP)
+		require.NotNil(t, gotB.DERPLatency)
+		require.Equal(t, 70*time.Millisecond, *gotB.DERPLatency)
+
+		all := store.GetAll(agentID)
+		require.Len(t, all, 1)
+		require.Contains(t, all, peerB)
+	})
+
+	t.Run("DisconnectedDeletes", func(t *testing.T) {
+		t.Parallel()
+
+		store := coderd.NewPeerNetworkTelemetryStore()
+		agentID := uuid.New()
+		peerID := uuid.New()
+		store.Update(agentID, peerID, &tailnetproto.TelemetryEvent{
+			Status:     tailnetproto.TelemetryEvent_CONNECTED,
+			P2PLatency: durationpb.New(15 * time.Millisecond),
+		})
+		store.Update(agentID, peerID, &tailnetproto.TelemetryEvent{Status: tailnetproto.TelemetryEvent_DISCONNECTED})
+
+		require.Nil(t, store.Get(agentID, peerID))
+	})
+
+	t.Run("StaleEntryEvicted", func(t *testing.T) {
+		t.Parallel()
+
+		store := coderd.NewPeerNetworkTelemetryStore()
+		agentID := uuid.New()
+		peerID := uuid.New()
+		store.Update(agentID, peerID, &tailnetproto.TelemetryEvent{
+			Status:     tailnetproto.TelemetryEvent_CONNECTED,
+			P2PLatency: durationpb.New(20 * time.Millisecond),
+		})
+
+		entry := store.Get(agentID, peerID)
+		require.NotNil(t, entry)
+		entry.LastUpdatedAt = time.Now().Add(-3 * time.Minute)
+
+		require.Nil(t, store.Get(agentID, peerID))
+		require.Nil(t, store.Get(agentID, peerID))
+	})
+
+	t.Run("Delete", func(t *testing.T) {
+		t.Parallel()
+
+		store := coderd.NewPeerNetworkTelemetryStore()
+		agentID := uuid.New()
+		peerID := uuid.New()
+		store.Update(agentID, peerID, &tailnetproto.TelemetryEvent{
+			Status:     tailnetproto.TelemetryEvent_CONNECTED,
+			P2PLatency: durationpb.New(15 * time.Millisecond),
+		})
+
+		store.Delete(agentID, peerID)
+		require.Nil(t, store.Get(agentID, peerID))
+	})
+
+	t.Run("ConcurrentAccess", func(t *testing.T) {
+		t.Parallel()
+
+		store := coderd.NewPeerNetworkTelemetryStore()
+		agentIDs := make([]uuid.UUID, 8)
+		for i := range agentIDs {
+			agentIDs[i] = uuid.New()
+		}
+		peerIDs := make([]uuid.UUID, 16)
+		for i := range peerIDs {
+			peerIDs[i] = uuid.New()
+		}
+
+		const (
+			goroutines = 8
+			iterations = 100
+		)
+
+		var wg sync.WaitGroup
+		wg.Add(goroutines)
+		for g := 0; g < goroutines; g++ {
+			go func(worker int) {
+				defer wg.Done()
+				for i := 0; i < iterations; i++ {
+					agentID := agentIDs[(worker+i)%len(agentIDs)]
+					peerID := peerIDs[(worker*iterations+i)%len(peerIDs)]
+					store.Update(agentID, peerID, &tailnetproto.TelemetryEvent{
+						Status:     tailnetproto.TelemetryEvent_CONNECTED,
+						P2PLatency: durationpb.New(time.Duration(i+1) * time.Millisecond),
+						HomeDerp:   int32(worker + 1), //nolint:gosec // test data, worker is small
+					})
+					_ = store.Get(agentID, peerID)
+					_ = store.GetAll(agentID)
+					if i%10 == 0 {
+						store.Delete(agentID, peerID)
+					}
+				}
+			}(g)
+		}
+		wg.Wait()
+	})
+}

coderd/notifications/events.go

@@ -18,7 +18,6 @@ var (
 	TemplateWorkspaceManualBuildFailed = uuid.MustParse("2faeee0f-26cb-4e96-821c-85ccb9f71513")
 	TemplateWorkspaceOutOfMemory       = uuid.MustParse("a9d027b4-ac49-4fb1-9f6d-45af15f64e7a")
 	TemplateWorkspaceOutOfDisk         = uuid.MustParse("f047f6a3-5713-40f7-85aa-0394cce9fa3a")
-	TemplateWorkspaceAgentRestarted    = uuid.MustParse("bb2bb51b-5d40-4e33-ae8b-f40f13bfcd24")
 )
 
 // Account-related events.

coderd/notifications/notifications_test.go

@@ -1185,22 +1185,6 @@ func TestNotificationTemplates_Golden(t *testing.T) {
 				},
 			},
 		},
-		{
-			name: "TemplateWorkspaceAgentRestarted",
-			id:   notifications.TemplateWorkspaceAgentRestarted,
-			payload: types.MessagePayload{
-				UserName:     "Bobby",
-				UserEmail:    "bobby@coder.com",
-				UserUsername: "bobby",
-				Labels: map[string]string{
-					"workspace":     "bobby-workspace",
-					"agent":         "main",
-					"restart_count": "3",
-					"reason":        "signal",
-					"kill_signal":   "killed",
-				},
-			},
-		},
 		{
 			name: "TemplateTestNotification",
 			id:   notifications.TemplateTestNotification,

coderd/notifications/testdata/rendered-templates/smtp/TemplateWorkspaceAgentRestarted.html.golden

@@ -1,79 +0,0 @@
-From: system@coder.com
-To: bobby@coder.com
-Subject: Your workspace agent "main" has been restarted
-Message-Id: 02ee4935-73be-4fa1-a290-ff9999026b13@blush-whale-48
-Date: Fri, 11 Oct 2024 09:03:06 +0000
-Content-Type: multipart/alternative;  boundary=bbe61b741255b6098bb6b3c1f41b885773df633cb18d2a3002b68e4bc9c4
-MIME-Version: 1.0
-
---bbe61b741255b6098bb6b3c1f41b885773df633cb18d2a3002b68e4bc9c4
-Content-Transfer-Encoding: quoted-printable
-Content-Type: text/plain; charset=UTF-8
-
-Hi Bobby,
-
-Your workspace bobby-workspace agent main has been restarted 3 time(s) to r=
-ecover from an unexpected exit (signal: killed).
-
-
-View workspace: http://test.com/@bobby/bobby-workspace
-
---bbe61b741255b6098bb6b3c1f41b885773df633cb18d2a3002b68e4bc9c4
-Content-Transfer-Encoding: quoted-printable
-Content-Type: text/html; charset=UTF-8
-
-<!doctype html>
-<html lang=3D"en">
-  <head>
-    <meta charset=3D"UTF-8" />
-    <meta name=3D"viewport" content=3D"width=3Ddevice-width, initial-scale=
-=3D1.0" />
-    <title>Your workspace agent "main" has been restarted</title>
-  </head>
-  <body style=3D"margin: 0; padding: 0; font-family: -apple-system, system-=
-ui, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen', 'Ubuntu', 'Cantarel=
-l', 'Fira Sans', 'Droid Sans', 'Helvetica Neue', sans-serif; color: #020617=
-; background: #f8fafc;">
-    <div style=3D"max-width: 600px; margin: 20px auto; padding: 60px; borde=
-r: 1px solid #e2e8f0; border-radius: 8px; background-color: #fff; text-alig=
-n: left; font-size: 14px; line-height: 1.5;">
-      <div style=3D"text-align: center;">
-        <img src=3D"https://coder.com/coder-logo-horizontal.png" alt=3D"Cod=
-er Logo" style=3D"height: 40px;" />
-      </div>
-      <h1 style=3D"text-align: center; font-size: 24px; font-weight: 400; m=
-argin: 8px 0 32px; line-height: 1.5;">
-        Your workspace agent "main" has been restarted
-      </h1>
-      <div style=3D"line-height: 1.5;">
-        <p>Hi Bobby,</p>
-        <p>Your workspace <strong>bobby-workspace</strong> agent <strong>ma=
-in</strong> has been restarted <strong>3</strong> time(s) to recover from a=
-n unexpected exit (signal: killed).</p>
-      </div>
-      <div style=3D"text-align: center; margin-top: 32px;">
-       =20
-        <a href=3D"http://test.com/@bobby/bobby-workspace" style=3D"display=
-: inline-block; padding: 13px 24px; background-color: #020617; color: #f8fa=
-fc; text-decoration: none; border-radius: 8px; margin: 0 4px;">
-          View workspace
-        </a>
-       =20
-      </div>
-      <div style=3D"border-top: 1px solid #e2e8f0; color: #475569; font-siz=
-e: 12px; margin-top: 64px; padding-top: 24px; line-height: 1.6;">
-        <p>&copy;&nbsp;2024&nbsp;Coder. All rights reserved&nbsp;-&nbsp;<a =
-href=3D"http://test.com" style=3D"color: #2563eb; text-decoration: none;">h=
-ttp://test.com</a></p>
-        <p><a href=3D"http://test.com/settings/notifications" style=3D"colo=
-r: #2563eb; text-decoration: none;">Click here to manage your notification =
-settings</a></p>
-        <p><a href=3D"http://test.com/settings/notifications?disabled=3Dbb2=
-bb51b-5d40-4e33-ae8b-f40f13bfcd24" style=3D"color: #2563eb; text-decoration=
-: none;">Stop receiving emails like this</a></p>
-      </div>
-    </div>
-  </body>
-</html>
-
---bbe61b741255b6098bb6b3c1f41b885773df633cb18d2a3002b68e4bc9c4--

coderd/notifications/testdata/rendered-templates/webhook/TemplateWorkspaceAgentRestarted.json.golden

@@ -1,32 +0,0 @@
-{
-  "_version": "1.1",
-  "msg_id": "00000000-0000-0000-0000-000000000000",
-  "payload": {
-    "_version": "1.2",
-    "notification_name": "Workspace Agent Restarted",
-    "notification_template_id": "00000000-0000-0000-0000-000000000000",
-    "user_id": "00000000-0000-0000-0000-000000000000",
-    "user_email": "bobby@coder.com",
-    "user_name": "Bobby",
-    "user_username": "bobby",
-    "actions": [
-      {
-        "label": "View workspace",
-        "url": "http://test.com/@bobby/bobby-workspace"
-      }
-    ],
-    "labels": {
-      "agent": "main",
-      "kill_signal": "killed",
-      "reason": "signal",
-      "restart_count": "3",
-      "workspace": "bobby-workspace"
-    },
-    "data": null,
-    "targets": null
-  },
-  "title": "Your workspace agent \"main\" has been restarted",
-  "title_markdown": "Your workspace agent \"main\" has been restarted",
-  "body": "Your workspace bobby-workspace agent main has been restarted 3 time(s) to recover from an unexpected exit (signal: killed).",
-  "body_markdown": "Your workspace **bobby-workspace** agent **main** has been restarted **3** time(s) to recover from an unexpected exit (signal: killed)."
-}