docs(cli): reference --oidc-group-mapping flag name instead of 'legacy'

Issue: Used internal nomenclature instead of user-facing flag name The previous fix referenced 'legacy group name mapping' but users don't know what that means - it's an internal implementation detail. Users configure this via the --oidc-group-mapping flag. Changed to: 'This filter is applied after the oidc-group-mapping.' This directly references the flag name users would actually use, making the relationship clear and actionable. Users can now understand: - The regex filter applies to group names - Group names may have been transformed by --oidc-group-mapping first - They need to write regex patterns that match the mapped names Example: If --oidc-group-mapping transforms 'developers' to 'dev-team', the regex in --oidc-group-regex-filter will match against 'dev-team'.
docs(cli): fix help text for --oidc-group-regex-filter (clarify mapping order)
2026-02-09 16:14:00 -05:00 · 2026-02-09 16:13:59 -05:00 · 2026-02-09 16:13:59 -05:00 · 2026-02-09 16:13:59 -05:00 · 2026-02-09 16:13:59 -05:00 · 2026-02-09 16:13:58 -05:00
821 changed files with 12653 additions and 66673 deletions
@@ -1,4 +0,0 @@
-# All artifacts of the build processed are dumped here.
-# Ignore it for docker context, as all Dockerfiles should build their own
-# binaries.
-build
@@ -4,7 +4,10 @@ description: |
 inputs:
  version:
    description: "The Go version to use."
-    default: "1.25.7"
+    default: "1.25.6"
+  use-preinstalled-go:
+    description: "Whether to use preinstalled Go."
+    default: "false"
  use-cache:
    description: "Whether to use the cache."
    default: "true"
@@ -12,9 +15,9 @@ runs:
  using: "composite"
  steps:
    - name: Setup Go
-      uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
-        go-version: ${{ inputs.version }}
+        go-version: ${{ inputs.use-preinstalled-go == 'false' && inputs.version || '' }}
        cache: ${{ inputs.use-cache }}

    - name: Install gotestsum
@@ -7,5 +7,5 @@ runs:
    - name: Install Terraform
      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
      with:
-        terraform_version: 1.14.5
+        terraform_version: 1.14.1
        terraform_wrapper: false
@@ -35,7 +35,7 @@ jobs:
      tailnet-integration: ${{ steps.filter.outputs.tailnet-integration }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -157,7 +157,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -247,7 +247,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -272,7 +272,7 @@ jobs:
    if: ${{ !cancelled() }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -329,7 +329,7 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -381,7 +381,7 @@ jobs:
          - windows-2022
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -422,6 +422,10 @@ jobs:
      - name: Setup Go
        uses: ./.github/actions/setup-go
        with:
+          # Runners have Go baked-in and Go will automatically
+          # download the toolchain configured in go.mod, so we don't
+          # need to reinstall it. It's faster on Windows runners.
+          use-preinstalled-go: ${{ runner.os == 'Windows' }}
          use-cache: true

      - name: Setup Terraform
@@ -485,14 +489,6 @@ jobs:
          # macOS will output "The default interactive shell is now zsh" intermittently in CI.
          touch ~/.bash_profile && echo "export BASH_SILENCE_DEPRECATION_WARNING=1" >> ~/.bash_profile

-      - name: Increase PTY limit (macOS)
-        if: runner.os == 'macOS'
-        shell: bash
-        run: |
-          # Increase PTY limit to avoid exhaustion during tests.
-          # Default is 511; 999 is the maximum value on CI runner.
-          sudo sysctl -w kern.tty.ptmx_max=999
-
      - name: Test with PostgreSQL Database (Linux)
        if: runner.os == 'Linux'
        uses: ./.github/actions/test-go-pg
@@ -582,7 +578,7 @@ jobs:
    timeout-minutes: 25
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -644,7 +640,7 @@ jobs:
    timeout-minutes: 25
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -716,7 +712,7 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -743,7 +739,7 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -776,7 +772,7 @@ jobs:
    name: ${{ matrix.variant.name }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -856,7 +852,7 @@ jobs:
    if: needs.changes.outputs.site == 'true' || needs.changes.outputs.ci == 'true'
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -937,7 +933,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -1009,7 +1005,7 @@ jobs:
    if: always()
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -1124,7 +1120,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -1179,7 +1175,7 @@ jobs:
      IMAGE: ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -1576,7 +1572,7 @@ jobs:
    if: needs.changes.outputs.db == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -36,7 +36,7 @@ jobs:
      verdict: ${{ steps.check.outputs.verdict }} # DEPLOY or NOOP
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -65,7 +65,7 @@ jobs:
      packages: write # to retag image as dogfood
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -146,7 +146,7 @@ jobs:
    needs: deploy
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -38,7 +38,7 @@ jobs:
    if: github.repository_owner == 'coder'
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -58,11 +58,11 @@ jobs:
        run: mkdir base-build-context

      - name: Install depot.dev CLI
-        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
+        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0

      # This uses OIDC authentication, so no auth variables are required.
      - name: Build base Docker image via depot.dev
-        uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
+        uses: depot/build-push-action@9785b135c3c76c33db102e45be96a25ab55cd507 # v1.16.2
        with:
          project: wl5hnrrkns
          context: base-build-context
@@ -26,7 +26,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -75,7 +75,7 @@ jobs:
          BRANCH_NAME: ${{ steps.branch-name.outputs.current_branch }}

      - name: Set up Depot CLI
-        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
+        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
@@ -88,7 +88,7 @@ jobs:
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Build and push Non-Nix image
-        uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
+        uses: depot/build-push-action@9785b135c3c76c33db102e45be96a25ab55cd507 # v1.16.2
        with:
          project: b4q6ltmpzh
          token: ${{ secrets.DEPOT_TOKEN }}
@@ -125,7 +125,7 @@ jobs:
      id-token: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -28,7 +28,7 @@ jobs:
          - windows-2022
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -64,6 +64,11 @@ jobs:

      - name: Setup Go
        uses: ./.github/actions/setup-go
+        with:
+          # Runners have Go baked-in and Go will automatically
+          # download the toolchain configured in go.mod, so we don't
+          # need to reinstall it. It's faster on Windows runners.
+          use-preinstalled-go: ${{ runner.os == 'Windows' }}

      - name: Setup Terraform
        uses: ./.github/actions/setup-tf
@@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -19,7 +19,7 @@ jobs:
      packages: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -39,7 +39,7 @@ jobs:
      PR_OPEN: ${{ steps.check_pr.outputs.pr_open }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -76,7 +76,7 @@ jobs:
    runs-on: "ubuntu-latest"
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -184,7 +184,7 @@ jobs:
      pull-requests: write # needed for commenting on PRs
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -228,7 +228,7 @@ jobs:
      CODER_IMAGE_TAG: ${{ needs.get_info.outputs.CODER_IMAGE_TAG }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -288,7 +288,7 @@ jobs:
      PR_HOSTNAME: "pr${{ needs.get_info.outputs.PR_NUMBER }}.${{ secrets.PR_DEPLOYMENTS_DOMAIN }}"
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -14,7 +14,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -158,7 +158,7 @@ jobs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -386,12 +386,12 @@ jobs:

      - name: Install depot.dev CLI
        if: steps.image-base-tag.outputs.tag != ''
-        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
+        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0

      # This uses OIDC authentication, so no auth variables are required.
      - name: Build base Docker image via depot.dev
        if: steps.image-base-tag.outputs.tag != ''
-        uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
+        uses: depot/build-push-action@9785b135c3c76c33db102e45be96a25ab55cd507 # v1.16.2
        with:
          project: wl5hnrrkns
          context: base-build-context
@@ -796,7 +796,7 @@ jobs:
      # TODO: skip this if it's not a new release (i.e. a backport). This is
      #       fine right now because it just makes a PR that we can close.
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -872,7 +872,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -965,7 +965,7 @@ jobs:
    if: ${{ !inputs.dry_run }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -20,7 +20,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -27,7 +27,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -69,7 +69,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -146,7 +146,7 @@ jobs:
          echo "image=$(cat "$image_job")" >> "$GITHUB_OUTPUT"

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
        with:
          image-ref: ${{ steps.build.outputs.image }}
          format: sarif
@@ -18,12 +18,12 @@ jobs:
      pull-requests: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: stale
-        uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+        uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
        with:
          stale-issue-label: "stale"
          stale-pr-label: "stale"
@@ -96,7 +96,7 @@ jobs:
      contents: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -120,7 +120,7 @@ jobs:
      actions: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -21,7 +21,7 @@ jobs:
      pull-requests: write # required to post PR review comments by the action
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -98,6 +98,3 @@ AGENTS.local.md

 # Ignore plans written by AI agents.
 PLAN.md
-
-# Ignore any dev licenses
-license.txt
@@ -854,7 +854,7 @@ enterprise/aibridged/proto/aibridged.pb.go: enterprise/aibridged/proto/aibridged
 site/src/api/typesGenerated.ts: site/node_modules/.installed $(wildcard scripts/apitypings/*) $(shell find ./codersdk $(FIND_EXCLUSIONS) -type f -name '*.go')
 	# -C sets the directory for the go run command
 	go run -C ./scripts/apitypings main.go > $@
-	./scripts/biome_format.sh src/api/typesGenerated.ts
+	(cd site/ && pnpm exec biome format --write src/api/typesGenerated.ts)
 	touch "$@"

 site/e2e/provisionerGenerated.ts: site/node_modules/.installed provisionerd/proto/provisionerd.pb.go provisionersdk/proto/provisioner.pb.go
@@ -863,7 +863,7 @@ site/e2e/provisionerGenerated.ts: site/node_modules/.installed provisionerd/prot

 site/src/theme/icons.json: site/node_modules/.installed $(wildcard scripts/gensite/*) $(wildcard site/static/icon/*)
 	go run ./scripts/gensite/ -icons "$@"
-	./scripts/biome_format.sh src/theme/icons.json
+	(cd site/ && pnpm exec biome format --write src/theme/icons.json)
 	touch "$@"

 examples/examples.gen.json: scripts/examplegen/main.go examples/examples.go $(shell find ./examples/templates)
@@ -901,18 +901,15 @@ codersdk/apikey_scopes_gen.go: scripts/apikeyscopesgen/main.go coderd/rbac/scope

 site/src/api/rbacresourcesGenerated.ts: site/node_modules/.installed scripts/typegen/codersdk.gotmpl scripts/typegen/main.go coderd/rbac/object.go coderd/rbac/policy/policy.go
 	go run scripts/typegen/main.go rbac typescript > "$@"
-	./scripts/biome_format.sh src/api/rbacresourcesGenerated.ts
+	(cd site/ && pnpm exec biome format --write src/api/rbacresourcesGenerated.ts)
 	touch "$@"

 site/src/api/countriesGenerated.ts: site/node_modules/.installed scripts/typegen/countries.tstmpl scripts/typegen/main.go codersdk/countries.go
 	go run scripts/typegen/main.go countries > "$@"
-	./scripts/biome_format.sh src/api/countriesGenerated.ts
+	(cd site/ && pnpm exec biome format --write src/api/countriesGenerated.ts)
 	touch "$@"

-scripts/metricsdocgen/generated_metrics: $(GO_SRC_FILES)
-	go run ./scripts/metricsdocgen/scanner > $@
-
-docs/admin/integrations/prometheus.md: node_modules/.installed scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics scripts/metricsdocgen/generated_metrics
+docs/admin/integrations/prometheus.md: node_modules/.installed scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
 	go run scripts/metricsdocgen/main.go
 	pnpm exec markdownlint-cli2 --fix ./docs/admin/integrations/prometheus.md
 	pnpm exec markdown-table-formatter ./docs/admin/integrations/prometheus.md
@@ -950,11 +947,11 @@ coderd/apidoc/.gen: \
 	touch "$@"

 docs/manifest.json: site/node_modules/.installed coderd/apidoc/.gen docs/reference/cli/index.md
-	./scripts/biome_format.sh ../docs/manifest.json
+	(cd site/ && pnpm exec biome format --write ../docs/manifest.json)
 	touch "$@"

 coderd/apidoc/swagger.json: site/node_modules/.installed coderd/apidoc/.gen
-	./scripts/biome_format.sh ../coderd/apidoc/swagger.json
+	(cd site/ && pnpm exec biome format --write ../coderd/apidoc/swagger.json)
 	touch "$@"

 update-golden-files:
@@ -999,19 +996,11 @@ enterprise/tailnet/testdata/.gen-golden: $(wildcard enterprise/tailnet/testdata/
 	touch "$@"

 helm/coder/tests/testdata/.gen-golden: $(wildcard helm/coder/tests/testdata/*.yaml) $(wildcard helm/coder/tests/testdata/*.golden) $(GO_SRC_FILES) $(wildcard helm/coder/tests/*_test.go)
-	if command -v helm >/dev/null 2>&1; then
-		TZ=UTC go test ./helm/coder/tests -run=TestUpdateGoldenFiles -update
-	else
-		echo "WARNING: helm not found; skipping helm/coder golden generation" >&2
-	fi
+	TZ=UTC go test ./helm/coder/tests -run=TestUpdateGoldenFiles -update
 	touch "$@"

 helm/provisioner/tests/testdata/.gen-golden: $(wildcard helm/provisioner/tests/testdata/*.yaml) $(wildcard helm/provisioner/tests/testdata/*.golden) $(GO_SRC_FILES) $(wildcard helm/provisioner/tests/*_test.go)
-	if command -v helm >/dev/null 2>&1; then
-		TZ=UTC go test ./helm/provisioner/tests -run=TestUpdateGoldenFiles -update
-	else
-		echo "WARNING: helm not found; skipping helm/provisioner golden generation" >&2
-	fi
+	TZ=UTC go test ./helm/provisioner/tests -run=TestUpdateGoldenFiles -update
 	touch "$@"

 coderd/.gen-golden: $(wildcard coderd/testdata/*/*.golden) $(GO_SRC_FILES) $(wildcard coderd/*_test.go)
@@ -131,6 +131,3 @@ contributions!
 ## Hiring

 Apply [here](https://jobs.ashbyhq.com/coder?utm_source=github&utm_medium=readme&utm_campaign=unknown) if you're interested in joining our team.
-
-## Joke
-Why do developers love Coder? Because it helps them keep their environments stable while their deadlines are not.
@@ -111,12 +111,6 @@ type Client interface {
 	ConnectRPC28(ctx context.Context) (
 		proto.DRPCAgentClient28, tailnetproto.DRPCTailnetClient28, error,
 	)
-	// ConnectRPC28WithRole is like ConnectRPC28 but sends an explicit
-	// role query parameter to the server. The workspace agent should
-	// use role "agent" to enable connection monitoring.
-	ConnectRPC28WithRole(ctx context.Context, role string) (
-		proto.DRPCAgentClient28, tailnetproto.DRPCTailnetClient28, error,
-	)
 	tailnet.DERPMapRewriter
 	agentsdk.RefreshableSessionTokenProvider
 }
@@ -1003,10 +997,8 @@ func (a *agent) run() (retErr error) {
 		return xerrors.Errorf("refresh token: %w", err)
 	}

-	// ConnectRPC returns the dRPC connection we use for the Agent and Tailnet v2+ APIs.
-	// We pass role "agent" to enable connection monitoring on the server, which tracks
-	// the agent's connectivity state (first_connected_at, last_connected_at, disconnected_at).
-	aAPI, tAPI, err := a.client.ConnectRPC28WithRole(a.hardCtx, "agent")
+	// ConnectRPC returns the dRPC connection we use for the Agent and Tailnet v2+ APIs
+	aAPI, tAPI, err := a.client.ConnectRPC28(a.hardCtx)
 	if err != nil {
 		return err
 	}
@@ -1,22 +1,37 @@
 package agentsocket_test

 import (
+	"context"
+	"path/filepath"
+	"runtime"
 	"testing"

+	"github.com/google/uuid"
+	"github.com/spf13/afero"
 	"github.com/stretchr/testify/require"

 	"cdr.dev/slog/v3"
+	"github.com/coder/coder/v2/agent"
 	"github.com/coder/coder/v2/agent/agentsocket"
+	"github.com/coder/coder/v2/agent/agenttest"
+	agentproto "github.com/coder/coder/v2/agent/proto"
+	"github.com/coder/coder/v2/codersdk/agentsdk"
+	"github.com/coder/coder/v2/tailnet"
+	"github.com/coder/coder/v2/tailnet/tailnettest"
 	"github.com/coder/coder/v2/testutil"
 )

 func TestServer(t *testing.T) {
 	t.Parallel()

+	if runtime.GOOS == "windows" {
+		t.Skip("agentsocket is not supported on Windows")
+	}
+
 	t.Run("StartStop", func(t *testing.T) {
 		t.Parallel()

-		socketPath := testutil.AgentSocketPath(t)
+		socketPath := filepath.Join(t.TempDir(), "test.sock")
 		logger := slog.Make().Leveled(slog.LevelDebug)
 		server, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
 		require.NoError(t, err)
@@ -26,7 +41,7 @@ func TestServer(t *testing.T) {
 	t.Run("AlreadyStarted", func(t *testing.T) {
 		t.Parallel()

-		socketPath := testutil.AgentSocketPath(t)
+		socketPath := filepath.Join(t.TempDir(), "test.sock")
 		logger := slog.Make().Leveled(slog.LevelDebug)
 		server1, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
 		require.NoError(t, err)
@@ -34,4 +49,90 @@ func TestServer(t *testing.T) {
 		_, err = agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
 		require.ErrorContains(t, err, "create socket")
 	})
+
+	t.Run("AutoSocketPath", func(t *testing.T) {
+		t.Parallel()
+
+		socketPath := filepath.Join(t.TempDir(), "test.sock")
+		logger := slog.Make().Leveled(slog.LevelDebug)
+		server, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
+		require.NoError(t, err)
+		require.NoError(t, server.Close())
+	})
+}
+
+func TestServerWindowsNotSupported(t *testing.T) {
+	t.Parallel()
+
+	if runtime.GOOS != "windows" {
+		t.Skip("this test only runs on Windows")
+	}
+
+	t.Run("NewServer", func(t *testing.T) {
+		t.Parallel()
+
+		socketPath := filepath.Join(t.TempDir(), "test.sock")
+		logger := slog.Make().Leveled(slog.LevelDebug)
+		_, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
+		require.ErrorContains(t, err, "agentsocket is not supported on Windows")
+	})
+
+	t.Run("NewClient", func(t *testing.T) {
+		t.Parallel()
+
+		_, err := agentsocket.NewClient(context.Background(), agentsocket.WithPath("test.sock"))
+		require.ErrorContains(t, err, "agentsocket is not supported on Windows")
+	})
+}
+
+func TestAgentInitializesOnWindowsWithoutSocketServer(t *testing.T) {
+	t.Parallel()
+
+	if runtime.GOOS != "windows" {
+		t.Skip("this test only runs on Windows")
+	}
+
+	ctx := testutil.Context(t, testutil.WaitShort)
+	logger := testutil.Logger(t).Named("agent")
+
+	derpMap, _ := tailnettest.RunDERPAndSTUN(t)
+
+	coordinator := tailnet.NewCoordinator(logger)
+	t.Cleanup(func() {
+		_ = coordinator.Close()
+	})
+
+	statsCh := make(chan *agentproto.Stats, 50)
+	agentID := uuid.New()
+	manifest := agentsdk.Manifest{
+		AgentID:       agentID,
+		AgentName:     "test-agent",
+		WorkspaceName: "test-workspace",
+		OwnerName:     "test-user",
+		WorkspaceID:   uuid.New(),
+		DERPMap:       derpMap,
+	}
+
+	client := agenttest.NewClient(t, logger.Named("agenttest"), agentID, manifest, statsCh, coordinator)
+	t.Cleanup(client.Close)
+
+	options := agent.Options{
+		Client:                 client,
+		Filesystem:             afero.NewMemMapFs(),
+		Logger:                 logger.Named("agent"),
+		ReconnectingPTYTimeout: testutil.WaitShort,
+		EnvironmentVariables:   map[string]string{},
+		SocketPath:             "",
+	}
+
+	agnt := agent.New(options)
+	t.Cleanup(func() {
+		_ = agnt.Close()
+	})
+
+	startup := testutil.TryReceive(ctx, t, client.GetStartup())
+	require.NotNil(t, startup, "agent should send startup message")
+
+	err := agnt.Close()
+	require.NoError(t, err, "agent should close cleanly")
 }
@@ -2,6 +2,8 @@ package agentsocket_test

 import (
 	"context"
+	"path/filepath"
+	"runtime"
 	"testing"

 	"github.com/stretchr/testify/require"
@@ -28,10 +30,14 @@ func newSocketClient(ctx context.Context, t *testing.T, socketPath string) *agen
 func TestDRPCAgentSocketService(t *testing.T) {
 	t.Parallel()

+	if runtime.GOOS == "windows" {
+		t.Skip("agentsocket is not supported on Windows")
+	}
+
 	t.Run("Ping", func(t *testing.T) {
 		t.Parallel()

-		socketPath := testutil.AgentSocketPath(t)
+		socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
 		ctx := testutil.Context(t, testutil.WaitShort)
 		server, err := agentsocket.NewServer(
 			slog.Make().Leveled(slog.LevelDebug),
@@ -51,7 +57,7 @@ func TestDRPCAgentSocketService(t *testing.T) {

 		t.Run("NewUnit", func(t *testing.T) {
 			t.Parallel()
-			socketPath := testutil.AgentSocketPath(t)
+			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -73,7 +79,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("UnitAlreadyStarted", func(t *testing.T) {
 			t.Parallel()

-			socketPath := testutil.AgentSocketPath(t)
+			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -103,7 +109,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("UnitAlreadyCompleted", func(t *testing.T) {
 			t.Parallel()

-			socketPath := testutil.AgentSocketPath(t)
+			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -142,7 +148,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("UnitNotReady", func(t *testing.T) {
 			t.Parallel()

-			socketPath := testutil.AgentSocketPath(t)
+			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -172,7 +178,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("NewUnits", func(t *testing.T) {
 			t.Parallel()

-			socketPath := testutil.AgentSocketPath(t)
+			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -197,7 +203,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("DependencyAlreadyRegistered", func(t *testing.T) {
 			t.Parallel()

-			socketPath := testutil.AgentSocketPath(t)
+			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -232,7 +238,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("DependencyAddedAfterDependentStarted", func(t *testing.T) {
 			t.Parallel()

-			socketPath := testutil.AgentSocketPath(t)
+			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -274,7 +280,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("UnregisteredUnit", func(t *testing.T) {
 			t.Parallel()

-			socketPath := testutil.AgentSocketPath(t)
+			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -293,7 +299,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("UnitNotReady", func(t *testing.T) {
 			t.Parallel()

-			socketPath := testutil.AgentSocketPath(t)
+			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -317,7 +323,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("UnitReady", func(t *testing.T) {
 			t.Parallel()

-			socketPath := testutil.AgentSocketPath(t)
+			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -4,60 +4,19 @@ package agentsocket

 import (
 	"context"
-	"fmt"
 	"net"
-	"os"
-	"os/user"
-	"strings"

-	"github.com/Microsoft/go-winio"
 	"golang.org/x/xerrors"
 )

-const defaultSocketPath = `\\.\pipe\com.coder.agentsocket`
-
-func createSocket(path string) (net.Listener, error) {
-	if path == "" {
-		path = defaultSocketPath
-	}
-	if !strings.HasPrefix(path, `\\.\pipe\`) {
-		return nil, xerrors.Errorf("%q is not a valid local socket path", path)
-	}
-
-	user, err := user.Current()
-	if err != nil {
-		return nil, fmt.Errorf("unable to look up current user: %w", err)
-	}
-	sid := user.Uid
-
-	// SecurityDescriptor is in SDDL format. c.f.
-	// https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format for full details.
-	// D: indicates this is a Discretionary Access Control List (DACL), which is Windows-speak for ACLs that allow or
-	// deny access (as opposed to SACL which controls audit logging).
-	// P indicates that this DACL is "protected" from being modified thru inheritance
-	// () delimit access control entries (ACEs), here we only have one, which, allows (A) generic all (GA) access to our
-	// specific user's security ID (SID).
-	//
-	// Note that although Microsoft docs at https://learn.microsoft.com/en-us/windows/win32/ipc/named-pipes warns that
-	// named pipes are accessible from remote machines in the general case, the `winio` package sets the flag
-	// windows.FILE_PIPE_REJECT_REMOTE_CLIENTS when creating pipes, so connections from remote machines are always
-	// denied. This is important because we sort of expect customers to run the Coder agent under a generic user
-	// account unless they are very sophisticated. We don't want this socket to cross the boundary of the local machine.
-	configuration := &winio.PipeConfig{
-		SecurityDescriptor: fmt.Sprintf("D:P(A;;GA;;;%s)", sid),
-	}
-
-	listener, err := winio.ListenPipe(path, configuration)
-	if err != nil {
-		return nil, xerrors.Errorf("failed to open named pipe: %w", err)
-	}
-	return listener, nil
+func createSocket(_ string) (net.Listener, error) {
+	return nil, xerrors.New("agentsocket is not supported on Windows")
 }

-func cleanupSocket(path string) error {
-	return os.Remove(path)
+func cleanupSocket(_ string) error {
+	return nil
 }

-func dialSocket(ctx context.Context, path string) (net.Conn, error) {
-	return winio.DialPipeContext(ctx, path)
+func dialSocket(_ context.Context, _ string) (net.Conn, error) {
+	return nil, xerrors.New("agentsocket is not supported on Windows")
 }
@@ -124,12 +124,6 @@ func (c *Client) Close() {
 	c.derpMapOnce.Do(func() { close(c.derpMapUpdates) })
 }

-func (c *Client) ConnectRPC28WithRole(ctx context.Context, _ string) (
-	agentproto.DRPCAgentClient28, proto.DRPCTailnetClient28, error,
-) {
-	return c.ConnectRPC28(ctx)
-}
-
 func (c *Client) ConnectRPC28(ctx context.Context) (
 	agentproto.DRPCAgentClient28, proto.DRPCTailnetClient28, error,
 ) {
@@ -235,10 +229,6 @@ type FakeAgentAPI struct {
 	pushResourcesMonitoringUsageFunc        func(*agentproto.PushResourcesMonitoringUsageRequest) (*agentproto.PushResourcesMonitoringUsageResponse, error)
 }

-func (*FakeAgentAPI) UpdateAppStatus(context.Context, *agentproto.UpdateAppStatusRequest) (*agentproto.UpdateAppStatusResponse, error) {
-	panic("unimplemented")
-}
-
 func (f *FakeAgentAPI) GetManifest(context.Context, *agentproto.GetManifestRequest) (*agentproto.Manifest, error) {
 	return f.manifest, nil
 }
@@ -436,7 +436,7 @@ message CreateSubAgentRequest {
 	}

 	repeated DisplayApp display_apps = 6;
-
+	
 	optional bytes id = 7;
 }

@@ -494,24 +494,6 @@ message ReportBoundaryLogsRequest {

 message ReportBoundaryLogsResponse {}

-// UpdateAppStatusRequest updates the given Workspace App's status. c.f. agentsdk.PatchAppStatus
-message UpdateAppStatusRequest {
-  string slug = 1;
-
-  enum AppStatusState {
-    WORKING = 0;
-    IDLE = 1;
-    COMPLETE = 2;
-    FAILURE = 3;
-  }
-  AppStatusState state = 2;
-
-  string message = 3;
-  string uri = 4;
-}
-
-message UpdateAppStatusResponse {}
-
 service Agent {
 	rpc GetManifest(GetManifestRequest) returns (Manifest);
 	rpc GetServiceBanner(GetServiceBannerRequest) returns (ServiceBanner);
@@ -530,5 +512,4 @@ service Agent {
 	rpc DeleteSubAgent(DeleteSubAgentRequest) returns (DeleteSubAgentResponse);
 	rpc ListSubAgents(ListSubAgentsRequest) returns (ListSubAgentsResponse);
 	rpc ReportBoundaryLogs(ReportBoundaryLogsRequest) returns (ReportBoundaryLogsResponse);
-  rpc UpdateAppStatus(UpdateAppStatusRequest) returns (UpdateAppStatusResponse);
 }
@@ -56,7 +56,6 @@ type DRPCAgentClient interface {
 	DeleteSubAgent(ctx context.Context, in *DeleteSubAgentRequest) (*DeleteSubAgentResponse, error)
 	ListSubAgents(ctx context.Context, in *ListSubAgentsRequest) (*ListSubAgentsResponse, error)
 	ReportBoundaryLogs(ctx context.Context, in *ReportBoundaryLogsRequest) (*ReportBoundaryLogsResponse, error)
-	UpdateAppStatus(ctx context.Context, in *UpdateAppStatusRequest) (*UpdateAppStatusResponse, error)
 }

 type drpcAgentClient struct {
@@ -222,15 +221,6 @@ func (c *drpcAgentClient) ReportBoundaryLogs(ctx context.Context, in *ReportBoun
 	return out, nil
 }

-func (c *drpcAgentClient) UpdateAppStatus(ctx context.Context, in *UpdateAppStatusRequest) (*UpdateAppStatusResponse, error) {
-	out := new(UpdateAppStatusResponse)
-	err := c.cc.Invoke(ctx, "/coder.agent.v2.Agent/UpdateAppStatus", drpcEncoding_File_agent_proto_agent_proto{}, in, out)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 type DRPCAgentServer interface {
 	GetManifest(context.Context, *GetManifestRequest) (*Manifest, error)
 	GetServiceBanner(context.Context, *GetServiceBannerRequest) (*ServiceBanner, error)
@@ -249,7 +239,6 @@ type DRPCAgentServer interface {
 	DeleteSubAgent(context.Context, *DeleteSubAgentRequest) (*DeleteSubAgentResponse, error)
 	ListSubAgents(context.Context, *ListSubAgentsRequest) (*ListSubAgentsResponse, error)
 	ReportBoundaryLogs(context.Context, *ReportBoundaryLogsRequest) (*ReportBoundaryLogsResponse, error)
-	UpdateAppStatus(context.Context, *UpdateAppStatusRequest) (*UpdateAppStatusResponse, error)
 }

 type DRPCAgentUnimplementedServer struct{}
@@ -322,13 +311,9 @@ func (s *DRPCAgentUnimplementedServer) ReportBoundaryLogs(context.Context, *Repo
 	return nil, drpcerr.WithCode(errors.New("Unimplemented"), drpcerr.Unimplemented)
 }

-func (s *DRPCAgentUnimplementedServer) UpdateAppStatus(context.Context, *UpdateAppStatusRequest) (*UpdateAppStatusResponse, error) {
-	return nil, drpcerr.WithCode(errors.New("Unimplemented"), drpcerr.Unimplemented)
-}
-
 type DRPCAgentDescription struct{}

-func (DRPCAgentDescription) NumMethods() int { return 18 }
+func (DRPCAgentDescription) NumMethods() int { return 17 }

 func (DRPCAgentDescription) Method(n int) (string, drpc.Encoding, drpc.Receiver, interface{}, bool) {
 	switch n {
@@ -485,15 +470,6 @@ func (DRPCAgentDescription) Method(n int) (string, drpc.Encoding, drpc.Receiver,
 						in1.(*ReportBoundaryLogsRequest),
 					)
 			}, DRPCAgentServer.ReportBoundaryLogs, true
-	case 17:
-		return "/coder.agent.v2.Agent/UpdateAppStatus", drpcEncoding_File_agent_proto_agent_proto{},
-			func(srv interface{}, ctx context.Context, in1, in2 interface{}) (drpc.Message, error) {
-				return srv.(DRPCAgentServer).
-					UpdateAppStatus(
-						ctx,
-						in1.(*UpdateAppStatusRequest),
-					)
-			}, DRPCAgentServer.UpdateAppStatus, true
 	default:
 		return "", nil, nil, nil, false
 	}
@@ -774,19 +750,3 @@ func (x *drpcAgent_ReportBoundaryLogsStream) SendAndClose(m *ReportBoundaryLogsR
 	}
 	return x.CloseSend()
 }
-
-type DRPCAgent_UpdateAppStatusStream interface {
-	drpc.Stream
-	SendAndClose(*UpdateAppStatusResponse) error
-}
-
-type drpcAgent_UpdateAppStatusStream struct {
-	drpc.Stream
-}
-
-func (x *drpcAgent_UpdateAppStatusStream) SendAndClose(m *UpdateAppStatusResponse) error {
-	if err := x.MsgSend(m, drpcEncoding_File_agent_proto_agent_proto{}); err != nil {
-		return err
-	}
-	return x.CloseSend()
-}
@@ -73,13 +73,9 @@ type DRPCAgentClient27 interface {
 	ReportBoundaryLogs(ctx context.Context, in *ReportBoundaryLogsRequest) (*ReportBoundaryLogsResponse, error)
 }

-// DRPCAgentClient28 is the Agent API at v2.8. It adds
-//   - a SubagentId field to the WorkspaceAgentDevcontainer message
-//   - an Id field to the CreateSubAgentRequest message.
-//   - UpdateAppStatus RPC.
-//
-// Compatible with Coder v2.31+
+// DRPCAgentClient28 is the Agent API at v2.8. It adds a SubagentId field to the
+// WorkspaceAgentDevcontainer message, and a Id field to the CreateSubAgentRequest
+// message. Compatible with Coder v2.31+
 type DRPCAgentClient28 interface {
 	DRPCAgentClient27
-	UpdateAppStatus(ctx context.Context, in *UpdateAppStatusRequest) (*UpdateAppStatusResponse, error)
 }
@@ -3,11 +3,11 @@
 		"enabled": true,
 		"clientKind": "git",
 		"useIgnoreFile": true,
-		"defaultBranch": "main",
+		"defaultBranch": "main"
 	},
 	"files": {
 		"includes": ["**", "!**/pnpm-lock.yaml"],
-		"ignoreUnknown": true,
+		"ignoreUnknown": true
 	},
 	"linter": {
 		"rules": {
@@ -15,18 +15,18 @@
 				"noSvgWithoutTitle": "off",
 				"useButtonType": "off",
 				"useSemanticElements": "off",
-				"noStaticElementInteractions": "off",
+				"noStaticElementInteractions": "off"
 			},
-			"correctness": {
-				"noUnusedImports": "warn",
+		"correctness": {
+			"noUnusedImports": "warn",
 				"useUniqueElementIds": "off", // TODO: This is new but we want to fix it
 				"noNestedComponentDefinitions": "off", // TODO: Investigate, since it is used by shadcn components
-				"noUnusedVariables": {
-					"level": "warn",
+			"noUnusedVariables": {
+				"level": "warn",
 					"options": {
-						"ignoreRestSiblings": true,
-					},
-				},
+						"ignoreRestSiblings": true
+					}
+				}
 			},
 			"style": {
 				"noNonNullAssertion": "off",
@@ -45,10 +45,6 @@
 					"level": "error",
 					"options": {
 						"paths": {
-							"react": {
-								"message": "React 19 no longer requires forwardRef. Use ref as a prop instead.",
-								"importNames": ["forwardRef"],
-							},
 							// "@mui/material/Alert": "Use components/Alert/Alert instead.",
 							// "@mui/material/AlertTitle": "Use components/Alert/Alert instead.",
 							// "@mui/material/Autocomplete": "Use shadcn/ui Combobox instead.",
@@ -115,10 +111,10 @@
 							"@emotion/styled": "Use Tailwind CSS instead.",
 							// "@emotion/cache": "Use Tailwind CSS instead.",
 							// "components/Stack/Stack": "Use Tailwind flex utilities instead (e.g., <div className='flex flex-col gap-4'>).",
-							"lodash": "Use lodash/<name> instead.",
-						},
-					},
-				},
+							"lodash": "Use lodash/<name> instead."
+						}
+					}
+				}
 			},
 			"suspicious": {
 				"noArrayIndexKey": "off",
@@ -129,14 +125,14 @@
 				"noConsole": {
 					"level": "error",
 					"options": {
-						"allow": ["error", "info", "warn"],
-					},
-				},
+						"allow": ["error", "info", "warn"]
+					}
+				}
 			},
 			"complexity": {
-				"noImportantStyles": "off", // TODO: check and fix !important styles
-			},
-		},
+				"noImportantStyles": "off" // TODO: check and fix !important styles
+			}
+		}
 	},
-	"$schema": "./node_modules/@biomejs/biome/configuration_schema.json",
+	"$schema": "./node_modules/@biomejs/biome/configuration_schema.json"
 }
@@ -30,15 +30,9 @@ func RichParameter(inv *serpent.Invocation, templateVersionParameter codersdk.Te
 		_, _ = fmt.Fprint(inv.Stdout, "\033[1A")

 		var defaults []string
-		defaultSource := defaultValue
-		if defaultSource == "" {
-			defaultSource = templateVersionParameter.DefaultValue
-		}
-		if defaultSource != "" {
-			err = json.Unmarshal([]byte(defaultSource), &defaults)
-			if err != nil {
-				return "", err
-			}
+		err = json.Unmarshal([]byte(templateVersionParameter.DefaultValue), &defaults)
+		if err != nil {
+			return "", err
 		}

 		values, err := RichMultiSelect(inv, RichMultiSelectOptions{
@@ -10,7 +10,6 @@ import (
 	"path/filepath"
 	"slices"
 	"strings"
-	"time"

 	"github.com/mark3labs/mcp-go/mcp"
 	"github.com/mark3labs/mcp-go/server"
@@ -24,7 +23,6 @@ import (
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/agentsdk"
 	"github.com/coder/coder/v2/codersdk/toolsdk"
-	"github.com/coder/retry"
 	"github.com/coder/serpent"
 )

@@ -541,6 +539,7 @@ func (r *RootCmd) mcpServer() *serpent.Command {
 			defer cancel()
 			defer srv.queue.Close()

+			cliui.Infof(inv.Stderr, "Failed to watch screen events")
 			// Start the reporter, watcher, and server.  These are all tied to the
 			// lifetime of the MCP server, which is itself tied to the lifetime of the
 			// AI agent.
@@ -614,51 +613,48 @@ func (s *mcpServer) startReporter(ctx context.Context, inv *serpent.Invocation)
 }

 func (s *mcpServer) startWatcher(ctx context.Context, inv *serpent.Invocation) {
+	eventsCh, errCh, err := s.aiAgentAPIClient.SubscribeEvents(ctx)
+	if err != nil {
+		cliui.Warnf(inv.Stderr, "Failed to watch screen events: %s", err)
+		return
+	}
 	go func() {
-		for retrier := retry.New(time.Second, 30*time.Second); retrier.Wait(ctx); {
-			eventsCh, errCh, err := s.aiAgentAPIClient.SubscribeEvents(ctx)
-			if err == nil {
-				retrier.Reset()
-			loop:
-				for {
-					select {
-					case <-ctx.Done():
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case event := <-eventsCh:
+				switch ev := event.(type) {
+				case agentapi.EventStatusChange:
+					// If the screen is stable, report idle.
+					state := codersdk.WorkspaceAppStatusStateWorking
+					if ev.Status == agentapi.StatusStable {
+						state = codersdk.WorkspaceAppStatusStateIdle
+					}
+					err := s.queue.Push(taskReport{
+						state: state,
+					})
+					if err != nil {
+						cliui.Warnf(inv.Stderr, "Failed to queue update: %s", err)
 						return
-					case event := <-eventsCh:
-						switch ev := event.(type) {
-						case agentapi.EventStatusChange:
-							state := codersdk.WorkspaceAppStatusStateWorking
-							if ev.Status == agentapi.StatusStable {
-								state = codersdk.WorkspaceAppStatusStateIdle
-							}
-							err := s.queue.Push(taskReport{
-								state: state,
-							})
-							if err != nil {
-								cliui.Warnf(inv.Stderr, "Failed to queue update: %s", err)
-								return
-							}
-						case agentapi.EventMessageUpdate:
-							if ev.Role == agentapi.RoleUser {
-								err := s.queue.Push(taskReport{
-									messageID: &ev.Id,
-									state:     codersdk.WorkspaceAppStatusStateWorking,
-								})
-								if err != nil {
-									cliui.Warnf(inv.Stderr, "Failed to queue update: %s", err)
-									return
-								}
-							}
+					}
+				case agentapi.EventMessageUpdate:
+					if ev.Role == agentapi.RoleUser {
+						err := s.queue.Push(taskReport{
+							messageID: &ev.Id,
+							state:     codersdk.WorkspaceAppStatusStateWorking,
+						})
+						if err != nil {
+							cliui.Warnf(inv.Stderr, "Failed to queue update: %s", err)
+							return
 						}
-					case err := <-errCh:
-						if !errors.Is(err, context.Canceled) {
-							cliui.Warnf(inv.Stderr, "Received error from screen event watcher: %s", err)
-						}
-						break loop
 					}
 				}
-			} else {
-				cliui.Warnf(inv.Stderr, "Failed to watch screen events: %s", err)
+			case err := <-errCh:
+				if !errors.Is(err, context.Canceled) {
+					cliui.Warnf(inv.Stderr, "Received error from screen event watcher: %s", err)
+				}
+				return
 			}
 		}
 	}()
@@ -696,14 +692,13 @@ func (s *mcpServer) startServer(ctx context.Context, inv *serpent.Invocation, in
 	// Add tool dependencies.
 	toolOpts := []func(*toolsdk.Deps){
 		toolsdk.WithTaskReporter(func(args toolsdk.ReportTaskArgs) error {
-			state := codersdk.WorkspaceAppStatusState(args.State)
-			// The agent does not reliably report idle, so when AgentAPI is
-			// enabled we override idle to working and let the screen watcher
-			// detect the real idle via StatusStable.  Final states (failure,
-			// complete) are trusted from the agent since the screen watcher
-			// cannot produce them.
-			if s.aiAgentAPIClient != nil && state == codersdk.WorkspaceAppStatusStateIdle {
-				state = codersdk.WorkspaceAppStatusStateWorking
+			// The agent does not reliably report its status correctly.  If AgentAPI
+			// is enabled, we will always set the status to "working" when we get an
+			// MCP message, and rely on the screen watcher to eventually catch the
+			// idle state.
+			state := codersdk.WorkspaceAppStatusStateWorking
+			if s.aiAgentAPIClient == nil {
+				state = codersdk.WorkspaceAppStatusState(args.State)
 			}
 			return s.queue.Push(taskReport{
 				link:         args.Link,
@@ -921,7 +921,7 @@ func TestExpMcpReporter(t *testing.T) {
 				},
 			},
 		},
-		// We override idle from the agent to working, but trust final states.
+		// We ignore the state from the agent and assume "working".
 		{
 			name: "IgnoreAgentState",
 			// AI agent reports that it is finished but the summary says it is doing
@@ -953,46 +953,6 @@ func TestExpMcpReporter(t *testing.T) {
 						Message: "finished",
 					},
 				},
-				// Agent reports failure; trusted even with AgentAPI enabled.
-				{
-					state:   codersdk.WorkspaceAppStatusStateFailure,
-					summary: "something broke",
-					expected: &codersdk.WorkspaceAppStatus{
-						State:   codersdk.WorkspaceAppStatusStateFailure,
-						Message: "something broke",
-					},
-				},
-				// After failure, watcher reports stable -> idle.
-				{
-					event: makeStatusEvent(agentapi.StatusStable),
-					expected: &codersdk.WorkspaceAppStatus{
-						State:   codersdk.WorkspaceAppStatusStateIdle,
-						Message: "something broke",
-					},
-				},
-			},
-		},
-		// Final states pass through with AgentAPI enabled.
-		{
-			name: "AllowFinalStates",
-			tests: []test{
-				{
-					state:   codersdk.WorkspaceAppStatusStateWorking,
-					summary: "doing work",
-					expected: &codersdk.WorkspaceAppStatus{
-						State:   codersdk.WorkspaceAppStatusStateWorking,
-						Message: "doing work",
-					},
-				},
-				// Agent reports complete; not overridden.
-				{
-					state:   codersdk.WorkspaceAppStatusStateComplete,
-					summary: "all done",
-					expected: &codersdk.WorkspaceAppStatus{
-						State:   codersdk.WorkspaceAppStatusStateComplete,
-						Message: "all done",
-					},
-				},
 			},
 		},
 		// When AgentAPI is not being used, we accept agent state updates as-is.
@@ -1150,148 +1110,4 @@ func TestExpMcpReporter(t *testing.T) {
 			<-cmdDone
 		})
 	}
-
-	t.Run("Reconnect", func(t *testing.T) {
-		t.Parallel()
-
-		// Create a test deployment and workspace.
-		client, db := coderdtest.NewWithDatabase(t, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		client, user2 := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
-
-		r := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-			OrganizationID: user.OrganizationID,
-			OwnerID:        user2.ID,
-		}).WithAgent(func(a []*proto.Agent) []*proto.Agent {
-			a[0].Apps = []*proto.App{
-				{
-					Slug: "vscode",
-				},
-			}
-			return a
-		}).Do()
-
-		ctx, cancel := context.WithCancel(testutil.Context(t, testutil.WaitLong))
-
-		// Watch the workspace for changes.
-		watcher, err := client.WatchWorkspace(ctx, r.Workspace.ID)
-		require.NoError(t, err)
-		var lastAppStatus codersdk.WorkspaceAppStatus
-		nextUpdate := func() codersdk.WorkspaceAppStatus {
-			for {
-				select {
-				case <-ctx.Done():
-					require.FailNow(t, "timed out waiting for status update")
-				case w, ok := <-watcher:
-					require.True(t, ok, "watch channel closed")
-					if w.LatestAppStatus != nil && w.LatestAppStatus.ID != lastAppStatus.ID {
-						t.Logf("Got status update: %s > %s", lastAppStatus.State, w.LatestAppStatus.State)
-						lastAppStatus = *w.LatestAppStatus
-						return lastAppStatus
-					}
-				}
-			}
-		}
-
-		// Mock AI AgentAPI server that supports disconnect/reconnect.
-		disconnect := make(chan struct{})
-		listening := make(chan func(sse codersdk.ServerSentEvent) error)
-		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// Create a cancelable context so we can stop the SSE sender
-			// goroutine on disconnect without waiting for the HTTP
-			// serve loop to cancel r.Context().
-			sseCtx, sseCancel := context.WithCancel(r.Context())
-			defer sseCancel()
-			r = r.WithContext(sseCtx)
-
-			send, closed, err := httpapi.ServerSentEventSender(w, r)
-			if err != nil {
-				httpapi.Write(sseCtx, w, http.StatusInternalServerError, codersdk.Response{
-					Message: "Internal error setting up server-sent events.",
-					Detail:  err.Error(),
-				})
-				return
-			}
-			// Send initial message so the watcher knows the agent is active.
-			send(*makeMessageEvent(0, agentapi.RoleAgent))
-			select {
-			case listening <- send:
-			case <-r.Context().Done():
-				return
-			}
-			select {
-			case <-closed:
-			case <-disconnect:
-				sseCancel()
-				<-closed
-			}
-		}))
-		t.Cleanup(srv.Close)
-
-		inv, _ := clitest.New(t,
-			"exp", "mcp", "server",
-			"--agent-url", client.URL.String(),
-			"--agent-token", r.AgentToken,
-			"--app-status-slug", "vscode",
-			"--allowed-tools=coder_report_task",
-			"--ai-agentapi-url", srv.URL,
-		)
-		inv = inv.WithContext(ctx)
-
-		pty := ptytest.New(t)
-		inv.Stdin = pty.Input()
-		inv.Stdout = pty.Output()
-		stderr := ptytest.New(t)
-		inv.Stderr = stderr.Output()
-
-		// Run the MCP server.
-		clitest.Start(t, inv)
-
-		// Initialize.
-		payload := `{"jsonrpc":"2.0","id":1,"method":"initialize"}`
-		pty.WriteLine(payload)
-		_ = pty.ReadLine(ctx) // ignore echo
-		_ = pty.ReadLine(ctx) // ignore init response
-
-		// Get first sender from the initial SSE connection.
-		sender := testutil.RequireReceive(ctx, t, listening)
-
-		// Self-report a working status via tool call.
-		toolPayload := `{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"coder_report_task","arguments":{"state":"working","summary":"doing work","link":""}}}`
-		pty.WriteLine(toolPayload)
-		_ = pty.ReadLine(ctx) // ignore echo
-		_ = pty.ReadLine(ctx) // ignore response
-		got := nextUpdate()
-		require.Equal(t, codersdk.WorkspaceAppStatusStateWorking, got.State)
-		require.Equal(t, "doing work", got.Message)
-
-		// Watcher sends stable, verify idle is reported.
-		err = sender(*makeStatusEvent(agentapi.StatusStable))
-		require.NoError(t, err)
-		got = nextUpdate()
-		require.Equal(t, codersdk.WorkspaceAppStatusStateIdle, got.State)
-
-		// Disconnect the SSE connection by signaling the handler to return.
-		testutil.RequireSend(ctx, t, disconnect, struct{}{})
-
-		// Wait for the watcher to reconnect and get the new sender.
-		sender = testutil.RequireReceive(ctx, t, listening)
-
-		// After reconnect, self-report a working status again.
-		toolPayload = `{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"coder_report_task","arguments":{"state":"working","summary":"reconnected","link":""}}}`
-		pty.WriteLine(toolPayload)
-		_ = pty.ReadLine(ctx) // ignore echo
-		_ = pty.ReadLine(ctx) // ignore response
-		got = nextUpdate()
-		require.Equal(t, codersdk.WorkspaceAppStatusStateWorking, got.State)
-		require.Equal(t, "reconnected", got.Message)
-
-		// Verify the watcher still processes events after reconnect.
-		err = sender(*makeStatusEvent(agentapi.StatusStable))
-		require.NoError(t, err)
-		got = nextUpdate()
-		require.Equal(t, codersdk.WorkspaceAppStatusStateIdle, got.State)
-
-		cancel()
-	})
 }
@@ -29,7 +29,6 @@ func (r *RootCmd) scaletestPrebuilds() *serpent.Command {
 		templateVersionJobTimeout time.Duration
 		prebuildWorkspaceTimeout  time.Duration
 		noCleanup                 bool
-		provisionerTags           []string

 		tracingFlags    = &scaletestTracingFlags{}
 		timeoutStrategy = &timeoutFlags{}
@@ -112,16 +111,10 @@ func (r *RootCmd) scaletestPrebuilds() *serpent.Command {

 			th := harness.NewTestHarness(timeoutStrategy.wrapStrategy(harness.ConcurrentExecutionStrategy{}), cleanupStrategy.toStrategy())

-			tags, err := ParseProvisionerTags(provisionerTags)
-			if err != nil {
-				return err
-			}
-
 			for i := range numTemplates {
 				id := strconv.Itoa(int(i))
 				cfg := prebuilds.Config{
 					OrganizationID:            me.OrganizationIDs[0],
-					ProvisionerTags:           tags,
 					NumPresets:                int(numPresets),
 					NumPresetPrebuilds:        int(numPresetPrebuilds),
 					TemplateVersionJobTimeout: templateVersionJobTimeout,
@@ -290,11 +283,6 @@ func (r *RootCmd) scaletestPrebuilds() *serpent.Command {
 			Description: "Skip cleanup (deletion test) and leave resources intact.",
 			Value:       serpent.BoolOf(&noCleanup),
 		},
-		{
-			Flag:        "provisioner-tag",
-			Description: "Specify a set of tags to target provisioner daemons.",
-			Value:       serpent.StringArrayOf(&provisionerTags),
-		},
 	}

 	tracingFlags.attach(&cmd.Options)
@@ -4,9 +4,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"os"
-	"os/exec"
-	"strings"
 	"time"

 	"golang.org/x/xerrors"
@@ -19,29 +16,6 @@ import (
 	"github.com/coder/serpent"
 )

-// detectGitRef attempts to resolve the current git branch and remote
-// origin URL from the given working directory. These are sent to the
-// control plane so it can look up PR/diff status via the GitHub API
-// without SSHing into the workspace. Failures are silently ignored
-// since this is best-effort.
-func detectGitRef(workingDirectory string) (branch string, remoteOrigin string) {
-	run := func(args ...string) string {
-		//nolint:gosec
-		cmd := exec.Command(args[0], args[1:]...)
-		if workingDirectory != "" {
-			cmd.Dir = workingDirectory
-		}
-		out, err := cmd.Output()
-		if err != nil {
-			return ""
-		}
-		return strings.TrimSpace(string(out))
-	}
-	branch = run("git", "rev-parse", "--abbrev-ref", "HEAD")
-	remoteOrigin = run("git", "config", "--get", "remote.origin.url")
-	return branch, remoteOrigin
-}
-
 // gitAskpass is used by the Coder agent to automatically authenticate
 // with Git providers based on a hostname.
 func gitAskpass(agentAuth *AgentAuth) *serpent.Command {
@@ -64,20 +38,8 @@ func gitAskpass(agentAuth *AgentAuth) *serpent.Command {
 				return xerrors.Errorf("create agent client: %w", err)
 			}

-			workingDirectory, err := os.Getwd()
-			if err != nil {
-				workingDirectory = ""
-			}
-
-			// Detect the current git branch and remote origin so
-			// the control plane can resolve diffs without needing
-			// to SSH back into the workspace.
-			gitBranch, gitRemoteOrigin := detectGitRef(workingDirectory)
-
 			token, err := client.ExternalAuth(ctx, agentsdk.ExternalAuthRequest{
-				Match:           host,
-				GitBranch:       gitBranch,
-				GitRemoteOrigin: gitRemoteOrigin,
+				Match: host,
 			})
 			if err != nil {
 				var apiError *codersdk.Error
@@ -96,12 +58,6 @@ func gitAskpass(agentAuth *AgentAuth) *serpent.Command {
 				return xerrors.Errorf("get git token: %w", err)
 			}
 			if token.URL != "" {
-				// This is to help the agent authenticate with Git.
-				if inv.Environ.Get("CODER_CHAT_AGENT") == "true" {
-					_, _ = fmt.Fprintf(inv.Stderr, `You must notify the user to authenticate with Git.\n\nThe URL is: %s\n`, token.URL)
-					return cliui.ErrCanceled
-				}
-
 				if err := openURL(inv, token.URL); err == nil {
 					cliui.Infof(inv.Stderr, "Your browser has been opened to authenticate with Git:\n%s", token.URL)
 				} else {
@@ -106,7 +106,11 @@ func TestList(t *testing.T) {
 		t.Parallel()

 		var (
-			client, db           = coderdtest.NewWithDatabase(t, nil)
+			client, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{
+				DeploymentValues: coderdtest.DeploymentValues(t, func(dv *codersdk.DeploymentValues) {
+					dv.Experiments = []string{string(codersdk.ExperimentWorkspaceSharing)}
+				}),
+			})
 			orgOwner             = coderdtest.CreateFirstUser(t, client)
 			memberClient, member = coderdtest.CreateAnotherUser(t, client, orgOwner.OrganizationID, rbac.ScopedRoleOrgAuditor(orgOwner.OrganizationID))
 			sharedWorkspace      = dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
@@ -1,7 +1,6 @@
 package cli

 import (
-	"encoding/json"
 	"fmt"
 	"strings"

@@ -232,7 +231,7 @@ next:
 			continue // immutables should not be passed to consecutive builds
 		}

-		if len(tvp.Options) > 0 && !isValidTemplateParameterOption(buildParameter, *tvp) {
+		if len(tvp.Options) > 0 && !isValidTemplateParameterOption(buildParameter, tvp.Options) {
 			continue // do not propagate invalid options
 		}

@@ -298,7 +297,7 @@ func (pr *ParameterResolver) verifyConstraints(resolved []codersdk.WorkspaceBuil
 			return xerrors.Errorf("ephemeral parameter %q can be used only with --prompt-ephemeral-parameters or --ephemeral-parameter flag", r.Name)
 		}

-		if !tvp.Mutable && action != WorkspaceCreate && !pr.isFirstTimeUse(r.Name) {
+		if !tvp.Mutable && action != WorkspaceCreate {
 			return xerrors.Errorf("parameter %q is immutable and cannot be updated", r.Name)
 		}
 	}
@@ -366,7 +365,7 @@ func (pr *ParameterResolver) isLastBuildParameterInvalidOption(templateVersionPa

 	for _, buildParameter := range pr.lastBuildParameters {
 		if buildParameter.Name == templateVersionParameter.Name {
-			return !isValidTemplateParameterOption(buildParameter, templateVersionParameter)
+			return !isValidTemplateParameterOption(buildParameter, templateVersionParameter.Options)
 		}
 	}
 	return false
@@ -390,31 +389,8 @@ func findWorkspaceBuildParameter(parameterName string, params []codersdk.Workspa
 	return nil
 }

-func isValidTemplateParameterOption(buildParameter codersdk.WorkspaceBuildParameter, templateVersionParameter codersdk.TemplateVersionParameter) bool {
-	// Multi-select parameters store values as a JSON array (e.g.
-	// '["vim","emacs"]'), so we need to parse the array and validate
-	// each element individually against the allowed options.
-	if templateVersionParameter.Type == "list(string)" {
-		var values []string
-		if err := json.Unmarshal([]byte(buildParameter.Value), &values); err != nil {
-			return false
-		}
-		for _, v := range values {
-			found := false
-			for _, opt := range templateVersionParameter.Options {
-				if opt.Value == v {
-					found = true
-					break
-				}
-			}
-			if !found {
-				return false
-			}
-		}
-		return true
-	}
-
-	for _, opt := range templateVersionParameter.Options {
+func isValidTemplateParameterOption(buildParameter codersdk.WorkspaceBuildParameter, options []codersdk.TemplateVersionParameterOption) bool {
+	for _, opt := range options {
 		if opt.Value == buildParameter.Value {
 			return true
 		}
@@ -1,85 +0,0 @@
-package cli
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-
-	"github.com/coder/coder/v2/codersdk"
-)
-
-func TestIsValidTemplateParameterOption(t *testing.T) {
-	t.Parallel()
-
-	options := []codersdk.TemplateVersionParameterOption{
-		{Name: "Vim", Value: "vim"},
-		{Name: "Emacs", Value: "emacs"},
-		{Name: "VS Code", Value: "vscode"},
-	}
-
-	t.Run("SingleSelectValid", func(t *testing.T) {
-		t.Parallel()
-		bp := codersdk.WorkspaceBuildParameter{Name: "editor", Value: "vim"}
-		tvp := codersdk.TemplateVersionParameter{
-			Name:    "editor",
-			Type:    "string",
-			Options: options,
-		}
-		assert.True(t, isValidTemplateParameterOption(bp, tvp))
-	})
-
-	t.Run("SingleSelectInvalid", func(t *testing.T) {
-		t.Parallel()
-		bp := codersdk.WorkspaceBuildParameter{Name: "editor", Value: "notepad"}
-		tvp := codersdk.TemplateVersionParameter{
-			Name:    "editor",
-			Type:    "string",
-			Options: options,
-		}
-		assert.False(t, isValidTemplateParameterOption(bp, tvp))
-	})
-
-	t.Run("MultiSelectAllValid", func(t *testing.T) {
-		t.Parallel()
-		bp := codersdk.WorkspaceBuildParameter{Name: "editors", Value: `["vim","emacs"]`}
-		tvp := codersdk.TemplateVersionParameter{
-			Name:    "editors",
-			Type:    "list(string)",
-			Options: options,
-		}
-		assert.True(t, isValidTemplateParameterOption(bp, tvp))
-	})
-
-	t.Run("MultiSelectOneInvalid", func(t *testing.T) {
-		t.Parallel()
-		bp := codersdk.WorkspaceBuildParameter{Name: "editors", Value: `["vim","notepad"]`}
-		tvp := codersdk.TemplateVersionParameter{
-			Name:    "editors",
-			Type:    "list(string)",
-			Options: options,
-		}
-		assert.False(t, isValidTemplateParameterOption(bp, tvp))
-	})
-
-	t.Run("MultiSelectEmptyArray", func(t *testing.T) {
-		t.Parallel()
-		bp := codersdk.WorkspaceBuildParameter{Name: "editors", Value: `[]`}
-		tvp := codersdk.TemplateVersionParameter{
-			Name:    "editors",
-			Type:    "list(string)",
-			Options: options,
-		}
-		assert.True(t, isValidTemplateParameterOption(bp, tvp))
-	})
-
-	t.Run("MultiSelectInvalidJSON", func(t *testing.T) {
-		t.Parallel()
-		bp := codersdk.WorkspaceBuildParameter{Name: "editors", Value: `not-json`}
-		tvp := codersdk.TemplateVersionParameter{
-			Name:    "editors",
-			Type:    "list(string)",
-			Options: options,
-		}
-		assert.False(t, isValidTemplateParameterOption(bp, tvp))
-	})
-}
@@ -884,27 +884,16 @@ func (o *OrganizationContext) Selected(inv *serpent.Invocation, client *codersdk
 		index := slices.IndexFunc(orgs, func(org codersdk.Organization) bool {
 			return org.Name == o.FlagSelect || org.ID.String() == o.FlagSelect
 		})
-		if index >= 0 {
-			return orgs[index], nil
-		}

-		// Not in membership list - try direct fetch.
-		// This allows site-wide admins (e.g., Owners) to use orgs they aren't
-		// members of.
-		org, err := client.OrganizationByName(inv.Context(), o.FlagSelect)
-		if err != nil {
+		if index < 0 {
 			var names []string
 			for _, org := range orgs {
 				names = append(names, org.Name)
 			}
-			var sdkErr *codersdk.Error
-			if errors.As(err, &sdkErr) && sdkErr.StatusCode() == http.StatusNotFound {
-				return codersdk.Organization{}, xerrors.Errorf("organization %q not found, are you sure you are a member of this organization? "+
-					"Valid options for '--org=' are [%s].", o.FlagSelect, strings.Join(names, ", "))
-			}
-			return codersdk.Organization{}, xerrors.Errorf("get organization %q: %w", o.FlagSelect, err)
+			return codersdk.Organization{}, xerrors.Errorf("organization %q not found, are you sure you are a member of this organization? "+
+				"Valid options for '--org=' are [%s].", o.FlagSelect, strings.Join(names, ", "))
 		}
-		return org, nil
+		return orgs[index], nil
 	}

 	if len(orgs) == 1 {
@@ -95,7 +95,6 @@ import (
 	"github.com/coder/coder/v2/coderd/webpush"
 	"github.com/coder/coder/v2/coderd/workspaceapps/appurl"
 	"github.com/coder/coder/v2/coderd/workspacestats"
-	"github.com/coder/coder/v2/coderd/wsbuilder"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/drpcsdk"
 	"github.com/coder/coder/v2/cryptorand"
@@ -137,15 +136,6 @@ func createOIDCConfig(ctx context.Context, logger slog.Logger, vals *codersdk.De
 	if err != nil {
 		return nil, xerrors.Errorf("parse oidc oauth callback url: %w", err)
 	}
-
-	if vals.OIDC.RedirectURL.String() != "" {
-		redirectURL, err = vals.OIDC.RedirectURL.Value().Parse("/api/v2/users/oidc/callback")
-		if err != nil {
-			return nil, xerrors.Errorf("parse oidc redirect url %q", err)
-		}
-		logger.Warn(ctx, "custom OIDC redirect URL used instead of 'access_url', ensure this matches the value configured in your OIDC provider")
-	}
-
 	// If the scopes contain 'groups', we enable group support.
 	// Do not override any custom value set by the user.
 	if slice.Contains(vals.OIDC.Scopes, "groups") && vals.OIDC.GroupField == "" {
@@ -617,8 +607,28 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				}
 			}

+			extAuthEnv, err := ReadExternalAuthProvidersFromEnv(os.Environ())
+			if err != nil {
+				return xerrors.Errorf("read external auth providers from env: %w", err)
+			}
+
 			promRegistry := prometheus.NewRegistry()
 			oauthInstrument := promoauth.NewFactory(promRegistry)
+			vals.ExternalAuthConfigs.Value = append(vals.ExternalAuthConfigs.Value, extAuthEnv...)
+			externalAuthConfigs, err := externalauth.ConvertConfig(
+				oauthInstrument,
+				vals.ExternalAuthConfigs.Value,
+				vals.AccessURL.Value(),
+			)
+			if err != nil {
+				return xerrors.Errorf("convert external auth config: %w", err)
+			}
+			for _, c := range externalAuthConfigs {
+				logger.Debug(
+					ctx, "loaded external auth config",
+					slog.F("id", c.ID),
+				)
+			}

 			realIPConfig, err := httpmw.ParseRealIPConfig(vals.ProxyTrustedHeaders, vals.ProxyTrustedOrigins)
 			if err != nil {
@@ -649,7 +659,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				Pubsub:                      nil,
 				CacheDir:                    cacheDir,
 				GoogleTokenValidator:        googleTokenValidator,
-				ExternalAuthConfigs:         nil,
+				ExternalAuthConfigs:         externalAuthConfigs,
 				RealIPConfig:                realIPConfig,
 				SSHKeygenAlgorithm:          sshKeygenAlgorithm,
 				TracerProvider:              tracerProvider,
@@ -809,40 +819,6 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				return xerrors.Errorf("set deployment id: %w", err)
 			}

-			extAuthEnv, err := ReadExternalAuthProvidersFromEnv(os.Environ())
-			if err != nil {
-				return xerrors.Errorf("read external auth providers from env: %w", err)
-			}
-			mergedExternalAuthProviders := append([]codersdk.ExternalAuthConfig{}, vals.ExternalAuthConfigs.Value...)
-			mergedExternalAuthProviders = append(mergedExternalAuthProviders, extAuthEnv...)
-			vals.ExternalAuthConfigs.Value = mergedExternalAuthProviders
-
-			mergedExternalAuthProviders, err = maybeAppendDefaultGithubExternalAuthProvider(
-				ctx,
-				options.Logger,
-				options.Database,
-				vals,
-				mergedExternalAuthProviders,
-			)
-			if err != nil {
-				return xerrors.Errorf("maybe append default github external auth provider: %w", err)
-			}
-
-			options.ExternalAuthConfigs, err = externalauth.ConvertConfig(
-				oauthInstrument,
-				mergedExternalAuthProviders,
-				vals.AccessURL.Value(),
-			)
-			if err != nil {
-				return xerrors.Errorf("convert external auth config: %w", err)
-			}
-			for _, c := range options.ExternalAuthConfigs {
-				logger.Debug(
-					ctx, "loaded external auth config",
-					slog.F("id", c.ID),
-				)
-			}
-
 			// Manage push notifications.
 			experiments := coderd.ReadExperiments(options.Logger, options.DeploymentValues.Experiments.Value())
 			if experiments.Enabled(codersdk.ExperimentWebPush) {
@@ -959,12 +935,6 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			options.StatsBatcher = batcher
 			defer closeBatcher()

-			wsBuilderMetrics, err := wsbuilder.NewMetrics(options.PrometheusRegistry)
-			if err != nil {
-				return xerrors.Errorf("failed to register workspace builder metrics: %w", err)
-			}
-			options.WorkspaceBuilderMetrics = wsBuilderMetrics
-
 			// Manage notifications.
 			var (
 				notificationsCfg     = options.DeploymentValues.Notifications
@@ -1148,7 +1118,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			autobuildTicker := time.NewTicker(vals.AutobuildPollInterval.Value())
 			defer autobuildTicker.Stop()
 			autobuildExecutor := autobuild.NewExecutor(
-				ctx, options.Database, options.Pubsub, coderAPI.FileCache, options.PrometheusRegistry, coderAPI.TemplateScheduleStore, &coderAPI.Auditor, coderAPI.AccessControlStore, coderAPI.BuildUsageChecker, logger, autobuildTicker.C, options.NotificationsEnqueuer, coderAPI.Experiments, coderAPI.WorkspaceBuilderMetrics)
+				ctx, options.Database, options.Pubsub, coderAPI.FileCache, options.PrometheusRegistry, coderAPI.TemplateScheduleStore, &coderAPI.Auditor, coderAPI.AccessControlStore, coderAPI.BuildUsageChecker, logger, autobuildTicker.C, options.NotificationsEnqueuer, coderAPI.Experiments)
 			autobuildExecutor.Run()

 			jobReaperTicker := time.NewTicker(vals.JobReaperDetectorInterval.Value())
@@ -1940,79 +1910,6 @@ type githubOAuth2ConfigParams struct {
 	enterpriseBaseURL string
 }

-func isDeploymentEligibleForGithubDefaultProvider(ctx context.Context, db database.Store) (bool, error) {
-	// We want to enable the default provider only for new deployments, and avoid
-	// enabling it if a deployment was upgraded from an older version.
-	// nolint:gocritic // Requires system privileges
-	defaultEligible, err := db.GetOAuth2GithubDefaultEligible(dbauthz.AsSystemRestricted(ctx))
-	if err != nil && !errors.Is(err, sql.ErrNoRows) {
-		return false, xerrors.Errorf("get github default eligible: %w", err)
-	}
-	defaultEligibleNotSet := errors.Is(err, sql.ErrNoRows)
-
-	if defaultEligibleNotSet {
-		// nolint:gocritic // User count requires system privileges
-		userCount, err := db.GetUserCount(dbauthz.AsSystemRestricted(ctx), false)
-		if err != nil {
-			return false, xerrors.Errorf("get user count: %w", err)
-		}
-		// We check if a deployment is new by checking if it has any users.
-		defaultEligible = userCount == 0
-		// nolint:gocritic // Requires system privileges
-		if err := db.UpsertOAuth2GithubDefaultEligible(dbauthz.AsSystemRestricted(ctx), defaultEligible); err != nil {
-			return false, xerrors.Errorf("upsert github default eligible: %w", err)
-		}
-	}
-
-	return defaultEligible, nil
-}
-
-func maybeAppendDefaultGithubExternalAuthProvider(
-	ctx context.Context,
-	logger slog.Logger,
-	db database.Store,
-	vals *codersdk.DeploymentValues,
-	mergedExplicitProviders []codersdk.ExternalAuthConfig,
-) ([]codersdk.ExternalAuthConfig, error) {
-	if !vals.ExternalAuthGithubDefaultProviderEnable.Value() {
-		logger.Info(ctx, "default github external auth provider suppressed",
-			slog.F("reason", "disabled by configuration"),
-			slog.F("flag", "external-auth-github-default-provider-enable"),
-		)
-		return mergedExplicitProviders, nil
-	}
-
-	if len(mergedExplicitProviders) > 0 {
-		logger.Info(ctx, "default github external auth provider suppressed",
-			slog.F("reason", "explicit external auth providers configured"),
-			slog.F("provider_count", len(mergedExplicitProviders)),
-		)
-		return mergedExplicitProviders, nil
-	}
-
-	defaultEligible, err := isDeploymentEligibleForGithubDefaultProvider(ctx, db)
-	if err != nil {
-		return nil, err
-	}
-	if !defaultEligible {
-		logger.Info(ctx, "default github external auth provider suppressed",
-			slog.F("reason", "deployment is not eligible"),
-		)
-		return mergedExplicitProviders, nil
-	}
-
-	logger.Info(ctx, "injecting default github external auth provider",
-		slog.F("type", codersdk.EnhancedExternalAuthProviderGitHub.String()),
-		slog.F("client_id", GithubOAuth2DefaultProviderClientID),
-		slog.F("device_flow", GithubOAuth2DefaultProviderDeviceFlow),
-	)
-	return append(mergedExplicitProviders, codersdk.ExternalAuthConfig{
-		Type:       codersdk.EnhancedExternalAuthProviderGitHub.String(),
-		ClientID:   GithubOAuth2DefaultProviderClientID,
-		DeviceFlow: GithubOAuth2DefaultProviderDeviceFlow,
-	}), nil
-}
-
 func getGithubOAuth2ConfigParams(ctx context.Context, db database.Store, vals *codersdk.DeploymentValues) (*githubOAuth2ConfigParams, error) {
 	params := githubOAuth2ConfigParams{
 		accessURL:         vals.AccessURL.Value(),
@@ -2037,9 +1934,28 @@ func getGithubOAuth2ConfigParams(ctx context.Context, db database.Store, vals *c
 		return nil, nil //nolint:nilnil
 	}

-	defaultEligible, err := isDeploymentEligibleForGithubDefaultProvider(ctx, db)
-	if err != nil {
-		return nil, err
+	// Check if the deployment is eligible for the default GitHub OAuth2 provider.
+	// We want to enable it only for new deployments, and avoid enabling it
+	// if a deployment was upgraded from an older version.
+	// nolint:gocritic // Requires system privileges
+	defaultEligible, err := db.GetOAuth2GithubDefaultEligible(dbauthz.AsSystemRestricted(ctx))
+	if err != nil && !errors.Is(err, sql.ErrNoRows) {
+		return nil, xerrors.Errorf("get github default eligible: %w", err)
+	}
+	defaultEligibleNotSet := errors.Is(err, sql.ErrNoRows)
+
+	if defaultEligibleNotSet {
+		// nolint:gocritic // User count requires system privileges
+		userCount, err := db.GetUserCount(dbauthz.AsSystemRestricted(ctx), false)
+		if err != nil {
+			return nil, xerrors.Errorf("get user count: %w", err)
+		}
+		// We check if a deployment is new by checking if it has any users.
+		defaultEligible = userCount == 0
+		// nolint:gocritic // Requires system privileges
+		if err := db.UpsertOAuth2GithubDefaultEligible(dbauthz.AsSystemRestricted(ctx), defaultEligible); err != nil {
+			return nil, xerrors.Errorf("upsert github default eligible: %w", err)
+		}
 	}

 	if !defaultEligible {
@@ -53,7 +53,6 @@ import (
 	"github.com/coder/coder/v2/coderd/database/migrations"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/telemetry"
-	"github.com/coder/coder/v2/coderd/userpassword"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/cryptorand"
 	"github.com/coder/coder/v2/pty/ptytest"
@@ -303,7 +302,6 @@ func TestServer(t *testing.T) {
 			"open install.sh: file does not exist",
 			"telemetry disabled, unable to notify of security issues",
 			"installed terraform version newer than expected",
-			"report generator",
 		}

 		countLines := func(fullOutput string) int {
@@ -1742,18 +1740,6 @@ func TestServer(t *testing.T) {

 			// Next, we instruct the same server to display the YAML config
 			// and then save it.
-			// Because this is literally the same invocation, DefaultFn sets the
-			// value of 'Default'. Which triggers a mutually exclusive error
-			// on the next parse.
-			// Usually we only parse flags once, so this is not an issue
-			for _, c := range inv.Command.Children {
-				if c.Name() == "server" {
-					for i := range c.Options {
-						c.Options[i].DefaultFn = nil
-					}
-					break
-				}
-			}
 			inv = inv.WithContext(testutil.Context(t, testutil.WaitMedium))
 			//nolint:gocritic
 			inv.Args = append(args, "--write-config")
@@ -1807,155 +1793,6 @@ func TestServer(t *testing.T) {
 	})
 }

-//nolint:tparallel,paralleltest // This test sets environment variables.
-func TestServer_ExternalAuthGitHubDefaultProvider(t *testing.T) {
-	type testCase struct {
-		name               string
-		args               []string
-		env                map[string]string
-		createUserPreStart bool
-		expectedProviders  []string
-	}
-
-	run := func(t *testing.T, tc testCase) {
-		ctx := testutil.Context(t, testutil.WaitLong)
-
-		unsetPrefixedEnv := func(prefix string) {
-			t.Helper()
-			for _, envVar := range os.Environ() {
-				envKey, _, found := strings.Cut(envVar, "=")
-				if !found || !strings.HasPrefix(envKey, prefix) {
-					continue
-				}
-				value, had := os.LookupEnv(envKey)
-				require.True(t, had)
-				require.NoError(t, os.Unsetenv(envKey))
-				keyCopy := envKey
-				valueCopy := value
-				t.Cleanup(func() {
-					// This is for setting/unsetting a number of prefixed env vars.
-					// t.Setenv doesn't cover this use case.
-					// nolint:usetesting
-					_ = os.Setenv(keyCopy, valueCopy)
-				})
-			}
-		}
-		unsetPrefixedEnv("CODER_EXTERNAL_AUTH_")
-		unsetPrefixedEnv("CODER_GITAUTH_")
-
-		dbURL, err := dbtestutil.Open(t)
-		require.NoError(t, err)
-		db, _ := dbtestutil.NewDB(t, dbtestutil.WithURL(dbURL))
-
-		const (
-			existingUserEmail    = "existing-user@coder.com"
-			existingUserUsername = "existing-user"
-			existingUserPassword = "SomeSecurePassword!"
-		)
-		if tc.createUserPreStart {
-			hashedPassword, err := userpassword.Hash(existingUserPassword)
-			require.NoError(t, err)
-			_ = dbgen.User(t, db, database.User{
-				Email:          existingUserEmail,
-				Username:       existingUserUsername,
-				HashedPassword: []byte(hashedPassword),
-			})
-		}
-
-		args := []string{
-			"server",
-			"--postgres-url", dbURL,
-			"--http-address", ":0",
-			"--access-url", "https://example.com",
-		}
-		args = append(args, tc.args...)
-
-		inv, cfg := clitest.New(t, args...)
-		for envKey, value := range tc.env {
-			t.Setenv(envKey, value)
-		}
-		clitest.Start(t, inv)
-
-		accessURL := waitAccessURL(t, cfg)
-		client := codersdk.New(accessURL)
-
-		if tc.createUserPreStart {
-			loginResp, err := client.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{
-				Email:    existingUserEmail,
-				Password: existingUserPassword,
-			})
-			require.NoError(t, err)
-			client.SetSessionToken(loginResp.SessionToken)
-		} else {
-			_ = coderdtest.CreateFirstUser(t, client)
-		}
-
-		externalAuthResp, err := client.ListExternalAuths(ctx)
-		require.NoError(t, err)
-
-		gotProviders := map[string]codersdk.ExternalAuthLinkProvider{}
-		for _, provider := range externalAuthResp.Providers {
-			gotProviders[provider.ID] = provider
-		}
-		require.Len(t, gotProviders, len(tc.expectedProviders))
-
-		for _, providerID := range tc.expectedProviders {
-			provider, ok := gotProviders[providerID]
-			require.Truef(t, ok, "expected provider %q to be configured", providerID)
-			if providerID == codersdk.EnhancedExternalAuthProviderGitHub.String() {
-				require.Equal(t, codersdk.EnhancedExternalAuthProviderGitHub.String(), provider.Type)
-				require.True(t, provider.Device)
-			}
-		}
-	}
-
-	for _, tc := range []testCase{
-		{
-			name:              "NewDeployment_NoExplicitProviders_InjectsDefaultGithub",
-			expectedProviders: []string{codersdk.EnhancedExternalAuthProviderGitHub.String()},
-		},
-		{
-			name:               "ExistingDeployment_DoesNotInjectDefaultGithub",
-			createUserPreStart: true,
-			expectedProviders:  nil,
-		},
-		{
-			name: "DefaultProviderDisabled_DoesNotInjectDefaultGithub",
-			args: []string{
-				"--external-auth-github-default-provider-enable=false",
-			},
-			expectedProviders: nil,
-		},
-		{
-			name: "ExplicitProviderViaConfig_DoesNotInjectDefaultGithub",
-			args: []string{
-				`--external-auth-providers=[{"type":"gitlab","client_id":"config-client-id"}]`,
-			},
-			expectedProviders: []string{codersdk.EnhancedExternalAuthProviderGitLab.String()},
-		},
-		{
-			name: "ExplicitProviderViaEnv_DoesNotInjectDefaultGithub",
-			env: map[string]string{
-				"CODER_EXTERNAL_AUTH_0_TYPE":      codersdk.EnhancedExternalAuthProviderGitLab.String(),
-				"CODER_EXTERNAL_AUTH_0_CLIENT_ID": "env-client-id",
-			},
-			expectedProviders: []string{codersdk.EnhancedExternalAuthProviderGitLab.String()},
-		},
-		{
-			name: "ExplicitProviderViaLegacyEnv_DoesNotInjectDefaultGithub",
-			env: map[string]string{
-				"CODER_GITAUTH_0_TYPE":      codersdk.EnhancedExternalAuthProviderGitLab.String(),
-				"CODER_GITAUTH_0_CLIENT_ID": "legacy-env-client-id",
-			},
-			expectedProviders: []string{codersdk.EnhancedExternalAuthProviderGitLab.String()},
-		},
-	} {
-		t.Run(tc.name, func(t *testing.T) {
-			run(t, tc)
-		})
-	}
-}
-
 //nolint:tparallel,paralleltest // This test sets environment variables.
 func TestServer_Logging_NoParallel(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -25,7 +25,11 @@ func TestSharingShare(t *testing.T) {
 		t.Parallel()

 		var (
-			client, db                           = coderdtest.NewWithDatabase(t, nil)
+			client, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{
+				DeploymentValues: coderdtest.DeploymentValues(t, func(dv *codersdk.DeploymentValues) {
+					dv.Experiments = []string{string(codersdk.ExperimentWorkspaceSharing)}
+				}),
+			})
 			orgOwner                             = coderdtest.CreateFirstUser(t, client)
 			workspaceOwnerClient, workspaceOwner = coderdtest.CreateAnotherUser(t, client, orgOwner.OrganizationID, rbac.ScopedRoleOrgAuditor(orgOwner.OrganizationID))
 			workspace                            = dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
@@ -64,8 +68,12 @@ func TestSharingShare(t *testing.T) {
 		t.Parallel()

 		var (
-			client, db = coderdtest.NewWithDatabase(t, nil)
-			orgOwner   = coderdtest.CreateFirstUser(t, client)
+			client, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{
+				DeploymentValues: coderdtest.DeploymentValues(t, func(dv *codersdk.DeploymentValues) {
+					dv.Experiments = []string{string(codersdk.ExperimentWorkspaceSharing)}
+				}),
+			})
+			orgOwner = coderdtest.CreateFirstUser(t, client)

 			workspaceOwnerClient, workspaceOwner = coderdtest.CreateAnotherUser(t, client, orgOwner.OrganizationID, rbac.ScopedRoleOrgAuditor(orgOwner.OrganizationID))
 			workspace                            = dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
@@ -119,7 +127,11 @@ func TestSharingShare(t *testing.T) {
 		t.Parallel()

 		var (
-			client, db                           = coderdtest.NewWithDatabase(t, nil)
+			client, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{
+				DeploymentValues: coderdtest.DeploymentValues(t, func(dv *codersdk.DeploymentValues) {
+					dv.Experiments = []string{string(codersdk.ExperimentWorkspaceSharing)}
+				}),
+			})
 			orgOwner                             = coderdtest.CreateFirstUser(t, client)
 			workspaceOwnerClient, workspaceOwner = coderdtest.CreateAnotherUser(t, client, orgOwner.OrganizationID, rbac.ScopedRoleOrgAuditor(orgOwner.OrganizationID))
 			workspace                            = dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
@@ -170,7 +182,11 @@ func TestSharingStatus(t *testing.T) {
 		t.Parallel()

 		var (
-			client, db                           = coderdtest.NewWithDatabase(t, nil)
+			client, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{
+				DeploymentValues: coderdtest.DeploymentValues(t, func(dv *codersdk.DeploymentValues) {
+					dv.Experiments = []string{string(codersdk.ExperimentWorkspaceSharing)}
+				}),
+			})
 			orgOwner                             = coderdtest.CreateFirstUser(t, client)
 			workspaceOwnerClient, workspaceOwner = coderdtest.CreateAnotherUser(t, client, orgOwner.OrganizationID, rbac.ScopedRoleOrgAuditor(orgOwner.OrganizationID))
 			workspace                            = dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
@@ -214,7 +230,11 @@ func TestSharingRemove(t *testing.T) {
 		t.Parallel()

 		var (
-			client, db                           = coderdtest.NewWithDatabase(t, nil)
+			client, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{
+				DeploymentValues: coderdtest.DeploymentValues(t, func(dv *codersdk.DeploymentValues) {
+					dv.Experiments = []string{string(codersdk.ExperimentWorkspaceSharing)}
+				}),
+			})
 			orgOwner                             = coderdtest.CreateFirstUser(t, client)
 			workspaceOwnerClient, workspaceOwner = coderdtest.CreateAnotherUser(t, client, orgOwner.OrganizationID, rbac.ScopedRoleOrgAuditor(orgOwner.OrganizationID))
 			workspace                            = dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
@@ -271,7 +291,11 @@ func TestSharingRemove(t *testing.T) {
 		t.Parallel()

 		var (
-			client, db                           = coderdtest.NewWithDatabase(t, nil)
+			client, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{
+				DeploymentValues: coderdtest.DeploymentValues(t, func(dv *codersdk.DeploymentValues) {
+					dv.Experiments = []string{string(codersdk.ExperimentWorkspaceSharing)}
+				}),
+			})
 			orgOwner                             = coderdtest.CreateFirstUser(t, client)
 			workspaceOwnerClient, workspaceOwner = coderdtest.CreateAnotherUser(t, client, orgOwner.OrganizationID, rbac.ScopedRoleOrgAuditor(orgOwner.OrganizationID))
 			workspace                            = dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
@@ -120,7 +120,7 @@ func (r *RootCmd) start() *serpent.Command {
 func buildWorkspaceStartRequest(inv *serpent.Invocation, client *codersdk.Client, workspace codersdk.Workspace, parameterFlags workspaceParameterFlags, buildFlags buildFlags, action WorkspaceCLIAction) (codersdk.CreateWorkspaceBuildRequest, error) {
 	version := workspace.LatestBuild.TemplateVersionID

-	if workspace.AutomaticUpdates == codersdk.AutomaticUpdatesAlways || workspace.TemplateRequireActiveVersion || action == WorkspaceUpdate {
+	if workspace.AutomaticUpdates == codersdk.AutomaticUpdatesAlways || action == WorkspaceUpdate {
 		version = workspace.TemplateActiveVersionID
 		if version != workspace.LatestBuild.TemplateVersionID {
 			action = WorkspaceUpdate
@@ -33,7 +33,7 @@ func TestStatePull(t *testing.T) {
 			OrganizationID: owner.OrganizationID,
 			OwnerID:        taUser.ID,
 		}).
-			Seed(database.WorkspaceBuild{}).ProvisionerState(wantState).
+			Seed(database.WorkspaceBuild{ProvisionerState: wantState}).
 			Do()
 		statefilePath := filepath.Join(t.TempDir(), "state")
 		inv, root := clitest.New(t, "state", "pull", r.Workspace.Name, statefilePath)
@@ -54,7 +54,7 @@ func TestStatePull(t *testing.T) {
 			OrganizationID: owner.OrganizationID,
 			OwnerID:        taUser.ID,
 		}).
-			Seed(database.WorkspaceBuild{}).ProvisionerState(wantState).
+			Seed(database.WorkspaceBuild{ProvisionerState: wantState}).
 			Do()
 		inv, root := clitest.New(t, "state", "pull", r.Workspace.Name)
 		var gotState bytes.Buffer
@@ -74,7 +74,7 @@ func TestStatePull(t *testing.T) {
 			OrganizationID: owner.OrganizationID,
 			OwnerID:        taUser.ID,
 		}).
-			Seed(database.WorkspaceBuild{}).ProvisionerState(wantState).
+			Seed(database.WorkspaceBuild{ProvisionerState: wantState}).
 			Do()
 		inv, root := clitest.New(t, "state", "pull", taUser.Username+"/"+r.Workspace.Name,
 			"--build", fmt.Sprintf("%d", r.Build.BuildNumber))
@@ -170,7 +170,7 @@ func TestStatePush(t *testing.T) {
 			OrganizationID: owner.OrganizationID,
 			OwnerID:        taUser.ID,
 		}).
-			Seed(database.WorkspaceBuild{}).ProvisionerState(initialState).
+			Seed(database.WorkspaceBuild{ProvisionerState: initialState}).
 			Do()
 		wantState := []byte("updated state")
 		stateFile, err := os.CreateTemp(t.TempDir(), "")
@@ -1,3 +1,5 @@
+//go:build !windows
+
 package cli_test

 import (
@@ -5,7 +7,6 @@ import (
 	"context"
 	"os"
 	"path/filepath"
-	"runtime"
 	"testing"
 	"time"

@@ -24,15 +25,12 @@ func setupSocketServer(t *testing.T) (path string, cleanup func()) {
 	t.Helper()

 	// Use a temporary socket path for each test
-	socketPath := testutil.AgentSocketPath(t)
+	socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")

-	// Create parent directory if needed. Not necessary on Windows because named pipes live in an abstract namespace
-	// not tied to any real files.
-	if runtime.GOOS != "windows" {
-		parentDir := filepath.Dir(socketPath)
-		err := os.MkdirAll(parentDir, 0o700)
-		require.NoError(t, err, "create socket directory")
-	}
+	// Create parent directory if needed
+	parentDir := filepath.Dir(socketPath)
+	err := os.MkdirAll(parentDir, 0o700)
+	require.NoError(t, err, "create socket directory")

 	server, err := agentsocket.NewServer(
 		slog.Make().Leveled(slog.LevelDebug),
@@ -17,8 +17,6 @@ func (r *RootCmd) tasksCommand() *serpent.Command {
 			r.taskDelete(),
 			r.taskList(),
 			r.taskLogs(),
-			r.taskPause(),
-			r.taskResume(),
 			r.taskSend(),
 			r.taskStatus(),
 		},
@@ -41,7 +41,8 @@ func Test_TaskLogs_Golden(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
+		userClient := client // user already has access to their own workspace

 		inv, root := clitest.New(t, "task", "logs", task.Name, "--output", "json")
 		output := clitest.Capture(inv)
@@ -64,7 +65,8 @@ func Test_TaskLogs_Golden(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
+		userClient := client

 		inv, root := clitest.New(t, "task", "logs", task.ID.String(), "--output", "json")
 		output := clitest.Capture(inv)
@@ -87,7 +89,8 @@ func Test_TaskLogs_Golden(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
+		userClient := client

 		inv, root := clitest.New(t, "task", "logs", task.ID.String())
 		output := clitest.Capture(inv)
@@ -141,7 +144,8 @@ func Test_TaskLogs_Golden(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsErr(assert.AnError))
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsErr(assert.AnError))
+		userClient := client

 		inv, root := clitest.New(t, "task", "logs", task.ID.String())
 		clitest.SetupConfig(t, userClient, root)
@@ -197,7 +201,8 @@ func Test_TaskLogs_Golden(t *testing.T) {
 	t.Run("SnapshotWithoutLogs_NoSnapshotCaptured", func(t *testing.T) {
 		t.Parallel()

-		userClient, task := setupCLITaskTestWithoutSnapshot(t, codersdk.TaskStatusPaused)
+		client, task := setupCLITaskTestWithoutSnapshot(t, codersdk.TaskStatusPaused)
+		userClient := client

 		inv, root := clitest.New(t, "task", "logs", task.Name)
 		output := clitest.Capture(inv)
@@ -1,90 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"time"
-
-	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/v2/cli/cliui"
-	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/pretty"
-	"github.com/coder/serpent"
-)
-
-func (r *RootCmd) taskPause() *serpent.Command {
-	cmd := &serpent.Command{
-		Use:   "pause <task>",
-		Short: "Pause a task",
-		Long: FormatExamples(
-			Example{
-				Description: "Pause a task by name",
-				Command:     "coder task pause my-task",
-			},
-			Example{
-				Description: "Pause another user's task",
-				Command:     "coder task pause alice/my-task",
-			},
-			Example{
-				Description: "Pause a task without confirmation",
-				Command:     "coder task pause my-task --yes",
-			},
-		),
-		Middleware: serpent.Chain(
-			serpent.RequireNArgs(1),
-		),
-		Options: serpent.OptionSet{
-			cliui.SkipPromptOption(),
-		},
-		Handler: func(inv *serpent.Invocation) error {
-			ctx := inv.Context()
-			client, err := r.InitClient(inv)
-			if err != nil {
-				return err
-			}
-
-			task, err := client.TaskByIdentifier(ctx, inv.Args[0])
-			if err != nil {
-				return xerrors.Errorf("resolve task %q: %w", inv.Args[0], err)
-			}
-
-			display := fmt.Sprintf("%s/%s", task.OwnerName, task.Name)
-
-			if task.Status == codersdk.TaskStatusPaused {
-				return xerrors.Errorf("task %q is already paused", display)
-			}
-
-			_, err = cliui.Prompt(inv, cliui.PromptOptions{
-				Text:      fmt.Sprintf("Pause task %s?", pretty.Sprint(cliui.DefaultStyles.Code, display)),
-				IsConfirm: true,
-				Default:   cliui.ConfirmNo,
-			})
-			if err != nil {
-				return err
-			}
-
-			resp, err := client.PauseTask(ctx, task.OwnerName, task.ID)
-			if err != nil {
-				return xerrors.Errorf("pause task %q: %w", display, err)
-			}
-
-			if resp.WorkspaceBuild == nil {
-				return xerrors.Errorf("pause task %q: no workspace build returned", display)
-			}
-
-			err = cliui.WorkspaceBuild(ctx, inv.Stdout, client, resp.WorkspaceBuild.ID)
-			if err != nil {
-				return xerrors.Errorf("watch pause build for task %q: %w", display, err)
-			}
-
-			_, _ = fmt.Fprintf(
-				inv.Stdout,
-				"\nThe %s task has been paused at %s!\n",
-				cliui.Keyword(task.Name),
-				cliui.Timestamp(time.Now()),
-			)
-			return nil
-		},
-	}
-	return cmd
-}
@@ -1,144 +0,0 @@
-package cli_test
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/v2/cli/clitest"
-	"github.com/coder/coder/v2/coderd/coderdtest"
-	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/pty/ptytest"
-	"github.com/coder/coder/v2/testutil"
-)
-
-func TestExpTaskPause(t *testing.T) {
-	t.Parallel()
-
-	t.Run("WithYesFlag", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A running task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-
-		// When: We attempt to pause the task
-		inv, root := clitest.New(t, "task", "pause", task.Name, "--yes")
-		output := clitest.Capture(inv)
-		clitest.SetupConfig(t, userClient, root)
-
-		// Then: Expect the task to be paused
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-		require.Contains(t, output.Stdout(), "has been paused")
-
-		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusPaused, updated.Status)
-	})
-
-	// OtherUserTask verifies that an admin can pause a task owned by
-	// another user using the "owner/name" identifier format.
-	t.Run("OtherUserTask", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A different user's running task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		adminClient, _, task := setupCLITaskTest(setupCtx, t, nil)
-
-		// When: We attempt to pause their task
-		identifier := fmt.Sprintf("%s/%s", task.OwnerName, task.Name)
-		inv, root := clitest.New(t, "task", "pause", identifier, "--yes")
-		output := clitest.Capture(inv)
-		clitest.SetupConfig(t, adminClient, root)
-
-		// Then: We expect the task to be paused
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-		require.Contains(t, output.Stdout(), "has been paused")
-
-		updated, err := adminClient.TaskByIdentifier(ctx, identifier)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusPaused, updated.Status)
-	})
-
-	t.Run("PromptConfirm", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A running task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-
-		// When: We attempt to pause the task
-		inv, root := clitest.New(t, "task", "pause", task.Name)
-		clitest.SetupConfig(t, userClient, root)
-
-		// And: We confirm we want to pause the task
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		inv = inv.WithContext(ctx)
-		pty := ptytest.New(t).Attach(inv)
-		w := clitest.StartWithWaiter(t, inv)
-		pty.ExpectMatchContext(ctx, "Pause task")
-		pty.WriteLine("yes")
-
-		// Then: We expect the task to be paused
-		pty.ExpectMatchContext(ctx, "has been paused")
-		require.NoError(t, w.Wait())
-
-		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusPaused, updated.Status)
-	})
-
-	t.Run("PromptDecline", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A running task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-
-		// When: We attempt to pause the task
-		inv, root := clitest.New(t, "task", "pause", task.Name)
-		clitest.SetupConfig(t, userClient, root)
-
-		// But: We say no at the confirmation screen
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		inv = inv.WithContext(ctx)
-		pty := ptytest.New(t).Attach(inv)
-		w := clitest.StartWithWaiter(t, inv)
-		pty.ExpectMatchContext(ctx, "Pause task")
-		pty.WriteLine("no")
-		require.Error(t, w.Wait())
-
-		// Then: We expect the task to not be paused
-		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
-		require.NoError(t, err)
-		require.NotEqual(t, codersdk.TaskStatusPaused, updated.Status)
-	})
-
-	t.Run("TaskAlreadyPaused", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A running task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-
-		// And: We paused the running task
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		resp, err := userClient.PauseTask(ctx, task.OwnerName, task.ID)
-		require.NoError(t, err)
-		require.NotNil(t, resp.WorkspaceBuild)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, userClient, resp.WorkspaceBuild.ID)
-
-		// When: We attempt to pause the task again
-		inv, root := clitest.New(t, "task", "pause", task.Name, "--yes")
-		clitest.SetupConfig(t, userClient, root)
-
-		// Then: We expect to get an error that the task is already paused
-		err = inv.WithContext(ctx).Run()
-		require.ErrorContains(t, err, "is already paused")
-	})
-}
@@ -1,95 +0,0 @@
-package cli
-
-import (
-	"fmt"
-
-	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/v2/cli/cliui"
-	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/pretty"
-	"github.com/coder/serpent"
-)
-
-func (r *RootCmd) taskResume() *serpent.Command {
-	var noWait bool
-
-	cmd := &serpent.Command{
-		Use:   "resume <task>",
-		Short: "Resume a task",
-		Long: FormatExamples(
-			Example{
-				Description: "Resume a task by name",
-				Command:     "coder task resume my-task",
-			},
-			Example{
-				Description: "Resume another user's task",
-				Command:     "coder task resume alice/my-task",
-			},
-			Example{
-				Description: "Resume a task without confirmation",
-				Command:     "coder task resume my-task --yes",
-			},
-		),
-		Middleware: serpent.Chain(
-			serpent.RequireNArgs(1),
-		),
-		Options: serpent.OptionSet{
-			{
-				Flag:        "no-wait",
-				Description: "Return immediately after resuming the task.",
-				Value:       serpent.BoolOf(&noWait),
-			},
-			cliui.SkipPromptOption(),
-		},
-		Handler: func(inv *serpent.Invocation) error {
-			ctx := inv.Context()
-			client, err := r.InitClient(inv)
-			if err != nil {
-				return err
-			}
-
-			task, err := client.TaskByIdentifier(ctx, inv.Args[0])
-			if err != nil {
-				return xerrors.Errorf("resolve task %q: %w", inv.Args[0], err)
-			}
-
-			display := fmt.Sprintf("%s/%s", task.OwnerName, task.Name)
-
-			if task.Status == codersdk.TaskStatusError || task.Status == codersdk.TaskStatusUnknown {
-				return xerrors.Errorf("task %q is in %s state and cannot be resumed; check the workspace build logs and agent status for details", display, task.Status)
-			} else if task.Status != codersdk.TaskStatusPaused {
-				return xerrors.Errorf("task %q cannot be resumed (current status: %s)", display, task.Status)
-			}
-
-			_, err = cliui.Prompt(inv, cliui.PromptOptions{
-				Text:      fmt.Sprintf("Resume task %s?", pretty.Sprint(cliui.DefaultStyles.Code, display)),
-				IsConfirm: true,
-				Default:   cliui.ConfirmNo,
-			})
-			if err != nil {
-				return err
-			}
-
-			resp, err := client.ResumeTask(ctx, task.OwnerName, task.ID)
-			if err != nil {
-				return xerrors.Errorf("resume task %q: %w", display, err)
-			} else if resp.WorkspaceBuild == nil {
-				return xerrors.Errorf("resume task %q: no workspace build returned", display)
-			}
-
-			if noWait {
-				_, _ = fmt.Fprintf(inv.Stdout, "Resuming task %q in the background.\n", cliui.Keyword(display))
-				return nil
-			}
-
-			if err = cliui.WorkspaceBuild(ctx, inv.Stdout, client, resp.WorkspaceBuild.ID); err != nil {
-				return xerrors.Errorf("watch resume build for task %q: %w", display, err)
-			}
-
-			_, _ = fmt.Fprintf(inv.Stdout, "\nThe %s task has been resumed.\n", cliui.Keyword(display))
-			return nil
-		},
-	}
-	return cmd
-}
@@ -1,183 +0,0 @@
-package cli_test
-
-import (
-	"context"
-	"fmt"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/v2/cli/clitest"
-	"github.com/coder/coder/v2/coderd/coderdtest"
-	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/pty/ptytest"
-	"github.com/coder/coder/v2/testutil"
-)
-
-func TestExpTaskResume(t *testing.T) {
-	t.Parallel()
-
-	// pauseTask is a helper that pauses a task and waits for the stop
-	// build to complete.
-	pauseTask := func(ctx context.Context, t *testing.T, client *codersdk.Client, task codersdk.Task) {
-		t.Helper()
-
-		pauseResp, err := client.PauseTask(ctx, task.OwnerName, task.ID)
-		require.NoError(t, err)
-		require.NotNil(t, pauseResp.WorkspaceBuild)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, pauseResp.WorkspaceBuild.ID)
-	}
-
-	t.Run("WithYesFlag", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A paused task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-		pauseTask(setupCtx, t, userClient, task)
-
-		// When: We attempt to resume the task
-		inv, root := clitest.New(t, "task", "resume", task.Name, "--yes")
-		output := clitest.Capture(inv)
-		clitest.SetupConfig(t, userClient, root)
-
-		// Then: We expect the task to be resumed
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-		require.Contains(t, output.Stdout(), "has been resumed")
-
-		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusInitializing, updated.Status)
-	})
-
-	// OtherUserTask verifies that an admin can resume a task owned by
-	// another user using the "owner/name" identifier format.
-	t.Run("OtherUserTask", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A different user's paused task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		adminClient, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-		pauseTask(setupCtx, t, userClient, task)
-
-		// When: We attempt to resume their task
-		identifier := fmt.Sprintf("%s/%s", task.OwnerName, task.Name)
-		inv, root := clitest.New(t, "task", "resume", identifier, "--yes")
-		output := clitest.Capture(inv)
-		clitest.SetupConfig(t, adminClient, root)
-
-		// Then: We expect the task to be resumed
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-		require.Contains(t, output.Stdout(), "has been resumed")
-
-		updated, err := adminClient.TaskByIdentifier(ctx, identifier)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusInitializing, updated.Status)
-	})
-
-	t.Run("NoWait", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A paused task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-		pauseTask(setupCtx, t, userClient, task)
-
-		// When: We attempt to resume the task (and specify no wait)
-		inv, root := clitest.New(t, "task", "resume", task.Name, "--yes", "--no-wait")
-		output := clitest.Capture(inv)
-		clitest.SetupConfig(t, userClient, root)
-
-		// Then: We expect the task to be resumed in the background
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-		require.Contains(t, output.Stdout(), "in the background")
-
-		// And: The task to eventually be resumed
-		require.True(t, task.WorkspaceID.Valid, "task should have a workspace ID")
-		ws := coderdtest.MustWorkspace(t, userClient, task.WorkspaceID.UUID)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, userClient, ws.LatestBuild.ID)
-
-		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusInitializing, updated.Status)
-	})
-
-	t.Run("PromptConfirm", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A paused task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-		pauseTask(setupCtx, t, userClient, task)
-
-		// When: We attempt to resume the task
-		inv, root := clitest.New(t, "task", "resume", task.Name)
-		clitest.SetupConfig(t, userClient, root)
-
-		// And: We confirm we want to resume the task
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		inv = inv.WithContext(ctx)
-		pty := ptytest.New(t).Attach(inv)
-		w := clitest.StartWithWaiter(t, inv)
-		pty.ExpectMatchContext(ctx, "Resume task")
-		pty.WriteLine("yes")
-
-		// Then: We expect the task to be resumed
-		pty.ExpectMatchContext(ctx, "has been resumed")
-		require.NoError(t, w.Wait())
-
-		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusInitializing, updated.Status)
-	})
-
-	t.Run("PromptDecline", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A paused task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-		pauseTask(setupCtx, t, userClient, task)
-
-		// When: We attempt to resume the task
-		inv, root := clitest.New(t, "task", "resume", task.Name)
-		clitest.SetupConfig(t, userClient, root)
-
-		// But: Say no at the confirmation screen
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		inv = inv.WithContext(ctx)
-		pty := ptytest.New(t).Attach(inv)
-		w := clitest.StartWithWaiter(t, inv)
-		pty.ExpectMatchContext(ctx, "Resume task")
-		pty.WriteLine("no")
-		require.Error(t, w.Wait())
-
-		// Then: We expect the task to still be paused
-		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusPaused, updated.Status)
-	})
-
-	t.Run("TaskNotPaused", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A running task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-
-		// When: We attempt to resume the task that is not paused
-		inv, root := clitest.New(t, "task", "resume", task.Name, "--yes")
-		clitest.SetupConfig(t, userClient, root)
-
-		// Then: We expect to get an error that the task is not paused
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		err := inv.WithContext(ctx).Run()
-		require.ErrorContains(t, err, "cannot be resumed")
-	})
-}
@@ -25,7 +25,8 @@ func Test_TaskSend(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
+		userClient := client

 		var stdout strings.Builder
 		inv, root := clitest.New(t, "task", "send", task.Name, "carry on with the task")
@@ -41,7 +42,8 @@ func Test_TaskSend(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
+		userClient := client

 		var stdout strings.Builder
 		inv, root := clitest.New(t, "task", "send", task.ID.String(), "carry on with the task")
@@ -57,7 +59,8 @@ func Test_TaskSend(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
+		userClient := client

 		var stdout strings.Builder
 		inv, root := clitest.New(t, "task", "send", task.Name, "--stdin")
@@ -110,7 +113,7 @@ func Test_TaskSend(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendErr(t, assert.AnError))
+		userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendErr(t, assert.AnError))

 		var stdout strings.Builder
 		inv, root := clitest.New(t, "task", "send", task.Name, "some task input")
@@ -120,40 +120,6 @@ func Test_Tasks(t *testing.T) {
 				require.Equal(t, logs[2].Type, codersdk.TaskLogTypeOutput, "third message should be an output")
 			},
 		},
-		{
-			name:    "pause task",
-			cmdArgs: []string{"task", "pause", taskName, "--yes"},
-			assertFn: func(stdout string, userClient *codersdk.Client) {
-				require.Contains(t, stdout, "has been paused", "pause output should confirm task was paused")
-			},
-		},
-		{
-			name:    "get task status after pause",
-			cmdArgs: []string{"task", "status", taskName, "--output", "json"},
-			assertFn: func(stdout string, userClient *codersdk.Client) {
-				var task codersdk.Task
-				require.NoError(t, json.NewDecoder(strings.NewReader(stdout)).Decode(&task), "should unmarshal task status")
-				require.Equal(t, taskName, task.Name, "task name should match")
-				require.Equal(t, codersdk.TaskStatusPaused, task.Status, "task should be paused")
-			},
-		},
-		{
-			name:    "resume task",
-			cmdArgs: []string{"task", "resume", taskName, "--yes"},
-			assertFn: func(stdout string, userClient *codersdk.Client) {
-				require.Contains(t, stdout, "has been resumed", "resume output should confirm task was resumed")
-			},
-		},
-		{
-			name:    "get task status after resume",
-			cmdArgs: []string{"task", "status", taskName, "--output", "json"},
-			assertFn: func(stdout string, userClient *codersdk.Client) {
-				var task codersdk.Task
-				require.NoError(t, json.NewDecoder(strings.NewReader(stdout)).Decode(&task), "should unmarshal task status")
-				require.Equal(t, taskName, task.Name, "task name should match")
-				require.Equal(t, codersdk.TaskStatusInitializing, task.Status, "task should be initializing after resume")
-			},
-		},
 		{
 			name:    "delete task",
 			cmdArgs: []string{"task", "delete", taskName, "--yes"},
@@ -272,17 +238,17 @@ func fakeAgentAPIEcho(ctx context.Context, t testing.TB, initMsg agentapisdk.Mes
 // setupCLITaskTest creates a test workspace with an AI task template and agent,
 // with a fake agent API configured with the provided set of handlers.
 // Returns the user client and workspace.
-func setupCLITaskTest(ctx context.Context, t *testing.T, agentAPIHandlers map[string]http.HandlerFunc) (ownerClient *codersdk.Client, memberClient *codersdk.Client, task codersdk.Task) {
+func setupCLITaskTest(ctx context.Context, t *testing.T, agentAPIHandlers map[string]http.HandlerFunc) (*codersdk.Client, codersdk.Task) {
 	t.Helper()

-	ownerClient = coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-	owner := coderdtest.CreateFirstUser(t, ownerClient)
-	userClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID)
+	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+	owner := coderdtest.CreateFirstUser(t, client)
+	userClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)

 	fakeAPI := startFakeAgentAPI(t, agentAPIHandlers)

 	authToken := uuid.NewString()
-	template := createAITaskTemplate(t, ownerClient, owner.OrganizationID, withSidebarURL(fakeAPI.URL()), withAgentToken(authToken))
+	template := createAITaskTemplate(t, client, owner.OrganizationID, withSidebarURL(fakeAPI.URL()), withAgentToken(authToken))

 	wantPrompt := "test prompt"
 	task, err := userClient.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
@@ -296,17 +262,17 @@ func setupCLITaskTest(ctx context.Context, t *testing.T, agentAPIHandlers map[st
 	require.True(t, task.WorkspaceID.Valid, "task should have a workspace ID")
 	workspace, err := userClient.Workspace(ctx, task.WorkspaceID.UUID)
 	require.NoError(t, err)
-	coderdtest.AwaitWorkspaceBuildJobCompleted(t, userClient, workspace.LatestBuild.ID)
+	coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)

-	agentClient := agentsdk.New(userClient.URL, agentsdk.WithFixedToken(authToken))
-	_ = agenttest.New(t, userClient.URL, authToken, func(o *agent.Options) {
+	agentClient := agentsdk.New(client.URL, agentsdk.WithFixedToken(authToken))
+	_ = agenttest.New(t, client.URL, authToken, func(o *agent.Options) {
 		o.Client = agentClient
 	})

-	coderdtest.NewWorkspaceAgentWaiter(t, userClient, workspace.ID).
+	coderdtest.NewWorkspaceAgentWaiter(t, client, workspace.ID).
 		WaitFor(coderdtest.AgentsReady)

-	return ownerClient, userClient, task
+	return userClient, task
 }

 // setupCLITaskTestWithSnapshot creates a task in the specified status with a log snapshot.
@@ -139,10 +139,8 @@ func (r *RootCmd) templateVersionsList() *serpent.Command {
 type templateVersionRow struct {
 	// For json format:
 	TemplateVersion codersdk.TemplateVersion `table:"-"`
-	ActiveJSON      bool                     `json:"active" table:"-"`

 	// For table format:
-	ID        string    `json:"-" table:"id"`
 	Name      string    `json:"-" table:"name,default_sort"`
 	CreatedAt time.Time `json:"-" table:"created at"`
 	CreatedBy string    `json:"-" table:"created by"`
@@ -168,8 +166,6 @@ func templateVersionsToRows(activeVersionID uuid.UUID, templateVersions ...coder

 		rows[i] = templateVersionRow{
 			TemplateVersion: templateVersion,
-			ActiveJSON:      templateVersion.ID == activeVersionID,
-			ID:              templateVersion.ID.String(),
 			Name:            templateVersion.Name,
 			CreatedAt:       templateVersion.CreatedAt,
 			CreatedBy:       templateVersion.CreatedBy.Username,
@@ -1,9 +1,7 @@
 package cli_test

 import (
-	"bytes"
 	"context"
-	"encoding/json"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -42,33 +40,6 @@ func TestTemplateVersions(t *testing.T) {
 		pty.ExpectMatch(version.CreatedBy.Username)
 		pty.ExpectMatch("Active")
 	})
-
-	t.Run("ListVersionsJSON", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-		owner := coderdtest.CreateFirstUser(t, client)
-		member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
-		version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, nil)
-		_ = coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
-		template := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID)
-
-		inv, root := clitest.New(t, "templates", "versions", "list", template.Name, "--output", "json")
-		clitest.SetupConfig(t, member, root)
-
-		var stdout bytes.Buffer
-		inv.Stdout = &stdout
-
-		require.NoError(t, inv.Run())
-
-		var rows []struct {
-			TemplateVersion codersdk.TemplateVersion `json:"TemplateVersion"`
-			Active          bool                     `json:"active"`
-		}
-		require.NoError(t, json.Unmarshal(stdout.Bytes(), &rows))
-		require.Len(t, rows, 1)
-		assert.Equal(t, version.ID, rows[0].TemplateVersion.ID)
-		assert.True(t, rows[0].Active)
-	})
 }

 func TestTemplateVersionsPromote(t *testing.T) {
@@ -49,9 +49,10 @@ OPTIONS:
          security purposes if a --wildcard-access-url is configured.

      --disable-workspace-sharing bool, $CODER_DISABLE_WORKSPACE_SHARING
-          Disable workspace sharing. Workspace ACL checking is disabled and only
-          owners can have ssh, apps and terminal access to workspaces. Access
-          based on the 'owner' role is also allowed unless disabled via
+          Disable workspace sharing (requires the "workspace-sharing" experiment
+          to be enabled). Workspace ACL checking is disabled and only owners can
+          have ssh, apps and terminal access to workspaces. Access based on the
+          'owner' role is also allowed unless disabled via
          --disable-owner-workspace-access.

      --swagger-enable bool, $CODER_SWAGGER_ENABLE
@@ -62,9 +63,6 @@ OPTIONS:
          Separate multiple experiments with commas, or enter '*' to opt-in to
          all available experiments.

-      --external-auth-github-default-provider-enable bool, $CODER_EXTERNAL_AUTH_GITHUB_DEFAULT_PROVIDER_ENABLE (default: true)
-          Enable the default GitHub external auth provider managed by Coder.
-
      --postgres-auth password|awsiamrds, $CODER_PG_AUTH (default: password)
          Type of auth to use when connecting to postgres. For AWS RDS, using
          IAM authentication (awsiamrds) is recommended.
@@ -385,19 +383,13 @@ NETWORKING OPTIONS:
      --samesite-auth-cookie lax|none, $CODER_SAMESITE_AUTH_COOKIE (default: lax)
          Controls the 'SameSite' property is set on browser session cookies.

-      --secure-auth-cookie bool, $CODER_SECURE_AUTH_COOKIE (default: false)
+      --secure-auth-cookie bool, $CODER_SECURE_AUTH_COOKIE
          Controls if the 'Secure' property is set on browser session cookies.

      --wildcard-access-url string, $CODER_WILDCARD_ACCESS_URL
          Specifies the wildcard hostname to use for workspace applications in
          the form "*.example.com".

-      --host-prefix-cookie bool, $CODER_HOST_PREFIX_COOKIE (default: false)
-          Recommended to be enabled. Enables `__Host-` prefix for cookies to
-          guarantee they are only set by the right domain. This change is
-          disruptive to any workspaces built before release 1.31, requiring a
-          workspace restart.
-
 NETWORKING / DERP OPTIONS: 
 Most Coder deployments never have to think about DERP because all connections
 between workspaces and users are peer-to-peer. However, when Coder cannot
@@ -12,8 +12,6 @@ SUBCOMMANDS:
    delete    Delete tasks
    list      List tasks
    logs      Show a task's logs
-    pause     Pause a task
-    resume    Resume a task
    send      Send input to a task
    status    Show the status of a task.

@@ -1,25 +0,0 @@
-coder v0.0.0-devel
-
-USAGE:
-  coder task pause [flags] <task>
-
-  Pause a task
-
-    - Pause a task by name:
-  
-       $ coder task pause my-task
-  
-    - Pause another user's task:
-  
-       $ coder task pause alice/my-task
-  
-    - Pause a task without confirmation:
-  
-       $ coder task pause my-task --yes
-
-OPTIONS:
-  -y, --yes bool
-          Bypass confirmation prompts.
-
-———
-Run `coder --help` for a list of global options.
@@ -1,28 +0,0 @@
-coder v0.0.0-devel
-
-USAGE:
-  coder task resume [flags] <task>
-
-  Resume a task
-
-    - Resume a task by name:
-  
-       $ coder task resume my-task
-  
-    - Resume another user's task:
-  
-       $ coder task resume alice/my-task
-  
-    - Resume a task without confirmation:
-  
-       $ coder task resume my-task --yes
-
-OPTIONS:
-      --no-wait bool
-          Return immediately after resuming the task.
-
-  -y, --yes bool
-          Bypass confirmation prompts.
-
-———
-Run `coder --help` for a list of global options.
@@ -9,7 +9,7 @@ OPTIONS:
  -O, --org string, $CODER_ORGANIZATION
          Select which organization (uuid or name) to use.

-  -c, --column [id|name|created at|created by|status|active|archived] (default: name,created at,created by,status,active)
+  -c, --column [name|created at|created by|status|active|archived] (default: name,created at,created by,status,active)
          Columns to display in table output.

      --include-archived bool
@@ -27,7 +27,7 @@ USAGE:
 SUBCOMMANDS:
    create    Create a token
    list      List tokens
-    remove    Expire or delete a token
+    remove    Delete a token
    view      Display detailed information about a token

 ———
@@ -15,10 +15,6 @@ OPTIONS:
  -c, --column [id|name|scopes|allow list|last used|expires at|created at|owner] (default: id,name,scopes,allow list,last used,expires at,created at)
          Columns to display in table output.

-      --include-expired bool
-          Include expired tokens in the output. By default, expired tokens are
-          hidden.
-
  -o, --output table|json (default: table)
          Output format.

@@ -1,19 +1,11 @@
 coder v0.0.0-devel

 USAGE:
-  coder tokens remove [flags] <name|id|token>
+  coder tokens remove <name|id|token>

-  Expire or delete a token
+  Delete a token

  Aliases: delete, rm

-  Remove a token by expiring it. Use --delete to permanently hard-delete the
-  token instead.
-
-OPTIONS:
-      --delete bool
-          Permanently delete the token instead of expiring it. This removes the
-          audit trail.
-
 ———
 Run `coder --help` for a list of global options.
@@ -176,16 +176,11 @@ networking:
  # (default: <unset>, type: string-array)
  proxyTrustedOrigins: []
  # Controls if the 'Secure' property is set on browser session cookies.
-  # (default: false, type: bool)
+  # (default: <unset>, type: bool)
  secureAuthCookie: false
  # Controls the 'SameSite' property is set on browser session cookies.
  # (default: lax, type: enum[lax\|none])
  sameSiteAuthCookie: lax
-  # Recommended to be enabled. Enables `__Host-` prefix for cookies to guarantee
-  # they are only set by the right domain. This change is disruptive to any
-  # workspaces built before release 1.31, requiring a workspace restart.
-  # (default: false, type: bool)
-  hostPrefixCookie: false
  # Whether Coder only allows connections to workspaces via the browser.
  # (default: <unset>, type: bool)
  browserOnly: false
@@ -422,11 +417,6 @@ oidc:
  # an insecure OIDC configuration. It is not recommended to use this flag.
  # (default: <unset>, type: bool)
  dangerousSkipIssuerChecks: false
-  # Optional override of the default redirect url which uses the deployment's access
-  # url. Useful in situations where a deployment has more than 1 domain. Using this
-  # setting can also break OIDC, so use with caution.
-  # (default: <unset>, type: url)
-  oidc-redirect-url:
 # Telemetry is critical to our ability to improve Coder. We strip all personal
 #  information before sending data to our servers. Please only disable telemetry
 #  when required by your organization's security policy.
@@ -524,10 +514,10 @@ disablePathApps: false
 # workspaces.
 # (default: <unset>, type: bool)
 disableOwnerWorkspaceAccess: false
-# Disable workspace sharing. Workspace ACL checking is disabled and only owners
-# can have ssh, apps and terminal access to workspaces. Access based on the
-# 'owner' role is also allowed unless disabled via
-# --disable-owner-workspace-access.
+# Disable workspace sharing (requires the "workspace-sharing" experiment to be
+# enabled). Workspace ACL checking is disabled and only owners can have ssh, apps
+# and terminal access to workspaces. Access based on the 'owner' role is also
+# allowed unless disabled via --disable-owner-workspace-access.
 # (default: <unset>, type: bool)
 disableWorkspaceSharing: false
 # These options change the behavior of how clients interact with the Coder.
@@ -564,9 +554,6 @@ supportLinks: []
 # External Authentication providers.
 # (default: <unset>, type: struct[[]codersdk.ExternalAuthConfig])
 externalAuthProviders: []
-# Enable the default GitHub external auth provider managed by Coder.
-# (default: true, type: bool)
-externalAuthGithubDefaultProviderEnable: true
 # Hostname of HTTPS server that runs https://github.com/coder/wgtunnel. By
 # default, this will pick the best available wgtunnel server hosted by Coder. e.g.
 # "tunnel.example.com".
@@ -218,10 +218,9 @@ func (r *RootCmd) listTokens() *serpent.Command {
 	}

 	var (
-		all            bool
-		includeExpired bool
-		displayTokens  []tokenListRow
-		formatter      = cliui.NewOutputFormatter(
+		all           bool
+		displayTokens []tokenListRow
+		formatter     = cliui.NewOutputFormatter(
 			cliui.TableFormat([]tokenListRow{}, defaultCols),
 			cliui.JSONFormat(),
 		)
@@ -241,8 +240,7 @@ func (r *RootCmd) listTokens() *serpent.Command {
 			}

 			tokens, err := client.Tokens(inv.Context(), codersdk.Me, codersdk.TokensFilter{
-				IncludeAll:     all,
-				IncludeExpired: includeExpired,
+				IncludeAll: all,
 			})
 			if err != nil {
 				return xerrors.Errorf("list tokens: %w", err)
@@ -276,12 +274,6 @@ func (r *RootCmd) listTokens() *serpent.Command {
 			Description:   "Specifies whether all users' tokens will be listed or not (must have Owner role to see all tokens).",
 			Value:         serpent.BoolOf(&all),
 		},
-		{
-			Name:        "include-expired",
-			Flag:        "include-expired",
-			Description: "Include expired tokens in the output. By default, expired tokens are hidden.",
-			Value:       serpent.BoolOf(&includeExpired),
-		},
 	}

 	formatter.AttachOptions(&cmd.Options)
@@ -331,13 +323,10 @@ func (r *RootCmd) viewToken() *serpent.Command {
 }

 func (r *RootCmd) removeToken() *serpent.Command {
-	var deleteToken bool
 	cmd := &serpent.Command{
 		Use:     "remove <name|id|token>",
 		Aliases: []string{"delete"},
-		Short:   "Expire or delete a token",
-		Long: "Remove a token by expiring it. Use --delete to permanently hard-" +
-			"delete the token instead.",
+		Short:   "Delete a token",
 		Middleware: serpent.Chain(
 			serpent.RequireNArgs(1),
 		),
@@ -349,7 +338,7 @@ func (r *RootCmd) removeToken() *serpent.Command {

 			token, err := client.APIKeyByName(inv.Context(), codersdk.Me, inv.Args[0])
 			if err != nil {
-				// If it's a token, we need to extract the ID.
+				// If it's a token, we need to extract the ID
 				maybeID := strings.Split(inv.Args[0], "-")[0]
 				token, err = client.APIKeyByID(inv.Context(), codersdk.Me, maybeID)
 				if err != nil {
@@ -357,29 +346,17 @@ func (r *RootCmd) removeToken() *serpent.Command {
 				}
 			}

-			if deleteToken {
-				err = client.DeleteAPIKey(inv.Context(), codersdk.Me, token.ID)
-				if err != nil {
-					return xerrors.Errorf("delete api key: %w", err)
-				}
-				cliui.Infof(inv.Stdout, "Token has been deleted.")
-				return nil
-			}
-
-			err = client.ExpireAPIKey(inv.Context(), codersdk.Me, token.ID)
+			err = client.DeleteAPIKey(inv.Context(), codersdk.Me, token.ID)
 			if err != nil {
-				return xerrors.Errorf("expire api key: %w", err)
+				return xerrors.Errorf("delete api key: %w", err)
 			}
-			cliui.Infof(inv.Stdout, "Token has been expired.")
-			return nil
-		},
-	}

-	cmd.Options = serpent.OptionSet{
-		{
-			Flag:        "delete",
-			Description: "Permanently delete the token instead of expiring it. This removes the audit trail.",
-			Value:       serpent.BoolOf(&deleteToken),
+			cliui.Infof(
+				inv.Stdout,
+				"Token has been deleted.",
+			)
+
+			return nil
 		},
 	}

@@ -6,16 +6,12 @@ import (
 	"encoding/json"
 	"fmt"
 	"testing"
-	"time"

 	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/v2/cli/clitest"
 	"github.com/coder/coder/v2/coderd/coderdtest"
-	"github.com/coder/coder/v2/coderd/database"
-	"github.com/coder/coder/v2/coderd/database/dbgen"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/testutil"
 )
@@ -26,7 +22,7 @@ func TestTokens(t *testing.T) {
 	adminUser := coderdtest.CreateFirstUser(t, client)

 	secondUserClient, secondUser := coderdtest.CreateAnotherUser(t, client, adminUser.OrganizationID)
-	thirdUserClient, thirdUser := coderdtest.CreateAnotherUser(t, client, adminUser.OrganizationID)
+	_, thirdUser := coderdtest.CreateAnotherUser(t, client, adminUser.OrganizationID)

 	ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitLong)
 	defer cancelFunc()
@@ -159,7 +155,7 @@ func TestTokens(t *testing.T) {
 	require.Len(t, scopedToken.AllowList, 1)
 	require.Equal(t, allowSpec, scopedToken.AllowList[0].String())

-	// Delete by name (default behavior is now expire)
+	// Delete by name
 	inv, root = clitest.New(t, "tokens", "rm", "token-one")
 	clitest.SetupConfig(t, client, root)
 	buf = new(bytes.Buffer)
@@ -168,42 +164,21 @@ func TestTokens(t *testing.T) {
 	require.NoError(t, err)
 	res = buf.String()
 	require.NotEmpty(t, res)
-	require.Contains(t, res, "expired")
-
-	// Regular users cannot expire other users' tokens (expire is default now).
-	inv, root = clitest.New(t, "tokens", "rm", secondTokenID)
-	clitest.SetupConfig(t, thirdUserClient, root)
-	buf = new(bytes.Buffer)
-	inv.Stdout = buf
-	err = inv.WithContext(ctx).Run()
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "not found")
-
-	// Only admin users can expire other users' tokens (expire is default now).
-	inv, root = clitest.New(t, "tokens", "rm", secondTokenID)
-	clitest.SetupConfig(t, client, root)
-	buf = new(bytes.Buffer)
-	inv.Stdout = buf
-	err = inv.WithContext(ctx).Run()
-	require.NoError(t, err)
-	// Validate that token was expired
-	if token, err := client.APIKeyByName(ctx, secondUser.ID.String(), "token-two"); assert.NoError(t, err) {
-		require.True(t, token.ExpiresAt.Before(time.Now()))
-	}
-
-	// Delete by ID (explicit delete flag)
-	inv, root = clitest.New(t, "tokens", "rm", "--delete", secondTokenID)
-	clitest.SetupConfig(t, client, root)
-	buf = new(bytes.Buffer)
-	inv.Stdout = buf
-	err = inv.WithContext(ctx).Run()
-	require.NoError(t, err)
-	res = buf.String()
-	require.NotEmpty(t, res)
 	require.Contains(t, res, "deleted")

-	// Delete scoped token by ID (explicit delete flag)
-	inv, root = clitest.New(t, "tokens", "rm", "--delete", scopedTokenID)
+	// Delete by ID
+	inv, root = clitest.New(t, "tokens", "rm", secondTokenID)
+	clitest.SetupConfig(t, client, root)
+	buf = new(bytes.Buffer)
+	inv.Stdout = buf
+	err = inv.WithContext(ctx).Run()
+	require.NoError(t, err)
+	res = buf.String()
+	require.NotEmpty(t, res)
+	require.Contains(t, res, "deleted")
+
+	// Delete scoped token by ID
+	inv, root = clitest.New(t, "tokens", "rm", scopedTokenID)
 	clitest.SetupConfig(t, client, root)
 	buf = new(bytes.Buffer)
 	inv.Stdout = buf
@@ -224,8 +199,8 @@ func TestTokens(t *testing.T) {
 	require.NotEmpty(t, res)
 	fourthToken := res

-	// Delete by token (explicit delete flag)
-	inv, root = clitest.New(t, "tokens", "rm", "--delete", fourthToken)
+	// Delete by token
+	inv, root = clitest.New(t, "tokens", "rm", fourthToken)
 	clitest.SetupConfig(t, client, root)
 	buf = new(bytes.Buffer)
 	inv.Stdout = buf
@@ -235,114 +210,3 @@ func TestTokens(t *testing.T) {
 	require.NotEmpty(t, res)
 	require.Contains(t, res, "deleted")
 }
-
-func TestTokensListExpiredFiltering(t *testing.T) {
-	t.Parallel()
-
-	client, _, api := coderdtest.NewWithAPI(t, nil)
-	owner := coderdtest.CreateFirstUser(t, client)
-
-	// Create a valid (non-expired) token
-	validToken, _ := dbgen.APIKey(t, api.Database, database.APIKey{
-		UserID:    owner.UserID,
-		ExpiresAt: time.Now().Add(24 * time.Hour),
-		LoginType: database.LoginTypeToken,
-		TokenName: "valid-token",
-	})
-
-	// Create an expired token
-	expiredToken, _ := dbgen.APIKey(t, api.Database, database.APIKey{
-		UserID:    owner.UserID,
-		ExpiresAt: time.Now().Add(-24 * time.Hour),
-		LoginType: database.LoginTypeToken,
-		TokenName: "expired-token",
-	})
-
-	t.Run("HidesExpiredByDefault", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
-
-		inv, root := clitest.New(t, "tokens", "ls")
-		clitest.SetupConfig(t, client, root)
-		buf := new(bytes.Buffer)
-		inv.Stdout = buf
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		res := buf.String()
-		require.Contains(t, res, validToken.ID)
-		require.Contains(t, res, "valid-token")
-		require.NotContains(t, res, expiredToken.ID)
-		require.NotContains(t, res, "expired-token")
-	})
-
-	t.Run("ShowsExpiredWithFlag", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
-
-		inv, root := clitest.New(t, "tokens", "ls", "--include-expired")
-		clitest.SetupConfig(t, client, root)
-		buf := new(bytes.Buffer)
-		inv.Stdout = buf
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		res := buf.String()
-		require.Contains(t, res, validToken.ID)
-		require.Contains(t, res, "valid-token")
-		require.Contains(t, res, expiredToken.ID)
-		require.Contains(t, res, "expired-token")
-	})
-
-	t.Run("JSONOutputRespectsFilter", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
-
-		// Default (no expired)
-		inv, root := clitest.New(t, "tokens", "ls", "--output=json")
-		clitest.SetupConfig(t, client, root)
-		buf := new(bytes.Buffer)
-		inv.Stdout = buf
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		res := buf.String()
-		require.Contains(t, res, "valid-token")
-		require.NotContains(t, res, "expired-token")
-
-		// With --include-expired
-		inv, root = clitest.New(t, "tokens", "ls", "--output=json", "--include-expired")
-		clitest.SetupConfig(t, client, root)
-		buf = new(bytes.Buffer)
-		inv.Stdout = buf
-		err = inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		res = buf.String()
-		require.Contains(t, res, "valid-token")
-		require.Contains(t, res, "expired-token")
-	})
-
-	t.Run("AllUsersWithIncludeExpired", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
-
-		inv, root := clitest.New(t, "tokens", "ls", "--all", "--include-expired")
-		clitest.SetupConfig(t, client, root)
-		buf := new(bytes.Buffer)
-		inv.Stdout = buf
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		res := buf.String()
-		// Should show both valid and expired tokens
-		require.Contains(t, res, validToken.ID)
-		require.Contains(t, res, "valid-token")
-		require.Contains(t, res, expiredToken.ID)
-		require.Contains(t, res, "expired-token")
-	})
-}
@@ -990,74 +990,4 @@ func TestUpdateValidateRichParameters(t *testing.T) {

 		_ = testutil.TryReceive(ctx, t, doneChan)
 	})
-
-	t.Run("NewImmutableParameterViaFlag", func(t *testing.T) {
-		t.Parallel()
-
-		// Create template and workspace with only a mutable parameter.
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-		owner := coderdtest.CreateFirstUser(t, client)
-		member, memberUser := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
-
-		templateParameters := []*proto.RichParameter{
-			{Name: stringParameterName, Type: "string", Mutable: true, Required: true, Options: []*proto.RichParameterOption{
-				{Name: "First option", Description: "This is first option", Value: "1st"},
-				{Name: "Second option", Description: "This is second option", Value: "2nd"},
-			}},
-		}
-		version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, prepareEchoResponses(templateParameters))
-		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
-		template := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID)
-
-		inv, root := clitest.New(t, "create", "my-workspace", "--yes", "--template", template.Name, "--parameter", fmt.Sprintf("%s=%s", stringParameterName, "1st"))
-		clitest.SetupConfig(t, member, root)
-		err := inv.Run()
-		require.NoError(t, err)
-
-		// Update template: add a new immutable parameter.
-		updatedTemplateParameters := []*proto.RichParameter{
-			templateParameters[0],
-			{Name: immutableParameterName, Type: "string", Mutable: false, Required: true, Options: []*proto.RichParameterOption{
-				{Name: "fir", Description: "First option for immutable parameter", Value: "I"},
-				{Name: "sec", Description: "Second option for immutable parameter", Value: "II"},
-			}},
-		}
-
-		updatedVersion := coderdtest.UpdateTemplateVersion(t, client, owner.OrganizationID, prepareEchoResponses(updatedTemplateParameters), template.ID)
-		coderdtest.AwaitTemplateVersionJobCompleted(t, client, updatedVersion.ID)
-		err = client.UpdateActiveTemplateVersion(context.Background(), template.ID, codersdk.UpdateActiveTemplateVersion{
-			ID: updatedVersion.ID,
-		})
-		require.NoError(t, err)
-
-		// Update workspace, supplying the new immutable parameter via
-		// the --parameter flag. This should succeed because it's the
-		// first time this parameter is being set.
-		inv, root = clitest.New(t, "update", "my-workspace",
-			"--parameter", fmt.Sprintf("%s=%s", immutableParameterName, "II"))
-		clitest.SetupConfig(t, member, root)
-
-		pty := ptytest.New(t).Attach(inv)
-		doneChan := make(chan struct{})
-		go func() {
-			defer close(doneChan)
-			err := inv.Run()
-			assert.NoError(t, err)
-		}()
-
-		pty.ExpectMatch("Planning workspace")
-
-		ctx := testutil.Context(t, testutil.WaitLong)
-		_ = testutil.TryReceive(ctx, t, doneChan)
-
-		// Verify the immutable parameter was set correctly.
-		workspace, err := client.WorkspaceByOwnerAndName(ctx, memberUser.ID.String(), "my-workspace", codersdk.WorkspaceOptions{})
-		require.NoError(t, err)
-		actualParameters, err := client.WorkspaceBuildParameters(ctx, workspace.LatestBuild.ID)
-		require.NoError(t, err)
-		require.Contains(t, actualParameters, codersdk.WorkspaceBuildParameter{
-			Name:  immutableParameterName,
-			Value: "II",
-		})
-	})
 }
@@ -0,0 +1,24 @@
+//go:build !windows && !darwin
+
+package cli
+
+import (
+	"golang.org/x/xerrors"
+
+	"github.com/coder/serpent"
+)
+
+func (*RootCmd) vpnDaemonRun() *serpent.Command {
+	cmd := &serpent.Command{
+		Use:   "run",
+		Short: "Run the VPN daemon on Windows.",
+		Middleware: serpent.Chain(
+			serpent.RequireNArgs(0),
+		),
+		Handler: func(_ *serpent.Invocation) error {
+			return xerrors.New("vpn-daemon subcommand is not supported on this platform")
+		},
+	}
+
+	return cmd
+}
@@ -1,4 +1,4 @@
-//go:build windows || linux
+//go:build windows

 package cli

@@ -11,7 +11,7 @@ import (
 	"github.com/coder/serpent"
 )

-func (*RootCmd) vpnDaemonRun() *serpent.Command {
+func (r *RootCmd) vpnDaemonRun() *serpent.Command {
 	var (
 		rpcReadHandleInt  int64
 		rpcWriteHandleInt int64
@@ -19,7 +19,7 @@ func (*RootCmd) vpnDaemonRun() *serpent.Command {

 	cmd := &serpent.Command{
 		Use:   "run",
-		Short: "Run the VPN daemon on Windows and Linux.",
+		Short: "Run the VPN daemon on Windows.",
 		Middleware: serpent.Chain(
 			serpent.RequireNArgs(0),
 		),
@@ -53,8 +53,8 @@ func (*RootCmd) vpnDaemonRun() *serpent.Command {
 				return xerrors.Errorf("rpc-read-handle (%v) and rpc-write-handle (%v) must be different", rpcReadHandleInt, rpcWriteHandleInt)
 			}

-			// The manager passes the read and write descriptors directly to the
-			// daemon, so we can open the RPC pipe from the raw values.
+			// We don't need to worry about duplicating the handles on Windows,
+			// which is different from Unix.
 			logger.Info(ctx, "opening bidirectional RPC pipe", slog.F("rpc_read_handle", rpcReadHandleInt), slog.F("rpc_write_handle", rpcWriteHandleInt))
 			pipe, err := vpn.NewBidirectionalPipe(uintptr(rpcReadHandleInt), uintptr(rpcWriteHandleInt))
 			if err != nil {
@@ -62,7 +62,7 @@ func (*RootCmd) vpnDaemonRun() *serpent.Command {
 			}
 			defer pipe.Close()

-			logger.Info(ctx, "starting VPN tunnel")
+			logger.Info(ctx, "starting tunnel")
 			tunnel, err := vpn.NewTunnel(ctx, logger, pipe, vpn.NewClient(), vpn.UseOSNetworkingStack())
 			if err != nil {
 				return xerrors.Errorf("create new tunnel for client: %w", err)
@@ -1,19 +0,0 @@
-//go:build linux
-
-package cli_test
-
-import (
-	"os"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-	"golang.org/x/sys/unix"
-)
-
-func dupHandle(t *testing.T, f *os.File) uintptr {
-	t.Helper()
-
-	dupFD, err := unix.Dup(int(f.Fd()))
-	require.NoError(t, err)
-	return uintptr(dupFD)
-}
@@ -1,33 +0,0 @@
-//go:build windows
-
-package cli_test
-
-import (
-	"os"
-	"syscall"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func dupHandle(t *testing.T, f *os.File) uintptr {
-	t.Helper()
-
-	src := syscall.Handle(f.Fd())
-	var dup syscall.Handle
-
-	proc, err := syscall.GetCurrentProcess()
-	require.NoError(t, err)
-
-	err = syscall.DuplicateHandle(
-		proc,
-		src,
-		proc,
-		&dup,
-		0,
-		false,
-		syscall.DUPLICATE_SAME_ACCESS,
-	)
-	require.NoError(t, err)
-	return uintptr(dup)
-}
@@ -1,4 +1,4 @@
-//go:build windows || linux
+//go:build windows

 package cli_test

@@ -67,35 +67,22 @@ func TestVPNDaemonRun(t *testing.T) {

 		r1, w1, err := os.Pipe()
 		require.NoError(t, err)
+		defer r1.Close()
 		defer w1.Close()
-
 		r2, w2, err := os.Pipe()
 		require.NoError(t, err)
 		defer r2.Close()
-
-		// The daemon closes the handles passed via NewBidirectionalPipe. Since our
-		// CLI tests run in-process, pass duplicated handles so we can close the
-		// originals without risking a double-close on FD reuse.
-		rpcReadHandle := dupHandle(t, r1)
-		rpcWriteHandle := dupHandle(t, w2)
-		require.NoError(t, r1.Close())
-		require.NoError(t, w2.Close())
+		defer w2.Close()

 		ctx := testutil.Context(t, testutil.WaitLong)
-		inv, _ := clitest.New(t,
-			"vpn-daemon",
-			"run",
-			"--rpc-read-handle",
-			fmt.Sprint(rpcReadHandle),
-			"--rpc-write-handle",
-			fmt.Sprint(rpcWriteHandle),
-		)
+		inv, _ := clitest.New(t, "vpn-daemon", "run", "--rpc-read-handle", fmt.Sprint(r1.Fd()), "--rpc-write-handle", fmt.Sprint(w2.Fd()))
 		waiter := clitest.StartWithWaiter(t, inv.WithContext(ctx))

-		// Send an invalid header, including a newline delimiter, so the handshake
-		// fails without requiring context cancellation.
-		_, err = w1.Write([]byte("garbage\n"))
+		// Send garbage which should cause the handshake to fail and the daemon
+		// to exit.
+		_, err = w1.Write([]byte("garbage"))
 		require.NoError(t, err)
+		waiter.Cancel()
 		err = waiter.Wait()
 		require.ErrorContains(t, err, "handshake failed")
 	})
@@ -179,8 +179,6 @@ func New(opts Options, workspace database.Workspace) *API {
 		Database:                 opts.Database,
 		Log:                      opts.Log,
 		PublishWorkspaceUpdateFn: api.publishWorkspaceUpdate,
-		Clock:                    opts.Clock,
-		NotificationsEnqueuer:    opts.NotificationsEnqueuer,
 	}

 	api.MetadataAPI = &MetadataAPI{
@@ -2,10 +2,6 @@ package agentapi

 import (
 	"context"
-	"database/sql"
-	"fmt"
-	"net/http"
-	"time"

 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
@@ -13,14 +9,7 @@ import (
 	"cdr.dev/slog/v3"
 	agentproto "github.com/coder/coder/v2/agent/proto"
 	"github.com/coder/coder/v2/coderd/database"
-	"github.com/coder/coder/v2/coderd/database/dbauthz"
-	"github.com/coder/coder/v2/coderd/database/dbtime"
-	"github.com/coder/coder/v2/coderd/notifications"
-	strutil "github.com/coder/coder/v2/coderd/util/strings"
-	"github.com/coder/coder/v2/coderd/workspacestats"
 	"github.com/coder/coder/v2/coderd/wspubsub"
-	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/quartz"
 )

 type AppsAPI struct {
@@ -28,8 +17,6 @@ type AppsAPI struct {
 	Database                 database.Store
 	Log                      slog.Logger
 	PublishWorkspaceUpdateFn func(context.Context, *database.WorkspaceAgent, wspubsub.WorkspaceEventKind) error
-	NotificationsEnqueuer    notifications.Enqueuer
-	Clock                    quartz.Clock
 }

 func (a *AppsAPI) BatchUpdateAppHealths(ctx context.Context, req *agentproto.BatchUpdateAppHealthRequest) (*agentproto.BatchUpdateAppHealthResponse, error) {
@@ -117,230 +104,3 @@ func (a *AppsAPI) BatchUpdateAppHealths(ctx context.Context, req *agentproto.Bat
 	}
 	return &agentproto.BatchUpdateAppHealthResponse{}, nil
 }
-
-func (a *AppsAPI) UpdateAppStatus(ctx context.Context, req *agentproto.UpdateAppStatusRequest) (*agentproto.UpdateAppStatusResponse, error) {
-	if len(req.Message) > 160 {
-		return nil, codersdk.NewError(http.StatusBadRequest, codersdk.Response{
-			Message: "Message is too long.",
-			Detail:  "Message must be less than 160 characters.",
-			Validations: []codersdk.ValidationError{
-				{Field: "message", Detail: "Message must be less than 160 characters."},
-			},
-		})
-	}
-
-	var dbState database.WorkspaceAppStatusState
-	switch req.State {
-	case agentproto.UpdateAppStatusRequest_COMPLETE:
-		dbState = database.WorkspaceAppStatusStateComplete
-	case agentproto.UpdateAppStatusRequest_FAILURE:
-		dbState = database.WorkspaceAppStatusStateFailure
-	case agentproto.UpdateAppStatusRequest_WORKING:
-		dbState = database.WorkspaceAppStatusStateWorking
-	case agentproto.UpdateAppStatusRequest_IDLE:
-		dbState = database.WorkspaceAppStatusStateIdle
-	default:
-		return nil, codersdk.NewError(http.StatusBadRequest, codersdk.Response{
-			Message: "Invalid state provided.",
-			Detail:  fmt.Sprintf("invalid state: %q", req.State),
-			Validations: []codersdk.ValidationError{
-				{Field: "state", Detail: "State must be one of: complete, failure, working, idle."},
-			},
-		})
-	}
-
-	workspaceAgent, err := a.AgentFn(ctx)
-	if err != nil {
-		return nil, err
-	}
-	app, err := a.Database.GetWorkspaceAppByAgentIDAndSlug(ctx, database.GetWorkspaceAppByAgentIDAndSlugParams{
-		AgentID: workspaceAgent.ID,
-		Slug:    req.Slug,
-	})
-	if err != nil {
-		return nil, codersdk.NewError(http.StatusBadRequest, codersdk.Response{
-			Message: "Failed to get workspace app.",
-			Detail:  fmt.Sprintf("No app found with slug %q", req.Slug),
-		})
-	}
-
-	workspace, err := a.Database.GetWorkspaceByAgentID(ctx, workspaceAgent.ID)
-	if err != nil {
-		return nil, codersdk.NewError(http.StatusBadRequest, codersdk.Response{
-			Message: "Failed to get workspace.",
-			Detail:  err.Error(),
-		})
-	}
-
-	// Treat the message as untrusted input.
-	cleaned := strutil.UISanitize(req.Message)
-
-	// Get the latest status for the workspace app to detect no-op updates
-	// nolint:gocritic // This is a system restricted operation.
-	latestAppStatus, err := a.Database.GetLatestWorkspaceAppStatusByAppID(dbauthz.AsSystemRestricted(ctx), app.ID)
-	if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
-		return nil, codersdk.NewError(http.StatusInternalServerError, codersdk.Response{
-			Message: "Failed to get latest workspace app status.",
-			Detail:  err.Error(),
-		})
-	}
-	// If no rows found, latestAppStatus will be a zero-value struct (ID == uuid.Nil)
-
-	// nolint:gocritic // This is a system restricted operation.
-	_, err = a.Database.InsertWorkspaceAppStatus(dbauthz.AsSystemRestricted(ctx), database.InsertWorkspaceAppStatusParams{
-		ID:          uuid.New(),
-		CreatedAt:   dbtime.Now(),
-		WorkspaceID: workspace.ID,
-		AgentID:     workspaceAgent.ID,
-		AppID:       app.ID,
-		State:       dbState,
-		Message:     cleaned,
-		Uri: sql.NullString{
-			String: req.Uri,
-			Valid:  req.Uri != "",
-		},
-	})
-	if err != nil {
-		return nil, codersdk.NewError(http.StatusInternalServerError, codersdk.Response{
-			Message: "Failed to insert workspace app status.",
-			Detail:  err.Error(),
-		})
-	}
-
-	if a.PublishWorkspaceUpdateFn != nil {
-		err = a.PublishWorkspaceUpdateFn(ctx, &workspaceAgent, wspubsub.WorkspaceEventKindAgentAppStatusUpdate)
-		if err != nil {
-			return nil, codersdk.NewError(http.StatusInternalServerError, codersdk.Response{
-				Message: "Failed to publish workspace update.",
-				Detail:  err.Error(),
-			})
-		}
-	}
-
-	// Notify on state change to Working/Idle for AI tasks
-	a.enqueueAITaskStateNotification(ctx, app.ID, latestAppStatus, dbState, workspace, workspaceAgent)
-
-	if shouldBump(dbState, latestAppStatus) {
-		// We pass time.Time{} for nextAutostart since we don't have access to
-		// TemplateScheduleStore here. The activity bump logic handles this by
-		// defaulting to the template's activity_bump duration (typically 1 hour).
-		workspacestats.ActivityBumpWorkspace(ctx, a.Log, a.Database, workspace.ID, time.Time{})
-	}
-	// just return a blank response because it doesn't contain any settable fields at present.
-	return new(agentproto.UpdateAppStatusResponse), nil
-}
-
-func shouldBump(dbState database.WorkspaceAppStatusState, latestAppStatus database.WorkspaceAppStatus) bool {
-	// Bump deadline when agent reports working or transitions away from working.
-	// This prevents auto-pause during active work and gives users time to interact
-	// after work completes.
-
-	// Bump if reporting working state.
-	if dbState == database.WorkspaceAppStatusStateWorking {
-		return true
-	}
-
-	// Bump if transitioning away from working state.
-	if latestAppStatus.ID != uuid.Nil {
-		prevState := latestAppStatus.State
-		if prevState == database.WorkspaceAppStatusStateWorking {
-			return true
-		}
-	}
-	return false
-}
-
-// enqueueAITaskStateNotification enqueues a notification when an AI task's app
-// transitions to Working or Idle.
-// No-op if:
-//   - the workspace agent app isn't configured as an AI task,
-//   - the new state equals the latest persisted state,
-//   - the workspace agent is not ready (still starting up).
-func (a *AppsAPI) enqueueAITaskStateNotification(
-	ctx context.Context,
-	appID uuid.UUID,
-	latestAppStatus database.WorkspaceAppStatus,
-	newAppStatus database.WorkspaceAppStatusState,
-	workspace database.Workspace,
-	agent database.WorkspaceAgent,
-) {
-	var notificationTemplate uuid.UUID
-	switch newAppStatus {
-	case database.WorkspaceAppStatusStateWorking:
-		notificationTemplate = notifications.TemplateTaskWorking
-	case database.WorkspaceAppStatusStateIdle:
-		notificationTemplate = notifications.TemplateTaskIdle
-	case database.WorkspaceAppStatusStateComplete:
-		notificationTemplate = notifications.TemplateTaskCompleted
-	case database.WorkspaceAppStatusStateFailure:
-		notificationTemplate = notifications.TemplateTaskFailed
-	default:
-		// Not a notifiable state, do nothing
-		return
-	}
-
-	if !workspace.TaskID.Valid {
-		// Workspace has no task ID, do nothing.
-		return
-	}
-
-	// Only send notifications when the agent is ready. We want to skip
-	// any state transitions that occur whilst the workspace is starting
-	// up as it doesn't make sense to receive them.
-	if agent.LifecycleState != database.WorkspaceAgentLifecycleStateReady {
-		a.Log.Debug(ctx, "skipping AI task notification because agent is not ready",
-			slog.F("agent_id", agent.ID),
-			slog.F("lifecycle_state", agent.LifecycleState),
-			slog.F("new_app_status", newAppStatus),
-		)
-		return
-	}
-
-	task, err := a.Database.GetTaskByID(ctx, workspace.TaskID.UUID)
-	if err != nil {
-		a.Log.Warn(ctx, "failed to get task", slog.Error(err))
-		return
-	}
-
-	if !task.WorkspaceAppID.Valid || task.WorkspaceAppID.UUID != appID {
-		// Non-task app, do nothing.
-		return
-	}
-
-	// Skip if the latest persisted state equals the new state (no new transition)
-	// Note: uuid.Nil check is valid here. If no previous status exists,
-	// GetLatestWorkspaceAppStatusByAppID returns sql.ErrNoRows and we get a zero-value struct.
-	if latestAppStatus.ID != uuid.Nil && latestAppStatus.State == newAppStatus {
-		return
-	}
-
-	// Skip the initial "Working" notification when the task first starts.
-	// This is obvious to the user since they just created the task.
-	// We still notify on the first "Idle" status and all subsequent transitions.
-	if latestAppStatus.ID == uuid.Nil && newAppStatus == database.WorkspaceAppStatusStateWorking {
-		return
-	}
-
-	if _, err := a.NotificationsEnqueuer.EnqueueWithData(
-		// nolint:gocritic // Need notifier actor to enqueue notifications
-		dbauthz.AsNotifier(ctx),
-		workspace.OwnerID,
-		notificationTemplate,
-		map[string]string{
-			"task":      task.Name,
-			"workspace": workspace.Name,
-		},
-		map[string]any{
-			// Use a 1-minute bucketed timestamp to bypass per-day dedupe,
-			// allowing identical content to resend within the same day
-			// (but not more than once every 10s).
-			"dedupe_bypass_ts": a.Clock.Now().UTC().Truncate(time.Minute),
-		},
-		"api-workspace-agent-app-status",
-		// Associate this notification with related entities
-		workspace.ID, workspace.OwnerID, workspace.OrganizationID, appID,
-	); err != nil {
-		a.Log.Warn(ctx, "failed to notify of task state", slog.Error(err))
-		return
-	}
-}
@@ -1,115 +0,0 @@
-package agentapi
-
-import (
-	"testing"
-
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/v2/coderd/database"
-	"github.com/coder/coder/v2/coderd/util/ptr"
-)
-
-func TestShouldBump(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name       string
-		prevState  *database.WorkspaceAppStatusState // nil means no previous state
-		newState   database.WorkspaceAppStatusState
-		shouldBump bool
-	}{
-		{
-			name:       "FirstStatusBumps",
-			prevState:  nil,
-			newState:   database.WorkspaceAppStatusStateWorking,
-			shouldBump: true,
-		},
-		{
-			name:       "WorkingToIdleBumps",
-			prevState:  ptr.Ref(database.WorkspaceAppStatusStateWorking),
-			newState:   database.WorkspaceAppStatusStateIdle,
-			shouldBump: true,
-		},
-		{
-			name:       "WorkingToCompleteBumps",
-			prevState:  ptr.Ref(database.WorkspaceAppStatusStateWorking),
-			newState:   database.WorkspaceAppStatusStateComplete,
-			shouldBump: true,
-		},
-		{
-			name:       "CompleteToIdleNoBump",
-			prevState:  ptr.Ref(database.WorkspaceAppStatusStateComplete),
-			newState:   database.WorkspaceAppStatusStateIdle,
-			shouldBump: false,
-		},
-		{
-			name:       "CompleteToCompleteNoBump",
-			prevState:  ptr.Ref(database.WorkspaceAppStatusStateComplete),
-			newState:   database.WorkspaceAppStatusStateComplete,
-			shouldBump: false,
-		},
-		{
-			name:       "FailureToIdleNoBump",
-			prevState:  ptr.Ref(database.WorkspaceAppStatusStateFailure),
-			newState:   database.WorkspaceAppStatusStateIdle,
-			shouldBump: false,
-		},
-		{
-			name:       "FailureToFailureNoBump",
-			prevState:  ptr.Ref(database.WorkspaceAppStatusStateFailure),
-			newState:   database.WorkspaceAppStatusStateFailure,
-			shouldBump: false,
-		},
-		{
-			name:       "CompleteToWorkingBumps",
-			prevState:  ptr.Ref(database.WorkspaceAppStatusStateComplete),
-			newState:   database.WorkspaceAppStatusStateWorking,
-			shouldBump: true,
-		},
-		{
-			name:       "FailureToCompleteNoBump",
-			prevState:  ptr.Ref(database.WorkspaceAppStatusStateFailure),
-			newState:   database.WorkspaceAppStatusStateComplete,
-			shouldBump: false,
-		},
-		{
-			name:       "WorkingToFailureBumps",
-			prevState:  ptr.Ref(database.WorkspaceAppStatusStateWorking),
-			newState:   database.WorkspaceAppStatusStateFailure,
-			shouldBump: true,
-		},
-		{
-			name:       "IdleToIdleNoBump",
-			prevState:  ptr.Ref(database.WorkspaceAppStatusStateIdle),
-			newState:   database.WorkspaceAppStatusStateIdle,
-			shouldBump: false,
-		},
-		{
-			name:       "IdleToWorkingBumps",
-			prevState:  ptr.Ref(database.WorkspaceAppStatusStateIdle),
-			newState:   database.WorkspaceAppStatusStateWorking,
-			shouldBump: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			var prevAppStatus database.WorkspaceAppStatus
-			// If there's a previous state, report it first.
-			if tt.prevState != nil {
-				prevAppStatus.ID = uuid.UUID{1}
-				prevAppStatus.State = *tt.prevState
-			}
-
-			didBump := shouldBump(tt.newState, prevAppStatus)
-			if tt.shouldBump {
-				require.True(t, didBump, "wanted deadline to bump but it didn't")
-			} else {
-				require.False(t, didBump, "wanted deadline not to bump but it did")
-			}
-		})
-	}
-}
@@ -2,13 +2,9 @@ package agentapi_test

 import (
 	"context"
-	"database/sql"
-	"net/http"
-	"strings"
 	"testing"

 	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/mock/gomock"

@@ -16,12 +12,8 @@ import (
 	"github.com/coder/coder/v2/coderd/agentapi"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbmock"
-	"github.com/coder/coder/v2/coderd/notifications"
-	"github.com/coder/coder/v2/coderd/notifications/notificationstest"
 	"github.com/coder/coder/v2/coderd/wspubsub"
-	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/testutil"
-	"github.com/coder/quartz"
 )

 func TestBatchUpdateAppHealths(t *testing.T) {
@@ -261,183 +253,3 @@ func TestBatchUpdateAppHealths(t *testing.T) {
 		require.Nil(t, resp)
 	})
 }
-
-func TestWorkspaceAgentAppStatus(t *testing.T) {
-	t.Parallel()
-
-	t.Run("Success", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		ctrl := gomock.NewController(t)
-		mDB := dbmock.NewMockStore(ctrl)
-		fEnq := &notificationstest.FakeEnqueuer{}
-		mClock := quartz.NewMock(t)
-		agent := database.WorkspaceAgent{
-			ID:             uuid.UUID{2},
-			LifecycleState: database.WorkspaceAgentLifecycleStateReady,
-		}
-		workspaceUpdates := make(chan wspubsub.WorkspaceEventKind, 100)
-
-		api := &agentapi.AppsAPI{
-			AgentFn: func(context.Context) (database.WorkspaceAgent, error) {
-				return agent, nil
-			},
-			Database: mDB,
-			Log:      testutil.Logger(t),
-			PublishWorkspaceUpdateFn: func(_ context.Context, agnt *database.WorkspaceAgent, kind wspubsub.WorkspaceEventKind) error {
-				assert.Equal(t, *agnt, agent)
-				testutil.AssertSend(ctx, t, workspaceUpdates, kind)
-				return nil
-			},
-			NotificationsEnqueuer: fEnq,
-			Clock:                 mClock,
-		}
-
-		app := database.WorkspaceApp{
-			ID: uuid.UUID{8},
-		}
-		mDB.EXPECT().GetWorkspaceAppByAgentIDAndSlug(gomock.Any(), database.GetWorkspaceAppByAgentIDAndSlugParams{
-			AgentID: agent.ID,
-			Slug:    "vscode",
-		}).Times(1).Return(app, nil)
-		task := database.Task{
-			ID: uuid.UUID{7},
-			WorkspaceAppID: uuid.NullUUID{
-				Valid: true,
-				UUID:  app.ID,
-			},
-		}
-		mDB.EXPECT().GetTaskByID(gomock.Any(), task.ID).Times(1).Return(task, nil)
-		workspace := database.Workspace{
-			ID: uuid.UUID{9},
-			TaskID: uuid.NullUUID{
-				Valid: true,
-				UUID:  task.ID,
-			},
-		}
-		mDB.EXPECT().GetWorkspaceByAgentID(gomock.Any(), agent.ID).Times(1).Return(workspace, nil)
-		appStatus := database.WorkspaceAppStatus{
-			ID: uuid.UUID{6},
-		}
-		mDB.EXPECT().GetLatestWorkspaceAppStatusByAppID(gomock.Any(), app.ID).Times(1).Return(appStatus, nil)
-		mDB.EXPECT().InsertWorkspaceAppStatus(
-			gomock.Any(),
-			gomock.Cond(func(params database.InsertWorkspaceAppStatusParams) bool {
-				if params.AgentID == agent.ID && params.AppID == app.ID {
-					assert.Equal(t, "testing", params.Message)
-					assert.Equal(t, database.WorkspaceAppStatusStateComplete, params.State)
-					assert.True(t, params.Uri.Valid)
-					assert.Equal(t, "https://example.com", params.Uri.String)
-					return true
-				}
-				return false
-			})).Times(1).Return(database.WorkspaceAppStatus{}, nil)
-
-		_, err := api.UpdateAppStatus(ctx, &agentproto.UpdateAppStatusRequest{
-			Slug:    "vscode",
-			Message: "testing",
-			Uri:     "https://example.com",
-			State:   agentproto.UpdateAppStatusRequest_COMPLETE,
-		})
-		require.NoError(t, err)
-
-		kind := testutil.RequireReceive(ctx, t, workspaceUpdates)
-		require.Equal(t, wspubsub.WorkspaceEventKindAgentAppStatusUpdate, kind)
-		sent := fEnq.Sent(notificationstest.WithTemplateID(notifications.TemplateTaskCompleted))
-		require.Len(t, sent, 1)
-	})
-
-	t.Run("FailUnknownApp", func(t *testing.T) {
-		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitShort)
-		ctrl := gomock.NewController(t)
-		mDB := dbmock.NewMockStore(ctrl)
-		agent := database.WorkspaceAgent{
-			ID:             uuid.UUID{2},
-			LifecycleState: database.WorkspaceAgentLifecycleStateReady,
-		}
-
-		mDB.EXPECT().GetWorkspaceAppByAgentIDAndSlug(gomock.Any(), gomock.Any()).
-			Times(1).
-			Return(database.WorkspaceApp{}, sql.ErrNoRows)
-
-		api := &agentapi.AppsAPI{
-			AgentFn: func(context.Context) (database.WorkspaceAgent, error) {
-				return agent, nil
-			},
-			Database: mDB,
-			Log:      testutil.Logger(t),
-		}
-		_, err := api.UpdateAppStatus(ctx, &agentproto.UpdateAppStatusRequest{
-			Slug:    "unknown",
-			Message: "testing",
-			Uri:     "https://example.com",
-			State:   agentproto.UpdateAppStatusRequest_COMPLETE,
-		})
-		require.ErrorContains(t, err, "No app found with slug")
-		var sdkErr *codersdk.Error
-		require.ErrorAs(t, err, &sdkErr)
-		require.Equal(t, http.StatusBadRequest, sdkErr.StatusCode())
-	})
-
-	t.Run("FailUnknownState", func(t *testing.T) {
-		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitShort)
-		ctrl := gomock.NewController(t)
-		mDB := dbmock.NewMockStore(ctrl)
-		agent := database.WorkspaceAgent{
-			ID:             uuid.UUID{2},
-			LifecycleState: database.WorkspaceAgentLifecycleStateReady,
-		}
-
-		api := &agentapi.AppsAPI{
-			AgentFn: func(context.Context) (database.WorkspaceAgent, error) {
-				return agent, nil
-			},
-			Database: mDB,
-			Log:      testutil.Logger(t),
-		}
-
-		_, err := api.UpdateAppStatus(ctx, &agentproto.UpdateAppStatusRequest{
-			Slug:    "vscode",
-			Message: "testing",
-			Uri:     "https://example.com",
-			State:   77,
-		})
-		require.ErrorContains(t, err, "Invalid state")
-		var sdkErr *codersdk.Error
-		require.ErrorAs(t, err, &sdkErr)
-		require.Equal(t, http.StatusBadRequest, sdkErr.StatusCode())
-	})
-
-	t.Run("FailTooLong", func(t *testing.T) {
-		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitShort)
-		ctrl := gomock.NewController(t)
-		mDB := dbmock.NewMockStore(ctrl)
-		agent := database.WorkspaceAgent{
-			ID:             uuid.UUID{2},
-			LifecycleState: database.WorkspaceAgentLifecycleStateReady,
-		}
-
-		api := &agentapi.AppsAPI{
-			AgentFn: func(context.Context) (database.WorkspaceAgent, error) {
-				return agent, nil
-			},
-			Database: mDB,
-			Log:      testutil.Logger(t),
-		}
-
-		_, err := api.UpdateAppStatus(ctx, &agentproto.UpdateAppStatusRequest{
-			Slug:    "vscode",
-			Message: strings.Repeat("a", 161),
-			Uri:     "https://example.com",
-			State:   agentproto.UpdateAppStatusRequest_COMPLETE,
-		})
-		require.ErrorContains(t, err, "Message is too long")
-		var sdkErr *codersdk.Error
-		require.ErrorAs(t, err, &sdkErr)
-		require.Equal(t, http.StatusBadRequest, sdkErr.StatusCode())
-	})
-}
@@ -128,7 +128,7 @@ func (a *SubAgentAPI) CreateSubAgent(ctx context.Context, req *agentproto.Create
 		Name:                     agentName,
 		ResourceID:               parentAgent.ResourceID,
 		AuthToken:                uuid.New(),
-		AuthInstanceID:           sql.NullString{},
+		AuthInstanceID:           parentAgent.AuthInstanceID,
 		Architecture:             req.Architecture,
 		EnvironmentVariables:     pqtype.NullRawMessage{},
 		OperatingSystem:          req.OperatingSystem,
@@ -175,52 +175,6 @@ func TestSubAgentAPI(t *testing.T) {
 		}
 	})

-	// Context: https://github.com/coder/coder/pull/22196
-	t.Run("CreateSubAgentDoesNotInheritAuthInstanceID", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			log   = testutil.Logger(t)
-			clock = quartz.NewMock(t)
-
-			db, org     = newDatabaseWithOrg(t)
-			user, agent = newUserWithWorkspaceAgent(t, db, org)
-		)
-
-		// Given: The parent agent has an AuthInstanceID set
-		ctx := testutil.Context(t, testutil.WaitShort)
-		parentAgent, err := db.GetWorkspaceAgentByID(dbauthz.AsSystemRestricted(ctx), agent.ID)
-		require.NoError(t, err)
-		require.True(t, parentAgent.AuthInstanceID.Valid, "parent agent should have an AuthInstanceID")
-		require.NotEmpty(t, parentAgent.AuthInstanceID.String)
-
-		api := newAgentAPI(t, log, db, clock, user, org, agent)
-
-		// When: We create a sub agent
-		createResp, err := api.CreateSubAgent(ctx, &proto.CreateSubAgentRequest{
-			Name:            "sub-agent",
-			Directory:       "/workspaces/test",
-			Architecture:    "amd64",
-			OperatingSystem: "linux",
-		})
-		require.NoError(t, err)
-
-		subAgentID, err := uuid.FromBytes(createResp.Agent.Id)
-		require.NoError(t, err)
-
-		// Then: The sub-agent must NOT re-use the parent's AuthInstanceID.
-		subAgent, err := db.GetWorkspaceAgentByID(dbauthz.AsSystemRestricted(ctx), subAgentID)
-		require.NoError(t, err)
-		assert.False(t, subAgent.AuthInstanceID.Valid, "sub-agent should not have an AuthInstanceID")
-		assert.Empty(t, subAgent.AuthInstanceID.String, "sub-agent AuthInstanceID string should be empty")
-
-		// Double-check: looking up by the parent's instance ID must
-		// still return the parent, not the sub-agent.
-		lookedUp, err := db.GetWorkspaceAgentByInstanceID(dbauthz.AsSystemRestricted(ctx), parentAgent.AuthInstanceID.String)
-		require.NoError(t, err)
-		assert.Equal(t, parentAgent.ID, lookedUp.ID, "instance ID lookup should still return the parent agent")
-	})
-
 	type expectedAppError struct {
 		index int32
 		field string
@@ -1366,6 +1320,7 @@ func TestSubAgentAPI(t *testing.T) {
 		}

 		for _, tc := range tests {
+			tc := tc
 			t.Run(tc.name, func(t *testing.T) {
 				t.Parallel()

@@ -21,12 +21,10 @@ import (
 	agentapisdk "github.com/coder/agentapi-sdk-go"
 	"github.com/coder/coder/v2/coderd/audit"
 	"github.com/coder/coder/v2/coderd/database"
-	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpapi/httperror"
 	"github.com/coder/coder/v2/coderd/httpmw"
-	"github.com/coder/coder/v2/coderd/notifications"
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/searchquery"
@@ -192,8 +190,7 @@ func (api *API) tasksCreate(rw http.ResponseWriter, r *http.Request) {
 	})
 	defer commitAuditWS()

-	workspace, err := createWorkspace(ctx, aReqWS, apiKey.UserID, api, owner, createReq, &createWorkspaceOptions{
-		remoteAddr: r.RemoteAddr,
+	workspace, err := createWorkspace(ctx, aReqWS, apiKey.UserID, api, owner, createReq, r, &createWorkspaceOptions{
 		// Before creating the workspace, ensure that this task can be created.
 		preCreateInTX: func(ctx context.Context, tx database.Store) error {
 			// Create task record in the database before creating the workspace so that
@@ -467,6 +464,7 @@ func (api *API) convertTasks(ctx context.Context, requesterID uuid.UUID, dbTasks

 	apiWorkspaces, err := convertWorkspaces(
 		ctx,
+		api.Experiments,
 		api.Logger,
 		requesterID,
 		workspaces,
@@ -546,6 +544,7 @@ func (api *API) taskGet(rw http.ResponseWriter, r *http.Request) {

 	ws, err := convertWorkspace(
 		ctx,
+		api.Experiments,
 		api.Logger,
 		apiKey.UserID,
 		workspace,
@@ -1301,127 +1300,7 @@ func (api *API) pauseTask(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if _, err := api.NotificationsEnqueuer.Enqueue(
-		// nolint:gocritic // Need notifier actor to enqueue notifications.
-		dbauthz.AsNotifier(ctx),
-		workspace.OwnerID,
-		notifications.TemplateTaskPaused,
-		map[string]string{
-			"task":         task.Name,
-			"task_id":      task.ID.String(),
-			"workspace":    workspace.Name,
-			"pause_reason": "manual",
-		},
-		"api-task-pause",
-		workspace.ID, workspace.OwnerID, workspace.OrganizationID,
-	); err != nil {
-		api.Logger.Warn(ctx, "failed to notify of task paused", slog.Error(err), slog.F("task_id", task.ID), slog.F("workspace_id", workspace.ID))
-	}
-
 	httpapi.Write(ctx, rw, http.StatusAccepted, codersdk.PauseTaskResponse{
 		WorkspaceBuild: &build,
 	})
 }
-
-// @Summary Resume task
-// @ID resume-task
-// @Security CoderSessionToken
-// @Accept json
-// @Tags Tasks
-// @Param user path string true "Username, user ID, or 'me' for the authenticated user"
-// @Param task path string true "Task ID" format(uuid)
-// @Success 202 {object} codersdk.ResumeTaskResponse
-// @Router /tasks/{user}/{task}/resume [post]
-func (api *API) resumeTask(rw http.ResponseWriter, r *http.Request) {
-	var (
-		ctx    = r.Context()
-		apiKey = httpmw.APIKey(r)
-		task   = httpmw.TaskParam(r)
-	)
-
-	if !task.WorkspaceID.Valid {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Task does not have a workspace.",
-		})
-		return
-	}
-
-	workspace, err := api.Database.GetWorkspaceByID(ctx, task.WorkspaceID.UUID)
-	if err != nil {
-		if httpapi.Is404Error(err) {
-			httpapi.ResourceNotFound(rw)
-			return
-		}
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error fetching task workspace.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-
-	latestBuild, err := api.Database.GetLatestWorkspaceBuildByWorkspaceID(ctx, workspace.ID)
-	if err != nil {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error fetching task workspace build.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-	job, err := api.Database.GetProvisionerJobByID(ctx, latestBuild.JobID)
-	if err != nil {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error fetching task workspace build job.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-	workspaceStatus := codersdk.ConvertWorkspaceStatus(
-		codersdk.ProvisionerJobStatus(job.JobStatus),
-		codersdk.WorkspaceTransition(latestBuild.Transition),
-	)
-	if workspaceStatus == codersdk.WorkspaceStatusRunning {
-		httpapi.Write(ctx, rw, http.StatusConflict, codersdk.Response{
-			Message: "Task workspace is already running.",
-			Detail:  fmt.Sprintf("Workspace status is %q.", workspaceStatus),
-		})
-		return
-	}
-
-	buildReq := codersdk.CreateWorkspaceBuildRequest{
-		Transition: codersdk.WorkspaceTransitionStart,
-		Reason:     codersdk.CreateWorkspaceBuildReasonTaskResume,
-	}
-	build, err := api.postWorkspaceBuildsInternal(
-		ctx,
-		apiKey,
-		workspace,
-		buildReq,
-		func(action policy.Action, object rbac.Objecter) bool {
-			return api.Authorize(r, action, object)
-		},
-		audit.WorkspaceBuildBaggageFromRequest(r),
-	)
-	if err != nil {
-		httperror.WriteWorkspaceBuildError(ctx, rw, err)
-		return
-	}
-	if _, err := api.NotificationsEnqueuer.Enqueue(
-		// nolint:gocritic // Need notifier actor to enqueue notifications.
-		dbauthz.AsNotifier(ctx),
-		workspace.OwnerID,
-		notifications.TemplateTaskResumed,
-		map[string]string{
-			"task":      task.Name,
-			"task_id":   task.ID.String(),
-			"workspace": workspace.Name,
-		},
-		"api-task-resume",
-		workspace.ID, workspace.OwnerID, workspace.OrganizationID,
-	); err != nil {
-		api.Logger.Warn(ctx, "failed to notify of task resumed", slog.Error(err), slog.F("task_id", task.ID), slog.F("workspace_id", workspace.ID))
-	}
-
-	httpapi.Write(ctx, rw, http.StatusAccepted, codersdk.ResumeTaskResponse{
-		WorkspaceBuild: &build,
-	})
-}
@@ -45,10 +45,10 @@ import (
 )

 // createTaskInState is a helper to create a task in the desired state.
-// It returns a function that takes context, test, and status, and returns the task.
+// It returns a function that takes context, test, and status, and returns the task ID.
 // The caller is responsible for setting up the database, owner, and user.
-func createTaskInState(db database.Store, ownerSubject rbac.Subject, ownerOrgID, userID uuid.UUID) func(context.Context, *testing.T, database.TaskStatus) database.Task {
-	return func(ctx context.Context, t *testing.T, status database.TaskStatus) database.Task {
+func createTaskInState(db database.Store, ownerSubject rbac.Subject, ownerOrgID, userID uuid.UUID) func(context.Context, *testing.T, database.TaskStatus) uuid.UUID {
+	return func(ctx context.Context, t *testing.T, status database.TaskStatus) uuid.UUID {
 		ctx = dbauthz.As(ctx, ownerSubject)

 		builder := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
@@ -65,9 +65,6 @@ func createTaskInState(db database.Store, ownerSubject rbac.Subject, ownerOrgID,
 			builder = builder.Pending()
 		case database.TaskStatusInitializing:
 			builder = builder.Starting()
-		case database.TaskStatusActive:
-			// Default builder produces a succeeded start build.
-			// Post-processing below sets agent and app to active.
 		case database.TaskStatusPaused:
 			builder = builder.Seed(database.WorkspaceBuild{
 				Transition: database.WorkspaceTransitionStop,
@@ -79,32 +76,31 @@ func createTaskInState(db database.Store, ownerSubject rbac.Subject, ownerOrgID,
 		}

 		resp := builder.Do()
+		taskID := resp.Task.ID

 		// Post-process by manipulating agent and app state.
-		if status == database.TaskStatusActive || status == database.TaskStatusError {
-			// Set agent to ready state so agent_status returns 'active'.
+		if status == database.TaskStatusError {
+			// First, set agent to ready state so agent_status returns 'active'.
+			// This ensures the cascade reaches app_status.
 			err := db.UpdateWorkspaceAgentLifecycleStateByID(ctx, database.UpdateWorkspaceAgentLifecycleStateByIDParams{
 				ID:             resp.Agents[0].ID,
 				LifecycleState: database.WorkspaceAgentLifecycleStateReady,
 			})
 			require.NoError(t, err)

+			// Then set workspace app health to unhealthy to trigger error state.
 			apps, err := db.GetWorkspaceAppsByAgentID(ctx, resp.Agents[0].ID)
 			require.NoError(t, err)
 			require.Len(t, apps, 1, "expected exactly one app for task")

-			appHealth := database.WorkspaceAppHealthHealthy
-			if status == database.TaskStatusError {
-				appHealth = database.WorkspaceAppHealthUnhealthy
-			}
 			err = db.UpdateWorkspaceAppHealthByID(ctx, database.UpdateWorkspaceAppHealthByIDParams{
 				ID:     apps[0].ID,
-				Health: appHealth,
+				Health: database.WorkspaceAppHealthUnhealthy,
 			})
 			require.NoError(t, err)
 		}

-		return resp.Task
+		return taskID
 	}
 }

@@ -832,7 +828,7 @@ func TestTasks(t *testing.T) {
 		t.Run("SendToNonActiveStates", func(t *testing.T) {
 			t.Parallel()

-			client, db := coderdtest.NewWithDatabase(t, &coderdtest.Options{})
+			client, db := coderdtest.NewWithDatabase(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 			owner := coderdtest.CreateFirstUser(t, client)
 			ctx := testutil.Context(t, testutil.WaitMedium)

@@ -849,9 +845,9 @@ func TestTasks(t *testing.T) {
 				t.Parallel()

 				ctx := testutil.Context(t, testutil.WaitMedium)
-				task := createTask(ctx, t, database.TaskStatusPaused)
+				taskID := createTask(ctx, t, database.TaskStatusPaused)

-				err := client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
+				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
 					Input: "Hello",
 				})

@@ -867,9 +863,9 @@ func TestTasks(t *testing.T) {
 				t.Parallel()

 				ctx := testutil.Context(t, testutil.WaitMedium)
-				task := createTask(ctx, t, database.TaskStatusInitializing)
+				taskID := createTask(ctx, t, database.TaskStatusInitializing)

-				err := client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
+				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
 					Input: "Hello",
 				})

@@ -885,9 +881,9 @@ func TestTasks(t *testing.T) {
 				t.Parallel()

 				ctx := testutil.Context(t, testutil.WaitMedium)
-				task := createTask(ctx, t, database.TaskStatusPending)
+				taskID := createTask(ctx, t, database.TaskStatusPending)

-				err := client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
+				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
 					Input: "Hello",
 				})

@@ -903,9 +899,9 @@ func TestTasks(t *testing.T) {
 				t.Parallel()

 				ctx := testutil.Context(t, testutil.WaitMedium)
-				task := createTask(ctx, t, database.TaskStatusError)
+				taskID := createTask(ctx, t, database.TaskStatusError)

-				err := client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
+				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
 					Input: "Hello",
 				})

@@ -1124,16 +1120,16 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			task := createTask(ctx, t, database.TaskStatusPending)
+			taskID := createTask(ctx, t, database.TaskStatusPending)

 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
-				TaskID:               task.ID,
+				TaskID:               taskID,
 				LogSnapshot:          json.RawMessage(snapshotJSON),
 				LogSnapshotCreatedAt: snapshotTime,
 			})
 			require.NoError(t, err, "upserting task snapshot")

-			logsResp, err := client.TaskLogs(ctx, "me", task.ID)
+			logsResp, err := client.TaskLogs(ctx, "me", taskID)
 			require.NoError(t, err, "fetching task logs")
 			verifySnapshotLogs(t, logsResp)
 		})
@@ -1142,16 +1138,16 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			task := createTask(ctx, t, database.TaskStatusInitializing)
+			taskID := createTask(ctx, t, database.TaskStatusInitializing)

 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
-				TaskID:               task.ID,
+				TaskID:               taskID,
 				LogSnapshot:          json.RawMessage(snapshotJSON),
 				LogSnapshotCreatedAt: snapshotTime,
 			})
 			require.NoError(t, err, "upserting task snapshot")

-			logsResp, err := client.TaskLogs(ctx, "me", task.ID)
+			logsResp, err := client.TaskLogs(ctx, "me", taskID)
 			require.NoError(t, err, "fetching task logs")
 			verifySnapshotLogs(t, logsResp)
 		})
@@ -1160,16 +1156,16 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			task := createTask(ctx, t, database.TaskStatusPaused)
+			taskID := createTask(ctx, t, database.TaskStatusPaused)

 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
-				TaskID:               task.ID,
+				TaskID:               taskID,
 				LogSnapshot:          json.RawMessage(snapshotJSON),
 				LogSnapshotCreatedAt: snapshotTime,
 			})
 			require.NoError(t, err, "upserting task snapshot")

-			logsResp, err := client.TaskLogs(ctx, "me", task.ID)
+			logsResp, err := client.TaskLogs(ctx, "me", taskID)
 			require.NoError(t, err, "fetching task logs")
 			verifySnapshotLogs(t, logsResp)
 		})
@@ -1178,9 +1174,9 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			task := createTask(ctx, t, database.TaskStatusPending)
+			taskID := createTask(ctx, t, database.TaskStatusPending)

-			logsResp, err := client.TaskLogs(ctx, "me", task.ID)
+			logsResp, err := client.TaskLogs(ctx, "me", taskID)
 			require.NoError(t, err)

 			assert.True(t, logsResp.Snapshot)
@@ -1192,7 +1188,7 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			task := createTask(ctx, t, database.TaskStatusPending)
+			taskID := createTask(ctx, t, database.TaskStatusPending)

 			invalidEnvelope := coderd.TaskLogSnapshotEnvelope{
 				Format: "unknown-format",
@@ -1202,13 +1198,13 @@ func TestTasks(t *testing.T) {
 			require.NoError(t, err)

 			err = db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
-				TaskID:               task.ID,
+				TaskID:               taskID,
 				LogSnapshot:          json.RawMessage(invalidJSON),
 				LogSnapshotCreatedAt: snapshotTime,
 			})
 			require.NoError(t, err)

-			_, err = client.TaskLogs(ctx, "me", task.ID)
+			_, err = client.TaskLogs(ctx, "me", taskID)
 			require.Error(t, err)

 			var sdkErr *codersdk.Error
@@ -1221,16 +1217,16 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			task := createTask(ctx, t, database.TaskStatusPending)
+			taskID := createTask(ctx, t, database.TaskStatusPending)

 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
-				TaskID:               task.ID,
+				TaskID:               taskID,
 				LogSnapshot:          json.RawMessage(`{"format":"agentapi","data":"not an object"}`),
 				LogSnapshotCreatedAt: snapshotTime,
 			})
 			require.NoError(t, err)

-			_, err = client.TaskLogs(ctx, "me", task.ID)
+			_, err = client.TaskLogs(ctx, "me", taskID)
 			require.Error(t, err)

 			var sdkErr *codersdk.Error
@@ -1242,9 +1238,9 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			task := createTask(ctx, t, database.TaskStatusError)
+			taskID := createTask(ctx, t, database.TaskStatusError)

-			_, err := client.TaskLogs(ctx, "me", task.ID)
+			_, err := client.TaskLogs(ctx, "me", taskID)
 			require.Error(t, err)

 			var sdkErr *codersdk.Error
@@ -2516,20 +2512,13 @@ func TestPauseTask(t *testing.T) {
 		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)

 		resp, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-
-		// Verify that the request was accepted correctly:
 		require.NoError(t, err)
 		build := *resp.WorkspaceBuild
+		require.NotNil(t, build)
 		require.Equal(t, codersdk.WorkspaceTransitionStop, build.Transition)
 		require.Equal(t, task.WorkspaceID.UUID, build.WorkspaceID)
 		require.Equal(t, workspace.LatestBuild.BuildNumber+1, build.BuildNumber)
 		require.Equal(t, string(codersdk.CreateWorkspaceBuildReasonTaskManualPause), string(build.Reason))
-
-		// Verify that the accepted request was processed correctly:
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, build.ID)
-		workspace, err = client.Workspace(ctx, task.WorkspaceID.UUID)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.WorkspaceStatusStopped, workspace.LatestBuild.Status)
 	})

 	t.Run("Non-owner role access", func(t *testing.T) {
@@ -2567,6 +2556,7 @@ func TestPauseTask(t *testing.T) {
 		}

 		for _, tc := range cases {
+			tc := tc
 			t.Run(tc.name, func(t *testing.T) {
 				task, _ := setupWorkspaceTask(t, db, owner)
 				userClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, tc.roles...)
@@ -2790,402 +2780,4 @@ func TestPauseTask(t *testing.T) {
 		require.ErrorAs(t, err, &apiErr)
 		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
 	})
-
-	t.Run("Notification", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			notifyEnq       = &notificationstest.FakeEnqueuer{}
-			ownerClient, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{NotificationsEnqueuer: notifyEnq})
-			owner           = coderdtest.CreateFirstUser(t, ownerClient)
-		)
-
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		ownerUser, err := ownerClient.User(ctx, owner.UserID.String())
-		require.NoError(t, err)
-
-		createTask := createTaskInState(db, coderdtest.AuthzUserSubject(ownerUser), owner.OrganizationID, owner.UserID)
-
-		// Given: A task in an active state
-		task := createTask(ctx, t, database.TaskStatusActive)
-
-		workspace, err := ownerClient.Workspace(ctx, task.WorkspaceID.UUID)
-		require.NoError(t, err)
-
-		// When: We pause the task
-		_, err = ownerClient.PauseTask(ctx, codersdk.Me, task.ID)
-		require.NoError(t, err)
-
-		// Then: A notification should be sent
-		sent := notifyEnq.Sent(notificationstest.WithTemplateID(notifications.TemplateTaskPaused))
-		require.Len(t, sent, 1)
-		require.Equal(t, owner.UserID, sent[0].UserID)
-		require.Equal(t, task.Name, sent[0].Labels["task"])
-		require.Equal(t, task.ID.String(), sent[0].Labels["task_id"])
-		require.Equal(t, workspace.Name, sent[0].Labels["workspace"])
-		require.Equal(t, "manual", sent[0].Labels["pause_reason"])
-	})
-}
-
-func TestResumeTask(t *testing.T) {
-	t.Parallel()
-
-	setupClient := func(t *testing.T, db database.Store, ps pubsub.Pubsub, authorizer rbac.Authorizer) *codersdk.Client {
-		t.Helper()
-		client, _, _ := coderdtest.NewWithAPI(t, &coderdtest.Options{
-			Database:                 db,
-			Pubsub:                   ps,
-			Authorizer:               authorizer,
-			IncludeProvisionerDaemon: true,
-		})
-		return client
-	}
-
-	setupWorkspaceTask := func(t *testing.T, db database.Store, user codersdk.CreateFirstUserResponse) (database.Task, uuid.UUID) {
-		t.Helper()
-		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-			OrganizationID: user.OrganizationID,
-			OwnerID:        user.UserID,
-		}).WithTask(database.TaskTable{
-			Prompt: "resume me",
-		}, nil).Do()
-		return workspaceBuild.Task, workspaceBuild.Workspace.ID
-	}
-
-	t.Run("OK", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitLong)
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-		user := coderdtest.CreateFirstUser(t, client)
-
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:          echo.ParseComplete,
-			ProvisionApply: echo.ApplyComplete,
-			ProvisionGraph: []*proto.Response{
-				{Type: &proto.Response_Graph{Graph: &proto.GraphComplete{
-					HasAiTasks: true,
-				}}},
-			},
-		})
-		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
-		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		task, err := client.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
-			TemplateVersionID: template.ActiveVersionID,
-			Input:             "resume me",
-		})
-		require.NoError(t, err)
-
-		workspace, err := client.Workspace(ctx, task.WorkspaceID.UUID)
-		require.NoError(t, err)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
-
-		pauseResp, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-		require.NoError(t, err)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, pauseResp.WorkspaceBuild.ID)
-
-		resumeResp, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
-		require.NoError(t, err)
-		build := *resumeResp.WorkspaceBuild
-		require.Equal(t, codersdk.WorkspaceTransitionStart, build.Transition)
-		require.Equal(t, task.WorkspaceID.UUID, build.WorkspaceID)
-		require.Equal(t, workspace.LatestBuild.BuildNumber+2, build.BuildNumber)
-		require.Equal(t, string(codersdk.CreateWorkspaceBuildReasonTaskResume), string(build.Reason))
-
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, build.ID)
-		workspace, err = client.Workspace(ctx, task.WorkspaceID.UUID)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.WorkspaceStatusRunning, workspace.LatestBuild.Status)
-	})
-
-	t.Run("Resume a task that is not paused", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitLong)
-		db, ps := dbtestutil.NewDB(t)
-		client := setupClient(t, db, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-			OrganizationID: user.OrganizationID,
-			OwnerID:        user.UserID,
-		}).
-			WithTask(database.TaskTable{
-				Prompt: "pause me",
-			}, nil).
-			Succeeded().
-			Do()
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, workspaceBuild.Task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusConflict, apiErr.StatusCode())
-	})
-
-	t.Run("Task not found", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-		_ = coderdtest.CreateFirstUser(t, client)
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, uuid.New())
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
-	})
-
-	t.Run("Task lookup forbidden", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		auth := &coderdtest.FakeAuthorizer{
-			ConditionalReturn: func(_ context.Context, _ rbac.Subject, action policy.Action, object rbac.Object) error {
-				if action == policy.ActionRead && object.Type == rbac.ResourceTask.Type {
-					return rbac.UnauthorizedError{}
-				}
-				return nil
-			},
-		}
-		client := setupClient(t, db, ps, auth)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, _ := setupWorkspaceTask(t, db, user)
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
-	})
-
-	t.Run("Workspace lookup forbidden", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		auth := &coderdtest.FakeAuthorizer{
-			ConditionalReturn: func(_ context.Context, _ rbac.Subject, action policy.Action, object rbac.Object) error {
-				if action == policy.ActionRead && object.Type == rbac.ResourceWorkspace.Type {
-					return rbac.UnauthorizedError{}
-				}
-				return nil
-			},
-		}
-		client := setupClient(t, db, ps, auth)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, _ := setupWorkspaceTask(t, db, user)
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
-	})
-
-	t.Run("No Workspace for Task", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		client := setupClient(t, db, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-
-		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-			OrganizationID: user.OrganizationID,
-			OwnerID:        user.UserID,
-		}).Do()
-		task := dbgen.Task(t, db, database.TaskTable{
-			OrganizationID:    user.OrganizationID,
-			OwnerID:           user.UserID,
-			TemplateVersionID: workspaceBuild.Build.TemplateVersionID,
-			Prompt:            "no workspace",
-		})
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
-		require.Equal(t, "Task does not have a workspace.", apiErr.Message)
-	})
-
-	t.Run("Workspace not found", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		var workspaceID uuid.UUID
-		wrapped := aiTaskStoreWrapper{
-			Store: db,
-			getWorkspaceByID: func(ctx context.Context, id uuid.UUID) (database.Workspace, error) {
-				if id == workspaceID && id != uuid.Nil {
-					return database.Workspace{}, sql.ErrNoRows
-				}
-				return db.GetWorkspaceByID(ctx, id)
-			},
-		}
-		client := setupClient(t, wrapped, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, workspaceIDValue := setupWorkspaceTask(t, db, user)
-		workspaceID = workspaceIDValue
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
-	})
-
-	t.Run("Workspace lookup internal error", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		var workspaceID uuid.UUID
-		wrapped := aiTaskStoreWrapper{
-			Store: db,
-			getWorkspaceByID: func(ctx context.Context, id uuid.UUID) (database.Workspace, error) {
-				if id == workspaceID && id != uuid.Nil {
-					return database.Workspace{}, xerrors.New("boom")
-				}
-				return db.GetWorkspaceByID(ctx, id)
-			},
-		}
-		client := setupClient(t, wrapped, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, workspaceIDValue := setupWorkspaceTask(t, db, user)
-		workspaceID = workspaceIDValue
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
-		require.Equal(t, "Internal error fetching task workspace.", apiErr.Message)
-	})
-
-	t.Run("Build Forbidden", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		auth := &coderdtest.FakeAuthorizer{
-			ConditionalReturn: func(_ context.Context, _ rbac.Subject, action policy.Action, object rbac.Object) error {
-				if action == policy.ActionWorkspaceStart && object.Type == rbac.ResourceWorkspace.Type {
-					return rbac.UnauthorizedError{}
-				}
-				return nil
-			},
-		}
-		client := setupClient(t, db, ps, auth)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, _ := setupWorkspaceTask(t, db, user)
-
-		pauseResp, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-		require.NoError(t, err)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, pauseResp.WorkspaceBuild.ID)
-
-		_, err = client.ResumeTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
-	})
-
-	t.Run("Job already in progress", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		client := setupClient(t, db, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-			OrganizationID: user.OrganizationID,
-			OwnerID:        user.UserID,
-		}).
-			WithTask(database.TaskTable{
-				Prompt: "resume me",
-			}, nil).
-			Starting().
-			Do()
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, workspaceBuild.Task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusConflict, apiErr.StatusCode())
-	})
-
-	t.Run("Build Internal Error", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		wrapped := aiTaskStoreWrapper{
-			Store: db,
-		}
-
-		client := setupClient(t, &wrapped, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:          echo.ParseComplete,
-			ProvisionApply: echo.ApplyComplete,
-			ProvisionGraph: []*proto.Response{
-				{Type: &proto.Response_Graph{Graph: &proto.GraphComplete{
-					HasAiTasks: true,
-				}}},
-			},
-		})
-		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
-		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		task, err := client.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
-			TemplateVersionID: template.ActiveVersionID,
-			Input:             "resume me",
-		})
-		require.NoError(t, err)
-
-		workspace, err := client.Workspace(ctx, task.WorkspaceID.UUID)
-		require.NoError(t, err)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
-
-		pauseResp, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-		require.NoError(t, err)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, pauseResp.WorkspaceBuild.ID)
-
-		// Induce a transient failure in the database after the task has been paused.
-		wrapped.insertWorkspaceBuild = func(ctx context.Context, arg database.InsertWorkspaceBuildParams) error {
-			return xerrors.New("insert failed")
-		}
-		_, err = client.ResumeTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
-	})
-
-	t.Run("Notification", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			notifyEnq       = &notificationstest.FakeEnqueuer{}
-			ownerClient, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{NotificationsEnqueuer: notifyEnq})
-			owner           = coderdtest.CreateFirstUser(t, ownerClient)
-		)
-
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		ownerUser, err := ownerClient.User(ctx, owner.UserID.String())
-		require.NoError(t, err)
-
-		createTask := createTaskInState(db, coderdtest.AuthzUserSubject(ownerUser), owner.OrganizationID, owner.UserID)
-
-		// Given: A task in a paused state
-		task := createTask(ctx, t, database.TaskStatusPaused)
-
-		workspace, err := ownerClient.Workspace(ctx, task.WorkspaceID.UUID)
-		require.NoError(t, err)
-
-		// When: We resume the task
-		_, err = ownerClient.ResumeTask(ctx, codersdk.Me, task.ID)
-		require.NoError(t, err)
-
-		// Then: A notification should be sent
-		sent := notifyEnq.Sent(notificationstest.WithTemplateID(notifications.TemplateTaskResumed))
-		require.Len(t, sent, 1)
-		require.Equal(t, owner.UserID, sent[0].UserID)
-		require.Equal(t, task.Name, sent[0].Labels["task"])
-		require.Equal(t, task.ID.String(), sent[0].Labels["task_id"])
-		require.Equal(t, workspace.Name, sent[0].Labels["workspace"])
-	})
 }
@@ -135,34 +135,6 @@ const docTemplate = `{
                }
            }
        },
-        "/aibridge/models": {
-            "get": {
-                "security": [
-                    {
-                        "CoderSessionToken": []
-                    }
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "AI Bridge"
-                ],
-                "summary": "List AI Bridge models",
-                "operationId": "list-ai-bridge-models",
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "type": "string"
-                            }
-                        }
-                    }
-                }
-            }
-        },
        "/appearance": {
            "get": {
                "security": [
@@ -3773,69 +3745,6 @@ const docTemplate = `{
                }
            }
        },
-        "/organizations/{organization}/members/{user}/workspaces/available-users": {
-            "get": {
-                "security": [
-                    {
-                        "CoderSessionToken": []
-                    }
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "Workspaces"
-                ],
-                "summary": "Get users available for workspace creation",
-                "operationId": "get-users-available-for-workspace-creation",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "format": "uuid",
-                        "description": "Organization ID",
-                        "name": "organization",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "description": "User ID, name, or me",
-                        "name": "user",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "description": "Search query",
-                        "name": "q",
-                        "in": "query"
-                    },
-                    {
-                        "type": "integer",
-                        "description": "Limit results",
-                        "name": "limit",
-                        "in": "query"
-                    },
-                    {
-                        "type": "integer",
-                        "description": "Offset for pagination",
-                        "name": "offset",
-                        "in": "query"
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/codersdk.MinimalUser"
-                            }
-                        }
-                    }
-                }
-            }
-        },
        "/organizations/{organization}/paginated-members": {
            "get": {
                "security": [
@@ -5957,48 +5866,6 @@ const docTemplate = `{
                }
            }
        },
-        "/tasks/{user}/{task}/resume": {
-            "post": {
-                "security": [
-                    {
-                        "CoderSessionToken": []
-                    }
-                ],
-                "consumes": [
-                    "application/json"
-                ],
-                "tags": [
-                    "Tasks"
-                ],
-                "summary": "Resume task",
-                "operationId": "resume-task",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Username, user ID, or 'me' for the authenticated user",
-                        "name": "user",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "format": "uuid",
-                        "description": "Task ID",
-                        "name": "task",
-                        "in": "path",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "202": {
-                        "description": "Accepted",
-                        "schema": {
-                            "$ref": "#/definitions/codersdk.ResumeTaskResponse"
-                        }
-                    }
-                }
-            }
-        },
        "/tasks/{user}/{task}/send": {
            "post": {
                "security": [
@@ -8266,12 +8133,6 @@ const docTemplate = `{
                        "name": "user",
                        "in": "path",
                        "required": true
-                    },
-                    {
-                        "type": "boolean",
-                        "description": "Include expired tokens in the list",
-                        "name": "include_expired",
-                        "in": "query"
                    }
                ],
                "responses": {
@@ -8483,54 +8344,6 @@ const docTemplate = `{
                }
            }
        },
-        "/users/{user}/keys/{keyid}/expire": {
-            "put": {
-                "security": [
-                    {
-                        "CoderSessionToken": []
-                    }
-                ],
-                "tags": [
-                    "Users"
-                ],
-                "summary": "Expire API key",
-                "operationId": "expire-api-key",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "User ID, name, or me",
-                        "name": "user",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "format": "string",
-                        "description": "Key ID",
-                        "name": "keyid",
-                        "in": "path",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "204": {
-                        "description": "No Content"
-                    },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/codersdk.Response"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/codersdk.Response"
-                        }
-                    }
-                }
-            }
-        },
        "/users/{user}/login-type": {
            "get": {
                "security": [
@@ -9579,7 +9392,6 @@ const docTemplate = `{
                ],
                "summary": "Patch workspace agent app status",
                "operationId": "patch-workspace-agent-app-status",
-                "deprecated": true,
                "parameters": [
                    {
                        "description": "app status",
@@ -12449,9 +12261,6 @@ const docTemplate = `{
                "api_key_id": {
                    "type": "string"
                },
-                "client": {
-                    "type": "string"
-                },
                "ended_at": {
                    "type": "string",
                    "format": "date-time"
@@ -12783,11 +12592,6 @@ const docTemplate = `{
                "boundary_usage:delete",
                "boundary_usage:read",
                "boundary_usage:update",
-                "chat:*",
-                "chat:create",
-                "chat:delete",
-                "chat:read",
-                "chat:update",
                "coder:all",
                "coder:apikeys.manage_self",
                "coder:application_connect",
@@ -12992,11 +12796,6 @@ const docTemplate = `{
                "APIKeyScopeBoundaryUsageDelete",
                "APIKeyScopeBoundaryUsageRead",
                "APIKeyScopeBoundaryUsageUpdate",
-                "APIKeyScopeChatAll",
-                "APIKeyScopeChatCreate",
-                "APIKeyScopeChatDelete",
-                "APIKeyScopeChatRead",
-                "APIKeyScopeChatUpdate",
                "APIKeyScopeCoderAll",
                "APIKeyScopeCoderApikeysManageSelf",
                "APIKeyScopeCoderApplicationConnect",
@@ -13661,10 +13460,7 @@ const docTemplate = `{
                "cli",
                "ssh_connection",
                "vscode_connection",
-                "jetbrains_connection",
-                "task_auto_pause",
-                "task_manual_pause",
-                "task_resume"
+                "jetbrains_connection"
            ],
            "x-enum-varnames": [
                "BuildReasonInitiator",
@@ -13675,10 +13471,7 @@ const docTemplate = `{
                "BuildReasonCLI",
                "BuildReasonSSHConnection",
                "BuildReasonVSCodeConnection",
-                "BuildReasonJetbrainsConnection",
-                "BuildReasonTaskAutoPause",
-                "BuildReasonTaskManualPause",
-                "BuildReasonTaskResume"
+                "BuildReasonJetbrainsConnection"
            ]
        },
        "codersdk.CORSBehavior": {
@@ -14352,8 +14145,7 @@ const docTemplate = `{
                "ssh_connection",
                "vscode_connection",
                "jetbrains_connection",
-                "task_manual_pause",
-                "task_resume"
+                "task_manual_pause"
            ],
            "x-enum-varnames": [
                "CreateWorkspaceBuildReasonDashboard",
@@ -14361,8 +14153,7 @@ const docTemplate = `{
                "CreateWorkspaceBuildReasonSSHConnection",
                "CreateWorkspaceBuildReasonVSCodeConnection",
                "CreateWorkspaceBuildReasonJetbrainsConnection",
-                "CreateWorkspaceBuildReasonTaskManualPause",
-                "CreateWorkspaceBuildReasonTaskResume"
+                "CreateWorkspaceBuildReasonTaskManualPause"
            ]
        },
        "codersdk.CreateWorkspaceBuildRequest": {
@@ -14858,9 +14649,6 @@ const docTemplate = `{
                "external_auth": {
                    "$ref": "#/definitions/serpent.Struct-array_codersdk_ExternalAuthConfig"
                },
-                "external_auth_github_default_provider_enable": {
-                    "type": "boolean"
-                },
                "external_token_encryption_keys": {
                    "type": "array",
                    "items": {
@@ -15145,17 +14933,17 @@ const docTemplate = `{
                "workspace-usage",
                "web-push",
                "oauth2",
-                "agents",
-                "mcp-server-http"
+                "mcp-server-http",
+                "workspace-sharing"
            ],
            "x-enum-comments": {
-                "ExperimentAgents": "Enables agent-powered chat functionality.",
                "ExperimentAutoFillParameters": "This should not be taken out of experiments until we have redesigned the feature.",
                "ExperimentExample": "This isn't used for anything.",
                "ExperimentMCPServerHTTP": "Enables the MCP HTTP server functionality.",
                "ExperimentNotifications": "Sends notifications via SMTP and webhooks following certain events.",
                "ExperimentOAuth2": "Enables OAuth2 provider functionality.",
                "ExperimentWebPush": "Enables web push notifications through the browser.",
+                "ExperimentWorkspaceSharing": "Enables updating workspace ACLs for sharing with users and groups.",
                "ExperimentWorkspaceUsage": "Enables the new workspace usage tracking."
            },
            "x-enum-descriptions": [
@@ -15165,8 +14953,8 @@ const docTemplate = `{
                "Enables the new workspace usage tracking.",
                "Enables web push notifications through the browser.",
                "Enables OAuth2 provider functionality.",
-                "Enables agent-powered chat functionality.",
-                "Enables the MCP HTTP server functionality."
+                "Enables the MCP HTTP server functionality.",
+                "Enables updating workspace ACLs for sharing with users and groups."
            ],
            "x-enum-varnames": [
                "ExperimentExample",
@@ -15175,8 +14963,8 @@ const docTemplate = `{
                "ExperimentWorkspaceUsage",
                "ExperimentWebPush",
                "ExperimentOAuth2",
-                "ExperimentAgents",
-                "ExperimentMCPServerHTTP"
+                "ExperimentMCPServerHTTP",
+                "ExperimentWorkspaceSharing"
            ]
        },
        "codersdk.ExternalAPIKeyScopes": {
@@ -15416,6 +15204,10 @@ const docTemplate = `{
                "limit": {
                    "type": "integer"
                },
+                "soft_limit": {
+                    "description": "SoftLimit is the soft limit of the feature, and is only used for showing\nincluded limits in the dashboard. No license validation or warnings are\ngenerated from this value.",
+                    "type": "integer"
+                },
                "usage_period": {
                    "description": "UsagePeriod denotes that the usage is a counter that accumulates over\nthis period (and most likely resets with the issuance of the next\nlicense).\n\nThese dates are determined from the license that this entitlement comes\nfrom, see enterprise/coderd/license/license.go.\n\nOnly certain features set these fields:\n- FeatureManagedAgentLimit",
                    "allOf": [
@@ -15619,9 +15411,6 @@ const docTemplate = `{
        "codersdk.HTTPCookieConfig": {
            "type": "object",
            "properties": {
-                "host_prefix": {
-                    "type": "boolean"
-                },
                "same_site": {
                    "type": "string"
                },
@@ -16832,14 +16621,6 @@ const docTemplate = `{
                "organization_mapping": {
                    "type": "object"
                },
-                "redirect_url": {
-                    "description": "RedirectURL is optional, defaulting to 'ACCESS_URL'. Only useful in niche\nsituations where the OIDC callback domain is different from the ACCESS_URL\ndomain.",
-                    "allOf": [
-                        {
-                            "$ref": "#/definitions/serpent.URL"
-                        }
-                    ]
-                },
                "scopes": {
                    "type": "array",
                    "items": {
@@ -18116,7 +17897,6 @@ const docTemplate = `{
                "assign_role",
                "audit_log",
                "boundary_usage",
-                "chat",
                "connection_log",
                "crypto_key",
                "debug_info",
@@ -18162,7 +17942,6 @@ const docTemplate = `{
                "ResourceAssignRole",
                "ResourceAuditLog",
                "ResourceBoundaryUsage",
-                "ResourceChat",
                "ResourceConnectionLog",
                "ResourceCryptoKey",
                "ResourceDebugInfo",
@@ -18456,14 +18235,6 @@ const docTemplate = `{
                }
            }
        },
-        "codersdk.ResumeTaskResponse": {
-            "type": "object",
-            "properties": {
-                "workspace_build": {
-                    "$ref": "#/definitions/codersdk.WorkspaceBuild"
-                }
-            }
-        },
        "codersdk.RetentionConfig": {
            "type": "object",
            "properties": {
@@ -19096,9 +18867,6 @@ const docTemplate = `{
                "default_ttl_ms": {
                    "type": "integer"
                },
-                "deleted": {
-                    "type": "boolean"
-                },
                "deprecated": {
                    "type": "boolean"
                },
@@ -22925,7 +22693,7 @@ const docTemplate = `{
                    ]
                },
                "default": {
-                    "description": "Default is parsed into Value if set.\nMust be ` + "`" + `\"\"` + "`" + ` if ` + "`" + `DefaultFn` + "`" + ` != nil",
+                    "description": "Default is parsed into Value if set.",
                    "type": "string"
                },
                "description": {
@@ -112,30 +112,6 @@
 				}
 			}
 		},
-		"/aibridge/models": {
-			"get": {
-				"security": [
-					{
-						"CoderSessionToken": []
-					}
-				],
-				"produces": ["application/json"],
-				"tags": ["AI Bridge"],
-				"summary": "List AI Bridge models",
-				"operationId": "list-ai-bridge-models",
-				"responses": {
-					"200": {
-						"description": "OK",
-						"schema": {
-							"type": "array",
-							"items": {
-								"type": "string"
-							}
-						}
-					}
-				}
-			}
-		},
 		"/appearance": {
 			"get": {
 				"security": [
@@ -3320,65 +3296,6 @@
 				}
 			}
 		},
-		"/organizations/{organization}/members/{user}/workspaces/available-users": {
-			"get": {
-				"security": [
-					{
-						"CoderSessionToken": []
-					}
-				],
-				"produces": ["application/json"],
-				"tags": ["Workspaces"],
-				"summary": "Get users available for workspace creation",
-				"operationId": "get-users-available-for-workspace-creation",
-				"parameters": [
-					{
-						"type": "string",
-						"format": "uuid",
-						"description": "Organization ID",
-						"name": "organization",
-						"in": "path",
-						"required": true
-					},
-					{
-						"type": "string",
-						"description": "User ID, name, or me",
-						"name": "user",
-						"in": "path",
-						"required": true
-					},
-					{
-						"type": "string",
-						"description": "Search query",
-						"name": "q",
-						"in": "query"
-					},
-					{
-						"type": "integer",
-						"description": "Limit results",
-						"name": "limit",
-						"in": "query"
-					},
-					{
-						"type": "integer",
-						"description": "Offset for pagination",
-						"name": "offset",
-						"in": "query"
-					}
-				],
-				"responses": {
-					"200": {
-						"description": "OK",
-						"schema": {
-							"type": "array",
-							"items": {
-								"$ref": "#/definitions/codersdk.MinimalUser"
-							}
-						}
-					}
-				}
-			}
-		},
 		"/organizations/{organization}/paginated-members": {
 			"get": {
 				"security": [
@@ -5268,44 +5185,6 @@
 				}
 			}
 		},
-		"/tasks/{user}/{task}/resume": {
-			"post": {
-				"security": [
-					{
-						"CoderSessionToken": []
-					}
-				],
-				"consumes": ["application/json"],
-				"tags": ["Tasks"],
-				"summary": "Resume task",
-				"operationId": "resume-task",
-				"parameters": [
-					{
-						"type": "string",
-						"description": "Username, user ID, or 'me' for the authenticated user",
-						"name": "user",
-						"in": "path",
-						"required": true
-					},
-					{
-						"type": "string",
-						"format": "uuid",
-						"description": "Task ID",
-						"name": "task",
-						"in": "path",
-						"required": true
-					}
-				],
-				"responses": {
-					"202": {
-						"description": "Accepted",
-						"schema": {
-							"$ref": "#/definitions/codersdk.ResumeTaskResponse"
-						}
-					}
-				}
-			}
-		},
 		"/tasks/{user}/{task}/send": {
 			"post": {
 				"security": [
@@ -7309,12 +7188,6 @@
 						"name": "user",
 						"in": "path",
 						"required": true
-					},
-					{
-						"type": "boolean",
-						"description": "Include expired tokens in the list",
-						"name": "include_expired",
-						"in": "query"
 					}
 				],
 				"responses": {
@@ -7506,52 +7379,6 @@
 				}
 			}
 		},
-		"/users/{user}/keys/{keyid}/expire": {
-			"put": {
-				"security": [
-					{
-						"CoderSessionToken": []
-					}
-				],
-				"tags": ["Users"],
-				"summary": "Expire API key",
-				"operationId": "expire-api-key",
-				"parameters": [
-					{
-						"type": "string",
-						"description": "User ID, name, or me",
-						"name": "user",
-						"in": "path",
-						"required": true
-					},
-					{
-						"type": "string",
-						"format": "string",
-						"description": "Key ID",
-						"name": "keyid",
-						"in": "path",
-						"required": true
-					}
-				],
-				"responses": {
-					"204": {
-						"description": "No Content"
-					},
-					"404": {
-						"description": "Not Found",
-						"schema": {
-							"$ref": "#/definitions/codersdk.Response"
-						}
-					},
-					"500": {
-						"description": "Internal Server Error",
-						"schema": {
-							"$ref": "#/definitions/codersdk.Response"
-						}
-					}
-				}
-			}
-		},
 		"/users/{user}/login-type": {
 			"get": {
 				"security": [
@@ -8474,7 +8301,6 @@
 				"tags": ["Agents"],
 				"summary": "Patch workspace agent app status",
 				"operationId": "patch-workspace-agent-app-status",
-				"deprecated": true,
 				"parameters": [
 					{
 						"description": "app status",
@@ -11061,9 +10887,6 @@
 				"api_key_id": {
 					"type": "string"
 				},
-				"client": {
-					"type": "string"
-				},
 				"ended_at": {
 					"type": "string",
 					"format": "date-time"
@@ -11387,11 +11210,6 @@
 				"boundary_usage:delete",
 				"boundary_usage:read",
 				"boundary_usage:update",
-				"chat:*",
-				"chat:create",
-				"chat:delete",
-				"chat:read",
-				"chat:update",
 				"coder:all",
 				"coder:apikeys.manage_self",
 				"coder:application_connect",
@@ -11596,11 +11414,6 @@
 				"APIKeyScopeBoundaryUsageDelete",
 				"APIKeyScopeBoundaryUsageRead",
 				"APIKeyScopeBoundaryUsageUpdate",
-				"APIKeyScopeChatAll",
-				"APIKeyScopeChatCreate",
-				"APIKeyScopeChatDelete",
-				"APIKeyScopeChatRead",
-				"APIKeyScopeChatUpdate",
 				"APIKeyScopeCoderAll",
 				"APIKeyScopeCoderApikeysManageSelf",
 				"APIKeyScopeCoderApplicationConnect",
@@ -12248,10 +12061,7 @@
 				"cli",
 				"ssh_connection",
 				"vscode_connection",
-				"jetbrains_connection",
-				"task_auto_pause",
-				"task_manual_pause",
-				"task_resume"
+				"jetbrains_connection"
 			],
 			"x-enum-varnames": [
 				"BuildReasonInitiator",
@@ -12262,10 +12072,7 @@
 				"BuildReasonCLI",
 				"BuildReasonSSHConnection",
 				"BuildReasonVSCodeConnection",
-				"BuildReasonJetbrainsConnection",
-				"BuildReasonTaskAutoPause",
-				"BuildReasonTaskManualPause",
-				"BuildReasonTaskResume"
+				"BuildReasonJetbrainsConnection"
 			]
 		},
 		"codersdk.CORSBehavior": {
@@ -12894,8 +12701,7 @@
 				"ssh_connection",
 				"vscode_connection",
 				"jetbrains_connection",
-				"task_manual_pause",
-				"task_resume"
+				"task_manual_pause"
 			],
 			"x-enum-varnames": [
 				"CreateWorkspaceBuildReasonDashboard",
@@ -12903,8 +12709,7 @@
 				"CreateWorkspaceBuildReasonSSHConnection",
 				"CreateWorkspaceBuildReasonVSCodeConnection",
 				"CreateWorkspaceBuildReasonJetbrainsConnection",
-				"CreateWorkspaceBuildReasonTaskManualPause",
-				"CreateWorkspaceBuildReasonTaskResume"
+				"CreateWorkspaceBuildReasonTaskManualPause"
 			]
 		},
 		"codersdk.CreateWorkspaceBuildRequest": {
@@ -13388,9 +13193,6 @@
 				"external_auth": {
 					"$ref": "#/definitions/serpent.Struct-array_codersdk_ExternalAuthConfig"
 				},
-				"external_auth_github_default_provider_enable": {
-					"type": "boolean"
-				},
 				"external_token_encryption_keys": {
 					"type": "array",
 					"items": {
@@ -13668,17 +13470,17 @@
 				"workspace-usage",
 				"web-push",
 				"oauth2",
-				"agents",
-				"mcp-server-http"
+				"mcp-server-http",
+				"workspace-sharing"
 			],
 			"x-enum-comments": {
-				"ExperimentAgents": "Enables agent-powered chat functionality.",
 				"ExperimentAutoFillParameters": "This should not be taken out of experiments until we have redesigned the feature.",
 				"ExperimentExample": "This isn't used for anything.",
 				"ExperimentMCPServerHTTP": "Enables the MCP HTTP server functionality.",
 				"ExperimentNotifications": "Sends notifications via SMTP and webhooks following certain events.",
 				"ExperimentOAuth2": "Enables OAuth2 provider functionality.",
 				"ExperimentWebPush": "Enables web push notifications through the browser.",
+				"ExperimentWorkspaceSharing": "Enables updating workspace ACLs for sharing with users and groups.",
 				"ExperimentWorkspaceUsage": "Enables the new workspace usage tracking."
 			},
 			"x-enum-descriptions": [
@@ -13688,8 +13490,8 @@
 				"Enables the new workspace usage tracking.",
 				"Enables web push notifications through the browser.",
 				"Enables OAuth2 provider functionality.",
-				"Enables agent-powered chat functionality.",
-				"Enables the MCP HTTP server functionality."
+				"Enables the MCP HTTP server functionality.",
+				"Enables updating workspace ACLs for sharing with users and groups."
 			],
 			"x-enum-varnames": [
 				"ExperimentExample",
@@ -13698,8 +13500,8 @@
 				"ExperimentWorkspaceUsage",
 				"ExperimentWebPush",
 				"ExperimentOAuth2",
-				"ExperimentAgents",
-				"ExperimentMCPServerHTTP"
+				"ExperimentMCPServerHTTP",
+				"ExperimentWorkspaceSharing"
 			]
 		},
 		"codersdk.ExternalAPIKeyScopes": {
@@ -13939,6 +13741,10 @@
 				"limit": {
 					"type": "integer"
 				},
+				"soft_limit": {
+					"description": "SoftLimit is the soft limit of the feature, and is only used for showing\nincluded limits in the dashboard. No license validation or warnings are\ngenerated from this value.",
+					"type": "integer"
+				},
 				"usage_period": {
 					"description": "UsagePeriod denotes that the usage is a counter that accumulates over\nthis period (and most likely resets with the issuance of the next\nlicense).\n\nThese dates are determined from the license that this entitlement comes\nfrom, see enterprise/coderd/license/license.go.\n\nOnly certain features set these fields:\n- FeatureManagedAgentLimit",
 					"allOf": [
@@ -14136,9 +13942,6 @@
 		"codersdk.HTTPCookieConfig": {
 			"type": "object",
 			"properties": {
-				"host_prefix": {
-					"type": "boolean"
-				},
 				"same_site": {
 					"type": "string"
 				},
@@ -15292,14 +15095,6 @@
 				"organization_mapping": {
 					"type": "object"
 				},
-				"redirect_url": {
-					"description": "RedirectURL is optional, defaulting to 'ACCESS_URL'. Only useful in niche\nsituations where the OIDC callback domain is different from the ACCESS_URL\ndomain.",
-					"allOf": [
-						{
-							"$ref": "#/definitions/serpent.URL"
-						}
-					]
-				},
 				"scopes": {
 					"type": "array",
 					"items": {
@@ -16524,7 +16319,6 @@
 				"assign_role",
 				"audit_log",
 				"boundary_usage",
-				"chat",
 				"connection_log",
 				"crypto_key",
 				"debug_info",
@@ -16570,7 +16364,6 @@
 				"ResourceAssignRole",
 				"ResourceAuditLog",
 				"ResourceBoundaryUsage",
-				"ResourceChat",
 				"ResourceConnectionLog",
 				"ResourceCryptoKey",
 				"ResourceDebugInfo",
@@ -16854,14 +16647,6 @@
 				}
 			}
 		},
-		"codersdk.ResumeTaskResponse": {
-			"type": "object",
-			"properties": {
-				"workspace_build": {
-					"$ref": "#/definitions/codersdk.WorkspaceBuild"
-				}
-			}
-		},
 		"codersdk.RetentionConfig": {
 			"type": "object",
 			"properties": {
@@ -17473,9 +17258,6 @@
 				"default_ttl_ms": {
 					"type": "integer"
 				},
-				"deleted": {
-					"type": "boolean"
-				},
 				"deprecated": {
 					"type": "boolean"
 				},
@@ -21091,7 +20873,7 @@
 					]
 				},
 				"default": {
-					"description": "Default is parsed into Value if set.\nMust be `\"\"` if `DefaultFn` != nil",
+					"description": "Default is parsed into Value if set.",
 					"type": "string"
 				},
 				"description": {
@@ -307,26 +307,20 @@ func (api *API) apiKeyByName(rw http.ResponseWriter, r *http.Request) {
 // @Tags Users
 // @Param user path string true "User ID, name, or me"
 // @Success 200 {array} codersdk.APIKey
-// @Param include_expired query bool false "Include expired tokens in the list"
 // @Router /users/{user}/keys/tokens [get]
 func (api *API) tokens(rw http.ResponseWriter, r *http.Request) {
 	var (
-		ctx               = r.Context()
-		user              = httpmw.UserParam(r)
-		keys              []database.APIKey
-		err               error
-		queryStr          = r.URL.Query().Get("include_all")
-		includeAll, _     = strconv.ParseBool(queryStr)
-		expiredStr        = r.URL.Query().Get("include_expired")
-		includeExpired, _ = strconv.ParseBool(expiredStr)
+		ctx           = r.Context()
+		user          = httpmw.UserParam(r)
+		keys          []database.APIKey
+		err           error
+		queryStr      = r.URL.Query().Get("include_all")
+		includeAll, _ = strconv.ParseBool(queryStr)
 	)

 	if includeAll {
 		// get tokens for all users
-		keys, err = api.Database.GetAPIKeysByLoginType(ctx, database.GetAPIKeysByLoginTypeParams{
-			LoginType:      database.LoginTypeToken,
-			IncludeExpired: includeExpired,
-		})
+		keys, err = api.Database.GetAPIKeysByLoginType(ctx, database.LoginTypeToken)
 		if err != nil {
 			httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 				Message: "Internal error fetching API keys.",
@@ -336,7 +330,7 @@ func (api *API) tokens(rw http.ResponseWriter, r *http.Request) {
 		}
 	} else {
 		// get user's tokens only
-		keys, err = api.Database.GetAPIKeysByUserID(ctx, database.GetAPIKeysByUserIDParams{LoginType: database.LoginTypeToken, UserID: user.ID, IncludeExpired: includeExpired})
+		keys, err = api.Database.GetAPIKeysByUserID(ctx, database.GetAPIKeysByUserIDParams{LoginType: database.LoginTypeToken, UserID: user.ID})
 		if err != nil {
 			httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 				Message: "Internal error fetching API keys.",
@@ -427,69 +421,6 @@ func (api *API) deleteAPIKey(rw http.ResponseWriter, r *http.Request) {
 	rw.WriteHeader(http.StatusNoContent)
 }

-// @Summary Expire API key
-// @ID expire-api-key
-// @Security CoderSessionToken
-// @Tags Users
-// @Param user path string true "User ID, name, or me"
-// @Param keyid path string true "Key ID" format(string)
-// @Success 204
-// @Failure 404 {object} codersdk.Response
-// @Failure 500 {object} codersdk.Response
-// @Router /users/{user}/keys/{keyid}/expire [put]
-func (api *API) expireAPIKey(rw http.ResponseWriter, r *http.Request) {
-	var (
-		ctx               = r.Context()
-		keyID             = chi.URLParam(r, "keyid")
-		auditor           = api.Auditor.Load()
-		aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{
-			Audit:   *auditor,
-			Log:     api.Logger,
-			Request: r,
-			Action:  database.AuditActionWrite,
-		})
-	)
-	defer commitAudit()
-
-	if err := api.Database.InTx(func(db database.Store) error {
-		key, err := db.GetAPIKeyByID(ctx, keyID)
-		if err != nil {
-			return xerrors.Errorf("fetch API key: %w", err)
-		}
-		if !key.ExpiresAt.After(api.Clock.Now()) {
-			return nil // Already expired
-		}
-		aReq.Old = key
-		if err := db.UpdateAPIKeyByID(ctx, database.UpdateAPIKeyByIDParams{
-			ID:        key.ID,
-			LastUsed:  key.LastUsed,
-			ExpiresAt: dbtime.Now(),
-			IPAddress: key.IPAddress,
-		}); err != nil {
-			return xerrors.Errorf("expire API key: %w", err)
-		}
-		// Fetch the updated key for audit log.
-		newKey, err := db.GetAPIKeyByID(ctx, keyID)
-		if err != nil {
-			api.Logger.Warn(ctx, "failed to fetch updated API key for audit log", slog.Error(err))
-		} else {
-			aReq.New = newKey
-		}
-		return nil
-	}, nil); httpapi.Is404Error(err) {
-		httpapi.ResourceNotFound(rw)
-		return
-	} else if err != nil {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error expiring API key.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-
-	rw.WriteHeader(http.StatusNoContent)
-}
-
 // @Summary Get token config
 // @ID get-token-config
 // @Security CoderSessionToken
@@ -69,44 +69,6 @@ func TestTokenCRUD(t *testing.T) {
 	require.Equal(t, database.AuditActionDelete, auditor.AuditLogs()[numLogs-1].Action)
 }

-func TestTokensFilterExpired(t *testing.T) {
-	t.Parallel()
-
-	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-	defer cancel()
-	adminClient := coderdtest.New(t, nil)
-	_ = coderdtest.CreateFirstUser(t, adminClient)
-
-	// Create a token.
-	res, err := adminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
-		Lifetime: time.Hour * 24 * 7,
-	})
-	require.NoError(t, err)
-	keyID := strings.Split(res.Key, "-")[0]
-
-	// List tokens without including expired - should see the token.
-	keys, err := adminClient.Tokens(ctx, codersdk.Me, codersdk.TokensFilter{})
-	require.NoError(t, err)
-	require.Len(t, keys, 1)
-
-	// Expire the token.
-	err = adminClient.ExpireAPIKey(ctx, codersdk.Me, keyID)
-	require.NoError(t, err)
-
-	// List tokens without including expired - should NOT see expired token.
-	keys, err = adminClient.Tokens(ctx, codersdk.Me, codersdk.TokensFilter{})
-	require.NoError(t, err)
-	require.Empty(t, keys)
-
-	// List tokens WITH including expired - should see expired token.
-	keys, err = adminClient.Tokens(ctx, codersdk.Me, codersdk.TokensFilter{
-		IncludeExpired: true,
-	})
-	require.NoError(t, err)
-	require.Len(t, keys, 1)
-	require.Equal(t, keyID, keys[0].ID)
-}
-
 func TestTokenScoped(t *testing.T) {
 	t.Parallel()

@@ -438,7 +400,7 @@ func TestAPIKey_Deleted(t *testing.T) {
 	require.Error(t, err)
 	var apiErr *codersdk.Error
 	require.ErrorAs(t, err, &apiErr)
-	require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
+	require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
 }

 func TestAPIKey_SetDefault(t *testing.T) {
@@ -477,7 +439,7 @@ func TestAPIKey_PrebuildsNotAllowed(t *testing.T) {
 		DeploymentValues: dc,
 	})

-	setupCtx := testutil.Context(t, testutil.WaitLong)
+	ctx := testutil.Context(t, testutil.WaitLong)

 	// Given: an existing api token for the prebuilds user
 	_, prebuildsToken := dbgen.APIKey(t, db, database.APIKey{
@@ -486,167 +448,12 @@ func TestAPIKey_PrebuildsNotAllowed(t *testing.T) {
 	client.SetSessionToken(prebuildsToken)

 	// When: the prebuilds user tries to create an API key
-	_, err := client.CreateAPIKey(setupCtx, database.PrebuildsSystemUserID.String())
+	_, err := client.CreateAPIKey(ctx, database.PrebuildsSystemUserID.String())
 	// Then: denied.
 	require.ErrorContains(t, err, httpapi.ResourceForbiddenResponse.Message)

 	// When: the prebuilds user tries to create a token
-	_, err = client.CreateToken(setupCtx, database.PrebuildsSystemUserID.String(), codersdk.CreateTokenRequest{})
+	_, err = client.CreateToken(ctx, database.PrebuildsSystemUserID.String(), codersdk.CreateTokenRequest{})
 	// Then: also denied.
 	require.ErrorContains(t, err, httpapi.ResourceForbiddenResponse.Message)
 }
-
-//nolint:tparallel,paralleltest // Subtests share the same coderdtest instance and auditor.
-func TestExpireAPIKey(t *testing.T) {
-	t.Parallel()
-
-	auditor := audit.NewMock()
-	adminClient := coderdtest.New(t, &coderdtest.Options{Auditor: auditor})
-	admin := coderdtest.CreateFirstUser(t, adminClient)
-	memberClient, member := coderdtest.CreateAnotherUser(t, adminClient, admin.OrganizationID)
-
-	t.Run("OwnerCanExpireOwnToken", func(t *testing.T) {
-		ctx := testutil.Context(t, testutil.WaitLong)
-
-		// Create a token.
-		res, err := adminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
-			Lifetime: time.Hour * 24 * 7,
-		})
-		require.NoError(t, err)
-		keyID := strings.Split(res.Key, "-")[0]
-
-		// Verify the token is not expired.
-		key, err := adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-		require.True(t, key.ExpiresAt.After(time.Now()))
-
-		auditor.ResetLogs()
-
-		// Expire the token.
-		err = adminClient.ExpireAPIKey(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-
-		// Verify the token is expired.
-		key, err = adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-		require.True(t, key.ExpiresAt.Before(time.Now()))
-
-		// Verify audit log.
-		als := auditor.AuditLogs()
-		require.Len(t, als, 1)
-		require.Equal(t, database.AuditActionWrite, als[0].Action)
-		require.Equal(t, database.ResourceTypeApiKey, als[0].ResourceType)
-		require.Equal(t, admin.UserID.String(), als[0].UserID.String())
-	})
-
-	t.Run("AdminCanExpireOtherUsersToken", func(t *testing.T) {
-		ctx := testutil.Context(t, testutil.WaitLong)
-
-		// Create a token for the member.
-		res, err := memberClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
-			Lifetime: time.Hour * 24 * 7,
-		})
-		require.NoError(t, err)
-		keyID := strings.Split(res.Key, "-")[0]
-
-		// Admin expires the member's token.
-		err = adminClient.ExpireAPIKey(ctx, member.ID.String(), keyID)
-		require.NoError(t, err)
-
-		// Verify the token is expired.
-		key, err := memberClient.APIKeyByID(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-		require.True(t, key.ExpiresAt.Before(time.Now()))
-	})
-
-	t.Run("MemberCannotExpireOtherUsersToken", func(t *testing.T) {
-		ctx := testutil.Context(t, testutil.WaitLong)
-
-		// Create a token for the admin.
-		res, err := adminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
-			Lifetime: time.Hour * 24 * 7,
-		})
-		require.NoError(t, err)
-		keyID := strings.Split(res.Key, "-")[0]
-
-		// Member attempts to expire admin's token.
-		err = memberClient.ExpireAPIKey(ctx, admin.UserID.String(), keyID)
-		require.Error(t, err)
-		var sdkErr *codersdk.Error
-		require.ErrorAs(t, err, &sdkErr)
-		// Members cannot read other users, so they get a 404 Not Found
-		// from the authorization layer.
-		require.Equal(t, http.StatusNotFound, sdkErr.StatusCode())
-	})
-
-	t.Run("NotFound", func(t *testing.T) {
-		ctx := testutil.Context(t, testutil.WaitLong)
-
-		// Try to expire a non-existent token.
-		err := adminClient.ExpireAPIKey(ctx, codersdk.Me, "nonexistent")
-		require.Error(t, err)
-		var sdkErr *codersdk.Error
-		require.ErrorAs(t, err, &sdkErr)
-		require.Equal(t, http.StatusNotFound, sdkErr.StatusCode())
-	})
-
-	t.Run("ExpiringAlreadyExpiredTokenSucceeds", func(t *testing.T) {
-		ctx := testutil.Context(t, testutil.WaitLong)
-
-		// Create and expire a token.
-		res, err := adminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
-			Lifetime: time.Hour * 24 * 7,
-		})
-		require.NoError(t, err)
-		keyID := strings.Split(res.Key, "-")[0]
-
-		// Expire it once.
-		err = adminClient.ExpireAPIKey(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-
-		// Invariant: make sure it's actually expired
-		key, err := adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-		require.LessOrEqual(t, key.ExpiresAt, time.Now(), "key should be expired")
-
-		// Expire it again - should succeed (idempotent).
-		err = adminClient.ExpireAPIKey(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-
-		// Token should still be just as expired as before. No more, no less.
-		keyAgain, err := adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-		require.Equal(t, key.ExpiresAt, keyAgain.ExpiresAt, "expiration should be idempotent")
-	})
-
-	t.Run("DeletingExpiredTokenSucceeds", func(t *testing.T) {
-		ctx := testutil.Context(t, testutil.WaitLong)
-
-		// Create a token.
-		res, err := adminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
-			Lifetime: time.Hour * 24 * 7,
-		})
-		require.NoError(t, err)
-		keyID := strings.Split(res.Key, "-")[0]
-
-		// Expire it first.
-		err = adminClient.ExpireAPIKey(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-
-		// Verify it's expired.
-		key, err := adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-		require.True(t, key.ExpiresAt.Before(time.Now()))
-
-		// Delete the expired token - should succeed.
-		err = adminClient.DeleteAPIKey(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-
-		// Verify it's gone.
-		_, err = adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
-		require.Error(t, err)
-		var sdkErr *codersdk.Error
-		require.ErrorAs(t, err, &sdkErr)
-		require.Equal(t, http.StatusNotFound, sdkErr.StatusCode())
-	})
-}
@@ -1,7 +1,6 @@
 package coderd

 import (
-	"context"
 	"fmt"
 	"net/http"

@@ -9,7 +8,6 @@ import (
 	"golang.org/x/xerrors"

 	"cdr.dev/slog/v3"
-	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/coderd/rbac"
@@ -93,36 +91,6 @@ func (h *HTTPAuthorizer) Authorize(r *http.Request, action policy.Action, object
 	return true
 }

-// AuthorizeContext checks whether the RBAC subject on the context
-// is authorized to perform the given action. The subject must have
-// been set via dbauthz.As or the ExtractAPIKey middleware. Returns
-// false if the subject is missing or unauthorized.
-func (h *HTTPAuthorizer) AuthorizeContext(ctx context.Context, action policy.Action, object rbac.Objecter) bool {
-	roles, ok := dbauthz.ActorFromContext(ctx)
-	if !ok {
-		h.Logger.Error(ctx, "no authorization actor in context")
-		return false
-	}
-	err := h.Authorizer.Authorize(ctx, roles, action, object.RBACObject())
-	if err != nil {
-		internalError := new(rbac.UnauthorizedError)
-		logger := h.Logger
-		if xerrors.As(err, internalError) {
-			logger = h.Logger.With(slog.F("internal_error", internalError.Internal()))
-		}
-		logger.Warn(ctx, "requester is not authorized to access the object",
-			slog.F("roles", roles.SafeRoleNames()),
-			slog.F("actor_id", roles.ID),
-			slog.F("actor_name", roles),
-			slog.F("scope", roles.SafeScopeName()),
-			slog.F("action", action),
-			slog.F("object", object),
-		)
-		return false
-	}
-	return true
-}
-
 // AuthorizeSQLFilter returns an authorization filter that can used in a
 // SQL 'WHERE' clause. If the filter is used, the resulting rows returned
 // from postgres are already authorized, and the caller does not need to
@@ -138,22 +106,6 @@ func (h *HTTPAuthorizer) AuthorizeSQLFilter(r *http.Request, action policy.Actio
 	return prepared, nil
 }

-// AuthorizeSQLFilterContext is like AuthorizeSQLFilter but reads the
-// RBAC subject from the context directly rather than from an
-// *http.Request. The subject must have been set via dbauthz.As.
-func (h *HTTPAuthorizer) AuthorizeSQLFilterContext(ctx context.Context, action policy.Action, objectType string) (rbac.PreparedAuthorized, error) {
-	roles, ok := dbauthz.ActorFromContext(ctx)
-	if !ok {
-		return nil, xerrors.New("no authorization actor in context")
-	}
-	prepared, err := h.Authorizer.Prepare(ctx, roles, action, objectType)
-	if err != nil {
-		return nil, xerrors.Errorf("prepare filter: %w", err)
-	}
-
-	return prepared, nil
-}
-
 // checkAuthorization returns if the current API key can use the given
 // permissions, factoring in the current user's roles and the API key scopes.
 //
@@ -48,10 +48,9 @@ type Executor struct {
 	tick                  <-chan time.Time
 	statsCh               chan<- Stats
 	// NotificationsEnqueuer handles enqueueing notifications for delivery by SMTP, webhook, etc.
-	notificationsEnqueuer   notifications.Enqueuer
-	reg                     prometheus.Registerer
-	experiments             codersdk.Experiments
-	workspaceBuilderMetrics *wsbuilder.Metrics
+	notificationsEnqueuer notifications.Enqueuer
+	reg                   prometheus.Registerer
+	experiments           codersdk.Experiments

 	metrics executorMetrics
 }
@@ -68,24 +67,23 @@ type Stats struct {
 }

 // New returns a new wsactions executor.
-func NewExecutor(ctx context.Context, db database.Store, ps pubsub.Pubsub, fc *files.Cache, reg prometheus.Registerer, tss *atomic.Pointer[schedule.TemplateScheduleStore], auditor *atomic.Pointer[audit.Auditor], acs *atomic.Pointer[dbauthz.AccessControlStore], buildUsageChecker *atomic.Pointer[wsbuilder.UsageChecker], log slog.Logger, tick <-chan time.Time, enqueuer notifications.Enqueuer, exp codersdk.Experiments, workspaceBuilderMetrics *wsbuilder.Metrics) *Executor {
+func NewExecutor(ctx context.Context, db database.Store, ps pubsub.Pubsub, fc *files.Cache, reg prometheus.Registerer, tss *atomic.Pointer[schedule.TemplateScheduleStore], auditor *atomic.Pointer[audit.Auditor], acs *atomic.Pointer[dbauthz.AccessControlStore], buildUsageChecker *atomic.Pointer[wsbuilder.UsageChecker], log slog.Logger, tick <-chan time.Time, enqueuer notifications.Enqueuer, exp codersdk.Experiments) *Executor {
 	factory := promauto.With(reg)
 	le := &Executor{
 		//nolint:gocritic // Autostart has a limited set of permissions.
-		ctx:                     dbauthz.AsAutostart(ctx),
-		db:                      db,
-		ps:                      ps,
-		fileCache:               fc,
-		templateScheduleStore:   tss,
-		tick:                    tick,
-		log:                     log.Named("autobuild"),
-		auditor:                 auditor,
-		accessControlStore:      acs,
-		buildUsageChecker:       buildUsageChecker,
-		notificationsEnqueuer:   enqueuer,
-		reg:                     reg,
-		experiments:             exp,
-		workspaceBuilderMetrics: workspaceBuilderMetrics,
+		ctx:                   dbauthz.AsAutostart(ctx),
+		db:                    db,
+		ps:                    ps,
+		fileCache:             fc,
+		templateScheduleStore: tss,
+		tick:                  tick,
+		log:                   log.Named("autobuild"),
+		auditor:               auditor,
+		accessControlStore:    acs,
+		buildUsageChecker:     buildUsageChecker,
+		notificationsEnqueuer: enqueuer,
+		reg:                   reg,
+		experiments:           exp,
 		metrics: executorMetrics{
 			autobuildExecutionDuration: factory.NewHistogram(prometheus.HistogramOpts{
 				Namespace: "coderd",
@@ -231,7 +229,6 @@ func (e *Executor) runOnce(t time.Time) Stats {
 					job                   *database.ProvisionerJob
 					auditLog              *auditParams
 					shouldNotifyDormancy  bool
-					shouldNotifyTaskPause bool
 					nextBuild             *database.WorkspaceBuild
 					activeTemplateVersion database.TemplateVersion
 					ws                    database.Workspace
@@ -317,10 +314,6 @@ func (e *Executor) runOnce(t time.Time) Stats {
 						return nil
 					}

-					if reason == database.BuildReasonTaskAutoPause {
-						shouldNotifyTaskPause = true
-					}
-
 					// Get the template version job to access tags
 					templateVersionJob, err := tx.GetProvisionerJobByID(e.ctx, activeTemplateVersion.JobID)
 					if err != nil {
@@ -342,8 +335,7 @@ func (e *Executor) runOnce(t time.Time) Stats {
 							SetLastWorkspaceBuildInTx(&latestBuild).
 							SetLastWorkspaceBuildJobInTx(&latestJob).
 							Experiments(e.experiments).
-							Reason(reason).
-							BuildMetrics(e.workspaceBuilderMetrics)
+							Reason(reason)
 						log.Debug(e.ctx, "auto building workspace", slog.F("transition", nextTransition))
 						if nextTransition == database.WorkspaceTransitionStart &&
 							useActiveVersion(accessControl, ws) {
@@ -487,28 +479,6 @@ func (e *Executor) runOnce(t time.Time) Stats {
 						log.Warn(e.ctx, "failed to notify of workspace marked as dormant", slog.Error(err), slog.F("workspace_id", ws.ID))
 					}
 				}
-				if shouldNotifyTaskPause {
-					task, err := e.db.GetTaskByID(e.ctx, ws.TaskID.UUID)
-					if err != nil {
-						log.Warn(e.ctx, "failed to get task for pause notification", slog.Error(err), slog.F("task_id", ws.TaskID.UUID), slog.F("workspace_id", ws.ID))
-					} else {
-						if _, err := e.notificationsEnqueuer.Enqueue(
-							e.ctx,
-							ws.OwnerID,
-							notifications.TemplateTaskPaused,
-							map[string]string{
-								"task":         task.Name,
-								"task_id":      task.ID.String(),
-								"workspace":    ws.Name,
-								"pause_reason": "idle timeout",
-							},
-							"lifecycle_executor",
-							ws.ID, ws.OwnerID, ws.OrganizationID,
-						); err != nil {
-							log.Warn(e.ctx, "failed to notify of task paused", slog.Error(err), slog.F("task_id", ws.TaskID.UUID), slog.F("workspace_id", ws.ID))
-						}
-					}
-				}
 				return nil
 			}()
 			if err != nil && !xerrors.Is(err, context.Canceled) {
@@ -552,18 +522,10 @@ func getNextTransition(
 ) {
 	switch {
 	case isEligibleForAutostop(user, ws, latestBuild, latestJob, currentTick):
-		// Use task-specific reason for AI task workspaces.
-		if ws.TaskID.Valid {
-			return database.WorkspaceTransitionStop, database.BuildReasonTaskAutoPause, nil
-		}
 		return database.WorkspaceTransitionStop, database.BuildReasonAutostop, nil
 	case isEligibleForAutostart(user, ws, latestBuild, latestJob, templateSchedule, currentTick):
 		return database.WorkspaceTransitionStart, database.BuildReasonAutostart, nil
 	case isEligibleForFailedStop(latestBuild, latestJob, templateSchedule, currentTick):
-		// Use task-specific reason for AI task workspaces.
-		if ws.TaskID.Valid {
-			return database.WorkspaceTransitionStop, database.BuildReasonTaskAutoPause, nil
-		}
 		return database.WorkspaceTransitionStop, database.BuildReasonAutostop, nil
 	case isEligibleForDormantStop(ws, templateSchedule, currentTick):
 		// Only stop started workspaces.
@@ -5,113 +5,12 @@ import (
 	"testing"
 	"time"

-	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/schedule"
 )

-func Test_getNextTransition_TaskAutoPause(t *testing.T) {
-	t.Parallel()
-
-	// Set up a workspace that is eligible for autostop (past deadline).
-	now := time.Now()
-	pastDeadline := now.Add(-time.Hour)
-
-	okUser := database.User{Status: database.UserStatusActive}
-	okBuild := database.WorkspaceBuild{
-		Transition: database.WorkspaceTransitionStart,
-		Deadline:   pastDeadline,
-	}
-	okJob := database.ProvisionerJob{
-		JobStatus: database.ProvisionerJobStatusSucceeded,
-	}
-	okTemplateSchedule := schedule.TemplateScheduleOptions{}
-
-	// Failed build setup for failedstop tests.
-	failedBuild := database.WorkspaceBuild{
-		Transition: database.WorkspaceTransitionStart,
-	}
-	failedJob := database.ProvisionerJob{
-		JobStatus:   database.ProvisionerJobStatusFailed,
-		CompletedAt: sql.NullTime{Time: now.Add(-time.Hour), Valid: true},
-	}
-	failedTemplateSchedule := schedule.TemplateScheduleOptions{
-		FailureTTL: time.Minute, // TTL already elapsed since job completed an hour ago.
-	}
-
-	testCases := []struct {
-		Name             string
-		Workspace        database.Workspace
-		Build            database.WorkspaceBuild
-		Job              database.ProvisionerJob
-		TemplateSchedule schedule.TemplateScheduleOptions
-		ExpectedReason   database.BuildReason
-	}{
-		{
-			Name: "RegularWorkspace_Autostop",
-			Workspace: database.Workspace{
-				DormantAt: sql.NullTime{Valid: false},
-			},
-			Build:            okBuild,
-			Job:              okJob,
-			TemplateSchedule: okTemplateSchedule,
-			ExpectedReason:   database.BuildReasonAutostop,
-		},
-		{
-			Name: "TaskWorkspace_Autostop_UsesTaskAutoPause",
-			Workspace: database.Workspace{
-				DormantAt: sql.NullTime{Valid: false},
-				TaskID:    uuid.NullUUID{UUID: uuid.New(), Valid: true},
-			},
-			Build:            okBuild,
-			Job:              okJob,
-			TemplateSchedule: okTemplateSchedule,
-			ExpectedReason:   database.BuildReasonTaskAutoPause,
-		},
-		{
-			Name: "RegularWorkspace_FailedStop",
-			Workspace: database.Workspace{
-				DormantAt: sql.NullTime{Valid: false},
-			},
-			Build:            failedBuild,
-			Job:              failedJob,
-			TemplateSchedule: failedTemplateSchedule,
-			ExpectedReason:   database.BuildReasonAutostop,
-		},
-		{
-			Name: "TaskWorkspace_FailedStop_UsesTaskAutoPause",
-			Workspace: database.Workspace{
-				DormantAt: sql.NullTime{Valid: false},
-				TaskID:    uuid.NullUUID{UUID: uuid.New(), Valid: true},
-			},
-			Build:            failedBuild,
-			Job:              failedJob,
-			TemplateSchedule: failedTemplateSchedule,
-			ExpectedReason:   database.BuildReasonTaskAutoPause,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.Name, func(t *testing.T) {
-			t.Parallel()
-
-			transition, reason, err := getNextTransition(
-				okUser,
-				tc.Workspace,
-				tc.Build,
-				tc.Job,
-				tc.TemplateSchedule,
-				now,
-			)
-			require.NoError(t, err)
-			require.Equal(t, database.WorkspaceTransitionStop, transition)
-			require.Equal(t, tc.ExpectedReason, reason)
-		})
-	}
-}
-
 func Test_isEligibleForAutostart(t *testing.T) {
 	t.Parallel()

@@ -2019,69 +2019,5 @@ func TestExecutorTaskWorkspace(t *testing.T) {
 		assert.Contains(t, stats.Transitions, workspace.ID, "task workspace should be in transitions")
 		assert.Equal(t, database.WorkspaceTransitionStop, stats.Transitions[workspace.ID], "should autostop the workspace")
 		require.Empty(t, stats.Errors, "should have no errors when managing task workspaces")
-
-		// Then: The build reason should be TaskAutoPause (not regular Autostop)
-		workspace = coderdtest.MustWorkspace(t, client, workspace.ID)
-		_ = coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
-		workspace = coderdtest.MustWorkspace(t, client, workspace.ID)
-		assert.Equal(t, codersdk.BuildReasonTaskAutoPause, workspace.LatestBuild.Reason, "task workspace should use TaskAutoPause build reason")
-	})
-
-	t.Run("AutostopNotification", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			tickCh     = make(chan time.Time)
-			statsCh    = make(chan autobuild.Stats)
-			notifyEnq  = notificationstest.FakeEnqueuer{}
-			client, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{
-				AutobuildTicker:          tickCh,
-				IncludeProvisionerDaemon: true,
-				AutobuildStats:           statsCh,
-				NotificationsEnqueuer:    &notifyEnq,
-			})
-			admin = coderdtest.CreateFirstUser(t, client)
-		)
-
-		// Given: A task workspace with an 8 hour deadline
-		ctx := testutil.Context(t, testutil.WaitShort)
-		template := createTaskTemplate(t, client, admin.OrganizationID, ctx, 8*time.Hour)
-		workspace := createTaskWorkspace(t, client, template, ctx, "test task for autostop notification")
-
-		// Given: The workspace is currently running
-		workspace = coderdtest.MustWorkspace(t, client, workspace.ID)
-		require.Equal(t, codersdk.WorkspaceTransitionStart, workspace.LatestBuild.Transition)
-		require.NotZero(t, workspace.LatestBuild.Deadline, "workspace should have a deadline for autostop")
-
-		p, err := coderdtest.GetProvisionerForTags(db, time.Now(), workspace.OrganizationID, map[string]string{})
-		require.NoError(t, err)
-
-		// When: the autobuild executor ticks after the deadline
-		go func() {
-			tickTime := workspace.LatestBuild.Deadline.Time.Add(time.Minute)
-			coderdtest.UpdateProvisionerLastSeenAt(t, db, p.ID, tickTime)
-			tickCh <- tickTime
-			close(tickCh)
-		}()
-
-		// Then: We expect to see a stop transition
-		stats := <-statsCh
-		require.Len(t, stats.Transitions, 1, "lifecycle executor should transition the task workspace")
-		assert.Contains(t, stats.Transitions, workspace.ID, "task workspace should be in transitions")
-		assert.Equal(t, database.WorkspaceTransitionStop, stats.Transitions[workspace.ID], "should autostop the workspace")
-		require.Empty(t, stats.Errors, "should have no errors when managing task workspaces")
-
-		// Then: A task paused notification was sent with "idle timeout" reason
-		require.True(t, workspace.TaskID.Valid, "workspace should have a task ID")
-		task, err := db.GetTaskByID(dbauthz.AsSystemRestricted(ctx), workspace.TaskID.UUID)
-		require.NoError(t, err)
-
-		sent := notifyEnq.Sent(notificationstest.WithTemplateID(notifications.TemplateTaskPaused))
-		require.Len(t, sent, 1)
-		require.Equal(t, workspace.OwnerID, sent[0].UserID)
-		require.Equal(t, task.Name, sent[0].Labels["task"])
-		require.Equal(t, task.ID.String(), sent[0].Labels["task_id"])
-		require.Equal(t, workspace.Name, sent[0].Labels["workspace"])
-		require.Equal(t, "idle timeout", sent[0].Labels["pause_reason"])
 	})
 }
@@ -1,461 +0,0 @@
-package chatd_test
-
-import (
-	"context"
-	"database/sql"
-	"encoding/json"
-	"errors"
-	"testing"
-	"time"
-
-	"charm.land/fantasy"
-	"github.com/google/uuid"
-	"github.com/sqlc-dev/pqtype"
-	"github.com/stretchr/testify/require"
-
-	"cdr.dev/slog/v3/sloggers/slogtest"
-	"github.com/coder/coder/v2/coderd/chatd"
-	"github.com/coder/coder/v2/coderd/database"
-	"github.com/coder/coder/v2/coderd/database/db2sdk"
-	"github.com/coder/coder/v2/coderd/database/dbgen"
-	"github.com/coder/coder/v2/coderd/database/dbtestutil"
-	dbpubsub "github.com/coder/coder/v2/coderd/database/pubsub"
-	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/testutil"
-)
-
-func TestInterruptChatBroadcastsStatusAcrossInstances(t *testing.T) {
-	t.Parallel()
-
-	db, ps := dbtestutil.NewDB(t)
-	replicaA := newTestServer(t, db, ps, uuid.New())
-	replicaB := newTestServer(t, db, ps, uuid.New())
-
-	ctx := testutil.Context(t, testutil.WaitLong)
-	user, model := seedChatDependencies(ctx, t, db)
-
-	chat, err := replicaA.CreateChat(ctx, chatd.CreateOptions{
-		OwnerID:            user.ID,
-		Title:              "interrupt-me",
-		ModelConfigID:      model.ID,
-		InitialUserContent: []fantasy.Content{fantasy.TextContent{Text: "hello"}},
-	})
-	require.NoError(t, err)
-
-	runningWorker := uuid.New()
-	chat, err = db.UpdateChatStatus(ctx, database.UpdateChatStatusParams{
-		ID:          chat.ID,
-		Status:      database.ChatStatusRunning,
-		WorkerID:    uuid.NullUUID{UUID: runningWorker, Valid: true},
-		StartedAt:   sql.NullTime{Time: time.Now(), Valid: true},
-		HeartbeatAt: sql.NullTime{Time: time.Now(), Valid: true},
-	})
-	require.NoError(t, err)
-
-	_, events, cancel, ok := replicaB.Subscribe(ctx, chat.ID, nil)
-	require.True(t, ok)
-	t.Cleanup(cancel)
-
-	updated := replicaA.InterruptChat(ctx, chat)
-	require.Equal(t, database.ChatStatusWaiting, updated.Status)
-	require.False(t, updated.WorkerID.Valid)
-
-	require.Eventually(t, func() bool {
-		select {
-		case event := <-events:
-			if event.Type != codersdk.ChatStreamEventTypeStatus || event.Status == nil {
-				return false
-			}
-			return event.Status.Status == codersdk.ChatStatusWaiting
-		default:
-			return false
-		}
-	}, testutil.WaitMedium, testutil.IntervalFast)
-}
-
-func TestInterruptChatClearsWorkerInDatabase(t *testing.T) {
-	t.Parallel()
-
-	db, ps := dbtestutil.NewDB(t)
-	replica := newTestServer(t, db, ps, uuid.New())
-
-	ctx := testutil.Context(t, testutil.WaitLong)
-	user, model := seedChatDependencies(ctx, t, db)
-
-	chat, err := replica.CreateChat(ctx, chatd.CreateOptions{
-		OwnerID:            user.ID,
-		Title:              "db-transition",
-		ModelConfigID:      model.ID,
-		InitialUserContent: []fantasy.Content{fantasy.TextContent{Text: "hello"}},
-	})
-	require.NoError(t, err)
-
-	chat, err = db.UpdateChatStatus(ctx, database.UpdateChatStatusParams{
-		ID:          chat.ID,
-		Status:      database.ChatStatusRunning,
-		WorkerID:    uuid.NullUUID{UUID: uuid.New(), Valid: true},
-		StartedAt:   sql.NullTime{Time: time.Now(), Valid: true},
-		HeartbeatAt: sql.NullTime{Time: time.Now(), Valid: true},
-	})
-	require.NoError(t, err)
-
-	updated := replica.InterruptChat(ctx, chat)
-	require.Equal(t, database.ChatStatusWaiting, updated.Status)
-	require.False(t, updated.WorkerID.Valid)
-
-	fromDB, err := db.GetChatByID(ctx, chat.ID)
-	require.NoError(t, err)
-	require.Equal(t, database.ChatStatusWaiting, fromDB.Status)
-	require.False(t, fromDB.WorkerID.Valid)
-}
-
-func TestUpdateChatHeartbeatRequiresOwnership(t *testing.T) {
-	t.Parallel()
-
-	db, ps := dbtestutil.NewDB(t)
-	replica := newTestServer(t, db, ps, uuid.New())
-
-	ctx := testutil.Context(t, testutil.WaitLong)
-	user, model := seedChatDependencies(ctx, t, db)
-
-	chat, err := replica.CreateChat(ctx, chatd.CreateOptions{
-		OwnerID:            user.ID,
-		Title:              "heartbeat-ownership",
-		ModelConfigID:      model.ID,
-		InitialUserContent: []fantasy.Content{fantasy.TextContent{Text: "hello"}},
-	})
-	require.NoError(t, err)
-
-	workerID := uuid.New()
-	chat, err = db.UpdateChatStatus(ctx, database.UpdateChatStatusParams{
-		ID:          chat.ID,
-		Status:      database.ChatStatusRunning,
-		WorkerID:    uuid.NullUUID{UUID: workerID, Valid: true},
-		StartedAt:   sql.NullTime{Time: time.Now(), Valid: true},
-		HeartbeatAt: sql.NullTime{Time: time.Now(), Valid: true},
-	})
-	require.NoError(t, err)
-
-	rows, err := db.UpdateChatHeartbeat(ctx, database.UpdateChatHeartbeatParams{
-		ID:       chat.ID,
-		WorkerID: uuid.New(),
-	})
-	require.NoError(t, err)
-	require.Equal(t, int64(0), rows)
-
-	rows, err = db.UpdateChatHeartbeat(ctx, database.UpdateChatHeartbeatParams{
-		ID:       chat.ID,
-		WorkerID: workerID,
-	})
-	require.NoError(t, err)
-	require.Equal(t, int64(1), rows)
-}
-
-func TestSendMessageQueueBehaviorQueuesWhenBusy(t *testing.T) {
-	t.Parallel()
-
-	db, ps := dbtestutil.NewDB(t)
-	replica := newTestServer(t, db, ps, uuid.New())
-
-	ctx := testutil.Context(t, testutil.WaitLong)
-	user, model := seedChatDependencies(ctx, t, db)
-
-	chat, err := replica.CreateChat(ctx, chatd.CreateOptions{
-		OwnerID:            user.ID,
-		Title:              "queue-when-busy",
-		ModelConfigID:      model.ID,
-		InitialUserContent: []fantasy.Content{fantasy.TextContent{Text: "hello"}},
-	})
-	require.NoError(t, err)
-
-	workerID := uuid.New()
-	chat, err = db.UpdateChatStatus(ctx, database.UpdateChatStatusParams{
-		ID:          chat.ID,
-		Status:      database.ChatStatusRunning,
-		WorkerID:    uuid.NullUUID{UUID: workerID, Valid: true},
-		StartedAt:   sql.NullTime{Time: time.Now(), Valid: true},
-		HeartbeatAt: sql.NullTime{Time: time.Now(), Valid: true},
-	})
-	require.NoError(t, err)
-
-	result, err := replica.SendMessage(ctx, chatd.SendMessageOptions{
-		ChatID:       chat.ID,
-		Content:      []fantasy.Content{fantasy.TextContent{Text: "queued"}},
-		BusyBehavior: chatd.SendMessageBusyBehaviorQueue,
-	})
-	require.NoError(t, err)
-	require.True(t, result.Queued)
-	require.NotNil(t, result.QueuedMessage)
-	require.Equal(t, database.ChatStatusRunning, result.Chat.Status)
-	require.Equal(t, workerID, result.Chat.WorkerID.UUID)
-	require.True(t, result.Chat.WorkerID.Valid)
-
-	queued, err := db.GetChatQueuedMessages(ctx, chat.ID)
-	require.NoError(t, err)
-	require.Len(t, queued, 1)
-
-	messages, err := db.GetChatMessagesByChatID(ctx, chat.ID)
-	require.NoError(t, err)
-	require.Len(t, messages, 1)
-}
-
-func TestSendMessageInterruptBehaviorSendsImmediatelyWhenBusy(t *testing.T) {
-	t.Parallel()
-
-	db, ps := dbtestutil.NewDB(t)
-	replica := newTestServer(t, db, ps, uuid.New())
-
-	ctx := testutil.Context(t, testutil.WaitLong)
-	user, model := seedChatDependencies(ctx, t, db)
-
-	chat, err := replica.CreateChat(ctx, chatd.CreateOptions{
-		OwnerID:            user.ID,
-		Title:              "interrupt-when-busy",
-		ModelConfigID:      model.ID,
-		InitialUserContent: []fantasy.Content{fantasy.TextContent{Text: "hello"}},
-	})
-	require.NoError(t, err)
-
-	chat, err = db.UpdateChatStatus(ctx, database.UpdateChatStatusParams{
-		ID:          chat.ID,
-		Status:      database.ChatStatusRunning,
-		WorkerID:    uuid.NullUUID{UUID: uuid.New(), Valid: true},
-		StartedAt:   sql.NullTime{Time: time.Now(), Valid: true},
-		HeartbeatAt: sql.NullTime{Time: time.Now(), Valid: true},
-	})
-	require.NoError(t, err)
-
-	result, err := replica.SendMessage(ctx, chatd.SendMessageOptions{
-		ChatID:       chat.ID,
-		Content:      []fantasy.Content{fantasy.TextContent{Text: "interrupt"}},
-		BusyBehavior: chatd.SendMessageBusyBehaviorInterrupt,
-	})
-	require.NoError(t, err)
-	require.False(t, result.Queued)
-	require.Equal(t, database.ChatStatusPending, result.Chat.Status)
-	require.False(t, result.Chat.WorkerID.Valid)
-
-	fromDB, err := db.GetChatByID(ctx, chat.ID)
-	require.NoError(t, err)
-	require.Equal(t, database.ChatStatusPending, fromDB.Status)
-	require.False(t, fromDB.WorkerID.Valid)
-
-	queued, err := db.GetChatQueuedMessages(ctx, chat.ID)
-	require.NoError(t, err)
-	require.Len(t, queued, 0)
-
-	messages, err := db.GetChatMessagesByChatID(ctx, chat.ID)
-	require.NoError(t, err)
-	require.Len(t, messages, 2)
-	require.Equal(t, messages[len(messages)-1].ID, result.Message.ID)
-}
-
-func TestEditMessageUpdatesAndTruncatesAndClearsQueue(t *testing.T) {
-	t.Parallel()
-
-	db, ps := dbtestutil.NewDB(t)
-	replica := newTestServer(t, db, ps, uuid.New())
-
-	ctx := testutil.Context(t, testutil.WaitLong)
-	user, model := seedChatDependencies(ctx, t, db)
-
-	chat, err := replica.CreateChat(ctx, chatd.CreateOptions{
-		OwnerID:            user.ID,
-		Title:              "edit-message",
-		ModelConfigID:      model.ID,
-		InitialUserContent: []fantasy.Content{fantasy.TextContent{Text: "original"}},
-	})
-	require.NoError(t, err)
-
-	initialMessages, err := db.GetChatMessagesByChatID(ctx, chat.ID)
-	require.NoError(t, err)
-	require.Len(t, initialMessages, 1)
-	editedMessageID := initialMessages[0].ID
-
-	_, err = replica.SendMessage(ctx, chatd.SendMessageOptions{
-		ChatID:       chat.ID,
-		Content:      []fantasy.Content{fantasy.TextContent{Text: "follow-up"}},
-		BusyBehavior: chatd.SendMessageBusyBehaviorInterrupt,
-	})
-	require.NoError(t, err)
-	_, err = replica.SendMessage(ctx, chatd.SendMessageOptions{
-		ChatID:       chat.ID,
-		Content:      []fantasy.Content{fantasy.TextContent{Text: "another"}},
-		BusyBehavior: chatd.SendMessageBusyBehaviorInterrupt,
-	})
-	require.NoError(t, err)
-
-	_, err = db.InsertChatQueuedMessage(ctx, database.InsertChatQueuedMessageParams{
-		ChatID:  chat.ID,
-		Content: json.RawMessage(`"queued"`),
-	})
-	require.NoError(t, err)
-
-	chat, err = db.UpdateChatStatus(ctx, database.UpdateChatStatusParams{
-		ID:          chat.ID,
-		Status:      database.ChatStatusRunning,
-		WorkerID:    uuid.NullUUID{UUID: uuid.New(), Valid: true},
-		StartedAt:   sql.NullTime{Time: time.Now(), Valid: true},
-		HeartbeatAt: sql.NullTime{Time: time.Now(), Valid: true},
-	})
-	require.NoError(t, err)
-
-	editResult, err := replica.EditMessage(ctx, chatd.EditMessageOptions{
-		ChatID:          chat.ID,
-		EditedMessageID: editedMessageID,
-		Content:         []fantasy.Content{fantasy.TextContent{Text: "edited"}},
-	})
-	require.NoError(t, err)
-	require.Equal(t, editedMessageID, editResult.Message.ID)
-	require.Equal(t, database.ChatStatusPending, editResult.Chat.Status)
-	require.False(t, editResult.Chat.WorkerID.Valid)
-
-	editedSDK := db2sdk.ChatMessage(editResult.Message)
-	require.Len(t, editedSDK.Content, 1)
-	require.Equal(t, "edited", editedSDK.Content[0].Text)
-
-	messages, err := db.GetChatMessagesByChatID(ctx, chat.ID)
-	require.NoError(t, err)
-	require.Len(t, messages, 1)
-	require.Equal(t, editedMessageID, messages[0].ID)
-	onlyMessage := db2sdk.ChatMessage(messages[0])
-	require.Len(t, onlyMessage.Content, 1)
-	require.Equal(t, "edited", onlyMessage.Content[0].Text)
-
-	queued, err := db.GetChatQueuedMessages(ctx, chat.ID)
-	require.NoError(t, err)
-	require.Len(t, queued, 0)
-
-	chatFromDB, err := db.GetChatByID(ctx, chat.ID)
-	require.NoError(t, err)
-	require.Equal(t, database.ChatStatusPending, chatFromDB.Status)
-	require.False(t, chatFromDB.WorkerID.Valid)
-}
-
-func TestEditMessageRejectsMissingMessage(t *testing.T) {
-	t.Parallel()
-
-	db, ps := dbtestutil.NewDB(t)
-	replica := newTestServer(t, db, ps, uuid.New())
-
-	ctx := testutil.Context(t, testutil.WaitLong)
-	user, model := seedChatDependencies(ctx, t, db)
-
-	chat, err := replica.CreateChat(ctx, chatd.CreateOptions{
-		OwnerID:            user.ID,
-		Title:              "missing-edited-message",
-		ModelConfigID:      model.ID,
-		InitialUserContent: []fantasy.Content{fantasy.TextContent{Text: "hello"}},
-	})
-	require.NoError(t, err)
-
-	_, err = replica.EditMessage(ctx, chatd.EditMessageOptions{
-		ChatID:          chat.ID,
-		EditedMessageID: 999999,
-		Content:         []fantasy.Content{fantasy.TextContent{Text: "edited"}},
-	})
-	require.Error(t, err)
-	require.True(t, errors.Is(err, chatd.ErrEditedMessageNotFound))
-}
-
-func TestEditMessageRejectsNonUserMessage(t *testing.T) {
-	t.Parallel()
-
-	db, ps := dbtestutil.NewDB(t)
-	replica := newTestServer(t, db, ps, uuid.New())
-
-	ctx := testutil.Context(t, testutil.WaitLong)
-	user, model := seedChatDependencies(ctx, t, db)
-
-	chat, err := replica.CreateChat(ctx, chatd.CreateOptions{
-		OwnerID:            user.ID,
-		Title:              "non-user-edited-message",
-		ModelConfigID:      model.ID,
-		InitialUserContent: []fantasy.Content{fantasy.TextContent{Text: "hello"}},
-	})
-	require.NoError(t, err)
-
-	assistantMessage, err := db.InsertChatMessage(ctx, database.InsertChatMessageParams{
-		ChatID:        chat.ID,
-		ModelConfigID: uuid.NullUUID{UUID: model.ID, Valid: true},
-		Role:          "assistant",
-		Content: pqtype.NullRawMessage{
-			RawMessage: json.RawMessage(`"assistant"`),
-			Valid:      true,
-		},
-		Visibility:          database.ChatMessageVisibilityBoth,
-		InputTokens:         sql.NullInt64{},
-		OutputTokens:        sql.NullInt64{},
-		TotalTokens:         sql.NullInt64{},
-		ReasoningTokens:     sql.NullInt64{},
-		CacheCreationTokens: sql.NullInt64{},
-		CacheReadTokens:     sql.NullInt64{},
-		ContextLimit:        sql.NullInt64{},
-		Compressed:          sql.NullBool{},
-	})
-	require.NoError(t, err)
-
-	_, err = replica.EditMessage(ctx, chatd.EditMessageOptions{
-		ChatID:          chat.ID,
-		EditedMessageID: assistantMessage.ID,
-		Content:         []fantasy.Content{fantasy.TextContent{Text: "edited"}},
-	})
-	require.Error(t, err)
-	require.True(t, errors.Is(err, chatd.ErrEditedMessageNotUser))
-}
-
-func newTestServer(
-	t *testing.T,
-	db database.Store,
-	ps dbpubsub.Pubsub,
-	replicaID uuid.UUID,
-) *chatd.Server {
-	t.Helper()
-
-	logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
-	server := chatd.New(chatd.Config{
-		Logger:                     logger,
-		Database:                   db,
-		ReplicaID:                  replicaID,
-		Pubsub:                     ps,
-		PendingChatAcquireInterval: testutil.WaitSuperLong,
-	})
-	t.Cleanup(func() {
-		require.NoError(t, server.Close())
-	})
-	return server
-}
-
-func seedChatDependencies(
-	ctx context.Context,
-	t *testing.T,
-	db database.Store,
-) (database.User, database.ChatModelConfig) {
-	t.Helper()
-
-	user := dbgen.User(t, db, database.User{})
-	_, err := db.InsertChatProvider(ctx, database.InsertChatProviderParams{
-		Provider:    "openai",
-		DisplayName: "OpenAI",
-		APIKey:      "test-key",
-		BaseUrl:     "",
-		ApiKeyKeyID: sql.NullString{},
-		CreatedBy:   uuid.NullUUID{UUID: user.ID, Valid: true},
-		Enabled:     true,
-	})
-	require.NoError(t, err)
-	model, err := db.InsertChatModelConfig(ctx, database.InsertChatModelConfigParams{
-		Provider:             "openai",
-		Model:                "gpt-4o-mini",
-		DisplayName:          "Test Model",
-		CreatedBy:            uuid.NullUUID{UUID: user.ID, Valid: true},
-		UpdatedBy:            uuid.NullUUID{UUID: user.ID, Valid: true},
-		Enabled:              true,
-		IsDefault:            true,
-		ContextLimit:         128000,
-		CompressionThreshold: 70,
-		Options:              json.RawMessage(`{}`),
-	})
-	require.NoError(t, err)
-	return user, model
-}
@@ -1,676 +0,0 @@
-package chatloop
-
-import (
-	"context"
-	"database/sql"
-	"encoding/json"
-	"errors"
-	"strconv"
-	"strings"
-	"sync"
-
-	"charm.land/fantasy"
-	fantasyanthropic "charm.land/fantasy/providers/anthropic"
-	"github.com/google/uuid"
-	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/v2/coderd/chatd/chatprompt"
-	"github.com/coder/coder/v2/codersdk"
-)
-
-const (
-	interruptedToolResultErrorMessage = "tool call was interrupted before it produced a result"
-)
-
-var ErrInterrupted = xerrors.New("chat interrupted")
-
-// PersistedStep contains the full content of a completed or
-// interrupted agent step. Content includes both assistant blocks
-// (text, reasoning, tool calls) and tool result blocks, mirroring
-// what fantasy provides in StepResult.Content. The persistence
-// layer is responsible for splitting these into separate database
-// messages by role.
-type PersistedStep struct {
-	Content      []fantasy.Content
-	Usage        fantasy.Usage
-	ContextLimit sql.NullInt64
-}
-
-// RunOptions configures a single streaming chat loop run.
-type RunOptions struct {
-	Model      fantasy.LanguageModel
-	Messages   []fantasy.Message
-	Tools      []fantasy.AgentTool
-	StreamCall fantasy.AgentStreamCall
-	MaxSteps   int
-
-	ActiveTools          []string
-	ContextLimitFallback int64
-
-	PersistStep        func(context.Context, PersistedStep) error
-	PublishMessagePart func(
-		role fantasy.MessageRole,
-		part codersdk.ChatMessagePart,
-	)
-	Compaction *CompactionOptions
-
-	OnInterruptedPersistError func(error)
-}
-
-// Run executes the chat step-stream loop and delegates persistence/publishing to callbacks.
-func Run(ctx context.Context, opts RunOptions) (*fantasy.AgentResult, error) {
-	if opts.Model == nil {
-		return nil, xerrors.New("chat model is required")
-	}
-	if opts.PersistStep == nil {
-		return nil, xerrors.New("persist step callback is required")
-	}
-	if opts.MaxSteps <= 0 {
-		opts.MaxSteps = 1
-	}
-
-	publishMessagePart := func(role fantasy.MessageRole, part codersdk.ChatMessagePart) {
-		if opts.PublishMessagePart == nil {
-			return
-		}
-		opts.PublishMessagePart(role, part)
-	}
-
-	var (
-		stepStateMu           sync.Mutex
-		streamToolNames       map[string]string
-		streamReasoningTitles map[string]string
-		streamReasoningText   map[string]string
-		// stepToolResultContents tracks tool results received during
-		// streaming. These are needed for the interrupted-step path
-		// where OnStepFinish never fires.
-		stepToolResultContents []fantasy.ToolResultContent
-		stepAssistantDraft     []fantasy.Content
-		stepToolCallIndexByID  map[string]int
-	)
-
-	resetStepState := func() {
-		stepStateMu.Lock()
-		streamToolNames = make(map[string]string)
-		streamReasoningTitles = make(map[string]string)
-		streamReasoningText = make(map[string]string)
-		stepToolResultContents = nil
-		stepAssistantDraft = nil
-		stepToolCallIndexByID = make(map[string]int)
-		stepStateMu.Unlock()
-	}
-
-	setReasoningTitleFromText := func(id string, text string) {
-		if id == "" || strings.TrimSpace(text) == "" {
-			return
-		}
-
-		stepStateMu.Lock()
-		defer stepStateMu.Unlock()
-
-		if streamReasoningTitles[id] != "" {
-			return
-		}
-
-		streamReasoningText[id] += text
-		if !strings.ContainsAny(streamReasoningText[id], "\r\n") {
-			return
-		}
-		title := chatprompt.ReasoningTitleFromFirstLine(streamReasoningText[id])
-		if title == "" {
-			return
-		}
-
-		streamReasoningTitles[id] = title
-	}
-
-	appendDraftText := func(text string) {
-		if text == "" {
-			return
-		}
-
-		stepStateMu.Lock()
-		defer stepStateMu.Unlock()
-
-		if len(stepAssistantDraft) > 0 {
-			lastIndex := len(stepAssistantDraft) - 1
-			switch last := stepAssistantDraft[lastIndex].(type) {
-			case fantasy.TextContent:
-				last.Text += text
-				stepAssistantDraft[lastIndex] = last
-				return
-			case *fantasy.TextContent:
-				last.Text += text
-				stepAssistantDraft[lastIndex] = fantasy.TextContent{Text: last.Text}
-				return
-			}
-		}
-		stepAssistantDraft = append(stepAssistantDraft, fantasy.TextContent{Text: text})
-	}
-
-	appendDraftReasoning := func(text string) {
-		if text == "" {
-			return
-		}
-
-		stepStateMu.Lock()
-		defer stepStateMu.Unlock()
-
-		if len(stepAssistantDraft) > 0 {
-			lastIndex := len(stepAssistantDraft) - 1
-			switch last := stepAssistantDraft[lastIndex].(type) {
-			case fantasy.ReasoningContent:
-				last.Text += text
-				stepAssistantDraft[lastIndex] = last
-				return
-			case *fantasy.ReasoningContent:
-				last.Text += text
-				stepAssistantDraft[lastIndex] = fantasy.ReasoningContent{Text: last.Text}
-				return
-			}
-		}
-		stepAssistantDraft = append(stepAssistantDraft, fantasy.ReasoningContent{Text: text})
-	}
-
-	upsertDraftToolCall := func(toolCallID, toolName, input string, appendInput bool) {
-		if toolCallID == "" {
-			return
-		}
-
-		stepStateMu.Lock()
-		defer stepStateMu.Unlock()
-
-		if strings.TrimSpace(toolName) != "" {
-			streamToolNames[toolCallID] = toolName
-		}
-
-		index, exists := stepToolCallIndexByID[toolCallID]
-		if !exists {
-			stepToolCallIndexByID[toolCallID] = len(stepAssistantDraft)
-			stepAssistantDraft = append(stepAssistantDraft, fantasy.ToolCallContent{
-				ToolCallID: toolCallID,
-				ToolName:   toolName,
-				Input:      input,
-			})
-			return
-		}
-
-		if index < 0 || index >= len(stepAssistantDraft) {
-			stepToolCallIndexByID[toolCallID] = len(stepAssistantDraft)
-			stepAssistantDraft = append(stepAssistantDraft, fantasy.ToolCallContent{
-				ToolCallID: toolCallID,
-				ToolName:   toolName,
-				Input:      input,
-			})
-			return
-		}
-
-		existingCall, ok := fantasy.AsContentType[fantasy.ToolCallContent](stepAssistantDraft[index])
-		if !ok {
-			if ptrCall, ptrOK := fantasy.AsContentType[*fantasy.ToolCallContent](stepAssistantDraft[index]); ptrOK && ptrCall != nil {
-				existingCall = *ptrCall
-				ok = true
-			}
-		}
-		if !ok {
-			stepToolCallIndexByID[toolCallID] = len(stepAssistantDraft)
-			stepAssistantDraft = append(stepAssistantDraft, fantasy.ToolCallContent{
-				ToolCallID: toolCallID,
-				ToolName:   toolName,
-				Input:      input,
-			})
-			return
-		}
-
-		if strings.TrimSpace(toolName) != "" {
-			existingCall.ToolName = toolName
-		}
-		if appendInput {
-			existingCall.Input += input
-		} else if input != "" || existingCall.Input == "" {
-			existingCall.Input = input
-		}
-		stepAssistantDraft[index] = existingCall
-	}
-
-	appendDraftSource := func(source fantasy.SourceContent) {
-		stepStateMu.Lock()
-		stepAssistantDraft = append(stepAssistantDraft, source)
-		stepStateMu.Unlock()
-	}
-
-	persistInterruptedStep := func() error {
-		stepStateMu.Lock()
-		draft := append([]fantasy.Content(nil), stepAssistantDraft...)
-		toolResults := append([]fantasy.ToolResultContent(nil), stepToolResultContents...)
-		toolNameByCallID := make(map[string]string, len(streamToolNames))
-		for id, name := range streamToolNames {
-			toolNameByCallID[id] = name
-		}
-		stepStateMu.Unlock()
-
-		if len(draft) == 0 && len(toolResults) == 0 {
-			return nil
-		}
-
-		// Track which tool calls already have results.
-		answeredToolCalls := make(map[string]struct{}, len(toolResults))
-		for _, tr := range toolResults {
-			if tr.ToolCallID != "" {
-				answeredToolCalls[tr.ToolCallID] = struct{}{}
-			}
-		}
-
-		// Build the combined content: draft + received tool results
-		// + synthetic interrupted results for unanswered tool calls.
-		content := make([]fantasy.Content, 0, len(draft)+len(toolResults))
-		content = append(content, draft...)
-		for _, tr := range toolResults {
-			content = append(content, tr)
-		}
-
-		for _, block := range draft {
-			toolCall, ok := fantasy.AsContentType[fantasy.ToolCallContent](block)
-			if !ok {
-				if ptrCall, ptrOK := fantasy.AsContentType[*fantasy.ToolCallContent](block); ptrOK && ptrCall != nil {
-					toolCall = *ptrCall
-					ok = true
-				}
-			}
-			if !ok || toolCall.ToolCallID == "" {
-				continue
-			}
-			if _, exists := answeredToolCalls[toolCall.ToolCallID]; exists {
-				continue
-			}
-
-			toolName := strings.TrimSpace(toolCall.ToolName)
-			if toolName == "" {
-				toolName = strings.TrimSpace(toolNameByCallID[toolCall.ToolCallID])
-			}
-
-			content = append(content, fantasy.ToolResultContent{
-				ToolCallID: toolCall.ToolCallID,
-				ToolName:   toolName,
-				Result: fantasy.ToolResultOutputContentError{
-					Error: xerrors.New(interruptedToolResultErrorMessage),
-				},
-			})
-			answeredToolCalls[toolCall.ToolCallID] = struct{}{}
-		}
-
-		persistCtx := context.WithoutCancel(ctx)
-		return opts.PersistStep(persistCtx, PersistedStep{
-			Content: content,
-		})
-	}
-
-	resetStepState()
-
-	agent := fantasy.NewAgent(
-		opts.Model,
-		fantasy.WithTools(opts.Tools...),
-		fantasy.WithStopConditions(fantasy.StepCountIs(opts.MaxSteps)),
-	)
-	applyAnthropicCaching := shouldApplyAnthropicPromptCaching(opts.Model)
-	// Fantasy's AgentStreamCall currently requires a non-empty Prompt and always
-	// appends it as a user message. chatd already supplies the full history in
-	// Messages, so we pass and then strip a sentinel user message in PrepareStep.
-	sentinelPrompt := "__chatd_agent_prompt_sentinel_" + uuid.NewString()
-
-	streamCall := opts.StreamCall
-	streamCall.Prompt = sentinelPrompt
-	streamCall.Messages = opts.Messages
-	streamCall.PrepareStep = func(
-		stepCtx context.Context,
-		options fantasy.PrepareStepFunctionOptions,
-	) (context.Context, fantasy.PrepareStepResult, error) {
-		return stepCtx, prepareStepResult(
-			options.Messages,
-			sentinelPrompt,
-			opts.ActiveTools,
-			applyAnthropicCaching,
-		), nil
-	}
-	streamCall.OnStepStart = func(_ int) error {
-		resetStepState()
-		return nil
-	}
-	streamCall.OnTextDelta = func(_ string, text string) error {
-		appendDraftText(text)
-		publishMessagePart(fantasy.MessageRoleAssistant, codersdk.ChatMessagePart{
-			Type: codersdk.ChatMessagePartTypeText,
-			Text: text,
-		})
-		return nil
-	}
-	streamCall.OnReasoningDelta = func(id string, text string) error {
-		appendDraftReasoning(text)
-		setReasoningTitleFromText(id, text)
-		stepStateMu.Lock()
-		title := streamReasoningTitles[id]
-		stepStateMu.Unlock()
-		publishMessagePart(fantasy.MessageRoleAssistant, codersdk.ChatMessagePart{
-			Type:  codersdk.ChatMessagePartTypeReasoning,
-			Text:  text,
-			Title: title,
-		})
-		return nil
-	}
-	streamCall.OnReasoningEnd = func(id string, _ fantasy.ReasoningContent) error {
-		stepStateMu.Lock()
-		if streamReasoningTitles[id] == "" {
-			// At the end of reasoning we have the full text, so we can
-			// safely evaluate first-line title format even if no newline
-			// ever arrived in deltas.
-			streamReasoningTitles[id] = chatprompt.ReasoningTitleFromFirstLine(
-				streamReasoningText[id],
-			)
-		}
-		title := streamReasoningTitles[id]
-		stepStateMu.Unlock()
-		if title != "" {
-			// Publish a title-only reasoning part so clients can update the
-			// reasoning header when metadata arrives at the end of streaming.
-			publishMessagePart(fantasy.MessageRoleAssistant, codersdk.ChatMessagePart{
-				Type:  codersdk.ChatMessagePartTypeReasoning,
-				Title: title,
-			})
-		}
-		return nil
-	}
-	streamCall.OnToolInputStart = func(id, toolName string) error {
-		upsertDraftToolCall(id, toolName, "", false)
-		return nil
-	}
-	streamCall.OnToolInputDelta = func(id, delta string) error {
-		stepStateMu.Lock()
-		toolName := streamToolNames[id]
-		stepStateMu.Unlock()
-		upsertDraftToolCall(id, toolName, delta, true)
-		publishMessagePart(fantasy.MessageRoleAssistant, codersdk.ChatMessagePart{
-			Type:       codersdk.ChatMessagePartTypeToolCall,
-			ToolCallID: id,
-			ToolName:   toolName,
-			ArgsDelta:  delta,
-		})
-		return nil
-	}
-	streamCall.OnToolCall = func(toolCall fantasy.ToolCallContent) error {
-		upsertDraftToolCall(toolCall.ToolCallID, toolCall.ToolName, toolCall.Input, false)
-		publishMessagePart(
-			fantasy.MessageRoleAssistant,
-			chatprompt.PartFromContent(toolCall),
-		)
-		return nil
-	}
-	streamCall.OnSource = func(source fantasy.SourceContent) error {
-		appendDraftSource(source)
-		publishMessagePart(
-			fantasy.MessageRoleAssistant,
-			chatprompt.PartFromContent(source),
-		)
-		return nil
-	}
-	streamCall.OnToolResult = func(result fantasy.ToolResultContent) error {
-		publishMessagePart(
-			fantasy.MessageRoleTool,
-			chatprompt.PartFromContent(result),
-		)
-
-		stepStateMu.Lock()
-		if result.ToolCallID != "" && strings.TrimSpace(result.ToolName) != "" {
-			streamToolNames[result.ToolCallID] = result.ToolName
-		}
-		stepToolResultContents = append(stepToolResultContents, result)
-		stepStateMu.Unlock()
-
-		return nil
-	}
-	streamCall.OnStepFinish = func(stepResult fantasy.StepResult) error {
-		contextLimit := extractContextLimit(stepResult.ProviderMetadata)
-		if !contextLimit.Valid && opts.ContextLimitFallback > 0 {
-			contextLimit = sql.NullInt64{
-				Int64: opts.ContextLimitFallback,
-				Valid: true,
-			}
-		}
-
-		return opts.PersistStep(ctx, PersistedStep{
-			Content:      stepResult.Content,
-			Usage:        stepResult.Usage,
-			ContextLimit: contextLimit,
-		})
-	}
-
-	result, err := agent.Stream(ctx, streamCall)
-	if err != nil {
-		if errors.Is(err, context.Canceled) &&
-			errors.Is(context.Cause(ctx), ErrInterrupted) {
-			if persistErr := persistInterruptedStep(); persistErr != nil {
-				if opts.OnInterruptedPersistError != nil {
-					opts.OnInterruptedPersistError(persistErr)
-				}
-			}
-			return nil, ErrInterrupted
-		}
-		return nil, xerrors.Errorf("stream response: %w", err)
-	}
-	if opts.Compaction != nil {
-		if err := maybeCompact(ctx, opts, result); err != nil {
-			if opts.Compaction.OnError != nil {
-				opts.Compaction.OnError(err)
-			}
-		}
-	}
-
-	return result, nil
-}
-
-//nolint:revive // Boolean controls Anthropic-specific caching behavior.
-func prepareStepResult(
-	messages []fantasy.Message,
-	sentinel string,
-	activeTools []string,
-	anthropicCaching bool,
-) fantasy.PrepareStepResult {
-	filtered := make([]fantasy.Message, 0, len(messages))
-	removed := false
-	for _, message := range messages {
-		if !removed &&
-			message.Role == fantasy.MessageRoleUser &&
-			len(message.Content) == 1 {
-			textPart, ok := fantasy.AsMessagePart[fantasy.TextPart](message.Content[0])
-			if ok && textPart.Text == sentinel {
-				removed = true
-				continue
-			}
-		}
-		filtered = append(filtered, message)
-	}
-
-	result := fantasy.PrepareStepResult{
-		Messages: filtered,
-	}
-	if anthropicCaching {
-		result.Messages = addAnthropicPromptCaching(result.Messages)
-	}
-	if len(activeTools) > 0 {
-		result.ActiveTools = append([]string(nil), activeTools...)
-	}
-	return result
-}
-
-func shouldApplyAnthropicPromptCaching(model fantasy.LanguageModel) bool {
-	if model == nil {
-		return false
-	}
-	return model.Provider() == fantasyanthropic.Name
-}
-
-func addAnthropicPromptCaching(messages []fantasy.Message) []fantasy.Message {
-	for i := range messages {
-		messages[i].ProviderOptions = nil
-	}
-
-	providerOption := fantasy.ProviderOptions{
-		fantasyanthropic.Name: &fantasyanthropic.ProviderCacheControlOptions{
-			CacheControl: fantasyanthropic.CacheControl{Type: "ephemeral"},
-		},
-	}
-
-	lastSystemRoleIdx := -1
-	systemMessageUpdated := false
-	for i, msg := range messages {
-		if msg.Role == fantasy.MessageRoleSystem {
-			lastSystemRoleIdx = i
-		} else if !systemMessageUpdated && lastSystemRoleIdx >= 0 {
-			messages[lastSystemRoleIdx].ProviderOptions = providerOption
-			systemMessageUpdated = true
-		}
-		if i > len(messages)-3 {
-			messages[i].ProviderOptions = providerOption
-		}
-	}
-
-	return messages
-}
-
-func extractContextLimit(metadata fantasy.ProviderMetadata) sql.NullInt64 {
-	if len(metadata) == 0 {
-		return sql.NullInt64{}
-	}
-
-	encoded, err := json.Marshal(metadata)
-	if err != nil || len(encoded) == 0 {
-		return sql.NullInt64{}
-	}
-
-	var payload any
-	if err := json.Unmarshal(encoded, &payload); err != nil {
-		return sql.NullInt64{}
-	}
-
-	limit, ok := findContextLimitValue(payload)
-	if !ok {
-		return sql.NullInt64{}
-	}
-
-	return sql.NullInt64{
-		Int64: limit,
-		Valid: true,
-	}
-}
-
-func findContextLimitValue(value any) (int64, bool) {
-	var (
-		limit int64
-		found bool
-	)
-
-	collectContextLimitValues(value, func(candidate int64) {
-		if !found || candidate > limit {
-			limit = candidate
-			found = true
-		}
-	})
-
-	return limit, found
-}
-
-func collectContextLimitValues(value any, onValue func(int64)) {
-	switch typed := value.(type) {
-	case map[string]any:
-		for key, child := range typed {
-			if isContextLimitKey(key) {
-				if numeric, ok := numericContextLimitValue(child); ok {
-					onValue(numeric)
-				}
-			}
-			collectContextLimitValues(child, onValue)
-		}
-	case []any:
-		for _, child := range typed {
-			collectContextLimitValues(child, onValue)
-		}
-	}
-}
-
-func isContextLimitKey(key string) bool {
-	normalized := normalizeMetadataKey(key)
-	if normalized == "" {
-		return false
-	}
-
-	switch normalized {
-	case
-		"contextlimit",
-		"contextwindow",
-		"contextlength",
-		"maxcontext",
-		"maxcontexttokens",
-		"maxinputtokens",
-		"maxinputtoken",
-		"inputtokenlimit":
-		return true
-	}
-
-	return strings.Contains(normalized, "context") &&
-		(strings.Contains(normalized, "limit") ||
-			strings.Contains(normalized, "window") ||
-			strings.Contains(normalized, "length") ||
-			strings.HasPrefix(normalized, "max"))
-}
-
-func normalizeMetadataKey(key string) string {
-	var b strings.Builder
-	b.Grow(len(key))
-
-	for _, r := range key {
-		switch {
-		case r >= 'a' && r <= 'z':
-			_, _ = b.WriteRune(r)
-		case r >= 'A' && r <= 'Z':
-			_, _ = b.WriteRune(r + ('a' - 'A'))
-		case r >= '0' && r <= '9':
-			_, _ = b.WriteRune(r)
-		}
-	}
-
-	return b.String()
-}
-
-func numericContextLimitValue(value any) (int64, bool) {
-	switch typed := value.(type) {
-	case int64:
-		return positiveInt64(typed)
-	case int32:
-		return positiveInt64(int64(typed))
-	case int:
-		return positiveInt64(int64(typed))
-	case float64:
-		casted := int64(typed)
-		if typed > 0 && float64(casted) == typed {
-			return casted, true
-		}
-	case string:
-		parsed, err := strconv.ParseInt(strings.TrimSpace(typed), 10, 64)
-		if err == nil {
-			return positiveInt64(parsed)
-		}
-	case json.Number:
-		parsed, err := typed.Int64()
-		if err == nil {
-			return positiveInt64(parsed)
-		}
-	}
-
-	return 0, false
-}
-
-func positiveInt64(value int64) (int64, bool) {
-	if value <= 0 {
-		return 0, false
-	}
-	return value, true
-}
@@ -1,289 +0,0 @@
-package chatloop //nolint:testpackage // Uses internal symbols.
-
-import (
-	"context"
-	"iter"
-	"strings"
-	"testing"
-
-	"charm.land/fantasy"
-	fantasyanthropic "charm.land/fantasy/providers/anthropic"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/xerrors"
-)
-
-const activeToolName = "read_file"
-
-func TestRun_ActiveToolsPrepareBehavior(t *testing.T) {
-	t.Parallel()
-
-	var capturedCall fantasy.Call
-	model := &loopTestModel{
-		provider: fantasyanthropic.Name,
-		streamFn: func(_ context.Context, call fantasy.Call) (fantasy.StreamResponse, error) {
-			capturedCall = call
-			return streamFromParts([]fantasy.StreamPart{
-				{Type: fantasy.StreamPartTypeTextStart, ID: "text-1"},
-				{Type: fantasy.StreamPartTypeTextDelta, ID: "text-1", Delta: "done"},
-				{Type: fantasy.StreamPartTypeTextEnd, ID: "text-1"},
-				{Type: fantasy.StreamPartTypeFinish, FinishReason: fantasy.FinishReasonStop},
-			}), nil
-		},
-	}
-
-	persistStepCalls := 0
-	var persistedStep PersistedStep
-
-	_, err := Run(context.Background(), RunOptions{
-		Model: model,
-		Messages: []fantasy.Message{
-			textMessage(fantasy.MessageRoleSystem, "sys-1"),
-			textMessage(fantasy.MessageRoleSystem, "sys-2"),
-			textMessage(fantasy.MessageRoleUser, "hello"),
-			textMessage(fantasy.MessageRoleAssistant, "working"),
-			textMessage(fantasy.MessageRoleUser, "continue"),
-		},
-		Tools: []fantasy.AgentTool{
-			newNoopTool(activeToolName),
-			newNoopTool("write_file"),
-		},
-		MaxSteps:             3,
-		ActiveTools:          []string{activeToolName},
-		ContextLimitFallback: 4096,
-		PersistStep: func(_ context.Context, step PersistedStep) error {
-			persistStepCalls++
-			persistedStep = step
-			return nil
-		},
-	})
-	require.NoError(t, err)
-
-	require.Equal(t, 1, persistStepCalls)
-	require.True(t, persistedStep.ContextLimit.Valid)
-	require.Equal(t, int64(4096), persistedStep.ContextLimit.Int64)
-
-	require.NotEmpty(t, capturedCall.Prompt)
-	require.False(t, containsPromptSentinel(capturedCall.Prompt))
-	require.Len(t, capturedCall.Tools, 1)
-	require.Equal(t, activeToolName, capturedCall.Tools[0].GetName())
-
-	require.Len(t, capturedCall.Prompt, 5)
-	require.False(t, hasAnthropicEphemeralCacheControl(capturedCall.Prompt[0]))
-	require.True(t, hasAnthropicEphemeralCacheControl(capturedCall.Prompt[1]))
-	require.False(t, hasAnthropicEphemeralCacheControl(capturedCall.Prompt[2]))
-	require.True(t, hasAnthropicEphemeralCacheControl(capturedCall.Prompt[3]))
-	require.True(t, hasAnthropicEphemeralCacheControl(capturedCall.Prompt[4]))
-}
-
-func TestRun_InterruptedStepPersistsSyntheticToolResult(t *testing.T) {
-	t.Parallel()
-
-	started := make(chan struct{})
-	model := &loopTestModel{
-		provider: "fake",
-		streamFn: func(ctx context.Context, _ fantasy.Call) (fantasy.StreamResponse, error) {
-			return iter.Seq[fantasy.StreamPart](func(yield func(fantasy.StreamPart) bool) {
-				parts := []fantasy.StreamPart{
-					{
-						Type:         fantasy.StreamPartTypeToolInputStart,
-						ID:           "interrupt-tool-1",
-						ToolCallName: "read_file",
-					},
-					{
-						Type:         fantasy.StreamPartTypeToolInputDelta,
-						ID:           "interrupt-tool-1",
-						ToolCallName: "read_file",
-						Delta:        `{"path":"main.go"`,
-					},
-					{Type: fantasy.StreamPartTypeTextStart, ID: "text-1"},
-					{Type: fantasy.StreamPartTypeTextDelta, ID: "text-1", Delta: "partial assistant output"},
-				}
-				for _, part := range parts {
-					if !yield(part) {
-						return
-					}
-				}
-
-				select {
-				case <-started:
-				default:
-					close(started)
-				}
-
-				<-ctx.Done()
-				_ = yield(fantasy.StreamPart{
-					Type:  fantasy.StreamPartTypeError,
-					Error: ctx.Err(),
-				})
-			}), nil
-		},
-	}
-
-	ctx, cancel := context.WithCancelCause(context.Background())
-	defer cancel(nil)
-
-	go func() {
-		<-started
-		cancel(ErrInterrupted)
-	}()
-
-	persistedAssistantCtxErr := xerrors.New("unset")
-	var persistedContent []fantasy.Content
-
-	_, err := Run(ctx, RunOptions{
-		Model: model,
-		Messages: []fantasy.Message{
-			textMessage(fantasy.MessageRoleUser, "hello"),
-		},
-		Tools: []fantasy.AgentTool{
-			newNoopTool("read_file"),
-		},
-		MaxSteps: 3,
-		PersistStep: func(persistCtx context.Context, step PersistedStep) error {
-			persistedAssistantCtxErr = persistCtx.Err()
-			persistedContent = append([]fantasy.Content(nil), step.Content...)
-			return nil
-		},
-	})
-	require.ErrorIs(t, err, ErrInterrupted)
-	require.NoError(t, persistedAssistantCtxErr)
-
-	require.NotEmpty(t, persistedContent)
-	var (
-		foundText       bool
-		foundToolCall   bool
-		foundToolResult bool
-	)
-	for _, block := range persistedContent {
-		if text, ok := fantasy.AsContentType[fantasy.TextContent](block); ok {
-			if strings.Contains(text.Text, "partial assistant output") {
-				foundText = true
-			}
-			continue
-		}
-		if toolCall, ok := fantasy.AsContentType[fantasy.ToolCallContent](block); ok {
-			if toolCall.ToolCallID == "interrupt-tool-1" &&
-				toolCall.ToolName == "read_file" &&
-				strings.Contains(toolCall.Input, `"path":"main.go"`) {
-				foundToolCall = true
-			}
-			continue
-		}
-		if toolResult, ok := fantasy.AsContentType[fantasy.ToolResultContent](block); ok {
-			if toolResult.ToolCallID == "interrupt-tool-1" &&
-				toolResult.ToolName == "read_file" {
-				_, isErr := toolResult.Result.(fantasy.ToolResultOutputContentError)
-				require.True(t, isErr, "interrupted tool result should be an error")
-				foundToolResult = true
-			}
-		}
-	}
-	require.True(t, foundText)
-	require.True(t, foundToolCall)
-	require.True(t, foundToolResult)
-}
-
-type loopTestModel struct {
-	provider   string
-	model      string
-	generateFn func(context.Context, fantasy.Call) (*fantasy.Response, error)
-	streamFn   func(context.Context, fantasy.Call) (fantasy.StreamResponse, error)
-}
-
-func (m *loopTestModel) Provider() string {
-	if m.provider != "" {
-		return m.provider
-	}
-	return "fake"
-}
-
-func (m *loopTestModel) Model() string {
-	if m.model != "" {
-		return m.model
-	}
-	return "fake"
-}
-
-func (m *loopTestModel) Generate(ctx context.Context, call fantasy.Call) (*fantasy.Response, error) {
-	if m.generateFn != nil {
-		return m.generateFn(ctx, call)
-	}
-	return &fantasy.Response{}, nil
-}
-
-func (m *loopTestModel) Stream(ctx context.Context, call fantasy.Call) (fantasy.StreamResponse, error) {
-	if m.streamFn != nil {
-		return m.streamFn(ctx, call)
-	}
-	return streamFromParts([]fantasy.StreamPart{{
-		Type:         fantasy.StreamPartTypeFinish,
-		FinishReason: fantasy.FinishReasonStop,
-	}}), nil
-}
-
-func (*loopTestModel) GenerateObject(context.Context, fantasy.ObjectCall) (*fantasy.ObjectResponse, error) {
-	return nil, xerrors.New("not implemented")
-}
-
-func (*loopTestModel) StreamObject(context.Context, fantasy.ObjectCall) (fantasy.ObjectStreamResponse, error) {
-	return nil, xerrors.New("not implemented")
-}
-
-func streamFromParts(parts []fantasy.StreamPart) fantasy.StreamResponse {
-	return iter.Seq[fantasy.StreamPart](func(yield func(fantasy.StreamPart) bool) {
-		for _, part := range parts {
-			if !yield(part) {
-				return
-			}
-		}
-	})
-}
-
-func newNoopTool(name string) fantasy.AgentTool {
-	return fantasy.NewAgentTool(
-		name,
-		"test noop tool",
-		func(context.Context, struct{}, fantasy.ToolCall) (fantasy.ToolResponse, error) {
-			return fantasy.ToolResponse{}, nil
-		},
-	)
-}
-
-func textMessage(role fantasy.MessageRole, text string) fantasy.Message {
-	return fantasy.Message{
-		Role: role,
-		Content: []fantasy.MessagePart{
-			fantasy.TextPart{Text: text},
-		},
-	}
-}
-
-func containsPromptSentinel(prompt []fantasy.Message) bool {
-	for _, message := range prompt {
-		if message.Role != fantasy.MessageRoleUser || len(message.Content) != 1 {
-			continue
-		}
-		textPart, ok := fantasy.AsMessagePart[fantasy.TextPart](message.Content[0])
-		if !ok {
-			continue
-		}
-		if strings.HasPrefix(textPart.Text, "__chatd_agent_prompt_sentinel_") {
-			return true
-		}
-	}
-	return false
-}
-
-func hasAnthropicEphemeralCacheControl(message fantasy.Message) bool {
-	if len(message.ProviderOptions) == 0 {
-		return false
-	}
-
-	options, ok := message.ProviderOptions[fantasyanthropic.Name]
-	if !ok {
-		return false
-	}
-
-	cacheOptions, ok := options.(*fantasyanthropic.ProviderCacheControlOptions)
-	return ok && cacheOptions.CacheControl.Type == "ephemeral"
-}
@@ -1,209 +0,0 @@
-package chatloop
-
-import (
-	"context"
-	"strings"
-	"time"
-
-	"charm.land/fantasy"
-	"golang.org/x/xerrors"
-)
-
-const (
-	defaultCompactionThresholdPercent = int32(70)
-	minCompactionThresholdPercent     = int32(0)
-	maxCompactionThresholdPercent     = int32(100)
-
-	defaultCompactionSummaryPrompt = "Summarize the current chat so a " +
-		"new assistant can continue seamlessly. Include the user's goals, " +
-		"decisions made, concrete technical details (files, commands, APIs), " +
-		"errors encountered and fixes, and open questions. Be dense and factual. " +
-		"Omit pleasantries and next-step suggestions."
-	defaultCompactionSystemSummaryPrefix = "Summary of earlier chat context:"
-	defaultCompactionTimeout             = 90 * time.Second
-)
-
-type CompactionOptions struct {
-	ThresholdPercent    int32
-	ContextLimit        int64
-	SummaryPrompt       string
-	SystemSummaryPrefix string
-	Timeout             time.Duration
-	Persist             func(context.Context, CompactionResult) error
-	OnError             func(error)
-}
-
-type CompactionResult struct {
-	SystemSummary    string
-	SummaryReport    string
-	ThresholdPercent int32
-	UsagePercent     float64
-	ContextTokens    int64
-	ContextLimit     int64
-}
-
-func maybeCompact(
-	ctx context.Context,
-	runOpts RunOptions,
-	runResult *fantasy.AgentResult,
-) error {
-	if runResult == nil || runOpts.Compaction == nil {
-		return nil
-	}
-
-	config := *runOpts.Compaction
-	if config.Persist == nil {
-		return xerrors.New("compaction persist callback is required")
-	}
-	if strings.TrimSpace(config.SummaryPrompt) == "" {
-		config.SummaryPrompt = defaultCompactionSummaryPrompt
-	}
-	if strings.TrimSpace(config.SystemSummaryPrefix) == "" {
-		config.SystemSummaryPrefix = defaultCompactionSystemSummaryPrefix
-	}
-	if config.Timeout <= 0 {
-		config.Timeout = defaultCompactionTimeout
-	}
-	if config.ThresholdPercent < minCompactionThresholdPercent ||
-		config.ThresholdPercent > maxCompactionThresholdPercent {
-		config.ThresholdPercent = defaultCompactionThresholdPercent
-	}
-
-	if config.ThresholdPercent >= maxCompactionThresholdPercent {
-		return nil
-	}
-	if runOpts.MaxSteps > 0 && len(runResult.Steps) >= runOpts.MaxSteps {
-		lastStep := runResult.Steps[len(runResult.Steps)-1]
-		if lastStep.FinishReason == fantasy.FinishReasonToolCalls &&
-			len(lastStep.Content.ToolCalls()) > 0 {
-			return nil
-		}
-	}
-
-	contextTokens := int64(0)
-	contextLimitFromMetadata := int64(0)
-	for i := len(runResult.Steps) - 1; i >= 0; i-- {
-		usage := runResult.Steps[i].Usage
-		total := int64(0)
-		hasContextTokens := false
-
-		if usage.InputTokens > 0 {
-			total += usage.InputTokens
-			hasContextTokens = true
-		}
-		if usage.CacheReadTokens > 0 {
-			total += usage.CacheReadTokens
-			hasContextTokens = true
-		}
-		if usage.CacheCreationTokens > 0 {
-			total += usage.CacheCreationTokens
-			hasContextTokens = true
-		}
-		if !hasContextTokens && usage.TotalTokens > 0 {
-			total = usage.TotalTokens
-			hasContextTokens = true
-		}
-		if !hasContextTokens || total <= 0 {
-			continue
-		}
-
-		contextTokens = total
-		metadataLimit := extractContextLimit(runResult.Steps[i].ProviderMetadata)
-		if metadataLimit.Valid && metadataLimit.Int64 > 0 {
-			contextLimitFromMetadata = metadataLimit.Int64
-		}
-		break
-	}
-	if contextTokens <= 0 {
-		return nil
-	}
-
-	contextLimit := contextLimitFromMetadata
-	if contextLimit <= 0 && config.ContextLimit > 0 {
-		contextLimit = config.ContextLimit
-	}
-	if contextLimit <= 0 && runOpts.ContextLimitFallback > 0 {
-		contextLimit = runOpts.ContextLimitFallback
-	}
-	if contextLimit <= 0 {
-		return nil
-	}
-
-	usagePercent := (float64(contextTokens) / float64(contextLimit)) * 100
-	if usagePercent < float64(config.ThresholdPercent) {
-		return nil
-	}
-
-	summary, err := generateCompactionSummary(
-		ctx,
-		runOpts.Model,
-		runOpts.Messages,
-		runResult.Steps,
-		config,
-	)
-	if err != nil {
-		return err
-	}
-	if summary == "" {
-		return nil
-	}
-
-	systemSummary := strings.TrimSpace(
-		config.SystemSummaryPrefix + "\n\n" + summary,
-	)
-
-	return config.Persist(ctx, CompactionResult{
-		SystemSummary:    systemSummary,
-		SummaryReport:    summary,
-		ThresholdPercent: config.ThresholdPercent,
-		UsagePercent:     usagePercent,
-		ContextTokens:    contextTokens,
-		ContextLimit:     contextLimit,
-	})
-}
-
-func generateCompactionSummary(
-	ctx context.Context,
-	model fantasy.LanguageModel,
-	messages []fantasy.Message,
-	steps []fantasy.StepResult,
-	options CompactionOptions,
-) (string, error) {
-	summaryPrompt := make([]fantasy.Message, 0, len(messages)+len(steps)+1)
-	summaryPrompt = append(summaryPrompt, messages...)
-	for _, step := range steps {
-		summaryPrompt = append(summaryPrompt, step.Messages...)
-	}
-	summaryPrompt = append(summaryPrompt, fantasy.Message{
-		Role: fantasy.MessageRoleUser,
-		Content: []fantasy.MessagePart{
-			fantasy.TextPart{Text: options.SummaryPrompt},
-		},
-	})
-	toolChoice := fantasy.ToolChoiceNone
-
-	summaryCtx, cancel := context.WithTimeout(ctx, options.Timeout)
-	defer cancel()
-
-	response, err := model.Generate(summaryCtx, fantasy.Call{
-		Prompt:     summaryPrompt,
-		ToolChoice: &toolChoice,
-	})
-	if err != nil {
-		return "", xerrors.Errorf("generate summary text: %w", err)
-	}
-
-	parts := make([]string, 0, len(response.Content))
-	for _, block := range response.Content {
-		textBlock, ok := fantasy.AsContentType[fantasy.TextContent](block)
-		if !ok {
-			continue
-		}
-		text := strings.TrimSpace(textBlock.Text)
-		if text == "" {
-			continue
-		}
-		parts = append(parts, text)
-	}
-	return strings.TrimSpace(strings.Join(parts, " ")), nil
-}
@@ -1,132 +0,0 @@
-package chatloop //nolint:testpackage // Uses internal symbols.
-
-import (
-	"context"
-	"testing"
-
-	"charm.land/fantasy"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/xerrors"
-)
-
-func TestRun_Compaction(t *testing.T) {
-	t.Parallel()
-
-	t.Run("PersistsWhenThresholdReached", func(t *testing.T) {
-		t.Parallel()
-
-		persistCompactionCalls := 0
-		var persistedCompaction CompactionResult
-		const summaryText = "summary text for compaction"
-
-		model := &loopTestModel{
-			provider: "fake",
-			streamFn: func(_ context.Context, _ fantasy.Call) (fantasy.StreamResponse, error) {
-				return streamFromParts([]fantasy.StreamPart{
-					{Type: fantasy.StreamPartTypeTextStart, ID: "text-1"},
-					{Type: fantasy.StreamPartTypeTextDelta, ID: "text-1", Delta: "done"},
-					{Type: fantasy.StreamPartTypeTextEnd, ID: "text-1"},
-					{
-						Type:         fantasy.StreamPartTypeFinish,
-						FinishReason: fantasy.FinishReasonStop,
-						Usage: fantasy.Usage{
-							InputTokens: 80,
-							TotalTokens: 85,
-						},
-					},
-				}), nil
-			},
-			generateFn: func(_ context.Context, call fantasy.Call) (*fantasy.Response, error) {
-				require.NotEmpty(t, call.Prompt)
-				lastPrompt := call.Prompt[len(call.Prompt)-1]
-				require.Equal(t, fantasy.MessageRoleUser, lastPrompt.Role)
-				require.Len(t, lastPrompt.Content, 1)
-
-				instruction, ok := fantasy.AsMessagePart[fantasy.TextPart](lastPrompt.Content[0])
-				require.True(t, ok)
-				require.Equal(t, "summarize now", instruction.Text)
-
-				return &fantasy.Response{
-					Content: []fantasy.Content{
-						fantasy.TextContent{Text: summaryText},
-					},
-				}, nil
-			},
-		}
-
-		_, err := Run(context.Background(), RunOptions{
-			Model: model,
-			Messages: []fantasy.Message{
-				textMessage(fantasy.MessageRoleUser, "hello"),
-			},
-			MaxSteps: 1,
-			PersistStep: func(_ context.Context, _ PersistedStep) error {
-				return nil
-			},
-			ContextLimitFallback: 100,
-			Compaction: &CompactionOptions{
-				ThresholdPercent: 70,
-				SummaryPrompt:    "summarize now",
-				Persist: func(_ context.Context, result CompactionResult) error {
-					persistCompactionCalls++
-					persistedCompaction = result
-					return nil
-				},
-			},
-		})
-		require.NoError(t, err)
-		require.Equal(t, 1, persistCompactionCalls)
-		require.Contains(t, persistedCompaction.SystemSummary, summaryText)
-		require.Equal(t, summaryText, persistedCompaction.SummaryReport)
-		require.Equal(t, int64(80), persistedCompaction.ContextTokens)
-		require.Equal(t, int64(100), persistedCompaction.ContextLimit)
-		require.InDelta(t, 80.0, persistedCompaction.UsagePercent, 0.0001)
-	})
-
-	t.Run("ErrorsAreReported", func(t *testing.T) {
-		t.Parallel()
-
-		model := &loopTestModel{
-			provider: "fake",
-			streamFn: func(_ context.Context, _ fantasy.Call) (fantasy.StreamResponse, error) {
-				return streamFromParts([]fantasy.StreamPart{
-					{
-						Type:         fantasy.StreamPartTypeFinish,
-						FinishReason: fantasy.FinishReasonStop,
-						Usage: fantasy.Usage{
-							InputTokens: 80,
-						},
-					},
-				}), nil
-			},
-			generateFn: func(_ context.Context, _ fantasy.Call) (*fantasy.Response, error) {
-				return nil, xerrors.New("generate failed")
-			},
-		}
-
-		compactionErr := xerrors.New("unset")
-		_, err := Run(context.Background(), RunOptions{
-			Model: model,
-			Messages: []fantasy.Message{
-				textMessage(fantasy.MessageRoleUser, "hello"),
-			},
-			MaxSteps: 1,
-			PersistStep: func(_ context.Context, _ PersistedStep) error {
-				return nil
-			},
-			ContextLimitFallback: 100,
-			Compaction: &CompactionOptions{
-				ThresholdPercent: 70,
-				Persist: func(_ context.Context, _ CompactionResult) error {
-					return nil
-				},
-				OnError: func(err error) {
-					compactionErr = err
-				},
-			},
-		})
-		require.NoError(t, err)
-		require.Error(t, compactionErr)
-		require.ErrorContains(t, compactionErr, "generate summary text")
-	})
-}
@@ -1,982 +0,0 @@
-package chatprompt
-
-import (
-	"encoding/json"
-	"regexp"
-	"strings"
-
-	"charm.land/fantasy"
-	fantasyopenai "charm.land/fantasy/providers/openai"
-	"github.com/sqlc-dev/pqtype"
-	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/v2/coderd/database"
-	"github.com/coder/coder/v2/codersdk"
-)
-
-var toolCallIDSanitizer = regexp.MustCompile(`[^a-zA-Z0-9_-]`)
-
-func ConvertMessages(
-	messages []database.ChatMessage,
-) ([]fantasy.Message, error) {
-	prompt := make([]fantasy.Message, 0, len(messages))
-	toolNameByCallID := make(map[string]string)
-	for _, message := range messages {
-		visibility := message.Visibility
-		if visibility == "" {
-			visibility = database.ChatMessageVisibilityBoth
-		}
-		if visibility != database.ChatMessageVisibilityModel &&
-			visibility != database.ChatMessageVisibilityBoth {
-			continue
-		}
-
-		switch message.Role {
-		case string(fantasy.MessageRoleSystem):
-			content, err := parseSystemContent(message.Content)
-			if err != nil {
-				return nil, err
-			}
-			if strings.TrimSpace(content) == "" {
-				continue
-			}
-			prompt = append(prompt, fantasy.Message{
-				Role: fantasy.MessageRoleSystem,
-				Content: []fantasy.MessagePart{
-					fantasy.TextPart{Text: content},
-				},
-			})
-		case string(fantasy.MessageRoleUser):
-			content, err := ParseContent(string(fantasy.MessageRoleUser), message.Content)
-			if err != nil {
-				return nil, err
-			}
-			prompt = append(prompt, fantasy.Message{
-				Role:    fantasy.MessageRoleUser,
-				Content: ToMessageParts(content),
-			})
-		case string(fantasy.MessageRoleAssistant):
-			content, err := ParseContent(string(fantasy.MessageRoleAssistant), message.Content)
-			if err != nil {
-				return nil, err
-			}
-			parts := normalizeAssistantToolCallInputs(ToMessageParts(content))
-			for _, toolCall := range ExtractToolCalls(parts) {
-				if toolCall.ToolCallID == "" || strings.TrimSpace(toolCall.ToolName) == "" {
-					continue
-				}
-				toolNameByCallID[sanitizeToolCallID(toolCall.ToolCallID)] = toolCall.ToolName
-			}
-			prompt = append(prompt, fantasy.Message{
-				Role:    fantasy.MessageRoleAssistant,
-				Content: parts,
-			})
-		case string(fantasy.MessageRoleTool):
-			rows, err := parseToolResultRows(message.Content)
-			if err != nil {
-				return nil, err
-			}
-			parts := make([]fantasy.MessagePart, 0, len(rows))
-			for _, row := range rows {
-				if row.ToolCallID != "" && row.ToolName != "" {
-					toolNameByCallID[sanitizeToolCallID(row.ToolCallID)] = row.ToolName
-				}
-				parts = append(parts, row.toToolResultPart())
-			}
-			prompt = append(prompt, fantasy.Message{
-				Role:    fantasy.MessageRoleTool,
-				Content: parts,
-			})
-		default:
-			return nil, xerrors.Errorf("unsupported chat message role %q", message.Role)
-		}
-	}
-	prompt = injectMissingToolResults(prompt)
-	prompt = injectMissingToolUses(
-		prompt,
-		toolNameByCallID,
-	)
-	return prompt, nil
-}
-
-// PrependSystem prepends a system message unless an existing system
-// message already mentions create_workspace guidance.
-func PrependSystem(prompt []fantasy.Message, instruction string) []fantasy.Message {
-	instruction = strings.TrimSpace(instruction)
-	if instruction == "" {
-		return prompt
-	}
-	for _, message := range prompt {
-		if message.Role != fantasy.MessageRoleSystem {
-			continue
-		}
-		for _, part := range message.Content {
-			textPart, ok := fantasy.AsMessagePart[fantasy.TextPart](part)
-			if !ok {
-				continue
-			}
-			if strings.Contains(strings.ToLower(textPart.Text), "create_workspace") {
-				return prompt
-			}
-		}
-	}
-
-	out := make([]fantasy.Message, 0, len(prompt)+1)
-	out = append(out, fantasy.Message{
-		Role: fantasy.MessageRoleSystem,
-		Content: []fantasy.MessagePart{
-			fantasy.TextPart{Text: instruction},
-		},
-	})
-	out = append(out, prompt...)
-	return out
-}
-
-// InsertSystem inserts a system message after the existing system
-// block and before the first non-system message.
-func InsertSystem(prompt []fantasy.Message, instruction string) []fantasy.Message {
-	instruction = strings.TrimSpace(instruction)
-	if instruction == "" {
-		return prompt
-	}
-
-	systemMessage := fantasy.Message{
-		Role: fantasy.MessageRoleSystem,
-		Content: []fantasy.MessagePart{
-			fantasy.TextPart{Text: instruction},
-		},
-	}
-
-	out := make([]fantasy.Message, 0, len(prompt)+1)
-	inserted := false
-	for _, message := range prompt {
-		if !inserted && message.Role != fantasy.MessageRoleSystem {
-			out = append(out, systemMessage)
-			inserted = true
-		}
-		out = append(out, message)
-	}
-	if !inserted {
-		out = append(out, systemMessage)
-	}
-	return out
-}
-
-// AppendUser appends an instruction as a user message at the end of
-// the prompt.
-func AppendUser(prompt []fantasy.Message, instruction string) []fantasy.Message {
-	instruction = strings.TrimSpace(instruction)
-	if instruction == "" {
-		return prompt
-	}
-	out := make([]fantasy.Message, 0, len(prompt)+1)
-	out = append(out, prompt...)
-	out = append(out, fantasy.Message{
-		Role: fantasy.MessageRoleUser,
-		Content: []fantasy.MessagePart{
-			fantasy.TextPart{Text: instruction},
-		},
-	})
-	return out
-}
-
-// ParseContent decodes persisted chat message content blocks.
-func ParseContent(role string, raw pqtype.NullRawMessage) ([]fantasy.Content, error) {
-	if !raw.Valid || len(raw.RawMessage) == 0 {
-		return nil, nil
-	}
-
-	var text string
-	if err := json.Unmarshal(raw.RawMessage, &text); err == nil {
-		return []fantasy.Content{fantasy.TextContent{Text: text}}, nil
-	}
-
-	var rawBlocks []json.RawMessage
-	if err := json.Unmarshal(raw.RawMessage, &rawBlocks); err != nil {
-		return nil, xerrors.Errorf("parse %s content: %w", role, err)
-	}
-
-	content := make([]fantasy.Content, 0, len(rawBlocks))
-	for i, rawBlock := range rawBlocks {
-		block, err := fantasy.UnmarshalContent(rawBlock)
-		if err != nil {
-			return nil, xerrors.Errorf("parse %s content block %d: %w", role, i, err)
-		}
-		content = append(content, block)
-	}
-	return content, nil
-}
-
-// toolResultRaw is an untyped representation of a persisted tool
-// result row. We intentionally avoid a strict Go struct so that
-// historical shapes are never rejected.
-type toolResultRaw struct {
-	ToolCallID string          `json:"tool_call_id"`
-	ToolName   string          `json:"tool_name"`
-	Result     json.RawMessage `json:"result"`
-	IsError    bool            `json:"is_error,omitempty"`
-}
-
-// parseToolResultRows decodes persisted tool result rows.
-func parseToolResultRows(raw pqtype.NullRawMessage) ([]toolResultRaw, error) {
-	if !raw.Valid || len(raw.RawMessage) == 0 {
-		return nil, nil
-	}
-
-	var rows []toolResultRaw
-	if err := json.Unmarshal(raw.RawMessage, &rows); err != nil {
-		return nil, xerrors.Errorf("parse tool content: %w", err)
-	}
-	return rows, nil
-}
-
-func (r toolResultRaw) toToolResultPart() fantasy.ToolResultPart {
-	toolCallID := sanitizeToolCallID(r.ToolCallID)
-	resultText := string(r.Result)
-	if resultText == "" || resultText == "null" {
-		resultText = "{}"
-	}
-
-	if r.IsError {
-		message := strings.TrimSpace(resultText)
-		if extracted := extractErrorString(r.Result); extracted != "" {
-			message = extracted
-		}
-		return fantasy.ToolResultPart{
-			ToolCallID: toolCallID,
-			Output: fantasy.ToolResultOutputContentError{
-				Error: xerrors.New(message),
-			},
-		}
-	}
-
-	return fantasy.ToolResultPart{
-		ToolCallID: toolCallID,
-		Output: fantasy.ToolResultOutputContentText{
-			Text: resultText,
-		},
-	}
-}
-
-// extractErrorString pulls the "error" field from a JSON object if
-// present, returning it as a string. Returns "" if the field is
-// missing or the input is not an object.
-func extractErrorString(raw json.RawMessage) string {
-	var fields map[string]json.RawMessage
-	if err := json.Unmarshal(raw, &fields); err != nil {
-		return ""
-	}
-	errField, ok := fields["error"]
-	if !ok {
-		return ""
-	}
-	var s string
-	if err := json.Unmarshal(errField, &s); err != nil {
-		return ""
-	}
-	return strings.TrimSpace(s)
-}
-
-// ToMessageParts converts fantasy content blocks into message parts.
-func ToMessageParts(content []fantasy.Content) []fantasy.MessagePart {
-	parts := make([]fantasy.MessagePart, 0, len(content))
-	for _, block := range content {
-		switch value := block.(type) {
-		case fantasy.TextContent:
-			parts = append(parts, fantasy.TextPart{
-				Text:            value.Text,
-				ProviderOptions: fantasy.ProviderOptions(value.ProviderMetadata),
-			})
-		case *fantasy.TextContent:
-			parts = append(parts, fantasy.TextPart{
-				Text:            value.Text,
-				ProviderOptions: fantasy.ProviderOptions(value.ProviderMetadata),
-			})
-		case fantasy.ReasoningContent:
-			parts = append(parts, fantasy.ReasoningPart{
-				Text:            value.Text,
-				ProviderOptions: fantasy.ProviderOptions(value.ProviderMetadata),
-			})
-		case *fantasy.ReasoningContent:
-			parts = append(parts, fantasy.ReasoningPart{
-				Text:            value.Text,
-				ProviderOptions: fantasy.ProviderOptions(value.ProviderMetadata),
-			})
-		case fantasy.ToolCallContent:
-			parts = append(parts, fantasy.ToolCallPart{
-				ToolCallID:       sanitizeToolCallID(value.ToolCallID),
-				ToolName:         value.ToolName,
-				Input:            value.Input,
-				ProviderExecuted: value.ProviderExecuted,
-				ProviderOptions:  fantasy.ProviderOptions(value.ProviderMetadata),
-			})
-		case *fantasy.ToolCallContent:
-			parts = append(parts, fantasy.ToolCallPart{
-				ToolCallID:       sanitizeToolCallID(value.ToolCallID),
-				ToolName:         value.ToolName,
-				Input:            value.Input,
-				ProviderExecuted: value.ProviderExecuted,
-				ProviderOptions:  fantasy.ProviderOptions(value.ProviderMetadata),
-			})
-		case fantasy.FileContent:
-			parts = append(parts, fantasy.FilePart{
-				Data:            value.Data,
-				MediaType:       value.MediaType,
-				ProviderOptions: fantasy.ProviderOptions(value.ProviderMetadata),
-			})
-		case *fantasy.FileContent:
-			parts = append(parts, fantasy.FilePart{
-				Data:            value.Data,
-				MediaType:       value.MediaType,
-				ProviderOptions: fantasy.ProviderOptions(value.ProviderMetadata),
-			})
-		case fantasy.ToolResultContent:
-			parts = append(parts, fantasy.ToolResultPart{
-				ToolCallID:      sanitizeToolCallID(value.ToolCallID),
-				Output:          value.Result,
-				ProviderOptions: fantasy.ProviderOptions(value.ProviderMetadata),
-			})
-		case *fantasy.ToolResultContent:
-			parts = append(parts, fantasy.ToolResultPart{
-				ToolCallID:      sanitizeToolCallID(value.ToolCallID),
-				Output:          value.Result,
-				ProviderOptions: fantasy.ProviderOptions(value.ProviderMetadata),
-			})
-		}
-	}
-	return parts
-}
-
-func normalizeAssistantToolCallInputs(
-	parts []fantasy.MessagePart,
-) []fantasy.MessagePart {
-	normalized := make([]fantasy.MessagePart, 0, len(parts))
-	for _, part := range parts {
-		toolCall, ok := fantasy.AsMessagePart[fantasy.ToolCallPart](part)
-		if !ok {
-			normalized = append(normalized, part)
-			continue
-		}
-
-		toolCall.Input = normalizeToolCallInput(toolCall.Input)
-		normalized = append(normalized, toolCall)
-	}
-	return normalized
-}
-
-// normalizeToolCallInput guarantees tool call input is a JSON object string.
-// Anthropic drops assistant tool calls with malformed input, which can leave
-// following tool results orphaned.
-func normalizeToolCallInput(input string) string {
-	input = strings.TrimSpace(input)
-	if input == "" {
-		return "{}"
-	}
-
-	var object map[string]any
-	if err := json.Unmarshal([]byte(input), &object); err != nil || object == nil {
-		return "{}"
-	}
-
-	return input
-}
-
-// ExtractToolCalls returns all tool call parts as content blocks.
-func ExtractToolCalls(parts []fantasy.MessagePart) []fantasy.ToolCallContent {
-	toolCalls := make([]fantasy.ToolCallContent, 0, len(parts))
-	for _, part := range parts {
-		toolCall, ok := fantasy.AsMessagePart[fantasy.ToolCallPart](part)
-		if !ok {
-			continue
-		}
-		toolCalls = append(toolCalls, fantasy.ToolCallContent{
-			ToolCallID:       toolCall.ToolCallID,
-			ToolName:         toolCall.ToolName,
-			Input:            toolCall.Input,
-			ProviderExecuted: toolCall.ProviderExecuted,
-		})
-	}
-	return toolCalls
-}
-
-// MarshalContent encodes message content blocks for persistence.
-func MarshalContent(blocks []fantasy.Content) (pqtype.NullRawMessage, error) {
-	if len(blocks) == 0 {
-		return pqtype.NullRawMessage{}, nil
-	}
-
-	encodedBlocks := make([]json.RawMessage, 0, len(blocks))
-	for i, block := range blocks {
-		encoded, err := marshalContentBlock(block)
-		if err != nil {
-			return pqtype.NullRawMessage{}, xerrors.Errorf(
-				"encode content block %d: %w",
-				i,
-				err,
-			)
-		}
-		encodedBlocks = append(encodedBlocks, encoded)
-	}
-
-	data, err := json.Marshal(encodedBlocks)
-	if err != nil {
-		return pqtype.NullRawMessage{}, xerrors.Errorf("encode content blocks: %w", err)
-	}
-	return pqtype.NullRawMessage{RawMessage: data, Valid: true}, nil
-}
-
-// MarshalToolResult encodes a single tool result for persistence as
-// an opaque JSON blob. The stored shape is
-// [{"tool_call_id":…,"tool_name":…,"result":…,"is_error":…}].
-func MarshalToolResult(toolCallID, toolName string, result json.RawMessage, isError bool) (pqtype.NullRawMessage, error) {
-	row := toolResultRaw{
-		ToolCallID: toolCallID,
-		ToolName:   toolName,
-		Result:     result,
-		IsError:    isError,
-	}
-	data, err := json.Marshal([]toolResultRaw{row})
-	if err != nil {
-		return pqtype.NullRawMessage{}, xerrors.Errorf("encode tool result: %w", err)
-	}
-	return pqtype.NullRawMessage{RawMessage: data, Valid: true}, nil
-}
-
-// MarshalToolResultContent encodes a fantasy tool result content
-// block for persistence. It extracts the raw fields and delegates
-// to MarshalToolResult.
-func MarshalToolResultContent(content fantasy.ToolResultContent) (pqtype.NullRawMessage, error) {
-	var result json.RawMessage
-	var isError bool
-
-	switch output := content.Result.(type) {
-	case fantasy.ToolResultOutputContentError:
-		isError = true
-		if output.Error != nil {
-			result, _ = json.Marshal(map[string]any{"error": output.Error.Error()})
-		} else {
-			result = []byte(`{"error":""}`)
-		}
-	case fantasy.ToolResultOutputContentText:
-		result = json.RawMessage(output.Text)
-		if !json.Valid(result) {
-			result, _ = json.Marshal(map[string]any{"output": output.Text})
-		}
-	case fantasy.ToolResultOutputContentMedia:
-		result, _ = json.Marshal(map[string]any{
-			"data":      output.Data,
-			"mime_type": output.MediaType,
-			"text":      output.Text,
-		})
-	default:
-		result = []byte(`{}`)
-	}
-
-	return MarshalToolResult(content.ToolCallID, content.ToolName, result, isError)
-}
-
-// PartFromContent converts fantasy content into a SDK chat message part.
-func PartFromContent(block fantasy.Content) codersdk.ChatMessagePart {
-	switch value := block.(type) {
-	case fantasy.TextContent:
-		return codersdk.ChatMessagePart{
-			Type: codersdk.ChatMessagePartTypeText,
-			Text: value.Text,
-		}
-	case *fantasy.TextContent:
-		return codersdk.ChatMessagePart{
-			Type: codersdk.ChatMessagePartTypeText,
-			Text: value.Text,
-		}
-	case fantasy.ReasoningContent:
-		return codersdk.ChatMessagePart{
-			Type:  codersdk.ChatMessagePartTypeReasoning,
-			Text:  value.Text,
-			Title: reasoningSummaryTitle(value.ProviderMetadata),
-		}
-	case *fantasy.ReasoningContent:
-		return codersdk.ChatMessagePart{
-			Type:  codersdk.ChatMessagePartTypeReasoning,
-			Text:  value.Text,
-			Title: reasoningSummaryTitle(value.ProviderMetadata),
-		}
-	case fantasy.ToolCallContent:
-		return codersdk.ChatMessagePart{
-			Type:       codersdk.ChatMessagePartTypeToolCall,
-			ToolCallID: value.ToolCallID,
-			ToolName:   value.ToolName,
-			Args:       []byte(value.Input),
-		}
-	case *fantasy.ToolCallContent:
-		return codersdk.ChatMessagePart{
-			Type:       codersdk.ChatMessagePartTypeToolCall,
-			ToolCallID: value.ToolCallID,
-			ToolName:   value.ToolName,
-			Args:       []byte(value.Input),
-		}
-	case fantasy.SourceContent:
-		return codersdk.ChatMessagePart{
-			Type:     codersdk.ChatMessagePartTypeSource,
-			SourceID: value.ID,
-			URL:      value.URL,
-			Title:    value.Title,
-		}
-	case *fantasy.SourceContent:
-		return codersdk.ChatMessagePart{
-			Type:     codersdk.ChatMessagePartTypeSource,
-			SourceID: value.ID,
-			URL:      value.URL,
-			Title:    value.Title,
-		}
-	case fantasy.FileContent:
-		return codersdk.ChatMessagePart{
-			Type:      codersdk.ChatMessagePartTypeFile,
-			MediaType: value.MediaType,
-			Data:      value.Data,
-		}
-	case *fantasy.FileContent:
-		return codersdk.ChatMessagePart{
-			Type:      codersdk.ChatMessagePartTypeFile,
-			MediaType: value.MediaType,
-			Data:      value.Data,
-		}
-	case fantasy.ToolResultContent:
-		return toolResultContentToPart(value)
-	case *fantasy.ToolResultContent:
-		return toolResultContentToPart(*value)
-	default:
-		return codersdk.ChatMessagePart{}
-	}
-}
-
-// ToolResultToPart converts a tool call ID, raw result, and error
-// flag into a ChatMessagePart. This is the minimal conversion used
-// both during streaming and when reading from the database.
-func ToolResultToPart(toolCallID, toolName string, result json.RawMessage, isError bool) codersdk.ChatMessagePart {
-	return codersdk.ChatMessagePart{
-		Type:       codersdk.ChatMessagePartTypeToolResult,
-		ToolCallID: toolCallID,
-		ToolName:   toolName,
-		Result:     result,
-		IsError:    isError,
-	}
-}
-
-// toolResultContentToPart converts a fantasy ToolResultContent
-// directly into a ChatMessagePart without an intermediate struct.
-func toolResultContentToPart(content fantasy.ToolResultContent) codersdk.ChatMessagePart {
-	var result json.RawMessage
-	var isError bool
-
-	switch output := content.Result.(type) {
-	case fantasy.ToolResultOutputContentError:
-		isError = true
-		if output.Error != nil {
-			result, _ = json.Marshal(map[string]any{"error": output.Error.Error()})
-		} else {
-			result = []byte(`{"error":""}`)
-		}
-	case fantasy.ToolResultOutputContentText:
-		result = json.RawMessage(output.Text)
-		// Ensure valid JSON; wrap in an object if not.
-		if !json.Valid(result) {
-			result, _ = json.Marshal(map[string]any{"output": output.Text})
-		}
-	case fantasy.ToolResultOutputContentMedia:
-		result, _ = json.Marshal(map[string]any{
-			"data":      output.Data,
-			"mime_type": output.MediaType,
-			"text":      output.Text,
-		})
-	default:
-		result = []byte(`{}`)
-	}
-
-	return ToolResultToPart(content.ToolCallID, content.ToolName, result, isError)
-}
-
-// ReasoningTitleFromFirstLine extracts a compact markdown title.
-func ReasoningTitleFromFirstLine(text string) string {
-	text = strings.TrimSpace(text)
-	if text == "" {
-		return ""
-	}
-
-	firstLine := text
-	if idx := strings.IndexAny(firstLine, "\r\n"); idx >= 0 {
-		firstLine = firstLine[:idx]
-	}
-	firstLine = strings.TrimSpace(firstLine)
-	if firstLine == "" || !strings.HasPrefix(firstLine, "**") {
-		return ""
-	}
-
-	rest := firstLine[2:]
-	end := strings.Index(rest, "**")
-	if end < 0 {
-		return ""
-	}
-
-	title := strings.TrimSpace(rest[:end])
-	if title == "" {
-		return ""
-	}
-
-	// Require the first line to be exactly "**title**" (ignoring
-	// surrounding whitespace) so providers without this format don't
-	// accidentally emit a title.
-	if strings.TrimSpace(rest[end+2:]) != "" {
-		return ""
-	}
-
-	return compactReasoningSummaryTitle(title)
-}
-
-func injectMissingToolResults(prompt []fantasy.Message) []fantasy.Message {
-	result := make([]fantasy.Message, 0, len(prompt))
-	for i := 0; i < len(prompt); i++ {
-		msg := prompt[i]
-		result = append(result, msg)
-
-		if msg.Role != fantasy.MessageRoleAssistant {
-			continue
-		}
-		toolCalls := ExtractToolCalls(msg.Content)
-		if len(toolCalls) == 0 {
-			continue
-		}
-
-		// Collect the tool call IDs that have results in the
-		// following tool message(s).
-		answered := make(map[string]struct{})
-		j := i + 1
-		for ; j < len(prompt); j++ {
-			if prompt[j].Role != fantasy.MessageRoleTool {
-				break
-			}
-			for _, part := range prompt[j].Content {
-				tr, ok := fantasy.AsMessagePart[fantasy.ToolResultPart](part)
-				if !ok {
-					continue
-				}
-				answered[tr.ToolCallID] = struct{}{}
-			}
-		}
-		if i+1 < j {
-			// Preserve persisted tool result ordering and inject any
-			// synthetic results after the existing contiguous tool messages.
-			result = append(result, prompt[i+1:j]...)
-			i = j - 1
-		}
-
-		// Build synthetic results for any unanswered tool calls.
-		var missing []fantasy.MessagePart
-		for _, tc := range toolCalls {
-			if _, ok := answered[tc.ToolCallID]; !ok {
-				missing = append(missing, fantasy.ToolResultPart{
-					ToolCallID: tc.ToolCallID,
-					Output: fantasy.ToolResultOutputContentError{
-						Error: xerrors.New("tool call was interrupted and did not receive a result"),
-					},
-				})
-			}
-		}
-		if len(missing) > 0 {
-			result = append(result, fantasy.Message{
-				Role:    fantasy.MessageRoleTool,
-				Content: missing,
-			})
-		}
-	}
-	return result
-}
-
-func injectMissingToolUses(
-	prompt []fantasy.Message,
-	toolNameByCallID map[string]string,
-) []fantasy.Message {
-	result := make([]fantasy.Message, 0, len(prompt))
-	for _, msg := range prompt {
-		if msg.Role != fantasy.MessageRoleTool {
-			result = append(result, msg)
-			continue
-		}
-
-		toolResults := make([]fantasy.ToolResultPart, 0, len(msg.Content))
-		for _, part := range msg.Content {
-			toolResult, ok := fantasy.AsMessagePart[fantasy.ToolResultPart](part)
-			if !ok {
-				continue
-			}
-			toolResults = append(toolResults, toolResult)
-		}
-		if len(toolResults) == 0 {
-			result = append(result, msg)
-			continue
-		}
-
-		// Walk backwards through the result to find the nearest
-		// preceding assistant message (skipping over other tool
-		// messages that belong to the same batch of results).
-		answeredByPrevious := make(map[string]struct{})
-		for k := len(result) - 1; k >= 0; k-- {
-			if result[k].Role == fantasy.MessageRoleAssistant {
-				for _, toolCall := range ExtractToolCalls(result[k].Content) {
-					toolCallID := sanitizeToolCallID(toolCall.ToolCallID)
-					if toolCallID == "" {
-						continue
-					}
-					answeredByPrevious[toolCallID] = struct{}{}
-				}
-				break
-			}
-			if result[k].Role != fantasy.MessageRoleTool {
-				break
-			}
-		}
-
-		matchingResults := make([]fantasy.ToolResultPart, 0, len(toolResults))
-		orphanResults := make([]fantasy.ToolResultPart, 0, len(toolResults))
-		for _, toolResult := range toolResults {
-			toolCallID := sanitizeToolCallID(toolResult.ToolCallID)
-			if _, ok := answeredByPrevious[toolCallID]; ok {
-				matchingResults = append(matchingResults, toolResult)
-				continue
-			}
-			orphanResults = append(orphanResults, toolResult)
-		}
-
-		if len(orphanResults) == 0 {
-			result = append(result, msg)
-			continue
-		}
-
-		syntheticToolUse := syntheticToolUseMessage(
-			orphanResults,
-			toolNameByCallID,
-		)
-		if len(syntheticToolUse.Content) == 0 {
-			result = append(result, msg)
-			continue
-		}
-
-		if len(matchingResults) > 0 {
-			result = append(result, toolMessageFromToolResultParts(matchingResults))
-		}
-		result = append(result, syntheticToolUse)
-		result = append(result, toolMessageFromToolResultParts(orphanResults))
-	}
-
-	return result
-}
-
-func toolMessageFromToolResultParts(results []fantasy.ToolResultPart) fantasy.Message {
-	parts := make([]fantasy.MessagePart, 0, len(results))
-	for _, result := range results {
-		parts = append(parts, result)
-	}
-	return fantasy.Message{
-		Role:    fantasy.MessageRoleTool,
-		Content: parts,
-	}
-}
-
-func syntheticToolUseMessage(
-	toolResults []fantasy.ToolResultPart,
-	toolNameByCallID map[string]string,
-) fantasy.Message {
-	parts := make([]fantasy.MessagePart, 0, len(toolResults))
-	seen := make(map[string]struct{}, len(toolResults))
-
-	for _, toolResult := range toolResults {
-		toolCallID := sanitizeToolCallID(toolResult.ToolCallID)
-		if toolCallID == "" {
-			continue
-		}
-		if _, ok := seen[toolCallID]; ok {
-			continue
-		}
-
-		toolName := strings.TrimSpace(toolNameByCallID[toolCallID])
-		if toolName == "" {
-			continue
-		}
-
-		seen[toolCallID] = struct{}{}
-		parts = append(parts, fantasy.ToolCallPart{
-			ToolCallID: toolCallID,
-			ToolName:   toolName,
-			Input:      "{}",
-		})
-	}
-
-	return fantasy.Message{
-		Role:    fantasy.MessageRoleAssistant,
-		Content: parts,
-	}
-}
-
-func parseSystemContent(raw pqtype.NullRawMessage) (string, error) {
-	if !raw.Valid || len(raw.RawMessage) == 0 {
-		return "", nil
-	}
-
-	var content string
-	if err := json.Unmarshal(raw.RawMessage, &content); err != nil {
-		return "", xerrors.Errorf("parse system message content: %w", err)
-	}
-	return content, nil
-}
-
-func sanitizeToolCallID(id string) string {
-	if id == "" {
-		return ""
-	}
-	return toolCallIDSanitizer.ReplaceAllString(id, "_")
-}
-
-func marshalContentBlock(block fantasy.Content) (json.RawMessage, error) {
-	encoded, err := json.Marshal(block)
-	if err != nil {
-		return nil, err
-	}
-
-	title, ok := reasoningTitleFromContent(block)
-	if !ok || title == "" {
-		return encoded, nil
-	}
-
-	var envelope struct {
-		Type string         `json:"type"`
-		Data map[string]any `json:"data"`
-	}
-	if err := json.Unmarshal(encoded, &envelope); err != nil {
-		return nil, err
-	}
-
-	if !strings.EqualFold(envelope.Type, string(fantasy.ContentTypeReasoning)) {
-		return encoded, nil
-	}
-	if envelope.Data == nil {
-		envelope.Data = map[string]any{}
-	}
-	envelope.Data["title"] = title
-
-	encodedWithTitle, err := json.Marshal(envelope)
-	if err != nil {
-		return nil, err
-	}
-	return encodedWithTitle, nil
-}
-
-func reasoningTitleFromContent(block fantasy.Content) (string, bool) {
-	switch value := block.(type) {
-	case fantasy.ReasoningContent:
-		return ReasoningTitleFromFirstLine(value.Text), true
-	case *fantasy.ReasoningContent:
-		if value == nil {
-			return "", false
-		}
-		return ReasoningTitleFromFirstLine(value.Text), true
-	default:
-		return "", false
-	}
-}
-
-func reasoningSummaryTitle(metadata fantasy.ProviderMetadata) string {
-	if len(metadata) == 0 {
-		return ""
-	}
-
-	reasoningMetadata := fantasyopenai.GetReasoningMetadata(
-		fantasy.ProviderOptions(metadata),
-	)
-	if reasoningMetadata == nil {
-		return ""
-	}
-
-	for _, summary := range reasoningMetadata.Summary {
-		if title := compactReasoningSummaryTitle(summary); title != "" {
-			return title
-		}
-	}
-
-	return ""
-}
-
-func compactReasoningSummaryTitle(summary string) string {
-	const maxWords = 8
-	const maxRunes = 80
-
-	summary = strings.TrimSpace(summary)
-	if summary == "" {
-		return ""
-	}
-
-	summary = strings.Trim(summary, "\"'`")
-	summary = reasoningSummaryHeadline(summary)
-	words := strings.Fields(summary)
-	if len(words) == 0 {
-		return ""
-	}
-
-	truncated := false
-	if len(words) > maxWords {
-		words = words[:maxWords]
-		truncated = true
-	}
-
-	title := strings.Join(words, " ")
-	if truncated {
-		title += "…"
-	}
-	return truncateRunes(title, maxRunes)
-}
-
-func reasoningSummaryHeadline(summary string) string {
-	summary = strings.TrimSpace(summary)
-	if summary == "" {
-		return ""
-	}
-
-	// OpenAI summary_text may be markdown like:
-	// "**Title**\n\nLonger explanation ...".
-	// Keep only the heading segment for UI titles.
-	if idx := strings.Index(summary, "\n\n"); idx >= 0 {
-		summary = summary[:idx]
-	}
-
-	if idx := strings.IndexAny(summary, "\r\n"); idx >= 0 {
-		summary = summary[:idx]
-	}
-
-	summary = strings.TrimSpace(summary)
-	if summary == "" {
-		return ""
-	}
-
-	if strings.HasPrefix(summary, "**") {
-		rest := summary[2:]
-		if end := strings.Index(rest, "**"); end >= 0 {
-			bold := strings.TrimSpace(rest[:end])
-			if bold != "" {
-				summary = bold
-			}
-		}
-	}
-
-	return strings.TrimSpace(strings.Trim(summary, "\"'`"))
-}
-
-func truncateRunes(value string, maxLen int) string {
-	if maxLen <= 0 {
-		return ""
-	}
-
-	runes := []rune(value)
-	if len(runes) <= maxLen {
-		return value
-	}
-
-	return string(runes[:maxLen])
-}
@@ -1,91 +0,0 @@
-package chatprompt_test
-
-import (
-	"encoding/json"
-	"testing"
-
-	"charm.land/fantasy"
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/v2/coderd/chatd/chatprompt"
-	"github.com/coder/coder/v2/coderd/database"
-)
-
-func TestConvertMessages_NormalizesAssistantToolCallInput(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name     string
-		input    string
-		expected string
-	}{
-		{
-			name:     "empty input",
-			input:    "",
-			expected: "{}",
-		},
-		{
-			name:     "invalid json",
-			input:    "{\"command\":",
-			expected: "{}",
-		},
-		{
-			name:     "non-object json",
-			input:    "[]",
-			expected: "{}",
-		},
-		{
-			name:     "valid object json",
-			input:    "{\"command\":\"ls\"}",
-			expected: "{\"command\":\"ls\"}",
-		},
-	}
-
-	for _, tc := range testCases {
-		tc := tc
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			assistantContent, err := chatprompt.MarshalContent([]fantasy.Content{
-				fantasy.ToolCallContent{
-					ToolCallID: "toolu_01C4PqN6F2493pi7Ebag8Vg7",
-					ToolName:   "execute",
-					Input:      tc.input,
-				},
-			})
-			require.NoError(t, err)
-
-			toolContent, err := chatprompt.MarshalToolResult(
-				"toolu_01C4PqN6F2493pi7Ebag8Vg7",
-				"execute",
-				json.RawMessage(`{"error":"tool call was interrupted before it produced a result"}`),
-				true,
-			)
-			require.NoError(t, err)
-
-			prompt, err := chatprompt.ConvertMessages([]database.ChatMessage{
-				{
-					Role:       string(fantasy.MessageRoleAssistant),
-					Visibility: database.ChatMessageVisibilityBoth,
-					Content:    assistantContent,
-				},
-				{
-					Role:       string(fantasy.MessageRoleTool),
-					Visibility: database.ChatMessageVisibilityBoth,
-					Content:    toolContent,
-				},
-			})
-			require.NoError(t, err)
-			require.Len(t, prompt, 2)
-
-			require.Equal(t, fantasy.MessageRoleAssistant, prompt[0].Role)
-			toolCalls := chatprompt.ExtractToolCalls(prompt[0].Content)
-			require.Len(t, toolCalls, 1)
-			require.Equal(t, tc.expected, toolCalls[0].Input)
-			require.Equal(t, "execute", toolCalls[0].ToolName)
-			require.Equal(t, "toolu_01C4PqN6F2493pi7Ebag8Vg7", toolCalls[0].ToolCallID)
-
-			require.Equal(t, fantasy.MessageRoleTool, prompt[1].Role)
-		})
-	}
-}
@@ -1,191 +0,0 @@
-package chatprovider_test
-
-import (
-	"testing"
-
-	fantasyanthropic "charm.land/fantasy/providers/anthropic"
-	fantasyopenai "charm.land/fantasy/providers/openai"
-	fantasyopenrouter "charm.land/fantasy/providers/openrouter"
-	fantasyvercel "charm.land/fantasy/providers/vercel"
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/v2/coderd/chatd/chatprovider"
-	"github.com/coder/coder/v2/codersdk"
-)
-
-func TestReasoningEffortFromChat(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name     string
-		provider string
-		input    *string
-		want     *string
-	}{
-		{
-			name:     "OpenAICaseInsensitive",
-			provider: "openai",
-			input:    stringPtr(" HIGH "),
-			want:     stringPtr(string(fantasyopenai.ReasoningEffortHigh)),
-		},
-		{
-			name:     "AnthropicEffort",
-			provider: "anthropic",
-			input:    stringPtr("max"),
-			want:     stringPtr(string(fantasyanthropic.EffortMax)),
-		},
-		{
-			name:     "OpenRouterEffort",
-			provider: "openrouter",
-			input:    stringPtr("medium"),
-			want:     stringPtr(string(fantasyopenrouter.ReasoningEffortMedium)),
-		},
-		{
-			name:     "VercelEffort",
-			provider: "vercel",
-			input:    stringPtr("xhigh"),
-			want:     stringPtr(string(fantasyvercel.ReasoningEffortXHigh)),
-		},
-		{
-			name:     "InvalidEffortReturnsNil",
-			provider: "openai",
-			input:    stringPtr("unknown"),
-			want:     nil,
-		},
-		{
-			name:     "UnsupportedProviderReturnsNil",
-			provider: "bedrock",
-			input:    stringPtr("high"),
-			want:     nil,
-		},
-		{
-			name:     "NilInputReturnsNil",
-			provider: "openai",
-			input:    nil,
-			want:     nil,
-		},
-	}
-
-	for _, tt := range tests {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			got := chatprovider.ReasoningEffortFromChat(tt.provider, tt.input)
-			require.Equal(t, tt.want, got)
-		})
-	}
-}
-
-func TestMergeMissingProviderOptions_OpenRouterNested(t *testing.T) {
-	t.Parallel()
-
-	options := &codersdk.ChatModelProviderOptions{
-		OpenRouter: &codersdk.ChatModelOpenRouterProviderOptions{
-			Reasoning: &codersdk.ChatModelOpenRouterReasoningOptions{
-				Enabled: boolPtr(true),
-			},
-			Provider: &codersdk.ChatModelOpenRouterProvider{
-				Order: []string{"openai"},
-			},
-		},
-	}
-	defaults := &codersdk.ChatModelProviderOptions{
-		OpenRouter: &codersdk.ChatModelOpenRouterProviderOptions{
-			Reasoning: &codersdk.ChatModelOpenRouterReasoningOptions{
-				Enabled:   boolPtr(false),
-				Exclude:   boolPtr(true),
-				MaxTokens: int64Ptr(123),
-				Effort:    stringPtr("high"),
-			},
-			IncludeUsage: boolPtr(true),
-			Provider: &codersdk.ChatModelOpenRouterProvider{
-				Order:             []string{"anthropic"},
-				AllowFallbacks:    boolPtr(true),
-				RequireParameters: boolPtr(false),
-				DataCollection:    stringPtr("allow"),
-				Only:              []string{"openai"},
-				Ignore:            []string{"foo"},
-				Quantizations:     []string{"int8"},
-				Sort:              stringPtr("latency"),
-			},
-		},
-	}
-
-	chatprovider.MergeMissingProviderOptions(&options, defaults)
-
-	require.NotNil(t, options)
-	require.NotNil(t, options.OpenRouter)
-	require.NotNil(t, options.OpenRouter.Reasoning)
-	require.True(t, *options.OpenRouter.Reasoning.Enabled)
-	require.Equal(t, true, *options.OpenRouter.Reasoning.Exclude)
-	require.EqualValues(t, 123, *options.OpenRouter.Reasoning.MaxTokens)
-	require.Equal(t, "high", *options.OpenRouter.Reasoning.Effort)
-	require.NotNil(t, options.OpenRouter.IncludeUsage)
-	require.True(t, *options.OpenRouter.IncludeUsage)
-
-	require.NotNil(t, options.OpenRouter.Provider)
-	require.Equal(t, []string{"openai"}, options.OpenRouter.Provider.Order)
-	require.NotNil(t, options.OpenRouter.Provider.AllowFallbacks)
-	require.True(t, *options.OpenRouter.Provider.AllowFallbacks)
-	require.NotNil(t, options.OpenRouter.Provider.RequireParameters)
-	require.False(t, *options.OpenRouter.Provider.RequireParameters)
-	require.Equal(t, "allow", *options.OpenRouter.Provider.DataCollection)
-	require.Equal(t, []string{"openai"}, options.OpenRouter.Provider.Only)
-	require.Equal(t, []string{"foo"}, options.OpenRouter.Provider.Ignore)
-	require.Equal(t, []string{"int8"}, options.OpenRouter.Provider.Quantizations)
-	require.Equal(t, "latency", *options.OpenRouter.Provider.Sort)
-}
-
-func TestMergeMissingCallConfig_FillsUnsetFields(t *testing.T) {
-	t.Parallel()
-
-	dst := codersdk.ChatModelCallConfig{
-		Temperature: float64Ptr(0.2),
-		ProviderOptions: &codersdk.ChatModelProviderOptions{
-			OpenAI: &codersdk.ChatModelOpenAIProviderOptions{
-				User: stringPtr("alice"),
-			},
-		},
-	}
-	defaults := codersdk.ChatModelCallConfig{
-		MaxOutputTokens: int64Ptr(512),
-		Temperature:     float64Ptr(0.9),
-		TopP:            float64Ptr(0.8),
-		ProviderOptions: &codersdk.ChatModelProviderOptions{
-			OpenAI: &codersdk.ChatModelOpenAIProviderOptions{
-				User:            stringPtr("bob"),
-				ReasoningEffort: stringPtr("medium"),
-			},
-		},
-	}
-
-	chatprovider.MergeMissingCallConfig(&dst, defaults)
-
-	require.NotNil(t, dst.MaxOutputTokens)
-	require.EqualValues(t, 512, *dst.MaxOutputTokens)
-	require.NotNil(t, dst.Temperature)
-	require.Equal(t, 0.2, *dst.Temperature)
-	require.NotNil(t, dst.TopP)
-	require.Equal(t, 0.8, *dst.TopP)
-	require.NotNil(t, dst.ProviderOptions)
-	require.NotNil(t, dst.ProviderOptions.OpenAI)
-	require.Equal(t, "alice", *dst.ProviderOptions.OpenAI.User)
-	require.Equal(t, "medium", *dst.ProviderOptions.OpenAI.ReasoningEffort)
-}
-
-func stringPtr(value string) *string {
-	return &value
-}
-
-func boolPtr(value bool) *bool {
-	return &value
-}
-
-func int64Ptr(value int64) *int64 {
-	return &value
-}
-
-func float64Ptr(value float64) *float64 {
-	return &value
-}
@@ -1,403 +0,0 @@
-package chattest
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"sync"
-	"testing"
-
-	"github.com/google/uuid"
-)
-
-// AnthropicHandler handles Anthropic API requests and returns a response.
-type AnthropicHandler func(req *AnthropicRequest) AnthropicResponse
-
-// AnthropicResponse represents a response to an Anthropic request.
-// Either StreamingChunks or Response should be set, not both.
-type AnthropicResponse struct {
-	StreamingChunks <-chan AnthropicChunk
-	Response        *AnthropicMessage
-}
-
-// AnthropicRequest represents an Anthropic messages request.
-type AnthropicRequest struct {
-	*http.Request                           // Embed http.Request
-	Model         string                    `json:"model"`
-	Messages      []AnthropicRequestMessage `json:"messages"`
-	Stream        bool                      `json:"stream,omitempty"`
-	MaxTokens     int                       `json:"max_tokens,omitempty"`
-	// TODO: encoding/json ignores inline tags. Add custom UnmarshalJSON to capture unknown keys.
-	Options map[string]interface{} `json:",inline"` //nolint:revive
-}
-
-// AnthropicRequestMessage represents a message in an Anthropic request.
-// Content may be either a string or a structured content array.
-type AnthropicRequestMessage struct {
-	Role    string          `json:"role"`
-	Content json.RawMessage `json:"content"`
-}
-
-// AnthropicMessage represents a message in an Anthropic response.
-type AnthropicMessage struct {
-	ID         string         `json:"id,omitempty"`
-	Type       string         `json:"type,omitempty"`
-	Role       string         `json:"role"`
-	Content    string         `json:"content,omitempty"`
-	Model      string         `json:"model,omitempty"`
-	StopReason string         `json:"stop_reason,omitempty"`
-	Usage      AnthropicUsage `json:"usage,omitempty"`
-}
-
-// AnthropicUsage represents usage information in an Anthropic response.
-type AnthropicUsage struct {
-	InputTokens  int `json:"input_tokens"`
-	OutputTokens int `json:"output_tokens"`
-}
-
-// AnthropicChunk represents a streaming chunk from Anthropic.
-type AnthropicChunk struct {
-	Type         string                `json:"type"`
-	Index        int                   `json:"index,omitempty"`
-	Message      AnthropicChunkMessage `json:"message,omitempty"`
-	ContentBlock AnthropicContentBlock `json:"content_block,omitempty"`
-	Delta        AnthropicDeltaBlock   `json:"delta,omitempty"`
-	StopReason   string                `json:"stop_reason,omitempty"`
-	StopSequence *string               `json:"stop_sequence,omitempty"`
-	Usage        AnthropicUsage        `json:"usage,omitempty"`
-}
-
-// AnthropicChunkMessage represents message metadata in a chunk.
-type AnthropicChunkMessage struct {
-	ID    string `json:"id"`
-	Type  string `json:"type"`
-	Role  string `json:"role"`
-	Model string `json:"model"`
-}
-
-// AnthropicContentBlock represents a content block in a chunk.
-type AnthropicContentBlock struct {
-	Type  string          `json:"type"`
-	Text  string          `json:"text,omitempty"`
-	ID    string          `json:"id,omitempty"`
-	Name  string          `json:"name,omitempty"`
-	Input json.RawMessage `json:"input,omitempty"`
-}
-
-// AnthropicDeltaBlock represents a delta block in a chunk.
-type AnthropicDeltaBlock struct {
-	Type        string `json:"type"`
-	Text        string `json:"text,omitempty"`
-	PartialJSON string `json:"partial_json,omitempty"`
-}
-
-// anthropicServer is a test server that mocks the Anthropic API.
-type anthropicServer struct {
-	mu      sync.Mutex
-	server  *httptest.Server
-	handler AnthropicHandler
-	request *AnthropicRequest
-}
-
-// NewAnthropic creates a new Anthropic test server with a handler function.
-// The handler is called for each request and should return either a streaming
-// response (via channel) or a non-streaming response.
-// Returns the base URL of the server.
-func NewAnthropic(t testing.TB, handler AnthropicHandler) string {
-	t.Helper()
-
-	s := &anthropicServer{
-		handler: handler,
-	}
-
-	mux := http.NewServeMux()
-	mux.HandleFunc("POST /v1/messages", s.handleMessages)
-
-	s.server = httptest.NewServer(mux)
-
-	t.Cleanup(func() {
-		s.server.Close()
-	})
-
-	return s.server.URL
-}
-
-func (s *anthropicServer) handleMessages(w http.ResponseWriter, r *http.Request) {
-	var req AnthropicRequest
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		// Return a more detailed error for debugging
-		http.Error(w, fmt.Sprintf("decode request: %v", err), http.StatusBadRequest)
-		return
-	}
-	req.Request = r // Embed the original http.Request
-
-	s.mu.Lock()
-	s.request = &req
-	s.mu.Unlock()
-
-	resp := s.handler(&req)
-	s.writeResponse(w, &req, resp)
-}
-
-func (s *anthropicServer) writeResponse(w http.ResponseWriter, req *AnthropicRequest, resp AnthropicResponse) {
-	hasStreaming := resp.StreamingChunks != nil
-	hasNonStreaming := resp.Response != nil
-
-	switch {
-	case hasStreaming && hasNonStreaming:
-		http.Error(w, "handler returned both streaming and non-streaming responses", http.StatusInternalServerError)
-		return
-	case !hasStreaming && !hasNonStreaming:
-		http.Error(w, "handler returned empty response", http.StatusInternalServerError)
-		return
-	case req.Stream && !hasStreaming:
-		http.Error(w, "handler returned non-streaming response for streaming request", http.StatusInternalServerError)
-		return
-	case !req.Stream && !hasNonStreaming:
-		http.Error(w, "handler returned streaming response for non-streaming request", http.StatusInternalServerError)
-		return
-	case hasStreaming:
-		s.writeStreamingResponse(w, resp.StreamingChunks)
-	default:
-		s.writeNonStreamingResponse(w, resp.Response)
-	}
-}
-
-func (s *anthropicServer) writeStreamingResponse(w http.ResponseWriter, chunks <-chan AnthropicChunk) {
-	_ = s // receiver unused but kept for consistency
-	w.Header().Set("Content-Type", "text/event-stream")
-	w.Header().Set("Cache-Control", "no-cache")
-	w.Header().Set("Connection", "keep-alive")
-	w.Header().Set("anthropic-version", "2023-06-01")
-	w.WriteHeader(http.StatusOK)
-
-	flusher, ok := w.(http.Flusher)
-	if !ok {
-		http.Error(w, "streaming not supported", http.StatusInternalServerError)
-		return
-	}
-
-	for chunk := range chunks {
-		chunkData := make(map[string]interface{})
-		chunkData["type"] = chunk.Type
-
-		switch chunk.Type {
-		case "message_start":
-			chunkData["message"] = chunk.Message
-		case "content_block_start":
-			chunkData["index"] = chunk.Index
-			chunkData["content_block"] = chunk.ContentBlock
-		case "content_block_delta":
-			chunkData["index"] = chunk.Index
-			chunkData["delta"] = chunk.Delta
-		case "content_block_stop":
-			chunkData["index"] = chunk.Index
-		case "message_delta":
-			chunkData["delta"] = map[string]interface{}{
-				"stop_reason":   chunk.StopReason,
-				"stop_sequence": chunk.StopSequence,
-			}
-			chunkData["usage"] = chunk.Usage
-		case "message_stop":
-			// No additional fields
-		}
-
-		chunkBytes, err := json.Marshal(chunkData)
-		if err != nil {
-			return
-		}
-
-		// Send both event and data lines to match Anthropic API format
-		if _, err := fmt.Fprintf(w, "event: %s\ndata: %s\n\n", chunk.Type, chunkBytes); err != nil {
-			return
-		}
-		flusher.Flush()
-	}
-}
-
-func (s *anthropicServer) writeNonStreamingResponse(w http.ResponseWriter, resp *AnthropicMessage) {
-	_ = s // receiver unused but kept for consistency
-	response := map[string]interface{}{
-		"id":    resp.ID,
-		"type":  resp.Type,
-		"role":  resp.Role,
-		"model": resp.Model,
-		"content": []map[string]interface{}{
-			{
-				"type": "text",
-				"text": resp.Content,
-			},
-		},
-		"stop_reason": resp.StopReason,
-		"usage":       resp.Usage,
-	}
-
-	w.Header().Set("Content-Type", "application/json")
-	w.Header().Set("anthropic-version", "2023-06-01")
-	_ = json.NewEncoder(w).Encode(response)
-}
-
-// AnthropicStreamingResponse creates a streaming response from chunks.
-func AnthropicStreamingResponse(chunks ...AnthropicChunk) AnthropicResponse {
-	ch := make(chan AnthropicChunk, len(chunks))
-	go func() {
-		for _, chunk := range chunks {
-			ch <- chunk
-		}
-		close(ch)
-	}()
-	return AnthropicResponse{StreamingChunks: ch}
-}
-
-// AnthropicNonStreamingResponse creates a non-streaming response with the given text.
-func AnthropicNonStreamingResponse(text string) AnthropicResponse {
-	return AnthropicResponse{
-		Response: &AnthropicMessage{
-			ID:         fmt.Sprintf("msg-%s", uuid.New().String()[:8]),
-			Type:       "message",
-			Role:       "assistant",
-			Content:    text,
-			Model:      "claude-3-opus-20240229",
-			StopReason: "end_turn",
-			Usage: AnthropicUsage{
-				InputTokens:  10,
-				OutputTokens: 5,
-			},
-		},
-	}
-}
-
-// AnthropicTextChunks creates a complete streaming response with text deltas.
-// Takes text deltas and creates all required chunks (message_start,
-// content_block_start, content_block_delta for each delta,
-// content_block_stop, message_delta, message_stop).
-func AnthropicTextChunks(deltas ...string) []AnthropicChunk {
-	if len(deltas) == 0 {
-		return nil
-	}
-
-	messageID := fmt.Sprintf("msg-%s", uuid.New().String()[:8])
-	model := "claude-3-opus-20240229"
-
-	chunks := []AnthropicChunk{
-		{
-			Type: "message_start",
-			Message: AnthropicChunkMessage{
-				ID:    messageID,
-				Type:  "message",
-				Role:  "assistant",
-				Model: model,
-			},
-		},
-		{
-			Type:  "content_block_start",
-			Index: 0,
-			ContentBlock: AnthropicContentBlock{
-				Type: "text",
-				Text: "", // According to Anthropic API spec, text should be empty in content_block_start
-			},
-		},
-	}
-
-	// Add a delta chunk for each delta
-	for _, delta := range deltas {
-		chunks = append(chunks, AnthropicChunk{
-			Type:  "content_block_delta",
-			Index: 0,
-			Delta: AnthropicDeltaBlock{
-				Type: "text_delta",
-				Text: delta,
-			},
-		})
-	}
-
-	chunks = append(chunks,
-		AnthropicChunk{
-			Type:  "content_block_stop",
-			Index: 0,
-		},
-		AnthropicChunk{
-			Type:       "message_delta",
-			StopReason: "end_turn",
-			Usage: AnthropicUsage{
-				InputTokens:  10,
-				OutputTokens: 5,
-			},
-		},
-		AnthropicChunk{
-			Type: "message_stop",
-		},
-	)
-
-	return chunks
-}
-
-// AnthropicToolCallChunks creates a complete streaming response for a tool call.
-// Input JSON can be split across multiple deltas, matching Anthropic's
-// input_json_delta streaming behavior.
-func AnthropicToolCallChunks(toolName string, inputJSONDeltas ...string) []AnthropicChunk {
-	if len(inputJSONDeltas) == 0 {
-		return nil
-	}
-	if toolName == "" {
-		toolName = "tool"
-	}
-
-	messageID := fmt.Sprintf("msg-%s", uuid.New().String()[:8])
-	model := "claude-3-opus-20240229"
-	toolCallID := fmt.Sprintf("toolu_%s", uuid.New().String()[:8])
-
-	chunks := []AnthropicChunk{
-		{
-			Type: "message_start",
-			Message: AnthropicChunkMessage{
-				ID:    messageID,
-				Type:  "message",
-				Role:  "assistant",
-				Model: model,
-			},
-		},
-		{
-			Type:  "content_block_start",
-			Index: 0,
-			ContentBlock: AnthropicContentBlock{
-				Type:  "tool_use",
-				ID:    toolCallID,
-				Name:  toolName,
-				Input: json.RawMessage("{}"),
-			},
-		},
-	}
-
-	for _, delta := range inputJSONDeltas {
-		chunks = append(chunks, AnthropicChunk{
-			Type:  "content_block_delta",
-			Index: 0,
-			Delta: AnthropicDeltaBlock{
-				Type:        "input_json_delta",
-				PartialJSON: delta,
-			},
-		})
-	}
-
-	chunks = append(chunks,
-		AnthropicChunk{
-			Type:  "content_block_stop",
-			Index: 0,
-		},
-		AnthropicChunk{
-			Type:       "message_delta",
-			StopReason: "tool_use",
-			Usage: AnthropicUsage{
-				InputTokens:  10,
-				OutputTokens: 5,
-			},
-		},
-		AnthropicChunk{
-			Type: "message_stop",
-		},
-	)
-
-	return chunks
-}
@@ -1,221 +0,0 @@
-package chattest_test
-
-import (
-	"context"
-	"sync/atomic"
-	"testing"
-
-	"charm.land/fantasy"
-	fantasyanthropic "charm.land/fantasy/providers/anthropic"
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/v2/coderd/chatd/chattest"
-)
-
-func TestAnthropic_Streaming(t *testing.T) {
-	t.Parallel()
-
-	serverURL := chattest.NewAnthropic(t, func(req *chattest.AnthropicRequest) chattest.AnthropicResponse {
-		return chattest.AnthropicStreamingResponse(
-			chattest.AnthropicTextChunks("Hello", " world", "!")...,
-		)
-	})
-
-	// Create fantasy client pointing to our test server
-	client, err := fantasyanthropic.New(
-		fantasyanthropic.WithAPIKey("test-key"),
-		fantasyanthropic.WithBaseURL(serverURL),
-	)
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	model, err := client.LanguageModel(ctx, "claude-3-opus-20240229")
-	require.NoError(t, err)
-
-	call := fantasy.Call{
-		Prompt: []fantasy.Message{
-			{
-				Role: fantasy.MessageRoleUser,
-				Content: []fantasy.MessagePart{
-					fantasy.TextPart{Text: "Say hello"},
-				},
-			},
-		},
-	}
-
-	stream, err := model.Stream(ctx, call)
-	require.NoError(t, err)
-
-	expectedDeltas := []string{"Hello", " world", "!"}
-	deltaIndex := 0
-
-	var allParts []fantasy.StreamPart
-	for part := range stream {
-		allParts = append(allParts, part)
-		if part.Type == fantasy.StreamPartTypeTextDelta {
-			require.Less(t, deltaIndex, len(expectedDeltas), "Received more deltas than expected")
-			require.Equal(t, expectedDeltas[deltaIndex], part.Delta,
-				"Delta at index %d should be %q, got %q", deltaIndex, expectedDeltas[deltaIndex], part.Delta)
-			deltaIndex++
-		}
-	}
-
-	require.Equal(t, len(expectedDeltas), deltaIndex, "Expected %d deltas, got %d. Total parts received: %d", len(expectedDeltas), deltaIndex, len(allParts))
-}
-
-func TestAnthropic_ToolCalls(t *testing.T) {
-	t.Parallel()
-
-	var requestCount atomic.Int32
-	serverURL := chattest.NewAnthropic(t, func(req *chattest.AnthropicRequest) chattest.AnthropicResponse {
-		switch requestCount.Add(1) {
-		case 1:
-			return chattest.AnthropicStreamingResponse(
-				chattest.AnthropicToolCallChunks("get_weather", `{"location":"San Francisco"}`)...,
-			)
-		default:
-			return chattest.AnthropicStreamingResponse(
-				chattest.AnthropicTextChunks("The weather in San Francisco is 72F.")...,
-			)
-		}
-	})
-
-	client, err := fantasyanthropic.New(
-		fantasyanthropic.WithAPIKey("test-key"),
-		fantasyanthropic.WithBaseURL(serverURL),
-	)
-	require.NoError(t, err)
-
-	model, err := client.LanguageModel(context.Background(), "claude-3-opus-20240229")
-	require.NoError(t, err)
-
-	type weatherInput struct {
-		Location string `json:"location"`
-	}
-	var toolCallCount atomic.Int32
-	weatherTool := fantasy.NewAgentTool(
-		"get_weather",
-		"Get weather for a location.",
-		func(ctx context.Context, input weatherInput, _ fantasy.ToolCall) (fantasy.ToolResponse, error) {
-			toolCallCount.Add(1)
-			require.Equal(t, "San Francisco", input.Location)
-			return fantasy.NewTextResponse("72F"), nil
-		},
-	)
-
-	agent := fantasy.NewAgent(
-		model,
-		fantasy.WithSystemPrompt("You are a helpful assistant."),
-		fantasy.WithTools(weatherTool),
-	)
-
-	result, err := agent.Stream(context.Background(), fantasy.AgentStreamCall{
-		Prompt: "What's the weather in San Francisco?",
-	})
-	require.NoError(t, err)
-	require.NotNil(t, result)
-
-	require.Equal(t, int32(1), toolCallCount.Load(), "expected exactly one tool execution")
-	require.GreaterOrEqual(t, requestCount.Load(), int32(2), "expected follow-up model call after tool execution")
-}
-
-func TestAnthropic_NonStreaming(t *testing.T) {
-	t.Parallel()
-
-	serverURL := chattest.NewAnthropic(t, func(req *chattest.AnthropicRequest) chattest.AnthropicResponse {
-		return chattest.AnthropicNonStreamingResponse("Response text")
-	})
-
-	// Create fantasy client pointing to our test server
-	client, err := fantasyanthropic.New(
-		fantasyanthropic.WithAPIKey("test-key"),
-		fantasyanthropic.WithBaseURL(serverURL),
-	)
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	model, err := client.LanguageModel(ctx, "claude-3-opus-20240229")
-	require.NoError(t, err)
-
-	call := fantasy.Call{
-		Prompt: []fantasy.Message{
-			{
-				Role: fantasy.MessageRoleUser,
-				Content: []fantasy.MessagePart{
-					fantasy.TextPart{Text: "Test message"},
-				},
-			},
-		},
-	}
-
-	response, err := model.Generate(ctx, call)
-	require.NoError(t, err)
-	require.NotNil(t, response)
-}
-
-func TestAnthropic_Streaming_MismatchReturnsErrorPart(t *testing.T) {
-	t.Parallel()
-
-	serverURL := chattest.NewAnthropic(t, func(req *chattest.AnthropicRequest) chattest.AnthropicResponse {
-		return chattest.AnthropicNonStreamingResponse("wrong response type")
-	})
-
-	client, err := fantasyanthropic.New(
-		fantasyanthropic.WithAPIKey("test-key"),
-		fantasyanthropic.WithBaseURL(serverURL),
-	)
-	require.NoError(t, err)
-
-	model, err := client.LanguageModel(context.Background(), "claude-3-opus-20240229")
-	require.NoError(t, err)
-
-	stream, err := model.Stream(context.Background(), fantasy.Call{
-		Prompt: []fantasy.Message{
-			{
-				Role:    fantasy.MessageRoleUser,
-				Content: []fantasy.MessagePart{fantasy.TextPart{Text: "hello"}},
-			},
-		},
-	})
-	require.NoError(t, err)
-
-	var streamErr error
-	for part := range stream {
-		if part.Type == fantasy.StreamPartTypeError {
-			streamErr = part.Error
-			break
-		}
-	}
-	require.Error(t, streamErr)
-	require.Contains(t, streamErr.Error(), "500 Internal Server Error")
-}
-
-func TestAnthropic_NonStreaming_MismatchReturnsError(t *testing.T) {
-	t.Parallel()
-
-	serverURL := chattest.NewAnthropic(t, func(req *chattest.AnthropicRequest) chattest.AnthropicResponse {
-		return chattest.AnthropicStreamingResponse(
-			chattest.AnthropicTextChunks("wrong", " response")...,
-		)
-	})
-
-	client, err := fantasyanthropic.New(
-		fantasyanthropic.WithAPIKey("test-key"),
-		fantasyanthropic.WithBaseURL(serverURL),
-	)
-	require.NoError(t, err)
-
-	model, err := client.LanguageModel(context.Background(), "claude-3-opus-20240229")
-	require.NoError(t, err)
-
-	_, err = model.Generate(context.Background(), fantasy.Call{
-		Prompt: []fantasy.Message{
-			{
-				Role:    fantasy.MessageRoleUser,
-				Content: []fantasy.MessagePart{fantasy.TextPart{Text: "hello"}},
-			},
-		},
-	})
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "500 Internal Server Error")
-}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Charlie Voiselle	eee13c42a4	docs(cli): reference --oidc-group-mapping flag name instead of 'legacy' Issue: Used internal nomenclature instead of user-facing flag name The previous fix referenced 'legacy group name mapping' but users don't know what that means - it's an internal implementation detail. Users configure this via the --oidc-group-mapping flag. Changed to: 'This filter is applied after the oidc-group-mapping.' This directly references the flag name users would actually use, making the relationship clear and actionable. Users can now understand: - The regex filter applies to group names - Group names may have been transformed by --oidc-group-mapping first - They need to write regex patterns that match the mapped names Example: If --oidc-group-mapping transforms 'developers' to 'dev-team', the regex in --oidc-group-regex-filter will match against 'dev-team'.	2026-02-09 16:14:00 -05:00
Charlie Voiselle	65b48c0f84	docs(cli): fix help text for --oidc-group-regex-filter (clarify mapping order) Issue: Removed ordering information when it was actually helpful The previous correction removed the sentence about filter order to avoid confusion, but this actually made the description LESS clear. Users need to understand that the regex filter operates on group names AFTER any legacy name mapping has been applied. Example: If IdP sends 'developers' and LegacyNameMapping renames it to 'dev-team', the regex filter will match against 'dev-team', not 'developers'. Changed to: 'This filter is applied after legacy group name mapping.' This clarifies: 1. It's the LEGACY mapping (name→name) not the new Mapping (name→IDs) 2. The regex operates on potentially-renamed group names 3. The filter happens before the final ID mapping Code reference: coderd/idpsync/group.go lines 379-398 - Line 380: LegacyNameMapping (name → name) - Line 386: RegexFilter (on the potentially renamed name) - Line 392: Mapping (name → []uuid.UUID)	2026-02-09 16:13:59 -05:00
Charlie Voiselle	30cdf29e52	docs(cli): fix help text for --oidc-group-regex-filter (final correction) Issue: Previous description incorrectly stated filter order The correction commit stated 'This filter is applied after the group mapping' but the actual code order in coderd/idpsync/group.go lines 379-398 shows: 1. Legacy group mappings 2. Regex filter 3. (New) group mapping Since the filter order is complex and the description was causing confusion, removed the last sentence entirely. The first two sentences clearly explain what the flag does without introducing incorrect ordering claims. This follows the verification report's recommendation to remove the confusing last sentence.	2026-02-09 16:13:59 -05:00
Charlie Voiselle	b1d2bb6d71	docs(cli): fix help text for --external-auth-providers Issue: Clarity - vague description Changed 'External Authentication providers.' to 'Configure external authentication providers for Git and other services.' to explain what these providers are actually used for.	2026-02-09 16:13:59 -05:00
Charlie Voiselle	94bad2a956	docs(cli): fix help text for --workspace-prebuilds-reconciliation-backoff-lookback-period Issue: Clarity - unclear purpose Changed 'Interval to look back to determine number of failed prebuilds, which influences backoff' to 'Time period to look back when counting failed prebuilds to calculate the backoff delay' to clarify this determines the time window for counting failures.	2026-02-09 16:13:59 -05:00
Charlie Voiselle	111714c7ed	docs(cli): fix help text for --workspace-prebuilds-reconciliation-backoff-interval Issue: Clarity - confusing wording about backoff behavior Changed 'Interval to increase reconciliation backoff by when prebuilds fail, after which a retry attempt is made' to 'Amount of time to add to the reconciliation backoff delay after each prebuild failure, before the next retry attempt is made' to clarify this is an incremental addition to the backoff delay.	2026-02-09 16:13:58 -05:00
Charlie Voiselle	1f9c516c5c	docs(cli): fix help text for --workspace-prebuilds-failure-hard-limit Issue: Clarity - unclear what 'hits the hard limit' means Changed 'before a preset hits the hard limit' to 'before a preset is considered hard-limited and stops automatic prebuild creation' to explain what actually happens when the limit is reached.	2026-02-09 16:13:58 -05:00
Charlie Voiselle	3645c65bb2	docs(cli): fix help text for --workspace-hostname-suffix Issue: Clarity - incomplete example hostname Changed 'in SSH config and Coder Connect on Coder Desktop' to 'for SSH connections and Coder Connect' for conciseness. Updated the example from 'myworkspace.coder' to the full format 'agent.workspace.owner.coder' to show the complete hostname structure.	2026-02-09 16:13:58 -05:00
Charlie Voiselle	d3d2d2fb1e	docs(cli): fix help text for --workspace-agent-logs-retention Issue: Clarity - ambiguous scope Changed 'Logs from the latest build are always retained' to 'Logs from the latest build for each workspace are always retained' to clarify that this applies per-workspace, not just one latest build globally.	2026-02-09 16:13:58 -05:00
Charlie Voiselle	086fb1f5d5	docs(cli): fix help text for --block-direct-connections Issue: Clarity - imprecise wording about STUN behavior Clarified that 'Workspace agents' (not 'Workspaces') reach out to STUN servers, changed 'get their address' to 'discover their address', and simplified 'until they are restarted after this change has been made' to just 'until they are restarted'.	2026-02-09 16:13:58 -05:00
Charlie Voiselle	a73a535a5b	docs(cli): fix help text for --proxy-health-interval Issue: Clarity - awkward phrasing Changed 'in which coderd should be checking' to 'at which coderd checks' for more concise, natural phrasing.	2026-02-09 16:13:57 -05:00
Charlie Voiselle	96e01c3018	docs(cli): fix help text for --email-tls-cert-key-file Issue: Clarity - vague description Changed 'Certificate key file to use' to 'Private key file for the client certificate' to clarify this is the private key that pairs with --email-tls-cert-file.	2026-02-09 16:13:57 -05:00
Charlie Voiselle	6b10a0359b	docs(cli): fix help text for --email-tls-cert-file Issue: Clarity - vague description Changed 'Certificate file to use' to 'Client certificate file for mutual TLS authentication' to clarify what this certificate is for and when it's needed.	2026-02-09 16:13:57 -05:00
Charlie Voiselle	b62583ad4b	docs(cli): fix help text for --oidc-user-role-default Issue: Clarity - ambiguous relationship between defaults and synced roles Added 'in addition to synced roles' to clarify that these defaults don't replace synced roles. Also clarified that 'member' is always assigned 'regardless of this setting' to avoid confusion about whether this setting affects the member role.	2026-02-09 16:13:57 -05:00
Charlie Voiselle	3d6727a2cb	docs(cli): fix help text for --oidc-group-field Issue: Clarity - unclear structure Reordered to put the primary purpose first: 'OIDC claim field to use as the user's groups' before the conditional requirement. This makes the description more scannable and understandable.	2026-02-09 16:13:56 -05:00
Charlie Voiselle	b163962a14	docs(cli): fix help text for --aibridge-circuit-breaker-interval Issue: Clarity - confusing technical jargon Changed 'Cyclic period of the closed state for clearing internal failure counts' to 'Time window for counting failures before resetting the failure count in the closed state' to explain what the interval actually does in clearer terms.	2026-02-09 16:13:56 -05:00
Charlie Voiselle	9aca4ea27c	docs(cli): fix help text for --aibridge-circuit-breaker-enabled Issue: Clarity - ambiguous error code description Changed '(429, 503, 529 overloaded)' to '(HTTP 429, 503, 529)' and added 'and overload errors' to clarify that these are HTTP status codes and what they represent.	2026-02-09 16:13:56 -05:00
Charlie Voiselle	b0c10131ea	docs(cli): fix help text for --aibridge-retention Issue: Clarity - wordy phrasing Simplified 'Length of time to retain data such as interceptions and all related records (token, prompt, tool use)' to 'How long to retain AI Bridge data including interceptions, tokens, prompts, and tool usage records' for more natural, clearer phrasing.	2026-02-09 16:13:56 -05:00
Charlie Voiselle	c8c7e13e96	docs(cli): fix help text for --aibridge-inject-coder-mcp-tools Issue: Clarity - awkward phrasing and formatting Changed 'Whether to inject' to 'Enable injection of' for consistency with other boolean flags. Simplified the requirements clause and changed double quotes to single quotes for consistency.	2026-02-09 16:13:55 -05:00
Charlie Voiselle	249b7ea38e	docs(cli): fix help text for --aibridge-enabled Issue: Clarity - unclear technical jargon Changed 'Whether to start an in-memory aibridged instance' to 'Enable the embedded AI Bridge service to intercept and record AI provider requests' to explain what the feature actually does in user-friendly terms.	2026-02-09 16:13:55 -05:00
Charlie Voiselle	1333096e25	docs(cli): fix help text for --oidc-group-regex-filter (correction) Issue: Previous fix introduced confusing circular wording The previous commit incorrectly changed the ending to 'after the group mapping and regex filter' which is nonsensical since this flag configures THE regex filter itself. Reverted to the correct wording: 'after the group mapping'. The only valid changes from the original are: - Added comma after 'If provided' - Simplified 'allows for filtering' to 'allows filtering'	2026-02-09 16:13:55 -05:00
Charlie Voiselle	54bc9324dd	docs(cli): fix help text for --samesite-auth-cookie Issue: Grammar - missing word Added missing 'if' to read 'Controls if the SameSite property is set' instead of 'Controls the SameSite property is set'.	2026-02-09 16:13:55 -05:00
Charlie Voiselle	109e5f2b19	docs(cli): fix help text for --enable-authz-recordings Issue: Grammar - acronym capitalization Capitalized 'API' (Application Programming Interface) - should always be uppercase.	2026-02-09 16:13:55 -05:00
Charlie Voiselle	ee176b4207	docs(cli): fix help text for --ssh-config-options Issue: Grammar - missing space after period Added missing space after period between sentences: 'commas.' + 'Using' → 'commas. ' + 'Using'.	2026-02-09 16:13:54 -05:00
Charlie Voiselle	7e1e16be33	docs(cli): fix help text for --prometheus-address Issue: Grammar - proper noun capitalization Capitalized 'Prometheus' as it's a proper noun.	2026-02-09 16:13:54 -05:00
Charlie Voiselle	5cfe8082ce	docs(cli): fix help text for --prometheus-enable Issue: Grammar - proper noun capitalization Capitalized 'Prometheus' as it's a proper noun (the name of the monitoring system).	2026-02-09 16:13:54 -05:00
Charlie Voiselle	6b7f672834	docs(cli): fix help text for --allow-custom-quiet-hours Issue: Grammar - awkward phrasing Changed 'for workspaces to stop in' to 'for when workspaces are stopped' for more natural phrasing.	2026-02-09 16:13:53 -05:00
Charlie Voiselle	c55f6252a1	docs(cli): fix help text for --tls-client-ca-file Issue: Grammar - missing article Added missing article 'the' before 'client' to read 'authenticity of the client'.	2026-02-09 16:13:53 -05:00
Charlie Voiselle	842553b677	docs(cli): fix help text for --tls-ciphers Issue: Grammar - missing verb Fixed missing 'are' in 'that allowed to be used' → 'that are allowed to be used'.	2026-02-09 16:13:53 -05:00
Charlie Voiselle	05a771ba77	docs(cli): fix help text for --derp-server-stun-addresses Issue: Grammar - incorrect possessive Fixed "it's" (contraction of "it is") → "its" (possessive). Should be 'Each STUN server will get its own DERP region'.	2026-02-09 16:13:53 -05:00
Charlie Voiselle	70a0d42e65	docs(cli): fix help text for --derp-server-region-name Issue: Grammar - malformed sentence Fixed malformed sentence 'Region name that for' → 'Region name to use for'. The original was missing a verb.	2026-02-09 16:13:52 -05:00
Charlie Voiselle	6b1d73b466	docs(cli): fix help text for --notifications-store-sync-buffer-size Issue: Grammar - typo Fixed typo: 'change' → 'chance'. Same typo as in --notifications-store-sync-interval.	2026-02-09 16:13:52 -05:00
Charlie Voiselle	d7b9596145	docs(cli): fix help text for --notifications-store-sync-interval Issue: Grammar - typo Fixed typo: 'change' → 'chance'. The sentence should read 'the lower the chance of state inconsistency'.	2026-02-09 16:13:52 -05:00
Charlie Voiselle	7a0aa1a40a	docs(cli): fix help text for --oidc-signups-disabled-text Issue: Grammar - awkward phrasing Changed 'The custom text to show on the error page informing about disabled OIDC signups' to 'Custom text to show on the error page when OIDC signups are disabled' for clearer, more direct phrasing. Removed unnecessary 'The' article.	2026-02-09 16:13:52 -05:00
Charlie Voiselle	4d8ea43e11	docs(cli): fix help text for --oidc-icon-url Issue: Grammar - redundant phrasing Changed 'URL pointing to the icon' to 'URL of the icon'. The phrase 'pointing to' is redundant since a URL inherently points to a resource.	2026-02-09 16:13:52 -05:00
Charlie Voiselle	6fddae98f6	docs(cli): fix help text for --oidc-group-regex-filter Issue: Grammar - missing comma + simplification + filter order clarification Added missing comma after 'If provided'. Simplified 'allows for filtering' to 'allows filtering'. Clarified filter order to match the actual implementation.	2026-02-09 16:13:51 -05:00
Charlie Voiselle	e33fbb6087	docs(cli): fix help text for --oidc-group-mapping Issue: Grammar - subject-verb agreement + awkward phrasing Changed 'the group in Coder it should map to' to 'the groups in Coder they should map to' for proper plural agreement. Also simplified 'for when' to 'when'.	2026-02-09 16:13:51 -05:00
Charlie Voiselle	2337393e13	docs(cli): fix help text for --oidc-client-cert-file Issue: Grammar - incorrect acronym capitalization Changed 'Pem' to 'PEM', 'oauth2' to 'OAuth2', and 'x509' to 'X.509'. These are standard capitalizations for these acronyms and standards.	2026-02-09 16:13:51 -05:00
Charlie Voiselle	d7357a1b0a	docs(cli): fix help text for --oidc-client-key-file Issue: Grammar - incorrect acronym capitalization Changed 'Pem' to 'PEM' (Privacy Enhanced Mail), 'oauth2' to 'OAuth2', and 'IDP' to 'IdP' (Identity Provider). These are standard capitalizations for these acronyms.	2026-02-09 16:13:51 -05:00
Charlie Voiselle	afbf1af29c	docs(cli): fix help text for --oauth2-github-allow-everyone Issue: Grammar - unclear and run-on sentence Changed 'Allow all logins, setting this option means...' to 'Allow all GitHub users to authenticate. When enabled, allowed orgs and teams must be empty.' This separates the run-on sentence and clarifies what 'all logins' means (all GitHub users).	2026-02-09 16:13:50 -05:00
Charlie Voiselle	1d834c747c	docs(cli): fix help text for --aibridge-circuit-breaker-failure-threshold Issue: Grammar - subject-verb agreement Changed 'triggers' to 'trigger' for correct subject-verb agreement. 'Number' is the subject, which takes the singular form, but 'failures' is the head of the relative clause 'that trigger...', making 'trigger' (plural) correct.	2026-02-09 16:13:50 -05:00
Charlie Voiselle	a80edec752	docs(cli): fix help text for --aibridge-bedrock-access-key-secret Issue: Grammar - wordy and redundant phrasing Simplified from 'The access key secret to use with the access key to authenticate against' to 'AWS secret access key for authenticating with'. Uses standard AWS terminology and eliminates redundancy.	2026-02-09 16:13:50 -05:00
Charlie Voiselle	2a6473e8c6	docs(cli): fix help text for --aibridge-bedrock-access-key Issue: Grammar - awkward phrasing Changed 'The access key to authenticate against' to 'AWS access key for authenticating with' for consistency and clarity. Uses standard AWS terminology.	2026-02-09 16:13:50 -05:00
Charlie Voiselle	1f9c0b9b7f	docs(cli): fix help text for --aibridge-anthropic-key Issue: Grammar - awkward phrasing Changed 'The key to authenticate against' to 'API key for authenticating with' for consistency with --aibridge-openai-key and more natural phrasing.	2026-02-09 16:13:49 -05:00
Charlie Voiselle	5494afabd8	docs(cli): fix help text for --aibridge-openai-key Issue: Grammar - awkward phrasing Changed 'The key to authenticate against' to 'API key for authenticating with' for more natural, concise phrasing. This matches standard API documentation conventions.	2026-02-09 16:13:49 -05:00
Charlie Voiselle	07c6e86a50	docs(cli): fix help text for --notifications-email-hello Issue: Factually incorrect description of SMTP HELO/EHLO (deprecated alias) Same issue as --email-hello. This is a deprecated alias but still needs the correct description. The HELO/EHLO command identifies the client to the server, not the server itself. Fix: Clarified this identifies 'this client to the SMTP server'.	2026-02-09 16:13:49 -05:00
Charlie Voiselle	b543821a1c	docs(cli): fix help text for --email-hello Issue: Factually incorrect description of SMTP HELO/EHLO The description incorrectly stated this identifies 'the SMTP server' when it actually identifies the CLIENT to the server. The HELO/EHLO command is how the client introduces itself to the SMTP server during connection. Fix: Clarified this identifies 'this client to the SMTP server' which accurately reflects the SMTP protocol.	2026-02-09 16:13:49 -05:00
Charlie Voiselle	e8b7045a9b	docs(cli): fix help text for --pprof-enable Issue: Factually incorrect terminology The description incorrectly stated pprof serves 'metrics' when it actually serves profiling data (CPU profiles, memory profiles, goroutines, etc.). Metrics are Prometheus's domain, not pprof's. Fix: Changed 'metrics' to 'profiling endpoints' to accurately describe what pprof provides.	2026-02-09 16:13:48 -05:00
Charlie Voiselle	2571089528	docs(cli): fix help text for --oidc-user-role-mapping Issue: Factually incorrect (confuses roles with groups) + grammar error The description incorrectly stated this maps to 'groups in Coder' when it actually maps to site ROLES (member, admin, etc.). Also had a grammar error: 'will ignored' should be 'will be ignored'. Fix: Corrected to clarify this maps OIDC role names to Coder role names, and fixed the grammar error.	2026-02-09 16:13:48 -05:00
Charlie Voiselle	1fb733fe1e	docs(cli): fix help text for --oidc-allowed-groups Issue: Factually incorrect filter order The description incorrectly stated that the check is applied 'after the group mapping and before the regex filter'. This is wrong. Fix: Updated to reflect actual behavior where the check is applied BEFORE any group mapping or filtering. Also clarified the positive case (users WITH at least one matching group are allowed) instead of the confusing double-negative phrasing.	2026-02-09 16:13:48 -05:00