docs(cli): reference --oidc-group-mapping flag name instead of 'legacy'

Issue: Used internal nomenclature instead of user-facing flag name The previous fix referenced 'legacy group name mapping' but users don't know what that means - it's an internal implementation detail. Users configure this via the --oidc-group-mapping flag. Changed to: 'This filter is applied after the oidc-group-mapping.' This directly references the flag name users would actually use, making the relationship clear and actionable. Users can now understand: - The regex filter applies to group names - Group names may have been transformed by --oidc-group-mapping first - They need to write regex patterns that match the mapped names Example: If --oidc-group-mapping transforms 'developers' to 'dev-team', the regex in --oidc-group-regex-filter will match against 'dev-team'.
docs(cli): fix help text for --oidc-group-regex-filter (clarify mapping order)
2026-02-09 16:14:00 -05:00 · 2026-02-09 16:13:59 -05:00 · 2026-02-09 16:13:59 -05:00 · 2026-02-09 16:13:59 -05:00 · 2026-02-09 16:13:59 -05:00 · 2026-02-09 16:13:58 -05:00
388 changed files with 5708 additions and 10985 deletions
@@ -1,4 +0,0 @@
-# All artifacts of the build processed are dumped here.
-# Ignore it for docker context, as all Dockerfiles should build their own
-# binaries.
-build
@@ -4,7 +4,7 @@ description: |
 inputs:
  version:
    description: "The Go version to use."
-    default: "1.25.7"
+    default: "1.25.6"
  use-preinstalled-go:
    description: "Whether to use preinstalled Go."
    default: "false"
@@ -7,5 +7,5 @@ runs:
    - name: Install Terraform
      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
      with:
-        terraform_version: 1.14.5
+        terraform_version: 1.14.1
        terraform_wrapper: false
@@ -35,7 +35,7 @@ jobs:
      tailnet-integration: ${{ steps.filter.outputs.tailnet-integration }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -157,7 +157,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -247,7 +247,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -272,7 +272,7 @@ jobs:
    if: ${{ !cancelled() }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -329,7 +329,7 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -381,7 +381,7 @@ jobs:
          - windows-2022
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -489,14 +489,6 @@ jobs:
          # macOS will output "The default interactive shell is now zsh" intermittently in CI.
          touch ~/.bash_profile && echo "export BASH_SILENCE_DEPRECATION_WARNING=1" >> ~/.bash_profile

-      - name: Increase PTY limit (macOS)
-        if: runner.os == 'macOS'
-        shell: bash
-        run: |
-          # Increase PTY limit to avoid exhaustion during tests.
-          # Default is 511; 999 is the maximum value on CI runner.
-          sudo sysctl -w kern.tty.ptmx_max=999
-
      - name: Test with PostgreSQL Database (Linux)
        if: runner.os == 'Linux'
        uses: ./.github/actions/test-go-pg
@@ -586,7 +578,7 @@ jobs:
    timeout-minutes: 25
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -648,7 +640,7 @@ jobs:
    timeout-minutes: 25
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -720,7 +712,7 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -747,7 +739,7 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -780,7 +772,7 @@ jobs:
    name: ${{ matrix.variant.name }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -860,7 +852,7 @@ jobs:
    if: needs.changes.outputs.site == 'true' || needs.changes.outputs.ci == 'true'
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -941,7 +933,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -1013,7 +1005,7 @@ jobs:
    if: always()
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -1128,7 +1120,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -1183,7 +1175,7 @@ jobs:
      IMAGE: ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -1580,7 +1572,7 @@ jobs:
    if: needs.changes.outputs.db == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -36,7 +36,7 @@ jobs:
      verdict: ${{ steps.check.outputs.verdict }} # DEPLOY or NOOP
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -65,7 +65,7 @@ jobs:
      packages: write # to retag image as dogfood
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -146,7 +146,7 @@ jobs:
    needs: deploy
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -38,7 +38,7 @@ jobs:
    if: github.repository_owner == 'coder'
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -58,11 +58,11 @@ jobs:
        run: mkdir base-build-context

      - name: Install depot.dev CLI
-        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
+        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0

      # This uses OIDC authentication, so no auth variables are required.
      - name: Build base Docker image via depot.dev
-        uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
+        uses: depot/build-push-action@9785b135c3c76c33db102e45be96a25ab55cd507 # v1.16.2
        with:
          project: wl5hnrrkns
          context: base-build-context
@@ -26,7 +26,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -75,7 +75,7 @@ jobs:
          BRANCH_NAME: ${{ steps.branch-name.outputs.current_branch }}

      - name: Set up Depot CLI
-        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
+        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
@@ -88,7 +88,7 @@ jobs:
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Build and push Non-Nix image
-        uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
+        uses: depot/build-push-action@9785b135c3c76c33db102e45be96a25ab55cd507 # v1.16.2
        with:
          project: b4q6ltmpzh
          token: ${{ secrets.DEPOT_TOKEN }}
@@ -125,7 +125,7 @@ jobs:
      id-token: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -28,7 +28,7 @@ jobs:
          - windows-2022
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -19,7 +19,7 @@ jobs:
      packages: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -39,7 +39,7 @@ jobs:
      PR_OPEN: ${{ steps.check_pr.outputs.pr_open }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -76,7 +76,7 @@ jobs:
    runs-on: "ubuntu-latest"
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -184,7 +184,7 @@ jobs:
      pull-requests: write # needed for commenting on PRs
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -228,7 +228,7 @@ jobs:
      CODER_IMAGE_TAG: ${{ needs.get_info.outputs.CODER_IMAGE_TAG }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -288,7 +288,7 @@ jobs:
      PR_HOSTNAME: "pr${{ needs.get_info.outputs.PR_NUMBER }}.${{ secrets.PR_DEPLOYMENTS_DOMAIN }}"
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -14,7 +14,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -158,7 +158,7 @@ jobs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -386,12 +386,12 @@ jobs:

      - name: Install depot.dev CLI
        if: steps.image-base-tag.outputs.tag != ''
-        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
+        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0

      # This uses OIDC authentication, so no auth variables are required.
      - name: Build base Docker image via depot.dev
        if: steps.image-base-tag.outputs.tag != ''
-        uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
+        uses: depot/build-push-action@9785b135c3c76c33db102e45be96a25ab55cd507 # v1.16.2
        with:
          project: wl5hnrrkns
          context: base-build-context
@@ -796,7 +796,7 @@ jobs:
      # TODO: skip this if it's not a new release (i.e. a backport). This is
      #       fine right now because it just makes a PR that we can close.
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -872,7 +872,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -965,7 +965,7 @@ jobs:
    if: ${{ !inputs.dry_run }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -20,7 +20,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -27,7 +27,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -69,7 +69,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -18,7 +18,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -96,7 +96,7 @@ jobs:
      contents: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -120,7 +120,7 @@ jobs:
      actions: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -21,7 +21,7 @@ jobs:
      pull-requests: write # required to post PR review comments by the action
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

@@ -909,10 +909,7 @@ site/src/api/countriesGenerated.ts: site/node_modules/.installed scripts/typegen
 	(cd site/ && pnpm exec biome format --write src/api/countriesGenerated.ts)
 	touch "$@"

-scripts/metricsdocgen/generated_metrics: $(GO_SRC_FILES)
-	go run ./scripts/metricsdocgen/scanner > $@
-
-docs/admin/integrations/prometheus.md: node_modules/.installed scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics scripts/metricsdocgen/generated_metrics
+docs/admin/integrations/prometheus.md: node_modules/.installed scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
 	go run scripts/metricsdocgen/main.go
 	pnpm exec markdownlint-cli2 --fix ./docs/admin/integrations/prometheus.md
 	pnpm exec markdown-table-formatter ./docs/admin/integrations/prometheus.md
@@ -111,12 +111,6 @@ type Client interface {
 	ConnectRPC28(ctx context.Context) (
 		proto.DRPCAgentClient28, tailnetproto.DRPCTailnetClient28, error,
 	)
-	// ConnectRPC28WithRole is like ConnectRPC28 but sends an explicit
-	// role query parameter to the server. The workspace agent should
-	// use role "agent" to enable connection monitoring.
-	ConnectRPC28WithRole(ctx context.Context, role string) (
-		proto.DRPCAgentClient28, tailnetproto.DRPCTailnetClient28, error,
-	)
 	tailnet.DERPMapRewriter
 	agentsdk.RefreshableSessionTokenProvider
 }
@@ -1003,10 +997,8 @@ func (a *agent) run() (retErr error) {
 		return xerrors.Errorf("refresh token: %w", err)
 	}

-	// ConnectRPC returns the dRPC connection we use for the Agent and Tailnet v2+ APIs.
-	// We pass role "agent" to enable connection monitoring on the server, which tracks
-	// the agent's connectivity state (first_connected_at, last_connected_at, disconnected_at).
-	aAPI, tAPI, err := a.client.ConnectRPC28WithRole(a.hardCtx, "agent")
+	// ConnectRPC returns the dRPC connection we use for the Agent and Tailnet v2+ APIs
+	aAPI, tAPI, err := a.client.ConnectRPC28(a.hardCtx)
 	if err != nil {
 		return err
 	}
@@ -857,7 +857,7 @@ func TestAgent_Session_TTY_FastCommandHasOutput(t *testing.T) {
 	// not increase test times needlessly).
 	// Limit GOMAXPROCS (e.g. `export GOMAXPROCS=1`) to further increase
 	// chance of failure. Also -race helps.
-	for range 5 {
+	for i := 0; i < 5; i++ {
 		func() {
 			stdout.Reset()

@@ -906,7 +906,7 @@ func TestAgent_Session_TTY_HugeOutputIsNotLost(t *testing.T) {
 	// not increase test times needlessly). Run with -race and do not
 	// limit parallelism (`export GOMAXPROCS=10`) to increase the chance
 	// of failure.
-	for range 1 {
+	for i := 0; i < 1; i++ {
 		func() {
 			stdout.Reset()

@@ -175,7 +175,7 @@ func TestNewServer_CloseActiveConnections(t *testing.T) {
 			assert.Error(t, err) // Server is closed.
 		}()

-		for i := range waitConns {
+		for i := 0; i < len(waitConns); i++ {
 			waitConns[i] = make(chan struct{})
 			go func(ch chan struct{}) {
 				defer wg.Done()
@@ -124,12 +124,6 @@ func (c *Client) Close() {
 	c.derpMapOnce.Do(func() { close(c.derpMapUpdates) })
 }

-func (c *Client) ConnectRPC28WithRole(ctx context.Context, _ string) (
-	agentproto.DRPCAgentClient28, proto.DRPCTailnetClient28, error,
-) {
-	return c.ConnectRPC28(ctx)
-}
-
 func (c *Client) ConnectRPC28(ctx context.Context) (
 	agentproto.DRPCAgentClient28, proto.DRPCTailnetClient28, error,
 ) {
@@ -76,7 +76,7 @@ func TestAppHealth_Healthy(t *testing.T) {
 	fakeAPI, closeFn := setupAppReporter(ctx, t, slices.Clone(apps), handlers, mClock)
 	defer closeFn()
 	healthchecksStarted := make([]string, 2)
-	for i := range 2 {
+	for i := 0; i < 2; i++ {
 		c := healthcheckTrap.MustWait(ctx)
 		c.MustRelease(ctx)
 		healthchecksStarted[i] = c.Tags[1]
@@ -755,7 +755,7 @@ func TestBackedPipe_DuplicateReconnectionPrevention(t *testing.T) {
 	var wg sync.WaitGroup

 	// Start all goroutines
-	for i := range numConcurrent {
+	for i := 0; i < numConcurrent; i++ {
 		wg.Add(1)
 		go func(idx int) {
 			defer wg.Done()
@@ -778,7 +778,7 @@ func TestBackedPipe_DuplicateReconnectionPrevention(t *testing.T) {
 	}

 	// Wait for all ForceReconnect calls to join the singleflight operation.
-	for range numConcurrent {
+	for i := 0; i < numConcurrent; i++ {
 		testutil.RequireReceive(testCtx, t, enteredSignals)
 	}

@@ -435,7 +435,7 @@ func TestBackedReader_PartialReads(t *testing.T) {

 	// Read multiple times
 	buf := make([]byte, 10)
-	for range 5 {
+	for i := 0; i < 5; i++ {
 		n, err := br.Read(buf)
 		require.NoError(t, err)
 		require.Equal(t, 1, n)
@@ -882,7 +882,7 @@ func TestBackedWriter_MultipleWritesDuringReconnect(t *testing.T) {
 	writeResults := make([]error, numWriters)
 	writesStarted := make(chan struct{}, numWriters)

-	for i := range numWriters {
+	for i := 0; i < numWriters; i++ {
 		wg.Add(1)
 		go func(id int) {
 			defer wg.Done()
@@ -895,7 +895,7 @@ func TestBackedWriter_MultipleWritesDuringReconnect(t *testing.T) {

 	// Wait for all writes to start
 	ctx := testutil.Context(t, testutil.WaitLong)
-	for range numWriters {
+	for i := 0; i < numWriters; i++ {
 		testutil.RequireReceive(ctx, t, writesStarted)
 	}

@@ -980,7 +980,7 @@ func BenchmarkBackedWriter_Reconnect(b *testing.B) {

 	// Fill buffer with data
 	data := bytes.Repeat([]byte("x"), 1024)
-	for range 32 {
+	for i := 0; i < 32; i++ {
 		bw.Write(data)
 	}

@@ -247,7 +247,7 @@ func BenchmarkRingBuffer_Write(b *testing.B) {
 func BenchmarkRingBuffer_ReadLast(b *testing.B) {
 	rb := newRingBuffer(64 * 1024 * 1024) // 64MB for benchmarks
 	// Fill buffer with test data
-	for range 64 {
+	for i := 0; i < 64; i++ {
 		rb.Write(bytes.Repeat([]byte("x"), 1024))
 	}

@@ -243,12 +243,12 @@ func TestGraphThreadSafety(t *testing.T) {

 		barrier := make(chan struct{})
 		// Launch writers
-		for i := range numWriters {
+		for i := 0; i < numWriters; i++ {
 			wg.Add(1)
 			go func(writerID int) {
 				defer wg.Done()
 				<-barrier
-				for j := range operationsPerWriter {
+				for j := 0; j < operationsPerWriter; j++ {
 					from := &testGraphVertex{Name: fmt.Sprintf("writer-%d-%d", writerID, j)}
 					to := &testGraphVertex{Name: fmt.Sprintf("writer-%d-%d", writerID, j+1)}
 					graph.AddEdge(from, to, testEdgeCompleted)
@@ -262,7 +262,7 @@ func TestGraphThreadSafety(t *testing.T) {
 			readCount int
 		}, numReaders)

-		for i := range numReaders {
+		for i := 0; i < numReaders; i++ {
 			wg.Add(1)
 			go func(readerID int) {
 				defer wg.Done()
@@ -274,7 +274,7 @@ func TestGraphThreadSafety(t *testing.T) {
 				}()

 				readCount := 0
-				for j := range operationsPerReader {
+				for j := 0; j < operationsPerReader; j++ {
 					// Create a test vertex and read
 					testUnit := &testGraphVertex{Name: fmt.Sprintf("test-reader-%d-%d", readerID, j)}
 					forwardEdges := graph.GetForwardAdjacentVertices(testUnit)
@@ -323,7 +323,7 @@ func TestGraphThreadSafety(t *testing.T) {
 		cycleErrors := make([]error, numGoroutines)

 		// Launch goroutines trying to add D→A (creates cycle)
-		for i := range numGoroutines {
+		for i := 0; i < numGoroutines; i++ {
 			wg.Add(1)
 			go func(goroutineID int) {
 				defer wg.Done()
@@ -354,7 +354,7 @@ func TestGraphThreadSafety(t *testing.T) {
 		graph := &testGraph{}

 		// Pre-populate graph
-		for i := range 20 {
+		for i := 0; i < 20; i++ {
 			from := &testGraphVertex{Name: fmt.Sprintf("dot-unit-%d", i)}
 			to := &testGraphVertex{Name: fmt.Sprintf("dot-unit-%d", i+1)}
 			err := graph.AddEdge(from, to, testEdgeCompleted)
@@ -369,7 +369,7 @@ func TestGraphThreadSafety(t *testing.T) {

 		// Launch readers calling ToDOT
 		dotErrors := make([]error, numReaders)
-		for i := range numReaders {
+		for i := 0; i < numReaders; i++ {
 			wg.Add(1)
 			go func(readerID int) {
 				defer wg.Done()
@@ -383,7 +383,7 @@ func TestGraphThreadSafety(t *testing.T) {
 		}

 		// Launch writers adding edges
-		for i := range numWriters {
+		for i := 0; i < numWriters; i++ {
 			wg.Add(1)
 			go func(writerID int) {
 				defer wg.Done()
@@ -417,7 +417,7 @@ func BenchmarkGraph_ConcurrentMixedOperations(b *testing.B) {
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		// Launch goroutines performing random operations
-		for j := range numGoroutines {
+		for j := 0; j < numGoroutines; j++ {
 			wg.Add(1)
 			go func(goroutineID int) {
 				defer wg.Done()
@@ -3,11 +3,11 @@
 		"enabled": true,
 		"clientKind": "git",
 		"useIgnoreFile": true,
-		"defaultBranch": "main",
+		"defaultBranch": "main"
 	},
 	"files": {
 		"includes": ["**", "!**/pnpm-lock.yaml"],
-		"ignoreUnknown": true,
+		"ignoreUnknown": true
 	},
 	"linter": {
 		"rules": {
@@ -15,18 +15,18 @@
 				"noSvgWithoutTitle": "off",
 				"useButtonType": "off",
 				"useSemanticElements": "off",
-				"noStaticElementInteractions": "off",
+				"noStaticElementInteractions": "off"
 			},
-			"correctness": {
-				"noUnusedImports": "warn",
+		"correctness": {
+			"noUnusedImports": "warn",
 				"useUniqueElementIds": "off", // TODO: This is new but we want to fix it
 				"noNestedComponentDefinitions": "off", // TODO: Investigate, since it is used by shadcn components
-				"noUnusedVariables": {
-					"level": "warn",
+			"noUnusedVariables": {
+				"level": "warn",
 					"options": {
-						"ignoreRestSiblings": true,
-					},
-				},
+						"ignoreRestSiblings": true
+					}
+				}
 			},
 			"style": {
 				"noNonNullAssertion": "off",
@@ -45,10 +45,6 @@
 					"level": "error",
 					"options": {
 						"paths": {
-							"react": {
-								"message": "React 19 no longer requires forwardRef. Use ref as a prop instead.",
-								"importNames": ["forwardRef"],
-							},
 							// "@mui/material/Alert": "Use components/Alert/Alert instead.",
 							// "@mui/material/AlertTitle": "Use components/Alert/Alert instead.",
 							// "@mui/material/Autocomplete": "Use shadcn/ui Combobox instead.",
@@ -115,10 +111,10 @@
 							"@emotion/styled": "Use Tailwind CSS instead.",
 							// "@emotion/cache": "Use Tailwind CSS instead.",
 							// "components/Stack/Stack": "Use Tailwind flex utilities instead (e.g., <div className='flex flex-col gap-4'>).",
-							"lodash": "Use lodash/<name> instead.",
-						},
-					},
-				},
+							"lodash": "Use lodash/<name> instead."
+						}
+					}
+				}
 			},
 			"suspicious": {
 				"noArrayIndexKey": "off",
@@ -129,14 +125,14 @@
 				"noConsole": {
 					"level": "error",
 					"options": {
-						"allow": ["error", "info", "warn"],
-					},
-				},
+						"allow": ["error", "info", "warn"]
+					}
+				}
 			},
 			"complexity": {
-				"noImportantStyles": "off", // TODO: check and fix !important styles
-			},
-		},
+				"noImportantStyles": "off" // TODO: check and fix !important styles
+			}
+		}
 	},
-	"$schema": "./node_modules/@biomejs/biome/configuration_schema.json",
+	"$schema": "./node_modules/@biomejs/biome/configuration_schema.json"
 }
@@ -18,7 +18,7 @@ func TestQueue(t *testing.T) {
 		q := cliutil.NewQueue[int](10)
 		require.Equal(t, 0, q.Len())

-		for i := range 20 {
+		for i := 0; i < 20; i++ {
 			err := q.Push(i)
 			require.NoError(t, err)
 			if i < 10 {
@@ -38,13 +38,13 @@ func TestQueue(t *testing.T) {
 		t.Parallel()

 		q := cliutil.NewQueue[int](10)
-		for i := range 5 {
+		for i := 0; i < 5; i++ {
 			err := q.Push(i)
 			require.NoError(t, err)
 		}

 		// No blocking, should pop immediately.
-		for i := range 5 {
+		for i := 0; i < 5; i++ {
 			val, ok := q.Pop()
 			require.True(t, ok)
 			require.Equal(t, i, val)
@@ -94,13 +94,13 @@ func TestQueue(t *testing.T) {
 			return n + 1, true
 		})

-		for i := range 5 {
+		for i := 0; i < 5; i++ {
 			err := q.Push(i)
 			require.NoError(t, err)
 		}

 		got := []int{}
-		for range 4 {
+		for i := 0; i < 4; i++ {
 			val, ok := q.Pop()
 			require.True(t, ok)
 			got = append(got, val)
@@ -884,27 +884,16 @@ func (o *OrganizationContext) Selected(inv *serpent.Invocation, client *codersdk
 		index := slices.IndexFunc(orgs, func(org codersdk.Organization) bool {
 			return org.Name == o.FlagSelect || org.ID.String() == o.FlagSelect
 		})
-		if index >= 0 {
-			return orgs[index], nil
-		}

-		// Not in membership list - try direct fetch.
-		// This allows site-wide admins (e.g., Owners) to use orgs they aren't
-		// members of.
-		org, err := client.OrganizationByName(inv.Context(), o.FlagSelect)
-		if err != nil {
+		if index < 0 {
 			var names []string
 			for _, org := range orgs {
 				names = append(names, org.Name)
 			}
-			var sdkErr *codersdk.Error
-			if errors.As(err, &sdkErr) && sdkErr.StatusCode() == http.StatusNotFound {
-				return codersdk.Organization{}, xerrors.Errorf("organization %q not found, are you sure you are a member of this organization? "+
-					"Valid options for '--org=' are [%s].", o.FlagSelect, strings.Join(names, ", "))
-			}
-			return codersdk.Organization{}, xerrors.Errorf("get organization %q: %w", o.FlagSelect, err)
+			return codersdk.Organization{}, xerrors.Errorf("organization %q not found, are you sure you are a member of this organization? "+
+				"Valid options for '--org=' are [%s].", o.FlagSelect, strings.Join(names, ", "))
 		}
-		return org, nil
+		return orgs[index], nil
 	}

 	if len(orgs) == 1 {
@@ -95,7 +95,6 @@ import (
 	"github.com/coder/coder/v2/coderd/webpush"
 	"github.com/coder/coder/v2/coderd/workspaceapps/appurl"
 	"github.com/coder/coder/v2/coderd/workspacestats"
-	"github.com/coder/coder/v2/coderd/wsbuilder"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/drpcsdk"
 	"github.com/coder/coder/v2/cryptorand"
@@ -936,12 +935,6 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			options.StatsBatcher = batcher
 			defer closeBatcher()

-			wsBuilderMetrics, err := wsbuilder.NewMetrics(options.PrometheusRegistry)
-			if err != nil {
-				return xerrors.Errorf("failed to register workspace builder metrics: %w", err)
-			}
-			options.WorkspaceBuilderMetrics = wsBuilderMetrics
-
 			// Manage notifications.
 			var (
 				notificationsCfg     = options.DeploymentValues.Notifications
@@ -1125,7 +1118,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			autobuildTicker := time.NewTicker(vals.AutobuildPollInterval.Value())
 			defer autobuildTicker.Stop()
 			autobuildExecutor := autobuild.NewExecutor(
-				ctx, options.Database, options.Pubsub, coderAPI.FileCache, options.PrometheusRegistry, coderAPI.TemplateScheduleStore, &coderAPI.Auditor, coderAPI.AccessControlStore, coderAPI.BuildUsageChecker, logger, autobuildTicker.C, options.NotificationsEnqueuer, coderAPI.Experiments, coderAPI.WorkspaceBuilderMetrics)
+				ctx, options.Database, options.Pubsub, coderAPI.FileCache, options.PrometheusRegistry, coderAPI.TemplateScheduleStore, &coderAPI.Auditor, coderAPI.AccessControlStore, coderAPI.BuildUsageChecker, logger, autobuildTicker.C, options.NotificationsEnqueuer, coderAPI.Experiments)
 			autobuildExecutor.Run()

 			jobReaperTicker := time.NewTicker(vals.JobReaperDetectorInterval.Value())
@@ -17,8 +17,6 @@ func (r *RootCmd) tasksCommand() *serpent.Command {
 			r.taskDelete(),
 			r.taskList(),
 			r.taskLogs(),
-			r.taskPause(),
-			r.taskResume(),
 			r.taskSend(),
 			r.taskStatus(),
 		},
@@ -41,7 +41,8 @@ func Test_TaskLogs_Golden(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
+		userClient := client // user already has access to their own workspace

 		inv, root := clitest.New(t, "task", "logs", task.Name, "--output", "json")
 		output := clitest.Capture(inv)
@@ -64,7 +65,8 @@ func Test_TaskLogs_Golden(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
+		userClient := client

 		inv, root := clitest.New(t, "task", "logs", task.ID.String(), "--output", "json")
 		output := clitest.Capture(inv)
@@ -87,7 +89,8 @@ func Test_TaskLogs_Golden(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
+		userClient := client

 		inv, root := clitest.New(t, "task", "logs", task.ID.String())
 		output := clitest.Capture(inv)
@@ -141,7 +144,8 @@ func Test_TaskLogs_Golden(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsErr(assert.AnError))
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsErr(assert.AnError))
+		userClient := client

 		inv, root := clitest.New(t, "task", "logs", task.ID.String())
 		clitest.SetupConfig(t, userClient, root)
@@ -197,7 +201,8 @@ func Test_TaskLogs_Golden(t *testing.T) {
 	t.Run("SnapshotWithoutLogs_NoSnapshotCaptured", func(t *testing.T) {
 		t.Parallel()

-		userClient, task := setupCLITaskTestWithoutSnapshot(t, codersdk.TaskStatusPaused)
+		client, task := setupCLITaskTestWithoutSnapshot(t, codersdk.TaskStatusPaused)
+		userClient := client

 		inv, root := clitest.New(t, "task", "logs", task.Name)
 		output := clitest.Capture(inv)
@@ -1,90 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"time"
-
-	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/v2/cli/cliui"
-	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/pretty"
-	"github.com/coder/serpent"
-)
-
-func (r *RootCmd) taskPause() *serpent.Command {
-	cmd := &serpent.Command{
-		Use:   "pause <task>",
-		Short: "Pause a task",
-		Long: FormatExamples(
-			Example{
-				Description: "Pause a task by name",
-				Command:     "coder task pause my-task",
-			},
-			Example{
-				Description: "Pause another user's task",
-				Command:     "coder task pause alice/my-task",
-			},
-			Example{
-				Description: "Pause a task without confirmation",
-				Command:     "coder task pause my-task --yes",
-			},
-		),
-		Middleware: serpent.Chain(
-			serpent.RequireNArgs(1),
-		),
-		Options: serpent.OptionSet{
-			cliui.SkipPromptOption(),
-		},
-		Handler: func(inv *serpent.Invocation) error {
-			ctx := inv.Context()
-			client, err := r.InitClient(inv)
-			if err != nil {
-				return err
-			}
-
-			task, err := client.TaskByIdentifier(ctx, inv.Args[0])
-			if err != nil {
-				return xerrors.Errorf("resolve task %q: %w", inv.Args[0], err)
-			}
-
-			display := fmt.Sprintf("%s/%s", task.OwnerName, task.Name)
-
-			if task.Status == codersdk.TaskStatusPaused {
-				return xerrors.Errorf("task %q is already paused", display)
-			}
-
-			_, err = cliui.Prompt(inv, cliui.PromptOptions{
-				Text:      fmt.Sprintf("Pause task %s?", pretty.Sprint(cliui.DefaultStyles.Code, display)),
-				IsConfirm: true,
-				Default:   cliui.ConfirmNo,
-			})
-			if err != nil {
-				return err
-			}
-
-			resp, err := client.PauseTask(ctx, task.OwnerName, task.ID)
-			if err != nil {
-				return xerrors.Errorf("pause task %q: %w", display, err)
-			}
-
-			if resp.WorkspaceBuild == nil {
-				return xerrors.Errorf("pause task %q: no workspace build returned", display)
-			}
-
-			err = cliui.WorkspaceBuild(ctx, inv.Stdout, client, resp.WorkspaceBuild.ID)
-			if err != nil {
-				return xerrors.Errorf("watch pause build for task %q: %w", display, err)
-			}
-
-			_, _ = fmt.Fprintf(
-				inv.Stdout,
-				"\nThe %s task has been paused at %s!\n",
-				cliui.Keyword(task.Name),
-				cliui.Timestamp(time.Now()),
-			)
-			return nil
-		},
-	}
-	return cmd
-}
@@ -1,144 +0,0 @@
-package cli_test
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/v2/cli/clitest"
-	"github.com/coder/coder/v2/coderd/coderdtest"
-	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/pty/ptytest"
-	"github.com/coder/coder/v2/testutil"
-)
-
-func TestExpTaskPause(t *testing.T) {
-	t.Parallel()
-
-	t.Run("WithYesFlag", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A running task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-
-		// When: We attempt to pause the task
-		inv, root := clitest.New(t, "task", "pause", task.Name, "--yes")
-		output := clitest.Capture(inv)
-		clitest.SetupConfig(t, userClient, root)
-
-		// Then: Expect the task to be paused
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-		require.Contains(t, output.Stdout(), "has been paused")
-
-		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusPaused, updated.Status)
-	})
-
-	// OtherUserTask verifies that an admin can pause a task owned by
-	// another user using the "owner/name" identifier format.
-	t.Run("OtherUserTask", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A different user's running task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		adminClient, _, task := setupCLITaskTest(setupCtx, t, nil)
-
-		// When: We attempt to pause their task
-		identifier := fmt.Sprintf("%s/%s", task.OwnerName, task.Name)
-		inv, root := clitest.New(t, "task", "pause", identifier, "--yes")
-		output := clitest.Capture(inv)
-		clitest.SetupConfig(t, adminClient, root)
-
-		// Then: We expect the task to be paused
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-		require.Contains(t, output.Stdout(), "has been paused")
-
-		updated, err := adminClient.TaskByIdentifier(ctx, identifier)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusPaused, updated.Status)
-	})
-
-	t.Run("PromptConfirm", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A running task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-
-		// When: We attempt to pause the task
-		inv, root := clitest.New(t, "task", "pause", task.Name)
-		clitest.SetupConfig(t, userClient, root)
-
-		// And: We confirm we want to pause the task
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		inv = inv.WithContext(ctx)
-		pty := ptytest.New(t).Attach(inv)
-		w := clitest.StartWithWaiter(t, inv)
-		pty.ExpectMatchContext(ctx, "Pause task")
-		pty.WriteLine("yes")
-
-		// Then: We expect the task to be paused
-		pty.ExpectMatchContext(ctx, "has been paused")
-		require.NoError(t, w.Wait())
-
-		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusPaused, updated.Status)
-	})
-
-	t.Run("PromptDecline", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A running task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-
-		// When: We attempt to pause the task
-		inv, root := clitest.New(t, "task", "pause", task.Name)
-		clitest.SetupConfig(t, userClient, root)
-
-		// But: We say no at the confirmation screen
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		inv = inv.WithContext(ctx)
-		pty := ptytest.New(t).Attach(inv)
-		w := clitest.StartWithWaiter(t, inv)
-		pty.ExpectMatchContext(ctx, "Pause task")
-		pty.WriteLine("no")
-		require.Error(t, w.Wait())
-
-		// Then: We expect the task to not be paused
-		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
-		require.NoError(t, err)
-		require.NotEqual(t, codersdk.TaskStatusPaused, updated.Status)
-	})
-
-	t.Run("TaskAlreadyPaused", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A running task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-
-		// And: We paused the running task
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		resp, err := userClient.PauseTask(ctx, task.OwnerName, task.ID)
-		require.NoError(t, err)
-		require.NotNil(t, resp.WorkspaceBuild)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, userClient, resp.WorkspaceBuild.ID)
-
-		// When: We attempt to pause the task again
-		inv, root := clitest.New(t, "task", "pause", task.Name, "--yes")
-		clitest.SetupConfig(t, userClient, root)
-
-		// Then: We expect to get an error that the task is already paused
-		err = inv.WithContext(ctx).Run()
-		require.ErrorContains(t, err, "is already paused")
-	})
-}
@@ -1,95 +0,0 @@
-package cli
-
-import (
-	"fmt"
-
-	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/v2/cli/cliui"
-	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/pretty"
-	"github.com/coder/serpent"
-)
-
-func (r *RootCmd) taskResume() *serpent.Command {
-	var noWait bool
-
-	cmd := &serpent.Command{
-		Use:   "resume <task>",
-		Short: "Resume a task",
-		Long: FormatExamples(
-			Example{
-				Description: "Resume a task by name",
-				Command:     "coder task resume my-task",
-			},
-			Example{
-				Description: "Resume another user's task",
-				Command:     "coder task resume alice/my-task",
-			},
-			Example{
-				Description: "Resume a task without confirmation",
-				Command:     "coder task resume my-task --yes",
-			},
-		),
-		Middleware: serpent.Chain(
-			serpent.RequireNArgs(1),
-		),
-		Options: serpent.OptionSet{
-			{
-				Flag:        "no-wait",
-				Description: "Return immediately after resuming the task.",
-				Value:       serpent.BoolOf(&noWait),
-			},
-			cliui.SkipPromptOption(),
-		},
-		Handler: func(inv *serpent.Invocation) error {
-			ctx := inv.Context()
-			client, err := r.InitClient(inv)
-			if err != nil {
-				return err
-			}
-
-			task, err := client.TaskByIdentifier(ctx, inv.Args[0])
-			if err != nil {
-				return xerrors.Errorf("resolve task %q: %w", inv.Args[0], err)
-			}
-
-			display := fmt.Sprintf("%s/%s", task.OwnerName, task.Name)
-
-			if task.Status == codersdk.TaskStatusError || task.Status == codersdk.TaskStatusUnknown {
-				return xerrors.Errorf("task %q is in %s state and cannot be resumed; check the workspace build logs and agent status for details", display, task.Status)
-			} else if task.Status != codersdk.TaskStatusPaused {
-				return xerrors.Errorf("task %q cannot be resumed (current status: %s)", display, task.Status)
-			}
-
-			_, err = cliui.Prompt(inv, cliui.PromptOptions{
-				Text:      fmt.Sprintf("Resume task %s?", pretty.Sprint(cliui.DefaultStyles.Code, display)),
-				IsConfirm: true,
-				Default:   cliui.ConfirmNo,
-			})
-			if err != nil {
-				return err
-			}
-
-			resp, err := client.ResumeTask(ctx, task.OwnerName, task.ID)
-			if err != nil {
-				return xerrors.Errorf("resume task %q: %w", display, err)
-			} else if resp.WorkspaceBuild == nil {
-				return xerrors.Errorf("resume task %q: no workspace build returned", display)
-			}
-
-			if noWait {
-				_, _ = fmt.Fprintf(inv.Stdout, "Resuming task %q in the background.\n", cliui.Keyword(display))
-				return nil
-			}
-
-			if err = cliui.WorkspaceBuild(ctx, inv.Stdout, client, resp.WorkspaceBuild.ID); err != nil {
-				return xerrors.Errorf("watch resume build for task %q: %w", display, err)
-			}
-
-			_, _ = fmt.Fprintf(inv.Stdout, "\nThe %s task has been resumed.\n", cliui.Keyword(display))
-			return nil
-		},
-	}
-	return cmd
-}
@@ -1,183 +0,0 @@
-package cli_test
-
-import (
-	"context"
-	"fmt"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/v2/cli/clitest"
-	"github.com/coder/coder/v2/coderd/coderdtest"
-	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/pty/ptytest"
-	"github.com/coder/coder/v2/testutil"
-)
-
-func TestExpTaskResume(t *testing.T) {
-	t.Parallel()
-
-	// pauseTask is a helper that pauses a task and waits for the stop
-	// build to complete.
-	pauseTask := func(ctx context.Context, t *testing.T, client *codersdk.Client, task codersdk.Task) {
-		t.Helper()
-
-		pauseResp, err := client.PauseTask(ctx, task.OwnerName, task.ID)
-		require.NoError(t, err)
-		require.NotNil(t, pauseResp.WorkspaceBuild)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, pauseResp.WorkspaceBuild.ID)
-	}
-
-	t.Run("WithYesFlag", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A paused task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-		pauseTask(setupCtx, t, userClient, task)
-
-		// When: We attempt to resume the task
-		inv, root := clitest.New(t, "task", "resume", task.Name, "--yes")
-		output := clitest.Capture(inv)
-		clitest.SetupConfig(t, userClient, root)
-
-		// Then: We expect the task to be resumed
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-		require.Contains(t, output.Stdout(), "has been resumed")
-
-		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusInitializing, updated.Status)
-	})
-
-	// OtherUserTask verifies that an admin can resume a task owned by
-	// another user using the "owner/name" identifier format.
-	t.Run("OtherUserTask", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A different user's paused task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		adminClient, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-		pauseTask(setupCtx, t, userClient, task)
-
-		// When: We attempt to resume their task
-		identifier := fmt.Sprintf("%s/%s", task.OwnerName, task.Name)
-		inv, root := clitest.New(t, "task", "resume", identifier, "--yes")
-		output := clitest.Capture(inv)
-		clitest.SetupConfig(t, adminClient, root)
-
-		// Then: We expect the task to be resumed
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-		require.Contains(t, output.Stdout(), "has been resumed")
-
-		updated, err := adminClient.TaskByIdentifier(ctx, identifier)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusInitializing, updated.Status)
-	})
-
-	t.Run("NoWait", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A paused task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-		pauseTask(setupCtx, t, userClient, task)
-
-		// When: We attempt to resume the task (and specify no wait)
-		inv, root := clitest.New(t, "task", "resume", task.Name, "--yes", "--no-wait")
-		output := clitest.Capture(inv)
-		clitest.SetupConfig(t, userClient, root)
-
-		// Then: We expect the task to be resumed in the background
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-		require.Contains(t, output.Stdout(), "in the background")
-
-		// And: The task to eventually be resumed
-		require.True(t, task.WorkspaceID.Valid, "task should have a workspace ID")
-		ws := coderdtest.MustWorkspace(t, userClient, task.WorkspaceID.UUID)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, userClient, ws.LatestBuild.ID)
-
-		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusInitializing, updated.Status)
-	})
-
-	t.Run("PromptConfirm", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A paused task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-		pauseTask(setupCtx, t, userClient, task)
-
-		// When: We attempt to resume the task
-		inv, root := clitest.New(t, "task", "resume", task.Name)
-		clitest.SetupConfig(t, userClient, root)
-
-		// And: We confirm we want to resume the task
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		inv = inv.WithContext(ctx)
-		pty := ptytest.New(t).Attach(inv)
-		w := clitest.StartWithWaiter(t, inv)
-		pty.ExpectMatchContext(ctx, "Resume task")
-		pty.WriteLine("yes")
-
-		// Then: We expect the task to be resumed
-		pty.ExpectMatchContext(ctx, "has been resumed")
-		require.NoError(t, w.Wait())
-
-		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusInitializing, updated.Status)
-	})
-
-	t.Run("PromptDecline", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A paused task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-		pauseTask(setupCtx, t, userClient, task)
-
-		// When: We attempt to resume the task
-		inv, root := clitest.New(t, "task", "resume", task.Name)
-		clitest.SetupConfig(t, userClient, root)
-
-		// But: Say no at the confirmation screen
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		inv = inv.WithContext(ctx)
-		pty := ptytest.New(t).Attach(inv)
-		w := clitest.StartWithWaiter(t, inv)
-		pty.ExpectMatchContext(ctx, "Resume task")
-		pty.WriteLine("no")
-		require.Error(t, w.Wait())
-
-		// Then: We expect the task to still be paused
-		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.TaskStatusPaused, updated.Status)
-	})
-
-	t.Run("TaskNotPaused", func(t *testing.T) {
-		t.Parallel()
-
-		// Given: A running task
-		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
-
-		// When: We attempt to resume the task that is not paused
-		inv, root := clitest.New(t, "task", "resume", task.Name, "--yes")
-		clitest.SetupConfig(t, userClient, root)
-
-		// Then: We expect to get an error that the task is not paused
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		err := inv.WithContext(ctx).Run()
-		require.ErrorContains(t, err, "cannot be resumed")
-	})
-}
@@ -25,7 +25,8 @@ func Test_TaskSend(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
+		userClient := client

 		var stdout strings.Builder
 		inv, root := clitest.New(t, "task", "send", task.Name, "carry on with the task")
@@ -41,7 +42,8 @@ func Test_TaskSend(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
+		userClient := client

 		var stdout strings.Builder
 		inv, root := clitest.New(t, "task", "send", task.ID.String(), "carry on with the task")
@@ -57,7 +59,8 @@ func Test_TaskSend(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
+		userClient := client

 		var stdout strings.Builder
 		inv, root := clitest.New(t, "task", "send", task.Name, "--stdin")
@@ -110,7 +113,7 @@ func Test_TaskSend(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendErr(t, assert.AnError))
+		userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendErr(t, assert.AnError))

 		var stdout strings.Builder
 		inv, root := clitest.New(t, "task", "send", task.Name, "some task input")
@@ -120,40 +120,6 @@ func Test_Tasks(t *testing.T) {
 				require.Equal(t, logs[2].Type, codersdk.TaskLogTypeOutput, "third message should be an output")
 			},
 		},
-		{
-			name:    "pause task",
-			cmdArgs: []string{"task", "pause", taskName, "--yes"},
-			assertFn: func(stdout string, userClient *codersdk.Client) {
-				require.Contains(t, stdout, "has been paused", "pause output should confirm task was paused")
-			},
-		},
-		{
-			name:    "get task status after pause",
-			cmdArgs: []string{"task", "status", taskName, "--output", "json"},
-			assertFn: func(stdout string, userClient *codersdk.Client) {
-				var task codersdk.Task
-				require.NoError(t, json.NewDecoder(strings.NewReader(stdout)).Decode(&task), "should unmarshal task status")
-				require.Equal(t, taskName, task.Name, "task name should match")
-				require.Equal(t, codersdk.TaskStatusPaused, task.Status, "task should be paused")
-			},
-		},
-		{
-			name:    "resume task",
-			cmdArgs: []string{"task", "resume", taskName, "--yes"},
-			assertFn: func(stdout string, userClient *codersdk.Client) {
-				require.Contains(t, stdout, "has been resumed", "resume output should confirm task was resumed")
-			},
-		},
-		{
-			name:    "get task status after resume",
-			cmdArgs: []string{"task", "status", taskName, "--output", "json"},
-			assertFn: func(stdout string, userClient *codersdk.Client) {
-				var task codersdk.Task
-				require.NoError(t, json.NewDecoder(strings.NewReader(stdout)).Decode(&task), "should unmarshal task status")
-				require.Equal(t, taskName, task.Name, "task name should match")
-				require.Equal(t, codersdk.TaskStatusInitializing, task.Status, "task should be initializing after resume")
-			},
-		},
 		{
 			name:    "delete task",
 			cmdArgs: []string{"task", "delete", taskName, "--yes"},
@@ -272,17 +238,17 @@ func fakeAgentAPIEcho(ctx context.Context, t testing.TB, initMsg agentapisdk.Mes
 // setupCLITaskTest creates a test workspace with an AI task template and agent,
 // with a fake agent API configured with the provided set of handlers.
 // Returns the user client and workspace.
-func setupCLITaskTest(ctx context.Context, t *testing.T, agentAPIHandlers map[string]http.HandlerFunc) (ownerClient *codersdk.Client, memberClient *codersdk.Client, task codersdk.Task) {
+func setupCLITaskTest(ctx context.Context, t *testing.T, agentAPIHandlers map[string]http.HandlerFunc) (*codersdk.Client, codersdk.Task) {
 	t.Helper()

-	ownerClient = coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-	owner := coderdtest.CreateFirstUser(t, ownerClient)
-	userClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID)
+	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+	owner := coderdtest.CreateFirstUser(t, client)
+	userClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)

 	fakeAPI := startFakeAgentAPI(t, agentAPIHandlers)

 	authToken := uuid.NewString()
-	template := createAITaskTemplate(t, ownerClient, owner.OrganizationID, withSidebarURL(fakeAPI.URL()), withAgentToken(authToken))
+	template := createAITaskTemplate(t, client, owner.OrganizationID, withSidebarURL(fakeAPI.URL()), withAgentToken(authToken))

 	wantPrompt := "test prompt"
 	task, err := userClient.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
@@ -296,17 +262,17 @@ func setupCLITaskTest(ctx context.Context, t *testing.T, agentAPIHandlers map[st
 	require.True(t, task.WorkspaceID.Valid, "task should have a workspace ID")
 	workspace, err := userClient.Workspace(ctx, task.WorkspaceID.UUID)
 	require.NoError(t, err)
-	coderdtest.AwaitWorkspaceBuildJobCompleted(t, userClient, workspace.LatestBuild.ID)
+	coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)

-	agentClient := agentsdk.New(userClient.URL, agentsdk.WithFixedToken(authToken))
-	_ = agenttest.New(t, userClient.URL, authToken, func(o *agent.Options) {
+	agentClient := agentsdk.New(client.URL, agentsdk.WithFixedToken(authToken))
+	_ = agenttest.New(t, client.URL, authToken, func(o *agent.Options) {
 		o.Client = agentClient
 	})

-	coderdtest.NewWorkspaceAgentWaiter(t, userClient, workspace.ID).
+	coderdtest.NewWorkspaceAgentWaiter(t, client, workspace.ID).
 		WaitFor(coderdtest.AgentsReady)

-	return ownerClient, userClient, task
+	return userClient, task
 }

 // setupCLITaskTestWithSnapshot creates a task in the specified status with a log snapshot.
@@ -141,7 +141,6 @@ type templateVersionRow struct {
 	TemplateVersion codersdk.TemplateVersion `table:"-"`

 	// For table format:
-	ID        string    `json:"-" table:"id"`
 	Name      string    `json:"-" table:"name,default_sort"`
 	CreatedAt time.Time `json:"-" table:"created at"`
 	CreatedBy string    `json:"-" table:"created by"`
@@ -167,7 +166,6 @@ func templateVersionsToRows(activeVersionID uuid.UUID, templateVersions ...coder

 		rows[i] = templateVersionRow{
 			TemplateVersion: templateVersion,
-			ID:              templateVersion.ID.String(),
 			Name:            templateVersion.Name,
 			CreatedAt:       templateVersion.CreatedAt,
 			CreatedBy:       templateVersion.CreatedBy.Username,
@@ -12,8 +12,6 @@ SUBCOMMANDS:
    delete    Delete tasks
    list      List tasks
    logs      Show a task's logs
-    pause     Pause a task
-    resume    Resume a task
    send      Send input to a task
    status    Show the status of a task.

@@ -1,25 +0,0 @@
-coder v0.0.0-devel
-
-USAGE:
-  coder task pause [flags] <task>
-
-  Pause a task
-
-    - Pause a task by name:
-  
-       $ coder task pause my-task
-  
-    - Pause another user's task:
-  
-       $ coder task pause alice/my-task
-  
-    - Pause a task without confirmation:
-  
-       $ coder task pause my-task --yes
-
-OPTIONS:
-  -y, --yes bool
-          Bypass confirmation prompts.
-
-———
-Run `coder --help` for a list of global options.
@@ -1,28 +0,0 @@
-coder v0.0.0-devel
-
-USAGE:
-  coder task resume [flags] <task>
-
-  Resume a task
-
-    - Resume a task by name:
-  
-       $ coder task resume my-task
-  
-    - Resume another user's task:
-  
-       $ coder task resume alice/my-task
-  
-    - Resume a task without confirmation:
-  
-       $ coder task resume my-task --yes
-
-OPTIONS:
-      --no-wait bool
-          Return immediately after resuming the task.
-
-  -y, --yes bool
-          Bypass confirmation prompts.
-
-———
-Run `coder --help` for a list of global options.
@@ -9,7 +9,7 @@ OPTIONS:
  -O, --org string, $CODER_ORGANIZATION
          Select which organization (uuid or name) to use.

-  -c, --column [id|name|created at|created by|status|active|archived] (default: name,created at,created by,status,active)
+  -c, --column [name|created at|created by|status|active|archived] (default: name,created at,created by,status,active)
          Columns to display in table output.

      --include-archived bool
@@ -27,7 +27,7 @@ USAGE:
 SUBCOMMANDS:
    create    Create a token
    list      List tokens
-    remove    Expire or delete a token
+    remove    Delete a token
    view      Display detailed information about a token

 ———
@@ -15,10 +15,6 @@ OPTIONS:
  -c, --column [id|name|scopes|allow list|last used|expires at|created at|owner] (default: id,name,scopes,allow list,last used,expires at,created at)
          Columns to display in table output.

-      --include-expired bool
-          Include expired tokens in the output. By default, expired tokens are
-          hidden.
-
  -o, --output table|json (default: table)
          Output format.

@@ -1,19 +1,11 @@
 coder v0.0.0-devel

 USAGE:
-  coder tokens remove [flags] <name|id|token>
+  coder tokens remove <name|id|token>

-  Expire or delete a token
+  Delete a token

  Aliases: delete, rm

-  Remove a token by expiring it. Use --delete to permanently hard-delete the
-  token instead.
-
-OPTIONS:
-      --delete bool
-          Permanently delete the token instead of expiring it. This removes the
-          audit trail.
-
 ———
 Run `coder --help` for a list of global options.
@@ -218,10 +218,9 @@ func (r *RootCmd) listTokens() *serpent.Command {
 	}

 	var (
-		all            bool
-		includeExpired bool
-		displayTokens  []tokenListRow
-		formatter      = cliui.NewOutputFormatter(
+		all           bool
+		displayTokens []tokenListRow
+		formatter     = cliui.NewOutputFormatter(
 			cliui.TableFormat([]tokenListRow{}, defaultCols),
 			cliui.JSONFormat(),
 		)
@@ -247,20 +246,6 @@ func (r *RootCmd) listTokens() *serpent.Command {
 				return xerrors.Errorf("list tokens: %w", err)
 			}

-			// Filter out expired tokens unless --include-expired is set
-			// TODO(Cian): This _could_ get too big for client-side filtering.
-			// If it causes issues, we can filter server-side.
-			if !includeExpired {
-				now := time.Now()
-				filtered := make([]codersdk.APIKeyWithOwner, 0, len(tokens))
-				for _, token := range tokens {
-					if token.ExpiresAt.After(now) {
-						filtered = append(filtered, token)
-					}
-				}
-				tokens = filtered
-			}
-
 			displayTokens = make([]tokenListRow, len(tokens))

 			for i, token := range tokens {
@@ -289,12 +274,6 @@ func (r *RootCmd) listTokens() *serpent.Command {
 			Description:   "Specifies whether all users' tokens will be listed or not (must have Owner role to see all tokens).",
 			Value:         serpent.BoolOf(&all),
 		},
-		{
-			Name:        "include-expired",
-			Flag:        "include-expired",
-			Description: "Include expired tokens in the output. By default, expired tokens are hidden.",
-			Value:       serpent.BoolOf(&includeExpired),
-		},
 	}

 	formatter.AttachOptions(&cmd.Options)
@@ -344,13 +323,10 @@ func (r *RootCmd) viewToken() *serpent.Command {
 }

 func (r *RootCmd) removeToken() *serpent.Command {
-	var deleteToken bool
 	cmd := &serpent.Command{
 		Use:     "remove <name|id|token>",
 		Aliases: []string{"delete"},
-		Short:   "Expire or delete a token",
-		Long: "Remove a token by expiring it. Use --delete to permanently hard-" +
-			"delete the token instead.",
+		Short:   "Delete a token",
 		Middleware: serpent.Chain(
 			serpent.RequireNArgs(1),
 		),
@@ -362,7 +338,7 @@ func (r *RootCmd) removeToken() *serpent.Command {

 			token, err := client.APIKeyByName(inv.Context(), codersdk.Me, inv.Args[0])
 			if err != nil {
-				// If it's a token, we need to extract the ID.
+				// If it's a token, we need to extract the ID
 				maybeID := strings.Split(inv.Args[0], "-")[0]
 				token, err = client.APIKeyByID(inv.Context(), codersdk.Me, maybeID)
 				if err != nil {
@@ -370,29 +346,17 @@ func (r *RootCmd) removeToken() *serpent.Command {
 				}
 			}

-			if deleteToken {
-				err = client.DeleteAPIKey(inv.Context(), codersdk.Me, token.ID)
-				if err != nil {
-					return xerrors.Errorf("delete api key: %w", err)
-				}
-				cliui.Infof(inv.Stdout, "Token has been deleted.")
-				return nil
-			}
-
-			err = client.ExpireAPIKey(inv.Context(), codersdk.Me, token.ID)
+			err = client.DeleteAPIKey(inv.Context(), codersdk.Me, token.ID)
 			if err != nil {
-				return xerrors.Errorf("expire api key: %w", err)
+				return xerrors.Errorf("delete api key: %w", err)
 			}
-			cliui.Infof(inv.Stdout, "Token has been expired.")
-			return nil
-		},
-	}

-	cmd.Options = serpent.OptionSet{
-		{
-			Flag:        "delete",
-			Description: "Permanently delete the token instead of expiring it. This removes the audit trail.",
-			Value:       serpent.BoolOf(&deleteToken),
+			cliui.Infof(
+				inv.Stdout,
+				"Token has been deleted.",
+			)
+
+			return nil
 		},
 	}

@@ -6,16 +6,12 @@ import (
 	"encoding/json"
 	"fmt"
 	"testing"
-	"time"

 	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/v2/cli/clitest"
 	"github.com/coder/coder/v2/coderd/coderdtest"
-	"github.com/coder/coder/v2/coderd/database"
-	"github.com/coder/coder/v2/coderd/database/dbgen"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/testutil"
 )
@@ -26,7 +22,7 @@ func TestTokens(t *testing.T) {
 	adminUser := coderdtest.CreateFirstUser(t, client)

 	secondUserClient, secondUser := coderdtest.CreateAnotherUser(t, client, adminUser.OrganizationID)
-	thirdUserClient, thirdUser := coderdtest.CreateAnotherUser(t, client, adminUser.OrganizationID)
+	_, thirdUser := coderdtest.CreateAnotherUser(t, client, adminUser.OrganizationID)

 	ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitLong)
 	defer cancelFunc()
@@ -159,7 +155,7 @@ func TestTokens(t *testing.T) {
 	require.Len(t, scopedToken.AllowList, 1)
 	require.Equal(t, allowSpec, scopedToken.AllowList[0].String())

-	// Delete by name (default behavior is now expire)
+	// Delete by name
 	inv, root = clitest.New(t, "tokens", "rm", "token-one")
 	clitest.SetupConfig(t, client, root)
 	buf = new(bytes.Buffer)
@@ -168,42 +164,21 @@ func TestTokens(t *testing.T) {
 	require.NoError(t, err)
 	res = buf.String()
 	require.NotEmpty(t, res)
-	require.Contains(t, res, "expired")
-
-	// Regular users cannot expire other users' tokens (expire is default now).
-	inv, root = clitest.New(t, "tokens", "rm", secondTokenID)
-	clitest.SetupConfig(t, thirdUserClient, root)
-	buf = new(bytes.Buffer)
-	inv.Stdout = buf
-	err = inv.WithContext(ctx).Run()
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "not found")
-
-	// Only admin users can expire other users' tokens (expire is default now).
-	inv, root = clitest.New(t, "tokens", "rm", secondTokenID)
-	clitest.SetupConfig(t, client, root)
-	buf = new(bytes.Buffer)
-	inv.Stdout = buf
-	err = inv.WithContext(ctx).Run()
-	require.NoError(t, err)
-	// Validate that token was expired
-	if token, err := client.APIKeyByName(ctx, secondUser.ID.String(), "token-two"); assert.NoError(t, err) {
-		require.True(t, token.ExpiresAt.Before(time.Now()))
-	}
-
-	// Delete by ID (explicit delete flag)
-	inv, root = clitest.New(t, "tokens", "rm", "--delete", secondTokenID)
-	clitest.SetupConfig(t, client, root)
-	buf = new(bytes.Buffer)
-	inv.Stdout = buf
-	err = inv.WithContext(ctx).Run()
-	require.NoError(t, err)
-	res = buf.String()
-	require.NotEmpty(t, res)
 	require.Contains(t, res, "deleted")

-	// Delete scoped token by ID (explicit delete flag)
-	inv, root = clitest.New(t, "tokens", "rm", "--delete", scopedTokenID)
+	// Delete by ID
+	inv, root = clitest.New(t, "tokens", "rm", secondTokenID)
+	clitest.SetupConfig(t, client, root)
+	buf = new(bytes.Buffer)
+	inv.Stdout = buf
+	err = inv.WithContext(ctx).Run()
+	require.NoError(t, err)
+	res = buf.String()
+	require.NotEmpty(t, res)
+	require.Contains(t, res, "deleted")
+
+	// Delete scoped token by ID
+	inv, root = clitest.New(t, "tokens", "rm", scopedTokenID)
 	clitest.SetupConfig(t, client, root)
 	buf = new(bytes.Buffer)
 	inv.Stdout = buf
@@ -224,8 +199,8 @@ func TestTokens(t *testing.T) {
 	require.NotEmpty(t, res)
 	fourthToken := res

-	// Delete by token (explicit delete flag)
-	inv, root = clitest.New(t, "tokens", "rm", "--delete", fourthToken)
+	// Delete by token
+	inv, root = clitest.New(t, "tokens", "rm", fourthToken)
 	clitest.SetupConfig(t, client, root)
 	buf = new(bytes.Buffer)
 	inv.Stdout = buf
@@ -235,114 +210,3 @@ func TestTokens(t *testing.T) {
 	require.NotEmpty(t, res)
 	require.Contains(t, res, "deleted")
 }
-
-func TestTokensListExpiredFiltering(t *testing.T) {
-	t.Parallel()
-
-	client, _, api := coderdtest.NewWithAPI(t, nil)
-	owner := coderdtest.CreateFirstUser(t, client)
-
-	// Create a valid (non-expired) token
-	validToken, _ := dbgen.APIKey(t, api.Database, database.APIKey{
-		UserID:    owner.UserID,
-		ExpiresAt: time.Now().Add(24 * time.Hour),
-		LoginType: database.LoginTypeToken,
-		TokenName: "valid-token",
-	})
-
-	// Create an expired token
-	expiredToken, _ := dbgen.APIKey(t, api.Database, database.APIKey{
-		UserID:    owner.UserID,
-		ExpiresAt: time.Now().Add(-24 * time.Hour),
-		LoginType: database.LoginTypeToken,
-		TokenName: "expired-token",
-	})
-
-	t.Run("HidesExpiredByDefault", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
-
-		inv, root := clitest.New(t, "tokens", "ls")
-		clitest.SetupConfig(t, client, root)
-		buf := new(bytes.Buffer)
-		inv.Stdout = buf
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		res := buf.String()
-		require.Contains(t, res, validToken.ID)
-		require.Contains(t, res, "valid-token")
-		require.NotContains(t, res, expiredToken.ID)
-		require.NotContains(t, res, "expired-token")
-	})
-
-	t.Run("ShowsExpiredWithFlag", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
-
-		inv, root := clitest.New(t, "tokens", "ls", "--include-expired")
-		clitest.SetupConfig(t, client, root)
-		buf := new(bytes.Buffer)
-		inv.Stdout = buf
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		res := buf.String()
-		require.Contains(t, res, validToken.ID)
-		require.Contains(t, res, "valid-token")
-		require.Contains(t, res, expiredToken.ID)
-		require.Contains(t, res, "expired-token")
-	})
-
-	t.Run("JSONOutputRespectsFilter", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
-
-		// Default (no expired)
-		inv, root := clitest.New(t, "tokens", "ls", "--output=json")
-		clitest.SetupConfig(t, client, root)
-		buf := new(bytes.Buffer)
-		inv.Stdout = buf
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		res := buf.String()
-		require.Contains(t, res, "valid-token")
-		require.NotContains(t, res, "expired-token")
-
-		// With --include-expired
-		inv, root = clitest.New(t, "tokens", "ls", "--output=json", "--include-expired")
-		clitest.SetupConfig(t, client, root)
-		buf = new(bytes.Buffer)
-		inv.Stdout = buf
-		err = inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		res = buf.String()
-		require.Contains(t, res, "valid-token")
-		require.Contains(t, res, "expired-token")
-	})
-
-	t.Run("AllUsersWithIncludeExpired", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
-
-		inv, root := clitest.New(t, "tokens", "ls", "--all", "--include-expired")
-		clitest.SetupConfig(t, client, root)
-		buf := new(bytes.Buffer)
-		inv.Stdout = buf
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		res := buf.String()
-		// Should show both valid and expired tokens
-		require.Contains(t, res, validToken.ID)
-		require.Contains(t, res, "valid-token")
-		require.Contains(t, res, expiredToken.ID)
-		require.Contains(t, res, "expired-token")
-	})
-}
@@ -0,0 +1,24 @@
+//go:build !windows && !darwin
+
+package cli
+
+import (
+	"golang.org/x/xerrors"
+
+	"github.com/coder/serpent"
+)
+
+func (*RootCmd) vpnDaemonRun() *serpent.Command {
+	cmd := &serpent.Command{
+		Use:   "run",
+		Short: "Run the VPN daemon on Windows.",
+		Middleware: serpent.Chain(
+			serpent.RequireNArgs(0),
+		),
+		Handler: func(_ *serpent.Invocation) error {
+			return xerrors.New("vpn-daemon subcommand is not supported on this platform")
+		},
+	}
+
+	return cmd
+}
@@ -1,4 +1,4 @@
-//go:build windows || linux
+//go:build windows

 package cli

@@ -11,7 +11,7 @@ import (
 	"github.com/coder/serpent"
 )

-func (*RootCmd) vpnDaemonRun() *serpent.Command {
+func (r *RootCmd) vpnDaemonRun() *serpent.Command {
 	var (
 		rpcReadHandleInt  int64
 		rpcWriteHandleInt int64
@@ -19,7 +19,7 @@ func (*RootCmd) vpnDaemonRun() *serpent.Command {

 	cmd := &serpent.Command{
 		Use:   "run",
-		Short: "Run the VPN daemon on Windows and Linux.",
+		Short: "Run the VPN daemon on Windows.",
 		Middleware: serpent.Chain(
 			serpent.RequireNArgs(0),
 		),
@@ -53,8 +53,8 @@ func (*RootCmd) vpnDaemonRun() *serpent.Command {
 				return xerrors.Errorf("rpc-read-handle (%v) and rpc-write-handle (%v) must be different", rpcReadHandleInt, rpcWriteHandleInt)
 			}

-			// The manager passes the read and write descriptors directly to the
-			// daemon, so we can open the RPC pipe from the raw values.
+			// We don't need to worry about duplicating the handles on Windows,
+			// which is different from Unix.
 			logger.Info(ctx, "opening bidirectional RPC pipe", slog.F("rpc_read_handle", rpcReadHandleInt), slog.F("rpc_write_handle", rpcWriteHandleInt))
 			pipe, err := vpn.NewBidirectionalPipe(uintptr(rpcReadHandleInt), uintptr(rpcWriteHandleInt))
 			if err != nil {
@@ -62,7 +62,7 @@ func (*RootCmd) vpnDaemonRun() *serpent.Command {
 			}
 			defer pipe.Close()

-			logger.Info(ctx, "starting VPN tunnel")
+			logger.Info(ctx, "starting tunnel")
 			tunnel, err := vpn.NewTunnel(ctx, logger, pipe, vpn.NewClient(), vpn.UseOSNetworkingStack())
 			if err != nil {
 				return xerrors.Errorf("create new tunnel for client: %w", err)
@@ -1,19 +0,0 @@
-//go:build linux
-
-package cli_test
-
-import (
-	"os"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-	"golang.org/x/sys/unix"
-)
-
-func dupHandle(t *testing.T, f *os.File) uintptr {
-	t.Helper()
-
-	dupFD, err := unix.Dup(int(f.Fd()))
-	require.NoError(t, err)
-	return uintptr(dupFD)
-}
@@ -1,33 +0,0 @@
-//go:build windows
-
-package cli_test
-
-import (
-	"os"
-	"syscall"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func dupHandle(t *testing.T, f *os.File) uintptr {
-	t.Helper()
-
-	src := syscall.Handle(f.Fd())
-	var dup syscall.Handle
-
-	proc, err := syscall.GetCurrentProcess()
-	require.NoError(t, err)
-
-	err = syscall.DuplicateHandle(
-		proc,
-		src,
-		proc,
-		&dup,
-		0,
-		false,
-		syscall.DUPLICATE_SAME_ACCESS,
-	)
-	require.NoError(t, err)
-	return uintptr(dup)
-}
@@ -1,4 +1,4 @@
-//go:build windows || linux
+//go:build windows

 package cli_test

@@ -67,35 +67,22 @@ func TestVPNDaemonRun(t *testing.T) {

 		r1, w1, err := os.Pipe()
 		require.NoError(t, err)
+		defer r1.Close()
 		defer w1.Close()
-
 		r2, w2, err := os.Pipe()
 		require.NoError(t, err)
 		defer r2.Close()
-
-		// The daemon closes the handles passed via NewBidirectionalPipe. Since our
-		// CLI tests run in-process, pass duplicated handles so we can close the
-		// originals without risking a double-close on FD reuse.
-		rpcReadHandle := dupHandle(t, r1)
-		rpcWriteHandle := dupHandle(t, w2)
-		require.NoError(t, r1.Close())
-		require.NoError(t, w2.Close())
+		defer w2.Close()

 		ctx := testutil.Context(t, testutil.WaitLong)
-		inv, _ := clitest.New(t,
-			"vpn-daemon",
-			"run",
-			"--rpc-read-handle",
-			fmt.Sprint(rpcReadHandle),
-			"--rpc-write-handle",
-			fmt.Sprint(rpcWriteHandle),
-		)
+		inv, _ := clitest.New(t, "vpn-daemon", "run", "--rpc-read-handle", fmt.Sprint(r1.Fd()), "--rpc-write-handle", fmt.Sprint(w2.Fd()))
 		waiter := clitest.StartWithWaiter(t, inv.WithContext(ctx))

-		// Send an invalid header, including a newline delimiter, so the handshake
-		// fails without requiring context cancellation.
-		_, err = w1.Write([]byte("garbage\n"))
+		// Send garbage which should cause the handshake to fail and the daemon
+		// to exit.
+		_, err = w1.Write([]byte("garbage"))
 		require.NoError(t, err)
+		waiter.Cancel()
 		err = waiter.Wait()
 		require.ErrorContains(t, err, "handshake failed")
 	})
@@ -235,7 +235,7 @@ func main() {
 					agent.LifecycleState = codersdk.WorkspaceAgentLifecycleStarting
 					startingAt := time.Now()
 					agent.StartedAt = &startingAt
-					for i := range 10 {
+					for i := 0; i < 10; i++ {
 						level := codersdk.LogLevelInfo
 						if rand.Float64() > 0.75 { //nolint:gosec
 							level = codersdk.LogLevelError
@@ -2,7 +2,6 @@ package agentapi_test

 import (
 	"context"
-	"strings"
 	"testing"
 	"time"

@@ -120,7 +119,7 @@ func TestBatchUpdateMetadata(t *testing.T) {

 		now := dbtime.Now()
 		almostLongValue := ""
-		for range 2048 {
+		for i := 0; i < 2048; i++ {
 			almostLongValue += "a"
 		}
 		req := &agentproto.BatchUpdateMetadataRequest{
@@ -207,12 +206,11 @@ func TestBatchUpdateMetadata(t *testing.T) {
 				},
 				{
 					Key: func() string {
-						var key strings.Builder
-						key.WriteString("key 3 ")
-						for range 6144 - len("key 1") - len("key 2") - len("key 3") - 1 {
-							key.WriteString("a")
+						key := "key 3 "
+						for i := 0; i < (6144 - len("key 1") - len("key 2") - len("key 3") - 1); i++ {
+							key += "a"
 						}
-						return key.String()
+						return key
 					}(),
 					Result: &agentproto.WorkspaceAgentMetadata_Result{
 						Value: "value 3",
@@ -21,12 +21,10 @@ import (
 	agentapisdk "github.com/coder/agentapi-sdk-go"
 	"github.com/coder/coder/v2/coderd/audit"
 	"github.com/coder/coder/v2/coderd/database"
-	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpapi/httperror"
 	"github.com/coder/coder/v2/coderd/httpmw"
-	"github.com/coder/coder/v2/coderd/notifications"
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/searchquery"
@@ -1302,127 +1300,7 @@ func (api *API) pauseTask(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if _, err := api.NotificationsEnqueuer.Enqueue(
-		// nolint:gocritic // Need notifier actor to enqueue notifications.
-		dbauthz.AsNotifier(ctx),
-		workspace.OwnerID,
-		notifications.TemplateTaskPaused,
-		map[string]string{
-			"task":         task.Name,
-			"task_id":      task.ID.String(),
-			"workspace":    workspace.Name,
-			"pause_reason": "manual",
-		},
-		"api-task-pause",
-		workspace.ID, workspace.OwnerID, workspace.OrganizationID,
-	); err != nil {
-		api.Logger.Warn(ctx, "failed to notify of task paused", slog.Error(err), slog.F("task_id", task.ID), slog.F("workspace_id", workspace.ID))
-	}
-
 	httpapi.Write(ctx, rw, http.StatusAccepted, codersdk.PauseTaskResponse{
 		WorkspaceBuild: &build,
 	})
 }
-
-// @Summary Resume task
-// @ID resume-task
-// @Security CoderSessionToken
-// @Accept json
-// @Tags Tasks
-// @Param user path string true "Username, user ID, or 'me' for the authenticated user"
-// @Param task path string true "Task ID" format(uuid)
-// @Success 202 {object} codersdk.ResumeTaskResponse
-// @Router /tasks/{user}/{task}/resume [post]
-func (api *API) resumeTask(rw http.ResponseWriter, r *http.Request) {
-	var (
-		ctx    = r.Context()
-		apiKey = httpmw.APIKey(r)
-		task   = httpmw.TaskParam(r)
-	)
-
-	if !task.WorkspaceID.Valid {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Task does not have a workspace.",
-		})
-		return
-	}
-
-	workspace, err := api.Database.GetWorkspaceByID(ctx, task.WorkspaceID.UUID)
-	if err != nil {
-		if httpapi.Is404Error(err) {
-			httpapi.ResourceNotFound(rw)
-			return
-		}
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error fetching task workspace.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-
-	latestBuild, err := api.Database.GetLatestWorkspaceBuildByWorkspaceID(ctx, workspace.ID)
-	if err != nil {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error fetching task workspace build.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-	job, err := api.Database.GetProvisionerJobByID(ctx, latestBuild.JobID)
-	if err != nil {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error fetching task workspace build job.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-	workspaceStatus := codersdk.ConvertWorkspaceStatus(
-		codersdk.ProvisionerJobStatus(job.JobStatus),
-		codersdk.WorkspaceTransition(latestBuild.Transition),
-	)
-	if workspaceStatus == codersdk.WorkspaceStatusRunning {
-		httpapi.Write(ctx, rw, http.StatusConflict, codersdk.Response{
-			Message: "Task workspace is already running.",
-			Detail:  fmt.Sprintf("Workspace status is %q.", workspaceStatus),
-		})
-		return
-	}
-
-	buildReq := codersdk.CreateWorkspaceBuildRequest{
-		Transition: codersdk.WorkspaceTransitionStart,
-		Reason:     codersdk.CreateWorkspaceBuildReasonTaskResume,
-	}
-	build, err := api.postWorkspaceBuildsInternal(
-		ctx,
-		apiKey,
-		workspace,
-		buildReq,
-		func(action policy.Action, object rbac.Objecter) bool {
-			return api.Authorize(r, action, object)
-		},
-		audit.WorkspaceBuildBaggageFromRequest(r),
-	)
-	if err != nil {
-		httperror.WriteWorkspaceBuildError(ctx, rw, err)
-		return
-	}
-	if _, err := api.NotificationsEnqueuer.Enqueue(
-		// nolint:gocritic // Need notifier actor to enqueue notifications.
-		dbauthz.AsNotifier(ctx),
-		workspace.OwnerID,
-		notifications.TemplateTaskResumed,
-		map[string]string{
-			"task":      task.Name,
-			"task_id":   task.ID.String(),
-			"workspace": workspace.Name,
-		},
-		"api-task-resume",
-		workspace.ID, workspace.OwnerID, workspace.OrganizationID,
-	); err != nil {
-		api.Logger.Warn(ctx, "failed to notify of task resumed", slog.Error(err), slog.F("task_id", task.ID), slog.F("workspace_id", workspace.ID))
-	}
-
-	httpapi.Write(ctx, rw, http.StatusAccepted, codersdk.ResumeTaskResponse{
-		WorkspaceBuild: &build,
-	})
-}
@@ -45,10 +45,10 @@ import (
 )

 // createTaskInState is a helper to create a task in the desired state.
-// It returns a function that takes context, test, and status, and returns the task.
+// It returns a function that takes context, test, and status, and returns the task ID.
 // The caller is responsible for setting up the database, owner, and user.
-func createTaskInState(db database.Store, ownerSubject rbac.Subject, ownerOrgID, userID uuid.UUID) func(context.Context, *testing.T, database.TaskStatus) database.Task {
-	return func(ctx context.Context, t *testing.T, status database.TaskStatus) database.Task {
+func createTaskInState(db database.Store, ownerSubject rbac.Subject, ownerOrgID, userID uuid.UUID) func(context.Context, *testing.T, database.TaskStatus) uuid.UUID {
+	return func(ctx context.Context, t *testing.T, status database.TaskStatus) uuid.UUID {
 		ctx = dbauthz.As(ctx, ownerSubject)

 		builder := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
@@ -65,9 +65,6 @@ func createTaskInState(db database.Store, ownerSubject rbac.Subject, ownerOrgID,
 			builder = builder.Pending()
 		case database.TaskStatusInitializing:
 			builder = builder.Starting()
-		case database.TaskStatusActive:
-			// Default builder produces a succeeded start build.
-			// Post-processing below sets agent and app to active.
 		case database.TaskStatusPaused:
 			builder = builder.Seed(database.WorkspaceBuild{
 				Transition: database.WorkspaceTransitionStop,
@@ -79,32 +76,31 @@ func createTaskInState(db database.Store, ownerSubject rbac.Subject, ownerOrgID,
 		}

 		resp := builder.Do()
+		taskID := resp.Task.ID

 		// Post-process by manipulating agent and app state.
-		if status == database.TaskStatusActive || status == database.TaskStatusError {
-			// Set agent to ready state so agent_status returns 'active'.
+		if status == database.TaskStatusError {
+			// First, set agent to ready state so agent_status returns 'active'.
+			// This ensures the cascade reaches app_status.
 			err := db.UpdateWorkspaceAgentLifecycleStateByID(ctx, database.UpdateWorkspaceAgentLifecycleStateByIDParams{
 				ID:             resp.Agents[0].ID,
 				LifecycleState: database.WorkspaceAgentLifecycleStateReady,
 			})
 			require.NoError(t, err)

+			// Then set workspace app health to unhealthy to trigger error state.
 			apps, err := db.GetWorkspaceAppsByAgentID(ctx, resp.Agents[0].ID)
 			require.NoError(t, err)
 			require.Len(t, apps, 1, "expected exactly one app for task")

-			appHealth := database.WorkspaceAppHealthHealthy
-			if status == database.TaskStatusError {
-				appHealth = database.WorkspaceAppHealthUnhealthy
-			}
 			err = db.UpdateWorkspaceAppHealthByID(ctx, database.UpdateWorkspaceAppHealthByIDParams{
 				ID:     apps[0].ID,
-				Health: appHealth,
+				Health: database.WorkspaceAppHealthUnhealthy,
 			})
 			require.NoError(t, err)
 		}

-		return resp.Task
+		return taskID
 	}
 }

@@ -849,9 +845,9 @@ func TestTasks(t *testing.T) {
 				t.Parallel()

 				ctx := testutil.Context(t, testutil.WaitMedium)
-				task := createTask(ctx, t, database.TaskStatusPaused)
+				taskID := createTask(ctx, t, database.TaskStatusPaused)

-				err := client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
+				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
 					Input: "Hello",
 				})

@@ -867,9 +863,9 @@ func TestTasks(t *testing.T) {
 				t.Parallel()

 				ctx := testutil.Context(t, testutil.WaitMedium)
-				task := createTask(ctx, t, database.TaskStatusInitializing)
+				taskID := createTask(ctx, t, database.TaskStatusInitializing)

-				err := client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
+				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
 					Input: "Hello",
 				})

@@ -885,9 +881,9 @@ func TestTasks(t *testing.T) {
 				t.Parallel()

 				ctx := testutil.Context(t, testutil.WaitMedium)
-				task := createTask(ctx, t, database.TaskStatusPending)
+				taskID := createTask(ctx, t, database.TaskStatusPending)

-				err := client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
+				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
 					Input: "Hello",
 				})

@@ -903,9 +899,9 @@ func TestTasks(t *testing.T) {
 				t.Parallel()

 				ctx := testutil.Context(t, testutil.WaitMedium)
-				task := createTask(ctx, t, database.TaskStatusError)
+				taskID := createTask(ctx, t, database.TaskStatusError)

-				err := client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
+				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
 					Input: "Hello",
 				})

@@ -1124,16 +1120,16 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			task := createTask(ctx, t, database.TaskStatusPending)
+			taskID := createTask(ctx, t, database.TaskStatusPending)

 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
-				TaskID:               task.ID,
+				TaskID:               taskID,
 				LogSnapshot:          json.RawMessage(snapshotJSON),
 				LogSnapshotCreatedAt: snapshotTime,
 			})
 			require.NoError(t, err, "upserting task snapshot")

-			logsResp, err := client.TaskLogs(ctx, "me", task.ID)
+			logsResp, err := client.TaskLogs(ctx, "me", taskID)
 			require.NoError(t, err, "fetching task logs")
 			verifySnapshotLogs(t, logsResp)
 		})
@@ -1142,16 +1138,16 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			task := createTask(ctx, t, database.TaskStatusInitializing)
+			taskID := createTask(ctx, t, database.TaskStatusInitializing)

 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
-				TaskID:               task.ID,
+				TaskID:               taskID,
 				LogSnapshot:          json.RawMessage(snapshotJSON),
 				LogSnapshotCreatedAt: snapshotTime,
 			})
 			require.NoError(t, err, "upserting task snapshot")

-			logsResp, err := client.TaskLogs(ctx, "me", task.ID)
+			logsResp, err := client.TaskLogs(ctx, "me", taskID)
 			require.NoError(t, err, "fetching task logs")
 			verifySnapshotLogs(t, logsResp)
 		})
@@ -1160,16 +1156,16 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			task := createTask(ctx, t, database.TaskStatusPaused)
+			taskID := createTask(ctx, t, database.TaskStatusPaused)

 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
-				TaskID:               task.ID,
+				TaskID:               taskID,
 				LogSnapshot:          json.RawMessage(snapshotJSON),
 				LogSnapshotCreatedAt: snapshotTime,
 			})
 			require.NoError(t, err, "upserting task snapshot")

-			logsResp, err := client.TaskLogs(ctx, "me", task.ID)
+			logsResp, err := client.TaskLogs(ctx, "me", taskID)
 			require.NoError(t, err, "fetching task logs")
 			verifySnapshotLogs(t, logsResp)
 		})
@@ -1178,9 +1174,9 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			task := createTask(ctx, t, database.TaskStatusPending)
+			taskID := createTask(ctx, t, database.TaskStatusPending)

-			logsResp, err := client.TaskLogs(ctx, "me", task.ID)
+			logsResp, err := client.TaskLogs(ctx, "me", taskID)
 			require.NoError(t, err)

 			assert.True(t, logsResp.Snapshot)
@@ -1192,7 +1188,7 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			task := createTask(ctx, t, database.TaskStatusPending)
+			taskID := createTask(ctx, t, database.TaskStatusPending)

 			invalidEnvelope := coderd.TaskLogSnapshotEnvelope{
 				Format: "unknown-format",
@@ -1202,13 +1198,13 @@ func TestTasks(t *testing.T) {
 			require.NoError(t, err)

 			err = db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
-				TaskID:               task.ID,
+				TaskID:               taskID,
 				LogSnapshot:          json.RawMessage(invalidJSON),
 				LogSnapshotCreatedAt: snapshotTime,
 			})
 			require.NoError(t, err)

-			_, err = client.TaskLogs(ctx, "me", task.ID)
+			_, err = client.TaskLogs(ctx, "me", taskID)
 			require.Error(t, err)

 			var sdkErr *codersdk.Error
@@ -1221,16 +1217,16 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			task := createTask(ctx, t, database.TaskStatusPending)
+			taskID := createTask(ctx, t, database.TaskStatusPending)

 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
-				TaskID:               task.ID,
+				TaskID:               taskID,
 				LogSnapshot:          json.RawMessage(`{"format":"agentapi","data":"not an object"}`),
 				LogSnapshotCreatedAt: snapshotTime,
 			})
 			require.NoError(t, err)

-			_, err = client.TaskLogs(ctx, "me", task.ID)
+			_, err = client.TaskLogs(ctx, "me", taskID)
 			require.Error(t, err)

 			var sdkErr *codersdk.Error
@@ -1242,9 +1238,9 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			task := createTask(ctx, t, database.TaskStatusError)
+			taskID := createTask(ctx, t, database.TaskStatusError)

-			_, err := client.TaskLogs(ctx, "me", task.ID)
+			_, err := client.TaskLogs(ctx, "me", taskID)
 			require.Error(t, err)

 			var sdkErr *codersdk.Error
@@ -2516,20 +2512,13 @@ func TestPauseTask(t *testing.T) {
 		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)

 		resp, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-
-		// Verify that the request was accepted correctly:
 		require.NoError(t, err)
 		build := *resp.WorkspaceBuild
+		require.NotNil(t, build)
 		require.Equal(t, codersdk.WorkspaceTransitionStop, build.Transition)
 		require.Equal(t, task.WorkspaceID.UUID, build.WorkspaceID)
 		require.Equal(t, workspace.LatestBuild.BuildNumber+1, build.BuildNumber)
 		require.Equal(t, string(codersdk.CreateWorkspaceBuildReasonTaskManualPause), string(build.Reason))
-
-		// Verify that the accepted request was processed correctly:
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, build.ID)
-		workspace, err = client.Workspace(ctx, task.WorkspaceID.UUID)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.WorkspaceStatusStopped, workspace.LatestBuild.Status)
 	})

 	t.Run("Non-owner role access", func(t *testing.T) {
@@ -2791,402 +2780,4 @@ func TestPauseTask(t *testing.T) {
 		require.ErrorAs(t, err, &apiErr)
 		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
 	})
-
-	t.Run("Notification", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			notifyEnq       = &notificationstest.FakeEnqueuer{}
-			ownerClient, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{NotificationsEnqueuer: notifyEnq})
-			owner           = coderdtest.CreateFirstUser(t, ownerClient)
-		)
-
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		ownerUser, err := ownerClient.User(ctx, owner.UserID.String())
-		require.NoError(t, err)
-
-		createTask := createTaskInState(db, coderdtest.AuthzUserSubject(ownerUser), owner.OrganizationID, owner.UserID)
-
-		// Given: A task in an active state
-		task := createTask(ctx, t, database.TaskStatusActive)
-
-		workspace, err := ownerClient.Workspace(ctx, task.WorkspaceID.UUID)
-		require.NoError(t, err)
-
-		// When: We pause the task
-		_, err = ownerClient.PauseTask(ctx, codersdk.Me, task.ID)
-		require.NoError(t, err)
-
-		// Then: A notification should be sent
-		sent := notifyEnq.Sent(notificationstest.WithTemplateID(notifications.TemplateTaskPaused))
-		require.Len(t, sent, 1)
-		require.Equal(t, owner.UserID, sent[0].UserID)
-		require.Equal(t, task.Name, sent[0].Labels["task"])
-		require.Equal(t, task.ID.String(), sent[0].Labels["task_id"])
-		require.Equal(t, workspace.Name, sent[0].Labels["workspace"])
-		require.Equal(t, "manual", sent[0].Labels["pause_reason"])
-	})
-}
-
-func TestResumeTask(t *testing.T) {
-	t.Parallel()
-
-	setupClient := func(t *testing.T, db database.Store, ps pubsub.Pubsub, authorizer rbac.Authorizer) *codersdk.Client {
-		t.Helper()
-		client, _, _ := coderdtest.NewWithAPI(t, &coderdtest.Options{
-			Database:                 db,
-			Pubsub:                   ps,
-			Authorizer:               authorizer,
-			IncludeProvisionerDaemon: true,
-		})
-		return client
-	}
-
-	setupWorkspaceTask := func(t *testing.T, db database.Store, user codersdk.CreateFirstUserResponse) (database.Task, uuid.UUID) {
-		t.Helper()
-		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-			OrganizationID: user.OrganizationID,
-			OwnerID:        user.UserID,
-		}).WithTask(database.TaskTable{
-			Prompt: "resume me",
-		}, nil).Do()
-		return workspaceBuild.Task, workspaceBuild.Workspace.ID
-	}
-
-	t.Run("OK", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitLong)
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-		user := coderdtest.CreateFirstUser(t, client)
-
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:          echo.ParseComplete,
-			ProvisionApply: echo.ApplyComplete,
-			ProvisionGraph: []*proto.Response{
-				{Type: &proto.Response_Graph{Graph: &proto.GraphComplete{
-					HasAiTasks: true,
-				}}},
-			},
-		})
-		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
-		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		task, err := client.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
-			TemplateVersionID: template.ActiveVersionID,
-			Input:             "resume me",
-		})
-		require.NoError(t, err)
-
-		workspace, err := client.Workspace(ctx, task.WorkspaceID.UUID)
-		require.NoError(t, err)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
-
-		pauseResp, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-		require.NoError(t, err)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, pauseResp.WorkspaceBuild.ID)
-
-		resumeResp, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
-		require.NoError(t, err)
-		build := *resumeResp.WorkspaceBuild
-		require.Equal(t, codersdk.WorkspaceTransitionStart, build.Transition)
-		require.Equal(t, task.WorkspaceID.UUID, build.WorkspaceID)
-		require.Equal(t, workspace.LatestBuild.BuildNumber+2, build.BuildNumber)
-		require.Equal(t, string(codersdk.CreateWorkspaceBuildReasonTaskResume), string(build.Reason))
-
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, build.ID)
-		workspace, err = client.Workspace(ctx, task.WorkspaceID.UUID)
-		require.NoError(t, err)
-		require.Equal(t, codersdk.WorkspaceStatusRunning, workspace.LatestBuild.Status)
-	})
-
-	t.Run("Resume a task that is not paused", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitLong)
-		db, ps := dbtestutil.NewDB(t)
-		client := setupClient(t, db, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-			OrganizationID: user.OrganizationID,
-			OwnerID:        user.UserID,
-		}).
-			WithTask(database.TaskTable{
-				Prompt: "pause me",
-			}, nil).
-			Succeeded().
-			Do()
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, workspaceBuild.Task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusConflict, apiErr.StatusCode())
-	})
-
-	t.Run("Task not found", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-		_ = coderdtest.CreateFirstUser(t, client)
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, uuid.New())
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
-	})
-
-	t.Run("Task lookup forbidden", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		auth := &coderdtest.FakeAuthorizer{
-			ConditionalReturn: func(_ context.Context, _ rbac.Subject, action policy.Action, object rbac.Object) error {
-				if action == policy.ActionRead && object.Type == rbac.ResourceTask.Type {
-					return rbac.UnauthorizedError{}
-				}
-				return nil
-			},
-		}
-		client := setupClient(t, db, ps, auth)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, _ := setupWorkspaceTask(t, db, user)
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
-	})
-
-	t.Run("Workspace lookup forbidden", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		auth := &coderdtest.FakeAuthorizer{
-			ConditionalReturn: func(_ context.Context, _ rbac.Subject, action policy.Action, object rbac.Object) error {
-				if action == policy.ActionRead && object.Type == rbac.ResourceWorkspace.Type {
-					return rbac.UnauthorizedError{}
-				}
-				return nil
-			},
-		}
-		client := setupClient(t, db, ps, auth)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, _ := setupWorkspaceTask(t, db, user)
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
-	})
-
-	t.Run("No Workspace for Task", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		client := setupClient(t, db, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-
-		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-			OrganizationID: user.OrganizationID,
-			OwnerID:        user.UserID,
-		}).Do()
-		task := dbgen.Task(t, db, database.TaskTable{
-			OrganizationID:    user.OrganizationID,
-			OwnerID:           user.UserID,
-			TemplateVersionID: workspaceBuild.Build.TemplateVersionID,
-			Prompt:            "no workspace",
-		})
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
-		require.Equal(t, "Task does not have a workspace.", apiErr.Message)
-	})
-
-	t.Run("Workspace not found", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		var workspaceID uuid.UUID
-		wrapped := aiTaskStoreWrapper{
-			Store: db,
-			getWorkspaceByID: func(ctx context.Context, id uuid.UUID) (database.Workspace, error) {
-				if id == workspaceID && id != uuid.Nil {
-					return database.Workspace{}, sql.ErrNoRows
-				}
-				return db.GetWorkspaceByID(ctx, id)
-			},
-		}
-		client := setupClient(t, wrapped, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, workspaceIDValue := setupWorkspaceTask(t, db, user)
-		workspaceID = workspaceIDValue
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
-	})
-
-	t.Run("Workspace lookup internal error", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		var workspaceID uuid.UUID
-		wrapped := aiTaskStoreWrapper{
-			Store: db,
-			getWorkspaceByID: func(ctx context.Context, id uuid.UUID) (database.Workspace, error) {
-				if id == workspaceID && id != uuid.Nil {
-					return database.Workspace{}, xerrors.New("boom")
-				}
-				return db.GetWorkspaceByID(ctx, id)
-			},
-		}
-		client := setupClient(t, wrapped, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, workspaceIDValue := setupWorkspaceTask(t, db, user)
-		workspaceID = workspaceIDValue
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
-		require.Equal(t, "Internal error fetching task workspace.", apiErr.Message)
-	})
-
-	t.Run("Build Forbidden", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		auth := &coderdtest.FakeAuthorizer{
-			ConditionalReturn: func(_ context.Context, _ rbac.Subject, action policy.Action, object rbac.Object) error {
-				if action == policy.ActionWorkspaceStart && object.Type == rbac.ResourceWorkspace.Type {
-					return rbac.UnauthorizedError{}
-				}
-				return nil
-			},
-		}
-		client := setupClient(t, db, ps, auth)
-		user := coderdtest.CreateFirstUser(t, client)
-		task, _ := setupWorkspaceTask(t, db, user)
-
-		pauseResp, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-		require.NoError(t, err)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, pauseResp.WorkspaceBuild.ID)
-
-		_, err = client.ResumeTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
-	})
-
-	t.Run("Job already in progress", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		client := setupClient(t, db, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-			OrganizationID: user.OrganizationID,
-			OwnerID:        user.UserID,
-		}).
-			WithTask(database.TaskTable{
-				Prompt: "resume me",
-			}, nil).
-			Starting().
-			Do()
-
-		_, err := client.ResumeTask(ctx, codersdk.Me, workspaceBuild.Task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusConflict, apiErr.StatusCode())
-	})
-
-	t.Run("Build Internal Error", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		db, ps := dbtestutil.NewDB(t)
-		wrapped := aiTaskStoreWrapper{
-			Store: db,
-		}
-
-		client := setupClient(t, &wrapped, ps, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:          echo.ParseComplete,
-			ProvisionApply: echo.ApplyComplete,
-			ProvisionGraph: []*proto.Response{
-				{Type: &proto.Response_Graph{Graph: &proto.GraphComplete{
-					HasAiTasks: true,
-				}}},
-			},
-		})
-		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
-		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		task, err := client.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
-			TemplateVersionID: template.ActiveVersionID,
-			Input:             "resume me",
-		})
-		require.NoError(t, err)
-
-		workspace, err := client.Workspace(ctx, task.WorkspaceID.UUID)
-		require.NoError(t, err)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
-
-		pauseResp, err := client.PauseTask(ctx, codersdk.Me, task.ID)
-		require.NoError(t, err)
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, pauseResp.WorkspaceBuild.ID)
-
-		// Induce a transient failure in the database after the task has been paused.
-		wrapped.insertWorkspaceBuild = func(ctx context.Context, arg database.InsertWorkspaceBuildParams) error {
-			return xerrors.New("insert failed")
-		}
-		_, err = client.ResumeTask(ctx, codersdk.Me, task.ID)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
-	})
-
-	t.Run("Notification", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			notifyEnq       = &notificationstest.FakeEnqueuer{}
-			ownerClient, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{NotificationsEnqueuer: notifyEnq})
-			owner           = coderdtest.CreateFirstUser(t, ownerClient)
-		)
-
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		ownerUser, err := ownerClient.User(ctx, owner.UserID.String())
-		require.NoError(t, err)
-
-		createTask := createTaskInState(db, coderdtest.AuthzUserSubject(ownerUser), owner.OrganizationID, owner.UserID)
-
-		// Given: A task in a paused state
-		task := createTask(ctx, t, database.TaskStatusPaused)
-
-		workspace, err := ownerClient.Workspace(ctx, task.WorkspaceID.UUID)
-		require.NoError(t, err)
-
-		// When: We resume the task
-		_, err = ownerClient.ResumeTask(ctx, codersdk.Me, task.ID)
-		require.NoError(t, err)
-
-		// Then: A notification should be sent
-		sent := notifyEnq.Sent(notificationstest.WithTemplateID(notifications.TemplateTaskResumed))
-		require.Len(t, sent, 1)
-		require.Equal(t, owner.UserID, sent[0].UserID)
-		require.Equal(t, task.Name, sent[0].Labels["task"])
-		require.Equal(t, task.ID.String(), sent[0].Labels["task_id"])
-		require.Equal(t, workspace.Name, sent[0].Labels["workspace"])
-	})
 }
@@ -5866,48 +5866,6 @@ const docTemplate = `{
                }
            }
        },
-        "/tasks/{user}/{task}/resume": {
-            "post": {
-                "security": [
-                    {
-                        "CoderSessionToken": []
-                    }
-                ],
-                "consumes": [
-                    "application/json"
-                ],
-                "tags": [
-                    "Tasks"
-                ],
-                "summary": "Resume task",
-                "operationId": "resume-task",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Username, user ID, or 'me' for the authenticated user",
-                        "name": "user",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "format": "uuid",
-                        "description": "Task ID",
-                        "name": "task",
-                        "in": "path",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "202": {
-                        "description": "Accepted",
-                        "schema": {
-                            "$ref": "#/definitions/codersdk.ResumeTaskResponse"
-                        }
-                    }
-                }
-            }
-        },
        "/tasks/{user}/{task}/send": {
            "post": {
                "security": [
@@ -8386,54 +8344,6 @@ const docTemplate = `{
                }
            }
        },
-        "/users/{user}/keys/{keyid}/expire": {
-            "put": {
-                "security": [
-                    {
-                        "CoderSessionToken": []
-                    }
-                ],
-                "tags": [
-                    "Users"
-                ],
-                "summary": "Expire API key",
-                "operationId": "expire-api-key",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "User ID, name, or me",
-                        "name": "user",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "format": "string",
-                        "description": "Key ID",
-                        "name": "keyid",
-                        "in": "path",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "204": {
-                        "description": "No Content"
-                    },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/codersdk.Response"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/codersdk.Response"
-                        }
-                    }
-                }
-            }
-        },
        "/users/{user}/login-type": {
            "get": {
                "security": [
@@ -12351,9 +12261,6 @@ const docTemplate = `{
                "api_key_id": {
                    "type": "string"
                },
-                "client": {
-                    "type": "string"
-                },
                "ended_at": {
                    "type": "string",
                    "format": "date-time"
@@ -13553,10 +13460,7 @@ const docTemplate = `{
                "cli",
                "ssh_connection",
                "vscode_connection",
-                "jetbrains_connection",
-                "task_auto_pause",
-                "task_manual_pause",
-                "task_resume"
+                "jetbrains_connection"
            ],
            "x-enum-varnames": [
                "BuildReasonInitiator",
@@ -13567,10 +13471,7 @@ const docTemplate = `{
                "BuildReasonCLI",
                "BuildReasonSSHConnection",
                "BuildReasonVSCodeConnection",
-                "BuildReasonJetbrainsConnection",
-                "BuildReasonTaskAutoPause",
-                "BuildReasonTaskManualPause",
-                "BuildReasonTaskResume"
+                "BuildReasonJetbrainsConnection"
            ]
        },
        "codersdk.CORSBehavior": {
@@ -14244,8 +14145,7 @@ const docTemplate = `{
                "ssh_connection",
                "vscode_connection",
                "jetbrains_connection",
-                "task_manual_pause",
-                "task_resume"
+                "task_manual_pause"
            ],
            "x-enum-varnames": [
                "CreateWorkspaceBuildReasonDashboard",
@@ -14253,8 +14153,7 @@ const docTemplate = `{
                "CreateWorkspaceBuildReasonSSHConnection",
                "CreateWorkspaceBuildReasonVSCodeConnection",
                "CreateWorkspaceBuildReasonJetbrainsConnection",
-                "CreateWorkspaceBuildReasonTaskManualPause",
-                "CreateWorkspaceBuildReasonTaskResume"
+                "CreateWorkspaceBuildReasonTaskManualPause"
            ]
        },
        "codersdk.CreateWorkspaceBuildRequest": {
@@ -18336,14 +18235,6 @@ const docTemplate = `{
                }
            }
        },
-        "codersdk.ResumeTaskResponse": {
-            "type": "object",
-            "properties": {
-                "workspace_build": {
-                    "$ref": "#/definitions/codersdk.WorkspaceBuild"
-                }
-            }
-        },
        "codersdk.RetentionConfig": {
            "type": "object",
            "properties": {
@@ -18976,9 +18867,6 @@ const docTemplate = `{
                "default_ttl_ms": {
                    "type": "integer"
                },
-                "deleted": {
-                    "type": "boolean"
-                },
                "deprecated": {
                    "type": "boolean"
                },
@@ -5185,44 +5185,6 @@
 				}
 			}
 		},
-		"/tasks/{user}/{task}/resume": {
-			"post": {
-				"security": [
-					{
-						"CoderSessionToken": []
-					}
-				],
-				"consumes": ["application/json"],
-				"tags": ["Tasks"],
-				"summary": "Resume task",
-				"operationId": "resume-task",
-				"parameters": [
-					{
-						"type": "string",
-						"description": "Username, user ID, or 'me' for the authenticated user",
-						"name": "user",
-						"in": "path",
-						"required": true
-					},
-					{
-						"type": "string",
-						"format": "uuid",
-						"description": "Task ID",
-						"name": "task",
-						"in": "path",
-						"required": true
-					}
-				],
-				"responses": {
-					"202": {
-						"description": "Accepted",
-						"schema": {
-							"$ref": "#/definitions/codersdk.ResumeTaskResponse"
-						}
-					}
-				}
-			}
-		},
 		"/tasks/{user}/{task}/send": {
 			"post": {
 				"security": [
@@ -7417,52 +7379,6 @@
 				}
 			}
 		},
-		"/users/{user}/keys/{keyid}/expire": {
-			"put": {
-				"security": [
-					{
-						"CoderSessionToken": []
-					}
-				],
-				"tags": ["Users"],
-				"summary": "Expire API key",
-				"operationId": "expire-api-key",
-				"parameters": [
-					{
-						"type": "string",
-						"description": "User ID, name, or me",
-						"name": "user",
-						"in": "path",
-						"required": true
-					},
-					{
-						"type": "string",
-						"format": "string",
-						"description": "Key ID",
-						"name": "keyid",
-						"in": "path",
-						"required": true
-					}
-				],
-				"responses": {
-					"204": {
-						"description": "No Content"
-					},
-					"404": {
-						"description": "Not Found",
-						"schema": {
-							"$ref": "#/definitions/codersdk.Response"
-						}
-					},
-					"500": {
-						"description": "Internal Server Error",
-						"schema": {
-							"$ref": "#/definitions/codersdk.Response"
-						}
-					}
-				}
-			}
-		},
 		"/users/{user}/login-type": {
 			"get": {
 				"security": [
@@ -10971,9 +10887,6 @@
 				"api_key_id": {
 					"type": "string"
 				},
-				"client": {
-					"type": "string"
-				},
 				"ended_at": {
 					"type": "string",
 					"format": "date-time"
@@ -12148,10 +12061,7 @@
 				"cli",
 				"ssh_connection",
 				"vscode_connection",
-				"jetbrains_connection",
-				"task_auto_pause",
-				"task_manual_pause",
-				"task_resume"
+				"jetbrains_connection"
 			],
 			"x-enum-varnames": [
 				"BuildReasonInitiator",
@@ -12162,10 +12072,7 @@
 				"BuildReasonCLI",
 				"BuildReasonSSHConnection",
 				"BuildReasonVSCodeConnection",
-				"BuildReasonJetbrainsConnection",
-				"BuildReasonTaskAutoPause",
-				"BuildReasonTaskManualPause",
-				"BuildReasonTaskResume"
+				"BuildReasonJetbrainsConnection"
 			]
 		},
 		"codersdk.CORSBehavior": {
@@ -12794,8 +12701,7 @@
 				"ssh_connection",
 				"vscode_connection",
 				"jetbrains_connection",
-				"task_manual_pause",
-				"task_resume"
+				"task_manual_pause"
 			],
 			"x-enum-varnames": [
 				"CreateWorkspaceBuildReasonDashboard",
@@ -12803,8 +12709,7 @@
 				"CreateWorkspaceBuildReasonSSHConnection",
 				"CreateWorkspaceBuildReasonVSCodeConnection",
 				"CreateWorkspaceBuildReasonJetbrainsConnection",
-				"CreateWorkspaceBuildReasonTaskManualPause",
-				"CreateWorkspaceBuildReasonTaskResume"
+				"CreateWorkspaceBuildReasonTaskManualPause"
 			]
 		},
 		"codersdk.CreateWorkspaceBuildRequest": {
@@ -16742,14 +16647,6 @@
 				}
 			}
 		},
-		"codersdk.ResumeTaskResponse": {
-			"type": "object",
-			"properties": {
-				"workspace_build": {
-					"$ref": "#/definitions/codersdk.WorkspaceBuild"
-				}
-			}
-		},
 		"codersdk.RetentionConfig": {
 			"type": "object",
 			"properties": {
@@ -17361,9 +17258,6 @@
 				"default_ttl_ms": {
 					"type": "integer"
 				},
-				"deleted": {
-					"type": "boolean"
-				},
 				"deprecated": {
 					"type": "boolean"
 				},
@@ -421,69 +421,6 @@ func (api *API) deleteAPIKey(rw http.ResponseWriter, r *http.Request) {
 	rw.WriteHeader(http.StatusNoContent)
 }

-// @Summary Expire API key
-// @ID expire-api-key
-// @Security CoderSessionToken
-// @Tags Users
-// @Param user path string true "User ID, name, or me"
-// @Param keyid path string true "Key ID" format(string)
-// @Success 204
-// @Failure 404 {object} codersdk.Response
-// @Failure 500 {object} codersdk.Response
-// @Router /users/{user}/keys/{keyid}/expire [put]
-func (api *API) expireAPIKey(rw http.ResponseWriter, r *http.Request) {
-	var (
-		ctx               = r.Context()
-		keyID             = chi.URLParam(r, "keyid")
-		auditor           = api.Auditor.Load()
-		aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{
-			Audit:   *auditor,
-			Log:     api.Logger,
-			Request: r,
-			Action:  database.AuditActionWrite,
-		})
-	)
-	defer commitAudit()
-
-	if err := api.Database.InTx(func(db database.Store) error {
-		key, err := db.GetAPIKeyByID(ctx, keyID)
-		if err != nil {
-			return xerrors.Errorf("fetch API key: %w", err)
-		}
-		if !key.ExpiresAt.After(api.Clock.Now()) {
-			return nil // Already expired
-		}
-		aReq.Old = key
-		if err := db.UpdateAPIKeyByID(ctx, database.UpdateAPIKeyByIDParams{
-			ID:        key.ID,
-			LastUsed:  key.LastUsed,
-			ExpiresAt: dbtime.Now(),
-			IPAddress: key.IPAddress,
-		}); err != nil {
-			return xerrors.Errorf("expire API key: %w", err)
-		}
-		// Fetch the updated key for audit log.
-		newKey, err := db.GetAPIKeyByID(ctx, keyID)
-		if err != nil {
-			api.Logger.Warn(ctx, "failed to fetch updated API key for audit log", slog.Error(err))
-		} else {
-			aReq.New = newKey
-		}
-		return nil
-	}, nil); httpapi.Is404Error(err) {
-		httpapi.ResourceNotFound(rw)
-		return
-	} else if err != nil {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error expiring API key.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-
-	rw.WriteHeader(http.StatusNoContent)
-}
-
 // @Summary Get token config
 // @ID get-token-config
 // @Security CoderSessionToken
@@ -400,7 +400,7 @@ func TestAPIKey_Deleted(t *testing.T) {
 	require.Error(t, err)
 	var apiErr *codersdk.Error
 	require.ErrorAs(t, err, &apiErr)
-	require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
+	require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
 }

 func TestAPIKey_SetDefault(t *testing.T) {
@@ -439,7 +439,7 @@ func TestAPIKey_PrebuildsNotAllowed(t *testing.T) {
 		DeploymentValues: dc,
 	})

-	setupCtx := testutil.Context(t, testutil.WaitLong)
+	ctx := testutil.Context(t, testutil.WaitLong)

 	// Given: an existing api token for the prebuilds user
 	_, prebuildsToken := dbgen.APIKey(t, db, database.APIKey{
@@ -448,167 +448,12 @@ func TestAPIKey_PrebuildsNotAllowed(t *testing.T) {
 	client.SetSessionToken(prebuildsToken)

 	// When: the prebuilds user tries to create an API key
-	_, err := client.CreateAPIKey(setupCtx, database.PrebuildsSystemUserID.String())
+	_, err := client.CreateAPIKey(ctx, database.PrebuildsSystemUserID.String())
 	// Then: denied.
 	require.ErrorContains(t, err, httpapi.ResourceForbiddenResponse.Message)

 	// When: the prebuilds user tries to create a token
-	_, err = client.CreateToken(setupCtx, database.PrebuildsSystemUserID.String(), codersdk.CreateTokenRequest{})
+	_, err = client.CreateToken(ctx, database.PrebuildsSystemUserID.String(), codersdk.CreateTokenRequest{})
 	// Then: also denied.
 	require.ErrorContains(t, err, httpapi.ResourceForbiddenResponse.Message)
 }
-
-//nolint:tparallel,paralleltest // Subtests share the same coderdtest instance and auditor.
-func TestExpireAPIKey(t *testing.T) {
-	t.Parallel()
-
-	auditor := audit.NewMock()
-	adminClient := coderdtest.New(t, &coderdtest.Options{Auditor: auditor})
-	admin := coderdtest.CreateFirstUser(t, adminClient)
-	memberClient, member := coderdtest.CreateAnotherUser(t, adminClient, admin.OrganizationID)
-
-	t.Run("OwnerCanExpireOwnToken", func(t *testing.T) {
-		ctx := testutil.Context(t, testutil.WaitLong)
-
-		// Create a token.
-		res, err := adminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
-			Lifetime: time.Hour * 24 * 7,
-		})
-		require.NoError(t, err)
-		keyID := strings.Split(res.Key, "-")[0]
-
-		// Verify the token is not expired.
-		key, err := adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-		require.True(t, key.ExpiresAt.After(time.Now()))
-
-		auditor.ResetLogs()
-
-		// Expire the token.
-		err = adminClient.ExpireAPIKey(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-
-		// Verify the token is expired.
-		key, err = adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-		require.True(t, key.ExpiresAt.Before(time.Now()))
-
-		// Verify audit log.
-		als := auditor.AuditLogs()
-		require.Len(t, als, 1)
-		require.Equal(t, database.AuditActionWrite, als[0].Action)
-		require.Equal(t, database.ResourceTypeApiKey, als[0].ResourceType)
-		require.Equal(t, admin.UserID.String(), als[0].UserID.String())
-	})
-
-	t.Run("AdminCanExpireOtherUsersToken", func(t *testing.T) {
-		ctx := testutil.Context(t, testutil.WaitLong)
-
-		// Create a token for the member.
-		res, err := memberClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
-			Lifetime: time.Hour * 24 * 7,
-		})
-		require.NoError(t, err)
-		keyID := strings.Split(res.Key, "-")[0]
-
-		// Admin expires the member's token.
-		err = adminClient.ExpireAPIKey(ctx, member.ID.String(), keyID)
-		require.NoError(t, err)
-
-		// Verify the token is expired.
-		key, err := memberClient.APIKeyByID(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-		require.True(t, key.ExpiresAt.Before(time.Now()))
-	})
-
-	t.Run("MemberCannotExpireOtherUsersToken", func(t *testing.T) {
-		ctx := testutil.Context(t, testutil.WaitLong)
-
-		// Create a token for the admin.
-		res, err := adminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
-			Lifetime: time.Hour * 24 * 7,
-		})
-		require.NoError(t, err)
-		keyID := strings.Split(res.Key, "-")[0]
-
-		// Member attempts to expire admin's token.
-		err = memberClient.ExpireAPIKey(ctx, admin.UserID.String(), keyID)
-		require.Error(t, err)
-		var sdkErr *codersdk.Error
-		require.ErrorAs(t, err, &sdkErr)
-		// Members cannot read other users, so they get a 404 Not Found
-		// from the authorization layer.
-		require.Equal(t, http.StatusNotFound, sdkErr.StatusCode())
-	})
-
-	t.Run("NotFound", func(t *testing.T) {
-		ctx := testutil.Context(t, testutil.WaitLong)
-
-		// Try to expire a non-existent token.
-		err := adminClient.ExpireAPIKey(ctx, codersdk.Me, "nonexistent")
-		require.Error(t, err)
-		var sdkErr *codersdk.Error
-		require.ErrorAs(t, err, &sdkErr)
-		require.Equal(t, http.StatusNotFound, sdkErr.StatusCode())
-	})
-
-	t.Run("ExpiringAlreadyExpiredTokenSucceeds", func(t *testing.T) {
-		ctx := testutil.Context(t, testutil.WaitLong)
-
-		// Create and expire a token.
-		res, err := adminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
-			Lifetime: time.Hour * 24 * 7,
-		})
-		require.NoError(t, err)
-		keyID := strings.Split(res.Key, "-")[0]
-
-		// Expire it once.
-		err = adminClient.ExpireAPIKey(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-
-		// Invariant: make sure it's actually expired
-		key, err := adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-		require.LessOrEqual(t, key.ExpiresAt, time.Now(), "key should be expired")
-
-		// Expire it again - should succeed (idempotent).
-		err = adminClient.ExpireAPIKey(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-
-		// Token should still be just as expired as before. No more, no less.
-		keyAgain, err := adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-		require.Equal(t, key.ExpiresAt, keyAgain.ExpiresAt, "expiration should be idempotent")
-	})
-
-	t.Run("DeletingExpiredTokenSucceeds", func(t *testing.T) {
-		ctx := testutil.Context(t, testutil.WaitLong)
-
-		// Create a token.
-		res, err := adminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
-			Lifetime: time.Hour * 24 * 7,
-		})
-		require.NoError(t, err)
-		keyID := strings.Split(res.Key, "-")[0]
-
-		// Expire it first.
-		err = adminClient.ExpireAPIKey(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-
-		// Verify it's expired.
-		key, err := adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-		require.True(t, key.ExpiresAt.Before(time.Now()))
-
-		// Delete the expired token - should succeed.
-		err = adminClient.DeleteAPIKey(ctx, codersdk.Me, keyID)
-		require.NoError(t, err)
-
-		// Verify it's gone.
-		_, err = adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
-		require.Error(t, err)
-		var sdkErr *codersdk.Error
-		require.ErrorAs(t, err, &sdkErr)
-		require.Equal(t, http.StatusNotFound, sdkErr.StatusCode())
-	})
-}
@@ -48,10 +48,9 @@ type Executor struct {
 	tick                  <-chan time.Time
 	statsCh               chan<- Stats
 	// NotificationsEnqueuer handles enqueueing notifications for delivery by SMTP, webhook, etc.
-	notificationsEnqueuer   notifications.Enqueuer
-	reg                     prometheus.Registerer
-	experiments             codersdk.Experiments
-	workspaceBuilderMetrics *wsbuilder.Metrics
+	notificationsEnqueuer notifications.Enqueuer
+	reg                   prometheus.Registerer
+	experiments           codersdk.Experiments

 	metrics executorMetrics
 }
@@ -68,24 +67,23 @@ type Stats struct {
 }

 // New returns a new wsactions executor.
-func NewExecutor(ctx context.Context, db database.Store, ps pubsub.Pubsub, fc *files.Cache, reg prometheus.Registerer, tss *atomic.Pointer[schedule.TemplateScheduleStore], auditor *atomic.Pointer[audit.Auditor], acs *atomic.Pointer[dbauthz.AccessControlStore], buildUsageChecker *atomic.Pointer[wsbuilder.UsageChecker], log slog.Logger, tick <-chan time.Time, enqueuer notifications.Enqueuer, exp codersdk.Experiments, workspaceBuilderMetrics *wsbuilder.Metrics) *Executor {
+func NewExecutor(ctx context.Context, db database.Store, ps pubsub.Pubsub, fc *files.Cache, reg prometheus.Registerer, tss *atomic.Pointer[schedule.TemplateScheduleStore], auditor *atomic.Pointer[audit.Auditor], acs *atomic.Pointer[dbauthz.AccessControlStore], buildUsageChecker *atomic.Pointer[wsbuilder.UsageChecker], log slog.Logger, tick <-chan time.Time, enqueuer notifications.Enqueuer, exp codersdk.Experiments) *Executor {
 	factory := promauto.With(reg)
 	le := &Executor{
 		//nolint:gocritic // Autostart has a limited set of permissions.
-		ctx:                     dbauthz.AsAutostart(ctx),
-		db:                      db,
-		ps:                      ps,
-		fileCache:               fc,
-		templateScheduleStore:   tss,
-		tick:                    tick,
-		log:                     log.Named("autobuild"),
-		auditor:                 auditor,
-		accessControlStore:      acs,
-		buildUsageChecker:       buildUsageChecker,
-		notificationsEnqueuer:   enqueuer,
-		reg:                     reg,
-		experiments:             exp,
-		workspaceBuilderMetrics: workspaceBuilderMetrics,
+		ctx:                   dbauthz.AsAutostart(ctx),
+		db:                    db,
+		ps:                    ps,
+		fileCache:             fc,
+		templateScheduleStore: tss,
+		tick:                  tick,
+		log:                   log.Named("autobuild"),
+		auditor:               auditor,
+		accessControlStore:    acs,
+		buildUsageChecker:     buildUsageChecker,
+		notificationsEnqueuer: enqueuer,
+		reg:                   reg,
+		experiments:           exp,
 		metrics: executorMetrics{
 			autobuildExecutionDuration: factory.NewHistogram(prometheus.HistogramOpts{
 				Namespace: "coderd",
@@ -231,7 +229,6 @@ func (e *Executor) runOnce(t time.Time) Stats {
 					job                   *database.ProvisionerJob
 					auditLog              *auditParams
 					shouldNotifyDormancy  bool
-					shouldNotifyTaskPause bool
 					nextBuild             *database.WorkspaceBuild
 					activeTemplateVersion database.TemplateVersion
 					ws                    database.Workspace
@@ -317,10 +314,6 @@ func (e *Executor) runOnce(t time.Time) Stats {
 						return nil
 					}

-					if reason == database.BuildReasonTaskAutoPause {
-						shouldNotifyTaskPause = true
-					}
-
 					// Get the template version job to access tags
 					templateVersionJob, err := tx.GetProvisionerJobByID(e.ctx, activeTemplateVersion.JobID)
 					if err != nil {
@@ -342,8 +335,7 @@ func (e *Executor) runOnce(t time.Time) Stats {
 							SetLastWorkspaceBuildInTx(&latestBuild).
 							SetLastWorkspaceBuildJobInTx(&latestJob).
 							Experiments(e.experiments).
-							Reason(reason).
-							BuildMetrics(e.workspaceBuilderMetrics)
+							Reason(reason)
 						log.Debug(e.ctx, "auto building workspace", slog.F("transition", nextTransition))
 						if nextTransition == database.WorkspaceTransitionStart &&
 							useActiveVersion(accessControl, ws) {
@@ -487,28 +479,6 @@ func (e *Executor) runOnce(t time.Time) Stats {
 						log.Warn(e.ctx, "failed to notify of workspace marked as dormant", slog.Error(err), slog.F("workspace_id", ws.ID))
 					}
 				}
-				if shouldNotifyTaskPause {
-					task, err := e.db.GetTaskByID(e.ctx, ws.TaskID.UUID)
-					if err != nil {
-						log.Warn(e.ctx, "failed to get task for pause notification", slog.Error(err), slog.F("task_id", ws.TaskID.UUID), slog.F("workspace_id", ws.ID))
-					} else {
-						if _, err := e.notificationsEnqueuer.Enqueue(
-							e.ctx,
-							ws.OwnerID,
-							notifications.TemplateTaskPaused,
-							map[string]string{
-								"task":         task.Name,
-								"task_id":      task.ID.String(),
-								"workspace":    ws.Name,
-								"pause_reason": "inactivity exceeded the dormancy threshold",
-							},
-							"lifecycle_executor",
-							ws.ID, ws.OwnerID, ws.OrganizationID,
-						); err != nil {
-							log.Warn(e.ctx, "failed to notify of task paused", slog.Error(err), slog.F("task_id", ws.TaskID.UUID), slog.F("workspace_id", ws.ID))
-						}
-					}
-				}
 				return nil
 			}()
 			if err != nil && !xerrors.Is(err, context.Canceled) {
@@ -552,18 +522,10 @@ func getNextTransition(
 ) {
 	switch {
 	case isEligibleForAutostop(user, ws, latestBuild, latestJob, currentTick):
-		// Use task-specific reason for AI task workspaces.
-		if ws.TaskID.Valid {
-			return database.WorkspaceTransitionStop, database.BuildReasonTaskAutoPause, nil
-		}
 		return database.WorkspaceTransitionStop, database.BuildReasonAutostop, nil
 	case isEligibleForAutostart(user, ws, latestBuild, latestJob, templateSchedule, currentTick):
 		return database.WorkspaceTransitionStart, database.BuildReasonAutostart, nil
 	case isEligibleForFailedStop(latestBuild, latestJob, templateSchedule, currentTick):
-		// Use task-specific reason for AI task workspaces.
-		if ws.TaskID.Valid {
-			return database.WorkspaceTransitionStop, database.BuildReasonTaskAutoPause, nil
-		}
 		return database.WorkspaceTransitionStop, database.BuildReasonAutostop, nil
 	case isEligibleForDormantStop(ws, templateSchedule, currentTick):
 		// Only stop started workspaces.
@@ -5,113 +5,12 @@ import (
 	"testing"
 	"time"

-	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/schedule"
 )

-func Test_getNextTransition_TaskAutoPause(t *testing.T) {
-	t.Parallel()
-
-	// Set up a workspace that is eligible for autostop (past deadline).
-	now := time.Now()
-	pastDeadline := now.Add(-time.Hour)
-
-	okUser := database.User{Status: database.UserStatusActive}
-	okBuild := database.WorkspaceBuild{
-		Transition: database.WorkspaceTransitionStart,
-		Deadline:   pastDeadline,
-	}
-	okJob := database.ProvisionerJob{
-		JobStatus: database.ProvisionerJobStatusSucceeded,
-	}
-	okTemplateSchedule := schedule.TemplateScheduleOptions{}
-
-	// Failed build setup for failedstop tests.
-	failedBuild := database.WorkspaceBuild{
-		Transition: database.WorkspaceTransitionStart,
-	}
-	failedJob := database.ProvisionerJob{
-		JobStatus:   database.ProvisionerJobStatusFailed,
-		CompletedAt: sql.NullTime{Time: now.Add(-time.Hour), Valid: true},
-	}
-	failedTemplateSchedule := schedule.TemplateScheduleOptions{
-		FailureTTL: time.Minute, // TTL already elapsed since job completed an hour ago.
-	}
-
-	testCases := []struct {
-		Name             string
-		Workspace        database.Workspace
-		Build            database.WorkspaceBuild
-		Job              database.ProvisionerJob
-		TemplateSchedule schedule.TemplateScheduleOptions
-		ExpectedReason   database.BuildReason
-	}{
-		{
-			Name: "RegularWorkspace_Autostop",
-			Workspace: database.Workspace{
-				DormantAt: sql.NullTime{Valid: false},
-			},
-			Build:            okBuild,
-			Job:              okJob,
-			TemplateSchedule: okTemplateSchedule,
-			ExpectedReason:   database.BuildReasonAutostop,
-		},
-		{
-			Name: "TaskWorkspace_Autostop_UsesTaskAutoPause",
-			Workspace: database.Workspace{
-				DormantAt: sql.NullTime{Valid: false},
-				TaskID:    uuid.NullUUID{UUID: uuid.New(), Valid: true},
-			},
-			Build:            okBuild,
-			Job:              okJob,
-			TemplateSchedule: okTemplateSchedule,
-			ExpectedReason:   database.BuildReasonTaskAutoPause,
-		},
-		{
-			Name: "RegularWorkspace_FailedStop",
-			Workspace: database.Workspace{
-				DormantAt: sql.NullTime{Valid: false},
-			},
-			Build:            failedBuild,
-			Job:              failedJob,
-			TemplateSchedule: failedTemplateSchedule,
-			ExpectedReason:   database.BuildReasonAutostop,
-		},
-		{
-			Name: "TaskWorkspace_FailedStop_UsesTaskAutoPause",
-			Workspace: database.Workspace{
-				DormantAt: sql.NullTime{Valid: false},
-				TaskID:    uuid.NullUUID{UUID: uuid.New(), Valid: true},
-			},
-			Build:            failedBuild,
-			Job:              failedJob,
-			TemplateSchedule: failedTemplateSchedule,
-			ExpectedReason:   database.BuildReasonTaskAutoPause,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.Name, func(t *testing.T) {
-			t.Parallel()
-
-			transition, reason, err := getNextTransition(
-				okUser,
-				tc.Workspace,
-				tc.Build,
-				tc.Job,
-				tc.TemplateSchedule,
-				now,
-			)
-			require.NoError(t, err)
-			require.Equal(t, database.WorkspaceTransitionStop, transition)
-			require.Equal(t, tc.ExpectedReason, reason)
-		})
-	}
-}
-
 func Test_isEligibleForAutostart(t *testing.T) {
 	t.Parallel()

@@ -2019,69 +2019,5 @@ func TestExecutorTaskWorkspace(t *testing.T) {
 		assert.Contains(t, stats.Transitions, workspace.ID, "task workspace should be in transitions")
 		assert.Equal(t, database.WorkspaceTransitionStop, stats.Transitions[workspace.ID], "should autostop the workspace")
 		require.Empty(t, stats.Errors, "should have no errors when managing task workspaces")
-
-		// Then: The build reason should be TaskAutoPause (not regular Autostop)
-		workspace = coderdtest.MustWorkspace(t, client, workspace.ID)
-		_ = coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
-		workspace = coderdtest.MustWorkspace(t, client, workspace.ID)
-		assert.Equal(t, codersdk.BuildReasonTaskAutoPause, workspace.LatestBuild.Reason, "task workspace should use TaskAutoPause build reason")
-	})
-
-	t.Run("AutostopNotification", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			tickCh     = make(chan time.Time)
-			statsCh    = make(chan autobuild.Stats)
-			notifyEnq  = notificationstest.FakeEnqueuer{}
-			client, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{
-				AutobuildTicker:          tickCh,
-				IncludeProvisionerDaemon: true,
-				AutobuildStats:           statsCh,
-				NotificationsEnqueuer:    &notifyEnq,
-			})
-			admin = coderdtest.CreateFirstUser(t, client)
-		)
-
-		// Given: A task workspace with an 8 hour deadline
-		ctx := testutil.Context(t, testutil.WaitShort)
-		template := createTaskTemplate(t, client, admin.OrganizationID, ctx, 8*time.Hour)
-		workspace := createTaskWorkspace(t, client, template, ctx, "test task for autostop notification")
-
-		// Given: The workspace is currently running
-		workspace = coderdtest.MustWorkspace(t, client, workspace.ID)
-		require.Equal(t, codersdk.WorkspaceTransitionStart, workspace.LatestBuild.Transition)
-		require.NotZero(t, workspace.LatestBuild.Deadline, "workspace should have a deadline for autostop")
-
-		p, err := coderdtest.GetProvisionerForTags(db, time.Now(), workspace.OrganizationID, map[string]string{})
-		require.NoError(t, err)
-
-		// When: the autobuild executor ticks after the deadline
-		go func() {
-			tickTime := workspace.LatestBuild.Deadline.Time.Add(time.Minute)
-			coderdtest.UpdateProvisionerLastSeenAt(t, db, p.ID, tickTime)
-			tickCh <- tickTime
-			close(tickCh)
-		}()
-
-		// Then: We expect to see a stop transition
-		stats := <-statsCh
-		require.Len(t, stats.Transitions, 1, "lifecycle executor should transition the task workspace")
-		assert.Contains(t, stats.Transitions, workspace.ID, "task workspace should be in transitions")
-		assert.Equal(t, database.WorkspaceTransitionStop, stats.Transitions[workspace.ID], "should autostop the workspace")
-		require.Empty(t, stats.Errors, "should have no errors when managing task workspaces")
-
-		// Then: A task paused notification was sent with "idle timeout" reason
-		require.True(t, workspace.TaskID.Valid, "workspace should have a task ID")
-		task, err := db.GetTaskByID(dbauthz.AsSystemRestricted(ctx), workspace.TaskID.UUID)
-		require.NoError(t, err)
-
-		sent := notifyEnq.Sent(notificationstest.WithTemplateID(notifications.TemplateTaskPaused))
-		require.Len(t, sent, 1)
-		require.Equal(t, workspace.OwnerID, sent[0].UserID)
-		require.Equal(t, task.Name, sent[0].Labels["task"])
-		require.Equal(t, task.ID.String(), sent[0].Labels["task_id"])
-		require.Equal(t, workspace.Name, sent[0].Labels["workspace"])
-		require.Equal(t, "inactivity exceeded the dormancy threshold", sent[0].Labels["pause_reason"])
 	})
 }
@@ -245,7 +245,6 @@ type Options struct {
 	MetadataBatcherOptions []metadatabatcher.Option

 	ProvisionerdServerMetrics *provisionerdserver.Metrics
-	WorkspaceBuilderMetrics   *wsbuilder.Metrics

 	// WorkspaceAppAuditSessionTimeout allows changing the timeout for audit
 	// sessions. Raising or lowering this value will directly affect the write
@@ -1080,7 +1079,6 @@ func New(options *Options) *API {
 					r.Post("/send", api.taskSend)
 					r.Get("/logs", api.taskLogs)
 					r.Post("/pause", api.pauseTask)
-					r.Post("/resume", api.resumeTask)
 				})
 			})
 		})
@@ -1399,7 +1397,6 @@ func New(options *Options) *API {
 							r.Route("/{keyid}", func(r chi.Router) {
 								r.Get("/", api.apiKeyByID)
 								r.Delete("/", api.deleteAPIKey)
-								r.Put("/expire", api.expireAPIKey)
 							})
 						})

@@ -106,7 +106,7 @@ func fuzzAuthzPrep(t *testing.T, prep rbac.PreparedAuthorized, n int, action pol
 	t.Helper()
 	pairs := make([]coderdtest.ActionObjectPair, 0, n)

-	for range n {
+	for i := 0; i < n; i++ {
 		obj := coderdtest.RandomRBACObject()
 		obj.Type = objectType
 		p := coderdtest.ActionObjectPair{Action: action, Object: obj}
@@ -120,7 +120,7 @@ func fuzzAuthz(t *testing.T, sub rbac.Subject, rec rbac.Authorizer, n int) []cod
 	t.Helper()
 	pairs := make([]coderdtest.ActionObjectPair, 0, n)

-	for range n {
+	for i := 0; i < n; i++ {
 		p := coderdtest.ActionObjectPair{Action: coderdtest.RandomRBACAction(), Object: coderdtest.RandomRBACObject()}
 		_ = rec.Authorize(context.Background(), sub, p.Action, p.Object)
 		pairs = append(pairs, p)
@@ -191,7 +191,6 @@ type Options struct {
 	TelemetryReporter                  telemetry.Reporter

 	ProvisionerdServerMetrics *provisionerdserver.Metrics
-	WorkspaceBuilderMetrics   *wsbuilder.Metrics
 	UsageInserter             usage.Inserter
 }

@@ -400,7 +399,6 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 		options.AutobuildTicker,
 		options.NotificationsEnqueuer,
 		experiments,
-		options.WorkspaceBuilderMetrics,
 	).WithStatsChannel(options.AutobuildStats)

 	lifecycleExecutor.Run()
@@ -622,7 +620,6 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 			AppEncryptionKeyCache:              options.APIKeyEncryptionCache,
 			OIDCConvertKeyCache:                options.OIDCConvertKeyCache,
 			ProvisionerdServerMetrics:          options.ProvisionerdServerMetrics,
-			WorkspaceBuilderMetrics:            options.WorkspaceBuilderMetrics,
 		}
 }

@@ -17,6 +17,4 @@ const (
 	CheckTelemetryLockEventTypeConstraint        CheckConstraint = "telemetry_lock_event_type_constraint"         // telemetry_locks
 	CheckValidationMonotonicOrder                CheckConstraint = "validation_monotonic_order"                   // template_version_parameters
 	CheckUsageEventTypeCheck                     CheckConstraint = "usage_event_type_check"                       // usage_events
-	CheckGroupAclIsObject                        CheckConstraint = "group_acl_is_object"                          // workspaces
-	CheckUserAclIsObject                         CheckConstraint = "user_acl_is_object"                           // workspaces
 )
@@ -93,6 +93,7 @@ type TxOptions struct {

 // IncrementExecutionCount is a helper function for external packages
 // to increment the unexported count.
+// Mainly for `dbmem`.
 func IncrementExecutionCount(opts *TxOptions) {
 	opts.executionCount++
 }
@@ -981,9 +981,6 @@ func AIBridgeInterception(interception database.AIBridgeInterception, initiator
 	if interception.EndedAt.Valid {
 		intc.EndedAt = &interception.EndedAt.Time
 	}
-	if interception.Client.Valid {
-		intc.Client = &interception.Client.String
-	}
 	return intc
 }

@@ -9,7 +9,6 @@ import (
 	"time"

 	"github.com/google/uuid"
-	"github.com/sqlc-dev/pqtype"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/v2/coderd/database"
@@ -207,231 +206,3 @@ func TestTemplateVersionParameter_BadDescription(t *testing.T) {
 	req.NoError(err)
 	req.NotEmpty(sdk.DescriptionPlaintext, "broke the markdown parser with %v", desc)
 }
-
-func TestAIBridgeInterception(t *testing.T) {
-	t.Parallel()
-
-	now := dbtime.Now()
-	interceptionID := uuid.New()
-	initiatorID := uuid.New()
-
-	cases := []struct {
-		name         string
-		interception database.AIBridgeInterception
-		initiator    database.VisibleUser
-		tokenUsages  []database.AIBridgeTokenUsage
-		userPrompts  []database.AIBridgeUserPrompt
-		toolUsages   []database.AIBridgeToolUsage
-		expected     codersdk.AIBridgeInterception
-	}{
-		{
-			name: "all_optional_values_set",
-			interception: database.AIBridgeInterception{
-				ID:          interceptionID,
-				InitiatorID: initiatorID,
-				Provider:    "anthropic",
-				Model:       "claude-3-opus",
-				StartedAt:   now,
-				Metadata: pqtype.NullRawMessage{
-					RawMessage: json.RawMessage(`{"key":"value"}`),
-					Valid:      true,
-				},
-				EndedAt: sql.NullTime{
-					Time:  now.Add(time.Minute),
-					Valid: true,
-				},
-				APIKeyID: sql.NullString{
-					String: "api-key-123",
-					Valid:  true,
-				},
-				Client: sql.NullString{
-					String: "claude-code/1.0.0",
-					Valid:  true,
-				},
-			},
-			initiator: database.VisibleUser{
-				ID:        initiatorID,
-				Username:  "testuser",
-				Name:      "Test User",
-				AvatarURL: "https://example.com/avatar.png",
-			},
-			tokenUsages: []database.AIBridgeTokenUsage{
-				{
-					ID:                 uuid.New(),
-					InterceptionID:     interceptionID,
-					ProviderResponseID: "resp-123",
-					InputTokens:        100,
-					OutputTokens:       200,
-					Metadata: pqtype.NullRawMessage{
-						RawMessage: json.RawMessage(`{"cache":"hit"}`),
-						Valid:      true,
-					},
-					CreatedAt: now.Add(10 * time.Second),
-				},
-			},
-			userPrompts: []database.AIBridgeUserPrompt{
-				{
-					ID:                 uuid.New(),
-					InterceptionID:     interceptionID,
-					ProviderResponseID: "resp-123",
-					Prompt:             "Hello, world!",
-					Metadata: pqtype.NullRawMessage{
-						RawMessage: json.RawMessage(`{"role":"user"}`),
-						Valid:      true,
-					},
-					CreatedAt: now.Add(5 * time.Second),
-				},
-			},
-			toolUsages: []database.AIBridgeToolUsage{
-				{
-					ID:                 uuid.New(),
-					InterceptionID:     interceptionID,
-					ProviderResponseID: "resp-123",
-					ServerUrl: sql.NullString{
-						String: "https://mcp.example.com",
-						Valid:  true,
-					},
-					Tool:     "read_file",
-					Input:    `{"path":"/tmp/test.txt"}`,
-					Injected: true,
-					InvocationError: sql.NullString{
-						String: "file not found",
-						Valid:  true,
-					},
-					Metadata: pqtype.NullRawMessage{
-						RawMessage: json.RawMessage(`{"duration_ms":50}`),
-						Valid:      true,
-					},
-					CreatedAt: now.Add(15 * time.Second),
-				},
-			},
-			expected: codersdk.AIBridgeInterception{
-				ID: interceptionID,
-				Initiator: codersdk.MinimalUser{
-					ID:        initiatorID,
-					Username:  "testuser",
-					Name:      "Test User",
-					AvatarURL: "https://example.com/avatar.png",
-				},
-				Provider:  "anthropic",
-				Model:     "claude-3-opus",
-				Metadata:  map[string]any{"key": "value"},
-				StartedAt: now,
-			},
-		},
-		{
-			name: "no_optional_values_set",
-			interception: database.AIBridgeInterception{
-				ID:          interceptionID,
-				InitiatorID: initiatorID,
-				Provider:    "openai",
-				Model:       "gpt-4",
-				StartedAt:   now,
-				Metadata:    pqtype.NullRawMessage{Valid: false},
-				EndedAt:     sql.NullTime{Valid: false},
-				APIKeyID:    sql.NullString{Valid: false},
-				Client:      sql.NullString{Valid: false},
-			},
-			initiator: database.VisibleUser{
-				ID:        initiatorID,
-				Username:  "minimaluser",
-				Name:      "",
-				AvatarURL: "",
-			},
-			tokenUsages: nil,
-			userPrompts: nil,
-			toolUsages:  nil,
-			expected: codersdk.AIBridgeInterception{
-				ID: interceptionID,
-				Initiator: codersdk.MinimalUser{
-					ID:        initiatorID,
-					Username:  "minimaluser",
-					Name:      "",
-					AvatarURL: "",
-				},
-				Provider:  "openai",
-				Model:     "gpt-4",
-				Metadata:  nil,
-				StartedAt: now,
-			},
-		},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			result := db2sdk.AIBridgeInterception(
-				tc.interception,
-				tc.initiator,
-				tc.tokenUsages,
-				tc.userPrompts,
-				tc.toolUsages,
-			)
-
-			// Check basic fields.
-			require.Equal(t, tc.expected.ID, result.ID)
-			require.Equal(t, tc.expected.Initiator, result.Initiator)
-			require.Equal(t, tc.expected.Provider, result.Provider)
-			require.Equal(t, tc.expected.Model, result.Model)
-			require.Equal(t, tc.expected.StartedAt.UTC(), result.StartedAt.UTC())
-			require.Equal(t, tc.expected.Metadata, result.Metadata)
-
-			// Check optional pointer fields.
-			if tc.interception.APIKeyID.Valid {
-				require.NotNil(t, result.APIKeyID)
-				require.Equal(t, tc.interception.APIKeyID.String, *result.APIKeyID)
-			} else {
-				require.Nil(t, result.APIKeyID)
-			}
-
-			if tc.interception.EndedAt.Valid {
-				require.NotNil(t, result.EndedAt)
-				require.Equal(t, tc.interception.EndedAt.Time.UTC(), result.EndedAt.UTC())
-			} else {
-				require.Nil(t, result.EndedAt)
-			}
-
-			if tc.interception.Client.Valid {
-				require.NotNil(t, result.Client)
-				require.Equal(t, tc.interception.Client.String, *result.Client)
-			} else {
-				require.Nil(t, result.Client)
-			}
-
-			// Check slices.
-			require.Len(t, result.TokenUsages, len(tc.tokenUsages))
-			require.Len(t, result.UserPrompts, len(tc.userPrompts))
-			require.Len(t, result.ToolUsages, len(tc.toolUsages))
-
-			// Verify token usages are converted correctly.
-			for i, tu := range tc.tokenUsages {
-				require.Equal(t, tu.ID, result.TokenUsages[i].ID)
-				require.Equal(t, tu.InterceptionID, result.TokenUsages[i].InterceptionID)
-				require.Equal(t, tu.ProviderResponseID, result.TokenUsages[i].ProviderResponseID)
-				require.Equal(t, tu.InputTokens, result.TokenUsages[i].InputTokens)
-				require.Equal(t, tu.OutputTokens, result.TokenUsages[i].OutputTokens)
-			}
-
-			// Verify user prompts are converted correctly.
-			for i, up := range tc.userPrompts {
-				require.Equal(t, up.ID, result.UserPrompts[i].ID)
-				require.Equal(t, up.InterceptionID, result.UserPrompts[i].InterceptionID)
-				require.Equal(t, up.ProviderResponseID, result.UserPrompts[i].ProviderResponseID)
-				require.Equal(t, up.Prompt, result.UserPrompts[i].Prompt)
-			}
-
-			// Verify tool usages are converted correctly.
-			for i, toolUsage := range tc.toolUsages {
-				require.Equal(t, toolUsage.ID, result.ToolUsages[i].ID)
-				require.Equal(t, toolUsage.InterceptionID, result.ToolUsages[i].InterceptionID)
-				require.Equal(t, toolUsage.ProviderResponseID, result.ToolUsages[i].ProviderResponseID)
-				require.Equal(t, toolUsage.ServerUrl.String, result.ToolUsages[i].ServerURL)
-				require.Equal(t, toolUsage.Tool, result.ToolUsages[i].Tool)
-				require.Equal(t, toolUsage.Input, result.ToolUsages[i].Input)
-				require.Equal(t, toolUsage.Injected, result.ToolUsages[i].Injected)
-				require.Equal(t, toolUsage.InvocationError.String, result.ToolUsages[i].InvocationError)
-			}
-		})
-	}
-}
@@ -41,7 +41,7 @@ func TestGroupsAuth(t *testing.T) {
 	})

 	var users []database.User
-	for range 5 {
+	for i := 0; i < 5; i++ {
 		user := dbgen.User(t, db, database.User{})
 		users = append(users, user)
 		err := db.InsertGroupMember(ownerCtx, database.InsertGroupMemberParams{
@@ -19,6 +19,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/xerrors"

+	"cdr.dev/slog/v3"
 	"github.com/coder/coder/v2/coderd/apikey"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/db2sdk"
@@ -29,6 +30,7 @@ import (
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/rbac/rolestore"
+	"github.com/coder/coder/v2/coderd/taskname"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/cryptorand"
 	"github.com/coder/coder/v2/provisionerd/proto"
@@ -1590,7 +1592,6 @@ func AIBridgeInterception(t testing.TB, db database.Store, seed database.InsertA
 		Model:       takeFirst(seed.Model, "model"),
 		Metadata:    takeFirstSlice(seed.Metadata, json.RawMessage("{}")),
 		StartedAt:   takeFirst(seed.StartedAt, dbtime.Now()),
-		Client:      seed.Client,
 	})
 	if endedAt != nil {
 		interception, err = db.UpdateAIBridgeInterceptionEnded(genCtx, database.UpdateAIBridgeInterceptionEndedParams{
@@ -1663,12 +1664,13 @@ func Task(t testing.TB, db database.Store, orig database.TaskTable) database.Tas
 		parameters = json.RawMessage([]byte("{}"))
 	}

+	taskName := taskname.Generate(genCtx, slog.Make(), orig.Prompt)
 	task, err := db.InsertTask(genCtx, database.InsertTaskParams{
 		ID:                 takeFirst(orig.ID, uuid.New()),
 		OrganizationID:     orig.OrganizationID,
 		OwnerID:            orig.OwnerID,
-		Name:               takeFirst(orig.Name, testutil.GetRandomNameHyphenated(t)),
-		DisplayName:        takeFirst(orig.DisplayName, testutil.GetRandomNameHyphenated(t)),
+		Name:               takeFirst(orig.Name, taskName.Name),
+		DisplayName:        takeFirst(orig.DisplayName, taskName.DisplayName),
 		WorkspaceID:        orig.WorkspaceID,
 		TemplateVersionID:  orig.TemplateVersionID,
 		TemplateParameters: parameters,
@@ -802,7 +802,7 @@ func TestDeleteOldAuditLogConnectionEventsLimit(t *testing.T) {
 	now := dbtime.Now()
 	threshold := now.Add(-90 * 24 * time.Hour)

-	for i := range 5 {
+	for i := 0; i < 5; i++ {
 		dbgen.AuditLog(t, db, database.AuditLog{
 			UserID:         user.ID,
 			OrganizationID: org.ID,
@@ -80,7 +80,7 @@ func TestOpen_ValidDBFrom(t *testing.T) {
 	require.NoError(t, rows.Close())
 	require.NoError(t, db.Close())

-	for range 10 {
+	for i := 0; i < 10; i++ {
 		db, err := sql.Open("postgres", dsn)
 		require.NoError(t, err)
 		require.NoError(t, db.Ping())
@@ -1023,8 +1023,7 @@ CREATE TABLE aibridge_interceptions (
    started_at timestamp with time zone NOT NULL,
    metadata jsonb,
    ended_at timestamp with time zone,
-    api_key_id text,
-    client character varying(64) DEFAULT 'Unknown'::character varying
+    api_key_id text
 );

 COMMENT ON TABLE aibridge_interceptions IS 'Audit log of requests intercepted by AI Bridge';
@@ -2737,9 +2736,7 @@ CREATE TABLE workspaces (
    favorite boolean DEFAULT false NOT NULL,
    next_start_at timestamp with time zone,
    group_acl jsonb DEFAULT '{}'::jsonb NOT NULL,
-    user_acl jsonb DEFAULT '{}'::jsonb NOT NULL,
-    CONSTRAINT group_acl_is_object CHECK ((jsonb_typeof(group_acl) = 'object'::text)),
-    CONSTRAINT user_acl_is_object CHECK ((jsonb_typeof(user_acl) = 'object'::text))
+    user_acl jsonb DEFAULT '{}'::jsonb NOT NULL
 );

 COMMENT ON COLUMN workspaces.favorite IS 'Favorite is true if the workspace owner has favorited the workspace.';
@@ -3275,8 +3272,6 @@ CREATE INDEX idx_agent_stats_created_at ON workspace_agent_stats USING btree (cr

 CREATE INDEX idx_agent_stats_user_id ON workspace_agent_stats USING btree (user_id);

-CREATE INDEX idx_aibridge_interceptions_client ON aibridge_interceptions USING btree (client);
-
 CREATE INDEX idx_aibridge_interceptions_initiator_id ON aibridge_interceptions USING btree (initiator_id);

 CREATE INDEX idx_aibridge_interceptions_model ON aibridge_interceptions USING btree (model);
@@ -1,3 +0,0 @@
-ALTER TABLE workspaces
-    DROP CONSTRAINT IF EXISTS group_acl_is_object,
-    DROP CONSTRAINT IF EXISTS user_acl_is_object;
@@ -1,9 +0,0 @@
-- Add constraints that reject 'null'::jsonb for group and user ACLs
-- because they would break the new workspace_expanded view.
-
-UPDATE workspaces SET group_acl = '{}'::jsonb WHERE group_acl = 'null'::jsonb;
-UPDATE workspaces SET user_acl = '{}'::jsonb WHERE user_acl = 'null'::jsonb;
-
-ALTER TABLE workspaces
-    ADD CONSTRAINT group_acl_is_object CHECK (jsonb_typeof(group_acl) = 'object'),
-    ADD CONSTRAINT user_acl_is_object CHECK (jsonb_typeof(user_acl) = 'object');
@@ -1,2 +0,0 @@
-ALTER TABLE aibridge_interceptions
-    DROP COLUMN client;
@@ -1,5 +0,0 @@
-ALTER TABLE aibridge_interceptions
-    ADD COLUMN client VARCHAR(64)
-	DEFAULT 'Unknown';
-
-CREATE INDEX idx_aibridge_interceptions_client ON aibridge_interceptions (client);
@@ -1,4 +0,0 @@
-- Remove Task 'paused' transition template notification
-DELETE FROM notification_templates WHERE id = '2a74f3d3-ab09-4123-a4a5-ca238f4f65a1';
-- Remove Task 'resumed' transition template notification
-DELETE FROM notification_templates WHERE id = '843ee9c3-a8fb-4846-afa9-977bec578649';
@@ -1,63 +0,0 @@
-- Task transition to 'paused' status
-INSERT INTO notification_templates (
-	id,
-	name,
-	title_template,
-	body_template,
-	actions,
-	"group",
-	method,
-	kind,
-	enabled_by_default
-) VALUES (
-			 '2a74f3d3-ab09-4123-a4a5-ca238f4f65a1',
-			 'Task Paused',
-			 E'Task ''{{.Labels.task}}'' is paused',
-			 E'The task ''{{.Labels.task}}'' was paused ({{.Labels.pause_reason}}).',
-			 '[
-				 {
-					 "label": "View task",
-					 "url": "{{base_url}}/tasks/{{.UserUsername}}/{{.Labels.task_id}}"
-				 },
-				 {
-					 "label": "View workspace",
-					 "url": "{{base_url}}/@{{.UserUsername}}/{{.Labels.workspace}}"
-				 }
-			 ]'::jsonb,
-			 'Task Events',
-			 NULL,
-			 'system'::notification_template_kind,
-			 true
-		 );
-
-- Task transition to 'resumed' status
-INSERT INTO notification_templates (
-	id,
-	name,
-	title_template,
-	body_template,
-	actions,
-	"group",
-	method,
-	kind,
-	enabled_by_default
-) VALUES (
-			 '843ee9c3-a8fb-4846-afa9-977bec578649',
-			 'Task Resumed',
-			 E'Task ''{{.Labels.task}}'' has resumed',
-			 E'The task ''{{.Labels.task}}'' has resumed.',
-			 '[
-				 {
-					 "label": "View task",
-					 "url": "{{base_url}}/tasks/{{.UserUsername}}/{{.Labels.task_id}}"
-				 },
-				 {
-					 "label": "View workspace",
-					 "url": "{{base_url}}/@{{.UserUsername}}/{{.Labels.workspace}}"
-				 }
-			 ]'::jsonb,
-			 'Task Events',
-			 NULL,
-			 'system'::notification_template_kind,
-			 true
-		 );
@@ -1,35 +0,0 @@
-- Fixture for migration 000417_workspace_acl_object_constraint.
-- Inserts a workspace with 'null'::json ACLs to ensure the migration
-- correctly normalizes such values.
-
-INSERT INTO workspaces (
-    id,
-    created_at,
-    updated_at,
-    owner_id,
-    organization_id,
-    template_id,
-    deleted,
-    name,
-    last_used_at,
-    automatic_updates,
-    favorite,
-    group_acl,
-    user_acl
-)
-VALUES (
-    '6f6fdbee-4c18-4a5c-8a8d-9b811c9f0a28',
-    '2024-02-10 00:00:00+00',
-    '2024-02-10 00:00:00+00',
-    '30095c71-380b-457a-8995-97b8ee6e5307',
-    'bb640d07-ca8a-4869-b6bc-ae61ebb2fda1',
-    '4cc1f466-f326-477e-8762-9d0c6781fc56',
-    false,
-    'acl-null-workspace',
-    '0001-01-01 00:00:00+00',
-    'never',
-    false,
-    'null'::jsonb,
-    'null'::jsonb
-)
-ON CONFLICT DO NOTHING;
@@ -790,7 +790,6 @@ func (q *sqlQuerier) ListAuthorizedAIBridgeInterceptions(ctx context.Context, ar
 		arg.InitiatorID,
 		arg.Provider,
 		arg.Model,
-		arg.Client,
 		arg.AfterID,
 		arg.Offset,
 		arg.Limit,
@@ -811,7 +810,6 @@ func (q *sqlQuerier) ListAuthorizedAIBridgeInterceptions(ctx context.Context, ar
 			&i.AIBridgeInterception.Metadata,
 			&i.AIBridgeInterception.EndedAt,
 			&i.AIBridgeInterception.APIKeyID,
-			&i.AIBridgeInterception.Client,
 			&i.VisibleUser.ID,
 			&i.VisibleUser.Username,
 			&i.VisibleUser.Name,
@@ -849,7 +847,6 @@ func (q *sqlQuerier) CountAuthorizedAIBridgeInterceptions(ctx context.Context, a
 		arg.InitiatorID,
 		arg.Provider,
 		arg.Model,
-		arg.Client,
 	)
 	if err != nil {
 		return 0, err
@@ -3642,7 +3642,6 @@ type AIBridgeInterception struct {
 	Metadata    pqtype.NullRawMessage `db:"metadata" json:"metadata"`
 	EndedAt     sql.NullTime          `db:"ended_at" json:"ended_at"`
 	APIKeyID    sql.NullString        `db:"api_key_id" json:"api_key_id"`
-	Client      sql.NullString        `db:"client" json:"client"`
 }

 // Audit log of tokens used by intercepted requests in AI Bridge
@@ -41,7 +41,7 @@ func TestWatchdog_NoTimeout(t *testing.T) {
 	require.Equal(t, pubsub.EventPubsubWatchdog, sub.event)

 	// 5 min / 15 sec = 20, so do 21 ticks
-	for range 21 {
+	for i := 0; i < 21; i++ {
 		d, w := mClock.AdvanceNext()
 		w.MustWait(ctx)
 		require.LessOrEqual(t, d, 15*time.Second)
@@ -97,7 +97,7 @@ func TestWatchdog_Timeout(t *testing.T) {
 	require.Equal(t, pubsub.EventPubsubWatchdog, sub.event)

 	// 5 min / 15 sec = 20, so do 19 ticks without timing out
-	for range 19 {
+	for i := 0; i < 19; i++ {
 		d, w := mClock.AdvanceNext()
 		w.MustWait(ctx)
 		require.LessOrEqual(t, d, 15*time.Second)
@@ -1478,7 +1478,7 @@ func TestQueuePosition(t *testing.T) {
 	jobCount := 10
 	jobs := []database.ProvisionerJob{}
 	jobIDs := []uuid.UUID{}
-	for range jobCount {
+	for i := 0; i < jobCount; i++ {
 		job := dbgen.ProvisionerJob(t, db, nil, database.ProvisionerJob{
 			OrganizationID: org.ID,
 			Tags:           database.StringMap{},
@@ -1931,7 +1931,7 @@ func TestAuditLogDefaultLimit(t *testing.T) {
 	require.NoError(t, err)
 	db := database.New(sqlDB)

-	for range 110 {
+	for i := 0; i < 110; i++ {
 		dbgen.AuditLog(t, db, database.AuditLog{})
 	}

@@ -2074,7 +2074,7 @@ func TestReadCustomRoles(t *testing.T) {
 	allRoles := make([]database.CustomRole, 0)
 	siteRoles := make([]database.CustomRole, 0)
 	orgRoles := make([]database.CustomRole, 0)
-	for i := range 15 {
+	for i := 0; i < 15; i++ {
 		orgID := uuid.NullUUID{
 			UUID:  orgIDs[i%len(orgIDs)],
 			Valid: true,
@@ -2829,7 +2829,7 @@ func TestCountConnectionLogs(t *testing.T) {
 	wsB := dbgen.Workspace(t, db, database.WorkspaceTable{OwnerID: userB.ID, OrganizationID: orgB.Org.ID, TemplateID: tplB.ID})

 	// Create logs for two different orgs.
-	for range 20 {
+	for i := 0; i < 20; i++ {
 		dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
 			OrganizationID:   wsA.OrganizationID,
 			WorkspaceOwnerID: wsA.OwnerID,
@@ -2837,7 +2837,7 @@ func TestCountConnectionLogs(t *testing.T) {
 			Type:             database.ConnectionTypeSsh,
 		})
 	}
-	for range 10 {
+	for i := 0; i < 10; i++ {
 		dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
 			OrganizationID:   wsB.OrganizationID,
 			WorkspaceOwnerID: wsB.OwnerID,
@@ -6765,65 +6765,6 @@ func TestWorkspaceBuildDeadlineConstraint(t *testing.T) {
 	}
 }

-func TestWorkspaceACLObjectConstraint(t *testing.T) {
-	t.Parallel()
-
-	db, _ := dbtestutil.NewDB(t)
-	org := dbgen.Organization(t, db, database.Organization{})
-	user := dbgen.User(t, db, database.User{})
-	template := dbgen.Template(t, db, database.Template{
-		CreatedBy:      user.ID,
-		OrganizationID: org.ID,
-	})
-	workspace := dbgen.Workspace(t, db, database.WorkspaceTable{
-		OwnerID:    user.ID,
-		TemplateID: template.ID,
-		Deleted:    false,
-	})
-
-	t.Run("GroupACLNull", func(t *testing.T) {
-		t.Parallel()
-
-		var nilACL database.WorkspaceACL
-
-		ctx := testutil.Context(t, testutil.WaitLong)
-		err := db.UpdateWorkspaceACLByID(ctx, database.UpdateWorkspaceACLByIDParams{
-			ID:       workspace.ID,
-			GroupACL: nilACL,
-			UserACL:  database.WorkspaceACL{},
-		})
-		require.Error(t, err)
-		require.True(t, database.IsCheckViolation(err, database.CheckGroupAclIsObject))
-	})
-
-	t.Run("UserACLNull", func(t *testing.T) {
-		t.Parallel()
-
-		var nilACL database.WorkspaceACL
-
-		ctx := testutil.Context(t, testutil.WaitLong)
-		err := db.UpdateWorkspaceACLByID(ctx, database.UpdateWorkspaceACLByIDParams{
-			ID:       workspace.ID,
-			GroupACL: database.WorkspaceACL{},
-			UserACL:  nilACL,
-		})
-		require.Error(t, err)
-		require.True(t, database.IsCheckViolation(err, database.CheckUserAclIsObject))
-	})
-
-	t.Run("ValidEmptyObjects", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitLong)
-		err := db.UpdateWorkspaceACLByID(ctx, database.UpdateWorkspaceACLByIDParams{
-			ID:       workspace.ID,
-			GroupACL: database.WorkspaceACL{},
-			UserACL:  database.WorkspaceACL{},
-		})
-		require.NoError(t, err)
-	})
-}
-
 // TestGetLatestWorkspaceBuildsByWorkspaceIDs populates the database with
 // workspaces and builds. It then tests that
 // GetLatestWorkspaceBuildsByWorkspaceIDs returns the latest build for some
@@ -8070,15 +8011,12 @@ func TestUpdateAIBridgeInterceptionEnded(t *testing.T) {
 				ID:          uid,
 				InitiatorID: user.ID,
 				Metadata:    json.RawMessage("{}"),
-				Client:      sql.NullString{String: "client", Valid: true},
 			}

 			intc, err := db.InsertAIBridgeInterception(ctx, insertParams)
 			require.NoError(t, err)
 			require.Equal(t, uid, intc.ID)
 			require.False(t, intc.EndedAt.Valid)
-			require.True(t, intc.Client.Valid)
-			require.Equal(t, "client", intc.Client.String)
 			interceptions = append(interceptions, intc)
 		}

@@ -123,7 +123,8 @@ WITH interceptions_in_range AS (
    WHERE
        provider = $1::text
        AND model = $2::text
-        AND COALESCE(client, 'Unknown') = $3::text
+        -- TODO: use the client value once we have it (see https://github.com/coder/aibridge/issues/31)
+        AND 'unknown' = $3::text
        AND ended_at IS NOT NULL -- incomplete interceptions are not included in summaries
        AND ended_at >= $4::timestamptz
        AND ended_at < $5::timestamptz
@@ -300,11 +301,6 @@ WHERE
 		WHEN $5::text != '' THEN aibridge_interceptions.model = $5::text
 		ELSE true
 	END
-	-- Filter client
-	AND CASE
-		WHEN $6::text != '' THEN COALESCE(aibridge_interceptions.client, 'Unknown') = $6::text
-		ELSE true
-	END
 	-- Authorize Filter clause will be injected below in ListAuthorizedAIBridgeInterceptions
 	-- @authorize_filter
 `
@@ -315,7 +311,6 @@ type CountAIBridgeInterceptionsParams struct {
 	InitiatorID   uuid.UUID `db:"initiator_id" json:"initiator_id"`
 	Provider      string    `db:"provider" json:"provider"`
 	Model         string    `db:"model" json:"model"`
-	Client        string    `db:"client" json:"client"`
 }

 func (q *sqlQuerier) CountAIBridgeInterceptions(ctx context.Context, arg CountAIBridgeInterceptionsParams) (int64, error) {
@@ -325,7 +320,6 @@ func (q *sqlQuerier) CountAIBridgeInterceptions(ctx context.Context, arg CountAI
 		arg.InitiatorID,
 		arg.Provider,
 		arg.Model,
-		arg.Client,
 	)
 	var count int64
 	err := row.Scan(&count)
@@ -378,7 +372,7 @@ func (q *sqlQuerier) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime ti

 const getAIBridgeInterceptionByID = `-- name: GetAIBridgeInterceptionByID :one
 SELECT
-	id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id, client
+	id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id
 FROM
 	aibridge_interceptions
 WHERE
@@ -397,14 +391,13 @@ func (q *sqlQuerier) GetAIBridgeInterceptionByID(ctx context.Context, id uuid.UU
 		&i.Metadata,
 		&i.EndedAt,
 		&i.APIKeyID,
-		&i.Client,
 	)
 	return i, err
 }

 const getAIBridgeInterceptions = `-- name: GetAIBridgeInterceptions :many
 SELECT
-	id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id, client
+	id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id
 FROM
 	aibridge_interceptions
 `
@@ -427,7 +420,6 @@ func (q *sqlQuerier) GetAIBridgeInterceptions(ctx context.Context) ([]AIBridgeIn
 			&i.Metadata,
 			&i.EndedAt,
 			&i.APIKeyID,
-			&i.Client,
 		); err != nil {
 			return nil, err
 		}
@@ -573,11 +565,11 @@ func (q *sqlQuerier) GetAIBridgeUserPromptsByInterceptionID(ctx context.Context,

 const insertAIBridgeInterception = `-- name: InsertAIBridgeInterception :one
 INSERT INTO aibridge_interceptions (
-	id, api_key_id, initiator_id, provider, model, metadata, started_at, client
+	id, api_key_id, initiator_id, provider, model, metadata, started_at
 ) VALUES (
-	$1, $2, $3, $4, $5, COALESCE($6::jsonb, '{}'::jsonb), $7, $8
+	$1, $2, $3, $4, $5, COALESCE($6::jsonb, '{}'::jsonb), $7
 )
-RETURNING id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id, client
+RETURNING id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id
 `

 type InsertAIBridgeInterceptionParams struct {
@@ -588,7 +580,6 @@ type InsertAIBridgeInterceptionParams struct {
 	Model       string          `db:"model" json:"model"`
 	Metadata    json.RawMessage `db:"metadata" json:"metadata"`
 	StartedAt   time.Time       `db:"started_at" json:"started_at"`
-	Client      sql.NullString  `db:"client" json:"client"`
 }

 func (q *sqlQuerier) InsertAIBridgeInterception(ctx context.Context, arg InsertAIBridgeInterceptionParams) (AIBridgeInterception, error) {
@@ -600,7 +591,6 @@ func (q *sqlQuerier) InsertAIBridgeInterception(ctx context.Context, arg InsertA
 		arg.Model,
 		arg.Metadata,
 		arg.StartedAt,
-		arg.Client,
 	)
 	var i AIBridgeInterception
 	err := row.Scan(
@@ -612,7 +602,6 @@ func (q *sqlQuerier) InsertAIBridgeInterception(ctx context.Context, arg InsertA
 		&i.Metadata,
 		&i.EndedAt,
 		&i.APIKeyID,
-		&i.Client,
 	)
 	return i, err
 }
@@ -751,7 +740,7 @@ func (q *sqlQuerier) InsertAIBridgeUserPrompt(ctx context.Context, arg InsertAIB

 const listAIBridgeInterceptions = `-- name: ListAIBridgeInterceptions :many
 SELECT
-	aibridge_interceptions.id, aibridge_interceptions.initiator_id, aibridge_interceptions.provider, aibridge_interceptions.model, aibridge_interceptions.started_at, aibridge_interceptions.metadata, aibridge_interceptions.ended_at, aibridge_interceptions.api_key_id, aibridge_interceptions.client,
+	aibridge_interceptions.id, aibridge_interceptions.initiator_id, aibridge_interceptions.provider, aibridge_interceptions.model, aibridge_interceptions.started_at, aibridge_interceptions.metadata, aibridge_interceptions.ended_at, aibridge_interceptions.api_key_id,
 	visible_users.id, visible_users.username, visible_users.name, visible_users.avatar_url
 FROM
 	aibridge_interceptions
@@ -784,14 +773,9 @@ WHERE
 		WHEN $5::text != '' THEN aibridge_interceptions.model = $5::text
 		ELSE true
 	END
-	-- Filter client
-	AND CASE
-		WHEN $6::text != '' THEN COALESCE(aibridge_interceptions.client, 'Unknown') = $6::text
-		ELSE true
-	END
 	-- Cursor pagination
 	AND CASE
-		WHEN $7::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN (
+		WHEN $6::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN (
 			-- The pagination cursor is the last ID of the previous page.
 			-- The query is ordered by the started_at field, so select all
 			-- rows before the cursor and before the after_id UUID.
@@ -799,8 +783,8 @@ WHERE
 			-- "after_id" terminology comes from our pagination parser in
 			-- coderd.
 			(aibridge_interceptions.started_at, aibridge_interceptions.id) < (
-				(SELECT started_at FROM aibridge_interceptions WHERE id = $7),
-				$7::uuid
+				(SELECT started_at FROM aibridge_interceptions WHERE id = $6),
+				$6::uuid
 			)
 		)
 		ELSE true
@@ -810,8 +794,8 @@ WHERE
 ORDER BY
 	aibridge_interceptions.started_at DESC,
 	aibridge_interceptions.id DESC
-LIMIT COALESCE(NULLIF($9::integer, 0), 100)
-OFFSET $8
+LIMIT COALESCE(NULLIF($8::integer, 0), 100)
+OFFSET $7
 `

 type ListAIBridgeInterceptionsParams struct {
@@ -820,7 +804,6 @@ type ListAIBridgeInterceptionsParams struct {
 	InitiatorID   uuid.UUID `db:"initiator_id" json:"initiator_id"`
 	Provider      string    `db:"provider" json:"provider"`
 	Model         string    `db:"model" json:"model"`
-	Client        string    `db:"client" json:"client"`
 	AfterID       uuid.UUID `db:"after_id" json:"after_id"`
 	Offset        int32     `db:"offset_" json:"offset_"`
 	Limit         int32     `db:"limit_" json:"limit_"`
@@ -838,7 +821,6 @@ func (q *sqlQuerier) ListAIBridgeInterceptions(ctx context.Context, arg ListAIBr
 		arg.InitiatorID,
 		arg.Provider,
 		arg.Model,
-		arg.Client,
 		arg.AfterID,
 		arg.Offset,
 		arg.Limit,
@@ -859,7 +841,6 @@ func (q *sqlQuerier) ListAIBridgeInterceptions(ctx context.Context, arg ListAIBr
 			&i.AIBridgeInterception.Metadata,
 			&i.AIBridgeInterception.EndedAt,
 			&i.AIBridgeInterception.APIKeyID,
-			&i.AIBridgeInterception.Client,
 			&i.VisibleUser.ID,
 			&i.VisibleUser.Username,
 			&i.VisibleUser.Name,
@@ -883,7 +864,8 @@ SELECT
    DISTINCT ON (provider, model, client)
    provider,
    model,
-    COALESCE(client, 'Unknown') AS client
+    -- TODO: use the client value once we have it (see https://github.com/coder/aibridge/issues/31)
+    'unknown' AS client
 FROM
    aibridge_interceptions
 WHERE
@@ -1065,7 +1047,7 @@ UPDATE aibridge_interceptions
 WHERE
 	id = $2::uuid
 	AND ended_at IS NULL
-RETURNING id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id, client
+RETURNING id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id
 `

 type UpdateAIBridgeInterceptionEndedParams struct {
@@ -1085,7 +1067,6 @@ func (q *sqlQuerier) UpdateAIBridgeInterceptionEnded(ctx context.Context, arg Up
 		&i.Metadata,
 		&i.EndedAt,
 		&i.APIKeyID,
-		&i.Client,
 	)
 	return i, err
 }
@@ -1,8 +1,8 @@
 -- name: InsertAIBridgeInterception :one
 INSERT INTO aibridge_interceptions (
-	id, api_key_id, initiator_id, provider, model, metadata, started_at, client
+	id, api_key_id, initiator_id, provider, model, metadata, started_at
 ) VALUES (
-	@id, @api_key_id, @initiator_id, @provider, @model, COALESCE(@metadata::jsonb, '{}'::jsonb), @started_at, @client
+	@id, @api_key_id, @initiator_id, @provider, @model, COALESCE(@metadata::jsonb, '{}'::jsonb), @started_at
 )
 RETURNING *;

@@ -115,11 +115,6 @@ WHERE
 		WHEN @model::text != '' THEN aibridge_interceptions.model = @model::text
 		ELSE true
 	END
-	-- Filter client
-	AND CASE
-		WHEN @client::text != '' THEN COALESCE(aibridge_interceptions.client, 'Unknown') = @client::text
-		ELSE true
-	END
 	-- Authorize Filter clause will be injected below in ListAuthorizedAIBridgeInterceptions
 	-- @authorize_filter
 ;
@@ -159,11 +154,6 @@ WHERE
 		WHEN @model::text != '' THEN aibridge_interceptions.model = @model::text
 		ELSE true
 	END
-	-- Filter client
-	AND CASE
-		WHEN @client::text != '' THEN COALESCE(aibridge_interceptions.client, 'Unknown') = @client::text
-		ELSE true
-	END
 	-- Cursor pagination
 	AND CASE
 		WHEN @after_id::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN (
@@ -229,7 +219,8 @@ SELECT
    DISTINCT ON (provider, model, client)
    provider,
    model,
-    COALESCE(client, 'Unknown') AS client
+    -- TODO: use the client value once we have it (see https://github.com/coder/aibridge/issues/31)
+    'unknown' AS client
 FROM
    aibridge_interceptions
 WHERE
@@ -251,7 +242,8 @@ WITH interceptions_in_range AS (
    WHERE
        provider = @provider::text
        AND model = @model::text
-        AND COALESCE(client, 'Unknown') = @client::text
+        -- TODO: use the client value once we have it (see https://github.com/coder/aibridge/issues/31)
+        AND 'unknown' = @client::text
        AND ended_at IS NOT NULL -- incomplete interceptions are not included in summaries
        AND ended_at >= @ended_at_after::timestamptz
        AND ended_at < @ended_at_before::timestamptz
@@ -32,7 +32,7 @@ const maxRetries = 5
 func ReadModifyUpdate(db Store, f func(tx Store) error,
 ) error {
 	var err error
-	for range maxRetries {
+	for retries := 0; retries < maxRetries; retries++ {
 		err = db.InTx(f, &TxOptions{
 			Isolation: sql.LevelRepeatableRead,
 		})
@@ -44,7 +44,7 @@ func TestDebugHealth(t *testing.T) {
 		defer cancel()

 		sessionToken = client.SessionToken()
-		for range 10 {
+		for i := 0; i < 10; i++ {
 			res, err := client.Request(ctx, "GET", "/api/v2/debug/health", nil)
 			require.NoError(t, err)
 			_, _ = io.ReadAll(res.Body)
@@ -77,7 +77,7 @@ func TestDebugHealth(t *testing.T) {
 		defer cancel()

 		sessionToken = client.SessionToken()
-		for range 10 {
+		for i := 0; i < 10; i++ {
 			res, err := client.Request(ctx, "GET", "/api/v2/debug/health?force=true", nil)
 			require.NoError(t, err)
 			_, _ = io.ReadAll(res.Body)
@@ -199,7 +199,7 @@ func newTunnelServer(t *testing.T) *tunnelServer {
 	// passed an active listener (because wireguard needs to make the listener),
 	// so we may need to try a few times to get a free port.
 	var td *tunneld.API
-	for range 10 {
+	for i := 0; i < 10; i++ {
 		wireguardPort := freeUDPPort(t)
 		options := &tunneld.Options{
 			BaseURL:                baseURLParsed,
@@ -101,7 +101,7 @@ func MarshalED25519PrivateKey(key ed25519.PrivateKey) ([]byte, error) {
 	pk1.Pad = make([]byte, padLen)

 	// Padding is a sequence of bytes like: 1, 2, 3...
-	for i := range padLen {
+	for i := 0; i < padLen; i++ {
 		pk1.Pad[i] = byte(i + 1)
 	}

@@ -38,7 +38,7 @@ func (r *DatabaseReport) Run(ctx context.Context, opts *DatabaseReportOptions) {
 	pingCount := 5
 	pings := make([]time.Duration, 0, pingCount)
 	// Ping 5 times and average the latency.
-	for range pingCount {
+	for i := 0; i < pingCount; i++ {
 		pong, err := opts.DB.Ping(ctx)
 		if err != nil {
 			r.Error = health.Errorf(health.CodeDatabasePingFailed, "ping database: %s", err)
@@ -76,7 +76,7 @@ func TestExtractUserRoles(t *testing.T) {
 				expected := []rbac.RoleIdentifier{}
 				user, token := addUser(t, db)
 				expected = append(expected, rbac.RoleMember())
-				for i := range 3 {
+				for i := 0; i < 3; i++ {
 					organization, err := db.InsertOrganization(context.Background(), database.InsertOrganizationParams{
 						ID:          uuid.New(),
 						Name:        fmt.Sprintf("testorg%d", i),
@@ -106,10 +106,6 @@ func ExtractUserContext(ctx context.Context, db database.Store, rw http.Response
 	if userID, err := uuid.Parse(userQuery); err == nil {
 		user, err = db.GetUserByID(ctx, userID)
 		if err != nil {
-			if httpapi.Is404Error(err) {
-				httpapi.ResourceNotFound(rw)
-				return database.User{}, false
-			}
 			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 				Message: userErrorMessage,
 				Detail:  fmt.Sprintf("queried user=%q", userQuery),
@@ -124,10 +120,6 @@ func ExtractUserContext(ctx context.Context, db database.Store, rw http.Response
 		Username: userQuery,
 	})
 	if err != nil {
-		if httpapi.Is404Error(err) {
-			httpapi.ResourceNotFound(rw)
-			return database.User{}, false
-		}
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 			Message: userErrorMessage,
 			Detail:  fmt.Sprintf("queried user=%q", userQuery),
@@ -71,53 +71,7 @@ func TestUserParam(t *testing.T) {
 		})).ServeHTTP(rw, r)
 		res := rw.Result()
 		defer res.Body.Close()
-		// User "ben" doesn't exist, so expect 404.
-		require.Equal(t, http.StatusNotFound, res.StatusCode)
-	})
-
-	t.Run("NotFoundByUsername", func(t *testing.T) {
-		t.Parallel()
-		db, rw, r := setup(t)
-
-		httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{
-			DB:              db,
-			RedirectToLogin: false,
-		})(http.HandlerFunc(func(rw http.ResponseWriter, returnedRequest *http.Request) {
-			r = returnedRequest
-		})).ServeHTTP(rw, r)
-
-		routeContext := chi.NewRouteContext()
-		routeContext.URLParams.Add("user", "nonexistent-user")
-		r = r.WithContext(context.WithValue(r.Context(), chi.RouteCtxKey, routeContext))
-		httpmw.ExtractUserParam(db)(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-			rw.WriteHeader(http.StatusOK)
-		})).ServeHTTP(rw, r)
-		res := rw.Result()
-		defer res.Body.Close()
-		require.Equal(t, http.StatusNotFound, res.StatusCode)
-	})
-
-	t.Run("NotFoundByUUID", func(t *testing.T) {
-		t.Parallel()
-		db, rw, r := setup(t)
-
-		httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{
-			DB:              db,
-			RedirectToLogin: false,
-		})(http.HandlerFunc(func(rw http.ResponseWriter, returnedRequest *http.Request) {
-			r = returnedRequest
-		})).ServeHTTP(rw, r)
-
-		routeContext := chi.NewRouteContext()
-		// Use a valid UUID that doesn't exist in the database.
-		routeContext.URLParams.Add("user", "88888888-4444-4444-4444-121212121212")
-		r = r.WithContext(context.WithValue(r.Context(), chi.RouteCtxKey, routeContext))
-		httpmw.ExtractUserParam(db)(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-			rw.WriteHeader(http.StatusOK)
-		})).ServeHTTP(rw, r)
-		res := rw.Result()
-		defer res.Body.Close()
-		require.Equal(t, http.StatusNotFound, res.StatusCode)
+		require.Equal(t, http.StatusBadRequest, res.StatusCode)
 	})

 	t.Run("me", func(t *testing.T) {
@@ -71,7 +71,7 @@ func TestDetectorNoHungJobs(t *testing.T) {
 	org := dbgen.Organization(t, db, database.Organization{})
 	user := dbgen.User(t, db, database.User{})
 	file := dbgen.File(t, db, database.File{})
-	for i := range 5 {
+	for i := 0; i < 5; i++ {
 		dbgen.ProvisionerJob(t, db, pubsub, database.ProvisionerJob{
 			CreatedAt: now.Add(-time.Minute * 5),
 			UpdatedAt: now.Add(-time.Minute * time.Duration(i)),
@@ -884,7 +884,7 @@ func TestDetectorMaxJobsPerRun(t *testing.T) {

 	// Create MaxJobsPerRun + 1 hung jobs.
 	now := time.Now()
-	for range jobreaper.MaxJobsPerRun + 1 {
+	for i := 0; i < jobreaper.MaxJobsPerRun+1; i++ {
 		pj := dbgen.ProvisionerJob(t, db, pubsub, database.ProvisionerJob{
 			CreatedAt: now.Add(-time.Hour),
 			UpdatedAt: now.Add(-time.Hour),
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Charlie Voiselle	eee13c42a4	docs(cli): reference --oidc-group-mapping flag name instead of 'legacy' Issue: Used internal nomenclature instead of user-facing flag name The previous fix referenced 'legacy group name mapping' but users don't know what that means - it's an internal implementation detail. Users configure this via the --oidc-group-mapping flag. Changed to: 'This filter is applied after the oidc-group-mapping.' This directly references the flag name users would actually use, making the relationship clear and actionable. Users can now understand: - The regex filter applies to group names - Group names may have been transformed by --oidc-group-mapping first - They need to write regex patterns that match the mapped names Example: If --oidc-group-mapping transforms 'developers' to 'dev-team', the regex in --oidc-group-regex-filter will match against 'dev-team'.	2026-02-09 16:14:00 -05:00
Charlie Voiselle	65b48c0f84	docs(cli): fix help text for --oidc-group-regex-filter (clarify mapping order) Issue: Removed ordering information when it was actually helpful The previous correction removed the sentence about filter order to avoid confusion, but this actually made the description LESS clear. Users need to understand that the regex filter operates on group names AFTER any legacy name mapping has been applied. Example: If IdP sends 'developers' and LegacyNameMapping renames it to 'dev-team', the regex filter will match against 'dev-team', not 'developers'. Changed to: 'This filter is applied after legacy group name mapping.' This clarifies: 1. It's the LEGACY mapping (name→name) not the new Mapping (name→IDs) 2. The regex operates on potentially-renamed group names 3. The filter happens before the final ID mapping Code reference: coderd/idpsync/group.go lines 379-398 - Line 380: LegacyNameMapping (name → name) - Line 386: RegexFilter (on the potentially renamed name) - Line 392: Mapping (name → []uuid.UUID)	2026-02-09 16:13:59 -05:00
Charlie Voiselle	30cdf29e52	docs(cli): fix help text for --oidc-group-regex-filter (final correction) Issue: Previous description incorrectly stated filter order The correction commit stated 'This filter is applied after the group mapping' but the actual code order in coderd/idpsync/group.go lines 379-398 shows: 1. Legacy group mappings 2. Regex filter 3. (New) group mapping Since the filter order is complex and the description was causing confusion, removed the last sentence entirely. The first two sentences clearly explain what the flag does without introducing incorrect ordering claims. This follows the verification report's recommendation to remove the confusing last sentence.	2026-02-09 16:13:59 -05:00
Charlie Voiselle	b1d2bb6d71	docs(cli): fix help text for --external-auth-providers Issue: Clarity - vague description Changed 'External Authentication providers.' to 'Configure external authentication providers for Git and other services.' to explain what these providers are actually used for.	2026-02-09 16:13:59 -05:00
Charlie Voiselle	94bad2a956	docs(cli): fix help text for --workspace-prebuilds-reconciliation-backoff-lookback-period Issue: Clarity - unclear purpose Changed 'Interval to look back to determine number of failed prebuilds, which influences backoff' to 'Time period to look back when counting failed prebuilds to calculate the backoff delay' to clarify this determines the time window for counting failures.	2026-02-09 16:13:59 -05:00
Charlie Voiselle	111714c7ed	docs(cli): fix help text for --workspace-prebuilds-reconciliation-backoff-interval Issue: Clarity - confusing wording about backoff behavior Changed 'Interval to increase reconciliation backoff by when prebuilds fail, after which a retry attempt is made' to 'Amount of time to add to the reconciliation backoff delay after each prebuild failure, before the next retry attempt is made' to clarify this is an incremental addition to the backoff delay.	2026-02-09 16:13:58 -05:00
Charlie Voiselle	1f9c516c5c	docs(cli): fix help text for --workspace-prebuilds-failure-hard-limit Issue: Clarity - unclear what 'hits the hard limit' means Changed 'before a preset hits the hard limit' to 'before a preset is considered hard-limited and stops automatic prebuild creation' to explain what actually happens when the limit is reached.	2026-02-09 16:13:58 -05:00
Charlie Voiselle	3645c65bb2	docs(cli): fix help text for --workspace-hostname-suffix Issue: Clarity - incomplete example hostname Changed 'in SSH config and Coder Connect on Coder Desktop' to 'for SSH connections and Coder Connect' for conciseness. Updated the example from 'myworkspace.coder' to the full format 'agent.workspace.owner.coder' to show the complete hostname structure.	2026-02-09 16:13:58 -05:00
Charlie Voiselle	d3d2d2fb1e	docs(cli): fix help text for --workspace-agent-logs-retention Issue: Clarity - ambiguous scope Changed 'Logs from the latest build are always retained' to 'Logs from the latest build for each workspace are always retained' to clarify that this applies per-workspace, not just one latest build globally.	2026-02-09 16:13:58 -05:00
Charlie Voiselle	086fb1f5d5	docs(cli): fix help text for --block-direct-connections Issue: Clarity - imprecise wording about STUN behavior Clarified that 'Workspace agents' (not 'Workspaces') reach out to STUN servers, changed 'get their address' to 'discover their address', and simplified 'until they are restarted after this change has been made' to just 'until they are restarted'.	2026-02-09 16:13:58 -05:00
Charlie Voiselle	a73a535a5b	docs(cli): fix help text for --proxy-health-interval Issue: Clarity - awkward phrasing Changed 'in which coderd should be checking' to 'at which coderd checks' for more concise, natural phrasing.	2026-02-09 16:13:57 -05:00
Charlie Voiselle	96e01c3018	docs(cli): fix help text for --email-tls-cert-key-file Issue: Clarity - vague description Changed 'Certificate key file to use' to 'Private key file for the client certificate' to clarify this is the private key that pairs with --email-tls-cert-file.	2026-02-09 16:13:57 -05:00
Charlie Voiselle	6b10a0359b	docs(cli): fix help text for --email-tls-cert-file Issue: Clarity - vague description Changed 'Certificate file to use' to 'Client certificate file for mutual TLS authentication' to clarify what this certificate is for and when it's needed.	2026-02-09 16:13:57 -05:00
Charlie Voiselle	b62583ad4b	docs(cli): fix help text for --oidc-user-role-default Issue: Clarity - ambiguous relationship between defaults and synced roles Added 'in addition to synced roles' to clarify that these defaults don't replace synced roles. Also clarified that 'member' is always assigned 'regardless of this setting' to avoid confusion about whether this setting affects the member role.	2026-02-09 16:13:57 -05:00
Charlie Voiselle	3d6727a2cb	docs(cli): fix help text for --oidc-group-field Issue: Clarity - unclear structure Reordered to put the primary purpose first: 'OIDC claim field to use as the user's groups' before the conditional requirement. This makes the description more scannable and understandable.	2026-02-09 16:13:56 -05:00
Charlie Voiselle	b163962a14	docs(cli): fix help text for --aibridge-circuit-breaker-interval Issue: Clarity - confusing technical jargon Changed 'Cyclic period of the closed state for clearing internal failure counts' to 'Time window for counting failures before resetting the failure count in the closed state' to explain what the interval actually does in clearer terms.	2026-02-09 16:13:56 -05:00
Charlie Voiselle	9aca4ea27c	docs(cli): fix help text for --aibridge-circuit-breaker-enabled Issue: Clarity - ambiguous error code description Changed '(429, 503, 529 overloaded)' to '(HTTP 429, 503, 529)' and added 'and overload errors' to clarify that these are HTTP status codes and what they represent.	2026-02-09 16:13:56 -05:00
Charlie Voiselle	b0c10131ea	docs(cli): fix help text for --aibridge-retention Issue: Clarity - wordy phrasing Simplified 'Length of time to retain data such as interceptions and all related records (token, prompt, tool use)' to 'How long to retain AI Bridge data including interceptions, tokens, prompts, and tool usage records' for more natural, clearer phrasing.	2026-02-09 16:13:56 -05:00
Charlie Voiselle	c8c7e13e96	docs(cli): fix help text for --aibridge-inject-coder-mcp-tools Issue: Clarity - awkward phrasing and formatting Changed 'Whether to inject' to 'Enable injection of' for consistency with other boolean flags. Simplified the requirements clause and changed double quotes to single quotes for consistency.	2026-02-09 16:13:55 -05:00
Charlie Voiselle	249b7ea38e	docs(cli): fix help text for --aibridge-enabled Issue: Clarity - unclear technical jargon Changed 'Whether to start an in-memory aibridged instance' to 'Enable the embedded AI Bridge service to intercept and record AI provider requests' to explain what the feature actually does in user-friendly terms.	2026-02-09 16:13:55 -05:00
Charlie Voiselle	1333096e25	docs(cli): fix help text for --oidc-group-regex-filter (correction) Issue: Previous fix introduced confusing circular wording The previous commit incorrectly changed the ending to 'after the group mapping and regex filter' which is nonsensical since this flag configures THE regex filter itself. Reverted to the correct wording: 'after the group mapping'. The only valid changes from the original are: - Added comma after 'If provided' - Simplified 'allows for filtering' to 'allows filtering'	2026-02-09 16:13:55 -05:00
Charlie Voiselle	54bc9324dd	docs(cli): fix help text for --samesite-auth-cookie Issue: Grammar - missing word Added missing 'if' to read 'Controls if the SameSite property is set' instead of 'Controls the SameSite property is set'.	2026-02-09 16:13:55 -05:00
Charlie Voiselle	109e5f2b19	docs(cli): fix help text for --enable-authz-recordings Issue: Grammar - acronym capitalization Capitalized 'API' (Application Programming Interface) - should always be uppercase.	2026-02-09 16:13:55 -05:00
Charlie Voiselle	ee176b4207	docs(cli): fix help text for --ssh-config-options Issue: Grammar - missing space after period Added missing space after period between sentences: 'commas.' + 'Using' → 'commas. ' + 'Using'.	2026-02-09 16:13:54 -05:00
Charlie Voiselle	7e1e16be33	docs(cli): fix help text for --prometheus-address Issue: Grammar - proper noun capitalization Capitalized 'Prometheus' as it's a proper noun.	2026-02-09 16:13:54 -05:00
Charlie Voiselle	5cfe8082ce	docs(cli): fix help text for --prometheus-enable Issue: Grammar - proper noun capitalization Capitalized 'Prometheus' as it's a proper noun (the name of the monitoring system).	2026-02-09 16:13:54 -05:00
Charlie Voiselle	6b7f672834	docs(cli): fix help text for --allow-custom-quiet-hours Issue: Grammar - awkward phrasing Changed 'for workspaces to stop in' to 'for when workspaces are stopped' for more natural phrasing.	2026-02-09 16:13:53 -05:00
Charlie Voiselle	c55f6252a1	docs(cli): fix help text for --tls-client-ca-file Issue: Grammar - missing article Added missing article 'the' before 'client' to read 'authenticity of the client'.	2026-02-09 16:13:53 -05:00
Charlie Voiselle	842553b677	docs(cli): fix help text for --tls-ciphers Issue: Grammar - missing verb Fixed missing 'are' in 'that allowed to be used' → 'that are allowed to be used'.	2026-02-09 16:13:53 -05:00
Charlie Voiselle	05a771ba77	docs(cli): fix help text for --derp-server-stun-addresses Issue: Grammar - incorrect possessive Fixed "it's" (contraction of "it is") → "its" (possessive). Should be 'Each STUN server will get its own DERP region'.	2026-02-09 16:13:53 -05:00
Charlie Voiselle	70a0d42e65	docs(cli): fix help text for --derp-server-region-name Issue: Grammar - malformed sentence Fixed malformed sentence 'Region name that for' → 'Region name to use for'. The original was missing a verb.	2026-02-09 16:13:52 -05:00
Charlie Voiselle	6b1d73b466	docs(cli): fix help text for --notifications-store-sync-buffer-size Issue: Grammar - typo Fixed typo: 'change' → 'chance'. Same typo as in --notifications-store-sync-interval.	2026-02-09 16:13:52 -05:00
Charlie Voiselle	d7b9596145	docs(cli): fix help text for --notifications-store-sync-interval Issue: Grammar - typo Fixed typo: 'change' → 'chance'. The sentence should read 'the lower the chance of state inconsistency'.	2026-02-09 16:13:52 -05:00
Charlie Voiselle	7a0aa1a40a	docs(cli): fix help text for --oidc-signups-disabled-text Issue: Grammar - awkward phrasing Changed 'The custom text to show on the error page informing about disabled OIDC signups' to 'Custom text to show on the error page when OIDC signups are disabled' for clearer, more direct phrasing. Removed unnecessary 'The' article.	2026-02-09 16:13:52 -05:00
Charlie Voiselle	4d8ea43e11	docs(cli): fix help text for --oidc-icon-url Issue: Grammar - redundant phrasing Changed 'URL pointing to the icon' to 'URL of the icon'. The phrase 'pointing to' is redundant since a URL inherently points to a resource.	2026-02-09 16:13:52 -05:00
Charlie Voiselle	6fddae98f6	docs(cli): fix help text for --oidc-group-regex-filter Issue: Grammar - missing comma + simplification + filter order clarification Added missing comma after 'If provided'. Simplified 'allows for filtering' to 'allows filtering'. Clarified filter order to match the actual implementation.	2026-02-09 16:13:51 -05:00
Charlie Voiselle	e33fbb6087	docs(cli): fix help text for --oidc-group-mapping Issue: Grammar - subject-verb agreement + awkward phrasing Changed 'the group in Coder it should map to' to 'the groups in Coder they should map to' for proper plural agreement. Also simplified 'for when' to 'when'.	2026-02-09 16:13:51 -05:00
Charlie Voiselle	2337393e13	docs(cli): fix help text for --oidc-client-cert-file Issue: Grammar - incorrect acronym capitalization Changed 'Pem' to 'PEM', 'oauth2' to 'OAuth2', and 'x509' to 'X.509'. These are standard capitalizations for these acronyms and standards.	2026-02-09 16:13:51 -05:00
Charlie Voiselle	d7357a1b0a	docs(cli): fix help text for --oidc-client-key-file Issue: Grammar - incorrect acronym capitalization Changed 'Pem' to 'PEM' (Privacy Enhanced Mail), 'oauth2' to 'OAuth2', and 'IDP' to 'IdP' (Identity Provider). These are standard capitalizations for these acronyms.	2026-02-09 16:13:51 -05:00
Charlie Voiselle	afbf1af29c	docs(cli): fix help text for --oauth2-github-allow-everyone Issue: Grammar - unclear and run-on sentence Changed 'Allow all logins, setting this option means...' to 'Allow all GitHub users to authenticate. When enabled, allowed orgs and teams must be empty.' This separates the run-on sentence and clarifies what 'all logins' means (all GitHub users).	2026-02-09 16:13:50 -05:00
Charlie Voiselle	1d834c747c	docs(cli): fix help text for --aibridge-circuit-breaker-failure-threshold Issue: Grammar - subject-verb agreement Changed 'triggers' to 'trigger' for correct subject-verb agreement. 'Number' is the subject, which takes the singular form, but 'failures' is the head of the relative clause 'that trigger...', making 'trigger' (plural) correct.	2026-02-09 16:13:50 -05:00
Charlie Voiselle	a80edec752	docs(cli): fix help text for --aibridge-bedrock-access-key-secret Issue: Grammar - wordy and redundant phrasing Simplified from 'The access key secret to use with the access key to authenticate against' to 'AWS secret access key for authenticating with'. Uses standard AWS terminology and eliminates redundancy.	2026-02-09 16:13:50 -05:00
Charlie Voiselle	2a6473e8c6	docs(cli): fix help text for --aibridge-bedrock-access-key Issue: Grammar - awkward phrasing Changed 'The access key to authenticate against' to 'AWS access key for authenticating with' for consistency and clarity. Uses standard AWS terminology.	2026-02-09 16:13:50 -05:00
Charlie Voiselle	1f9c0b9b7f	docs(cli): fix help text for --aibridge-anthropic-key Issue: Grammar - awkward phrasing Changed 'The key to authenticate against' to 'API key for authenticating with' for consistency with --aibridge-openai-key and more natural phrasing.	2026-02-09 16:13:49 -05:00
Charlie Voiselle	5494afabd8	docs(cli): fix help text for --aibridge-openai-key Issue: Grammar - awkward phrasing Changed 'The key to authenticate against' to 'API key for authenticating with' for more natural, concise phrasing. This matches standard API documentation conventions.	2026-02-09 16:13:49 -05:00
Charlie Voiselle	07c6e86a50	docs(cli): fix help text for --notifications-email-hello Issue: Factually incorrect description of SMTP HELO/EHLO (deprecated alias) Same issue as --email-hello. This is a deprecated alias but still needs the correct description. The HELO/EHLO command identifies the client to the server, not the server itself. Fix: Clarified this identifies 'this client to the SMTP server'.	2026-02-09 16:13:49 -05:00
Charlie Voiselle	b543821a1c	docs(cli): fix help text for --email-hello Issue: Factually incorrect description of SMTP HELO/EHLO The description incorrectly stated this identifies 'the SMTP server' when it actually identifies the CLIENT to the server. The HELO/EHLO command is how the client introduces itself to the SMTP server during connection. Fix: Clarified this identifies 'this client to the SMTP server' which accurately reflects the SMTP protocol.	2026-02-09 16:13:49 -05:00
Charlie Voiselle	e8b7045a9b	docs(cli): fix help text for --pprof-enable Issue: Factually incorrect terminology The description incorrectly stated pprof serves 'metrics' when it actually serves profiling data (CPU profiles, memory profiles, goroutines, etc.). Metrics are Prometheus's domain, not pprof's. Fix: Changed 'metrics' to 'profiling endpoints' to accurately describe what pprof provides.	2026-02-09 16:13:48 -05:00
Charlie Voiselle	2571089528	docs(cli): fix help text for --oidc-user-role-mapping Issue: Factually incorrect (confuses roles with groups) + grammar error The description incorrectly stated this maps to 'groups in Coder' when it actually maps to site ROLES (member, admin, etc.). Also had a grammar error: 'will ignored' should be 'will be ignored'. Fix: Corrected to clarify this maps OIDC role names to Coder role names, and fixed the grammar error.	2026-02-09 16:13:48 -05:00
Charlie Voiselle	1fb733fe1e	docs(cli): fix help text for --oidc-allowed-groups Issue: Factually incorrect filter order The description incorrectly stated that the check is applied 'after the group mapping and before the regex filter'. This is wrong. Fix: Updated to reflect actual behavior where the check is applied BEFORE any group mapping or filtering. Also clarified the positive case (users WITH at least one matching group are allowed) instead of the confusing double-negative phrasing.	2026-02-09 16:13:48 -05:00