perf: cap count queries, use native UUID ops for audit/conn logs (backport #23835 ) (#24133 )

Backport of #23835. Audit and connection log pages were timing out due to expensive COUNT(*) queries over large tables. This commit adds opt-in count capping: requests can return a `count_cap` field signaling that the count was truncated at a threshold, avoiding full table scans that caused page timeouts. Text-cast UUID comparisons in regosql-generated authorization queries also contributed to the slowdown by preventing index usage for connection and audit log queries. These now emit native UUID operators. Frontend changes handle the capped state in usePaginatedQuery and PaginationWidget, optionally displaying a capped count in the pagination UI (e.g. "Showing 2,076 to 2,100 of 2,000+ logs") --- Cherry picked from 86ca61d6ca
chore: backport high and critical Iron Bank dependency fixes (#24109 )
2026-04-09 12:47:44 -04:00 · 2026-04-09 18:04:07 +02:00 · 2026-04-01 18:53:56 +02:00 · 2026-04-01 12:32:00 +05:00 · 2026-03-31 15:53:56 +02:00 · 2026-03-25 16:49:44 -04:00
241 changed files with 6137 additions and 2498 deletions
@@ -4,7 +4,7 @@ description: |
 inputs:
  version:
    description: "The Go version to use."
-    default: "1.25.6"
+    default: "1.25.8"
  use-preinstalled-go:
    description: "Whether to use preinstalled Go."
    default: "false"
@@ -7,5 +7,5 @@ runs:
    - name: Install Terraform
      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
      with:
-        terraform_version: 1.14.1
+        terraform_version: 1.14.5
        terraform_wrapper: false
@@ -35,7 +35,7 @@ jobs:
      tailnet-integration: ${{ steps.filter.outputs.tailnet-integration }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -157,7 +157,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -251,7 +251,7 @@ jobs:
    if: ${{ !cancelled() }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -308,7 +308,7 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -360,7 +360,7 @@ jobs:
          - windows-2022
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -554,7 +554,7 @@ jobs:
    timeout-minutes: 25
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -616,7 +616,7 @@ jobs:
    timeout-minutes: 25
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -688,7 +688,7 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -715,7 +715,7 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -748,7 +748,7 @@ jobs:
    name: ${{ matrix.variant.name }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -828,7 +828,7 @@ jobs:
    if: needs.changes.outputs.site == 'true' || needs.changes.outputs.ci == 'true'
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -909,7 +909,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -980,7 +980,7 @@ jobs:
    if: always()
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -1100,7 +1100,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -1155,7 +1155,7 @@ jobs:
      IMAGE: ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -1552,7 +1552,7 @@ jobs:
    if: needs.changes.outputs.db == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -36,7 +36,7 @@ jobs:
      verdict: ${{ steps.check.outputs.verdict }} # DEPLOY or NOOP
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -65,7 +65,7 @@ jobs:
      packages: write # to retag image as dogfood
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -146,7 +146,7 @@ jobs:
    needs: deploy
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -229,6 +229,7 @@ jobs:
      - name: Create Coder Task for Documentation Check
        if: steps.check-secrets.outputs.skip != 'true'
        id: create_task
+        continue-on-error: true
        uses: ./.github/actions/create-task-action
        with:
          coder-url: ${{ secrets.DOC_CHECK_CODER_URL }}
@@ -243,8 +244,21 @@ jobs:
          github-issue-url: ${{ steps.determine-context.outputs.pr_url }}
          comment-on-issue: false

+      - name: Handle Task Creation Failure
+        if: steps.check-secrets.outputs.skip != 'true' && steps.create_task.outcome != 'success'
+        run: |
+          {
+            echo "## Documentation Check Task"
+            echo ""
+            echo "⚠️ The external Coder task service was unavailable, so this"
+            echo "advisory documentation check did not run."
+            echo ""
+            echo "Maintainers can rerun the workflow or trigger it manually"
+            echo "after the service recovers."
+          } >> "${GITHUB_STEP_SUMMARY}"
+
      - name: Write Task Info
-        if: steps.check-secrets.outputs.skip != 'true'
+        if: steps.check-secrets.outputs.skip != 'true' && steps.create_task.outcome == 'success'
        env:
          TASK_CREATED: ${{ steps.create_task.outputs.task-created }}
          TASK_NAME: ${{ steps.create_task.outputs.task-name }}
@@ -262,7 +276,7 @@ jobs:
          } >> "${GITHUB_STEP_SUMMARY}"

      - name: Wait for Task Completion
-        if: steps.check-secrets.outputs.skip != 'true'
+        if: steps.check-secrets.outputs.skip != 'true' && steps.create_task.outcome == 'success'
        id: wait_task
        env:
          TASK_NAME: ${{ steps.create_task.outputs.task-name }}
@@ -352,7 +366,7 @@ jobs:
          fi

      - name: Fetch Task Logs
-        if: always() && steps.check-secrets.outputs.skip != 'true'
+        if: always() && steps.check-secrets.outputs.skip != 'true' && steps.create_task.outcome == 'success'
        env:
          TASK_NAME: ${{ steps.create_task.outputs.task-name }}
        run: |
@@ -365,7 +379,7 @@ jobs:
          echo "::endgroup::"

      - name: Cleanup Task
-        if: always() && steps.check-secrets.outputs.skip != 'true'
+        if: always() && steps.check-secrets.outputs.skip != 'true' && steps.create_task.outcome == 'success'
        env:
          TASK_NAME: ${{ steps.create_task.outputs.task-name }}
        run: |
@@ -379,6 +393,7 @@ jobs:
      - name: Write Final Summary
        if: always() && steps.check-secrets.outputs.skip != 'true'
        env:
+          CREATE_TASK_OUTCOME: ${{ steps.create_task.outcome }}
          TASK_NAME: ${{ steps.create_task.outputs.task-name }}
          TASK_MESSAGE: ${{ steps.wait_task.outputs.task_message }}
          RESULT_URI: ${{ steps.wait_task.outputs.result_uri }}
@@ -389,10 +404,15 @@ jobs:
            echo "---"
            echo "### Result"
            echo ""
-            echo "**Status:** ${TASK_MESSAGE:-Task completed}"
-            if [[ -n "${RESULT_URI}" ]]; then
-              echo "**Comment:** ${RESULT_URI}"
+            if [[ "${CREATE_TASK_OUTCOME}" == "success" ]]; then
+              echo "**Status:** ${TASK_MESSAGE:-Task completed}"
+              if [[ -n "${RESULT_URI}" ]]; then
+                echo "**Comment:** ${RESULT_URI}"
+              fi
+              echo ""
+              echo "Task \`${TASK_NAME}\` has been cleaned up."
+            else
+              echo "**Status:** Skipped because the external Coder task"
+              echo "service was unavailable."
            fi
-            echo ""
-            echo "Task \`${TASK_NAME}\` has been cleaned up."
          } >> "${GITHUB_STEP_SUMMARY}"
@@ -38,7 +38,7 @@ jobs:
    if: github.repository_owner == 'coder'
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -26,7 +26,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -125,7 +125,7 @@ jobs:
      id-token: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -28,7 +28,7 @@ jobs:
          - windows-2022
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -19,7 +19,7 @@ jobs:
      packages: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -39,7 +39,7 @@ jobs:
      PR_OPEN: ${{ steps.check_pr.outputs.pr_open }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -76,7 +76,7 @@ jobs:
    runs-on: "ubuntu-latest"
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -184,7 +184,7 @@ jobs:
      pull-requests: write # needed for commenting on PRs
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -228,7 +228,7 @@ jobs:
      CODER_IMAGE_TAG: ${{ needs.get_info.outputs.CODER_IMAGE_TAG }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -288,7 +288,7 @@ jobs:
      PR_HOSTNAME: "pr${{ needs.get_info.outputs.PR_NUMBER }}.${{ secrets.PR_DEPLOYMENTS_DOMAIN }}"
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -14,7 +14,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -164,7 +164,7 @@ jobs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -802,7 +802,7 @@ jobs:
      # TODO: skip this if it's not a new release (i.e. a backport). This is
      #       fine right now because it just makes a PR that we can close.
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -878,7 +878,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -971,7 +971,7 @@ jobs:
    if: ${{ !inputs.dry_run }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -20,7 +20,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -27,7 +27,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -63,116 +63,3 @@ jobs:
            --data "{\"content\": \"$msg\"}" \
            "${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"

-  trivy:
-    permissions:
-      security-events: write
-    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
-
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
-
-      - name: Setup sqlc
-        uses: ./.github/actions/setup-sqlc
-
-      - name: Install cosign
-        uses: ./.github/actions/install-cosign
-
-      - name: Install syft
-        uses: ./.github/actions/install-syft
-
-      - name: Install yq
-        run: go run github.com/mikefarah/yq/v4@v4.44.3
-      - name: Install mockgen
-        run: go install go.uber.org/mock/mockgen@v0.5.0
-      - name: Install protoc-gen-go
-        run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30
-      - name: Install protoc-gen-go-drpc
-        run: go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.34
-      - name: Install Protoc
-        run: |
-          # protoc must be in lockstep with our dogfood Dockerfile or the
-          # version in the comments will differ. This is also defined in
-          # ci.yaml.
-          set -euxo pipefail
-          cd dogfood/coder
-          mkdir -p /usr/local/bin
-          mkdir -p /usr/local/include
-
-          DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
-          protoc_path=/usr/local/bin/protoc
-          docker run --rm --entrypoint cat protoc /tmp/bin/protoc > $protoc_path
-          chmod +x $protoc_path
-          protoc --version
-          # Copy the generated files to the include directory.
-          docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/google /target/
-          ls -la /usr/local/include/google/protobuf/
-          stat /usr/local/include/google/protobuf/timestamp.proto
-
-      - name: Build Coder linux amd64 Docker image
-        id: build
-        run: |
-          set -euo pipefail
-
-          version="$(./scripts/version.sh)"
-          image_job="build/coder_${version}_linux_amd64.tag"
-
-          # This environment variable force make to not build packages and
-          # archives (which the Docker image depends on due to technical reasons
-          # related to concurrent FS writes).
-          export DOCKER_IMAGE_NO_PREREQUISITES=true
-          # This environment variables forces scripts/build_docker.sh to build
-          # the base image tag locally instead of using the cached version from
-          # the registry.
-          CODER_IMAGE_BUILD_BASE_TAG="$(CODER_IMAGE_BASE=coder-base ./scripts/image_tag.sh --version "$version")"
-          export CODER_IMAGE_BUILD_BASE_TAG
-
-          # We would like to use make -j here, but it doesn't work with the some recent additions
-          # to our code generation.
-          make "$image_job"
-          echo "image=$(cat "$image_job")" >> "$GITHUB_OUTPUT"
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
-        with:
-          image-ref: ${{ steps.build.outputs.image }}
-          format: sarif
-          output: trivy-results.sarif
-          severity: "CRITICAL,HIGH"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v3.29.5
-        with:
-          sarif_file: trivy-results.sarif
-          category: "Trivy"
-
-      - name: Upload Trivy scan results as an artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        with:
-          name: trivy
-          path: trivy-results.sarif
-          retention-days: 7
-
-      - name: Send Slack notification on failure
-        if: ${{ failure() }}
-        run: |
-          msg="❌ Trivy Failed\n\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-          curl \
-            -qfsSL \
-            -X POST \
-            -H "Content-Type: application/json" \
-            --data "{\"content\": \"$msg\"}" \
-            "${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"
@@ -18,7 +18,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -96,7 +96,7 @@ jobs:
      contents: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -120,7 +120,7 @@ jobs:
      actions: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -21,7 +21,7 @@ jobs:
      pull-requests: write # required to post PR review comments by the action
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -7,6 +7,6 @@ func IsInitProcess() bool {
 	return false
 }

-func ForkReap(_ ...Option) error {
-	return nil
+func ForkReap(_ ...Option) (int, error) {
+	return 0, nil
 }
@@ -32,12 +32,13 @@ func TestReap(t *testing.T) {
 	}

 	pids := make(reap.PidCh, 1)
-	err := reaper.ForkReap(
+	exitCode, err := reaper.ForkReap(
 		reaper.WithPIDCallback(pids),
 		// Provide some argument that immediately exits.
 		reaper.WithExecArgs("/bin/sh", "-c", "exit 0"),
 	)
 	require.NoError(t, err)
+	require.Equal(t, 0, exitCode)

 	cmd := exec.Command("tail", "-f", "/dev/null")
 	err = cmd.Start()
@@ -65,6 +66,36 @@ func TestReap(t *testing.T) {
 	}
 }

+//nolint:paralleltest
+func TestForkReapExitCodes(t *testing.T) {
+	if testutil.InCI() {
+		t.Skip("Detected CI, skipping reaper tests")
+	}
+
+	tests := []struct {
+		name         string
+		command      string
+		expectedCode int
+	}{
+		{"exit 0", "exit 0", 0},
+		{"exit 1", "exit 1", 1},
+		{"exit 42", "exit 42", 42},
+		{"exit 255", "exit 255", 255},
+		{"SIGKILL", "kill -9 $$", 128 + 9},
+		{"SIGTERM", "kill -15 $$", 128 + 15},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			exitCode, err := reaper.ForkReap(
+				reaper.WithExecArgs("/bin/sh", "-c", tt.command),
+			)
+			require.NoError(t, err)
+			require.Equal(t, tt.expectedCode, exitCode, "exit code mismatch for %q", tt.command)
+		})
+	}
+}
+
 //nolint:paralleltest // Signal handling.
 func TestReapInterrupt(t *testing.T) {
 	// Don't run the reaper test in CI. It does weird
@@ -84,13 +115,17 @@ func TestReapInterrupt(t *testing.T) {
 	defer signal.Stop(usrSig)

 	go func() {
-		errC <- reaper.ForkReap(
+		exitCode, err := reaper.ForkReap(
 			reaper.WithPIDCallback(pids),
 			reaper.WithCatchSignals(os.Interrupt),
 			// Signal propagation does not extend to children of children, so
 			// we create a little bash script to ensure sleep is interrupted.
 			reaper.WithExecArgs("/bin/sh", "-c", fmt.Sprintf("pid=0; trap 'kill -USR2 %d; kill -TERM $pid' INT; sleep 10 &\npid=$!; kill -USR1 %d; wait", os.Getpid(), os.Getpid())),
 		)
+		// The child exits with 128 + SIGTERM (15) = 143, but the trap catches
+		// SIGINT and sends SIGTERM to the sleep process, so exit code varies.
+		_ = exitCode
+		errC <- err
 	}()

 	require.Equal(t, <-usrSig, syscall.SIGUSR1)
@@ -40,7 +40,10 @@ func catchSignals(pid int, sigs []os.Signal) {
 // the reaper and an exec.Command waiting for its process to complete.
 // The provided 'pids' channel may be nil if the caller does not care about the
 // reaped children PIDs.
-func ForkReap(opt ...Option) error {
+//
+// Returns the child's exit code (using 128+signal for signal termination)
+// and any error from Wait4.
+func ForkReap(opt ...Option) (int, error) {
 	opts := &options{
 		ExecArgs: os.Args,
 	}
@@ -53,7 +56,7 @@ func ForkReap(opt ...Option) error {

 	pwd, err := os.Getwd()
 	if err != nil {
-		return xerrors.Errorf("get wd: %w", err)
+		return 1, xerrors.Errorf("get wd: %w", err)
 	}

 	pattrs := &syscall.ProcAttr{
@@ -72,7 +75,7 @@ func ForkReap(opt ...Option) error {
 	//#nosec G204
 	pid, err := syscall.ForkExec(opts.ExecArgs[0], opts.ExecArgs, pattrs)
 	if err != nil {
-		return xerrors.Errorf("fork exec: %w", err)
+		return 1, xerrors.Errorf("fork exec: %w", err)
 	}

 	go catchSignals(pid, opts.CatchSignals)
@@ -82,5 +85,18 @@ func ForkReap(opt ...Option) error {
 	for xerrors.Is(err, syscall.EINTR) {
 		_, err = syscall.Wait4(pid, &wstatus, 0, nil)
 	}
-	return err
+
+	// Convert wait status to exit code using standard Unix conventions:
+	// - Normal exit: use the exit code
+	// - Signal termination: use 128 + signal number
+	var exitCode int
+	switch {
+	case wstatus.Exited():
+		exitCode = wstatus.ExitStatus()
+	case wstatus.Signaled():
+		exitCode = 128 + int(wstatus.Signal())
+	default:
+		exitCode = 1
+	}
+	return exitCode, err
 }
@@ -136,7 +136,7 @@ func workspaceAgent() *serpent.Command {
 				// to do this else we fork bomb ourselves.
 				//nolint:gocritic
 				args := append(os.Args, "--no-reap")
-				err := reaper.ForkReap(
+				exitCode, err := reaper.ForkReap(
 					reaper.WithExecArgs(args...),
 					reaper.WithCatchSignals(StopSignals...),
 				)
@@ -145,8 +145,8 @@ func workspaceAgent() *serpent.Command {
 					return xerrors.Errorf("fork reap: %w", err)
 				}

-				logger.Info(ctx, "reaper process exiting")
-				return nil
+				logger.Info(ctx, "reaper child process exited", slog.F("exit_code", exitCode))
+				return ExitError(exitCode, nil)
 			}

 			// Handle interrupt signals to allow for graceful shutdown,
@@ -49,6 +49,9 @@ Examples:
  # Test OpenAI API through bridge
  coder scaletest bridge --mode bridge --provider openai --concurrent-users 10 --request-count 5 --num-messages 10

+  # Test OpenAI Responses API through bridge
+  coder scaletest bridge --mode bridge --provider responses --concurrent-users 10 --request-count 5 --num-messages 10
+
  # Test Anthropic API through bridge
  coder scaletest bridge --mode bridge --provider anthropic --concurrent-users 10 --request-count 5 --num-messages 10

@@ -219,9 +222,9 @@ Examples:
 		{
 			Flag:        "provider",
 			Env:         "CODER_SCALETEST_BRIDGE_PROVIDER",
-			Default:     "openai",
+			Required:    true,
 			Description: "API provider to use.",
-			Value:       serpent.EnumOf(&provider, "openai", "anthropic"),
+			Value:       serpent.EnumOf(&provider, "completions", "messages", "responses"),
 		},
 		{
 			Flag:        "request-count",
@@ -62,6 +62,7 @@ func (*RootCmd) scaletestLLMMock() *serpent.Command {

 			_, _ = fmt.Fprintf(inv.Stdout, "Mock LLM API server started on %s\n", srv.APIAddress())
 			_, _ = fmt.Fprintf(inv.Stdout, "  OpenAI endpoint: %s/v1/chat/completions\n", srv.APIAddress())
+			_, _ = fmt.Fprintf(inv.Stdout, "  OpenAI responses endpoint: %s/v1/responses\n", srv.APIAddress())
 			_, _ = fmt.Fprintf(inv.Stdout, "  Anthropic endpoint: %s/v1/messages\n", srv.APIAddress())

 			<-ctx.Done()
@@ -24,7 +24,6 @@ import (
 	"github.com/gofrs/flock"
 	"github.com/google/uuid"
 	"github.com/mattn/go-isatty"
-	"github.com/shirou/gopsutil/v4/process"
 	"github.com/spf13/afero"
 	gossh "golang.org/x/crypto/ssh"
 	gosshagent "golang.org/x/crypto/ssh/agent"
@@ -85,9 +84,6 @@ func (r *RootCmd) ssh() *serpent.Command {

 		containerName string
 		containerUser string
-
-		// Used in tests to simulate the parent exiting.
-		testForcePPID int64
 	)
 	cmd := &serpent.Command{
 		Annotations: workspaceCommand,
@@ -179,24 +175,6 @@ func (r *RootCmd) ssh() *serpent.Command {
 			ctx, cancel := context.WithCancel(ctx)
 			defer cancel()

-			// When running as a ProxyCommand (stdio mode), monitor the parent process
-			// and exit if it dies to avoid leaving orphaned processes. This is
-			// particularly important when editors like VSCode/Cursor spawn SSH
-			// connections and then crash or are killed - we don't want zombie
-			// `coder ssh` processes accumulating.
-			// Note: using gopsutil to check the parent process as this handles
-			// windows processes as well in a standard way.
-			if stdio {
-				ppid := int32(os.Getppid())             // nolint:gosec
-				checkParentInterval := 10 * time.Second // Arbitrary interval to not be too frequent
-				if testForcePPID > 0 {
-					ppid = int32(testForcePPID)                  // nolint:gosec
-					checkParentInterval = 100 * time.Millisecond // Shorter interval for testing
-				}
-				ctx, cancel = watchParentContext(ctx, quartz.NewReal(), ppid, process.PidExistsWithContext, checkParentInterval)
-				defer cancel()
-			}
-
 			// Prevent unnecessary logs from the stdlib from messing up the TTY.
 			// See: https://github.com/coder/coder/issues/13144
 			log.SetOutput(io.Discard)
@@ -797,12 +775,6 @@ func (r *RootCmd) ssh() *serpent.Command {
 			Value:       serpent.BoolOf(&forceNewTunnel),
 			Hidden:      true,
 		},
-		{
-			Flag:        "test.force-ppid",
-			Description: "Override the parent process ID to simulate a different parent process. ONLY USE THIS IN TESTS.",
-			Value:       serpent.Int64Of(&testForcePPID),
-			Hidden:      true,
-		},
 		sshDisableAutostartOption(serpent.BoolOf(&disableAutostart)),
 	}
 	return cmd
@@ -1690,33 +1662,3 @@ func normalizeWorkspaceInput(input string) string {
 		return input // Fallback
 	}
 }
-
-// watchParentContext returns a context that is canceled when the parent process
-// dies. It polls using the provided clock and checks if the parent is alive
-// using the provided pidExists function.
-func watchParentContext(ctx context.Context, clock quartz.Clock, originalPPID int32, pidExists func(context.Context, int32) (bool, error), interval time.Duration) (context.Context, context.CancelFunc) {
-	ctx, cancel := context.WithCancel(ctx) // intentionally shadowed
-
-	go func() {
-		ticker := clock.NewTicker(interval)
-		defer ticker.Stop()
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-ticker.C:
-				alive, err := pidExists(ctx, originalPPID)
-				// If we get an error checking the parent process (e.g., permission
-				// denied, the process is in an unknown state), we assume the parent
-				// is still alive to avoid disrupting the SSH connection. We only
-				// cancel when we definitively know the parent is gone (alive=false, err=nil).
-				if !alive && err == nil {
-					cancel()
-					return
-				}
-			}
-		}
-	}()
-
-	return ctx, cancel
-}
@@ -312,102 +312,6 @@ type fakeCloser struct {
 	err    error
 }

-func TestWatchParentContext(t *testing.T) {
-	t.Parallel()
-
-	t.Run("CancelsWhenParentDies", func(t *testing.T) {
-		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitShort)
-		mClock := quartz.NewMock(t)
-		trap := mClock.Trap().NewTicker()
-		defer trap.Close()
-
-		parentAlive := true
-		childCtx, cancel := watchParentContext(ctx, mClock, 1234, func(context.Context, int32) (bool, error) {
-			return parentAlive, nil
-		}, testutil.WaitShort)
-		defer cancel()
-
-		// Wait for the ticker to be created
-		trap.MustWait(ctx).MustRelease(ctx)
-
-		// When: we simulate parent death and advance the clock
-		parentAlive = false
-		mClock.AdvanceNext()
-
-		// Then: The context should be canceled
-		_ = testutil.TryReceive(ctx, t, childCtx.Done())
-	})
-
-	t.Run("DoesNotCancelWhenParentAlive", func(t *testing.T) {
-		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitShort)
-		mClock := quartz.NewMock(t)
-		trap := mClock.Trap().NewTicker()
-		defer trap.Close()
-
-		childCtx, cancel := watchParentContext(ctx, mClock, 1234, func(context.Context, int32) (bool, error) {
-			return true, nil // Parent always alive
-		}, testutil.WaitShort)
-		defer cancel()
-
-		// Wait for the ticker to be created
-		trap.MustWait(ctx).MustRelease(ctx)
-
-		// When: we advance the clock several times with the parent alive
-		for range 3 {
-			mClock.AdvanceNext()
-		}
-
-		// Then: context should not be canceled
-		require.NoError(t, childCtx.Err())
-	})
-
-	t.Run("RespectsParentContext", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancelParent := context.WithCancel(context.Background())
-		mClock := quartz.NewMock(t)
-
-		childCtx, cancel := watchParentContext(ctx, mClock, 1234, func(context.Context, int32) (bool, error) {
-			return true, nil
-		}, testutil.WaitShort)
-		defer cancel()
-
-		// When: we cancel the parent context
-		cancelParent()
-
-		// Then: The context should be canceled
-		require.ErrorIs(t, childCtx.Err(), context.Canceled)
-	})
-
-	t.Run("DoesNotCancelOnError", func(t *testing.T) {
-		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitShort)
-		mClock := quartz.NewMock(t)
-		trap := mClock.Trap().NewTicker()
-		defer trap.Close()
-
-		// Simulate an error checking parent status (e.g., permission denied).
-		// We should not cancel the context in this case to avoid disrupting
-		// the SSH connection.
-		childCtx, cancel := watchParentContext(ctx, mClock, 1234, func(context.Context, int32) (bool, error) {
-			return false, xerrors.New("permission denied")
-		}, testutil.WaitShort)
-		defer cancel()
-
-		// Wait for the ticker to be created
-		trap.MustWait(ctx).MustRelease(ctx)
-
-		// When: we advance clock several times
-		for range 3 {
-			mClock.AdvanceNext()
-		}
-
-		// Context should NOT be canceled since we got an error (not a definitive "not alive")
-		require.NoError(t, childCtx.Err(), "context was canceled even though pidExists returned an error")
-	})
-}
-
 func (c *fakeCloser) Close() error {
 	*c.closes = append(*c.closes, c)
 	return c.err
@@ -1122,97 +1122,6 @@ func TestSSH(t *testing.T) {
 		}
 	})

-	// This test ensures that the SSH session exits when the parent process dies.
-	t.Run("StdioExitOnParentDeath", func(t *testing.T) {
-		t.Parallel()
-
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitSuperLong)
-		defer cancel()
-
-		// sleepStart -> agentReady -> sessionStarted -> sleepKill -> sleepDone -> cmdDone
-		sleepStart := make(chan int)
-		agentReady := make(chan struct{})
-		sessionStarted := make(chan struct{})
-		sleepKill := make(chan struct{})
-		sleepDone := make(chan struct{})
-
-		// Start a sleep process which we will pretend is the parent.
-		go func() {
-			sleepCmd := exec.Command("sleep", "infinity")
-			if !assert.NoError(t, sleepCmd.Start(), "failed to start sleep command") {
-				return
-			}
-			sleepStart <- sleepCmd.Process.Pid
-			defer close(sleepDone)
-			<-sleepKill
-			sleepCmd.Process.Kill()
-			_ = sleepCmd.Wait()
-		}()
-
-		client, workspace, agentToken := setupWorkspaceForAgent(t)
-		go func() {
-			defer close(agentReady)
-			_ = agenttest.New(t, client.URL, agentToken)
-			coderdtest.NewWorkspaceAgentWaiter(t, client, workspace.ID).WaitFor(coderdtest.AgentsReady)
-		}()
-
-		clientOutput, clientInput := io.Pipe()
-		serverOutput, serverInput := io.Pipe()
-		defer func() {
-			for _, c := range []io.Closer{clientOutput, clientInput, serverOutput, serverInput} {
-				_ = c.Close()
-			}
-		}()
-
-		// Start a connection to the agent once it's ready
-		go func() {
-			<-agentReady
-			conn, channels, requests, err := ssh.NewClientConn(&testutil.ReaderWriterConn{
-				Reader: serverOutput,
-				Writer: clientInput,
-			}, "", &ssh.ClientConfig{
-				// #nosec
-				HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-			})
-			if !assert.NoError(t, err, "failed to create SSH client connection") {
-				return
-			}
-			defer conn.Close()
-
-			sshClient := ssh.NewClient(conn, channels, requests)
-			defer sshClient.Close()
-
-			session, err := sshClient.NewSession()
-			if !assert.NoError(t, err, "failed to create SSH session") {
-				return
-			}
-			close(sessionStarted)
-			<-sleepDone
-			assert.NoError(t, session.Close())
-		}()
-
-		// Wait for our "parent" process to start
-		sleepPid := testutil.RequireReceive(ctx, t, sleepStart)
-		// Wait for the agent to be ready
-		testutil.SoftTryReceive(ctx, t, agentReady)
-		inv, root := clitest.New(t, "ssh", "--stdio", workspace.Name, "--test.force-ppid", fmt.Sprintf("%d", sleepPid))
-		clitest.SetupConfig(t, client, root)
-		inv.Stdin = clientOutput
-		inv.Stdout = serverInput
-		inv.Stderr = io.Discard
-
-		// Start the command
-		clitest.Start(t, inv.WithContext(ctx))
-
-		// Wait for a session to be established
-		testutil.SoftTryReceive(ctx, t, sessionStarted)
-		// Now kill the fake "parent"
-		close(sleepKill)
-		// The sleep process should exit
-		testutil.SoftTryReceive(ctx, t, sleepDone)
-		// And then the command should exit. This is tracked by clitest.Start.
-	})
-
 	t.Run("ForwardAgent", func(t *testing.T) {
 		if runtime.GOOS == "windows" {
 			t.Skip("Test not supported on windows")
@@ -775,15 +775,15 @@ aibridge:
  # Maximum number of concurrent AI Bridge requests per replica. Set to 0 to disable
  # (unlimited).
  # (default: 0, type: int)
-  maxConcurrency: 0
+  max_concurrency: 0
  # Maximum number of AI Bridge requests per second per replica. Set to 0 to disable
  # (unlimited).
  # (default: 0, type: int)
-  rateLimit: 0
+  rate_limit: 0
  # Emit structured logs for AI Bridge interception records. Use this for exporting
  # these records to external SIEM or observability systems.
  # (default: false, type: bool)
-  structuredLogging: false
+  structured_logging: false
  # Once enabled, extra headers will be added to upstream requests to identify the
  # user (actor) making requests to AI Bridge. This is only needed if you are using
  # a proxy between AI Bridge and an upstream AI provider. This will send
@@ -794,20 +794,20 @@ aibridge:
  # Enable the circuit breaker to protect against cascading failures from upstream
  # AI provider rate limits (429, 503, 529 overloaded).
  # (default: false, type: bool)
-  circuitBreakerEnabled: false
+  circuit_breaker_enabled: false
  # Number of consecutive failures that triggers the circuit breaker to open.
  # (default: 5, type: int)
-  circuitBreakerFailureThreshold: 5
+  circuit_breaker_failure_threshold: 5
  # Cyclic period of the closed state for clearing internal failure counts.
  # (default: 10s, type: duration)
-  circuitBreakerInterval: 10s
+  circuit_breaker_interval: 10s
  # How long the circuit breaker stays open before transitioning to half-open state.
  # (default: 30s, type: duration)
-  circuitBreakerTimeout: 30s
+  circuit_breaker_timeout: 30s
  # Maximum number of requests allowed in half-open state before deciding to close
  # or re-open the circuit.
  # (default: 3, type: int)
-  circuitBreakerMaxRequests: 3
+  circuit_breaker_max_requests: 3
 aibridgeproxy:
  # Enable the AI Bridge MITM Proxy for intercepting and decrypting AI provider
  # requests.
@@ -91,7 +91,7 @@ func (a *SubAgentAPI) CreateSubAgent(ctx context.Context, req *agentproto.Create
 		Name:                     agentName,
 		ResourceID:               parentAgent.ResourceID,
 		AuthToken:                uuid.New(),
-		AuthInstanceID:           parentAgent.AuthInstanceID,
+		AuthInstanceID:           sql.NullString{},
 		Architecture:             req.Architecture,
 		EnvironmentVariables:     pqtype.NullRawMessage{},
 		OperatingSystem:          req.OperatingSystem,
@@ -175,6 +175,52 @@ func TestSubAgentAPI(t *testing.T) {
 		}
 	})

+	// Context: https://github.com/coder/coder/pull/22196
+	t.Run("CreateSubAgentDoesNotInheritAuthInstanceID", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			log   = testutil.Logger(t)
+			clock = quartz.NewMock(t)
+
+			db, org     = newDatabaseWithOrg(t)
+			user, agent = newUserWithWorkspaceAgent(t, db, org)
+		)
+
+		// Given: The parent agent has an AuthInstanceID set
+		ctx := testutil.Context(t, testutil.WaitShort)
+		parentAgent, err := db.GetWorkspaceAgentByID(dbauthz.AsSystemRestricted(ctx), agent.ID)
+		require.NoError(t, err)
+		require.True(t, parentAgent.AuthInstanceID.Valid, "parent agent should have an AuthInstanceID")
+		require.NotEmpty(t, parentAgent.AuthInstanceID.String)
+
+		api := newAgentAPI(t, log, db, clock, user, org, agent)
+
+		// When: We create a sub agent
+		createResp, err := api.CreateSubAgent(ctx, &proto.CreateSubAgentRequest{
+			Name:            "sub-agent",
+			Directory:       "/workspaces/test",
+			Architecture:    "amd64",
+			OperatingSystem: "linux",
+		})
+		require.NoError(t, err)
+
+		subAgentID, err := uuid.FromBytes(createResp.Agent.Id)
+		require.NoError(t, err)
+
+		// Then: The sub-agent must NOT re-use the parent's AuthInstanceID.
+		subAgent, err := db.GetWorkspaceAgentByID(dbauthz.AsSystemRestricted(ctx), subAgentID)
+		require.NoError(t, err)
+		assert.False(t, subAgent.AuthInstanceID.Valid, "sub-agent should not have an AuthInstanceID")
+		assert.Empty(t, subAgent.AuthInstanceID.String, "sub-agent AuthInstanceID string should be empty")
+
+		// Double-check: looking up by the parent's instance ID must
+		// still return the parent, not the sub-agent.
+		lookedUp, err := db.GetWorkspaceAgentByInstanceID(dbauthz.AsSystemRestricted(ctx), parentAgent.AuthInstanceID.String)
+		require.NoError(t, err)
+		assert.Equal(t, parentAgent.ID, lookedUp.ID, "instance ID lookup should still return the parent agent")
+	})
+
 	type expectedAppError struct {
 		index int32
 		field string
@@ -13152,6 +13152,9 @@ const docTemplate = `{
                },
                "count": {
                    "type": "integer"
+                },
+                "count_cap": {
+                    "type": "integer"
                }
            }
        },
@@ -13459,6 +13462,9 @@ const docTemplate = `{
                },
                "count": {
                    "type": "integer"
+                },
+                "count_cap": {
+                    "type": "integer"
                }
            }
        },
@@ -15066,10 +15072,6 @@ const docTemplate = `{
                "limit": {
                    "type": "integer"
                },
-                "soft_limit": {
-                    "description": "SoftLimit is the soft limit of the feature, and is only used for showing\nincluded limits in the dashboard. No license validation or warnings are\ngenerated from this value.",
-                    "type": "integer"
-                },
                "usage_period": {
                    "description": "UsagePeriod denotes that the usage is a counter that accumulates over\nthis period (and most likely resets with the issuance of the next\nlicense).\n\nThese dates are determined from the license that this entitlement comes\nfrom, see enterprise/coderd/license/license.go.\n\nOnly certain features set these fields:\n- FeatureManagedAgentLimit",
                    "allOf": [
@@ -11784,6 +11784,9 @@
 				},
 				"count": {
 					"type": "integer"
+				},
+				"count_cap": {
+					"type": "integer"
 				}
 			}
 		},
@@ -12070,6 +12073,9 @@
 				},
 				"count": {
 					"type": "integer"
+				},
+				"count_cap": {
+					"type": "integer"
 				}
 			}
 		},
@@ -13623,10 +13629,6 @@
 				"limit": {
 					"type": "integer"
 				},
-				"soft_limit": {
-					"description": "SoftLimit is the soft limit of the feature, and is only used for showing\nincluded limits in the dashboard. No license validation or warnings are\ngenerated from this value.",
-					"type": "integer"
-				},
 				"usage_period": {
 					"description": "UsagePeriod denotes that the usage is a counter that accumulates over\nthis period (and most likely resets with the issuance of the next\nlicense).\n\nThese dates are determined from the license that this entitlement comes\nfrom, see enterprise/coderd/license/license.go.\n\nOnly certain features set these fields:\n- FeatureManagedAgentLimit",
 					"allOf": [
@@ -26,6 +26,11 @@ import (
 	"github.com/coder/coder/v2/codersdk"
 )

+// Limit the count query to avoid a slow sequential scan due to joins
+// on a large table. Set to 0 to disable capping (but also see the note
+// in the SQL query).
+const auditLogCountCap = 2000
+
 // @Summary Get audit logs
 // @ID get-audit-logs
 // @Security CoderSessionToken
@@ -66,7 +71,7 @@ func (api *API) auditLogs(rw http.ResponseWriter, r *http.Request) {
 		countFilter.Username = ""
 	}

-	// Use the same filters to count the number of audit logs
+	countFilter.CountCap = auditLogCountCap
 	count, err := api.Database.CountAuditLogs(ctx, countFilter)
 	if dbauthz.IsNotAuthorizedError(err) {
 		httpapi.Forbidden(rw)
@@ -81,6 +86,7 @@ func (api *API) auditLogs(rw http.ResponseWriter, r *http.Request) {
 		httpapi.Write(ctx, rw, http.StatusOK, codersdk.AuditLogResponse{
 			AuditLogs: []codersdk.AuditLog{},
 			Count:     0,
+			CountCap:  auditLogCountCap,
 		})
 		return
 	}
@@ -98,6 +104,7 @@ func (api *API) auditLogs(rw http.ResponseWriter, r *http.Request) {
 	httpapi.Write(ctx, rw, http.StatusOK, codersdk.AuditLogResponse{
 		AuditLogs: api.convertAuditLogs(ctx, dblogs),
 		Count:     count,
+		CountCap:  auditLogCountCap,
 	})
 }

@@ -40,8 +40,10 @@
 // counters. When boundary logs are reported, Track() adds the IDs to the sets
 // and increments request counters.
 //
-// FlushToDB() writes stats to the database, replacing all values with the current
-// in-memory state. Stats accumulate in memory throughout the telemetry period.
+// FlushToDB() writes stats to the database only when there's been new activity
+// since the last flush. This prevents stale data from being written after a
+// telemetry reset when no new usage occurred. Stats accumulate in memory
+// throughout the telemetry period.
 //
 // A new period is detected when the upsert results in an INSERT (meaning
 // telemetry deleted the replica's row). At that point, all in-memory stats are
@@ -14,21 +14,40 @@ import (

 // Tracker tracks boundary usage for telemetry reporting.
 //
-// All stats accumulate in memory throughout a telemetry period and are only
-// reset when a new period begins.
+// Unique user/workspace counts are tracked both cumulatively and as deltas since
+// the last flush. The delta is needed because when a new telemetry period starts
+// (the DB row is deleted), we must only insert data accumulated since the last
+// flush. If we used cumulative values, stale data from the previous period would
+// be written to the new row and then lost when subsequent updates overwrite it.
+//
+// Request counts are tracked as deltas and accumulated in the database.
 type Tracker struct {
-	mu              sync.Mutex
-	workspaces      map[uuid.UUID]struct{}
-	users           map[uuid.UUID]struct{}
+	mu sync.Mutex
+
+	// Cumulative unique counts for the current period (used on UPDATE to
+	// replace the DB value with accurate totals).
+	workspaces map[uuid.UUID]struct{}
+	users      map[uuid.UUID]struct{}
+
+	// Delta unique counts since last flush (used on INSERT to avoid writing
+	// stale data from the previous period).
+	workspacesDelta map[uuid.UUID]struct{}
+	usersDelta      map[uuid.UUID]struct{}
+
+	// Request deltas (always reset when flushing, accumulated in DB).
 	allowedRequests int64
 	deniedRequests  int64
+
+	usageSinceLastFlush bool
 }

 // NewTracker creates a new boundary usage tracker.
 func NewTracker() *Tracker {
 	return &Tracker{
-		workspaces: make(map[uuid.UUID]struct{}),
-		users:      make(map[uuid.UUID]struct{}),
+		workspaces:      make(map[uuid.UUID]struct{}),
+		users:           make(map[uuid.UUID]struct{}),
+		workspacesDelta: make(map[uuid.UUID]struct{}),
+		usersDelta:      make(map[uuid.UUID]struct{}),
 	}
 }

@@ -39,50 +58,68 @@ func (t *Tracker) Track(workspaceID, ownerID uuid.UUID, allowed, denied int64) {

 	t.workspaces[workspaceID] = struct{}{}
 	t.users[ownerID] = struct{}{}
+	t.workspacesDelta[workspaceID] = struct{}{}
+	t.usersDelta[ownerID] = struct{}{}
 	t.allowedRequests += allowed
 	t.deniedRequests += denied
+	t.usageSinceLastFlush = true
 }

-// FlushToDB writes the accumulated stats to the database. All values are
-// replaced in the database (they represent the current in-memory state). If the
-// database row was deleted (new telemetry period), all in-memory stats are reset.
+// FlushToDB writes stats to the database. For unique counts, cumulative values
+// are used on UPDATE (replacing the DB value) while delta values are used on
+// INSERT (starting fresh). Request counts are always deltas, accumulated in DB.
+// All deltas are reset immediately after snapshot so Track() calls during the
+// DB operation are preserved for the next flush.
 func (t *Tracker) FlushToDB(ctx context.Context, db database.Store, replicaID uuid.UUID) error {
 	t.mu.Lock()
-	workspaceCount := int64(len(t.workspaces))
-	userCount := int64(len(t.users))
-	allowed := t.allowedRequests
-	denied := t.deniedRequests
-	t.mu.Unlock()
-
-	// Don't flush if there's no activity.
-	if workspaceCount == 0 && userCount == 0 && allowed == 0 && denied == 0 {
+	if !t.usageSinceLastFlush {
+		t.mu.Unlock()
 		return nil
 	}

+	// Snapshot all values.
+	workspaceCount := int64(len(t.workspaces))      // cumulative, for UPDATE
+	userCount := int64(len(t.users))                // cumulative, for UPDATE
+	workspaceDelta := int64(len(t.workspacesDelta)) // delta, for INSERT
+	userDelta := int64(len(t.usersDelta))           // delta, for INSERT
+	allowed := t.allowedRequests                    // delta, accumulated in DB
+	denied := t.deniedRequests                      // delta, accumulated in DB
+
+	// Reset all deltas immediately so Track() calls during the DB operation
+	// below are preserved for the next flush.
+	t.workspacesDelta = make(map[uuid.UUID]struct{})
+	t.usersDelta = make(map[uuid.UUID]struct{})
+	t.allowedRequests = 0
+	t.deniedRequests = 0
+	t.usageSinceLastFlush = false
+	t.mu.Unlock()
+
 	//nolint:gocritic // This is the actual package doing boundary usage tracking.
-	newPeriod, err := db.UpsertBoundaryUsageStats(dbauthz.AsBoundaryUsageTracker(ctx), database.UpsertBoundaryUsageStatsParams{
+	_, err := db.UpsertBoundaryUsageStats(dbauthz.AsBoundaryUsageTracker(ctx), database.UpsertBoundaryUsageStatsParams{
 		ReplicaID:             replicaID,
-		UniqueWorkspacesCount: workspaceCount,
-		UniqueUsersCount:      userCount,
+		UniqueWorkspacesCount: workspaceCount, // cumulative, for UPDATE
+		UniqueUsersCount:      userCount,      // cumulative, for UPDATE
+		UniqueWorkspacesDelta: workspaceDelta, // delta, for INSERT
+		UniqueUsersDelta:      userDelta,      // delta, for INSERT
 		AllowedRequests:       allowed,
 		DeniedRequests:        denied,
 	})
-	if err != nil {
-		return err
-	}

-	// If this was an insert (new period), reset all stats. Any Track() calls
-	// that occurred during the DB operation will be counted in the next period.
-	if newPeriod {
-		t.mu.Lock()
-		t.workspaces = make(map[uuid.UUID]struct{})
-		t.users = make(map[uuid.UUID]struct{})
-		t.allowedRequests = 0
-		t.deniedRequests = 0
-		t.mu.Unlock()
+	// Always reset cumulative counts to prevent unbounded memory growth (e.g.
+	// if the DB is unreachable). Copy delta maps to preserve any Track() calls
+	// that occurred during the DB operation above.
+	t.mu.Lock()
+	t.workspaces = make(map[uuid.UUID]struct{})
+	t.users = make(map[uuid.UUID]struct{})
+	for id := range t.workspacesDelta {
+		t.workspaces[id] = struct{}{}
 	}
+	for id := range t.usersDelta {
+		t.users[id] = struct{}{}
+	}
+	t.mu.Unlock()

-	return nil
+	return err
 }

 // StartFlushLoop begins the periodic flush loop that writes accumulated stats
@@ -159,23 +159,18 @@ func TestTracker_FlushToDB_Accumulates(t *testing.T) {
 	workspaceID := uuid.New()
 	ownerID := uuid.New()

+	// First flush is an insert, resets unique counts (new period).
 	tracker.Track(workspaceID, ownerID, 5, 3)
-
-	// First flush is an insert, which resets in-memory stats.
 	err := tracker.FlushToDB(ctx, db, replicaID)
 	require.NoError(t, err)

-	// Track more data after the reset.
+	// Track & flush more data. Same workspace/user, so unique counts stay at 1.
 	tracker.Track(workspaceID, ownerID, 2, 1)
-
-	// Second flush is an update so stats should accumulate.
 	err = tracker.FlushToDB(ctx, db, replicaID)
 	require.NoError(t, err)

-	// Track even more data.
+	// Track & flush even more data to continue accumulation.
 	tracker.Track(workspaceID, ownerID, 3, 2)
-
-	// Third flush stats should continue accumulating.
 	err = tracker.FlushToDB(ctx, db, replicaID)
 	require.NoError(t, err)

@@ -184,8 +179,8 @@ func TestTracker_FlushToDB_Accumulates(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, int64(1), summary.UniqueWorkspaces)
 	require.Equal(t, int64(1), summary.UniqueUsers)
-	require.Equal(t, int64(5), summary.AllowedRequests, "should accumulate after first reset: 2+3=5")
-	require.Equal(t, int64(3), summary.DeniedRequests, "should accumulate after first reset: 1+2=3")
+	require.Equal(t, int64(5+2+3), summary.AllowedRequests)
+	require.Equal(t, int64(3+1+2), summary.DeniedRequests)
 }

 func TestTracker_FlushToDB_NewPeriod(t *testing.T) {
@@ -256,15 +251,24 @@ func TestUpsertBoundaryUsageStats_Insert(t *testing.T) {

 	replicaID := uuid.New()

+	// Set different values for delta vs cumulative to verify INSERT uses delta.
 	newPeriod, err := db.UpsertBoundaryUsageStats(ctx, database.UpsertBoundaryUsageStatsParams{
 		ReplicaID:             replicaID,
-		UniqueWorkspacesCount: 5,
-		UniqueUsersCount:      3,
+		UniqueWorkspacesDelta: 5,
+		UniqueUsersDelta:      3,
+		UniqueWorkspacesCount: 999, // should be ignored on INSERT
+		UniqueUsersCount:      999, // should be ignored on INSERT
 		AllowedRequests:       100,
 		DeniedRequests:        10,
 	})
 	require.NoError(t, err)
 	require.True(t, newPeriod, "should return true for insert")
+
+	// Verify INSERT used the delta values, not cumulative.
+	summary, err := db.GetBoundaryUsageSummary(ctx, 60000)
+	require.NoError(t, err)
+	require.Equal(t, int64(5), summary.UniqueWorkspaces)
+	require.Equal(t, int64(3), summary.UniqueUsers)
 }

 func TestUpsertBoundaryUsageStats_Update(t *testing.T) {
@@ -275,34 +279,34 @@ func TestUpsertBoundaryUsageStats_Update(t *testing.T) {

 	replicaID := uuid.New()

-	// First insert.
+	// First insert uses delta fields.
 	_, err := db.UpsertBoundaryUsageStats(ctx, database.UpsertBoundaryUsageStatsParams{
 		ReplicaID:             replicaID,
-		UniqueWorkspacesCount: 5,
-		UniqueUsersCount:      3,
+		UniqueWorkspacesDelta: 5,
+		UniqueUsersDelta:      3,
 		AllowedRequests:       100,
 		DeniedRequests:        10,
 	})
 	require.NoError(t, err)

-	// Second upsert (update).
+	// Second upsert (update). Set different delta vs cumulative to verify UPDATE uses cumulative.
 	newPeriod, err := db.UpsertBoundaryUsageStats(ctx, database.UpsertBoundaryUsageStatsParams{
 		ReplicaID:             replicaID,
-		UniqueWorkspacesCount: 8,
-		UniqueUsersCount:      5,
+		UniqueWorkspacesCount: 8, // cumulative, should be used
+		UniqueUsersCount:      5, // cumulative, should be used
 		AllowedRequests:       200,
 		DeniedRequests:        20,
 	})
 	require.NoError(t, err)
 	require.False(t, newPeriod, "should return false for update")

-	// Verify the update took effect.
+	// Verify UPDATE used cumulative values.
 	summary, err := db.GetBoundaryUsageSummary(ctx, 60000)
 	require.NoError(t, err)
 	require.Equal(t, int64(8), summary.UniqueWorkspaces)
 	require.Equal(t, int64(5), summary.UniqueUsers)
-	require.Equal(t, int64(200), summary.AllowedRequests)
-	require.Equal(t, int64(20), summary.DeniedRequests)
+	require.Equal(t, int64(100+200), summary.AllowedRequests)
+	require.Equal(t, int64(10+20), summary.DeniedRequests)
 }

 func TestGetBoundaryUsageSummary_MultipleReplicas(t *testing.T) {
@@ -315,11 +319,11 @@ func TestGetBoundaryUsageSummary_MultipleReplicas(t *testing.T) {
 	replica2 := uuid.New()
 	replica3 := uuid.New()

-	// Insert stats for 3 replicas.
+	// Insert stats for 3 replicas. Delta fields are used for INSERT.
 	_, err := db.UpsertBoundaryUsageStats(ctx, database.UpsertBoundaryUsageStatsParams{
 		ReplicaID:             replica1,
-		UniqueWorkspacesCount: 10,
-		UniqueUsersCount:      5,
+		UniqueWorkspacesDelta: 10,
+		UniqueUsersDelta:      5,
 		AllowedRequests:       100,
 		DeniedRequests:        10,
 	})
@@ -327,8 +331,8 @@ func TestGetBoundaryUsageSummary_MultipleReplicas(t *testing.T) {

 	_, err = db.UpsertBoundaryUsageStats(ctx, database.UpsertBoundaryUsageStatsParams{
 		ReplicaID:             replica2,
-		UniqueWorkspacesCount: 15,
-		UniqueUsersCount:      8,
+		UniqueWorkspacesDelta: 15,
+		UniqueUsersDelta:      8,
 		AllowedRequests:       150,
 		DeniedRequests:        15,
 	})
@@ -336,8 +340,8 @@ func TestGetBoundaryUsageSummary_MultipleReplicas(t *testing.T) {

 	_, err = db.UpsertBoundaryUsageStats(ctx, database.UpsertBoundaryUsageStatsParams{
 		ReplicaID:             replica3,
-		UniqueWorkspacesCount: 20,
-		UniqueUsersCount:      12,
+		UniqueWorkspacesDelta: 20,
+		UniqueUsersDelta:      12,
 		AllowedRequests:       200,
 		DeniedRequests:        20,
 	})
@@ -375,12 +379,12 @@ func TestResetBoundaryUsageStats(t *testing.T) {
 	db, _ := dbtestutil.NewDB(t)
 	ctx := dbauthz.AsBoundaryUsageTracker(context.Background())

-	// Insert stats for multiple replicas.
+	// Insert stats for multiple replicas. Delta fields are used for INSERT.
 	for i := 0; i < 5; i++ {
 		_, err := db.UpsertBoundaryUsageStats(ctx, database.UpsertBoundaryUsageStatsParams{
 			ReplicaID:             uuid.New(),
-			UniqueWorkspacesCount: int64(i + 1),
-			UniqueUsersCount:      int64(i + 1),
+			UniqueWorkspacesDelta: int64(i + 1),
+			UniqueUsersDelta:      int64(i + 1),
 			AllowedRequests:       int64((i + 1) * 10),
 			DeniedRequests:        int64(i + 1),
 		})
@@ -412,11 +416,11 @@ func TestDeleteBoundaryUsageStatsByReplicaID(t *testing.T) {
 	replica1 := uuid.New()
 	replica2 := uuid.New()

-	// Insert stats for 2 replicas.
+	// Insert stats for 2 replicas. Delta fields are used for INSERT.
 	_, err := db.UpsertBoundaryUsageStats(ctx, database.UpsertBoundaryUsageStatsParams{
 		ReplicaID:             replica1,
-		UniqueWorkspacesCount: 10,
-		UniqueUsersCount:      5,
+		UniqueWorkspacesDelta: 10,
+		UniqueUsersDelta:      5,
 		AllowedRequests:       100,
 		DeniedRequests:        10,
 	})
@@ -424,8 +428,8 @@ func TestDeleteBoundaryUsageStatsByReplicaID(t *testing.T) {

 	_, err = db.UpsertBoundaryUsageStats(ctx, database.UpsertBoundaryUsageStatsParams{
 		ReplicaID:             replica2,
-		UniqueWorkspacesCount: 20,
-		UniqueUsersCount:      10,
+		UniqueWorkspacesDelta: 20,
+		UniqueUsersDelta:      10,
 		AllowedRequests:       200,
 		DeniedRequests:        20,
 	})
@@ -497,6 +501,49 @@ func TestTracker_TelemetryCycle(t *testing.T) {
 	require.Equal(t, int64(1), summary.AllowedRequests)
 }

+func TestTracker_FlushToDB_NoStaleDataAfterReset(t *testing.T) {
+	t.Parallel()
+
+	db, _ := dbtestutil.NewDB(t)
+	ctx := testutil.Context(t, testutil.WaitShort)
+	boundaryCtx := dbauthz.AsBoundaryUsageTracker(ctx)
+
+	tracker := boundaryusage.NewTracker()
+	replicaID := uuid.New()
+	workspaceID := uuid.New()
+	ownerID := uuid.New()
+
+	// Track some data, flush, and verify.
+	tracker.Track(workspaceID, ownerID, 10, 5)
+	err := tracker.FlushToDB(ctx, db, replicaID)
+	require.NoError(t, err)
+
+	summary, err := db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	require.NoError(t, err)
+	require.Equal(t, int64(1), summary.UniqueWorkspaces)
+	require.Equal(t, int64(10), summary.AllowedRequests)
+
+	// Simulate telemetry reset (new period).
+	err = db.ResetBoundaryUsageStats(boundaryCtx)
+	require.NoError(t, err)
+	summary, err = db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	require.NoError(t, err)
+	require.Equal(t, int64(0), summary.AllowedRequests)
+
+	// Flush again without any new Track() calls. This should not write stale
+	// data back to the DB.
+	err = tracker.FlushToDB(ctx, db, replicaID)
+	require.NoError(t, err)
+
+	// Summary should be empty (no stale data written).
+	summary, err = db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	require.NoError(t, err)
+	require.Equal(t, int64(0), summary.UniqueWorkspaces)
+	require.Equal(t, int64(0), summary.UniqueUsers)
+	require.Equal(t, int64(0), summary.AllowedRequests)
+	require.Equal(t, int64(0), summary.DeniedRequests)
+}
+
 func TestTracker_ConcurrentFlushAndTrack(t *testing.T) {
 	t.Parallel()

@@ -540,3 +587,57 @@ func TestTracker_ConcurrentFlushAndTrack(t *testing.T) {
 	require.GreaterOrEqual(t, summary.AllowedRequests, int64(0))
 	require.GreaterOrEqual(t, summary.DeniedRequests, int64(0))
 }
+
+// trackDuringUpsertDB wraps a database.Store to call Track() during the
+// UpsertBoundaryUsageStats operation, simulating a concurrent Track() call.
+type trackDuringUpsertDB struct {
+	database.Store
+	tracker     *boundaryusage.Tracker
+	workspaceID uuid.UUID
+	userID      uuid.UUID
+}
+
+func (s *trackDuringUpsertDB) UpsertBoundaryUsageStats(ctx context.Context, arg database.UpsertBoundaryUsageStatsParams) (bool, error) {
+	s.tracker.Track(s.workspaceID, s.userID, 20, 10)
+	return s.Store.UpsertBoundaryUsageStats(ctx, arg)
+}
+
+func TestTracker_TrackDuringFlush(t *testing.T) {
+	t.Parallel()
+
+	db, _ := dbtestutil.NewDB(t)
+	ctx := testutil.Context(t, testutil.WaitShort)
+	boundaryCtx := dbauthz.AsBoundaryUsageTracker(ctx)
+
+	tracker := boundaryusage.NewTracker()
+	replicaID := uuid.New()
+
+	// Track some initial data.
+	tracker.Track(uuid.New(), uuid.New(), 10, 5)
+
+	trackingDB := &trackDuringUpsertDB{
+		Store:       db,
+		tracker:     tracker,
+		workspaceID: uuid.New(),
+		userID:      uuid.New(),
+	}
+
+	// Flush will call Track() during the DB operation.
+	err := tracker.FlushToDB(ctx, trackingDB, replicaID)
+	require.NoError(t, err)
+
+	// Verify first flush only wrote the initial data.
+	summary, err := db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	require.NoError(t, err)
+	require.Equal(t, int64(10), summary.AllowedRequests)
+
+	// The second flush should include the Track() call that happened during the
+	// first flush's DB operation.
+	err = tracker.FlushToDB(ctx, db, replicaID)
+	require.NoError(t, err)
+
+	summary, err = db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	require.NoError(t, err)
+	require.Equal(t, int64(10+20), summary.AllowedRequests)
+	require.Equal(t, int64(5+10), summary.DeniedRequests)
+}
@@ -384,9 +384,9 @@ func TestCSRFExempt(t *testing.T) {
 		data, _ := io.ReadAll(resp.Body)
 		_ = resp.Body.Close()

-		// A StatusBadGateway means Coderd tried to proxy to the agent and failed because the agent
+		// A StatusNotFound means Coderd tried to proxy to the agent and failed because the agent
 		// was not there. This means CSRF did not block the app request, which is what we want.
-		require.Equal(t, http.StatusBadGateway, resp.StatusCode, "status code 500 is CSRF failure")
+		require.Equal(t, http.StatusNotFound, resp.StatusCode, "status code 500 is CSRF failure")
 		require.NotContains(t, string(data), "CSRF")
 	})
 }
@@ -106,6 +106,8 @@ import (
 	"github.com/coder/quartz"
 )

+const DefaultDERPMeshKey = "test-key"
+
 const defaultTestDaemonName = "test-daemon"

 type Options struct {
@@ -510,8 +512,18 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 		stunAddresses = options.DeploymentValues.DERP.Server.STUNAddresses.Value()
 	}

-	derpServer := derp.NewServer(key.NewNode(), tailnet.Logger(options.Logger.Named("derp").Leveled(slog.LevelDebug)))
-	derpServer.SetMeshKey("test-key")
+	const derpMeshKey = "test-key"
+	// Technically AGPL coderd servers don't set this value, but it doesn't
+	// change any behavior. It's useful for enterprise tests.
+	err = options.Database.InsertDERPMeshKey(dbauthz.AsSystemRestricted(ctx), derpMeshKey) //nolint:gocritic // test
+	if !database.IsUniqueViolation(err, database.UniqueSiteConfigsKeyKey) {
+		require.NoError(t, err, "insert DERP mesh key")
+	}
+	var derpServer *derp.Server
+	if options.DeploymentValues.DERP.Server.Enable.Value() {
+		derpServer = derp.NewServer(key.NewNode(), tailnet.Logger(options.Logger.Named("derp").Leveled(slog.LevelDebug)))
+		derpServer.SetMeshKey(derpMeshKey)
+	}

 	// match default with cli default
 	if options.SSHKeygenAlgorithm == "" {
@@ -608,6 +608,7 @@ func (q *sqlQuerier) CountAuthorizedAuditLogs(ctx context.Context, arg CountAudi
 		arg.DateTo,
 		arg.BuildReason,
 		arg.RequestID,
+		arg.CountCap,
 	)
 	if err != nil {
 		return 0, err
@@ -744,6 +745,7 @@ func (q *sqlQuerier) CountAuthorizedConnectionLogs(ctx context.Context, arg Coun
 		arg.WorkspaceID,
 		arg.ConnectionID,
 		arg.Status,
+		arg.CountCap,
 	)
 	if err != nil {
 		return 0, err
@@ -145,5 +145,13 @@ func extractWhereClause(query string) string {
 	// Remove SQL comments
 	whereClause = regexp.MustCompile(`(?m)--.*$`).ReplaceAllString(whereClause, "")

+	// Normalize indentation so subquery wrapping doesn't cause
+	// mismatches.
+	lines := strings.Split(whereClause, "\n")
+	for i, line := range lines {
+		lines[i] = strings.TrimLeft(line, " \t")
+	}
+	whereClause = strings.Join(lines, "\n")
+
 	return strings.TrimSpace(whereClause)
 }
@@ -762,9 +762,10 @@ type sqlcQuerier interface {
 	UpsertAnnouncementBanners(ctx context.Context, value string) error
 	UpsertAppSecurityKey(ctx context.Context, value string) error
 	UpsertApplicationName(ctx context.Context, value string) error
-	// Upserts boundary usage statistics for a replica. All values are replaced with
-	// the current in-memory state. Returns true if this was an insert (new period),
-	// false if update.
+	// Upserts boundary usage statistics for a replica. On INSERT (new period), uses
+	// delta values for unique counts (only data since last flush). On UPDATE, uses
+	// cumulative values for unique counts (accurate period totals). Request counts
+	// are always deltas, accumulated in DB. Returns true if insert, false if update.
 	UpsertBoundaryUsageStats(ctx context.Context, arg UpsertBoundaryUsageStatsParams) (bool, error)
 	UpsertConnectionLog(ctx context.Context, arg UpsertConnectionLogParams) (ConnectionLog, error)
 	UpsertCoordinatorResumeTokenSigningKey(ctx context.Context, value string) error
@@ -6271,6 +6271,56 @@ func TestGetWorkspaceAgentsByParentID(t *testing.T) {
 	})
 }

+func TestGetWorkspaceAgentByInstanceID(t *testing.T) {
+	t.Parallel()
+
+	// Context: https://github.com/coder/coder/pull/22196
+	t.Run("DoesNotReturnSubAgents", func(t *testing.T) {
+		t.Parallel()
+
+		// Given: A parent workspace agent with an AuthInstanceID and a
+		// sub-agent that shares the same AuthInstanceID.
+		db, _ := dbtestutil.NewDB(t)
+		org := dbgen.Organization(t, db, database.Organization{})
+		job := dbgen.ProvisionerJob(t, db, nil, database.ProvisionerJob{
+			Type:           database.ProvisionerJobTypeTemplateVersionImport,
+			OrganizationID: org.ID,
+		})
+		resource := dbgen.WorkspaceResource(t, db, database.WorkspaceResource{
+			JobID: job.ID,
+		})
+
+		authInstanceID := fmt.Sprintf("instance-%s-%d", t.Name(), time.Now().UnixNano())
+		parentAgent := dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{
+			ResourceID: resource.ID,
+			AuthInstanceID: sql.NullString{
+				String: authInstanceID,
+				Valid:  true,
+			},
+		})
+		// Create a sub-agent with the same AuthInstanceID (simulating
+		// the old behavior before the fix).
+		_ = dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{
+			ParentID:   uuid.NullUUID{UUID: parentAgent.ID, Valid: true},
+			ResourceID: resource.ID,
+			AuthInstanceID: sql.NullString{
+				String: authInstanceID,
+				Valid:  true,
+			},
+		})
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		// When: We look up the agent by instance ID.
+		agent, err := db.GetWorkspaceAgentByInstanceID(ctx, authInstanceID)
+		require.NoError(t, err)
+
+		// Then: The result must be the parent agent, not the sub-agent.
+		assert.Equal(t, parentAgent.ID, agent.ID, "instance ID lookup should return the parent agent, not a sub-agent")
+		assert.False(t, agent.ParentID.Valid, "returned agent should not have a parent (should be the parent itself)")
+	})
+}
+
 func requireUsersMatch(t testing.TB, expected []database.User, found []database.GetUsersRow, msg string) {
 	t.Helper()
 	require.ElementsMatch(t, expected, database.ConvertUserRows(found), msg)
@@ -1484,93 +1484,105 @@ func (q *sqlQuerier) UpdateAPIKeyByID(ctx context.Context, arg UpdateAPIKeyByIDP
 }

 const countAuditLogs = `-- name: CountAuditLogs :one
-SELECT COUNT(*)
-FROM audit_logs
-	LEFT JOIN users ON audit_logs.user_id = users.id
-	LEFT JOIN organizations ON audit_logs.organization_id = organizations.id
-	-- First join on workspaces to get the initial workspace create
-	-- to workspace build 1 id. This is because the first create is
-	-- is a different audit log than subsequent starts.
-	LEFT JOIN workspaces ON audit_logs.resource_type = 'workspace'
-	AND audit_logs.resource_id = workspaces.id
-	-- Get the reason from the build if the resource type
-	-- is a workspace_build
-	LEFT JOIN workspace_builds wb_build ON audit_logs.resource_type = 'workspace_build'
-	AND audit_logs.resource_id = wb_build.id
-	-- Get the reason from the build #1 if this is the first
-	-- workspace create.
-	LEFT JOIN workspace_builds wb_workspace ON audit_logs.resource_type = 'workspace'
-	AND audit_logs.action = 'create'
-	AND workspaces.id = wb_workspace.workspace_id
-	AND wb_workspace.build_number = 1
-WHERE
-	-- Filter resource_type
-	CASE
-		WHEN $1::text != '' THEN resource_type = $1::resource_type
-		ELSE true
-	END
-	-- Filter resource_id
-	AND CASE
-		WHEN $2::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN resource_id = $2
-		ELSE true
-	END
-	-- Filter organization_id
-	AND CASE
-		WHEN $3::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN audit_logs.organization_id = $3
-		ELSE true
-	END
-	-- Filter by resource_target
-	AND CASE
-		WHEN $4::text != '' THEN resource_target = $4
-		ELSE true
-	END
-	-- Filter action
-	AND CASE
-		WHEN $5::text != '' THEN action = $5::audit_action
-		ELSE true
-	END
-	-- Filter by user_id
-	AND CASE
-		WHEN $6::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN user_id = $6
-		ELSE true
-	END
-	-- Filter by username
-	AND CASE
-		WHEN $7::text != '' THEN user_id = (
-			SELECT id
-			FROM users
-			WHERE lower(username) = lower($7)
-				AND deleted = false
-		)
-		ELSE true
-	END
-	-- Filter by user_email
-	AND CASE
-		WHEN $8::text != '' THEN users.email = $8
-		ELSE true
-	END
-	-- Filter by date_from
-	AND CASE
-		WHEN $9::timestamp with time zone != '0001-01-01 00:00:00Z' THEN "time" >= $9
-		ELSE true
-	END
-	-- Filter by date_to
-	AND CASE
-		WHEN $10::timestamp with time zone != '0001-01-01 00:00:00Z' THEN "time" <= $10
-		ELSE true
-	END
-	-- Filter by build_reason
-	AND CASE
-		WHEN $11::text != '' THEN COALESCE(wb_build.reason::text, wb_workspace.reason::text) = $11
-		ELSE true
-	END
-	-- Filter request_id
-	AND CASE
-		WHEN $12::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN audit_logs.request_id = $12
-		ELSE true
-	END
-	-- Authorize Filter clause will be injected below in CountAuthorizedAuditLogs
-	-- @authorize_filter
+SELECT COUNT(*) FROM (
+	SELECT 1
+	FROM audit_logs
+		LEFT JOIN users ON audit_logs.user_id = users.id
+		LEFT JOIN organizations ON audit_logs.organization_id = organizations.id
+		-- First join on workspaces to get the initial workspace create
+		-- to workspace build 1 id. This is because the first create is
+		-- is a different audit log than subsequent starts.
+		LEFT JOIN workspaces ON audit_logs.resource_type = 'workspace'
+		AND audit_logs.resource_id = workspaces.id
+		-- Get the reason from the build if the resource type
+		-- is a workspace_build
+		LEFT JOIN workspace_builds wb_build ON audit_logs.resource_type = 'workspace_build'
+		AND audit_logs.resource_id = wb_build.id
+		-- Get the reason from the build #1 if this is the first
+		-- workspace create.
+		LEFT JOIN workspace_builds wb_workspace ON audit_logs.resource_type = 'workspace'
+		AND audit_logs.action = 'create'
+		AND workspaces.id = wb_workspace.workspace_id
+		AND wb_workspace.build_number = 1
+	WHERE
+		-- Filter resource_type
+		CASE
+			WHEN $1::text != '' THEN resource_type = $1::resource_type
+			ELSE true
+		END
+		-- Filter resource_id
+		AND CASE
+			WHEN $2::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN resource_id = $2
+			ELSE true
+		END
+		-- Filter organization_id
+		AND CASE
+			WHEN $3::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN audit_logs.organization_id = $3
+			ELSE true
+		END
+		-- Filter by resource_target
+		AND CASE
+			WHEN $4::text != '' THEN resource_target = $4
+			ELSE true
+		END
+		-- Filter action
+		AND CASE
+			WHEN $5::text != '' THEN action = $5::audit_action
+			ELSE true
+		END
+		-- Filter by user_id
+		AND CASE
+			WHEN $6::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN user_id = $6
+			ELSE true
+		END
+		-- Filter by username
+		AND CASE
+			WHEN $7::text != '' THEN user_id = (
+				SELECT id
+				FROM users
+				WHERE lower(username) = lower($7)
+					AND deleted = false
+			)
+			ELSE true
+		END
+		-- Filter by user_email
+		AND CASE
+			WHEN $8::text != '' THEN users.email = $8
+			ELSE true
+		END
+		-- Filter by date_from
+		AND CASE
+			WHEN $9::timestamp with time zone != '0001-01-01 00:00:00Z' THEN "time" >= $9
+			ELSE true
+		END
+		-- Filter by date_to
+		AND CASE
+			WHEN $10::timestamp with time zone != '0001-01-01 00:00:00Z' THEN "time" <= $10
+			ELSE true
+		END
+		-- Filter by build_reason
+		AND CASE
+			WHEN $11::text != '' THEN COALESCE(wb_build.reason::text, wb_workspace.reason::text) = $11
+			ELSE true
+		END
+		-- Filter request_id
+		AND CASE
+			WHEN $12::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN audit_logs.request_id = $12
+			ELSE true
+		END
+		-- Authorize Filter clause will be injected below in CountAuthorizedAuditLogs
+		-- @authorize_filter
+	-- Avoid a slow scan on a large table with joins. The caller
+	-- passes the count cap and we add 1 so the frontend can detect
+	-- capping and show "... of N+". A cap of 0 means no limit (NULLIF
+	-- -> NULL + 1 = NULL).
+	-- NOTE: Parameterizing this so that we can easily change from,
+	-- e.g., 2000 to 5000. However, use literal NULL (or no LIMIT)
+	-- here if disabling the capping on a large table permanently.
+	-- This way the PG planner can plan parallel execution for
+	-- potential large wins.
+	LIMIT NULLIF($13::int, 0) + 1
+) AS limited_count
 `

 type CountAuditLogsParams struct {
@@ -1586,6 +1598,7 @@ type CountAuditLogsParams struct {
 	DateTo         time.Time `db:"date_to" json:"date_to"`
 	BuildReason    string    `db:"build_reason" json:"build_reason"`
 	RequestID      uuid.UUID `db:"request_id" json:"request_id"`
+	CountCap       int32     `db:"count_cap" json:"count_cap"`
 }

 func (q *sqlQuerier) CountAuditLogs(ctx context.Context, arg CountAuditLogsParams) (int64, error) {
@@ -1602,6 +1615,7 @@ func (q *sqlQuerier) CountAuditLogs(ctx context.Context, arg CountAuditLogsParam
 		arg.DateTo,
 		arg.BuildReason,
 		arg.RequestID,
+		arg.CountCap,
 	)
 	var count int64
 	err := row.Scan(&count)
@@ -2051,32 +2065,37 @@ INSERT INTO boundary_usage_stats (
    NOW(),
    NOW()
 ) ON CONFLICT (replica_id) DO UPDATE SET
-    unique_workspaces_count = EXCLUDED.unique_workspaces_count,
-    unique_users_count = EXCLUDED.unique_users_count,
-    allowed_requests = EXCLUDED.allowed_requests,
-    denied_requests = EXCLUDED.denied_requests,
+    unique_workspaces_count = $6,
+    unique_users_count = $7,
+    allowed_requests = boundary_usage_stats.allowed_requests + EXCLUDED.allowed_requests,
+    denied_requests = boundary_usage_stats.denied_requests + EXCLUDED.denied_requests,
    updated_at = NOW()
 RETURNING (xmax = 0) AS new_period
 `

 type UpsertBoundaryUsageStatsParams struct {
 	ReplicaID             uuid.UUID `db:"replica_id" json:"replica_id"`
-	UniqueWorkspacesCount int64     `db:"unique_workspaces_count" json:"unique_workspaces_count"`
-	UniqueUsersCount      int64     `db:"unique_users_count" json:"unique_users_count"`
+	UniqueWorkspacesDelta int64     `db:"unique_workspaces_delta" json:"unique_workspaces_delta"`
+	UniqueUsersDelta      int64     `db:"unique_users_delta" json:"unique_users_delta"`
 	AllowedRequests       int64     `db:"allowed_requests" json:"allowed_requests"`
 	DeniedRequests        int64     `db:"denied_requests" json:"denied_requests"`
+	UniqueWorkspacesCount int64     `db:"unique_workspaces_count" json:"unique_workspaces_count"`
+	UniqueUsersCount      int64     `db:"unique_users_count" json:"unique_users_count"`
 }

-// Upserts boundary usage statistics for a replica. All values are replaced with
-// the current in-memory state. Returns true if this was an insert (new period),
-// false if update.
+// Upserts boundary usage statistics for a replica. On INSERT (new period), uses
+// delta values for unique counts (only data since last flush). On UPDATE, uses
+// cumulative values for unique counts (accurate period totals). Request counts
+// are always deltas, accumulated in DB. Returns true if insert, false if update.
 func (q *sqlQuerier) UpsertBoundaryUsageStats(ctx context.Context, arg UpsertBoundaryUsageStatsParams) (bool, error) {
 	row := q.db.QueryRowContext(ctx, upsertBoundaryUsageStats,
 		arg.ReplicaID,
-		arg.UniqueWorkspacesCount,
-		arg.UniqueUsersCount,
+		arg.UniqueWorkspacesDelta,
+		arg.UniqueUsersDelta,
 		arg.AllowedRequests,
 		arg.DeniedRequests,
+		arg.UniqueWorkspacesCount,
+		arg.UniqueUsersCount,
 	)
 	var new_period bool
 	err := row.Scan(&new_period)
@@ -2084,110 +2103,113 @@ func (q *sqlQuerier) UpsertBoundaryUsageStats(ctx context.Context, arg UpsertBou
 }

 const countConnectionLogs = `-- name: CountConnectionLogs :one
-SELECT
-	COUNT(*) AS count
-FROM
-	connection_logs
-JOIN users AS workspace_owner ON
-	connection_logs.workspace_owner_id = workspace_owner.id
-LEFT JOIN users ON
-	connection_logs.user_id = users.id
-JOIN organizations ON
-	connection_logs.organization_id = organizations.id
-WHERE
-	-- Filter organization_id
-	CASE
-		WHEN $1 :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
-			connection_logs.organization_id = $1
-		ELSE true
-	END
-	-- Filter by workspace owner username
-	AND CASE
-		WHEN $2 :: text != '' THEN
-			workspace_owner_id = (
-				SELECT id FROM users
-				WHERE lower(username) = lower($2) AND deleted = false
-			)
-		ELSE true
-	END
-	-- Filter by workspace_owner_id
-	AND CASE
-		WHEN $3 :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
-			workspace_owner_id = $3
-		ELSE true
-	END
-	-- Filter by workspace_owner_email
-	AND CASE
-		WHEN $4 :: text != '' THEN
-			workspace_owner_id = (
-				SELECT id FROM users
-				WHERE email = $4 AND deleted = false
-			)
-		ELSE true
-	END
-	-- Filter by type
-	AND CASE
-		WHEN $5 :: text != '' THEN
-			type = $5 :: connection_type
-		ELSE true
-	END
-	-- Filter by user_id
-	AND CASE
-		WHEN $6 :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
-			user_id = $6
-		ELSE true
-	END
-	-- Filter by username
-	AND CASE
-		WHEN $7 :: text != '' THEN
-			user_id = (
-				SELECT id FROM users
-				WHERE lower(username) = lower($7) AND deleted = false
-			)
-		ELSE true
-	END
-	-- Filter by user_email
-	AND CASE
-		WHEN $8 :: text != '' THEN
-			users.email = $8
-		ELSE true
-	END
-	-- Filter by connected_after
-	AND CASE
-		WHEN $9 :: timestamp with time zone != '0001-01-01 00:00:00Z' THEN
-			connect_time >= $9
-		ELSE true
-	END
-	-- Filter by connected_before
-	AND CASE
-		WHEN $10 :: timestamp with time zone != '0001-01-01 00:00:00Z' THEN
-			connect_time <= $10
-		ELSE true
-	END
-	-- Filter by workspace_id
-	AND CASE
-		WHEN $11 :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
-			connection_logs.workspace_id = $11
-		ELSE true
-	END
-	-- Filter by connection_id
-	AND CASE
-		WHEN $12 :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
-			connection_logs.connection_id = $12
-		ELSE true
-	END
-	-- Filter by whether the session has a disconnect_time
-	AND CASE
-		WHEN $13 :: text != '' THEN
-			(($13 = 'ongoing' AND disconnect_time IS NULL) OR
-			($13 = 'completed' AND disconnect_time IS NOT NULL)) AND
-			-- Exclude web events, since we don't know their close time.
-			"type" NOT IN ('workspace_app', 'port_forwarding')
-		ELSE true
-	END
-	-- Authorize Filter clause will be injected below in
-	-- CountAuthorizedConnectionLogs
-	-- @authorize_filter
+SELECT COUNT(*) AS count FROM (
+	SELECT 1
+	FROM
+		connection_logs
+	JOIN users AS workspace_owner ON
+		connection_logs.workspace_owner_id = workspace_owner.id
+	LEFT JOIN users ON
+		connection_logs.user_id = users.id
+	JOIN organizations ON
+		connection_logs.organization_id = organizations.id
+	WHERE
+		-- Filter organization_id
+		CASE
+			WHEN $1 :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
+				connection_logs.organization_id = $1
+			ELSE true
+		END
+		-- Filter by workspace owner username
+		AND CASE
+			WHEN $2 :: text != '' THEN
+				workspace_owner_id = (
+					SELECT id FROM users
+					WHERE lower(username) = lower($2) AND deleted = false
+				)
+			ELSE true
+		END
+		-- Filter by workspace_owner_id
+		AND CASE
+			WHEN $3 :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
+				workspace_owner_id = $3
+			ELSE true
+		END
+		-- Filter by workspace_owner_email
+		AND CASE
+			WHEN $4 :: text != '' THEN
+				workspace_owner_id = (
+					SELECT id FROM users
+					WHERE email = $4 AND deleted = false
+				)
+			ELSE true
+		END
+		-- Filter by type
+		AND CASE
+			WHEN $5 :: text != '' THEN
+				type = $5 :: connection_type
+			ELSE true
+		END
+		-- Filter by user_id
+		AND CASE
+			WHEN $6 :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
+				user_id = $6
+			ELSE true
+		END
+		-- Filter by username
+		AND CASE
+			WHEN $7 :: text != '' THEN
+				user_id = (
+					SELECT id FROM users
+					WHERE lower(username) = lower($7) AND deleted = false
+				)
+			ELSE true
+		END
+		-- Filter by user_email
+		AND CASE
+			WHEN $8 :: text != '' THEN
+				users.email = $8
+			ELSE true
+		END
+		-- Filter by connected_after
+		AND CASE
+			WHEN $9 :: timestamp with time zone != '0001-01-01 00:00:00Z' THEN
+				connect_time >= $9
+			ELSE true
+		END
+		-- Filter by connected_before
+		AND CASE
+			WHEN $10 :: timestamp with time zone != '0001-01-01 00:00:00Z' THEN
+				connect_time <= $10
+			ELSE true
+		END
+		-- Filter by workspace_id
+		AND CASE
+			WHEN $11 :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
+				connection_logs.workspace_id = $11
+			ELSE true
+		END
+		-- Filter by connection_id
+		AND CASE
+			WHEN $12 :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
+				connection_logs.connection_id = $12
+			ELSE true
+		END
+		-- Filter by whether the session has a disconnect_time
+		AND CASE
+			WHEN $13 :: text != '' THEN
+				(($13 = 'ongoing' AND disconnect_time IS NULL) OR
+				($13 = 'completed' AND disconnect_time IS NOT NULL)) AND
+				-- Exclude web events, since we don't know their close time.
+				"type" NOT IN ('workspace_app', 'port_forwarding')
+			ELSE true
+		END
+		-- Authorize Filter clause will be injected below in
+		-- CountAuthorizedConnectionLogs
+		-- @authorize_filter
+	-- NOTE: See the CountAuditLogs LIMIT note.
+	LIMIT NULLIF($14::int, 0) + 1
+) AS limited_count
 `

 type CountConnectionLogsParams struct {
@@ -2204,6 +2226,7 @@ type CountConnectionLogsParams struct {
 	WorkspaceID         uuid.UUID `db:"workspace_id" json:"workspace_id"`
 	ConnectionID        uuid.UUID `db:"connection_id" json:"connection_id"`
 	Status              string    `db:"status" json:"status"`
+	CountCap            int32     `db:"count_cap" json:"count_cap"`
 }

 func (q *sqlQuerier) CountConnectionLogs(ctx context.Context, arg CountConnectionLogsParams) (int64, error) {
@@ -2221,6 +2244,7 @@ func (q *sqlQuerier) CountConnectionLogs(ctx context.Context, arg CountConnectio
 		arg.WorkspaceID,
 		arg.ConnectionID,
 		arg.Status,
+		arg.CountCap,
 	)
 	var count int64
 	err := row.Scan(&count)
@@ -18221,6 +18245,8 @@ WHERE
 	auth_instance_id = $1 :: TEXT
 	-- Filter out deleted sub agents.
 	AND deleted = FALSE
+	-- Filter out sub agents, they do not authenticate with auth_instance_id.
+	AND parent_id IS NULL
 ORDER BY
 	created_at DESC
 `
@@ -149,94 +149,105 @@ VALUES (
 RETURNING *;

 -- name: CountAuditLogs :one
-SELECT COUNT(*)
-FROM audit_logs
-	LEFT JOIN users ON audit_logs.user_id = users.id
-	LEFT JOIN organizations ON audit_logs.organization_id = organizations.id
-	-- First join on workspaces to get the initial workspace create
-	-- to workspace build 1 id. This is because the first create is
-	-- is a different audit log than subsequent starts.
-	LEFT JOIN workspaces ON audit_logs.resource_type = 'workspace'
-	AND audit_logs.resource_id = workspaces.id
-	-- Get the reason from the build if the resource type
-	-- is a workspace_build
-	LEFT JOIN workspace_builds wb_build ON audit_logs.resource_type = 'workspace_build'
-	AND audit_logs.resource_id = wb_build.id
-	-- Get the reason from the build #1 if this is the first
-	-- workspace create.
-	LEFT JOIN workspace_builds wb_workspace ON audit_logs.resource_type = 'workspace'
-	AND audit_logs.action = 'create'
-	AND workspaces.id = wb_workspace.workspace_id
-	AND wb_workspace.build_number = 1
-WHERE
-	-- Filter resource_type
-	CASE
-		WHEN @resource_type::text != '' THEN resource_type = @resource_type::resource_type
-		ELSE true
-	END
-	-- Filter resource_id
-	AND CASE
-		WHEN @resource_id::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN resource_id = @resource_id
-		ELSE true
-	END
-	-- Filter organization_id
-	AND CASE
-		WHEN @organization_id::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN audit_logs.organization_id = @organization_id
-		ELSE true
-	END
-	-- Filter by resource_target
-	AND CASE
-		WHEN @resource_target::text != '' THEN resource_target = @resource_target
-		ELSE true
-	END
-	-- Filter action
-	AND CASE
-		WHEN @action::text != '' THEN action = @action::audit_action
-		ELSE true
-	END
-	-- Filter by user_id
-	AND CASE
-		WHEN @user_id::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN user_id = @user_id
-		ELSE true
-	END
-	-- Filter by username
-	AND CASE
-		WHEN @username::text != '' THEN user_id = (
-			SELECT id
-			FROM users
-			WHERE lower(username) = lower(@username)
-				AND deleted = false
-		)
-		ELSE true
-	END
-	-- Filter by user_email
-	AND CASE
-		WHEN @email::text != '' THEN users.email = @email
-		ELSE true
-	END
-	-- Filter by date_from
-	AND CASE
-		WHEN @date_from::timestamp with time zone != '0001-01-01 00:00:00Z' THEN "time" >= @date_from
-		ELSE true
-	END
-	-- Filter by date_to
-	AND CASE
-		WHEN @date_to::timestamp with time zone != '0001-01-01 00:00:00Z' THEN "time" <= @date_to
-		ELSE true
-	END
-	-- Filter by build_reason
-	AND CASE
-		WHEN @build_reason::text != '' THEN COALESCE(wb_build.reason::text, wb_workspace.reason::text) = @build_reason
-		ELSE true
-	END
-	-- Filter request_id
-	AND CASE
-		WHEN @request_id::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN audit_logs.request_id = @request_id
-		ELSE true
-	END
-	-- Authorize Filter clause will be injected below in CountAuthorizedAuditLogs
-	-- @authorize_filter
-;
+SELECT COUNT(*) FROM (
+	SELECT 1
+	FROM audit_logs
+		LEFT JOIN users ON audit_logs.user_id = users.id
+		LEFT JOIN organizations ON audit_logs.organization_id = organizations.id
+		-- First join on workspaces to get the initial workspace create
+		-- to workspace build 1 id. This is because the first create is
+		-- is a different audit log than subsequent starts.
+		LEFT JOIN workspaces ON audit_logs.resource_type = 'workspace'
+		AND audit_logs.resource_id = workspaces.id
+		-- Get the reason from the build if the resource type
+		-- is a workspace_build
+		LEFT JOIN workspace_builds wb_build ON audit_logs.resource_type = 'workspace_build'
+		AND audit_logs.resource_id = wb_build.id
+		-- Get the reason from the build #1 if this is the first
+		-- workspace create.
+		LEFT JOIN workspace_builds wb_workspace ON audit_logs.resource_type = 'workspace'
+		AND audit_logs.action = 'create'
+		AND workspaces.id = wb_workspace.workspace_id
+		AND wb_workspace.build_number = 1
+	WHERE
+		-- Filter resource_type
+		CASE
+			WHEN @resource_type::text != '' THEN resource_type = @resource_type::resource_type
+			ELSE true
+		END
+		-- Filter resource_id
+		AND CASE
+			WHEN @resource_id::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN resource_id = @resource_id
+			ELSE true
+		END
+		-- Filter organization_id
+		AND CASE
+			WHEN @organization_id::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN audit_logs.organization_id = @organization_id
+			ELSE true
+		END
+		-- Filter by resource_target
+		AND CASE
+			WHEN @resource_target::text != '' THEN resource_target = @resource_target
+			ELSE true
+		END
+		-- Filter action
+		AND CASE
+			WHEN @action::text != '' THEN action = @action::audit_action
+			ELSE true
+		END
+		-- Filter by user_id
+		AND CASE
+			WHEN @user_id::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN user_id = @user_id
+			ELSE true
+		END
+		-- Filter by username
+		AND CASE
+			WHEN @username::text != '' THEN user_id = (
+				SELECT id
+				FROM users
+				WHERE lower(username) = lower(@username)
+					AND deleted = false
+			)
+			ELSE true
+		END
+		-- Filter by user_email
+		AND CASE
+			WHEN @email::text != '' THEN users.email = @email
+			ELSE true
+		END
+		-- Filter by date_from
+		AND CASE
+			WHEN @date_from::timestamp with time zone != '0001-01-01 00:00:00Z' THEN "time" >= @date_from
+			ELSE true
+		END
+		-- Filter by date_to
+		AND CASE
+			WHEN @date_to::timestamp with time zone != '0001-01-01 00:00:00Z' THEN "time" <= @date_to
+			ELSE true
+		END
+		-- Filter by build_reason
+		AND CASE
+			WHEN @build_reason::text != '' THEN COALESCE(wb_build.reason::text, wb_workspace.reason::text) = @build_reason
+			ELSE true
+		END
+		-- Filter request_id
+		AND CASE
+			WHEN @request_id::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN audit_logs.request_id = @request_id
+			ELSE true
+		END
+		-- Authorize Filter clause will be injected below in CountAuthorizedAuditLogs
+		-- @authorize_filter
+	-- Avoid a slow scan on a large table with joins. The caller
+	-- passes the count cap and we add 1 so the frontend can detect
+	-- capping and show "... of N+". A cap of 0 means no limit (NULLIF
+	-- -> NULL + 1 = NULL).
+	-- NOTE: Parameterizing this so that we can easily change from,
+	-- e.g., 2000 to 5000. However, use literal NULL (or no LIMIT)
+	-- here if disabling the capping on a large table permanently.
+	-- This way the PG planner can plan parallel execution for
+	-- potential large wins.
+	LIMIT NULLIF(@count_cap::int, 0) + 1
+) AS limited_count;

 -- name: DeleteOldAuditLogConnectionEvents :exec
 DELETE FROM audit_logs
@@ -1,7 +1,8 @@
 -- name: UpsertBoundaryUsageStats :one
-- Upserts boundary usage statistics for a replica. All values are replaced with
-- the current in-memory state. Returns true if this was an insert (new period),
-- false if update.
+-- Upserts boundary usage statistics for a replica. On INSERT (new period), uses
+-- delta values for unique counts (only data since last flush). On UPDATE, uses
+-- cumulative values for unique counts (accurate period totals). Request counts
+-- are always deltas, accumulated in DB. Returns true if insert, false if update.
 INSERT INTO boundary_usage_stats (
    replica_id,
    unique_workspaces_count,
@@ -12,17 +13,17 @@ INSERT INTO boundary_usage_stats (
    updated_at
 ) VALUES (
    @replica_id,
-    @unique_workspaces_count,
-    @unique_users_count,
+    @unique_workspaces_delta,
+    @unique_users_delta,
    @allowed_requests,
    @denied_requests,
    NOW(),
    NOW()
 ) ON CONFLICT (replica_id) DO UPDATE SET
-    unique_workspaces_count = EXCLUDED.unique_workspaces_count,
-    unique_users_count = EXCLUDED.unique_users_count,
-    allowed_requests = EXCLUDED.allowed_requests,
-    denied_requests = EXCLUDED.denied_requests,
+    unique_workspaces_count = @unique_workspaces_count,
+    unique_users_count = @unique_users_count,
+    allowed_requests = boundary_usage_stats.allowed_requests + EXCLUDED.allowed_requests,
+    denied_requests = boundary_usage_stats.denied_requests + EXCLUDED.denied_requests,
    updated_at = NOW()
 RETURNING (xmax = 0) AS new_period;

@@ -133,111 +133,113 @@ OFFSET
 	@offset_opt;

 -- name: CountConnectionLogs :one
-SELECT
-	COUNT(*) AS count
-FROM
-	connection_logs
-JOIN users AS workspace_owner ON
-	connection_logs.workspace_owner_id = workspace_owner.id
-LEFT JOIN users ON
-	connection_logs.user_id = users.id
-JOIN organizations ON
-	connection_logs.organization_id = organizations.id
-WHERE
-	-- Filter organization_id
-	CASE
-		WHEN @organization_id :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
-			connection_logs.organization_id = @organization_id
-		ELSE true
-	END
-	-- Filter by workspace owner username
-	AND CASE
-		WHEN @workspace_owner :: text != '' THEN
-			workspace_owner_id = (
-				SELECT id FROM users
-				WHERE lower(username) = lower(@workspace_owner) AND deleted = false
-			)
-		ELSE true
-	END
-	-- Filter by workspace_owner_id
-	AND CASE
-		WHEN @workspace_owner_id :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
-			workspace_owner_id = @workspace_owner_id
-		ELSE true
-	END
-	-- Filter by workspace_owner_email
-	AND CASE
-		WHEN @workspace_owner_email :: text != '' THEN
-			workspace_owner_id = (
-				SELECT id FROM users
-				WHERE email = @workspace_owner_email AND deleted = false
-			)
-		ELSE true
-	END
-	-- Filter by type
-	AND CASE
-		WHEN @type :: text != '' THEN
-			type = @type :: connection_type
-		ELSE true
-	END
-	-- Filter by user_id
-	AND CASE
-		WHEN @user_id :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
-			user_id = @user_id
-		ELSE true
-	END
-	-- Filter by username
-	AND CASE
-		WHEN @username :: text != '' THEN
-			user_id = (
-				SELECT id FROM users
-				WHERE lower(username) = lower(@username) AND deleted = false
-			)
-		ELSE true
-	END
-	-- Filter by user_email
-	AND CASE
-		WHEN @user_email :: text != '' THEN
-			users.email = @user_email
-		ELSE true
-	END
-	-- Filter by connected_after
-	AND CASE
-		WHEN @connected_after :: timestamp with time zone != '0001-01-01 00:00:00Z' THEN
-			connect_time >= @connected_after
-		ELSE true
-	END
-	-- Filter by connected_before
-	AND CASE
-		WHEN @connected_before :: timestamp with time zone != '0001-01-01 00:00:00Z' THEN
-			connect_time <= @connected_before
-		ELSE true
-	END
-	-- Filter by workspace_id
-	AND CASE
-		WHEN @workspace_id :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
-			connection_logs.workspace_id = @workspace_id
-		ELSE true
-	END
-	-- Filter by connection_id
-	AND CASE
-		WHEN @connection_id :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
-			connection_logs.connection_id = @connection_id
-		ELSE true
-	END
-	-- Filter by whether the session has a disconnect_time
-	AND CASE
-		WHEN @status :: text != '' THEN
-			((@status = 'ongoing' AND disconnect_time IS NULL) OR
-			(@status = 'completed' AND disconnect_time IS NOT NULL)) AND
-			-- Exclude web events, since we don't know their close time.
-			"type" NOT IN ('workspace_app', 'port_forwarding')
-		ELSE true
-	END
-	-- Authorize Filter clause will be injected below in
-	-- CountAuthorizedConnectionLogs
-	-- @authorize_filter
-;
+SELECT COUNT(*) AS count FROM (
+	SELECT 1
+	FROM
+		connection_logs
+	JOIN users AS workspace_owner ON
+		connection_logs.workspace_owner_id = workspace_owner.id
+	LEFT JOIN users ON
+		connection_logs.user_id = users.id
+	JOIN organizations ON
+		connection_logs.organization_id = organizations.id
+	WHERE
+		-- Filter organization_id
+		CASE
+			WHEN @organization_id :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
+				connection_logs.organization_id = @organization_id
+			ELSE true
+		END
+		-- Filter by workspace owner username
+		AND CASE
+			WHEN @workspace_owner :: text != '' THEN
+				workspace_owner_id = (
+					SELECT id FROM users
+					WHERE lower(username) = lower(@workspace_owner) AND deleted = false
+				)
+			ELSE true
+		END
+		-- Filter by workspace_owner_id
+		AND CASE
+			WHEN @workspace_owner_id :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
+				workspace_owner_id = @workspace_owner_id
+			ELSE true
+		END
+		-- Filter by workspace_owner_email
+		AND CASE
+			WHEN @workspace_owner_email :: text != '' THEN
+				workspace_owner_id = (
+					SELECT id FROM users
+					WHERE email = @workspace_owner_email AND deleted = false
+				)
+			ELSE true
+		END
+		-- Filter by type
+		AND CASE
+			WHEN @type :: text != '' THEN
+				type = @type :: connection_type
+			ELSE true
+		END
+		-- Filter by user_id
+		AND CASE
+			WHEN @user_id :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
+				user_id = @user_id
+			ELSE true
+		END
+		-- Filter by username
+		AND CASE
+			WHEN @username :: text != '' THEN
+				user_id = (
+					SELECT id FROM users
+					WHERE lower(username) = lower(@username) AND deleted = false
+				)
+			ELSE true
+		END
+		-- Filter by user_email
+		AND CASE
+			WHEN @user_email :: text != '' THEN
+				users.email = @user_email
+			ELSE true
+		END
+		-- Filter by connected_after
+		AND CASE
+			WHEN @connected_after :: timestamp with time zone != '0001-01-01 00:00:00Z' THEN
+				connect_time >= @connected_after
+			ELSE true
+		END
+		-- Filter by connected_before
+		AND CASE
+			WHEN @connected_before :: timestamp with time zone != '0001-01-01 00:00:00Z' THEN
+				connect_time <= @connected_before
+			ELSE true
+		END
+		-- Filter by workspace_id
+		AND CASE
+			WHEN @workspace_id :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
+				connection_logs.workspace_id = @workspace_id
+			ELSE true
+		END
+		-- Filter by connection_id
+		AND CASE
+			WHEN @connection_id :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
+				connection_logs.connection_id = @connection_id
+			ELSE true
+		END
+		-- Filter by whether the session has a disconnect_time
+		AND CASE
+			WHEN @status :: text != '' THEN
+				((@status = 'ongoing' AND disconnect_time IS NULL) OR
+				(@status = 'completed' AND disconnect_time IS NOT NULL)) AND
+				-- Exclude web events, since we don't know their close time.
+				"type" NOT IN ('workspace_app', 'port_forwarding')
+			ELSE true
+		END
+		-- Authorize Filter clause will be injected below in
+		-- CountAuthorizedConnectionLogs
+		-- @authorize_filter
+	-- NOTE: See the CountAuditLogs LIMIT note.
+	LIMIT NULLIF(@count_cap::int, 0) + 1
+) AS limited_count;

 -- name: DeleteOldConnectionLogs :execrows
 WITH old_logs AS (
@@ -17,6 +17,8 @@ WHERE
 	auth_instance_id = @auth_instance_id :: TEXT
 	-- Filter out deleted sub agents.
 	AND deleted = FALSE
+	-- Filter out sub agents, they do not authenticate with auth_instance_id.
+	AND parent_id IS NULL
 ORDER BY
 	created_at DESC;

@@ -238,9 +238,18 @@ func (api *API) paginatedMembers(rw http.ResponseWriter, r *http.Request) {
 		memberRows = append(memberRows, row)
 	}

+	if len(paginatedMemberRows) == 0 {
+		httpapi.Write(ctx, rw, http.StatusOK, codersdk.PaginatedMembersResponse{
+			Members: []codersdk.OrganizationMemberWithUserData{},
+			Count:   0,
+		})
+		return
+	}
+
 	members, err := convertOrganizationMembersWithUserData(ctx, api.Database, memberRows)
 	if err != nil {
 		httpapi.InternalServerError(rw, err)
+		return
 	}

 	resp := codersdk.PaginatedMembersResponse{
@@ -65,6 +65,7 @@ type StateSnapshotter interface {
 type Claimer interface {
 	Claim(
 		ctx context.Context,
+		store database.Store,
 		now time.Time,
 		userID uuid.UUID,
 		name string,
@@ -34,7 +34,7 @@ var DefaultReconciler ReconciliationOrchestrator = NoopReconciler{}

 type NoopClaimer struct{}

-func (NoopClaimer) Claim(context.Context, time.Time, uuid.UUID, string, uuid.UUID, sql.NullString, sql.NullTime, sql.NullInt64) (*uuid.UUID, error) {
+func (NoopClaimer) Claim(context.Context, database.Store, time.Time, uuid.UUID, string, uuid.UUID, sql.NullString, sql.NullTime, sql.NullInt64) (*uuid.UUID, error) {
 	// Not entitled to claim prebuilds in AGPL version.
 	return nil, ErrAGPLDoesNotSupportPrebuiltWorkspaces
 }
@@ -19,9 +19,9 @@ import (
 )

 var (
-	templatesActiveUsersDesc     = prometheus.NewDesc("coderd_insights_templates_active_users", "The number of active users of the template.", []string{"template_name"}, nil)
-	applicationsUsageSecondsDesc = prometheus.NewDesc("coderd_insights_applications_usage_seconds", "The application usage per template.", []string{"template_name", "application_name", "slug"}, nil)
-	parametersDesc               = prometheus.NewDesc("coderd_insights_parameters", "The parameter usage per template.", []string{"template_name", "parameter_name", "parameter_type", "parameter_value"}, nil)
+	templatesActiveUsersDesc     = prometheus.NewDesc("coderd_insights_templates_active_users", "The number of active users of the template.", []string{"template_name", "organization_name"}, nil)
+	applicationsUsageSecondsDesc = prometheus.NewDesc("coderd_insights_applications_usage_seconds", "The application usage per template.", []string{"template_name", "application_name", "slug", "organization_name"}, nil)
+	parametersDesc               = prometheus.NewDesc("coderd_insights_parameters", "The parameter usage per template.", []string{"template_name", "parameter_name", "parameter_type", "parameter_value", "organization_name"}, nil)
 )

 type MetricsCollector struct {
@@ -38,7 +38,8 @@ type insightsData struct {
 	apps      []database.GetTemplateAppInsightsByTemplateRow
 	params    []parameterRow

-	templateNames map[uuid.UUID]string
+	templateNames     map[uuid.UUID]string
+	organizationNames map[uuid.UUID]string // template ID → org name
 }

 type parameterRow struct {
@@ -137,6 +138,7 @@ func (mc *MetricsCollector) Run(ctx context.Context) (func(), error) {
 		templateIDs := uniqueTemplateIDs(templateInsights, appInsights, paramInsights)

 		templateNames := make(map[uuid.UUID]string, len(templateIDs))
+		organizationNames := make(map[uuid.UUID]string, len(templateIDs))
 		if len(templateIDs) > 0 {
 			templates, err := mc.database.GetTemplatesWithFilter(ctx, database.GetTemplatesWithFilterParams{
 				IDs: templateIDs,
@@ -146,6 +148,31 @@ func (mc *MetricsCollector) Run(ctx context.Context) (func(), error) {
 				return
 			}
 			templateNames = onlyTemplateNames(templates)
+
+			// Build org name lookup so that metrics can
+			// distinguish templates with the same name across
+			// different organizations.
+			orgIDs := make([]uuid.UUID, 0, len(templates))
+			for _, t := range templates {
+				orgIDs = append(orgIDs, t.OrganizationID)
+			}
+			orgIDs = slice.Unique(orgIDs)
+
+			orgs, err := mc.database.GetOrganizations(ctx, database.GetOrganizationsParams{
+				IDs: orgIDs,
+			})
+			if err != nil {
+				mc.logger.Error(ctx, "unable to fetch organizations from database", slog.Error(err))
+				return
+			}
+			orgNameByID := make(map[uuid.UUID]string, len(orgs))
+			for _, o := range orgs {
+				orgNameByID[o.ID] = o.Name
+			}
+			organizationNames = make(map[uuid.UUID]string, len(templates))
+			for _, t := range templates {
+				organizationNames[t.ID] = orgNameByID[t.OrganizationID]
+			}
 		}

 		// Refresh the collector state
@@ -154,7 +181,8 @@ func (mc *MetricsCollector) Run(ctx context.Context) (func(), error) {
 			apps:      appInsights,
 			params:    paramInsights,

-			templateNames: templateNames,
+			templateNames:     templateNames,
+			organizationNames: organizationNames,
 		})
 	}

@@ -194,44 +222,46 @@ func (mc *MetricsCollector) Collect(metricsCh chan<- prometheus.Metric) {
 	// Custom apps
 	for _, appRow := range data.apps {
 		metricsCh <- prometheus.MustNewConstMetric(applicationsUsageSecondsDesc, prometheus.GaugeValue, float64(appRow.UsageSeconds), data.templateNames[appRow.TemplateID],
-			appRow.DisplayName, appRow.SlugOrPort)
+			appRow.DisplayName, appRow.SlugOrPort, data.organizationNames[appRow.TemplateID])
 	}

 	// Built-in apps
 	for _, templateRow := range data.templates {
+		orgName := data.organizationNames[templateRow.TemplateID]
+
 		metricsCh <- prometheus.MustNewConstMetric(applicationsUsageSecondsDesc, prometheus.GaugeValue,
 			float64(templateRow.UsageVscodeSeconds),
 			data.templateNames[templateRow.TemplateID],
 			codersdk.TemplateBuiltinAppDisplayNameVSCode,
-			"")
+			"", orgName)

 		metricsCh <- prometheus.MustNewConstMetric(applicationsUsageSecondsDesc, prometheus.GaugeValue,
 			float64(templateRow.UsageJetbrainsSeconds),
 			data.templateNames[templateRow.TemplateID],
 			codersdk.TemplateBuiltinAppDisplayNameJetBrains,
-			"")
+			"", orgName)

 		metricsCh <- prometheus.MustNewConstMetric(applicationsUsageSecondsDesc, prometheus.GaugeValue,
 			float64(templateRow.UsageReconnectingPtySeconds),
 			data.templateNames[templateRow.TemplateID],
 			codersdk.TemplateBuiltinAppDisplayNameWebTerminal,
-			"")
+			"", orgName)

 		metricsCh <- prometheus.MustNewConstMetric(applicationsUsageSecondsDesc, prometheus.GaugeValue,
 			float64(templateRow.UsageSshSeconds),
 			data.templateNames[templateRow.TemplateID],
 			codersdk.TemplateBuiltinAppDisplayNameSSH,
-			"")
+			"", orgName)
 	}

 	// Templates
 	for _, templateRow := range data.templates {
-		metricsCh <- prometheus.MustNewConstMetric(templatesActiveUsersDesc, prometheus.GaugeValue, float64(templateRow.ActiveUsers), data.templateNames[templateRow.TemplateID])
+		metricsCh <- prometheus.MustNewConstMetric(templatesActiveUsersDesc, prometheus.GaugeValue, float64(templateRow.ActiveUsers), data.templateNames[templateRow.TemplateID], data.organizationNames[templateRow.TemplateID])
 	}

 	// Parameters
 	for _, parameterRow := range data.params {
-		metricsCh <- prometheus.MustNewConstMetric(parametersDesc, prometheus.GaugeValue, float64(parameterRow.count), data.templateNames[parameterRow.templateID], parameterRow.name, parameterRow.aType, parameterRow.value)
+		metricsCh <- prometheus.MustNewConstMetric(parametersDesc, prometheus.GaugeValue, float64(parameterRow.count), data.templateNames[parameterRow.templateID], parameterRow.name, parameterRow.aType, parameterRow.value, data.organizationNames[parameterRow.templateID])
 	}
 }

@@ -1,13 +1,13 @@
 {
-  "coderd_insights_applications_usage_seconds[application_name=JetBrains,slug=,template_name=golden-template]": 60,
-  "coderd_insights_applications_usage_seconds[application_name=Visual Studio Code,slug=,template_name=golden-template]": 60,
-  "coderd_insights_applications_usage_seconds[application_name=Web Terminal,slug=,template_name=golden-template]": 0,
-  "coderd_insights_applications_usage_seconds[application_name=SSH,slug=,template_name=golden-template]": 60,
-  "coderd_insights_applications_usage_seconds[application_name=Golden Slug,slug=golden-slug,template_name=golden-template]": 180,
-  "coderd_insights_parameters[parameter_name=first_parameter,parameter_type=string,parameter_value=Foobar,template_name=golden-template]": 1,
-  "coderd_insights_parameters[parameter_name=first_parameter,parameter_type=string,parameter_value=Baz,template_name=golden-template]": 1,
-  "coderd_insights_parameters[parameter_name=second_parameter,parameter_type=bool,parameter_value=true,template_name=golden-template]": 2,
-  "coderd_insights_parameters[parameter_name=third_parameter,parameter_type=number,parameter_value=789,template_name=golden-template]": 1,
-  "coderd_insights_parameters[parameter_name=third_parameter,parameter_type=number,parameter_value=999,template_name=golden-template]": 1,
-  "coderd_insights_templates_active_users[template_name=golden-template]": 1
+  "coderd_insights_applications_usage_seconds[application_name=JetBrains,organization_name=coder,slug=,template_name=golden-template]": 60,
+  "coderd_insights_applications_usage_seconds[application_name=Visual Studio Code,organization_name=coder,slug=,template_name=golden-template]": 60,
+  "coderd_insights_applications_usage_seconds[application_name=Web Terminal,organization_name=coder,slug=,template_name=golden-template]": 0,
+  "coderd_insights_applications_usage_seconds[application_name=SSH,organization_name=coder,slug=,template_name=golden-template]": 60,
+  "coderd_insights_applications_usage_seconds[application_name=Golden Slug,organization_name=coder,slug=golden-slug,template_name=golden-template]": 180,
+  "coderd_insights_parameters[organization_name=coder,parameter_name=first_parameter,parameter_type=string,parameter_value=Foobar,template_name=golden-template]": 1,
+  "coderd_insights_parameters[organization_name=coder,parameter_name=first_parameter,parameter_type=string,parameter_value=Baz,template_name=golden-template]": 1,
+  "coderd_insights_parameters[organization_name=coder,parameter_name=second_parameter,parameter_type=bool,parameter_value=true,template_name=golden-template]": 2,
+  "coderd_insights_parameters[organization_name=coder,parameter_name=third_parameter,parameter_type=number,parameter_value=789,template_name=golden-template]": 1,
+  "coderd_insights_parameters[organization_name=coder,parameter_name=third_parameter,parameter_type=number,parameter_value=999,template_name=golden-template]": 1,
+  "coderd_insights_templates_active_users[organization_name=coder,template_name=golden-template]": 1
 }
@@ -282,6 +282,40 @@ neq(input.object.owner, "");
 				p("'10d03e62-7703-4df5-a358-4f76577d4e2f' = id :: text") + " AND " + p("id :: text != ''") + " AND " + p("'' = ''"),
 			),
 		},
+		{
+			Name: "AuditLogUUID",
+			Queries: []string{
+				`"8c0b9bdc-a013-4b14-a49b-5747bc335708" = input.object.org_owner`,
+				`input.object.org_owner != ""`,
+				`neq(input.object.org_owner, "8c0b9bdc-a013-4b14-a49b-5747bc335708")`,
+				`input.object.org_owner in {"8c0b9bdc-a013-4b14-a49b-5747bc335708", "05f58202-4bfc-43ce-9ba4-5ff6e0174a71"}`,
+				`"read" in input.object.acl_group_list[input.object.org_owner]`,
+			},
+			ExpectedSQL: p(
+				p("audit_logs.organization_id = '8c0b9bdc-a013-4b14-a49b-5747bc335708'::uuid") + " OR " +
+					p("audit_logs.organization_id IS NOT NULL") + " OR " +
+					p("audit_logs.organization_id != '8c0b9bdc-a013-4b14-a49b-5747bc335708'::uuid") + " OR " +
+					p("audit_logs.organization_id = ANY(ARRAY ['05f58202-4bfc-43ce-9ba4-5ff6e0174a71'::uuid,'8c0b9bdc-a013-4b14-a49b-5747bc335708'::uuid])") + " OR " +
+					"(false)"),
+			VariableConverter: regosql.AuditLogConverter(),
+		},
+		{
+			Name: "ConnectionLogUUID",
+			Queries: []string{
+				`"8c0b9bdc-a013-4b14-a49b-5747bc335708" = input.object.org_owner`,
+				`input.object.org_owner != ""`,
+				`neq(input.object.org_owner, "8c0b9bdc-a013-4b14-a49b-5747bc335708")`,
+				`input.object.org_owner in {"8c0b9bdc-a013-4b14-a49b-5747bc335708"}`,
+				`"read" in input.object.acl_group_list[input.object.org_owner]`,
+			},
+			ExpectedSQL: p(
+				p("connection_logs.organization_id = '8c0b9bdc-a013-4b14-a49b-5747bc335708'::uuid") + " OR " +
+					p("connection_logs.organization_id IS NOT NULL") + " OR " +
+					p("connection_logs.organization_id != '8c0b9bdc-a013-4b14-a49b-5747bc335708'::uuid") + " OR " +
+					p("connection_logs.organization_id = ANY(ARRAY ['8c0b9bdc-a013-4b14-a49b-5747bc335708'::uuid])") + " OR " +
+					"(false)"),
+			VariableConverter: regosql.ConnectionLogConverter(),
+		},
 	}

 	for _, tc := range testCases {
@@ -53,7 +53,7 @@ func WorkspaceConverter() *sqltypes.VariableConverter {
 func AuditLogConverter() *sqltypes.VariableConverter {
 	matcher := sqltypes.NewVariableConverter().RegisterMatcher(
 		resourceIDMatcher(),
-		sqltypes.StringVarMatcher("COALESCE(audit_logs.organization_id :: text, '')", []string{"input", "object", "org_owner"}),
+		sqltypes.UUIDVarMatcher("audit_logs.organization_id", []string{"input", "object", "org_owner"}),
 		// Audit logs have no user owner, only owner by an organization.
 		sqltypes.AlwaysFalse(userOwnerMatcher()),
 	)
@@ -67,7 +67,7 @@ func AuditLogConverter() *sqltypes.VariableConverter {
 func ConnectionLogConverter() *sqltypes.VariableConverter {
 	matcher := sqltypes.NewVariableConverter().RegisterMatcher(
 		resourceIDMatcher(),
-		sqltypes.StringVarMatcher("COALESCE(connection_logs.organization_id :: text, '')", []string{"input", "object", "org_owner"}),
+		sqltypes.UUIDVarMatcher("connection_logs.organization_id", []string{"input", "object", "org_owner"}),
 		// Connection logs have no user owner, only owner by an organization.
 		sqltypes.AlwaysFalse(userOwnerMatcher()),
 	)
@@ -0,0 +1,114 @@
+package sqltypes
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/open-policy-agent/opa/ast"
+	"golang.org/x/xerrors"
+)
+
+var (
+	_ VariableMatcher  = astUUIDVar{}
+	_ Node             = astUUIDVar{}
+	_ SupportsEquality = astUUIDVar{}
+)
+
+// astUUIDVar is a variable that represents a UUID column. Unlike
+// astStringVar it emits native UUID comparisons (column = 'val'::uuid)
+// instead of text-based ones (COALESCE(column::text, ”) = 'val').
+// This allows PostgreSQL to use indexes on UUID columns.
+type astUUIDVar struct {
+	Source       RegoSource
+	FieldPath    []string
+	ColumnString string
+}
+
+func UUIDVarMatcher(sqlColumn string, regoPath []string) VariableMatcher {
+	return astUUIDVar{FieldPath: regoPath, ColumnString: sqlColumn}
+}
+
+func (astUUIDVar) UseAs() Node { return astUUIDVar{} }
+
+func (u astUUIDVar) ConvertVariable(rego ast.Ref) (Node, bool) {
+	left, err := RegoVarPath(u.FieldPath, rego)
+	if err == nil && len(left) == 0 {
+		return astUUIDVar{
+			Source:       RegoSource(rego.String()),
+			FieldPath:    u.FieldPath,
+			ColumnString: u.ColumnString,
+		}, true
+	}
+
+	return nil, false
+}
+
+func (u astUUIDVar) SQLString(_ *SQLGenerator) string {
+	return u.ColumnString
+}
+
+// EqualsSQLString handles equality comparisons for UUID columns.
+// Rego always produces string literals, so we accept AstString and
+// cast the literal to ::uuid in the output SQL. This lets PG use
+// native UUID indexes instead of falling back to text comparisons.
+// nolint:revive
+func (u astUUIDVar) EqualsSQLString(cfg *SQLGenerator, not bool, other Node) (string, error) {
+	switch other.UseAs().(type) {
+	case AstString:
+		// The other side is a rego string literal like
+		// "8c0b9bdc-a013-4b14-a49b-5747bc335708". Emit a comparison
+		// that casts the literal to uuid so PG can use indexes:
+		//   column = 'val'::uuid
+		// instead of the text-based:
+		//   'val' = COALESCE(column::text, '')
+		s, ok := other.(AstString)
+		if !ok {
+			return "", xerrors.Errorf("expected AstString, got %T", other)
+		}
+		if s.Value == "" {
+			// Empty string in rego means "no value". Compare the
+			// column against NULL since UUID columns represent
+			// absent values as NULL, not empty strings.
+			op := "IS NULL"
+			if not {
+				op = "IS NOT NULL"
+			}
+			return fmt.Sprintf("%s %s", u.ColumnString, op), nil
+		}
+		return fmt.Sprintf("%s %s '%s'::uuid",
+			u.ColumnString, equalsOp(not), s.Value), nil
+	case astUUIDVar:
+		return basicSQLEquality(cfg, not, u, other), nil
+	default:
+		return "", xerrors.Errorf("unsupported equality: %T %s %T",
+			u, equalsOp(not), other)
+	}
+}
+
+// ContainedInSQL implements SupportsContainedIn so that a UUID column
+// can appear in membership checks like `col = ANY(ARRAY[...])`. The
+// array elements are rego strings, so we cast each to ::uuid.
+func (u astUUIDVar) ContainedInSQL(_ *SQLGenerator, haystack Node) (string, error) {
+	arr, ok := haystack.(ASTArray)
+	if !ok {
+		return "", xerrors.Errorf("unsupported containedIn: %T in %T", u, haystack)
+	}
+
+	if len(arr.Value) == 0 {
+		return "false", nil
+	}
+
+	// Build ARRAY['uuid1'::uuid, 'uuid2'::uuid, ...]
+	values := make([]string, 0, len(arr.Value))
+	for _, v := range arr.Value {
+		s, ok := v.(AstString)
+		if !ok {
+			return "", xerrors.Errorf("expected AstString array element, got %T", v)
+		}
+		values = append(values, fmt.Sprintf("'%s'::uuid", s.Value))
+	}
+
+	return fmt.Sprintf("%s = ANY(ARRAY [%s])",
+		u.ColumnString,
+		strings.Join(values, ",")), nil
+}
@@ -66,7 +66,7 @@ func AuditLogs(ctx context.Context, db database.Store, query string) (database.G
 	}

 	// Prepare the count filter, which uses the same parameters as the GetAuditLogsOffsetParams.
-	// nolint:exhaustruct // UserID is not obtained from the query parameters.
+	// nolint:exhaustruct // UserID and CountCap are not obtained from the query parameters.
 	countFilter := database.CountAuditLogsParams{
 		RequestID:      filter.RequestID,
 		ResourceID:     filter.ResourceID,
@@ -123,6 +123,7 @@ func ConnectionLogs(ctx context.Context, db database.Store, query string, apiKey
 	}

 	// This MUST be kept in sync with the above
+	// nolint:exhaustruct // CountCap is not obtained from the query parameters.
 	countFilter := database.CountConnectionLogsParams{
 		OrganizationID:      filter.OrganizationID,
 		WorkspaceOwner:      filter.WorkspaceOwner,
@@ -177,7 +177,7 @@ func generateFromPrompt(prompt string) (TaskName, error) {
 		// Ensure display name is never empty
 		displayName = strings.ReplaceAll(name, "-", " ")
 	}
-	displayName = strings.ToUpper(displayName[:1]) + displayName[1:]
+	displayName = strutil.Capitalize(displayName)

 	return TaskName{
 		Name:        taskName,
@@ -269,7 +269,7 @@ func generateFromAnthropic(ctx context.Context, prompt string, apiKey string, mo
 		// Ensure display name is never empty
 		displayName = strings.ReplaceAll(taskNameResponse.Name, "-", " ")
 	}
-	displayName = strings.ToUpper(displayName[:1]) + displayName[1:]
+	displayName = strutil.Capitalize(displayName)

 	return TaskName{
 		Name:        name,
@@ -49,6 +49,19 @@ func TestGenerate(t *testing.T) {
 		require.NotEmpty(t, taskName.DisplayName)
 	})

+	t.Run("FromPromptMultiByte", func(t *testing.T) {
+		t.Setenv("ANTHROPIC_API_KEY", "")
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		taskName := taskname.Generate(ctx, testutil.Logger(t), "über cool feature")
+
+		require.NoError(t, codersdk.NameValid(taskName.Name))
+		require.True(t, len(taskName.DisplayName) > 0)
+		// The display name must start with "Ü", not corrupted bytes.
+		require.Equal(t, "Über cool feature", taskName.DisplayName)
+	})
+
 	t.Run("Fallback", func(t *testing.T) {
 		// Ensure no API key
 		t.Setenv("ANTHROPIC_API_KEY", "")
@@ -43,6 +43,8 @@ const (
 	// VersionHeader is sent in every telemetry request to
 	// report the semantic version of Coder.
 	VersionHeader = "X-Coder-Version"
+
+	DefaultSnapshotFrequency = 30 * time.Minute
 )

 type Options struct {
@@ -71,8 +73,7 @@ func New(options Options) (Reporter, error) {
 		options.Clock = quartz.NewReal()
 	}
 	if options.SnapshotFrequency == 0 {
-		// Report once every 30mins by default!
-		options.SnapshotFrequency = 30 * time.Minute
+		options.SnapshotFrequency = DefaultSnapshotFrequency
 	}
 	snapshotURL, err := options.URL.Parse("/snapshot")
 	if err != nil {
@@ -881,16 +882,20 @@ func (r *remoteReporter) collectBoundaryUsageSummary(ctx context.Context) (*Boun
 	}

 	// Reset stats after capturing the summary. This deletes all rows so each
-	// replica will detect a new period on their next flush.
+	// replica will detect a new period on their next flush. Note: there is a
+	// known race condition here that may result in a small telemetry inaccuracy
+	// with multiple replicas (https://github.com/coder/coder/issues/21770).
 	if err := r.options.Database.ResetBoundaryUsageStats(boundaryCtx); err != nil {
 		return nil, xerrors.Errorf("reset boundary usage stats: %w", err)
 	}

 	return &BoundaryUsageSummary{
-		UniqueWorkspaces: summary.UniqueWorkspaces,
-		UniqueUsers:      summary.UniqueUsers,
-		AllowedRequests:  summary.AllowedRequests,
-		DeniedRequests:   summary.DeniedRequests,
+		UniqueWorkspaces:           summary.UniqueWorkspaces,
+		UniqueUsers:                summary.UniqueUsers,
+		AllowedRequests:            summary.AllowedRequests,
+		DeniedRequests:             summary.DeniedRequests,
+		PeriodStart:                now.Add(-r.options.SnapshotFrequency),
+		PeriodDurationMilliseconds: r.options.SnapshotFrequency.Milliseconds(),
 	}, nil
 }

@@ -2054,12 +2059,29 @@ type AIBridgeInterceptionsSummary struct {
 }

 // BoundaryUsageSummary contains aggregated boundary usage statistics across all
-// replicas for the telemetry period.
+// replicas for the telemetry period. See the boundaryusage package documentation
+// for the full tracking architecture.
 type BoundaryUsageSummary struct {
 	UniqueWorkspaces int64 `json:"unique_workspaces"`
 	UniqueUsers      int64 `json:"unique_users"`
 	AllowedRequests  int64 `json:"allowed_requests"`
 	DeniedRequests   int64 `json:"denied_requests"`
+
+	// PeriodStart and PeriodDurationMilliseconds describe the approximate collection
+	// window. The actual data may not align *exactly* to these boundaries because:
+	//
+	//   - Each replica flushes to the database independently on its own schedule
+	//   - The summary captures "data flushed since last reset" rather than "usage
+	//     during exactly the stated interval"
+	//   - Unflushed in-memory data at snapshot time rolls into the next period
+	//
+	// This is adequate for our purposes of gathering general usage and trends.
+	//
+	// PeriodStart is the approximate start of the collection period.
+	PeriodStart time.Time `json:"period_start"`
+	// PeriodDurationMilliseconds is the expected duration of the collection
+	// period (the telemetry snapshot frequency).
+	PeriodDurationMilliseconds int64 `json:"period_duration_ms"`
 }

 func ConvertAIBridgeInterceptionsSummary(endTime time.Time, provider, model, client string, summary database.CalculateAIBridgeInterceptionsTelemetrySummaryRow) AIBridgeInterceptionsSummary {
@@ -880,6 +880,8 @@ func TestTelemetry_BoundaryUsageSummary(t *testing.T) {
 		require.Equal(t, int64(2), snapshot.BoundaryUsageSummary.UniqueUsers)
 		require.Equal(t, int64(10+5+3), snapshot.BoundaryUsageSummary.AllowedRequests)
 		require.Equal(t, int64(2+1+0), snapshot.BoundaryUsageSummary.DeniedRequests)
+		require.Equal(t, clock.Now().Add(-telemetry.DefaultSnapshotFrequency), snapshot.BoundaryUsageSummary.PeriodStart)
+		require.Equal(t, int64(telemetry.DefaultSnapshotFrequency/time.Millisecond), snapshot.BoundaryUsageSummary.PeriodDurationMilliseconds)
 	})

 	t.Run("ResetAfterCollection", func(t *testing.T) {
@@ -5,6 +5,7 @@ import (
 	"strconv"
 	"strings"
 	"unicode"
+	"unicode/utf8"

 	"github.com/acarl005/stripansi"
 	"github.com/microcosm-cc/bluemonday"
@@ -53,7 +54,7 @@ const (
 	TruncateWithFullWords TruncateOption = 1 << 1
 )

-// Truncate truncates s to n characters.
+// Truncate truncates s to n runes.
 // Additional behaviors can be specified using TruncateOptions.
 func Truncate(s string, n int, opts ...TruncateOption) string {
 	var options TruncateOption
@@ -63,7 +64,8 @@ func Truncate(s string, n int, opts ...TruncateOption) string {
 	if n < 1 {
 		return ""
 	}
-	if len(s) <= n {
+	runes := []rune(s)
+	if len(runes) <= n {
 		return s
 	}

@@ -72,18 +74,18 @@ func Truncate(s string, n int, opts ...TruncateOption) string {
 		maxLen--
 	}
 	var sb strings.Builder
-	// If we need to truncate to full words, find the last word boundary before n.
 	if options&TruncateWithFullWords != 0 {
-		lastWordBoundary := strings.LastIndexFunc(s[:maxLen], unicode.IsSpace)
+		// Convert the rune-safe prefix to a string, then find
+		// the last word boundary (byte offset within that prefix).
+		truncated := string(runes[:maxLen])
+		lastWordBoundary := strings.LastIndexFunc(truncated, unicode.IsSpace)
 		if lastWordBoundary < 0 {
-			// We cannot find a word boundary. At this point, we'll truncate the string.
-			// It's better than nothing.
-			_, _ = sb.WriteString(s[:maxLen])
-		} else { // lastWordBoundary <= maxLen
-			_, _ = sb.WriteString(s[:lastWordBoundary])
+			_, _ = sb.WriteString(truncated)
+		} else {
+			_, _ = sb.WriteString(truncated[:lastWordBoundary])
 		}
 	} else {
-		_, _ = sb.WriteString(s[:maxLen])
+		_, _ = sb.WriteString(string(runes[:maxLen]))
 	}

 	if options&TruncateWithEllipsis != 0 {
@@ -126,3 +128,13 @@ func UISanitize(in string) string {
 	}
 	return strings.TrimSpace(b.String())
 }
+
+// Capitalize returns s with its first rune upper-cased. It is safe for
+// multi-byte UTF-8 characters, unlike naive byte-slicing approaches.
+func Capitalize(s string) string {
+	r, size := utf8.DecodeRuneInString(s)
+	if size == 0 {
+		return s
+	}
+	return string(unicode.ToUpper(r)) + s[size:]
+}
@@ -57,6 +57,17 @@ func TestTruncate(t *testing.T) {
 		{"foo bar", 1, "…", []strings.TruncateOption{strings.TruncateWithFullWords, strings.TruncateWithEllipsis}},
 		{"foo bar", 0, "", []strings.TruncateOption{strings.TruncateWithFullWords, strings.TruncateWithEllipsis}},
 		{"This is a very long task prompt that should be truncated to 160 characters. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.", 160, "This is a very long task prompt that should be truncated to 160 characters. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor…", []strings.TruncateOption{strings.TruncateWithFullWords, strings.TruncateWithEllipsis}},
+		// Multi-byte rune handling.
+		{"日本語テスト", 3, "日本語", nil},
+		{"日本語テスト", 4, "日本語テ", nil},
+		{"日本語テスト", 6, "日本語テスト", nil},
+		{"日本語テスト", 4, "日本語…", []strings.TruncateOption{strings.TruncateWithEllipsis}},
+		{"🎉🎊🎈🎁", 2, "🎉🎊", nil},
+		{"🎉🎊🎈🎁", 3, "🎉🎊…", []strings.TruncateOption{strings.TruncateWithEllipsis}},
+		// Multi-byte with full-word truncation.
+		{"hello 日本語", 7, "hello…", []strings.TruncateOption{strings.TruncateWithFullWords, strings.TruncateWithEllipsis}},
+		{"hello 日本語", 8, "hello 日…", []strings.TruncateOption{strings.TruncateWithEllipsis}},
+		{"日本語 テスト", 4, "日本語", []strings.TruncateOption{strings.TruncateWithFullWords}},
 	} {
 		tName := fmt.Sprintf("%s_%d", tt.s, tt.n)
 		for _, opt := range tt.options {
@@ -107,3 +118,24 @@ func TestUISanitize(t *testing.T) {
 		})
 	}
 }
+
+func TestCapitalize(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		input    string
+		expected string
+	}{
+		{"", ""},
+		{"hello", "Hello"},
+		{"über", "Über"},
+		{"Hello", "Hello"},
+		{"a", "A"},
+	}
+	for _, tt := range tests {
+		t.Run(fmt.Sprintf("%q", tt.input), func(t *testing.T) {
+			t.Parallel()
+			assert.Equal(t, tt.expected, strings.Capitalize(tt.input))
+		})
+	}
+}
@@ -1015,7 +1015,7 @@ func Test_ResolveRequest(t *testing.T) {

 		w := rw.Result()
 		defer w.Body.Close()
-		require.Equal(t, http.StatusBadGateway, w.StatusCode)
+		require.Equal(t, http.StatusNotFound, w.StatusCode)
 		assertConnLogContains(t, rw, r, connLogger, workspace, agentNameUnhealthy, appNameAgentUnhealthy, database.ConnectionTypeWorkspaceApp, me.ID)
 		require.Len(t, connLogger.ConnectionLogs(), 1)

@@ -77,7 +77,7 @@ func WriteWorkspaceApp500(log slog.Logger, accessURL *url.URL, rw http.ResponseW
 	})
 }

-// WriteWorkspaceAppOffline writes a HTML 502 error page for a workspace app. If
+// WriteWorkspaceAppOffline writes a HTML 404 error page for a workspace app. If
 // appReq is not nil, it will be used to log the request details at debug level.
 func WriteWorkspaceAppOffline(log slog.Logger, accessURL *url.URL, rw http.ResponseWriter, r *http.Request, appReq *Request, msg string) {
 	if appReq != nil {
@@ -94,7 +94,7 @@ func WriteWorkspaceAppOffline(log slog.Logger, accessURL *url.URL, rw http.Respo
 	}

 	site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
-		Status:      http.StatusBadGateway,
+		Status:      http.StatusNotFound,
 		Title:       "Application Unavailable",
 		Description: msg,
 		Actions: []site.Action{
@@ -959,7 +959,7 @@ func claimPrebuild(
 	nextStartAt sql.NullTime,
 	ttl sql.NullInt64,
 ) (*database.Workspace, error) {
-	claimedID, err := claimer.Claim(ctx, now, owner.ID, name, templateVersionPresetID, autostartSchedule, nextStartAt, ttl)
+	claimedID, err := claimer.Claim(ctx, db, now, owner.ID, name, templateVersionPresetID, autostartSchedule, nextStartAt, ttl)
 	if err != nil {
 		// TODO: enhance this by clarifying whether this *specific* prebuild failed or whether there are none to claim.
 		return nil, xerrors.Errorf("claim prebuild: %w", err)
@@ -2353,6 +2353,17 @@ func (api *API) patchWorkspaceACL(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// Don't allow adding new groups or users to a workspace associated with a
+	// task. Sharing a task workspace without sharing the task itself is a broken
+	// half measure that we don't want to support right now. To be fixed!
+	if workspace.TaskID.Valid {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Task workspaces cannot be shared.",
+			Detail:  "This workspace is managed by a task. Task sharing has not yet been implemented.",
+		})
+		return
+	}
+
 	validErrs := acl.Validate(ctx, api.Database, WorkspaceACLUpdateValidator(req))
 	if len(validErrs) > 0 {
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
@@ -209,6 +209,7 @@ type AuditLogsRequest struct {
 type AuditLogResponse struct {
 	AuditLogs []AuditLog `json:"audit_logs"`
 	Count     int64      `json:"count"`
+	CountCap  int64      `json:"count_cap"`
 }

 type CreateTestAuditLogRequest struct {
@@ -96,6 +96,7 @@ type ConnectionLogsRequest struct {
 type ConnectionLogResponse struct {
 	ConnectionLogs []ConnectionLog `json:"connection_logs"`
 	Count          int64           `json:"count"`
+	CountCap       int64           `json:"count_cap"`
 }

 func (c *Client) ConnectionLogs(ctx context.Context, req ConnectionLogsRequest) (ConnectionLogResponse, error) {
@@ -372,10 +372,6 @@ type Feature struct {

 	// Below is only for features that use usage periods.

-	// SoftLimit is the soft limit of the feature, and is only used for showing
-	// included limits in the dashboard. No license validation or warnings are
-	// generated from this value.
-	SoftLimit *int64 `json:"soft_limit,omitempty"`
 	// UsagePeriod denotes that the usage is a counter that accumulates over
 	// this period (and most likely resets with the issuance of the next
 	// license).
@@ -3616,7 +3612,7 @@ Write out the current server config as YAML to stdout.`,
 			Value:       &c.AI.BridgeConfig.MaxConcurrency,
 			Default:     "0",
 			Group:       &deploymentGroupAIBridge,
-			YAML:        "maxConcurrency",
+			YAML:        "max_concurrency",
 		},
 		{
 			Name:        "AI Bridge Rate Limit",
@@ -3626,7 +3622,7 @@ Write out the current server config as YAML to stdout.`,
 			Value:       &c.AI.BridgeConfig.RateLimit,
 			Default:     "0",
 			Group:       &deploymentGroupAIBridge,
-			YAML:        "rateLimit",
+			YAML:        "rate_limit",
 		},
 		{
 			Name:        "AI Bridge Structured Logging",
@@ -3636,7 +3632,7 @@ Write out the current server config as YAML to stdout.`,
 			Value:       &c.AI.BridgeConfig.StructuredLogging,
 			Default:     "false",
 			Group:       &deploymentGroupAIBridge,
-			YAML:        "structuredLogging",
+			YAML:        "structured_logging",
 		},
 		{
 			Name: "AI Bridge Send Actor Headers",
@@ -3658,7 +3654,7 @@ Write out the current server config as YAML to stdout.`,
 			Value:       &c.AI.BridgeConfig.CircuitBreakerEnabled,
 			Default:     "false",
 			Group:       &deploymentGroupAIBridge,
-			YAML:        "circuitBreakerEnabled",
+			YAML:        "circuit_breaker_enabled",
 		},
 		{
 			Name:        "AI Bridge Circuit Breaker Failure Threshold",
@@ -3674,7 +3670,7 @@ Write out the current server config as YAML to stdout.`,
 			Default: "5",
 			Hidden:  true,
 			Group:   &deploymentGroupAIBridge,
-			YAML:    "circuitBreakerFailureThreshold",
+			YAML:    "circuit_breaker_failure_threshold",
 		},
 		{
 			Name:        "AI Bridge Circuit Breaker Interval",
@@ -3685,7 +3681,7 @@ Write out the current server config as YAML to stdout.`,
 			Default:     "10s",
 			Hidden:      true,
 			Group:       &deploymentGroupAIBridge,
-			YAML:        "circuitBreakerInterval",
+			YAML:        "circuit_breaker_interval",
 			Annotations: serpent.Annotations{}.Mark(annotationFormatDuration, "true"),
 		},
 		{
@@ -3697,7 +3693,7 @@ Write out the current server config as YAML to stdout.`,
 			Default:     "30s",
 			Hidden:      true,
 			Group:       &deploymentGroupAIBridge,
-			YAML:        "circuitBreakerTimeout",
+			YAML:        "circuit_breaker_timeout",
 			Annotations: serpent.Annotations{}.Mark(annotationFormatDuration, "true"),
 		},
 		{
@@ -3714,7 +3710,7 @@ Write out the current server config as YAML to stdout.`,
 			Default: "3",
 			Hidden:  true,
 			Group:   &deploymentGroupAIBridge,
-			YAML:    "circuitBreakerMaxRequests",
+			YAML:    "circuit_breaker_max_requests",
 		},

 		// AI Bridge Proxy Options
@@ -12,8 +12,9 @@ import (
 )

 const (
-	LicenseExpiryClaim                = "license_expires"
-	LicenseTelemetryRequiredErrorText = "License requires telemetry but telemetry is disabled"
+	LicenseExpiryClaim                          = "license_expires"
+	LicenseTelemetryRequiredErrorText           = "License requires telemetry but telemetry is disabled"
+	LicenseManagedAgentLimitExceededWarningText = "You have built more workspaces with managed agents than your license allows."
 )

 type AddLicenseRequest struct {
@@ -115,6 +115,25 @@ specified in your template in the `disable_params` search params list
 [![Open in Coder](https://YOUR_ACCESS_URL/open-in-coder.svg)](https://YOUR_ACCESS_URL/templates/YOUR_TEMPLATE/workspace?disable_params=first_parameter,second_parameter)
 ```

+### Security: consent dialog for automatic creation
+
+When using `mode=auto` with prefilled `param.*` values, Coder displays a
+security consent dialog before creating the workspace. This protects users
+from malicious links that could provision workspaces with untrusted
+configurations, such as dotfiles or startup scripts from unknown sources.
+
+The dialog shows:
+
+- A warning that a workspace is about to be created automatically from a link
+- All prefilled `param.*` values from the URL
+- **Confirm and Create** and **Cancel** buttons
+
+The workspace is only created if the user explicitly clicks **Confirm and
+Create**. Clicking **Cancel** falls back to the standard creation form where
+all parameters can be reviewed manually.
+
+![Consent dialog for automatic workspace creation](../../images/templates/auto-create-consent-dialog.png)
+
 ### Example: Kubernetes

 For a full example of the Open in Coder flow in Kubernetes, check out
@@ -1,133 +0,0 @@
-# Client Configuration
-
-Once AI Bridge is setup on your deployment, the AI coding tools used by your users will need to be configured to route requests via AI Bridge.
-
-## Base URLs
-
-Most AI coding tools allow the "base URL" to be customized. In other words, when a request is made to OpenAI's API from your coding tool, the API endpoint such as [`/v1/chat/completions`](https://platform.openai.com/docs/api-reference/chat) will be appended to the configured base. Therefore, instead of the default base URL of `https://api.openai.com/v1`, you'll need to set it to `https://coder.example.com/api/v2/aibridge/openai/v1`.
-
-The exact configuration method varies by client — some use environment variables, others use configuration files or UI settings:
-
- **OpenAI-compatible clients**: Set the base URL (commonly via the `OPENAI_BASE_URL` environment variable) to `https://coder.example.com/api/v2/aibridge/openai/v1`
- **Anthropic-compatible clients**: Set the base URL (commonly via the `ANTHROPIC_BASE_URL` environment variable) to `https://coder.example.com/api/v2/aibridge/anthropic`
-
-Replace `coder.example.com` with your actual Coder deployment URL.
-
-## Authentication
-
-Instead of distributing provider-specific API keys (OpenAI/Anthropic keys) to users, they authenticate to AI Bridge using their **Coder session token** or **API key**:
-
- **OpenAI clients**: Users set `OPENAI_API_KEY` to their Coder session token or API key
- **Anthropic clients**: Users set `ANTHROPIC_API_KEY` to their Coder session token or API key
-
-Again, the exact environment variable or setting naming may differ from tool to tool; consult your tool's documentation.
-
-## Configuring In-Workspace Tools
-
-AI coding tools running inside a Coder workspace, such as IDE extensions, can be configured to use AI Bridge.
-
-While users can manually configure these tools with a long-lived API key, template admins can provide a more seamless experience by pre-configuring them. Admins can automatically inject the user's session token with `data.coder_workspace_owner.me.session_token` and the AI Bridge base URL into the workspace environment.
-
-In this example, Claude code respects these environment variables and will route all requests via AI Bridge.
-
-This is the fastest way to bring existing agents like Roo Code, Cursor, or Claude Code into compliance without adopting Coder Tasks.
-
-```hcl
-data "coder_workspace_owner" "me" {}
-
-data "coder_workspace" "me" {}
-
-resource "coder_agent" "dev" {
-  arch = "amd64"
-  os   = "linux"
-  dir  = local.repo_dir
-  env = {
-    ANTHROPIC_BASE_URL : "${data.coder_workspace.me.access_url}/api/v2/aibridge/anthropic",
-    ANTHROPIC_AUTH_TOKEN : data.coder_workspace_owner.me.session_token
-  }
-  ... # other agent configuration
-}
-```
-
-### Using Coder Tasks
-
-Agents like Claude Code can be configured to route through AI Bridge in any template by pre-configuring the agent with the session token. [Coder Tasks](../tasks.md) is particularly useful for this pattern, providing a framework for agents to complete background development operations autonomously. To route agents through AI Bridge in a Coder Tasks template, pre-configure it to install Claude Code and configure it with the session token:
-
-```hcl
-data "coder_workspace_owner" "me" {}
-
-data "coder_workspace" "me" {}
-
-data "coder_task" "me" {}
-
-resource "coder_agent" "dev" {
-  arch = "amd64"
-  os   = "linux"
-  dir  = local.repo_dir
-  env = {
-    ANTHROPIC_BASE_URL : "${data.coder_workspace.me.access_url}/api/v2/aibridge/anthropic",
-    ANTHROPIC_AUTH_TOKEN : data.coder_workspace_owner.me.session_token
-  }
-  ... # other agent configuration
-}
-
-# See https://registry.coder.com/modules/coder/claude-code for more information
-module "claude-code" {
-  count               = data.coder_task.me.enabled ? data.coder_workspace.me.start_count : 0
-  source              = "dev.registry.coder.com/coder/claude-code/coder"
-  version             = ">= 4.0.0"
-  agent_id            = coder_agent.dev.id
-  workdir             = "/home/coder/project"
-  claude_api_key      = data.coder_workspace_owner.me.session_token # Use the Coder session token to authenticate with AI Bridge
-  ai_prompt           = data.coder_task.me.prompt
-  ... # other claude-code configuration
-}
-
-# The coder_ai_task resource associates the task to the app.
-resource "coder_ai_task" "task" {
-  count  = data.coder_task.me.enabled ? data.coder_workspace.me.start_count : 0
-  app_id = module.claude-code[0].task_app_id
-}
-```
-
-## External and Desktop Clients
-
-You can also configure AI tools running outside of a Coder workspace, such as local IDE extensions or desktop applications, to connect to AI Bridge.
-
-The configuration is the same: point the tool to the AI Bridge [base URL](#base-urls) and use a Coder API key for authentication.
-
-Users can generate a long-lived API key from the Coder UI or CLI. Follow the instructions at [Sessions and API tokens](../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself) to create one.
-
-## Compatibility
-
-The table below shows tested AI clients and their compatibility with AI Bridge. Click each client name for vendor-specific configuration instructions. Report issues or share compatibility updates in the [aibridge](https://github.com/coder/aibridge) issue tracker.
-
-| Client                                                                                                                              | OpenAI support | Anthropic support | Notes                                                                                                                                                                                                                                                     |
-|-------------------------------------------------------------------------------------------------------------------------------------|----------------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [Claude Code](https://docs.claude.com/en/docs/claude-code/settings#environment-variables)                                           | -              | ✅                 | Works out of the box and can be preconfigured in templates.                                                                                                                                                                                               |
-| Claude Code (VS Code)                                                                                                               | -              | ✅                 | May require signing in once; afterwards respects workspace environment variables.                                                                                                                                                                         |
-| Cursor                                                                                                                              | ❌              | ❌                 | Support dropped for `v1/chat/completions` endpoints; `v1/responses` support is in progress [#16](https://github.com/coder/aibridge/issues/16)                                                                                                             |
-| [Roo Code](https://docs.roocode.com/features/api-configuration-profiles#creating-and-managing-profiles)                             | ✅              | ✅                 | Use the **OpenAI Compatible** provider with the legacy format to avoid `/v1/responses`.                                                                                                                                                                   |
-| [Codex CLI](https://github.com/openai/codex/blob/main/docs/config.md#model_providers)                                               | ⚠️             | N/A               | • Use v0.58.0 (`npm install -g @openai/codex@0.58.0`). Newer versions have a [bug](https://github.com/openai/codex/issues/8107) breaking the request payload. <br/>• `gpt-5-codex` support is [in progress](https://github.com/coder/aibridge/issues/16). |
-| [GitHub Copilot (VS Code)](https://code.visualstudio.com/docs/copilot/customization/language-models#_add-an-openaicompatible-model) | ✅              | ❌                 | Requires the pre-release extension. Anthropic endpoints are not supported.                                                                                                                                                                                |
-| [Goose](https://block.github.io/goose/docs/getting-started/providers/#available-providers)                                          | ❓              | ❓                 |                                                                                                                                                                                                                                                           |
-| [Goose Desktop](https://block.github.io/goose/docs/getting-started/providers/#available-providers)                                  | ❓              | ✅                 |                                                                                                                                                                                                                                                           |
-| WindSurf                                                                                                                            | ❌              | ❌                 | No option to override the base URL.                                                                                                                                                                                                                       |
-| Sourcegraph Amp                                                                                                                     | ❌              | ❌                 | No option to override the base URL.                                                                                                                                                                                                                       |
-| Kiro                                                                                                                                | ❌              | ❌                 | No option to override the base URL.                                                                                                                                                                                                                       |
-| [Copilot CLI](https://github.com/github/copilot-cli/issues/104)                                                                     | ❌              | ❌                 | No support for custom base URLs and uses a `GITHUB_TOKEN` for authentication.                                                                                                                                                                             |
-| [Kilo Code](https://kilocode.ai/docs/features/api-configuration-profiles#creating-and-managing-profiles)                            | ✅              | ✅                 | Similar to Roo Code.                                                                                                                                                                                                                                      |
-| Gemini CLI                                                                                                                          | ❌              | ❌                 | Not supported yet.                                                                                                                                                                                                                                        |
-| [Amazon Q CLI](https://aws.amazon.com/q/)                                                                                           | ❌              | ❌                 | Limited to Amazon Q subscriptions; no custom endpoint support.                                                                                                                                                                                            |
-
-Legend: ✅ works, ⚠️ limited support, ❌ not supported, ❓ not yet verified, — not applicable.
-
-### Compatibility Overview
-
-Most AI coding assistants can use AI Bridge, provided they support custom base URLs. Client-specific requirements vary:
-
- Some clients require specific URL formats (for example, removing the `/v1` suffix).
- Some clients proxy requests through their own servers, which limits compatibility.
- Some clients do not support custom base URLs.
-
-See the table in the [compatibility](#compatibility) section above for the combinations we have verified and any known issues.
@@ -0,0 +1,55 @@
+# Claude Code
+
+## Configuration
+
+Claude Code can be configured using environment variables.
+
+* **Base URL**: `ANTHROPIC_BASE_URL` should point to `https://coder.example.com/api/v2/aibridge/anthropic`
+* **API Key**: `ANTHROPIC_API_KEY` should be your [Coder session token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself).
+
+### Pre-configuring in Templates
+
+Template admins can pre-configure Claude Code for a seamless experience. Admins can automatically inject the user's Coder session token and the AI Bridge base URL into the workspace environment.
+
+```hcl
+module "claude-code" {
+  source          = "registry.coder.com/coder/claude-code/coder"
+  version         = "4.7.3"
+  agent_id        = coder_agent.main.id
+  workdir         = "/path/to/project"  # Set to your project directory
+  enable_aibridge = true
+}
+```
+
+### Coder Tasks
+
+[Coder Tasks](../../tasks.md) provides a framework for agents to complete background development operations autonomously. Claude Code can be configured in your Tasks automatically:
+
+```hcl
+resource "coder_ai_task" "task" {
+  count  = data.coder_workspace.me.start_count
+  app_id = module.claude-code.task_app_id
+}
+
+data "coder_task" "me" {}
+
+module "claude-code" {
+  source         = "registry.coder.com/coder/claude-code/coder"
+  version        = "4.7.3"
+  agent_id       = coder_agent.main.id
+  workdir        = "/path/to/project"  # Set to your project directory
+  ai_prompt      = data.coder_task.me.prompt
+
+  # Route through AI Bridge (Premium feature)
+  enable_aibridge = true
+}
+```
+
+## VS Code Extension
+
+The Claude Code VS Code extension is also supported.
+
+1. If pre-configured in the workspace environment variables (as shown above), it typically respects them.
+2. You may need to sign in once; afterwards, it respects the workspace environment variables.
+
+**References:** [Claude Code Settings](https://docs.claude.com/en/docs/claude-code/settings#environment-variables)
@@ -0,0 +1,36 @@
+# Cline
+
+Cline supports both OpenAI and Anthropic models and can be configured to use AI Bridge by setting providers.
+
+## Configuration
+
+To configure Cline to use AI Bridge, follow these steps:
+![Cline Settings](../../../images/aibridge/clients/cline-setup.png)
+
+<div class="tabs">
+
+### OpenAI Compatible
+
+1. Open Cline in VS Code.
+1. Go to **Settings**.
+1. **API Provider**: Select **OpenAI Compatible**.
+1. **Base URL**: Enter `https://coder.example.com/api/v2/aibridge/openai/v1`.
+1. **OpenAI Compatible API Key**: Enter your **[Coder Session Token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)**.
+1. **Model ID** (Optional): Enter the model you wish to use (e.g., `gpt-5.2-codex`).
+
+![Cline OpenAI Settings](../../../images/aibridge/clients/cline-openai.png)
+
+### Anthropic
+
+1. Open Cline in VS Code.
+1. Go to **Settings**.
+1. **API Provider**: Select **Anthropic**.
+1. **Anthropic API Key**: Enter your **Coder Session Token**.
+1. **Base URL**: Enter `https://coder.example.com/api/v2/aibridge/anthropic` after checking **_Use custom base URL_**.
+1. **Model ID** (Optional): Select your desired Claude model.
+
+![Cline Anthropic Settings](../../../images/aibridge/clients/cline-anthropic.png)
+
+</div>
+
+**References:** [Cline Configuration](https://github.com/cline/cline)
@@ -0,0 +1,50 @@
+# Codex CLI
+
+Codex CLI can be configured to use AI Bridge by setting up a custom model provider.
+
+## Configuration
+
+> [!NOTE]
+> When running Codex CLI inside a Coder workspace, use the configuration below to route requests through AI Bridge.
+
+To configure Codex CLI to use AI Bridge, set the following configuration options in your Codex configuration file (e.g., `~/.codex/config.toml`):
+
+```toml
+[model_providers.aibridge]
+name = "AI Bridge"
+base_url = "${data.coder_workspace.me.access_url}/api/v2/aibridge/openai/v1"
+env_key = "OPENAI_API_KEY"
+wire_api = "responses"
+
+[profiles.aibridge]
+model_provider = "aibridge"
+model = "gpt-5.2-codex"
+```
+
+Run Codex with the `aibridge` profile:
+
+```bash
+codex --profile aibridge
+```
+
+If configuring within a Coder workspace, you can also use the [Codex CLI](https://registry.coder.com/modules/coder-labs/codex) module and set the following variables:
+
+```tf
+module "codex" {
+  source          = "registry.coder.com/coder-labs/codex/coder"
+  version         = "~> 4.1"
+  agent_id        = coder_agent.main.id
+  workdir         = "/path/to/project"  # Set to your project directory
+  enable_aibridge = true
+}
+```
+
+## Authentication
+
+To authenticate with AI Bridge, get your **[Coder session token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)** and set it in your environment:
+
+```bash
+export OPENAI_API_KEY="<your-coder-session-token>"
+```
+
+**References:** [Codex CLI Configuration](https://developers.openai.com/codex/config-advanced)
@@ -0,0 +1,35 @@
+# Factory
+
+Factort's Droid agent can be configured to use AI Bridge by setting up custom models for OpenAI and Anthropic.
+
+## Configuration
+
+1. Open `~/.factory/settings.json` (create it if it does not exist).
+2. Add a `customModels` entry for each provider you want to use with AI Bridge.
+3. Replace `coder.example.com` with your Coder deployment URL.
+4. Use a **[Coder session token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)** for `apiKey`.
+
+```json
+{
+  "customModels": [
+    {
+      "model": "claude-4-5-opus",
+      "displayName": "Claude (Coder AI Bridge)",
+      "baseUrl": "https://coder.example.com/api/v2/aibridge/anthropic",
+      "apiKey": "<your-coder-session-token>",
+      "provider": "anthropic",
+      "maxOutputTokens": 8192
+    },
+    {
+      "model": "gpt-5.2-codex",
+      "displayName": "GPT (Coder AI Bridge)",
+      "baseUrl": "https://coder.example.com/api/v2/aibridge/openai/v1",
+      "apiKey": "<your-coder-session-token>",
+      "provider": "openai",
+      "maxOutputTokens": 16384
+    }
+  ]
+}
+```
+
+**References:** [Factory BYOK OpenAI & Anthropic](https://docs.factory.ai/cli/byok/openai-anthropic)
@@ -0,0 +1,99 @@
+# Client Configuration
+
+Once AI Bridge is setup on your deployment, the AI coding tools used by your users will need to be configured to route requests via AI Bridge.
+
+## Base URLs
+
+Most AI coding tools allow the "base URL" to be customized. In other words, when a request is made to OpenAI's API from your coding tool, the API endpoint such as [`/v1/chat/completions`](https://platform.openai.com/docs/api-reference/chat) will be appended to the configured base. Therefore, instead of the default base URL of `https://api.openai.com/v1`, you'll need to set it to `https://coder.example.com/api/v2/aibridge/openai/v1`.
+
+The exact configuration method varies by client — some use environment variables, others use configuration files or UI settings:
+
+- **OpenAI-compatible clients**: Set the base URL (commonly via the `OPENAI_BASE_URL` environment variable) to `https://coder.example.com/api/v2/aibridge/openai/v1`
+- **Anthropic-compatible clients**: Set the base URL (commonly via the `ANTHROPIC_BASE_URL` environment variable) to `https://coder.example.com/api/v2/aibridge/anthropic`
+
+Replace `coder.example.com` with your actual Coder deployment URL.
+
+## Authentication
+
+Instead of distributing provider-specific API keys (OpenAI/Anthropic keys) to users, they authenticate to AI Bridge using their **Coder session token** or **API key**:
+
+- **OpenAI clients**: Users set `OPENAI_API_KEY` to their Coder session token or API key
+- **Anthropic clients**: Users set `ANTHROPIC_API_KEY` to their Coder session token or API key
+
+> [!NOTE]
+> Only Coder-issued tokens can authenticate users against AI Bridge.
+> AI Bridge will use provider-specific API keys to [authenticate against upstream AI services](https://coder.com/docs/ai-coder/ai-bridge/setup#configure-providers).
+
+Again, the exact environment variable or setting naming may differ from tool to tool. See a list of [supported clients](#all-supported-clients) below and consult your tool's documentation for details.
+
+### Retrieving your session token
+
+[Generate a long-lived API token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself) via the Coder dashboard and use it to configure your AI coding tool:
+
+```sh
+export ANTHROPIC_API_KEY="your-coder-session-token"
+export ANTHROPIC_BASE_URL="https://coder.example.com/api/v2/aibridge/anthropic"
+```
+
+## Compatibility
+
+The table below shows tested AI clients and their compatibility with AI Bridge.
+
+| Client                           | OpenAI | Anthropic | Notes                                                                                                                                                  |
+|----------------------------------|--------|-----------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [Claude Code](./claude-code.md)  | -      | ✅         |                                                                                                                                                        |
+| [Codex CLI](./codex.md)          | ✅      | -         |                                                                                                                                                        |
+| [OpenCode](./opencode.md)        | ✅      | ✅         |                                                                                                                                                        |
+| [Factory](./factory.md)          | ✅      | ✅         |                                                                                                                                                        |
+| [Cline](./cline.md)              | ✅      | ✅         |                                                                                                                                                        |
+| [Kilo Code](./kilo-code.md)      | ✅      | ✅         |                                                                                                                                                        |
+| [Roo Code](./roo-code.md)        | ✅      | ✅         |                                                                                                                                                        |
+| [VS Code](./vscode.md)           | ✅      | ❌         | Only supports Custom Base URL for OpenAI.                                                                                                              |
+| [JetBrains IDEs](./jetbrains.md) | ✅      | ❌         | Works in Chat mode via "Bring Your Own Key".                                                                                                           |
+| [Zed](./zed.md)                  | ✅      | ✅         |                                                                                                                                                        |
+| WindSurf                         | ❌      | ❌         | No option to override base URL.                                                                                                                        |
+| Cursor                           | ❌      | ❌         | Override for OpenAI broken ([upstream issue](https://forum.cursor.com/t/requests-are-sent-to-incorrect-endpoint-when-using-base-url-override/144894)). |
+| Sourcegraph Amp                  | ❌      | ❌         | No option to override base URL.                                                                                                                        |
+| Kiro                             | ❌      | ❌         | No option to override base URL.                                                                                                                        |
+| Gemini CLI                       | ❌      | ❌         | No Gemini API support. Upvote [this issue](https://github.com/coder/aibridge/issues/27).                                                               |
+| Antigravity                      | ❌      | ❌         | No option to override base URL.                                                                                                                        |
+|
+
+*Legend: ✅ supported, ❌ not supported, - not applicable.*
+
+## Configuring In-Workspace Tools
+
+AI coding tools running inside a Coder workspace, such as IDE extensions, can be configured to use AI Bridge.
+
+While users can manually configure these tools with a long-lived API key, template admins can provide a more seamless experience by pre-configuring them. Admins can automatically inject the user's session token with `data.coder_workspace_owner.me.session_token` and the AI Bridge base URL into the workspace environment.
+
+In this example, Claude Code respects these environment variables and will route all requests via AI Bridge.
+
+```hcl
+data "coder_workspace_owner" "me" {}
+
+data "coder_workspace" "me" {}
+
+resource "coder_agent" "dev" {
+    arch = "amd64"
+    os   = "linux"
+    dir  = local.repo_dir
+    env = {
+        ANTHROPIC_BASE_URL : "${data.coder_workspace.me.access_url}/api/v2/aibridge/anthropic",
+        ANTHROPIC_AUTH_TOKEN : data.coder_workspace_owner.me.session_token
+    }
+    ... # other agent configuration
+}
+```
+
+## External and Desktop Clients
+
+You can also configure AI tools running outside of a Coder workspace, such as local IDE extensions or desktop applications, to connect to AI Bridge.
+
+The configuration is the same: point the tool to the AI Bridge [base URL](#base-urls) and use a Coder API key for authentication.
+
+Users can generate a long-lived API key from the Coder UI or CLI. Follow the instructions at [Sessions and API tokens](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself) to create one.
+
+## All Supported Clients
+
+<children></children>
@@ -0,0 +1,35 @@
+# JetBrains IDEs
+
+JetBrains IDE (IntelliJ IDEA, PyCharm, WebStorm, etc.) support AI Bridge via the ["Bring Your Own Key" (BYOK)](https://www.jetbrains.com/help/ai-assistant/use-custom-models.html#provide-your-own-api-key) feature.
+
+## Prerequisites
+
+* [**JetBrains AI Assistant**](https://www.jetbrains.com/help/ai-assistant/installation-guide-ai-assistant.html): Installed and enabled.
+* **Authentication**: Your **[Coder session token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)**.
+
+## Configuration
+
+1. **Open Settings**: Go to **Settings** > **Tools** > **AI Assistant** > **Models & API Keys**.
+1. **Configure Provider**: Go to **Third-party AI providers**.
+1. **Choose Provider**: Choose **OpenAI-compatible**.
+1. **URL**: `https://coder.example.com/api/v2/aibridge/openai/v1`
+1. **API Key**: Paste your **[Coder session token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)**.
+1. **Apply**: Click **Apply** and **OK**.
+
+![JetBrains AI Assistant Settings](../../../images/aibridge/clients/jetbrains-ai-settings.png)
+
+## Using the AI Assistant
+
+1. Go back to **AI Chat** on theleft side bar and choose **Chat**.
+1. In the Model dropdown, select the desired model (e.g., `gpt-5.2`).
+
+![JetBrains AI Assistant Chat](../../../images/aibridge/clients/jetbrains-ai-chat.png)
+
+You can now use the AI Assistant chat with the configured provider.
+
+> [!NOTE]
+>
+> * JetBrains AI Assistant currently only supports OpenAI-compatible endpoints. There is an open [issue](https://youtrack.jetbrains.com/issue/LLM-22740) tracking support for Anthropic.
+> * JetBrains AI Assistant may not support all models that support OPenAI's `/chat/completions` endpoint in Chat mode.
+
+**References:** [Use custom models with JetBrains AI Assistant](https://www.jetbrains.com/help/ai-assistant/use-custom-models.html#provide-your-own-api-key)
@@ -0,0 +1,33 @@
+# Kilo Code
+
+Kilo Code allows you to configure providers via the UI and can be set up to use AI Bridge.
+
+## Configuration
+
+<div class="tabs">
+
+### OpenAI Compatible
+
+1. Open Kilo Code in VS Code.
+1. Go to **Settings**.
+1. **Provider**: Select **OpenAI**.
+1. **Base URL**: Enter `https://coder.example.com/api/v2/aibridge/openai/v1`.
+1. **API Key**: Enter your **[Coder Session Token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)**.
+1. **Model ID**: Enter the model you wish to use (e.g., `gpt-5.2-codex`).
+
+![Kilo Code OpenAI Settings](../../../images/aibridge/clients/kilo-code-openai.png)
+
+### Anthropic
+
+1. Open Kilo Code in VS Code.
+1. Go to **Settings**.
+1. **Provider**: Select **Anthropic**.
+1. **Base URL**: Enter `https://coder.example.com/api/v2/aibridge/anthropic`.
+1. **API Key**: Enter your **Coder Session Token**.
+1. **Model ID**: Select your desired Claude model.
+
+![Kilo Code Anthropic Settings](../../../images/aibridge/clients/kilo-code-anthropic.png)
+
+</div>
+
+**References:** [Kilo Code Configuration](https://kilocode.ai/docs/ai-providers/openai-compatible)
@@ -0,0 +1,44 @@
+# OpenCode
+
+OpenCode supports both OpenAI and Anthropic models and can be configured to use AI Bridge by setting custom base URLs for each provider.
+
+## Configuration
+
+You can configure OpenCode to connect to AI Bridge by setting the following configuration options in your OpenCode configuration file (e.g., `~/.config/opencode/opencode.json`):
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "provider": {
+    "anthropic": {
+      "options": {
+        "baseURL": "https://coder.example.com/api/v2/aibridge/anthropic/v1"
+      }
+    },
+    "openai": {
+      "options": {
+        "baseURL": "https://coder.example.com/api/v2/aibridge/openai/v1"
+      }
+    }
+  }
+}
+```
+
+## Authentication
+
+To authenticate with AI Bridge, get your **[Coder session token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)** and replace `<your-coder-session-token>` in `~/.local/share/opencode/auth.json`
+
+```json
+{
+  "anthropic": {
+    "type": "api",
+    "key": "<your-coder-session-token>"
+  },
+  "openai": {
+    "type": "api",
+    "key": "<your-coder-session-token>"
+  }
+}
+```
+
+**References:** [OpenCode Documentation](https://opencode.ai/docs/providers/#config)
@@ -0,0 +1,39 @@
+# Roo Code
+
+Roo Code allows you to configure providers via the UI and can be set up to use AI Bridge.
+
+## Configuration
+
+Roo Code allows you to configure providers via the UI.
+
+<div class="tabs">
+
+### OpenAI Compatible
+
+1. Open Roo Code in VS Code.
+1. Go to **Settings**.
+1. **Provider**: Select **OpenAI**.
+1. **Base URL**: Enter `https://coder.example.com/api/v2/aibridge/openai/v1`.
+1. **API Key**: Enter your **[Coder Session Token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)**.
+1. **Model ID**: Enter the model you wish to use (e.g., `gpt-5.2-codex`).
+![Roo Code OpenAI Settings](../../../images/aibridge/clients/roo-code-openai.png)
+
+### Anthropic
+
+1. Open Roo Code in VS Code.
+1. Go to **Settings**.
+1. **Provider**: Select **Anthropic**.
+1. **Base URL**: Enter `https://coder.example.com/api/v2/aibridge/anthropic`.
+1. **API Key**: Enter your **Coder Session Token**.
+1. **Model ID**: Select your desired Claude model.
+
+![Roo Code Anthropic Settings](../../../images/aibridge/clients/roo-code-anthropic.png)
+
+</div>
+
+### Notes
+
+* If you encounter issues with the **OpenAI** provider type, use **OpenAI Compatible** to ensure correct endpoint routing.
+* Ensure your Coder deployment URL is reachable from your VS Code environment.
+
+**References:** [Roo Code Configuration Profiles](https://docs.roocode.com/features/api-configuration-profiles#creating-and-managing-profiles)
@@ -0,0 +1,50 @@
+# VS Code
+
+VS Code's native chat can be configured to use AI Bridge with the GitHub Copilot Chat extension's custom language model support.
+
+## Configuration
+
+> [!IMPORTANT]
+> You need the **Pre-release** version of the [GitHub Copilot Chat extension](https://marketplace.visualstudio.com/items?itemName=GitHub.copilot-chat) and [VS Code Insiders](https://code.visualstudio.com/insiders/).
+
+1. Open command palette (`Ctrl+Shift+P` or `Cmd+Shift+P` on Mac) and search for _Chat: Open Language Models (JSON)_.
+1. Paste the following JSON configuration, replacing `<your-coder-session-token>` with your **[Coder Session Token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)**:
+
+```json
+[
+    {
+        "name": "Coder",
+        "vendor": "customoai",
+        "apiKey": "your-coder-session-token>",
+        "models": [
+            {
+                "name": "GPT 5.2",
+                "url": "https://coder.example.com/api/v2/aibridge/openai/v1/chat/completions",
+                "toolCalling": true,
+                "vision": true,
+                "thinking": true,
+                "maxInputTokens": 272000,
+                "maxOutputTokens": 128000,
+                "id": "gpt-5.2"
+            },
+            {
+                "name": "GPT 5.2 Codex",
+                "url": "https://coder.example.com/api/v2/aibridge/openai/v1/responses",
+                "toolCalling": true,
+                "vision": true,
+                "thinking": true,
+                "maxInputTokens": 272000,
+                "maxOutputTokens": 128000,
+                "id": "gpt-5.2-codex"
+            }
+        ]
+    }
+]
+```
+
+_Replace `coder.example.com` with your Coder deployment URL._
+
+> [!NOTE]
+> The setting names may change as the feature moves from pre-release to stable. Refer to the official documentation for the latest setting keys.
+
+**References:** [GitHub Copilot - Bring your own language model](https://code.visualstudio.com/docs/copilot/customization/language-models#_add-an-openaicompatible-model)
@@ -0,0 +1,63 @@
+# Zed
+
+Zed IDE supports AI Bridge via its `language_models` configuration in `settings.json`.
+
+## Configuration
+
+To configure Zed to use AI Bridge, you need to edit your `settings.json` file. You can access this by pressing `Cmd/Ctrl + ,` or opening the command palette and searching for "Open Settings".
+
+You can configure both Anthropic and OpenAI providers to point to AI Bridge.
+
+```json
+{
+  "language_models": {
+    "anthropic": {
+      "api_url": "https://coder.example.com/api/v2/aibridge/anthropic",
+    },
+    "openai": {
+      "api_url": "https://coder.example.com/api/v2/aibridge/openai/v1",
+    },
+  },
+  // optional settings to set favorite models for the AI
+  "agent": {
+    "favorite_models": [
+      {
+        "provider": "anthropic",
+        "model": "claude-sonnet-4-5-thinking-latest"
+      },
+      {
+        "provider": "openai",
+        "model": "gpt-5.2-codex"
+      }
+    ],
+  },
+}
+```
+
+*Replace `coder.example.com` with your Coder deployment URL.*
+
+> [!NOTE]
+> These settings and environment variables need to be configured from client side. Zed currently does not support reading these settings from remote configuration. See this [feature request](https://github.com/zed-industries/zed/discussions/47058) for more details.
+
+## Authentication
+
+Zed requires an API key for these providers. For AI Bridge, this key is your **[Coder Session Token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)**.
+
+You can set this in two ways:
+
+<div class="tabs">
+
+### Zed UI
+
+1. Open the **Assistant Panel** (right sidebar).
+1. Click **Configuration** or the settings icon.
+1. Select your provider ("Anthropic" or "OpenAI").
+1. Paste your **[Coder Session Token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)** for the API Key.
+
+### Environment Variables
+
+1. Set `ANTHROPIC_API_KEY` and `OPENAI_API_KEY` to your **[Coder Session Token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)** in the environment where you launch Zed.
+
+</div>
+
+**References:** [Configuring Zed - Language Models](https://zed.dev/docs/reference/all-settings#language-models)
@@ -33,7 +33,9 @@ AI Bridge is best suited for organizations facing these centralized management a
 ## Next steps

 - [Set up AI Bridge](./setup.md) on your Coder deployment
- [Configure AI clients](./client-config.md) to use AI Bridge
+- [Configure AI clients](./clients/index.md) to use AI Bridge
 - [Configure MCP servers](./mcp.md) for tool access
 - [Monitor usage and metrics](./monitoring.md) and [configure data retention](./setup.md#data-retention)
 - [Reference documentation](./reference.md)
+
+<children></children>
@@ -20,11 +20,11 @@ Where relevant, both streaming and non-streaming requests are supported.
 #### Intercepted

 - [`/v1/chat/completions`](https://platform.openai.com/docs/api-reference/chat/create)
+- [`/v1/responses`](https://platform.openai.com/docs/api-reference/responses/create)

 #### Passthrough

 - [`/v1/models(/*)`](https://platform.openai.com/docs/api-reference/models/list)
- [`/v1/responses`](https://platform.openai.com/docs/api-reference/responses/create) _(Interception support coming in **Beta**)_

 ### Anthropic

@@ -258,15 +258,6 @@ reference, and not all security requirements may apply to your business.
   - Both the control plane and workspaces set resource request/limits by
     default.

-7. **All Kubernetes objects must define liveness and readiness probes**
-
-   - Control plane - The control plane Deployment has liveness and readiness
-     probes
-     [configured by default here](https://github.com/coder/coder/blob/f57ce97b5aadd825ddb9a9a129bb823a3725252b/helm/coder/templates/_coder.tpl#L98-L107).
-   - Workspaces - the Kubernetes Deployment template does not configure
-     liveness/readiness probes for the workspace, but this can be added to the
-     Terraform template, and is supported.
-
 ## Load balancing considerations

 ### AWS
@@ -1025,7 +1025,7 @@
 							"description": "AI Gateway for Enterprise Governance \u0026 Observability",
 							"path": "./ai-coder/ai-bridge/index.md",
 							"icon_path": "./images/icons/api.svg",
-							"state": ["premium", "beta"],
+							"state": ["premium"],
 							"children": [
 								{
 									"title": "Setup",
@@ -1035,7 +1035,59 @@
 								{
 									"title": "Client Configuration",
 									"description": "How to configure your AI coding tools to use AI Bridge",
-									"path": "./ai-coder/ai-bridge/client-config.md"
+									"path": "./ai-coder/ai-bridge/clients/index.md",
+									"children": [
+										{
+											"title": "Claude Code",
+											"description": "Configure Claude Code to use AI Bridge",
+											"path": "./ai-coder/ai-bridge/clients/claude-code.md"
+										},
+										{
+											"title": "Codex",
+											"description": "Configure Codex to use AI Bridge",
+											"path": "./ai-coder/ai-bridge/clients/codex.md"
+										},
+										{
+											"title": "OpenCode",
+											"description": "Configure OpenCode to use AI Bridge",
+											"path": "./ai-coder/ai-bridge/clients/opencode.md"
+										},
+										{
+											"title": "Factory",
+											"description": "Configure Factory to use AI Bridge",
+											"path": "./ai-coder/ai-bridge/clients/factory.md"
+										},
+										{
+											"title": "Cline",
+											"description": "Configure Cline to use AI Bridge",
+											"path": "./ai-coder/ai-bridge/clients/cline.md"
+										},
+										{
+											"title": "Kilo Code",
+											"description": "Configure Kilo Code to use AI Bridge",
+											"path": "./ai-coder/ai-bridge/clients/kilo-code.md"
+										},
+										{
+											"title": "Roo Code",
+											"description": "Configure Roo Code to use AI Bridge",
+											"path": "./ai-coder/ai-bridge/clients/roo-code.md"
+										},
+										{
+											"title": "VS Code",
+											"description": "Configure VS Code to use AI Bridge",
+											"path": "./ai-coder/ai-bridge/clients/vscode.md"
+										},
+										{
+											"title": "JetBrains",
+											"description": "Configure JetBrains IDEs to use AI Bridge",
+											"path": "./ai-coder/ai-bridge/clients/jetbrains.md"
+										},
+										{
+											"title": "Zed",
+											"description": "Configure Zed to use AI Bridge",
+											"path": "./ai-coder/ai-bridge/clients/zed.md"
+										}
+									]
 								},
 								{
 									"title": "MCP Tools Injection",
@@ -88,7 +88,8 @@ curl -X GET http://coder-server:8080/api/v2/audit?limit=0 \
      "user_agent": "string"
    }
  ],
-  "count": 0
+  "count": 0,
+  "count_cap": 0
 }
 ```

@@ -289,7 +289,8 @@ curl -X GET http://coder-server:8080/api/v2/connectionlog?limit=0 \
      "workspace_owner_username": "string"
    }
  ],
-  "count": 0
+  "count": 0,
+  "count_cap": 0
 }
 ```

@@ -329,7 +330,6 @@ curl -X GET http://coder-server:8080/api/v2/entitlements \
      "enabled": true,
      "entitlement": "entitled",
      "limit": 0,
-      "soft_limit": 0,
      "usage_period": {
        "end": "2019-08-24T14:15:22Z",
        "issued_at": "2019-08-24T14:15:22Z",
@@ -341,7 +341,6 @@ curl -X GET http://coder-server:8080/api/v2/entitlements \
      "enabled": true,
      "entitlement": "entitled",
      "limit": 0,
-      "soft_limit": 0,
      "usage_period": {
        "end": "2019-08-24T14:15:22Z",
        "issued_at": "2019-08-24T14:15:22Z",
@@ -1275,7 +1275,8 @@
      "user_agent": "string"
    }
  ],
-  "count": 0
+  "count": 0,
+  "count_cap": 0
 }
 ```

@@ -1285,6 +1286,7 @@
 |--------------|-------------------------------------------------|----------|--------------|-------------|
 | `audit_logs` | array of [codersdk.AuditLog](#codersdkauditlog) | false    |              |             |
 | `count`      | integer                                         | false    |              |             |
+| `count_cap`  | integer                                         | false    |              |             |

 ## codersdk.AuthMethod

@@ -1690,7 +1692,8 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
      "workspace_owner_username": "string"
    }
  ],
-  "count": 0
+  "count": 0,
+  "count_cap": 0
 }
 ```

@@ -1700,6 +1703,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
 |-------------------|-----------------------------------------------------------|----------|--------------|-------------|
 | `connection_logs` | array of [codersdk.ConnectionLog](#codersdkconnectionlog) | false    |              |             |
 | `count`           | integer                                                   | false    |              |             |
+| `count_cap`       | integer                                                   | false    |              |             |

 ## codersdk.ConnectionLogSSHInfo

@@ -3899,7 +3903,6 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
      "enabled": true,
      "entitlement": "entitled",
      "limit": 0,
-      "soft_limit": 0,
      "usage_period": {
        "end": "2019-08-24T14:15:22Z",
        "issued_at": "2019-08-24T14:15:22Z",
@@ -3911,7 +3914,6 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
      "enabled": true,
      "entitlement": "entitled",
      "limit": 0,
-      "soft_limit": 0,
      "usage_period": {
        "end": "2019-08-24T14:15:22Z",
        "issued_at": "2019-08-24T14:15:22Z",
@@ -4193,7 +4195,6 @@ Git clone makes use of this by parsing the URL from: 'Username for "https://gith
  "enabled": true,
  "entitlement": "entitled",
  "limit": 0,
-  "soft_limit": 0,
  "usage_period": {
    "end": "2019-08-24T14:15:22Z",
    "issued_at": "2019-08-24T14:15:22Z",
@@ -4204,13 +4205,12 @@ Git clone makes use of this by parsing the URL from: 'Username for "https://gith

 ### Properties

-| Name          | Type                                         | Required | Restrictions | Description                                                                                                                                                                  |
-|---------------|----------------------------------------------|----------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `actual`      | integer                                      | false    |              |                                                                                                                                                                              |
-| `enabled`     | boolean                                      | false    |              |                                                                                                                                                                              |
-| `entitlement` | [codersdk.Entitlement](#codersdkentitlement) | false    |              |                                                                                                                                                                              |
-| `limit`       | integer                                      | false    |              |                                                                                                                                                                              |
-| `soft_limit`  | integer                                      | false    |              | Soft limit is the soft limit of the feature, and is only used for showing included limits in the dashboard. No license validation or warnings are generated from this value. |
+| Name          | Type                                         | Required | Restrictions | Description |
+|---------------|----------------------------------------------|----------|--------------|-------------|
+| `actual`      | integer                                      | false    |              |             |
+| `enabled`     | boolean                                      | false    |              |             |
+| `entitlement` | [codersdk.Entitlement](#codersdkentitlement) | false    |              |             |
+| `limit`       | integer                                      | false    |              |             |
 |`usage_period`|[codersdk.UsagePeriod](#codersdkusageperiod)|false||Usage period denotes that the usage is a counter that accumulates over this period (and most likely resets with the issuance of the next license).
 These dates are determined from the license that this entitlement comes from, see enterprise/coderd/license/license.go.
 Only certain features set these fields: - FeatureManagedAgentLimit|
@@ -1830,7 +1830,7 @@ Length of time to retain data such as interceptions and all related records (tok
 |-------------|----------------------------------------------|
 | Type        | <code>int</code>                             |
 | Environment | <code>$CODER_AIBRIDGE_MAX_CONCURRENCY</code> |
-| YAML        | <code>aibridge.maxConcurrency</code>         |
+| YAML        | <code>aibridge.max_concurrency</code>        |
 | Default     | <code>0</code>                               |

 Maximum number of concurrent AI Bridge requests per replica. Set to 0 to disable (unlimited).
@@ -1841,7 +1841,7 @@ Maximum number of concurrent AI Bridge requests per replica. Set to 0 to disable
 |-------------|-----------------------------------------|
 | Type        | <code>int</code>                        |
 | Environment | <code>$CODER_AIBRIDGE_RATE_LIMIT</code> |
-| YAML        | <code>aibridge.rateLimit</code>         |
+| YAML        | <code>aibridge.rate_limit</code>        |
 | Default     | <code>0</code>                          |

 Maximum number of AI Bridge requests per second per replica. Set to 0 to disable (unlimited).
@@ -1852,7 +1852,7 @@ Maximum number of AI Bridge requests per second per replica. Set to 0 to disable
 |-------------|-------------------------------------------------|
 | Type        | <code>bool</code>                               |
 | Environment | <code>$CODER_AIBRIDGE_STRUCTURED_LOGGING</code> |
-| YAML        | <code>aibridge.structuredLogging</code>         |
+| YAML        | <code>aibridge.structured_logging</code>        |
 | Default     | <code>false</code>                              |

 Emit structured logs for AI Bridge interception records. Use this for exporting these records to external SIEM or observability systems.
@@ -1874,7 +1874,7 @@ Once enabled, extra headers will be added to upstream requests to identify the u
 |-------------|------------------------------------------------------|
 | Type        | <code>bool</code>                                    |
 | Environment | <code>$CODER_AIBRIDGE_CIRCUIT_BREAKER_ENABLED</code> |
-| YAML        | <code>aibridge.circuitBreakerEnabled</code>          |
+| YAML        | <code>aibridge.circuit_breaker_enabled</code>        |
 | Default     | <code>false</code>                                   |

 Enable the circuit breaker to protect against cascading failures from upstream AI provider rate limits (429, 503, 529 overloaded).
@@ -11,8 +11,8 @@ RUN cargo install jj-cli typos-cli watchexec-cli
 FROM ubuntu:jammy@sha256:c7eb020043d8fc2ae0793fb35a37bff1cf33f156d4d4b12ccc7f3ef8706c38b1 AS go

 # Install Go manually, so that we can control the version
-ARG GO_VERSION=1.25.6
-ARG GO_CHECKSUM="f022b6aad78e362bcba9b0b94d09ad58c5a70c6ba3b7582905fababf5fe0181a"
+ARG GO_VERSION=1.25.8
+ARG GO_CHECKSUM="ceb5e041bbc3893846bd1614d76cb4681c91dadee579426cf21a63f2d7e03be6"

 # Boring Go is needed to build FIPS-compliant binaries.
 RUN apt-get update && \
@@ -212,9 +212,9 @@ RUN sed -i 's|http://archive.ubuntu.com/ubuntu/|http://mirrors.edge.kernel.org/u
 	# Configure FIPS-compliant policies
 	update-crypto-policies --set FIPS

-# NOTE: In scripts/Dockerfile.base we specifically install Terraform version 1.12.2.
+# NOTE: In scripts/Dockerfile.base we specifically install Terraform version 1.14.5.
 # Installing the same version here to match.
-RUN wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.14.1/terraform_1.14.1_linux_amd64.zip" && \
+RUN wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.14.5/terraform_1.14.5_linux_amd64.zip" && \
 	unzip /tmp/terraform.zip -d /usr/local/bin && \
 	rm -f /tmp/terraform.zip && \
 	chmod +x /usr/local/bin/terraform && \
@@ -298,7 +298,6 @@ ARG CLOUD_SQL_PROXY_VERSION=2.2.0 \
 	KUBECTX_VERSION=0.9.4 \
 	STRIPE_VERSION=1.14.5 \
 	TERRAGRUNT_VERSION=0.45.11 \
-	TRIVY_VERSION=0.41.0 \
 	SYFT_VERSION=1.20.0 \
 	COSIGN_VERSION=2.4.3 \
 	BUN_VERSION=1.2.15
@@ -337,9 +336,6 @@ RUN curl --silent --show-error --location --output /usr/local/bin/cloud_sql_prox
 	# terragrunt for running Terraform and Terragrunt files
 	curl --silent --show-error --location --output /usr/local/bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64" && \
 	chmod a=rx /usr/local/bin/terragrunt && \
-	# AquaSec Trivy for scanning container images for security issues
-	curl --silent --show-error --location "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/bin --file=- trivy && \
 	# Anchore Syft for SBOM generation
 	curl --silent --show-error --location "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz" | \
 	tar --extract --gzip --directory=/usr/local/bin --file=- syft && \
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
George K	77e8bc490b	perf: cap count queries, use native UUID ops for audit/conn logs (backport #23835 ) (#24133 ) Backport of #23835. Audit and connection log pages were timing out due to expensive COUNT(*) queries over large tables. This commit adds opt-in count capping: requests can return a `count_cap` field signaling that the count was truncated at a threshold, avoiding full table scans that caused page timeouts. Text-cast UUID comparisons in regosql-generated authorization queries also contributed to the slowdown by preventing index usage for connection and audit log queries. These now emit native UUID operators. Frontend changes handle the capped state in usePaginatedQuery and PaginationWidget, optionally displaying a capped count in the pagination UI (e.g. "Showing 2,076 to 2,100 of 2,000+ logs") --- Cherry picked from `86ca61d6ca`	2026-04-09 12:47:44 -04:00
Lukasz	756cc3a60e	chore: backport high and critical Iron Bank dependency fixes (#24109 ) ## Summary - backport the high/critical Iron Bank dependency fixes needed on release/2.30 - bump github.com/go-jose/go-jose/v4 to v4.1.4 - bump google.golang.org/grpc to v1.79.3 and github.com/buger/jsonparser to v1.1.2 ## Context - main already contains the required fixes, so no main patch PR was needed - I checked whether the existing main patches could be cherry-picked directly - grpc and jsonparser have matching commits on main, but the backport branches have drift in the same dependency blocks, so the release-branch patch was applied as the minimal equivalent dependency bump instead of a clean cherry-pick ## Validation - make lint is blocked locally because the installed golangci-lint binary was built with Go 1.24 while this branch targets Go 1.25.8 - go test ./... progresses and then fails in Docker-backed tests because /var/run/docker.sock is unavailable in this environment	2026-04-09 18:04:07 +02:00
Lukasz	3470ce826d	chore: backport Go 1.25.8 bump to release/2.30 (#23908 ) Backports #23772 to release/2.30. Changes from https://github.com/coder/coder/pull/23772/	2026-04-01 18:53:56 +02:00
Jakub Domeracki	c10d2e9ad4	chore: remove trivy GHA job (backport v2.30) (#23859 ) Co-authored-by: Cian Johnston <cian@coder.com> Co-authored-by: Ethan <39577870+ethanndickson@users.noreply.github.com>	2026-04-01 12:32:00 +05:00
Paweł Banaszewski	eba077312e	fix: update aibridge library to include AWS Bedrock fixes (#23800 ) Updates aibridge library to include Bedrock fixes. Contains fixes to https://github.com/coder/aibridge/issues/219 and https://github.com/coder/aibridge/issues/221	2026-03-31 15:53:56 +02:00
Rowan Smith	3b2ded6985	chore: switch agent gone response from 502 to 404 (backport #23090 ) (#23636 ) Backport of #23090 to `release/2.30`. When a user creates a workspace, opens the web terminal, then the workspace stops but the web terminal remains open, the web terminal will retry the connection. Coder would issue a HTTP 502 Bad Gateway response when this occurred because coderd could not connect to the workspace agent, however this is problematic as any load balancer sitting in front of Coder sees a 502 and thinks Coder is unhealthy. This PR changes the response to a HTTP 404 after internal discussion. Cherry-picked from merge commit `c33812a430`.	2026-03-25 16:49:44 -04:00
blinkagent[bot]	de64b63977	fix(coderd): add organization_name label to insights Prometheus metrics (cherry-pick #22296 ) (#23447 ) Backport of #22296 to release/2.30. When multiple organizations have templates with the same name, the Prometheus `/metrics` endpoint returns HTTP 500 because Prometheus rejects duplicate label combinations. The three `coderd_insights_*` metrics (`coderd_insights_templates_active_users`, `coderd_insights_applications_usage_seconds`, `coderd_insights_parameters`) used only `template_name` as a distinguishing label, so two templates named e.g. `"openstack-v1"` in different orgs would produce duplicate metric series. This adds `organization_name` as a label to all three insight metric descriptors to disambiguate templates across organizations. (cherry picked from commit `4057363f78`) Fixes #21748 Co-authored-by: Garrett Delfosse <garrett@coder.com>	2026-03-25 15:43:12 -04:00
Charlie Voiselle	149e9f1dc0	fix: open coder_app links in new tab when open_in is tab (cherry-pick #23000 ) (#23621 ) Cherry-pick of #23000 onto release/2.30. Co-authored-by: Kayla はな <kayla@tree.camp>	2026-03-25 15:31:43 -04:00
Susana Ferreira	2970c54140	fix: bump aibridge to v1.0.9 to forward Anthropic-Beta header (#22936 ) Bumps aibridge to v1.0.9, which forwards the `Anthropic-Beta` header from client requests to the upstream Anthropic API: https://github.com/coder/aibridge/pull/205 This fixes the `context_management: Extra inputs are not permitted` error when using Claude Code with AI Bridge. Note: v1.0.8 was retracted due to a conflict marker cached by the Go module proxy https://github.com/coder/aibridge/pull/208. v1.0.9 contains the same fix. Related to internal Slack thread: https://codercom.slack.com/archives/C096PFVBZKN/p1773192289945009?thread_ts=1772811897.981709&cid=C096PFVBZKN	2026-03-16 13:20:40 -04:00
Ethan	26e3da1f17	fix(tailnet): retry after transport dial timeouts (#22977 ) (cherry-pick/v2.30) (#22993 ) Backport of #22977 to 2.30	2026-03-16 13:20:19 -04:00
Rowan Smith	b49c4b3257	fix: prevent ui error when last org member is removed (#23018 ) Backport of #22975 to release/2.30.	2026-03-13 14:22:31 -04:00
Rowan Smith	55da992aeb	fix: avoid derp-related panic during wsproxy registration (backport release/2.30) (#22343 ) Backport of #22322. - Cherry-picked `7f03bd7`. Co-authored-by: Dean Sheather <dean@deansheather.com>	2026-03-03 13:39:15 -05:00
Lukasz	613029cb21	chore: update Go from 1.25.6 to 1.25.7 (#22465 ) chore: update Go from 1.25.6 to 1.25.7 Co-authored-by: Jon Ayers <jon@coder.com>	2026-03-03 13:38:06 -05:00
Cian Johnston	7e0cf53dd1	fix(stringutil): operate on runes instead of bytes in Truncate (#22388 ) (#22467 ) Fixes https://github.com/coder/coder/issues/22375 Updates `stringutil.Truncate` to properly handle multi-byte UTF-8 characters. Adds tests for multi-byte truncation with word boundary. Created by Mux using Opus 4.6 (cherry picked from commit `0cfa03718e`)	2026-03-02 11:19:49 +00:00
Danny Kopping	fa050ee0ab	chore: backport aibridge fixes (#22266 ) Backports https://github.com/coder/coder/pull/22264 Includes fixes https://github.com/coder/aibridge/pull/189 and https://github.com/coder/aibridge/pull/185 Signed-off-by: Danny Kopping <danny@coder.com>	2026-02-23 17:18:32 -05:00
Jake Howell	bfb6583ecc	feat: convert `soft_limit` to `limit` (cherry-pick/v2.30) (#22209 ) Related [`internal#1281`](https://github.com/coder/internal/issues/1281) Cherry picks two pull-requests in `release/2.30`. * https://github.com/coder/coder/pull/22048 * https://github.com/coder/coder/pull/21998 * https://github.com/coder/coder/pull/22210	2026-02-23 17:18:14 -05:00
Jakub Domeracki	40b3970388	feat(site)!: add consent prompt for auto-creation with prefilled parameters (#22255 ) Cherry-pick of `60e3ab7632` from main. Workspace created via mode=auto links now require explicit user confirmation before provisioning. A warning dialog shows all prefilled param.* values from the URL and blocks creation until the user clicks `Confirm and Create`. Clicking `Cancel` falls back to the standard form view. ### Breaking behavior change Links using `mode=auto` (e.g., "Open in Coder" buttons) will no longer silently create workspaces. Users will now see a consent dialog and must explicitly confirm before the workspace is provisioned. Original PR: #22011 Co-authored-by: Kacper Sawicki <kacper@coder.com> Co-authored-by: Jake Howell <jacob@coder.com>	2026-02-23 17:17:40 -05:00
Danielle Maywood	fa284dc149	fix: avoid re-using `AuthInstanceID` for sub agents (#22196 ) (#22211 ) Parent agents were re-using AuthInstanceID when spawning child agents. This caused GetWorkspaceAgentByInstanceID to return the most recently created sub agent instead of the parent when the parent tried to refetch its own manifest. Fix by not reusing AuthInstanceID for sub agents, and updating GetWorkspaceAgentByInstanceID to filter them out entirely. --- Cherry picked from `911d734df9`	2026-02-23 17:17:16 -05:00
Lukasz	b89dc439b7	chore: bump bundled terraform to 1.14.5 for 2.30 (#22192 ) Description: This PR updates the bundled Terraform binary and related version pins from 1.14.1 to 1.14.5 (base image, installer fallback, and CI/test fixtures). Terraform is statically built with an embedded Go runtime. Moving to 1.14.5 updates the embedded toolchain and is intended to address Go stdlib CVEs reported by security scanning. Notes: - Change is version-only; no functional Coder logic changes. - Backport-friendly: intended to be cherry-picked to release branches after merge.	2026-02-20 13:19:18 +01:00
Lukasz	d4ce9620d6	chore: bump versions of gh actions 2.30 (#22217 ) Update gh actions: - aquasecurity/trivy-action v0.34.0 - harden-runner v2.14.2	2026-02-20 12:49:48 +01:00
Cian Johnston	16408b157b	fix(cli): revert #21583 (#22000 ) (#22002 )	2026-02-10 11:11:03 -06:00
Sas Swart	ef29702014	fix: update AI Bridge to preserve stream property in 'chat/completions' calls (#21953 )	2026-02-10 11:10:44 -06:00
Sas Swart	43e67d12e2	perf: update AIBridge for improved memory use at scale (#21896 )	2026-02-03 10:58:25 -06:00
ケイラ	94cf95a3e8	fix: disable task sharing (#21901 )	2026-02-03 10:49:17 -06:00
Susana Ferreira	5e2f845272	fix: support authentication for upstream proxy (#21841 ) (#21849 ) Related to PR: https://github.com/coder/coder/pull/21841 (cherry picked from commit `09453aa5a5`)	2026-02-03 10:05:59 +00:00
blinkagent[bot]	3d5dc93060	docs: reorganize AI Bridge client documentation (#21873 ) Co-authored-by: Danny Kopping <danny@coder.com> Co-authored-by: Atif Ali <atif@coder.com>	2026-02-03 13:22:43 +05:00
Rowan Smith	6e1fe14d6c	fix(helm): allow overriding CODER_PPROF_ADDRESS and CODER_PROMETHEUS_ADDRESS (#21871 ) backport of #21714 cc @uzair-coder07	2026-02-02 23:09:23 -06:00
Jon Ayers	c0b939f7e4	fix: use existing transaction to claim prebuild (#21862 ) (#21868 ) - Claiming a prebuild was happening outside a transaction	2026-02-02 22:11:03 -06:00
Jon Ayers	1fd77bc459	chore: cherry-pick fixes (#21864 )	2026-02-02 15:57:20 -06:00
Zach	37c3476ca7	fix: handle boundary usage across snapshots and prevent race (cherry-pick) (#21853 )	2026-02-02 14:06:04 -06:00
Danny Kopping	26a3f82a39	chore(helm): disable liveness probes by default, allow all probe settings (#21847 )	2026-02-02 14:05:18 -06:00
Zach	ea6b11472c	feat: add time window fields to telemetry boundary usage (cherry-pick) (#21775 )	2026-02-02 14:04:58 -06:00
Danny Kopping	a92dc3d5b3	chore: ensure consistent YAML names for aibridge flags (#21751 ) (#21756 )	2026-02-02 14:03:09 -06:00
Jake Howell	a69aea2c83	feat: implement ai governance consumption frontend (cherry-pick) (#21742 )	2026-02-02 14:02:53 -06:00
Jake Howell	c2db391019	chore: update paywall message to reference AI governance-add on (cherry-pick) (#21741 )	2026-02-02 14:02:35 -06:00
Susana Ferreira	895cc07395	feat: add metrics to aibridgeproxy (#21709 ) (#21767 ) Related to PR: https://github.com/coder/coder/pull/21709 (cherry picked from commit `9f6ce7542a`)	2026-02-02 17:48:12 +00:00
Susana Ferreira	0377c985e4	feat: add provider to aibridgeproxy requestContext (#21710 ) (#21766 ) Related to PR: https://github.com/coder/coder/pull/21710 (cherry picked from commit `327c885292`)	2026-02-02 17:42:47 +00:00