fix: use separate http.Transports for wsproxy tests

feat(wsproxy): add /debug/expvar endpoint for DERP server stats
feat(monitoring): add wsproxy DERP section to Grafana dashboard
2026-02-24 23:02:37 +00:00 · 2026-02-21 00:19:41 +00:00 · 2026-02-20 23:44:24 +00:00 · 2026-02-20 23:44:21 +00:00 · 2026-02-20 23:40:03 +00:00 · 2026-02-20 16:32:49 -05:00
433 changed files with 16777 additions and 8438 deletions
@@ -0,0 +1,4 @@
+# All artifacts of the build processed are dumped here.
+# Ignore it for docker context, as all Dockerfiles should build their own
+# binaries.
+build
@@ -4,7 +4,7 @@ description: |
 inputs:
  version:
    description: "The Go version to use."
-    default: "1.25.6"
+    default: "1.25.7"
  use-preinstalled-go:
    description: "Whether to use preinstalled Go."
    default: "false"
@@ -7,5 +7,5 @@ runs:
    - name: Install Terraform
      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
      with:
-        terraform_version: 1.14.1
+        terraform_version: 1.14.5
        terraform_wrapper: false
@@ -35,7 +35,7 @@ jobs:
      tailnet-integration: ${{ steps.filter.outputs.tailnet-integration }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -157,7 +157,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -181,7 +181,7 @@ jobs:
          echo "LINT_CACHE_DIR=$dir" >> "$GITHUB_ENV"

      - name: golangci-lint cache
-        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: |
            ${{ env.LINT_CACHE_DIR }}
@@ -247,7 +247,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -272,7 +272,7 @@ jobs:
    if: ${{ !cancelled() }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -329,7 +329,7 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -381,7 +381,7 @@ jobs:
          - windows-2022
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -489,6 +489,14 @@ jobs:
          # macOS will output "The default interactive shell is now zsh" intermittently in CI.
          touch ~/.bash_profile && echo "export BASH_SILENCE_DEPRECATION_WARNING=1" >> ~/.bash_profile

+      - name: Increase PTY limit (macOS)
+        if: runner.os == 'macOS'
+        shell: bash
+        run: |
+          # Increase PTY limit to avoid exhaustion during tests.
+          # Default is 511; 999 is the maximum value on CI runner.
+          sudo sysctl -w kern.tty.ptmx_max=999
+
      - name: Test with PostgreSQL Database (Linux)
        if: runner.os == 'Linux'
        uses: ./.github/actions/test-go-pg
@@ -578,7 +586,7 @@ jobs:
    timeout-minutes: 25
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -640,7 +648,7 @@ jobs:
    timeout-minutes: 25
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -712,7 +720,7 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -739,7 +747,7 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -772,7 +780,7 @@ jobs:
    name: ${{ matrix.variant.name }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -852,7 +860,7 @@ jobs:
    if: needs.changes.outputs.site == 'true' || needs.changes.outputs.ci == 'true'
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -933,7 +941,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -1005,7 +1013,7 @@ jobs:
    if: always()
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -1120,7 +1128,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -1175,7 +1183,7 @@ jobs:
      IMAGE: ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -1186,7 +1194,7 @@ jobs:
          persist-credentials: false

      - name: GHCR Login
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -1393,7 +1401,7 @@ jobs:
        id: attest_main
        if: github.ref == 'refs/heads/main'
        continue-on-error: true
-        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
+        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
        with:
          subject-name: "ghcr.io/coder/coder-preview:main"
          predicate-type: "https://slsa.dev/provenance/v1"
@@ -1430,7 +1438,7 @@ jobs:
        id: attest_latest
        if: github.ref == 'refs/heads/main'
        continue-on-error: true
-        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
+        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
        with:
          subject-name: "ghcr.io/coder/coder-preview:latest"
          predicate-type: "https://slsa.dev/provenance/v1"
@@ -1467,7 +1475,7 @@ jobs:
        id: attest_version
        if: github.ref == 'refs/heads/main'
        continue-on-error: true
-        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
+        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
        with:
          subject-name: "ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}"
          predicate-type: "https://slsa.dev/provenance/v1"
@@ -1572,7 +1580,7 @@ jobs:
    if: needs.changes.outputs.db == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -36,7 +36,7 @@ jobs:
      verdict: ${{ steps.check.outputs.verdict }} # DEPLOY or NOOP
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -65,7 +65,7 @@ jobs:
      packages: write # to retag image as dogfood
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -76,7 +76,7 @@ jobs:
          persist-credentials: false

      - name: GHCR Login
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -146,7 +146,7 @@ jobs:
    needs: deploy
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -38,7 +38,7 @@ jobs:
    if: github.repository_owner == 'coder'
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -48,7 +48,7 @@ jobs:
          persist-credentials: false

      - name: Docker login
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -58,11 +58,11 @@ jobs:
        run: mkdir base-build-context

      - name: Install depot.dev CLI
-        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
+        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1

      # This uses OIDC authentication, so no auth variables are required.
      - name: Build base Docker image via depot.dev
-        uses: depot/build-push-action@9785b135c3c76c33db102e45be96a25ab55cd507 # v1.16.2
+        uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
        with:
          project: wl5hnrrkns
          context: base-build-context
@@ -26,7 +26,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -42,7 +42,7 @@ jobs:
          # on version 2.29 and above.
          nix_version: "2.28.5"

-      - uses: nix-community/cache-nix-action@106bba72ed8e29c8357661199511ef07790175e9 # v7.0.1
+      - uses: nix-community/cache-nix-action@7df957e333c1e5da7721f60227dbba6d06080569 # v7.0.2
        with:
          # restore and save a cache using this key
          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
@@ -75,20 +75,20 @@ jobs:
          BRANCH_NAME: ${{ steps.branch-name.outputs.current_branch }}

      - name: Set up Depot CLI
-        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
+        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      - name: Login to DockerHub
        if: github.ref == 'refs/heads/main'
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Build and push Non-Nix image
-        uses: depot/build-push-action@9785b135c3c76c33db102e45be96a25ab55cd507 # v1.16.2
+        uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
        with:
          project: b4q6ltmpzh
          token: ${{ secrets.DEPOT_TOKEN }}
@@ -125,7 +125,7 @@ jobs:
      id-token: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -28,7 +28,7 @@ jobs:
          - windows-2022
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -19,7 +19,7 @@ jobs:
      packages: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -39,7 +39,7 @@ jobs:
      PR_OPEN: ${{ steps.check_pr.outputs.pr_open }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -76,7 +76,7 @@ jobs:
    runs-on: "ubuntu-latest"
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -184,7 +184,7 @@ jobs:
      pull-requests: write # needed for commenting on PRs
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -228,7 +228,7 @@ jobs:
      CODER_IMAGE_TAG: ${{ needs.get_info.outputs.CODER_IMAGE_TAG }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -248,7 +248,7 @@ jobs:
        uses: ./.github/actions/setup-sqlc

      - name: GHCR Login
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -288,7 +288,7 @@ jobs:
      PR_HOSTNAME: "pr${{ needs.get_info.outputs.PR_NUMBER }}.${{ secrets.PR_DEPLOYMENTS_DOMAIN }}"
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -14,7 +14,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -158,7 +158,7 @@ jobs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -233,7 +233,7 @@ jobs:
          cat "$CODER_RELEASE_NOTES_FILE"

      - name: Docker Login
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -386,12 +386,12 @@ jobs:

      - name: Install depot.dev CLI
        if: steps.image-base-tag.outputs.tag != ''
-        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
+        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1

      # This uses OIDC authentication, so no auth variables are required.
      - name: Build base Docker image via depot.dev
        if: steps.image-base-tag.outputs.tag != ''
-        uses: depot/build-push-action@9785b135c3c76c33db102e45be96a25ab55cd507 # v1.16.2
+        uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
        with:
          project: wl5hnrrkns
          context: base-build-context
@@ -448,7 +448,7 @@ jobs:
        id: attest_base
        if: ${{ !inputs.dry_run && steps.image-base-tag.outputs.tag != '' }}
        continue-on-error: true
-        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
+        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
        with:
          subject-name: ${{ steps.image-base-tag.outputs.tag }}
          predicate-type: "https://slsa.dev/provenance/v1"
@@ -564,7 +564,7 @@ jobs:
        id: attest_main
        if: ${{ !inputs.dry_run }}
        continue-on-error: true
-        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
+        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
        with:
          subject-name: ${{ steps.build_docker.outputs.multiarch_image }}
          predicate-type: "https://slsa.dev/provenance/v1"
@@ -608,7 +608,7 @@ jobs:
        id: attest_latest
        if: ${{ !inputs.dry_run && steps.build_docker.outputs.created_latest_tag == 'true' }}
        continue-on-error: true
-        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
+        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
        with:
          subject-name: ${{ steps.latest_tag.outputs.tag }}
          predicate-type: "https://slsa.dev/provenance/v1"
@@ -796,7 +796,7 @@ jobs:
      # TODO: skip this if it's not a new release (i.e. a backport). This is
      #       fine right now because it just makes a PR that we can close.
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -872,7 +872,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -965,7 +965,7 @@ jobs:
    if: ${{ !inputs.dry_run }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -20,7 +20,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -27,7 +27,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -69,7 +69,7 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -146,7 +146,7 @@ jobs:
          echo "image=$(cat "$image_job")" >> "$GITHUB_OUTPUT"

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
+        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
        with:
          image-ref: ${{ steps.build.outputs.image }}
          format: sarif
@@ -18,7 +18,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -96,7 +96,7 @@ jobs:
      contents: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -120,7 +120,7 @@ jobs:
      actions: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -21,7 +21,7 @@ jobs:
      pull-requests: write # required to post PR review comments by the action
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

@@ -98,3 +98,6 @@ AGENTS.local.md

 # Ignore plans written by AI agents.
 PLAN.md
+
+# Ignore any dev licenses
+license.txt
@@ -909,7 +909,10 @@ site/src/api/countriesGenerated.ts: site/node_modules/.installed scripts/typegen
 	(cd site/ && pnpm exec biome format --write src/api/countriesGenerated.ts)
 	touch "$@"

-docs/admin/integrations/prometheus.md: node_modules/.installed scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
+scripts/metricsdocgen/generated_metrics: $(GO_SRC_FILES)
+	go run ./scripts/metricsdocgen/scanner > $@
+
+docs/admin/integrations/prometheus.md: node_modules/.installed scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics scripts/metricsdocgen/generated_metrics
 	go run scripts/metricsdocgen/main.go
 	pnpm exec markdownlint-cli2 --fix ./docs/admin/integrations/prometheus.md
 	pnpm exec markdown-table-formatter ./docs/admin/integrations/prometheus.md
@@ -111,6 +111,12 @@ type Client interface {
 	ConnectRPC28(ctx context.Context) (
 		proto.DRPCAgentClient28, tailnetproto.DRPCTailnetClient28, error,
 	)
+	// ConnectRPC28WithRole is like ConnectRPC28 but sends an explicit
+	// role query parameter to the server. The workspace agent should
+	// use role "agent" to enable connection monitoring.
+	ConnectRPC28WithRole(ctx context.Context, role string) (
+		proto.DRPCAgentClient28, tailnetproto.DRPCTailnetClient28, error,
+	)
 	tailnet.DERPMapRewriter
 	agentsdk.RefreshableSessionTokenProvider
 }
@@ -997,8 +1003,10 @@ func (a *agent) run() (retErr error) {
 		return xerrors.Errorf("refresh token: %w", err)
 	}

-	// ConnectRPC returns the dRPC connection we use for the Agent and Tailnet v2+ APIs
-	aAPI, tAPI, err := a.client.ConnectRPC28(a.hardCtx)
+	// ConnectRPC returns the dRPC connection we use for the Agent and Tailnet v2+ APIs.
+	// We pass role "agent" to enable connection monitoring on the server, which tracks
+	// the agent's connectivity state (first_connected_at, last_connected_at, disconnected_at).
+	aAPI, tAPI, err := a.client.ConnectRPC28WithRole(a.hardCtx, "agent")
 	if err != nil {
 		return err
 	}
@@ -1,37 +1,22 @@
 package agentsocket_test

 import (
-	"context"
-	"path/filepath"
-	"runtime"
 	"testing"

-	"github.com/google/uuid"
-	"github.com/spf13/afero"
 	"github.com/stretchr/testify/require"

 	"cdr.dev/slog/v3"
-	"github.com/coder/coder/v2/agent"
 	"github.com/coder/coder/v2/agent/agentsocket"
-	"github.com/coder/coder/v2/agent/agenttest"
-	agentproto "github.com/coder/coder/v2/agent/proto"
-	"github.com/coder/coder/v2/codersdk/agentsdk"
-	"github.com/coder/coder/v2/tailnet"
-	"github.com/coder/coder/v2/tailnet/tailnettest"
 	"github.com/coder/coder/v2/testutil"
 )

 func TestServer(t *testing.T) {
 	t.Parallel()

-	if runtime.GOOS == "windows" {
-		t.Skip("agentsocket is not supported on Windows")
-	}
-
 	t.Run("StartStop", func(t *testing.T) {
 		t.Parallel()

-		socketPath := filepath.Join(t.TempDir(), "test.sock")
+		socketPath := testutil.AgentSocketPath(t)
 		logger := slog.Make().Leveled(slog.LevelDebug)
 		server, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
 		require.NoError(t, err)
@@ -41,7 +26,7 @@ func TestServer(t *testing.T) {
 	t.Run("AlreadyStarted", func(t *testing.T) {
 		t.Parallel()

-		socketPath := filepath.Join(t.TempDir(), "test.sock")
+		socketPath := testutil.AgentSocketPath(t)
 		logger := slog.Make().Leveled(slog.LevelDebug)
 		server1, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
 		require.NoError(t, err)
@@ -49,90 +34,4 @@ func TestServer(t *testing.T) {
 		_, err = agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
 		require.ErrorContains(t, err, "create socket")
 	})
-
-	t.Run("AutoSocketPath", func(t *testing.T) {
-		t.Parallel()
-
-		socketPath := filepath.Join(t.TempDir(), "test.sock")
-		logger := slog.Make().Leveled(slog.LevelDebug)
-		server, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
-		require.NoError(t, err)
-		require.NoError(t, server.Close())
-	})
-}
-
-func TestServerWindowsNotSupported(t *testing.T) {
-	t.Parallel()
-
-	if runtime.GOOS != "windows" {
-		t.Skip("this test only runs on Windows")
-	}
-
-	t.Run("NewServer", func(t *testing.T) {
-		t.Parallel()
-
-		socketPath := filepath.Join(t.TempDir(), "test.sock")
-		logger := slog.Make().Leveled(slog.LevelDebug)
-		_, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
-		require.ErrorContains(t, err, "agentsocket is not supported on Windows")
-	})
-
-	t.Run("NewClient", func(t *testing.T) {
-		t.Parallel()
-
-		_, err := agentsocket.NewClient(context.Background(), agentsocket.WithPath("test.sock"))
-		require.ErrorContains(t, err, "agentsocket is not supported on Windows")
-	})
-}
-
-func TestAgentInitializesOnWindowsWithoutSocketServer(t *testing.T) {
-	t.Parallel()
-
-	if runtime.GOOS != "windows" {
-		t.Skip("this test only runs on Windows")
-	}
-
-	ctx := testutil.Context(t, testutil.WaitShort)
-	logger := testutil.Logger(t).Named("agent")
-
-	derpMap, _ := tailnettest.RunDERPAndSTUN(t)
-
-	coordinator := tailnet.NewCoordinator(logger)
-	t.Cleanup(func() {
-		_ = coordinator.Close()
-	})
-
-	statsCh := make(chan *agentproto.Stats, 50)
-	agentID := uuid.New()
-	manifest := agentsdk.Manifest{
-		AgentID:       agentID,
-		AgentName:     "test-agent",
-		WorkspaceName: "test-workspace",
-		OwnerName:     "test-user",
-		WorkspaceID:   uuid.New(),
-		DERPMap:       derpMap,
-	}
-
-	client := agenttest.NewClient(t, logger.Named("agenttest"), agentID, manifest, statsCh, coordinator)
-	t.Cleanup(client.Close)
-
-	options := agent.Options{
-		Client:                 client,
-		Filesystem:             afero.NewMemMapFs(),
-		Logger:                 logger.Named("agent"),
-		ReconnectingPTYTimeout: testutil.WaitShort,
-		EnvironmentVariables:   map[string]string{},
-		SocketPath:             "",
-	}
-
-	agnt := agent.New(options)
-	t.Cleanup(func() {
-		_ = agnt.Close()
-	})
-
-	startup := testutil.TryReceive(ctx, t, client.GetStartup())
-	require.NotNil(t, startup, "agent should send startup message")
-
-	err := agnt.Close()
-	require.NoError(t, err, "agent should close cleanly")
 }
@@ -2,8 +2,6 @@ package agentsocket_test

 import (
 	"context"
-	"path/filepath"
-	"runtime"
 	"testing"

 	"github.com/stretchr/testify/require"
@@ -30,14 +28,10 @@ func newSocketClient(ctx context.Context, t *testing.T, socketPath string) *agen
 func TestDRPCAgentSocketService(t *testing.T) {
 	t.Parallel()

-	if runtime.GOOS == "windows" {
-		t.Skip("agentsocket is not supported on Windows")
-	}
-
 	t.Run("Ping", func(t *testing.T) {
 		t.Parallel()

-		socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
+		socketPath := testutil.AgentSocketPath(t)
 		ctx := testutil.Context(t, testutil.WaitShort)
 		server, err := agentsocket.NewServer(
 			slog.Make().Leveled(slog.LevelDebug),
@@ -57,7 +51,7 @@ func TestDRPCAgentSocketService(t *testing.T) {

 		t.Run("NewUnit", func(t *testing.T) {
 			t.Parallel()
-			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
+			socketPath := testutil.AgentSocketPath(t)
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -79,7 +73,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("UnitAlreadyStarted", func(t *testing.T) {
 			t.Parallel()

-			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
+			socketPath := testutil.AgentSocketPath(t)
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -109,7 +103,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("UnitAlreadyCompleted", func(t *testing.T) {
 			t.Parallel()

-			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
+			socketPath := testutil.AgentSocketPath(t)
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -148,7 +142,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("UnitNotReady", func(t *testing.T) {
 			t.Parallel()

-			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
+			socketPath := testutil.AgentSocketPath(t)
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -178,7 +172,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("NewUnits", func(t *testing.T) {
 			t.Parallel()

-			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
+			socketPath := testutil.AgentSocketPath(t)
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -203,7 +197,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("DependencyAlreadyRegistered", func(t *testing.T) {
 			t.Parallel()

-			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
+			socketPath := testutil.AgentSocketPath(t)
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -238,7 +232,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("DependencyAddedAfterDependentStarted", func(t *testing.T) {
 			t.Parallel()

-			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
+			socketPath := testutil.AgentSocketPath(t)
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -280,7 +274,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("UnregisteredUnit", func(t *testing.T) {
 			t.Parallel()

-			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
+			socketPath := testutil.AgentSocketPath(t)
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -299,7 +293,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("UnitNotReady", func(t *testing.T) {
 			t.Parallel()

-			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
+			socketPath := testutil.AgentSocketPath(t)
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -323,7 +317,7 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("UnitReady", func(t *testing.T) {
 			t.Parallel()

-			socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
+			socketPath := testutil.AgentSocketPath(t)
 			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
 				slog.Make().Leveled(slog.LevelDebug),
@@ -4,19 +4,60 @@ package agentsocket

 import (
 	"context"
+	"fmt"
 	"net"
+	"os"
+	"os/user"
+	"strings"

+	"github.com/Microsoft/go-winio"
 	"golang.org/x/xerrors"
 )

-func createSocket(_ string) (net.Listener, error) {
-	return nil, xerrors.New("agentsocket is not supported on Windows")
+const defaultSocketPath = `\\.\pipe\com.coder.agentsocket`
+
+func createSocket(path string) (net.Listener, error) {
+	if path == "" {
+		path = defaultSocketPath
+	}
+	if !strings.HasPrefix(path, `\\.\pipe\`) {
+		return nil, xerrors.Errorf("%q is not a valid local socket path", path)
+	}
+
+	user, err := user.Current()
+	if err != nil {
+		return nil, fmt.Errorf("unable to look up current user: %w", err)
+	}
+	sid := user.Uid
+
+	// SecurityDescriptor is in SDDL format. c.f.
+	// https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format for full details.
+	// D: indicates this is a Discretionary Access Control List (DACL), which is Windows-speak for ACLs that allow or
+	// deny access (as opposed to SACL which controls audit logging).
+	// P indicates that this DACL is "protected" from being modified thru inheritance
+	// () delimit access control entries (ACEs), here we only have one, which, allows (A) generic all (GA) access to our
+	// specific user's security ID (SID).
+	//
+	// Note that although Microsoft docs at https://learn.microsoft.com/en-us/windows/win32/ipc/named-pipes warns that
+	// named pipes are accessible from remote machines in the general case, the `winio` package sets the flag
+	// windows.FILE_PIPE_REJECT_REMOTE_CLIENTS when creating pipes, so connections from remote machines are always
+	// denied. This is important because we sort of expect customers to run the Coder agent under a generic user
+	// account unless they are very sophisticated. We don't want this socket to cross the boundary of the local machine.
+	configuration := &winio.PipeConfig{
+		SecurityDescriptor: fmt.Sprintf("D:P(A;;GA;;;%s)", sid),
+	}
+
+	listener, err := winio.ListenPipe(path, configuration)
+	if err != nil {
+		return nil, xerrors.Errorf("failed to open named pipe: %w", err)
+	}
+	return listener, nil
 }

-func cleanupSocket(_ string) error {
-	return nil
+func cleanupSocket(path string) error {
+	return os.Remove(path)
 }

-func dialSocket(_ context.Context, _ string) (net.Conn, error) {
-	return nil, xerrors.New("agentsocket is not supported on Windows")
+func dialSocket(ctx context.Context, path string) (net.Conn, error) {
+	return winio.DialPipeContext(ctx, path)
 }
@@ -124,6 +124,12 @@ func (c *Client) Close() {
 	c.derpMapOnce.Do(func() { close(c.derpMapUpdates) })
 }

+func (c *Client) ConnectRPC28WithRole(ctx context.Context, _ string) (
+	agentproto.DRPCAgentClient28, proto.DRPCTailnetClient28, error,
+) {
+	return c.ConnectRPC28(ctx)
+}
+
 func (c *Client) ConnectRPC28(ctx context.Context) (
 	agentproto.DRPCAgentClient28, proto.DRPCTailnetClient28, error,
 ) {
@@ -3,11 +3,11 @@
 		"enabled": true,
 		"clientKind": "git",
 		"useIgnoreFile": true,
-		"defaultBranch": "main"
+		"defaultBranch": "main",
 	},
 	"files": {
 		"includes": ["**", "!**/pnpm-lock.yaml"],
-		"ignoreUnknown": true
+		"ignoreUnknown": true,
 	},
 	"linter": {
 		"rules": {
@@ -15,18 +15,18 @@
 				"noSvgWithoutTitle": "off",
 				"useButtonType": "off",
 				"useSemanticElements": "off",
-				"noStaticElementInteractions": "off"
+				"noStaticElementInteractions": "off",
 			},
-		"correctness": {
-			"noUnusedImports": "warn",
+			"correctness": {
+				"noUnusedImports": "warn",
 				"useUniqueElementIds": "off", // TODO: This is new but we want to fix it
 				"noNestedComponentDefinitions": "off", // TODO: Investigate, since it is used by shadcn components
-			"noUnusedVariables": {
-				"level": "warn",
+				"noUnusedVariables": {
+					"level": "warn",
 					"options": {
-						"ignoreRestSiblings": true
-					}
-				}
+						"ignoreRestSiblings": true,
+					},
+				},
 			},
 			"style": {
 				"noNonNullAssertion": "off",
@@ -45,6 +45,10 @@
 					"level": "error",
 					"options": {
 						"paths": {
+							"react": {
+								"message": "React 19 no longer requires forwardRef. Use ref as a prop instead.",
+								"importNames": ["forwardRef"],
+							},
 							// "@mui/material/Alert": "Use components/Alert/Alert instead.",
 							// "@mui/material/AlertTitle": "Use components/Alert/Alert instead.",
 							// "@mui/material/Autocomplete": "Use shadcn/ui Combobox instead.",
@@ -111,10 +115,10 @@
 							"@emotion/styled": "Use Tailwind CSS instead.",
 							// "@emotion/cache": "Use Tailwind CSS instead.",
 							// "components/Stack/Stack": "Use Tailwind flex utilities instead (e.g., <div className='flex flex-col gap-4'>).",
-							"lodash": "Use lodash/<name> instead."
-						}
-					}
-				}
+							"lodash": "Use lodash/<name> instead.",
+						},
+					},
+				},
 			},
 			"suspicious": {
 				"noArrayIndexKey": "off",
@@ -125,14 +129,14 @@
 				"noConsole": {
 					"level": "error",
 					"options": {
-						"allow": ["error", "info", "warn"]
-					}
-				}
+						"allow": ["error", "info", "warn"],
+					},
+				},
 			},
 			"complexity": {
-				"noImportantStyles": "off" // TODO: check and fix !important styles
-			}
-		}
+				"noImportantStyles": "off", // TODO: check and fix !important styles
+			},
+		},
 	},
-	"$schema": "./node_modules/@biomejs/biome/configuration_schema.json"
+	"$schema": "./node_modules/@biomejs/biome/configuration_schema.json",
 }
@@ -884,16 +884,27 @@ func (o *OrganizationContext) Selected(inv *serpent.Invocation, client *codersdk
 		index := slices.IndexFunc(orgs, func(org codersdk.Organization) bool {
 			return org.Name == o.FlagSelect || org.ID.String() == o.FlagSelect
 		})
+		if index >= 0 {
+			return orgs[index], nil
+		}

-		if index < 0 {
+		// Not in membership list - try direct fetch.
+		// This allows site-wide admins (e.g., Owners) to use orgs they aren't
+		// members of.
+		org, err := client.OrganizationByName(inv.Context(), o.FlagSelect)
+		if err != nil {
 			var names []string
 			for _, org := range orgs {
 				names = append(names, org.Name)
 			}
-			return codersdk.Organization{}, xerrors.Errorf("organization %q not found, are you sure you are a member of this organization? "+
-				"Valid options for '--org=' are [%s].", o.FlagSelect, strings.Join(names, ", "))
+			var sdkErr *codersdk.Error
+			if errors.As(err, &sdkErr) && sdkErr.StatusCode() == http.StatusNotFound {
+				return codersdk.Organization{}, xerrors.Errorf("organization %q not found, are you sure you are a member of this organization? "+
+					"Valid options for '--org=' are [%s].", o.FlagSelect, strings.Join(names, ", "))
+			}
+			return codersdk.Organization{}, xerrors.Errorf("get organization %q: %w", o.FlagSelect, err)
 		}
-		return orgs[index], nil
+		return org, nil
 	}

 	if len(orgs) == 1 {
@@ -95,6 +95,7 @@ import (
 	"github.com/coder/coder/v2/coderd/webpush"
 	"github.com/coder/coder/v2/coderd/workspaceapps/appurl"
 	"github.com/coder/coder/v2/coderd/workspacestats"
+	"github.com/coder/coder/v2/coderd/wsbuilder"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/drpcsdk"
 	"github.com/coder/coder/v2/cryptorand"
@@ -136,6 +137,15 @@ func createOIDCConfig(ctx context.Context, logger slog.Logger, vals *codersdk.De
 	if err != nil {
 		return nil, xerrors.Errorf("parse oidc oauth callback url: %w", err)
 	}
+
+	if vals.OIDC.RedirectURL.String() != "" {
+		redirectURL, err = vals.OIDC.RedirectURL.Value().Parse("/api/v2/users/oidc/callback")
+		if err != nil {
+			return nil, xerrors.Errorf("parse oidc redirect url %q", err)
+		}
+		logger.Warn(ctx, "custom OIDC redirect URL used instead of 'access_url', ensure this matches the value configured in your OIDC provider")
+	}
+
 	// If the scopes contain 'groups', we enable group support.
 	// Do not override any custom value set by the user.
 	if slice.Contains(vals.OIDC.Scopes, "groups") && vals.OIDC.GroupField == "" {
@@ -935,6 +945,12 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			options.StatsBatcher = batcher
 			defer closeBatcher()

+			wsBuilderMetrics, err := wsbuilder.NewMetrics(options.PrometheusRegistry)
+			if err != nil {
+				return xerrors.Errorf("failed to register workspace builder metrics: %w", err)
+			}
+			options.WorkspaceBuilderMetrics = wsBuilderMetrics
+
 			// Manage notifications.
 			var (
 				notificationsCfg     = options.DeploymentValues.Notifications
@@ -1118,7 +1134,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			autobuildTicker := time.NewTicker(vals.AutobuildPollInterval.Value())
 			defer autobuildTicker.Stop()
 			autobuildExecutor := autobuild.NewExecutor(
-				ctx, options.Database, options.Pubsub, coderAPI.FileCache, options.PrometheusRegistry, coderAPI.TemplateScheduleStore, &coderAPI.Auditor, coderAPI.AccessControlStore, coderAPI.BuildUsageChecker, logger, autobuildTicker.C, options.NotificationsEnqueuer, coderAPI.Experiments)
+				ctx, options.Database, options.Pubsub, coderAPI.FileCache, options.PrometheusRegistry, coderAPI.TemplateScheduleStore, &coderAPI.Auditor, coderAPI.AccessControlStore, coderAPI.BuildUsageChecker, logger, autobuildTicker.C, options.NotificationsEnqueuer, coderAPI.Experiments, coderAPI.WorkspaceBuilderMetrics)
 			autobuildExecutor.Run()

 			jobReaperTicker := time.NewTicker(vals.JobReaperDetectorInterval.Value())
@@ -1740,6 +1740,18 @@ func TestServer(t *testing.T) {

 			// Next, we instruct the same server to display the YAML config
 			// and then save it.
+			// Because this is literally the same invocation, DefaultFn sets the
+			// value of 'Default'. Which triggers a mutually exclusive error
+			// on the next parse.
+			// Usually we only parse flags once, so this is not an issue
+			for _, c := range inv.Command.Children {
+				if c.Name() == "server" {
+					for i := range c.Options {
+						c.Options[i].DefaultFn = nil
+					}
+					break
+				}
+			}
 			inv = inv.WithContext(testutil.Context(t, testutil.WaitMedium))
 			//nolint:gocritic
 			inv.Args = append(args, "--write-config")
@@ -1,5 +1,3 @@
-//go:build !windows
-
 package cli_test

 import (
@@ -7,6 +5,7 @@ import (
 	"context"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 	"time"

@@ -25,12 +24,15 @@ func setupSocketServer(t *testing.T) (path string, cleanup func()) {
 	t.Helper()

 	// Use a temporary socket path for each test
-	socketPath := filepath.Join(testutil.TempDirUnixSocket(t), "test.sock")
+	socketPath := testutil.AgentSocketPath(t)

-	// Create parent directory if needed
-	parentDir := filepath.Dir(socketPath)
-	err := os.MkdirAll(parentDir, 0o700)
-	require.NoError(t, err, "create socket directory")
+	// Create parent directory if needed. Not necessary on Windows because named pipes live in an abstract namespace
+	// not tied to any real files.
+	if runtime.GOOS != "windows" {
+		parentDir := filepath.Dir(socketPath)
+		err := os.MkdirAll(parentDir, 0o700)
+		require.NoError(t, err, "create socket directory")
+	}

 	server, err := agentsocket.NewServer(
 		slog.Make().Leveled(slog.LevelDebug),
@@ -17,6 +17,8 @@ func (r *RootCmd) tasksCommand() *serpent.Command {
 			r.taskDelete(),
 			r.taskList(),
 			r.taskLogs(),
+			r.taskPause(),
+			r.taskResume(),
 			r.taskSend(),
 			r.taskStatus(),
 		},
@@ -41,8 +41,7 @@ func Test_TaskLogs_Golden(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
-		userClient := client // user already has access to their own workspace
+		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))

 		inv, root := clitest.New(t, "task", "logs", task.Name, "--output", "json")
 		output := clitest.Capture(inv)
@@ -65,8 +64,7 @@ func Test_TaskLogs_Golden(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
-		userClient := client
+		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))

 		inv, root := clitest.New(t, "task", "logs", task.ID.String(), "--output", "json")
 		output := clitest.Capture(inv)
@@ -89,8 +87,7 @@ func Test_TaskLogs_Golden(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
-		userClient := client
+		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))

 		inv, root := clitest.New(t, "task", "logs", task.ID.String())
 		output := clitest.Capture(inv)
@@ -144,8 +141,7 @@ func Test_TaskLogs_Golden(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsErr(assert.AnError))
-		userClient := client
+		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsErr(assert.AnError))

 		inv, root := clitest.New(t, "task", "logs", task.ID.String())
 		clitest.SetupConfig(t, userClient, root)
@@ -201,8 +197,7 @@ func Test_TaskLogs_Golden(t *testing.T) {
 	t.Run("SnapshotWithoutLogs_NoSnapshotCaptured", func(t *testing.T) {
 		t.Parallel()

-		client, task := setupCLITaskTestWithoutSnapshot(t, codersdk.TaskStatusPaused)
-		userClient := client
+		userClient, task := setupCLITaskTestWithoutSnapshot(t, codersdk.TaskStatusPaused)

 		inv, root := clitest.New(t, "task", "logs", task.Name)
 		output := clitest.Capture(inv)
@@ -0,0 +1,90 @@
+package cli
+
+import (
+	"fmt"
+	"time"
+
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/cli/cliui"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/pretty"
+	"github.com/coder/serpent"
+)
+
+func (r *RootCmd) taskPause() *serpent.Command {
+	cmd := &serpent.Command{
+		Use:   "pause <task>",
+		Short: "Pause a task",
+		Long: FormatExamples(
+			Example{
+				Description: "Pause a task by name",
+				Command:     "coder task pause my-task",
+			},
+			Example{
+				Description: "Pause another user's task",
+				Command:     "coder task pause alice/my-task",
+			},
+			Example{
+				Description: "Pause a task without confirmation",
+				Command:     "coder task pause my-task --yes",
+			},
+		),
+		Middleware: serpent.Chain(
+			serpent.RequireNArgs(1),
+		),
+		Options: serpent.OptionSet{
+			cliui.SkipPromptOption(),
+		},
+		Handler: func(inv *serpent.Invocation) error {
+			ctx := inv.Context()
+			client, err := r.InitClient(inv)
+			if err != nil {
+				return err
+			}
+
+			task, err := client.TaskByIdentifier(ctx, inv.Args[0])
+			if err != nil {
+				return xerrors.Errorf("resolve task %q: %w", inv.Args[0], err)
+			}
+
+			display := fmt.Sprintf("%s/%s", task.OwnerName, task.Name)
+
+			if task.Status == codersdk.TaskStatusPaused {
+				return xerrors.Errorf("task %q is already paused", display)
+			}
+
+			_, err = cliui.Prompt(inv, cliui.PromptOptions{
+				Text:      fmt.Sprintf("Pause task %s?", pretty.Sprint(cliui.DefaultStyles.Code, display)),
+				IsConfirm: true,
+				Default:   cliui.ConfirmNo,
+			})
+			if err != nil {
+				return err
+			}
+
+			resp, err := client.PauseTask(ctx, task.OwnerName, task.ID)
+			if err != nil {
+				return xerrors.Errorf("pause task %q: %w", display, err)
+			}
+
+			if resp.WorkspaceBuild == nil {
+				return xerrors.Errorf("pause task %q: no workspace build returned", display)
+			}
+
+			err = cliui.WorkspaceBuild(ctx, inv.Stdout, client, resp.WorkspaceBuild.ID)
+			if err != nil {
+				return xerrors.Errorf("watch pause build for task %q: %w", display, err)
+			}
+
+			_, _ = fmt.Fprintf(
+				inv.Stdout,
+				"\nThe %s task has been paused at %s!\n",
+				cliui.Keyword(task.Name),
+				cliui.Timestamp(time.Now()),
+			)
+			return nil
+		},
+	}
+	return cmd
+}
@@ -0,0 +1,144 @@
+package cli_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/cli/clitest"
+	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/pty/ptytest"
+	"github.com/coder/coder/v2/testutil"
+)
+
+func TestExpTaskPause(t *testing.T) {
+	t.Parallel()
+
+	t.Run("WithYesFlag", func(t *testing.T) {
+		t.Parallel()
+
+		// Given: A running task
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
+
+		// When: We attempt to pause the task
+		inv, root := clitest.New(t, "task", "pause", task.Name, "--yes")
+		output := clitest.Capture(inv)
+		clitest.SetupConfig(t, userClient, root)
+
+		// Then: Expect the task to be paused
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		err := inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+		require.Contains(t, output.Stdout(), "has been paused")
+
+		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
+		require.NoError(t, err)
+		require.Equal(t, codersdk.TaskStatusPaused, updated.Status)
+	})
+
+	// OtherUserTask verifies that an admin can pause a task owned by
+	// another user using the "owner/name" identifier format.
+	t.Run("OtherUserTask", func(t *testing.T) {
+		t.Parallel()
+
+		// Given: A different user's running task
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		adminClient, _, task := setupCLITaskTest(setupCtx, t, nil)
+
+		// When: We attempt to pause their task
+		identifier := fmt.Sprintf("%s/%s", task.OwnerName, task.Name)
+		inv, root := clitest.New(t, "task", "pause", identifier, "--yes")
+		output := clitest.Capture(inv)
+		clitest.SetupConfig(t, adminClient, root)
+
+		// Then: We expect the task to be paused
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		err := inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+		require.Contains(t, output.Stdout(), "has been paused")
+
+		updated, err := adminClient.TaskByIdentifier(ctx, identifier)
+		require.NoError(t, err)
+		require.Equal(t, codersdk.TaskStatusPaused, updated.Status)
+	})
+
+	t.Run("PromptConfirm", func(t *testing.T) {
+		t.Parallel()
+
+		// Given: A running task
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
+
+		// When: We attempt to pause the task
+		inv, root := clitest.New(t, "task", "pause", task.Name)
+		clitest.SetupConfig(t, userClient, root)
+
+		// And: We confirm we want to pause the task
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		inv = inv.WithContext(ctx)
+		pty := ptytest.New(t).Attach(inv)
+		w := clitest.StartWithWaiter(t, inv)
+		pty.ExpectMatchContext(ctx, "Pause task")
+		pty.WriteLine("yes")
+
+		// Then: We expect the task to be paused
+		pty.ExpectMatchContext(ctx, "has been paused")
+		require.NoError(t, w.Wait())
+
+		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
+		require.NoError(t, err)
+		require.Equal(t, codersdk.TaskStatusPaused, updated.Status)
+	})
+
+	t.Run("PromptDecline", func(t *testing.T) {
+		t.Parallel()
+
+		// Given: A running task
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
+
+		// When: We attempt to pause the task
+		inv, root := clitest.New(t, "task", "pause", task.Name)
+		clitest.SetupConfig(t, userClient, root)
+
+		// But: We say no at the confirmation screen
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		inv = inv.WithContext(ctx)
+		pty := ptytest.New(t).Attach(inv)
+		w := clitest.StartWithWaiter(t, inv)
+		pty.ExpectMatchContext(ctx, "Pause task")
+		pty.WriteLine("no")
+		require.Error(t, w.Wait())
+
+		// Then: We expect the task to not be paused
+		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
+		require.NoError(t, err)
+		require.NotEqual(t, codersdk.TaskStatusPaused, updated.Status)
+	})
+
+	t.Run("TaskAlreadyPaused", func(t *testing.T) {
+		t.Parallel()
+
+		// Given: A running task
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
+
+		// And: We paused the running task
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		resp, err := userClient.PauseTask(ctx, task.OwnerName, task.ID)
+		require.NoError(t, err)
+		require.NotNil(t, resp.WorkspaceBuild)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, userClient, resp.WorkspaceBuild.ID)
+
+		// When: We attempt to pause the task again
+		inv, root := clitest.New(t, "task", "pause", task.Name, "--yes")
+		clitest.SetupConfig(t, userClient, root)
+
+		// Then: We expect to get an error that the task is already paused
+		err = inv.WithContext(ctx).Run()
+		require.ErrorContains(t, err, "is already paused")
+	})
+}
@@ -0,0 +1,95 @@
+package cli
+
+import (
+	"fmt"
+
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/cli/cliui"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/pretty"
+	"github.com/coder/serpent"
+)
+
+func (r *RootCmd) taskResume() *serpent.Command {
+	var noWait bool
+
+	cmd := &serpent.Command{
+		Use:   "resume <task>",
+		Short: "Resume a task",
+		Long: FormatExamples(
+			Example{
+				Description: "Resume a task by name",
+				Command:     "coder task resume my-task",
+			},
+			Example{
+				Description: "Resume another user's task",
+				Command:     "coder task resume alice/my-task",
+			},
+			Example{
+				Description: "Resume a task without confirmation",
+				Command:     "coder task resume my-task --yes",
+			},
+		),
+		Middleware: serpent.Chain(
+			serpent.RequireNArgs(1),
+		),
+		Options: serpent.OptionSet{
+			{
+				Flag:        "no-wait",
+				Description: "Return immediately after resuming the task.",
+				Value:       serpent.BoolOf(&noWait),
+			},
+			cliui.SkipPromptOption(),
+		},
+		Handler: func(inv *serpent.Invocation) error {
+			ctx := inv.Context()
+			client, err := r.InitClient(inv)
+			if err != nil {
+				return err
+			}
+
+			task, err := client.TaskByIdentifier(ctx, inv.Args[0])
+			if err != nil {
+				return xerrors.Errorf("resolve task %q: %w", inv.Args[0], err)
+			}
+
+			display := fmt.Sprintf("%s/%s", task.OwnerName, task.Name)
+
+			if task.Status == codersdk.TaskStatusError || task.Status == codersdk.TaskStatusUnknown {
+				return xerrors.Errorf("task %q is in %s state and cannot be resumed; check the workspace build logs and agent status for details", display, task.Status)
+			} else if task.Status != codersdk.TaskStatusPaused {
+				return xerrors.Errorf("task %q cannot be resumed (current status: %s)", display, task.Status)
+			}
+
+			_, err = cliui.Prompt(inv, cliui.PromptOptions{
+				Text:      fmt.Sprintf("Resume task %s?", pretty.Sprint(cliui.DefaultStyles.Code, display)),
+				IsConfirm: true,
+				Default:   cliui.ConfirmNo,
+			})
+			if err != nil {
+				return err
+			}
+
+			resp, err := client.ResumeTask(ctx, task.OwnerName, task.ID)
+			if err != nil {
+				return xerrors.Errorf("resume task %q: %w", display, err)
+			} else if resp.WorkspaceBuild == nil {
+				return xerrors.Errorf("resume task %q: no workspace build returned", display)
+			}
+
+			if noWait {
+				_, _ = fmt.Fprintf(inv.Stdout, "Resuming task %q in the background.\n", cliui.Keyword(display))
+				return nil
+			}
+
+			if err = cliui.WorkspaceBuild(ctx, inv.Stdout, client, resp.WorkspaceBuild.ID); err != nil {
+				return xerrors.Errorf("watch resume build for task %q: %w", display, err)
+			}
+
+			_, _ = fmt.Fprintf(inv.Stdout, "\nThe %s task has been resumed.\n", cliui.Keyword(display))
+			return nil
+		},
+	}
+	return cmd
+}
@@ -0,0 +1,183 @@
+package cli_test
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/cli/clitest"
+	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/pty/ptytest"
+	"github.com/coder/coder/v2/testutil"
+)
+
+func TestExpTaskResume(t *testing.T) {
+	t.Parallel()
+
+	// pauseTask is a helper that pauses a task and waits for the stop
+	// build to complete.
+	pauseTask := func(ctx context.Context, t *testing.T, client *codersdk.Client, task codersdk.Task) {
+		t.Helper()
+
+		pauseResp, err := client.PauseTask(ctx, task.OwnerName, task.ID)
+		require.NoError(t, err)
+		require.NotNil(t, pauseResp.WorkspaceBuild)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, pauseResp.WorkspaceBuild.ID)
+	}
+
+	t.Run("WithYesFlag", func(t *testing.T) {
+		t.Parallel()
+
+		// Given: A paused task
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
+		pauseTask(setupCtx, t, userClient, task)
+
+		// When: We attempt to resume the task
+		inv, root := clitest.New(t, "task", "resume", task.Name, "--yes")
+		output := clitest.Capture(inv)
+		clitest.SetupConfig(t, userClient, root)
+
+		// Then: We expect the task to be resumed
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		err := inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+		require.Contains(t, output.Stdout(), "has been resumed")
+
+		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
+		require.NoError(t, err)
+		require.Equal(t, codersdk.TaskStatusInitializing, updated.Status)
+	})
+
+	// OtherUserTask verifies that an admin can resume a task owned by
+	// another user using the "owner/name" identifier format.
+	t.Run("OtherUserTask", func(t *testing.T) {
+		t.Parallel()
+
+		// Given: A different user's paused task
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		adminClient, userClient, task := setupCLITaskTest(setupCtx, t, nil)
+		pauseTask(setupCtx, t, userClient, task)
+
+		// When: We attempt to resume their task
+		identifier := fmt.Sprintf("%s/%s", task.OwnerName, task.Name)
+		inv, root := clitest.New(t, "task", "resume", identifier, "--yes")
+		output := clitest.Capture(inv)
+		clitest.SetupConfig(t, adminClient, root)
+
+		// Then: We expect the task to be resumed
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		err := inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+		require.Contains(t, output.Stdout(), "has been resumed")
+
+		updated, err := adminClient.TaskByIdentifier(ctx, identifier)
+		require.NoError(t, err)
+		require.Equal(t, codersdk.TaskStatusInitializing, updated.Status)
+	})
+
+	t.Run("NoWait", func(t *testing.T) {
+		t.Parallel()
+
+		// Given: A paused task
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
+		pauseTask(setupCtx, t, userClient, task)
+
+		// When: We attempt to resume the task (and specify no wait)
+		inv, root := clitest.New(t, "task", "resume", task.Name, "--yes", "--no-wait")
+		output := clitest.Capture(inv)
+		clitest.SetupConfig(t, userClient, root)
+
+		// Then: We expect the task to be resumed in the background
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		err := inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+		require.Contains(t, output.Stdout(), "in the background")
+
+		// And: The task to eventually be resumed
+		require.True(t, task.WorkspaceID.Valid, "task should have a workspace ID")
+		ws := coderdtest.MustWorkspace(t, userClient, task.WorkspaceID.UUID)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, userClient, ws.LatestBuild.ID)
+
+		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
+		require.NoError(t, err)
+		require.Equal(t, codersdk.TaskStatusInitializing, updated.Status)
+	})
+
+	t.Run("PromptConfirm", func(t *testing.T) {
+		t.Parallel()
+
+		// Given: A paused task
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
+		pauseTask(setupCtx, t, userClient, task)
+
+		// When: We attempt to resume the task
+		inv, root := clitest.New(t, "task", "resume", task.Name)
+		clitest.SetupConfig(t, userClient, root)
+
+		// And: We confirm we want to resume the task
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		inv = inv.WithContext(ctx)
+		pty := ptytest.New(t).Attach(inv)
+		w := clitest.StartWithWaiter(t, inv)
+		pty.ExpectMatchContext(ctx, "Resume task")
+		pty.WriteLine("yes")
+
+		// Then: We expect the task to be resumed
+		pty.ExpectMatchContext(ctx, "has been resumed")
+		require.NoError(t, w.Wait())
+
+		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
+		require.NoError(t, err)
+		require.Equal(t, codersdk.TaskStatusInitializing, updated.Status)
+	})
+
+	t.Run("PromptDecline", func(t *testing.T) {
+		t.Parallel()
+
+		// Given: A paused task
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
+		pauseTask(setupCtx, t, userClient, task)
+
+		// When: We attempt to resume the task
+		inv, root := clitest.New(t, "task", "resume", task.Name)
+		clitest.SetupConfig(t, userClient, root)
+
+		// But: Say no at the confirmation screen
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		inv = inv.WithContext(ctx)
+		pty := ptytest.New(t).Attach(inv)
+		w := clitest.StartWithWaiter(t, inv)
+		pty.ExpectMatchContext(ctx, "Resume task")
+		pty.WriteLine("no")
+		require.Error(t, w.Wait())
+
+		// Then: We expect the task to still be paused
+		updated, err := userClient.TaskByIdentifier(ctx, task.Name)
+		require.NoError(t, err)
+		require.Equal(t, codersdk.TaskStatusPaused, updated.Status)
+	})
+
+	t.Run("TaskNotPaused", func(t *testing.T) {
+		t.Parallel()
+
+		// Given: A running task
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		_, userClient, task := setupCLITaskTest(setupCtx, t, nil)
+
+		// When: We attempt to resume the task that is not paused
+		inv, root := clitest.New(t, "task", "resume", task.Name, "--yes")
+		clitest.SetupConfig(t, userClient, root)
+
+		// Then: We expect to get an error that the task is not paused
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		err := inv.WithContext(ctx).Run()
+		require.ErrorContains(t, err, "cannot be resumed")
+	})
+}
@@ -25,8 +25,7 @@ func Test_TaskSend(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
-		userClient := client
+		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))

 		var stdout strings.Builder
 		inv, root := clitest.New(t, "task", "send", task.Name, "carry on with the task")
@@ -42,8 +41,7 @@ func Test_TaskSend(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
-		userClient := client
+		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))

 		var stdout strings.Builder
 		inv, root := clitest.New(t, "task", "send", task.ID.String(), "carry on with the task")
@@ -59,8 +57,7 @@ func Test_TaskSend(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
-		userClient := client
+		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))

 		var stdout strings.Builder
 		inv, root := clitest.New(t, "task", "send", task.Name, "--stdin")
@@ -113,7 +110,7 @@ func Test_TaskSend(t *testing.T) {
 		t.Parallel()

 		setupCtx := testutil.Context(t, testutil.WaitLong)
-		userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendErr(t, assert.AnError))
+		_, userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendErr(t, assert.AnError))

 		var stdout strings.Builder
 		inv, root := clitest.New(t, "task", "send", task.Name, "some task input")
@@ -120,6 +120,40 @@ func Test_Tasks(t *testing.T) {
 				require.Equal(t, logs[2].Type, codersdk.TaskLogTypeOutput, "third message should be an output")
 			},
 		},
+		{
+			name:    "pause task",
+			cmdArgs: []string{"task", "pause", taskName, "--yes"},
+			assertFn: func(stdout string, userClient *codersdk.Client) {
+				require.Contains(t, stdout, "has been paused", "pause output should confirm task was paused")
+			},
+		},
+		{
+			name:    "get task status after pause",
+			cmdArgs: []string{"task", "status", taskName, "--output", "json"},
+			assertFn: func(stdout string, userClient *codersdk.Client) {
+				var task codersdk.Task
+				require.NoError(t, json.NewDecoder(strings.NewReader(stdout)).Decode(&task), "should unmarshal task status")
+				require.Equal(t, taskName, task.Name, "task name should match")
+				require.Equal(t, codersdk.TaskStatusPaused, task.Status, "task should be paused")
+			},
+		},
+		{
+			name:    "resume task",
+			cmdArgs: []string{"task", "resume", taskName, "--yes"},
+			assertFn: func(stdout string, userClient *codersdk.Client) {
+				require.Contains(t, stdout, "has been resumed", "resume output should confirm task was resumed")
+			},
+		},
+		{
+			name:    "get task status after resume",
+			cmdArgs: []string{"task", "status", taskName, "--output", "json"},
+			assertFn: func(stdout string, userClient *codersdk.Client) {
+				var task codersdk.Task
+				require.NoError(t, json.NewDecoder(strings.NewReader(stdout)).Decode(&task), "should unmarshal task status")
+				require.Equal(t, taskName, task.Name, "task name should match")
+				require.Equal(t, codersdk.TaskStatusInitializing, task.Status, "task should be initializing after resume")
+			},
+		},
 		{
 			name:    "delete task",
 			cmdArgs: []string{"task", "delete", taskName, "--yes"},
@@ -238,17 +272,17 @@ func fakeAgentAPIEcho(ctx context.Context, t testing.TB, initMsg agentapisdk.Mes
 // setupCLITaskTest creates a test workspace with an AI task template and agent,
 // with a fake agent API configured with the provided set of handlers.
 // Returns the user client and workspace.
-func setupCLITaskTest(ctx context.Context, t *testing.T, agentAPIHandlers map[string]http.HandlerFunc) (*codersdk.Client, codersdk.Task) {
+func setupCLITaskTest(ctx context.Context, t *testing.T, agentAPIHandlers map[string]http.HandlerFunc) (ownerClient *codersdk.Client, memberClient *codersdk.Client, task codersdk.Task) {
 	t.Helper()

-	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-	owner := coderdtest.CreateFirstUser(t, client)
-	userClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+	ownerClient = coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+	owner := coderdtest.CreateFirstUser(t, ownerClient)
+	userClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID)

 	fakeAPI := startFakeAgentAPI(t, agentAPIHandlers)

 	authToken := uuid.NewString()
-	template := createAITaskTemplate(t, client, owner.OrganizationID, withSidebarURL(fakeAPI.URL()), withAgentToken(authToken))
+	template := createAITaskTemplate(t, ownerClient, owner.OrganizationID, withSidebarURL(fakeAPI.URL()), withAgentToken(authToken))

 	wantPrompt := "test prompt"
 	task, err := userClient.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
@@ -262,17 +296,17 @@ func setupCLITaskTest(ctx context.Context, t *testing.T, agentAPIHandlers map[st
 	require.True(t, task.WorkspaceID.Valid, "task should have a workspace ID")
 	workspace, err := userClient.Workspace(ctx, task.WorkspaceID.UUID)
 	require.NoError(t, err)
-	coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
+	coderdtest.AwaitWorkspaceBuildJobCompleted(t, userClient, workspace.LatestBuild.ID)

-	agentClient := agentsdk.New(client.URL, agentsdk.WithFixedToken(authToken))
-	_ = agenttest.New(t, client.URL, authToken, func(o *agent.Options) {
+	agentClient := agentsdk.New(userClient.URL, agentsdk.WithFixedToken(authToken))
+	_ = agenttest.New(t, userClient.URL, authToken, func(o *agent.Options) {
 		o.Client = agentClient
 	})

-	coderdtest.NewWorkspaceAgentWaiter(t, client, workspace.ID).
+	coderdtest.NewWorkspaceAgentWaiter(t, userClient, workspace.ID).
 		WaitFor(coderdtest.AgentsReady)

-	return userClient, task
+	return ownerClient, userClient, task
 }

 // setupCLITaskTestWithSnapshot creates a task in the specified status with a log snapshot.
@@ -139,8 +139,10 @@ func (r *RootCmd) templateVersionsList() *serpent.Command {
 type templateVersionRow struct {
 	// For json format:
 	TemplateVersion codersdk.TemplateVersion `table:"-"`
+	ActiveJSON      bool                     `json:"active" table:"-"`

 	// For table format:
+	ID        string    `json:"-" table:"id"`
 	Name      string    `json:"-" table:"name,default_sort"`
 	CreatedAt time.Time `json:"-" table:"created at"`
 	CreatedBy string    `json:"-" table:"created by"`
@@ -166,6 +168,8 @@ func templateVersionsToRows(activeVersionID uuid.UUID, templateVersions ...coder

 		rows[i] = templateVersionRow{
 			TemplateVersion: templateVersion,
+			ActiveJSON:      templateVersion.ID == activeVersionID,
+			ID:              templateVersion.ID.String(),
 			Name:            templateVersion.Name,
 			CreatedAt:       templateVersion.CreatedAt,
 			CreatedBy:       templateVersion.CreatedBy.Username,
@@ -1,7 +1,9 @@
 package cli_test

 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -40,6 +42,33 @@ func TestTemplateVersions(t *testing.T) {
 		pty.ExpectMatch(version.CreatedBy.Username)
 		pty.ExpectMatch("Active")
 	})
+
+	t.Run("ListVersionsJSON", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		owner := coderdtest.CreateFirstUser(t, client)
+		member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+		version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, nil)
+		_ = coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID)
+
+		inv, root := clitest.New(t, "templates", "versions", "list", template.Name, "--output", "json")
+		clitest.SetupConfig(t, member, root)
+
+		var stdout bytes.Buffer
+		inv.Stdout = &stdout
+
+		require.NoError(t, inv.Run())
+
+		var rows []struct {
+			TemplateVersion codersdk.TemplateVersion `json:"TemplateVersion"`
+			Active          bool                     `json:"active"`
+		}
+		require.NoError(t, json.Unmarshal(stdout.Bytes(), &rows))
+		require.Len(t, rows, 1)
+		assert.Equal(t, version.ID, rows[0].TemplateVersion.ID)
+		assert.True(t, rows[0].Active)
+	})
 }

 func TestTemplateVersionsPromote(t *testing.T) {
@@ -383,13 +383,17 @@ NETWORKING OPTIONS:
      --samesite-auth-cookie lax|none, $CODER_SAMESITE_AUTH_COOKIE (default: lax)
          Controls the 'SameSite' property is set on browser session cookies.

-      --secure-auth-cookie bool, $CODER_SECURE_AUTH_COOKIE
+      --secure-auth-cookie bool, $CODER_SECURE_AUTH_COOKIE (default: false)
          Controls if the 'Secure' property is set on browser session cookies.

      --wildcard-access-url string, $CODER_WILDCARD_ACCESS_URL
          Specifies the wildcard hostname to use for workspace applications in
          the form "*.example.com".

+      --host-prefix-cookie bool, $CODER_HOST_PREFIX_COOKIE (default: false)
+          Recommended to be enabled. Enables `__Host-` prefix for cookies to
+          guarantee they are only set by the right domain.
+
 NETWORKING / DERP OPTIONS: 
 Most Coder deployments never have to think about DERP because all connections
 between workspaces and users are peer-to-peer. However, when Coder cannot
@@ -12,6 +12,8 @@ SUBCOMMANDS:
    delete    Delete tasks
    list      List tasks
    logs      Show a task's logs
+    pause     Pause a task
+    resume    Resume a task
    send      Send input to a task
    status    Show the status of a task.

@@ -0,0 +1,25 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder task pause [flags] <task>
+
+  Pause a task
+
+    - Pause a task by name:
+  
+       $ coder task pause my-task
+  
+    - Pause another user's task:
+  
+       $ coder task pause alice/my-task
+  
+    - Pause a task without confirmation:
+  
+       $ coder task pause my-task --yes
+
+OPTIONS:
+  -y, --yes bool
+          Bypass confirmation prompts.
+
+———
+Run `coder --help` for a list of global options.
@@ -0,0 +1,28 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder task resume [flags] <task>
+
+  Resume a task
+
+    - Resume a task by name:
+  
+       $ coder task resume my-task
+  
+    - Resume another user's task:
+  
+       $ coder task resume alice/my-task
+  
+    - Resume a task without confirmation:
+  
+       $ coder task resume my-task --yes
+
+OPTIONS:
+      --no-wait bool
+          Return immediately after resuming the task.
+
+  -y, --yes bool
+          Bypass confirmation prompts.
+
+———
+Run `coder --help` for a list of global options.
@@ -9,7 +9,7 @@ OPTIONS:
  -O, --org string, $CODER_ORGANIZATION
          Select which organization (uuid or name) to use.

-  -c, --column [name|created at|created by|status|active|archived] (default: name,created at,created by,status,active)
+  -c, --column [id|name|created at|created by|status|active|archived] (default: name,created at,created by,status,active)
          Columns to display in table output.

      --include-archived bool
@@ -27,7 +27,7 @@ USAGE:
 SUBCOMMANDS:
    create    Create a token
    list      List tokens
-    remove    Delete a token
+    remove    Expire or delete a token
    view      Display detailed information about a token

 ———
@@ -15,6 +15,10 @@ OPTIONS:
  -c, --column [id|name|scopes|allow list|last used|expires at|created at|owner] (default: id,name,scopes,allow list,last used,expires at,created at)
          Columns to display in table output.

+      --include-expired bool
+          Include expired tokens in the output. By default, expired tokens are
+          hidden.
+
  -o, --output table|json (default: table)
          Output format.

@@ -1,11 +1,19 @@
 coder v0.0.0-devel

 USAGE:
-  coder tokens remove <name|id|token>
+  coder tokens remove [flags] <name|id|token>

-  Delete a token
+  Expire or delete a token

  Aliases: delete, rm

+  Remove a token by expiring it. Use --delete to permanently hard-delete the
+  token instead.
+
+OPTIONS:
+      --delete bool
+          Permanently delete the token instead of expiring it. This removes the
+          audit trail.
+
 ———
 Run `coder --help` for a list of global options.
@@ -176,11 +176,15 @@ networking:
  # (default: <unset>, type: string-array)
  proxyTrustedOrigins: []
  # Controls if the 'Secure' property is set on browser session cookies.
-  # (default: <unset>, type: bool)
+  # (default: false, type: bool)
  secureAuthCookie: false
  # Controls the 'SameSite' property is set on browser session cookies.
  # (default: lax, type: enum[lax\|none])
  sameSiteAuthCookie: lax
+  # Recommended to be enabled. Enables `__Host-` prefix for cookies to guarantee
+  # they are only set by the right domain.
+  # (default: false, type: bool)
+  hostPrefixCookie: false
  # Whether Coder only allows connections to workspaces via the browser.
  # (default: <unset>, type: bool)
  browserOnly: false
@@ -417,6 +421,11 @@ oidc:
  # an insecure OIDC configuration. It is not recommended to use this flag.
  # (default: <unset>, type: bool)
  dangerousSkipIssuerChecks: false
+  # Optional override of the default redirect url which uses the deployment's access
+  # url. Useful in situations where a deployment has more than 1 domain. Using this
+  # setting can also break OIDC, so use with caution.
+  # (default: <unset>, type: url)
+  oidc-redirect-url:
 # Telemetry is critical to our ability to improve Coder. We strip all personal
 #  information before sending data to our servers. Please only disable telemetry
 #  when required by your organization's security policy.
@@ -218,9 +218,10 @@ func (r *RootCmd) listTokens() *serpent.Command {
 	}

 	var (
-		all           bool
-		displayTokens []tokenListRow
-		formatter     = cliui.NewOutputFormatter(
+		all            bool
+		includeExpired bool
+		displayTokens  []tokenListRow
+		formatter      = cliui.NewOutputFormatter(
 			cliui.TableFormat([]tokenListRow{}, defaultCols),
 			cliui.JSONFormat(),
 		)
@@ -246,6 +247,20 @@ func (r *RootCmd) listTokens() *serpent.Command {
 				return xerrors.Errorf("list tokens: %w", err)
 			}

+			// Filter out expired tokens unless --include-expired is set
+			// TODO(Cian): This _could_ get too big for client-side filtering.
+			// If it causes issues, we can filter server-side.
+			if !includeExpired {
+				now := time.Now()
+				filtered := make([]codersdk.APIKeyWithOwner, 0, len(tokens))
+				for _, token := range tokens {
+					if token.ExpiresAt.After(now) {
+						filtered = append(filtered, token)
+					}
+				}
+				tokens = filtered
+			}
+
 			displayTokens = make([]tokenListRow, len(tokens))

 			for i, token := range tokens {
@@ -274,6 +289,12 @@ func (r *RootCmd) listTokens() *serpent.Command {
 			Description:   "Specifies whether all users' tokens will be listed or not (must have Owner role to see all tokens).",
 			Value:         serpent.BoolOf(&all),
 		},
+		{
+			Name:        "include-expired",
+			Flag:        "include-expired",
+			Description: "Include expired tokens in the output. By default, expired tokens are hidden.",
+			Value:       serpent.BoolOf(&includeExpired),
+		},
 	}

 	formatter.AttachOptions(&cmd.Options)
@@ -323,10 +344,13 @@ func (r *RootCmd) viewToken() *serpent.Command {
 }

 func (r *RootCmd) removeToken() *serpent.Command {
+	var deleteToken bool
 	cmd := &serpent.Command{
 		Use:     "remove <name|id|token>",
 		Aliases: []string{"delete"},
-		Short:   "Delete a token",
+		Short:   "Expire or delete a token",
+		Long: "Remove a token by expiring it. Use --delete to permanently hard-" +
+			"delete the token instead.",
 		Middleware: serpent.Chain(
 			serpent.RequireNArgs(1),
 		),
@@ -338,7 +362,7 @@ func (r *RootCmd) removeToken() *serpent.Command {

 			token, err := client.APIKeyByName(inv.Context(), codersdk.Me, inv.Args[0])
 			if err != nil {
-				// If it's a token, we need to extract the ID
+				// If it's a token, we need to extract the ID.
 				maybeID := strings.Split(inv.Args[0], "-")[0]
 				token, err = client.APIKeyByID(inv.Context(), codersdk.Me, maybeID)
 				if err != nil {
@@ -346,19 +370,31 @@ func (r *RootCmd) removeToken() *serpent.Command {
 				}
 			}

-			err = client.DeleteAPIKey(inv.Context(), codersdk.Me, token.ID)
-			if err != nil {
-				return xerrors.Errorf("delete api key: %w", err)
+			if deleteToken {
+				err = client.DeleteAPIKey(inv.Context(), codersdk.Me, token.ID)
+				if err != nil {
+					return xerrors.Errorf("delete api key: %w", err)
+				}
+				cliui.Infof(inv.Stdout, "Token has been deleted.")
+				return nil
 			}

-			cliui.Infof(
-				inv.Stdout,
-				"Token has been deleted.",
-			)
-
+			err = client.ExpireAPIKey(inv.Context(), codersdk.Me, token.ID)
+			if err != nil {
+				return xerrors.Errorf("expire api key: %w", err)
+			}
+			cliui.Infof(inv.Stdout, "Token has been expired.")
 			return nil
 		},
 	}

+	cmd.Options = serpent.OptionSet{
+		{
+			Flag:        "delete",
+			Description: "Permanently delete the token instead of expiring it. This removes the audit trail.",
+			Value:       serpent.BoolOf(&deleteToken),
+		},
+	}
+
 	return cmd
 }
@@ -6,12 +6,16 @@ import (
 	"encoding/json"
 	"fmt"
 	"testing"
+	"time"

 	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/v2/cli/clitest"
 	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbgen"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/testutil"
 )
@@ -22,7 +26,7 @@ func TestTokens(t *testing.T) {
 	adminUser := coderdtest.CreateFirstUser(t, client)

 	secondUserClient, secondUser := coderdtest.CreateAnotherUser(t, client, adminUser.OrganizationID)
-	_, thirdUser := coderdtest.CreateAnotherUser(t, client, adminUser.OrganizationID)
+	thirdUserClient, thirdUser := coderdtest.CreateAnotherUser(t, client, adminUser.OrganizationID)

 	ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitLong)
 	defer cancelFunc()
@@ -155,7 +159,7 @@ func TestTokens(t *testing.T) {
 	require.Len(t, scopedToken.AllowList, 1)
 	require.Equal(t, allowSpec, scopedToken.AllowList[0].String())

-	// Delete by name
+	// Delete by name (default behavior is now expire)
 	inv, root = clitest.New(t, "tokens", "rm", "token-one")
 	clitest.SetupConfig(t, client, root)
 	buf = new(bytes.Buffer)
@@ -164,10 +168,31 @@ func TestTokens(t *testing.T) {
 	require.NoError(t, err)
 	res = buf.String()
 	require.NotEmpty(t, res)
-	require.Contains(t, res, "deleted")
+	require.Contains(t, res, "expired")

-	// Delete by ID
+	// Regular users cannot expire other users' tokens (expire is default now).
 	inv, root = clitest.New(t, "tokens", "rm", secondTokenID)
+	clitest.SetupConfig(t, thirdUserClient, root)
+	buf = new(bytes.Buffer)
+	inv.Stdout = buf
+	err = inv.WithContext(ctx).Run()
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "not found")
+
+	// Only admin users can expire other users' tokens (expire is default now).
+	inv, root = clitest.New(t, "tokens", "rm", secondTokenID)
+	clitest.SetupConfig(t, client, root)
+	buf = new(bytes.Buffer)
+	inv.Stdout = buf
+	err = inv.WithContext(ctx).Run()
+	require.NoError(t, err)
+	// Validate that token was expired
+	if token, err := client.APIKeyByName(ctx, secondUser.ID.String(), "token-two"); assert.NoError(t, err) {
+		require.True(t, token.ExpiresAt.Before(time.Now()))
+	}
+
+	// Delete by ID (explicit delete flag)
+	inv, root = clitest.New(t, "tokens", "rm", "--delete", secondTokenID)
 	clitest.SetupConfig(t, client, root)
 	buf = new(bytes.Buffer)
 	inv.Stdout = buf
@@ -177,8 +202,8 @@ func TestTokens(t *testing.T) {
 	require.NotEmpty(t, res)
 	require.Contains(t, res, "deleted")

-	// Delete scoped token by ID
-	inv, root = clitest.New(t, "tokens", "rm", scopedTokenID)
+	// Delete scoped token by ID (explicit delete flag)
+	inv, root = clitest.New(t, "tokens", "rm", "--delete", scopedTokenID)
 	clitest.SetupConfig(t, client, root)
 	buf = new(bytes.Buffer)
 	inv.Stdout = buf
@@ -199,8 +224,8 @@ func TestTokens(t *testing.T) {
 	require.NotEmpty(t, res)
 	fourthToken := res

-	// Delete by token
-	inv, root = clitest.New(t, "tokens", "rm", fourthToken)
+	// Delete by token (explicit delete flag)
+	inv, root = clitest.New(t, "tokens", "rm", "--delete", fourthToken)
 	clitest.SetupConfig(t, client, root)
 	buf = new(bytes.Buffer)
 	inv.Stdout = buf
@@ -210,3 +235,114 @@ func TestTokens(t *testing.T) {
 	require.NotEmpty(t, res)
 	require.Contains(t, res, "deleted")
 }
+
+func TestTokensListExpiredFiltering(t *testing.T) {
+	t.Parallel()
+
+	client, _, api := coderdtest.NewWithAPI(t, nil)
+	owner := coderdtest.CreateFirstUser(t, client)
+
+	// Create a valid (non-expired) token
+	validToken, _ := dbgen.APIKey(t, api.Database, database.APIKey{
+		UserID:    owner.UserID,
+		ExpiresAt: time.Now().Add(24 * time.Hour),
+		LoginType: database.LoginTypeToken,
+		TokenName: "valid-token",
+	})
+
+	// Create an expired token
+	expiredToken, _ := dbgen.APIKey(t, api.Database, database.APIKey{
+		UserID:    owner.UserID,
+		ExpiresAt: time.Now().Add(-24 * time.Hour),
+		LoginType: database.LoginTypeToken,
+		TokenName: "expired-token",
+	})
+
+	t.Run("HidesExpiredByDefault", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		inv, root := clitest.New(t, "tokens", "ls")
+		clitest.SetupConfig(t, client, root)
+		buf := new(bytes.Buffer)
+		inv.Stdout = buf
+		err := inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		res := buf.String()
+		require.Contains(t, res, validToken.ID)
+		require.Contains(t, res, "valid-token")
+		require.NotContains(t, res, expiredToken.ID)
+		require.NotContains(t, res, "expired-token")
+	})
+
+	t.Run("ShowsExpiredWithFlag", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		inv, root := clitest.New(t, "tokens", "ls", "--include-expired")
+		clitest.SetupConfig(t, client, root)
+		buf := new(bytes.Buffer)
+		inv.Stdout = buf
+		err := inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		res := buf.String()
+		require.Contains(t, res, validToken.ID)
+		require.Contains(t, res, "valid-token")
+		require.Contains(t, res, expiredToken.ID)
+		require.Contains(t, res, "expired-token")
+	})
+
+	t.Run("JSONOutputRespectsFilter", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		// Default (no expired)
+		inv, root := clitest.New(t, "tokens", "ls", "--output=json")
+		clitest.SetupConfig(t, client, root)
+		buf := new(bytes.Buffer)
+		inv.Stdout = buf
+		err := inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		res := buf.String()
+		require.Contains(t, res, "valid-token")
+		require.NotContains(t, res, "expired-token")
+
+		// With --include-expired
+		inv, root = clitest.New(t, "tokens", "ls", "--output=json", "--include-expired")
+		clitest.SetupConfig(t, client, root)
+		buf = new(bytes.Buffer)
+		inv.Stdout = buf
+		err = inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		res = buf.String()
+		require.Contains(t, res, "valid-token")
+		require.Contains(t, res, "expired-token")
+	})
+
+	t.Run("AllUsersWithIncludeExpired", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		inv, root := clitest.New(t, "tokens", "ls", "--all", "--include-expired")
+		clitest.SetupConfig(t, client, root)
+		buf := new(bytes.Buffer)
+		inv.Stdout = buf
+		err := inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		res := buf.String()
+		// Should show both valid and expired tokens
+		require.Contains(t, res, validToken.ID)
+		require.Contains(t, res, "valid-token")
+		require.Contains(t, res, expiredToken.ID)
+		require.Contains(t, res, "expired-token")
+	})
+}
@@ -1,24 +0,0 @@
-//go:build !windows && !darwin
-
-package cli
-
-import (
-	"golang.org/x/xerrors"
-
-	"github.com/coder/serpent"
-)
-
-func (*RootCmd) vpnDaemonRun() *serpent.Command {
-	cmd := &serpent.Command{
-		Use:   "run",
-		Short: "Run the VPN daemon on Windows.",
-		Middleware: serpent.Chain(
-			serpent.RequireNArgs(0),
-		),
-		Handler: func(_ *serpent.Invocation) error {
-			return xerrors.New("vpn-daemon subcommand is not supported on this platform")
-		},
-	}
-
-	return cmd
-}
@@ -1,4 +1,4 @@
-//go:build windows
+//go:build windows || linux

 package cli

@@ -11,7 +11,7 @@ import (
 	"github.com/coder/serpent"
 )

-func (r *RootCmd) vpnDaemonRun() *serpent.Command {
+func (*RootCmd) vpnDaemonRun() *serpent.Command {
 	var (
 		rpcReadHandleInt  int64
 		rpcWriteHandleInt int64
@@ -19,7 +19,7 @@ func (r *RootCmd) vpnDaemonRun() *serpent.Command {

 	cmd := &serpent.Command{
 		Use:   "run",
-		Short: "Run the VPN daemon on Windows.",
+		Short: "Run the VPN daemon on Windows and Linux.",
 		Middleware: serpent.Chain(
 			serpent.RequireNArgs(0),
 		),
@@ -53,8 +53,8 @@ func (r *RootCmd) vpnDaemonRun() *serpent.Command {
 				return xerrors.Errorf("rpc-read-handle (%v) and rpc-write-handle (%v) must be different", rpcReadHandleInt, rpcWriteHandleInt)
 			}

-			// We don't need to worry about duplicating the handles on Windows,
-			// which is different from Unix.
+			// The manager passes the read and write descriptors directly to the
+			// daemon, so we can open the RPC pipe from the raw values.
 			logger.Info(ctx, "opening bidirectional RPC pipe", slog.F("rpc_read_handle", rpcReadHandleInt), slog.F("rpc_write_handle", rpcWriteHandleInt))
 			pipe, err := vpn.NewBidirectionalPipe(uintptr(rpcReadHandleInt), uintptr(rpcWriteHandleInt))
 			if err != nil {
@@ -62,7 +62,7 @@ func (r *RootCmd) vpnDaemonRun() *serpent.Command {
 			}
 			defer pipe.Close()

-			logger.Info(ctx, "starting tunnel")
+			logger.Info(ctx, "starting VPN tunnel")
 			tunnel, err := vpn.NewTunnel(ctx, logger, pipe, vpn.NewClient(), vpn.UseOSNetworkingStack())
 			if err != nil {
 				return xerrors.Errorf("create new tunnel for client: %w", err)
@@ -1,4 +1,4 @@
-//go:build windows
+//go:build windows || linux

 package cli_test

@@ -67,22 +67,35 @@ func TestVPNDaemonRun(t *testing.T) {

 		r1, w1, err := os.Pipe()
 		require.NoError(t, err)
-		defer r1.Close()
 		defer w1.Close()
+
 		r2, w2, err := os.Pipe()
 		require.NoError(t, err)
 		defer r2.Close()
-		defer w2.Close()
+
+		// The daemon closes the handles passed via NewBidirectionalPipe. Since our
+		// CLI tests run in-process, pass duplicated handles so we can close the
+		// originals without risking a double-close on FD reuse.
+		rpcReadHandle := dupHandle(t, r1)
+		rpcWriteHandle := dupHandle(t, w2)
+		require.NoError(t, r1.Close())
+		require.NoError(t, w2.Close())

 		ctx := testutil.Context(t, testutil.WaitLong)
-		inv, _ := clitest.New(t, "vpn-daemon", "run", "--rpc-read-handle", fmt.Sprint(r1.Fd()), "--rpc-write-handle", fmt.Sprint(w2.Fd()))
+		inv, _ := clitest.New(t,
+			"vpn-daemon",
+			"run",
+			"--rpc-read-handle",
+			fmt.Sprint(rpcReadHandle),
+			"--rpc-write-handle",
+			fmt.Sprint(rpcWriteHandle),
+		)
 		waiter := clitest.StartWithWaiter(t, inv.WithContext(ctx))

-		// Send garbage which should cause the handshake to fail and the daemon
-		// to exit.
-		_, err = w1.Write([]byte("garbage"))
+		// Send an invalid header, including a newline delimiter, so the handshake
+		// fails without requiring context cancellation.
+		_, err = w1.Write([]byte("garbage\n"))
 		require.NoError(t, err)
-		waiter.Cancel()
 		err = waiter.Wait()
 		require.ErrorContains(t, err, "handshake failed")
 	})
@@ -0,0 +1,19 @@
+//go:build linux
+
+package cli_test
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/sys/unix"
+)
+
+func dupHandle(t *testing.T, f *os.File) uintptr {
+	t.Helper()
+
+	dupFD, err := unix.Dup(int(f.Fd()))
+	require.NoError(t, err)
+	return uintptr(dupFD)
+}
@@ -0,0 +1,33 @@
+//go:build windows
+
+package cli_test
+
+import (
+	"os"
+	"syscall"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func dupHandle(t *testing.T, f *os.File) uintptr {
+	t.Helper()
+
+	src := syscall.Handle(f.Fd())
+	var dup syscall.Handle
+
+	proc, err := syscall.GetCurrentProcess()
+	require.NoError(t, err)
+
+	err = syscall.DuplicateHandle(
+		proc,
+		src,
+		proc,
+		&dup,
+		0,
+		false,
+		syscall.DUPLICATE_SAME_ACCESS,
+	)
+	require.NoError(t, err)
+	return uintptr(dup)
+}
@@ -128,7 +128,7 @@ func (a *SubAgentAPI) CreateSubAgent(ctx context.Context, req *agentproto.Create
 		Name:                     agentName,
 		ResourceID:               parentAgent.ResourceID,
 		AuthToken:                uuid.New(),
-		AuthInstanceID:           parentAgent.AuthInstanceID,
+		AuthInstanceID:           sql.NullString{},
 		Architecture:             req.Architecture,
 		EnvironmentVariables:     pqtype.NullRawMessage{},
 		OperatingSystem:          req.OperatingSystem,
@@ -175,6 +175,52 @@ func TestSubAgentAPI(t *testing.T) {
 		}
 	})

+	// Context: https://github.com/coder/coder/pull/22196
+	t.Run("CreateSubAgentDoesNotInheritAuthInstanceID", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			log   = testutil.Logger(t)
+			clock = quartz.NewMock(t)
+
+			db, org     = newDatabaseWithOrg(t)
+			user, agent = newUserWithWorkspaceAgent(t, db, org)
+		)
+
+		// Given: The parent agent has an AuthInstanceID set
+		ctx := testutil.Context(t, testutil.WaitShort)
+		parentAgent, err := db.GetWorkspaceAgentByID(dbauthz.AsSystemRestricted(ctx), agent.ID)
+		require.NoError(t, err)
+		require.True(t, parentAgent.AuthInstanceID.Valid, "parent agent should have an AuthInstanceID")
+		require.NotEmpty(t, parentAgent.AuthInstanceID.String)
+
+		api := newAgentAPI(t, log, db, clock, user, org, agent)
+
+		// When: We create a sub agent
+		createResp, err := api.CreateSubAgent(ctx, &proto.CreateSubAgentRequest{
+			Name:            "sub-agent",
+			Directory:       "/workspaces/test",
+			Architecture:    "amd64",
+			OperatingSystem: "linux",
+		})
+		require.NoError(t, err)
+
+		subAgentID, err := uuid.FromBytes(createResp.Agent.Id)
+		require.NoError(t, err)
+
+		// Then: The sub-agent must NOT re-use the parent's AuthInstanceID.
+		subAgent, err := db.GetWorkspaceAgentByID(dbauthz.AsSystemRestricted(ctx), subAgentID)
+		require.NoError(t, err)
+		assert.False(t, subAgent.AuthInstanceID.Valid, "sub-agent should not have an AuthInstanceID")
+		assert.Empty(t, subAgent.AuthInstanceID.String, "sub-agent AuthInstanceID string should be empty")
+
+		// Double-check: looking up by the parent's instance ID must
+		// still return the parent, not the sub-agent.
+		lookedUp, err := db.GetWorkspaceAgentByInstanceID(dbauthz.AsSystemRestricted(ctx), parentAgent.AuthInstanceID.String)
+		require.NoError(t, err)
+		assert.Equal(t, parentAgent.ID, lookedUp.ID, "instance ID lookup should still return the parent agent")
+	})
+
 	type expectedAppError struct {
 		index int32
 		field string
@@ -1320,7 +1366,6 @@ func TestSubAgentAPI(t *testing.T) {
 		}

 		for _, tc := range tests {
-			tc := tc
 			t.Run(tc.name, func(t *testing.T) {
 				t.Parallel()

@@ -21,10 +21,12 @@ import (
 	agentapisdk "github.com/coder/agentapi-sdk-go"
 	"github.com/coder/coder/v2/coderd/audit"
 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpapi/httperror"
 	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/coderd/notifications"
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/searchquery"
@@ -1300,7 +1302,127 @@ func (api *API) pauseTask(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if _, err := api.NotificationsEnqueuer.Enqueue(
+		// nolint:gocritic // Need notifier actor to enqueue notifications.
+		dbauthz.AsNotifier(ctx),
+		workspace.OwnerID,
+		notifications.TemplateTaskPaused,
+		map[string]string{
+			"task":         task.Name,
+			"task_id":      task.ID.String(),
+			"workspace":    workspace.Name,
+			"pause_reason": "manual",
+		},
+		"api-task-pause",
+		workspace.ID, workspace.OwnerID, workspace.OrganizationID,
+	); err != nil {
+		api.Logger.Warn(ctx, "failed to notify of task paused", slog.Error(err), slog.F("task_id", task.ID), slog.F("workspace_id", workspace.ID))
+	}
+
 	httpapi.Write(ctx, rw, http.StatusAccepted, codersdk.PauseTaskResponse{
 		WorkspaceBuild: &build,
 	})
 }
+
+// @Summary Resume task
+// @ID resume-task
+// @Security CoderSessionToken
+// @Accept json
+// @Tags Tasks
+// @Param user path string true "Username, user ID, or 'me' for the authenticated user"
+// @Param task path string true "Task ID" format(uuid)
+// @Success 202 {object} codersdk.ResumeTaskResponse
+// @Router /tasks/{user}/{task}/resume [post]
+func (api *API) resumeTask(rw http.ResponseWriter, r *http.Request) {
+	var (
+		ctx    = r.Context()
+		apiKey = httpmw.APIKey(r)
+		task   = httpmw.TaskParam(r)
+	)
+
+	if !task.WorkspaceID.Valid {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Task does not have a workspace.",
+		})
+		return
+	}
+
+	workspace, err := api.Database.GetWorkspaceByID(ctx, task.WorkspaceID.UUID)
+	if err != nil {
+		if httpapi.Is404Error(err) {
+			httpapi.ResourceNotFound(rw)
+			return
+		}
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error fetching task workspace.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	latestBuild, err := api.Database.GetLatestWorkspaceBuildByWorkspaceID(ctx, workspace.ID)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error fetching task workspace build.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+	job, err := api.Database.GetProvisionerJobByID(ctx, latestBuild.JobID)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error fetching task workspace build job.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+	workspaceStatus := codersdk.ConvertWorkspaceStatus(
+		codersdk.ProvisionerJobStatus(job.JobStatus),
+		codersdk.WorkspaceTransition(latestBuild.Transition),
+	)
+	if workspaceStatus == codersdk.WorkspaceStatusRunning {
+		httpapi.Write(ctx, rw, http.StatusConflict, codersdk.Response{
+			Message: "Task workspace is already running.",
+			Detail:  fmt.Sprintf("Workspace status is %q.", workspaceStatus),
+		})
+		return
+	}
+
+	buildReq := codersdk.CreateWorkspaceBuildRequest{
+		Transition: codersdk.WorkspaceTransitionStart,
+		Reason:     codersdk.CreateWorkspaceBuildReasonTaskResume,
+	}
+	build, err := api.postWorkspaceBuildsInternal(
+		ctx,
+		apiKey,
+		workspace,
+		buildReq,
+		func(action policy.Action, object rbac.Objecter) bool {
+			return api.Authorize(r, action, object)
+		},
+		audit.WorkspaceBuildBaggageFromRequest(r),
+	)
+	if err != nil {
+		httperror.WriteWorkspaceBuildError(ctx, rw, err)
+		return
+	}
+	if _, err := api.NotificationsEnqueuer.Enqueue(
+		// nolint:gocritic // Need notifier actor to enqueue notifications.
+		dbauthz.AsNotifier(ctx),
+		workspace.OwnerID,
+		notifications.TemplateTaskResumed,
+		map[string]string{
+			"task":      task.Name,
+			"task_id":   task.ID.String(),
+			"workspace": workspace.Name,
+		},
+		"api-task-resume",
+		workspace.ID, workspace.OwnerID, workspace.OrganizationID,
+	); err != nil {
+		api.Logger.Warn(ctx, "failed to notify of task resumed", slog.Error(err), slog.F("task_id", task.ID), slog.F("workspace_id", workspace.ID))
+	}
+
+	httpapi.Write(ctx, rw, http.StatusAccepted, codersdk.ResumeTaskResponse{
+		WorkspaceBuild: &build,
+	})
+}
@@ -45,10 +45,10 @@ import (
 )

 // createTaskInState is a helper to create a task in the desired state.
-// It returns a function that takes context, test, and status, and returns the task ID.
+// It returns a function that takes context, test, and status, and returns the task.
 // The caller is responsible for setting up the database, owner, and user.
-func createTaskInState(db database.Store, ownerSubject rbac.Subject, ownerOrgID, userID uuid.UUID) func(context.Context, *testing.T, database.TaskStatus) uuid.UUID {
-	return func(ctx context.Context, t *testing.T, status database.TaskStatus) uuid.UUID {
+func createTaskInState(db database.Store, ownerSubject rbac.Subject, ownerOrgID, userID uuid.UUID) func(context.Context, *testing.T, database.TaskStatus) database.Task {
+	return func(ctx context.Context, t *testing.T, status database.TaskStatus) database.Task {
 		ctx = dbauthz.As(ctx, ownerSubject)

 		builder := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
@@ -65,6 +65,9 @@ func createTaskInState(db database.Store, ownerSubject rbac.Subject, ownerOrgID,
 			builder = builder.Pending()
 		case database.TaskStatusInitializing:
 			builder = builder.Starting()
+		case database.TaskStatusActive:
+			// Default builder produces a succeeded start build.
+			// Post-processing below sets agent and app to active.
 		case database.TaskStatusPaused:
 			builder = builder.Seed(database.WorkspaceBuild{
 				Transition: database.WorkspaceTransitionStop,
@@ -76,31 +79,32 @@ func createTaskInState(db database.Store, ownerSubject rbac.Subject, ownerOrgID,
 		}

 		resp := builder.Do()
-		taskID := resp.Task.ID

 		// Post-process by manipulating agent and app state.
-		if status == database.TaskStatusError {
-			// First, set agent to ready state so agent_status returns 'active'.
-			// This ensures the cascade reaches app_status.
+		if status == database.TaskStatusActive || status == database.TaskStatusError {
+			// Set agent to ready state so agent_status returns 'active'.
 			err := db.UpdateWorkspaceAgentLifecycleStateByID(ctx, database.UpdateWorkspaceAgentLifecycleStateByIDParams{
 				ID:             resp.Agents[0].ID,
 				LifecycleState: database.WorkspaceAgentLifecycleStateReady,
 			})
 			require.NoError(t, err)

-			// Then set workspace app health to unhealthy to trigger error state.
 			apps, err := db.GetWorkspaceAppsByAgentID(ctx, resp.Agents[0].ID)
 			require.NoError(t, err)
 			require.Len(t, apps, 1, "expected exactly one app for task")

+			appHealth := database.WorkspaceAppHealthHealthy
+			if status == database.TaskStatusError {
+				appHealth = database.WorkspaceAppHealthUnhealthy
+			}
 			err = db.UpdateWorkspaceAppHealthByID(ctx, database.UpdateWorkspaceAppHealthByIDParams{
 				ID:     apps[0].ID,
-				Health: database.WorkspaceAppHealthUnhealthy,
+				Health: appHealth,
 			})
 			require.NoError(t, err)
 		}

-		return taskID
+		return resp.Task
 	}
 }

@@ -845,9 +849,9 @@ func TestTasks(t *testing.T) {
 				t.Parallel()

 				ctx := testutil.Context(t, testutil.WaitMedium)
-				taskID := createTask(ctx, t, database.TaskStatusPaused)
+				task := createTask(ctx, t, database.TaskStatusPaused)

-				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
+				err := client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
 					Input: "Hello",
 				})

@@ -863,9 +867,9 @@ func TestTasks(t *testing.T) {
 				t.Parallel()

 				ctx := testutil.Context(t, testutil.WaitMedium)
-				taskID := createTask(ctx, t, database.TaskStatusInitializing)
+				task := createTask(ctx, t, database.TaskStatusInitializing)

-				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
+				err := client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
 					Input: "Hello",
 				})

@@ -881,9 +885,9 @@ func TestTasks(t *testing.T) {
 				t.Parallel()

 				ctx := testutil.Context(t, testutil.WaitMedium)
-				taskID := createTask(ctx, t, database.TaskStatusPending)
+				task := createTask(ctx, t, database.TaskStatusPending)

-				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
+				err := client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
 					Input: "Hello",
 				})

@@ -899,9 +903,9 @@ func TestTasks(t *testing.T) {
 				t.Parallel()

 				ctx := testutil.Context(t, testutil.WaitMedium)
-				taskID := createTask(ctx, t, database.TaskStatusError)
+				task := createTask(ctx, t, database.TaskStatusError)

-				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
+				err := client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
 					Input: "Hello",
 				})

@@ -1120,16 +1124,16 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			taskID := createTask(ctx, t, database.TaskStatusPending)
+			task := createTask(ctx, t, database.TaskStatusPending)

 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
-				TaskID:               taskID,
+				TaskID:               task.ID,
 				LogSnapshot:          json.RawMessage(snapshotJSON),
 				LogSnapshotCreatedAt: snapshotTime,
 			})
 			require.NoError(t, err, "upserting task snapshot")

-			logsResp, err := client.TaskLogs(ctx, "me", taskID)
+			logsResp, err := client.TaskLogs(ctx, "me", task.ID)
 			require.NoError(t, err, "fetching task logs")
 			verifySnapshotLogs(t, logsResp)
 		})
@@ -1138,16 +1142,16 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			taskID := createTask(ctx, t, database.TaskStatusInitializing)
+			task := createTask(ctx, t, database.TaskStatusInitializing)

 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
-				TaskID:               taskID,
+				TaskID:               task.ID,
 				LogSnapshot:          json.RawMessage(snapshotJSON),
 				LogSnapshotCreatedAt: snapshotTime,
 			})
 			require.NoError(t, err, "upserting task snapshot")

-			logsResp, err := client.TaskLogs(ctx, "me", taskID)
+			logsResp, err := client.TaskLogs(ctx, "me", task.ID)
 			require.NoError(t, err, "fetching task logs")
 			verifySnapshotLogs(t, logsResp)
 		})
@@ -1156,16 +1160,16 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			taskID := createTask(ctx, t, database.TaskStatusPaused)
+			task := createTask(ctx, t, database.TaskStatusPaused)

 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
-				TaskID:               taskID,
+				TaskID:               task.ID,
 				LogSnapshot:          json.RawMessage(snapshotJSON),
 				LogSnapshotCreatedAt: snapshotTime,
 			})
 			require.NoError(t, err, "upserting task snapshot")

-			logsResp, err := client.TaskLogs(ctx, "me", taskID)
+			logsResp, err := client.TaskLogs(ctx, "me", task.ID)
 			require.NoError(t, err, "fetching task logs")
 			verifySnapshotLogs(t, logsResp)
 		})
@@ -1174,9 +1178,9 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			taskID := createTask(ctx, t, database.TaskStatusPending)
+			task := createTask(ctx, t, database.TaskStatusPending)

-			logsResp, err := client.TaskLogs(ctx, "me", taskID)
+			logsResp, err := client.TaskLogs(ctx, "me", task.ID)
 			require.NoError(t, err)

 			assert.True(t, logsResp.Snapshot)
@@ -1188,7 +1192,7 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			taskID := createTask(ctx, t, database.TaskStatusPending)
+			task := createTask(ctx, t, database.TaskStatusPending)

 			invalidEnvelope := coderd.TaskLogSnapshotEnvelope{
 				Format: "unknown-format",
@@ -1198,13 +1202,13 @@ func TestTasks(t *testing.T) {
 			require.NoError(t, err)

 			err = db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
-				TaskID:               taskID,
+				TaskID:               task.ID,
 				LogSnapshot:          json.RawMessage(invalidJSON),
 				LogSnapshotCreatedAt: snapshotTime,
 			})
 			require.NoError(t, err)

-			_, err = client.TaskLogs(ctx, "me", taskID)
+			_, err = client.TaskLogs(ctx, "me", task.ID)
 			require.Error(t, err)

 			var sdkErr *codersdk.Error
@@ -1217,16 +1221,16 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			taskID := createTask(ctx, t, database.TaskStatusPending)
+			task := createTask(ctx, t, database.TaskStatusPending)

 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
-				TaskID:               taskID,
+				TaskID:               task.ID,
 				LogSnapshot:          json.RawMessage(`{"format":"agentapi","data":"not an object"}`),
 				LogSnapshotCreatedAt: snapshotTime,
 			})
 			require.NoError(t, err)

-			_, err = client.TaskLogs(ctx, "me", taskID)
+			_, err = client.TaskLogs(ctx, "me", task.ID)
 			require.Error(t, err)

 			var sdkErr *codersdk.Error
@@ -1238,9 +1242,9 @@ func TestTasks(t *testing.T) {
 			t.Parallel()

 			ctx := testutil.Context(t, testutil.WaitMedium)
-			taskID := createTask(ctx, t, database.TaskStatusError)
+			task := createTask(ctx, t, database.TaskStatusError)

-			_, err := client.TaskLogs(ctx, "me", taskID)
+			_, err := client.TaskLogs(ctx, "me", task.ID)
 			require.Error(t, err)

 			var sdkErr *codersdk.Error
@@ -2512,13 +2516,20 @@ func TestPauseTask(t *testing.T) {
 		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)

 		resp, err := client.PauseTask(ctx, codersdk.Me, task.ID)
+
+		// Verify that the request was accepted correctly:
 		require.NoError(t, err)
 		build := *resp.WorkspaceBuild
-		require.NotNil(t, build)
 		require.Equal(t, codersdk.WorkspaceTransitionStop, build.Transition)
 		require.Equal(t, task.WorkspaceID.UUID, build.WorkspaceID)
 		require.Equal(t, workspace.LatestBuild.BuildNumber+1, build.BuildNumber)
 		require.Equal(t, string(codersdk.CreateWorkspaceBuildReasonTaskManualPause), string(build.Reason))
+
+		// Verify that the accepted request was processed correctly:
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, build.ID)
+		workspace, err = client.Workspace(ctx, task.WorkspaceID.UUID)
+		require.NoError(t, err)
+		require.Equal(t, codersdk.WorkspaceStatusStopped, workspace.LatestBuild.Status)
 	})

 	t.Run("Non-owner role access", func(t *testing.T) {
@@ -2556,7 +2567,6 @@ func TestPauseTask(t *testing.T) {
 		}

 		for _, tc := range cases {
-			tc := tc
 			t.Run(tc.name, func(t *testing.T) {
 				task, _ := setupWorkspaceTask(t, db, owner)
 				userClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, tc.roles...)
@@ -2780,4 +2790,402 @@ func TestPauseTask(t *testing.T) {
 		require.ErrorAs(t, err, &apiErr)
 		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
 	})
+
+	t.Run("Notification", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			notifyEnq       = &notificationstest.FakeEnqueuer{}
+			ownerClient, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{NotificationsEnqueuer: notifyEnq})
+			owner           = coderdtest.CreateFirstUser(t, ownerClient)
+		)
+
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		ownerUser, err := ownerClient.User(ctx, owner.UserID.String())
+		require.NoError(t, err)
+
+		createTask := createTaskInState(db, coderdtest.AuthzUserSubject(ownerUser), owner.OrganizationID, owner.UserID)
+
+		// Given: A task in an active state
+		task := createTask(ctx, t, database.TaskStatusActive)
+
+		workspace, err := ownerClient.Workspace(ctx, task.WorkspaceID.UUID)
+		require.NoError(t, err)
+
+		// When: We pause the task
+		_, err = ownerClient.PauseTask(ctx, codersdk.Me, task.ID)
+		require.NoError(t, err)
+
+		// Then: A notification should be sent
+		sent := notifyEnq.Sent(notificationstest.WithTemplateID(notifications.TemplateTaskPaused))
+		require.Len(t, sent, 1)
+		require.Equal(t, owner.UserID, sent[0].UserID)
+		require.Equal(t, task.Name, sent[0].Labels["task"])
+		require.Equal(t, task.ID.String(), sent[0].Labels["task_id"])
+		require.Equal(t, workspace.Name, sent[0].Labels["workspace"])
+		require.Equal(t, "manual", sent[0].Labels["pause_reason"])
+	})
+}
+
+func TestResumeTask(t *testing.T) {
+	t.Parallel()
+
+	setupClient := func(t *testing.T, db database.Store, ps pubsub.Pubsub, authorizer rbac.Authorizer) *codersdk.Client {
+		t.Helper()
+		client, _, _ := coderdtest.NewWithAPI(t, &coderdtest.Options{
+			Database:                 db,
+			Pubsub:                   ps,
+			Authorizer:               authorizer,
+			IncludeProvisionerDaemon: true,
+		})
+		return client
+	}
+
+	setupWorkspaceTask := func(t *testing.T, db database.Store, user codersdk.CreateFirstUserResponse) (database.Task, uuid.UUID) {
+		t.Helper()
+		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+			OrganizationID: user.OrganizationID,
+			OwnerID:        user.UserID,
+		}).WithTask(database.TaskTable{
+			Prompt: "resume me",
+		}, nil).Do()
+		return workspaceBuild.Task, workspaceBuild.Workspace.ID
+	}
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitLong)
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:          echo.ParseComplete,
+			ProvisionApply: echo.ApplyComplete,
+			ProvisionGraph: []*proto.Response{
+				{Type: &proto.Response_Graph{Graph: &proto.GraphComplete{
+					HasAiTasks: true,
+				}}},
+			},
+		})
+		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		task, err := client.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
+			TemplateVersionID: template.ActiveVersionID,
+			Input:             "resume me",
+		})
+		require.NoError(t, err)
+
+		workspace, err := client.Workspace(ctx, task.WorkspaceID.UUID)
+		require.NoError(t, err)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
+
+		pauseResp, err := client.PauseTask(ctx, codersdk.Me, task.ID)
+		require.NoError(t, err)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, pauseResp.WorkspaceBuild.ID)
+
+		resumeResp, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
+		require.NoError(t, err)
+		build := *resumeResp.WorkspaceBuild
+		require.Equal(t, codersdk.WorkspaceTransitionStart, build.Transition)
+		require.Equal(t, task.WorkspaceID.UUID, build.WorkspaceID)
+		require.Equal(t, workspace.LatestBuild.BuildNumber+2, build.BuildNumber)
+		require.Equal(t, string(codersdk.CreateWorkspaceBuildReasonTaskResume), string(build.Reason))
+
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, build.ID)
+		workspace, err = client.Workspace(ctx, task.WorkspaceID.UUID)
+		require.NoError(t, err)
+		require.Equal(t, codersdk.WorkspaceStatusRunning, workspace.LatestBuild.Status)
+	})
+
+	t.Run("Resume a task that is not paused", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitLong)
+		db, ps := dbtestutil.NewDB(t)
+		client := setupClient(t, db, ps, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+			OrganizationID: user.OrganizationID,
+			OwnerID:        user.UserID,
+		}).
+			WithTask(database.TaskTable{
+				Prompt: "pause me",
+			}, nil).
+			Succeeded().
+			Do()
+
+		_, err := client.ResumeTask(ctx, codersdk.Me, workspaceBuild.Task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusConflict, apiErr.StatusCode())
+	})
+
+	t.Run("Task not found", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		_ = coderdtest.CreateFirstUser(t, client)
+
+		_, err := client.ResumeTask(ctx, codersdk.Me, uuid.New())
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
+	})
+
+	t.Run("Task lookup forbidden", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		auth := &coderdtest.FakeAuthorizer{
+			ConditionalReturn: func(_ context.Context, _ rbac.Subject, action policy.Action, object rbac.Object) error {
+				if action == policy.ActionRead && object.Type == rbac.ResourceTask.Type {
+					return rbac.UnauthorizedError{}
+				}
+				return nil
+			},
+		}
+		client := setupClient(t, db, ps, auth)
+		user := coderdtest.CreateFirstUser(t, client)
+		task, _ := setupWorkspaceTask(t, db, user)
+
+		_, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
+	})
+
+	t.Run("Workspace lookup forbidden", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		auth := &coderdtest.FakeAuthorizer{
+			ConditionalReturn: func(_ context.Context, _ rbac.Subject, action policy.Action, object rbac.Object) error {
+				if action == policy.ActionRead && object.Type == rbac.ResourceWorkspace.Type {
+					return rbac.UnauthorizedError{}
+				}
+				return nil
+			},
+		}
+		client := setupClient(t, db, ps, auth)
+		user := coderdtest.CreateFirstUser(t, client)
+		task, _ := setupWorkspaceTask(t, db, user)
+
+		_, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
+	})
+
+	t.Run("No Workspace for Task", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		client := setupClient(t, db, ps, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+
+		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+			OrganizationID: user.OrganizationID,
+			OwnerID:        user.UserID,
+		}).Do()
+		task := dbgen.Task(t, db, database.TaskTable{
+			OrganizationID:    user.OrganizationID,
+			OwnerID:           user.UserID,
+			TemplateVersionID: workspaceBuild.Build.TemplateVersionID,
+			Prompt:            "no workspace",
+		})
+
+		_, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
+		require.Equal(t, "Task does not have a workspace.", apiErr.Message)
+	})
+
+	t.Run("Workspace not found", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		var workspaceID uuid.UUID
+		wrapped := aiTaskStoreWrapper{
+			Store: db,
+			getWorkspaceByID: func(ctx context.Context, id uuid.UUID) (database.Workspace, error) {
+				if id == workspaceID && id != uuid.Nil {
+					return database.Workspace{}, sql.ErrNoRows
+				}
+				return db.GetWorkspaceByID(ctx, id)
+			},
+		}
+		client := setupClient(t, wrapped, ps, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		task, workspaceIDValue := setupWorkspaceTask(t, db, user)
+		workspaceID = workspaceIDValue
+
+		_, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
+	})
+
+	t.Run("Workspace lookup internal error", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		var workspaceID uuid.UUID
+		wrapped := aiTaskStoreWrapper{
+			Store: db,
+			getWorkspaceByID: func(ctx context.Context, id uuid.UUID) (database.Workspace, error) {
+				if id == workspaceID && id != uuid.Nil {
+					return database.Workspace{}, xerrors.New("boom")
+				}
+				return db.GetWorkspaceByID(ctx, id)
+			},
+		}
+		client := setupClient(t, wrapped, ps, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		task, workspaceIDValue := setupWorkspaceTask(t, db, user)
+		workspaceID = workspaceIDValue
+
+		_, err := client.ResumeTask(ctx, codersdk.Me, task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
+		require.Equal(t, "Internal error fetching task workspace.", apiErr.Message)
+	})
+
+	t.Run("Build Forbidden", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		auth := &coderdtest.FakeAuthorizer{
+			ConditionalReturn: func(_ context.Context, _ rbac.Subject, action policy.Action, object rbac.Object) error {
+				if action == policy.ActionWorkspaceStart && object.Type == rbac.ResourceWorkspace.Type {
+					return rbac.UnauthorizedError{}
+				}
+				return nil
+			},
+		}
+		client := setupClient(t, db, ps, auth)
+		user := coderdtest.CreateFirstUser(t, client)
+		task, _ := setupWorkspaceTask(t, db, user)
+
+		pauseResp, err := client.PauseTask(ctx, codersdk.Me, task.ID)
+		require.NoError(t, err)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, pauseResp.WorkspaceBuild.ID)
+
+		_, err = client.ResumeTask(ctx, codersdk.Me, task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
+	})
+
+	t.Run("Job already in progress", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		client := setupClient(t, db, ps, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+			OrganizationID: user.OrganizationID,
+			OwnerID:        user.UserID,
+		}).
+			WithTask(database.TaskTable{
+				Prompt: "resume me",
+			}, nil).
+			Starting().
+			Do()
+
+		_, err := client.ResumeTask(ctx, codersdk.Me, workspaceBuild.Task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusConflict, apiErr.StatusCode())
+	})
+
+	t.Run("Build Internal Error", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		wrapped := aiTaskStoreWrapper{
+			Store: db,
+		}
+
+		client := setupClient(t, &wrapped, ps, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:          echo.ParseComplete,
+			ProvisionApply: echo.ApplyComplete,
+			ProvisionGraph: []*proto.Response{
+				{Type: &proto.Response_Graph{Graph: &proto.GraphComplete{
+					HasAiTasks: true,
+				}}},
+			},
+		})
+		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		task, err := client.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
+			TemplateVersionID: template.ActiveVersionID,
+			Input:             "resume me",
+		})
+		require.NoError(t, err)
+
+		workspace, err := client.Workspace(ctx, task.WorkspaceID.UUID)
+		require.NoError(t, err)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
+
+		pauseResp, err := client.PauseTask(ctx, codersdk.Me, task.ID)
+		require.NoError(t, err)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, pauseResp.WorkspaceBuild.ID)
+
+		// Induce a transient failure in the database after the task has been paused.
+		wrapped.insertWorkspaceBuild = func(ctx context.Context, arg database.InsertWorkspaceBuildParams) error {
+			return xerrors.New("insert failed")
+		}
+		_, err = client.ResumeTask(ctx, codersdk.Me, task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
+	})
+
+	t.Run("Notification", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			notifyEnq       = &notificationstest.FakeEnqueuer{}
+			ownerClient, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{NotificationsEnqueuer: notifyEnq})
+			owner           = coderdtest.CreateFirstUser(t, ownerClient)
+		)
+
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		ownerUser, err := ownerClient.User(ctx, owner.UserID.String())
+		require.NoError(t, err)
+
+		createTask := createTaskInState(db, coderdtest.AuthzUserSubject(ownerUser), owner.OrganizationID, owner.UserID)
+
+		// Given: A task in a paused state
+		task := createTask(ctx, t, database.TaskStatusPaused)
+
+		workspace, err := ownerClient.Workspace(ctx, task.WorkspaceID.UUID)
+		require.NoError(t, err)
+
+		// When: We resume the task
+		_, err = ownerClient.ResumeTask(ctx, codersdk.Me, task.ID)
+		require.NoError(t, err)
+
+		// Then: A notification should be sent
+		sent := notifyEnq.Sent(notificationstest.WithTemplateID(notifications.TemplateTaskResumed))
+		require.Len(t, sent, 1)
+		require.Equal(t, owner.UserID, sent[0].UserID)
+		require.Equal(t, task.Name, sent[0].Labels["task"])
+		require.Equal(t, task.ID.String(), sent[0].Labels["task_id"])
+		require.Equal(t, workspace.Name, sent[0].Labels["workspace"])
+	})
 }
@@ -3745,6 +3745,69 @@ const docTemplate = `{
                }
            }
        },
+        "/organizations/{organization}/members/{user}/workspaces/available-users": {
+            "get": {
+                "security": [
+                    {
+                        "CoderSessionToken": []
+                    }
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Workspaces"
+                ],
+                "summary": "Get users available for workspace creation",
+                "operationId": "get-users-available-for-workspace-creation",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "format": "uuid",
+                        "description": "Organization ID",
+                        "name": "organization",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "User ID, name, or me",
+                        "name": "user",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "Search query",
+                        "name": "q",
+                        "in": "query"
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Limit results",
+                        "name": "limit",
+                        "in": "query"
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Offset for pagination",
+                        "name": "offset",
+                        "in": "query"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/codersdk.MinimalUser"
+                            }
+                        }
+                    }
+                }
+            }
+        },
        "/organizations/{organization}/paginated-members": {
            "get": {
                "security": [
@@ -5866,6 +5929,48 @@ const docTemplate = `{
                }
            }
        },
+        "/tasks/{user}/{task}/resume": {
+            "post": {
+                "security": [
+                    {
+                        "CoderSessionToken": []
+                    }
+                ],
+                "consumes": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Tasks"
+                ],
+                "summary": "Resume task",
+                "operationId": "resume-task",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Username, user ID, or 'me' for the authenticated user",
+                        "name": "user",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "format": "uuid",
+                        "description": "Task ID",
+                        "name": "task",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "202": {
+                        "description": "Accepted",
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.ResumeTaskResponse"
+                        }
+                    }
+                }
+            }
+        },
        "/tasks/{user}/{task}/send": {
            "post": {
                "security": [
@@ -8344,6 +8449,54 @@ const docTemplate = `{
                }
            }
        },
+        "/users/{user}/keys/{keyid}/expire": {
+            "put": {
+                "security": [
+                    {
+                        "CoderSessionToken": []
+                    }
+                ],
+                "tags": [
+                    "Users"
+                ],
+                "summary": "Expire API key",
+                "operationId": "expire-api-key",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "User ID, name, or me",
+                        "name": "user",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "format": "string",
+                        "description": "Key ID",
+                        "name": "keyid",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "204": {
+                        "description": "No Content"
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.Response"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.Response"
+                        }
+                    }
+                }
+            }
+        },
        "/users/{user}/login-type": {
            "get": {
                "security": [
@@ -12261,6 +12414,9 @@ const docTemplate = `{
                "api_key_id": {
                    "type": "string"
                },
+                "client": {
+                    "type": "string"
+                },
                "ended_at": {
                    "type": "string",
                    "format": "date-time"
@@ -13460,7 +13616,10 @@ const docTemplate = `{
                "cli",
                "ssh_connection",
                "vscode_connection",
-                "jetbrains_connection"
+                "jetbrains_connection",
+                "task_auto_pause",
+                "task_manual_pause",
+                "task_resume"
            ],
            "x-enum-varnames": [
                "BuildReasonInitiator",
@@ -13471,7 +13630,10 @@ const docTemplate = `{
                "BuildReasonCLI",
                "BuildReasonSSHConnection",
                "BuildReasonVSCodeConnection",
-                "BuildReasonJetbrainsConnection"
+                "BuildReasonJetbrainsConnection",
+                "BuildReasonTaskAutoPause",
+                "BuildReasonTaskManualPause",
+                "BuildReasonTaskResume"
            ]
        },
        "codersdk.CORSBehavior": {
@@ -14145,7 +14307,8 @@ const docTemplate = `{
                "ssh_connection",
                "vscode_connection",
                "jetbrains_connection",
-                "task_manual_pause"
+                "task_manual_pause",
+                "task_resume"
            ],
            "x-enum-varnames": [
                "CreateWorkspaceBuildReasonDashboard",
@@ -14153,7 +14316,8 @@ const docTemplate = `{
                "CreateWorkspaceBuildReasonSSHConnection",
                "CreateWorkspaceBuildReasonVSCodeConnection",
                "CreateWorkspaceBuildReasonJetbrainsConnection",
-                "CreateWorkspaceBuildReasonTaskManualPause"
+                "CreateWorkspaceBuildReasonTaskManualPause",
+                "CreateWorkspaceBuildReasonTaskResume"
            ]
        },
        "codersdk.CreateWorkspaceBuildRequest": {
@@ -15204,10 +15368,6 @@ const docTemplate = `{
                "limit": {
                    "type": "integer"
                },
-                "soft_limit": {
-                    "description": "SoftLimit is the soft limit of the feature, and is only used for showing\nincluded limits in the dashboard. No license validation or warnings are\ngenerated from this value.",
-                    "type": "integer"
-                },
                "usage_period": {
                    "description": "UsagePeriod denotes that the usage is a counter that accumulates over\nthis period (and most likely resets with the issuance of the next\nlicense).\n\nThese dates are determined from the license that this entitlement comes\nfrom, see enterprise/coderd/license/license.go.\n\nOnly certain features set these fields:\n- FeatureManagedAgentLimit",
                    "allOf": [
@@ -15411,6 +15571,9 @@ const docTemplate = `{
        "codersdk.HTTPCookieConfig": {
            "type": "object",
            "properties": {
+                "host_prefix": {
+                    "type": "boolean"
+                },
                "same_site": {
                    "type": "string"
                },
@@ -16621,6 +16784,14 @@ const docTemplate = `{
                "organization_mapping": {
                    "type": "object"
                },
+                "redirect_url": {
+                    "description": "RedirectURL is optional, defaulting to 'ACCESS_URL'. Only useful in niche\nsituations where the OIDC callback domain is different from the ACCESS_URL\ndomain.",
+                    "allOf": [
+                        {
+                            "$ref": "#/definitions/serpent.URL"
+                        }
+                    ]
+                },
                "scopes": {
                    "type": "array",
                    "items": {
@@ -18235,6 +18406,14 @@ const docTemplate = `{
                }
            }
        },
+        "codersdk.ResumeTaskResponse": {
+            "type": "object",
+            "properties": {
+                "workspace_build": {
+                    "$ref": "#/definitions/codersdk.WorkspaceBuild"
+                }
+            }
+        },
        "codersdk.RetentionConfig": {
            "type": "object",
            "properties": {
@@ -18867,6 +19046,9 @@ const docTemplate = `{
                "default_ttl_ms": {
                    "type": "integer"
                },
+                "deleted": {
+                    "type": "boolean"
+                },
                "deprecated": {
                    "type": "boolean"
                },
@@ -22693,7 +22875,7 @@ const docTemplate = `{
                    ]
                },
                "default": {
-                    "description": "Default is parsed into Value if set.",
+                    "description": "Default is parsed into Value if set.\nMust be ` + "`" + `\"\"` + "`" + ` if ` + "`" + `DefaultFn` + "`" + ` != nil",
                    "type": "string"
                },
                "description": {
@@ -3296,6 +3296,65 @@
 				}
 			}
 		},
+		"/organizations/{organization}/members/{user}/workspaces/available-users": {
+			"get": {
+				"security": [
+					{
+						"CoderSessionToken": []
+					}
+				],
+				"produces": ["application/json"],
+				"tags": ["Workspaces"],
+				"summary": "Get users available for workspace creation",
+				"operationId": "get-users-available-for-workspace-creation",
+				"parameters": [
+					{
+						"type": "string",
+						"format": "uuid",
+						"description": "Organization ID",
+						"name": "organization",
+						"in": "path",
+						"required": true
+					},
+					{
+						"type": "string",
+						"description": "User ID, name, or me",
+						"name": "user",
+						"in": "path",
+						"required": true
+					},
+					{
+						"type": "string",
+						"description": "Search query",
+						"name": "q",
+						"in": "query"
+					},
+					{
+						"type": "integer",
+						"description": "Limit results",
+						"name": "limit",
+						"in": "query"
+					},
+					{
+						"type": "integer",
+						"description": "Offset for pagination",
+						"name": "offset",
+						"in": "query"
+					}
+				],
+				"responses": {
+					"200": {
+						"description": "OK",
+						"schema": {
+							"type": "array",
+							"items": {
+								"$ref": "#/definitions/codersdk.MinimalUser"
+							}
+						}
+					}
+				}
+			}
+		},
 		"/organizations/{organization}/paginated-members": {
 			"get": {
 				"security": [
@@ -5185,6 +5244,44 @@
 				}
 			}
 		},
+		"/tasks/{user}/{task}/resume": {
+			"post": {
+				"security": [
+					{
+						"CoderSessionToken": []
+					}
+				],
+				"consumes": ["application/json"],
+				"tags": ["Tasks"],
+				"summary": "Resume task",
+				"operationId": "resume-task",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "Username, user ID, or 'me' for the authenticated user",
+						"name": "user",
+						"in": "path",
+						"required": true
+					},
+					{
+						"type": "string",
+						"format": "uuid",
+						"description": "Task ID",
+						"name": "task",
+						"in": "path",
+						"required": true
+					}
+				],
+				"responses": {
+					"202": {
+						"description": "Accepted",
+						"schema": {
+							"$ref": "#/definitions/codersdk.ResumeTaskResponse"
+						}
+					}
+				}
+			}
+		},
 		"/tasks/{user}/{task}/send": {
 			"post": {
 				"security": [
@@ -7379,6 +7476,52 @@
 				}
 			}
 		},
+		"/users/{user}/keys/{keyid}/expire": {
+			"put": {
+				"security": [
+					{
+						"CoderSessionToken": []
+					}
+				],
+				"tags": ["Users"],
+				"summary": "Expire API key",
+				"operationId": "expire-api-key",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "User ID, name, or me",
+						"name": "user",
+						"in": "path",
+						"required": true
+					},
+					{
+						"type": "string",
+						"format": "string",
+						"description": "Key ID",
+						"name": "keyid",
+						"in": "path",
+						"required": true
+					}
+				],
+				"responses": {
+					"204": {
+						"description": "No Content"
+					},
+					"404": {
+						"description": "Not Found",
+						"schema": {
+							"$ref": "#/definitions/codersdk.Response"
+						}
+					},
+					"500": {
+						"description": "Internal Server Error",
+						"schema": {
+							"$ref": "#/definitions/codersdk.Response"
+						}
+					}
+				}
+			}
+		},
 		"/users/{user}/login-type": {
 			"get": {
 				"security": [
@@ -10887,6 +11030,9 @@
 				"api_key_id": {
 					"type": "string"
 				},
+				"client": {
+					"type": "string"
+				},
 				"ended_at": {
 					"type": "string",
 					"format": "date-time"
@@ -12061,7 +12207,10 @@
 				"cli",
 				"ssh_connection",
 				"vscode_connection",
-				"jetbrains_connection"
+				"jetbrains_connection",
+				"task_auto_pause",
+				"task_manual_pause",
+				"task_resume"
 			],
 			"x-enum-varnames": [
 				"BuildReasonInitiator",
@@ -12072,7 +12221,10 @@
 				"BuildReasonCLI",
 				"BuildReasonSSHConnection",
 				"BuildReasonVSCodeConnection",
-				"BuildReasonJetbrainsConnection"
+				"BuildReasonJetbrainsConnection",
+				"BuildReasonTaskAutoPause",
+				"BuildReasonTaskManualPause",
+				"BuildReasonTaskResume"
 			]
 		},
 		"codersdk.CORSBehavior": {
@@ -12701,7 +12853,8 @@
 				"ssh_connection",
 				"vscode_connection",
 				"jetbrains_connection",
-				"task_manual_pause"
+				"task_manual_pause",
+				"task_resume"
 			],
 			"x-enum-varnames": [
 				"CreateWorkspaceBuildReasonDashboard",
@@ -12709,7 +12862,8 @@
 				"CreateWorkspaceBuildReasonSSHConnection",
 				"CreateWorkspaceBuildReasonVSCodeConnection",
 				"CreateWorkspaceBuildReasonJetbrainsConnection",
-				"CreateWorkspaceBuildReasonTaskManualPause"
+				"CreateWorkspaceBuildReasonTaskManualPause",
+				"CreateWorkspaceBuildReasonTaskResume"
 			]
 		},
 		"codersdk.CreateWorkspaceBuildRequest": {
@@ -13741,10 +13895,6 @@
 				"limit": {
 					"type": "integer"
 				},
-				"soft_limit": {
-					"description": "SoftLimit is the soft limit of the feature, and is only used for showing\nincluded limits in the dashboard. No license validation or warnings are\ngenerated from this value.",
-					"type": "integer"
-				},
 				"usage_period": {
 					"description": "UsagePeriod denotes that the usage is a counter that accumulates over\nthis period (and most likely resets with the issuance of the next\nlicense).\n\nThese dates are determined from the license that this entitlement comes\nfrom, see enterprise/coderd/license/license.go.\n\nOnly certain features set these fields:\n- FeatureManagedAgentLimit",
 					"allOf": [
@@ -13942,6 +14092,9 @@
 		"codersdk.HTTPCookieConfig": {
 			"type": "object",
 			"properties": {
+				"host_prefix": {
+					"type": "boolean"
+				},
 				"same_site": {
 					"type": "string"
 				},
@@ -15095,6 +15248,14 @@
 				"organization_mapping": {
 					"type": "object"
 				},
+				"redirect_url": {
+					"description": "RedirectURL is optional, defaulting to 'ACCESS_URL'. Only useful in niche\nsituations where the OIDC callback domain is different from the ACCESS_URL\ndomain.",
+					"allOf": [
+						{
+							"$ref": "#/definitions/serpent.URL"
+						}
+					]
+				},
 				"scopes": {
 					"type": "array",
 					"items": {
@@ -16647,6 +16808,14 @@
 				}
 			}
 		},
+		"codersdk.ResumeTaskResponse": {
+			"type": "object",
+			"properties": {
+				"workspace_build": {
+					"$ref": "#/definitions/codersdk.WorkspaceBuild"
+				}
+			}
+		},
 		"codersdk.RetentionConfig": {
 			"type": "object",
 			"properties": {
@@ -17258,6 +17427,9 @@
 				"default_ttl_ms": {
 					"type": "integer"
 				},
+				"deleted": {
+					"type": "boolean"
+				},
 				"deprecated": {
 					"type": "boolean"
 				},
@@ -20873,7 +21045,7 @@
 					]
 				},
 				"default": {
-					"description": "Default is parsed into Value if set.",
+					"description": "Default is parsed into Value if set.\nMust be `\"\"` if `DefaultFn` != nil",
 					"type": "string"
 				},
 				"description": {
@@ -421,6 +421,69 @@ func (api *API) deleteAPIKey(rw http.ResponseWriter, r *http.Request) {
 	rw.WriteHeader(http.StatusNoContent)
 }

+// @Summary Expire API key
+// @ID expire-api-key
+// @Security CoderSessionToken
+// @Tags Users
+// @Param user path string true "User ID, name, or me"
+// @Param keyid path string true "Key ID" format(string)
+// @Success 204
+// @Failure 404 {object} codersdk.Response
+// @Failure 500 {object} codersdk.Response
+// @Router /users/{user}/keys/{keyid}/expire [put]
+func (api *API) expireAPIKey(rw http.ResponseWriter, r *http.Request) {
+	var (
+		ctx               = r.Context()
+		keyID             = chi.URLParam(r, "keyid")
+		auditor           = api.Auditor.Load()
+		aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{
+			Audit:   *auditor,
+			Log:     api.Logger,
+			Request: r,
+			Action:  database.AuditActionWrite,
+		})
+	)
+	defer commitAudit()
+
+	if err := api.Database.InTx(func(db database.Store) error {
+		key, err := db.GetAPIKeyByID(ctx, keyID)
+		if err != nil {
+			return xerrors.Errorf("fetch API key: %w", err)
+		}
+		if !key.ExpiresAt.After(api.Clock.Now()) {
+			return nil // Already expired
+		}
+		aReq.Old = key
+		if err := db.UpdateAPIKeyByID(ctx, database.UpdateAPIKeyByIDParams{
+			ID:        key.ID,
+			LastUsed:  key.LastUsed,
+			ExpiresAt: dbtime.Now(),
+			IPAddress: key.IPAddress,
+		}); err != nil {
+			return xerrors.Errorf("expire API key: %w", err)
+		}
+		// Fetch the updated key for audit log.
+		newKey, err := db.GetAPIKeyByID(ctx, keyID)
+		if err != nil {
+			api.Logger.Warn(ctx, "failed to fetch updated API key for audit log", slog.Error(err))
+		} else {
+			aReq.New = newKey
+		}
+		return nil
+	}, nil); httpapi.Is404Error(err) {
+		httpapi.ResourceNotFound(rw)
+		return
+	} else if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error expiring API key.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	rw.WriteHeader(http.StatusNoContent)
+}
+
 // @Summary Get token config
 // @ID get-token-config
 // @Security CoderSessionToken
@@ -400,7 +400,7 @@ func TestAPIKey_Deleted(t *testing.T) {
 	require.Error(t, err)
 	var apiErr *codersdk.Error
 	require.ErrorAs(t, err, &apiErr)
-	require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
+	require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
 }

 func TestAPIKey_SetDefault(t *testing.T) {
@@ -439,7 +439,7 @@ func TestAPIKey_PrebuildsNotAllowed(t *testing.T) {
 		DeploymentValues: dc,
 	})

-	ctx := testutil.Context(t, testutil.WaitLong)
+	setupCtx := testutil.Context(t, testutil.WaitLong)

 	// Given: an existing api token for the prebuilds user
 	_, prebuildsToken := dbgen.APIKey(t, db, database.APIKey{
@@ -448,12 +448,167 @@ func TestAPIKey_PrebuildsNotAllowed(t *testing.T) {
 	client.SetSessionToken(prebuildsToken)

 	// When: the prebuilds user tries to create an API key
-	_, err := client.CreateAPIKey(ctx, database.PrebuildsSystemUserID.String())
+	_, err := client.CreateAPIKey(setupCtx, database.PrebuildsSystemUserID.String())
 	// Then: denied.
 	require.ErrorContains(t, err, httpapi.ResourceForbiddenResponse.Message)

 	// When: the prebuilds user tries to create a token
-	_, err = client.CreateToken(ctx, database.PrebuildsSystemUserID.String(), codersdk.CreateTokenRequest{})
+	_, err = client.CreateToken(setupCtx, database.PrebuildsSystemUserID.String(), codersdk.CreateTokenRequest{})
 	// Then: also denied.
 	require.ErrorContains(t, err, httpapi.ResourceForbiddenResponse.Message)
 }
+
+//nolint:tparallel,paralleltest // Subtests share the same coderdtest instance and auditor.
+func TestExpireAPIKey(t *testing.T) {
+	t.Parallel()
+
+	auditor := audit.NewMock()
+	adminClient := coderdtest.New(t, &coderdtest.Options{Auditor: auditor})
+	admin := coderdtest.CreateFirstUser(t, adminClient)
+	memberClient, member := coderdtest.CreateAnotherUser(t, adminClient, admin.OrganizationID)
+
+	t.Run("OwnerCanExpireOwnToken", func(t *testing.T) {
+		ctx := testutil.Context(t, testutil.WaitLong)
+
+		// Create a token.
+		res, err := adminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
+			Lifetime: time.Hour * 24 * 7,
+		})
+		require.NoError(t, err)
+		keyID := strings.Split(res.Key, "-")[0]
+
+		// Verify the token is not expired.
+		key, err := adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
+		require.NoError(t, err)
+		require.True(t, key.ExpiresAt.After(time.Now()))
+
+		auditor.ResetLogs()
+
+		// Expire the token.
+		err = adminClient.ExpireAPIKey(ctx, codersdk.Me, keyID)
+		require.NoError(t, err)
+
+		// Verify the token is expired.
+		key, err = adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
+		require.NoError(t, err)
+		require.True(t, key.ExpiresAt.Before(time.Now()))
+
+		// Verify audit log.
+		als := auditor.AuditLogs()
+		require.Len(t, als, 1)
+		require.Equal(t, database.AuditActionWrite, als[0].Action)
+		require.Equal(t, database.ResourceTypeApiKey, als[0].ResourceType)
+		require.Equal(t, admin.UserID.String(), als[0].UserID.String())
+	})
+
+	t.Run("AdminCanExpireOtherUsersToken", func(t *testing.T) {
+		ctx := testutil.Context(t, testutil.WaitLong)
+
+		// Create a token for the member.
+		res, err := memberClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
+			Lifetime: time.Hour * 24 * 7,
+		})
+		require.NoError(t, err)
+		keyID := strings.Split(res.Key, "-")[0]
+
+		// Admin expires the member's token.
+		err = adminClient.ExpireAPIKey(ctx, member.ID.String(), keyID)
+		require.NoError(t, err)
+
+		// Verify the token is expired.
+		key, err := memberClient.APIKeyByID(ctx, codersdk.Me, keyID)
+		require.NoError(t, err)
+		require.True(t, key.ExpiresAt.Before(time.Now()))
+	})
+
+	t.Run("MemberCannotExpireOtherUsersToken", func(t *testing.T) {
+		ctx := testutil.Context(t, testutil.WaitLong)
+
+		// Create a token for the admin.
+		res, err := adminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
+			Lifetime: time.Hour * 24 * 7,
+		})
+		require.NoError(t, err)
+		keyID := strings.Split(res.Key, "-")[0]
+
+		// Member attempts to expire admin's token.
+		err = memberClient.ExpireAPIKey(ctx, admin.UserID.String(), keyID)
+		require.Error(t, err)
+		var sdkErr *codersdk.Error
+		require.ErrorAs(t, err, &sdkErr)
+		// Members cannot read other users, so they get a 404 Not Found
+		// from the authorization layer.
+		require.Equal(t, http.StatusNotFound, sdkErr.StatusCode())
+	})
+
+	t.Run("NotFound", func(t *testing.T) {
+		ctx := testutil.Context(t, testutil.WaitLong)
+
+		// Try to expire a non-existent token.
+		err := adminClient.ExpireAPIKey(ctx, codersdk.Me, "nonexistent")
+		require.Error(t, err)
+		var sdkErr *codersdk.Error
+		require.ErrorAs(t, err, &sdkErr)
+		require.Equal(t, http.StatusNotFound, sdkErr.StatusCode())
+	})
+
+	t.Run("ExpiringAlreadyExpiredTokenSucceeds", func(t *testing.T) {
+		ctx := testutil.Context(t, testutil.WaitLong)
+
+		// Create and expire a token.
+		res, err := adminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
+			Lifetime: time.Hour * 24 * 7,
+		})
+		require.NoError(t, err)
+		keyID := strings.Split(res.Key, "-")[0]
+
+		// Expire it once.
+		err = adminClient.ExpireAPIKey(ctx, codersdk.Me, keyID)
+		require.NoError(t, err)
+
+		// Invariant: make sure it's actually expired
+		key, err := adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
+		require.NoError(t, err)
+		require.LessOrEqual(t, key.ExpiresAt, time.Now(), "key should be expired")
+
+		// Expire it again - should succeed (idempotent).
+		err = adminClient.ExpireAPIKey(ctx, codersdk.Me, keyID)
+		require.NoError(t, err)
+
+		// Token should still be just as expired as before. No more, no less.
+		keyAgain, err := adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
+		require.NoError(t, err)
+		require.Equal(t, key.ExpiresAt, keyAgain.ExpiresAt, "expiration should be idempotent")
+	})
+
+	t.Run("DeletingExpiredTokenSucceeds", func(t *testing.T) {
+		ctx := testutil.Context(t, testutil.WaitLong)
+
+		// Create a token.
+		res, err := adminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
+			Lifetime: time.Hour * 24 * 7,
+		})
+		require.NoError(t, err)
+		keyID := strings.Split(res.Key, "-")[0]
+
+		// Expire it first.
+		err = adminClient.ExpireAPIKey(ctx, codersdk.Me, keyID)
+		require.NoError(t, err)
+
+		// Verify it's expired.
+		key, err := adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
+		require.NoError(t, err)
+		require.True(t, key.ExpiresAt.Before(time.Now()))
+
+		// Delete the expired token - should succeed.
+		err = adminClient.DeleteAPIKey(ctx, codersdk.Me, keyID)
+		require.NoError(t, err)
+
+		// Verify it's gone.
+		_, err = adminClient.APIKeyByID(ctx, codersdk.Me, keyID)
+		require.Error(t, err)
+		var sdkErr *codersdk.Error
+		require.ErrorAs(t, err, &sdkErr)
+		require.Equal(t, http.StatusNotFound, sdkErr.StatusCode())
+	})
+}
@@ -48,9 +48,10 @@ type Executor struct {
 	tick                  <-chan time.Time
 	statsCh               chan<- Stats
 	// NotificationsEnqueuer handles enqueueing notifications for delivery by SMTP, webhook, etc.
-	notificationsEnqueuer notifications.Enqueuer
-	reg                   prometheus.Registerer
-	experiments           codersdk.Experiments
+	notificationsEnqueuer   notifications.Enqueuer
+	reg                     prometheus.Registerer
+	experiments             codersdk.Experiments
+	workspaceBuilderMetrics *wsbuilder.Metrics

 	metrics executorMetrics
 }
@@ -67,23 +68,24 @@ type Stats struct {
 }

 // New returns a new wsactions executor.
-func NewExecutor(ctx context.Context, db database.Store, ps pubsub.Pubsub, fc *files.Cache, reg prometheus.Registerer, tss *atomic.Pointer[schedule.TemplateScheduleStore], auditor *atomic.Pointer[audit.Auditor], acs *atomic.Pointer[dbauthz.AccessControlStore], buildUsageChecker *atomic.Pointer[wsbuilder.UsageChecker], log slog.Logger, tick <-chan time.Time, enqueuer notifications.Enqueuer, exp codersdk.Experiments) *Executor {
+func NewExecutor(ctx context.Context, db database.Store, ps pubsub.Pubsub, fc *files.Cache, reg prometheus.Registerer, tss *atomic.Pointer[schedule.TemplateScheduleStore], auditor *atomic.Pointer[audit.Auditor], acs *atomic.Pointer[dbauthz.AccessControlStore], buildUsageChecker *atomic.Pointer[wsbuilder.UsageChecker], log slog.Logger, tick <-chan time.Time, enqueuer notifications.Enqueuer, exp codersdk.Experiments, workspaceBuilderMetrics *wsbuilder.Metrics) *Executor {
 	factory := promauto.With(reg)
 	le := &Executor{
 		//nolint:gocritic // Autostart has a limited set of permissions.
-		ctx:                   dbauthz.AsAutostart(ctx),
-		db:                    db,
-		ps:                    ps,
-		fileCache:             fc,
-		templateScheduleStore: tss,
-		tick:                  tick,
-		log:                   log.Named("autobuild"),
-		auditor:               auditor,
-		accessControlStore:    acs,
-		buildUsageChecker:     buildUsageChecker,
-		notificationsEnqueuer: enqueuer,
-		reg:                   reg,
-		experiments:           exp,
+		ctx:                     dbauthz.AsAutostart(ctx),
+		db:                      db,
+		ps:                      ps,
+		fileCache:               fc,
+		templateScheduleStore:   tss,
+		tick:                    tick,
+		log:                     log.Named("autobuild"),
+		auditor:                 auditor,
+		accessControlStore:      acs,
+		buildUsageChecker:       buildUsageChecker,
+		notificationsEnqueuer:   enqueuer,
+		reg:                     reg,
+		experiments:             exp,
+		workspaceBuilderMetrics: workspaceBuilderMetrics,
 		metrics: executorMetrics{
 			autobuildExecutionDuration: factory.NewHistogram(prometheus.HistogramOpts{
 				Namespace: "coderd",
@@ -229,6 +231,7 @@ func (e *Executor) runOnce(t time.Time) Stats {
 					job                   *database.ProvisionerJob
 					auditLog              *auditParams
 					shouldNotifyDormancy  bool
+					shouldNotifyTaskPause bool
 					nextBuild             *database.WorkspaceBuild
 					activeTemplateVersion database.TemplateVersion
 					ws                    database.Workspace
@@ -314,6 +317,10 @@ func (e *Executor) runOnce(t time.Time) Stats {
 						return nil
 					}

+					if reason == database.BuildReasonTaskAutoPause {
+						shouldNotifyTaskPause = true
+					}
+
 					// Get the template version job to access tags
 					templateVersionJob, err := tx.GetProvisionerJobByID(e.ctx, activeTemplateVersion.JobID)
 					if err != nil {
@@ -335,7 +342,8 @@ func (e *Executor) runOnce(t time.Time) Stats {
 							SetLastWorkspaceBuildInTx(&latestBuild).
 							SetLastWorkspaceBuildJobInTx(&latestJob).
 							Experiments(e.experiments).
-							Reason(reason)
+							Reason(reason).
+							BuildMetrics(e.workspaceBuilderMetrics)
 						log.Debug(e.ctx, "auto building workspace", slog.F("transition", nextTransition))
 						if nextTransition == database.WorkspaceTransitionStart &&
 							useActiveVersion(accessControl, ws) {
@@ -479,6 +487,28 @@ func (e *Executor) runOnce(t time.Time) Stats {
 						log.Warn(e.ctx, "failed to notify of workspace marked as dormant", slog.Error(err), slog.F("workspace_id", ws.ID))
 					}
 				}
+				if shouldNotifyTaskPause {
+					task, err := e.db.GetTaskByID(e.ctx, ws.TaskID.UUID)
+					if err != nil {
+						log.Warn(e.ctx, "failed to get task for pause notification", slog.Error(err), slog.F("task_id", ws.TaskID.UUID), slog.F("workspace_id", ws.ID))
+					} else {
+						if _, err := e.notificationsEnqueuer.Enqueue(
+							e.ctx,
+							ws.OwnerID,
+							notifications.TemplateTaskPaused,
+							map[string]string{
+								"task":         task.Name,
+								"task_id":      task.ID.String(),
+								"workspace":    ws.Name,
+								"pause_reason": "inactivity exceeded the dormancy threshold",
+							},
+							"lifecycle_executor",
+							ws.ID, ws.OwnerID, ws.OrganizationID,
+						); err != nil {
+							log.Warn(e.ctx, "failed to notify of task paused", slog.Error(err), slog.F("task_id", ws.TaskID.UUID), slog.F("workspace_id", ws.ID))
+						}
+					}
+				}
 				return nil
 			}()
 			if err != nil && !xerrors.Is(err, context.Canceled) {
@@ -522,10 +552,18 @@ func getNextTransition(
 ) {
 	switch {
 	case isEligibleForAutostop(user, ws, latestBuild, latestJob, currentTick):
+		// Use task-specific reason for AI task workspaces.
+		if ws.TaskID.Valid {
+			return database.WorkspaceTransitionStop, database.BuildReasonTaskAutoPause, nil
+		}
 		return database.WorkspaceTransitionStop, database.BuildReasonAutostop, nil
 	case isEligibleForAutostart(user, ws, latestBuild, latestJob, templateSchedule, currentTick):
 		return database.WorkspaceTransitionStart, database.BuildReasonAutostart, nil
 	case isEligibleForFailedStop(latestBuild, latestJob, templateSchedule, currentTick):
+		// Use task-specific reason for AI task workspaces.
+		if ws.TaskID.Valid {
+			return database.WorkspaceTransitionStop, database.BuildReasonTaskAutoPause, nil
+		}
 		return database.WorkspaceTransitionStop, database.BuildReasonAutostop, nil
 	case isEligibleForDormantStop(ws, templateSchedule, currentTick):
 		// Only stop started workspaces.
@@ -5,12 +5,113 @@ import (
 	"testing"
 	"time"

+	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/schedule"
 )

+func Test_getNextTransition_TaskAutoPause(t *testing.T) {
+	t.Parallel()
+
+	// Set up a workspace that is eligible for autostop (past deadline).
+	now := time.Now()
+	pastDeadline := now.Add(-time.Hour)
+
+	okUser := database.User{Status: database.UserStatusActive}
+	okBuild := database.WorkspaceBuild{
+		Transition: database.WorkspaceTransitionStart,
+		Deadline:   pastDeadline,
+	}
+	okJob := database.ProvisionerJob{
+		JobStatus: database.ProvisionerJobStatusSucceeded,
+	}
+	okTemplateSchedule := schedule.TemplateScheduleOptions{}
+
+	// Failed build setup for failedstop tests.
+	failedBuild := database.WorkspaceBuild{
+		Transition: database.WorkspaceTransitionStart,
+	}
+	failedJob := database.ProvisionerJob{
+		JobStatus:   database.ProvisionerJobStatusFailed,
+		CompletedAt: sql.NullTime{Time: now.Add(-time.Hour), Valid: true},
+	}
+	failedTemplateSchedule := schedule.TemplateScheduleOptions{
+		FailureTTL: time.Minute, // TTL already elapsed since job completed an hour ago.
+	}
+
+	testCases := []struct {
+		Name             string
+		Workspace        database.Workspace
+		Build            database.WorkspaceBuild
+		Job              database.ProvisionerJob
+		TemplateSchedule schedule.TemplateScheduleOptions
+		ExpectedReason   database.BuildReason
+	}{
+		{
+			Name: "RegularWorkspace_Autostop",
+			Workspace: database.Workspace{
+				DormantAt: sql.NullTime{Valid: false},
+			},
+			Build:            okBuild,
+			Job:              okJob,
+			TemplateSchedule: okTemplateSchedule,
+			ExpectedReason:   database.BuildReasonAutostop,
+		},
+		{
+			Name: "TaskWorkspace_Autostop_UsesTaskAutoPause",
+			Workspace: database.Workspace{
+				DormantAt: sql.NullTime{Valid: false},
+				TaskID:    uuid.NullUUID{UUID: uuid.New(), Valid: true},
+			},
+			Build:            okBuild,
+			Job:              okJob,
+			TemplateSchedule: okTemplateSchedule,
+			ExpectedReason:   database.BuildReasonTaskAutoPause,
+		},
+		{
+			Name: "RegularWorkspace_FailedStop",
+			Workspace: database.Workspace{
+				DormantAt: sql.NullTime{Valid: false},
+			},
+			Build:            failedBuild,
+			Job:              failedJob,
+			TemplateSchedule: failedTemplateSchedule,
+			ExpectedReason:   database.BuildReasonAutostop,
+		},
+		{
+			Name: "TaskWorkspace_FailedStop_UsesTaskAutoPause",
+			Workspace: database.Workspace{
+				DormantAt: sql.NullTime{Valid: false},
+				TaskID:    uuid.NullUUID{UUID: uuid.New(), Valid: true},
+			},
+			Build:            failedBuild,
+			Job:              failedJob,
+			TemplateSchedule: failedTemplateSchedule,
+			ExpectedReason:   database.BuildReasonTaskAutoPause,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			t.Parallel()
+
+			transition, reason, err := getNextTransition(
+				okUser,
+				tc.Workspace,
+				tc.Build,
+				tc.Job,
+				tc.TemplateSchedule,
+				now,
+			)
+			require.NoError(t, err)
+			require.Equal(t, database.WorkspaceTransitionStop, transition)
+			require.Equal(t, tc.ExpectedReason, reason)
+		})
+	}
+}
+
 func Test_isEligibleForAutostart(t *testing.T) {
 	t.Parallel()

@@ -2019,5 +2019,69 @@ func TestExecutorTaskWorkspace(t *testing.T) {
 		assert.Contains(t, stats.Transitions, workspace.ID, "task workspace should be in transitions")
 		assert.Equal(t, database.WorkspaceTransitionStop, stats.Transitions[workspace.ID], "should autostop the workspace")
 		require.Empty(t, stats.Errors, "should have no errors when managing task workspaces")
+
+		// Then: The build reason should be TaskAutoPause (not regular Autostop)
+		workspace = coderdtest.MustWorkspace(t, client, workspace.ID)
+		_ = coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
+		workspace = coderdtest.MustWorkspace(t, client, workspace.ID)
+		assert.Equal(t, codersdk.BuildReasonTaskAutoPause, workspace.LatestBuild.Reason, "task workspace should use TaskAutoPause build reason")
+	})
+
+	t.Run("AutostopNotification", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			tickCh     = make(chan time.Time)
+			statsCh    = make(chan autobuild.Stats)
+			notifyEnq  = notificationstest.FakeEnqueuer{}
+			client, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{
+				AutobuildTicker:          tickCh,
+				IncludeProvisionerDaemon: true,
+				AutobuildStats:           statsCh,
+				NotificationsEnqueuer:    &notifyEnq,
+			})
+			admin = coderdtest.CreateFirstUser(t, client)
+		)
+
+		// Given: A task workspace with an 8 hour deadline
+		ctx := testutil.Context(t, testutil.WaitShort)
+		template := createTaskTemplate(t, client, admin.OrganizationID, ctx, 8*time.Hour)
+		workspace := createTaskWorkspace(t, client, template, ctx, "test task for autostop notification")
+
+		// Given: The workspace is currently running
+		workspace = coderdtest.MustWorkspace(t, client, workspace.ID)
+		require.Equal(t, codersdk.WorkspaceTransitionStart, workspace.LatestBuild.Transition)
+		require.NotZero(t, workspace.LatestBuild.Deadline, "workspace should have a deadline for autostop")
+
+		p, err := coderdtest.GetProvisionerForTags(db, time.Now(), workspace.OrganizationID, map[string]string{})
+		require.NoError(t, err)
+
+		// When: the autobuild executor ticks after the deadline
+		go func() {
+			tickTime := workspace.LatestBuild.Deadline.Time.Add(time.Minute)
+			coderdtest.UpdateProvisionerLastSeenAt(t, db, p.ID, tickTime)
+			tickCh <- tickTime
+			close(tickCh)
+		}()
+
+		// Then: We expect to see a stop transition
+		stats := <-statsCh
+		require.Len(t, stats.Transitions, 1, "lifecycle executor should transition the task workspace")
+		assert.Contains(t, stats.Transitions, workspace.ID, "task workspace should be in transitions")
+		assert.Equal(t, database.WorkspaceTransitionStop, stats.Transitions[workspace.ID], "should autostop the workspace")
+		require.Empty(t, stats.Errors, "should have no errors when managing task workspaces")
+
+		// Then: A task paused notification was sent with "idle timeout" reason
+		require.True(t, workspace.TaskID.Valid, "workspace should have a task ID")
+		task, err := db.GetTaskByID(dbauthz.AsSystemRestricted(ctx), workspace.TaskID.UUID)
+		require.NoError(t, err)
+
+		sent := notifyEnq.Sent(notificationstest.WithTemplateID(notifications.TemplateTaskPaused))
+		require.Len(t, sent, 1)
+		require.Equal(t, workspace.OwnerID, sent[0].UserID)
+		require.Equal(t, task.Name, sent[0].Labels["task"])
+		require.Equal(t, task.ID.String(), sent[0].Labels["task_id"])
+		require.Equal(t, workspace.Name, sent[0].Labels["workspace"])
+		require.Equal(t, "inactivity exceeded the dormancy threshold", sent[0].Labels["pause_reason"])
 	})
 }
@@ -245,6 +245,7 @@ type Options struct {
 	MetadataBatcherOptions []metadatabatcher.Option

 	ProvisionerdServerMetrics *provisionerdserver.Metrics
+	WorkspaceBuilderMetrics   *wsbuilder.Metrics

 	// WorkspaceAppAuditSessionTimeout allows changing the timeout for audit
 	// sessions. Raising or lowering this value will directly affect the write
@@ -899,6 +900,7 @@ func New(options *Options) *API {
 		sharedhttpmw.Recover(api.Logger),
 		httpmw.WithProfilingLabels,
 		tracing.StatusWriterMiddleware,
+		options.DeploymentValues.HTTPCookies.Middleware,
 		tracing.Middleware(api.TracerProvider),
 		httpmw.AttachRequestID,
 		httpmw.ExtractRealIP(api.RealIPConfig),
@@ -1079,6 +1081,7 @@ func New(options *Options) *API {
 					r.Post("/send", api.taskSend)
 					r.Get("/logs", api.taskLogs)
 					r.Post("/pause", api.pauseTask)
+					r.Post("/resume", api.resumeTask)
 				})
 			})
 		})
@@ -1230,7 +1233,10 @@ func New(options *Options) *API {
 							r.Get("/", api.organizationMember)
 							r.Delete("/", api.deleteOrganizationMember)
 							r.Put("/roles", api.putMemberRoles)
-							r.Post("/workspaces", api.postWorkspacesByOrganization)
+							r.Route("/workspaces", func(r chi.Router) {
+								r.Post("/", api.postWorkspacesByOrganization)
+								r.Get("/available-users", api.workspaceAvailableUsers)
+							})
 						})
 					})
 				})
@@ -1397,6 +1403,7 @@ func New(options *Options) *API {
 							r.Route("/{keyid}", func(r chi.Router) {
 								r.Get("/", api.apiKeyByID)
 								r.Delete("/", api.deleteAPIKey)
+								r.Put("/expire", api.expireAPIKey)
 							})
 						})

@@ -191,6 +191,7 @@ type Options struct {
 	TelemetryReporter                  telemetry.Reporter

 	ProvisionerdServerMetrics *provisionerdserver.Metrics
+	WorkspaceBuilderMetrics   *wsbuilder.Metrics
 	UsageInserter             usage.Inserter
 }

@@ -399,6 +400,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 		options.AutobuildTicker,
 		options.NotificationsEnqueuer,
 		experiments,
+		options.WorkspaceBuilderMetrics,
 	).WithStatsChannel(options.AutobuildStats)

 	lifecycleExecutor.Run()
@@ -620,6 +622,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 			AppEncryptionKeyCache:              options.APIKeyEncryptionCache,
 			OIDCConvertKeyCache:                options.OIDCConvertKeyCache,
 			ProvisionerdServerMetrics:          options.ProvisionerdServerMetrics,
+			WorkspaceBuilderMetrics:            options.WorkspaceBuilderMetrics,
 		}
 }

@@ -17,4 +17,6 @@ const (
 	CheckTelemetryLockEventTypeConstraint        CheckConstraint = "telemetry_lock_event_type_constraint"         // telemetry_locks
 	CheckValidationMonotonicOrder                CheckConstraint = "validation_monotonic_order"                   // template_version_parameters
 	CheckUsageEventTypeCheck                     CheckConstraint = "usage_event_type_check"                       // usage_events
+	CheckGroupAclIsObject                        CheckConstraint = "group_acl_is_object"                          // workspaces
+	CheckUserAclIsObject                         CheckConstraint = "user_acl_is_object"                           // workspaces
 )
@@ -93,7 +93,6 @@ type TxOptions struct {

 // IncrementExecutionCount is a helper function for external packages
 // to increment the unexported count.
-// Mainly for `dbmem`.
 func IncrementExecutionCount(opts *TxOptions) {
 	opts.executionCount++
 }
@@ -981,6 +981,9 @@ func AIBridgeInterception(interception database.AIBridgeInterception, initiator
 	if interception.EndedAt.Valid {
 		intc.EndedAt = &interception.EndedAt.Time
 	}
+	if interception.Client.Valid {
+		intc.Client = &interception.Client.String
+	}
 	return intc
 }

@@ -9,6 +9,7 @@ import (
 	"time"

 	"github.com/google/uuid"
+	"github.com/sqlc-dev/pqtype"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/v2/coderd/database"
@@ -206,3 +207,231 @@ func TestTemplateVersionParameter_BadDescription(t *testing.T) {
 	req.NoError(err)
 	req.NotEmpty(sdk.DescriptionPlaintext, "broke the markdown parser with %v", desc)
 }
+
+func TestAIBridgeInterception(t *testing.T) {
+	t.Parallel()
+
+	now := dbtime.Now()
+	interceptionID := uuid.New()
+	initiatorID := uuid.New()
+
+	cases := []struct {
+		name         string
+		interception database.AIBridgeInterception
+		initiator    database.VisibleUser
+		tokenUsages  []database.AIBridgeTokenUsage
+		userPrompts  []database.AIBridgeUserPrompt
+		toolUsages   []database.AIBridgeToolUsage
+		expected     codersdk.AIBridgeInterception
+	}{
+		{
+			name: "all_optional_values_set",
+			interception: database.AIBridgeInterception{
+				ID:          interceptionID,
+				InitiatorID: initiatorID,
+				Provider:    "anthropic",
+				Model:       "claude-3-opus",
+				StartedAt:   now,
+				Metadata: pqtype.NullRawMessage{
+					RawMessage: json.RawMessage(`{"key":"value"}`),
+					Valid:      true,
+				},
+				EndedAt: sql.NullTime{
+					Time:  now.Add(time.Minute),
+					Valid: true,
+				},
+				APIKeyID: sql.NullString{
+					String: "api-key-123",
+					Valid:  true,
+				},
+				Client: sql.NullString{
+					String: "claude-code/1.0.0",
+					Valid:  true,
+				},
+			},
+			initiator: database.VisibleUser{
+				ID:        initiatorID,
+				Username:  "testuser",
+				Name:      "Test User",
+				AvatarURL: "https://example.com/avatar.png",
+			},
+			tokenUsages: []database.AIBridgeTokenUsage{
+				{
+					ID:                 uuid.New(),
+					InterceptionID:     interceptionID,
+					ProviderResponseID: "resp-123",
+					InputTokens:        100,
+					OutputTokens:       200,
+					Metadata: pqtype.NullRawMessage{
+						RawMessage: json.RawMessage(`{"cache":"hit"}`),
+						Valid:      true,
+					},
+					CreatedAt: now.Add(10 * time.Second),
+				},
+			},
+			userPrompts: []database.AIBridgeUserPrompt{
+				{
+					ID:                 uuid.New(),
+					InterceptionID:     interceptionID,
+					ProviderResponseID: "resp-123",
+					Prompt:             "Hello, world!",
+					Metadata: pqtype.NullRawMessage{
+						RawMessage: json.RawMessage(`{"role":"user"}`),
+						Valid:      true,
+					},
+					CreatedAt: now.Add(5 * time.Second),
+				},
+			},
+			toolUsages: []database.AIBridgeToolUsage{
+				{
+					ID:                 uuid.New(),
+					InterceptionID:     interceptionID,
+					ProviderResponseID: "resp-123",
+					ServerUrl: sql.NullString{
+						String: "https://mcp.example.com",
+						Valid:  true,
+					},
+					Tool:     "read_file",
+					Input:    `{"path":"/tmp/test.txt"}`,
+					Injected: true,
+					InvocationError: sql.NullString{
+						String: "file not found",
+						Valid:  true,
+					},
+					Metadata: pqtype.NullRawMessage{
+						RawMessage: json.RawMessage(`{"duration_ms":50}`),
+						Valid:      true,
+					},
+					CreatedAt: now.Add(15 * time.Second),
+				},
+			},
+			expected: codersdk.AIBridgeInterception{
+				ID: interceptionID,
+				Initiator: codersdk.MinimalUser{
+					ID:        initiatorID,
+					Username:  "testuser",
+					Name:      "Test User",
+					AvatarURL: "https://example.com/avatar.png",
+				},
+				Provider:  "anthropic",
+				Model:     "claude-3-opus",
+				Metadata:  map[string]any{"key": "value"},
+				StartedAt: now,
+			},
+		},
+		{
+			name: "no_optional_values_set",
+			interception: database.AIBridgeInterception{
+				ID:          interceptionID,
+				InitiatorID: initiatorID,
+				Provider:    "openai",
+				Model:       "gpt-4",
+				StartedAt:   now,
+				Metadata:    pqtype.NullRawMessage{Valid: false},
+				EndedAt:     sql.NullTime{Valid: false},
+				APIKeyID:    sql.NullString{Valid: false},
+				Client:      sql.NullString{Valid: false},
+			},
+			initiator: database.VisibleUser{
+				ID:        initiatorID,
+				Username:  "minimaluser",
+				Name:      "",
+				AvatarURL: "",
+			},
+			tokenUsages: nil,
+			userPrompts: nil,
+			toolUsages:  nil,
+			expected: codersdk.AIBridgeInterception{
+				ID: interceptionID,
+				Initiator: codersdk.MinimalUser{
+					ID:        initiatorID,
+					Username:  "minimaluser",
+					Name:      "",
+					AvatarURL: "",
+				},
+				Provider:  "openai",
+				Model:     "gpt-4",
+				Metadata:  nil,
+				StartedAt: now,
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			result := db2sdk.AIBridgeInterception(
+				tc.interception,
+				tc.initiator,
+				tc.tokenUsages,
+				tc.userPrompts,
+				tc.toolUsages,
+			)
+
+			// Check basic fields.
+			require.Equal(t, tc.expected.ID, result.ID)
+			require.Equal(t, tc.expected.Initiator, result.Initiator)
+			require.Equal(t, tc.expected.Provider, result.Provider)
+			require.Equal(t, tc.expected.Model, result.Model)
+			require.Equal(t, tc.expected.StartedAt.UTC(), result.StartedAt.UTC())
+			require.Equal(t, tc.expected.Metadata, result.Metadata)
+
+			// Check optional pointer fields.
+			if tc.interception.APIKeyID.Valid {
+				require.NotNil(t, result.APIKeyID)
+				require.Equal(t, tc.interception.APIKeyID.String, *result.APIKeyID)
+			} else {
+				require.Nil(t, result.APIKeyID)
+			}
+
+			if tc.interception.EndedAt.Valid {
+				require.NotNil(t, result.EndedAt)
+				require.Equal(t, tc.interception.EndedAt.Time.UTC(), result.EndedAt.UTC())
+			} else {
+				require.Nil(t, result.EndedAt)
+			}
+
+			if tc.interception.Client.Valid {
+				require.NotNil(t, result.Client)
+				require.Equal(t, tc.interception.Client.String, *result.Client)
+			} else {
+				require.Nil(t, result.Client)
+			}
+
+			// Check slices.
+			require.Len(t, result.TokenUsages, len(tc.tokenUsages))
+			require.Len(t, result.UserPrompts, len(tc.userPrompts))
+			require.Len(t, result.ToolUsages, len(tc.toolUsages))
+
+			// Verify token usages are converted correctly.
+			for i, tu := range tc.tokenUsages {
+				require.Equal(t, tu.ID, result.TokenUsages[i].ID)
+				require.Equal(t, tu.InterceptionID, result.TokenUsages[i].InterceptionID)
+				require.Equal(t, tu.ProviderResponseID, result.TokenUsages[i].ProviderResponseID)
+				require.Equal(t, tu.InputTokens, result.TokenUsages[i].InputTokens)
+				require.Equal(t, tu.OutputTokens, result.TokenUsages[i].OutputTokens)
+			}
+
+			// Verify user prompts are converted correctly.
+			for i, up := range tc.userPrompts {
+				require.Equal(t, up.ID, result.UserPrompts[i].ID)
+				require.Equal(t, up.InterceptionID, result.UserPrompts[i].InterceptionID)
+				require.Equal(t, up.ProviderResponseID, result.UserPrompts[i].ProviderResponseID)
+				require.Equal(t, up.Prompt, result.UserPrompts[i].Prompt)
+			}
+
+			// Verify tool usages are converted correctly.
+			for i, toolUsage := range tc.toolUsages {
+				require.Equal(t, toolUsage.ID, result.ToolUsages[i].ID)
+				require.Equal(t, toolUsage.InterceptionID, result.ToolUsages[i].InterceptionID)
+				require.Equal(t, toolUsage.ProviderResponseID, result.ToolUsages[i].ProviderResponseID)
+				require.Equal(t, toolUsage.ServerUrl.String, result.ToolUsages[i].ServerURL)
+				require.Equal(t, toolUsage.Tool, result.ToolUsages[i].Tool)
+				require.Equal(t, toolUsage.Input, result.ToolUsages[i].Input)
+				require.Equal(t, toolUsage.Injected, result.ToolUsages[i].Injected)
+				require.Equal(t, toolUsage.InvocationError.String, result.ToolUsages[i].InvocationError)
+			}
+		})
+	}
+}
@@ -19,7 +19,6 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/xerrors"

-	"cdr.dev/slog/v3"
 	"github.com/coder/coder/v2/coderd/apikey"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/db2sdk"
@@ -30,7 +29,6 @@ import (
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/rbac/rolestore"
-	"github.com/coder/coder/v2/coderd/taskname"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/cryptorand"
 	"github.com/coder/coder/v2/provisionerd/proto"
@@ -1592,6 +1590,7 @@ func AIBridgeInterception(t testing.TB, db database.Store, seed database.InsertA
 		Model:       takeFirst(seed.Model, "model"),
 		Metadata:    takeFirstSlice(seed.Metadata, json.RawMessage("{}")),
 		StartedAt:   takeFirst(seed.StartedAt, dbtime.Now()),
+		Client:      seed.Client,
 	})
 	if endedAt != nil {
 		interception, err = db.UpdateAIBridgeInterceptionEnded(genCtx, database.UpdateAIBridgeInterceptionEndedParams{
@@ -1664,13 +1663,12 @@ func Task(t testing.TB, db database.Store, orig database.TaskTable) database.Tas
 		parameters = json.RawMessage([]byte("{}"))
 	}

-	taskName := taskname.Generate(genCtx, slog.Make(), orig.Prompt)
 	task, err := db.InsertTask(genCtx, database.InsertTaskParams{
 		ID:                 takeFirst(orig.ID, uuid.New()),
 		OrganizationID:     orig.OrganizationID,
 		OwnerID:            orig.OwnerID,
-		Name:               takeFirst(orig.Name, taskName.Name),
-		DisplayName:        takeFirst(orig.DisplayName, taskName.DisplayName),
+		Name:               takeFirst(orig.Name, testutil.GetRandomNameHyphenated(t)),
+		DisplayName:        takeFirst(orig.DisplayName, testutil.GetRandomNameHyphenated(t)),
 		WorkspaceID:        orig.WorkspaceID,
 		TemplateVersionID:  orig.TemplateVersionID,
 		TemplateParameters: parameters,
@@ -1023,7 +1023,8 @@ CREATE TABLE aibridge_interceptions (
    started_at timestamp with time zone NOT NULL,
    metadata jsonb,
    ended_at timestamp with time zone,
-    api_key_id text
+    api_key_id text,
+    client character varying(64) DEFAULT 'Unknown'::character varying
 );

 COMMENT ON TABLE aibridge_interceptions IS 'Audit log of requests intercepted by AI Bridge';
@@ -2736,7 +2737,9 @@ CREATE TABLE workspaces (
    favorite boolean DEFAULT false NOT NULL,
    next_start_at timestamp with time zone,
    group_acl jsonb DEFAULT '{}'::jsonb NOT NULL,
-    user_acl jsonb DEFAULT '{}'::jsonb NOT NULL
+    user_acl jsonb DEFAULT '{}'::jsonb NOT NULL,
+    CONSTRAINT group_acl_is_object CHECK ((jsonb_typeof(group_acl) = 'object'::text)),
+    CONSTRAINT user_acl_is_object CHECK ((jsonb_typeof(user_acl) = 'object'::text))
 );

 COMMENT ON COLUMN workspaces.favorite IS 'Favorite is true if the workspace owner has favorited the workspace.';
@@ -3272,6 +3275,8 @@ CREATE INDEX idx_agent_stats_created_at ON workspace_agent_stats USING btree (cr

 CREATE INDEX idx_agent_stats_user_id ON workspace_agent_stats USING btree (user_id);

+CREATE INDEX idx_aibridge_interceptions_client ON aibridge_interceptions USING btree (client);
+
 CREATE INDEX idx_aibridge_interceptions_initiator_id ON aibridge_interceptions USING btree (initiator_id);

 CREATE INDEX idx_aibridge_interceptions_model ON aibridge_interceptions USING btree (model);
@@ -0,0 +1,3 @@
+ALTER TABLE workspaces
+    DROP CONSTRAINT IF EXISTS group_acl_is_object,
+    DROP CONSTRAINT IF EXISTS user_acl_is_object;
@@ -0,0 +1,9 @@
+-- Add constraints that reject 'null'::jsonb for group and user ACLs
+-- because they would break the new workspace_expanded view.
+
+UPDATE workspaces SET group_acl = '{}'::jsonb WHERE group_acl = 'null'::jsonb;
+UPDATE workspaces SET user_acl = '{}'::jsonb WHERE user_acl = 'null'::jsonb;
+
+ALTER TABLE workspaces
+    ADD CONSTRAINT group_acl_is_object CHECK (jsonb_typeof(group_acl) = 'object'),
+    ADD CONSTRAINT user_acl_is_object CHECK (jsonb_typeof(user_acl) = 'object');
@@ -0,0 +1,2 @@
+ALTER TABLE aibridge_interceptions
+    DROP COLUMN client;
@@ -0,0 +1,5 @@
+ALTER TABLE aibridge_interceptions
+    ADD COLUMN client VARCHAR(64)
+	DEFAULT 'Unknown';
+
+CREATE INDEX idx_aibridge_interceptions_client ON aibridge_interceptions (client);
@@ -0,0 +1,4 @@
+-- Remove Task 'paused' transition template notification
+DELETE FROM notification_templates WHERE id = '2a74f3d3-ab09-4123-a4a5-ca238f4f65a1';
+-- Remove Task 'resumed' transition template notification
+DELETE FROM notification_templates WHERE id = '843ee9c3-a8fb-4846-afa9-977bec578649';
@@ -0,0 +1,63 @@
+-- Task transition to 'paused' status
+INSERT INTO notification_templates (
+	id,
+	name,
+	title_template,
+	body_template,
+	actions,
+	"group",
+	method,
+	kind,
+	enabled_by_default
+) VALUES (
+			 '2a74f3d3-ab09-4123-a4a5-ca238f4f65a1',
+			 'Task Paused',
+			 E'Task ''{{.Labels.task}}'' is paused',
+			 E'The task ''{{.Labels.task}}'' was paused ({{.Labels.pause_reason}}).',
+			 '[
+				 {
+					 "label": "View task",
+					 "url": "{{base_url}}/tasks/{{.UserUsername}}/{{.Labels.task_id}}"
+				 },
+				 {
+					 "label": "View workspace",
+					 "url": "{{base_url}}/@{{.UserUsername}}/{{.Labels.workspace}}"
+				 }
+			 ]'::jsonb,
+			 'Task Events',
+			 NULL,
+			 'system'::notification_template_kind,
+			 true
+		 );
+
+-- Task transition to 'resumed' status
+INSERT INTO notification_templates (
+	id,
+	name,
+	title_template,
+	body_template,
+	actions,
+	"group",
+	method,
+	kind,
+	enabled_by_default
+) VALUES (
+			 '843ee9c3-a8fb-4846-afa9-977bec578649',
+			 'Task Resumed',
+			 E'Task ''{{.Labels.task}}'' has resumed',
+			 E'The task ''{{.Labels.task}}'' has resumed.',
+			 '[
+				 {
+					 "label": "View task",
+					 "url": "{{base_url}}/tasks/{{.UserUsername}}/{{.Labels.task_id}}"
+				 },
+				 {
+					 "label": "View workspace",
+					 "url": "{{base_url}}/@{{.UserUsername}}/{{.Labels.workspace}}"
+				 }
+			 ]'::jsonb,
+			 'Task Events',
+			 NULL,
+			 'system'::notification_template_kind,
+			 true
+		 );
@@ -138,7 +138,6 @@ func TestCheckLatestVersion(t *testing.T) {
 	}

 	for i, tc := range tests {
-		i, tc := i, tc
 		t.Run(fmt.Sprintf("entry %d", i), func(t *testing.T) {
 			t.Parallel()

@@ -0,0 +1,35 @@
+-- Fixture for migration 000417_workspace_acl_object_constraint.
+-- Inserts a workspace with 'null'::json ACLs to ensure the migration
+-- correctly normalizes such values.
+
+INSERT INTO workspaces (
+    id,
+    created_at,
+    updated_at,
+    owner_id,
+    organization_id,
+    template_id,
+    deleted,
+    name,
+    last_used_at,
+    automatic_updates,
+    favorite,
+    group_acl,
+    user_acl
+)
+VALUES (
+    '6f6fdbee-4c18-4a5c-8a8d-9b811c9f0a28',
+    '2024-02-10 00:00:00+00',
+    '2024-02-10 00:00:00+00',
+    '30095c71-380b-457a-8995-97b8ee6e5307',
+    'bb640d07-ca8a-4869-b6bc-ae61ebb2fda1',
+    '4cc1f466-f326-477e-8762-9d0c6781fc56',
+    false,
+    'acl-null-workspace',
+    '0001-01-01 00:00:00+00',
+    'never',
+    false,
+    'null'::jsonb,
+    'null'::jsonb
+)
+ON CONFLICT DO NOTHING;
@@ -790,6 +790,7 @@ func (q *sqlQuerier) ListAuthorizedAIBridgeInterceptions(ctx context.Context, ar
 		arg.InitiatorID,
 		arg.Provider,
 		arg.Model,
+		arg.Client,
 		arg.AfterID,
 		arg.Offset,
 		arg.Limit,
@@ -810,6 +811,7 @@ func (q *sqlQuerier) ListAuthorizedAIBridgeInterceptions(ctx context.Context, ar
 			&i.AIBridgeInterception.Metadata,
 			&i.AIBridgeInterception.EndedAt,
 			&i.AIBridgeInterception.APIKeyID,
+			&i.AIBridgeInterception.Client,
 			&i.VisibleUser.ID,
 			&i.VisibleUser.Username,
 			&i.VisibleUser.Name,
@@ -847,6 +849,7 @@ func (q *sqlQuerier) CountAuthorizedAIBridgeInterceptions(ctx context.Context, a
 		arg.InitiatorID,
 		arg.Provider,
 		arg.Model,
+		arg.Client,
 	)
 	if err != nil {
 		return 0, err
@@ -3642,6 +3642,7 @@ type AIBridgeInterception struct {
 	Metadata    pqtype.NullRawMessage `db:"metadata" json:"metadata"`
 	EndedAt     sql.NullTime          `db:"ended_at" json:"ended_at"`
 	APIKeyID    sql.NullString        `db:"api_key_id" json:"api_key_id"`
+	Client      sql.NullString        `db:"client" json:"client"`
 }

 // Audit log of tokens used by intercepted requests in AI Bridge
@@ -6319,6 +6319,56 @@ func TestGetWorkspaceAgentsByParentID(t *testing.T) {
 	})
 }

+func TestGetWorkspaceAgentByInstanceID(t *testing.T) {
+	t.Parallel()
+
+	// Context: https://github.com/coder/coder/pull/22196
+	t.Run("DoesNotReturnSubAgents", func(t *testing.T) {
+		t.Parallel()
+
+		// Given: A parent workspace agent with an AuthInstanceID and a
+		// sub-agent that shares the same AuthInstanceID.
+		db, _ := dbtestutil.NewDB(t)
+		org := dbgen.Organization(t, db, database.Organization{})
+		job := dbgen.ProvisionerJob(t, db, nil, database.ProvisionerJob{
+			Type:           database.ProvisionerJobTypeTemplateVersionImport,
+			OrganizationID: org.ID,
+		})
+		resource := dbgen.WorkspaceResource(t, db, database.WorkspaceResource{
+			JobID: job.ID,
+		})
+
+		authInstanceID := fmt.Sprintf("instance-%s-%d", t.Name(), time.Now().UnixNano())
+		parentAgent := dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{
+			ResourceID: resource.ID,
+			AuthInstanceID: sql.NullString{
+				String: authInstanceID,
+				Valid:  true,
+			},
+		})
+		// Create a sub-agent with the same AuthInstanceID (simulating
+		// the old behavior before the fix).
+		_ = dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{
+			ParentID:   uuid.NullUUID{UUID: parentAgent.ID, Valid: true},
+			ResourceID: resource.ID,
+			AuthInstanceID: sql.NullString{
+				String: authInstanceID,
+				Valid:  true,
+			},
+		})
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		// When: We look up the agent by instance ID.
+		agent, err := db.GetWorkspaceAgentByInstanceID(ctx, authInstanceID)
+		require.NoError(t, err)
+
+		// Then: The result must be the parent agent, not the sub-agent.
+		assert.Equal(t, parentAgent.ID, agent.ID, "instance ID lookup should return the parent agent, not a sub-agent")
+		assert.False(t, agent.ParentID.Valid, "returned agent should not have a parent (should be the parent itself)")
+	})
+}
+
 func requireUsersMatch(t testing.TB, expected []database.User, found []database.GetUsersRow, msg string) {
 	t.Helper()
 	require.ElementsMatch(t, expected, database.ConvertUserRows(found), msg)
@@ -6646,7 +6696,6 @@ func TestUserSecretsAuthorization(t *testing.T) {
 	}

 	for _, tc := range testCases {
-		tc := tc // capture range variable
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			ctx := testutil.Context(t, testutil.WaitMedium)
@@ -6765,6 +6814,65 @@ func TestWorkspaceBuildDeadlineConstraint(t *testing.T) {
 	}
 }

+func TestWorkspaceACLObjectConstraint(t *testing.T) {
+	t.Parallel()
+
+	db, _ := dbtestutil.NewDB(t)
+	org := dbgen.Organization(t, db, database.Organization{})
+	user := dbgen.User(t, db, database.User{})
+	template := dbgen.Template(t, db, database.Template{
+		CreatedBy:      user.ID,
+		OrganizationID: org.ID,
+	})
+	workspace := dbgen.Workspace(t, db, database.WorkspaceTable{
+		OwnerID:    user.ID,
+		TemplateID: template.ID,
+		Deleted:    false,
+	})
+
+	t.Run("GroupACLNull", func(t *testing.T) {
+		t.Parallel()
+
+		var nilACL database.WorkspaceACL
+
+		ctx := testutil.Context(t, testutil.WaitLong)
+		err := db.UpdateWorkspaceACLByID(ctx, database.UpdateWorkspaceACLByIDParams{
+			ID:       workspace.ID,
+			GroupACL: nilACL,
+			UserACL:  database.WorkspaceACL{},
+		})
+		require.Error(t, err)
+		require.True(t, database.IsCheckViolation(err, database.CheckGroupAclIsObject))
+	})
+
+	t.Run("UserACLNull", func(t *testing.T) {
+		t.Parallel()
+
+		var nilACL database.WorkspaceACL
+
+		ctx := testutil.Context(t, testutil.WaitLong)
+		err := db.UpdateWorkspaceACLByID(ctx, database.UpdateWorkspaceACLByIDParams{
+			ID:       workspace.ID,
+			GroupACL: database.WorkspaceACL{},
+			UserACL:  nilACL,
+		})
+		require.Error(t, err)
+		require.True(t, database.IsCheckViolation(err, database.CheckUserAclIsObject))
+	})
+
+	t.Run("ValidEmptyObjects", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitLong)
+		err := db.UpdateWorkspaceACLByID(ctx, database.UpdateWorkspaceACLByIDParams{
+			ID:       workspace.ID,
+			GroupACL: database.WorkspaceACL{},
+			UserACL:  database.WorkspaceACL{},
+		})
+		require.NoError(t, err)
+	})
+}
+
 // TestGetLatestWorkspaceBuildsByWorkspaceIDs populates the database with
 // workspaces and builds. It then tests that
 // GetLatestWorkspaceBuildsByWorkspaceIDs returns the latest build for some
@@ -7401,7 +7509,6 @@ func TestGetTaskByWorkspaceID(t *testing.T) {
 	db, _ := dbtestutil.NewDB(t)

 	for _, tt := range tests {
-		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()

@@ -7941,7 +8048,6 @@ func TestUpdateTaskWorkspaceID(t *testing.T) {
 	}

 	for _, tt := range tests {
-		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()

@@ -8011,12 +8117,15 @@ func TestUpdateAIBridgeInterceptionEnded(t *testing.T) {
 				ID:          uid,
 				InitiatorID: user.ID,
 				Metadata:    json.RawMessage("{}"),
+				Client:      sql.NullString{String: "client", Valid: true},
 			}

 			intc, err := db.InsertAIBridgeInterception(ctx, insertParams)
 			require.NoError(t, err)
 			require.Equal(t, uid, intc.ID)
 			require.False(t, intc.EndedAt.Valid)
+			require.True(t, intc.Client.Valid)
+			require.Equal(t, "client", intc.Client.String)
 			interceptions = append(interceptions, intc)
 		}

@@ -123,8 +123,7 @@ WITH interceptions_in_range AS (
    WHERE
        provider = $1::text
        AND model = $2::text
-        -- TODO: use the client value once we have it (see https://github.com/coder/aibridge/issues/31)
-        AND 'unknown' = $3::text
+        AND COALESCE(client, 'Unknown') = $3::text
        AND ended_at IS NOT NULL -- incomplete interceptions are not included in summaries
        AND ended_at >= $4::timestamptz
        AND ended_at < $5::timestamptz
@@ -301,6 +300,11 @@ WHERE
 		WHEN $5::text != '' THEN aibridge_interceptions.model = $5::text
 		ELSE true
 	END
+	-- Filter client
+	AND CASE
+		WHEN $6::text != '' THEN COALESCE(aibridge_interceptions.client, 'Unknown') = $6::text
+		ELSE true
+	END
 	-- Authorize Filter clause will be injected below in ListAuthorizedAIBridgeInterceptions
 	-- @authorize_filter
 `
@@ -311,6 +315,7 @@ type CountAIBridgeInterceptionsParams struct {
 	InitiatorID   uuid.UUID `db:"initiator_id" json:"initiator_id"`
 	Provider      string    `db:"provider" json:"provider"`
 	Model         string    `db:"model" json:"model"`
+	Client        string    `db:"client" json:"client"`
 }

 func (q *sqlQuerier) CountAIBridgeInterceptions(ctx context.Context, arg CountAIBridgeInterceptionsParams) (int64, error) {
@@ -320,6 +325,7 @@ func (q *sqlQuerier) CountAIBridgeInterceptions(ctx context.Context, arg CountAI
 		arg.InitiatorID,
 		arg.Provider,
 		arg.Model,
+		arg.Client,
 	)
 	var count int64
 	err := row.Scan(&count)
@@ -372,7 +378,7 @@ func (q *sqlQuerier) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime ti

 const getAIBridgeInterceptionByID = `-- name: GetAIBridgeInterceptionByID :one
 SELECT
-	id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id
+	id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id, client
 FROM
 	aibridge_interceptions
 WHERE
@@ -391,13 +397,14 @@ func (q *sqlQuerier) GetAIBridgeInterceptionByID(ctx context.Context, id uuid.UU
 		&i.Metadata,
 		&i.EndedAt,
 		&i.APIKeyID,
+		&i.Client,
 	)
 	return i, err
 }

 const getAIBridgeInterceptions = `-- name: GetAIBridgeInterceptions :many
 SELECT
-	id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id
+	id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id, client
 FROM
 	aibridge_interceptions
 `
@@ -420,6 +427,7 @@ func (q *sqlQuerier) GetAIBridgeInterceptions(ctx context.Context) ([]AIBridgeIn
 			&i.Metadata,
 			&i.EndedAt,
 			&i.APIKeyID,
+			&i.Client,
 		); err != nil {
 			return nil, err
 		}
@@ -565,11 +573,11 @@ func (q *sqlQuerier) GetAIBridgeUserPromptsByInterceptionID(ctx context.Context,

 const insertAIBridgeInterception = `-- name: InsertAIBridgeInterception :one
 INSERT INTO aibridge_interceptions (
-	id, api_key_id, initiator_id, provider, model, metadata, started_at
+	id, api_key_id, initiator_id, provider, model, metadata, started_at, client
 ) VALUES (
-	$1, $2, $3, $4, $5, COALESCE($6::jsonb, '{}'::jsonb), $7
+	$1, $2, $3, $4, $5, COALESCE($6::jsonb, '{}'::jsonb), $7, $8
 )
-RETURNING id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id
+RETURNING id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id, client
 `

 type InsertAIBridgeInterceptionParams struct {
@@ -580,6 +588,7 @@ type InsertAIBridgeInterceptionParams struct {
 	Model       string          `db:"model" json:"model"`
 	Metadata    json.RawMessage `db:"metadata" json:"metadata"`
 	StartedAt   time.Time       `db:"started_at" json:"started_at"`
+	Client      sql.NullString  `db:"client" json:"client"`
 }

 func (q *sqlQuerier) InsertAIBridgeInterception(ctx context.Context, arg InsertAIBridgeInterceptionParams) (AIBridgeInterception, error) {
@@ -591,6 +600,7 @@ func (q *sqlQuerier) InsertAIBridgeInterception(ctx context.Context, arg InsertA
 		arg.Model,
 		arg.Metadata,
 		arg.StartedAt,
+		arg.Client,
 	)
 	var i AIBridgeInterception
 	err := row.Scan(
@@ -602,6 +612,7 @@ func (q *sqlQuerier) InsertAIBridgeInterception(ctx context.Context, arg InsertA
 		&i.Metadata,
 		&i.EndedAt,
 		&i.APIKeyID,
+		&i.Client,
 	)
 	return i, err
 }
@@ -740,7 +751,7 @@ func (q *sqlQuerier) InsertAIBridgeUserPrompt(ctx context.Context, arg InsertAIB

 const listAIBridgeInterceptions = `-- name: ListAIBridgeInterceptions :many
 SELECT
-	aibridge_interceptions.id, aibridge_interceptions.initiator_id, aibridge_interceptions.provider, aibridge_interceptions.model, aibridge_interceptions.started_at, aibridge_interceptions.metadata, aibridge_interceptions.ended_at, aibridge_interceptions.api_key_id,
+	aibridge_interceptions.id, aibridge_interceptions.initiator_id, aibridge_interceptions.provider, aibridge_interceptions.model, aibridge_interceptions.started_at, aibridge_interceptions.metadata, aibridge_interceptions.ended_at, aibridge_interceptions.api_key_id, aibridge_interceptions.client,
 	visible_users.id, visible_users.username, visible_users.name, visible_users.avatar_url
 FROM
 	aibridge_interceptions
@@ -773,9 +784,14 @@ WHERE
 		WHEN $5::text != '' THEN aibridge_interceptions.model = $5::text
 		ELSE true
 	END
+	-- Filter client
+	AND CASE
+		WHEN $6::text != '' THEN COALESCE(aibridge_interceptions.client, 'Unknown') = $6::text
+		ELSE true
+	END
 	-- Cursor pagination
 	AND CASE
-		WHEN $6::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN (
+		WHEN $7::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN (
 			-- The pagination cursor is the last ID of the previous page.
 			-- The query is ordered by the started_at field, so select all
 			-- rows before the cursor and before the after_id UUID.
@@ -783,8 +799,8 @@ WHERE
 			-- "after_id" terminology comes from our pagination parser in
 			-- coderd.
 			(aibridge_interceptions.started_at, aibridge_interceptions.id) < (
-				(SELECT started_at FROM aibridge_interceptions WHERE id = $6),
-				$6::uuid
+				(SELECT started_at FROM aibridge_interceptions WHERE id = $7),
+				$7::uuid
 			)
 		)
 		ELSE true
@@ -794,8 +810,8 @@ WHERE
 ORDER BY
 	aibridge_interceptions.started_at DESC,
 	aibridge_interceptions.id DESC
-LIMIT COALESCE(NULLIF($8::integer, 0), 100)
-OFFSET $7
+LIMIT COALESCE(NULLIF($9::integer, 0), 100)
+OFFSET $8
 `

 type ListAIBridgeInterceptionsParams struct {
@@ -804,6 +820,7 @@ type ListAIBridgeInterceptionsParams struct {
 	InitiatorID   uuid.UUID `db:"initiator_id" json:"initiator_id"`
 	Provider      string    `db:"provider" json:"provider"`
 	Model         string    `db:"model" json:"model"`
+	Client        string    `db:"client" json:"client"`
 	AfterID       uuid.UUID `db:"after_id" json:"after_id"`
 	Offset        int32     `db:"offset_" json:"offset_"`
 	Limit         int32     `db:"limit_" json:"limit_"`
@@ -821,6 +838,7 @@ func (q *sqlQuerier) ListAIBridgeInterceptions(ctx context.Context, arg ListAIBr
 		arg.InitiatorID,
 		arg.Provider,
 		arg.Model,
+		arg.Client,
 		arg.AfterID,
 		arg.Offset,
 		arg.Limit,
@@ -841,6 +859,7 @@ func (q *sqlQuerier) ListAIBridgeInterceptions(ctx context.Context, arg ListAIBr
 			&i.AIBridgeInterception.Metadata,
 			&i.AIBridgeInterception.EndedAt,
 			&i.AIBridgeInterception.APIKeyID,
+			&i.AIBridgeInterception.Client,
 			&i.VisibleUser.ID,
 			&i.VisibleUser.Username,
 			&i.VisibleUser.Name,
@@ -864,8 +883,7 @@ SELECT
    DISTINCT ON (provider, model, client)
    provider,
    model,
-    -- TODO: use the client value once we have it (see https://github.com/coder/aibridge/issues/31)
-    'unknown' AS client
+    COALESCE(client, 'Unknown') AS client
 FROM
    aibridge_interceptions
 WHERE
@@ -1047,7 +1065,7 @@ UPDATE aibridge_interceptions
 WHERE
 	id = $2::uuid
 	AND ended_at IS NULL
-RETURNING id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id
+RETURNING id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id, client
 `

 type UpdateAIBridgeInterceptionEndedParams struct {
@@ -1067,6 +1085,7 @@ func (q *sqlQuerier) UpdateAIBridgeInterceptionEnded(ctx context.Context, arg Up
 		&i.Metadata,
 		&i.EndedAt,
 		&i.APIKeyID,
+		&i.Client,
 	)
 	return i, err
 }
@@ -18232,6 +18251,8 @@ WHERE
 	auth_instance_id = $1 :: TEXT
 	-- Filter out deleted sub agents.
 	AND deleted = FALSE
+	-- Filter out sub agents, they do not authenticate with auth_instance_id.
+	AND parent_id IS NULL
 ORDER BY
 	created_at DESC
 `
@@ -1,8 +1,8 @@
 -- name: InsertAIBridgeInterception :one
 INSERT INTO aibridge_interceptions (
-	id, api_key_id, initiator_id, provider, model, metadata, started_at
+	id, api_key_id, initiator_id, provider, model, metadata, started_at, client
 ) VALUES (
-	@id, @api_key_id, @initiator_id, @provider, @model, COALESCE(@metadata::jsonb, '{}'::jsonb), @started_at
+	@id, @api_key_id, @initiator_id, @provider, @model, COALESCE(@metadata::jsonb, '{}'::jsonb), @started_at, @client
 )
 RETURNING *;

@@ -115,6 +115,11 @@ WHERE
 		WHEN @model::text != '' THEN aibridge_interceptions.model = @model::text
 		ELSE true
 	END
+	-- Filter client
+	AND CASE
+		WHEN @client::text != '' THEN COALESCE(aibridge_interceptions.client, 'Unknown') = @client::text
+		ELSE true
+	END
 	-- Authorize Filter clause will be injected below in ListAuthorizedAIBridgeInterceptions
 	-- @authorize_filter
 ;
@@ -154,6 +159,11 @@ WHERE
 		WHEN @model::text != '' THEN aibridge_interceptions.model = @model::text
 		ELSE true
 	END
+	-- Filter client
+	AND CASE
+		WHEN @client::text != '' THEN COALESCE(aibridge_interceptions.client, 'Unknown') = @client::text
+		ELSE true
+	END
 	-- Cursor pagination
 	AND CASE
 		WHEN @after_id::uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN (
@@ -219,8 +229,7 @@ SELECT
    DISTINCT ON (provider, model, client)
    provider,
    model,
-    -- TODO: use the client value once we have it (see https://github.com/coder/aibridge/issues/31)
-    'unknown' AS client
+    COALESCE(client, 'Unknown') AS client
 FROM
    aibridge_interceptions
 WHERE
@@ -242,8 +251,7 @@ WITH interceptions_in_range AS (
    WHERE
        provider = @provider::text
        AND model = @model::text
-        -- TODO: use the client value once we have it (see https://github.com/coder/aibridge/issues/31)
-        AND 'unknown' = @client::text
+        AND COALESCE(client, 'Unknown') = @client::text
        AND ended_at IS NOT NULL -- incomplete interceptions are not included in summaries
        AND ended_at >= @ended_at_after::timestamptz
        AND ended_at < @ended_at_before::timestamptz
@@ -17,6 +17,8 @@ WHERE
 	auth_instance_id = @auth_instance_id :: TEXT
 	-- Filter out deleted sub agents.
 	AND deleted = FALSE
+	-- Filter out sub agents, they do not authenticate with auth_instance_id.
+	AND parent_id IS NULL
 ORDER BY
 	created_at DESC;

@@ -86,7 +86,6 @@ func FindClosestNode(nodes []Node) (Node, error) {
 		eg      = errgroup.Group{}
 	)
 	for i, node := range nodes {
-		i, node := i, node
 		eg.Go(func() error {
 			pinger, err := ping.NewPinger(node.HostnameHTTPS)
 			if err != nil {
@@ -106,7 +106,6 @@ func TestNormalizeAudienceURI(t *testing.T) {
 	}

 	for _, tc := range testCases {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			result := normalizeAudienceURI(tc.input)
@@ -157,7 +156,6 @@ func TestNormalizeHost(t *testing.T) {
 	}

 	for _, tc := range testCases {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			result := normalizeHost(tc.input)
@@ -203,7 +201,6 @@ func TestNormalizePathSegments(t *testing.T) {
 	}

 	for _, tc := range testCases {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			result := normalizePathSegments(tc.input)
@@ -247,7 +244,6 @@ func TestExtractExpectedAudience(t *testing.T) {
 	}

 	for _, tc := range testCases {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			var req *http.Request
@@ -106,6 +106,10 @@ func ExtractUserContext(ctx context.Context, db database.Store, rw http.Response
 	if userID, err := uuid.Parse(userQuery); err == nil {
 		user, err = db.GetUserByID(ctx, userID)
 		if err != nil {
+			if httpapi.Is404Error(err) {
+				httpapi.ResourceNotFound(rw)
+				return database.User{}, false
+			}
 			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 				Message: userErrorMessage,
 				Detail:  fmt.Sprintf("queried user=%q", userQuery),
@@ -120,6 +124,10 @@ func ExtractUserContext(ctx context.Context, db database.Store, rw http.Response
 		Username: userQuery,
 	})
 	if err != nil {
+		if httpapi.Is404Error(err) {
+			httpapi.ResourceNotFound(rw)
+			return database.User{}, false
+		}
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 			Message: userErrorMessage,
 			Detail:  fmt.Sprintf("queried user=%q", userQuery),
@@ -71,7 +71,53 @@ func TestUserParam(t *testing.T) {
 		})).ServeHTTP(rw, r)
 		res := rw.Result()
 		defer res.Body.Close()
-		require.Equal(t, http.StatusBadRequest, res.StatusCode)
+		// User "ben" doesn't exist, so expect 404.
+		require.Equal(t, http.StatusNotFound, res.StatusCode)
+	})
+
+	t.Run("NotFoundByUsername", func(t *testing.T) {
+		t.Parallel()
+		db, rw, r := setup(t)
+
+		httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{
+			DB:              db,
+			RedirectToLogin: false,
+		})(http.HandlerFunc(func(rw http.ResponseWriter, returnedRequest *http.Request) {
+			r = returnedRequest
+		})).ServeHTTP(rw, r)
+
+		routeContext := chi.NewRouteContext()
+		routeContext.URLParams.Add("user", "nonexistent-user")
+		r = r.WithContext(context.WithValue(r.Context(), chi.RouteCtxKey, routeContext))
+		httpmw.ExtractUserParam(db)(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			rw.WriteHeader(http.StatusOK)
+		})).ServeHTTP(rw, r)
+		res := rw.Result()
+		defer res.Body.Close()
+		require.Equal(t, http.StatusNotFound, res.StatusCode)
+	})
+
+	t.Run("NotFoundByUUID", func(t *testing.T) {
+		t.Parallel()
+		db, rw, r := setup(t)
+
+		httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{
+			DB:              db,
+			RedirectToLogin: false,
+		})(http.HandlerFunc(func(rw http.ResponseWriter, returnedRequest *http.Request) {
+			r = returnedRequest
+		})).ServeHTTP(rw, r)
+
+		routeContext := chi.NewRouteContext()
+		// Use a valid UUID that doesn't exist in the database.
+		routeContext.URLParams.Add("user", "88888888-4444-4444-4444-121212121212")
+		r = r.WithContext(context.WithValue(r.Context(), chi.RouteCtxKey, routeContext))
+		httpmw.ExtractUserParam(db)(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			rw.WriteHeader(http.StatusOK)
+		})).ServeHTTP(rw, r)
+		res := rw.Result()
+		defer res.Body.Close()
+		require.Equal(t, http.StatusNotFound, res.StatusCode)
 	})

 	t.Run("me", func(t *testing.T) {
@@ -59,4 +59,6 @@ var (
 	TemplateTaskIdle      = uuid.MustParse("d4a6271c-cced-4ed0-84ad-afd02a9c7799")
 	TemplateTaskCompleted = uuid.MustParse("8c5a4d12-9f7e-4b3a-a1c8-6e4f2d9b5a7c")
 	TemplateTaskFailed    = uuid.MustParse("3b7e8f1a-4c2d-49a6-b5e9-7f3a1c8d6b4e")
+	TemplateTaskPaused    = uuid.MustParse("2a74f3d3-ab09-4123-a4a5-ca238f4f65a1")
+	TemplateTaskResumed   = uuid.MustParse("843ee9c3-a8fb-4846-afa9-977bec578649")
 )
@@ -262,8 +262,6 @@ func TestWebhookDispatch(t *testing.T) {
 	// This is not strictly necessary for this test, but it's testing some side logic which is too small for its own test.
 	require.Equal(t, payload.Payload.UserName, name)
 	require.Equal(t, payload.Payload.UserUsername, username)
-	// Right now we don't have a way to query notification templates by ID in dbmem, and it's not necessary to add this
-	// just to satisfy this test. We can safely assume that as long as this value is not empty that the given value was delivered.
 	require.NotEmpty(t, payload.Payload.NotificationName)
 }

@@ -1304,6 +1302,37 @@ func TestNotificationTemplates_Golden(t *testing.T) {
 				Data: map[string]any{},
 			},
 		},
+		{
+			name: "TemplateTaskPaused",
+			id:   notifications.TemplateTaskPaused,
+			payload: types.MessagePayload{
+				UserName:     "Bobby",
+				UserEmail:    "bobby@coder.com",
+				UserUsername: "bobby",
+				Labels: map[string]string{
+					"task":         "my-task",
+					"task_id":      "00000000-0000-0000-0000-000000000000",
+					"workspace":    "my-workspace",
+					"pause_reason": "idle timeout",
+				},
+				Data: map[string]any{},
+			},
+		},
+		{
+			name: "TemplateTaskResumed",
+			id:   notifications.TemplateTaskResumed,
+			payload: types.MessagePayload{
+				UserName:     "Bobby",
+				UserEmail:    "bobby@coder.com",
+				UserUsername: "bobby",
+				Labels: map[string]string{
+					"task":      "my-task",
+					"task_id":   "00000000-0000-0000-0000-000000000001",
+					"workspace": "my-workspace",
+				},
+				Data: map[string]any{},
+			},
+		},
 	}

 	// We must have a test case for every notification_template. This is enforced below:
@@ -0,0 +1,85 @@
+From: system@coder.com
+To: bobby@coder.com
+Subject: Task 'my-task' is paused
+Message-Id: 02ee4935-73be-4fa1-a290-ff9999026b13@blush-whale-48
+Date: Fri, 11 Oct 2024 09:03:06 +0000
+Content-Type: multipart/alternative;  boundary=bbe61b741255b6098bb6b3c1f41b885773df633cb18d2a3002b68e4bc9c4
+MIME-Version: 1.0
+
+--bbe61b741255b6098bb6b3c1f41b885773df633cb18d2a3002b68e4bc9c4
+Content-Transfer-Encoding: quoted-printable
+Content-Type: text/plain; charset=UTF-8
+
+Hi Bobby,
+
+The task 'my-task' was paused (idle timeout).
+
+
+View task: http://test.com/tasks/bobby/00000000-0000-0000-0000-000000000000
+
+View workspace: http://test.com/@bobby/my-workspace
+
+--bbe61b741255b6098bb6b3c1f41b885773df633cb18d2a3002b68e4bc9c4
+Content-Transfer-Encoding: quoted-printable
+Content-Type: text/html; charset=UTF-8
+
+<!doctype html>
+<html lang=3D"en">
+  <head>
+    <meta charset=3D"UTF-8" />
+    <meta name=3D"viewport" content=3D"width=3Ddevice-width, initial-scale=
+=3D1.0" />
+    <title>Task 'my-task' is paused</title>
+  </head>
+  <body style=3D"margin: 0; padding: 0; font-family: -apple-system, system-=
+ui, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen', 'Ubuntu', 'Cantarel=
+l', 'Fira Sans', 'Droid Sans', 'Helvetica Neue', sans-serif; color: #020617=
+; background: #f8fafc;">
+    <div style=3D"max-width: 600px; margin: 20px auto; padding: 60px; borde=
+r: 1px solid #e2e8f0; border-radius: 8px; background-color: #fff; text-alig=
+n: left; font-size: 14px; line-height: 1.5;">
+      <div style=3D"text-align: center;">
+        <img src=3D"https://coder.com/coder-logo-horizontal.png" alt=3D"Cod=
+er Logo" style=3D"height: 40px;" />
+      </div>
+      <h1 style=3D"text-align: center; font-size: 24px; font-weight: 400; m=
+argin: 8px 0 32px; line-height: 1.5;">
+        Task 'my-task' is paused
+      </h1>
+      <div style=3D"line-height: 1.5;">
+        <p>Hi Bobby,</p>
+        <p>The task &lsquo;my-task&rsquo; was paused (idle timeout).</p>
+      </div>
+      <div style=3D"text-align: center; margin-top: 32px;">
+       =20
+        <a href=3D"http://test.com/tasks/bobby/00000000-0000-0000-0000-0000=
+00000000" style=3D"display: inline-block; padding: 13px 24px; background-co=
+lor: #020617; color: #f8fafc; text-decoration: none; border-radius: 8px; ma=
+rgin: 0 4px;">
+          View task
+        </a>
+       =20
+        <a href=3D"http://test.com/@bobby/my-workspace" style=3D"display: i=
+nline-block; padding: 13px 24px; background-color: #020617; color: #f8fafc;=
+ text-decoration: none; border-radius: 8px; margin: 0 4px;">
+          View workspace
+        </a>
+       =20
+      </div>
+      <div style=3D"border-top: 1px solid #e2e8f0; color: #475569; font-siz=
+e: 12px; margin-top: 64px; padding-top: 24px; line-height: 1.6;">
+        <p>&copy;&nbsp;2024&nbsp;Coder. All rights reserved&nbsp;-&nbsp;<a =
+href=3D"http://test.com" style=3D"color: #2563eb; text-decoration: none;">h=
+ttp://test.com</a></p>
+        <p><a href=3D"http://test.com/settings/notifications" style=3D"colo=
+r: #2563eb; text-decoration: none;">Click here to manage your notification =
+settings</a></p>
+        <p><a href=3D"http://test.com/settings/notifications?disabled=3D2a7=
+4f3d3-ab09-4123-a4a5-ca238f4f65a1" style=3D"color: #2563eb; text-decoration=
+: none;">Stop receiving emails like this</a></p>
+      </div>
+    </div>
+  </body>
+</html>
+
+--bbe61b741255b6098bb6b3c1f41b885773df633cb18d2a3002b68e4bc9c4--
@@ -0,0 +1,85 @@
+From: system@coder.com
+To: bobby@coder.com
+Subject: Task 'my-task' has resumed
+Message-Id: 02ee4935-73be-4fa1-a290-ff9999026b13@blush-whale-48
+Date: Fri, 11 Oct 2024 09:03:06 +0000
+Content-Type: multipart/alternative;  boundary=bbe61b741255b6098bb6b3c1f41b885773df633cb18d2a3002b68e4bc9c4
+MIME-Version: 1.0
+
+--bbe61b741255b6098bb6b3c1f41b885773df633cb18d2a3002b68e4bc9c4
+Content-Transfer-Encoding: quoted-printable
+Content-Type: text/plain; charset=UTF-8
+
+Hi Bobby,
+
+The task 'my-task' has resumed.
+
+
+View task: http://test.com/tasks/bobby/00000000-0000-0000-0000-000000000001
+
+View workspace: http://test.com/@bobby/my-workspace
+
+--bbe61b741255b6098bb6b3c1f41b885773df633cb18d2a3002b68e4bc9c4
+Content-Transfer-Encoding: quoted-printable
+Content-Type: text/html; charset=UTF-8
+
+<!doctype html>
+<html lang=3D"en">
+  <head>
+    <meta charset=3D"UTF-8" />
+    <meta name=3D"viewport" content=3D"width=3Ddevice-width, initial-scale=
+=3D1.0" />
+    <title>Task 'my-task' has resumed</title>
+  </head>
+  <body style=3D"margin: 0; padding: 0; font-family: -apple-system, system-=
+ui, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen', 'Ubuntu', 'Cantarel=
+l', 'Fira Sans', 'Droid Sans', 'Helvetica Neue', sans-serif; color: #020617=
+; background: #f8fafc;">
+    <div style=3D"max-width: 600px; margin: 20px auto; padding: 60px; borde=
+r: 1px solid #e2e8f0; border-radius: 8px; background-color: #fff; text-alig=
+n: left; font-size: 14px; line-height: 1.5;">
+      <div style=3D"text-align: center;">
+        <img src=3D"https://coder.com/coder-logo-horizontal.png" alt=3D"Cod=
+er Logo" style=3D"height: 40px;" />
+      </div>
+      <h1 style=3D"text-align: center; font-size: 24px; font-weight: 400; m=
+argin: 8px 0 32px; line-height: 1.5;">
+        Task 'my-task' has resumed
+      </h1>
+      <div style=3D"line-height: 1.5;">
+        <p>Hi Bobby,</p>
+        <p>The task &lsquo;my-task&rsquo; has resumed.</p>
+      </div>
+      <div style=3D"text-align: center; margin-top: 32px;">
+       =20
+        <a href=3D"http://test.com/tasks/bobby/00000000-0000-0000-0000-0000=
+00000001" style=3D"display: inline-block; padding: 13px 24px; background-co=
+lor: #020617; color: #f8fafc; text-decoration: none; border-radius: 8px; ma=
+rgin: 0 4px;">
+          View task
+        </a>
+       =20
+        <a href=3D"http://test.com/@bobby/my-workspace" style=3D"display: i=
+nline-block; padding: 13px 24px; background-color: #020617; color: #f8fafc;=
+ text-decoration: none; border-radius: 8px; margin: 0 4px;">
+          View workspace
+        </a>
+       =20
+      </div>
+      <div style=3D"border-top: 1px solid #e2e8f0; color: #475569; font-siz=
+e: 12px; margin-top: 64px; padding-top: 24px; line-height: 1.6;">
+        <p>&copy;&nbsp;2024&nbsp;Coder. All rights reserved&nbsp;-&nbsp;<a =
+href=3D"http://test.com" style=3D"color: #2563eb; text-decoration: none;">h=
+ttp://test.com</a></p>
+        <p><a href=3D"http://test.com/settings/notifications" style=3D"colo=
+r: #2563eb; text-decoration: none;">Click here to manage your notification =
+settings</a></p>
+        <p><a href=3D"http://test.com/settings/notifications?disabled=3D843=
+ee9c3-a8fb-4846-afa9-977bec578649" style=3D"color: #2563eb; text-decoration=
+: none;">Stop receiving emails like this</a></p>
+      </div>
+    </div>
+  </body>
+</html>
+
+--bbe61b741255b6098bb6b3c1f41b885773df633cb18d2a3002b68e4bc9c4--
@@ -0,0 +1,35 @@
+{
+  "_version": "1.1",
+  "msg_id": "00000000-0000-0000-0000-000000000000",
+  "payload": {
+    "_version": "1.2",
+    "notification_name": "Task Paused",
+    "notification_template_id": "00000000-0000-0000-0000-000000000000",
+    "user_id": "00000000-0000-0000-0000-000000000000",
+    "user_email": "bobby@coder.com",
+    "user_name": "Bobby",
+    "user_username": "bobby",
+    "actions": [
+      {
+        "label": "View task",
+        "url": "http://test.com/tasks/bobby/00000000-0000-0000-0000-000000000000"
+      },
+      {
+        "label": "View workspace",
+        "url": "http://test.com/@bobby/my-workspace"
+      }
+    ],
+    "labels": {
+      "pause_reason": "idle timeout",
+      "task": "my-task",
+      "task_id": "00000000-0000-0000-0000-000000000000",
+      "workspace": "my-workspace"
+    },
+    "data": {},
+    "targets": null
+  },
+  "title": "Task 'my-task' is paused",
+  "title_markdown": "Task 'my-task' is paused",
+  "body": "The task 'my-task' was paused (idle timeout).",
+  "body_markdown": "The task 'my-task' was paused (idle timeout)."
+}
@@ -0,0 +1,34 @@
+{
+  "_version": "1.1",
+  "msg_id": "00000000-0000-0000-0000-000000000000",
+  "payload": {
+    "_version": "1.2",
+    "notification_name": "Task Resumed",
+    "notification_template_id": "00000000-0000-0000-0000-000000000000",
+    "user_id": "00000000-0000-0000-0000-000000000000",
+    "user_email": "bobby@coder.com",
+    "user_name": "Bobby",
+    "user_username": "bobby",
+    "actions": [
+      {
+        "label": "View task",
+        "url": "http://test.com/tasks/bobby/00000000-0000-0000-0000-000000000000"
+      },
+      {
+        "label": "View workspace",
+        "url": "http://test.com/@bobby/my-workspace"
+      }
+    ],
+    "labels": {
+      "task": "my-task",
+      "task_id": "00000000-0000-0000-0000-000000000000",
+      "workspace": "my-workspace"
+    },
+    "data": {},
+    "targets": null
+  },
+  "title": "Task 'my-task' has resumed",
+  "title_markdown": "Task 'my-task' has resumed",
+  "body": "The task 'my-task' has resumed.",
+  "body_markdown": "The task 'my-task' has resumed."
+}
@@ -150,7 +150,7 @@ func TestNotificationPreferences(t *testing.T) {
 		require.ErrorAsf(t, err, &sdkError, "error should be of type *codersdk.Error")
 		// NOTE: ExtractUserParam gets in the way here, and returns a 400 Bad Request instead of a 403 Forbidden.
 		// This is not ideal, and we should probably change this behavior.
-		require.Equal(t, http.StatusBadRequest, sdkError.StatusCode())
+		require.Equal(t, http.StatusNotFound, sdkError.StatusCode())
 	})

 	t.Run("Admin may read any users' preferences", func(t *testing.T) {
@@ -53,7 +53,6 @@ func TestVerifyPKCE(t *testing.T) {
 	}

 	for _, tt := range tests {
-		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			result := oauth2provider.VerifyPKCE(tt.challenge, tt.verifier)
--- a/Show More
+++ b/Show More