docs(ai-bridge): remove early access language from troubleshooting

Complete the transition to GA by removing remaining early access reference in the troubleshooting section.
docs: change AI Bridge state from 'early access' to 'beta'
2025-11-26 14:44:06 +00:00 · 2025-11-26 19:10:33 +05:00
194 changed files with 2330 additions and 7911 deletions
@@ -1,126 +0,0 @@
-# Coder Architecture
-
-This document provides an overview of Coder's architecture and core systems.
-
-## What is Coder?
-
-Coder is a platform for creating, managing, and using remote development environments (also known as Cloud Development Environments or CDEs). It leverages Terraform to define and provision these environments, which are referred to as "workspaces" within the project. The system is designed to be extensible, secure, and provide developers with a seamless remote development experience.
-
-## Core Architecture
-
-The heart of Coder is a control plane that orchestrates the creation and management of workspaces. This control plane interacts with separate Provisioner processes over gRPC to handle workspace builds. The Provisioners consume workspace definitions and use Terraform to create the actual infrastructure.
-
-The CLI package serves dual purposes - it can be used to launch the control plane itself and also provides client functionality for users to interact with an existing control plane instance. All user-facing frontend code is developed in TypeScript using React and lives in the `site/` directory.
-
-The database layer uses PostgreSQL with SQLC for generating type-safe database code. Database migrations are carefully managed to ensure both forward and backward compatibility through paired `.up.sql` and `.down.sql` files.
-
-## API Design
-
-Coder's API architecture combines REST and gRPC approaches. The REST API is defined in `coderd/coderd.go` and uses Chi for HTTP routing. This provides the primary interface for the frontend and external integrations.
-
-Internal communication with Provisioners occurs over gRPC, with service definitions maintained in `.proto` files. This separation allows for efficient binary communication with the components responsible for infrastructure management while providing a standard REST interface for human-facing applications.
-
-## Network Architecture
-
-Coder implements a secure networking layer based on Tailscale's Wireguard implementation. The `tailnet` package provides connectivity between workspace agents and clients through DERP (Designated Encrypted Relay for Packets) servers when direct connections aren't possible. This creates a secure overlay network allowing access to workspaces regardless of network topology, firewalls, or NAT configurations.
-
-### Tailnet and DERP System
-
-The networking system has three key components:
-
-1. **Tailnet**: An overlay network implemented in the `tailnet` package that provides secure, end-to-end encrypted connections between clients, the Coder server, and workspace agents.
-
-2. **DERP Servers**: These relay traffic when direct connections aren't possible. Coder provides several options:
-   - A built-in DERP server that runs on the Coder control plane
-   - Integration with Tailscale's global DERP infrastructure
-   - Support for custom DERP servers for lower latency or offline deployments
-
-3. **Direct Connections**: When possible, the system establishes peer-to-peer connections between clients and workspaces using STUN for NAT traversal. This requires both endpoints to send UDP traffic on ephemeral ports.
-
-### Workspace Proxies
-
-Workspace proxies (in the Enterprise edition) provide regional relay points for browser-based connections, reducing latency for geo-distributed teams. Key characteristics:
-
- Deployed as independent servers that authenticate with the Coder control plane
- Relay connections for SSH, workspace apps, port forwarding, and web terminals
- Do not make direct database connections
- Managed through the `coder wsproxy` commands
- Implemented primarily in the `enterprise/wsproxy/` package
-
-## Agent System
-
-The workspace agent runs within each provisioned workspace and provides core functionality including:
-
- SSH access to workspaces via the `agentssh` package
- Port forwarding
- Terminal connectivity via the `pty` package for pseudo-terminal support
- Application serving
- Healthcheck monitoring
- Resource usage reporting
-
-Agents communicate with the control plane using the tailnet system and authenticate using secure tokens.
-
-## Workspace Applications
-
-Workspace applications (or "apps") provide browser-based access to services running within workspaces. The system supports:
-
- HTTP(S) and WebSocket connections
- Path-based or subdomain-based access URLs
- Health checks to monitor application availability
- Different sharing levels (owner-only, authenticated users, or public)
- Custom icons and display settings
-
-The implementation is primarily in the `coderd/workspaceapps/` directory with components for URL generation, proxying connections, and managing application state.
-
-## Implementation Details
-
-The project structure separates frontend and backend concerns. React components and pages are organized in the `site/src/` directory, with Jest used for testing. The backend is primarily written in Go, with a strong emphasis on error handling patterns and test coverage.
-
-Database interactions are carefully managed through migrations in `coderd/database/migrations/` and queries in `coderd/database/queries/`. All new queries require proper database authorization (dbauthz) implementation to ensure that only users with appropriate permissions can access specific resources.
-
-## Authorization System
-
-The database authorization (dbauthz) system enforces fine-grained access control across all database operations. It uses role-based access control (RBAC) to validate user permissions before executing database operations. The `dbauthz` package wraps the database store and performs authorization checks before returning data. All database operations must pass through this layer to ensure security.
-
-## Testing Framework
-
-The codebase has a comprehensive testing approach with several key components:
-
-1. **Parallel Testing**: All tests must use `t.Parallel()` to run concurrently, which improves test suite performance and helps identify race conditions.
-
-2. **coderdtest Package**: This package in `coderd/coderdtest/` provides utilities for creating test instances of the Coder server, setting up test users and workspaces, and mocking external components.
-
-3. **Integration Tests**: Tests often span multiple components to verify system behavior, such as template creation, workspace provisioning, and agent connectivity.
-
-4. **Enterprise Testing**: Enterprise features have dedicated test utilities in the `coderdenttest` package.
-
-## Open Source and Enterprise Components
-
-The repository contains both open source and enterprise components:
-
- Enterprise code lives primarily in the `enterprise/` directory
- Enterprise features focus on governance, scalability (high availability), and advanced deployment options like workspace proxies
- The boundary between open source and enterprise is managed through a licensing system
- The same core codebase supports both editions, with enterprise features conditionally enabled
-
-## Development Philosophy
-
-Coder emphasizes clear error handling, with specific patterns required:
-
- Concise error messages that avoid phrases like "failed to"
- Wrapping errors with `%w` to maintain error chains
- Using sentinel errors with the "err" prefix (e.g., `errNotFound`)
-
-All tests should run in parallel using `t.Parallel()` to ensure efficient testing and expose potential race conditions. The codebase is rigorously linted with golangci-lint to maintain consistent code quality.
-
-Git contributions follow a standard format with commit messages structured as `type: <message>`, where type is one of `feat`, `fix`, or `chore`.
-
-## Development Workflow
-
-Development can be initiated using `scripts/develop.sh` to start the application after making changes. Database schema updates should be performed through the migration system using `create_migration.sh <name>` to generate migration files, with each `.up.sql` migration paired with a corresponding `.down.sql` that properly reverts all changes.
-
-If the development database gets into a bad state, it can be completely reset by removing the PostgreSQL data directory with `rm -rf .coderv2/postgres`. This will destroy all data in the development database, requiring you to recreate any test users, templates, or workspaces after restarting the application.
-
-Code generation for the database layer uses `coderd/database/generate.sh`, and developers should refer to `sqlc.yaml` for the appropriate style and patterns to follow when creating new queries or tables.
-
-The focus should always be on maintaining security through proper database authorization, clean error handling, and comprehensive test coverage to ensure the platform remains robust and reliable.
@@ -1 +0,0 @@
-AGENTS.md
@@ -0,0 +1,124 @@
+# Cursor Rules
+
+This project is called "Coder" - an application for managing remote development environments.
+
+Coder provides a platform for creating, managing, and using remote development environments (also known as Cloud Development Environments or CDEs). It leverages Terraform to define and provision these environments, which are referred to as "workspaces" within the project. The system is designed to be extensible, secure, and provide developers with a seamless remote development experience.
+
+## Core Architecture
+
+The heart of Coder is a control plane that orchestrates the creation and management of workspaces. This control plane interacts with separate Provisioner processes over gRPC to handle workspace builds. The Provisioners consume workspace definitions and use Terraform to create the actual infrastructure.
+
+The CLI package serves dual purposes - it can be used to launch the control plane itself and also provides client functionality for users to interact with an existing control plane instance. All user-facing frontend code is developed in TypeScript using React and lives in the `site/` directory.
+
+The database layer uses PostgreSQL with SQLC for generating type-safe database code. Database migrations are carefully managed to ensure both forward and backward compatibility through paired `.up.sql` and `.down.sql` files.
+
+## API Design
+
+Coder's API architecture combines REST and gRPC approaches. The REST API is defined in `coderd/coderd.go` and uses Chi for HTTP routing. This provides the primary interface for the frontend and external integrations.
+
+Internal communication with Provisioners occurs over gRPC, with service definitions maintained in `.proto` files. This separation allows for efficient binary communication with the components responsible for infrastructure management while providing a standard REST interface for human-facing applications.
+
+## Network Architecture
+
+Coder implements a secure networking layer based on Tailscale's Wireguard implementation. The `tailnet` package provides connectivity between workspace agents and clients through DERP (Designated Encrypted Relay for Packets) servers when direct connections aren't possible. This creates a secure overlay network allowing access to workspaces regardless of network topology, firewalls, or NAT configurations.
+
+### Tailnet and DERP System
+
+The networking system has three key components:
+
+1. **Tailnet**: An overlay network implemented in the `tailnet` package that provides secure, end-to-end encrypted connections between clients, the Coder server, and workspace agents.
+
+2. **DERP Servers**: These relay traffic when direct connections aren't possible. Coder provides several options:
+   - A built-in DERP server that runs on the Coder control plane
+   - Integration with Tailscale's global DERP infrastructure
+   - Support for custom DERP servers for lower latency or offline deployments
+
+3. **Direct Connections**: When possible, the system establishes peer-to-peer connections between clients and workspaces using STUN for NAT traversal. This requires both endpoints to send UDP traffic on ephemeral ports.
+
+### Workspace Proxies
+
+Workspace proxies (in the Enterprise edition) provide regional relay points for browser-based connections, reducing latency for geo-distributed teams. Key characteristics:
+
+- Deployed as independent servers that authenticate with the Coder control plane
+- Relay connections for SSH, workspace apps, port forwarding, and web terminals
+- Do not make direct database connections
+- Managed through the `coder wsproxy` commands
+- Implemented primarily in the `enterprise/wsproxy/` package
+
+## Agent System
+
+The workspace agent runs within each provisioned workspace and provides core functionality including:
+
+- SSH access to workspaces via the `agentssh` package
+- Port forwarding
+- Terminal connectivity via the `pty` package for pseudo-terminal support
+- Application serving
+- Healthcheck monitoring
+- Resource usage reporting
+
+Agents communicate with the control plane using the tailnet system and authenticate using secure tokens.
+
+## Workspace Applications
+
+Workspace applications (or "apps") provide browser-based access to services running within workspaces. The system supports:
+
+- HTTP(S) and WebSocket connections
+- Path-based or subdomain-based access URLs
+- Health checks to monitor application availability
+- Different sharing levels (owner-only, authenticated users, or public)
+- Custom icons and display settings
+
+The implementation is primarily in the `coderd/workspaceapps/` directory with components for URL generation, proxying connections, and managing application state.
+
+## Implementation Details
+
+The project structure separates frontend and backend concerns. React components and pages are organized in the `site/src/` directory, with Jest used for testing. The backend is primarily written in Go, with a strong emphasis on error handling patterns and test coverage.
+
+Database interactions are carefully managed through migrations in `coderd/database/migrations/` and queries in `coderd/database/queries/`. All new queries require proper database authorization (dbauthz) implementation to ensure that only users with appropriate permissions can access specific resources.
+
+## Authorization System
+
+The database authorization (dbauthz) system enforces fine-grained access control across all database operations. It uses role-based access control (RBAC) to validate user permissions before executing database operations. The `dbauthz` package wraps the database store and performs authorization checks before returning data. All database operations must pass through this layer to ensure security.
+
+## Testing Framework
+
+The codebase has a comprehensive testing approach with several key components:
+
+1. **Parallel Testing**: All tests must use `t.Parallel()` to run concurrently, which improves test suite performance and helps identify race conditions.
+
+2. **coderdtest Package**: This package in `coderd/coderdtest/` provides utilities for creating test instances of the Coder server, setting up test users and workspaces, and mocking external components.
+
+3. **Integration Tests**: Tests often span multiple components to verify system behavior, such as template creation, workspace provisioning, and agent connectivity.
+
+4. **Enterprise Testing**: Enterprise features have dedicated test utilities in the `coderdenttest` package.
+
+## Open Source and Enterprise Components
+
+The repository contains both open source and enterprise components:
+
+- Enterprise code lives primarily in the `enterprise/` directory
+- Enterprise features focus on governance, scalability (high availability), and advanced deployment options like workspace proxies
+- The boundary between open source and enterprise is managed through a licensing system
+- The same core codebase supports both editions, with enterprise features conditionally enabled
+
+## Development Philosophy
+
+Coder emphasizes clear error handling, with specific patterns required:
+
+- Concise error messages that avoid phrases like "failed to"
+- Wrapping errors with `%w` to maintain error chains
+- Using sentinel errors with the "err" prefix (e.g., `errNotFound`)
+
+All tests should run in parallel using `t.Parallel()` to ensure efficient testing and expose potential race conditions. The codebase is rigorously linted with golangci-lint to maintain consistent code quality.
+
+Git contributions follow a standard format with commit messages structured as `type: <message>`, where type is one of `feat`, `fix`, or `chore`.
+
+## Development Workflow
+
+Development can be initiated using `scripts/develop.sh` to start the application after making changes. Database schema updates should be performed through the migration system using `create_migration.sh <name>` to generate migration files, with each `.up.sql` migration paired with a corresponding `.down.sql` that properly reverts all changes.
+
+If the development database gets into a bad state, it can be completely reset by removing the PostgreSQL data directory with `rm -rf .coderv2/postgres`. This will destroy all data in the development database, requiring you to recreate any test users, templates, or workspaces after restarting the application.
+
+Code generation for the database layer uses `coderd/database/generate.sh`, and developers should refer to `sqlc.yaml` for the appropriate style and patterns to follow when creating new queries or tables.
+
+The focus should always be on maintaining security through proper database authorization, clean error handling, and comprehensive test coverage to ensure the platform remains robust and reliable.
@@ -27,7 +27,7 @@ ignorePatterns:
  - pattern: "splunk.com"
  - pattern: "stackoverflow.com/questions"
  - pattern: "developer.hashicorp.com/terraform/language"
-  - pattern: "platform.openai.com"
+  - pattern: "platform.openai.com/docs/api-reference"
  - pattern: "api.openai.com"
 aliveStatusCodes:
  - 200
@@ -119,9 +119,9 @@ updates:
    commit-message:
      prefix: "chore"
    groups:
-      coder-modules:
+      coder:
        patterns:
-          - "coder/*/coder"
+          - "registry.coder.com/coder/*/coder"
    labels: []
    ignore:
      - dependency-name: "*"
@@ -40,7 +40,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -124,7 +124,7 @@ jobs:
  #   runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
  #   steps:
  #     - name: Checkout
-  #       uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+  #       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
  #       with:
  #         fetch-depth: 1
  #         # See: https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
@@ -162,7 +162,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -191,7 +191,7 @@ jobs:

      # Check for any typos
      - name: Check for typos
-        uses: crate-ci/typos@2d0ce569feab1f8752f1dde43cc2f2aa53236e06 # v1.40.0
+        uses: crate-ci/typos@626c4bedb751ce0b7f03262ca97ddda9a076ae1c # v1.39.2
        with:
          config: .github/workflows/typos.toml

@@ -240,7 +240,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -297,7 +297,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -369,7 +369,7 @@ jobs:
        uses: coder/setup-ramdisk-action@e1100847ab2d7bcd9d14bcda8f2d1b0f07b36f1b # v0.1.0

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -537,7 +537,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -586,7 +586,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -646,7 +646,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -673,7 +673,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -706,7 +706,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -786,7 +786,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # 👇 Ensures Chromatic can read your full git history
          fetch-depth: 0
@@ -802,7 +802,7 @@ jobs:
      # the check to pass. This is desired in PRs, but not in mainline.
      - name: Publish to Chromatic (non-mainline)
        if: github.ref != 'refs/heads/main' && github.repository_owner == 'coder'
-        uses: chromaui/action@4c20b95e9d3209ecfdf9cd6aace6bbde71ba1694 # v13.3.4
+        uses: chromaui/action@ac86f2ff0a458ffbce7b40698abd44c0fa34d4b6 # v13.3.3
        env:
          NODE_OPTIONS: "--max_old_space_size=4096"
          STORYBOOK: true
@@ -834,7 +834,7 @@ jobs:
      # infinitely "in progress" in mainline unless we re-review each build.
      - name: Publish to Chromatic (mainline)
        if: github.ref == 'refs/heads/main' && github.repository_owner == 'coder'
-        uses: chromaui/action@4c20b95e9d3209ecfdf9cd6aace6bbde71ba1694 # v13.3.4
+        uses: chromaui/action@ac86f2ff0a458ffbce7b40698abd44c0fa34d4b6 # v13.3.3
        env:
          NODE_OPTIONS: "--max_old_space_size=4096"
          STORYBOOK: true
@@ -867,7 +867,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # 0 is required here for version.sh to work.
          fetch-depth: 0
@@ -971,7 +971,7 @@ jobs:
    steps:
      # Harden Runner doesn't work on macOS
      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -1058,7 +1058,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -1113,7 +1113,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -1510,7 +1510,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -28,7 +28,6 @@ jobs:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Approve the PR
-        if: steps.metadata.outputs.package-ecosystem != 'github-actions'
        run: |
          echo "Approving $PR_URL"
          gh pr review --approve "$PR_URL"
@@ -37,7 +36,6 @@ jobs:
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

      - name: Enable auto-merge
-        if: steps.metadata.outputs.package-ecosystem != 'github-actions'
        run: |
          echo "Enabling auto-merge for $PR_URL"
          gh pr merge --auto --squash "$PR_URL"
@@ -47,11 +45,6 @@ jobs:

      - name: Send Slack notification
        run: |
-          if [ "$PACKAGE_ECOSYSTEM" = "github-actions" ]; then
-            STATUS_TEXT=":pr-opened: Dependabot opened PR #${PR_NUMBER} (GitHub Actions changes are not auto-merged)"
-          else
-            STATUS_TEXT=":pr-merged: Auto merge enabled for Dependabot PR #${PR_NUMBER}"
-          fi
          curl -X POST -H 'Content-type: application/json' \
          --data '{
            "username": "dependabot",
@@ -61,7 +54,7 @@ jobs:
                "type": "header",
                "text": {
                  "type": "plain_text",
-                  "text": "'"${STATUS_TEXT}"'",
+                  "text": ":pr-merged: Auto merge enabled for Dependabot PR #'"${PR_NUMBER}"'",
                  "emoji": true
                }
              },
@@ -91,7 +84,6 @@ jobs:
          }' "${{ secrets.DEPENDABOT_PRS_SLACK_WEBHOOK }}"
        env:
          SLACK_WEBHOOK: ${{ secrets.DEPENDABOT_PRS_SLACK_WEBHOOK }}
-          PACKAGE_ECOSYSTEM: ${{ steps.metadata.outputs.package-ecosystem }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_URL: ${{ github.event.pull_request.html_url }}
@@ -41,7 +41,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -70,7 +70,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -92,7 +92,7 @@ jobs:
        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1

      - name: Set up Flux CLI
-        uses: fluxcd/flux2/action@8454b02a32e48d775b9f563cb51fdcb1787b5b93 # v2.7.5
+        uses: fluxcd/flux2/action@b6e76ca2534f76dcb8dd94fb057cdfa923c3b641 # v2.7.3
        with:
          # Keep this and the github action up to date with the version of flux installed in dogfood cluster
          version: "2.7.0"
@@ -151,7 +151,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -162,7 +162,7 @@ jobs:
          } >> "${GITHUB_OUTPUT}"

      - name: Checkout create-task-action
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          path: ./.github/actions/create-task-action
@@ -43,7 +43,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -23,14 +23,14 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

      - name: Setup Node
        uses: ./.github/actions/setup-node

-      - uses: tj-actions/changed-files@abdd2f68ea150cee8f236d4a9fb4e0f2491abf1b # v45.0.7
+      - uses: tj-actions/changed-files@70069877f29101175ed2b055d210fe8b1d54d7d7 # v45.0.7
        id: changed-files
        with:
          files: |
@@ -31,7 +31,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -130,7 +130,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -53,7 +53,7 @@ jobs:
        uses: coder/setup-ramdisk-action@e1100847ab2d7bcd9d14bcda8f2d1b0f07b36f1b # v0.1.0

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -44,7 +44,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -81,7 +81,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -233,7 +233,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -337,7 +337,7 @@ jobs:
          kubectl create namespace "pr${PR_NUMBER}"

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -65,7 +65,7 @@ jobs:
    steps:
      # Harden Runner doesn't work on macOS.
      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -169,7 +169,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -888,7 +888,7 @@ jobs:
          GH_TOKEN: ${{ secrets.CDRCI_GITHUB_TOKEN }}

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -976,7 +976,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -25,7 +25,7 @@ jobs:
          egress-policy: audit

      - name: "Checkout code"
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -47,6 +47,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v3.29.5
+        uses: github/codeql-action/upload-sarif@014f16e7ab1402f30e7c3329d33797e7948572db # v3.29.5
        with:
          sarif_file: results.sarif
@@ -32,7 +32,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -40,7 +40,7 @@ jobs:
        uses: ./.github/actions/setup-go

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@fe4161a26a8629af62121b670040955b330f9af2 # v3.29.5
+        uses: github/codeql-action/init@014f16e7ab1402f30e7c3329d33797e7948572db # v3.29.5
        with:
          languages: go, javascript

@@ -50,7 +50,7 @@ jobs:
          rm Makefile

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@fe4161a26a8629af62121b670040955b330f9af2 # v3.29.5
+        uses: github/codeql-action/analyze@014f16e7ab1402f30e7c3329d33797e7948572db # v3.29.5

      - name: Send Slack notification on failure
        if: ${{ failure() }}
@@ -74,7 +74,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -154,7 +154,7 @@ jobs:
          severity: "CRITICAL,HIGH"

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v3.29.5
+        uses: github/codeql-action/upload-sarif@014f16e7ab1402f30e7c3329d33797e7948572db # v3.29.5
        with:
          sarif_file: trivy-results.sarif
          category: "Trivy"
@@ -101,7 +101,7 @@ jobs:
          egress-policy: audit

      - name: Checkout repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - name: Run delete-old-branches-action
@@ -153,7 +153,7 @@ jobs:
          } >> "${GITHUB_OUTPUT}"

      - name: Checkout repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          path: ./.github/actions/create-task-action
@@ -26,7 +26,7 @@ jobs:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -90,9 +90,6 @@ __debug_bin*

 **/.claude/settings.local.json

-# Local agent configuration
-AGENTS.local.md
-
 /.env

 # Ignore plans written by AI agents.
@@ -140,53 +140,13 @@ seems like it should use `time.Sleep`, read through https://github.com/coder/qua
 - Follow [Uber Go Style Guide](https://github.com/uber-go/guide/blob/master/style.md)
 - Commit format: `type(scope): message`

-### Writing Comments
-
-Code comments should be clear, well-formatted, and add meaningful context.
-
-**Proper sentence structure**: Comments are sentences and should end with
-periods or other appropriate punctuation. This improves readability and
-maintains professional code standards.
-
-**Explain why, not what**: Good comments explain the reasoning behind code
-rather than describing what the code does. The code itself should be
-self-documenting through clear naming and structure. Focus your comments on
-non-obvious decisions, edge cases, or business logic that isn't immediately
-apparent from reading the implementation.
-
-**Line length and wrapping**: Keep comment lines to 80 characters wide
-(including the comment prefix like `//` or `#`). When a comment spans multiple
-lines, wrap it naturally at word boundaries rather than writing one sentence
-per line. This creates more readable, paragraph-like blocks of documentation.
-
-```go
-// Good: Explains the rationale with proper sentence structure.
-// We need a custom timeout here because workspace builds can take several
-// minutes on slow networks, and the default 30s timeout causes false
-// failures during initial template imports.
-ctx, cancel := context.WithTimeout(ctx, 5*time.Minute)
-
-// Bad: Describes what the code does without punctuation or wrapping
-// Set a custom timeout
-// Workspace builds can take a long time
-// Default timeout is too short
-ctx, cancel := context.WithTimeout(ctx, 5*time.Minute)
-```
-
 ## Detailed Development Guides

-@.claude/docs/ARCHITECTURE.md
@.claude/docs/OAUTH2.md
@.claude/docs/TESTING.md
@.claude/docs/TROUBLESHOOTING.md
@.claude/docs/DATABASE.md

-## Local Configuration
-
-These files may be gitignored, read manually if not auto-loaded.
-
-@AGENTS.local.md
-
 ## Common Pitfalls

 1. **Audit table errors** → Update `enterprise/audit/table.go`
@@ -41,7 +41,6 @@ import (
 	"github.com/coder/coder/v2/agent/agentcontainers"
 	"github.com/coder/coder/v2/agent/agentexec"
 	"github.com/coder/coder/v2/agent/agentscripts"
-	"github.com/coder/coder/v2/agent/agentsocket"
 	"github.com/coder/coder/v2/agent/agentssh"
 	"github.com/coder/coder/v2/agent/proto"
 	"github.com/coder/coder/v2/agent/proto/resourcesmonitor"
@@ -98,8 +97,6 @@ type Options struct {
 	Devcontainers                bool
 	DevcontainerAPIOptions       []agentcontainers.Option // Enable Devcontainers for these to be effective.
 	Clock                        quartz.Clock
-	SocketServerEnabled          bool
-	SocketPath                   string // Path for the agent socket server socket
 }

 type Client interface {
@@ -205,8 +202,6 @@ func New(options Options) Agent {

 		devcontainers:       options.Devcontainers,
 		containerAPIOptions: options.DevcontainerAPIOptions,
-		socketPath:          options.SocketPath,
-		socketServerEnabled: options.SocketServerEnabled,
 	}
 	// Initially, we have a closed channel, reflecting the fact that we are not initially connected.
 	// Each time we connect we replace the channel (while holding the closeMutex) with a new one
@@ -284,10 +279,6 @@ type agent struct {
 	devcontainers       bool
 	containerAPIOptions []agentcontainers.Option
 	containerAPI        *agentcontainers.API
-
-	socketServerEnabled bool
-	socketPath          string
-	socketServer        *agentsocket.Server
 }

 func (a *agent) TailnetConn() *tailnet.Conn {
@@ -367,32 +358,9 @@ func (a *agent) init() {
 			s.ExperimentalContainers = a.devcontainers
 		},
 	)
-
-	a.initSocketServer()
-
 	go a.runLoop()
 }

-// initSocketServer initializes server that allows direct communication with a workspace agent using IPC.
-func (a *agent) initSocketServer() {
-	if !a.socketServerEnabled {
-		a.logger.Info(a.hardCtx, "socket server is disabled")
-		return
-	}
-
-	server, err := agentsocket.NewServer(
-		a.logger.Named("socket"),
-		agentsocket.WithPath(a.socketPath),
-	)
-	if err != nil {
-		a.logger.Warn(a.hardCtx, "failed to create socket server", slog.Error(err), slog.F("path", a.socketPath))
-		return
-	}
-
-	a.socketServer = server
-	a.logger.Debug(a.hardCtx, "socket server started", slog.F("path", a.socketPath))
-}
-
 // runLoop attempts to start the agent in a retry loop.
 // Coder may be offline temporarily, a connection issue
 // may be happening, but regardless after the intermittent
@@ -1127,7 +1095,7 @@ func (a *agent) handleManifest(manifestOK *checkpoint) func(ctx context.Context,
 		if err != nil {
 			return xerrors.Errorf("fetch metadata: %w", err)
 		}
-		a.logger.Info(ctx, "fetched manifest")
+		a.logger.Info(ctx, "fetched manifest", slog.F("manifest", mp))
 		manifest, err := agentsdk.ManifestFromProto(mp)
 		if err != nil {
 			a.logger.Critical(ctx, "failed to convert manifest", slog.F("manifest", mp), slog.Error(err))
@@ -1576,8 +1544,8 @@ func (a *agent) createTailnet(
 				break
 			}
 			clog := a.logger.Named("speedtest").With(
-				slog.F("remote", conn.RemoteAddr()),
-				slog.F("local", conn.LocalAddr()))
+				slog.F("remote", conn.RemoteAddr().String()),
+				slog.F("local", conn.LocalAddr().String()))
 			clog.Info(ctx, "accepted conn")
 			wg.Add(1)
 			closed := make(chan struct{})
@@ -1960,7 +1928,6 @@ func (a *agent) Close() error {
 			lifecycleState = codersdk.WorkspaceAgentLifecycleShutdownError
 		}
 	}
-
 	a.setLifecycle(lifecycleState)

 	err = a.scriptRunner.Close()
@@ -1968,12 +1935,6 @@ func (a *agent) Close() error {
 		a.logger.Error(a.hardCtx, "script runner close", slog.Error(err))
 	}

-	if a.socketServer != nil {
-		if err := a.socketServer.Close(); err != nil {
-			a.logger.Error(a.hardCtx, "socket server close", slog.Error(err))
-		}
-	}
-
 	if err := a.containerAPI.Close(); err != nil {
 		a.logger.Error(a.hardCtx, "container API close", slog.Error(err))
 	}
@@ -1,45 +0,0 @@
-package agent
-
-import (
-	"testing"
-
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/require"
-
-	"cdr.dev/slog"
-	"cdr.dev/slog/sloggers/slogtest"
-
-	"github.com/coder/coder/v2/agent/proto"
-	"github.com/coder/coder/v2/testutil"
-)
-
-// TestReportConnectionEmpty tests that reportConnection() doesn't choke if given an empty IP string, which is what we
-// send if we cannot get the remote address.
-func TestReportConnectionEmpty(t *testing.T) {
-	t.Parallel()
-	connID := uuid.UUID{1}
-	logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).Leveled(slog.LevelDebug)
-	ctx := testutil.Context(t, testutil.WaitShort)
-
-	uut := &agent{
-		hardCtx: ctx,
-		logger:  logger,
-	}
-	disconnected := uut.reportConnection(connID, proto.Connection_TYPE_UNSPECIFIED, "")
-
-	require.Len(t, uut.reportConnections, 1)
-	req0 := uut.reportConnections[0]
-	require.Equal(t, proto.Connection_TYPE_UNSPECIFIED, req0.GetConnection().GetType())
-	require.Equal(t, "", req0.GetConnection().Ip)
-	require.Equal(t, connID[:], req0.GetConnection().GetId())
-	require.Equal(t, proto.Connection_CONNECT, req0.GetConnection().GetAction())
-
-	disconnected(0, "because")
-	require.Len(t, uut.reportConnections, 2)
-	req1 := uut.reportConnections[1]
-	require.Equal(t, proto.Connection_TYPE_UNSPECIFIED, req1.GetConnection().GetType())
-	require.Equal(t, "", req1.GetConnection().Ip)
-	require.Equal(t, connID[:], req1.GetConnection().GetId())
-	require.Equal(t, proto.Connection_DISCONNECT, req1.GetConnection().GetAction())
-	require.Equal(t, "because", req1.GetConnection().GetReason())
-}
@@ -1039,10 +1039,6 @@ func (api *API) processUpdatedContainersLocked(ctx context.Context, updated code
 					logger.Error(ctx, "inject subagent into container failed", slog.Error(err))
 					dc.Error = err.Error()
 				} else {
-					// TODO(mafredri): Preserve the error from devcontainer
-					// up if it was a lifecycle script error. Currently
-					// this results in a brief flicker for the user if
-					// injection is fast, as the error is shown then erased.
 					dc.Error = ""
 				}
 			}
@@ -1351,41 +1347,27 @@ func (api *API) CreateDevcontainer(workspaceFolder, configPath string, opts ...D
 	upOptions := []DevcontainerCLIUpOptions{WithUpOutput(infoW, errW)}
 	upOptions = append(upOptions, opts...)

-	containerID, upErr := api.dccli.Up(ctx, dc.WorkspaceFolder, configPath, upOptions...)
-	if upErr != nil {
+	_, err := api.dccli.Up(ctx, dc.WorkspaceFolder, configPath, upOptions...)
+	if err != nil {
 		// No need to log if the API is closing (context canceled), as this
 		// is expected behavior when the API is shutting down.
-		if !errors.Is(upErr, context.Canceled) {
-			logger.Error(ctx, "devcontainer creation failed", slog.Error(upErr))
+		if !errors.Is(err, context.Canceled) {
+			logger.Error(ctx, "devcontainer creation failed", slog.Error(err))
 		}

-		// If we don't have a container ID, the error is fatal, so we
-		// should mark the devcontainer as errored and return.
-		if containerID == "" {
-			api.mu.Lock()
-			dc = api.knownDevcontainers[dc.WorkspaceFolder]
-			dc.Status = codersdk.WorkspaceAgentDevcontainerStatusError
-			dc.Error = upErr.Error()
-			api.knownDevcontainers[dc.WorkspaceFolder] = dc
-			api.recreateErrorTimes[dc.WorkspaceFolder] = api.clock.Now("agentcontainers", "recreate", "errorTimes")
-			api.broadcastUpdatesLocked()
-			api.mu.Unlock()
+		api.mu.Lock()
+		dc = api.knownDevcontainers[dc.WorkspaceFolder]
+		dc.Status = codersdk.WorkspaceAgentDevcontainerStatusError
+		dc.Error = err.Error()
+		api.knownDevcontainers[dc.WorkspaceFolder] = dc
+		api.recreateErrorTimes[dc.WorkspaceFolder] = api.clock.Now("agentcontainers", "recreate", "errorTimes")
+		api.mu.Unlock()

-			return xerrors.Errorf("start devcontainer: %w", upErr)
-		}
-
-		// If we have a container ID, it means the container was created
-		// but a lifecycle script (e.g. postCreateCommand) failed. In this
-		// case, we still want to refresh containers to pick up the new
-		// container, inject the agent, and allow the user to debug the
-		// issue. We store the error to surface it to the user.
-		logger.Warn(ctx, "devcontainer created with errors (e.g. lifecycle script failure), container is available",
-			slog.F("container_id", containerID),
-		)
-	} else {
-		logger.Info(ctx, "devcontainer created successfully")
+		return xerrors.Errorf("start devcontainer: %w", err)
 	}

+	logger.Info(ctx, "devcontainer created successfully")
+
 	api.mu.Lock()
 	dc = api.knownDevcontainers[dc.WorkspaceFolder]
 	// Update the devcontainer status to Running or Stopped based on the
@@ -1394,18 +1376,13 @@ func (api *API) CreateDevcontainer(workspaceFolder, configPath string, opts ...D
 	// to minimize the time between API consistency, we guess the status
 	// based on the container state.
 	dc.Status = codersdk.WorkspaceAgentDevcontainerStatusStopped
-	if dc.Container != nil && dc.Container.Running {
-		dc.Status = codersdk.WorkspaceAgentDevcontainerStatusRunning
+	if dc.Container != nil {
+		if dc.Container.Running {
+			dc.Status = codersdk.WorkspaceAgentDevcontainerStatusRunning
+		}
 	}
 	dc.Dirty = false
-	if upErr != nil {
-		// If there was a lifecycle script error but we have a container ID,
-		// the container is running so we should set the status to Running.
-		dc.Status = codersdk.WorkspaceAgentDevcontainerStatusRunning
-		dc.Error = upErr.Error()
-	} else {
-		dc.Error = ""
-	}
+	dc.Error = ""
 	api.recreateSuccessTimes[dc.WorkspaceFolder] = api.clock.Now("agentcontainers", "recreate", "successTimes")
 	api.knownDevcontainers[dc.WorkspaceFolder] = dc
 	api.broadcastUpdatesLocked()
@@ -234,8 +234,6 @@ func (w *fakeWatcher) sendEventWaitNextCalled(ctx context.Context, event fsnotif
 // fakeSubAgentClient implements SubAgentClient for testing purposes.
 type fakeSubAgentClient struct {
 	logger slog.Logger
-
-	mu     sync.Mutex // Protects following.
 	agents map[uuid.UUID]agentcontainers.SubAgent

 	listErrC   chan error // If set, send to return error, close to return nil.
@@ -256,8 +254,6 @@ func (m *fakeSubAgentClient) List(ctx context.Context) ([]agentcontainers.SubAge
 			}
 		}
 	}
-	m.mu.Lock()
-	defer m.mu.Unlock()
 	var agents []agentcontainers.SubAgent
 	for _, agent := range m.agents {
 		agents = append(agents, agent)
@@ -287,9 +283,6 @@ func (m *fakeSubAgentClient) Create(ctx context.Context, agent agentcontainers.S
 		return agentcontainers.SubAgent{}, xerrors.New("operating system must be set")
 	}

-	m.mu.Lock()
-	defer m.mu.Unlock()
-
 	for _, a := range m.agents {
 		if a.Name == agent.Name {
 			return agentcontainers.SubAgent{}, &pq.Error{
@@ -321,8 +314,6 @@ func (m *fakeSubAgentClient) Delete(ctx context.Context, id uuid.UUID) error {
 			}
 		}
 	}
-	m.mu.Lock()
-	defer m.mu.Unlock()
 	if m.agents == nil {
 		m.agents = make(map[uuid.UUID]agentcontainers.SubAgent)
 	}
@@ -2079,122 +2070,6 @@ func TestAPI(t *testing.T) {
 			require.Equal(t, "", response.Devcontainers[0].Error)
 		})

-		// This test verifies that when devcontainer up fails due to a
-		// lifecycle script error (such as postCreateCommand failing) but the
-		// container was successfully created, we still proceed with the
-		// devcontainer. The container should be available for use and the
-		// agent should be injected.
-		t.Run("DuringUpWithContainerID", func(t *testing.T) {
-			t.Parallel()
-
-			var (
-				ctx    = testutil.Context(t, testutil.WaitMedium)
-				logger = slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).Leveled(slog.LevelDebug)
-				mClock = quartz.NewMock(t)
-
-				testContainer = codersdk.WorkspaceAgentContainer{
-					ID:           "test-container-id",
-					FriendlyName: "test-container",
-					Image:        "test-image",
-					Running:      true,
-					CreatedAt:    time.Now(),
-					Labels: map[string]string{
-						agentcontainers.DevcontainerLocalFolderLabel: "/workspaces/project",
-						agentcontainers.DevcontainerConfigFileLabel:  "/workspaces/project/.devcontainer/devcontainer.json",
-					},
-				}
-				fCCLI = &fakeContainerCLI{
-					containers: codersdk.WorkspaceAgentListContainersResponse{
-						Containers: []codersdk.WorkspaceAgentContainer{testContainer},
-					},
-					arch: "amd64",
-				}
-				fDCCLI = &fakeDevcontainerCLI{
-					upID:   testContainer.ID,
-					upErrC: make(chan func() error, 1),
-				}
-				fSAC = &fakeSubAgentClient{
-					logger: logger.Named("fakeSubAgentClient"),
-				}
-
-				testDevcontainer = codersdk.WorkspaceAgentDevcontainer{
-					ID:              uuid.New(),
-					Name:            "test-devcontainer",
-					WorkspaceFolder: "/workspaces/project",
-					ConfigPath:      "/workspaces/project/.devcontainer/devcontainer.json",
-					Status:          codersdk.WorkspaceAgentDevcontainerStatusStopped,
-				}
-			)
-
-			mClock.Set(time.Now()).MustWait(ctx)
-			tickerTrap := mClock.Trap().TickerFunc("updaterLoop")
-			nowRecreateSuccessTrap := mClock.Trap().Now("recreate", "successTimes")
-
-			api := agentcontainers.NewAPI(logger,
-				agentcontainers.WithClock(mClock),
-				agentcontainers.WithContainerCLI(fCCLI),
-				agentcontainers.WithDevcontainerCLI(fDCCLI),
-				agentcontainers.WithDevcontainers(
-					[]codersdk.WorkspaceAgentDevcontainer{testDevcontainer},
-					[]codersdk.WorkspaceAgentScript{{ID: testDevcontainer.ID, LogSourceID: uuid.New()}},
-				),
-				agentcontainers.WithSubAgentClient(fSAC),
-				agentcontainers.WithSubAgentURL("test-subagent-url"),
-				agentcontainers.WithWatcher(watcher.NewNoop()),
-			)
-			api.Start()
-			defer func() {
-				close(fDCCLI.upErrC)
-				api.Close()
-			}()
-
-			r := chi.NewRouter()
-			r.Mount("/", api.Routes())
-
-			tickerTrap.MustWait(ctx).MustRelease(ctx)
-			tickerTrap.Close()
-
-			// Send a recreate request to trigger devcontainer up.
-			req := httptest.NewRequest(http.MethodPost, "/devcontainers/"+testDevcontainer.ID.String()+"/recreate", nil)
-			rec := httptest.NewRecorder()
-			r.ServeHTTP(rec, req)
-			require.Equal(t, http.StatusAccepted, rec.Code)
-
-			// Simulate a lifecycle script failure. The devcontainer CLI
-			// will return an error but also provide a container ID since
-			// the container was created before the script failed.
-			simulatedError := xerrors.New("postCreateCommand failed with exit code 1")
-			testutil.RequireSend(ctx, t, fDCCLI.upErrC, func() error { return simulatedError })
-
-			// Wait for the recreate operation to complete. We expect it to
-			// record a success time because the container was created.
-			nowRecreateSuccessTrap.MustWait(ctx).MustRelease(ctx)
-			nowRecreateSuccessTrap.Close()
-
-			// Advance the clock to run the devcontainer state update routine.
-			_, aw := mClock.AdvanceNext()
-			aw.MustWait(ctx)
-
-			req = httptest.NewRequest(http.MethodGet, "/", nil)
-			rec = httptest.NewRecorder()
-			r.ServeHTTP(rec, req)
-			require.Equal(t, http.StatusOK, rec.Code)
-
-			var response codersdk.WorkspaceAgentListContainersResponse
-			err := json.NewDecoder(rec.Body).Decode(&response)
-			require.NoError(t, err)
-
-			// Verify that the devcontainer is running and has the container
-			// associated with it despite the lifecycle script error. The
-			// error may be cleared during refresh if agent injection
-			// succeeds, but the important thing is that the container is
-			// available for use.
-			require.Len(t, response.Devcontainers, 1)
-			assert.Equal(t, codersdk.WorkspaceAgentDevcontainerStatusRunning, response.Devcontainers[0].Status)
-			require.NotNil(t, response.Devcontainers[0].Container)
-			assert.Equal(t, testContainer.ID, response.Devcontainers[0].Container.ID)
-		})
-
 		t.Run("DuringInjection", func(t *testing.T) {
 			t.Parallel()

@@ -263,14 +263,11 @@ func (d *devcontainerCLI) Up(ctx context.Context, workspaceFolder, configPath st
 	}

 	if err := cmd.Run(); err != nil {
-		result, err2 := parseDevcontainerCLILastLine[devcontainerCLIResult](ctx, logger, stdoutBuf.Bytes())
+		_, err2 := parseDevcontainerCLILastLine[devcontainerCLIResult](ctx, logger, stdoutBuf.Bytes())
 		if err2 != nil {
 			err = errors.Join(err, err2)
 		}
-		// Return the container ID if available, even if there was an error.
-		// This can happen if the container was created successfully but a
-		// lifecycle script (e.g. postCreateCommand) failed.
-		return result.ContainerID, err
+		return "", err
 	}

 	result, err := parseDevcontainerCLILastLine[devcontainerCLIResult](ctx, logger, stdoutBuf.Bytes())
@@ -278,13 +275,6 @@ func (d *devcontainerCLI) Up(ctx context.Context, workspaceFolder, configPath st
 		return "", err
 	}

-	// Check if the result indicates an error (e.g. lifecycle script failure)
-	// but still has a container ID, allowing the caller to potentially
-	// continue with the container that was created.
-	if err := result.Err(); err != nil {
-		return result.ContainerID, err
-	}
-
 	return result.ContainerID, nil
 }

@@ -404,10 +394,7 @@ func parseDevcontainerCLILastLine[T any](ctx context.Context, logger slog.Logger
 type devcontainerCLIResult struct {
 	Outcome string `json:"outcome"` // "error", "success".

-	// The following fields are typically set if outcome is success, but
-	// ContainerID may also be present when outcome is error if the
-	// container was created but a lifecycle script (e.g. postCreateCommand)
-	// failed.
+	// The following fields are set if outcome is success.
 	ContainerID           string `json:"containerId"`
 	RemoteUser            string `json:"remoteUser"`
 	RemoteWorkspaceFolder string `json:"remoteWorkspaceFolder"`
@@ -417,6 +404,18 @@ type devcontainerCLIResult struct {
 	Description string `json:"description"`
 }

+func (r *devcontainerCLIResult) UnmarshalJSON(data []byte) error {
+	type wrapperResult devcontainerCLIResult
+
+	var wrappedResult wrapperResult
+	if err := json.Unmarshal(data, &wrappedResult); err != nil {
+		return err
+	}
+
+	*r = devcontainerCLIResult(wrappedResult)
+	return r.Err()
+}
+
 func (r devcontainerCLIResult) Err() error {
 	if r.Outcome == "success" {
 		return nil
@@ -42,63 +42,56 @@ func TestDevcontainerCLI_ArgsAndParsing(t *testing.T) {
 		t.Parallel()

 		tests := []struct {
-			name            string
-			logFile         string
-			workspace       string
-			config          string
-			opts            []agentcontainers.DevcontainerCLIUpOptions
-			wantArgs        string
-			wantError       bool
-			wantContainerID bool // If true, expect a container ID even when wantError is true.
+			name      string
+			logFile   string
+			workspace string
+			config    string
+			opts      []agentcontainers.DevcontainerCLIUpOptions
+			wantArgs  string
+			wantError bool
 		}{
 			{
-				name:            "success",
-				logFile:         "up.log",
-				workspace:       "/test/workspace",
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace",
-				wantError:       false,
-				wantContainerID: true,
+				name:      "success",
+				logFile:   "up.log",
+				workspace: "/test/workspace",
+				wantArgs:  "up --log-format json --workspace-folder /test/workspace",
+				wantError: false,
 			},
 			{
-				name:            "success with config",
-				logFile:         "up.log",
-				workspace:       "/test/workspace",
-				config:          "/test/config.json",
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace --config /test/config.json",
-				wantError:       false,
-				wantContainerID: true,
+				name:      "success with config",
+				logFile:   "up.log",
+				workspace: "/test/workspace",
+				config:    "/test/config.json",
+				wantArgs:  "up --log-format json --workspace-folder /test/workspace --config /test/config.json",
+				wantError: false,
 			},
 			{
-				name:            "already exists",
-				logFile:         "up-already-exists.log",
-				workspace:       "/test/workspace",
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace",
-				wantError:       false,
-				wantContainerID: true,
+				name:      "already exists",
+				logFile:   "up-already-exists.log",
+				workspace: "/test/workspace",
+				wantArgs:  "up --log-format json --workspace-folder /test/workspace",
+				wantError: false,
 			},
 			{
-				name:            "docker error",
-				logFile:         "up-error-docker.log",
-				workspace:       "/test/workspace",
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace",
-				wantError:       true,
-				wantContainerID: false,
+				name:      "docker error",
+				logFile:   "up-error-docker.log",
+				workspace: "/test/workspace",
+				wantArgs:  "up --log-format json --workspace-folder /test/workspace",
+				wantError: true,
 			},
 			{
-				name:            "bad outcome",
-				logFile:         "up-error-bad-outcome.log",
-				workspace:       "/test/workspace",
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace",
-				wantError:       true,
-				wantContainerID: false,
+				name:      "bad outcome",
+				logFile:   "up-error-bad-outcome.log",
+				workspace: "/test/workspace",
+				wantArgs:  "up --log-format json --workspace-folder /test/workspace",
+				wantError: true,
 			},
 			{
-				name:            "does not exist",
-				logFile:         "up-error-does-not-exist.log",
-				workspace:       "/test/workspace",
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace",
-				wantError:       true,
-				wantContainerID: false,
+				name:      "does not exist",
+				logFile:   "up-error-does-not-exist.log",
+				workspace: "/test/workspace",
+				wantArgs:  "up --log-format json --workspace-folder /test/workspace",
+				wantError: true,
 			},
 			{
 				name:      "with remove existing container",
@@ -107,21 +100,8 @@ func TestDevcontainerCLI_ArgsAndParsing(t *testing.T) {
 				opts: []agentcontainers.DevcontainerCLIUpOptions{
 					agentcontainers.WithRemoveExistingContainer(),
 				},
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace --remove-existing-container",
-				wantError:       false,
-				wantContainerID: true,
-			},
-			{
-				// This test verifies that when a lifecycle script like
-				// postCreateCommand fails, the CLI returns both an error
-				// and a container ID. The caller can then proceed with
-				// agent injection into the created container.
-				name:            "lifecycle script failure with container",
-				logFile:         "up-error-lifecycle-script.log",
-				workspace:       "/test/workspace",
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace",
-				wantError:       true,
-				wantContainerID: true,
+				wantArgs:  "up --log-format json --workspace-folder /test/workspace --remove-existing-container",
+				wantError: false,
 			},
 		}

@@ -142,13 +122,10 @@ func TestDevcontainerCLI_ArgsAndParsing(t *testing.T) {
 				containerID, err := dccli.Up(ctx, tt.workspace, tt.config, tt.opts...)
 				if tt.wantError {
 					assert.Error(t, err, "want error")
+					assert.Empty(t, containerID, "expected empty container ID")
 				} else {
 					assert.NoError(t, err, "want no error")
-				}
-				if tt.wantContainerID {
 					assert.NotEmpty(t, containerID, "expected non-empty container ID")
-				} else {
-					assert.Empty(t, containerID, "expected empty container ID")
 				}
 			})
 		}
@@ -1,146 +0,0 @@
-package agentsocket
-
-import (
-	"context"
-
-	"golang.org/x/xerrors"
-	"storj.io/drpc"
-	"storj.io/drpc/drpcconn"
-
-	"github.com/coder/coder/v2/agent/agentsocket/proto"
-	"github.com/coder/coder/v2/agent/unit"
-)
-
-// Option represents a configuration option for NewClient.
-type Option func(*options)
-
-type options struct {
-	path string
-}
-
-// WithPath sets the socket path. If not provided or empty, the client will
-// auto-discover the default socket path.
-func WithPath(path string) Option {
-	return func(opts *options) {
-		if path == "" {
-			return
-		}
-		opts.path = path
-	}
-}
-
-// Client provides a client for communicating with the workspace agentsocket API.
-type Client struct {
-	client proto.DRPCAgentSocketClient
-	conn   drpc.Conn
-}
-
-// NewClient creates a new socket client and opens a connection to the socket.
-// If path is not provided via WithPath or is empty, it will auto-discover the
-// default socket path.
-func NewClient(ctx context.Context, opts ...Option) (*Client, error) {
-	options := &options{}
-	for _, opt := range opts {
-		opt(options)
-	}
-
-	conn, err := dialSocket(ctx, options.path)
-	if err != nil {
-		return nil, xerrors.Errorf("connect to socket: %w", err)
-	}
-
-	drpcConn := drpcconn.New(conn)
-	client := proto.NewDRPCAgentSocketClient(drpcConn)
-
-	return &Client{
-		client: client,
-		conn:   drpcConn,
-	}, nil
-}
-
-// Close closes the socket connection.
-func (c *Client) Close() error {
-	return c.conn.Close()
-}
-
-// Ping sends a ping request to the agent.
-func (c *Client) Ping(ctx context.Context) error {
-	_, err := c.client.Ping(ctx, &proto.PingRequest{})
-	return err
-}
-
-// SyncStart starts a unit in the dependency graph.
-func (c *Client) SyncStart(ctx context.Context, unitName unit.ID) error {
-	_, err := c.client.SyncStart(ctx, &proto.SyncStartRequest{
-		Unit: string(unitName),
-	})
-	return err
-}
-
-// SyncWant declares a dependency between units.
-func (c *Client) SyncWant(ctx context.Context, unitName, dependsOn unit.ID) error {
-	_, err := c.client.SyncWant(ctx, &proto.SyncWantRequest{
-		Unit:      string(unitName),
-		DependsOn: string(dependsOn),
-	})
-	return err
-}
-
-// SyncComplete marks a unit as complete in the dependency graph.
-func (c *Client) SyncComplete(ctx context.Context, unitName unit.ID) error {
-	_, err := c.client.SyncComplete(ctx, &proto.SyncCompleteRequest{
-		Unit: string(unitName),
-	})
-	return err
-}
-
-// SyncReady requests whether a unit is ready to be started. That is, all dependencies are satisfied.
-func (c *Client) SyncReady(ctx context.Context, unitName unit.ID) (bool, error) {
-	resp, err := c.client.SyncReady(ctx, &proto.SyncReadyRequest{
-		Unit: string(unitName),
-	})
-	return resp.Ready, err
-}
-
-// SyncStatus gets the status of a unit and its dependencies.
-func (c *Client) SyncStatus(ctx context.Context, unitName unit.ID) (SyncStatusResponse, error) {
-	resp, err := c.client.SyncStatus(ctx, &proto.SyncStatusRequest{
-		Unit: string(unitName),
-	})
-	if err != nil {
-		return SyncStatusResponse{}, err
-	}
-
-	var dependencies []DependencyInfo
-	for _, dep := range resp.Dependencies {
-		dependencies = append(dependencies, DependencyInfo{
-			DependsOn:      unit.ID(dep.DependsOn),
-			RequiredStatus: unit.Status(dep.RequiredStatus),
-			CurrentStatus:  unit.Status(dep.CurrentStatus),
-			IsSatisfied:    dep.IsSatisfied,
-		})
-	}
-
-	return SyncStatusResponse{
-		UnitName:     unitName,
-		Status:       unit.Status(resp.Status),
-		IsReady:      resp.IsReady,
-		Dependencies: dependencies,
-	}, nil
-}
-
-// SyncStatusResponse contains the status information for a unit.
-type SyncStatusResponse struct {
-	UnitName     unit.ID          `table:"unit,default_sort" json:"unit_name"`
-	Status       unit.Status      `table:"status" json:"status"`
-	IsReady      bool             `table:"ready" json:"is_ready"`
-	Dependencies []DependencyInfo `table:"dependencies" json:"dependencies"`
-}
-
-// DependencyInfo contains information about a unit dependency.
-type DependencyInfo struct {
-	DependsOn      unit.ID     `table:"depends on,default_sort" json:"depends_on"`
-	RequiredStatus unit.Status `table:"required status" json:"required_status"`
-	CurrentStatus  unit.Status `table:"current status" json:"current_status"`
-	IsSatisfied    bool        `table:"satisfied" json:"is_satisfied"`
-}
@@ -7,6 +7,8 @@ import (
 	"sync"

 	"golang.org/x/xerrors"
+
+	"github.com/hashicorp/yamux"
 	"storj.io/drpc/drpcmux"
 	"storj.io/drpc/drpcserver"

@@ -31,17 +33,11 @@ type Server struct {
 	wg       sync.WaitGroup
 }

-// NewServer creates a new agent socket server.
-func NewServer(logger slog.Logger, opts ...Option) (*Server, error) {
-	options := &options{}
-	for _, opt := range opts {
-		opt(options)
-	}
-
+func NewServer(path string, logger slog.Logger) (*Server, error) {
 	logger = logger.Named("agentsocket-server")
 	server := &Server{
 		logger: logger,
-		path:   options.path,
+		path:   path,
 		service: &DRPCAgentSocketService{
 			logger:      logger,
 			unitManager: unit.NewManager(),
@@ -65,6 +61,14 @@ func NewServer(logger slog.Logger, opts ...Option) (*Server, error) {
 		},
 	})

+	if server.path == "" {
+		var err error
+		server.path, err = getDefaultSocketPath()
+		if err != nil {
+			return nil, xerrors.Errorf("get default socket path: %w", err)
+		}
+	}
+
 	listener, err := createSocket(server.path)
 	if err != nil {
 		return nil, xerrors.Errorf("create socket: %w", err)
@@ -87,7 +91,6 @@ func NewServer(logger slog.Logger, opts ...Option) (*Server, error) {
 	return server, nil
 }

-// Close stops the server and cleans up resources.
 func (s *Server) Close() error {
 	s.mu.Lock()

@@ -131,8 +134,52 @@ func (s *Server) acceptConnections() {
 		return
 	}

-	err := s.drpcServer.Serve(s.ctx, listener)
-	if err != nil {
-		s.logger.Warn(s.ctx, "error serving drpc server", slog.Error(err))
+	for {
+		select {
+		case <-s.ctx.Done():
+			return
+		default:
+		}
+
+		conn, err := listener.Accept()
+		if err != nil {
+			s.logger.Warn(s.ctx, "error accepting connection", slog.Error(err))
+			continue
+		}
+
+		s.mu.Lock()
+		if s.listener == nil {
+			s.mu.Unlock()
+			_ = conn.Close()
+			return
+		}
+		s.wg.Add(1)
+		s.mu.Unlock()
+
+		go func() {
+			defer s.wg.Done()
+			s.handleConnection(conn)
+		}()
+	}
+}
+
+func (s *Server) handleConnection(conn net.Conn) {
+	defer conn.Close()
+
+	s.logger.Debug(s.ctx, "new connection accepted", slog.F("remote_addr", conn.RemoteAddr()))
+
+	config := yamux.DefaultConfig()
+	config.LogOutput = nil
+	config.Logger = slog.Stdlib(s.ctx, s.logger.Named("agentsocket-yamux"), slog.LevelInfo)
+	session, err := yamux.Server(conn, config)
+	if err != nil {
+		s.logger.Warn(s.ctx, "failed to create yamux session", slog.Error(err))
+		return
+	}
+	defer session.Close()
+
+	err = s.drpcServer.Serve(s.ctx, session)
+	if err != nil {
+		s.logger.Debug(s.ctx, "drpc server finished", slog.Error(err))
 	}
 }
@@ -1,24 +1,14 @@
 package agentsocket_test

 import (
-	"context"
 	"path/filepath"
 	"runtime"
 	"testing"

-	"github.com/google/uuid"
-	"github.com/spf13/afero"
 	"github.com/stretchr/testify/require"

 	"cdr.dev/slog"
-	"github.com/coder/coder/v2/agent"
 	"github.com/coder/coder/v2/agent/agentsocket"
-	"github.com/coder/coder/v2/agent/agenttest"
-	agentproto "github.com/coder/coder/v2/agent/proto"
-	"github.com/coder/coder/v2/codersdk/agentsdk"
-	"github.com/coder/coder/v2/tailnet"
-	"github.com/coder/coder/v2/tailnet/tailnettest"
-	"github.com/coder/coder/v2/testutil"
 )

 func TestServer(t *testing.T) {
@@ -33,7 +23,7 @@ func TestServer(t *testing.T) {

 		socketPath := filepath.Join(t.TempDir(), "test.sock")
 		logger := slog.Make().Leveled(slog.LevelDebug)
-		server, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
+		server, err := agentsocket.NewServer(socketPath, logger)
 		require.NoError(t, err)
 		require.NoError(t, server.Close())
 	})
@@ -43,10 +33,10 @@ func TestServer(t *testing.T) {

 		socketPath := filepath.Join(t.TempDir(), "test.sock")
 		logger := slog.Make().Leveled(slog.LevelDebug)
-		server1, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
+		server1, err := agentsocket.NewServer(socketPath, logger)
 		require.NoError(t, err)
 		defer server1.Close()
-		_, err = agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
+		_, err = agentsocket.NewServer(socketPath, logger)
 		require.ErrorContains(t, err, "create socket")
 	})

@@ -55,84 +45,8 @@ func TestServer(t *testing.T) {

 		socketPath := filepath.Join(t.TempDir(), "test.sock")
 		logger := slog.Make().Leveled(slog.LevelDebug)
-		server, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
+		server, err := agentsocket.NewServer(socketPath, logger)
 		require.NoError(t, err)
 		require.NoError(t, server.Close())
 	})
 }
-
-func TestServerWindowsNotSupported(t *testing.T) {
-	t.Parallel()
-
-	if runtime.GOOS != "windows" {
-		t.Skip("this test only runs on Windows")
-	}
-
-	t.Run("NewServer", func(t *testing.T) {
-		t.Parallel()
-
-		socketPath := filepath.Join(t.TempDir(), "test.sock")
-		logger := slog.Make().Leveled(slog.LevelDebug)
-		_, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
-		require.ErrorContains(t, err, "agentsocket is not supported on Windows")
-	})
-
-	t.Run("NewClient", func(t *testing.T) {
-		t.Parallel()
-
-		_, err := agentsocket.NewClient(context.Background(), agentsocket.WithPath("test.sock"))
-		require.ErrorContains(t, err, "agentsocket is not supported on Windows")
-	})
-}
-
-func TestAgentInitializesOnWindowsWithoutSocketServer(t *testing.T) {
-	t.Parallel()
-
-	if runtime.GOOS != "windows" {
-		t.Skip("this test only runs on Windows")
-	}
-
-	ctx := testutil.Context(t, testutil.WaitShort)
-	logger := testutil.Logger(t).Named("agent")
-
-	derpMap, _ := tailnettest.RunDERPAndSTUN(t)
-
-	coordinator := tailnet.NewCoordinator(logger)
-	t.Cleanup(func() {
-		_ = coordinator.Close()
-	})
-
-	statsCh := make(chan *agentproto.Stats, 50)
-	agentID := uuid.New()
-	manifest := agentsdk.Manifest{
-		AgentID:       agentID,
-		AgentName:     "test-agent",
-		WorkspaceName: "test-workspace",
-		OwnerName:     "test-user",
-		WorkspaceID:   uuid.New(),
-		DERPMap:       derpMap,
-	}
-
-	client := agenttest.NewClient(t, logger.Named("agenttest"), agentID, manifest, statsCh, coordinator)
-	t.Cleanup(client.Close)
-
-	options := agent.Options{
-		Client:                 client,
-		Filesystem:             afero.NewMemMapFs(),
-		Logger:                 logger.Named("agent"),
-		ReconnectingPTYTimeout: testutil.WaitShort,
-		EnvironmentVariables:   map[string]string{},
-		SocketPath:             "",
-	}
-
-	agnt := agent.New(options)
-	t.Cleanup(func() {
-		_ = agnt.Close()
-	})
-
-	startup := testutil.TryReceive(ctx, t, client.GetStartup())
-	require.NotNil(t, startup, "agent should send startup message")
-
-	err := agnt.Close()
-	require.NoError(t, err, "agent should close cleanly")
-}
@@ -15,18 +15,15 @@ var _ proto.DRPCAgentSocketServer = (*DRPCAgentSocketService)(nil)

 var ErrUnitManagerNotAvailable = xerrors.New("unit manager not available")

-// DRPCAgentSocketService implements the DRPC agent socket service.
 type DRPCAgentSocketService struct {
 	unitManager *unit.Manager
 	logger      slog.Logger
 }

-// Ping responds to a ping request to check if the service is alive.
 func (*DRPCAgentSocketService) Ping(_ context.Context, _ *proto.PingRequest) (*proto.PingResponse, error) {
 	return &proto.PingResponse{}, nil
 }

-// SyncStart starts a unit in the dependency graph.
 func (s *DRPCAgentSocketService) SyncStart(_ context.Context, req *proto.SyncStartRequest) (*proto.SyncStartResponse, error) {
 	if s.unitManager == nil {
 		return nil, xerrors.Errorf("SyncStart: %w", ErrUnitManagerNotAvailable)
@@ -56,7 +53,6 @@ func (s *DRPCAgentSocketService) SyncStart(_ context.Context, req *proto.SyncSta
 	return &proto.SyncStartResponse{}, nil
 }

-// SyncWant declares a dependency between units.
 func (s *DRPCAgentSocketService) SyncWant(_ context.Context, req *proto.SyncWantRequest) (*proto.SyncWantResponse, error) {
 	if s.unitManager == nil {
 		return nil, xerrors.Errorf("cannot add dependency: %w", ErrUnitManagerNotAvailable)
@@ -76,7 +72,6 @@ func (s *DRPCAgentSocketService) SyncWant(_ context.Context, req *proto.SyncWant
 	return &proto.SyncWantResponse{}, nil
 }

-// SyncComplete marks a unit as complete in the dependency graph.
 func (s *DRPCAgentSocketService) SyncComplete(_ context.Context, req *proto.SyncCompleteRequest) (*proto.SyncCompleteResponse, error) {
 	if s.unitManager == nil {
 		return nil, xerrors.Errorf("cannot complete unit: %w", ErrUnitManagerNotAvailable)
@@ -91,7 +86,6 @@ func (s *DRPCAgentSocketService) SyncComplete(_ context.Context, req *proto.Sync
 	return &proto.SyncCompleteResponse{}, nil
 }

-// SyncReady checks whether a unit is ready to be started. That is, all dependencies are satisfied.
 func (s *DRPCAgentSocketService) SyncReady(_ context.Context, req *proto.SyncReadyRequest) (*proto.SyncReadyResponse, error) {
 	if s.unitManager == nil {
 		return nil, xerrors.Errorf("cannot check readiness: %w", ErrUnitManagerNotAvailable)
@@ -108,7 +102,6 @@ func (s *DRPCAgentSocketService) SyncReady(_ context.Context, req *proto.SyncRea
 	}, nil
 }

-// SyncStatus gets the status of a unit and lists its dependencies.
 func (s *DRPCAgentSocketService) SyncStatus(_ context.Context, req *proto.SyncStatusRequest) (*proto.SyncStatusResponse, error) {
 	if s.unitManager == nil {
 		return nil, xerrors.Errorf("cannot get status for unit %q: %w", req.Unit, ErrUnitManagerNotAvailable)
@@ -122,11 +115,8 @@ func (s *DRPCAgentSocketService) SyncStatus(_ context.Context, req *proto.SyncSt
 	}

 	dependencies, err := s.unitManager.GetAllDependencies(unitID)
-	switch {
-	case errors.Is(err, unit.ErrUnitNotFound):
-		dependencies = []unit.Dependency{}
-	case err != nil:
-		return nil, xerrors.Errorf("cannot get dependencies: %w", err)
+	if err != nil {
+		return nil, xerrors.Errorf("failed to get dependencies: %w", err)
 	}

 	var depInfos []*proto.DependencyInfo
@@ -5,18 +5,21 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
+	"net"
 	"os"
 	"path/filepath"
 	"runtime"
 	"testing"

+	"github.com/hashicorp/yamux"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/agent/agentsocket"
+	"github.com/coder/coder/v2/agent/agentsocket/proto"
 	"github.com/coder/coder/v2/agent/unit"
-	"github.com/coder/coder/v2/testutil"
+	"github.com/coder/coder/v2/codersdk/drpcsdk"
 )

 // tempDirUnixSocket returns a temporary directory that can safely hold unix
@@ -44,15 +47,23 @@ func tempDirUnixSocket(t *testing.T) string {
 }

 // newSocketClient creates a DRPC client connected to the Unix socket at the given path.
-func newSocketClient(ctx context.Context, t *testing.T, socketPath string) *agentsocket.Client {
+func newSocketClient(t *testing.T, socketPath string) proto.DRPCAgentSocketClient {
 	t.Helper()

-	client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(socketPath))
-	t.Cleanup(func() {
-		_ = client.Close()
-	})
+	conn, err := net.Dial("unix", socketPath)
 	require.NoError(t, err)

+	config := yamux.DefaultConfig()
+	config.Logger = nil
+	session, err := yamux.Client(conn, config)
+	require.NoError(t, err)
+
+	client := proto.NewDRPCAgentSocketClient(drpcsdk.MultiplexedConn(session))
+
+	t.Cleanup(func() {
+		_ = session.Close()
+		_ = conn.Close()
+	})
 	return client
 }

@@ -67,17 +78,17 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Parallel()

 		socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-		ctx := testutil.Context(t, testutil.WaitShort)
+
 		server, err := agentsocket.NewServer(
+			socketPath,
 			slog.Make().Leveled(slog.LevelDebug),
-			agentsocket.WithPath(socketPath),
 		)
 		require.NoError(t, err)
 		defer server.Close()

-		client := newSocketClient(ctx, t, socketPath)
+		client := newSocketClient(t, socketPath)

-		err = client.Ping(ctx)
+		_, err = client.Ping(context.Background(), &proto.PingRequest{})
 		require.NoError(t, err)
 	})

@@ -87,116 +98,147 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("NewUnit", func(t *testing.T) {
 			t.Parallel()
 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-			ctx := testutil.Context(t, testutil.WaitShort)
+
 			server, err := agentsocket.NewServer(
+				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
-				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()

-			client := newSocketClient(ctx, t, socketPath)
+			client := newSocketClient(t, socketPath)

-			err = client.SyncStart(ctx, "test-unit")
+			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)

-			status, err := client.SyncStatus(ctx, "test-unit")
+			status, err := client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)
-			require.Equal(t, unit.StatusStarted, status.Status)
+			require.Equal(t, "started", status.Status)
 		})

 		t.Run("UnitAlreadyStarted", func(t *testing.T) {
 			t.Parallel()

 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-			ctx := testutil.Context(t, testutil.WaitShort)
+
 			server, err := agentsocket.NewServer(
+				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
-				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()

-			client := newSocketClient(ctx, t, socketPath)
+			client := newSocketClient(t, socketPath)

 			// First Start
-			err = client.SyncStart(ctx, "test-unit")
+			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)
-			status, err := client.SyncStatus(ctx, "test-unit")
+			status, err := client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)
-			require.Equal(t, unit.StatusStarted, status.Status)
+			require.Equal(t, "started", status.Status)

 			// Second Start
-			err = client.SyncStart(ctx, "test-unit")
+			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
+				Unit: "test-unit",
+			})
 			require.ErrorContains(t, err, unit.ErrSameStatusAlreadySet.Error())

-			status, err = client.SyncStatus(ctx, "test-unit")
+			status, err = client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)
-			require.Equal(t, unit.StatusStarted, status.Status)
+			require.Equal(t, "started", status.Status)
 		})

 		t.Run("UnitAlreadyCompleted", func(t *testing.T) {
 			t.Parallel()

 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-			ctx := testutil.Context(t, testutil.WaitShort)
+
 			server, err := agentsocket.NewServer(
+				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
-				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()

-			client := newSocketClient(ctx, t, socketPath)
+			client := newSocketClient(t, socketPath)

 			// First start
-			err = client.SyncStart(ctx, "test-unit")
+			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)

-			status, err := client.SyncStatus(ctx, "test-unit")
+			status, err := client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)
-			require.Equal(t, unit.StatusStarted, status.Status)
+			require.Equal(t, "started", status.Status)

 			// Complete the unit
-			err = client.SyncComplete(ctx, "test-unit")
+			_, err = client.SyncComplete(context.Background(), &proto.SyncCompleteRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)

-			status, err = client.SyncStatus(ctx, "test-unit")
+			status, err = client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)
-			require.Equal(t, unit.StatusComplete, status.Status)
+			require.Equal(t, "completed", status.Status)

 			// Second start
-			err = client.SyncStart(ctx, "test-unit")
+			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)

-			status, err = client.SyncStatus(ctx, "test-unit")
+			status, err = client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)
-			require.Equal(t, unit.StatusStarted, status.Status)
+			require.Equal(t, "started", status.Status)
 		})

 		t.Run("UnitNotReady", func(t *testing.T) {
 			t.Parallel()

 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-			ctx := testutil.Context(t, testutil.WaitShort)
+
 			server, err := agentsocket.NewServer(
+				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
-				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()

-			client := newSocketClient(ctx, t, socketPath)
+			client := newSocketClient(t, socketPath)

-			err = client.SyncWant(ctx, "test-unit", "dependency-unit")
+			_, err = client.SyncWant(context.Background(), &proto.SyncWantRequest{
+				Unit:      "test-unit",
+				DependsOn: "dependency-unit",
+			})
 			require.NoError(t, err)

-			err = client.SyncStart(ctx, "test-unit")
+			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
+				Unit: "test-unit",
+			})
 			require.ErrorContains(t, err, "unit not ready")

-			status, err := client.SyncStatus(ctx, "test-unit")
+			status, err := client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)
-			require.Equal(t, unit.StatusPending, status.Status)
+			require.Equal(t, string(unit.StatusPending), status.Status)
 			require.False(t, status.IsReady)
 		})
 	})
@@ -208,86 +250,107 @@ func TestDRPCAgentSocketService(t *testing.T) {
 			t.Parallel()

 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-			ctx := testutil.Context(t, testutil.WaitShort)
+
 			server, err := agentsocket.NewServer(
+				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
-				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()

-			client := newSocketClient(ctx, t, socketPath)
+			client := newSocketClient(t, socketPath)

 			// If dependency units are not registered, they are registered automatically
-			err = client.SyncWant(ctx, "test-unit", "dependency-unit")
+			_, err = client.SyncWant(context.Background(), &proto.SyncWantRequest{
+				Unit:      "test-unit",
+				DependsOn: "dependency-unit",
+			})
 			require.NoError(t, err)

-			status, err := client.SyncStatus(ctx, "test-unit")
+			status, err := client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)
 			require.Len(t, status.Dependencies, 1)
-			require.Equal(t, unit.ID("dependency-unit"), status.Dependencies[0].DependsOn)
-			require.Equal(t, unit.StatusComplete, status.Dependencies[0].RequiredStatus)
+			require.Equal(t, "dependency-unit", status.Dependencies[0].DependsOn)
+			require.Equal(t, "completed", status.Dependencies[0].RequiredStatus)
 		})

 		t.Run("DependencyAlreadyRegistered", func(t *testing.T) {
 			t.Parallel()

 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-			ctx := testutil.Context(t, testutil.WaitShort)
+
 			server, err := agentsocket.NewServer(
+				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
-				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()

-			client := newSocketClient(ctx, t, socketPath)
+			client := newSocketClient(t, socketPath)

 			// Start the dependency unit
-			err = client.SyncStart(ctx, "dependency-unit")
+			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
+				Unit: "dependency-unit",
+			})
 			require.NoError(t, err)

-			status, err := client.SyncStatus(ctx, "dependency-unit")
+			status, err := client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
+				Unit: "dependency-unit",
+			})
 			require.NoError(t, err)
-			require.Equal(t, unit.StatusStarted, status.Status)
+			require.Equal(t, "started", status.Status)

 			// Add the dependency after the dependency unit has already started
-			err = client.SyncWant(ctx, "test-unit", "dependency-unit")
+			_, err = client.SyncWant(context.Background(), &proto.SyncWantRequest{
+				Unit:      "test-unit",
+				DependsOn: "dependency-unit",
+			})

 			// Dependencies can be added even if the dependency unit has already started
 			require.NoError(t, err)

 			// The dependency is now reflected in the test unit's status
-			status, err = client.SyncStatus(ctx, "test-unit")
+			status, err = client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)
-			require.Equal(t, unit.ID("dependency-unit"), status.Dependencies[0].DependsOn)
-			require.Equal(t, unit.StatusComplete, status.Dependencies[0].RequiredStatus)
+			require.Equal(t, "dependency-unit", status.Dependencies[0].DependsOn)
+			require.Equal(t, "completed", status.Dependencies[0].RequiredStatus)
 		})

 		t.Run("DependencyAddedAfterDependentStarted", func(t *testing.T) {
 			t.Parallel()

 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-			ctx := testutil.Context(t, testutil.WaitShort)
+
 			server, err := agentsocket.NewServer(
+				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
-				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()

-			client := newSocketClient(ctx, t, socketPath)
+			client := newSocketClient(t, socketPath)

 			// Start the dependent unit
-			err = client.SyncStart(ctx, "test-unit")
+			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)

-			status, err := client.SyncStatus(ctx, "test-unit")
+			status, err := client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)
-			require.Equal(t, unit.StatusStarted, status.Status)
+			require.Equal(t, "started", status.Status)

 			// Add the dependency after the dependency unit has already started
-			err = client.SyncWant(ctx, "test-unit", "dependency-unit")
+			_, err = client.SyncWant(context.Background(), &proto.SyncWantRequest{
+				Unit:      "test-unit",
+				DependsOn: "dependency-unit",
+			})

 			// Dependencies can be added even if the dependent unit has already started.
 			// The dependency applies the next time a unit is started. The current status is not updated.
@@ -296,10 +359,12 @@ func TestDRPCAgentSocketService(t *testing.T) {
 			require.NoError(t, err)

 			// The dependency is now reflected in the test unit's status
-			status, err = client.SyncStatus(ctx, "test-unit")
+			status, err = client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)
-			require.Equal(t, unit.ID("dependency-unit"), status.Dependencies[0].DependsOn)
-			require.Equal(t, unit.StatusComplete, status.Dependencies[0].RequiredStatus)
+			require.Equal(t, "dependency-unit", status.Dependencies[0].DependsOn)
+			require.Equal(t, "completed", status.Dependencies[0].RequiredStatus)
 		})
 	})

@@ -310,80 +375,96 @@ func TestDRPCAgentSocketService(t *testing.T) {
 			t.Parallel()

 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-			ctx := testutil.Context(t, testutil.WaitShort)
+
 			server, err := agentsocket.NewServer(
+				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
-				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()

-			client := newSocketClient(ctx, t, socketPath)
+			client := newSocketClient(t, socketPath)

-			ready, err := client.SyncReady(ctx, "unregistered-unit")
+			response, err := client.SyncReady(context.Background(), &proto.SyncReadyRequest{
+				Unit: "unregistered-unit",
+			})
 			require.NoError(t, err)
-			require.True(t, ready)
+			require.False(t, response.Ready)
 		})

 		t.Run("UnitNotReady", func(t *testing.T) {
 			t.Parallel()

 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-			ctx := testutil.Context(t, testutil.WaitShort)
+
 			server, err := agentsocket.NewServer(
+				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
-				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()

-			client := newSocketClient(ctx, t, socketPath)
+			client := newSocketClient(t, socketPath)

 			// Register a unit with an unsatisfied dependency
-			err = client.SyncWant(ctx, "test-unit", "dependency-unit")
+			_, err = client.SyncWant(context.Background(), &proto.SyncWantRequest{
+				Unit:      "test-unit",
+				DependsOn: "dependency-unit",
+			})
 			require.NoError(t, err)

 			// Check readiness - should be false because dependency is not satisfied
-			ready, err := client.SyncReady(ctx, "test-unit")
+			response, err := client.SyncReady(context.Background(), &proto.SyncReadyRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)
-			require.False(t, ready)
+			require.False(t, response.Ready)
 		})

 		t.Run("UnitReady", func(t *testing.T) {
 			t.Parallel()

 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-			ctx := testutil.Context(t, testutil.WaitShort)
+
 			server, err := agentsocket.NewServer(
+				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
-				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()

-			client := newSocketClient(ctx, t, socketPath)
+			client := newSocketClient(t, socketPath)

 			// Register a unit with no dependencies - should be ready immediately
-			err = client.SyncStart(ctx, "test-unit")
+			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)

 			// Check readiness - should be true
-			ready, err := client.SyncReady(ctx, "test-unit")
+			_, err = client.SyncReady(context.Background(), &proto.SyncReadyRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)
-			require.True(t, ready)

 			// Also test a unit with satisfied dependencies
-			err = client.SyncWant(ctx, "dependent-unit", "test-unit")
+			_, err = client.SyncWant(context.Background(), &proto.SyncWantRequest{
+				Unit:      "dependent-unit",
+				DependsOn: "test-unit",
+			})
 			require.NoError(t, err)

 			// Complete the dependency
-			err = client.SyncComplete(ctx, "test-unit")
+			_, err = client.SyncComplete(context.Background(), &proto.SyncCompleteRequest{
+				Unit: "test-unit",
+			})
 			require.NoError(t, err)

 			// Now dependent-unit should be ready
-			ready, err = client.SyncReady(ctx, "dependent-unit")
+			_, err = client.SyncReady(context.Background(), &proto.SyncReadyRequest{
+				Unit: "dependent-unit",
+			})
 			require.NoError(t, err)
-			require.True(t, ready)
 		})
 	})
 }
@@ -3,7 +3,8 @@
 package agentsocket

 import (
-	"context"
+	"crypto/rand"
+	"encoding/hex"
 	"net"
 	"os"
 	"path/filepath"
@@ -12,13 +13,8 @@ import (
 	"golang.org/x/xerrors"
 )

-const defaultSocketPath = "/tmp/coder-agent.sock"
-
+// createSocket creates a Unix domain socket listener
 func createSocket(path string) (net.Listener, error) {
-	if path == "" {
-		path = defaultSocketPath
-	}
-
 	if !isSocketAvailable(path) {
 		return nil, xerrors.Errorf("socket path %s is not available", path)
 	}
@@ -27,6 +23,7 @@ func createSocket(path string) (net.Listener, error) {
 		return nil, xerrors.Errorf("remove existing socket: %w", err)
 	}

+	// Create parent directory if it doesn't exist
 	parentDir := filepath.Dir(path)
 	if err := os.MkdirAll(parentDir, 0o700); err != nil {
 		return nil, xerrors.Errorf("create socket directory: %w", err)
@@ -44,30 +41,43 @@ func createSocket(path string) (net.Listener, error) {
 	return listener, nil
 }

+// getDefaultSocketPath returns the default socket path for Unix-like systems
+func getDefaultSocketPath() (string, error) {
+	randomBytes := make([]byte, 4)
+	if _, err := rand.Read(randomBytes); err != nil {
+		return "", xerrors.Errorf("generate random socket name: %w", err)
+	}
+	randomSuffix := hex.EncodeToString(randomBytes)
+
+	// Try XDG_RUNTIME_DIR first
+	if runtimeDir := os.Getenv("XDG_RUNTIME_DIR"); runtimeDir != "" {
+		return filepath.Join(runtimeDir, "coder-agent-"+randomSuffix+".sock"), nil
+	}
+
+	return filepath.Join("/tmp", "coder-agent-"+randomSuffix+".sock"), nil
+}
+
+// CleanupSocket removes the socket file
 func cleanupSocket(path string) error {
 	return os.Remove(path)
 }

+// isSocketAvailable checks if a socket path is available for use
 func isSocketAvailable(path string) bool {
+	// Check if file exists
 	if _, err := os.Stat(path); os.IsNotExist(err) {
 		return true
 	}

-	// Try to connect to see if it's actually listening.
+	// Try to connect to see if it's actually listening
 	dialer := net.Dialer{Timeout: 10 * time.Second}
 	conn, err := dialer.Dial("unix", path)
 	if err != nil {
+		// If we can't connect, the socket is not in use
+		// Socket is available for use
 		return true
 	}
 	_ = conn.Close()
+	// Socket is in use
 	return false
 }
-
-func dialSocket(ctx context.Context, path string) (net.Conn, error) {
-	if path == "" {
-		path = defaultSocketPath
-	}
-
-	dialer := net.Dialer{}
-	return dialer.DialContext(ctx, "unix", path)
-}
@@ -3,20 +3,25 @@
 package agentsocket

 import (
-	"context"
 	"net"

 	"golang.org/x/xerrors"
 )

+// createSocket returns an error indicating that agentsocket is not supported on Windows.
+// This feature is unix-only in its current experimental state.
 func createSocket(_ string) (net.Listener, error) {
 	return nil, xerrors.New("agentsocket is not supported on Windows")
 }

-func cleanupSocket(_ string) error {
-	return nil
+// getDefaultSocketPath returns an error indicating that agentsocket is not supported on Windows.
+// This feature is unix-only in its current experimental state.
+func getDefaultSocketPath() (string, error) {
+	return "", xerrors.New("agentsocket is not supported on Windows")
 }

-func dialSocket(_ context.Context, _ string) (net.Conn, error) {
-	return nil, xerrors.New("agentsocket is not supported on Windows")
+// cleanupSocket is a no-op on Windows since agentsocket is not supported.
+func cleanupSocket(_ string) error {
+	// No-op since agentsocket is not supported on Windows
+	return nil
 }
@@ -391,19 +391,10 @@ func (s *Server) sessionHandler(session ssh.Session) {
 	env := session.Environ()
 	magicType, magicTypeRaw, env := extractMagicSessionType(env)

-	// It's not safe to assume RemoteAddr() returns a non-nil value. slog.F usage is fine because it correctly
-	// handles nil.
-	// c.f. https://github.com/coder/internal/issues/1143
-	remoteAddr := session.RemoteAddr()
-	remoteAddrString := ""
-	if remoteAddr != nil {
-		remoteAddrString = remoteAddr.String()
-	}
-
 	if !s.trackSession(session, true) {
 		reason := "unable to accept new session, server is closing"
 		// Report connection attempt even if we couldn't accept it.
-		disconnected := s.config.ReportConnection(id, magicType, remoteAddrString)
+		disconnected := s.config.ReportConnection(id, magicType, session.RemoteAddr().String())
 		defer disconnected(1, reason)

 		logger.Info(ctx, reason)
@@ -438,7 +429,7 @@ func (s *Server) sessionHandler(session ssh.Session) {
 		scr := &sessionCloseTracker{Session: session}
 		session = scr

-		disconnected := s.config.ReportConnection(id, magicType, remoteAddrString)
+		disconnected := s.config.ReportConnection(id, magicType, session.RemoteAddr().String())
 		defer func() {
 			disconnected(scr.exitCode(), reason)
 		}()
@@ -176,7 +176,7 @@ func (x *x11Forwarder) listenForConnections(
 		var originPort uint32

 		if tcpConn, ok := conn.(*net.TCPConn); ok {
-			if tcpAddr, ok := tcpConn.LocalAddr().(*net.TCPAddr); ok && tcpAddr != nil {
+			if tcpAddr, ok := tcpConn.LocalAddr().(*net.TCPAddr); ok {
 				originAddr = tcpAddr.IP.String()
 				// #nosec G115 - Safe conversion as TCP port numbers are within uint32 range (0-65535)
 				originPort = uint32(tcpAddr.Port)
@@ -74,21 +74,11 @@ func (s *Server) Serve(ctx, hardCtx context.Context, l net.Listener) (retErr err
 			break
 		}
 		clog := s.logger.With(
-			slog.F("remote", conn.RemoteAddr()),
-			slog.F("local", conn.LocalAddr()))
+			slog.F("remote", conn.RemoteAddr().String()),
+			slog.F("local", conn.LocalAddr().String()))
 		clog.Info(ctx, "accepted conn")
-
-		// It's not safe to assume RemoteAddr() returns a non-nil value. slog.F usage is fine because it correctly
-		// handles nil.
-		// c.f. https://github.com/coder/internal/issues/1143
-		remoteAddr := conn.RemoteAddr()
-		remoteAddrString := ""
-		if remoteAddr != nil {
-			remoteAddrString = remoteAddr.String()
-		}
-
 		wg.Add(1)
-		disconnected := s.reportConnection(uuid.New(), remoteAddrString)
+		disconnected := s.reportConnection(uuid.New(), conn.RemoteAddr().String())
 		closed := make(chan struct{})
 		go func() {
 			defer wg.Done()
@@ -2,7 +2,6 @@ package unit

 import (
 	"errors"
-	"fmt"
 	"sync"

 	"golang.org/x/xerrors"
@@ -24,15 +23,6 @@ var (
 // Status represents the status of a unit.
 type Status string

-var _ fmt.Stringer = Status("")
-
-func (s Status) String() string {
-	if s == StatusNotRegistered {
-		return "not registered"
-	}
-	return string(s)
-}
-
 // Status constants for dependency tracking.
 const (
 	StatusNotRegistered Status = ""
@@ -147,7 +137,7 @@ func (m *Manager) IsReady(id ID) (bool, error) {
 	defer m.mu.RUnlock()

 	if !m.registered(id) {
-		return true, nil
+		return false, nil
 	}

 	return m.units[id].ready, nil
@@ -684,7 +684,7 @@ func TestManager_IsReady(t *testing.T) {
 		// Then: the unit is not ready
 		isReady, err := manager.IsReady(unitA)
 		require.NoError(t, err)
-		assert.True(t, isReady)
+		assert.False(t, isReady)
 	})
 }

@@ -57,8 +57,6 @@ func workspaceAgent() *serpent.Command {
 		devcontainers                  bool
 		devcontainerProjectDiscovery   bool
 		devcontainerDiscoveryAutostart bool
-		socketServerEnabled            bool
-		socketPath                     string
 	)
 	agentAuth := &AgentAuth{}
 	cmd := &serpent.Command{
@@ -319,8 +317,6 @@ func workspaceAgent() *serpent.Command {
 						agentcontainers.WithProjectDiscovery(devcontainerProjectDiscovery),
 						agentcontainers.WithDiscoveryAutostart(devcontainerDiscoveryAutostart),
 					},
-					SocketPath:          socketPath,
-					SocketServerEnabled: socketServerEnabled,
 				})

 				if debugAddress != "" {
@@ -481,19 +477,6 @@ func workspaceAgent() *serpent.Command {
 			Description: "Allow the agent to autostart devcontainer projects it discovers based on their configuration.",
 			Value:       serpent.BoolOf(&devcontainerDiscoveryAutostart),
 		},
-		{
-			Flag:        "socket-server-enabled",
-			Default:     "false",
-			Env:         "CODER_AGENT_SOCKET_SERVER_ENABLED",
-			Description: "Enable the agent socket server.",
-			Value:       serpent.BoolOf(&socketServerEnabled),
-		},
-		{
-			Flag:        "socket-path",
-			Env:         "CODER_AGENT_SOCKET_PATH",
-			Description: "Specify the path for the agent socket.",
-			Value:       serpent.StringOf(&socketPath),
-		},
 	}
 	agentAuth.AttachOptions(cmd, false)
 	return cmd
@@ -152,13 +152,7 @@ func Agent(ctx context.Context, writer io.Writer, agentID uuid.UUID, opts AgentO
 				sw.Log(time.Time{}, codersdk.LogLevelInfo, "==> ℹ︎ To connect immediately, reconnect with --wait=no or CODER_SSH_WAIT=no, see --help for more information.")
 			}

-			err = func() error {
-				// In non-blocking mode, skip streaming logs.
-				// See: https://github.com/coder/coder/issues/13580
-				if !opts.Wait {
-					return nil
-				}
-
+			err = func() error { // Use func because of defer in for loop.
 				logStream, logsCloser, err := opts.FetchLogs(ctx, agent.ID, 0, follow)
 				if err != nil {
 					return xerrors.Errorf("fetch workspace agent startup logs: %w", err)
@@ -106,9 +106,6 @@ var _ OutputFormat = &tableFormat{}
 //
 // defaultColumns is optional and specifies the default columns to display. If
 // not specified, all columns are displayed by default.
-//
-// If the data is empty, an empty string is returned. Callers should check for
-// this and provide an appropriate message to the user.
 func TableFormat(out any, defaultColumns []string) OutputFormat {
 	v := reflect.Indirect(reflect.ValueOf(out))
 	if v.Kind() != reflect.Slice {
@@ -180,12 +180,6 @@ func DisplayTable(out any, sort string, filterColumns []string) (string, error)
 func renderTable(out any, sort string, headers table.Row, filterColumns []string) (string, error) {
 	v := reflect.Indirect(reflect.ValueOf(out))

-	// Return empty string for empty data. Callers should check for this
-	// and provide an appropriate message to the user.
-	if v.Kind() == reflect.Slice && v.Len() == 0 {
-		return "", nil
-	}
-
 	headers = filterHeaders(headers, filterColumns)
 	columnConfigs := createColumnConfigs(headers, filterColumns)

@@ -472,15 +472,6 @@ alice  1
 		require.NoError(t, err)
 		compareTables(t, expected, out)
 	})
-
-	t.Run("Empty", func(t *testing.T) {
-		t.Parallel()
-
-		var in []tableTest4
-		out, err := cliui.DisplayTable(in, "", nil)
-		require.NoError(t, err)
-		require.Empty(t, out)
-	})
 }

 // compareTables normalizes the incoming table lines
@@ -1559,15 +1559,6 @@ func (r *RootCmd) scaletestDashboard() *serpent.Command {
 			if err != nil {
 				return xerrors.Errorf("create tracer provider: %w", err)
 			}
-			tracer := tracerProvider.Tracer(scaletestTracerName)
-			outputs, err := output.parse()
-			if err != nil {
-				return xerrors.Errorf("could not parse --output flags")
-			}
-			reg := prometheus.NewRegistry()
-			prometheusSrvClose := ServeHandler(ctx, logger, promhttp.HandlerFor(reg, promhttp.HandlerOpts{}), prometheusFlags.Address, "prometheus")
-			defer prometheusSrvClose()
-
 			defer func() {
 				// Allow time for traces to flush even if command context is
 				// canceled. This is a no-op if tracing is not enabled.
@@ -1579,7 +1570,14 @@ func (r *RootCmd) scaletestDashboard() *serpent.Command {
 				_, _ = fmt.Fprintf(inv.Stderr, "Waiting %s for prometheus metrics to be scraped\n", prometheusFlags.Wait)
 				<-time.After(prometheusFlags.Wait)
 			}()
-
+			tracer := tracerProvider.Tracer(scaletestTracerName)
+			outputs, err := output.parse()
+			if err != nil {
+				return xerrors.Errorf("could not parse --output flags")
+			}
+			reg := prometheus.NewRegistry()
+			prometheusSrvClose := ServeHandler(ctx, logger, promhttp.HandlerFor(reg, promhttp.HandlerOpts{}), prometheusFlags.Address, "prometheus")
+			defer prometheusSrvClose()
 			metrics := dashboard.NewMetrics(reg)

 			th := harness.NewTestHarness(strategy.toStrategy(), cleanupStrategy.toStrategy())
@@ -84,15 +84,6 @@ func (r *RootCmd) scaletestPrebuilds() *serpent.Command {
 			if err != nil {
 				return xerrors.Errorf("create tracer provider: %w", err)
 			}
-			tracer := tracerProvider.Tracer(scaletestTracerName)
-
-			reg := prometheus.NewRegistry()
-			metrics := prebuilds.NewMetrics(reg)
-
-			logger := inv.Logger
-			prometheusSrvClose := ServeHandler(ctx, logger, promhttp.HandlerFor(reg, promhttp.HandlerOpts{}), prometheusFlags.Address, "prometheus")
-			defer prometheusSrvClose()
-
 			defer func() {
 				_, _ = fmt.Fprintln(inv.Stderr, "\nUploading traces...")
 				if err := closeTracing(ctx); err != nil {
@@ -101,6 +92,14 @@ func (r *RootCmd) scaletestPrebuilds() *serpent.Command {
 				_, _ = fmt.Fprintf(inv.Stderr, "Waiting %s for prometheus metrics to be scraped\n", prometheusFlags.Wait)
 				<-time.After(prometheusFlags.Wait)
 			}()
+			tracer := tracerProvider.Tracer(scaletestTracerName)
+
+			reg := prometheus.NewRegistry()
+			metrics := prebuilds.NewMetrics(reg)
+
+			logger := inv.Logger
+			prometheusSrvClose := ServeHandler(ctx, logger, promhttp.HandlerFor(reg, promhttp.HandlerOpts{}), prometheusFlags.Address, "prometheus")
+			defer prometheusSrvClose()

 			err = client.PutPrebuildsSettings(ctx, codersdk.PrebuildsSettings{
 				ReconciliationPaused: true,
@@ -139,12 +139,7 @@ func (r *RootCmd) list() *serpent.Command {
 				return err
 			}

-			out, err := formatter.Format(inv.Context(), res)
-			if err != nil {
-				return err
-			}
-
-			if out == "" {
+			if len(res) == 0 && formatter.FormatID() != cliui.JSONFormat().ID() {
 				pretty.Fprintf(inv.Stderr, cliui.DefaultStyles.Prompt, "No workspaces found! Create one:\n")
 				_, _ = fmt.Fprintln(inv.Stderr)
 				_, _ = fmt.Fprintln(inv.Stderr, "  "+pretty.Sprint(cliui.DefaultStyles.Code, "coder create <name>"))
@@ -152,6 +147,11 @@ func (r *RootCmd) list() *serpent.Command {
 				return nil
 			}

+			out, err := formatter.Format(inv.Context(), res)
+			if err != nil {
+				return err
+			}
+
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -170,11 +170,6 @@ func (r *RootCmd) listOrganizationMembers(orgContext *OrganizationContext) *serp
 				return err
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No organization members found.")
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -92,11 +92,6 @@ func (r *RootCmd) showOrganizationRoles(orgContext *OrganizationContext) *serpen
 				return err
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No organization roles found.")
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -110,11 +110,6 @@ func (r *RootCmd) provisionerJobsList() *serpent.Command {
 				return xerrors.Errorf("display provisioner daemons: %w", err)
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No provisioner jobs found.")
-				return nil
-			}
-
 			_, _ = fmt.Fprintln(inv.Stdout, out)

 			return nil
@@ -74,6 +74,11 @@ func (r *RootCmd) provisionerList() *serpent.Command {
 				return xerrors.Errorf("list provisioner daemons: %w", err)
 			}

+			if len(daemons) == 0 {
+				_, _ = fmt.Fprintln(inv.Stdout, "No provisioner daemons found")
+				return nil
+			}
+
 			var rows []provisionerDaemonRow
 			for _, daemon := range daemons {
 				rows = append(rows, provisionerDaemonRow{
@@ -87,11 +92,6 @@ func (r *RootCmd) provisionerList() *serpent.Command {
 				return xerrors.Errorf("display provisioner daemons: %w", err)
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No provisioner daemons found.")
-				return nil
-			}
-
 			_, _ = fmt.Fprintln(inv.Stdout, out)

 			return nil
@@ -150,7 +150,6 @@ func (r *RootCmd) AGPLExperimental() []*serpent.Command {
 		r.mcpCommand(),
 		r.promptExample(),
 		r.rptyCommand(),
-		r.syncCommand(),
 		r.boundary(),
 	}
 }
@@ -72,31 +72,6 @@ func TestCommandHelp(t *testing.T) {
 			Name: "coder provisioner jobs list --output json",
 			Cmd:  []string{"provisioner", "jobs", "list", "--output", "json"},
 		},
-		// TODO (SasSwart): Remove these once the sync commands are promoted out of experimental.
-		clitest.CommandHelpCase{
-			Name: "coder exp sync --help",
-			Cmd:  []string{"exp", "sync", "--help"},
-		},
-		clitest.CommandHelpCase{
-			Name: "coder exp sync ping --help",
-			Cmd:  []string{"exp", "sync", "ping", "--help"},
-		},
-		clitest.CommandHelpCase{
-			Name: "coder exp sync start --help",
-			Cmd:  []string{"exp", "sync", "start", "--help"},
-		},
-		clitest.CommandHelpCase{
-			Name: "coder exp sync want --help",
-			Cmd:  []string{"exp", "sync", "want", "--help"},
-		},
-		clitest.CommandHelpCase{
-			Name: "coder exp sync complete --help",
-			Cmd:  []string{"exp", "sync", "complete", "--help"},
-		},
-		clitest.CommandHelpCase{
-			Name: "coder exp sync status --help",
-			Cmd:  []string{"exp", "sync", "status", "--help"},
-		},
 	))
 }

@@ -129,11 +129,6 @@ func (r *RootCmd) scheduleShow() *serpent.Command {
 				return err
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No schedules found.")
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -1,35 +0,0 @@
-package cli
-
-import (
-	"github.com/coder/serpent"
-)
-
-func (r *RootCmd) syncCommand() *serpent.Command {
-	var socketPath string
-
-	cmd := &serpent.Command{
-		Use:   "sync",
-		Short: "Manage unit dependencies for coordinated startup",
-		Long:  "Commands for orchestrating unit startup order in workspaces. Units are most commonly coder scripts. Use these commands to declare dependencies between units, coordinate their startup sequence, and ensure units start only after their dependencies are ready. This helps prevent race conditions and startup failures.",
-		Handler: func(i *serpent.Invocation) error {
-			return i.Command.HelpHandler(i)
-		},
-		Children: []*serpent.Command{
-			r.syncPing(&socketPath),
-			r.syncStart(&socketPath),
-			r.syncWant(&socketPath),
-			r.syncComplete(&socketPath),
-			r.syncStatus(&socketPath),
-		},
-		Options: serpent.OptionSet{
-			{
-				Flag:        "socket-path",
-				Env:         "CODER_AGENT_SOCKET_PATH",
-				Description: "Specify the path for the agent socket.",
-				Value:       serpent.StringOf(&socketPath),
-			},
-		},
-	}
-
-	return cmd
-}
@@ -1,47 +0,0 @@
-package cli
-
-import (
-	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/v2/agent/agentsocket"
-	"github.com/coder/coder/v2/agent/unit"
-	"github.com/coder/coder/v2/cli/cliui"
-	"github.com/coder/serpent"
-)
-
-func (*RootCmd) syncComplete(socketPath *string) *serpent.Command {
-	cmd := &serpent.Command{
-		Use:   "complete <unit>",
-		Short: "Mark a unit as complete",
-		Long:  "Mark a unit as complete. Indicating to other units that it has completed its work. This allows units that depend on it to proceed with their startup.",
-		Handler: func(i *serpent.Invocation) error {
-			ctx := i.Context()
-
-			if len(i.Args) != 1 {
-				return xerrors.New("exactly one unit name is required")
-			}
-			unit := unit.ID(i.Args[0])
-
-			opts := []agentsocket.Option{}
-			if *socketPath != "" {
-				opts = append(opts, agentsocket.WithPath(*socketPath))
-			}
-
-			client, err := agentsocket.NewClient(ctx, opts...)
-			if err != nil {
-				return xerrors.Errorf("connect to agent socket: %w", err)
-			}
-			defer client.Close()
-
-			if err := client.SyncComplete(ctx, unit); err != nil {
-				return xerrors.Errorf("complete unit failed: %w", err)
-			}
-
-			cliui.Info(i.Stdout, "Success")
-
-			return nil
-		},
-	}
-
-	return cmd
-}
@@ -1,42 +0,0 @@
-package cli
-
-import (
-	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/v2/agent/agentsocket"
-	"github.com/coder/coder/v2/cli/cliui"
-	"github.com/coder/serpent"
-)
-
-func (*RootCmd) syncPing(socketPath *string) *serpent.Command {
-	cmd := &serpent.Command{
-		Use:   "ping",
-		Short: "Test agent socket connectivity and health",
-		Long:  "Test connectivity to the local Coder agent socket to verify the agent is running and responsive. Useful for troubleshooting startup issues or verifying the agent is accessible before running other sync commands.",
-		Handler: func(i *serpent.Invocation) error {
-			ctx := i.Context()
-
-			opts := []agentsocket.Option{}
-			if *socketPath != "" {
-				opts = append(opts, agentsocket.WithPath(*socketPath))
-			}
-
-			client, err := agentsocket.NewClient(ctx, opts...)
-			if err != nil {
-				return xerrors.Errorf("connect to agent socket: %w", err)
-			}
-			defer client.Close()
-
-			err = client.Ping(ctx)
-			if err != nil {
-				return xerrors.Errorf("ping failed: %w", err)
-			}
-
-			cliui.Info(i.Stdout, "Success")
-
-			return nil
-		},
-	}
-
-	return cmd
-}
@@ -1,101 +0,0 @@
-package cli
-
-import (
-	"context"
-	"time"
-
-	"golang.org/x/xerrors"
-
-	"github.com/coder/serpent"
-
-	"github.com/coder/coder/v2/agent/agentsocket"
-	"github.com/coder/coder/v2/agent/unit"
-	"github.com/coder/coder/v2/cli/cliui"
-)
-
-const (
-	syncPollInterval = 1 * time.Second
-)
-
-func (*RootCmd) syncStart(socketPath *string) *serpent.Command {
-	var timeout time.Duration
-
-	cmd := &serpent.Command{
-		Use:   "start <unit>",
-		Short: "Wait until all unit dependencies are satisfied",
-		Long:  "Wait until all dependencies are satisfied, consider the unit to have started, then allow it to proceed. This command polls until dependencies are ready, then marks the unit as started.",
-		Handler: func(i *serpent.Invocation) error {
-			ctx := i.Context()
-
-			if len(i.Args) != 1 {
-				return xerrors.New("exactly one unit name is required")
-			}
-			unitName := unit.ID(i.Args[0])
-
-			if timeout > 0 {
-				var cancel context.CancelFunc
-				ctx, cancel = context.WithTimeout(ctx, timeout)
-				defer cancel()
-			}
-
-			opts := []agentsocket.Option{}
-			if *socketPath != "" {
-				opts = append(opts, agentsocket.WithPath(*socketPath))
-			}
-
-			client, err := agentsocket.NewClient(ctx, opts...)
-			if err != nil {
-				return xerrors.Errorf("connect to agent socket: %w", err)
-			}
-			defer client.Close()
-
-			ready, err := client.SyncReady(ctx, unitName)
-			if err != nil {
-				return xerrors.Errorf("error checking dependencies: %w", err)
-			}
-
-			if !ready {
-				cliui.Infof(i.Stdout, "Waiting for dependencies of unit '%s' to be satisfied...", unitName)
-
-				ticker := time.NewTicker(syncPollInterval)
-				defer ticker.Stop()
-
-			pollLoop:
-				for {
-					select {
-					case <-ctx.Done():
-						if ctx.Err() == context.DeadlineExceeded {
-							return xerrors.Errorf("timeout waiting for dependencies of unit '%s'", unitName)
-						}
-						return ctx.Err()
-					case <-ticker.C:
-						ready, err := client.SyncReady(ctx, unitName)
-						if err != nil {
-							return xerrors.Errorf("error checking dependencies: %w", err)
-						}
-						if ready {
-							break pollLoop
-						}
-					}
-				}
-			}
-
-			if err := client.SyncStart(ctx, unitName); err != nil {
-				return xerrors.Errorf("start unit failed: %w", err)
-			}
-
-			cliui.Info(i.Stdout, "Success")
-
-			return nil
-		},
-	}
-
-	cmd.Options = append(cmd.Options, serpent.Option{
-		Flag:        "timeout",
-		Description: "Maximum time to wait for dependencies (e.g., 30s, 5m). 5m by default.",
-		Value:       serpent.DurationOf(&timeout),
-		Default:     "5m",
-	})
-
-	return cmd
-}
@@ -1,88 +0,0 @@
-package cli
-
-import (
-	"fmt"
-
-	"golang.org/x/xerrors"
-
-	"github.com/coder/serpent"
-
-	"github.com/coder/coder/v2/agent/agentsocket"
-	"github.com/coder/coder/v2/agent/unit"
-	"github.com/coder/coder/v2/cli/cliui"
-)
-
-func (*RootCmd) syncStatus(socketPath *string) *serpent.Command {
-	formatter := cliui.NewOutputFormatter(
-		cliui.ChangeFormatterData(
-			cliui.TableFormat(
-				[]agentsocket.DependencyInfo{},
-				[]string{
-					"depends on",
-					"required status",
-					"current status",
-					"satisfied",
-				},
-			),
-			func(data any) (any, error) {
-				resp, ok := data.(agentsocket.SyncStatusResponse)
-				if !ok {
-					return nil, xerrors.Errorf("expected agentsocket.SyncStatusResponse, got %T", data)
-				}
-				return resp.Dependencies, nil
-			}),
-		cliui.JSONFormat(),
-	)
-
-	cmd := &serpent.Command{
-		Use:   "status <unit>",
-		Short: "Show unit status and dependency state",
-		Long:  "Show the current status of a unit, whether it is ready to start, and lists its dependencies. Shows which dependencies are satisfied and which are still pending. Supports multiple output formats.",
-		Handler: func(i *serpent.Invocation) error {
-			ctx := i.Context()
-
-			if len(i.Args) != 1 {
-				return xerrors.New("exactly one unit name is required")
-			}
-			unit := unit.ID(i.Args[0])
-
-			opts := []agentsocket.Option{}
-			if *socketPath != "" {
-				opts = append(opts, agentsocket.WithPath(*socketPath))
-			}
-
-			client, err := agentsocket.NewClient(ctx, opts...)
-			if err != nil {
-				return xerrors.Errorf("connect to agent socket: %w", err)
-			}
-			defer client.Close()
-
-			statusResp, err := client.SyncStatus(ctx, unit)
-			if err != nil {
-				return xerrors.Errorf("get status failed: %w", err)
-			}
-
-			var out string
-			header := fmt.Sprintf("Unit: %s\nStatus: %s\nReady: %t\n\nDependencies:\n", unit, statusResp.Status, statusResp.IsReady)
-			if formatter.FormatID() == "table" && len(statusResp.Dependencies) == 0 {
-				out = header + "No dependencies found"
-			} else {
-				out, err = formatter.Format(ctx, statusResp)
-				if err != nil {
-					return xerrors.Errorf("format status: %w", err)
-				}
-
-				if formatter.FormatID() == "table" {
-					out = header + out
-				}
-			}
-
-			_, _ = fmt.Fprintln(i.Stdout, out)
-
-			return nil
-		},
-	}
-
-	formatter.AttachOptions(&cmd.Options)
-	return cmd
-}
@@ -1,330 +0,0 @@
-//go:build !windows
-
-package cli_test
-
-import (
-	"bytes"
-	"context"
-	"os"
-	"path/filepath"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-
-	"cdr.dev/slog"
-	"github.com/coder/coder/v2/agent/agentsocket"
-	"github.com/coder/coder/v2/cli/clitest"
-	"github.com/coder/coder/v2/testutil"
-)
-
-// setupSocketServer creates an agentsocket server at a temporary path for testing.
-// Returns the socket path and a cleanup function. The path should be passed to
-// sync commands via the --socket-path flag.
-func setupSocketServer(t *testing.T) (path string, cleanup func()) {
-	t.Helper()
-
-	// Use a temporary socket path for each test
-	socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-
-	// Create parent directory if needed
-	parentDir := filepath.Dir(socketPath)
-	err := os.MkdirAll(parentDir, 0o700)
-	require.NoError(t, err, "create socket directory")
-
-	server, err := agentsocket.NewServer(
-		slog.Make().Leveled(slog.LevelDebug),
-		agentsocket.WithPath(socketPath),
-	)
-	require.NoError(t, err, "create socket server")
-
-	// Return cleanup function
-	return socketPath, func() {
-		err := server.Close()
-		require.NoError(t, err, "close socket server")
-		_ = os.Remove(socketPath)
-	}
-}
-
-func TestSyncCommands_Golden(t *testing.T) {
-	t.Parallel()
-
-	t.Run("ping", func(t *testing.T) {
-		t.Parallel()
-		path, cleanup := setupSocketServer(t)
-		defer cleanup()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-
-		var outBuf bytes.Buffer
-		inv, _ := clitest.New(t, "exp", "sync", "ping", "--socket-path", path)
-		inv.Stdout = &outBuf
-		inv.Stderr = &outBuf
-
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/ping_success", outBuf.Bytes(), nil)
-	})
-
-	t.Run("start_no_dependencies", func(t *testing.T) {
-		t.Parallel()
-		path, cleanup := setupSocketServer(t)
-		defer cleanup()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-
-		var outBuf bytes.Buffer
-		inv, _ := clitest.New(t, "exp", "sync", "start", "test-unit", "--socket-path", path)
-		inv.Stdout = &outBuf
-		inv.Stderr = &outBuf
-
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/start_no_dependencies", outBuf.Bytes(), nil)
-	})
-
-	t.Run("start_with_dependencies", func(t *testing.T) {
-		t.Parallel()
-		path, cleanup := setupSocketServer(t)
-		defer cleanup()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-
-		// Set up dependency: test-unit depends on dep-unit
-		client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(path))
-		require.NoError(t, err)
-
-		// Declare dependency
-		err = client.SyncWant(ctx, "test-unit", "dep-unit")
-		require.NoError(t, err)
-		client.Close()
-
-		// Start a goroutine to complete the dependency after a short delay
-		// This simulates the dependency being satisfied while start is waiting
-		// The delay ensures the "Waiting..." message appears in the output
-		done := make(chan error, 1)
-		go func() {
-			// Wait a moment to let the start command begin waiting and print the message
-			time.Sleep(100 * time.Millisecond)
-
-			compCtx := context.Background()
-			compClient, err := agentsocket.NewClient(compCtx, agentsocket.WithPath(path))
-			if err != nil {
-				done <- err
-				return
-			}
-			defer compClient.Close()
-
-			// Start and complete the dependency unit
-			err = compClient.SyncStart(compCtx, "dep-unit")
-			if err != nil {
-				done <- err
-				return
-			}
-			err = compClient.SyncComplete(compCtx, "dep-unit")
-			done <- err
-		}()
-
-		var outBuf bytes.Buffer
-		inv, _ := clitest.New(t, "exp", "sync", "start", "test-unit", "--socket-path", path)
-		inv.Stdout = &outBuf
-		inv.Stderr = &outBuf
-
-		// Run the start command - it should wait for the dependency
-		err = inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		// Ensure the completion goroutine finished
-		select {
-		case err := <-done:
-			require.NoError(t, err, "complete dependency")
-		case <-time.After(time.Second):
-			// Goroutine should have finished by now
-		}
-
-		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/start_with_dependencies", outBuf.Bytes(), nil)
-	})
-
-	t.Run("want", func(t *testing.T) {
-		t.Parallel()
-		path, cleanup := setupSocketServer(t)
-		defer cleanup()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-
-		var outBuf bytes.Buffer
-		inv, _ := clitest.New(t, "exp", "sync", "want", "test-unit", "dep-unit", "--socket-path", path)
-		inv.Stdout = &outBuf
-		inv.Stderr = &outBuf
-
-		err := inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/want_success", outBuf.Bytes(), nil)
-	})
-
-	t.Run("complete", func(t *testing.T) {
-		t.Parallel()
-		path, cleanup := setupSocketServer(t)
-		defer cleanup()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-
-		// First start the unit
-		client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(path))
-		require.NoError(t, err)
-		err = client.SyncStart(ctx, "test-unit")
-		require.NoError(t, err)
-		client.Close()
-
-		var outBuf bytes.Buffer
-		inv, _ := clitest.New(t, "exp", "sync", "complete", "test-unit", "--socket-path", path)
-		inv.Stdout = &outBuf
-		inv.Stderr = &outBuf
-
-		err = inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/complete_success", outBuf.Bytes(), nil)
-	})
-
-	t.Run("status_pending", func(t *testing.T) {
-		t.Parallel()
-		path, cleanup := setupSocketServer(t)
-		defer cleanup()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-
-		// Set up a unit with unsatisfied dependency
-		client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(path))
-		require.NoError(t, err)
-		err = client.SyncWant(ctx, "test-unit", "dep-unit")
-		require.NoError(t, err)
-		client.Close()
-
-		var outBuf bytes.Buffer
-		inv, _ := clitest.New(t, "exp", "sync", "status", "test-unit", "--socket-path", path)
-		inv.Stdout = &outBuf
-		inv.Stderr = &outBuf
-
-		err = inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/status_pending", outBuf.Bytes(), nil)
-	})
-
-	t.Run("status_started", func(t *testing.T) {
-		t.Parallel()
-		path, cleanup := setupSocketServer(t)
-		defer cleanup()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-
-		// Start a unit
-		client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(path))
-		require.NoError(t, err)
-		err = client.SyncStart(ctx, "test-unit")
-		require.NoError(t, err)
-		client.Close()
-
-		var outBuf bytes.Buffer
-		inv, _ := clitest.New(t, "exp", "sync", "status", "test-unit", "--socket-path", path)
-		inv.Stdout = &outBuf
-		inv.Stderr = &outBuf
-
-		err = inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/status_started", outBuf.Bytes(), nil)
-	})
-
-	t.Run("status_completed", func(t *testing.T) {
-		t.Parallel()
-		path, cleanup := setupSocketServer(t)
-		defer cleanup()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-
-		// Start and complete a unit
-		client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(path))
-		require.NoError(t, err)
-		err = client.SyncStart(ctx, "test-unit")
-		require.NoError(t, err)
-		err = client.SyncComplete(ctx, "test-unit")
-		require.NoError(t, err)
-		client.Close()
-
-		var outBuf bytes.Buffer
-		inv, _ := clitest.New(t, "exp", "sync", "status", "test-unit", "--socket-path", path)
-		inv.Stdout = &outBuf
-		inv.Stderr = &outBuf
-
-		err = inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/status_completed", outBuf.Bytes(), nil)
-	})
-
-	t.Run("status_with_dependencies", func(t *testing.T) {
-		t.Parallel()
-		path, cleanup := setupSocketServer(t)
-		defer cleanup()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-
-		// Set up a unit with dependencies, some satisfied, some not
-		client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(path))
-		require.NoError(t, err)
-		err = client.SyncWant(ctx, "test-unit", "dep-1")
-		require.NoError(t, err)
-		err = client.SyncWant(ctx, "test-unit", "dep-2")
-		require.NoError(t, err)
-		// Complete dep-1, leave dep-2 incomplete
-		err = client.SyncStart(ctx, "dep-1")
-		require.NoError(t, err)
-		err = client.SyncComplete(ctx, "dep-1")
-		require.NoError(t, err)
-		client.Close()
-
-		var outBuf bytes.Buffer
-		inv, _ := clitest.New(t, "exp", "sync", "status", "test-unit", "--socket-path", path)
-		inv.Stdout = &outBuf
-		inv.Stderr = &outBuf
-
-		err = inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/status_with_dependencies", outBuf.Bytes(), nil)
-	})
-
-	t.Run("status_json_format", func(t *testing.T) {
-		t.Parallel()
-		path, cleanup := setupSocketServer(t)
-		defer cleanup()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-
-		// Set up a unit with dependencies
-		client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(path))
-		require.NoError(t, err)
-		err = client.SyncWant(ctx, "test-unit", "dep-unit")
-		require.NoError(t, err)
-		err = client.SyncStart(ctx, "dep-unit")
-		require.NoError(t, err)
-		err = client.SyncComplete(ctx, "dep-unit")
-		require.NoError(t, err)
-		client.Close()
-
-		var outBuf bytes.Buffer
-		inv, _ := clitest.New(t, "exp", "sync", "status", "test-unit", "--output", "json", "--socket-path", path)
-		inv.Stdout = &outBuf
-		inv.Stderr = &outBuf
-
-		err = inv.WithContext(ctx).Run()
-		require.NoError(t, err)
-
-		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/status_json_format", outBuf.Bytes(), nil)
-	})
-}
@@ -1,49 +0,0 @@
-package cli
-
-import (
-	"golang.org/x/xerrors"
-
-	"github.com/coder/serpent"
-
-	"github.com/coder/coder/v2/agent/agentsocket"
-	"github.com/coder/coder/v2/agent/unit"
-	"github.com/coder/coder/v2/cli/cliui"
-)
-
-func (*RootCmd) syncWant(socketPath *string) *serpent.Command {
-	cmd := &serpent.Command{
-		Use:   "want <unit> <depends-on>",
-		Short: "Declare that a unit depends on another unit completing before it can start",
-		Long:  "Declare that a unit depends on another unit completing before it can start. The unit specified first will not start until the second has signaled that it has completed.",
-		Handler: func(i *serpent.Invocation) error {
-			ctx := i.Context()
-
-			if len(i.Args) != 2 {
-				return xerrors.New("exactly two arguments are required: unit and depends-on")
-			}
-			dependentUnit := unit.ID(i.Args[0])
-			dependsOn := unit.ID(i.Args[1])
-
-			opts := []agentsocket.Option{}
-			if *socketPath != "" {
-				opts = append(opts, agentsocket.WithPath(*socketPath))
-			}
-
-			client, err := agentsocket.NewClient(ctx, opts...)
-			if err != nil {
-				return xerrors.Errorf("connect to agent socket: %w", err)
-			}
-			defer client.Close()
-
-			if err := client.SyncWant(ctx, dependentUnit, dependsOn); err != nil {
-				return xerrors.Errorf("declare dependency failed: %w", err)
-			}
-
-			cliui.Info(i.Stdout, "Success")
-
-			return nil
-		},
-	}
-
-	return cmd
-}
@@ -157,6 +157,12 @@ func (r *RootCmd) taskList() *serpent.Command {
 				return nil
 			}

+			// If no rows and not JSON, show a friendly message.
+			if len(tasks) == 0 && formatter.FormatID() != cliui.JSONFormat().ID() {
+				_, _ = fmt.Fprintln(inv.Stderr, "No tasks found.")
+				return nil
+			}
+
 			rows := make([]taskListRow, len(tasks))
 			now := time.Now()
 			for i := range tasks {
@@ -167,10 +173,6 @@ func (r *RootCmd) taskList() *serpent.Command {
 			if err != nil {
 				return xerrors.Errorf("format tasks: %w", err)
 			}
-			if out == "" {
-				cliui.Infof(inv.Stderr, "No tasks found.")
-				return nil
-			}
 			_, _ = fmt.Fprintln(inv.Stdout, out)
 			return nil
 		},
@@ -59,11 +59,6 @@ func (r *RootCmd) taskLogs() *serpent.Command {
 				return xerrors.Errorf("format task logs: %w", err)
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No task logs found.")
-				return nil
-			}
-
 			_, _ = fmt.Fprintln(inv.Stdout, out)
 			return nil
 		},
@@ -30,18 +30,18 @@ func (r *RootCmd) templateList() *serpent.Command {
 				return err
 			}

+			if len(templates) == 0 {
+				_, _ = fmt.Fprintf(inv.Stderr, "%s No templates found! Create one:\n\n", Caret)
+				_, _ = fmt.Fprintln(inv.Stderr, color.HiMagentaString("  $ coder templates push <directory>\n"))
+				return nil
+			}
+
 			rows := templatesToRows(templates...)
 			out, err := formatter.Format(inv.Context(), rows)
 			if err != nil {
 				return err
 			}

-			if out == "" {
-				_, _ = fmt.Fprintf(inv.Stderr, "%s No templates found! Create one:\n\n", Caret)
-				_, _ = fmt.Fprintln(inv.Stderr, color.HiMagentaString("  $ coder templates push <directory>\n"))
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -106,7 +106,7 @@ func (r *RootCmd) templatePresetsList() *serpent.Command {
 			if len(presets) == 0 {
 				cliui.Infof(
 					inv.Stdout,
-					"No presets found for template %q and template-version %q.", template.Name, version.Name,
+					"No presets found for template %q and template-version %q.\n", template.Name, version.Name,
 				)
 				return nil
 			}
@@ -115,7 +115,7 @@ func (r *RootCmd) templatePresetsList() *serpent.Command {
 			if formatter.FormatID() == "table" {
 				cliui.Infof(
 					inv.Stdout,
-					"Showing presets for template %q and template version %q.", template.Name, version.Name,
+					"Showing presets for template %q and template version %q.\n", template.Name, version.Name,
 				)
 			}
 			rows := templatePresetsToRows(presets...)
@@ -124,11 +124,6 @@ func (r *RootCmd) templatePresetsList() *serpent.Command {
 				return xerrors.Errorf("render table: %w", err)
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No template presets found.")
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -121,11 +121,6 @@ func (r *RootCmd) templateVersionsList() *serpent.Command {
 				return xerrors.Errorf("render table: %w", err)
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No template versions found.")
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -1 +0,0 @@
-Success
@@ -1 +0,0 @@
-Success
@@ -1 +0,0 @@
-Success
@@ -1,2 +0,0 @@
-Waiting for dependencies of unit 'test-unit' to be satisfied...
-Success
@@ -1,6 +0,0 @@
-Unit: test-unit
-Status: completed
-Ready: true
-
-Dependencies:
-No dependencies found
@@ -1,13 +0,0 @@
-{
-  "unit_name": "test-unit",
-  "status": "pending",
-  "is_ready": true,
-  "dependencies": [
-    {
-      "depends_on": "dep-unit",
-      "required_status": "completed",
-      "current_status": "completed",
-      "is_satisfied": true
-    }
-  ]
-}
@@ -1,7 +0,0 @@
-Unit: test-unit
-Status: pending
-Ready: false
-
-Dependencies:
-DEPENDS ON  REQUIRED STATUS  CURRENT STATUS  SATISFIED  
-dep-unit    completed        not registered  false      
@@ -1,6 +0,0 @@
-Unit: test-unit
-Status: started
-Ready: true
-
-Dependencies:
-No dependencies found
@@ -1,8 +0,0 @@
-Unit: test-unit
-Status: pending
-Ready: false
-
-Dependencies:
-DEPENDS ON  REQUIRED STATUS  CURRENT STATUS  SATISFIED  
-dep-1       completed        completed       true       
-dep-2       completed        not registered  false      
@@ -1 +0,0 @@
-Success
@@ -67,12 +67,6 @@ OPTIONS:
      --script-data-dir string, $CODER_AGENT_SCRIPT_DATA_DIR (default: /tmp)
          Specify the location for storing script data.

-      --socket-path string, $CODER_AGENT_SOCKET_PATH
-          Specify the path for the agent socket.
-
-      --socket-server-enabled bool, $CODER_AGENT_SOCKET_SERVER_ENABLED (default: false)
-          Enable the agent socket server.
-
      --ssh-max-timeout duration, $CODER_AGENT_SSH_MAX_TIMEOUT (default: 72h)
          Specify the max timeout for a SSH connection, it is advisable to set
          it to a minimum of 60s, but no more than 72h.
@@ -1,27 +0,0 @@
-coder v0.0.0-devel
-
-USAGE:
-  coder exp sync [flags]
-
-  Manage unit dependencies for coordinated startup
-
-  Commands for orchestrating unit startup order in workspaces. Units are most
-  commonly coder scripts. Use these commands to declare dependencies between
-  units, coordinate their startup sequence, and ensure units start only after
-  their dependencies are ready. This helps prevent race conditions and startup
-  failures.
-
-SUBCOMMANDS:
-    complete    Mark a unit as complete
-    ping        Test agent socket connectivity and health
-    start       Wait until all unit dependencies are satisfied
-    status      Show unit status and dependency state
-    want        Declare that a unit depends on another unit completing before it
-                can start
-
-OPTIONS:
-      --socket-path string, $CODER_AGENT_SOCKET_PATH
-          Specify the path for the agent socket.
-
-———
-Run `coder --help` for a list of global options.
@@ -1,12 +0,0 @@
-coder v0.0.0-devel
-
-USAGE:
-  coder exp sync complete <unit>
-
-  Mark a unit as complete
-
-  Mark a unit as complete. Indicating to other units that it has completed its
-  work. This allows units that depend on it to proceed with their startup.
-
-———
-Run `coder --help` for a list of global options.
@@ -1,13 +0,0 @@
-coder v0.0.0-devel
-
-USAGE:
-  coder exp sync ping
-
-  Test agent socket connectivity and health
-
-  Test connectivity to the local Coder agent socket to verify the agent is
-  running and responsive. Useful for troubleshooting startup issues or verifying
-  the agent is accessible before running other sync commands.
-
-———
-Run `coder --help` for a list of global options.
@@ -1,17 +0,0 @@
-coder v0.0.0-devel
-
-USAGE:
-  coder exp sync start [flags] <unit>
-
-  Wait until all unit dependencies are satisfied
-
-  Wait until all dependencies are satisfied, consider the unit to have started,
-  then allow it to proceed. This command polls until dependencies are ready,
-  then marks the unit as started.
-
-OPTIONS:
-      --timeout duration (default: 5m)
-          Maximum time to wait for dependencies (e.g., 30s, 5m). 5m by default.
-
-———
-Run `coder --help` for a list of global options.
@@ -1,20 +0,0 @@
-coder v0.0.0-devel
-
-USAGE:
-  coder exp sync status [flags] <unit>
-
-  Show unit status and dependency state
-
-  Show the current status of a unit, whether it is ready to start, and lists its
-  dependencies. Shows which dependencies are satisfied and which are still
-  pending. Supports multiple output formats.
-
-OPTIONS:
-  -c, --column [depends on|required status|current status|satisfied] (default: depends on,required status,current status,satisfied)
-          Columns to display in table output.
-
-  -o, --output table|json (default: table)
-          Output format.
-
-———
-Run `coder --help` for a list of global options.
@@ -1,13 +0,0 @@
-coder v0.0.0-devel
-
-USAGE:
-  coder exp sync want <unit> <depends-on>
-
-  Declare that a unit depends on another unit completing before it can start
-
-  Declare that a unit depends on another unit completing before it can start.
-  The unit specified first will not start until the second has signaled that it
-  has completed.
-
-———
-Run `coder --help` for a list of global options.
@@ -696,33 +696,6 @@ updating, and deleting workspace resources.
          Number of provisioner daemons to create on start. If builds are stuck
          in queued state for a long time, consider increasing this.

-RETENTION OPTIONS: 
-Configure data retention policies for various database tables. Retention
-policies automatically purge old data to reduce database size and improve
-performance. Setting a retention duration to 0 disables automatic purging for
-that data type.
-
-      --api-keys-retention duration, $CODER_API_KEYS_RETENTION (default: 7d)
-          How long expired API keys are retained before being deleted. Keeping
-          expired keys allows the backend to return a more helpful error when a
-          user tries to use an expired key. Set to 0 to disable automatic
-          deletion of expired keys.
-
-      --audit-logs-retention duration, $CODER_AUDIT_LOGS_RETENTION (default: 0)
-          How long audit log entries are retained. Set to 0 to disable (keep
-          indefinitely). We advise keeping audit logs for at least a year, and
-          in accordance with your compliance requirements.
-
-      --connection-logs-retention duration, $CODER_CONNECTION_LOGS_RETENTION (default: 0)
-          How long connection log entries are retained. Set to 0 to disable
-          (keep indefinitely).
-
-      --workspace-agent-logs-retention duration, $CODER_WORKSPACE_AGENT_LOGS_RETENTION (default: 7d)
-          How long workspace agent logs are retained. Logs from non-latest
-          builds are deleted if the agent hasn't connected within this period.
-          Logs from the latest build are always retained. Set to 0 to disable
-          automatic deletion.
-
 TELEMETRY OPTIONS: 
 Telemetry is critical to our ability to improve Coder. We strip all personal
 information before sending data to our servers. Please only disable telemetry
@@ -720,12 +720,25 @@ aibridge:
  # The base URL of the OpenAI API.
  # (default: https://api.openai.com/v1/, type: string)
  openai_base_url: https://api.openai.com/v1/
+  # The key to authenticate against the OpenAI API.
+  # (default: <unset>, type: string)
+  openai_key: ""
  # The base URL of the Anthropic API.
  # (default: https://api.anthropic.com/, type: string)
  anthropic_base_url: https://api.anthropic.com/
+  # The key to authenticate against the Anthropic API.
+  # (default: <unset>, type: string)
+  anthropic_key: ""
  # The AWS Bedrock API region.
  # (default: <unset>, type: string)
  bedrock_region: ""
+  # The access key to authenticate against the AWS Bedrock API.
+  # (default: <unset>, type: string)
+  bedrock_access_key: ""
+  # The access key secret to use with the access key to authenticate against the AWS
+  # Bedrock API.
+  # (default: <unset>, type: string)
+  bedrock_access_key_secret: ""
  # The model to use when making requests to the AWS Bedrock API.
  # (default: global.anthropic.claude-sonnet-4-5-20250929-v1:0, type: string)
  bedrock_model: global.anthropic.claude-sonnet-4-5-20250929-v1:0
@@ -742,27 +755,3 @@ aibridge:
  # (token, prompt, tool use).
  # (default: 60d, type: duration)
  retention: 1440h0m0s
-# Configure data retention policies for various database tables. Retention
-# policies automatically purge old data to reduce database size and improve
-# performance. Setting a retention duration to 0 disables automatic purging for
-# that data type.
-retention:
-  # How long audit log entries are retained. Set to 0 to disable (keep
-  # indefinitely). We advise keeping audit logs for at least a year, and in
-  # accordance with your compliance requirements.
-  # (default: 0, type: duration)
-  audit_logs: 0s
-  # How long connection log entries are retained. Set to 0 to disable (keep
-  # indefinitely).
-  # (default: 0, type: duration)
-  connection_logs: 0s
-  # How long expired API keys are retained before being deleted. Keeping expired
-  # keys allows the backend to return a more helpful error when a user tries to use
-  # an expired key. Set to 0 to disable automatic deletion of expired keys.
-  # (default: 7d, type: duration)
-  api_keys: 168h0m0s
-  # How long workspace agent logs are retained. Logs from non-latest builds are
-  # deleted if the agent hasn't connected within this period. Logs from the latest
-  # build are always retained. Set to 0 to disable automatic deletion.
-  # (default: 7d, type: duration)
-  workspace_agent_logs: 168h0m0s
@@ -246,6 +246,13 @@ func (r *RootCmd) listTokens() *serpent.Command {
 				return xerrors.Errorf("list tokens: %w", err)
 			}

+			if len(tokens) == 0 {
+				cliui.Infof(
+					inv.Stdout,
+					"No tokens found.\n",
+				)
+			}
+
 			displayTokens = make([]tokenListRow, len(tokens))

 			for i, token := range tokens {
@@ -257,11 +264,6 @@ func (r *RootCmd) listTokens() *serpent.Command {
 				return err
 			}

-			if out == "" {
-				cliui.Info(inv.Stderr, "No tokens found.")
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -34,7 +34,6 @@ func TestTokens(t *testing.T) {
 	clitest.SetupConfig(t, client, root)
 	buf := new(bytes.Buffer)
 	inv.Stdout = buf
-	inv.Stderr = buf
 	err := inv.WithContext(ctx).Run()
 	require.NoError(t, err)
 	res := buf.String()
@@ -58,11 +58,6 @@ func (r *RootCmd) userList() *serpent.Command {
 				return err
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No users found.")
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -69,7 +69,7 @@ type Options struct {
 	WorkspaceID    uuid.UUID
 	OrganizationID uuid.UUID

-	AuthenticatedCtx                  context.Context
+	Ctx                               context.Context
 	Log                               slog.Logger
 	Clock                             quartz.Clock
 	Database                          database.Store
@@ -220,7 +220,7 @@ func New(opts Options, workspace database.Workspace) *API {

 	// Start background cache refresh loop to handle workspace changes
 	// like prebuild claims where owner_id and other fields may be modified in the DB.
-	go api.startCacheRefreshLoop(opts.AuthenticatedCtx)
+	go api.startCacheRefreshLoop(opts.Ctx)

 	return api
 }
@@ -671,15 +671,15 @@ func TestBatchUpdateMetadata(t *testing.T) {

 		// Create full API with cached workspace fields (initial state)
 		api := agentapi.New(agentapi.Options{
-			AuthenticatedCtx: ctxWithActor,
-			AgentID:          agentID,
-			WorkspaceID:      workspaceID,
-			OwnerID:          ownerID,
-			OrganizationID:   orgID,
-			Database:         dbauthz.New(dbM, auth, testutil.Logger(t), accessControlStore),
-			Log:              testutil.Logger(t),
-			Clock:            mClock,
-			Pubsub:           pub,
+			Ctx:            ctxWithActor,
+			AgentID:        agentID,
+			WorkspaceID:    workspaceID,
+			OwnerID:        ownerID,
+			OrganizationID: orgID,
+			Database:       dbauthz.New(dbM, auth, testutil.Logger(t), accessControlStore),
+			Log:            testutil.Logger(t),
+			Clock:          mClock,
+			Pubsub:         pub,
 		}, initialWorkspace) // Cache is initialized with 9am schedule and "my-workspace" name

 		// Wait for ticker to be set up and release it so it can fire
@@ -8387,84 +8387,6 @@ const docTemplate = `{
                }
            }
        },
-        "/users/{user}/preferences": {
-            "get": {
-                "security": [
-                    {
-                        "CoderSessionToken": []
-                    }
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "Users"
-                ],
-                "summary": "Get user preference settings",
-                "operationId": "get-user-preference-settings",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "User ID, name, or me",
-                        "name": "user",
-                        "in": "path",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/codersdk.UserPreferenceSettings"
-                        }
-                    }
-                }
-            },
-            "put": {
-                "security": [
-                    {
-                        "CoderSessionToken": []
-                    }
-                ],
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "Users"
-                ],
-                "summary": "Update user preference settings",
-                "operationId": "update-user-preference-settings",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "User ID, name, or me",
-                        "name": "user",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "description": "New preference settings",
-                        "name": "request",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/codersdk.UpdateUserPreferenceSettingsRequest"
-                        }
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/codersdk.UserPreferenceSettings"
-                        }
-                    }
-                }
-            }
-        },
        "/users/{user}/profile": {
            "put": {
                "security": [
@@ -14302,9 +14224,6 @@ const docTemplate = `{
                "redirect_to_access_url": {
                    "type": "boolean"
                },
-                "retention": {
-                    "$ref": "#/definitions/codersdk.RetentionConfig"
-                },
                "scim_api_key": {
                    "type": "string"
                },
@@ -17731,27 +17650,6 @@ const docTemplate = `{
                }
            }
        },
-        "codersdk.RetentionConfig": {
-            "type": "object",
-            "properties": {
-                "api_keys": {
-                    "description": "APIKeys controls how long expired API keys are retained before being deleted.\nKeys are only deleted if they have been expired for at least this duration.\nDefaults to 7 days to preserve existing behavior.",
-                    "type": "integer"
-                },
-                "audit_logs": {
-                    "description": "AuditLogs controls how long audit log entries are retained.\nSet to 0 to disable (keep indefinitely).",
-                    "type": "integer"
-                },
-                "connection_logs": {
-                    "description": "ConnectionLogs controls how long connection log entries are retained.\nSet to 0 to disable (keep indefinitely).",
-                    "type": "integer"
-                },
-                "workspace_agent_logs": {
-                    "description": "WorkspaceAgentLogs controls how long workspace agent logs are retained.\nLogs are deleted if the agent hasn't connected within this period.\nLogs from the latest build are always retained regardless of age.\nDefaults to 7 days to preserve existing behavior.",
-                    "type": "integer"
-                }
-            }
-        },
        "codersdk.Role": {
            "type": "object",
            "properties": {
@@ -19356,14 +19254,6 @@ const docTemplate = `{
                }
            }
        },
-        "codersdk.UpdateUserPreferenceSettingsRequest": {
-            "type": "object",
-            "properties": {
-                "task_notification_alert_dismissed": {
-                    "type": "boolean"
-                }
-            }
-        },
        "codersdk.UpdateUserProfileRequest": {
            "type": "object",
            "required": [
@@ -19749,14 +19639,6 @@ const docTemplate = `{
                }
            }
        },
-        "codersdk.UserPreferenceSettings": {
-            "type": "object",
-            "properties": {
-                "task_notification_alert_dismissed": {
-                    "type": "boolean"
-                }
-            }
-        },
        "codersdk.UserQuietHoursScheduleConfig": {
            "type": "object",
            "properties": {
@@ -7418,74 +7418,6 @@
 				}
 			}
 		},
-		"/users/{user}/preferences": {
-			"get": {
-				"security": [
-					{
-						"CoderSessionToken": []
-					}
-				],
-				"produces": ["application/json"],
-				"tags": ["Users"],
-				"summary": "Get user preference settings",
-				"operationId": "get-user-preference-settings",
-				"parameters": [
-					{
-						"type": "string",
-						"description": "User ID, name, or me",
-						"name": "user",
-						"in": "path",
-						"required": true
-					}
-				],
-				"responses": {
-					"200": {
-						"description": "OK",
-						"schema": {
-							"$ref": "#/definitions/codersdk.UserPreferenceSettings"
-						}
-					}
-				}
-			},
-			"put": {
-				"security": [
-					{
-						"CoderSessionToken": []
-					}
-				],
-				"consumes": ["application/json"],
-				"produces": ["application/json"],
-				"tags": ["Users"],
-				"summary": "Update user preference settings",
-				"operationId": "update-user-preference-settings",
-				"parameters": [
-					{
-						"type": "string",
-						"description": "User ID, name, or me",
-						"name": "user",
-						"in": "path",
-						"required": true
-					},
-					{
-						"description": "New preference settings",
-						"name": "request",
-						"in": "body",
-						"required": true,
-						"schema": {
-							"$ref": "#/definitions/codersdk.UpdateUserPreferenceSettingsRequest"
-						}
-					}
-				],
-				"responses": {
-					"200": {
-						"description": "OK",
-						"schema": {
-							"$ref": "#/definitions/codersdk.UserPreferenceSettings"
-						}
-					}
-				}
-			}
-		},
 		"/users/{user}/profile": {
 			"put": {
 				"security": [
@@ -12886,9 +12818,6 @@
 				"redirect_to_access_url": {
 					"type": "boolean"
 				},
-				"retention": {
-					"$ref": "#/definitions/codersdk.RetentionConfig"
-				},
 				"scim_api_key": {
 					"type": "string"
 				},
@@ -16193,27 +16122,6 @@
 				}
 			}
 		},
-		"codersdk.RetentionConfig": {
-			"type": "object",
-			"properties": {
-				"api_keys": {
-					"description": "APIKeys controls how long expired API keys are retained before being deleted.\nKeys are only deleted if they have been expired for at least this duration.\nDefaults to 7 days to preserve existing behavior.",
-					"type": "integer"
-				},
-				"audit_logs": {
-					"description": "AuditLogs controls how long audit log entries are retained.\nSet to 0 to disable (keep indefinitely).",
-					"type": "integer"
-				},
-				"connection_logs": {
-					"description": "ConnectionLogs controls how long connection log entries are retained.\nSet to 0 to disable (keep indefinitely).",
-					"type": "integer"
-				},
-				"workspace_agent_logs": {
-					"description": "WorkspaceAgentLogs controls how long workspace agent logs are retained.\nLogs are deleted if the agent hasn't connected within this period.\nLogs from the latest build are always retained regardless of age.\nDefaults to 7 days to preserve existing behavior.",
-					"type": "integer"
-				}
-			}
-		},
 		"codersdk.Role": {
 			"type": "object",
 			"properties": {
@@ -17752,14 +17660,6 @@
 				}
 			}
 		},
-		"codersdk.UpdateUserPreferenceSettingsRequest": {
-			"type": "object",
-			"properties": {
-				"task_notification_alert_dismissed": {
-					"type": "boolean"
-				}
-			}
-		},
 		"codersdk.UpdateUserProfileRequest": {
 			"type": "object",
 			"required": ["username"],
@@ -18120,14 +18020,6 @@
 				}
 			}
 		},
-		"codersdk.UserPreferenceSettings": {
-			"type": "object",
-			"properties": {
-				"task_notification_alert_dismissed": {
-					"type": "boolean"
-				}
-			}
-		},
 		"codersdk.UserQuietHoursScheduleConfig": {
 			"type": "object",
 			"properties": {
@@ -1336,8 +1336,6 @@ func New(options *Options) *API {
 						})
 						r.Get("/appearance", api.userAppearanceSettings)
 						r.Put("/appearance", api.putUserAppearanceSettings)
-						r.Get("/preferences", api.userPreferenceSettings)
-						r.Put("/preferences", api.putUserPreferenceSettings)
 						r.Route("/password", func(r chi.Router) {
 							r.Use(httpmw.RateLimit(options.LoginRateLimit, time.Minute))
 							r.Put("/", api.putUserPassword)
@@ -1732,7 +1732,7 @@ func (q *querier) DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx context.Contex
 	return q.db.DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx, arg)
 }

-func (q *querier) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int64, error) {
+func (q *querier) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int32, error) {
 	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceAibridgeInterception); err != nil {
 		return -1, err
 	}
@@ -1749,20 +1749,6 @@ func (q *querier) DeleteOldAuditLogConnectionEvents(ctx context.Context, thresho
 	return q.db.DeleteOldAuditLogConnectionEvents(ctx, threshold)
 }

-func (q *querier) DeleteOldAuditLogs(ctx context.Context, arg database.DeleteOldAuditLogsParams) (int64, error) {
-	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil {
-		return 0, err
-	}
-	return q.db.DeleteOldAuditLogs(ctx, arg)
-}
-
-func (q *querier) DeleteOldConnectionLogs(ctx context.Context, arg database.DeleteOldConnectionLogsParams) (int64, error) {
-	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil {
-		return 0, err
-	}
-	return q.db.DeleteOldConnectionLogs(ctx, arg)
-}
-
 func (q *querier) DeleteOldNotificationMessages(ctx context.Context) error {
 	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceNotificationMessage); err != nil {
 		return err
@@ -1784,9 +1770,9 @@ func (q *querier) DeleteOldTelemetryLocks(ctx context.Context, beforeTime time.T
 	return q.db.DeleteOldTelemetryLocks(ctx, beforeTime)
 }

-func (q *querier) DeleteOldWorkspaceAgentLogs(ctx context.Context, threshold time.Time) (int64, error) {
+func (q *querier) DeleteOldWorkspaceAgentLogs(ctx context.Context, threshold time.Time) error {
 	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil {
-		return 0, err
+		return err
 	}
 	return q.db.DeleteOldWorkspaceAgentLogs(ctx, threshold)
 }
@@ -3445,17 +3431,6 @@ func (q *querier) GetUserStatusCounts(ctx context.Context, arg database.GetUserS
 	return q.db.GetUserStatusCounts(ctx, arg)
 }

-func (q *querier) GetUserTaskNotificationAlertDismissed(ctx context.Context, userID uuid.UUID) (bool, error) {
-	user, err := q.db.GetUserByID(ctx, userID)
-	if err != nil {
-		return false, err
-	}
-	if err := q.authorizeContext(ctx, policy.ActionReadPersonal, user); err != nil {
-		return false, err
-	}
-	return q.db.GetUserTaskNotificationAlertDismissed(ctx, userID)
-}
-
 func (q *querier) GetUserTerminalFont(ctx context.Context, userID uuid.UUID) (string, error) {
 	u, err := q.db.GetUserByID(ctx, userID)
 	if err != nil {
@@ -5489,17 +5464,6 @@ func (q *querier) UpdateUserStatus(ctx context.Context, arg database.UpdateUserS
 	return updateWithReturn(q.log, q.auth, fetch, q.db.UpdateUserStatus)(ctx, arg)
 }

-func (q *querier) UpdateUserTaskNotificationAlertDismissed(ctx context.Context, arg database.UpdateUserTaskNotificationAlertDismissedParams) (bool, error) {
-	user, err := q.db.GetUserByID(ctx, arg.UserID)
-	if err != nil {
-		return false, err
-	}
-	if err := q.authorizeContext(ctx, policy.ActionUpdatePersonal, user); err != nil {
-		return false, err
-	}
-	return q.db.UpdateUserTaskNotificationAlertDismissed(ctx, arg)
-}
-
 func (q *querier) UpdateUserTerminalFont(ctx context.Context, arg database.UpdateUserTerminalFontParams) (database.UserConfig, error) {
 	u, err := q.db.GetUserByID(ctx, arg.UserID)
 	if err != nil {
@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"net"
 	"reflect"
-	"strconv"
 	"testing"
 	"time"

@@ -324,10 +323,6 @@ func (s *MethodTestSuite) TestAuditLogs() {
 		dbm.EXPECT().DeleteOldAuditLogConnectionEvents(gomock.Any(), database.DeleteOldAuditLogConnectionEventsParams{}).Return(nil).AnyTimes()
 		check.Args(database.DeleteOldAuditLogConnectionEventsParams{}).Asserts(rbac.ResourceSystem, policy.ActionDelete)
 	}))
-	s.Run("DeleteOldAuditLogs", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
-		dbm.EXPECT().DeleteOldAuditLogs(gomock.Any(), database.DeleteOldAuditLogsParams{}).Return(int64(0), nil).AnyTimes()
-		check.Args(database.DeleteOldAuditLogsParams{}).Asserts(rbac.ResourceSystem, policy.ActionDelete)
-	}))
 }

 func (s *MethodTestSuite) TestConnectionLogs() {
@@ -359,10 +354,6 @@ func (s *MethodTestSuite) TestConnectionLogs() {
 		dbm.EXPECT().CountConnectionLogs(gomock.Any(), database.CountConnectionLogsParams{}).Return(int64(0), nil).AnyTimes()
 		check.Args(database.CountConnectionLogsParams{}, emptyPreparedAuthorized{}).Asserts(rbac.ResourceConnectionLog, policy.ActionRead)
 	}))
-	s.Run("DeleteOldConnectionLogs", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
-		dbm.EXPECT().DeleteOldConnectionLogs(gomock.Any(), database.DeleteOldConnectionLogsParams{}).Return(int64(0), nil).AnyTimes()
-		check.Args(database.DeleteOldConnectionLogsParams{}).Asserts(rbac.ResourceSystem, policy.ActionDelete)
-	}))
 }

 func (s *MethodTestSuite) TestFile() {
@@ -1486,21 +1477,6 @@ func (s *MethodTestSuite) TestUser() {
 		dbm.EXPECT().UpdateUserTerminalFont(gomock.Any(), arg).Return(uc, nil).AnyTimes()
 		check.Args(arg).Asserts(u, policy.ActionUpdatePersonal).Returns(uc)
 	}))
-	s.Run("GetUserTaskNotificationAlertDismissed", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
-		u := testutil.Fake(s.T(), faker, database.User{})
-		dbm.EXPECT().GetUserByID(gomock.Any(), u.ID).Return(u, nil).AnyTimes()
-		dbm.EXPECT().GetUserTaskNotificationAlertDismissed(gomock.Any(), u.ID).Return(false, nil).AnyTimes()
-		check.Args(u.ID).Asserts(u, policy.ActionReadPersonal).Returns(false)
-	}))
-	s.Run("UpdateUserTaskNotificationAlertDismissed", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
-		user := testutil.Fake(s.T(), faker, database.User{})
-		userConfig := database.UserConfig{UserID: user.ID, Key: "task_notification_alert_dismissed", Value: "false"}
-		userConfigValue, _ := strconv.ParseBool(userConfig.Value)
-		arg := database.UpdateUserTaskNotificationAlertDismissedParams{UserID: user.ID, TaskNotificationAlertDismissed: userConfigValue}
-		dbm.EXPECT().GetUserByID(gomock.Any(), user.ID).Return(user, nil).AnyTimes()
-		dbm.EXPECT().UpdateUserTaskNotificationAlertDismissed(gomock.Any(), arg).Return(false, nil).AnyTimes()
-		check.Args(arg).Asserts(user, policy.ActionUpdatePersonal).Returns(userConfigValue)
-	}))
 	s.Run("UpdateUserStatus", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
 		u := testutil.Fake(s.T(), faker, database.User{})
 		arg := database.UpdateUserStatusParams{ID: u.ID, Status: u.Status, UpdatedAt: u.UpdatedAt}
@@ -3227,7 +3203,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 	}))
 	s.Run("DeleteOldWorkspaceAgentLogs", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
 		t := time.Time{}
-		dbm.EXPECT().DeleteOldWorkspaceAgentLogs(gomock.Any(), t).Return(int64(0), nil).AnyTimes()
+		dbm.EXPECT().DeleteOldWorkspaceAgentLogs(gomock.Any(), t).Return(nil).AnyTimes()
 		check.Args(t).Asserts(rbac.ResourceSystem, policy.ActionDelete)
 	}))
 	s.Run("InsertWorkspaceAgentStats", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
@@ -4705,7 +4681,7 @@ func (s *MethodTestSuite) TestAIBridge() {

 	s.Run("DeleteOldAIBridgeRecords", s.Mocked(func(db *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
 		t := dbtime.Now()
-		db.EXPECT().DeleteOldAIBridgeRecords(gomock.Any(), t).Return(int64(0), nil).AnyTimes()
+		db.EXPECT().DeleteOldAIBridgeRecords(gomock.Any(), t).Return(int32(0), nil).AnyTimes()
 		check.Args(t).Asserts(rbac.ResourceAibridgeInterception, policy.ActionDelete)
 	}))
 }
@@ -396,7 +396,7 @@ func (m queryMetricsStore) DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx conte
 	return r0
 }

-func (m queryMetricsStore) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int64, error) {
+func (m queryMetricsStore) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int32, error) {
 	start := time.Now()
 	r0, r1 := m.s.DeleteOldAIBridgeRecords(ctx, beforeTime)
 	m.queryLatencies.WithLabelValues("DeleteOldAIBridgeRecords").Observe(time.Since(start).Seconds())
@@ -410,20 +410,6 @@ func (m queryMetricsStore) DeleteOldAuditLogConnectionEvents(ctx context.Context
 	return r0
 }

-func (m queryMetricsStore) DeleteOldAuditLogs(ctx context.Context, arg database.DeleteOldAuditLogsParams) (int64, error) {
-	start := time.Now()
-	r0, r1 := m.s.DeleteOldAuditLogs(ctx, arg)
-	m.queryLatencies.WithLabelValues("DeleteOldAuditLogs").Observe(time.Since(start).Seconds())
-	return r0, r1
-}
-
-func (m queryMetricsStore) DeleteOldConnectionLogs(ctx context.Context, arg database.DeleteOldConnectionLogsParams) (int64, error) {
-	start := time.Now()
-	r0, r1 := m.s.DeleteOldConnectionLogs(ctx, arg)
-	m.queryLatencies.WithLabelValues("DeleteOldConnectionLogs").Observe(time.Since(start).Seconds())
-	return r0, r1
-}
-
 func (m queryMetricsStore) DeleteOldNotificationMessages(ctx context.Context) error {
 	start := time.Now()
 	r0 := m.s.DeleteOldNotificationMessages(ctx)
@@ -445,11 +431,11 @@ func (m queryMetricsStore) DeleteOldTelemetryLocks(ctx context.Context, periodEn
 	return r0
 }

-func (m queryMetricsStore) DeleteOldWorkspaceAgentLogs(ctx context.Context, arg time.Time) (int64, error) {
+func (m queryMetricsStore) DeleteOldWorkspaceAgentLogs(ctx context.Context, arg time.Time) error {
 	start := time.Now()
-	r0, r1 := m.s.DeleteOldWorkspaceAgentLogs(ctx, arg)
+	r0 := m.s.DeleteOldWorkspaceAgentLogs(ctx, arg)
 	m.queryLatencies.WithLabelValues("DeleteOldWorkspaceAgentLogs").Observe(time.Since(start).Seconds())
-	return r0, r1
+	return r0
 }

 func (m queryMetricsStore) DeleteOldWorkspaceAgentStats(ctx context.Context) error {
@@ -1859,13 +1845,6 @@ func (m queryMetricsStore) GetUserStatusCounts(ctx context.Context, arg database
 	return r0, r1
 }

-func (m queryMetricsStore) GetUserTaskNotificationAlertDismissed(ctx context.Context, userID uuid.UUID) (bool, error) {
-	start := time.Now()
-	r0, r1 := m.s.GetUserTaskNotificationAlertDismissed(ctx, userID)
-	m.queryLatencies.WithLabelValues("GetUserTaskNotificationAlertDismissed").Observe(time.Since(start).Seconds())
-	return r0, r1
-}
-
 func (m queryMetricsStore) GetUserTerminalFont(ctx context.Context, userID uuid.UUID) (string, error) {
 	start := time.Now()
 	r0, r1 := m.s.GetUserTerminalFont(ctx, userID)
@@ -3371,13 +3350,6 @@ func (m queryMetricsStore) UpdateUserStatus(ctx context.Context, arg database.Up
 	return user, err
 }

-func (m queryMetricsStore) UpdateUserTaskNotificationAlertDismissed(ctx context.Context, arg database.UpdateUserTaskNotificationAlertDismissedParams) (bool, error) {
-	start := time.Now()
-	r0, r1 := m.s.UpdateUserTaskNotificationAlertDismissed(ctx, arg)
-	m.queryLatencies.WithLabelValues("UpdateUserTaskNotificationAlertDismissed").Observe(time.Since(start).Seconds())
-	return r0, r1
-}
-
 func (m queryMetricsStore) UpdateUserTerminalFont(ctx context.Context, arg database.UpdateUserTerminalFontParams) (database.UserConfig, error) {
 	start := time.Now()
 	r0, r1 := m.s.UpdateUserTerminalFont(ctx, arg)
@@ -725,10 +725,10 @@ func (mr *MockStoreMockRecorder) DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx
 }

 // DeleteOldAIBridgeRecords mocks base method.
-func (m *MockStore) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int64, error) {
+func (m *MockStore) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int32, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "DeleteOldAIBridgeRecords", ctx, beforeTime)
-	ret0, _ := ret[0].(int64)
+	ret0, _ := ret[0].(int32)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
@@ -753,36 +753,6 @@ func (mr *MockStoreMockRecorder) DeleteOldAuditLogConnectionEvents(ctx, arg any)
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteOldAuditLogConnectionEvents", reflect.TypeOf((*MockStore)(nil).DeleteOldAuditLogConnectionEvents), ctx, arg)
 }

-// DeleteOldAuditLogs mocks base method.
-func (m *MockStore) DeleteOldAuditLogs(ctx context.Context, arg database.DeleteOldAuditLogsParams) (int64, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DeleteOldAuditLogs", ctx, arg)
-	ret0, _ := ret[0].(int64)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// DeleteOldAuditLogs indicates an expected call of DeleteOldAuditLogs.
-func (mr *MockStoreMockRecorder) DeleteOldAuditLogs(ctx, arg any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteOldAuditLogs", reflect.TypeOf((*MockStore)(nil).DeleteOldAuditLogs), ctx, arg)
-}
-
-// DeleteOldConnectionLogs mocks base method.
-func (m *MockStore) DeleteOldConnectionLogs(ctx context.Context, arg database.DeleteOldConnectionLogsParams) (int64, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DeleteOldConnectionLogs", ctx, arg)
-	ret0, _ := ret[0].(int64)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// DeleteOldConnectionLogs indicates an expected call of DeleteOldConnectionLogs.
-func (mr *MockStoreMockRecorder) DeleteOldConnectionLogs(ctx, arg any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteOldConnectionLogs", reflect.TypeOf((*MockStore)(nil).DeleteOldConnectionLogs), ctx, arg)
-}
-
 // DeleteOldNotificationMessages mocks base method.
 func (m *MockStore) DeleteOldNotificationMessages(ctx context.Context) error {
 	m.ctrl.T.Helper()
@@ -826,12 +796,11 @@ func (mr *MockStoreMockRecorder) DeleteOldTelemetryLocks(ctx, periodEndingAtBefo
 }

 // DeleteOldWorkspaceAgentLogs mocks base method.
-func (m *MockStore) DeleteOldWorkspaceAgentLogs(ctx context.Context, threshold time.Time) (int64, error) {
+func (m *MockStore) DeleteOldWorkspaceAgentLogs(ctx context.Context, threshold time.Time) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "DeleteOldWorkspaceAgentLogs", ctx, threshold)
-	ret0, _ := ret[0].(int64)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
+	ret0, _ := ret[0].(error)
+	return ret0
 }

 // DeleteOldWorkspaceAgentLogs indicates an expected call of DeleteOldWorkspaceAgentLogs.
@@ -3973,21 +3942,6 @@ func (mr *MockStoreMockRecorder) GetUserStatusCounts(ctx, arg any) *gomock.Call
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserStatusCounts", reflect.TypeOf((*MockStore)(nil).GetUserStatusCounts), ctx, arg)
 }

-// GetUserTaskNotificationAlertDismissed mocks base method.
-func (m *MockStore) GetUserTaskNotificationAlertDismissed(ctx context.Context, userID uuid.UUID) (bool, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetUserTaskNotificationAlertDismissed", ctx, userID)
-	ret0, _ := ret[0].(bool)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetUserTaskNotificationAlertDismissed indicates an expected call of GetUserTaskNotificationAlertDismissed.
-func (mr *MockStoreMockRecorder) GetUserTaskNotificationAlertDismissed(ctx, userID any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserTaskNotificationAlertDismissed", reflect.TypeOf((*MockStore)(nil).GetUserTaskNotificationAlertDismissed), ctx, userID)
-}
-
 // GetUserTerminalFont mocks base method.
 func (m *MockStore) GetUserTerminalFont(ctx context.Context, userID uuid.UUID) (string, error) {
 	m.ctrl.T.Helper()
@@ -7220,21 +7174,6 @@ func (mr *MockStoreMockRecorder) UpdateUserStatus(ctx, arg any) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUserStatus", reflect.TypeOf((*MockStore)(nil).UpdateUserStatus), ctx, arg)
 }

-// UpdateUserTaskNotificationAlertDismissed mocks base method.
-func (m *MockStore) UpdateUserTaskNotificationAlertDismissed(ctx context.Context, arg database.UpdateUserTaskNotificationAlertDismissedParams) (bool, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "UpdateUserTaskNotificationAlertDismissed", ctx, arg)
-	ret0, _ := ret[0].(bool)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// UpdateUserTaskNotificationAlertDismissed indicates an expected call of UpdateUserTaskNotificationAlertDismissed.
-func (mr *MockStoreMockRecorder) UpdateUserTaskNotificationAlertDismissed(ctx, arg any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUserTaskNotificationAlertDismissed", reflect.TypeOf((*MockStore)(nil).UpdateUserTaskNotificationAlertDismissed), ctx, arg)
-}
-
 // UpdateUserTerminalFont mocks base method.
 func (m *MockStore) UpdateUserTerminalFont(ctx context.Context, arg database.UpdateUserTerminalFontParams) (database.UserConfig, error) {
 	m.ctrl.T.Helper()
@@ -18,16 +18,13 @@ import (
 )

 const (
-	delay = 10 * time.Minute
+	delay          = 10 * time.Minute
+	maxAgentLogAge = 7 * 24 * time.Hour
 	// Connection events are now inserted into the `connection_logs` table.
-	// We'll slowly remove old connection events from the `audit_logs` table.
-	// The `connection_logs` table is purged based on the configured retention.
+	// We'll slowly remove old connection events from the `audit_logs` table,
+	// but we won't touch the `connection_logs` table.
 	maxAuditLogConnectionEventAge    = 90 * 24 * time.Hour // 90 days
 	auditLogConnectionEventBatchSize = 1000
-	// Batch size for connection log deletion.
-	connectionLogsBatchSize = 10000
-	// Batch size for audit log deletion.
-	auditLogsBatchSize = 10000
 	// Telemetry heartbeats are used to deduplicate events across replicas. We
 	// don't need to persist heartbeat rows for longer than 24 hours, as they
 	// are only used for deduplication across replicas. The time needs to be
@@ -65,14 +62,9 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, vals *coder
 				return nil
 			}

-			var purgedWorkspaceAgentLogs int64
-			workspaceAgentLogsRetention := vals.Retention.WorkspaceAgentLogs.Value()
-			if workspaceAgentLogsRetention > 0 {
-				deleteOldWorkspaceAgentLogsBefore := start.Add(-workspaceAgentLogsRetention)
-				purgedWorkspaceAgentLogs, err = tx.DeleteOldWorkspaceAgentLogs(ctx, deleteOldWorkspaceAgentLogsBefore)
-				if err != nil {
-					return xerrors.Errorf("failed to delete old workspace agent logs: %w", err)
-				}
+			deleteOldWorkspaceAgentLogsBefore := start.Add(-maxAgentLogAge)
+			if err := tx.DeleteOldWorkspaceAgentLogs(ctx, deleteOldWorkspaceAgentLogsBefore); err != nil {
+				return xerrors.Errorf("failed to delete old workspace agent logs: %w", err)
 			}
 			if err := tx.DeleteOldWorkspaceAgentStats(ctx); err != nil {
 				return xerrors.Errorf("failed to delete old workspace agent stats: %w", err)
@@ -86,24 +78,18 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, vals *coder
 			if err := tx.ExpirePrebuildsAPIKeys(ctx, dbtime.Time(start)); err != nil {
 				return xerrors.Errorf("failed to expire prebuilds user api keys: %w", err)
 			}
-
-			var expiredAPIKeys int64
-			apiKeysRetention := vals.Retention.APIKeys.Value()
-			if apiKeysRetention > 0 {
-				// Delete keys that have been expired for at least the retention period.
-				// A higher retention period allows the backend to return a more helpful
-				// error message when a user tries to use an expired key.
-				deleteExpiredKeysBefore := start.Add(-apiKeysRetention)
-				expiredAPIKeys, err = tx.DeleteExpiredAPIKeys(ctx, database.DeleteExpiredAPIKeysParams{
-					Before: dbtime.Time(deleteExpiredKeysBefore),
-					// There could be a lot of expired keys here, so set a limit to prevent
-					// this taking too long. This runs every 10 minutes, so it deletes
-					// ~1.5m keys per day at most.
-					LimitCount: 10000,
-				})
-				if err != nil {
-					return xerrors.Errorf("failed to delete expired api keys: %w", err)
-				}
+			expiredAPIKeys, err := tx.DeleteExpiredAPIKeys(ctx, database.DeleteExpiredAPIKeysParams{
+				// Leave expired keys for a week to allow the backend to know the difference
+				// between a 404 and an expired key. This purge code is just to bound the size of
+				// the table to something more reasonable.
+				Before: dbtime.Time(start.Add(time.Hour * 24 * 7 * -1)),
+				// There could be a lot of expired keys here, so set a limit to prevent this
+				// taking too long.
+				// This runs every 10 minutes, so it deletes ~1.5m keys per day at most.
+				LimitCount: 10000,
+			})
+			if err != nil {
+				return xerrors.Errorf("failed to delete expired api keys: %w", err)
 			}
 			deleteOldTelemetryLocksBefore := start.Add(-maxTelemetryHeartbeatAge)
 			if err := tx.DeleteOldTelemetryLocks(ctx, deleteOldTelemetryLocksBefore); err != nil {
@@ -118,49 +104,16 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, vals *coder
 				return xerrors.Errorf("failed to delete old audit log connection events: %w", err)
 			}

-			var purgedAIBridgeRecords int64
-			aibridgeRetention := vals.AI.BridgeConfig.Retention.Value()
-			if aibridgeRetention > 0 {
-				deleteAIBridgeRecordsBefore := start.Add(-aibridgeRetention)
-				// nolint:gocritic // Needs to run as aibridge context.
-				purgedAIBridgeRecords, err = tx.DeleteOldAIBridgeRecords(dbauthz.AsAIBridged(ctx), deleteAIBridgeRecordsBefore)
-				if err != nil {
-					return xerrors.Errorf("failed to delete old aibridge records: %w", err)
-				}
-			}
-
-			var purgedConnectionLogs int64
-			connectionLogsRetention := vals.Retention.ConnectionLogs.Value()
-			if connectionLogsRetention > 0 {
-				deleteConnectionLogsBefore := start.Add(-connectionLogsRetention)
-				purgedConnectionLogs, err = tx.DeleteOldConnectionLogs(ctx, database.DeleteOldConnectionLogsParams{
-					BeforeTime: deleteConnectionLogsBefore,
-					LimitCount: connectionLogsBatchSize,
-				})
-				if err != nil {
-					return xerrors.Errorf("failed to delete old connection logs: %w", err)
-				}
-			}
-
-			var purgedAuditLogs int64
-			auditLogsRetention := vals.Retention.AuditLogs.Value()
-			if auditLogsRetention > 0 {
-				deleteAuditLogsBefore := start.Add(-auditLogsRetention)
-				purgedAuditLogs, err = tx.DeleteOldAuditLogs(ctx, database.DeleteOldAuditLogsParams{
-					BeforeTime: deleteAuditLogsBefore,
-					LimitCount: auditLogsBatchSize,
-				})
-				if err != nil {
-					return xerrors.Errorf("failed to delete old audit logs: %w", err)
-				}
+			deleteAIBridgeRecordsBefore := start.Add(-vals.AI.BridgeConfig.Retention.Value())
+			// nolint:gocritic // Needs to run as aibridge context.
+			purgedAIBridgeRecords, err := tx.DeleteOldAIBridgeRecords(dbauthz.AsAIBridged(ctx), deleteAIBridgeRecordsBefore)
+			if err != nil {
+				return xerrors.Errorf("failed to delete old aibridge records: %w", err)
 			}

 			logger.Debug(ctx, "purged old database entries",
-				slog.F("workspace_agent_logs", purgedWorkspaceAgentLogs),
 				slog.F("expired_api_keys", expiredAPIKeys),
 				slog.F("aibridge_records", purgedAIBridgeRecords),
-				slog.F("connection_logs", purgedConnectionLogs),
-				slog.F("audit_logs", purgedAuditLogs),
 				slog.F("duration", clk.Since(start)),
 			)

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Atif Ali	5344570589	docs(ai-bridge): remove early access language from troubleshooting Complete the transition to GA by removing remaining early access reference in the troubleshooting section.	2025-11-26 14:44:06 +00:00
Atif Ali	baa1029b90	docs: change AI Bridge state from 'early access' to 'beta'	2025-11-26 19:10:33 +05:00