chore: switch agent gone response from 502 to 404 (backport #23090 ) (#23634 )

Backport of #23090 to `release/2.29`. When a user creates a workspace, opens the web terminal, then the workspace stops but the web terminal remains open, the web terminal will retry the connection. Coder would issue a HTTP 502 Bad Gateway response when this occurred because coderd could not connect to the workspace agent, however this is problematic as any load balancer sitting in front of Coder sees a 502 and thinks Coder is unhealthy. This PR changes the response to a HTTP 404 after internal discussion. Cherry-picked from merge commit c33812a430. The conflict in `coderd/workspaceapps/errors.go` was resolved by applying the status code change (502 → 404) while keeping the existing `RetryEnabled`/`DashboardURL` fields (the `Actions` refactor is not on this branch).
fix: prevent ui error when last org member is removed (#23017 )
2026-03-25 16:49:51 -04:00 · 2026-03-25 15:47:37 -04:00 · 2026-03-25 15:46:57 -04:00 · 2026-03-25 15:31:12 -04:00 · 2026-03-03 13:25:55 -05:00 · 2026-03-03 12:24:44 +01:00
276 changed files with 5774 additions and 9479 deletions
@@ -1,126 +0,0 @@
-# Coder Architecture
-
-This document provides an overview of Coder's architecture and core systems.
-
-## What is Coder?
-
-Coder is a platform for creating, managing, and using remote development environments (also known as Cloud Development Environments or CDEs). It leverages Terraform to define and provision these environments, which are referred to as "workspaces" within the project. The system is designed to be extensible, secure, and provide developers with a seamless remote development experience.
-
-## Core Architecture
-
-The heart of Coder is a control plane that orchestrates the creation and management of workspaces. This control plane interacts with separate Provisioner processes over gRPC to handle workspace builds. The Provisioners consume workspace definitions and use Terraform to create the actual infrastructure.
-
-The CLI package serves dual purposes - it can be used to launch the control plane itself and also provides client functionality for users to interact with an existing control plane instance. All user-facing frontend code is developed in TypeScript using React and lives in the `site/` directory.
-
-The database layer uses PostgreSQL with SQLC for generating type-safe database code. Database migrations are carefully managed to ensure both forward and backward compatibility through paired `.up.sql` and `.down.sql` files.
-
-## API Design
-
-Coder's API architecture combines REST and gRPC approaches. The REST API is defined in `coderd/coderd.go` and uses Chi for HTTP routing. This provides the primary interface for the frontend and external integrations.
-
-Internal communication with Provisioners occurs over gRPC, with service definitions maintained in `.proto` files. This separation allows for efficient binary communication with the components responsible for infrastructure management while providing a standard REST interface for human-facing applications.
-
-## Network Architecture
-
-Coder implements a secure networking layer based on Tailscale's Wireguard implementation. The `tailnet` package provides connectivity between workspace agents and clients through DERP (Designated Encrypted Relay for Packets) servers when direct connections aren't possible. This creates a secure overlay network allowing access to workspaces regardless of network topology, firewalls, or NAT configurations.
-
-### Tailnet and DERP System
-
-The networking system has three key components:
-
-1. **Tailnet**: An overlay network implemented in the `tailnet` package that provides secure, end-to-end encrypted connections between clients, the Coder server, and workspace agents.
-
-2. **DERP Servers**: These relay traffic when direct connections aren't possible. Coder provides several options:
-   - A built-in DERP server that runs on the Coder control plane
-   - Integration with Tailscale's global DERP infrastructure
-   - Support for custom DERP servers for lower latency or offline deployments
-
-3. **Direct Connections**: When possible, the system establishes peer-to-peer connections between clients and workspaces using STUN for NAT traversal. This requires both endpoints to send UDP traffic on ephemeral ports.
-
-### Workspace Proxies
-
-Workspace proxies (in the Enterprise edition) provide regional relay points for browser-based connections, reducing latency for geo-distributed teams. Key characteristics:
-
- Deployed as independent servers that authenticate with the Coder control plane
- Relay connections for SSH, workspace apps, port forwarding, and web terminals
- Do not make direct database connections
- Managed through the `coder wsproxy` commands
- Implemented primarily in the `enterprise/wsproxy/` package
-
-## Agent System
-
-The workspace agent runs within each provisioned workspace and provides core functionality including:
-
- SSH access to workspaces via the `agentssh` package
- Port forwarding
- Terminal connectivity via the `pty` package for pseudo-terminal support
- Application serving
- Healthcheck monitoring
- Resource usage reporting
-
-Agents communicate with the control plane using the tailnet system and authenticate using secure tokens.
-
-## Workspace Applications
-
-Workspace applications (or "apps") provide browser-based access to services running within workspaces. The system supports:
-
- HTTP(S) and WebSocket connections
- Path-based or subdomain-based access URLs
- Health checks to monitor application availability
- Different sharing levels (owner-only, authenticated users, or public)
- Custom icons and display settings
-
-The implementation is primarily in the `coderd/workspaceapps/` directory with components for URL generation, proxying connections, and managing application state.
-
-## Implementation Details
-
-The project structure separates frontend and backend concerns. React components and pages are organized in the `site/src/` directory, with Jest used for testing. The backend is primarily written in Go, with a strong emphasis on error handling patterns and test coverage.
-
-Database interactions are carefully managed through migrations in `coderd/database/migrations/` and queries in `coderd/database/queries/`. All new queries require proper database authorization (dbauthz) implementation to ensure that only users with appropriate permissions can access specific resources.
-
-## Authorization System
-
-The database authorization (dbauthz) system enforces fine-grained access control across all database operations. It uses role-based access control (RBAC) to validate user permissions before executing database operations. The `dbauthz` package wraps the database store and performs authorization checks before returning data. All database operations must pass through this layer to ensure security.
-
-## Testing Framework
-
-The codebase has a comprehensive testing approach with several key components:
-
-1. **Parallel Testing**: All tests must use `t.Parallel()` to run concurrently, which improves test suite performance and helps identify race conditions.
-
-2. **coderdtest Package**: This package in `coderd/coderdtest/` provides utilities for creating test instances of the Coder server, setting up test users and workspaces, and mocking external components.
-
-3. **Integration Tests**: Tests often span multiple components to verify system behavior, such as template creation, workspace provisioning, and agent connectivity.
-
-4. **Enterprise Testing**: Enterprise features have dedicated test utilities in the `coderdenttest` package.
-
-## Open Source and Enterprise Components
-
-The repository contains both open source and enterprise components:
-
- Enterprise code lives primarily in the `enterprise/` directory
- Enterprise features focus on governance, scalability (high availability), and advanced deployment options like workspace proxies
- The boundary between open source and enterprise is managed through a licensing system
- The same core codebase supports both editions, with enterprise features conditionally enabled
-
-## Development Philosophy
-
-Coder emphasizes clear error handling, with specific patterns required:
-
- Concise error messages that avoid phrases like "failed to"
- Wrapping errors with `%w` to maintain error chains
- Using sentinel errors with the "err" prefix (e.g., `errNotFound`)
-
-All tests should run in parallel using `t.Parallel()` to ensure efficient testing and expose potential race conditions. The codebase is rigorously linted with golangci-lint to maintain consistent code quality.
-
-Git contributions follow a standard format with commit messages structured as `type: <message>`, where type is one of `feat`, `fix`, or `chore`.
-
-## Development Workflow
-
-Development can be initiated using `scripts/develop.sh` to start the application after making changes. Database schema updates should be performed through the migration system using `create_migration.sh <name>` to generate migration files, with each `.up.sql` migration paired with a corresponding `.down.sql` that properly reverts all changes.
-
-If the development database gets into a bad state, it can be completely reset by removing the PostgreSQL data directory with `rm -rf .coderv2/postgres`. This will destroy all data in the development database, requiring you to recreate any test users, templates, or workspaces after restarting the application.
-
-Code generation for the database layer uses `coderd/database/generate.sh`, and developers should refer to `sqlc.yaml` for the appropriate style and patterns to follow when creating new queries or tables.
-
-The focus should always be on maintaining security through proper database authorization, clean error handling, and comprehensive test coverage to ensure the platform remains robust and reliable.
@@ -1 +0,0 @@
-AGENTS.md
@@ -0,0 +1,124 @@
+# Cursor Rules
+
+This project is called "Coder" - an application for managing remote development environments.
+
+Coder provides a platform for creating, managing, and using remote development environments (also known as Cloud Development Environments or CDEs). It leverages Terraform to define and provision these environments, which are referred to as "workspaces" within the project. The system is designed to be extensible, secure, and provide developers with a seamless remote development experience.
+
+## Core Architecture
+
+The heart of Coder is a control plane that orchestrates the creation and management of workspaces. This control plane interacts with separate Provisioner processes over gRPC to handle workspace builds. The Provisioners consume workspace definitions and use Terraform to create the actual infrastructure.
+
+The CLI package serves dual purposes - it can be used to launch the control plane itself and also provides client functionality for users to interact with an existing control plane instance. All user-facing frontend code is developed in TypeScript using React and lives in the `site/` directory.
+
+The database layer uses PostgreSQL with SQLC for generating type-safe database code. Database migrations are carefully managed to ensure both forward and backward compatibility through paired `.up.sql` and `.down.sql` files.
+
+## API Design
+
+Coder's API architecture combines REST and gRPC approaches. The REST API is defined in `coderd/coderd.go` and uses Chi for HTTP routing. This provides the primary interface for the frontend and external integrations.
+
+Internal communication with Provisioners occurs over gRPC, with service definitions maintained in `.proto` files. This separation allows for efficient binary communication with the components responsible for infrastructure management while providing a standard REST interface for human-facing applications.
+
+## Network Architecture
+
+Coder implements a secure networking layer based on Tailscale's Wireguard implementation. The `tailnet` package provides connectivity between workspace agents and clients through DERP (Designated Encrypted Relay for Packets) servers when direct connections aren't possible. This creates a secure overlay network allowing access to workspaces regardless of network topology, firewalls, or NAT configurations.
+
+### Tailnet and DERP System
+
+The networking system has three key components:
+
+1. **Tailnet**: An overlay network implemented in the `tailnet` package that provides secure, end-to-end encrypted connections between clients, the Coder server, and workspace agents.
+
+2. **DERP Servers**: These relay traffic when direct connections aren't possible. Coder provides several options:
+   - A built-in DERP server that runs on the Coder control plane
+   - Integration with Tailscale's global DERP infrastructure
+   - Support for custom DERP servers for lower latency or offline deployments
+
+3. **Direct Connections**: When possible, the system establishes peer-to-peer connections between clients and workspaces using STUN for NAT traversal. This requires both endpoints to send UDP traffic on ephemeral ports.
+
+### Workspace Proxies
+
+Workspace proxies (in the Enterprise edition) provide regional relay points for browser-based connections, reducing latency for geo-distributed teams. Key characteristics:
+
+- Deployed as independent servers that authenticate with the Coder control plane
+- Relay connections for SSH, workspace apps, port forwarding, and web terminals
+- Do not make direct database connections
+- Managed through the `coder wsproxy` commands
+- Implemented primarily in the `enterprise/wsproxy/` package
+
+## Agent System
+
+The workspace agent runs within each provisioned workspace and provides core functionality including:
+
+- SSH access to workspaces via the `agentssh` package
+- Port forwarding
+- Terminal connectivity via the `pty` package for pseudo-terminal support
+- Application serving
+- Healthcheck monitoring
+- Resource usage reporting
+
+Agents communicate with the control plane using the tailnet system and authenticate using secure tokens.
+
+## Workspace Applications
+
+Workspace applications (or "apps") provide browser-based access to services running within workspaces. The system supports:
+
+- HTTP(S) and WebSocket connections
+- Path-based or subdomain-based access URLs
+- Health checks to monitor application availability
+- Different sharing levels (owner-only, authenticated users, or public)
+- Custom icons and display settings
+
+The implementation is primarily in the `coderd/workspaceapps/` directory with components for URL generation, proxying connections, and managing application state.
+
+## Implementation Details
+
+The project structure separates frontend and backend concerns. React components and pages are organized in the `site/src/` directory, with Jest used for testing. The backend is primarily written in Go, with a strong emphasis on error handling patterns and test coverage.
+
+Database interactions are carefully managed through migrations in `coderd/database/migrations/` and queries in `coderd/database/queries/`. All new queries require proper database authorization (dbauthz) implementation to ensure that only users with appropriate permissions can access specific resources.
+
+## Authorization System
+
+The database authorization (dbauthz) system enforces fine-grained access control across all database operations. It uses role-based access control (RBAC) to validate user permissions before executing database operations. The `dbauthz` package wraps the database store and performs authorization checks before returning data. All database operations must pass through this layer to ensure security.
+
+## Testing Framework
+
+The codebase has a comprehensive testing approach with several key components:
+
+1. **Parallel Testing**: All tests must use `t.Parallel()` to run concurrently, which improves test suite performance and helps identify race conditions.
+
+2. **coderdtest Package**: This package in `coderd/coderdtest/` provides utilities for creating test instances of the Coder server, setting up test users and workspaces, and mocking external components.
+
+3. **Integration Tests**: Tests often span multiple components to verify system behavior, such as template creation, workspace provisioning, and agent connectivity.
+
+4. **Enterprise Testing**: Enterprise features have dedicated test utilities in the `coderdenttest` package.
+
+## Open Source and Enterprise Components
+
+The repository contains both open source and enterprise components:
+
+- Enterprise code lives primarily in the `enterprise/` directory
+- Enterprise features focus on governance, scalability (high availability), and advanced deployment options like workspace proxies
+- The boundary between open source and enterprise is managed through a licensing system
+- The same core codebase supports both editions, with enterprise features conditionally enabled
+
+## Development Philosophy
+
+Coder emphasizes clear error handling, with specific patterns required:
+
+- Concise error messages that avoid phrases like "failed to"
+- Wrapping errors with `%w` to maintain error chains
+- Using sentinel errors with the "err" prefix (e.g., `errNotFound`)
+
+All tests should run in parallel using `t.Parallel()` to ensure efficient testing and expose potential race conditions. The codebase is rigorously linted with golangci-lint to maintain consistent code quality.
+
+Git contributions follow a standard format with commit messages structured as `type: <message>`, where type is one of `feat`, `fix`, or `chore`.
+
+## Development Workflow
+
+Development can be initiated using `scripts/develop.sh` to start the application after making changes. Database schema updates should be performed through the migration system using `create_migration.sh <name>` to generate migration files, with each `.up.sql` migration paired with a corresponding `.down.sql` that properly reverts all changes.
+
+If the development database gets into a bad state, it can be completely reset by removing the PostgreSQL data directory with `rm -rf .coderv2/postgres`. This will destroy all data in the development database, requiring you to recreate any test users, templates, or workspaces after restarting the application.
+
+Code generation for the database layer uses `coderd/database/generate.sh`, and developers should refer to `sqlc.yaml` for the appropriate style and patterns to follow when creating new queries or tables.
+
+The focus should always be on maintaining security through proper database authorization, clean error handling, and comprehensive test coverage to ensure the platform remains robust and reliable.
@@ -11,4 +11,4 @@ runs:
          go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.34
          go install golang.org/x/tools/cmd/goimports@v0.31.0
          go install github.com/mikefarah/yq/v4@v4.44.3
-          go install go.uber.org/mock/mockgen@v0.5.0
+          go install go.uber.org/mock/mockgen@v0.6.0
@@ -4,7 +4,7 @@ description: |
 inputs:
  version:
    description: "The Go version to use."
-    default: "1.24.10"
+    default: "1.25.6"
  use-preinstalled-go:
    description: "Whether to use preinstalled Go."
    default: "false"
@@ -7,5 +7,5 @@ runs:
    - name: Install Terraform
      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
      with:
-        terraform_version: 1.13.4
+        terraform_version: 1.14.5
        terraform_wrapper: false
@@ -119,9 +119,9 @@ updates:
    commit-message:
      prefix: "chore"
    groups:
-      coder-modules:
+      coder:
        patterns:
-          - "coder/*/coder"
+          - "registry.coder.com/coder/*/coder"
    labels: []
    ignore:
      - dependency-name: "*"
@@ -35,12 +35,12 @@ jobs:
      tailnet-integration: ${{ steps.filter.outputs.tailnet-integration }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -124,7 +124,7 @@ jobs:
  #   runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
  #   steps:
  #     - name: Checkout
-  #       uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+  #       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
  #       with:
  #         fetch-depth: 1
  #         # See: https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
@@ -157,12 +157,12 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -191,7 +191,7 @@ jobs:

      # Check for any typos
      - name: Check for typos
-        uses: crate-ci/typos@2d0ce569feab1f8752f1dde43cc2f2aa53236e06 # v1.40.0
+        uses: crate-ci/typos@626c4bedb751ce0b7f03262ca97ddda9a076ae1c # v1.39.2
        with:
          config: .github/workflows/typos.toml

@@ -235,12 +235,12 @@ jobs:
    if: ${{ !cancelled() }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -292,12 +292,12 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -343,7 +343,7 @@ jobs:
          - windows-2022
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

@@ -369,7 +369,7 @@ jobs:
        uses: coder/setup-ramdisk-action@e1100847ab2d7bcd9d14bcda8f2d1b0f07b36f1b # v0.1.0

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -532,12 +532,12 @@ jobs:
    timeout-minutes: 25
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -581,12 +581,12 @@ jobs:
    timeout-minutes: 25
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -641,12 +641,12 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -668,12 +668,12 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -701,12 +701,12 @@ jobs:
    name: ${{ matrix.variant.name }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -781,12 +781,12 @@ jobs:
    if: needs.changes.outputs.site == 'true' || needs.changes.outputs.ci == 'true'
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # 👇 Ensures Chromatic can read your full git history
          fetch-depth: 0
@@ -802,7 +802,7 @@ jobs:
      # the check to pass. This is desired in PRs, but not in mainline.
      - name: Publish to Chromatic (non-mainline)
        if: github.ref != 'refs/heads/main' && github.repository_owner == 'coder'
-        uses: chromaui/action@4c20b95e9d3209ecfdf9cd6aace6bbde71ba1694 # v13.3.4
+        uses: chromaui/action@ac86f2ff0a458ffbce7b40698abd44c0fa34d4b6 # v13.3.3
        env:
          NODE_OPTIONS: "--max_old_space_size=4096"
          STORYBOOK: true
@@ -834,7 +834,7 @@ jobs:
      # infinitely "in progress" in mainline unless we re-review each build.
      - name: Publish to Chromatic (mainline)
        if: github.ref == 'refs/heads/main' && github.repository_owner == 'coder'
-        uses: chromaui/action@4c20b95e9d3209ecfdf9cd6aace6bbde71ba1694 # v13.3.4
+        uses: chromaui/action@ac86f2ff0a458ffbce7b40698abd44c0fa34d4b6 # v13.3.3
        env:
          NODE_OPTIONS: "--max_old_space_size=4096"
          STORYBOOK: true
@@ -862,12 +862,12 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # 0 is required here for version.sh to work.
          fetch-depth: 0
@@ -933,7 +933,7 @@ jobs:
    if: always()
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

@@ -971,7 +971,7 @@ jobs:
    steps:
      # Harden Runner doesn't work on macOS
      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -1053,12 +1053,12 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -1108,12 +1108,12 @@ jobs:
      IMAGE: ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -1505,12 +1505,12 @@ jobs:
    if: needs.changes.outputs.db == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -28,7 +28,6 @@ jobs:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Approve the PR
-        if: steps.metadata.outputs.package-ecosystem != 'github-actions'
        run: |
          echo "Approving $PR_URL"
          gh pr review --approve "$PR_URL"
@@ -37,7 +36,6 @@ jobs:
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

      - name: Enable auto-merge
-        if: steps.metadata.outputs.package-ecosystem != 'github-actions'
        run: |
          echo "Enabling auto-merge for $PR_URL"
          gh pr merge --auto --squash "$PR_URL"
@@ -47,11 +45,6 @@ jobs:

      - name: Send Slack notification
        run: |
-          if [ "$PACKAGE_ECOSYSTEM" = "github-actions" ]; then
-            STATUS_TEXT=":pr-opened: Dependabot opened PR #${PR_NUMBER} (GitHub Actions changes are not auto-merged)"
-          else
-            STATUS_TEXT=":pr-merged: Auto merge enabled for Dependabot PR #${PR_NUMBER}"
-          fi
          curl -X POST -H 'Content-type: application/json' \
          --data '{
            "username": "dependabot",
@@ -61,7 +54,7 @@ jobs:
                "type": "header",
                "text": {
                  "type": "plain_text",
-                  "text": "'"${STATUS_TEXT}"'",
+                  "text": ":pr-merged: Auto merge enabled for Dependabot PR #'"${PR_NUMBER}"'",
                  "emoji": true
                }
              },
@@ -91,7 +84,6 @@ jobs:
          }' "${{ secrets.DEPENDABOT_PRS_SLACK_WEBHOOK }}"
        env:
          SLACK_WEBHOOK: ${{ secrets.DEPENDABOT_PRS_SLACK_WEBHOOK }}
-          PACKAGE_ECOSYSTEM: ${{ steps.metadata.outputs.package-ecosystem }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_URL: ${{ github.event.pull_request.html_url }}
@@ -36,12 +36,12 @@ jobs:
      verdict: ${{ steps.check.outputs.verdict }} # DEPLOY or NOOP
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -65,12 +65,12 @@ jobs:
      packages: write # to retag image as dogfood
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -92,7 +92,7 @@ jobs:
        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1

      - name: Set up Flux CLI
-        uses: fluxcd/flux2/action@8454b02a32e48d775b9f563cb51fdcb1787b5b93 # v2.7.5
+        uses: fluxcd/flux2/action@b6e76ca2534f76dcb8dd94fb057cdfa923c3b641 # v2.7.3
        with:
          # Keep this and the github action up to date with the version of flux installed in dogfood cluster
          version: "2.7.0"
@@ -146,12 +146,12 @@ jobs:
    needs: deploy
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -162,7 +162,7 @@ jobs:
          } >> "${GITHUB_OUTPUT}"

      - name: Checkout create-task-action
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          path: ./.github/actions/create-task-action
@@ -38,12 +38,12 @@ jobs:
    if: github.repository_owner == 'coder'
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -23,14 +23,14 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

      - name: Setup Node
        uses: ./.github/actions/setup-node

-      - uses: tj-actions/changed-files@abdd2f68ea150cee8f236d4a9fb4e0f2491abf1b # v45.0.7
+      - uses: tj-actions/changed-files@70069877f29101175ed2b055d210fe8b1d54d7d7 # v45.0.7
        id: changed-files
        with:
          files: |
@@ -26,12 +26,12 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -125,12 +125,12 @@ jobs:
      id-token: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -27,7 +27,7 @@ jobs:
          - windows-2022
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

@@ -53,7 +53,7 @@ jobs:
        uses: coder/setup-ramdisk-action@e1100847ab2d7bcd9d14bcda8f2d1b0f07b36f1b # v0.1.0

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

@@ -19,7 +19,7 @@ jobs:
      packages: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

@@ -39,12 +39,12 @@ jobs:
      PR_OPEN: ${{ steps.check_pr.outputs.pr_open }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -76,12 +76,12 @@ jobs:
    runs-on: "ubuntu-latest"
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -184,7 +184,7 @@ jobs:
      pull-requests: write # needed for commenting on PRs
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

@@ -228,12 +228,12 @@ jobs:
      CODER_IMAGE_TAG: ${{ needs.get_info.outputs.CODER_IMAGE_TAG }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -288,7 +288,7 @@ jobs:
      PR_HOSTNAME: "pr${{ needs.get_info.outputs.PR_NUMBER }}.${{ secrets.PR_DEPLOYMENTS_DOMAIN }}"
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

@@ -337,7 +337,7 @@ jobs:
          kubectl create namespace "pr${PR_NUMBER}"

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -14,7 +14,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

@@ -65,7 +65,7 @@ jobs:
    steps:
      # Harden Runner doesn't work on macOS.
      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -164,12 +164,12 @@ jobs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -802,7 +802,7 @@ jobs:
      # TODO: skip this if it's not a new release (i.e. a backport). This is
      #       fine right now because it just makes a PR that we can close.
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

@@ -878,7 +878,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

@@ -888,7 +888,7 @@ jobs:
          GH_TOKEN: ${{ secrets.CDRCI_GITHUB_TOKEN }}

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -971,12 +971,12 @@ jobs:
    if: ${{ !inputs.dry_run }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          persist-credentials: false
@@ -20,12 +20,12 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: "Checkout code"
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -47,6 +47,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v3.29.5
+        uses: github/codeql-action/upload-sarif@014f16e7ab1402f30e7c3329d33797e7948572db # v3.29.5
        with:
          sarif_file: results.sarif
@@ -27,12 +27,12 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -40,7 +40,7 @@ jobs:
        uses: ./.github/actions/setup-go

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@fe4161a26a8629af62121b670040955b330f9af2 # v3.29.5
+        uses: github/codeql-action/init@014f16e7ab1402f30e7c3329d33797e7948572db # v3.29.5
        with:
          languages: go, javascript

@@ -50,7 +50,7 @@ jobs:
          rm Makefile

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@fe4161a26a8629af62121b670040955b330f9af2 # v3.29.5
+        uses: github/codeql-action/analyze@014f16e7ab1402f30e7c3329d33797e7948572db # v3.29.5

      - name: Send Slack notification on failure
        if: ${{ failure() }}
@@ -69,12 +69,12 @@ jobs:
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -97,7 +97,7 @@ jobs:
      - name: Install yq
        run: go run github.com/mikefarah/yq/v4@v4.44.3
      - name: Install mockgen
-        run: go install go.uber.org/mock/mockgen@v0.5.0
+        run: go install go.uber.org/mock/mockgen@v0.6.0
      - name: Install protoc-gen-go
        run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30
      - name: Install protoc-gen-go-drpc
@@ -146,7 +146,7 @@ jobs:
          echo "image=$(cat "$image_job")" >> "$GITHUB_OUTPUT"

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
+        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
        with:
          image-ref: ${{ steps.build.outputs.image }}
          format: sarif
@@ -154,7 +154,7 @@ jobs:
          severity: "CRITICAL,HIGH"

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v3.29.5
+        uses: github/codeql-action/upload-sarif@014f16e7ab1402f30e7c3329d33797e7948572db # v3.29.5
        with:
          sarif_file: trivy-results.sarif
          category: "Trivy"
@@ -18,7 +18,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

@@ -96,12 +96,12 @@ jobs:
      contents: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - name: Run delete-old-branches-action
@@ -120,7 +120,7 @@ jobs:
      actions: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

@@ -153,7 +153,7 @@ jobs:
          } >> "${GITHUB_OUTPUT}"

      - name: Checkout repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1
          path: ./.github/actions/create-task-action
@@ -21,12 +21,12 @@ jobs:
      pull-requests: write # required to post PR review comments by the action
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

@@ -90,9 +90,6 @@ __debug_bin*

 **/.claude/settings.local.json

-# Local agent configuration
-AGENTS.local.md
-
 /.env

 # Ignore plans written by AI agents.
@@ -140,53 +140,13 @@ seems like it should use `time.Sleep`, read through https://github.com/coder/qua
 - Follow [Uber Go Style Guide](https://github.com/uber-go/guide/blob/master/style.md)
 - Commit format: `type(scope): message`

-### Writing Comments
-
-Code comments should be clear, well-formatted, and add meaningful context.
-
-**Proper sentence structure**: Comments are sentences and should end with
-periods or other appropriate punctuation. This improves readability and
-maintains professional code standards.
-
-**Explain why, not what**: Good comments explain the reasoning behind code
-rather than describing what the code does. The code itself should be
-self-documenting through clear naming and structure. Focus your comments on
-non-obvious decisions, edge cases, or business logic that isn't immediately
-apparent from reading the implementation.
-
-**Line length and wrapping**: Keep comment lines to 80 characters wide
-(including the comment prefix like `//` or `#`). When a comment spans multiple
-lines, wrap it naturally at word boundaries rather than writing one sentence
-per line. This creates more readable, paragraph-like blocks of documentation.
-
-```go
-// Good: Explains the rationale with proper sentence structure.
-// We need a custom timeout here because workspace builds can take several
-// minutes on slow networks, and the default 30s timeout causes false
-// failures during initial template imports.
-ctx, cancel := context.WithTimeout(ctx, 5*time.Minute)
-
-// Bad: Describes what the code does without punctuation or wrapping
-// Set a custom timeout
-// Workspace builds can take a long time
-// Default timeout is too short
-ctx, cancel := context.WithTimeout(ctx, 5*time.Minute)
-```
-
 ## Detailed Development Guides

-@.claude/docs/ARCHITECTURE.md
@.claude/docs/OAUTH2.md
@.claude/docs/TESTING.md
@.claude/docs/TROUBLESHOOTING.md
@.claude/docs/DATABASE.md

-## Local Configuration
-
-These files may be gitignored, read manually if not auto-loaded.
-
-@AGENTS.local.md
-
 ## Common Pitfalls

 1. **Audit table errors** → Update `enterprise/audit/table.go`
@@ -69,6 +69,9 @@ MOST_GO_SRC_FILES := $(shell \
 # All the shell files in the repo, excluding ignored files.
 SHELL_SRC_FILES := $(shell find . $(FIND_EXCLUSIONS) -type f -name '*.sh')

+MIGRATION_FILES := $(shell find ./coderd/database/migrations/ -maxdepth 1 $(FIND_EXCLUSIONS) -type f -name '*.sql')
+FIXTURE_FILES := $(shell find ./coderd/database/migrations/testdata/fixtures/ $(FIND_EXCLUSIONS) -type f -name '*.sql')
+
 # Ensure we don't use the user's git configs which might cause side-effects
 GIT_FLAGS = GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_SYSTEM=/dev/null

@@ -561,7 +564,7 @@ endif

 # Note: we don't run zizmor in the lint target because it takes a while. CI
 #       runs it explicitly.
-lint: lint/shellcheck lint/go lint/ts lint/examples lint/helm lint/site-icons lint/markdown lint/actions/actionlint lint/check-scopes
+lint: lint/shellcheck lint/go lint/ts lint/examples lint/helm lint/site-icons lint/markdown lint/actions/actionlint lint/check-scopes lint/migrations
 .PHONY: lint

 lint/site-icons:
@@ -608,7 +611,9 @@ lint/actions/actionlint:
 .PHONY: lint/actions/actionlint

 lint/actions/zizmor:
-	./scripts/zizmor.sh \
+	# Using a token will use trivy, which is no longer supported.
+	# So disable any use of a token for this target.
+	GH_TOKEN="" ./scripts/zizmor.sh \
 		--strict-collection \
 		--persona=regular \
 		.
@@ -619,6 +624,12 @@ lint/check-scopes: coderd/database/dump.sql
 	go run ./scripts/check-scopes
 .PHONY: lint/check-scopes

+# Verify migrations do not hardcode the public schema.
+lint/migrations:
+	./scripts/check_pg_schema.sh "Migrations" $(MIGRATION_FILES)
+	./scripts/check_pg_schema.sh "Fixtures" $(FIXTURE_FILES)
+.PHONY: lint/migrations
+
 # All files generated by the database should be added here, and this can be used
 # as a target for jobs that need to run after the database is generated.
 DB_GEN_FILES := \
@@ -1576,8 +1576,8 @@ func (a *agent) createTailnet(
 				break
 			}
 			clog := a.logger.Named("speedtest").With(
-				slog.F("remote", conn.RemoteAddr()),
-				slog.F("local", conn.LocalAddr()))
+				slog.F("remote", conn.RemoteAddr().String()),
+				slog.F("local", conn.LocalAddr().String()))
 			clog.Info(ctx, "accepted conn")
 			wg.Add(1)
 			closed := make(chan struct{})
@@ -1,45 +0,0 @@
-package agent
-
-import (
-	"testing"
-
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/require"
-
-	"cdr.dev/slog"
-	"cdr.dev/slog/sloggers/slogtest"
-
-	"github.com/coder/coder/v2/agent/proto"
-	"github.com/coder/coder/v2/testutil"
-)
-
-// TestReportConnectionEmpty tests that reportConnection() doesn't choke if given an empty IP string, which is what we
-// send if we cannot get the remote address.
-func TestReportConnectionEmpty(t *testing.T) {
-	t.Parallel()
-	connID := uuid.UUID{1}
-	logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).Leveled(slog.LevelDebug)
-	ctx := testutil.Context(t, testutil.WaitShort)
-
-	uut := &agent{
-		hardCtx: ctx,
-		logger:  logger,
-	}
-	disconnected := uut.reportConnection(connID, proto.Connection_TYPE_UNSPECIFIED, "")
-
-	require.Len(t, uut.reportConnections, 1)
-	req0 := uut.reportConnections[0]
-	require.Equal(t, proto.Connection_TYPE_UNSPECIFIED, req0.GetConnection().GetType())
-	require.Equal(t, "", req0.GetConnection().Ip)
-	require.Equal(t, connID[:], req0.GetConnection().GetId())
-	require.Equal(t, proto.Connection_CONNECT, req0.GetConnection().GetAction())
-
-	disconnected(0, "because")
-	require.Len(t, uut.reportConnections, 2)
-	req1 := uut.reportConnections[1]
-	require.Equal(t, proto.Connection_TYPE_UNSPECIFIED, req1.GetConnection().GetType())
-	require.Equal(t, "", req1.GetConnection().Ip)
-	require.Equal(t, connID[:], req1.GetConnection().GetId())
-	require.Equal(t, proto.Connection_DISCONNECT, req1.GetConnection().GetAction())
-	require.Equal(t, "because", req1.GetConnection().GetReason())
-}
@@ -1039,10 +1039,6 @@ func (api *API) processUpdatedContainersLocked(ctx context.Context, updated code
 					logger.Error(ctx, "inject subagent into container failed", slog.Error(err))
 					dc.Error = err.Error()
 				} else {
-					// TODO(mafredri): Preserve the error from devcontainer
-					// up if it was a lifecycle script error. Currently
-					// this results in a brief flicker for the user if
-					// injection is fast, as the error is shown then erased.
 					dc.Error = ""
 				}
 			}
@@ -1351,41 +1347,27 @@ func (api *API) CreateDevcontainer(workspaceFolder, configPath string, opts ...D
 	upOptions := []DevcontainerCLIUpOptions{WithUpOutput(infoW, errW)}
 	upOptions = append(upOptions, opts...)

-	containerID, upErr := api.dccli.Up(ctx, dc.WorkspaceFolder, configPath, upOptions...)
-	if upErr != nil {
+	_, err := api.dccli.Up(ctx, dc.WorkspaceFolder, configPath, upOptions...)
+	if err != nil {
 		// No need to log if the API is closing (context canceled), as this
 		// is expected behavior when the API is shutting down.
-		if !errors.Is(upErr, context.Canceled) {
-			logger.Error(ctx, "devcontainer creation failed", slog.Error(upErr))
+		if !errors.Is(err, context.Canceled) {
+			logger.Error(ctx, "devcontainer creation failed", slog.Error(err))
 		}

-		// If we don't have a container ID, the error is fatal, so we
-		// should mark the devcontainer as errored and return.
-		if containerID == "" {
-			api.mu.Lock()
-			dc = api.knownDevcontainers[dc.WorkspaceFolder]
-			dc.Status = codersdk.WorkspaceAgentDevcontainerStatusError
-			dc.Error = upErr.Error()
-			api.knownDevcontainers[dc.WorkspaceFolder] = dc
-			api.recreateErrorTimes[dc.WorkspaceFolder] = api.clock.Now("agentcontainers", "recreate", "errorTimes")
-			api.broadcastUpdatesLocked()
-			api.mu.Unlock()
+		api.mu.Lock()
+		dc = api.knownDevcontainers[dc.WorkspaceFolder]
+		dc.Status = codersdk.WorkspaceAgentDevcontainerStatusError
+		dc.Error = err.Error()
+		api.knownDevcontainers[dc.WorkspaceFolder] = dc
+		api.recreateErrorTimes[dc.WorkspaceFolder] = api.clock.Now("agentcontainers", "recreate", "errorTimes")
+		api.mu.Unlock()

-			return xerrors.Errorf("start devcontainer: %w", upErr)
-		}
-
-		// If we have a container ID, it means the container was created
-		// but a lifecycle script (e.g. postCreateCommand) failed. In this
-		// case, we still want to refresh containers to pick up the new
-		// container, inject the agent, and allow the user to debug the
-		// issue. We store the error to surface it to the user.
-		logger.Warn(ctx, "devcontainer created with errors (e.g. lifecycle script failure), container is available",
-			slog.F("container_id", containerID),
-		)
-	} else {
-		logger.Info(ctx, "devcontainer created successfully")
+		return xerrors.Errorf("start devcontainer: %w", err)
 	}

+	logger.Info(ctx, "devcontainer created successfully")
+
 	api.mu.Lock()
 	dc = api.knownDevcontainers[dc.WorkspaceFolder]
 	// Update the devcontainer status to Running or Stopped based on the
@@ -1394,18 +1376,13 @@ func (api *API) CreateDevcontainer(workspaceFolder, configPath string, opts ...D
 	// to minimize the time between API consistency, we guess the status
 	// based on the container state.
 	dc.Status = codersdk.WorkspaceAgentDevcontainerStatusStopped
-	if dc.Container != nil && dc.Container.Running {
-		dc.Status = codersdk.WorkspaceAgentDevcontainerStatusRunning
+	if dc.Container != nil {
+		if dc.Container.Running {
+			dc.Status = codersdk.WorkspaceAgentDevcontainerStatusRunning
+		}
 	}
 	dc.Dirty = false
-	if upErr != nil {
-		// If there was a lifecycle script error but we have a container ID,
-		// the container is running so we should set the status to Running.
-		dc.Status = codersdk.WorkspaceAgentDevcontainerStatusRunning
-		dc.Error = upErr.Error()
-	} else {
-		dc.Error = ""
-	}
+	dc.Error = ""
 	api.recreateSuccessTimes[dc.WorkspaceFolder] = api.clock.Now("agentcontainers", "recreate", "successTimes")
 	api.knownDevcontainers[dc.WorkspaceFolder] = dc
 	api.broadcastUpdatesLocked()
@@ -234,8 +234,6 @@ func (w *fakeWatcher) sendEventWaitNextCalled(ctx context.Context, event fsnotif
 // fakeSubAgentClient implements SubAgentClient for testing purposes.
 type fakeSubAgentClient struct {
 	logger slog.Logger
-
-	mu     sync.Mutex // Protects following.
 	agents map[uuid.UUID]agentcontainers.SubAgent

 	listErrC   chan error // If set, send to return error, close to return nil.
@@ -256,8 +254,6 @@ func (m *fakeSubAgentClient) List(ctx context.Context) ([]agentcontainers.SubAge
 			}
 		}
 	}
-	m.mu.Lock()
-	defer m.mu.Unlock()
 	var agents []agentcontainers.SubAgent
 	for _, agent := range m.agents {
 		agents = append(agents, agent)
@@ -287,9 +283,6 @@ func (m *fakeSubAgentClient) Create(ctx context.Context, agent agentcontainers.S
 		return agentcontainers.SubAgent{}, xerrors.New("operating system must be set")
 	}

-	m.mu.Lock()
-	defer m.mu.Unlock()
-
 	for _, a := range m.agents {
 		if a.Name == agent.Name {
 			return agentcontainers.SubAgent{}, &pq.Error{
@@ -321,8 +314,6 @@ func (m *fakeSubAgentClient) Delete(ctx context.Context, id uuid.UUID) error {
 			}
 		}
 	}
-	m.mu.Lock()
-	defer m.mu.Unlock()
 	if m.agents == nil {
 		m.agents = make(map[uuid.UUID]agentcontainers.SubAgent)
 	}
@@ -2079,122 +2070,6 @@ func TestAPI(t *testing.T) {
 			require.Equal(t, "", response.Devcontainers[0].Error)
 		})

-		// This test verifies that when devcontainer up fails due to a
-		// lifecycle script error (such as postCreateCommand failing) but the
-		// container was successfully created, we still proceed with the
-		// devcontainer. The container should be available for use and the
-		// agent should be injected.
-		t.Run("DuringUpWithContainerID", func(t *testing.T) {
-			t.Parallel()
-
-			var (
-				ctx    = testutil.Context(t, testutil.WaitMedium)
-				logger = slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).Leveled(slog.LevelDebug)
-				mClock = quartz.NewMock(t)
-
-				testContainer = codersdk.WorkspaceAgentContainer{
-					ID:           "test-container-id",
-					FriendlyName: "test-container",
-					Image:        "test-image",
-					Running:      true,
-					CreatedAt:    time.Now(),
-					Labels: map[string]string{
-						agentcontainers.DevcontainerLocalFolderLabel: "/workspaces/project",
-						agentcontainers.DevcontainerConfigFileLabel:  "/workspaces/project/.devcontainer/devcontainer.json",
-					},
-				}
-				fCCLI = &fakeContainerCLI{
-					containers: codersdk.WorkspaceAgentListContainersResponse{
-						Containers: []codersdk.WorkspaceAgentContainer{testContainer},
-					},
-					arch: "amd64",
-				}
-				fDCCLI = &fakeDevcontainerCLI{
-					upID:   testContainer.ID,
-					upErrC: make(chan func() error, 1),
-				}
-				fSAC = &fakeSubAgentClient{
-					logger: logger.Named("fakeSubAgentClient"),
-				}
-
-				testDevcontainer = codersdk.WorkspaceAgentDevcontainer{
-					ID:              uuid.New(),
-					Name:            "test-devcontainer",
-					WorkspaceFolder: "/workspaces/project",
-					ConfigPath:      "/workspaces/project/.devcontainer/devcontainer.json",
-					Status:          codersdk.WorkspaceAgentDevcontainerStatusStopped,
-				}
-			)
-
-			mClock.Set(time.Now()).MustWait(ctx)
-			tickerTrap := mClock.Trap().TickerFunc("updaterLoop")
-			nowRecreateSuccessTrap := mClock.Trap().Now("recreate", "successTimes")
-
-			api := agentcontainers.NewAPI(logger,
-				agentcontainers.WithClock(mClock),
-				agentcontainers.WithContainerCLI(fCCLI),
-				agentcontainers.WithDevcontainerCLI(fDCCLI),
-				agentcontainers.WithDevcontainers(
-					[]codersdk.WorkspaceAgentDevcontainer{testDevcontainer},
-					[]codersdk.WorkspaceAgentScript{{ID: testDevcontainer.ID, LogSourceID: uuid.New()}},
-				),
-				agentcontainers.WithSubAgentClient(fSAC),
-				agentcontainers.WithSubAgentURL("test-subagent-url"),
-				agentcontainers.WithWatcher(watcher.NewNoop()),
-			)
-			api.Start()
-			defer func() {
-				close(fDCCLI.upErrC)
-				api.Close()
-			}()
-
-			r := chi.NewRouter()
-			r.Mount("/", api.Routes())
-
-			tickerTrap.MustWait(ctx).MustRelease(ctx)
-			tickerTrap.Close()
-
-			// Send a recreate request to trigger devcontainer up.
-			req := httptest.NewRequest(http.MethodPost, "/devcontainers/"+testDevcontainer.ID.String()+"/recreate", nil)
-			rec := httptest.NewRecorder()
-			r.ServeHTTP(rec, req)
-			require.Equal(t, http.StatusAccepted, rec.Code)
-
-			// Simulate a lifecycle script failure. The devcontainer CLI
-			// will return an error but also provide a container ID since
-			// the container was created before the script failed.
-			simulatedError := xerrors.New("postCreateCommand failed with exit code 1")
-			testutil.RequireSend(ctx, t, fDCCLI.upErrC, func() error { return simulatedError })
-
-			// Wait for the recreate operation to complete. We expect it to
-			// record a success time because the container was created.
-			nowRecreateSuccessTrap.MustWait(ctx).MustRelease(ctx)
-			nowRecreateSuccessTrap.Close()
-
-			// Advance the clock to run the devcontainer state update routine.
-			_, aw := mClock.AdvanceNext()
-			aw.MustWait(ctx)
-
-			req = httptest.NewRequest(http.MethodGet, "/", nil)
-			rec = httptest.NewRecorder()
-			r.ServeHTTP(rec, req)
-			require.Equal(t, http.StatusOK, rec.Code)
-
-			var response codersdk.WorkspaceAgentListContainersResponse
-			err := json.NewDecoder(rec.Body).Decode(&response)
-			require.NoError(t, err)
-
-			// Verify that the devcontainer is running and has the container
-			// associated with it despite the lifecycle script error. The
-			// error may be cleared during refresh if agent injection
-			// succeeds, but the important thing is that the container is
-			// available for use.
-			require.Len(t, response.Devcontainers, 1)
-			assert.Equal(t, codersdk.WorkspaceAgentDevcontainerStatusRunning, response.Devcontainers[0].Status)
-			require.NotNil(t, response.Devcontainers[0].Container)
-			assert.Equal(t, testContainer.ID, response.Devcontainers[0].Container.ID)
-		})
-
 		t.Run("DuringInjection", func(t *testing.T) {
 			t.Parallel()

@@ -263,14 +263,11 @@ func (d *devcontainerCLI) Up(ctx context.Context, workspaceFolder, configPath st
 	}

 	if err := cmd.Run(); err != nil {
-		result, err2 := parseDevcontainerCLILastLine[devcontainerCLIResult](ctx, logger, stdoutBuf.Bytes())
+		_, err2 := parseDevcontainerCLILastLine[devcontainerCLIResult](ctx, logger, stdoutBuf.Bytes())
 		if err2 != nil {
 			err = errors.Join(err, err2)
 		}
-		// Return the container ID if available, even if there was an error.
-		// This can happen if the container was created successfully but a
-		// lifecycle script (e.g. postCreateCommand) failed.
-		return result.ContainerID, err
+		return "", err
 	}

 	result, err := parseDevcontainerCLILastLine[devcontainerCLIResult](ctx, logger, stdoutBuf.Bytes())
@@ -278,13 +275,6 @@ func (d *devcontainerCLI) Up(ctx context.Context, workspaceFolder, configPath st
 		return "", err
 	}

-	// Check if the result indicates an error (e.g. lifecycle script failure)
-	// but still has a container ID, allowing the caller to potentially
-	// continue with the container that was created.
-	if err := result.Err(); err != nil {
-		return result.ContainerID, err
-	}
-
 	return result.ContainerID, nil
 }

@@ -404,10 +394,7 @@ func parseDevcontainerCLILastLine[T any](ctx context.Context, logger slog.Logger
 type devcontainerCLIResult struct {
 	Outcome string `json:"outcome"` // "error", "success".

-	// The following fields are typically set if outcome is success, but
-	// ContainerID may also be present when outcome is error if the
-	// container was created but a lifecycle script (e.g. postCreateCommand)
-	// failed.
+	// The following fields are set if outcome is success.
 	ContainerID           string `json:"containerId"`
 	RemoteUser            string `json:"remoteUser"`
 	RemoteWorkspaceFolder string `json:"remoteWorkspaceFolder"`
@@ -417,6 +404,18 @@ type devcontainerCLIResult struct {
 	Description string `json:"description"`
 }

+func (r *devcontainerCLIResult) UnmarshalJSON(data []byte) error {
+	type wrapperResult devcontainerCLIResult
+
+	var wrappedResult wrapperResult
+	if err := json.Unmarshal(data, &wrappedResult); err != nil {
+		return err
+	}
+
+	*r = devcontainerCLIResult(wrappedResult)
+	return r.Err()
+}
+
 func (r devcontainerCLIResult) Err() error {
 	if r.Outcome == "success" {
 		return nil
@@ -42,63 +42,56 @@ func TestDevcontainerCLI_ArgsAndParsing(t *testing.T) {
 		t.Parallel()

 		tests := []struct {
-			name            string
-			logFile         string
-			workspace       string
-			config          string
-			opts            []agentcontainers.DevcontainerCLIUpOptions
-			wantArgs        string
-			wantError       bool
-			wantContainerID bool // If true, expect a container ID even when wantError is true.
+			name      string
+			logFile   string
+			workspace string
+			config    string
+			opts      []agentcontainers.DevcontainerCLIUpOptions
+			wantArgs  string
+			wantError bool
 		}{
 			{
-				name:            "success",
-				logFile:         "up.log",
-				workspace:       "/test/workspace",
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace",
-				wantError:       false,
-				wantContainerID: true,
+				name:      "success",
+				logFile:   "up.log",
+				workspace: "/test/workspace",
+				wantArgs:  "up --log-format json --workspace-folder /test/workspace",
+				wantError: false,
 			},
 			{
-				name:            "success with config",
-				logFile:         "up.log",
-				workspace:       "/test/workspace",
-				config:          "/test/config.json",
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace --config /test/config.json",
-				wantError:       false,
-				wantContainerID: true,
+				name:      "success with config",
+				logFile:   "up.log",
+				workspace: "/test/workspace",
+				config:    "/test/config.json",
+				wantArgs:  "up --log-format json --workspace-folder /test/workspace --config /test/config.json",
+				wantError: false,
 			},
 			{
-				name:            "already exists",
-				logFile:         "up-already-exists.log",
-				workspace:       "/test/workspace",
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace",
-				wantError:       false,
-				wantContainerID: true,
+				name:      "already exists",
+				logFile:   "up-already-exists.log",
+				workspace: "/test/workspace",
+				wantArgs:  "up --log-format json --workspace-folder /test/workspace",
+				wantError: false,
 			},
 			{
-				name:            "docker error",
-				logFile:         "up-error-docker.log",
-				workspace:       "/test/workspace",
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace",
-				wantError:       true,
-				wantContainerID: false,
+				name:      "docker error",
+				logFile:   "up-error-docker.log",
+				workspace: "/test/workspace",
+				wantArgs:  "up --log-format json --workspace-folder /test/workspace",
+				wantError: true,
 			},
 			{
-				name:            "bad outcome",
-				logFile:         "up-error-bad-outcome.log",
-				workspace:       "/test/workspace",
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace",
-				wantError:       true,
-				wantContainerID: false,
+				name:      "bad outcome",
+				logFile:   "up-error-bad-outcome.log",
+				workspace: "/test/workspace",
+				wantArgs:  "up --log-format json --workspace-folder /test/workspace",
+				wantError: true,
 			},
 			{
-				name:            "does not exist",
-				logFile:         "up-error-does-not-exist.log",
-				workspace:       "/test/workspace",
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace",
-				wantError:       true,
-				wantContainerID: false,
+				name:      "does not exist",
+				logFile:   "up-error-does-not-exist.log",
+				workspace: "/test/workspace",
+				wantArgs:  "up --log-format json --workspace-folder /test/workspace",
+				wantError: true,
 			},
 			{
 				name:      "with remove existing container",
@@ -107,21 +100,8 @@ func TestDevcontainerCLI_ArgsAndParsing(t *testing.T) {
 				opts: []agentcontainers.DevcontainerCLIUpOptions{
 					agentcontainers.WithRemoveExistingContainer(),
 				},
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace --remove-existing-container",
-				wantError:       false,
-				wantContainerID: true,
-			},
-			{
-				// This test verifies that when a lifecycle script like
-				// postCreateCommand fails, the CLI returns both an error
-				// and a container ID. The caller can then proceed with
-				// agent injection into the created container.
-				name:            "lifecycle script failure with container",
-				logFile:         "up-error-lifecycle-script.log",
-				workspace:       "/test/workspace",
-				wantArgs:        "up --log-format json --workspace-folder /test/workspace",
-				wantError:       true,
-				wantContainerID: true,
+				wantArgs:  "up --log-format json --workspace-folder /test/workspace --remove-existing-container",
+				wantError: false,
 			},
 		}

@@ -142,13 +122,10 @@ func TestDevcontainerCLI_ArgsAndParsing(t *testing.T) {
 				containerID, err := dccli.Up(ctx, tt.workspace, tt.config, tt.opts...)
 				if tt.wantError {
 					assert.Error(t, err, "want error")
+					assert.Empty(t, containerID, "expected empty container ID")
 				} else {
 					assert.NoError(t, err, "want no error")
-				}
-				if tt.wantContainerID {
 					assert.NotEmpty(t, containerID, "expected non-empty container ID")
-				} else {
-					assert.Empty(t, containerID, "expected empty container ID")
 				}
 			})
 		}
@@ -99,7 +99,10 @@ func (c *Client) SyncReady(ctx context.Context, unitName unit.ID) (bool, error)
 	resp, err := c.client.SyncReady(ctx, &proto.SyncReadyRequest{
 		Unit: string(unitName),
 	})
-	return resp.Ready, err
+	if err != nil {
+		return false, xerrors.Errorf("sync ready: %w", err)
+	}
+	return resp.Ready, nil
 }

 // SyncStatus gets the status of a unit and its dependencies.
@@ -391,19 +391,10 @@ func (s *Server) sessionHandler(session ssh.Session) {
 	env := session.Environ()
 	magicType, magicTypeRaw, env := extractMagicSessionType(env)

-	// It's not safe to assume RemoteAddr() returns a non-nil value. slog.F usage is fine because it correctly
-	// handles nil.
-	// c.f. https://github.com/coder/internal/issues/1143
-	remoteAddr := session.RemoteAddr()
-	remoteAddrString := ""
-	if remoteAddr != nil {
-		remoteAddrString = remoteAddr.String()
-	}
-
 	if !s.trackSession(session, true) {
 		reason := "unable to accept new session, server is closing"
 		// Report connection attempt even if we couldn't accept it.
-		disconnected := s.config.ReportConnection(id, magicType, remoteAddrString)
+		disconnected := s.config.ReportConnection(id, magicType, session.RemoteAddr().String())
 		defer disconnected(1, reason)

 		logger.Info(ctx, reason)
@@ -438,7 +429,7 @@ func (s *Server) sessionHandler(session ssh.Session) {
 		scr := &sessionCloseTracker{Session: session}
 		session = scr

-		disconnected := s.config.ReportConnection(id, magicType, remoteAddrString)
+		disconnected := s.config.ReportConnection(id, magicType, session.RemoteAddr().String())
 		defer func() {
 			disconnected(scr.exitCode(), reason)
 		}()
@@ -176,7 +176,7 @@ func (x *x11Forwarder) listenForConnections(
 		var originPort uint32

 		if tcpConn, ok := conn.(*net.TCPConn); ok {
-			if tcpAddr, ok := tcpConn.LocalAddr().(*net.TCPAddr); ok && tcpAddr != nil {
+			if tcpAddr, ok := tcpConn.LocalAddr().(*net.TCPAddr); ok {
 				originAddr = tcpAddr.IP.String()
 				// #nosec G115 - Safe conversion as TCP port numbers are within uint32 range (0-65535)
 				originPort = uint32(tcpAddr.Port)
@@ -4,6 +4,8 @@ import (
 	"os"

 	"github.com/hashicorp/go-reap"
+
+	"cdr.dev/slog"
 )

 type Option func(o *options)
@@ -34,8 +36,15 @@ func WithCatchSignals(sigs ...os.Signal) Option {
 	}
 }

+func WithLogger(logger slog.Logger) Option {
+	return func(o *options) {
+		o.Logger = logger
+	}
+}
+
 type options struct {
 	ExecArgs     []string
 	PIDs         reap.PidCh
 	CatchSignals []os.Signal
+	Logger       slog.Logger
 }
@@ -7,6 +7,6 @@ func IsInitProcess() bool {
 	return false
 }

-func ForkReap(_ ...Option) error {
-	return nil
+func ForkReap(_ ...Option) (int, error) {
+	return 0, nil
 }
@@ -32,12 +32,13 @@ func TestReap(t *testing.T) {
 	}

 	pids := make(reap.PidCh, 1)
-	err := reaper.ForkReap(
+	exitCode, err := reaper.ForkReap(
 		reaper.WithPIDCallback(pids),
 		// Provide some argument that immediately exits.
 		reaper.WithExecArgs("/bin/sh", "-c", "exit 0"),
 	)
 	require.NoError(t, err)
+	require.Equal(t, 0, exitCode)

 	cmd := exec.Command("tail", "-f", "/dev/null")
 	err = cmd.Start()
@@ -65,6 +66,36 @@ func TestReap(t *testing.T) {
 	}
 }

+//nolint:paralleltest
+func TestForkReapExitCodes(t *testing.T) {
+	if testutil.InCI() {
+		t.Skip("Detected CI, skipping reaper tests")
+	}
+
+	tests := []struct {
+		name         string
+		command      string
+		expectedCode int
+	}{
+		{"exit 0", "exit 0", 0},
+		{"exit 1", "exit 1", 1},
+		{"exit 42", "exit 42", 42},
+		{"exit 255", "exit 255", 255},
+		{"SIGKILL", "kill -9 $$", 128 + 9},
+		{"SIGTERM", "kill -15 $$", 128 + 15},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			exitCode, err := reaper.ForkReap(
+				reaper.WithExecArgs("/bin/sh", "-c", tt.command),
+			)
+			require.NoError(t, err)
+			require.Equal(t, tt.expectedCode, exitCode, "exit code mismatch for %q", tt.command)
+		})
+	}
+}
+
 //nolint:paralleltest // Signal handling.
 func TestReapInterrupt(t *testing.T) {
 	// Don't run the reaper test in CI. It does weird
@@ -84,13 +115,17 @@ func TestReapInterrupt(t *testing.T) {
 	defer signal.Stop(usrSig)

 	go func() {
-		errC <- reaper.ForkReap(
+		exitCode, err := reaper.ForkReap(
 			reaper.WithPIDCallback(pids),
 			reaper.WithCatchSignals(os.Interrupt),
 			// Signal propagation does not extend to children of children, so
 			// we create a little bash script to ensure sleep is interrupted.
 			reaper.WithExecArgs("/bin/sh", "-c", fmt.Sprintf("pid=0; trap 'kill -USR2 %d; kill -TERM $pid' INT; sleep 10 &\npid=$!; kill -USR1 %d; wait", os.Getpid(), os.Getpid())),
 		)
+		// The child exits with 128 + SIGTERM (15) = 143, but the trap catches
+		// SIGINT and sends SIGTERM to the sleep process, so exit code varies.
+		_ = exitCode
+		errC <- err
 	}()

 	require.Equal(t, <-usrSig, syscall.SIGUSR1)
@@ -3,12 +3,15 @@
 package reaper

 import (
+	"context"
 	"os"
 	"os/signal"
 	"syscall"

 	"github.com/hashicorp/go-reap"
 	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
 )

 // IsInitProcess returns true if the current process's PID is 1.
@@ -16,7 +19,7 @@ func IsInitProcess() bool {
 	return os.Getpid() == 1
 }

-func catchSignals(pid int, sigs []os.Signal) {
+func catchSignals(logger slog.Logger, pid int, sigs []os.Signal) {
 	if len(sigs) == 0 {
 		return
 	}
@@ -25,10 +28,19 @@ func catchSignals(pid int, sigs []os.Signal) {
 	signal.Notify(sc, sigs...)
 	defer signal.Stop(sc)

+	logger.Info(context.Background(), "reaper catching signals",
+		slog.F("signals", sigs),
+		slog.F("child_pid", pid),
+	)
+
 	for {
 		s := <-sc
 		sig, ok := s.(syscall.Signal)
 		if ok {
+			logger.Info(context.Background(), "reaper caught signal, killing child process",
+				slog.F("signal", sig.String()),
+				slog.F("child_pid", pid),
+			)
 			_ = syscall.Kill(pid, sig)
 		}
 	}
@@ -40,7 +52,10 @@ func catchSignals(pid int, sigs []os.Signal) {
 // the reaper and an exec.Command waiting for its process to complete.
 // The provided 'pids' channel may be nil if the caller does not care about the
 // reaped children PIDs.
-func ForkReap(opt ...Option) error {
+//
+// Returns the child's exit code (using 128+signal for signal termination)
+// and any error from Wait4.
+func ForkReap(opt ...Option) (int, error) {
 	opts := &options{
 		ExecArgs: os.Args,
 	}
@@ -53,7 +68,7 @@ func ForkReap(opt ...Option) error {

 	pwd, err := os.Getwd()
 	if err != nil {
-		return xerrors.Errorf("get wd: %w", err)
+		return 1, xerrors.Errorf("get wd: %w", err)
 	}

 	pattrs := &syscall.ProcAttr{
@@ -72,15 +87,28 @@ func ForkReap(opt ...Option) error {
 	//#nosec G204
 	pid, err := syscall.ForkExec(opts.ExecArgs[0], opts.ExecArgs, pattrs)
 	if err != nil {
-		return xerrors.Errorf("fork exec: %w", err)
+		return 1, xerrors.Errorf("fork exec: %w", err)
 	}

-	go catchSignals(pid, opts.CatchSignals)
+	go catchSignals(opts.Logger, pid, opts.CatchSignals)

 	var wstatus syscall.WaitStatus
 	_, err = syscall.Wait4(pid, &wstatus, 0, nil)
 	for xerrors.Is(err, syscall.EINTR) {
 		_, err = syscall.Wait4(pid, &wstatus, 0, nil)
 	}
-	return err
+
+	// Convert wait status to exit code using standard Unix conventions:
+	// - Normal exit: use the exit code
+	// - Signal termination: use 128 + signal number
+	var exitCode int
+	switch {
+	case wstatus.Exited():
+		exitCode = wstatus.ExitStatus()
+	case wstatus.Signaled():
+		exitCode = 128 + int(wstatus.Signal())
+	default:
+		exitCode = 1
+	}
+	return exitCode, err
 }
@@ -74,21 +74,11 @@ func (s *Server) Serve(ctx, hardCtx context.Context, l net.Listener) (retErr err
 			break
 		}
 		clog := s.logger.With(
-			slog.F("remote", conn.RemoteAddr()),
-			slog.F("local", conn.LocalAddr()))
+			slog.F("remote", conn.RemoteAddr().String()),
+			slog.F("local", conn.LocalAddr().String()))
 		clog.Info(ctx, "accepted conn")
-
-		// It's not safe to assume RemoteAddr() returns a non-nil value. slog.F usage is fine because it correctly
-		// handles nil.
-		// c.f. https://github.com/coder/internal/issues/1143
-		remoteAddr := conn.RemoteAddr()
-		remoteAddrString := ""
-		if remoteAddr != nil {
-			remoteAddrString = remoteAddr.String()
-		}
-
 		wg.Add(1)
-		disconnected := s.reportConnection(uuid.New(), remoteAddrString)
+		disconnected := s.reportConnection(uuid.New(), conn.RemoteAddr().String())
 		closed := make(chan struct{})
 		go func() {
 			defer wg.Done()
@@ -9,6 +9,7 @@ import (
 	"net/http/pprof"
 	"net/url"
 	"os"
+	"os/signal"
 	"path/filepath"
 	"runtime"
 	"slices"
@@ -130,40 +131,29 @@ func workspaceAgent() *serpent.Command {

 				sinks = append(sinks, sloghuman.Sink(logWriter))
 				logger := inv.Logger.AppendSinks(sinks...).Leveled(slog.LevelDebug)
+				logger = logger.Named("reaper")

 				logger.Info(ctx, "spawning reaper process")
 				// Do not start a reaper on the child process. It's important
 				// to do this else we fork bomb ourselves.
 				//nolint:gocritic
 				args := append(os.Args, "--no-reap")
-				err := reaper.ForkReap(
+				exitCode, err := reaper.ForkReap(
 					reaper.WithExecArgs(args...),
 					reaper.WithCatchSignals(StopSignals...),
+					reaper.WithLogger(logger),
 				)
 				if err != nil {
 					logger.Error(ctx, "agent process reaper unable to fork", slog.Error(err))
 					return xerrors.Errorf("fork reap: %w", err)
 				}

-				logger.Info(ctx, "reaper process exiting")
-				return nil
+				logger.Info(ctx, "child process exited, propagating exit code",
+					slog.F("exit_code", exitCode),
+				)
+				return ExitError(exitCode, nil)
 			}

-			// Handle interrupt signals to allow for graceful shutdown,
-			// note that calling stopNotify disables the signal handler
-			// and the next interrupt will terminate the program (you
-			// probably want cancel instead).
-			//
-			// Note that we don't want to handle these signals in the
-			// process that runs as PID 1, that's why we do this after
-			// the reaper forked.
-			ctx, stopNotify := inv.SignalNotifyContext(ctx, StopSignals...)
-			defer stopNotify()
-
-			// DumpHandler does signal handling, so we call it after the
-			// reaper.
-			go DumpHandler(ctx, "agent")
-
 			logWriter := &clilog.LumberjackWriteCloseFixer{Writer: &lumberjack.Logger{
 				Filename: filepath.Join(logDir, "coder-agent.log"),
 				MaxSize:  5, // MB
@@ -176,6 +166,21 @@ func workspaceAgent() *serpent.Command {
 			sinks = append(sinks, sloghuman.Sink(logWriter))
 			logger := inv.Logger.AppendSinks(sinks...).Leveled(slog.LevelDebug)

+			// Handle interrupt signals to allow for graceful shutdown,
+			// note that calling stopNotify disables the signal handler
+			// and the next interrupt will terminate the program (you
+			// probably want cancel instead).
+			//
+			// Note that we also handle these signals in the
+			// process that runs as PID 1, mainly to forward it to the agent child
+			// so that it can shutdown gracefully.
+			ctx, stopNotify := logSignalNotifyContext(ctx, logger, StopSignals...)
+			defer stopNotify()
+
+			// DumpHandler does signal handling, so we call it after the
+			// reaper.
+			go DumpHandler(ctx, "agent")
+
 			version := buildinfo.Version()
 			logger.Info(ctx, "agent is starting now",
 				slog.F("url", agentAuth.agentURL),
@@ -557,3 +562,26 @@ func urlPort(u string) (int, error) {
 	}
 	return -1, xerrors.Errorf("invalid port: %s", u)
 }
+
+// logSignalNotifyContext is like signal.NotifyContext but logs the received
+// signal before canceling the context.
+func logSignalNotifyContext(parent context.Context, logger slog.Logger, signals ...os.Signal) (context.Context, context.CancelFunc) {
+	ctx, cancel := context.WithCancelCause(parent)
+	c := make(chan os.Signal, 1)
+	signal.Notify(c, signals...)
+
+	go func() {
+		select {
+		case sig := <-c:
+			logger.Info(ctx, "agent received signal", slog.F("signal", sig.String()))
+			cancel(xerrors.Errorf("signal: %s", sig.String()))
+		case <-ctx.Done():
+			logger.Info(ctx, "ctx canceled, stopping signal handler")
+		}
+	}()
+
+	return ctx, func() {
+		cancel(context.Canceled)
+		signal.Stop(c)
+	}
+}
@@ -152,13 +152,7 @@ func Agent(ctx context.Context, writer io.Writer, agentID uuid.UUID, opts AgentO
 				sw.Log(time.Time{}, codersdk.LogLevelInfo, "==> ℹ︎ To connect immediately, reconnect with --wait=no or CODER_SSH_WAIT=no, see --help for more information.")
 			}

-			err = func() error {
-				// In non-blocking mode, skip streaming logs.
-				// See: https://github.com/coder/coder/issues/13580
-				if !opts.Wait {
-					return nil
-				}
-
+			err = func() error { // Use func because of defer in for loop.
 				logStream, logsCloser, err := opts.FetchLogs(ctx, agent.ID, 0, follow)
 				if err != nil {
 					return xerrors.Errorf("fetch workspace agent startup logs: %w", err)
@@ -106,9 +106,6 @@ var _ OutputFormat = &tableFormat{}
 //
 // defaultColumns is optional and specifies the default columns to display. If
 // not specified, all columns are displayed by default.
-//
-// If the data is empty, an empty string is returned. Callers should check for
-// this and provide an appropriate message to the user.
 func TableFormat(out any, defaultColumns []string) OutputFormat {
 	v := reflect.Indirect(reflect.ValueOf(out))
 	if v.Kind() != reflect.Slice {
@@ -180,12 +180,6 @@ func DisplayTable(out any, sort string, filterColumns []string) (string, error)
 func renderTable(out any, sort string, headers table.Row, filterColumns []string) (string, error) {
 	v := reflect.Indirect(reflect.ValueOf(out))

-	// Return empty string for empty data. Callers should check for this
-	// and provide an appropriate message to the user.
-	if v.Kind() == reflect.Slice && v.Len() == 0 {
-		return "", nil
-	}
-
 	headers = filterHeaders(headers, filterColumns)
 	columnConfigs := createColumnConfigs(headers, filterColumns)

@@ -472,15 +472,6 @@ alice  1
 		require.NoError(t, err)
 		compareTables(t, expected, out)
 	})
-
-	t.Run("Empty", func(t *testing.T) {
-		t.Parallel()
-
-		var in []tableTest4
-		out, err := cliui.DisplayTable(in, "", nil)
-		require.NoError(t, err)
-		require.Empty(t, out)
-	})
 }

 // compareTables normalizes the incoming table lines
@@ -1559,15 +1559,6 @@ func (r *RootCmd) scaletestDashboard() *serpent.Command {
 			if err != nil {
 				return xerrors.Errorf("create tracer provider: %w", err)
 			}
-			tracer := tracerProvider.Tracer(scaletestTracerName)
-			outputs, err := output.parse()
-			if err != nil {
-				return xerrors.Errorf("could not parse --output flags")
-			}
-			reg := prometheus.NewRegistry()
-			prometheusSrvClose := ServeHandler(ctx, logger, promhttp.HandlerFor(reg, promhttp.HandlerOpts{}), prometheusFlags.Address, "prometheus")
-			defer prometheusSrvClose()
-
 			defer func() {
 				// Allow time for traces to flush even if command context is
 				// canceled. This is a no-op if tracing is not enabled.
@@ -1579,7 +1570,14 @@ func (r *RootCmd) scaletestDashboard() *serpent.Command {
 				_, _ = fmt.Fprintf(inv.Stderr, "Waiting %s for prometheus metrics to be scraped\n", prometheusFlags.Wait)
 				<-time.After(prometheusFlags.Wait)
 			}()
-
+			tracer := tracerProvider.Tracer(scaletestTracerName)
+			outputs, err := output.parse()
+			if err != nil {
+				return xerrors.Errorf("could not parse --output flags")
+			}
+			reg := prometheus.NewRegistry()
+			prometheusSrvClose := ServeHandler(ctx, logger, promhttp.HandlerFor(reg, promhttp.HandlerOpts{}), prometheusFlags.Address, "prometheus")
+			defer prometheusSrvClose()
 			metrics := dashboard.NewMetrics(reg)

 			th := harness.NewTestHarness(strategy.toStrategy(), cleanupStrategy.toStrategy())
@@ -84,15 +84,6 @@ func (r *RootCmd) scaletestPrebuilds() *serpent.Command {
 			if err != nil {
 				return xerrors.Errorf("create tracer provider: %w", err)
 			}
-			tracer := tracerProvider.Tracer(scaletestTracerName)
-
-			reg := prometheus.NewRegistry()
-			metrics := prebuilds.NewMetrics(reg)
-
-			logger := inv.Logger
-			prometheusSrvClose := ServeHandler(ctx, logger, promhttp.HandlerFor(reg, promhttp.HandlerOpts{}), prometheusFlags.Address, "prometheus")
-			defer prometheusSrvClose()
-
 			defer func() {
 				_, _ = fmt.Fprintln(inv.Stderr, "\nUploading traces...")
 				if err := closeTracing(ctx); err != nil {
@@ -101,6 +92,14 @@ func (r *RootCmd) scaletestPrebuilds() *serpent.Command {
 				_, _ = fmt.Fprintf(inv.Stderr, "Waiting %s for prometheus metrics to be scraped\n", prometheusFlags.Wait)
 				<-time.After(prometheusFlags.Wait)
 			}()
+			tracer := tracerProvider.Tracer(scaletestTracerName)
+
+			reg := prometheus.NewRegistry()
+			metrics := prebuilds.NewMetrics(reg)
+
+			logger := inv.Logger
+			prometheusSrvClose := ServeHandler(ctx, logger, promhttp.HandlerFor(reg, promhttp.HandlerOpts{}), prometheusFlags.Address, "prometheus")
+			defer prometheusSrvClose()

 			err = client.PutPrebuildsSettings(ctx, codersdk.PrebuildsSettings{
 				ReconciliationPaused: true,
@@ -139,12 +139,7 @@ func (r *RootCmd) list() *serpent.Command {
 				return err
 			}

-			out, err := formatter.Format(inv.Context(), res)
-			if err != nil {
-				return err
-			}
-
-			if out == "" {
+			if len(res) == 0 && formatter.FormatID() != cliui.JSONFormat().ID() {
 				pretty.Fprintf(inv.Stderr, cliui.DefaultStyles.Prompt, "No workspaces found! Create one:\n")
 				_, _ = fmt.Fprintln(inv.Stderr)
 				_, _ = fmt.Fprintln(inv.Stderr, "  "+pretty.Sprint(cliui.DefaultStyles.Code, "coder create <name>"))
@@ -152,6 +147,11 @@ func (r *RootCmd) list() *serpent.Command {
 				return nil
 			}

+			out, err := formatter.Format(inv.Context(), res)
+			if err != nil {
+				return err
+			}
+
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -170,11 +170,6 @@ func (r *RootCmd) listOrganizationMembers(orgContext *OrganizationContext) *serp
 				return err
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No organization members found.")
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -92,11 +92,6 @@ func (r *RootCmd) showOrganizationRoles(orgContext *OrganizationContext) *serpen
 				return err
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No organization roles found.")
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -110,11 +110,6 @@ func (r *RootCmd) provisionerJobsList() *serpent.Command {
 				return xerrors.Errorf("display provisioner daemons: %w", err)
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No provisioner jobs found.")
-				return nil
-			}
-
 			_, _ = fmt.Fprintln(inv.Stdout, out)

 			return nil
@@ -74,6 +74,11 @@ func (r *RootCmd) provisionerList() *serpent.Command {
 				return xerrors.Errorf("list provisioner daemons: %w", err)
 			}

+			if len(daemons) == 0 {
+				_, _ = fmt.Fprintln(inv.Stdout, "No provisioner daemons found")
+				return nil
+			}
+
 			var rows []provisionerDaemonRow
 			for _, daemon := range daemons {
 				rows = append(rows, provisionerDaemonRow{
@@ -87,11 +92,6 @@ func (r *RootCmd) provisionerList() *serpent.Command {
 				return xerrors.Errorf("display provisioner daemons: %w", err)
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No provisioner daemons found.")
-				return nil
-			}
-
 			_, _ = fmt.Fprintln(inv.Stdout, out)

 			return nil
@@ -129,11 +129,6 @@ func (r *RootCmd) scheduleShow() *serpent.Command {
 				return err
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No schedules found.")
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -87,6 +87,7 @@ func buildNumberOption(n *int64) serpent.Option {

 func (r *RootCmd) statePush() *serpent.Command {
 	var buildNumber int64
+	var noBuild bool
 	cmd := &serpent.Command{
 		Use:   "push <workspace> <file>",
 		Short: "Push a Terraform state file to a workspace.",
@@ -126,6 +127,16 @@ func (r *RootCmd) statePush() *serpent.Command {
 				return err
 			}

+			if noBuild {
+				// Update state directly without triggering a build.
+				err = client.UpdateWorkspaceBuildState(inv.Context(), build.ID, state)
+				if err != nil {
+					return err
+				}
+				_, _ = fmt.Fprintln(inv.Stdout, "State updated successfully.")
+				return nil
+			}
+
 			build, err = client.CreateWorkspaceBuild(inv.Context(), workspace.ID, codersdk.CreateWorkspaceBuildRequest{
 				TemplateVersionID: build.TemplateVersionID,
 				Transition:        build.Transition,
@@ -139,6 +150,12 @@ func (r *RootCmd) statePush() *serpent.Command {
 	}
 	cmd.Options = serpent.OptionSet{
 		buildNumberOption(&buildNumber),
+		{
+			Flag:          "no-build",
+			FlagShorthand: "n",
+			Description:   "Update the state without triggering a workspace build. Useful for state-only migrations.",
+			Value:         serpent.BoolOf(&noBuild),
+		},
 	}
 	return cmd
 }
@@ -2,6 +2,7 @@ package cli_test

 import (
 	"bytes"
+	"context"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -10,6 +11,7 @@ import (
 	"testing"

 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbfake"

 	"github.com/stretchr/testify/require"
@@ -158,4 +160,49 @@ func TestStatePush(t *testing.T) {
 		err := inv.Run()
 		require.NoError(t, err)
 	})
+
+	t.Run("NoBuild", func(t *testing.T) {
+		t.Parallel()
+		client, store := coderdtest.NewWithDatabase(t, nil)
+		owner := coderdtest.CreateFirstUser(t, client)
+		templateAdmin, taUser := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, rbac.RoleTemplateAdmin())
+		initialState := []byte("initial state")
+		r := dbfake.WorkspaceBuild(t, store, database.WorkspaceTable{
+			OrganizationID: owner.OrganizationID,
+			OwnerID:        taUser.ID,
+		}).
+			Seed(database.WorkspaceBuild{ProvisionerState: initialState}).
+			Do()
+		wantState := []byte("updated state")
+		stateFile, err := os.CreateTemp(t.TempDir(), "")
+		require.NoError(t, err)
+		_, err = stateFile.Write(wantState)
+		require.NoError(t, err)
+		err = stateFile.Close()
+		require.NoError(t, err)
+
+		inv, root := clitest.New(t, "state", "push", "--no-build", r.Workspace.Name, stateFile.Name())
+		clitest.SetupConfig(t, templateAdmin, root)
+		var stdout bytes.Buffer
+		inv.Stdout = &stdout
+		err = inv.Run()
+		require.NoError(t, err)
+		require.Contains(t, stdout.String(), "State updated successfully")
+
+		// Verify the state was updated by pulling it.
+		inv, root = clitest.New(t, "state", "pull", r.Workspace.Name)
+		var gotState bytes.Buffer
+		inv.Stdout = &gotState
+		clitest.SetupConfig(t, templateAdmin, root)
+		err = inv.Run()
+		require.NoError(t, err)
+		require.Equal(t, wantState, bytes.TrimSpace(gotState.Bytes()))
+
+		// Verify no new build was created.
+		builds, err := store.GetWorkspaceBuildsByWorkspaceID(dbauthz.AsSystemRestricted(context.Background()), database.GetWorkspaceBuildsByWorkspaceIDParams{
+			WorkspaceID: r.Workspace.ID,
+		})
+		require.NoError(t, err)
+		require.Len(t, builds, 1, "expected only the initial build, no new build should be created")
+	})
 }
@@ -157,6 +157,12 @@ func (r *RootCmd) taskList() *serpent.Command {
 				return nil
 			}

+			// If no rows and not JSON, show a friendly message.
+			if len(tasks) == 0 && formatter.FormatID() != cliui.JSONFormat().ID() {
+				_, _ = fmt.Fprintln(inv.Stderr, "No tasks found.")
+				return nil
+			}
+
 			rows := make([]taskListRow, len(tasks))
 			now := time.Now()
 			for i := range tasks {
@@ -167,10 +173,6 @@ func (r *RootCmd) taskList() *serpent.Command {
 			if err != nil {
 				return xerrors.Errorf("format tasks: %w", err)
 			}
-			if out == "" {
-				cliui.Infof(inv.Stderr, "No tasks found.")
-				return nil
-			}
 			_, _ = fmt.Fprintln(inv.Stdout, out)
 			return nil
 		},
@@ -59,11 +59,6 @@ func (r *RootCmd) taskLogs() *serpent.Command {
 				return xerrors.Errorf("format task logs: %w", err)
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No task logs found.")
-				return nil
-			}
-
 			_, _ = fmt.Fprintln(inv.Stdout, out)
 			return nil
 		},
@@ -30,18 +30,18 @@ func (r *RootCmd) templateList() *serpent.Command {
 				return err
 			}

+			if len(templates) == 0 {
+				_, _ = fmt.Fprintf(inv.Stderr, "%s No templates found! Create one:\n\n", Caret)
+				_, _ = fmt.Fprintln(inv.Stderr, color.HiMagentaString("  $ coder templates push <directory>\n"))
+				return nil
+			}
+
 			rows := templatesToRows(templates...)
 			out, err := formatter.Format(inv.Context(), rows)
 			if err != nil {
 				return err
 			}

-			if out == "" {
-				_, _ = fmt.Fprintf(inv.Stderr, "%s No templates found! Create one:\n\n", Caret)
-				_, _ = fmt.Fprintln(inv.Stderr, color.HiMagentaString("  $ coder templates push <directory>\n"))
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -106,7 +106,7 @@ func (r *RootCmd) templatePresetsList() *serpent.Command {
 			if len(presets) == 0 {
 				cliui.Infof(
 					inv.Stdout,
-					"No presets found for template %q and template-version %q.", template.Name, version.Name,
+					"No presets found for template %q and template-version %q.\n", template.Name, version.Name,
 				)
 				return nil
 			}
@@ -115,7 +115,7 @@ func (r *RootCmd) templatePresetsList() *serpent.Command {
 			if formatter.FormatID() == "table" {
 				cliui.Infof(
 					inv.Stdout,
-					"Showing presets for template %q and template version %q.", template.Name, version.Name,
+					"Showing presets for template %q and template version %q.\n", template.Name, version.Name,
 				)
 			}
 			rows := templatePresetsToRows(presets...)
@@ -124,11 +124,6 @@ func (r *RootCmd) templatePresetsList() *serpent.Command {
 				return xerrors.Errorf("render table: %w", err)
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No template presets found.")
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -121,11 +121,6 @@ func (r *RootCmd) templateVersionsList() *serpent.Command {
 				return xerrors.Errorf("render table: %w", err)
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No template versions found.")
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -696,33 +696,6 @@ updating, and deleting workspace resources.
          Number of provisioner daemons to create on start. If builds are stuck
          in queued state for a long time, consider increasing this.

-RETENTION OPTIONS: 
-Configure data retention policies for various database tables. Retention
-policies automatically purge old data to reduce database size and improve
-performance. Setting a retention duration to 0 disables automatic purging for
-that data type.
-
-      --api-keys-retention duration, $CODER_API_KEYS_RETENTION (default: 7d)
-          How long expired API keys are retained before being deleted. Keeping
-          expired keys allows the backend to return a more helpful error when a
-          user tries to use an expired key. Set to 0 to disable automatic
-          deletion of expired keys.
-
-      --audit-logs-retention duration, $CODER_AUDIT_LOGS_RETENTION (default: 0)
-          How long audit log entries are retained. Set to 0 to disable (keep
-          indefinitely). We advise keeping audit logs for at least a year, and
-          in accordance with your compliance requirements.
-
-      --connection-logs-retention duration, $CODER_CONNECTION_LOGS_RETENTION (default: 0)
-          How long connection log entries are retained. Set to 0 to disable
-          (keep indefinitely).
-
-      --workspace-agent-logs-retention duration, $CODER_WORKSPACE_AGENT_LOGS_RETENTION (default: 7d)
-          How long workspace agent logs are retained. Logs from non-latest
-          builds are deleted if the agent hasn't connected within this period.
-          Logs from the latest build are always retained. Set to 0 to disable
-          automatic deletion.
-
 TELEMETRY OPTIONS: 
 Telemetry is critical to our ability to improve Coder. We strip all personal
 information before sending data to our servers. Please only disable telemetry
@@ -9,5 +9,9 @@ OPTIONS:
  -b, --build int
          Specify a workspace build to target by name. Defaults to latest.

+  -n, --no-build bool
+          Update the state without triggering a workspace build. Useful for
+          state-only migrations.
+
 ———
 Run `coder --help` for a list of global options.
@@ -720,12 +720,25 @@ aibridge:
  # The base URL of the OpenAI API.
  # (default: https://api.openai.com/v1/, type: string)
  openai_base_url: https://api.openai.com/v1/
+  # The key to authenticate against the OpenAI API.
+  # (default: <unset>, type: string)
+  openai_key: ""
  # The base URL of the Anthropic API.
  # (default: https://api.anthropic.com/, type: string)
  anthropic_base_url: https://api.anthropic.com/
+  # The key to authenticate against the Anthropic API.
+  # (default: <unset>, type: string)
+  anthropic_key: ""
  # The AWS Bedrock API region.
  # (default: <unset>, type: string)
  bedrock_region: ""
+  # The access key to authenticate against the AWS Bedrock API.
+  # (default: <unset>, type: string)
+  bedrock_access_key: ""
+  # The access key secret to use with the access key to authenticate against the AWS
+  # Bedrock API.
+  # (default: <unset>, type: string)
+  bedrock_access_key_secret: ""
  # The model to use when making requests to the AWS Bedrock API.
  # (default: global.anthropic.claude-sonnet-4-5-20250929-v1:0, type: string)
  bedrock_model: global.anthropic.claude-sonnet-4-5-20250929-v1:0
@@ -742,27 +755,3 @@ aibridge:
  # (token, prompt, tool use).
  # (default: 60d, type: duration)
  retention: 1440h0m0s
-# Configure data retention policies for various database tables. Retention
-# policies automatically purge old data to reduce database size and improve
-# performance. Setting a retention duration to 0 disables automatic purging for
-# that data type.
-retention:
-  # How long audit log entries are retained. Set to 0 to disable (keep
-  # indefinitely). We advise keeping audit logs for at least a year, and in
-  # accordance with your compliance requirements.
-  # (default: 0, type: duration)
-  audit_logs: 0s
-  # How long connection log entries are retained. Set to 0 to disable (keep
-  # indefinitely).
-  # (default: 0, type: duration)
-  connection_logs: 0s
-  # How long expired API keys are retained before being deleted. Keeping expired
-  # keys allows the backend to return a more helpful error when a user tries to use
-  # an expired key. Set to 0 to disable automatic deletion of expired keys.
-  # (default: 7d, type: duration)
-  api_keys: 168h0m0s
-  # How long workspace agent logs are retained. Logs from non-latest builds are
-  # deleted if the agent hasn't connected within this period. Logs from the latest
-  # build are always retained. Set to 0 to disable automatic deletion.
-  # (default: 7d, type: duration)
-  workspace_agent_logs: 168h0m0s
@@ -246,6 +246,13 @@ func (r *RootCmd) listTokens() *serpent.Command {
 				return xerrors.Errorf("list tokens: %w", err)
 			}

+			if len(tokens) == 0 {
+				cliui.Infof(
+					inv.Stdout,
+					"No tokens found.\n",
+				)
+			}
+
 			displayTokens = make([]tokenListRow, len(tokens))

 			for i, token := range tokens {
@@ -257,11 +264,6 @@ func (r *RootCmd) listTokens() *serpent.Command {
 				return err
 			}

-			if out == "" {
-				cliui.Info(inv.Stderr, "No tokens found.")
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -34,7 +34,6 @@ func TestTokens(t *testing.T) {
 	clitest.SetupConfig(t, client, root)
 	buf := new(bytes.Buffer)
 	inv.Stdout = buf
-	inv.Stderr = buf
 	err := inv.WithContext(ctx).Run()
 	require.NoError(t, err)
 	res := buf.String()
@@ -58,11 +58,6 @@ func (r *RootCmd) userList() *serpent.Command {
 				return err
 			}

-			if out == "" {
-				cliui.Infof(inv.Stderr, "No users found.")
-				return nil
-			}
-
 			_, err = fmt.Fprintln(inv.Stdout, out)
 			return err
 		},
@@ -92,7 +92,7 @@ func (a *SubAgentAPI) CreateSubAgent(ctx context.Context, req *agentproto.Create
 		Name:                     agentName,
 		ResourceID:               parentAgent.ResourceID,
 		AuthToken:                uuid.New(),
-		AuthInstanceID:           parentAgent.AuthInstanceID,
+		AuthInstanceID:           sql.NullString{},
 		Architecture:             req.Architecture,
 		EnvironmentVariables:     pqtype.NullRawMessage{},
 		OperatingSystem:          req.OperatingSystem,
@@ -175,6 +175,52 @@ func TestSubAgentAPI(t *testing.T) {
 		}
 	})

+	// Context: https://github.com/coder/coder/pull/22196
+	t.Run("CreateSubAgentDoesNotInheritAuthInstanceID", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			log   = testutil.Logger(t)
+			clock = quartz.NewMock(t)
+
+			db, org     = newDatabaseWithOrg(t)
+			user, agent = newUserWithWorkspaceAgent(t, db, org)
+		)
+
+		// Given: The parent agent has an AuthInstanceID set
+		ctx := testutil.Context(t, testutil.WaitShort)
+		parentAgent, err := db.GetWorkspaceAgentByID(dbauthz.AsSystemRestricted(ctx), agent.ID)
+		require.NoError(t, err)
+		require.True(t, parentAgent.AuthInstanceID.Valid, "parent agent should have an AuthInstanceID")
+		require.NotEmpty(t, parentAgent.AuthInstanceID.String)
+
+		api := newAgentAPI(t, log, db, clock, user, org, agent)
+
+		// When: We create a sub agent
+		createResp, err := api.CreateSubAgent(ctx, &proto.CreateSubAgentRequest{
+			Name:            "sub-agent",
+			Directory:       "/workspaces/test",
+			Architecture:    "amd64",
+			OperatingSystem: "linux",
+		})
+		require.NoError(t, err)
+
+		subAgentID, err := uuid.FromBytes(createResp.Agent.Id)
+		require.NoError(t, err)
+
+		// Then: The sub-agent must NOT re-use the parent's AuthInstanceID.
+		subAgent, err := db.GetWorkspaceAgentByID(dbauthz.AsSystemRestricted(ctx), subAgentID)
+		require.NoError(t, err)
+		assert.False(t, subAgent.AuthInstanceID.Valid, "sub-agent should not have an AuthInstanceID")
+		assert.Empty(t, subAgent.AuthInstanceID.String, "sub-agent AuthInstanceID string should be empty")
+
+		// Double-check: looking up by the parent's instance ID must
+		// still return the parent, not the sub-agent.
+		lookedUp, err := db.GetWorkspaceAgentByInstanceID(dbauthz.AsSystemRestricted(ctx), parentAgent.AuthInstanceID.String)
+		require.NoError(t, err)
+		assert.Equal(t, parentAgent.ID, lookedUp.ID, "instance ID lookup should still return the parent agent")
+	})
+
 	type expectedAppError struct {
 		index int32
 		field string
@@ -10182,6 +10182,45 @@ const docTemplate = `{
                        }
                    }
                }
+            },
+            "put": {
+                "security": [
+                    {
+                        "CoderSessionToken": []
+                    }
+                ],
+                "consumes": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Builds"
+                ],
+                "summary": "Update workspace build state",
+                "operationId": "update-workspace-build-state",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "format": "uuid",
+                        "description": "Workspace build ID",
+                        "name": "workspacebuild",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "Request body",
+                        "name": "request",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.UpdateWorkspaceBuildStateRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "204": {
+                        "description": "No Content"
+                    }
+                }
            }
        },
        "/workspacebuilds/{workspacebuild}/timings": {
@@ -14302,9 +14341,6 @@ const docTemplate = `{
                "redirect_to_access_url": {
                    "type": "boolean"
                },
-                "retention": {
-                    "$ref": "#/definitions/codersdk.RetentionConfig"
-                },
                "scim_api_key": {
                    "type": "string"
                },
@@ -14761,10 +14797,6 @@ const docTemplate = `{
                "limit": {
                    "type": "integer"
                },
-                "soft_limit": {
-                    "description": "SoftLimit is the soft limit of the feature, and is only used for showing\nincluded limits in the dashboard. No license validation or warnings are\ngenerated from this value.",
-                    "type": "integer"
-                },
                "usage_period": {
                    "description": "UsagePeriod denotes that the usage is a counter that accumulates over\nthis period (and most likely resets with the issuance of the next\nlicense).\n\nThese dates are determined from the license that this entitlement comes\nfrom, see enterprise/coderd/license/license.go.\n\nOnly certain features set these fields:\n- FeatureManagedAgentLimit",
                    "allOf": [
@@ -17731,27 +17763,6 @@ const docTemplate = `{
                }
            }
        },
-        "codersdk.RetentionConfig": {
-            "type": "object",
-            "properties": {
-                "api_keys": {
-                    "description": "APIKeys controls how long expired API keys are retained before being deleted.\nKeys are only deleted if they have been expired for at least this duration.\nDefaults to 7 days to preserve existing behavior.",
-                    "type": "integer"
-                },
-                "audit_logs": {
-                    "description": "AuditLogs controls how long audit log entries are retained.\nSet to 0 to disable (keep indefinitely).",
-                    "type": "integer"
-                },
-                "connection_logs": {
-                    "description": "ConnectionLogs controls how long connection log entries are retained.\nSet to 0 to disable (keep indefinitely).",
-                    "type": "integer"
-                },
-                "workspace_agent_logs": {
-                    "description": "WorkspaceAgentLogs controls how long workspace agent logs are retained.\nLogs are deleted if the agent hasn't connected within this period.\nLogs from the latest build are always retained regardless of age.\nDefaults to 7 days to preserve existing behavior.",
-                    "type": "integer"
-                }
-            }
-        },
        "codersdk.Role": {
            "type": "object",
            "properties": {
@@ -19426,6 +19437,17 @@ const docTemplate = `{
                }
            }
        },
+        "codersdk.UpdateWorkspaceBuildStateRequest": {
+            "type": "object",
+            "properties": {
+                "state": {
+                    "type": "array",
+                    "items": {
+                        "type": "integer"
+                    }
+                }
+            }
+        },
        "codersdk.UpdateWorkspaceDormancy": {
            "type": "object",
            "properties": {
@@ -9014,6 +9014,41 @@
 						}
 					}
 				}
+			},
+			"put": {
+				"security": [
+					{
+						"CoderSessionToken": []
+					}
+				],
+				"consumes": ["application/json"],
+				"tags": ["Builds"],
+				"summary": "Update workspace build state",
+				"operationId": "update-workspace-build-state",
+				"parameters": [
+					{
+						"type": "string",
+						"format": "uuid",
+						"description": "Workspace build ID",
+						"name": "workspacebuild",
+						"in": "path",
+						"required": true
+					},
+					{
+						"description": "Request body",
+						"name": "request",
+						"in": "body",
+						"required": true,
+						"schema": {
+							"$ref": "#/definitions/codersdk.UpdateWorkspaceBuildStateRequest"
+						}
+					}
+				],
+				"responses": {
+					"204": {
+						"description": "No Content"
+					}
+				}
 			}
 		},
 		"/workspacebuilds/{workspacebuild}/timings": {
@@ -12886,9 +12921,6 @@
 				"redirect_to_access_url": {
 					"type": "boolean"
 				},
-				"retention": {
-					"$ref": "#/definitions/codersdk.RetentionConfig"
-				},
 				"scim_api_key": {
 					"type": "string"
 				},
@@ -13338,10 +13370,6 @@
 				"limit": {
 					"type": "integer"
 				},
-				"soft_limit": {
-					"description": "SoftLimit is the soft limit of the feature, and is only used for showing\nincluded limits in the dashboard. No license validation or warnings are\ngenerated from this value.",
-					"type": "integer"
-				},
 				"usage_period": {
 					"description": "UsagePeriod denotes that the usage is a counter that accumulates over\nthis period (and most likely resets with the issuance of the next\nlicense).\n\nThese dates are determined from the license that this entitlement comes\nfrom, see enterprise/coderd/license/license.go.\n\nOnly certain features set these fields:\n- FeatureManagedAgentLimit",
 					"allOf": [
@@ -16193,27 +16221,6 @@
 				}
 			}
 		},
-		"codersdk.RetentionConfig": {
-			"type": "object",
-			"properties": {
-				"api_keys": {
-					"description": "APIKeys controls how long expired API keys are retained before being deleted.\nKeys are only deleted if they have been expired for at least this duration.\nDefaults to 7 days to preserve existing behavior.",
-					"type": "integer"
-				},
-				"audit_logs": {
-					"description": "AuditLogs controls how long audit log entries are retained.\nSet to 0 to disable (keep indefinitely).",
-					"type": "integer"
-				},
-				"connection_logs": {
-					"description": "ConnectionLogs controls how long connection log entries are retained.\nSet to 0 to disable (keep indefinitely).",
-					"type": "integer"
-				},
-				"workspace_agent_logs": {
-					"description": "WorkspaceAgentLogs controls how long workspace agent logs are retained.\nLogs are deleted if the agent hasn't connected within this period.\nLogs from the latest build are always retained regardless of age.\nDefaults to 7 days to preserve existing behavior.",
-					"type": "integer"
-				}
-			}
-		},
 		"codersdk.Role": {
 			"type": "object",
 			"properties": {
@@ -17818,6 +17825,17 @@
 				}
 			}
 		},
+		"codersdk.UpdateWorkspaceBuildStateRequest": {
+			"type": "object",
+			"properties": {
+				"state": {
+					"type": "array",
+					"items": {
+						"type": "integer"
+					}
+				}
+			}
+		},
 		"codersdk.UpdateWorkspaceDormancy": {
 			"type": "object",
 			"properties": {
@@ -9,7 +9,6 @@ import (

 	"github.com/go-chi/chi/v5"
 	"github.com/google/uuid"
-	"github.com/moby/moby/pkg/namesgenerator"
 	"golang.org/x/xerrors"

 	"cdr.dev/slog"
@@ -23,6 +22,7 @@ import (
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/telemetry"
+	"github.com/coder/coder/v2/coderd/util/namesgenerator"
 	"github.com/coder/coder/v2/codersdk"
 )

@@ -102,7 +102,7 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 		}
 	}

-	tokenName := namesgenerator.GetRandomName(1)
+	tokenName := namesgenerator.NameDigitWith("_")

 	if len(createToken.TokenName) != 0 {
 		tokenName = createToken.TokenName
@@ -1501,6 +1501,7 @@ func New(options *Options) *API {
 			r.Get("/parameters", api.workspaceBuildParameters)
 			r.Get("/resources", api.workspaceBuildResourcesDeprecated)
 			r.Get("/state", api.workspaceBuildState)
+			r.Put("/state", api.workspaceBuildUpdateState)
 			r.Get("/timings", api.workspaceBuildTimings)
 		})
 		r.Route("/authcheck", func(r chi.Router) {
@@ -385,9 +385,9 @@ func TestCSRFExempt(t *testing.T) {
 		data, _ := io.ReadAll(resp.Body)
 		_ = resp.Body.Close()

-		// A StatusBadGateway means Coderd tried to proxy to the agent and failed because the agent
+		// A StatusNotFound means Coderd tried to proxy to the agent and failed because the agent
 		// was not there. This means CSRF did not block the app request, which is what we want.
-		require.Equal(t, http.StatusBadGateway, resp.StatusCode, "status code 500 is CSRF failure")
+		require.Equal(t, http.StatusNotFound, resp.StatusCode, "status code 500 is CSRF failure")
 		require.NotContains(t, string(data), "CSRF")
 	})
 }
@@ -11,7 +11,6 @@ import (
 	"testing"

 	"github.com/google/uuid"
-	"github.com/moby/moby/pkg/namesgenerator"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/xerrors"
@@ -22,6 +21,7 @@ import (
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/rbac/regosql"
+	"github.com/coder/coder/v2/coderd/util/namesgenerator"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/cryptorand"
 )
@@ -439,10 +439,10 @@ func RandomRBACObject() rbac.Object {
 		OrgID: uuid.NewString(),
 		Type:  randomRBACType(),
 		ACLUserList: map[string][]policy.Action{
-			namesgenerator.GetRandomName(1): {RandomRBACAction()},
+			namesgenerator.UniqueName(): {RandomRBACAction()},
 		},
 		ACLGroupList: map[string][]policy.Action{
-			namesgenerator.GetRandomName(1): {RandomRBACAction()},
+			namesgenerator.UniqueName(): {RandomRBACAction()},
 		},
 	}
 }
@@ -471,7 +471,7 @@ func RandomRBACSubject() rbac.Subject {
 	return rbac.Subject{
 		ID:     uuid.NewString(),
 		Roles:  rbac.RoleIdentifiers{rbac.RoleMember()},
-		Groups: []string{namesgenerator.GetRandomName(1)},
+		Groups: []string{namesgenerator.UniqueName()},
 		Scope:  rbac.ScopeAll,
 	}
 }
@@ -30,17 +30,17 @@ import (
 	"sync/atomic"
 	"testing"
 	"time"
-	"unicode"

 	"cloud.google.com/go/compute/metadata"
 	"github.com/fullsailor/pkcs7"
 	"github.com/go-chi/chi/v5"
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/google/uuid"
-	"github.com/moby/moby/pkg/namesgenerator"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 	"golang.org/x/xerrors"
 	"google.golang.org/api/idtoken"
 	"google.golang.org/api/option"
@@ -83,6 +83,8 @@ import (
 	"github.com/coder/coder/v2/coderd/schedule"
 	"github.com/coder/coder/v2/coderd/telemetry"
 	"github.com/coder/coder/v2/coderd/updatecheck"
+	"github.com/coder/coder/v2/coderd/usage"
+	"github.com/coder/coder/v2/coderd/util/namesgenerator"
 	"github.com/coder/coder/v2/coderd/util/ptr"
 	"github.com/coder/coder/v2/coderd/webpush"
 	"github.com/coder/coder/v2/coderd/workspaceapps"
@@ -102,6 +104,8 @@ import (
 	"github.com/coder/coder/v2/testutil"
 )

+const DefaultDERPMeshKey = "test-key"
+
 const defaultTestDaemonName = "test-daemon"

 type Options struct {
@@ -186,6 +190,7 @@ type Options struct {
 	TelemetryReporter                  telemetry.Reporter

 	ProvisionerdServerMetrics *provisionerdserver.Metrics
+	UsageInserter             usage.Inserter
 }

 // New constructs a codersdk client connected to an in-memory API instance.
@@ -266,6 +271,11 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 		}
 	}

+	var usageInserter *atomic.Pointer[usage.Inserter]
+	if options.UsageInserter != nil {
+		usageInserter = &atomic.Pointer[usage.Inserter]{}
+		usageInserter.Store(&options.UsageInserter)
+	}
 	if options.Database == nil {
 		options.Database, options.Pubsub = dbtestutil.NewDB(t)
 	}
@@ -499,8 +509,18 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 		stunAddresses = options.DeploymentValues.DERP.Server.STUNAddresses.Value()
 	}

-	derpServer := derp.NewServer(key.NewNode(), tailnet.Logger(options.Logger.Named("derp").Leveled(slog.LevelDebug)))
-	derpServer.SetMeshKey("test-key")
+	const derpMeshKey = "test-key"
+	// Technically AGPL coderd servers don't set this value, but it doesn't
+	// change any behavior. It's useful for enterprise tests.
+	err = options.Database.InsertDERPMeshKey(dbauthz.AsSystemRestricted(ctx), derpMeshKey) //nolint:gocritic // test
+	if !database.IsUniqueViolation(err, database.UniqueSiteConfigsKeyKey) {
+		require.NoError(t, err, "insert DERP mesh key")
+	}
+	var derpServer *derp.Server
+	if options.DeploymentValues.DERP.Server.Enable.Value() {
+		derpServer = derp.NewServer(key.NewNode(), tailnet.Logger(options.Logger.Named("derp").Leveled(slog.LevelDebug)))
+		derpServer.SetMeshKey(derpMeshKey)
+	}

 	// match default with cli default
 	if options.SSHKeygenAlgorithm == "" {
@@ -559,6 +579,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 			Database:                       options.Database,
 			Pubsub:                         options.Pubsub,
 			ExternalAuthConfigs:            options.ExternalAuthConfigs,
+			UsageInserter:                  usageInserter,

 			Auditor:                            options.Auditor,
 			ConnectionLogger:                   options.ConnectionLogger,
@@ -793,7 +814,7 @@ func AuthzUserSubject(user codersdk.User, orgID uuid.UUID) rbac.Subject {

 func createAnotherUserRetry(t testing.TB, client *codersdk.Client, organizationIDs []uuid.UUID, retries int, roles []rbac.RoleIdentifier, mutators ...func(r *codersdk.CreateUserRequestWithOrgs)) (*codersdk.Client, codersdk.User) {
 	req := codersdk.CreateUserRequestWithOrgs{
-		Email:           namesgenerator.GetRandomName(10) + "@coder.com",
+		Email:           namesgenerator.UniqueName() + "@coder.com",
 		Username:        RandomUsername(t),
 		Name:            RandomName(t),
 		Password:        "SomeSecurePassword!",
@@ -1557,37 +1578,15 @@ func NewAzureInstanceIdentity(t testing.TB, instanceID string) (x509.VerifyOptio
 		}
 }

-func RandomUsername(t testing.TB) string {
-	suffix, err := cryptorand.String(3)
-	require.NoError(t, err)
-	suffix = "-" + suffix
-	n := strings.ReplaceAll(namesgenerator.GetRandomName(10), "_", "-") + suffix
-	if len(n) > 32 {
-		n = n[:32-len(suffix)] + suffix
-	}
-	return n
+func RandomUsername(_ testing.TB) string {
+	return namesgenerator.UniqueNameWith("-")
 }

-func RandomName(t testing.TB) string {
-	var sb strings.Builder
-	var err error
-	ss := strings.Split(namesgenerator.GetRandomName(10), "_")
-	for si, s := range ss {
-		for ri, r := range s {
-			if ri == 0 {
-				_, err = sb.WriteRune(unicode.ToTitle(r))
-				require.NoError(t, err)
-			} else {
-				_, err = sb.WriteRune(r)
-				require.NoError(t, err)
-			}
-		}
-		if si < len(ss)-1 {
-			_, err = sb.WriteRune(' ')
-			require.NoError(t, err)
-		}
-	}
-	return sb.String()
+// RandomName returns a random name in title case (e.g. "Happy Einstein").
+func RandomName(_ testing.TB) string {
+	return cases.Title(language.English).String(
+		namesgenerator.NameWith(" "),
+	)
 }

 // Used to easily create an HTTP transport!
@@ -1,8 +1,11 @@
 package coderdtest_test

 import (
+	"strings"
 	"testing"
+	"unicode"

+	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"

 	"github.com/coder/coder/v2/coderd/coderdtest"
@@ -28,3 +31,22 @@ func TestNew(t *testing.T) {
 	_, _ = coderdtest.NewGoogleInstanceIdentity(t, "example", false)
 	_, _ = coderdtest.NewAWSInstanceIdentity(t, "an-instance")
 }
+
+func TestRandomName(t *testing.T) {
+	t.Parallel()
+
+	for range 10 {
+		name := coderdtest.RandomName(t)
+
+		require.NotEmpty(t, name, "name should not be empty")
+		require.NotContains(t, name, "_", "name should not contain underscores")
+
+		// Should be title cased (e.g., "Happy Einstein").
+		words := strings.Split(name, " ")
+		require.Len(t, words, 2, "name should have exactly two words")
+		for _, word := range words {
+			firstRune := []rune(word)[0]
+			require.True(t, unicode.IsUpper(firstRune), "word %q should start with uppercase letter", word)
+		}
+	}
+}
@@ -0,0 +1,44 @@
+package coderdtest
+
+import (
+	"context"
+	"sync"
+
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/usage"
+	"github.com/coder/coder/v2/coderd/usage/usagetypes"
+)
+
+var _ usage.Inserter = (*UsageInserter)(nil)
+
+type UsageInserter struct {
+	sync.Mutex
+	events []usagetypes.DiscreteEvent
+}
+
+func NewUsageInserter() *UsageInserter {
+	return &UsageInserter{
+		events: []usagetypes.DiscreteEvent{},
+	}
+}
+
+func (u *UsageInserter) InsertDiscreteUsageEvent(_ context.Context, _ database.Store, event usagetypes.DiscreteEvent) error {
+	u.Lock()
+	defer u.Unlock()
+	u.events = append(u.events, event)
+	return nil
+}
+
+func (u *UsageInserter) GetEvents() []usagetypes.DiscreteEvent {
+	u.Lock()
+	defer u.Unlock()
+	eventsCopy := make([]usagetypes.DiscreteEvent, len(u.events))
+	copy(eventsCopy, u.events)
+	return eventsCopy
+}
+
+func (u *UsageInserter) Reset() {
+	u.Lock()
+	defer u.Unlock()
+	u.events = []usagetypes.DiscreteEvent{}
+}
@@ -1732,7 +1732,7 @@ func (q *querier) DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx context.Contex
 	return q.db.DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx, arg)
 }

-func (q *querier) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int64, error) {
+func (q *querier) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int32, error) {
 	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceAibridgeInterception); err != nil {
 		return -1, err
 	}
@@ -1749,20 +1749,6 @@ func (q *querier) DeleteOldAuditLogConnectionEvents(ctx context.Context, thresho
 	return q.db.DeleteOldAuditLogConnectionEvents(ctx, threshold)
 }

-func (q *querier) DeleteOldAuditLogs(ctx context.Context, arg database.DeleteOldAuditLogsParams) (int64, error) {
-	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil {
-		return 0, err
-	}
-	return q.db.DeleteOldAuditLogs(ctx, arg)
-}
-
-func (q *querier) DeleteOldConnectionLogs(ctx context.Context, arg database.DeleteOldConnectionLogsParams) (int64, error) {
-	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil {
-		return 0, err
-	}
-	return q.db.DeleteOldConnectionLogs(ctx, arg)
-}
-
 func (q *querier) DeleteOldNotificationMessages(ctx context.Context) error {
 	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceNotificationMessage); err != nil {
 		return err
@@ -1784,9 +1770,9 @@ func (q *querier) DeleteOldTelemetryLocks(ctx context.Context, beforeTime time.T
 	return q.db.DeleteOldTelemetryLocks(ctx, beforeTime)
 }

-func (q *querier) DeleteOldWorkspaceAgentLogs(ctx context.Context, threshold time.Time) (int64, error) {
+func (q *querier) DeleteOldWorkspaceAgentLogs(ctx context.Context, threshold time.Time) error {
 	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil {
-		return 0, err
+		return err
 	}
 	return q.db.DeleteOldWorkspaceAgentLogs(ctx, threshold)
 }
@@ -324,10 +324,6 @@ func (s *MethodTestSuite) TestAuditLogs() {
 		dbm.EXPECT().DeleteOldAuditLogConnectionEvents(gomock.Any(), database.DeleteOldAuditLogConnectionEventsParams{}).Return(nil).AnyTimes()
 		check.Args(database.DeleteOldAuditLogConnectionEventsParams{}).Asserts(rbac.ResourceSystem, policy.ActionDelete)
 	}))
-	s.Run("DeleteOldAuditLogs", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
-		dbm.EXPECT().DeleteOldAuditLogs(gomock.Any(), database.DeleteOldAuditLogsParams{}).Return(int64(0), nil).AnyTimes()
-		check.Args(database.DeleteOldAuditLogsParams{}).Asserts(rbac.ResourceSystem, policy.ActionDelete)
-	}))
 }

 func (s *MethodTestSuite) TestConnectionLogs() {
@@ -359,10 +355,6 @@ func (s *MethodTestSuite) TestConnectionLogs() {
 		dbm.EXPECT().CountConnectionLogs(gomock.Any(), database.CountConnectionLogsParams{}).Return(int64(0), nil).AnyTimes()
 		check.Args(database.CountConnectionLogsParams{}, emptyPreparedAuthorized{}).Asserts(rbac.ResourceConnectionLog, policy.ActionRead)
 	}))
-	s.Run("DeleteOldConnectionLogs", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
-		dbm.EXPECT().DeleteOldConnectionLogs(gomock.Any(), database.DeleteOldConnectionLogsParams{}).Return(int64(0), nil).AnyTimes()
-		check.Args(database.DeleteOldConnectionLogsParams{}).Asserts(rbac.ResourceSystem, policy.ActionDelete)
-	}))
 }

 func (s *MethodTestSuite) TestFile() {
@@ -3227,7 +3219,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 	}))
 	s.Run("DeleteOldWorkspaceAgentLogs", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
 		t := time.Time{}
-		dbm.EXPECT().DeleteOldWorkspaceAgentLogs(gomock.Any(), t).Return(int64(0), nil).AnyTimes()
+		dbm.EXPECT().DeleteOldWorkspaceAgentLogs(gomock.Any(), t).Return(nil).AnyTimes()
 		check.Args(t).Asserts(rbac.ResourceSystem, policy.ActionDelete)
 	}))
 	s.Run("InsertWorkspaceAgentStats", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
@@ -4705,7 +4697,7 @@ func (s *MethodTestSuite) TestAIBridge() {

 	s.Run("DeleteOldAIBridgeRecords", s.Mocked(func(db *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
 		t := dbtime.Now()
-		db.EXPECT().DeleteOldAIBridgeRecords(gomock.Any(), t).Return(int64(0), nil).AnyTimes()
+		db.EXPECT().DeleteOldAIBridgeRecords(gomock.Any(), t).Return(int32(0), nil).AnyTimes()
 		check.Args(t).Asserts(rbac.ResourceAibridgeInterception, policy.ActionDelete)
 	}))
 }
@@ -396,7 +396,7 @@ func (m queryMetricsStore) DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx conte
 	return r0
 }

-func (m queryMetricsStore) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int64, error) {
+func (m queryMetricsStore) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int32, error) {
 	start := time.Now()
 	r0, r1 := m.s.DeleteOldAIBridgeRecords(ctx, beforeTime)
 	m.queryLatencies.WithLabelValues("DeleteOldAIBridgeRecords").Observe(time.Since(start).Seconds())
@@ -410,20 +410,6 @@ func (m queryMetricsStore) DeleteOldAuditLogConnectionEvents(ctx context.Context
 	return r0
 }

-func (m queryMetricsStore) DeleteOldAuditLogs(ctx context.Context, arg database.DeleteOldAuditLogsParams) (int64, error) {
-	start := time.Now()
-	r0, r1 := m.s.DeleteOldAuditLogs(ctx, arg)
-	m.queryLatencies.WithLabelValues("DeleteOldAuditLogs").Observe(time.Since(start).Seconds())
-	return r0, r1
-}
-
-func (m queryMetricsStore) DeleteOldConnectionLogs(ctx context.Context, arg database.DeleteOldConnectionLogsParams) (int64, error) {
-	start := time.Now()
-	r0, r1 := m.s.DeleteOldConnectionLogs(ctx, arg)
-	m.queryLatencies.WithLabelValues("DeleteOldConnectionLogs").Observe(time.Since(start).Seconds())
-	return r0, r1
-}
-
 func (m queryMetricsStore) DeleteOldNotificationMessages(ctx context.Context) error {
 	start := time.Now()
 	r0 := m.s.DeleteOldNotificationMessages(ctx)
@@ -445,11 +431,11 @@ func (m queryMetricsStore) DeleteOldTelemetryLocks(ctx context.Context, periodEn
 	return r0
 }

-func (m queryMetricsStore) DeleteOldWorkspaceAgentLogs(ctx context.Context, arg time.Time) (int64, error) {
+func (m queryMetricsStore) DeleteOldWorkspaceAgentLogs(ctx context.Context, arg time.Time) error {
 	start := time.Now()
-	r0, r1 := m.s.DeleteOldWorkspaceAgentLogs(ctx, arg)
+	r0 := m.s.DeleteOldWorkspaceAgentLogs(ctx, arg)
 	m.queryLatencies.WithLabelValues("DeleteOldWorkspaceAgentLogs").Observe(time.Since(start).Seconds())
-	return r0, r1
+	return r0
 }

 func (m queryMetricsStore) DeleteOldWorkspaceAgentStats(ctx context.Context) error {
@@ -725,10 +725,10 @@ func (mr *MockStoreMockRecorder) DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx
 }

 // DeleteOldAIBridgeRecords mocks base method.
-func (m *MockStore) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int64, error) {
+func (m *MockStore) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int32, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "DeleteOldAIBridgeRecords", ctx, beforeTime)
-	ret0, _ := ret[0].(int64)
+	ret0, _ := ret[0].(int32)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
@@ -753,36 +753,6 @@ func (mr *MockStoreMockRecorder) DeleteOldAuditLogConnectionEvents(ctx, arg any)
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteOldAuditLogConnectionEvents", reflect.TypeOf((*MockStore)(nil).DeleteOldAuditLogConnectionEvents), ctx, arg)
 }

-// DeleteOldAuditLogs mocks base method.
-func (m *MockStore) DeleteOldAuditLogs(ctx context.Context, arg database.DeleteOldAuditLogsParams) (int64, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DeleteOldAuditLogs", ctx, arg)
-	ret0, _ := ret[0].(int64)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// DeleteOldAuditLogs indicates an expected call of DeleteOldAuditLogs.
-func (mr *MockStoreMockRecorder) DeleteOldAuditLogs(ctx, arg any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteOldAuditLogs", reflect.TypeOf((*MockStore)(nil).DeleteOldAuditLogs), ctx, arg)
-}
-
-// DeleteOldConnectionLogs mocks base method.
-func (m *MockStore) DeleteOldConnectionLogs(ctx context.Context, arg database.DeleteOldConnectionLogsParams) (int64, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DeleteOldConnectionLogs", ctx, arg)
-	ret0, _ := ret[0].(int64)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// DeleteOldConnectionLogs indicates an expected call of DeleteOldConnectionLogs.
-func (mr *MockStoreMockRecorder) DeleteOldConnectionLogs(ctx, arg any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteOldConnectionLogs", reflect.TypeOf((*MockStore)(nil).DeleteOldConnectionLogs), ctx, arg)
-}
-
 // DeleteOldNotificationMessages mocks base method.
 func (m *MockStore) DeleteOldNotificationMessages(ctx context.Context) error {
 	m.ctrl.T.Helper()
@@ -826,12 +796,11 @@ func (mr *MockStoreMockRecorder) DeleteOldTelemetryLocks(ctx, periodEndingAtBefo
 }

 // DeleteOldWorkspaceAgentLogs mocks base method.
-func (m *MockStore) DeleteOldWorkspaceAgentLogs(ctx context.Context, threshold time.Time) (int64, error) {
+func (m *MockStore) DeleteOldWorkspaceAgentLogs(ctx context.Context, threshold time.Time) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "DeleteOldWorkspaceAgentLogs", ctx, threshold)
-	ret0, _ := ret[0].(int64)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
+	ret0, _ := ret[0].(error)
+	return ret0
 }

 // DeleteOldWorkspaceAgentLogs indicates an expected call of DeleteOldWorkspaceAgentLogs.
@@ -18,16 +18,13 @@ import (
 )

 const (
-	delay = 10 * time.Minute
+	delay          = 10 * time.Minute
+	maxAgentLogAge = 7 * 24 * time.Hour
 	// Connection events are now inserted into the `connection_logs` table.
-	// We'll slowly remove old connection events from the `audit_logs` table.
-	// The `connection_logs` table is purged based on the configured retention.
+	// We'll slowly remove old connection events from the `audit_logs` table,
+	// but we won't touch the `connection_logs` table.
 	maxAuditLogConnectionEventAge    = 90 * 24 * time.Hour // 90 days
 	auditLogConnectionEventBatchSize = 1000
-	// Batch size for connection log deletion.
-	connectionLogsBatchSize = 10000
-	// Batch size for audit log deletion.
-	auditLogsBatchSize = 10000
 	// Telemetry heartbeats are used to deduplicate events across replicas. We
 	// don't need to persist heartbeat rows for longer than 24 hours, as they
 	// are only used for deduplication across replicas. The time needs to be
@@ -65,14 +62,9 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, vals *coder
 				return nil
 			}

-			var purgedWorkspaceAgentLogs int64
-			workspaceAgentLogsRetention := vals.Retention.WorkspaceAgentLogs.Value()
-			if workspaceAgentLogsRetention > 0 {
-				deleteOldWorkspaceAgentLogsBefore := start.Add(-workspaceAgentLogsRetention)
-				purgedWorkspaceAgentLogs, err = tx.DeleteOldWorkspaceAgentLogs(ctx, deleteOldWorkspaceAgentLogsBefore)
-				if err != nil {
-					return xerrors.Errorf("failed to delete old workspace agent logs: %w", err)
-				}
+			deleteOldWorkspaceAgentLogsBefore := start.Add(-maxAgentLogAge)
+			if err := tx.DeleteOldWorkspaceAgentLogs(ctx, deleteOldWorkspaceAgentLogsBefore); err != nil {
+				return xerrors.Errorf("failed to delete old workspace agent logs: %w", err)
 			}
 			if err := tx.DeleteOldWorkspaceAgentStats(ctx); err != nil {
 				return xerrors.Errorf("failed to delete old workspace agent stats: %w", err)
@@ -86,24 +78,18 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, vals *coder
 			if err := tx.ExpirePrebuildsAPIKeys(ctx, dbtime.Time(start)); err != nil {
 				return xerrors.Errorf("failed to expire prebuilds user api keys: %w", err)
 			}
-
-			var expiredAPIKeys int64
-			apiKeysRetention := vals.Retention.APIKeys.Value()
-			if apiKeysRetention > 0 {
-				// Delete keys that have been expired for at least the retention period.
-				// A higher retention period allows the backend to return a more helpful
-				// error message when a user tries to use an expired key.
-				deleteExpiredKeysBefore := start.Add(-apiKeysRetention)
-				expiredAPIKeys, err = tx.DeleteExpiredAPIKeys(ctx, database.DeleteExpiredAPIKeysParams{
-					Before: dbtime.Time(deleteExpiredKeysBefore),
-					// There could be a lot of expired keys here, so set a limit to prevent
-					// this taking too long. This runs every 10 minutes, so it deletes
-					// ~1.5m keys per day at most.
-					LimitCount: 10000,
-				})
-				if err != nil {
-					return xerrors.Errorf("failed to delete expired api keys: %w", err)
-				}
+			expiredAPIKeys, err := tx.DeleteExpiredAPIKeys(ctx, database.DeleteExpiredAPIKeysParams{
+				// Leave expired keys for a week to allow the backend to know the difference
+				// between a 404 and an expired key. This purge code is just to bound the size of
+				// the table to something more reasonable.
+				Before: dbtime.Time(start.Add(time.Hour * 24 * 7 * -1)),
+				// There could be a lot of expired keys here, so set a limit to prevent this
+				// taking too long.
+				// This runs every 10 minutes, so it deletes ~1.5m keys per day at most.
+				LimitCount: 10000,
+			})
+			if err != nil {
+				return xerrors.Errorf("failed to delete expired api keys: %w", err)
 			}
 			deleteOldTelemetryLocksBefore := start.Add(-maxTelemetryHeartbeatAge)
 			if err := tx.DeleteOldTelemetryLocks(ctx, deleteOldTelemetryLocksBefore); err != nil {
@@ -118,49 +104,16 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, vals *coder
 				return xerrors.Errorf("failed to delete old audit log connection events: %w", err)
 			}

-			var purgedAIBridgeRecords int64
-			aibridgeRetention := vals.AI.BridgeConfig.Retention.Value()
-			if aibridgeRetention > 0 {
-				deleteAIBridgeRecordsBefore := start.Add(-aibridgeRetention)
-				// nolint:gocritic // Needs to run as aibridge context.
-				purgedAIBridgeRecords, err = tx.DeleteOldAIBridgeRecords(dbauthz.AsAIBridged(ctx), deleteAIBridgeRecordsBefore)
-				if err != nil {
-					return xerrors.Errorf("failed to delete old aibridge records: %w", err)
-				}
-			}
-
-			var purgedConnectionLogs int64
-			connectionLogsRetention := vals.Retention.ConnectionLogs.Value()
-			if connectionLogsRetention > 0 {
-				deleteConnectionLogsBefore := start.Add(-connectionLogsRetention)
-				purgedConnectionLogs, err = tx.DeleteOldConnectionLogs(ctx, database.DeleteOldConnectionLogsParams{
-					BeforeTime: deleteConnectionLogsBefore,
-					LimitCount: connectionLogsBatchSize,
-				})
-				if err != nil {
-					return xerrors.Errorf("failed to delete old connection logs: %w", err)
-				}
-			}
-
-			var purgedAuditLogs int64
-			auditLogsRetention := vals.Retention.AuditLogs.Value()
-			if auditLogsRetention > 0 {
-				deleteAuditLogsBefore := start.Add(-auditLogsRetention)
-				purgedAuditLogs, err = tx.DeleteOldAuditLogs(ctx, database.DeleteOldAuditLogsParams{
-					BeforeTime: deleteAuditLogsBefore,
-					LimitCount: auditLogsBatchSize,
-				})
-				if err != nil {
-					return xerrors.Errorf("failed to delete old audit logs: %w", err)
-				}
+			deleteAIBridgeRecordsBefore := start.Add(-vals.AI.BridgeConfig.Retention.Value())
+			// nolint:gocritic // Needs to run as aibridge context.
+			purgedAIBridgeRecords, err := tx.DeleteOldAIBridgeRecords(dbauthz.AsAIBridged(ctx), deleteAIBridgeRecordsBefore)
+			if err != nil {
+				return xerrors.Errorf("failed to delete old aibridge records: %w", err)
 			}

 			logger.Debug(ctx, "purged old database entries",
-				slog.F("workspace_agent_logs", purgedWorkspaceAgentLogs),
 				slog.F("expired_api_keys", expiredAPIKeys),
 				slog.F("aibridge_records", purgedAIBridgeRecords),
-				slog.F("connection_logs", purgedConnectionLogs),
-				slog.F("audit_logs", purgedAuditLogs),
 				slog.F("duration", clk.Since(start)),
 			)

@@ -246,11 +246,7 @@ func TestDeleteOldWorkspaceAgentLogs(t *testing.T) {
 	// After dbpurge completes, the ticker is reset. Trap this call.

 	done := awaitDoTick(ctx, t, clk)
-	closer := dbpurge.New(ctx, logger, db, &codersdk.DeploymentValues{
-		Retention: codersdk.RetentionConfig{
-			WorkspaceAgentLogs: serpent.Duration(7 * 24 * time.Hour),
-		},
-	}, clk)
+	closer := dbpurge.New(ctx, logger, db, &codersdk.DeploymentValues{}, clk)
 	defer closer.Close()
 	<-done // doTick() has now run.

@@ -396,90 +392,6 @@ func mustCreateAgentLogs(ctx context.Context, t *testing.T, db database.Store, a
 	require.NotEmpty(t, agentLogs, "agent logs must be present")
 }

-func TestDeleteOldWorkspaceAgentLogsRetention(t *testing.T) {
-	t.Parallel()
-
-	now := time.Date(2025, 1, 15, 7, 30, 0, 0, time.UTC)
-
-	testCases := []struct {
-		name            string
-		retentionConfig codersdk.RetentionConfig
-		logsAge         time.Duration
-		expectDeleted   bool
-	}{
-		{
-			name: "RetentionEnabled",
-			retentionConfig: codersdk.RetentionConfig{
-				WorkspaceAgentLogs: serpent.Duration(7 * 24 * time.Hour), // 7 days
-			},
-			logsAge:       8 * 24 * time.Hour, // 8 days ago
-			expectDeleted: true,
-		},
-		{
-			name: "RetentionDisabled",
-			retentionConfig: codersdk.RetentionConfig{
-				WorkspaceAgentLogs: serpent.Duration(0),
-			},
-			logsAge:       60 * 24 * time.Hour, // 60 days ago
-			expectDeleted: false,
-		},
-
-		{
-			name: "CustomRetention30Days",
-			retentionConfig: codersdk.RetentionConfig{
-				WorkspaceAgentLogs: serpent.Duration(30 * 24 * time.Hour), // 30 days
-			},
-			logsAge:       31 * 24 * time.Hour, // 31 days ago
-			expectDeleted: true,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			ctx := testutil.Context(t, testutil.WaitShort)
-			clk := quartz.NewMock(t)
-			clk.Set(now).MustWait(ctx)
-
-			oldTime := now.Add(-tc.logsAge)
-
-			db, _ := dbtestutil.NewDB(t, dbtestutil.WithDumpOnFailure())
-			logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
-			org := dbgen.Organization(t, db, database.Organization{})
-			user := dbgen.User(t, db, database.User{})
-			_ = dbgen.OrganizationMember(t, db, database.OrganizationMember{UserID: user.ID, OrganizationID: org.ID})
-			tv := dbgen.TemplateVersion(t, db, database.TemplateVersion{OrganizationID: org.ID, CreatedBy: user.ID})
-			tmpl := dbgen.Template(t, db, database.Template{OrganizationID: org.ID, ActiveVersionID: tv.ID, CreatedBy: user.ID})
-
-			ws := dbgen.Workspace(t, db, database.WorkspaceTable{Name: "test-ws", OwnerID: user.ID, OrganizationID: org.ID, TemplateID: tmpl.ID})
-			wb1 := mustCreateWorkspaceBuild(t, db, org, tv, ws.ID, oldTime, 1)
-			wb2 := mustCreateWorkspaceBuild(t, db, org, tv, ws.ID, oldTime, 2)
-			agent1 := mustCreateAgent(t, db, wb1)
-			agent2 := mustCreateAgent(t, db, wb2)
-			mustCreateAgentLogs(ctx, t, db, agent1, &oldTime, "agent 1 logs")
-			mustCreateAgentLogs(ctx, t, db, agent2, &oldTime, "agent 2 logs")
-
-			// Run the purge.
-			done := awaitDoTick(ctx, t, clk)
-			closer := dbpurge.New(ctx, logger, db, &codersdk.DeploymentValues{
-				Retention: tc.retentionConfig,
-			}, clk)
-			defer closer.Close()
-			testutil.TryReceive(ctx, t, done)
-
-			// Verify results.
-			if tc.expectDeleted {
-				assertNoWorkspaceAgentLogs(ctx, t, db, agent1.ID)
-			} else {
-				assertWorkspaceAgentLogs(ctx, t, db, agent1.ID, "agent 1 logs")
-			}
-			// Latest build logs are always retained.
-			assertWorkspaceAgentLogs(ctx, t, db, agent2.ID, "agent 2 logs")
-		})
-	}
-}
-
 //nolint:paralleltest // It uses LockIDDBPurge.
 func TestDeleteOldProvisionerDaemons(t *testing.T) {
 	// TODO: must refactor DeleteOldProvisionerDaemons to allow passing in cutoff
@@ -847,684 +759,171 @@ func TestDeleteOldTelemetryHeartbeats(t *testing.T) {
 	}, testutil.WaitShort, testutil.IntervalFast, "it should delete old telemetry heartbeats")
 }

-func TestDeleteOldConnectionLogs(t *testing.T) {
-	t.Parallel()
-
-	now := time.Date(2025, 1, 15, 7, 30, 0, 0, time.UTC)
-	retentionPeriod := 30 * 24 * time.Hour
-	afterThreshold := now.Add(-retentionPeriod).Add(-24 * time.Hour) // 31 days ago (older than threshold)
-	beforeThreshold := now.Add(-15 * 24 * time.Hour)                 // 15 days ago (newer than threshold)
-
-	testCases := []struct {
-		name                  string
-		retentionConfig       codersdk.RetentionConfig
-		oldLogTime            time.Time
-		recentLogTime         *time.Time // nil means no recent log created
-		expectOldDeleted      bool
-		expectedLogsRemaining int
-	}{
-		{
-			name: "RetentionEnabled",
-			retentionConfig: codersdk.RetentionConfig{
-				ConnectionLogs: serpent.Duration(retentionPeriod),
-			},
-			oldLogTime:            afterThreshold,
-			recentLogTime:         &beforeThreshold,
-			expectOldDeleted:      true,
-			expectedLogsRemaining: 1, // only recent log remains
-		},
-		{
-			name: "RetentionDisabled",
-			retentionConfig: codersdk.RetentionConfig{
-				ConnectionLogs: serpent.Duration(0),
-			},
-			oldLogTime:            now.Add(-365 * 24 * time.Hour), // 1 year ago
-			recentLogTime:         nil,
-			expectOldDeleted:      false,
-			expectedLogsRemaining: 1, // old log is kept
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			ctx := testutil.Context(t, testutil.WaitShort)
-			clk := quartz.NewMock(t)
-			clk.Set(now).MustWait(ctx)
-
-			db, _ := dbtestutil.NewDB(t, dbtestutil.WithDumpOnFailure())
-			logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
-
-			// Setup test fixtures.
-			user := dbgen.User(t, db, database.User{})
-			org := dbgen.Organization(t, db, database.Organization{})
-			_ = dbgen.OrganizationMember(t, db, database.OrganizationMember{UserID: user.ID, OrganizationID: org.ID})
-			tv := dbgen.TemplateVersion(t, db, database.TemplateVersion{OrganizationID: org.ID, CreatedBy: user.ID})
-			tmpl := dbgen.Template(t, db, database.Template{OrganizationID: org.ID, ActiveVersionID: tv.ID, CreatedBy: user.ID})
-			workspace := dbgen.Workspace(t, db, database.WorkspaceTable{
-				OwnerID:        user.ID,
-				OrganizationID: org.ID,
-				TemplateID:     tmpl.ID,
-			})
-
-			// Create old connection log.
-			oldLog := dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
-				ID:               uuid.New(),
-				Time:             tc.oldLogTime,
-				OrganizationID:   org.ID,
-				WorkspaceOwnerID: user.ID,
-				WorkspaceID:      workspace.ID,
-				WorkspaceName:    workspace.Name,
-				AgentName:        "agent1",
-				Type:             database.ConnectionTypeSsh,
-				ConnectionStatus: database.ConnectionStatusConnected,
-			})
-
-			// Create recent connection log if specified.
-			var recentLog database.ConnectionLog
-			if tc.recentLogTime != nil {
-				recentLog = dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
-					ID:               uuid.New(),
-					Time:             *tc.recentLogTime,
-					OrganizationID:   org.ID,
-					WorkspaceOwnerID: user.ID,
-					WorkspaceID:      workspace.ID,
-					WorkspaceName:    workspace.Name,
-					AgentName:        "agent2",
-					Type:             database.ConnectionTypeSsh,
-					ConnectionStatus: database.ConnectionStatusConnected,
-				})
-			}
-
-			// Run the purge.
-			done := awaitDoTick(ctx, t, clk)
-			closer := dbpurge.New(ctx, logger, db, &codersdk.DeploymentValues{
-				Retention: tc.retentionConfig,
-			}, clk)
-			defer closer.Close()
-			testutil.TryReceive(ctx, t, done)
-
-			// Verify results.
-			logs, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{
-				LimitOpt: 100,
-			})
-			require.NoError(t, err)
-			require.Len(t, logs, tc.expectedLogsRemaining, "unexpected number of logs remaining")
-
-			logIDs := make([]uuid.UUID, len(logs))
-			for i, log := range logs {
-				logIDs[i] = log.ConnectionLog.ID
-			}
-
-			if tc.expectOldDeleted {
-				require.NotContains(t, logIDs, oldLog.ID, "old connection log should be deleted")
-			} else {
-				require.Contains(t, logIDs, oldLog.ID, "old connection log should NOT be deleted")
-			}
-
-			if tc.recentLogTime != nil {
-				require.Contains(t, logIDs, recentLog.ID, "recent connection log should be kept")
-			}
-		})
-	}
-}
-
 func TestDeleteOldAIBridgeRecords(t *testing.T) {
 	t.Parallel()

+	ctx := testutil.Context(t, testutil.WaitShort)
+
+	clk := quartz.NewMock(t)
 	now := time.Date(2025, 1, 15, 7, 30, 0, 0, time.UTC)
 	retentionPeriod := 30 * 24 * time.Hour                                // 30 days
 	afterThreshold := now.Add(-retentionPeriod).Add(-24 * time.Hour)      // 31 days ago (older than threshold)
 	beforeThreshold := now.Add(-15 * 24 * time.Hour)                      // 15 days ago (newer than threshold)
 	closeBeforeThreshold := now.Add(-retentionPeriod).Add(24 * time.Hour) // 29 days ago
+	clk.Set(now).MustWait(ctx)

-	type testFixtures struct {
-		oldInterception            database.AIBridgeInterception
-		oldInterceptionWithRelated database.AIBridgeInterception
-		recentInterception         database.AIBridgeInterception
-		nearThresholdInterception  database.AIBridgeInterception
-	}
+	db, _ := dbtestutil.NewDB(t, dbtestutil.WithDumpOnFailure())
+	logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
+	user := dbgen.User(t, db, database.User{})

-	testCases := []struct {
-		name      string
-		retention time.Duration
-		verify    func(t *testing.T, ctx context.Context, db database.Store, fixtures testFixtures)
-	}{
-		{
-			name:      "RetentionEnabled",
-			retention: retentionPeriod,
-			verify: func(t *testing.T, ctx context.Context, db database.Store, fixtures testFixtures) {
-				t.Helper()
+	// Create old AI Bridge interception (should be deleted)
+	oldInterception := dbgen.AIBridgeInterception(t, db, database.InsertAIBridgeInterceptionParams{
+		ID:          uuid.New(),
+		APIKeyID:    sql.NullString{},
+		InitiatorID: user.ID,
+		Provider:    "anthropic",
+		Model:       "claude-3-5-sonnet",
+		StartedAt:   afterThreshold,
+	}, &afterThreshold)

-				interceptions, err := db.GetAIBridgeInterceptions(ctx)
-				require.NoError(t, err)
-				require.Len(t, interceptions, 2, "expected 2 interceptions remaining")
+	// Create old interception with related records (should all be deleted)
+	oldInterceptionWithRelated := dbgen.AIBridgeInterception(t, db, database.InsertAIBridgeInterceptionParams{
+		ID:          uuid.New(),
+		APIKeyID:    sql.NullString{},
+		InitiatorID: user.ID,
+		Provider:    "openai",
+		Model:       "gpt-4",
+		StartedAt:   afterThreshold,
+	}, &afterThreshold)

-				interceptionIDs := make([]uuid.UUID, len(interceptions))
-				for i, interception := range interceptions {
-					interceptionIDs[i] = interception.ID
-				}
-
-				require.NotContains(t, interceptionIDs, fixtures.oldInterception.ID, "old interception should be deleted")
-				require.NotContains(t, interceptionIDs, fixtures.oldInterceptionWithRelated.ID, "old interception with related records should be deleted")
-				require.Contains(t, interceptionIDs, fixtures.recentInterception.ID, "recent interception should be kept")
-				require.Contains(t, interceptionIDs, fixtures.nearThresholdInterception.ID, "near threshold interception should be kept")
-
-				// Verify related records were deleted for old interception.
-				oldTokenUsages, err := db.GetAIBridgeTokenUsagesByInterceptionID(ctx, fixtures.oldInterceptionWithRelated.ID)
-				require.NoError(t, err)
-				require.Empty(t, oldTokenUsages, "old token usages should be deleted")
-
-				oldUserPrompts, err := db.GetAIBridgeUserPromptsByInterceptionID(ctx, fixtures.oldInterceptionWithRelated.ID)
-				require.NoError(t, err)
-				require.Empty(t, oldUserPrompts, "old user prompts should be deleted")
-
-				oldToolUsages, err := db.GetAIBridgeToolUsagesByInterceptionID(ctx, fixtures.oldInterceptionWithRelated.ID)
-				require.NoError(t, err)
-				require.Empty(t, oldToolUsages, "old tool usages should be deleted")
-
-				// Verify related records were NOT deleted for near-threshold interception.
-				newTokenUsages, err := db.GetAIBridgeTokenUsagesByInterceptionID(ctx, fixtures.nearThresholdInterception.ID)
-				require.NoError(t, err)
-				require.Len(t, newTokenUsages, 1, "near threshold token usages should not be deleted")
-
-				newUserPrompts, err := db.GetAIBridgeUserPromptsByInterceptionID(ctx, fixtures.nearThresholdInterception.ID)
-				require.NoError(t, err)
-				require.Len(t, newUserPrompts, 1, "near threshold user prompts should not be deleted")
-
-				newToolUsages, err := db.GetAIBridgeToolUsagesByInterceptionID(ctx, fixtures.nearThresholdInterception.ID)
-				require.NoError(t, err)
-				require.Len(t, newToolUsages, 1, "near threshold tool usages should not be deleted")
-			},
-		},
-		{
-			name:      "RetentionDisabled",
-			retention: 0,
-			verify: func(t *testing.T, ctx context.Context, db database.Store, fixtures testFixtures) {
-				t.Helper()
-
-				interceptions, err := db.GetAIBridgeInterceptions(ctx)
-				require.NoError(t, err)
-				require.Len(t, interceptions, 4, "expected all 4 interceptions to be retained")
-
-				interceptionIDs := make([]uuid.UUID, len(interceptions))
-				for i, interception := range interceptions {
-					interceptionIDs[i] = interception.ID
-				}
-
-				require.Contains(t, interceptionIDs, fixtures.oldInterception.ID, "old interception should be kept")
-				require.Contains(t, interceptionIDs, fixtures.oldInterceptionWithRelated.ID, "old interception with related records should be kept")
-				require.Contains(t, interceptionIDs, fixtures.recentInterception.ID, "recent interception should be kept")
-				require.Contains(t, interceptionIDs, fixtures.nearThresholdInterception.ID, "near threshold interception should be kept")
-
-				// Verify all related records were kept.
-				oldTokenUsages, err := db.GetAIBridgeTokenUsagesByInterceptionID(ctx, fixtures.oldInterceptionWithRelated.ID)
-				require.NoError(t, err)
-				require.Len(t, oldTokenUsages, 1, "old token usages should be kept")
-
-				oldUserPrompts, err := db.GetAIBridgeUserPromptsByInterceptionID(ctx, fixtures.oldInterceptionWithRelated.ID)
-				require.NoError(t, err)
-				require.Len(t, oldUserPrompts, 1, "old user prompts should be kept")
-
-				oldToolUsages, err := db.GetAIBridgeToolUsagesByInterceptionID(ctx, fixtures.oldInterceptionWithRelated.ID)
-				require.NoError(t, err)
-				require.Len(t, oldToolUsages, 1, "old tool usages should be kept")
-			},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			ctx := testutil.Context(t, testutil.WaitShort)
-			clk := quartz.NewMock(t)
-			clk.Set(now).MustWait(ctx)
-
-			db, _ := dbtestutil.NewDB(t, dbtestutil.WithDumpOnFailure())
-			logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
-			user := dbgen.User(t, db, database.User{})
-
-			// Create old AI Bridge interception (should be deleted when retention enabled).
-			oldInterception := dbgen.AIBridgeInterception(t, db, database.InsertAIBridgeInterceptionParams{
-				ID:          uuid.New(),
-				APIKeyID:    sql.NullString{},
-				InitiatorID: user.ID,
-				Provider:    "anthropic",
-				Model:       "claude-3-5-sonnet",
-				StartedAt:   afterThreshold,
-			}, &afterThreshold)
-
-			// Create old interception with related records (should all be deleted when retention enabled).
-			oldInterceptionWithRelated := dbgen.AIBridgeInterception(t, db, database.InsertAIBridgeInterceptionParams{
-				ID:          uuid.New(),
-				APIKeyID:    sql.NullString{},
-				InitiatorID: user.ID,
-				Provider:    "openai",
-				Model:       "gpt-4",
-				StartedAt:   afterThreshold,
-			}, &afterThreshold)
-
-			_ = dbgen.AIBridgeTokenUsage(t, db, database.InsertAIBridgeTokenUsageParams{
-				ID:                 uuid.New(),
-				InterceptionID:     oldInterceptionWithRelated.ID,
-				ProviderResponseID: "resp-1",
-				InputTokens:        100,
-				OutputTokens:       50,
-				CreatedAt:          afterThreshold,
-			})
-
-			_ = dbgen.AIBridgeUserPrompt(t, db, database.InsertAIBridgeUserPromptParams{
-				ID:                 uuid.New(),
-				InterceptionID:     oldInterceptionWithRelated.ID,
-				ProviderResponseID: "resp-1",
-				Prompt:             "test prompt",
-				CreatedAt:          afterThreshold,
-			})
-
-			_ = dbgen.AIBridgeToolUsage(t, db, database.InsertAIBridgeToolUsageParams{
-				ID:                 uuid.New(),
-				InterceptionID:     oldInterceptionWithRelated.ID,
-				ProviderResponseID: "resp-1",
-				Tool:               "test-tool",
-				ServerUrl:          sql.NullString{String: "http://test", Valid: true},
-				Input:              "{}",
-				Injected:           true,
-				CreatedAt:          afterThreshold,
-			})
-
-			// Create recent AI Bridge interception (should be kept).
-			recentInterception := dbgen.AIBridgeInterception(t, db, database.InsertAIBridgeInterceptionParams{
-				ID:          uuid.New(),
-				APIKeyID:    sql.NullString{},
-				InitiatorID: user.ID,
-				Provider:    "anthropic",
-				Model:       "claude-3-5-sonnet",
-				StartedAt:   beforeThreshold,
-			}, &beforeThreshold)
-
-			// Create interception close to threshold (should be kept).
-			nearThresholdInterception := dbgen.AIBridgeInterception(t, db, database.InsertAIBridgeInterceptionParams{
-				ID:          uuid.New(),
-				APIKeyID:    sql.NullString{},
-				InitiatorID: user.ID,
-				Provider:    "anthropic",
-				Model:       "claude-3-5-sonnet",
-				StartedAt:   closeBeforeThreshold,
-			}, &closeBeforeThreshold)
-
-			_ = dbgen.AIBridgeTokenUsage(t, db, database.InsertAIBridgeTokenUsageParams{
-				ID:                 uuid.New(),
-				InterceptionID:     nearThresholdInterception.ID,
-				ProviderResponseID: "resp-1",
-				InputTokens:        100,
-				OutputTokens:       50,
-				CreatedAt:          closeBeforeThreshold,
-			})
-
-			_ = dbgen.AIBridgeUserPrompt(t, db, database.InsertAIBridgeUserPromptParams{
-				ID:                 uuid.New(),
-				InterceptionID:     nearThresholdInterception.ID,
-				ProviderResponseID: "resp-1",
-				Prompt:             "test prompt",
-				CreatedAt:          closeBeforeThreshold,
-			})
-
-			_ = dbgen.AIBridgeToolUsage(t, db, database.InsertAIBridgeToolUsageParams{
-				ID:                 uuid.New(),
-				InterceptionID:     nearThresholdInterception.ID,
-				ProviderResponseID: "resp-1",
-				Tool:               "test-tool",
-				ServerUrl:          sql.NullString{String: "http://test", Valid: true},
-				Input:              "{}",
-				Injected:           true,
-				CreatedAt:          closeBeforeThreshold,
-			})
-
-			fixtures := testFixtures{
-				oldInterception:            oldInterception,
-				oldInterceptionWithRelated: oldInterceptionWithRelated,
-				recentInterception:         recentInterception,
-				nearThresholdInterception:  nearThresholdInterception,
-			}
-
-			// Run the purge with configured retention period.
-			done := awaitDoTick(ctx, t, clk)
-			closer := dbpurge.New(ctx, logger, db, &codersdk.DeploymentValues{
-				AI: codersdk.AIConfig{
-					BridgeConfig: codersdk.AIBridgeConfig{
-						Retention: serpent.Duration(tc.retention),
-					},
-				},
-			}, clk)
-			defer closer.Close()
-			testutil.TryReceive(ctx, t, done)
-
-			tc.verify(t, ctx, db, fixtures)
-		})
-	}
-}
-
-func TestDeleteOldAuditLogs(t *testing.T) {
-	t.Parallel()
-
-	now := time.Date(2025, 1, 15, 7, 30, 0, 0, time.UTC)
-	retentionPeriod := 30 * 24 * time.Hour
-	afterThreshold := now.Add(-retentionPeriod).Add(-24 * time.Hour) // 31 days ago (older than threshold)
-	beforeThreshold := now.Add(-15 * 24 * time.Hour)                 // 15 days ago (newer than threshold)
-
-	testCases := []struct {
-		name                  string
-		retentionConfig       codersdk.RetentionConfig
-		oldLogTime            time.Time
-		recentLogTime         *time.Time // nil means no recent log created
-		expectOldDeleted      bool
-		expectedLogsRemaining int
-	}{
-		{
-			name: "RetentionEnabled",
-			retentionConfig: codersdk.RetentionConfig{
-				AuditLogs: serpent.Duration(retentionPeriod),
-			},
-			oldLogTime:            afterThreshold,
-			recentLogTime:         &beforeThreshold,
-			expectOldDeleted:      true,
-			expectedLogsRemaining: 1, // only recent log remains
-		},
-		{
-			name: "RetentionDisabled",
-			retentionConfig: codersdk.RetentionConfig{
-				AuditLogs: serpent.Duration(0),
-			},
-			oldLogTime:            now.Add(-365 * 24 * time.Hour), // 1 year ago
-			recentLogTime:         nil,
-			expectOldDeleted:      false,
-			expectedLogsRemaining: 1, // old log is kept
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			ctx := testutil.Context(t, testutil.WaitShort)
-			clk := quartz.NewMock(t)
-			clk.Set(now).MustWait(ctx)
-
-			db, _ := dbtestutil.NewDB(t, dbtestutil.WithDumpOnFailure())
-			logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
-
-			// Setup test fixtures.
-			user := dbgen.User(t, db, database.User{})
-			org := dbgen.Organization(t, db, database.Organization{})
-
-			// Create old audit log.
-			oldLog := dbgen.AuditLog(t, db, database.AuditLog{
-				UserID:         user.ID,
-				OrganizationID: org.ID,
-				Time:           tc.oldLogTime,
-				Action:         database.AuditActionCreate,
-				ResourceType:   database.ResourceTypeWorkspace,
-			})
-
-			// Create recent audit log if specified.
-			var recentLog database.AuditLog
-			if tc.recentLogTime != nil {
-				recentLog = dbgen.AuditLog(t, db, database.AuditLog{
-					UserID:         user.ID,
-					OrganizationID: org.ID,
-					Time:           *tc.recentLogTime,
-					Action:         database.AuditActionCreate,
-					ResourceType:   database.ResourceTypeWorkspace,
-				})
-			}
-
-			// Run the purge.
-			done := awaitDoTick(ctx, t, clk)
-			closer := dbpurge.New(ctx, logger, db, &codersdk.DeploymentValues{
-				Retention: tc.retentionConfig,
-			}, clk)
-			defer closer.Close()
-			testutil.TryReceive(ctx, t, done)
-
-			// Verify results.
-			logs, err := db.GetAuditLogsOffset(ctx, database.GetAuditLogsOffsetParams{
-				LimitOpt: 100,
-			})
-			require.NoError(t, err)
-			require.Len(t, logs, tc.expectedLogsRemaining, "unexpected number of logs remaining")
-
-			logIDs := make([]uuid.UUID, len(logs))
-			for i, log := range logs {
-				logIDs[i] = log.AuditLog.ID
-			}
-
-			if tc.expectOldDeleted {
-				require.NotContains(t, logIDs, oldLog.ID, "old audit log should be deleted")
-			} else {
-				require.Contains(t, logIDs, oldLog.ID, "old audit log should NOT be deleted")
-			}
-
-			if tc.recentLogTime != nil {
-				require.Contains(t, logIDs, recentLog.ID, "recent audit log should be kept")
-			}
-		})
-	}
-
-	// ConnectionEventsNotDeleted is a special case that tests multiple audit
-	// action types, so it's kept as a separate subtest.
-	t.Run("ConnectionEventsNotDeleted", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		clk := quartz.NewMock(t)
-		clk.Set(now).MustWait(ctx)
-
-		db, _ := dbtestutil.NewDB(t, dbtestutil.WithDumpOnFailure())
-		logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
-		user := dbgen.User(t, db, database.User{})
-		org := dbgen.Organization(t, db, database.Organization{})
-
-		// Create old connection events (should NOT be deleted by audit logs retention).
-		oldConnectLog := dbgen.AuditLog(t, db, database.AuditLog{
-			UserID:         user.ID,
-			OrganizationID: org.ID,
-			Time:           afterThreshold,
-			Action:         database.AuditActionConnect,
-			ResourceType:   database.ResourceTypeWorkspace,
-		})
-
-		oldDisconnectLog := dbgen.AuditLog(t, db, database.AuditLog{
-			UserID:         user.ID,
-			OrganizationID: org.ID,
-			Time:           afterThreshold,
-			Action:         database.AuditActionDisconnect,
-			ResourceType:   database.ResourceTypeWorkspace,
-		})
-
-		oldOpenLog := dbgen.AuditLog(t, db, database.AuditLog{
-			UserID:         user.ID,
-			OrganizationID: org.ID,
-			Time:           afterThreshold,
-			Action:         database.AuditActionOpen,
-			ResourceType:   database.ResourceTypeWorkspace,
-		})
-
-		oldCloseLog := dbgen.AuditLog(t, db, database.AuditLog{
-			UserID:         user.ID,
-			OrganizationID: org.ID,
-			Time:           afterThreshold,
-			Action:         database.AuditActionClose,
-			ResourceType:   database.ResourceTypeWorkspace,
-		})
-
-		// Create old non-connection audit log (should be deleted).
-		oldCreateLog := dbgen.AuditLog(t, db, database.AuditLog{
-			UserID:         user.ID,
-			OrganizationID: org.ID,
-			Time:           afterThreshold,
-			Action:         database.AuditActionCreate,
-			ResourceType:   database.ResourceTypeWorkspace,
-		})
-
-		// Run the purge with audit logs retention enabled.
-		done := awaitDoTick(ctx, t, clk)
-		closer := dbpurge.New(ctx, logger, db, &codersdk.DeploymentValues{
-			Retention: codersdk.RetentionConfig{
-				AuditLogs: serpent.Duration(retentionPeriod),
-			},
-		}, clk)
-		defer closer.Close()
-		testutil.TryReceive(ctx, t, done)
-
-		// Verify results.
-		logs, err := db.GetAuditLogsOffset(ctx, database.GetAuditLogsOffsetParams{
-			LimitOpt: 100,
-		})
-		require.NoError(t, err)
-		require.Len(t, logs, 4, "should have 4 connection event logs remaining")
-
-		logIDs := make([]uuid.UUID, len(logs))
-		for i, log := range logs {
-			logIDs[i] = log.AuditLog.ID
-		}
-
-		// Connection events should NOT be deleted by audit logs retention.
-		require.Contains(t, logIDs, oldConnectLog.ID, "old connect log should NOT be deleted by audit logs retention")
-		require.Contains(t, logIDs, oldDisconnectLog.ID, "old disconnect log should NOT be deleted by audit logs retention")
-		require.Contains(t, logIDs, oldOpenLog.ID, "old open log should NOT be deleted by audit logs retention")
-		require.Contains(t, logIDs, oldCloseLog.ID, "old close log should NOT be deleted by audit logs retention")
-
-		// Non-connection event should be deleted.
-		require.NotContains(t, logIDs, oldCreateLog.ID, "old create log should be deleted by audit logs retention")
+	_ = dbgen.AIBridgeTokenUsage(t, db, database.InsertAIBridgeTokenUsageParams{
+		ID:                 uuid.New(),
+		InterceptionID:     oldInterceptionWithRelated.ID,
+		ProviderResponseID: "resp-1",
+		InputTokens:        100,
+		OutputTokens:       50,
+		CreatedAt:          afterThreshold,
 	})
-}

-func TestDeleteExpiredAPIKeys(t *testing.T) {
-	t.Parallel()
+	_ = dbgen.AIBridgeUserPrompt(t, db, database.InsertAIBridgeUserPromptParams{
+		ID:                 uuid.New(),
+		InterceptionID:     oldInterceptionWithRelated.ID,
+		ProviderResponseID: "resp-1",
+		Prompt:             "test prompt",
+		CreatedAt:          afterThreshold,
+	})

-	now := time.Date(2025, 1, 15, 7, 30, 0, 0, time.UTC)
+	_ = dbgen.AIBridgeToolUsage(t, db, database.InsertAIBridgeToolUsageParams{
+		ID:                 uuid.New(),
+		InterceptionID:     oldInterceptionWithRelated.ID,
+		ProviderResponseID: "resp-1",
+		Tool:               "test-tool",
+		ServerUrl:          sql.NullString{String: "http://test", Valid: true},
+		Input:              "{}",
+		Injected:           true,
+		CreatedAt:          afterThreshold,
+	})

-	testCases := []struct {
-		name                    string
-		retentionConfig         codersdk.RetentionConfig
-		oldExpiredTime          time.Time
-		recentExpiredTime       *time.Time // nil means no recent expired key created
-		activeTime              *time.Time // nil means no active key created
-		expectOldExpiredDeleted bool
-		expectedKeysRemaining   int
-	}{
-		{
-			name: "RetentionEnabled",
-			retentionConfig: codersdk.RetentionConfig{
-				APIKeys: serpent.Duration(7 * 24 * time.Hour), // 7 days
+	// Create recent AI Bridge interception (should be kept)
+	recentInterception := dbgen.AIBridgeInterception(t, db, database.InsertAIBridgeInterceptionParams{
+		ID:          uuid.New(),
+		APIKeyID:    sql.NullString{},
+		InitiatorID: user.ID,
+		Provider:    "anthropic",
+		Model:       "claude-3-5-sonnet",
+		StartedAt:   beforeThreshold,
+	}, &beforeThreshold)
+
+	// Create interception close to threshold (should be kept)
+	nearThresholdInterception := dbgen.AIBridgeInterception(t, db, database.InsertAIBridgeInterceptionParams{
+		ID:          uuid.New(),
+		APIKeyID:    sql.NullString{},
+		InitiatorID: user.ID,
+		Provider:    "anthropic",
+		Model:       "claude-3-5-sonnet",
+		StartedAt:   closeBeforeThreshold,
+	}, &closeBeforeThreshold)
+
+	_ = dbgen.AIBridgeTokenUsage(t, db, database.InsertAIBridgeTokenUsageParams{
+		ID:                 uuid.New(),
+		InterceptionID:     nearThresholdInterception.ID,
+		ProviderResponseID: "resp-1",
+		InputTokens:        100,
+		OutputTokens:       50,
+		CreatedAt:          closeBeforeThreshold,
+	})
+
+	_ = dbgen.AIBridgeUserPrompt(t, db, database.InsertAIBridgeUserPromptParams{
+		ID:                 uuid.New(),
+		InterceptionID:     nearThresholdInterception.ID,
+		ProviderResponseID: "resp-1",
+		Prompt:             "test prompt",
+		CreatedAt:          closeBeforeThreshold,
+	})
+
+	_ = dbgen.AIBridgeToolUsage(t, db, database.InsertAIBridgeToolUsageParams{
+		ID:                 uuid.New(),
+		InterceptionID:     nearThresholdInterception.ID,
+		ProviderResponseID: "resp-1",
+		Tool:               "test-tool",
+		ServerUrl:          sql.NullString{String: "http://test", Valid: true},
+		Input:              "{}",
+		Injected:           true,
+		CreatedAt:          closeBeforeThreshold,
+	})
+
+	// Run the purge with configured retention period
+	done := awaitDoTick(ctx, t, clk)
+	closer := dbpurge.New(ctx, logger, db, &codersdk.DeploymentValues{
+		AI: codersdk.AIConfig{
+			BridgeConfig: codersdk.AIBridgeConfig{
+				Retention: serpent.Duration(retentionPeriod),
 			},
-			oldExpiredTime:          now.Add(-8 * 24 * time.Hour),      // Expired 8 days ago
-			recentExpiredTime:       ptr(now.Add(-6 * 24 * time.Hour)), // Expired 6 days ago
-			activeTime:              ptr(now.Add(24 * time.Hour)),      // Expires tomorrow
-			expectOldExpiredDeleted: true,
-			expectedKeysRemaining:   2, // recent expired + active
-		},
-		{
-			name: "RetentionDisabled",
-			retentionConfig: codersdk.RetentionConfig{
-				APIKeys: serpent.Duration(0),
-			},
-			oldExpiredTime:          now.Add(-365 * 24 * time.Hour), // Expired 1 year ago
-			recentExpiredTime:       nil,
-			activeTime:              nil,
-			expectOldExpiredDeleted: false,
-			expectedKeysRemaining:   1, // old expired is kept
 		},
+	}, clk)
+	defer closer.Close()
+	// Wait for tick
+	testutil.TryReceive(ctx, t, done)

-		{
-			name: "CustomRetention30Days",
-			retentionConfig: codersdk.RetentionConfig{
-				APIKeys: serpent.Duration(30 * 24 * time.Hour), // 30 days
-			},
-			oldExpiredTime:          now.Add(-31 * 24 * time.Hour),      // Expired 31 days ago
-			recentExpiredTime:       ptr(now.Add(-29 * 24 * time.Hour)), // Expired 29 days ago
-			activeTime:              nil,
-			expectOldExpiredDeleted: true,
-			expectedKeysRemaining:   1, // only recent expired remains
-		},
+	// Verify results by querying all AI Bridge records
+	interceptions, err := db.GetAIBridgeInterceptions(ctx)
+	require.NoError(t, err)
+
+	// Extract interception IDs for comparison
+	interceptionIDs := make([]uuid.UUID, len(interceptions))
+	for i, interception := range interceptions {
+		interceptionIDs[i] = interception.ID
 	}

-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
+	require.NotContains(t, interceptionIDs, oldInterception.ID, "old interception should be deleted")
+	require.NotContains(t, interceptionIDs, oldInterceptionWithRelated.ID, "old interception with related records should be deleted")

-			ctx := testutil.Context(t, testutil.WaitShort)
-			clk := quartz.NewMock(t)
-			clk.Set(now).MustWait(ctx)
+	// Verify related records were also deleted
+	oldTokenUsages, err := db.GetAIBridgeTokenUsagesByInterceptionID(ctx, oldInterceptionWithRelated.ID)
+	require.NoError(t, err)
+	require.Empty(t, oldTokenUsages, "old token usages should be deleted")

-			db, _ := dbtestutil.NewDB(t, dbtestutil.WithDumpOnFailure())
-			logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
-			user := dbgen.User(t, db, database.User{})
+	oldUserPrompts, err := db.GetAIBridgeUserPromptsByInterceptionID(ctx, oldInterceptionWithRelated.ID)
+	require.NoError(t, err)
+	require.Empty(t, oldUserPrompts, "old user prompts should be deleted")

-			// Create API key that expired long ago.
-			oldExpiredKey, _ := dbgen.APIKey(t, db, database.APIKey{
-				UserID:    user.ID,
-				ExpiresAt: tc.oldExpiredTime,
-				TokenName: "old-expired-key",
-			})
+	oldToolUsages, err := db.GetAIBridgeToolUsagesByInterceptionID(ctx, oldInterceptionWithRelated.ID)
+	require.NoError(t, err)
+	require.Empty(t, oldToolUsages, "old tool usages should be deleted")

-			// Create API key that expired recently if specified.
-			var recentExpiredKey database.APIKey
-			if tc.recentExpiredTime != nil {
-				recentExpiredKey, _ = dbgen.APIKey(t, db, database.APIKey{
-					UserID:    user.ID,
-					ExpiresAt: *tc.recentExpiredTime,
-					TokenName: "recent-expired-key",
-				})
-			}
+	require.Contains(t, interceptionIDs, recentInterception.ID, "recent interception should be kept")
+	require.Contains(t, interceptionIDs, nearThresholdInterception.ID, "near threshold interception should be kept")

-			// Create API key that hasn't expired yet if specified.
-			var activeKey database.APIKey
-			if tc.activeTime != nil {
-				activeKey, _ = dbgen.APIKey(t, db, database.APIKey{
-					UserID:    user.ID,
-					ExpiresAt: *tc.activeTime,
-					TokenName: "active-key",
-				})
-			}
+	// Verify related records were NOT deleted
+	newTokenUsages, err := db.GetAIBridgeTokenUsagesByInterceptionID(ctx, nearThresholdInterception.ID)
+	require.NoError(t, err)
+	require.Len(t, newTokenUsages, 1, "near threshold token usages should not be deleted")

-			// Run the purge.
-			done := awaitDoTick(ctx, t, clk)
-			closer := dbpurge.New(ctx, logger, db, &codersdk.DeploymentValues{
-				Retention: tc.retentionConfig,
-			}, clk)
-			defer closer.Close()
-			testutil.TryReceive(ctx, t, done)
+	newUserPrompts, err := db.GetAIBridgeUserPromptsByInterceptionID(ctx, nearThresholdInterception.ID)
+	require.NoError(t, err)
+	require.Len(t, newUserPrompts, 1, "near threshold user prompts should not be deleted")

-			// Verify total keys remaining.
-			keys, err := db.GetAPIKeysLastUsedAfter(ctx, time.Time{})
-			require.NoError(t, err)
-			require.Len(t, keys, tc.expectedKeysRemaining, "unexpected number of keys remaining")
-
-			// Verify results.
-			_, err = db.GetAPIKeyByID(ctx, oldExpiredKey.ID)
-			if tc.expectOldExpiredDeleted {
-				require.Error(t, err, "old expired key should be deleted")
-			} else {
-				require.NoError(t, err, "old expired key should NOT be deleted")
-			}
-
-			if tc.recentExpiredTime != nil {
-				_, err = db.GetAPIKeyByID(ctx, recentExpiredKey.ID)
-				require.NoError(t, err, "recently expired key should be kept")
-			}
-
-			if tc.activeTime != nil {
-				_, err = db.GetAPIKeyByID(ctx, activeKey.ID)
-				require.NoError(t, err, "active key should be kept")
-			}
-		})
-	}
-}
-
-// ptr is a helper to create a pointer to a value.
-func ptr[T any](v T) *T {
-	return &v
+	newToolUsages, err := db.GetAIBridgeToolUsagesByInterceptionID(ctx, nearThresholdInterception.ID)
+	require.NoError(t, err)
+	require.Len(t, newToolUsages, 1, "near threshold tool usages should not be deleted")
 }
@@ -1 +1 @@
-DROP INDEX IF EXISTS public.workspace_agents_auth_instance_id_deleted_idx;
+DROP INDEX IF EXISTS workspace_agents_auth_instance_id_deleted_idx;
@@ -1 +1 @@
-CREATE INDEX IF NOT EXISTS workspace_agents_auth_instance_id_deleted_idx ON public.workspace_agents (auth_instance_id, deleted);
+CREATE INDEX IF NOT EXISTS workspace_agents_auth_instance_id_deleted_idx ON workspace_agents (auth_instance_id, deleted);
@@ -1,34 +1,34 @@
 -- This is a deleted user that shares the same username and linked_id as the existing user below.
 -- Any future migrations need to handle this case.
-INSERT INTO public.users(id, email, username, hashed_password, created_at, updated_at, status, rbac_roles, deleted)
+INSERT INTO users(id, email, username, hashed_password, created_at, updated_at, status, rbac_roles, deleted)
 	VALUES ('a0061a8e-7db7-4585-838c-3116a003dd21', 'githubuser@coder.com', 'githubuser', '\x', '2022-11-02 13:05:21.445455+02', '2022-11-02 13:05:21.445455+02', 'active', '{}', true) ON CONFLICT DO NOTHING;
-INSERT INTO public.organization_members VALUES ('a0061a8e-7db7-4585-838c-3116a003dd21', 'bb640d07-ca8a-4869-b6bc-ae61ebb2fda1', '2022-11-02 13:05:21.447595+02', '2022-11-02 13:05:21.447595+02', '{}') ON CONFLICT DO NOTHING;
-INSERT INTO public.user_links(user_id, login_type, linked_id, oauth_access_token)
+INSERT INTO organization_members VALUES ('a0061a8e-7db7-4585-838c-3116a003dd21', 'bb640d07-ca8a-4869-b6bc-ae61ebb2fda1', '2022-11-02 13:05:21.447595+02', '2022-11-02 13:05:21.447595+02', '{}') ON CONFLICT DO NOTHING;
+INSERT INTO user_links(user_id, login_type, linked_id, oauth_access_token)
 	VALUES('a0061a8e-7db7-4585-838c-3116a003dd21', 'github', '100', '');


-INSERT INTO public.users(id, email, username, hashed_password, created_at, updated_at, status, rbac_roles, deleted)
+INSERT INTO users(id, email, username, hashed_password, created_at, updated_at, status, rbac_roles, deleted)
 	VALUES ('fc1511ef-4fcf-4a3b-98a1-8df64160e35a', 'githubuser@coder.com', 'githubuser', '\x', '2022-11-02 13:05:21.445455+02', '2022-11-02 13:05:21.445455+02', 'active', '{}', false) ON CONFLICT DO NOTHING;
-INSERT INTO public.organization_members VALUES ('fc1511ef-4fcf-4a3b-98a1-8df64160e35a', 'bb640d07-ca8a-4869-b6bc-ae61ebb2fda1', '2022-11-02 13:05:21.447595+02', '2022-11-02 13:05:21.447595+02', '{}') ON CONFLICT DO NOTHING;
-INSERT INTO public.user_links(user_id, login_type, linked_id, oauth_access_token)
+INSERT INTO organization_members VALUES ('fc1511ef-4fcf-4a3b-98a1-8df64160e35a', 'bb640d07-ca8a-4869-b6bc-ae61ebb2fda1', '2022-11-02 13:05:21.447595+02', '2022-11-02 13:05:21.447595+02', '{}') ON CONFLICT DO NOTHING;
+INSERT INTO user_links(user_id, login_type, linked_id, oauth_access_token)
 	VALUES('fc1511ef-4fcf-4a3b-98a1-8df64160e35a', 'github', '100', '');

 -- Additionally, there is no unique constraint on user_id. So also add another user_link for the same user.
 -- This has happened on a production database.
-INSERT INTO public.user_links(user_id, login_type, linked_id, oauth_access_token)
+INSERT INTO user_links(user_id, login_type, linked_id, oauth_access_token)
 VALUES('fc1511ef-4fcf-4a3b-98a1-8df64160e35a', 'oidc', 'foo', '');


 -- Lastly, make 2 other users who have the same user link.
-INSERT INTO public.users(id, email, username, hashed_password, created_at, updated_at, status, rbac_roles, deleted)
+INSERT INTO users(id, email, username, hashed_password, created_at, updated_at, status, rbac_roles, deleted)
 VALUES ('580ed397-727d-4aaf-950a-51f89f556c24', 'dup_link_a@coder.com', 'dupe_a', '\x', '2022-11-02 13:05:21.445455+02', '2022-11-02 13:05:21.445455+02', 'active', '{}', false) ON CONFLICT DO NOTHING;
-INSERT INTO public.organization_members VALUES ('580ed397-727d-4aaf-950a-51f89f556c24', 'bb640d07-ca8a-4869-b6bc-ae61ebb2fda1', '2022-11-02 13:05:21.447595+02', '2022-11-02 13:05:21.447595+02', '{}') ON CONFLICT DO NOTHING;
-INSERT INTO public.user_links(user_id, login_type, linked_id, oauth_access_token)
+INSERT INTO organization_members VALUES ('580ed397-727d-4aaf-950a-51f89f556c24', 'bb640d07-ca8a-4869-b6bc-ae61ebb2fda1', '2022-11-02 13:05:21.447595+02', '2022-11-02 13:05:21.447595+02', '{}') ON CONFLICT DO NOTHING;
+INSERT INTO user_links(user_id, login_type, linked_id, oauth_access_token)
 VALUES('580ed397-727d-4aaf-950a-51f89f556c24', 'github', '500', '');


-INSERT INTO public.users(id, email, username, hashed_password, created_at, updated_at, status, rbac_roles, deleted)
+INSERT INTO users(id, email, username, hashed_password, created_at, updated_at, status, rbac_roles, deleted)
 VALUES ('c813366b-2fde-45ae-920c-101c3ad6a1e1', 'dup_link_b@coder.com', 'dupe_b', '\x', '2022-11-02 13:05:21.445455+02', '2022-11-02 13:05:21.445455+02', 'active', '{}', false) ON CONFLICT DO NOTHING;
-INSERT INTO public.organization_members VALUES ('c813366b-2fde-45ae-920c-101c3ad6a1e1', 'bb640d07-ca8a-4869-b6bc-ae61ebb2fda1', '2022-11-02 13:05:21.447595+02', '2022-11-02 13:05:21.447595+02', '{}') ON CONFLICT DO NOTHING;
-INSERT INTO public.user_links(user_id, login_type, linked_id, oauth_access_token)
+INSERT INTO organization_members VALUES ('c813366b-2fde-45ae-920c-101c3ad6a1e1', 'bb640d07-ca8a-4869-b6bc-ae61ebb2fda1', '2022-11-02 13:05:21.447595+02', '2022-11-02 13:05:21.447595+02', '{}') ON CONFLICT DO NOTHING;
+INSERT INTO user_links(user_id, login_type, linked_id, oauth_access_token)
 VALUES('c813366b-2fde-45ae-920c-101c3ad6a1e1', 'github', '500', '');
@@ -1,4 +1,4 @@
-INSERT INTO public.workspace_app_stats (
+INSERT INTO workspace_app_stats (
 	id,
 	user_id,
 	workspace_id,
@@ -1,5 +1,5 @@
 INSERT INTO
-    public.workspace_modules (
+    workspace_modules (
        id,
        job_id,
        transition,
@@ -1,15 +1,15 @@
-INSERT INTO public.organizations (id, name, description, created_at, updated_at, is_default, display_name, icon) VALUES ('20362772-802a-4a72-8e4f-3648b4bfd168', 'strange_hopper58', 'wizardly_stonebraker60', '2025-02-07 07:46:19.507551 +00:00', '2025-02-07 07:46:19.507552 +00:00', false, 'competent_rhodes59', '');
+INSERT INTO organizations (id, name, description, created_at, updated_at, is_default, display_name, icon) VALUES ('20362772-802a-4a72-8e4f-3648b4bfd168', 'strange_hopper58', 'wizardly_stonebraker60', '2025-02-07 07:46:19.507551 +00:00', '2025-02-07 07:46:19.507552 +00:00', false, 'competent_rhodes59', '');

-INSERT INTO public.users (id, email, username, hashed_password, created_at, updated_at, status, rbac_roles, login_type, avatar_url, deleted, last_seen_at, quiet_hours_schedule, theme_preference, name, github_com_user_id, hashed_one_time_passcode, one_time_passcode_expires_at) VALUES ('6c353aac-20de-467b-bdfb-3c30a37adcd2', 'vigorous_murdock61', 'affectionate_hawking62', 'lqTu9C5363AwD7NVNH6noaGjp91XIuZJ', '2025-02-07 07:46:19.510861 +00:00', '2025-02-07 07:46:19.512949 +00:00', 'active', '{}', 'password', '', false, '0001-01-01 00:00:00.000000', '', '', 'vigilant_hugle63', null, null, null);
+INSERT INTO users (id, email, username, hashed_password, created_at, updated_at, status, rbac_roles, login_type, avatar_url, deleted, last_seen_at, quiet_hours_schedule, theme_preference, name, github_com_user_id, hashed_one_time_passcode, one_time_passcode_expires_at) VALUES ('6c353aac-20de-467b-bdfb-3c30a37adcd2', 'vigorous_murdock61', 'affectionate_hawking62', 'lqTu9C5363AwD7NVNH6noaGjp91XIuZJ', '2025-02-07 07:46:19.510861 +00:00', '2025-02-07 07:46:19.512949 +00:00', 'active', '{}', 'password', '', false, '0001-01-01 00:00:00.000000', '', '', 'vigilant_hugle63', null, null, null);

-INSERT INTO public.templates (id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, deprecated, activity_bump, max_port_sharing_level) VALUES ('6b298946-7a4f-47ac-9158-b03b08740a41', '2025-02-07 07:46:19.513317 +00:00', '2025-02-07 07:46:19.513317 +00:00', '20362772-802a-4a72-8e4f-3648b4bfd168', false, 'modest_leakey64', 'echo', 'e6cfa2a4-e4cf-4182-9e19-08b975682a28', 'upbeat_wright65', 604800000000000, '6c353aac-20de-467b-bdfb-3c30a37adcd2', 'nervous_keller66', '{}', '{"20362772-802a-4a72-8e4f-3648b4bfd168": ["read", "use"]}', 'determined_aryabhata67', false, true, true, 0, 0, 0, 0, 0, 0, false, '', 3600000000000, 'owner');
-INSERT INTO public.template_versions (id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id) VALUES ('af58bd62-428c-4c33-849b-d43a3be07d93', '6b298946-7a4f-47ac-9158-b03b08740a41', '20362772-802a-4a72-8e4f-3648b4bfd168', '2025-02-07 07:46:19.514782 +00:00', '2025-02-07 07:46:19.514782 +00:00', 'distracted_shockley68', 'sleepy_turing69', 'f2e2ea1c-5aa3-4a1d-8778-2e5071efae59', '6c353aac-20de-467b-bdfb-3c30a37adcd2', '[]', '', false, null);
+INSERT INTO templates (id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, deprecated, activity_bump, max_port_sharing_level) VALUES ('6b298946-7a4f-47ac-9158-b03b08740a41', '2025-02-07 07:46:19.513317 +00:00', '2025-02-07 07:46:19.513317 +00:00', '20362772-802a-4a72-8e4f-3648b4bfd168', false, 'modest_leakey64', 'echo', 'e6cfa2a4-e4cf-4182-9e19-08b975682a28', 'upbeat_wright65', 604800000000000, '6c353aac-20de-467b-bdfb-3c30a37adcd2', 'nervous_keller66', '{}', '{"20362772-802a-4a72-8e4f-3648b4bfd168": ["read", "use"]}', 'determined_aryabhata67', false, true, true, 0, 0, 0, 0, 0, 0, false, '', 3600000000000, 'owner');
+INSERT INTO template_versions (id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id) VALUES ('af58bd62-428c-4c33-849b-d43a3be07d93', '6b298946-7a4f-47ac-9158-b03b08740a41', '20362772-802a-4a72-8e4f-3648b4bfd168', '2025-02-07 07:46:19.514782 +00:00', '2025-02-07 07:46:19.514782 +00:00', 'distracted_shockley68', 'sleepy_turing69', 'f2e2ea1c-5aa3-4a1d-8778-2e5071efae59', '6c353aac-20de-467b-bdfb-3c30a37adcd2', '[]', '', false, null);

-INSERT INTO public.template_version_presets (id, template_version_id, name, created_at) VALUES ('28b42cc0-c4fe-4907-a0fe-e4d20f1e9bfe', 'af58bd62-428c-4c33-849b-d43a3be07d93', 'test', '0001-01-01 00:00:00.000000 +00:00');
+INSERT INTO template_version_presets (id, template_version_id, name, created_at) VALUES ('28b42cc0-c4fe-4907-a0fe-e4d20f1e9bfe', 'af58bd62-428c-4c33-849b-d43a3be07d93', 'test', '0001-01-01 00:00:00.000000 +00:00');

 -- Add presets with the same template version ID and name
 -- to ensure they're correctly handled by the 00031*_preset_prebuilds migration.
-INSERT INTO public.template_version_presets (
+INSERT INTO template_version_presets (
 	id, template_version_id, name, created_at
 )
 VALUES (
@@ -19,7 +19,7 @@ VALUES (
 	'0001-01-01 00:00:00.000000 +00:00'
 );

-INSERT INTO public.template_version_presets (
+INSERT INTO template_version_presets (
 	id, template_version_id, name, created_at
 )
 VALUES (
@@ -29,4 +29,4 @@ VALUES (
 	'0001-01-01 00:00:00.000000 +00:00'
 );

-INSERT INTO public.template_version_preset_parameters (id, template_version_preset_id, name, value) VALUES ('ea90ccd2-5024-459e-87e4-879afd24de0f', '28b42cc0-c4fe-4907-a0fe-e4d20f1e9bfe', 'test', 'test');
+INSERT INTO template_version_preset_parameters (id, template_version_preset_id, name, value) VALUES ('ea90ccd2-5024-459e-87e4-879afd24de0f', '28b42cc0-c4fe-4907-a0fe-e4d20f1e9bfe', 'test', 'test');
@@ -1,4 +1,4 @@
-INSERT INTO public.tasks VALUES (
+INSERT INTO tasks VALUES (
    'f5a1c3e4-8b2d-4f6a-9d7e-2a8b5c9e1f3d', -- id
    'bb640d07-ca8a-4869-b6bc-ae61ebb2fda1', -- organization_id
    '30095c71-380b-457a-8995-97b8ee6e5307', -- owner_id
@@ -11,7 +11,7 @@ INSERT INTO public.tasks VALUES (
    NULL                                    -- deleted_at
 ) ON CONFLICT DO NOTHING;

-INSERT INTO public.task_workspace_apps VALUES (
+INSERT INTO task_workspace_apps VALUES (
    'f5a1c3e4-8b2d-4f6a-9d7e-2a8b5c9e1f3d', -- task_id
    'a8c0b8c5-c9a8-4f33-93a4-8142e6858244', -- workspace_build_id
    '8fa17bbd-c48c-44c7-91ae-d4acbc755fad', -- workspace_agent_id
@@ -1,4 +1,4 @@
-INSERT INTO public.task_workspace_apps VALUES (
+INSERT INTO task_workspace_apps VALUES (
    'f5a1c3e4-8b2d-4f6a-9d7e-2a8b5c9e1f3d', -- task_id
    NULL,                                   -- workspace_agent_id
    NULL,                                   -- workspace_app_id
@@ -104,13 +104,8 @@ type sqlcQuerier interface {
 	DeleteOAuth2ProviderAppSecretByID(ctx context.Context, id uuid.UUID) error
 	DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx context.Context, arg DeleteOAuth2ProviderAppTokensByAppAndUserIDParams) error
 	// Cumulative count.
-	DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int64, error)
+	DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int32, error)
 	DeleteOldAuditLogConnectionEvents(ctx context.Context, arg DeleteOldAuditLogConnectionEventsParams) error
-	// Deletes old audit logs based on retention policy, excluding deprecated
-	// connection events (connect, disconnect, open, close) which are handled
-	// separately by DeleteOldAuditLogConnectionEvents.
-	DeleteOldAuditLogs(ctx context.Context, arg DeleteOldAuditLogsParams) (int64, error)
-	DeleteOldConnectionLogs(ctx context.Context, arg DeleteOldConnectionLogsParams) (int64, error)
 	// Delete all notification messages which have not been updated for over a week.
 	DeleteOldNotificationMessages(ctx context.Context) error
 	// Delete provisioner daemons that have been created at least a week ago
@@ -120,10 +115,10 @@ type sqlcQuerier interface {
 	DeleteOldProvisionerDaemons(ctx context.Context) error
 	// Deletes old telemetry locks from the telemetry_locks table.
 	DeleteOldTelemetryLocks(ctx context.Context, periodEndingAtBefore time.Time) error
-	// If an agent hasn't connected within the retention period, we purge its logs.
+	// If an agent hasn't connected in the last 7 days, we purge it's logs.
 	// Exception: if the logs are related to the latest build, we keep those around.
 	// Logs can take up a lot of space, so it's important we clean up frequently.
-	DeleteOldWorkspaceAgentLogs(ctx context.Context, threshold time.Time) (int64, error)
+	DeleteOldWorkspaceAgentLogs(ctx context.Context, threshold time.Time) error
 	DeleteOldWorkspaceAgentStats(ctx context.Context) error
 	DeleteOrganizationMember(ctx context.Context, arg DeleteOrganizationMemberParams) error
 	DeleteProvisionerKey(ctx context.Context, id uuid.UUID) error
@@ -6107,6 +6107,56 @@ func TestGetWorkspaceAgentsByParentID(t *testing.T) {
 	})
 }

+func TestGetWorkspaceAgentByInstanceID(t *testing.T) {
+	t.Parallel()
+
+	// Context: https://github.com/coder/coder/pull/22196
+	t.Run("DoesNotReturnSubAgents", func(t *testing.T) {
+		t.Parallel()
+
+		// Given: A parent workspace agent with an AuthInstanceID and a
+		// sub-agent that shares the same AuthInstanceID.
+		db, _ := dbtestutil.NewDB(t)
+		org := dbgen.Organization(t, db, database.Organization{})
+		job := dbgen.ProvisionerJob(t, db, nil, database.ProvisionerJob{
+			Type:           database.ProvisionerJobTypeTemplateVersionImport,
+			OrganizationID: org.ID,
+		})
+		resource := dbgen.WorkspaceResource(t, db, database.WorkspaceResource{
+			JobID: job.ID,
+		})
+
+		authInstanceID := fmt.Sprintf("instance-%s-%d", t.Name(), time.Now().UnixNano())
+		parentAgent := dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{
+			ResourceID: resource.ID,
+			AuthInstanceID: sql.NullString{
+				String: authInstanceID,
+				Valid:  true,
+			},
+		})
+		// Create a sub-agent with the same AuthInstanceID (simulating
+		// the old behavior before the fix).
+		_ = dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{
+			ParentID:   uuid.NullUUID{UUID: parentAgent.ID, Valid: true},
+			ResourceID: resource.ID,
+			AuthInstanceID: sql.NullString{
+				String: authInstanceID,
+				Valid:  true,
+			},
+		})
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		// When: We look up the agent by instance ID.
+		agent, err := db.GetWorkspaceAgentByInstanceID(ctx, authInstanceID)
+		require.NoError(t, err)
+
+		// Then: The result must be the parent agent, not the sub-agent.
+		assert.Equal(t, parentAgent.ID, agent.ID, "instance ID lookup should return the parent agent, not a sub-agent")
+		assert.False(t, agent.ParentID.Valid, "returned agent should not have a parent (should be the parent itself)")
+	})
+}
+
 func requireUsersMatch(t testing.TB, expected []database.User, found []database.GetUsersRow, msg string) {
 	t.Helper()
 	require.ElementsMatch(t, expected, database.ConvertUserRows(found), msg)
@@ -354,18 +354,17 @@ WITH
    WHERE id IN (SELECT id FROM to_delete)
    RETURNING 1
  )
-SELECT (
+SELECT
  (SELECT COUNT(*) FROM tool_usages) +
  (SELECT COUNT(*) FROM token_usages) +
  (SELECT COUNT(*) FROM user_prompts) +
-  (SELECT COUNT(*) FROM interceptions)
-)::bigint as total_deleted
+  (SELECT COUNT(*) FROM interceptions) as total_deleted
 `

 // Cumulative count.
-func (q *sqlQuerier) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int64, error) {
+func (q *sqlQuerier) DeleteOldAIBridgeRecords(ctx context.Context, beforeTime time.Time) (int32, error) {
 	row := q.db.QueryRowContext(ctx, deleteOldAIBridgeRecords, beforeTime)
-	var total_deleted int64
+	var total_deleted int32
 	err := row.Scan(&total_deleted)
 	return total_deleted, err
 }
@@ -1108,20 +1107,24 @@ func (q *sqlQuerier) DeleteApplicationConnectAPIKeysByUserID(ctx context.Context
 	return err
 }

-const deleteExpiredAPIKeys = `-- name: DeleteExpiredAPIKeys :execrows
+const deleteExpiredAPIKeys = `-- name: DeleteExpiredAPIKeys :one
 WITH expired_keys AS (
 	SELECT id
 	FROM api_keys
 	-- expired keys only
 	WHERE expires_at < $1::timestamptz
 	LIMIT $2
-)
-DELETE FROM
-	api_keys
-USING
-	expired_keys
-WHERE
-	api_keys.id = expired_keys.id
+),
+deleted_rows AS (
+	 DELETE FROM
+		 api_keys
+	 USING
+		 expired_keys
+	 WHERE
+		 api_keys.id = expired_keys.id
+	 RETURNING api_keys.id
+ )
+SELECT COUNT(deleted_rows.id) AS deleted_count FROM deleted_rows
 `

 type DeleteExpiredAPIKeysParams struct {
@@ -1130,11 +1133,10 @@ type DeleteExpiredAPIKeysParams struct {
 }

 func (q *sqlQuerier) DeleteExpiredAPIKeys(ctx context.Context, arg DeleteExpiredAPIKeysParams) (int64, error) {
-	result, err := q.db.ExecContext(ctx, deleteExpiredAPIKeys, arg.Before, arg.LimitCount)
-	if err != nil {
-		return 0, err
-	}
-	return result.RowsAffected()
+	row := q.db.QueryRowContext(ctx, deleteExpiredAPIKeys, arg.Before, arg.LimitCount)
+	var deleted_count int64
+	err := row.Scan(&deleted_count)
+	return deleted_count, err
 }

 const expirePrebuildsAPIKeys = `-- name: ExpirePrebuildsAPIKeys :exec
@@ -1635,37 +1637,6 @@ func (q *sqlQuerier) DeleteOldAuditLogConnectionEvents(ctx context.Context, arg
 	return err
 }

-const deleteOldAuditLogs = `-- name: DeleteOldAuditLogs :execrows
-WITH old_logs AS (
-    SELECT id
-    FROM audit_logs
-    WHERE
-        "time" < $1::timestamp with time zone
-        AND action NOT IN ('connect', 'disconnect', 'open', 'close')
-    ORDER BY "time" ASC
-    LIMIT $2
-)
-DELETE FROM audit_logs
-USING old_logs
-WHERE audit_logs.id = old_logs.id
-`
-
-type DeleteOldAuditLogsParams struct {
-	BeforeTime time.Time `db:"before_time" json:"before_time"`
-	LimitCount int32     `db:"limit_count" json:"limit_count"`
-}
-
-// Deletes old audit logs based on retention policy, excluding deprecated
-// connection events (connect, disconnect, open, close) which are handled
-// separately by DeleteOldAuditLogConnectionEvents.
-func (q *sqlQuerier) DeleteOldAuditLogs(ctx context.Context, arg DeleteOldAuditLogsParams) (int64, error) {
-	result, err := q.db.ExecContext(ctx, deleteOldAuditLogs, arg.BeforeTime, arg.LimitCount)
-	if err != nil {
-		return 0, err
-	}
-	return result.RowsAffected()
-}
-
 const getAuditLogsOffset = `-- name: GetAuditLogsOffset :many
 SELECT audit_logs.id, audit_logs.time, audit_logs.user_id, audit_logs.organization_id, audit_logs.ip, audit_logs.user_agent, audit_logs.resource_type, audit_logs.resource_id, audit_logs.resource_target, audit_logs.action, audit_logs.diff, audit_logs.status_code, audit_logs.additional_fields, audit_logs.request_id, audit_logs.resource_icon,
 	-- sqlc.embed(users) would be nice but it does not seem to play well with
@@ -2124,32 +2095,6 @@ func (q *sqlQuerier) CountConnectionLogs(ctx context.Context, arg CountConnectio
 	return count, err
 }

-const deleteOldConnectionLogs = `-- name: DeleteOldConnectionLogs :execrows
-WITH old_logs AS (
-	SELECT id
-	FROM connection_logs
-	WHERE connect_time < $1::timestamp with time zone
-	ORDER BY connect_time ASC
-	LIMIT $2
-)
-DELETE FROM connection_logs
-USING old_logs
-WHERE connection_logs.id = old_logs.id
-`
-
-type DeleteOldConnectionLogsParams struct {
-	BeforeTime time.Time `db:"before_time" json:"before_time"`
-	LimitCount int32     `db:"limit_count" json:"limit_count"`
-}
-
-func (q *sqlQuerier) DeleteOldConnectionLogs(ctx context.Context, arg DeleteOldConnectionLogsParams) (int64, error) {
-	result, err := q.db.ExecContext(ctx, deleteOldConnectionLogs, arg.BeforeTime, arg.LimitCount)
-	if err != nil {
-		return 0, err
-	}
-	return result.RowsAffected()
-}
-
 const getConnectionLogsOffset = `-- name: GetConnectionLogsOffset :many
 SELECT
 	connection_logs.id, connection_logs.connect_time, connection_logs.organization_id, connection_logs.workspace_owner_id, connection_logs.workspace_id, connection_logs.workspace_name, connection_logs.agent_name, connection_logs.type, connection_logs.ip, connection_logs.code, connection_logs.user_agent, connection_logs.user_id, connection_logs.slug_or_port, connection_logs.connection_id, connection_logs.disconnect_time, connection_logs.disconnect_reason,
@@ -17847,7 +17792,7 @@ func (q *sqlQuerier) UpdateVolumeResourceMonitor(ctx context.Context, arg Update
 	return err
 }

-const deleteOldWorkspaceAgentLogs = `-- name: DeleteOldWorkspaceAgentLogs :execrows
+const deleteOldWorkspaceAgentLogs = `-- name: DeleteOldWorkspaceAgentLogs :exec
 WITH
 	latest_builds AS (
 		SELECT
@@ -17890,15 +17835,12 @@ WITH
 DELETE FROM workspace_agent_logs WHERE agent_id IN (SELECT id FROM old_agents)
 `

-// If an agent hasn't connected within the retention period, we purge its logs.
+// If an agent hasn't connected in the last 7 days, we purge it's logs.
 // Exception: if the logs are related to the latest build, we keep those around.
 // Logs can take up a lot of space, so it's important we clean up frequently.
-func (q *sqlQuerier) DeleteOldWorkspaceAgentLogs(ctx context.Context, threshold time.Time) (int64, error) {
-	result, err := q.db.ExecContext(ctx, deleteOldWorkspaceAgentLogs, threshold)
-	if err != nil {
-		return 0, err
-	}
-	return result.RowsAffected()
+func (q *sqlQuerier) DeleteOldWorkspaceAgentLogs(ctx context.Context, threshold time.Time) error {
+	_, err := q.db.ExecContext(ctx, deleteOldWorkspaceAgentLogs, threshold)
+	return err
 }

 const deleteWorkspaceSubAgentByID = `-- name: DeleteWorkspaceSubAgentByID :exec
@@ -18110,6 +18052,8 @@ WHERE
 	auth_instance_id = $1 :: TEXT
 	-- Filter out deleted sub agents.
 	AND deleted = FALSE
+	-- Filter out sub agents, they do not authenticate with auth_instance_id.
+	AND parent_id IS NULL
 ORDER BY
 	created_at DESC
 `
@@ -23853,7 +23797,6 @@ SET
 WHERE
    template_id = $3
 	AND dormant_at IS NOT NULL
-	AND deleted = false
 	-- Prebuilt workspaces (identified by having the prebuilds system user as owner_id)
 	-- should not have their dormant or deleting at set, as these are handled by the
    -- prebuilds reconciliation loop.
@@ -360,9 +360,8 @@ WITH
    RETURNING 1
  )
 -- Cumulative count.
-SELECT (
+SELECT
  (SELECT COUNT(*) FROM tool_usages) +
  (SELECT COUNT(*) FROM token_usages) +
  (SELECT COUNT(*) FROM user_prompts) +
-  (SELECT COUNT(*) FROM interceptions)
-)::bigint as total_deleted;
+  (SELECT COUNT(*) FROM interceptions) as total_deleted;
@@ -85,20 +85,25 @@ DELETE FROM
 WHERE
 	user_id = $1;

-- name: DeleteExpiredAPIKeys :execrows
+-- name: DeleteExpiredAPIKeys :one
 WITH expired_keys AS (
 	SELECT id
 	FROM api_keys
 	-- expired keys only
 	WHERE expires_at < @before::timestamptz
 	LIMIT @limit_count
-)
-DELETE FROM
-	api_keys
-USING
-	expired_keys
-WHERE
-	api_keys.id = expired_keys.id;
+),
+deleted_rows AS (
+	 DELETE FROM
+		 api_keys
+	 USING
+		 expired_keys
+	 WHERE
+		 api_keys.id = expired_keys.id
+	 RETURNING api_keys.id
+ )
+SELECT COUNT(deleted_rows.id) AS deleted_count FROM deleted_rows;
+;

 -- name: ExpirePrebuildsAPIKeys :exec
 -- Firstly, collect api_keys owned by the prebuilds user that correlate
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Rowan Smith	031d99288a	chore: switch agent gone response from 502 to 404 (backport #23090 ) (#23634 ) Backport of #23090 to `release/2.29`. When a user creates a workspace, opens the web terminal, then the workspace stops but the web terminal remains open, the web terminal will retry the connection. Coder would issue a HTTP 502 Bad Gateway response when this occurred because coderd could not connect to the workspace agent, however this is problematic as any load balancer sitting in front of Coder sees a 502 and thinks Coder is unhealthy. This PR changes the response to a HTTP 404 after internal discussion. Cherry-picked from merge commit `c33812a430`. The conflict in `coderd/workspaceapps/errors.go` was resolved by applying the status code change (502 → 404) while keeping the existing `RetryEnabled`/`DashboardURL` fields (the `Actions` refactor is not on this branch).	2026-03-25 16:49:51 -04:00
Rowan Smith	afb2fc6faf	fix: prevent ui error when last org member is removed (#23017 ) Backport of #22975 to release/2.29.	2026-03-25 15:47:37 -04:00
Steven Masley	dc7be5f43a	chore: update to Go 1.25.6 and coder/preview to 1.08 (cherry 2.29) (#23228 ) - Update Go version from 1.24.11 to 1.25.6 - Remove dependency on `moby` for `namesgenerator` - Disable any use of trivy in zizmor GH action linting (https://github.com/coder/coder/pull/23228/commits/17532ef2a8e40784499c36d3e7b871a2109d9bf2) --------- (cherry picked from commit `3ee4f6d0ec`) (cherry picked from commit https://github.com/coder/coder/commit/091d31224d2fe00d83695adcc53a225842dbb8d3) (cherry picked from commit https://github.com/coder/coder/commit/b44a421412a12ef7222322c68109426fb1f65286) --------- Co-authored-by: Danny Kopping <danny@coder.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Zach <3724288+zedkipp@users.noreply.github.com>	2026-03-25 15:46:57 -04:00
Charlie Voiselle	4ee29d078d	fix: open coder_app links in new tab when open_in is tab (cherry-pick #23000 ) (#23623 ) Cherry-pick of #23000 onto release/2.29.	2026-03-25 15:31:12 -04:00
Rowan Smith	50c4832f41	fix: avoid derp-related panic during wsproxy registration (backport release/2.29) (#22342 ) Backport of #22322. - Cherry-picked `7f03bd7`. Co-authored-by: Dean Sheather <dean@deansheather.com>	2026-03-03 13:25:55 -05:00
Lukasz	5c99fed1f1	chore: update Go from 1.24.10 to 1.24.13 (#22473 ) Update Go from 1.24.10 to 1.24.13 This update resolves 9 vulnerabilities across three minor releases (1.24.11, 1.24.12, and 1.24.13) --------- Co-authored-by: Jakub Domeracki <jakub@coder.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-03 12:24:44 +01:00
Cian Johnston	72d05f322b	fix(stringutil): operate on runes instead of bytes in Truncate (#22388 ) (#22468 ) Fixes https://github.com/coder/coder/issues/22375 Updates `stringutil.Truncate` to properly handle multi-byte UTF-8 characters. Adds tests for multi-byte truncation with word boundary. Created by Mux using Opus 4.6 (cherry picked from commit `0cfa03718e`)	2026-03-02 11:19:33 +00:00
Jakub Domeracki	8a097ee635	feat(site)!: add consent prompt for auto-creation with prefilled parameters (#22256 ) Cherry-pick of `60e3ab7632` from main. Workspace created via mode=auto links now require explicit user confirmation before provisioning. A warning dialog shows all prefilled param.* values from the URL and blocks creation until the user clicks `Confirm and Create`. Clicking `Cancel` falls back to the standard form view. ### Breaking behavior change Links using `mode=auto` (e.g., "Open in Coder" buttons) will no longer silently create workspaces. Users will now see a consent dialog and must explicitly confirm before the workspace is provisioned. Original PR: #22011 Co-authored-by: Kacper Sawicki <kacper@coder.com> Co-authored-by: Jake Howell <jacob@coder.com>	2026-02-23 17:37:57 -05:00
Danielle Maywood	2ca88b0f07	fix: avoid re-using `AuthInstanceID` for sub agents (#22196 ) (#22212 ) Parent agents were re-using AuthInstanceID when spawning child agents. This caused GetWorkspaceAgentByInstanceID to return the most recently created sub agent instead of the parent when the parent tried to refetch its own manifest. Fix by not reusing AuthInstanceID for sub agents, and updating GetWorkspaceAgentByInstanceID to filter them out entirely. --- Cherry picked from `911d734df9`	2026-02-23 17:37:41 -05:00
Jake Howell	79a0ff8249	feat: convert `soft_limit` to `limit` (cherry-pick/v2.29) (#22207 ) Related [`internal#1281`](https://github.com/coder/internal/issues/1281) Cherry picks two pull-requests in `release/2.29`. * https://github.com/coder/coder/pull/22048 * https://github.com/coder/coder/pull/21998 * https://github.com/coder/coder/pull/22210	2026-02-23 17:37:15 -05:00
Lukasz	7819c471f7	chore: bump bundled terraform to 1.14.5 for 2.29 (#22193 ) Description: This PR updates the bundled Terraform binary and related version pins from 1.13.4 to 1.14.5 (base image, installer fallback, and CI/test fixtures). Terraform is statically built with an embedded Go runtime. Moving to 1.14.5 updates the embedded toolchain and is intended to address Go stdlib CVEs reported by security scanning. Notes: - Change is version-only; no functional Coder logic changes. - Backport-friendly: intended to be cherry-picked to release branches after merge. --------- Co-authored-by: Jakub Domeracki <jakub@coder.com> Co-authored-by: Dean Sheather <dean@deansheather.com>	2026-02-23 15:32:41 +01:00
Lukasz	3aa8212aac	chore: bump versions of gh actions for 2.29 (#22218 ) Update gh actions: - aquasecurity/trivy-action v0.34.0 - harden-runner v2.14.2	2026-02-20 12:49:36 +01:00
Jon Ayers	8b2f472f71	chore: use old slog (#21959 )	2026-02-05 16:35:41 -06:00
Jon Ayers	13337a193c	chore: fix go.mod (#21958 )	2026-02-05 16:23:04 -06:00
Jon Ayers	b275be2e7a	chore: backport fixes (#21957 )	2026-02-05 16:09:41 -06:00
Lukasz	72afd3677c	chore: bump alpine to 3.23.3 in release/2.29 (#21879 ) (cherry picked from commit `3d97f677e5`) Co-authored-by: Jon Ayers <jon@coder.com>	2026-02-03 09:12:15 -06:00
Dean Sheather	7dfaa606ee	fix: fix various AI task usage accounting bugs (#21723 ) <!-- If you have used AI to produce some or all of this PR, please ensure you have read our [AI Contribution guidelines](https://coder.com/docs/about/contributing/AI_CONTRIBUTING) before submitting. --> --------- Co-authored-by: Cian Johnston <cian@coder.com> Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>	2026-01-29 10:06:45 -06:00
Cian Johnston	0c3144fc32	fix(coderd): ensure inbox WebSocket is closed when client disconnects… (#21684 ) … (#21652) Relates to https://github.com/coder/coder/issues/19715 This is similar to https://github.com/coder/coder/pull/19711 This endpoint works by doing the following: - Subscribing to the database's with pubsub - Accepts a WebSocket upgrade - Starts a `httpapi.Heartbeat` - Creates a json encoder - Infinitely loops waiting for notification until request context cancelled The critical issue here is that `httpapi.Heartbeat` silently fails when the client has disconnected. This means we never cancel the request context, leaving the WebSocket alive until we receive a notification from the database and fail to write that down the pipe. By replacing usage of `httpapi.Heartbeat` with `httpapi.HeartbeatClose`, we cancel the context _when the heartbeat fails to write_ due to the client disconnecting. This allows us to cleanup without waiting for a notification to come through the pubsub channel. (cherry picked from commit `409360c62d`) <!-- If you have used AI to produce some or all of this PR, please ensure you have read our [AI Contribution guidelines](https://coder.com/docs/about/contributing/AI_CONTRIBUTING) before submitting. --> Co-authored-by: Danielle Maywood <danielle@themaywoods.com>	2026-01-26 09:28:04 -06:00
Cian Johnston	b5360a9180	fix: backport migration fixes (#21611 ) * https://github.com/coder/coder/pull/21493 * https://github.com/coder/coder/pull/21496 * https://github.com/coder/coder/pull/21530 NB these commits were originally authored by Blink on behalf of @dannykopping, so amended to reflect actual authorship. Repro/Verification Steps: * Created a Coder deployment with a non-public schema via Docker compose on v2.28.6: * Created a DB init script under `db-init/01-create-schema.sql` with the following: ```sql CREATE SCHEMA IF NOT EXISTS coder AUTHORIZATION coder; GRANT ALL PRIVILEGES ON SCHEMA coder TO coder; ALTER ROLE coder SET search_path TO coder; ``` * Mounted above inside the `postgres` container: ```diff volumes: - coder_data:/var/lib/postgresql/data + - ./db-init:/docker-entrypoint-initdb.d:ro ``` * Edited `CODER_PG_CONNECTION_URL` to update the search path: ```diff environment: - CODER_PG_CONNECTION_URL: "postgresql://${POSTGRES_USER:-username}:${POSTGRES_PASSWORD:-password}@database/${POSTGRES_DB:-coder}?sslmode=disable" + CODER_PG_CONNECTION_URL: "postgresql://${POSTGRES_USER:-username}:${POSTGRES_PASSWORD:-password}@database/${POSTGRES_DB:-coder}?sslmode=disable&search_path=coder" ``` * Brought up the deployment: ```shell CODER_VERSION=v2.28.6 CODER_ACCESS_URL=http://localhost:7080 POSTGRES_USER=coder POSTGRES_PASSWORD=coder docker compose up` ``` * Created user / template / workspace * Updated to `v2.29.1`: * ```shell CODER_VERSION=v2.29.1 CODER_ACCESS_URL=http://localhost:7080 POSTGRES_USER=coder POSTGRES_PASSWORD=coder docker compose up` ``` * Observed following error: ``` database-1 \| 2026-01-21 15:07:17.629 UTC [102] ERROR: relation "public.workspace_agents" does not exist coder-1 \| Encountered an error running "coder server", see "coder server --help" for more information database-1 \| 2026-01-21 15:07:17.629 UTC [102] STATEMENT: CREATE INDEX IF NOT EXISTS workspace_agents_auth_instance_id_deleted_idx ON public.workspace_agents (auth_instance_id, deleted); coder-1 \| error: connect to postgres: connect to postgres: migrate up: up: 2 errors occurred: coder-1 \| * run statement: migration failed: relation "public.workspace_agents" does not exist in line 0: CREATE INDEX IF NOT EXISTS workspace_agents_auth_instance_id_deleted_idx ON public.workspace_agents (auth_instance_id, deleted); coder-1 \| (details: pq: relation "public.workspace_agents" does not exist) coder-1 \| * commit tx on unlock: pq: Could not complete operation in a failed transaction coder-1 exited with code 1 ``` * Built image locally: ```console $ make build/coder_$(./scripts/version.sh)_linux_amd64.tag ... ghcr.io/coder/coder:v2.29.1-devel-e8c482a98a67-amd64 ``` * Started with new image: ```shell CODER_VERSION=v2.29.1-devel-e8c482a98a67-amd64 CODER_ACCESS_URL=http://localhost:7080 POSTGRES_USER=coder POSTGRES_PASSWORD=coder docker compose up ``` * Observed migrations ran successfully and Coder came up successfully --------- Signed-off-by: Danny Kopping <danny@coder.com> Co-authored-by: Danny Kopping <danny@coder.com> Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>	2026-01-21 15:45:58 +00:00
Kacper Sawicki	2e2d0dde44	feat(cli): backport #21374 to 2.29 (#21561 ) backport #21374 to 2.29 feat(cli): add --no-build flag to state push for state-only updates #21374	2026-01-20 15:46:46 -06:00
Kacper Sawicki	2314e4a94e	fix: backport update boundary version to 2.29 (#21290 ) (#21575 ) fix: update boundary version https://github.com/coder/coder/pull/21290 required by https://github.com/coder/coder/pull/21561 Co-authored-by: Yevhenii Shcherbina <evgeniy.shcherbina.es@gmail.com>	2026-01-20 11:19:53 +01:00
blinkagent[bot]	bd76c602e4	chore: add antigravity to allowed protocols list (#20873 ) (#21122 ) Co-authored-by: DevCats <christofer@coder.com> Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com> Co-authored-by: Atif Ali <atif@coder.com>	2025-12-29 13:29:28 +05:00
Jakub Domeracki	59cdd7e21f	chore: update react to apply patch for CVE-2025-55182 (#21084 ) (#21168 ) Reference: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components > Please note that coder deployments aren't vulnerable since [React Server Components](https://react.dev/reference/rsc/server-components) aren't in use --------- Co-authored-by: blinkagent[bot] <237617714+blinkagent[bot]@users.noreply.github.com> Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>	2025-12-09 09:34:16 -06:00
blinkagent[bot]	ba71b321bc	fix: remove a sensitive field from an agent log line (#20968 ) (#21063 ) This PR removes a log field that could expose sensitive information in agent logs for workspaces that pass such information to the agent via its manifest. (cherry picked from commit `1d726c81bb`) Co-authored-by: Sas Swart <sas.swart.cdk@gmail.com>	2025-12-02 11:33:50 -06:00
Callum Styan	c94c470aae	fix: pass context with authorization to agentapi (#21045 ) cherry pick 20959 into release branch Signed-off-by: Callum Styan <callumstyan@gmail.com>	2025-12-01 14:16:30 -06:00
Zach	8430dd648a	fix(cli): remove defaulting to keyring when --global-config set (cherry-pick) (#20953 ) (cherry picked from commit `bbf7b137da`)	2025-12-01 14:09:54 -06:00
Susana Ferreira	0bd0990e14	feat: add notification warning alert to Tasks page (#20900 ) (#20981 ) Related to PR: https://github.com/coder/coder/pull/20900 (cherry picked from commit `f8d9a8046f`)	2025-12-01 14:08:50 -06:00
Susana Ferreira	10e70f8c51	fix: show task display name in task topbar (#20957 ) (#20980 ) Related to PR: https://github.com/coder/coder/pull/20957 (cherry picked from commit `21efebeadc`)	2025-12-01 14:08:01 -06:00
Sas Swart	abe66a38eb	feat: implement agent socket api, client and cli (#20758 ) (#20976 )	2025-12-01 14:07:40 -06:00
Jake Howell	cd9d3ef46f	fix: ensure we check if the user can actually see `ai bridge` (#20964 )	2025-12-01 14:07:18 -06:00
Mathias Fredriksson	c0a2522bd6	fix(site): only show active tasks in waiting for input tab (#20933 ) (#20955 )	2025-12-01 14:06:44 -06:00
Danny Kopping	dfa25d5f00	chore: document bedrock setup process for `aibridge` (#20956 ) (#20966 ) Cherry-pick of https://github.com/coder/coder/pull/20956 Signed-off-by: Danny Kopping <danny@coder.com>	2025-11-28 13:09:10 +05:00