chore: update react to apply patch for CVE-2025-55182 (not vulnerable)

This PR removes a log field that could expose sensitive information in
agent logs for workspaces that pass such information to the agent via
its manifest.

(cherry picked from commit 1d726c81bb)

Co-authored-by: Sas Swart <sas.swart.cdk@gmail.com>

.github/.linkspector.yml

@@ -27,7 +27,7 @@ ignorePatterns:
   - pattern: "splunk.com"
   - pattern: "stackoverflow.com/questions"
   - pattern: "developer.hashicorp.com/terraform/language"
-  - pattern: "platform.openai.com/docs/api-reference"
+  - pattern: "platform.openai.com"
   - pattern: "api.openai.com"
 aliveStatusCodes:
   - 200

CODEOWNERS

@@ -27,3 +27,5 @@ coderd/schedule/autostop.go @deansheather @DanielleMaywood
 # well as guidance from revenue.
 coderd/usage/ @deansheather @spikecurtis
 enterprise/coderd/usage/ @deansheather @spikecurtis
+
+.github/ 	@jdomeracki-coder

agent/agent.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"hash/fnv"
 	"io"
+	"maps"
 	"net"
 	"net/http"
 	"net/netip"
@@ -40,6 +41,7 @@ import (
 	"github.com/coder/coder/v2/agent/agentcontainers"
 	"github.com/coder/coder/v2/agent/agentexec"
 	"github.com/coder/coder/v2/agent/agentscripts"
+	"github.com/coder/coder/v2/agent/agentsocket"
 	"github.com/coder/coder/v2/agent/agentssh"
 	"github.com/coder/coder/v2/agent/proto"
 	"github.com/coder/coder/v2/agent/proto/resourcesmonitor"
@@ -70,16 +72,21 @@ const (
 )
 
 type Options struct {
-	Filesystem                   afero.Fs
-	LogDir                       string
-	TempDir                      string
-	ScriptDataDir                string
-	Client                       Client
-	ReconnectingPTYTimeout       time.Duration
-	EnvironmentVariables         map[string]string
-	Logger                       slog.Logger
-	IgnorePorts                  map[int]string
-	PortCacheDuration            time.Duration
+	Filesystem             afero.Fs
+	LogDir                 string
+	TempDir                string
+	ScriptDataDir          string
+	Client                 Client
+	ReconnectingPTYTimeout time.Duration
+	EnvironmentVariables   map[string]string
+	Logger                 slog.Logger
+	// IgnorePorts tells the api handler which ports to ignore when
+	// listing all listening ports. This is helpful to hide ports that
+	// are used by the agent, that the user does not care about.
+	IgnorePorts map[int]string
+	// ListeningPortsGetter is used to get the list of listening ports. Only
+	// tests should set this. If unset, a default that queries the OS will be used.
+	ListeningPortsGetter         ListeningPortsGetter
 	SSHMaxTimeout                time.Duration
 	TailnetListenPort            uint16
 	Subsystems                   []codersdk.AgentSubsystem
@@ -91,6 +98,8 @@ type Options struct {
 	Devcontainers                bool
 	DevcontainerAPIOptions       []agentcontainers.Option // Enable Devcontainers for these to be effective.
 	Clock                        quartz.Clock
+	SocketServerEnabled          bool
+	SocketPath                   string // Path for the agent socket server socket
 }
 
 type Client interface {
@@ -137,9 +146,7 @@ func New(options Options) Agent {
 	if options.ServiceBannerRefreshInterval == 0 {
 		options.ServiceBannerRefreshInterval = 2 * time.Minute
 	}
-	if options.PortCacheDuration == 0 {
-		options.PortCacheDuration = 1 * time.Second
-	}
+
 	if options.Clock == nil {
 		options.Clock = quartz.NewReal()
 	}
@@ -153,30 +160,38 @@ func New(options Options) Agent {
 		options.Execer = agentexec.DefaultExecer
 	}
 
+	if options.ListeningPortsGetter == nil {
+		options.ListeningPortsGetter = &osListeningPortsGetter{
+			cacheDuration: 1 * time.Second,
+		}
+	}
+
 	hardCtx, hardCancel := context.WithCancel(context.Background())
 	gracefulCtx, gracefulCancel := context.WithCancel(hardCtx)
 	a := &agent{
-		clock:                              options.Clock,
-		tailnetListenPort:                  options.TailnetListenPort,
-		reconnectingPTYTimeout:             options.ReconnectingPTYTimeout,
-		logger:                             options.Logger,
-		gracefulCtx:                        gracefulCtx,
-		gracefulCancel:                     gracefulCancel,
-		hardCtx:                            hardCtx,
-		hardCancel:                         hardCancel,
-		coordDisconnected:                  make(chan struct{}),
-		environmentVariables:               options.EnvironmentVariables,
-		client:                             options.Client,
-		filesystem:                         options.Filesystem,
-		logDir:                             options.LogDir,
-		tempDir:                            options.TempDir,
-		scriptDataDir:                      options.ScriptDataDir,
-		lifecycleUpdate:                    make(chan struct{}, 1),
-		lifecycleReported:                  make(chan codersdk.WorkspaceAgentLifecycle, 1),
-		lifecycleStates:                    []agentsdk.PostLifecycleRequest{{State: codersdk.WorkspaceAgentLifecycleCreated}},
-		reportConnectionsUpdate:            make(chan struct{}, 1),
-		ignorePorts:                        options.IgnorePorts,
-		portCacheDuration:                  options.PortCacheDuration,
+		clock:                   options.Clock,
+		tailnetListenPort:       options.TailnetListenPort,
+		reconnectingPTYTimeout:  options.ReconnectingPTYTimeout,
+		logger:                  options.Logger,
+		gracefulCtx:             gracefulCtx,
+		gracefulCancel:          gracefulCancel,
+		hardCtx:                 hardCtx,
+		hardCancel:              hardCancel,
+		coordDisconnected:       make(chan struct{}),
+		environmentVariables:    options.EnvironmentVariables,
+		client:                  options.Client,
+		filesystem:              options.Filesystem,
+		logDir:                  options.LogDir,
+		tempDir:                 options.TempDir,
+		scriptDataDir:           options.ScriptDataDir,
+		lifecycleUpdate:         make(chan struct{}, 1),
+		lifecycleReported:       make(chan codersdk.WorkspaceAgentLifecycle, 1),
+		lifecycleStates:         []agentsdk.PostLifecycleRequest{{State: codersdk.WorkspaceAgentLifecycleCreated}},
+		reportConnectionsUpdate: make(chan struct{}, 1),
+		listeningPortsHandler: listeningPortsHandler{
+			getter:      options.ListeningPortsGetter,
+			ignorePorts: maps.Clone(options.IgnorePorts),
+		},
 		reportMetadataInterval:             options.ReportMetadataInterval,
 		announcementBannersRefreshInterval: options.ServiceBannerRefreshInterval,
 		sshMaxTimeout:                      options.SSHMaxTimeout,
@@ -190,6 +205,8 @@ func New(options Options) Agent {
 
 		devcontainers:       options.Devcontainers,
 		containerAPIOptions: options.DevcontainerAPIOptions,
+		socketPath:          options.SocketPath,
+		socketServerEnabled: options.SocketServerEnabled,
 	}
 	// Initially, we have a closed channel, reflecting the fact that we are not initially connected.
 	// Each time we connect we replace the channel (while holding the closeMutex) with a new one
@@ -202,20 +219,16 @@ func New(options Options) Agent {
 }
 
 type agent struct {
-	clock             quartz.Clock
-	logger            slog.Logger
-	client            Client
-	tailnetListenPort uint16
-	filesystem        afero.Fs
-	logDir            string
-	tempDir           string
-	scriptDataDir     string
-	// ignorePorts tells the api handler which ports to ignore when
-	// listing all listening ports. This is helpful to hide ports that
-	// are used by the agent, that the user does not care about.
-	ignorePorts       map[int]string
-	portCacheDuration time.Duration
-	subsystems        []codersdk.AgentSubsystem
+	clock                 quartz.Clock
+	logger                slog.Logger
+	client                Client
+	tailnetListenPort     uint16
+	filesystem            afero.Fs
+	logDir                string
+	tempDir               string
+	scriptDataDir         string
+	listeningPortsHandler listeningPortsHandler
+	subsystems            []codersdk.AgentSubsystem
 
 	reconnectingPTYTimeout time.Duration
 	reconnectingPTYServer  *reconnectingpty.Server
@@ -271,6 +284,10 @@ type agent struct {
 	devcontainers       bool
 	containerAPIOptions []agentcontainers.Option
 	containerAPI        *agentcontainers.API
+
+	socketServerEnabled bool
+	socketPath          string
+	socketServer        *agentsocket.Server
 }
 
 func (a *agent) TailnetConn() *tailnet.Conn {
@@ -350,9 +367,32 @@ func (a *agent) init() {
 			s.ExperimentalContainers = a.devcontainers
 		},
 	)
+
+	a.initSocketServer()
+
 	go a.runLoop()
 }
 
+// initSocketServer initializes server that allows direct communication with a workspace agent using IPC.
+func (a *agent) initSocketServer() {
+	if !a.socketServerEnabled {
+		a.logger.Info(a.hardCtx, "socket server is disabled")
+		return
+	}
+
+	server, err := agentsocket.NewServer(
+		a.logger.Named("socket"),
+		agentsocket.WithPath(a.socketPath),
+	)
+	if err != nil {
+		a.logger.Warn(a.hardCtx, "failed to create socket server", slog.Error(err), slog.F("path", a.socketPath))
+		return
+	}
+
+	a.socketServer = server
+	a.logger.Debug(a.hardCtx, "socket server started", slog.F("path", a.socketPath))
+}
+
 // runLoop attempts to start the agent in a retry loop.
 // Coder may be offline temporarily, a connection issue
 // may be happening, but regardless after the intermittent
@@ -1087,7 +1127,7 @@ func (a *agent) handleManifest(manifestOK *checkpoint) func(ctx context.Context,
 		if err != nil {
 			return xerrors.Errorf("fetch metadata: %w", err)
 		}
-		a.logger.Info(ctx, "fetched manifest", slog.F("manifest", mp))
+		a.logger.Info(ctx, "fetched manifest")
 		manifest, err := agentsdk.ManifestFromProto(mp)
 		if err != nil {
 			a.logger.Critical(ctx, "failed to convert manifest", slog.F("manifest", mp), slog.Error(err))
@@ -1920,6 +1960,7 @@ func (a *agent) Close() error {
 			lifecycleState = codersdk.WorkspaceAgentLifecycleShutdownError
 		}
 	}
+
 	a.setLifecycle(lifecycleState)
 
 	err = a.scriptRunner.Close()
@@ -1927,6 +1968,12 @@ func (a *agent) Close() error {
 		a.logger.Error(a.hardCtx, "script runner close", slog.Error(err))
 	}
 
+	if a.socketServer != nil {
+		if err := a.socketServer.Close(); err != nil {
+			a.logger.Error(a.hardCtx, "socket server close", slog.Error(err))
+		}
+	}
+
 	if err := a.containerAPI.Close(); err != nil {
 		a.logger.Error(a.hardCtx, "container API close", slog.Error(err))
 	}

agent/agentsocket/client.go

@@ -0,0 +1,146 @@
+package agentsocket
+
+import (
+	"context"
+
+	"golang.org/x/xerrors"
+	"storj.io/drpc"
+	"storj.io/drpc/drpcconn"
+
+	"github.com/coder/coder/v2/agent/agentsocket/proto"
+	"github.com/coder/coder/v2/agent/unit"
+)
+
+// Option represents a configuration option for NewClient.
+type Option func(*options)
+
+type options struct {
+	path string
+}
+
+// WithPath sets the socket path. If not provided or empty, the client will
+// auto-discover the default socket path.
+func WithPath(path string) Option {
+	return func(opts *options) {
+		if path == "" {
+			return
+		}
+		opts.path = path
+	}
+}
+
+// Client provides a client for communicating with the workspace agentsocket API.
+type Client struct {
+	client proto.DRPCAgentSocketClient
+	conn   drpc.Conn
+}
+
+// NewClient creates a new socket client and opens a connection to the socket.
+// If path is not provided via WithPath or is empty, it will auto-discover the
+// default socket path.
+func NewClient(ctx context.Context, opts ...Option) (*Client, error) {
+	options := &options{}
+	for _, opt := range opts {
+		opt(options)
+	}
+
+	conn, err := dialSocket(ctx, options.path)
+	if err != nil {
+		return nil, xerrors.Errorf("connect to socket: %w", err)
+	}
+
+	drpcConn := drpcconn.New(conn)
+	client := proto.NewDRPCAgentSocketClient(drpcConn)
+
+	return &Client{
+		client: client,
+		conn:   drpcConn,
+	}, nil
+}
+
+// Close closes the socket connection.
+func (c *Client) Close() error {
+	return c.conn.Close()
+}
+
+// Ping sends a ping request to the agent.
+func (c *Client) Ping(ctx context.Context) error {
+	_, err := c.client.Ping(ctx, &proto.PingRequest{})
+	return err
+}
+
+// SyncStart starts a unit in the dependency graph.
+func (c *Client) SyncStart(ctx context.Context, unitName unit.ID) error {
+	_, err := c.client.SyncStart(ctx, &proto.SyncStartRequest{
+		Unit: string(unitName),
+	})
+	return err
+}
+
+// SyncWant declares a dependency between units.
+func (c *Client) SyncWant(ctx context.Context, unitName, dependsOn unit.ID) error {
+	_, err := c.client.SyncWant(ctx, &proto.SyncWantRequest{
+		Unit:      string(unitName),
+		DependsOn: string(dependsOn),
+	})
+	return err
+}
+
+// SyncComplete marks a unit as complete in the dependency graph.
+func (c *Client) SyncComplete(ctx context.Context, unitName unit.ID) error {
+	_, err := c.client.SyncComplete(ctx, &proto.SyncCompleteRequest{
+		Unit: string(unitName),
+	})
+	return err
+}
+
+// SyncReady requests whether a unit is ready to be started. That is, all dependencies are satisfied.
+func (c *Client) SyncReady(ctx context.Context, unitName unit.ID) (bool, error) {
+	resp, err := c.client.SyncReady(ctx, &proto.SyncReadyRequest{
+		Unit: string(unitName),
+	})
+	return resp.Ready, err
+}
+
+// SyncStatus gets the status of a unit and its dependencies.
+func (c *Client) SyncStatus(ctx context.Context, unitName unit.ID) (SyncStatusResponse, error) {
+	resp, err := c.client.SyncStatus(ctx, &proto.SyncStatusRequest{
+		Unit: string(unitName),
+	})
+	if err != nil {
+		return SyncStatusResponse{}, err
+	}
+
+	var dependencies []DependencyInfo
+	for _, dep := range resp.Dependencies {
+		dependencies = append(dependencies, DependencyInfo{
+			DependsOn:      unit.ID(dep.DependsOn),
+			RequiredStatus: unit.Status(dep.RequiredStatus),
+			CurrentStatus:  unit.Status(dep.CurrentStatus),
+			IsSatisfied:    dep.IsSatisfied,
+		})
+	}
+
+	return SyncStatusResponse{
+		UnitName:     unitName,
+		Status:       unit.Status(resp.Status),
+		IsReady:      resp.IsReady,
+		Dependencies: dependencies,
+	}, nil
+}
+
+// SyncStatusResponse contains the status information for a unit.
+type SyncStatusResponse struct {
+	UnitName     unit.ID          `table:"unit,default_sort" json:"unit_name"`
+	Status       unit.Status      `table:"status" json:"status"`
+	IsReady      bool             `table:"ready" json:"is_ready"`
+	Dependencies []DependencyInfo `table:"dependencies" json:"dependencies"`
+}
+
+// DependencyInfo contains information about a unit dependency.
+type DependencyInfo struct {
+	DependsOn      unit.ID     `table:"depends on,default_sort" json:"depends_on"`
+	RequiredStatus unit.Status `table:"required status" json:"required_status"`
+	CurrentStatus  unit.Status `table:"current status" json:"current_status"`
+	IsSatisfied    bool        `table:"satisfied" json:"is_satisfied"`
+}

agent/agentsocket/server.go

@@ -7,8 +7,6 @@ import (
 	"sync"
 
 	"golang.org/x/xerrors"
-
-	"github.com/hashicorp/yamux"
 	"storj.io/drpc/drpcmux"
 	"storj.io/drpc/drpcserver"
 
@@ -33,11 +31,17 @@ type Server struct {
 	wg       sync.WaitGroup
 }
 
-func NewServer(path string, logger slog.Logger) (*Server, error) {
+// NewServer creates a new agent socket server.
+func NewServer(logger slog.Logger, opts ...Option) (*Server, error) {
+	options := &options{}
+	for _, opt := range opts {
+		opt(options)
+	}
+
 	logger = logger.Named("agentsocket-server")
 	server := &Server{
 		logger: logger,
-		path:   path,
+		path:   options.path,
 		service: &DRPCAgentSocketService{
 			logger:      logger,
 			unitManager: unit.NewManager(),
@@ -61,14 +65,6 @@ func NewServer(path string, logger slog.Logger) (*Server, error) {
 		},
 	})
 
-	if server.path == "" {
-		var err error
-		server.path, err = getDefaultSocketPath()
-		if err != nil {
-			return nil, xerrors.Errorf("get default socket path: %w", err)
-		}
-	}
-
 	listener, err := createSocket(server.path)
 	if err != nil {
 		return nil, xerrors.Errorf("create socket: %w", err)
@@ -91,6 +87,7 @@ func NewServer(path string, logger slog.Logger) (*Server, error) {
 	return server, nil
 }
 
+// Close stops the server and cleans up resources.
 func (s *Server) Close() error {
 	s.mu.Lock()
 
@@ -134,52 +131,8 @@ func (s *Server) acceptConnections() {
 		return
 	}
 
-	for {
-		select {
-		case <-s.ctx.Done():
-			return
-		default:
-		}
-
-		conn, err := listener.Accept()
-		if err != nil {
-			s.logger.Warn(s.ctx, "error accepting connection", slog.Error(err))
-			continue
-		}
-
-		s.mu.Lock()
-		if s.listener == nil {
-			s.mu.Unlock()
-			_ = conn.Close()
-			return
-		}
-		s.wg.Add(1)
-		s.mu.Unlock()
-
-		go func() {
-			defer s.wg.Done()
-			s.handleConnection(conn)
-		}()
-	}
-}
-
-func (s *Server) handleConnection(conn net.Conn) {
-	defer conn.Close()
-
-	s.logger.Debug(s.ctx, "new connection accepted", slog.F("remote_addr", conn.RemoteAddr()))
-
-	config := yamux.DefaultConfig()
-	config.LogOutput = nil
-	config.Logger = slog.Stdlib(s.ctx, s.logger.Named("agentsocket-yamux"), slog.LevelInfo)
-	session, err := yamux.Server(conn, config)
-	if err != nil {
-		s.logger.Warn(s.ctx, "failed to create yamux session", slog.Error(err))
-		return
-	}
-	defer session.Close()
-
-	err = s.drpcServer.Serve(s.ctx, session)
-	if err != nil {
-		s.logger.Debug(s.ctx, "drpc server finished", slog.Error(err))
+	err := s.drpcServer.Serve(s.ctx, listener)
+	if err != nil {
+		s.logger.Warn(s.ctx, "error serving drpc server", slog.Error(err))
 	}
 }

agent/agentsocket/server_test.go

@@ -1,14 +1,24 @@
 package agentsocket_test
 
 import (
+	"context"
 	"path/filepath"
 	"runtime"
 	"testing"
 
+	"github.com/google/uuid"
+	"github.com/spf13/afero"
 	"github.com/stretchr/testify/require"
 
 	"cdr.dev/slog"
+	"github.com/coder/coder/v2/agent"
 	"github.com/coder/coder/v2/agent/agentsocket"
+	"github.com/coder/coder/v2/agent/agenttest"
+	agentproto "github.com/coder/coder/v2/agent/proto"
+	"github.com/coder/coder/v2/codersdk/agentsdk"
+	"github.com/coder/coder/v2/tailnet"
+	"github.com/coder/coder/v2/tailnet/tailnettest"
+	"github.com/coder/coder/v2/testutil"
 )
 
 func TestServer(t *testing.T) {
@@ -23,7 +33,7 @@ func TestServer(t *testing.T) {
 
 		socketPath := filepath.Join(t.TempDir(), "test.sock")
 		logger := slog.Make().Leveled(slog.LevelDebug)
-		server, err := agentsocket.NewServer(socketPath, logger)
+		server, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
 		require.NoError(t, err)
 		require.NoError(t, server.Close())
 	})
@@ -33,10 +43,10 @@ func TestServer(t *testing.T) {
 
 		socketPath := filepath.Join(t.TempDir(), "test.sock")
 		logger := slog.Make().Leveled(slog.LevelDebug)
-		server1, err := agentsocket.NewServer(socketPath, logger)
+		server1, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
 		require.NoError(t, err)
 		defer server1.Close()
-		_, err = agentsocket.NewServer(socketPath, logger)
+		_, err = agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
 		require.ErrorContains(t, err, "create socket")
 	})
 
@@ -45,8 +55,84 @@ func TestServer(t *testing.T) {
 
 		socketPath := filepath.Join(t.TempDir(), "test.sock")
 		logger := slog.Make().Leveled(slog.LevelDebug)
-		server, err := agentsocket.NewServer(socketPath, logger)
+		server, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
 		require.NoError(t, err)
 		require.NoError(t, server.Close())
 	})
 }
+
+func TestServerWindowsNotSupported(t *testing.T) {
+	t.Parallel()
+
+	if runtime.GOOS != "windows" {
+		t.Skip("this test only runs on Windows")
+	}
+
+	t.Run("NewServer", func(t *testing.T) {
+		t.Parallel()
+
+		socketPath := filepath.Join(t.TempDir(), "test.sock")
+		logger := slog.Make().Leveled(slog.LevelDebug)
+		_, err := agentsocket.NewServer(logger, agentsocket.WithPath(socketPath))
+		require.ErrorContains(t, err, "agentsocket is not supported on Windows")
+	})
+
+	t.Run("NewClient", func(t *testing.T) {
+		t.Parallel()
+
+		_, err := agentsocket.NewClient(context.Background(), agentsocket.WithPath("test.sock"))
+		require.ErrorContains(t, err, "agentsocket is not supported on Windows")
+	})
+}
+
+func TestAgentInitializesOnWindowsWithoutSocketServer(t *testing.T) {
+	t.Parallel()
+
+	if runtime.GOOS != "windows" {
+		t.Skip("this test only runs on Windows")
+	}
+
+	ctx := testutil.Context(t, testutil.WaitShort)
+	logger := testutil.Logger(t).Named("agent")
+
+	derpMap, _ := tailnettest.RunDERPAndSTUN(t)
+
+	coordinator := tailnet.NewCoordinator(logger)
+	t.Cleanup(func() {
+		_ = coordinator.Close()
+	})
+
+	statsCh := make(chan *agentproto.Stats, 50)
+	agentID := uuid.New()
+	manifest := agentsdk.Manifest{
+		AgentID:       agentID,
+		AgentName:     "test-agent",
+		WorkspaceName: "test-workspace",
+		OwnerName:     "test-user",
+		WorkspaceID:   uuid.New(),
+		DERPMap:       derpMap,
+	}
+
+	client := agenttest.NewClient(t, logger.Named("agenttest"), agentID, manifest, statsCh, coordinator)
+	t.Cleanup(client.Close)
+
+	options := agent.Options{
+		Client:                 client,
+		Filesystem:             afero.NewMemMapFs(),
+		Logger:                 logger.Named("agent"),
+		ReconnectingPTYTimeout: testutil.WaitShort,
+		EnvironmentVariables:   map[string]string{},
+		SocketPath:             "",
+	}
+
+	agnt := agent.New(options)
+	t.Cleanup(func() {
+		_ = agnt.Close()
+	})
+
+	startup := testutil.TryReceive(ctx, t, client.GetStartup())
+	require.NotNil(t, startup, "agent should send startup message")
+
+	err := agnt.Close()
+	require.NoError(t, err, "agent should close cleanly")
+}

agent/agentsocket/service.go

@@ -15,15 +15,18 @@ var _ proto.DRPCAgentSocketServer = (*DRPCAgentSocketService)(nil)
 
 var ErrUnitManagerNotAvailable = xerrors.New("unit manager not available")
 
+// DRPCAgentSocketService implements the DRPC agent socket service.
 type DRPCAgentSocketService struct {
 	unitManager *unit.Manager
 	logger      slog.Logger
 }
 
+// Ping responds to a ping request to check if the service is alive.
 func (*DRPCAgentSocketService) Ping(_ context.Context, _ *proto.PingRequest) (*proto.PingResponse, error) {
 	return &proto.PingResponse{}, nil
 }
 
+// SyncStart starts a unit in the dependency graph.
 func (s *DRPCAgentSocketService) SyncStart(_ context.Context, req *proto.SyncStartRequest) (*proto.SyncStartResponse, error) {
 	if s.unitManager == nil {
 		return nil, xerrors.Errorf("SyncStart: %w", ErrUnitManagerNotAvailable)
@@ -53,6 +56,7 @@ func (s *DRPCAgentSocketService) SyncStart(_ context.Context, req *proto.SyncSta
 	return &proto.SyncStartResponse{}, nil
 }
 
+// SyncWant declares a dependency between units.
 func (s *DRPCAgentSocketService) SyncWant(_ context.Context, req *proto.SyncWantRequest) (*proto.SyncWantResponse, error) {
 	if s.unitManager == nil {
 		return nil, xerrors.Errorf("cannot add dependency: %w", ErrUnitManagerNotAvailable)
@@ -72,6 +76,7 @@ func (s *DRPCAgentSocketService) SyncWant(_ context.Context, req *proto.SyncWant
 	return &proto.SyncWantResponse{}, nil
 }
 
+// SyncComplete marks a unit as complete in the dependency graph.
 func (s *DRPCAgentSocketService) SyncComplete(_ context.Context, req *proto.SyncCompleteRequest) (*proto.SyncCompleteResponse, error) {
 	if s.unitManager == nil {
 		return nil, xerrors.Errorf("cannot complete unit: %w", ErrUnitManagerNotAvailable)
@@ -86,6 +91,7 @@ func (s *DRPCAgentSocketService) SyncComplete(_ context.Context, req *proto.Sync
 	return &proto.SyncCompleteResponse{}, nil
 }
 
+// SyncReady checks whether a unit is ready to be started. That is, all dependencies are satisfied.
 func (s *DRPCAgentSocketService) SyncReady(_ context.Context, req *proto.SyncReadyRequest) (*proto.SyncReadyResponse, error) {
 	if s.unitManager == nil {
 		return nil, xerrors.Errorf("cannot check readiness: %w", ErrUnitManagerNotAvailable)
@@ -102,6 +108,7 @@ func (s *DRPCAgentSocketService) SyncReady(_ context.Context, req *proto.SyncRea
 	}, nil
 }
 
+// SyncStatus gets the status of a unit and lists its dependencies.
 func (s *DRPCAgentSocketService) SyncStatus(_ context.Context, req *proto.SyncStatusRequest) (*proto.SyncStatusResponse, error) {
 	if s.unitManager == nil {
 		return nil, xerrors.Errorf("cannot get status for unit %q: %w", req.Unit, ErrUnitManagerNotAvailable)
@@ -115,8 +122,11 @@ func (s *DRPCAgentSocketService) SyncStatus(_ context.Context, req *proto.SyncSt
 	}
 
 	dependencies, err := s.unitManager.GetAllDependencies(unitID)
-	if err != nil {
-		return nil, xerrors.Errorf("failed to get dependencies: %w", err)
+	switch {
+	case errors.Is(err, unit.ErrUnitNotFound):
+		dependencies = []unit.Dependency{}
+	case err != nil:
+		return nil, xerrors.Errorf("cannot get dependencies: %w", err)
 	}
 
 	var depInfos []*proto.DependencyInfo

agent/agentsocket/service_test.go

@@ -5,21 +5,18 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
-	"net"
 	"os"
 	"path/filepath"
 	"runtime"
 	"testing"
 
-	"github.com/hashicorp/yamux"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/agent/agentsocket"
-	"github.com/coder/coder/v2/agent/agentsocket/proto"
 	"github.com/coder/coder/v2/agent/unit"
-	"github.com/coder/coder/v2/codersdk/drpcsdk"
+	"github.com/coder/coder/v2/testutil"
 )
 
 // tempDirUnixSocket returns a temporary directory that can safely hold unix
@@ -47,23 +44,15 @@ func tempDirUnixSocket(t *testing.T) string {
 }
 
 // newSocketClient creates a DRPC client connected to the Unix socket at the given path.
-func newSocketClient(t *testing.T, socketPath string) proto.DRPCAgentSocketClient {
+func newSocketClient(ctx context.Context, t *testing.T, socketPath string) *agentsocket.Client {
 	t.Helper()
 
-	conn, err := net.Dial("unix", socketPath)
-	require.NoError(t, err)
-
-	config := yamux.DefaultConfig()
-	config.Logger = nil
-	session, err := yamux.Client(conn, config)
-	require.NoError(t, err)
-
-	client := proto.NewDRPCAgentSocketClient(drpcsdk.MultiplexedConn(session))
-
+	client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(socketPath))
 	t.Cleanup(func() {
-		_ = session.Close()
-		_ = conn.Close()
+		_ = client.Close()
 	})
+	require.NoError(t, err)
+
 	return client
 }
 
@@ -78,17 +67,17 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Parallel()
 
 		socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-
+		ctx := testutil.Context(t, testutil.WaitShort)
 		server, err := agentsocket.NewServer(
-			socketPath,
 			slog.Make().Leveled(slog.LevelDebug),
+			agentsocket.WithPath(socketPath),
 		)
 		require.NoError(t, err)
 		defer server.Close()
 
-		client := newSocketClient(t, socketPath)
+		client := newSocketClient(ctx, t, socketPath)
 
-		_, err = client.Ping(context.Background(), &proto.PingRequest{})
+		err = client.Ping(ctx)
 		require.NoError(t, err)
 	})
 
@@ -98,147 +87,116 @@ func TestDRPCAgentSocketService(t *testing.T) {
 		t.Run("NewUnit", func(t *testing.T) {
 			t.Parallel()
 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-
+			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
-				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
+				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()
 
-			client := newSocketClient(t, socketPath)
+			client := newSocketClient(ctx, t, socketPath)
 
-			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
-				Unit: "test-unit",
-			})
+			err = client.SyncStart(ctx, "test-unit")
 			require.NoError(t, err)
 
-			status, err := client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
-				Unit: "test-unit",
-			})
+			status, err := client.SyncStatus(ctx, "test-unit")
 			require.NoError(t, err)
-			require.Equal(t, "started", status.Status)
+			require.Equal(t, unit.StatusStarted, status.Status)
 		})
 
 		t.Run("UnitAlreadyStarted", func(t *testing.T) {
 			t.Parallel()
 
 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-
+			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
-				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
+				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()
 
-			client := newSocketClient(t, socketPath)
+			client := newSocketClient(ctx, t, socketPath)
 
 			// First Start
-			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
-				Unit: "test-unit",
-			})
+			err = client.SyncStart(ctx, "test-unit")
 			require.NoError(t, err)
-			status, err := client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
-				Unit: "test-unit",
-			})
+			status, err := client.SyncStatus(ctx, "test-unit")
 			require.NoError(t, err)
-			require.Equal(t, "started", status.Status)
+			require.Equal(t, unit.StatusStarted, status.Status)
 
 			// Second Start
-			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
-				Unit: "test-unit",
-			})
+			err = client.SyncStart(ctx, "test-unit")
 			require.ErrorContains(t, err, unit.ErrSameStatusAlreadySet.Error())
 
-			status, err = client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
-				Unit: "test-unit",
-			})
+			status, err = client.SyncStatus(ctx, "test-unit")
 			require.NoError(t, err)
-			require.Equal(t, "started", status.Status)
+			require.Equal(t, unit.StatusStarted, status.Status)
 		})
 
 		t.Run("UnitAlreadyCompleted", func(t *testing.T) {
 			t.Parallel()
 
 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-
+			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
-				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
+				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()
 
-			client := newSocketClient(t, socketPath)
+			client := newSocketClient(ctx, t, socketPath)
 
 			// First start
-			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
-				Unit: "test-unit",
-			})
+			err = client.SyncStart(ctx, "test-unit")
 			require.NoError(t, err)
 
-			status, err := client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
-				Unit: "test-unit",
-			})
+			status, err := client.SyncStatus(ctx, "test-unit")
 			require.NoError(t, err)
-			require.Equal(t, "started", status.Status)
+			require.Equal(t, unit.StatusStarted, status.Status)
 
 			// Complete the unit
-			_, err = client.SyncComplete(context.Background(), &proto.SyncCompleteRequest{
-				Unit: "test-unit",
-			})
+			err = client.SyncComplete(ctx, "test-unit")
 			require.NoError(t, err)
 
-			status, err = client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
-				Unit: "test-unit",
-			})
+			status, err = client.SyncStatus(ctx, "test-unit")
 			require.NoError(t, err)
-			require.Equal(t, "completed", status.Status)
+			require.Equal(t, unit.StatusComplete, status.Status)
 
 			// Second start
-			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
-				Unit: "test-unit",
-			})
+			err = client.SyncStart(ctx, "test-unit")
 			require.NoError(t, err)
 
-			status, err = client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
-				Unit: "test-unit",
-			})
+			status, err = client.SyncStatus(ctx, "test-unit")
 			require.NoError(t, err)
-			require.Equal(t, "started", status.Status)
+			require.Equal(t, unit.StatusStarted, status.Status)
 		})
 
 		t.Run("UnitNotReady", func(t *testing.T) {
 			t.Parallel()
 
 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-
+			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
-				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
+				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()
 
-			client := newSocketClient(t, socketPath)
+			client := newSocketClient(ctx, t, socketPath)
 
-			_, err = client.SyncWant(context.Background(), &proto.SyncWantRequest{
-				Unit:      "test-unit",
-				DependsOn: "dependency-unit",
-			})
+			err = client.SyncWant(ctx, "test-unit", "dependency-unit")
 			require.NoError(t, err)
 
-			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
-				Unit: "test-unit",
-			})
+			err = client.SyncStart(ctx, "test-unit")
 			require.ErrorContains(t, err, "unit not ready")
 
-			status, err := client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
-				Unit: "test-unit",
-			})
+			status, err := client.SyncStatus(ctx, "test-unit")
 			require.NoError(t, err)
-			require.Equal(t, string(unit.StatusPending), status.Status)
+			require.Equal(t, unit.StatusPending, status.Status)
 			require.False(t, status.IsReady)
 		})
 	})
@@ -250,107 +208,86 @@ func TestDRPCAgentSocketService(t *testing.T) {
 			t.Parallel()
 
 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-
+			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
-				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
+				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()
 
-			client := newSocketClient(t, socketPath)
+			client := newSocketClient(ctx, t, socketPath)
 
 			// If dependency units are not registered, they are registered automatically
-			_, err = client.SyncWant(context.Background(), &proto.SyncWantRequest{
-				Unit:      "test-unit",
-				DependsOn: "dependency-unit",
-			})
+			err = client.SyncWant(ctx, "test-unit", "dependency-unit")
 			require.NoError(t, err)
 
-			status, err := client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
-				Unit: "test-unit",
-			})
+			status, err := client.SyncStatus(ctx, "test-unit")
 			require.NoError(t, err)
 			require.Len(t, status.Dependencies, 1)
-			require.Equal(t, "dependency-unit", status.Dependencies[0].DependsOn)
-			require.Equal(t, "completed", status.Dependencies[0].RequiredStatus)
+			require.Equal(t, unit.ID("dependency-unit"), status.Dependencies[0].DependsOn)
+			require.Equal(t, unit.StatusComplete, status.Dependencies[0].RequiredStatus)
 		})
 
 		t.Run("DependencyAlreadyRegistered", func(t *testing.T) {
 			t.Parallel()
 
 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-
+			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
-				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
+				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()
 
-			client := newSocketClient(t, socketPath)
+			client := newSocketClient(ctx, t, socketPath)
 
 			// Start the dependency unit
-			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
-				Unit: "dependency-unit",
-			})
+			err = client.SyncStart(ctx, "dependency-unit")
 			require.NoError(t, err)
 
-			status, err := client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
-				Unit: "dependency-unit",
-			})
+			status, err := client.SyncStatus(ctx, "dependency-unit")
 			require.NoError(t, err)
-			require.Equal(t, "started", status.Status)
+			require.Equal(t, unit.StatusStarted, status.Status)
 
 			// Add the dependency after the dependency unit has already started
-			_, err = client.SyncWant(context.Background(), &proto.SyncWantRequest{
-				Unit:      "test-unit",
-				DependsOn: "dependency-unit",
-			})
+			err = client.SyncWant(ctx, "test-unit", "dependency-unit")
 
 			// Dependencies can be added even if the dependency unit has already started
 			require.NoError(t, err)
 
 			// The dependency is now reflected in the test unit's status
-			status, err = client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
-				Unit: "test-unit",
-			})
+			status, err = client.SyncStatus(ctx, "test-unit")
 			require.NoError(t, err)
-			require.Equal(t, "dependency-unit", status.Dependencies[0].DependsOn)
-			require.Equal(t, "completed", status.Dependencies[0].RequiredStatus)
+			require.Equal(t, unit.ID("dependency-unit"), status.Dependencies[0].DependsOn)
+			require.Equal(t, unit.StatusComplete, status.Dependencies[0].RequiredStatus)
 		})
 
 		t.Run("DependencyAddedAfterDependentStarted", func(t *testing.T) {
 			t.Parallel()
 
 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-
+			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
-				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
+				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()
 
-			client := newSocketClient(t, socketPath)
+			client := newSocketClient(ctx, t, socketPath)
 
 			// Start the dependent unit
-			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
-				Unit: "test-unit",
-			})
+			err = client.SyncStart(ctx, "test-unit")
 			require.NoError(t, err)
 
-			status, err := client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
-				Unit: "test-unit",
-			})
+			status, err := client.SyncStatus(ctx, "test-unit")
 			require.NoError(t, err)
-			require.Equal(t, "started", status.Status)
+			require.Equal(t, unit.StatusStarted, status.Status)
 
 			// Add the dependency after the dependency unit has already started
-			_, err = client.SyncWant(context.Background(), &proto.SyncWantRequest{
-				Unit:      "test-unit",
-				DependsOn: "dependency-unit",
-			})
+			err = client.SyncWant(ctx, "test-unit", "dependency-unit")
 
 			// Dependencies can be added even if the dependent unit has already started.
 			// The dependency applies the next time a unit is started. The current status is not updated.
@@ -359,12 +296,10 @@ func TestDRPCAgentSocketService(t *testing.T) {
 			require.NoError(t, err)
 
 			// The dependency is now reflected in the test unit's status
-			status, err = client.SyncStatus(context.Background(), &proto.SyncStatusRequest{
-				Unit: "test-unit",
-			})
+			status, err = client.SyncStatus(ctx, "test-unit")
 			require.NoError(t, err)
-			require.Equal(t, "dependency-unit", status.Dependencies[0].DependsOn)
-			require.Equal(t, "completed", status.Dependencies[0].RequiredStatus)
+			require.Equal(t, unit.ID("dependency-unit"), status.Dependencies[0].DependsOn)
+			require.Equal(t, unit.StatusComplete, status.Dependencies[0].RequiredStatus)
 		})
 	})
 
@@ -375,96 +310,80 @@ func TestDRPCAgentSocketService(t *testing.T) {
 			t.Parallel()
 
 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-
+			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
-				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
+				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()
 
-			client := newSocketClient(t, socketPath)
+			client := newSocketClient(ctx, t, socketPath)
 
-			response, err := client.SyncReady(context.Background(), &proto.SyncReadyRequest{
-				Unit: "unregistered-unit",
-			})
+			ready, err := client.SyncReady(ctx, "unregistered-unit")
 			require.NoError(t, err)
-			require.False(t, response.Ready)
+			require.True(t, ready)
 		})
 
 		t.Run("UnitNotReady", func(t *testing.T) {
 			t.Parallel()
 
 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-
+			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
-				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
+				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()
 
-			client := newSocketClient(t, socketPath)
+			client := newSocketClient(ctx, t, socketPath)
 
 			// Register a unit with an unsatisfied dependency
-			_, err = client.SyncWant(context.Background(), &proto.SyncWantRequest{
-				Unit:      "test-unit",
-				DependsOn: "dependency-unit",
-			})
+			err = client.SyncWant(ctx, "test-unit", "dependency-unit")
 			require.NoError(t, err)
 
 			// Check readiness - should be false because dependency is not satisfied
-			response, err := client.SyncReady(context.Background(), &proto.SyncReadyRequest{
-				Unit: "test-unit",
-			})
+			ready, err := client.SyncReady(ctx, "test-unit")
 			require.NoError(t, err)
-			require.False(t, response.Ready)
+			require.False(t, ready)
 		})
 
 		t.Run("UnitReady", func(t *testing.T) {
 			t.Parallel()
 
 			socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
-
+			ctx := testutil.Context(t, testutil.WaitShort)
 			server, err := agentsocket.NewServer(
-				socketPath,
 				slog.Make().Leveled(slog.LevelDebug),
+				agentsocket.WithPath(socketPath),
 			)
 			require.NoError(t, err)
 			defer server.Close()
 
-			client := newSocketClient(t, socketPath)
+			client := newSocketClient(ctx, t, socketPath)
 
 			// Register a unit with no dependencies - should be ready immediately
-			_, err = client.SyncStart(context.Background(), &proto.SyncStartRequest{
-				Unit: "test-unit",
-			})
+			err = client.SyncStart(ctx, "test-unit")
 			require.NoError(t, err)
 
 			// Check readiness - should be true
-			_, err = client.SyncReady(context.Background(), &proto.SyncReadyRequest{
-				Unit: "test-unit",
-			})
+			ready, err := client.SyncReady(ctx, "test-unit")
 			require.NoError(t, err)
+			require.True(t, ready)
 
 			// Also test a unit with satisfied dependencies
-			_, err = client.SyncWant(context.Background(), &proto.SyncWantRequest{
-				Unit:      "dependent-unit",
-				DependsOn: "test-unit",
-			})
+			err = client.SyncWant(ctx, "dependent-unit", "test-unit")
 			require.NoError(t, err)
 
 			// Complete the dependency
-			_, err = client.SyncComplete(context.Background(), &proto.SyncCompleteRequest{
-				Unit: "test-unit",
-			})
+			err = client.SyncComplete(ctx, "test-unit")
 			require.NoError(t, err)
 
 			// Now dependent-unit should be ready
-			_, err = client.SyncReady(context.Background(), &proto.SyncReadyRequest{
-				Unit: "dependent-unit",
-			})
+			ready, err = client.SyncReady(ctx, "dependent-unit")
 			require.NoError(t, err)
+			require.True(t, ready)
 		})
 	})
 }

agent/agentsocket/socket_unix.go

@@ -3,8 +3,7 @@
 package agentsocket
 
 import (
-	"crypto/rand"
-	"encoding/hex"
+	"context"
 	"net"
 	"os"
 	"path/filepath"
@@ -13,8 +12,13 @@ import (
 	"golang.org/x/xerrors"
 )
 
-// createSocket creates a Unix domain socket listener
+const defaultSocketPath = "/tmp/coder-agent.sock"
+
 func createSocket(path string) (net.Listener, error) {
+	if path == "" {
+		path = defaultSocketPath
+	}
+
 	if !isSocketAvailable(path) {
 		return nil, xerrors.Errorf("socket path %s is not available", path)
 	}
@@ -23,7 +27,6 @@ func createSocket(path string) (net.Listener, error) {
 		return nil, xerrors.Errorf("remove existing socket: %w", err)
 	}
 
-	// Create parent directory if it doesn't exist
 	parentDir := filepath.Dir(path)
 	if err := os.MkdirAll(parentDir, 0o700); err != nil {
 		return nil, xerrors.Errorf("create socket directory: %w", err)
@@ -41,43 +44,30 @@ func createSocket(path string) (net.Listener, error) {
 	return listener, nil
 }
 
-// getDefaultSocketPath returns the default socket path for Unix-like systems
-func getDefaultSocketPath() (string, error) {
-	randomBytes := make([]byte, 4)
-	if _, err := rand.Read(randomBytes); err != nil {
-		return "", xerrors.Errorf("generate random socket name: %w", err)
-	}
-	randomSuffix := hex.EncodeToString(randomBytes)
-
-	// Try XDG_RUNTIME_DIR first
-	if runtimeDir := os.Getenv("XDG_RUNTIME_DIR"); runtimeDir != "" {
-		return filepath.Join(runtimeDir, "coder-agent-"+randomSuffix+".sock"), nil
-	}
-
-	return filepath.Join("/tmp", "coder-agent-"+randomSuffix+".sock"), nil
-}
-
-// CleanupSocket removes the socket file
 func cleanupSocket(path string) error {
 	return os.Remove(path)
 }
 
-// isSocketAvailable checks if a socket path is available for use
 func isSocketAvailable(path string) bool {
-	// Check if file exists
 	if _, err := os.Stat(path); os.IsNotExist(err) {
 		return true
 	}
 
-	// Try to connect to see if it's actually listening
+	// Try to connect to see if it's actually listening.
 	dialer := net.Dialer{Timeout: 10 * time.Second}
 	conn, err := dialer.Dial("unix", path)
 	if err != nil {
-		// If we can't connect, the socket is not in use
-		// Socket is available for use
 		return true
 	}
 	_ = conn.Close()
-	// Socket is in use
 	return false
 }
+
+func dialSocket(ctx context.Context, path string) (net.Conn, error) {
+	if path == "" {
+		path = defaultSocketPath
+	}
+
+	dialer := net.Dialer{}
+	return dialer.DialContext(ctx, "unix", path)
+}

agent/agentsocket/socket_windows.go

@@ -3,25 +3,20 @@
 package agentsocket
 
 import (
+	"context"
 	"net"
 
 	"golang.org/x/xerrors"
 )
 
-// createSocket returns an error indicating that agentsocket is not supported on Windows.
-// This feature is unix-only in its current experimental state.
 func createSocket(_ string) (net.Listener, error) {
 	return nil, xerrors.New("agentsocket is not supported on Windows")
 }
 
-// getDefaultSocketPath returns an error indicating that agentsocket is not supported on Windows.
-// This feature is unix-only in its current experimental state.
-func getDefaultSocketPath() (string, error) {
-	return "", xerrors.New("agentsocket is not supported on Windows")
-}
-
-// cleanupSocket is a no-op on Windows since agentsocket is not supported.
 func cleanupSocket(_ string) error {
-	// No-op since agentsocket is not supported on Windows
 	return nil
 }
+
+func dialSocket(_ context.Context, _ string) (net.Conn, error) {
+	return nil, xerrors.New("agentsocket is not supported on Windows")
+}

agent/api.go

@@ -2,41 +2,31 @@ package agent
 
 import (
 	"net/http"
-	"sync"
-	"time"
 
 	"github.com/go-chi/chi/v5"
 	"github.com/google/uuid"
 
 	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/coderd/httpmw/loggermw"
+	"github.com/coder/coder/v2/coderd/tracing"
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/codersdk/workspacesdk"
+	"github.com/coder/coder/v2/httpmw"
 )
 
 func (a *agent) apiHandler() http.Handler {
 	r := chi.NewRouter()
+	r.Use(
+		httpmw.Recover(a.logger),
+		tracing.StatusWriterMiddleware,
+		loggermw.Logger(a.logger),
+	)
 	r.Get("/", func(rw http.ResponseWriter, r *http.Request) {
 		httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.Response{
 			Message: "Hello from the agent!",
 		})
 	})
 
-	// Make a copy to ensure the map is not modified after the handler is
-	// created.
-	cpy := make(map[int]string)
-	for k, b := range a.ignorePorts {
-		cpy[k] = b
-	}
-
-	cacheDuration := 1 * time.Second
-	if a.portCacheDuration > 0 {
-		cacheDuration = a.portCacheDuration
-	}
-
-	lp := &listeningPortsHandler{
-		ignorePorts:   cpy,
-		cacheDuration: cacheDuration,
-	}
-
 	if a.devcontainers {
 		r.Mount("/api/v0/containers", a.containerAPI.Routes())
 	} else if manifest := a.manifest.Load(); manifest != nil && manifest.ParentID != uuid.Nil {
@@ -57,7 +47,7 @@ func (a *agent) apiHandler() http.Handler {
 
 	promHandler := PrometheusMetricsHandler(a.prometheusRegistry, a.logger)
 
-	r.Get("/api/v0/listening-ports", lp.handler)
+	r.Get("/api/v0/listening-ports", a.listeningPortsHandler.handler)
 	r.Get("/api/v0/netcheck", a.HandleNetcheck)
 	r.Post("/api/v0/list-directory", a.HandleLS)
 	r.Get("/api/v0/read-file", a.HandleReadFile)
@@ -72,22 +62,21 @@ func (a *agent) apiHandler() http.Handler {
 	return r
 }
 
-type listeningPortsHandler struct {
-	ignorePorts   map[int]string
-	cacheDuration time.Duration
+type ListeningPortsGetter interface {
+	GetListeningPorts() ([]codersdk.WorkspaceAgentListeningPort, error)
+}
 
-	//nolint: unused  // used on some but not all platforms
-	mut sync.Mutex
-	//nolint: unused  // used on some but not all platforms
-	ports []codersdk.WorkspaceAgentListeningPort
-	//nolint: unused  // used on some but not all platforms
-	mtime time.Time
+type listeningPortsHandler struct {
+	// In production code, this is set to an osListeningPortsGetter, but it can be overridden for
+	// testing.
+	getter      ListeningPortsGetter
+	ignorePorts map[int]string
 }
 
 // handler returns a list of listening ports. This is tested by coderd's
 // TestWorkspaceAgentListeningPorts test.
 func (lp *listeningPortsHandler) handler(rw http.ResponseWriter, r *http.Request) {
-	ports, err := lp.getListeningPorts()
+	ports, err := lp.getter.GetListeningPorts()
 	if err != nil {
 		httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
 			Message: "Could not scan for listening ports.",
@@ -96,7 +85,20 @@ func (lp *listeningPortsHandler) handler(rw http.ResponseWriter, r *http.Request
 		return
 	}
 
+	filteredPorts := make([]codersdk.WorkspaceAgentListeningPort, 0, len(ports))
+	for _, port := range ports {
+		if port.Port < workspacesdk.AgentMinimumListeningPort {
+			continue
+		}
+
+		// Ignore ports that we've been told to ignore.
+		if _, ok := lp.ignorePorts[int(port.Port)]; ok {
+			continue
+		}
+		filteredPorts = append(filteredPorts, port)
+	}
+
 	httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.WorkspaceAgentListeningPortsResponse{
-		Ports: ports,
+		Ports: filteredPorts,
 	})
 }

agent/ports_supported.go

@@ -3,16 +3,23 @@
 package agent
 
 import (
+	"sync"
 	"time"
 
 	"github.com/cakturk/go-netstat/netstat"
 	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/codersdk/workspacesdk"
 )
 
-func (lp *listeningPortsHandler) getListeningPorts() ([]codersdk.WorkspaceAgentListeningPort, error) {
+type osListeningPortsGetter struct {
+	cacheDuration time.Duration
+	mut           sync.Mutex
+	ports         []codersdk.WorkspaceAgentListeningPort
+	mtime         time.Time
+}
+
+func (lp *osListeningPortsGetter) GetListeningPorts() ([]codersdk.WorkspaceAgentListeningPort, error) {
 	lp.mut.Lock()
 	defer lp.mut.Unlock()
 
@@ -33,12 +40,7 @@ func (lp *listeningPortsHandler) getListeningPorts() ([]codersdk.WorkspaceAgentL
 	seen := make(map[uint16]struct{}, len(tabs))
 	ports := []codersdk.WorkspaceAgentListeningPort{}
 	for _, tab := range tabs {
-		if tab.LocalAddr == nil || tab.LocalAddr.Port < workspacesdk.AgentMinimumListeningPort {
-			continue
-		}
-
-		// Ignore ports that we've been told to ignore.
-		if _, ok := lp.ignorePorts[int(tab.LocalAddr.Port)]; ok {
+		if tab.LocalAddr == nil {
 			continue
 		}
 

agent/ports_supported_internal_test.go

@@ -0,0 +1,45 @@
+//go:build linux || (windows && amd64)
+
+package agent
+
+import (
+	"net"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestOSListeningPortsGetter(t *testing.T) {
+	t.Parallel()
+
+	uut := &osListeningPortsGetter{
+		cacheDuration: 1 * time.Hour,
+	}
+
+	l, err := net.Listen("tcp", "localhost:0")
+	require.NoError(t, err)
+	defer l.Close()
+
+	ports, err := uut.GetListeningPorts()
+	require.NoError(t, err)
+	found := false
+	for _, port := range ports {
+		// #nosec G115 - Safe conversion as TCP port numbers are within uint16 range (0-65535)
+		if port.Port == uint16(l.Addr().(*net.TCPAddr).Port) {
+			found = true
+			break
+		}
+	}
+	require.True(t, found)
+
+	// check that we cache the ports
+	err = l.Close()
+	require.NoError(t, err)
+	portsNew, err := uut.GetListeningPorts()
+	require.NoError(t, err)
+	require.Equal(t, ports, portsNew)
+
+	// note that it's unsafe to try to assert that a port does not exist in the response
+	// because the OS may reallocate the port very quickly.
+}

agent/ports_unsupported.go

@@ -2,9 +2,17 @@
 
 package agent
 
-import "github.com/coder/coder/v2/codersdk"
+import (
+	"time"
 
-func (*listeningPortsHandler) getListeningPorts() ([]codersdk.WorkspaceAgentListeningPort, error) {
+	"github.com/coder/coder/v2/codersdk"
+)
+
+type osListeningPortsGetter struct {
+	cacheDuration time.Duration
+}
+
+func (*osListeningPortsGetter) GetListeningPorts() ([]codersdk.WorkspaceAgentListeningPort, error) {
 	// Can't scan for ports on non-linux or non-windows_amd64 systems at the
 	// moment. The UI will not show any "no ports found" message to the user, so
 	// the user won't suspect a thing.

agent/unit/manager.go

@@ -2,6 +2,7 @@ package unit
 
 import (
 	"errors"
+	"fmt"
 	"sync"
 
 	"golang.org/x/xerrors"
@@ -23,6 +24,15 @@ var (
 // Status represents the status of a unit.
 type Status string
 
+var _ fmt.Stringer = Status("")
+
+func (s Status) String() string {
+	if s == StatusNotRegistered {
+		return "not registered"
+	}
+	return string(s)
+}
+
 // Status constants for dependency tracking.
 const (
 	StatusNotRegistered Status = ""
@@ -137,7 +147,7 @@ func (m *Manager) IsReady(id ID) (bool, error) {
 	defer m.mu.RUnlock()
 
 	if !m.registered(id) {
-		return false, nil
+		return true, nil
 	}
 
 	return m.units[id].ready, nil

agent/unit/manager_test.go

@@ -684,7 +684,7 @@ func TestManager_IsReady(t *testing.T) {
 		// Then: the unit is not ready
 		isReady, err := manager.IsReady(unitA)
 		require.NoError(t, err)
-		assert.False(t, isReady)
+		assert.True(t, isReady)
 	})
 }
 

cli/agent.go

@@ -57,6 +57,8 @@ func workspaceAgent() *serpent.Command {
 		devcontainers                  bool
 		devcontainerProjectDiscovery   bool
 		devcontainerDiscoveryAutostart bool
+		socketServerEnabled            bool
+		socketPath                     string
 	)
 	agentAuth := &AgentAuth{}
 	cmd := &serpent.Command{
@@ -317,6 +319,8 @@ func workspaceAgent() *serpent.Command {
 						agentcontainers.WithProjectDiscovery(devcontainerProjectDiscovery),
 						agentcontainers.WithDiscoveryAutostart(devcontainerDiscoveryAutostart),
 					},
+					SocketPath:          socketPath,
+					SocketServerEnabled: socketServerEnabled,
 				})
 
 				if debugAddress != "" {
@@ -477,6 +481,19 @@ func workspaceAgent() *serpent.Command {
 			Description: "Allow the agent to autostart devcontainer projects it discovers based on their configuration.",
 			Value:       serpent.BoolOf(&devcontainerDiscoveryAutostart),
 		},
+		{
+			Flag:        "socket-server-enabled",
+			Default:     "false",
+			Env:         "CODER_AGENT_SOCKET_SERVER_ENABLED",
+			Description: "Enable the agent socket server.",
+			Value:       serpent.BoolOf(&socketServerEnabled),
+		},
+		{
+			Flag:        "socket-path",
+			Env:         "CODER_AGENT_SOCKET_PATH",
+			Description: "Specify the path for the agent socket.",
+			Value:       serpent.StringOf(&socketPath),
+		},
 	}
 	agentAuth.AttachOptions(cmd, false)
 	return cmd

cli/clitest/clitest.go

@@ -28,7 +28,9 @@ import (
 )
 
 // New creates a CLI instance with a configuration pointed to a
-// temporary testing directory.
+// temporary testing directory. The invocation is set up to use a
+// global config directory for the given testing.TB, and keyring
+// usage disabled.
 func New(t testing.TB, args ...string) (*serpent.Invocation, config.Root) {
 	var root cli.RootCmd
 
@@ -59,6 +61,15 @@ func NewWithCommand(
 	t testing.TB, cmd *serpent.Command, args ...string,
 ) (*serpent.Invocation, config.Root) {
 	configDir := config.Root(t.TempDir())
+	// Keyring usage is disabled here when --global-config is set because many existing
+	// tests expect the session token to be stored on disk and is not properly instrumented
+	// for parallel testing against the actual operating system keyring.
+	invArgs := append([]string{"--global-config", string(configDir)}, args...)
+	return setupInvocation(t, cmd, invArgs...), configDir
+}
+
+func setupInvocation(t testing.TB, cmd *serpent.Command, args ...string,
+) *serpent.Invocation {
 	// I really would like to fail test on error logs, but realistically, turning on by default
 	// in all our CLI tests is going to create a lot of flaky noise.
 	logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).
@@ -66,16 +77,21 @@ func NewWithCommand(
 		Named("cli")
 	i := &serpent.Invocation{
 		Command: cmd,
-		Args:    append([]string{"--global-config", string(configDir)}, args...),
+		Args:    args,
 		Stdin:   io.LimitReader(nil, 0),
 		Stdout:  (&logWriter{prefix: "stdout", log: logger}),
 		Stderr:  (&logWriter{prefix: "stderr", log: logger}),
 		Logger:  logger,
 	}
 	t.Logf("invoking command: %s %s", cmd.Name(), strings.Join(i.Args, " "))
+	return i
+}
 
-	// These can be overridden by the test.
-	return i, configDir
+func NewWithDefaultKeyringCommand(t testing.TB, cmd *serpent.Command, args ...string,
+) (*serpent.Invocation, config.Root) {
+	configDir := config.Root(t.TempDir())
+	invArgs := append([]string{"--global-config", string(configDir)}, args...)
+	return setupInvocation(t, cmd, invArgs...), configDir
 }
 
 // SetupConfig applies the URL and SessionToken of the client to the config.

cli/keyring_test.go

@@ -2,62 +2,85 @@ package cli_test
 
 import (
 	"bytes"
+	"crypto/rand"
+	"encoding/binary"
+	"fmt"
 	"net/url"
 	"os"
 	"path"
 	"runtime"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/v2/cli"
 	"github.com/coder/coder/v2/cli/clitest"
+	"github.com/coder/coder/v2/cli/config"
+	"github.com/coder/coder/v2/cli/sessionstore"
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/pty/ptytest"
+	"github.com/coder/serpent"
 )
 
-// mockKeyring is a mock sessionstore.Backend implementation.
-type mockKeyring struct {
-	credentials map[string]string // service name -> credential
-}
-
-const mockServiceName = "mock-service-name"
-
-func newMockKeyring() *mockKeyring {
-	return &mockKeyring{credentials: make(map[string]string)}
-}
-
-func (m *mockKeyring) Read(_ *url.URL) (string, error) {
-	cred, ok := m.credentials[mockServiceName]
-	if !ok {
-		return "", os.ErrNotExist
+// keyringTestServiceName generates a unique service name for keyring tests
+// using the test name and a nanosecond timestamp to prevent collisions.
+func keyringTestServiceName(t *testing.T) string {
+	t.Helper()
+	var n uint32
+	err := binary.Read(rand.Reader, binary.BigEndian, &n)
+	if err != nil {
+		t.Fatal(err)
 	}
-	return cred, nil
+	return fmt.Sprintf("%s_%v_%d", t.Name(), time.Now().UnixNano(), n)
 }
 
-func (m *mockKeyring) Write(_ *url.URL, token string) error {
-	m.credentials[mockServiceName] = token
-	return nil
+type keyringTestEnv struct {
+	serviceName string
+	keyring     sessionstore.Keyring
+	inv         *serpent.Invocation
+	cfg         config.Root
+	clientURL   *url.URL
 }
 
-func (m *mockKeyring) Delete(_ *url.URL) error {
-	_, ok := m.credentials[mockServiceName]
-	if !ok {
-		return os.ErrNotExist
-	}
-	delete(m.credentials, mockServiceName)
-	return nil
+func setupKeyringTestEnv(t *testing.T, clientURL string, args ...string) keyringTestEnv {
+	t.Helper()
+
+	var root cli.RootCmd
+
+	cmd, err := root.Command(root.AGPL())
+	require.NoError(t, err)
+
+	serviceName := keyringTestServiceName(t)
+	root.WithKeyringServiceName(serviceName)
+	root.UseKeyringWithGlobalConfig()
+
+	inv, cfg := clitest.NewWithDefaultKeyringCommand(t, cmd, args...)
+
+	parsedURL, err := url.Parse(clientURL)
+	require.NoError(t, err)
+
+	backend := sessionstore.NewKeyringWithService(serviceName)
+	t.Cleanup(func() {
+		_ = backend.Delete(parsedURL)
+	})
+
+	return keyringTestEnv{serviceName, backend, inv, cfg, parsedURL}
 }
 
 func TestUseKeyring(t *testing.T) {
-	// Verify that the --use-keyring flag opts into using a keyring backend for
-	// storing session tokens instead of plain text files.
+	// Verify that the --use-keyring flag default opts into using a keyring backend
+	// for storing session tokens instead of plain text files.
 	t.Parallel()
 
 	t.Run("Login", func(t *testing.T) {
 		t.Parallel()
 
+		if runtime.GOOS != "windows" && runtime.GOOS != "darwin" {
+			t.Skip("keyring is not supported on this OS")
+		}
+
 		// Create a test server
 		client := coderdtest.New(t, nil)
 		coderdtest.CreateFirstUser(t, client)
@@ -65,25 +88,16 @@ func TestUseKeyring(t *testing.T) {
 		// Create a pty for interactive prompts
 		pty := ptytest.New(t)
 
-		// Create CLI invocation with --use-keyring flag
-		inv, cfg := clitest.New(t,
+		// Create CLI invocation which defaults to using the keyring
+		env := setupKeyringTestEnv(t, client.URL.String(),
 			"login",
 			"--force-tty",
-			"--use-keyring",
 			"--no-open",
-			client.URL.String(),
-		)
+			client.URL.String())
+		inv := env.inv
 		inv.Stdin = pty.Input()
 		inv.Stdout = pty.Output()
 
-		// Inject the mock backend before running the command
-		var root cli.RootCmd
-		cmd, err := root.Command(root.AGPL())
-		require.NoError(t, err)
-		mockBackend := newMockKeyring()
-		root.WithSessionStorageBackend(mockBackend)
-		inv.Command = cmd
-
 		// Run login in background
 		doneChan := make(chan struct{})
 		go func() {
@@ -99,19 +113,23 @@ func TestUseKeyring(t *testing.T) {
 		<-doneChan
 
 		// Verify that session file was NOT created (using keyring instead)
-		sessionFile := path.Join(string(cfg), "session")
-		_, err = os.Stat(sessionFile)
+		sessionFile := path.Join(string(env.cfg), "session")
+		_, err := os.Stat(sessionFile)
 		require.True(t, os.IsNotExist(err), "session file should not exist when using keyring")
 
-		// Verify that the credential IS stored in mock keyring
-		cred, err := mockBackend.Read(nil)
-		require.NoError(t, err, "credential should be stored in mock keyring")
+		// Verify that the credential IS stored in OS keyring
+		cred, err := env.keyring.Read(env.clientURL)
+		require.NoError(t, err, "credential should be stored in OS keyring")
 		require.Equal(t, client.SessionToken(), cred, "stored token should match login token")
 	})
 
 	t.Run("Logout", func(t *testing.T) {
 		t.Parallel()
 
+		if runtime.GOOS != "windows" && runtime.GOOS != "darwin" {
+			t.Skip("keyring is not supported on this OS")
+		}
+
 		// Create a test server
 		client := coderdtest.New(t, nil)
 		coderdtest.CreateFirstUser(t, client)
@@ -119,25 +137,17 @@ func TestUseKeyring(t *testing.T) {
 		// Create a pty for interactive prompts
 		pty := ptytest.New(t)
 
-		// First, login with --use-keyring
-		loginInv, cfg := clitest.New(t,
+		// First, login with the keyring (default)
+		env := setupKeyringTestEnv(t, client.URL.String(),
 			"login",
 			"--force-tty",
-			"--use-keyring",
 			"--no-open",
 			client.URL.String(),
 		)
+		loginInv := env.inv
 		loginInv.Stdin = pty.Input()
 		loginInv.Stdout = pty.Output()
 
-		// Inject the mock backend
-		var loginRoot cli.RootCmd
-		loginCmd, err := loginRoot.Command(loginRoot.AGPL())
-		require.NoError(t, err)
-		mockBackend := newMockKeyring()
-		loginRoot.WithSessionStorageBackend(mockBackend)
-		loginInv.Command = loginCmd
-
 		doneChan := make(chan struct{})
 		go func() {
 			defer close(doneChan)
@@ -150,25 +160,23 @@ func TestUseKeyring(t *testing.T) {
 		pty.ExpectMatch("Welcome to Coder")
 		<-doneChan
 
-		// Verify credential exists in mock keyring
-		cred, err := mockBackend.Read(nil)
+		// Verify credential exists in OS keyring
+		cred, err := env.keyring.Read(env.clientURL)
 		require.NoError(t, err, "read credential should succeed before logout")
-		require.NotEmpty(t, cred, "credential should exist after logout")
+		require.NotEmpty(t, cred, "credential should exist before logout")
 
-		// Now run logout with --use-keyring
-		logoutInv, _ := clitest.New(t,
-			"logout",
-			"--use-keyring",
-			"--yes",
-			"--global-config", string(cfg),
-		)
-
-		// Inject the same mock backend
+		// Now logout using the same keyring service name
 		var logoutRoot cli.RootCmd
 		logoutCmd, err := logoutRoot.Command(logoutRoot.AGPL())
 		require.NoError(t, err)
-		logoutRoot.WithSessionStorageBackend(mockBackend)
-		logoutInv.Command = logoutCmd
+		logoutRoot.WithKeyringServiceName(env.serviceName)
+		logoutRoot.UseKeyringWithGlobalConfig()
+
+		logoutInv, _ := clitest.NewWithDefaultKeyringCommand(t, logoutCmd,
+			"logout",
+			"--yes",
+			"--global-config", string(env.cfg),
+		)
 
 		var logoutOut bytes.Buffer
 		logoutInv.Stdout = &logoutOut
@@ -176,14 +184,18 @@ func TestUseKeyring(t *testing.T) {
 		err = logoutInv.Run()
 		require.NoError(t, err, "logout should succeed")
 
-		// Verify the credential was deleted from mock keyring
-		_, err = mockBackend.Read(nil)
+		// Verify the credential was deleted from OS keyring
+		_, err = env.keyring.Read(env.clientURL)
 		require.ErrorIs(t, err, os.ErrNotExist, "credential should be deleted from keyring after logout")
 	})
 
-	t.Run("OmitFlag", func(t *testing.T) {
+	t.Run("DefaultFileStorage", func(t *testing.T) {
 		t.Parallel()
 
+		if runtime.GOOS != "linux" {
+			t.Skip("file storage is the default for Linux")
+		}
+
 		// Create a test server
 		client := coderdtest.New(t, nil)
 		coderdtest.CreateFirstUser(t, client)
@@ -191,13 +203,13 @@ func TestUseKeyring(t *testing.T) {
 		// Create a pty for interactive prompts
 		pty := ptytest.New(t)
 
-		// --use-keyring flag omitted (should use file-based storage)
-		inv, cfg := clitest.New(t,
+		env := setupKeyringTestEnv(t, client.URL.String(),
 			"login",
 			"--force-tty",
 			"--no-open",
 			client.URL.String(),
 		)
+		inv := env.inv
 		inv.Stdin = pty.Input()
 		inv.Stdout = pty.Output()
 
@@ -214,9 +226,9 @@ func TestUseKeyring(t *testing.T) {
 		<-doneChan
 
 		// Verify that session file WAS created (not using keyring)
-		sessionFile := path.Join(string(cfg), "session")
+		sessionFile := path.Join(string(env.cfg), "session")
 		_, err := os.Stat(sessionFile)
-		require.NoError(t, err, "session file should exist when NOT using --use-keyring")
+		require.NoError(t, err, "session file should exist when NOT using --use-keyring on Linux")
 
 		// Read and verify the token from file
 		content, err := os.ReadFile(sessionFile)
@@ -234,24 +246,18 @@ func TestUseKeyring(t *testing.T) {
 		// Create a pty for interactive prompts
 		pty := ptytest.New(t)
 
-		// Login using CODER_USE_KEYRING environment variable instead of flag
-		inv, cfg := clitest.New(t,
+		// Login using CODER_USE_KEYRING environment variable set to disable keyring usage,
+		// which should have the same behavior on all platforms.
+		env := setupKeyringTestEnv(t, client.URL.String(),
 			"login",
 			"--force-tty",
 			"--no-open",
 			client.URL.String(),
 		)
+		inv := env.inv
 		inv.Stdin = pty.Input()
 		inv.Stdout = pty.Output()
-		inv.Environ.Set("CODER_USE_KEYRING", "true")
-
-		// Inject the mock backend
-		var root cli.RootCmd
-		cmd, err := root.Command(root.AGPL())
-		require.NoError(t, err)
-		mockBackend := newMockKeyring()
-		root.WithSessionStorageBackend(mockBackend)
-		inv.Command = cmd
+		inv.Environ.Set("CODER_USE_KEYRING", "false")
 
 		doneChan := make(chan struct{})
 		go func() {
@@ -265,21 +271,64 @@ func TestUseKeyring(t *testing.T) {
 		pty.ExpectMatch("Welcome to Coder")
 		<-doneChan
 
-		// Verify that session file was NOT created (using keyring via env var)
-		sessionFile := path.Join(string(cfg), "session")
-		_, err = os.Stat(sessionFile)
-		require.True(t, os.IsNotExist(err), "session file should not exist when using keyring via env var")
+		// Verify that session file WAS created (not using keyring)
+		sessionFile := path.Join(string(env.cfg), "session")
+		_, err := os.Stat(sessionFile)
+		require.NoError(t, err, "session file should exist when CODER_USE_KEYRING set to false")
 
-		// Verify credential is in mock keyring
-		cred, err := mockBackend.Read(nil)
-		require.NoError(t, err, "credential should be stored in keyring when CODER_USE_KEYRING=true")
-		require.NotEmpty(t, cred)
+		// Read and verify the token from file
+		content, err := os.ReadFile(sessionFile)
+		require.NoError(t, err, "should be able to read session file")
+		require.Equal(t, client.SessionToken(), string(content), "file should contain the session token")
+	})
+
+	t.Run("DisableKeyringWithFlag", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, nil)
+		coderdtest.CreateFirstUser(t, client)
+		pty := ptytest.New(t)
+
+		// Login with --use-keyring=false to explicitly disable keyring usage, which
+		// should have the same behavior on all platforms.
+		env := setupKeyringTestEnv(t, client.URL.String(),
+			"login",
+			"--use-keyring=false",
+			"--force-tty",
+			"--no-open",
+			client.URL.String(),
+		)
+		inv := env.inv
+		inv.Stdin = pty.Input()
+		inv.Stdout = pty.Output()
+
+		doneChan := make(chan struct{})
+		go func() {
+			defer close(doneChan)
+			err := inv.Run()
+			assert.NoError(t, err)
+		}()
+
+		pty.ExpectMatch("Paste your token here:")
+		pty.WriteLine(client.SessionToken())
+		pty.ExpectMatch("Welcome to Coder")
+		<-doneChan
+
+		// Verify that session file WAS created (not using keyring)
+		sessionFile := path.Join(string(env.cfg), "session")
+		_, err := os.Stat(sessionFile)
+		require.NoError(t, err, "session file should exist when --use-keyring=false is specified")
+
+		// Read and verify the token from file
+		content, err := os.ReadFile(sessionFile)
+		require.NoError(t, err, "should be able to read session file")
+		require.Equal(t, client.SessionToken(), string(content), "file should contain the session token")
 	})
 }
 
 func TestUseKeyringUnsupportedOS(t *testing.T) {
-	// Verify that trying to use --use-keyring on an unsupported operating system produces
-	// a helpful error message.
+	// Verify that on unsupported operating systems, file-based storage is used
+	// automatically even when --use-keyring is set to true (the default).
 	t.Parallel()
 
 	// Only run this on an unsupported OS.
@@ -287,43 +336,60 @@ func TestUseKeyringUnsupportedOS(t *testing.T) {
 		t.Skipf("Skipping unsupported OS test on %s where keyring is supported", runtime.GOOS)
 	}
 
-	const expMessage = "keyring storage is not supported on this operating system; remove the --use-keyring flag"
-
-	t.Run("LoginWithUnsupportedKeyring", func(t *testing.T) {
-		t.Parallel()
-
-		client := coderdtest.New(t, nil)
-		coderdtest.CreateFirstUser(t, client)
-
-		// Try to login with --use-keyring on an unsupported OS
-		inv, _ := clitest.New(t,
-			"login",
-			"--use-keyring",
-			client.URL.String(),
-		)
-
-		// The error should occur immediately, before any prompts
-		loginErr := inv.Run()
-
-		// Verify we got an error about unsupported OS
-		require.Error(t, loginErr)
-		require.Contains(t, loginErr.Error(), expMessage)
-	})
-
-	t.Run("LogoutWithUnsupportedKeyring", func(t *testing.T) {
+	t.Run("LoginWithDefaultKeyring", func(t *testing.T) {
 		t.Parallel()
 
 		client := coderdtest.New(t, nil)
 		coderdtest.CreateFirstUser(t, client)
 		pty := ptytest.New(t)
 
-		// First login without keyring to create a session
-		loginInv, cfg := clitest.New(t,
+		env := setupKeyringTestEnv(t, client.URL.String(),
 			"login",
 			"--force-tty",
 			"--no-open",
 			client.URL.String(),
 		)
+		inv := env.inv
+		inv.Stdin = pty.Input()
+		inv.Stdout = pty.Output()
+
+		doneChan := make(chan struct{})
+		go func() {
+			defer close(doneChan)
+			err := inv.Run()
+			assert.NoError(t, err)
+		}()
+
+		pty.ExpectMatch("Paste your token here:")
+		pty.WriteLine(client.SessionToken())
+		pty.ExpectMatch("Welcome to Coder")
+		<-doneChan
+
+		// Verify that session file WAS created (automatic fallback to file storage)
+		sessionFile := path.Join(string(env.cfg), "session")
+		_, err := os.Stat(sessionFile)
+		require.NoError(t, err, "session file should exist due to automatic fallback to file storage")
+
+		content, err := os.ReadFile(sessionFile)
+		require.NoError(t, err, "should be able to read session file")
+		require.Equal(t, client.SessionToken(), string(content), "file should contain the session token")
+	})
+
+	t.Run("LogoutWithDefaultKeyring", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, nil)
+		coderdtest.CreateFirstUser(t, client)
+		pty := ptytest.New(t)
+
+		// First login to create a session (will use file storage due to automatic fallback)
+		env := setupKeyringTestEnv(t, client.URL.String(),
+			"login",
+			"--force-tty",
+			"--no-open",
+			client.URL.String(),
+		)
+		loginInv := env.inv
 		loginInv.Stdin = pty.Input()
 		loginInv.Stdout = pty.Output()
 
@@ -339,17 +405,22 @@ func TestUseKeyringUnsupportedOS(t *testing.T) {
 		pty.ExpectMatch("Welcome to Coder")
 		<-doneChan
 
-		// Now try to logout with --use-keyring on an unsupported OS
-		logoutInv, _ := clitest.New(t,
+		// Verify session file exists
+		sessionFile := path.Join(string(env.cfg), "session")
+		_, err := os.Stat(sessionFile)
+		require.NoError(t, err, "session file should exist before logout")
+
+		// Now logout - should succeed and delete the file
+		logoutEnv := setupKeyringTestEnv(t, client.URL.String(),
 			"logout",
-			"--use-keyring",
 			"--yes",
-			"--global-config", string(cfg),
+			"--global-config", string(env.cfg),
 		)
 
-		err := logoutInv.Run()
-		// Verify we got an error about unsupported OS
-		require.Error(t, err)
-		require.Contains(t, err.Error(), expMessage)
+		err = logoutEnv.inv.Run()
+		require.NoError(t, err, "logout should succeed with automatic file storage fallback")
+
+		_, err = os.Stat(sessionFile)
+		require.True(t, os.IsNotExist(err), "session file should be deleted after logout")
 	})
 }

cli/login.go

@@ -154,9 +154,9 @@ func (r *RootCmd) login() *serpent.Command {
 	cmd := &serpent.Command{
 		Use:   "login [<url>]",
 		Short: "Authenticate with Coder deployment",
-		Long: "By default, the session token is stored in a plain text file. Use the " +
-			"--use-keyring flag or set CODER_USE_KEYRING=true to store the token in " +
-			"the operating system keyring instead.",
+		Long: "By default, the session token is stored in the operating system keyring on " +
+			"macOS and Windows and a plain text file on Linux. Use the --use-keyring flag " +
+			"or CODER_USE_KEYRING environment variable to change the storage mechanism.",
 		Middleware: serpent.RequireRangeArgs(0, 1),
 		Handler: func(inv *serpent.Invocation) error {
 			ctx := inv.Context()

cli/root.go

@@ -56,7 +56,7 @@ var (
 	// anything.
 	ErrSilent = xerrors.New("silent error")
 
-	errKeyringNotSupported = xerrors.New("keyring storage is not supported on this operating system; remove the --use-keyring flag to use file-based storage")
+	errKeyringNotSupported = xerrors.New("keyring storage is not supported on this operating system; omit --use-keyring to use file-based storage")
 )
 
 const (
@@ -104,6 +104,7 @@ func (r *RootCmd) CoreSubcommands() []*serpent.Command {
 		r.resetPassword(),
 		r.sharing(),
 		r.state(),
+		r.tasksCommand(),
 		r.templates(),
 		r.tokens(),
 		r.users(),
@@ -149,7 +150,7 @@ func (r *RootCmd) AGPLExperimental() []*serpent.Command {
 		r.mcpCommand(),
 		r.promptExample(),
 		r.rptyCommand(),
-		r.tasksCommand(),
+		r.syncCommand(),
 		r.boundary(),
 	}
 }
@@ -483,10 +484,12 @@ func (r *RootCmd) Command(subcommands []*serpent.Command) (*serpent.Command, err
 			Flag: varUseKeyring,
 			Env:  envUseKeyring,
 			Description: "Store and retrieve session tokens using the operating system " +
-				"keyring. Currently only supported on Windows. By default, tokens are " +
-				"stored in plain text files.",
-			Value: serpent.BoolOf(&r.useKeyring),
-			Group: globalGroup,
+				"keyring. This flag is ignored and file-based storage is used when " +
+				"--global-config is set or keyring usage is not supported on the current " +
+				"platform. Set to false to force file-based storage on supported platforms.",
+			Default: "true",
+			Value:   serpent.BoolOf(&r.useKeyring),
+			Group:   globalGroup,
 		},
 		{
 			Flag:        "debug-http",
@@ -534,10 +537,12 @@ type RootCmd struct {
 	disableDirect bool
 	debugHTTP     bool
 
-	disableNetworkTelemetry bool
-	noVersionCheck          bool
-	noFeatureWarning        bool
-	useKeyring              bool
+	disableNetworkTelemetry    bool
+	noVersionCheck             bool
+	noFeatureWarning           bool
+	useKeyring                 bool
+	keyringServiceName         string
+	useKeyringWithGlobalConfig bool
 }
 
 // InitClient creates and configures a new client with authentication, telemetry,
@@ -718,8 +723,19 @@ func (r *RootCmd) createUnauthenticatedClient(ctx context.Context, serverURL *ur
 // flag.
 func (r *RootCmd) ensureTokenBackend() sessionstore.Backend {
 	if r.tokenBackend == nil {
-		if r.useKeyring {
-			r.tokenBackend = sessionstore.NewKeyring()
+		// Checking for the --global-config directory being set is a bit wonky but necessary
+		// to allow extensions that invoke the CLI with this flag (e.g. VS code) to continue
+		// working without modification. In the future we should modify these extensions to
+		// either access the credential in the keyring (like Coder Desktop) or some other
+		// approach that doesn't rely on the session token being stored on disk.
+		assumeExtensionInUse := r.globalConfig != config.DefaultDir() && !r.useKeyringWithGlobalConfig
+		keyringSupported := runtime.GOOS == "windows" || runtime.GOOS == "darwin"
+		if r.useKeyring && !assumeExtensionInUse && keyringSupported {
+			serviceName := sessionstore.DefaultServiceName
+			if r.keyringServiceName != "" {
+				serviceName = r.keyringServiceName
+			}
+			r.tokenBackend = sessionstore.NewKeyringWithService(serviceName)
 		} else {
 			r.tokenBackend = sessionstore.NewFile(r.createConfig)
 		}
@@ -727,8 +743,18 @@ func (r *RootCmd) ensureTokenBackend() sessionstore.Backend {
 	return r.tokenBackend
 }
 
-func (r *RootCmd) WithSessionStorageBackend(backend sessionstore.Backend) {
-	r.tokenBackend = backend
+// WithKeyringServiceName sets a custom keyring service name for testing purposes.
+// This allows tests to use isolated keyring storage while still exercising the
+// genuine storage backend selection logic in ensureTokenBackend().
+func (r *RootCmd) WithKeyringServiceName(serviceName string) {
+	r.keyringServiceName = serviceName
+}
+
+// UseKeyringWithGlobalConfig enables the use of the keyring storage backend
+// when the --global-config directory is set. This is only intended as an override
+// for tests, which require specifying the global config directory for test isolation.
+func (r *RootCmd) UseKeyringWithGlobalConfig() {
+	r.useKeyringWithGlobalConfig = true
 }
 
 type AgentAuth struct {

cli/root_test.go

@@ -72,6 +72,31 @@ func TestCommandHelp(t *testing.T) {
 			Name: "coder provisioner jobs list --output json",
 			Cmd:  []string{"provisioner", "jobs", "list", "--output", "json"},
 		},
+		// TODO (SasSwart): Remove these once the sync commands are promoted out of experimental.
+		clitest.CommandHelpCase{
+			Name: "coder exp sync --help",
+			Cmd:  []string{"exp", "sync", "--help"},
+		},
+		clitest.CommandHelpCase{
+			Name: "coder exp sync ping --help",
+			Cmd:  []string{"exp", "sync", "ping", "--help"},
+		},
+		clitest.CommandHelpCase{
+			Name: "coder exp sync start --help",
+			Cmd:  []string{"exp", "sync", "start", "--help"},
+		},
+		clitest.CommandHelpCase{
+			Name: "coder exp sync want --help",
+			Cmd:  []string{"exp", "sync", "want", "--help"},
+		},
+		clitest.CommandHelpCase{
+			Name: "coder exp sync complete --help",
+			Cmd:  []string{"exp", "sync", "complete", "--help"},
+		},
+		clitest.CommandHelpCase{
+			Name: "coder exp sync status --help",
+			Cmd:  []string{"exp", "sync", "status", "--help"},
+		},
 	))
 }
 

cli/sessionstore/sessionstore.go

@@ -47,9 +47,9 @@ var (
 )
 
 const (
-	// defaultServiceName is the service name used in keyrings  for storing Coder CLI session
+	// DefaultServiceName is the service name used in keyrings for storing Coder CLI session
 	// tokens.
-	defaultServiceName = "coder-v2-credentials"
+	DefaultServiceName = "coder-v2-credentials"
 )
 
 // keyringProvider represents an operating system keyring. The expectation
@@ -108,17 +108,9 @@ type Keyring struct {
 	serviceName string
 }
 
-// NewKeyring creates a Keyring with the default service name for production use.
-func NewKeyring() Keyring {
-	return Keyring{
-		provider:    operatingSystemKeyring{},
-		serviceName: defaultServiceName,
-	}
-}
-
 // NewKeyringWithService creates a Keyring Backend that stores credentials under the
-// specified service name. This is primarily intended for testing to avoid conflicts
-// with production credentials and collisions between tests.
+// specified service name. Generally, DefaultServiceName should be provided as the service
+// name except in tests which may need parameterization to avoid conflicting keyring use.
 func NewKeyringWithService(serviceName string) Keyring {
 	return Keyring{
 		provider:    operatingSystemKeyring{},

cli/sync.go

@@ -0,0 +1,35 @@
+package cli
+
+import (
+	"github.com/coder/serpent"
+)
+
+func (r *RootCmd) syncCommand() *serpent.Command {
+	var socketPath string
+
+	cmd := &serpent.Command{
+		Use:   "sync",
+		Short: "Manage unit dependencies for coordinated startup",
+		Long:  "Commands for orchestrating unit startup order in workspaces. Units are most commonly coder scripts. Use these commands to declare dependencies between units, coordinate their startup sequence, and ensure units start only after their dependencies are ready. This helps prevent race conditions and startup failures.",
+		Handler: func(i *serpent.Invocation) error {
+			return i.Command.HelpHandler(i)
+		},
+		Children: []*serpent.Command{
+			r.syncPing(&socketPath),
+			r.syncStart(&socketPath),
+			r.syncWant(&socketPath),
+			r.syncComplete(&socketPath),
+			r.syncStatus(&socketPath),
+		},
+		Options: serpent.OptionSet{
+			{
+				Flag:        "socket-path",
+				Env:         "CODER_AGENT_SOCKET_PATH",
+				Description: "Specify the path for the agent socket.",
+				Value:       serpent.StringOf(&socketPath),
+			},
+		},
+	}
+
+	return cmd
+}

cli/sync_complete.go

@@ -0,0 +1,47 @@
+package cli
+
+import (
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/agent/agentsocket"
+	"github.com/coder/coder/v2/agent/unit"
+	"github.com/coder/coder/v2/cli/cliui"
+	"github.com/coder/serpent"
+)
+
+func (*RootCmd) syncComplete(socketPath *string) *serpent.Command {
+	cmd := &serpent.Command{
+		Use:   "complete <unit>",
+		Short: "Mark a unit as complete",
+		Long:  "Mark a unit as complete. Indicating to other units that it has completed its work. This allows units that depend on it to proceed with their startup.",
+		Handler: func(i *serpent.Invocation) error {
+			ctx := i.Context()
+
+			if len(i.Args) != 1 {
+				return xerrors.New("exactly one unit name is required")
+			}
+			unit := unit.ID(i.Args[0])
+
+			opts := []agentsocket.Option{}
+			if *socketPath != "" {
+				opts = append(opts, agentsocket.WithPath(*socketPath))
+			}
+
+			client, err := agentsocket.NewClient(ctx, opts...)
+			if err != nil {
+				return xerrors.Errorf("connect to agent socket: %w", err)
+			}
+			defer client.Close()
+
+			if err := client.SyncComplete(ctx, unit); err != nil {
+				return xerrors.Errorf("complete unit failed: %w", err)
+			}
+
+			cliui.Info(i.Stdout, "Success")
+
+			return nil
+		},
+	}
+
+	return cmd
+}

cli/sync_ping.go

@@ -0,0 +1,42 @@
+package cli
+
+import (
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/agent/agentsocket"
+	"github.com/coder/coder/v2/cli/cliui"
+	"github.com/coder/serpent"
+)
+
+func (*RootCmd) syncPing(socketPath *string) *serpent.Command {
+	cmd := &serpent.Command{
+		Use:   "ping",
+		Short: "Test agent socket connectivity and health",
+		Long:  "Test connectivity to the local Coder agent socket to verify the agent is running and responsive. Useful for troubleshooting startup issues or verifying the agent is accessible before running other sync commands.",
+		Handler: func(i *serpent.Invocation) error {
+			ctx := i.Context()
+
+			opts := []agentsocket.Option{}
+			if *socketPath != "" {
+				opts = append(opts, agentsocket.WithPath(*socketPath))
+			}
+
+			client, err := agentsocket.NewClient(ctx, opts...)
+			if err != nil {
+				return xerrors.Errorf("connect to agent socket: %w", err)
+			}
+			defer client.Close()
+
+			err = client.Ping(ctx)
+			if err != nil {
+				return xerrors.Errorf("ping failed: %w", err)
+			}
+
+			cliui.Info(i.Stdout, "Success")
+
+			return nil
+		},
+	}
+
+	return cmd
+}

cli/sync_start.go

@@ -0,0 +1,101 @@
+package cli
+
+import (
+	"context"
+	"time"
+
+	"golang.org/x/xerrors"
+
+	"github.com/coder/serpent"
+
+	"github.com/coder/coder/v2/agent/agentsocket"
+	"github.com/coder/coder/v2/agent/unit"
+	"github.com/coder/coder/v2/cli/cliui"
+)
+
+const (
+	syncPollInterval = 1 * time.Second
+)
+
+func (*RootCmd) syncStart(socketPath *string) *serpent.Command {
+	var timeout time.Duration
+
+	cmd := &serpent.Command{
+		Use:   "start <unit>",
+		Short: "Wait until all unit dependencies are satisfied",
+		Long:  "Wait until all dependencies are satisfied, consider the unit to have started, then allow it to proceed. This command polls until dependencies are ready, then marks the unit as started.",
+		Handler: func(i *serpent.Invocation) error {
+			ctx := i.Context()
+
+			if len(i.Args) != 1 {
+				return xerrors.New("exactly one unit name is required")
+			}
+			unitName := unit.ID(i.Args[0])
+
+			if timeout > 0 {
+				var cancel context.CancelFunc
+				ctx, cancel = context.WithTimeout(ctx, timeout)
+				defer cancel()
+			}
+
+			opts := []agentsocket.Option{}
+			if *socketPath != "" {
+				opts = append(opts, agentsocket.WithPath(*socketPath))
+			}
+
+			client, err := agentsocket.NewClient(ctx, opts...)
+			if err != nil {
+				return xerrors.Errorf("connect to agent socket: %w", err)
+			}
+			defer client.Close()
+
+			ready, err := client.SyncReady(ctx, unitName)
+			if err != nil {
+				return xerrors.Errorf("error checking dependencies: %w", err)
+			}
+
+			if !ready {
+				cliui.Infof(i.Stdout, "Waiting for dependencies of unit '%s' to be satisfied...", unitName)
+
+				ticker := time.NewTicker(syncPollInterval)
+				defer ticker.Stop()
+
+			pollLoop:
+				for {
+					select {
+					case <-ctx.Done():
+						if ctx.Err() == context.DeadlineExceeded {
+							return xerrors.Errorf("timeout waiting for dependencies of unit '%s'", unitName)
+						}
+						return ctx.Err()
+					case <-ticker.C:
+						ready, err := client.SyncReady(ctx, unitName)
+						if err != nil {
+							return xerrors.Errorf("error checking dependencies: %w", err)
+						}
+						if ready {
+							break pollLoop
+						}
+					}
+				}
+			}
+
+			if err := client.SyncStart(ctx, unitName); err != nil {
+				return xerrors.Errorf("start unit failed: %w", err)
+			}
+
+			cliui.Info(i.Stdout, "Success")
+
+			return nil
+		},
+	}
+
+	cmd.Options = append(cmd.Options, serpent.Option{
+		Flag:        "timeout",
+		Description: "Maximum time to wait for dependencies (e.g., 30s, 5m). 5m by default.",
+		Value:       serpent.DurationOf(&timeout),
+		Default:     "5m",
+	})
+
+	return cmd
+}

cli/sync_status.go

@@ -0,0 +1,88 @@
+package cli
+
+import (
+	"fmt"
+
+	"golang.org/x/xerrors"
+
+	"github.com/coder/serpent"
+
+	"github.com/coder/coder/v2/agent/agentsocket"
+	"github.com/coder/coder/v2/agent/unit"
+	"github.com/coder/coder/v2/cli/cliui"
+)
+
+func (*RootCmd) syncStatus(socketPath *string) *serpent.Command {
+	formatter := cliui.NewOutputFormatter(
+		cliui.ChangeFormatterData(
+			cliui.TableFormat(
+				[]agentsocket.DependencyInfo{},
+				[]string{
+					"depends on",
+					"required status",
+					"current status",
+					"satisfied",
+				},
+			),
+			func(data any) (any, error) {
+				resp, ok := data.(agentsocket.SyncStatusResponse)
+				if !ok {
+					return nil, xerrors.Errorf("expected agentsocket.SyncStatusResponse, got %T", data)
+				}
+				return resp.Dependencies, nil
+			}),
+		cliui.JSONFormat(),
+	)
+
+	cmd := &serpent.Command{
+		Use:   "status <unit>",
+		Short: "Show unit status and dependency state",
+		Long:  "Show the current status of a unit, whether it is ready to start, and lists its dependencies. Shows which dependencies are satisfied and which are still pending. Supports multiple output formats.",
+		Handler: func(i *serpent.Invocation) error {
+			ctx := i.Context()
+
+			if len(i.Args) != 1 {
+				return xerrors.New("exactly one unit name is required")
+			}
+			unit := unit.ID(i.Args[0])
+
+			opts := []agentsocket.Option{}
+			if *socketPath != "" {
+				opts = append(opts, agentsocket.WithPath(*socketPath))
+			}
+
+			client, err := agentsocket.NewClient(ctx, opts...)
+			if err != nil {
+				return xerrors.Errorf("connect to agent socket: %w", err)
+			}
+			defer client.Close()
+
+			statusResp, err := client.SyncStatus(ctx, unit)
+			if err != nil {
+				return xerrors.Errorf("get status failed: %w", err)
+			}
+
+			var out string
+			header := fmt.Sprintf("Unit: %s\nStatus: %s\nReady: %t\n\nDependencies:\n", unit, statusResp.Status, statusResp.IsReady)
+			if formatter.FormatID() == "table" && len(statusResp.Dependencies) == 0 {
+				out = header + "No dependencies found"
+			} else {
+				out, err = formatter.Format(ctx, statusResp)
+				if err != nil {
+					return xerrors.Errorf("format status: %w", err)
+				}
+
+				if formatter.FormatID() == "table" {
+					out = header + out
+				}
+			}
+
+			_, _ = fmt.Fprintln(i.Stdout, out)
+
+			return nil
+		},
+	}
+
+	formatter.AttachOptions(&cmd.Options)
+	return cmd
+}

cli/sync_test.go

@@ -0,0 +1,330 @@
+//go:build !windows
+
+package cli_test
+
+import (
+	"bytes"
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/v2/agent/agentsocket"
+	"github.com/coder/coder/v2/cli/clitest"
+	"github.com/coder/coder/v2/testutil"
+)
+
+// setupSocketServer creates an agentsocket server at a temporary path for testing.
+// Returns the socket path and a cleanup function. The path should be passed to
+// sync commands via the --socket-path flag.
+func setupSocketServer(t *testing.T) (path string, cleanup func()) {
+	t.Helper()
+
+	// Use a temporary socket path for each test
+	socketPath := filepath.Join(tempDirUnixSocket(t), "test.sock")
+
+	// Create parent directory if needed
+	parentDir := filepath.Dir(socketPath)
+	err := os.MkdirAll(parentDir, 0o700)
+	require.NoError(t, err, "create socket directory")
+
+	server, err := agentsocket.NewServer(
+		slog.Make().Leveled(slog.LevelDebug),
+		agentsocket.WithPath(socketPath),
+	)
+	require.NoError(t, err, "create socket server")
+
+	// Return cleanup function
+	return socketPath, func() {
+		err := server.Close()
+		require.NoError(t, err, "close socket server")
+		_ = os.Remove(socketPath)
+	}
+}
+
+func TestSyncCommands_Golden(t *testing.T) {
+	t.Parallel()
+
+	t.Run("ping", func(t *testing.T) {
+		t.Parallel()
+		path, cleanup := setupSocketServer(t)
+		defer cleanup()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		var outBuf bytes.Buffer
+		inv, _ := clitest.New(t, "exp", "sync", "ping", "--socket-path", path)
+		inv.Stdout = &outBuf
+		inv.Stderr = &outBuf
+
+		err := inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/ping_success", outBuf.Bytes(), nil)
+	})
+
+	t.Run("start_no_dependencies", func(t *testing.T) {
+		t.Parallel()
+		path, cleanup := setupSocketServer(t)
+		defer cleanup()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		var outBuf bytes.Buffer
+		inv, _ := clitest.New(t, "exp", "sync", "start", "test-unit", "--socket-path", path)
+		inv.Stdout = &outBuf
+		inv.Stderr = &outBuf
+
+		err := inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/start_no_dependencies", outBuf.Bytes(), nil)
+	})
+
+	t.Run("start_with_dependencies", func(t *testing.T) {
+		t.Parallel()
+		path, cleanup := setupSocketServer(t)
+		defer cleanup()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		// Set up dependency: test-unit depends on dep-unit
+		client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(path))
+		require.NoError(t, err)
+
+		// Declare dependency
+		err = client.SyncWant(ctx, "test-unit", "dep-unit")
+		require.NoError(t, err)
+		client.Close()
+
+		// Start a goroutine to complete the dependency after a short delay
+		// This simulates the dependency being satisfied while start is waiting
+		// The delay ensures the "Waiting..." message appears in the output
+		done := make(chan error, 1)
+		go func() {
+			// Wait a moment to let the start command begin waiting and print the message
+			time.Sleep(100 * time.Millisecond)
+
+			compCtx := context.Background()
+			compClient, err := agentsocket.NewClient(compCtx, agentsocket.WithPath(path))
+			if err != nil {
+				done <- err
+				return
+			}
+			defer compClient.Close()
+
+			// Start and complete the dependency unit
+			err = compClient.SyncStart(compCtx, "dep-unit")
+			if err != nil {
+				done <- err
+				return
+			}
+			err = compClient.SyncComplete(compCtx, "dep-unit")
+			done <- err
+		}()
+
+		var outBuf bytes.Buffer
+		inv, _ := clitest.New(t, "exp", "sync", "start", "test-unit", "--socket-path", path)
+		inv.Stdout = &outBuf
+		inv.Stderr = &outBuf
+
+		// Run the start command - it should wait for the dependency
+		err = inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		// Ensure the completion goroutine finished
+		select {
+		case err := <-done:
+			require.NoError(t, err, "complete dependency")
+		case <-time.After(time.Second):
+			// Goroutine should have finished by now
+		}
+
+		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/start_with_dependencies", outBuf.Bytes(), nil)
+	})
+
+	t.Run("want", func(t *testing.T) {
+		t.Parallel()
+		path, cleanup := setupSocketServer(t)
+		defer cleanup()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		var outBuf bytes.Buffer
+		inv, _ := clitest.New(t, "exp", "sync", "want", "test-unit", "dep-unit", "--socket-path", path)
+		inv.Stdout = &outBuf
+		inv.Stderr = &outBuf
+
+		err := inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/want_success", outBuf.Bytes(), nil)
+	})
+
+	t.Run("complete", func(t *testing.T) {
+		t.Parallel()
+		path, cleanup := setupSocketServer(t)
+		defer cleanup()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		// First start the unit
+		client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(path))
+		require.NoError(t, err)
+		err = client.SyncStart(ctx, "test-unit")
+		require.NoError(t, err)
+		client.Close()
+
+		var outBuf bytes.Buffer
+		inv, _ := clitest.New(t, "exp", "sync", "complete", "test-unit", "--socket-path", path)
+		inv.Stdout = &outBuf
+		inv.Stderr = &outBuf
+
+		err = inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/complete_success", outBuf.Bytes(), nil)
+	})
+
+	t.Run("status_pending", func(t *testing.T) {
+		t.Parallel()
+		path, cleanup := setupSocketServer(t)
+		defer cleanup()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		// Set up a unit with unsatisfied dependency
+		client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(path))
+		require.NoError(t, err)
+		err = client.SyncWant(ctx, "test-unit", "dep-unit")
+		require.NoError(t, err)
+		client.Close()
+
+		var outBuf bytes.Buffer
+		inv, _ := clitest.New(t, "exp", "sync", "status", "test-unit", "--socket-path", path)
+		inv.Stdout = &outBuf
+		inv.Stderr = &outBuf
+
+		err = inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/status_pending", outBuf.Bytes(), nil)
+	})
+
+	t.Run("status_started", func(t *testing.T) {
+		t.Parallel()
+		path, cleanup := setupSocketServer(t)
+		defer cleanup()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		// Start a unit
+		client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(path))
+		require.NoError(t, err)
+		err = client.SyncStart(ctx, "test-unit")
+		require.NoError(t, err)
+		client.Close()
+
+		var outBuf bytes.Buffer
+		inv, _ := clitest.New(t, "exp", "sync", "status", "test-unit", "--socket-path", path)
+		inv.Stdout = &outBuf
+		inv.Stderr = &outBuf
+
+		err = inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/status_started", outBuf.Bytes(), nil)
+	})
+
+	t.Run("status_completed", func(t *testing.T) {
+		t.Parallel()
+		path, cleanup := setupSocketServer(t)
+		defer cleanup()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		// Start and complete a unit
+		client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(path))
+		require.NoError(t, err)
+		err = client.SyncStart(ctx, "test-unit")
+		require.NoError(t, err)
+		err = client.SyncComplete(ctx, "test-unit")
+		require.NoError(t, err)
+		client.Close()
+
+		var outBuf bytes.Buffer
+		inv, _ := clitest.New(t, "exp", "sync", "status", "test-unit", "--socket-path", path)
+		inv.Stdout = &outBuf
+		inv.Stderr = &outBuf
+
+		err = inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/status_completed", outBuf.Bytes(), nil)
+	})
+
+	t.Run("status_with_dependencies", func(t *testing.T) {
+		t.Parallel()
+		path, cleanup := setupSocketServer(t)
+		defer cleanup()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		// Set up a unit with dependencies, some satisfied, some not
+		client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(path))
+		require.NoError(t, err)
+		err = client.SyncWant(ctx, "test-unit", "dep-1")
+		require.NoError(t, err)
+		err = client.SyncWant(ctx, "test-unit", "dep-2")
+		require.NoError(t, err)
+		// Complete dep-1, leave dep-2 incomplete
+		err = client.SyncStart(ctx, "dep-1")
+		require.NoError(t, err)
+		err = client.SyncComplete(ctx, "dep-1")
+		require.NoError(t, err)
+		client.Close()
+
+		var outBuf bytes.Buffer
+		inv, _ := clitest.New(t, "exp", "sync", "status", "test-unit", "--socket-path", path)
+		inv.Stdout = &outBuf
+		inv.Stderr = &outBuf
+
+		err = inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/status_with_dependencies", outBuf.Bytes(), nil)
+	})
+
+	t.Run("status_json_format", func(t *testing.T) {
+		t.Parallel()
+		path, cleanup := setupSocketServer(t)
+		defer cleanup()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		// Set up a unit with dependencies
+		client, err := agentsocket.NewClient(ctx, agentsocket.WithPath(path))
+		require.NoError(t, err)
+		err = client.SyncWant(ctx, "test-unit", "dep-unit")
+		require.NoError(t, err)
+		err = client.SyncStart(ctx, "dep-unit")
+		require.NoError(t, err)
+		err = client.SyncComplete(ctx, "dep-unit")
+		require.NoError(t, err)
+		client.Close()
+
+		var outBuf bytes.Buffer
+		inv, _ := clitest.New(t, "exp", "sync", "status", "test-unit", "--output", "json", "--socket-path", path)
+		inv.Stdout = &outBuf
+		inv.Stderr = &outBuf
+
+		err = inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		clitest.TestGoldenFile(t, "TestSyncCommands_Golden/status_json_format", outBuf.Bytes(), nil)
+	})
+}

cli/sync_want.go

@@ -0,0 +1,49 @@
+package cli
+
+import (
+	"golang.org/x/xerrors"
+
+	"github.com/coder/serpent"
+
+	"github.com/coder/coder/v2/agent/agentsocket"
+	"github.com/coder/coder/v2/agent/unit"
+	"github.com/coder/coder/v2/cli/cliui"
+)
+
+func (*RootCmd) syncWant(socketPath *string) *serpent.Command {
+	cmd := &serpent.Command{
+		Use:   "want <unit> <depends-on>",
+		Short: "Declare that a unit depends on another unit completing before it can start",
+		Long:  "Declare that a unit depends on another unit completing before it can start. The unit specified first will not start until the second has signaled that it has completed.",
+		Handler: func(i *serpent.Invocation) error {
+			ctx := i.Context()
+
+			if len(i.Args) != 2 {
+				return xerrors.New("exactly two arguments are required: unit and depends-on")
+			}
+			dependentUnit := unit.ID(i.Args[0])
+			dependsOn := unit.ID(i.Args[1])
+
+			opts := []agentsocket.Option{}
+			if *socketPath != "" {
+				opts = append(opts, agentsocket.WithPath(*socketPath))
+			}
+
+			client, err := agentsocket.NewClient(ctx, opts...)
+			if err != nil {
+				return xerrors.Errorf("connect to agent socket: %w", err)
+			}
+			defer client.Close()
+
+			if err := client.SyncWant(ctx, dependentUnit, dependsOn); err != nil {
+				return xerrors.Errorf("declare dependency failed: %w", err)
+			}
+
+			cliui.Info(i.Stdout, "Success")
+
+			return nil
+		},
+	}
+
+	return cmd
+}

cli/task.go

@@ -8,7 +8,7 @@ func (r *RootCmd) tasksCommand() *serpent.Command {
 	cmd := &serpent.Command{
 		Use:     "task",
 		Aliases: []string{"tasks"},
-		Short:   "Experimental task commands.",
+		Short:   "Manage tasks",
 		Handler: func(i *serpent.Invocation) error {
 			return i.Command.HelpHandler(i)
 		},

cli/task_create.go

@@ -28,27 +28,27 @@ func (r *RootCmd) taskCreate() *serpent.Command {
 
 	cmd := &serpent.Command{
 		Use:   "create [input]",
-		Short: "Create an experimental task",
+		Short: "Create a task",
 		Long: FormatExamples(
 			Example{
 				Description: "Create a task with direct input",
-				Command:     "coder exp task create \"Add authentication to the user service\"",
+				Command:     "coder task create \"Add authentication to the user service\"",
 			},
 			Example{
 				Description: "Create a task with stdin input",
-				Command:     "echo \"Add authentication to the user service\" | coder exp task create",
+				Command:     "echo \"Add authentication to the user service\" | coder task create",
 			},
 			Example{
 				Description: "Create a task with a specific name",
-				Command:     "coder exp task create --name task1 \"Add authentication to the user service\"",
+				Command:     "coder task create --name task1 \"Add authentication to the user service\"",
 			},
 			Example{
 				Description: "Create a task from a specific template / preset",
-				Command:     "coder exp task create --template backend-dev --preset \"My Preset\" \"Add authentication to the user service\"",
+				Command:     "coder task create --template backend-dev --preset \"My Preset\" \"Add authentication to the user service\"",
 			},
 			Example{
 				Description: "Create a task for another user (requires appropriate permissions)",
-				Command:     "coder exp task create --owner user@example.com \"Add authentication to the user service\"",
+				Command:     "coder task create --owner user@example.com \"Add authentication to the user service\"",
 			},
 		),
 		Middleware: serpent.Chain(
@@ -111,8 +111,7 @@ func (r *RootCmd) taskCreate() *serpent.Command {
 			}
 
 			var (
-				ctx       = inv.Context()
-				expClient = codersdk.NewExperimentalClient(client)
+				ctx = inv.Context()
 
 				taskInput               string
 				templateVersionID       uuid.UUID
@@ -208,7 +207,7 @@ func (r *RootCmd) taskCreate() *serpent.Command {
 				templateVersionPresetID = preset.ID
 			}
 
-			task, err := expClient.CreateTask(ctx, ownerArg, codersdk.CreateTaskRequest{
+			task, err := client.CreateTask(ctx, ownerArg, codersdk.CreateTaskRequest{
 				Name:                    taskName,
 				TemplateVersionID:       templateVersionID,
 				TemplateVersionPresetID: templateVersionPresetID,

cli/task_create_test.go

@@ -69,7 +69,7 @@ func TestTaskCreate(t *testing.T) {
 						ActiveVersionID: templateVersionID,
 					},
 				})
-			case fmt.Sprintf("/api/experimental/tasks/%s", username):
+			case fmt.Sprintf("/api/v2/tasks/%s", username):
 				var req codersdk.CreateTaskRequest
 				if !httpapi.Read(ctx, w, r, &req) {
 					return
@@ -329,7 +329,7 @@ func TestTaskCreate(t *testing.T) {
 				ctx    = testutil.Context(t, testutil.WaitShort)
 				srv    = httptest.NewServer(tt.handler(t, ctx))
 				client = codersdk.New(testutil.MustURL(t, srv.URL))
-				args   = []string{"exp", "task", "create"}
+				args   = []string{"task", "create"}
 				sb     strings.Builder
 				err    error
 			)

cli/task_delete.go

@@ -17,19 +17,19 @@ import (
 func (r *RootCmd) taskDelete() *serpent.Command {
 	cmd := &serpent.Command{
 		Use:   "delete <task> [<task> ...]",
-		Short: "Delete experimental tasks",
+		Short: "Delete tasks",
 		Long: FormatExamples(
 			Example{
 				Description: "Delete a single task.",
-				Command:     "$ coder exp task delete task1",
+				Command:     "$ coder task delete task1",
 			},
 			Example{
 				Description: "Delete multiple tasks.",
-				Command:     "$ coder exp task delete task1 task2 task3",
+				Command:     "$ coder task delete task1 task2 task3",
 			},
 			Example{
 				Description: "Delete a task without confirmation.",
-				Command:     "$ coder exp task delete task4 --yes",
+				Command:     "$ coder task delete task4 --yes",
 			},
 		),
 		Middleware: serpent.Chain(
@@ -44,11 +44,10 @@ func (r *RootCmd) taskDelete() *serpent.Command {
 			if err != nil {
 				return err
 			}
-			exp := codersdk.NewExperimentalClient(client)
 
 			var tasks []codersdk.Task
 			for _, identifier := range inv.Args {
-				task, err := exp.TaskByIdentifier(ctx, identifier)
+				task, err := client.TaskByIdentifier(ctx, identifier)
 				if err != nil {
 					return xerrors.Errorf("resolve task %q: %w", identifier, err)
 				}
@@ -71,7 +70,7 @@ func (r *RootCmd) taskDelete() *serpent.Command {
 
 			for i, task := range tasks {
 				display := displayList[i]
-				if err := exp.DeleteTask(ctx, task.OwnerName, task.ID); err != nil {
+				if err := client.DeleteTask(ctx, task.OwnerName, task.ID); err != nil {
 					return xerrors.Errorf("delete task %q: %w", display, err)
 				}
 				_, _ = fmt.Fprintln(

cli/task_delete_test.go

@@ -56,7 +56,7 @@ func TestExpTaskDelete(t *testing.T) {
 				taskID := uuid.MustParse(id1)
 				return func(w http.ResponseWriter, r *http.Request) {
 					switch {
-					case r.Method == http.MethodGet && r.URL.Path == "/api/experimental/tasks/me/exists":
+					case r.Method == http.MethodGet && r.URL.Path == "/api/v2/tasks/me/exists":
 						c.nameResolves.Add(1)
 						httpapi.Write(r.Context(), w, http.StatusOK,
 							codersdk.Task{
@@ -64,7 +64,7 @@ func TestExpTaskDelete(t *testing.T) {
 								Name:      "exists",
 								OwnerName: "me",
 							})
-					case r.Method == http.MethodDelete && r.URL.Path == "/api/experimental/tasks/me/"+id1:
+					case r.Method == http.MethodDelete && r.URL.Path == "/api/v2/tasks/me/"+id1:
 						c.deleteCalls.Add(1)
 						w.WriteHeader(http.StatusAccepted)
 					default:
@@ -82,13 +82,13 @@ func TestExpTaskDelete(t *testing.T) {
 			buildHandler: func(c *testCounters) http.HandlerFunc {
 				return func(w http.ResponseWriter, r *http.Request) {
 					switch {
-					case r.Method == http.MethodGet && r.URL.Path == "/api/experimental/tasks/me/"+id2:
+					case r.Method == http.MethodGet && r.URL.Path == "/api/v2/tasks/me/"+id2:
 						httpapi.Write(r.Context(), w, http.StatusOK, codersdk.Task{
 							ID:        uuid.MustParse(id2),
 							OwnerName: "me",
 							Name:      "uuid-task",
 						})
-					case r.Method == http.MethodDelete && r.URL.Path == "/api/experimental/tasks/me/"+id2:
+					case r.Method == http.MethodDelete && r.URL.Path == "/api/v2/tasks/me/"+id2:
 						c.deleteCalls.Add(1)
 						w.WriteHeader(http.StatusAccepted)
 					default:
@@ -104,24 +104,24 @@ func TestExpTaskDelete(t *testing.T) {
 			buildHandler: func(c *testCounters) http.HandlerFunc {
 				return func(w http.ResponseWriter, r *http.Request) {
 					switch {
-					case r.Method == http.MethodGet && r.URL.Path == "/api/experimental/tasks/me/first":
+					case r.Method == http.MethodGet && r.URL.Path == "/api/v2/tasks/me/first":
 						c.nameResolves.Add(1)
 						httpapi.Write(r.Context(), w, http.StatusOK, codersdk.Task{
 							ID:        uuid.MustParse(id3),
 							Name:      "first",
 							OwnerName: "me",
 						})
-					case r.Method == http.MethodGet && r.URL.Path == "/api/experimental/tasks/me/"+id4:
+					case r.Method == http.MethodGet && r.URL.Path == "/api/v2/tasks/me/"+id4:
 						c.nameResolves.Add(1)
 						httpapi.Write(r.Context(), w, http.StatusOK, codersdk.Task{
 							ID:        uuid.MustParse(id4),
 							OwnerName: "me",
 							Name:      "uuid-task-4",
 						})
-					case r.Method == http.MethodDelete && r.URL.Path == "/api/experimental/tasks/me/"+id3:
+					case r.Method == http.MethodDelete && r.URL.Path == "/api/v2/tasks/me/"+id3:
 						c.deleteCalls.Add(1)
 						w.WriteHeader(http.StatusAccepted)
-					case r.Method == http.MethodDelete && r.URL.Path == "/api/experimental/tasks/me/"+id4:
+					case r.Method == http.MethodDelete && r.URL.Path == "/api/v2/tasks/me/"+id4:
 						c.deleteCalls.Add(1)
 						w.WriteHeader(http.StatusAccepted)
 					default:
@@ -140,7 +140,7 @@ func TestExpTaskDelete(t *testing.T) {
 			buildHandler: func(_ *testCounters) http.HandlerFunc {
 				return func(w http.ResponseWriter, r *http.Request) {
 					switch {
-					case r.Method == http.MethodGet && r.URL.Path == "/api/experimental/tasks" && r.URL.Query().Get("q") == "owner:\"me\"":
+					case r.Method == http.MethodGet && r.URL.Path == "/api/v2/tasks" && r.URL.Query().Get("q") == "owner:\"me\"":
 						httpapi.Write(r.Context(), w, http.StatusOK, struct {
 							Tasks []codersdk.Task `json:"tasks"`
 							Count int             `json:"count"`
@@ -163,14 +163,14 @@ func TestExpTaskDelete(t *testing.T) {
 				taskID := uuid.MustParse(id5)
 				return func(w http.ResponseWriter, r *http.Request) {
 					switch {
-					case r.Method == http.MethodGet && r.URL.Path == "/api/experimental/tasks/me/bad":
+					case r.Method == http.MethodGet && r.URL.Path == "/api/v2/tasks/me/bad":
 						c.nameResolves.Add(1)
 						httpapi.Write(r.Context(), w, http.StatusOK, codersdk.Task{
 							ID:        taskID,
 							Name:      "bad",
 							OwnerName: "me",
 						})
-					case r.Method == http.MethodDelete && r.URL.Path == "/api/experimental/tasks/me/bad":
+					case r.Method == http.MethodDelete && r.URL.Path == "/api/v2/tasks/me/bad":
 						httpapi.InternalServerError(w, xerrors.New("boom"))
 					default:
 						httpapi.InternalServerError(w, xerrors.New("unwanted path: "+r.Method+" "+r.URL.Path))
@@ -193,7 +193,7 @@ func TestExpTaskDelete(t *testing.T) {
 
 			client := codersdk.New(testutil.MustURL(t, srv.URL))
 
-			args := append([]string{"exp", "task", "delete"}, tc.args...)
+			args := append([]string{"task", "delete"}, tc.args...)
 			inv, root := clitest.New(t, args...)
 			inv = inv.WithContext(ctx)
 			clitest.SetupConfig(t, client, root)

cli/task_list.go

@@ -69,27 +69,27 @@ func (r *RootCmd) taskList() *serpent.Command {
 
 	cmd := &serpent.Command{
 		Use:   "list",
-		Short: "List experimental tasks",
+		Short: "List tasks",
 		Long: FormatExamples(
 			Example{
 				Description: "List tasks for the current user.",
-				Command:     "coder exp task list",
+				Command:     "coder task list",
 			},
 			Example{
 				Description: "List tasks for a specific user.",
-				Command:     "coder exp task list --user someone-else",
+				Command:     "coder task list --user someone-else",
 			},
 			Example{
 				Description: "List all tasks you can view.",
-				Command:     "coder exp task list --all",
+				Command:     "coder task list --all",
 			},
 			Example{
 				Description: "List all your running tasks.",
-				Command:     "coder exp task list --status running",
+				Command:     "coder task list --status running",
 			},
 			Example{
 				Description: "As above, but only show IDs.",
-				Command:     "coder exp task list --status running --quiet",
+				Command:     "coder task list --status running --quiet",
 			},
 		),
 		Aliases: []string{"ls"},
@@ -135,14 +135,13 @@ func (r *RootCmd) taskList() *serpent.Command {
 			}
 
 			ctx := inv.Context()
-			exp := codersdk.NewExperimentalClient(client)
 
 			targetUser := strings.TrimSpace(user)
 			if targetUser == "" && !all {
 				targetUser = codersdk.Me
 			}
 
-			tasks, err := exp.Tasks(ctx, &codersdk.TasksFilter{
+			tasks, err := client.Tasks(ctx, &codersdk.TasksFilter{
 				Owner:  targetUser,
 				Status: codersdk.TaskStatus(statusFilter),
 			})

cli/task_list_test.go

@@ -69,7 +69,7 @@ func TestExpTaskList(t *testing.T) {
 		owner := coderdtest.CreateFirstUser(t, client)
 		memberClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
 
-		inv, root := clitest.New(t, "exp", "task", "list")
+		inv, root := clitest.New(t, "task", "list")
 		clitest.SetupConfig(t, memberClient, root)
 
 		pty := ptytest.New(t).Attach(inv)
@@ -93,7 +93,7 @@ func TestExpTaskList(t *testing.T) {
 		wantPrompt := "build me a web app"
 		task := makeAITask(t, db, owner.OrganizationID, owner.UserID, memberUser.ID, database.WorkspaceTransitionStart, wantPrompt)
 
-		inv, root := clitest.New(t, "exp", "task", "list", "--column", "id,name,status,initial prompt")
+		inv, root := clitest.New(t, "task", "list", "--column", "id,name,status,initial prompt")
 		clitest.SetupConfig(t, memberClient, root)
 
 		pty := ptytest.New(t).Attach(inv)
@@ -122,7 +122,7 @@ func TestExpTaskList(t *testing.T) {
 		pausedTask := makeAITask(t, db, owner.OrganizationID, owner.UserID, memberUser.ID, database.WorkspaceTransitionStop, "stop me please")
 
 		// Use JSON output to reliably validate filtering.
-		inv, root := clitest.New(t, "exp", "task", "list", "--status=paused", "--output=json")
+		inv, root := clitest.New(t, "task", "list", "--status=paused", "--output=json")
 		clitest.SetupConfig(t, memberClient, root)
 
 		ctx := testutil.Context(t, testutil.WaitShort)
@@ -153,7 +153,7 @@ func TestExpTaskList(t *testing.T) {
 		_ = makeAITask(t, db, owner.OrganizationID, owner.UserID, memberUser.ID, database.WorkspaceTransitionStart, "other-task")
 		task := makeAITask(t, db, owner.OrganizationID, owner.UserID, owner.UserID, database.WorkspaceTransitionStart, "me-task")
 
-		inv, root := clitest.New(t, "exp", "task", "list", "--user", "me")
+		inv, root := clitest.New(t, "task", "list", "--user", "me")
 		//nolint:gocritic // Owner client is intended here smoke test the member task not showing up.
 		clitest.SetupConfig(t, client, root)
 
@@ -180,7 +180,7 @@ func TestExpTaskList(t *testing.T) {
 		task2 := makeAITask(t, db, owner.OrganizationID, owner.UserID, memberUser.ID, database.WorkspaceTransitionStop, "stop me please")
 
 		// Given: We add the `--quiet` flag
-		inv, root := clitest.New(t, "exp", "task", "list", "--quiet")
+		inv, root := clitest.New(t, "task", "list", "--quiet")
 		clitest.SetupConfig(t, memberClient, root)
 
 		ctx := testutil.Context(t, testutil.WaitShort)
@@ -224,7 +224,7 @@ func TestExpTaskList_OwnerCanListOthers(t *testing.T) {
 		t.Parallel()
 
 		// As the owner, list only member A tasks.
-		inv, root := clitest.New(t, "exp", "task", "list", "--user", memberAUser.Username, "--output=json")
+		inv, root := clitest.New(t, "task", "list", "--user", memberAUser.Username, "--output=json")
 		//nolint:gocritic // Owner client is intended here to allow member tasks to be listed.
 		clitest.SetupConfig(t, ownerClient, root)
 
@@ -252,7 +252,7 @@ func TestExpTaskList_OwnerCanListOthers(t *testing.T) {
 
 		// As the owner, list all tasks to verify both member tasks are present.
 		// Use JSON output to reliably validate filtering.
-		inv, root := clitest.New(t, "exp", "task", "list", "--all", "--output=json")
+		inv, root := clitest.New(t, "task", "list", "--all", "--output=json")
 		//nolint:gocritic // Owner client is intended here to allow all tasks to be listed.
 		clitest.SetupConfig(t, ownerClient, root)
 

cli/task_logs.go

@@ -28,7 +28,7 @@ func (r *RootCmd) taskLogs() *serpent.Command {
 		Long: FormatExamples(
 			Example{
 				Description: "Show logs for a given task.",
-				Command:     "coder exp task logs task1",
+				Command:     "coder task logs task1",
 			}),
 		Middleware: serpent.Chain(
 			serpent.RequireNArgs(1),
@@ -41,16 +41,15 @@ func (r *RootCmd) taskLogs() *serpent.Command {
 
 			var (
 				ctx        = inv.Context()
-				exp        = codersdk.NewExperimentalClient(client)
 				identifier = inv.Args[0]
 			)
 
-			task, err := exp.TaskByIdentifier(ctx, identifier)
+			task, err := client.TaskByIdentifier(ctx, identifier)
 			if err != nil {
 				return xerrors.Errorf("resolve task %q: %w", identifier, err)
 			}
 
-			logs, err := exp.TaskLogs(ctx, codersdk.Me, task.ID)
+			logs, err := client.TaskLogs(ctx, codersdk.Me, task.ID)
 			if err != nil {
 				return xerrors.Errorf("get task logs: %w", err)
 			}

cli/task_logs_test.go

@@ -46,7 +46,7 @@ func Test_TaskLogs(t *testing.T) {
 		userClient := client // user already has access to their own workspace
 
 		var stdout strings.Builder
-		inv, root := clitest.New(t, "exp", "task", "logs", task.Name, "--output", "json")
+		inv, root := clitest.New(t, "task", "logs", task.Name, "--output", "json")
 		inv.Stdout = &stdout
 		clitest.SetupConfig(t, userClient, root)
 
@@ -72,7 +72,7 @@ func Test_TaskLogs(t *testing.T) {
 		userClient := client
 
 		var stdout strings.Builder
-		inv, root := clitest.New(t, "exp", "task", "logs", task.ID.String(), "--output", "json")
+		inv, root := clitest.New(t, "task", "logs", task.ID.String(), "--output", "json")
 		inv.Stdout = &stdout
 		clitest.SetupConfig(t, userClient, root)
 
@@ -98,7 +98,7 @@ func Test_TaskLogs(t *testing.T) {
 		userClient := client
 
 		var stdout strings.Builder
-		inv, root := clitest.New(t, "exp", "task", "logs", task.ID.String())
+		inv, root := clitest.New(t, "task", "logs", task.ID.String())
 		inv.Stdout = &stdout
 		clitest.SetupConfig(t, userClient, root)
 
@@ -121,7 +121,7 @@ func Test_TaskLogs(t *testing.T) {
 		userClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
 
 		var stdout strings.Builder
-		inv, root := clitest.New(t, "exp", "task", "logs", "doesnotexist")
+		inv, root := clitest.New(t, "task", "logs", "doesnotexist")
 		inv.Stdout = &stdout
 		clitest.SetupConfig(t, userClient, root)
 
@@ -139,7 +139,7 @@ func Test_TaskLogs(t *testing.T) {
 		userClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
 
 		var stdout strings.Builder
-		inv, root := clitest.New(t, "exp", "task", "logs", uuid.Nil.String())
+		inv, root := clitest.New(t, "task", "logs", uuid.Nil.String())
 		inv.Stdout = &stdout
 		clitest.SetupConfig(t, userClient, root)
 
@@ -155,7 +155,7 @@ func Test_TaskLogs(t *testing.T) {
 		client, task := setupCLITaskTest(ctx, t, fakeAgentAPITaskLogsErr(assert.AnError))
 		userClient := client
 
-		inv, root := clitest.New(t, "exp", "task", "logs", task.ID.String())
+		inv, root := clitest.New(t, "task", "logs", task.ID.String())
 		clitest.SetupConfig(t, userClient, root)
 
 		err := inv.WithContext(ctx).Run()

cli/task_send.go

@@ -17,10 +17,10 @@ func (r *RootCmd) taskSend() *serpent.Command {
 		Short: "Send input to a task",
 		Long: FormatExamples(Example{
 			Description: "Send direct input to a task.",
-			Command:     "coder exp task send task1 \"Please also add unit tests\"",
+			Command:     "coder task send task1 \"Please also add unit tests\"",
 		}, Example{
 			Description: "Send input from stdin to a task.",
-			Command:     "echo \"Please also add unit tests\" | coder exp task send task1 --stdin",
+			Command:     "echo \"Please also add unit tests\" | coder task send task1 --stdin",
 		}),
 		Middleware: serpent.RequireRangeArgs(1, 2),
 		Options: serpent.OptionSet{
@@ -39,7 +39,6 @@ func (r *RootCmd) taskSend() *serpent.Command {
 
 			var (
 				ctx        = inv.Context()
-				exp        = codersdk.NewExperimentalClient(client)
 				identifier = inv.Args[0]
 
 				taskInput string
@@ -60,12 +59,12 @@ func (r *RootCmd) taskSend() *serpent.Command {
 				taskInput = inv.Args[1]
 			}
 
-			task, err := exp.TaskByIdentifier(ctx, identifier)
+			task, err := client.TaskByIdentifier(ctx, identifier)
 			if err != nil {
 				return xerrors.Errorf("resolve task: %w", err)
 			}
 
-			if err = exp.TaskSend(ctx, codersdk.Me, task.ID, codersdk.TaskSendRequest{Input: taskInput}); err != nil {
+			if err = client.TaskSend(ctx, codersdk.Me, task.ID, codersdk.TaskSendRequest{Input: taskInput}); err != nil {
 				return xerrors.Errorf("send input to task: %w", err)
 			}
 

cli/task_send_test.go

@@ -30,7 +30,7 @@ func Test_TaskSend(t *testing.T) {
 		userClient := client
 
 		var stdout strings.Builder
-		inv, root := clitest.New(t, "exp", "task", "send", task.Name, "carry on with the task")
+		inv, root := clitest.New(t, "task", "send", task.Name, "carry on with the task")
 		inv.Stdout = &stdout
 		clitest.SetupConfig(t, userClient, root)
 
@@ -46,7 +46,7 @@ func Test_TaskSend(t *testing.T) {
 		userClient := client
 
 		var stdout strings.Builder
-		inv, root := clitest.New(t, "exp", "task", "send", task.ID.String(), "carry on with the task")
+		inv, root := clitest.New(t, "task", "send", task.ID.String(), "carry on with the task")
 		inv.Stdout = &stdout
 		clitest.SetupConfig(t, userClient, root)
 
@@ -62,7 +62,7 @@ func Test_TaskSend(t *testing.T) {
 		userClient := client
 
 		var stdout strings.Builder
-		inv, root := clitest.New(t, "exp", "task", "send", task.Name, "--stdin")
+		inv, root := clitest.New(t, "task", "send", task.Name, "--stdin")
 		inv.Stdout = &stdout
 		inv.Stdin = strings.NewReader("carry on with the task")
 		clitest.SetupConfig(t, userClient, root)
@@ -80,7 +80,7 @@ func Test_TaskSend(t *testing.T) {
 		userClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
 
 		var stdout strings.Builder
-		inv, root := clitest.New(t, "exp", "task", "send", "doesnotexist", "some task input")
+		inv, root := clitest.New(t, "task", "send", "doesnotexist", "some task input")
 		inv.Stdout = &stdout
 		clitest.SetupConfig(t, userClient, root)
 
@@ -98,7 +98,7 @@ func Test_TaskSend(t *testing.T) {
 		userClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
 
 		var stdout strings.Builder
-		inv, root := clitest.New(t, "exp", "task", "send", uuid.Nil.String(), "some task input")
+		inv, root := clitest.New(t, "task", "send", uuid.Nil.String(), "some task input")
 		inv.Stdout = &stdout
 		clitest.SetupConfig(t, userClient, root)
 
@@ -114,7 +114,7 @@ func Test_TaskSend(t *testing.T) {
 		userClient, task := setupCLITaskTest(ctx, t, fakeAgentAPITaskSendErr(t, assert.AnError))
 
 		var stdout strings.Builder
-		inv, root := clitest.New(t, "exp", "task", "send", task.Name, "some task input")
+		inv, root := clitest.New(t, "task", "send", task.Name, "some task input")
 		inv.Stdout = &stdout
 		clitest.SetupConfig(t, userClient, root)
 

cli/task_status.go

@@ -47,11 +47,11 @@ func (r *RootCmd) taskStatus() *serpent.Command {
 		Long: FormatExamples(
 			Example{
 				Description: "Show the status of a given task.",
-				Command:     "coder exp task status task1",
+				Command:     "coder task status task1",
 			},
 			Example{
 				Description: "Watch the status of a given task until it completes (idle or stopped).",
-				Command:     "coder exp task status task1 --watch",
+				Command:     "coder task status task1 --watch",
 			},
 		),
 		Use:     "status",
@@ -83,10 +83,9 @@ func (r *RootCmd) taskStatus() *serpent.Command {
 			}
 
 			ctx := i.Context()
-			exp := codersdk.NewExperimentalClient(client)
 			identifier := i.Args[0]
 
-			task, err := exp.TaskByIdentifier(ctx, identifier)
+			task, err := client.TaskByIdentifier(ctx, identifier)
 			if err != nil {
 				return err
 			}
@@ -107,7 +106,7 @@ func (r *RootCmd) taskStatus() *serpent.Command {
 			// TODO: implement streaming updates instead of polling
 			lastStatusRow := tsr
 			for range t.C {
-				task, err := exp.TaskByID(ctx, task.ID)
+				task, err := client.TaskByID(ctx, task.ID)
 				if err != nil {
 					return err
 				}

cli/task_status_test.go

@@ -36,7 +36,7 @@ func Test_TaskStatus(t *testing.T) {
 			hf: func(ctx context.Context, _ time.Time) func(w http.ResponseWriter, r *http.Request) {
 				return func(w http.ResponseWriter, r *http.Request) {
 					switch r.URL.Path {
-					case "/api/experimental/tasks/me/doesnotexist":
+					case "/api/v2/tasks/me/doesnotexist":
 						httpapi.ResourceNotFound(w)
 						return
 					default:
@@ -52,7 +52,7 @@ func Test_TaskStatus(t *testing.T) {
 			hf: func(ctx context.Context, now time.Time) func(w http.ResponseWriter, r *http.Request) {
 				return func(w http.ResponseWriter, r *http.Request) {
 					switch r.URL.Path {
-					case "/api/experimental/tasks/me/exists":
+					case "/api/v2/tasks/me/exists":
 						httpapi.Write(ctx, w, http.StatusOK, codersdk.Task{
 							ID:              uuid.MustParse("11111111-1111-1111-1111-111111111111"),
 							WorkspaceStatus: codersdk.WorkspaceStatusRunning,
@@ -88,7 +88,7 @@ func Test_TaskStatus(t *testing.T) {
 				var calls atomic.Int64
 				return func(w http.ResponseWriter, r *http.Request) {
 					switch r.URL.Path {
-					case "/api/experimental/tasks/me/exists":
+					case "/api/v2/tasks/me/exists":
 						httpapi.Write(ctx, w, http.StatusOK, codersdk.Task{
 							ID:              uuid.MustParse("11111111-1111-1111-1111-111111111111"),
 							Name:            "exists",
@@ -103,7 +103,7 @@ func Test_TaskStatus(t *testing.T) {
 							Status:                  codersdk.TaskStatusPending,
 						})
 						return
-					case "/api/experimental/tasks/me/11111111-1111-1111-1111-111111111111":
+					case "/api/v2/tasks/me/11111111-1111-1111-1111-111111111111":
 						defer calls.Add(1)
 						switch calls.Load() {
 						case 0:
@@ -189,6 +189,7 @@ func Test_TaskStatus(t *testing.T) {
   "owner_id": "00000000-0000-0000-0000-000000000000",
   "owner_name": "me",
   "name": "exists",
+  "display_name": "Task exists",
   "template_id": "00000000-0000-0000-0000-000000000000",
   "template_version_id": "00000000-0000-0000-0000-000000000000",
   "template_name": "",
@@ -218,11 +219,12 @@ func Test_TaskStatus(t *testing.T) {
 				ts := time.Date(2025, 8, 26, 12, 34, 56, 0, time.UTC)
 				return func(w http.ResponseWriter, r *http.Request) {
 					switch r.URL.Path {
-					case "/api/experimental/tasks/me/exists":
+					case "/api/v2/tasks/me/exists":
 						httpapi.Write(ctx, w, http.StatusOK, codersdk.Task{
-							ID:        uuid.MustParse("11111111-1111-1111-1111-111111111111"),
-							Name:      "exists",
-							OwnerName: "me",
+							ID:          uuid.MustParse("11111111-1111-1111-1111-111111111111"),
+							Name:        "exists",
+							DisplayName: "Task exists",
+							OwnerName:   "me",
 							WorkspaceAgentHealth: &codersdk.WorkspaceAgentHealth{
 								Healthy: true,
 							},
@@ -254,7 +256,7 @@ func Test_TaskStatus(t *testing.T) {
 				srv    = httptest.NewServer(http.HandlerFunc(tc.hf(ctx, now)))
 				client = codersdk.New(testutil.MustURL(t, srv.URL))
 				sb     = strings.Builder{}
-				args   = []string{"exp", "task", "status", "--watch-interval", testutil.IntervalFast.String()}
+				args   = []string{"task", "status", "--watch-interval", testutil.IntervalFast.String()}
 			)
 
 			t.Cleanup(srv.Close)

cli/task_test.go

@@ -60,14 +60,14 @@ func Test_Tasks(t *testing.T) {
 	}{
 		{
 			name:    "create task",
-			cmdArgs: []string{"exp", "task", "create", "test task input for " + t.Name(), "--name", taskName, "--template", taskTpl.Name},
+			cmdArgs: []string{"task", "create", "test task input for " + t.Name(), "--name", taskName, "--template", taskTpl.Name},
 			assertFn: func(stdout string, userClient *codersdk.Client) {
 				require.Contains(t, stdout, taskName, "task name should be in output")
 			},
 		},
 		{
 			name:    "list tasks after create",
-			cmdArgs: []string{"exp", "task", "list", "--output", "json"},
+			cmdArgs: []string{"task", "list", "--output", "json"},
 			assertFn: func(stdout string, userClient *codersdk.Client) {
 				var tasks []codersdk.Task
 				err := json.NewDecoder(strings.NewReader(stdout)).Decode(&tasks)
@@ -88,7 +88,7 @@ func Test_Tasks(t *testing.T) {
 		},
 		{
 			name:    "get task status after create",
-			cmdArgs: []string{"exp", "task", "status", taskName, "--output", "json"},
+			cmdArgs: []string{"task", "status", taskName, "--output", "json"},
 			assertFn: func(stdout string, userClient *codersdk.Client) {
 				var task codersdk.Task
 				require.NoError(t, json.NewDecoder(strings.NewReader(stdout)).Decode(&task), "should unmarshal task status")
@@ -98,12 +98,12 @@ func Test_Tasks(t *testing.T) {
 		},
 		{
 			name:    "send task message",
-			cmdArgs: []string{"exp", "task", "send", taskName, "hello"},
+			cmdArgs: []string{"task", "send", taskName, "hello"},
 			// Assertions for this happen in the fake agent API handler.
 		},
 		{
 			name:    "read task logs",
-			cmdArgs: []string{"exp", "task", "logs", taskName, "--output", "json"},
+			cmdArgs: []string{"task", "logs", taskName, "--output", "json"},
 			assertFn: func(stdout string, userClient *codersdk.Client) {
 				var logs []codersdk.TaskLogEntry
 				require.NoError(t, json.NewDecoder(strings.NewReader(stdout)).Decode(&logs), "should unmarshal task logs")
@@ -118,12 +118,11 @@ func Test_Tasks(t *testing.T) {
 		},
 		{
 			name:    "delete task",
-			cmdArgs: []string{"exp", "task", "delete", taskName, "--yes"},
+			cmdArgs: []string{"task", "delete", taskName, "--yes"},
 			assertFn: func(stdout string, userClient *codersdk.Client) {
 				// The task should eventually no longer show up in the list of tasks
 				testutil.Eventually(ctx, t, func(ctx context.Context) bool {
-					expClient := codersdk.NewExperimentalClient(userClient)
-					tasks, err := expClient.Tasks(ctx, &codersdk.TasksFilter{})
+					tasks, err := userClient.Tasks(ctx, &codersdk.TasksFilter{})
 					if !assert.NoError(t, err) {
 						return false
 					}
@@ -248,8 +247,7 @@ func setupCLITaskTest(ctx context.Context, t *testing.T, agentAPIHandlers map[st
 	template := createAITaskTemplate(t, client, owner.OrganizationID, withSidebarURL(fakeAPI.URL()), withAgentToken(authToken))
 
 	wantPrompt := "test prompt"
-	exp := codersdk.NewExperimentalClient(userClient)
-	task, err := exp.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
+	task, err := userClient.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
 		TemplateVersionID: template.ActiveVersionID,
 		Input:             wantPrompt,
 		Name:              "test-task",

cli/testdata/TestSyncCommands_Golden/complete_success.golden

@@ -0,0 +1 @@
+Success

cli/testdata/TestSyncCommands_Golden/ping_success.golden

@@ -0,0 +1 @@
+Success

cli/testdata/TestSyncCommands_Golden/start_no_dependencies.golden

@@ -0,0 +1 @@
+Success

cli/testdata/TestSyncCommands_Golden/start_with_dependencies.golden

@@ -0,0 +1,2 @@
+Waiting for dependencies of unit 'test-unit' to be satisfied...
+Success

cli/testdata/TestSyncCommands_Golden/status_completed.golden

@@ -0,0 +1,6 @@
+Unit: test-unit
+Status: completed
+Ready: true
+
+Dependencies:
+No dependencies found

cli/testdata/TestSyncCommands_Golden/status_json_format.golden

@@ -0,0 +1,13 @@
+{
+  "unit_name": "test-unit",
+  "status": "pending",
+  "is_ready": true,
+  "dependencies": [
+    {
+      "depends_on": "dep-unit",
+      "required_status": "completed",
+      "current_status": "completed",
+      "is_satisfied": true
+    }
+  ]
+}

cli/testdata/TestSyncCommands_Golden/status_pending.golden

@@ -0,0 +1,7 @@
+Unit: test-unit
+Status: pending
+Ready: false
+
+Dependencies:
+DEPENDS ON  REQUIRED STATUS  CURRENT STATUS  SATISFIED  
+dep-unit    completed        not registered  false      

cli/testdata/TestSyncCommands_Golden/status_started.golden

@@ -0,0 +1,6 @@
+Unit: test-unit
+Status: started
+Ready: true
+
+Dependencies:
+No dependencies found

cli/testdata/TestSyncCommands_Golden/status_with_dependencies.golden

@@ -0,0 +1,8 @@
+Unit: test-unit
+Status: pending
+Ready: false
+
+Dependencies:
+DEPENDS ON  REQUIRED STATUS  CURRENT STATUS  SATISFIED  
+dep-1       completed        completed       true       
+dep-2       completed        not registered  false      

cli/testdata/TestSyncCommands_Golden/want_success.golden

@@ -0,0 +1 @@
+Success

cli/testdata/coder_--help.golden

@@ -53,6 +53,7 @@ SUBCOMMANDS:
     stop              Stop a workspace
     support           Commands for troubleshooting issues with a Coder
                       deployment.
+    task              Manage tasks
     templates         Manage templates
     tokens            Manage personal access tokens
     unfavorite        Remove a workspace from your favorites
@@ -108,10 +109,12 @@ variables or flags.
       --url url, $CODER_URL
           URL to a deployment.
 
-      --use-keyring bool, $CODER_USE_KEYRING
+      --use-keyring bool, $CODER_USE_KEYRING (default: true)
           Store and retrieve session tokens using the operating system keyring.
-          Currently only supported on Windows. By default, tokens are stored in
-          plain text files.
+          This flag is ignored and file-based storage is used when
+          --global-config is set or keyring usage is not supported on the
+          current platform. Set to false to force file-based storage on
+          supported platforms.
 
   -v, --verbose bool, $CODER_VERBOSE
           Enable verbose output.

cli/testdata/coder_agent_--help.golden

@@ -67,6 +67,12 @@ OPTIONS:
       --script-data-dir string, $CODER_AGENT_SCRIPT_DATA_DIR (default: /tmp)
           Specify the location for storing script data.
 
+      --socket-path string, $CODER_AGENT_SOCKET_PATH
+          Specify the path for the agent socket.
+
+      --socket-server-enabled bool, $CODER_AGENT_SOCKET_SERVER_ENABLED (default: false)
+          Enable the agent socket server.
+
       --ssh-max-timeout duration, $CODER_AGENT_SSH_MAX_TIMEOUT (default: 72h)
           Specify the max timeout for a SSH connection, it is advisable to set
           it to a minimum of 60s, but no more than 72h.

cli/testdata/coder_exp_sync_--help.golden

@@ -0,0 +1,27 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder exp sync [flags]
+
+  Manage unit dependencies for coordinated startup
+
+  Commands for orchestrating unit startup order in workspaces. Units are most
+  commonly coder scripts. Use these commands to declare dependencies between
+  units, coordinate their startup sequence, and ensure units start only after
+  their dependencies are ready. This helps prevent race conditions and startup
+  failures.
+
+SUBCOMMANDS:
+    complete    Mark a unit as complete
+    ping        Test agent socket connectivity and health
+    start       Wait until all unit dependencies are satisfied
+    status      Show unit status and dependency state
+    want        Declare that a unit depends on another unit completing before it
+                can start
+
+OPTIONS:
+      --socket-path string, $CODER_AGENT_SOCKET_PATH
+          Specify the path for the agent socket.
+
+———
+Run `coder --help` for a list of global options.

cli/testdata/coder_exp_sync_complete_--help.golden

@@ -0,0 +1,12 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder exp sync complete <unit>
+
+  Mark a unit as complete
+
+  Mark a unit as complete. Indicating to other units that it has completed its
+  work. This allows units that depend on it to proceed with their startup.
+
+———
+Run `coder --help` for a list of global options.

cli/testdata/coder_exp_sync_ping_--help.golden

@@ -0,0 +1,13 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder exp sync ping
+
+  Test agent socket connectivity and health
+
+  Test connectivity to the local Coder agent socket to verify the agent is
+  running and responsive. Useful for troubleshooting startup issues or verifying
+  the agent is accessible before running other sync commands.
+
+———
+Run `coder --help` for a list of global options.

cli/testdata/coder_exp_sync_start_--help.golden

@@ -0,0 +1,17 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder exp sync start [flags] <unit>
+
+  Wait until all unit dependencies are satisfied
+
+  Wait until all dependencies are satisfied, consider the unit to have started,
+  then allow it to proceed. This command polls until dependencies are ready,
+  then marks the unit as started.
+
+OPTIONS:
+      --timeout duration (default: 5m)
+          Maximum time to wait for dependencies (e.g., 30s, 5m). 5m by default.
+
+———
+Run `coder --help` for a list of global options.

cli/testdata/coder_exp_sync_status_--help.golden

@@ -0,0 +1,20 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder exp sync status [flags] <unit>
+
+  Show unit status and dependency state
+
+  Show the current status of a unit, whether it is ready to start, and lists its
+  dependencies. Shows which dependencies are satisfied and which are still
+  pending. Supports multiple output formats.
+
+OPTIONS:
+  -c, --column [depends on|required status|current status|satisfied] (default: depends on,required status,current status,satisfied)
+          Columns to display in table output.
+
+  -o, --output table|json (default: table)
+          Output format.
+
+———
+Run `coder --help` for a list of global options.

cli/testdata/coder_exp_sync_want_--help.golden

@@ -0,0 +1,13 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder exp sync want <unit> <depends-on>
+
+  Declare that a unit depends on another unit completing before it can start
+
+  Declare that a unit depends on another unit completing before it can start.
+  The unit specified first will not start until the second has signaled that it
+  has completed.
+
+———
+Run `coder --help` for a list of global options.

cli/testdata/coder_login_--help.golden

@@ -5,9 +5,9 @@ USAGE:
 
   Authenticate with Coder deployment
 
-  By default, the session token is stored in a plain text file. Use the
-  --use-keyring flag or set CODER_USE_KEYRING=true to store the token in the
-  operating system keyring instead.
+  By default, the session token is stored in the operating system keyring on
+  macOS and Windows and a plain text file on Linux. Use the --use-keyring flag
+  or CODER_USE_KEYRING environment variable to change the storage mechanism.
 
 OPTIONS:
       --first-user-email string, $CODER_FIRST_USER_EMAIL

cli/testdata/coder_task_--help.golden

@@ -0,0 +1,19 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder task
+
+  Manage tasks
+
+  Aliases: tasks
+
+SUBCOMMANDS:
+    create    Create a task
+    delete    Delete tasks
+    list      List tasks
+    logs      Show a task's logs
+    send      Send input to a task
+    status    Show the status of a task.
+
+———
+Run `coder --help` for a list of global options.

cli/testdata/coder_task_create_--help.golden

@@ -0,0 +1,51 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder task create [flags] [input]
+
+  Create a task
+
+    - Create a task with direct input:
+  
+       $ coder task create "Add authentication to the user service"
+  
+    - Create a task with stdin input:
+  
+       $ echo "Add authentication to the user service" | coder task create
+  
+    - Create a task with a specific name:
+  
+       $ coder task create --name task1 "Add authentication to the user service"
+  
+    - Create a task from a specific template / preset:
+  
+       $ coder task create --template backend-dev --preset "My Preset" "Add
+  authentication to the user service"
+  
+    - Create a task for another user (requires appropriate permissions):
+  
+       $ coder task create --owner user@example.com "Add authentication to the
+  user service"
+
+OPTIONS:
+  -O, --org string, $CODER_ORGANIZATION
+          Select which organization (uuid or name) to use.
+
+      --name string
+          Specify the name of the task. If you do not specify one, a name will
+          be generated for you.
+
+      --owner string (default: me)
+          Specify the owner of the task. Defaults to the current user.
+
+      --preset string, $CODER_TASK_PRESET_NAME (default: none)
+  -q, --quiet bool
+          Only display the created task's ID.
+
+      --stdin bool
+          Reads from stdin for the task input.
+
+      --template string, $CODER_TASK_TEMPLATE_NAME
+      --template-version string, $CODER_TASK_TEMPLATE_VERSION
+———
+Run `coder --help` for a list of global options.

cli/testdata/coder_task_delete_--help.golden

@@ -0,0 +1,27 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder task delete [flags] <task> [<task> ...]
+
+  Delete tasks
+
+  Aliases: rm
+
+    - Delete a single task.:
+  
+       $ $ coder task delete task1
+  
+    - Delete multiple tasks.:
+  
+       $ $ coder task delete task1 task2 task3
+  
+    - Delete a task without confirmation.:
+  
+       $ $ coder task delete task4 --yes
+
+OPTIONS:
+  -y, --yes bool
+          Bypass prompts.
+
+———
+Run `coder --help` for a list of global options.

cli/testdata/coder_task_list_--help.golden

@@ -0,0 +1,50 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder task list [flags]
+
+  List tasks
+
+  Aliases: ls
+
+    - List tasks for the current user.:
+  
+       $ coder task list
+  
+    - List tasks for a specific user.:
+  
+       $ coder task list --user someone-else
+  
+    - List all tasks you can view.:
+  
+       $ coder task list --all
+  
+    - List all your running tasks.:
+  
+       $ coder task list --status running
+  
+    - As above, but only show IDs.:
+  
+       $ coder task list --status running --quiet
+
+OPTIONS:
+  -a, --all bool (default: false)
+          List tasks for all users you can view.
+
+  -c, --column [id|organization id|owner id|owner name|owner avatar url|name|display name|template id|template version id|template name|template display name|template icon|workspace id|workspace name|workspace status|workspace build number|workspace agent id|workspace agent lifecycle|workspace agent health|workspace app id|initial prompt|status|state|message|created at|updated at|state changed] (default: name,status,state,state changed,message)
+          Columns to display in table output.
+
+  -o, --output table|json (default: table)
+          Output format.
+
+  -q, --quiet bool (default: false)
+          Only display task IDs.
+
+      --status pending|initializing|active|paused|error|unknown
+          Filter by task status.
+
+      --user string
+          List tasks for the specified user (username, "me").
+
+———
+Run `coder --help` for a list of global options.

cli/testdata/coder_task_logs_--help.golden

@@ -0,0 +1,20 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder task logs [flags] <task>
+
+  Show a task's logs
+
+    - Show logs for a given task.:
+  
+       $ coder task logs task1
+
+OPTIONS:
+  -c, --column [id|content|type|time] (default: type,content)
+          Columns to display in table output.
+
+  -o, --output table|json (default: table)
+          Output format.
+
+———
+Run `coder --help` for a list of global options.

cli/testdata/coder_task_send_--help.golden

@@ -0,0 +1,21 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder task send [flags] <task> [<input> | --stdin]
+
+  Send input to a task
+
+    - Send direct input to a task.:
+  
+       $ coder task send task1 "Please also add unit tests"
+  
+    - Send input from stdin to a task.:
+  
+       $ echo "Please also add unit tests" | coder task send task1 --stdin
+
+OPTIONS:
+      --stdin bool
+          Reads the input from stdin.
+
+———
+Run `coder --help` for a list of global options.

cli/testdata/coder_task_status_--help.golden

@@ -0,0 +1,30 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder task status [flags]
+
+  Show the status of a task.
+
+  Aliases: stat
+
+    - Show the status of a given task.:
+  
+       $ coder task status task1
+  
+    - Watch the status of a given task until it completes (idle or stopped).:
+  
+       $ coder task status task1 --watch
+
+OPTIONS:
+  -c, --column [id|organization id|owner id|owner name|owner avatar url|name|display name|template id|template version id|template name|template display name|template icon|workspace id|workspace name|workspace status|workspace build number|workspace agent id|workspace agent lifecycle|workspace agent health|workspace app id|initial prompt|status|state|message|created at|updated at|state changed|healthy] (default: state changed,status,healthy,state,message)
+          Columns to display in table output.
+
+  -o, --output table|json (default: table)
+          Output format.
+
+      --watch bool (default: false)
+          Watch the task status output. This will stream updates to the terminal
+          until the underlying workspace is stopped.
+
+———
+Run `coder --help` for a list of global options.

coderd/agentapi/api.go

@@ -36,6 +36,8 @@ import (
 	"github.com/coder/quartz"
 )
 
+const workspaceCacheRefreshInterval = 5 * time.Minute
+
 // API implements the DRPC agent API interface from agent/proto. This struct is
 // instantiated once per agent connection and kept alive for the duration of the
 // session.
@@ -54,6 +56,8 @@ type API struct {
 	*SubAgentAPI
 	*tailnet.DRPCService
 
+	cachedWorkspaceFields *CachedWorkspaceFields
+
 	mu sync.Mutex
 }
 
@@ -65,7 +69,7 @@ type Options struct {
 	WorkspaceID    uuid.UUID
 	OrganizationID uuid.UUID
 
-	Ctx                               context.Context
+	AuthenticatedCtx                  context.Context
 	Log                               slog.Logger
 	Clock                             quartz.Clock
 	Database                          database.Store
@@ -92,7 +96,7 @@ type Options struct {
 	UpdateAgentMetricsFn func(ctx context.Context, labels prometheusmetrics.AgentMetricLabels, metrics []*agentproto.Stats_Metric)
 }
 
-func New(opts Options) *API {
+func New(opts Options, workspace database.Workspace) *API {
 	if opts.Clock == nil {
 		opts.Clock = quartz.NewReal()
 	}
@@ -114,6 +118,13 @@ func New(opts Options) *API {
 		WorkspaceID:              opts.WorkspaceID,
 	}
 
+	// Don't cache details for prebuilds, though the cached fields will eventually be updated
+	// by the refresh routine once the prebuild workspace is claimed.
+	api.cachedWorkspaceFields = &CachedWorkspaceFields{}
+	if !workspace.IsPrebuild() {
+		api.cachedWorkspaceFields.UpdateValues(workspace)
+	}
+
 	api.AnnouncementBannerAPI = &AnnouncementBannerAPI{
 		appearanceFetcher: opts.AppearanceFetcher,
 	}
@@ -139,6 +150,7 @@ func New(opts Options) *API {
 
 	api.StatsAPI = &StatsAPI{
 		AgentFn:                   api.agent,
+		Workspace:                 api.cachedWorkspaceFields,
 		Database:                  opts.Database,
 		Log:                       opts.Log,
 		StatsReporter:             opts.StatsReporter,
@@ -162,10 +174,11 @@ func New(opts Options) *API {
 	}
 
 	api.MetadataAPI = &MetadataAPI{
-		AgentFn:  api.agent,
-		Database: opts.Database,
-		Pubsub:   opts.Pubsub,
-		Log:      opts.Log,
+		AgentFn:   api.agent,
+		Workspace: api.cachedWorkspaceFields,
+		Database:  opts.Database,
+		Pubsub:    opts.Pubsub,
+		Log:       opts.Log,
 	}
 
 	api.LogsAPI = &LogsAPI{
@@ -205,6 +218,10 @@ func New(opts Options) *API {
 		Database:       opts.Database,
 	}
 
+	// Start background cache refresh loop to handle workspace changes
+	// like prebuild claims where owner_id and other fields may be modified in the DB.
+	go api.startCacheRefreshLoop(opts.AuthenticatedCtx)
+
 	return api
 }
 
@@ -254,6 +271,56 @@ func (a *API) agent(ctx context.Context) (database.WorkspaceAgent, error) {
 	return agent, nil
 }
 
+// refreshCachedWorkspace periodically updates the cached workspace fields.
+// This ensures that changes like prebuild claims (which modify owner_id, name, etc.)
+// are eventually reflected in the cache without requiring agent reconnection.
+func (a *API) refreshCachedWorkspace(ctx context.Context) {
+	ws, err := a.opts.Database.GetWorkspaceByID(ctx, a.opts.WorkspaceID)
+	if err != nil {
+		a.opts.Log.Warn(ctx, "failed to refresh cached workspace fields", slog.Error(err))
+		a.cachedWorkspaceFields.Clear()
+		return
+	}
+
+	if ws.IsPrebuild() {
+		return
+	}
+
+	// If we still have the same values, skip the update and logging calls.
+	if a.cachedWorkspaceFields.identity.Equal(database.WorkspaceIdentityFromWorkspace(ws)) {
+		return
+	}
+	// Update fields that can change during workspace lifecycle (e.g., AutostartSchedule)
+	a.cachedWorkspaceFields.UpdateValues(ws)
+
+	a.opts.Log.Debug(ctx, "refreshed cached workspace fields",
+		slog.F("workspace_id", ws.ID),
+		slog.F("owner_id", ws.OwnerID),
+		slog.F("name", ws.Name))
+}
+
+// startCacheRefreshLoop runs a background goroutine that periodically refreshes
+// the cached workspace fields. This is primarily needed to handle prebuild claims
+// where the owner_id and other fields change while the agent connection persists.
+func (a *API) startCacheRefreshLoop(ctx context.Context) {
+	// Refresh every 5 minutes. This provides a reasonable balance between:
+	// - Keeping cache fresh for prebuild claims and other workspace updates
+	// - Minimizing unnecessary database queries
+	ticker := a.opts.Clock.TickerFunc(ctx, workspaceCacheRefreshInterval, func() error {
+		a.refreshCachedWorkspace(ctx)
+		return nil
+	}, "cache_refresh")
+
+	// We need to wait on the ticker exiting.
+	_ = ticker.Wait()
+
+	a.opts.Log.Debug(ctx, "cache refresh loop exited, invalidating the workspace cache on agent API",
+		slog.F("workspace_id", a.cachedWorkspaceFields.identity.ID),
+		slog.F("owner_id", a.cachedWorkspaceFields.identity.OwnerUsername),
+		slog.F("name", a.cachedWorkspaceFields.identity.Name))
+	a.cachedWorkspaceFields.Clear()
+}
+
 func (a *API) publishWorkspaceUpdate(ctx context.Context, agent *database.WorkspaceAgent, kind wspubsub.WorkspaceEventKind) error {
 	a.opts.PublishWorkspaceUpdateFn(ctx, a.opts.OwnerID, wspubsub.WorkspaceEvent{
 		Kind:        kind,

coderd/agentapi/cached_workspace.go

@@ -0,0 +1,52 @@
+package agentapi
+
+import (
+	"sync"
+
+	"github.com/coder/coder/v2/coderd/database"
+)
+
+// CachedWorkspaceFields contains workspace data that is safe to cache for the
+// duration of an agent connection. These fields are used to reduce database calls
+// in high-frequency operations like stats reporting and metadata updates.
+// Prebuild workspaces should not be cached using this struct within the API struct,
+// however some of these fields for a workspace can be updated live so there is a
+// routine in the API for refreshing the workspace on a timed interval.
+//
+// IMPORTANT: ACL fields (GroupACL, UserACL) are NOT cached because they can be
+// modified in the database and we must use fresh data for authorization checks.
+type CachedWorkspaceFields struct {
+	lock sync.RWMutex
+
+	identity database.WorkspaceIdentity
+}
+
+func (cws *CachedWorkspaceFields) Clear() {
+	cws.lock.Lock()
+	defer cws.lock.Unlock()
+	cws.identity = database.WorkspaceIdentity{}
+}
+
+func (cws *CachedWorkspaceFields) UpdateValues(ws database.Workspace) {
+	cws.lock.Lock()
+	defer cws.lock.Unlock()
+	cws.identity.ID = ws.ID
+	cws.identity.OwnerID = ws.OwnerID
+	cws.identity.OrganizationID = ws.OrganizationID
+	cws.identity.TemplateID = ws.TemplateID
+	cws.identity.Name = ws.Name
+	cws.identity.OwnerUsername = ws.OwnerUsername
+	cws.identity.TemplateName = ws.TemplateName
+	cws.identity.AutostartSchedule = ws.AutostartSchedule
+}
+
+// Returns the Workspace, true, unless the workspace has not been cached (nuked or was a prebuild).
+func (cws *CachedWorkspaceFields) AsWorkspaceIdentity() (database.WorkspaceIdentity, bool) {
+	cws.lock.RLock()
+	defer cws.lock.RUnlock()
+	// Should we be more explicit about all fields being set to be valid?
+	if cws.identity.Equal(database.WorkspaceIdentity{}) {
+		return database.WorkspaceIdentity{}, false
+	}
+	return cws.identity, true
+}

coderd/agentapi/cached_workspace_test.go

@@ -0,0 +1,97 @@
+package agentapi_test
+
+import (
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/coderd/agentapi"
+	"github.com/coder/coder/v2/coderd/database"
+)
+
+func TestCacheClear(t *testing.T) {
+	t.Parallel()
+
+	var (
+		user = database.User{
+			ID:       uuid.New(),
+			Username: "bill",
+		}
+		template = database.Template{
+			ID:   uuid.New(),
+			Name: "tpl",
+		}
+		workspace = database.Workspace{
+			ID:            uuid.New(),
+			OwnerID:       user.ID,
+			OwnerUsername: user.Username,
+			TemplateID:    template.ID,
+			Name:          "xyz",
+			TemplateName:  template.Name,
+		}
+		workspaceAsCacheFields = agentapi.CachedWorkspaceFields{}
+	)
+
+	workspaceAsCacheFields.UpdateValues(database.Workspace{
+		ID:                workspace.ID,
+		OwnerID:           workspace.OwnerID,
+		OwnerUsername:     workspace.OwnerUsername,
+		TemplateID:        workspace.TemplateID,
+		Name:              workspace.Name,
+		TemplateName:      workspace.TemplateName,
+		AutostartSchedule: workspace.AutostartSchedule,
+	},
+	)
+
+	emptyCws := agentapi.CachedWorkspaceFields{}
+	workspaceAsCacheFields.Clear()
+	wsi, ok := workspaceAsCacheFields.AsWorkspaceIdentity()
+	require.False(t, ok)
+	ecwsi, ok := emptyCws.AsWorkspaceIdentity()
+	require.False(t, ok)
+	require.True(t, ecwsi.Equal(wsi))
+}
+
+func TestCacheUpdate(t *testing.T) {
+	t.Parallel()
+
+	var (
+		user = database.User{
+			ID:       uuid.New(),
+			Username: "bill",
+		}
+		template = database.Template{
+			ID:   uuid.New(),
+			Name: "tpl",
+		}
+		workspace = database.Workspace{
+			ID:            uuid.New(),
+			OwnerID:       user.ID,
+			OwnerUsername: user.Username,
+			TemplateID:    template.ID,
+			Name:          "xyz",
+			TemplateName:  template.Name,
+		}
+		workspaceAsCacheFields = agentapi.CachedWorkspaceFields{}
+	)
+
+	workspaceAsCacheFields.UpdateValues(database.Workspace{
+		ID:                workspace.ID,
+		OwnerID:           workspace.OwnerID,
+		OwnerUsername:     workspace.OwnerUsername,
+		TemplateID:        workspace.TemplateID,
+		Name:              workspace.Name,
+		TemplateName:      workspace.TemplateName,
+		AutostartSchedule: workspace.AutostartSchedule,
+	},
+	)
+
+	cws := agentapi.CachedWorkspaceFields{}
+	cws.UpdateValues(workspace)
+	wsi, ok := workspaceAsCacheFields.AsWorkspaceIdentity()
+	require.True(t, ok)
+	cwsi, ok := cws.AsWorkspaceIdentity()
+	require.True(t, ok)
+	require.True(t, wsi.Equal(cwsi))
+}

coderd/agentapi/metadata.go

@@ -12,15 +12,17 @@ import (
 	"cdr.dev/slog"
 	agentproto "github.com/coder/coder/v2/agent/proto"
 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/database/pubsub"
 )
 
 type MetadataAPI struct {
-	AgentFn  func(context.Context) (database.WorkspaceAgent, error)
-	Database database.Store
-	Pubsub   pubsub.Pubsub
-	Log      slog.Logger
+	AgentFn   func(context.Context) (database.WorkspaceAgent, error)
+	Workspace *CachedWorkspaceFields
+	Database  database.Store
+	Pubsub    pubsub.Pubsub
+	Log       slog.Logger
 
 	TimeNowFn func() time.Time // defaults to dbtime.Now()
 }
@@ -107,7 +109,19 @@ func (a *MetadataAPI) BatchUpdateMetadata(ctx context.Context, req *agentproto.B
 		)
 	}
 
-	err = a.Database.UpdateWorkspaceAgentMetadata(ctx, dbUpdate)
+	// Inject RBAC object into context for dbauthz fast path, avoid having to
+	// call GetWorkspaceByAgentID on every metadata update.
+	rbacCtx := ctx
+	if dbws, ok := a.Workspace.AsWorkspaceIdentity(); ok {
+		rbacCtx, err = dbauthz.WithWorkspaceRBAC(ctx, dbws.RBACObject())
+		if err != nil {
+			// Don't error level log here, will exit the function. We want to fall back to GetWorkspaceByAgentID.
+			//nolint:gocritic
+			a.Log.Debug(ctx, "Cached workspace was present but RBAC object was invalid", slog.F("err", err))
+		}
+	}
+
+	err = a.Database.UpdateWorkspaceAgentMetadata(rbacCtx, dbUpdate)
 	if err != nil {
 		return nil, xerrors.Errorf("update workspace agent metadata in database: %w", err)
 	}

coderd/agentapi/metadata_test.go

@@ -2,12 +2,14 @@ package agentapi_test
 
 import (
 	"context"
+	"database/sql"
 	"encoding/json"
 	"sync/atomic"
 	"testing"
 	"time"
 
 	"github.com/google/uuid"
+	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/mock/gomock"
 	"google.golang.org/protobuf/types/known/timestamppb"
@@ -15,10 +17,14 @@ import (
 	agentproto "github.com/coder/coder/v2/agent/proto"
 	"github.com/coder/coder/v2/coderd/agentapi"
 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbmock"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/database/pubsub"
+	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/testutil"
+	"github.com/coder/quartz"
 )
 
 type fakePublisher struct {
@@ -84,9 +90,10 @@ func TestBatchUpdateMetadata(t *testing.T) {
 			AgentFn: func(context.Context) (database.WorkspaceAgent, error) {
 				return agent, nil
 			},
-			Database: dbM,
-			Pubsub:   pub,
-			Log:      testutil.Logger(t),
+			Workspace: &agentapi.CachedWorkspaceFields{},
+			Database:  dbM,
+			Pubsub:    pub,
+			Log:       testutil.Logger(t),
 			TimeNowFn: func() time.Time {
 				return now
 			},
@@ -169,9 +176,10 @@ func TestBatchUpdateMetadata(t *testing.T) {
 			AgentFn: func(context.Context) (database.WorkspaceAgent, error) {
 				return agent, nil
 			},
-			Database: dbM,
-			Pubsub:   pub,
-			Log:      testutil.Logger(t),
+			Workspace: &agentapi.CachedWorkspaceFields{},
+			Database:  dbM,
+			Pubsub:    pub,
+			Log:       testutil.Logger(t),
 			TimeNowFn: func() time.Time {
 				return now
 			},
@@ -238,9 +246,10 @@ func TestBatchUpdateMetadata(t *testing.T) {
 			AgentFn: func(context.Context) (database.WorkspaceAgent, error) {
 				return agent, nil
 			},
-			Database: dbM,
-			Pubsub:   pub,
-			Log:      testutil.Logger(t),
+			Workspace: &agentapi.CachedWorkspaceFields{},
+			Database:  dbM,
+			Pubsub:    pub,
+			Log:       testutil.Logger(t),
 			TimeNowFn: func() time.Time {
 				return now
 			},
@@ -272,4 +281,421 @@ func TestBatchUpdateMetadata(t *testing.T) {
 			Keys: []string{req.Metadata[0].Key, req.Metadata[1].Key, req.Metadata[2].Key},
 		}, gotEvent)
 	})
+
+	// Test RBAC fast path with valid RBAC object - should NOT call GetWorkspaceByAgentID
+	// This test verifies that when a valid RBAC object is present in context, the dbauthz layer
+	// uses the fast path and skips the GetWorkspaceByAgentID database call.
+	t.Run("WorkspaceCached_SkipsDBCall", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			ctrl = gomock.NewController(t)
+			dbM  = dbmock.NewMockStore(ctrl)
+			pub  = &fakePublisher{}
+			now  = dbtime.Now()
+			// Set up consistent IDs that represent a valid workspace->agent relationship
+			workspaceID = uuid.MustParse("12345678-1234-1234-1234-123456789012")
+			ownerID     = uuid.MustParse("87654321-4321-4321-4321-210987654321")
+			orgID       = uuid.MustParse("11111111-1111-1111-1111-111111111111")
+			agentID     = uuid.MustParse("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa")
+		)
+
+		agent := database.WorkspaceAgent{
+			ID: agentID,
+			// In a real scenario, this agent would belong to a resource in the workspace above
+		}
+
+		req := &agentproto.BatchUpdateMetadataRequest{
+			Metadata: []*agentproto.Metadata{
+				{
+					Key: "test_key",
+					Result: &agentproto.WorkspaceAgentMetadata_Result{
+						CollectedAt: timestamppb.New(now.Add(-time.Second)),
+						Age:         1,
+						Value:       "test_value",
+					},
+				},
+			},
+		}
+
+		// Expect UpdateWorkspaceAgentMetadata to be called
+		dbM.EXPECT().UpdateWorkspaceAgentMetadata(gomock.Any(), database.UpdateWorkspaceAgentMetadataParams{
+			WorkspaceAgentID: agent.ID,
+			Key:              []string{"test_key"},
+			Value:            []string{"test_value"},
+			Error:            []string{""},
+			CollectedAt:      []time.Time{now},
+		}).Return(nil)
+
+		// DO NOT expect GetWorkspaceByAgentID - the fast path should skip this call
+		// If GetWorkspaceByAgentID is called, the test will fail with "unexpected call"
+
+		// dbauthz will call Wrappers() to check for wrapped databases
+		dbM.EXPECT().Wrappers().Return([]string{}).AnyTimes()
+
+		// Set up dbauthz to test the actual authorization layer
+		auth := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
+		accessControlStore := &atomic.Pointer[dbauthz.AccessControlStore]{}
+		var acs dbauthz.AccessControlStore = dbauthz.AGPLTemplateAccessControlStore{}
+		accessControlStore.Store(&acs)
+
+		api := &agentapi.MetadataAPI{
+			AgentFn: func(_ context.Context) (database.WorkspaceAgent, error) {
+				return agent, nil
+			},
+			Workspace: &agentapi.CachedWorkspaceFields{},
+			Database:  dbauthz.New(dbM, auth, testutil.Logger(t), accessControlStore),
+			Pubsub:    pub,
+			Log:       testutil.Logger(t),
+			TimeNowFn: func() time.Time {
+				return now
+			},
+		}
+
+		api.Workspace.UpdateValues(database.Workspace{
+			ID:             workspaceID,
+			OwnerID:        ownerID,
+			OrganizationID: orgID,
+		})
+
+		// Create context with system actor so authorization passes
+		ctx := dbauthz.AsSystemRestricted(context.Background())
+		resp, err := api.BatchUpdateMetadata(ctx, req)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+	})
+	// Test RBAC slow path - invalid RBAC object should fall back to GetWorkspaceByAgentID
+	// This test verifies that when the RBAC object has invalid IDs (nil UUIDs), the dbauthz layer
+	// falls back to the slow path and calls GetWorkspaceByAgentID.
+	t.Run("InvalidWorkspaceCached_RequiresDBCall", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			ctrl        = gomock.NewController(t)
+			dbM         = dbmock.NewMockStore(ctrl)
+			pub         = &fakePublisher{}
+			now         = dbtime.Now()
+			workspaceID = uuid.MustParse("12345678-1234-1234-1234-123456789012")
+			ownerID     = uuid.MustParse("87654321-4321-4321-4321-210987654321")
+			orgID       = uuid.MustParse("11111111-1111-1111-1111-111111111111")
+			agentID     = uuid.MustParse("bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb")
+		)
+
+		agent := database.WorkspaceAgent{
+			ID: agentID,
+		}
+
+		req := &agentproto.BatchUpdateMetadataRequest{
+			Metadata: []*agentproto.Metadata{
+				{
+					Key: "test_key",
+					Result: &agentproto.WorkspaceAgentMetadata_Result{
+						CollectedAt: timestamppb.New(now.Add(-time.Second)),
+						Age:         1,
+						Value:       "test_value",
+					},
+				},
+			},
+		}
+
+		// EXPECT GetWorkspaceByAgentID to be called because the RBAC fast path validation fails
+		dbM.EXPECT().GetWorkspaceByAgentID(gomock.Any(), agentID).Return(database.Workspace{
+			ID:             workspaceID,
+			OwnerID:        ownerID,
+			OrganizationID: orgID,
+		}, nil)
+
+		// Expect UpdateWorkspaceAgentMetadata to be called after authorization
+		dbM.EXPECT().UpdateWorkspaceAgentMetadata(gomock.Any(), database.UpdateWorkspaceAgentMetadataParams{
+			WorkspaceAgentID: agent.ID,
+			Key:              []string{"test_key"},
+			Value:            []string{"test_value"},
+			Error:            []string{""},
+			CollectedAt:      []time.Time{now},
+		}).Return(nil)
+
+		// dbauthz will call Wrappers() to check for wrapped databases
+		dbM.EXPECT().Wrappers().Return([]string{}).AnyTimes()
+
+		// Set up dbauthz to test the actual authorization layer
+		auth := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
+		accessControlStore := &atomic.Pointer[dbauthz.AccessControlStore]{}
+		var acs dbauthz.AccessControlStore = dbauthz.AGPLTemplateAccessControlStore{}
+		accessControlStore.Store(&acs)
+
+		api := &agentapi.MetadataAPI{
+			AgentFn: func(_ context.Context) (database.WorkspaceAgent, error) {
+				return agent, nil
+			},
+
+			Workspace: &agentapi.CachedWorkspaceFields{},
+			Database:  dbauthz.New(dbM, auth, testutil.Logger(t), accessControlStore),
+			Pubsub:    pub,
+			Log:       testutil.Logger(t),
+			TimeNowFn: func() time.Time {
+				return now
+			},
+		}
+
+		// Create an invalid RBAC object with nil UUIDs for owner/org
+		// This will fail dbauthz fast path validation and trigger GetWorkspaceByAgentID
+		api.Workspace.UpdateValues(database.Workspace{
+			ID:             uuid.MustParse("cccccccc-cccc-cccc-cccc-cccccccccccc"),
+			OwnerID:        uuid.Nil, // Invalid: fails dbauthz fast path validation
+			OrganizationID: uuid.Nil, // Invalid: fails dbauthz fast path validation
+		})
+
+		// Create context with system actor so authorization passes
+		ctx := dbauthz.AsSystemRestricted(context.Background())
+		resp, err := api.BatchUpdateMetadata(ctx, req)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+	})
+	// Test RBAC slow path - no RBAC object in context
+	// This test verifies that when no RBAC object is present in context, the dbauthz layer
+	// falls back to the slow path and calls GetWorkspaceByAgentID.
+	t.Run("WorkspaceNotCached_RequiresDBCall", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			ctrl        = gomock.NewController(t)
+			dbM         = dbmock.NewMockStore(ctrl)
+			pub         = &fakePublisher{}
+			now         = dbtime.Now()
+			workspaceID = uuid.MustParse("12345678-1234-1234-1234-123456789012")
+			ownerID     = uuid.MustParse("87654321-4321-4321-4321-210987654321")
+			orgID       = uuid.MustParse("11111111-1111-1111-1111-111111111111")
+			agentID     = uuid.MustParse("dddddddd-dddd-dddd-dddd-dddddddddddd")
+		)
+
+		agent := database.WorkspaceAgent{
+			ID: agentID,
+		}
+
+		req := &agentproto.BatchUpdateMetadataRequest{
+			Metadata: []*agentproto.Metadata{
+				{
+					Key: "test_key",
+					Result: &agentproto.WorkspaceAgentMetadata_Result{
+						CollectedAt: timestamppb.New(now.Add(-time.Second)),
+						Age:         1,
+						Value:       "test_value",
+					},
+				},
+			},
+		}
+
+		// EXPECT GetWorkspaceByAgentID to be called because no RBAC object is in context
+		dbM.EXPECT().GetWorkspaceByAgentID(gomock.Any(), agentID).Return(database.Workspace{
+			ID:             workspaceID,
+			OwnerID:        ownerID,
+			OrganizationID: orgID,
+		}, nil)
+
+		// Expect UpdateWorkspaceAgentMetadata to be called after authorization
+		dbM.EXPECT().UpdateWorkspaceAgentMetadata(gomock.Any(), database.UpdateWorkspaceAgentMetadataParams{
+			WorkspaceAgentID: agent.ID,
+			Key:              []string{"test_key"},
+			Value:            []string{"test_value"},
+			Error:            []string{""},
+			CollectedAt:      []time.Time{now},
+		}).Return(nil)
+
+		// dbauthz will call Wrappers() to check for wrapped databases
+		dbM.EXPECT().Wrappers().Return([]string{}).AnyTimes()
+
+		// Set up dbauthz to test the actual authorization layer
+		auth := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
+		accessControlStore := &atomic.Pointer[dbauthz.AccessControlStore]{}
+		var acs dbauthz.AccessControlStore = dbauthz.AGPLTemplateAccessControlStore{}
+		accessControlStore.Store(&acs)
+
+		api := &agentapi.MetadataAPI{
+			AgentFn: func(_ context.Context) (database.WorkspaceAgent, error) {
+				return agent, nil
+			},
+			Workspace: &agentapi.CachedWorkspaceFields{},
+			Database:  dbauthz.New(dbM, auth, testutil.Logger(t), accessControlStore),
+			Pubsub:    pub,
+			Log:       testutil.Logger(t),
+			TimeNowFn: func() time.Time {
+				return now
+			},
+		}
+
+		// Create context with system actor so authorization passes
+		ctx := dbauthz.AsSystemRestricted(context.Background())
+		resp, err := api.BatchUpdateMetadata(ctx, req)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+	})
+
+	// Test cache refresh - AutostartSchedule updated
+	// This test verifies that the cache refresh mechanism actually calls GetWorkspaceByID
+	// and updates the cached workspace fields when the workspace is modified (e.g., autostart schedule changes).
+	t.Run("CacheRefreshed_AutostartScheduleUpdated", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			ctrl       = gomock.NewController(t)
+			dbM        = dbmock.NewMockStore(ctrl)
+			pub        = &fakePublisher{}
+			now        = dbtime.Now()
+			mClock     = quartz.NewMock(t)
+			tickerTrap = mClock.Trap().TickerFunc("cache_refresh")
+
+			workspaceID = uuid.MustParse("12345678-1234-1234-1234-123456789012")
+			ownerID     = uuid.MustParse("87654321-4321-4321-4321-210987654321")
+			orgID       = uuid.MustParse("11111111-1111-1111-1111-111111111111")
+			templateID  = uuid.MustParse("aaaabbbb-cccc-dddd-eeee-ffffffff0000")
+			agentID     = uuid.MustParse("ffffffff-ffff-ffff-ffff-ffffffffffff")
+		)
+
+		agent := database.WorkspaceAgent{
+			ID: agentID,
+		}
+
+		// Initial workspace - has Monday-Friday 9am autostart
+		initialWorkspace := database.Workspace{
+			ID:                workspaceID,
+			OwnerID:           ownerID,
+			OrganizationID:    orgID,
+			TemplateID:        templateID,
+			Name:              "my-workspace",
+			OwnerUsername:     "testuser",
+			TemplateName:      "test-template",
+			AutostartSchedule: sql.NullString{Valid: true, String: "CRON_TZ=UTC 0 9 * * 1-5"},
+		}
+
+		// Updated workspace - user changed autostart to 5pm and renamed workspace
+		updatedWorkspace := database.Workspace{
+			ID:                workspaceID,
+			OwnerID:           ownerID,
+			OrganizationID:    orgID,
+			TemplateID:        templateID,
+			Name:              "my-workspace-renamed", // Changed!
+			OwnerUsername:     "testuser",
+			TemplateName:      "test-template",
+			AutostartSchedule: sql.NullString{Valid: true, String: "CRON_TZ=UTC 0 17 * * 1-5"}, // Changed!
+			DormantAt:         sql.NullTime{},
+		}
+
+		req := &agentproto.BatchUpdateMetadataRequest{
+			Metadata: []*agentproto.Metadata{
+				{
+					Key: "test_key",
+					Result: &agentproto.WorkspaceAgentMetadata_Result{
+						CollectedAt: timestamppb.New(now.Add(-time.Second)),
+						Age:         1,
+						Value:       "test_value",
+					},
+				},
+			},
+		}
+
+		// EXPECT GetWorkspaceByID to be called during cache refresh
+		// This is the key assertion - proves the refresh mechanism is working
+		dbM.EXPECT().GetWorkspaceByID(gomock.Any(), workspaceID).Return(updatedWorkspace, nil)
+
+		// API needs to fetch the agent when calling metadata update
+		dbM.EXPECT().GetWorkspaceAgentByID(gomock.Any(), agentID).Return(agent, nil)
+
+		// After refresh, metadata update should work with updated cache
+		dbM.EXPECT().UpdateWorkspaceAgentMetadata(gomock.Any(), gomock.Any()).DoAndReturn(
+			func(ctx context.Context, params database.UpdateWorkspaceAgentMetadataParams) error {
+				require.Equal(t, agent.ID, params.WorkspaceAgentID)
+				require.Equal(t, []string{"test_key"}, params.Key)
+				require.Equal(t, []string{"test_value"}, params.Value)
+				require.Equal(t, []string{""}, params.Error)
+				require.Len(t, params.CollectedAt, 1)
+				return nil
+			},
+		).AnyTimes()
+
+		// May call GetWorkspaceByAgentID if slow path is used before refresh
+		dbM.EXPECT().GetWorkspaceByAgentID(gomock.Any(), agentID).Return(updatedWorkspace, nil).AnyTimes()
+
+		// dbauthz will call Wrappers()
+		dbM.EXPECT().Wrappers().Return([]string{}).AnyTimes()
+
+		// Set up dbauthz
+		auth := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
+		accessControlStore := &atomic.Pointer[dbauthz.AccessControlStore]{}
+		var acs dbauthz.AccessControlStore = dbauthz.AGPLTemplateAccessControlStore{}
+		accessControlStore.Store(&acs)
+
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+
+		// Create roles with workspace permissions
+		userRoles := rbac.Roles([]rbac.Role{
+			{
+				Identifier: rbac.RoleMember(),
+				User: []rbac.Permission{
+					{
+						Negate:       false,
+						ResourceType: rbac.ResourceWorkspace.Type,
+						Action:       policy.WildcardSymbol,
+					},
+				},
+				ByOrgID: map[string]rbac.OrgPermissions{
+					orgID.String(): {
+						Member: []rbac.Permission{
+							{
+								Negate:       false,
+								ResourceType: rbac.ResourceWorkspace.Type,
+								Action:       policy.WildcardSymbol,
+							},
+						},
+					},
+				},
+			},
+		})
+
+		agentScope := rbac.WorkspaceAgentScope(rbac.WorkspaceAgentScopeParams{
+			WorkspaceID: workspaceID,
+			OwnerID:     ownerID,
+			TemplateID:  templateID,
+			VersionID:   uuid.New(),
+		})
+
+		ctxWithActor := dbauthz.As(ctx, rbac.Subject{
+			Type:         rbac.SubjectTypeUser,
+			FriendlyName: "testuser",
+			Email:        "testuser@example.com",
+			ID:           ownerID.String(),
+			Roles:        userRoles,
+			Groups:       []string{orgID.String()},
+			Scope:        agentScope,
+		}.WithCachedASTValue())
+
+		// Create full API with cached workspace fields (initial state)
+		api := agentapi.New(agentapi.Options{
+			AuthenticatedCtx: ctxWithActor,
+			AgentID:          agentID,
+			WorkspaceID:      workspaceID,
+			OwnerID:          ownerID,
+			OrganizationID:   orgID,
+			Database:         dbauthz.New(dbM, auth, testutil.Logger(t), accessControlStore),
+			Log:              testutil.Logger(t),
+			Clock:            mClock,
+			Pubsub:           pub,
+		}, initialWorkspace) // Cache is initialized with 9am schedule and "my-workspace" name
+
+		// Wait for ticker to be set up and release it so it can fire
+		tickerTrap.MustWait(ctx).MustRelease(ctx)
+		tickerTrap.Close()
+
+		// Advance clock to trigger cache refresh and wait for it to complete
+		_, aw := mClock.AdvanceNext()
+		aw.MustWait(ctx)
+
+		// At this point, GetWorkspaceByID should have been called and cache updated
+		// The cache now has the 5pm schedule and "my-workspace-renamed" name
+
+		// Now call metadata update to verify the refreshed cache works
+		resp, err := api.MetadataAPI.BatchUpdateMetadata(ctxWithActor, req)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+	})
 }

coderd/agentapi/stats.go

@@ -17,6 +17,7 @@ import (
 
 type StatsAPI struct {
 	AgentFn                   func(context.Context) (database.WorkspaceAgent, error)
+	Workspace                 *CachedWorkspaceFields
 	Database                  database.Store
 	Log                       slog.Logger
 	StatsReporter             *workspacestats.Reporter
@@ -46,14 +47,21 @@ func (a *StatsAPI) UpdateStats(ctx context.Context, req *agentproto.UpdateStatsR
 	if err != nil {
 		return nil, err
 	}
-	getWorkspaceAgentByIDRow, err := a.Database.GetWorkspaceByAgentID(ctx, workspaceAgent.ID)
-	if err != nil {
-		return nil, xerrors.Errorf("get workspace by agent ID %q: %w", workspaceAgent.ID, err)
+
+	// If cache is empty (prebuild or invalid), fall back to DB
+	var ws database.WorkspaceIdentity
+	var ok bool
+	if ws, ok = a.Workspace.AsWorkspaceIdentity(); !ok {
+		w, err := a.Database.GetWorkspaceByAgentID(ctx, workspaceAgent.ID)
+		if err != nil {
+			return nil, xerrors.Errorf("get workspace by agent ID %q: %w", workspaceAgent.ID, err)
+		}
+		ws = database.WorkspaceIdentityFromWorkspace(w)
 	}
-	workspace := getWorkspaceAgentByIDRow
+
 	a.Log.Debug(ctx, "read stats report",
 		slog.F("interval", a.AgentStatsRefreshInterval),
-		slog.F("workspace_id", workspace.ID),
+		slog.F("workspace_id", ws.ID),
 		slog.F("payload", req),
 	)
 
@@ -70,9 +78,8 @@ func (a *StatsAPI) UpdateStats(ctx context.Context, req *agentproto.UpdateStatsR
 	err = a.StatsReporter.ReportAgentStats(
 		ctx,
 		a.now(),
-		workspace,
+		ws,
 		workspaceAgent,
-		getWorkspaceAgentByIDRow.TemplateName,
 		req.Stats,
 		false,
 	)

coderd/agentapi/stats_test.go

@@ -52,8 +52,19 @@ func TestUpdateStates(t *testing.T) {
 			ID:   uuid.New(),
 			Name: "abc",
 		}
+		workspaceAsCacheFields = agentapi.CachedWorkspaceFields{}
 	)
 
+	workspaceAsCacheFields.UpdateValues(database.Workspace{
+		ID:                workspace.ID,
+		OwnerID:           workspace.OwnerID,
+		OwnerUsername:     workspace.OwnerUsername,
+		TemplateID:        workspace.TemplateID,
+		Name:              workspace.Name,
+		TemplateName:      workspace.TemplateName,
+		AutostartSchedule: workspace.AutostartSchedule,
+	})
+
 	t.Run("OK", func(t *testing.T) {
 		t.Parallel()
 
@@ -111,7 +122,8 @@ func TestUpdateStates(t *testing.T) {
 			AgentFn: func(context.Context) (database.WorkspaceAgent, error) {
 				return agent, nil
 			},
-			Database: dbM,
+			Workspace: &workspaceAsCacheFields,
+			Database:  dbM,
 			StatsReporter: workspacestats.NewReporter(workspacestats.ReporterOptions{
 				Database:              dbM,
 				Pubsub:                ps,
@@ -136,9 +148,6 @@ func TestUpdateStates(t *testing.T) {
 		}
 		defer wut.Close()
 
-		// Workspace gets fetched.
-		dbM.EXPECT().GetWorkspaceByAgentID(gomock.Any(), agent.ID).Return(workspace, nil)
-
 		// We expect an activity bump because ConnectionCount > 0.
 		dbM.EXPECT().ActivityBumpWorkspace(gomock.Any(), database.ActivityBumpWorkspaceParams{
 			WorkspaceID:   workspace.ID,
@@ -223,7 +232,8 @@ func TestUpdateStates(t *testing.T) {
 			AgentFn: func(context.Context) (database.WorkspaceAgent, error) {
 				return agent, nil
 			},
-			Database: dbM,
+			Workspace: &workspaceAsCacheFields,
+			Database:  dbM,
 			StatsReporter: workspacestats.NewReporter(workspacestats.ReporterOptions{
 				Database:              dbM,
 				Pubsub:                ps,
@@ -239,9 +249,6 @@ func TestUpdateStates(t *testing.T) {
 			},
 		}
 
-		// Workspace gets fetched.
-		dbM.EXPECT().GetWorkspaceByAgentID(gomock.Any(), agent.ID).Return(workspace, nil)
-
 		_, err := api.UpdateStats(context.Background(), req)
 		require.NoError(t, err)
 	})
@@ -260,7 +267,8 @@ func TestUpdateStates(t *testing.T) {
 			AgentFn: func(context.Context) (database.WorkspaceAgent, error) {
 				return agent, nil
 			},
-			Database: dbM,
+			Workspace: &workspaceAsCacheFields,
+			Database:  dbM,
 			StatsReporter: workspacestats.NewReporter(workspacestats.ReporterOptions{
 				Database:              dbM,
 				Pubsub:                ps,
@@ -333,11 +341,17 @@ func TestUpdateStates(t *testing.T) {
 				},
 			}
 		)
+		// need to overwrite the cached fields for this test, but the struct has a lock
+		ws := agentapi.CachedWorkspaceFields{}
+		ws.UpdateValues(workspace)
+		// ws.AutostartSchedule = workspace.AutostartSchedule
+
 		api := agentapi.StatsAPI{
 			AgentFn: func(context.Context) (database.WorkspaceAgent, error) {
 				return agent, nil
 			},
-			Database: dbM,
+			Workspace: &ws,
+			Database:  dbM,
 			StatsReporter: workspacestats.NewReporter(workspacestats.ReporterOptions{
 				Database:              dbM,
 				Pubsub:                ps,
@@ -362,9 +376,6 @@ func TestUpdateStates(t *testing.T) {
 		}
 		defer wut.Close()
 
-		// Workspace gets fetched.
-		dbM.EXPECT().GetWorkspaceByAgentID(gomock.Any(), agent.ID).Return(workspace, nil)
-
 		// We expect an activity bump because ConnectionCount > 0. However, the
 		// next autostart time will be set on the bump.
 		dbM.EXPECT().ActivityBumpWorkspace(gomock.Any(), database.ActivityBumpWorkspaceParams{
@@ -451,7 +462,8 @@ func TestUpdateStates(t *testing.T) {
 			AgentFn: func(context.Context) (database.WorkspaceAgent, error) {
 				return agent, nil
 			},
-			Database: dbM,
+			Workspace: &workspaceAsCacheFields,
+			Database:  dbM,
 			StatsReporter: workspacestats.NewReporter(workspacestats.ReporterOptions{
 				Database:              dbM,
 				Pubsub:                ps,
@@ -478,9 +490,6 @@ func TestUpdateStates(t *testing.T) {
 			},
 		}
 
-		// Workspace gets fetched.
-		dbM.EXPECT().GetWorkspaceByAgentID(gomock.Any(), agent.ID).Return(workspace, nil)
-
 		// We expect an activity bump because ConnectionCount > 0.
 		dbM.EXPECT().ActivityBumpWorkspace(gomock.Any(), database.ActivityBumpWorkspaceParams{
 			WorkspaceID:   workspace.ID,

coderd/aitasks.go

@@ -7,13 +7,15 @@ import (
 	"net/http"
 	"net/url"
 	"slices"
+	"strings"
 	"time"
 
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
-	"cdr.dev/slog"
+	"github.com/coder/coder/v2/coderd/taskname"
 
+	aiagentapi "github.com/coder/agentapi-sdk-go"
 	"github.com/coder/coder/v2/coderd/audit"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
@@ -23,26 +25,21 @@ import (
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/searchquery"
-	"github.com/coder/coder/v2/coderd/taskname"
 	"github.com/coder/coder/v2/coderd/util/ptr"
 	"github.com/coder/coder/v2/coderd/util/slice"
 	"github.com/coder/coder/v2/codersdk"
-
-	aiagentapi "github.com/coder/agentapi-sdk-go"
 )
 
 // @Summary Create a new AI task
-// @Description: EXPERIMENTAL: this endpoint is experimental and not guaranteed to be stable.
-// @ID create-task
+// @ID create-a-new-ai-task
 // @Security CoderSessionToken
-// @Tags Experimental
+// @Accept json
+// @Produce json
+// @Tags Tasks
 // @Param user path string true "Username, user ID, or 'me' for the authenticated user"
 // @Param request body codersdk.CreateTaskRequest true "Create task request"
 // @Success 201 {object} codersdk.Task
-// @Router /api/experimental/tasks/{user} [post]
-//
-// EXPERIMENTAL: This endpoint is experimental and not guaranteed to be stable.
-// This endpoint creates a new task for the given user.
+// @Router /tasks/{user} [post]
 func (api *API) tasksCreate(rw http.ResponseWriter, r *http.Request) {
 	var (
 		ctx              = r.Context()
@@ -110,18 +107,25 @@ func (api *API) tasksCreate(rw http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	if taskName == "" {
-		taskName = taskname.GenerateFallback()
+	taskDisplayName := strings.TrimSpace(req.DisplayName)
+	if taskDisplayName != "" {
+		if len(taskDisplayName) > 64 {
+			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+				Message: "Display name must be 64 characters or less.",
+			})
+			return
+		}
+	}
 
-		if anthropicAPIKey := taskname.GetAnthropicAPIKeyFromEnv(); anthropicAPIKey != "" {
-			anthropicModel := taskname.GetAnthropicModelFromEnv()
+	// Generate task name and display name if either is not provided
+	if taskName == "" || taskDisplayName == "" {
+		generatedTaskName := taskname.Generate(ctx, api.Logger, req.Input)
 
-			generatedName, err := taskname.Generate(ctx, req.Input, taskname.WithAPIKey(anthropicAPIKey), taskname.WithModel(anthropicModel))
-			if err != nil {
-				api.Logger.Error(ctx, "unable to generate task name", slog.Error(err))
-			} else {
-				taskName = generatedName
-			}
+		if taskName == "" {
+			taskName = generatedTaskName.Name
+		}
+		if taskDisplayName == "" {
+			taskDisplayName = generatedTaskName.DisplayName
 		}
 	}
 
@@ -214,6 +218,7 @@ func (api *API) tasksCreate(rw http.ResponseWriter, r *http.Request) {
 				OrganizationID:     templateVersion.OrganizationID,
 				OwnerID:            owner.ID,
 				Name:               taskName,
+				DisplayName:        taskDisplayName,
 				WorkspaceID:        uuid.NullUUID{}, // Will be set after workspace creation.
 				TemplateVersionID:  templateVersion.ID,
 				TemplateParameters: []byte("{}"),
@@ -303,6 +308,7 @@ func taskFromDBTaskAndWorkspace(dbTask database.Task, ws codersdk.Workspace) cod
 		OwnerName:               dbTask.OwnerUsername,
 		OwnerAvatarURL:          dbTask.OwnerAvatarUrl,
 		Name:                    dbTask.Name,
+		DisplayName:             dbTask.DisplayName,
 		TemplateID:              ws.TemplateID,
 		TemplateVersionID:       dbTask.TemplateVersionID,
 		TemplateName:            ws.TemplateName,
@@ -392,16 +398,13 @@ func deriveTaskCurrentState(
 }
 
 // @Summary List AI tasks
-// @Description: EXPERIMENTAL: this endpoint is experimental and not guaranteed to be stable.
-// @ID list-tasks
+// @ID list-ai-tasks
 // @Security CoderSessionToken
-// @Tags Experimental
+// @Produce json
+// @Tags Tasks
 // @Param q query string false "Search query for filtering tasks. Supports: owner:<username/uuid/me>, organization:<org-name/uuid>, status:<status>"
 // @Success 200 {object} codersdk.TasksListResponse
-// @Router /api/experimental/tasks [get]
-//
-// EXPERIMENTAL: This endpoint is experimental and not guaranteed to be stable.
-// tasksList is an experimental endpoint to list tasks.
+// @Router /tasks [get]
 func (api *API) tasksList(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	apiKey := httpmw.APIKey(r)
@@ -494,20 +497,15 @@ func (api *API) convertTasks(ctx context.Context, requesterID uuid.UUID, dbTasks
 	return result, nil
 }
 
-// @Summary Get AI task by ID
-// @Description: EXPERIMENTAL: this endpoint is experimental and not guaranteed to be stable.
-// @ID get-task
+// @Summary Get AI task by ID or name
+// @ID get-ai-task-by-id-or-name
 // @Security CoderSessionToken
-// @Tags Experimental
+// @Produce json
+// @Tags Tasks
 // @Param user path string true "Username, user ID, or 'me' for the authenticated user"
-// @Param task path string true "Task ID" format(uuid)
+// @Param task path string true "Task ID, or task name"
 // @Success 200 {object} codersdk.Task
-// @Router /api/experimental/tasks/{user}/{task} [get]
-//
-// EXPERIMENTAL: This endpoint is experimental and not guaranteed to be stable.
-// taskGet is an experimental endpoint to fetch a single AI task by ID
-// (workspace ID). It returns a synthesized task response including
-// prompt and status.
+// @Router /tasks/{user}/{task} [get]
 func (api *API) taskGet(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	apiKey := httpmw.APIKey(r)
@@ -572,20 +570,14 @@ func (api *API) taskGet(rw http.ResponseWriter, r *http.Request) {
 	httpapi.Write(ctx, rw, http.StatusOK, taskResp)
 }
 
-// @Summary Delete AI task by ID
-// @Description: EXPERIMENTAL: this endpoint is experimental and not guaranteed to be stable.
-// @ID delete-task
+// @Summary Delete AI task
+// @ID delete-ai-task
 // @Security CoderSessionToken
-// @Tags Experimental
+// @Tags Tasks
 // @Param user path string true "Username, user ID, or 'me' for the authenticated user"
-// @Param task path string true "Task ID" format(uuid)
-// @Success 202 "Task deletion initiated"
-// @Router /api/experimental/tasks/{user}/{task} [delete]
-//
-// EXPERIMENTAL: This endpoint is experimental and not guaranteed to be stable.
-// taskDelete is an experimental endpoint to delete a task by ID.
-// It creates a delete workspace build and returns 202 Accepted if the build was
-// created.
+// @Param task path string true "Task ID, or task name"
+// @Success 202
+// @Router /tasks/{user}/{task} [delete]
 func (api *API) taskDelete(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	apiKey := httpmw.APIKey(r)
@@ -646,21 +638,96 @@ func (api *API) taskDelete(rw http.ResponseWriter, r *http.Request) {
 	rw.WriteHeader(http.StatusAccepted)
 }
 
-// @Summary Send input to AI task
-// @Description: EXPERIMENTAL: this endpoint is experimental and not guaranteed to be stable.
-// @ID send-task-input
+// @Summary Update AI task input
+// @ID update-ai-task-input
 // @Security CoderSessionToken
-// @Tags Experimental
+// @Accept json
+// @Tags Tasks
 // @Param user path string true "Username, user ID, or 'me' for the authenticated user"
-// @Param task path string true "Task ID" format(uuid)
+// @Param task path string true "Task ID, or task name"
+// @Param request body codersdk.UpdateTaskInputRequest true "Update task input request"
+// @Success 204
+// @Router /tasks/{user}/{task}/input [patch]
+func (api *API) taskUpdateInput(rw http.ResponseWriter, r *http.Request) {
+	var (
+		ctx              = r.Context()
+		task             = httpmw.TaskParam(r)
+		auditor          = api.Auditor.Load()
+		taskResourceInfo = audit.AdditionalFields{}
+	)
+
+	aReq, commitAudit := audit.InitRequest[database.TaskTable](rw, &audit.RequestParams{
+		Audit:            *auditor,
+		Log:              api.Logger,
+		Request:          r,
+		Action:           database.AuditActionWrite,
+		AdditionalFields: taskResourceInfo,
+	})
+	defer commitAudit()
+	aReq.Old = task.TaskTable()
+	aReq.UpdateOrganizationID(task.OrganizationID)
+
+	var req codersdk.UpdateTaskInputRequest
+	if !httpapi.Read(ctx, rw, r, &req) {
+		return
+	}
+
+	if strings.TrimSpace(req.Input) == "" {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Task input is required.",
+		})
+		return
+	}
+
+	var updatedTask database.TaskTable
+	if err := api.Database.InTx(func(tx database.Store) error {
+		task, err := tx.GetTaskByID(ctx, task.ID)
+		if err != nil {
+			return httperror.NewResponseError(http.StatusInternalServerError, codersdk.Response{
+				Message: "Failed to fetch task.",
+				Detail:  err.Error(),
+			})
+		}
+
+		if task.Status != database.TaskStatusPaused {
+			return httperror.NewResponseError(http.StatusConflict, codersdk.Response{
+				Message: "Unable to update task input, task must be paused.",
+				Detail:  "Please stop the task's workspace before updating the input.",
+			})
+		}
+
+		updatedTask, err = tx.UpdateTaskPrompt(ctx, database.UpdateTaskPromptParams{
+			ID:     task.ID,
+			Prompt: req.Input,
+		})
+		if err != nil {
+			return httperror.NewResponseError(http.StatusInternalServerError, codersdk.Response{
+				Message: "Failed to update task input.",
+				Detail:  err.Error(),
+			})
+		}
+
+		return nil
+	}, nil); err != nil {
+		httperror.WriteResponseError(ctx, rw, err)
+		return
+	}
+
+	aReq.New = updatedTask
+
+	httpapi.Write(ctx, rw, http.StatusNoContent, nil)
+}
+
+// @Summary Send input to AI task
+// @ID send-input-to-ai-task
+// @Security CoderSessionToken
+// @Accept json
+// @Tags Tasks
+// @Param user path string true "Username, user ID, or 'me' for the authenticated user"
+// @Param task path string true "Task ID, or task name"
 // @Param request body codersdk.TaskSendRequest true "Task input request"
-// @Success 204 "Input sent successfully"
-// @Router /api/experimental/tasks/{user}/{task}/send [post]
-//
-// EXPERIMENTAL: This endpoint is experimental and not guaranteed to be stable.
-// taskSend submits task input to the task app by dialing the agent
-// directly over the tailnet. We enforce ApplicationConnect RBAC on the
-// workspace and validate the task app health.
+// @Success 204
+// @Router /tasks/{user}/{task}/send [post]
 func (api *API) taskSend(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	task := httpmw.TaskParam(r)
@@ -721,18 +788,14 @@ func (api *API) taskSend(rw http.ResponseWriter, r *http.Request) {
 }
 
 // @Summary Get AI task logs
-// @Description: EXPERIMENTAL: this endpoint is experimental and not guaranteed to be stable.
-// @ID get-task-logs
+// @ID get-ai-task-logs
 // @Security CoderSessionToken
-// @Tags Experimental
+// @Produce json
+// @Tags Tasks
 // @Param user path string true "Username, user ID, or 'me' for the authenticated user"
-// @Param task path string true "Task ID" format(uuid)
+// @Param task path string true "Task ID, or task name"
 // @Success 200 {object} codersdk.TaskLogsResponse
-// @Router /api/experimental/tasks/{user}/{task}/logs [get]
-//
-// EXPERIMENTAL: This endpoint is experimental and not guaranteed to be stable.
-// taskLogs reads task output by dialing the agent directly over the tailnet.
-// We enforce ApplicationConnect RBAC on the workspace and validate the task app health.
+// @Router /tasks/{user}/{task}/logs [get]
 func (api *API) taskLogs(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	task := httpmw.TaskParam(r)

coderd/aitasks_test.go

@@ -23,6 +23,7 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbfake"
 	"github.com/coder/coder/v2/coderd/database/dbgen"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
+	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/notifications"
 	"github.com/coder/coder/v2/coderd/notifications/notificationstest"
 	"github.com/coder/coder/v2/coderd/util/slice"
@@ -123,8 +124,7 @@ func TestTasks(t *testing.T) {
 
 		// Create a task with a specific prompt using the new data model.
 		wantPrompt := "build me a web app"
-		exp := codersdk.NewExperimentalClient(client)
-		task, err := exp.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
+		task, err := client.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
 			TemplateVersionID: template.ActiveVersionID,
 			Input:             wantPrompt,
 		})
@@ -140,7 +140,7 @@ func TestTasks(t *testing.T) {
 		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
 
 		// List tasks via experimental API and verify the prompt and status mapping.
-		tasks, err := exp.Tasks(ctx, &codersdk.TasksFilter{Owner: codersdk.Me})
+		tasks, err := client.Tasks(ctx, &codersdk.TasksFilter{Owner: codersdk.Me})
 		require.NoError(t, err)
 
 		got, ok := slice.Find(tasks, func(t codersdk.Task) bool { return t.ID == task.ID })
@@ -163,10 +163,9 @@ func TestTasks(t *testing.T) {
 			anotherUser, _ = coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
 			template       = createAITemplate(t, client, user)
 			wantPrompt     = "review my code"
-			exp            = codersdk.NewExperimentalClient(client)
 		)
 
-		task, err := exp.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+		task, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 			TemplateVersionID: template.ActiveVersionID,
 			Input:             wantPrompt,
 		})
@@ -200,7 +199,7 @@ func TestTasks(t *testing.T) {
 		require.NoError(t, err)
 
 		// Fetch the task by ID via experimental API and verify fields.
-		updated, err := exp.TaskByID(ctx, task.ID)
+		updated, err := client.TaskByID(ctx, task.ID)
 		require.NoError(t, err)
 
 		assert.Equal(t, task.ID, updated.ID, "task ID should match")
@@ -214,19 +213,18 @@ func TestTasks(t *testing.T) {
 		assert.NotEmpty(t, updated.WorkspaceStatus, "task status should not be empty")
 
 		// Fetch the task by name and verify the same result
-		byName, err := exp.TaskByOwnerAndName(ctx, codersdk.Me, task.Name)
+		byName, err := client.TaskByOwnerAndName(ctx, codersdk.Me, task.Name)
 		require.NoError(t, err)
 		require.Equal(t, byName, updated)
 
 		// Another member user should not be able to fetch the task
-		otherClient := codersdk.NewExperimentalClient(anotherUser)
-		_, err = otherClient.TaskByID(ctx, task.ID)
+		_, err = anotherUser.TaskByID(ctx, task.ID)
 		require.Error(t, err, "fetching task should fail by ID for another member user")
 		var sdkErr *codersdk.Error
 		require.ErrorAs(t, err, &sdkErr)
 		require.Equal(t, http.StatusNotFound, sdkErr.StatusCode())
 		// Also test by name
-		_, err = otherClient.TaskByOwnerAndName(ctx, task.OwnerName, task.Name)
+		_, err = anotherUser.TaskByOwnerAndName(ctx, task.OwnerName, task.Name)
 		require.Error(t, err, "fetching task should fail by name for another member user")
 		require.ErrorAs(t, err, &sdkErr)
 		require.Equal(t, http.StatusNotFound, sdkErr.StatusCode())
@@ -235,7 +233,7 @@ func TestTasks(t *testing.T) {
 		coderdtest.MustTransitionWorkspace(t, client, task.WorkspaceID.UUID, codersdk.WorkspaceTransitionStart, codersdk.WorkspaceTransitionStop)
 
 		// Verify that the previous status still remains
-		updated, err = exp.TaskByID(ctx, task.ID)
+		updated, err = client.TaskByID(ctx, task.ID)
 		require.NoError(t, err)
 		assert.NotNil(t, updated.CurrentState, "current state should not be nil")
 		assert.Equal(t, "all done", updated.CurrentState.Message)
@@ -247,7 +245,7 @@ func TestTasks(t *testing.T) {
 
 		// Verify that the status from the previous build has been cleared
 		// and replaced by the agent initialization status.
-		updated, err = exp.TaskByID(ctx, task.ID)
+		updated, err = client.TaskByID(ctx, task.ID)
 		require.NoError(t, err)
 		assert.NotEqual(t, previousCurrentState, updated.CurrentState)
 		assert.Equal(t, codersdk.TaskStateWorking, updated.CurrentState.State)
@@ -266,8 +264,7 @@ func TestTasks(t *testing.T) {
 
 			ctx := testutil.Context(t, testutil.WaitLong)
 
-			exp := codersdk.NewExperimentalClient(client)
-			task, err := exp.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+			task, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 				TemplateVersionID: template.ActiveVersionID,
 				Input:             "delete me",
 			})
@@ -280,7 +277,7 @@ func TestTasks(t *testing.T) {
 			}
 			coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
 
-			err = exp.DeleteTask(ctx, "me", task.ID)
+			err = client.DeleteTask(ctx, "me", task.ID)
 			require.NoError(t, err, "delete task request should be accepted")
 
 			// Poll until the workspace is deleted.
@@ -302,8 +299,7 @@ func TestTasks(t *testing.T) {
 
 			ctx := testutil.Context(t, testutil.WaitShort)
 
-			exp := codersdk.NewExperimentalClient(client)
-			err := exp.DeleteTask(ctx, "me", uuid.New())
+			err := client.DeleteTask(ctx, "me", uuid.New())
 
 			var sdkErr *codersdk.Error
 			require.Error(t, err, "expected an error for non-existent task")
@@ -329,8 +325,7 @@ func TestTasks(t *testing.T) {
 			}
 			coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
 
-			exp := codersdk.NewExperimentalClient(client)
-			err := exp.DeleteTask(ctx, "me", ws.ID)
+			err := client.DeleteTask(ctx, "me", ws.ID)
 
 			var sdkErr *codersdk.Error
 			require.Error(t, err, "expected an error for non-task workspace delete via tasks endpoint")
@@ -349,8 +344,7 @@ func TestTasks(t *testing.T) {
 
 			ctx := testutil.Context(t, testutil.WaitShort)
 
-			exp := codersdk.NewExperimentalClient(client)
-			task, err := exp.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+			task, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 				TemplateVersionID: template.ActiveVersionID,
 				Input:             "delete me not",
 			})
@@ -362,10 +356,9 @@ func TestTasks(t *testing.T) {
 
 			// Another regular org member without elevated permissions.
 			otherClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
-			expOther := codersdk.NewExperimentalClient(otherClient)
 
 			// Attempt to delete the owner's task as a non-owner without permissions.
-			err = expOther.DeleteTask(ctx, "me", task.ID)
+			err = otherClient.DeleteTask(ctx, "me", task.ID)
 
 			var authErr *codersdk.Error
 			require.Error(t, err, "expected an authorization error when deleting another user's task")
@@ -383,8 +376,7 @@ func TestTasks(t *testing.T) {
 			user := coderdtest.CreateFirstUser(t, client)
 			template := createAITemplate(t, client, user)
 			ctx := testutil.Context(t, testutil.WaitLong)
-			exp := codersdk.NewExperimentalClient(client)
-			task, err := exp.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+			task, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 				TemplateVersionID: template.ActiveVersionID,
 				Input:             "delete me",
 			})
@@ -403,9 +395,9 @@ func TestTasks(t *testing.T) {
 			// Provisionerdserver will attempt delete the related task when deleting a workspace.
 			// This test ensures that we can still handle the case where, for some reason, the
 			// task has not been marked as deleted, but the workspace has.
-			task, err = exp.TaskByID(ctx, task.ID)
+			task, err = client.TaskByID(ctx, task.ID)
 			require.NoError(t, err, "fetching a task should still work if its related workspace is deleted")
-			err = exp.DeleteTask(ctx, task.OwnerID.String(), task.ID)
+			err = client.DeleteTask(ctx, task.OwnerID.String(), task.ID)
 			require.NoError(t, err, "should be possible to delete a task with no workspace")
 		})
 
@@ -418,8 +410,7 @@ func TestTasks(t *testing.T) {
 
 			ctx := testutil.Context(t, testutil.WaitLong)
 
-			exp := codersdk.NewExperimentalClient(client)
-			task, err := exp.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+			task, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 				TemplateVersionID: template.ActiveVersionID,
 				Input:             "delete me",
 			})
@@ -435,7 +426,7 @@ func TestTasks(t *testing.T) {
 			// When; the task workspace is deleted
 			coderdtest.MustTransitionWorkspace(t, client, ws.ID, codersdk.WorkspaceTransitionStart, codersdk.WorkspaceTransitionDelete)
 			// Then: the task associated with the workspace is also deleted
-			_, err = exp.TaskByID(ctx, task.ID)
+			_, err = client.TaskByID(ctx, task.ID)
 			require.Error(t, err, "expected an error fetching the task")
 			var sdkErr *codersdk.Error
 			require.ErrorAs(t, err, &sdkErr, "expected a codersdk.Error")
@@ -494,10 +485,9 @@ func TestTasks(t *testing.T) {
 				userClient, _  = coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
 				agentAuthToken = uuid.NewString()
 				template       = createAITemplate(t, client, owner, withAgentToken(agentAuthToken), withSidebarURL(srv.URL))
-				exp            = codersdk.NewExperimentalClient(userClient)
 			)
 
-			task, err := exp.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+			task, err := userClient.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 				TemplateVersionID: template.ActiveVersionID,
 				Input:             "send me food",
 			})
@@ -510,7 +500,7 @@ func TestTasks(t *testing.T) {
 			coderdtest.AwaitWorkspaceBuildJobCompleted(t, userClient, ws.LatestBuild.ID)
 
 			// Fetch the task by ID via experimental API and verify fields.
-			task, err = exp.TaskByID(ctx, task.ID)
+			task, err = client.TaskByID(ctx, task.ID)
 			require.NoError(t, err)
 			require.NotZero(t, task.WorkspaceBuildNumber)
 			require.True(t, task.WorkspaceAgentID.Valid)
@@ -536,7 +526,7 @@ func TestTasks(t *testing.T) {
 			coderdtest.NewWorkspaceAgentWaiter(t, userClient, ws.ID).WaitFor(coderdtest.AgentsReady)
 
 			// Fetch the task by ID via experimental API and verify fields.
-			task, err = exp.TaskByID(ctx, task.ID)
+			task, err = client.TaskByID(ctx, task.ID)
 			require.NoError(t, err)
 
 			// Make the sidebar app unhealthy initially.
@@ -546,7 +536,7 @@ func TestTasks(t *testing.T) {
 			})
 			require.NoError(t, err)
 
-			err = exp.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
+			err = client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
 				Input: "Hello, Agent!",
 			})
 			require.Error(t, err, "wanted error due to unhealthy sidebar app")
@@ -560,7 +550,7 @@ func TestTasks(t *testing.T) {
 
 			statusResponse = agentapisdk.AgentStatus("bad")
 
-			err = exp.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
+			err = client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
 				Input: "Hello, Agent!",
 			})
 			require.Error(t, err, "wanted error due to bad status")
@@ -569,7 +559,7 @@ func TestTasks(t *testing.T) {
 
 			//nolint:tparallel // Not intended to run in parallel.
 			t.Run("SendOK", func(t *testing.T) {
-				err = exp.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
+				err = client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
 					Input: "Hello, Agent!",
 				})
 				require.NoError(t, err, "wanted no error due to healthy sidebar app and stable status")
@@ -577,7 +567,7 @@ func TestTasks(t *testing.T) {
 
 			//nolint:tparallel // Not intended to run in parallel.
 			t.Run("MissingContent", func(t *testing.T) {
-				err = exp.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
+				err = client.TaskSend(ctx, "me", task.ID, codersdk.TaskSendRequest{
 					Input: "",
 				})
 				require.Error(t, err, "wanted error due to missing content")
@@ -595,8 +585,7 @@ func TestTasks(t *testing.T) {
 			_ = coderdtest.CreateFirstUser(t, client)
 			ctx := testutil.Context(t, testutil.WaitShort)
 
-			exp := codersdk.NewExperimentalClient(client)
-			err := exp.TaskSend(ctx, "me", uuid.New(), codersdk.TaskSendRequest{
+			err := client.TaskSend(ctx, "me", uuid.New(), codersdk.TaskSendRequest{
 				Input: "hi",
 			})
 
@@ -662,10 +651,9 @@ func TestTasks(t *testing.T) {
 			owner          = coderdtest.CreateFirstUser(t, client)
 			agentAuthToken = uuid.NewString()
 			template       = createAITemplate(t, client, owner, withAgentToken(agentAuthToken), withSidebarURL(srv.URL))
-			exp            = codersdk.NewExperimentalClient(client)
 		)
 
-		task, err := exp.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+		task, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 			TemplateVersionID: template.ActiveVersionID,
 			Input:             "show logs",
 		})
@@ -678,7 +666,7 @@ func TestTasks(t *testing.T) {
 		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
 
 		// Fetch the task by ID via experimental API and verify fields.
-		task, err = exp.TaskByIdentifier(ctx, task.ID.String())
+		task, err = client.TaskByIdentifier(ctx, task.ID.String())
 		require.NoError(t, err)
 		require.NotZero(t, task.WorkspaceBuildNumber)
 		require.True(t, task.WorkspaceAgentID.Valid)
@@ -704,13 +692,13 @@ func TestTasks(t *testing.T) {
 		coderdtest.NewWorkspaceAgentWaiter(t, client, ws.ID).WaitFor(coderdtest.AgentsReady)
 
 		// Fetch the task by ID via experimental API and verify fields.
-		task, err = exp.TaskByID(ctx, task.ID)
+		task, err = client.TaskByID(ctx, task.ID)
 		require.NoError(t, err)
 
 		//nolint:tparallel // Not intended to run in parallel.
 		t.Run("OK", func(t *testing.T) {
 			// Fetch logs.
-			resp, err := exp.TaskLogs(ctx, "me", task.ID)
+			resp, err := client.TaskLogs(ctx, "me", task.ID)
 			require.NoError(t, err)
 			require.Len(t, resp.Logs, 3)
 			assert.Equal(t, 0, resp.Logs[0].ID)
@@ -730,7 +718,7 @@ func TestTasks(t *testing.T) {
 		t.Run("UpstreamError", func(t *testing.T) {
 			shouldReturnError = true
 			t.Cleanup(func() { shouldReturnError = false })
-			_, err := exp.TaskLogs(ctx, "me", task.ID)
+			_, err := client.TaskLogs(ctx, "me", task.ID)
 
 			var sdkErr *codersdk.Error
 			require.Error(t, err)
@@ -738,6 +726,205 @@ func TestTasks(t *testing.T) {
 			require.Equal(t, http.StatusBadGateway, sdkErr.StatusCode())
 		})
 	})
+
+	t.Run("UpdateInput", func(t *testing.T) {
+		tests := []struct {
+			name               string
+			disableProvisioner bool
+			transition         database.WorkspaceTransition
+			cancelTransition   bool
+			deleteTask         bool
+			taskInput          string
+			wantStatus         codersdk.TaskStatus
+			wantErr            string
+			wantErrStatusCode  int
+		}{
+			{
+				name: "TaskStatusInitializing",
+				// We want to disable the provisioner so that the task
+				// never gets provisioned (ensuring it stays in Initializing).
+				disableProvisioner: true,
+				taskInput:          "Valid prompt",
+				wantStatus:         codersdk.TaskStatusInitializing,
+				wantErr:            "Unable to update",
+				wantErrStatusCode:  http.StatusConflict,
+			},
+			{
+				name:       "TaskStatusPaused",
+				transition: database.WorkspaceTransitionStop,
+				taskInput:  "Valid prompt",
+				wantStatus: codersdk.TaskStatusPaused,
+			},
+			{
+				name:              "TaskStatusError",
+				transition:        database.WorkspaceTransitionStart,
+				cancelTransition:  true,
+				taskInput:         "Valid prompt",
+				wantStatus:        codersdk.TaskStatusError,
+				wantErr:           "Unable to update",
+				wantErrStatusCode: http.StatusConflict,
+			},
+			{
+				name:       "EmptyPrompt",
+				transition: database.WorkspaceTransitionStop,
+				// We want to ensure an empty prompt is rejected.
+				taskInput:         "",
+				wantStatus:        codersdk.TaskStatusPaused,
+				wantErr:           "Task input is required.",
+				wantErrStatusCode: http.StatusBadRequest,
+			},
+			{
+				name:              "TaskDeleted",
+				transition:        database.WorkspaceTransitionStop,
+				deleteTask:        true,
+				taskInput:         "Valid prompt",
+				wantErr:           httpapi.ResourceNotFoundResponse.Message,
+				wantErrStatusCode: http.StatusNotFound,
+			},
+		}
+
+		for _, tt := range tests {
+			t.Run(tt.name, func(t *testing.T) {
+				t.Parallel()
+
+				client, provisioner := coderdtest.NewWithProvisionerCloser(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+				user := coderdtest.CreateFirstUser(t, client)
+				ctx := testutil.Context(t, testutil.WaitLong)
+
+				template := createAITemplate(t, client, user)
+
+				if tt.disableProvisioner {
+					provisioner.Close()
+				}
+
+				// Given: We create a task
+				task, err := client.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
+					TemplateVersionID: template.ActiveVersionID,
+					Input:             "initial prompt",
+				})
+				require.NoError(t, err)
+				require.True(t, task.WorkspaceID.Valid, "task should have a workspace ID")
+
+				if !tt.disableProvisioner {
+					// Given: The Task is running
+					workspace, err := client.Workspace(ctx, task.WorkspaceID.UUID)
+					require.NoError(t, err)
+					coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
+
+					// Given: We transition the task's workspace
+					build := coderdtest.CreateWorkspaceBuild(t, client, workspace, tt.transition)
+					if tt.cancelTransition {
+						// Given: We cancel the workspace build
+						err := client.CancelWorkspaceBuild(ctx, build.ID, codersdk.CancelWorkspaceBuildParams{})
+						require.NoError(t, err)
+
+						coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, build.ID)
+
+						// Then: We expect it to be canceled
+						build, err = client.WorkspaceBuild(ctx, build.ID)
+						require.NoError(t, err)
+						require.Equal(t, codersdk.WorkspaceStatusCanceled, build.Status)
+					} else {
+						coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, build.ID)
+					}
+				}
+
+				if tt.deleteTask {
+					err = client.DeleteTask(ctx, codersdk.Me, task.ID)
+					require.NoError(t, err)
+				} else {
+					// Given: Task has expected status
+					task, err = client.TaskByID(ctx, task.ID)
+					require.NoError(t, err)
+					require.Equal(t, tt.wantStatus, task.Status)
+				}
+
+				// When: We attempt to update the task input
+				err = client.UpdateTaskInput(ctx, task.OwnerName, task.ID, codersdk.UpdateTaskInputRequest{
+					Input: tt.taskInput,
+				})
+				if tt.wantErr != "" {
+					require.ErrorContains(t, err, tt.wantErr)
+
+					if tt.wantErrStatusCode != 0 {
+						var apiErr *codersdk.Error
+						require.ErrorAs(t, err, &apiErr)
+						require.Equal(t, tt.wantErrStatusCode, apiErr.StatusCode())
+					}
+
+					if !tt.deleteTask {
+						// Then: We expect the input to **not** be updated
+						task, err = client.TaskByID(ctx, task.ID)
+						require.NoError(t, err)
+						require.NotEqual(t, tt.taskInput, task.InitialPrompt)
+					}
+				} else {
+					require.NoError(t, err)
+
+					if !tt.deleteTask {
+						// Then: We expect the input to be updated
+						task, err = client.TaskByID(ctx, task.ID)
+						require.NoError(t, err)
+						require.Equal(t, tt.taskInput, task.InitialPrompt)
+					}
+				}
+			})
+		}
+
+		t.Run("NonExistentTask", func(t *testing.T) {
+			t.Parallel()
+
+			client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+			user := coderdtest.CreateFirstUser(t, client)
+			ctx := testutil.Context(t, testutil.WaitShort)
+
+			// Attempt to update prompt for non-existent task
+			err := client.UpdateTaskInput(ctx, user.UserID.String(), uuid.New(), codersdk.UpdateTaskInputRequest{
+				Input: "Should fail",
+			})
+			require.Error(t, err)
+			var apiErr *codersdk.Error
+			require.ErrorAs(t, err, &apiErr)
+			require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
+		})
+
+		t.Run("UnauthorizedUser", func(t *testing.T) {
+			t.Parallel()
+
+			client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+			user := coderdtest.CreateFirstUser(t, client)
+			anotherUser, _ := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
+			ctx := testutil.Context(t, testutil.WaitLong)
+
+			template := createAITemplate(t, client, user)
+
+			// Create a task as the first user
+			task, err := client.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
+				TemplateVersionID: template.ActiveVersionID,
+				Input:             "initial prompt",
+			})
+			require.NoError(t, err)
+			require.True(t, task.WorkspaceID.Valid)
+
+			// Wait for workspace to complete
+			workspace, err := client.Workspace(ctx, task.WorkspaceID.UUID)
+			require.NoError(t, err)
+			coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
+
+			// Stop the workspace
+			build := coderdtest.CreateWorkspaceBuild(t, client, workspace, database.WorkspaceTransitionStop)
+			coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, build.ID)
+
+			// Attempt to update prompt as another user should fail with 404 Not Found
+			err = anotherUser.UpdateTaskInput(ctx, task.OwnerName, task.ID, codersdk.UpdateTaskInputRequest{
+				Input: "Should fail - unauthorized",
+			})
+			require.Error(t, err)
+			var apiErr *codersdk.Error
+			require.ErrorAs(t, err, &apiErr)
+			require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
+		})
+	})
 }
 
 func TestTasksCreate(t *testing.T) {
@@ -767,9 +954,7 @@ func TestTasksCreate(t *testing.T) {
 		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
 		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 
-		expClient := codersdk.NewExperimentalClient(client)
-
-		task, err := expClient.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+		task, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 			TemplateVersionID: template.ActiveVersionID,
 			Input:             taskPrompt,
 		})
@@ -814,10 +999,8 @@ func TestTasksCreate(t *testing.T) {
 		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
 		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 
-		expClient := codersdk.NewExperimentalClient(client)
-
 		// When: We attempt to create a Task.
-		task, err := expClient.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+		task, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 			TemplateVersionID: template.ActiveVersionID,
 			Input:             taskPrompt,
 		})
@@ -844,14 +1027,17 @@ func TestTasksCreate(t *testing.T) {
 		t.Parallel()
 
 		tests := []struct {
-			name               string
-			taskName           string
-			expectFallbackName bool
-			expectError        string
+			name                      string
+			taskName                  string
+			taskDisplayName           string
+			expectFallbackName        bool
+			expectFallbackDisplayName bool
+			expectError               string
 		}{
 			{
-				name:     "ValidName",
-				taskName: "a-valid-task-name",
+				name:                      "ValidName",
+				taskName:                  "a-valid-task-name",
+				expectFallbackDisplayName: true,
 			},
 			{
 				name:        "NotValidName",
@@ -861,8 +1047,37 @@ func TestTasksCreate(t *testing.T) {
 			{
 				name:               "NoNameProvided",
 				taskName:           "",
+				taskDisplayName:    "A valid task display name",
 				expectFallbackName: true,
 			},
+			{
+				name:               "ValidDisplayName",
+				taskDisplayName:    "A valid task display name",
+				expectFallbackName: true,
+			},
+			{
+				name:            "NotValidDisplayName",
+				taskDisplayName: "This is a task display name with a length greater than 64 characters.",
+				expectError:     "Display name must be 64 characters or less.",
+			},
+			{
+				name:                      "NoDisplayNameProvided",
+				taskName:                  "a-valid-task-name",
+				taskDisplayName:           "",
+				expectFallbackDisplayName: true,
+			},
+			{
+				name:            "ValidNameAndDisplayName",
+				taskName:        "a-valid-task-name",
+				taskDisplayName: "A valid task display name",
+			},
+			{
+				name:                      "NoNameAndDisplayNameProvided",
+				taskName:                  "",
+				taskDisplayName:           "",
+				expectFallbackName:        true,
+				expectFallbackDisplayName: true,
+			},
 		}
 
 		for _, tt := range tests {
@@ -870,11 +1085,10 @@ func TestTasksCreate(t *testing.T) {
 				t.Parallel()
 
 				var (
-					ctx       = testutil.Context(t, testutil.WaitShort)
-					client    = coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-					expClient = codersdk.NewExperimentalClient(client)
-					user      = coderdtest.CreateFirstUser(t, client)
-					version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+					ctx     = testutil.Context(t, testutil.WaitShort)
+					client  = coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+					user    = coderdtest.CreateFirstUser(t, client)
+					version = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 						Parse:          echo.ParseComplete,
 						ProvisionApply: echo.ApplyComplete,
 						ProvisionPlan: []*proto.Response{
@@ -889,10 +1103,11 @@ func TestTasksCreate(t *testing.T) {
 				coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
 
 				// When: We attempt to create a Task.
-				task, err := expClient.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+				task, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 					TemplateVersionID: template.ActiveVersionID,
 					Input:             "Some prompt",
 					Name:              tt.taskName,
+					DisplayName:       tt.taskDisplayName,
 				})
 				if tt.expectError == "" {
 					require.NoError(t, err)
@@ -906,8 +1121,17 @@ func TestTasksCreate(t *testing.T) {
 					if !tt.expectFallbackName {
 						require.Equal(t, tt.taskName, task.Name)
 					}
+
+					// Then: We expect the correct display name to have been picked.
+					require.NotEmpty(t, task.DisplayName)
+					if !tt.expectFallbackDisplayName {
+						require.Equal(t, tt.taskDisplayName, task.DisplayName)
+					}
 				} else {
-					require.ErrorContains(t, err, tt.expectError)
+					var apiErr *codersdk.Error
+					require.ErrorAs(t, err, &apiErr)
+					require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
+					require.Equal(t, apiErr.Message, tt.expectError)
 				}
 			})
 		}
@@ -930,10 +1154,8 @@ func TestTasksCreate(t *testing.T) {
 		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
 		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 
-		expClient := codersdk.NewExperimentalClient(client)
-
 		// When: We attempt to create a Task.
-		_, err := expClient.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+		_, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 			TemplateVersionID: template.ActiveVersionID,
 			Input:             taskPrompt,
 		})
@@ -962,10 +1184,8 @@ func TestTasksCreate(t *testing.T) {
 		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
 		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 
-		expClient := codersdk.NewExperimentalClient(client)
-
 		// When: We attempt to create a Task with an invalid template version ID.
-		_, err := expClient.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+		_, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 			TemplateVersionID: uuid.New(),
 			Input:             taskPrompt,
 		})
@@ -1001,9 +1221,7 @@ func TestTasksCreate(t *testing.T) {
 		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
 		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 
-		expClient := codersdk.NewExperimentalClient(client)
-
-		task, err := expClient.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+		task, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 			TemplateVersionID: template.ActiveVersionID,
 			Input:             taskPrompt,
 		})
@@ -1060,9 +1278,7 @@ func TestTasksCreate(t *testing.T) {
 		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
 		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 
-		expClient := codersdk.NewExperimentalClient(client)
-
-		task, err := expClient.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+		task, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 			TemplateVersionID: template.ActiveVersionID,
 			Input:             taskPrompt,
 			Name:              taskName,
@@ -1096,16 +1312,14 @@ func TestTasksCreate(t *testing.T) {
 		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
 		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 
-		expClient := codersdk.NewExperimentalClient(client)
-
-		task1, err := expClient.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+		task1, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 			TemplateVersionID: template.ActiveVersionID,
 			Input:             "First task",
 			Name:              "task-1",
 		})
 		require.NoError(t, err)
 
-		task2, err := expClient.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+		task2, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 			TemplateVersionID: template.ActiveVersionID,
 			Input:             "Second task",
 			Name:              "task-2",
@@ -1159,11 +1373,9 @@ func TestTasksCreate(t *testing.T) {
 		}, template.ID)
 		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version2.ID)
 
-		expClient := codersdk.NewExperimentalClient(client)
-
 		// Create a task using version 2 to verify the template_version_id is
 		// stored correctly.
-		task, err := expClient.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+		task, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 			TemplateVersionID: version2.ID,
 			Input:             "Use version 2",
 		})

coderd/apidoc/docs.go

@@ -136,233 +136,6 @@ const docTemplate = `{
                 }
             }
         },
-        "/api/experimental/tasks": {
-            "get": {
-                "security": [
-                    {
-                        "CoderSessionToken": []
-                    }
-                ],
-                "tags": [
-                    "Experimental"
-                ],
-                "summary": "List AI tasks",
-                "operationId": "list-tasks",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Search query for filtering tasks. Supports: owner:\u003cusername/uuid/me\u003e, organization:\u003corg-name/uuid\u003e, status:\u003cstatus\u003e",
-                        "name": "q",
-                        "in": "query"
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/codersdk.TasksListResponse"
-                        }
-                    }
-                }
-            }
-        },
-        "/api/experimental/tasks/{user}": {
-            "post": {
-                "security": [
-                    {
-                        "CoderSessionToken": []
-                    }
-                ],
-                "tags": [
-                    "Experimental"
-                ],
-                "summary": "Create a new AI task",
-                "operationId": "create-task",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Username, user ID, or 'me' for the authenticated user",
-                        "name": "user",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "description": "Create task request",
-                        "name": "request",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/codersdk.CreateTaskRequest"
-                        }
-                    }
-                ],
-                "responses": {
-                    "201": {
-                        "description": "Created",
-                        "schema": {
-                            "$ref": "#/definitions/codersdk.Task"
-                        }
-                    }
-                }
-            }
-        },
-        "/api/experimental/tasks/{user}/{task}": {
-            "get": {
-                "security": [
-                    {
-                        "CoderSessionToken": []
-                    }
-                ],
-                "tags": [
-                    "Experimental"
-                ],
-                "summary": "Get AI task by ID",
-                "operationId": "get-task",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Username, user ID, or 'me' for the authenticated user",
-                        "name": "user",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "format": "uuid",
-                        "description": "Task ID",
-                        "name": "task",
-                        "in": "path",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/codersdk.Task"
-                        }
-                    }
-                }
-            },
-            "delete": {
-                "security": [
-                    {
-                        "CoderSessionToken": []
-                    }
-                ],
-                "tags": [
-                    "Experimental"
-                ],
-                "summary": "Delete AI task by ID",
-                "operationId": "delete-task",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Username, user ID, or 'me' for the authenticated user",
-                        "name": "user",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "format": "uuid",
-                        "description": "Task ID",
-                        "name": "task",
-                        "in": "path",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "202": {
-                        "description": "Task deletion initiated"
-                    }
-                }
-            }
-        },
-        "/api/experimental/tasks/{user}/{task}/logs": {
-            "get": {
-                "security": [
-                    {
-                        "CoderSessionToken": []
-                    }
-                ],
-                "tags": [
-                    "Experimental"
-                ],
-                "summary": "Get AI task logs",
-                "operationId": "get-task-logs",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Username, user ID, or 'me' for the authenticated user",
-                        "name": "user",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "format": "uuid",
-                        "description": "Task ID",
-                        "name": "task",
-                        "in": "path",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/codersdk.TaskLogsResponse"
-                        }
-                    }
-                }
-            }
-        },
-        "/api/experimental/tasks/{user}/{task}/send": {
-            "post": {
-                "security": [
-                    {
-                        "CoderSessionToken": []
-                    }
-                ],
-                "tags": [
-                    "Experimental"
-                ],
-                "summary": "Send input to AI task",
-                "operationId": "send-task-input",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Username, user ID, or 'me' for the authenticated user",
-                        "name": "user",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "format": "uuid",
-                        "description": "Task ID",
-                        "name": "task",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "description": "Task input request",
-                        "name": "request",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/codersdk.TaskSendRequest"
-                        }
-                    }
-                ],
-                "responses": {
-                    "204": {
-                        "description": "Input sent successfully"
-                    }
-                }
-            }
-        },
         "/appearance": {
             "get": {
                 "security": [
@@ -5679,6 +5452,294 @@ const docTemplate = `{
                 }
             }
         },
+        "/tasks": {
+            "get": {
+                "security": [
+                    {
+                        "CoderSessionToken": []
+                    }
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Tasks"
+                ],
+                "summary": "List AI tasks",
+                "operationId": "list-ai-tasks",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Search query for filtering tasks. Supports: owner:\u003cusername/uuid/me\u003e, organization:\u003corg-name/uuid\u003e, status:\u003cstatus\u003e",
+                        "name": "q",
+                        "in": "query"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.TasksListResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/tasks/{user}": {
+            "post": {
+                "security": [
+                    {
+                        "CoderSessionToken": []
+                    }
+                ],
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Tasks"
+                ],
+                "summary": "Create a new AI task",
+                "operationId": "create-a-new-ai-task",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Username, user ID, or 'me' for the authenticated user",
+                        "name": "user",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "Create task request",
+                        "name": "request",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.CreateTaskRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "201": {
+                        "description": "Created",
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.Task"
+                        }
+                    }
+                }
+            }
+        },
+        "/tasks/{user}/{task}": {
+            "get": {
+                "security": [
+                    {
+                        "CoderSessionToken": []
+                    }
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Tasks"
+                ],
+                "summary": "Get AI task by ID or name",
+                "operationId": "get-ai-task-by-id-or-name",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Username, user ID, or 'me' for the authenticated user",
+                        "name": "user",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "Task ID, or task name",
+                        "name": "task",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.Task"
+                        }
+                    }
+                }
+            },
+            "delete": {
+                "security": [
+                    {
+                        "CoderSessionToken": []
+                    }
+                ],
+                "tags": [
+                    "Tasks"
+                ],
+                "summary": "Delete AI task",
+                "operationId": "delete-ai-task",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Username, user ID, or 'me' for the authenticated user",
+                        "name": "user",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "Task ID, or task name",
+                        "name": "task",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "202": {
+                        "description": "Accepted"
+                    }
+                }
+            }
+        },
+        "/tasks/{user}/{task}/input": {
+            "patch": {
+                "security": [
+                    {
+                        "CoderSessionToken": []
+                    }
+                ],
+                "consumes": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Tasks"
+                ],
+                "summary": "Update AI task input",
+                "operationId": "update-ai-task-input",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Username, user ID, or 'me' for the authenticated user",
+                        "name": "user",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "Task ID, or task name",
+                        "name": "task",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "Update task input request",
+                        "name": "request",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.UpdateTaskInputRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "204": {
+                        "description": "No Content"
+                    }
+                }
+            }
+        },
+        "/tasks/{user}/{task}/logs": {
+            "get": {
+                "security": [
+                    {
+                        "CoderSessionToken": []
+                    }
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Tasks"
+                ],
+                "summary": "Get AI task logs",
+                "operationId": "get-ai-task-logs",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Username, user ID, or 'me' for the authenticated user",
+                        "name": "user",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "Task ID, or task name",
+                        "name": "task",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.TaskLogsResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/tasks/{user}/{task}/send": {
+            "post": {
+                "security": [
+                    {
+                        "CoderSessionToken": []
+                    }
+                ],
+                "consumes": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Tasks"
+                ],
+                "summary": "Send input to AI task",
+                "operationId": "send-input-to-ai-task",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Username, user ID, or 'me' for the authenticated user",
+                        "name": "user",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "Task ID, or task name",
+                        "name": "task",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "Task input request",
+                        "name": "request",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.TaskSendRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "204": {
+                        "description": "No Content"
+                    }
+                }
+            }
+        },
         "/templates": {
             "get": {
                 "security": [
@@ -8326,6 +8387,84 @@ const docTemplate = `{
                 }
             }
         },
+        "/users/{user}/preferences": {
+            "get": {
+                "security": [
+                    {
+                        "CoderSessionToken": []
+                    }
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Users"
+                ],
+                "summary": "Get user preference settings",
+                "operationId": "get-user-preference-settings",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "User ID, name, or me",
+                        "name": "user",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.UserPreferenceSettings"
+                        }
+                    }
+                }
+            },
+            "put": {
+                "security": [
+                    {
+                        "CoderSessionToken": []
+                    }
+                ],
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Users"
+                ],
+                "summary": "Update user preference settings",
+                "operationId": "update-user-preference-settings",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "User ID, name, or me",
+                        "name": "user",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "New preference settings",
+                        "name": "request",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.UpdateUserPreferenceSettingsRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.UserPreferenceSettings"
+                        }
+                    }
+                }
+            }
+        },
         "/users/{user}/profile": {
             "put": {
                 "security": [
@@ -13237,6 +13376,9 @@ const docTemplate = `{
         "codersdk.CreateTaskRequest": {
             "type": "object",
             "properties": {
+                "display_name": {
+                    "type": "string"
+                },
                 "input": {
                     "type": "string"
                 },
@@ -17836,6 +17978,9 @@ const docTemplate = `{
                 "current_state": {
                     "$ref": "#/definitions/codersdk.TaskStateEntry"
                 },
+                "display_name": {
+                    "type": "string"
+                },
                 "id": {
                     "type": "string",
                     "format": "uuid"
@@ -19025,6 +19170,14 @@ const docTemplate = `{
                 }
             }
         },
+        "codersdk.UpdateTaskInputRequest": {
+            "type": "object",
+            "properties": {
+                "input": {
+                    "type": "string"
+                }
+            }
+        },
         "codersdk.UpdateTemplateACL": {
             "type": "object",
             "properties": {
@@ -19179,6 +19332,14 @@ const docTemplate = `{
                 }
             }
         },
+        "codersdk.UpdateUserPreferenceSettingsRequest": {
+            "type": "object",
+            "properties": {
+                "task_notification_alert_dismissed": {
+                    "type": "boolean"
+                }
+            }
+        },
         "codersdk.UpdateUserProfileRequest": {
             "type": "object",
             "required": [
@@ -19564,6 +19725,14 @@ const docTemplate = `{
                 }
             }
         },
+        "codersdk.UserPreferenceSettings": {
+            "type": "object",
+            "properties": {
+                "task_notification_alert_dismissed": {
+                    "type": "boolean"
+                }
+            }
+        },
         "codersdk.UserQuietHoursScheduleConfig": {
             "type": "object",
             "properties": {

coderd/apidoc/swagger.json

@@ -112,221 +112,6 @@
 				}
 			}
 		},
-		"/api/experimental/tasks": {
-			"get": {
-				"security": [
-					{
-						"CoderSessionToken": []
-					}
-				],
-				"tags": ["Experimental"],
-				"summary": "List AI tasks",
-				"operationId": "list-tasks",
-				"parameters": [
-					{
-						"type": "string",
-						"description": "Search query for filtering tasks. Supports: owner:\u003cusername/uuid/me\u003e, organization:\u003corg-name/uuid\u003e, status:\u003cstatus\u003e",
-						"name": "q",
-						"in": "query"
-					}
-				],
-				"responses": {
-					"200": {
-						"description": "OK",
-						"schema": {
-							"$ref": "#/definitions/codersdk.TasksListResponse"
-						}
-					}
-				}
-			}
-		},
-		"/api/experimental/tasks/{user}": {
-			"post": {
-				"security": [
-					{
-						"CoderSessionToken": []
-					}
-				],
-				"tags": ["Experimental"],
-				"summary": "Create a new AI task",
-				"operationId": "create-task",
-				"parameters": [
-					{
-						"type": "string",
-						"description": "Username, user ID, or 'me' for the authenticated user",
-						"name": "user",
-						"in": "path",
-						"required": true
-					},
-					{
-						"description": "Create task request",
-						"name": "request",
-						"in": "body",
-						"required": true,
-						"schema": {
-							"$ref": "#/definitions/codersdk.CreateTaskRequest"
-						}
-					}
-				],
-				"responses": {
-					"201": {
-						"description": "Created",
-						"schema": {
-							"$ref": "#/definitions/codersdk.Task"
-						}
-					}
-				}
-			}
-		},
-		"/api/experimental/tasks/{user}/{task}": {
-			"get": {
-				"security": [
-					{
-						"CoderSessionToken": []
-					}
-				],
-				"tags": ["Experimental"],
-				"summary": "Get AI task by ID",
-				"operationId": "get-task",
-				"parameters": [
-					{
-						"type": "string",
-						"description": "Username, user ID, or 'me' for the authenticated user",
-						"name": "user",
-						"in": "path",
-						"required": true
-					},
-					{
-						"type": "string",
-						"format": "uuid",
-						"description": "Task ID",
-						"name": "task",
-						"in": "path",
-						"required": true
-					}
-				],
-				"responses": {
-					"200": {
-						"description": "OK",
-						"schema": {
-							"$ref": "#/definitions/codersdk.Task"
-						}
-					}
-				}
-			},
-			"delete": {
-				"security": [
-					{
-						"CoderSessionToken": []
-					}
-				],
-				"tags": ["Experimental"],
-				"summary": "Delete AI task by ID",
-				"operationId": "delete-task",
-				"parameters": [
-					{
-						"type": "string",
-						"description": "Username, user ID, or 'me' for the authenticated user",
-						"name": "user",
-						"in": "path",
-						"required": true
-					},
-					{
-						"type": "string",
-						"format": "uuid",
-						"description": "Task ID",
-						"name": "task",
-						"in": "path",
-						"required": true
-					}
-				],
-				"responses": {
-					"202": {
-						"description": "Task deletion initiated"
-					}
-				}
-			}
-		},
-		"/api/experimental/tasks/{user}/{task}/logs": {
-			"get": {
-				"security": [
-					{
-						"CoderSessionToken": []
-					}
-				],
-				"tags": ["Experimental"],
-				"summary": "Get AI task logs",
-				"operationId": "get-task-logs",
-				"parameters": [
-					{
-						"type": "string",
-						"description": "Username, user ID, or 'me' for the authenticated user",
-						"name": "user",
-						"in": "path",
-						"required": true
-					},
-					{
-						"type": "string",
-						"format": "uuid",
-						"description": "Task ID",
-						"name": "task",
-						"in": "path",
-						"required": true
-					}
-				],
-				"responses": {
-					"200": {
-						"description": "OK",
-						"schema": {
-							"$ref": "#/definitions/codersdk.TaskLogsResponse"
-						}
-					}
-				}
-			}
-		},
-		"/api/experimental/tasks/{user}/{task}/send": {
-			"post": {
-				"security": [
-					{
-						"CoderSessionToken": []
-					}
-				],
-				"tags": ["Experimental"],
-				"summary": "Send input to AI task",
-				"operationId": "send-task-input",
-				"parameters": [
-					{
-						"type": "string",
-						"description": "Username, user ID, or 'me' for the authenticated user",
-						"name": "user",
-						"in": "path",
-						"required": true
-					},
-					{
-						"type": "string",
-						"format": "uuid",
-						"description": "Task ID",
-						"name": "task",
-						"in": "path",
-						"required": true
-					},
-					{
-						"description": "Task input request",
-						"name": "request",
-						"in": "body",
-						"required": true,
-						"schema": {
-							"$ref": "#/definitions/codersdk.TaskSendRequest"
-						}
-					}
-				],
-				"responses": {
-					"204": {
-						"description": "Input sent successfully"
-					}
-				}
-			}
-		},
 		"/appearance": {
 			"get": {
 				"security": [
@@ -5026,6 +4811,266 @@
 				}
 			}
 		},
+		"/tasks": {
+			"get": {
+				"security": [
+					{
+						"CoderSessionToken": []
+					}
+				],
+				"produces": ["application/json"],
+				"tags": ["Tasks"],
+				"summary": "List AI tasks",
+				"operationId": "list-ai-tasks",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "Search query for filtering tasks. Supports: owner:\u003cusername/uuid/me\u003e, organization:\u003corg-name/uuid\u003e, status:\u003cstatus\u003e",
+						"name": "q",
+						"in": "query"
+					}
+				],
+				"responses": {
+					"200": {
+						"description": "OK",
+						"schema": {
+							"$ref": "#/definitions/codersdk.TasksListResponse"
+						}
+					}
+				}
+			}
+		},
+		"/tasks/{user}": {
+			"post": {
+				"security": [
+					{
+						"CoderSessionToken": []
+					}
+				],
+				"consumes": ["application/json"],
+				"produces": ["application/json"],
+				"tags": ["Tasks"],
+				"summary": "Create a new AI task",
+				"operationId": "create-a-new-ai-task",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "Username, user ID, or 'me' for the authenticated user",
+						"name": "user",
+						"in": "path",
+						"required": true
+					},
+					{
+						"description": "Create task request",
+						"name": "request",
+						"in": "body",
+						"required": true,
+						"schema": {
+							"$ref": "#/definitions/codersdk.CreateTaskRequest"
+						}
+					}
+				],
+				"responses": {
+					"201": {
+						"description": "Created",
+						"schema": {
+							"$ref": "#/definitions/codersdk.Task"
+						}
+					}
+				}
+			}
+		},
+		"/tasks/{user}/{task}": {
+			"get": {
+				"security": [
+					{
+						"CoderSessionToken": []
+					}
+				],
+				"produces": ["application/json"],
+				"tags": ["Tasks"],
+				"summary": "Get AI task by ID or name",
+				"operationId": "get-ai-task-by-id-or-name",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "Username, user ID, or 'me' for the authenticated user",
+						"name": "user",
+						"in": "path",
+						"required": true
+					},
+					{
+						"type": "string",
+						"description": "Task ID, or task name",
+						"name": "task",
+						"in": "path",
+						"required": true
+					}
+				],
+				"responses": {
+					"200": {
+						"description": "OK",
+						"schema": {
+							"$ref": "#/definitions/codersdk.Task"
+						}
+					}
+				}
+			},
+			"delete": {
+				"security": [
+					{
+						"CoderSessionToken": []
+					}
+				],
+				"tags": ["Tasks"],
+				"summary": "Delete AI task",
+				"operationId": "delete-ai-task",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "Username, user ID, or 'me' for the authenticated user",
+						"name": "user",
+						"in": "path",
+						"required": true
+					},
+					{
+						"type": "string",
+						"description": "Task ID, or task name",
+						"name": "task",
+						"in": "path",
+						"required": true
+					}
+				],
+				"responses": {
+					"202": {
+						"description": "Accepted"
+					}
+				}
+			}
+		},
+		"/tasks/{user}/{task}/input": {
+			"patch": {
+				"security": [
+					{
+						"CoderSessionToken": []
+					}
+				],
+				"consumes": ["application/json"],
+				"tags": ["Tasks"],
+				"summary": "Update AI task input",
+				"operationId": "update-ai-task-input",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "Username, user ID, or 'me' for the authenticated user",
+						"name": "user",
+						"in": "path",
+						"required": true
+					},
+					{
+						"type": "string",
+						"description": "Task ID, or task name",
+						"name": "task",
+						"in": "path",
+						"required": true
+					},
+					{
+						"description": "Update task input request",
+						"name": "request",
+						"in": "body",
+						"required": true,
+						"schema": {
+							"$ref": "#/definitions/codersdk.UpdateTaskInputRequest"
+						}
+					}
+				],
+				"responses": {
+					"204": {
+						"description": "No Content"
+					}
+				}
+			}
+		},
+		"/tasks/{user}/{task}/logs": {
+			"get": {
+				"security": [
+					{
+						"CoderSessionToken": []
+					}
+				],
+				"produces": ["application/json"],
+				"tags": ["Tasks"],
+				"summary": "Get AI task logs",
+				"operationId": "get-ai-task-logs",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "Username, user ID, or 'me' for the authenticated user",
+						"name": "user",
+						"in": "path",
+						"required": true
+					},
+					{
+						"type": "string",
+						"description": "Task ID, or task name",
+						"name": "task",
+						"in": "path",
+						"required": true
+					}
+				],
+				"responses": {
+					"200": {
+						"description": "OK",
+						"schema": {
+							"$ref": "#/definitions/codersdk.TaskLogsResponse"
+						}
+					}
+				}
+			}
+		},
+		"/tasks/{user}/{task}/send": {
+			"post": {
+				"security": [
+					{
+						"CoderSessionToken": []
+					}
+				],
+				"consumes": ["application/json"],
+				"tags": ["Tasks"],
+				"summary": "Send input to AI task",
+				"operationId": "send-input-to-ai-task",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "Username, user ID, or 'me' for the authenticated user",
+						"name": "user",
+						"in": "path",
+						"required": true
+					},
+					{
+						"type": "string",
+						"description": "Task ID, or task name",
+						"name": "task",
+						"in": "path",
+						"required": true
+					},
+					{
+						"description": "Task input request",
+						"name": "request",
+						"in": "body",
+						"required": true,
+						"schema": {
+							"$ref": "#/definitions/codersdk.TaskSendRequest"
+						}
+					}
+				],
+				"responses": {
+					"204": {
+						"description": "No Content"
+					}
+				}
+			}
+		},
 		"/templates": {
 			"get": {
 				"security": [
@@ -7373,6 +7418,74 @@
 				}
 			}
 		},
+		"/users/{user}/preferences": {
+			"get": {
+				"security": [
+					{
+						"CoderSessionToken": []
+					}
+				],
+				"produces": ["application/json"],
+				"tags": ["Users"],
+				"summary": "Get user preference settings",
+				"operationId": "get-user-preference-settings",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "User ID, name, or me",
+						"name": "user",
+						"in": "path",
+						"required": true
+					}
+				],
+				"responses": {
+					"200": {
+						"description": "OK",
+						"schema": {
+							"$ref": "#/definitions/codersdk.UserPreferenceSettings"
+						}
+					}
+				}
+			},
+			"put": {
+				"security": [
+					{
+						"CoderSessionToken": []
+					}
+				],
+				"consumes": ["application/json"],
+				"produces": ["application/json"],
+				"tags": ["Users"],
+				"summary": "Update user preference settings",
+				"operationId": "update-user-preference-settings",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "User ID, name, or me",
+						"name": "user",
+						"in": "path",
+						"required": true
+					},
+					{
+						"description": "New preference settings",
+						"name": "request",
+						"in": "body",
+						"required": true,
+						"schema": {
+							"$ref": "#/definitions/codersdk.UpdateUserPreferenceSettingsRequest"
+						}
+					}
+				],
+				"responses": {
+					"200": {
+						"description": "OK",
+						"schema": {
+							"$ref": "#/definitions/codersdk.UserPreferenceSettings"
+						}
+					}
+				}
+			}
+		},
 		"/users/{user}/profile": {
 			"put": {
 				"security": [
@@ -11883,6 +11996,9 @@
 		"codersdk.CreateTaskRequest": {
 			"type": "object",
 			"properties": {
+				"display_name": {
+					"type": "string"
+				},
 				"input": {
 					"type": "string"
 				},
@@ -16320,6 +16436,9 @@
 				"current_state": {
 					"$ref": "#/definitions/codersdk.TaskStateEntry"
 				},
+				"display_name": {
+					"type": "string"
+				},
 				"id": {
 					"type": "string",
 					"format": "uuid"
@@ -17452,6 +17571,14 @@
 				}
 			}
 		},
+		"codersdk.UpdateTaskInputRequest": {
+			"type": "object",
+			"properties": {
+				"input": {
+					"type": "string"
+				}
+			}
+		},
 		"codersdk.UpdateTemplateACL": {
 			"type": "object",
 			"properties": {
@@ -17601,6 +17728,14 @@
 				}
 			}
 		},
+		"codersdk.UpdateUserPreferenceSettingsRequest": {
+			"type": "object",
+			"properties": {
+				"task_notification_alert_dismissed": {
+					"type": "boolean"
+				}
+			}
+		},
 		"codersdk.UpdateUserProfileRequest": {
 			"type": "object",
 			"required": ["username"],
@@ -17961,6 +18096,14 @@
 				}
 			}
 		},
+		"codersdk.UserPreferenceSettings": {
+			"type": "object",
+			"properties": {
+				"task_notification_alert_dismissed": {
+					"type": "boolean"
+				}
+			}
+		},
 		"codersdk.UserQuietHoursScheduleConfig": {
 			"type": "object",
 			"properties": {

coderd/autobuild/lifecycle_executor_test.go

@@ -1830,8 +1830,7 @@ func TestExecutorTaskWorkspace(t *testing.T) {
 	createTaskWorkspace := func(t *testing.T, client *codersdk.Client, template codersdk.Template, ctx context.Context, input string) codersdk.Workspace {
 		t.Helper()
 
-		exp := codersdk.NewExperimentalClient(client)
-		task, err := exp.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+		task, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
 			TemplateVersionID: template.ActiveVersionID,
 			Input:             input,
 		})

coderd/coderd.go

@@ -99,6 +99,7 @@ import (
 	"github.com/coder/coder/v2/coderd/workspacestats"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/healthsdk"
+	sharedhttpmw "github.com/coder/coder/v2/httpmw"
 	"github.com/coder/coder/v2/provisionersdk"
 	"github.com/coder/coder/v2/site"
 	"github.com/coder/coder/v2/tailnet"
@@ -861,7 +862,7 @@ func New(options *Options) *API {
 	prometheusMW := httpmw.Prometheus(options.PrometheusRegistry)
 
 	r.Use(
-		httpmw.Recover(api.Logger),
+		sharedhttpmw.Recover(api.Logger),
 		httpmw.WithProfilingLabels,
 		tracing.StatusWriterMiddleware,
 		tracing.Middleware(api.TracerProvider),
@@ -1023,6 +1024,9 @@ func New(options *Options) *API {
 			httpmw.ReportCLITelemetry(api.Logger, options.Telemetry),
 		)
 
+		// NOTE(DanielleMaywood):
+		// Tasks have been promoted to stable, but we have guaranteed a single release transition period
+		// where these routes must remain. These should be removed no earlier than Coder v2.30.0
 		r.Route("/tasks", func(r chi.Router) {
 			r.Use(apiKeyMiddleware)
 
@@ -1036,6 +1040,7 @@ func New(options *Options) *API {
 					r.Use(httpmw.ExtractTaskParam(options.Database))
 					r.Get("/", api.taskGet)
 					r.Delete("/", api.taskDelete)
+					r.Patch("/input", api.taskUpdateInput)
 					r.Post("/send", api.taskSend)
 					r.Get("/logs", api.taskLogs)
 				})
@@ -1331,6 +1336,8 @@ func New(options *Options) *API {
 						})
 						r.Get("/appearance", api.userAppearanceSettings)
 						r.Put("/appearance", api.putUserAppearanceSettings)
+						r.Get("/preferences", api.userPreferenceSettings)
+						r.Put("/preferences", api.putUserPreferenceSettings)
 						r.Route("/password", func(r chi.Router) {
 							r.Use(httpmw.RateLimit(options.LoginRateLimit, time.Minute))
 							r.Put("/", api.putUserPassword)
@@ -1649,6 +1656,25 @@ func New(options *Options) *API {
 		r.Route("/init-script", func(r chi.Router) {
 			r.Get("/{os}/{arch}", api.initScript)
 		})
+		r.Route("/tasks", func(r chi.Router) {
+			r.Use(apiKeyMiddleware)
+
+			r.Get("/", api.tasksList)
+
+			r.Route("/{user}", func(r chi.Router) {
+				r.Use(httpmw.ExtractOrganizationMembersParam(options.Database, api.HTTPAuth.Authorize))
+				r.Post("/", api.tasksCreate)
+
+				r.Route("/{task}", func(r chi.Router) {
+					r.Use(httpmw.ExtractTaskParam(options.Database))
+					r.Get("/", api.taskGet)
+					r.Delete("/", api.taskDelete)
+					r.Patch("/input", api.taskUpdateInput)
+					r.Post("/send", api.taskSend)
+					r.Get("/logs", api.taskLogs)
+				})
+			})
+		})
 	})
 
 	if options.SwaggerEndpoint {

coderd/database/dbauthz/dbauthz.go

@@ -217,7 +217,7 @@ var (
 					rbac.ResourceTemplate.Type:        {policy.ActionRead, policy.ActionUpdate},
 					// Unsure why provisionerd needs update and read personal
 					rbac.ResourceUser.Type:             {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
-					rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStop},
+					rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStop, policy.ActionCreateAgent},
 					rbac.ResourceWorkspace.Type:        {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop, policy.ActionCreateAgent},
 					// Provisionerd needs to read, update, and delete tasks associated with workspaces.
 					rbac.ResourceTask.Type:   {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
@@ -2426,11 +2426,11 @@ func (q *querier) GetLatestCryptoKeyByFeature(ctx context.Context, feature datab
 	return q.db.GetLatestCryptoKeyByFeature(ctx, feature)
 }
 
-func (q *querier) GetLatestWorkspaceAppStatusesByAppID(ctx context.Context, appID uuid.UUID) ([]database.WorkspaceAppStatus, error) {
+func (q *querier) GetLatestWorkspaceAppStatusByAppID(ctx context.Context, appID uuid.UUID) (database.WorkspaceAppStatus, error) {
 	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
-		return nil, err
+		return database.WorkspaceAppStatus{}, err
 	}
-	return q.db.GetLatestWorkspaceAppStatusesByAppID(ctx, appID)
+	return q.db.GetLatestWorkspaceAppStatusByAppID(ctx, appID)
 }
 
 func (q *querier) GetLatestWorkspaceAppStatusesByWorkspaceIDs(ctx context.Context, ids []uuid.UUID) ([]database.WorkspaceAppStatus, error) {
@@ -3431,6 +3431,17 @@ func (q *querier) GetUserStatusCounts(ctx context.Context, arg database.GetUserS
 	return q.db.GetUserStatusCounts(ctx, arg)
 }
 
+func (q *querier) GetUserTaskNotificationAlertDismissed(ctx context.Context, userID uuid.UUID) (bool, error) {
+	user, err := q.db.GetUserByID(ctx, userID)
+	if err != nil {
+		return false, err
+	}
+	if err := q.authorizeContext(ctx, policy.ActionReadPersonal, user); err != nil {
+		return false, err
+	}
+	return q.db.GetUserTaskNotificationAlertDismissed(ctx, userID)
+}
+
 func (q *querier) GetUserTerminalFont(ctx context.Context, userID uuid.UUID) (string, error) {
 	u, err := q.db.GetUserByID(ctx, userID)
 	if err != nil {
@@ -5130,6 +5141,21 @@ func (q *querier) UpdateTailnetPeerStatusByCoordinator(ctx context.Context, arg
 	return q.db.UpdateTailnetPeerStatusByCoordinator(ctx, arg)
 }
 
+func (q *querier) UpdateTaskPrompt(ctx context.Context, arg database.UpdateTaskPromptParams) (database.TaskTable, error) {
+	// An actor is allowed to update the prompt of a task if they have
+	// permission to update the task (same as UpdateTaskWorkspaceID).
+	task, err := q.db.GetTaskByID(ctx, arg.ID)
+	if err != nil {
+		return database.TaskTable{}, err
+	}
+
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, task.RBACObject()); err != nil {
+		return database.TaskTable{}, err
+	}
+
+	return q.db.UpdateTaskPrompt(ctx, arg)
+}
+
 func (q *querier) UpdateTaskWorkspaceID(ctx context.Context, arg database.UpdateTaskWorkspaceIDParams) (database.TaskTable, error) {
 	// An actor is allowed to update the workspace ID of a task if they are the
 	// owner of the task and workspace or have the appropriate permissions.
@@ -5449,6 +5475,17 @@ func (q *querier) UpdateUserStatus(ctx context.Context, arg database.UpdateUserS
 	return updateWithReturn(q.log, q.auth, fetch, q.db.UpdateUserStatus)(ctx, arg)
 }
 
+func (q *querier) UpdateUserTaskNotificationAlertDismissed(ctx context.Context, arg database.UpdateUserTaskNotificationAlertDismissedParams) (bool, error) {
+	user, err := q.db.GetUserByID(ctx, arg.UserID)
+	if err != nil {
+		return false, err
+	}
+	if err := q.authorizeContext(ctx, policy.ActionUpdatePersonal, user); err != nil {
+		return false, err
+	}
+	return q.db.UpdateUserTaskNotificationAlertDismissed(ctx, arg)
+}
+
 func (q *querier) UpdateUserTerminalFont(ctx context.Context, arg database.UpdateUserTerminalFontParams) (database.UserConfig, error) {
 	u, err := q.db.GetUserByID(ctx, arg.UserID)
 	if err != nil {
@@ -5541,6 +5578,22 @@ func (q *querier) UpdateWorkspaceAgentLogOverflowByID(ctx context.Context, arg d
 }
 
 func (q *querier) UpdateWorkspaceAgentMetadata(ctx context.Context, arg database.UpdateWorkspaceAgentMetadataParams) error {
+	// Fast path: Check if we have an RBAC object in context.
+	// This is set by the workspace agent RPC handler to avoid the expensive
+	// GetWorkspaceByAgentID query for every metadata update.
+	// NOTE: The cached RBAC object is refreshed every 5 minutes in agentapi/api.go.
+	if rbacObj, ok := WorkspaceRBACFromContext(ctx); ok {
+		// Errors here will result in falling back to the GetWorkspaceAgentByID query, skipping
+		// the cache in case the cached data is stale.
+		if err := q.authorizeContext(ctx, policy.ActionUpdate, rbacObj); err == nil {
+			return q.db.UpdateWorkspaceAgentMetadata(ctx, arg)
+		}
+		q.log.Debug(ctx, "fast path authorization failed, using slow path",
+			slog.F("agent_id", arg.WorkspaceAgentID))
+	}
+
+	// Slow path: Fallback to fetching the workspace for authorization if the RBAC object is not present (or is invalid)
+	// in the request context.
 	workspace, err := q.db.GetWorkspaceByAgentID(ctx, arg.WorkspaceAgentID)
 	if err != nil {
 		return err

coderd/database/dbauthz/dbauthz_test.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net"
 	"reflect"
+	"strconv"
 	"testing"
 	"time"
 
@@ -1477,6 +1478,21 @@ func (s *MethodTestSuite) TestUser() {
 		dbm.EXPECT().UpdateUserTerminalFont(gomock.Any(), arg).Return(uc, nil).AnyTimes()
 		check.Args(arg).Asserts(u, policy.ActionUpdatePersonal).Returns(uc)
 	}))
+	s.Run("GetUserTaskNotificationAlertDismissed", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
+		u := testutil.Fake(s.T(), faker, database.User{})
+		dbm.EXPECT().GetUserByID(gomock.Any(), u.ID).Return(u, nil).AnyTimes()
+		dbm.EXPECT().GetUserTaskNotificationAlertDismissed(gomock.Any(), u.ID).Return(false, nil).AnyTimes()
+		check.Args(u.ID).Asserts(u, policy.ActionReadPersonal).Returns(false)
+	}))
+	s.Run("UpdateUserTaskNotificationAlertDismissed", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
+		user := testutil.Fake(s.T(), faker, database.User{})
+		userConfig := database.UserConfig{UserID: user.ID, Key: "task_notification_alert_dismissed", Value: "false"}
+		userConfigValue, _ := strconv.ParseBool(userConfig.Value)
+		arg := database.UpdateUserTaskNotificationAlertDismissedParams{UserID: user.ID, TaskNotificationAlertDismissed: userConfigValue}
+		dbm.EXPECT().GetUserByID(gomock.Any(), user.ID).Return(user, nil).AnyTimes()
+		dbm.EXPECT().UpdateUserTaskNotificationAlertDismissed(gomock.Any(), arg).Return(false, nil).AnyTimes()
+		check.Args(arg).Asserts(user, policy.ActionUpdatePersonal).Returns(userConfigValue)
+	}))
 	s.Run("UpdateUserStatus", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
 		u := testutil.Fake(s.T(), faker, database.User{})
 		arg := database.UpdateUserStatusParams{ID: u.ID, Status: u.Status, UpdatedAt: u.UpdatedAt}
@@ -2457,6 +2473,22 @@ func (s *MethodTestSuite) TestTasks() {
 
 		check.Args(arg).Asserts(task, policy.ActionUpdate, ws, policy.ActionUpdate).Returns(database.TaskTable{})
 	}))
+	s.Run("UpdateTaskPrompt", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
+		task := testutil.Fake(s.T(), faker, database.Task{})
+		arg := database.UpdateTaskPromptParams{
+			ID:     task.ID,
+			Prompt: "Updated prompt text",
+		}
+
+		// Create a copy of the task with the updated prompt
+		updatedTask := task
+		updatedTask.Prompt = arg.Prompt
+
+		dbm.EXPECT().GetTaskByID(gomock.Any(), task.ID).Return(task, nil).AnyTimes()
+		dbm.EXPECT().UpdateTaskPrompt(gomock.Any(), arg).Return(updatedTask.TaskTable(), nil).AnyTimes()
+
+		check.Args(arg).Asserts(task, policy.ActionUpdate).Returns(updatedTask.TaskTable())
+	}))
 	s.Run("GetTaskByWorkspaceID", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
 		task := testutil.Fake(s.T(), faker, database.Task{})
 		task.WorkspaceID = uuid.NullUUID{UUID: uuid.New(), Valid: true}
@@ -2848,9 +2880,9 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 		dbm.EXPECT().UpdateUserLinkedID(gomock.Any(), arg).Return(l, nil).AnyTimes()
 		check.Args(arg).Asserts(rbac.ResourceSystem, policy.ActionUpdate).Returns(l)
 	}))
-	s.Run("GetLatestWorkspaceAppStatusesByAppID", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
+	s.Run("GetLatestWorkspaceAppStatusByAppID", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
 		appID := uuid.New()
-		dbm.EXPECT().GetLatestWorkspaceAppStatusesByAppID(gomock.Any(), appID).Return([]database.WorkspaceAppStatus{}, nil).AnyTimes()
+		dbm.EXPECT().GetLatestWorkspaceAppStatusByAppID(gomock.Any(), appID).Return(database.WorkspaceAppStatus{}, nil).AnyTimes()
 		check.Args(appID).Asserts(rbac.ResourceSystem, policy.ActionRead)
 	}))
 	s.Run("GetLatestWorkspaceAppStatusesByWorkspaceIDs", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {

coderd/database/dbauthz/workspace_rbac_context.go

@@ -0,0 +1,41 @@
+package dbauthz
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/coderd/rbac"
+)
+
+func isWorkspaceRBACObjectEmpty(rbacObj rbac.Object) bool {
+	// if any of these are true then the rbac.Object work a workspace is considered empty
+	return rbacObj.Owner == "" || rbacObj.OrgID == "" || rbacObj.Owner == uuid.Nil.String() || rbacObj.OrgID == uuid.Nil.String()
+}
+
+type workspaceRBACContextKey struct{}
+
+// WithWorkspaceRBAC attaches a workspace RBAC object to the context.
+// RBAC fields on this RBAC object should not be used.
+//
+// This is primarily used by the workspace agent RPC handler to cache workspace
+// authorization data for the duration of an agent connection.
+func WithWorkspaceRBAC(ctx context.Context, rbacObj rbac.Object) (context.Context, error) {
+	if rbacObj.Type != rbac.ResourceWorkspace.Type {
+		return ctx, xerrors.New("RBAC Object must be of type Workspace")
+	}
+	if isWorkspaceRBACObjectEmpty(rbacObj) {
+		return ctx, xerrors.Errorf("cannot attach empty RBAC object to context: %+v", rbacObj)
+	}
+	if len(rbacObj.ACLGroupList) != 0 || len(rbacObj.ACLUserList) != 0 {
+		return ctx, xerrors.New("ACL fields for Workspace RBAC object must be nullified, the can be changed during runtime and should not be cached")
+	}
+	return context.WithValue(ctx, workspaceRBACContextKey{}, rbacObj), nil
+}
+
+// WorkspaceRBACFromContext attempts to retrieve the workspace RBAC object from context.
+func WorkspaceRBACFromContext(ctx context.Context) (rbac.Object, bool) {
+	obj, ok := ctx.Value(workspaceRBACContextKey{}).(rbac.Object)
+	return obj, ok
+}

coderd/database/dbgen/dbgen.go

@@ -14,6 +14,8 @@ import (
 	"testing"
 	"time"
 
+	"cdr.dev/slog"
+
 	"github.com/google/uuid"
 	"github.com/sqlc-dev/pqtype"
 	"github.com/stretchr/testify/require"
@@ -1582,11 +1584,13 @@ func Task(t testing.TB, db database.Store, orig database.TaskTable) database.Tas
 		parameters = json.RawMessage([]byte("{}"))
 	}
 
+	taskName := taskname.Generate(genCtx, slog.Make(), orig.Prompt)
 	task, err := db.InsertTask(genCtx, database.InsertTaskParams{
 		ID:                 takeFirst(orig.ID, uuid.New()),
 		OrganizationID:     orig.OrganizationID,
 		OwnerID:            orig.OwnerID,
-		Name:               takeFirst(orig.Name, taskname.GenerateFallback()),
+		Name:               takeFirst(orig.Name, taskName.Name),
+		DisplayName:        takeFirst(orig.DisplayName, taskName.DisplayName),
 		WorkspaceID:        orig.WorkspaceID,
 		TemplateVersionID:  orig.TemplateVersionID,
 		TemplateParameters: parameters,

coderd/database/dbmetrics/querymetrics.go

@@ -1033,10 +1033,10 @@ func (m queryMetricsStore) GetLatestCryptoKeyByFeature(ctx context.Context, feat
 	return r0, r1
 }
 
-func (m queryMetricsStore) GetLatestWorkspaceAppStatusesByAppID(ctx context.Context, appID uuid.UUID) ([]database.WorkspaceAppStatus, error) {
+func (m queryMetricsStore) GetLatestWorkspaceAppStatusByAppID(ctx context.Context, appID uuid.UUID) (database.WorkspaceAppStatus, error) {
 	start := time.Now()
-	r0, r1 := m.s.GetLatestWorkspaceAppStatusesByAppID(ctx, appID)
-	m.queryLatencies.WithLabelValues("GetLatestWorkspaceAppStatusesByAppID").Observe(time.Since(start).Seconds())
+	r0, r1 := m.s.GetLatestWorkspaceAppStatusByAppID(ctx, appID)
+	m.queryLatencies.WithLabelValues("GetLatestWorkspaceAppStatusByAppID").Observe(time.Since(start).Seconds())
 	return r0, r1
 }
 
@@ -1845,6 +1845,13 @@ func (m queryMetricsStore) GetUserStatusCounts(ctx context.Context, arg database
 	return r0, r1
 }
 
+func (m queryMetricsStore) GetUserTaskNotificationAlertDismissed(ctx context.Context, userID uuid.UUID) (bool, error) {
+	start := time.Now()
+	r0, r1 := m.s.GetUserTaskNotificationAlertDismissed(ctx, userID)
+	m.queryLatencies.WithLabelValues("GetUserTaskNotificationAlertDismissed").Observe(time.Since(start).Seconds())
+	return r0, r1
+}
+
 func (m queryMetricsStore) GetUserTerminalFont(ctx context.Context, userID uuid.UUID) (string, error) {
 	start := time.Now()
 	r0, r1 := m.s.GetUserTerminalFont(ctx, userID)
@@ -3154,6 +3161,13 @@ func (m queryMetricsStore) UpdateTailnetPeerStatusByCoordinator(ctx context.Cont
 	return r0
 }
 
+func (m queryMetricsStore) UpdateTaskPrompt(ctx context.Context, arg database.UpdateTaskPromptParams) (database.TaskTable, error) {
+	start := time.Now()
+	r0, r1 := m.s.UpdateTaskPrompt(ctx, arg)
+	m.queryLatencies.WithLabelValues("UpdateTaskPrompt").Observe(time.Since(start).Seconds())
+	return r0, r1
+}
+
 func (m queryMetricsStore) UpdateTaskWorkspaceID(ctx context.Context, arg database.UpdateTaskWorkspaceIDParams) (database.TaskTable, error) {
 	start := time.Now()
 	r0, r1 := m.s.UpdateTaskWorkspaceID(ctx, arg)
@@ -3343,6 +3357,13 @@ func (m queryMetricsStore) UpdateUserStatus(ctx context.Context, arg database.Up
 	return user, err
 }
 
+func (m queryMetricsStore) UpdateUserTaskNotificationAlertDismissed(ctx context.Context, arg database.UpdateUserTaskNotificationAlertDismissedParams) (bool, error) {
+	start := time.Now()
+	r0, r1 := m.s.UpdateUserTaskNotificationAlertDismissed(ctx, arg)
+	m.queryLatencies.WithLabelValues("UpdateUserTaskNotificationAlertDismissed").Observe(time.Since(start).Seconds())
+	return r0, r1
+}
+
 func (m queryMetricsStore) UpdateUserTerminalFont(ctx context.Context, arg database.UpdateUserTerminalFontParams) (database.UserConfig, error) {
 	start := time.Now()
 	r0, r1 := m.s.UpdateUserTerminalFont(ctx, arg)

coderd/database/dbmock/dbmock.go

@@ -2172,19 +2172,19 @@ func (mr *MockStoreMockRecorder) GetLatestCryptoKeyByFeature(ctx, feature any) *
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetLatestCryptoKeyByFeature", reflect.TypeOf((*MockStore)(nil).GetLatestCryptoKeyByFeature), ctx, feature)
 }
 
-// GetLatestWorkspaceAppStatusesByAppID mocks base method.
-func (m *MockStore) GetLatestWorkspaceAppStatusesByAppID(ctx context.Context, appID uuid.UUID) ([]database.WorkspaceAppStatus, error) {
+// GetLatestWorkspaceAppStatusByAppID mocks base method.
+func (m *MockStore) GetLatestWorkspaceAppStatusByAppID(ctx context.Context, appID uuid.UUID) (database.WorkspaceAppStatus, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetLatestWorkspaceAppStatusesByAppID", ctx, appID)
-	ret0, _ := ret[0].([]database.WorkspaceAppStatus)
+	ret := m.ctrl.Call(m, "GetLatestWorkspaceAppStatusByAppID", ctx, appID)
+	ret0, _ := ret[0].(database.WorkspaceAppStatus)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 
-// GetLatestWorkspaceAppStatusesByAppID indicates an expected call of GetLatestWorkspaceAppStatusesByAppID.
-func (mr *MockStoreMockRecorder) GetLatestWorkspaceAppStatusesByAppID(ctx, appID any) *gomock.Call {
+// GetLatestWorkspaceAppStatusByAppID indicates an expected call of GetLatestWorkspaceAppStatusByAppID.
+func (mr *MockStoreMockRecorder) GetLatestWorkspaceAppStatusByAppID(ctx, appID any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetLatestWorkspaceAppStatusesByAppID", reflect.TypeOf((*MockStore)(nil).GetLatestWorkspaceAppStatusesByAppID), ctx, appID)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetLatestWorkspaceAppStatusByAppID", reflect.TypeOf((*MockStore)(nil).GetLatestWorkspaceAppStatusByAppID), ctx, appID)
 }
 
 // GetLatestWorkspaceAppStatusesByWorkspaceIDs mocks base method.
@@ -3942,6 +3942,21 @@ func (mr *MockStoreMockRecorder) GetUserStatusCounts(ctx, arg any) *gomock.Call
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserStatusCounts", reflect.TypeOf((*MockStore)(nil).GetUserStatusCounts), ctx, arg)
 }
 
+// GetUserTaskNotificationAlertDismissed mocks base method.
+func (m *MockStore) GetUserTaskNotificationAlertDismissed(ctx context.Context, userID uuid.UUID) (bool, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetUserTaskNotificationAlertDismissed", ctx, userID)
+	ret0, _ := ret[0].(bool)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetUserTaskNotificationAlertDismissed indicates an expected call of GetUserTaskNotificationAlertDismissed.
+func (mr *MockStoreMockRecorder) GetUserTaskNotificationAlertDismissed(ctx, userID any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserTaskNotificationAlertDismissed", reflect.TypeOf((*MockStore)(nil).GetUserTaskNotificationAlertDismissed), ctx, userID)
+}
+
 // GetUserTerminalFont mocks base method.
 func (m *MockStore) GetUserTerminalFont(ctx context.Context, userID uuid.UUID) (string, error) {
 	m.ctrl.T.Helper()
@@ -6770,6 +6785,21 @@ func (mr *MockStoreMockRecorder) UpdateTailnetPeerStatusByCoordinator(ctx, arg a
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateTailnetPeerStatusByCoordinator", reflect.TypeOf((*MockStore)(nil).UpdateTailnetPeerStatusByCoordinator), ctx, arg)
 }
 
+// UpdateTaskPrompt mocks base method.
+func (m *MockStore) UpdateTaskPrompt(ctx context.Context, arg database.UpdateTaskPromptParams) (database.TaskTable, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateTaskPrompt", ctx, arg)
+	ret0, _ := ret[0].(database.TaskTable)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// UpdateTaskPrompt indicates an expected call of UpdateTaskPrompt.
+func (mr *MockStoreMockRecorder) UpdateTaskPrompt(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateTaskPrompt", reflect.TypeOf((*MockStore)(nil).UpdateTaskPrompt), ctx, arg)
+}
+
 // UpdateTaskWorkspaceID mocks base method.
 func (m *MockStore) UpdateTaskWorkspaceID(ctx context.Context, arg database.UpdateTaskWorkspaceIDParams) (database.TaskTable, error) {
 	m.ctrl.T.Helper()
@@ -7159,6 +7189,21 @@ func (mr *MockStoreMockRecorder) UpdateUserStatus(ctx, arg any) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUserStatus", reflect.TypeOf((*MockStore)(nil).UpdateUserStatus), ctx, arg)
 }
 
+// UpdateUserTaskNotificationAlertDismissed mocks base method.
+func (m *MockStore) UpdateUserTaskNotificationAlertDismissed(ctx context.Context, arg database.UpdateUserTaskNotificationAlertDismissedParams) (bool, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateUserTaskNotificationAlertDismissed", ctx, arg)
+	ret0, _ := ret[0].(bool)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// UpdateUserTaskNotificationAlertDismissed indicates an expected call of UpdateUserTaskNotificationAlertDismissed.
+func (mr *MockStoreMockRecorder) UpdateUserTaskNotificationAlertDismissed(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUserTaskNotificationAlertDismissed", reflect.TypeOf((*MockStore)(nil).UpdateUserTaskNotificationAlertDismissed), ctx, arg)
+}
+
 // UpdateUserTerminalFont mocks base method.
 func (m *MockStore) UpdateUserTerminalFont(ctx context.Context, arg database.UpdateUserTerminalFontParams) (database.UserConfig, error) {
 	m.ctrl.T.Helper()

coderd/database/dump.sql

@@ -1826,9 +1826,12 @@ CREATE TABLE tasks (
     template_parameters jsonb DEFAULT '{}'::jsonb NOT NULL,
     prompt text NOT NULL,
     created_at timestamp with time zone NOT NULL,
-    deleted_at timestamp with time zone
+    deleted_at timestamp with time zone,
+    display_name character varying(127) DEFAULT ''::character varying NOT NULL
 );
 
+COMMENT ON COLUMN tasks.display_name IS 'Display name is a custom, human-friendly task name.';
+
 CREATE VIEW visible_users AS
  SELECT users.id,
     users.username,
@@ -1964,6 +1967,7 @@ CREATE VIEW tasks_with_status AS
     tasks.prompt,
     tasks.created_at,
     tasks.deleted_at,
+    tasks.display_name,
         CASE
             WHEN (tasks.workspace_id IS NULL) THEN 'pending'::task_status
             WHEN (build_status.status <> 'active'::task_status) THEN build_status.status
@@ -3433,6 +3437,8 @@ CREATE INDEX workspace_agent_stats_template_id_created_at_user_id_idx ON workspa
 
 COMMENT ON INDEX workspace_agent_stats_template_id_created_at_user_id_idx IS 'Support index for template insights endpoint to build interval reports faster.';
 
+CREATE INDEX workspace_agents_auth_instance_id_deleted_idx ON workspace_agents USING btree (auth_instance_id, deleted);
+
 CREATE INDEX workspace_agents_auth_token_idx ON workspace_agents USING btree (auth_token);
 
 CREATE INDEX workspace_agents_resource_id_idx ON workspace_agents USING btree (resource_id);

coderd/database/migrations/000371_api_key_scopes_array_allow_list.up.sql

@@ -141,13 +141,19 @@ ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'workspace_proxy:read';
 ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'workspace_proxy:update';
 -- End enum extensions
 
+-- Purge old API keys to speed up the migration for large deployments.
+-- Note: that problem should be solved in coderd once PR 20863 is released:
+-- https://github.com/coder/coder/blob/main/coderd/database/dbpurge/dbpurge.go#L85
+DELETE FROM api_keys WHERE expires_at < NOW() - INTERVAL '7 days';
+
 -- Add new columns without defaults; backfill; then enforce NOT NULL
 ALTER TABLE api_keys ADD COLUMN scopes api_key_scope[];
 ALTER TABLE api_keys ADD COLUMN allow_list text[];
 
 -- Backfill existing rows for compatibility
-UPDATE api_keys SET scopes = ARRAY[scope::api_key_scope];
-UPDATE api_keys SET allow_list = ARRAY['*:*'];
+UPDATE api_keys SET
+    scopes = ARRAY[scope::api_key_scope],
+    allow_list = ARRAY['*:*'];
 
 -- Enforce NOT NULL
 ALTER TABLE api_keys ALTER COLUMN scopes SET NOT NULL;

coderd/database/migrations/000400_add_task_display_name.down.sql

@@ -0,0 +1,87 @@
+-- Drop view first before removing the display_name column from tasks
+DROP VIEW IF EXISTS tasks_with_status;
+
+-- Remove display_name column from tasks
+ALTER TABLE tasks DROP COLUMN display_name;
+
+-- Recreate view without the display_name column.
+-- This restores the view to its previous state after removing display_name from tasks.
+CREATE VIEW
+	tasks_with_status
+AS
+SELECT
+	tasks.*,
+	CASE
+		WHEN tasks.workspace_id IS NULL OR latest_build.job_status IS NULL THEN 'pending'::task_status
+
+		WHEN latest_build.job_status = 'failed' THEN 'error'::task_status
+
+		WHEN latest_build.transition IN ('stop', 'delete')
+			AND latest_build.job_status = 'succeeded' THEN 'paused'::task_status
+
+		WHEN latest_build.transition = 'start'
+			AND latest_build.job_status = 'pending' THEN 'initializing'::task_status
+
+		WHEN latest_build.transition = 'start' AND latest_build.job_status IN ('running', 'succeeded') THEN
+			CASE
+				WHEN agent_status.none THEN 'initializing'::task_status
+				WHEN agent_status.connecting THEN 'initializing'::task_status
+				WHEN agent_status.connected THEN
+					CASE
+						WHEN app_status.any_unhealthy THEN 'error'::task_status
+						WHEN app_status.any_initializing THEN 'initializing'::task_status
+						WHEN app_status.all_healthy_or_disabled THEN 'active'::task_status
+						ELSE 'unknown'::task_status
+						END
+				ELSE 'unknown'::task_status
+				END
+
+		ELSE 'unknown'::task_status
+		END AS status,
+	task_app.*,
+	task_owner.*
+FROM
+	tasks
+		CROSS JOIN LATERAL (
+		SELECT
+			vu.username AS owner_username,
+			vu.name AS owner_name,
+			vu.avatar_url AS owner_avatar_url
+		FROM visible_users vu
+		WHERE vu.id = tasks.owner_id
+			) task_owner
+		LEFT JOIN LATERAL (
+		SELECT workspace_build_number, workspace_agent_id, workspace_app_id
+		FROM task_workspace_apps task_app
+		WHERE task_id = tasks.id
+		ORDER BY workspace_build_number DESC
+			LIMIT 1
+	) task_app ON TRUE
+	LEFT JOIN LATERAL (
+		SELECT
+			workspace_build.transition,
+			provisioner_job.job_status,
+			workspace_build.job_id
+		FROM workspace_builds workspace_build
+		JOIN provisioner_jobs provisioner_job ON provisioner_job.id = workspace_build.job_id
+		WHERE workspace_build.workspace_id = tasks.workspace_id
+			AND workspace_build.build_number = task_app.workspace_build_number
+	) latest_build ON TRUE
+	CROSS JOIN LATERAL (
+		SELECT
+			COUNT(*) = 0 AS none,
+			bool_or(workspace_agent.lifecycle_state IN ('created', 'starting')) AS connecting,
+			bool_and(workspace_agent.lifecycle_state = 'ready') AS connected
+		FROM workspace_agents workspace_agent
+		WHERE workspace_agent.id = task_app.workspace_agent_id
+	) agent_status
+	CROSS JOIN LATERAL (
+		SELECT
+			bool_or(workspace_app.health = 'unhealthy') AS any_unhealthy,
+			bool_or(workspace_app.health = 'initializing') AS any_initializing,
+			bool_and(workspace_app.health IN ('healthy', 'disabled')) AS all_healthy_or_disabled
+		FROM workspace_apps workspace_app
+		WHERE workspace_app.id = task_app.workspace_app_id
+	) app_status
+	WHERE
+		tasks.deleted_at IS NULL;

coderd/database/migrations/000400_add_task_display_name.up.sql

@@ -0,0 +1,158 @@
+-- Add display_name column to tasks table
+ALTER TABLE tasks ADD COLUMN display_name VARCHAR(127) NOT NULL DEFAULT '';
+COMMENT ON COLUMN tasks.display_name IS 'Display name is a custom, human-friendly task name.';
+
+-- Backfill existing tasks with truncated prompt as display name
+-- Replace newlines/tabs with spaces, truncate to 64 characters and add ellipsis if truncated
+UPDATE tasks
+SET display_name = CASE
+	WHEN LENGTH(REGEXP_REPLACE(prompt, E'[\\n\\r\\t]+', ' ', 'g')) > 64
+	THEN LEFT(REGEXP_REPLACE(prompt, E'[\\n\\r\\t]+', ' ', 'g'), 63) || '…'
+	ELSE REGEXP_REPLACE(prompt, E'[\\n\\r\\t]+', ' ', 'g')
+	END
+WHERE display_name = '';
+
+-- Recreate the tasks_with_status view to pick up the new display_name column.
+-- PostgreSQL resolves the tasks.* wildcard when the view is created, not when
+-- it's queried, so the view must be recreated after adding columns to tasks.
+DROP VIEW IF EXISTS tasks_with_status;
+
+CREATE VIEW
+	tasks_with_status
+AS
+SELECT
+	tasks.*,
+	-- Combine component statuses with precedence: build -> agent -> app.
+	CASE
+		WHEN tasks.workspace_id IS NULL THEN 'pending'::task_status
+		WHEN build_status.status != 'active' THEN build_status.status::task_status
+		WHEN agent_status.status != 'active' THEN agent_status.status::task_status
+		ELSE app_status.status::task_status
+		END AS status,
+	-- Attach debug information for troubleshooting status.
+	jsonb_build_object(
+		'build', jsonb_build_object(
+		'transition', latest_build_raw.transition,
+		'job_status', latest_build_raw.job_status,
+		'computed', build_status.status
+				 ),
+		'agent', jsonb_build_object(
+			'lifecycle_state', agent_raw.lifecycle_state,
+			'computed', agent_status.status
+				 ),
+		'app', jsonb_build_object(
+			'health', app_raw.health,
+			'computed', app_status.status
+			   )
+	) AS status_debug,
+	task_app.*,
+	agent_raw.lifecycle_state AS workspace_agent_lifecycle_state,
+	app_raw.health AS workspace_app_health,
+	task_owner.*
+FROM
+	tasks
+		CROSS JOIN LATERAL (
+		SELECT
+			vu.username AS owner_username,
+			vu.name AS owner_name,
+			vu.avatar_url AS owner_avatar_url
+		FROM
+			visible_users vu
+		WHERE
+			vu.id = tasks.owner_id
+			) task_owner
+		LEFT JOIN LATERAL (
+		SELECT
+			task_app.workspace_build_number,
+			task_app.workspace_agent_id,
+			task_app.workspace_app_id
+		FROM
+			task_workspace_apps task_app
+		WHERE
+			task_id = tasks.id
+		ORDER BY
+			task_app.workspace_build_number DESC
+			LIMIT 1
+	) task_app ON TRUE
+
+	-- Join the raw data for computing task status.
+	LEFT JOIN LATERAL (
+		SELECT
+			workspace_build.transition,
+			provisioner_job.job_status,
+			workspace_build.job_id
+		FROM
+			workspace_builds workspace_build
+		JOIN
+			provisioner_jobs provisioner_job
+			ON provisioner_job.id = workspace_build.job_id
+		WHERE
+			workspace_build.workspace_id = tasks.workspace_id
+			AND workspace_build.build_number = task_app.workspace_build_number
+	) latest_build_raw ON TRUE
+	LEFT JOIN LATERAL (
+		SELECT
+			workspace_agent.lifecycle_state
+		FROM
+			workspace_agents workspace_agent
+		WHERE
+			workspace_agent.id = task_app.workspace_agent_id
+	) agent_raw ON TRUE
+	LEFT JOIN LATERAL (
+		SELECT
+			workspace_app.health
+		FROM
+			workspace_apps workspace_app
+		WHERE
+			workspace_app.id = task_app.workspace_app_id
+	) app_raw ON TRUE
+
+	-- Compute the status for each component.
+	CROSS JOIN LATERAL (
+		SELECT
+			CASE
+				WHEN latest_build_raw.job_status IS NULL THEN 'pending'::task_status
+				WHEN latest_build_raw.job_status IN ('failed', 'canceling', 'canceled') THEN 'error'::task_status
+				WHEN
+					latest_build_raw.transition IN ('stop', 'delete')
+					AND latest_build_raw.job_status = 'succeeded' THEN 'paused'::task_status
+				WHEN
+					latest_build_raw.transition = 'start'
+					AND latest_build_raw.job_status = 'pending' THEN 'initializing'::task_status
+				-- Build is running or done, defer to agent/app status.
+				WHEN
+					latest_build_raw.transition = 'start'
+					AND latest_build_raw.job_status IN ('running', 'succeeded') THEN 'active'::task_status
+				ELSE 'unknown'::task_status
+			END AS status
+	) build_status
+	CROSS JOIN LATERAL (
+		SELECT
+			CASE
+				-- No agent or connecting.
+				WHEN
+					agent_raw.lifecycle_state IS NULL
+					OR agent_raw.lifecycle_state IN ('created', 'starting') THEN 'initializing'::task_status
+				-- Agent is running, defer to app status.
+				-- NOTE(mafredri): The start_error/start_timeout states means connected, but some startup script failed.
+				-- This may or may not affect the task status but this has to be caught by app health check.
+				WHEN agent_raw.lifecycle_state IN ('ready', 'start_timeout', 'start_error') THEN 'active'::task_status
+				-- If the agent is shutting down or turned off, this is an unknown state because we would expect a stop
+				-- build to be running.
+				-- This is essentially equal to: `IN ('shutting_down', 'shutdown_timeout', 'shutdown_error', 'off')`,
+				-- but we cannot use them because the values were added in a migration.
+				WHEN agent_raw.lifecycle_state NOT IN ('created', 'starting', 'ready', 'start_timeout', 'start_error') THEN 'unknown'::task_status
+				ELSE 'unknown'::task_status
+			END AS status
+	) agent_status
+	CROSS JOIN LATERAL (
+		SELECT
+			CASE
+				WHEN app_raw.health = 'initializing' THEN 'initializing'::task_status
+				WHEN app_raw.health = 'unhealthy' THEN 'error'::task_status
+				WHEN app_raw.health IN ('healthy', 'disabled') THEN 'active'::task_status
+				ELSE 'unknown'::task_status
+			END AS status
+	) app_status
+	WHERE
+		tasks.deleted_at IS NULL;

coderd/database/migrations/000401_add_workspace_agents_index.down.sql

@@ -0,0 +1 @@
+DROP INDEX IF EXISTS public.workspace_agents_auth_instance_id_deleted_idx;

coderd/database/migrations/000401_add_workspace_agents_index.up.sql

@@ -0,0 +1 @@
+CREATE INDEX IF NOT EXISTS workspace_agents_auth_instance_id_deleted_idx ON public.workspace_agents (auth_instance_id, deleted);

coderd/database/migrations/testdata/fixtures/000371_add_api_key_and_oauth2_provider_app_token.up.sql

@@ -0,0 +1,57 @@
+-- Ensure api_keys and oauth2_provider_app_tokens have live data after
+-- migration 000371 deletes expired rows.
+INSERT INTO api_keys (
+	id,
+	hashed_secret,
+	user_id,
+	last_used,
+	expires_at,
+	created_at,
+	updated_at,
+	login_type,
+	lifetime_seconds,
+	ip_address,
+	token_name,
+	scopes,
+	allow_list
+)
+VALUES (
+	'fixture-api-key',
+	'\xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
+	'30095c71-380b-457a-8995-97b8ee6e5307',
+	NOW() - INTERVAL '1 hour',
+	NOW() + INTERVAL '30 days',
+	NOW() - INTERVAL '1 day',
+	NOW() - INTERVAL '1 day',
+	'password',
+	86400,
+	'0.0.0.0',
+	'fixture-api-key',
+	ARRAY['workspace:read']::api_key_scope[],
+	ARRAY['*:*']
+)
+ON CONFLICT (id) DO NOTHING;
+
+INSERT INTO oauth2_provider_app_tokens (
+	id,
+	created_at,
+	expires_at,
+	hash_prefix,
+	refresh_hash,
+	app_secret_id,
+	api_key_id,
+	audience,
+	user_id
+)
+VALUES (
+	'9f92f3c9-811f-4f6f-9a1c-3f2eed1f9f15',
+	NOW() - INTERVAL '30 minutes',
+	NOW() + INTERVAL '30 days',
+	CAST('fixture-hash-prefix' AS bytea),
+	CAST('fixture-refresh-hash' AS bytea),
+	'b0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11',
+	'fixture-api-key',
+	'https://coder.example.com',
+	'30095c71-380b-457a-8995-97b8ee6e5307'
+)
+ON CONFLICT (id) DO NOTHING;

coderd/database/modelmethods.go

@@ -1,6 +1,7 @@
 package database
 
 import (
+	"database/sql"
 	"encoding/hex"
 	"slices"
 	"sort"
@@ -132,11 +133,29 @@ func (w ConnectionLog) RBACObject() rbac.Object {
 	return obj
 }
 
+// TaskTable converts a Task to it's reduced version.
+// A more generalized solution is to use json marshaling to
+// consistently keep these two structs in sync.
+// That would be a lot of overhead, and a more costly unit test is
+// written to make sure these match up.
+func (t Task) TaskTable() TaskTable {
+	return TaskTable{
+		ID:                 t.ID,
+		OrganizationID:     t.OrganizationID,
+		OwnerID:            t.OwnerID,
+		Name:               t.Name,
+		DisplayName:        t.DisplayName,
+		WorkspaceID:        t.WorkspaceID,
+		TemplateVersionID:  t.TemplateVersionID,
+		TemplateParameters: t.TemplateParameters,
+		Prompt:             t.Prompt,
+		CreatedAt:          t.CreatedAt,
+		DeletedAt:          t.DeletedAt,
+	}
+}
+
 func (t Task) RBACObject() rbac.Object {
-	return rbac.ResourceTask.
-		WithID(t.ID).
-		WithOwner(t.OwnerID.String()).
-		InOrg(t.OrganizationID)
+	return t.TaskTable().RBACObject()
 }
 
 func (t TaskTable) RBACObject() rbac.Object {
@@ -778,3 +797,60 @@ func (s UserSecret) RBACObject() rbac.Object {
 func (s AIBridgeInterception) RBACObject() rbac.Object {
 	return rbac.ResourceAibridgeInterception.WithOwner(s.InitiatorID.String())
 }
+
+// WorkspaceIdentity contains the minimal workspace fields needed for agent API metadata/stats reporting
+// and RBAC checks, without requiring a full database.Workspace object.
+type WorkspaceIdentity struct {
+	// Add any other fields needed for IsPrebuild() if it relies on workspace fields
+	// Identity fields
+	ID             uuid.UUID
+	OwnerID        uuid.UUID
+	OrganizationID uuid.UUID
+	TemplateID     uuid.UUID
+
+	// Display fields for logging/metrics
+	Name          string
+	OwnerUsername string
+	TemplateName  string
+
+	// Lifecycle fields needed for stats reporting
+	AutostartSchedule sql.NullString
+}
+
+func (w WorkspaceIdentity) RBACObject() rbac.Object {
+	return Workspace{
+		ID:                w.ID,
+		OwnerID:           w.OwnerID,
+		OrganizationID:    w.OrganizationID,
+		TemplateID:        w.TemplateID,
+		Name:              w.Name,
+		OwnerUsername:     w.OwnerUsername,
+		TemplateName:      w.TemplateName,
+		AutostartSchedule: w.AutostartSchedule,
+	}.RBACObject()
+}
+
+// IsPrebuild returns true if the workspace is a prebuild workspace.
+// A workspace is considered a prebuild if its owner is the prebuild system user.
+func (w WorkspaceIdentity) IsPrebuild() bool {
+	return w.OwnerID == PrebuildsSystemUserID
+}
+
+func (w WorkspaceIdentity) Equal(w2 WorkspaceIdentity) bool {
+	return w.ID == w2.ID && w.OwnerID == w2.OwnerID && w.OrganizationID == w2.OrganizationID &&
+		w.TemplateID == w2.TemplateID && w.Name == w2.Name && w.OwnerUsername == w2.OwnerUsername &&
+		w.TemplateName == w2.TemplateName && w.AutostartSchedule == w2.AutostartSchedule
+}
+
+func WorkspaceIdentityFromWorkspace(w Workspace) WorkspaceIdentity {
+	return WorkspaceIdentity{
+		ID:                w.ID,
+		OwnerID:           w.OwnerID,
+		OrganizationID:    w.OrganizationID,
+		TemplateID:        w.TemplateID,
+		Name:              w.Name,
+		OwnerUsername:     w.OwnerUsername,
+		TemplateName:      w.TemplateName,
+		AutostartSchedule: w.AutostartSchedule,
+	}
+}

coderd/database/modelqueries_internal_test.go

@@ -58,6 +58,45 @@ func TestWorkspaceTableConvert(t *testing.T) {
 			"To resolve this, go to the 'func (w Workspace) WorkspaceTable()' and ensure all fields are converted.")
 }
 
+// TestTaskTableConvert verifies all task fields are converted
+// when reducing a `Task` to a `TaskTable`.
+// This test is a guard rail to prevent developer oversight mistakes.
+func TestTaskTableConvert(t *testing.T) {
+	t.Parallel()
+
+	staticRandoms := &testutil.Random{
+		String:  func() string { return "foo" },
+		Bool:    func() bool { return true },
+		Int:     func() int64 { return 500 },
+		Uint:    func() uint64 { return 126 },
+		Float:   func() float64 { return 3.14 },
+		Complex: func() complex128 { return 6.24 },
+		Time: func() time.Time {
+			return time.Date(2020, 5, 2, 5, 19, 21, 30, time.UTC)
+		},
+	}
+
+	// Copies the approach taken by TestWorkspaceTableConvert.
+	//
+	// If you use 'PopulateStruct' to create 2 tasks, using the same
+	// "random" values for each type. Then they should be identical.
+	//
+	// So if 'task.TaskTable()' was missing any fields in its
+	// conversion, the comparison would fail.
+
+	var task Task
+	err := testutil.PopulateStruct(&task, staticRandoms)
+	require.NoError(t, err)
+
+	var subset TaskTable
+	err = testutil.PopulateStruct(&subset, staticRandoms)
+	require.NoError(t, err)
+
+	require.Equal(t, task.TaskTable(), subset,
+		"'task.TaskTable()' is not missing at least 1 field when converting to 'TaskTable'. "+
+			"To resolve this, go to the 'func (t Task) TaskTable()' and ensure all fields are converted.")
+}
+
 // TestAuditLogsQueryConsistency ensures that GetAuditLogsOffset and CountAuditLogs
 // have identical WHERE clauses to prevent filtering inconsistencies.
 // This test is a guard rail to prevent developer oversight mistakes.

coderd/database/models.go

@@ -4218,6 +4218,7 @@ type Task struct {
 	Prompt                       string                           `db:"prompt" json:"prompt"`
 	CreatedAt                    time.Time                        `db:"created_at" json:"created_at"`
 	DeletedAt                    sql.NullTime                     `db:"deleted_at" json:"deleted_at"`
+	DisplayName                  string                           `db:"display_name" json:"display_name"`
 	Status                       TaskStatus                       `db:"status" json:"status"`
 	StatusDebug                  json.RawMessage                  `db:"status_debug" json:"status_debug"`
 	WorkspaceBuildNumber         sql.NullInt32                    `db:"workspace_build_number" json:"workspace_build_number"`
@@ -4241,6 +4242,8 @@ type TaskTable struct {
 	Prompt             string          `db:"prompt" json:"prompt"`
 	CreatedAt          time.Time       `db:"created_at" json:"created_at"`
 	DeletedAt          sql.NullTime    `db:"deleted_at" json:"deleted_at"`
+	// Display name is a custom, human-friendly task name.
+	DisplayName string `db:"display_name" json:"display_name"`
 }
 
 type TaskWorkspaceApp struct {

coderd/database/querier.go

@@ -238,7 +238,7 @@ type sqlcQuerier interface {
 	GetInboxNotificationsByUserID(ctx context.Context, arg GetInboxNotificationsByUserIDParams) ([]InboxNotification, error)
 	GetLastUpdateCheck(ctx context.Context) (string, error)
 	GetLatestCryptoKeyByFeature(ctx context.Context, feature CryptoKeyFeature) (CryptoKey, error)
-	GetLatestWorkspaceAppStatusesByAppID(ctx context.Context, appID uuid.UUID) ([]WorkspaceAppStatus, error)
+	GetLatestWorkspaceAppStatusByAppID(ctx context.Context, appID uuid.UUID) (WorkspaceAppStatus, error)
 	GetLatestWorkspaceAppStatusesByWorkspaceIDs(ctx context.Context, ids []uuid.UUID) ([]WorkspaceAppStatus, error)
 	GetLatestWorkspaceBuildByWorkspaceID(ctx context.Context, workspaceID uuid.UUID) (WorkspaceBuild, error)
 	GetLatestWorkspaceBuildsByWorkspaceIDs(ctx context.Context, ids []uuid.UUID) ([]WorkspaceBuild, error)
@@ -447,6 +447,7 @@ type sqlcQuerier interface {
 	// We do not start counting from 0 at the start_time. We check the last status change before the start_time for each user. As such,
 	// the result shows the total number of users in each status on any particular day.
 	GetUserStatusCounts(ctx context.Context, arg GetUserStatusCountsParams) ([]GetUserStatusCountsRow, error)
+	GetUserTaskNotificationAlertDismissed(ctx context.Context, userID uuid.UUID) (bool, error)
 	GetUserTerminalFont(ctx context.Context, userID uuid.UUID) (string, error)
 	GetUserThemePreference(ctx context.Context, userID uuid.UUID) (string, error)
 	GetUserWorkspaceBuildParameters(ctx context.Context, arg GetUserWorkspaceBuildParametersParams) ([]GetUserWorkspaceBuildParametersRow, error)
@@ -686,6 +687,7 @@ type sqlcQuerier interface {
 	UpdateProvisionerJobWithCompleteWithStartedAtByID(ctx context.Context, arg UpdateProvisionerJobWithCompleteWithStartedAtByIDParams) error
 	UpdateReplica(ctx context.Context, arg UpdateReplicaParams) (Replica, error)
 	UpdateTailnetPeerStatusByCoordinator(ctx context.Context, arg UpdateTailnetPeerStatusByCoordinatorParams) error
+	UpdateTaskPrompt(ctx context.Context, arg UpdateTaskPromptParams) (TaskTable, error)
 	UpdateTaskWorkspaceID(ctx context.Context, arg UpdateTaskWorkspaceIDParams) (TaskTable, error)
 	UpdateTemplateACLByID(ctx context.Context, arg UpdateTemplateACLByIDParams) error
 	UpdateTemplateAccessControlByID(ctx context.Context, arg UpdateTemplateAccessControlByIDParams) error
@@ -713,6 +715,7 @@ type sqlcQuerier interface {
 	UpdateUserRoles(ctx context.Context, arg UpdateUserRolesParams) (User, error)
 	UpdateUserSecret(ctx context.Context, arg UpdateUserSecretParams) (UserSecret, error)
 	UpdateUserStatus(ctx context.Context, arg UpdateUserStatusParams) (User, error)
+	UpdateUserTaskNotificationAlertDismissed(ctx context.Context, arg UpdateUserTaskNotificationAlertDismissedParams) (bool, error)
 	UpdateUserTerminalFont(ctx context.Context, arg UpdateUserTerminalFontParams) (UserConfig, error)
 	UpdateUserThemePreference(ctx context.Context, arg UpdateUserThemePreferenceParams) (UserConfig, error)
 	UpdateVolumeResourceMonitor(ctx context.Context, arg UpdateVolumeResourceMonitorParams) error