docs(cli): reference --oidc-group-mapping flag name instead of 'legacy'

Issue: Used internal nomenclature instead of user-facing flag name

The previous fix referenced 'legacy group name mapping' but users don't
know what that means - it's an internal implementation detail. Users
configure this via the --oidc-group-mapping flag.

Changed to: 'This filter is applied after the oidc-group-mapping.'

This directly references the flag name users would actually use, making
the relationship clear and actionable. Users can now understand:
- The regex filter applies to group names
- Group names may have been transformed by --oidc-group-mapping first
- They need to write regex patterns that match the mapped names

Example: If --oidc-group-mapping transforms 'developers' to 'dev-team',
the regex in --oidc-group-regex-filter will match against 'dev-team'.

.github/actions/setup-gnu-tools/action.yaml

@@ -0,0 +1,18 @@
+name: "Setup GNU tools (macOS)"
+description: |
+  Installs GNU versions of bash, getopt, and make on macOS runners.
+  Required because lib.sh needs bash 4+, GNU getopt, and make 4+.
+  This is a no-op on non-macOS runners.
+runs:
+  using: "composite"
+  steps:
+    - name: Setup GNU tools (macOS)
+      if: runner.os == 'macOS'
+      shell: bash
+      run: |
+        brew install bash gnu-getopt make
+        {
+          echo "$(brew --prefix bash)/bin"
+          echo "$(brew --prefix gnu-getopt)/bin"
+          echo "$(brew --prefix make)/libexec/gnubin"
+        } >> "$GITHUB_PATH"

.github/workflows/ci.yaml

@@ -181,7 +181,7 @@ jobs:
           echo "LINT_CACHE_DIR=$dir" >> "$GITHUB_ENV"
 
       - name: golangci-lint cache
-        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: |
             ${{ env.LINT_CACHE_DIR }}
@@ -241,7 +241,9 @@ jobs:
 
   lint-actions:
     needs: changes
-    if: needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
+    # Only run this job if changes to CI workflow files are detected. This job
+    # can flake as it reaches out to GitHub to check referenced actions.
+    if: needs.changes.outputs.ci == 'true'
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
     steps:
       - name: Harden Runner
@@ -414,17 +416,8 @@ jobs:
         id: go-paths
         uses: ./.github/actions/setup-go-paths
 
-      # macOS default bash and coreutils are too old for our scripts
-      # (lib.sh requires bash 4+, GNU getopt, make 4+).
       - name: Setup GNU tools (macOS)
-        if: runner.os == 'macOS'
-        run: |
-          brew install bash gnu-getopt make
-          {
-            echo "$(brew --prefix bash)/bin"
-            echo "$(brew --prefix gnu-getopt)/bin"
-            echo "$(brew --prefix make)/libexec/gnubin"
-          } >> "$GITHUB_PATH"
+        uses: ./.github/actions/setup-gnu-tools
 
       - name: Setup Go
         uses: ./.github/actions/setup-go
@@ -1056,14 +1049,8 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Setup build tools
-        run: |
-          brew install bash gnu-getopt make
-          {
-            echo "$(brew --prefix bash)/bin"
-            echo "$(brew --prefix gnu-getopt)/bin"
-            echo "$(brew --prefix make)/libexec/gnubin"
-          } >> "$GITHUB_PATH"
+      - name: Setup GNU tools (macOS)
+        uses: ./.github/actions/setup-gnu-tools
 
       - name: Switch XCode Version
         uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
@@ -1199,7 +1186,7 @@ jobs:
           persist-credentials: false
 
       - name: GHCR Login
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -1406,7 +1393,7 @@ jobs:
         id: attest_main
         if: github.ref == 'refs/heads/main'
         continue-on-error: true
-        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
+        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
         with:
           subject-name: "ghcr.io/coder/coder-preview:main"
           predicate-type: "https://slsa.dev/provenance/v1"
@@ -1443,7 +1430,7 @@ jobs:
         id: attest_latest
         if: github.ref == 'refs/heads/main'
         continue-on-error: true
-        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
+        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
         with:
           subject-name: "ghcr.io/coder/coder-preview:latest"
           predicate-type: "https://slsa.dev/provenance/v1"
@@ -1480,7 +1467,7 @@ jobs:
         id: attest_version
         if: github.ref == 'refs/heads/main'
         continue-on-error: true
-        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
+        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
         with:
           subject-name: "ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}"
           predicate-type: "https://slsa.dev/provenance/v1"

.github/workflows/code-review.yaml

@@ -6,9 +6,7 @@
 # native suggestion syntax, allowing one-click commits of suggested changes.
 #
 # Triggers:
-#   - New PR opened: Initial code review
-#   - Label "code-review" added: Re-run review on demand
-#   - PR marked ready for review: Review when draft is promoted
+#   - Label "code-review" added: Run review on demand
 #   - Workflow dispatch: Manual run with PR URL
 #
 # Note: This workflow requires access to secrets and will be skipped for:
@@ -20,9 +18,7 @@ name: AI Code Review
 on:
   pull_request:
     types:
-      - opened
       - labeled
-      - ready_for_review
   workflow_dispatch:
     inputs:
       pr_url:
@@ -44,9 +40,7 @@ jobs:
       cancel-in-progress: true
     if: |
       (
-        github.event.action == 'opened' ||
         github.event.label.name == 'code-review' ||
-        github.event.action == 'ready_for_review' ||
         github.event_name == 'workflow_dispatch'
       ) &&
       (github.event.pull_request.draft == false || github.event_name == 'workflow_dispatch')
@@ -127,15 +121,9 @@ jobs:
 
             # Set trigger type based on action
             case "${GITHUB_EVENT_ACTION}" in
-              opened)
-                echo "trigger_type=new_pr" >> "${GITHUB_OUTPUT}"
-                ;;
               labeled)
                 echo "trigger_type=label_requested" >> "${GITHUB_OUTPUT}"
                 ;;
-              ready_for_review)
-                echo "trigger_type=ready_for_review" >> "${GITHUB_OUTPUT}"
-                ;;
               *)
                 echo "trigger_type=unknown" >> "${GITHUB_OUTPUT}"
                 ;;
@@ -157,15 +145,9 @@ jobs:
 
           # Build context based on trigger type
           case "${TRIGGER_TYPE}" in
-            new_pr)
-              CONTEXT="This is a NEW PR. Perform a thorough code review."
-              ;;
             label_requested)
               CONTEXT="A code review was REQUESTED via label. Perform a thorough code review."
               ;;
-            ready_for_review)
-              CONTEXT="This PR was marked READY FOR REVIEW. Perform a thorough code review."
-              ;;
             manual)
               CONTEXT="This is a MANUAL review request. Perform a thorough code review."
               ;;

.github/workflows/deploy.yaml

@@ -76,7 +76,7 @@ jobs:
           persist-credentials: false
 
       - name: GHCR Login
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/doc-check.yaml

@@ -160,34 +160,41 @@ jobs:
           # Build context based on trigger type
           case "${TRIGGER_TYPE}" in
             new_pr)
-              CONTEXT="This is a NEW PR. Perform a thorough documentation review."
+              CONTEXT="This is a NEW PR. Perform initial documentation review."
               ;;
             pr_updated)
-              CONTEXT="This PR was UPDATED with new commits. Only comment if the changes affect documentation needs or address previous feedback."
+              CONTEXT="This PR was UPDATED with new commits. Check if previous feedback was addressed or if new doc needs arose."
               ;;
             label_requested)
-              CONTEXT="A documentation review was REQUESTED via label. Perform a thorough documentation review."
+              CONTEXT="A documentation review was REQUESTED via label. Perform a thorough review."
               ;;
             ready_for_review)
-              CONTEXT="This PR was marked READY FOR REVIEW (converted from draft). Perform a thorough documentation review."
+              CONTEXT="This PR was marked READY FOR REVIEW. Perform a thorough review."
               ;;
             manual)
-              CONTEXT="This is a MANUAL review request. Perform a thorough documentation review."
+              CONTEXT="This is a MANUAL review request. Perform a thorough review."
               ;;
             *)
-              CONTEXT="Perform a thorough documentation review."
+              CONTEXT="Perform a documentation review."
               ;;
           esac
 
-          # Build task prompt with PR-specific context
+          # Build task prompt with sticky comment logic
           TASK_PROMPT="Use the doc-check skill to review PR #${PR_NUMBER} in coder/coder.
 
           ${CONTEXT}
 
-          Use \`gh\` to get PR details, diff, and all comments. Check for previous doc-check comments (from coder-doc-check) and only post a new comment if it adds value.
+          Use \`gh\` to get PR details, diff, and all comments. Look for an existing doc-check comment containing \`<!-- doc-check-sticky -->\` - if one exists, you'll update it instead of creating a new one.
 
           **Do not comment if no documentation changes are needed.**
 
+          If a sticky comment already exists, compare your current findings against it:
+          - Check off \`[x]\` items that are now addressed
+          - Strikethrough items no longer needed (e.g., code was reverted)
+          - Add new unchecked \`[ ]\` items for newly discovered needs
+          - If an item is checked but you can't verify the docs were added, add a warning note below it
+          - If nothing meaningful changed, don't update the comment at all
+
           ## Comment format
 
           Use this structure (only include relevant sections):
@@ -195,18 +202,21 @@ jobs:
           \`\`\`
           ## Documentation Check
 
-          ### Previous Feedback
-          [For re-reviews only: Addressed | Partially addressed | Not yet addressed]
-
           ### Updates Needed
-          - [ ] \`docs/path/file.md\` - [what needs to change]
+          - [ ] \`docs/path/file.md\` - What needs to change
+          - [x] \`docs/other/file.md\` - This was addressed
+          - ~~\`docs/removed.md\` - No longer needed~~ *(reverted in abc123)*
 
           ### New Documentation Needed
-          - [ ] \`docs/suggested/path.md\` - [what should be documented]
+          - [ ] \`docs/suggested/path.md\` - What should be documented
+            > ⚠️ *Checked but no corresponding documentation changes found in this PR*
 
           ---
           *Automated review via [Coder Tasks](https://coder.com/docs/ai-coder/tasks)*
-          \`\`\`"
+          <!-- doc-check-sticky -->
+          \`\`\`
+
+          The \`<!-- doc-check-sticky -->\` marker must be at the end so future runs can find and update this comment."
 
           # Output the prompt
           {

.github/workflows/docker-base.yaml

@@ -48,7 +48,7 @@ jobs:
           persist-credentials: false
 
       - name: Docker login
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/dogfood.yaml

@@ -42,7 +42,7 @@ jobs:
           # on version 2.29 and above.
           nix_version: "2.28.5"
 
-      - uses: nix-community/cache-nix-action@106bba72ed8e29c8357661199511ef07790175e9 # v7.0.1
+      - uses: nix-community/cache-nix-action@7df957e333c1e5da7721f60227dbba6d06080569 # v7.0.2
         with:
           # restore and save a cache using this key
           primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
@@ -82,7 +82,7 @@ jobs:
 
       - name: Login to DockerHub
         if: github.ref == 'refs/heads/main'
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}

.github/workflows/nightly-gauntlet.yaml

@@ -59,6 +59,9 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
+      - name: Setup GNU tools (macOS)
+        uses: ./.github/actions/setup-gnu-tools
+
       - name: Setup Go
         uses: ./.github/actions/setup-go
         with:

.github/workflows/pr-deploy.yaml

@@ -248,7 +248,7 @@ jobs:
         uses: ./.github/actions/setup-sqlc
 
       - name: GHCR Login
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/release.yaml

@@ -78,14 +78,8 @@ jobs:
       - name: Fetch git tags
         run: git fetch --tags --force
 
-      - name: Setup build tools
-        run: |
-          brew install bash gnu-getopt make
-          {
-            echo "$(brew --prefix bash)/bin"
-            echo "$(brew --prefix gnu-getopt)/bin"
-            echo "$(brew --prefix make)/libexec/gnubin"
-          } >> "$GITHUB_PATH"
+      - name: Setup GNU tools (macOS)
+        uses: ./.github/actions/setup-gnu-tools
 
       - name: Switch XCode Version
         uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
@@ -239,7 +233,7 @@ jobs:
           cat "$CODER_RELEASE_NOTES_FILE"
 
       - name: Docker Login
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -454,7 +448,7 @@ jobs:
         id: attest_base
         if: ${{ !inputs.dry_run && steps.image-base-tag.outputs.tag != '' }}
         continue-on-error: true
-        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
+        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
         with:
           subject-name: ${{ steps.image-base-tag.outputs.tag }}
           predicate-type: "https://slsa.dev/provenance/v1"
@@ -570,7 +564,7 @@ jobs:
         id: attest_main
         if: ${{ !inputs.dry_run }}
         continue-on-error: true
-        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
+        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
         with:
           subject-name: ${{ steps.build_docker.outputs.multiarch_image }}
           predicate-type: "https://slsa.dev/provenance/v1"
@@ -614,7 +608,7 @@ jobs:
         id: attest_latest
         if: ${{ !inputs.dry_run && steps.build_docker.outputs.created_latest_tag == 'true' }}
         continue-on-error: true
-        uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
+        uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
         with:
           subject-name: ${{ steps.latest_tag.outputs.tag }}
           predicate-type: "https://slsa.dev/provenance/v1"

Makefile

@@ -938,6 +938,7 @@ coderd/apidoc/.gen: \
 	coderd/rbac/object_gen.go \
 	.swaggo \
 	scripts/apidocgen/generate.sh \
+	scripts/apidocgen/swaginit/main.go \
 	$(wildcard scripts/apidocgen/postprocess/*) \
 	$(wildcard scripts/apidocgen/markdown-template/*)
 	./scripts/apidocgen/generate.sh

agent/agentcontainers/acmock/acmock.go

@@ -1,9 +1,9 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: .. (interfaces: ContainerCLI,DevcontainerCLI)
+// Source: .. (interfaces: ContainerCLI,DevcontainerCLI,SubAgentClient)
 //
 // Generated by this command:
 //
-//	mockgen -destination ./acmock.go -package acmock .. ContainerCLI,DevcontainerCLI
+//	mockgen -destination ./acmock.go -package acmock .. ContainerCLI,DevcontainerCLI,SubAgentClient
 //
 
 // Package acmock is a generated GoMock package.
@@ -15,6 +15,7 @@ import (
 
 	agentcontainers "github.com/coder/coder/v2/agent/agentcontainers"
 	codersdk "github.com/coder/coder/v2/codersdk"
+	uuid "github.com/google/uuid"
 	gomock "go.uber.org/mock/gomock"
 )
 
@@ -216,3 +217,71 @@ func (mr *MockDevcontainerCLIMockRecorder) Up(ctx, workspaceFolder, configPath a
 	varargs := append([]any{ctx, workspaceFolder, configPath}, opts...)
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Up", reflect.TypeOf((*MockDevcontainerCLI)(nil).Up), varargs...)
 }
+
+// MockSubAgentClient is a mock of SubAgentClient interface.
+type MockSubAgentClient struct {
+	ctrl     *gomock.Controller
+	recorder *MockSubAgentClientMockRecorder
+	isgomock struct{}
+}
+
+// MockSubAgentClientMockRecorder is the mock recorder for MockSubAgentClient.
+type MockSubAgentClientMockRecorder struct {
+	mock *MockSubAgentClient
+}
+
+// NewMockSubAgentClient creates a new mock instance.
+func NewMockSubAgentClient(ctrl *gomock.Controller) *MockSubAgentClient {
+	mock := &MockSubAgentClient{ctrl: ctrl}
+	mock.recorder = &MockSubAgentClientMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockSubAgentClient) EXPECT() *MockSubAgentClientMockRecorder {
+	return m.recorder
+}
+
+// Create mocks base method.
+func (m *MockSubAgentClient) Create(ctx context.Context, agent agentcontainers.SubAgent) (agentcontainers.SubAgent, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Create", ctx, agent)
+	ret0, _ := ret[0].(agentcontainers.SubAgent)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Create indicates an expected call of Create.
+func (mr *MockSubAgentClientMockRecorder) Create(ctx, agent any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Create", reflect.TypeOf((*MockSubAgentClient)(nil).Create), ctx, agent)
+}
+
+// Delete mocks base method.
+func (m *MockSubAgentClient) Delete(ctx context.Context, id uuid.UUID) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Delete", ctx, id)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Delete indicates an expected call of Delete.
+func (mr *MockSubAgentClientMockRecorder) Delete(ctx, id any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Delete", reflect.TypeOf((*MockSubAgentClient)(nil).Delete), ctx, id)
+}
+
+// List mocks base method.
+func (m *MockSubAgentClient) List(ctx context.Context) ([]agentcontainers.SubAgent, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "List", ctx)
+	ret0, _ := ret[0].([]agentcontainers.SubAgent)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// List indicates an expected call of List.
+func (mr *MockSubAgentClientMockRecorder) List(ctx any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "List", reflect.TypeOf((*MockSubAgentClient)(nil).List), ctx)
+}

agent/agentcontainers/acmock/doc.go

@@ -1,4 +1,4 @@
 // Package acmock contains a mock implementation of agentcontainers.Lister for use in tests.
 package acmock
 
-//go:generate mockgen -destination ./acmock.go -package acmock .. ContainerCLI,DevcontainerCLI
+//go:generate mockgen -destination ./acmock.go -package acmock .. ContainerCLI,DevcontainerCLI,SubAgentClient

agent/agentcontainers/api.go

@@ -562,12 +562,9 @@ func (api *API) discoverDevcontainersInProject(projectPath string) error {
 				api.broadcastUpdatesLocked()
 
 				if dc.Status == codersdk.WorkspaceAgentDevcontainerStatusStarting {
-					api.asyncWg.Add(1)
-					go func() {
-						defer api.asyncWg.Done()
-
+					api.asyncWg.Go(func() {
 						_ = api.CreateDevcontainer(dc.WorkspaceFolder, dc.ConfigPath)
-					}()
+					})
 				}
 			}
 			api.mu.Unlock()
@@ -1627,16 +1624,25 @@ func (api *API) cleanupSubAgents(ctx context.Context) error {
 	api.mu.Lock()
 	defer api.mu.Unlock()
 
-	injected := make(map[uuid.UUID]bool, len(api.injectedSubAgentProcs))
+	// Collect all subagent IDs that should be kept:
+	// 1. Subagents currently tracked by injectedSubAgentProcs
+	// 2. Subagents referenced by known devcontainers from the manifest
+	var keep []uuid.UUID
 	for _, proc := range api.injectedSubAgentProcs {
-		injected[proc.agent.ID] = true
+		keep = append(keep, proc.agent.ID)
+	}
+	for _, dc := range api.knownDevcontainers {
+		if dc.SubagentID.Valid {
+			keep = append(keep, dc.SubagentID.UUID)
+		}
 	}
 
 	ctx, cancel := context.WithTimeout(ctx, defaultOperationTimeout)
 	defer cancel()
 
+	var errs []error
 	for _, agent := range agents {
-		if injected[agent.ID] {
+		if slices.Contains(keep, agent.ID) {
 			continue
 		}
 		client := *api.subAgentClient.Load()
@@ -1647,10 +1653,11 @@ func (api *API) cleanupSubAgents(ctx context.Context) error {
 				slog.F("agent_id", agent.ID),
 				slog.F("agent_name", agent.Name),
 			)
+			errs = append(errs, xerrors.Errorf("delete agent %s (%s): %w", agent.Name, agent.ID, err))
 		}
 	}
 
-	return nil
+	return errors.Join(errs...)
 }
 
 // maybeInjectSubAgentIntoContainerLocked injects a subagent into a dev
@@ -2001,7 +2008,20 @@ func (api *API) maybeInjectSubAgentIntoContainerLocked(ctx context.Context, dc c
 	// 	logger.Warn(ctx, "set CAP_NET_ADMIN on agent binary failed", slog.Error(err))
 	// }
 
-	deleteSubAgent := proc.agent.ID != uuid.Nil && maybeRecreateSubAgent && !proc.agent.EqualConfig(subAgentConfig)
+	// Only delete and recreate subagents that were dynamically created
+	// (ID == uuid.Nil). Terraform-defined subagents (subAgentConfig.ID !=
+	// uuid.Nil) must not be deleted because they have attached resources
+	// managed by terraform.
+	isTerraformManaged := subAgentConfig.ID != uuid.Nil
+	configHasChanged := !proc.agent.EqualConfig(subAgentConfig)
+
+	logger.Debug(ctx, "checking if sub agent should be deleted",
+		slog.F("is_terraform_managed", isTerraformManaged),
+		slog.F("maybe_recreate_sub_agent", maybeRecreateSubAgent),
+		slog.F("config_has_changed", configHasChanged),
+	)
+
+	deleteSubAgent := !isTerraformManaged && maybeRecreateSubAgent && configHasChanged
 	if deleteSubAgent {
 		logger.Debug(ctx, "deleting existing subagent for recreation", slog.F("agent_id", proc.agent.ID))
 		client := *api.subAgentClient.Load()
@@ -2012,11 +2032,23 @@ func (api *API) maybeInjectSubAgentIntoContainerLocked(ctx context.Context, dc c
 		proc.agent = SubAgent{} // Clear agent to signal that we need to create a new one.
 	}
 
-	if proc.agent.ID == uuid.Nil {
-		logger.Debug(ctx, "creating new subagent",
-			slog.F("directory", subAgentConfig.Directory),
-			slog.F("display_apps", subAgentConfig.DisplayApps),
-		)
+	// Re-create (upsert) terraform-managed subagents when the config
+	// changes so that display apps and other settings are updated
+	// without deleting the agent.
+	recreateTerraformSubAgent := isTerraformManaged && maybeRecreateSubAgent && configHasChanged
+
+	if proc.agent.ID == uuid.Nil || recreateTerraformSubAgent {
+		if recreateTerraformSubAgent {
+			logger.Debug(ctx, "updating existing subagent",
+				slog.F("directory", subAgentConfig.Directory),
+				slog.F("display_apps", subAgentConfig.DisplayApps),
+			)
+		} else {
+			logger.Debug(ctx, "creating new subagent",
+				slog.F("directory", subAgentConfig.Directory),
+				slog.F("display_apps", subAgentConfig.DisplayApps),
+			)
+		}
 
 		// Create new subagent record in the database to receive the auth token.
 		// If we get a unique constraint violation, try with expanded names that

agent/agentcontainers/api_test.go

@@ -437,7 +437,11 @@ func (m *fakeSubAgentClient) Create(ctx context.Context, agent agentcontainers.S
 		}
 	}
 
-	agent.ID = uuid.New()
+	// Only generate a new ID if one wasn't provided. Terraform-defined
+	// subagents have pre-existing IDs that should be preserved.
+	if agent.ID == uuid.Nil {
+		agent.ID = uuid.New()
+	}
 	agent.AuthToken = uuid.New()
 	if m.agents == nil {
 		m.agents = make(map[uuid.UUID]agentcontainers.SubAgent)
@@ -1035,6 +1039,30 @@ func TestAPI(t *testing.T) {
 				wantStatus:      []int{http.StatusAccepted, http.StatusConflict},
 				wantBody:        []string{"Devcontainer recreation initiated", "is currently starting and cannot be restarted"},
 			},
+			{
+				name:           "Terraform-defined devcontainer can be rebuilt",
+				devcontainerID: devcontainerID1.String(),
+				setupDevcontainers: []codersdk.WorkspaceAgentDevcontainer{
+					{
+						ID:              devcontainerID1,
+						Name:            "test-devcontainer-terraform",
+						WorkspaceFolder: workspaceFolder1,
+						ConfigPath:      configPath1,
+						Status:          codersdk.WorkspaceAgentDevcontainerStatusRunning,
+						Container:       &devContainer1,
+						SubagentID:      uuid.NullUUID{UUID: uuid.New(), Valid: true},
+					},
+				},
+				lister: &fakeContainerCLI{
+					containers: codersdk.WorkspaceAgentListContainersResponse{
+						Containers: []codersdk.WorkspaceAgentContainer{devContainer1},
+					},
+					arch: "<none>",
+				},
+				devcontainerCLI: &fakeDevcontainerCLI{},
+				wantStatus:      []int{http.StatusAccepted, http.StatusConflict},
+				wantBody:        []string{"Devcontainer recreation initiated", "is currently starting and cannot be restarted"},
+			},
 		}
 
 		for _, tt := range tests {
@@ -1449,14 +1477,6 @@ func TestAPI(t *testing.T) {
 					)
 				}
 
-				api := agentcontainers.NewAPI(logger, apiOpts...)
-
-				api.Start()
-				defer api.Close()
-
-				r := chi.NewRouter()
-				r.Mount("/", api.Routes())
-
 				var (
 					agentRunningCh chan struct{}
 					stopAgentCh    chan struct{}
@@ -1473,6 +1493,14 @@ func TestAPI(t *testing.T) {
 					}
 				}
 
+				api := agentcontainers.NewAPI(logger, apiOpts...)
+
+				api.Start()
+				defer api.Close()
+
+				r := chi.NewRouter()
+				r.Mount("/", api.Routes())
+
 				tickerTrap.MustWait(ctx).MustRelease(ctx)
 				tickerTrap.Close()
 
@@ -2490,6 +2518,338 @@ func TestAPI(t *testing.T) {
 		assert.Empty(t, fakeSAC.agents)
 	})
 
+	t.Run("SubAgentCleanupPreservesTerraformDefined", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			// Given: A terraform-defined agent and devcontainer that should be preserved
+			terraformAgentID    = uuid.New()
+			terraformAgentToken = uuid.New()
+			terraformAgent      = agentcontainers.SubAgent{
+				ID:        terraformAgentID,
+				Name:      "terraform-defined-agent",
+				Directory: "/workspace",
+				AuthToken: terraformAgentToken,
+			}
+			terraformDevcontainer = codersdk.WorkspaceAgentDevcontainer{
+				ID:              uuid.New(),
+				Name:            "terraform-devcontainer",
+				WorkspaceFolder: "/workspace/project",
+				SubagentID:      uuid.NullUUID{UUID: terraformAgentID, Valid: true},
+			}
+
+			// Given: An orphaned agent that should be cleaned up
+			orphanedAgentID    = uuid.New()
+			orphanedAgentToken = uuid.New()
+			orphanedAgent      = agentcontainers.SubAgent{
+				ID:        orphanedAgentID,
+				Name:      "orphaned-agent",
+				Directory: "/tmp",
+				AuthToken: orphanedAgentToken,
+			}
+
+			ctx    = testutil.Context(t, testutil.WaitMedium)
+			logger = slog.Make()
+			mClock = quartz.NewMock(t)
+			mCCLI  = acmock.NewMockContainerCLI(gomock.NewController(t))
+
+			fakeSAC = &fakeSubAgentClient{
+				logger: logger.Named("fakeSubAgentClient"),
+				agents: map[uuid.UUID]agentcontainers.SubAgent{
+					terraformAgentID: terraformAgent,
+					orphanedAgentID:  orphanedAgent,
+				},
+			}
+		)
+
+		mCCLI.EXPECT().List(gomock.Any()).Return(codersdk.WorkspaceAgentListContainersResponse{
+			Containers: []codersdk.WorkspaceAgentContainer{},
+		}, nil).AnyTimes()
+
+		mClock.Set(time.Now()).MustWait(ctx)
+		tickerTrap := mClock.Trap().TickerFunc("updaterLoop")
+
+		api := agentcontainers.NewAPI(logger,
+			agentcontainers.WithClock(mClock),
+			agentcontainers.WithContainerCLI(mCCLI),
+			agentcontainers.WithSubAgentClient(fakeSAC),
+			agentcontainers.WithDevcontainerCLI(&fakeDevcontainerCLI{}),
+			agentcontainers.WithDevcontainers([]codersdk.WorkspaceAgentDevcontainer{terraformDevcontainer}, nil),
+		)
+		api.Start()
+		defer api.Close()
+
+		tickerTrap.MustWait(ctx).MustRelease(ctx)
+		tickerTrap.Close()
+
+		// When: We advance the clock, allowing cleanup to occur
+		_, aw := mClock.AdvanceNext()
+		aw.MustWait(ctx)
+
+		// Then: The orphaned agent should be deleted
+		assert.Contains(t, fakeSAC.deleted, orphanedAgentID, "orphaned agent should be deleted")
+
+		// And: The terraform-defined agent should not be deleted
+		assert.NotContains(t, fakeSAC.deleted, terraformAgentID, "terraform-defined agent should be preserved")
+		assert.Len(t, fakeSAC.agents, 1, "only terraform agent should remain")
+		assert.Contains(t, fakeSAC.agents, terraformAgentID, "terraform agent should still exist")
+	})
+
+	t.Run("TerraformDefinedSubAgentNotRecreatedOnConfigChange", func(t *testing.T) {
+		t.Parallel()
+
+		if runtime.GOOS == "windows" {
+			t.Skip("Dev Container tests are not supported on Windows (this test uses mocks but fails due to Windows paths)")
+		}
+
+		var (
+			logger = slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).Leveled(slog.LevelDebug)
+			mCtrl  = gomock.NewController(t)
+
+			// Given: A terraform-defined devcontainer with a pre-assigned subagent ID.
+			terraformAgentID   = uuid.New()
+			terraformContainer = codersdk.WorkspaceAgentContainer{
+				ID:           "test-container-id",
+				FriendlyName: "test-container",
+				Image:        "test-image",
+				Running:      true,
+				CreatedAt:    time.Now(),
+				Labels: map[string]string{
+					agentcontainers.DevcontainerLocalFolderLabel: "/workspace/project",
+					agentcontainers.DevcontainerConfigFileLabel:  "/workspace/project/.devcontainer/devcontainer.json",
+				},
+			}
+			terraformDevcontainer = codersdk.WorkspaceAgentDevcontainer{
+				ID:              uuid.New(),
+				Name:            "terraform-devcontainer",
+				WorkspaceFolder: "/workspace/project",
+				ConfigPath:      "/workspace/project/.devcontainer/devcontainer.json",
+				SubagentID:      uuid.NullUUID{UUID: terraformAgentID, Valid: true},
+			}
+
+			fCCLI = &fakeContainerCLI{
+				containers: codersdk.WorkspaceAgentListContainersResponse{
+					Containers: []codersdk.WorkspaceAgentContainer{terraformContainer},
+				},
+				arch: runtime.GOARCH,
+			}
+
+			fDCCLI = &fakeDevcontainerCLI{
+				upID: terraformContainer.ID,
+				readConfig: agentcontainers.DevcontainerConfig{
+					MergedConfiguration: agentcontainers.DevcontainerMergedConfiguration{
+						Customizations: agentcontainers.DevcontainerMergedCustomizations{
+							Coder: []agentcontainers.CoderCustomization{{
+								Apps: []agentcontainers.SubAgentApp{{Slug: "app1"}},
+							}},
+						},
+					},
+				},
+			}
+
+			mSAC   = acmock.NewMockSubAgentClient(mCtrl)
+			closed bool
+		)
+
+		mSAC.EXPECT().List(gomock.Any()).Return([]agentcontainers.SubAgent{}, nil).AnyTimes()
+
+		// EXPECT: Create is called twice with the terraform-defined ID:
+		// once for the initial creation and once after the rebuild with
+		// config changes (upsert).
+		mSAC.EXPECT().Create(gomock.Any(), gomock.Any()).DoAndReturn(
+			func(_ context.Context, agent agentcontainers.SubAgent) (agentcontainers.SubAgent, error) {
+				assert.Equal(t, terraformAgentID, agent.ID, "agent should have terraform-defined ID")
+				agent.AuthToken = uuid.New()
+				return agent, nil
+			},
+		).Times(2)
+
+		// EXPECT: Delete may be called during Close, but not before.
+		mSAC.EXPECT().Delete(gomock.Any(), gomock.Any()).DoAndReturn(func(_ context.Context, _ uuid.UUID) error {
+			assert.True(t, closed, "Delete should only be called after Close, not during recreation")
+			return nil
+		}).AnyTimes()
+
+		api := agentcontainers.NewAPI(logger,
+			agentcontainers.WithContainerCLI(fCCLI),
+			agentcontainers.WithDevcontainerCLI(fDCCLI),
+			agentcontainers.WithDevcontainers(
+				[]codersdk.WorkspaceAgentDevcontainer{terraformDevcontainer},
+				[]codersdk.WorkspaceAgentScript{{ID: terraformDevcontainer.ID, LogSourceID: uuid.New()}},
+			),
+			agentcontainers.WithSubAgentClient(mSAC),
+			agentcontainers.WithSubAgentURL("test-subagent-url"),
+			agentcontainers.WithWatcher(watcher.NewNoop()),
+		)
+		api.Start()
+
+		// Given: We create the devcontainer for the first time.
+		err := api.CreateDevcontainer(terraformDevcontainer.WorkspaceFolder, terraformDevcontainer.ConfigPath)
+		require.NoError(t, err)
+
+		// When: The container is recreated (new container ID) with config changes.
+		terraformContainer.ID = "new-container-id"
+		fCCLI.containers.Containers = []codersdk.WorkspaceAgentContainer{terraformContainer}
+		fDCCLI.upID = terraformContainer.ID
+		fDCCLI.readConfig.MergedConfiguration.Customizations.Coder = []agentcontainers.CoderCustomization{{
+			Apps: []agentcontainers.SubAgentApp{{Slug: "app2"}}, // Changed app triggers recreation logic.
+		}}
+
+		err = api.CreateDevcontainer(terraformDevcontainer.WorkspaceFolder, terraformDevcontainer.ConfigPath, agentcontainers.WithRemoveExistingContainer())
+		require.NoError(t, err)
+
+		// Then: Mock expectations verify that Create was called once and Delete was not called during recreation.
+		closed = true
+		api.Close()
+	})
+
+	// Verify that rebuilding a terraform-defined devcontainer via the
+	// HTTP API does not delete the sub agent. The sub agent should be
+	// preserved (Create called again with the same terraform ID) and
+	// display app changes should be picked up.
+	t.Run("TerraformDefinedSubAgentRebuildViaHTTP", func(t *testing.T) {
+		t.Parallel()
+
+		if runtime.GOOS == "windows" {
+			t.Skip("Dev Container tests are not supported on Windows (this test uses mocks but fails due to Windows paths)")
+		}
+
+		var (
+			ctx    = testutil.Context(t, testutil.WaitMedium)
+			logger = slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).Leveled(slog.LevelDebug)
+			mCtrl  = gomock.NewController(t)
+
+			terraformAgentID = uuid.New()
+			containerID      = "test-container-id"
+
+			terraformContainer = codersdk.WorkspaceAgentContainer{
+				ID:           containerID,
+				FriendlyName: "test-container",
+				Image:        "test-image",
+				Running:      true,
+				CreatedAt:    time.Now(),
+				Labels: map[string]string{
+					agentcontainers.DevcontainerLocalFolderLabel: "/workspace/project",
+					agentcontainers.DevcontainerConfigFileLabel:  "/workspace/project/.devcontainer/devcontainer.json",
+				},
+			}
+			terraformDevcontainer = codersdk.WorkspaceAgentDevcontainer{
+				ID:              uuid.New(),
+				Name:            "terraform-devcontainer",
+				WorkspaceFolder: "/workspace/project",
+				ConfigPath:      "/workspace/project/.devcontainer/devcontainer.json",
+				SubagentID:      uuid.NullUUID{UUID: terraformAgentID, Valid: true},
+			}
+
+			fCCLI = &fakeContainerCLI{
+				containers: codersdk.WorkspaceAgentListContainersResponse{
+					Containers: []codersdk.WorkspaceAgentContainer{terraformContainer},
+				},
+				arch: runtime.GOARCH,
+			}
+
+			fDCCLI = &fakeDevcontainerCLI{
+				upID: containerID,
+				readConfig: agentcontainers.DevcontainerConfig{
+					MergedConfiguration: agentcontainers.DevcontainerMergedConfiguration{
+						Customizations: agentcontainers.DevcontainerMergedCustomizations{
+							Coder: []agentcontainers.CoderCustomization{{
+								DisplayApps: map[codersdk.DisplayApp]bool{
+									codersdk.DisplayAppSSH:         true,
+									codersdk.DisplayAppWebTerminal: true,
+								},
+							}},
+						},
+					},
+				},
+			}
+
+			mSAC   = acmock.NewMockSubAgentClient(mCtrl)
+			closed bool
+
+			createCalled = make(chan agentcontainers.SubAgent, 2)
+		)
+
+		mSAC.EXPECT().List(gomock.Any()).Return([]agentcontainers.SubAgent{}, nil).AnyTimes()
+
+		// Create should be called twice: once for the initial injection
+		// and once after the rebuild picks up the new container.
+		mSAC.EXPECT().Create(gomock.Any(), gomock.Any()).DoAndReturn(
+			func(_ context.Context, agent agentcontainers.SubAgent) (agentcontainers.SubAgent, error) {
+				assert.Equal(t, terraformAgentID, agent.ID, "agent should always use terraform-defined ID")
+				agent.AuthToken = uuid.New()
+				createCalled <- agent
+				return agent, nil
+			},
+		).Times(2)
+
+		// Delete must only be called during Close, never during rebuild.
+		mSAC.EXPECT().Delete(gomock.Any(), gomock.Any()).DoAndReturn(func(_ context.Context, _ uuid.UUID) error {
+			assert.True(t, closed, "Delete should only be called after Close, not during rebuild")
+			return nil
+		}).AnyTimes()
+
+		api := agentcontainers.NewAPI(logger,
+			agentcontainers.WithContainerCLI(fCCLI),
+			agentcontainers.WithDevcontainerCLI(fDCCLI),
+			agentcontainers.WithDevcontainers(
+				[]codersdk.WorkspaceAgentDevcontainer{terraformDevcontainer},
+				[]codersdk.WorkspaceAgentScript{{ID: terraformDevcontainer.ID, LogSourceID: uuid.New()}},
+			),
+			agentcontainers.WithSubAgentClient(mSAC),
+			agentcontainers.WithSubAgentURL("test-subagent-url"),
+			agentcontainers.WithWatcher(watcher.NewNoop()),
+		)
+		api.Start()
+		defer func() {
+			closed = true
+			api.Close()
+		}()
+
+		r := chi.NewRouter()
+		r.Mount("/", api.Routes())
+
+		// Perform the initial devcontainer creation directly to set up
+		// the subagent (mirrors the TerraformDefinedSubAgentNotRecreatedOnConfigChange
+		// test pattern).
+		err := api.CreateDevcontainer(terraformDevcontainer.WorkspaceFolder, terraformDevcontainer.ConfigPath)
+		require.NoError(t, err)
+
+		initialAgent := testutil.RequireReceive(ctx, t, createCalled)
+		assert.Equal(t, terraformAgentID, initialAgent.ID)
+
+		// Simulate container rebuild: new container ID, changed display apps.
+		newContainerID := "new-container-id"
+		terraformContainer.ID = newContainerID
+		fCCLI.containers.Containers = []codersdk.WorkspaceAgentContainer{terraformContainer}
+		fDCCLI.upID = newContainerID
+		fDCCLI.readConfig.MergedConfiguration.Customizations.Coder = []agentcontainers.CoderCustomization{{
+			DisplayApps: map[codersdk.DisplayApp]bool{
+				codersdk.DisplayAppSSH:            true,
+				codersdk.DisplayAppWebTerminal:    true,
+				codersdk.DisplayAppVSCodeDesktop:  true,
+				codersdk.DisplayAppVSCodeInsiders: true,
+			},
+		}}
+
+		// Issue the rebuild request via the HTTP API.
+		req := httptest.NewRequest(http.MethodPost, "/devcontainers/"+terraformDevcontainer.ID.String()+"/recreate", nil).
+			WithContext(ctx)
+		rec := httptest.NewRecorder()
+		r.ServeHTTP(rec, req)
+		require.Equal(t, http.StatusAccepted, rec.Code)
+
+		// Wait for the post-rebuild injection to complete.
+		rebuiltAgent := testutil.RequireReceive(ctx, t, createCalled)
+		assert.Equal(t, terraformAgentID, rebuiltAgent.ID, "rebuilt agent should preserve terraform ID")
+
+		// Verify that the display apps were updated.
+		assert.Contains(t, rebuiltAgent.DisplayApps, codersdk.DisplayAppVSCodeDesktop,
+			"rebuilt agent should include updated display apps")
+		assert.Contains(t, rebuiltAgent.DisplayApps, codersdk.DisplayAppVSCodeInsiders,
+			"rebuilt agent should include updated display apps")
+	})
+
 	t.Run("Error", func(t *testing.T) {
 		t.Parallel()
 

agent/agentcontainers/subagent.go

@@ -24,10 +24,12 @@ type SubAgent struct {
 	DisplayApps     []codersdk.DisplayApp
 }
 
-// CloneConfig makes a copy of SubAgent without ID and AuthToken. The
-// name is inherited from the devcontainer.
+// CloneConfig makes a copy of SubAgent using configuration from the
+// devcontainer. The ID is inherited from dc.SubagentID if present, and
+// the name is inherited from the devcontainer. AuthToken is not copied.
 func (s SubAgent) CloneConfig(dc codersdk.WorkspaceAgentDevcontainer) SubAgent {
 	return SubAgent{
+		ID:              dc.SubagentID.UUID,
 		Name:            dc.Name,
 		Directory:       s.Directory,
 		Architecture:    s.Architecture,
@@ -190,6 +192,11 @@ func (a *subAgentAPIClient) List(ctx context.Context) ([]SubAgent, error) {
 func (a *subAgentAPIClient) Create(ctx context.Context, agent SubAgent) (_ SubAgent, err error) {
 	a.logger.Debug(ctx, "creating sub agent", slog.F("name", agent.Name), slog.F("directory", agent.Directory))
 
+	var id []byte
+	if agent.ID != uuid.Nil {
+		id = agent.ID[:]
+	}
+
 	displayApps := make([]agentproto.CreateSubAgentRequest_DisplayApp, 0, len(agent.DisplayApps))
 	for _, displayApp := range agent.DisplayApps {
 		var app agentproto.CreateSubAgentRequest_DisplayApp
@@ -228,6 +235,7 @@ func (a *subAgentAPIClient) Create(ctx context.Context, agent SubAgent) (_ SubAg
 		OperatingSystem: agent.OperatingSystem,
 		DisplayApps:     displayApps,
 		Apps:            apps,
+		Id:              id,
 	})
 	if err != nil {
 		return SubAgent{}, err

agent/agentcontainers/subagent_test.go

@@ -306,3 +306,128 @@ func TestSubAgentClient_CreateWithDisplayApps(t *testing.T) {
 		}
 	})
 }
+
+func TestSubAgent_CloneConfig(t *testing.T) {
+	t.Parallel()
+
+	t.Run("CopiesIDFromDevcontainer", func(t *testing.T) {
+		t.Parallel()
+
+		subAgent := agentcontainers.SubAgent{
+			ID:              uuid.New(),
+			Name:            "original-name",
+			Directory:       "/workspace",
+			Architecture:    "amd64",
+			OperatingSystem: "linux",
+			DisplayApps:     []codersdk.DisplayApp{codersdk.DisplayAppVSCodeDesktop},
+			Apps:            []agentcontainers.SubAgentApp{{Slug: "app1"}},
+		}
+		expectedID := uuid.MustParse("550e8400-e29b-41d4-a716-446655440000")
+		dc := codersdk.WorkspaceAgentDevcontainer{
+			Name:       "devcontainer-name",
+			SubagentID: uuid.NullUUID{UUID: expectedID, Valid: true},
+		}
+
+		cloned := subAgent.CloneConfig(dc)
+
+		assert.Equal(t, expectedID, cloned.ID)
+		assert.Equal(t, dc.Name, cloned.Name)
+		assert.Equal(t, subAgent.Directory, cloned.Directory)
+		assert.Zero(t, cloned.AuthToken, "AuthToken should not be copied")
+	})
+
+	t.Run("HandlesNilSubagentID", func(t *testing.T) {
+		t.Parallel()
+
+		subAgent := agentcontainers.SubAgent{
+			ID:              uuid.New(),
+			Name:            "original-name",
+			Directory:       "/workspace",
+			Architecture:    "amd64",
+			OperatingSystem: "linux",
+		}
+		dc := codersdk.WorkspaceAgentDevcontainer{
+			Name:       "devcontainer-name",
+			SubagentID: uuid.NullUUID{Valid: false},
+		}
+
+		cloned := subAgent.CloneConfig(dc)
+
+		assert.Equal(t, uuid.Nil, cloned.ID)
+	})
+}
+
+func TestSubAgent_EqualConfig(t *testing.T) {
+	t.Parallel()
+
+	base := agentcontainers.SubAgent{
+		ID:              uuid.New(),
+		Name:            "test-agent",
+		Directory:       "/workspace",
+		Architecture:    "amd64",
+		OperatingSystem: "linux",
+		DisplayApps:     []codersdk.DisplayApp{codersdk.DisplayAppVSCodeDesktop},
+		Apps: []agentcontainers.SubAgentApp{
+			{Slug: "test-app", DisplayName: "Test App"},
+		},
+	}
+
+	tests := []struct {
+		name      string
+		modify    func(*agentcontainers.SubAgent)
+		wantEqual bool
+	}{
+		{
+			name:      "identical",
+			modify:    func(s *agentcontainers.SubAgent) {},
+			wantEqual: true,
+		},
+		{
+			name:      "different ID",
+			modify:    func(s *agentcontainers.SubAgent) { s.ID = uuid.New() },
+			wantEqual: true,
+		},
+		{
+			name:      "different Name",
+			modify:    func(s *agentcontainers.SubAgent) { s.Name = "different-name" },
+			wantEqual: false,
+		},
+		{
+			name:      "different Directory",
+			modify:    func(s *agentcontainers.SubAgent) { s.Directory = "/different/path" },
+			wantEqual: false,
+		},
+		{
+			name:      "different Architecture",
+			modify:    func(s *agentcontainers.SubAgent) { s.Architecture = "arm64" },
+			wantEqual: false,
+		},
+		{
+			name:      "different OperatingSystem",
+			modify:    func(s *agentcontainers.SubAgent) { s.OperatingSystem = "windows" },
+			wantEqual: false,
+		},
+		{
+			name:      "different DisplayApps",
+			modify:    func(s *agentcontainers.SubAgent) { s.DisplayApps = []codersdk.DisplayApp{codersdk.DisplayAppSSH} },
+			wantEqual: false,
+		},
+		{
+			name: "different Apps",
+			modify: func(s *agentcontainers.SubAgent) {
+				s.Apps = []agentcontainers.SubAgentApp{{Slug: "different-app", DisplayName: "Different App"}}
+			},
+			wantEqual: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			modified := base
+			tt.modify(&modified)
+			assert.Equal(t, tt.wantEqual, base.EqualConfig(modified))
+		})
+	}
+}

agent/agentsocket/client.go

@@ -99,7 +99,10 @@ func (c *Client) SyncReady(ctx context.Context, unitName unit.ID) (bool, error)
 	resp, err := c.client.SyncReady(ctx, &proto.SyncReadyRequest{
 		Unit: string(unitName),
 	})
-	return resp.Ready, err
+	if err != nil {
+		return false, xerrors.Errorf("sync ready: %w", err)
+	}
+	return resp.Ready, nil
 }
 
 // SyncStatus gets the status of a unit and its dependencies.

agent/reaper/reaper.go

@@ -4,6 +4,8 @@ import (
 	"os"
 
 	"github.com/hashicorp/go-reap"
+
+	"cdr.dev/slog/v3"
 )
 
 type Option func(o *options)
@@ -34,8 +36,15 @@ func WithCatchSignals(sigs ...os.Signal) Option {
 	}
 }
 
+func WithLogger(logger slog.Logger) Option {
+	return func(o *options) {
+		o.Logger = logger
+	}
+}
+
 type options struct {
 	ExecArgs     []string
 	PIDs         reap.PidCh
 	CatchSignals []os.Signal
+	Logger       slog.Logger
 }

agent/reaper/reaper_unix.go

@@ -3,12 +3,15 @@
 package reaper
 
 import (
+	"context"
 	"os"
 	"os/signal"
 	"syscall"
 
 	"github.com/hashicorp/go-reap"
 	"golang.org/x/xerrors"
+
+	"cdr.dev/slog/v3"
 )
 
 // IsInitProcess returns true if the current process's PID is 1.
@@ -16,7 +19,7 @@ func IsInitProcess() bool {
 	return os.Getpid() == 1
 }
 
-func catchSignals(pid int, sigs []os.Signal) {
+func catchSignals(logger slog.Logger, pid int, sigs []os.Signal) {
 	if len(sigs) == 0 {
 		return
 	}
@@ -25,10 +28,19 @@ func catchSignals(pid int, sigs []os.Signal) {
 	signal.Notify(sc, sigs...)
 	defer signal.Stop(sc)
 
+	logger.Info(context.Background(), "reaper catching signals",
+		slog.F("signals", sigs),
+		slog.F("child_pid", pid),
+	)
+
 	for {
 		s := <-sc
 		sig, ok := s.(syscall.Signal)
 		if ok {
+			logger.Info(context.Background(), "reaper caught signal, killing child process",
+				slog.F("signal", sig.String()),
+				slog.F("child_pid", pid),
+			)
 			_ = syscall.Kill(pid, sig)
 		}
 	}
@@ -78,7 +90,7 @@ func ForkReap(opt ...Option) (int, error) {
 		return 1, xerrors.Errorf("fork exec: %w", err)
 	}
 
-	go catchSignals(pid, opts.CatchSignals)
+	go catchSignals(opts.Logger, pid, opts.CatchSignals)
 
 	var wstatus syscall.WaitStatus
 	_, err = syscall.Wait4(pid, &wstatus, 0, nil)

cli/agent.go

@@ -9,6 +9,7 @@ import (
 	"net/http/pprof"
 	"net/url"
 	"os"
+	"os/signal"
 	"path/filepath"
 	"runtime"
 	"slices"
@@ -130,6 +131,7 @@ func workspaceAgent() *serpent.Command {
 
 				sinks = append(sinks, sloghuman.Sink(logWriter))
 				logger := inv.Logger.AppendSinks(sinks...).Leveled(slog.LevelDebug)
+				logger = logger.Named("reaper")
 
 				logger.Info(ctx, "spawning reaper process")
 				// Do not start a reaper on the child process. It's important
@@ -139,31 +141,19 @@ func workspaceAgent() *serpent.Command {
 				exitCode, err := reaper.ForkReap(
 					reaper.WithExecArgs(args...),
 					reaper.WithCatchSignals(StopSignals...),
+					reaper.WithLogger(logger),
 				)
 				if err != nil {
 					logger.Error(ctx, "agent process reaper unable to fork", slog.Error(err))
 					return xerrors.Errorf("fork reap: %w", err)
 				}
 
-				logger.Info(ctx, "reaper child process exited", slog.F("exit_code", exitCode))
+				logger.Info(ctx, "child process exited, propagating exit code",
+					slog.F("exit_code", exitCode),
+				)
 				return ExitError(exitCode, nil)
 			}
 
-			// Handle interrupt signals to allow for graceful shutdown,
-			// note that calling stopNotify disables the signal handler
-			// and the next interrupt will terminate the program (you
-			// probably want cancel instead).
-			//
-			// Note that we don't want to handle these signals in the
-			// process that runs as PID 1, that's why we do this after
-			// the reaper forked.
-			ctx, stopNotify := inv.SignalNotifyContext(ctx, StopSignals...)
-			defer stopNotify()
-
-			// DumpHandler does signal handling, so we call it after the
-			// reaper.
-			go DumpHandler(ctx, "agent")
-
 			logWriter := &clilog.LumberjackWriteCloseFixer{Writer: &lumberjack.Logger{
 				Filename: filepath.Join(logDir, "coder-agent.log"),
 				MaxSize:  5, // MB
@@ -176,6 +166,21 @@ func workspaceAgent() *serpent.Command {
 			sinks = append(sinks, sloghuman.Sink(logWriter))
 			logger := inv.Logger.AppendSinks(sinks...).Leveled(slog.LevelDebug)
 
+			// Handle interrupt signals to allow for graceful shutdown,
+			// note that calling stopNotify disables the signal handler
+			// and the next interrupt will terminate the program (you
+			// probably want cancel instead).
+			//
+			// Note that we also handle these signals in the
+			// process that runs as PID 1, mainly to forward it to the agent child
+			// so that it can shutdown gracefully.
+			ctx, stopNotify := logSignalNotifyContext(ctx, logger, StopSignals...)
+			defer stopNotify()
+
+			// DumpHandler does signal handling, so we call it after the
+			// reaper.
+			go DumpHandler(ctx, "agent")
+
 			version := buildinfo.Version()
 			logger.Info(ctx, "agent is starting now",
 				slog.F("url", agentAuth.agentURL),
@@ -565,3 +570,26 @@ func urlPort(u string) (int, error) {
 	}
 	return -1, xerrors.Errorf("invalid port: %s", u)
 }
+
+// logSignalNotifyContext is like signal.NotifyContext but logs the received
+// signal before canceling the context.
+func logSignalNotifyContext(parent context.Context, logger slog.Logger, signals ...os.Signal) (context.Context, context.CancelFunc) {
+	ctx, cancel := context.WithCancelCause(parent)
+	c := make(chan os.Signal, 1)
+	signal.Notify(c, signals...)
+
+	go func() {
+		select {
+		case sig := <-c:
+			logger.Info(ctx, "agent received signal", slog.F("signal", sig.String()))
+			cancel(xerrors.Errorf("signal: %s", sig.String()))
+		case <-ctx.Done():
+			logger.Info(ctx, "ctx canceled, stopping signal handler")
+		}
+	}()
+
+	return ctx, func() {
+		cancel(context.Canceled)
+		signal.Stop(c)
+	}
+}

cli/organization.go

@@ -23,7 +23,9 @@ func (r *RootCmd) organizations() *serpent.Command {
 		},
 		Children: []*serpent.Command{
 			r.showOrganization(orgContext),
+			r.listOrganizations(),
 			r.createOrganization(),
+			r.deleteOrganization(orgContext),
 			r.organizationMembers(orgContext),
 			r.organizationRoles(orgContext),
 			r.organizationSettings(orgContext),

cli/organization_test.go

@@ -1,10 +1,13 @@
 package cli_test
 
 import (
+	"bytes"
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"sync/atomic"
 	"testing"
 	"time"
 
@@ -12,8 +15,10 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/v2/cli/clitest"
+	"github.com/coder/coder/v2/cli/cliui"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/pty/ptytest"
+	"github.com/coder/pretty"
 )
 
 func TestCurrentOrganization(t *testing.T) {
@@ -54,6 +59,166 @@ func TestCurrentOrganization(t *testing.T) {
 	})
 }
 
+func TestOrganizationList(t *testing.T) {
+	t.Parallel()
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		orgID := uuid.New()
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case r.Method == http.MethodGet && r.URL.Path == "/api/v2/organizations":
+				_ = json.NewEncoder(w).Encode([]codersdk.Organization{
+					{
+						MinimalOrganization: codersdk.MinimalOrganization{
+							ID:          orgID,
+							Name:        "my-org",
+							DisplayName: "My Org",
+						},
+						CreatedAt: time.Now(),
+						UpdatedAt: time.Now(),
+					},
+				})
+			default:
+				t.Errorf("unexpected request: %s %s", r.Method, r.URL.Path)
+				w.WriteHeader(http.StatusNotFound)
+			}
+		}))
+		defer server.Close()
+
+		client := codersdk.New(must(url.Parse(server.URL)))
+		inv, root := clitest.New(t, "organizations", "list")
+		clitest.SetupConfig(t, client, root)
+
+		buf := new(bytes.Buffer)
+		inv.Stdout = buf
+
+		require.NoError(t, inv.Run())
+		require.Contains(t, buf.String(), "my-org")
+		require.Contains(t, buf.String(), "My Org")
+		require.Contains(t, buf.String(), orgID.String())
+	})
+}
+
+func TestOrganizationDelete(t *testing.T) {
+	t.Parallel()
+
+	t.Run("Yes", func(t *testing.T) {
+		t.Parallel()
+
+		orgID := uuid.New()
+		var deleteCalled atomic.Bool
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case r.Method == http.MethodGet && r.URL.Path == "/api/v2/organizations/my-org":
+				_ = json.NewEncoder(w).Encode(codersdk.Organization{
+					MinimalOrganization: codersdk.MinimalOrganization{
+						ID:   orgID,
+						Name: "my-org",
+					},
+					CreatedAt: time.Now(),
+					UpdatedAt: time.Now(),
+				})
+			case r.Method == http.MethodDelete && r.URL.Path == fmt.Sprintf("/api/v2/organizations/%s", orgID.String()):
+				deleteCalled.Store(true)
+				w.WriteHeader(http.StatusOK)
+			default:
+				t.Errorf("unexpected request: %s %s", r.Method, r.URL.Path)
+				w.WriteHeader(http.StatusNotFound)
+			}
+		}))
+		defer server.Close()
+
+		client := codersdk.New(must(url.Parse(server.URL)))
+		inv, root := clitest.New(t, "organizations", "delete", "my-org", "--yes")
+		clitest.SetupConfig(t, client, root)
+
+		require.NoError(t, inv.Run())
+		require.True(t, deleteCalled.Load(), "expected delete request")
+	})
+
+	t.Run("Prompted", func(t *testing.T) {
+		t.Parallel()
+
+		orgID := uuid.New()
+		var deleteCalled atomic.Bool
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case r.Method == http.MethodGet && r.URL.Path == "/api/v2/organizations/my-org":
+				_ = json.NewEncoder(w).Encode(codersdk.Organization{
+					MinimalOrganization: codersdk.MinimalOrganization{
+						ID:   orgID,
+						Name: "my-org",
+					},
+					CreatedAt: time.Now(),
+					UpdatedAt: time.Now(),
+				})
+			case r.Method == http.MethodDelete && r.URL.Path == fmt.Sprintf("/api/v2/organizations/%s", orgID.String()):
+				deleteCalled.Store(true)
+				w.WriteHeader(http.StatusOK)
+			default:
+				t.Errorf("unexpected request: %s %s", r.Method, r.URL.Path)
+				w.WriteHeader(http.StatusNotFound)
+			}
+		}))
+		defer server.Close()
+
+		client := codersdk.New(must(url.Parse(server.URL)))
+		inv, root := clitest.New(t, "organizations", "delete", "my-org")
+		clitest.SetupConfig(t, client, root)
+		pty := ptytest.New(t).Attach(inv)
+
+		execDone := make(chan error)
+		go func() {
+			execDone <- inv.Run()
+		}()
+
+		pty.ExpectMatch(fmt.Sprintf("Delete organization %s?", pretty.Sprint(cliui.DefaultStyles.Code, "my-org")))
+		pty.WriteLine("yes")
+
+		require.NoError(t, <-execDone)
+		require.True(t, deleteCalled.Load(), "expected delete request")
+	})
+
+	t.Run("Default", func(t *testing.T) {
+		t.Parallel()
+
+		orgID := uuid.New()
+		var deleteCalled atomic.Bool
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case r.Method == http.MethodGet && r.URL.Path == "/api/v2/organizations/default":
+				_ = json.NewEncoder(w).Encode(codersdk.Organization{
+					MinimalOrganization: codersdk.MinimalOrganization{
+						ID:   orgID,
+						Name: "default",
+					},
+					CreatedAt: time.Now(),
+					UpdatedAt: time.Now(),
+					IsDefault: true,
+				})
+			case r.Method == http.MethodDelete:
+				deleteCalled.Store(true)
+				w.WriteHeader(http.StatusOK)
+			default:
+				t.Errorf("unexpected request: %s %s", r.Method, r.URL.Path)
+				w.WriteHeader(http.StatusNotFound)
+			}
+		}))
+		defer server.Close()
+
+		client := codersdk.New(must(url.Parse(server.URL)))
+		inv, root := clitest.New(t, "organizations", "delete", "default", "--yes")
+		clitest.SetupConfig(t, client, root)
+
+		err := inv.Run()
+		require.Error(t, err)
+		require.ErrorContains(t, err, "default organization")
+		require.False(t, deleteCalled.Load(), "expected no delete request")
+	})
+}
+
 func must[V any](v V, err error) V {
 	if err != nil {
 		panic(err)

cli/organizationdelete.go

@@ -0,0 +1,65 @@
+package cli
+
+import (
+	"fmt"
+	"time"
+
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/cli/cliui"
+	"github.com/coder/pretty"
+	"github.com/coder/serpent"
+)
+
+func (r *RootCmd) deleteOrganization(_ *OrganizationContext) *serpent.Command {
+	cmd := &serpent.Command{
+		Use:   "delete <organization_name_or_id>",
+		Short: "Delete an organization",
+		Middleware: serpent.Chain(
+			serpent.RequireNArgs(1),
+		),
+		Options: serpent.OptionSet{
+			cliui.SkipPromptOption(),
+		},
+		Handler: func(inv *serpent.Invocation) error {
+			client, err := r.InitClient(inv)
+			if err != nil {
+				return err
+			}
+
+			orgArg := inv.Args[0]
+			organization, err := client.OrganizationByName(inv.Context(), orgArg)
+			if err != nil {
+				return err
+			}
+
+			if organization.IsDefault {
+				return xerrors.Errorf("cannot delete the default organization %q", organization.Name)
+			}
+
+			_, err = cliui.Prompt(inv, cliui.PromptOptions{
+				Text:      fmt.Sprintf("Delete organization %s?", pretty.Sprint(cliui.DefaultStyles.Code, organization.Name)),
+				IsConfirm: true,
+				Default:   cliui.ConfirmNo,
+			})
+			if err != nil {
+				return err
+			}
+
+			err = client.DeleteOrganization(inv.Context(), organization.ID.String())
+			if err != nil {
+				return xerrors.Errorf("delete organization %q: %w", organization.Name, err)
+			}
+
+			_, _ = fmt.Fprintf(
+				inv.Stdout,
+				"Deleted organization %s at %s\n",
+				pretty.Sprint(cliui.DefaultStyles.Keyword, organization.Name),
+				cliui.Timestamp(time.Now()),
+			)
+			return nil
+		},
+	}
+
+	return cmd
+}

cli/organizationlist.go

@@ -0,0 +1,53 @@
+package cli
+
+import (
+	"fmt"
+
+	"github.com/coder/coder/v2/cli/cliui"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/serpent"
+)
+
+func (r *RootCmd) listOrganizations() *serpent.Command {
+	formatter := cliui.NewOutputFormatter(
+		cliui.TableFormat([]codersdk.Organization{}, []string{"name", "display name", "id", "default"}),
+		cliui.JSONFormat(),
+	)
+
+	cmd := &serpent.Command{
+		Use:     "list",
+		Short:   "List all organizations",
+		Long:    "List all organizations. Requires a role which grants ResourceOrganization: read.",
+		Aliases: []string{"ls"},
+		Middleware: serpent.Chain(
+			serpent.RequireNArgs(0),
+		),
+		Handler: func(inv *serpent.Invocation) error {
+			client, err := r.InitClient(inv)
+			if err != nil {
+				return err
+			}
+
+			organizations, err := client.Organizations(inv.Context())
+			if err != nil {
+				return err
+			}
+
+			out, err := formatter.Format(inv.Context(), organizations)
+			if err != nil {
+				return err
+			}
+
+			if out == "" {
+				cliui.Infof(inv.Stderr, "No organizations found.")
+				return nil
+			}
+
+			_, err = fmt.Fprintln(inv.Stdout, out)
+			return err
+		},
+	}
+
+	formatter.AttachOptions(&cmd.Options)
+	return cmd
+}

cli/server.go

@@ -2174,7 +2174,7 @@ func startBuiltinPostgres(ctx context.Context, cfg config.Root, logger slog.Logg
 	// existing database
 	retryPortDiscovery := errors.Is(err, os.ErrNotExist) && testing.Testing()
 	if retryPortDiscovery {
-		maxAttempts = 3
+		maxAttempts = 10
 	}
 
 	var startErr error

cli/server_test.go

@@ -2244,6 +2244,7 @@ type runServerOpts struct {
 	waitForSnapshot               bool
 	telemetryDisabled             bool
 	waitForTelemetryDisabledCheck bool
+	name                          string
 }
 
 func TestServer_TelemetryDisabled_FinalReport(t *testing.T) {
@@ -2266,25 +2267,23 @@ func TestServer_TelemetryDisabled_FinalReport(t *testing.T) {
 			"--cache-dir", cacheDir,
 			"--log-filter", ".*",
 		)
-		finished := make(chan bool, 2)
+		inv.Logger = inv.Logger.Named(opts.name)
+
 		errChan := make(chan error, 1)
-		pty := ptytest.New(t).Attach(inv)
+		pty := ptytest.New(t).Named(opts.name).Attach(inv)
 		go func() {
 			errChan <- inv.WithContext(ctx).Run()
-			finished <- true
+			// close the pty here so that we can start tearing down resources. This test creates multiple servers with
+			// associated ptys. There is a `t.Cleanup()` that does this, but it waits until the whole test is complete.
+			_ = pty.Close()
 		}()
-		go func() {
-			defer func() {
-				finished <- true
-			}()
-			if opts.waitForSnapshot {
-				pty.ExpectMatchContext(testutil.Context(t, testutil.WaitLong), "submitted snapshot")
-			}
-			if opts.waitForTelemetryDisabledCheck {
-				pty.ExpectMatchContext(testutil.Context(t, testutil.WaitLong), "finished telemetry status check")
-			}
-		}()
-		<-finished
+
+		if opts.waitForSnapshot {
+			pty.ExpectMatchContext(testutil.Context(t, testutil.WaitLong), "submitted snapshot")
+		}
+		if opts.waitForTelemetryDisabledCheck {
+			pty.ExpectMatchContext(testutil.Context(t, testutil.WaitLong), "finished telemetry status check")
+		}
 		return errChan, cancelFunc
 	}
 	waitForShutdown := func(t *testing.T, errChan chan error) error {
@@ -2298,7 +2297,9 @@ func TestServer_TelemetryDisabled_FinalReport(t *testing.T) {
 		return nil
 	}
 
-	errChan, cancelFunc := runServer(t, runServerOpts{telemetryDisabled: true, waitForTelemetryDisabledCheck: true})
+	errChan, cancelFunc := runServer(t, runServerOpts{
+		telemetryDisabled: true, waitForTelemetryDisabledCheck: true, name: "0disabled",
+	})
 	cancelFunc()
 	require.NoError(t, waitForShutdown(t, errChan))
 
@@ -2306,7 +2307,7 @@ func TestServer_TelemetryDisabled_FinalReport(t *testing.T) {
 	require.Empty(t, deployment)
 	require.Empty(t, snapshot)
 
-	errChan, cancelFunc = runServer(t, runServerOpts{waitForSnapshot: true})
+	errChan, cancelFunc = runServer(t, runServerOpts{waitForSnapshot: true, name: "1enabled"})
 	cancelFunc()
 	require.NoError(t, waitForShutdown(t, errChan))
 	// we expect to see a deployment and a snapshot twice:
@@ -2325,7 +2326,9 @@ func TestServer_TelemetryDisabled_FinalReport(t *testing.T) {
 		}
 	}
 
-	errChan, cancelFunc = runServer(t, runServerOpts{telemetryDisabled: true, waitForTelemetryDisabledCheck: true})
+	errChan, cancelFunc = runServer(t, runServerOpts{
+		telemetryDisabled: true, waitForTelemetryDisabledCheck: true, name: "2disabled",
+	})
 	cancelFunc()
 	require.NoError(t, waitForShutdown(t, errChan))
 
@@ -2341,7 +2344,9 @@ func TestServer_TelemetryDisabled_FinalReport(t *testing.T) {
 		t.Fatalf("timed out waiting for snapshot")
 	}
 
-	errChan, cancelFunc = runServer(t, runServerOpts{telemetryDisabled: true, waitForTelemetryDisabledCheck: true})
+	errChan, cancelFunc = runServer(t, runServerOpts{
+		telemetryDisabled: true, waitForTelemetryDisabledCheck: true, name: "3disabled",
+	})
 	cancelFunc()
 	require.NoError(t, waitForShutdown(t, errChan))
 	// Since telemetry is disabled and we've already sent a snapshot, we expect no

cli/ssh.go

@@ -24,7 +24,6 @@ import (
 	"github.com/gofrs/flock"
 	"github.com/google/uuid"
 	"github.com/mattn/go-isatty"
-	"github.com/shirou/gopsutil/v4/process"
 	"github.com/spf13/afero"
 	gossh "golang.org/x/crypto/ssh"
 	gosshagent "golang.org/x/crypto/ssh/agent"
@@ -85,9 +84,6 @@ func (r *RootCmd) ssh() *serpent.Command {
 
 		containerName string
 		containerUser string
-
-		// Used in tests to simulate the parent exiting.
-		testForcePPID int64
 	)
 	cmd := &serpent.Command{
 		Annotations: workspaceCommand,
@@ -179,24 +175,6 @@ func (r *RootCmd) ssh() *serpent.Command {
 			ctx, cancel := context.WithCancel(ctx)
 			defer cancel()
 
-			// When running as a ProxyCommand (stdio mode), monitor the parent process
-			// and exit if it dies to avoid leaving orphaned processes. This is
-			// particularly important when editors like VSCode/Cursor spawn SSH
-			// connections and then crash or are killed - we don't want zombie
-			// `coder ssh` processes accumulating.
-			// Note: using gopsutil to check the parent process as this handles
-			// windows processes as well in a standard way.
-			if stdio {
-				ppid := int32(os.Getppid())             // nolint:gosec
-				checkParentInterval := 10 * time.Second // Arbitrary interval to not be too frequent
-				if testForcePPID > 0 {
-					ppid = int32(testForcePPID)                  // nolint:gosec
-					checkParentInterval = 100 * time.Millisecond // Shorter interval for testing
-				}
-				ctx, cancel = watchParentContext(ctx, quartz.NewReal(), ppid, process.PidExistsWithContext, checkParentInterval)
-				defer cancel()
-			}
-
 			// Prevent unnecessary logs from the stdlib from messing up the TTY.
 			// See: https://github.com/coder/coder/issues/13144
 			log.SetOutput(io.Discard)
@@ -797,12 +775,6 @@ func (r *RootCmd) ssh() *serpent.Command {
 			Value:       serpent.BoolOf(&forceNewTunnel),
 			Hidden:      true,
 		},
-		{
-			Flag:        "test.force-ppid",
-			Description: "Override the parent process ID to simulate a different parent process. ONLY USE THIS IN TESTS.",
-			Value:       serpent.Int64Of(&testForcePPID),
-			Hidden:      true,
-		},
 		sshDisableAutostartOption(serpent.BoolOf(&disableAutostart)),
 	}
 	return cmd
@@ -1690,33 +1662,3 @@ func normalizeWorkspaceInput(input string) string {
 		return input // Fallback
 	}
 }
-
-// watchParentContext returns a context that is canceled when the parent process
-// dies. It polls using the provided clock and checks if the parent is alive
-// using the provided pidExists function.
-func watchParentContext(ctx context.Context, clock quartz.Clock, originalPPID int32, pidExists func(context.Context, int32) (bool, error), interval time.Duration) (context.Context, context.CancelFunc) {
-	ctx, cancel := context.WithCancel(ctx) // intentionally shadowed
-
-	go func() {
-		ticker := clock.NewTicker(interval)
-		defer ticker.Stop()
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-ticker.C:
-				alive, err := pidExists(ctx, originalPPID)
-				// If we get an error checking the parent process (e.g., permission
-				// denied, the process is in an unknown state), we assume the parent
-				// is still alive to avoid disrupting the SSH connection. We only
-				// cancel when we definitively know the parent is gone (alive=false, err=nil).
-				if !alive && err == nil {
-					cancel()
-					return
-				}
-			}
-		}
-	}()
-
-	return ctx, cancel
-}

cli/ssh_internal_test.go

@@ -312,102 +312,6 @@ type fakeCloser struct {
 	err    error
 }
 
-func TestWatchParentContext(t *testing.T) {
-	t.Parallel()
-
-	t.Run("CancelsWhenParentDies", func(t *testing.T) {
-		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitShort)
-		mClock := quartz.NewMock(t)
-		trap := mClock.Trap().NewTicker()
-		defer trap.Close()
-
-		parentAlive := true
-		childCtx, cancel := watchParentContext(ctx, mClock, 1234, func(context.Context, int32) (bool, error) {
-			return parentAlive, nil
-		}, testutil.WaitShort)
-		defer cancel()
-
-		// Wait for the ticker to be created
-		trap.MustWait(ctx).MustRelease(ctx)
-
-		// When: we simulate parent death and advance the clock
-		parentAlive = false
-		mClock.AdvanceNext()
-
-		// Then: The context should be canceled
-		_ = testutil.TryReceive(ctx, t, childCtx.Done())
-	})
-
-	t.Run("DoesNotCancelWhenParentAlive", func(t *testing.T) {
-		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitShort)
-		mClock := quartz.NewMock(t)
-		trap := mClock.Trap().NewTicker()
-		defer trap.Close()
-
-		childCtx, cancel := watchParentContext(ctx, mClock, 1234, func(context.Context, int32) (bool, error) {
-			return true, nil // Parent always alive
-		}, testutil.WaitShort)
-		defer cancel()
-
-		// Wait for the ticker to be created
-		trap.MustWait(ctx).MustRelease(ctx)
-
-		// When: we advance the clock several times with the parent alive
-		for range 3 {
-			mClock.AdvanceNext()
-		}
-
-		// Then: context should not be canceled
-		require.NoError(t, childCtx.Err())
-	})
-
-	t.Run("RespectsParentContext", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancelParent := context.WithCancel(context.Background())
-		mClock := quartz.NewMock(t)
-
-		childCtx, cancel := watchParentContext(ctx, mClock, 1234, func(context.Context, int32) (bool, error) {
-			return true, nil
-		}, testutil.WaitShort)
-		defer cancel()
-
-		// When: we cancel the parent context
-		cancelParent()
-
-		// Then: The context should be canceled
-		require.ErrorIs(t, childCtx.Err(), context.Canceled)
-	})
-
-	t.Run("DoesNotCancelOnError", func(t *testing.T) {
-		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitShort)
-		mClock := quartz.NewMock(t)
-		trap := mClock.Trap().NewTicker()
-		defer trap.Close()
-
-		// Simulate an error checking parent status (e.g., permission denied).
-		// We should not cancel the context in this case to avoid disrupting
-		// the SSH connection.
-		childCtx, cancel := watchParentContext(ctx, mClock, 1234, func(context.Context, int32) (bool, error) {
-			return false, xerrors.New("permission denied")
-		}, testutil.WaitShort)
-		defer cancel()
-
-		// Wait for the ticker to be created
-		trap.MustWait(ctx).MustRelease(ctx)
-
-		// When: we advance clock several times
-		for range 3 {
-			mClock.AdvanceNext()
-		}
-
-		// Context should NOT be canceled since we got an error (not a definitive "not alive")
-		require.NoError(t, childCtx.Err(), "context was canceled even though pidExists returned an error")
-	})
-}
-
 func (c *fakeCloser) Close() error {
 	*c.closes = append(*c.closes, c)
 	return c.err

cli/ssh_test.go

@@ -1122,107 +1122,6 @@ func TestSSH(t *testing.T) {
 		}
 	})
 
-	// This test ensures that the SSH session exits when the parent process dies.
-	t.Run("StdioExitOnParentDeath", func(t *testing.T) {
-		t.Parallel()
-
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitSuperLong)
-		defer cancel()
-
-		// sleepStart -> agentReady -> sessionStarted -> sleepKill -> sleepDone -> cmdDone
-		sleepStart := make(chan int)
-		agentReady := make(chan struct{})
-		sessionStarted := make(chan struct{})
-		sleepKill := make(chan struct{})
-		sleepDone := make(chan struct{})
-
-		// Start a sleep process which we will pretend is the parent.
-		go func() {
-			sleepCmd := exec.Command("sleep", "infinity")
-			if !assert.NoError(t, sleepCmd.Start(), "failed to start sleep command") {
-				return
-			}
-			sleepStart <- sleepCmd.Process.Pid
-			defer close(sleepDone)
-			<-sleepKill
-			sleepCmd.Process.Kill()
-			_ = sleepCmd.Wait()
-		}()
-
-		client, workspace, agentToken := setupWorkspaceForAgent(t)
-		go func() {
-			defer close(agentReady)
-			_ = agenttest.New(t, client.URL, agentToken)
-			coderdtest.NewWorkspaceAgentWaiter(t, client, workspace.ID).WaitFor(coderdtest.AgentsReady)
-		}()
-
-		clientOutput, clientInput := io.Pipe()
-		serverOutput, serverInput := io.Pipe()
-		defer func() {
-			for _, c := range []io.Closer{clientOutput, clientInput, serverOutput, serverInput} {
-				_ = c.Close()
-			}
-		}()
-
-		// Start a connection to the agent once it's ready
-		go func() {
-			<-agentReady
-			conn, channels, requests, err := ssh.NewClientConn(&testutil.ReaderWriterConn{
-				Reader: serverOutput,
-				Writer: clientInput,
-			}, "", &ssh.ClientConfig{
-				// #nosec
-				HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-			})
-			if !assert.NoError(t, err, "failed to create SSH client connection") {
-				return
-			}
-			defer conn.Close()
-
-			sshClient := ssh.NewClient(conn, channels, requests)
-			defer sshClient.Close()
-
-			session, err := sshClient.NewSession()
-			if !assert.NoError(t, err, "failed to create SSH session") {
-				return
-			}
-			close(sessionStarted)
-			<-sleepDone
-			// Ref: https://github.com/coder/internal/issues/1289
-			// This may return either a nil error or io.EOF.
-			// There is an inherent race here:
-			// 1. Sleep process is killed -> sleepDone is closed.
-			// 2. watchParentContext detects parent death, cancels context,
-			//    causing SSH session teardown.
-			// 3. We receive from sleepDone and attempt to call session.Close()
-			// Now either:
-			// a. Session teardown completes before we call Close(), resulting in io.EOF
-			// b. We call Close() first, resulting in a nil error.
-			_ = session.Close()
-		}()
-
-		// Wait for our "parent" process to start
-		sleepPid := testutil.RequireReceive(ctx, t, sleepStart)
-		// Wait for the agent to be ready
-		testutil.SoftTryReceive(ctx, t, agentReady)
-		inv, root := clitest.New(t, "ssh", "--stdio", workspace.Name, "--test.force-ppid", fmt.Sprintf("%d", sleepPid))
-		clitest.SetupConfig(t, client, root)
-		inv.Stdin = clientOutput
-		inv.Stdout = serverInput
-		inv.Stderr = io.Discard
-
-		// Start the command
-		clitest.Start(t, inv.WithContext(ctx))
-
-		// Wait for a session to be established
-		testutil.SoftTryReceive(ctx, t, sessionStarted)
-		// Now kill the fake "parent"
-		close(sleepKill)
-		// The sleep process should exit
-		testutil.SoftTryReceive(ctx, t, sleepDone)
-		// And then the command should exit. This is tracked by clitest.Start.
-	})
-
 	t.Run("ForwardAgent", func(t *testing.T) {
 		if runtime.GOOS == "windows" {
 			t.Skip("Test not supported on windows")

cli/task_logs_test.go

@@ -39,15 +39,16 @@ func Test_TaskLogs_Golden(t *testing.T) {
 
 	t.Run("ByTaskName_JSON", func(t *testing.T) {
 		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitLong)
 
-		client, task := setupCLITaskTest(ctx, t, fakeAgentAPITaskLogsOK(testMessages))
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
 		userClient := client // user already has access to their own workspace
 
 		inv, root := clitest.New(t, "task", "logs", task.Name, "--output", "json")
 		output := clitest.Capture(inv)
 		clitest.SetupConfig(t, userClient, root)
 
+		ctx := testutil.Context(t, testutil.WaitLong)
 		err := inv.WithContext(ctx).Run()
 		require.NoError(t, err)
 
@@ -62,15 +63,16 @@ func Test_TaskLogs_Golden(t *testing.T) {
 
 	t.Run("ByTaskID_JSON", func(t *testing.T) {
 		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitLong)
 
-		client, task := setupCLITaskTest(ctx, t, fakeAgentAPITaskLogsOK(testMessages))
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
 		userClient := client
 
 		inv, root := clitest.New(t, "task", "logs", task.ID.String(), "--output", "json")
 		output := clitest.Capture(inv)
 		clitest.SetupConfig(t, userClient, root)
 
+		ctx := testutil.Context(t, testutil.WaitLong)
 		err := inv.WithContext(ctx).Run()
 		require.NoError(t, err)
 
@@ -85,15 +87,16 @@ func Test_TaskLogs_Golden(t *testing.T) {
 
 	t.Run("ByTaskID_Table", func(t *testing.T) {
 		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitLong)
 
-		client, task := setupCLITaskTest(ctx, t, fakeAgentAPITaskLogsOK(testMessages))
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsOK(testMessages))
 		userClient := client
 
 		inv, root := clitest.New(t, "task", "logs", task.ID.String())
 		output := clitest.Capture(inv)
 		clitest.SetupConfig(t, userClient, root)
 
+		ctx := testutil.Context(t, testutil.WaitLong)
 		err := inv.WithContext(ctx).Run()
 		require.NoError(t, err)
 
@@ -139,29 +142,31 @@ func Test_TaskLogs_Golden(t *testing.T) {
 
 	t.Run("ErrorFetchingLogs", func(t *testing.T) {
 		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitLong)
 
-		client, task := setupCLITaskTest(ctx, t, fakeAgentAPITaskLogsErr(assert.AnError))
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskLogsErr(assert.AnError))
 		userClient := client
 
 		inv, root := clitest.New(t, "task", "logs", task.ID.String())
 		clitest.SetupConfig(t, userClient, root)
 
+		ctx := testutil.Context(t, testutil.WaitLong)
 		err := inv.WithContext(ctx).Run()
 		require.ErrorContains(t, err, assert.AnError.Error())
 	})
 
 	t.Run("SnapshotWithLogs_Table", func(t *testing.T) {
 		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitLong)
 
-		client, task := setupCLITaskTestWithSnapshot(ctx, t, codersdk.TaskStatusPaused, testMessages)
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		client, task := setupCLITaskTestWithSnapshot(setupCtx, t, codersdk.TaskStatusPaused, testMessages)
 		userClient := client
 
 		inv, root := clitest.New(t, "task", "logs", task.Name)
 		output := clitest.Capture(inv)
 		clitest.SetupConfig(t, userClient, root)
 
+		ctx := testutil.Context(t, testutil.WaitLong)
 		err := inv.WithContext(ctx).Run()
 		require.NoError(t, err)
 
@@ -171,15 +176,16 @@ func Test_TaskLogs_Golden(t *testing.T) {
 
 	t.Run("SnapshotWithLogs_JSON", func(t *testing.T) {
 		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitLong)
 
-		client, task := setupCLITaskTestWithSnapshot(ctx, t, codersdk.TaskStatusPaused, testMessages)
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		client, task := setupCLITaskTestWithSnapshot(setupCtx, t, codersdk.TaskStatusPaused, testMessages)
 		userClient := client
 
 		inv, root := clitest.New(t, "task", "logs", task.Name, "--output", "json")
 		output := clitest.Capture(inv)
 		clitest.SetupConfig(t, userClient, root)
 
+		ctx := testutil.Context(t, testutil.WaitLong)
 		err := inv.WithContext(ctx).Run()
 		require.NoError(t, err)
 
@@ -194,7 +200,6 @@ func Test_TaskLogs_Golden(t *testing.T) {
 
 	t.Run("SnapshotWithoutLogs_NoSnapshotCaptured", func(t *testing.T) {
 		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitLong)
 
 		client, task := setupCLITaskTestWithoutSnapshot(t, codersdk.TaskStatusPaused)
 		userClient := client
@@ -203,6 +208,7 @@ func Test_TaskLogs_Golden(t *testing.T) {
 		output := clitest.Capture(inv)
 		clitest.SetupConfig(t, userClient, root)
 
+		ctx := testutil.Context(t, testutil.WaitLong)
 		err := inv.WithContext(ctx).Run()
 		require.NoError(t, err)
 
@@ -212,7 +218,6 @@ func Test_TaskLogs_Golden(t *testing.T) {
 
 	t.Run("SnapshotWithSingleMessage", func(t *testing.T) {
 		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitLong)
 
 		singleMessage := []agentapisdk.Message{
 			{
@@ -223,13 +228,15 @@ func Test_TaskLogs_Golden(t *testing.T) {
 			},
 		}
 
-		client, task := setupCLITaskTestWithSnapshot(ctx, t, codersdk.TaskStatusPending, singleMessage)
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		client, task := setupCLITaskTestWithSnapshot(setupCtx, t, codersdk.TaskStatusPending, singleMessage)
 		userClient := client
 
 		inv, root := clitest.New(t, "task", "logs", task.Name)
 		output := clitest.Capture(inv)
 		clitest.SetupConfig(t, userClient, root)
 
+		ctx := testutil.Context(t, testutil.WaitLong)
 		err := inv.WithContext(ctx).Run()
 		require.NoError(t, err)
 
@@ -239,15 +246,16 @@ func Test_TaskLogs_Golden(t *testing.T) {
 
 	t.Run("SnapshotEmptyLogs", func(t *testing.T) {
 		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitLong)
 
-		client, task := setupCLITaskTestWithSnapshot(ctx, t, codersdk.TaskStatusInitializing, []agentapisdk.Message{})
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		client, task := setupCLITaskTestWithSnapshot(setupCtx, t, codersdk.TaskStatusInitializing, []agentapisdk.Message{})
 		userClient := client
 
 		inv, root := clitest.New(t, "task", "logs", task.Name)
 		output := clitest.Capture(inv)
 		clitest.SetupConfig(t, userClient, root)
 
+		ctx := testutil.Context(t, testutil.WaitLong)
 		err := inv.WithContext(ctx).Run()
 		require.NoError(t, err)
 
@@ -257,15 +265,16 @@ func Test_TaskLogs_Golden(t *testing.T) {
 
 	t.Run("InitializingTaskSnapshot", func(t *testing.T) {
 		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitLong)
 
-		client, task := setupCLITaskTestWithSnapshot(ctx, t, codersdk.TaskStatusInitializing, testMessages)
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		client, task := setupCLITaskTestWithSnapshot(setupCtx, t, codersdk.TaskStatusInitializing, testMessages)
 		userClient := client
 
 		inv, root := clitest.New(t, "task", "logs", task.Name)
 		output := clitest.Capture(inv)
 		clitest.SetupConfig(t, userClient, root)
 
+		ctx := testutil.Context(t, testutil.WaitLong)
 		err := inv.WithContext(ctx).Run()
 		require.NoError(t, err)
 

cli/task_send_test.go

@@ -23,9 +23,9 @@ func Test_TaskSend(t *testing.T) {
 
 	t.Run("ByTaskName_WithArgument", func(t *testing.T) {
 		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitLong)
 
-		client, task := setupCLITaskTest(ctx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
 		userClient := client
 
 		var stdout strings.Builder
@@ -33,15 +33,16 @@ func Test_TaskSend(t *testing.T) {
 		inv.Stdout = &stdout
 		clitest.SetupConfig(t, userClient, root)
 
+		ctx := testutil.Context(t, testutil.WaitLong)
 		err := inv.WithContext(ctx).Run()
 		require.NoError(t, err)
 	})
 
 	t.Run("ByTaskID_WithArgument", func(t *testing.T) {
 		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitLong)
 
-		client, task := setupCLITaskTest(ctx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
 		userClient := client
 
 		var stdout strings.Builder
@@ -49,15 +50,16 @@ func Test_TaskSend(t *testing.T) {
 		inv.Stdout = &stdout
 		clitest.SetupConfig(t, userClient, root)
 
+		ctx := testutil.Context(t, testutil.WaitLong)
 		err := inv.WithContext(ctx).Run()
 		require.NoError(t, err)
 	})
 
 	t.Run("ByTaskName_WithStdin", func(t *testing.T) {
 		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitLong)
 
-		client, task := setupCLITaskTest(ctx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		client, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendOK(t, "carry on with the task", "you got it"))
 		userClient := client
 
 		var stdout strings.Builder
@@ -66,6 +68,7 @@ func Test_TaskSend(t *testing.T) {
 		inv.Stdin = strings.NewReader("carry on with the task")
 		clitest.SetupConfig(t, userClient, root)
 
+		ctx := testutil.Context(t, testutil.WaitLong)
 		err := inv.WithContext(ctx).Run()
 		require.NoError(t, err)
 	})
@@ -108,15 +111,16 @@ func Test_TaskSend(t *testing.T) {
 
 	t.Run("SendError", func(t *testing.T) {
 		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitLong)
 
-		userClient, task := setupCLITaskTest(ctx, t, fakeAgentAPITaskSendErr(t, assert.AnError))
+		setupCtx := testutil.Context(t, testutil.WaitLong)
+		userClient, task := setupCLITaskTest(setupCtx, t, fakeAgentAPITaskSendErr(t, assert.AnError))
 
 		var stdout strings.Builder
 		inv, root := clitest.New(t, "task", "send", task.Name, "some task input")
 		inv.Stdout = &stdout
 		clitest.SetupConfig(t, userClient, root)
 
+		ctx := testutil.Context(t, testutil.WaitLong)
 		err := inv.WithContext(ctx).Run()
 		require.ErrorContains(t, err, assert.AnError.Error())
 	})

cli/testdata/Test_TaskLogs_Golden/SnapshotWithSingleMessage.golden

@@ -1,4 +1,4 @@
-err: WARN: Task is initializing. Showing last 1 message from snapshot.
+err: WARN: Task is pending. Showing last 1 message from snapshot.
 err: 
 out: TYPE   CONTENT         
 out: input  Single message  

cli/testdata/coder_organizations_--help.golden

@@ -9,6 +9,8 @@ USAGE:
 
 SUBCOMMANDS:
     create      Create a new organization.
+    delete      Delete an organization
+    list        List all organizations
     members     Manage organization members
     roles       Manage organization roles.
     settings    Manage organization settings.

cli/testdata/coder_organizations_delete_--help.golden

@@ -0,0 +1,15 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder organizations delete [flags] <organization_name_or_id>
+
+  Delete an organization
+
+  Aliases: rm
+
+OPTIONS:
+  -y, --yes bool
+          Bypass confirmation prompts.
+
+———
+Run `coder --help` for a list of global options.

cli/testdata/coder_organizations_list_--help.golden

@@ -0,0 +1,21 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder organizations list [flags]
+
+  List all organizations
+
+  Aliases: ls
+
+  List all organizations. Requires a role which grants ResourceOrganization:
+  read.
+
+OPTIONS:
+  -c, --column [id|name|display name|icon|description|created at|updated at|default] (default: name,display name,id,default)
+          Columns to display in table output.
+
+  -o, --output table|json (default: table)
+          Output format.
+
+———
+Run `coder --help` for a list of global options.

coderd/agentapi/api.go

@@ -89,6 +89,7 @@ type Options struct {
 	PublishWorkspaceAgentLogsUpdateFn func(ctx context.Context, workspaceAgentID uuid.UUID, msg agentsdk.LogsNotifyMessage)
 	NetworkTelemetryHandler           func(batch []*tailnetproto.TelemetryEvent)
 	BoundaryUsageTracker              *boundaryusage.Tracker
+	LifecycleMetrics                  *LifecycleMetrics
 
 	AccessURL                 *url.URL
 	AppHostname               string
@@ -170,6 +171,7 @@ func New(opts Options, workspace database.Workspace) *API {
 		Database:                 opts.Database,
 		Log:                      opts.Log,
 		PublishWorkspaceUpdateFn: api.publishWorkspaceUpdate,
+		Metrics:                  opts.LifecycleMetrics,
 	}
 
 	api.AppsAPI = &AppsAPI{

coderd/agentapi/lifecycle.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"database/sql"
 	"slices"
+	"sync"
 	"time"
 
 	"github.com/google/uuid"
@@ -31,7 +32,9 @@ type LifecycleAPI struct {
 	Log                      slog.Logger
 	PublishWorkspaceUpdateFn func(context.Context, *database.WorkspaceAgent, wspubsub.WorkspaceEventKind) error
 
-	TimeNowFn func() time.Time // defaults to dbtime.Now()
+	TimeNowFn       func() time.Time // defaults to dbtime.Now()
+	Metrics         *LifecycleMetrics
+	emitMetricsOnce sync.Once
 }
 
 func (a *LifecycleAPI) now() time.Time {
@@ -125,6 +128,17 @@ func (a *LifecycleAPI) UpdateLifecycle(ctx context.Context, req *agentproto.Upda
 		}
 	}
 
+	// Emit build duration metric when agent transitions to a terminal startup state.
+	// We only emit once per agent connection to avoid duplicate metrics.
+	switch lifecycleState {
+	case database.WorkspaceAgentLifecycleStateReady,
+		database.WorkspaceAgentLifecycleStateStartTimeout,
+		database.WorkspaceAgentLifecycleStateStartError:
+		a.emitMetricsOnce.Do(func() {
+			a.emitBuildDurationMetric(ctx, workspaceAgent.ResourceID)
+		})
+	}
+
 	return req.Lifecycle, nil
 }
 

coderd/agentapi/lifecycle_test.go

@@ -9,12 +9,14 @@ import (
 	"time"
 
 	"github.com/google/uuid"
+	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/mock/gomock"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	agentproto "github.com/coder/coder/v2/agent/proto"
 	"github.com/coder/coder/v2/coderd/agentapi"
+	"github.com/coder/coder/v2/coderd/coderdtest/promhelp"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbmock"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
@@ -22,6 +24,10 @@ import (
 	"github.com/coder/coder/v2/testutil"
 )
 
+// fullMetricName is the fully-qualified Prometheus metric name
+// (namespace + name) used for gathering in tests.
+const fullMetricName = "coderd_" + agentapi.BuildDurationMetricName
+
 func TestUpdateLifecycle(t *testing.T) {
 	t.Parallel()
 
@@ -30,6 +36,12 @@ func TestUpdateLifecycle(t *testing.T) {
 	someTime = dbtime.Time(someTime)
 	now := dbtime.Now()
 
+	// Fixed times for build duration metric assertions.
+	// The expected duration is exactly 90 seconds.
+	buildCreatedAt := dbtime.Time(time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC))
+	agentReadyAt := dbtime.Time(time.Date(2025, 1, 1, 0, 1, 30, 0, time.UTC))
+	expectedDuration := agentReadyAt.Sub(buildCreatedAt).Seconds() // 90.0
+
 	var (
 		workspaceID  = uuid.New()
 		agentCreated = database.WorkspaceAgent{
@@ -105,6 +117,19 @@ func TestUpdateLifecycle(t *testing.T) {
 				Valid: true,
 			},
 		}).Return(nil)
+		dbM.EXPECT().GetWorkspaceBuildMetricsByResourceID(gomock.Any(), agentStarting.ResourceID).Return(database.GetWorkspaceBuildMetricsByResourceIDRow{
+			CreatedAt:        buildCreatedAt,
+			Transition:       database.WorkspaceTransitionStart,
+			TemplateName:     "test-template",
+			OrganizationName: "test-org",
+			IsPrebuild:       false,
+			AllAgentsReady:   true,
+			LastAgentReadyAt: agentReadyAt,
+			WorstStatus:      "success",
+		}, nil)
+
+		reg := prometheus.NewRegistry()
+		metrics := agentapi.NewLifecycleMetrics(reg)
 
 		api := &agentapi.LifecycleAPI{
 			AgentFn: func(ctx context.Context) (database.WorkspaceAgent, error) {
@@ -113,6 +138,7 @@ func TestUpdateLifecycle(t *testing.T) {
 			WorkspaceID: workspaceID,
 			Database:    dbM,
 			Log:         testutil.Logger(t),
+			Metrics:     metrics,
 			// Test that nil publish fn works.
 			PublishWorkspaceUpdateFn: nil,
 		}
@@ -122,6 +148,16 @@ func TestUpdateLifecycle(t *testing.T) {
 		})
 		require.NoError(t, err)
 		require.Equal(t, lifecycle, resp)
+
+		got := promhelp.HistogramValue(t, reg, fullMetricName, prometheus.Labels{
+			"template_name":     "test-template",
+			"organization_name": "test-org",
+			"transition":        "start",
+			"status":            "success",
+			"is_prebuild":       "false",
+		})
+		require.Equal(t, uint64(1), got.GetSampleCount())
+		require.Equal(t, expectedDuration, got.GetSampleSum())
 	})
 
 	// This test jumps from CREATING to READY, skipping STARTED. Both the
@@ -147,8 +183,21 @@ func TestUpdateLifecycle(t *testing.T) {
 				Valid: true,
 			},
 		}).Return(nil)
+		dbM.EXPECT().GetWorkspaceBuildMetricsByResourceID(gomock.Any(), agentCreated.ResourceID).Return(database.GetWorkspaceBuildMetricsByResourceIDRow{
+			CreatedAt:        buildCreatedAt,
+			Transition:       database.WorkspaceTransitionStart,
+			TemplateName:     "test-template",
+			OrganizationName: "test-org",
+			IsPrebuild:       false,
+			AllAgentsReady:   true,
+			LastAgentReadyAt: agentReadyAt,
+			WorstStatus:      "success",
+		}, nil)
 
 		publishCalled := false
+		reg := prometheus.NewRegistry()
+		metrics := agentapi.NewLifecycleMetrics(reg)
+
 		api := &agentapi.LifecycleAPI{
 			AgentFn: func(ctx context.Context) (database.WorkspaceAgent, error) {
 				return agentCreated, nil
@@ -156,6 +205,7 @@ func TestUpdateLifecycle(t *testing.T) {
 			WorkspaceID: workspaceID,
 			Database:    dbM,
 			Log:         testutil.Logger(t),
+			Metrics:     metrics,
 			PublishWorkspaceUpdateFn: func(ctx context.Context, agent *database.WorkspaceAgent, kind wspubsub.WorkspaceEventKind) error {
 				publishCalled = true
 				return nil
@@ -168,6 +218,16 @@ func TestUpdateLifecycle(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, lifecycle, resp)
 		require.True(t, publishCalled)
+
+		got := promhelp.HistogramValue(t, reg, fullMetricName, prometheus.Labels{
+			"template_name":     "test-template",
+			"organization_name": "test-org",
+			"transition":        "start",
+			"status":            "success",
+			"is_prebuild":       "false",
+		})
+		require.Equal(t, uint64(1), got.GetSampleCount())
+		require.Equal(t, expectedDuration, got.GetSampleSum())
 	})
 
 	t.Run("NoTimeSpecified", func(t *testing.T) {
@@ -194,6 +254,19 @@ func TestUpdateLifecycle(t *testing.T) {
 				Valid: true,
 			},
 		})
+		dbM.EXPECT().GetWorkspaceBuildMetricsByResourceID(gomock.Any(), agentCreated.ResourceID).Return(database.GetWorkspaceBuildMetricsByResourceIDRow{
+			CreatedAt:        buildCreatedAt,
+			Transition:       database.WorkspaceTransitionStart,
+			TemplateName:     "test-template",
+			OrganizationName: "test-org",
+			IsPrebuild:       false,
+			AllAgentsReady:   true,
+			LastAgentReadyAt: agentReadyAt,
+			WorstStatus:      "success",
+		}, nil)
+
+		reg := prometheus.NewRegistry()
+		metrics := agentapi.NewLifecycleMetrics(reg)
 
 		api := &agentapi.LifecycleAPI{
 			AgentFn: func(ctx context.Context) (database.WorkspaceAgent, error) {
@@ -202,6 +275,7 @@ func TestUpdateLifecycle(t *testing.T) {
 			WorkspaceID:              workspaceID,
 			Database:                 dbM,
 			Log:                      testutil.Logger(t),
+			Metrics:                  metrics,
 			PublishWorkspaceUpdateFn: nil,
 			TimeNowFn: func() time.Time {
 				return now
@@ -213,6 +287,16 @@ func TestUpdateLifecycle(t *testing.T) {
 		})
 		require.NoError(t, err)
 		require.Equal(t, lifecycle, resp)
+
+		got := promhelp.HistogramValue(t, reg, fullMetricName, prometheus.Labels{
+			"template_name":     "test-template",
+			"organization_name": "test-org",
+			"transition":        "start",
+			"status":            "success",
+			"is_prebuild":       "false",
+		})
+		require.Equal(t, uint64(1), got.GetSampleCount())
+		require.Equal(t, expectedDuration, got.GetSampleSum())
 	})
 
 	t.Run("AllStates", func(t *testing.T) {
@@ -228,6 +312,9 @@ func TestUpdateLifecycle(t *testing.T) {
 		dbM := dbmock.NewMockStore(gomock.NewController(t))
 
 		var publishCalled int64
+		reg := prometheus.NewRegistry()
+		metrics := agentapi.NewLifecycleMetrics(reg)
+
 		api := &agentapi.LifecycleAPI{
 			AgentFn: func(ctx context.Context) (database.WorkspaceAgent, error) {
 				return agent, nil
@@ -235,6 +322,7 @@ func TestUpdateLifecycle(t *testing.T) {
 			WorkspaceID: workspaceID,
 			Database:    dbM,
 			Log:         testutil.Logger(t),
+			Metrics:     metrics,
 			PublishWorkspaceUpdateFn: func(ctx context.Context, agent *database.WorkspaceAgent, kind wspubsub.WorkspaceEventKind) error {
 				atomic.AddInt64(&publishCalled, 1)
 				return nil
@@ -277,6 +365,20 @@ func TestUpdateLifecycle(t *testing.T) {
 				ReadyAt:        expectedReadyAt,
 			}).Times(1).Return(nil)
 
+			// The first ready state triggers the build duration metric query.
+			if state == agentproto.Lifecycle_READY || state == agentproto.Lifecycle_START_TIMEOUT || state == agentproto.Lifecycle_START_ERROR {
+				dbM.EXPECT().GetWorkspaceBuildMetricsByResourceID(gomock.Any(), agent.ResourceID).Return(database.GetWorkspaceBuildMetricsByResourceIDRow{
+					CreatedAt:        someTime,
+					Transition:       database.WorkspaceTransitionStart,
+					TemplateName:     "test-template",
+					OrganizationName: "test-org",
+					IsPrebuild:       false,
+					AllAgentsReady:   true,
+					LastAgentReadyAt: stateNow,
+					WorstStatus:      "success",
+				}, nil).MaxTimes(1)
+			}
+
 			resp, err := api.UpdateLifecycle(context.Background(), &agentproto.UpdateLifecycleRequest{
 				Lifecycle: lifecycle,
 			})
@@ -322,6 +424,164 @@ func TestUpdateLifecycle(t *testing.T) {
 		require.Nil(t, resp)
 		require.False(t, publishCalled)
 	})
+
+	// Test that metric is NOT emitted when not all agents are ready (multi-agent case).
+	t.Run("MetricNotEmittedWhenNotAllAgentsReady", func(t *testing.T) {
+		t.Parallel()
+
+		lifecycle := &agentproto.Lifecycle{
+			State:     agentproto.Lifecycle_READY,
+			ChangedAt: timestamppb.New(now),
+		}
+
+		dbM := dbmock.NewMockStore(gomock.NewController(t))
+		dbM.EXPECT().UpdateWorkspaceAgentLifecycleStateByID(gomock.Any(), gomock.Any()).Return(nil)
+		// Return AllAgentsReady = false to simulate multi-agent case where not all are ready.
+		dbM.EXPECT().GetWorkspaceBuildMetricsByResourceID(gomock.Any(), agentStarting.ResourceID).Return(database.GetWorkspaceBuildMetricsByResourceIDRow{
+			CreatedAt:        someTime,
+			Transition:       database.WorkspaceTransitionStart,
+			TemplateName:     "test-template",
+			OrganizationName: "test-org",
+			IsPrebuild:       false,
+			AllAgentsReady:   false,       // Not all agents ready yet
+			LastAgentReadyAt: time.Time{}, // No ready time yet
+			WorstStatus:      "success",
+		}, nil)
+
+		reg := prometheus.NewRegistry()
+		metrics := agentapi.NewLifecycleMetrics(reg)
+
+		api := &agentapi.LifecycleAPI{
+			AgentFn: func(ctx context.Context) (database.WorkspaceAgent, error) {
+				return agentStarting, nil
+			},
+			WorkspaceID:              workspaceID,
+			Database:                 dbM,
+			Log:                      testutil.Logger(t),
+			Metrics:                  metrics,
+			PublishWorkspaceUpdateFn: nil,
+		}
+
+		resp, err := api.UpdateLifecycle(context.Background(), &agentproto.UpdateLifecycleRequest{
+			Lifecycle: lifecycle,
+		})
+		require.NoError(t, err)
+		require.Equal(t, lifecycle, resp)
+
+		require.Nil(t, promhelp.MetricValue(t, reg, fullMetricName, prometheus.Labels{
+			"template_name":     "test-template",
+			"organization_name": "test-org",
+			"transition":        "start",
+			"status":            "success",
+			"is_prebuild":       "false",
+		}), "metric should not be emitted when not all agents are ready")
+	})
+
+	// Test that prebuild label is "true" when owner is prebuild system user.
+	t.Run("PrebuildLabelTrue", func(t *testing.T) {
+		t.Parallel()
+
+		lifecycle := &agentproto.Lifecycle{
+			State:     agentproto.Lifecycle_READY,
+			ChangedAt: timestamppb.New(now),
+		}
+
+		dbM := dbmock.NewMockStore(gomock.NewController(t))
+		dbM.EXPECT().UpdateWorkspaceAgentLifecycleStateByID(gomock.Any(), gomock.Any()).Return(nil)
+		dbM.EXPECT().GetWorkspaceBuildMetricsByResourceID(gomock.Any(), agentStarting.ResourceID).Return(database.GetWorkspaceBuildMetricsByResourceIDRow{
+			CreatedAt:        buildCreatedAt,
+			Transition:       database.WorkspaceTransitionStart,
+			TemplateName:     "test-template",
+			OrganizationName: "test-org",
+			IsPrebuild:       true, // Prebuild workspace
+			AllAgentsReady:   true,
+			LastAgentReadyAt: agentReadyAt,
+			WorstStatus:      "success",
+		}, nil)
+
+		reg := prometheus.NewRegistry()
+		metrics := agentapi.NewLifecycleMetrics(reg)
+
+		api := &agentapi.LifecycleAPI{
+			AgentFn: func(ctx context.Context) (database.WorkspaceAgent, error) {
+				return agentStarting, nil
+			},
+			WorkspaceID:              workspaceID,
+			Database:                 dbM,
+			Log:                      testutil.Logger(t),
+			Metrics:                  metrics,
+			PublishWorkspaceUpdateFn: nil,
+		}
+
+		resp, err := api.UpdateLifecycle(context.Background(), &agentproto.UpdateLifecycleRequest{
+			Lifecycle: lifecycle,
+		})
+		require.NoError(t, err)
+		require.Equal(t, lifecycle, resp)
+
+		got := promhelp.HistogramValue(t, reg, fullMetricName, prometheus.Labels{
+			"template_name":     "test-template",
+			"organization_name": "test-org",
+			"transition":        "start",
+			"status":            "success",
+			"is_prebuild":       "true",
+		})
+		require.Equal(t, uint64(1), got.GetSampleCount())
+		require.Equal(t, expectedDuration, got.GetSampleSum())
+	})
+
+	// Test worst status is used when one agent has an error.
+	t.Run("WorstStatusError", func(t *testing.T) {
+		t.Parallel()
+
+		lifecycle := &agentproto.Lifecycle{
+			State:     agentproto.Lifecycle_READY,
+			ChangedAt: timestamppb.New(now),
+		}
+
+		dbM := dbmock.NewMockStore(gomock.NewController(t))
+		dbM.EXPECT().UpdateWorkspaceAgentLifecycleStateByID(gomock.Any(), gomock.Any()).Return(nil)
+		dbM.EXPECT().GetWorkspaceBuildMetricsByResourceID(gomock.Any(), agentStarting.ResourceID).Return(database.GetWorkspaceBuildMetricsByResourceIDRow{
+			CreatedAt:        buildCreatedAt,
+			Transition:       database.WorkspaceTransitionStart,
+			TemplateName:     "test-template",
+			OrganizationName: "test-org",
+			IsPrebuild:       false,
+			AllAgentsReady:   true,
+			LastAgentReadyAt: agentReadyAt,
+			WorstStatus:      "error", // One agent had an error
+		}, nil)
+
+		reg := prometheus.NewRegistry()
+		metrics := agentapi.NewLifecycleMetrics(reg)
+
+		api := &agentapi.LifecycleAPI{
+			AgentFn: func(ctx context.Context) (database.WorkspaceAgent, error) {
+				return agentStarting, nil
+			},
+			WorkspaceID:              workspaceID,
+			Database:                 dbM,
+			Log:                      testutil.Logger(t),
+			Metrics:                  metrics,
+			PublishWorkspaceUpdateFn: nil,
+		}
+
+		resp, err := api.UpdateLifecycle(context.Background(), &agentproto.UpdateLifecycleRequest{
+			Lifecycle: lifecycle,
+		})
+		require.NoError(t, err)
+		require.Equal(t, lifecycle, resp)
+
+		got := promhelp.HistogramValue(t, reg, fullMetricName, prometheus.Labels{
+			"template_name":     "test-template",
+			"organization_name": "test-org",
+			"transition":        "start",
+			"status":            "error",
+			"is_prebuild":       "false",
+		})
+		require.Equal(t, uint64(1), got.GetSampleCount())
+		require.Equal(t, expectedDuration, got.GetSampleSum())
+	})
 }
 
 func TestUpdateStartup(t *testing.T) {

coderd/agentapi/manifest.go

@@ -249,11 +249,17 @@ func dbAppToProto(dbApp database.WorkspaceApp, agent database.WorkspaceAgent, ow
 func dbAgentDevcontainersToProto(devcontainers []database.WorkspaceAgentDevcontainer) []*agentproto.WorkspaceAgentDevcontainer {
 	ret := make([]*agentproto.WorkspaceAgentDevcontainer, len(devcontainers))
 	for i, dc := range devcontainers {
+		var subagentID []byte
+		if dc.SubagentID.Valid {
+			subagentID = dc.SubagentID.UUID[:]
+		}
+
 		ret[i] = &agentproto.WorkspaceAgentDevcontainer{
 			Id:              dc.ID[:],
 			Name:            dc.Name,
 			WorkspaceFolder: dc.WorkspaceFolder,
 			ConfigPath:      dc.ConfigPath,
+			SubagentId:      subagentID,
 		}
 	}
 	return ret

coderd/agentapi/metrics.go

@@ -0,0 +1,97 @@
+package agentapi
+
+import (
+	"context"
+	"strconv"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/prometheus/client_golang/prometheus"
+
+	"cdr.dev/slog/v3"
+)
+
+// BuildDurationMetricName is the short name for the end-to-end
+// workspace build duration histogram. The full metric name is
+// prefixed with the namespace "coderd_".
+const BuildDurationMetricName = "template_workspace_build_duration_seconds"
+
+// LifecycleMetrics contains Prometheus metrics for the lifecycle API.
+type LifecycleMetrics struct {
+	BuildDuration *prometheus.HistogramVec
+}
+
+// NewLifecycleMetrics creates and registers all lifecycle-related
+// Prometheus metrics.
+//
+// The build duration histogram tracks the end-to-end duration from
+// workspace build creation to agent ready, by template. It is
+// recorded by the coderd replica handling the agent's connection
+// when the last agent reports ready. In multi-replica deployments,
+// each replica only has observations for agents it handles.
+//
+// The "is_prebuild" label distinguishes prebuild creation (background,
+// no user waiting) from user-initiated builds (regular workspace
+// creation or prebuild claims).
+func NewLifecycleMetrics(reg prometheus.Registerer) *LifecycleMetrics {
+	m := &LifecycleMetrics{
+		BuildDuration: prometheus.NewHistogramVec(prometheus.HistogramOpts{
+			Namespace: "coderd",
+			Name:      BuildDurationMetricName,
+			Help:      "Duration from workspace build creation to agent ready, by template.",
+			Buckets: []float64{
+				1, // 1s
+				10,
+				30,
+				60, // 1min
+				60 * 5,
+				60 * 10,
+				60 * 30, // 30min
+				60 * 60, // 1hr
+			},
+			NativeHistogramBucketFactor:     1.1,
+			NativeHistogramMaxBucketNumber:  100,
+			NativeHistogramMinResetDuration: time.Hour,
+		}, []string{"template_name", "organization_name", "transition", "status", "is_prebuild"}),
+	}
+	reg.MustRegister(m.BuildDuration)
+	return m
+}
+
+// emitBuildDurationMetric records the end-to-end workspace build
+// duration from build creation to when all agents are ready.
+func (a *LifecycleAPI) emitBuildDurationMetric(ctx context.Context, resourceID uuid.UUID) {
+	if a.Metrics == nil {
+		return
+	}
+
+	buildInfo, err := a.Database.GetWorkspaceBuildMetricsByResourceID(ctx, resourceID)
+	if err != nil {
+		a.Log.Warn(ctx, "failed to get build info for metrics", slog.Error(err))
+		return
+	}
+
+	// Wait until all agents have reached a terminal startup state.
+	if !buildInfo.AllAgentsReady {
+		return
+	}
+
+	// LastAgentReadyAt is the MAX(ready_at) across all agents. Since
+	// we only get here when AllAgentsReady is true, this should always
+	// be valid.
+	if buildInfo.LastAgentReadyAt.IsZero() {
+		a.Log.Warn(ctx, "last_agent_ready_at is unexpectedly zero",
+			slog.F("last_agent_ready_at", buildInfo.LastAgentReadyAt))
+		return
+	}
+
+	duration := buildInfo.LastAgentReadyAt.Sub(buildInfo.CreatedAt).Seconds()
+
+	a.Metrics.BuildDuration.WithLabelValues(
+		buildInfo.TemplateName,
+		buildInfo.OrganizationName,
+		string(buildInfo.Transition),
+		buildInfo.WorstStatus,
+		strconv.FormatBool(buildInfo.IsPrebuild),
+	).Observe(duration)
+}

coderd/agentapi/subagent.go

@@ -37,25 +37,6 @@ func (a *SubAgentAPI) CreateSubAgent(ctx context.Context, req *agentproto.Create
 	//nolint:gocritic // This gives us only the permissions required to do the job.
 	ctx = dbauthz.AsSubAgentAPI(ctx, a.OrganizationID, a.OwnerID)
 
-	parentAgent, err := a.AgentFn(ctx)
-	if err != nil {
-		return nil, xerrors.Errorf("get parent agent: %w", err)
-	}
-
-	agentName := req.Name
-	if agentName == "" {
-		return nil, codersdk.ValidationError{
-			Field:  "name",
-			Detail: "agent name cannot be empty",
-		}
-	}
-	if !provisioner.AgentNameRegex.MatchString(agentName) {
-		return nil, codersdk.ValidationError{
-			Field:  "name",
-			Detail: fmt.Sprintf("agent name %q does not match regex %q", agentName, provisioner.AgentNameRegex),
-		}
-	}
-
 	createdAt := a.Clock.Now()
 
 	displayApps := make([]database.DisplayApp, 0, len(req.DisplayApps))
@@ -83,6 +64,62 @@ func (a *SubAgentAPI) CreateSubAgent(ctx context.Context, req *agentproto.Create
 		displayApps = append(displayApps, app)
 	}
 
+	parentAgent, err := a.AgentFn(ctx)
+	if err != nil {
+		return nil, xerrors.Errorf("get parent agent: %w", err)
+	}
+
+	// An ID is only given in the request when it is a terraform-defined devcontainer
+	// that has attached resources. These subagents are pre-provisioned by terraform
+	// (the agent record already exists), so we update configurable fields like
+	// display_apps rather than creating a new agent.
+	if req.Id != nil {
+		id, err := uuid.FromBytes(req.Id)
+		if err != nil {
+			return nil, xerrors.Errorf("parse agent id: %w", err)
+		}
+
+		subAgent, err := a.Database.GetWorkspaceAgentByID(ctx, id)
+		if err != nil {
+			return nil, xerrors.Errorf("get workspace agent by id: %w", err)
+		}
+
+		// Validate that the subagent belongs to the current parent agent to
+		// prevent updating subagents from other agents within the same workspace.
+		if !subAgent.ParentID.Valid || subAgent.ParentID.UUID != parentAgent.ID {
+			return nil, xerrors.Errorf("subagent does not belong to this parent agent")
+		}
+
+		if err := a.Database.UpdateWorkspaceAgentDisplayAppsByID(ctx, database.UpdateWorkspaceAgentDisplayAppsByIDParams{
+			ID:          id,
+			DisplayApps: displayApps,
+			UpdatedAt:   createdAt,
+		}); err != nil {
+			return nil, xerrors.Errorf("update workspace agent display apps: %w", err)
+		}
+
+		return &agentproto.CreateSubAgentResponse{
+			Agent: &agentproto.SubAgent{
+				Name:      subAgent.Name,
+				Id:        subAgent.ID[:],
+				AuthToken: subAgent.AuthToken[:],
+			},
+		}, nil
+	}
+
+	agentName := req.Name
+	if agentName == "" {
+		return nil, codersdk.ValidationError{
+			Field:  "name",
+			Detail: "agent name cannot be empty",
+		}
+	}
+	if !provisioner.AgentNameRegex.MatchString(agentName) {
+		return nil, codersdk.ValidationError{
+			Field:  "name",
+			Detail: fmt.Sprintf("agent name %q does not match regex %q", agentName, provisioner.AgentNameRegex),
+		}
+	}
 	subAgent, err := a.Database.InsertWorkspaceAgent(ctx, database.InsertWorkspaceAgentParams{
 		ID:                       uuid.New(),
 		ParentID:                 uuid.NullUUID{Valid: true, UUID: parentAgent.ID},

coderd/agentapi/subagent_test.go

@@ -1132,6 +1132,225 @@ func TestSubAgentAPI(t *testing.T) {
 		require.Equal(t, "Custom App", apps[0].DisplayName)
 	})
 
+	t.Run("CreateSubAgentUpdatesExisting", func(t *testing.T) {
+		t.Parallel()
+
+		baseChildAgent := database.WorkspaceAgent{
+			Name:            "existing-child-agent",
+			Directory:       "/workspaces/test",
+			Architecture:    "amd64",
+			OperatingSystem: "linux",
+			DisplayApps:     []database.DisplayApp{database.DisplayAppVscode},
+		}
+
+		type testCase struct {
+			name    string
+			setup   func(t *testing.T, db database.Store, agent database.WorkspaceAgent) *proto.CreateSubAgentRequest
+			wantErr string
+			check   func(t *testing.T, ctx context.Context, db database.Store, resp *proto.CreateSubAgentResponse, agent database.WorkspaceAgent)
+		}
+
+		tests := []testCase{
+			{
+				name: "OK",
+				setup: func(t *testing.T, db database.Store, agent database.WorkspaceAgent) *proto.CreateSubAgentRequest {
+					// Given: An existing child agent with some display apps.
+					childAgent := dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{
+						ParentID:        uuid.NullUUID{Valid: true, UUID: agent.ID},
+						ResourceID:      agent.ResourceID,
+						Name:            baseChildAgent.Name,
+						Directory:       baseChildAgent.Directory,
+						Architecture:    baseChildAgent.Architecture,
+						OperatingSystem: baseChildAgent.OperatingSystem,
+						DisplayApps:     baseChildAgent.DisplayApps,
+					})
+
+					// When: We call CreateSubAgent with the existing agent's ID and new display apps.
+					return &proto.CreateSubAgentRequest{
+						Id: childAgent.ID[:],
+						DisplayApps: []proto.CreateSubAgentRequest_DisplayApp{
+							proto.CreateSubAgentRequest_WEB_TERMINAL,
+							proto.CreateSubAgentRequest_SSH_HELPER,
+						},
+					}
+				},
+				check: func(t *testing.T, ctx context.Context, db database.Store, resp *proto.CreateSubAgentResponse, agent database.WorkspaceAgent) {
+					// Then: The response contains the existing agent's details.
+					require.NotNil(t, resp.Agent)
+					require.Equal(t, baseChildAgent.Name, resp.Agent.Name)
+
+					agentID, err := uuid.FromBytes(resp.Agent.Id)
+					require.NoError(t, err)
+
+					// And: The database agent's display apps are updated.
+					updatedAgent, err := db.GetWorkspaceAgentByID(dbauthz.AsSystemRestricted(ctx), agentID)
+					require.NoError(t, err)
+					require.Len(t, updatedAgent.DisplayApps, 2)
+					require.Contains(t, updatedAgent.DisplayApps, database.DisplayAppWebTerminal)
+					require.Contains(t, updatedAgent.DisplayApps, database.DisplayAppSSHHelper)
+				},
+			},
+			{
+				name: "OK_OtherFieldsNotModified",
+				setup: func(t *testing.T, db database.Store, agent database.WorkspaceAgent) *proto.CreateSubAgentRequest {
+					// Given: An existing child agent with specific properties.
+					childAgent := dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{
+						ParentID:        uuid.NullUUID{Valid: true, UUID: agent.ID},
+						ResourceID:      agent.ResourceID,
+						Name:            baseChildAgent.Name,
+						Directory:       baseChildAgent.Directory,
+						Architecture:    baseChildAgent.Architecture,
+						OperatingSystem: baseChildAgent.OperatingSystem,
+						DisplayApps:     baseChildAgent.DisplayApps,
+					})
+
+					// When: We call CreateSubAgent with different values for name, directory, arch, and OS.
+					return &proto.CreateSubAgentRequest{
+						Id:              childAgent.ID[:],
+						Name:            "different-name",
+						Directory:       "/different/path",
+						Architecture:    "arm64",
+						OperatingSystem: "darwin",
+						DisplayApps: []proto.CreateSubAgentRequest_DisplayApp{
+							proto.CreateSubAgentRequest_WEB_TERMINAL,
+						},
+					}
+				},
+				check: func(t *testing.T, ctx context.Context, db database.Store, resp *proto.CreateSubAgentResponse, agent database.WorkspaceAgent) {
+					// Then: The response contains the original agent name, not the new one.
+					require.NotNil(t, resp.Agent)
+					require.Equal(t, baseChildAgent.Name, resp.Agent.Name)
+
+					agentID, err := uuid.FromBytes(resp.Agent.Id)
+					require.NoError(t, err)
+
+					// And: The database agent's other fields are unchanged.
+					updatedAgent, err := db.GetWorkspaceAgentByID(dbauthz.AsSystemRestricted(ctx), agentID)
+					require.NoError(t, err)
+					require.Equal(t, baseChildAgent.Name, updatedAgent.Name)
+					require.Equal(t, baseChildAgent.Directory, updatedAgent.Directory)
+					require.Equal(t, baseChildAgent.Architecture, updatedAgent.Architecture)
+					require.Equal(t, baseChildAgent.OperatingSystem, updatedAgent.OperatingSystem)
+
+					// But display apps should be updated.
+					require.Len(t, updatedAgent.DisplayApps, 1)
+					require.Equal(t, database.DisplayAppWebTerminal, updatedAgent.DisplayApps[0])
+				},
+			},
+			{
+				name: "Error/MalformedID",
+				setup: func(t *testing.T, db database.Store, agent database.WorkspaceAgent) *proto.CreateSubAgentRequest {
+					// When: We call CreateSubAgent with malformed ID bytes (not 16 bytes).
+					// uuid.FromBytes requires exactly 16 bytes, so we provide fewer.
+					return &proto.CreateSubAgentRequest{
+						Id: []byte("short"),
+					}
+				},
+				wantErr: "parse agent id",
+			},
+			{
+				name: "Error/AgentNotFound",
+				setup: func(t *testing.T, db database.Store, agent database.WorkspaceAgent) *proto.CreateSubAgentRequest {
+					// When: We call CreateSubAgent with a non-existent agent ID.
+					nonExistentID := uuid.New()
+					return &proto.CreateSubAgentRequest{
+						Id: nonExistentID[:],
+					}
+				},
+				wantErr: "get workspace agent by id",
+			},
+			{
+				name: "Error/ParentMismatch",
+				setup: func(t *testing.T, db database.Store, agent database.WorkspaceAgent) *proto.CreateSubAgentRequest {
+					// Create a second agent (sibling) within the same workspace/resource.
+					// This sibling has a different parent ID (or no parent).
+					siblingAgent := dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{
+						ParentID:        uuid.NullUUID{Valid: false}, // No parent - it's a top-level agent
+						ResourceID:      agent.ResourceID,
+						Name:            "sibling-agent",
+						Directory:       "/workspaces/sibling",
+						Architecture:    "amd64",
+						OperatingSystem: "linux",
+					})
+
+					// Create a child of the sibling agent (not our agent).
+					childOfSibling := dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{
+						ParentID:        uuid.NullUUID{Valid: true, UUID: siblingAgent.ID},
+						ResourceID:      agent.ResourceID,
+						Name:            "child-of-sibling",
+						Directory:       "/workspaces/test",
+						Architecture:    "amd64",
+						OperatingSystem: "linux",
+					})
+
+					// When: Our API (which is for `agent`) tries to update the child of `siblingAgent`.
+					return &proto.CreateSubAgentRequest{
+						Id: childOfSibling.ID[:],
+						DisplayApps: []proto.CreateSubAgentRequest_DisplayApp{
+							proto.CreateSubAgentRequest_VSCODE,
+						},
+					}
+				},
+				wantErr: "subagent does not belong to this parent agent",
+			},
+
+			{
+				name: "Error/NoParentID",
+				setup: func(t *testing.T, db database.Store, agent database.WorkspaceAgent) *proto.CreateSubAgentRequest {
+					// Given: An agent without a parent (a top-level agent).
+					topLevelAgent := dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{
+						ParentID:        uuid.NullUUID{Valid: false}, // No parent
+						ResourceID:      agent.ResourceID,
+						Name:            "top-level-agent",
+						Directory:       "/workspaces/test",
+						Architecture:    "amd64",
+						OperatingSystem: "linux",
+					})
+
+					// When: We try to update this agent as if it were a subagent.
+					return &proto.CreateSubAgentRequest{
+						Id: topLevelAgent.ID[:],
+						DisplayApps: []proto.CreateSubAgentRequest_DisplayApp{
+							proto.CreateSubAgentRequest_VSCODE,
+						},
+					}
+				},
+				wantErr: "subagent does not belong to this parent agent",
+			},
+		}
+
+		for _, tc := range tests {
+			tc := tc
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				var (
+					log   = testutil.Logger(t)
+					clock = quartz.NewMock(t)
+
+					db, org     = newDatabaseWithOrg(t)
+					user, agent = newUserWithWorkspaceAgent(t, db, org)
+					api         = newAgentAPI(t, log, db, clock, user, org, agent)
+				)
+
+				req := tc.setup(t, db, agent)
+				ctx := testutil.Context(t, testutil.WaitShort)
+				resp, err := api.CreateSubAgent(ctx, req)
+
+				if tc.wantErr != "" {
+					require.Error(t, err)
+					require.Contains(t, err.Error(), tc.wantErr)
+					return
+				}
+
+				require.NoError(t, err)
+				if tc.check != nil {
+					tc.check(t, ctx, db, resp, agent)
+				}
+			})
+		}
+	})
+
 	t.Run("ListSubAgents", func(t *testing.T) {
 		t.Parallel()
 

coderd/aitasks.go

@@ -977,10 +977,27 @@ func (api *API) authAndDoWithTaskAppClient(
 	ctx := r.Context()
 
 	if task.Status != database.TaskStatusActive {
-		return httperror.NewResponseError(http.StatusBadRequest, codersdk.Response{
-			Message: "Task status must be active.",
-			Detail:  fmt.Sprintf("Task status is %q, it must be %q to interact with the task.", task.Status, codersdk.TaskStatusActive),
-		})
+		// Return 409 Conflict for valid requests blocked by current state
+		// (pending/initializing are transitional, paused requires resume).
+		// Return 400 Bad Request for error/unknown states.
+		switch task.Status {
+		case database.TaskStatusPending, database.TaskStatusInitializing:
+			return httperror.NewResponseError(http.StatusConflict, codersdk.Response{
+				Message: fmt.Sprintf("Task is %s.", task.Status),
+				Detail:  "The task is resuming. Wait for the task to become active before sending messages.",
+			})
+		case database.TaskStatusPaused:
+			return httperror.NewResponseError(http.StatusConflict, codersdk.Response{
+				Message: "Task is paused.",
+				Detail:  "Resume the task to send messages.",
+			})
+		default:
+			// Default handler for error and unknown status.
+			return httperror.NewResponseError(http.StatusBadRequest, codersdk.Response{
+				Message: "Task must be active.",
+				Detail:  fmt.Sprintf("Task status is %q, it must be %q to interact with the task.", task.Status, codersdk.TaskStatusActive),
+			})
+		}
 	}
 	if !task.WorkspaceID.Valid {
 		return httperror.NewResponseError(http.StatusBadRequest, codersdk.Response{
@@ -1227,3 +1244,63 @@ func (api *API) postWorkspaceAgentTaskLogSnapshot(rw http.ResponseWriter, r *htt
 
 	rw.WriteHeader(http.StatusNoContent)
 }
+
+// @Summary Pause task
+// @ID pause-task
+// @Security CoderSessionToken
+// @Accept json
+// @Tags Tasks
+// @Param user path string true "Username, user ID, or 'me' for the authenticated user"
+// @Param task path string true "Task ID" format(uuid)
+// @Success 202 {object} codersdk.PauseTaskResponse
+// @Router /tasks/{user}/{task}/pause [post]
+func (api *API) pauseTask(rw http.ResponseWriter, r *http.Request) {
+	var (
+		ctx    = r.Context()
+		apiKey = httpmw.APIKey(r)
+		task   = httpmw.TaskParam(r)
+	)
+
+	if !task.WorkspaceID.Valid {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Task does not have a workspace.",
+		})
+		return
+	}
+
+	workspace, err := api.Database.GetWorkspaceByID(ctx, task.WorkspaceID.UUID)
+	if err != nil {
+		if httpapi.Is404Error(err) {
+			httpapi.ResourceNotFound(rw)
+			return
+		}
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error fetching task workspace.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	buildReq := codersdk.CreateWorkspaceBuildRequest{
+		Transition: codersdk.WorkspaceTransitionStop,
+		Reason:     codersdk.CreateWorkspaceBuildReasonTaskManualPause,
+	}
+	build, err := api.postWorkspaceBuildsInternal(
+		ctx,
+		apiKey,
+		workspace,
+		buildReq,
+		func(action policy.Action, object rbac.Objecter) bool {
+			return api.Authorize(r, action, object)
+		},
+		audit.WorkspaceBuildBaggageFromRequest(r),
+	)
+	if err != nil {
+		httperror.WriteWorkspaceBuildError(ctx, rw, err)
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusAccepted, codersdk.PauseTaskResponse{
+		WorkspaceBuild: &build,
+	})
+}

coderd/aitasks_test.go

@@ -16,6 +16,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/xerrors"
 
 	agentapisdk "github.com/coder/agentapi-sdk-go"
 	"github.com/coder/coder/v2/agent"
@@ -26,10 +27,14 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbfake"
 	"github.com/coder/coder/v2/coderd/database/dbgen"
+	"github.com/coder/coder/v2/coderd/database/dbtestutil"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
+	"github.com/coder/coder/v2/coderd/database/pubsub"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/notifications"
 	"github.com/coder/coder/v2/coderd/notifications/notificationstest"
+	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/util/slice"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/agentsdk"
@@ -39,6 +44,96 @@ import (
 	"github.com/coder/quartz"
 )
 
+// createTaskInState is a helper to create a task in the desired state.
+// It returns a function that takes context, test, and status, and returns the task ID.
+// The caller is responsible for setting up the database, owner, and user.
+func createTaskInState(db database.Store, ownerSubject rbac.Subject, ownerOrgID, userID uuid.UUID) func(context.Context, *testing.T, database.TaskStatus) uuid.UUID {
+	return func(ctx context.Context, t *testing.T, status database.TaskStatus) uuid.UUID {
+		ctx = dbauthz.As(ctx, ownerSubject)
+
+		builder := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+			OrganizationID: ownerOrgID,
+			OwnerID:        userID,
+		}).
+			WithTask(database.TaskTable{
+				OrganizationID: ownerOrgID,
+				OwnerID:        userID,
+			}, nil)
+
+		switch status {
+		case database.TaskStatusPending:
+			builder = builder.Pending()
+		case database.TaskStatusInitializing:
+			builder = builder.Starting()
+		case database.TaskStatusPaused:
+			builder = builder.Seed(database.WorkspaceBuild{
+				Transition: database.WorkspaceTransitionStop,
+			})
+		case database.TaskStatusError:
+			// For error state, create a completed build then manipulate app health.
+		default:
+			require.Fail(t, "unsupported task status in test helper", "status: %s", status)
+		}
+
+		resp := builder.Do()
+		taskID := resp.Task.ID
+
+		// Post-process by manipulating agent and app state.
+		if status == database.TaskStatusError {
+			// First, set agent to ready state so agent_status returns 'active'.
+			// This ensures the cascade reaches app_status.
+			err := db.UpdateWorkspaceAgentLifecycleStateByID(ctx, database.UpdateWorkspaceAgentLifecycleStateByIDParams{
+				ID:             resp.Agents[0].ID,
+				LifecycleState: database.WorkspaceAgentLifecycleStateReady,
+			})
+			require.NoError(t, err)
+
+			// Then set workspace app health to unhealthy to trigger error state.
+			apps, err := db.GetWorkspaceAppsByAgentID(ctx, resp.Agents[0].ID)
+			require.NoError(t, err)
+			require.Len(t, apps, 1, "expected exactly one app for task")
+
+			err = db.UpdateWorkspaceAppHealthByID(ctx, database.UpdateWorkspaceAppHealthByIDParams{
+				ID:     apps[0].ID,
+				Health: database.WorkspaceAppHealthUnhealthy,
+			})
+			require.NoError(t, err)
+		}
+
+		return taskID
+	}
+}
+
+type aiTaskStoreWrapper struct {
+	database.Store
+	getWorkspaceByID     func(ctx context.Context, id uuid.UUID) (database.Workspace, error)
+	insertWorkspaceBuild func(ctx context.Context, arg database.InsertWorkspaceBuildParams) error
+}
+
+func (s aiTaskStoreWrapper) GetWorkspaceByID(ctx context.Context, id uuid.UUID) (database.Workspace, error) {
+	if s.getWorkspaceByID != nil {
+		return s.getWorkspaceByID(ctx, id)
+	}
+	return s.Store.GetWorkspaceByID(ctx, id)
+}
+
+func (s aiTaskStoreWrapper) InsertWorkspaceBuild(ctx context.Context, arg database.InsertWorkspaceBuildParams) error {
+	if s.insertWorkspaceBuild != nil {
+		return s.insertWorkspaceBuild(ctx, arg)
+	}
+	return s.Store.InsertWorkspaceBuild(ctx, arg)
+}
+
+func (s aiTaskStoreWrapper) InTx(fn func(database.Store) error, opts *database.TxOptions) error {
+	return s.Store.InTx(func(tx database.Store) error {
+		return fn(aiTaskStoreWrapper{
+			Store:                tx,
+			getWorkspaceByID:     s.getWorkspaceByID,
+			insertWorkspaceBuild: s.insertWorkspaceBuild,
+		})
+	}, opts)
+}
+
 func TestTasks(t *testing.T) {
 	t.Parallel()
 
@@ -398,6 +493,144 @@ func TestTasks(t *testing.T) {
 			require.NoError(t, err, "should be possible to delete a task with no workspace")
 		})
 
+		t.Run("SnapshotCleanupOnDeletion", func(t *testing.T) {
+			t.Parallel()
+
+			client, db := coderdtest.NewWithDatabase(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+			user := coderdtest.CreateFirstUser(t, client)
+			template := createAITemplate(t, client, user)
+
+			ctx := testutil.Context(t, testutil.WaitLong)
+
+			userObj, err := client.User(ctx, user.UserID.String())
+			require.NoError(t, err)
+			userSubject := coderdtest.AuthzUserSubject(userObj)
+
+			task, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+				TemplateVersionID: template.ActiveVersionID,
+				Input:             "delete me with snapshot",
+			})
+			require.NoError(t, err)
+			ws, err := client.Workspace(ctx, task.WorkspaceID.UUID)
+			require.NoError(t, err)
+			coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
+
+			// Create a snapshot for the task.
+			snapshotJSON := `{"format":"agentapi","data":{"messages":[{"role":"user","content":"test"}]}}`
+			err = db.UpsertTaskSnapshot(dbauthz.As(ctx, userSubject), database.UpsertTaskSnapshotParams{
+				TaskID:               task.ID,
+				LogSnapshot:          json.RawMessage(snapshotJSON),
+				LogSnapshotCreatedAt: dbtime.Now(),
+			})
+			require.NoError(t, err)
+
+			// Verify snapshot exists.
+			_, err = db.GetTaskSnapshot(dbauthz.As(ctx, userSubject), task.ID)
+			require.NoError(t, err)
+
+			// Delete the task.
+			err = client.DeleteTask(ctx, "me", task.ID)
+			require.NoError(t, err, "delete task request should be accepted")
+
+			// Verify snapshot no longer exists.
+			_, err = db.GetTaskSnapshot(dbauthz.As(ctx, userSubject), task.ID)
+			require.ErrorIs(t, err, sql.ErrNoRows, "snapshot should be deleted with task")
+		})
+
+		t.Run("DeletionWithoutSnapshot", func(t *testing.T) {
+			t.Parallel()
+
+			client, db := coderdtest.NewWithDatabase(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+			user := coderdtest.CreateFirstUser(t, client)
+			template := createAITemplate(t, client, user)
+
+			ctx := testutil.Context(t, testutil.WaitLong)
+
+			userObj, err := client.User(ctx, user.UserID.String())
+			require.NoError(t, err)
+			userSubject := coderdtest.AuthzUserSubject(userObj)
+
+			task, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+				TemplateVersionID: template.ActiveVersionID,
+				Input:             "delete me without snapshot",
+			})
+			require.NoError(t, err)
+			ws, err := client.Workspace(ctx, task.WorkspaceID.UUID)
+			require.NoError(t, err)
+			coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
+
+			// Verify no snapshot exists.
+			_, err = db.GetTaskSnapshot(dbauthz.As(ctx, userSubject), task.ID)
+			require.ErrorIs(t, err, sql.ErrNoRows, "snapshot should not exist initially")
+
+			// Delete the task (should succeed even without snapshot).
+			err = client.DeleteTask(ctx, "me", task.ID)
+			require.NoError(t, err, "delete task should succeed even without snapshot")
+		})
+
+		t.Run("PreservesOtherTaskSnapshots", func(t *testing.T) {
+			t.Parallel()
+
+			client, db := coderdtest.NewWithDatabase(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+			user := coderdtest.CreateFirstUser(t, client)
+			template := createAITemplate(t, client, user)
+
+			ctx := testutil.Context(t, testutil.WaitLong)
+
+			userObj, err := client.User(ctx, user.UserID.String())
+			require.NoError(t, err)
+			userSubject := coderdtest.AuthzUserSubject(userObj)
+
+			// Create task A.
+			taskA, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+				TemplateVersionID: template.ActiveVersionID,
+				Input:             "task A",
+			})
+			require.NoError(t, err)
+			wsA, err := client.Workspace(ctx, taskA.WorkspaceID.UUID)
+			require.NoError(t, err)
+			coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, wsA.LatestBuild.ID)
+
+			// Create task B.
+			taskB, err := client.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+				TemplateVersionID: template.ActiveVersionID,
+				Input:             "task B",
+			})
+			require.NoError(t, err)
+			wsB, err := client.Workspace(ctx, taskB.WorkspaceID.UUID)
+			require.NoError(t, err)
+			coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, wsB.LatestBuild.ID)
+
+			// Create snapshots for both tasks.
+			snapshotJSONA := `{"format":"agentapi","data":{"messages":[{"role":"user","content":"task A"}]}}`
+			err = db.UpsertTaskSnapshot(dbauthz.As(ctx, userSubject), database.UpsertTaskSnapshotParams{
+				TaskID:               taskA.ID,
+				LogSnapshot:          json.RawMessage(snapshotJSONA),
+				LogSnapshotCreatedAt: dbtime.Now(),
+			})
+			require.NoError(t, err)
+
+			snapshotJSONB := `{"format":"agentapi","data":{"messages":[{"role":"user","content":"task B"}]}}`
+			err = db.UpsertTaskSnapshot(dbauthz.As(ctx, userSubject), database.UpsertTaskSnapshotParams{
+				TaskID:               taskB.ID,
+				LogSnapshot:          json.RawMessage(snapshotJSONB),
+				LogSnapshotCreatedAt: dbtime.Now(),
+			})
+			require.NoError(t, err)
+
+			// Delete task A.
+			err = client.DeleteTask(ctx, "me", taskA.ID)
+			require.NoError(t, err, "delete task A should succeed")
+
+			// Verify task A's snapshot is removed.
+			_, err = db.GetTaskSnapshot(dbauthz.As(ctx, userSubject), taskA.ID)
+			require.ErrorIs(t, err, sql.ErrNoRows, "task A snapshot should be deleted")
+
+			// Verify task B's snapshot still exists.
+			_, err = db.GetTaskSnapshot(dbauthz.As(ctx, userSubject), taskB.ID)
+			require.NoError(t, err, "task B snapshot should still exist")
+		})
+
 		t.Run("DeletingTaskWorkspaceDeletesTask", func(t *testing.T) {
 			t.Parallel()
 
@@ -591,6 +824,94 @@ func TestTasks(t *testing.T) {
 			require.ErrorAs(t, err, &sdkErr)
 			require.Equal(t, http.StatusNotFound, sdkErr.StatusCode())
 		})
+
+		t.Run("SendToNonActiveStates", func(t *testing.T) {
+			t.Parallel()
+
+			client, db := coderdtest.NewWithDatabase(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+			owner := coderdtest.CreateFirstUser(t, client)
+			ctx := testutil.Context(t, testutil.WaitMedium)
+
+			ownerUser, err := client.User(ctx, owner.UserID.String())
+			require.NoError(t, err)
+			ownerSubject := coderdtest.AuthzUserSubject(ownerUser)
+
+			// Create a regular user for task ownership.
+			_, user := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+
+			createTask := createTaskInState(db, ownerSubject, owner.OrganizationID, user.ID)
+
+			t.Run("Paused", func(t *testing.T) {
+				t.Parallel()
+
+				ctx := testutil.Context(t, testutil.WaitMedium)
+				taskID := createTask(ctx, t, database.TaskStatusPaused)
+
+				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
+					Input: "Hello",
+				})
+
+				var sdkErr *codersdk.Error
+				require.Error(t, err)
+				require.ErrorAs(t, err, &sdkErr)
+				require.Equal(t, http.StatusConflict, sdkErr.StatusCode())
+				require.Contains(t, sdkErr.Message, "paused")
+				require.Contains(t, sdkErr.Detail, "Resume")
+			})
+
+			t.Run("Initializing", func(t *testing.T) {
+				t.Parallel()
+
+				ctx := testutil.Context(t, testutil.WaitMedium)
+				taskID := createTask(ctx, t, database.TaskStatusInitializing)
+
+				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
+					Input: "Hello",
+				})
+
+				var sdkErr *codersdk.Error
+				require.Error(t, err)
+				require.ErrorAs(t, err, &sdkErr)
+				require.Equal(t, http.StatusConflict, sdkErr.StatusCode())
+				require.Contains(t, sdkErr.Message, "initializing")
+				require.Contains(t, sdkErr.Detail, "resuming")
+			})
+
+			t.Run("Pending", func(t *testing.T) {
+				t.Parallel()
+
+				ctx := testutil.Context(t, testutil.WaitMedium)
+				taskID := createTask(ctx, t, database.TaskStatusPending)
+
+				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
+					Input: "Hello",
+				})
+
+				var sdkErr *codersdk.Error
+				require.Error(t, err)
+				require.ErrorAs(t, err, &sdkErr)
+				require.Equal(t, http.StatusConflict, sdkErr.StatusCode())
+				require.Contains(t, sdkErr.Message, "pending")
+				require.Contains(t, sdkErr.Detail, "resuming")
+			})
+
+			t.Run("Error", func(t *testing.T) {
+				t.Parallel()
+
+				ctx := testutil.Context(t, testutil.WaitMedium)
+				taskID := createTask(ctx, t, database.TaskStatusError)
+
+				err := client.TaskSend(ctx, "me", taskID, codersdk.TaskSendRequest{
+					Input: "Hello",
+				})
+
+				var sdkErr *codersdk.Error
+				require.Error(t, err)
+				require.ErrorAs(t, err, &sdkErr)
+				require.Equal(t, http.StatusBadRequest, sdkErr.StatusCode())
+				require.Contains(t, sdkErr.Message, "must be active")
+			})
+		})
 	})
 
 	t.Run("Logs", func(t *testing.T) {
@@ -737,61 +1058,7 @@ func TestTasks(t *testing.T) {
 		// Create a regular user to test snapshot access.
 		client, user := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID)
 
-		// Helper to create a task in the desired state.
-		createTaskInState := func(ctx context.Context, t *testing.T, status database.TaskStatus) uuid.UUID {
-			ctx = dbauthz.As(ctx, ownerSubject)
-
-			builder := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-				OrganizationID: owner.OrganizationID,
-				OwnerID:        user.ID,
-			}).
-				WithTask(database.TaskTable{
-					OrganizationID: owner.OrganizationID,
-					OwnerID:        user.ID,
-				}, nil)
-
-			switch status {
-			case database.TaskStatusPending:
-				builder = builder.Pending()
-			case database.TaskStatusInitializing:
-				builder = builder.Starting()
-			case database.TaskStatusPaused:
-				builder = builder.Seed(database.WorkspaceBuild{
-					Transition: database.WorkspaceTransitionStop,
-				})
-			case database.TaskStatusError:
-				// For error state, create a completed build then manipulate app health.
-			default:
-				require.Fail(t, "unsupported task status in test helper", "status: %s", status)
-			}
-
-			resp := builder.Do()
-			taskID := resp.Task.ID
-
-			// Post-process by manipulating agent and app state.
-			if status == database.TaskStatusError {
-				// First, set agent to ready state so agent_status returns 'active'.
-				// This ensures the cascade reaches app_status.
-				err := db.UpdateWorkspaceAgentLifecycleStateByID(ctx, database.UpdateWorkspaceAgentLifecycleStateByIDParams{
-					ID:             resp.Agents[0].ID,
-					LifecycleState: database.WorkspaceAgentLifecycleStateReady,
-				})
-				require.NoError(t, err)
-
-				// Then set workspace app health to unhealthy to trigger error state.
-				apps, err := db.GetWorkspaceAppsByAgentID(ctx, resp.Agents[0].ID)
-				require.NoError(t, err)
-				require.Len(t, apps, 1, "expected exactly one app for task")
-
-				err = db.UpdateWorkspaceAppHealthByID(ctx, database.UpdateWorkspaceAppHealthByIDParams{
-					ID:     apps[0].ID,
-					Health: database.WorkspaceAppHealthUnhealthy,
-				})
-				require.NoError(t, err)
-			}
-
-			return taskID
-		}
+		createTask := createTaskInState(db, ownerSubject, owner.OrganizationID, user.ID)
 
 		// Prepare snapshot data used across tests.
 		snapshotMessages := []agentapisdk.Message{
@@ -853,7 +1120,7 @@ func TestTasks(t *testing.T) {
 			t.Parallel()
 
 			ctx := testutil.Context(t, testutil.WaitMedium)
-			taskID := createTaskInState(ctx, t, database.TaskStatusPending)
+			taskID := createTask(ctx, t, database.TaskStatusPending)
 
 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
 				TaskID:               taskID,
@@ -871,7 +1138,7 @@ func TestTasks(t *testing.T) {
 			t.Parallel()
 
 			ctx := testutil.Context(t, testutil.WaitMedium)
-			taskID := createTaskInState(ctx, t, database.TaskStatusInitializing)
+			taskID := createTask(ctx, t, database.TaskStatusInitializing)
 
 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
 				TaskID:               taskID,
@@ -889,7 +1156,7 @@ func TestTasks(t *testing.T) {
 			t.Parallel()
 
 			ctx := testutil.Context(t, testutil.WaitMedium)
-			taskID := createTaskInState(ctx, t, database.TaskStatusPaused)
+			taskID := createTask(ctx, t, database.TaskStatusPaused)
 
 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
 				TaskID:               taskID,
@@ -907,7 +1174,7 @@ func TestTasks(t *testing.T) {
 			t.Parallel()
 
 			ctx := testutil.Context(t, testutil.WaitMedium)
-			taskID := createTaskInState(ctx, t, database.TaskStatusPending)
+			taskID := createTask(ctx, t, database.TaskStatusPending)
 
 			logsResp, err := client.TaskLogs(ctx, "me", taskID)
 			require.NoError(t, err)
@@ -921,7 +1188,7 @@ func TestTasks(t *testing.T) {
 			t.Parallel()
 
 			ctx := testutil.Context(t, testutil.WaitMedium)
-			taskID := createTaskInState(ctx, t, database.TaskStatusPending)
+			taskID := createTask(ctx, t, database.TaskStatusPending)
 
 			invalidEnvelope := coderd.TaskLogSnapshotEnvelope{
 				Format: "unknown-format",
@@ -950,7 +1217,7 @@ func TestTasks(t *testing.T) {
 			t.Parallel()
 
 			ctx := testutil.Context(t, testutil.WaitMedium)
-			taskID := createTaskInState(ctx, t, database.TaskStatusPending)
+			taskID := createTask(ctx, t, database.TaskStatusPending)
 
 			err := db.UpsertTaskSnapshot(dbauthz.As(ctx, ownerSubject), database.UpsertTaskSnapshotParams{
 				TaskID:               taskID,
@@ -971,7 +1238,7 @@ func TestTasks(t *testing.T) {
 			t.Parallel()
 
 			ctx := testutil.Context(t, testutil.WaitMedium)
-			taskID := createTaskInState(ctx, t, database.TaskStatusError)
+			taskID := createTask(ctx, t, database.TaskStatusError)
 
 			_, err := client.TaskLogs(ctx, "me", taskID)
 			require.Error(t, err)
@@ -997,12 +1264,12 @@ func TestTasks(t *testing.T) {
 			wantErrStatusCode  int
 		}{
 			{
-				name: "TaskStatusInitializing",
+				name: "TaskStatusPending",
 				// We want to disable the provisioner so that the task
-				// never gets provisioned (ensuring it stays in Initializing).
+				// never gets picked up (ensuring it stays in Pending).
 				disableProvisioner: true,
 				taskInput:          "Valid prompt",
-				wantStatus:         codersdk.TaskStatusInitializing,
+				wantStatus:         codersdk.TaskStatusPending,
 				wantErr:            "Unable to update",
 				wantErrStatusCode:  http.StatusConflict,
 			},
@@ -2189,3 +2456,328 @@ func TestPostWorkspaceAgentTaskSnapshot(t *testing.T) {
 		require.Equal(t, http.StatusUnauthorized, res.StatusCode)
 	})
 }
+
+func TestPauseTask(t *testing.T) {
+	t.Parallel()
+
+	setupClient := func(t *testing.T, db database.Store, ps pubsub.Pubsub, authorizer rbac.Authorizer) *codersdk.Client {
+		t.Helper()
+		client, _, _ := coderdtest.NewWithAPI(t, &coderdtest.Options{
+			Database:   db,
+			Pubsub:     ps,
+			Authorizer: authorizer,
+		})
+		return client
+	}
+
+	setupWorkspaceTask := func(t *testing.T, db database.Store, user codersdk.CreateFirstUserResponse) (database.Task, uuid.UUID) {
+		t.Helper()
+		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+			OrganizationID: user.OrganizationID,
+			OwnerID:        user.UserID,
+		}).WithTask(database.TaskTable{
+			Prompt: "pause me",
+		}, nil).Do()
+		return workspaceBuild.Task, workspaceBuild.Workspace.ID
+	}
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitLong)
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:          echo.ParseComplete,
+			ProvisionApply: echo.ApplyComplete,
+			ProvisionGraph: []*proto.Response{
+				{Type: &proto.Response_Graph{Graph: &proto.GraphComplete{
+					HasAiTasks: true,
+				}}},
+			},
+		})
+		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
+		task, err := client.CreateTask(ctx, codersdk.Me, codersdk.CreateTaskRequest{
+			TemplateVersionID: template.ActiveVersionID,
+			Input:             "pause me",
+		})
+		require.NoError(t, err)
+		require.True(t, task.WorkspaceID.Valid)
+
+		workspace, err := client.Workspace(ctx, task.WorkspaceID.UUID)
+		require.NoError(t, err)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
+
+		resp, err := client.PauseTask(ctx, codersdk.Me, task.ID)
+		require.NoError(t, err)
+		build := *resp.WorkspaceBuild
+		require.NotNil(t, build)
+		require.Equal(t, codersdk.WorkspaceTransitionStop, build.Transition)
+		require.Equal(t, task.WorkspaceID.UUID, build.WorkspaceID)
+		require.Equal(t, workspace.LatestBuild.BuildNumber+1, build.BuildNumber)
+		require.Equal(t, string(codersdk.CreateWorkspaceBuildReasonTaskManualPause), string(build.Reason))
+	})
+
+	t.Run("Non-owner role access", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		client := setupClient(t, db, ps, nil)
+		owner := coderdtest.CreateFirstUser(t, client)
+
+		cases := []struct {
+			name           string
+			roles          []rbac.RoleIdentifier
+			expectedStatus int
+		}{
+			{
+				name:           "org_member",
+				expectedStatus: http.StatusNotFound,
+			},
+			{
+				name:           "org_admin",
+				roles:          []rbac.RoleIdentifier{rbac.ScopedRoleOrgAdmin(owner.OrganizationID)},
+				expectedStatus: http.StatusAccepted,
+			},
+			{
+				name:           "sitewide_member",
+				roles:          []rbac.RoleIdentifier{rbac.RoleMember()},
+				expectedStatus: http.StatusNotFound,
+			},
+			{
+				name:           "sitewide_admin",
+				roles:          []rbac.RoleIdentifier{rbac.RoleOwner()},
+				expectedStatus: http.StatusAccepted,
+			},
+		}
+
+		for _, tc := range cases {
+			tc := tc
+			t.Run(tc.name, func(t *testing.T) {
+				task, _ := setupWorkspaceTask(t, db, owner)
+				userClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, tc.roles...)
+
+				resp, err := userClient.PauseTask(ctx, codersdk.Me, task.ID)
+				if tc.expectedStatus == http.StatusAccepted {
+					require.NoError(t, err)
+					require.NotNil(t, resp.WorkspaceBuild)
+					require.NotEqual(t, uuid.Nil, resp.WorkspaceBuild.ID)
+					return
+				}
+
+				var apiErr *codersdk.Error
+				require.ErrorAs(t, err, &apiErr)
+				require.Equal(t, tc.expectedStatus, apiErr.StatusCode())
+			})
+		}
+	})
+
+	t.Run("Task not found", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		_ = coderdtest.CreateFirstUser(t, client)
+
+		_, err := client.PauseTask(ctx, codersdk.Me, uuid.New())
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
+	})
+
+	t.Run("Task lookup forbidden", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		auth := &coderdtest.FakeAuthorizer{
+			ConditionalReturn: func(_ context.Context, _ rbac.Subject, action policy.Action, object rbac.Object) error {
+				if action == policy.ActionRead && object.Type == rbac.ResourceTask.Type {
+					return rbac.UnauthorizedError{}
+				}
+				return nil
+			},
+		}
+		client := setupClient(t, db, ps, auth)
+		user := coderdtest.CreateFirstUser(t, client)
+		task, _ := setupWorkspaceTask(t, db, user)
+
+		_, err := client.PauseTask(ctx, codersdk.Me, task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
+	})
+
+	t.Run("Workspace lookup forbidden", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		auth := &coderdtest.FakeAuthorizer{
+			ConditionalReturn: func(_ context.Context, _ rbac.Subject, action policy.Action, object rbac.Object) error {
+				if action == policy.ActionRead && object.Type == rbac.ResourceWorkspace.Type {
+					return rbac.UnauthorizedError{}
+				}
+				return nil
+			},
+		}
+		client := setupClient(t, db, ps, auth)
+		user := coderdtest.CreateFirstUser(t, client)
+		task, _ := setupWorkspaceTask(t, db, user)
+
+		_, err := client.PauseTask(ctx, codersdk.Me, task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
+	})
+
+	t.Run("No Workspace for Task", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		client := setupClient(t, db, ps, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+
+		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+			OrganizationID: user.OrganizationID,
+			OwnerID:        user.UserID,
+		}).Do()
+		task := dbgen.Task(t, db, database.TaskTable{
+			OrganizationID:    user.OrganizationID,
+			OwnerID:           user.UserID,
+			TemplateVersionID: workspaceBuild.Build.TemplateVersionID,
+			Prompt:            "no workspace",
+		})
+
+		_, err := client.PauseTask(ctx, codersdk.Me, task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
+		require.Equal(t, "Task does not have a workspace.", apiErr.Message)
+	})
+
+	t.Run("Workspace not found", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		var workspaceID uuid.UUID
+		wrapped := aiTaskStoreWrapper{
+			Store: db,
+			getWorkspaceByID: func(ctx context.Context, id uuid.UUID) (database.Workspace, error) {
+				if id == workspaceID && id != uuid.Nil {
+					return database.Workspace{}, sql.ErrNoRows
+				}
+				return db.GetWorkspaceByID(ctx, id)
+			},
+		}
+		client := setupClient(t, wrapped, ps, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		task, workspaceIDValue := setupWorkspaceTask(t, db, user)
+		workspaceID = workspaceIDValue
+
+		_, err := client.PauseTask(ctx, codersdk.Me, task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
+	})
+
+	t.Run("Workspace lookup internal error", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		var workspaceID uuid.UUID
+		wrapped := aiTaskStoreWrapper{
+			Store: db,
+			getWorkspaceByID: func(ctx context.Context, id uuid.UUID) (database.Workspace, error) {
+				if id == workspaceID && id != uuid.Nil {
+					return database.Workspace{}, xerrors.New("boom")
+				}
+				return db.GetWorkspaceByID(ctx, id)
+			},
+		}
+		client := setupClient(t, wrapped, ps, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		task, workspaceIDValue := setupWorkspaceTask(t, db, user)
+		workspaceID = workspaceIDValue
+
+		_, err := client.PauseTask(ctx, codersdk.Me, task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
+		require.Equal(t, "Internal error fetching task workspace.", apiErr.Message)
+	})
+
+	t.Run("Build Forbidden", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		auth := &coderdtest.FakeAuthorizer{
+			ConditionalReturn: func(_ context.Context, _ rbac.Subject, action policy.Action, object rbac.Object) error {
+				if action == policy.ActionWorkspaceStop && object.Type == rbac.ResourceWorkspace.Type {
+					return rbac.UnauthorizedError{}
+				}
+				return nil
+			},
+		}
+		client := setupClient(t, db, ps, auth)
+		user := coderdtest.CreateFirstUser(t, client)
+		task, _ := setupWorkspaceTask(t, db, user)
+
+		_, err := client.PauseTask(ctx, codersdk.Me, task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
+	})
+
+	t.Run("Job already in progress", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		client := setupClient(t, db, ps, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+			OrganizationID: user.OrganizationID,
+			OwnerID:        user.UserID,
+		}).
+			WithTask(database.TaskTable{
+				Prompt: "pause me",
+			}, nil).
+			Starting().
+			Do()
+
+		_, err := client.PauseTask(ctx, codersdk.Me, workspaceBuild.Task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusConflict, apiErr.StatusCode())
+	})
+
+	t.Run("Build Internal Error", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		db, ps := dbtestutil.NewDB(t)
+		wrapped := aiTaskStoreWrapper{
+			Store: db,
+			insertWorkspaceBuild: func(ctx context.Context, arg database.InsertWorkspaceBuildParams) error {
+				return xerrors.New("insert failed")
+			},
+		}
+		client := setupClient(t, wrapped, ps, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		task, _ := setupWorkspaceTask(t, db, user)
+
+		_, err := client.PauseTask(ctx, codersdk.Me, task.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusInternalServerError, apiErr.StatusCode())
+	})
+}

coderd/apidoc/docs.go

@@ -5824,6 +5824,48 @@ const docTemplate = `{
                 }
             }
         },
+        "/tasks/{user}/{task}/pause": {
+            "post": {
+                "security": [
+                    {
+                        "CoderSessionToken": []
+                    }
+                ],
+                "consumes": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Tasks"
+                ],
+                "summary": "Pause task",
+                "operationId": "pause-task",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Username, user ID, or 'me' for the authenticated user",
+                        "name": "user",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "format": "uuid",
+                        "description": "Task ID",
+                        "name": "task",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "202": {
+                        "description": "Accepted",
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.PauseTaskResponse"
+                        }
+                    }
+                }
+            }
+        },
         "/tasks/{user}/{task}/send": {
             "post": {
                 "security": [
@@ -10927,7 +10969,7 @@ const docTemplate = `{
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Search query in the format ` + "`" + `key:value` + "`" + `. Available keys are: owner, template, name, status, has-agent, dormant, last_used_after, last_used_before, has-ai-task, has_external_agent.",
+                        "description": "Search query in the format ` + "`" + `key:value` + "`" + `. Available keys are: owner, template, name, status, has-agent, dormant, last_used_after, last_used_before, has-ai-task, has_external_agent, healthy.",
                         "name": "q",
                         "in": "query"
                     },
@@ -12698,6 +12740,7 @@ const docTemplate = `{
                 "workspace:start",
                 "workspace:stop",
                 "workspace:update",
+                "workspace:update_agent",
                 "workspace_agent_devcontainers:*",
                 "workspace_agent_devcontainers:create",
                 "workspace_agent_resource_monitor:*",
@@ -12716,6 +12759,7 @@ const docTemplate = `{
                 "workspace_dormant:start",
                 "workspace_dormant:stop",
                 "workspace_dormant:update",
+                "workspace_dormant:update_agent",
                 "workspace_proxy:*",
                 "workspace_proxy:create",
                 "workspace_proxy:delete",
@@ -12900,6 +12944,7 @@ const docTemplate = `{
                 "APIKeyScopeWorkspaceStart",
                 "APIKeyScopeWorkspaceStop",
                 "APIKeyScopeWorkspaceUpdate",
+                "APIKeyScopeWorkspaceUpdateAgent",
                 "APIKeyScopeWorkspaceAgentDevcontainersAll",
                 "APIKeyScopeWorkspaceAgentDevcontainersCreate",
                 "APIKeyScopeWorkspaceAgentResourceMonitorAll",
@@ -12918,6 +12963,7 @@ const docTemplate = `{
                 "APIKeyScopeWorkspaceDormantStart",
                 "APIKeyScopeWorkspaceDormantStop",
                 "APIKeyScopeWorkspaceDormantUpdate",
+                "APIKeyScopeWorkspaceDormantUpdateAgent",
                 "APIKeyScopeWorkspaceProxyAll",
                 "APIKeyScopeWorkspaceProxyCreate",
                 "APIKeyScopeWorkspaceProxyDelete",
@@ -14098,14 +14144,16 @@ const docTemplate = `{
                 "cli",
                 "ssh_connection",
                 "vscode_connection",
-                "jetbrains_connection"
+                "jetbrains_connection",
+                "task_manual_pause"
             ],
             "x-enum-varnames": [
                 "CreateWorkspaceBuildReasonDashboard",
                 "CreateWorkspaceBuildReasonCLI",
                 "CreateWorkspaceBuildReasonSSHConnection",
                 "CreateWorkspaceBuildReasonVSCodeConnection",
-                "CreateWorkspaceBuildReasonJetbrainsConnection"
+                "CreateWorkspaceBuildReasonJetbrainsConnection",
+                "CreateWorkspaceBuildReasonTaskManualPause"
             ]
         },
         "codersdk.CreateWorkspaceBuildRequest": {
@@ -14139,7 +14187,8 @@ const docTemplate = `{
                         "cli",
                         "ssh_connection",
                         "vscode_connection",
-                        "jetbrains_connection"
+                        "jetbrains_connection",
+                        "task_manual_pause"
                     ],
                     "allOf": [
                         {
@@ -14897,6 +14946,16 @@ const docTemplate = `{
                 "ExperimentWorkspaceSharing": "Enables updating workspace ACLs for sharing with users and groups.",
                 "ExperimentWorkspaceUsage": "Enables the new workspace usage tracking."
             },
+            "x-enum-descriptions": [
+                "This isn't used for anything.",
+                "This should not be taken out of experiments until we have redesigned the feature.",
+                "Sends notifications via SMTP and webhooks following certain events.",
+                "Enables the new workspace usage tracking.",
+                "Enables web push notifications through the browser.",
+                "Enables OAuth2 provider functionality.",
+                "Enables the MCP HTTP server functionality.",
+                "Enables updating workspace ACLs for sharing with users and groups."
+            ],
             "x-enum-varnames": [
                 "ExperimentExample",
                 "ExperimentAutoFillParameters",
@@ -17000,6 +17059,14 @@ const docTemplate = `{
                 }
             }
         },
+        "codersdk.PauseTaskResponse": {
+            "type": "object",
+            "properties": {
+                "workspace_build": {
+                    "$ref": "#/definitions/codersdk.WorkspaceBuild"
+                }
+            }
+        },
         "codersdk.Permission": {
             "type": "object",
             "properties": {
@@ -17792,6 +17859,7 @@ const docTemplate = `{
                 "share",
                 "unassign",
                 "update",
+                "update_agent",
                 "update_personal",
                 "use",
                 "view_insights",
@@ -17811,6 +17879,7 @@ const docTemplate = `{
                 "ActionShare",
                 "ActionUnassign",
                 "ActionUpdate",
+                "ActionUpdateAgent",
                 "ActionUpdatePersonal",
                 "ActionUse",
                 "ActionViewInsights",
@@ -18807,6 +18876,10 @@ const docTemplate = `{
                 "description": {
                     "type": "string"
                 },
+                "disable_module_cache": {
+                    "description": "DisableModuleCache disables the use of cached Terraform modules during\nprovisioning.",
+                    "type": "boolean"
+                },
                 "display_name": {
                     "type": "string"
                 },
@@ -19763,6 +19836,10 @@ const docTemplate = `{
                     "description": "DisableEveryoneGroupAccess allows optionally disabling the default\nbehavior of granting the 'everyone' group access to use the template.\nIf this is set to true, the template will not be available to all users,\nand must be explicitly granted to users or groups in the permissions settings\nof the template.",
                     "type": "boolean"
                 },
+                "disable_module_cache": {
+                    "description": "DisableModuleCache disables the using of cached Terraform modules during\nprovisioning. It is recommended not to disable this.",
+                    "type": "boolean"
+                },
                 "display_name": {
                     "type": "string"
                 },
@@ -20813,6 +20890,14 @@ const docTemplate = `{
                         }
                     ]
                 },
+                "subagent_id": {
+                    "format": "uuid",
+                    "allOf": [
+                        {
+                            "$ref": "#/definitions/uuid.NullUUID"
+                        }
+                    ]
+                },
                 "workspace_folder": {
                     "type": "string"
                 }
@@ -21481,10 +21566,12 @@ const docTemplate = `{
             "type": "object",
             "properties": {
                 "p50": {
-                    "type": "number"
+                    "type": "number",
+                    "format": "float64"
                 },
                 "p95": {
-                    "type": "number"
+                    "type": "number",
+                    "format": "float64"
                 }
             }
         },
@@ -21870,10 +21957,12 @@ const docTemplate = `{
                     ]
                 },
                 "recv": {
-                    "type": "integer"
+                    "type": "integer",
+                    "format": "int64"
                 },
                 "sent": {
-                    "type": "integer"
+                    "type": "integer",
+                    "format": "int64"
                 }
             }
         },
@@ -22500,21 +22589,24 @@ const docTemplate = `{
                     "description": "keyed by DERP Region ID",
                     "type": "object",
                     "additionalProperties": {
-                        "type": "integer"
+                        "type": "integer",
+                        "format": "int64"
                     }
                 },
                 "regionV4Latency": {
                     "description": "keyed by DERP Region ID",
                     "type": "object",
                     "additionalProperties": {
-                        "type": "integer"
+                        "type": "integer",
+                        "format": "int64"
                     }
                 },
                 "regionV6Latency": {
                     "description": "keyed by DERP Region ID",
                     "type": "object",
                     "additionalProperties": {
-                        "type": "integer"
+                        "type": "integer",
+                        "format": "int64"
                     }
                 },
                 "udp": {
@@ -22757,7 +22849,8 @@ const docTemplate = `{
                     "description": "RegionScore scales latencies of DERP regions by a given scaling\nfactor when determining which region to use as the home\n(\"preferred\") DERP. Scores in the range (0, 1) will cause this\nregion to be proportionally more preferred, and scores in the range\n(1, ∞) will penalize a region.\n\nIf a region is not present in this map, it is treated as having a\nscore of 1.0.\n\nScores should not be 0 or negative; such scores will be ignored.\n\nA nil map means no change from the previous value (if any); an empty\nnon-nil map can be sent to reset all scores back to 1.0.",
                     "type": "object",
                     "additionalProperties": {
-                        "type": "number"
+                        "type": "number",
+                        "format": "float64"
                     }
                 }
             }

coderd/apidoc/swagger.json

@@ -5147,6 +5147,44 @@
 				}
 			}
 		},
+		"/tasks/{user}/{task}/pause": {
+			"post": {
+				"security": [
+					{
+						"CoderSessionToken": []
+					}
+				],
+				"consumes": ["application/json"],
+				"tags": ["Tasks"],
+				"summary": "Pause task",
+				"operationId": "pause-task",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "Username, user ID, or 'me' for the authenticated user",
+						"name": "user",
+						"in": "path",
+						"required": true
+					},
+					{
+						"type": "string",
+						"format": "uuid",
+						"description": "Task ID",
+						"name": "task",
+						"in": "path",
+						"required": true
+					}
+				],
+				"responses": {
+					"202": {
+						"description": "Accepted",
+						"schema": {
+							"$ref": "#/definitions/codersdk.PauseTaskResponse"
+						}
+					}
+				}
+			}
+		},
 		"/tasks/{user}/{task}/send": {
 			"post": {
 				"security": [
@@ -9665,7 +9703,7 @@
 				"parameters": [
 					{
 						"type": "string",
-						"description": "Search query in the format `key:value`. Available keys are: owner, template, name, status, has-agent, dormant, last_used_after, last_used_before, has-ai-task, has_external_agent.",
+						"description": "Search query in the format `key:value`. Available keys are: owner, template, name, status, has-agent, dormant, last_used_after, last_used_before, has-ai-task, has_external_agent, healthy.",
 						"name": "q",
 						"in": "query"
 					},
@@ -11320,6 +11358,7 @@
 				"workspace:start",
 				"workspace:stop",
 				"workspace:update",
+				"workspace:update_agent",
 				"workspace_agent_devcontainers:*",
 				"workspace_agent_devcontainers:create",
 				"workspace_agent_resource_monitor:*",
@@ -11338,6 +11377,7 @@
 				"workspace_dormant:start",
 				"workspace_dormant:stop",
 				"workspace_dormant:update",
+				"workspace_dormant:update_agent",
 				"workspace_proxy:*",
 				"workspace_proxy:create",
 				"workspace_proxy:delete",
@@ -11522,6 +11562,7 @@
 				"APIKeyScopeWorkspaceStart",
 				"APIKeyScopeWorkspaceStop",
 				"APIKeyScopeWorkspaceUpdate",
+				"APIKeyScopeWorkspaceUpdateAgent",
 				"APIKeyScopeWorkspaceAgentDevcontainersAll",
 				"APIKeyScopeWorkspaceAgentDevcontainersCreate",
 				"APIKeyScopeWorkspaceAgentResourceMonitorAll",
@@ -11540,6 +11581,7 @@
 				"APIKeyScopeWorkspaceDormantStart",
 				"APIKeyScopeWorkspaceDormantStop",
 				"APIKeyScopeWorkspaceDormantUpdate",
+				"APIKeyScopeWorkspaceDormantUpdateAgent",
 				"APIKeyScopeWorkspaceProxyAll",
 				"APIKeyScopeWorkspaceProxyCreate",
 				"APIKeyScopeWorkspaceProxyDelete",
@@ -12658,14 +12700,16 @@
 				"cli",
 				"ssh_connection",
 				"vscode_connection",
-				"jetbrains_connection"
+				"jetbrains_connection",
+				"task_manual_pause"
 			],
 			"x-enum-varnames": [
 				"CreateWorkspaceBuildReasonDashboard",
 				"CreateWorkspaceBuildReasonCLI",
 				"CreateWorkspaceBuildReasonSSHConnection",
 				"CreateWorkspaceBuildReasonVSCodeConnection",
-				"CreateWorkspaceBuildReasonJetbrainsConnection"
+				"CreateWorkspaceBuildReasonJetbrainsConnection",
+				"CreateWorkspaceBuildReasonTaskManualPause"
 			]
 		},
 		"codersdk.CreateWorkspaceBuildRequest": {
@@ -12695,7 +12739,8 @@
 						"cli",
 						"ssh_connection",
 						"vscode_connection",
-						"jetbrains_connection"
+						"jetbrains_connection",
+						"task_manual_pause"
 					],
 					"allOf": [
 						{
@@ -13438,6 +13483,16 @@
 				"ExperimentWorkspaceSharing": "Enables updating workspace ACLs for sharing with users and groups.",
 				"ExperimentWorkspaceUsage": "Enables the new workspace usage tracking."
 			},
+			"x-enum-descriptions": [
+				"This isn't used for anything.",
+				"This should not be taken out of experiments until we have redesigned the feature.",
+				"Sends notifications via SMTP and webhooks following certain events.",
+				"Enables the new workspace usage tracking.",
+				"Enables web push notifications through the browser.",
+				"Enables OAuth2 provider functionality.",
+				"Enables the MCP HTTP server functionality.",
+				"Enables updating workspace ACLs for sharing with users and groups."
+			],
 			"x-enum-varnames": [
 				"ExperimentExample",
 				"ExperimentAutoFillParameters",
@@ -15463,6 +15518,14 @@
 				}
 			}
 		},
+		"codersdk.PauseTaskResponse": {
+			"type": "object",
+			"properties": {
+				"workspace_build": {
+					"$ref": "#/definitions/codersdk.WorkspaceBuild"
+				}
+			}
+		},
 		"codersdk.Permission": {
 			"type": "object",
 			"properties": {
@@ -16218,6 +16281,7 @@
 				"share",
 				"unassign",
 				"update",
+				"update_agent",
 				"update_personal",
 				"use",
 				"view_insights",
@@ -16237,6 +16301,7 @@
 				"ActionShare",
 				"ActionUnassign",
 				"ActionUpdate",
+				"ActionUpdateAgent",
 				"ActionUpdatePersonal",
 				"ActionUse",
 				"ActionViewInsights",
@@ -17202,6 +17267,10 @@
 				"description": {
 					"type": "string"
 				},
+				"disable_module_cache": {
+					"description": "DisableModuleCache disables the use of cached Terraform modules during\nprovisioning.",
+					"type": "boolean"
+				},
 				"display_name": {
 					"type": "string"
 				},
@@ -18112,6 +18181,10 @@
 					"description": "DisableEveryoneGroupAccess allows optionally disabling the default\nbehavior of granting the 'everyone' group access to use the template.\nIf this is set to true, the template will not be available to all users,\nand must be explicitly granted to users or groups in the permissions settings\nof the template.",
 					"type": "boolean"
 				},
+				"disable_module_cache": {
+					"description": "DisableModuleCache disables the using of cached Terraform modules during\nprovisioning. It is recommended not to disable this.",
+					"type": "boolean"
+				},
 				"display_name": {
 					"type": "string"
 				},
@@ -19117,6 +19190,14 @@
 						}
 					]
 				},
+				"subagent_id": {
+					"format": "uuid",
+					"allOf": [
+						{
+							"$ref": "#/definitions/uuid.NullUUID"
+						}
+					]
+				},
 				"workspace_folder": {
 					"type": "string"
 				}
@@ -19730,10 +19811,12 @@
 			"type": "object",
 			"properties": {
 				"p50": {
-					"type": "number"
+					"type": "number",
+					"format": "float64"
 				},
 				"p95": {
-					"type": "number"
+					"type": "number",
+					"format": "float64"
 				}
 			}
 		},
@@ -20098,10 +20181,12 @@
 					]
 				},
 				"recv": {
-					"type": "integer"
+					"type": "integer",
+					"format": "int64"
 				},
 				"sent": {
-					"type": "integer"
+					"type": "integer",
+					"format": "int64"
 				}
 			}
 		},
@@ -20684,21 +20769,24 @@
 					"description": "keyed by DERP Region ID",
 					"type": "object",
 					"additionalProperties": {
-						"type": "integer"
+						"type": "integer",
+						"format": "int64"
 					}
 				},
 				"regionV4Latency": {
 					"description": "keyed by DERP Region ID",
 					"type": "object",
 					"additionalProperties": {
-						"type": "integer"
+						"type": "integer",
+						"format": "int64"
 					}
 				},
 				"regionV6Latency": {
 					"description": "keyed by DERP Region ID",
 					"type": "object",
 					"additionalProperties": {
-						"type": "integer"
+						"type": "integer",
+						"format": "int64"
 					}
 				},
 				"udp": {
@@ -20935,7 +21023,8 @@
 					"description": "RegionScore scales latencies of DERP regions by a given scaling\nfactor when determining which region to use as the home\n(\"preferred\") DERP. Scores in the range (0, 1) will cause this\nregion to be proportionally more preferred, and scores in the range\n(1, ∞) will penalize a region.\n\nIf a region is not present in this map, it is treated as having a\nscore of 1.0.\n\nScores should not be 0 or negative; such scores will be ignored.\n\nA nil map means no change from the previous value (if any); an empty\nnon-nil map can be sent to reset all scores back to 1.0.",
 					"type": "object",
 					"additionalProperties": {
-						"type": "number"
+						"type": "number",
+						"format": "float64"
 					}
 				}
 			}

coderd/boundaryusage/tracker.go

@@ -95,15 +95,26 @@ func (t *Tracker) FlushToDB(ctx context.Context, db database.Store, replicaID uu
 	t.mu.Unlock()
 
 	//nolint:gocritic // This is the actual package doing boundary usage tracking.
-	_, err := db.UpsertBoundaryUsageStats(dbauthz.AsBoundaryUsageTracker(ctx), database.UpsertBoundaryUsageStatsParams{
-		ReplicaID:             replicaID,
-		UniqueWorkspacesCount: workspaceCount, // cumulative, for UPDATE
-		UniqueUsersCount:      userCount,      // cumulative, for UPDATE
-		UniqueWorkspacesDelta: workspaceDelta, // delta, for INSERT
-		UniqueUsersDelta:      userDelta,      // delta, for INSERT
-		AllowedRequests:       allowed,
-		DeniedRequests:        denied,
-	})
+	authCtx := dbauthz.AsBoundaryUsageTracker(ctx)
+	err := db.InTx(func(tx database.Store) error {
+		// The advisory lock ensures a clean period cutover by preventing
+		// this upsert from racing with the aggregate+delete in
+		// GetAndResetBoundaryUsageSummary. Without it, upserted data
+		// could be lost or miscounted across periods.
+		if err := tx.AcquireLock(authCtx, database.LockIDBoundaryUsageStats); err != nil {
+			return err
+		}
+		_, err := tx.UpsertBoundaryUsageStats(authCtx, database.UpsertBoundaryUsageStatsParams{
+			ReplicaID:             replicaID,
+			UniqueWorkspacesCount: workspaceCount, // cumulative, for UPDATE
+			UniqueUsersCount:      userCount,      // cumulative, for UPDATE
+			UniqueWorkspacesDelta: workspaceDelta, // delta, for INSERT
+			UniqueUsersDelta:      userDelta,      // delta, for INSERT
+			AllowedRequests:       allowed,
+			DeniedRequests:        denied,
+		})
+		return err
+	}, nil)
 
 	// Always reset cumulative counts to prevent unbounded memory growth (e.g.
 	// if the DB is unreachable). Copy delta maps to preserve any Track() calls

coderd/boundaryusage/tracker_test.go

@@ -45,7 +45,7 @@ func TestTracker_Track_Single(t *testing.T) {
 
 	// Verify the data was written correctly.
 	boundaryCtx := dbauthz.AsBoundaryUsageTracker(ctx)
-	summary, err := db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	summary, err := db.GetAndResetBoundaryUsageSummary(boundaryCtx, 60000)
 	require.NoError(t, err)
 	require.Equal(t, int64(1), summary.UniqueWorkspaces)
 	require.Equal(t, int64(1), summary.UniqueUsers)
@@ -73,7 +73,7 @@ func TestTracker_Track_DuplicateWorkspaceUser(t *testing.T) {
 	require.NoError(t, err)
 
 	boundaryCtx := dbauthz.AsBoundaryUsageTracker(ctx)
-	summary, err := db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	summary, err := db.GetAndResetBoundaryUsageSummary(boundaryCtx, 60000)
 	require.NoError(t, err)
 	require.Equal(t, int64(1), summary.UniqueWorkspaces, "should be 1 unique workspace")
 	require.Equal(t, int64(1), summary.UniqueUsers, "should be 1 unique user")
@@ -102,7 +102,7 @@ func TestTracker_Track_MultipleWorkspacesUsers(t *testing.T) {
 	require.NoError(t, err)
 
 	boundaryCtx := dbauthz.AsBoundaryUsageTracker(ctx)
-	summary, err := db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	summary, err := db.GetAndResetBoundaryUsageSummary(boundaryCtx, 60000)
 	require.NoError(t, err)
 	require.Equal(t, int64(3), summary.UniqueWorkspaces)
 	require.Equal(t, int64(2), summary.UniqueUsers)
@@ -140,7 +140,7 @@ func TestTracker_Track_Concurrent(t *testing.T) {
 	require.NoError(t, err)
 
 	boundaryCtx := dbauthz.AsBoundaryUsageTracker(ctx)
-	summary, err := db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	summary, err := db.GetAndResetBoundaryUsageSummary(boundaryCtx, 60000)
 	require.NoError(t, err)
 	require.Equal(t, int64(numGoroutines), summary.UniqueWorkspaces)
 	require.Equal(t, int64(numGoroutines), summary.UniqueUsers)
@@ -175,7 +175,7 @@ func TestTracker_FlushToDB_Accumulates(t *testing.T) {
 	require.NoError(t, err)
 
 	boundaryCtx := dbauthz.AsBoundaryUsageTracker(ctx)
-	summary, err := db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	summary, err := db.GetAndResetBoundaryUsageSummary(boundaryCtx, 60000)
 	require.NoError(t, err)
 	require.Equal(t, int64(1), summary.UniqueWorkspaces)
 	require.Equal(t, int64(1), summary.UniqueUsers)
@@ -202,7 +202,7 @@ func TestTracker_FlushToDB_NewPeriod(t *testing.T) {
 	require.NoError(t, err)
 
 	// Simulate telemetry reset (new period).
-	err = db.ResetBoundaryUsageStats(boundaryCtx)
+	_, err = db.GetAndResetBoundaryUsageSummary(boundaryCtx, 60000)
 	require.NoError(t, err)
 
 	// Track new data.
@@ -215,7 +215,7 @@ func TestTracker_FlushToDB_NewPeriod(t *testing.T) {
 	require.NoError(t, err)
 
 	// The summary should only contain the new data after reset.
-	summary, err := db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	summary, err := db.GetAndResetBoundaryUsageSummary(boundaryCtx, 60000)
 	require.NoError(t, err)
 	require.Equal(t, int64(1), summary.UniqueWorkspaces, "should only count new workspace")
 	require.Equal(t, int64(1), summary.UniqueUsers, "should only count new user")
@@ -237,7 +237,7 @@ func TestTracker_FlushToDB_NoActivity(t *testing.T) {
 
 	// Verify nothing was written to DB.
 	boundaryCtx := dbauthz.AsBoundaryUsageTracker(ctx)
-	summary, err := db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	summary, err := db.GetAndResetBoundaryUsageSummary(boundaryCtx, 60000)
 	require.NoError(t, err)
 	require.Equal(t, int64(0), summary.UniqueWorkspaces)
 	require.Equal(t, int64(0), summary.AllowedRequests)
@@ -265,7 +265,7 @@ func TestUpsertBoundaryUsageStats_Insert(t *testing.T) {
 	require.True(t, newPeriod, "should return true for insert")
 
 	// Verify INSERT used the delta values, not cumulative.
-	summary, err := db.GetBoundaryUsageSummary(ctx, 60000)
+	summary, err := db.GetAndResetBoundaryUsageSummary(ctx, 60000)
 	require.NoError(t, err)
 	require.Equal(t, int64(5), summary.UniqueWorkspaces)
 	require.Equal(t, int64(3), summary.UniqueUsers)
@@ -301,7 +301,7 @@ func TestUpsertBoundaryUsageStats_Update(t *testing.T) {
 	require.False(t, newPeriod, "should return false for update")
 
 	// Verify UPDATE used cumulative values.
-	summary, err := db.GetBoundaryUsageSummary(ctx, 60000)
+	summary, err := db.GetAndResetBoundaryUsageSummary(ctx, 60000)
 	require.NoError(t, err)
 	require.Equal(t, int64(8), summary.UniqueWorkspaces)
 	require.Equal(t, int64(5), summary.UniqueUsers)
@@ -309,7 +309,7 @@ func TestUpsertBoundaryUsageStats_Update(t *testing.T) {
 	require.Equal(t, int64(10+20), summary.DeniedRequests)
 }
 
-func TestGetBoundaryUsageSummary_MultipleReplicas(t *testing.T) {
+func TestGetAndResetBoundaryUsageSummary_MultipleReplicas(t *testing.T) {
 	t.Parallel()
 
 	db, _ := dbtestutil.NewDB(t)
@@ -347,7 +347,7 @@ func TestGetBoundaryUsageSummary_MultipleReplicas(t *testing.T) {
 	})
 	require.NoError(t, err)
 
-	summary, err := db.GetBoundaryUsageSummary(ctx, 60000)
+	summary, err := db.GetAndResetBoundaryUsageSummary(ctx, 60000)
 	require.NoError(t, err)
 
 	// Verify aggregation (SUM of all replicas).
@@ -357,13 +357,13 @@ func TestGetBoundaryUsageSummary_MultipleReplicas(t *testing.T) {
 	require.Equal(t, int64(45), summary.DeniedRequests)   // 10 + 15 + 20
 }
 
-func TestGetBoundaryUsageSummary_Empty(t *testing.T) {
+func TestGetAndResetBoundaryUsageSummary_Empty(t *testing.T) {
 	t.Parallel()
 
 	db, _ := dbtestutil.NewDB(t)
 	ctx := dbauthz.AsBoundaryUsageTracker(context.Background())
 
-	summary, err := db.GetBoundaryUsageSummary(ctx, 60000)
+	summary, err := db.GetAndResetBoundaryUsageSummary(ctx, 60000)
 	require.NoError(t, err)
 
 	// COALESCE should return 0 for all columns.
@@ -373,7 +373,7 @@ func TestGetBoundaryUsageSummary_Empty(t *testing.T) {
 	require.Equal(t, int64(0), summary.DeniedRequests)
 }
 
-func TestResetBoundaryUsageStats(t *testing.T) {
+func TestGetAndResetBoundaryUsageSummary_DeletesData(t *testing.T) {
 	t.Parallel()
 
 	db, _ := dbtestutil.NewDB(t)
@@ -391,61 +391,19 @@ func TestResetBoundaryUsageStats(t *testing.T) {
 		require.NoError(t, err)
 	}
 
-	// Verify data exists.
-	summary, err := db.GetBoundaryUsageSummary(ctx, 60000)
-	require.NoError(t, err)
-	require.Greater(t, summary.AllowedRequests, int64(0))
-
-	// Reset.
-	err = db.ResetBoundaryUsageStats(ctx)
+	// Should return the summary AND delete all data.
+	summary, err := db.GetAndResetBoundaryUsageSummary(ctx, 60000)
 	require.NoError(t, err)
+	require.Equal(t, int64(1+2+3+4+5), summary.UniqueWorkspaces)
+	require.Equal(t, int64(10+20+30+40+50), summary.AllowedRequests)
 
 	// Verify all data is gone.
-	summary, err = db.GetBoundaryUsageSummary(ctx, 60000)
+	summary, err = db.GetAndResetBoundaryUsageSummary(ctx, 60000)
 	require.NoError(t, err)
 	require.Equal(t, int64(0), summary.UniqueWorkspaces)
 	require.Equal(t, int64(0), summary.AllowedRequests)
 }
 
-func TestDeleteBoundaryUsageStatsByReplicaID(t *testing.T) {
-	t.Parallel()
-
-	db, _ := dbtestutil.NewDB(t)
-	ctx := dbauthz.AsBoundaryUsageTracker(context.Background())
-
-	replica1 := uuid.New()
-	replica2 := uuid.New()
-
-	// Insert stats for 2 replicas. Delta fields are used for INSERT.
-	_, err := db.UpsertBoundaryUsageStats(ctx, database.UpsertBoundaryUsageStatsParams{
-		ReplicaID:             replica1,
-		UniqueWorkspacesDelta: 10,
-		UniqueUsersDelta:      5,
-		AllowedRequests:       100,
-		DeniedRequests:        10,
-	})
-	require.NoError(t, err)
-
-	_, err = db.UpsertBoundaryUsageStats(ctx, database.UpsertBoundaryUsageStatsParams{
-		ReplicaID:             replica2,
-		UniqueWorkspacesDelta: 20,
-		UniqueUsersDelta:      10,
-		AllowedRequests:       200,
-		DeniedRequests:        20,
-	})
-	require.NoError(t, err)
-
-	// Delete replica1's stats.
-	err = db.DeleteBoundaryUsageStatsByReplicaID(ctx, replica1)
-	require.NoError(t, err)
-
-	// Verify only replica2's stats remain.
-	summary, err := db.GetBoundaryUsageSummary(ctx, 60000)
-	require.NoError(t, err)
-	require.Equal(t, int64(20), summary.UniqueWorkspaces)
-	require.Equal(t, int64(200), summary.AllowedRequests)
-}
-
 func TestTracker_TelemetryCycle(t *testing.T) {
 	t.Parallel()
 
@@ -477,8 +435,8 @@ func TestTracker_TelemetryCycle(t *testing.T) {
 	require.NoError(t, tracker2.FlushToDB(ctx, db, replica2))
 	require.NoError(t, tracker3.FlushToDB(ctx, db, replica3))
 
-	// Telemetry aggregates.
-	summary, err := db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	// Telemetry aggregates and resets (simulating telemetry report sent).
+	summary, err := db.GetAndResetBoundaryUsageSummary(boundaryCtx, 60000)
 	require.NoError(t, err)
 
 	// Verify aggregation.
@@ -487,15 +445,12 @@ func TestTracker_TelemetryCycle(t *testing.T) {
 	require.Equal(t, int64(105), summary.AllowedRequests) // 25 + 75 + 5
 	require.Equal(t, int64(15), summary.DeniedRequests)   // 3 + 12 + 0
 
-	// Telemetry resets stats (simulating telemetry report sent).
-	require.NoError(t, db.ResetBoundaryUsageStats(boundaryCtx))
-
 	// Next flush from trackers should detect new period.
 	tracker1.Track(uuid.New(), uuid.New(), 1, 0)
 	require.NoError(t, tracker1.FlushToDB(ctx, db, replica1))
 
 	// Verify trackers reset their in-memory state.
-	summary, err = db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	summary, err = db.GetAndResetBoundaryUsageSummary(boundaryCtx, 60000)
 	require.NoError(t, err)
 	require.Equal(t, int64(1), summary.UniqueWorkspaces)
 	require.Equal(t, int64(1), summary.AllowedRequests)
@@ -513,30 +468,24 @@ func TestTracker_FlushToDB_NoStaleDataAfterReset(t *testing.T) {
 	workspaceID := uuid.New()
 	ownerID := uuid.New()
 
-	// Track some data, flush, and verify.
+	// Track some data and flush.
 	tracker.Track(workspaceID, ownerID, 10, 5)
 	err := tracker.FlushToDB(ctx, db, replicaID)
 	require.NoError(t, err)
 
-	summary, err := db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	// Simulate telemetry reset (new period) - this also verifies the data.
+	summary, err := db.GetAndResetBoundaryUsageSummary(boundaryCtx, 60000)
 	require.NoError(t, err)
 	require.Equal(t, int64(1), summary.UniqueWorkspaces)
 	require.Equal(t, int64(10), summary.AllowedRequests)
 
-	// Simulate telemetry reset (new period).
-	err = db.ResetBoundaryUsageStats(boundaryCtx)
-	require.NoError(t, err)
-	summary, err = db.GetBoundaryUsageSummary(boundaryCtx, 60000)
-	require.NoError(t, err)
-	require.Equal(t, int64(0), summary.AllowedRequests)
-
 	// Flush again without any new Track() calls. This should not write stale
 	// data back to the DB.
 	err = tracker.FlushToDB(ctx, db, replicaID)
 	require.NoError(t, err)
 
 	// Summary should be empty (no stale data written).
-	summary, err = db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	summary, err = db.GetAndResetBoundaryUsageSummary(boundaryCtx, 60000)
 	require.NoError(t, err)
 	require.Equal(t, int64(0), summary.UniqueWorkspaces)
 	require.Equal(t, int64(0), summary.UniqueUsers)
@@ -582,7 +531,7 @@ func TestTracker_ConcurrentFlushAndTrack(t *testing.T) {
 
 	// Verify stats are non-negative.
 	boundaryCtx := dbauthz.AsBoundaryUsageTracker(ctx)
-	summary, err := db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	summary, err := db.GetAndResetBoundaryUsageSummary(boundaryCtx, 60000)
 	require.NoError(t, err)
 	require.GreaterOrEqual(t, summary.AllowedRequests, int64(0))
 	require.GreaterOrEqual(t, summary.DeniedRequests, int64(0))
@@ -597,6 +546,17 @@ type trackDuringUpsertDB struct {
 	userID      uuid.UUID
 }
 
+func (s *trackDuringUpsertDB) InTx(fn func(database.Store) error, opts *database.TxOptions) error {
+	return s.Store.InTx(func(tx database.Store) error {
+		return fn(&trackDuringUpsertDB{
+			Store:       tx,
+			tracker:     s.tracker,
+			workspaceID: s.workspaceID,
+			userID:      s.userID,
+		})
+	}, opts)
+}
+
 func (s *trackDuringUpsertDB) UpsertBoundaryUsageStats(ctx context.Context, arg database.UpsertBoundaryUsageStatsParams) (bool, error) {
 	s.tracker.Track(s.workspaceID, s.userID, 20, 10)
 	return s.Store.UpsertBoundaryUsageStats(ctx, arg)
@@ -626,17 +586,12 @@ func TestTracker_TrackDuringFlush(t *testing.T) {
 	err := tracker.FlushToDB(ctx, trackingDB, replicaID)
 	require.NoError(t, err)
 
-	// Verify first flush only wrote the initial data.
-	summary, err := db.GetBoundaryUsageSummary(boundaryCtx, 60000)
-	require.NoError(t, err)
-	require.Equal(t, int64(10), summary.AllowedRequests)
-
-	// The second flush should include the Track() call that happened during the
-	// first flush's DB operation.
+	// Second flush captures the Track() that happened during the first flush.
 	err = tracker.FlushToDB(ctx, db, replicaID)
 	require.NoError(t, err)
 
-	summary, err = db.GetBoundaryUsageSummary(boundaryCtx, 60000)
+	// Verify both flushes are in the summary.
+	summary, err := db.GetAndResetBoundaryUsageSummary(boundaryCtx, 60000)
 	require.NoError(t, err)
 	require.Equal(t, int64(10+20), summary.AllowedRequests)
 	require.Equal(t, int64(5+10), summary.DeniedRequests)

coderd/cachecompress/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2015-present Peter Kieltyka (https://github.com/pkieltyka), Google Inc.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

coderd/cachecompress/compress.go

@@ -0,0 +1,440 @@
+// Package cachecompress creates a compressed cache of static files based on an http.FS. It is modified from
+// https://github.com/go-chi/chi Compressor middleware. See the LICENSE file in this directory for copyright
+// information.
+package cachecompress
+
+import (
+	"compress/flate"
+	"compress/gzip"
+	"context"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog/v3"
+)
+
+type cacheKey struct {
+	encoding string
+	urlPath  string
+}
+
+func (c cacheKey) filePath(cacheDir string) string {
+	// URLs can have slashes or other characters we don't want the file system interpreting. So we just encode the path
+	// to a flat base64 filename.
+	filename := base64.URLEncoding.EncodeToString([]byte(c.urlPath))
+	return filepath.Join(cacheDir, c.encoding, filename)
+}
+
+func getCacheKey(encoding string, r *http.Request) cacheKey {
+	return cacheKey{
+		encoding: encoding,
+		urlPath:  r.URL.Path,
+	}
+}
+
+type ref struct {
+	key  cacheKey
+	done chan struct{}
+	err  chan error
+}
+
+// Compressor represents a set of encoding configurations.
+type Compressor struct {
+	logger slog.Logger
+	// The mapping of encoder names to encoder functions.
+	encoders map[string]EncoderFunc
+	// The mapping of pooled encoders to pools.
+	pooledEncoders map[string]*sync.Pool
+	// The list of encoders in order of decreasing precedence.
+	encodingPrecedence []string
+	level              int // The compression level.
+	cacheDir           string
+	orig               http.FileSystem
+
+	mu    sync.Mutex
+	cache map[cacheKey]ref
+}
+
+// NewCompressor creates a new Compressor that will handle encoding responses.
+//
+// The level should be one of the ones defined in the flate package.
+// The types are the content types that are allowed to be compressed.
+func NewCompressor(logger slog.Logger, level int, cacheDir string, orig http.FileSystem) *Compressor {
+	c := &Compressor{
+		logger:         logger.Named("cachecompress"),
+		level:          level,
+		encoders:       make(map[string]EncoderFunc),
+		pooledEncoders: make(map[string]*sync.Pool),
+		cacheDir:       cacheDir,
+		orig:           orig,
+		cache:          make(map[cacheKey]ref),
+	}
+
+	// Set the default encoders.  The precedence order uses the reverse
+	// ordering that the encoders were added. This means adding new encoders
+	// will move them to the front of the order.
+	//
+	// TODO:
+	// lzma: Opera.
+	// sdch: Chrome, Android. Gzip output + dictionary header.
+	// br:   Brotli, see https://github.com/go-chi/chi/pull/326
+
+	// HTTP 1.1 "deflate" (RFC 2616) stands for DEFLATE data (RFC 1951)
+	// wrapped with zlib (RFC 1950). The zlib wrapper uses Adler-32
+	// checksum compared to CRC-32 used in "gzip" and thus is faster.
+	//
+	// But.. some old browsers (MSIE, Safari 5.1) incorrectly expect
+	// raw DEFLATE data only, without the mentioned zlib wrapper.
+	// Because of this major confusion, most modern browsers try it
+	// both ways, first looking for zlib headers.
+	// Quote by Mark Adler: http://stackoverflow.com/a/9186091/385548
+	//
+	// The list of browsers having problems is quite big, see:
+	// http://zoompf.com/blog/2012/02/lose-the-wait-http-compression
+	// https://web.archive.org/web/20120321182910/http://www.vervestudios.co/projects/compression-tests/results
+	//
+	// That's why we prefer gzip over deflate. It's just more reliable
+	// and not significantly slower than deflate.
+	c.SetEncoder("deflate", encoderDeflate)
+
+	// TODO: Exception for old MSIE browsers that can't handle non-HTML?
+	// https://zoompf.com/blog/2012/02/lose-the-wait-http-compression
+	c.SetEncoder("gzip", encoderGzip)
+
+	// NOTE: Not implemented, intentionally:
+	// case "compress": // LZW. Deprecated.
+	// case "bzip2":    // Too slow on-the-fly.
+	// case "zopfli":   // Too slow on-the-fly.
+	// case "xz":       // Too slow on-the-fly.
+	return c
+}
+
+// SetEncoder can be used to set the implementation of a compression algorithm.
+//
+// The encoding should be a standardized identifier. See:
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding
+//
+// For example, add the Brotli algorithm:
+//
+//	import brotli_enc "gopkg.in/kothar/brotli-go.v0/enc"
+//
+//	compressor := middleware.NewCompressor(5, "text/html")
+//	compressor.SetEncoder("br", func(w io.Writer, level int) io.Writer {
+//		params := brotli_enc.NewBrotliParams()
+//		params.SetQuality(level)
+//		return brotli_enc.NewBrotliWriter(params, w)
+//	})
+func (c *Compressor) SetEncoder(encoding string, fn EncoderFunc) {
+	encoding = strings.ToLower(encoding)
+	if encoding == "" {
+		panic("the encoding can not be empty")
+	}
+	if fn == nil {
+		panic("attempted to set a nil encoder function")
+	}
+
+	// If we are adding a new encoder that is already registered, we have to
+	// clear that one out first.
+	delete(c.pooledEncoders, encoding)
+	delete(c.encoders, encoding)
+
+	// If the encoder supports Resetting (IoReseterWriter), then it can be pooled.
+	encoder := fn(io.Discard, c.level)
+	if _, ok := encoder.(ioResetterWriter); ok {
+		pool := &sync.Pool{
+			New: func() interface{} {
+				return fn(io.Discard, c.level)
+			},
+		}
+		c.pooledEncoders[encoding] = pool
+	}
+	// If the encoder is not in the pooledEncoders, add it to the normal encoders.
+	if _, ok := c.pooledEncoders[encoding]; !ok {
+		c.encoders[encoding] = fn
+	}
+
+	for i, v := range c.encodingPrecedence {
+		if v == encoding {
+			c.encodingPrecedence = append(c.encodingPrecedence[:i], c.encodingPrecedence[i+1:]...)
+		}
+	}
+
+	c.encodingPrecedence = append([]string{encoding}, c.encodingPrecedence...)
+}
+
+// ServeHTTP returns the response from the orig file system, compressed if possible.
+func (c *Compressor) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	encoding := c.selectEncoder(r.Header)
+
+	// we can only serve a cached response if all the following:
+	// 1. they requested an encoding we support
+	// 2. they are requesting the whole file, not a range
+	// 3. the method is GET
+	if encoding == "" || r.Header.Get("Range") != "" || r.Method != "GET" {
+		http.FileServer(c.orig).ServeHTTP(w, r)
+		return
+	}
+
+	// Whether we should serve a cached response also depends in a fairly complex way on the path and request
+	// headers. In particular, we don't need a cached response for non-existing files/directories, and should not serve
+	// a cached response if the correct Etag for the file is provided. This logic is all handled by the http.FileServer,
+	// and we don't want to reimplement it here. So, what we'll do is send a HEAD request to the http.FileServer to see
+	// what it would do.
+	headReq := r.Clone(r.Context())
+	headReq.Method = http.MethodHead
+	headRW := &compressResponseWriter{
+		w:       io.Discard,
+		headers: make(http.Header),
+	}
+	// deep-copy the headers already set on the response. This includes things like ETags.
+	for key, values := range w.Header() {
+		for _, value := range values {
+			headRW.headers.Add(key, value)
+		}
+	}
+	http.FileServer(c.orig).ServeHTTP(headRW, headReq)
+	if headRW.code != http.StatusOK {
+		// again, fall back to the file server. This is often a 404 Not Found, or a 304 Not Modified if they provided
+		// the correct ETag.
+		http.FileServer(c.orig).ServeHTTP(w, r)
+		return
+	}
+
+	cref := c.getRef(encoding, r)
+	c.serveRef(w, r, headRW.headers, cref)
+}
+
+func (c *Compressor) serveRef(w http.ResponseWriter, r *http.Request, headers http.Header, cref ref) {
+	select {
+	case <-r.Context().Done():
+		w.WriteHeader(http.StatusServiceUnavailable)
+		return
+	case <-cref.done:
+		cachePath := cref.key.filePath(c.cacheDir)
+		cacheFile, err := os.Open(cachePath)
+		if err != nil {
+			c.logger.Error(context.Background(), "failed to open compressed cache file",
+				slog.F("cache_path", cachePath), slog.F("url_path", cref.key.urlPath), slog.Error(err))
+			// fall back to uncompressed
+			http.FileServer(c.orig).ServeHTTP(w, r)
+		}
+		defer cacheFile.Close()
+
+		// we need to remove or modify the Content-Length, if any, set by the FileServer because it will be for
+		// uncompressed data and wrong.
+		info, err := cacheFile.Stat()
+		if err != nil {
+			c.logger.Error(context.Background(), "failed to stat compressed cache file",
+				slog.F("cache_path", cachePath), slog.F("url_path", cref.key.urlPath), slog.Error(err))
+			headers.Del("Content-Length")
+		} else {
+			headers.Set("Content-Length", fmt.Sprintf("%d", info.Size()))
+		}
+
+		for key, values := range headers {
+			for _, value := range values {
+				w.Header().Add(key, value)
+			}
+		}
+		w.Header().Set("Content-Encoding", cref.key.encoding)
+		w.Header().Add("Vary", "Accept-Encoding")
+		w.WriteHeader(http.StatusOK)
+		_, err = io.Copy(w, cacheFile)
+		if err != nil {
+			// most commonly, the writer will hang up before we are done.
+			c.logger.Debug(context.Background(), "failed to write compressed cache file", slog.Error(err))
+		}
+		return
+	case <-cref.err:
+		// fall back to uncompressed
+		http.FileServer(c.orig).ServeHTTP(w, r)
+		return
+	}
+}
+
+func (c *Compressor) getRef(encoding string, r *http.Request) ref {
+	ck := getCacheKey(encoding, r)
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	cref, ok := c.cache[ck]
+	if ok {
+		return cref
+	}
+	// we are the first to encode
+	cref = ref{
+		key: ck,
+
+		done: make(chan struct{}),
+		err:  make(chan error),
+	}
+	c.cache[ck] = cref
+	go c.compress(context.Background(), encoding, cref, r)
+	return cref
+}
+
+func (c *Compressor) compress(ctx context.Context, encoding string, cref ref, r *http.Request) {
+	cachePath := cref.key.filePath(c.cacheDir)
+	var err error
+	// we want to handle closing either cref.done or cref.err in a defer at the bottom of the stack so that the encoder
+	// and cache file are both closed first (higher in the defer stack). This prevents data races where waiting HTTP
+	// handlers start reading the file before all the data has been flushed.
+	defer func() {
+		if err != nil {
+			if rErr := os.Remove(cachePath); rErr != nil {
+				// nolint: gocritic // best effort, just debug log any errors
+				c.logger.Debug(ctx, "failed to remove cache file",
+					slog.F("main_err", err), slog.F("remove_err", rErr), slog.F("cache_path", cachePath))
+			}
+			c.mu.Lock()
+			delete(c.cache, cref.key)
+			c.mu.Unlock()
+			close(cref.err)
+			return
+		}
+		close(cref.done)
+	}()
+
+	cacheDir := filepath.Dir(cachePath)
+	err = os.MkdirAll(cacheDir, 0o700)
+	if err != nil {
+		c.logger.Error(ctx, "failed to create cache directory", slog.F("cache_dir", cacheDir))
+		return
+	}
+
+	// We will truncate and overwrite any existing files. This is important in the case that we get restarted
+	// with the same cache dir, possibly with different source files.
+	cacheFile, err := os.OpenFile(cachePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
+	if err != nil {
+		c.logger.Error(ctx, "failed to open compression cache file",
+			slog.F("path", cachePath), slog.Error(err))
+		return
+	}
+	defer cacheFile.Close()
+	encoder, cleanup := c.getEncoder(encoding, cacheFile)
+	if encoder == nil {
+		// can only hit this if there is a programming error
+		c.logger.Critical(ctx, "got nil encoder", slog.F("encoding", encoding))
+		err = xerrors.New("nil encoder")
+		return
+	}
+	defer cleanup()
+	defer encoder.Close() // ensures we flush, needs to be called before cleanup(), so we defer after it.
+
+	cw := &compressResponseWriter{
+		w:       encoder,
+		headers: make(http.Header), // ignored
+	}
+	http.FileServer(c.orig).ServeHTTP(cw, r)
+	if cw.code != http.StatusOK {
+		// log at debug because this is likely just a 404
+		c.logger.Debug(ctx, "file server failed to serve",
+			slog.F("encoding", encoding), slog.F("url_path", cref.key.urlPath), slog.F("http_code", cw.code))
+		// mark the error so that we clean up correctly
+		err = xerrors.New("file server failed to serve")
+		return
+	}
+	// success!
+}
+
+// selectEncoder returns the name of the encoder
+func (c *Compressor) selectEncoder(h http.Header) string {
+	header := h.Get("Accept-Encoding")
+
+	// Parse the names of all accepted algorithms from the header.
+	accepted := strings.Split(strings.ToLower(header), ",")
+
+	// Find supported encoder by accepted list by precedence
+	for _, name := range c.encodingPrecedence {
+		if matchAcceptEncoding(accepted, name) {
+			return name
+		}
+	}
+
+	// No encoder found to match the accepted encoding
+	return ""
+}
+
+// getEncoder returns a writer that encodes and writes to the provided writer, and a cleanup func.
+func (c *Compressor) getEncoder(name string, w io.Writer) (io.WriteCloser, func()) {
+	if pool, ok := c.pooledEncoders[name]; ok {
+		encoder, typeOK := pool.Get().(ioResetterWriter)
+		if !typeOK {
+			return nil, nil
+		}
+		cleanup := func() {
+			pool.Put(encoder)
+		}
+		encoder.Reset(w)
+		return encoder, cleanup
+	}
+	if fn, ok := c.encoders[name]; ok {
+		return fn(w, c.level), func() {}
+	}
+	return nil, nil
+}
+
+func matchAcceptEncoding(accepted []string, encoding string) bool {
+	for _, v := range accepted {
+		if strings.Contains(v, encoding) {
+			return true
+		}
+	}
+	return false
+}
+
+// An EncoderFunc is a function that wraps the provided io.Writer with a
+// streaming compression algorithm and returns it.
+//
+// In case of failure, the function should return nil.
+type EncoderFunc func(w io.Writer, level int) io.WriteCloser
+
+// Interface for types that allow resetting io.Writers.
+type ioResetterWriter interface {
+	io.WriteCloser
+	Reset(w io.Writer)
+}
+
+func encoderGzip(w io.Writer, level int) io.WriteCloser {
+	gw, err := gzip.NewWriterLevel(w, level)
+	if err != nil {
+		return nil
+	}
+	return gw
+}
+
+func encoderDeflate(w io.Writer, level int) io.WriteCloser {
+	dw, err := flate.NewWriter(w, level)
+	if err != nil {
+		return nil
+	}
+	return dw
+}
+
+type compressResponseWriter struct {
+	w       io.Writer
+	headers http.Header
+	code    int
+}
+
+func (cw *compressResponseWriter) Header() http.Header {
+	return cw.headers
+}
+
+func (cw *compressResponseWriter) WriteHeader(code int) {
+	cw.code = code
+}
+
+func (cw *compressResponseWriter) Write(p []byte) (int, error) {
+	if cw.code == 0 {
+		cw.code = http.StatusOK
+	}
+	return cw.w.Write(p)
+}

coderd/cachecompress/compress_internal_test.go

@@ -0,0 +1,227 @@
+package cachecompress
+
+import (
+	"bytes"
+	"compress/flate"
+	"compress/gzip"
+	"context"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/testutil"
+)
+
+func TestCompressorEncodings(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name              string
+		path              string
+		expectedEncoding  string
+		acceptedEncodings []string
+	}{
+		{
+			name:              "no expected encodings due to no accepted encodings",
+			path:              "/file.html",
+			acceptedEncodings: nil,
+			expectedEncoding:  "",
+		},
+		{
+			name:              "gzip is only encoding",
+			path:              "/file.html",
+			acceptedEncodings: []string{"gzip"},
+			expectedEncoding:  "gzip",
+		},
+		{
+			name:              "gzip is preferred over deflate",
+			path:              "/file.html",
+			acceptedEncodings: []string{"gzip", "deflate"},
+			expectedEncoding:  "gzip",
+		},
+		{
+			name:              "deflate is used",
+			path:              "/file.html",
+			acceptedEncodings: []string{"deflate"},
+			expectedEncoding:  "deflate",
+		},
+		{
+			name:              "nop is preferred",
+			path:              "/file.html",
+			acceptedEncodings: []string{"nop, gzip, deflate"},
+			expectedEncoding:  "nop",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			logger := testutil.Logger(t)
+			tempDir := t.TempDir()
+			cacheDir := filepath.Join(tempDir, "cache")
+			err := os.MkdirAll(cacheDir, 0o700)
+			require.NoError(t, err)
+			srcDir := filepath.Join(tempDir, "src")
+			err = os.MkdirAll(srcDir, 0o700)
+			require.NoError(t, err)
+			err = os.WriteFile(filepath.Join(srcDir, "file.html"), []byte("textstring"), 0o600)
+			require.NoError(t, err)
+
+			compressor := NewCompressor(logger, 5, cacheDir, http.FS(os.DirFS(srcDir)))
+			if len(compressor.encoders) != 0 || len(compressor.pooledEncoders) != 2 {
+				t.Errorf("gzip and deflate should be pooled")
+			}
+			logger.Debug(context.Background(), "started compressor")
+
+			compressor.SetEncoder("nop", func(w io.Writer, _ int) io.WriteCloser {
+				return nopEncoder{w}
+			})
+
+			if len(compressor.encoders) != 1 {
+				t.Errorf("nop encoder should be stored in the encoders map")
+			}
+
+			ts := httptest.NewServer(compressor)
+			defer ts.Close()
+			// ctx := testutil.Context(t, testutil.WaitShort)
+			ctx := context.Background()
+			header, respString := testRequestWithAcceptedEncodings(ctx, t, ts, "GET", tc.path, tc.acceptedEncodings...)
+			if respString != "textstring" {
+				t.Errorf("response text doesn't match; expected:%q, got:%q", "textstring", respString)
+			}
+			if got := header.Get("Content-Encoding"); got != tc.expectedEncoding {
+				t.Errorf("expected encoding %q but got %q", tc.expectedEncoding, got)
+			}
+		})
+	}
+}
+
+func testRequestWithAcceptedEncodings(ctx context.Context, t *testing.T, ts *httptest.Server, method, path string, encodings ...string) (http.Header, string) {
+	req, err := http.NewRequestWithContext(ctx, method, ts.URL+path, nil)
+	if err != nil {
+		t.Fatal(err)
+		return nil, ""
+	}
+	if len(encodings) > 0 {
+		encodingsString := strings.Join(encodings, ",")
+		req.Header.Set("Accept-Encoding", encodingsString)
+	}
+
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.DisableCompression = true // prevent automatically setting gzip
+
+	resp, err := (&http.Client{Transport: transport}).Do(req)
+	require.NoError(t, err)
+
+	respBody := decodeResponseBody(t, resp)
+	defer resp.Body.Close()
+
+	return resp.Header, respBody
+}
+
+func decodeResponseBody(t *testing.T, resp *http.Response) string {
+	var reader io.ReadCloser
+	t.Logf("encoding: '%s'", resp.Header.Get("Content-Encoding"))
+	rawBody, err := io.ReadAll(resp.Body)
+	require.NoError(t, err)
+	t.Logf("raw body: %x", rawBody)
+	switch resp.Header.Get("Content-Encoding") {
+	case "gzip":
+		var err error
+		reader, err = gzip.NewReader(bytes.NewReader(rawBody))
+		require.NoError(t, err)
+	case "deflate":
+		reader = flate.NewReader(bytes.NewReader(rawBody))
+	default:
+		return string(rawBody)
+	}
+	respBody, err := io.ReadAll(reader)
+	require.NoError(t, err, "failed to read response body: %T %+v", err, err)
+	err = reader.Close()
+	require.NoError(t, err)
+
+	return string(respBody)
+}
+
+type nopEncoder struct {
+	io.Writer
+}
+
+func (nopEncoder) Close() error { return nil }
+
+// nolint: tparallel // we want to assert the state of the cache, so run synchronously
+func TestCompressorHeadings(t *testing.T) {
+	t.Parallel()
+	logger := testutil.Logger(t)
+	tempDir := t.TempDir()
+	cacheDir := filepath.Join(tempDir, "cache")
+	err := os.MkdirAll(cacheDir, 0o700)
+	require.NoError(t, err)
+	srcDir := filepath.Join(tempDir, "src")
+	err = os.MkdirAll(srcDir, 0o700)
+	require.NoError(t, err)
+	err = os.WriteFile(filepath.Join(srcDir, "file.html"), []byte("textstring"), 0o600)
+	require.NoError(t, err)
+
+	compressor := NewCompressor(logger, 5, cacheDir, http.FS(os.DirFS(srcDir)))
+
+	ts := httptest.NewServer(compressor)
+	defer ts.Close()
+
+	tests := []struct {
+		name string
+		path string
+	}{
+		{
+			name: "exists",
+			path: "/file.html",
+		},
+		{
+			name: "not found",
+			path: "/missing.html",
+		},
+		{
+			name: "not found directory",
+			path: "/a_directory/",
+		},
+	}
+
+	// nolint: paralleltest // we want to assert the state of the cache, so run synchronously
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx := testutil.Context(t, testutil.WaitShort)
+			req := httptest.NewRequestWithContext(ctx, "GET", tc.path, nil)
+
+			// request directly from http.FileServer as our baseline response
+			respROrig := httptest.NewRecorder()
+			http.FileServer(http.Dir(srcDir)).ServeHTTP(respROrig, req)
+			respOrig := respROrig.Result()
+
+			req.Header.Add("Accept-Encoding", "gzip")
+			// serve twice so that we go thru cache hit and cache miss code
+			for range 2 {
+				respRec := httptest.NewRecorder()
+				compressor.ServeHTTP(respRec, req)
+				respComp := respRec.Result()
+
+				require.Equal(t, respOrig.StatusCode, respComp.StatusCode)
+				for key, values := range respOrig.Header {
+					if key == "Content-Length" {
+						continue // we don't get length on compressed responses
+					}
+					require.Equal(t, values, respComp.Header[key])
+				}
+			}
+		})
+	}
+	// only the cache hit should leave a file around
+	files, err := os.ReadDir(srcDir)
+	require.NoError(t, err)
+	require.Len(t, files, 1)
+}

coderd/coderd.go

@@ -21,11 +21,9 @@ import (
 	"sync/atomic"
 	"time"
 
-	"github.com/andybalholm/brotli"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/google/uuid"
-	"github.com/klauspost/compress/zstd"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/collectors"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -44,6 +42,7 @@ import (
 	"cdr.dev/slog/v3"
 	agentproto "github.com/coder/coder/v2/agent/proto"
 	"github.com/coder/coder/v2/buildinfo"
+	"github.com/coder/coder/v2/coderd/agentapi"
 	"github.com/coder/coder/v2/coderd/agentapi/metadatabatcher"
 	_ "github.com/coder/coder/v2/coderd/apidoc" // Used for swagger docs.
 	"github.com/coder/coder/v2/coderd/appearance"
@@ -462,10 +461,6 @@ func New(options *Options) *API {
 	if siteCacheDir != "" {
 		siteCacheDir = filepath.Join(siteCacheDir, "site")
 	}
-	binFS, binHashes, err := site.ExtractOrReadBinFS(siteCacheDir, site.FS())
-	if err != nil {
-		panic(xerrors.Errorf("read site bin failed: %w", err))
-	}
 
 	metricsCache := metricscache.New(
 		options.Database,
@@ -658,9 +653,8 @@ func New(options *Options) *API {
 		WebPushPublicKey:      api.WebpushDispatcher.PublicKey(),
 		Telemetry:             api.Telemetry.Enabled(),
 	}
-	api.SiteHandler = site.New(&site.Options{
-		BinFS:             binFS,
-		BinHashes:         binHashes,
+	api.SiteHandler, err = site.New(&site.Options{
+		CacheDir:          siteCacheDir,
 		Database:          options.Database,
 		SiteFS:            site.FS(),
 		OAuth2Configs:     oauthConfigs,
@@ -672,6 +666,9 @@ func New(options *Options) *API {
 		Logger:            options.Logger.Named("site"),
 		HideAITasks:       options.DeploymentValues.HideAITasks.Value(),
 	})
+	if err != nil {
+		options.Logger.Fatal(ctx, "failed to initialize site handler", slog.Error(err))
+	}
 	api.SiteHandler.Experiments.Store(&experiments)
 
 	if options.UpdateCheckOptions != nil {
@@ -758,6 +755,7 @@ func New(options *Options) *API {
 	api.agentProvider = stn
 	if options.DeploymentValues.Prometheus.Enable {
 		options.PrometheusRegistry.MustRegister(stn)
+		api.lifecycleMetrics = agentapi.NewLifecycleMetrics(options.PrometheusRegistry)
 	}
 	api.NetworkTelemetryBatcher = tailnet.NewNetworkTelemetryBatcher(
 		quartz.NewReal(),
@@ -1080,6 +1078,7 @@ func New(options *Options) *API {
 					r.Patch("/input", api.taskUpdateInput)
 					r.Post("/send", api.taskSend)
 					r.Get("/logs", api.taskLogs)
+					r.Post("/pause", api.pauseTask)
 				})
 			})
 		})
@@ -1892,8 +1891,9 @@ type API struct {
 	healthCheckCache    atomic.Pointer[healthsdk.HealthcheckReport]
 	healthCheckProgress healthcheck.Progress
 
-	statsReporter   *workspacestats.Reporter
-	metadataBatcher *metadatabatcher.Batcher
+	statsReporter    *workspacestats.Reporter
+	metadataBatcher  *metadatabatcher.Batcher
+	lifecycleMetrics *agentapi.LifecycleMetrics
 
 	Acquirer *provisionerdserver.Acquirer
 	// dbRolluper rolls up template usage stats from raw agent and app
@@ -1974,16 +1974,13 @@ func compressHandler(h http.Handler) http.Handler {
 		"application/*",
 		"image/*",
 	)
-	cmp.SetEncoder("br", func(w io.Writer, level int) io.Writer {
-		return brotli.NewWriterLevel(w, level)
-	})
-	cmp.SetEncoder("zstd", func(w io.Writer, level int) io.Writer {
-		zw, err := zstd.NewWriter(w, zstd.WithEncoderLevel(zstd.EncoderLevelFromZstd(level)))
-		if err != nil {
-			panic("invalid zstd compressor: " + err.Error())
-		}
-		return zw
-	})
+	for encoding := range site.StandardEncoders {
+		writeCloserFn := site.StandardEncoders[encoding]
+		cmp.SetEncoder(encoding, func(w io.Writer, level int) io.Writer {
+			writeCloser := writeCloserFn(w, level)
+			return writeCloser
+		})
+	}
 
 	return cmp.Handler(h)
 }
@@ -1996,8 +1993,15 @@ func MemoryProvisionerWithVersionOverride(version string) MemoryProvisionerDaemo
 	}
 }
 
+func MemoryProvisionerWithHeartbeatOverride(heartbeatFN func(context.Context) error) MemoryProvisionerDaemonOption {
+	return func(opts *memoryProvisionerDaemonOptions) {
+		opts.heartbeatFn = heartbeatFN
+	}
+}
+
 type memoryProvisionerDaemonOptions struct {
 	versionOverride string
+	heartbeatFn     func(context.Context) error
 }
 
 // CreateInMemoryProvisionerDaemon is an in-memory connection to a provisionerd.
@@ -2087,6 +2091,7 @@ func (api *API) CreateInMemoryTaggedProvisionerDaemon(dialCtx context.Context, n
 			OIDCConfig:          api.OIDCConfig,
 			ExternalAuthConfigs: api.ExternalAuthConfigs,
 			Clock:               api.Clock,
+			HeartbeatFn:         options.heartbeatFn,
 		},
 		api.NotificationsEnqueuer,
 		&api.PrebuildsReconciler,

coderd/database/dbauthz/dbauthz.go

@@ -412,7 +412,7 @@ var (
 					ByOrgID: map[string]rbac.OrgPermissions{
 						orgID.String(): {
 							Member: rbac.Permissions(map[string][]policy.Action{
-								rbac.ResourceWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionCreateAgent, policy.ActionDeleteAgent},
+								rbac.ResourceWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionCreateAgent, policy.ActionDeleteAgent, policy.ActionUpdateAgent},
 							}),
 						},
 					},
@@ -442,7 +442,7 @@ var (
 					rbac.ResourceProvisionerDaemon.Type:      {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate},
 					rbac.ResourceUser.Type:                   rbac.ResourceUser.AvailableActions(),
 					rbac.ResourceWorkspaceDormant.Type:       {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStop},
-					rbac.ResourceWorkspace.Type:              {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop, policy.ActionSSH, policy.ActionCreateAgent, policy.ActionDeleteAgent},
+					rbac.ResourceWorkspace.Type:              {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop, policy.ActionSSH, policy.ActionCreateAgent, policy.ActionDeleteAgent, policy.ActionUpdateAgent},
 					rbac.ResourceWorkspaceProxy.Type:         {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
 					rbac.ResourceDeploymentConfig.Type:       {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
 					rbac.ResourceNotificationMessage.Type:    {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
@@ -1703,13 +1703,6 @@ func (q *querier) DeleteApplicationConnectAPIKeysByUserID(ctx context.Context, u
 	return q.db.DeleteApplicationConnectAPIKeysByUserID(ctx, userID)
 }
 
-func (q *querier) DeleteBoundaryUsageStatsByReplicaID(ctx context.Context, replicaID uuid.UUID) error {
-	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceBoundaryUsage); err != nil {
-		return err
-	}
-	return q.db.DeleteBoundaryUsageStatsByReplicaID(ctx, replicaID)
-}
-
 func (q *querier) DeleteCryptoKey(ctx context.Context, arg database.DeleteCryptoKeyParams) (database.CryptoKey, error) {
 	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceCryptoKey); err != nil {
 		return database.CryptoKey{}, err
@@ -1932,14 +1925,14 @@ func (q *querier) DeleteTailnetTunnel(ctx context.Context, arg database.DeleteTa
 	return q.db.DeleteTailnetTunnel(ctx, arg)
 }
 
-func (q *querier) DeleteTask(ctx context.Context, arg database.DeleteTaskParams) (database.TaskTable, error) {
+func (q *querier) DeleteTask(ctx context.Context, arg database.DeleteTaskParams) (uuid.UUID, error) {
 	task, err := q.db.GetTaskByID(ctx, arg.ID)
 	if err != nil {
-		return database.TaskTable{}, err
+		return uuid.UUID{}, err
 	}
 
 	if err := q.authorizeContext(ctx, policy.ActionDelete, task.RBACObject()); err != nil {
-		return database.TaskTable{}, err
+		return uuid.UUID{}, err
 	}
 
 	return q.db.DeleteTask(ctx, arg)
@@ -2223,6 +2216,13 @@ func (q *querier) GetAllTailnetTunnels(ctx context.Context) ([]database.TailnetT
 	return q.db.GetAllTailnetTunnels(ctx)
 }
 
+func (q *querier) GetAndResetBoundaryUsageSummary(ctx context.Context, maxStalenessMs int64) (database.GetAndResetBoundaryUsageSummaryRow, error) {
+	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceBoundaryUsage); err != nil {
+		return database.GetAndResetBoundaryUsageSummaryRow{}, err
+	}
+	return q.db.GetAndResetBoundaryUsageSummary(ctx, maxStalenessMs)
+}
+
 func (q *querier) GetAnnouncementBanners(ctx context.Context) (string, error) {
 	// No authz checks
 	return q.db.GetAnnouncementBanners(ctx)
@@ -2271,13 +2271,6 @@ func (q *querier) GetAuthorizationUserRoles(ctx context.Context, userID uuid.UUI
 	return q.db.GetAuthorizationUserRoles(ctx, userID)
 }
 
-func (q *querier) GetBoundaryUsageSummary(ctx context.Context, maxStalenessMs int64) (database.GetBoundaryUsageSummaryRow, error) {
-	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceBoundaryUsage); err != nil {
-		return database.GetBoundaryUsageSummaryRow{}, err
-	}
-	return q.db.GetBoundaryUsageSummary(ctx, maxStalenessMs)
-}
-
 func (q *querier) GetConnectionLogsOffset(ctx context.Context, arg database.GetConnectionLogsOffsetParams) ([]database.GetConnectionLogsOffsetRow, error) {
 	// Just like with the audit logs query, shortcut if the user is an owner.
 	err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceConnectionLog)
@@ -3893,6 +3886,14 @@ func (q *querier) GetWorkspaceBuildByWorkspaceIDAndBuildNumber(ctx context.Conte
 	return q.db.GetWorkspaceBuildByWorkspaceIDAndBuildNumber(ctx, arg)
 }
 
+func (q *querier) GetWorkspaceBuildMetricsByResourceID(ctx context.Context, id uuid.UUID) (database.GetWorkspaceBuildMetricsByResourceIDRow, error) {
+	// Verify access to the resource first.
+	if _, err := q.GetWorkspaceResourceByID(ctx, id); err != nil {
+		return database.GetWorkspaceBuildMetricsByResourceIDRow{}, err
+	}
+	return q.db.GetWorkspaceBuildMetricsByResourceID(ctx, id)
+}
+
 func (q *querier) GetWorkspaceBuildParameters(ctx context.Context, workspaceBuildID uuid.UUID) ([]database.WorkspaceBuildParameter, error) {
 	// Authorized call to get the workspace build. If we can read the build,
 	// we can read the params.
@@ -4891,13 +4892,6 @@ func (q *querier) RemoveUserFromGroups(ctx context.Context, arg database.RemoveU
 	return q.db.RemoveUserFromGroups(ctx, arg)
 }
 
-func (q *querier) ResetBoundaryUsageStats(ctx context.Context) error {
-	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceBoundaryUsage); err != nil {
-		return err
-	}
-	return q.db.ResetBoundaryUsageStats(ctx)
-}
-
 func (q *querier) RevokeDBCryptKey(ctx context.Context, activeKeyDigest string) error {
 	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
 		return err
@@ -5726,6 +5720,19 @@ func (q *querier) UpdateWorkspaceAgentConnectionByID(ctx context.Context, arg da
 	return q.db.UpdateWorkspaceAgentConnectionByID(ctx, arg)
 }
 
+func (q *querier) UpdateWorkspaceAgentDisplayAppsByID(ctx context.Context, arg database.UpdateWorkspaceAgentDisplayAppsByIDParams) error {
+	workspace, err := q.db.GetWorkspaceByAgentID(ctx, arg.ID)
+	if err != nil {
+		return err
+	}
+
+	if err := q.authorizeContext(ctx, policy.ActionUpdateAgent, workspace); err != nil {
+		return err
+	}
+
+	return q.db.UpdateWorkspaceAgentDisplayAppsByID(ctx, arg)
+}
+
 func (q *querier) UpdateWorkspaceAgentLifecycleStateByID(ctx context.Context, arg database.UpdateWorkspaceAgentLifecycleStateByIDParams) error {
 	workspace, err := q.db.GetWorkspaceByAgentID(ctx, arg.ID)
 	if err != nil {

coderd/database/dbauthz/dbauthz_test.go

@@ -277,11 +277,6 @@ func (s *MethodTestSuite) TestAPIKey() {
 		dbm.EXPECT().DeleteApplicationConnectAPIKeysByUserID(gomock.Any(), a.UserID).Return(nil).AnyTimes()
 		check.Args(a.UserID).Asserts(rbac.ResourceApiKey.WithOwner(a.UserID.String()), policy.ActionDelete).Returns()
 	}))
-	s.Run("DeleteBoundaryUsageStatsByReplicaID", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
-		replicaID := uuid.New()
-		dbm.EXPECT().DeleteBoundaryUsageStatsByReplicaID(gomock.Any(), replicaID).Return(nil).AnyTimes()
-		check.Args(replicaID).Asserts(rbac.ResourceBoundaryUsage, policy.ActionDelete)
-	}))
 	s.Run("DeleteExternalAuthLink", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
 		a := testutil.Fake(s.T(), faker, database.ExternalAuthLink{})
 		dbm.EXPECT().GetExternalAuthLink(gomock.Any(), database.GetExternalAuthLinkParams{ProviderID: a.ProviderID, UserID: a.UserID}).Return(a, nil).AnyTimes()
@@ -532,9 +527,9 @@ func (s *MethodTestSuite) TestGroup() {
 		dbm.EXPECT().RemoveUserFromGroups(gomock.Any(), arg).Return(slice.New(g1.ID, g2.ID), nil).AnyTimes()
 		check.Args(arg).Asserts(rbac.ResourceSystem, policy.ActionUpdate).Returns(slice.New(g1.ID, g2.ID))
 	}))
-	s.Run("ResetBoundaryUsageStats", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
-		dbm.EXPECT().ResetBoundaryUsageStats(gomock.Any()).Return(nil).AnyTimes()
-		check.Args().Asserts(rbac.ResourceBoundaryUsage, policy.ActionDelete)
+	s.Run("GetAndResetBoundaryUsageSummary", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
+		dbm.EXPECT().GetAndResetBoundaryUsageSummary(gomock.Any(), int64(1000)).Return(database.GetAndResetBoundaryUsageSummaryRow{}, nil).AnyTimes()
+		check.Args(int64(1000)).Asserts(rbac.ResourceBoundaryUsage, policy.ActionDelete)
 	}))
 
 	s.Run("UpdateGroupByID", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
@@ -1929,6 +1924,17 @@ func (s *MethodTestSuite) TestWorkspace() {
 		dbm.EXPECT().UpdateWorkspaceAgentStartupByID(gomock.Any(), arg).Return(nil).AnyTimes()
 		check.Args(arg).Asserts(w, policy.ActionUpdate).Returns()
 	}))
+	s.Run("UpdateWorkspaceAgentDisplayAppsByID", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
+		w := testutil.Fake(s.T(), faker, database.Workspace{})
+		agt := testutil.Fake(s.T(), faker, database.WorkspaceAgent{})
+		arg := database.UpdateWorkspaceAgentDisplayAppsByIDParams{
+			ID:          agt.ID,
+			DisplayApps: []database.DisplayApp{database.DisplayAppVscode},
+		}
+		dbm.EXPECT().GetWorkspaceByAgentID(gomock.Any(), agt.ID).Return(w, nil).AnyTimes()
+		dbm.EXPECT().UpdateWorkspaceAgentDisplayAppsByID(gomock.Any(), arg).Return(nil).AnyTimes()
+		check.Args(arg).Asserts(w, policy.ActionUpdateAgent).Returns()
+	}))
 	s.Run("GetWorkspaceAgentLogsAfter", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
 		ws := testutil.Fake(s.T(), faker, database.Workspace{})
 		agt := testutil.Fake(s.T(), faker, database.WorkspaceAgent{})
@@ -2030,6 +2036,18 @@ func (s *MethodTestSuite) TestWorkspace() {
 		dbm.EXPECT().GetWorkspaceByID(gomock.Any(), build.WorkspaceID).Return(ws, nil).AnyTimes()
 		check.Args(res.ID).Asserts(ws, policy.ActionRead).Returns(res)
 	}))
+	s.Run("GetWorkspaceBuildMetricsByResourceID", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
+		ws := testutil.Fake(s.T(), faker, database.Workspace{})
+		build := testutil.Fake(s.T(), faker, database.WorkspaceBuild{WorkspaceID: ws.ID})
+		job := testutil.Fake(s.T(), faker, database.ProvisionerJob{ID: build.JobID, Type: database.ProvisionerJobTypeWorkspaceBuild})
+		res := testutil.Fake(s.T(), faker, database.WorkspaceResource{JobID: build.JobID})
+		dbm.EXPECT().GetWorkspaceResourceByID(gomock.Any(), res.ID).Return(res, nil).AnyTimes()
+		dbm.EXPECT().GetProvisionerJobByID(gomock.Any(), res.JobID).Return(job, nil).AnyTimes()
+		dbm.EXPECT().GetWorkspaceBuildByJobID(gomock.Any(), res.JobID).Return(build, nil).AnyTimes()
+		dbm.EXPECT().GetWorkspaceByID(gomock.Any(), build.WorkspaceID).Return(ws, nil).AnyTimes()
+		dbm.EXPECT().GetWorkspaceBuildMetricsByResourceID(gomock.Any(), res.ID).Return(database.GetWorkspaceBuildMetricsByResourceIDRow{}, nil).AnyTimes()
+		check.Args(res.ID).Asserts(ws, policy.ActionRead).Returns(database.GetWorkspaceBuildMetricsByResourceIDRow{})
+	}))
 	s.Run("Build/GetWorkspaceResourcesByJobID", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
 		ws := testutil.Fake(s.T(), faker, database.Workspace{})
 		build := testutil.Fake(s.T(), faker, database.WorkspaceBuild{WorkspaceID: ws.ID})
@@ -2506,8 +2524,8 @@ func (s *MethodTestSuite) TestTasks() {
 			DeletedAt: dbtime.Now(),
 		}
 		dbm.EXPECT().GetTaskByID(gomock.Any(), task.ID).Return(task, nil).AnyTimes()
-		dbm.EXPECT().DeleteTask(gomock.Any(), arg).Return(database.TaskTable{}, nil).AnyTimes()
-		check.Args(arg).Asserts(task, policy.ActionDelete).Returns(database.TaskTable{})
+		dbm.EXPECT().DeleteTask(gomock.Any(), arg).Return(task.ID, nil).AnyTimes()
+		check.Args(arg).Asserts(task, policy.ActionDelete).Returns(task.ID)
 	}))
 	s.Run("InsertTask", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
 		tpl := testutil.Fake(s.T(), faker, database.Template{})
@@ -2980,10 +2998,6 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 		dbm.EXPECT().GetAuthorizationUserRoles(gomock.Any(), u.ID).Return(database.GetAuthorizationUserRolesRow{}, nil).AnyTimes()
 		check.Args(u.ID).Asserts(rbac.ResourceSystem, policy.ActionRead)
 	}))
-	s.Run("GetBoundaryUsageSummary", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
-		dbm.EXPECT().GetBoundaryUsageSummary(gomock.Any(), int64(1000)).Return(database.GetBoundaryUsageSummaryRow{}, nil).AnyTimes()
-		check.Args(int64(1000)).Asserts(rbac.ResourceBoundaryUsage, policy.ActionRead)
-	}))
 	s.Run("GetDERPMeshKey", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
 		dbm.EXPECT().GetDERPMeshKey(gomock.Any()).Return("testing", nil).AnyTimes()
 		check.Args().Asserts(rbac.ResourceSystem, policy.ActionRead)

coderd/database/dbfake/dbfake.go

@@ -58,6 +58,61 @@ type WorkspaceBuildBuilder struct {
 	jobStatus  database.ProvisionerJobStatus
 	taskAppID  uuid.UUID
 	taskSeed   database.TaskTable
+
+	// Individual timestamp fields for job customization.
+	jobCreatedAt   time.Time
+	jobStartedAt   time.Time
+	jobUpdatedAt   time.Time
+	jobCompletedAt time.Time
+
+	jobError     string // Error message for failed jobs
+	jobErrorCode string // Error code for failed jobs
+}
+
+// BuilderOption is a functional option for customizing job timestamps
+// on status methods.
+type BuilderOption func(*WorkspaceBuildBuilder)
+
+// WithJobCreatedAt sets the CreatedAt timestamp for the provisioner job.
+func WithJobCreatedAt(t time.Time) BuilderOption {
+	return func(b *WorkspaceBuildBuilder) {
+		b.jobCreatedAt = t
+	}
+}
+
+// WithJobStartedAt sets the StartedAt timestamp for the provisioner job.
+func WithJobStartedAt(t time.Time) BuilderOption {
+	return func(b *WorkspaceBuildBuilder) {
+		b.jobStartedAt = t
+	}
+}
+
+// WithJobUpdatedAt sets the UpdatedAt timestamp for the provisioner job.
+func WithJobUpdatedAt(t time.Time) BuilderOption {
+	return func(b *WorkspaceBuildBuilder) {
+		b.jobUpdatedAt = t
+	}
+}
+
+// WithJobCompletedAt sets the CompletedAt timestamp for the provisioner job.
+func WithJobCompletedAt(t time.Time) BuilderOption {
+	return func(b *WorkspaceBuildBuilder) {
+		b.jobCompletedAt = t
+	}
+}
+
+// WithJobError sets the error message for the provisioner job.
+func WithJobError(msg string) BuilderOption {
+	return func(b *WorkspaceBuildBuilder) {
+		b.jobError = msg
+	}
+}
+
+// WithJobErrorCode sets the error code for the provisioner job.
+func WithJobErrorCode(code string) BuilderOption {
+	return func(b *WorkspaceBuildBuilder) {
+		b.jobErrorCode = code
+	}
 }
 
 // WorkspaceBuild generates a workspace build for the provided workspace.
@@ -141,18 +196,59 @@ func (b WorkspaceBuildBuilder) WithTask(taskSeed database.TaskTable, appSeed *sd
 	})
 }
 
-func (b WorkspaceBuildBuilder) Starting() WorkspaceBuildBuilder {
+// Starting sets the job to running status.
+func (b WorkspaceBuildBuilder) Starting(opts ...BuilderOption) WorkspaceBuildBuilder {
+	//nolint: revive // returns modified struct
 	b.jobStatus = database.ProvisionerJobStatusRunning
+	for _, opt := range opts {
+		opt(&b)
+	}
 	return b
 }
 
-func (b WorkspaceBuildBuilder) Pending() WorkspaceBuildBuilder {
+// Pending sets the job to pending status.
+func (b WorkspaceBuildBuilder) Pending(opts ...BuilderOption) WorkspaceBuildBuilder {
+	//nolint: revive // returns modified struct
 	b.jobStatus = database.ProvisionerJobStatusPending
+	for _, opt := range opts {
+		opt(&b)
+	}
 	return b
 }
 
-func (b WorkspaceBuildBuilder) Canceled() WorkspaceBuildBuilder {
+// Canceled sets the job to canceled status.
+func (b WorkspaceBuildBuilder) Canceled(opts ...BuilderOption) WorkspaceBuildBuilder {
+	//nolint: revive // returns modified struct
 	b.jobStatus = database.ProvisionerJobStatusCanceled
+	for _, opt := range opts {
+		opt(&b)
+	}
+	return b
+}
+
+// Succeeded sets the job to succeeded status.
+// This is the default status.
+func (b WorkspaceBuildBuilder) Succeeded(opts ...BuilderOption) WorkspaceBuildBuilder {
+	//nolint: revive // returns modified struct
+	b.jobStatus = database.ProvisionerJobStatusSucceeded
+	for _, opt := range opts {
+		opt(&b)
+	}
+	return b
+}
+
+// Failed sets the provisioner job to a failed state. Use WithJobError and
+// WithJobErrorCode options to set the error message and code. If no error
+// message is provided, "failed" is used as the default.
+func (b WorkspaceBuildBuilder) Failed(opts ...BuilderOption) WorkspaceBuildBuilder {
+	//nolint: revive // returns modified struct
+	b.jobStatus = database.ProvisionerJobStatusFailed
+	for _, opt := range opts {
+		opt(&b)
+	}
+	if b.jobError == "" {
+		b.jobError = "failed"
+	}
 	return b
 }
 
@@ -267,8 +363,8 @@ func (b WorkspaceBuildBuilder) doInTX() WorkspaceResponse {
 
 	job, err := b.db.InsertProvisionerJob(ownerCtx, database.InsertProvisionerJobParams{
 		ID:             jobID,
-		CreatedAt:      dbtime.Now(),
-		UpdatedAt:      dbtime.Now(),
+		CreatedAt:      takeFirstTime(b.jobCreatedAt, b.ws.CreatedAt, dbtime.Now()),
+		UpdatedAt:      takeFirstTime(b.jobCreatedAt, b.ws.CreatedAt, dbtime.Now()),
 		OrganizationID: b.ws.OrganizationID,
 		InitiatorID:    b.ws.OwnerID,
 		Provisioner:    database.ProvisionerTypeEcho,
@@ -291,11 +387,12 @@ func (b WorkspaceBuildBuilder) doInTX() WorkspaceResponse {
 		// might need to do this multiple times if we got a template version
 		// import job as well
 		b.logger.Debug(context.Background(), "looping to acquire provisioner job")
+		startedAt := takeFirstTime(b.jobStartedAt, dbtime.Now())
 		for {
 			j, err := b.db.AcquireProvisionerJob(ownerCtx, database.AcquireProvisionerJobParams{
 				OrganizationID: job.OrganizationID,
 				StartedAt: sql.NullTime{
-					Time:  dbtime.Now(),
+					Time:  startedAt,
 					Valid: true,
 				},
 				WorkerID: uuid.NullUUID{
@@ -311,32 +408,54 @@ func (b WorkspaceBuildBuilder) doInTX() WorkspaceResponse {
 				break
 			}
 		}
+		if !b.jobUpdatedAt.IsZero() {
+			err = b.db.UpdateProvisionerJobByID(ownerCtx, database.UpdateProvisionerJobByIDParams{
+				ID:        job.ID,
+				UpdatedAt: b.jobUpdatedAt,
+			})
+			require.NoError(b.t, err, "update job updated_at")
+		}
 	case database.ProvisionerJobStatusCanceled:
 		// Set provisioner job status to 'canceled'
 		b.logger.Debug(context.Background(), "canceling the provisioner job")
-		now := dbtime.Now()
+		completedAt := takeFirstTime(b.jobCompletedAt, dbtime.Now())
 		err = b.db.UpdateProvisionerJobWithCancelByID(ownerCtx, database.UpdateProvisionerJobWithCancelByIDParams{
 			ID: jobID,
 			CanceledAt: sql.NullTime{
-				Time:  now,
+				Time:  completedAt,
 				Valid: true,
 			},
 			CompletedAt: sql.NullTime{
-				Time:  now,
+				Time:  completedAt,
 				Valid: true,
 			},
 		})
 		require.NoError(b.t, err, "cancel job")
+	case database.ProvisionerJobStatusFailed:
+		b.logger.Debug(context.Background(), "failing the provisioner job")
+		completedAt := takeFirstTime(b.jobCompletedAt, dbtime.Now())
+		err = b.db.UpdateProvisionerJobWithCompleteByID(ownerCtx, database.UpdateProvisionerJobWithCompleteByIDParams{
+			ID:        job.ID,
+			UpdatedAt: completedAt,
+			Error:     sql.NullString{String: b.jobError, Valid: b.jobError != ""},
+			ErrorCode: sql.NullString{String: b.jobErrorCode, Valid: b.jobErrorCode != ""},
+			CompletedAt: sql.NullTime{
+				Time:  completedAt,
+				Valid: true,
+			},
+		})
+		require.NoError(b.t, err, "fail job")
 	default:
 		// By default, consider jobs in 'succeeded' status
 		b.logger.Debug(context.Background(), "completing the provisioner job")
+		completedAt := takeFirstTime(b.jobCompletedAt, dbtime.Now())
 		err = b.db.UpdateProvisionerJobWithCompleteByID(ownerCtx, database.UpdateProvisionerJobWithCompleteByIDParams{
 			ID:        job.ID,
-			UpdatedAt: dbtime.Now(),
+			UpdatedAt: completedAt,
 			Error:     sql.NullString{},
 			ErrorCode: sql.NullString{},
 			CompletedAt: sql.NullTime{
-				Time:  dbtime.Now(),
+				Time:  completedAt,
 				Valid: true,
 			},
 		})
@@ -751,6 +870,16 @@ func takeFirst[Value comparable](values ...Value) Value {
 	})
 }
 
+// takeFirstTime returns the first non-zero time.Time.
+func takeFirstTime(values ...time.Time) time.Time {
+	for _, v := range values {
+		if !v.IsZero() {
+			return v
+		}
+	}
+	return time.Time{}
+}
+
 // mustWorkspaceAppByWorkspaceAndBuildAndAppID finds a workspace app by
 // workspace ID, build number, and app ID. It returns the workspace app
 // if found, otherwise fails the test.

coderd/database/dbmetrics/querymetrics.go

@@ -335,14 +335,6 @@ func (m queryMetricsStore) DeleteApplicationConnectAPIKeysByUserID(ctx context.C
 	return r0
 }
 
-func (m queryMetricsStore) DeleteBoundaryUsageStatsByReplicaID(ctx context.Context, replicaID uuid.UUID) error {
-	start := time.Now()
-	r0 := m.s.DeleteBoundaryUsageStatsByReplicaID(ctx, replicaID)
-	m.queryLatencies.WithLabelValues("DeleteBoundaryUsageStatsByReplicaID").Observe(time.Since(start).Seconds())
-	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "DeleteBoundaryUsageStatsByReplicaID").Inc()
-	return r0
-}
-
 func (m queryMetricsStore) DeleteCryptoKey(ctx context.Context, arg database.DeleteCryptoKeyParams) (database.CryptoKey, error) {
 	start := time.Now()
 	r0, r1 := m.s.DeleteCryptoKey(ctx, arg)
@@ -575,7 +567,7 @@ func (m queryMetricsStore) DeleteTailnetTunnel(ctx context.Context, arg database
 	return r0, r1
 }
 
-func (m queryMetricsStore) DeleteTask(ctx context.Context, arg database.DeleteTaskParams) (database.TaskTable, error) {
+func (m queryMetricsStore) DeleteTask(ctx context.Context, arg database.DeleteTaskParams) (uuid.UUID, error) {
 	start := time.Now()
 	r0, r1 := m.s.DeleteTask(ctx, arg)
 	m.queryLatencies.WithLabelValues("DeleteTask").Observe(time.Since(start).Seconds())
@@ -854,6 +846,14 @@ func (m queryMetricsStore) GetAllTailnetTunnels(ctx context.Context) ([]database
 	return r0, r1
 }
 
+func (m queryMetricsStore) GetAndResetBoundaryUsageSummary(ctx context.Context, maxStalenessMs int64) (database.GetAndResetBoundaryUsageSummaryRow, error) {
+	start := time.Now()
+	r0, r1 := m.s.GetAndResetBoundaryUsageSummary(ctx, maxStalenessMs)
+	m.queryLatencies.WithLabelValues("GetAndResetBoundaryUsageSummary").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "GetAndResetBoundaryUsageSummary").Inc()
+	return r0, r1
+}
+
 func (m queryMetricsStore) GetAnnouncementBanners(ctx context.Context) (string, error) {
 	start := time.Now()
 	r0, r1 := m.s.GetAnnouncementBanners(ctx)
@@ -902,14 +902,6 @@ func (m queryMetricsStore) GetAuthorizationUserRoles(ctx context.Context, userID
 	return r0, r1
 }
 
-func (m queryMetricsStore) GetBoundaryUsageSummary(ctx context.Context, maxStalenessMs int64) (database.GetBoundaryUsageSummaryRow, error) {
-	start := time.Now()
-	r0, r1 := m.s.GetBoundaryUsageSummary(ctx, maxStalenessMs)
-	m.queryLatencies.WithLabelValues("GetBoundaryUsageSummary").Observe(time.Since(start).Seconds())
-	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "GetBoundaryUsageSummary").Inc()
-	return r0, r1
-}
-
 func (m queryMetricsStore) GetConnectionLogsOffset(ctx context.Context, arg database.GetConnectionLogsOffsetParams) ([]database.GetConnectionLogsOffsetRow, error) {
 	start := time.Now()
 	r0, r1 := m.s.GetConnectionLogsOffset(ctx, arg)
@@ -2414,6 +2406,14 @@ func (m queryMetricsStore) GetWorkspaceBuildByWorkspaceIDAndBuildNumber(ctx cont
 	return r0, r1
 }
 
+func (m queryMetricsStore) GetWorkspaceBuildMetricsByResourceID(ctx context.Context, id uuid.UUID) (database.GetWorkspaceBuildMetricsByResourceIDRow, error) {
+	start := time.Now()
+	r0, r1 := m.s.GetWorkspaceBuildMetricsByResourceID(ctx, id)
+	m.queryLatencies.WithLabelValues("GetWorkspaceBuildMetricsByResourceID").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "GetWorkspaceBuildMetricsByResourceID").Inc()
+	return r0, r1
+}
+
 func (m queryMetricsStore) GetWorkspaceBuildParameters(ctx context.Context, workspaceBuildID uuid.UUID) ([]database.WorkspaceBuildParameter, error) {
 	start := time.Now()
 	r0, r1 := m.s.GetWorkspaceBuildParameters(ctx, workspaceBuildID)
@@ -3334,14 +3334,6 @@ func (m queryMetricsStore) RemoveUserFromGroups(ctx context.Context, arg databas
 	return r0, r1
 }
 
-func (m queryMetricsStore) ResetBoundaryUsageStats(ctx context.Context) error {
-	start := time.Now()
-	r0 := m.s.ResetBoundaryUsageStats(ctx)
-	m.queryLatencies.WithLabelValues("ResetBoundaryUsageStats").Observe(time.Since(start).Seconds())
-	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "ResetBoundaryUsageStats").Inc()
-	return r0
-}
-
 func (m queryMetricsStore) RevokeDBCryptKey(ctx context.Context, activeKeyDigest string) error {
 	start := time.Now()
 	r0 := m.s.RevokeDBCryptKey(ctx, activeKeyDigest)
@@ -3909,6 +3901,14 @@ func (m queryMetricsStore) UpdateWorkspaceAgentConnectionByID(ctx context.Contex
 	return r0
 }
 
+func (m queryMetricsStore) UpdateWorkspaceAgentDisplayAppsByID(ctx context.Context, arg database.UpdateWorkspaceAgentDisplayAppsByIDParams) error {
+	start := time.Now()
+	r0 := m.s.UpdateWorkspaceAgentDisplayAppsByID(ctx, arg)
+	m.queryLatencies.WithLabelValues("UpdateWorkspaceAgentDisplayAppsByID").Observe(time.Since(start).Seconds())
+	m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "UpdateWorkspaceAgentDisplayAppsByID").Inc()
+	return r0
+}
+
 func (m queryMetricsStore) UpdateWorkspaceAgentLifecycleStateByID(ctx context.Context, arg database.UpdateWorkspaceAgentLifecycleStateByIDParams) error {
 	start := time.Now()
 	r0 := m.s.UpdateWorkspaceAgentLifecycleStateByID(ctx, arg)

coderd/database/dbmock/dbmock.go

@@ -511,20 +511,6 @@ func (mr *MockStoreMockRecorder) DeleteApplicationConnectAPIKeysByUserID(ctx, us
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteApplicationConnectAPIKeysByUserID", reflect.TypeOf((*MockStore)(nil).DeleteApplicationConnectAPIKeysByUserID), ctx, userID)
 }
 
-// DeleteBoundaryUsageStatsByReplicaID mocks base method.
-func (m *MockStore) DeleteBoundaryUsageStatsByReplicaID(ctx context.Context, replicaID uuid.UUID) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DeleteBoundaryUsageStatsByReplicaID", ctx, replicaID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// DeleteBoundaryUsageStatsByReplicaID indicates an expected call of DeleteBoundaryUsageStatsByReplicaID.
-func (mr *MockStoreMockRecorder) DeleteBoundaryUsageStatsByReplicaID(ctx, replicaID any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteBoundaryUsageStatsByReplicaID", reflect.TypeOf((*MockStore)(nil).DeleteBoundaryUsageStatsByReplicaID), ctx, replicaID)
-}
-
 // DeleteCryptoKey mocks base method.
 func (m *MockStore) DeleteCryptoKey(ctx context.Context, arg database.DeleteCryptoKeyParams) (database.CryptoKey, error) {
 	m.ctrl.T.Helper()
@@ -941,10 +927,10 @@ func (mr *MockStoreMockRecorder) DeleteTailnetTunnel(ctx, arg any) *gomock.Call
 }
 
 // DeleteTask mocks base method.
-func (m *MockStore) DeleteTask(ctx context.Context, arg database.DeleteTaskParams) (database.TaskTable, error) {
+func (m *MockStore) DeleteTask(ctx context.Context, arg database.DeleteTaskParams) (uuid.UUID, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "DeleteTask", ctx, arg)
-	ret0, _ := ret[0].(database.TaskTable)
+	ret0, _ := ret[0].(uuid.UUID)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
@@ -1453,6 +1439,21 @@ func (mr *MockStoreMockRecorder) GetAllTailnetTunnels(ctx any) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllTailnetTunnels", reflect.TypeOf((*MockStore)(nil).GetAllTailnetTunnels), ctx)
 }
 
+// GetAndResetBoundaryUsageSummary mocks base method.
+func (m *MockStore) GetAndResetBoundaryUsageSummary(ctx context.Context, maxStalenessMs int64) (database.GetAndResetBoundaryUsageSummaryRow, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetAndResetBoundaryUsageSummary", ctx, maxStalenessMs)
+	ret0, _ := ret[0].(database.GetAndResetBoundaryUsageSummaryRow)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetAndResetBoundaryUsageSummary indicates an expected call of GetAndResetBoundaryUsageSummary.
+func (mr *MockStoreMockRecorder) GetAndResetBoundaryUsageSummary(ctx, maxStalenessMs any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAndResetBoundaryUsageSummary", reflect.TypeOf((*MockStore)(nil).GetAndResetBoundaryUsageSummary), ctx, maxStalenessMs)
+}
+
 // GetAnnouncementBanners mocks base method.
 func (m *MockStore) GetAnnouncementBanners(ctx context.Context) (string, error) {
 	m.ctrl.T.Helper()
@@ -1648,21 +1649,6 @@ func (mr *MockStoreMockRecorder) GetAuthorizedWorkspacesAndAgentsByOwnerID(ctx,
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAuthorizedWorkspacesAndAgentsByOwnerID", reflect.TypeOf((*MockStore)(nil).GetAuthorizedWorkspacesAndAgentsByOwnerID), ctx, ownerID, prepared)
 }
 
-// GetBoundaryUsageSummary mocks base method.
-func (m *MockStore) GetBoundaryUsageSummary(ctx context.Context, maxStalenessMs int64) (database.GetBoundaryUsageSummaryRow, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetBoundaryUsageSummary", ctx, maxStalenessMs)
-	ret0, _ := ret[0].(database.GetBoundaryUsageSummaryRow)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetBoundaryUsageSummary indicates an expected call of GetBoundaryUsageSummary.
-func (mr *MockStoreMockRecorder) GetBoundaryUsageSummary(ctx, maxStalenessMs any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetBoundaryUsageSummary", reflect.TypeOf((*MockStore)(nil).GetBoundaryUsageSummary), ctx, maxStalenessMs)
-}
-
 // GetConnectionLogsOffset mocks base method.
 func (m *MockStore) GetConnectionLogsOffset(ctx context.Context, arg database.GetConnectionLogsOffsetParams) ([]database.GetConnectionLogsOffsetRow, error) {
 	m.ctrl.T.Helper()
@@ -4513,6 +4499,21 @@ func (mr *MockStoreMockRecorder) GetWorkspaceBuildByWorkspaceIDAndBuildNumber(ct
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetWorkspaceBuildByWorkspaceIDAndBuildNumber", reflect.TypeOf((*MockStore)(nil).GetWorkspaceBuildByWorkspaceIDAndBuildNumber), ctx, arg)
 }
 
+// GetWorkspaceBuildMetricsByResourceID mocks base method.
+func (m *MockStore) GetWorkspaceBuildMetricsByResourceID(ctx context.Context, id uuid.UUID) (database.GetWorkspaceBuildMetricsByResourceIDRow, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetWorkspaceBuildMetricsByResourceID", ctx, id)
+	ret0, _ := ret[0].(database.GetWorkspaceBuildMetricsByResourceIDRow)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetWorkspaceBuildMetricsByResourceID indicates an expected call of GetWorkspaceBuildMetricsByResourceID.
+func (mr *MockStoreMockRecorder) GetWorkspaceBuildMetricsByResourceID(ctx, id any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetWorkspaceBuildMetricsByResourceID", reflect.TypeOf((*MockStore)(nil).GetWorkspaceBuildMetricsByResourceID), ctx, id)
+}
+
 // GetWorkspaceBuildParameters mocks base method.
 func (m *MockStore) GetWorkspaceBuildParameters(ctx context.Context, workspaceBuildID uuid.UUID) ([]database.WorkspaceBuildParameter, error) {
 	m.ctrl.T.Helper()
@@ -6278,20 +6279,6 @@ func (mr *MockStoreMockRecorder) RemoveUserFromGroups(ctx, arg any) *gomock.Call
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveUserFromGroups", reflect.TypeOf((*MockStore)(nil).RemoveUserFromGroups), ctx, arg)
 }
 
-// ResetBoundaryUsageStats mocks base method.
-func (m *MockStore) ResetBoundaryUsageStats(ctx context.Context) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ResetBoundaryUsageStats", ctx)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// ResetBoundaryUsageStats indicates an expected call of ResetBoundaryUsageStats.
-func (mr *MockStoreMockRecorder) ResetBoundaryUsageStats(ctx any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResetBoundaryUsageStats", reflect.TypeOf((*MockStore)(nil).ResetBoundaryUsageStats), ctx)
-}
-
 // RevokeDBCryptKey mocks base method.
 func (m *MockStore) RevokeDBCryptKey(ctx context.Context, activeKeyDigest string) error {
 	m.ctrl.T.Helper()
@@ -7321,6 +7308,20 @@ func (mr *MockStoreMockRecorder) UpdateWorkspaceAgentConnectionByID(ctx, arg any
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateWorkspaceAgentConnectionByID", reflect.TypeOf((*MockStore)(nil).UpdateWorkspaceAgentConnectionByID), ctx, arg)
 }
 
+// UpdateWorkspaceAgentDisplayAppsByID mocks base method.
+func (m *MockStore) UpdateWorkspaceAgentDisplayAppsByID(ctx context.Context, arg database.UpdateWorkspaceAgentDisplayAppsByIDParams) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateWorkspaceAgentDisplayAppsByID", ctx, arg)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// UpdateWorkspaceAgentDisplayAppsByID indicates an expected call of UpdateWorkspaceAgentDisplayAppsByID.
+func (mr *MockStoreMockRecorder) UpdateWorkspaceAgentDisplayAppsByID(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateWorkspaceAgentDisplayAppsByID", reflect.TypeOf((*MockStore)(nil).UpdateWorkspaceAgentDisplayAppsByID), ctx, arg)
+}
+
 // UpdateWorkspaceAgentLifecycleStateByID mocks base method.
 func (m *MockStore) UpdateWorkspaceAgentLifecycleStateByID(ctx context.Context, arg database.UpdateWorkspaceAgentLifecycleStateByIDParams) error {
 	m.ctrl.T.Helper()

coderd/database/dump.sql

@@ -208,7 +208,9 @@ CREATE TYPE api_key_scope AS ENUM (
     'boundary_usage:*',
     'boundary_usage:delete',
     'boundary_usage:read',
-    'boundary_usage:update'
+    'boundary_usage:update',
+    'workspace:update_agent',
+    'workspace_dormant:update_agent'
 );
 
 CREATE TYPE app_sharing_level AS ENUM (
@@ -2002,7 +2004,7 @@ CREATE VIEW tasks_with_status AS
                     WHEN (latest_build_raw.job_status IS NULL) THEN 'pending'::task_status
                     WHEN (latest_build_raw.job_status = ANY (ARRAY['failed'::provisioner_job_status, 'canceling'::provisioner_job_status, 'canceled'::provisioner_job_status])) THEN 'error'::task_status
                     WHEN ((latest_build_raw.transition = ANY (ARRAY['stop'::workspace_transition, 'delete'::workspace_transition])) AND (latest_build_raw.job_status = 'succeeded'::provisioner_job_status)) THEN 'paused'::task_status
-                    WHEN ((latest_build_raw.transition = 'start'::workspace_transition) AND (latest_build_raw.job_status = 'pending'::provisioner_job_status)) THEN 'initializing'::task_status
+                    WHEN ((latest_build_raw.transition = 'start'::workspace_transition) AND (latest_build_raw.job_status = 'pending'::provisioner_job_status)) THEN 'pending'::task_status
                     WHEN ((latest_build_raw.transition = 'start'::workspace_transition) AND (latest_build_raw.job_status = ANY (ARRAY['running'::provisioner_job_status, 'succeeded'::provisioner_job_status]))) THEN 'active'::task_status
                     ELSE 'unknown'::task_status
                 END AS status) build_status)
@@ -2288,7 +2290,8 @@ CREATE TABLE templates (
     activity_bump bigint DEFAULT '3600000000000'::bigint NOT NULL,
     max_port_sharing_level app_sharing_level DEFAULT 'owner'::app_sharing_level NOT NULL,
     use_classic_parameter_flow boolean DEFAULT false NOT NULL,
-    cors_behavior cors_behavior DEFAULT 'simple'::cors_behavior NOT NULL
+    cors_behavior cors_behavior DEFAULT 'simple'::cors_behavior NOT NULL,
+    disable_module_cache boolean DEFAULT false NOT NULL
 );
 
 COMMENT ON COLUMN templates.default_ttl IS 'The default duration for autostop for workspaces created from this template.';
@@ -2342,6 +2345,7 @@ CREATE VIEW template_with_names AS
     templates.max_port_sharing_level,
     templates.use_classic_parameter_flow,
     templates.cors_behavior,
+    templates.disable_module_cache,
     COALESCE(visible_users.avatar_url, ''::text) AS created_by_avatar_url,
     COALESCE(visible_users.username, ''::text) AS created_by_username,
     COALESCE(visible_users.name, ''::text) AS created_by_name,

coderd/database/lock.go

@@ -14,6 +14,7 @@ const (
 	LockIDCryptoKeyRotation
 	LockIDReconcilePrebuilds
 	LockIDReconcileSystemRoles
+	LockIDBoundaryUsageStats
 )
 
 // GenLockID generates a unique and consistent lock ID from a given string.

coderd/database/migrations/000414_add_update_agent_api_key_scope.down.sql

@@ -0,0 +1 @@
+-- No-op for update agent scopes: keep enum values to avoid dependency churn.

coderd/database/migrations/000414_add_update_agent_api_key_scope.up.sql

@@ -0,0 +1,2 @@
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'workspace:update_agent';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'workspace_dormant:update_agent';

coderd/database/migrations/000415_fix_task_pending_status.down.sql

@@ -0,0 +1,142 @@
+-- Update task status in view.
+DROP VIEW IF EXISTS tasks_with_status;
+
+CREATE VIEW
+	tasks_with_status
+AS
+	SELECT
+		tasks.*,
+		-- Combine component statuses with precedence: build -> agent -> app.
+		CASE
+			WHEN tasks.workspace_id IS NULL THEN 'pending'::task_status
+			WHEN build_status.status != 'active' THEN build_status.status::task_status
+			WHEN agent_status.status != 'active' THEN agent_status.status::task_status
+			ELSE app_status.status::task_status
+		END AS status,
+		-- Attach debug information for troubleshooting status.
+		jsonb_build_object(
+			'build', jsonb_build_object(
+				'transition', latest_build_raw.transition,
+				'job_status', latest_build_raw.job_status,
+				'computed', build_status.status
+			),
+			'agent', jsonb_build_object(
+				'lifecycle_state', agent_raw.lifecycle_state,
+				'computed', agent_status.status
+			),
+			'app', jsonb_build_object(
+				'health', app_raw.health,
+				'computed', app_status.status
+			)
+		) AS status_debug,
+		task_app.*,
+		agent_raw.lifecycle_state AS workspace_agent_lifecycle_state,
+		app_raw.health AS workspace_app_health,
+		task_owner.*
+	FROM
+		tasks
+	CROSS JOIN LATERAL (
+		SELECT
+			vu.username AS owner_username,
+			vu.name AS owner_name,
+			vu.avatar_url AS owner_avatar_url
+		FROM
+			visible_users vu
+		WHERE
+			vu.id = tasks.owner_id
+	) task_owner
+	LEFT JOIN LATERAL (
+		SELECT
+			task_app.workspace_build_number,
+			task_app.workspace_agent_id,
+			task_app.workspace_app_id
+		FROM
+			task_workspace_apps task_app
+		WHERE
+			task_id = tasks.id
+		ORDER BY
+			task_app.workspace_build_number DESC
+		LIMIT 1
+	) task_app ON TRUE
+
+	-- Join the raw data for computing task status.
+	LEFT JOIN LATERAL (
+		SELECT
+			workspace_build.transition,
+			provisioner_job.job_status,
+			workspace_build.job_id
+		FROM
+			workspace_builds workspace_build
+		JOIN
+			provisioner_jobs provisioner_job
+			ON provisioner_job.id = workspace_build.job_id
+		WHERE
+			workspace_build.workspace_id = tasks.workspace_id
+			AND workspace_build.build_number = task_app.workspace_build_number
+	) latest_build_raw ON TRUE
+	LEFT JOIN LATERAL (
+		SELECT
+			workspace_agent.lifecycle_state
+		FROM
+			workspace_agents workspace_agent
+		WHERE
+			workspace_agent.id = task_app.workspace_agent_id
+	) agent_raw ON TRUE
+	LEFT JOIN LATERAL (
+		SELECT
+			workspace_app.health
+		FROM
+			workspace_apps workspace_app
+		WHERE
+			workspace_app.id = task_app.workspace_app_id
+	) app_raw ON TRUE
+
+	-- Compute the status for each component.
+	CROSS JOIN LATERAL (
+		SELECT
+			CASE
+				WHEN latest_build_raw.job_status IS NULL THEN 'pending'::task_status
+				WHEN latest_build_raw.job_status IN ('failed', 'canceling', 'canceled') THEN 'error'::task_status
+				WHEN
+					latest_build_raw.transition IN ('stop', 'delete')
+					AND latest_build_raw.job_status = 'succeeded' THEN 'paused'::task_status
+				WHEN
+					latest_build_raw.transition = 'start'
+					AND latest_build_raw.job_status = 'pending' THEN 'initializing'::task_status
+				-- Build is running or done, defer to agent/app status.
+				WHEN
+					latest_build_raw.transition = 'start'
+					AND latest_build_raw.job_status IN ('running', 'succeeded') THEN 'active'::task_status
+				ELSE 'unknown'::task_status
+			END AS status
+	) build_status
+	CROSS JOIN LATERAL (
+		SELECT
+			CASE
+				-- No agent or connecting.
+				WHEN
+					agent_raw.lifecycle_state IS NULL
+					OR agent_raw.lifecycle_state IN ('created', 'starting') THEN 'initializing'::task_status
+				-- Agent is running, defer to app status.
+				-- NOTE(mafredri): The start_error/start_timeout states means connected, but some startup script failed.
+				-- This may or may not affect the task status but this has to be caught by app health check.
+				WHEN agent_raw.lifecycle_state IN ('ready', 'start_timeout', 'start_error') THEN 'active'::task_status
+				-- If the agent is shutting down or turned off, this is an unknown state because we would expect a stop
+				-- build to be running.
+				-- This is essentially equal to: `IN ('shutting_down', 'shutdown_timeout', 'shutdown_error', 'off')`,
+				-- but we cannot use them because the values were added in a migration.
+				WHEN agent_raw.lifecycle_state NOT IN ('created', 'starting', 'ready', 'start_timeout', 'start_error') THEN 'unknown'::task_status
+				ELSE 'unknown'::task_status
+			END AS status
+	) agent_status
+	CROSS JOIN LATERAL (
+		SELECT
+			CASE
+				WHEN app_raw.health = 'initializing' THEN 'initializing'::task_status
+				WHEN app_raw.health = 'unhealthy' THEN 'error'::task_status
+				WHEN app_raw.health IN ('healthy', 'disabled') THEN 'active'::task_status
+				ELSE 'unknown'::task_status
+			END AS status
+	) app_status
+	WHERE
+		tasks.deleted_at IS NULL;

coderd/database/migrations/000415_fix_task_pending_status.up.sql

@@ -0,0 +1,145 @@
+-- Fix task status logic: pending provisioner job should give pending task status, not initializing.
+-- A task is pending when the provisioner hasn't picked up the job yet.
+-- A task is initializing when the provisioner is actively running the job.
+DROP VIEW IF EXISTS tasks_with_status;
+
+CREATE VIEW
+	tasks_with_status
+AS
+	SELECT
+		tasks.*,
+		-- Combine component statuses with precedence: build -> agent -> app.
+		CASE
+			WHEN tasks.workspace_id IS NULL THEN 'pending'::task_status
+			WHEN build_status.status != 'active' THEN build_status.status::task_status
+			WHEN agent_status.status != 'active' THEN agent_status.status::task_status
+			ELSE app_status.status::task_status
+		END AS status,
+		-- Attach debug information for troubleshooting status.
+		jsonb_build_object(
+			'build', jsonb_build_object(
+				'transition', latest_build_raw.transition,
+				'job_status', latest_build_raw.job_status,
+				'computed', build_status.status
+			),
+			'agent', jsonb_build_object(
+				'lifecycle_state', agent_raw.lifecycle_state,
+				'computed', agent_status.status
+			),
+			'app', jsonb_build_object(
+				'health', app_raw.health,
+				'computed', app_status.status
+			)
+		) AS status_debug,
+		task_app.*,
+		agent_raw.lifecycle_state AS workspace_agent_lifecycle_state,
+		app_raw.health AS workspace_app_health,
+		task_owner.*
+	FROM
+		tasks
+	CROSS JOIN LATERAL (
+		SELECT
+			vu.username AS owner_username,
+			vu.name AS owner_name,
+			vu.avatar_url AS owner_avatar_url
+		FROM
+			visible_users vu
+		WHERE
+			vu.id = tasks.owner_id
+	) task_owner
+	LEFT JOIN LATERAL (
+		SELECT
+			task_app.workspace_build_number,
+			task_app.workspace_agent_id,
+			task_app.workspace_app_id
+		FROM
+			task_workspace_apps task_app
+		WHERE
+			task_id = tasks.id
+		ORDER BY
+			task_app.workspace_build_number DESC
+		LIMIT 1
+	) task_app ON TRUE
+
+	-- Join the raw data for computing task status.
+	LEFT JOIN LATERAL (
+		SELECT
+			workspace_build.transition,
+			provisioner_job.job_status,
+			workspace_build.job_id
+		FROM
+			workspace_builds workspace_build
+		JOIN
+			provisioner_jobs provisioner_job
+			ON provisioner_job.id = workspace_build.job_id
+		WHERE
+			workspace_build.workspace_id = tasks.workspace_id
+			AND workspace_build.build_number = task_app.workspace_build_number
+	) latest_build_raw ON TRUE
+	LEFT JOIN LATERAL (
+		SELECT
+			workspace_agent.lifecycle_state
+		FROM
+			workspace_agents workspace_agent
+		WHERE
+			workspace_agent.id = task_app.workspace_agent_id
+	) agent_raw ON TRUE
+	LEFT JOIN LATERAL (
+		SELECT
+			workspace_app.health
+		FROM
+			workspace_apps workspace_app
+		WHERE
+			workspace_app.id = task_app.workspace_app_id
+	) app_raw ON TRUE
+
+	-- Compute the status for each component.
+	CROSS JOIN LATERAL (
+		SELECT
+			CASE
+				WHEN latest_build_raw.job_status IS NULL THEN 'pending'::task_status
+				WHEN latest_build_raw.job_status IN ('failed', 'canceling', 'canceled') THEN 'error'::task_status
+				WHEN
+					latest_build_raw.transition IN ('stop', 'delete')
+					AND latest_build_raw.job_status = 'succeeded' THEN 'paused'::task_status
+				-- Job is pending (not picked up by provisioner yet).
+				WHEN
+					latest_build_raw.transition = 'start'
+					AND latest_build_raw.job_status = 'pending' THEN 'pending'::task_status
+				-- Job is running or done, defer to agent/app status.
+				WHEN
+					latest_build_raw.transition = 'start'
+					AND latest_build_raw.job_status IN ('running', 'succeeded') THEN 'active'::task_status
+				ELSE 'unknown'::task_status
+			END AS status
+	) build_status
+	CROSS JOIN LATERAL (
+		SELECT
+			CASE
+				-- No agent or connecting.
+				WHEN
+					agent_raw.lifecycle_state IS NULL
+					OR agent_raw.lifecycle_state IN ('created', 'starting') THEN 'initializing'::task_status
+				-- Agent is running, defer to app status.
+				-- NOTE(mafredri): The start_error/start_timeout states means connected, but some startup script failed.
+				-- This may or may not affect the task status but this has to be caught by app health check.
+				WHEN agent_raw.lifecycle_state IN ('ready', 'start_timeout', 'start_error') THEN 'active'::task_status
+				-- If the agent is shutting down or turned off, this is an unknown state because we would expect a stop
+				-- build to be running.
+				-- This is essentially equal to: `IN ('shutting_down', 'shutdown_timeout', 'shutdown_error', 'off')`,
+				-- but we cannot use them because the values were added in a migration.
+				WHEN agent_raw.lifecycle_state NOT IN ('created', 'starting', 'ready', 'start_timeout', 'start_error') THEN 'unknown'::task_status
+				ELSE 'unknown'::task_status
+			END AS status
+	) agent_status
+	CROSS JOIN LATERAL (
+		SELECT
+			CASE
+				WHEN app_raw.health = 'initializing' THEN 'initializing'::task_status
+				WHEN app_raw.health = 'unhealthy' THEN 'error'::task_status
+				WHEN app_raw.health IN ('healthy', 'disabled') THEN 'active'::task_status
+				ELSE 'unknown'::task_status
+			END AS status
+	) app_status
+	WHERE
+		tasks.deleted_at IS NULL;

coderd/database/migrations/000416_workspace_module_reuse_toggle.down.sql

@@ -0,0 +1,16 @@
+DROP VIEW template_with_names;
+ALTER TABLE templates DROP COLUMN disable_module_cache;
+
+CREATE VIEW template_with_names AS
+SELECT templates.*,
+	   COALESCE(visible_users.avatar_url, ''::text) AS created_by_avatar_url,
+	   COALESCE(visible_users.username, ''::text) AS created_by_username,
+	   COALESCE(visible_users.name, ''::text) AS created_by_name,
+	   COALESCE(organizations.name, ''::text) AS organization_name,
+	   COALESCE(organizations.display_name, ''::text) AS organization_display_name,
+	   COALESCE(organizations.icon, ''::text) AS organization_icon
+FROM ((templates
+	LEFT JOIN visible_users ON ((templates.created_by = visible_users.id)))
+	LEFT JOIN organizations ON ((templates.organization_id = organizations.id)));
+
+COMMENT ON VIEW template_with_names IS 'Joins in the display name information such as username, avatar, and organization name.';

coderd/database/migrations/000416_workspace_module_reuse_toggle.up.sql

@@ -0,0 +1,16 @@
+DROP VIEW template_with_names;
+ALTER TABLE templates ADD COLUMN disable_module_cache BOOL NOT NULL DEFAULT false;
+
+CREATE VIEW template_with_names AS
+SELECT templates.*,
+	   COALESCE(visible_users.avatar_url, ''::text) AS created_by_avatar_url,
+	   COALESCE(visible_users.username, ''::text) AS created_by_username,
+	   COALESCE(visible_users.name, ''::text) AS created_by_name,
+	   COALESCE(organizations.name, ''::text) AS organization_name,
+	   COALESCE(organizations.display_name, ''::text) AS organization_display_name,
+	   COALESCE(organizations.icon, ''::text) AS organization_icon
+FROM ((templates
+	LEFT JOIN visible_users ON ((templates.created_by = visible_users.id)))
+	LEFT JOIN organizations ON ((templates.organization_id = organizations.id)));
+
+COMMENT ON VIEW template_with_names IS 'Joins in the display name information such as username, avatar, and organization name.';

coderd/database/modelqueries.go

@@ -127,6 +127,7 @@ func (q *sqlQuerier) GetAuthorizedTemplates(ctx context.Context, arg GetTemplate
 			&i.MaxPortSharingLevel,
 			&i.UseClassicParameterFlow,
 			&i.CorsBehavior,
+			&i.DisableModuleCache,
 			&i.CreatedByAvatarURL,
 			&i.CreatedByUsername,
 			&i.CreatedByName,
@@ -268,7 +269,7 @@ func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspa
 		pq.Array(arg.TemplateIDs),
 		pq.Array(arg.WorkspaceIds),
 		arg.Name,
-		arg.HasAgent,
+		pq.Array(arg.HasAgentStatuses),
 		arg.AgentInactiveDisconnectTimeoutSeconds,
 		arg.Dormant,
 		arg.LastUsedBefore,

coderd/database/models.go

@@ -217,6 +217,8 @@ const (
 	ApiKeyScopeBoundaryUsageDelete                 APIKeyScope = "boundary_usage:delete"
 	ApiKeyScopeBoundaryUsageRead                   APIKeyScope = "boundary_usage:read"
 	ApiKeyScopeBoundaryUsageUpdate                 APIKeyScope = "boundary_usage:update"
+	ApiKeyScopeWorkspaceUpdateAgent                APIKeyScope = "workspace:update_agent"
+	ApiKeyScopeWorkspaceDormantUpdateAgent         APIKeyScope = "workspace_dormant:update_agent"
 )
 
 func (e *APIKeyScope) Scan(src interface{}) error {
@@ -453,7 +455,9 @@ func (e APIKeyScope) Valid() bool {
 		ApiKeyScopeBoundaryUsage,
 		ApiKeyScopeBoundaryUsageDelete,
 		ApiKeyScopeBoundaryUsageRead,
-		ApiKeyScopeBoundaryUsageUpdate:
+		ApiKeyScopeBoundaryUsageUpdate,
+		ApiKeyScopeWorkspaceUpdateAgent,
+		ApiKeyScopeWorkspaceDormantUpdateAgent:
 		return true
 	}
 	return false
@@ -659,6 +663,8 @@ func AllAPIKeyScopeValues() []APIKeyScope {
 		ApiKeyScopeBoundaryUsageDelete,
 		ApiKeyScopeBoundaryUsageRead,
 		ApiKeyScopeBoundaryUsageUpdate,
+		ApiKeyScopeWorkspaceUpdateAgent,
+		ApiKeyScopeWorkspaceDormantUpdateAgent,
 	}
 }
 
@@ -4332,6 +4338,7 @@ type Template struct {
 	MaxPortSharingLevel           AppSharingLevel `db:"max_port_sharing_level" json:"max_port_sharing_level"`
 	UseClassicParameterFlow       bool            `db:"use_classic_parameter_flow" json:"use_classic_parameter_flow"`
 	CorsBehavior                  CorsBehavior    `db:"cors_behavior" json:"cors_behavior"`
+	DisableModuleCache            bool            `db:"disable_module_cache" json:"disable_module_cache"`
 	CreatedByAvatarURL            string          `db:"created_by_avatar_url" json:"created_by_avatar_url"`
 	CreatedByUsername             string          `db:"created_by_username" json:"created_by_username"`
 	CreatedByName                 string          `db:"created_by_name" json:"created_by_name"`
@@ -4381,6 +4388,7 @@ type TemplateTable struct {
 	// Determines whether to default to the dynamic parameter creation flow for this template or continue using the legacy classic parameter creation flow.This is a template wide setting, the template admin can revert to the classic flow if there are any issues. An escape hatch is required, as workspace creation is a core workflow and cannot break. This column will be removed when the dynamic parameter creation flow is stable.
 	UseClassicParameterFlow bool         `db:"use_classic_parameter_flow" json:"use_classic_parameter_flow"`
 	CorsBehavior            CorsBehavior `db:"cors_behavior" json:"cors_behavior"`
+	DisableModuleCache      bool         `db:"disable_module_cache" json:"disable_module_cache"`
 }
 
 // Records aggregated usage statistics for templates/users. All usage is rounded up to the nearest minute.

coderd/database/querier.go

@@ -88,8 +88,6 @@ type sqlcQuerier interface {
 	// be recreated.
 	DeleteAllWebpushSubscriptions(ctx context.Context) error
 	DeleteApplicationConnectAPIKeysByUserID(ctx context.Context, userID uuid.UUID) error
-	// Deletes boundary usage statistics for a specific replica.
-	DeleteBoundaryUsageStatsByReplicaID(ctx context.Context, replicaID uuid.UUID) error
 	DeleteCryptoKey(ctx context.Context, arg DeleteCryptoKeyParams) (CryptoKey, error)
 	DeleteCustomRole(ctx context.Context, arg DeleteCustomRoleParams) error
 	DeleteExpiredAPIKeys(ctx context.Context, arg DeleteExpiredAPIKeysParams) (int64, error)
@@ -132,7 +130,7 @@ type sqlcQuerier interface {
 	DeleteRuntimeConfig(ctx context.Context, key string) error
 	DeleteTailnetPeer(ctx context.Context, arg DeleteTailnetPeerParams) (DeleteTailnetPeerRow, error)
 	DeleteTailnetTunnel(ctx context.Context, arg DeleteTailnetTunnelParams) (DeleteTailnetTunnelRow, error)
-	DeleteTask(ctx context.Context, arg DeleteTaskParams) (TaskTable, error)
+	DeleteTask(ctx context.Context, arg DeleteTaskParams) (uuid.UUID, error)
 	DeleteUserSecret(ctx context.Context, id uuid.UUID) error
 	DeleteWebpushSubscriptionByUserIDAndEndpoint(ctx context.Context, arg DeleteWebpushSubscriptionByUserIDAndEndpointParams) error
 	DeleteWebpushSubscriptions(ctx context.Context, ids []uuid.UUID) error
@@ -181,6 +179,11 @@ type sqlcQuerier interface {
 	GetAllTailnetCoordinators(ctx context.Context) ([]TailnetCoordinator, error)
 	GetAllTailnetPeers(ctx context.Context) ([]TailnetPeer, error)
 	GetAllTailnetTunnels(ctx context.Context) ([]TailnetTunnel, error)
+	// Atomic read+delete prevents replicas that flush between a separate read and
+	// reset from having their data deleted before the next snapshot. Uses a common
+	// table expression with DELETE...RETURNING so the rows we sum are exactly the
+	// rows we delete. Stale rows are excluded from the sum but still deleted.
+	GetAndResetBoundaryUsageSummary(ctx context.Context, maxStalenessMs int64) (GetAndResetBoundaryUsageSummaryRow, error)
 	GetAnnouncementBanners(ctx context.Context) (string, error)
 	GetAppSecurityKey(ctx context.Context) (string, error)
 	GetApplicationName(ctx context.Context) (string, error)
@@ -196,10 +199,6 @@ type sqlcQuerier interface {
 	// This function returns roles for authorization purposes. Implied member roles
 	// are included.
 	GetAuthorizationUserRoles(ctx context.Context, userID uuid.UUID) (GetAuthorizationUserRolesRow, error)
-	// Aggregates boundary usage statistics across all replicas. Filters to only
-	// include data where window_start is within the given interval to exclude
-	// stale data.
-	GetBoundaryUsageSummary(ctx context.Context, maxStalenessMs int64) (GetBoundaryUsageSummaryRow, error)
 	GetConnectionLogsOffset(ctx context.Context, arg GetConnectionLogsOffsetParams) ([]GetConnectionLogsOffsetRow, error)
 	GetCoordinatorResumeTokenSigningKey(ctx context.Context) (string, error)
 	GetCryptoKeyByFeatureAndSequence(ctx context.Context, arg GetCryptoKeyByFeatureAndSequenceParams) (CryptoKey, error)
@@ -502,6 +501,9 @@ type sqlcQuerier interface {
 	GetWorkspaceBuildByID(ctx context.Context, id uuid.UUID) (WorkspaceBuild, error)
 	GetWorkspaceBuildByJobID(ctx context.Context, jobID uuid.UUID) (WorkspaceBuild, error)
 	GetWorkspaceBuildByWorkspaceIDAndBuildNumber(ctx context.Context, arg GetWorkspaceBuildByWorkspaceIDAndBuildNumberParams) (WorkspaceBuild, error)
+	// Returns build metadata for e2e workspace build duration metrics.
+	// Also checks if all agents are ready and returns the worst status.
+	GetWorkspaceBuildMetricsByResourceID(ctx context.Context, id uuid.UUID) (GetWorkspaceBuildMetricsByResourceIDRow, error)
 	GetWorkspaceBuildParameters(ctx context.Context, workspaceBuildID uuid.UUID) ([]WorkspaceBuildParameter, error)
 	GetWorkspaceBuildParametersByBuildIDs(ctx context.Context, workspaceBuildIds []uuid.UUID) ([]WorkspaceBuildParameter, error)
 	GetWorkspaceBuildStatsByTemplates(ctx context.Context, since time.Time) ([]GetWorkspaceBuildStatsByTemplatesRow, error)
@@ -652,9 +654,6 @@ type sqlcQuerier interface {
 	RegisterWorkspaceProxy(ctx context.Context, arg RegisterWorkspaceProxyParams) (WorkspaceProxy, error)
 	RemoveUserFromAllGroups(ctx context.Context, userID uuid.UUID) error
 	RemoveUserFromGroups(ctx context.Context, arg RemoveUserFromGroupsParams) ([]uuid.UUID, error)
-	// Deletes all boundary usage statistics. Called after telemetry reports the
-	// aggregated stats. Each replica will insert a fresh row on its next flush.
-	ResetBoundaryUsageStats(ctx context.Context) error
 	RevokeDBCryptKey(ctx context.Context, activeKeyDigest string) error
 	// Note that this selects from the CTE, not the original table. The CTE is named
 	// the same as the original table to trick sqlc into reusing the existing struct
@@ -738,6 +737,7 @@ type sqlcQuerier interface {
 	UpdateWorkspace(ctx context.Context, arg UpdateWorkspaceParams) (WorkspaceTable, error)
 	UpdateWorkspaceACLByID(ctx context.Context, arg UpdateWorkspaceACLByIDParams) error
 	UpdateWorkspaceAgentConnectionByID(ctx context.Context, arg UpdateWorkspaceAgentConnectionByIDParams) error
+	UpdateWorkspaceAgentDisplayAppsByID(ctx context.Context, arg UpdateWorkspaceAgentDisplayAppsByIDParams) error
 	UpdateWorkspaceAgentLifecycleStateByID(ctx context.Context, arg UpdateWorkspaceAgentLifecycleStateByIDParams) error
 	UpdateWorkspaceAgentLogOverflowByID(ctx context.Context, arg UpdateWorkspaceAgentLogOverflowByIDParams) error
 	UpdateWorkspaceAgentMetadata(ctx context.Context, arg UpdateWorkspaceAgentMetadataParams) error

coderd/database/querier_test.go

@@ -7093,8 +7093,8 @@ func TestTasksWithStatusView(t *testing.T) {
 			name:                      "PendingStart",
 			buildStatus:               database.ProvisionerJobStatusPending,
 			buildTransition:           database.WorkspaceTransitionStart,
-			expectedStatus:            database.TaskStatusInitializing,
-			description:               "Workspace build is starting (pending)",
+			expectedStatus:            database.TaskStatusPending,
+			description:               "Workspace build pending (not yet picked up by provisioner)",
 			expectBuildNumberValid:    true,
 			expectBuildNumber:         1,
 			expectWorkspaceAgentValid: false,

coderd/database/queries.sql.go

@@ -1980,39 +1980,41 @@ func (q *sqlQuerier) InsertAuditLog(ctx context.Context, arg InsertAuditLogParam
 	return i, err
 }
 
-const deleteBoundaryUsageStatsByReplicaID = `-- name: DeleteBoundaryUsageStatsByReplicaID :exec
-DELETE FROM boundary_usage_stats WHERE replica_id = $1
-`
-
-// Deletes boundary usage statistics for a specific replica.
-func (q *sqlQuerier) DeleteBoundaryUsageStatsByReplicaID(ctx context.Context, replicaID uuid.UUID) error {
-	_, err := q.db.ExecContext(ctx, deleteBoundaryUsageStatsByReplicaID, replicaID)
-	return err
-}
-
-const getBoundaryUsageSummary = `-- name: GetBoundaryUsageSummary :one
+const getAndResetBoundaryUsageSummary = `-- name: GetAndResetBoundaryUsageSummary :one
+WITH deleted AS (
+    DELETE FROM boundary_usage_stats
+    RETURNING replica_id, unique_workspaces_count, unique_users_count, allowed_requests, denied_requests, window_start, updated_at
+)
 SELECT
-    COALESCE(SUM(unique_workspaces_count), 0)::bigint AS unique_workspaces,
-    COALESCE(SUM(unique_users_count), 0)::bigint AS unique_users,
-    COALESCE(SUM(allowed_requests), 0)::bigint AS allowed_requests,
-    COALESCE(SUM(denied_requests), 0)::bigint AS denied_requests
-FROM boundary_usage_stats
-WHERE window_start >= NOW() - ($1::bigint || ' ms')::interval
+    COALESCE(SUM(unique_workspaces_count) FILTER (
+        WHERE window_start >= NOW() - ($1::bigint || ' ms')::interval
+    ), 0)::bigint AS unique_workspaces,
+    COALESCE(SUM(unique_users_count) FILTER (
+        WHERE window_start >= NOW() - ($1::bigint || ' ms')::interval
+    ), 0)::bigint AS unique_users,
+    COALESCE(SUM(allowed_requests) FILTER (
+        WHERE window_start >= NOW() - ($1::bigint || ' ms')::interval
+    ), 0)::bigint AS allowed_requests,
+    COALESCE(SUM(denied_requests) FILTER (
+        WHERE window_start >= NOW() - ($1::bigint || ' ms')::interval
+    ), 0)::bigint AS denied_requests
+FROM deleted
 `
 
-type GetBoundaryUsageSummaryRow struct {
+type GetAndResetBoundaryUsageSummaryRow struct {
 	UniqueWorkspaces int64 `db:"unique_workspaces" json:"unique_workspaces"`
 	UniqueUsers      int64 `db:"unique_users" json:"unique_users"`
 	AllowedRequests  int64 `db:"allowed_requests" json:"allowed_requests"`
 	DeniedRequests   int64 `db:"denied_requests" json:"denied_requests"`
 }
 
-// Aggregates boundary usage statistics across all replicas. Filters to only
-// include data where window_start is within the given interval to exclude
-// stale data.
-func (q *sqlQuerier) GetBoundaryUsageSummary(ctx context.Context, maxStalenessMs int64) (GetBoundaryUsageSummaryRow, error) {
-	row := q.db.QueryRowContext(ctx, getBoundaryUsageSummary, maxStalenessMs)
-	var i GetBoundaryUsageSummaryRow
+// Atomic read+delete prevents replicas that flush between a separate read and
+// reset from having their data deleted before the next snapshot. Uses a common
+// table expression with DELETE...RETURNING so the rows we sum are exactly the
+// rows we delete. Stale rows are excluded from the sum but still deleted.
+func (q *sqlQuerier) GetAndResetBoundaryUsageSummary(ctx context.Context, maxStalenessMs int64) (GetAndResetBoundaryUsageSummaryRow, error) {
+	row := q.db.QueryRowContext(ctx, getAndResetBoundaryUsageSummary, maxStalenessMs)
+	var i GetAndResetBoundaryUsageSummaryRow
 	err := row.Scan(
 		&i.UniqueWorkspaces,
 		&i.UniqueUsers,
@@ -2022,17 +2024,6 @@ func (q *sqlQuerier) GetBoundaryUsageSummary(ctx context.Context, maxStalenessMs
 	return i, err
 }
 
-const resetBoundaryUsageStats = `-- name: ResetBoundaryUsageStats :exec
-DELETE FROM boundary_usage_stats
-`
-
-// Deletes all boundary usage statistics. Called after telemetry reports the
-// aggregated stats. Each replica will insert a fresh row on its next flush.
-func (q *sqlQuerier) ResetBoundaryUsageStats(ctx context.Context) error {
-	_, err := q.db.ExecContext(ctx, resetBoundaryUsageStats)
-	return err
-}
-
 const upsertBoundaryUsageStats = `-- name: UpsertBoundaryUsageStats :one
 INSERT INTO boundary_usage_stats (
     replica_id,
@@ -13151,13 +13142,19 @@ func (q *sqlQuerier) UpsertTailnetTunnel(ctx context.Context, arg UpsertTailnetT
 }
 
 const deleteTask = `-- name: DeleteTask :one
-UPDATE tasks
-SET
-	deleted_at = $1::timestamptz
-WHERE
-	id = $2::uuid
-	AND deleted_at IS NULL
-RETURNING id, organization_id, owner_id, name, workspace_id, template_version_id, template_parameters, prompt, created_at, deleted_at, display_name
+WITH deleted_task AS (
+	UPDATE tasks
+	SET
+		deleted_at = $1::timestamptz
+	WHERE
+		id = $2::uuid
+		AND deleted_at IS NULL
+	RETURNING id
+), deleted_snapshot AS (
+	DELETE FROM task_snapshots
+	WHERE task_id = $2::uuid
+)
+SELECT id FROM deleted_task
 `
 
 type DeleteTaskParams struct {
@@ -13165,23 +13162,11 @@ type DeleteTaskParams struct {
 	ID        uuid.UUID `db:"id" json:"id"`
 }
 
-func (q *sqlQuerier) DeleteTask(ctx context.Context, arg DeleteTaskParams) (TaskTable, error) {
+func (q *sqlQuerier) DeleteTask(ctx context.Context, arg DeleteTaskParams) (uuid.UUID, error) {
 	row := q.db.QueryRowContext(ctx, deleteTask, arg.DeletedAt, arg.ID)
-	var i TaskTable
-	err := row.Scan(
-		&i.ID,
-		&i.OrganizationID,
-		&i.OwnerID,
-		&i.Name,
-		&i.WorkspaceID,
-		&i.TemplateVersionID,
-		&i.TemplateParameters,
-		&i.Prompt,
-		&i.CreatedAt,
-		&i.DeletedAt,
-		&i.DisplayName,
-	)
-	return i, err
+	var id uuid.UUID
+	err := row.Scan(&id)
+	return id, err
 }
 
 const getTaskByID = `-- name: GetTaskByID :one
@@ -13729,7 +13714,7 @@ func (q *sqlQuerier) GetTemplateAverageBuildTime(ctx context.Context, templateID
 
 const getTemplateByID = `-- name: GetTemplateByID :one
 SELECT
-	id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, deprecated, activity_bump, max_port_sharing_level, use_classic_parameter_flow, cors_behavior, created_by_avatar_url, created_by_username, created_by_name, organization_name, organization_display_name, organization_icon
+	id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, deprecated, activity_bump, max_port_sharing_level, use_classic_parameter_flow, cors_behavior, disable_module_cache, created_by_avatar_url, created_by_username, created_by_name, organization_name, organization_display_name, organization_icon
 FROM
 	template_with_names
 WHERE
@@ -13772,6 +13757,7 @@ func (q *sqlQuerier) GetTemplateByID(ctx context.Context, id uuid.UUID) (Templat
 		&i.MaxPortSharingLevel,
 		&i.UseClassicParameterFlow,
 		&i.CorsBehavior,
+		&i.DisableModuleCache,
 		&i.CreatedByAvatarURL,
 		&i.CreatedByUsername,
 		&i.CreatedByName,
@@ -13784,7 +13770,7 @@ func (q *sqlQuerier) GetTemplateByID(ctx context.Context, id uuid.UUID) (Templat
 
 const getTemplateByOrganizationAndName = `-- name: GetTemplateByOrganizationAndName :one
 SELECT
-	id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, deprecated, activity_bump, max_port_sharing_level, use_classic_parameter_flow, cors_behavior, created_by_avatar_url, created_by_username, created_by_name, organization_name, organization_display_name, organization_icon
+	id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, deprecated, activity_bump, max_port_sharing_level, use_classic_parameter_flow, cors_behavior, disable_module_cache, created_by_avatar_url, created_by_username, created_by_name, organization_name, organization_display_name, organization_icon
 FROM
 	template_with_names AS templates
 WHERE
@@ -13835,6 +13821,7 @@ func (q *sqlQuerier) GetTemplateByOrganizationAndName(ctx context.Context, arg G
 		&i.MaxPortSharingLevel,
 		&i.UseClassicParameterFlow,
 		&i.CorsBehavior,
+		&i.DisableModuleCache,
 		&i.CreatedByAvatarURL,
 		&i.CreatedByUsername,
 		&i.CreatedByName,
@@ -13846,7 +13833,7 @@ func (q *sqlQuerier) GetTemplateByOrganizationAndName(ctx context.Context, arg G
 }
 
 const getTemplates = `-- name: GetTemplates :many
-SELECT id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, deprecated, activity_bump, max_port_sharing_level, use_classic_parameter_flow, cors_behavior, created_by_avatar_url, created_by_username, created_by_name, organization_name, organization_display_name, organization_icon FROM template_with_names AS templates
+SELECT id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, deprecated, activity_bump, max_port_sharing_level, use_classic_parameter_flow, cors_behavior, disable_module_cache, created_by_avatar_url, created_by_username, created_by_name, organization_name, organization_display_name, organization_icon FROM template_with_names AS templates
 ORDER BY (name, id) ASC
 `
 
@@ -13890,6 +13877,7 @@ func (q *sqlQuerier) GetTemplates(ctx context.Context) ([]Template, error) {
 			&i.MaxPortSharingLevel,
 			&i.UseClassicParameterFlow,
 			&i.CorsBehavior,
+			&i.DisableModuleCache,
 			&i.CreatedByAvatarURL,
 			&i.CreatedByUsername,
 			&i.CreatedByName,
@@ -13912,7 +13900,7 @@ func (q *sqlQuerier) GetTemplates(ctx context.Context) ([]Template, error) {
 
 const getTemplatesWithFilter = `-- name: GetTemplatesWithFilter :many
 SELECT
-	t.id, t.created_at, t.updated_at, t.organization_id, t.deleted, t.name, t.provisioner, t.active_version_id, t.description, t.default_ttl, t.created_by, t.icon, t.user_acl, t.group_acl, t.display_name, t.allow_user_cancel_workspace_jobs, t.allow_user_autostart, t.allow_user_autostop, t.failure_ttl, t.time_til_dormant, t.time_til_dormant_autodelete, t.autostop_requirement_days_of_week, t.autostop_requirement_weeks, t.autostart_block_days_of_week, t.require_active_version, t.deprecated, t.activity_bump, t.max_port_sharing_level, t.use_classic_parameter_flow, t.cors_behavior, t.created_by_avatar_url, t.created_by_username, t.created_by_name, t.organization_name, t.organization_display_name, t.organization_icon
+	t.id, t.created_at, t.updated_at, t.organization_id, t.deleted, t.name, t.provisioner, t.active_version_id, t.description, t.default_ttl, t.created_by, t.icon, t.user_acl, t.group_acl, t.display_name, t.allow_user_cancel_workspace_jobs, t.allow_user_autostart, t.allow_user_autostop, t.failure_ttl, t.time_til_dormant, t.time_til_dormant_autodelete, t.autostop_requirement_days_of_week, t.autostop_requirement_weeks, t.autostart_block_days_of_week, t.require_active_version, t.deprecated, t.activity_bump, t.max_port_sharing_level, t.use_classic_parameter_flow, t.cors_behavior, t.disable_module_cache, t.created_by_avatar_url, t.created_by_username, t.created_by_name, t.organization_name, t.organization_display_name, t.organization_icon
 FROM
 	template_with_names AS t
 LEFT JOIN
@@ -14071,6 +14059,7 @@ func (q *sqlQuerier) GetTemplatesWithFilter(ctx context.Context, arg GetTemplate
 			&i.MaxPortSharingLevel,
 			&i.UseClassicParameterFlow,
 			&i.CorsBehavior,
+			&i.DisableModuleCache,
 			&i.CreatedByAvatarURL,
 			&i.CreatedByUsername,
 			&i.CreatedByName,
@@ -14256,7 +14245,8 @@ SET
 	group_acl = $8,
 	max_port_sharing_level = $9,
 	use_classic_parameter_flow = $10,
-	cors_behavior = $11
+	cors_behavior = $11,
+	disable_module_cache = $12
 WHERE
 	id = $1
 `
@@ -14273,6 +14263,7 @@ type UpdateTemplateMetaByIDParams struct {
 	MaxPortSharingLevel          AppSharingLevel `db:"max_port_sharing_level" json:"max_port_sharing_level"`
 	UseClassicParameterFlow      bool            `db:"use_classic_parameter_flow" json:"use_classic_parameter_flow"`
 	CorsBehavior                 CorsBehavior    `db:"cors_behavior" json:"cors_behavior"`
+	DisableModuleCache           bool            `db:"disable_module_cache" json:"disable_module_cache"`
 }
 
 func (q *sqlQuerier) UpdateTemplateMetaByID(ctx context.Context, arg UpdateTemplateMetaByIDParams) error {
@@ -14288,6 +14279,7 @@ func (q *sqlQuerier) UpdateTemplateMetaByID(ctx context.Context, arg UpdateTempl
 		arg.MaxPortSharingLevel,
 		arg.UseClassicParameterFlow,
 		arg.CorsBehavior,
+		arg.DisableModuleCache,
 	)
 	return err
 }
@@ -19306,6 +19298,26 @@ func (q *sqlQuerier) UpdateWorkspaceAgentConnectionByID(ctx context.Context, arg
 	return err
 }
 
+const updateWorkspaceAgentDisplayAppsByID = `-- name: UpdateWorkspaceAgentDisplayAppsByID :exec
+UPDATE
+	workspace_agents
+SET
+	display_apps = $2, updated_at = $3
+WHERE
+	id = $1
+`
+
+type UpdateWorkspaceAgentDisplayAppsByIDParams struct {
+	ID          uuid.UUID    `db:"id" json:"id"`
+	DisplayApps []DisplayApp `db:"display_apps" json:"display_apps"`
+	UpdatedAt   time.Time    `db:"updated_at" json:"updated_at"`
+}
+
+func (q *sqlQuerier) UpdateWorkspaceAgentDisplayAppsByID(ctx context.Context, arg UpdateWorkspaceAgentDisplayAppsByIDParams) error {
+	_, err := q.db.ExecContext(ctx, updateWorkspaceAgentDisplayAppsByID, arg.ID, pq.Array(arg.DisplayApps), arg.UpdatedAt)
+	return err
+}
+
 const updateWorkspaceAgentLifecycleStateByID = `-- name: UpdateWorkspaceAgentLifecycleStateByID :exec
 UPDATE
 	workspace_agents
@@ -21332,6 +21344,62 @@ func (q *sqlQuerier) GetWorkspaceBuildByWorkspaceIDAndBuildNumber(ctx context.Co
 	return i, err
 }
 
+const getWorkspaceBuildMetricsByResourceID = `-- name: GetWorkspaceBuildMetricsByResourceID :one
+SELECT
+    wb.created_at,
+    wb.transition,
+    t.name AS template_name,
+    o.name AS organization_name,
+    (w.owner_id = 'c42fdf75-3097-471c-8c33-fb52454d81c0') AS is_prebuild,
+    -- All agents must have ready_at set (terminal startup state)
+    COUNT(*) FILTER (WHERE wa.ready_at IS NULL) = 0 AS all_agents_ready,
+    -- Latest ready_at across all agents (for duration calculation)
+	MAX(wa.ready_at)::timestamptz AS last_agent_ready_at,
+    -- Worst status: error > timeout > ready
+    CASE
+        WHEN bool_or(wa.lifecycle_state = 'start_error') THEN 'error'
+        WHEN bool_or(wa.lifecycle_state = 'start_timeout') THEN 'timeout'
+        ELSE 'success'
+    END AS worst_status
+FROM workspace_builds wb
+JOIN workspaces w ON wb.workspace_id = w.id
+JOIN templates t ON w.template_id = t.id
+JOIN organizations o ON t.organization_id = o.id
+JOIN workspace_resources wr ON wr.job_id = wb.job_id
+JOIN workspace_agents wa ON wa.resource_id = wr.id
+WHERE wb.job_id = (SELECT job_id FROM workspace_resources WHERE workspace_resources.id = $1)
+GROUP BY wb.created_at, wb.transition, t.name, o.name, w.owner_id
+`
+
+type GetWorkspaceBuildMetricsByResourceIDRow struct {
+	CreatedAt        time.Time           `db:"created_at" json:"created_at"`
+	Transition       WorkspaceTransition `db:"transition" json:"transition"`
+	TemplateName     string              `db:"template_name" json:"template_name"`
+	OrganizationName string              `db:"organization_name" json:"organization_name"`
+	IsPrebuild       bool                `db:"is_prebuild" json:"is_prebuild"`
+	AllAgentsReady   bool                `db:"all_agents_ready" json:"all_agents_ready"`
+	LastAgentReadyAt time.Time           `db:"last_agent_ready_at" json:"last_agent_ready_at"`
+	WorstStatus      string              `db:"worst_status" json:"worst_status"`
+}
+
+// Returns build metadata for e2e workspace build duration metrics.
+// Also checks if all agents are ready and returns the worst status.
+func (q *sqlQuerier) GetWorkspaceBuildMetricsByResourceID(ctx context.Context, id uuid.UUID) (GetWorkspaceBuildMetricsByResourceIDRow, error) {
+	row := q.db.QueryRowContext(ctx, getWorkspaceBuildMetricsByResourceID, id)
+	var i GetWorkspaceBuildMetricsByResourceIDRow
+	err := row.Scan(
+		&i.CreatedAt,
+		&i.Transition,
+		&i.TemplateName,
+		&i.OrganizationName,
+		&i.IsPrebuild,
+		&i.AllAgentsReady,
+		&i.LastAgentReadyAt,
+		&i.WorstStatus,
+	)
+	return i, err
+}
+
 const getWorkspaceBuildStatsByTemplates = `-- name: GetWorkspaceBuildStatsByTemplates :many
 SELECT
     w.template_id,
@@ -22823,7 +22891,7 @@ LEFT JOIN LATERAL (
 ) latest_build ON TRUE
 LEFT JOIN LATERAL (
 	SELECT
-		id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, deprecated, activity_bump, max_port_sharing_level, use_classic_parameter_flow, cors_behavior
+		id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, deprecated, activity_bump, max_port_sharing_level, use_classic_parameter_flow, cors_behavior, disable_module_cache
 	FROM
 		templates
 	WHERE
@@ -22957,7 +23025,7 @@ WHERE
 	-- Filter by agent status
 	-- has-agent: is only applicable for workspaces in "start" transition. Stopped and deleted workspaces don't have agents.
 	AND CASE
-		WHEN $13 :: text != '' THEN
+		WHEN array_length($13 :: text[], 1) > 0 THEN
 			(
 				SELECT COUNT(*)
 				FROM
@@ -22971,7 +23039,7 @@ WHERE
 					latest_build.transition = 'start'::workspace_transition AND
 					-- Filter out deleted sub agents.
 					workspace_agents.deleted = FALSE AND
-					$13 = (
+					(
 						CASE
 							WHEN workspace_agents.first_connected_at IS NULL THEN
 								CASE
@@ -22989,7 +23057,7 @@ WHERE
 							ELSE
 								NULL
 						END
-					)
+					) = ANY($13 :: text[])
 			) > 0
 		ELSE true
 	END
@@ -23054,6 +23122,7 @@ WHERE
 			workspaces.group_acl ? ($23 :: uuid) :: text
 		ELSE true
 	END
+
 	-- Authorize Filter clause will be injected below in GetAuthorizedWorkspaces
 	-- @authorize_filter
 ), filtered_workspaces_order AS (
@@ -23157,7 +23226,7 @@ type GetWorkspacesParams struct {
 	TemplateIDs                           []uuid.UUID  `db:"template_ids" json:"template_ids"`
 	WorkspaceIds                          []uuid.UUID  `db:"workspace_ids" json:"workspace_ids"`
 	Name                                  string       `db:"name" json:"name"`
-	HasAgent                              string       `db:"has_agent" json:"has_agent"`
+	HasAgentStatuses                      []string     `db:"has_agent_statuses" json:"has_agent_statuses"`
 	AgentInactiveDisconnectTimeoutSeconds int64        `db:"agent_inactive_disconnect_timeout_seconds" json:"agent_inactive_disconnect_timeout_seconds"`
 	Dormant                               bool         `db:"dormant" json:"dormant"`
 	LastUsedBefore                        time.Time    `db:"last_used_before" json:"last_used_before"`
@@ -23235,7 +23304,7 @@ func (q *sqlQuerier) GetWorkspaces(ctx context.Context, arg GetWorkspacesParams)
 		pq.Array(arg.TemplateIDs),
 		pq.Array(arg.WorkspaceIds),
 		arg.Name,
-		arg.HasAgent,
+		pq.Array(arg.HasAgentStatuses),
 		arg.AgentInactiveDisconnectTimeoutSeconds,
 		arg.Dormant,
 		arg.LastUsedBefore,

coderd/database/queries/boundaryusagestats.sql

@@ -27,23 +27,26 @@ INSERT INTO boundary_usage_stats (
     updated_at = NOW()
 RETURNING (xmax = 0) AS new_period;
 
--- name: GetBoundaryUsageSummary :one
--- Aggregates boundary usage statistics across all replicas. Filters to only
--- include data where window_start is within the given interval to exclude
--- stale data.
+-- name: GetAndResetBoundaryUsageSummary :one
+-- Atomic read+delete prevents replicas that flush between a separate read and
+-- reset from having their data deleted before the next snapshot. Uses a common
+-- table expression with DELETE...RETURNING so the rows we sum are exactly the
+-- rows we delete. Stale rows are excluded from the sum but still deleted.
+WITH deleted AS (
+    DELETE FROM boundary_usage_stats
+    RETURNING *
+)
 SELECT
-    COALESCE(SUM(unique_workspaces_count), 0)::bigint AS unique_workspaces,
-    COALESCE(SUM(unique_users_count), 0)::bigint AS unique_users,
-    COALESCE(SUM(allowed_requests), 0)::bigint AS allowed_requests,
-    COALESCE(SUM(denied_requests), 0)::bigint AS denied_requests
-FROM boundary_usage_stats
-WHERE window_start >= NOW() - (@max_staleness_ms::bigint || ' ms')::interval;
-
--- name: ResetBoundaryUsageStats :exec
--- Deletes all boundary usage statistics. Called after telemetry reports the
--- aggregated stats. Each replica will insert a fresh row on its next flush.
-DELETE FROM boundary_usage_stats;
-
--- name: DeleteBoundaryUsageStatsByReplicaID :exec
--- Deletes boundary usage statistics for a specific replica.
-DELETE FROM boundary_usage_stats WHERE replica_id = @replica_id;
+    COALESCE(SUM(unique_workspaces_count) FILTER (
+        WHERE window_start >= NOW() - (@max_staleness_ms::bigint || ' ms')::interval
+    ), 0)::bigint AS unique_workspaces,
+    COALESCE(SUM(unique_users_count) FILTER (
+        WHERE window_start >= NOW() - (@max_staleness_ms::bigint || ' ms')::interval
+    ), 0)::bigint AS unique_users,
+    COALESCE(SUM(allowed_requests) FILTER (
+        WHERE window_start >= NOW() - (@max_staleness_ms::bigint || ' ms')::interval
+    ), 0)::bigint AS allowed_requests,
+    COALESCE(SUM(denied_requests) FILTER (
+        WHERE window_start >= NOW() - (@max_staleness_ms::bigint || ' ms')::interval
+    ), 0)::bigint AS denied_requests
+FROM deleted;

coderd/database/queries/tasks.sql

@@ -57,13 +57,19 @@ AND CASE WHEN @status::text != '' THEN tws.status = @status::task_status ELSE TR
 ORDER BY tws.created_at DESC;
 
 -- name: DeleteTask :one
-UPDATE tasks
-SET
-	deleted_at = @deleted_at::timestamptz
-WHERE
-	id = @id::uuid
-	AND deleted_at IS NULL
-RETURNING *;
+WITH deleted_task AS (
+	UPDATE tasks
+	SET
+		deleted_at = @deleted_at::timestamptz
+	WHERE
+		id = @id::uuid
+		AND deleted_at IS NULL
+	RETURNING id
+), deleted_snapshot AS (
+	DELETE FROM task_snapshots
+	WHERE task_id = @id::uuid
+)
+SELECT id FROM deleted_task;
 
 
 -- name: UpdateTaskPrompt :one

coderd/database/queries/templates.sql

@@ -173,7 +173,8 @@ SET
 	group_acl = $8,
 	max_port_sharing_level = $9,
 	use_classic_parameter_flow = $10,
-	cors_behavior = $11
+	cors_behavior = $11,
+	disable_module_cache = $12
 WHERE
 	id = $1
 ;

coderd/database/queries/workspaceagents.sql

@@ -180,6 +180,14 @@ SET
 WHERE
 	id = $1;
 
+-- name: UpdateWorkspaceAgentDisplayAppsByID :exec
+UPDATE
+	workspace_agents
+SET
+	display_apps = $2, updated_at = $3
+WHERE
+	id = $1;
+
 -- name: GetWorkspaceAgentLogsAfter :many
 SELECT
 	*

coderd/database/queries/workspacebuilds.sql

@@ -243,3 +243,31 @@ SET
 	has_external_agent = @has_external_agent,
 	updated_at = @updated_at::timestamptz
 WHERE id = @id::uuid;
+
+-- name: GetWorkspaceBuildMetricsByResourceID :one
+-- Returns build metadata for e2e workspace build duration metrics.
+-- Also checks if all agents are ready and returns the worst status.
+SELECT
+    wb.created_at,
+    wb.transition,
+    t.name AS template_name,
+    o.name AS organization_name,
+    (w.owner_id = 'c42fdf75-3097-471c-8c33-fb52454d81c0') AS is_prebuild,
+    -- All agents must have ready_at set (terminal startup state)
+    COUNT(*) FILTER (WHERE wa.ready_at IS NULL) = 0 AS all_agents_ready,
+    -- Latest ready_at across all agents (for duration calculation)
+	MAX(wa.ready_at)::timestamptz AS last_agent_ready_at,
+    -- Worst status: error > timeout > ready
+    CASE
+        WHEN bool_or(wa.lifecycle_state = 'start_error') THEN 'error'
+        WHEN bool_or(wa.lifecycle_state = 'start_timeout') THEN 'timeout'
+        ELSE 'success'
+    END AS worst_status
+FROM workspace_builds wb
+JOIN workspaces w ON wb.workspace_id = w.id
+JOIN templates t ON w.template_id = t.id
+JOIN organizations o ON t.organization_id = o.id
+JOIN workspace_resources wr ON wr.job_id = wb.job_id
+JOIN workspace_agents wa ON wa.resource_id = wr.id
+WHERE wb.job_id = (SELECT job_id FROM workspace_resources WHERE workspace_resources.id = $1)
+GROUP BY wb.created_at, wb.transition, t.name, o.name, w.owner_id;

coderd/database/queries/workspaces.sql

@@ -292,7 +292,7 @@ WHERE
 	-- Filter by agent status
 	-- has-agent: is only applicable for workspaces in "start" transition. Stopped and deleted workspaces don't have agents.
 	AND CASE
-		WHEN @has_agent :: text != '' THEN
+		WHEN array_length(@has_agent_statuses :: text[], 1) > 0 THEN
 			(
 				SELECT COUNT(*)
 				FROM
@@ -306,7 +306,7 @@ WHERE
 					latest_build.transition = 'start'::workspace_transition AND
 					-- Filter out deleted sub agents.
 					workspace_agents.deleted = FALSE AND
-					@has_agent = (
+					(
 						CASE
 							WHEN workspace_agents.first_connected_at IS NULL THEN
 								CASE
@@ -324,7 +324,7 @@ WHERE
 							ELSE
 								NULL
 						END
-					)
+					) = ANY(@has_agent_statuses :: text[])
 			) > 0
 		ELSE true
 	END
@@ -389,6 +389,7 @@ WHERE
 			workspaces.group_acl ? (@shared_with_group_id :: uuid) :: text
 		ELSE true
 	END
+
 	-- Authorize Filter clause will be injected below in GetAuthorizedWorkspaces
 	-- @authorize_filter
 ), filtered_workspaces_order AS (

coderd/jobreaper/detector_test.go

@@ -8,7 +8,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/google/uuid"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -18,6 +17,7 @@ import (
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/database/dbfake"
 	"github.com/coder/coder/v2/coderd/database/dbgen"
 	"github.com/coder/coder/v2/coderd/database/dbtestutil"
 	"github.com/coder/coder/v2/coderd/jobreaper"
@@ -113,87 +113,33 @@ func TestDetectorHungWorkspaceBuild(t *testing.T) {
 	)
 
 	var (
-		now          = time.Now()
-		twentyMinAgo = now.Add(-time.Minute * 20)
-		tenMinAgo    = now.Add(-time.Minute * 10)
-		sixMinAgo    = now.Add(-time.Minute * 6)
-		org          = dbgen.Organization(t, db, database.Organization{})
-		user         = dbgen.User(t, db, database.User{})
-		file         = dbgen.File(t, db, database.File{})
-		template     = dbgen.Template(t, db, database.Template{
-			OrganizationID: org.ID,
-			CreatedBy:      user.ID,
-		})
-		templateVersion = dbgen.TemplateVersion(t, db, database.TemplateVersion{
-			OrganizationID: org.ID,
-			TemplateID: uuid.NullUUID{
-				UUID:  template.ID,
-				Valid: true,
-			},
-			CreatedBy: user.ID,
-		})
-		workspace = dbgen.Workspace(t, db, database.WorkspaceTable{
-			OwnerID:        user.ID,
-			OrganizationID: org.ID,
-			TemplateID:     template.ID,
-		})
-
-		// Previous build.
+		now                         = time.Now()
+		twentyMinAgo                = now.Add(-time.Minute * 20)
+		tenMinAgo                   = now.Add(-time.Minute * 10)
+		sixMinAgo                   = now.Add(-time.Minute * 6)
+		org                         = dbgen.Organization(t, db, database.Organization{})
+		user                        = dbgen.User(t, db, database.User{})
 		expectedWorkspaceBuildState = []byte(`{"dean":"cool","colin":"also cool"}`)
-		previousWorkspaceBuildJob   = dbgen.ProvisionerJob(t, db, pubsub, database.ProvisionerJob{
-			CreatedAt: twentyMinAgo,
-			UpdatedAt: twentyMinAgo,
-			StartedAt: sql.NullTime{
-				Time:  twentyMinAgo,
-				Valid: true,
-			},
-			CompletedAt: sql.NullTime{
-				Time:  twentyMinAgo,
-				Valid: true,
-			},
-			OrganizationID: org.ID,
-			InitiatorID:    user.ID,
-			Provisioner:    database.ProvisionerTypeEcho,
-			StorageMethod:  database.ProvisionerStorageMethodFile,
-			FileID:         file.ID,
-			Type:           database.ProvisionerJobTypeWorkspaceBuild,
-			Input:          []byte("{}"),
-		})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{
-			WorkspaceID:       workspace.ID,
-			TemplateVersionID: templateVersion.ID,
-			BuildNumber:       1,
-			ProvisionerState:  expectedWorkspaceBuildState,
-			JobID:             previousWorkspaceBuildJob.ID,
-		})
-
-		// Current build.
-		currentWorkspaceBuildJob = dbgen.ProvisionerJob(t, db, pubsub, database.ProvisionerJob{
-			CreatedAt: tenMinAgo,
-			UpdatedAt: sixMinAgo,
-			StartedAt: sql.NullTime{
-				Time:  tenMinAgo,
-				Valid: true,
-			},
-			OrganizationID: org.ID,
-			InitiatorID:    user.ID,
-			Provisioner:    database.ProvisionerTypeEcho,
-			StorageMethod:  database.ProvisionerStorageMethodFile,
-			FileID:         file.ID,
-			Type:           database.ProvisionerJobTypeWorkspaceBuild,
-			Input:          []byte("{}"),
-		})
-		currentWorkspaceBuild = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{
-			WorkspaceID:       workspace.ID,
-			TemplateVersionID: templateVersion.ID,
-			BuildNumber:       2,
-			JobID:             currentWorkspaceBuildJob.ID,
-			// No provisioner state.
-		})
 	)
 
-	t.Log("previous job ID: ", previousWorkspaceBuildJob.ID)
-	t.Log("current job ID: ", currentWorkspaceBuildJob.ID)
+	// Previous build (completed successfully).
+	previousBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+		OrganizationID: org.ID,
+		OwnerID:        user.ID,
+	}).Pubsub(pubsub).Seed(database.WorkspaceBuild{
+		ProvisionerState: expectedWorkspaceBuildState,
+	}).Succeeded(dbfake.WithJobCompletedAt(twentyMinAgo)).
+		Do()
+
+	// Current build (hung - running job with UpdatedAt > 5 min ago).
+	currentBuild := dbfake.WorkspaceBuild(t, db, previousBuild.Workspace).
+		Pubsub(pubsub).
+		Seed(database.WorkspaceBuild{BuildNumber: 2}).
+		Starting(dbfake.WithJobStartedAt(tenMinAgo), dbfake.WithJobUpdatedAt(sixMinAgo)).
+		Do()
+
+	t.Log("previous job ID: ", previousBuild.Build.JobID)
+	t.Log("current job ID: ", currentBuild.Build.JobID)
 
 	detector := jobreaper.New(ctx, wrapDBAuthz(db, log), pubsub, log, tickCh).WithStatsChannel(statsCh)
 	detector.Start()
@@ -202,10 +148,10 @@ func TestDetectorHungWorkspaceBuild(t *testing.T) {
 	stats := <-statsCh
 	require.NoError(t, stats.Error)
 	require.Len(t, stats.TerminatedJobIDs, 1)
-	require.Equal(t, currentWorkspaceBuildJob.ID, stats.TerminatedJobIDs[0])
+	require.Equal(t, currentBuild.Build.JobID, stats.TerminatedJobIDs[0])
 
 	// Check that the current provisioner job was updated.
-	job, err := db.GetProvisionerJobByID(ctx, currentWorkspaceBuildJob.ID)
+	job, err := db.GetProvisionerJobByID(ctx, currentBuild.Build.JobID)
 	require.NoError(t, err)
 	require.WithinDuration(t, now, job.UpdatedAt, 30*time.Second)
 	require.True(t, job.CompletedAt.Valid)
@@ -215,7 +161,7 @@ func TestDetectorHungWorkspaceBuild(t *testing.T) {
 	require.False(t, job.ErrorCode.Valid)
 
 	// Check that the provisioner state was copied.
-	build, err := db.GetWorkspaceBuildByID(ctx, currentWorkspaceBuild.ID)
+	build, err := db.GetWorkspaceBuildByID(ctx, currentBuild.Build.ID)
 	require.NoError(t, err)
 	require.Equal(t, expectedWorkspaceBuildState, build.ProvisionerState)
 
@@ -235,88 +181,37 @@ func TestDetectorHungWorkspaceBuildNoOverrideState(t *testing.T) {
 	)
 
 	var (
-		now          = time.Now()
-		twentyMinAgo = now.Add(-time.Minute * 20)
-		tenMinAgo    = now.Add(-time.Minute * 10)
-		sixMinAgo    = now.Add(-time.Minute * 6)
-		org          = dbgen.Organization(t, db, database.Organization{})
-		user         = dbgen.User(t, db, database.User{})
-		file         = dbgen.File(t, db, database.File{})
-		template     = dbgen.Template(t, db, database.Template{
-			OrganizationID: org.ID,
-			CreatedBy:      user.ID,
-		})
-		templateVersion = dbgen.TemplateVersion(t, db, database.TemplateVersion{
-			OrganizationID: org.ID,
-			TemplateID: uuid.NullUUID{
-				UUID:  template.ID,
-				Valid: true,
-			},
-			CreatedBy: user.ID,
-		})
-		workspace = dbgen.Workspace(t, db, database.WorkspaceTable{
-			OwnerID:        user.ID,
-			OrganizationID: org.ID,
-			TemplateID:     template.ID,
-		})
-
-		// Previous build.
-		previousWorkspaceBuildJob = dbgen.ProvisionerJob(t, db, pubsub, database.ProvisionerJob{
-			CreatedAt: twentyMinAgo,
-			UpdatedAt: twentyMinAgo,
-			StartedAt: sql.NullTime{
-				Time:  twentyMinAgo,
-				Valid: true,
-			},
-			CompletedAt: sql.NullTime{
-				Time:  twentyMinAgo,
-				Valid: true,
-			},
-			OrganizationID: org.ID,
-			InitiatorID:    user.ID,
-			Provisioner:    database.ProvisionerTypeEcho,
-			StorageMethod:  database.ProvisionerStorageMethodFile,
-			FileID:         file.ID,
-			Type:           database.ProvisionerJobTypeWorkspaceBuild,
-			Input:          []byte("{}"),
-		})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{
-			WorkspaceID:       workspace.ID,
-			TemplateVersionID: templateVersion.ID,
-			BuildNumber:       1,
-			ProvisionerState:  []byte(`{"dean":"NOT cool","colin":"also NOT cool"}`),
-			JobID:             previousWorkspaceBuildJob.ID,
-		})
-
-		// Current build.
+		now                         = time.Now()
+		twentyMinAgo                = now.Add(-time.Minute * 20)
+		tenMinAgo                   = now.Add(-time.Minute * 10)
+		sixMinAgo                   = now.Add(-time.Minute * 6)
+		org                         = dbgen.Organization(t, db, database.Organization{})
+		user                        = dbgen.User(t, db, database.User{})
 		expectedWorkspaceBuildState = []byte(`{"dean":"cool","colin":"also cool"}`)
-		currentWorkspaceBuildJob    = dbgen.ProvisionerJob(t, db, pubsub, database.ProvisionerJob{
-			CreatedAt: tenMinAgo,
-			UpdatedAt: sixMinAgo,
-			StartedAt: sql.NullTime{
-				Time:  tenMinAgo,
-				Valid: true,
-			},
-			OrganizationID: org.ID,
-			InitiatorID:    user.ID,
-			Provisioner:    database.ProvisionerTypeEcho,
-			StorageMethod:  database.ProvisionerStorageMethodFile,
-			FileID:         file.ID,
-			Type:           database.ProvisionerJobTypeWorkspaceBuild,
-			Input:          []byte("{}"),
-		})
-		currentWorkspaceBuild = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{
-			WorkspaceID:       workspace.ID,
-			TemplateVersionID: templateVersion.ID,
-			BuildNumber:       2,
-			JobID:             currentWorkspaceBuildJob.ID,
-			// Should not be overridden.
-			ProvisionerState: expectedWorkspaceBuildState,
-		})
 	)
 
-	t.Log("previous job ID: ", previousWorkspaceBuildJob.ID)
-	t.Log("current job ID: ", currentWorkspaceBuildJob.ID)
+	// Previous build (completed successfully).
+	previousBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+		OrganizationID: org.ID,
+		OwnerID:        user.ID,
+	}).Pubsub(pubsub).Seed(database.WorkspaceBuild{
+		ProvisionerState: []byte(`{"dean":"NOT cool","colin":"also NOT cool"}`),
+	}).Succeeded(dbfake.WithJobCompletedAt(twentyMinAgo)).
+		Do()
+
+	// Current build (hung - running job with UpdatedAt > 5 min ago).
+	// This build already has provisioner state, which should NOT be overridden.
+	currentBuild := dbfake.WorkspaceBuild(t, db, previousBuild.Workspace).
+		Pubsub(pubsub).
+		Seed(database.WorkspaceBuild{
+			BuildNumber:      2,
+			ProvisionerState: expectedWorkspaceBuildState,
+		}).
+		Starting(dbfake.WithJobStartedAt(tenMinAgo), dbfake.WithJobUpdatedAt(sixMinAgo)).
+		Do()
+
+	t.Log("previous job ID: ", previousBuild.Build.JobID)
+	t.Log("current job ID: ", currentBuild.Build.JobID)
 
 	detector := jobreaper.New(ctx, wrapDBAuthz(db, log), pubsub, log, tickCh).WithStatsChannel(statsCh)
 	detector.Start()
@@ -325,10 +220,10 @@ func TestDetectorHungWorkspaceBuildNoOverrideState(t *testing.T) {
 	stats := <-statsCh
 	require.NoError(t, stats.Error)
 	require.Len(t, stats.TerminatedJobIDs, 1)
-	require.Equal(t, currentWorkspaceBuildJob.ID, stats.TerminatedJobIDs[0])
+	require.Equal(t, currentBuild.Build.JobID, stats.TerminatedJobIDs[0])
 
 	// Check that the current provisioner job was updated.
-	job, err := db.GetProvisionerJobByID(ctx, currentWorkspaceBuildJob.ID)
+	job, err := db.GetProvisionerJobByID(ctx, currentBuild.Build.JobID)
 	require.NoError(t, err)
 	require.WithinDuration(t, now, job.UpdatedAt, 30*time.Second)
 	require.True(t, job.CompletedAt.Valid)
@@ -338,7 +233,7 @@ func TestDetectorHungWorkspaceBuildNoOverrideState(t *testing.T) {
 	require.False(t, job.ErrorCode.Valid)
 
 	// Check that the provisioner state was NOT copied.
-	build, err := db.GetWorkspaceBuildByID(ctx, currentWorkspaceBuild.ID)
+	build, err := db.GetWorkspaceBuildByID(ctx, currentBuild.Build.ID)
 	require.NoError(t, err)
 	require.Equal(t, expectedWorkspaceBuildState, build.ProvisionerState)
 
@@ -358,58 +253,25 @@ func TestDetectorHungWorkspaceBuildNoOverrideStateIfNoExistingBuild(t *testing.T
 	)
 
 	var (
-		now       = time.Now()
-		tenMinAgo = now.Add(-time.Minute * 10)
-		sixMinAgo = now.Add(-time.Minute * 6)
-		org       = dbgen.Organization(t, db, database.Organization{})
-		user      = dbgen.User(t, db, database.User{})
-		file      = dbgen.File(t, db, database.File{})
-		template  = dbgen.Template(t, db, database.Template{
-			OrganizationID: org.ID,
-			CreatedBy:      user.ID,
-		})
-		templateVersion = dbgen.TemplateVersion(t, db, database.TemplateVersion{
-			OrganizationID: org.ID,
-			TemplateID: uuid.NullUUID{
-				UUID:  template.ID,
-				Valid: true,
-			},
-			CreatedBy: user.ID,
-		})
-		workspace = dbgen.Workspace(t, db, database.WorkspaceTable{
-			OwnerID:        user.ID,
-			OrganizationID: org.ID,
-			TemplateID:     template.ID,
-		})
-
-		// First build.
+		now                         = time.Now()
+		tenMinAgo                   = now.Add(-time.Minute * 10)
+		sixMinAgo                   = now.Add(-time.Minute * 6)
+		org                         = dbgen.Organization(t, db, database.Organization{})
+		user                        = dbgen.User(t, db, database.User{})
 		expectedWorkspaceBuildState = []byte(`{"dean":"cool","colin":"also cool"}`)
-		currentWorkspaceBuildJob    = dbgen.ProvisionerJob(t, db, pubsub, database.ProvisionerJob{
-			CreatedAt: tenMinAgo,
-			UpdatedAt: sixMinAgo,
-			StartedAt: sql.NullTime{
-				Time:  tenMinAgo,
-				Valid: true,
-			},
-			OrganizationID: org.ID,
-			InitiatorID:    user.ID,
-			Provisioner:    database.ProvisionerTypeEcho,
-			StorageMethod:  database.ProvisionerStorageMethodFile,
-			FileID:         file.ID,
-			Type:           database.ProvisionerJobTypeWorkspaceBuild,
-			Input:          []byte("{}"),
-		})
-		currentWorkspaceBuild = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{
-			WorkspaceID:       workspace.ID,
-			TemplateVersionID: templateVersion.ID,
-			BuildNumber:       1,
-			JobID:             currentWorkspaceBuildJob.ID,
-			// Should not be overridden.
-			ProvisionerState: expectedWorkspaceBuildState,
-		})
 	)
 
-	t.Log("current job ID: ", currentWorkspaceBuildJob.ID)
+	// First build (hung - no previous build exists).
+	// This build has provisioner state, which should NOT be overridden.
+	currentBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+		OrganizationID: org.ID,
+		OwnerID:        user.ID,
+	}).Pubsub(pubsub).Seed(database.WorkspaceBuild{
+		ProvisionerState: expectedWorkspaceBuildState,
+	}).Starting(dbfake.WithJobStartedAt(tenMinAgo), dbfake.WithJobUpdatedAt(sixMinAgo)).
+		Do()
+
+	t.Log("current job ID: ", currentBuild.Build.JobID)
 
 	detector := jobreaper.New(ctx, wrapDBAuthz(db, log), pubsub, log, tickCh).WithStatsChannel(statsCh)
 	detector.Start()
@@ -418,10 +280,10 @@ func TestDetectorHungWorkspaceBuildNoOverrideStateIfNoExistingBuild(t *testing.T
 	stats := <-statsCh
 	require.NoError(t, stats.Error)
 	require.Len(t, stats.TerminatedJobIDs, 1)
-	require.Equal(t, currentWorkspaceBuildJob.ID, stats.TerminatedJobIDs[0])
+	require.Equal(t, currentBuild.Build.JobID, stats.TerminatedJobIDs[0])
 
 	// Check that the current provisioner job was updated.
-	job, err := db.GetProvisionerJobByID(ctx, currentWorkspaceBuildJob.ID)
+	job, err := db.GetProvisionerJobByID(ctx, currentBuild.Build.JobID)
 	require.NoError(t, err)
 	require.WithinDuration(t, now, job.UpdatedAt, 30*time.Second)
 	require.True(t, job.CompletedAt.Valid)
@@ -431,7 +293,7 @@ func TestDetectorHungWorkspaceBuildNoOverrideStateIfNoExistingBuild(t *testing.T
 	require.False(t, job.ErrorCode.Valid)
 
 	// Check that the provisioner state was NOT updated.
-	build, err := db.GetWorkspaceBuildByID(ctx, currentWorkspaceBuild.ID)
+	build, err := db.GetWorkspaceBuildByID(ctx, currentBuild.Build.ID)
 	require.NoError(t, err)
 	require.Equal(t, expectedWorkspaceBuildState, build.ProvisionerState)
 
@@ -451,57 +313,24 @@ func TestDetectorPendingWorkspaceBuildNoOverrideStateIfNoExistingBuild(t *testin
 	)
 
 	var (
-		now              = time.Now()
-		thirtyFiveMinAgo = now.Add(-time.Minute * 35)
-		org              = dbgen.Organization(t, db, database.Organization{})
-		user             = dbgen.User(t, db, database.User{})
-		file             = dbgen.File(t, db, database.File{})
-		template         = dbgen.Template(t, db, database.Template{
-			OrganizationID: org.ID,
-			CreatedBy:      user.ID,
-		})
-		templateVersion = dbgen.TemplateVersion(t, db, database.TemplateVersion{
-			OrganizationID: org.ID,
-			TemplateID: uuid.NullUUID{
-				UUID:  template.ID,
-				Valid: true,
-			},
-			CreatedBy: user.ID,
-		})
-		workspace = dbgen.Workspace(t, db, database.WorkspaceTable{
-			OwnerID:        user.ID,
-			OrganizationID: org.ID,
-			TemplateID:     template.ID,
-		})
-
-		// First build.
+		now                         = time.Now()
+		thirtyFiveMinAgo            = now.Add(-time.Minute * 35)
+		org                         = dbgen.Organization(t, db, database.Organization{})
+		user                        = dbgen.User(t, db, database.User{})
 		expectedWorkspaceBuildState = []byte(`{"dean":"cool","colin":"also cool"}`)
-		currentWorkspaceBuildJob    = dbgen.ProvisionerJob(t, db, pubsub, database.ProvisionerJob{
-			CreatedAt: thirtyFiveMinAgo,
-			UpdatedAt: thirtyFiveMinAgo,
-			StartedAt: sql.NullTime{
-				Time:  time.Time{},
-				Valid: false,
-			},
-			OrganizationID: org.ID,
-			InitiatorID:    user.ID,
-			Provisioner:    database.ProvisionerTypeEcho,
-			StorageMethod:  database.ProvisionerStorageMethodFile,
-			FileID:         file.ID,
-			Type:           database.ProvisionerJobTypeWorkspaceBuild,
-			Input:          []byte("{}"),
-		})
-		currentWorkspaceBuild = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{
-			WorkspaceID:       workspace.ID,
-			TemplateVersionID: templateVersion.ID,
-			BuildNumber:       1,
-			JobID:             currentWorkspaceBuildJob.ID,
-			// Should not be overridden.
-			ProvisionerState: expectedWorkspaceBuildState,
-		})
 	)
 
-	t.Log("current job ID: ", currentWorkspaceBuildJob.ID)
+	// First build (hung pending - no previous build exists).
+	// This build has provisioner state, which should NOT be overridden.
+	currentBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+		OrganizationID: org.ID,
+		OwnerID:        user.ID,
+	}).Pubsub(pubsub).Seed(database.WorkspaceBuild{
+		ProvisionerState: expectedWorkspaceBuildState,
+	}).Pending(dbfake.WithJobCreatedAt(thirtyFiveMinAgo), dbfake.WithJobUpdatedAt(thirtyFiveMinAgo)).
+		Do()
+
+	t.Log("current job ID: ", currentBuild.Build.JobID)
 
 	detector := jobreaper.New(ctx, wrapDBAuthz(db, log), pubsub, log, tickCh).WithStatsChannel(statsCh)
 	detector.Start()
@@ -510,10 +339,10 @@ func TestDetectorPendingWorkspaceBuildNoOverrideStateIfNoExistingBuild(t *testin
 	stats := <-statsCh
 	require.NoError(t, stats.Error)
 	require.Len(t, stats.TerminatedJobIDs, 1)
-	require.Equal(t, currentWorkspaceBuildJob.ID, stats.TerminatedJobIDs[0])
+	require.Equal(t, currentBuild.Build.JobID, stats.TerminatedJobIDs[0])
 
 	// Check that the current provisioner job was updated.
-	job, err := db.GetProvisionerJobByID(ctx, currentWorkspaceBuildJob.ID)
+	job, err := db.GetProvisionerJobByID(ctx, currentBuild.Build.JobID)
 	require.NoError(t, err)
 	require.WithinDuration(t, now, job.UpdatedAt, 30*time.Second)
 	require.True(t, job.CompletedAt.Valid)
@@ -525,7 +354,7 @@ func TestDetectorPendingWorkspaceBuildNoOverrideStateIfNoExistingBuild(t *testin
 	require.False(t, job.ErrorCode.Valid)
 
 	// Check that the provisioner state was NOT updated.
-	build, err := db.GetWorkspaceBuildByID(ctx, currentWorkspaceBuild.ID)
+	build, err := db.GetWorkspaceBuildByID(ctx, currentBuild.Build.ID)
 	require.NoError(t, err)
 	require.Equal(t, expectedWorkspaceBuildState, build.ProvisionerState)
 
@@ -551,66 +380,34 @@ func TestDetectorWorkspaceBuildForDormantWorkspace(t *testing.T) {
 	)
 
 	var (
-		now       = time.Now()
-		tenMinAgo = now.Add(-time.Minute * 10)
-		sixMinAgo = now.Add(-time.Minute * 6)
-		org       = dbgen.Organization(t, db, database.Organization{})
-		user      = dbgen.User(t, db, database.User{})
-		file      = dbgen.File(t, db, database.File{})
-		template  = dbgen.Template(t, db, database.Template{
-			OrganizationID: org.ID,
-			CreatedBy:      user.ID,
-		})
-		templateVersion = dbgen.TemplateVersion(t, db, database.TemplateVersion{
-			OrganizationID: org.ID,
-			TemplateID: uuid.NullUUID{
-				UUID:  template.ID,
-				Valid: true,
-			},
-			CreatedBy: user.ID,
-		})
-		workspace = dbgen.Workspace(t, db, database.WorkspaceTable{
-			OwnerID:        user.ID,
-			OrganizationID: org.ID,
-			TemplateID:     template.ID,
-			DormantAt: sql.NullTime{
-				Time:  now.Add(-time.Hour),
-				Valid: true,
-			},
-		})
-
-		// First build.
+		now                         = time.Now()
+		tenMinAgo                   = now.Add(-time.Minute * 10)
+		sixMinAgo                   = now.Add(-time.Minute * 6)
+		org                         = dbgen.Organization(t, db, database.Organization{})
+		user                        = dbgen.User(t, db, database.User{})
 		expectedWorkspaceBuildState = []byte(`{"dean":"cool","colin":"also cool"}`)
-		currentWorkspaceBuildJob    = dbgen.ProvisionerJob(t, db, pubsub, database.ProvisionerJob{
-			CreatedAt: tenMinAgo,
-			UpdatedAt: sixMinAgo,
-			StartedAt: sql.NullTime{
-				Time:  tenMinAgo,
-				Valid: true,
-			},
-			OrganizationID: org.ID,
-			InitiatorID:    user.ID,
-			Provisioner:    database.ProvisionerTypeEcho,
-			StorageMethod:  database.ProvisionerStorageMethodFile,
-			FileID:         file.ID,
-			Type:           database.ProvisionerJobTypeWorkspaceBuild,
-			Input:          []byte("{}"),
-		})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{
-			WorkspaceID:       workspace.ID,
-			TemplateVersionID: templateVersion.ID,
-			BuildNumber:       1,
-			JobID:             currentWorkspaceBuildJob.ID,
-			// Should not be overridden.
-			ProvisionerState: expectedWorkspaceBuildState,
-		})
 	)
 
-	t.Log("current job ID: ", currentWorkspaceBuildJob.ID)
+	// First build (hung - running job with UpdatedAt > 5 min ago).
+	// This build has provisioner state, which should NOT be overridden.
+	// The workspace is dormant from the start.
+	currentBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+		OrganizationID: org.ID,
+		OwnerID:        user.ID,
+		DormantAt: sql.NullTime{
+			Time:  now.Add(-time.Hour),
+			Valid: true,
+		},
+	}).Pubsub(pubsub).Seed(database.WorkspaceBuild{
+		ProvisionerState: expectedWorkspaceBuildState,
+	}).Starting(dbfake.WithJobStartedAt(tenMinAgo), dbfake.WithJobUpdatedAt(sixMinAgo)).
+		Do()
+
+	t.Log("current job ID: ", currentBuild.Build.JobID)
 
 	// Ensure the RBAC is the dormant type to ensure we're testing the right
 	// thing.
-	require.Equal(t, rbac.ResourceWorkspaceDormant.Type, workspace.RBACObject().Type)
+	require.Equal(t, rbac.ResourceWorkspaceDormant.Type, currentBuild.Workspace.RBACObject().Type)
 
 	detector := jobreaper.New(ctx, wrapDBAuthz(db, log), pubsub, log, tickCh).WithStatsChannel(statsCh)
 	detector.Start()
@@ -619,10 +416,10 @@ func TestDetectorWorkspaceBuildForDormantWorkspace(t *testing.T) {
 	stats := <-statsCh
 	require.NoError(t, stats.Error)
 	require.Len(t, stats.TerminatedJobIDs, 1)
-	require.Equal(t, currentWorkspaceBuildJob.ID, stats.TerminatedJobIDs[0])
+	require.Equal(t, currentBuild.Build.JobID, stats.TerminatedJobIDs[0])
 
 	// Check that the current provisioner job was updated.
-	job, err := db.GetProvisionerJobByID(ctx, currentWorkspaceBuildJob.ID)
+	job, err := db.GetProvisionerJobByID(ctx, currentBuild.Build.JobID)
 	require.NoError(t, err)
 	require.WithinDuration(t, now, job.UpdatedAt, 30*time.Second)
 	require.True(t, job.CompletedAt.Valid)

coderd/notifications/reports/generator_internal_test.go

@@ -16,6 +16,7 @@ import (
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/database/dbfake"
 	"github.com/coder/coder/v2/coderd/database/dbgen"
 	"github.com/coder/coder/v2/coderd/database/dbtestutil"
 	"github.com/coder/coder/v2/coderd/database/pubsub"
@@ -92,8 +93,11 @@ func TestReportFailedWorkspaceBuilds(t *testing.T) {
 		// Workspaces
 		w1 := dbgen.Workspace(t, db, database.WorkspaceTable{TemplateID: t1.ID, OwnerID: user1.ID, OrganizationID: org.ID})
 
-		w1wb1pj := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, Error: jobError, ErrorCode: jobErrorCode, CompletedAt: sql.NullTime{Time: now.Add(-6 * dayDuration), Valid: true}})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w1.ID, BuildNumber: 1, TemplateVersionID: t1v1.ID, JobID: w1wb1pj.ID, CreatedAt: now.Add(-2 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator})
+		_ = dbfake.WorkspaceBuild(t, db, w1).
+			Pubsub(ps).
+			Seed(database.WorkspaceBuild{BuildNumber: 1, TemplateVersionID: t1v1.ID, CreatedAt: now.Add(-2 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}).
+			Failed(dbfake.WithJobError(jobError.String), dbfake.WithJobErrorCode(jobErrorCode.String), dbfake.WithJobCompletedAt(now.Add(-6*dayDuration))).
+			Do()
 
 		// When: first run
 		notifEnq.Clear()
@@ -178,27 +182,54 @@ func TestReportFailedWorkspaceBuilds(t *testing.T) {
 		now := clk.Now()
 
 		// Workspace builds
-		w1wb1pj := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, Error: jobError, ErrorCode: jobErrorCode, CompletedAt: sql.NullTime{Time: now.Add(-6 * dayDuration), Valid: true}})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w1.ID, BuildNumber: 1, TemplateVersionID: t1v1.ID, JobID: w1wb1pj.ID, CreatedAt: now.Add(-6 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator})
-		w1wb2pj := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, CompletedAt: sql.NullTime{Time: now.Add(-5 * dayDuration), Valid: true}})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w1.ID, BuildNumber: 2, TemplateVersionID: t1v2.ID, JobID: w1wb2pj.ID, CreatedAt: now.Add(-5 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator})
-		w1wb3pj := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, Error: jobError, ErrorCode: jobErrorCode, CompletedAt: sql.NullTime{Time: now.Add(-4 * dayDuration), Valid: true}})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w1.ID, BuildNumber: 3, TemplateVersionID: t1v2.ID, JobID: w1wb3pj.ID, CreatedAt: now.Add(-4 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator})
+		_ = dbfake.WorkspaceBuild(t, db, w1).
+			Pubsub(ps).
+			Seed(database.WorkspaceBuild{BuildNumber: 1, TemplateVersionID: t1v1.ID, CreatedAt: now.Add(-6 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}).
+			Failed(dbfake.WithJobError(jobError.String), dbfake.WithJobErrorCode(jobErrorCode.String), dbfake.WithJobCompletedAt(now.Add(-6*dayDuration))).
+			Do()
+		_ = dbfake.WorkspaceBuild(t, db, w1).
+			Pubsub(ps).
+			Seed(database.WorkspaceBuild{BuildNumber: 2, TemplateVersionID: t1v2.ID, CreatedAt: now.Add(-5 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}).
+			Succeeded(dbfake.WithJobCompletedAt(now.Add(-5 * dayDuration))).
+			Do()
+		_ = dbfake.WorkspaceBuild(t, db, w1).
+			Pubsub(ps).
+			Seed(database.WorkspaceBuild{BuildNumber: 3, TemplateVersionID: t1v2.ID, CreatedAt: now.Add(-4 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}).
+			Failed(dbfake.WithJobError(jobError.String), dbfake.WithJobErrorCode(jobErrorCode.String), dbfake.WithJobCompletedAt(now.Add(-4*dayDuration))).
+			Do()
 
-		w2wb1pj := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, CompletedAt: sql.NullTime{Time: now.Add(-5 * dayDuration), Valid: true}})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w2.ID, BuildNumber: 4, TemplateVersionID: t2v1.ID, JobID: w2wb1pj.ID, CreatedAt: now.Add(-5 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator})
-		w2wb2pj := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, Error: jobError, ErrorCode: jobErrorCode, CompletedAt: sql.NullTime{Time: now.Add(-4 * dayDuration), Valid: true}})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w2.ID, BuildNumber: 5, TemplateVersionID: t2v2.ID, JobID: w2wb2pj.ID, CreatedAt: now.Add(-4 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator})
-		w2wb3pj := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, Error: jobError, ErrorCode: jobErrorCode, CompletedAt: sql.NullTime{Time: now.Add(-3 * dayDuration), Valid: true}})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w2.ID, BuildNumber: 6, TemplateVersionID: t2v2.ID, JobID: w2wb3pj.ID, CreatedAt: now.Add(-3 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator})
+		_ = dbfake.WorkspaceBuild(t, db, w2).
+			Pubsub(ps).
+			Seed(database.WorkspaceBuild{BuildNumber: 4, TemplateVersionID: t2v1.ID, CreatedAt: now.Add(-5 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}).
+			Succeeded(dbfake.WithJobCompletedAt(now.Add(-5 * dayDuration))).
+			Do()
+		_ = dbfake.WorkspaceBuild(t, db, w2).
+			Pubsub(ps).
+			Seed(database.WorkspaceBuild{BuildNumber: 5, TemplateVersionID: t2v2.ID, CreatedAt: now.Add(-4 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}).
+			Failed(dbfake.WithJobError(jobError.String), dbfake.WithJobErrorCode(jobErrorCode.String), dbfake.WithJobCompletedAt(now.Add(-4*dayDuration))).
+			Do()
+		_ = dbfake.WorkspaceBuild(t, db, w2).
+			Pubsub(ps).
+			Seed(database.WorkspaceBuild{BuildNumber: 6, TemplateVersionID: t2v2.ID, CreatedAt: now.Add(-3 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}).
+			Failed(dbfake.WithJobError(jobError.String), dbfake.WithJobErrorCode(jobErrorCode.String), dbfake.WithJobCompletedAt(now.Add(-3*dayDuration))).
+			Do()
 
-		w3wb1pj := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, Error: jobError, ErrorCode: jobErrorCode, CompletedAt: sql.NullTime{Time: now.Add(-3 * dayDuration), Valid: true}})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w3.ID, BuildNumber: 7, TemplateVersionID: t1v1.ID, JobID: w3wb1pj.ID, CreatedAt: now.Add(-3 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator})
+		_ = dbfake.WorkspaceBuild(t, db, w3).
+			Pubsub(ps).
+			Seed(database.WorkspaceBuild{BuildNumber: 7, TemplateVersionID: t1v1.ID, CreatedAt: now.Add(-3 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}).
+			Failed(dbfake.WithJobError(jobError.String), dbfake.WithJobErrorCode(jobErrorCode.String), dbfake.WithJobCompletedAt(now.Add(-3*dayDuration))).
+			Do()
 
-		w4wb1pj := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, Error: jobError, ErrorCode: jobErrorCode, CompletedAt: sql.NullTime{Time: now.Add(-6 * dayDuration), Valid: true}})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w4.ID, BuildNumber: 8, TemplateVersionID: t2v1.ID, JobID: w4wb1pj.ID, CreatedAt: now.Add(-6 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator})
-		w4wb2pj := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, CompletedAt: sql.NullTime{Time: now.Add(-dayDuration), Valid: true}})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w4.ID, BuildNumber: 9, TemplateVersionID: t2v2.ID, JobID: w4wb2pj.ID, CreatedAt: now.Add(-dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator})
+		_ = dbfake.WorkspaceBuild(t, db, w4).
+			Pubsub(ps).
+			Seed(database.WorkspaceBuild{BuildNumber: 8, TemplateVersionID: t2v1.ID, CreatedAt: now.Add(-6 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}).
+			Failed(dbfake.WithJobError(jobError.String), dbfake.WithJobErrorCode(jobErrorCode.String), dbfake.WithJobCompletedAt(now.Add(-6*dayDuration))).
+			Do()
+		_ = dbfake.WorkspaceBuild(t, db, w4).
+			Pubsub(ps).
+			Seed(database.WorkspaceBuild{BuildNumber: 9, TemplateVersionID: t2v2.ID, CreatedAt: now.Add(-dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}).
+			Succeeded(dbfake.WithJobCompletedAt(now.Add(-dayDuration))).
+			Do()
 
 		// When
 		notifEnq.Clear()
@@ -275,8 +306,11 @@ func TestReportFailedWorkspaceBuilds(t *testing.T) {
 		clk.Advance(6 * dayDuration).MustWait(context.Background())
 		now = clk.Now()
 
-		w1wb4pj := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, Error: jobError, ErrorCode: jobErrorCode, CompletedAt: sql.NullTime{Time: now.Add(-dayDuration), Valid: true}})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w1.ID, BuildNumber: 77, TemplateVersionID: t1v2.ID, JobID: w1wb4pj.ID, CreatedAt: now.Add(-dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator})
+		_ = dbfake.WorkspaceBuild(t, db, w1).
+			Pubsub(ps).
+			Seed(database.WorkspaceBuild{BuildNumber: 77, TemplateVersionID: t1v2.ID, CreatedAt: now.Add(-dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}).
+			Failed(dbfake.WithJobError(jobError.String), dbfake.WithJobErrorCode(jobErrorCode.String), dbfake.WithJobCompletedAt(now.Add(-dayDuration))).
+			Do()
 
 		// When
 		notifEnq.Clear()
@@ -380,17 +414,26 @@ func TestReportFailedWorkspaceBuilds(t *testing.T) {
 		now := clk.Now()
 
 		// Workspace builds
-		pj0 := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, CompletedAt: sql.NullTime{Time: now.Add(-24 * time.Hour), Valid: true}})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w1.ID, BuildNumber: 777, TemplateVersionID: t1v1.ID, JobID: pj0.ID, CreatedAt: now.Add(-24 * time.Hour), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator})
+		_ = dbfake.WorkspaceBuild(t, db, w1).
+			Pubsub(ps).
+			Seed(database.WorkspaceBuild{BuildNumber: 777, TemplateVersionID: t1v1.ID, CreatedAt: now.Add(-24 * time.Hour), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}).
+			Succeeded(dbfake.WithJobCompletedAt(now.Add(-24 * time.Hour))).
+			Do()
 
 		for i := 1; i <= 23; i++ {
 			at := now.Add(-time.Duration(i) * time.Hour)
 
-			pj1 := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, Error: jobError, ErrorCode: jobErrorCode, CompletedAt: sql.NullTime{Time: at, Valid: true}})
-			_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w1.ID, BuildNumber: int32(i), TemplateVersionID: t1v1.ID, JobID: pj1.ID, CreatedAt: at, Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}) // nolint:gosec
+			_ = dbfake.WorkspaceBuild(t, db, w1).
+				Pubsub(ps).
+				Seed(database.WorkspaceBuild{BuildNumber: int32(i), TemplateVersionID: t1v1.ID, CreatedAt: at, Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}). // nolint:gosec
+				Failed(dbfake.WithJobError(jobError.String), dbfake.WithJobErrorCode(jobErrorCode.String), dbfake.WithJobCompletedAt(at)).
+				Do()
 
-			pj2 := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, Error: jobError, ErrorCode: jobErrorCode, CompletedAt: sql.NullTime{Time: at, Valid: true}})
-			_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w1.ID, BuildNumber: int32(i) + 100, TemplateVersionID: t1v2.ID, JobID: pj2.ID, CreatedAt: at, Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}) // nolint:gosec
+			_ = dbfake.WorkspaceBuild(t, db, w1).
+				Pubsub(ps).
+				Seed(database.WorkspaceBuild{BuildNumber: int32(i) + 100, TemplateVersionID: t1v2.ID, CreatedAt: at, Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}). // nolint:gosec
+				Failed(dbfake.WithJobError(jobError.String), dbfake.WithJobErrorCode(jobErrorCode.String), dbfake.WithJobCompletedAt(at)).
+				Do()
 		}
 
 		// When
@@ -486,10 +529,16 @@ func TestReportFailedWorkspaceBuilds(t *testing.T) {
 		now := clk.Now()
 
 		// Workspace builds
-		w1wb1pj := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, CompletedAt: sql.NullTime{Time: now.Add(-6 * dayDuration), Valid: true}})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w1.ID, BuildNumber: 1, TemplateVersionID: t1v1.ID, JobID: w1wb1pj.ID, CreatedAt: now.Add(-2 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator})
-		w1wb2pj := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{OrganizationID: org.ID, CompletedAt: sql.NullTime{Time: now.Add(-5 * dayDuration), Valid: true}})
-		_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{WorkspaceID: w1.ID, BuildNumber: 2, TemplateVersionID: t1v1.ID, JobID: w1wb2pj.ID, CreatedAt: now.Add(-1 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator})
+		_ = dbfake.WorkspaceBuild(t, db, w1).
+			Pubsub(ps).
+			Seed(database.WorkspaceBuild{BuildNumber: 1, TemplateVersionID: t1v1.ID, CreatedAt: now.Add(-2 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}).
+			Succeeded(dbfake.WithJobCompletedAt(now.Add(-6 * dayDuration))).
+			Do()
+		_ = dbfake.WorkspaceBuild(t, db, w1).
+			Pubsub(ps).
+			Seed(database.WorkspaceBuild{BuildNumber: 2, TemplateVersionID: t1v1.ID, CreatedAt: now.Add(-1 * dayDuration), Transition: database.WorkspaceTransitionStart, Reason: database.BuildReasonInitiator}).
+			Succeeded(dbfake.WithJobCompletedAt(now.Add(-5 * dayDuration))).
+			Do()
 
 		// When
 		notifEnq.Clear()

coderd/oauth2provider/apps.go

@@ -50,7 +50,7 @@ func ListApps(db database.Store, accessURL *url.URL) http.HandlerFunc {
 			return
 		}
 
-		var sdkApps []codersdk.OAuth2ProviderApp
+		sdkApps := make([]codersdk.OAuth2ProviderApp, 0, len(userApps))
 		for _, app := range userApps {
 			sdkApps = append(sdkApps, db2sdk.OAuth2ProviderApp(accessURL, app.OAuth2ProviderApp))
 		}

coderd/provisionerdserver/provisionerdserver.go

@@ -512,13 +512,15 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 
 		// Fetch the file id of the cached module files if it exists.
 		versionModulesFile := ""
-		tfvals, err := s.Database.GetTemplateVersionTerraformValues(ctx, templateVersion.ID)
-		if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
-			// Older templates (before dynamic parameters) will not have cached module files.
-			return nil, failJob(fmt.Sprintf("get template version terraform values: %s", err))
-		}
-		if err == nil && tfvals.CachedModuleFiles.Valid {
-			versionModulesFile = tfvals.CachedModuleFiles.UUID.String()
+		if !template.DisableModuleCache {
+			tfvals, err := s.Database.GetTemplateVersionTerraformValues(ctx, templateVersion.ID)
+			if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
+				// Older templates (before dynamic parameters) will not have cached module files.
+				return nil, failJob(fmt.Sprintf("get template version terraform values: %s", err))
+			}
+			if err == nil && tfvals.CachedModuleFiles.Valid {
+				versionModulesFile = tfvals.CachedModuleFiles.UUID.String()
+			}
 		}
 
 		var ownerSSHPublicKey, ownerSSHPrivateKey string

coderd/rbac/object_gen.go

@@ -370,6 +370,7 @@ var (
 	//  - "ActionWorkspaceStart" :: allows starting a workspace
 	//  - "ActionWorkspaceStop" :: allows stopping a workspace
 	//  - "ActionUpdate" :: edit workspace settings (scheduling, permissions, parameters)
+	//  - "ActionUpdateAgent" :: update an existing workspace agent
 	ResourceWorkspace = Object{
 		Type: "workspace",
 	}
@@ -403,6 +404,7 @@ var (
 	//  - "ActionWorkspaceStart" :: allows starting a workspace
 	//  - "ActionWorkspaceStop" :: allows stopping a workspace
 	//  - "ActionUpdate" :: edit workspace settings (scheduling, permissions, parameters)
+	//  - "ActionUpdateAgent" :: update an existing workspace agent
 	ResourceWorkspaceDormant = Object{
 		Type: "workspace_dormant",
 	}
@@ -480,6 +482,7 @@ func AllActions() []policy.Action {
 		policy.ActionShare,
 		policy.ActionUnassign,
 		policy.ActionUpdate,
+		policy.ActionUpdateAgent,
 		policy.ActionUpdatePersonal,
 		policy.ActionUse,
 		policy.ActionViewInsights,

coderd/rbac/policy/policy.go

@@ -27,6 +27,7 @@ const (
 
 	ActionCreateAgent Action = "create_agent"
 	ActionDeleteAgent Action = "delete_agent"
+	ActionUpdateAgent Action = "update_agent"
 
 	ActionShare Action = "share"
 )
@@ -63,6 +64,7 @@ var workspaceActions = map[Action]ActionDefinition{
 
 	ActionCreateAgent: "create a new workspace agent",
 	ActionDeleteAgent: "delete an existing workspace agent",
+	ActionUpdateAgent: "update an existing workspace agent",
 
 	// Sharing a workspace
 	ActionShare: "share a workspace with other users or groups",

coderd/rbac/roles.go

@@ -290,7 +290,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			// This adds back in the Workspace permissions.
 			Permissions(map[string][]policy.Action{
 				ResourceWorkspace.Type:        ownerWorkspaceActions,
-				ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop, policy.ActionCreateAgent, policy.ActionDeleteAgent},
+				ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop, policy.ActionCreateAgent, policy.ActionDeleteAgent, policy.ActionUpdateAgent},
 				// PrebuiltWorkspaces are a subset of Workspaces.
 				// Explicitly setting PrebuiltWorkspace permissions for clarity.
 				// Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions.
@@ -434,7 +434,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 					// Org admins should not have workspace exec perms.
 					organizationID.String(): {
 						Org: append(allPermsExcept(ResourceWorkspace, ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceAssignRole, ResourceUserSecret, ResourceBoundaryUsage), Permissions(map[string][]policy.Action{
-							ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop, policy.ActionCreateAgent, policy.ActionDeleteAgent},
+							ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop, policy.ActionCreateAgent, policy.ActionDeleteAgent, policy.ActionUpdateAgent},
 							ResourceWorkspace.Type:        slice.Omit(ResourceWorkspace.AvailableActions(), policy.ActionApplicationConnect, policy.ActionSSH),
 							// PrebuiltWorkspaces are a subset of Workspaces.
 							// Explicitly setting PrebuiltWorkspace permissions for clarity.
@@ -972,6 +972,7 @@ func OrgMemberPermissions(workspaceSharingDisabled bool) (
 				policy.ActionWorkspaceStop,
 				policy.ActionCreateAgent,
 				policy.ActionDeleteAgent,
+				policy.ActionUpdateAgent,
 			},
 			// Can read their own organization member record.
 			ResourceOrganizationMember.Type: {

coderd/rbac/roles_test.go

@@ -294,6 +294,15 @@ func TestRolePermissions(t *testing.T) {
 				false: {setOtherOrg, memberMe, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, orgAuditor, orgAdminBanWorkspace},
 			},
 		},
+		{
+			Name:     "UpdateWorkspaceAgent",
+			Actions:  []policy.Action{policy.ActionUpdateAgent},
+			Resource: rbac.ResourceWorkspace.WithID(workspaceID).InOrg(orgID).WithOwner(currentUser.String()),
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true:  {owner, orgAdmin, orgAdminBanWorkspace},
+				false: {setOtherOrg, memberMe, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, orgAuditor},
+			},
+		},
 		{
 			Name:    "ShareMyWorkspace",
 			Actions: []policy.Action{policy.ActionShare},
@@ -563,7 +572,7 @@ func TestRolePermissions(t *testing.T) {
 		},
 		{
 			Name:     "WorkspaceDormant",
-			Actions:  append(crud, policy.ActionWorkspaceStop, policy.ActionCreateAgent, policy.ActionDeleteAgent),
+			Actions:  append(crud, policy.ActionWorkspaceStop, policy.ActionCreateAgent, policy.ActionDeleteAgent, policy.ActionUpdateAgent),
 			Resource: rbac.ResourceWorkspaceDormant.WithID(uuid.New()).InOrg(orgID).WithOwner(memberMe.Actor.ID),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
 				true:  {orgAdmin, owner},

coderd/rbac/scopes_constants_gen.go

@@ -135,6 +135,7 @@ const (
 	ScopeWorkspaceStart                      ScopeName = "workspace:start"
 	ScopeWorkspaceStop                       ScopeName = "workspace:stop"
 	ScopeWorkspaceUpdate                     ScopeName = "workspace:update"
+	ScopeWorkspaceUpdateAgent                ScopeName = "workspace:update_agent"
 	ScopeWorkspaceAgentDevcontainersCreate   ScopeName = "workspace_agent_devcontainers:create"
 	ScopeWorkspaceAgentResourceMonitorCreate ScopeName = "workspace_agent_resource_monitor:create"
 	ScopeWorkspaceAgentResourceMonitorRead   ScopeName = "workspace_agent_resource_monitor:read"
@@ -150,6 +151,7 @@ const (
 	ScopeWorkspaceDormantStart               ScopeName = "workspace_dormant:start"
 	ScopeWorkspaceDormantStop                ScopeName = "workspace_dormant:stop"
 	ScopeWorkspaceDormantUpdate              ScopeName = "workspace_dormant:update"
+	ScopeWorkspaceDormantUpdateAgent         ScopeName = "workspace_dormant:update_agent"
 	ScopeWorkspaceProxyCreate                ScopeName = "workspace_proxy:create"
 	ScopeWorkspaceProxyDelete                ScopeName = "workspace_proxy:delete"
 	ScopeWorkspaceProxyRead                  ScopeName = "workspace_proxy:read"
@@ -293,6 +295,7 @@ func (e ScopeName) Valid() bool {
 		ScopeWorkspaceStart,
 		ScopeWorkspaceStop,
 		ScopeWorkspaceUpdate,
+		ScopeWorkspaceUpdateAgent,
 		ScopeWorkspaceAgentDevcontainersCreate,
 		ScopeWorkspaceAgentResourceMonitorCreate,
 		ScopeWorkspaceAgentResourceMonitorRead,
@@ -308,6 +311,7 @@ func (e ScopeName) Valid() bool {
 		ScopeWorkspaceDormantStart,
 		ScopeWorkspaceDormantStop,
 		ScopeWorkspaceDormantUpdate,
+		ScopeWorkspaceDormantUpdateAgent,
 		ScopeWorkspaceProxyCreate,
 		ScopeWorkspaceProxyDelete,
 		ScopeWorkspaceProxyRead,
@@ -452,6 +456,7 @@ func AllScopeNameValues() []ScopeName {
 		ScopeWorkspaceStart,
 		ScopeWorkspaceStop,
 		ScopeWorkspaceUpdate,
+		ScopeWorkspaceUpdateAgent,
 		ScopeWorkspaceAgentDevcontainersCreate,
 		ScopeWorkspaceAgentResourceMonitorCreate,
 		ScopeWorkspaceAgentResourceMonitorRead,
@@ -467,6 +472,7 @@ func AllScopeNameValues() []ScopeName {
 		ScopeWorkspaceDormantStart,
 		ScopeWorkspaceDormantStop,
 		ScopeWorkspaceDormantUpdate,
+		ScopeWorkspaceDormantUpdateAgent,
 		ScopeWorkspaceProxyCreate,
 		ScopeWorkspaceProxyDelete,
 		ScopeWorkspaceProxyRead,

coderd/searchquery/search.go

@@ -254,7 +254,7 @@ func Workspaces(ctx context.Context, db database.Store, query string, page coder
 	filter.TemplateName = parser.String(values, "", "template")
 	filter.Name = parser.String(values, "", "name")
 	filter.Status = string(httpapi.ParseCustom(parser, values, "", "status", httpapi.ParseEnum[database.WorkspaceStatus]))
-	filter.HasAgent = parser.String(values, "", "has-agent")
+	filter.HasAgentStatuses = parser.Strings(values, []string{}, "has-agent")
 	filter.Dormant = parser.Boolean(values, false, "dormant")
 	filter.LastUsedAfter = parser.Time3339Nano(values, time.Time{}, "last_used_after")
 	filter.LastUsedBefore = parser.Time3339Nano(values, time.Time{}, "last_used_before")
@@ -273,6 +273,15 @@ func Workspaces(ctx context.Context, db database.Store, query string, page coder
 	// TODO: support "me" by passing in the actorID
 	filter.SharedWithUserID = parseUser(ctx, db, parser, values, "shared_with_user", uuid.Nil)
 	filter.SharedWithGroupID = parseGroup(ctx, db, parser, values, "shared_with_group")
+	// Translate healthy filter to has-agent statuses
+	// healthy:true = connected, healthy:false = disconnected or timeout
+	if healthy := parser.NullableBoolean(values, sql.NullBool{}, "healthy"); healthy.Valid {
+		if healthy.Bool {
+			filter.HasAgentStatuses = append(filter.HasAgentStatuses, "connected")
+		} else {
+			filter.HasAgentStatuses = append(filter.HasAgentStatuses, "disconnected", "timeout")
+		}
+	}
 
 	type paramMatch struct {
 		name  string

coderd/searchquery/search_test.go

@@ -312,6 +312,34 @@ func TestSearchWorkspace(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name:  "HealthyTrue",
+			Query: "healthy:true",
+			Expected: database.GetWorkspacesParams{
+				HasAgentStatuses: []string{"connected"},
+			},
+		},
+		{
+			Name:  "HealthyFalse",
+			Query: "healthy:false",
+			Expected: database.GetWorkspacesParams{
+				HasAgentStatuses: []string{"disconnected", "timeout"},
+			},
+		},
+		{
+			Name:  "HealthyMissing",
+			Query: "",
+			Expected: database.GetWorkspacesParams{
+				HasAgentStatuses: []string{},
+			},
+		},
+		{
+			Name:  "HealthyAndHasAgent",
+			Query: "has-agent:connecting healthy:true",
+			Expected: database.GetWorkspacesParams{
+				HasAgentStatuses: []string{"connecting", "connected"},
+			},
+		},
 		{
 			Name:  "SharedWithUser",
 			Query: `shared_with_user:3dd8b1b8-dff5-4b22-8ae9-c243ca136ecf`,
@@ -474,6 +502,10 @@ func TestSearchWorkspace(t *testing.T) {
 					// nil slice vs 0 len slice is equivalent for our purposes.
 					c.Expected.HasParam = values.HasParam
 				}
+				if len(c.Expected.HasAgentStatuses) == len(values.HasAgentStatuses) {
+					// nil slice vs 0 len slice is equivalent for our purposes.
+					c.Expected.HasAgentStatuses = values.HasAgentStatuses
+				}
 				assert.Len(t, errs, 0, "expected no error")
 				assert.Equal(t, c.Expected, values, "expected values")
 			}

coderd/telemetry/telemetry.go

@@ -876,17 +876,20 @@ func (r *remoteReporter) collectBoundaryUsageSummary(ctx context.Context) (*Boun
 		return nil, xerrors.Errorf("insert boundary usage telemetry lock (period_ending_at=%q): %w", periodEndingAt, err)
 	}
 
-	summary, err := r.options.Database.GetBoundaryUsageSummary(boundaryCtx, maxStaleness.Milliseconds())
+	var summary database.GetAndResetBoundaryUsageSummaryRow
+	err = r.options.Database.InTx(func(tx database.Store) error {
+		// The advisory lock use here ensures a clean transition to the next snapshot by
+		// preventing replicas from upserting row(s) at the same time as we aggregate and
+		// delete all rows here.
+		var txErr error
+		if txErr = tx.AcquireLock(boundaryCtx, database.LockIDBoundaryUsageStats); txErr != nil {
+			return txErr
+		}
+		summary, txErr = tx.GetAndResetBoundaryUsageSummary(boundaryCtx, maxStaleness.Milliseconds())
+		return txErr
+	}, nil)
 	if err != nil {
-		return nil, xerrors.Errorf("get boundary usage summary: %w", err)
-	}
-
-	// Reset stats after capturing the summary. This deletes all rows so each
-	// replica will detect a new period on their next flush. Note: there is a
-	// known race condition here that may result in a small telemetry inaccuracy
-	// with multiple replicas (https://github.com/coder/coder/issues/21770).
-	if err := r.options.Database.ResetBoundaryUsageStats(boundaryCtx); err != nil {
-		return nil, xerrors.Errorf("reset boundary usage stats: %w", err)
+		return nil, xerrors.Errorf("get and reset boundary usage summary: %w", err)
 	}
 
 	return &BoundaryUsageSummary{

coderd/telemetry/telemetry_test.go

@@ -21,7 +21,6 @@ import (
 	"github.com/coder/coder/v2/buildinfo"
 	"github.com/coder/coder/v2/coderd/boundaryusage"
 	"github.com/coder/coder/v2/coderd/database"
-	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbgen"
 	"github.com/coder/coder/v2/coderd/database/dbtestutil"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
@@ -942,13 +941,6 @@ func TestTelemetry_BoundaryUsageSummary(t *testing.T) {
 		err = tracker2.FlushToDB(ctx, db, replica2ID)
 		require.NoError(t, err)
 
-		// Verify both replicas' data is in the database.
-		boundaryCtx := dbauthz.AsBoundaryUsageTracker(ctx)
-		const maxStalenessMs = 60000
-		summary, err := db.GetBoundaryUsageSummary(boundaryCtx, maxStalenessMs)
-		require.NoError(t, err)
-		require.Equal(t, int64(10+20), summary.AllowedRequests)
-
 		clock := quartz.NewMock(t)
 		clock.Set(dbtime.Now())
 

coderd/templates.go

@@ -775,6 +775,10 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 	if req.UseClassicParameterFlow != nil {
 		classicTemplateFlow = *req.UseClassicParameterFlow
 	}
+	disableModuleCache := template.DisableModuleCache
+	if req.DisableModuleCache != nil {
+		disableModuleCache = *req.DisableModuleCache
+	}
 
 	displayName := ptr.NilToDefault(req.DisplayName, template.DisplayName)
 	description := ptr.NilToDefault(req.Description, template.Description)
@@ -800,6 +804,7 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 			req.RequireActiveVersion == template.RequireActiveVersion &&
 			(deprecationMessage == template.Deprecated) &&
 			(classicTemplateFlow == template.UseClassicParameterFlow) &&
+			(disableModuleCache == template.DisableModuleCache) &&
 			maxPortShareLevel == template.MaxPortSharingLevel &&
 			corsBehavior == template.CorsBehavior {
 			return nil
@@ -844,6 +849,7 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 			MaxPortSharingLevel:          maxPortShareLevel,
 			UseClassicParameterFlow:      classicTemplateFlow,
 			CorsBehavior:                 corsBehavior,
+			DisableModuleCache:           disableModuleCache,
 		})
 		if err != nil {
 			return xerrors.Errorf("update template metadata: %w", err)
@@ -1128,6 +1134,7 @@ func (api *API) convertTemplate(
 		MaxPortShareLevel:       maxPortShareLevel,
 		UseClassicParameterFlow: template.UseClassicParameterFlow,
 		CORSBehavior:            codersdk.CORSBehavior(template.CorsBehavior),
+		DisableModuleCache:      template.DisableModuleCache,
 	}
 }
 

coderd/templates_test.go

@@ -1616,6 +1616,39 @@ func TestPatchTemplateMeta(t *testing.T) {
 		assert.False(t, updated.UseClassicParameterFlow, "expected false")
 	})
 
+	t.Run("DisableModuleCache", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		require.False(t, template.DisableModuleCache, "default is false")
+
+		req := codersdk.UpdateTemplateMeta{
+			DisableModuleCache: ptr.Ref(true),
+		}
+
+		ctx := testutil.Context(t, testutil.WaitLong)
+
+		// set to true
+		updated, err := client.UpdateTemplateMeta(ctx, template.ID, req)
+		require.NoError(t, err)
+		assert.True(t, updated.DisableModuleCache, "expected true")
+
+		// noop - should stay true when not specified
+		req.DisableModuleCache = nil
+		updated, err = client.UpdateTemplateMeta(ctx, template.ID, req)
+		require.NoError(t, err)
+		assert.True(t, updated.DisableModuleCache, "expected true")
+
+		// back to false
+		req.DisableModuleCache = ptr.Ref(false)
+		updated, err = client.UpdateTemplateMeta(ctx, template.ID, req)
+		require.NoError(t, err)
+		assert.False(t, updated.DisableModuleCache, "expected false")
+	})
+
 	t.Run("SupportEmptyOrDefaultFields", func(t *testing.T) {
 		t.Parallel()
 

coderd/workspaceagentsrpc.go

@@ -158,6 +158,7 @@ func (api *API) workspaceAgentRPC(rw http.ResponseWriter, r *http.Request) {
 		DerpMapUpdateFrequency:    api.Options.DERPMapUpdateFrequency,
 		ExternalAuthConfigs:       api.ExternalAuthConfigs,
 		Experiments:               api.Experiments,
+		LifecycleMetrics:          api.lifecycleMetrics,
 
 		// Optional:
 		UpdateAgentMetricsFn: api.UpdateAgentMetrics,

coderd/workspacebuilds.go

@@ -384,7 +384,7 @@ func (api *API) postWorkspaceBuildsInternal(
 		Experiments(api.Experiments).
 		TemplateVersionPresetID(createBuild.TemplateVersionPresetID)
 
-	if transition == database.WorkspaceTransitionStart && createBuild.Reason != "" {
+	if (transition == database.WorkspaceTransitionStart || transition == database.WorkspaceTransitionStop) && createBuild.Reason != "" {
 		builder = builder.Reason(database.BuildReason(createBuild.Reason))
 	}
 

coderd/workspaces.go

@@ -141,7 +141,7 @@ func (api *API) workspace(rw http.ResponseWriter, r *http.Request) {
 // @Security CoderSessionToken
 // @Produce json
 // @Tags Workspaces
-// @Param q query string false "Search query in the format `key:value`. Available keys are: owner, template, name, status, has-agent, dormant, last_used_after, last_used_before, has-ai-task, has_external_agent."
+// @Param q query string false "Search query in the format `key:value`. Available keys are: owner, template, name, status, has-agent, dormant, last_used_after, last_used_before, has-ai-task, has_external_agent, healthy."
 // @Param limit query int false "Page limit"
 // @Param offset query int false "Page offset"
 // @Success 200 {object} codersdk.WorkspacesResponse

coderd/workspaces_test.go

@@ -19,6 +19,7 @@ import (
 
 	"cdr.dev/slog/v3"
 	"github.com/coder/coder/v2/agent/agenttest"
+	"github.com/coder/coder/v2/coderd"
 	"github.com/coder/coder/v2/coderd/audit"
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/database"
@@ -1358,12 +1359,19 @@ func TestPostWorkspacesByOrganization(t *testing.T) {
 
 		// Given: a coderd instance with a provisioner daemon
 		store, ps, db := dbtestutil.NewDBWithSQLDB(t)
-		client, closeDaemon := coderdtest.NewWithProvisionerCloser(t, &coderdtest.Options{
+		client, _, api := coderdtest.NewWithAPI(t, &coderdtest.Options{
 			Database:                 store,
 			Pubsub:                   ps,
-			IncludeProvisionerDaemon: true,
+			IncludeProvisionerDaemon: false,
 		})
-		defer closeDaemon.Close()
+
+		// Create a new provisioner with a heartbeater that does nothing.
+		provisioner := coderdtest.NewTaggedProvisionerDaemon(t, api, "test-provisioner", nil, coderd.MemoryProvisionerWithHeartbeatOverride(func(ctx context.Context) error {
+			// The default heartbeat updates the `last_seen_at` column in the database.
+			// By overriding it to do nothing, we can simulate a provisioner that is not sending heartbeats, and is therefore stale.
+			return nil
+		}))
+		defer provisioner.Close()
 
 		// Given: a user, template, and workspace
 		user := coderdtest.CreateFirstUser(t, client)
@@ -2511,6 +2519,152 @@ func TestWorkspaceFilterManual(t *testing.T) {
 		require.Len(t, res.Workspaces, 1)
 		require.Equal(t, workspace.ID, res.Workspaces[0].ID)
 	})
+
+	t.Run("HealthyFilter", func(t *testing.T) {
+		t.Parallel()
+
+		t.Run("Healthy", func(t *testing.T) {
+			t.Parallel()
+
+			// healthy:true should return workspaces with connected agents
+			// and exclude workspaces with disconnected agents
+			client, db := coderdtest.NewWithDatabase(t, nil)
+			user := coderdtest.CreateFirstUser(t, client)
+
+			// Create a workspace with a connected agent
+			connectedBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+				OrganizationID: user.OrganizationID,
+				OwnerID:        user.UserID,
+				Name:           "connected-workspace",
+			}).WithAgent().Do()
+
+			// Mark the agent as connected
+			now := time.Now()
+			require.Len(t, connectedBuild.Agents, 1)
+			//nolint:gocritic // This is a test, we need system context to update agent connection
+			ctx := dbauthz.AsSystemRestricted(context.Background())
+			err := db.UpdateWorkspaceAgentConnectionByID(ctx, database.UpdateWorkspaceAgentConnectionByIDParams{
+				ID:                     connectedBuild.Agents[0].ID,
+				FirstConnectedAt:       sql.NullTime{Time: now, Valid: true},
+				LastConnectedAt:        sql.NullTime{Time: now, Valid: true},
+				DisconnectedAt:         sql.NullTime{},
+				UpdatedAt:              now,
+				LastConnectedReplicaID: uuid.NullUUID{},
+			})
+			require.NoError(t, err)
+
+			// Create a workspace with a disconnected agent
+			disconnectedBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+				OrganizationID: user.OrganizationID,
+				OwnerID:        user.UserID,
+				Name:           "disconnected-workspace",
+			}).WithAgent().Do()
+
+			// Mark the agent as disconnected
+			require.Len(t, disconnectedBuild.Agents, 1)
+			disconnectedTime := now.Add(-time.Hour)
+			err = db.UpdateWorkspaceAgentConnectionByID(ctx, database.UpdateWorkspaceAgentConnectionByIDParams{
+				ID:                     disconnectedBuild.Agents[0].ID,
+				FirstConnectedAt:       sql.NullTime{Time: disconnectedTime, Valid: true},
+				LastConnectedAt:        sql.NullTime{Time: disconnectedTime, Valid: true},
+				DisconnectedAt:         sql.NullTime{Time: now, Valid: true},
+				UpdatedAt:              now,
+				LastConnectedReplicaID: uuid.NullUUID{},
+			})
+			require.NoError(t, err)
+
+			ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+			defer cancel()
+
+			// healthy:true should only return the connected workspace
+			res, err := client.Workspaces(ctx, codersdk.WorkspaceFilter{
+				FilterQuery: "healthy:true",
+			})
+			require.NoError(t, err)
+			require.Len(t, res.Workspaces, 1)
+			require.Equal(t, connectedBuild.Workspace.ID, res.Workspaces[0].ID)
+		})
+
+		t.Run("Unhealthy", func(t *testing.T) {
+			t.Parallel()
+
+			// healthy:false should return workspaces with disconnected or timed out agents
+			// and exclude workspaces with connected agents
+			store, ps, sqlDB := dbtestutil.NewDBWithSQLDB(t)
+			client := coderdtest.New(t, &coderdtest.Options{
+				Database: store,
+				Pubsub:   ps,
+			})
+			user := coderdtest.CreateFirstUser(t, client)
+			now := time.Now()
+
+			//nolint:gocritic // This is a test, we need system context to update agent connection
+			ctx := dbauthz.AsSystemRestricted(context.Background())
+
+			// Create a workspace with a connected agent (should be excluded)
+			connectedBuild := dbfake.WorkspaceBuild(t, store, database.WorkspaceTable{
+				OrganizationID: user.OrganizationID,
+				OwnerID:        user.UserID,
+				Name:           "connected-workspace",
+			}).WithAgent().Do()
+			require.Len(t, connectedBuild.Agents, 1)
+			err := store.UpdateWorkspaceAgentConnectionByID(ctx, database.UpdateWorkspaceAgentConnectionByIDParams{
+				ID:                     connectedBuild.Agents[0].ID,
+				FirstConnectedAt:       sql.NullTime{Time: now, Valid: true},
+				LastConnectedAt:        sql.NullTime{Time: now, Valid: true},
+				DisconnectedAt:         sql.NullTime{},
+				UpdatedAt:              now,
+				LastConnectedReplicaID: uuid.NullUUID{},
+			})
+			require.NoError(t, err)
+
+			// Create a workspace with a disconnected agent
+			disconnectedBuild := dbfake.WorkspaceBuild(t, store, database.WorkspaceTable{
+				OrganizationID: user.OrganizationID,
+				OwnerID:        user.UserID,
+				Name:           "disconnected-workspace",
+			}).WithAgent().Do()
+			require.Len(t, disconnectedBuild.Agents, 1)
+			disconnectedTime := now.Add(-time.Hour)
+			err = store.UpdateWorkspaceAgentConnectionByID(ctx, database.UpdateWorkspaceAgentConnectionByIDParams{
+				ID:                     disconnectedBuild.Agents[0].ID,
+				FirstConnectedAt:       sql.NullTime{Time: disconnectedTime, Valid: true},
+				LastConnectedAt:        sql.NullTime{Time: disconnectedTime, Valid: true},
+				DisconnectedAt:         sql.NullTime{Time: now, Valid: true},
+				UpdatedAt:              now,
+				LastConnectedReplicaID: uuid.NullUUID{},
+			})
+			require.NoError(t, err)
+
+			// Create a workspace with a timed out agent (never connected, timeout exceeded)
+			timedOutBuild := dbfake.WorkspaceBuild(t, store, database.WorkspaceTable{
+				OrganizationID: user.OrganizationID,
+				OwnerID:        user.UserID,
+				Name:           "timeout-workspace",
+			}).WithAgent(func(agents []*proto.Agent) []*proto.Agent {
+				agents[0].ConnectionTimeoutSeconds = 1
+				return agents
+			}).Do()
+			require.Len(t, timedOutBuild.Agents, 1)
+			// Set created_at to the past so the timeout is exceeded
+			_, err = sqlDB.ExecContext(ctx, "UPDATE workspace_agents SET created_at = $1 WHERE id = $2",
+				now.Add(-time.Hour), timedOutBuild.Agents[0].ID)
+			require.NoError(t, err)
+
+			testCtx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+			defer cancel()
+
+			// healthy:false should return both disconnected and timed out workspaces
+			res, err := client.Workspaces(testCtx, codersdk.WorkspaceFilter{
+				FilterQuery: "healthy:false",
+			})
+			require.NoError(t, err)
+			require.Len(t, res.Workspaces, 2)
+			workspaceIDs := []uuid.UUID{res.Workspaces[0].ID, res.Workspaces[1].ID}
+			require.Contains(t, workspaceIDs, disconnectedBuild.Workspace.ID)
+			require.Contains(t, workspaceIDs, timedOutBuild.Workspace.ID)
+		})
+	})
 	t.Run("Params", func(t *testing.T) {
 		t.Parallel()
 

codersdk/agentsdk/convert.go

@@ -425,11 +425,20 @@ func DevcontainerFromProto(pdc *proto.WorkspaceAgentDevcontainer) (codersdk.Work
 	if err != nil {
 		return codersdk.WorkspaceAgentDevcontainer{}, xerrors.Errorf("parse id: %w", err)
 	}
+	var subagentID uuid.NullUUID
+	if pdc.SubagentId != nil {
+		subagentID.Valid = true
+		subagentID.UUID, err = uuid.FromBytes(pdc.SubagentId)
+		if err != nil {
+			return codersdk.WorkspaceAgentDevcontainer{}, xerrors.Errorf("parse subagent id: %w", err)
+		}
+	}
 	return codersdk.WorkspaceAgentDevcontainer{
 		ID:              id,
 		Name:            pdc.Name,
 		WorkspaceFolder: pdc.WorkspaceFolder,
 		ConfigPath:      pdc.ConfigPath,
+		SubagentID:      subagentID,
 	}, nil
 }
 
@@ -442,10 +451,16 @@ func ProtoFromDevcontainers(dcs []codersdk.WorkspaceAgentDevcontainer) []*proto.
 }
 
 func ProtoFromDevcontainer(dc codersdk.WorkspaceAgentDevcontainer) *proto.WorkspaceAgentDevcontainer {
+	var subagentID []byte
+	if dc.SubagentID.Valid {
+		subagentID = dc.SubagentID.UUID[:]
+	}
+
 	return &proto.WorkspaceAgentDevcontainer{
 		Id:              dc.ID[:],
 		Name:            dc.Name,
 		WorkspaceFolder: dc.WorkspaceFolder,
 		ConfigPath:      dc.ConfigPath,
+		SubagentId:      subagentID,
 	}
 }

codersdk/agentsdk/convert_test.go

@@ -136,6 +136,7 @@ func TestManifest(t *testing.T) {
 				ID:              uuid.New(),
 				WorkspaceFolder: "/home/coder/coder",
 				ConfigPath:      "/home/coder/coder/.devcontainer/devcontainer.json",
+				SubagentID:      uuid.NullUUID{Valid: true, UUID: uuid.New()},
 			},
 		},
 	}

codersdk/aitasks.go

@@ -329,6 +329,31 @@ func (c *Client) UpdateTaskInput(ctx context.Context, user string, id uuid.UUID,
 	return nil
 }
 
+// PauseTaskResponse represents the response from pausing a task.
+type PauseTaskResponse struct {
+	WorkspaceBuild *WorkspaceBuild `json:"workspace_build"`
+}
+
+// PauseTask pauses a task by stopping its workspace.
+// Experimental: uses the /api/experimental endpoint.
+func (c *Client) PauseTask(ctx context.Context, user string, id uuid.UUID) (PauseTaskResponse, error) {
+	res, err := c.Request(ctx, http.MethodPost, fmt.Sprintf("/api/experimental/tasks/%s/%s/pause", user, id.String()), nil)
+	if err != nil {
+		return PauseTaskResponse{}, err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusAccepted {
+		return PauseTaskResponse{}, ReadBodyAsError(res)
+	}
+
+	var resp PauseTaskResponse
+	if err := json.NewDecoder(res.Body).Decode(&resp); err != nil {
+		return PauseTaskResponse{}, err
+	}
+
+	return resp, nil
+}
+
 // TaskLogType indicates the source of a task log entry.
 type TaskLogType string
 

codersdk/apikey_scopes_gen.go

@@ -181,6 +181,7 @@ const (
 	APIKeyScopeWorkspaceStart                      APIKeyScope = "workspace:start"
 	APIKeyScopeWorkspaceStop                       APIKeyScope = "workspace:stop"
 	APIKeyScopeWorkspaceUpdate                     APIKeyScope = "workspace:update"
+	APIKeyScopeWorkspaceUpdateAgent                APIKeyScope = "workspace:update_agent"
 	APIKeyScopeWorkspaceAgentDevcontainersAll      APIKeyScope = "workspace_agent_devcontainers:*"
 	APIKeyScopeWorkspaceAgentDevcontainersCreate   APIKeyScope = "workspace_agent_devcontainers:create"
 	APIKeyScopeWorkspaceAgentResourceMonitorAll    APIKeyScope = "workspace_agent_resource_monitor:*"
@@ -199,6 +200,7 @@ const (
 	APIKeyScopeWorkspaceDormantStart               APIKeyScope = "workspace_dormant:start"
 	APIKeyScopeWorkspaceDormantStop                APIKeyScope = "workspace_dormant:stop"
 	APIKeyScopeWorkspaceDormantUpdate              APIKeyScope = "workspace_dormant:update"
+	APIKeyScopeWorkspaceDormantUpdateAgent         APIKeyScope = "workspace_dormant:update_agent"
 	APIKeyScopeWorkspaceProxyAll                   APIKeyScope = "workspace_proxy:*"
 	APIKeyScopeWorkspaceProxyCreate                APIKeyScope = "workspace_proxy:create"
 	APIKeyScopeWorkspaceProxyDelete                APIKeyScope = "workspace_proxy:delete"