fi stop tracing 4xx http status codes as errors (#3707)

Signed-off-by: Spike Curtis <spike@coder.com>

Signed-off-by: Spike Curtis <spike@coder.com>

.editorconfig

@@ -0,0 +1,16 @@
+root = true
+
+[*]
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+indent_style = tab
+
+[*.{md,json,yaml,yml,tf,tfvars}]
+indent_style = space
+indent_size = 2
+
+[coderd/database/dump.sql]
+indent_style = space
+indent_size = 4

.gitattributes

@@ -1,5 +1,9 @@
 # Generated files
-database/dump.sql linguist-generated=true
+coderd/database/dump.sql linguist-generated=true
 peerbroker/proto/*.go linguist-generated=true
 provisionerd/proto/*.go linguist-generated=true
 provisionersdk/proto/*.go linguist-generated=true
+*.tfplan.json linguist-generated=true
+*.tfstate.json linguist-generated=true
+*.tfstate.dot linguist-generated=true
+*.tfplan.dot linguist-generated=true

.github/CODEOWNERS

@@ -1 +1,2 @@
-site @coder/coder-frontend
+site/ @coder/frontend
+docs/ @ammario

.github/ISSUE_TEMPLATE/external_bug_report.md

@@ -0,0 +1,9 @@
+<!--- Provide a general summary of the issue in the Title above -->
+
+## Expected Behavior
+
+<!--- Tell us what should happen -->
+
+## Current Behavior
+
+<!--- Tell us what happens instead of the expected behavior -->

.github/codecov.yml

@@ -0,0 +1,43 @@
+codecov:
+  require_ci_to_pass: false
+  notify:
+    after_n_builds: 5
+
+comment: false
+
+github_checks:
+  annotations: false
+
+coverage:
+  range: 50..75
+  round: down
+  precision: 2
+  status:
+    patch:
+      default:
+        informational: yes
+    project:
+      default:
+        target: 65%
+        informational: true
+
+ignore:
+  # This is generated code.
+  - coderd/database/models.go
+  - coderd/database/queries.sql.go
+  - coderd/database/databasefake
+  # These are generated or don't require tests.
+  - cmd
+  - coderd/tunnel
+  - coderd/database/dump
+  - coderd/database/postgres
+  - peerbroker/proto
+  - provisionerd/proto
+  - provisionersdk/proto
+  - scripts
+  - site/.storybook
+  - rules.go
+  # Packages used for writing tests.
+  - cli/clitest
+  - coderd/coderdtest
+  - pty/ptytest

.github/dependabot.yaml

@@ -3,9 +3,10 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "monthly"
       time: "06:00"
       timezone: "America/Chicago"
+    labels: []
     commit-message:
       prefix: "chore"
     ignore:
@@ -27,23 +28,47 @@ updates:
   - package-ecosystem: "gomod"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "monthly"
       time: "06:00"
       timezone: "America/Chicago"
     commit-message:
       prefix: "chore"
+    labels: []
+    ignore:
+      # Ignore patch updates for all dependencies
+      - dependency-name: "*"
+        update-types:
+        - version-update:semver-patch
 
   - package-ecosystem: "npm"
     directory: "/site/"
     schedule:
-      interval: "daily"
+      interval: "monthly"
       time: "06:00"
       timezone: "America/Chicago"
     commit-message:
       prefix: "chore"
+    labels: []
     ignore:
+      # Ignore patch updates for all dependencies
+      - dependency-name: "*"
+        update-types:
+        - version-update:semver-patch
       # Ignore major updates to Node.js types, because they need to
       # correspond to the Node.js engine version
       - dependency-name: "@types/node"
         update-types:
           - version-update:semver-major
+
+  - package-ecosystem: "terraform"
+    directory: "/examples/templates"
+    schedule:
+      interval: "monthly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    commit-message:
+      prefix: "chore"
+    labels: []
+    ignore:
+      # We likely want to update this ourselves.
+      - dependency-name: "coder/coder"

.github/pull_request_template.md

@@ -0,0 +1,13 @@
+<!-- Help reviewers by listing the subtasks in this PR
+
+Here's an example:
+
+This PR adds a new feature to the CLI.
+
+## Subtasks
+
+- [x] added a test for feature
+
+Fixes #345
+
+-->

.github/semantic.yaml

@@ -7,6 +7,10 @@
 # https://www.notion.so/coderhq/Conventional-commits-1d51287f58b64026bb29393f277734ed
 ###############################################################################
 
+# We have no valid scopes right now.
+# A scope should be added when commits aren't aligning with associated change anymore.
+scopes:
+
 # We only check that the PR title is semantic. The PR title is automatically
 # applied to the "Squash & Merge" flow as the suggested commit message, so this
 # should suffice unless someone drastically alters the message in that flow.
@@ -21,26 +25,22 @@ types:
   # A build of any kind.
   - build
 
-  # A RELEASED fix that will NOT be back-ported. The originating issue may have
-  # been discovered internally or externally to Coder.
-  - fix
-
-  # Any code task that is ignored for changelog purposes. Examples include
-  # devbin scripts and internal-only configurations.
+  # Any code task that operates outside of CI, docs, or the product. Examples
+  # include configurations, linters etc.
   - chore
 
   # Any work performed on CI.
   - ci
-
-  # An UNRELEASED correction. For example, features are often built
-  # incrementally and sometimes introduce minor flaws during a release cycle.
-  # Corrections address those increments and flaws.
-  - correct
+  
+  - example
 
   # Work that directly implements or supports the implementation of a feature.
   - feat
 
-  # A fix for a RELEASED bug (regression fix) that is intended for patch-release
+  # A fix for either a released or unrelesed bug.
+  - fix
+
+  # A fix for a released bug (regression fix) that is intended for patch-release
   # purposes.
   - hotfix
 

.github/stale.yml

@@ -1,14 +0,0 @@
-# Number of days of inactivity before an issue becomes stale
-daysUntilStale: 14
-# Number of days of inactivity before a stale issue is closed
-daysUntilClose: 5
-# Only apply the stale logic to pulls, since we are using issues to manage work
-only: pulls
-# Label to apply when stale.
-staleLabel: stale
-# Comment to post when marking an issue as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had
-  recent activity. It will be closed if no activity occurs in the next 5 days.
-# Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false

.github/workflows/coder.yaml

@@ -4,13 +4,10 @@ on:
   push:
     branches:
       - main
-      - "release/*"
     tags:
       - "*"
 
   pull_request:
-    branches:
-      - "*"
 
   workflow_dispatch:
 
@@ -33,21 +30,103 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
+  typos:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: typos-action
+        uses: crate-ci/typos@master
+        with:
+          config: .github/workflows/typos.toml
+      - name: Fix Helper
+        if: ${{ failure() }}
+        run: |
+          echo "::notice:: you can automatically fix typos from your CLI:
+          cargo install typos-cli
+          typos -c .github/workflows/typos.toml -w"
+
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      docs-only: ${{ steps.filter.outputs.docs_count == steps.filter.outputs.all_count }}
+      sh: ${{ steps.filter.outputs.sh }}
+      ts: ${{ steps.filter.outputs.ts }}
+      k8s: ${{ steps.filter.outputs.k8s }}
+    steps:
+      - uses: actions/checkout@v3
+      # For pull requests it's not necessary to checkout the code
+      - uses: dorny/paths-filter@v2
+        id: filter
+        with:
+          filters: |
+            all:
+              - '**'
+            docs:
+              - 'docs/**'
+              # For testing:
+              # - '.github/**'
+            sh:
+              - "**.sh"
+            ts:
+              - 'site/**'
+            k8s:
+              - 'helm/**'
+              - Dockerfile
+              - scripts/helm.sh
+      - id: debug
+        run: |
+          echo "${{ toJSON(steps.filter )}}"
+
+  # Debug step
+  debug-inputs:
+    needs:
+      - changes
+    runs-on: ubuntu-latest
+    steps:
+      - id: log
+        run: |
+          echo "${{ toJSON(needs) }}"
+
   style-lint-golangci:
     name: style/lint/golangci
+    timeout-minutes: 5
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v3
         with:
-          go-version: "^1.17"
+          go-version: "~1.19"
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3.1.0
+        uses: golangci/golangci-lint-action@v3.2.0
         with:
-          version: v1.43.0
+          version: v1.48.0
+
+  check-enterprise-imports:
+    name: check/enterprise-imports
+    timeout-minutes: 5
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Check imports of enterprise code
+        run: ./scripts/check_enterprise_imports.sh
+
+  style-lint-shellcheck:
+    name: style/lint/shellcheck
+    timeout-minutes: 5
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@1.1.0
+        env:
+          SHELLCHECK_OPTS: --external-sources
+        with:
+          ignore: node_modules
 
   style-lint-typescript:
     name: "style/lint/typescript"
+    timeout-minutes: 5
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -55,7 +134,7 @@ jobs:
 
       - name: Cache Node
         id: cache-node
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: |
             **/node_modules
@@ -71,30 +150,95 @@ jobs:
         run: yarn lint
         working-directory: site
 
-  gen:
-    name: "style/gen"
+  style-lint-k8s:
+    name: "style/lint/k8s"
+    timeout-minutes: 5
+    needs: changes
+    if: needs.changes.outputs.k8s == 'true'
     runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Install helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.9.2
+
+      - name: cd helm && make lint
+        run: |
+          cd helm
+          make lint
+
+  gen:
+    name: "style/gen"
+    timeout-minutes: 8
+    runs-on: ubuntu-latest
+    needs: changes
+    if: needs.changes.outputs.docs-only == 'false'
     steps:
       - uses: actions/checkout@v3
+
+      - name: Cache Node
+        id: cache-node
+        uses: actions/cache@v3
+        with:
+          path: |
+            **/node_modules
+            .eslintcache
+          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            js-${{ runner.os }}-
+
+      - name: Install node_modules
+        run: ./scripts/yarn_install.sh
+
       - name: Install Protoc
         uses: arduino/setup-protoc@v1
         with:
-          version: "3.6.1"
-      - uses: actions/setup-go@v2
+          version: "3.20.0"
+      - uses: actions/setup-go@v3
         with:
-          go-version: "^1.17"
-      - run: curl -sSL
-          https://github.com/kyleconroy/sqlc/releases/download/v1.11.0/sqlc_1.11.0_linux_amd64.tar.gz
-          | sudo tar -C /usr/bin -xz sqlc
+          go-version: "~1.19"
 
-      - run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
-      - run: go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.26
-      - run: "make --output-sync -j gen"
-      - run: ./scripts/check_unstaged.sh
+      - name: Echo Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "::set-output name=go-build::$(go env GOCACHE)"
+          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+
+      - name: Go Build Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.go-build }}
+          key: ${{ github.job }}-go-build-${{ hashFiles('**/go.sum', '**/**.go') }}
+
+      - name: Go Mod Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.go-mod }}
+          key: ${{ github.job }}-go-mod-${{ hashFiles('**/go.sum') }}
+
+      - name: Install sqlc
+        run: |
+          curl -sSL https://github.com/kyleconroy/sqlc/releases/download/v1.13.0/sqlc_1.13.0_linux_amd64.tar.gz | sudo tar -C /usr/bin -xz sqlc
+      - name: Install protoc-gen-go
+        run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
+      - name: Install protoc-gen-go-drpc
+        run: go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.26
+      - name: Install goimports
+        run: go install golang.org/x/tools/cmd/goimports@latest
+
+      - name: make gen
+        run: "make --output-sync -j -B gen"
+
+      - name: Check for unstaged files
+        run: ./scripts/check_unstaged.sh
 
   style-fmt:
     name: "style/fmt"
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -104,7 +248,7 @@ jobs:
 
       - name: Cache Node
         id: cache-node
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: |
             **/node_modules
@@ -116,12 +260,18 @@ jobs:
       - name: Install node_modules
         run: ./scripts/yarn_install.sh
 
-      - name: "make fmt"
-        run: "make --output-sync -j fmt"
+      - name: Install shfmt
+        run: go install mvdan.cc/sh/v3/cmd/shfmt@v3.5.0
+
+      - name: make fmt
+        run: |
+          export PATH=${PATH}:$(go env GOPATH)/bin
+          make --output-sync -j -B fmt
 
   test-go:
     name: "test/go"
     runs-on: ${{ matrix.os }}
+    timeout-minutes: 20
     strategy:
       matrix:
         os:
@@ -131,41 +281,63 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v3
         with:
-          go-version: "^1.17"
+          go-version: "~1.19"
 
-      - uses: actions/cache@v2
+      - name: Echo Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "::set-output name=go-build::$(go env GOCACHE)"
+          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+
+      - name: Go Build Cache
+        uses: actions/cache@v3
         with:
-          # Go mod cache, Linux build cache, Mac build cache, Windows build cache
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-            ~/Library/Caches/go-build
-            %LocalAppData%\go-build
-          key: ${{ matrix.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ matrix.os }}-go-
+          path: ${{ steps.go-cache-paths.outputs.go-build }}
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }}
 
-      - run: go install gotest.tools/gotestsum@latest
-
-      - uses: hashicorp/setup-terraform@v1
+      - name: Go Mod Cache
+        uses: actions/cache@v3
         with:
-          terraform_version: 1.1.2
+          path: ${{ steps.go-cache-paths.outputs.go-mod }}
+          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+
+      - name: Install gotestsum
+        uses: jaxxstorm/action-install-gh-release@v1.7.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          repo: gotestyourself/gotestsum
+          tag: v1.7.0
+
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.1.9
           terraform_wrapper: false
 
       - name: Test with Mock Database
+        id: test
         shell: bash
-        env:
-          GOCOUNT: ${{ runner.os == 'Windows' && 3 || 5 }}
-          GOMAXPROCS: ${{ runner.os == 'Windows' && 1 || 2 }}
-        run: gotestsum --junitfile="gotests.xml" --packages="./..." --
-          -covermode=atomic -coverprofile="gotests.coverage"
-          -coverpkg=./...,github.com/coder/coder/codersdk
-          -timeout=3m -count=$GOCOUNT -race -short -failfast
+        run: |
+          # Code coverage is more computationally expensive and also
+          # prevents test caching, so we disable it on alternate operating
+          # systems.
+          if [ "${{ matrix.os }}" == "ubuntu-latest" ]; then
+            echo ::set-output name=cover::true
+            export COVERAGE_FLAGS='-covermode=atomic -coverprofile="gotests.coverage" -coverpkg=./...'
+          else
+            echo ::set-output name=cover::false
+          fi
+          set -x
+          test_timeout=5m
+          if [[ "${{ matrix.os }}" == windows* ]]; then
+            test_timeout=10m
+          fi
+          gotestsum --junitfile="gotests.xml" --packages="./..." -- -parallel=8 -timeout=$test_timeout -short -failfast $COVERAGE_FLAGS
 
       - name: Upload DataDog Trace
-        if: (success() || failure()) && github.actor != 'dependabot[bot]'
+        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
         env:
           DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
           DD_DATABASE: fake
@@ -173,82 +345,208 @@ jobs:
           GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
         run: go run scripts/datadog-cireport/main.go gotests.xml
 
+      - uses: codecov/codecov-action@v3
+        # This action has a tendency to error out unexpectedly, it has
+        # the `fail_ci_if_error` option that defaults to `false`, but
+        # that is no guarantee, see:
+        # https://github.com/codecov/codecov-action/issues/788
+        continue-on-error: true
+        if: steps.test.outputs.cover && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./gotests.coverage
+          flags: unittest-go-${{ matrix.os }}
+
+  test-go-postgres:
+    name: "test/go/postgres"
+    runs-on: ubuntu-latest
+    # This timeout must be greater than the timeout set by `go test` in
+    # `make test-postgres` to ensure we receive a trace of running
+    # goroutines. Setting this to the timeout +5m should work quite well
+    # even if some of the preceding steps are slow.
+    timeout-minutes: 25
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "~1.19"
+
+      - name: Echo Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "::set-output name=go-build::$(go env GOCACHE)"
+          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+
+      - name: Go Build Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.go-build }}
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum', '**/**.go') }}
+
+      - name: Go Mod Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.go-mod }}
+          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+
+      - name: Install gotestsum
+        uses: jaxxstorm/action-install-gh-release@v1.7.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          repo: gotestyourself/gotestsum
+          tag: v1.7.0
+
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.1.9
+          terraform_wrapper: false
+
       - name: Test with PostgreSQL Database
-        if: runner.os == 'Linux'
-        run: DB=true gotestsum --junitfile="gotests.xml" --packages="./..." --
-          -covermode=atomic -coverprofile="gotests.coverage" -timeout=3m
-          -coverpkg=./...,github.com/coder/coder/codersdk
-          -count=1 -race -parallel=2 -failfast
+        run: make test-postgres
 
       - name: Upload DataDog Trace
-        if: (success() || failure()) && github.actor != 'dependabot[bot]' && runner.os == 'Linux'
+        if: always() && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
         env:
           DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
           DD_DATABASE: postgresql
           GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
         run: go run scripts/datadog-cireport/main.go gotests.xml
 
-      - uses: codecov/codecov-action@v2
-        if: github.actor != 'dependabot[bot]'
+      - uses: codecov/codecov-action@v3
+        # This action has a tendency to error out unexpectedly, it has
+        # the `fail_ci_if_error` option that defaults to `false`, but
+        # that is no guarantee, see:
+        # https://github.com/codecov/codecov-action/issues/788
+        continue-on-error: true
+        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: ./gotests.coverage
-          flags: unittest-go-${{ matrix.os }}
-          fail_ci_if_error: true
+          flags: unittest-go-postgres-${{ matrix.os }}
 
   deploy:
     name: "deploy"
     runs-on: ubuntu-latest
-    if: github.event_name != 'pull_request'
+    timeout-minutes: 30
+    needs: changes
+    if: |
+      github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork
+      && needs.changes.outputs.docs-only == 'false'
     permissions:
       contents: read
       id-token: write
     steps:
       - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
 
       - name: Authenticate to Google Cloud
         uses: google-github-actions/auth@v0
         with:
-          workload_identity_provider: projects/477254869654/locations/global/workloadIdentityPools/github/providers/github
-          service_account: github-coder@coder-ci.iam.gserviceaccount.com
+          workload_identity_provider: projects/573722524737/locations/global/workloadIdentityPools/github/providers/github
+          service_account: coder-ci@coder-dogfood.iam.gserviceaccount.com
 
       - name: Set up Google Cloud SDK
         uses: google-github-actions/setup-gcloud@v0
 
-      - name: Configure Docker for Google Artifact Registry
-        run: gcloud auth configure-docker us-docker.pkg.dev
-
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-go@v3
         with:
-          node-version: "14"
+          go-version: "~1.19"
 
-      - name: Install node_modules
-        run: ./scripts/yarn_install.sh
+      - name: Echo Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "::set-output name=go-build::$(go env GOCACHE)"
+          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
 
-      - uses: actions/setup-go@v2
+      - name: Go Build Cache
+        uses: actions/cache@v3
         with:
-          go-version: "^1.17"
+          path: ${{ steps.go-cache-paths.outputs.go-build }}
+          key: ${{ runner.os }}-release-go-build-${{ hashFiles('**/go.sum') }}
 
-      - uses: goreleaser/goreleaser-action@v2
+      - name: Go Mod Cache
+        uses: actions/cache@v3
         with:
-          install-only: true
+          path: ${{ steps.go-cache-paths.outputs.go-mod }}
+          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
 
-      - run: make docker/image/coder
+      - name: Cache Node
+        id: cache-node
+        uses: actions/cache@v3
+        with:
+          path: |
+            **/node_modules
+            .eslintcache
+          key: js-${{ runner.os }}-release-node-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            js-${{ runner.os }}-
 
-      - run: docker push us-docker.pkg.dev/coder-blacktriangle-dev/ci/coder:latest
+      - name: Install nfpm
+        run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.16.0
 
-      - name: Update coder service
-        run: gcloud run services update coder --image us-docker.pkg.dev/coder-blacktriangle-dev/ci/coder:latest --project coder-blacktriangle-dev --tag "git-$(git rev-parse --short HEAD)" --region us-central1
+      - name: Install zstd
+        run: sudo apt-get install -y zstd
+
+      - name: Build site
+        run: make -B site/out/index.html
+
+      - name: Build Release
+        run: |
+          set -euo pipefail
+          go mod download
+
+          mkdir -p ./dist
+          # build slim binaries
+          ./scripts/build_go_slim.sh \
+            --output ./dist/ \
+            --compress 22 \
+            linux:amd64,armv7,arm64 \
+            windows:amd64,arm64 \
+            darwin:amd64,arm64
+
+          # build linux amd64 packages
+          ./scripts/build_go_matrix.sh \
+            --output ./dist/ \
+            --package-linux \
+            linux:amd64 \
+            windows:amd64
+
+      - name: Install Release
+        run: |
+          gcloud config set project coder-dogfood
+          gcloud config set compute/zone us-central1-a
+          gcloud compute scp ./dist/coder_*_linux_amd64.deb coder:/tmp/coder.deb
+          gcloud compute ssh coder -- sudo dpkg -i --force-confdef /tmp/coder.deb
+          gcloud compute ssh coder -- sudo systemctl daemon-reload
+
+      - name: Start
+        run: gcloud compute ssh coder -- sudo service coder restart
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: coder
+          path: |
+            ./dist/*.zip
+            ./dist/*.exe
+            ./dist/*.tar.gz
+            ./dist/*.apk
+            ./dist/*.deb
+            ./dist/*.rpm
+          retention-days: 7
 
   test-js:
     name: "test/js"
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
       - uses: actions/checkout@v3
 
       - name: Cache Node
         id: cache-node
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: |
             **/node_modules
@@ -258,9 +556,9 @@ jobs:
             js-${{ runner.os }}-
 
       # Go is required for uploading the test results to datadog
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v3
         with:
-          go-version: "^1.17"
+          go-version: "~1.19"
 
       - uses: actions/setup-node@v3
         with:
@@ -269,27 +567,23 @@ jobs:
       - name: Install node_modules
         run: ./scripts/yarn_install.sh
 
-      - name: Build frontend
-        run: yarn build
-        working-directory: site
-
-      - name: Build Storybook
-        run: yarn storybook:build
-        working-directory: site
-
       - run: yarn test:coverage
         working-directory: site
 
-      - uses: codecov/codecov-action@v2
-        if: github.actor != 'dependabot[bot]'
+      - uses: codecov/codecov-action@v3
+        # This action has a tendency to error out unexpectedly, it has
+        # the `fail_ci_if_error` option that defaults to `false`, but
+        # that is no guarantee, see:
+        # https://github.com/codecov/codecov-action/issues/788
+        continue-on-error: true
+        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: ./site/coverage/lcov.info
           flags: unittest-js
-          fail_ci_if_error: true
 
       - name: Upload DataDog Trace
-        if: (success() || failure()) && github.actor != 'dependabot[bot]'
+        if: always() && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
         env:
           DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
           DD_CATEGORY: unit
@@ -298,60 +592,63 @@ jobs:
 
   test-e2e:
     name: "test/e2e/${{ matrix.os }}"
+    needs:
+      - changes
+    if: needs.changes.outputs.docs-only == 'false'
     runs-on: ${{ matrix.os }}
+    timeout-minutes: 20
     strategy:
       matrix:
         os:
           - ubuntu-latest
-          - macos-latest
-          # TODO: Get `make build` running on Windows 2022
-          # https://github.com/coder/coder/issues/384
-          # - windows-2022
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Cache Node
         id: cache-node
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: |
             **/node_modules
             .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
+          key: js-${{ runner.os }}-e2e-${{ hashFiles('**/yarn.lock') }}
 
       # Go is required for uploading the test results to datadog
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v3
         with:
-          go-version: "^1.17"
+          go-version: "~1.19"
 
-      - uses: hashicorp/setup-terraform@v1
+      - uses: hashicorp/setup-terraform@v2
         with:
-          terraform_version: 1.1.2
+          terraform_version: 1.1.9
           terraform_wrapper: false
 
       - uses: actions/setup-node@v3
         with:
           node-version: "14"
 
-      - uses: goreleaser/goreleaser-action@v2
-        with:
-          install-only: true
+      - name: Echo Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "::set-output name=go-build::$(go env GOCACHE)"
+          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
 
-      - uses: actions/cache@v2
+      - name: Go Build Cache
+        uses: actions/cache@v3
         with:
-          # Go mod cache, Linux build cache, Mac build cache, Windows build cache
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-            ~/Library/Caches/go-build
-            %LocalAppData%\go-build
-          key: ${{ matrix.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ matrix.os }}-go-
+          path: ${{ steps.go-cache-paths.outputs.go-build }}
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
 
-      - run: make build
+      - name: Go Mod Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.go-mod }}
+          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+
+      - name: Build
+        run: |
+          sudo npm install -g prettier
+          make -B site/out/index.html
 
       - run: yarn playwright:install
         working-directory: site
@@ -364,10 +661,62 @@ jobs:
           DEBUG: pw:api
         working-directory: site
 
+      - name: Upload Playwright Failed Tests
+        if: always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
+        uses: actions/upload-artifact@v3
+        with:
+          name: failed-test-videos
+          path: ./site/test-results/**/*.webm
+          retention:days: 7
+
       - name: Upload DataDog Trace
-        if: (success() || failure()) && github.actor != 'dependabot[bot]' && runner.os == 'Linux'
+        if: always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
         env:
           DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
           DD_CATEGORY: e2e
           GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go site/test-results/junit.xml
+        run: go run scripts/datadog-cireport/main.go site/test-results/junit.xml
+  chromatic:
+    # REMARK: this is only used to build storybook and deploy it to Chromatic.
+    runs-on: ubuntu-latest
+    needs:
+      - changes
+    if: needs.changes.outputs.ts == 'true'
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # Required by Chromatic for build-over-build history, otherwise we
+          # only get 1 commit on shallow checkout.
+          fetch-depth: 0
+
+      - name: Install dependencies
+        run: cd site && yarn
+
+      # This step is not meant for mainline because any detected changes to
+      # storybook snapshots will require manual approval/review in order for
+      # the check to pass. This is desired in PRs, but not in mainline.
+      - name: Publish to Chromatic (non-mainline)
+        if: github.ref != 'refs/heads/main' && github.repository_owner == 'coder'
+        uses: chromaui/action@v1
+        with:
+          buildScriptName: "storybook:build"
+          exitOnceUploaded: true
+          # Chromatic states its fine to make this token public. See:
+          # https://www.chromatic.com/docs/github-actions#forked-repositories
+          projectToken: 695c25b6cb65
+          workingDir: "./site"
+
+      # This is a separate step for mainline only that auto accepts and changes
+      # instead of holding CI up. Since we squash/merge, this is defensive to
+      # avoid the same changeset from requiring review once squashed into
+      # main. Chromatic is supposed to be able to detect that we use squash
+      # commits, but it's good to be defensive in case, otherwise CI remains
+      # infinitely "in progress" in mainline unless we re-review each build.
+      - name: Publish to Chromatic (mainline)
+        if: github.ref == 'refs/heads/main' && github.repository_owner == 'coder'
+        uses: chromaui/action@v1
+        with:
+          autoAcceptChanges: true
+          buildScriptName: "storybook:build"
+          projectToken: 695c25b6cb65
+          workingDir: "./site"

.github/workflows/dogfood.yaml

@@ -0,0 +1,51 @@
+name: dogfood
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "*"
+    paths:
+      - "dogfood/**"
+  pull_request:
+    paths:
+      - "dogfood/**"
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get branch name
+        id: branch-name
+        uses: tj-actions/branch-names@v5.4
+
+      - name: "Branch name to Docker tag name"
+        id: docker-tag-name
+        run: |
+          tag=${{ steps.branch-name.outputs.current_branch }}
+          # Replace / with --, e.g. user/feature => user--feature.
+          tag=${tag//\//--}
+          echo "::set-output name=tag::${tag}"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v3
+        with:
+          context: "{{defaultContext}}:dogfood"
+          push: true
+          tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:latest"
+          cache-from: type=registry,ref=codercom/oss-dogfood:latest
+          cache-to: type=inline

.github/workflows/release.yaml

@@ -1,23 +1,295 @@
+# GitHub release workflow.
+#
+# This workflow is a bit complicated because we have to build darwin binaries on
+# a mac runner, but the mac runners are extremely slow. So instead of running
+# the entire release on a mac (which will take an hour to run), we run only the
+# mac build on a mac, and the rest on a linux runner. The final release is then
+# published using a final linux runner.
 name: release
 on:
   push:
     tags:
       - "v*"
+  workflow_dispatch:
+    inputs:
+      snapshot:
+        description: Force a dev version to be generated, implies dry_run.
+        type: boolean
+        required: true
+      dry_run:
+        description: Perform a dry-run release.
+        type: boolean
+        required: true
+
+env:
+  CODER_RELEASE: ${{ github.event.inputs.snapshot && 'false' || 'true' }}
+
 jobs:
-  goreleaser:
+  linux-windows:
     runs-on: ubuntu-latest
+    env:
+      # Necessary for Docker manifest
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@v2
-        with:
-          go-version: "^1.17"
 
-      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2.9.1
+      # If the event that triggered the build was an annotated tag (which our
+      # tags are supposed to be), actions/checkout has a bug where the tag in
+      # question is only a lightweight tag and not a full annotated tag. This
+      # command seems to fix it.
+      # https://github.com/actions/checkout/issues/290
+      - name: Fetch git tags
+        run: git fetch --tags --force
+
+      - name: Docker Login
+        uses: docker/login-action@v2
         with:
-          version: latest
-          args: release --rm-dist
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "~1.18"
+
+      - name: Cache Node
+        id: cache-node
+        uses: actions/cache@v3
+        with:
+          path: |
+            **/node_modules
+            .eslintcache
+          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            js-${{ runner.os }}-
+
+      - name: Install nfpm
+        run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.16.0
+
+      - name: Install zstd
+        run: sudo apt-get install -y zstd
+
+      - name: Build Site
+        run: make site/out/index.html
+
+      - name: Build Linux and Windows Binaries
+        run: |
+          set -euo pipefail
+          go mod download
+
+          mkdir -p ./dist
+          # build slim binaries
+          ./scripts/build_go_slim.sh \
+            --output ./dist/ \
+            --compress 22 \
+            linux:amd64,armv7,arm64 \
+            windows:amd64,arm64 \
+            darwin:amd64,arm64
+
+          # build linux and windows binaries
+          ./scripts/build_go_matrix.sh \
+            --output ./dist/ \
+            --archive \
+            --package-linux \
+            linux:amd64,armv7,arm64 \
+            windows:amd64,arm64
+
+      - name: Build Linux Docker images
+        run: |
+          set -euxo pipefail
+
+          # build and (maybe) push Docker images for each architecture
+          images=()
+          for arch in amd64 armv7 arm64; do
+            img="$(
+              ./scripts/build_docker.sh \
+                ${{ (!github.event.inputs.dry_run && !github.event.inputs.snapshot) && '--push' || '' }} \
+                --arch "$arch" \
+                ./dist/coder_*_linux_"$arch"
+            )"
+            images+=("$img")
+          done
+
+          # we can't build multi-arch if the images aren't pushed, so quit now
+          # if dry-running
+          if [[ "$CODER_RELEASE" != *t* ]]; then
+            echo Skipping multi-arch docker builds due to dry-run.
+            exit 0
+          fi
+
+          # build and push multi-arch manifest
+          ./scripts/build_docker_multiarch.sh \
+            --push \
+            "${images[@]}"
+
+          # if the current version is equal to the highest (according to semver)
+          # version in the repo, also create a multi-arch image as ":latest" and
+          # push it
+          if [[ "$(git tag | grep '^v' | grep -vE '(rc|dev|-|\+|\/)' | sort -r --version-sort | head -n1)" == "v$(./scripts/version.sh)" ]]; then
+            ./scripts/build_docker_multiarch.sh \
+              --push \
+              --target "$(./scripts/image_tag.sh --version latest)" \
+              "${images[@]}"
+          fi
+
+      - name: Upload binary artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: linux
+          path: |
+            dist/*.zip
+            dist/*.tar.gz
+            dist/*.apk
+            dist/*.deb
+            dist/*.rpm
+
+  # The mac binaries get built on mac runners because they need to be signed,
+  # and the signing tool only runs on mac. This darwin job only builds the Mac
+  # binaries and uploads them as job artifacts used by the publish step.
+  darwin:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      # If the event that triggered the build was an annotated tag (which our
+      # tags are supposed to be), actions/checkout has a bug where the tag in
+      # question is only a lightweight tag and not a full annotated tag. This
+      # command seems to fix it.
+      # https://github.com/actions/checkout/issues/290
+      - name: Fetch git tags
+        run: git fetch --tags --force
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "~1.18"
+
+      - name: Import Signing Certificates
+        uses: Apple-Actions/import-codesign-certs@v1
+        with:
+          p12-file-base64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }}
+          p12-password: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
+
+      - name: Cache Node
+        id: cache-node
+        uses: actions/cache@v3
+        with:
+          path: |
+            **/node_modules
+            .eslintcache
+          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            js-${{ runner.os }}-
+
+      - name: Install dependencies
+        run: |
+          set -euo pipefail
+          # The version of bash that macOS ships with is too old
+          brew install bash
+
+          # The version of make that macOS ships with is too old
+          brew install make
+          echo "$(brew --prefix)/opt/make/libexec/gnubin" >> $GITHUB_PATH
+
+          # BSD getopt is incompatible with the build scripts
+          brew install gnu-getopt
+          echo "$(brew --prefix)/opt/gnu-getopt/bin" >> $GITHUB_PATH
+
+          # Used for notarizing the binaries
+          brew tap mitchellh/gon
+          brew install mitchellh/gon/gon
+
+          # Used for compressing embedded slim binaries
+          brew install zstd
+
+      - name: Build Site
+        run: make site/out/index.html
+
+      - name: Build darwin Binaries (with signatures)
+        run: |
+          set -euo pipefail
+          go mod download
+
+          mkdir -p ./dist
+          # build slim binaries
+          ./scripts/build_go_slim.sh \
+            --output ./dist/ \
+            --compress 22 \
+            linux:amd64,armv7,arm64 \
+            windows:amd64,arm64 \
+            darwin:amd64,arm64
+
+          # build darwin binaries
+          ./scripts/build_go_matrix.sh \
+            --output ./dist/ \
+            --archive \
+            --sign-darwin \
+            darwin:amd64,arm64
+        env:
+          AC_USERNAME: ${{ secrets.AC_USERNAME }}
+          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
+          AC_APPLICATION_IDENTITY: BDB050EB749EDD6A80C6F119BF1382ECA119CCCC
+
+      - name: Upload Binary Artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: darwin
+          path: ./dist/coder_*.zip
+
+  publish:
+    runs-on: ubuntu-latest
+    needs:
+      - linux-windows
+      - darwin
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      # If the event that triggered the build was an annotated tag (which our
+      # tags are supposed to be), actions/checkout has a bug where the tag in
+      # question is only a lightweight tag and not a full annotated tag. This
+      # command seems to fix it.
+      # https://github.com/actions/checkout/issues/290
+      - name: Fetch git tags
+        run: git fetch --tags --force
+
+      - name: mkdir artifacts
+        run: mkdir artifacts
+
+      - name: Download darwin Artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: darwin
+          path: artifacts
+
+      - name: Download Linux and Windows Artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: linux
+          path: artifacts
+
+      - name: ls artifacts
+        run: ls artifacts
+
+      - name: Publish Helm
+        run: |
+          set -euxo pipefail
+          ./scripts/helm.sh --push
+          mv ./dist/*.tgz ./artifacts/
+
+      - name: Publish Release
+        run: |
+          ./scripts/publish_release.sh \
+            ${{ (github.event.inputs.dry_run || github.event.inputs.snapshot) && '--dry-run' }} \
+            ./artifacts/*.zip \
+            ./artifacts/*.tar.gz \
+            ./artifacts/*.tgz \
+            ./artifacts/*.apk \
+            ./artifacts/*.deb \
+            ./artifacts/*.rpm
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stale.yaml

@@ -0,0 +1,35 @@
+name: Stale Issue Cron
+on:
+  schedule:
+    # Every day at midnight
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      # v5.1.0 has a weird bug that makes stalebot add then remove its own label
+      # https://github.com/actions/stale/pull/775
+      - uses: actions/stale@v5.0.0
+        with:
+          stale-issue-label: stale
+          stale-pr-label: stale
+          # Pull Requests become stale more quickly due to merge conflicts.
+          # Also, we promote minimizing WIP.
+          days-before-pr-stale: 7
+          days-before-pr-close: 3
+          stale-pr-message: >
+            This Pull Request is becoming stale. In order to minimize WIP, 
+            prevent merge conflicts and keep the tracker readable, I'm going
+            close to this PR in 3 days if there isn't more activity.
+          stale-issue-message: >
+            This issue is becoming stale. In order to keep the tracker readable
+            and actionable, I'm going close to this issue in 7 days if there 
+            isn't more activity.
+          # Upped from 30 since we have a big tracker and was hitting the limit.
+          operations-per-run: 60
+          # Start with the oldest issues, always.
+          ascending: true

.github/workflows/typos.toml

@@ -0,0 +1,19 @@
+[default.extend-identifiers]
+alog = "alog"
+Jetbrains = "JetBrains"
+IST = "IST"
+MacOS = "macOS"
+
+[default.extend-words]
+
+[files]
+extend-exclude = [
+    "**.svg",
+    "**.png",
+    "**.lock",
+    "go.sum",
+    "go.mod",
+    # These files contain base64 strings that confuse the detector
+    "**XService**.ts",
+    "**identity.go",
+]

.gitignore

@@ -13,6 +13,9 @@ node_modules
 vendor
 .eslintcache
 yarn-error.log
+gotests.coverage
+.idea
+.DS_Store
 
 # Front-end ignore
 .next/
@@ -23,7 +26,19 @@ site/storybook-static/
 site/test-results/
 site/yarn-error.log
 coverage/
+site/**/*.typegen.ts
+site/build-storybook.log
 
 # Build
 dist/
 site/out/
+
+*.tfstate
+*.tfstate.backup
+*.tfplan
+*.lock.hcl
+.terraform/
+
+.vscode/*.log
+**/*.swp
+.coderv2/*

.golangci.yaml

@@ -27,7 +27,7 @@ linters-settings:
       - codegenComment
       # - commentedOutCode
       - commentedOutImport
-      # - commentFormatting
+      - commentFormatting
       - defaultCaseOrder
       - deferUnlambda
       # - deprecatedComment
@@ -54,7 +54,7 @@ linters-settings:
       # - importShadow
       - indexAlloc
       - initClause
-      # - ioutilDeprecated
+      - ioutilDeprecated
       - mapKey
       - methodExprCall
       # - nestingReduce
@@ -77,7 +77,7 @@ linters-settings:
       # - sloppyReassign
       - sloppyTypeAssert
       - sortSlice
-      # - sprintfQuotedString
+      - sprintfQuotedString
       - sqlQuery
       # - stringConcatSimplify
       # - stringXbytes
@@ -103,7 +103,14 @@ linters-settings:
     settings:
       ruleguard:
         failOn: all
-        rules: rules.go
+        rules: '${configDir}/scripts/rules.go'
+
+  staticcheck:
+    # https://staticcheck.io/docs/options#checks
+    # We disable SA1019 because it gets angry about our usage of xerrors. We
+    # intentionally xerrors because stack frame support didn't make it into the
+    # stdlib port.
+    checks: ["all", "-SA1019"]
 
   goimports:
     local-prefixes: coder.com,cdr.dev,go.coder.com,github.com/cdr,github.com/coder
@@ -154,7 +161,7 @@ linters-settings:
       - name: import-shadowing
       - name: increment-decrement
       - name: indent-error-flow
-      - name: modifies-parameter
+      # - name: modifies-parameter
       - name: modifies-value-receiver
       - name: package-comments
       - name: range
@@ -177,20 +184,6 @@ linters-settings:
       - name: var-declaration
       - name: var-naming
       - name: waitgroup-by-value
-  varnamelen:
-    ignore-names:
-      - err
-      - rw
-      - r
-      - i
-      - db
-    # Optional list of variable declarations that should be ignored completely. (defaults to empty list)
-    # Entries must be in the form of "<variable name> <type>" or "<variable name> *<type>" for
-    # variables, or "const <name>" for constants.
-    ignore-decls:
-      - rw http.ResponseWriter
-      - r *http.Request
-      - t testing.T
 
 issues:
   # Rules listed here: https://github.com/securego/gosec#available-rules
@@ -208,6 +201,8 @@ run:
   concurrency: 4
   skip-dirs:
     - node_modules
+  skip-files:
+    - scripts/rules.go
   timeout: 5m
 
 # Over time, add more and more linters from
@@ -245,11 +240,17 @@ linters:
     - staticcheck
     - structcheck
     - tenv
+    # In Go, it's possible for a package to test it's internal functionality
+    # without testing any exported functions. This is enabled to promote
+    # decomposing a package before testing it's internals. A function caller
+    # should be able to test most of the functionality from exported functions.
+    #
+    # There are edge-cases to this rule, but they should be carefully considered
+    # to avoid structural inconsistency.
     - testpackage
     - tparallel
     - typecheck
     - unconvert
     - unused
     - varcheck
-    - varnamelen
     - wastedassign

.goreleaser.yml

@@ -1,48 +0,0 @@
-archives:
-  - builds:
-      - coder
-    files:
-      - README.md
-
-before:
-  hooks:
-    - go mod tidy
-    - rm -f site/out/bin/coder*
-
-builds:
-  - id: coder-slim
-    dir: cmd/coder
-    flags: [-tags=slim]
-    ldflags: ["-s -w"]
-    env: [CGO_ENABLED=0]
-    goos: [darwin, linux, windows]
-    goarch: [amd64, arm64]
-    hooks:
-      # The "trimprefix" appends ".exe" on Windows.
-      post: |
-        cp {{.Path}} site/out/bin/coder_{{ .Os }}_{{ .Arch }}{{ trimprefix .Name "coder" }}
-
-  - id: coder
-    dir: cmd/coder
-    ldflags: ["-s -w"]
-    env: [CGO_ENABLED=0]
-    goos: [darwin, linux, windows]
-    goarch: [amd64, arm64]
-
-nfpms:
-  - vendor: Coder
-    homepage: https://coder.com
-    maintainer: Coder <support@coder.com>
-    description: |
-      Provision development environments with infrastructure with code
-    formats:
-      - apk
-      - deb
-      - rpm
-    suggests:
-      - postgresql
-    builds:
-      - coder
-
-release:
-  ids: [coder]

.vscode/extensions.json

@@ -7,6 +7,8 @@
     "emeraldwalk.runonsave",
     "zxh404.vscode-proto3",
     "redhat.vscode-yaml",
-    "streetsidesoftware.code-spell-checker"
+    "streetsidesoftware.code-spell-checker",
+    "dbaeumer.vscode-eslint",
+    "EditorConfig.EditorConfig"
   ]
 }

.vscode/settings.json

@@ -1,14 +1,133 @@
 {
+  "cSpell.words": [
+    "apps",
+    "awsidentity",
+    "bodyclose",
+    "buildinfo",
+    "buildname",
+    "circbuf",
+    "cliflag",
+    "cliui",
+    "coderd",
+    "coderdtest",
+    "codersdk",
+    "cronstrue",
+    "databasefake",
+    "devel",
+    "drpc",
+    "drpcconn",
+    "drpcmux",
+    "drpcserver",
+    "Dsts",
+    "fatih",
+    "Formik",
+    "gitsshkey",
+    "goarch",
+    "gographviz",
+    "goleak",
+    "gossh",
+    "gsyslog",
+    "hashicorp",
+    "hclsyntax",
+    "httpapi",
+    "httpmw",
+    "idtoken",
+    "Iflag",
+    "incpatch",
+    "isatty",
+    "Jobf",
+    "Keygen",
+    "kirsle",
+    "Kubernetes",
+    "ldflags",
+    "manifoldco",
+    "mapstructure",
+    "mattn",
+    "mitchellh",
+    "moby",
+    "namesgenerator",
+    "nfpms",
+    "nhooyr",
+    "nolint",
+    "nosec",
+    "ntqry",
+    "OIDC",
+    "oneof",
+    "paralleltest",
+    "parameterscopeid",
+    "pqtype",
+    "prometheusmetrics",
+    "promptui",
+    "protobuf",
+    "provisionerd",
+    "provisionersdk",
+    "ptty",
+    "ptytest",
+    "retrier",
+    "rpty",
+    "sdkproto",
+    "sdktrace",
+    "Signup",
+    "sourcemapped",
+    "Srcs",
+    "stretchr",
+    "TCGETS",
+    "tcpip",
+    "TCSETS",
+    "templateversions",
+    "testdata",
+    "testid",
+    "testutil",
+    "tfexec",
+    "tfjson",
+    "tfplan",
+    "tfstate",
+    "tparallel",
+    "trimprefix",
+    "turnconn",
+    "typegen",
+    "unconvert",
+    "Untar",
+    "VMID",
+    "weblinks",
+    "webrtc",
+    "workspaceagent",
+    "workspaceapp",
+    "workspaceapps",
+    "workspacebuilds",
+    "workspacename",
+    "wsconncache",
+    "xerrors",
+    "xstate",
+    "yamux"
+  ],
+  "emeraldwalk.runonsave": {
+    "commands": [
+      {
+        "match": "database/queries/*.sql",
+        "cmd": "make gen"
+      },
+      {
+        "match": "provisionerd/proto/provisionerd.proto",
+        "cmd": "make provisionerd/proto/provisionerd.pb.go"
+      }
+    ]
+  },
+  "eslint.workingDirectories": ["./site"],
   "files.exclude": {
     "**/node_modules": true
   },
+  // Ensure files always have a newline.
+  "files.insertFinalNewline": true,
   "go.lintTool": "golangci-lint",
   "go.lintFlags": ["--fast"],
   "go.lintOnSave": "package",
   "go.coverOnSave": true,
   // The codersdk is used by coderd another other packages extensively.
   // To reduce redundancy in tests, it's covered by other packages.
-  "go.testFlags": ["-coverpkg=./.,github.com/coder/coder/codersdk"],
+  // Since package coverage pairing can't be defined, all packages cover
+  // all other packages.
+  "go.testFlags": ["-short", "-coverpkg=./..."],
   "go.coverageDecorator": {
     "type": "gutter",
     "coveredHighlightColor": "rgba(64,128,128,0.5)",
@@ -18,63 +137,7 @@
     "coveredGutterStyle": "blockgreen",
     "uncoveredGutterStyle": "blockred"
   },
-  "emeraldwalk.runonsave": {
-    "commands": [
-      {
-        "match": "database/query.sql",
-        "cmd": "make gen"
-      }
-    ]
-  },
-  "cSpell.words": [
-    "coderd",
-    "coderdtest",
-    "codersdk",
-    "drpc",
-    "drpcconn",
-    "drpcmux",
-    "drpcserver",
-    "fatih",
-    "goarch",
-    "goleak",
-    "gossh",
-    "hashicorp",
-    "httpmw",
-    "idtoken",
-    "incpatch",
-    "isatty",
-    "Jobf",
-    "kirsle",
-    "ldflags",
-    "manifoldco",
-    "mattn",
-    "mitchellh",
-    "moby",
-    "nfpms",
-    "nhooyr",
-    "nolint",
-    "nosec",
-    "ntqry",
-    "oneof",
-    "parameterscopeid",
-    "pqtype",
-    "promptui",
-    "protobuf",
-    "provisionerd",
-    "provisionersdk",
-    "ptty",
-    "ptytest",
-    "retrier",
-    "sdkproto",
-    "stretchr",
-    "tcpip",
-    "tfexec",
-    "tfstate",
-    "trimprefix",
-    "unconvert",
-    "webrtc",
-    "xerrors",
-    "yamux"
-  ],
-  "eslint.workingDirectories": ["./site"]
+  // We often use a version of TypeScript that's ahead of the version shipped
+  // with VS Code.
+  "typescript.tsdk": "./site/node_modules/typescript/lib"
 }

Dockerfile

@@ -0,0 +1,30 @@
+# This is the multi-arch Dockerfile used for Coder. Since it's multi-arch and
+# cross-compiled, it cannot have ANY "RUN" commands. All binaries are built
+# using the go toolchain on the host and then copied into the build context by
+# scripts/build_docker.sh.
+FROM alpine:latest
+
+# LABEL doesn't add any real layers so it's fine (and easier) to do it here than
+# in the build script.
+ARG CODER_VERSION
+LABEL \
+	org.opencontainers.image.title="Coder" \
+	org.opencontainers.image.description="A tool for provisioning self-hosted development environments with Terraform." \
+	org.opencontainers.image.url="https://github.com/coder/coder" \
+	org.opencontainers.image.source="https://github.com/coder/coder" \
+	org.opencontainers.image.version="$CODER_VERSION" \
+	org.opencontainers.image.licenses="AGPL-3.0"
+
+# The coder binary is injected by scripts/build_docker.sh.
+COPY --chown=coder:coder --chmod=755 coder /opt/coder
+
+# Create coder group and user. We cannot use `addgroup` and `adduser` because
+# they won't work if we're building the image for a different architecture.
+COPY --chown=root:root --chmod=644 group passwd /etc/
+COPY --chown=coder:coder --chmod=700 empty-dir /home/coder
+
+USER coder:coder
+ENV HOME=/home/coder
+WORKDIR /home/coder
+
+ENTRYPOINT [ "/opt/coder", "server" ]

LICENSE

@@ -0,0 +1,661 @@
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU Affero General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published
+    by the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.

LICENSE.enterprise

@@ -0,0 +1,9 @@
+LICENSE (GNU Affero General Public License) applies to
+all files in this repository, except for those in or under
+any directory named "enterprise", which are Copyright Coder
+Technologies, Inc., All Rights Reserved.
+
+We plan to release an enterprise license covering these files
+as soon as possible.  Watch this space.
+
+

Makefile

@@ -1,94 +1,206 @@
+.DEFAULT_GOAL := build
+
+# Use a single bash shell for each job, and immediately exit on failure
+SHELL := bash
+.SHELLFLAGS = -ceu
+.ONESHELL:
+
+# This doesn't work on directories.
+# See https://stackoverflow.com/questions/25752543/make-delete-on-error-for-directory-targets
+.DELETE_ON_ERROR:
+
 INSTALL_DIR=$(shell go env GOPATH)/bin
 GOOS=$(shell go env GOOS)
 GOARCH=$(shell go env GOARCH)
+VERSION=$(shell ./scripts/version.sh)
 
-bin:
-	goreleaser build --single-target --snapshot --rm-dist
+bin: $(shell find . -not -path './vendor/*' -type f -name '*.go') go.mod go.sum $(shell find ./examples/templates)
+	@echo "== This builds slim binaries for command-line usage."
+	@echo "== Use \"make build\" to embed the site."
+
+	mkdir -p ./dist
+	rm -rf ./dist/coder-slim_*
+	rm -f ./site/out/bin/coder*
+	./scripts/build_go_slim.sh \
+		--compress 6 \
+		--version "$(VERSION)" \
+		--output ./dist/ \
+		linux:amd64,armv7,arm64 \
+		windows:amd64,arm64 \
+		darwin:amd64,arm64
 .PHONY: bin
 
-build: site/out bin
+build: site/out/index.html $(shell find . -not -path './vendor/*' -type f -name '*.go') go.mod go.sum $(shell find ./examples/templates)
+	rm -rf ./dist
+	mkdir -p ./dist
+	rm -f ./site/out/bin/coder*
+
+	# build slim artifacts and copy them to the site output directory
+	./scripts/build_go_slim.sh \
+		--version "$(VERSION)" \
+		--compress 6 \
+		--output ./dist/ \
+		linux:amd64,armv7,arm64 \
+		windows:amd64,arm64 \
+		darwin:amd64,arm64
+
+	# build not-so-slim artifacts with the default name format
+	./scripts/build_go_matrix.sh \
+		--version "$(VERSION)" \
+		--output ./dist/ \
+		--archive \
+		--package-linux \
+		linux:amd64,armv7,arm64 \
+		windows:amd64,arm64 \
+		darwin:amd64,arm64
 .PHONY: build
 
 # Runs migrations to output a dump of the database.
-database/dump.sql: $(wildcard database/migrations/*.sql)
-	go run database/dump/main.go
+coderd/database/dump.sql: coderd/database/dump/main.go $(wildcard coderd/database/migrations/*.sql)
+	go run coderd/database/dump/main.go
 
 # Generates Go code for querying the database.
-database/generate: fmt/sql database/dump.sql database/query.sql
-	cd database && sqlc generate && rm db_tmp.go
-	cd database && gofmt -w -r 'Querier -> querier' *.go
-	cd database && gofmt -w -r 'Queries -> sqlQuerier' *.go
-.PHONY: database/generate
-
-docker/image/coder: build
-	cp ./images/coder/run.sh ./dist/coder_$(GOOS)_$(GOARCH)
-	docker build --network=host -t us-docker.pkg.dev/coder-blacktriangle-dev/ci/coder:latest -f images/coder/Dockerfile ./dist/coder_$(GOOS)_$(GOARCH)
-.PHONY: docker/build
+coderd/database/querier.go: coderd/database/sqlc.yaml coderd/database/dump.sql $(wildcard coderd/database/queries/*.sql)
+	coderd/database/generate.sh
 
 fmt/prettier:
 	@echo "--- prettier"
+	cd site
 # Avoid writing files in CI to reduce file write activity
 ifdef CI
-	cd site && yarn run format:check
+	yarn run format:check
 else
-	cd site && yarn run format:write
+	yarn run format:write
 endif
 .PHONY: fmt/prettier
 
-fmt/sql: ./database/query.sql
-	npx sql-formatter \
-		--language postgresql \
-		--lines-between-queries 2 \
-		./database/query.sql \
-		--output ./database/query.sql
-	sed -i 's/@ /@/g' ./database/query.sql
+fmt/terraform: $(wildcard *.tf)
+	terraform fmt -recursive
+.PHONY: fmt/terraform
 
-fmt: fmt/prettier fmt/sql
+fmt/shfmt: $(shell shfmt -f .)
+	@echo "--- shfmt"
+# Only do diff check in CI, errors on diff.
+ifdef CI
+	shfmt -d $(shell shfmt -f .)
+else
+	shfmt -w $(shell shfmt -f .)
+endif
+.PHONY: fmt/shfmt
+
+fmt: fmt/prettier fmt/terraform fmt/shfmt
 .PHONY: fmt
 
-gen: database/generate peerbroker/proto provisionersdk/proto provisionerd/proto
+gen: coderd/database/querier.go peerbroker/proto/peerbroker.pb.go provisionersdk/proto/provisioner.pb.go provisionerd/proto/provisionerd.pb.go site/src/api/typesGenerated.ts
 .PHONY: gen
 
-install: bin
-	@echo "--- Copying from bin to $(INSTALL_DIR)"
-	cp -r ./dist/coder_$(GOOS)_$(GOARCH) $(INSTALL_DIR)
-	@echo "-- CLI available at $(shell ls $(INSTALL_DIR)/coder*)"
+install: site/out/index.html $(shell find . -not -path './vendor/*' -type f -name '*.go') go.mod go.sum $(shell find ./examples/templates)
+	@output_file="$(INSTALL_DIR)/coder"
+
+	@if [[ "$(GOOS)" == "windows" ]]; then
+		@output_file="$${output_file}.exe"
+	@fi
+
+	@echo "-- Building CLI for $(GOOS) $(GOARCH) at $$output_file"
+
+	./scripts/build_go.sh \
+		--version "$(VERSION)" \
+		--output "$$output_file" \
+		--os "$(GOOS)" \
+		--arch "$(GOARCH)"
+
+	@echo
 .PHONY: install
 
-peerbroker/proto: peerbroker/proto/peerbroker.proto
+lint: lint/shellcheck lint/go
+.PHONY: lint
+
+lint/go:
+	./scripts/check_enterprise_imports.sh
+	golangci-lint run
+.PHONY: lint/go
+
+# Use shfmt to determine the shell files, takes editorconfig into consideration.
+lint/shellcheck: $(shell shfmt -f .)
+	@echo "--- shellcheck"
+	shellcheck --external-sources $(shell shfmt -f .)
+.PHONY: lint/shellcheck
+
+peerbroker/proto/peerbroker.pb.go: peerbroker/proto/peerbroker.proto
 	protoc \
 		--go_out=. \
 		--go_opt=paths=source_relative \
 		--go-drpc_out=. \
 		--go-drpc_opt=paths=source_relative \
 		./peerbroker/proto/peerbroker.proto
-.PHONY: peerbroker/proto
 
-provisionerd/proto: provisionerd/proto/provisionerd.proto
+provisionerd/proto/provisionerd.pb.go: provisionerd/proto/provisionerd.proto
 	protoc \
 		--go_out=. \
 		--go_opt=paths=source_relative \
 		--go-drpc_out=. \
 		--go-drpc_opt=paths=source_relative \
 		./provisionerd/proto/provisionerd.proto
-.PHONY: provisionerd/proto
 
-provisionersdk/proto: provisionersdk/proto/provisioner.proto
+provisionersdk/proto/provisioner.pb.go: provisionersdk/proto/provisioner.proto
 	protoc \
 		--go_out=. \
 		--go_opt=paths=source_relative \
 		--go-drpc_out=. \
 		--go-drpc_opt=paths=source_relative \
 		./provisionersdk/proto/provisioner.proto
-.PHONY: provisionersdk/proto
 
-site/out: 
+site/out/index.html: $(shell find ./site -not -path './site/node_modules/*' -type f -name '*.tsx') $(shell find ./site -not -path './site/node_modules/*' -type f -name '*.ts') site/package.json
 	./scripts/yarn_install.sh
-	cd site && yarn build
+	cd site
+	yarn typegen
+	yarn build
 	# Restores GITKEEP files!
-	git checkout HEAD site/out
-.PHONY: site/out
+	git checkout HEAD out
 
-snapshot: 
-	goreleaser release --snapshot --rm-dist
-.PHONY: snapshot
+site/src/api/typesGenerated.ts: scripts/apitypings/main.go $(shell find codersdk -type f -name '*.go')
+	go run scripts/apitypings/main.go > site/src/api/typesGenerated.ts
+	cd site
+	yarn run format:types
+
+test: test-clean
+	gotestsum -- -v -short ./...
+.PHONY: test
+
+# When updating -timeout for this test, keep in sync with
+# test-go-postgres (.github/workflows/coder.yaml).
+test-postgres: test-clean test-postgres-docker
+	DB=ci DB_FROM=$(shell go run scripts/migrate-ci/main.go) gotestsum --junitfile="gotests.xml" --packages="./..." -- \
+		-covermode=atomic -coverprofile="gotests.coverage" -timeout=20m \
+		-coverpkg=./... \
+		-count=1 -race -failfast
+.PHONY: test-postgres
+
+test-postgres-docker:
+	docker rm -f test-postgres-docker || true
+	docker run \
+		--env POSTGRES_PASSWORD=postgres \
+		--env POSTGRES_USER=postgres \
+		--env POSTGRES_DB=postgres \
+		--env PGDATA=/tmp \
+		--tmpfs /tmp \
+		--publish 5432:5432 \
+		--name test-postgres-docker \
+		--restart no \
+		--detach \
+		postgres:13 \
+		-c shared_buffers=1GB \
+		-c max_connections=1000 \
+		-c fsync=off \
+		-c synchronous_commit=off \
+		-c full_page_writes=off
+	while ! pg_isready -h 127.0.0.1
+	do
+		echo "$(date) - waiting for database to start"
+		sleep 0.5
+	done
+.PHONY: test-postgres-docker
+
+test-clean:
+	go clean -testcache
+.PHONY: test-clean

README.md

@@ -1,78 +1,100 @@
-[![coder](https://github.com/coder/coder/actions/workflows/coder.yaml/badge.svg)](https://github.com/coder/coder/actions/workflows/coder.yaml)
+# Coder
+
+[!["Join us on
+Discord"](https://img.shields.io/badge/join-us%20on%20Discord-gray.svg?longCache=true&logo=discord&colorB=green)](https://discord.gg/coder)
 [![codecov](https://codecov.io/gh/coder/coder/branch/main/graph/badge.svg?token=TNLW3OAP6G)](https://codecov.io/gh/coder/coder)
+[![Go Reference](https://pkg.go.dev/badge/github.com/coder/coder.svg)](https://pkg.go.dev/github.com/coder/coder)
+[![Twitter
+Follow](https://img.shields.io/twitter/follow/coderhq?label=%40coderhq&style=social)](https://twitter.com/coderhq)
 
-# Coder v2
+Coder creates remote development machines so your team can develop from anywhere.
 
-This repository contains source code for Coder V2. Additional documentation:
+<p align="center">
+  <img src="./docs/images/hero-image.png">
+</p>
 
-- [Workspaces V2 RFC](https://www.notion.so/coderhq/b48040da8bfe46eca1f32749b69420dd?v=a4e7d23495094644b939b08caba8e381&p=e908a8cd54804ddd910367abf03c8d0a)
+**Manage less**
 
-## Directory Structure
+- Ensure your entire team is using the same tools and resources
+  - Rollout critical updates to your developers with one command
+- Automatically shut down expensive cloud resources
+- Keep your source code and data behind your firewall
 
-- `.github/`: Settings for [Dependabot for updating dependencies](https://docs.github.com/en/code-security/supply-chain-security/customizing-dependency-updates) and [build/deploy pipelines with GitHub Actions](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions).
-  - [`semantic.yaml`](./github/semantic.yaml): Configuration for [semantic pull requests](https://github.com/apps/semantic-pull-requests)
-- `examples`: Example terraform project templates.
-- `site`: Front-end UI code.
+**Code more**
 
-## Development
+- Build and test faster
+  - Leveraging cloud CPUs, RAM, network speeds, etc.
+- Access your environment from any place on any client (even an iPad)
+- Onboard instantly then stay up to date continuously
 
-### Pre-requisites
+## Getting Started
 
-- `git`
-- `go` version 1.17, with the `GOPATH` environment variable set
-- `node`
-- `yarn`
+> **Note**:
+> Coder is in a beta state. [Report issues here](https://github.com/coder/coder/issues/new).
 
-### Cloning
+The easiest way to install Coder is to use our [install script](https://github.com/coder/coder/blob/main/install.sh) for Linux and macOS.
 
-- `git clone https://github.com/coder/coder`
-- `cd coder`
+To install, run:
 
-### Building
+```bash
+curl -L https://coder.com/install.sh | sh
+```
 
-- `make build`
-- `make install`
+You can preview what occurs during the install process:
 
-The `coder` CLI binary will now be available at `$GOPATH/bin/coder`
+```bash
+curl -L https://coder.com/install.sh | sh -s -- --dry-run
+```
 
-### Running
+You can modify the installation process by including flags. Run the help command for reference:
 
-After building, the binaries will be available at:
-- `dist/coder_{os}_{arch}/coder`
+```bash
+curl -L https://coder.com/install.sh | sh -s -- --help
+```
 
-For the purpose of these steps, an OS of `linux` and an arch of `amd64` is assumed.
+> See [install](docs/install.md) for additional methods.
 
-To manually run the server and go through first-time set up, run the following commands in separate terminals:
-- `dist/coder_linux_amd64/coder daemon` <-- starts the Coder server on port 3000
-- `dist/coder_linux_amd64/coder login http://localhost:3000` <-- runs through first-time setup, creating a user and org
+Once installed, you can start a production deployment<sup>1</sup> with a single command:
 
-You'll now be able to login and access the server.
+```sh
+# Automatically sets up an external access URL on *.try.coder.app
+coder server --tunnel
 
-To create a project, run:
-- `dist/coder_linux_amd64/coder projects create -d /path/to/project`
+# Requires a PostgreSQL instance and external access URL
+coder server --postgres-url <url> --access-url <url>
+```
 
-### Development
+> <sup>1</sup> The embedded database is great for trying out Coder with small deployments, but do consider using an external database for increased assurance and control.
 
-- `./develop.sh`
+Use `coder --help` to get a complete list of flags and environment variables. Use our [quickstart guide](https://coder.com/docs/coder-oss/latest/quickstart) for a full walkthrough.
 
-The `develop.sh` script does three things:
+## Documentation
 
-- runs `coder daemon` locally on port `3000`
-- runs `webpack-dev-server` on port `8080`
-- sets up an initial user and organization
+Visit our docs [here](https://coder.com/docs/coder-oss).
 
-This is the recommend flow for working on the front-end, as hot-reload is set up as part of the webpack config.
+## Comparison
 
-## Front-End Plan
+Please file [an issue](https://github.com/coder/coder/issues/new) if any information is out of date. Also refer to: [What Coder is not](https://coder.com/docs/coder-oss/latest/index#what-coder-is-not).
 
-For the front-end team, we're planning on 2 phases to the 'v2' work:
+| Tool                                                        | Type     | Delivery Model     | Cost                          | Environments                                                                                                                                               |
+| :---------------------------------------------------------- | :------- | :----------------- | :---------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [Coder](https://github.com/coder/coder)                     | Platform | OSS + Self-Managed | Pay your cloud                | All [Terraform](https://www.terraform.io/registry/providers) resources, all clouds, multi-architecture: Linux, Mac, Windows, containers, VMs, amd64, arm64 |
+| [code-server](https://github.com/cdr/code-server)           | Web IDE  | OSS + Self-Managed | Pay your cloud                | Linux, Mac, Windows, containers, VMs, amd64, arm64                                                                                                         |
+| [Coder (Classic)](https://coder.com/docs)                   | Platform | Self-Managed       | Pay your cloud + license fees | Kubernetes Linux Containers                                                                                                                                |
+| [GitHub Codespaces](https://github.com/features/codespaces) | Platform | SaaS               | 2x Azure Compute              | Linux containers                                                                                                                                           |
 
-### Phase 1
+---
 
-Phase 1 is the 'new-wine-in-an-old-bottle' approach - we want to preserve the look and feel (UX) of v1, while testing and validating the market fit of our new v2 provisioner model. This means that we'll preserve Material UI and re-use components from v1 (porting them over to the v2 codebase).
+_Last updated: 5/27/22_
 
-### Phase 2
+## Community and Support
 
-Phase 2 is the 'new-wine-in-a-new-bottle' - which we can do once we've successfully packaged the new wine in the old bottle.
+Join our community on [Discord](https://discord.gg/coder) and [Twitter](https://twitter.com/coderhq)!
 
-In other words, once we've validated that the new strategy fits and is desirable for our customers, we'd like to build a new, v2-native UI (leveraging designers on the team to build a first-class experience around the new provisioner model).
+[Suggest improvements and report problems](https://github.com/coder/coder/issues/new/choose)
+
+## Contributing
+
+Read the [contributing docs](https://coder.com/docs/coder-oss/latest/CONTRIBUTING).
+
+Find our list of contributors [here](https://github.com/coder/coder/graphs/contributors).

agent/agent_test.go

@@ -1,15 +1,34 @@
 package agent_test
 
 import (
+	"bufio"
 	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"os/exec"
+	"path/filepath"
 	"runtime"
+	"strconv"
 	"strings"
 	"testing"
+	"time"
 
+	"golang.org/x/xerrors"
+
+	scp "github.com/bramvdbogaerde/go-scp"
+	"github.com/google/uuid"
+	"github.com/pion/udp"
 	"github.com/pion/webrtc/v3"
+	"github.com/pkg/sftp"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"
 	"golang.org/x/crypto/ssh"
+	"golang.org/x/text/encoding/unicode"
+	"golang.org/x/text/transform"
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/slogtest"
@@ -19,6 +38,7 @@ import (
 	"github.com/coder/coder/peerbroker/proto"
 	"github.com/coder/coder/provisionersdk"
 	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
 )
 
 func TestMain(m *testing.M) {
@@ -29,20 +49,8 @@ func TestAgent(t *testing.T) {
 	t.Parallel()
 	t.Run("SessionExec", func(t *testing.T) {
 		t.Parallel()
-		api := setup(t)
-		stream, err := api.NegotiateConnection(context.Background())
-		require.NoError(t, err)
-		conn, err := peerbroker.Dial(stream, []webrtc.ICEServer{}, &peer.ConnOptions{
-			Logger: slogtest.Make(t, nil),
-		})
-		require.NoError(t, err)
-		t.Cleanup(func() {
-			_ = conn.Close()
-		})
-		sshClient, err := agent.DialSSHClient(conn)
-		require.NoError(t, err)
-		session, err := sshClient.NewSession()
-		require.NoError(t, err)
+		session := setupSSHSession(t, agent.Metadata{})
+
 		command := "echo test"
 		if runtime.GOOS == "windows" {
 			command = "cmd.exe /c echo test"
@@ -52,29 +60,32 @@ func TestAgent(t *testing.T) {
 		require.Equal(t, "test", strings.TrimSpace(string(output)))
 	})
 
-	t.Run("SessionTTY", func(t *testing.T) {
+	t.Run("GitSSH", func(t *testing.T) {
 		t.Parallel()
-		api := setup(t)
-		stream, err := api.NegotiateConnection(context.Background())
+		session := setupSSHSession(t, agent.Metadata{})
+		command := "sh -c 'echo $GIT_SSH_COMMAND'"
+		if runtime.GOOS == "windows" {
+			command = "cmd.exe /c echo %GIT_SSH_COMMAND%"
+		}
+		output, err := session.Output(command)
 		require.NoError(t, err)
-		conn, err := peerbroker.Dial(stream, []webrtc.ICEServer{}, &peer.ConnOptions{
-			Logger: slogtest.Make(t, nil),
-		})
-		require.NoError(t, err)
-		t.Cleanup(func() {
-			_ = conn.Close()
-		})
-		sshClient, err := agent.DialSSHClient(conn)
-		require.NoError(t, err)
-		session, err := sshClient.NewSession()
-		require.NoError(t, err)
-		prompt := "$"
+		require.True(t, strings.HasSuffix(strings.TrimSpace(string(output)), "gitssh --"))
+	})
+
+	t.Run("SessionTTYShell", func(t *testing.T) {
+		t.Parallel()
+		if runtime.GOOS == "windows" {
+			// This might be our implementation, or ConPTY itself.
+			// It's difficult to find extensive tests for it, so
+			// it seems like it could be either.
+			t.Skip("ConPTY appears to be inconsistent on Windows.")
+		}
+		session := setupSSHSession(t, agent.Metadata{})
 		command := "bash"
 		if runtime.GOOS == "windows" {
 			command = "cmd.exe"
-			prompt = ">"
 		}
-		err = session.RequestPty("xterm", 128, 128, ssh.TerminalModes{})
+		err := session.RequestPty("xterm", 128, 128, ssh.TerminalModes{})
 		require.NoError(t, err)
 		ptty := ptytest.New(t)
 		require.NoError(t, err)
@@ -83,26 +94,475 @@ func TestAgent(t *testing.T) {
 		session.Stdin = ptty.Input()
 		err = session.Start(command)
 		require.NoError(t, err)
-		ptty.ExpectMatch(prompt)
+		caret := "$"
+		if runtime.GOOS == "windows" {
+			caret = ">"
+		}
+		ptty.ExpectMatch(caret)
 		ptty.WriteLine("echo test")
 		ptty.ExpectMatch("test")
 		ptty.WriteLine("exit")
 		err = session.Wait()
 		require.NoError(t, err)
 	})
+
+	t.Run("SessionTTYExitCode", func(t *testing.T) {
+		t.Parallel()
+		session := setupSSHSession(t, agent.Metadata{})
+		command := "areallynotrealcommand"
+		err := session.RequestPty("xterm", 128, 128, ssh.TerminalModes{})
+		require.NoError(t, err)
+		ptty := ptytest.New(t)
+		require.NoError(t, err)
+		session.Stdout = ptty.Output()
+		session.Stderr = ptty.Output()
+		session.Stdin = ptty.Input()
+		err = session.Start(command)
+		require.NoError(t, err)
+		err = session.Wait()
+		exitErr := &ssh.ExitError{}
+		require.True(t, xerrors.As(err, &exitErr))
+		if runtime.GOOS == "windows" {
+			assert.Equal(t, 1, exitErr.ExitStatus())
+		} else {
+			assert.Equal(t, 127, exitErr.ExitStatus())
+		}
+	})
+
+	t.Run("LocalForwarding", func(t *testing.T) {
+		t.Parallel()
+		random, err := net.Listen("tcp", "127.0.0.1:0")
+		require.NoError(t, err)
+		_ = random.Close()
+		tcpAddr, valid := random.Addr().(*net.TCPAddr)
+		require.True(t, valid)
+		randomPort := tcpAddr.Port
+
+		local, err := net.Listen("tcp", "127.0.0.1:0")
+		require.NoError(t, err)
+		defer local.Close()
+		tcpAddr, valid = local.Addr().(*net.TCPAddr)
+		require.True(t, valid)
+		localPort := tcpAddr.Port
+		done := make(chan struct{})
+		go func() {
+			defer close(done)
+			conn, err := local.Accept()
+			if !assert.NoError(t, err) {
+				return
+			}
+			_ = conn.Close()
+		}()
+
+		err = setupSSHCommand(t, []string{"-L", fmt.Sprintf("%d:127.0.0.1:%d", randomPort, localPort)}, []string{"echo", "test"}).Start()
+		require.NoError(t, err)
+
+		conn, err := net.Dial("tcp", "127.0.0.1:"+strconv.Itoa(localPort))
+		require.NoError(t, err)
+		conn.Close()
+		<-done
+	})
+
+	t.Run("SFTP", func(t *testing.T) {
+		t.Parallel()
+		sshClient, err := setupAgent(t, agent.Metadata{}, 0).SSHClient()
+		require.NoError(t, err)
+		client, err := sftp.NewClient(sshClient)
+		require.NoError(t, err)
+		tempFile := filepath.Join(t.TempDir(), "sftp")
+		file, err := client.Create(tempFile)
+		require.NoError(t, err)
+		err = file.Close()
+		require.NoError(t, err)
+		_, err = os.Stat(tempFile)
+		require.NoError(t, err)
+	})
+
+	t.Run("SCP", func(t *testing.T) {
+		t.Parallel()
+		sshClient, err := setupAgent(t, agent.Metadata{}, 0).SSHClient()
+		require.NoError(t, err)
+		scpClient, err := scp.NewClientBySSH(sshClient)
+		require.NoError(t, err)
+		tempFile := filepath.Join(t.TempDir(), "scp")
+		content := "hello world"
+		err = scpClient.CopyFile(context.Background(), strings.NewReader(content), tempFile, "0755")
+		require.NoError(t, err)
+		_, err = os.Stat(tempFile)
+		require.NoError(t, err)
+	})
+
+	t.Run("EnvironmentVariables", func(t *testing.T) {
+		t.Parallel()
+		key := "EXAMPLE"
+		value := "value"
+		session := setupSSHSession(t, agent.Metadata{
+			EnvironmentVariables: map[string]string{
+				key: value,
+			},
+		})
+		command := "sh -c 'echo $" + key + "'"
+		if runtime.GOOS == "windows" {
+			command = "cmd.exe /c echo %" + key + "%"
+		}
+		output, err := session.Output(command)
+		require.NoError(t, err)
+		require.Equal(t, value, strings.TrimSpace(string(output)))
+	})
+
+	t.Run("EnvironmentVariableExpansion", func(t *testing.T) {
+		t.Parallel()
+		key := "EXAMPLE"
+		session := setupSSHSession(t, agent.Metadata{
+			EnvironmentVariables: map[string]string{
+				key: "$SOMETHINGNOTSET",
+			},
+		})
+		command := "sh -c 'echo $" + key + "'"
+		if runtime.GOOS == "windows" {
+			command = "cmd.exe /c echo %" + key + "%"
+		}
+		output, err := session.Output(command)
+		require.NoError(t, err)
+		expect := ""
+		if runtime.GOOS == "windows" {
+			expect = "%EXAMPLE%"
+		}
+		// Output should be empty, because the variable is not set!
+		require.Equal(t, expect, strings.TrimSpace(string(output)))
+	})
+
+	t.Run("Coder env vars", func(t *testing.T) {
+		t.Parallel()
+
+		for _, key := range []string{"CODER"} {
+			key := key
+			t.Run(key, func(t *testing.T) {
+				t.Parallel()
+
+				session := setupSSHSession(t, agent.Metadata{})
+				command := "sh -c 'echo $" + key + "'"
+				if runtime.GOOS == "windows" {
+					command = "cmd.exe /c echo %" + key + "%"
+				}
+				output, err := session.Output(command)
+				require.NoError(t, err)
+				require.NotEmpty(t, strings.TrimSpace(string(output)))
+			})
+		}
+	})
+
+	t.Run("SSH connection env vars", func(t *testing.T) {
+		t.Parallel()
+
+		// Note: the SSH_TTY environment variable should only be set for TTYs.
+		// For some reason this test produces a TTY locally and a non-TTY in CI
+		// so we don't test for the absence of SSH_TTY.
+		for _, key := range []string{"SSH_CONNECTION", "SSH_CLIENT"} {
+			key := key
+			t.Run(key, func(t *testing.T) {
+				t.Parallel()
+
+				session := setupSSHSession(t, agent.Metadata{})
+				command := "sh -c 'echo $" + key + "'"
+				if runtime.GOOS == "windows" {
+					command = "cmd.exe /c echo %" + key + "%"
+				}
+				output, err := session.Output(command)
+				require.NoError(t, err)
+				require.NotEmpty(t, strings.TrimSpace(string(output)))
+			})
+		}
+	})
+
+	t.Run("StartupScript", func(t *testing.T) {
+		t.Parallel()
+		tempPath := filepath.Join(t.TempDir(), "content.txt")
+		content := "somethingnice"
+		setupAgent(t, agent.Metadata{
+			StartupScript: fmt.Sprintf("echo %s > %s", content, tempPath),
+		}, 0)
+
+		var gotContent string
+		require.Eventually(t, func() bool {
+			content, err := os.ReadFile(tempPath)
+			if err != nil {
+				return false
+			}
+			if len(content) == 0 {
+				return false
+			}
+			if runtime.GOOS == "windows" {
+				// Windows uses UTF16! 🪟🪟🪟
+				content, _, err = transform.Bytes(unicode.UTF16(unicode.LittleEndian, unicode.UseBOM).NewDecoder(), content)
+				if !assert.NoError(t, err) {
+					return false
+				}
+			}
+			gotContent = string(content)
+			return true
+		}, testutil.WaitMedium, testutil.IntervalMedium)
+		require.Equal(t, content, strings.TrimSpace(gotContent))
+	})
+
+	t.Run("ReconnectingPTY", func(t *testing.T) {
+		t.Parallel()
+		if runtime.GOOS == "windows" {
+			// This might be our implementation, or ConPTY itself.
+			// It's difficult to find extensive tests for it, so
+			// it seems like it could be either.
+			t.Skip("ConPTY appears to be inconsistent on Windows.")
+		}
+
+		conn := setupAgent(t, agent.Metadata{}, 0)
+		id := uuid.NewString()
+		netConn, err := conn.ReconnectingPTY(id, 100, 100, "/bin/bash")
+		require.NoError(t, err)
+		bufRead := bufio.NewReader(netConn)
+
+		// Brief pause to reduce the likelihood that we send keystrokes while
+		// the shell is simultaneously sending a prompt.
+		time.Sleep(100 * time.Millisecond)
+
+		data, err := json.Marshal(agent.ReconnectingPTYRequest{
+			Data: "echo test\r\n",
+		})
+		require.NoError(t, err)
+		_, err = netConn.Write(data)
+		require.NoError(t, err)
+
+		expectLine := func(matcher func(string) bool) {
+			for {
+				line, err := bufRead.ReadString('\n')
+				require.NoError(t, err)
+				if matcher(line) {
+					break
+				}
+			}
+		}
+
+		matchEchoCommand := func(line string) bool {
+			return strings.Contains(line, "echo test")
+		}
+		matchEchoOutput := func(line string) bool {
+			return strings.Contains(line, "test") && !strings.Contains(line, "echo")
+		}
+
+		// Once for typing the command...
+		expectLine(matchEchoCommand)
+		// And another time for the actual output.
+		expectLine(matchEchoOutput)
+
+		_ = netConn.Close()
+		netConn, err = conn.ReconnectingPTY(id, 100, 100, "/bin/bash")
+		require.NoError(t, err)
+		bufRead = bufio.NewReader(netConn)
+
+		// Same output again!
+		expectLine(matchEchoCommand)
+		expectLine(matchEchoOutput)
+	})
+
+	t.Run("Dial", func(t *testing.T) {
+		t.Parallel()
+
+		cases := []struct {
+			name  string
+			setup func(t *testing.T) net.Listener
+		}{
+			{
+				name: "TCP",
+				setup: func(t *testing.T) net.Listener {
+					l, err := net.Listen("tcp", "127.0.0.1:0")
+					require.NoError(t, err, "create TCP listener")
+					return l
+				},
+			},
+			{
+				name: "UDP",
+				setup: func(t *testing.T) net.Listener {
+					addr := net.UDPAddr{
+						IP:   net.ParseIP("127.0.0.1"),
+						Port: 0,
+					}
+					l, err := udp.Listen("udp", &addr)
+					require.NoError(t, err, "create UDP listener")
+					return l
+				},
+			},
+			{
+				name: "Unix",
+				setup: func(t *testing.T) net.Listener {
+					if runtime.GOOS == "windows" {
+						t.Skip("Unix socket forwarding isn't supported on Windows")
+					}
+
+					tmpDir := t.TempDir()
+					l, err := net.Listen("unix", filepath.Join(tmpDir, "test.sock"))
+					require.NoError(t, err, "create UDP listener")
+					return l
+				},
+			},
+		}
+
+		for _, c := range cases {
+			c := c
+			t.Run(c.name, func(t *testing.T) {
+				t.Parallel()
+
+				// Setup listener
+				l := c.setup(t)
+				defer l.Close()
+				go func() {
+					for {
+						c, err := l.Accept()
+						if err != nil {
+							return
+						}
+
+						go testAccept(t, c)
+					}
+				}()
+
+				// Dial the listener over WebRTC twice and test out of order
+				conn := setupAgent(t, agent.Metadata{}, 0)
+				conn1, err := conn.DialContext(context.Background(), l.Addr().Network(), l.Addr().String())
+				require.NoError(t, err)
+				defer conn1.Close()
+				conn2, err := conn.DialContext(context.Background(), l.Addr().Network(), l.Addr().String())
+				require.NoError(t, err)
+				defer conn2.Close()
+				testDial(t, conn2)
+				testDial(t, conn1)
+			})
+		}
+	})
+
+	t.Run("DialError", func(t *testing.T) {
+		t.Parallel()
+
+		if runtime.GOOS == "windows" {
+			// This test uses Unix listeners so we can very easily ensure that
+			// no other tests decide to listen on the same random port we
+			// picked.
+			t.Skip("this test is unsupported on Windows")
+			return
+		}
+
+		tmpDir, err := os.MkdirTemp("", "coderd_agent_test_")
+		require.NoError(t, err, "create temp dir")
+		t.Cleanup(func() {
+			_ = os.RemoveAll(tmpDir)
+		})
+
+		// Try to dial the non-existent Unix socket over WebRTC
+		conn := setupAgent(t, agent.Metadata{}, 0)
+		netConn, err := conn.DialContext(context.Background(), "unix", filepath.Join(tmpDir, "test.sock"))
+		require.Error(t, err)
+		require.ErrorContains(t, err, "remote dial error")
+		require.ErrorContains(t, err, "no such file")
+		require.Nil(t, netConn)
+	})
 }
 
-func setup(t *testing.T) proto.DRPCPeerBrokerClient {
+func setupSSHCommand(t *testing.T, beforeArgs []string, afterArgs []string) *exec.Cmd {
+	agentConn := setupAgent(t, agent.Metadata{}, 0)
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	go func() {
+		defer listener.Close()
+		for {
+			conn, err := listener.Accept()
+			if err != nil {
+				return
+			}
+			ssh, err := agentConn.SSH()
+			if !assert.NoError(t, err) {
+				_ = conn.Close()
+				return
+			}
+			go agent.Bicopy(context.Background(), conn, ssh)
+		}
+	}()
+	t.Cleanup(func() {
+		_ = listener.Close()
+	})
+	tcpAddr, valid := listener.Addr().(*net.TCPAddr)
+	require.True(t, valid)
+	args := append(beforeArgs,
+		"-o", "HostName "+tcpAddr.IP.String(),
+		"-o", "Port "+strconv.Itoa(tcpAddr.Port),
+		"-o", "StrictHostKeyChecking=no", "host")
+	args = append(args, afterArgs...)
+	return exec.Command("ssh", args...)
+}
+
+func setupSSHSession(t *testing.T, options agent.Metadata) *ssh.Session {
+	sshClient, err := setupAgent(t, options, 0).SSHClient()
+	require.NoError(t, err)
+	session, err := sshClient.NewSession()
+	require.NoError(t, err)
+	return session
+}
+
+func setupAgent(t *testing.T, metadata agent.Metadata, ptyTimeout time.Duration) *agent.Conn {
 	client, server := provisionersdk.TransportPipe()
-	closer := agent.New(func(ctx context.Context, opts *peer.ConnOptions) (*peerbroker.Listener, error) {
-		return peerbroker.Listen(server, nil, opts)
-	}, &peer.ConnOptions{
-		Logger: slogtest.Make(t, nil).Leveled(slog.LevelDebug),
+	closer := agent.New(func(ctx context.Context, logger slog.Logger) (agent.Metadata, *peerbroker.Listener, error) {
+		listener, err := peerbroker.Listen(server, nil)
+		return metadata, listener, err
+	}, &agent.Options{
+		Logger:                 slogtest.Make(t, nil).Leveled(slog.LevelDebug),
+		ReconnectingPTYTimeout: ptyTimeout,
 	})
 	t.Cleanup(func() {
 		_ = client.Close()
 		_ = server.Close()
 		_ = closer.Close()
 	})
-	return proto.NewDRPCPeerBrokerClient(provisionersdk.Conn(client))
+	api := proto.NewDRPCPeerBrokerClient(provisionersdk.Conn(client))
+	stream, err := api.NegotiateConnection(context.Background())
+	assert.NoError(t, err)
+	conn, err := peerbroker.Dial(stream, []webrtc.ICEServer{}, &peer.ConnOptions{
+		Logger: slogtest.Make(t, nil),
+	})
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		_ = conn.Close()
+	})
+
+	return &agent.Conn{
+		Negotiator: api,
+		Conn:       conn,
+	}
+}
+
+var dialTestPayload = []byte("dean-was-here123")
+
+func testDial(t *testing.T, c net.Conn) {
+	t.Helper()
+
+	assertWritePayload(t, c, dialTestPayload)
+	assertReadPayload(t, c, dialTestPayload)
+}
+
+func testAccept(t *testing.T, c net.Conn) {
+	t.Helper()
+	defer c.Close()
+
+	assertReadPayload(t, c, dialTestPayload)
+	assertWritePayload(t, c, dialTestPayload)
+}
+
+func assertReadPayload(t *testing.T, r io.Reader, payload []byte) {
+	b := make([]byte, len(payload)+16)
+	n, err := r.Read(b)
+	assert.NoError(t, err, "read payload")
+	assert.Equal(t, len(payload), n, "read payload length does not match")
+	assert.Equal(t, payload, b[:n])
+}
+
+func assertWritePayload(t *testing.T, w io.Writer, payload []byte) {
+	n, err := w.Write(payload)
+	assert.NoError(t, err, "write payload")
+	assert.Equal(t, len(payload), n, "payload length does not match")
 }

agent/conn.go

@@ -0,0 +1,118 @@
+package agent
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/url"
+	"strings"
+
+	"golang.org/x/crypto/ssh"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/peer"
+	"github.com/coder/coder/peerbroker/proto"
+)
+
+// ReconnectingPTYRequest is sent from the client to the server
+// to pipe data to a PTY.
+type ReconnectingPTYRequest struct {
+	Data   string `json:"data"`
+	Height uint16 `json:"height"`
+	Width  uint16 `json:"width"`
+}
+
+// Conn wraps a peer connection with helper functions to
+// communicate with the agent.
+type Conn struct {
+	// Negotiator is responsible for exchanging messages.
+	Negotiator proto.DRPCPeerBrokerClient
+
+	*peer.Conn
+}
+
+// ReconnectingPTY returns a connection serving a TTY that can
+// be reconnected to via ID.
+//
+// The command is optional and defaults to start a shell.
+func (c *Conn) ReconnectingPTY(id string, height, width uint16, command string) (net.Conn, error) {
+	channel, err := c.CreateChannel(context.Background(), fmt.Sprintf("%s:%d:%d:%s", id, height, width, command), &peer.ChannelOptions{
+		Protocol: ProtocolReconnectingPTY,
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("pty: %w", err)
+	}
+	return channel.NetConn(), nil
+}
+
+// SSH dials the built-in SSH server.
+func (c *Conn) SSH() (net.Conn, error) {
+	channel, err := c.CreateChannel(context.Background(), "ssh", &peer.ChannelOptions{
+		Protocol: ProtocolSSH,
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("dial: %w", err)
+	}
+	return channel.NetConn(), nil
+}
+
+// SSHClient calls SSH to create a client that uses a weak cipher
+// for high throughput.
+func (c *Conn) SSHClient() (*ssh.Client, error) {
+	netConn, err := c.SSH()
+	if err != nil {
+		return nil, xerrors.Errorf("ssh: %w", err)
+	}
+	sshConn, channels, requests, err := ssh.NewClientConn(netConn, "localhost:22", &ssh.ClientConfig{
+		// SSH host validation isn't helpful, because obtaining a peer
+		// connection already signifies user-intent to dial a workspace.
+		// #nosec
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("ssh conn: %w", err)
+	}
+	return ssh.NewClient(sshConn, channels, requests), nil
+}
+
+// DialContext dials an arbitrary protocol+address from inside the workspace and
+// proxies it through the provided net.Conn.
+func (c *Conn) DialContext(ctx context.Context, network string, addr string) (net.Conn, error) {
+	u := &url.URL{
+		Scheme: network,
+	}
+	if strings.HasPrefix(network, "unix") {
+		u.Path = addr
+	} else {
+		u.Host = addr
+	}
+
+	channel, err := c.CreateChannel(ctx, u.String(), &peer.ChannelOptions{
+		Protocol:  ProtocolDial,
+		Unordered: strings.HasPrefix(network, "udp"),
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("create datachannel: %w", err)
+	}
+
+	// The first message written from the other side is a JSON payload
+	// containing the dial error.
+	dec := json.NewDecoder(channel)
+	var res dialResponse
+	err = dec.Decode(&res)
+	if err != nil {
+		return nil, xerrors.Errorf("decode agent dial response: %w", err)
+	}
+	if res.Error != "" {
+		_ = channel.Close()
+		return nil, xerrors.Errorf("remote dial error: %v", res.Error)
+	}
+
+	return channel.NetConn(), nil
+}
+
+func (c *Conn) Close() error {
+	_ = c.Negotiator.DRPCConn().Close()
+	return c.Conn.Close()
+}

agent/reaper/doc.go

@@ -0,0 +1,4 @@
+// Package reaper contains logic for reaping subprocesses. It is
+// specifically used in the agent to avoid the accumulation of
+// zombie processes.
+package reaper

agent/reaper/reaper.go

@@ -0,0 +1,28 @@
+package reaper
+
+import "github.com/hashicorp/go-reap"
+
+type Option func(o *options)
+
+// WithExecArgs specifies the exec arguments for the fork exec call.
+// By default the same arguments as the parent are used as dictated by
+// os.Args. Since ForkReap calls a fork-exec it is the responsibility of
+// the caller to avoid fork-bombing oneself.
+func WithExecArgs(args ...string) Option {
+	return func(o *options) {
+		o.ExecArgs = args
+	}
+}
+
+// WithPIDCallback sets the channel that reaped child process PIDs are pushed
+// onto.
+func WithPIDCallback(ch reap.PidCh) Option {
+	return func(o *options) {
+		o.PIDs = ch
+	}
+}
+
+type options struct {
+	ExecArgs []string
+	PIDs     reap.PidCh
+}

agent/reaper/reaper_stub.go

@@ -0,0 +1,12 @@
+//go:build !linux
+
+package reaper
+
+// IsInitProcess returns true if the current process's PID is 1.
+func IsInitProcess() bool {
+	return false
+}
+
+func ForkReap(_ ...Option) error {
+	return nil
+}

agent/reaper/reaper_test.go

@@ -0,0 +1,66 @@
+//go:build linux
+
+package reaper_test
+
+import (
+	"os"
+	"os/exec"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/go-reap"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/agent/reaper"
+	"github.com/coder/coder/testutil"
+)
+
+func TestReap(t *testing.T) {
+	t.Parallel()
+
+	// Don't run the reaper test in CI. It does weird
+	// things like forkexecing which may have unintended
+	// consequences in CI.
+	if _, ok := os.LookupEnv("CI"); ok {
+		t.Skip("Detected CI, skipping reaper tests")
+	}
+
+	// OK checks that's the reaper is successfully reaping
+	// exited processes and passing the PIDs through the shared
+	// channel.
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+		pids := make(reap.PidCh, 1)
+		err := reaper.ForkReap(
+			reaper.WithPIDCallback(pids),
+			// Provide some argument that immediately exits.
+			reaper.WithExecArgs("/bin/sh", "-c", "exit 0"),
+		)
+		require.NoError(t, err)
+
+		cmd := exec.Command("tail", "-f", "/dev/null")
+		err = cmd.Start()
+		require.NoError(t, err)
+
+		cmd2 := exec.Command("tail", "-f", "/dev/null")
+		err = cmd2.Start()
+		require.NoError(t, err)
+
+		err = cmd.Process.Kill()
+		require.NoError(t, err)
+
+		err = cmd2.Process.Kill()
+		require.NoError(t, err)
+
+		expectedPIDs := []int{cmd.Process.Pid, cmd2.Process.Pid}
+
+		for i := 0; i < len(expectedPIDs); i++ {
+			select {
+			case <-time.After(testutil.WaitShort):
+				t.Fatalf("Timed out waiting for process")
+			case pid := <-pids:
+				require.Contains(t, expectedPIDs, pid)
+			}
+		}
+	})
+}

agent/reaper/reaper_unix.go

@@ -0,0 +1,63 @@
+//go:build linux
+
+package reaper
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/hashicorp/go-reap"
+	"golang.org/x/xerrors"
+)
+
+// IsInitProcess returns true if the current process's PID is 1.
+func IsInitProcess() bool {
+	return os.Getpid() == 1
+}
+
+// ForkReap spawns a goroutine that reaps children. In order to avoid
+// complications with spawning `exec.Commands` in the same process that
+// is reaping, we forkexec a child process. This prevents a race between
+// the reaper and an exec.Command waiting for its process to complete.
+// The provided 'pids' channel may be nil if the caller does not care about the
+// reaped children PIDs.
+func ForkReap(opt ...Option) error {
+	opts := &options{
+		ExecArgs: os.Args,
+	}
+
+	for _, o := range opt {
+		o(opts)
+	}
+
+	go reap.ReapChildren(opts.PIDs, nil, nil, nil)
+
+	pwd, err := os.Getwd()
+	if err != nil {
+		return xerrors.Errorf("get wd: %w", err)
+	}
+
+	pattrs := &syscall.ProcAttr{
+		Dir: pwd,
+		Env: os.Environ(),
+		Sys: &syscall.SysProcAttr{
+			Setsid: true,
+		},
+		Files: []uintptr{
+			uintptr(syscall.Stdin),
+			uintptr(syscall.Stdout),
+			uintptr(syscall.Stderr),
+		},
+	}
+
+	//#nosec G204
+	pid, _ := syscall.ForkExec(opts.ExecArgs[0], opts.ExecArgs, pattrs)
+
+	var wstatus syscall.WaitStatus
+	_, err = syscall.Wait4(pid, &wstatus, 0, nil)
+	for xerrors.Is(err, syscall.EINTR) {
+		_, err = syscall.Wait4(pid, &wstatus, 0, nil)
+	}
+
+	return nil
+}

agent/usershell/usershell_darwin.go

@@ -3,8 +3,6 @@ package usershell
 import "os"
 
 // Get returns the $SHELL environment variable.
-// TODO: This should use "dscl" to fetch the proper value. See:
-// https://stackoverflow.com/questions/16375519/how-to-get-the-default-shell
-func Get(username string) (string, error) {
+func Get(_ string) (string, error) {
 	return os.Getenv("SHELL"), nil
 }

agent/usershell/usershell_other.go

@@ -27,5 +27,5 @@ func Get(username string) (string, error) {
 		}
 		return parts[6], nil
 	}
-	return "", xerrors.New("user not found in /etc/passwd and $SHELL not set")
+	return "", xerrors.Errorf("user %q not found in /etc/passwd", username)
 }

agent/usershell/usershell_windows.go

@@ -1,6 +1,12 @@
 package usershell
 
+import "os/exec"
+
 // Get returns the command prompt binary name.
 func Get(username string) (string, error) {
+	_, err := exec.LookPath("powershell.exe")
+	if err == nil {
+		return "powershell.exe", nil
+	}
 	return "cmd.exe", nil
 }

agent/wireguard.go

@@ -0,0 +1,97 @@
+package agent
+
+import (
+	"context"
+	"net"
+	"strconv"
+
+	"golang.org/x/xerrors"
+	"inet.af/netaddr"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/peer/peerwg"
+)
+
+func (a *agent) startWireguard(ctx context.Context, addrs []netaddr.IPPrefix) error {
+	if a.network != nil {
+		_ = a.network.Close()
+		a.network = nil
+	}
+
+	// We can't create a wireguard network without these.
+	if len(addrs) == 0 || a.listenWireguardPeers == nil || a.postKeys == nil {
+		return xerrors.New("wireguard is enabled, but no addresses were provided or necessary functions were not provided")
+	}
+
+	wg, err := peerwg.New(a.logger.Named("wireguard"), addrs)
+	if err != nil {
+		return xerrors.Errorf("create wireguard network: %w", err)
+	}
+
+	// A new keypair is generated on each agent start.
+	// This keypair must be sent to Coder to allow for incoming connections.
+	err = a.postKeys(ctx, WireguardPublicKeys{
+		Public: wg.NodePrivateKey.Public(),
+		Disco:  wg.DiscoPublicKey,
+	})
+	if err != nil {
+		a.logger.Warn(ctx, "post keys", slog.Error(err))
+	}
+
+	go func() {
+		for {
+			ch, listenClose, err := a.listenWireguardPeers(ctx, a.logger)
+			if err != nil {
+				a.logger.Warn(ctx, "listen wireguard peers", slog.Error(err))
+				return
+			}
+
+			for {
+				peer, ok := <-ch
+				if !ok {
+					break
+				}
+
+				err := wg.AddPeer(peer)
+				a.logger.Info(ctx, "added wireguard peer", slog.F("peer", peer.NodePublicKey.ShortString()), slog.Error(err))
+			}
+
+			listenClose()
+		}
+	}()
+
+	a.startWireguardListeners(ctx, wg, []handlerPort{
+		{port: 12212, handler: a.sshServer.HandleConn},
+	})
+
+	a.network = wg
+	return nil
+}
+
+type handlerPort struct {
+	handler func(conn net.Conn)
+	port    uint16
+}
+
+func (a *agent) startWireguardListeners(ctx context.Context, network *peerwg.Network, handlers []handlerPort) {
+	for _, h := range handlers {
+		go func(h handlerPort) {
+			a.logger.Debug(ctx, "starting wireguard listener", slog.F("port", h.port))
+
+			listener, err := network.Listen("tcp", net.JoinHostPort("", strconv.Itoa(int(h.port))))
+			if err != nil {
+				a.logger.Warn(ctx, "listen wireguard", slog.F("port", h.port), slog.Error(err))
+				return
+			}
+
+			for {
+				conn, err := listener.Accept()
+				if err != nil {
+					return
+				}
+
+				go h.handler(conn)
+			}
+		}(h)
+	}
+}

buildinfo/buildinfo.go

@@ -0,0 +1,121 @@
+package buildinfo
+
+import (
+	"fmt"
+	"runtime/debug"
+	"strings"
+	"sync"
+	"time"
+
+	"golang.org/x/mod/semver"
+)
+
+var (
+	buildInfo      *debug.BuildInfo
+	buildInfoValid bool
+	readBuildInfo  sync.Once
+
+	externalURL     string
+	readExternalURL sync.Once
+
+	version     string
+	readVersion sync.Once
+
+	// Injected with ldflags at build!
+	tag string
+)
+
+const (
+	// develPrefix is prefixed to developer versions of the application.
+	develPrefix = "v0.0.0-devel"
+)
+
+// Version returns the semantic version of the build.
+// Use golang.org/x/mod/semver to compare versions.
+func Version() string {
+	readVersion.Do(func() {
+		revision, valid := revision()
+		if valid {
+			revision = "+" + revision[:7]
+		}
+		if tag == "" {
+			// This occurs when the tag hasn't been injected,
+			// like when using "go run".
+			version = develPrefix + revision
+			return
+		}
+		version = "v" + tag
+		// The tag must be prefixed with "v" otherwise the
+		// semver library will return an empty string.
+		if semver.Build(version) == "" {
+			version += revision
+		}
+	})
+	return version
+}
+
+// VersionsMatch compares the two versions. It assumes the versions match if
+// the major and the minor versions are equivalent. Patch versions are
+// disregarded. If it detects that either version is a developer build it
+// returns true.
+func VersionsMatch(v1, v2 string) bool {
+	// Developer versions are disregarded...hopefully they know what they are
+	// doing.
+	if strings.HasPrefix(v1, develPrefix) || strings.HasPrefix(v2, develPrefix) {
+		return true
+	}
+
+	return semver.MajorMinor(v1) == semver.MajorMinor(v2)
+}
+
+// ExternalURL returns a URL referencing the current Coder version.
+// For production builds, this will link directly to a release.
+// For development builds, this will link to a commit.
+func ExternalURL() string {
+	readExternalURL.Do(func() {
+		repo := "https://github.com/coder/coder"
+		revision, valid := revision()
+		if !valid {
+			externalURL = repo
+			return
+		}
+		externalURL = fmt.Sprintf("%s/commit/%s", repo, revision)
+	})
+	return externalURL
+}
+
+// Time returns when the Git revision was published.
+func Time() (time.Time, bool) {
+	value, valid := find("vcs.time")
+	if !valid {
+		return time.Time{}, false
+	}
+	parsed, err := time.Parse(time.RFC3339, value)
+	if err != nil {
+		panic("couldn't parse time: " + err.Error())
+	}
+	return parsed, true
+}
+
+// revision returns the Git hash of the build.
+func revision() (string, bool) {
+	return find("vcs.revision")
+}
+
+// find panics if a setting with the specific key was not
+// found in the build info.
+func find(key string) (string, bool) {
+	readBuildInfo.Do(func() {
+		buildInfo, buildInfoValid = debug.ReadBuildInfo()
+	})
+	if !buildInfoValid {
+		panic("couldn't read build info")
+	}
+	for _, setting := range buildInfo.Settings {
+		if setting.Key != key {
+			continue
+		}
+		return setting.Value, true
+	}
+	return "", false
+}

buildinfo/buildinfo_test.go

@@ -0,0 +1,99 @@
+package buildinfo_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/mod/semver"
+
+	"github.com/coder/coder/buildinfo"
+)
+
+func TestBuildInfo(t *testing.T) {
+	t.Parallel()
+	t.Run("Version", func(t *testing.T) {
+		t.Parallel()
+		version := buildinfo.Version()
+		require.True(t, semver.IsValid(version))
+		prerelease := semver.Prerelease(version)
+		require.Equal(t, "-devel", prerelease)
+		require.Equal(t, "v0", semver.Major(version))
+	})
+	t.Run("ExternalURL", func(t *testing.T) {
+		t.Parallel()
+		require.Equal(t, "https://github.com/coder/coder", buildinfo.ExternalURL())
+	})
+	// Tests don't include Go build info.
+	t.Run("NoTime", func(t *testing.T) {
+		t.Parallel()
+		_, valid := buildinfo.Time()
+		require.False(t, valid)
+	})
+
+	t.Run("VersionsMatch", func(t *testing.T) {
+		t.Parallel()
+
+		type testcase struct {
+			name        string
+			v1          string
+			v2          string
+			expectMatch bool
+		}
+
+		cases := []testcase{
+			{
+				name:        "OK",
+				v1:          "v1.2.3",
+				v2:          "v1.2.3",
+				expectMatch: true,
+			},
+			// Test that we return true if a developer version is detected.
+			// Developers do not need to be warned of mismatched versions.
+			{
+				name:        "DevelIgnored",
+				v1:          "v0.0.0-devel+123abac",
+				v2:          "v1.2.3",
+				expectMatch: true,
+			},
+			// Our CI instance uses a "-devel" prerelease
+			// flag. This is not the same as a developer WIP build.
+			{
+				name:        "DevelPreleaseNotIgnored",
+				v1:          "v1.1.1-devel+123abac",
+				v2:          "v1.2.3",
+				expectMatch: false,
+			},
+			{
+				name:        "MajorMismatch",
+				v1:          "v1.2.3",
+				v2:          "v0.1.2",
+				expectMatch: false,
+			},
+			{
+				name:        "MinorMismatch",
+				v1:          "v1.2.3",
+				v2:          "v1.3.2",
+				expectMatch: false,
+			},
+			// Different patches are ok, breaking changes are not allowed
+			// in patches.
+			{
+				name:        "PatchMismatch",
+				v1:          "v1.2.3+hash.whocares",
+				v2:          "v1.2.4+somestuff.hm.ok",
+				expectMatch: true,
+			},
+		}
+
+		for _, c := range cases {
+			c := c
+			t.Run(c.name, func(t *testing.T) {
+				t.Parallel()
+				require.Equal(t, c.expectMatch, buildinfo.VersionsMatch(c.v1, c.v2),
+					fmt.Sprintf("expected match=%v for version %s and %s", c.expectMatch, c.v1, c.v2),
+				)
+			})
+		}
+	})
+}

cli/agent.go

@@ -0,0 +1,197 @@
+package cli
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	_ "net/http/pprof" //nolint: gosec
+	"net/url"
+	"os"
+	"path/filepath"
+	"runtime"
+	"time"
+
+	"cloud.google.com/go/compute/metadata"
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+	"gopkg.in/natefinch/lumberjack.v2"
+
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/sloghuman"
+	"github.com/coder/coder/agent"
+	"github.com/coder/coder/agent/reaper"
+	"github.com/coder/coder/cli/cliflag"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/retry"
+)
+
+func workspaceAgent() *cobra.Command {
+	var (
+		auth         string
+		pprofEnabled bool
+		pprofAddress string
+		noReap       bool
+		wireguard    bool
+	)
+	cmd := &cobra.Command{
+		Use: "agent",
+		// This command isn't useful to manually execute.
+		Hidden: true,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rawURL, err := cmd.Flags().GetString(varAgentURL)
+			if err != nil {
+				return xerrors.Errorf("CODER_AGENT_URL must be set: %w", err)
+			}
+			coderURL, err := url.Parse(rawURL)
+			if err != nil {
+				return xerrors.Errorf("parse %q: %w", rawURL, err)
+			}
+
+			logWriter := &lumberjack.Logger{
+				Filename: filepath.Join(os.TempDir(), "coder-agent.log"),
+				MaxSize:  5, // MB
+			}
+			defer logWriter.Close()
+			logger := slog.Make(sloghuman.Sink(cmd.ErrOrStderr()), sloghuman.Sink(logWriter)).Leveled(slog.LevelDebug)
+
+			isLinux := runtime.GOOS == "linux"
+
+			// Spawn a reaper so that we don't accumulate a ton
+			// of zombie processes.
+			if reaper.IsInitProcess() && !noReap && isLinux {
+				logger.Info(cmd.Context(), "spawning reaper process")
+				// Do not start a reaper on the child process. It's important
+				// to do this else we fork bomb ourselves.
+				args := append(os.Args, "--no-reap")
+				err := reaper.ForkReap(reaper.WithExecArgs(args...))
+				if err != nil {
+					logger.Error(cmd.Context(), "failed to reap", slog.Error(err))
+					return xerrors.Errorf("fork reap: %w", err)
+				}
+
+				logger.Info(cmd.Context(), "reaper process exiting")
+				return nil
+			}
+
+			logger.Info(cmd.Context(), "starting agent", slog.F("url", coderURL), slog.F("auth", auth))
+			client := codersdk.New(coderURL)
+
+			if pprofEnabled {
+				srvClose := serveHandler(cmd.Context(), logger, nil, pprofAddress, "pprof")
+				defer srvClose()
+			} else {
+				// If pprof wasn't enabled at startup, allow a
+				// `kill -USR1 $agent_pid` to start it (on Unix).
+				srvClose := agentStartPPROFOnUSR1(cmd.Context(), logger, pprofAddress)
+				defer srvClose()
+			}
+
+			// exchangeToken returns a session token.
+			// This is abstracted to allow for the same looping condition
+			// regardless of instance identity auth type.
+			var exchangeToken func(context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error)
+			switch auth {
+			case "token":
+				token, err := cmd.Flags().GetString(varAgentToken)
+				if err != nil {
+					return xerrors.Errorf("CODER_AGENT_TOKEN must be set for token auth: %w", err)
+				}
+				client.SessionToken = token
+			case "google-instance-identity":
+				// This is *only* done for testing to mock client authentication.
+				// This will never be set in a production scenario.
+				var gcpClient *metadata.Client
+				gcpClientRaw := cmd.Context().Value("gcp-client")
+				if gcpClientRaw != nil {
+					gcpClient, _ = gcpClientRaw.(*metadata.Client)
+				}
+				exchangeToken = func(ctx context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error) {
+					return client.AuthWorkspaceGoogleInstanceIdentity(ctx, "", gcpClient)
+				}
+			case "aws-instance-identity":
+				// This is *only* done for testing to mock client authentication.
+				// This will never be set in a production scenario.
+				var awsClient *http.Client
+				awsClientRaw := cmd.Context().Value("aws-client")
+				if awsClientRaw != nil {
+					awsClient, _ = awsClientRaw.(*http.Client)
+					if awsClient != nil {
+						client.HTTPClient = awsClient
+					}
+				}
+				exchangeToken = func(ctx context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error) {
+					return client.AuthWorkspaceAWSInstanceIdentity(ctx)
+				}
+			case "azure-instance-identity":
+				// This is *only* done for testing to mock client authentication.
+				// This will never be set in a production scenario.
+				var azureClient *http.Client
+				azureClientRaw := cmd.Context().Value("azure-client")
+				if azureClientRaw != nil {
+					azureClient, _ = azureClientRaw.(*http.Client)
+					if azureClient != nil {
+						client.HTTPClient = azureClient
+					}
+				}
+				exchangeToken = func(ctx context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error) {
+					return client.AuthWorkspaceAzureInstanceIdentity(ctx)
+				}
+			}
+
+			if exchangeToken != nil {
+				logger.Info(cmd.Context(), "exchanging identity token")
+				// Agent's can start before resources are returned from the provisioner
+				// daemon. If there are many resources being provisioned, this time
+				// could be significant. This is arbitrarily set at an hour to prevent
+				// tons of idle agents from pinging coderd.
+				ctx, cancelFunc := context.WithTimeout(cmd.Context(), time.Hour)
+				defer cancelFunc()
+				for retry.New(100*time.Millisecond, 5*time.Second).Wait(ctx) {
+					var response codersdk.WorkspaceAgentAuthenticateResponse
+
+					response, err = exchangeToken(ctx)
+					if err != nil {
+						logger.Warn(ctx, "authenticate workspace", slog.F("method", auth), slog.Error(err))
+						continue
+					}
+					client.SessionToken = response.SessionToken
+					logger.Info(ctx, "authenticated", slog.F("method", auth))
+					break
+				}
+				if err != nil {
+					return xerrors.Errorf("agent failed to authenticate in time: %w", err)
+				}
+			}
+
+			executablePath, err := os.Executable()
+			if err != nil {
+				return xerrors.Errorf("getting os executable: %w", err)
+			}
+			err = os.Setenv("PATH", fmt.Sprintf("%s%c%s", os.Getenv("PATH"), filepath.ListSeparator, filepath.Dir(executablePath)))
+			if err != nil {
+				return xerrors.Errorf("add executable to $PATH: %w", err)
+			}
+
+			closer := agent.New(client.ListenWorkspaceAgent, &agent.Options{
+				Logger: logger,
+				EnvironmentVariables: map[string]string{
+					// Override the "CODER_AGENT_TOKEN" variable in all
+					// shells so "gitssh" works!
+					"CODER_AGENT_TOKEN": client.SessionToken,
+				},
+				EnableWireguard:      wireguard,
+				UploadWireguardKeys:  client.UploadWorkspaceAgentKeys,
+				ListenWireguardPeers: client.WireguardPeerListener,
+			})
+			<-cmd.Context().Done()
+			return closer.Close()
+		},
+	}
+
+	cliflag.StringVarP(cmd.Flags(), &auth, "auth", "", "CODER_AGENT_AUTH", "token", "Specify the authentication type to use for the agent")
+	cliflag.BoolVarP(cmd.Flags(), &pprofEnabled, "pprof-enable", "", "CODER_AGENT_PPROF_ENABLE", false, "Enable serving pprof metrics on the address defined by --pprof-address.")
+	cliflag.BoolVarP(cmd.Flags(), &noReap, "no-reap", "", "", false, "Do not start a process reaper.")
+	cliflag.StringVarP(cmd.Flags(), &pprofAddress, "pprof-address", "", "CODER_AGENT_PPROF_ADDRESS", "127.0.0.1:6060", "The address to serve pprof.")
+	cliflag.BoolVarP(cmd.Flags(), &wireguard, "wireguard", "", "CODER_AGENT_WIREGUARD", true, "Whether to start the Wireguard interface.")
+	return cmd
+}

cli/agent_test.go

@@ -0,0 +1,181 @@
+package cli_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/provisioner/echo"
+	"github.com/coder/coder/provisionersdk/proto"
+)
+
+func TestWorkspaceAgent(t *testing.T) {
+	t.Parallel()
+	t.Run("Azure", func(t *testing.T) {
+		t.Parallel()
+		instanceID := "instanceidentifier"
+		certificates, metadataClient := coderdtest.NewAzureInstanceIdentity(t, instanceID)
+		client := coderdtest.New(t, &coderdtest.Options{
+			AzureCertificates:   certificates,
+			IncludeProvisionerD: true,
+		})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse: echo.ParseComplete,
+			Provision: []*proto.Provision_Response{{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Resources: []*proto.Resource{{
+							Name: "somename",
+							Type: "someinstance",
+							Agents: []*proto.Agent{{
+								Auth: &proto.Agent_InstanceId{
+									InstanceId: instanceID,
+								},
+							}},
+						}},
+					},
+				},
+			}},
+		})
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+		cmd, _ := clitest.New(t, "agent", "--auth", "azure-instance-identity", "--agent-url", client.URL.String(), "--wireguard=false")
+		ctx, cancelFunc := context.WithCancel(context.Background())
+		defer cancelFunc()
+		errC := make(chan error)
+		go func() {
+			// A linting error occurs for weakly typing the context value here.
+			//nolint // The above seems reasonable for a one-off test.
+			ctx := context.WithValue(ctx, "azure-client", metadataClient)
+			errC <- cmd.ExecuteContext(ctx)
+		}()
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
+		resources, err := client.WorkspaceResourcesByBuild(ctx, workspace.LatestBuild.ID)
+		require.NoError(t, err)
+		dialer, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
+		require.NoError(t, err)
+		defer dialer.Close()
+		_, err = dialer.Ping()
+		require.NoError(t, err)
+		cancelFunc()
+		err = <-errC
+		require.NoError(t, err)
+	})
+
+	t.Run("AWS", func(t *testing.T) {
+		t.Parallel()
+		instanceID := "instanceidentifier"
+		certificates, metadataClient := coderdtest.NewAWSInstanceIdentity(t, instanceID)
+		client := coderdtest.New(t, &coderdtest.Options{
+			AWSCertificates:     certificates,
+			IncludeProvisionerD: true,
+		})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse: echo.ParseComplete,
+			Provision: []*proto.Provision_Response{{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Resources: []*proto.Resource{{
+							Name: "somename",
+							Type: "someinstance",
+							Agents: []*proto.Agent{{
+								Auth: &proto.Agent_InstanceId{
+									InstanceId: instanceID,
+								},
+							}},
+						}},
+					},
+				},
+			}},
+		})
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+		cmd, _ := clitest.New(t, "agent", "--auth", "aws-instance-identity", "--agent-url", client.URL.String(), "--wireguard=false")
+		ctx, cancelFunc := context.WithCancel(context.Background())
+		defer cancelFunc()
+		errC := make(chan error)
+		go func() {
+			// A linting error occurs for weakly typing the context value here.
+			//nolint // The above seems reasonable for a one-off test.
+			ctx := context.WithValue(ctx, "aws-client", metadataClient)
+			errC <- cmd.ExecuteContext(ctx)
+		}()
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
+		resources, err := client.WorkspaceResourcesByBuild(ctx, workspace.LatestBuild.ID)
+		require.NoError(t, err)
+		dialer, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
+		require.NoError(t, err)
+		defer dialer.Close()
+		_, err = dialer.Ping()
+		require.NoError(t, err)
+		cancelFunc()
+		err = <-errC
+		require.NoError(t, err)
+	})
+
+	t.Run("GoogleCloud", func(t *testing.T) {
+		t.Parallel()
+		instanceID := "instanceidentifier"
+		validator, metadata := coderdtest.NewGoogleInstanceIdentity(t, instanceID, false)
+		client := coderdtest.New(t, &coderdtest.Options{
+			GoogleTokenValidator: validator,
+			IncludeProvisionerD:  true,
+		})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse: echo.ParseComplete,
+			Provision: []*proto.Provision_Response{{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Resources: []*proto.Resource{{
+							Name: "somename",
+							Type: "someinstance",
+							Agents: []*proto.Agent{{
+								Auth: &proto.Agent_InstanceId{
+									InstanceId: instanceID,
+								},
+							}},
+						}},
+					},
+				},
+			}},
+		})
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+		cmd, _ := clitest.New(t, "agent", "--auth", "google-instance-identity", "--agent-url", client.URL.String(), "--wireguard=false")
+		ctx, cancelFunc := context.WithCancel(context.Background())
+		defer cancelFunc()
+		errC := make(chan error)
+		go func() {
+			// A linting error occurs for weakly typing the context value here.
+			//nolint // The above seems reasonable for a one-off test.
+			ctx := context.WithValue(ctx, "gcp-client", metadata)
+			errC <- cmd.ExecuteContext(ctx)
+		}()
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
+		resources, err := client.WorkspaceResourcesByBuild(ctx, workspace.LatestBuild.ID)
+		require.NoError(t, err)
+		dialer, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
+		require.NoError(t, err)
+		defer dialer.Close()
+		_, err = dialer.Ping()
+		require.NoError(t, err)
+		cancelFunc()
+		err = <-errC
+		require.NoError(t, err)
+	})
+}

cli/agent_unix.go

@@ -0,0 +1,38 @@
+//go:build !windows
+
+package cli
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"cdr.dev/slog"
+)
+
+func agentStartPPROFOnUSR1(ctx context.Context, logger slog.Logger, pprofAddress string) (srvClose func()) {
+	ctx, cancel := context.WithCancel(ctx)
+
+	usr1 := make(chan os.Signal, 1)
+	signal.Notify(usr1, syscall.SIGUSR1)
+	go func() {
+		defer close(usr1)
+		defer signal.Stop(usr1)
+
+		select {
+		case <-usr1:
+			signal.Stop(usr1)
+			srvClose := serveHandler(ctx, logger, nil, pprofAddress, "pprof")
+			defer srvClose()
+		case <-ctx.Done():
+			return
+		}
+		<-ctx.Done() // Prevent defer close until done.
+	}()
+
+	return func() {
+		cancel()
+		<-usr1 // Wait until usr1 is closed, ensures srvClose was run.
+	}
+}

cli/agent_windows.go

@@ -0,0 +1,12 @@
+package cli
+
+import (
+	"context"
+
+	"cdr.dev/slog"
+)
+
+// agentStartPPROFOnUSR1 is no-op on Windows (no SIGUSR1 signal).
+func agentStartPPROFOnUSR1(ctx context.Context, logger slog.Logger, pprofAddress string) (srvClose func()) {
+	return func() {}
+}

cli/cliflag/cliflag.go

@@ -0,0 +1,154 @@
+// Package cliflag extends flagset with environment variable defaults.
+//
+// Usage:
+//
+// cliflag.String(root.Flags(), &address, "address", "a", "CODER_ADDRESS", "127.0.0.1:3000", "The address to serve the API and dashboard")
+//
+// Will produce the following usage docs:
+//
+//	-a, --address string              The address to serve the API and dashboard (uses $CODER_ADDRESS). (default "127.0.0.1:3000")
+package cliflag
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+// IsSetBool returns the value of the boolean flag if it is set.
+// It returns false if the flag isn't set or if any error occurs attempting
+// to parse the value of the flag.
+func IsSetBool(cmd *cobra.Command, name string) bool {
+	val, ok := IsSet(cmd, name)
+	if !ok {
+		return false
+	}
+
+	b, err := strconv.ParseBool(val)
+	return err == nil && b
+}
+
+// IsSet returns the string value of the flag and whether it was set.
+func IsSet(cmd *cobra.Command, name string) (string, bool) {
+	flag := cmd.Flag(name)
+	if flag == nil {
+		return "", false
+	}
+
+	return flag.Value.String(), flag.Changed
+}
+
+// String sets a string flag on the given flag set.
+func String(flagset *pflag.FlagSet, name, shorthand, env, def, usage string) {
+	v, ok := os.LookupEnv(env)
+	if !ok || v == "" {
+		v = def
+	}
+	flagset.StringP(name, shorthand, v, fmtUsage(usage, env))
+}
+
+// StringVarP sets a string flag on the given flag set.
+func StringVarP(flagset *pflag.FlagSet, p *string, name string, shorthand string, env string, def string, usage string) {
+	v, ok := os.LookupEnv(env)
+	if !ok || v == "" {
+		v = def
+	}
+	flagset.StringVarP(p, name, shorthand, v, fmtUsage(usage, env))
+}
+
+func StringArrayVarP(flagset *pflag.FlagSet, ptr *[]string, name string, shorthand string, env string, def []string, usage string) {
+	val, ok := os.LookupEnv(env)
+	if ok {
+		if val == "" {
+			def = []string{}
+		} else {
+			def = strings.Split(val, ",")
+		}
+	}
+	flagset.StringArrayVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+}
+
+// Uint8VarP sets a uint8 flag on the given flag set.
+func Uint8VarP(flagset *pflag.FlagSet, ptr *uint8, name string, shorthand string, env string, def uint8, usage string) {
+	val, ok := os.LookupEnv(env)
+	if !ok || val == "" {
+		flagset.Uint8VarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	vi64, err := strconv.ParseUint(val, 10, 8)
+	if err != nil {
+		flagset.Uint8VarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	flagset.Uint8VarP(ptr, name, shorthand, uint8(vi64), fmtUsage(usage, env))
+}
+
+func Bool(flagset *pflag.FlagSet, name, shorthand, env string, def bool, usage string) {
+	val, ok := os.LookupEnv(env)
+	if !ok || val == "" {
+		flagset.BoolP(name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	valb, err := strconv.ParseBool(val)
+	if err != nil {
+		flagset.BoolP(name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	flagset.BoolP(name, shorthand, valb, fmtUsage(usage, env))
+}
+
+// BoolVarP sets a bool flag on the given flag set.
+func BoolVarP(flagset *pflag.FlagSet, ptr *bool, name string, shorthand string, env string, def bool, usage string) {
+	val, ok := os.LookupEnv(env)
+	if !ok || val == "" {
+		flagset.BoolVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	valb, err := strconv.ParseBool(val)
+	if err != nil {
+		flagset.BoolVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	flagset.BoolVarP(ptr, name, shorthand, valb, fmtUsage(usage, env))
+}
+
+// DurationVarP sets a time.Duration flag on the given flag set.
+func DurationVarP(flagset *pflag.FlagSet, ptr *time.Duration, name string, shorthand string, env string, def time.Duration, usage string) {
+	val, ok := os.LookupEnv(env)
+	if !ok || val == "" {
+		flagset.DurationVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	valb, err := time.ParseDuration(val)
+	if err != nil {
+		flagset.DurationVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	flagset.DurationVarP(ptr, name, shorthand, valb, fmtUsage(usage, env))
+}
+
+func fmtUsage(u string, env string) string {
+	if env != "" {
+		// Avoid double dotting.
+		dot := "."
+		if strings.HasSuffix(u, ".") {
+			dot = ""
+		}
+		u = fmt.Sprintf("%s%s\nConsumes $%s", u, dot, env)
+	}
+
+	return u
+}

cli/cliflag/cliflag_test.go

@@ -0,0 +1,238 @@
+package cliflag_test
+
+import (
+	"fmt"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/spf13/pflag"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/cliflag"
+	"github.com/coder/coder/cryptorand"
+)
+
+// Testcliflag cannot run in parallel because it uses t.Setenv.
+//
+//nolint:paralleltest
+func TestCliflag(t *testing.T) {
+	t.Run("StringDefault", func(t *testing.T) {
+		flagset, name, shorthand, env, usage := randomFlag()
+		def, _ := cryptorand.String(10)
+		cliflag.String(flagset, name, shorthand, env, def, usage)
+		got, err := flagset.GetString(name)
+		require.NoError(t, err)
+		require.Equal(t, def, got)
+		require.Contains(t, flagset.FlagUsages(), usage)
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
+	})
+
+	t.Run("StringEnvVar", func(t *testing.T) {
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.String(10)
+		t.Setenv(env, envValue)
+		def, _ := cryptorand.String(10)
+		cliflag.String(flagset, name, shorthand, env, def, usage)
+		got, err := flagset.GetString(name)
+		require.NoError(t, err)
+		require.Equal(t, envValue, got)
+	})
+
+	t.Run("StringVarPDefault", func(t *testing.T) {
+		var ptr string
+		flagset, name, shorthand, env, usage := randomFlag()
+		def, _ := cryptorand.String(10)
+
+		cliflag.StringVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetString(name)
+		require.NoError(t, err)
+		require.Equal(t, def, got)
+		require.Contains(t, flagset.FlagUsages(), usage)
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
+	})
+
+	t.Run("StringVarPEnvVar", func(t *testing.T) {
+		var ptr string
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.String(10)
+		t.Setenv(env, envValue)
+		def, _ := cryptorand.String(10)
+
+		cliflag.StringVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetString(name)
+		require.NoError(t, err)
+		require.Equal(t, envValue, got)
+	})
+
+	t.Run("EmptyEnvVar", func(t *testing.T) {
+		var ptr string
+		flagset, name, shorthand, _, usage := randomFlag()
+		def, _ := cryptorand.String(10)
+
+		cliflag.StringVarP(flagset, &ptr, name, shorthand, "", def, usage)
+		got, err := flagset.GetString(name)
+		require.NoError(t, err)
+		require.Equal(t, def, got)
+		require.Contains(t, flagset.FlagUsages(), usage)
+		require.NotContains(t, flagset.FlagUsages(), "Consumes")
+	})
+
+	t.Run("StringArrayDefault", func(t *testing.T) {
+		var ptr []string
+		flagset, name, shorthand, env, usage := randomFlag()
+		def := []string{"hello"}
+		cliflag.StringArrayVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetStringArray(name)
+		require.NoError(t, err)
+		require.Equal(t, def, got)
+	})
+
+	t.Run("StringArrayEnvVar", func(t *testing.T) {
+		var ptr []string
+		flagset, name, shorthand, env, usage := randomFlag()
+		t.Setenv(env, "wow,test")
+		cliflag.StringArrayVarP(flagset, &ptr, name, shorthand, env, nil, usage)
+		got, err := flagset.GetStringArray(name)
+		require.NoError(t, err)
+		require.Equal(t, []string{"wow", "test"}, got)
+	})
+
+	t.Run("StringArrayEnvVarEmpty", func(t *testing.T) {
+		var ptr []string
+		flagset, name, shorthand, env, usage := randomFlag()
+		t.Setenv(env, "")
+		cliflag.StringArrayVarP(flagset, &ptr, name, shorthand, env, nil, usage)
+		got, err := flagset.GetStringArray(name)
+		require.NoError(t, err)
+		require.Equal(t, []string{}, got)
+	})
+
+	t.Run("IntDefault", func(t *testing.T) {
+		var ptr uint8
+		flagset, name, shorthand, env, usage := randomFlag()
+		def, _ := cryptorand.Int63n(10)
+
+		cliflag.Uint8VarP(flagset, &ptr, name, shorthand, env, uint8(def), usage)
+		got, err := flagset.GetUint8(name)
+		require.NoError(t, err)
+		require.Equal(t, uint8(def), got)
+		require.Contains(t, flagset.FlagUsages(), usage)
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
+	})
+
+	t.Run("IntEnvVar", func(t *testing.T) {
+		var ptr uint8
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.Int63n(10)
+		t.Setenv(env, strconv.FormatUint(uint64(envValue), 10))
+		def, _ := cryptorand.Int()
+
+		cliflag.Uint8VarP(flagset, &ptr, name, shorthand, env, uint8(def), usage)
+		got, err := flagset.GetUint8(name)
+		require.NoError(t, err)
+		require.Equal(t, uint8(envValue), got)
+	})
+
+	t.Run("IntFailParse", func(t *testing.T) {
+		var ptr uint8
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.String(10)
+		t.Setenv(env, envValue)
+		def, _ := cryptorand.Int63n(10)
+
+		cliflag.Uint8VarP(flagset, &ptr, name, shorthand, env, uint8(def), usage)
+		got, err := flagset.GetUint8(name)
+		require.NoError(t, err)
+		require.Equal(t, uint8(def), got)
+	})
+
+	t.Run("BoolDefault", func(t *testing.T) {
+		var ptr bool
+		flagset, name, shorthand, env, usage := randomFlag()
+		def, _ := cryptorand.Bool()
+
+		cliflag.BoolVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetBool(name)
+		require.NoError(t, err)
+		require.Equal(t, def, got)
+		require.Contains(t, flagset.FlagUsages(), usage)
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
+	})
+
+	t.Run("BoolEnvVar", func(t *testing.T) {
+		var ptr bool
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.Bool()
+		t.Setenv(env, strconv.FormatBool(envValue))
+		def, _ := cryptorand.Bool()
+
+		cliflag.BoolVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetBool(name)
+		require.NoError(t, err)
+		require.Equal(t, envValue, got)
+	})
+
+	t.Run("BoolFailParse", func(t *testing.T) {
+		var ptr bool
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.String(10)
+		t.Setenv(env, envValue)
+		def, _ := cryptorand.Bool()
+
+		cliflag.BoolVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetBool(name)
+		require.NoError(t, err)
+		require.Equal(t, def, got)
+	})
+
+	t.Run("DurationDefault", func(t *testing.T) {
+		var ptr time.Duration
+		flagset, name, shorthand, env, usage := randomFlag()
+		def, _ := cryptorand.Duration()
+
+		cliflag.DurationVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetDuration(name)
+		require.NoError(t, err)
+		require.Equal(t, def, got)
+		require.Contains(t, flagset.FlagUsages(), usage)
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
+	})
+
+	t.Run("DurationEnvVar", func(t *testing.T) {
+		var ptr time.Duration
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.Duration()
+		t.Setenv(env, envValue.String())
+		def, _ := cryptorand.Duration()
+
+		cliflag.DurationVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetDuration(name)
+		require.NoError(t, err)
+		require.Equal(t, envValue, got)
+	})
+
+	t.Run("DurationFailParse", func(t *testing.T) {
+		var ptr time.Duration
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.String(10)
+		t.Setenv(env, envValue)
+		def, _ := cryptorand.Duration()
+
+		cliflag.DurationVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetDuration(name)
+		require.NoError(t, err)
+		require.Equal(t, def, got)
+	})
+}
+
+func randomFlag() (*pflag.FlagSet, string, string, string, string) {
+	fsname, _ := cryptorand.String(10)
+	flagset := pflag.NewFlagSet(fsname, pflag.PanicOnError)
+	name, _ := cryptorand.String(10)
+	shorthand, _ := cryptorand.String(1)
+	env, _ := cryptorand.String(10)
+	usage, _ := cryptorand.String(10)
+
+	return flagset, name, shorthand, env, usage
+}

cli/clitest/clitest.go

@@ -21,10 +21,22 @@ import (
 // New creates a CLI instance with a configuration pointed to a
 // temporary testing directory.
 func New(t *testing.T, args ...string) (*cobra.Command, config.Root) {
-	cmd := cli.Root()
+	return NewWithSubcommands(t, cli.AGPL(), args...)
+}
+
+func NewWithSubcommands(
+	t *testing.T, subcommands []*cobra.Command, args ...string,
+) (*cobra.Command, config.Root) {
+	cmd := cli.Root(subcommands)
 	dir := t.TempDir()
 	root := config.Root(dir)
 	cmd.SetArgs(append([]string{"--global-config", dir}, args...))
+
+	// We could consider using writers
+	// that log via t.Log here instead.
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
+
 	return cmd, root
 }
 
@@ -36,9 +48,9 @@ func SetupConfig(t *testing.T, client *codersdk.Client, root config.Root) {
 	require.NoError(t, err)
 }
 
-// CreateProjectVersionSource writes the echo provisioner responses into a
+// CreateTemplateVersionSource writes the echo provisioner responses into a
 // new temporary testing directory.
-func CreateProjectVersionSource(t *testing.T, responses *echo.Responses) string {
+func CreateTemplateVersionSource(t *testing.T, responses *echo.Responses) string {
 	directory := t.TempDir()
 	data, err := echo.Tar(responses)
 	require.NoError(t, err)

cli/clitest/clitest_test.go

@@ -3,7 +3,6 @@ package clitest_test
 import (
 	"testing"
 
-	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"
 
 	"github.com/coder/coder/cli/clitest"
@@ -17,7 +16,7 @@ func TestMain(m *testing.M) {
 
 func TestCli(t *testing.T) {
 	t.Parallel()
-	clitest.CreateProjectVersionSource(t, nil)
+	clitest.CreateTemplateVersionSource(t, nil)
 	client := coderdtest.New(t, nil)
 	cmd, config := clitest.New(t)
 	clitest.SetupConfig(t, client, config)
@@ -25,8 +24,7 @@ func TestCli(t *testing.T) {
 	cmd.SetIn(pty.Input())
 	cmd.SetOut(pty.Output())
 	go func() {
-		err := cmd.Execute()
-		require.NoError(t, err)
+		_ = cmd.Execute()
 	}()
 	pty.ExpectMatch("coder")
 }

cli/cliui/agent.go

@@ -0,0 +1,107 @@
+package cliui
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"os/signal"
+	"sync"
+	"time"
+
+	"github.com/briandowns/spinner"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/codersdk"
+)
+
+type AgentOptions struct {
+	WorkspaceName string
+	Fetch         func(context.Context) (codersdk.WorkspaceAgent, error)
+	FetchInterval time.Duration
+	WarnInterval  time.Duration
+}
+
+// Agent displays a spinning indicator that waits for a workspace agent to connect.
+func Agent(ctx context.Context, writer io.Writer, opts AgentOptions) error {
+	if opts.FetchInterval == 0 {
+		opts.FetchInterval = 500 * time.Millisecond
+	}
+	if opts.WarnInterval == 0 {
+		opts.WarnInterval = 30 * time.Second
+	}
+	var resourceMutex sync.Mutex
+	agent, err := opts.Fetch(ctx)
+	if err != nil {
+		return xerrors.Errorf("fetch: %w", err)
+	}
+	if agent.Status == codersdk.WorkspaceAgentConnected {
+		return nil
+	}
+	if agent.Status == codersdk.WorkspaceAgentDisconnected {
+		opts.WarnInterval = 0
+	}
+	spin := spinner.New(spinner.CharSets[78], 100*time.Millisecond, spinner.WithColor("fgHiGreen"))
+	spin.Writer = writer
+	spin.ForceOutput = true
+	spin.Suffix = " Waiting for connection from " + Styles.Field.Render(agent.Name) + "..."
+	spin.Start()
+	defer spin.Stop()
+
+	ctx, cancelFunc := context.WithCancel(ctx)
+	defer cancelFunc()
+	stopSpin := make(chan os.Signal, 1)
+	signal.Notify(stopSpin, os.Interrupt)
+	defer signal.Stop(stopSpin)
+	go func() {
+		select {
+		case <-ctx.Done():
+			return
+		case <-stopSpin:
+		}
+		signal.Stop(stopSpin)
+		spin.Stop()
+		// nolint:revive
+		os.Exit(1)
+	}()
+
+	ticker := time.NewTicker(opts.FetchInterval)
+	defer ticker.Stop()
+	timer := time.NewTimer(opts.WarnInterval)
+	defer timer.Stop()
+	go func() {
+		select {
+		case <-ctx.Done():
+			return
+		case <-timer.C:
+		}
+		resourceMutex.Lock()
+		defer resourceMutex.Unlock()
+		message := "Don't panic, your workspace is booting up!"
+		if agent.Status == codersdk.WorkspaceAgentDisconnected {
+			message = "The workspace agent lost connection! Wait for it to reconnect or restart your workspace."
+		}
+		// This saves the cursor position, then defers clearing from the cursor
+		// position to the end of the screen.
+		_, _ = fmt.Fprintf(writer, "\033[s\r\033[2K%s\n\n", Styles.Paragraph.Render(Styles.Prompt.String()+message))
+		defer fmt.Fprintf(writer, "\033[u\033[J")
+	}()
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-ticker.C:
+		}
+		resourceMutex.Lock()
+		agent, err = opts.Fetch(ctx)
+		if err != nil {
+			return xerrors.Errorf("fetch: %w", err)
+		}
+		if agent.Status != codersdk.WorkspaceAgentConnected {
+			resourceMutex.Unlock()
+			continue
+		}
+		resourceMutex.Unlock()
+		return nil
+	}
+}

cli/cliui/agent_test.go

@@ -0,0 +1,51 @@
+package cliui_test
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+	"go.uber.org/atomic"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+func TestAgent(t *testing.T) {
+	t.Parallel()
+	var disconnected atomic.Bool
+	ptty := ptytest.New(t)
+	cmd := &cobra.Command{
+		RunE: func(cmd *cobra.Command, args []string) error {
+			err := cliui.Agent(cmd.Context(), cmd.OutOrStdout(), cliui.AgentOptions{
+				WorkspaceName: "example",
+				Fetch: func(ctx context.Context) (codersdk.WorkspaceAgent, error) {
+					agent := codersdk.WorkspaceAgent{
+						Status: codersdk.WorkspaceAgentDisconnected,
+					}
+					if disconnected.Load() {
+						agent.Status = codersdk.WorkspaceAgentConnected
+					}
+					return agent, nil
+				},
+				FetchInterval: time.Millisecond,
+				WarnInterval:  10 * time.Millisecond,
+			})
+			return err
+		},
+	}
+	cmd.SetOutput(ptty.Output())
+	cmd.SetIn(ptty.Input())
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		err := cmd.Execute()
+		assert.NoError(t, err)
+	}()
+	ptty.ExpectMatch("lost connection")
+	disconnected.Store(true)
+	<-done
+}

cli/cliui/cliui.go

@@ -0,0 +1,58 @@
+package cliui
+
+import (
+	"github.com/charmbracelet/charm/ui/common"
+	"github.com/charmbracelet/lipgloss"
+	"golang.org/x/xerrors"
+)
+
+var (
+	Canceled = xerrors.New("canceled")
+
+	defaultStyles = common.DefaultStyles()
+)
+
+// ValidateNotEmpty is a helper function to disallow empty inputs!
+func ValidateNotEmpty(s string) error {
+	if s == "" {
+		return xerrors.New("Must be provided!")
+	}
+	return nil
+}
+
+// Styles compose visual elements of the UI!
+var Styles = struct {
+	Bold,
+	Checkmark,
+	Code,
+	Crossmark,
+	DateTimeStamp,
+	Error,
+	Field,
+	Keyword,
+	Paragraph,
+	Placeholder,
+	Prompt,
+	FocusedPrompt,
+	Fuchsia,
+	Logo,
+	Warn,
+	Wrap lipgloss.Style
+}{
+	Bold:          lipgloss.NewStyle().Bold(true),
+	Checkmark:     defaultStyles.Checkmark,
+	Code:          defaultStyles.Code,
+	Crossmark:     defaultStyles.Error.Copy().SetString("✘"),
+	DateTimeStamp: defaultStyles.LabelDim,
+	Error:         defaultStyles.Error,
+	Field:         defaultStyles.Code.Copy().Foreground(lipgloss.AdaptiveColor{Light: "#000000", Dark: "#FFFFFF"}),
+	Keyword:       defaultStyles.Keyword,
+	Paragraph:     defaultStyles.Paragraph,
+	Placeholder:   lipgloss.NewStyle().Foreground(lipgloss.AdaptiveColor{Light: "#585858", Dark: "#005fff"}),
+	Prompt:        defaultStyles.Prompt.Foreground(lipgloss.AdaptiveColor{Light: "#9B9B9B", Dark: "#5C5C5C"}),
+	FocusedPrompt: defaultStyles.FocusedPrompt.Foreground(lipgloss.Color("#651fff")),
+	Fuchsia:       defaultStyles.SelectedMenuItem.Copy(),
+	Logo:          defaultStyles.Logo.SetString("Coder"),
+	Warn:          lipgloss.NewStyle().Foreground(lipgloss.AdaptiveColor{Light: "#04B575", Dark: "#ECFD65"}),
+	Wrap:          lipgloss.NewStyle().Width(80),
+}

cli/cliui/log.go

@@ -0,0 +1,38 @@
+package cliui
+
+import (
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/charmbracelet/lipgloss"
+)
+
+// cliMessage provides a human-readable message for CLI errors and messages.
+type cliMessage struct {
+	Level  string
+	Style  lipgloss.Style
+	Header string
+	Lines  []string
+}
+
+// String formats the CLI message for consumption by a human.
+func (m cliMessage) String() string {
+	var str strings.Builder
+	_, _ = fmt.Fprintf(&str, "%s\r\n",
+		Styles.Bold.Render(m.Header))
+	for _, line := range m.Lines {
+		_, _ = fmt.Fprintf(&str, "  %s %s\r\n", m.Style.Render("|"), line)
+	}
+	return str.String()
+}
+
+// Warn writes a log to the writer provided.
+func Warn(wtr io.Writer, header string, lines ...string) {
+	_, _ = fmt.Fprint(wtr, cliMessage{
+		Level:  "warning",
+		Style:  Styles.Warn,
+		Header: header,
+		Lines:  lines,
+	}.String())
+}

cli/cliui/parameter.go

@@ -0,0 +1,62 @@
+package cliui
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"github.com/coder/coder/coderd/parameter"
+	"github.com/coder/coder/codersdk"
+)
+
+func ParameterSchema(cmd *cobra.Command, parameterSchema codersdk.ParameterSchema) (string, error) {
+	_, _ = fmt.Fprintln(cmd.OutOrStdout(), Styles.Bold.Render("var."+parameterSchema.Name))
+	if parameterSchema.Description != "" {
+		_, _ = fmt.Fprintln(cmd.OutOrStdout(), "  "+strings.TrimSpace(strings.Join(strings.Split(parameterSchema.Description, "\n"), "\n  "))+"\n")
+	}
+
+	var err error
+	var options []string
+	if parameterSchema.ValidationCondition != "" {
+		options, _, err = parameter.Contains(parameterSchema.ValidationCondition)
+		if err != nil {
+			return "", err
+		}
+	}
+	var value string
+	if len(options) > 0 {
+		// Move the cursor up a single line for nicer display!
+		_, _ = fmt.Fprint(cmd.OutOrStdout(), "\033[1A")
+		value, err = Select(cmd, SelectOptions{
+			Options:    options,
+			Default:    parameterSchema.DefaultSourceValue,
+			HideSearch: true,
+		})
+		if err == nil {
+			_, _ = fmt.Fprintln(cmd.OutOrStdout())
+			_, _ = fmt.Fprintln(cmd.OutOrStdout(), "  "+Styles.Prompt.String()+Styles.Field.Render(value))
+		}
+	} else {
+		text := "Enter a value"
+		if parameterSchema.DefaultSourceValue != "" {
+			text += fmt.Sprintf(" (default: %q)", parameterSchema.DefaultSourceValue)
+		}
+		text += ":"
+
+		value, err = Prompt(cmd, PromptOptions{
+			Text: Styles.Bold.Render(text),
+		})
+		value = strings.TrimSpace(value)
+	}
+	if err != nil {
+		return "", err
+	}
+
+	// If they didn't specify anything, use the default value if set.
+	if len(options) == 0 && value == "" {
+		value = parameterSchema.DefaultSourceValue
+	}
+
+	return value, nil
+}

cli/cliui/prompt.go

@@ -0,0 +1,160 @@
+package cliui
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/signal"
+	"strings"
+
+	"github.com/bgentry/speakeasy"
+	"github.com/mattn/go-isatty"
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+)
+
+// PromptOptions supply a set of options to the prompt.
+type PromptOptions struct {
+	Text      string
+	Default   string
+	Secret    bool
+	IsConfirm bool
+	Validate  func(string) error
+}
+
+const skipPromptFlag = "yes"
+
+func AllowSkipPrompt(cmd *cobra.Command) {
+	cmd.Flags().BoolP(skipPromptFlag, "y", false, "Bypass prompts")
+}
+
+const (
+	ConfirmYes = "yes"
+	ConfirmNo  = "no"
+)
+
+// Prompt asks the user for input.
+func Prompt(cmd *cobra.Command, opts PromptOptions) (string, error) {
+	// If the cmd has a "yes" flag for skipping confirm prompts, honor it.
+	// If it's not a "Confirm" prompt, then don't skip. As the default value of
+	// "yes" makes no sense.
+	if opts.IsConfirm && cmd.Flags().Lookup(skipPromptFlag) != nil {
+		if skip, _ := cmd.Flags().GetBool(skipPromptFlag); skip {
+			return ConfirmYes, nil
+		}
+	}
+
+	_, _ = fmt.Fprint(cmd.OutOrStdout(), Styles.FocusedPrompt.String()+opts.Text+" ")
+	if opts.IsConfirm {
+		if len(opts.Default) == 0 {
+			opts.Default = ConfirmYes
+		}
+		renderedYes := Styles.Placeholder.Render(ConfirmYes)
+		renderedNo := Styles.Placeholder.Render(ConfirmNo)
+		if opts.Default == ConfirmYes {
+			renderedYes = Styles.Bold.Render(ConfirmYes)
+		} else {
+			renderedNo = Styles.Bold.Render(ConfirmNo)
+		}
+		_, _ = fmt.Fprint(cmd.OutOrStdout(), Styles.Placeholder.Render("("+renderedYes+Styles.Placeholder.Render("/"+renderedNo+Styles.Placeholder.Render(") "))))
+	} else if opts.Default != "" {
+		_, _ = fmt.Fprint(cmd.OutOrStdout(), Styles.Placeholder.Render("("+opts.Default+") "))
+	}
+	interrupt := make(chan os.Signal, 1)
+
+	errCh := make(chan error, 1)
+	lineCh := make(chan string)
+	go func() {
+		var line string
+		var err error
+
+		inFile, isInputFile := cmd.InOrStdin().(*os.File)
+		if opts.Secret && isInputFile && isatty.IsTerminal(inFile.Fd()) {
+			// we don't install a signal handler here because speakeasy has its own
+			line, err = speakeasy.Ask("")
+		} else {
+			signal.Notify(interrupt, os.Interrupt)
+			defer signal.Stop(interrupt)
+
+			reader := bufio.NewReader(cmd.InOrStdin())
+			line, err = reader.ReadString('\n')
+
+			// Check if the first line beings with JSON object or array chars.
+			// This enables multiline JSON to be pasted into an input, and have
+			// it parse properly.
+			if err == nil && (strings.HasPrefix(line, "{") || strings.HasPrefix(line, "[")) {
+				line, err = promptJSON(reader, line)
+			}
+		}
+		if err != nil {
+			errCh <- err
+			return
+		}
+		line = strings.TrimRight(line, "\r\n")
+		if line == "" {
+			line = opts.Default
+		}
+		lineCh <- line
+	}()
+
+	select {
+	case err := <-errCh:
+		return "", err
+	case line := <-lineCh:
+		if opts.IsConfirm && line != "yes" && line != "y" {
+			return line, xerrors.Errorf("got %q: %w", line, Canceled)
+		}
+		if opts.Validate != nil {
+			err := opts.Validate(line)
+			if err != nil {
+				_, _ = fmt.Fprintln(cmd.OutOrStdout(), defaultStyles.Error.Render(err.Error()))
+				return Prompt(cmd, opts)
+			}
+		}
+		return line, nil
+	case <-cmd.Context().Done():
+		return "", cmd.Context().Err()
+	case <-interrupt:
+		// Print a newline so that any further output starts properly on a new line.
+		_, _ = fmt.Fprintln(cmd.OutOrStdout())
+		return "", Canceled
+	}
+}
+
+func promptJSON(reader *bufio.Reader, line string) (string, error) {
+	var data bytes.Buffer
+	for {
+		_, _ = data.WriteString(line)
+		var rawMessage json.RawMessage
+		err := json.Unmarshal(data.Bytes(), &rawMessage)
+		if err != nil {
+			if err.Error() != "unexpected end of JSON input" {
+				// If a real syntax error occurs in JSON,
+				// we want to return that partial line to the user.
+				err = nil
+				line = data.String()
+				break
+			}
+
+			// Read line-by-line. We can't use a JSON decoder
+			// here because it doesn't work by newline, so
+			// reads will block.
+			line, err = reader.ReadString('\n')
+			if err != nil {
+				break
+			}
+			continue
+		}
+		// Compacting the JSON makes it easier for parsing and testing.
+		rawJSON := data.Bytes()
+		data.Reset()
+		err = json.Compact(&data, rawJSON)
+		if err != nil {
+			return line, xerrors.Errorf("compact json: %w", err)
+		}
+		return data.String(), nil
+	}
+	return line, nil
+}

cli/cliui/prompt_test.go

@@ -0,0 +1,220 @@
+package cliui_test
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"os"
+	"os/exec"
+	"testing"
+
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/pty"
+	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
+)
+
+func TestPrompt(t *testing.T) {
+	t.Parallel()
+	t.Run("Success", func(t *testing.T) {
+		t.Parallel()
+		ptty := ptytest.New(t)
+		msgChan := make(chan string)
+		go func() {
+			resp, err := newPrompt(ptty, cliui.PromptOptions{
+				Text: "Example",
+			}, nil)
+			assert.NoError(t, err)
+			msgChan <- resp
+		}()
+		ptty.ExpectMatch("Example")
+		ptty.WriteLine("hello")
+		require.Equal(t, "hello", <-msgChan)
+	})
+
+	t.Run("Confirm", func(t *testing.T) {
+		t.Parallel()
+		ptty := ptytest.New(t)
+		doneChan := make(chan string)
+		go func() {
+			resp, err := newPrompt(ptty, cliui.PromptOptions{
+				Text:      "Example",
+				IsConfirm: true,
+			}, nil)
+			assert.NoError(t, err)
+			doneChan <- resp
+		}()
+		ptty.ExpectMatch("Example")
+		ptty.WriteLine("yes")
+		require.Equal(t, "yes", <-doneChan)
+	})
+
+	t.Run("Skip", func(t *testing.T) {
+		t.Parallel()
+		ptty := ptytest.New(t)
+		var buf bytes.Buffer
+
+		// Copy all data written out to a buffer. When we close the ptty, we can
+		// no longer read from the ptty.Output(), but we can read what was
+		// written to the buffer.
+		dataRead, doneReading := context.WithTimeout(context.Background(), testutil.WaitShort)
+		go func() {
+			// This will throw an error sometimes. The underlying ptty
+			// has its own cleanup routines in t.Cleanup. Instead of
+			// trying to control the close perfectly, just let the ptty
+			// double close. This error isn't important, we just
+			// want to know the ptty is done sending output.
+			_, _ = io.Copy(&buf, ptty.Output())
+			doneReading()
+		}()
+
+		doneChan := make(chan string)
+		go func() {
+			resp, err := newPrompt(ptty, cliui.PromptOptions{
+				Text:      "ShouldNotSeeThis",
+				IsConfirm: true,
+			}, func(cmd *cobra.Command) {
+				cliui.AllowSkipPrompt(cmd)
+				cmd.SetArgs([]string{"-y"})
+			})
+			assert.NoError(t, err)
+			doneChan <- resp
+		}()
+
+		require.Equal(t, "yes", <-doneChan)
+		// Close the reader to end the io.Copy
+		require.NoError(t, ptty.Close(), "close eof reader")
+		// Wait for the IO copy to finish
+		<-dataRead.Done()
+		// Timeout error means the output was hanging
+		require.ErrorIs(t, dataRead.Err(), context.Canceled, "should be canceled")
+		require.Len(t, buf.Bytes(), 0, "expect no output")
+	})
+	t.Run("JSON", func(t *testing.T) {
+		t.Parallel()
+		ptty := ptytest.New(t)
+		doneChan := make(chan string)
+		go func() {
+			resp, err := newPrompt(ptty, cliui.PromptOptions{
+				Text: "Example",
+			}, nil)
+			assert.NoError(t, err)
+			doneChan <- resp
+		}()
+		ptty.ExpectMatch("Example")
+		ptty.WriteLine("{}")
+		require.Equal(t, "{}", <-doneChan)
+	})
+
+	t.Run("BadJSON", func(t *testing.T) {
+		t.Parallel()
+		ptty := ptytest.New(t)
+		doneChan := make(chan string)
+		go func() {
+			resp, err := newPrompt(ptty, cliui.PromptOptions{
+				Text: "Example",
+			}, nil)
+			assert.NoError(t, err)
+			doneChan <- resp
+		}()
+		ptty.ExpectMatch("Example")
+		ptty.WriteLine("{a")
+		require.Equal(t, "{a", <-doneChan)
+	})
+
+	t.Run("MultilineJSON", func(t *testing.T) {
+		t.Parallel()
+		ptty := ptytest.New(t)
+		doneChan := make(chan string)
+		go func() {
+			resp, err := newPrompt(ptty, cliui.PromptOptions{
+				Text: "Example",
+			}, nil)
+			assert.NoError(t, err)
+			doneChan <- resp
+		}()
+		ptty.ExpectMatch("Example")
+		ptty.WriteLine(`{
+"test": "wow"
+}`)
+		require.Equal(t, `{"test":"wow"}`, <-doneChan)
+	})
+}
+
+func newPrompt(ptty *ptytest.PTY, opts cliui.PromptOptions, cmdOpt func(cmd *cobra.Command)) (string, error) {
+	value := ""
+	cmd := &cobra.Command{
+		RunE: func(cmd *cobra.Command, args []string) error {
+			var err error
+			value, err = cliui.Prompt(cmd, opts)
+			return err
+		},
+	}
+	// Optionally modify the cmd
+	if cmdOpt != nil {
+		cmdOpt(cmd)
+	}
+	cmd.SetOut(ptty.Output())
+	cmd.SetErr(ptty.Output())
+	cmd.SetIn(ptty.Input())
+	return value, cmd.ExecuteContext(context.Background())
+}
+
+func TestPasswordTerminalState(t *testing.T) {
+	if os.Getenv("TEST_SUBPROCESS") == "1" {
+		passwordHelper()
+		return
+	}
+	t.Parallel()
+
+	ptty := ptytest.New(t)
+	ptyWithFlags, ok := ptty.PTY.(pty.WithFlags)
+	if !ok {
+		t.Skip("unable to check PTY local echo on this platform")
+	}
+
+	cmd := exec.Command(os.Args[0], "-test.run=TestPasswordTerminalState") //nolint:gosec
+	cmd.Env = append(os.Environ(), "TEST_SUBPROCESS=1")
+	// connect the child process's stdio to the PTY directly, not via a pipe
+	cmd.Stdin = ptty.Input().Reader
+	cmd.Stdout = ptty.Output().Writer
+	cmd.Stderr = ptty.Output().Writer
+	err := cmd.Start()
+	require.NoError(t, err)
+	process := cmd.Process
+	defer process.Kill()
+
+	ptty.ExpectMatch("Password: ")
+
+	require.Eventually(t, func() bool {
+		echo, err := ptyWithFlags.EchoEnabled()
+		return err == nil && !echo
+	}, testutil.WaitShort, testutil.IntervalMedium, "echo is on while reading password")
+
+	err = process.Signal(os.Interrupt)
+	require.NoError(t, err)
+	_, err = process.Wait()
+	require.NoError(t, err)
+
+	require.Eventually(t, func() bool {
+		echo, err := ptyWithFlags.EchoEnabled()
+		return err == nil && echo
+	}, testutil.WaitShort, testutil.IntervalMedium, "echo is off after reading password")
+}
+
+// nolint:unused
+func passwordHelper() {
+	cmd := &cobra.Command{
+		Run: func(cmd *cobra.Command, args []string) {
+			cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:   "Password:",
+				Secret: true,
+			})
+		},
+	}
+	cmd.ExecuteContext(context.Background())
+}

cli/cliui/provisionerjob.go

@@ -0,0 +1,217 @@
+package cliui
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"os/signal"
+	"sync"
+	"time"
+
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/codersdk"
+)
+
+func WorkspaceBuild(ctx context.Context, writer io.Writer, client *codersdk.Client, build uuid.UUID, before time.Time) error {
+	return ProvisionerJob(ctx, writer, ProvisionerJobOptions{
+		Fetch: func() (codersdk.ProvisionerJob, error) {
+			build, err := client.WorkspaceBuild(ctx, build)
+			return build.Job, err
+		},
+		Logs: func() (<-chan codersdk.ProvisionerJobLog, error) {
+			return client.WorkspaceBuildLogsAfter(ctx, build, before)
+		},
+	})
+}
+
+type ProvisionerJobOptions struct {
+	Fetch  func() (codersdk.ProvisionerJob, error)
+	Cancel func() error
+	Logs   func() (<-chan codersdk.ProvisionerJobLog, error)
+
+	FetchInterval time.Duration
+	// Verbose determines whether debug and trace logs will be shown.
+	Verbose bool
+	// Silent determines whether log output will be shown unless there is an
+	// error.
+	Silent bool
+}
+
+// ProvisionerJob renders a provisioner job with interactive cancellation.
+func ProvisionerJob(ctx context.Context, writer io.Writer, opts ProvisionerJobOptions) error {
+	if opts.FetchInterval == 0 {
+		opts.FetchInterval = time.Second
+	}
+	ctx, cancelFunc := context.WithCancel(ctx)
+	defer cancelFunc()
+
+	var (
+		currentStage          = "Queued"
+		currentStageStartedAt = time.Now().UTC()
+		didLogBetweenStage    = false
+
+		errChan  = make(chan error, 1)
+		job      codersdk.ProvisionerJob
+		jobMutex sync.Mutex
+	)
+
+	printStage := func() {
+		_, _ = fmt.Fprintf(writer, Styles.Prompt.Render("⧗")+"%s\n", Styles.Field.Render(currentStage))
+	}
+
+	updateStage := func(stage string, startedAt time.Time) {
+		if currentStage != "" {
+			prefix := ""
+			if !didLogBetweenStage {
+				prefix = "\033[1A\r"
+			}
+			mark := Styles.Checkmark
+			if job.CompletedAt != nil && job.Status != codersdk.ProvisionerJobSucceeded {
+				mark = Styles.Crossmark
+			}
+			_, _ = fmt.Fprintf(writer, prefix+mark.String()+Styles.Placeholder.Render(" %s [%dms]")+"\n", currentStage, startedAt.Sub(currentStageStartedAt).Milliseconds())
+		}
+		if stage == "" {
+			return
+		}
+		currentStage = stage
+		currentStageStartedAt = startedAt
+		didLogBetweenStage = false
+		printStage()
+	}
+
+	updateJob := func() {
+		var err error
+		jobMutex.Lock()
+		defer jobMutex.Unlock()
+		job, err = opts.Fetch()
+		if err != nil {
+			errChan <- xerrors.Errorf("fetch: %w", err)
+			return
+		}
+		if job.StartedAt == nil {
+			return
+		}
+		if currentStage != "Queued" {
+			// If another stage is already running, there's no need
+			// for us to notify the user we're running!
+			return
+		}
+		updateStage("Running", *job.StartedAt)
+	}
+	updateJob()
+
+	if opts.Cancel != nil {
+		// Handles ctrl+c to cancel a job.
+		stopChan := make(chan os.Signal, 1)
+		signal.Notify(stopChan, os.Interrupt)
+		go func() {
+			defer signal.Stop(stopChan)
+			select {
+			case <-ctx.Done():
+				return
+			case _, ok := <-stopChan:
+				if !ok {
+					return
+				}
+			}
+			_, _ = fmt.Fprintf(writer, "\033[2K\r\n"+Styles.FocusedPrompt.String()+Styles.Bold.Render("Gracefully canceling...")+"\n\n")
+			err := opts.Cancel()
+			if err != nil {
+				errChan <- xerrors.Errorf("cancel: %w", err)
+				return
+			}
+			updateJob()
+		}()
+	}
+
+	// The initial stage needs to print after the signal handler has been registered.
+	printStage()
+
+	logs, err := opts.Logs()
+	if err != nil {
+		return xerrors.Errorf("logs: %w", err)
+	}
+
+	var (
+		// logOutput is where log output is written
+		logOutput = writer
+		// logBuffer is where logs are buffered if opts.Silent is true
+		logBuffer = &bytes.Buffer{}
+	)
+	if opts.Silent {
+		logOutput = logBuffer
+	}
+	flushLogBuffer := func() {
+		if opts.Silent {
+			_, _ = io.Copy(writer, logBuffer)
+		}
+	}
+
+	ticker := time.NewTicker(opts.FetchInterval)
+	defer ticker.Stop()
+	for {
+		select {
+		case err = <-errChan:
+			flushLogBuffer()
+			return err
+		case <-ctx.Done():
+			flushLogBuffer()
+			return ctx.Err()
+		case <-ticker.C:
+			updateJob()
+		case log, ok := <-logs:
+			if !ok {
+				updateJob()
+				jobMutex.Lock()
+				if job.CompletedAt != nil {
+					updateStage("", *job.CompletedAt)
+				}
+				switch job.Status {
+				case codersdk.ProvisionerJobCanceled:
+					jobMutex.Unlock()
+					return Canceled
+				case codersdk.ProvisionerJobSucceeded:
+					jobMutex.Unlock()
+					return nil
+				case codersdk.ProvisionerJobFailed:
+				}
+				err = xerrors.New(job.Error)
+				jobMutex.Unlock()
+				flushLogBuffer()
+				return err
+			}
+
+			output := ""
+			switch log.Level {
+			case codersdk.LogLevelTrace, codersdk.LogLevelDebug:
+				if !opts.Verbose {
+					continue
+				}
+				output = Styles.Placeholder.Render(log.Output)
+			case codersdk.LogLevelError:
+				output = defaultStyles.Error.Render(log.Output)
+			case codersdk.LogLevelWarn:
+				output = Styles.Warn.Render(log.Output)
+			case codersdk.LogLevelInfo:
+				output = log.Output
+			}
+
+			jobMutex.Lock()
+			if log.Stage != currentStage && log.Stage != "" {
+				updateStage(log.Stage, log.CreatedAt)
+				jobMutex.Unlock()
+				continue
+			}
+			_, _ = fmt.Fprintf(logOutput, "%s %s\n", Styles.Placeholder.Render(" "), output)
+			if !opts.Silent {
+				didLogBetweenStage = true
+			}
+			jobMutex.Unlock()
+		}
+	}
+}

cli/cliui/provisionerjob_test.go

@@ -0,0 +1,166 @@
+package cliui_test
+
+import (
+	"context"
+	"os"
+	"runtime"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+// This cannot be ran in parallel because it uses a signal.
+// nolint:tparallel
+func TestProvisionerJob(t *testing.T) {
+	t.Run("NoLogs", func(t *testing.T) {
+		t.Parallel()
+
+		test := newProvisionerJob(t)
+		go func() {
+			<-test.Next
+			test.JobMutex.Lock()
+			test.Job.Status = codersdk.ProvisionerJobRunning
+			now := database.Now()
+			test.Job.StartedAt = &now
+			test.JobMutex.Unlock()
+			<-test.Next
+			test.JobMutex.Lock()
+			test.Job.Status = codersdk.ProvisionerJobSucceeded
+			now = database.Now()
+			test.Job.CompletedAt = &now
+			close(test.Logs)
+			test.JobMutex.Unlock()
+		}()
+		test.PTY.ExpectMatch("Queued")
+		test.Next <- struct{}{}
+		test.PTY.ExpectMatch("Queued")
+		test.PTY.ExpectMatch("Running")
+		test.Next <- struct{}{}
+		test.PTY.ExpectMatch("Running")
+	})
+
+	t.Run("Stages", func(t *testing.T) {
+		t.Parallel()
+
+		test := newProvisionerJob(t)
+		go func() {
+			<-test.Next
+			test.JobMutex.Lock()
+			test.Job.Status = codersdk.ProvisionerJobRunning
+			now := database.Now()
+			test.Job.StartedAt = &now
+			test.Logs <- codersdk.ProvisionerJobLog{
+				CreatedAt: database.Now(),
+				Stage:     "Something",
+			}
+			test.JobMutex.Unlock()
+			<-test.Next
+			test.JobMutex.Lock()
+			test.Job.Status = codersdk.ProvisionerJobSucceeded
+			now = database.Now()
+			test.Job.CompletedAt = &now
+			close(test.Logs)
+			test.JobMutex.Unlock()
+		}()
+		test.PTY.ExpectMatch("Queued")
+		test.Next <- struct{}{}
+		test.PTY.ExpectMatch("Queued")
+		test.PTY.ExpectMatch("Something")
+		test.Next <- struct{}{}
+		test.PTY.ExpectMatch("Something")
+	})
+
+	// This cannot be ran in parallel because it uses a signal.
+	// nolint:paralleltest
+	t.Run("Cancel", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			// Sending interrupt signal isn't supported on Windows!
+			t.SkipNow()
+		}
+
+		test := newProvisionerJob(t)
+		go func() {
+			<-test.Next
+			currentProcess, err := os.FindProcess(os.Getpid())
+			assert.NoError(t, err)
+			err = currentProcess.Signal(os.Interrupt)
+			assert.NoError(t, err)
+			<-test.Next
+			test.JobMutex.Lock()
+			test.Job.Status = codersdk.ProvisionerJobCanceled
+			now := database.Now()
+			test.Job.CompletedAt = &now
+			close(test.Logs)
+			test.JobMutex.Unlock()
+		}()
+		test.PTY.ExpectMatch("Queued")
+		test.Next <- struct{}{}
+		test.PTY.ExpectMatch("Gracefully canceling")
+		test.Next <- struct{}{}
+		test.PTY.ExpectMatch("Queued")
+	})
+}
+
+type provisionerJobTest struct {
+	Next     chan struct{}
+	Job      *codersdk.ProvisionerJob
+	JobMutex *sync.Mutex
+	Logs     chan codersdk.ProvisionerJobLog
+	PTY      *ptytest.PTY
+}
+
+func newProvisionerJob(t *testing.T) provisionerJobTest {
+	job := &codersdk.ProvisionerJob{
+		Status:    codersdk.ProvisionerJobPending,
+		CreatedAt: database.Now(),
+	}
+	jobLock := sync.Mutex{}
+	logs := make(chan codersdk.ProvisionerJobLog, 1)
+	cmd := &cobra.Command{
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cliui.ProvisionerJob(cmd.Context(), cmd.OutOrStdout(), cliui.ProvisionerJobOptions{
+				FetchInterval: time.Millisecond,
+				Fetch: func() (codersdk.ProvisionerJob, error) {
+					jobLock.Lock()
+					defer jobLock.Unlock()
+					return *job, nil
+				},
+				Cancel: func() error {
+					return nil
+				},
+				Logs: func() (<-chan codersdk.ProvisionerJobLog, error) {
+					return logs, nil
+				},
+			})
+		},
+	}
+	ptty := ptytest.New(t)
+	cmd.SetOutput(ptty.Output())
+	cmd.SetIn(ptty.Input())
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		err := cmd.ExecuteContext(context.Background())
+		if err != nil {
+			assert.ErrorIs(t, err, cliui.Canceled)
+		}
+	}()
+	t.Cleanup(func() {
+		<-done
+	})
+	return provisionerJobTest{
+		Next:     make(chan struct{}),
+		Job:      job,
+		JobMutex: &jobLock,
+		Logs:     logs,
+		PTY:      ptty,
+	}
+}

cli/cliui/resources.go

@@ -0,0 +1,124 @@
+package cliui
+
+import (
+	"fmt"
+	"io"
+	"sort"
+	"strconv"
+
+	"github.com/jedib0t/go-pretty/v6/table"
+
+	"github.com/coder/coder/coderd/database"
+
+	"github.com/coder/coder/codersdk"
+)
+
+type WorkspaceResourcesOptions struct {
+	WorkspaceName  string
+	HideAgentState bool
+	HideAccess     bool
+	Title          string
+}
+
+// WorkspaceResources displays the connection status and tree-view of provided resources.
+// ┌────────────────────────────────────────────────────────────────────────────┐
+// │ RESOURCE                     STATUS               ACCESS                   │
+// ├────────────────────────────────────────────────────────────────────────────┤
+// │ google_compute_disk.root                                                   │
+// ├────────────────────────────────────────────────────────────────────────────┤
+// │ google_compute_instance.dev                                                │
+// │ └─ dev (linux, amd64)        ⦾ connecting [10s]    coder ssh dev.dev       │
+// ├────────────────────────────────────────────────────────────────────────────┤
+// │ kubernetes_pod.dev                                                         │
+// │ ├─ go (linux, amd64)         ⦿ connected           coder ssh dev.go        │
+// │ └─ postgres (linux, amd64)   ⦾ disconnected [4s]   coder ssh dev.postgres  │
+// └────────────────────────────────────────────────────────────────────────────┘
+func WorkspaceResources(writer io.Writer, resources []codersdk.WorkspaceResource, options WorkspaceResourcesOptions) error {
+	// Sort resources by type for consistent output.
+	sort.Slice(resources, func(i, j int) bool {
+		return resources[i].Type < resources[j].Type
+	})
+
+	tableWriter := table.NewWriter()
+	if options.Title != "" {
+		tableWriter.SetTitle(options.Title)
+	}
+	tableWriter.SetStyle(table.StyleLight)
+	tableWriter.Style().Options.SeparateColumns = false
+	row := table.Row{"Resource"}
+	if !options.HideAgentState {
+		row = append(row, "Status")
+	}
+	if !options.HideAccess {
+		row = append(row, "Access")
+	}
+	tableWriter.AppendHeader(row)
+
+	totalAgents := 0
+	for _, resource := range resources {
+		totalAgents += len(resource.Agents)
+	}
+
+	for _, resource := range resources {
+		if resource.Type == "random_string" {
+			// Hide resources that aren't substantial to a user!
+			// This is an unfortunate case, and we should allow
+			// callers to hide resources eventually.
+			continue
+		}
+		resourceAddress := resource.Type + "." + resource.Name
+
+		// Sort agents by name for consistent output.
+		sort.Slice(resource.Agents, func(i, j int) bool {
+			return resource.Agents[i].Name < resource.Agents[j].Name
+		})
+
+		// Display a line for the resource.
+		tableWriter.AppendRow(table.Row{
+			Styles.Bold.Render(resourceAddress),
+			"",
+			"",
+		})
+		// Display all agents associated with the resource.
+		for index, agent := range resource.Agents {
+			pipe := "├"
+			if index == len(resource.Agents)-1 {
+				pipe = "└"
+			}
+			row := table.Row{
+				// These tree from a resource!
+				fmt.Sprintf("%s─ %s (%s, %s)", pipe, agent.Name, agent.OperatingSystem, agent.Architecture),
+			}
+			if !options.HideAgentState {
+				var agentStatus string
+				if !options.HideAgentState {
+					switch agent.Status {
+					case codersdk.WorkspaceAgentConnecting:
+						since := database.Now().Sub(agent.CreatedAt)
+						agentStatus = Styles.Warn.Render("⦾ connecting") + " " +
+							Styles.Placeholder.Render("["+strconv.Itoa(int(since.Seconds()))+"s]")
+					case codersdk.WorkspaceAgentDisconnected:
+						since := database.Now().Sub(*agent.DisconnectedAt)
+						agentStatus = Styles.Error.Render("⦾ disconnected") + " " +
+							Styles.Placeholder.Render("["+strconv.Itoa(int(since.Seconds()))+"s]")
+					case codersdk.WorkspaceAgentConnected:
+						agentStatus = Styles.Keyword.Render("⦿ connected")
+					}
+				}
+				row = append(row, agentStatus)
+			}
+			if !options.HideAccess {
+				sshCommand := "coder ssh " + options.WorkspaceName
+				if totalAgents > 1 {
+					sshCommand += "." + agent.Name
+				}
+				sshCommand = Styles.Code.Render(sshCommand)
+				row = append(row, sshCommand)
+			}
+			tableWriter.AppendRow(row)
+		}
+		tableWriter.AppendSeparator()
+	}
+	_, err := fmt.Fprintln(writer, tableWriter.Render())
+	return err
+}

cli/cliui/resources_test.go

@@ -0,0 +1,96 @@
+package cliui_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+func TestWorkspaceResources(t *testing.T) {
+	t.Parallel()
+	t.Run("SingleAgentSSH", func(t *testing.T) {
+		t.Parallel()
+		ptty := ptytest.New(t)
+		done := make(chan struct{})
+		go func() {
+			err := cliui.WorkspaceResources(ptty.Output(), []codersdk.WorkspaceResource{{
+				Type:       "google_compute_instance",
+				Name:       "dev",
+				Transition: codersdk.WorkspaceTransitionStart,
+				Agents: []codersdk.WorkspaceAgent{{
+					Name:            "dev",
+					Status:          codersdk.WorkspaceAgentConnected,
+					Architecture:    "amd64",
+					OperatingSystem: "linux",
+				}},
+			}}, cliui.WorkspaceResourcesOptions{
+				WorkspaceName: "example",
+			})
+			assert.NoError(t, err)
+			close(done)
+		}()
+		ptty.ExpectMatch("coder ssh example")
+		<-done
+	})
+
+	t.Run("MultipleStates", func(t *testing.T) {
+		t.Parallel()
+		ptty := ptytest.New(t)
+		disconnected := database.Now().Add(-4 * time.Second)
+		done := make(chan struct{})
+		go func() {
+			err := cliui.WorkspaceResources(ptty.Output(), []codersdk.WorkspaceResource{{
+				Transition: codersdk.WorkspaceTransitionStart,
+				Type:       "google_compute_disk",
+				Name:       "root",
+			}, {
+				Transition: codersdk.WorkspaceTransitionStop,
+				Type:       "google_compute_disk",
+				Name:       "root",
+			}, {
+				Transition: codersdk.WorkspaceTransitionStart,
+				Type:       "google_compute_instance",
+				Name:       "dev",
+				Agents: []codersdk.WorkspaceAgent{{
+					CreatedAt:       database.Now().Add(-10 * time.Second),
+					Status:          codersdk.WorkspaceAgentConnecting,
+					Name:            "dev",
+					OperatingSystem: "linux",
+					Architecture:    "amd64",
+				}},
+			}, {
+				Transition: codersdk.WorkspaceTransitionStart,
+				Type:       "kubernetes_pod",
+				Name:       "dev",
+				Agents: []codersdk.WorkspaceAgent{{
+					Status:          codersdk.WorkspaceAgentConnected,
+					Name:            "go",
+					Architecture:    "amd64",
+					OperatingSystem: "linux",
+				}, {
+					DisconnectedAt:  &disconnected,
+					Status:          codersdk.WorkspaceAgentDisconnected,
+					Name:            "postgres",
+					Architecture:    "amd64",
+					OperatingSystem: "linux",
+				}},
+			}}, cliui.WorkspaceResourcesOptions{
+				WorkspaceName:  "dev",
+				HideAgentState: false,
+				HideAccess:     false,
+			})
+			assert.NoError(t, err)
+			close(done)
+		}()
+		ptty.ExpectMatch("google_compute_disk.root")
+		ptty.ExpectMatch("google_compute_instance.dev")
+		ptty.ExpectMatch("coder ssh dev.postgres")
+		<-done
+	})
+}

cli/cliui/select.go

@@ -0,0 +1,95 @@
+package cliui
+
+import (
+	"errors"
+	"flag"
+	"io"
+	"os"
+
+	"github.com/AlecAivazis/survey/v2"
+	"github.com/AlecAivazis/survey/v2/terminal"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	survey.SelectQuestionTemplate = `
+{{- define "option"}}
+    {{- "  " }}{{- if eq .SelectedIndex .CurrentIndex }}{{color "green" }}{{ .Config.Icons.SelectFocus.Text }} {{else}}{{color "default"}}  {{end}}
+    {{- .CurrentOpt.Value}}
+    {{- color "reset"}}
+{{end}}
+
+{{- if not .ShowAnswer }}
+{{- if .Config.Icons.Help.Text }}
+{{- if .FilterMessage }}{{ "Search:" }}{{ .FilterMessage }}
+{{- else }}
+{{- color "black+h"}}{{- "Type to search" }}{{color "reset"}}
+{{- end }}
+{{- "\n" }}
+{{- end }}
+{{- "\n" }}
+{{- range $ix, $option := .PageEntries}}
+  {{- template "option" $.IterateOption $ix $option}}
+{{- end}}
+{{- end }}`
+}
+
+type SelectOptions struct {
+	Options []string
+	// Default will be highlighted first if it's a valid option.
+	Default    string
+	Size       int
+	HideSearch bool
+}
+
+// Select displays a list of user options.
+func Select(cmd *cobra.Command, opts SelectOptions) (string, error) {
+	// The survey library used *always* fails when testing on Windows,
+	// as it requires a live TTY (can't be a conpty). We should fork
+	// this library to add a dummy fallback, that simply reads/writes
+	// to the IO provided. See:
+	// https://github.com/AlecAivazis/survey/blob/master/terminal/runereader_windows.go#L94
+	if flag.Lookup("test.v") != nil {
+		return opts.Options[0], nil
+	}
+
+	var defaultOption interface{}
+	if opts.Default != "" {
+		defaultOption = opts.Default
+	}
+
+	var value string
+	err := survey.AskOne(&survey.Select{
+		Options:  opts.Options,
+		Default:  defaultOption,
+		PageSize: opts.Size,
+	}, &value, survey.WithIcons(func(is *survey.IconSet) {
+		is.Help.Text = "Type to search"
+		if opts.HideSearch {
+			is.Help.Text = ""
+		}
+	}), survey.WithStdio(fileReadWriter{
+		Reader: cmd.InOrStdin(),
+	}, fileReadWriter{
+		Writer: cmd.OutOrStdout(),
+	}, cmd.OutOrStdout()))
+	if errors.Is(err, terminal.InterruptErr) {
+		return value, Canceled
+	}
+	return value, err
+}
+
+type fileReadWriter struct {
+	io.Reader
+	io.Writer
+}
+
+func (f fileReadWriter) Fd() uintptr {
+	if file, ok := f.Reader.(*os.File); ok {
+		return file.Fd()
+	}
+	if file, ok := f.Writer.(*os.File); ok {
+		return file.Fd()
+	}
+	return 0
+}

cli/cliui/select_test.go

@@ -0,0 +1,44 @@
+package cliui_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+func TestSelect(t *testing.T) {
+	t.Parallel()
+	t.Run("Select", func(t *testing.T) {
+		t.Parallel()
+		ptty := ptytest.New(t)
+		msgChan := make(chan string)
+		go func() {
+			resp, err := newSelect(ptty, cliui.SelectOptions{
+				Options: []string{"First", "Second"},
+			})
+			assert.NoError(t, err)
+			msgChan <- resp
+		}()
+		require.Equal(t, "First", <-msgChan)
+	})
+}
+
+func newSelect(ptty *ptytest.PTY, opts cliui.SelectOptions) (string, error) {
+	value := ""
+	cmd := &cobra.Command{
+		RunE: func(cmd *cobra.Command, args []string) error {
+			var err error
+			value, err = cliui.Select(cmd, opts)
+			return err
+		},
+	}
+	cmd.SetOutput(ptty.Output())
+	cmd.SetIn(ptty.Input())
+	return value, cmd.ExecuteContext(context.Background())
+}

cli/cliui/table.go

@@ -0,0 +1,307 @@
+package cliui
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+	"time"
+
+	"github.com/fatih/structtag"
+	"github.com/jedib0t/go-pretty/v6/table"
+	"golang.org/x/xerrors"
+)
+
+// Table creates a new table with standardized styles.
+func Table() table.Writer {
+	tableWriter := table.NewWriter()
+	tableWriter.Style().Box.PaddingLeft = ""
+	tableWriter.Style().Box.PaddingRight = "  "
+	tableWriter.Style().Options.DrawBorder = false
+	tableWriter.Style().Options.SeparateHeader = false
+	tableWriter.Style().Options.SeparateColumns = false
+	return tableWriter
+}
+
+// FilterTableColumns returns configurations to hide columns
+// that are not provided in the array. If the array is empty,
+// no filtering will occur!
+func FilterTableColumns(header table.Row, columns []string) []table.ColumnConfig {
+	if len(columns) == 0 {
+		return nil
+	}
+	columnConfigs := make([]table.ColumnConfig, 0)
+	for _, headerTextRaw := range header {
+		headerText, _ := headerTextRaw.(string)
+		hidden := true
+		for _, column := range columns {
+			if strings.EqualFold(strings.ReplaceAll(column, "_", " "), headerText) {
+				hidden = false
+				break
+			}
+		}
+		columnConfigs = append(columnConfigs, table.ColumnConfig{
+			Name:   headerText,
+			Hidden: hidden,
+		})
+	}
+	return columnConfigs
+}
+
+// DisplayTable renders a table as a string. The input argument must be a slice
+// of structs. At least one field in the struct must have a `table:""` tag
+// containing the name of the column in the outputted table.
+//
+// Nested structs are processed if the field has the `table:"$NAME,recursive"`
+// tag and their fields will be named as `$PARENT_NAME $NAME`. If the tag is
+// malformed or a field is marked as recursive but does not contain a struct or
+// a pointer to a struct, this function will return an error (even with an empty
+// input slice).
+//
+// If sort is empty, the input order will be used. If filterColumns is empty or
+// nil, all available columns are included.
+func DisplayTable(out any, sort string, filterColumns []string) (string, error) {
+	v := reflect.Indirect(reflect.ValueOf(out))
+
+	if v.Kind() != reflect.Slice {
+		return "", xerrors.Errorf("DisplayTable called with a non-slice type")
+	}
+
+	// Get the list of table column headers.
+	headersRaw, err := typeToTableHeaders(v.Type().Elem())
+	if err != nil {
+		return "", xerrors.Errorf("get table headers recursively for type %q: %w", v.Type().Elem().String(), err)
+	}
+	if len(headersRaw) == 0 {
+		return "", xerrors.New(`no table headers found on the input type, make sure there is at least one "table" struct tag`)
+	}
+	headers := make(table.Row, len(headersRaw))
+	for i, header := range headersRaw {
+		headers[i] = header
+	}
+
+	// Verify that the given sort column and filter columns are valid.
+	if sort != "" || len(filterColumns) != 0 {
+		headersMap := make(map[string]string, len(headersRaw))
+		for _, header := range headersRaw {
+			headersMap[strings.ToLower(header)] = header
+		}
+
+		if sort != "" {
+			sort = strings.ToLower(strings.ReplaceAll(sort, "_", " "))
+			h, ok := headersMap[sort]
+			if !ok {
+				return "", xerrors.Errorf(`specified sort column %q not found in table headers, available columns are "%v"`, sort, strings.Join(headersRaw, `", "`))
+			}
+
+			// Autocorrect
+			sort = h
+		}
+
+		for i, column := range filterColumns {
+			column := strings.ToLower(strings.ReplaceAll(column, "_", " "))
+			h, ok := headersMap[column]
+			if !ok {
+				return "", xerrors.Errorf(`specified filter column %q not found in table headers, available columns are "%v"`, sort, strings.Join(headersRaw, `", "`))
+			}
+
+			// Autocorrect
+			filterColumns[i] = h
+		}
+	}
+
+	// Verify that the given sort column is valid.
+	if sort != "" {
+		sort = strings.ReplaceAll(sort, "_", " ")
+		found := false
+		for _, header := range headersRaw {
+			if strings.EqualFold(sort, header) {
+				found = true
+				sort = header
+				break
+			}
+		}
+		if !found {
+			return "", xerrors.Errorf("specified sort column %q not found in table headers, available columns are %q", sort, strings.Join(headersRaw, `", "`))
+		}
+	}
+
+	// Setup the table formatter.
+	tw := Table()
+	tw.AppendHeader(headers)
+	tw.SetColumnConfigs(FilterTableColumns(headers, filterColumns))
+	if sort != "" {
+		tw.SortBy([]table.SortBy{{
+			Name: sort,
+		}})
+	}
+
+	// Write each struct to the table.
+	for i := 0; i < v.Len(); i++ {
+		// Format the row as a slice.
+		rowMap, err := valueToTableMap(v.Index(i))
+		if err != nil {
+			return "", xerrors.Errorf("get table row map %v: %w", i, err)
+		}
+
+		rowSlice := make([]any, len(headers))
+		for i, h := range headersRaw {
+			v, ok := rowMap[h]
+			if !ok {
+				v = nil
+			}
+
+			// Special type formatting.
+			switch val := v.(type) {
+			case time.Time:
+				v = val.Format(time.Stamp)
+			case *time.Time:
+				if val != nil {
+					v = val.Format(time.Stamp)
+				}
+			case fmt.Stringer:
+				if val != nil {
+					v = val.String()
+				}
+			}
+
+			rowSlice[i] = v
+		}
+
+		tw.AppendRow(table.Row(rowSlice))
+	}
+
+	return tw.Render(), nil
+}
+
+// parseTableStructTag returns the name of the field according to the `table`
+// struct tag. If the table tag does not exist or is "-", an empty string is
+// returned. If the table tag is malformed, an error is returned.
+//
+// The returned name is transformed from "snake_case" to "normal text".
+func parseTableStructTag(field reflect.StructField) (name string, recurse bool, err error) {
+	tags, err := structtag.Parse(string(field.Tag))
+	if err != nil {
+		return "", false, xerrors.Errorf("parse struct field tag %q: %w", string(field.Tag), err)
+	}
+
+	tag, err := tags.Get("table")
+	if err != nil || tag.Name == "-" {
+		// tags.Get only returns an error if the tag is not found.
+		return "", false, nil
+	}
+
+	recursive := false
+	for _, opt := range tag.Options {
+		if opt == "recursive" {
+			recursive = true
+			continue
+		}
+
+		return "", false, xerrors.Errorf("unknown option %q in struct field tag", opt)
+	}
+
+	return strings.ReplaceAll(tag.Name, "_", " "), recursive, nil
+}
+
+func isStructOrStructPointer(t reflect.Type) bool {
+	return t.Kind() == reflect.Struct || (t.Kind() == reflect.Pointer && t.Elem().Kind() == reflect.Struct)
+}
+
+// typeToTableHeaders converts a type to a slice of column names. If the given
+// type is invalid (not a struct or a pointer to a struct, has invalid table
+// tags, etc.), an error is returned.
+func typeToTableHeaders(t reflect.Type) ([]string, error) {
+	if !isStructOrStructPointer(t) {
+		return nil, xerrors.Errorf("typeToTableHeaders called with a non-struct or a non-pointer-to-a-struct type")
+	}
+	if t.Kind() == reflect.Pointer {
+		t = t.Elem()
+	}
+
+	headers := []string{}
+	for i := 0; i < t.NumField(); i++ {
+		field := t.Field(i)
+		name, recursive, err := parseTableStructTag(field)
+		if err != nil {
+			return nil, xerrors.Errorf("parse struct tags for field %q in type %q: %w", field.Name, t.String(), err)
+		}
+		if name == "" {
+			continue
+		}
+
+		fieldType := field.Type
+		if recursive {
+			if !isStructOrStructPointer(fieldType) {
+				return nil, xerrors.Errorf("field %q in type %q is marked as recursive but does not contain a struct or a pointer to a struct", field.Name, t.String())
+			}
+
+			childNames, err := typeToTableHeaders(fieldType)
+			if err != nil {
+				return nil, xerrors.Errorf("get child field header names for field %q in type %q: %w", field.Name, fieldType.String(), err)
+			}
+			for _, childName := range childNames {
+				headers = append(headers, fmt.Sprintf("%s %s", name, childName))
+			}
+			continue
+		}
+
+		headers = append(headers, name)
+	}
+
+	return headers, nil
+}
+
+// valueToTableMap converts a struct to a map of column name to value. If the
+// given type is invalid (not a struct or a pointer to a struct, has invalid
+// table tags, etc.), an error is returned.
+func valueToTableMap(val reflect.Value) (map[string]any, error) {
+	if !isStructOrStructPointer(val.Type()) {
+		return nil, xerrors.Errorf("valueToTableMap called with a non-struct or a non-pointer-to-a-struct type")
+	}
+	if val.Kind() == reflect.Pointer {
+		if val.IsNil() {
+			// No data for this struct, so return an empty map. All values will
+			// be rendered as nil in the resulting table.
+			return map[string]any{}, nil
+		}
+
+		val = val.Elem()
+	}
+
+	row := map[string]any{}
+	for i := 0; i < val.NumField(); i++ {
+		field := val.Type().Field(i)
+		fieldVal := val.Field(i)
+		name, recursive, err := parseTableStructTag(field)
+		if err != nil {
+			return nil, xerrors.Errorf("parse struct tags for field %q in type %T: %w", field.Name, val, err)
+		}
+		if name == "" {
+			continue
+		}
+
+		// Recurse if it's a struct.
+		fieldType := field.Type
+		if recursive {
+			if !isStructOrStructPointer(fieldType) {
+				return nil, xerrors.Errorf("field %q in type %q is marked as recursive but does not contain a struct or a pointer to a struct", field.Name, fieldType.String())
+			}
+
+			// valueToTableMap does nothing on pointers so we don't need to
+			// filter here.
+			childMap, err := valueToTableMap(fieldVal)
+			if err != nil {
+				return nil, xerrors.Errorf("get child field values for field %q in type %q: %w", field.Name, fieldType.String(), err)
+			}
+			for childName, childValue := range childMap {
+				row[fmt.Sprintf("%s %s", name, childName)] = childValue
+			}
+			continue
+		}
+
+		// Otherwise, we just use the field value.
+		row[name] = val.Field(i).Interface()
+	}
+
+	return row, nil
+}

cli/cliui/table_test.go

@@ -0,0 +1,352 @@
+package cliui_test
+
+import (
+	"fmt"
+	"log"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/cliui"
+)
+
+type stringWrapper struct {
+	str string
+}
+
+var _ fmt.Stringer = stringWrapper{}
+
+func (s stringWrapper) String() string {
+	return s.str
+}
+
+type tableTest1 struct {
+	Name        string      `table:"name"`
+	NotIncluded string      // no table tag
+	Age         int         `table:"age"`
+	Roles       []string    `table:"roles"`
+	Sub1        tableTest2  `table:"sub_1,recursive"`
+	Sub2        *tableTest2 `table:"sub_2,recursive"`
+	Sub3        tableTest3  `table:"sub 3,recursive"`
+	Sub4        tableTest2  `table:"sub 4"` // not recursive
+
+	// Types with special formatting.
+	Time    time.Time  `table:"time"`
+	TimePtr *time.Time `table:"time_ptr"`
+}
+
+type tableTest2 struct {
+	Name        stringWrapper `table:"name"`
+	Age         int           `table:"age"`
+	NotIncluded string        `table:"-"`
+}
+
+type tableTest3 struct {
+	NotIncluded string     // no table tag
+	Sub         tableTest2 `table:"inner,recursive"`
+}
+
+func Test_DisplayTable(t *testing.T) {
+	t.Parallel()
+
+	someTime := time.Date(2022, 8, 2, 15, 49, 10, 0, time.Local)
+	in := []tableTest1{
+		{
+			Name:  "foo",
+			Age:   10,
+			Roles: []string{"a", "b", "c"},
+			Sub1: tableTest2{
+				Name: stringWrapper{str: "foo1"},
+				Age:  11,
+			},
+			Sub2: &tableTest2{
+				Name: stringWrapper{str: "foo2"},
+				Age:  12,
+			},
+			Sub3: tableTest3{
+				Sub: tableTest2{
+					Name: stringWrapper{str: "foo3"},
+					Age:  13,
+				},
+			},
+			Sub4: tableTest2{
+				Name: stringWrapper{str: "foo4"},
+				Age:  14,
+			},
+			Time:    someTime,
+			TimePtr: &someTime,
+		},
+		{
+			Name:  "bar",
+			Age:   20,
+			Roles: []string{"a"},
+			Sub1: tableTest2{
+				Name: stringWrapper{str: "bar1"},
+				Age:  21,
+			},
+			Sub2: nil,
+			Sub3: tableTest3{
+				Sub: tableTest2{
+					Name: stringWrapper{str: "bar3"},
+					Age:  23,
+				},
+			},
+			Sub4: tableTest2{
+				Name: stringWrapper{str: "bar4"},
+				Age:  24,
+			},
+			Time:    someTime,
+			TimePtr: nil,
+		},
+		{
+			Name:  "baz",
+			Age:   30,
+			Roles: nil,
+			Sub1: tableTest2{
+				Name: stringWrapper{str: "baz1"},
+				Age:  31,
+			},
+			Sub2: nil,
+			Sub3: tableTest3{
+				Sub: tableTest2{
+					Name: stringWrapper{str: "baz3"},
+					Age:  33,
+				},
+			},
+			Sub4: tableTest2{
+				Name: stringWrapper{str: "baz4"},
+				Age:  34,
+			},
+			Time:    someTime,
+			TimePtr: nil,
+		},
+	}
+
+	// This test tests skipping fields without table tags, recursion, pointer
+	// dereferencing, and nil pointer skipping.
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		expected := `
+NAME  AGE  ROLES    SUB 1 NAME  SUB 1 AGE  SUB 2 NAME  SUB 2 AGE  SUB 3 INNER NAME  SUB 3 INNER AGE  SUB 4       TIME             TIME PTR
+foo    10  [a b c]  foo1               11  foo2        12         foo3                           13  {foo4 14 }  Aug  2 15:49:10  Aug  2 15:49:10
+bar    20  [a]      bar1               21  <nil>       <nil>      bar3                           23  {bar4 24 }  Aug  2 15:49:10  <nil>
+baz    30  []       baz1               31  <nil>       <nil>      baz3                           33  {baz4 34 }  Aug  2 15:49:10  <nil>
+		`
+
+		// Test with non-pointer values.
+		out, err := cliui.DisplayTable(in, "", nil)
+		log.Println("rendered table:\n" + out)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+
+		// Test with pointer values.
+		inPtr := make([]*tableTest1, len(in))
+		for i, v := range in {
+			v := v
+			inPtr[i] = &v
+		}
+		out, err = cliui.DisplayTable(inPtr, "", nil)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+	})
+
+	t.Run("Sort", func(t *testing.T) {
+		t.Parallel()
+
+		expected := `
+NAME  AGE  ROLES    SUB 1 NAME  SUB 1 AGE  SUB 2 NAME  SUB 2 AGE  SUB 3 INNER NAME  SUB 3 INNER AGE  SUB 4       TIME             TIME PTR
+bar    20  [a]      bar1               21  <nil>       <nil>      bar3                           23  {bar4 24 }  Aug  2 15:49:10  <nil>
+baz    30  []       baz1               31  <nil>       <nil>      baz3                           33  {baz4 34 }  Aug  2 15:49:10  <nil>
+foo    10  [a b c]  foo1               11  foo2        12         foo3                           13  {foo4 14 }  Aug  2 15:49:10  Aug  2 15:49:10
+		`
+
+		out, err := cliui.DisplayTable(in, "name", nil)
+		log.Println("rendered table:\n" + out)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+	})
+
+	t.Run("Filter", func(t *testing.T) {
+		t.Parallel()
+
+		expected := `
+NAME  SUB 1 NAME  SUB 3 INNER NAME  TIME
+foo   foo1        foo3              Aug  2 15:49:10
+bar   bar1        bar3              Aug  2 15:49:10
+baz   baz1        baz3              Aug  2 15:49:10
+		`
+
+		out, err := cliui.DisplayTable(in, "", []string{"name", "sub_1_name", "sub_3 inner name", "time"})
+		log.Println("rendered table:\n" + out)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+	})
+
+	// This test ensures that safeties against invalid use of `table` tags
+	// causes errors (even without data).
+	t.Run("Errors", func(t *testing.T) {
+		t.Parallel()
+
+		t.Run("NotSlice", func(t *testing.T) {
+			t.Parallel()
+
+			var in string
+			_, err := cliui.DisplayTable(in, "", nil)
+			require.Error(t, err)
+		})
+
+		t.Run("BadSortColumn", func(t *testing.T) {
+			t.Parallel()
+
+			_, err := cliui.DisplayTable(in, "bad_column_does_not_exist", nil)
+			require.Error(t, err)
+		})
+
+		t.Run("BadFilterColumns", func(t *testing.T) {
+			t.Parallel()
+
+			_, err := cliui.DisplayTable(in, "", []string{"name", "bad_column_does_not_exist"})
+			require.Error(t, err)
+		})
+
+		t.Run("Interfaces", func(t *testing.T) {
+			t.Parallel()
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []any
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []any{tableTest1{}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("NotStruct", func(t *testing.T) {
+			t.Parallel()
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []string
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []string{"foo", "bar", "baz"}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("NoTableTags", func(t *testing.T) {
+			t.Parallel()
+
+			type noTableTagsTest struct {
+				Field string `json:"field"`
+			}
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []noTableTagsTest
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []noTableTagsTest{{Field: "hi"}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("InvalidTag/NoName", func(t *testing.T) {
+			t.Parallel()
+
+			type noNameTest struct {
+				Field string `table:""`
+			}
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []noNameTest
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []noNameTest{{Field: "test"}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("InvalidTag/BadSyntax", func(t *testing.T) {
+			t.Parallel()
+
+			type invalidSyntaxTest struct {
+				Field string `table:"asda,asdjada"`
+			}
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []invalidSyntaxTest
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []invalidSyntaxTest{{Field: "test"}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+	})
+}
+
+// compareTables normalizes the incoming table lines
+func compareTables(t *testing.T, expected, out string) {
+	t.Helper()
+
+	expectedLines := strings.Split(strings.TrimSpace(expected), "\n")
+	gotLines := strings.Split(strings.TrimSpace(out), "\n")
+	assert.Equal(t, len(expectedLines), len(gotLines), "expected line count does not match generated line count")
+
+	// Map the expected and got lines to normalize them.
+	expectedNormalized := make([]string, len(expectedLines))
+	gotNormalized := make([]string, len(gotLines))
+	normalizeLine := func(s string) string {
+		return strings.Join(strings.Fields(strings.TrimSpace(s)), " ")
+	}
+	for i, s := range expectedLines {
+		expectedNormalized[i] = normalizeLine(s)
+	}
+	for i, s := range gotLines {
+		gotNormalized[i] = normalizeLine(s)
+	}
+
+	require.Equal(t, expectedNormalized, gotNormalized, "expected lines to match generated lines")
+}

cli/config/file.go

@@ -1,7 +1,7 @@
 package config
 
 import (
-	"io/ioutil"
+	"io"
 	"os"
 	"path/filepath"
 )
@@ -21,6 +21,22 @@ func (r Root) Organization() File {
 	return File(filepath.Join(string(r), "organization"))
 }
 
+func (r Root) DotfilesURL() File {
+	return File(filepath.Join(string(r), "dotfilesurl"))
+}
+
+func (r Root) PostgresPath() string {
+	return filepath.Join(string(r), "postgres")
+}
+
+func (r Root) PostgresPassword() File {
+	return File(filepath.Join(r.PostgresPath(), "password"))
+}
+
+func (r Root) PostgresPort() File {
+	return File(filepath.Join(r.PostgresPath(), "port"))
+}
+
 // File provides convenience methods for interacting with *os.File.
 type File string
 
@@ -67,5 +83,5 @@ func read(path string) ([]byte, error) {
 		return nil, err
 	}
 	defer fi.Close()
-	return ioutil.ReadAll(fi)
+	return io.ReadAll(fi)
 }

cli/configssh.go

@@ -0,0 +1,551 @@
+package cli
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"runtime"
+	"sort"
+	"strings"
+
+	"github.com/cli/safeexec"
+	"github.com/pkg/diff"
+	"github.com/pkg/diff/write"
+	"github.com/spf13/cobra"
+	"golang.org/x/exp/slices"
+	"golang.org/x/sync/errgroup"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliflag"
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/codersdk"
+)
+
+const (
+	sshDefaultConfigFileName = "~/.ssh/config"
+	sshStartToken            = "# ------------START-CODER-----------"
+	sshEndToken              = "# ------------END-CODER------------"
+	sshConfigSectionHeader   = "# This section is managed by coder. DO NOT EDIT."
+	sshConfigDocsHeader      = `
+#
+# You should not hand-edit this section unless you are removing it, all
+# changes will be lost when running "coder config-ssh".
+`
+	sshConfigOptionsHeader = `#
+# Last config-ssh options:
+`
+)
+
+// sshConfigOptions represents options that can be stored and read
+// from the coder config in ~/.ssh/coder.
+type sshConfigOptions struct {
+	sshOptions []string
+}
+
+func (o sshConfigOptions) equal(other sshConfigOptions) bool {
+	// Compare without side-effects or regard to order.
+	opt1 := slices.Clone(o.sshOptions)
+	sort.Strings(opt1)
+	opt2 := slices.Clone(other.sshOptions)
+	sort.Strings(opt2)
+	return slices.Equal(opt1, opt2)
+}
+
+func (o sshConfigOptions) asList() (list []string) {
+	for _, opt := range o.sshOptions {
+		list = append(list, fmt.Sprintf("ssh-option: %s", opt))
+	}
+	return list
+}
+
+type sshWorkspaceConfig struct {
+	Name  string
+	Hosts []string
+}
+
+func sshFetchWorkspaceConfigs(ctx context.Context, client *codersdk.Client) ([]sshWorkspaceConfig, error) {
+	workspaces, err := client.Workspaces(ctx, codersdk.WorkspaceFilter{
+		Owner: codersdk.Me,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var errGroup errgroup.Group
+	workspaceConfigs := make([]sshWorkspaceConfig, len(workspaces))
+	for i, workspace := range workspaces {
+		i := i
+		workspace := workspace
+		errGroup.Go(func() error {
+			resources, err := client.TemplateVersionResources(ctx, workspace.LatestBuild.TemplateVersionID)
+			if err != nil {
+				return err
+			}
+
+			wc := sshWorkspaceConfig{Name: workspace.Name}
+			var agents []codersdk.WorkspaceAgent
+			for _, resource := range resources {
+				if resource.Transition != codersdk.WorkspaceTransitionStart {
+					continue
+				}
+				agents = append(agents, resource.Agents...)
+			}
+
+			// handle both WORKSPACE and WORKSPACE.AGENT syntax
+			if len(agents) == 1 {
+				wc.Hosts = append(wc.Hosts, workspace.Name)
+			}
+			for _, agent := range agents {
+				hostname := workspace.Name + "." + agent.Name
+				wc.Hosts = append(wc.Hosts, hostname)
+			}
+
+			workspaceConfigs[i] = wc
+
+			return nil
+		})
+	}
+	err = errGroup.Wait()
+	if err != nil {
+		return nil, err
+	}
+
+	return workspaceConfigs, nil
+}
+
+func sshPrepareWorkspaceConfigs(ctx context.Context, client *codersdk.Client) (receive func() ([]sshWorkspaceConfig, error)) {
+	wcC := make(chan []sshWorkspaceConfig, 1)
+	errC := make(chan error, 1)
+	go func() {
+		wc, err := sshFetchWorkspaceConfigs(ctx, client)
+		wcC <- wc
+		errC <- err
+	}()
+	return func() ([]sshWorkspaceConfig, error) {
+		return <-wcC, <-errC
+	}
+}
+
+func configSSH() *cobra.Command {
+	var (
+		sshConfigFile    string
+		sshConfigOpts    sshConfigOptions
+		usePreviousOpts  bool
+		dryRun           bool
+		skipProxyCommand bool
+		wireguard        bool
+	)
+	cmd := &cobra.Command{
+		Annotations: workspaceCommand,
+		Use:         "config-ssh",
+		Short:       "Populate your SSH config with Host entries for all of your workspaces",
+		Example: formatExamples(
+			example{
+				Description: "You can use -o (or --ssh-option) so set SSH options to be used for all your workspaces",
+				Command:     "coder config-ssh -o ForwardAgent=yes",
+			},
+			example{
+				Description: "You can use --dry-run (or -n) to see the changes that would be made",
+				Command:     "coder config-ssh --dry-run",
+			},
+		),
+		Args: cobra.ExactArgs(0),
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+
+			recvWorkspaceConfigs := sshPrepareWorkspaceConfigs(cmd.Context(), client)
+
+			out := cmd.OutOrStdout()
+			if dryRun {
+				// Print everything except diff to stderr so
+				// that it's possible to capture the diff.
+				out = cmd.OutOrStderr()
+			}
+			binaryFile, err := currentBinPath(out)
+			if err != nil {
+				return err
+			}
+
+			homedir, err := os.UserHomeDir()
+			if err != nil {
+				return xerrors.Errorf("user home dir failed: %w", err)
+			}
+
+			if strings.HasPrefix(sshConfigFile, "~/") {
+				sshConfigFile = filepath.Join(homedir, sshConfigFile[2:])
+			}
+
+			// Only allow not-exist errors to avoid trashing
+			// the users SSH config.
+			configRaw, err := os.ReadFile(sshConfigFile)
+			if err != nil && !errors.Is(err, fs.ErrNotExist) {
+				return xerrors.Errorf("read ssh config failed: %w", err)
+			}
+
+			// Keep track of changes we are making.
+			var changes []string
+
+			// Parse the previous configuration only if config-ssh
+			// has been run previously.
+			var lastConfig *sshConfigOptions
+			if section, ok := sshConfigGetCoderSection(configRaw); ok {
+				c := sshConfigParseLastOptions(bytes.NewReader(section))
+				lastConfig = &c
+			}
+
+			// Avoid prompting in diff mode (unexpected behavior)
+			// or when a previous config does not exist.
+			if usePreviousOpts && lastConfig != nil {
+				sshConfigOpts = *lastConfig
+			} else if lastConfig != nil && !sshConfigOpts.equal(*lastConfig) {
+				newOpts := sshConfigOpts.asList()
+				newOptsMsg := "\n\n  New options: none"
+				if len(newOpts) > 0 {
+					newOptsMsg = fmt.Sprintf("\n\n  New options:\n    * %s", strings.Join(newOpts, "\n    * "))
+				}
+				oldOpts := lastConfig.asList()
+				oldOptsMsg := "\n\n  Previous options: none"
+				if len(oldOpts) > 0 {
+					oldOptsMsg = fmt.Sprintf("\n\n  Previous options:\n    * %s", strings.Join(oldOpts, "\n    * "))
+				}
+
+				line, err := cliui.Prompt(cmd, cliui.PromptOptions{
+					Text:      fmt.Sprintf("New options differ from previous options:%s%s\n\n  Use new options?", newOptsMsg, oldOptsMsg),
+					IsConfirm: true,
+				})
+				if err != nil {
+					if line == "" && xerrors.Is(err, cliui.Canceled) {
+						return nil
+					}
+					// Selecting "no" will use the last config.
+					sshConfigOpts = *lastConfig
+				} else {
+					changes = append(changes, "Use new SSH options")
+				}
+				// Only print when prompts are shown.
+				if yes, _ := cmd.Flags().GetBool("yes"); !yes {
+					_, _ = fmt.Fprint(out, "\n")
+				}
+			}
+
+			configModified := configRaw
+			root := createConfig(cmd)
+
+			buf := &bytes.Buffer{}
+			before, after := sshConfigSplitOnCoderSection(configModified)
+			// Write the first half of the users config file to buf.
+			_, _ = buf.Write(before)
+
+			// Write comment and store the provided options as part
+			// of the config for future (re)use.
+			newline := len(before) > 0
+			sshConfigWriteSectionHeader(buf, newline, sshConfigOpts)
+
+			workspaceConfigs, err := recvWorkspaceConfigs()
+			if err != nil {
+				return xerrors.Errorf("fetch workspace configs failed: %w", err)
+			}
+			// Ensure stable sorting of output.
+			slices.SortFunc(workspaceConfigs, func(a, b sshWorkspaceConfig) bool {
+				return a.Name < b.Name
+			})
+			for _, wc := range workspaceConfigs {
+				sort.Strings(wc.Hosts)
+				// Write agent configuration.
+				for _, hostname := range wc.Hosts {
+					configOptions := []string{
+						"Host coder." + hostname,
+					}
+					for _, option := range sshConfigOpts.sshOptions {
+						configOptions = append(configOptions, "\t"+option)
+					}
+					configOptions = append(configOptions,
+						"\tHostName coder."+hostname,
+						"\tConnectTimeout=0",
+						"\tStrictHostKeyChecking=no",
+						// Without this, the "REMOTE HOST IDENTITY CHANGED"
+						// message will appear.
+						"\tUserKnownHostsFile=/dev/null",
+						// This disables the "Warning: Permanently added 'hostname' (RSA) to the list of known hosts."
+						// message from appearing on every SSH. This happens because we ignore the known hosts.
+						"\tLogLevel ERROR",
+					)
+					if !skipProxyCommand {
+						if !wireguard {
+							configOptions = append(configOptions, fmt.Sprintf("\tProxyCommand %q --global-config %q ssh --stdio %s", binaryFile, root, hostname))
+						} else {
+							configOptions = append(configOptions, fmt.Sprintf("\tProxyCommand %q --global-config %q ssh --wireguard --stdio %s", binaryFile, root, hostname))
+						}
+					}
+
+					_, _ = buf.WriteString(strings.Join(configOptions, "\n"))
+					_ = buf.WriteByte('\n')
+				}
+			}
+
+			sshConfigWriteSectionEnd(buf)
+
+			// Write the remainder of the users config file to buf.
+			_, _ = buf.Write(after)
+
+			if !bytes.Equal(configModified, buf.Bytes()) {
+				changes = append(changes, fmt.Sprintf("Update the coder section in %s", sshConfigFile))
+				configModified = buf.Bytes()
+			}
+
+			if len(changes) == 0 {
+				_, _ = fmt.Fprintf(out, "No changes to make.\n")
+				return nil
+			}
+
+			if dryRun {
+				_, _ = fmt.Fprintf(out, "Dry run, the following changes would be made to your SSH configuration:\n\n  * %s\n\n", strings.Join(changes, "\n  * "))
+
+				color := isTTYOut(cmd)
+				diff, err := diffBytes(sshConfigFile, configRaw, configModified, color)
+				if err != nil {
+					return xerrors.Errorf("diff failed: %w", err)
+				}
+				if len(diff) > 0 {
+					// Write diff to stdout.
+					_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s", diff)
+				}
+
+				return nil
+			}
+
+			if len(changes) > 0 {
+				_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+					Text:      fmt.Sprintf("The following changes will be made to your SSH configuration:\n\n    * %s\n\n  Continue?", strings.Join(changes, "\n    * ")),
+					IsConfirm: true,
+				})
+				if err != nil {
+					return nil
+				}
+				// Only print when prompts are shown.
+				if yes, _ := cmd.Flags().GetBool("yes"); !yes {
+					_, _ = fmt.Fprint(out, "\n")
+				}
+			}
+
+			if !bytes.Equal(configRaw, configModified) {
+				err = writeWithTempFileAndMove(sshConfigFile, bytes.NewReader(configModified))
+				if err != nil {
+					return xerrors.Errorf("write ssh config failed: %w", err)
+				}
+			}
+
+			if len(workspaceConfigs) > 0 {
+				_, _ = fmt.Fprintln(out, "You should now be able to ssh into your workspace.")
+				_, _ = fmt.Fprintf(out, "For example, try running:\n\n\t$ ssh coder.%s\n", workspaceConfigs[0].Name)
+			} else {
+				_, _ = fmt.Fprint(out, "You don't have any workspaces yet, try creating one with:\n\n\t$ coder create <workspace>\n")
+			}
+			return nil
+		},
+	}
+	cliflag.StringVarP(cmd.Flags(), &sshConfigFile, "ssh-config-file", "", "CODER_SSH_CONFIG_FILE", sshDefaultConfigFileName, "Specifies the path to an SSH config.")
+	cmd.Flags().StringArrayVarP(&sshConfigOpts.sshOptions, "ssh-option", "o", []string{}, "Specifies additional SSH options to embed in each host stanza.")
+	cmd.Flags().BoolVarP(&dryRun, "dry-run", "n", false, "Perform a trial run with no changes made, showing a diff at the end.")
+	cmd.Flags().BoolVarP(&skipProxyCommand, "skip-proxy-command", "", false, "Specifies whether the ProxyCommand option should be skipped. Useful for testing.")
+	_ = cmd.Flags().MarkHidden("skip-proxy-command")
+	cliflag.BoolVarP(cmd.Flags(), &usePreviousOpts, "use-previous-options", "", "CODER_SSH_USE_PREVIOUS_OPTIONS", false, "Specifies whether or not to keep options from previous run of config-ssh.")
+	cliflag.BoolVarP(cmd.Flags(), &wireguard, "wireguard", "", "CODER_CONFIG_SSH_WIREGUARD", false, "Whether to use Wireguard for SSH tunneling.")
+	_ = cmd.Flags().MarkHidden("wireguard")
+
+	cliui.AllowSkipPrompt(cmd)
+
+	return cmd
+}
+
+//nolint:revive
+func sshConfigWriteSectionHeader(w io.Writer, addNewline bool, o sshConfigOptions) {
+	nl := "\n"
+	if !addNewline {
+		nl = ""
+	}
+	_, _ = fmt.Fprint(w, nl+sshStartToken+"\n")
+	_, _ = fmt.Fprint(w, sshConfigSectionHeader)
+	_, _ = fmt.Fprint(w, sshConfigDocsHeader)
+	if len(o.sshOptions) > 0 {
+		_, _ = fmt.Fprint(w, sshConfigOptionsHeader)
+		for _, opt := range o.sshOptions {
+			_, _ = fmt.Fprintf(w, "# :%s=%s\n", "ssh-option", opt)
+		}
+	}
+	_, _ = fmt.Fprint(w, "#\n")
+}
+
+func sshConfigWriteSectionEnd(w io.Writer) {
+	_, _ = fmt.Fprint(w, sshEndToken+"\n")
+}
+
+func sshConfigParseLastOptions(r io.Reader) (o sshConfigOptions) {
+	s := bufio.NewScanner(r)
+	for s.Scan() {
+		line := s.Text()
+		if strings.HasPrefix(line, "# :") {
+			line = strings.TrimPrefix(line, "# :")
+			parts := strings.SplitN(line, "=", 2)
+			switch parts[0] {
+			case "ssh-option":
+				o.sshOptions = append(o.sshOptions, parts[1])
+			default:
+				// Unknown option, ignore.
+			}
+		}
+	}
+	if err := s.Err(); err != nil {
+		panic(err)
+	}
+
+	return o
+}
+
+func sshConfigGetCoderSection(data []byte) (section []byte, ok bool) {
+	startIndex := bytes.Index(data, []byte(sshStartToken))
+	endIndex := bytes.Index(data, []byte(sshEndToken))
+	if startIndex != -1 && endIndex != -1 {
+		return data[startIndex : endIndex+len(sshEndToken)], true
+	}
+	return nil, false
+}
+
+// sshConfigSplitOnCoderSection splits the SSH config into two sections,
+// before contains the lines before sshStartToken and after contains the
+// lines after sshEndToken.
+func sshConfigSplitOnCoderSection(data []byte) (before, after []byte) {
+	startIndex := bytes.Index(data, []byte(sshStartToken))
+	endIndex := bytes.Index(data, []byte(sshEndToken))
+	if startIndex != -1 && endIndex != -1 {
+		// We use -1 and +1 here to also include the preceding
+		// and trailing newline, where applicable.
+		start := startIndex
+		if start > 0 {
+			start--
+		}
+		end := endIndex + len(sshEndToken)
+		if end < len(data) {
+			end++
+		}
+		return data[:start], data[end:]
+	}
+
+	return data, nil
+}
+
+// writeWithTempFileAndMove writes to a temporary file in the same
+// directory as path and renames the temp file to the file provided in
+// path. This ensure we avoid trashing the file we are writing due to
+// unforeseen circumstance like filesystem full, command killed, etc.
+func writeWithTempFileAndMove(path string, r io.Reader) (err error) {
+	dir := filepath.Dir(path)
+	name := filepath.Base(path)
+
+	// Create a tempfile in the same directory for ensuring write
+	// operation does not fail.
+	f, err := os.CreateTemp(dir, fmt.Sprintf(".%s.", name))
+	if err != nil {
+		return xerrors.Errorf("create temp file failed: %w", err)
+	}
+	defer func() {
+		if err != nil {
+			_ = os.Remove(f.Name()) // Cleanup in case a step failed.
+		}
+	}()
+
+	_, err = io.Copy(f, r)
+	if err != nil {
+		_ = f.Close()
+		return xerrors.Errorf("write temp file failed: %w", err)
+	}
+
+	err = f.Close()
+	if err != nil {
+		return xerrors.Errorf("close temp file failed: %w", err)
+	}
+
+	err = os.Rename(f.Name(), path)
+	if err != nil {
+		return xerrors.Errorf("rename temp file failed: %w", err)
+	}
+
+	return nil
+}
+
+// currentBinPath returns the path to the coder binary suitable for use in ssh
+// ProxyCommand.
+func currentBinPath(w io.Writer) (string, error) {
+	exePath, err := os.Executable()
+	if err != nil {
+		return "", xerrors.Errorf("get executable path: %w", err)
+	}
+
+	binName := filepath.Base(exePath)
+	// We use safeexec instead of os/exec because os/exec returns paths in
+	// the current working directory, which we will run into very often when
+	// looking for our own path.
+	pathPath, err := safeexec.LookPath(binName)
+	// On Windows, the coder-cli executable must be in $PATH for both Msys2/Git
+	// Bash and OpenSSH for Windows (used by Powershell and VS Code) to function
+	// correctly. Check if the current executable is in $PATH, and warn the user
+	// if it isn't.
+	if err != nil && runtime.GOOS == "windows" {
+		cliui.Warn(w,
+			"The current executable is not in $PATH.",
+			"This may lead to problems connecting to your workspace via SSH.",
+			fmt.Sprintf("Please move %q to a location in your $PATH (such as System32) and run `%s config-ssh` again.", binName, binName),
+		)
+		_, _ = fmt.Fprint(w, "\n")
+		// Return the exePath so SSH at least works outside of Msys2.
+		return exePath, nil
+	}
+
+	// Warn the user if the current executable is not the same as the one in
+	// $PATH.
+	if filepath.Clean(pathPath) != filepath.Clean(exePath) {
+		cliui.Warn(w,
+			"The current executable path does not match the executable path found in $PATH.",
+			"This may cause issues connecting to your workspace via SSH.",
+			fmt.Sprintf("\tCurrent executable path: %q", exePath),
+			fmt.Sprintf("\tExecutable path in $PATH: %q", pathPath),
+		)
+		_, _ = fmt.Fprint(w, "\n")
+	}
+
+	return exePath, nil
+}
+
+// diffBytes takes two byte slices and diffs them as if they were in a
+// file named name.
+// nolint: revive // Color is an option, not a control coupling.
+func diffBytes(name string, b1, b2 []byte, color bool) ([]byte, error) {
+	var buf bytes.Buffer
+	var opts []write.Option
+	if color {
+		opts = append(opts, write.TerminalColor())
+	}
+	err := diff.Text(name, name, b1, b2, &buf, opts...)
+	if err != nil {
+		return nil, err
+	}
+	b := buf.Bytes()
+	// Check if diff only output two lines, if yes, there's no diff.
+	//
+	// Example:
+	// 	--- /home/user/.ssh/config
+	// 	+++ /home/user/.ssh/config
+	if bytes.Count(b, []byte{'\n'}) == 2 {
+		b = nil
+	}
+	return b, nil
+}

cli/configssh_test.go

@@ -0,0 +1,717 @@
+package cli_test
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"cdr.dev/slog/sloggers/slogtest"
+
+	"github.com/coder/coder/agent"
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/provisioner/echo"
+	"github.com/coder/coder/provisionersdk/proto"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+func sshConfigFileName(t *testing.T) (sshConfig string) {
+	t.Helper()
+	tmpdir := t.TempDir()
+	dotssh := filepath.Join(tmpdir, ".ssh")
+	err := os.Mkdir(dotssh, 0o700)
+	require.NoError(t, err)
+	n := filepath.Join(dotssh, "config")
+	return n
+}
+
+func sshConfigFileCreate(t *testing.T, name string, data io.Reader) {
+	t.Helper()
+	t.Logf("Writing %s", name)
+	f, err := os.Create(name)
+	require.NoError(t, err)
+	n, err := io.Copy(f, data)
+	t.Logf("Wrote %d", n)
+	require.NoError(t, err)
+	err = f.Close()
+	require.NoError(t, err)
+}
+
+func sshConfigFileRead(t *testing.T, name string) string {
+	t.Helper()
+	b, err := os.ReadFile(name)
+	require.NoError(t, err)
+	return string(b)
+}
+
+func TestConfigSSH(t *testing.T) {
+	t.Parallel()
+
+	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+	user := coderdtest.CreateFirstUser(t, client)
+	authToken := uuid.NewString()
+	version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+		Parse: echo.ParseComplete,
+		ProvisionDryRun: []*proto.Provision_Response{{
+			Type: &proto.Provision_Response_Complete{
+				Complete: &proto.Provision_Complete{
+					Resources: []*proto.Resource{{
+						Name: "example",
+						Type: "aws_instance",
+						Agents: []*proto.Agent{{
+							Id:   uuid.NewString(),
+							Name: "example",
+						}},
+					}},
+				},
+			},
+		}},
+		Provision: []*proto.Provision_Response{{
+			Type: &proto.Provision_Response_Complete{
+				Complete: &proto.Provision_Complete{
+					Resources: []*proto.Resource{{
+						Name: "example",
+						Type: "aws_instance",
+						Agents: []*proto.Agent{{
+							Id:   uuid.NewString(),
+							Name: "example",
+							Auth: &proto.Agent_Token{
+								Token: authToken,
+							},
+						}},
+					}},
+				},
+			},
+		}},
+	})
+	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+	template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+	workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+	coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+	agentClient := codersdk.New(client.URL)
+	agentClient.SessionToken = authToken
+	agentCloser := agent.New(agentClient.ListenWorkspaceAgent, &agent.Options{
+		Logger: slogtest.Make(t, nil),
+	})
+	defer func() {
+		_ = agentCloser.Close()
+	}()
+	resources := coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
+	agentConn, err := client.DialWorkspaceAgent(context.Background(), resources[0].Agents[0].ID, nil)
+	require.NoError(t, err)
+	defer agentConn.Close()
+
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer func() {
+		_ = listener.Close()
+	}()
+	go func() {
+		for {
+			conn, err := listener.Accept()
+			if err != nil {
+				return
+			}
+			ssh, err := agentConn.SSH()
+			assert.NoError(t, err)
+			go io.Copy(conn, ssh)
+			go io.Copy(ssh, conn)
+		}
+	}()
+
+	sshConfigFile := sshConfigFileName(t)
+
+	tcpAddr, valid := listener.Addr().(*net.TCPAddr)
+	require.True(t, valid)
+	cmd, root := clitest.New(t, "config-ssh",
+		"--ssh-option", "HostName "+tcpAddr.IP.String(),
+		"--ssh-option", "Port "+strconv.Itoa(tcpAddr.Port),
+		"--ssh-config-file", sshConfigFile,
+		"--skip-proxy-command")
+	clitest.SetupConfig(t, client, root)
+	doneChan := make(chan struct{})
+	pty := ptytest.New(t)
+	cmd.SetIn(pty.Input())
+	cmd.SetOut(pty.Output())
+	go func() {
+		defer close(doneChan)
+		err := cmd.Execute()
+		assert.NoError(t, err)
+	}()
+
+	matches := []struct {
+		match, write string
+	}{
+		{match: "Continue?", write: "yes"},
+	}
+	for _, m := range matches {
+		pty.ExpectMatch(m.match)
+		pty.WriteLine(m.write)
+	}
+
+	<-doneChan
+
+	home := filepath.Dir(filepath.Dir(sshConfigFile))
+	// #nosec
+	sshCmd := exec.Command("ssh", "-F", sshConfigFile, "coder."+workspace.Name, "echo", "test")
+	pty = ptytest.New(t)
+	// Set HOME because coder config is included from ~/.ssh/coder.
+	sshCmd.Env = append(sshCmd.Env, fmt.Sprintf("HOME=%s", home))
+	sshCmd.Stderr = pty.Output()
+	data, err := sshCmd.Output()
+	require.NoError(t, err)
+	require.Equal(t, "test", strings.TrimSpace(string(data)))
+}
+
+func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
+	t.Parallel()
+
+	headerStart := strings.Join([]string{
+		"# ------------START-CODER-----------",
+		"# This section is managed by coder. DO NOT EDIT.",
+		"#",
+		"# You should not hand-edit this section unless you are removing it, all",
+		"# changes will be lost when running \"coder config-ssh\".",
+		"#",
+	}, "\n")
+	headerEnd := "# ------------END-CODER------------"
+	baseHeader := strings.Join([]string{
+		headerStart,
+		headerEnd,
+	}, "\n")
+
+	type writeConfig struct {
+		ssh string
+	}
+	type wantConfig struct {
+		ssh string
+	}
+	type match struct {
+		match, write string
+	}
+	tests := []struct {
+		name        string
+		args        []string
+		matches     []match
+		writeConfig writeConfig
+		wantConfig  wantConfig
+		wantErr     bool
+	}{
+		{
+			name: "Config file is created",
+			matches: []match{
+				{match: "Continue?", write: "yes"},
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+		},
+		{
+			name: "Section is written after user content",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			matches: []match{
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "Section is not moved on re-run",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+					"",
+					baseHeader,
+					"",
+					"Host otherhost",
+					"	HostName otherhost",
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+					"",
+					baseHeader,
+					"",
+					"Host otherhost",
+					"	HostName otherhost",
+					"",
+				}, "\n"),
+			},
+		},
+		{
+			name: "Section is not moved on re-run with new options",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+					"",
+					baseHeader,
+					"",
+					"Host otherhost",
+					"	HostName otherhost",
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+					"",
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+					"Host otherhost",
+					"	HostName otherhost",
+					"",
+				}, "\n"),
+			},
+			args: []string{
+				"--ssh-option", "ForwardAgent=yes",
+			},
+			matches: []match{
+				{match: "Use new options?", write: "yes"},
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "Adds newline at EOF",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			matches: []match{
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "Do not prompt for new options on first run",
+			writeConfig: writeConfig{
+				ssh: "",
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			args: []string{"--ssh-option", "ForwardAgent=yes"},
+			matches: []match{
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "Prompt for new options when there are no previous options",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			args: []string{"--ssh-option", "ForwardAgent=yes"},
+			matches: []match{
+				{match: "Use new options?", write: "yes"},
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "Prompt for new options when there are previous options",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			matches: []match{
+				{match: "Use new options?", write: "yes"},
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "No prompt on no changes",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			args: []string{"--ssh-option", "ForwardAgent=yes"},
+		},
+		{
+			name: "No changes when continue = no",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			args: []string{"--ssh-option", "ForwardAgent=no"},
+			matches: []match{
+				{match: "Use new options?", write: "yes"},
+				{match: "Continue?", write: "no"},
+			},
+		},
+		{
+			name: "Do not prompt when using --yes",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					// Last options overwritten.
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			args: []string{"--yes"},
+		},
+		{
+			name: "Do not prompt for new options when prev opts flag is set",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			args: []string{
+				"--use-previous-options",
+				"--yes",
+			},
+		},
+		{
+			name: "Do not overwrite config when using --dry-run",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			args: []string{
+				"--ssh-option", "ForwardAgent=yes",
+				"--dry-run",
+				"--yes",
+			},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			var (
+				client    = coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+				user      = coderdtest.CreateFirstUser(t, client)
+				version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+				_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+				project   = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+				workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, project.ID)
+				_         = coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+			)
+
+			// Prepare ssh config files.
+			sshConfigName := sshConfigFileName(t)
+			if tt.writeConfig.ssh != "" {
+				sshConfigFileCreate(t, sshConfigName, strings.NewReader(tt.writeConfig.ssh))
+			}
+
+			args := []string{
+				"config-ssh",
+				"--ssh-config-file", sshConfigName,
+			}
+			args = append(args, tt.args...)
+			cmd, root := clitest.New(t, args...)
+			clitest.SetupConfig(t, client, root)
+
+			pty := ptytest.New(t)
+			cmd.SetIn(pty.Input())
+			cmd.SetOut(pty.Output())
+			done := tGo(t, func() {
+				err := cmd.Execute()
+				if !tt.wantErr {
+					assert.NoError(t, err)
+				} else {
+					assert.Error(t, err)
+				}
+			})
+
+			for _, m := range tt.matches {
+				pty.ExpectMatch(m.match)
+				pty.WriteLine(m.write)
+			}
+
+			<-done
+
+			if tt.wantConfig.ssh != "" {
+				got := sshConfigFileRead(t, sshConfigName)
+				assert.Equal(t, tt.wantConfig.ssh, got)
+			}
+		})
+	}
+}
+
+func TestConfigSSH_Hostnames(t *testing.T) {
+	t.Parallel()
+
+	type resourceSpec struct {
+		name   string
+		agents []string
+	}
+	tests := []struct {
+		name      string
+		resources []resourceSpec
+		expected  []string
+	}{
+		{
+			name: "one resource with one agent",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1"}},
+			},
+			expected: []string{"coder.@", "coder.@.agent1"},
+		},
+		{
+			name: "one resource with two agents",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1", "agent2"}},
+			},
+			expected: []string{"coder.@.agent1", "coder.@.agent2"},
+		},
+		{
+			name: "two resources with one agent",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1"}},
+				{name: "bar"},
+			},
+			expected: []string{"coder.@", "coder.@.agent1"},
+		},
+		{
+			name: "two resources with two agents",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1"}},
+				{name: "bar", agents: []string{"agent2"}},
+			},
+			expected: []string{"coder.@.agent1", "coder.@.agent2"},
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			var resources []*proto.Resource
+			for _, resourceSpec := range tt.resources {
+				resource := &proto.Resource{
+					Name: resourceSpec.name,
+					Type: "aws_instance",
+				}
+				for _, agentName := range resourceSpec.agents {
+					resource.Agents = append(resource.Agents, &proto.Agent{
+						Id:   uuid.NewString(),
+						Name: agentName,
+					})
+				}
+				resources = append(resources, resource)
+			}
+
+			provisionResponse := []*proto.Provision_Response{{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Resources: resources,
+					},
+				},
+			}}
+
+			client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+			user := coderdtest.CreateFirstUser(t, client)
+			// authToken := uuid.NewString()
+			version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+				Parse:           echo.ParseComplete,
+				ProvisionDryRun: provisionResponse,
+				Provision:       provisionResponse,
+			})
+			coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+			template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+			workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+			coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+			sshConfigFile := sshConfigFileName(t)
+
+			cmd, root := clitest.New(t, "config-ssh", "--ssh-config-file", sshConfigFile)
+			clitest.SetupConfig(t, client, root)
+			doneChan := make(chan struct{})
+			pty := ptytest.New(t)
+			cmd.SetIn(pty.Input())
+			cmd.SetOut(pty.Output())
+			go func() {
+				defer close(doneChan)
+				err := cmd.Execute()
+				assert.NoError(t, err)
+			}()
+
+			matches := []struct {
+				match, write string
+			}{
+				{match: "Continue?", write: "yes"},
+			}
+			for _, m := range matches {
+				pty.ExpectMatch(m.match)
+				pty.WriteLine(m.write)
+			}
+
+			<-doneChan
+
+			var expectedHosts []string
+			for _, hostnamePattern := range tt.expected {
+				hostname := strings.ReplaceAll(hostnamePattern, "@", workspace.Name)
+				expectedHosts = append(expectedHosts, hostname)
+			}
+
+			hosts := sshConfigFileParseHosts(t, sshConfigFile)
+			require.ElementsMatch(t, expectedHosts, hosts)
+		})
+	}
+}
+
+// sshConfigFileParseHosts reads a file in the format of .ssh/config and extracts
+// the hostnames that are listed in "Host" directives.
+func sshConfigFileParseHosts(t *testing.T, name string) []string {
+	t.Helper()
+	b, err := os.ReadFile(name)
+	require.NoError(t, err)
+
+	var result []string
+	lineScanner := bufio.NewScanner(bytes.NewBuffer(b))
+	for lineScanner.Scan() {
+		line := lineScanner.Text()
+		line = strings.TrimSpace(line)
+
+		tokenScanner := bufio.NewScanner(bytes.NewBufferString(line))
+		tokenScanner.Split(bufio.ScanWords)
+		ok := tokenScanner.Scan()
+		if ok && tokenScanner.Text() == "Host" {
+			for tokenScanner.Scan() {
+				result = append(result, tokenScanner.Text())
+			}
+		}
+	}
+
+	return result
+}

cli/constants.go

@@ -0,0 +1,6 @@
+package cli
+
+const (
+	timeFormat = "3:04PM MST"
+	dateFormat = "Jan 2, 2006"
+)

cli/create.go

@@ -0,0 +1,284 @@
+package cli
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/exp/slices"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliflag"
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/coderd/util/ptr"
+	"github.com/coder/coder/codersdk"
+)
+
+func create() *cobra.Command {
+	var (
+		parameterFile string
+		templateName  string
+		startAt       string
+		stopAfter     time.Duration
+		workspaceName string
+	)
+	cmd := &cobra.Command{
+		Annotations: workspaceCommand,
+		Use:         "create [name]",
+		Short:       "Create a workspace from a template",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+
+			organization, err := currentOrganization(cmd, client)
+			if err != nil {
+				return err
+			}
+
+			if len(args) >= 1 {
+				workspaceName = args[0]
+			}
+
+			if workspaceName == "" {
+				workspaceName, err = cliui.Prompt(cmd, cliui.PromptOptions{
+					Text: "Specify a name for your workspace:",
+					Validate: func(workspaceName string) error {
+						_, err = client.WorkspaceByOwnerAndName(cmd.Context(), codersdk.Me, workspaceName, codersdk.WorkspaceOptions{})
+						if err == nil {
+							return xerrors.Errorf("A workspace already exists named %q!", workspaceName)
+						}
+						return nil
+					},
+				})
+				if err != nil {
+					return err
+				}
+			}
+
+			_, err = client.WorkspaceByOwnerAndName(cmd.Context(), codersdk.Me, workspaceName, codersdk.WorkspaceOptions{})
+			if err == nil {
+				return xerrors.Errorf("A workspace already exists named %q!", workspaceName)
+			}
+
+			var template codersdk.Template
+			if templateName == "" {
+				_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Wrap.Render("Select a template below to preview the provisioned infrastructure:"))
+
+				templates, err := client.TemplatesByOrganization(cmd.Context(), organization.ID)
+				if err != nil {
+					return err
+				}
+
+				slices.SortFunc(templates, func(a, b codersdk.Template) bool {
+					return a.WorkspaceOwnerCount > b.WorkspaceOwnerCount
+				})
+
+				templateNames := make([]string, 0, len(templates))
+				templateByName := make(map[string]codersdk.Template, len(templates))
+
+				for _, template := range templates {
+					templateName := template.Name
+
+					if template.WorkspaceOwnerCount > 0 {
+						developerText := "developer"
+						if template.WorkspaceOwnerCount != 1 {
+							developerText = "developers"
+						}
+
+						templateName += cliui.Styles.Placeholder.Render(fmt.Sprintf(" (used by %d %s)", template.WorkspaceOwnerCount, developerText))
+					}
+
+					templateNames = append(templateNames, templateName)
+					templateByName[templateName] = template
+				}
+
+				// Move the cursor up a single line for nicer display!
+				option, err := cliui.Select(cmd, cliui.SelectOptions{
+					Options:    templateNames,
+					HideSearch: true,
+				})
+				if err != nil {
+					return err
+				}
+
+				template = templateByName[option]
+			} else {
+				template, err = client.TemplateByName(cmd.Context(), organization.ID, templateName)
+				if err != nil {
+					return xerrors.Errorf("get template by name: %w", err)
+				}
+			}
+
+			var schedSpec *string
+			if startAt != "" {
+				sched, err := parseCLISchedule(startAt)
+				if err != nil {
+					return err
+				}
+				schedSpec = ptr.Ref(sched.String())
+			}
+
+			parameters, err := prepWorkspaceBuild(cmd, client, prepWorkspaceBuildArgs{
+				Template:         template,
+				ExistingParams:   []codersdk.Parameter{},
+				ParameterFile:    parameterFile,
+				NewWorkspaceName: workspaceName,
+			})
+			if err != nil {
+				return err
+			}
+
+			_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:      "Confirm create?",
+				IsConfirm: true,
+			})
+			if err != nil {
+				return err
+			}
+
+			after := time.Now()
+			workspace, err := client.CreateWorkspace(cmd.Context(), organization.ID, codersdk.CreateWorkspaceRequest{
+				TemplateID:        template.ID,
+				Name:              workspaceName,
+				AutostartSchedule: schedSpec,
+				TTLMillis:         ptr.Ref(stopAfter.Milliseconds()),
+				ParameterValues:   parameters,
+			})
+			if err != nil {
+				return err
+			}
+
+			err = cliui.WorkspaceBuild(cmd.Context(), cmd.OutOrStdout(), client, workspace.LatestBuild.ID, after)
+			if err != nil {
+				return err
+			}
+
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace has been created at %s!\n", cliui.Styles.Keyword.Render(workspace.Name), cliui.Styles.DateTimeStamp.Render(time.Now().Format(time.Stamp)))
+			return nil
+		},
+	}
+
+	cliui.AllowSkipPrompt(cmd)
+	cliflag.StringVarP(cmd.Flags(), &templateName, "template", "t", "CODER_TEMPLATE_NAME", "", "Specify a template name.")
+	cliflag.StringVarP(cmd.Flags(), &parameterFile, "parameter-file", "", "CODER_PARAMETER_FILE", "", "Specify a file path with parameter values.")
+	cliflag.StringVarP(cmd.Flags(), &startAt, "start-at", "", "CODER_WORKSPACE_START_AT", "", "Specify the workspace autostart schedule. Check `coder schedule start --help` for the syntax.")
+	cliflag.DurationVarP(cmd.Flags(), &stopAfter, "stop-after", "", "CODER_WORKSPACE_STOP_AFTER", 8*time.Hour, "Specify a duration after which the workspace should shut down (e.g. 8h).")
+	return cmd
+}
+
+type prepWorkspaceBuildArgs struct {
+	Template         codersdk.Template
+	ExistingParams   []codersdk.Parameter
+	ParameterFile    string
+	NewWorkspaceName string
+}
+
+// prepWorkspaceBuild will ensure a workspace build will succeed on the latest template version.
+// Any missing params will be prompted to the user.
+func prepWorkspaceBuild(cmd *cobra.Command, client *codersdk.Client, args prepWorkspaceBuildArgs) ([]codersdk.CreateParameterRequest, error) {
+	ctx := cmd.Context()
+	templateVersion, err := client.TemplateVersion(ctx, args.Template.ActiveVersionID)
+	if err != nil {
+		return nil, err
+	}
+	parameterSchemas, err := client.TemplateVersionSchema(ctx, templateVersion.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	// parameterMapFromFile can be nil if parameter file is not specified
+	var parameterMapFromFile map[string]string
+	useParamFile := false
+	if args.ParameterFile != "" {
+		useParamFile = true
+		_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Paragraph.Render("Attempting to read the variables from the parameter file.")+"\r\n")
+		parameterMapFromFile, err = createParameterMapFromFile(args.ParameterFile)
+		if err != nil {
+			return nil, err
+		}
+	}
+	disclaimerPrinted := false
+	parameters := make([]codersdk.CreateParameterRequest, 0)
+PromptParamLoop:
+	for _, parameterSchema := range parameterSchemas {
+		if !parameterSchema.AllowOverrideSource {
+			continue
+		}
+		if !disclaimerPrinted {
+			_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Paragraph.Render("This template has customizable parameters. Values can be changed after create, but may have unintended side effects (like data loss).")+"\r\n")
+			disclaimerPrinted = true
+		}
+
+		// Param file is all or nothing
+		if !useParamFile {
+			for _, e := range args.ExistingParams {
+				if e.Name == parameterSchema.Name {
+					// If the param already exists, we do not need to prompt it again.
+					// The workspace scope will reuse params for each build.
+					continue PromptParamLoop
+				}
+			}
+		}
+
+		parameterValue, err := getParameterValueFromMapOrInput(cmd, parameterMapFromFile, parameterSchema)
+		if err != nil {
+			return nil, err
+		}
+
+		parameters = append(parameters, codersdk.CreateParameterRequest{
+			Name:              parameterSchema.Name,
+			SourceValue:       parameterValue,
+			SourceScheme:      codersdk.ParameterSourceSchemeData,
+			DestinationScheme: parameterSchema.DefaultDestinationScheme,
+		})
+	}
+	_, _ = fmt.Fprintln(cmd.OutOrStdout())
+
+	// Run a dry-run with the given parameters to check correctness
+	after := time.Now()
+	dryRun, err := client.CreateTemplateVersionDryRun(cmd.Context(), templateVersion.ID, codersdk.CreateTemplateVersionDryRunRequest{
+		WorkspaceName:   args.NewWorkspaceName,
+		ParameterValues: parameters,
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("begin workspace dry-run: %w", err)
+	}
+	_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Planning workspace...")
+	err = cliui.ProvisionerJob(cmd.Context(), cmd.OutOrStdout(), cliui.ProvisionerJobOptions{
+		Fetch: func() (codersdk.ProvisionerJob, error) {
+			return client.TemplateVersionDryRun(cmd.Context(), templateVersion.ID, dryRun.ID)
+		},
+		Cancel: func() error {
+			return client.CancelTemplateVersionDryRun(cmd.Context(), templateVersion.ID, dryRun.ID)
+		},
+		Logs: func() (<-chan codersdk.ProvisionerJobLog, error) {
+			return client.TemplateVersionDryRunLogsAfter(cmd.Context(), templateVersion.ID, dryRun.ID, after)
+		},
+		// Don't show log output for the dry-run unless there's an error.
+		Silent: true,
+	})
+	if err != nil {
+		// TODO (Dean): reprompt for parameter values if we deem it to
+		// be a validation error
+		return nil, xerrors.Errorf("dry-run workspace: %w", err)
+	}
+
+	resources, err := client.TemplateVersionDryRunResources(cmd.Context(), templateVersion.ID, dryRun.ID)
+	if err != nil {
+		return nil, xerrors.Errorf("get workspace dry-run resources: %w", err)
+	}
+
+	err = cliui.WorkspaceResources(cmd.OutOrStdout(), resources, cliui.WorkspaceResourcesOptions{
+		WorkspaceName: args.NewWorkspaceName,
+		// Since agents haven't connected yet, hiding this makes more sense.
+		HideAgentState: true,
+		Title:          "Workspace Preview",
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return parameters, nil
+}

cli/create_test.go

@@ -0,0 +1,334 @@
+package cli_test
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/provisioner/echo"
+	"github.com/coder/coder/provisionersdk/proto"
+	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
+)
+
+func TestCreate(t *testing.T) {
+	t.Parallel()
+	t.Run("Create", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:           echo.ParseComplete,
+			Provision:       provisionCompleteWithAgent,
+			ProvisionDryRun: provisionCompleteWithAgent,
+		})
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		args := []string{
+			"create",
+			"my-workspace",
+			"--template", template.Name,
+			"--start-at", "9:30AM Mon-Fri US/Central",
+			"--stop-after", "8h",
+		}
+		cmd, root := clitest.New(t, args...)
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+		matches := []struct {
+			match string
+			write string
+		}{
+			{match: "compute.main"},
+			{match: "smith (linux, i386)"},
+			{match: "Confirm create", write: "yes"},
+		}
+		for _, m := range matches {
+			pty.ExpectMatch(m.match)
+			if len(m.write) > 0 {
+				pty.WriteLine(m.write)
+			}
+		}
+		<-doneChan
+
+		ws, err := client.WorkspaceByOwnerAndName(context.Background(), "testuser", "my-workspace", codersdk.WorkspaceOptions{})
+		if assert.NoError(t, err, "expected workspace to be created") {
+			assert.Equal(t, ws.TemplateName, template.Name)
+			if assert.NotNil(t, ws.AutostartSchedule) {
+				assert.Equal(t, *ws.AutostartSchedule, "CRON_TZ=US/Central 30 9 * * Mon-Fri")
+			}
+			if assert.NotNil(t, ws.TTLMillis) {
+				assert.Equal(t, *ws.TTLMillis, 8*time.Hour.Milliseconds())
+			}
+		}
+	})
+
+	t.Run("CreateFromListWithSkip", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		cmd, root := clitest.New(t, "create", "my-workspace", "-y")
+
+		member := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
+		clitest.SetupConfig(t, member, root)
+		cmdCtx, done := context.WithTimeout(context.Background(), testutil.WaitLong)
+		go func() {
+			defer done()
+			err := cmd.ExecuteContext(cmdCtx)
+			assert.NoError(t, err)
+		}()
+		// No pty interaction needed since we use the -y skip prompt flag
+		<-cmdCtx.Done()
+		require.ErrorIs(t, cmdCtx.Err(), context.Canceled)
+	})
+
+	t.Run("FromNothing", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		cmd, root := clitest.New(t, "create", "")
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+		matches := []string{
+			"Specify a name", "my-workspace",
+			"Confirm create?", "yes",
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+		<-doneChan
+
+		ws, err := client.WorkspaceByOwnerAndName(cmd.Context(), "testuser", "my-workspace", codersdk.WorkspaceOptions{})
+		if assert.NoError(t, err, "expected workspace to be created") {
+			assert.Equal(t, ws.TemplateName, template.Name)
+			assert.Nil(t, ws.AutostartSchedule, "expected workspace autostart schedule to be nil")
+		}
+	})
+
+	t.Run("WithParameter", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		user := coderdtest.CreateFirstUser(t, client)
+
+		defaultValue := "something"
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:           createTestParseResponseWithDefault(defaultValue),
+			Provision:       echo.ProvisionComplete,
+			ProvisionDryRun: echo.ProvisionComplete,
+		})
+
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		cmd, root := clitest.New(t, "create", "")
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+
+		matches := []string{
+			"Specify a name", "my-workspace",
+			fmt.Sprintf("Enter a value (default: %q):", defaultValue), "bingo",
+			"Enter a value:", "boingo",
+			"Confirm create?", "yes",
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+		<-doneChan
+	})
+
+	t.Run("WithParameterFileContainingTheValue", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		user := coderdtest.CreateFirstUser(t, client)
+
+		defaultValue := "something"
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:           createTestParseResponseWithDefault(defaultValue),
+			Provision:       echo.ProvisionComplete,
+			ProvisionDryRun: echo.ProvisionComplete,
+		})
+
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		tempDir := t.TempDir()
+		removeTmpDirUntilSuccessAfterTest(t, tempDir)
+		parameterFile, _ := os.CreateTemp(tempDir, "testParameterFile*.yaml")
+		_, _ = parameterFile.WriteString("region: \"bingo\"\nusername: \"boingo\"")
+		cmd, root := clitest.New(t, "create", "", "--parameter-file", parameterFile.Name())
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+
+		matches := []string{
+			"Specify a name", "my-workspace",
+			"Confirm create?", "yes",
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+		<-doneChan
+	})
+
+	t.Run("WithParameterFileNotContainingTheValue", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		user := coderdtest.CreateFirstUser(t, client)
+
+		defaultValue := "something"
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:           createTestParseResponseWithDefault(defaultValue),
+			Provision:       echo.ProvisionComplete,
+			ProvisionDryRun: echo.ProvisionComplete,
+		})
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		tempDir := t.TempDir()
+		removeTmpDirUntilSuccessAfterTest(t, tempDir)
+		parameterFile, _ := os.CreateTemp(tempDir, "testParameterFile*.yaml")
+		_, _ = parameterFile.WriteString("zone: \"bananas\"")
+		cmd, root := clitest.New(t, "create", "my-workspace", "--template", template.Name, "--parameter-file", parameterFile.Name())
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.EqualError(t, err, "Parameter value absent in parameter file for \"region\"!")
+		}()
+		<-doneChan
+	})
+
+	t.Run("FailedDryRun", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse: []*proto.Parse_Response{{
+				Type: &proto.Parse_Response_Complete{
+					Complete: &proto.Parse_Complete{
+						ParameterSchemas: echo.ParameterSuccess,
+					},
+				},
+			}},
+			ProvisionDryRun: []*proto.Provision_Response{
+				{
+					Type: &proto.Provision_Response_Complete{
+						Complete: &proto.Provision_Complete{},
+					},
+				},
+			},
+		})
+
+		tempDir := t.TempDir()
+		parameterFile, err := os.CreateTemp(tempDir, "testParameterFile*.yaml")
+		require.NoError(t, err)
+		defer parameterFile.Close()
+		_, _ = parameterFile.WriteString(fmt.Sprintf("%s: %q", echo.ParameterExecKey, echo.ParameterError("fail")))
+
+		// The template import job should end up failed, but we need it to be
+		// succeeded so the dry-run can begin.
+		version = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		require.Equal(t, codersdk.ProvisionerJobSucceeded, version.Job.Status, "job is not failed")
+
+		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		cmd, root := clitest.New(t, "create", "test", "--parameter-file", parameterFile.Name())
+		clitest.SetupConfig(t, client, root)
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+
+		err = cmd.Execute()
+		require.Error(t, err)
+		require.ErrorContains(t, err, "dry-run workspace")
+	})
+}
+
+func createTestParseResponseWithDefault(defaultValue string) []*proto.Parse_Response {
+	return []*proto.Parse_Response{{
+		Type: &proto.Parse_Response_Complete{
+			Complete: &proto.Parse_Complete{
+				ParameterSchemas: []*proto.ParameterSchema{
+					{
+						AllowOverrideSource: true,
+						Name:                "region",
+						Description:         "description 1",
+						DefaultSource: &proto.ParameterSource{
+							Scheme: proto.ParameterSource_DATA,
+							Value:  defaultValue,
+						},
+						DefaultDestination: &proto.ParameterDestination{
+							Scheme: proto.ParameterDestination_PROVISIONER_VARIABLE,
+						},
+					},
+					{
+						AllowOverrideSource: true,
+						Name:                "username",
+						Description:         "description 2",
+						DefaultSource: &proto.ParameterSource{
+							Scheme: proto.ParameterSource_DATA,
+							// No default value
+							Value: "",
+						},
+						DefaultDestination: &proto.ParameterDestination{
+							Scheme: proto.ParameterDestination_PROVISIONER_VARIABLE,
+						},
+					},
+				},
+			},
+		},
+	}}
+}

cli/daemon.go

@@ -1,110 +0,0 @@
-package cli
-
-import (
-	"context"
-	"io"
-	"io/ioutil"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	"time"
-
-	"github.com/spf13/cobra"
-	"golang.org/x/xerrors"
-
-	"cdr.dev/slog"
-	"cdr.dev/slog/sloggers/sloghuman"
-	"github.com/coder/coder/coderd"
-	"github.com/coder/coder/codersdk"
-	"github.com/coder/coder/database"
-	"github.com/coder/coder/database/databasefake"
-	"github.com/coder/coder/provisioner/terraform"
-	"github.com/coder/coder/provisionerd"
-	"github.com/coder/coder/provisionersdk"
-	"github.com/coder/coder/provisionersdk/proto"
-)
-
-func daemon() *cobra.Command {
-	var (
-		address string
-	)
-	root := &cobra.Command{
-		Use: "daemon",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			logger := slog.Make(sloghuman.Sink(os.Stderr))
-			accessURL := &url.URL{
-				Scheme: "http",
-				Host:   address,
-			}
-			handler, closeCoderd := coderd.New(&coderd.Options{
-				AccessURL: accessURL,
-				Logger:    logger,
-				Database:  databasefake.New(),
-				Pubsub:    database.NewPubsubInMemory(),
-			})
-
-			listener, err := net.Listen("tcp", address)
-			if err != nil {
-				return xerrors.Errorf("listen %q: %w", address, err)
-			}
-			defer listener.Close()
-
-			client := codersdk.New(accessURL)
-			daemonClose, err := newProvisionerDaemon(cmd.Context(), client, logger)
-			if err != nil {
-				return xerrors.Errorf("create provisioner daemon: %w", err)
-			}
-			defer daemonClose.Close()
-
-			errCh := make(chan error)
-			go func() {
-				defer close(errCh)
-				errCh <- http.Serve(listener, handler)
-			}()
-
-			closeCoderd()
-			select {
-			case <-cmd.Context().Done():
-				return cmd.Context().Err()
-			case err := <-errCh:
-				return err
-			}
-		},
-	}
-	defaultAddress, ok := os.LookupEnv("ADDRESS")
-	if !ok {
-		defaultAddress = "127.0.0.1:3000"
-	}
-	root.Flags().StringVarP(&address, "address", "a", defaultAddress, "The address to serve the API and dashboard.")
-
-	return root
-}
-
-func newProvisionerDaemon(ctx context.Context, client *codersdk.Client, logger slog.Logger) (io.Closer, error) {
-	terraformClient, terraformServer := provisionersdk.TransportPipe()
-	go func() {
-		err := terraform.Serve(ctx, &terraform.ServeOptions{
-			ServeOptions: &provisionersdk.ServeOptions{
-				Listener: terraformServer,
-			},
-			Logger: logger,
-		})
-		if err != nil {
-			panic(err)
-		}
-	}()
-	tempDir, err := ioutil.TempDir("", "provisionerd")
-	if err != nil {
-		return nil, err
-	}
-	return provisionerd.New(client.ListenProvisionerDaemon, &provisionerd.Options{
-		Logger:         logger,
-		PollInterval:   50 * time.Millisecond,
-		UpdateInterval: 50 * time.Millisecond,
-		Provisioners: provisionerd.Provisioners{
-			string(database.ProvisionerTypeTerraform): proto.NewDRPCProvisionerClient(provisionersdk.Conn(terraformClient)),
-		},
-		WorkDirectory: tempDir,
-	}), nil
-}

cli/daemon_test.go

@@ -1,19 +0,0 @@
-package cli_test
-
-import (
-	"context"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/cli/clitest"
-)
-
-func TestDaemon(t *testing.T) {
-	t.Parallel()
-	ctx, cancelFunc := context.WithCancel(context.Background())
-	go cancelFunc()
-	root, _ := clitest.New(t, "daemon")
-	err := root.ExecuteContext(ctx)
-	require.ErrorIs(t, err, context.Canceled)
-}

cli/delete.go

@@ -0,0 +1,58 @@
+package cli
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/codersdk"
+)
+
+// nolint
+func deleteWorkspace() *cobra.Command {
+	cmd := &cobra.Command{
+		Annotations: workspaceCommand,
+		Use:         "delete <workspace>",
+		Short:       "Delete a workspace",
+		Aliases:     []string{"rm"},
+		Args:        cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, err := cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:      "Confirm delete workspace?",
+				IsConfirm: true,
+				Default:   cliui.ConfirmNo,
+			})
+			if err != nil {
+				return err
+			}
+
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+			workspace, err := namedWorkspace(cmd, client, args[0])
+			if err != nil {
+				return err
+			}
+			before := time.Now()
+			build, err := client.CreateWorkspaceBuild(cmd.Context(), workspace.ID, codersdk.CreateWorkspaceBuildRequest{
+				Transition: codersdk.WorkspaceTransitionDelete,
+			})
+			if err != nil {
+				return err
+			}
+
+			err = cliui.WorkspaceBuild(cmd.Context(), cmd.OutOrStdout(), client, build.ID, before)
+			if err != nil {
+				return err
+			}
+
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace has been deleted at %s!\n", cliui.Styles.Keyword.Render(workspace.Name), cliui.Styles.DateTimeStamp.Render(time.Now().Format(time.Stamp)))
+			return nil
+		},
+	}
+	cliui.AllowSkipPrompt(cmd)
+	return cmd
+}

cli/delete_test.go

@@ -0,0 +1,96 @@
+package cli_test
+
+import (
+	"context"
+	"io"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+func TestDelete(t *testing.T) {
+	t.Parallel()
+	t.Run("WithParameter", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+		cmd, root := clitest.New(t, "delete", workspace.Name, "-y")
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			// When running with the race detector on, we sometimes get an EOF.
+			if err != nil {
+				assert.ErrorIs(t, err, io.EOF)
+			}
+		}()
+		pty.ExpectMatch("Cleaning Up")
+		<-doneChan
+	})
+
+	t.Run("DifferentUser", func(t *testing.T) {
+		t.Parallel()
+		adminClient := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		adminUser := coderdtest.CreateFirstUser(t, adminClient)
+		orgID := adminUser.OrganizationID
+		client := coderdtest.CreateAnotherUser(t, adminClient, orgID)
+		user, err := client.User(context.Background(), codersdk.Me)
+		require.NoError(t, err)
+
+		version := coderdtest.CreateTemplateVersion(t, adminClient, orgID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, adminClient, version.ID)
+		template := coderdtest.CreateTemplate(t, adminClient, orgID, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, orgID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+		cmd, root := clitest.New(t, "delete", user.Username+"/"+workspace.Name, "-y")
+		clitest.SetupConfig(t, adminClient, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			// When running with the race detector on, we sometimes get an EOF.
+			if err != nil {
+				assert.ErrorIs(t, err, io.EOF)
+			}
+		}()
+
+		pty.ExpectMatch("Cleaning Up")
+		<-doneChan
+
+		workspace, err = client.Workspace(context.Background(), workspace.ID)
+		require.ErrorContains(t, err, "was deleted")
+	})
+
+	t.Run("InvalidWorkspaceIdentifier", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		cmd, root := clitest.New(t, "delete", "a/b/c", "-y")
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.ErrorContains(t, err, "invalid workspace name: \"a/b/c\"")
+		}()
+		<-doneChan
+	})
+}

cli/dotfiles.go

@@ -0,0 +1,282 @@
+package cli
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliflag"
+	"github.com/coder/coder/cli/cliui"
+)
+
+func dotfiles() *cobra.Command {
+	var symlinkDir string
+	cmd := &cobra.Command{
+		Use:   "dotfiles [git_repo_url]",
+		Args:  cobra.ExactArgs(1),
+		Short: "Check out and install a dotfiles repository.",
+		Example: formatExamples(
+			example{
+				Description: "Check out and install a dotfiles repository without prompts",
+				Command:     "coder dotfiles --yes git@github.com:example/dotfiles.git",
+			},
+		),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			var (
+				dotfilesRepoDir = "dotfiles"
+				gitRepo         = args[0]
+				cfg             = createConfig(cmd)
+				cfgDir          = string(cfg)
+				dotfilesDir     = filepath.Join(cfgDir, dotfilesRepoDir)
+				// This follows the same pattern outlined by others in the market:
+				// https://github.com/coder/coder/pull/1696#issue-1245742312
+				installScriptSet = []string{
+					"install.sh",
+					"install",
+					"bootstrap.sh",
+					"bootstrap",
+					"script/bootstrap",
+					"setup.sh",
+					"setup",
+					"script/setup",
+				}
+			)
+
+			_, _ = fmt.Fprint(cmd.OutOrStdout(), "Checking if dotfiles repository already exists...\n")
+			dotfilesExists, err := dirExists(dotfilesDir)
+			if err != nil {
+				return xerrors.Errorf("checking dir %s: %w", dotfilesDir, err)
+			}
+
+			moved := false
+			if dotfilesExists {
+				du, err := cfg.DotfilesURL().Read()
+				if err != nil && !errors.Is(err, os.ErrNotExist) {
+					return xerrors.Errorf("reading dotfiles url config: %w", err)
+				}
+				// if the git url has changed we create a backup and clone fresh
+				if gitRepo != du {
+					backupDir := fmt.Sprintf("%s_backup_%s", dotfilesDir, time.Now().Format(time.RFC3339))
+					_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+						Text:      fmt.Sprintf("The dotfiles URL has changed from %q to %q.\n  Coder will backup the existing repo to %s.\n\n  Continue?", du, gitRepo, backupDir),
+						IsConfirm: true,
+					})
+					if err != nil {
+						return err
+					}
+
+					err = os.Rename(dotfilesDir, backupDir)
+					if err != nil {
+						return xerrors.Errorf("renaming dir %s: %w", dotfilesDir, err)
+					}
+					_, _ = fmt.Fprint(cmd.OutOrStdout(), "Done backup up dotfiles.\n")
+					dotfilesExists = false
+					moved = true
+				}
+			}
+
+			var (
+				gitCmdDir   string
+				subcommands []string
+				promptText  string
+			)
+			if dotfilesExists {
+				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Found dotfiles repository at %s\n", dotfilesDir)
+				gitCmdDir = dotfilesDir
+				subcommands = []string{"pull", "--ff-only"}
+				promptText = fmt.Sprintf("Pulling latest from %s into directory %s.\n  Continue?", gitRepo, dotfilesDir)
+			} else {
+				if !moved {
+					_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Did not find dotfiles repository at %s\n", dotfilesDir)
+				}
+				gitCmdDir = cfgDir
+				subcommands = []string{"clone", args[0], dotfilesRepoDir}
+				promptText = fmt.Sprintf("Cloning %s into directory %s.\n\n  Continue?", gitRepo, dotfilesDir)
+			}
+
+			_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:      promptText,
+				IsConfirm: true,
+			})
+			if err != nil {
+				return err
+			}
+
+			// ensure command dir exists
+			err = os.MkdirAll(gitCmdDir, 0750)
+			if err != nil {
+				return xerrors.Errorf("ensuring dir at %s: %w", gitCmdDir, err)
+			}
+
+			// check if git ssh command already exists so we can just wrap it
+			gitsshCmd := os.Getenv("GIT_SSH_COMMAND")
+			if gitsshCmd == "" {
+				gitsshCmd = "ssh"
+			}
+
+			// clone or pull repo
+			c := exec.CommandContext(cmd.Context(), "git", subcommands...)
+			c.Dir = gitCmdDir
+			c.Env = append(os.Environ(), fmt.Sprintf(`GIT_SSH_COMMAND=%s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`, gitsshCmd))
+			c.Stdout = cmd.OutOrStdout()
+			c.Stderr = cmd.ErrOrStderr()
+			err = c.Run()
+			if err != nil {
+				if !dotfilesExists {
+					return err
+				}
+				// if the repo exists we soft fail the update operation and try to continue
+				_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Error.Render("Failed to update repo, continuing..."))
+			}
+
+			// save git repo url so we can detect changes next time
+			err = cfg.DotfilesURL().Write(gitRepo)
+			if err != nil {
+				return xerrors.Errorf("writing dotfiles url config: %w", err)
+			}
+
+			files, err := os.ReadDir(dotfilesDir)
+			if err != nil {
+				return xerrors.Errorf("reading files in dir %s: %w", dotfilesDir, err)
+			}
+
+			var dotfiles []string
+			for _, f := range files {
+				// make sure we do not copy `.git*` files
+				if strings.HasPrefix(f.Name(), ".") && !strings.HasPrefix(f.Name(), ".git") {
+					dotfiles = append(dotfiles, f.Name())
+				}
+			}
+
+			script := findScript(installScriptSet, files)
+			if script != "" {
+				_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+					Text:      fmt.Sprintf("Running install script %s.\n\n  Continue?", script),
+					IsConfirm: true,
+				})
+				if err != nil {
+					return err
+				}
+
+				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Running %s...\n", script)
+				// it is safe to use a variable command here because it's from
+				// a filtered list of pre-approved install scripts
+				// nolint:gosec
+				scriptCmd := exec.CommandContext(cmd.Context(), filepath.Join(dotfilesDir, script))
+				scriptCmd.Dir = dotfilesDir
+				scriptCmd.Stdout = cmd.OutOrStdout()
+				scriptCmd.Stderr = cmd.ErrOrStderr()
+				err = scriptCmd.Run()
+				if err != nil {
+					return xerrors.Errorf("running %s: %w", script, err)
+				}
+
+				_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Dotfiles installation complete.")
+				return nil
+			}
+
+			if len(dotfiles) == 0 {
+				_, _ = fmt.Fprintln(cmd.OutOrStdout(), "No install scripts or dotfiles found, nothing to do.")
+				return nil
+			}
+
+			_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:      "No install scripts found, symlinking dotfiles to home directory.\n\n  Continue?",
+				IsConfirm: true,
+			})
+			if err != nil {
+				return err
+			}
+
+			if symlinkDir == "" {
+				symlinkDir, err = os.UserHomeDir()
+				if err != nil {
+					return xerrors.Errorf("getting user home: %w", err)
+				}
+			}
+
+			for _, df := range dotfiles {
+				from := filepath.Join(dotfilesDir, df)
+				to := filepath.Join(symlinkDir, df)
+				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Symlinking %s to %s...\n", from, to)
+
+				isRegular, err := isRegular(to)
+				if err != nil {
+					return xerrors.Errorf("checking symlink for %s: %w", to, err)
+				}
+				// move conflicting non-symlink files to file.ext.bak
+				if isRegular {
+					backup := fmt.Sprintf("%s.bak", to)
+					_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Moving %s to %s...\n", to, backup)
+					err = os.Rename(to, backup)
+					if err != nil {
+						return xerrors.Errorf("renaming dir %s: %w", to, err)
+					}
+				}
+
+				err = os.Symlink(from, to)
+				if err != nil {
+					return xerrors.Errorf("symlinking %s to %s: %w", from, to, err)
+				}
+			}
+
+			_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Dotfiles installation complete.")
+			return nil
+		},
+	}
+	cliui.AllowSkipPrompt(cmd)
+	cliflag.StringVarP(cmd.Flags(), &symlinkDir, "symlink-dir", "", "CODER_SYMLINK_DIR", "", "Specifies the directory for the dotfiles symlink destinations. If empty will use $HOME.")
+
+	return cmd
+}
+
+// dirExists checks if the path exists and is a directory.
+func dirExists(name string) (bool, error) {
+	fi, err := os.Stat(name)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+
+		return false, xerrors.Errorf("stat dir: %w", err)
+	}
+	if !fi.IsDir() {
+		return false, xerrors.New("exists but not a directory")
+	}
+
+	return true, nil
+}
+
+// findScript will find the first file that matches the script set.
+func findScript(scriptSet []string, files []fs.DirEntry) string {
+	for _, i := range scriptSet {
+		for _, f := range files {
+			if f.Name() == i {
+				return f.Name()
+			}
+		}
+	}
+
+	return ""
+}
+
+// isRegular detects if the file exists and is not a symlink.
+func isRegular(to string) (bool, error) {
+	fi, err := os.Lstat(to)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return false, nil
+		}
+		return false, xerrors.Errorf("lstat %s: %w", to, err)
+	}
+
+	return fi.Mode().IsRegular(), nil
+}

cli/dotfiles_test.go

@@ -0,0 +1,141 @@
+package cli_test
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/cli/config"
+	"github.com/coder/coder/cryptorand"
+)
+
+// nolint:paralleltest
+func TestDotfiles(t *testing.T) {
+	t.Run("MissingArg", func(t *testing.T) {
+		cmd, _ := clitest.New(t, "dotfiles")
+		err := cmd.Execute()
+		require.Error(t, err)
+	})
+	t.Run("NoInstallScript", func(t *testing.T) {
+		_, root := clitest.New(t)
+		testRepo := testGitRepo(t, root)
+
+		// nolint:gosec
+		err := os.WriteFile(filepath.Join(testRepo, ".bashrc"), []byte("wow"), 0750)
+		require.NoError(t, err)
+
+		c := exec.Command("git", "add", ".bashrc")
+		c.Dir = testRepo
+		err = c.Run()
+		require.NoError(t, err)
+
+		c = exec.Command("git", "commit", "-m", `"add .bashrc"`)
+		c.Dir = testRepo
+		out, err := c.CombinedOutput()
+		require.NoError(t, err, string(out))
+
+		cmd, _ := clitest.New(t, "dotfiles", "--global-config", string(root), "--symlink-dir", string(root), "-y", testRepo)
+		err = cmd.Execute()
+		require.NoError(t, err)
+
+		b, err := os.ReadFile(filepath.Join(string(root), ".bashrc"))
+		require.NoError(t, err)
+		require.Equal(t, string(b), "wow")
+	})
+	t.Run("InstallScript", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("install scripts on windows require sh and aren't very practical")
+		}
+		_, root := clitest.New(t)
+		testRepo := testGitRepo(t, root)
+
+		// nolint:gosec
+		err := os.WriteFile(filepath.Join(testRepo, "install.sh"), []byte("#!/bin/bash\necho wow > "+filepath.Join(string(root), ".bashrc")), 0750)
+		require.NoError(t, err)
+
+		c := exec.Command("git", "add", "install.sh")
+		c.Dir = testRepo
+		err = c.Run()
+		require.NoError(t, err)
+
+		c = exec.Command("git", "commit", "-m", `"add install.sh"`)
+		c.Dir = testRepo
+		err = c.Run()
+		require.NoError(t, err)
+
+		cmd, _ := clitest.New(t, "dotfiles", "--global-config", string(root), "--symlink-dir", string(root), "-y", testRepo)
+		err = cmd.Execute()
+		require.NoError(t, err)
+
+		b, err := os.ReadFile(filepath.Join(string(root), ".bashrc"))
+		require.NoError(t, err)
+		require.Equal(t, string(b), "wow\n")
+	})
+	t.Run("SymlinkBackup", func(t *testing.T) {
+		_, root := clitest.New(t)
+		testRepo := testGitRepo(t, root)
+
+		// nolint:gosec
+		err := os.WriteFile(filepath.Join(testRepo, ".bashrc"), []byte("wow"), 0750)
+		require.NoError(t, err)
+
+		// add a conflicting file at destination
+		// nolint:gosec
+		err = os.WriteFile(filepath.Join(string(root), ".bashrc"), []byte("backup"), 0750)
+		require.NoError(t, err)
+
+		c := exec.Command("git", "add", ".bashrc")
+		c.Dir = testRepo
+		err = c.Run()
+		require.NoError(t, err)
+
+		c = exec.Command("git", "commit", "-m", `"add .bashrc"`)
+		c.Dir = testRepo
+		out, err := c.CombinedOutput()
+		require.NoError(t, err, string(out))
+
+		cmd, _ := clitest.New(t, "dotfiles", "--global-config", string(root), "--symlink-dir", string(root), "-y", testRepo)
+		err = cmd.Execute()
+		require.NoError(t, err)
+
+		b, err := os.ReadFile(filepath.Join(string(root), ".bashrc"))
+		require.NoError(t, err)
+		require.Equal(t, string(b), "wow")
+
+		// check for backup file
+		b, err = os.ReadFile(filepath.Join(string(root), ".bashrc.bak"))
+		require.NoError(t, err)
+		require.Equal(t, string(b), "backup")
+	})
+}
+
+func testGitRepo(t *testing.T, root config.Root) string {
+	r, err := cryptorand.String(8)
+	require.NoError(t, err)
+	dir := filepath.Join(string(root), fmt.Sprintf("test-repo-%s", r))
+	err = os.MkdirAll(dir, 0750)
+	require.NoError(t, err)
+
+	c := exec.Command("git", "init")
+	c.Dir = dir
+	err = c.Run()
+	require.NoError(t, err)
+
+	c = exec.Command("git", "config", "user.email", "ci@coder.com")
+	c.Dir = dir
+	err = c.Run()
+	require.NoError(t, err)
+
+	c = exec.Command("git", "config", "user.name", "C I")
+	c.Dir = dir
+	err = c.Run()
+	require.NoError(t, err)
+
+	return dir
+}

cli/features.go

@@ -0,0 +1,102 @@
+package cli
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/codersdk"
+)
+
+var featureColumns = []string{"Name", "Entitlement", "Enabled", "Limit", "Actual"}
+
+func features() *cobra.Command {
+	cmd := &cobra.Command{
+		Short:   "List features",
+		Use:     "features",
+		Aliases: []string{"feature"},
+	}
+	cmd.AddCommand(
+		featuresList(),
+	)
+	return cmd
+}
+
+func featuresList() *cobra.Command {
+	var (
+		columns      []string
+		outputFormat string
+	)
+
+	cmd := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls"},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+			entitlements, err := client.Entitlements(cmd.Context())
+			if err != nil {
+				return err
+			}
+
+			out := ""
+			switch outputFormat {
+			case "table", "":
+				out, err = displayFeatures(columns, entitlements.Features)
+				if err != nil {
+					return xerrors.Errorf("render table: %w", err)
+				}
+			case "json":
+				outBytes, err := json.Marshal(entitlements)
+				if err != nil {
+					return xerrors.Errorf("marshal features to JSON: %w", err)
+				}
+
+				out = string(outBytes)
+			default:
+				return xerrors.Errorf(`unknown output format %q, only "table" and "json" are supported`, outputFormat)
+			}
+
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), out)
+			return err
+		},
+	}
+
+	cmd.Flags().StringArrayVarP(&columns, "column", "c", featureColumns,
+		fmt.Sprintf("Specify a column to filter in the table. Available columns are: %s",
+			strings.Join(featureColumns, ", ")))
+	cmd.Flags().StringVarP(&outputFormat, "output", "o", "table", "Output format. Available formats are: table, json.")
+	return cmd
+}
+
+type featureRow struct {
+	Name        string `table:"name"`
+	Entitlement string `table:"entitlement"`
+	Enabled     bool   `table:"enabled"`
+	Limit       *int64 `table:"limit"`
+	Actual      *int64 `table:"actual"`
+}
+
+// displayFeatures will return a table displaying all features passed in.
+// filterColumns must be a subset of the feature fields and will determine which
+// columns to display
+func displayFeatures(filterColumns []string, features map[string]codersdk.Feature) (string, error) {
+	rows := make([]featureRow, 0, len(features))
+	for name, feat := range features {
+		rows = append(rows, featureRow{
+			Name:        name,
+			Entitlement: string(feat.Entitlement),
+			Enabled:     feat.Enabled,
+			Limit:       feat.Limit,
+			Actual:      feat.Actual,
+		})
+	}
+
+	return cliui.DisplayTable(rows, "name", filterColumns)
+}

cli/features_test.go

@@ -0,0 +1,66 @@
+package cli_test
+
+import (
+	"bytes"
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+func TestFeaturesList(t *testing.T) {
+	t.Parallel()
+	t.Run("Table", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		coderdtest.CreateFirstUser(t, client)
+		cmd, root := clitest.New(t, "features", "list")
+		clitest.SetupConfig(t, client, root)
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		errC := make(chan error)
+		go func() {
+			errC <- cmd.Execute()
+		}()
+		require.NoError(t, <-errC)
+		pty.ExpectMatch("user_limit")
+		pty.ExpectMatch("not_entitled")
+	})
+	t.Run("JSON", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, nil)
+		coderdtest.CreateFirstUser(t, client)
+		cmd, root := clitest.New(t, "features", "list", "-o", "json")
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+
+		buf := bytes.NewBuffer(nil)
+		cmd.SetOut(buf)
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+
+		<-doneChan
+
+		var entitlements codersdk.Entitlements
+		err := json.Unmarshal(buf.Bytes(), &entitlements)
+		require.NoError(t, err, "unmarshal JSON output")
+		assert.Len(t, entitlements.Features, 2)
+		assert.Empty(t, entitlements.Warnings)
+		assert.Equal(t, codersdk.EntitlementNotEntitled,
+			entitlements.Features[codersdk.FeatureUserLimit].Entitlement)
+		assert.Equal(t, codersdk.EntitlementNotEntitled,
+			entitlements.Features[codersdk.FeatureAuditLog].Entitlement)
+		assert.False(t, entitlements.HasLicense)
+	})
+}

cli/gitssh.go

@@ -0,0 +1,72 @@
+package cli
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliui"
+)
+
+func gitssh() *cobra.Command {
+	return &cobra.Command{
+		Use:    "gitssh",
+		Hidden: true,
+		Short:  `Wraps the "ssh" command and uses the coder gitssh key for authentication`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			client, err := createAgentClient(cmd)
+			if err != nil {
+				return xerrors.Errorf("create agent client: %w", err)
+			}
+			key, err := client.AgentGitSSHKey(cmd.Context())
+			if err != nil {
+				return xerrors.Errorf("get agent git ssh token: %w", err)
+			}
+
+			privateKeyFile, err := os.CreateTemp("", "coder-gitsshkey-*")
+			if err != nil {
+				return xerrors.Errorf("create temp gitsshkey file: %w", err)
+			}
+			defer func() {
+				_ = privateKeyFile.Close()
+				_ = os.Remove(privateKeyFile.Name())
+			}()
+			_, err = privateKeyFile.WriteString(key.PrivateKey)
+			if err != nil {
+				return xerrors.Errorf("write to temp gitsshkey file: %w", err)
+			}
+			err = privateKeyFile.Close()
+			if err != nil {
+				return xerrors.Errorf("close temp gitsshkey file: %w", err)
+			}
+
+			args = append([]string{"-i", privateKeyFile.Name()}, args...)
+			c := exec.CommandContext(cmd.Context(), "ssh", args...)
+			c.Stderr = cmd.ErrOrStderr()
+			c.Stdout = cmd.OutOrStdout()
+			c.Stdin = cmd.InOrStdin()
+			err = c.Run()
+			if err != nil {
+				exitErr := &exec.ExitError{}
+				if xerrors.As(err, &exitErr) && exitErr.ExitCode() == 255 {
+					_, _ = fmt.Fprintln(cmd.ErrOrStderr(),
+						"\n"+cliui.Styles.Wrap.Render("Coder authenticates with "+cliui.Styles.Field.Render("git")+
+							" using the public key below. All clones with SSH are authenticated automatically 🪄.")+"\n")
+					_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Code.Render(strings.TrimSpace(key.PublicKey))+"\n")
+					_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "Add to GitHub and GitLab:")
+					_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Prompt.String()+"https://github.com/settings/ssh/new")
+					_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Prompt.String()+"https://gitlab.com/-/profile/keys")
+					_, _ = fmt.Fprintln(cmd.ErrOrStderr())
+					return err
+				}
+				return xerrors.Errorf("run ssh command: %w", err)
+			}
+
+			return nil
+		},
+	}
+}

cli/gitssh_test.go

@@ -0,0 +1,115 @@
+package cli_test
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"sync/atomic"
+	"testing"
+
+	"github.com/gliderlabs/ssh"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+	gossh "golang.org/x/crypto/ssh"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/provisioner/echo"
+	"github.com/coder/coder/provisionersdk/proto"
+)
+
+func TestGitSSH(t *testing.T) {
+	t.Parallel()
+	t.Run("Dial", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		user := coderdtest.CreateFirstUser(t, client)
+
+		// get user public key
+		keypair, err := client.GitSSHKey(context.Background(), codersdk.Me)
+		require.NoError(t, err)
+		publicKey, _, _, _, err := gossh.ParseAuthorizedKey([]byte(keypair.PublicKey))
+		require.NoError(t, err)
+
+		// setup template
+		agentToken := uuid.NewString()
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:           echo.ParseComplete,
+			ProvisionDryRun: echo.ProvisionComplete,
+			Provision: []*proto.Provision_Response{{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Resources: []*proto.Resource{{
+							Name: "somename",
+							Type: "someinstance",
+							Agents: []*proto.Agent{{
+								Auth: &proto.Agent_Token{
+									Token: agentToken,
+								},
+							}},
+						}},
+					},
+				},
+			}},
+		})
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+		// start workspace agent
+		cmd, root := clitest.New(t, "agent", "--agent-token", agentToken, "--agent-url", client.URL.String(), "--wireguard=false")
+		agentClient := client
+		clitest.SetupConfig(t, agentClient, root)
+		ctx, cancelFunc := context.WithCancel(context.Background())
+		defer cancelFunc()
+		agentErrC := make(chan error)
+		go func() {
+			agentErrC <- cmd.ExecuteContext(ctx)
+		}()
+
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
+		resources, err := client.WorkspaceResourcesByBuild(context.Background(), workspace.LatestBuild.ID)
+		require.NoError(t, err)
+		dialer, err := client.DialWorkspaceAgent(context.Background(), resources[0].Agents[0].ID, nil)
+		require.NoError(t, err)
+		defer dialer.Close()
+		_, err = dialer.Ping()
+		require.NoError(t, err)
+
+		// start ssh server
+		l, err := net.Listen("tcp", "localhost:0")
+		require.NoError(t, err)
+		defer l.Close()
+		publicKeyOption := ssh.PublicKeyAuth(func(ctx ssh.Context, key ssh.PublicKey) bool {
+			return ssh.KeysEqual(publicKey, key)
+		})
+		var inc int64
+		sshErrC := make(chan error)
+		go func() {
+			// as long as we get a successful session we don't care if the server errors
+			_ = ssh.Serve(l, func(s ssh.Session) {
+				atomic.AddInt64(&inc, 1)
+				t.Log("got authenticated session")
+				sshErrC <- s.Exit(0)
+			}, publicKeyOption)
+		}()
+
+		// start ssh session
+		addr, ok := l.Addr().(*net.TCPAddr)
+		require.True(t, ok)
+		// set to agent config dir
+		gitsshCmd, _ := clitest.New(t, "gitssh", "--agent-url", agentClient.URL.String(), "--agent-token", agentToken, "--", fmt.Sprintf("-p%d", addr.Port), "-o", "StrictHostKeyChecking=no", "-o", "IdentitiesOnly=yes", "127.0.0.1")
+		err = gitsshCmd.ExecuteContext(context.Background())
+		require.NoError(t, err)
+		require.EqualValues(t, 1, inc)
+
+		err = <-sshErrC
+		require.NoError(t, err, "error in ssh session exit")
+
+		cancelFunc()
+		err = <-agentErrC
+		require.NoError(t, err, "error in agent execute")
+	})
+}

cli/list.go

@@ -0,0 +1,126 @@
+package cli
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/spf13/cobra"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/coderd/autobuild/schedule"
+	"github.com/coder/coder/coderd/util/ptr"
+	"github.com/coder/coder/codersdk"
+)
+
+type workspaceListRow struct {
+	Workspace  string `table:"workspace"`
+	Template   string `table:"template"`
+	Status     string `table:"status"`
+	LastBuilt  string `table:"last built"`
+	Outdated   bool   `table:"outdated"`
+	StartsAt   string `table:"starts at"`
+	StopsAfter string `table:"stops after"`
+}
+
+func workspaceListRowFromWorkspace(now time.Time, usersByID map[uuid.UUID]codersdk.User, workspace codersdk.Workspace) workspaceListRow {
+	status := codersdk.WorkspaceDisplayStatus(workspace.LatestBuild.Job.Status, workspace.LatestBuild.Transition)
+
+	lastBuilt := now.UTC().Sub(workspace.LatestBuild.Job.CreatedAt).Truncate(time.Second)
+	autostartDisplay := "-"
+	if !ptr.NilOrEmpty(workspace.AutostartSchedule) {
+		if sched, err := schedule.Weekly(*workspace.AutostartSchedule); err == nil {
+			autostartDisplay = fmt.Sprintf("%s %s (%s)", sched.Time(), sched.DaysOfWeek(), sched.Location())
+		}
+	}
+
+	autostopDisplay := "-"
+	if !ptr.NilOrZero(workspace.TTLMillis) {
+		dur := time.Duration(*workspace.TTLMillis) * time.Millisecond
+		autostopDisplay = durationDisplay(dur)
+		if !workspace.LatestBuild.Deadline.IsZero() && workspace.LatestBuild.Deadline.Time.After(now) && status == "Running" {
+			remaining := time.Until(workspace.LatestBuild.Deadline.Time)
+			autostopDisplay = fmt.Sprintf("%s (%s)", autostopDisplay, relative(remaining))
+		}
+	}
+
+	user := usersByID[workspace.OwnerID]
+	return workspaceListRow{
+		Workspace:  user.Username + "/" + workspace.Name,
+		Template:   workspace.TemplateName,
+		Status:     status,
+		LastBuilt:  durationDisplay(lastBuilt),
+		Outdated:   workspace.Outdated,
+		StartsAt:   autostartDisplay,
+		StopsAfter: autostopDisplay,
+	}
+}
+
+func list() *cobra.Command {
+	var (
+		columns     []string
+		searchQuery string
+		me          bool
+	)
+	cmd := &cobra.Command{
+		Annotations: workspaceCommand,
+		Use:         "list",
+		Short:       "List all workspaces",
+		Aliases:     []string{"ls"},
+		Args:        cobra.ExactArgs(0),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+			filter := codersdk.WorkspaceFilter{
+				FilterQuery: searchQuery,
+			}
+			if me {
+				myUser, err := client.User(cmd.Context(), codersdk.Me)
+				if err != nil {
+					return err
+				}
+				filter.Owner = myUser.Username
+			}
+			workspaces, err := client.Workspaces(cmd.Context(), filter)
+			if err != nil {
+				return err
+			}
+			if len(workspaces) == 0 {
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Prompt.String()+"No workspaces found! Create one:")
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr())
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "  "+cliui.Styles.Code.Render("coder create <name>"))
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr())
+				return nil
+			}
+			users, err := client.Users(cmd.Context(), codersdk.UsersRequest{})
+			if err != nil {
+				return err
+			}
+			usersByID := map[uuid.UUID]codersdk.User{}
+			for _, user := range users {
+				usersByID[user.ID] = user
+			}
+
+			now := time.Now()
+			displayWorkspaces := make([]workspaceListRow, len(workspaces))
+			for i, workspace := range workspaces {
+				displayWorkspaces[i] = workspaceListRowFromWorkspace(now, usersByID, workspace)
+			}
+
+			out, err := cliui.DisplayTable(displayWorkspaces, "workspace", columns)
+			if err != nil {
+				return err
+			}
+
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), out)
+			return err
+		},
+	}
+	cmd.Flags().StringArrayVarP(&columns, "column", "c", nil,
+		"Specify a column to filter in the table.")
+	cmd.Flags().StringVar(&searchQuery, "search", "", "Search for a workspace with a query.")
+	cmd.Flags().BoolVar(&me, "me", false, "Only show workspaces owned by the current user.")
+	return cmd
+}

cli/list_test.go

@@ -0,0 +1,45 @@
+package cli_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
+)
+
+func TestList(t *testing.T) {
+	t.Parallel()
+	t.Run("Single", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+		cmd, root := clitest.New(t, "ls")
+		clitest.SetupConfig(t, client, root)
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+
+		ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancelFunc()
+		done := make(chan any)
+		go func() {
+			errC := cmd.ExecuteContext(ctx)
+			assert.NoError(t, errC)
+			close(done)
+		}()
+		pty.ExpectMatch(workspace.Name)
+		pty.ExpectMatch("Started")
+		cancelFunc()
+		<-done
+	})
+}

cli/login.go

@@ -1,22 +1,24 @@
 package cli
 
 import (
+	"errors"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/url"
+	"os"
 	"os/exec"
 	"os/user"
+	"path"
 	"runtime"
 	"strings"
 
-	"github.com/fatih/color"
 	"github.com/go-playground/validator/v10"
-	"github.com/manifoldco/promptui"
 	"github.com/pkg/browser"
 	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"
 
-	"github.com/coder/coder/coderd"
+	"github.com/coder/coder/cli/cliflag"
+	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/codersdk"
 )
 
@@ -31,14 +33,20 @@ func init() {
 	// when in SSH or another type of headless session
 	// NOTE: This needs to be in `init` to prevent data races
 	// (multiple threads trying to set the global browser.Std* variables)
-	browser.Stderr = ioutil.Discard
-	browser.Stdout = ioutil.Discard
+	browser.Stderr = io.Discard
+	browser.Stdout = io.Discard
 }
 
 func login() *cobra.Command {
-	return &cobra.Command{
-		Use:  "login <url>",
-		Args: cobra.ExactArgs(1),
+	var (
+		email    string
+		username string
+		password string
+	)
+	cmd := &cobra.Command{
+		Use:   "login <url>",
+		Short: "Authenticate with a Coder deployment",
+		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			rawURL := args[0]
 
@@ -59,76 +67,108 @@ func login() *cobra.Command {
 			}
 
 			client := codersdk.New(serverURL)
+
+			// Try to check the version of the server prior to logging in.
+			// It may be useful to warn the user if they are trying to login
+			// on a very old client.
+			err = checkVersions(cmd, client)
+			if err != nil {
+				// Checking versions isn't a fatal error so we print a warning
+				// and proceed.
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Warn.Render(err.Error()))
+			}
+
 			hasInitialUser, err := client.HasFirstUser(cmd.Context())
 			if err != nil {
 				return xerrors.Errorf("has initial user: %w", err)
 			}
 			if !hasInitialUser {
-				if !isTTY(cmd) {
-					return xerrors.New("the initial user cannot be created in non-interactive mode. use the API")
-				}
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s Your Coder deployment hasn't been set up!\n", caret)
+				_, _ = fmt.Fprintf(cmd.OutOrStdout(), caret+"Your Coder deployment hasn't been set up!\n")
 
-				_, err := prompt(cmd, &promptui.Prompt{
-					Label:     "Would you like to create the first user?",
-					IsConfirm: true,
-					Default:   "y",
-				})
-				if err != nil {
-					return xerrors.Errorf("create user prompt: %w", err)
-				}
-				currentUser, err := user.Current()
-				if err != nil {
-					return xerrors.Errorf("get current user: %w", err)
-				}
-				username, err := prompt(cmd, &promptui.Prompt{
-					Label:   "What username would you like?",
-					Default: currentUser.Username,
-				})
-				if err != nil {
-					return xerrors.Errorf("pick username prompt: %w", err)
-				}
-
-				organization, err := prompt(cmd, &promptui.Prompt{
-					Label:   "What is the name of your organization?",
-					Default: "acme-corp",
-				})
-				if err != nil {
-					return xerrors.Errorf("pick organization prompt: %w", err)
-				}
-
-				email, err := prompt(cmd, &promptui.Prompt{
-					Label: "What's your email?",
-					Validate: func(s string) error {
-						err := validator.New().Var(s, "email")
-						if err != nil {
-							return xerrors.New("That's not a valid email address!")
-						}
+				if username == "" {
+					if !isTTY(cmd) {
+						return xerrors.New("the initial user cannot be created in non-interactive mode. use the API")
+					}
+					_, err := cliui.Prompt(cmd, cliui.PromptOptions{
+						Text:      "Would you like to create the first user?",
+						Default:   cliui.ConfirmYes,
+						IsConfirm: true,
+					})
+					if errors.Is(err, cliui.Canceled) {
+						return nil
+					}
+					if err != nil {
 						return err
-					},
-				})
-				if err != nil {
-					return xerrors.Errorf("specify email prompt: %w", err)
+					}
+					currentUser, err := user.Current()
+					if err != nil {
+						return xerrors.Errorf("get current user: %w", err)
+					}
+					username, err = cliui.Prompt(cmd, cliui.PromptOptions{
+						Text:    "What " + cliui.Styles.Field.Render("username") + " would you like?",
+						Default: currentUser.Username,
+					})
+					if errors.Is(err, cliui.Canceled) {
+						return nil
+					}
+					if err != nil {
+						return xerrors.Errorf("pick username prompt: %w", err)
+					}
 				}
 
-				password, err := prompt(cmd, &promptui.Prompt{
-					Label: "Enter a password:",
-					Mask:  '*',
-				})
-				if err != nil {
-					return xerrors.Errorf("specify password prompt: %w", err)
+				if email == "" {
+					email, err = cliui.Prompt(cmd, cliui.PromptOptions{
+						Text: "What's your " + cliui.Styles.Field.Render("email") + "?",
+						Validate: func(s string) error {
+							err := validator.New().Var(s, "email")
+							if err != nil {
+								return xerrors.New("That's not a valid email address!")
+							}
+							return err
+						},
+					})
+					if err != nil {
+						return xerrors.Errorf("specify email prompt: %w", err)
+					}
 				}
 
-				_, err = client.CreateFirstUser(cmd.Context(), coderd.CreateFirstUserRequest{
-					Email:        email,
-					Username:     username,
-					Password:     password,
-					Organization: organization,
+				if password == "" {
+					var matching bool
+
+					for !matching {
+						password, err = cliui.Prompt(cmd, cliui.PromptOptions{
+							Text:     "Enter a " + cliui.Styles.Field.Render("password") + ":",
+							Secret:   true,
+							Validate: cliui.ValidateNotEmpty,
+						})
+						if err != nil {
+							return xerrors.Errorf("specify password prompt: %w", err)
+						}
+						confirm, err := cliui.Prompt(cmd, cliui.PromptOptions{
+							Text:   "Confirm " + cliui.Styles.Field.Render("password") + ":",
+							Secret: true,
+						})
+						if err != nil {
+							return xerrors.Errorf("confirm password prompt: %w", err)
+						}
+
+						matching = confirm == password
+						if !matching {
+							_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Error.Render("Passwords do not match"))
+						}
+					}
+				}
+
+				_, err = client.CreateFirstUser(cmd.Context(), codersdk.CreateFirstUserRequest{
+					Email:            email,
+					Username:         username,
+					OrganizationName: username,
+					Password:         password,
 				})
 				if err != nil {
 					return xerrors.Errorf("create initial user: %w", err)
 				}
-				resp, err := client.LoginWithPassword(cmd.Context(), coderd.LoginWithPasswordRequest{
+				resp, err := client.LoginWithPassword(cmd.Context(), codersdk.LoginWithPasswordRequest{
 					Email:    email,
 					Password: password,
 				})
@@ -147,37 +187,46 @@ func login() *cobra.Command {
 					return xerrors.Errorf("write server url: %w", err)
 				}
 
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s Welcome to Coder, %s! You're authenticated.\n", caret, color.HiCyanString(username))
+				_, _ = fmt.Fprintf(cmd.OutOrStdout(),
+					cliui.Styles.Paragraph.Render(fmt.Sprintf("Welcome to Coder, %s! You're authenticated.", cliui.Styles.Keyword.Render(username)))+"\n")
+
+				_, _ = fmt.Fprintf(cmd.OutOrStdout(),
+					cliui.Styles.Paragraph.Render("Get started by creating a template: "+cliui.Styles.Code.Render("coder templates init"))+"\n")
 				return nil
 			}
 
-			authURL := *serverURL
-			authURL.Path = serverURL.Path + "/cli-auth"
-			if err := openURL(cmd, authURL.String()); err != nil {
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Open the following in your browser:\n\n\t%s\n\n", authURL.String())
-			} else {
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Your browser has been opened to visit:\n\n\t%s\n\n", authURL.String())
-			}
+			sessionToken, _ := cmd.Flags().GetString(varToken)
+			if sessionToken == "" {
+				authURL := *serverURL
+				// Don't use filepath.Join, we don't want to use the os separator
+				// for a url.
+				authURL.Path = path.Join(serverURL.Path, "/cli-auth")
+				if err := openURL(cmd, authURL.String()); err != nil {
+					_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Open the following in your browser:\n\n\t%s\n\n", authURL.String())
+				} else {
+					_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Your browser has been opened to visit:\n\n\t%s\n\n", authURL.String())
+				}
 
-			sessionToken, err := prompt(cmd, &promptui.Prompt{
-				Label: "Paste your token here:",
-				Mask:  '*',
-				Validate: func(token string) error {
-					client.SessionToken = token
-					_, err := client.User(cmd.Context(), "me")
-					if err != nil {
-						return xerrors.New("That's not a valid token!")
-					}
-					return err
-				},
-			})
-			if err != nil {
-				return xerrors.Errorf("paste token prompt: %w", err)
+				sessionToken, err = cliui.Prompt(cmd, cliui.PromptOptions{
+					Text:   "Paste your token here:",
+					Secret: true,
+					Validate: func(token string) error {
+						client.SessionToken = token
+						_, err := client.User(cmd.Context(), codersdk.Me)
+						if err != nil {
+							return xerrors.New("That's not a valid token!")
+						}
+						return err
+					},
+				})
+				if err != nil {
+					return xerrors.Errorf("paste token prompt: %w", err)
+				}
 			}
 
 			// Login to get user data - verify it is OK before persisting
 			client.SessionToken = sessionToken
-			resp, err := client.User(cmd.Context(), "me")
+			resp, err := client.User(cmd.Context(), codersdk.Me)
 			if err != nil {
 				return xerrors.Errorf("get user: %w", err)
 			}
@@ -192,10 +241,14 @@ func login() *cobra.Command {
 				return xerrors.Errorf("write server url: %w", err)
 			}
 
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s Welcome to Coder, %s! You're authenticated.\n", caret, color.HiCyanString(resp.Username))
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(), caret+"Welcome to Coder, %s! You're authenticated.\n", cliui.Styles.Keyword.Render(resp.Username))
 			return nil
 		},
 	}
+	cliflag.StringVarP(cmd.Flags(), &email, "email", "e", "CODER_EMAIL", "", "Specifies an email address to authenticate with.")
+	cliflag.StringVarP(cmd.Flags(), &username, "username", "u", "CODER_USERNAME", "", "Specifies a username to authenticate with.")
+	cliflag.StringVarP(cmd.Flags(), &password, "password", "p", "CODER_PASSWORD", "", "Specifies a password to authenticate with.")
+	return cmd
 }
 
 // isWSL determines if coder-cli is running within Windows Subsystem for Linux
@@ -203,7 +256,7 @@ func isWSL() (bool, error) {
 	if runtime.GOOS == goosDarwin || runtime.GOOS == goosWindows {
 		return false, nil
 	}
-	data, err := ioutil.ReadFile("/proc/version")
+	data, err := os.ReadFile("/proc/version")
 	if err != nil {
 		return false, xerrors.Errorf("read /proc/version: %w", err)
 	}

cli/login_test.go

@@ -1,11 +1,14 @@
 package cli_test
 
 import (
+	"context"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/pty/ptytest"
 )
@@ -26,21 +29,23 @@ func TestLogin(t *testing.T) {
 		// The --force-tty flag is required on Windows, because the `isatty` library does not
 		// accurately detect Windows ptys when they are not attached to a process:
 		// https://github.com/mattn/go-isatty/issues/59
-		root, _ := clitest.New(t, "login", client.URL.String(), "--force-tty")
+		doneChan := make(chan struct{})
+		root, _ := clitest.New(t, "login", "--force-tty", client.URL.String())
 		pty := ptytest.New(t)
 		root.SetIn(pty.Input())
 		root.SetOut(pty.Output())
 		go func() {
+			defer close(doneChan)
 			err := root.Execute()
-			require.NoError(t, err)
+			assert.NoError(t, err)
 		}()
 
 		matches := []string{
-			"first user?", "y",
+			"first user?", "yes",
 			"username", "testuser",
-			"organization", "testorg",
 			"email", "user@coder.com",
 			"password", "password",
+			"password", "password", // Confirm.
 		}
 		for i := 0; i < len(matches); i += 2 {
 			match := matches[i]
@@ -49,6 +54,71 @@ func TestLogin(t *testing.T) {
 			pty.WriteLine(value)
 		}
 		pty.ExpectMatch("Welcome to Coder")
+		<-doneChan
+	})
+
+	t.Run("InitialUserFlags", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		// The --force-tty flag is required on Windows, because the `isatty` library does not
+		// accurately detect Windows ptys when they are not attached to a process:
+		// https://github.com/mattn/go-isatty/issues/59
+		doneChan := make(chan struct{})
+		root, _ := clitest.New(t, "login", client.URL.String(), "--username", "testuser", "--email", "user@coder.com", "--password", "password")
+		pty := ptytest.New(t)
+		root.SetIn(pty.Input())
+		root.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := root.Execute()
+			assert.NoError(t, err)
+		}()
+		pty.ExpectMatch("Welcome to Coder")
+		<-doneChan
+	})
+
+	t.Run("InitialUserTTYConfirmPasswordFailAndReprompt", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+		client := coderdtest.New(t, nil)
+		// The --force-tty flag is required on Windows, because the `isatty` library does not
+		// accurately detect Windows ptys when they are not attached to a process:
+		// https://github.com/mattn/go-isatty/issues/59
+		doneChan := make(chan struct{})
+		root, _ := clitest.New(t, "login", "--force-tty", client.URL.String())
+		pty := ptytest.New(t)
+		root.SetIn(pty.Input())
+		root.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := root.ExecuteContext(ctx)
+			assert.NoError(t, err)
+		}()
+
+		matches := []string{
+			"first user?", "yes",
+			"username", "testuser",
+			"email", "user@coder.com",
+			"password", "mypass",
+			"password", "wrongpass", // Confirm.
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+
+		// Validate that we reprompt for matching passwords.
+		pty.ExpectMatch("Passwords do not match")
+		pty.ExpectMatch("Enter a " + cliui.Styles.Field.Render("password"))
+
+		pty.WriteLine("pass")
+		pty.ExpectMatch("Confirm")
+		pty.WriteLine("pass")
+		pty.ExpectMatch("Welcome to Coder")
+		<-doneChan
 	})
 
 	t.Run("ExistingUserValidTokenTTY", func(t *testing.T) {
@@ -56,18 +126,21 @@ func TestLogin(t *testing.T) {
 		client := coderdtest.New(t, nil)
 		coderdtest.CreateFirstUser(t, client)
 
-		root, _ := clitest.New(t, "login", client.URL.String(), "--force-tty", "--no-open")
+		doneChan := make(chan struct{})
+		root, _ := clitest.New(t, "login", "--force-tty", client.URL.String(), "--no-open")
 		pty := ptytest.New(t)
 		root.SetIn(pty.Input())
 		root.SetOut(pty.Output())
 		go func() {
+			defer close(doneChan)
 			err := root.Execute()
-			require.NoError(t, err)
+			assert.NoError(t, err)
 		}()
 
 		pty.ExpectMatch("Paste your token here:")
 		pty.WriteLine(client.SessionToken)
 		pty.ExpectMatch("Welcome to Coder")
+		<-doneChan
 	})
 
 	t.Run("ExistingUserInvalidTokenTTY", func(t *testing.T) {
@@ -75,18 +148,36 @@ func TestLogin(t *testing.T) {
 		client := coderdtest.New(t, nil)
 		coderdtest.CreateFirstUser(t, client)
 
-		root, _ := clitest.New(t, "login", client.URL.String(), "--force-tty", "--no-open")
+		ctx, cancelFunc := context.WithCancel(context.Background())
+		defer cancelFunc()
+		doneChan := make(chan struct{})
+		root, _ := clitest.New(t, "login", client.URL.String(), "--no-open")
 		pty := ptytest.New(t)
 		root.SetIn(pty.Input())
 		root.SetOut(pty.Output())
 		go func() {
-			err := root.Execute()
+			defer close(doneChan)
+			err := root.ExecuteContext(ctx)
 			// An error is expected in this case, since the login wasn't successful:
-			require.Error(t, err)
+			assert.Error(t, err)
 		}()
 
 		pty.ExpectMatch("Paste your token here:")
 		pty.WriteLine("an-invalid-token")
 		pty.ExpectMatch("That's not a valid token!")
+		cancelFunc()
+		<-doneChan
+	})
+
+	t.Run("TokenFlag", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		coderdtest.CreateFirstUser(t, client)
+		root, cfg := clitest.New(t, "login", client.URL.String(), "--token", client.SessionToken)
+		err := root.Execute()
+		require.NoError(t, err)
+		sessionFile, err := cfg.Session().Read()
+		require.NoError(t, err)
+		require.Equal(t, client.SessionToken, sessionFile)
 	})
 }

cli/logout.go

@@ -0,0 +1,77 @@
+package cli
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliui"
+)
+
+func logout() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "logout",
+		Short: "Remove the local authenticated session",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+
+			var errors []error
+
+			config := createConfig(cmd)
+
+			_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:      "Are you sure you want to log out?",
+				IsConfirm: true,
+				Default:   cliui.ConfirmYes,
+			})
+			if err != nil {
+				return err
+			}
+
+			err = client.Logout(cmd.Context())
+			if err != nil {
+				errors = append(errors, xerrors.Errorf("logout api: %w", err))
+			}
+
+			err = config.URL().Delete()
+			// Only throw error if the URL configuration file is present,
+			// otherwise the user is already logged out, and we proceed
+			if err != nil && !os.IsNotExist(err) {
+				errors = append(errors, xerrors.Errorf("remove URL file: %w", err))
+			}
+
+			err = config.Session().Delete()
+			// Only throw error if the session configuration file is present,
+			// otherwise the user is already logged out, and we proceed
+			if err != nil && !os.IsNotExist(err) {
+				errors = append(errors, xerrors.Errorf("remove session file: %w", err))
+			}
+
+			err = config.Organization().Delete()
+			// If the organization configuration file is absent, we still proceed
+			if err != nil && !os.IsNotExist(err) {
+				errors = append(errors, xerrors.Errorf("remove organization file: %w", err))
+			}
+
+			if len(errors) > 0 {
+				var errorStringBuilder strings.Builder
+				for _, err := range errors {
+					_, _ = fmt.Fprint(&errorStringBuilder, "\t"+err.Error()+"\n")
+				}
+				errorString := strings.TrimRight(errorStringBuilder.String(), "\n")
+				return xerrors.New("Failed to log out.\n" + errorString)
+			}
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(), caret+"You are no longer logged in. You can log in using 'coder login <url>'.\n")
+			return nil
+		},
+	}
+
+	cliui.AllowSkipPrompt(cmd)
+	return cmd
+}

cli/logout_test.go

@@ -0,0 +1,217 @@
+package cli_test
+
+import (
+	"fmt"
+	"os"
+	"regexp"
+	"runtime"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/cli/config"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+func TestLogout(t *testing.T) {
+	t.Parallel()
+	t.Run("Logout", func(t *testing.T) {
+		t.Parallel()
+
+		pty := ptytest.New(t)
+		config := login(t, pty)
+
+		// Ensure session files exist.
+		require.FileExists(t, string(config.URL()))
+		require.FileExists(t, string(config.Session()))
+
+		logoutChan := make(chan struct{})
+		logout, _ := clitest.New(t, "logout", "--global-config", string(config))
+		logout.SetIn(pty.Input())
+		logout.SetOut(pty.Output())
+
+		go func() {
+			defer close(logoutChan)
+			err := logout.Execute()
+			assert.NoError(t, err)
+			assert.NoFileExists(t, string(config.URL()))
+			assert.NoFileExists(t, string(config.Session()))
+		}()
+
+		pty.ExpectMatch("Are you sure you want to log out?")
+		pty.WriteLine("yes")
+		pty.ExpectMatch("You are no longer logged in. You can log in using 'coder login <url>'.")
+		<-logoutChan
+	})
+	t.Run("SkipPrompt", func(t *testing.T) {
+		t.Parallel()
+
+		pty := ptytest.New(t)
+		config := login(t, pty)
+
+		// Ensure session files exist.
+		require.FileExists(t, string(config.URL()))
+		require.FileExists(t, string(config.Session()))
+
+		logoutChan := make(chan struct{})
+		logout, _ := clitest.New(t, "logout", "--global-config", string(config), "-y")
+		logout.SetIn(pty.Input())
+		logout.SetOut(pty.Output())
+
+		go func() {
+			defer close(logoutChan)
+			err := logout.Execute()
+			assert.NoError(t, err)
+			assert.NoFileExists(t, string(config.URL()))
+			assert.NoFileExists(t, string(config.Session()))
+		}()
+
+		pty.ExpectMatch("You are no longer logged in. You can log in using 'coder login <url>'.")
+		<-logoutChan
+	})
+	t.Run("NoURLFile", func(t *testing.T) {
+		t.Parallel()
+
+		pty := ptytest.New(t)
+		config := login(t, pty)
+
+		// Ensure session files exist.
+		require.FileExists(t, string(config.URL()))
+		require.FileExists(t, string(config.Session()))
+
+		err := os.Remove(string(config.URL()))
+		require.NoError(t, err)
+
+		logoutChan := make(chan struct{})
+		logout, _ := clitest.New(t, "logout", "--global-config", string(config))
+
+		logout.SetIn(pty.Input())
+		logout.SetOut(pty.Output())
+
+		go func() {
+			defer close(logoutChan)
+			err := logout.Execute()
+			assert.EqualError(t, err, "You are not logged in. Try logging in using 'coder login <url>'.")
+		}()
+
+		<-logoutChan
+	})
+	t.Run("NoSessionFile", func(t *testing.T) {
+		t.Parallel()
+
+		pty := ptytest.New(t)
+		config := login(t, pty)
+
+		// Ensure session files exist.
+		require.FileExists(t, string(config.URL()))
+		require.FileExists(t, string(config.Session()))
+
+		err := os.Remove(string(config.Session()))
+		require.NoError(t, err)
+
+		logoutChan := make(chan struct{})
+		logout, _ := clitest.New(t, "logout", "--global-config", string(config))
+
+		logout.SetIn(pty.Input())
+		logout.SetOut(pty.Output())
+
+		go func() {
+			defer close(logoutChan)
+			err = logout.Execute()
+			assert.EqualError(t, err, "You are not logged in. Try logging in using 'coder login <url>'.")
+		}()
+
+		<-logoutChan
+	})
+	t.Run("CannotDeleteFiles", func(t *testing.T) {
+		t.Parallel()
+
+		pty := ptytest.New(t)
+		config := login(t, pty)
+
+		// Ensure session files exist.
+		require.FileExists(t, string(config.URL()))
+		require.FileExists(t, string(config.Session()))
+
+		var (
+			err         error
+			urlFile     *os.File
+			sessionFile *os.File
+		)
+		if runtime.GOOS == "windows" {
+			// Opening the files so Windows does not allow deleting them.
+			urlFile, err = os.Open(string(config.URL()))
+			require.NoError(t, err)
+			sessionFile, err = os.Open(string(config.Session()))
+			require.NoError(t, err)
+		} else {
+			// Changing the permissions to throw error during deletion.
+			err = os.Chmod(string(config), 0500)
+			require.NoError(t, err)
+		}
+		defer func() {
+			if runtime.GOOS == "windows" {
+				// Closing the opened files for cleanup.
+				err = urlFile.Close()
+				assert.NoError(t, err)
+				err = sessionFile.Close()
+				assert.NoError(t, err)
+			} else {
+				// Setting the permissions back for cleanup.
+				err = os.Chmod(string(config), 0o700)
+				assert.NoError(t, err)
+			}
+		}()
+
+		logoutChan := make(chan struct{})
+		logout, _ := clitest.New(t, "logout", "--global-config", string(config))
+
+		logout.SetIn(pty.Input())
+		logout.SetOut(pty.Output())
+
+		go func() {
+			defer close(logoutChan)
+			err := logout.Execute()
+			assert.NotNil(t, err)
+			var errorMessage string
+			if runtime.GOOS == "windows" {
+				errorMessage = "The process cannot access the file because it is being used by another process."
+			} else {
+				errorMessage = "permission denied"
+			}
+			errRegex := regexp.MustCompile(fmt.Sprintf("Failed to log out.\n\tremove URL file: .+: %s\n\tremove session file: .+: %s", errorMessage, errorMessage))
+			assert.Regexp(t, errRegex, err.Error())
+		}()
+
+		pty.ExpectMatch("Are you sure you want to log out?")
+		pty.WriteLine("yes")
+		<-logoutChan
+	})
+}
+
+func login(t *testing.T, pty *ptytest.PTY) config.Root {
+	t.Helper()
+
+	client := coderdtest.New(t, nil)
+	coderdtest.CreateFirstUser(t, client)
+
+	doneChan := make(chan struct{})
+	root, cfg := clitest.New(t, "login", "--force-tty", client.URL.String(), "--no-open")
+	root.SetIn(pty.Input())
+	root.SetOut(pty.Output())
+	go func() {
+		defer close(doneChan)
+		err := root.Execute()
+		assert.NoError(t, err)
+	}()
+
+	pty.ExpectMatch("Paste your token here:")
+	pty.WriteLine(client.SessionToken)
+	pty.ExpectMatch("Welcome to Coder")
+	<-doneChan
+
+	return cfg
+}

cli/parameter.go

@@ -0,0 +1,57 @@
+package cli
+
+import (
+	"os"
+
+	"golang.org/x/xerrors"
+	"gopkg.in/yaml.v3"
+
+	"github.com/spf13/cobra"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/codersdk"
+)
+
+// Reads a YAML file and populates a string -> string map.
+// Throws an error if the file name is empty.
+func createParameterMapFromFile(parameterFile string) (map[string]string, error) {
+	if parameterFile != "" {
+		parameterMap := make(map[string]string)
+
+		parameterFileContents, err := os.ReadFile(parameterFile)
+
+		if err != nil {
+			return nil, err
+		}
+
+		err = yaml.Unmarshal(parameterFileContents, &parameterMap)
+
+		if err != nil {
+			return nil, err
+		}
+
+		return parameterMap, nil
+	}
+
+	return nil, xerrors.Errorf("Parameter file name is not specified")
+}
+
+// Returns a parameter value from a given map, if the map exists, else takes input from the user.
+// Throws an error if the map exists but does not include a value for the parameter.
+func getParameterValueFromMapOrInput(cmd *cobra.Command, parameterMap map[string]string, parameterSchema codersdk.ParameterSchema) (string, error) {
+	var parameterValue string
+	if parameterMap != nil {
+		var ok bool
+		parameterValue, ok = parameterMap[parameterSchema.Name]
+		if !ok {
+			return "", xerrors.Errorf("Parameter value absent in parameter file for %q!", parameterSchema.Name)
+		}
+	} else {
+		var err error
+		parameterValue, err = cliui.ParameterSchema(cmd, parameterSchema)
+		if err != nil {
+			return "", err
+		}
+	}
+	return parameterValue, nil
+}

cli/parameter_internal_test.go

@@ -0,0 +1,79 @@
+package cli
+
+import (
+	"os"
+	"runtime"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCreateParameterMapFromFile(t *testing.T) {
+	t.Parallel()
+	t.Run("CreateParameterMapFromFile", func(t *testing.T) {
+		t.Parallel()
+		tempDir := t.TempDir()
+		parameterFile, _ := os.CreateTemp(tempDir, "testParameterFile*.yaml")
+		_, _ = parameterFile.WriteString("region: \"bananas\"\ndisk: \"20\"\n")
+
+		parameterMapFromFile, err := createParameterMapFromFile(parameterFile.Name())
+
+		expectedMap := map[string]string{
+			"region": "bananas",
+			"disk":   "20",
+		}
+
+		assert.Equal(t, expectedMap, parameterMapFromFile)
+		assert.Nil(t, err)
+
+		removeTmpDirUntilSuccess(t, tempDir)
+	})
+	t.Run("WithEmptyFilename", func(t *testing.T) {
+		t.Parallel()
+
+		parameterMapFromFile, err := createParameterMapFromFile("")
+
+		assert.Nil(t, parameterMapFromFile)
+		assert.EqualError(t, err, "Parameter file name is not specified")
+	})
+	t.Run("WithInvalidFilename", func(t *testing.T) {
+		t.Parallel()
+
+		parameterMapFromFile, err := createParameterMapFromFile("invalidFile.yaml")
+
+		assert.Nil(t, parameterMapFromFile)
+
+		// On Unix based systems, it is: `open invalidFile.yaml: no such file or directory`
+		// On Windows, it is `open invalidFile.yaml: The system cannot find the file specified.`
+		if runtime.GOOS == "windows" {
+			assert.EqualError(t, err, "open invalidFile.yaml: The system cannot find the file specified.")
+		} else {
+			assert.EqualError(t, err, "open invalidFile.yaml: no such file or directory")
+		}
+	})
+	t.Run("WithInvalidYAML", func(t *testing.T) {
+		t.Parallel()
+		tempDir := t.TempDir()
+		parameterFile, _ := os.CreateTemp(tempDir, "testParameterFile*.yaml")
+		_, _ = parameterFile.WriteString("region = \"bananas\"\ndisk = \"20\"\n")
+
+		parameterMapFromFile, err := createParameterMapFromFile(parameterFile.Name())
+
+		assert.Nil(t, parameterMapFromFile)
+		assert.EqualError(t, err, "yaml: unmarshal errors:\n  line 1: cannot unmarshal !!str `region ...` into map[string]string")
+
+		removeTmpDirUntilSuccess(t, tempDir)
+	})
+}
+
+// Need this for Windows because of a known issue with Go:
+// https://github.com/golang/go/issues/52986
+func removeTmpDirUntilSuccess(t *testing.T, tempDir string) {
+	t.Helper()
+	t.Cleanup(func() {
+		err := os.RemoveAll(tempDir)
+		for err != nil {
+			err = os.RemoveAll(tempDir)
+		}
+	})
+}

cli/parameters.go

@@ -0,0 +1,28 @@
+package cli
+
+import (
+	"github.com/spf13/cobra"
+)
+
+func parameters() *cobra.Command {
+	cmd := &cobra.Command{
+		Short: "List parameters for a given scope",
+		Example: formatExamples(
+			example{
+				Command: "coder parameters list workspace my-workspace",
+			},
+		),
+		Use: "parameters",
+		// Currently hidden as this shows parameter values, not parameter
+		// schemes. Until we have a good way to distinguish the two, it's better
+		// not to add confusion or lock ourselves into a certain api.
+		// This cmd is still valuable debugging tool for devs to avoid
+		// constructing curl requests.
+		Hidden:  true,
+		Aliases: []string{"params"},
+	}
+	cmd.AddCommand(
+		parameterList(),
+	)
+	return cmd
+}

cli/parameterslist.go

@@ -0,0 +1,86 @@
+package cli
+
+import (
+	"fmt"
+
+	"github.com/google/uuid"
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/codersdk"
+)
+
+func parameterList() *cobra.Command {
+	var (
+		columns []string
+	)
+	cmd := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls"},
+		Args:    cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			scope, name := args[0], args[1]
+
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+
+			organization, err := currentOrganization(cmd, client)
+			if err != nil {
+				return xerrors.Errorf("get current organization: %w", err)
+			}
+
+			var scopeID uuid.UUID
+			switch codersdk.ParameterScope(scope) {
+			case codersdk.ParameterWorkspace:
+				workspace, err := namedWorkspace(cmd, client, name)
+				if err != nil {
+					return err
+				}
+				scopeID = workspace.ID
+			case codersdk.ParameterTemplate:
+				template, err := client.TemplateByName(cmd.Context(), organization.ID, name)
+				if err != nil {
+					return xerrors.Errorf("get workspace template: %w", err)
+				}
+				scopeID = template.ID
+			case codersdk.ParameterImportJob, "template_version":
+				scope = string(codersdk.ParameterImportJob)
+				scopeID, err = uuid.Parse(name)
+				if err != nil {
+					return xerrors.Errorf("%q must be a uuid for this scope type", name)
+				}
+
+				// Could be a template_version id or a job id. Check for the
+				// version id.
+				tv, err := client.TemplateVersion(cmd.Context(), scopeID)
+				if err == nil {
+					scopeID = tv.Job.ID
+				}
+
+			default:
+				return xerrors.Errorf("%q is an unsupported scope, use %v", scope, []codersdk.ParameterScope{
+					codersdk.ParameterWorkspace, codersdk.ParameterTemplate, codersdk.ParameterImportJob,
+				})
+			}
+
+			params, err := client.Parameters(cmd.Context(), codersdk.ParameterScope(scope), scopeID)
+			if err != nil {
+				return xerrors.Errorf("fetch params: %w", err)
+			}
+
+			out, err := cliui.DisplayTable(params, "name", columns)
+			if err != nil {
+				return xerrors.Errorf("render table: %w", err)
+			}
+
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), out)
+			return err
+		},
+	}
+	cmd.Flags().StringArrayVarP(&columns, "column", "c", []string{"name", "scope", "destination scheme"},
+		"Specify a column to filter in the table.")
+	return cmd
+}

cli/portforward.go

@@ -0,0 +1,380 @@
+package cli
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"os/signal"
+	"runtime"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+
+	"github.com/pion/udp"
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	coderagent "github.com/coder/coder/agent"
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/codersdk"
+)
+
+func portForward() *cobra.Command {
+	var (
+		tcpForwards  []string // <port>:<port>
+		udpForwards  []string // <port>:<port>
+		unixForwards []string // <path>:<path> OR <port>:<path>
+	)
+	cmd := &cobra.Command{
+		Use:     "port-forward <workspace>",
+		Short:   "Forward one or more ports from the local machine to the remote workspace",
+		Aliases: []string{"tunnel"},
+		Args:    cobra.ExactArgs(1),
+		Example: formatExamples(
+			example{
+				Description: "Port forward a single TCP port from 1234 in the workspace to port 5678 on your local machine",
+				Command:     "coder port-forward <workspace> --tcp 5678:1234",
+			},
+			example{
+				Description: "Port forward a single UDP port from port 9000 to port 9000 on your local machine",
+				Command:     "coder port-forward <workspace> --udp 9000",
+			},
+			example{
+				Description: "Forward a Unix socket in the workspace to a local Unix socket",
+				Command:     "coder port-forward <workspace> --unix ./local.sock:~/remote.sock",
+			},
+			example{
+				Description: "Forward a Unix socket in the workspace to a local TCP port",
+				Command:     "coder port-forward <workspace> --unix 8080:~/remote.sock",
+			},
+			example{
+				Description: "Port forward multiple TCP ports and a UDP port",
+				Command:     "coder port-forward <workspace> --tcp 8080:8080 --tcp 9000:3000 --udp 5353:53",
+			},
+		),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx, cancel := context.WithCancel(cmd.Context())
+			defer cancel()
+
+			specs, err := parsePortForwards(tcpForwards, udpForwards, unixForwards)
+			if err != nil {
+				return xerrors.Errorf("parse port-forward specs: %w", err)
+			}
+			if len(specs) == 0 {
+				err = cmd.Help()
+				if err != nil {
+					return xerrors.Errorf("generate help output: %w", err)
+				}
+				return xerrors.New("no port-forwards requested")
+			}
+
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+
+			workspace, agent, err := getWorkspaceAndAgent(ctx, cmd, client, codersdk.Me, args[0], false)
+			if err != nil {
+				return err
+			}
+			if workspace.LatestBuild.Transition != codersdk.WorkspaceTransitionStart {
+				return xerrors.New("workspace must be in start transition to port-forward")
+			}
+			if workspace.LatestBuild.Job.CompletedAt == nil {
+				err = cliui.WorkspaceBuild(ctx, cmd.ErrOrStderr(), client, workspace.LatestBuild.ID, workspace.CreatedAt)
+				if err != nil {
+					return err
+				}
+			}
+
+			err = cliui.Agent(ctx, cmd.ErrOrStderr(), cliui.AgentOptions{
+				WorkspaceName: workspace.Name,
+				Fetch: func(ctx context.Context) (codersdk.WorkspaceAgent, error) {
+					return client.WorkspaceAgent(ctx, agent.ID)
+				},
+			})
+			if err != nil {
+				return xerrors.Errorf("await agent: %w", err)
+			}
+
+			conn, err := client.DialWorkspaceAgent(ctx, agent.ID, nil)
+			if err != nil {
+				return xerrors.Errorf("dial workspace agent: %w", err)
+			}
+			defer conn.Close()
+
+			// Start all listeners.
+			var (
+				wg                = new(sync.WaitGroup)
+				listeners         = make([]net.Listener, len(specs))
+				closeAllListeners = func() {
+					for _, l := range listeners {
+						if l == nil {
+							continue
+						}
+						_ = l.Close()
+					}
+				}
+			)
+			defer closeAllListeners()
+
+			for i, spec := range specs {
+				l, err := listenAndPortForward(ctx, cmd, conn, wg, spec)
+				if err != nil {
+					return err
+				}
+				listeners[i] = l
+			}
+
+			// Wait for the context to be canceled or for a signal and close
+			// all listeners.
+			var closeErr error
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+
+				sigs := make(chan os.Signal, 1)
+				signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
+
+				select {
+				case <-ctx.Done():
+					closeErr = ctx.Err()
+				case <-sigs:
+					_, _ = fmt.Fprintln(cmd.OutOrStderr(), "Received signal, closing all listeners and active connections")
+					closeErr = xerrors.New("signal received")
+				}
+
+				cancel()
+				closeAllListeners()
+			}()
+
+			_, _ = fmt.Fprintln(cmd.OutOrStderr(), "Ready!")
+			wg.Wait()
+			return closeErr
+		},
+	}
+
+	cmd.Flags().StringArrayVarP(&tcpForwards, "tcp", "p", []string{}, "Forward a TCP port from the workspace to the local machine")
+	cmd.Flags().StringArrayVar(&udpForwards, "udp", []string{}, "Forward a UDP port from the workspace to the local machine. The UDP connection has TCP-like semantics to support stateful UDP protocols")
+	cmd.Flags().StringArrayVar(&unixForwards, "unix", []string{}, "Forward a Unix socket in the workspace to a local Unix socket or TCP port")
+
+	return cmd
+}
+
+func listenAndPortForward(ctx context.Context, cmd *cobra.Command, conn *coderagent.Conn, wg *sync.WaitGroup, spec portForwardSpec) (net.Listener, error) {
+	_, _ = fmt.Fprintf(cmd.OutOrStderr(), "Forwarding '%v://%v' locally to '%v://%v' in the workspace\n", spec.listenNetwork, spec.listenAddress, spec.dialNetwork, spec.dialAddress)
+
+	var (
+		l   net.Listener
+		err error
+	)
+	switch spec.listenNetwork {
+	case "tcp":
+		l, err = net.Listen(spec.listenNetwork, spec.listenAddress)
+	case "udp":
+		var host, port string
+		host, port, err = net.SplitHostPort(spec.listenAddress)
+		if err != nil {
+			return nil, xerrors.Errorf("split %q: %w", spec.listenAddress, err)
+		}
+
+		var portInt int
+		portInt, err = strconv.Atoi(port)
+		if err != nil {
+			return nil, xerrors.Errorf("parse port %v from %q as int: %w", port, spec.listenAddress, err)
+		}
+
+		l, err = udp.Listen(spec.listenNetwork, &net.UDPAddr{
+			IP:   net.ParseIP(host),
+			Port: portInt,
+		})
+	case "unix":
+		l, err = net.Listen(spec.listenNetwork, spec.listenAddress)
+	default:
+		return nil, xerrors.Errorf("unknown listen network %q", spec.listenNetwork)
+	}
+	if err != nil {
+		return nil, xerrors.Errorf("listen '%v://%v': %w", spec.listenNetwork, spec.listenAddress, err)
+	}
+
+	wg.Add(1)
+	go func(spec portForwardSpec) {
+		defer wg.Done()
+		for {
+			netConn, err := l.Accept()
+			if err != nil {
+				_, _ = fmt.Fprintf(cmd.OutOrStderr(), "Error accepting connection from '%v://%v': %+v\n", spec.listenNetwork, spec.listenAddress, err)
+				_, _ = fmt.Fprintln(cmd.OutOrStderr(), "Killing listener")
+				return
+			}
+
+			go func(netConn net.Conn) {
+				defer netConn.Close()
+				remoteConn, err := conn.DialContext(ctx, spec.dialNetwork, spec.dialAddress)
+				if err != nil {
+					_, _ = fmt.Fprintf(cmd.OutOrStderr(), "Failed to dial '%v://%v' in workspace: %s\n", spec.dialNetwork, spec.dialAddress, err)
+					return
+				}
+				defer remoteConn.Close()
+
+				coderagent.Bicopy(ctx, netConn, remoteConn)
+			}(netConn)
+		}
+	}(spec)
+
+	return l, nil
+}
+
+type portForwardSpec struct {
+	listenNetwork string // tcp, udp, unix
+	listenAddress string // <ip>:<port> or path
+
+	dialNetwork string // tcp, udp, unix
+	dialAddress string // <ip>:<port> or path
+}
+
+func parsePortForwards(tcpSpecs, udpSpecs, unixSpecs []string) ([]portForwardSpec, error) {
+	specs := []portForwardSpec{}
+
+	for _, spec := range tcpSpecs {
+		local, remote, err := parsePortPort(spec)
+		if err != nil {
+			return nil, xerrors.Errorf("failed to parse TCP port-forward specification %q: %w", spec, err)
+		}
+
+		specs = append(specs, portForwardSpec{
+			listenNetwork: "tcp",
+			listenAddress: fmt.Sprintf("127.0.0.1:%v", local),
+			dialNetwork:   "tcp",
+			dialAddress:   fmt.Sprintf("127.0.0.1:%v", remote),
+		})
+	}
+
+	for _, spec := range udpSpecs {
+		local, remote, err := parsePortPort(spec)
+		if err != nil {
+			return nil, xerrors.Errorf("failed to parse UDP port-forward specification %q: %w", spec, err)
+		}
+
+		specs = append(specs, portForwardSpec{
+			listenNetwork: "udp",
+			listenAddress: fmt.Sprintf("127.0.0.1:%v", local),
+			dialNetwork:   "udp",
+			dialAddress:   fmt.Sprintf("127.0.0.1:%v", remote),
+		})
+	}
+
+	for _, specStr := range unixSpecs {
+		localPath, localTCP, remotePath, err := parseUnixUnix(specStr)
+		if err != nil {
+			return nil, xerrors.Errorf("failed to parse Unix port-forward specification %q: %w", specStr, err)
+		}
+
+		spec := portForwardSpec{
+			dialNetwork: "unix",
+			dialAddress: remotePath,
+		}
+		if localPath == "" {
+			spec.listenNetwork = "tcp"
+			spec.listenAddress = fmt.Sprintf("127.0.0.1:%v", localTCP)
+		} else {
+			if runtime.GOOS == "windows" {
+				return nil, xerrors.Errorf("Unix port-forwarding is not supported on Windows")
+			}
+			spec.listenNetwork = "unix"
+			spec.listenAddress = localPath
+		}
+		specs = append(specs, spec)
+	}
+
+	// Check for duplicate entries.
+	locals := map[string]struct{}{}
+	for _, spec := range specs {
+		localStr := fmt.Sprintf("%v:%v", spec.listenNetwork, spec.listenAddress)
+		if _, ok := locals[localStr]; ok {
+			return nil, xerrors.Errorf("local %v %v is specified twice", spec.listenNetwork, spec.listenAddress)
+		}
+		locals[localStr] = struct{}{}
+	}
+
+	return specs, nil
+}
+
+func parsePort(in string) (uint16, error) {
+	port, err := strconv.ParseUint(strings.TrimSpace(in), 10, 16)
+	if err != nil {
+		return 0, xerrors.Errorf("parse port %q: %w", in, err)
+	}
+	if port == 0 {
+		return 0, xerrors.New("port cannot be 0")
+	}
+
+	return uint16(port), nil
+}
+
+func parseUnixPath(in string) (string, error) {
+	path, err := coderagent.ExpandRelativeHomePath(strings.TrimSpace(in))
+	if err != nil {
+		return "", xerrors.Errorf("tidy path %q: %w", in, err)
+	}
+
+	return path, nil
+}
+
+func parsePortPort(in string) (local uint16, remote uint16, err error) {
+	parts := strings.Split(in, ":")
+	if len(parts) > 2 {
+		return 0, 0, xerrors.Errorf("invalid port specification %q", in)
+	}
+	if len(parts) == 1 {
+		// Duplicate the single part
+		parts = append(parts, parts[0])
+	}
+
+	local, err = parsePort(parts[0])
+	if err != nil {
+		return 0, 0, xerrors.Errorf("parse local port from %q: %w", in, err)
+	}
+	remote, err = parsePort(parts[1])
+	if err != nil {
+		return 0, 0, xerrors.Errorf("parse remote port from %q: %w", in, err)
+	}
+
+	return local, remote, nil
+}
+
+func parsePortOrUnixPath(in string) (string, uint16, error) {
+	port, err := parsePort(in)
+	if err == nil {
+		return "", port, nil
+	}
+
+	path, err := parseUnixPath(in)
+	if err != nil {
+		return "", 0, xerrors.Errorf("could not parse port or unix path %q: %w", in, err)
+	}
+
+	return path, 0, nil
+}
+
+func parseUnixUnix(in string) (string, uint16, string, error) {
+	parts := strings.Split(in, ":")
+	if len(parts) > 2 {
+		return "", 0, "", xerrors.Errorf("invalid port-forward specification %q", in)
+	}
+	if len(parts) == 1 {
+		// Duplicate the single part
+		parts = append(parts, parts[0])
+	}
+
+	localPath, localPort, err := parsePortOrUnixPath(parts[0])
+	if err != nil {
+		return "", 0, "", xerrors.Errorf("parse local part of spec %q: %w", in, err)
+	}
+
+	// We don't really touch the remote path at all since it gets cleaned
+	// up/expanded on the remote.
+	return localPath, localPort, parts[1], nil
+}

cli/portforward_test.go

@@ -0,0 +1,546 @@
+package cli_test
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/pion/udp"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/provisioner/echo"
+	"github.com/coder/coder/provisionersdk/proto"
+	"github.com/coder/coder/testutil"
+)
+
+func TestPortForward(t *testing.T) {
+	t.Parallel()
+
+	t.Run("None", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+
+		cmd, root := clitest.New(t, "port-forward", "blah")
+		clitest.SetupConfig(t, client, root)
+		buf := newThreadSafeBuffer()
+		cmd.SetOut(buf)
+
+		err := cmd.Execute()
+		require.Error(t, err)
+		require.ErrorContains(t, err, "no port-forwards")
+
+		// Check that the help was printed.
+		require.Contains(t, buf.String(), "port-forward <workspace>")
+	})
+
+	cases := []struct {
+		name    string
+		network string
+		// The flag to pass to `coder port-forward X` to port-forward this type
+		// of connection. Has two format args (both strings), the first is the
+		// local address and the second is the remote address.
+		flag string
+		// setupRemote creates a "remote" listener to emulate a service in the
+		// workspace.
+		setupRemote func(t *testing.T) net.Listener
+		// setupLocal returns an available port or Unix socket path that the
+		// port-forward command will listen on "locally". Returns the address
+		// you pass to net.Dial, and the port/path you pass to `coder
+		// port-forward`.
+		setupLocal func(t *testing.T) (string, string)
+	}{
+		{
+			name:    "TCP",
+			network: "tcp",
+			flag:    "--tcp=%v:%v",
+			setupRemote: func(t *testing.T) net.Listener {
+				l, err := net.Listen("tcp", "127.0.0.1:0")
+				require.NoError(t, err, "create TCP listener")
+				return l
+			},
+			setupLocal: func(t *testing.T) (string, string) {
+				l, err := net.Listen("tcp", "127.0.0.1:0")
+				require.NoError(t, err, "create TCP listener to generate random port")
+				defer l.Close()
+
+				_, port, err := net.SplitHostPort(l.Addr().String())
+				require.NoErrorf(t, err, "split TCP address %q", l.Addr().String())
+				return l.Addr().String(), port
+			},
+		},
+		{
+			name:    "UDP",
+			network: "udp",
+			flag:    "--udp=%v:%v",
+			setupRemote: func(t *testing.T) net.Listener {
+				addr := net.UDPAddr{
+					IP:   net.ParseIP("127.0.0.1"),
+					Port: 0,
+				}
+				l, err := udp.Listen("udp", &addr)
+				require.NoError(t, err, "create UDP listener")
+				return l
+			},
+			setupLocal: func(t *testing.T) (string, string) {
+				addr := net.UDPAddr{
+					IP:   net.ParseIP("127.0.0.1"),
+					Port: 0,
+				}
+				l, err := udp.Listen("udp", &addr)
+				require.NoError(t, err, "create UDP listener to generate random port")
+				defer l.Close()
+
+				_, port, err := net.SplitHostPort(l.Addr().String())
+				require.NoErrorf(t, err, "split UDP address %q", l.Addr().String())
+				return l.Addr().String(), port
+			},
+		},
+		{
+			name:    "Unix",
+			network: "unix",
+			flag:    "--unix=%v:%v",
+			setupRemote: func(t *testing.T) net.Listener {
+				if runtime.GOOS == "windows" {
+					t.Skip("Unix socket forwarding isn't supported on Windows")
+				}
+
+				tmpDir := t.TempDir()
+				l, err := net.Listen("unix", filepath.Join(tmpDir, "test.sock"))
+				require.NoError(t, err, "create UDP listener")
+				return l
+			},
+			setupLocal: func(t *testing.T) (string, string) {
+				tmpDir := t.TempDir()
+				path := filepath.Join(tmpDir, "test.sock")
+				return path, path
+			},
+		},
+	}
+
+	// Setup agent once to be shared between test-cases (avoid expensive
+	// non-parallel setup).
+	var (
+		client       = coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		user         = coderdtest.CreateFirstUser(t, client)
+		_, workspace = runAgent(t, client, user.UserID)
+	)
+
+	for _, c := range cases { //nolint:paralleltest // the `c := c` confuses the linter
+		c := c
+		// Delay parallel tests here because setupLocal reserves
+		// a free open port which is not guaranteed to be free
+		// between the listener closing and port-forward ready.
+		t.Run(c.name, func(t *testing.T) {
+			t.Run("OnePort", func(t *testing.T) {
+				p1 := setupTestListener(t, c.setupRemote(t))
+
+				// Create a flag that forwards from local to listener 1.
+				localAddress, localFlag := c.setupLocal(t)
+				flag := fmt.Sprintf(c.flag, localFlag, p1)
+
+				// Launch port-forward in a goroutine so we can start dialing
+				// the "local" listener.
+				cmd, root := clitest.New(t, "port-forward", workspace.Name, flag)
+				clitest.SetupConfig(t, client, root)
+				buf := newThreadSafeBuffer()
+				cmd.SetOut(buf)
+				ctx, cancel := context.WithCancel(context.Background())
+				defer cancel()
+				errC := make(chan error)
+				go func() {
+					errC <- cmd.ExecuteContext(ctx)
+				}()
+				waitForPortForwardReady(t, buf)
+
+				t.Parallel() // Port is reserved, enable parallel execution.
+
+				// Open two connections simultaneously and test them out of
+				// sync.
+				d := net.Dialer{Timeout: testutil.WaitShort}
+				c1, err := d.DialContext(ctx, c.network, localAddress)
+				require.NoError(t, err, "open connection 1 to 'local' listener")
+				defer c1.Close()
+				c2, err := d.DialContext(ctx, c.network, localAddress)
+				require.NoError(t, err, "open connection 2 to 'local' listener")
+				defer c2.Close()
+				testDial(t, c2)
+				testDial(t, c1)
+
+				cancel()
+				err = <-errC
+				require.ErrorIs(t, err, context.Canceled)
+			})
+
+			//nolint:paralleltest
+			t.Run("TwoPorts", func(t *testing.T) {
+				var (
+					p1 = setupTestListener(t, c.setupRemote(t))
+					p2 = setupTestListener(t, c.setupRemote(t))
+				)
+
+				// Create a flags for listener 1 and listener 2.
+				localAddress1, localFlag1 := c.setupLocal(t)
+				localAddress2, localFlag2 := c.setupLocal(t)
+				flag1 := fmt.Sprintf(c.flag, localFlag1, p1)
+				flag2 := fmt.Sprintf(c.flag, localFlag2, p2)
+
+				// Launch port-forward in a goroutine so we can start dialing
+				// the "local" listeners.
+				cmd, root := clitest.New(t, "port-forward", workspace.Name, flag1, flag2)
+				clitest.SetupConfig(t, client, root)
+				buf := newThreadSafeBuffer()
+				cmd.SetOut(buf)
+				ctx, cancel := context.WithCancel(context.Background())
+				defer cancel()
+				errC := make(chan error)
+				go func() {
+					errC <- cmd.ExecuteContext(ctx)
+				}()
+				waitForPortForwardReady(t, buf)
+
+				t.Parallel() // Port is reserved, enable parallel execution.
+
+				// Open a connection to both listener 1 and 2 simultaneously and
+				// then test them out of order.
+				d := net.Dialer{Timeout: testutil.WaitShort}
+				c1, err := d.DialContext(ctx, c.network, localAddress1)
+				require.NoError(t, err, "open connection 1 to 'local' listener 1")
+				defer c1.Close()
+				c2, err := d.DialContext(ctx, c.network, localAddress2)
+				require.NoError(t, err, "open connection 2 to 'local' listener 2")
+				defer c2.Close()
+				testDial(t, c2)
+				testDial(t, c1)
+
+				cancel()
+				err = <-errC
+				require.ErrorIs(t, err, context.Canceled)
+			})
+		})
+	}
+
+	// Test doing a TCP -> Unix forward.
+	//nolint:paralleltest
+	t.Run("TCP2Unix", func(t *testing.T) {
+		var (
+			// Find the TCP and Unix cases so we can use their setupLocal and
+			// setupRemote methods respectively.
+			tcpCase  = cases[0]
+			unixCase = cases[2]
+
+			// Setup remote Unix listener.
+			p1 = setupTestListener(t, unixCase.setupRemote(t))
+		)
+
+		// Create a flag that forwards from local TCP to Unix listener 1.
+		// Notably this is a --unix flag.
+		localAddress, localFlag := tcpCase.setupLocal(t)
+		flag := fmt.Sprintf(unixCase.flag, localFlag, p1)
+
+		// Launch port-forward in a goroutine so we can start dialing
+		// the "local" listener.
+		cmd, root := clitest.New(t, "port-forward", workspace.Name, flag)
+		clitest.SetupConfig(t, client, root)
+		buf := newThreadSafeBuffer()
+		cmd.SetOut(buf)
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+		errC := make(chan error)
+		go func() {
+			errC <- cmd.ExecuteContext(ctx)
+		}()
+		waitForPortForwardReady(t, buf)
+
+		t.Parallel() // Port is reserved, enable parallel execution.
+
+		// Open two connections simultaneously and test them out of
+		// sync.
+		d := net.Dialer{Timeout: testutil.WaitShort}
+		c1, err := d.DialContext(ctx, tcpCase.network, localAddress)
+		require.NoError(t, err, "open connection 1 to 'local' listener")
+		defer c1.Close()
+		c2, err := d.DialContext(ctx, tcpCase.network, localAddress)
+		require.NoError(t, err, "open connection 2 to 'local' listener")
+		defer c2.Close()
+		testDial(t, c2)
+		testDial(t, c1)
+
+		cancel()
+		err = <-errC
+		require.ErrorIs(t, err, context.Canceled)
+	})
+
+	// Test doing TCP, UDP and Unix at the same time.
+	//nolint:paralleltest
+	t.Run("All", func(t *testing.T) {
+		var (
+			// These aren't fixed size because we exclude Unix on Windows.
+			dials = []addr{}
+			flags = []string{}
+		)
+
+		// Start listeners and populate arrays with the cases.
+		for _, c := range cases {
+			if strings.HasPrefix(c.network, "unix") && runtime.GOOS == "windows" {
+				// Unix isn't supported on Windows, but we can still
+				// test other protocols together.
+				continue
+			}
+
+			p := setupTestListener(t, c.setupRemote(t))
+
+			localAddress, localFlag := c.setupLocal(t)
+			dials = append(dials, addr{
+				network: c.network,
+				addr:    localAddress,
+			})
+			flags = append(flags, fmt.Sprintf(c.flag, localFlag, p))
+		}
+
+		// Launch port-forward in a goroutine so we can start dialing
+		// the "local" listeners.
+		cmd, root := clitest.New(t, append([]string{"port-forward", workspace.Name}, flags...)...)
+		clitest.SetupConfig(t, client, root)
+		buf := newThreadSafeBuffer()
+		cmd.SetOut(buf)
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+		errC := make(chan error)
+		go func() {
+			errC <- cmd.ExecuteContext(ctx)
+		}()
+		waitForPortForwardReady(t, buf)
+
+		t.Parallel() // Port is reserved, enable parallel execution.
+
+		// Open connections to all items in the "dial" array.
+		var (
+			d     = net.Dialer{Timeout: testutil.WaitShort}
+			conns = make([]net.Conn, len(dials))
+		)
+		for i, a := range dials {
+			c, err := d.DialContext(ctx, a.network, a.addr)
+			require.NoErrorf(t, err, "open connection %v to 'local' listener %v", i+1, i+1)
+			t.Cleanup(func() {
+				_ = c.Close()
+			})
+			conns[i] = c
+		}
+
+		// Test each connection in reverse order.
+		for i := len(conns) - 1; i >= 0; i-- {
+			testDial(t, conns[i])
+		}
+
+		cancel()
+		err := <-errC
+		require.ErrorIs(t, err, context.Canceled)
+	})
+}
+
+// runAgent creates a fake workspace and starts an agent locally for that
+// workspace. The agent will be cleaned up on test completion.
+func runAgent(t *testing.T, client *codersdk.Client, userID uuid.UUID) ([]codersdk.WorkspaceResource, codersdk.Workspace) {
+	ctx := context.Background()
+	user, err := client.User(ctx, userID.String())
+	require.NoError(t, err, "specified user does not exist")
+	require.Greater(t, len(user.OrganizationIDs), 0, "user has no organizations")
+	orgID := user.OrganizationIDs[0]
+
+	// Setup template
+	agentToken := uuid.NewString()
+	version := coderdtest.CreateTemplateVersion(t, client, orgID, &echo.Responses{
+		Parse:           echo.ParseComplete,
+		ProvisionDryRun: echo.ProvisionComplete,
+		Provision: []*proto.Provision_Response{{
+			Type: &proto.Provision_Response_Complete{
+				Complete: &proto.Provision_Complete{
+					Resources: []*proto.Resource{{
+						Name: "somename",
+						Type: "someinstance",
+						Agents: []*proto.Agent{{
+							Auth: &proto.Agent_Token{
+								Token: agentToken,
+							},
+						}},
+					}},
+				},
+			},
+		}},
+	})
+
+	// Create template and workspace
+	template := coderdtest.CreateTemplate(t, client, orgID, version.ID)
+	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+	workspace := coderdtest.CreateWorkspace(t, client, orgID, template.ID)
+	coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+	// Start workspace agent in a goroutine
+	cmd, root := clitest.New(t, "agent", "--agent-token", agentToken, "--agent-url", client.URL.String(), "--wireguard=false")
+	clitest.SetupConfig(t, client, root)
+	errC := make(chan error)
+	agentCtx, agentCancel := context.WithCancel(ctx)
+	t.Cleanup(func() {
+		agentCancel()
+		err := <-errC
+		require.NoError(t, err)
+	})
+	go func() {
+		errC <- cmd.ExecuteContext(agentCtx)
+	}()
+
+	coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
+	resources, err := client.WorkspaceResourcesByBuild(context.Background(), workspace.LatestBuild.ID)
+	require.NoError(t, err)
+
+	return resources, workspace
+}
+
+// setupTestListener starts accepting connections and echoing a single packet.
+// Returns the listener and the listen port or Unix path.
+func setupTestListener(t *testing.T, l net.Listener) string {
+	t.Helper()
+
+	// Wait for listener to completely exit before releasing.
+	done := make(chan struct{})
+	t.Cleanup(func() {
+		_ = l.Close()
+		<-done
+	})
+	go func() {
+		defer close(done)
+		// Guard against testAccept running require after test completion.
+		var wg sync.WaitGroup
+		defer wg.Wait()
+
+		for {
+			c, err := l.Accept()
+			if err != nil {
+				_ = l.Close()
+				return
+			}
+
+			wg.Add(1)
+			go func() {
+				testAccept(t, c)
+				wg.Done()
+			}()
+		}
+	}()
+
+	addr := l.Addr().String()
+	if !strings.HasPrefix(l.Addr().Network(), "unix") {
+		_, port, err := net.SplitHostPort(addr)
+		require.NoErrorf(t, err, "split non-Unix listen path %q", addr)
+		addr = port
+	}
+
+	return addr
+}
+
+var dialTestPayload = []byte("dean-was-here123")
+
+func testDial(t *testing.T, c net.Conn) {
+	t.Helper()
+
+	assertWritePayload(t, c, dialTestPayload)
+	assertReadPayload(t, c, dialTestPayload)
+}
+
+func testAccept(t *testing.T, c net.Conn) {
+	t.Helper()
+	defer c.Close()
+
+	assertReadPayload(t, c, dialTestPayload)
+	assertWritePayload(t, c, dialTestPayload)
+}
+
+func assertReadPayload(t *testing.T, r io.Reader, payload []byte) {
+	t.Helper()
+	b := make([]byte, len(payload)+16)
+	n, err := r.Read(b)
+	assert.NoError(t, err, "read payload")
+	assert.Equal(t, len(payload), n, "read payload length does not match")
+	assert.Equal(t, payload, b[:n])
+}
+
+func assertWritePayload(t *testing.T, w io.Writer, payload []byte) {
+	t.Helper()
+	n, err := w.Write(payload)
+	assert.NoError(t, err, "write payload")
+	assert.Equal(t, len(payload), n, "payload length does not match")
+}
+
+func waitForPortForwardReady(t *testing.T, output *threadSafeBuffer) {
+	t.Helper()
+	for i := 0; i < 100; i++ {
+		time.Sleep(testutil.IntervalMedium)
+
+		data := output.String()
+		if strings.Contains(data, "Ready!") {
+			return
+		}
+	}
+
+	t.Fatal("port-forward command did not become ready in time")
+}
+
+type addr struct {
+	network string
+	addr    string
+}
+
+type threadSafeBuffer struct {
+	b   *bytes.Buffer
+	mut *sync.RWMutex
+}
+
+func newThreadSafeBuffer() *threadSafeBuffer {
+	return &threadSafeBuffer{
+		b:   bytes.NewBuffer(nil),
+		mut: new(sync.RWMutex),
+	}
+}
+
+var (
+	_ io.Reader = &threadSafeBuffer{}
+	_ io.Writer = &threadSafeBuffer{}
+)
+
+// Read implements io.Reader.
+func (b *threadSafeBuffer) Read(p []byte) (int, error) {
+	b.mut.RLock()
+	defer b.mut.RUnlock()
+
+	return b.b.Read(p)
+}
+
+// Write implements io.Writer.
+func (b *threadSafeBuffer) Write(p []byte) (int, error) {
+	b.mut.Lock()
+	defer b.mut.Unlock()
+
+	return b.b.Write(p)
+}
+
+func (b *threadSafeBuffer) String() string {
+	b.mut.RLock()
+	defer b.mut.RUnlock()
+
+	return b.b.String()
+}

cli/projectcreate.go

@@ -1,260 +0,0 @@
-package cli
-
-import (
-	"archive/tar"
-	"bytes"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"time"
-
-	"github.com/briandowns/spinner"
-	"github.com/fatih/color"
-	"github.com/google/uuid"
-	"github.com/manifoldco/promptui"
-	"github.com/spf13/cobra"
-	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/coderd"
-	"github.com/coder/coder/codersdk"
-	"github.com/coder/coder/database"
-	"github.com/coder/coder/provisionerd"
-)
-
-func projectCreate() *cobra.Command {
-	var (
-		directory   string
-		provisioner string
-	)
-	cmd := &cobra.Command{
-		Use:   "create",
-		Short: "Create a project from the current directory",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
-			if err != nil {
-				return err
-			}
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-			_, err = prompt(cmd, &promptui.Prompt{
-				Default:   "y",
-				IsConfirm: true,
-				Label:     fmt.Sprintf("Set up %s in your organization?", color.New(color.FgHiCyan).Sprintf("%q", directory)),
-			})
-			if err != nil {
-				if errors.Is(err, promptui.ErrAbort) {
-					return nil
-				}
-				return err
-			}
-
-			name, err := prompt(cmd, &promptui.Prompt{
-				Default: filepath.Base(directory),
-				Label:   "What's your project's name?",
-				Validate: func(s string) error {
-					project, _ := client.ProjectByName(cmd.Context(), organization.ID, s)
-					if project.ID.String() != uuid.Nil.String() {
-						return xerrors.New("A project already exists with that name!")
-					}
-					return nil
-				},
-			})
-			if err != nil {
-				return err
-			}
-
-			job, err := validateProjectVersionSource(cmd, client, organization, database.ProvisionerType(provisioner), directory)
-			if err != nil {
-				return err
-			}
-			project, err := client.CreateProject(cmd.Context(), organization.ID, coderd.CreateProjectRequest{
-				Name:      name,
-				VersionID: job.ID,
-			})
-			if err != nil {
-				return err
-			}
-
-			_, err = prompt(cmd, &promptui.Prompt{
-				Label:     "Create project?",
-				IsConfirm: true,
-				Default:   "y",
-			})
-			if err != nil {
-				if errors.Is(err, promptui.ErrAbort) {
-					return nil
-				}
-				return err
-			}
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s The %s project has been created!\n", caret, color.HiCyanString(project.Name))
-			_, err = prompt(cmd, &promptui.Prompt{
-				Label:     "Create a new workspace?",
-				IsConfirm: true,
-				Default:   "y",
-			})
-			if err != nil {
-				if errors.Is(err, promptui.ErrAbort) {
-					return nil
-				}
-				return err
-			}
-
-			return nil
-		},
-	}
-	currentDirectory, _ := os.Getwd()
-	cmd.Flags().StringVarP(&directory, "directory", "d", currentDirectory, "Specify the directory to create from")
-	cmd.Flags().StringVarP(&provisioner, "provisioner", "p", "terraform", "Customize the provisioner backend")
-	// This is for testing!
-	err := cmd.Flags().MarkHidden("provisioner")
-	if err != nil {
-		panic(err)
-	}
-	return cmd
-}
-
-func validateProjectVersionSource(cmd *cobra.Command, client *codersdk.Client, organization coderd.Organization, provisioner database.ProvisionerType, directory string, parameters ...coderd.CreateParameterRequest) (*coderd.ProjectVersion, error) {
-	spin := spinner.New(spinner.CharSets[5], 100*time.Millisecond)
-	spin.Writer = cmd.OutOrStdout()
-	spin.Suffix = " Uploading current directory..."
-	err := spin.Color("fgHiGreen")
-	if err != nil {
-		return nil, err
-	}
-	spin.Start()
-	defer spin.Stop()
-
-	tarData, err := tarDirectory(directory)
-	if err != nil {
-		return nil, err
-	}
-	resp, err := client.Upload(cmd.Context(), codersdk.ContentTypeTar, tarData)
-	if err != nil {
-		return nil, err
-	}
-
-	before := time.Now()
-	version, err := client.CreateProjectVersion(cmd.Context(), organization.ID, coderd.CreateProjectVersionRequest{
-		StorageMethod:   database.ProvisionerStorageMethodFile,
-		StorageSource:   resp.Hash,
-		Provisioner:     provisioner,
-		ParameterValues: parameters,
-	})
-	if err != nil {
-		return nil, err
-	}
-	spin.Suffix = " Waiting for the import to complete..."
-	logs, err := client.ProjectVersionLogsAfter(cmd.Context(), version.ID, before)
-	if err != nil {
-		return nil, err
-	}
-	logBuffer := make([]coderd.ProvisionerJobLog, 0, 64)
-	for {
-		log, ok := <-logs
-		if !ok {
-			break
-		}
-		logBuffer = append(logBuffer, log)
-	}
-
-	version, err = client.ProjectVersion(cmd.Context(), version.ID)
-	if err != nil {
-		return nil, err
-	}
-	parameterSchemas, err := client.ProjectVersionSchema(cmd.Context(), version.ID)
-	if err != nil {
-		return nil, err
-	}
-	parameterValues, err := client.ProjectVersionParameters(cmd.Context(), version.ID)
-	if err != nil {
-		return nil, err
-	}
-	spin.Stop()
-
-	if provisionerd.IsMissingParameterError(version.Job.Error) {
-		valuesBySchemaID := map[string]coderd.ProjectVersionParameter{}
-		for _, parameterValue := range parameterValues {
-			valuesBySchemaID[parameterValue.SchemaID.String()] = parameterValue
-		}
-		for _, parameterSchema := range parameterSchemas {
-			_, ok := valuesBySchemaID[parameterSchema.ID.String()]
-			if ok {
-				continue
-			}
-			value, err := prompt(cmd, &promptui.Prompt{
-				Label: fmt.Sprintf("Enter value for %s:", color.HiCyanString(parameterSchema.Name)),
-			})
-			if err != nil {
-				return nil, err
-			}
-			parameters = append(parameters, coderd.CreateParameterRequest{
-				Name:              parameterSchema.Name,
-				SourceValue:       value,
-				SourceScheme:      database.ParameterSourceSchemeData,
-				DestinationScheme: parameterSchema.DefaultDestinationScheme,
-			})
-		}
-		return validateProjectVersionSource(cmd, client, organization, provisioner, directory, parameters...)
-	}
-
-	if version.Job.Status != coderd.ProvisionerJobSucceeded {
-		for _, log := range logBuffer {
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s %s\n", color.HiGreenString("[tf]"), log.Output)
-		}
-		return nil, xerrors.New(version.Job.Error)
-	}
-
-	_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s Successfully imported project source!\n", color.HiGreenString("✓"))
-
-	resources, err := client.ProjectVersionResources(cmd.Context(), version.ID)
-	if err != nil {
-		return nil, err
-	}
-	return &version, displayProjectImportInfo(cmd, parameterSchemas, parameterValues, resources)
-}
-
-func tarDirectory(directory string) ([]byte, error) {
-	var buffer bytes.Buffer
-	tarWriter := tar.NewWriter(&buffer)
-	err := filepath.Walk(directory, func(file string, fileInfo os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		header, err := tar.FileInfoHeader(fileInfo, file)
-		if err != nil {
-			return err
-		}
-		rel, err := filepath.Rel(directory, file)
-		if err != nil {
-			return err
-		}
-		header.Name = rel
-		if err := tarWriter.WriteHeader(header); err != nil {
-			return err
-		}
-		if fileInfo.IsDir() {
-			return nil
-		}
-		data, err := os.Open(file)
-		if err != nil {
-			return err
-		}
-		if _, err := io.Copy(tarWriter, data); err != nil {
-			return err
-		}
-		return data.Close()
-	})
-	if err != nil {
-		return nil, err
-	}
-	err = tarWriter.Flush()
-	if err != nil {
-		return nil, err
-	}
-	return buffer.Bytes(), nil
-}

cli/projectcreate_test.go

@@ -1,101 +0,0 @@
-package cli_test
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/cli/clitest"
-	"github.com/coder/coder/coderd/coderdtest"
-	"github.com/coder/coder/database"
-	"github.com/coder/coder/provisioner/echo"
-	"github.com/coder/coder/provisionersdk/proto"
-	"github.com/coder/coder/pty/ptytest"
-)
-
-func TestProjectCreate(t *testing.T) {
-	t.Parallel()
-	t.Run("NoParameters", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, nil)
-		coderdtest.CreateFirstUser(t, client)
-		source := clitest.CreateProjectVersionSource(t, &echo.Responses{
-			Parse:     echo.ParseComplete,
-			Provision: echo.ProvisionComplete,
-		})
-		cmd, root := clitest.New(t, "projects", "create", "--directory", source, "--provisioner", string(database.ProvisionerTypeEcho))
-		clitest.SetupConfig(t, client, root)
-		_ = coderdtest.NewProvisionerDaemon(t, client)
-		pty := ptytest.New(t)
-		cmd.SetIn(pty.Input())
-		cmd.SetOut(pty.Output())
-		closeChan := make(chan struct{})
-		go func() {
-			err := cmd.Execute()
-			require.NoError(t, err)
-			close(closeChan)
-		}()
-
-		matches := []string{
-			"organization?", "y",
-			"name?", "test-project",
-			"project?", "y",
-			"created!", "n",
-		}
-		for i := 0; i < len(matches); i += 2 {
-			match := matches[i]
-			value := matches[i+1]
-			pty.ExpectMatch(match)
-			pty.WriteLine(value)
-		}
-		<-closeChan
-	})
-
-	t.Run("Parameter", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, nil)
-		coderdtest.CreateFirstUser(t, client)
-		source := clitest.CreateProjectVersionSource(t, &echo.Responses{
-			Parse: []*proto.Parse_Response{{
-				Type: &proto.Parse_Response_Complete{
-					Complete: &proto.Parse_Complete{
-						ParameterSchemas: []*proto.ParameterSchema{{
-							Name: "somevar",
-							DefaultDestination: &proto.ParameterDestination{
-								Scheme: proto.ParameterDestination_PROVISIONER_VARIABLE,
-							},
-						}},
-					},
-				},
-			}},
-			Provision: echo.ProvisionComplete,
-		})
-		cmd, root := clitest.New(t, "projects", "create", "--directory", source, "--provisioner", string(database.ProvisionerTypeEcho))
-		clitest.SetupConfig(t, client, root)
-		coderdtest.NewProvisionerDaemon(t, client)
-		pty := ptytest.New(t)
-		cmd.SetIn(pty.Input())
-		cmd.SetOut(pty.Output())
-		closeChan := make(chan struct{})
-		go func() {
-			err := cmd.Execute()
-			require.NoError(t, err)
-			close(closeChan)
-		}()
-
-		matches := []string{
-			"organization?", "y",
-			"name?", "test-project",
-			"somevar", "value",
-			"project?", "y",
-			"created!", "n",
-		}
-		for i := 0; i < len(matches); i += 2 {
-			match := matches[i]
-			value := matches[i+1]
-			pty.ExpectMatch(match)
-			pty.WriteLine(value)
-		}
-		<-closeChan
-	})
-}

cli/projectlist.go

@@ -1,63 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"text/tabwriter"
-	"time"
-
-	"github.com/fatih/color"
-	"github.com/spf13/cobra"
-)
-
-func projectList() *cobra.Command {
-	return &cobra.Command{
-		Use:     "list",
-		Aliases: []string{"ls"},
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
-			if err != nil {
-				return err
-			}
-			start := time.Now()
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-			projects, err := client.ProjectsByOrganization(cmd.Context(), organization.ID)
-			if err != nil {
-				return err
-			}
-
-			if len(projects) == 0 {
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s No projects found in %s! Create one:\n\n", caret, color.HiWhiteString(organization.Name))
-				_, _ = fmt.Fprintln(cmd.OutOrStdout(), color.HiMagentaString("  $ coder projects create <directory>\n"))
-				return nil
-			}
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s Projects found in %s %s\n\n",
-				caret,
-				color.HiWhiteString(organization.Name),
-				color.HiBlackString("[%dms]",
-					time.Since(start).Milliseconds()))
-
-			writer := tabwriter.NewWriter(cmd.OutOrStdout(), 0, 0, 4, ' ', 0)
-			_, _ = fmt.Fprintf(writer, "%s\t%s\t%s\t%s\n",
-				color.HiBlackString("Project"),
-				color.HiBlackString("Source"),
-				color.HiBlackString("Last Updated"),
-				color.HiBlackString("Used By"))
-			for _, project := range projects {
-				suffix := ""
-				if project.WorkspaceOwnerCount != 1 {
-					suffix = "s"
-				}
-				_, _ = fmt.Fprintf(writer, "%s\t%s\t%s\t%s\n",
-					color.New(color.FgHiCyan).Sprint(project.Name),
-					color.WhiteString("Archive"),
-					color.WhiteString(project.UpdatedAt.Format("January 2, 2006")),
-					color.New(color.FgHiWhite).Sprintf("%d developer%s", project.WorkspaceOwnerCount, suffix))
-			}
-			return writer.Flush()
-		},
-	}
-}

cli/projectlist_test.go

@@ -1,56 +0,0 @@
-package cli_test
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/cli/clitest"
-	"github.com/coder/coder/coderd/coderdtest"
-	"github.com/coder/coder/pty/ptytest"
-)
-
-func TestProjectList(t *testing.T) {
-	t.Parallel()
-	t.Run("None", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, nil)
-		coderdtest.CreateFirstUser(t, client)
-		cmd, root := clitest.New(t, "projects", "list")
-		clitest.SetupConfig(t, client, root)
-		pty := ptytest.New(t)
-		cmd.SetIn(pty.Input())
-		cmd.SetOut(pty.Output())
-		closeChan := make(chan struct{})
-		go func() {
-			err := cmd.Execute()
-			require.NoError(t, err)
-			close(closeChan)
-		}()
-		pty.ExpectMatch("No projects found")
-		<-closeChan
-	})
-	t.Run("List", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		daemon := coderdtest.NewProvisionerDaemon(t, client)
-		version := coderdtest.CreateProjectVersion(t, client, user.OrganizationID, nil)
-		coderdtest.AwaitProjectVersionJob(t, client, version.ID)
-		_ = daemon.Close()
-		project := coderdtest.CreateProject(t, client, user.OrganizationID, version.ID)
-		cmd, root := clitest.New(t, "projects", "list")
-		clitest.SetupConfig(t, client, root)
-		pty := ptytest.New(t)
-		cmd.SetIn(pty.Input())
-		cmd.SetOut(pty.Output())
-		closeChan := make(chan struct{})
-		go func() {
-			err := cmd.Execute()
-			require.NoError(t, err)
-			close(closeChan)
-		}()
-		pty.ExpectMatch(project.Name)
-		<-closeChan
-	})
-}

cli/projects.go

@@ -1,84 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/fatih/color"
-	"github.com/spf13/cobra"
-	"github.com/xlab/treeprint"
-	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/coderd"
-	"github.com/coder/coder/database"
-)
-
-func projects() *cobra.Command {
-	cmd := &cobra.Command{
-		Use:     "projects",
-		Aliases: []string{"project"},
-		Example: `
-  - Create a project for developers to create workspaces
-
-    ` + color.New(color.FgHiMagenta).Sprint("$ coder projects create") + `
-
-  - Make changes to your project, and plan the changes
- 
-    ` + color.New(color.FgHiMagenta).Sprint("$ coder projects plan <name>") + `
-
-  - Update the project. Your developers can update their workspaces
-
-    ` + color.New(color.FgHiMagenta).Sprint("$ coder projects update <name>"),
-	}
-	cmd.AddCommand(
-		projectCreate(),
-		projectList(),
-		projectPlan(),
-		projectUpdate(),
-	)
-
-	return cmd
-}
-
-func displayProjectImportInfo(cmd *cobra.Command, parameterSchemas []coderd.ProjectVersionParameterSchema, parameterValues []coderd.ProjectVersionParameter, resources []coderd.WorkspaceResource) error {
-	schemaByID := map[string]coderd.ProjectVersionParameterSchema{}
-	for _, schema := range parameterSchemas {
-		schemaByID[schema.ID.String()] = schema
-	}
-
-	_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\n  %s\n\n", color.HiBlackString("Parameters"))
-	for _, value := range parameterValues {
-		schema, ok := schemaByID[value.SchemaID.String()]
-		if !ok {
-			return xerrors.Errorf("schema not found: %s", value.Name)
-		}
-		displayValue := value.SourceValue
-		if !schema.RedisplayValue {
-			displayValue = "<redacted>"
-		}
-		output := fmt.Sprintf("%s %s %s", color.HiCyanString(value.Name), color.HiBlackString("="), displayValue)
-		if value.DefaultSourceValue {
-			output += " (default value)"
-		} else if value.Scope != database.ParameterScopeImportJob {
-			output += fmt.Sprintf(" (inherited from %s)", value.Scope)
-		}
-
-		root := treeprint.NewWithRoot(output)
-		if schema.Description != "" {
-			root.AddBranch(fmt.Sprintf("%s\n%s", color.HiBlackString("Description"), schema.Description))
-		}
-		if schema.AllowOverrideSource {
-			root.AddBranch(fmt.Sprintf("%s Users can customize this value!", color.HiYellowString("+")))
-		}
-		_, _ = fmt.Fprintln(cmd.OutOrStdout(), "    "+strings.Join(strings.Split(root.String(), "\n"), "\n    "))
-	}
-	_, _ = fmt.Fprintf(cmd.OutOrStdout(), "  %s\n\n", color.HiBlackString("Resources"))
-	for _, resource := range resources {
-		transition := color.HiGreenString("start")
-		if resource.Transition == database.WorkspaceTransitionStop {
-			transition = color.HiRedString("stop")
-		}
-		_, _ = fmt.Fprintf(cmd.OutOrStdout(), "    %s %s on %s\n\n", color.HiCyanString(resource.Type), color.HiCyanString(resource.Name), transition)
-	}
-	return nil
-}

cli/projectupdate.go

@@ -1,14 +0,0 @@
-package cli
-
-import "github.com/spf13/cobra"
-
-func projectUpdate() *cobra.Command {
-	return &cobra.Command{
-		Use:   "update <name>",
-		Args:  cobra.MinimumNArgs(1),
-		Short: "Update a project from the current directory",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return nil
-		},
-	}
-}

cli/publickey.go

@@ -0,0 +1,70 @@
+package cli
+
+import (
+	"strings"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/codersdk"
+)
+
+func publickey() *cobra.Command {
+	var (
+		reset bool
+	)
+
+	cmd := &cobra.Command{
+		Use:     "publickey",
+		Aliases: []string{"pubkey"},
+		Short:   "Output your public key for Git operations",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return xerrors.Errorf("create codersdk client: %w", err)
+			}
+
+			if reset {
+				// Confirm prompt if using --reset. We don't want to accidentally
+				// reset our public key.
+				_, err := cliui.Prompt(cmd, cliui.PromptOptions{
+					Text: "Confirm regenerate a new sshkey for your workspaces? This will require updating the key " +
+						"on any services it is registered with. This action cannot be reverted.",
+					IsConfirm: true,
+				})
+				if err != nil {
+					return err
+				}
+
+				// Reset the public key, let the retrieve re-read it.
+				_, err = client.RegenerateGitSSHKey(cmd.Context(), codersdk.Me)
+				if err != nil {
+					return err
+				}
+			}
+
+			key, err := client.GitSSHKey(cmd.Context(), codersdk.Me)
+			if err != nil {
+				return xerrors.Errorf("create codersdk client: %w", err)
+			}
+
+			cmd.Println(cliui.Styles.Wrap.Render(
+				"This is your public key for using " + cliui.Styles.Field.Render("git") + " in " +
+					"Coder. All clones with SSH will be authenticated automatically 🪄.",
+			))
+			cmd.Println()
+			cmd.Println(cliui.Styles.Code.Render(strings.TrimSpace(key.PublicKey)))
+			cmd.Println()
+			cmd.Println("Add to GitHub and GitLab:")
+			cmd.Println(cliui.Styles.Prompt.String() + "https://github.com/settings/ssh/new")
+			cmd.Println(cliui.Styles.Prompt.String() + "https://gitlab.com/-/profile/keys")
+
+			return nil
+		},
+	}
+	cmd.Flags().BoolVar(&reset, "reset", false, "Regenerate your public key. This will require updating the key on any services it's registered with.")
+	cliui.AllowSkipPrompt(cmd)
+
+	return cmd
+}

cli/publickey_test.go

@@ -0,0 +1,28 @@
+package cli_test
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+)
+
+func TestPublicKey(t *testing.T) {
+	t.Parallel()
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+		cmd, root := clitest.New(t, "publickey")
+		clitest.SetupConfig(t, client, root)
+		buf := new(bytes.Buffer)
+		cmd.SetOut(buf)
+		err := cmd.Execute()
+		require.NoError(t, err)
+		publicKey := buf.String()
+		require.NotEmpty(t, publicKey)
+	})
+}

cli/rename.go

@@ -0,0 +1,62 @@
+package cli
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/codersdk"
+)
+
+func rename() *cobra.Command {
+	cmd := &cobra.Command{
+		Annotations: workspaceCommand,
+		Use:         "rename <workspace> <new name>",
+		Short:       "Rename a workspace",
+		Args:        cobra.ExactArgs(2),
+		// Keep hidden until renaming is safe, see:
+		// * https://github.com/coder/coder/issues/3000
+		// * https://github.com/coder/coder/issues/3386
+		Hidden: true,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+			workspace, err := namedWorkspace(cmd, client, args[0])
+			if err != nil {
+				return xerrors.Errorf("get workspace: %w", err)
+			}
+
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s\n\n",
+				cliui.Styles.Wrap.Render("WARNING: A rename can result in data loss if a resource references the workspace name in the template (e.g volumes)."),
+			)
+			_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+				Text: fmt.Sprintf("Type %q to confirm rename:", workspace.Name),
+				Validate: func(s string) error {
+					if s == workspace.Name {
+						return nil
+					}
+					return xerrors.Errorf("Input %q does not match %q", s, workspace.Name)
+				},
+			})
+			if err != nil {
+				return err
+			}
+
+			err = client.UpdateWorkspace(cmd.Context(), workspace.ID, codersdk.UpdateWorkspaceRequest{
+				Name: args[1],
+			})
+			if err != nil {
+				return xerrors.Errorf("rename workspace: %w", err)
+			}
+			return nil
+		},
+	}
+
+	cliui.AllowSkipPrompt(cmd)
+
+	return cmd
+}

cli/rename_test.go

@@ -0,0 +1,52 @@
+package cli_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
+)
+
+func TestRename(t *testing.T) {
+	t.Parallel()
+
+	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+	user := coderdtest.CreateFirstUser(t, client)
+	version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+	template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+	workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+	coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+
+	want := workspace.Name + "-test"
+	cmd, root := clitest.New(t, "rename", workspace.Name, want, "--yes")
+	clitest.SetupConfig(t, client, root)
+	pty := ptytest.New(t)
+	cmd.SetIn(pty.Input())
+	cmd.SetOut(pty.Output())
+
+	errC := make(chan error, 1)
+	go func() {
+		errC <- cmd.ExecuteContext(ctx)
+	}()
+
+	pty.ExpectMatch("confirm rename:")
+	pty.WriteLine(workspace.Name)
+
+	require.NoError(t, <-errC)
+
+	ws, err := client.Workspace(ctx, workspace.ID)
+	assert.NoError(t, err)
+
+	got := ws.Name
+	assert.Equal(t, want, got, "workspace name did not change")
+}

cli/resetpassword.go

@@ -0,0 +1,92 @@
+package cli
+
+import (
+	"database/sql"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliflag"
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/userpassword"
+)
+
+func resetPassword() *cobra.Command {
+	var (
+		postgresURL string
+	)
+
+	root := &cobra.Command{
+		Use:   "reset-password <username>",
+		Short: "Reset a user's password by directly updating the database",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			username := args[0]
+
+			sqlDB, err := sql.Open("postgres", postgresURL)
+			if err != nil {
+				return xerrors.Errorf("dial postgres: %w", err)
+			}
+			defer sqlDB.Close()
+			err = sqlDB.Ping()
+			if err != nil {
+				return xerrors.Errorf("ping postgres: %w", err)
+			}
+
+			err = database.EnsureClean(sqlDB)
+			if err != nil {
+				return xerrors.Errorf("database needs migration: %w", err)
+			}
+			db := database.New(sqlDB)
+
+			user, err := db.GetUserByEmailOrUsername(cmd.Context(), database.GetUserByEmailOrUsernameParams{
+				Username: username,
+			})
+			if err != nil {
+				return xerrors.Errorf("retrieving user: %w", err)
+			}
+
+			password, err := cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:     "Enter new " + cliui.Styles.Field.Render("password") + ":",
+				Secret:   true,
+				Validate: cliui.ValidateNotEmpty,
+			})
+			if err != nil {
+				return xerrors.Errorf("password prompt: %w", err)
+			}
+			confirmedPassword, err := cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:     "Confirm " + cliui.Styles.Field.Render("password") + ":",
+				Secret:   true,
+				Validate: cliui.ValidateNotEmpty,
+			})
+			if err != nil {
+				return xerrors.Errorf("confirm password prompt: %w", err)
+			}
+			if password != confirmedPassword {
+				return xerrors.New("Passwords do not match")
+			}
+
+			hashedPassword, err := userpassword.Hash(password)
+			if err != nil {
+				return xerrors.Errorf("hash password: %w", err)
+			}
+
+			err = db.UpdateUserHashedPassword(cmd.Context(), database.UpdateUserHashedPasswordParams{
+				ID:             user.ID,
+				HashedPassword: []byte(hashedPassword),
+			})
+			if err != nil {
+				return xerrors.Errorf("updating password: %w", err)
+			}
+
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nPassword has been reset for user %s!\n", cliui.Styles.Keyword.Render(user.Username))
+			return nil
+		},
+	}
+
+	cliflag.StringVarP(root.Flags(), &postgresURL, "postgres-url", "", "CODER_PG_CONNECTION_URL", "", "URL of a PostgreSQL database to connect to")
+
+	return root
+}