Refactor upgrade message logic in CLI

- Prioritize custom messages from server if available.
- Recommend site-local install.sh for non-Windows with dashboard URL.
- Default to GitHub release page for Windows users.
- Ensure consistent version formatting across messages.

.github/actions/setup-sqlc/action.yaml

@@ -5,6 +5,13 @@ runs:
   using: "composite"
   steps:
     - name: Setup sqlc
-      uses: sqlc-dev/setup-sqlc@c0209b9199cd1cce6a14fc27cabcec491b651761 # v4.0.0
-      with:
-        sqlc-version: "1.27.0"
+      # uses: sqlc-dev/setup-sqlc@c0209b9199cd1cce6a14fc27cabcec491b651761 # v4.0.0
+      # with:
+      #   sqlc-version: "1.30.0"
+
+      # Switched to coder/sqlc fork to fix ambiguous column bug, see:
+      # - https://github.com/coder/sqlc/pull/1
+      # - https://github.com/sqlc-dev/sqlc/pull/4159
+      shell: bash
+      run: |
+        CGO_ENABLED=1 go install github.com/coder/sqlc/cmd/sqlc@aab4e865a51df0c43e1839f81a9d349b41d14f05

.github/actions/setup-tf/action.yaml

@@ -7,5 +7,5 @@ runs:
     - name: Install Terraform
       uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
       with:
-        terraform_version: 1.13.0
+        terraform_version: 1.13.4
         terraform_wrapper: false

.github/fly-wsproxies/sao-paulo-coder.toml

@@ -1,34 +0,0 @@
-app = "sao-paulo-coder"
-primary_region = "gru"
-
-[experimental]
-  entrypoint = ["/bin/sh", "-c", "CODER_DERP_SERVER_RELAY_URL=\"http://[${FLY_PRIVATE_IP}]:3000\" /opt/coder wsproxy server"]
-  auto_rollback = true
-
-[build]
-  image = "ghcr.io/coder/coder-preview:main"
-
-[env]
-  CODER_ACCESS_URL = "https://sao-paulo.fly.dev.coder.com"
-  CODER_HTTP_ADDRESS = "0.0.0.0:3000"
-  CODER_PRIMARY_ACCESS_URL = "https://dev.coder.com"
-  CODER_WILDCARD_ACCESS_URL = "*--apps.sao-paulo.fly.dev.coder.com"
-  CODER_VERBOSE = "true"
-
-[http_service]
-  internal_port = 3000
-  force_https = true
-  auto_stop_machines = true
-  auto_start_machines = true
-  min_machines_running = 0
-
-# Ref: https://fly.io/docs/reference/configuration/#http_service-concurrency
-[http_service.concurrency]
-  type = "requests"
-  soft_limit = 50
-  hard_limit = 100
-
-[[vm]]
-  cpu_kind = "shared"
-  cpus = 2
-  memory_mb = 512

.github/workflows/ci.yaml

@@ -230,7 +230,7 @@ jobs:
         shell: bash
 
   gen:
-    timeout-minutes: 8
+    timeout-minutes: 20
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
     if: ${{ !cancelled() }}
     steps:
@@ -271,6 +271,7 @@ jobs:
           popd
 
       - name: make gen
+        timeout-minutes: 8
         run: |
           # Remove golden files to detect discrepancy in generated files.
           make clean/golden-files
@@ -288,7 +289,7 @@ jobs:
     needs: changes
     if: needs.changes.outputs.offlinedocs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
-    timeout-minutes: 7
+    timeout-minutes: 20
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
@@ -315,6 +316,7 @@ jobs:
         run: go install mvdan.cc/sh/v3/cmd/shfmt@v3.7.0
 
       - name: make fmt
+        timeout-minutes: 7
         run: |
           PATH="${PATH}:$(go env GOPATH)/bin" \
             make --output-sync -j -B fmt

.github/workflows/deploy.yaml

@@ -163,12 +163,10 @@ jobs:
         run: |
           flyctl deploy --image "$IMAGE" --app paris-coder --config ./.github/fly-wsproxies/paris-coder.toml --env "CODER_PROXY_SESSION_TOKEN=$TOKEN_PARIS" --yes
           flyctl deploy --image "$IMAGE" --app sydney-coder --config ./.github/fly-wsproxies/sydney-coder.toml --env "CODER_PROXY_SESSION_TOKEN=$TOKEN_SYDNEY" --yes
-          flyctl deploy --image "$IMAGE" --app sao-paulo-coder --config ./.github/fly-wsproxies/sao-paulo-coder.toml --env "CODER_PROXY_SESSION_TOKEN=$TOKEN_SAO_PAULO" --yes
           flyctl deploy --image "$IMAGE" --app jnb-coder --config ./.github/fly-wsproxies/jnb-coder.toml --env "CODER_PROXY_SESSION_TOKEN=$TOKEN_JNB" --yes
         env:
           FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
           IMAGE: ${{ inputs.image }}
           TOKEN_PARIS: ${{ secrets.FLY_PARIS_CODER_PROXY_SESSION_TOKEN }}
           TOKEN_SYDNEY: ${{ secrets.FLY_SYDNEY_CODER_PROXY_SESSION_TOKEN }}
-          TOKEN_SAO_PAULO: ${{ secrets.FLY_SAO_PAULO_CODER_PROXY_SESSION_TOKEN }}
           TOKEN_JNB: ${{ secrets.FLY_JNB_CODER_PROXY_SESSION_TOKEN }}

.github/workflows/dogfood.yaml

@@ -40,7 +40,7 @@ jobs:
         with:
           # Pinning to 2.28 here, as Nix gets a "error: [json.exception.type_error.302] type must be array, but is string"
           # on version 2.29 and above.
-          nix_version: "2.28.4"
+          nix_version: "2.28.5"
 
       - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
         with:

Makefile

@@ -636,8 +636,8 @@ TAILNETTEST_MOCKS := \
 	tailnet/tailnettest/subscriptionmock.go
 
 AIBRIDGED_MOCKS := \
-	enterprise/x/aibridged/aibridgedmock/clientmock.go \
-	enterprise/x/aibridged/aibridgedmock/poolmock.go
+	enterprise/aibridged/aibridgedmock/clientmock.go \
+	enterprise/aibridged/aibridgedmock/poolmock.go
 
 GEN_FILES := \
 	tailnet/proto/tailnet.pb.go \
@@ -645,7 +645,7 @@ GEN_FILES := \
 	provisionersdk/proto/provisioner.pb.go \
 	provisionerd/proto/provisionerd.pb.go \
 	vpn/vpn.pb.go \
-	enterprise/x/aibridged/proto/aibridged.pb.go \
+	enterprise/aibridged/proto/aibridged.pb.go \
 	$(DB_GEN_FILES) \
 	$(SITE_GEN_FILES) \
 	coderd/rbac/object_gen.go \
@@ -697,7 +697,7 @@ gen/mark-fresh:
 		provisionersdk/proto/provisioner.pb.go \
 		provisionerd/proto/provisionerd.pb.go \
 		vpn/vpn.pb.go \
-		enterprise/x/aibridged/proto/aibridged.pb.go \
+		enterprise/aibridged/proto/aibridged.pb.go \
 		coderd/database/dump.sql \
 		$(DB_GEN_FILES) \
 		site/src/api/typesGenerated.ts \
@@ -768,8 +768,8 @@ codersdk/workspacesdk/agentconnmock/agentconnmock.go: codersdk/workspacesdk/agen
 	go generate ./codersdk/workspacesdk/agentconnmock/
 	touch "$@"
 
-$(AIBRIDGED_MOCKS): enterprise/x/aibridged/client.go enterprise/x/aibridged/pool.go
-	go generate ./enterprise/x/aibridged/aibridgedmock/
+$(AIBRIDGED_MOCKS): enterprise/aibridged/client.go enterprise/aibridged/pool.go
+	go generate ./enterprise/aibridged/aibridgedmock/
 	touch "$@"
 
 agent/agentcontainers/dcspec/dcspec_gen.go: \
@@ -822,13 +822,13 @@ vpn/vpn.pb.go: vpn/vpn.proto
 		--go_opt=paths=source_relative \
 		./vpn/vpn.proto
 
-enterprise/x/aibridged/proto/aibridged.pb.go: enterprise/x/aibridged/proto/aibridged.proto
+enterprise/aibridged/proto/aibridged.pb.go: enterprise/aibridged/proto/aibridged.proto
 	protoc \
 		--go_out=. \
 		--go_opt=paths=source_relative \
 		--go-drpc_out=. \
 		--go-drpc_opt=paths=source_relative \
-		./enterprise/x/aibridged/proto/aibridged.proto
+		./enterprise/aibridged/proto/aibridged.proto
 
 site/src/api/typesGenerated.ts: site/node_modules/.installed $(wildcard scripts/apitypings/*) $(shell find ./codersdk $(FIND_EXCLUSIONS) -type f -name '*.go')
 	# -C sets the directory for the go run command

agent/files.go

@@ -250,7 +250,9 @@ func (a *agent) editFile(ctx context.Context, path string, edits []workspacesdk.
 		transforms[i] = replace.String(edit.Search, edit.Replace)
 	}
 
-	tmpfile, err := afero.TempFile(a.filesystem, "", filepath.Base(path))
+	// Create an adjacent file to ensure it will be on the same device and can be
+	// moved atomically.
+	tmpfile, err := afero.TempFile(a.filesystem, filepath.Dir(path), filepath.Base(path))
 	if err != nil {
 		return http.StatusInternalServerError, err
 	}

cli/exp_scaletest.go

@@ -384,6 +384,88 @@ func (s *scaletestPrometheusFlags) attach(opts *serpent.OptionSet) {
 	)
 }
 
+// workspaceTargetFlags holds common flags for targeting specific workspaces in scale tests.
+type workspaceTargetFlags struct {
+	template         string
+	targetWorkspaces string
+	useHostLogin     bool
+}
+
+// attach adds the workspace target flags to the given options set.
+func (f *workspaceTargetFlags) attach(opts *serpent.OptionSet) {
+	*opts = append(*opts,
+		serpent.Option{
+			Flag:          "template",
+			FlagShorthand: "t",
+			Env:           "CODER_SCALETEST_TEMPLATE",
+			Description:   "Name or ID of the template. Traffic generation will be limited to workspaces created from this template.",
+			Value:         serpent.StringOf(&f.template),
+		},
+		serpent.Option{
+			Flag:        "target-workspaces",
+			Env:         "CODER_SCALETEST_TARGET_WORKSPACES",
+			Description: "Target a specific range of workspaces in the format [START]:[END] (exclusive). Example: 0:10 will target the 10 first alphabetically sorted workspaces (0-9).",
+			Value:       serpent.StringOf(&f.targetWorkspaces),
+		},
+		serpent.Option{
+			Flag:        "use-host-login",
+			Env:         "CODER_SCALETEST_USE_HOST_LOGIN",
+			Default:     "false",
+			Description: "Connect as the currently logged in user.",
+			Value:       serpent.BoolOf(&f.useHostLogin),
+		},
+	)
+}
+
+// getTargetedWorkspaces retrieves the workspaces based on the template filter and target range. warnWriter is where to
+// write a warning message if any workspaces were skipped due to ownership mismatch.
+func (f *workspaceTargetFlags) getTargetedWorkspaces(ctx context.Context, client *codersdk.Client, organizationIDs []uuid.UUID, warnWriter io.Writer) ([]codersdk.Workspace, error) {
+	// Validate template if provided
+	if f.template != "" {
+		_, err := parseTemplate(ctx, client, organizationIDs, f.template)
+		if err != nil {
+			return nil, xerrors.Errorf("parse template: %w", err)
+		}
+	}
+
+	// Parse target range
+	targetStart, targetEnd, err := parseTargetRange("workspaces", f.targetWorkspaces)
+	if err != nil {
+		return nil, xerrors.Errorf("parse target workspaces: %w", err)
+	}
+
+	// Determine owner based on useHostLogin
+	var owner string
+	if f.useHostLogin {
+		owner = codersdk.Me
+	}
+
+	// Get workspaces
+	workspaces, numSkipped, err := getScaletestWorkspaces(ctx, client, owner, f.template)
+	if err != nil {
+		return nil, err
+	}
+	if numSkipped > 0 {
+		cliui.Warnf(warnWriter, "CODER_DISABLE_OWNER_WORKSPACE_ACCESS is set on the deployment.\n\t%d workspace(s) were skipped due to ownership mismatch.\n\tSet --use-host-login to only target workspaces you own.", numSkipped)
+	}
+
+	// Adjust targetEnd if not specified
+	if targetEnd == 0 {
+		targetEnd = len(workspaces)
+	}
+
+	// Validate range
+	if len(workspaces) == 0 {
+		return nil, xerrors.Errorf("no scaletest workspaces exist")
+	}
+	if targetEnd > len(workspaces) {
+		return nil, xerrors.Errorf("target workspace end %d is greater than the number of workspaces %d", targetEnd, len(workspaces))
+	}
+
+	// Return the sliced workspaces
+	return workspaces[targetStart:targetEnd], nil
+}
+
 func requireAdmin(ctx context.Context, client *codersdk.Client) (codersdk.User, error) {
 	me, err := client.User(ctx, codersdk.Me)
 	if err != nil {
@@ -1193,12 +1275,10 @@ func (r *RootCmd) scaletestWorkspaceTraffic() *serpent.Command {
 		bytesPerTick      int64
 		ssh               bool
 		disableDirect     bool
-		useHostLogin      bool
 		app               string
-		template          string
-		targetWorkspaces  string
 		workspaceProxyURL string
 
+		targetFlags     = &workspaceTargetFlags{}
 		tracingFlags    = &scaletestTracingFlags{}
 		strategy        = &scaletestStrategyFlags{}
 		cleanupStrategy = newScaletestCleanupStrategy()
@@ -1243,15 +1323,9 @@ func (r *RootCmd) scaletestWorkspaceTraffic() *serpent.Command {
 				},
 			}
 
-			if template != "" {
-				_, err := parseTemplate(ctx, client, me.OrganizationIDs, template)
-				if err != nil {
-					return xerrors.Errorf("parse template: %w", err)
-				}
-			}
-			targetWorkspaceStart, targetWorkspaceEnd, err := parseTargetRange("workspaces", targetWorkspaces)
+			workspaces, err := targetFlags.getTargetedWorkspaces(ctx, client, me.OrganizationIDs, inv.Stdout)
 			if err != nil {
-				return xerrors.Errorf("parse target workspaces: %w", err)
+				return err
 			}
 
 			appHost, err := client.AppHost(ctx)
@@ -1259,30 +1333,6 @@ func (r *RootCmd) scaletestWorkspaceTraffic() *serpent.Command {
 				return xerrors.Errorf("get app host: %w", err)
 			}
 
-			var owner string
-			if useHostLogin {
-				owner = codersdk.Me
-			}
-
-			workspaces, numSkipped, err := getScaletestWorkspaces(inv.Context(), client, owner, template)
-			if err != nil {
-				return err
-			}
-			if numSkipped > 0 {
-				cliui.Warnf(inv.Stdout, "CODER_DISABLE_OWNER_WORKSPACE_ACCESS is set on the deployment.\n\t%d workspace(s) were skipped due to ownership mismatch.\n\tSet --use-host-login to only target workspaces you own.", numSkipped)
-			}
-
-			if targetWorkspaceEnd == 0 {
-				targetWorkspaceEnd = len(workspaces)
-			}
-
-			if len(workspaces) == 0 {
-				return xerrors.Errorf("no scaletest workspaces exist")
-			}
-			if targetWorkspaceEnd > len(workspaces) {
-				return xerrors.Errorf("target workspace end %d is greater than the number of workspaces %d", targetWorkspaceEnd, len(workspaces))
-			}
-
 			tracerProvider, closeTracing, tracingEnabled, err := tracingFlags.provider(ctx)
 			if err != nil {
 				return xerrors.Errorf("create tracer provider: %w", err)
@@ -1307,10 +1357,6 @@ func (r *RootCmd) scaletestWorkspaceTraffic() *serpent.Command {
 
 			th := harness.NewTestHarness(strategy.toStrategy(), cleanupStrategy.toStrategy())
 			for idx, ws := range workspaces {
-				if idx < targetWorkspaceStart || idx >= targetWorkspaceEnd {
-					continue
-				}
-
 				var (
 					agent codersdk.WorkspaceAgent
 					name  = "workspace-traffic"
@@ -1415,19 +1461,6 @@ func (r *RootCmd) scaletestWorkspaceTraffic() *serpent.Command {
 	}
 
 	cmd.Options = []serpent.Option{
-		{
-			Flag:          "template",
-			FlagShorthand: "t",
-			Env:           "CODER_SCALETEST_TEMPLATE",
-			Description:   "Name or ID of the template. Traffic generation will be limited to workspaces created from this template.",
-			Value:         serpent.StringOf(&template),
-		},
-		{
-			Flag:        "target-workspaces",
-			Env:         "CODER_SCALETEST_TARGET_WORKSPACES",
-			Description: "Target a specific range of workspaces in the format [START]:[END] (exclusive). Example: 0:10 will target the 10 first alphabetically sorted workspaces (0-9).",
-			Value:       serpent.StringOf(&targetWorkspaces),
-		},
 		{
 			Flag:        "bytes-per-tick",
 			Env:         "CODER_SCALETEST_WORKSPACE_TRAFFIC_BYTES_PER_TICK",
@@ -1463,13 +1496,6 @@ func (r *RootCmd) scaletestWorkspaceTraffic() *serpent.Command {
 			Description: "Send WebSocket traffic to a workspace app (proxied via coderd), cannot be used with --ssh.",
 			Value:       serpent.StringOf(&app),
 		},
-		{
-			Flag:        "use-host-login",
-			Env:         "CODER_SCALETEST_USE_HOST_LOGIN",
-			Default:     "false",
-			Description: "Connect as the currently logged in user.",
-			Value:       serpent.BoolOf(&useHostLogin),
-		},
 		{
 			Flag:        "workspace-proxy-url",
 			Env:         "CODER_SCALETEST_WORKSPACE_PROXY_URL",
@@ -1479,6 +1505,7 @@ func (r *RootCmd) scaletestWorkspaceTraffic() *serpent.Command {
 		},
 	}
 
+	targetFlags.attach(&cmd.Options)
 	tracingFlags.attach(&cmd.Options)
 	strategy.attach(&cmd.Options)
 	cleanupStrategy.attach(&cmd.Options)

cli/exp_scaletest_notifications.go

@@ -3,6 +3,7 @@
 package cli
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"net/http"
@@ -29,12 +30,13 @@ import (
 
 func (r *RootCmd) scaletestNotifications() *serpent.Command {
 	var (
-		userCount           int64
-		ownerUserPercentage float64
-		notificationTimeout time.Duration
-		dialTimeout         time.Duration
-		noCleanup           bool
-		smtpAPIURL          string
+		userCount               int64
+		templateAdminPercentage float64
+		notificationTimeout     time.Duration
+		smtpRequestTimeout      time.Duration
+		dialTimeout             time.Duration
+		noCleanup               bool
+		smtpAPIURL              string
 
 		tracingFlags = &scaletestTracingFlags{}
 
@@ -77,24 +79,24 @@ func (r *RootCmd) scaletestNotifications() *serpent.Command {
 				return xerrors.Errorf("--user-count must be greater than 0")
 			}
 
-			if ownerUserPercentage < 0 || ownerUserPercentage > 100 {
-				return xerrors.Errorf("--owner-user-percentage must be between 0 and 100")
+			if templateAdminPercentage < 0 || templateAdminPercentage > 100 {
+				return xerrors.Errorf("--template-admin-percentage must be between 0 and 100")
 			}
 
 			if smtpAPIURL != "" && !strings.HasPrefix(smtpAPIURL, "http://") && !strings.HasPrefix(smtpAPIURL, "https://") {
 				return xerrors.Errorf("--smtp-api-url must start with http:// or https://")
 			}
 
-			ownerUserCount := int64(float64(userCount) * ownerUserPercentage / 100)
-			if ownerUserCount == 0 && ownerUserPercentage > 0 {
-				ownerUserCount = 1
+			templateAdminCount := int64(float64(userCount) * templateAdminPercentage / 100)
+			if templateAdminCount == 0 && templateAdminPercentage > 0 {
+				templateAdminCount = 1
 			}
-			regularUserCount := userCount - ownerUserCount
+			regularUserCount := userCount - templateAdminCount
 
 			_, _ = fmt.Fprintf(inv.Stderr, "Distribution plan:\n")
 			_, _ = fmt.Fprintf(inv.Stderr, "  Total users: %d\n", userCount)
-			_, _ = fmt.Fprintf(inv.Stderr, "  Owner users: %d (%.1f%%)\n", ownerUserCount, ownerUserPercentage)
-			_, _ = fmt.Fprintf(inv.Stderr, "  Regular users: %d (%.1f%%)\n", regularUserCount, 100.0-ownerUserPercentage)
+			_, _ = fmt.Fprintf(inv.Stderr, "  Template admins: %d (%.1f%%)\n", templateAdminCount, templateAdminPercentage)
+			_, _ = fmt.Fprintf(inv.Stderr, "  Regular users: %d (%.1f%%)\n", regularUserCount, 100.0-templateAdminPercentage)
 
 			outputs, err := output.parse()
 			if err != nil {
@@ -127,13 +129,12 @@ func (r *RootCmd) scaletestNotifications() *serpent.Command {
 			_, _ = fmt.Fprintln(inv.Stderr, "Creating users...")
 
 			dialBarrier := &sync.WaitGroup{}
-			ownerWatchBarrier := &sync.WaitGroup{}
+			templateAdminWatchBarrier := &sync.WaitGroup{}
 			dialBarrier.Add(int(userCount))
-			ownerWatchBarrier.Add(int(ownerUserCount))
+			templateAdminWatchBarrier.Add(int(templateAdminCount))
 
 			expectedNotificationIDs := map[uuid.UUID]struct{}{
-				notificationsLib.TemplateUserAccountCreated: {},
-				notificationsLib.TemplateUserAccountDeleted: {},
+				notificationsLib.TemplateTemplateDeleted: {},
 			}
 
 			triggerTimes := make(map[uuid.UUID]chan time.Time, len(expectedNotificationIDs))
@@ -142,19 +143,20 @@ func (r *RootCmd) scaletestNotifications() *serpent.Command {
 			}
 
 			configs := make([]notifications.Config, 0, userCount)
-			for range ownerUserCount {
+			for range templateAdminCount {
 				config := notifications.Config{
 					User: createusers.Config{
 						OrganizationID: me.OrganizationIDs[0],
 					},
-					Roles:                    []string{codersdk.RoleOwner},
+					Roles:                    []string{codersdk.RoleTemplateAdmin},
 					NotificationTimeout:      notificationTimeout,
 					DialTimeout:              dialTimeout,
 					DialBarrier:              dialBarrier,
-					ReceivingWatchBarrier:    ownerWatchBarrier,
+					ReceivingWatchBarrier:    templateAdminWatchBarrier,
 					ExpectedNotificationsIDs: expectedNotificationIDs,
 					Metrics:                  metrics,
 					SMTPApiURL:               smtpAPIURL,
+					SMTPRequestTimeout:       smtpRequestTimeout,
 				}
 				if err := config.Validate(); err != nil {
 					return xerrors.Errorf("validate config: %w", err)
@@ -170,9 +172,8 @@ func (r *RootCmd) scaletestNotifications() *serpent.Command {
 					NotificationTimeout:   notificationTimeout,
 					DialTimeout:           dialTimeout,
 					DialBarrier:           dialBarrier,
-					ReceivingWatchBarrier: ownerWatchBarrier,
+					ReceivingWatchBarrier: templateAdminWatchBarrier,
 					Metrics:               metrics,
-					SMTPApiURL:            smtpAPIURL,
 				}
 				if err := config.Validate(); err != nil {
 					return xerrors.Errorf("validate config: %w", err)
@@ -180,7 +181,7 @@ func (r *RootCmd) scaletestNotifications() *serpent.Command {
 				configs = append(configs, config)
 			}
 
-			go triggerUserNotifications(
+			go triggerNotifications(
 				ctx,
 				logger,
 				client,
@@ -261,23 +262,30 @@ func (r *RootCmd) scaletestNotifications() *serpent.Command {
 			Required:      true,
 		},
 		{
-			Flag:        "owner-user-percentage",
-			Env:         "CODER_SCALETEST_NOTIFICATION_OWNER_USER_PERCENTAGE",
+			Flag:        "template-admin-percentage",
+			Env:         "CODER_SCALETEST_NOTIFICATION_TEMPLATE_ADMIN_PERCENTAGE",
 			Default:     "20.0",
-			Description: "Percentage of users to assign Owner role to (0-100).",
-			Value:       serpent.Float64Of(&ownerUserPercentage),
+			Description: "Percentage of users to assign Template Admin role to (0-100).",
+			Value:       serpent.Float64Of(&templateAdminPercentage),
 		},
 		{
 			Flag:        "notification-timeout",
 			Env:         "CODER_SCALETEST_NOTIFICATION_TIMEOUT",
-			Default:     "5m",
+			Default:     "10m",
 			Description: "How long to wait for notifications after triggering.",
 			Value:       serpent.DurationOf(&notificationTimeout),
 		},
+		{
+			Flag:        "smtp-request-timeout",
+			Env:         "CODER_SCALETEST_SMTP_REQUEST_TIMEOUT",
+			Default:     "5m",
+			Description: "Timeout for SMTP requests.",
+			Value:       serpent.DurationOf(&smtpRequestTimeout),
+		},
 		{
 			Flag:        "dial-timeout",
 			Env:         "CODER_SCALETEST_DIAL_TIMEOUT",
-			Default:     "2m",
+			Default:     "10m",
 			Description: "Timeout for dialing the notification websocket endpoint.",
 			Value:       serpent.DurationOf(&dialTimeout),
 		},
@@ -379,9 +387,9 @@ func computeNotificationLatencies(
 	return nil
 }
 
-// triggerUserNotifications waits for all test users to connect,
-// then creates and deletes a test user to trigger notification events for testing.
-func triggerUserNotifications(
+// triggerNotifications waits for all test users to connect,
+// then creates and deletes a test template to trigger notification events for testing.
+func triggerNotifications(
 	ctx context.Context,
 	logger slog.Logger,
 	client *codersdk.Client,
@@ -414,34 +422,49 @@ func triggerUserNotifications(
 		return
 	}
 
-	const (
-		triggerUsername = "scaletest-trigger-user"
-		triggerEmail    = "scaletest-trigger@example.com"
-	)
+	logger.Info(ctx, "creating test template to test notifications")
 
-	logger.Info(ctx, "creating test user to test notifications",
-		slog.F("username", triggerUsername),
-		slog.F("email", triggerEmail),
-		slog.F("org_id", orgID))
+	// Upload empty template file.
+	file, err := client.Upload(ctx, codersdk.ContentTypeTar, bytes.NewReader([]byte{}))
+	if err != nil {
+		logger.Error(ctx, "upload test template", slog.Error(err))
+		return
+	}
+	logger.Info(ctx, "test template uploaded", slog.F("file_id", file.ID))
 
-	testUser, err := client.CreateUserWithOrgs(ctx, codersdk.CreateUserRequestWithOrgs{
-		OrganizationIDs: []uuid.UUID{orgID},
-		Username:        triggerUsername,
-		Email:           triggerEmail,
-		Password:        "test-password-123",
+	// Create template version.
+	version, err := client.CreateTemplateVersion(ctx, orgID, codersdk.CreateTemplateVersionRequest{
+		StorageMethod: codersdk.ProvisionerStorageMethodFile,
+		FileID:        file.ID,
+		Provisioner:   codersdk.ProvisionerTypeEcho,
 	})
 	if err != nil {
-		logger.Error(ctx, "create test user", slog.Error(err))
+		logger.Error(ctx, "create test template version", slog.Error(err))
 		return
 	}
-	expectedNotifications[notificationsLib.TemplateUserAccountCreated] <- time.Now()
+	logger.Info(ctx, "test template version created", slog.F("template_version_id", version.ID))
 
-	err = client.DeleteUser(ctx, testUser.ID)
+	// Create template.
+	testTemplate, err := client.CreateTemplate(ctx, orgID, codersdk.CreateTemplateRequest{
+		Name:        "scaletest-test-template",
+		Description: "scaletest-test-template",
+		VersionID:   version.ID,
+	})
 	if err != nil {
-		logger.Error(ctx, "delete test user", slog.Error(err))
+		logger.Error(ctx, "create test template", slog.Error(err))
 		return
 	}
-	expectedNotifications[notificationsLib.TemplateUserAccountDeleted] <- time.Now()
-	close(expectedNotifications[notificationsLib.TemplateUserAccountCreated])
-	close(expectedNotifications[notificationsLib.TemplateUserAccountDeleted])
+	logger.Info(ctx, "test template created", slog.F("template_id", testTemplate.ID))
+
+	// Delete template to trigger notification.
+	err = client.DeleteTemplate(ctx, testTemplate.ID)
+	if err != nil {
+		logger.Error(ctx, "delete test template", slog.Error(err))
+		return
+	}
+	logger.Info(ctx, "test template deleted", slog.F("template_id", testTemplate.ID))
+
+	// Record expected notification.
+	expectedNotifications[notificationsLib.TemplateTemplateDeleted] <- time.Now()
+	close(expectedNotifications[notificationsLib.TemplateTemplateDeleted])
 }

cli/exp_task_list_test.go

@@ -2,7 +2,6 @@ package cli_test
 
 import (
 	"bytes"
-	"context"
 	"database/sql"
 	"encoding/json"
 	"io"
@@ -19,10 +18,7 @@ import (
 	"github.com/coder/coder/v2/cli/clitest"
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/database"
-	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbfake"
-	"github.com/coder/coder/v2/coderd/database/dbgen"
-	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/util/slice"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/pty/ptytest"
@@ -43,76 +39,22 @@ func makeAITask(t *testing.T, db database.Store, orgID, adminID, ownerID uuid.UU
 			},
 		}).Do()
 
-	ws := database.WorkspaceTable{
+	build := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
 		OrganizationID: orgID,
 		OwnerID:        ownerID,
 		TemplateID:     tv.Template.ID,
-	}
-	build := dbfake.WorkspaceBuild(t, db, ws).
+	}).
 		Seed(database.WorkspaceBuild{
 			TemplateVersionID: tv.TemplateVersion.ID,
 			Transition:        transition,
-		}).WithAgent().Do()
-	dbgen.WorkspaceBuildParameters(t, db, []database.WorkspaceBuildParameter{
-		{
-			WorkspaceBuildID: build.Build.ID,
-			Name:             codersdk.AITaskPromptParameterName,
-			Value:            prompt,
-		},
-	})
-	agents, err := db.GetWorkspaceAgentsByWorkspaceAndBuildNumber(
-		dbauthz.AsSystemRestricted(context.Background()),
-		database.GetWorkspaceAgentsByWorkspaceAndBuildNumberParams{
-			WorkspaceID: build.Workspace.ID,
-			BuildNumber: build.Build.BuildNumber,
-		},
-	)
-	require.NoError(t, err)
-	require.NotEmpty(t, agents)
-	agentID := agents[0].ID
+		}).
+		WithAgent().
+		WithTask(database.TaskTable{
+			Prompt: prompt,
+		}, nil).
+		Do()
 
-	// Create a workspace app and set it as the sidebar app.
-	app := dbgen.WorkspaceApp(t, db, database.WorkspaceApp{
-		AgentID:     agentID,
-		Slug:        "task-sidebar",
-		DisplayName: "Task Sidebar",
-		External:    false,
-	})
-
-	// Update build flags to reference the sidebar app and HasAITask=true.
-	err = db.UpdateWorkspaceBuildFlagsByID(
-		dbauthz.AsSystemRestricted(context.Background()),
-		database.UpdateWorkspaceBuildFlagsByIDParams{
-			ID:               build.Build.ID,
-			HasAITask:        sql.NullBool{Bool: true, Valid: true},
-			HasExternalAgent: sql.NullBool{Bool: false, Valid: false},
-			SidebarAppID:     uuid.NullUUID{UUID: app.ID, Valid: true},
-			UpdatedAt:        build.Build.UpdatedAt,
-		},
-	)
-	require.NoError(t, err)
-
-	// Create a task record in the tasks table for the new data model.
-	task := dbgen.Task(t, db, database.TaskTable{
-		OrganizationID:     orgID,
-		OwnerID:            ownerID,
-		Name:               build.Workspace.Name,
-		WorkspaceID:        uuid.NullUUID{UUID: build.Workspace.ID, Valid: true},
-		TemplateVersionID:  tv.TemplateVersion.ID,
-		TemplateParameters: []byte("{}"),
-		Prompt:             prompt,
-		CreatedAt:          dbtime.Now(),
-	})
-
-	// Link the task to the workspace app.
-	dbgen.TaskWorkspaceApp(t, db, database.TaskWorkspaceApp{
-		TaskID:               task.ID,
-		WorkspaceBuildNumber: build.Build.BuildNumber,
-		WorkspaceAgentID:     uuid.NullUUID{UUID: agentID, Valid: true},
-		WorkspaceAppID:       uuid.NullUUID{UUID: app.ID, Valid: true},
-	})
-
-	return task
+	return build.Task
 }
 
 func TestExpTaskList(t *testing.T) {

cli/exp_task_test.go

@@ -293,7 +293,6 @@ func createAITaskTemplate(t *testing.T, client *codersdk.Client, orgID uuid.UUID
 			{
 				Type: &proto.Response_Plan{
 					Plan: &proto.PlanComplete{
-						Parameters: []*proto.RichParameter{{Name: codersdk.AITaskPromptParameterName, Type: "string"}},
 						HasAiTasks: true,
 					},
 				},
@@ -328,9 +327,7 @@ func createAITaskTemplate(t *testing.T, client *codersdk.Client, orgID uuid.UUID
 						},
 						AiTasks: []*proto.AITask{
 							{
-								SidebarApp: &proto.AITaskSidebarApp{
-									Id: taskAppID.String(),
-								},
+								AppId: taskAppID.String(),
 							},
 						},
 					},

cli/keyring_test.go

@@ -0,0 +1,355 @@
+package cli_test
+
+import (
+	"bytes"
+	"net/url"
+	"os"
+	"path"
+	"runtime"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/cli"
+	"github.com/coder/coder/v2/cli/clitest"
+	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/pty/ptytest"
+)
+
+// mockKeyring is a mock sessionstore.Backend implementation.
+type mockKeyring struct {
+	credentials map[string]string // service name -> credential
+}
+
+const mockServiceName = "mock-service-name"
+
+func newMockKeyring() *mockKeyring {
+	return &mockKeyring{credentials: make(map[string]string)}
+}
+
+func (m *mockKeyring) Read(_ *url.URL) (string, error) {
+	cred, ok := m.credentials[mockServiceName]
+	if !ok {
+		return "", os.ErrNotExist
+	}
+	return cred, nil
+}
+
+func (m *mockKeyring) Write(_ *url.URL, token string) error {
+	m.credentials[mockServiceName] = token
+	return nil
+}
+
+func (m *mockKeyring) Delete(_ *url.URL) error {
+	_, ok := m.credentials[mockServiceName]
+	if !ok {
+		return os.ErrNotExist
+	}
+	delete(m.credentials, mockServiceName)
+	return nil
+}
+
+func TestUseKeyring(t *testing.T) {
+	// Verify that the --use-keyring flag opts into using a keyring backend for
+	// storing session tokens instead of plain text files.
+	t.Parallel()
+
+	t.Run("Login", func(t *testing.T) {
+		t.Parallel()
+
+		// Create a test server
+		client := coderdtest.New(t, nil)
+		coderdtest.CreateFirstUser(t, client)
+
+		// Create a pty for interactive prompts
+		pty := ptytest.New(t)
+
+		// Create CLI invocation with --use-keyring flag
+		inv, cfg := clitest.New(t,
+			"login",
+			"--force-tty",
+			"--use-keyring",
+			"--no-open",
+			client.URL.String(),
+		)
+		inv.Stdin = pty.Input()
+		inv.Stdout = pty.Output()
+
+		// Inject the mock backend before running the command
+		var root cli.RootCmd
+		cmd, err := root.Command(root.AGPL())
+		require.NoError(t, err)
+		mockBackend := newMockKeyring()
+		root.WithSessionStorageBackend(mockBackend)
+		inv.Command = cmd
+
+		// Run login in background
+		doneChan := make(chan struct{})
+		go func() {
+			defer close(doneChan)
+			err := inv.Run()
+			assert.NoError(t, err)
+		}()
+
+		// Provide the token when prompted
+		pty.ExpectMatch("Paste your token here:")
+		pty.WriteLine(client.SessionToken())
+		pty.ExpectMatch("Welcome to Coder")
+		<-doneChan
+
+		// Verify that session file was NOT created (using keyring instead)
+		sessionFile := path.Join(string(cfg), "session")
+		_, err = os.Stat(sessionFile)
+		require.True(t, os.IsNotExist(err), "session file should not exist when using keyring")
+
+		// Verify that the credential IS stored in mock keyring
+		cred, err := mockBackend.Read(nil)
+		require.NoError(t, err, "credential should be stored in mock keyring")
+		require.Equal(t, client.SessionToken(), cred, "stored token should match login token")
+	})
+
+	t.Run("Logout", func(t *testing.T) {
+		t.Parallel()
+
+		// Create a test server
+		client := coderdtest.New(t, nil)
+		coderdtest.CreateFirstUser(t, client)
+
+		// Create a pty for interactive prompts
+		pty := ptytest.New(t)
+
+		// First, login with --use-keyring
+		loginInv, cfg := clitest.New(t,
+			"login",
+			"--force-tty",
+			"--use-keyring",
+			"--no-open",
+			client.URL.String(),
+		)
+		loginInv.Stdin = pty.Input()
+		loginInv.Stdout = pty.Output()
+
+		// Inject the mock backend
+		var loginRoot cli.RootCmd
+		loginCmd, err := loginRoot.Command(loginRoot.AGPL())
+		require.NoError(t, err)
+		mockBackend := newMockKeyring()
+		loginRoot.WithSessionStorageBackend(mockBackend)
+		loginInv.Command = loginCmd
+
+		doneChan := make(chan struct{})
+		go func() {
+			defer close(doneChan)
+			err := loginInv.Run()
+			assert.NoError(t, err)
+		}()
+
+		pty.ExpectMatch("Paste your token here:")
+		pty.WriteLine(client.SessionToken())
+		pty.ExpectMatch("Welcome to Coder")
+		<-doneChan
+
+		// Verify credential exists in mock keyring
+		cred, err := mockBackend.Read(nil)
+		require.NoError(t, err, "read credential should succeed before logout")
+		require.NotEmpty(t, cred, "credential should exist after logout")
+
+		// Now run logout with --use-keyring
+		logoutInv, _ := clitest.New(t,
+			"logout",
+			"--use-keyring",
+			"--yes",
+			"--global-config", string(cfg),
+		)
+
+		// Inject the same mock backend
+		var logoutRoot cli.RootCmd
+		logoutCmd, err := logoutRoot.Command(logoutRoot.AGPL())
+		require.NoError(t, err)
+		logoutRoot.WithSessionStorageBackend(mockBackend)
+		logoutInv.Command = logoutCmd
+
+		var logoutOut bytes.Buffer
+		logoutInv.Stdout = &logoutOut
+
+		err = logoutInv.Run()
+		require.NoError(t, err, "logout should succeed")
+
+		// Verify the credential was deleted from mock keyring
+		_, err = mockBackend.Read(nil)
+		require.ErrorIs(t, err, os.ErrNotExist, "credential should be deleted from keyring after logout")
+	})
+
+	t.Run("OmitFlag", func(t *testing.T) {
+		t.Parallel()
+
+		// Create a test server
+		client := coderdtest.New(t, nil)
+		coderdtest.CreateFirstUser(t, client)
+
+		// Create a pty for interactive prompts
+		pty := ptytest.New(t)
+
+		// --use-keyring flag omitted (should use file-based storage)
+		inv, cfg := clitest.New(t,
+			"login",
+			"--force-tty",
+			"--no-open",
+			client.URL.String(),
+		)
+		inv.Stdin = pty.Input()
+		inv.Stdout = pty.Output()
+
+		doneChan := make(chan struct{})
+		go func() {
+			defer close(doneChan)
+			err := inv.Run()
+			assert.NoError(t, err)
+		}()
+
+		pty.ExpectMatch("Paste your token here:")
+		pty.WriteLine(client.SessionToken())
+		pty.ExpectMatch("Welcome to Coder")
+		<-doneChan
+
+		// Verify that session file WAS created (not using keyring)
+		sessionFile := path.Join(string(cfg), "session")
+		_, err := os.Stat(sessionFile)
+		require.NoError(t, err, "session file should exist when NOT using --use-keyring")
+
+		// Read and verify the token from file
+		content, err := os.ReadFile(sessionFile)
+		require.NoError(t, err, "should be able to read session file")
+		require.Equal(t, client.SessionToken(), string(content), "file should contain the session token")
+	})
+
+	t.Run("EnvironmentVariable", func(t *testing.T) {
+		t.Parallel()
+
+		// Create a test server
+		client := coderdtest.New(t, nil)
+		coderdtest.CreateFirstUser(t, client)
+
+		// Create a pty for interactive prompts
+		pty := ptytest.New(t)
+
+		// Login using CODER_USE_KEYRING environment variable instead of flag
+		inv, cfg := clitest.New(t,
+			"login",
+			"--force-tty",
+			"--no-open",
+			client.URL.String(),
+		)
+		inv.Stdin = pty.Input()
+		inv.Stdout = pty.Output()
+		inv.Environ.Set("CODER_USE_KEYRING", "true")
+
+		// Inject the mock backend
+		var root cli.RootCmd
+		cmd, err := root.Command(root.AGPL())
+		require.NoError(t, err)
+		mockBackend := newMockKeyring()
+		root.WithSessionStorageBackend(mockBackend)
+		inv.Command = cmd
+
+		doneChan := make(chan struct{})
+		go func() {
+			defer close(doneChan)
+			err := inv.Run()
+			assert.NoError(t, err)
+		}()
+
+		pty.ExpectMatch("Paste your token here:")
+		pty.WriteLine(client.SessionToken())
+		pty.ExpectMatch("Welcome to Coder")
+		<-doneChan
+
+		// Verify that session file was NOT created (using keyring via env var)
+		sessionFile := path.Join(string(cfg), "session")
+		_, err = os.Stat(sessionFile)
+		require.True(t, os.IsNotExist(err), "session file should not exist when using keyring via env var")
+
+		// Verify credential is in mock keyring
+		cred, err := mockBackend.Read(nil)
+		require.NoError(t, err, "credential should be stored in keyring when CODER_USE_KEYRING=true")
+		require.NotEmpty(t, cred)
+	})
+}
+
+func TestUseKeyringUnsupportedOS(t *testing.T) {
+	// Verify that trying to use --use-keyring on an unsupported operating system produces
+	// a helpful error message.
+	t.Parallel()
+
+	// Skip on Windows since the keyring is actually supported.
+	if runtime.GOOS == "windows" {
+		t.Skip("Skipping unsupported OS test on Windows where keyring is supported")
+	}
+
+	const expMessage = "keyring storage is not supported on this operating system; remove the --use-keyring flag"
+
+	t.Run("LoginWithUnsupportedKeyring", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, nil)
+		coderdtest.CreateFirstUser(t, client)
+
+		// Try to login with --use-keyring on an unsupported OS
+		inv, _ := clitest.New(t,
+			"login",
+			"--use-keyring",
+			client.URL.String(),
+		)
+
+		// The error should occur immediately, before any prompts
+		loginErr := inv.Run()
+
+		// Verify we got an error about unsupported OS
+		require.Error(t, loginErr)
+		require.Contains(t, loginErr.Error(), expMessage)
+	})
+
+	t.Run("LogoutWithUnsupportedKeyring", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, nil)
+		coderdtest.CreateFirstUser(t, client)
+		pty := ptytest.New(t)
+
+		// First login without keyring to create a session
+		loginInv, cfg := clitest.New(t,
+			"login",
+			"--force-tty",
+			"--no-open",
+			client.URL.String(),
+		)
+		loginInv.Stdin = pty.Input()
+		loginInv.Stdout = pty.Output()
+
+		doneChan := make(chan struct{})
+		go func() {
+			defer close(doneChan)
+			err := loginInv.Run()
+			assert.NoError(t, err)
+		}()
+
+		pty.ExpectMatch("Paste your token here:")
+		pty.WriteLine(client.SessionToken())
+		pty.ExpectMatch("Welcome to Coder")
+		<-doneChan
+
+		// Now try to logout with --use-keyring on an unsupported OS
+		logoutInv, _ := clitest.New(t,
+			"logout",
+			"--use-keyring",
+			"--yes",
+			"--global-config", string(cfg),
+		)
+
+		err := logoutInv.Run()
+		// Verify we got an error about unsupported OS
+		require.Error(t, err)
+		require.Contains(t, err.Error(), expMessage)
+	})
+}

cli/login.go

@@ -19,6 +19,7 @@ import (
 	"github.com/coder/pretty"
 
 	"github.com/coder/coder/v2/cli/cliui"
+	"github.com/coder/coder/v2/cli/sessionstore"
 	"github.com/coder/coder/v2/coderd/userpassword"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/serpent"
@@ -114,9 +115,11 @@ func (r *RootCmd) loginWithPassword(
 	}
 
 	sessionToken := resp.SessionToken
-	config := r.createConfig()
-	err = config.Session().Write(sessionToken)
+	err = r.ensureTokenBackend().Write(client.URL, sessionToken)
 	if err != nil {
+		if xerrors.Is(err, sessionstore.ErrNotImplemented) {
+			return errKeyringNotSupported
+		}
 		return xerrors.Errorf("write session token: %w", err)
 	}
 
@@ -149,11 +152,15 @@ func (r *RootCmd) login() *serpent.Command {
 		useTokenForSession bool
 	)
 	cmd := &serpent.Command{
-		Use:        "login [<url>]",
-		Short:      "Authenticate with Coder deployment",
+		Use:   "login [<url>]",
+		Short: "Authenticate with Coder deployment",
+		Long: "By default, the session token is stored in a plain text file. Use the " +
+			"--use-keyring flag or set CODER_USE_KEYRING=true to store the token in " +
+			"the operating system keyring instead.",
 		Middleware: serpent.RequireRangeArgs(0, 1),
 		Handler: func(inv *serpent.Invocation) error {
 			ctx := inv.Context()
+
 			rawURL := ""
 			var urlSource string
 
@@ -198,6 +205,15 @@ func (r *RootCmd) login() *serpent.Command {
 				return err
 			}
 
+			// Check keyring availability before prompting the user for a token to fail fast.
+			if r.useKeyring {
+				backend := r.ensureTokenBackend()
+				_, err := backend.Read(client.URL)
+				if err != nil && xerrors.Is(err, sessionstore.ErrNotImplemented) {
+					return errKeyringNotSupported
+				}
+			}
+
 			hasFirstUser, err := client.HasFirstUser(ctx)
 			if err != nil {
 				return xerrors.Errorf("Failed to check server %q for first user, is the URL correct and is coder accessible from your browser? Error - has initial user: %w", serverURL.String(), err)
@@ -394,8 +410,11 @@ func (r *RootCmd) login() *serpent.Command {
 			}
 
 			config := r.createConfig()
-			err = config.Session().Write(sessionToken)
+			err = r.ensureTokenBackend().Write(client.URL, sessionToken)
 			if err != nil {
+				if xerrors.Is(err, sessionstore.ErrNotImplemented) {
+					return errKeyringNotSupported
+				}
 				return xerrors.Errorf("write session token: %w", err)
 			}
 			err = config.URL().Write(serverURL.String())

cli/logout.go

@@ -8,6 +8,7 @@ import (
 	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/v2/cli/cliui"
+	"github.com/coder/coder/v2/cli/sessionstore"
 	"github.com/coder/serpent"
 )
 
@@ -46,11 +47,15 @@ func (r *RootCmd) logout() *serpent.Command {
 				errors = append(errors, xerrors.Errorf("remove URL file: %w", err))
 			}
 
-			err = config.Session().Delete()
+			err = r.ensureTokenBackend().Delete(client.URL)
 			// Only throw error if the session configuration file is present,
 			// otherwise the user is already logged out, and we proceed
-			if err != nil && !os.IsNotExist(err) {
-				errors = append(errors, xerrors.Errorf("remove session file: %w", err))
+			if err != nil && !xerrors.Is(err, os.ErrNotExist) {
+				if xerrors.Is(err, sessionstore.ErrNotImplemented) {
+					errors = append(errors, errKeyringNotSupported)
+				} else {
+					errors = append(errors, xerrors.Errorf("remove session token: %w", err))
+				}
 			}
 
 			err = config.Organization().Delete()

cli/root.go

@@ -37,6 +37,7 @@ import (
 	"github.com/coder/coder/v2/cli/cliui"
 	"github.com/coder/coder/v2/cli/config"
 	"github.com/coder/coder/v2/cli/gitauth"
+	"github.com/coder/coder/v2/cli/sessionstore"
 	"github.com/coder/coder/v2/cli/telemetry"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/agentsdk"
@@ -54,6 +55,8 @@ var (
 	// ErrSilent is a sentinel error that tells the command handler to just exit with a non-zero error, but not print
 	// anything.
 	ErrSilent = xerrors.New("silent error")
+
+	errKeyringNotSupported = xerrors.New("keyring storage is not supported on this operating system; remove the --use-keyring flag to use file-based storage")
 )
 
 const (
@@ -68,12 +71,14 @@ const (
 	varVerbose                 = "verbose"
 	varDisableDirect           = "disable-direct-connections"
 	varDisableNetworkTelemetry = "disable-network-telemetry"
+	varUseKeyring              = "use-keyring"
 
 	notLoggedInMessage = "You are not logged in. Try logging in using '%s login <url>'."
 
 	envNoVersionCheck   = "CODER_NO_VERSION_WARNING"
 	envNoFeatureWarning = "CODER_NO_FEATURE_WARNING"
 	envSessionToken     = "CODER_SESSION_TOKEN"
+	envUseKeyring       = "CODER_USE_KEYRING"
 	//nolint:gosec
 	envAgentToken = "CODER_AGENT_TOKEN"
 	//nolint:gosec
@@ -474,6 +479,15 @@ func (r *RootCmd) Command(subcommands []*serpent.Command) (*serpent.Command, err
 			Value:       serpent.BoolOf(&r.disableNetworkTelemetry),
 			Group:       globalGroup,
 		},
+		{
+			Flag: varUseKeyring,
+			Env:  envUseKeyring,
+			Description: "Store and retrieve session tokens using the operating system " +
+				"keyring. Currently only supported on Windows. By default, tokens are " +
+				"stored in plain text files.",
+			Value: serpent.BoolOf(&r.useKeyring),
+			Group: globalGroup,
+		},
 		{
 			Flag:        "debug-http",
 			Description: "Debug codersdk HTTP requests.",
@@ -508,6 +522,7 @@ func (r *RootCmd) Command(subcommands []*serpent.Command) (*serpent.Command, err
 type RootCmd struct {
 	clientURL     *url.URL
 	token         string
+	tokenBackend  sessionstore.Backend
 	globalConfig  string
 	header        []string
 	headerCommand string
@@ -522,6 +537,7 @@ type RootCmd struct {
 	disableNetworkTelemetry bool
 	noVersionCheck          bool
 	noFeatureWarning        bool
+	useKeyring              bool
 }
 
 // InitClient creates and configures a new client with authentication, telemetry,
@@ -549,14 +565,19 @@ func (r *RootCmd) InitClient(inv *serpent.Invocation) (*codersdk.Client, error)
 			return nil, err
 		}
 	}
-	// Read the token stored on disk.
 	if r.token == "" {
-		r.token, err = conf.Session().Read()
+		tok, err := r.ensureTokenBackend().Read(r.clientURL)
 		// Even if there isn't a token, we don't care.
 		// Some API routes can be unauthenticated.
-		if err != nil && !os.IsNotExist(err) {
+		if err != nil && !xerrors.Is(err, os.ErrNotExist) {
+			if xerrors.Is(err, sessionstore.ErrNotImplemented) {
+				return nil, errKeyringNotSupported
+			}
 			return nil, err
 		}
+		if tok != "" {
+			r.token = tok
+		}
 	}
 
 	// Configure HTTP client with transport wrappers
@@ -588,7 +609,6 @@ func (r *RootCmd) InitClient(inv *serpent.Invocation) (*codersdk.Client, error)
 // This allows commands to run without requiring authentication, but still use auth if available.
 func (r *RootCmd) TryInitClient(inv *serpent.Invocation) (*codersdk.Client, error) {
 	conf := r.createConfig()
-	var err error
 	// Read the client URL stored on disk.
 	if r.clientURL == nil || r.clientURL.String() == "" {
 		rawURL, err := conf.URL().Read()
@@ -605,14 +625,19 @@ func (r *RootCmd) TryInitClient(inv *serpent.Invocation) (*codersdk.Client, erro
 			}
 		}
 	}
-	// Read the token stored on disk.
 	if r.token == "" {
-		r.token, err = conf.Session().Read()
+		tok, err := r.ensureTokenBackend().Read(r.clientURL)
 		// Even if there isn't a token, we don't care.
 		// Some API routes can be unauthenticated.
-		if err != nil && !os.IsNotExist(err) {
+		if err != nil && !xerrors.Is(err, os.ErrNotExist) {
+			if xerrors.Is(err, sessionstore.ErrNotImplemented) {
+				return nil, errKeyringNotSupported
+			}
 			return nil, err
 		}
+		if tok != "" {
+			r.token = tok
+		}
 	}
 
 	// Only configure the client if we have a URL
@@ -688,6 +713,24 @@ func (r *RootCmd) createUnauthenticatedClient(ctx context.Context, serverURL *ur
 	return client, nil
 }
 
+// ensureTokenBackend returns the session token storage backend, creating it if necessary.
+// This must be called after flags are parsed so we can respect the value of the --use-keyring
+// flag.
+func (r *RootCmd) ensureTokenBackend() sessionstore.Backend {
+	if r.tokenBackend == nil {
+		if r.useKeyring {
+			r.tokenBackend = sessionstore.NewKeyring()
+		} else {
+			r.tokenBackend = sessionstore.NewFile(r.createConfig)
+		}
+	}
+	return r.tokenBackend
+}
+
+func (r *RootCmd) WithSessionStorageBackend(backend sessionstore.Backend) {
+	r.tokenBackend = backend
+}
+
 type AgentAuth struct {
 	// Agent Client config
 	agentToken     string
@@ -1318,14 +1361,37 @@ func SlimUnsupported(w io.Writer, cmd string) {
 	os.Exit(1)
 }
 
-func defaultUpgradeMessage(version string) string {
-	// Our installation script doesn't work on Windows, so instead we direct the user
-	// to the GitHub release page to download the latest installer.
-	version = strings.TrimPrefix(version, "v")
-	if runtime.GOOS == "windows" {
-		return fmt.Sprintf("download the server version from: https://github.com/coder/coder/releases/v%s", version)
+// defaultUpgradeMessage builds an appropriate upgrade message for the platform.
+// Precedence:
+//  1. If a custom upgrade message is provided by the server, use it.
+//  2. If the server provides a dashboard URL (v2.19+) and the platform is not Windows,
+//     recommend the site-local install.sh.
+//  3. On Windows, point to the tagged GitHub release page where binaries are published.
+//  4. Otherwise, recommend the global install.sh with explicit version.
+func defaultUpgradeMessage(version, dashboardURL, customUpgradeMessage string) string {
+	if customUpgradeMessage != "" {
+		return customUpgradeMessage
 	}
-	return fmt.Sprintf("download the server version with: 'curl -L https://coder.com/install.sh | sh -s -- --version %s'", version)
+
+	// Ensure canonical semver for comparisons and display
+	canonical := semver.Canonical(version)
+	trimmed := strings.TrimPrefix(canonical, "v")
+
+	// The site-local `install.sh` was introduced in v2.19.0.
+	if dashboardURL != "" && semver.Compare(semver.MajorMinor(canonical), "v2.19") >= 0 {
+		// The site-local install.sh is only valid for macOS and Linux.
+		if runtime.GOOS != "windows" {
+			return fmt.Sprintf("download %s with: 'curl -fsSL %s/install.sh | sh'", canonical, dashboardURL)
+		}
+		// Fall through to Windows-specific suggestion below.
+	}
+
+	if runtime.GOOS == "windows" {
+		// Link directly to the release page; Windows binaries are published there.
+		return fmt.Sprintf("download the server version from: https://github.com/coder/coder/releases/v%s", trimmed)
+	}
+
+	return fmt.Sprintf("download the server version with: 'curl -L https://coder.com/install.sh | sh -s -- --version %s'", trimmed)
 }
 
 // wrapTransportWithEntitlementsCheck adds a middleware to the HTTP transport
@@ -1364,19 +1430,19 @@ func wrapTransportWithVersionMismatchCheck(rt http.RoundTripper, inv *serpent.In
 			if buildinfo.VersionsMatch(clientVersion, serverVersion) {
 				return
 			}
-			upgradeMessage := defaultUpgradeMessage(semver.Canonical(serverVersion))
+			var dashboardURL, customUpgradeMessage string
 			if serverInfo, err := getBuildInfo(inv.Context()); err == nil {
-				switch {
-				case serverInfo.UpgradeMessage != "":
-					upgradeMessage = serverInfo.UpgradeMessage
-				// The site-local `install.sh` was introduced in v2.19.0
-				case serverInfo.DashboardURL != "" && semver.Compare(semver.MajorMinor(serverVersion), "v2.19") >= 0:
-					upgradeMessage = fmt.Sprintf("download %s with: 'curl -fsSL %s/install.sh | sh'", serverVersion, serverInfo.DashboardURL)
-				}
+				dashboardURL = serverInfo.DashboardURL
+				customUpgradeMessage = serverInfo.UpgradeMessage
 			}
-			fmtWarningText := "version mismatch: client %s, server %s\n%s"
-			fmtWarn := pretty.Sprint(cliui.DefaultStyles.Warn, fmtWarningText)
-			warning := fmt.Sprintf(fmtWarn, clientVersion, serverVersion, upgradeMessage)
+			upgradeMessage := defaultUpgradeMessage(serverVersion, dashboardURL, customUpgradeMessage)
+			warning := pretty.Sprintf(
+				cliui.DefaultStyles.Warn,
+				"version mismatch: client %s, server %s\n%s",
+				clientVersion,
+				serverVersion,
+				upgradeMessage,
+			)
 
 			_, _ = fmt.Fprintln(inv.Stderr, warning)
 		})

cli/sessionstore/sessionstore.go

@@ -0,0 +1,239 @@
+// Package sessionstore provides CLI session token storage mechanisms.
+// Operating system keyring storage is intended to have compatibility with other Coder
+// applications (e.g. Coder Desktop, Coder provider for JetBrains Toolbox, etc) so that
+// applications can read/write the same credential stored in the keyring.
+//
+// Note that we aren't using an existing Go package zalando/go-keyring here for a few
+// reasons. 1) It prescribes the format of the target credential name in the OS keyrings,
+// which makes our life difficult for compatibility with other Coder applications. 2)
+// It uses init functions that make it difficult to test with. As a result, the OS
+// keyring implementations may be adapted from zalando/go-keyring source (i.e. Windows).
+package sessionstore
+
+import (
+	"encoding/json"
+	"errors"
+	"net/url"
+	"os"
+	"strings"
+
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/cli/config"
+)
+
+// Backend is a storage backend for session tokens.
+type Backend interface {
+	// Read returns the session token for the given server URL or an error, if any. It
+	// will return os.ErrNotExist if no token exists for the given URL.
+	Read(serverURL *url.URL) (string, error)
+	// Write stores the session token for the given server URL.
+	Write(serverURL *url.URL, token string) error
+	// Delete removes the session token for the given server URL or an error, if any.
+	// It will return os.ErrNotExist error if no token exists to delete.
+	Delete(serverURL *url.URL) error
+}
+
+var (
+
+	// ErrSetDataTooBig is returned if `keyringProvider.Set` was called with too much data.
+	// On macOS: The combination of service, username & password should not exceed ~3000 bytes
+	// On Windows: The service is limited to 32KiB while the password is limited to 2560 bytes
+	ErrSetDataTooBig = xerrors.New("data passed to Set was too big")
+
+	// ErrNotImplemented represents when keyring usage is not implemented on the current
+	// operating system.
+	ErrNotImplemented = xerrors.New("not implemented")
+)
+
+// keyringProvider represents an operating system keyring. The expectation
+// is these methods operate on the user/login keyring.
+type keyringProvider interface {
+	// Set stores the given credential for a service name in the operating system
+	// keyring.
+	Set(service, credential string) error
+	// Get retrieves the credential from the keyring. It must return os.ErrNotExist
+	// if the credential is not found.
+	Get(service string) ([]byte, error)
+	// Delete deletes the credential from the keyring. It must return os.ErrNotExist
+	// if the credential is not found.
+	Delete(service string) error
+}
+
+// credential represents a single credential entry.
+type credential struct {
+	CoderURL string `json:"coder_url"`
+	APIToken string `json:"api_token"`
+}
+
+// credentialsMap represents the JSON structure stored in the operating system keyring.
+// It supports storing multiple credentials for different server URLs.
+type credentialsMap map[string]credential
+
+// normalizeHost returns a normalized version of the URL host for use as a map key.
+func normalizeHost(u *url.URL) (string, error) {
+	if u == nil || u.Host == "" {
+		return "", xerrors.New("nil server URL")
+	}
+	return strings.TrimSpace(strings.ToLower(u.Host)), nil
+}
+
+// parseCredentialsJSON parses the JSON from the keyring into a credentialsMap.
+func parseCredentialsJSON(jsonData []byte) (credentialsMap, error) {
+	if len(jsonData) == 0 {
+		return make(credentialsMap), nil
+	}
+
+	var creds credentialsMap
+	if err := json.Unmarshal(jsonData, &creds); err != nil {
+		return nil, xerrors.Errorf("unmarshal credentials: %w", err)
+	}
+
+	return creds, nil
+}
+
+// Keyring is a Backend that exclusively stores the session token in the operating
+// system keyring. Happy path usage of this type should start with NewKeyring.
+// It stores a JSON object in the keyring that supports multiple credentials for
+// different server URLs, providing compatibility with Coder Desktop and other Coder
+// applications.
+type Keyring struct {
+	provider    keyringProvider
+	serviceName string
+}
+
+// NewKeyring creates a Keyring with the default service name for production use.
+func NewKeyring() Keyring {
+	return Keyring{
+		provider:    operatingSystemKeyring{},
+		serviceName: defaultServiceName,
+	}
+}
+
+// NewKeyringWithService creates a Keyring Backend that stores credentials under the
+// specified service name. This is primarily intended for testing to avoid conflicts
+// with production credentials and collisions between tests.
+func NewKeyringWithService(serviceName string) Keyring {
+	return Keyring{
+		provider:    operatingSystemKeyring{},
+		serviceName: serviceName,
+	}
+}
+
+func (o Keyring) Read(serverURL *url.URL) (string, error) {
+	host, err := normalizeHost(serverURL)
+	if err != nil {
+		return "", err
+	}
+
+	credJSON, err := o.provider.Get(o.serviceName)
+	if err != nil {
+		return "", err
+	}
+	if len(credJSON) == 0 {
+		return "", os.ErrNotExist
+	}
+
+	creds, err := parseCredentialsJSON(credJSON)
+	if err != nil {
+		return "", xerrors.Errorf("read: parse existing credentials: %w", err)
+	}
+
+	// Return the credential for the specified URL
+	cred, ok := creds[host]
+	if !ok {
+		return "", os.ErrNotExist
+	}
+	return cred.APIToken, nil
+}
+
+func (o Keyring) Write(serverURL *url.URL, token string) error {
+	host, err := normalizeHost(serverURL)
+	if err != nil {
+		return err
+	}
+
+	existingJSON, err := o.provider.Get(o.serviceName)
+	if err != nil && !errors.Is(err, os.ErrNotExist) {
+		return xerrors.Errorf("read existing credentials: %w", err)
+	}
+
+	creds, err := parseCredentialsJSON(existingJSON)
+	if err != nil {
+		return xerrors.Errorf("write: parse existing credentials: %w", err)
+	}
+
+	// Upsert the credential for this URL.
+	creds[host] = credential{
+		CoderURL: host,
+		APIToken: token,
+	}
+
+	credsJSON, err := json.Marshal(creds)
+	if err != nil {
+		return xerrors.Errorf("marshal credentials: %w", err)
+	}
+
+	err = o.provider.Set(o.serviceName, string(credsJSON))
+	if err != nil {
+		return xerrors.Errorf("write credentials to keyring: %w", err)
+	}
+	return nil
+}
+
+func (o Keyring) Delete(serverURL *url.URL) error {
+	host, err := normalizeHost(serverURL)
+	if err != nil {
+		return err
+	}
+
+	existingJSON, err := o.provider.Get(o.serviceName)
+	if err != nil {
+		return err
+	}
+
+	creds, err := parseCredentialsJSON(existingJSON)
+	if err != nil {
+		return xerrors.Errorf("failed to parse existing credentials: %w", err)
+	}
+
+	if _, ok := creds[host]; !ok {
+		return os.ErrNotExist
+	}
+
+	delete(creds, host)
+
+	// Delete the entire keyring entry when no credentials remain.
+	if len(creds) == 0 {
+		return o.provider.Delete(o.serviceName)
+	}
+
+	// Write back the updated credentials map.
+	credsJSON, err := json.Marshal(creds)
+	if err != nil {
+		return xerrors.Errorf("failed to marshal credentials: %w", err)
+	}
+
+	return o.provider.Set(o.serviceName, string(credsJSON))
+}
+
+// File is a Backend that exclusively stores the session token in a file on disk.
+type File struct {
+	config func() config.Root
+}
+
+func NewFile(f func() config.Root) *File {
+	return &File{config: f}
+}
+
+func (f *File) Read(_ *url.URL) (string, error) {
+	return f.config().Session().Read()
+}
+
+func (f *File) Write(_ *url.URL, token string) error {
+	return f.config().Session().Write(token)
+}
+
+func (f *File) Delete(_ *url.URL) error {
+	return f.config().Session().Delete()
+}

cli/sessionstore/sessionstore_internal_test.go

@@ -0,0 +1,121 @@
+package sessionstore
+
+import (
+	"encoding/json"
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNormalizeHost(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		url     *url.URL
+		want    string
+		wantErr bool
+	}{
+		{
+			name: "StandardHost",
+			url:  &url.URL{Host: "coder.example.com"},
+			want: "coder.example.com",
+		},
+		{
+			name: "HostWithPort",
+			url:  &url.URL{Host: "coder.example.com:8080"},
+			want: "coder.example.com:8080",
+		},
+		{
+			name: "UppercaseHost",
+			url:  &url.URL{Host: "CODER.EXAMPLE.COM"},
+			want: "coder.example.com",
+		},
+		{
+			name: "HostWithWhitespace",
+			url:  &url.URL{Host: "  coder.example.com  "},
+			want: "coder.example.com",
+		},
+		{
+			name:    "NilURL",
+			url:     nil,
+			want:    "",
+			wantErr: true,
+		},
+		{
+			name:    "EmptyHost",
+			url:     &url.URL{Host: ""},
+			want:    "",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got, err := normalizeHost(tt.url)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			require.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestParseCredentialsJSON(t *testing.T) {
+	t.Parallel()
+
+	t.Run("Empty", func(t *testing.T) {
+		t.Parallel()
+		creds, err := parseCredentialsJSON(nil)
+		require.NoError(t, err)
+		require.NotNil(t, creds)
+		require.Empty(t, creds)
+	})
+
+	t.Run("NewFormat", func(t *testing.T) {
+		t.Parallel()
+		jsonData := []byte(`{
+			"coder1.example.com": {"coder_url": "coder1.example.com", "api_token": "token1"},
+			"coder2.example.com": {"coder_url": "coder2.example.com", "api_token": "token2"}
+		}`)
+		creds, err := parseCredentialsJSON(jsonData)
+		require.NoError(t, err)
+		require.Len(t, creds, 2)
+		require.Equal(t, "token1", creds["coder1.example.com"].APIToken)
+		require.Equal(t, "token2", creds["coder2.example.com"].APIToken)
+	})
+
+	t.Run("InvalidJSON", func(t *testing.T) {
+		t.Parallel()
+		jsonData := []byte(`{invalid json}`)
+		_, err := parseCredentialsJSON(jsonData)
+		require.Error(t, err)
+	})
+}
+
+func TestCredentialsMap_RoundTrip(t *testing.T) {
+	t.Parallel()
+
+	creds := credentialsMap{
+		"coder1.example.com": {
+			CoderURL: "coder1.example.com",
+			APIToken: "token1",
+		},
+		"coder2.example.com:8080": {
+			CoderURL: "coder2.example.com:8080",
+			APIToken: "token2",
+		},
+	}
+
+	jsonData, err := json.Marshal(creds)
+	require.NoError(t, err)
+
+	parsed, err := parseCredentialsJSON(jsonData)
+	require.NoError(t, err)
+
+	require.Equal(t, creds, parsed)
+}

cli/sessionstore/sessionstore_other.go

@@ -0,0 +1,19 @@
+//go:build !windows
+
+package sessionstore
+
+const defaultServiceName = "not-implemented"
+
+type operatingSystemKeyring struct{}
+
+func (operatingSystemKeyring) Set(_, _ string) error {
+	return ErrNotImplemented
+}
+
+func (operatingSystemKeyring) Get(_ string) ([]byte, error) {
+	return nil, ErrNotImplemented
+}
+
+func (operatingSystemKeyring) Delete(_ string) error {
+	return ErrNotImplemented
+}

cli/sessionstore/sessionstore_test.go

@@ -0,0 +1,342 @@
+package sessionstore_test
+
+import (
+	"errors"
+	"fmt"
+	"net/url"
+	"os"
+	"path"
+	"runtime"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/cli/config"
+	"github.com/coder/coder/v2/cli/sessionstore"
+)
+
+// Generate a test service name for use with the OS keyring. It uses a combination
+// of the test name and a nanosecond timestamp to prevent collisions.
+func keyringTestServiceName(t *testing.T) string {
+	t.Helper()
+	return t.Name() + "_" + fmt.Sprintf("%v", time.Now().UnixNano())
+}
+
+func TestKeyring(t *testing.T) {
+	t.Parallel()
+
+	if runtime.GOOS != "windows" {
+		t.Skip("linux and darwin are not supported yet")
+	}
+
+	// This test exercises use of the operating system keyring. As a result,
+	// the operating system keyring is expected to be available.
+
+	const (
+		testURL  = "http://127.0.0.1:1337"
+		testURL2 = "http://127.0.0.1:1338"
+	)
+
+	t.Run("ReadNonExistent", func(t *testing.T) {
+		t.Parallel()
+
+		backend := sessionstore.NewKeyringWithService(keyringTestServiceName(t))
+		srvURL, err := url.Parse(testURL)
+		require.NoError(t, err)
+		t.Cleanup(func() { _ = backend.Delete(srvURL) })
+
+		_, err = backend.Read(srvURL)
+		require.Error(t, err)
+		require.True(t, os.IsNotExist(err), "expected os.ErrNotExist when reading non-existent token")
+	})
+
+	t.Run("DeleteNonExistent", func(t *testing.T) {
+		t.Parallel()
+
+		backend := sessionstore.NewKeyringWithService(keyringTestServiceName(t))
+		srvURL, err := url.Parse(testURL)
+		require.NoError(t, err)
+		t.Cleanup(func() { _ = backend.Delete(srvURL) })
+
+		err = backend.Delete(srvURL)
+		require.Error(t, err)
+		require.True(t, errors.Is(err, os.ErrNotExist), "expected os.ErrNotExist when deleting non-existent token")
+	})
+
+	t.Run("WriteAndRead", func(t *testing.T) {
+		t.Parallel()
+
+		backend := sessionstore.NewKeyringWithService(keyringTestServiceName(t))
+		srvURL, err := url.Parse(testURL)
+		require.NoError(t, err)
+		t.Cleanup(func() { _ = backend.Delete(srvURL) })
+
+		dir := t.TempDir()
+		expSessionFile := path.Join(dir, "session")
+
+		const inputToken = "test-keyring-token-12345"
+		err = backend.Write(srvURL, inputToken)
+		require.NoError(t, err)
+
+		// Verify no session file was created (keyring stores in OS keyring, not file)
+		_, err = os.Stat(expSessionFile)
+		require.True(t, errors.Is(err, os.ErrNotExist), "expected session token file to not exist when using keyring")
+
+		token, err := backend.Read(srvURL)
+		require.NoError(t, err)
+		require.Equal(t, inputToken, token)
+
+		// Clean up
+		err = backend.Delete(srvURL)
+		require.NoError(t, err)
+	})
+
+	t.Run("WriteAndDelete", func(t *testing.T) {
+		t.Parallel()
+
+		backend := sessionstore.NewKeyringWithService(keyringTestServiceName(t))
+		srvURL, err := url.Parse(testURL)
+		require.NoError(t, err)
+		t.Cleanup(func() { _ = backend.Delete(srvURL) })
+
+		const inputToken = "test-keyring-token-67890"
+		err = backend.Write(srvURL, inputToken)
+		require.NoError(t, err)
+
+		token, err := backend.Read(srvURL)
+		require.NoError(t, err)
+		require.Equal(t, inputToken, token)
+
+		err = backend.Delete(srvURL)
+		require.NoError(t, err)
+
+		_, err = backend.Read(srvURL)
+		require.Error(t, err)
+		require.True(t, os.IsNotExist(err), "expected os.ErrNotExist after deleting token")
+	})
+
+	t.Run("OverwriteToken", func(t *testing.T) {
+		t.Parallel()
+
+		backend := sessionstore.NewKeyringWithService(keyringTestServiceName(t))
+		srvURL, err := url.Parse(testURL)
+		require.NoError(t, err)
+		t.Cleanup(func() { _ = backend.Delete(srvURL) })
+
+		// Write first token
+		const firstToken = "first-keyring-token"
+		err = backend.Write(srvURL, firstToken)
+		require.NoError(t, err)
+
+		token, err := backend.Read(srvURL)
+		require.NoError(t, err)
+		require.Equal(t, firstToken, token)
+
+		// Overwrite with second token
+		const secondToken = "second-keyring-token"
+		err = backend.Write(srvURL, secondToken)
+		require.NoError(t, err)
+
+		token, err = backend.Read(srvURL)
+		require.NoError(t, err)
+		require.Equal(t, secondToken, token)
+
+		// Clean up
+		err = backend.Delete(srvURL)
+		require.NoError(t, err)
+	})
+
+	t.Run("MultipleServers", func(t *testing.T) {
+		t.Parallel()
+
+		backend := sessionstore.NewKeyringWithService(keyringTestServiceName(t))
+		srvURL, err := url.Parse(testURL)
+		require.NoError(t, err)
+		srvURL2, err := url.Parse(testURL2)
+		require.NoError(t, err)
+
+		t.Cleanup(func() {
+			_ = backend.Delete(srvURL)
+			_ = backend.Delete(srvURL2)
+		})
+
+		// Write token for server 1
+		const token1 = "token-for-server-1"
+		err = backend.Write(srvURL, token1)
+		require.NoError(t, err)
+
+		// Write token for server 2 (should NOT overwrite server 1)
+		const token2 = "token-for-server-2"
+		err = backend.Write(srvURL2, token2)
+		require.NoError(t, err)
+
+		// Read server 1's credential
+		token, err := backend.Read(srvURL)
+		require.NoError(t, err)
+		require.Equal(t, token1, token)
+
+		// Read server 2's credential
+		token, err = backend.Read(srvURL2)
+		require.NoError(t, err)
+		require.Equal(t, token2, token)
+
+		// Delete server 1's credential
+		err = backend.Delete(srvURL)
+		require.NoError(t, err)
+
+		// Verify server 1's credential is gone
+		_, err = backend.Read(srvURL)
+		require.Error(t, err)
+		require.True(t, os.IsNotExist(err))
+
+		// Verify server 2's credential still exists
+		token, err = backend.Read(srvURL2)
+		require.NoError(t, err)
+		require.Equal(t, token2, token)
+
+		// Clean up remaining credentials
+		err = backend.Delete(srvURL2)
+		require.NoError(t, err)
+	})
+}
+
+func TestFile(t *testing.T) {
+	const (
+		testURL  = "http://127.0.0.1:1337"
+		testURL2 = "http://127.0.0.1:1338"
+	)
+
+	t.Parallel()
+
+	t.Run("ReadNonExistent", func(t *testing.T) {
+		t.Parallel()
+
+		dir := t.TempDir()
+		backend := sessionstore.NewFile(func() config.Root { return config.Root(dir) })
+		srvURL, err := url.Parse(testURL)
+		require.NoError(t, err)
+
+		_, err = backend.Read(srvURL)
+		require.Error(t, err)
+		require.True(t, os.IsNotExist(err))
+	})
+
+	t.Run("WriteAndRead", func(t *testing.T) {
+		t.Parallel()
+
+		dir := t.TempDir()
+		backend := sessionstore.NewFile(func() config.Root { return config.Root(dir) })
+		srvURL, err := url.Parse(testURL)
+		require.NoError(t, err)
+
+		// Write a token
+		const inputToken = "test-token-12345"
+		err = backend.Write(srvURL, inputToken)
+		require.NoError(t, err)
+
+		// Verify the session file was created
+		sessionFile := config.Root(dir).Session()
+		require.True(t, sessionFile.Exists())
+
+		// Read the token back
+		token, err := backend.Read(srvURL)
+		require.NoError(t, err)
+		require.Equal(t, inputToken, token)
+	})
+
+	t.Run("WriteAndDelete", func(t *testing.T) {
+		t.Parallel()
+
+		dir := t.TempDir()
+		backend := sessionstore.NewFile(func() config.Root { return config.Root(dir) })
+		srvURL, err := url.Parse(testURL)
+		require.NoError(t, err)
+
+		// Write a token
+		const inputToken = "test-token-67890"
+		err = backend.Write(srvURL, inputToken)
+		require.NoError(t, err)
+
+		// Verify the token was written
+		token, err := backend.Read(srvURL)
+		require.NoError(t, err)
+		require.Equal(t, inputToken, token)
+
+		// Delete the token
+		err = backend.Delete(srvURL)
+		require.NoError(t, err)
+
+		// Verify the token is gone
+		_, err = backend.Read(srvURL)
+		require.Error(t, err)
+		require.True(t, os.IsNotExist(err))
+	})
+
+	t.Run("DeleteNonExistent", func(t *testing.T) {
+		t.Parallel()
+
+		dir := t.TempDir()
+		backend := sessionstore.NewFile(func() config.Root { return config.Root(dir) })
+		srvURL, err := url.Parse(testURL)
+		require.NoError(t, err)
+
+		// Attempt to delete a non-existent token
+		err = backend.Delete(srvURL)
+		require.Error(t, err)
+		require.True(t, os.IsNotExist(err))
+	})
+
+	t.Run("OverwriteToken", func(t *testing.T) {
+		t.Parallel()
+
+		dir := t.TempDir()
+		backend := sessionstore.NewFile(func() config.Root { return config.Root(dir) })
+		srvURL, err := url.Parse(testURL)
+		require.NoError(t, err)
+
+		// Write first token
+		const firstToken = "first-token"
+		err = backend.Write(srvURL, firstToken)
+		require.NoError(t, err)
+
+		token, err := backend.Read(srvURL)
+		require.NoError(t, err)
+		require.Equal(t, firstToken, token)
+
+		// Overwrite with second token
+		const secondToken = "second-token"
+		err = backend.Write(srvURL, secondToken)
+		require.NoError(t, err)
+
+		token, err = backend.Read(srvURL)
+		require.NoError(t, err)
+		require.Equal(t, secondToken, token)
+	})
+
+	t.Run("WriteIgnoresURL", func(t *testing.T) {
+		t.Parallel()
+
+		dir := t.TempDir()
+		backend := sessionstore.NewFile(func() config.Root { return config.Root(dir) })
+		srvURL, err := url.Parse(testURL)
+		require.NoError(t, err)
+		srvURL2, err := url.Parse(testURL2)
+		require.NoError(t, err)
+
+		//nolint:gosec // Write with first URL test token
+		const firstToken = "token-for-url1"
+		err = backend.Write(srvURL, firstToken)
+		require.NoError(t, err)
+
+		//nolint:gosec // Write with second URL - should overwrite
+		const secondToken = "token-for-url2"
+		err = backend.Write(srvURL2, secondToken)
+		require.NoError(t, err)
+
+		// Should have the second token (File backend doesn't differentiate by URL)
+		token, err := backend.Read(srvURL)
+		require.NoError(t, err)
+		require.Equal(t, secondToken, token)
+	})
+}

cli/sessionstore/sessionstore_windows.go

@@ -0,0 +1,66 @@
+//go:build windows
+
+package sessionstore
+
+import (
+	"errors"
+	"os"
+	"syscall"
+
+	"github.com/danieljoos/wincred"
+)
+
+const (
+	// defaultServiceName is the service name used in the Windows Credential Manager
+	// for storing Coder CLI session tokens.
+	defaultServiceName = "coder-v2-credentials"
+)
+
+// operatingSystemKeyring implements keyringProvider and uses Windows Credential Manager.
+// It is largely adapted from the zalando/go-keyring package.
+type operatingSystemKeyring struct{}
+
+func (operatingSystemKeyring) Set(service, credential string) error {
+	// password may not exceed 2560 bytes (https://github.com/jaraco/keyring/issues/540#issuecomment-968329967)
+	if len(credential) > 2560 {
+		return ErrSetDataTooBig
+	}
+
+	// service may not exceed 512 bytes (might need more testing)
+	if len(service) >= 512 {
+		return ErrSetDataTooBig
+	}
+
+	// service may not exceed 32k but problems occur before that
+	// so we limit it to 30k
+	if len(service) > 1024*30 {
+		return ErrSetDataTooBig
+	}
+
+	cred := wincred.NewGenericCredential(service)
+	cred.CredentialBlob = []byte(credential)
+	cred.Persist = wincred.PersistLocalMachine
+	return cred.Write()
+}
+
+func (operatingSystemKeyring) Get(service string) ([]byte, error) {
+	cred, err := wincred.GetGenericCredential(service)
+	if err != nil {
+		if errors.Is(err, syscall.ERROR_NOT_FOUND) {
+			return nil, os.ErrNotExist
+		}
+		return nil, err
+	}
+	return cred.CredentialBlob, nil
+}
+
+func (operatingSystemKeyring) Delete(service string) error {
+	cred, err := wincred.GetGenericCredential(service)
+	if err != nil {
+		if errors.Is(err, syscall.ERROR_NOT_FOUND) {
+			return os.ErrNotExist
+		}
+		return err
+	}
+	return cred.Delete()
+}

cli/sessionstore/sessionstore_windows_test.go

@@ -0,0 +1,127 @@
+//go:build windows
+
+package sessionstore_test
+
+import (
+	"encoding/json"
+	"net/url"
+	"os"
+	"testing"
+
+	"github.com/danieljoos/wincred"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/cli/sessionstore"
+)
+
+func TestWindowsKeyring_WriteReadDelete(t *testing.T) {
+	t.Parallel()
+
+	const testURL = "http://127.0.0.1:1337"
+	srvURL, err := url.Parse(testURL)
+	require.NoError(t, err)
+
+	serviceName := keyringTestServiceName(t)
+	backend := sessionstore.NewKeyringWithService(serviceName)
+	t.Cleanup(func() { _ = backend.Delete(srvURL) })
+
+	// Verify no token exists initially
+	_, err = backend.Read(srvURL)
+	require.ErrorIs(t, err, os.ErrNotExist)
+
+	// Write a token
+	const inputToken = "test-token-12345"
+	err = backend.Write(srvURL, inputToken)
+	require.NoError(t, err)
+
+	// Verify the credential is stored in Windows Credential Manager with correct format
+	winCred, err := wincred.GetGenericCredential(serviceName)
+	require.NoError(t, err, "getting windows credential")
+
+	var storedCreds map[string]struct {
+		CoderURL string `json:"coder_url"`
+		APIToken string `json:"api_token"`
+	}
+	err = json.Unmarshal(winCred.CredentialBlob, &storedCreds)
+	require.NoError(t, err, "unmarshalling stored credentials")
+
+	// Verify the stored values
+	require.Len(t, storedCreds, 1)
+	cred, ok := storedCreds[srvURL.Host]
+	require.True(t, ok, "credential for URL should exist")
+	require.Equal(t, inputToken, cred.APIToken)
+	require.Equal(t, srvURL.Host, cred.CoderURL)
+
+	// Read the token back
+	token, err := backend.Read(srvURL)
+	require.NoError(t, err)
+	require.Equal(t, inputToken, token)
+
+	// Delete the token
+	err = backend.Delete(srvURL)
+	require.NoError(t, err)
+
+	// Verify token is deleted
+	_, err = backend.Read(srvURL)
+	require.ErrorIs(t, err, os.ErrNotExist)
+}
+
+func TestWindowsKeyring_MultipleServers(t *testing.T) {
+	t.Parallel()
+
+	const testURL1 = "http://127.0.0.1:1337"
+	srv1URL, err := url.Parse(testURL1)
+	require.NoError(t, err)
+
+	const testURL2 = "http://127.0.0.1:1338"
+	srv2URL, err := url.Parse(testURL2)
+	require.NoError(t, err)
+
+	serviceName := keyringTestServiceName(t)
+	backend := sessionstore.NewKeyringWithService(serviceName)
+	t.Cleanup(func() {
+		_ = backend.Delete(srv1URL)
+		_ = backend.Delete(srv2URL)
+	})
+
+	// Write token for server 1
+	const token1 = "token-server-1"
+	err = backend.Write(srv1URL, token1)
+	require.NoError(t, err)
+
+	// Write token for server 2 (should NOT overwrite server 1's token)
+	const token2 = "token-server-2"
+	err = backend.Write(srv2URL, token2)
+	require.NoError(t, err)
+
+	// Verify both credentials are stored in Windows Credential Manager
+	winCred, err := wincred.GetGenericCredential(serviceName)
+	require.NoError(t, err, "getting windows credential")
+
+	var storedCreds map[string]struct {
+		CoderURL string `json:"coder_url"`
+		APIToken string `json:"api_token"`
+	}
+	err = json.Unmarshal(winCred.CredentialBlob, &storedCreds)
+	require.NoError(t, err, "unmarshalling stored credentials")
+
+	// Both credentials should exist
+	require.Len(t, storedCreds, 2)
+	require.Equal(t, token1, storedCreds[srv1URL.Host].APIToken)
+	require.Equal(t, token2, storedCreds[srv2URL.Host].APIToken)
+
+	// Read individual credentials
+	token, err := backend.Read(srv1URL)
+	require.NoError(t, err)
+	require.Equal(t, token1, token)
+
+	token, err = backend.Read(srv2URL)
+	require.NoError(t, err)
+	require.Equal(t, token2, token)
+
+	// Cleanup
+	err = backend.Delete(srv1URL)
+	require.NoError(t, err)
+	err = backend.Delete(srv2URL)
+	require.NoError(t, err)
+}

cli/testdata/coder_--help.golden

@@ -108,6 +108,11 @@ variables or flags.
       --url url, $CODER_URL
           URL to a deployment.
 
+      --use-keyring bool, $CODER_USE_KEYRING
+          Store and retrieve session tokens using the operating system keyring.
+          Currently only supported on Windows. By default, tokens are stored in
+          plain text files.
+
   -v, --verbose bool, $CODER_VERBOSE
           Enable verbose output.
 

cli/testdata/coder_list_--output_json.golden

@@ -90,6 +90,7 @@
     "allow_renames": false,
     "favorite": false,
     "next_start_at": "====[timestamp]=====",
-    "is_prebuild": false
+    "is_prebuild": false,
+    "task_id": null
   }
 ]

cli/testdata/coder_login_--help.golden

@@ -5,6 +5,10 @@ USAGE:
 
   Authenticate with Coder deployment
 
+  By default, the session token is stored in a plain text file. Use the
+  --use-keyring flag or set CODER_USE_KEYRING=true to store the token in the
+  operating system keyring instead.
+
 OPTIONS:
       --first-user-email string, $CODER_FIRST_USER_EMAIL
           Specifies an email address to use if creating the first user for the

cli/testdata/coder_server_--help.golden

@@ -80,6 +80,41 @@ OPTIONS:
           Periodically check for new releases of Coder and inform the owner. The
           check is performed once per day.
 
+AIBRIDGE OPTIONS: 
+      --aibridge-anthropic-base-url string, $CODER_AIBRIDGE_ANTHROPIC_BASE_URL (default: https://api.anthropic.com/)
+          The base URL of the Anthropic API.
+
+      --aibridge-anthropic-key string, $CODER_AIBRIDGE_ANTHROPIC_KEY
+          The key to authenticate against the Anthropic API.
+
+      --aibridge-bedrock-access-key string, $CODER_AIBRIDGE_BEDROCK_ACCESS_KEY
+          The access key to authenticate against the AWS Bedrock API.
+
+      --aibridge-bedrock-access-key-secret string, $CODER_AIBRIDGE_BEDROCK_ACCESS_KEY_SECRET
+          The access key secret to use with the access key to authenticate
+          against the AWS Bedrock API.
+
+      --aibridge-bedrock-model string, $CODER_AIBRIDGE_BEDROCK_MODEL (default: global.anthropic.claude-sonnet-4-5-20250929-v1:0)
+          The model to use when making requests to the AWS Bedrock API.
+
+      --aibridge-bedrock-region string, $CODER_AIBRIDGE_BEDROCK_REGION
+          The AWS Bedrock API region.
+
+      --aibridge-bedrock-small-fastmodel string, $CODER_AIBRIDGE_BEDROCK_SMALL_FAST_MODEL (default: global.anthropic.claude-haiku-4-5-20251001-v1:0)
+          The small fast model to use when making requests to the AWS Bedrock
+          API. Claude Code uses Haiku-class models to perform background tasks.
+          See
+          https://docs.claude.com/en/docs/claude-code/settings#environment-variables.
+
+      --aibridge-enabled bool, $CODER_AIBRIDGE_ENABLED (default: false)
+          Whether to start an in-memory aibridged instance.
+
+      --aibridge-openai-base-url string, $CODER_AIBRIDGE_OPENAI_BASE_URL (default: https://api.openai.com/v1/)
+          The base URL of the OpenAI API.
+
+      --aibridge-openai-key string, $CODER_AIBRIDGE_OPENAI_KEY
+          The key to authenticate against the OpenAI API.
+
 CLIENT OPTIONS: 
 These options change the behavior of how clients interact with the Coder.
 Clients include the Coder CLI, Coder Desktop, IDE extensions, and the web UI.

cli/testdata/server-config.yaml.golden

@@ -714,8 +714,7 @@ workspace_prebuilds:
   # (default: 3, type: int)
   failure_hard_limit: 3
 aibridge:
-  # Whether to start an in-memory aibridged instance ("aibridge" experiment must be
-  # enabled, too).
+  # Whether to start an in-memory aibridged instance.
   # (default: false, type: bool)
   enabled: false
   # The base URL of the OpenAI API.

coderd/aitasks.go

@@ -7,7 +7,6 @@ import (
 	"net/http"
 	"net/url"
 	"slices"
-	"strings"
 	"time"
 
 	"github.com/google/uuid"
@@ -24,62 +23,12 @@ import (
 	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/searchquery"
 	"github.com/coder/coder/v2/coderd/taskname"
+	"github.com/coder/coder/v2/coderd/util/slice"
 	"github.com/coder/coder/v2/codersdk"
 
 	aiagentapi "github.com/coder/agentapi-sdk-go"
 )
 
-// This endpoint is experimental and not guaranteed to be stable, so we're not
-// generating public-facing documentation for it.
-func (api *API) aiTasksPrompts(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-
-	buildIDsParam := r.URL.Query().Get("build_ids")
-	if buildIDsParam == "" {
-		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-			Message: "build_ids query parameter is required",
-		})
-		return
-	}
-
-	// Parse build IDs
-	buildIDStrings := strings.Split(buildIDsParam, ",")
-	buildIDs := make([]uuid.UUID, 0, len(buildIDStrings))
-	for _, idStr := range buildIDStrings {
-		id, err := uuid.Parse(strings.TrimSpace(idStr))
-		if err != nil {
-			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-				Message: fmt.Sprintf("Invalid build ID format: %s", idStr),
-				Detail:  err.Error(),
-			})
-			return
-		}
-		buildIDs = append(buildIDs, id)
-	}
-
-	parameters, err := api.Database.GetWorkspaceBuildParametersByBuildIDs(ctx, buildIDs)
-	if err != nil {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error fetching workspace build parameters.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-
-	promptsByBuildID := make(map[string]string, len(parameters))
-	for _, param := range parameters {
-		if param.Name != codersdk.AITaskPromptParameterName {
-			continue
-		}
-		buildID := param.WorkspaceBuildID.String()
-		promptsByBuildID[buildID] = param.Value
-	}
-
-	httpapi.Write(ctx, rw, http.StatusOK, codersdk.AITasksPromptsResponse{
-		Prompts: promptsByBuildID,
-	})
-}
-
 // @Summary Create a new AI task
 // @Description: EXPERIMENTAL: this endpoint is experimental and not guaranteed to be stable.
 // @ID create-task
@@ -174,13 +123,31 @@ func (api *API) tasksCreate(rw http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	// Check if the template defines the AI Prompt parameter.
+	templateParams, err := api.Database.GetTemplateVersionParameters(ctx, req.TemplateVersionID)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error fetching template parameters.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	var richParams []codersdk.WorkspaceBuildParameter
+	if _, hasAIPromptParam := slice.Find(templateParams, func(param database.TemplateVersionParameter) bool {
+		return param.Name == codersdk.AITaskPromptParameterName
+	}); hasAIPromptParam {
+		// Only add the AI Prompt parameter if the template defines it.
+		richParams = []codersdk.WorkspaceBuildParameter{
+			{Name: codersdk.AITaskPromptParameterName, Value: req.Input},
+		}
+	}
+
 	createReq := codersdk.CreateWorkspaceRequest{
 		Name:                    taskName,
 		TemplateVersionID:       req.TemplateVersionID,
 		TemplateVersionPresetID: req.TemplateVersionPresetID,
-		RichParameterValues: []codersdk.WorkspaceBuildParameter{
-			{Name: codersdk.AITaskPromptParameterName, Value: req.Input},
-		},
+		RichParameterValues:     richParams,
 	}
 
 	var owner workspaceOwner

coderd/aitasks_test.go

@@ -2,15 +2,12 @@ package coderd_test
 
 import (
 	"context"
-	"database/sql"
 	"encoding/json"
 	"io"
 	"net/http"
 	"net/http/httptest"
-	"strings"
 	"testing"
 	"time"
-	"unicode/utf8"
 
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
@@ -35,128 +32,6 @@ import (
 	"github.com/coder/coder/v2/testutil"
 )
 
-func TestAITasksPrompts(t *testing.T) {
-	t.Parallel()
-
-	t.Run("EmptyBuildIDs", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{})
-		_ = coderdtest.CreateFirstUser(t, client)
-		experimentalClient := codersdk.NewExperimentalClient(client)
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-
-		// Test with empty build IDs
-		prompts, err := experimentalClient.AITaskPrompts(ctx, []uuid.UUID{})
-		require.NoError(t, err)
-		require.Empty(t, prompts.Prompts)
-	})
-
-	t.Run("MultipleBuilds", func(t *testing.T) {
-		t.Parallel()
-
-		adminClient := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-		first := coderdtest.CreateFirstUser(t, adminClient)
-		memberClient, _ := coderdtest.CreateAnotherUser(t, adminClient, first.OrganizationID)
-
-		ctx := testutil.Context(t, testutil.WaitLong)
-
-		// Create a template with parameters
-		version := coderdtest.CreateTemplateVersion(t, adminClient, first.OrganizationID, &echo.Responses{
-			Parse: echo.ParseComplete,
-			ProvisionPlan: []*proto.Response{{
-				Type: &proto.Response_Plan{
-					Plan: &proto.PlanComplete{
-						Parameters: []*proto.RichParameter{
-							{
-								Name:         "param1",
-								Type:         "string",
-								DefaultValue: "default1",
-							},
-							{
-								Name:         codersdk.AITaskPromptParameterName,
-								Type:         "string",
-								DefaultValue: "default2",
-							},
-						},
-					},
-				},
-			}},
-			ProvisionApply: echo.ApplyComplete,
-		})
-		template := coderdtest.CreateTemplate(t, adminClient, first.OrganizationID, version.ID)
-		coderdtest.AwaitTemplateVersionJobCompleted(t, adminClient, version.ID)
-
-		// Create two workspaces with different parameters
-		workspace1 := coderdtest.CreateWorkspace(t, memberClient, template.ID, func(request *codersdk.CreateWorkspaceRequest) {
-			request.RichParameterValues = []codersdk.WorkspaceBuildParameter{
-				{Name: "param1", Value: "value1a"},
-				{Name: codersdk.AITaskPromptParameterName, Value: "value2a"},
-			}
-		})
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, memberClient, workspace1.LatestBuild.ID)
-
-		workspace2 := coderdtest.CreateWorkspace(t, memberClient, template.ID, func(request *codersdk.CreateWorkspaceRequest) {
-			request.RichParameterValues = []codersdk.WorkspaceBuildParameter{
-				{Name: "param1", Value: "value1b"},
-				{Name: codersdk.AITaskPromptParameterName, Value: "value2b"},
-			}
-		})
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, memberClient, workspace2.LatestBuild.ID)
-
-		workspace3 := coderdtest.CreateWorkspace(t, adminClient, template.ID, func(request *codersdk.CreateWorkspaceRequest) {
-			request.RichParameterValues = []codersdk.WorkspaceBuildParameter{
-				{Name: "param1", Value: "value1c"},
-				{Name: codersdk.AITaskPromptParameterName, Value: "value2c"},
-			}
-		})
-		coderdtest.AwaitWorkspaceBuildJobCompleted(t, adminClient, workspace3.LatestBuild.ID)
-		allBuildIDs := []uuid.UUID{workspace1.LatestBuild.ID, workspace2.LatestBuild.ID, workspace3.LatestBuild.ID}
-
-		experimentalMemberClient := codersdk.NewExperimentalClient(memberClient)
-		// Test parameters endpoint as member
-		prompts, err := experimentalMemberClient.AITaskPrompts(ctx, allBuildIDs)
-		require.NoError(t, err)
-		// we expect 2 prompts because the member client does not have access to workspace3
-		// since it was created by the admin client
-		require.Len(t, prompts.Prompts, 2)
-
-		// Check workspace1 parameters
-		build1Prompt := prompts.Prompts[workspace1.LatestBuild.ID.String()]
-		require.Equal(t, "value2a", build1Prompt)
-
-		// Check workspace2 parameters
-		build2Prompt := prompts.Prompts[workspace2.LatestBuild.ID.String()]
-		require.Equal(t, "value2b", build2Prompt)
-
-		experimentalAdminClient := codersdk.NewExperimentalClient(adminClient)
-		// Test parameters endpoint as admin
-		// we expect 3 prompts because the admin client has access to all workspaces
-		prompts, err = experimentalAdminClient.AITaskPrompts(ctx, allBuildIDs)
-		require.NoError(t, err)
-		require.Len(t, prompts.Prompts, 3)
-
-		// Check workspace3 parameters
-		build3Prompt := prompts.Prompts[workspace3.LatestBuild.ID.String()]
-		require.Equal(t, "value2c", build3Prompt)
-	})
-
-	t.Run("NonExistentBuildIDs", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{})
-		_ = coderdtest.CreateFirstUser(t, client)
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-
-		// Test with non-existent build IDs
-		nonExistentID := uuid.New()
-		experimentalClient := codersdk.NewExperimentalClient(client)
-		prompts, err := experimentalClient.AITaskPrompts(ctx, []uuid.UUID{nonExistentID})
-		require.NoError(t, err)
-		require.Empty(t, prompts.Prompts)
-	})
-}
-
 func TestTasks(t *testing.T) {
 	t.Parallel()
 
@@ -188,7 +63,6 @@ func TestTasks(t *testing.T) {
 				{
 					Type: &proto.Response_Plan{
 						Plan: &proto.PlanComplete{
-							Parameters: []*proto.RichParameter{{Name: codersdk.AITaskPromptParameterName, Type: "string"}},
 							HasAiTasks: true,
 						},
 					},
@@ -259,6 +133,9 @@ func TestTasks(t *testing.T) {
 		// Wait for the workspace to be built.
 		workspace, err := client.Workspace(ctx, task.WorkspaceID.UUID)
 		require.NoError(t, err)
+		if assert.True(t, workspace.TaskID.Valid, "task id should be set on workspace") {
+			assert.Equal(t, task.ID, workspace.TaskID.UUID, "workspace task id should match")
+		}
 		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
 
 		// List tasks via experimental API and verify the prompt and status mapping.
@@ -297,6 +174,9 @@ func TestTasks(t *testing.T) {
 		// Get the workspace and wait for it to be ready.
 		ws, err := client.Workspace(ctx, task.WorkspaceID.UUID)
 		require.NoError(t, err)
+		if assert.True(t, ws.TaskID.Valid, "task id should be set on workspace") {
+			assert.Equal(t, task.ID, ws.TaskID.UUID, "workspace task id should match")
+		}
 		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
 		ws = coderdtest.MustWorkspace(t, client, task.WorkspaceID.UUID)
 		// Assert invariant: the workspace has exactly one resource with one agent with one app.
@@ -371,6 +251,9 @@ func TestTasks(t *testing.T) {
 			require.True(t, task.WorkspaceID.Valid, "task should have a workspace ID")
 			ws, err := client.Workspace(ctx, task.WorkspaceID.UUID)
 			require.NoError(t, err)
+			if assert.True(t, ws.TaskID.Valid, "task id should be set on workspace") {
+				assert.Equal(t, task.ID, ws.TaskID.UUID, "workspace task id should match")
+			}
 			coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
 
 			err = exp.DeleteTask(ctx, "me", task.ID)
@@ -417,6 +300,9 @@ func TestTasks(t *testing.T) {
 			coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
 			template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 			ws := coderdtest.CreateWorkspace(t, client, template.ID)
+			if assert.False(t, ws.TaskID.Valid, "task id should not be set on non-task workspace") {
+				assert.Zero(t, ws.TaskID, "non-task workspace task id should be empty")
+			}
 			coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
 
 			exp := codersdk.NewExperimentalClient(client)
@@ -466,10 +352,10 @@ func TestTasks(t *testing.T) {
 			}
 		})
 
-		t.Run("NoWorkspace", func(t *testing.T) {
+		t.Run("DeletedWorkspace", func(t *testing.T) {
 			t.Parallel()
 
-			client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+			client, db := coderdtest.NewWithDatabase(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 			user := coderdtest.CreateFirstUser(t, client)
 			template := createAITemplate(t, client, user)
 			ctx := testutil.Context(t, testutil.WaitLong)
@@ -483,14 +369,54 @@ func TestTasks(t *testing.T) {
 			ws, err := client.Workspace(ctx, task.WorkspaceID.UUID)
 			require.NoError(t, err)
 			coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
-			// Delete the task workspace
-			coderdtest.MustTransitionWorkspace(t, client, ws.ID, codersdk.WorkspaceTransitionStart, codersdk.WorkspaceTransitionDelete)
-			// We should still be able to fetch the task after deleting its workspace
+
+			// Mark the workspace as deleted directly in the database, bypassing provisionerd.
+			require.NoError(t, db.UpdateWorkspaceDeletedByID(dbauthz.AsProvisionerd(ctx), database.UpdateWorkspaceDeletedByIDParams{
+				ID:      ws.ID,
+				Deleted: true,
+			}))
+			// We should still be able to fetch the task if its workspace was deleted.
+			// Provisionerdserver will attempt delete the related task when deleting a workspace.
+			// This test ensures that we can still handle the case where, for some reason, the
+			// task has not been marked as deleted, but the workspace has.
 			task, err = exp.TaskByID(ctx, task.ID)
-			require.NoError(t, err, "fetching a task should still work after deleting its related workspace")
+			require.NoError(t, err, "fetching a task should still work if its related workspace is deleted")
 			err = exp.DeleteTask(ctx, task.OwnerID.String(), task.ID)
 			require.NoError(t, err, "should be possible to delete a task with no workspace")
 		})
+
+		t.Run("DeletingTaskWorkspaceDeletesTask", func(t *testing.T) {
+			t.Parallel()
+
+			client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+			user := coderdtest.CreateFirstUser(t, client)
+			template := createAITemplate(t, client, user)
+
+			ctx := testutil.Context(t, testutil.WaitLong)
+
+			exp := codersdk.NewExperimentalClient(client)
+			task, err := exp.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+				TemplateVersionID: template.ActiveVersionID,
+				Input:             "delete me",
+			})
+			require.NoError(t, err)
+			require.True(t, task.WorkspaceID.Valid, "task should have a workspace ID")
+			ws, err := client.Workspace(ctx, task.WorkspaceID.UUID)
+			require.NoError(t, err)
+			if assert.True(t, ws.TaskID.Valid, "task id should be set on workspace") {
+				assert.Equal(t, task.ID, ws.TaskID.UUID, "workspace task id should match")
+			}
+			coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
+
+			// When; the task workspace is deleted
+			coderdtest.MustTransitionWorkspace(t, client, ws.ID, codersdk.WorkspaceTransitionStart, codersdk.WorkspaceTransitionDelete)
+			// Then: the task associated with the workspace is also deleted
+			_, err = exp.TaskByID(ctx, task.ID)
+			require.Error(t, err, "expected an error fetching the task")
+			var sdkErr *codersdk.Error
+			require.ErrorAs(t, err, &sdkErr, "expected a codersdk.Error")
+			require.Equal(t, http.StatusNotFound, sdkErr.StatusCode())
+		})
 	})
 
 	t.Run("Send", func(t *testing.T) {
@@ -805,6 +731,51 @@ func TestTasksCreate(t *testing.T) {
 		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		user := coderdtest.CreateFirstUser(t, client)
 
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:          echo.ParseComplete,
+			ProvisionApply: echo.ApplyComplete,
+			ProvisionPlan: []*proto.Response{
+				{Type: &proto.Response_Plan{Plan: &proto.PlanComplete{
+					HasAiTasks: true,
+				}}},
+			},
+		})
+		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
+		expClient := codersdk.NewExperimentalClient(client)
+
+		task, err := expClient.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+			TemplateVersionID: template.ActiveVersionID,
+			Input:             taskPrompt,
+		})
+		require.NoError(t, err)
+		require.True(t, task.WorkspaceID.Valid)
+
+		ws, err := client.Workspace(ctx, task.WorkspaceID.UUID)
+		require.NoError(t, err)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
+
+		assert.NotEmpty(t, task.Name)
+		assert.Equal(t, template.ID, task.TemplateID)
+
+		parameters, err := client.WorkspaceBuildParameters(ctx, ws.LatestBuild.ID)
+		require.NoError(t, err)
+		require.Len(t, parameters, 0)
+	})
+
+	t.Run("OK AIPromptBackCompat", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			ctx = testutil.Context(t, testutil.WaitShort)
+
+			taskPrompt = "Some task prompt"
+		)
+
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+
 		// Given: A template with an "AI Prompt" parameter
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 			Parse:          echo.ParseComplete,
@@ -884,7 +855,6 @@ func TestTasksCreate(t *testing.T) {
 						ProvisionApply: echo.ApplyComplete,
 						ProvisionPlan: []*proto.Response{
 							{Type: &proto.Response_Plan{Plan: &proto.PlanComplete{
-								Parameters: []*proto.RichParameter{{Name: codersdk.AITaskPromptParameterName, Type: "string"}},
 								HasAiTasks: true,
 							}}},
 						},
@@ -1000,7 +970,6 @@ func TestTasksCreate(t *testing.T) {
 			ProvisionApply: echo.ApplyComplete,
 			ProvisionPlan: []*proto.Response{
 				{Type: &proto.Response_Plan{Plan: &proto.PlanComplete{
-					Parameters: []*proto.RichParameter{{Name: codersdk.AITaskPromptParameterName, Type: "string"}},
 					HasAiTasks: true,
 				}}},
 			},
@@ -1060,7 +1029,6 @@ func TestTasksCreate(t *testing.T) {
 			ProvisionApply: echo.ApplyComplete,
 			ProvisionPlan: []*proto.Response{
 				{Type: &proto.Response_Plan{Plan: &proto.PlanComplete{
-					Parameters: []*proto.RichParameter{{Name: codersdk.AITaskPromptParameterName, Type: "string"}},
 					HasAiTasks: true,
 				}}},
 			},
@@ -1097,7 +1065,6 @@ func TestTasksCreate(t *testing.T) {
 			ProvisionApply: echo.ApplyComplete,
 			ProvisionPlan: []*proto.Response{
 				{Type: &proto.Response_Plan{Plan: &proto.PlanComplete{
-					Parameters: []*proto.RichParameter{{Name: codersdk.AITaskPromptParameterName, Type: "string"}},
 					HasAiTasks: true,
 				}}},
 			},
@@ -1150,7 +1117,6 @@ func TestTasksCreate(t *testing.T) {
 			ProvisionApply: echo.ApplyComplete,
 			ProvisionPlan: []*proto.Response{
 				{Type: &proto.Response_Plan{Plan: &proto.PlanComplete{
-					Parameters: []*proto.RichParameter{{Name: codersdk.AITaskPromptParameterName, Type: "string"}},
 					HasAiTasks: true,
 				}}},
 			},
@@ -1163,7 +1129,6 @@ func TestTasksCreate(t *testing.T) {
 			ProvisionApply: echo.ApplyComplete,
 			ProvisionPlan: []*proto.Response{
 				{Type: &proto.Response_Plan{Plan: &proto.PlanComplete{
-					Parameters: []*proto.RichParameter{{Name: codersdk.AITaskPromptParameterName, Type: "string"}},
 					HasAiTasks: true,
 				}}},
 			},
@@ -1357,31 +1322,31 @@ func TestTasksNotification(t *testing.T) {
 			// Given: a workspace build with an agent containing an App
 			workspaceAgentAppID := uuid.New()
 			workspaceBuildID := uuid.New()
-			workspaceBuildSeed := database.WorkspaceBuild{
-				ID: workspaceBuildID,
-			}
-			if tc.isAITask {
-				workspaceBuildSeed = database.WorkspaceBuild{
-					ID: workspaceBuildID,
-					// AI Task configuration
-					HasAITask:          sql.NullBool{Bool: true, Valid: true},
-					AITaskSidebarAppID: uuid.NullUUID{UUID: workspaceAgentAppID, Valid: true},
-				}
-			}
-			workspaceBuild := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+			workspaceBuilder := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
 				OrganizationID: ownerUser.OrganizationID,
 				OwnerID:        memberUser.ID,
-			}).Seed(workspaceBuildSeed).Params(database.WorkspaceBuildParameter{
-				WorkspaceBuildID: workspaceBuildID,
-				Name:             codersdk.AITaskPromptParameterName,
-				Value:            tc.taskPrompt,
-			}).WithAgent(func(agent []*proto.Agent) []*proto.Agent {
-				agent[0].Apps = []*proto.App{{
-					Id:   workspaceAgentAppID.String(),
-					Slug: "ccw",
-				}}
-				return agent
-			}).Do()
+			}).Seed(database.WorkspaceBuild{
+				ID: workspaceBuildID,
+			})
+			if tc.isAITask {
+				workspaceBuilder = workspaceBuilder.
+					WithTask(database.TaskTable{
+						Prompt: tc.taskPrompt,
+					}, &proto.App{
+						Id:   workspaceAgentAppID.String(),
+						Slug: "ccw",
+					})
+			} else {
+				workspaceBuilder = workspaceBuilder.
+					WithAgent(func(agent []*proto.Agent) []*proto.Agent {
+						agent[0].Apps = []*proto.App{{
+							Id:   workspaceAgentAppID.String(),
+							Slug: "ccw",
+						}}
+						return agent
+					})
+			}
+			workspaceBuild := workspaceBuilder.Do()
 
 			// Given: the workspace agent app has previous statuses
 			agentClient := agentsdk.New(client.URL, agentsdk.WithFixedToken(workspaceBuild.AgentToken))
@@ -1422,13 +1387,7 @@ func TestTasksNotification(t *testing.T) {
 				require.Len(t, sent, 1)
 				require.Equal(t, memberUser.ID, sent[0].UserID)
 				require.Len(t, sent[0].Labels, 2)
-				// NOTE: len(string) is the number of bytes in the string, not the number of runes.
-				require.LessOrEqual(t, utf8.RuneCountInString(sent[0].Labels["task"]), 160)
-				if len(tc.taskPrompt) > 160 {
-					require.Contains(t, tc.taskPrompt, strings.TrimSuffix(sent[0].Labels["task"], "…"))
-				} else {
-					require.Equal(t, tc.taskPrompt, sent[0].Labels["task"])
-				}
+				require.Equal(t, workspaceBuild.Task.Name, sent[0].Labels["task"])
 				require.Equal(t, workspace.Name, sent[0].Labels["workspace"])
 			} else {
 				// Then: No notification is sent

coderd/apidoc/docs.go

@@ -85,7 +85,7 @@ const docTemplate = `{
                 }
             }
         },
-        "/api/experimental/aibridge/interceptions": {
+        "/aibridge/interceptions": {
             "get": {
                 "security": [
                     {
@@ -14316,11 +14316,9 @@ const docTemplate = `{
                 "web-push",
                 "oauth2",
                 "mcp-server-http",
-                "workspace-sharing",
-                "aibridge"
+                "workspace-sharing"
             ],
             "x-enum-comments": {
-                "ExperimentAIBridge": "Enables AI Bridge functionality.",
                 "ExperimentAutoFillParameters": "This should not be taken out of experiments until we have redesigned the feature.",
                 "ExperimentExample": "This isn't used for anything.",
                 "ExperimentMCPServerHTTP": "Enables the MCP HTTP server functionality.",
@@ -14338,8 +14336,7 @@ const docTemplate = `{
                 "ExperimentWebPush",
                 "ExperimentOAuth2",
                 "ExperimentMCPServerHTTP",
-                "ExperimentWorkspaceSharing",
-                "ExperimentAIBridge"
+                "ExperimentWorkspaceSharing"
             ]
         },
         "codersdk.ExternalAPIKeyScopes": {
@@ -15438,6 +15435,9 @@ const docTemplate = `{
                         "type": "string"
                     }
                 },
+                "revocation_endpoint": {
+                    "type": "string"
+                },
                 "scopes_supported": {
                     "type": "array",
                     "items": {
@@ -19715,6 +19715,14 @@ const docTemplate = `{
                     "description": "OwnerName is the username of the owner of the workspace.",
                     "type": "string"
                 },
+                "task_id": {
+                    "description": "TaskID, if set, indicates that the workspace is relevant to the given codersdk.Task.",
+                    "allOf": [
+                        {
+                            "$ref": "#/definitions/uuid.NullUUID"
+                        }
+                    ]
+                },
                 "template_active_version_id": {
                     "type": "string",
                     "format": "uuid"
@@ -20522,7 +20530,7 @@ const docTemplate = `{
             "type": "object",
             "properties": {
                 "ai_task_sidebar_app_id": {
-                    "description": "Deprecated: This field has been replaced with ` + "`" + `TaskAppID` + "`" + `",
+                    "description": "Deprecated: This field has been replaced with ` + "`" + `Task.WorkspaceAppID` + "`" + `",
                     "type": "string",
                     "format": "uuid"
                 },
@@ -20604,10 +20612,6 @@ const docTemplate = `{
                         }
                     ]
                 },
-                "task_app_id": {
-                    "type": "string",
-                    "format": "uuid"
-                },
                 "template_version_id": {
                     "type": "string",
                     "format": "uuid"

coderd/apidoc/swagger.json

@@ -65,7 +65,7 @@
 				}
 			}
 		},
-		"/api/experimental/aibridge/interceptions": {
+		"/aibridge/interceptions": {
 			"get": {
 				"security": [
 					{
@@ -12923,11 +12923,9 @@
 				"web-push",
 				"oauth2",
 				"mcp-server-http",
-				"workspace-sharing",
-				"aibridge"
+				"workspace-sharing"
 			],
 			"x-enum-comments": {
-				"ExperimentAIBridge": "Enables AI Bridge functionality.",
 				"ExperimentAutoFillParameters": "This should not be taken out of experiments until we have redesigned the feature.",
 				"ExperimentExample": "This isn't used for anything.",
 				"ExperimentMCPServerHTTP": "Enables the MCP HTTP server functionality.",
@@ -12945,8 +12943,7 @@
 				"ExperimentWebPush",
 				"ExperimentOAuth2",
 				"ExperimentMCPServerHTTP",
-				"ExperimentWorkspaceSharing",
-				"ExperimentAIBridge"
+				"ExperimentWorkspaceSharing"
 			]
 		},
 		"codersdk.ExternalAPIKeyScopes": {
@@ -13992,6 +13989,9 @@
 						"type": "string"
 					}
 				},
+				"revocation_endpoint": {
+					"type": "string"
+				},
 				"scopes_supported": {
 					"type": "array",
 					"items": {
@@ -18101,6 +18101,14 @@
 					"description": "OwnerName is the username of the owner of the workspace.",
 					"type": "string"
 				},
+				"task_id": {
+					"description": "TaskID, if set, indicates that the workspace is relevant to the given codersdk.Task.",
+					"allOf": [
+						{
+							"$ref": "#/definitions/uuid.NullUUID"
+						}
+					]
+				},
 				"template_active_version_id": {
 					"type": "string",
 					"format": "uuid"
@@ -18856,7 +18864,7 @@
 			"type": "object",
 			"properties": {
 				"ai_task_sidebar_app_id": {
-					"description": "Deprecated: This field has been replaced with `TaskAppID`",
+					"description": "Deprecated: This field has been replaced with `Task.WorkspaceAppID`",
 					"type": "string",
 					"format": "uuid"
 				},
@@ -18934,10 +18942,6 @@
 						}
 					]
 				},
-				"task_app_id": {
-					"type": "string",
-					"format": "uuid"
-				},
 				"template_version_id": {
 					"type": "string",
 					"format": "uuid"

coderd/audit.go

@@ -509,11 +509,11 @@ func (api *API) auditLogResourceLink(ctx context.Context, alog database.GetAudit
 		if err != nil {
 			return ""
 		}
-		workspace, err := api.Database.GetWorkspaceByID(ctx, task.WorkspaceID.UUID)
+		user, err := api.Database.GetUserByID(ctx, task.OwnerID)
 		if err != nil {
 			return ""
 		}
-		return fmt.Sprintf("/tasks/%s/%s", workspace.OwnerName, task.Name)
+		return fmt.Sprintf("/tasks/%s/%s", user.Username, task.ID)
 
 	default:
 		return ""

coderd/autobuild/lifecycle_executor_test.go

@@ -1764,3 +1764,175 @@ func TestExecutorAutostartSkipsWhenNoProvisionersAvailable(t *testing.T) {
 
 	assert.Len(t, stats.Transitions, 1, "should create builds when provisioners are available")
 }
+
+func TestExecutorTaskWorkspace(t *testing.T) {
+	t.Parallel()
+
+	createTaskTemplate := func(t *testing.T, client *codersdk.Client, orgID uuid.UUID, ctx context.Context, defaultTTL time.Duration) codersdk.Template {
+		t.Helper()
+
+		taskAppID := uuid.New()
+		version := coderdtest.CreateTemplateVersion(t, client, orgID, &echo.Responses{
+			Parse: echo.ParseComplete,
+			ProvisionPlan: []*proto.Response{
+				{
+					Type: &proto.Response_Plan{
+						Plan: &proto.PlanComplete{HasAiTasks: true},
+					},
+				},
+			},
+			ProvisionApply: []*proto.Response{
+				{
+					Type: &proto.Response_Apply{
+						Apply: &proto.ApplyComplete{
+							Resources: []*proto.Resource{
+								{
+									Agents: []*proto.Agent{
+										{
+											Id:   uuid.NewString(),
+											Name: "dev",
+											Auth: &proto.Agent_Token{
+												Token: uuid.NewString(),
+											},
+											Apps: []*proto.App{
+												{
+													Id:   taskAppID.String(),
+													Slug: "task-app",
+												},
+											},
+										},
+									},
+								},
+							},
+							AiTasks: []*proto.AITask{
+								{
+									AppId: taskAppID.String(),
+								},
+							},
+						},
+					},
+				},
+			},
+		})
+		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, orgID, version.ID)
+
+		if defaultTTL > 0 {
+			_, err := client.UpdateTemplateMeta(ctx, template.ID, codersdk.UpdateTemplateMeta{
+				DefaultTTLMillis: defaultTTL.Milliseconds(),
+			})
+			require.NoError(t, err)
+		}
+
+		return template
+	}
+
+	createTaskWorkspace := func(t *testing.T, client *codersdk.Client, template codersdk.Template, ctx context.Context, input string) codersdk.Workspace {
+		t.Helper()
+
+		exp := codersdk.NewExperimentalClient(client)
+		task, err := exp.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+			TemplateVersionID: template.ActiveVersionID,
+			Input:             input,
+		})
+		require.NoError(t, err)
+		require.True(t, task.WorkspaceID.Valid, "task should have a workspace")
+
+		workspace, err := client.Workspace(ctx, task.WorkspaceID.UUID)
+		require.NoError(t, err)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
+
+		return workspace
+	}
+
+	t.Run("Autostart", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			ctx        = testutil.Context(t, testutil.WaitShort)
+			sched      = mustSchedule(t, "CRON_TZ=UTC 0 * * * *")
+			tickCh     = make(chan time.Time)
+			statsCh    = make(chan autobuild.Stats)
+			client, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{
+				AutobuildTicker:          tickCh,
+				IncludeProvisionerDaemon: true,
+				AutobuildStats:           statsCh,
+			})
+			admin = coderdtest.CreateFirstUser(t, client)
+		)
+
+		// Given: A task workspace
+		template := createTaskTemplate(t, client, admin.OrganizationID, ctx, 0)
+		workspace := createTaskWorkspace(t, client, template, ctx, "test task for autostart")
+
+		// Given: The task workspace has an autostart schedule
+		err := client.UpdateWorkspaceAutostart(ctx, workspace.ID, codersdk.UpdateWorkspaceAutostartRequest{
+			Schedule: ptr.Ref(sched.String()),
+		})
+		require.NoError(t, err)
+
+		// Given: That the workspace is in a stopped state.
+		workspace = coderdtest.MustTransitionWorkspace(t, client, workspace.ID, codersdk.WorkspaceTransitionStart, codersdk.WorkspaceTransitionStop)
+
+		p, err := coderdtest.GetProvisionerForTags(db, time.Now(), workspace.OrganizationID, map[string]string{})
+		require.NoError(t, err)
+
+		// When: the autobuild executor ticks after the scheduled time
+		go func() {
+			tickTime := sched.Next(workspace.LatestBuild.CreatedAt)
+			coderdtest.UpdateProvisionerLastSeenAt(t, db, p.ID, tickTime)
+			tickCh <- tickTime
+			close(tickCh)
+		}()
+
+		// Then: We expect to see a start transition
+		stats := <-statsCh
+		require.Len(t, stats.Transitions, 1, "lifecycle executor should transition the task workspace")
+		assert.Contains(t, stats.Transitions, workspace.ID, "task workspace should be in transitions")
+		assert.Equal(t, database.WorkspaceTransitionStart, stats.Transitions[workspace.ID], "should autostart the workspace")
+		require.Empty(t, stats.Errors, "should have no errors when managing task workspaces")
+	})
+
+	t.Run("Autostop", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			ctx        = testutil.Context(t, testutil.WaitShort)
+			tickCh     = make(chan time.Time)
+			statsCh    = make(chan autobuild.Stats)
+			client, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{
+				AutobuildTicker:          tickCh,
+				IncludeProvisionerDaemon: true,
+				AutobuildStats:           statsCh,
+			})
+			admin = coderdtest.CreateFirstUser(t, client)
+		)
+
+		// Given: A task workspace with an 8 hour deadline
+		template := createTaskTemplate(t, client, admin.OrganizationID, ctx, 8*time.Hour)
+		workspace := createTaskWorkspace(t, client, template, ctx, "test task for autostop")
+
+		// Given: The workspace is currently running
+		workspace = coderdtest.MustWorkspace(t, client, workspace.ID)
+		require.Equal(t, codersdk.WorkspaceTransitionStart, workspace.LatestBuild.Transition)
+		require.NotZero(t, workspace.LatestBuild.Deadline, "workspace should have a deadline for autostop")
+
+		p, err := coderdtest.GetProvisionerForTags(db, time.Now(), workspace.OrganizationID, map[string]string{})
+		require.NoError(t, err)
+
+		// When: the autobuild executor ticks after the deadline
+		go func() {
+			tickTime := workspace.LatestBuild.Deadline.Time.Add(time.Minute)
+			coderdtest.UpdateProvisionerLastSeenAt(t, db, p.ID, tickTime)
+			tickCh <- tickTime
+			close(tickCh)
+		}()
+
+		// Then: We expect to see a stop transition
+		stats := <-statsCh
+		require.Len(t, stats.Transitions, 1, "lifecycle executor should transition the task workspace")
+		assert.Contains(t, stats.Transitions, workspace.ID, "task workspace should be in transitions")
+		assert.Equal(t, database.WorkspaceTransitionStop, stats.Transitions[workspace.ID], "should autostop the workspace")
+		require.Empty(t, stats.Errors, "should have no errors when managing task workspaces")
+	})
+}

coderd/coderd.go

@@ -1021,10 +1021,7 @@ func New(options *Options) *API {
 			apiRateLimiter,
 			httpmw.ReportCLITelemetry(api.Logger, options.Telemetry),
 		)
-		r.Route("/aitasks", func(r chi.Router) {
-			r.Use(apiKeyMiddleware)
-			r.Get("/prompts", api.aiTasksPrompts)
-		})
+
 		r.Route("/tasks", func(r chi.Router) {
 			r.Use(apiKeyMiddleware)
 

coderd/coderdtest/coderdtest.go

@@ -1604,7 +1604,7 @@ func (nopcloser) Close() error { return nil }
 // SDKError coerces err into an SDK error.
 func SDKError(t testing.TB, err error) *codersdk.Error {
 	var cerr *codersdk.Error
-	require.True(t, errors.As(err, &cerr), "should be SDK error, got %w", err)
+	require.True(t, errors.As(err, &cerr), "should be SDK error, got %s", err)
 	return cerr
 }
 

coderd/database/dbauthz/dbauthz.go

@@ -219,8 +219,8 @@ var (
 					rbac.ResourceUser.Type:             {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
 					rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStop},
 					rbac.ResourceWorkspace.Type:        {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop, policy.ActionCreateAgent},
-					// Provisionerd needs to read and update tasks associated with workspaces.
-					rbac.ResourceTask.Type:   {policy.ActionRead, policy.ActionUpdate},
+					// Provisionerd needs to read, update, and delete tasks associated with workspaces.
+					rbac.ResourceTask.Type:   {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 					rbac.ResourceApiKey.Type: {policy.WildcardSymbol},
 					// When org scoped provisioner credentials are implemented,
 					// this can be reduced to read a specific org.
@@ -254,6 +254,7 @@ var (
 					rbac.ResourceFile.Type:                {policy.ActionRead}, // Required to read terraform files
 					rbac.ResourceNotificationMessage.Type: {policy.ActionCreate, policy.ActionRead},
 					rbac.ResourceSystem.Type:              {policy.WildcardSymbol},
+					rbac.ResourceTask.Type:                {policy.ActionRead, policy.ActionUpdate},
 					rbac.ResourceTemplate.Type:            {policy.ActionRead, policy.ActionUpdate},
 					rbac.ResourceUser.Type:                {policy.ActionRead},
 					rbac.ResourceWorkspace.Type:           {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop},
@@ -2648,6 +2649,13 @@ func (q *querier) GetOrganizationsByUserID(ctx context.Context, userID database.
 	return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetOrganizationsByUserID)(ctx, userID)
 }
 
+func (q *querier) GetOrganizationsWithPrebuildStatus(ctx context.Context, arg database.GetOrganizationsWithPrebuildStatusParams) ([]database.GetOrganizationsWithPrebuildStatusRow, error) {
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOrganization.All()); err != nil {
+		return nil, err
+	}
+	return q.db.GetOrganizationsWithPrebuildStatus(ctx, arg)
+}
+
 func (q *querier) GetParameterSchemasByJobID(ctx context.Context, jobID uuid.UUID) ([]database.ParameterSchema, error) {
 	version, err := q.db.GetTemplateVersionByJobID(ctx, jobID)
 	if err != nil {
@@ -4933,10 +4941,10 @@ func (q *querier) UpdateOrganizationDeletedByID(ctx context.Context, arg databas
 	return deleteQ(q.log, q.auth, q.db.GetOrganizationByID, deleteF)(ctx, arg.ID)
 }
 
-func (q *querier) UpdatePrebuildProvisionerJobWithCancel(ctx context.Context, arg database.UpdatePrebuildProvisionerJobWithCancelParams) ([]uuid.UUID, error) {
+func (q *querier) UpdatePrebuildProvisionerJobWithCancel(ctx context.Context, arg database.UpdatePrebuildProvisionerJobWithCancelParams) ([]database.UpdatePrebuildProvisionerJobWithCancelRow, error) {
 	// Prebuild operation for canceling pending prebuild jobs from non-active template versions
 	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourcePrebuiltWorkspace); err != nil {
-		return []uuid.UUID{}, err
+		return []database.UpdatePrebuildProvisionerJobWithCancelRow{}, err
 	}
 	return q.db.UpdatePrebuildProvisionerJobWithCancel(ctx, arg)
 }

coderd/database/dbauthz/dbauthz_test.go

@@ -646,10 +646,13 @@ func (s *MethodTestSuite) TestProvisionerJob() {
 			PresetID: uuid.NullUUID{UUID: uuid.New(), Valid: true},
 			Now:      dbtime.Now(),
 		}
-		jobIDs := []uuid.UUID{uuid.New(), uuid.New()}
+		canceledJobs := []database.UpdatePrebuildProvisionerJobWithCancelRow{
+			{ID: uuid.New(), WorkspaceID: uuid.New(), TemplateID: uuid.New(), TemplateVersionPresetID: uuid.NullUUID{UUID: uuid.New(), Valid: true}},
+			{ID: uuid.New(), WorkspaceID: uuid.New(), TemplateID: uuid.New(), TemplateVersionPresetID: uuid.NullUUID{UUID: uuid.New(), Valid: true}},
+		}
 
-		dbm.EXPECT().UpdatePrebuildProvisionerJobWithCancel(gomock.Any(), arg).Return(jobIDs, nil).AnyTimes()
-		check.Args(arg).Asserts(rbac.ResourcePrebuiltWorkspace, policy.ActionUpdate).Returns(jobIDs)
+		dbm.EXPECT().UpdatePrebuildProvisionerJobWithCancel(gomock.Any(), arg).Return(canceledJobs, nil).AnyTimes()
+		check.Args(arg).Asserts(rbac.ResourcePrebuiltWorkspace, policy.ActionUpdate).Returns(canceledJobs)
 	}))
 	s.Run("GetProvisionerJobsByIDs", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
 		org := testutil.Fake(s.T(), faker, database.Organization{})
@@ -3756,6 +3759,14 @@ func (s *MethodTestSuite) TestPrebuilds() {
 		dbm.EXPECT().GetPrebuildMetrics(gomock.Any()).Return([]database.GetPrebuildMetricsRow{}, nil).AnyTimes()
 		check.Args().Asserts(rbac.ResourceWorkspace.All(), policy.ActionRead)
 	}))
+	s.Run("GetOrganizationsWithPrebuildStatus", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
+		arg := database.GetOrganizationsWithPrebuildStatusParams{
+			UserID:    uuid.New(),
+			GroupName: "test",
+		}
+		dbm.EXPECT().GetOrganizationsWithPrebuildStatus(gomock.Any(), arg).Return([]database.GetOrganizationsWithPrebuildStatusRow{}, nil).AnyTimes()
+		check.Args(arg).Asserts(rbac.ResourceOrganization.All(), policy.ActionRead)
+	}))
 	s.Run("GetPrebuildsSettings", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
 		dbm.EXPECT().GetPrebuildsSettings(gomock.Any()).Return("{}", nil).AnyTimes()
 		check.Args().Asserts()

coderd/database/dbmetrics/querymetrics.go

@@ -1243,6 +1243,13 @@ func (m queryMetricsStore) GetOrganizationsByUserID(ctx context.Context, userID
 	return organizations, err
 }
 
+func (m queryMetricsStore) GetOrganizationsWithPrebuildStatus(ctx context.Context, arg database.GetOrganizationsWithPrebuildStatusParams) ([]database.GetOrganizationsWithPrebuildStatusRow, error) {
+	start := time.Now()
+	r0, r1 := m.s.GetOrganizationsWithPrebuildStatus(ctx, arg)
+	m.queryLatencies.WithLabelValues("GetOrganizationsWithPrebuildStatus").Observe(time.Since(start).Seconds())
+	return r0, r1
+}
+
 func (m queryMetricsStore) GetParameterSchemasByJobID(ctx context.Context, jobID uuid.UUID) ([]database.ParameterSchema, error) {
 	start := time.Now()
 	schemas, err := m.s.GetParameterSchemasByJobID(ctx, jobID)
@@ -3042,7 +3049,7 @@ func (m queryMetricsStore) UpdateOrganizationDeletedByID(ctx context.Context, ar
 	return r0
 }
 
-func (m queryMetricsStore) UpdatePrebuildProvisionerJobWithCancel(ctx context.Context, arg database.UpdatePrebuildProvisionerJobWithCancelParams) ([]uuid.UUID, error) {
+func (m queryMetricsStore) UpdatePrebuildProvisionerJobWithCancel(ctx context.Context, arg database.UpdatePrebuildProvisionerJobWithCancelParams) ([]database.UpdatePrebuildProvisionerJobWithCancelRow, error) {
 	start := time.Now()
 	r0, r1 := m.s.UpdatePrebuildProvisionerJobWithCancel(ctx, arg)
 	m.queryLatencies.WithLabelValues("UpdatePrebuildProvisionerJobWithCancel").Observe(time.Since(start).Seconds())

coderd/database/dbmock/dbmock.go

@@ -2622,6 +2622,21 @@ func (mr *MockStoreMockRecorder) GetOrganizationsByUserID(ctx, arg any) *gomock.
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetOrganizationsByUserID", reflect.TypeOf((*MockStore)(nil).GetOrganizationsByUserID), ctx, arg)
 }
 
+// GetOrganizationsWithPrebuildStatus mocks base method.
+func (m *MockStore) GetOrganizationsWithPrebuildStatus(ctx context.Context, arg database.GetOrganizationsWithPrebuildStatusParams) ([]database.GetOrganizationsWithPrebuildStatusRow, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetOrganizationsWithPrebuildStatus", ctx, arg)
+	ret0, _ := ret[0].([]database.GetOrganizationsWithPrebuildStatusRow)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetOrganizationsWithPrebuildStatus indicates an expected call of GetOrganizationsWithPrebuildStatus.
+func (mr *MockStoreMockRecorder) GetOrganizationsWithPrebuildStatus(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetOrganizationsWithPrebuildStatus", reflect.TypeOf((*MockStore)(nil).GetOrganizationsWithPrebuildStatus), ctx, arg)
+}
+
 // GetParameterSchemasByJobID mocks base method.
 func (m *MockStore) GetParameterSchemasByJobID(ctx context.Context, jobID uuid.UUID) ([]database.ParameterSchema, error) {
 	m.ctrl.T.Helper()
@@ -6540,10 +6555,10 @@ func (mr *MockStoreMockRecorder) UpdateOrganizationDeletedByID(ctx, arg any) *go
 }
 
 // UpdatePrebuildProvisionerJobWithCancel mocks base method.
-func (m *MockStore) UpdatePrebuildProvisionerJobWithCancel(ctx context.Context, arg database.UpdatePrebuildProvisionerJobWithCancelParams) ([]uuid.UUID, error) {
+func (m *MockStore) UpdatePrebuildProvisionerJobWithCancel(ctx context.Context, arg database.UpdatePrebuildProvisionerJobWithCancelParams) ([]database.UpdatePrebuildProvisionerJobWithCancelRow, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "UpdatePrebuildProvisionerJobWithCancel", ctx, arg)
-	ret0, _ := ret[0].([]uuid.UUID)
+	ret0, _ := ret[0].([]database.UpdatePrebuildProvisionerJobWithCancelRow)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }

coderd/database/dump.sql

@@ -2922,11 +2922,13 @@ CREATE VIEW workspaces_expanded AS
     templates.name AS template_name,
     templates.display_name AS template_display_name,
     templates.icon AS template_icon,
-    templates.description AS template_description
-   FROM (((workspaces
+    templates.description AS template_description,
+    tasks.id AS task_id
+   FROM ((((workspaces
      JOIN visible_users ON ((workspaces.owner_id = visible_users.id)))
      JOIN organizations ON ((workspaces.organization_id = organizations.id)))
-     JOIN templates ON ((workspaces.template_id = templates.id)));
+     JOIN templates ON ((workspaces.template_id = templates.id)))
+     LEFT JOIN tasks ON ((workspaces.id = tasks.workspace_id)));
 
 COMMENT ON VIEW workspaces_expanded IS 'Joins in the display name information such as username, avatar, and organization name.';
 

coderd/database/migrations/000393_workspaces_expanded_task_id.down.sql

@@ -0,0 +1,39 @@
+DROP VIEW workspaces_expanded;
+
+-- Recreate the view from 000354_workspace_acl.up.sql
+CREATE VIEW workspaces_expanded AS
+	SELECT workspaces.id,
+		workspaces.created_at,
+		workspaces.updated_at,
+		workspaces.owner_id,
+		workspaces.organization_id,
+		workspaces.template_id,
+		workspaces.deleted,
+		workspaces.name,
+		workspaces.autostart_schedule,
+		workspaces.ttl,
+		workspaces.last_used_at,
+		workspaces.dormant_at,
+		workspaces.deleting_at,
+		workspaces.automatic_updates,
+		workspaces.favorite,
+		workspaces.next_start_at,
+		workspaces.group_acl,
+		workspaces.user_acl,
+		visible_users.avatar_url AS owner_avatar_url,
+		visible_users.username AS owner_username,
+		visible_users.name AS owner_name,
+		organizations.name AS organization_name,
+		organizations.display_name AS organization_display_name,
+		organizations.icon AS organization_icon,
+		organizations.description AS organization_description,
+		templates.name AS template_name,
+		templates.display_name AS template_display_name,
+		templates.icon AS template_icon,
+		templates.description AS template_description
+	FROM (((workspaces
+		JOIN visible_users ON ((workspaces.owner_id = visible_users.id)))
+		JOIN organizations ON ((workspaces.organization_id = organizations.id)))
+		JOIN templates ON ((workspaces.template_id = templates.id)));
+
+COMMENT ON VIEW workspaces_expanded IS 'Joins in the display name information such as username, avatar, and organization name.';

coderd/database/migrations/000393_workspaces_expanded_task_id.up.sql

@@ -0,0 +1,42 @@
+DROP VIEW workspaces_expanded;
+
+-- Add nullable task_id to workspaces_expanded view
+CREATE VIEW workspaces_expanded AS
+	SELECT workspaces.id,
+		workspaces.created_at,
+		workspaces.updated_at,
+		workspaces.owner_id,
+		workspaces.organization_id,
+		workspaces.template_id,
+		workspaces.deleted,
+		workspaces.name,
+		workspaces.autostart_schedule,
+		workspaces.ttl,
+		workspaces.last_used_at,
+		workspaces.dormant_at,
+		workspaces.deleting_at,
+		workspaces.automatic_updates,
+		workspaces.favorite,
+		workspaces.next_start_at,
+		workspaces.group_acl,
+		workspaces.user_acl,
+		visible_users.avatar_url AS owner_avatar_url,
+		visible_users.username AS owner_username,
+		visible_users.name AS owner_name,
+		organizations.name AS organization_name,
+		organizations.display_name AS organization_display_name,
+		organizations.icon AS organization_icon,
+		organizations.description AS organization_description,
+		templates.name AS template_name,
+		templates.display_name AS template_display_name,
+		templates.icon AS template_icon,
+		templates.description AS template_description,
+		tasks.id AS task_id
+	FROM ((((workspaces
+		JOIN visible_users ON ((workspaces.owner_id = visible_users.id)))
+		JOIN organizations ON ((workspaces.organization_id = organizations.id)))
+		JOIN templates ON ((workspaces.template_id = templates.id)))
+		LEFT JOIN tasks ON ((workspaces.id = tasks.workspace_id)));
+
+COMMENT ON VIEW workspaces_expanded IS 'Joins in the display name information such as username, avatar, and organization name.';
+

coderd/database/modelqueries.go

@@ -321,6 +321,7 @@ func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspa
 			&i.TemplateDisplayName,
 			&i.TemplateIcon,
 			&i.TemplateDescription,
+			&i.TaskID,
 			&i.TemplateVersionID,
 			&i.TemplateVersionName,
 			&i.LatestBuildCompletedAt,
@@ -328,7 +329,6 @@ func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspa
 			&i.LatestBuildError,
 			&i.LatestBuildTransition,
 			&i.LatestBuildStatus,
-			&i.LatestBuildHasAITask,
 			&i.LatestBuildHasExternalAgent,
 			&i.Count,
 		); err != nil {

coderd/database/models.go

@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.27.0
+//   sqlc v1.30.0
 
 package database
 
@@ -4663,6 +4663,7 @@ type Workspace struct {
 	TemplateDisplayName     string           `db:"template_display_name" json:"template_display_name"`
 	TemplateIcon            string           `db:"template_icon" json:"template_icon"`
 	TemplateDescription     string           `db:"template_description" json:"template_description"`
+	TaskID                  uuid.NullUUID    `db:"task_id" json:"task_id"`
 }
 
 type WorkspaceAgent struct {

coderd/database/querier.go

@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.27.0
+//   sqlc v1.30.0
 
 package database
 
@@ -269,6 +269,9 @@ type sqlcQuerier interface {
 	GetOrganizationResourceCountByID(ctx context.Context, organizationID uuid.UUID) (GetOrganizationResourceCountByIDRow, error)
 	GetOrganizations(ctx context.Context, arg GetOrganizationsParams) ([]Organization, error)
 	GetOrganizationsByUserID(ctx context.Context, arg GetOrganizationsByUserIDParams) ([]Organization, error)
+	// GetOrganizationsWithPrebuildStatus returns organizations with prebuilds configured and their
+	// membership status for the prebuilds system user (org membership, group existence, group membership).
+	GetOrganizationsWithPrebuildStatus(ctx context.Context, arg GetOrganizationsWithPrebuildStatusParams) ([]GetOrganizationsWithPrebuildStatusRow, error)
 	GetParameterSchemasByJobID(ctx context.Context, jobID uuid.UUID) ([]ParameterSchema, error)
 	GetPrebuildMetrics(ctx context.Context) ([]GetPrebuildMetricsRow, error)
 	GetPrebuildsSettings(ctx context.Context) (string, error)
@@ -667,7 +670,7 @@ type sqlcQuerier interface {
 	// Cancels all pending provisioner jobs for prebuilt workspaces on a specific preset from an
 	// inactive template version.
 	// This is an optimization to clean up stale pending jobs.
-	UpdatePrebuildProvisionerJobWithCancel(ctx context.Context, arg UpdatePrebuildProvisionerJobWithCancelParams) ([]uuid.UUID, error)
+	UpdatePrebuildProvisionerJobWithCancel(ctx context.Context, arg UpdatePrebuildProvisionerJobWithCancelParams) ([]UpdatePrebuildProvisionerJobWithCancelRow, error)
 	UpdatePresetPrebuildStatus(ctx context.Context, arg UpdatePresetPrebuildStatusParams) error
 	UpdateProvisionerDaemonLastSeenAt(ctx context.Context, arg UpdateProvisionerDaemonLastSeenAtParams) error
 	UpdateProvisionerJobByID(ctx context.Context, arg UpdateProvisionerJobByIDParams) error

coderd/database/queries.sql.go

@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.27.0
+//   sqlc v1.30.0
 
 package database
 
@@ -8285,6 +8285,93 @@ func (q *sqlQuerier) FindMatchingPresetID(ctx context.Context, arg FindMatchingP
 	return template_version_preset_id, err
 }
 
+const getOrganizationsWithPrebuildStatus = `-- name: GetOrganizationsWithPrebuildStatus :many
+WITH orgs_with_prebuilds AS (
+	-- Get unique organizations that have presets with prebuilds configured
+	SELECT DISTINCT o.id, o.name
+	FROM organizations o
+	INNER JOIN templates t ON t.organization_id = o.id
+	INNER JOIN template_versions tv ON tv.template_id = t.id
+	INNER JOIN template_version_presets tvp ON tvp.template_version_id = tv.id
+	WHERE tvp.desired_instances IS NOT NULL
+),
+prebuild_user_membership AS (
+	-- Check if the user is a member of the organizations
+	SELECT om.organization_id
+	FROM organization_members om
+	INNER JOIN orgs_with_prebuilds owp ON owp.id = om.organization_id
+	WHERE om.user_id = $1::uuid
+),
+prebuild_groups AS (
+	-- Check if the organizations have the prebuilds group
+	SELECT g.organization_id, g.id as group_id
+	FROM groups g
+	INNER JOIN orgs_with_prebuilds owp ON owp.id = g.organization_id
+	WHERE g.name = $2::text
+),
+prebuild_group_membership AS (
+	-- Check if the user is in the prebuilds group
+	SELECT pg.organization_id
+	FROM prebuild_groups pg
+	INNER JOIN group_members gm ON gm.group_id = pg.group_id
+	WHERE gm.user_id = $1::uuid
+)
+SELECT
+	owp.id AS organization_id,
+	owp.name AS organization_name,
+	(pum.organization_id IS NOT NULL)::boolean AS has_prebuild_user,
+	pg.group_id AS prebuilds_group_id,
+	(pgm.organization_id IS NOT NULL)::boolean AS has_prebuild_user_in_group
+FROM orgs_with_prebuilds owp
+LEFT JOIN prebuild_groups pg ON pg.organization_id = owp.id
+LEFT JOIN prebuild_user_membership pum ON pum.organization_id = owp.id
+LEFT JOIN prebuild_group_membership pgm ON pgm.organization_id = owp.id
+`
+
+type GetOrganizationsWithPrebuildStatusParams struct {
+	UserID    uuid.UUID `db:"user_id" json:"user_id"`
+	GroupName string    `db:"group_name" json:"group_name"`
+}
+
+type GetOrganizationsWithPrebuildStatusRow struct {
+	OrganizationID         uuid.UUID     `db:"organization_id" json:"organization_id"`
+	OrganizationName       string        `db:"organization_name" json:"organization_name"`
+	HasPrebuildUser        bool          `db:"has_prebuild_user" json:"has_prebuild_user"`
+	PrebuildsGroupID       uuid.NullUUID `db:"prebuilds_group_id" json:"prebuilds_group_id"`
+	HasPrebuildUserInGroup bool          `db:"has_prebuild_user_in_group" json:"has_prebuild_user_in_group"`
+}
+
+// GetOrganizationsWithPrebuildStatus returns organizations with prebuilds configured and their
+// membership status for the prebuilds system user (org membership, group existence, group membership).
+func (q *sqlQuerier) GetOrganizationsWithPrebuildStatus(ctx context.Context, arg GetOrganizationsWithPrebuildStatusParams) ([]GetOrganizationsWithPrebuildStatusRow, error) {
+	rows, err := q.db.QueryContext(ctx, getOrganizationsWithPrebuildStatus, arg.UserID, arg.GroupName)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []GetOrganizationsWithPrebuildStatusRow
+	for rows.Next() {
+		var i GetOrganizationsWithPrebuildStatusRow
+		if err := rows.Scan(
+			&i.OrganizationID,
+			&i.OrganizationName,
+			&i.HasPrebuildUser,
+			&i.PrebuildsGroupID,
+			&i.HasPrebuildUserInGroup,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
 const getPrebuildMetrics = `-- name: GetPrebuildMetrics :many
 SELECT
 	t.name as template_name,
@@ -8687,12 +8774,8 @@ func (q *sqlQuerier) GetTemplatePresetsWithPrebuilds(ctx context.Context, templa
 }
 
 const updatePrebuildProvisionerJobWithCancel = `-- name: UpdatePrebuildProvisionerJobWithCancel :many
-UPDATE provisioner_jobs
-SET
-	canceled_at = $1::timestamptz,
-	completed_at = $1::timestamptz
-WHERE id IN (
-	SELECT pj.id
+WITH jobs_to_cancel AS (
+	SELECT pj.id, w.id AS workspace_id, w.template_id, wpb.template_version_preset_id
 	FROM provisioner_jobs pj
 	INNER JOIN workspace_prebuild_builds wpb ON wpb.job_id = pj.id
 	INNER JOIN workspaces w ON w.id = wpb.workspace_id
@@ -8711,7 +8794,13 @@ WHERE id IN (
 		AND pj.canceled_at IS NULL
 		AND pj.completed_at IS NULL
 )
-RETURNING id
+UPDATE provisioner_jobs
+SET
+	canceled_at = $1::timestamptz,
+	completed_at = $1::timestamptz
+FROM jobs_to_cancel
+WHERE provisioner_jobs.id = jobs_to_cancel.id
+RETURNING jobs_to_cancel.id, jobs_to_cancel.workspace_id, jobs_to_cancel.template_id, jobs_to_cancel.template_version_preset_id
 `
 
 type UpdatePrebuildProvisionerJobWithCancelParams struct {
@@ -8719,22 +8808,34 @@ type UpdatePrebuildProvisionerJobWithCancelParams struct {
 	PresetID uuid.NullUUID `db:"preset_id" json:"preset_id"`
 }
 
+type UpdatePrebuildProvisionerJobWithCancelRow struct {
+	ID                      uuid.UUID     `db:"id" json:"id"`
+	WorkspaceID             uuid.UUID     `db:"workspace_id" json:"workspace_id"`
+	TemplateID              uuid.UUID     `db:"template_id" json:"template_id"`
+	TemplateVersionPresetID uuid.NullUUID `db:"template_version_preset_id" json:"template_version_preset_id"`
+}
+
 // Cancels all pending provisioner jobs for prebuilt workspaces on a specific preset from an
 // inactive template version.
 // This is an optimization to clean up stale pending jobs.
-func (q *sqlQuerier) UpdatePrebuildProvisionerJobWithCancel(ctx context.Context, arg UpdatePrebuildProvisionerJobWithCancelParams) ([]uuid.UUID, error) {
+func (q *sqlQuerier) UpdatePrebuildProvisionerJobWithCancel(ctx context.Context, arg UpdatePrebuildProvisionerJobWithCancelParams) ([]UpdatePrebuildProvisionerJobWithCancelRow, error) {
 	rows, err := q.db.QueryContext(ctx, updatePrebuildProvisionerJobWithCancel, arg.Now, arg.PresetID)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
-	var items []uuid.UUID
+	var items []UpdatePrebuildProvisionerJobWithCancelRow
 	for rows.Next() {
-		var id uuid.UUID
-		if err := rows.Scan(&id); err != nil {
+		var i UpdatePrebuildProvisionerJobWithCancelRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.WorkspaceID,
+			&i.TemplateID,
+			&i.TemplateVersionPresetID,
+		); err != nil {
 			return nil, err
 		}
-		items = append(items, id)
+		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
@@ -17468,7 +17569,8 @@ const getWorkspaceAgentAndLatestBuildByAuthToken = `-- name: GetWorkspaceAgentAn
 SELECT
 	workspaces.id, workspaces.created_at, workspaces.updated_at, workspaces.owner_id, workspaces.organization_id, workspaces.template_id, workspaces.deleted, workspaces.name, workspaces.autostart_schedule, workspaces.ttl, workspaces.last_used_at, workspaces.dormant_at, workspaces.deleting_at, workspaces.automatic_updates, workspaces.favorite, workspaces.next_start_at, workspaces.group_acl, workspaces.user_acl,
 	workspace_agents.id, workspace_agents.created_at, workspace_agents.updated_at, workspace_agents.name, workspace_agents.first_connected_at, workspace_agents.last_connected_at, workspace_agents.disconnected_at, workspace_agents.resource_id, workspace_agents.auth_token, workspace_agents.auth_instance_id, workspace_agents.architecture, workspace_agents.environment_variables, workspace_agents.operating_system, workspace_agents.instance_metadata, workspace_agents.resource_metadata, workspace_agents.directory, workspace_agents.version, workspace_agents.last_connected_replica_id, workspace_agents.connection_timeout_seconds, workspace_agents.troubleshooting_url, workspace_agents.motd_file, workspace_agents.lifecycle_state, workspace_agents.expanded_directory, workspace_agents.logs_length, workspace_agents.logs_overflowed, workspace_agents.started_at, workspace_agents.ready_at, workspace_agents.subsystems, workspace_agents.display_apps, workspace_agents.api_version, workspace_agents.display_order, workspace_agents.parent_id, workspace_agents.api_key_scope, workspace_agents.deleted,
-	workspace_build_with_user.id, workspace_build_with_user.created_at, workspace_build_with_user.updated_at, workspace_build_with_user.workspace_id, workspace_build_with_user.template_version_id, workspace_build_with_user.build_number, workspace_build_with_user.transition, workspace_build_with_user.initiator_id, workspace_build_with_user.provisioner_state, workspace_build_with_user.job_id, workspace_build_with_user.deadline, workspace_build_with_user.reason, workspace_build_with_user.daily_cost, workspace_build_with_user.max_deadline, workspace_build_with_user.template_version_preset_id, workspace_build_with_user.has_ai_task, workspace_build_with_user.ai_task_sidebar_app_id, workspace_build_with_user.has_external_agent, workspace_build_with_user.initiator_by_avatar_url, workspace_build_with_user.initiator_by_username, workspace_build_with_user.initiator_by_name
+	workspace_build_with_user.id, workspace_build_with_user.created_at, workspace_build_with_user.updated_at, workspace_build_with_user.workspace_id, workspace_build_with_user.template_version_id, workspace_build_with_user.build_number, workspace_build_with_user.transition, workspace_build_with_user.initiator_id, workspace_build_with_user.provisioner_state, workspace_build_with_user.job_id, workspace_build_with_user.deadline, workspace_build_with_user.reason, workspace_build_with_user.daily_cost, workspace_build_with_user.max_deadline, workspace_build_with_user.template_version_preset_id, workspace_build_with_user.has_ai_task, workspace_build_with_user.ai_task_sidebar_app_id, workspace_build_with_user.has_external_agent, workspace_build_with_user.initiator_by_avatar_url, workspace_build_with_user.initiator_by_username, workspace_build_with_user.initiator_by_name,
+	tasks.id AS task_id
 FROM
 	workspace_agents
 JOIN
@@ -17483,6 +17585,10 @@ JOIN
 	workspaces
 ON
 	workspace_build_with_user.workspace_id = workspaces.id
+LEFT JOIN
+	tasks
+ON
+	tasks.workspace_id = workspaces.id
 WHERE
 	-- This should only match 1 agent, so 1 returned row or 0.
 	workspace_agents.auth_token = $1::uuid
@@ -17506,6 +17612,7 @@ type GetWorkspaceAgentAndLatestBuildByAuthTokenRow struct {
 	WorkspaceTable WorkspaceTable `db:"workspace_table" json:"workspace_table"`
 	WorkspaceAgent WorkspaceAgent `db:"workspace_agent" json:"workspace_agent"`
 	WorkspaceBuild WorkspaceBuild `db:"workspace_build" json:"workspace_build"`
+	TaskID         uuid.NullUUID  `db:"task_id" json:"task_id"`
 }
 
 func (q *sqlQuerier) GetWorkspaceAgentAndLatestBuildByAuthToken(ctx context.Context, authToken uuid.UUID) (GetWorkspaceAgentAndLatestBuildByAuthTokenRow, error) {
@@ -17585,6 +17692,7 @@ func (q *sqlQuerier) GetWorkspaceAgentAndLatestBuildByAuthToken(ctx context.Cont
 		&i.WorkspaceBuild.InitiatorByAvatarUrl,
 		&i.WorkspaceBuild.InitiatorByUsername,
 		&i.WorkspaceBuild.InitiatorByName,
+		&i.TaskID,
 	)
 	return i, err
 }
@@ -21826,7 +21934,7 @@ func (q *sqlQuerier) GetWorkspaceACLByID(ctx context.Context, id uuid.UUID) (Get
 
 const getWorkspaceByAgentID = `-- name: GetWorkspaceByAgentID :one
 SELECT
-	id, created_at, updated_at, owner_id, organization_id, template_id, deleted, name, autostart_schedule, ttl, last_used_at, dormant_at, deleting_at, automatic_updates, favorite, next_start_at, group_acl, user_acl, owner_avatar_url, owner_username, owner_name, organization_name, organization_display_name, organization_icon, organization_description, template_name, template_display_name, template_icon, template_description
+	id, created_at, updated_at, owner_id, organization_id, template_id, deleted, name, autostart_schedule, ttl, last_used_at, dormant_at, deleting_at, automatic_updates, favorite, next_start_at, group_acl, user_acl, owner_avatar_url, owner_username, owner_name, organization_name, organization_display_name, organization_icon, organization_description, template_name, template_display_name, template_icon, template_description, task_id
 FROM
 	workspaces_expanded as workspaces
 WHERE
@@ -21887,13 +21995,14 @@ func (q *sqlQuerier) GetWorkspaceByAgentID(ctx context.Context, agentID uuid.UUI
 		&i.TemplateDisplayName,
 		&i.TemplateIcon,
 		&i.TemplateDescription,
+		&i.TaskID,
 	)
 	return i, err
 }
 
 const getWorkspaceByID = `-- name: GetWorkspaceByID :one
 SELECT
-	id, created_at, updated_at, owner_id, organization_id, template_id, deleted, name, autostart_schedule, ttl, last_used_at, dormant_at, deleting_at, automatic_updates, favorite, next_start_at, group_acl, user_acl, owner_avatar_url, owner_username, owner_name, organization_name, organization_display_name, organization_icon, organization_description, template_name, template_display_name, template_icon, template_description
+	id, created_at, updated_at, owner_id, organization_id, template_id, deleted, name, autostart_schedule, ttl, last_used_at, dormant_at, deleting_at, automatic_updates, favorite, next_start_at, group_acl, user_acl, owner_avatar_url, owner_username, owner_name, organization_name, organization_display_name, organization_icon, organization_description, template_name, template_display_name, template_icon, template_description, task_id
 FROM
 	workspaces_expanded
 WHERE
@@ -21935,13 +22044,14 @@ func (q *sqlQuerier) GetWorkspaceByID(ctx context.Context, id uuid.UUID) (Worksp
 		&i.TemplateDisplayName,
 		&i.TemplateIcon,
 		&i.TemplateDescription,
+		&i.TaskID,
 	)
 	return i, err
 }
 
 const getWorkspaceByOwnerIDAndName = `-- name: GetWorkspaceByOwnerIDAndName :one
 SELECT
-	id, created_at, updated_at, owner_id, organization_id, template_id, deleted, name, autostart_schedule, ttl, last_used_at, dormant_at, deleting_at, automatic_updates, favorite, next_start_at, group_acl, user_acl, owner_avatar_url, owner_username, owner_name, organization_name, organization_display_name, organization_icon, organization_description, template_name, template_display_name, template_icon, template_description
+	id, created_at, updated_at, owner_id, organization_id, template_id, deleted, name, autostart_schedule, ttl, last_used_at, dormant_at, deleting_at, automatic_updates, favorite, next_start_at, group_acl, user_acl, owner_avatar_url, owner_username, owner_name, organization_name, organization_display_name, organization_icon, organization_description, template_name, template_display_name, template_icon, template_description, task_id
 FROM
 	workspaces_expanded as workspaces
 WHERE
@@ -21990,13 +22100,14 @@ func (q *sqlQuerier) GetWorkspaceByOwnerIDAndName(ctx context.Context, arg GetWo
 		&i.TemplateDisplayName,
 		&i.TemplateIcon,
 		&i.TemplateDescription,
+		&i.TaskID,
 	)
 	return i, err
 }
 
 const getWorkspaceByResourceID = `-- name: GetWorkspaceByResourceID :one
 SELECT
-	id, created_at, updated_at, owner_id, organization_id, template_id, deleted, name, autostart_schedule, ttl, last_used_at, dormant_at, deleting_at, automatic_updates, favorite, next_start_at, group_acl, user_acl, owner_avatar_url, owner_username, owner_name, organization_name, organization_display_name, organization_icon, organization_description, template_name, template_display_name, template_icon, template_description
+	id, created_at, updated_at, owner_id, organization_id, template_id, deleted, name, autostart_schedule, ttl, last_used_at, dormant_at, deleting_at, automatic_updates, favorite, next_start_at, group_acl, user_acl, owner_avatar_url, owner_username, owner_name, organization_name, organization_display_name, organization_icon, organization_description, template_name, template_display_name, template_icon, template_description, task_id
 FROM
 	workspaces_expanded as workspaces
 WHERE
@@ -22052,13 +22163,14 @@ func (q *sqlQuerier) GetWorkspaceByResourceID(ctx context.Context, resourceID uu
 		&i.TemplateDisplayName,
 		&i.TemplateIcon,
 		&i.TemplateDescription,
+		&i.TaskID,
 	)
 	return i, err
 }
 
 const getWorkspaceByWorkspaceAppID = `-- name: GetWorkspaceByWorkspaceAppID :one
 SELECT
-	id, created_at, updated_at, owner_id, organization_id, template_id, deleted, name, autostart_schedule, ttl, last_used_at, dormant_at, deleting_at, automatic_updates, favorite, next_start_at, group_acl, user_acl, owner_avatar_url, owner_username, owner_name, organization_name, organization_display_name, organization_icon, organization_description, template_name, template_display_name, template_icon, template_description
+	id, created_at, updated_at, owner_id, organization_id, template_id, deleted, name, autostart_schedule, ttl, last_used_at, dormant_at, deleting_at, automatic_updates, favorite, next_start_at, group_acl, user_acl, owner_avatar_url, owner_username, owner_name, organization_name, organization_display_name, organization_icon, organization_description, template_name, template_display_name, template_icon, template_description, task_id
 FROM
 	workspaces_expanded as workspaces
 WHERE
@@ -22126,6 +22238,7 @@ func (q *sqlQuerier) GetWorkspaceByWorkspaceAppID(ctx context.Context, workspace
 		&i.TemplateDisplayName,
 		&i.TemplateIcon,
 		&i.TemplateDescription,
+		&i.TaskID,
 	)
 	return i, err
 }
@@ -22175,7 +22288,7 @@ SELECT
 ),
 filtered_workspaces AS (
 SELECT
-	workspaces.id, workspaces.created_at, workspaces.updated_at, workspaces.owner_id, workspaces.organization_id, workspaces.template_id, workspaces.deleted, workspaces.name, workspaces.autostart_schedule, workspaces.ttl, workspaces.last_used_at, workspaces.dormant_at, workspaces.deleting_at, workspaces.automatic_updates, workspaces.favorite, workspaces.next_start_at, workspaces.group_acl, workspaces.user_acl, workspaces.owner_avatar_url, workspaces.owner_username, workspaces.owner_name, workspaces.organization_name, workspaces.organization_display_name, workspaces.organization_icon, workspaces.organization_description, workspaces.template_name, workspaces.template_display_name, workspaces.template_icon, workspaces.template_description,
+	workspaces.id, workspaces.created_at, workspaces.updated_at, workspaces.owner_id, workspaces.organization_id, workspaces.template_id, workspaces.deleted, workspaces.name, workspaces.autostart_schedule, workspaces.ttl, workspaces.last_used_at, workspaces.dormant_at, workspaces.deleting_at, workspaces.automatic_updates, workspaces.favorite, workspaces.next_start_at, workspaces.group_acl, workspaces.user_acl, workspaces.owner_avatar_url, workspaces.owner_username, workspaces.owner_name, workspaces.organization_name, workspaces.organization_display_name, workspaces.organization_icon, workspaces.organization_description, workspaces.template_name, workspaces.template_display_name, workspaces.template_icon, workspaces.template_description, workspaces.task_id,
 	latest_build.template_version_id,
 	latest_build.template_version_name,
 	latest_build.completed_at as latest_build_completed_at,
@@ -22183,7 +22296,6 @@ SELECT
 	latest_build.error as latest_build_error,
 	latest_build.transition as latest_build_transition,
 	latest_build.job_status as latest_build_status,
-	latest_build.has_ai_task as latest_build_has_ai_task,
 	latest_build.has_external_agent as latest_build_has_external_agent
 FROM
 	workspaces_expanded as workspaces
@@ -22417,25 +22529,19 @@ WHERE
 			  (latest_build.template_version_id = template.active_version_id) = $18 :: boolean
 		  ELSE true
 	END
-	-- Filter by has_ai_task in latest build
+	-- Filter by has_ai_task, checks if this is a task workspace.
 	AND CASE
-		WHEN $19 :: boolean IS NOT NULL THEN
-			(COALESCE(latest_build.has_ai_task, false) OR (
-				-- If the build has no AI task, it means that the provisioner job is in progress
-				-- and we don't know if it has an AI task yet. In this case, we optimistically
-				-- assume that it has an AI task if the AI Prompt parameter is not empty. This
-				-- lets the AI Task frontend spawn a task and see it immediately after instead of
-				-- having to wait for the build to complete.
-				latest_build.has_ai_task IS NULL AND
-				latest_build.completed_at IS NULL AND
-				EXISTS (
-					SELECT 1
-					FROM workspace_build_parameters
-					WHERE workspace_build_parameters.workspace_build_id = latest_build.id
-					AND workspace_build_parameters.name = 'AI Prompt'
-					AND workspace_build_parameters.value != ''
-				)
-			)) = ($19 :: boolean)
+		WHEN $19::boolean IS NOT NULL
+		THEN $19::boolean = EXISTS (
+			SELECT
+				1
+			FROM
+				tasks
+			WHERE
+				-- Consider all tasks, deleting a task does not turn the
+				-- workspace into a non-task workspace.
+				tasks.workspace_id = workspaces.id
+		)
 		ELSE true
 	END
 	-- Filter by has_external_agent in latest build
@@ -22466,7 +22572,7 @@ WHERE
 	-- @authorize_filter
 ), filtered_workspaces_order AS (
 	SELECT
-		fw.id, fw.created_at, fw.updated_at, fw.owner_id, fw.organization_id, fw.template_id, fw.deleted, fw.name, fw.autostart_schedule, fw.ttl, fw.last_used_at, fw.dormant_at, fw.deleting_at, fw.automatic_updates, fw.favorite, fw.next_start_at, fw.group_acl, fw.user_acl, fw.owner_avatar_url, fw.owner_username, fw.owner_name, fw.organization_name, fw.organization_display_name, fw.organization_icon, fw.organization_description, fw.template_name, fw.template_display_name, fw.template_icon, fw.template_description, fw.template_version_id, fw.template_version_name, fw.latest_build_completed_at, fw.latest_build_canceled_at, fw.latest_build_error, fw.latest_build_transition, fw.latest_build_status, fw.latest_build_has_ai_task, fw.latest_build_has_external_agent
+		fw.id, fw.created_at, fw.updated_at, fw.owner_id, fw.organization_id, fw.template_id, fw.deleted, fw.name, fw.autostart_schedule, fw.ttl, fw.last_used_at, fw.dormant_at, fw.deleting_at, fw.automatic_updates, fw.favorite, fw.next_start_at, fw.group_acl, fw.user_acl, fw.owner_avatar_url, fw.owner_username, fw.owner_name, fw.organization_name, fw.organization_display_name, fw.organization_icon, fw.organization_description, fw.template_name, fw.template_display_name, fw.template_icon, fw.template_description, fw.task_id, fw.template_version_id, fw.template_version_name, fw.latest_build_completed_at, fw.latest_build_canceled_at, fw.latest_build_error, fw.latest_build_transition, fw.latest_build_status, fw.latest_build_has_external_agent
 	FROM
 		filtered_workspaces fw
 	ORDER BY
@@ -22487,7 +22593,7 @@ WHERE
 		$25
 ), filtered_workspaces_order_with_summary AS (
 	SELECT
-		fwo.id, fwo.created_at, fwo.updated_at, fwo.owner_id, fwo.organization_id, fwo.template_id, fwo.deleted, fwo.name, fwo.autostart_schedule, fwo.ttl, fwo.last_used_at, fwo.dormant_at, fwo.deleting_at, fwo.automatic_updates, fwo.favorite, fwo.next_start_at, fwo.group_acl, fwo.user_acl, fwo.owner_avatar_url, fwo.owner_username, fwo.owner_name, fwo.organization_name, fwo.organization_display_name, fwo.organization_icon, fwo.organization_description, fwo.template_name, fwo.template_display_name, fwo.template_icon, fwo.template_description, fwo.template_version_id, fwo.template_version_name, fwo.latest_build_completed_at, fwo.latest_build_canceled_at, fwo.latest_build_error, fwo.latest_build_transition, fwo.latest_build_status, fwo.latest_build_has_ai_task, fwo.latest_build_has_external_agent
+		fwo.id, fwo.created_at, fwo.updated_at, fwo.owner_id, fwo.organization_id, fwo.template_id, fwo.deleted, fwo.name, fwo.autostart_schedule, fwo.ttl, fwo.last_used_at, fwo.dormant_at, fwo.deleting_at, fwo.automatic_updates, fwo.favorite, fwo.next_start_at, fwo.group_acl, fwo.user_acl, fwo.owner_avatar_url, fwo.owner_username, fwo.owner_name, fwo.organization_name, fwo.organization_display_name, fwo.organization_icon, fwo.organization_description, fwo.template_name, fwo.template_display_name, fwo.template_icon, fwo.template_description, fwo.task_id, fwo.template_version_id, fwo.template_version_name, fwo.latest_build_completed_at, fwo.latest_build_canceled_at, fwo.latest_build_error, fwo.latest_build_transition, fwo.latest_build_status, fwo.latest_build_has_external_agent
 	FROM
 		filtered_workspaces_order fwo
 	-- Return a technical summary row with total count of workspaces.
@@ -22523,6 +22629,7 @@ WHERE
 		'', -- template_display_name
 		'', -- template_icon
 		'', -- template_description
+		'00000000-0000-0000-0000-000000000000'::uuid, -- task_id
 		-- Extra columns added to ` + "`" + `filtered_workspaces` + "`" + `
 		'00000000-0000-0000-0000-000000000000'::uuid, -- template_version_id
 		'', -- template_version_name
@@ -22531,7 +22638,6 @@ WHERE
 		'', -- latest_build_error
 		'start'::workspace_transition, -- latest_build_transition
 		'unknown'::provisioner_job_status, -- latest_build_status
-		false, -- latest_build_has_ai_task
 		false -- latest_build_has_external_agent
 	WHERE
 		$27 :: boolean = true
@@ -22542,7 +22648,7 @@ WHERE
 		filtered_workspaces
 )
 SELECT
-	fwos.id, fwos.created_at, fwos.updated_at, fwos.owner_id, fwos.organization_id, fwos.template_id, fwos.deleted, fwos.name, fwos.autostart_schedule, fwos.ttl, fwos.last_used_at, fwos.dormant_at, fwos.deleting_at, fwos.automatic_updates, fwos.favorite, fwos.next_start_at, fwos.group_acl, fwos.user_acl, fwos.owner_avatar_url, fwos.owner_username, fwos.owner_name, fwos.organization_name, fwos.organization_display_name, fwos.organization_icon, fwos.organization_description, fwos.template_name, fwos.template_display_name, fwos.template_icon, fwos.template_description, fwos.template_version_id, fwos.template_version_name, fwos.latest_build_completed_at, fwos.latest_build_canceled_at, fwos.latest_build_error, fwos.latest_build_transition, fwos.latest_build_status, fwos.latest_build_has_ai_task, fwos.latest_build_has_external_agent,
+	fwos.id, fwos.created_at, fwos.updated_at, fwos.owner_id, fwos.organization_id, fwos.template_id, fwos.deleted, fwos.name, fwos.autostart_schedule, fwos.ttl, fwos.last_used_at, fwos.dormant_at, fwos.deleting_at, fwos.automatic_updates, fwos.favorite, fwos.next_start_at, fwos.group_acl, fwos.user_acl, fwos.owner_avatar_url, fwos.owner_username, fwos.owner_name, fwos.organization_name, fwos.organization_display_name, fwos.organization_icon, fwos.organization_description, fwos.template_name, fwos.template_display_name, fwos.template_icon, fwos.template_description, fwos.task_id, fwos.template_version_id, fwos.template_version_name, fwos.latest_build_completed_at, fwos.latest_build_canceled_at, fwos.latest_build_error, fwos.latest_build_transition, fwos.latest_build_status, fwos.latest_build_has_external_agent,
 	tc.count
 FROM
 	filtered_workspaces_order_with_summary fwos
@@ -22610,6 +22716,7 @@ type GetWorkspacesRow struct {
 	TemplateDisplayName         string               `db:"template_display_name" json:"template_display_name"`
 	TemplateIcon                string               `db:"template_icon" json:"template_icon"`
 	TemplateDescription         string               `db:"template_description" json:"template_description"`
+	TaskID                      uuid.NullUUID        `db:"task_id" json:"task_id"`
 	TemplateVersionID           uuid.UUID            `db:"template_version_id" json:"template_version_id"`
 	TemplateVersionName         sql.NullString       `db:"template_version_name" json:"template_version_name"`
 	LatestBuildCompletedAt      sql.NullTime         `db:"latest_build_completed_at" json:"latest_build_completed_at"`
@@ -22617,7 +22724,6 @@ type GetWorkspacesRow struct {
 	LatestBuildError            sql.NullString       `db:"latest_build_error" json:"latest_build_error"`
 	LatestBuildTransition       WorkspaceTransition  `db:"latest_build_transition" json:"latest_build_transition"`
 	LatestBuildStatus           ProvisionerJobStatus `db:"latest_build_status" json:"latest_build_status"`
-	LatestBuildHasAITask        sql.NullBool         `db:"latest_build_has_ai_task" json:"latest_build_has_ai_task"`
 	LatestBuildHasExternalAgent sql.NullBool         `db:"latest_build_has_external_agent" json:"latest_build_has_external_agent"`
 	Count                       int64                `db:"count" json:"count"`
 }
@@ -22692,6 +22798,7 @@ func (q *sqlQuerier) GetWorkspaces(ctx context.Context, arg GetWorkspacesParams)
 			&i.TemplateDisplayName,
 			&i.TemplateIcon,
 			&i.TemplateDescription,
+			&i.TaskID,
 			&i.TemplateVersionID,
 			&i.TemplateVersionName,
 			&i.LatestBuildCompletedAt,
@@ -22699,7 +22806,6 @@ func (q *sqlQuerier) GetWorkspaces(ctx context.Context, arg GetWorkspacesParams)
 			&i.LatestBuildError,
 			&i.LatestBuildTransition,
 			&i.LatestBuildStatus,
-			&i.LatestBuildHasAITask,
 			&i.LatestBuildHasExternalAgent,
 			&i.Count,
 		); err != nil {

coderd/database/queries/prebuilds.sql

@@ -300,12 +300,8 @@ GROUP BY wpb.template_version_preset_id;
 -- Cancels all pending provisioner jobs for prebuilt workspaces on a specific preset from an
 -- inactive template version.
 -- This is an optimization to clean up stale pending jobs.
-UPDATE provisioner_jobs
-SET
-	canceled_at = @now::timestamptz,
-	completed_at = @now::timestamptz
-WHERE id IN (
-	SELECT pj.id
+WITH jobs_to_cancel AS (
+	SELECT pj.id, w.id AS workspace_id, w.template_id, wpb.template_version_preset_id
 	FROM provisioner_jobs pj
 	INNER JOIN workspace_prebuild_builds wpb ON wpb.job_id = pj.id
 	INNER JOIN workspaces w ON w.id = wpb.workspace_id
@@ -324,4 +320,54 @@ WHERE id IN (
 		AND pj.canceled_at IS NULL
 		AND pj.completed_at IS NULL
 )
-RETURNING id;
+UPDATE provisioner_jobs
+SET
+	canceled_at = @now::timestamptz,
+	completed_at = @now::timestamptz
+FROM jobs_to_cancel
+WHERE provisioner_jobs.id = jobs_to_cancel.id
+RETURNING jobs_to_cancel.id, jobs_to_cancel.workspace_id, jobs_to_cancel.template_id, jobs_to_cancel.template_version_preset_id;
+
+-- name: GetOrganizationsWithPrebuildStatus :many
+-- GetOrganizationsWithPrebuildStatus returns organizations with prebuilds configured and their
+-- membership status for the prebuilds system user (org membership, group existence, group membership).
+WITH orgs_with_prebuilds AS (
+	-- Get unique organizations that have presets with prebuilds configured
+	SELECT DISTINCT o.id, o.name
+	FROM organizations o
+	INNER JOIN templates t ON t.organization_id = o.id
+	INNER JOIN template_versions tv ON tv.template_id = t.id
+	INNER JOIN template_version_presets tvp ON tvp.template_version_id = tv.id
+	WHERE tvp.desired_instances IS NOT NULL
+),
+prebuild_user_membership AS (
+	-- Check if the user is a member of the organizations
+	SELECT om.organization_id
+	FROM organization_members om
+	INNER JOIN orgs_with_prebuilds owp ON owp.id = om.organization_id
+	WHERE om.user_id = @user_id::uuid
+),
+prebuild_groups AS (
+	-- Check if the organizations have the prebuilds group
+	SELECT g.organization_id, g.id as group_id
+	FROM groups g
+	INNER JOIN orgs_with_prebuilds owp ON owp.id = g.organization_id
+	WHERE g.name = @group_name::text
+),
+prebuild_group_membership AS (
+	-- Check if the user is in the prebuilds group
+	SELECT pg.organization_id
+	FROM prebuild_groups pg
+	INNER JOIN group_members gm ON gm.group_id = pg.group_id
+	WHERE gm.user_id = @user_id::uuid
+)
+SELECT
+	owp.id AS organization_id,
+	owp.name AS organization_name,
+	(pum.organization_id IS NOT NULL)::boolean AS has_prebuild_user,
+	pg.group_id AS prebuilds_group_id,
+	(pgm.organization_id IS NOT NULL)::boolean AS has_prebuild_user_in_group
+FROM orgs_with_prebuilds owp
+LEFT JOIN prebuild_groups pg ON pg.organization_id = owp.id
+LEFT JOIN prebuild_user_membership pum ON pum.organization_id = owp.id
+LEFT JOIN prebuild_group_membership pgm ON pgm.organization_id = owp.id;

coderd/database/queries/workspaceagents.sql

@@ -285,7 +285,8 @@ WHERE
 SELECT
 	sqlc.embed(workspaces),
 	sqlc.embed(workspace_agents),
-	sqlc.embed(workspace_build_with_user)
+	sqlc.embed(workspace_build_with_user),
+	tasks.id AS task_id
 FROM
 	workspace_agents
 JOIN
@@ -300,6 +301,10 @@ JOIN
 	workspaces
 ON
 	workspace_build_with_user.workspace_id = workspaces.id
+LEFT JOIN
+	tasks
+ON
+	tasks.workspace_id = workspaces.id
 WHERE
 	-- This should only match 1 agent, so 1 returned row or 0.
 	workspace_agents.auth_token = @auth_token::uuid

coderd/database/queries/workspaces.sql

@@ -117,7 +117,6 @@ SELECT
 	latest_build.error as latest_build_error,
 	latest_build.transition as latest_build_transition,
 	latest_build.job_status as latest_build_status,
-	latest_build.has_ai_task as latest_build_has_ai_task,
 	latest_build.has_external_agent as latest_build_has_external_agent
 FROM
 	workspaces_expanded as workspaces
@@ -351,25 +350,19 @@ WHERE
 			  (latest_build.template_version_id = template.active_version_id) = sqlc.narg('using_active') :: boolean
 		  ELSE true
 	END
-	-- Filter by has_ai_task in latest build
+	-- Filter by has_ai_task, checks if this is a task workspace.
 	AND CASE
-		WHEN sqlc.narg('has_ai_task') :: boolean IS NOT NULL THEN
-			(COALESCE(latest_build.has_ai_task, false) OR (
-				-- If the build has no AI task, it means that the provisioner job is in progress
-				-- and we don't know if it has an AI task yet. In this case, we optimistically
-				-- assume that it has an AI task if the AI Prompt parameter is not empty. This
-				-- lets the AI Task frontend spawn a task and see it immediately after instead of
-				-- having to wait for the build to complete.
-				latest_build.has_ai_task IS NULL AND
-				latest_build.completed_at IS NULL AND
-				EXISTS (
-					SELECT 1
-					FROM workspace_build_parameters
-					WHERE workspace_build_parameters.workspace_build_id = latest_build.id
-					AND workspace_build_parameters.name = 'AI Prompt'
-					AND workspace_build_parameters.value != ''
-				)
-			)) = (sqlc.narg('has_ai_task') :: boolean)
+		WHEN sqlc.narg('has_ai_task')::boolean IS NOT NULL
+		THEN sqlc.narg('has_ai_task')::boolean = EXISTS (
+			SELECT
+				1
+			FROM
+				tasks
+			WHERE
+				-- Consider all tasks, deleting a task does not turn the
+				-- workspace into a non-task workspace.
+				tasks.workspace_id = workspaces.id
+		)
 		ELSE true
 	END
 	-- Filter by has_external_agent in latest build
@@ -457,6 +450,7 @@ WHERE
 		'', -- template_display_name
 		'', -- template_icon
 		'', -- template_description
+		'00000000-0000-0000-0000-000000000000'::uuid, -- task_id
 		-- Extra columns added to `filtered_workspaces`
 		'00000000-0000-0000-0000-000000000000'::uuid, -- template_version_id
 		'', -- template_version_name
@@ -465,7 +459,6 @@ WHERE
 		'', -- latest_build_error
 		'start'::workspace_transition, -- latest_build_transition
 		'unknown'::provisioner_job_status, -- latest_build_status
-		false, -- latest_build_has_ai_task
 		false -- latest_build_has_external_agent
 	WHERE
 		@with_summary :: boolean = true

coderd/httpmw/workspaceagent.go

@@ -118,6 +118,7 @@ func ExtractWorkspaceAgentAndLatestBuild(opts ExtractWorkspaceAgentAndLatestBuil
 					OwnerID:       row.WorkspaceTable.OwnerID,
 					TemplateID:    row.WorkspaceTable.TemplateID,
 					VersionID:     row.WorkspaceBuild.TemplateVersionID,
+					TaskID:        row.TaskID,
 					BlockUserData: row.WorkspaceAgent.APIKeyScope == database.AgentKeyScopeEnumNoUserData,
 				}),
 			)

coderd/oauth2provider/metadata.go

@@ -18,6 +18,7 @@ func GetAuthorizationServerMetadata(accessURL *url.URL) http.HandlerFunc {
 			AuthorizationEndpoint:             accessURL.JoinPath("/oauth2/authorize").String(),
 			TokenEndpoint:                     accessURL.JoinPath("/oauth2/tokens").String(),
 			RegistrationEndpoint:              accessURL.JoinPath("/oauth2/register").String(), // RFC 7591
+			RevocationEndpoint:                accessURL.JoinPath("/oauth2/revoke").String(),   // RFC 7009
 			ResponseTypesSupported:            []string{"code"},
 			GrantTypesSupported:               []string{"authorization_code", "refresh_token"},
 			CodeChallengeMethodsSupported:     []string{"S256"},

coderd/prebuilds/api.go

@@ -37,13 +37,18 @@ type ReconciliationOrchestrator interface {
 	TrackResourceReplacement(ctx context.Context, workspaceID, buildID uuid.UUID, replacements []*sdkproto.ResourceReplacement)
 }
 
+// ReconcileStats contains statistics about a reconciliation cycle.
+type ReconcileStats struct {
+	Elapsed time.Duration
+}
+
 type Reconciler interface {
 	StateSnapshotter
 
 	// ReconcileAll orchestrates the reconciliation of all prebuilds across all templates.
 	// It takes a global snapshot of the system state and then reconciles each preset
 	// in parallel, creating or deleting prebuilds as needed to reach their desired states.
-	ReconcileAll(ctx context.Context) error
+	ReconcileAll(ctx context.Context) (ReconcileStats, error)
 }
 
 // StateSnapshotter defines the operations necessary to capture workspace prebuilds state.

coderd/prebuilds/noop.go

@@ -17,7 +17,11 @@ func (NoopReconciler) Run(context.Context)         {}
 func (NoopReconciler) Stop(context.Context, error) {}
 func (NoopReconciler) TrackResourceReplacement(context.Context, uuid.UUID, uuid.UUID, []*sdkproto.ResourceReplacement) {
 }
-func (NoopReconciler) ReconcileAll(context.Context) error { return nil }
+
+func (NoopReconciler) ReconcileAll(context.Context) (ReconcileStats, error) {
+	return ReconcileStats{}, nil
+}
+
 func (NoopReconciler) SnapshotState(context.Context, database.Store) (*GlobalSnapshot, error) {
 	return &GlobalSnapshot{}, nil
 }

coderd/provisionerdserver/provisionerdserver.go

@@ -2278,6 +2278,14 @@ func (s *server) completeWorkspaceBuildJob(ctx context.Context, job database.Pro
 		if err != nil {
 			return xerrors.Errorf("update workspace deleted: %w", err)
 		}
+		if workspace.TaskID.Valid {
+			if _, err := db.DeleteTask(ctx, database.DeleteTaskParams{
+				ID:        workspace.TaskID.UUID,
+				DeletedAt: dbtime.Now(),
+			}); err != nil && !errors.Is(err, sql.ErrNoRows) {
+				return xerrors.Errorf("delete task related to workspace: %w", err)
+			}
+		}
 
 		return nil
 	}, nil)

coderd/rbac/scopes.go

@@ -18,6 +18,7 @@ type WorkspaceAgentScopeParams struct {
 	OwnerID       uuid.UUID
 	TemplateID    uuid.UUID
 	VersionID     uuid.UUID
+	TaskID        uuid.NullUUID
 	BlockUserData bool
 }
 
@@ -42,6 +43,15 @@ func WorkspaceAgentScope(params WorkspaceAgentScopeParams) Scope {
 		panic("failed to expand scope, this should never happen")
 	}
 
+	// Include task in the allow list if the workspace has an associated task.
+	var extraAllowList []AllowListElement
+	if params.TaskID.Valid {
+		extraAllowList = append(extraAllowList, AllowListElement{
+			Type: ResourceTask.Type,
+			ID:   params.TaskID.UUID.String(),
+		})
+	}
+
 	return Scope{
 		// TODO: We want to limit the role too to be extra safe.
 		// Even though the allowlist blocks anything else, it is still good
@@ -52,12 +62,12 @@ func WorkspaceAgentScope(params WorkspaceAgentScopeParams) Scope {
 		// Limit the agent to only be able to access the singular workspace and
 		// the template/version it was created from. Add additional resources here
 		// as needed, but do not add more workspace or template resource ids.
-		AllowIDList: []AllowListElement{
+		AllowIDList: append([]AllowListElement{
 			{Type: ResourceWorkspace.Type, ID: params.WorkspaceID.String()},
 			{Type: ResourceTemplate.Type, ID: params.TemplateID.String()},
 			{Type: ResourceTemplate.Type, ID: params.VersionID.String()},
 			{Type: ResourceUser.Type, ID: params.OwnerID.String()},
-		},
+		}, extraAllowList...),
 	}
 }
 

coderd/workspaceagents.go

@@ -461,67 +461,55 @@ func (api *API) enqueueAITaskStateNotification(
 		return
 	}
 
-	workspaceBuild, err := api.Database.GetLatestWorkspaceBuildByWorkspaceID(ctx, workspace.ID)
-	if err != nil {
-		api.Logger.Warn(ctx, "failed to get workspace build", slog.Error(err))
+	if !workspace.TaskID.Valid {
+		// Workspace has no task ID, do nothing.
 		return
 	}
 
-	// Confirm Workspace Agent App is an AI Task
-	if workspaceBuild.HasAITask.Valid && workspaceBuild.HasAITask.Bool &&
-		workspaceBuild.AITaskSidebarAppID.Valid && workspaceBuild.AITaskSidebarAppID.UUID == appID {
-		// Skip if the latest persisted state equals the new state (no new transition)
-		if len(latestAppStatus) > 0 && latestAppStatus[0].State == database.WorkspaceAppStatusState(newAppStatus) {
-			return
-		}
+	task, err := api.Database.GetTaskByID(ctx, workspace.TaskID.UUID)
+	if err != nil {
+		api.Logger.Warn(ctx, "failed to get task", slog.Error(err))
+		return
+	}
 
-		// Skip the initial "Working" notification when task first starts.
-		// This is obvious to the user since they just created the task.
-		// We still notify on first "Idle" status and all subsequent transitions.
-		if len(latestAppStatus) == 0 && newAppStatus == codersdk.WorkspaceAppStatusStateWorking {
-			return
-		}
+	if !task.WorkspaceAppID.Valid || task.WorkspaceAppID.UUID != appID {
+		// Non-task app, do nothing.
+		return
+	}
 
-		// Use the task prompt as the "task" label, fallback to workspace name
-		parameters, err := api.Database.GetWorkspaceBuildParameters(ctx, workspaceBuild.ID)
-		if err != nil {
-			api.Logger.Warn(ctx, "failed to get workspace build parameters", slog.Error(err))
-			return
-		}
-		taskName := workspace.Name
-		for _, param := range parameters {
-			if param.Name == codersdk.AITaskPromptParameterName {
-				taskName = param.Value
-			}
-		}
+	// Skip if the latest persisted state equals the new state (no new transition)
+	if len(latestAppStatus) > 0 && latestAppStatus[0].State == database.WorkspaceAppStatusState(newAppStatus) {
+		return
+	}
 
-		// As task prompt may be particularly long, truncate it to 160 characters for notifications.
-		if len(taskName) > 160 {
-			taskName = strutil.Truncate(taskName, 160, strutil.TruncateWithEllipsis, strutil.TruncateWithFullWords)
-		}
+	// Skip the initial "Working" notification when task first starts.
+	// This is obvious to the user since they just created the task.
+	// We still notify on first "Idle" status and all subsequent transitions.
+	if len(latestAppStatus) == 0 && newAppStatus == codersdk.WorkspaceAppStatusStateWorking {
+		return
+	}
 
-		if _, err := api.NotificationsEnqueuer.EnqueueWithData(
-			// nolint:gocritic // Need notifier actor to enqueue notifications
-			dbauthz.AsNotifier(ctx),
-			workspace.OwnerID,
-			notificationTemplate,
-			map[string]string{
-				"task":      taskName,
-				"workspace": workspace.Name,
-			},
-			map[string]any{
-				// Use a 1-minute bucketed timestamp to bypass per-day dedupe,
-				// allowing identical content to resend within the same day
-				// (but not more than once every 10s).
-				"dedupe_bypass_ts": api.Clock.Now().UTC().Truncate(time.Minute),
-			},
-			"api-workspace-agent-app-status",
-			// Associate this notification with related entities
-			workspace.ID, workspace.OwnerID, workspace.OrganizationID, appID,
-		); err != nil {
-			api.Logger.Warn(ctx, "failed to notify of task state", slog.Error(err))
-			return
-		}
+	if _, err := api.NotificationsEnqueuer.EnqueueWithData(
+		// nolint:gocritic // Need notifier actor to enqueue notifications
+		dbauthz.AsNotifier(ctx),
+		workspace.OwnerID,
+		notificationTemplate,
+		map[string]string{
+			"task":      task.Name,
+			"workspace": workspace.Name,
+		},
+		map[string]any{
+			// Use a 1-minute bucketed timestamp to bypass per-day dedupe,
+			// allowing identical content to resend within the same day
+			// (but not more than once every 10s).
+			"dedupe_bypass_ts": api.Clock.Now().UTC().Truncate(time.Minute),
+		},
+		"api-workspace-agent-app-status",
+		// Associate this notification with related entities
+		workspace.ID, workspace.OwnerID, workspace.OrganizationID, appID,
+	); err != nil {
+		api.Logger.Warn(ctx, "failed to notify of task state", slog.Error(err))
+		return
 	}
 }
 

coderd/workspacebuilds.go

@@ -335,6 +335,15 @@ func (api *API) postWorkspaceBuilds(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// We want to allow a delete build for a deleted workspace, but not a start or stop build.
+	if workspace.Deleted && createBuild.Transition != codersdk.WorkspaceTransitionDelete {
+		httpapi.Write(ctx, rw, http.StatusConflict, codersdk.Response{
+			Message: fmt.Sprintf("Cannot %s a deleted workspace!", createBuild.Transition),
+			Detail:  "This workspace has been deleted and cannot be modified.",
+		})
+		return
+	}
+
 	apiBuild, err := api.postWorkspaceBuildsInternal(
 		ctx,
 		apiKey,
@@ -1219,7 +1228,6 @@ func (api *API) convertWorkspaceBuild(
 		TemplateVersionPresetID: presetID,
 		HasAITask:               hasAITask,
 		AITaskSidebarAppID:      taskAppID,
-		TaskAppID:               taskAppID,
 		HasExternalAgent:        hasExternalAgent,
 	}, nil
 }

coderd/workspacebuilds_test.go

@@ -1840,6 +1840,68 @@ func TestPostWorkspaceBuild(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, codersdk.BuildReasonDashboard, build.Reason)
 	})
+	t.Run("DeletedWorkspace", func(t *testing.T) {
+		t.Parallel()
+
+		// Given: a workspace that has already been deleted
+		var (
+			ctx             = testutil.Context(t, testutil.WaitShort)
+			logger          = slogtest.Make(t, &slogtest.Options{}).Leveled(slog.LevelError)
+			adminClient, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{
+				Logger: &logger,
+			})
+			admin                         = coderdtest.CreateFirstUser(t, adminClient)
+			workspaceOwnerClient, member1 = coderdtest.CreateAnotherUser(t, adminClient, admin.OrganizationID)
+			otherMemberClient, _          = coderdtest.CreateAnotherUser(t, adminClient, admin.OrganizationID)
+			ws                            = dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{OwnerID: member1.ID, OrganizationID: admin.OrganizationID}).
+							Seed(database.WorkspaceBuild{Transition: database.WorkspaceTransitionDelete}).
+							Do()
+		)
+
+		// This needs to be done separately as provisionerd handles marking the workspace as deleted
+		// and we're skipping provisionerd here for speed.
+		require.NoError(t, db.UpdateWorkspaceDeletedByID(dbauthz.AsProvisionerd(ctx), database.UpdateWorkspaceDeletedByIDParams{
+			ID:      ws.Workspace.ID,
+			Deleted: true,
+		}))
+
+		// Assert test invariant: Workspace should be deleted
+		dbWs, err := db.GetWorkspaceByID(dbauthz.AsProvisionerd(ctx), ws.Workspace.ID)
+		require.NoError(t, err)
+		require.True(t, dbWs.Deleted, "workspace should be deleted")
+
+		for _, tc := range []struct {
+			user         *codersdk.Client
+			tr           codersdk.WorkspaceTransition
+			expectStatus int
+		}{
+			// You should not be allowed to mess with a workspace you don't own, regardless of its deleted state.
+			{otherMemberClient, codersdk.WorkspaceTransitionStart, http.StatusNotFound},
+			{otherMemberClient, codersdk.WorkspaceTransitionStop, http.StatusNotFound},
+			{otherMemberClient, codersdk.WorkspaceTransitionDelete, http.StatusNotFound},
+			// Starting or stopping a workspace is not allowed when it is deleted.
+			{workspaceOwnerClient, codersdk.WorkspaceTransitionStart, http.StatusConflict},
+			{workspaceOwnerClient, codersdk.WorkspaceTransitionStop, http.StatusConflict},
+			// We allow a delete just in case a retry is required. In most cases, this will be a no-op.
+			// Note: this is the last test case because it will change the state of the workspace.
+			{workspaceOwnerClient, codersdk.WorkspaceTransitionDelete, http.StatusOK},
+		} {
+			// When: we create a workspace build with the given transition
+			_, err = tc.user.CreateWorkspaceBuild(ctx, ws.Workspace.ID, codersdk.CreateWorkspaceBuildRequest{
+				Transition: tc.tr,
+			})
+
+			// Then: we allow ONLY a delete build for a deleted workspace.
+			if tc.expectStatus < http.StatusBadRequest {
+				require.NoError(t, err, "creating a %s build for a deleted workspace should not error", tc.tr)
+			} else {
+				var apiError *codersdk.Error
+				require.Error(t, err, "creating a %s build for a deleted workspace should return an error", tc.tr)
+				require.ErrorAs(t, err, &apiError)
+				require.Equal(t, tc.expectStatus, apiError.StatusCode())
+			}
+		}
+	})
 }
 
 func TestWorkspaceBuildTimings(t *testing.T) {

coderd/workspaces.go

@@ -2654,6 +2654,7 @@ func convertWorkspace(
 		Favorite:         requesterFavorite,
 		NextStartAt:      nextStartAt,
 		IsPrebuild:       workspace.IsPrebuild(),
+		TaskID:           workspace.TaskID,
 	}, nil
 }
 

coderd/workspaces_test.go

@@ -4700,11 +4700,16 @@ func TestWorkspaceFilterHasAITask(t *testing.T) {
 
 	ctx := testutil.Context(t, testutil.WaitLong)
 
-	// Helper function to create workspace with AI task configuration
-	createWorkspaceWithAIConfig := func(hasAITask sql.NullBool, jobCompleted bool, aiTaskPrompt *string) database.WorkspaceTable {
+	// Helper function to create workspace with optional task.
+	createWorkspace := func(jobCompleted, createTask bool, prompt string) uuid.UUID {
+		// TODO(mafredri): The bellow comment is based on deprecated logic and
+		// kept only present to test that the old observable behavior works as
+		// intended.
+		//
 		// When a provisioner job uses these tags, no provisioner will match it.
-		// We do this so jobs will always be stuck in "pending", allowing us to exercise the intermediary state when
-		// has_ai_task is nil and we compensate by looking at pending provisioning jobs.
+		// We do this so jobs will always be stuck in "pending", allowing us to
+		// exercise the intermediary state when has_ai_task is nil and we
+		// compensate by looking at pending provisioning jobs.
 		// See GetWorkspaces clauses.
 		unpickableTags := database.StringMap{"custom": "true"}
 
@@ -4723,102 +4728,71 @@ func TestWorkspaceFilterHasAITask(t *testing.T) {
 			jobConfig.CompletedAt = sql.NullTime{Time: time.Now(), Valid: true}
 		}
 		job := dbgen.ProvisionerJob(t, db, pubsub, jobConfig)
-
 		res := dbgen.WorkspaceResource(t, db, database.WorkspaceResource{JobID: job.ID})
 		agnt := dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{ResourceID: res.ID})
-
-		var sidebarAppID uuid.UUID
-		if hasAITask.Bool {
-			sidebarApp := dbgen.WorkspaceApp(t, db, database.WorkspaceApp{AgentID: agnt.ID})
-			sidebarAppID = sidebarApp.ID
-		}
-
+		taskApp := dbgen.WorkspaceApp(t, db, database.WorkspaceApp{AgentID: agnt.ID})
 		build := dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{
 			WorkspaceID:        ws.ID,
 			TemplateVersionID:  version.ID,
 			InitiatorID:        user.UserID,
 			JobID:              job.ID,
 			BuildNumber:        1,
-			HasAITask:          hasAITask,
-			AITaskSidebarAppID: uuid.NullUUID{UUID: sidebarAppID, Valid: sidebarAppID != uuid.Nil},
+			AITaskSidebarAppID: uuid.NullUUID{UUID: taskApp.ID, Valid: createTask},
 		})
 
-		if aiTaskPrompt != nil {
-			err := db.InsertWorkspaceBuildParameters(dbauthz.AsSystemRestricted(ctx), database.InsertWorkspaceBuildParametersParams{
-				WorkspaceBuildID: build.ID,
-				Name:             []string{provider.TaskPromptParameterName},
-				Value:            []string{*aiTaskPrompt},
+		if createTask {
+			task := dbgen.Task(t, db, database.TaskTable{
+				WorkspaceID:       uuid.NullUUID{UUID: ws.ID, Valid: true},
+				OrganizationID:    user.OrganizationID,
+				OwnerID:           user.UserID,
+				TemplateVersionID: version.ID,
+				Prompt:            prompt,
+			})
+			dbgen.TaskWorkspaceApp(t, db, database.TaskWorkspaceApp{
+				TaskID:               task.ID,
+				WorkspaceBuildNumber: build.BuildNumber,
+				WorkspaceAgentID:     uuid.NullUUID{UUID: agnt.ID, Valid: true},
+				WorkspaceAppID:       uuid.NullUUID{UUID: taskApp.ID, Valid: true},
 			})
-			require.NoError(t, err)
 		}
 
-		return ws
+		return ws.ID
 	}
 
-	// Create test workspaces with different AI task configurations
-	wsWithAITask := createWorkspaceWithAIConfig(sql.NullBool{Bool: true, Valid: true}, true, nil)
-	wsWithoutAITask := createWorkspaceWithAIConfig(sql.NullBool{Bool: false, Valid: true}, false, nil)
+	// Create workspaces with tasks.
+	wsWithTask1 := createWorkspace(true, true, "Build me a web app")
+	wsWithTask2 := createWorkspace(false, true, "Another task")
 
-	aiTaskPrompt := "Build me a web app"
-	wsWithAITaskParam := createWorkspaceWithAIConfig(sql.NullBool{Valid: false}, false, &aiTaskPrompt)
-
-	anotherTaskPrompt := "Another task"
-	wsCompletedWithAITaskParam := createWorkspaceWithAIConfig(sql.NullBool{Valid: false}, true, &anotherTaskPrompt)
-
-	emptyPrompt := ""
-	wsWithEmptyAITaskParam := createWorkspaceWithAIConfig(sql.NullBool{Valid: false}, false, &emptyPrompt)
-
-	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-	defer cancel()
-
-	// Debug: Check all workspaces without filter first
-	allRes, err := client.Workspaces(ctx, codersdk.WorkspaceFilter{})
-	require.NoError(t, err)
-	t.Logf("Total workspaces created: %d", len(allRes.Workspaces))
-	for i, ws := range allRes.Workspaces {
-		t.Logf("All Workspace %d: ID=%s, Name=%s, Build ID=%s, Job ID=%s", i, ws.ID, ws.Name, ws.LatestBuild.ID, ws.LatestBuild.Job.ID)
-	}
+	// Create workspaces without tasks
+	wsWithoutTask1 := createWorkspace(true, false, "")
+	wsWithoutTask2 := createWorkspace(false, false, "")
 
 	// Test filtering for workspaces with AI tasks
-	// Should include: wsWithAITask (has_ai_task=true) and wsWithAITaskParam (null + incomplete + param)
+	// Should include: wsWithTask1 and wsWithTask2
 	res, err := client.Workspaces(ctx, codersdk.WorkspaceFilter{
 		FilterQuery: "has-ai-task:true",
 	})
 	require.NoError(t, err)
-	t.Logf("Expected 2 workspaces for has-ai-task:true, got %d", len(res.Workspaces))
-	t.Logf("Expected workspaces: %s, %s", wsWithAITask.ID, wsWithAITaskParam.ID)
-	for i, ws := range res.Workspaces {
-		t.Logf("AI Task True Workspace %d: ID=%s, Name=%s", i, ws.ID, ws.Name)
-	}
 	require.Len(t, res.Workspaces, 2)
 	workspaceIDs := []uuid.UUID{res.Workspaces[0].ID, res.Workspaces[1].ID}
-	require.Contains(t, workspaceIDs, wsWithAITask.ID)
-	require.Contains(t, workspaceIDs, wsWithAITaskParam.ID)
+	require.Contains(t, workspaceIDs, wsWithTask1)
+	require.Contains(t, workspaceIDs, wsWithTask2)
 
 	// Test filtering for workspaces without AI tasks
-	// Should include: wsWithoutAITask, wsCompletedWithAITaskParam, wsWithEmptyAITaskParam
+	// Should include: wsWithoutTask1, wsWithoutTask2, wsWithoutTask3
 	res, err = client.Workspaces(ctx, codersdk.WorkspaceFilter{
 		FilterQuery: "has-ai-task:false",
 	})
 	require.NoError(t, err)
-
-	// Debug: print what we got
-	t.Logf("Expected 3 workspaces for has-ai-task:false, got %d", len(res.Workspaces))
-	for i, ws := range res.Workspaces {
-		t.Logf("Workspace %d: ID=%s, Name=%s", i, ws.ID, ws.Name)
-	}
-	t.Logf("Expected IDs: %s, %s, %s", wsWithoutAITask.ID, wsCompletedWithAITaskParam.ID, wsWithEmptyAITaskParam.ID)
-
-	require.Len(t, res.Workspaces, 3)
-	workspaceIDs = []uuid.UUID{res.Workspaces[0].ID, res.Workspaces[1].ID, res.Workspaces[2].ID}
-	require.Contains(t, workspaceIDs, wsWithoutAITask.ID)
-	require.Contains(t, workspaceIDs, wsCompletedWithAITaskParam.ID)
-	require.Contains(t, workspaceIDs, wsWithEmptyAITaskParam.ID)
+	require.Len(t, res.Workspaces, 2)
+	workspaceIDs = []uuid.UUID{res.Workspaces[0].ID, res.Workspaces[1].ID}
+	require.Contains(t, workspaceIDs, wsWithoutTask1)
+	require.Contains(t, workspaceIDs, wsWithoutTask2)
 
 	// Test no filter returns all
 	res, err = client.Workspaces(ctx, codersdk.WorkspaceFilter{})
 	require.NoError(t, err)
-	require.Len(t, res.Workspaces, 5)
+	require.Len(t, res.Workspaces, 4)
 }
 
 func TestWorkspaceAppUpsertRestart(t *testing.T) {

codersdk/aibridge.go

@@ -113,8 +113,8 @@ func (f AIBridgeListInterceptionsFilter) asRequestOption() RequestOption {
 
 // AIBridgeListInterceptions returns AIBridge interceptions with the given
 // filter.
-func (c *ExperimentalClient) AIBridgeListInterceptions(ctx context.Context, filter AIBridgeListInterceptionsFilter) (AIBridgeListInterceptionsResponse, error) {
-	res, err := c.Request(ctx, http.MethodGet, "/api/experimental/aibridge/interceptions", nil, filter.asRequestOption(), filter.Pagination.asRequestOption(), filter.Pagination.asRequestOption())
+func (c *Client) AIBridgeListInterceptions(ctx context.Context, filter AIBridgeListInterceptionsFilter) (AIBridgeListInterceptionsResponse, error) {
+	res, err := c.Request(ctx, http.MethodGet, "/api/v2/aibridge/interceptions", nil, filter.asRequestOption(), filter.Pagination.asRequestOption(), filter.Pagination.asRequestOption())
 	if err != nil {
 		return AIBridgeListInterceptionsResponse{}, err
 	}

codersdk/aitasks.go

@@ -17,46 +17,16 @@ import (
 // AITaskPromptParameterName is the name of the parameter used to pass prompts
 // to AI tasks.
 //
-// Experimental: This value is experimental and may change in the future.
+// Deprecated: This constant is deprecated and maintained only for backwards
+// compatibility with older templates. Task prompts are now stored directly
+// in the tasks.prompt database column. New code should access prompts via
+// the Task.InitialPrompt field returned from task endpoints.
+//
+// This constant will be removed in a future major version. Templates should
+// not rely on this parameter name, as the backend will continue to create it
+// automatically for compatibility but reads from tasks.prompt.
 const AITaskPromptParameterName = provider.TaskPromptParameterName
 
-// AITasksPromptsResponse represents the response from the AITaskPrompts method.
-//
-// Experimental: This method is experimental and may change in the future.
-type AITasksPromptsResponse struct {
-	// Prompts is a map of workspace build IDs to prompts.
-	Prompts map[string]string `json:"prompts"`
-}
-
-// AITaskPrompts returns prompts for multiple workspace builds by their IDs.
-//
-// Experimental: This method is experimental and may change in the future.
-func (c *ExperimentalClient) AITaskPrompts(ctx context.Context, buildIDs []uuid.UUID) (AITasksPromptsResponse, error) {
-	if len(buildIDs) == 0 {
-		return AITasksPromptsResponse{
-			Prompts: make(map[string]string),
-		}, nil
-	}
-
-	// Convert UUIDs to strings and join them
-	buildIDStrings := make([]string, len(buildIDs))
-	for i, id := range buildIDs {
-		buildIDStrings[i] = id.String()
-	}
-	buildIDsParam := strings.Join(buildIDStrings, ",")
-
-	res, err := c.Request(ctx, http.MethodGet, "/api/experimental/aitasks/prompts", nil, WithQueryParam("build_ids", buildIDsParam))
-	if err != nil {
-		return AITasksPromptsResponse{}, err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusOK {
-		return AITasksPromptsResponse{}, ReadBodyAsError(res)
-	}
-	var prompts AITasksPromptsResponse
-	return prompts, json.NewDecoder(res.Body).Decode(&prompts)
-}
-
 // CreateTaskRequest represents the request to create a new task.
 //
 // Experimental: This type is experimental and may change in the future.

codersdk/deployment.go

@@ -3241,14 +3241,13 @@ Write out the current server config as YAML to stdout.`,
 		// AIBridge Options
 		{
 			Name:        "AIBridge Enabled",
-			Description: fmt.Sprintf("Whether to start an in-memory aibridged instance (%q experiment must be enabled, too).", ExperimentAIBridge),
+			Description: "Whether to start an in-memory aibridged instance.",
 			Flag:        "aibridge-enabled",
 			Env:         "CODER_AIBRIDGE_ENABLED",
 			Value:       &c.AI.BridgeConfig.Enabled,
 			Default:     "false",
 			Group:       &deploymentGroupAIBridge,
 			YAML:        "enabled",
-			Hidden:      true,
 		},
 		{
 			Name:        "AIBridge OpenAI Base URL",
@@ -3259,7 +3258,6 @@ Write out the current server config as YAML to stdout.`,
 			Default:     "https://api.openai.com/v1/",
 			Group:       &deploymentGroupAIBridge,
 			YAML:        "openai_base_url",
-			Hidden:      true,
 		},
 		{
 			Name:        "AIBridge OpenAI Key",
@@ -3270,7 +3268,6 @@ Write out the current server config as YAML to stdout.`,
 			Default:     "",
 			Group:       &deploymentGroupAIBridge,
 			YAML:        "openai_key",
-			Hidden:      true,
 		},
 		{
 			Name:        "AIBridge Anthropic Base URL",
@@ -3281,7 +3278,6 @@ Write out the current server config as YAML to stdout.`,
 			Default:     "https://api.anthropic.com/",
 			Group:       &deploymentGroupAIBridge,
 			YAML:        "anthropic_base_url",
-			Hidden:      true,
 		},
 		{
 			Name:        "AIBridge Anthropic Key",
@@ -3292,7 +3288,6 @@ Write out the current server config as YAML to stdout.`,
 			Default:     "",
 			Group:       &deploymentGroupAIBridge,
 			YAML:        "anthropic_key",
-			Hidden:      true,
 		},
 		{
 			Name:        "AIBridge Bedrock Region",
@@ -3303,7 +3298,6 @@ Write out the current server config as YAML to stdout.`,
 			Default:     "",
 			Group:       &deploymentGroupAIBridge,
 			YAML:        "bedrock_region",
-			Hidden:      true,
 		},
 		{
 			Name:        "AIBridge Bedrock Access Key",
@@ -3314,7 +3308,6 @@ Write out the current server config as YAML to stdout.`,
 			Default:     "",
 			Group:       &deploymentGroupAIBridge,
 			YAML:        "bedrock_access_key",
-			Hidden:      true,
 		},
 		{
 			Name:        "AIBridge Bedrock Access Key Secret",
@@ -3325,7 +3318,6 @@ Write out the current server config as YAML to stdout.`,
 			Default:     "",
 			Group:       &deploymentGroupAIBridge,
 			YAML:        "bedrock_access_key_secret",
-			Hidden:      true,
 		},
 		{
 			Name:        "AIBridge Bedrock Model",
@@ -3336,7 +3328,6 @@ Write out the current server config as YAML to stdout.`,
 			Default:     "global.anthropic.claude-sonnet-4-5-20250929-v1:0", // See https://docs.claude.com/en/api/claude-on-amazon-bedrock#accessing-bedrock.
 			Group:       &deploymentGroupAIBridge,
 			YAML:        "bedrock_model",
-			Hidden:      true,
 		},
 		{
 			Name:        "AIBridge Bedrock Small Fast Model",
@@ -3347,7 +3338,6 @@ Write out the current server config as YAML to stdout.`,
 			Default:     "global.anthropic.claude-haiku-4-5-20251001-v1:0", // See https://docs.claude.com/en/api/claude-on-amazon-bedrock#accessing-bedrock.
 			Group:       &deploymentGroupAIBridge,
 			YAML:        "bedrock_small_fast_model",
-			Hidden:      true,
 		},
 		{
 			Name: "Enable Authorization Recordings",
@@ -3645,7 +3635,6 @@ const (
 	ExperimentOAuth2             Experiment = "oauth2"               // Enables OAuth2 provider functionality.
 	ExperimentMCPServerHTTP      Experiment = "mcp-server-http"      // Enables the MCP HTTP server functionality.
 	ExperimentWorkspaceSharing   Experiment = "workspace-sharing"    // Enables updating workspace ACLs for sharing with users and groups.
-	ExperimentAIBridge           Experiment = "aibridge"             // Enables AI Bridge functionality.
 )
 
 func (e Experiment) DisplayName() string {
@@ -3666,8 +3655,6 @@ func (e Experiment) DisplayName() string {
 		return "MCP HTTP Server Functionality"
 	case ExperimentWorkspaceSharing:
 		return "Workspace Sharing"
-	case ExperimentAIBridge:
-		return "AI Bridge"
 	default:
 		// Split on hyphen and convert to title case
 		// e.g. "web-push" -> "Web Push", "mcp-server-http" -> "Mcp Server Http"
@@ -3686,7 +3673,6 @@ var ExperimentsKnown = Experiments{
 	ExperimentOAuth2,
 	ExperimentMCPServerHTTP,
 	ExperimentWorkspaceSharing,
-	ExperimentAIBridge,
 }
 
 // ExperimentsSafe should include all experiments that are safe for

codersdk/oauth2.go

@@ -262,6 +262,7 @@ type OAuth2AuthorizationServerMetadata struct {
 	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
 	TokenEndpoint                     string   `json:"token_endpoint"`
 	RegistrationEndpoint              string   `json:"registration_endpoint,omitempty"`
+	RevocationEndpoint                string   `json:"revocation_endpoint,omitempty"`
 	ResponseTypesSupported            []string `json:"response_types_supported"`
 	GrantTypesSupported               []string `json:"grant_types_supported"`
 	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported"`

codersdk/toolsdk/toolsdk.go

@@ -317,13 +317,14 @@ type GetWorkspaceArgs struct {
 var GetWorkspace = Tool[GetWorkspaceArgs, codersdk.Workspace]{
 	Tool: aisdk.Tool{
 		Name: ToolNameGetWorkspace,
-		Description: `Get a workspace by ID.
+		Description: `Get a workspace by name or ID.
 
 This returns more data than list_workspaces to reduce token usage.`,
 		Schema: aisdk.Schema{
 			Properties: map[string]any{
 				"workspace_id": map[string]any{
-					"type": "string",
+					"type":        "string",
+					"description": workspaceDescription,
 				},
 			},
 			Required: []string{"workspace_id"},
@@ -332,7 +333,7 @@ This returns more data than list_workspaces to reduce token usage.`,
 	Handler: func(ctx context.Context, deps Deps, args GetWorkspaceArgs) (codersdk.Workspace, error) {
 		wsID, err := uuid.Parse(args.WorkspaceID)
 		if err != nil {
-			return codersdk.Workspace{}, xerrors.New("workspace_id must be a valid UUID")
+			return namedWorkspace(ctx, deps.coderClient, NormalizeWorkspaceInput(args.WorkspaceID))
 		}
 		return deps.coderClient.Workspace(ctx, wsID)
 	},
@@ -1432,7 +1433,7 @@ var WorkspaceLS = Tool[WorkspaceLSArgs, WorkspaceLSResponse]{
 			Properties: map[string]any{
 				"workspace": map[string]any{
 					"type":        "string",
-					"description": workspaceDescription,
+					"description": workspaceAgentDescription,
 				},
 				"path": map[string]any{
 					"type":        "string",
@@ -1489,7 +1490,7 @@ var WorkspaceReadFile = Tool[WorkspaceReadFileArgs, WorkspaceReadFileResponse]{
 			Properties: map[string]any{
 				"workspace": map[string]any{
 					"type":        "string",
-					"description": workspaceDescription,
+					"description": workspaceAgentDescription,
 				},
 				"path": map[string]any{
 					"type":        "string",
@@ -1566,7 +1567,7 @@ content you are trying to write, then re-encode it properly.
 			Properties: map[string]any{
 				"workspace": map[string]any{
 					"type":        "string",
-					"description": workspaceDescription,
+					"description": workspaceAgentDescription,
 				},
 				"path": map[string]any{
 					"type":        "string",
@@ -1614,7 +1615,7 @@ var WorkspaceEditFile = Tool[WorkspaceEditFileArgs, codersdk.Response]{
 			Properties: map[string]any{
 				"workspace": map[string]any{
 					"type":        "string",
-					"description": workspaceDescription,
+					"description": workspaceAgentDescription,
 				},
 				"path": map[string]any{
 					"type":        "string",
@@ -1681,7 +1682,7 @@ var WorkspaceEditFiles = Tool[WorkspaceEditFilesArgs, codersdk.Response]{
 			Properties: map[string]any{
 				"workspace": map[string]any{
 					"type":        "string",
-					"description": workspaceDescription,
+					"description": workspaceAgentDescription,
 				},
 				"files": map[string]any{
 					"type":        "array",
@@ -1755,7 +1756,7 @@ var WorkspacePortForward = Tool[WorkspacePortForwardArgs, WorkspacePortForwardRe
 			Properties: map[string]any{
 				"workspace": map[string]any{
 					"type":        "string",
-					"description": workspaceDescription,
+					"description": workspaceAgentDescription,
 				},
 				"port": map[string]any{
 					"type":        "number",
@@ -1812,7 +1813,7 @@ var WorkspaceListApps = Tool[WorkspaceListAppsArgs, WorkspaceListAppsResponse]{
 			Properties: map[string]any{
 				"workspace": map[string]any{
 					"type":        "string",
-					"description": workspaceDescription,
+					"description": workspaceAgentDescription,
 				},
 			},
 			Required: []string{"workspace"},
@@ -2199,7 +2200,9 @@ func newAgentConn(ctx context.Context, client *codersdk.Client, workspace string
 	return conn, nil
 }
 
-const workspaceDescription = "The workspace name in the format [owner/]workspace[.agent]. If an owner is not specified, the authenticated user is used."
+const workspaceDescription = "The workspace ID or name in the format [owner/]workspace. If an owner is not specified, the authenticated user is used."
+
+const workspaceAgentDescription = "The workspace name in the format [owner/]workspace[.agent]. If an owner is not specified, the authenticated user is used."
 
 func taskIDDescription(action string) string {
 	return fmt.Sprintf("ID or workspace identifier in the format [owner/]workspace[.agent] for the task to %s. If an owner is not specified, the authenticated user is used.", action)

codersdk/toolsdk/toolsdk_test.go

@@ -126,12 +126,32 @@ func TestTools(t *testing.T) {
 	t.Run("GetWorkspace", func(t *testing.T) {
 		tb, err := toolsdk.NewDeps(memberClient)
 		require.NoError(t, err)
-		result, err := testTool(t, toolsdk.GetWorkspace, tb, toolsdk.GetWorkspaceArgs{
-			WorkspaceID: r.Workspace.ID.String(),
-		})
 
-		require.NoError(t, err)
-		require.Equal(t, r.Workspace.ID, result.ID, "expected the workspace ID to match")
+		tests := []struct {
+			name      string
+			workspace string
+		}{
+			{
+				name:      "ByID",
+				workspace: r.Workspace.ID.String(),
+			},
+			{
+				name:      "ByName",
+				workspace: r.Workspace.Name,
+			},
+		}
+
+		for _, tt := range tests {
+			t.Run(tt.name, func(t *testing.T) {
+				t.Parallel()
+
+				result, err := testTool(t, toolsdk.GetWorkspace, tb, toolsdk.GetWorkspaceArgs{
+					WorkspaceID: tt.workspace,
+				})
+				require.NoError(t, err)
+				require.Equal(t, r.Workspace.ID, result.ID, "expected the workspace ID to match")
+			})
+		}
 	})
 
 	t.Run("ListTemplates", func(t *testing.T) {

codersdk/workspacebuilds.go

@@ -89,9 +89,8 @@ type WorkspaceBuild struct {
 	MatchedProvisioners     *MatchedProvisioners `json:"matched_provisioners,omitempty"`
 	TemplateVersionPresetID *uuid.UUID           `json:"template_version_preset_id" format:"uuid"`
 	HasAITask               *bool                `json:"has_ai_task,omitempty"`
-	// Deprecated: This field has been replaced with `TaskAppID`
+	// Deprecated: This field has been replaced with `Task.WorkspaceAppID`
 	AITaskSidebarAppID *uuid.UUID `json:"ai_task_sidebar_app_id,omitempty" format:"uuid"`
-	TaskAppID          *uuid.UUID `json:"task_app_id,omitempty" format:"uuid"`
 	HasExternalAgent   *bool      `json:"has_external_agent,omitempty"`
 }
 

codersdk/workspaces.go

@@ -72,6 +72,8 @@ type Workspace struct {
 	// Once a prebuilt workspace is claimed by a user, it transitions to a regular workspace,
 	// and IsPrebuild returns false.
 	IsPrebuild bool `json:"is_prebuild"`
+	// TaskID, if set, indicates that the workspace is relevant to the given codersdk.Task.
+	TaskID uuid.NullUUID `json:"task_id,omitempty"`
 }
 
 func (w Workspace) FullName() string {

docs/admin/infrastructure/validated-architectures/10k-users.md

@@ -1,124 +0,0 @@
-# Reference Architecture: up to 10,000 users
-
-> [!CAUTION]
-> This page is a work in progress.
->
-> We are actively testing different load profiles for this user target and will be updating
-> recommendations. Use these recommendations as a starting point, but monitor your cluster resource
-> utilization and adjust.
-
-The 10,000 users architecture targets large-scale enterprises with development
-teams in multiple geographic regions.
-
-**Geographic Distribution**: For these tests we deploy on 3 cloud-managed Kubernetes clusters in
-the following regions:
-
-1. USA - Primary - Coderd collocated with the PostgreSQL database deployment.
-2. Europe - Workspace Proxies
-3. Asia - Workspace Proxies
-
-**High Availability**: Typically, such scale requires a fully-managed HA
-PostgreSQL service, and all Coder observability features enabled for operational
-purposes.
-
-**Observability**: Deploy monitoring solutions to gather Prometheus metrics and
-visualize them with Grafana to gain detailed insights into infrastructure and
-application behavior. This allows operators to respond quickly to incidents and
-continuously improve the reliability and performance of the platform.
-
-## Testing Methodology
-
-### Workspace Network Traffic
-
-6000 concurrent workspaces (2000 per region), each sending 10 kB/s application traffic.
-
-Test procedure:
-
-1. Create workspaces. This happens simultaneously in each region with 200 provisioners (and thus 600 concurrent builds).
-2. Wait 5 minutes to establish baselines for metrics.
-3. Generate 10 kB/s traffic to each workspace (originating within the same region & cluster).
-
-After, we examine the Coderd, Workspace Proxy, and Database metrics to look for issues.
-
-### Dynamic Parameters
-
-1000 connections simulating changing parameters while configuring a new workspace.
-
-Test procedure:
-
-1. Create a template with complex parameter logic and multiple template versions.
-1. Partition the connections among the template versions (forces Coder to process multiple template files)
-1. Simultaneously connect to the dynamic-parameters API websocket endpoint for the template version
-1. Wait for the initial parameter update.
-1. Send a new parameter value that has cascading effects among other parameters.
-1. Wait for the next update.
-
-After, we examine the latency in the initial connection and update, as well as Coderd and Database metrics to look for
-issues.
-
-### API Request Traffic
-
-To be determined.
-
-## Hardware recommendations
-
-### Coderd
-
-These are deployed in the Primary region only.
-
-| vCPU Limit     | Memory Limit | Replicas | GCP Node Pool Machine Type |
-|----------------|--------------|----------|----------------------------|
-| 4 vCPU (4000m) | 12 GiB       | 10       | `c2d-standard-16`          |
-
-### Provisioners
-
-These are deployed in each of the 3 regions.
-
-| vCPU Limit      | Memory Limit | Replicas | GCP Node Pool Machine Type |
-|-----------------|--------------|----------|----------------------------|
-| 0.1 vCPU (100m) | 1 GiB        | 200      | `c2d-standard-16`          |
-
-**Footnotes**:
-
-- Each provisioner handles a single concurrent build, so this configuration implies 200 concurrent
-  workspace builds per region.
-- Provisioners are run as a separate Kubernetes Deployment from Coderd, although they may
-  share the same node pool.
-- Separate provisioners into different namespaces in favor of zero-trust or
-  multi-cloud deployments.
-
-### Workspace Proxies
-
-These are deployed in the non-Primary regions only.
-
-| vCPU Limit     | Memory Limit | Replicas | GCP Node Pool Machine Type |
-|----------------|--------------|----------|----------------------------|
-| 4 vCPU (4000m) | 12 GiB       | 10       | `c2d-standard-16`          |
-
-**Footnotes**:
-
-- Our testing implies this is somewhat overspecced for the loads we have tried. We are in process of revising these numbers.
-
-### Workspaces
-
-These numbers are for each of the 3 regions. We recommend that you use a separate node pool for user Workspaces.
-
-| Users       | Node capacity        | Replicas                      | GCP              | AWS          | Azure             |
-|-------------|----------------------|-------------------------------|------------------|--------------|-------------------|
-| Up to 3,000 | 8 vCPU, 32 GB memory | 256 nodes, 12 workspaces each | `t2d-standard-8` | `m5.2xlarge` | `Standard_D8s_v3` |
-
-**Footnotes**:
-
-- Assumed that a workspace user needs 2 GB memory to perform
-- Maximum number of Kubernetes workspace pods per node: 256
-- As workspace nodes can be distributed between regions, on-premises networks
-  and cloud areas, consider different namespaces in favor of zero-trust or
-  multi-cloud deployments.
-
-### Database nodes
-
-We conducted our test using the `db-custom-16-61440` tier on Google Cloud SQL.
-
-**Footnotes**:
-
-- This database tier was only just able to keep up with 600 concurrent builds in our tests.

docs/admin/infrastructure/validated-architectures/index.md

@@ -220,8 +220,6 @@ For sizing recommendations, see the below reference architectures:
 
 - [Up to 3,000 users](3k-users.md)
 
-- DRAFT: [Up to 10,000 users](10k-users.md)
-
 ### AWS Instance Types
 
 For production AWS deployments, we recommend using non-burstable instance types,

docs/admin/security/audit-logs.md

@@ -151,6 +151,36 @@ Should you wish to purge these records, it is safe to do so. This can only be do
 directly against the `audit_logs` table in the database. We advise users to only purge old records (>1yr)
 and in accordance with your compliance requirements.
 
+### Maintenance Procedures for the Audit Logs Table
+
+> [!NOTE]
+> `VACUUM FULL` acquires an exclusive lock on the table, blocking all reads and writes. For more information, see the [PostgreSQL VACUUM documentation](https://www.postgresql.org/docs/current/sql-vacuum.html).
+
+You may choose to run a `VACUUM` or `VACUUM FULL` operation on the audit logs table to reclaim disk space. If you choose to run the `FULL` operation, consider the following when doing so:
+
+- **Run during a planned mainteance window** to ensure ample time for the operation to complete and minimize impact to users
+- **Stop all running instances of `coderd`** to prevent connection errors while the table is locked. The actual steps for this will depend on your particular deployment setup. For example, if your `coderd` deployment is running on Kubernetes:
+
+  ```bash
+  kubectl scale deployment coder --replicas=0 -n coder
+  ```
+
+- **Terminate lingering connections** before running the `VACUUM` operation to ensure it starts immediately
+
+  ```sql
+  SELECT pg_terminate_backend(pg_stat_activity.pid)
+  FROM pg_stat_activity
+  WHERE pg_stat_activity.datname = 'coder' AND pid <> pg_backend_pid();
+  ```
+
+- **Only `coderd` needs to scale down** - external provisioner daemons, workspace proxies, and workspace agents don't connect to the database directly.
+
+After the vacuum completes, scale coderd back up:
+
+```bash
+kubectl scale deployment coder --replicas= -n coder
+```
+
 ### Backup/Archive
 
 Consider exporting or archiving these records before deletion:

docs/admin/templates/managing-templates/external-workspaces.md

@@ -20,7 +20,7 @@ External workspaces offer flexibility and control in complex environments:
 
 - **Incremental adoption of Coder**
 
-  Integrate with existing infrastructure gradually without needing to migrate everything at once. This is particularly useful when gradually migrating worklods to Coder without refactoring current infrastructure.
+  Integrate with existing infrastructure gradually without needing to migrate everything at once. This is particularly useful when gradually migrating workloads to Coder without refactoring current infrastructure.
 
 - **Flexibility**
 

docs/ai-coder/ai-bridge.md

@@ -1,8 +1,5 @@
 # AI Bridge
 
-> [!NOTE]
-> AI Bridge is currently an _experimental_ feature.
-
 ![AI bridge diagram](../images/aibridge/aibridge_diagram.png)
 
 Bridge is a smart proxy for AI. It acts as a man-in-the-middle between your users' coding agents / IDEs
@@ -45,17 +42,14 @@ Bridge runs inside the Coder control plane, requiring no separate compute to dep
 
 ### Activation
 
-To enable this feature, activate the `aibridge` experiment using an environment variable or a CLI flag.
-Additionally, you will need to enable Bridge explicitly:
+You will need to enable AI Bridge explicitly:
 
 ```sh
-CODER_EXPERIMENTS="aibridge" CODER_AIBRIDGE_ENABLED=true coder server
+CODER_AIBRIDGE_ENABLED=true coder server
 # or
-coder server --experiments=aibridge --aibridge-enabled=true
+coder server --aibridge-enabled=true
 ```
 
-_If you have other experiments enabled, separate them by commas._
-
 ### Providers
 
 Bridge currently supports OpenAI and Anthropic APIs.
@@ -89,8 +83,8 @@ Once AI Bridge is enabled on the server, your users need to configure their AI c
 
 The exact configuration method varies by client — some use environment variables, others use configuration files or UI settings:
 
-- **OpenAI-compatible clients**: Set the base URL (commonly via the `OPENAI_BASE_URL` environment variable) to `https://coder.example.com/api/experimental/aibridge/openai/v1`
-- **Anthropic-compatible clients**: Set the base URL (commonly via the `ANTHROPIC_BASE_URL` environment variable) to `https://coder.example.com/api/experimental/aibridge/anthropic`
+- **OpenAI-compatible clients**: Set the base URL (commonly via the `OPENAI_BASE_URL` environment variable) to `https://coder.example.com/api/v2/aibridge/openai/v1`
+- **Anthropic-compatible clients**: Set the base URL (commonly via the `ANTHROPIC_BASE_URL` environment variable) to `https://coder.example.com/api/v2/aibridge/anthropic`
 
 Replace `coder.example.com` with your actual Coder deployment URL.
 
@@ -133,7 +127,7 @@ All of these records are associated to an "interception" record, which maps 1:1
 
 These logs can be used to determine usage patterns, track costs, and evaluate tooling adoption.
 
-This data is currently accessible through the API and CLI (experimental), which we advise administrators export to their observability platform of choice. We've configured a Grafana dashboard to display Claude Code usage internally which can be imported as a starting point for your tooling adoption metrics.
+This data is currently accessible through the API and CLI, which we advise administrators export to their observability platform of choice. We've configured a Grafana dashboard to display Claude Code usage internally which can be imported as a starting point for your tooling adoption metrics.
 
 ![User Leaderboard](../images/aibridge/grafana_user_leaderboard.png)
 

docs/install/kubernetes.md

@@ -136,7 +136,7 @@ We support two release channels: mainline and stable - read the
     helm install coder coder-v2/coder \
         --namespace coder \
         --values values.yaml \
-        --version 2.27.1
+        --version 2.27.3
     ```
 
   - **OCI Registry**
@@ -147,7 +147,7 @@ We support two release channels: mainline and stable - read the
     helm install coder oci://ghcr.io/coder/chart/coder \
         --namespace coder \
         --values values.yaml \
-        --version 2.27.2
+        --version 2.27.3
     ```
 
 - **Stable** Coder release:

docs/install/rancher.md

@@ -134,7 +134,7 @@ kubectl create secret generic coder-db-url -n coder \
 
 1. Select a Coder version:
 
-   - **Mainline**: `2.27.2`
+   - **Mainline**: `2.27.3`
    - **Stable**: `2.26.3`
 
    Learn more about release channels in the [Releases documentation](./releases/index.md).

docs/install/releases/index.md

@@ -62,7 +62,7 @@ pages.
 | [2.24](https://coder.com/changelog/coder-2-24) | July 01, 2025      | Not Supported    | [v2.24.4](https://github.com/coder/coder/releases/tag/v2.24.4) |
 | [2.25](https://coder.com/changelog/coder-2-25) | August 05, 2025    | Security Support | [v2.25.3](https://github.com/coder/coder/releases/tag/v2.25.3) |
 | [2.26](https://coder.com/changelog/coder-2-26) | September 03, 2025 | Stable           | [v2.26.3](https://github.com/coder/coder/releases/tag/v2.26.3) |
-| [2.27](https://coder.com/changelog/coder-2-27) | October 02, 2025   | Mainline         | [v2.27.2](https://github.com/coder/coder/releases/tag/v2.27.2) |
+| [2.27](https://coder.com/changelog/coder-2-27) | October 02, 2025   | Mainline         | [v2.27.3](https://github.com/coder/coder/releases/tag/v2.27.3) |
 | 2.28                                           |                    | Not Released     | N/A                                                            |
 <!-- RELEASE_CALENDAR_END -->
 

docs/manifest.json

@@ -396,11 +396,6 @@
 									"title": "Up to 3,000 Users",
 									"description": "Enterprise-scale architecture recommendations for Coder deployments that support up to 3,000 users",
 									"path": "./admin/infrastructure/validated-architectures/3k-users.md"
-								},
-								{
-									"title": "Up to 10,000 Users",
-									"description": "Enterprise-scale architecture recommendations for Coder deployments that support up to 10,000 users",
-									"path": "./admin/infrastructure/validated-architectures/10k-users.md"
 								}
 							]
 						},
@@ -1180,6 +1175,21 @@
 					"path": "./reference/cli/index.md",
 					"icon_path": "./images/icons/terminal.svg",
 					"children": [
+						{
+							"title": "aibridge",
+							"description": "Manage AIBridge.",
+							"path": "reference/cli/aibridge.md"
+						},
+						{
+							"title": "aibridge interceptions",
+							"description": "Manage AIBridge interceptions.",
+							"path": "reference/cli/aibridge_interceptions.md"
+						},
+						{
+							"title": "aibridge interceptions list",
+							"description": "List AIBridge interceptions as JSON.",
+							"path": "reference/cli/aibridge_interceptions_list.md"
+						},
 						{
 							"title": "autoupdate",
 							"description": "Toggle auto-update policy for a workspace",

docs/reference/api/aibridge.md

@@ -6,12 +6,12 @@
 
 ```shell
 # Example request using curl
-curl -X GET http://coder-server:8080/api/v2/api/experimental/aibridge/interceptions \
+curl -X GET http://coder-server:8080/api/v2/aibridge/interceptions \
   -H 'Accept: application/json' \
   -H 'Coder-Session-Token: API_KEY'
 ```
 
-`GET /api/experimental/aibridge/interceptions`
+`GET /aibridge/interceptions`
 
 ### Parameters
 

docs/reference/api/builds.md

@@ -222,7 +222,6 @@ curl -X GET http://coder-server:8080/api/v2/users/{user}/workspace/{workspacenam
     }
   ],
   "status": "pending",
-  "task_app_id": "ca438251-3e16-4fae-b9ab-dd3c237c3735",
   "template_version_id": "0ba39c92-1f1b-4c32-aa3e-9925d7713eb1",
   "template_version_name": "string",
   "template_version_preset_id": "512a53a7-30da-446e-a1fc-713c630baff1",
@@ -464,7 +463,6 @@ curl -X GET http://coder-server:8080/api/v2/workspacebuilds/{workspacebuild} \
     }
   ],
   "status": "pending",
-  "task_app_id": "ca438251-3e16-4fae-b9ab-dd3c237c3735",
   "template_version_id": "0ba39c92-1f1b-4c32-aa3e-9925d7713eb1",
   "template_version_name": "string",
   "template_version_preset_id": "512a53a7-30da-446e-a1fc-713c630baff1",
@@ -1197,7 +1195,6 @@ curl -X GET http://coder-server:8080/api/v2/workspacebuilds/{workspacebuild}/sta
     }
   ],
   "status": "pending",
-  "task_app_id": "ca438251-3e16-4fae-b9ab-dd3c237c3735",
   "template_version_id": "0ba39c92-1f1b-4c32-aa3e-9925d7713eb1",
   "template_version_name": "string",
   "template_version_preset_id": "512a53a7-30da-446e-a1fc-713c630baff1",
@@ -1512,7 +1509,6 @@ curl -X GET http://coder-server:8080/api/v2/workspaces/{workspace}/builds \
       }
     ],
     "status": "pending",
-    "task_app_id": "ca438251-3e16-4fae-b9ab-dd3c237c3735",
     "template_version_id": "0ba39c92-1f1b-4c32-aa3e-9925d7713eb1",
     "template_version_name": "string",
     "template_version_preset_id": "512a53a7-30da-446e-a1fc-713c630baff1",
@@ -1540,7 +1536,7 @@ Status Code **200**
 | Name                             | Type                                                                                                   | Required | Restrictions | Description                                                                                                                                                                                                                                    |
 |----------------------------------|--------------------------------------------------------------------------------------------------------|----------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `[array item]`                   | array                                                                                                  | false    |              |                                                                                                                                                                                                                                                |
-| `» ai_task_sidebar_app_id`       | string(uuid)                                                                                           | false    |              | Deprecated: This field has been replaced with `TaskAppID`                                                                                                                                                                                      |
+| `» ai_task_sidebar_app_id`       | string(uuid)                                                                                           | false    |              | Deprecated: This field has been replaced with `Task.WorkspaceAppID`                                                                                                                                                                            |
 | `» build_number`                 | integer                                                                                                | false    |              |                                                                                                                                                                                                                                                |
 | `» created_at`                   | string(date-time)                                                                                      | false    |              |                                                                                                                                                                                                                                                |
 | `» daily_cost`                   | integer                                                                                                | false    |              |                                                                                                                                                                                                                                                |
@@ -1691,7 +1687,6 @@ Status Code **200**
 | `»» type`                        | string                                                                                                 | false    |              |                                                                                                                                                                                                                                                |
 | `»» workspace_transition`        | [codersdk.WorkspaceTransition](schemas.md#codersdkworkspacetransition)                                 | false    |              |                                                                                                                                                                                                                                                |
 | `» status`                       | [codersdk.WorkspaceStatus](schemas.md#codersdkworkspacestatus)                                         | false    |              |                                                                                                                                                                                                                                                |
-| `» task_app_id`                  | string(uuid)                                                                                           | false    |              |                                                                                                                                                                                                                                                |
 | `» template_version_id`          | string(uuid)                                                                                           | false    |              |                                                                                                                                                                                                                                                |
 | `» template_version_name`        | string                                                                                                 | false    |              |                                                                                                                                                                                                                                                |
 | `» template_version_preset_id`   | string(uuid)                                                                                           | false    |              |                                                                                                                                                                                                                                                |
@@ -2013,7 +2008,6 @@ curl -X POST http://coder-server:8080/api/v2/workspaces/{workspace}/builds \
     }
   ],
   "status": "pending",
-  "task_app_id": "ca438251-3e16-4fae-b9ab-dd3c237c3735",
   "template_version_id": "0ba39c92-1f1b-4c32-aa3e-9925d7713eb1",
   "template_version_name": "string",
   "template_version_preset_id": "512a53a7-30da-446e-a1fc-713c630baff1",

docs/reference/api/enterprise.md

@@ -30,6 +30,7 @@ curl -X GET http://coder-server:8080/api/v2/.well-known/oauth-authorization-serv
   "response_types_supported": [
     "string"
   ],
+  "revocation_endpoint": "string",
   "scopes_supported": [
     "string"
   ],

docs/reference/api/schemas.md

@@ -4059,7 +4059,6 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
 | `oauth2`               |
 | `mcp-server-http`      |
 | `workspace-sharing`    |
-| `aibridge`             |
 
 ## codersdk.ExternalAPIKeyScopes
 
@@ -5323,6 +5322,7 @@ Only certain features set these fields: - FeatureManagedAgentLimit|
   "response_types_supported": [
     "string"
   ],
+  "revocation_endpoint": "string",
   "scopes_supported": [
     "string"
   ],
@@ -5343,6 +5343,7 @@ Only certain features set these fields: - FeatureManagedAgentLimit|
 | `issuer`                                | string          | false    |              |             |
 | `registration_endpoint`                 | string          | false    |              |             |
 | `response_types_supported`              | array of string | false    |              |             |
+| `revocation_endpoint`                   | string          | false    |              |             |
 | `scopes_supported`                      | array of string | false    |              |             |
 | `token_endpoint`                        | string          | false    |              |             |
 | `token_endpoint_auth_methods_supported` | array of string | false    |              |             |
@@ -10165,7 +10166,6 @@ If the schedule is empty, the user will be updated to use the default schedule.|
       }
     ],
     "status": "pending",
-    "task_app_id": "ca438251-3e16-4fae-b9ab-dd3c237c3735",
     "template_version_id": "0ba39c92-1f1b-4c32-aa3e-9925d7713eb1",
     "template_version_name": "string",
     "template_version_preset_id": "512a53a7-30da-446e-a1fc-713c630baff1",
@@ -10185,6 +10185,10 @@ If the schedule is empty, the user will be updated to use the default schedule.|
   "owner_avatar_url": "string",
   "owner_id": "8826ee2e-7933-4665-aef2-2393f84a0d05",
   "owner_name": "string",
+  "task_id": {
+    "uuid": "string",
+    "valid": true
+  },
   "template_active_version_id": "b0da9c29-67d8-4c87-888c-bafe356f7f3c",
   "template_allow_user_cancel_workspace_jobs": true,
   "template_display_name": "string",
@@ -10223,6 +10227,7 @@ If the schedule is empty, the user will be updated to use the default schedule.|
 | `owner_avatar_url`                          | string                                                     | false    |              |                                                                                                                                                                                                                                                                                                                                             |
 | `owner_id`                                  | string                                                     | false    |              |                                                                                                                                                                                                                                                                                                                                             |
 | `owner_name`                                | string                                                     | false    |              | Owner name is the username of the owner of the workspace.                                                                                                                                                                                                                                                                                   |
+| `task_id`                                   | [uuid.NullUUID](#uuidnulluuid)                             | false    |              | Task ID if set, indicates that the workspace is relevant to the given codersdk.Task.                                                                                                                                                                                                                                                        |
 | `template_active_version_id`                | string                                                     | false    |              |                                                                                                                                                                                                                                                                                                                                             |
 | `template_allow_user_cancel_workspace_jobs` | boolean                                                    | false    |              |                                                                                                                                                                                                                                                                                                                                             |
 | `template_display_name`                     | string                                                     | false    |              |                                                                                                                                                                                                                                                                                                                                             |
@@ -11335,7 +11340,6 @@ If the schedule is empty, the user will be updated to use the default schedule.|
     }
   ],
   "status": "pending",
-  "task_app_id": "ca438251-3e16-4fae-b9ab-dd3c237c3735",
   "template_version_id": "0ba39c92-1f1b-4c32-aa3e-9925d7713eb1",
   "template_version_name": "string",
   "template_version_preset_id": "512a53a7-30da-446e-a1fc-713c630baff1",
@@ -11353,7 +11357,7 @@ If the schedule is empty, the user will be updated to use the default schedule.|
 
 | Name                         | Type                                                              | Required | Restrictions | Description                                                         |
 |------------------------------|-------------------------------------------------------------------|----------|--------------|---------------------------------------------------------------------|
-| `ai_task_sidebar_app_id`     | string                                                            | false    |              | Deprecated: This field has been replaced with `TaskAppID`           |
+| `ai_task_sidebar_app_id`     | string                                                            | false    |              | Deprecated: This field has been replaced with `Task.WorkspaceAppID` |
 | `build_number`               | integer                                                           | false    |              |                                                                     |
 | `created_at`                 | string                                                            | false    |              |                                                                     |
 | `daily_cost`                 | integer                                                           | false    |              |                                                                     |
@@ -11369,7 +11373,6 @@ If the schedule is empty, the user will be updated to use the default schedule.|
 | `reason`                     | [codersdk.BuildReason](#codersdkbuildreason)                      | false    |              |                                                                     |
 | `resources`                  | array of [codersdk.WorkspaceResource](#codersdkworkspaceresource) | false    |              |                                                                     |
 | `status`                     | [codersdk.WorkspaceStatus](#codersdkworkspacestatus)              | false    |              |                                                                     |
-| `task_app_id`                | string                                                            | false    |              |                                                                     |
 | `template_version_id`        | string                                                            | false    |              |                                                                     |
 | `template_version_name`      | string                                                            | false    |              |                                                                     |
 | `template_version_preset_id` | string                                                            | false    |              |                                                                     |
@@ -12159,7 +12162,6 @@ If the schedule is empty, the user will be updated to use the default schedule.|
           }
         ],
         "status": "pending",
-        "task_app_id": "ca438251-3e16-4fae-b9ab-dd3c237c3735",
         "template_version_id": "0ba39c92-1f1b-4c32-aa3e-9925d7713eb1",
         "template_version_name": "string",
         "template_version_preset_id": "512a53a7-30da-446e-a1fc-713c630baff1",
@@ -12179,6 +12181,10 @@ If the schedule is empty, the user will be updated to use the default schedule.|
       "owner_avatar_url": "string",
       "owner_id": "8826ee2e-7933-4665-aef2-2393f84a0d05",
       "owner_name": "string",
+      "task_id": {
+        "uuid": "string",
+        "valid": true
+      },
       "template_active_version_id": "b0da9c29-67d8-4c87-888c-bafe356f7f3c",
       "template_allow_user_cancel_workspace_jobs": true,
       "template_display_name": "string",

docs/reference/api/workspaces.md

@@ -277,7 +277,6 @@ of the template will be used.
       }
     ],
     "status": "pending",
-    "task_app_id": "ca438251-3e16-4fae-b9ab-dd3c237c3735",
     "template_version_id": "0ba39c92-1f1b-4c32-aa3e-9925d7713eb1",
     "template_version_name": "string",
     "template_version_preset_id": "512a53a7-30da-446e-a1fc-713c630baff1",
@@ -297,6 +296,10 @@ of the template will be used.
   "owner_avatar_url": "string",
   "owner_id": "8826ee2e-7933-4665-aef2-2393f84a0d05",
   "owner_name": "string",
+  "task_id": {
+    "uuid": "string",
+    "valid": true
+  },
   "template_active_version_id": "b0da9c29-67d8-4c87-888c-bafe356f7f3c",
   "template_allow_user_cancel_workspace_jobs": true,
   "template_display_name": "string",
@@ -569,7 +572,6 @@ curl -X GET http://coder-server:8080/api/v2/users/{user}/workspace/{workspacenam
       }
     ],
     "status": "pending",
-    "task_app_id": "ca438251-3e16-4fae-b9ab-dd3c237c3735",
     "template_version_id": "0ba39c92-1f1b-4c32-aa3e-9925d7713eb1",
     "template_version_name": "string",
     "template_version_preset_id": "512a53a7-30da-446e-a1fc-713c630baff1",
@@ -589,6 +591,10 @@ curl -X GET http://coder-server:8080/api/v2/users/{user}/workspace/{workspacenam
   "owner_avatar_url": "string",
   "owner_id": "8826ee2e-7933-4665-aef2-2393f84a0d05",
   "owner_name": "string",
+  "task_id": {
+    "uuid": "string",
+    "valid": true
+  },
   "template_active_version_id": "b0da9c29-67d8-4c87-888c-bafe356f7f3c",
   "template_allow_user_cancel_workspace_jobs": true,
   "template_display_name": "string",
@@ -886,7 +892,6 @@ of the template will be used.
       }
     ],
     "status": "pending",
-    "task_app_id": "ca438251-3e16-4fae-b9ab-dd3c237c3735",
     "template_version_id": "0ba39c92-1f1b-4c32-aa3e-9925d7713eb1",
     "template_version_name": "string",
     "template_version_preset_id": "512a53a7-30da-446e-a1fc-713c630baff1",
@@ -906,6 +911,10 @@ of the template will be used.
   "owner_avatar_url": "string",
   "owner_id": "8826ee2e-7933-4665-aef2-2393f84a0d05",
   "owner_name": "string",
+  "task_id": {
+    "uuid": "string",
+    "valid": true
+  },
   "template_active_version_id": "b0da9c29-67d8-4c87-888c-bafe356f7f3c",
   "template_allow_user_cancel_workspace_jobs": true,
   "template_display_name": "string",
@@ -1164,7 +1173,6 @@ curl -X GET http://coder-server:8080/api/v2/workspaces \
           }
         ],
         "status": "pending",
-        "task_app_id": "ca438251-3e16-4fae-b9ab-dd3c237c3735",
         "template_version_id": "0ba39c92-1f1b-4c32-aa3e-9925d7713eb1",
         "template_version_name": "string",
         "template_version_preset_id": "512a53a7-30da-446e-a1fc-713c630baff1",
@@ -1184,6 +1192,10 @@ curl -X GET http://coder-server:8080/api/v2/workspaces \
       "owner_avatar_url": "string",
       "owner_id": "8826ee2e-7933-4665-aef2-2393f84a0d05",
       "owner_name": "string",
+      "task_id": {
+        "uuid": "string",
+        "valid": true
+      },
       "template_active_version_id": "b0da9c29-67d8-4c87-888c-bafe356f7f3c",
       "template_allow_user_cancel_workspace_jobs": true,
       "template_display_name": "string",
@@ -1457,7 +1469,6 @@ curl -X GET http://coder-server:8080/api/v2/workspaces/{workspace} \
       }
     ],
     "status": "pending",
-    "task_app_id": "ca438251-3e16-4fae-b9ab-dd3c237c3735",
     "template_version_id": "0ba39c92-1f1b-4c32-aa3e-9925d7713eb1",
     "template_version_name": "string",
     "template_version_preset_id": "512a53a7-30da-446e-a1fc-713c630baff1",
@@ -1477,6 +1488,10 @@ curl -X GET http://coder-server:8080/api/v2/workspaces/{workspace} \
   "owner_avatar_url": "string",
   "owner_id": "8826ee2e-7933-4665-aef2-2393f84a0d05",
   "owner_name": "string",
+  "task_id": {
+    "uuid": "string",
+    "valid": true
+  },
   "template_active_version_id": "b0da9c29-67d8-4c87-888c-bafe356f7f3c",
   "template_allow_user_cancel_workspace_jobs": true,
   "template_display_name": "string",
@@ -2009,7 +2024,6 @@ curl -X PUT http://coder-server:8080/api/v2/workspaces/{workspace}/dormant \
       }
     ],
     "status": "pending",
-    "task_app_id": "ca438251-3e16-4fae-b9ab-dd3c237c3735",
     "template_version_id": "0ba39c92-1f1b-4c32-aa3e-9925d7713eb1",
     "template_version_name": "string",
     "template_version_preset_id": "512a53a7-30da-446e-a1fc-713c630baff1",
@@ -2029,6 +2043,10 @@ curl -X PUT http://coder-server:8080/api/v2/workspaces/{workspace}/dormant \
   "owner_avatar_url": "string",
   "owner_id": "8826ee2e-7933-4665-aef2-2393f84a0d05",
   "owner_name": "string",
+  "task_id": {
+    "uuid": "string",
+    "valid": true
+  },
   "template_active_version_id": "b0da9c29-67d8-4c87-888c-bafe356f7f3c",
   "template_allow_user_cancel_workspace_jobs": true,
   "template_display_name": "string",

docs/reference/cli/aibridge.md

@@ -0,0 +1,16 @@
+<!-- DO NOT EDIT | GENERATED CONTENT -->
+# aibridge
+
+Manage AIBridge.
+
+## Usage
+
+```console
+coder aibridge
+```
+
+## Subcommands
+
+| Name                                                      | Purpose                        |
+|-----------------------------------------------------------|--------------------------------|
+| [<code>interceptions</code>](./aibridge_interceptions.md) | Manage AIBridge interceptions. |

docs/reference/cli/aibridge_interceptions.md

@@ -0,0 +1,16 @@
+<!-- DO NOT EDIT | GENERATED CONTENT -->
+# aibridge interceptions
+
+Manage AIBridge interceptions.
+
+## Usage
+
+```console
+coder aibridge interceptions
+```
+
+## Subcommands
+
+| Name                                                  | Purpose                              |
+|-------------------------------------------------------|--------------------------------------|
+| [<code>list</code>](./aibridge_interceptions_list.md) | List AIBridge interceptions as JSON. |

docs/reference/cli/aibridge_interceptions_list.md

@@ -0,0 +1,69 @@
+<!-- DO NOT EDIT | GENERATED CONTENT -->
+# aibridge interceptions list
+
+List AIBridge interceptions as JSON.
+
+## Usage
+
+```console
+coder aibridge interceptions list [flags]
+```
+
+## Options
+
+### --initiator
+
+|      |                     |
+|------|---------------------|
+| Type | <code>string</code> |
+
+Only return interceptions initiated by this user. Accepts a user ID, username, or "me".
+
+### --started-before
+
+|      |                     |
+|------|---------------------|
+| Type | <code>string</code> |
+
+Only return interceptions started before this time. Must be after 'started-after' if set. Accepts a time in the RFC 3339 format, e.g. "2006-01-02T15:04:05Z07:00".
+
+### --started-after
+
+|      |                     |
+|------|---------------------|
+| Type | <code>string</code> |
+
+Only return interceptions started after this time. Must be before 'started-before' if set. Accepts a time in the RFC 3339 format, e.g. "2006-01-02T15:04:05Z07:00".
+
+### --provider
+
+|      |                     |
+|------|---------------------|
+| Type | <code>string</code> |
+
+Only return interceptions from this provider.
+
+### --model
+
+|      |                     |
+|------|---------------------|
+| Type | <code>string</code> |
+
+Only return interceptions from this model.
+
+### --after-id
+
+|      |                     |
+|------|---------------------|
+| Type | <code>string</code> |
+
+The ID of the last result on the previous page to use as a pagination cursor.
+
+### --limit
+
+|         |                  |
+|---------|------------------|
+| Type    | <code>int</code> |
+| Default | <code>100</code> |
+
+The limit of results to return. Must be between 1 and 1000.

docs/reference/cli/index.md

@@ -68,6 +68,7 @@ Coder — A tool for provisioning self-hosted development environments with Terr
 | [<code>groups</code>](./groups.md)                           | Manage groups                                                                                                                |
 | [<code>prebuilds</code>](./prebuilds.md)                     | Manage Coder prebuilds                                                                                                       |
 | [<code>external-workspaces</code>](./external-workspaces.md) | Create or manage external workspaces                                                                                         |
+| [<code>aibridge</code>](./aibridge.md)                       | Manage AIBridge.                                                                                                             |
 
 ## Options
 
@@ -169,6 +170,15 @@ Disable direct (P2P) connections to workspaces.
 
 Disable network telemetry. Network telemetry is collected when connecting to workspaces using the CLI, and is forwarded to the server. If telemetry is also enabled on the server, it may be sent to Coder. Network telemetry is used to measure network quality and detect regressions.
 
+### --use-keyring
+
+|             |                                 |
+|-------------|---------------------------------|
+| Type        | <code>bool</code>               |
+| Environment | <code>$CODER_USE_KEYRING</code> |
+
+Store and retrieve session tokens using the operating system keyring. Currently only supported on Windows. By default, tokens are stored in plain text files.
+
 ### --global-config
 
 |             |                                |

docs/reference/cli/login.md

@@ -9,6 +9,12 @@ Authenticate with Coder deployment
 coder login [flags] [<url>]
 ```
 
+## Description
+
+```console
+By default, the session token is stored in a plain text file. Use the --use-keyring flag or set CODER_USE_KEYRING=true to store the token in the operating system keyring instead.
+```
+
 ## Options
 
 ### --first-user-email

docs/reference/cli/server.md

@@ -1647,3 +1647,108 @@ How often to reconcile workspace prebuilds state.
 | Default     | <code>false</code>                |
 
 Hide AI tasks from the dashboard.
+
+### --aibridge-enabled
+
+|             |                                      |
+|-------------|--------------------------------------|
+| Type        | <code>bool</code>                    |
+| Environment | <code>$CODER_AIBRIDGE_ENABLED</code> |
+| YAML        | <code>aibridge.enabled</code>        |
+| Default     | <code>false</code>                   |
+
+Whether to start an in-memory aibridged instance.
+
+### --aibridge-openai-base-url
+
+|             |                                              |
+|-------------|----------------------------------------------|
+| Type        | <code>string</code>                          |
+| Environment | <code>$CODER_AIBRIDGE_OPENAI_BASE_URL</code> |
+| YAML        | <code>aibridge.openai_base_url</code>        |
+| Default     | <code>https://api.openai.com/v1/</code>      |
+
+The base URL of the OpenAI API.
+
+### --aibridge-openai-key
+
+|             |                                         |
+|-------------|-----------------------------------------|
+| Type        | <code>string</code>                     |
+| Environment | <code>$CODER_AIBRIDGE_OPENAI_KEY</code> |
+| YAML        | <code>aibridge.openai_key</code>        |
+
+The key to authenticate against the OpenAI API.
+
+### --aibridge-anthropic-base-url
+
+|             |                                                 |
+|-------------|-------------------------------------------------|
+| Type        | <code>string</code>                             |
+| Environment | <code>$CODER_AIBRIDGE_ANTHROPIC_BASE_URL</code> |
+| YAML        | <code>aibridge.anthropic_base_url</code>        |
+| Default     | <code>https://api.anthropic.com/</code>         |
+
+The base URL of the Anthropic API.
+
+### --aibridge-anthropic-key
+
+|             |                                            |
+|-------------|--------------------------------------------|
+| Type        | <code>string</code>                        |
+| Environment | <code>$CODER_AIBRIDGE_ANTHROPIC_KEY</code> |
+| YAML        | <code>aibridge.anthropic_key</code>        |
+
+The key to authenticate against the Anthropic API.
+
+### --aibridge-bedrock-region
+
+|             |                                             |
+|-------------|---------------------------------------------|
+| Type        | <code>string</code>                         |
+| Environment | <code>$CODER_AIBRIDGE_BEDROCK_REGION</code> |
+| YAML        | <code>aibridge.bedrock_region</code>        |
+
+The AWS Bedrock API region.
+
+### --aibridge-bedrock-access-key
+
+|             |                                                 |
+|-------------|-------------------------------------------------|
+| Type        | <code>string</code>                             |
+| Environment | <code>$CODER_AIBRIDGE_BEDROCK_ACCESS_KEY</code> |
+| YAML        | <code>aibridge.bedrock_access_key</code>        |
+
+The access key to authenticate against the AWS Bedrock API.
+
+### --aibridge-bedrock-access-key-secret
+
+|             |                                                        |
+|-------------|--------------------------------------------------------|
+| Type        | <code>string</code>                                    |
+| Environment | <code>$CODER_AIBRIDGE_BEDROCK_ACCESS_KEY_SECRET</code> |
+| YAML        | <code>aibridge.bedrock_access_key_secret</code>        |
+
+The access key secret to use with the access key to authenticate against the AWS Bedrock API.
+
+### --aibridge-bedrock-model
+
+|             |                                                               |
+|-------------|---------------------------------------------------------------|
+| Type        | <code>string</code>                                           |
+| Environment | <code>$CODER_AIBRIDGE_BEDROCK_MODEL</code>                    |
+| YAML        | <code>aibridge.bedrock_model</code>                           |
+| Default     | <code>global.anthropic.claude-sonnet-4-5-20250929-v1:0</code> |
+
+The model to use when making requests to the AWS Bedrock API.
+
+### --aibridge-bedrock-small-fastmodel
+
+|             |                                                              |
+|-------------|--------------------------------------------------------------|
+| Type        | <code>string</code>                                          |
+| Environment | <code>$CODER_AIBRIDGE_BEDROCK_SMALL_FAST_MODEL</code>        |
+| YAML        | <code>aibridge.bedrock_small_fast_model</code>               |
+| Default     | <code>global.anthropic.claude-haiku-4-5-20251001-v1:0</code> |
+
+The small fast model to use when making requests to the AWS Bedrock API. Claude Code uses Haiku-class models to perform background tasks. See https://docs.claude.com/en/docs/claude-code/settings#environment-variables.

dogfood/coder-envbuilder/main.tf

@@ -24,7 +24,6 @@ locals {
     // actually in Germany now.
     "eu-helsinki" = "tcp://katerose-fsn-cdr-dev.tailscale.svc.cluster.local:2375"
     "ap-sydney"   = "tcp://wolfgang-syd-cdr-dev.tailscale.svc.cluster.local:2375"
-    "sa-saopaulo" = "tcp://oberstein-sao-cdr-dev.tailscale.svc.cluster.local:2375"
     "za-jnb"      = "tcp://greenhill-jnb-cdr-dev.tailscale.svc.cluster.local:2375"
   }
 
@@ -72,11 +71,6 @@ data "coder_parameter" "region" {
     name  = "Sydney"
     value = "ap-sydney"
   }
-  option {
-    icon  = "/emojis/1f1e7-1f1f7.png"
-    name  = "São Paulo"
-    value = "sa-saopaulo"
-  }
   option {
     icon  = "/emojis/1f1ff-1f1e6.png"
     name  = "Johannesburg"
@@ -446,4 +440,4 @@ resource "coder_metadata" "container_info" {
     key   = "region"
     value = data.coder_parameter.region.option[index(data.coder_parameter.region.option.*.value, data.coder_parameter.region.value)].name
   }
-}
+}

dogfood/coder/Dockerfile

@@ -62,7 +62,12 @@ RUN apt-get update && \
 	# charts and values files
 	go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.5.0 && \
 	# sqlc for Go code generation
-	(CGO_ENABLED=1 go install github.com/sqlc-dev/sqlc/cmd/sqlc@v1.27.0) && \
+	# (CGO_ENABLED=1 go install github.com/sqlc-dev/sqlc/cmd/sqlc@v1.27.0) && \
+	#
+	# Switched to coder/sqlc fork to fix ambiguous column bug, see:
+	# - https://github.com/coder/sqlc/pull/1
+	# - https://github.com/sqlc-dev/sqlc/pull/4159
+	(CGO_ENABLED=1 go install github.com/coder/sqlc/cmd/sqlc@aab4e865a51df0c43e1839f81a9d349b41d14f05) && \
 	# gcr-cleaner-cli used by CI to prune unused images
 	go install github.com/sethvargo/gcr-cleaner/cmd/gcr-cleaner-cli@v0.5.1 && \
 	# ruleguard for checking custom rules, without needing to run all of
@@ -209,7 +214,7 @@ RUN sed -i 's|http://archive.ubuntu.com/ubuntu/|http://mirrors.edge.kernel.org/u
 
 # NOTE: In scripts/Dockerfile.base we specifically install Terraform version 1.12.2.
 # Installing the same version here to match.
-RUN wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.13.0/terraform_1.13.0_linux_amd64.zip" && \
+RUN wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.13.4/terraform_1.13.4_linux_amd64.zip" && \
 	unzip /tmp/terraform.zip -d /usr/local/bin && \
 	rm -f /tmp/terraform.zip && \
 	chmod +x /usr/local/bin/terraform && \

dogfood/coder/main.tf

@@ -31,7 +31,6 @@ locals {
     // actually in Germany now.
     "eu-helsinki" = "tcp://katerose-fsn-cdr-dev.tailscale.svc.cluster.local:2375"
     "ap-sydney"   = "tcp://wolfgang-syd-cdr-dev.tailscale.svc.cluster.local:2375"
-    "sa-saopaulo" = "tcp://oberstein-sao-cdr-dev.tailscale.svc.cluster.local:2375"
     "za-cpt"      = "tcp://schonkopf-cpt-cdr-dev.tailscale.svc.cluster.local:2375"
   }
 
@@ -109,23 +108,6 @@ data "coder_workspace_preset" "sydney" {
   }
 }
 
-data "coder_workspace_preset" "saopaulo" {
-  name        = "São Paulo"
-  description = "Development workspace hosted in Brazil with 1 prebuild instance"
-  icon        = "/emojis/1f1e7-1f1f7.png"
-  parameters = {
-    (data.coder_parameter.region.name)                   = "sa-saopaulo"
-    (data.coder_parameter.image_type.name)               = "codercom/oss-dogfood:latest"
-    (data.coder_parameter.repo_base_dir.name)            = "~"
-    (data.coder_parameter.res_mon_memory_threshold.name) = 80
-    (data.coder_parameter.res_mon_volume_threshold.name) = 90
-    (data.coder_parameter.res_mon_volume_path.name)      = "/home/coder"
-  }
-  prebuilds {
-    instances = 1
-  }
-}
-
 data "coder_parameter" "repo_base_dir" {
   type        = "string"
   name        = "Coder Repository Base Directory"
@@ -157,7 +139,6 @@ locals {
     "north-america" : "us-pittsburgh"
     "europe" : "eu-helsinki"
     "australia" : "ap-sydney"
-    "south-america" : "sa-saopaulo"
     "africa" : "za-cpt"
   }
 
@@ -190,11 +171,6 @@ data "coder_parameter" "region" {
     name  = "Sydney"
     value = "ap-sydney"
   }
-  option {
-    icon  = "/emojis/1f1e7-1f1f7.png"
-    name  = "São Paulo"
-    value = "sa-saopaulo"
-  }
   option {
     icon  = "/emojis/1f1ff-1f1e6.png"
     name  = "Cape Town"
@@ -409,12 +385,12 @@ module "vscode-web" {
 module "jetbrains" {
   count         = contains(jsondecode(data.coder_parameter.ide_choices.value), "jetbrains") ? data.coder_workspace.me.start_count : 0
   source        = "dev.registry.coder.com/coder/jetbrains/coder"
-  version       = "1.1.0"
+  version       = "1.1.1"
   agent_id      = coder_agent.dev.id
   agent_name    = "dev"
   folder        = local.repo_dir
   major_version = "latest"
-  tooltip       = "You need to [Install Coder Desktop](https://coder.com/docs/user-guides/desktop#install-coder-desktop) to use this button."
+  tooltip       = "You need to [install JetBrains Toolbox](https://coder.com/docs/user-guides/workspace-access/jetbrains/toolbox) to use this app."
 }
 
 module "filebrowser" {
@@ -479,7 +455,7 @@ resource "coder_agent" "dev" {
   dir  = local.repo_dir
   env = {
     OIDC_TOKEN : data.coder_workspace_owner.me.oidc_access_token,
-    ANTHROPIC_BASE_URL : "https://dev.coder.com/api/experimental/aibridge/anthropic",
+    ANTHROPIC_BASE_URL : "https://dev.coder.com/api/v2/aibridge/anthropic",
     ANTHROPIC_AUTH_TOKEN : data.coder_workspace_owner.me.session_token
   }
   startup_script_behavior = "blocking"
@@ -850,7 +826,7 @@ locals {
 module "claude-code" {
   count               = local.has_ai_prompt ? data.coder_workspace.me.start_count : 0
   source              = "dev.registry.coder.com/coder/claude-code/coder"
-  version             = "3.3.2"
+  version             = "3.4.4"
   agent_id            = coder_agent.dev.id
   workdir             = local.repo_dir
   claude_code_version = "latest"

dogfood/main.tf

@@ -9,6 +9,11 @@ terraform {
   }
 }
 
+import {
+  to = coderd_template.envbuilder_dogfood
+  id = "e75f1212-834c-4183-8bed-d6817cac60a5"
+}
+
 data "coderd_organization" "default" {
   is_default = true
 }

enterprise/aibridged/aibridged.go

@@ -19,7 +19,7 @@ var _ io.Closer = &Server{}
 
 // Server provides the AI Bridge functionality.
 // It is responsible for:
-//   - receiving requests on /api/experimental/aibridged/* // TODO: update endpoint once out of experimental
+//   - receiving requests on /api/v2/aibridged/*
 //   - manipulating the requests
 //   - relaying requests to upstream AI services and relaying responses to caller
 //

enterprise/aibridged/aibridged_integration_test.go

@@ -19,8 +19,8 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/externalauth"
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/enterprise/aibridged"
 	"github.com/coder/coder/v2/enterprise/coderd/coderdenttest"
-	"github.com/coder/coder/v2/enterprise/x/aibridged"
 	"github.com/coder/coder/v2/testutil"
 )
 

enterprise/aibridged/aibridged_test.go

@@ -18,9 +18,9 @@ import (
 	"cdr.dev/slog/sloggers/slogtest"
 	"github.com/coder/aibridge"
 	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/enterprise/x/aibridged"
-	mock "github.com/coder/coder/v2/enterprise/x/aibridged/aibridgedmock"
-	"github.com/coder/coder/v2/enterprise/x/aibridged/proto"
+	"github.com/coder/coder/v2/enterprise/aibridged"
+	mock "github.com/coder/coder/v2/enterprise/aibridged/aibridgedmock"
+	"github.com/coder/coder/v2/enterprise/aibridged/proto"
 	"github.com/coder/coder/v2/testutil"
 )
 

enterprise/aibridged/aibridgedmock/clientmock.go

@@ -1,9 +1,9 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/coder/coder/v2/enterprise/x/aibridged (interfaces: DRPCClient)
+// Source: github.com/coder/coder/v2/enterprise/aibridged (interfaces: DRPCClient)
 //
 // Generated by this command:
 //
-//	mockgen -destination ./clientmock.go -package aibridgedmock github.com/coder/coder/v2/enterprise/x/aibridged DRPCClient
+//	mockgen -destination ./clientmock.go -package aibridgedmock github.com/coder/coder/v2/enterprise/aibridged DRPCClient
 //
 
 // Package aibridgedmock is a generated GoMock package.
@@ -13,7 +13,7 @@ import (
 	context "context"
 	reflect "reflect"
 
-	proto "github.com/coder/coder/v2/enterprise/x/aibridged/proto"
+	proto "github.com/coder/coder/v2/enterprise/aibridged/proto"
 	gomock "go.uber.org/mock/gomock"
 	drpc "storj.io/drpc"
 )

enterprise/aibridged/aibridgedmock/doc.go

@@ -1,4 +1,4 @@
 package aibridgedmock
 
-//go:generate mockgen -destination ./clientmock.go -package aibridgedmock github.com/coder/coder/v2/enterprise/x/aibridged DRPCClient
-//go:generate mockgen -destination ./poolmock.go -package aibridgedmock github.com/coder/coder/v2/enterprise/x/aibridged Pooler
+//go:generate mockgen -destination ./clientmock.go -package aibridgedmock github.com/coder/coder/v2/enterprise/aibridged DRPCClient
+//go:generate mockgen -destination ./poolmock.go -package aibridgedmock github.com/coder/coder/v2/enterprise/aibridged Pooler

enterprise/aibridged/aibridgedmock/poolmock.go

@@ -1,9 +1,9 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/coder/coder/v2/enterprise/x/aibridged (interfaces: Pooler)
+// Source: github.com/coder/coder/v2/enterprise/aibridged (interfaces: Pooler)
 //
 // Generated by this command:
 //
-//	mockgen -destination ./poolmock.go -package aibridgedmock github.com/coder/coder/v2/enterprise/x/aibridged Pooler
+//	mockgen -destination ./poolmock.go -package aibridgedmock github.com/coder/coder/v2/enterprise/aibridged Pooler
 //
 
 // Package aibridgedmock is a generated GoMock package.
@@ -14,7 +14,7 @@ import (
 	http "net/http"
 	reflect "reflect"
 
-	aibridged "github.com/coder/coder/v2/enterprise/x/aibridged"
+	aibridged "github.com/coder/coder/v2/enterprise/aibridged"
 	gomock "go.uber.org/mock/gomock"
 )
 

enterprise/aibridged/client.go

@@ -5,7 +5,7 @@ import (
 
 	"storj.io/drpc"
 
-	"github.com/coder/coder/v2/enterprise/x/aibridged/proto"
+	"github.com/coder/coder/v2/enterprise/aibridged/proto"
 )
 
 type Dialer func(ctx context.Context) (DRPCClient, error)

enterprise/aibridged/http.go

@@ -9,7 +9,7 @@ import (
 
 	"cdr.dev/slog"
 	"github.com/coder/aibridge"
-	"github.com/coder/coder/v2/enterprise/x/aibridged/proto"
+	"github.com/coder/coder/v2/enterprise/aibridged/proto"
 )
 
 var _ http.Handler = &Server{}