1772 Commits

Author SHA1 Message Date
6746e16502 docs: add contribution documentation for modules and templates (#18820)
draft: add contribution docs for modules and templates individually to
be referenced in coder docs manifest.

---------

Co-authored-by: Atif Ali <atif@coder.com>
2025-07-17 16:23:42 -05:00
183a6ebbdf chore: add managed_agent_limit licensing feature (#18876)
Note that enforcement and checking usage will come in a future PR.

This feature is implemented differently than existing features in a few
ways.

It's highly recommended that reviewers read:
- This document which outlines the methods we could've used for license
enforcement:
https://www.notion.so/coderhq/AI-Agent-License-Enforcement-21ed579be59280c088b9c1dc5e364ee8
- Phase 0 of the actual RFC document:
https://www.notion.so/coderhq/Usage-based-Billing-AI-b-210d579be592800eb257de7eecd2d26d

### Multiple features in the license, a single feature in codersdk

Firstly, the feature is represented as a single feature in the codersdk
world, but is represented with multiple features in the license.

E.g. in the license you may have:

    {
      "features": {
        "managed_agent_limit_soft": 100,
        "managed_agent_limit_hard": 200
      }
    }

But the entitlements endpoint will return a single feature:

    {
      "features": {
        "managed_agent_limit": {
          "limit": 200,
          "soft_limit": 100
        }
      }
    }

This is required because of our rigid parsing that uses a
`map[string]int64` for features in the license. To avoid requiring all
customers to upgrade to use new licenses, the decision was made to just
use two features and merge them into one. Older Coder deployments will
parse this feature (from new licenses) as two separate features, but
it's not a problem because they don't get used anywhere obviously.

The reason we want to differentiate between a "soft" and "hard" limit is
so we can show admins how much of the usage is "included" vs. how much
they can use before they get hard cut-off.

### Usage period features will be compared and trump based on license
issuance time

The second major difference to other features is that "usage period"
features such as `managed_agent_limit` will now be primarily compared by
the `iat` (issued at) claim of the license they come from. This differs
from previous features. The reason this was done was so we could reduce
limits with newer licenses, which the current comparison code does not
allow for.

This effectively means if you have two active licenses:
- `iat`: 2025-07-14, `managed_agent_limit_soft`: 100,
`managed_agent_limit_hard`: 200
- `iat`: 2025-07-15, `managed_agent_limit_soft`: 50,
`managed_agent_limit_hard`: 100

Then the resulting `managed_agent_limit` entitlement will come from the
second license, even though the values are smaller than another valid
license. The existing comparison code would prefer the first license
even though it was issued earlier.

### Usage period features will count usage between the start and end
dates of the license

Existing limit features, like the user limit, just measure the current
usage value of the feature. The active user count is a gauge that goes
up and down, whereas agent usage can only be incremented, so it doesn't
make sense to use a continually incrementing counter forever and ever
for managed agents.

For managed agent limit, we count the usage between `nbf` (not before)
and `exp` (expires at) of the license that the entitlement comes from.
In the example above, we'd use the issued at date and expiry of the
second license as this date range.

This essentially means, when you get a new license, the usage resets to
zero.

The actual usage counting code will be implemented in a follow-up PR.

### Managed agent limit has a default entitlement value

Temporarily (until further notice), we will be providing licenses with
`feature_set` set to `premium` a default limit.
- Soft limit: `800 * user_limit`
- Hard limit: `1000 * user_limit`

"Enterprise" licenses do not get any default limit and are not entitled
to use the feature.

Unlicensed customers (e.g. OSS) will be permitted to use the feature as
much as they want without limits. This will be implemented when the
counting code is implemented in a follow-up PR.

Closes https://github.com/coder/internal/issues/760
2025-07-17 20:19:01 +10:00
d304fb4f2d docs: hotfix mainline version number in docs/install/releases to 2.24.2 (#18906)
hotfix

[preview](https://coder.com/docs/@2-24-mainline/install/releases)

Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
2025-07-17 10:16:59 +05:00
ca6b5e3415 docs: update port forwarding docs to include Coder Desktop (#18870)
Noticed that Coder Desktop was missing from port-forwarding docs which
is kind of a big feature for Coder Connect.


[preview](https://coder.com/docs/@atif%2Fdesktop-ports/user-guides/workspace-access/port-forwarding)

---------

Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Co-authored-by: Edward Angert <EdwardAngert@users.noreply.github.com>
2025-07-16 19:57:55 +00:00
52c4b61391 feat: add search to parameter dropdowns (#18729) 2025-07-15 11:23:49 -06:00
dad033ee3d fix(site): exclude workspace schedule settings for prebuilt workspaces (#18826)
## Description

This PR updates the UI to avoid rendering workspace schedule settings
(autostop, autostart, etc.) for prebuilt workspaces. Instead, it
displays an informational message with a link to the relevant
documentation.

## Changes

* Introduce `IsPrebuild` parameter to `convertWorkspace` to indicate
whether the workspace is a prebuild.
* Prevent the Workspace Schedule settings form from rendering in the UI
for prebuilt workspaces.
* Display an info alert with a link to documentation when viewing a
prebuilt workspace.

<img width="2980" height="864" alt="Screenshot 2025-07-10 at 13 16 13"
src="https://github.com/user-attachments/assets/5f831c21-50bb-4e05-beea-dbeb930ddff8"
/>


Relates with: https://github.com/coder/coder/pull/18762

---------

Co-authored-by: BrunoQuaresma <bruno_nonato_quaresma@hotmail.com>
2025-07-15 14:11:04 +01:00
bfdacae286 chore: bump the x group across 1 directory with 9 updates (#18851)
Bumps the x group with 4 updates in the / directory:
[golang.org/x/crypto](https://github.com/golang/crypto),
[golang.org/x/mod](https://github.com/golang/mod),
[golang.org/x/net](https://github.com/golang/net) and
[golang.org/x/oauth2](https://github.com/golang/oauth2).

Updates `golang.org/x/crypto` from 0.39.0 to 0.40.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="459a9db11b"><code>459a9db</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="74e709ad8a"><code>74e709a</code></a>
ssh: add AlgorithmNegotiationError</li>
<li><a
href="b3790b8d91"><code>b3790b8</code></a>
acme: fix TLSALPN01ChallengeCert for IP address identifiers</li>
<li><a
href="1dc4269656"><code>1dc4269</code></a>
acme: add Pebble integration testing</li>
<li><a
href="97bf787255"><code>97bf787</code></a>
blake2b: implement hash.XOF</li>
<li><a
href="952517d181"><code>952517d</code></a>
x509roots/fallback: update bundle</li>
<li><a
href="c6fce02826"><code>c6fce02</code></a>
ssh: refuse to parse certificates that use a certificate as signing
key</li>
<li><a
href="0ae49b8145"><code>0ae49b8</code></a>
ssh: reject certificate keys used as signature keys for SSH certs</li>
<li>See full diff in <a
href="https://github.com/golang/crypto/compare/v0.39.0...v0.40.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/mod` from 0.25.0 to 0.26.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="ea04085b10"><code>ea04085</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/mod/compare/v0.25.0...v0.26.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/net` from 0.41.0 to 0.42.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="76358aa57e"><code>76358aa</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/net/compare/v0.41.0...v0.42.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/oauth2` from 0.29.0 to 0.30.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="cf14319341"><code>cf14319</code></a>
oauth2: fix expiration time window check</li>
<li><a
href="32d34ef364"><code>32d34ef</code></a>
internal: include clientID in auth style cache key</li>
<li><a
href="2d34e3091b"><code>2d34e30</code></a>
oauth2: replace a magic number with AuthStyleUnknown</li>
<li><a
href="696f7b3128"><code>696f7b3</code></a>
all: modernize with doc links and any</li>
<li><a
href="471209bbe2"><code>471209b</code></a>
oauth2: drop dependency on go-cmp</li>
<li><a
href="6968da209b"><code>6968da2</code></a>
oauth2: sync Token.ExpiresIn from internal Token</li>
<li><a
href="d2c4e0a625"><code>d2c4e0a</code></a>
oauth2: context instead of golang.org/x/net/context in doc</li>
<li><a
href="883dc3c9d8"><code>883dc3c</code></a>
endpoints: add various endpoints from stale CLs</li>
<li><a
href="1c06e8705e"><code>1c06e87</code></a>
all: make use of oauth.Token.ExpiresIn</li>
<li>See full diff in <a
href="https://github.com/golang/oauth2/compare/v0.29.0...v0.30.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/sync` from 0.15.0 to 0.16.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7fad2c9213"><code>7fad2c9</code></a>
errgroup: revert propagation of panics</li>
<li>See full diff in <a
href="https://github.com/golang/sync/compare/v0.15.0...v0.16.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/sys` from 0.33.0 to 0.34.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="751c3c6ac2"><code>751c3c6</code></a>
unix: add missing NFT_PAYLOAD_* consts on linux</li>
<li><a
href="0c740cc0f8"><code>0c740cc</code></a>
unix: update Go to 1.24.3</li>
<li><a
href="d62d31c616"><code>d62d31c</code></a>
unix: update Linux constants and types to v6.14</li>
<li>See full diff in <a
href="https://github.com/golang/sys/compare/v0.33.0...v0.34.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/term` from 0.32.0 to 0.33.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="30da5dd58f"><code>30da5dd</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/term/compare/v0.32.0...v0.33.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/text` from 0.26.0 to 0.27.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b6d26456dd"><code>b6d2645</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/text/compare/v0.26.0...v0.27.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/tools` from 0.33.0 to 0.34.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="578c121398"><code>578c121</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="f114dcf97d"><code>f114dcf</code></a>
gopls/internal/protocol: refine DocumentURI Clean method and its
usages</li>
<li><a
href="82ee0fd122"><code>82ee0fd</code></a>
internal/mcp: change paginateList to a generic helper</li>
<li><a
href="64bfecc32e"><code>64bfecc</code></a>
gopls/internal/golang: fix extract bug with anon functions</li>
<li><a
href="4546fbd0b2"><code>4546fbd</code></a>
internal/mcp: unify json tag parsing</li>
<li><a
href="82473ce934"><code>82473ce</code></a>
gopls/doc/release: tweak v0.19</li>
<li><a
href="f3c581ff0c"><code>f3c581f</code></a>
gopls/internal/protocol: add DocumentURI.Base accessor</li>
<li><a
href="d9bacab54d"><code>d9bacab</code></a>
gopls/internal/server: improve &quot;editing generated file&quot;
warning</li>
<li><a
href="1afeefa815"><code>1afeefa</code></a>
internal/mcp: unexport FileResourceHandler</li>
<li><a
href="33d59880f3"><code>33d5988</code></a>
gopls/internal/server: Organize Imports of generated files</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/tools/compare/v0.33.0...v0.34.0">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ethan Dickson <ethan@coder.com>
2025-07-15 09:04:20 +00:00
87e5365f79 docs: add cloud-specific database instance recommendations (#18862)
Enhances the Performance efficiency section in the validated
architectures documentation with specific instance type recommendations
for AWS, Azure, and GCP.

**Changes:**
- Added recommended instance types for small, medium, and large
deployments across all three major cloud providers
- Included guidance on avoiding burstable instances (t-family, B-series)
for production workloads
- Added note about CPU baseline limitations for burstable instances

This addresses customer questions about appropriate database instance
sizing.

---------

Signed-off-by: Danny Kopping <dannykopping@gmail.com>
Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
Co-authored-by: dannykopping <373762+dannykopping@users.noreply.github.com>
Co-authored-by: Danny Kopping <dannykopping@gmail.com>
2025-07-15 09:53:34 +01:00
de4a270316 docs: improve audit logs copy (#18807)
Many of the issues with the copy on #18739 were because I blindly copied from the audit logs page. This PR adds Edward's copy suggestions from that PR to the audit logs page.

[preview](https://coder.com/docs/@ethan-improve-audit-logs-copy/admin/security/audit-logs)

I've included this in the PR stack, as the previous PR modifies the auto-gen docs for audit logs.
2025-07-15 16:14:30 +10:00
ef807e41ce chore: mark workspace apps and workspace agents as unaudited (#18761)
The main goal of this PR is to remove Workspace Apps and Workspace Agents from the auto-generated audit log documentation, that incorrectly claims they are audited resources (no longer true with the addition of the connection log).

Though I believe we haven't touched any codepaths for returning audit logs, this PR also adds a test that ensures we continue to return *existing* connection, disconnect and open events correctly from the audit log API.
2025-07-15 16:08:42 +10:00
6b17aee425 docs: add connection logs page (#18739)
This is the final PR for moving connection logs out of the audit log and into the new connection logs page.

This PR documents the feature.

[preview](https://coder.com/docs/@ethan%2Fdocs-add-connection-logs/admin/monitoring/connection-logs)
2025-07-15 15:52:41 +10:00
7a339a1ffe feat: add connectionlogs API (#18628)
This is the second PR for moving connection events out of the audit log.

This PR:
- Adds the `/api/v2/connectionlog` endpoint
- Adds filtering for `GetAuthorizedConnectionLogsOffset` and thus the endpoint. 
There's quite a few, but I was aiming for feature parity with the audit log.
  1. `organization:<id|name>`
  2. `workspace_owner:<username>`
  3. `workspace_owner_email:<email>`
  4. `type:<ssh|vscode|jetbrains|reconnecting_pty|workspace_app|port_forwarding>`
  5. `username:<username>` 
     - Only includes web-based connection events (workspace apps, web port forwarding) as only those include user metadata.
  6. `user_email:<email>`
  7. `connected_after:<time>`
  8. `connected_before:<time>`
  9. `workspace_id:<id>`
  10. `connection_id:<id>`
      - If you have one snapshot of the connection log, and some sessions are ongoing in that snapshot, you could use this filter to check if they've been closed since.
  11. `status:<connected|disconnected>`
       - If `connected` only sessions with a null `close_time` are returned, if `disconnected`, only those with a non-null `close_time`. If filter is omitted, both are returned.
       
Future PRs:
- Populate `count` on `ConnectionLogResponse` using a seperate query (to preemptively mitigate the issue described in #17689)
- Implement a table in the Web UI for viewing connection logs.
- Write a query to delete old events from the audit log, call it from dbpurge.
- Write documentation for the endpoint / feature (including these filters)
2025-07-15 14:55:34 +10:00
08e17a07fc chore!: route connection logs to new table (#18340)
### Breaking Change (changelog note):
> User connections to workspaces, and the opening of workspace apps or ports will no longer create entries in the audit log. Those events will now be included in the 'Connection Log'.
Please see the 'Connection Log' page in the dashboard, and the Connection Log [documentation](https://coder.com/docs/admin/monitoring/connection-logs) for details. Those with permission to view the Audit Log will also be able to view the Connection Log. The new Connection Log has the same licensing restrictions as the Audit Log, and requires a Premium Coder deployment.

### Context

This is the first PR of a few for moving connection events out of the audit log, and into a new database table and web UI page called the 'Connection Log'.

This PR:
- Creates the new table
- Adds and tests queries for inserting and reading, including reading with an RBAC filter.
- Implements the corresponding RBAC changes, such that anyone who can view the audit log can read from the table
- Implements, under the enterprise package, a `ConnectionLogger` abstraction to replace the `Auditor` abstraction for these logs. (No-op'd in AGPL, like the `Auditor`)
- Routes SSH connection and Workspace App events into the new `ConnectionLogger`
- Updates all existing tests to check the values of the `ConnectionLogger` instead of the `Auditor`.

Future PRs:
- Add filtering to the query
- Add an enterprise endpoint to query the new table
- Write a query to delete old events from the audit log, call it from dbpurge.
- Implement a table in the Web UI for viewing connection logs.


> [!NOTE]
> The PRs in this stack obviously won't be (completely) atomic. Whilst they'll each pass CI, the stack is designed to be merged all at once. I'm splitting them up for the sake of those reviewing, and so changes can be reviewed as early as possible.  Despite this, it's really hard to make this PR any smaller than it already is. I'll be keeping it in draft until it's actually ready to merge.
2025-07-15 14:36:06 +10:00
43b0bb7f61 feat(site): use websocket connection for devcontainer updates (#18808)
Instead of polling every 10 seconds, we instead use a WebSocket
connection for more timely updates.
2025-07-14 21:35:35 +01:00
7cf3263fbd docs: document issue with macos coder desktop behind vpn (#18855)
docs for https://github.com/coder/coder-desktop-macos/issues/201 and
https://github.com/coder/coder-desktop-windows/issues/147

> If the logged in Coder deployment requires a VPN to connect, Coder
Connect can't establish communication through the VPN,
> and will time out.


[preview](https://coder.com/docs/@201-desktop-mac-vpn/user-guides/desktop)

---------

Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Co-authored-by: Dean Sheather <dean@deansheather.com>
2025-07-14 12:33:48 -04:00
78af5e0f53 docs: add note about incompatible immutable parameters behavior to parameters doc (#18814)
closes #18370 

workspace creation page checks for

1. required parameters
2. incompatible immutable parameters

and if there's an issue, disables the **Create workspace** button until
it's resolved


[preview](https://coder.com/docs/@18370-immutable-params/admin/templates/extending-templates/parameters#mutability)

---------

Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
2025-07-14 11:43:43 +00:00
3126f21d87 revert: "docs: add coder registry link to docs sidebar" (#18837) 2025-07-11 16:09:23 +00:00
c25e666d12 docs: add coder registry link to docs sidebar (#18585)
I am not sure if this works

---------

Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Co-authored-by: Edward Angert <EdwardAngert@users.noreply.github.com>
2025-07-11 08:12:09 -04:00
040fa30aba docs: update screenshots with new logo (#18830)
stage 1 of many

- new login screenshot
- remove unused platforms screenshots
- update [screenshots
doc](https://coder.com/docs/@2025-screenshots/about/screenshots)
- update [quickstart
doc](https://coder.com/docs/@2025-screenshots/tutorials/quickstart)

closes #18813 

<details><summary>list of screenshots with old logo or that are
outdated</summary>

|docs/images/|notes?|
|--|--|
|logo-black.png| |
|jupyter-notebook.png| |
|platforms/docker/login.png| |
|platforms/docker/create-workspace.png| |
|platforms/docker/ides.png| |
|platforms/gcp/marketplace.png| |
|platforms/gcp/start.png| |
|platforms/aws/aws-linux.png| |
|platforms/aws/marketplace.png| |
|platforms/kubernetes/template-variables.png| |
|platforms/kubernetes/region-picker.png| |
|platforms/kubernetes/starter-template.png| |
|install/windows-installer.png| |
|install/homebrew.png| |
|screenshots/create-template.png| |
|screenshots/login.png| |
|screenshots/starter_templates.png| |
|screenshots/settings.png| |
|screenshots/audit.png| |
|screenshots/workspace-running-with-topbar.png| |
|screenshots/workspaces_listing.png| |
|screenshots/templates_listing.png| |
|screenshots/welcome-create-admin-user.png| |
|screenshots/workspace_launch.png| |
|screenshots/templates_insights.png| |
|screenshots/healthcheck.png| |
|screenshots/terraform.png| |
|deploy-pr-manually.png| |
|workspace-update.png| |
|custom-app.png| |
|code-server.png| |
|networking/annotatedports.png| |
|networking/portsharingmax.png| |
|networking/portforwarddashboard.png| |
|networking/listeningports.png| |
|agent-metadata.png| |
|jupyter.png| |
|admin/service-banner-maintenance.png| |
|admin/provisioner-tags.png| |
|admin/github-app-register.png| |
|admin/licenses/licenses-screen.png| |
|admin/licenses/licenses-nolicense.png| |
|admin/licenses/add-license-ui.png| |
|admin/service-banner-config.png| |
|admin/group-allowlist.png| |
|admin/networking/workspace-proxies/ws-proxy-picker.png| |
|admin/setup/appearance/application-name-logo-url.png| |
|admin/setup/appearance/announcement_banner_settings.png| |
|admin/setup/appearance/support-links.png| |
|admin/setup/appearance/service-banner-secret.png| |
|admin/quota-buildlog.png| |
|admin/integrations/kube-region-picker.png| |
|admin/integrations/coder-logstream-kube-logs-wrong-image.png| |
|admin/integrations/coder-logstream-kube-logs-pod-crashed.png| |
|admin/integrations/coder-logstream-kube-logs-normal.png| |
|admin/integrations/coder-logstream-kube-logs-quota-exceeded.png| |
|admin/git-auth-template.png| |
|admin/github-app-install.png| |
|admin/users/organizations/role-sync.png| |
|admin/users/organizations/group-sync-empty.png| |
|admin/users/organizations/workspace-list.png| |
|admin/users/organizations/new-organization.png| |
|admin/users/organizations/role-sync-empty.png| |
|admin/users/organizations/template-org-picker.png| |
|admin/users/organizations/organization-members.png| |
|admin/users/organizations/org-dropdown-create.png| |
|admin/users/organizations/default-organization-settings.png| |
|admin/users/organizations/group-sync.png| |
|admin/users/organizations/idp-org-sync.png| |
|admin/users/organizations/admin-settings-orgs.png| |
|admin/users/organizations/custom-roles.png| |
|admin/users/quotas/quota-groups.png| |
|admin/users/create-token.png| |
|admin/users/headless-user.png| |
|admin/provisioners/provisioner-jobs.png| |
|admin/github-app-permissions.png| |
|admin/templates/coder-apps-ui.png| |
|admin/templates/starter-templates.png| |
|admin/templates/create-template.png| |
|admin/templates/schedule/template-schedule-settings.png| |
|admin/templates/schedule/user-quiet-hours.png| |
|admin/templates/coder-metadata-ui.png| |
|admin/templates/duplicate-menu.png| |
|admin/templates/agent-metadata-ui.png| |
|admin/templates/troubleshooting/workspace-build-timings-ui.png| |
|admin/templates/duplicate-page.png| |
|admin/templates/new-duplicate-template.png| |
|admin/templates/import-template.png| |

|admin/templates/extend-templates/prebuilt/replacement-notification.png|
|
|admin/templates/extend-templates/prebuilt/prebuilt-workspaces.png| |

|admin/templates/extend-templates/dyn-params/dynamic-params-compare.png|
|

|admin/templates/extend-templates/dyn-params/enable-dynamic-parameters.png|
|
|admin/templates/extend-templates/template-preset-dropdown.png| |
|admin/monitoring/health-check.png| |
|admin/monitoring/logstream-kube.png| |
|admin/monitoring/notifications/user-notification-preferences.png| |
|admin/monitoring/notifications/notification-admin-prefs.png| |
|admin/workspace-proxy-picker.png| |
|admin/admin-settings-general.png| |
|admin/deployment-id-copy-clipboard.png| |
|icons-gallery.png| |
|start/setup-page.png| |
|start/workspace-schedule-settings.png| |
|start/build-template.png| |
|start/starter-templates.png| |
|start/create-template.png| |
|start/create-workspace.png| |
|start/template-preview.png| |
|start/blank-workspaces.png| |
|start/template-source-code.png| |
|start/first-template.png| |
|start/workspace-ready.png| |
|start/template-edit-source-code.png| |
|start/template-publish.png| |
|start/starter-templates-annotated.png| |
|display-apps.png| |
|workspace-automatic-updates.png| |
|workspaces/autostop.png| |
|workspaces/autostart.png| |
|create-workspace-from-templates-ui.png| |
|ide-row.png| |
|editors.png| |
|delete-template.png| |
|logo-white.png| |
|template-rbac.png| |
|coderapp-port-forward.png| |
|user-guides/terminal-access.png| |
|user-guides/workspace-bulk-actions.png| |
|user-guides/devcontainers/devcontainer-agent-ports.png| |
|user-guides/devcontainers/devcontainer-web-terminal.png| |
|user-guides/create-workspace-ui.png| |
|user-guides/workspace-view-connection-annotated.png| |
|user-guides/remote-desktops/web-rdp-demo.png| |
|user-guides/remote-desktops/amazon-dcv-windows-demo.png| |
|user-guides/desktop/coder-desktop-file-sync-add.png| |
|user-guides/desktop/coder-desktop-session-token.png| |
|user-guides/desktop/coder-desktop-win-pre-sign-in.png| |
|user-guides/desktop/coder-desktop-file-sync-conflicts-mouseover.png| |
|user-guides/desktop/coder-desktop-mac-pre-sign-in.png| |
|user-guides/desktop/coder-desktop-file-sync-watching.png| |
|user-guides/desktop/coder-desktop-win-enable-coder-connect.png| |
|user-guides/desktop/coder-desktop-sign-in.png| |
|user-guides/desktop/coder-desktop-file-sync.png| |
|user-guides/desktop/coder-desktop-file-sync-staging.png| |
|user-guides/desktop/chrome-insecure-origin.png| |
|user-guides/desktop/coder-desktop-workspaces.png| |
|user-guides/jetbrains/toolbox/workspaces.png| |
|user-guides/jetbrains/toolbox/install.png| |
|user-guides/jetbrains/toolbox/login-token.png| |
|user-guides/jetbrains/toolbox/login-url.png| |
|user-guides/schedule-settings-workspace.png| |
|user-guides/dotfiles-module.png| |
|user-guides/workspace-list-ui.png| |
|user-guides/workspace-settings-location.png| |
|template-variables.png| |
|ides/code-web-extensions.png| |
|ides/copilot.png| |
|architecture-multi-region.png| |
|external-apps.png| |
|guides/ai-agents/tasks-ui.png| |
|guides/ai-agents/duplicate.png| |
|guides/ai-agents/landing.png| |
|guides/ai-agents/workspace-page.png| |
|guides/ai-agents/realworld-ui.png| |
|guides/xray-integration/example.png| |
|guides/using-organizations/workspace-list.png| |
|guides/using-organizations/new-organization.png| |
|guides/using-organizations/template-org-picker.png| |
|guides/using-organizations/deployment-organizations.png| |
|guides/using-organizations/organization-members.png| |
|readme-logos.png| |
|metadata-ui.png| |
|secret-metadata-ui.png| |
|projector-intellij.png| |
|schedule.png| |
|ssh-keys.png| |
|template-scheduling.png| |
|templates/general-settings.png| |
|templates/build-template.png| |
|templates/update.png| |
|templates/starter-templates.png| |
|templates/create-template.png| |
|templates/select-template.png| |
|templates/pre-filled-parameters.png| |
|templates/source-code.png| |
|templates/upload-create-your-first-template.png| |
|templates/create-workspace.png| |
|templates/edit-source-code.png| |
|templates/permissions.png| |
|templates/coder-session-token.png| |
|templates/starter-templates-button.png| |
|templates/template-tour.png| |
|templates/edit-files.png| |
|templates/workspace-ready.png| |
|templates/template-menu-settings.png| |
|templates/workspace-apps.png| |
|templates/coder-login-web.png| |
|templates/new-workspace.png| |
|templates/template-variables.png| |
|templates/use-template.png| |
|templates/healthy-workspace-agent.png| |
|templates/update-policies.png| |
|templates/upload-create-template-form.png| |
|templates/develop-in-docker-template.png| |
|templates/publish.png| |
|templates/devcontainers.png| |
|templates/create-template-permissions.png| |
|port-forward-dashboard.png| |
|creating-workspace-ui.png| |
|parameters.png| |
|best-practice/build-timeline.png| |
|file-browser.png| |
|architecture-single-region.png| |
|gateway/plugin-settings-marketplace.png| |
|gateway/plugin-session-token.png| |
|gateway/plugin-connect-to-coder.png| |
|gateway/plugin-select-ide.png| |
|gateway/plugin-ide-list.png| |
|hero-image.png| |

</details>

---------

Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
2025-07-10 16:01:20 -04:00
b882d46d91 docs: fix relative links in about/contributing (#18818)
hotfix

---------

Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
2025-07-09 20:04:48 +00:00
3c2f3d640b chore: remove dbmem (#18803)
Remove the in-memory database. Addresses #15109.
2025-07-09 09:46:31 +02:00
39ed0c32e6 docs: simplify PostgreSQL setup by using 'postgresql' as release name (#18754)
Fixes #18751

Use `postgresql` as the Helm release name instead of `coder-db` to make
the service name more intuitive and eliminate confusion entirely.

## Changes
- Changed `helm install coder-db bitnami/postgresql` to `helm install
postgresql bitnami/postgresql`
- Updated PostgreSQL URLs from
`coder-db-postgresql.coder.svc.cluster.local` to
`postgresql.coder.svc.cluster.local`
- Removed explanatory notes about service naming (no longer needed)

## Benefits
 Makes examples work out-of-the-box for most users
 Uses the most straightforward and intuitive release name
 Eliminates confusion about service naming entirely
 Simpler documentation without complex explanations

## Testing
- Verified that `helm install postgresql bitnami/postgresql` creates
service named `postgresql`
- Confirmed this approach works with the connection URL
`postgresql.coder.svc.cluster.local`

Suggested by @EdwardAngert as a cleaner solution than explaining the
service naming dependency.

---------

Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
Co-authored-by: matifali <10648092+matifali@users.noreply.github.com>
Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Co-authored-by: Edward Angert <EdwardAngert@users.noreply.github.com>
2025-07-08 13:20:15 -04:00
10c1e36fff feat: add publishing of helm charts to ghcr registry (#18316) 2025-07-08 22:19:12 +05:00
5f50dcce5a feat(cli): improve devcontainer support for coder show (#18793)
Fixes coder/internal#747
2025-07-08 16:16:00 +00:00
211393a69c fix: exclude prebuilt workspaces from lifecycle executor (#18762)
## Description

This PR updates the lifecycle executor to explicitly exclude prebuilt
workspaces from being considered for lifecycle operations such as
`autostart`, `autostop`, `dormancy`, `default TTL` and `failure TTL`.

Prebuilt workspaces (i.e., those owned by the prebuild system user) are
handled separately by the prebuild reconciliation loop. Including them
in the lifecycle executor could lead to unintended behavior such as
incorrect scheduling or state transitions.

## Changes

* Updated the lifecycle executor query
`GetWorkspacesEligibleForTransition` to exclude workspaces with
`owner_id = 'c42fdf75-3097-471c-8c33-fb52454d81c0'` (prebuilds).
* Added tests to verify prebuilt workspaces are not considered in:
  * Autostop
  * Autostart
  * Default TTL
  * Dormancy
  * Failure TTL

Fixes: https://github.com/coder/coder/issues/18740
Related to: https://github.com/coder/coder/issues/18658
2025-07-08 11:35:28 +01:00
8202514ce0 feat!: add ability to cancel pending workspace build (#18713)
Closes #17791 

This PR adds ability to cancel workspace builds that are in "pending"
status.

Breaking changes:
- CancelWorkspaceBuild method in codersdk now accepts an optional
request parameter

API:
- Added `expect_status` query parameter to the cancel workspace build
endpoint
- This parameter ensures the job hasn't changed state before canceling
- API returns `412 Precondition Failed` if the job is not in the
expected status
- Valid values: `running` or `pending`
- Wrapped the entire cancel method in a database transaction

UI:
- Added confirmation dialog to the `Cancel` button, since it's a
destructive operation

![image](https://github.com/user-attachments/assets/437aa5f4-5669-45b6-82a0-e46f277114bf)

![image](https://github.com/user-attachments/assets/423b5cb1-a4fb-4a10-933b-c1c73f4b838c)


- Enabled cancel action for pending workspaces (`expect_status=pending`
is sent if workspace is in pending status)

![image](https://github.com/user-attachments/assets/32d35ff1-12e6-4f7b-9f6c-fde9da9de6cf)

---------

Co-authored-by: Dean Sheather <dean@deansheather.com>
2025-07-08 11:02:58 +02:00
2f42b64182 docs: update dynamic parameters for beta release (#18512)
Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Co-authored-by: Stephen Kirby <kirby@coder.com>
Co-authored-by: Stephen Kirby <58410745+stirby@users.noreply.github.com>
Co-authored-by: Atif Ali <atif@coder.com>
Co-authored-by: Jaayden Halko <jaayden.halko@gmail.com>
Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
Co-authored-by: Thomas Kosiewski <tk@coder.com>
Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
Co-authored-by: bpmct <22407953+bpmct@users.noreply.github.com>
Co-authored-by: Bruno Quaresma <bruno@coder.com>
Co-authored-by: BrunoQuaresma <3165839+BrunoQuaresma@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Ethan <39577870+ethanndickson@users.noreply.github.com>
Co-authored-by: kylecarbs <7122116+kylecarbs@users.noreply.github.com>
Co-authored-by: Ben Potter <ben@coder.com>
Co-authored-by: Hugo Dutka <hugo@coder.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: ケイラ <mckayla@hey.com>
2025-07-07 19:46:34 -05:00
83192e2462 docs: restore missing AI agent images to fix 404 errors (#18780)
Fixes #18767

This PR restores the missing `landing.png` and `duplicate.png` images
that were accidentally deleted in commit
b26c9e2432.

## Problem
The images were deleted during a documentation restructure, but external
links and cached website content are still referencing these image URLs,
causing 404 errors:
-
`https://raw.githubusercontent.com/coder/coder/main/docs/images/guides/ai-agents/landing.png`
-
`https://raw.githubusercontent.com/coder/coder/main/docs/images/guides/ai-agents/duplicate.png`

## Solution
Restore the original images from the git history to maintain backward
compatibility for external references while preserving the current
documentation structure.

## Testing
 Verified images are restored to correct location
 Confirmed file sizes match original images
 No conflicts with current documentation structure

Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
Co-authored-by: kylecarbs <7122116+kylecarbs@users.noreply.github.com>
2025-07-07 19:48:10 -04:00
f2983164f5 chore: fix some small groups and acl typos (#18732)
- Add `format:"uri"` to `Group.AvatarURL` (matches `User.AvatarURL`
field)
- `<user_id>` and `<group_id>` were backwards in the `example:` tags
- The `@Success` annotation for `/acl [get]` had an incorrect type
2025-07-07 11:01:17 -06:00
e3627fd562 docs: fix markdown in Windsurf doc (#18753)
hotfix


[preview](https://coder.com/docs/@18705-windsurf-md/user-guides/workspace-access/windsurf)

Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
2025-07-07 18:52:19 +05:00
1e715e2f66 chore: add suggestions to the tasks docs (#18766) 2025-07-07 09:15:53 -04:00
b26c9e2432 feat: update tasks docs (#18659)
Preview: https://coder.com/docs/@tasks-docs/ai-coder

---------

Co-authored-by: Hugo Dutka <hugo@coder.com>
2025-07-07 08:21:59 -04:00
aad14b8a6b docs: add RDP desktop button gif (#18758)
Forgot to add this in #18716
2025-07-06 20:15:37 +05:00
ca13b58d57 docs: reorganize remote desktop docs (#18716)
- Reorganize each option in two sections: Web and Desktop Client
- Moves the warning about UDP connections to the bottom
- Move Coder Desktop as the first option
- Links the Coder Desktop RDP module

Preview:
https://coder.com/docs/@remote-desktop-module/user-guides/workspace-access/remote-desktops
2025-07-06 15:46:15 +05:00
02372caf92 docs: align feature stages for July release (#18752)
some of these changes might also be in other PRs, but hopefully this
doesn't cause any merge conflicts

closes #18197

---------

Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
2025-07-04 09:34:49 -04:00
7fbb3ced5b feat: add MCP HTTP server experiment and improve experiment middleware (#18712)
# Add MCP HTTP Server Experiment

This PR adds a new experiment flag `mcp-server-http` to enable the MCP HTTP server functionality. The changes include:

1. Added a new experiment constant `ExperimentMCPServerHTTP` with the value "mcp-server-http"
2. Added display name and documentation for the new experiment
3. Improved the experiment middleware to:
   - Support requiring multiple experiments
   - Provide better error messages with experiment display names
   - Add a development mode bypass option
4. Applied the new experiment requirement to the MCP HTTP endpoint
5. Replaced the custom OAuth2 middleware with the standard experiment middleware

The PR also improves the `Enabled()` method on the `Experiments` type by using `slices.Contains()` for better readability.
2025-07-03 20:09:18 +02:00
15551541e8 feat: add OAuth2 provider functionality as an experiment (#18692)
# Add OAuth2 Provider Functionality as an Experiment

This PR adds a new experiment flag `oauth2` that enables OAuth2 provider functionality in Coder. When enabled, this experiment allows Coder to act as an OAuth2 provider.

The changes include:
- Added the new `ExperimentOAuth2` constant with appropriate documentation
- Updated the OAuth2 provider middleware to check for the experiment flag
- Modified the error message to indicate that the OAuth2 provider requires enabling the experiment
- Added the new experiment to the known experiments list in the SDK

Previously, OAuth2 provider functionality was only available in development mode. With this change, it can be enabled in production environments by activating the experiment.
2025-07-03 19:44:29 +02:00
494dccc510 feat: implement MCP HTTP server endpoint with authentication (#18670)
# Add MCP HTTP server with streamable transport support

- Add MCP HTTP server with streamable transport support
- Integrate with existing toolsdk for Coder workspace operations
- Add comprehensive E2E tests with OAuth2 bearer token support
- Register MCP endpoint at /api/experimental/mcp/http with authentication
- Support RFC 6750 Bearer token authentication for MCP clients

Change-Id: Ib9024569ae452729908797c42155006aa04330af
Signed-off-by: Thomas Kosiewski <tk@coder.com>
2025-07-03 19:27:41 +02:00
74e1d5c4b6 feat: implement OAuth2 dynamic client registration (RFC 7591/7592) (#18645)
# Implement OAuth2 Dynamic Client Registration (RFC 7591/7592)

This PR implements OAuth2 Dynamic Client Registration according to RFC 7591 and Client Configuration Management according to RFC 7592. These standards allow OAuth2 clients to register themselves programmatically with Coder as an authorization server.

Key changes include:

1. Added database schema extensions to support RFC 7591/7592 fields in the `oauth2_provider_apps` table
2. Implemented `/oauth2/register` endpoint for dynamic client registration (RFC 7591)
3. Added client configuration management endpoints (RFC 7592):
   - GET/PUT/DELETE `/oauth2/clients/{client_id}`
   - Registration access token validation middleware

4. Added comprehensive validation for OAuth2 client metadata:
   - URI validation with support for custom schemes for native apps
   - Grant type and response type validation
   - Token endpoint authentication method validation

5. Enhanced developer documentation with:
   - RFC compliance guidelines
   - Testing best practices to avoid race conditions
   - Systematic debugging approaches for OAuth2 implementations

The implementation follows security best practices from the RFCs, including proper token handling, secure defaults, and appropriate error responses. This enables third-party applications to integrate with Coder's OAuth2 provider capabilities programmatically.
2025-07-03 18:33:47 +02:00
7d412c2272 feat(examples/templates): add docker-devcontainer template and rename envbuilder template (#18741)
This change adds a new `docker-devcontainer` template which allows you
to provision a workspace running in Docker, that also creates workspaces
via Docker running inside (DinD).

- **chore(examples/templates): rename `docker-devcontainer` to
`docker-envbuilder`**
- **feat(examples/templates): add `docker-devcontainer` example
template**
2025-07-03 15:50:08 +03:00
351745752b docs: update release calendar with 2.24 release (#18742) 2025-07-03 11:20:16 +00:00
6db6f48300 chore: fix broken link in docs (#18733)
Fixes the "Helm README" link on
https://coder.com/docs/install/kubernetes so it goes to the right path.

Side note: I don't see any content in
https://coder.com/docs/about/contributing/documentation about to whom
such a PR should be assigned, if any. Edward was suggested and I see
you've worked on other PR's with the `docs` label, so going with that.
2025-07-02 22:34:29 -04:00
33bbf18a4b feat: add OAuth2 protected resource metadata endpoint for RFC 9728 (#18643)
# Add OAuth2 Protected Resource Metadata Endpoint

This PR implements the OAuth2 Protected Resource Metadata endpoint according to RFC 9728. The endpoint is available at `/.well-known/oauth-protected-resource` and provides information about Coder as an OAuth2 protected resource.

Key changes:
- Added a new endpoint at `/.well-known/oauth-protected-resource` that returns metadata about Coder as an OAuth2 protected resource
- Created a new `OAuth2ProtectedResourceMetadata` struct in the SDK
- Added tests to verify the endpoint functionality
- Updated API documentation to include the new endpoint

The implementation currently returns basic metadata including the resource identifier and authorization server URL. The `scopes_supported` field is empty until a scope system based on RBAC permissions is implemented. The `bearer_methods_supported` field is omitted as Coder uses custom authentication methods rather than standard RFC 6750 bearer tokens.

A TODO has been added to implement RFC 6750 bearer token support in the future.
2025-07-02 18:58:41 +02:00
01163ea57b feat: allow users to pause prebuilt workspace reconciliation (#18700)
This PR provides two commands:
* `coder prebuilds pause`
* `coder prebuilds resume`

These allow the suspension of all prebuilds activity, intended for use
if prebuilds are misbehaving.
2025-07-02 15:05:42 +00:00
4072d228c5 feat: support dynamic parameters on create template request (#18636)
Future work is to add this checkbox to the UI to opt into dynamic
parameters from the first template create.
2025-07-02 09:44:01 -05:00
91aa583ea4 docs: mention Windsurf module in Windsurf documentation (#18715)
Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
Co-authored-by: bpmct <22407953+bpmct@users.noreply.github.com>
2025-07-02 19:13:35 +05:00
0b8ed9c2bd docs: move the duplicate Coder Desktop install warning to Troubleshooting (#18691)
Co-authored-by: Edward Angert <EdwardAngert@users.noreply.github.com>
2025-07-02 11:22:58 +00:00
0b82f41a24 feat: allow masking workspace parameter inputs (#18595) 2025-07-01 16:27:43 -06:00
ab254adfb9 docs: add section about how to disable path based apps to security best practices (#18419)
add a new section specifically about how to disable path-based apps to
the security best practices doc

## todo

- [x] copy review
- [x] cross-linking

---------

Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Co-authored-by: Dean Sheather <dean@deansheather.com>
2025-07-01 13:18:47 -04:00
6f2834f62a feat: oauth2 - add authorization server metadata endpoint and PKCE support (#18548)
## Summary

  This PR implements critical MCP OAuth2 compliance features for Coder's authorization server, adding PKCE support, resource parameter handling, and OAuth2 server metadata discovery. This brings Coder's OAuth2 implementation significantly closer to production readiness for MCP (Model Context Protocol)
  integrations.

  ## What's Added

  ### OAuth2 Authorization Server Metadata (RFC 8414)
  - Add `/.well-known/oauth-authorization-server` endpoint for automatic client discovery
  - Returns standardized metadata including supported grant types, response types, and PKCE methods
  - Essential for MCP client compatibility and OAuth2 standards compliance

  ### PKCE Support (RFC 7636)
  - Implement Proof Key for Code Exchange with S256 challenge method
  - Add `code_challenge` and `code_challenge_method` parameters to authorization flow
  - Add `code_verifier` validation in token exchange
  - Provides enhanced security for public clients (mobile apps, CLIs)

  ### Resource Parameter Support (RFC 8707)
  - Add `resource` parameter to authorization and token endpoints
  - Store resource URI and bind tokens to specific audiences
  - Critical for MCP's resource-bound token model

  ### Enhanced OAuth2 Error Handling
  - Add OAuth2-compliant error responses with proper error codes
  - Use standard error format: `{"error": "code", "error_description": "details"}`
  - Improve error consistency across OAuth2 endpoints

  ### Authorization UI Improvements
  - Fix authorization flow to use POST-based consent instead of GET redirects
  - Remove dependency on referer headers for security decisions
  - Improve CSRF protection with proper state parameter validation

  ## Why This Matters

  **For MCP Integration:** MCP requires OAuth2 authorization servers to support PKCE, resource parameters, and metadata discovery. Without these features, MCP clients cannot securely authenticate with Coder.

  **For Security:** PKCE prevents authorization code interception attacks, especially critical for public clients. Resource binding ensures tokens are only valid for intended services.

  **For Standards Compliance:** These are widely adopted OAuth2 extensions that improve interoperability with modern OAuth2 clients.

  ## Database Changes

  - **Migration 000343:** Adds `code_challenge`, `code_challenge_method`, `resource_uri` to `oauth2_provider_app_codes`
  - **Migration 000343:** Adds `audience` field to `oauth2_provider_app_tokens` for resource binding
  - **Audit Updates:** New OAuth2 fields properly tracked in audit system
  - **Backward Compatibility:** All changes maintain compatibility with existing OAuth2 flows

  ## Test Coverage

  - Comprehensive PKCE test suite in `coderd/identityprovider/pkce_test.go`
  - OAuth2 metadata endpoint tests in `coderd/oauth2_metadata_test.go`
  - Integration tests covering PKCE + resource parameter combinations
  - Negative tests for invalid PKCE verifiers and malformed requests

  ## Testing Instructions

  ```bash
  # Run the comprehensive OAuth2 test suite
  ./scripts/oauth2/test-mcp-oauth2.sh

  Manual Testing with Interactive Server

  # Start Coder in development mode
  ./scripts/develop.sh

  # In another terminal, set up test app and run interactive flow
  eval $(./scripts/oauth2/setup-test-app.sh)
  ./scripts/oauth2/test-manual-flow.sh
  # Opens browser with OAuth2 flow, handles callback automatically

  # Clean up when done
  ./scripts/oauth2/cleanup-test-app.sh

  Individual Component Testing

  # Test metadata endpoint
  curl -s http://localhost:3000/.well-known/oauth-authorization-server | jq .

  # Test PKCE generation
  ./scripts/oauth2/generate-pkce.sh

  # Run specific test suites
  go test -v ./coderd/identityprovider -run TestVerifyPKCE
  go test -v ./coderd -run TestOAuth2AuthorizationServerMetadata
```

  ### Breaking Changes

  None. All changes maintain backward compatibility with existing OAuth2 flows.

---

Change-Id: Ifbd0d9a543d545f9f56ecaa77ff2238542ff954a
Signed-off-by: Thomas Kosiewski <tk@coder.com>
2025-07-01 15:39:29 +02:00