diff --git a/.claude/docs/DATABASE.md b/.claude/docs/DATABASE.md index 84f6125fa4..331d662d20 100644 --- a/.claude/docs/DATABASE.md +++ b/.claude/docs/DATABASE.md @@ -41,6 +41,41 @@ dimension. - Avoid `ByX` names for grouped queries. +### Enum Changes Run in a Single Transaction + +All migrations run inside one transaction (`pgTxnDriver`). Postgres forbids +*using* an enum value added by `ALTER TYPE ... ADD VALUE` within the same +transaction that added it, so it fails with `unsafe use of new value`. + +Adding the value is fine; using it in the same batch is not. "Using it" +includes a later migration that casts to it (`col::my_enum`), inserts or +updates a row with it, or sets it as a column default. This only fails when a +row actually materializes the new value, so fresh databases and CI pass while +deployments with existing data break. + +**MUST DO**: If any migration uses a newly added enum value, recreate the type +instead of using `ADD VALUE`. A freshly created enum's values are usable +immediately in the same transaction. Precedent: `000144_user_status_dormant`. + +```sql +CREATE TYPE new_my_enum AS ENUM ('existing', 'value', 'new_value'); + +ALTER TABLE my_table + ALTER COLUMN col TYPE new_my_enum USING (col::text::new_my_enum); + +DROP TYPE my_enum; + +ALTER TYPE new_my_enum RENAME TO my_enum; +``` + +Recreating produces an identical schema, so `make gen` yields no `dump.sql` +diff and databases that already applied the migration see no drift. + +**Testing**: `migrations.Stepper` commits each migration separately, so tests +built on it cannot surface this. To catch it, seed a row using the new value, +then apply the affected migrations in a single transaction (see +`TestMigration000504AIProvidersBackfillEnumInSingleTxn`). + ## Handling Nullable Fields Use `sql.NullString`, `sql.NullBool`, etc. for optional database fields: diff --git a/.github/actions/go-cache/action.yml b/.github/actions/go-cache/action.yml new file mode 100644 index 0000000000..d77abaedec --- /dev/null +++ b/.github/actions/go-cache/action.yml @@ -0,0 +1,76 @@ +name: "Go cache" +description: Restore and save Go build and module caches. +inputs: + cache-path: + description: "Optional newline-delimited cache paths. Defaults to go env GOCACHE and GOMODCACHE." + required: false + default: "" + key-prefix: + description: "Prefix for the cache key." + required: false + default: "go" + download-modules: + description: "Whether to run go mod download after restoring cache." + required: false + default: "true" +runs: + using: "composite" + steps: + - name: Compute Go cache key + id: go-cache + shell: bash + run: | + set -euo pipefail + + if [[ -n "${INPUT_CACHE_PATH}" ]]; then + paths="${INPUT_CACHE_PATH}" + else + paths="$(printf '%s\n%s' "$(go env GOCACHE)" "$(go env GOMODCACHE)")" + fi + + go_version="$(go env GOVERSION)" + paths_hash="$(printf '%s\n' "${paths}" | git hash-object --stdin)" + hash="$( + { + printf '%s\n' "${go_version}" + for file in go.mod go.sum; do + if [[ -f "${file}" ]]; then + git hash-object "${file}" + fi + done + } | git hash-object --stdin + )" + + { + echo "path<> "$GITHUB_OUTPUT" + env: + INPUT_CACHE_PATH: ${{ inputs.cache-path }} + INPUT_KEY_PREFIX: ${{ inputs.key-prefix }} + + - name: Restore Go cache, save on main + if: ${{ github.ref == 'refs/heads/main' }} + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: ${{ steps.go-cache.outputs.path }} + key: ${{ steps.go-cache.outputs.key }} + restore-keys: | + ${{ steps.go-cache.outputs.restore-key }} + + - name: Restore Go cache read-only + if: ${{ github.ref != 'refs/heads/main' }} + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: ${{ steps.go-cache.outputs.path }} + key: ${{ steps.go-cache.outputs.key }} + restore-keys: | + ${{ steps.go-cache.outputs.restore-key }} + + - name: Download Go modules + if: ${{ inputs.download-modules == 'true' }} + shell: bash + run: ./.github/scripts/retry.sh -- go mod download -x diff --git a/.github/actions/install-cosign/action.yaml b/.github/actions/install-cosign/action.yaml deleted file mode 100644 index acaf7ba1a7..0000000000 --- a/.github/actions/install-cosign/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: "Install cosign" -description: | - Cosign Github Action. -runs: - using: "composite" - steps: - - name: Install cosign - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 - with: - cosign-release: "v2.4.3" diff --git a/.github/actions/install-syft/action.yaml b/.github/actions/install-syft/action.yaml deleted file mode 100644 index 0f8a440801..0000000000 --- a/.github/actions/install-syft/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: "Install syft" -description: | - Downloads Syft to the Action tool cache and provides a reference. -runs: - using: "composite" - steps: - - name: Install syft - uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 - with: - syft-version: "v1.26.1" diff --git a/.github/actions/pnpm-install/action.yml b/.github/actions/pnpm-install/action.yml new file mode 100644 index 0000000000..8ba01f6a32 --- /dev/null +++ b/.github/actions/pnpm-install/action.yml @@ -0,0 +1,59 @@ +name: "pnpm install" +description: Restore pnpm store cache and install root plus workspace dependencies. +inputs: + directory: + description: "Workspace directory to install after the repository root." + required: false + default: "site" +runs: + using: "composite" + steps: + - name: Compute pnpm cache key + id: pnpm-cache + shell: bash + run: | + set -euo pipefail + + store_path="$(pnpm store path --silent)" + hash="$( + for file in pnpm-lock.yaml "${INPUT_DIRECTORY}/pnpm-lock.yaml"; do + if [[ -f "${file}" ]]; then + git hash-object "${file}" + fi + done | git hash-object --stdin + )" + + { + echo "store-path=${store_path}" + echo "key=pnpm-${RUNNER_OS}-${RUNNER_ARCH}-${INPUT_DIRECTORY}-${hash}" + echo "restore-key=pnpm-${RUNNER_OS}-${RUNNER_ARCH}-${INPUT_DIRECTORY}-" + } >> "$GITHUB_OUTPUT" + env: + INPUT_DIRECTORY: ${{ inputs.directory }} + + - name: Restore and save pnpm cache + if: ${{ github.ref == 'refs/heads/main' }} + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: ${{ steps.pnpm-cache.outputs.store-path }} + key: ${{ steps.pnpm-cache.outputs.key }} + restore-keys: | + ${{ steps.pnpm-cache.outputs.restore-key }} + + - name: Restore pnpm cache + if: ${{ github.ref != 'refs/heads/main' }} + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: ${{ steps.pnpm-cache.outputs.store-path }} + key: ${{ steps.pnpm-cache.outputs.key }} + restore-keys: | + ${{ steps.pnpm-cache.outputs.restore-key }} + + - name: Install root node_modules + shell: bash + run: ./scripts/pnpm_install.sh + + - name: Install node_modules + shell: bash + run: "${GITHUB_WORKSPACE}/scripts/pnpm_install.sh" + working-directory: ${{ github.workspace }}/${{ inputs.directory }} diff --git a/.github/actions/setup-go-tools/action.yaml b/.github/actions/setup-go-tools/action.yaml deleted file mode 100644 index c8e600d656..0000000000 --- a/.github/actions/setup-go-tools/action.yaml +++ /dev/null @@ -1,12 +0,0 @@ -name: "Setup Go tools" -description: | - Set up tools for `make gen`, `offlinedocs` and Schmoder CI. -runs: - using: "composite" - steps: - - name: go install tools - shell: bash - run: | - ./.github/scripts/retry.sh -- go install tool - # NOTE: protoc-gen-go cannot be installed with `go get` - ./.github/scripts/retry.sh -- go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30 diff --git a/.github/actions/setup-go/action.yaml b/.github/actions/setup-go/action.yaml deleted file mode 100644 index ee7f17a40e..0000000000 --- a/.github/actions/setup-go/action.yaml +++ /dev/null @@ -1,32 +0,0 @@ -name: "Setup Go" -description: | - Sets up the Go environment for tests, builds, etc. -inputs: - version: - description: "The Go version to use." - default: "1.26.2" - use-cache: - description: "Whether to use the cache." - default: "true" -runs: - using: "composite" - steps: - - name: Setup Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 - with: - go-version: ${{ inputs.version }} - cache: ${{ inputs.use-cache }} - - - name: Install gotestsum - shell: bash - run: ./.github/scripts/retry.sh -- go install gotest.tools/gotestsum@0d9599e513d70e5792bb9334869f82f6e8b53d4d # main as of 2025-05-15 - - - name: Install mtimehash - shell: bash - run: ./.github/scripts/retry.sh -- go install github.com/slsyy/mtimehash/cmd/mtimehash@a6b5da4ed2c4a40e7b805534b004e9fde7b53ce0 # v1.0.0 - - # It isn't necessary that we ever do this, but it helps - # separate the "setup" from the "run" times. - - name: go mod download - shell: bash - run: ./.github/scripts/retry.sh -- go mod download -x diff --git a/.github/actions/setup-mise/action.yml b/.github/actions/setup-mise/action.yml new file mode 100644 index 0000000000..39aa9ab27d --- /dev/null +++ b/.github/actions/setup-mise/action.yml @@ -0,0 +1,188 @@ +name: Setup mise +description: Install mise tools from SHA256-pinned binaries, with CI-layer caching. +inputs: + install-args: + description: Tool names or extra arguments passed to mise install. --locked is added by default. + required: false + default: "" + locked: + description: Whether to pass --locked to mise install. + required: false + default: "true" + cache-key-prefix: + description: Prefix for mise tool cache keys. + required: false + default: mise-ci-v1 + mise-version: + description: mise version to install. + required: false + default: "2026.5.12" + mise-sha256: + description: SHA256 checksum for the mise binary. + required: false + default: "" + use-cache: + description: Whether to restore and save mise tool caches. + required: false + default: "true" +runs: + using: composite + steps: + - name: Compute mise cache key + id: cache-key + shell: bash + env: + CACHE_KEY_PREFIX: ${{ inputs.cache-key-prefix }} + INPUT_INSTALL_ARGS: ${{ inputs.install-args }} + INPUT_LOCKED: ${{ inputs.locked }} + MISE_VERSION: ${{ inputs.mise-version }} + RUNNER_ARCH: ${{ runner.arch }} + RUNNER_OS: ${{ runner.os }} + run: | + set -euo pipefail + + case "${INPUT_LOCKED}" in + true) + if [[ -n "${INPUT_INSTALL_ARGS}" ]]; then + install_args="--locked ${INPUT_INSTALL_ARGS}" + else + install_args="--locked" + fi + ;; + false) + install_args="${INPUT_INSTALL_ARGS}" + ;; + *) + echo "::error::locked must be true or false." + exit 1 + ;; + esac + + install_args_hash="$(printf '%s' "$install_args" | git hash-object --stdin)" + files_hash="$(git hash-object mise.toml mise.lock | git hash-object --stdin)" + key="${CACHE_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${MISE_VERSION}-${install_args_hash}-${files_hash}" + restore_key="${CACHE_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${MISE_VERSION}-${install_args_hash}-" + + { + echo "install-args<> "$GITHUB_OUTPUT" + + - name: Select mise checksum + id: checksum + shell: bash + env: + CHECKSUMS_FILE: ${{ github.action_path }}/checksums.toml + INPUT_MISE_SHA256: ${{ inputs.mise-sha256 }} + MISE_CHECKSUM_SCRIPT: ${{ github.workspace }}/scripts/mise_checksum.sh + MISE_VERSION: ${{ inputs.mise-version }} + RUNNER_ARCH: ${{ runner.arch }} + RUNNER_OS: ${{ runner.os }} + run: | + set -euo pipefail + + checksum="${INPUT_MISE_SHA256}" + if [[ -z "${checksum}" ]]; then + case "${RUNNER_OS}-${RUNNER_ARCH}" in + Linux-X64) + target="linux-x64" + ;; + Linux-ARM64) + target="linux-arm64" + ;; + macOS-X64) + target="macos-x64" + ;; + macOS-ARM64) + target="macos-arm64" + ;; + Windows-X64) + target="windows-x64" + ;; + *) + echo "::error::No mise checksum is pinned for ${RUNNER_OS}-${RUNNER_ARCH}." + exit 1 + ;; + esac + + checksum="$("${MISE_CHECKSUM_SCRIPT}" "${CHECKSUMS_FILE}" "${MISE_VERSION}" "${target}")" + if [[ -z "${checksum}" ]]; then + echo "::error::No mise checksum is pinned for mise ${MISE_VERSION} on ${target}." + exit 1 + fi + fi + + echo "sha256=${checksum}" >> "$GITHUB_OUTPUT" + + - name: Configure mise data directory + id: mise-data-dir + shell: bash + env: + RUNNER_OS: ${{ runner.os }} + run: | # zizmor: ignore[github-env] MISE_DATA_DIR uses only runner-provided paths. + set -euo pipefail + + if [[ "${RUNNER_OS}" == "Windows" ]]; then + data_dir="${LOCALAPPDATA:-${USERPROFILE}\\AppData\\Local}\\mise" + else + data_dir="${RUNNER_TEMP}/mise-data" + fi + + { + printf 'path=%s\n' "${data_dir}" + } >> "$GITHUB_OUTPUT" + printf 'MISE_DATA_DIR=%s\n' "${data_dir}" >> "$GITHUB_ENV" + + - name: Cache mise tools + if: ${{ inputs.use-cache == 'true' && github.ref == 'refs/heads/main' }} + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: | + ~/.cache/mise + ${{ steps.mise-data-dir.outputs.path }} + key: ${{ steps.cache-key.outputs.key }} + restore-keys: | + ${{ steps.cache-key.outputs.restore-key }} + + - name: Restore mise tools + if: ${{ inputs.use-cache == 'true' && github.ref != 'refs/heads/main' }} + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: | + ~/.cache/mise + ${{ steps.mise-data-dir.outputs.path }} + key: ${{ steps.cache-key.outputs.key }} + restore-keys: | + ${{ steps.cache-key.outputs.restore-key }} + + - name: Install mise tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: ${{ inputs.mise-version }} + sha256: ${{ steps.checksum.outputs.sha256 }} + mise_dir: ${{ steps.mise-data-dir.outputs.path }} + install_args: ${{ steps.cache-key.outputs.install-args }} + cache: "false" + + - name: Ensure Git usr/bin is in PATH (Windows) + if: runner.os == 'Windows' + shell: pwsh + # jdx/mise-action exports "Path" via GITHUB_ENV which may + # collide with bash's "PATH". Ensure Git usr/bin is present + # and remove any duplicate Path/PATH entries from GITHUB_ENV + # by writing both forms. + run: | # zizmor: ignore[github-env] + $gitdir = "C:\Program Files\Git\usr\bin" + $current = $env:Path + if ($current -notlike "*$gitdir*") { + $current = "$gitdir;$current" + } + # Write both Path and PATH to GITHUB_ENV so that both + # cmd.exe (uses Path) and bash/Go (uses PATH) see the + # same value including Git usr/bin. + "Path=$current" | Out-File -Append -FilePath $env:GITHUB_ENV -Encoding utf8 + "PATH=$current" | Out-File -Append -FilePath $env:GITHUB_ENV -Encoding utf8 + diff --git a/.github/actions/setup-mise/checksums.toml b/.github/actions/setup-mise/checksums.toml new file mode 100644 index 0000000000..046a08492d --- /dev/null +++ b/.github/actions/setup-mise/checksums.toml @@ -0,0 +1,9 @@ +# SHA256 hashes of the extracted mise binary verified by jdx/mise-action. +# Keys use the GitHub runner target for each release artifact. + +["2026.5.12"] +linux-x64 = "a238972a3162d710b85b28c324372e96ca4e4b486c81fe78695000d9fbc77c48" +linux-arm64 = "fd2d5227a8ad0b1e359c70527a8345a9ada72077f8dcbb559371653c3d95464f" +macos-x64 = "de57e8dc82bbd880a69c9bc8aee06b9dcc578184b3e5cf86fcef80635d6a90b4" +macos-arm64 = "e777070540ffe22cf8b2b9f88aed88b461d0887d940c4f1c1a97359463cde6e1" +windows-x64 = "adf1b4c9f51e7d15cff723056fcd8fd51f40ebacadcca97fd5758c44d469d5ea" diff --git a/.github/actions/setup-node/action.yaml b/.github/actions/setup-node/action.yaml deleted file mode 100644 index 0c276f0ab8..0000000000 --- a/.github/actions/setup-node/action.yaml +++ /dev/null @@ -1,44 +0,0 @@ -name: "Setup Node" -description: | - Sets up the node environment for tests, builds, etc. -inputs: - directory: - description: | - The directory to run the setup in. - required: false - default: "site" -runs: - using: "composite" - steps: - - name: Install pnpm - uses: pnpm/action-setup@739bfe42ca9233c5e6aca07c1a25a9d34aca49b0 # v6.0.7 - - - name: Setup Node - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 - with: - node-version: 22.19.0 - # See https://github.com/actions/setup-node#caching-global-packages-data - cache: "pnpm" - cache-dependency-path: ${{ inputs.directory }}/pnpm-lock.yaml - - - name: Verify Node - shell: bash - run: | - set -euo pipefail - - expected="v22.19.0" - actual="$(node --version)" - if [[ "$actual" != "$expected" ]]; then - echo "::error::Expected Node.js $expected, but got $actual from $(command -v node)." - exit 1 - fi - echo "Node.js $actual is active at $(command -v node)." - - - name: Install root node_modules - shell: bash - run: ./scripts/pnpm_install.sh - - - name: Install node_modules - shell: bash - run: ../scripts/pnpm_install.sh - working-directory: ${{ inputs.directory }} diff --git a/.github/actions/setup-sqlc/action.yaml b/.github/actions/setup-sqlc/action.yaml deleted file mode 100644 index 029a3f5fe4..0000000000 --- a/.github/actions/setup-sqlc/action.yaml +++ /dev/null @@ -1,17 +0,0 @@ -name: Setup sqlc -description: | - Sets up the sqlc environment for tests, builds, etc. -runs: - using: "composite" - steps: - - name: Setup sqlc - # uses: sqlc-dev/setup-sqlc@c0209b9199cd1cce6a14fc27cabcec491b651761 # v4.0.0 - # with: - # sqlc-version: "1.30.0" - - # Switched to coder/sqlc fork to fix ambiguous column bug, see: - # - https://github.com/coder/sqlc/pull/1 - # - https://github.com/sqlc-dev/sqlc/pull/4159 - shell: bash - run: | - ./.github/scripts/retry.sh -- env CGO_ENABLED=1 go install github.com/coder/sqlc/cmd/sqlc@337309bfb9524f38466a5090e310040fc7af0203 diff --git a/.github/actions/setup-tf/action.yaml b/.github/actions/setup-tf/action.yaml deleted file mode 100644 index 22c7253050..0000000000 --- a/.github/actions/setup-tf/action.yaml +++ /dev/null @@ -1,11 +0,0 @@ -name: "Setup Terraform" -description: | - Sets up Terraform for tests, builds, etc. -runs: - using: "composite" - steps: - - name: Install Terraform - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 - with: - terraform_version: 1.15.5 - terraform_wrapper: false diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 78d6aba61a..63fd8f4359 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -151,8 +151,13 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "node pnpm" + + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install - name: Check docs run: pnpm check-docs @@ -171,8 +176,10 @@ jobs: # # See: https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs # token: ${{ secrets.CDRCI_GITHUB_TOKEN }} - # - name: Setup Go - # uses: ./.github/actions/setup-go + # - name: Set up mise tools + # uses: ./.github/actions/setup-mise + # with: + # install-args: "go" # - name: Update Nix Flake SRI Hash # run: ./scripts/update-flake.sh @@ -208,18 +215,22 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go node pnpm helm actionlint aqua:crate-ci/typos" - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install + + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/golangci/golangci-lint/cmd/golangci-lint go:github.com/coder/paralleltestctx/cmd/paralleltestctx - name: Get golangci-lint cache dir run: | - # mise.toml is the source of truth for tool versions baked into - # the dogfood image; pull the same version for the lint job. - linter_ver=$(grep -Eo '^golangci-lint = "[^"]+"' mise.toml | sed -E 's/.*"([^"]+)"/\1/') - ./.github/scripts/retry.sh -- go install "github.com/golangci/golangci-lint/cmd/golangci-lint@v$linter_ver" dir=$(golangci-lint cache status | awk '/Dir/ { print $2 }') echo "LINT_CACHE_DIR=$dir" >> "$GITHUB_ENV" @@ -239,35 +250,13 @@ jobs: # Check for any typos - name: Check for typos - uses: crate-ci/typos@cf5f1c29a8ac336af8568821ec41919923b05a83 # v1.45.1 - with: - config: .github/workflows/typos.toml + run: typos --config .github/workflows/typos.toml - name: Fix the typos if: ${{ failure() }} run: | echo "::notice:: you can automatically fix typos from your CLI: - cargo install typos-cli - typos -c .github/workflows/typos.toml -w" - - # Needed for helm chart linting - - name: Install helm - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 - with: - version: v3.9.2 - continue-on-error: true - id: setup-helm - - - name: Install helm (fallback) - if: steps.setup-helm.outcome == 'failure' - # Fallback to Buildkite's apt repository if get.helm.sh is down. - # See: https://github.com/coder/internal/issues/1109 - run: | - set -euo pipefail - curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null - echo "deb [signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list - sudo apt-get update - sudo apt-get install -y helm=3.9.2-1 + mise exec aqua:crate-ci/typos -- typos -c .github/workflows/typos.toml -w" - name: Verify helm version run: helm version --short @@ -287,15 +276,11 @@ jobs: key: ${{ steps.golangci-lint-cache.outputs.cache-primary-key }} - name: Check workflow files - run: | - bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.7.4 - ./actionlint -color -shellcheck= -ignore "set-output" + run: actionlint -color -shellcheck= -ignore "set-output" shell: bash - name: Check for unstaged files - run: | - rm -f ./actionlint ./typos - ./scripts/check_unstaged.sh + run: ./scripts/check_unstaged.sh shell: bash lint-actions: @@ -303,7 +288,7 @@ jobs: # Only run this job if changes to CI workflow files are detected. This job # can flake as it reaches out to GitHub to check referenced actions. if: needs.changes.outputs.ci == 'true' - runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} + runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-24.04-8' || 'ubuntu-24.04' }} steps: - name: Harden Runner uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 @@ -316,8 +301,10 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "actionlint zizmor" - name: make lint/actions run: make --output-sync=line -j lint/actions @@ -341,30 +328,19 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go node pnpm terraform protoc protoc-gen-go" - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install - - name: Setup sqlc - uses: ./.github/actions/setup-sqlc + - name: Restore Go cache + uses: ./.github/actions/go-cache - - name: Setup Terraform - uses: ./.github/actions/setup-tf - - - name: go install tools - uses: ./.github/actions/setup-go-tools - - - name: Install Protoc - run: | - mkdir -p /tmp/proto - pushd /tmp/proto - curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip - unzip protoc.zip - sudo cp -r ./bin/* /usr/local/bin - sudo cp -r ./include /usr/local/bin/include - popd + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:storj.io/drpc/cmd/protoc-gen-go-drpc go:github.com/coder/sqlc/cmd/sqlc - name: make gen timeout-minutes: 8 @@ -396,24 +372,26 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node - - name: Check Go version run: IGNORE_NIX=true ./scripts/check_go_versions.sh - # Use default Go version - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go node pnpm terraform" - - name: Install shfmt - run: ./.github/scripts/retry.sh -- go install mvdan.cc/sh/v3/cmd/shfmt@v3.7.0 + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install + + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:mvdan.cc/sh/v3/cmd/shfmt - name: make fmt timeout-minutes: 7 - run: | - PATH="${PATH}:$(go env GOPATH)/bin" \ - make --output-sync -j -B fmt + run: make --output-sync -j -B fmt - name: Check for unstaged files run: ./scripts/check_unstaged.sh @@ -476,13 +454,18 @@ jobs: - name: Setup GNU tools (macOS) uses: ./.github/actions/setup-gnu-tools - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise with: - use-cache: true + install-args: "go terraform" - - name: Setup Terraform - uses: ./.github/actions/setup-tf + - name: Restore Go cache + uses: ./.github/actions/go-cache + with: + cache-path: ${{ steps.go-paths.outputs.cached-dirs }} + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum go:github.com/slsyy/mtimehash/cmd/mtimehash - name: Download Test Cache id: download-cache @@ -651,11 +634,16 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go terraform" - - name: Setup Terraform - uses: ./.github/actions/setup-tf + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum - name: Download Test Cache id: download-cache @@ -720,11 +708,16 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go terraform" - - name: Setup Terraform - uses: ./.github/actions/setup-tf + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum - name: Download Test Cache id: download-cache @@ -799,8 +792,13 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go" + + - name: Restore Go cache + uses: ./.github/actions/go-cache # Used by some integration tests. - name: Install Nginx @@ -826,8 +824,13 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "node pnpm" + + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install - run: pnpm test:ci --max-workers "$(nproc)" working-directory: site @@ -859,11 +862,16 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go node pnpm" - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install + + - name: Restore Go cache + uses: ./.github/actions/go-cache # Assume that the checked-in versions are up-to-date - run: make gen/mark-fresh @@ -951,8 +959,13 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "node pnpm" + + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install # This step is not meant for mainline because any detected changes to # storybook snapshots will require manual approval/review in order for @@ -1030,29 +1043,21 @@ jobs: fetch-depth: 0 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go node pnpm protoc protoc-gen-go" + + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install with: directory: offlinedocs - - name: Install Protoc - run: | - mkdir -p /tmp/proto - pushd /tmp/proto - curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip - unzip protoc.zip - sudo cp -r ./bin/* /usr/local/bin - sudo cp -r ./include /usr/local/bin/include - popd + - name: Restore Go cache + uses: ./.github/actions/go-cache - - name: Setup Go - uses: ./.github/actions/setup-go - - - name: Install go tools - uses: ./.github/actions/setup-go-tools - - - name: Setup sqlc - uses: ./.github/actions/setup-sqlc + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:storj.io/drpc/cmd/protoc-gen-go-drpc go:github.com/coder/sqlc/cmd/sqlc - name: Format run: | @@ -1144,17 +1149,19 @@ jobs: fetch-depth: 0 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go node pnpm" - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install - - name: Install go-winres - run: ./.github/scripts/retry.sh -- go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3 + - name: Restore Go cache + uses: ./.github/actions/go-cache - - name: Install nfpm - run: ./.github/scripts/retry.sh -- go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1 + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/tc-hib/go-winres go:github.com/goreleaser/nfpm/v2/cmd/nfpm - name: Install zstd run: sudo apt-get install -y zstd @@ -1205,13 +1212,19 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Setup Node - uses: ./.github/actions/setup-node - - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise with: - use-cache: false + install-args: "go node pnpm cosign syft" + + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install + + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/tc-hib/go-winres go:github.com/goreleaser/nfpm/v2/cmd/nfpm - name: Install rcodesign run: | @@ -1241,21 +1254,9 @@ jobs: distribution: "zulu" java-version: "11.0" - - name: Install go-winres - run: ./.github/scripts/retry.sh -- go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3 - - - name: Install nfpm - run: ./.github/scripts/retry.sh -- go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1 - - name: Install zstd run: sudo apt-get install -y zstd - - name: Install cosign - uses: ./.github/actions/install-cosign - - - name: Install syft - uses: ./.github/actions/install-syft - - name: Setup Windows EV Signing Certificate run: | set -euo pipefail @@ -1579,11 +1580,16 @@ jobs: with: fetch-depth: 1 persist-credentials: false - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go" - - name: Setup sqlc - uses: ./.github/actions/setup-sqlc + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/coder/sqlc/cmd/sqlc - name: Setup and run sqlc vet run: | diff --git a/.github/workflows/dogfood.yaml b/.github/workflows/dogfood.yaml index 9dcd853f79..c87b48b5ee 100644 --- a/.github/workflows/dogfood.yaml +++ b/.github/workflows/dogfood.yaml @@ -71,9 +71,6 @@ jobs: packages: write # push the dogfood base image to ghcr.io/coder/oss-dogfood-base env: # MISE_EXPERIMENTAL opts into the experimental `oci` subcommand. - # Trust is set via a config file (see the Install mise step - # below) rather than MISE_TRUSTED_CONFIG_PATHS so the workspace - # template can keep parity with the same file-based approach. MISE_EXPERIMENTAL: "1" steps: - name: Harden Runner @@ -135,32 +132,9 @@ jobs: uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 if: matrix.image-version != 'nix' - - name: Install mise - if: matrix.image-version != 'nix' - # MISE_VERSION + MISE_SHA256 match dogfood/coder/ubuntu-*/Dockerfile.base - # so the mise binary baking the image is the same one a workspace - # ships with. `min_version` in mise.toml catches downgrades. - # Write trust config to ~/.config/mise/conf.d/ instead of using - # MISE_TRUSTED_CONFIG_PATHS so the same file-based approach - # works in workspaces (where the user owns the file). - env: - MISE_VERSION: v2026.5.12 - MISE_SHA256: a238972a3162d710b85b28c324372e96ca4e4b486c81fe78695000d9fbc77c48 - WORKSPACE: ${{ github.workspace }} - run: | - set -euo pipefail - curl --silent --show-error --location --fail \ - "https://github.com/jdx/mise/releases/download/${MISE_VERSION}/mise-${MISE_VERSION}-linux-x64" \ - --output /tmp/mise - echo "${MISE_SHA256} /tmp/mise" | sha256sum -c - sudo install -m 0755 /tmp/mise /usr/local/bin/mise - rm /tmp/mise - mise --version - mkdir -p "$HOME/.config/mise/conf.d" - cat > "$HOME/.config/mise/conf.d/00-ci-trust.toml" <> "$GITHUB_PATH" - - name: Build mise oci layer if: matrix.image-version != 'nix' && !github.event.pull_request.head.repo.fork env: @@ -360,8 +315,10 @@ jobs: with: persist-credentials: false - - name: Setup Terraform - uses: ./.github/actions/setup-tf + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "terraform" - name: Authenticate to Google Cloud uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 diff --git a/.github/workflows/flake-go.yaml b/.github/workflows/flake-go.yaml index 1c7eb96dd0..b3226462d2 100644 --- a/.github/workflows/flake-go.yaml +++ b/.github/workflows/flake-go.yaml @@ -39,12 +39,16 @@ jobs: fetch-depth: 0 persist-credentials: false - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up Go + uses: ./.github/actions/setup-mise + with: + install-args: "go" - - name: Install whichtests - shell: bash - run: ./.github/scripts/retry.sh -- go install github.com/coder/whichtests@ec33bab1ec04cd86beb7a61a069db4463dba63f5 + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/coder/whichtests go:gotest.tools/gotestsum - name: Select changed tests id: selector @@ -57,9 +61,11 @@ jobs: --coalesce \ --out-matrix "$RUNNER_TEMP/flake-matrix.json" - - name: Setup Terraform + - name: Set up Terraform if: ${{ fromJSON(steps.selector.outputs.matrix).include[0] != null }} - uses: ./.github/actions/setup-tf + uses: ./.github/actions/setup-mise + with: + install-args: "terraform" - name: Run targeted Go flake checks id: flake_check diff --git a/.github/workflows/nightly-gauntlet.yaml b/.github/workflows/nightly-gauntlet.yaml index 4d72ece76a..63aa8728e2 100644 --- a/.github/workflows/nightly-gauntlet.yaml +++ b/.github/workflows/nightly-gauntlet.yaml @@ -62,11 +62,16 @@ jobs: - name: Setup GNU tools (macOS) uses: ./.github/actions/setup-gnu-tools - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go terraform" - - name: Setup Terraform - uses: ./.github/actions/setup-tf + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum - name: Setup Embedded Postgres Cache Paths id: embedded-pg-cache diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml index df2d24007f..47b80e29c3 100644 --- a/.github/workflows/pr-deploy.yaml +++ b/.github/workflows/pr-deploy.yaml @@ -238,14 +238,19 @@ jobs: fetch-depth: 0 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go node pnpm" - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install - - name: Setup sqlc - uses: ./.github/actions/setup-sqlc + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/coder/sqlc/cmd/sqlc - name: GHCR Login uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d7ef868576..2427e3586f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -172,13 +172,16 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise with: - use-cache: false + install-args: "go node pnpm helm cosign syft" - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/tc-hib/go-winres go:github.com/goreleaser/nfpm/v2/cmd/nfpm # Necessary for signing Windows binaries. - name: Setup Java @@ -187,19 +190,9 @@ jobs: distribution: "zulu" java-version: "11.0" - - name: Install go-winres - run: ./.github/scripts/retry.sh -- go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3 - - name: Install nsis and zstd run: sudo apt-get install -y nsis zstd - - name: Install nfpm - run: | - set -euo pipefail - wget -O /tmp/nfpm.deb https://github.com/goreleaser/nfpm/releases/download/v2.35.1/nfpm_2.35.1_amd64.deb - sudo dpkg -i /tmp/nfpm.deb - rm /tmp/nfpm.deb - - name: Install rcodesign run: | set -euo pipefail @@ -210,12 +203,6 @@ jobs: apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign rm /tmp/rcodesign.tar.gz - - name: Install cosign - uses: ./.github/actions/install-cosign - - - name: Install syft - uses: ./.github/actions/install-syft - - name: Setup Apple Developer certificate and API key run: | set -euo pipefail diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 72eee31d2d..6787e32c19 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -36,8 +36,13 @@ jobs: with: persist-credentials: false - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go" + + - name: Restore Go cache + uses: ./.github/actions/go-cache - name: Initialize CodeQL uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5 diff --git a/.github/workflows/weekly-docs.yaml b/.github/workflows/weekly-docs.yaml index 0d34ef1f43..85a14d8b6a 100644 --- a/.github/workflows/weekly-docs.yaml +++ b/.github/workflows/weekly-docs.yaml @@ -14,7 +14,54 @@ permissions: contents: read jobs: + prepare-linkspector-browser: + # later versions of Ubuntu have disabled unprivileged user namespaces, which are required by the action + runs-on: ubuntu-22.04 + permissions: + contents: read + env: + CHROME_BUILD_ID: "145.0.7632.77" + outputs: + browser-cache-key: ${{ steps.browser-versions.outputs.cache-key }} + chrome-path: ${{ steps.install-chrome.outputs.path }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + with: + egress-policy: audit + + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "node npm:@puppeteer/browsers" + + - name: Get browser versions + id: browser-versions + run: | + set -euo pipefail + installer_version="$(mise current npm:@puppeteer/browsers)" + echo "cache-key=puppeteer-${RUNNER_OS}-${RUNNER_ARCH}-browsers-${installer_version}-chrome-${CHROME_BUILD_ID}" >> "$GITHUB_OUTPUT" + + - name: Restore Puppeteer browser cache + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: ~/.cache/puppeteer + key: ${{ steps.browser-versions.outputs.cache-key }} + + - name: Install Linkspector Chrome + id: install-chrome + run: | + set -euo pipefail + chrome_path="$(browsers install "chrome@${CHROME_BUILD_ID}" --path "${HOME}/.cache/puppeteer" --format '{{path}}')" + echo "path=${chrome_path}" >> "$GITHUB_OUTPUT" + check-docs: + needs: prepare-linkspector-browser # later versions of Ubuntu have disabled unprivileged user namespaces, which are required by the action runs-on: ubuntu-22.04 permissions: @@ -54,10 +101,21 @@ jobs: corepack enable pnpm mkdir -p "$(pnpm store path --silent)" + - name: Restore Puppeteer browser cache + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: ~/.cache/puppeteer + key: ${{ needs.prepare-linkspector-browser.outputs.browser-cache-key }} + - name: Check Markdown links - uses: umbrelladocs/action-linkspector@37c85bcde51b30bf929936502bac6bfb7e8f0a4d # v1.4.1 + uses: umbrelladocs/action-linkspector@036f295d12b67b0c4b445bc83db0538afb78db69 # v1.5.2 id: markdown-link-check # checks all markdown files from /docs including all subfolders + env: + # Use the Chrome build prepared from mise-pinned Puppeteer instead + # of letting linkspector download a mutable browser at runtime. + # See: https://github.com/UmbrellaDocs/action-linkspector/issues/62 + PUPPETEER_EXECUTABLE_PATH: ${{ needs.prepare-linkspector-browser.outputs.chrome-path }} with: reporter: github-pr-review config_file: ".github/.linkspector.yml" diff --git a/Makefile b/Makefile index b58f80eb68..be1992cb21 100644 --- a/Makefile +++ b/Makefile @@ -728,11 +728,11 @@ endif # GitHub Actions linters are run in a separate CI job (lint-actions) that only # triggers when workflow files change, so we skip them here when CI=true. LINT_ACTIONS_TARGETS := $(if $(CI),,lint/actions/actionlint) -lint: lint/shellcheck lint/go lint/ts lint/examples lint/helm lint/site-icons lint/markdown lint/check-scopes lint/migrations lint/bootstrap lint/architecture lint/emdash lint/agents $(LINT_ACTIONS_TARGETS) +lint: lint/shellcheck lint/go lint/ts lint/examples lint/helm lint/site-icons lint/markdown lint/check-scopes lint/migrations lint/bootstrap lint/architecture lint/emdash lint/agents lint/mise-versions $(LINT_ACTIONS_TARGETS) .PHONY: lint -# Subset of lint that does not require Go or Node toolchains. -lint-light: lint/shellcheck lint/markdown lint/helm lint/bootstrap lint/migrations lint/actions/actionlint lint/typos lint/emdash +# Fast lint subset for lightweight hooks. Some targets use mise-managed tools. +lint-light: lint/shellcheck lint/markdown lint/helm lint/bootstrap lint/migrations lint/actions/actionlint lint/typos lint/emdash lint/mise-versions .PHONY: lint-light lint/site-icons: @@ -745,9 +745,8 @@ lint/ts: site/node_modules/.installed .PHONY: lint/ts lint/go: - linter_ver=$$(grep -Eo '^golangci-lint = "[^"]+"' mise.toml | sed -E 's/.*"([^"]+)"/\1/') - go run github.com/golangci/golangci-lint/cmd/golangci-lint@v$$linter_ver run - go tool github.com/coder/paralleltestctx/cmd/paralleltestctx -custom-funcs="testutil.Context,chatdTestContext" ./... + golangci-lint run + paralleltestctx -custom-funcs="testutil.Context,chatdTestContext" ./... go run ./scripts/intxcheck ./... .PHONY: lint/go @@ -790,16 +789,27 @@ lint/actions: lint/actions/actionlint lint/actions/zizmor .PHONY: lint/actions lint/actions/actionlint: - go tool github.com/rhysd/actionlint/cmd/actionlint + mise exec actionlint -- actionlint .PHONY: lint/actions/actionlint +# zizmor uses GH_TOKEN to fetch imported workflows from GitHub; without it, +# external action references are skipped silently. lint/actions/zizmor: - ./scripts/zizmor.sh \ + @set -euo pipefail; \ + if [ -z "$${GH_TOKEN:-}" ] && command -v gh >/dev/null 2>&1; then \ + GH_TOKEN="$$(gh auth token 2>/dev/null || true)"; \ + export GH_TOKEN; \ + fi; \ + mise exec zizmor -- zizmor \ --strict-collection \ --persona=regular \ . .PHONY: lint/actions/zizmor +lint/mise-versions: + ./scripts/check_mise_versions.sh +.PHONY: lint/mise-versions + # Verify api_key_scope enum contains all RBAC : values. lint/check-scopes: coderd/database/dump.sql | _gen/bin/check-scopes _gen/bin/check-scopes @@ -811,28 +821,8 @@ lint/migrations: ./scripts/check_pg_schema.sh "Fixtures" $(FIXTURE_FILES) .PHONY: lint/migrations -TYPOS_VERSION := $(shell grep -oP 'crate-ci/typos@\S+\s+\#\s+v\K[0-9.]+' .github/workflows/ci.yaml) - -# Map uname values to typos release asset names. -TYPOS_ARCH := $(shell uname -m) -# typos release assets use aarch64, but macOS ARM reports arm64 via uname -m. -ifeq ($(TYPOS_ARCH),arm64) -TYPOS_ARCH := aarch64 -endif -ifeq ($(shell uname -s),Darwin) -TYPOS_OS := apple-darwin -else -TYPOS_OS := unknown-linux-musl -endif - -build/typos-$(TYPOS_VERSION): - mkdir -p build/ - curl -sSfL "https://github.com/crate-ci/typos/releases/download/v$(TYPOS_VERSION)/typos-v$(TYPOS_VERSION)-$(TYPOS_ARCH)-$(TYPOS_OS).tar.gz" \ - | tar -xzf - -C build/ ./typos - mv build/typos "$@" - -lint/typos: build/typos-$(TYPOS_VERSION) - build/typos-$(TYPOS_VERSION) --config .github/workflows/typos.toml +lint/typos: + typos --config .github/workflows/typos.toml .PHONY: lint/typos # pre-commit and pre-push mirror CI checks locally. diff --git a/agent/x/agentmcp/manager.go b/agent/x/agentmcp/manager.go index 23cba06c18..cd6a705151 100644 --- a/agent/x/agentmcp/manager.go +++ b/agent/x/agentmcp/manager.go @@ -975,15 +975,19 @@ func (m *Manager) createTransport(ctx context.Context, cfg ServerConfig) (transp }), ), nil case "http", "": - return transport.NewStreamableHTTP( - cfg.URL, - transport.WithHTTPHeaders(cfg.Headers), - ) + var opts []transport.StreamableHTTPCOption + opts = append(opts, transport.WithHTTPHeaders(cfg.Headers)) + if c := mcpHTTPClient(); c != nil { + opts = append(opts, transport.WithHTTPBasicClient(c)) + } + return transport.NewStreamableHTTP(cfg.URL, opts...) case "sse": - return transport.NewSSE( - cfg.URL, - transport.WithHeaders(cfg.Headers), - ) + var sseOpts []transport.ClientOption + sseOpts = append(sseOpts, transport.WithHeaders(cfg.Headers)) + if c := mcpHTTPClient(); c != nil { + sseOpts = append(sseOpts, transport.WithHTTPClient(c)) + } + return transport.NewSSE(cfg.URL, sseOpts...) default: return nil, xerrors.Errorf("unsupported transport %q", cfg.Transport) } diff --git a/agent/x/agentmcp/mcphttpclient.go b/agent/x/agentmcp/mcphttpclient.go new file mode 100644 index 0000000000..7099c44281 --- /dev/null +++ b/agent/x/agentmcp/mcphttpclient.go @@ -0,0 +1,25 @@ +package agentmcp + +import ( + "net/http" + "testing" +) + +// mcpHTTPClient returns an isolated *http.Client when running +// inside tests, or nil for production. During tests, +// httptest.Server.Close() calls +// http.DefaultTransport.CloseIdleConnections(), which disrupts +// any MCP client sharing that transport. When DefaultTransport +// is a *http.Transport it is cloned; otherwise a minimal +// transport with ProxyFromEnvironment is created as a fallback. +func mcpHTTPClient() *http.Client { + if !testing.Testing() { + return nil + } + if dt, ok := http.DefaultTransport.(*http.Transport); ok { + return &http.Client{Transport: dt.Clone()} + } + return &http.Client{Transport: &http.Transport{ + Proxy: http.ProxyFromEnvironment, + }} +} diff --git a/aibridge/api.go b/aibridge/api.go index 809d452fe9..34dce84ef8 100644 --- a/aibridge/api.go +++ b/aibridge/api.go @@ -57,6 +57,14 @@ func NewCopilotProvider(cfg config.Copilot) provider.Provider { return provider.NewCopilot(cfg) } +// NewDisabledProviderStub returns a Provider that reports Enabled() == +// false and has no-op implementations for all other methods. Use this +// instead of constructing a concrete provider for disabled rows so that +// adding a new provider type does not require updating a switch here. +func NewDisabledProviderStub(name, providerType string) provider.Provider { + return provider.NewDisabledStub(name, providerType) +} + func NewMetrics(reg prometheus.Registerer) *metrics.Metrics { return metrics.NewMetrics(reg) } diff --git a/aibridge/bridge.go b/aibridge/bridge.go index f604d0a38a..daf103fb10 100644 --- a/aibridge/bridge.go +++ b/aibridge/bridge.go @@ -20,6 +20,7 @@ import ( "cdr.dev/slog/v3" "github.com/coder/coder/v2/aibridge/circuitbreaker" aibcontext "github.com/coder/coder/v2/aibridge/context" + "github.com/coder/coder/v2/aibridge/intercept" "github.com/coder/coder/v2/aibridge/mcp" "github.com/coder/coder/v2/aibridge/metrics" "github.com/coder/coder/v2/aibridge/provider" @@ -30,6 +31,11 @@ import ( const ( // The duration after which an async recording will be aborted. recordingTimeout = time.Second * 5 + + // ErrorCodeProviderDisabled is the code written in the response + // body when a request targets a configured-but-disabled provider. + // Paired with HTTP 503. + ErrorCodeProviderDisabled = "provider_disabled" ) // RequestBridge is an [http.Handler] which is capable of masquerading as AI providers' APIs; @@ -96,6 +102,14 @@ func NewRequestBridge(ctx context.Context, providers []provider.Provider, rec re mux := http.NewServeMux() for _, prov := range providers { + // Disabled providers serve a 503 sentinel on every path under + // "//". Bound to the bare name (not RoutePrefix) so paths + // outside the provider's normal "/v1" subtree are also caught. + if !prov.Enabled() { + prefix := fmt.Sprintf("/%s/", prov.Name()) + mux.HandleFunc(prefix, disabledProviderHandler(prov.Name(), logger)) + continue + } // Create per-provider circuit breaker if configured cfg := prov.CircuitBreakerConfig() providerName := prov.Name() @@ -170,6 +184,20 @@ func NewRequestBridge(ctx context.Context, providers []provider.Provider, rec re }, nil } +// disabledProviderHandler returns 503 with a body containing +// [ErrorCodeProviderDisabled] and the provider name for every request +// targeting name. +func disabledProviderHandler(name string, logger slog.Logger) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + logger.Debug(r.Context(), "refusing request for disabled ai provider", + slog.F("provider", name), + slog.F("path", r.URL.Path), + slog.F("method", r.Method), + ) + http.Error(w, fmt.Sprintf("%s: AI provider %q is disabled", ErrorCodeProviderDisabled, name), http.StatusServiceUnavailable) + } +} + // newInterceptionProcessor returns an [http.HandlerFunc] which is capable of creating a new interceptor and processing a given request // using [Provider] p, recording all usage events using [Recorder] rec. // If cbs is non-nil, circuit breaker protection is applied per endpoint/model tuple. @@ -248,11 +276,18 @@ func newInterceptionProcessor(p provider.Provider, cbs *circuitbreaker.ProviderC slog.F("user_agent", r.UserAgent()), slog.F("streaming", interceptor.Streaming()), slog.F("credential_kind", string(cred.Kind)), - slog.F("credential_hint", cred.Hint), - slog.F("credential_length", cred.Length), ) - log.Debug(ctx, "interception started") + // Log BYOK credentials. Centralized credentials are set by + // the key failover loop. + credLogFields := []slog.Field{} + if cred.Kind == intercept.CredentialKindBYOK { + credLogFields = append(credLogFields, + slog.F("credential_hint", cred.Hint), + slog.F("credential_length", cred.Length), + ) + } + log.Debug(ctx, "interception started", credLogFields...) if m != nil { m.InterceptionsInflight.WithLabelValues(p.Name(), interceptor.Model(), route).Add(1) defer func() { @@ -261,22 +296,30 @@ func newInterceptionProcessor(p provider.Provider, cbs *circuitbreaker.ProviderC } // Process request with circuit breaker protection if configured - if err := cbs.Execute(route, interceptor.Model(), w, func(rw http.ResponseWriter) error { + execErr := cbs.Execute(route, interceptor.Model(), w, func(rw http.ResponseWriter) error { return interceptor.ProcessRequest(rw, r) - }); err != nil { + }) + // For centralized, the hint now reflects the last attempted + // key from the failover loop. + credHint := interceptor.Credential().Hint + credLen := interceptor.Credential().Length + if execErr != nil { if m != nil { m.InterceptionCount.WithLabelValues(p.Name(), interceptor.Model(), metrics.InterceptionCountStatusFailed, route, r.Method, actor.ID, string(client)).Add(1) } - span.SetStatus(codes.Error, fmt.Sprintf("interception failed: %v", err)) - log.Warn(ctx, "interception failed", slog.Error(err)) + span.SetStatus(codes.Error, fmt.Sprintf("interception failed: %v", execErr)) + log.Warn(ctx, "interception failed", slog.Error(execErr), slog.F("credential_hint", credHint), slog.F("credential_length", credLen)) } else { if m != nil { m.InterceptionCount.WithLabelValues(p.Name(), interceptor.Model(), metrics.InterceptionCountStatusCompleted, route, r.Method, actor.ID, string(client)).Add(1) } - log.Debug(ctx, "interception ended") + log.Debug(ctx, "interception ended", slog.F("credential_hint", credHint), slog.F("credential_length", credLen)) } - _ = asyncRecorder.RecordInterceptionEnded(ctx, &recorder.InterceptionRecordEnded{ID: interceptor.ID().String()}) + _ = asyncRecorder.RecordInterceptionEnded(ctx, &recorder.InterceptionRecordEnded{ + ID: interceptor.ID().String(), + CredentialHint: credHint, + }) // Ensure all recording have completed before completing request. asyncRecorder.Wait() diff --git a/aibridge/bridge_test.go b/aibridge/bridge_test.go index f2657ab80f..93beb82de9 100644 --- a/aibridge/bridge_test.go +++ b/aibridge/bridge_test.go @@ -205,3 +205,58 @@ func TestPassthroughRoutesForProviders(t *testing.T) { }) } } + +// TestDisabledProviderHandler asserts that requests to a disabled +// provider return a 503 with an ErrorCodeProviderDisabled body and +// that a sibling enabled provider keeps routing normally. +func TestDisabledProviderHandler(t *testing.T) { + t.Parallel() + + logger := slogtest.Make(t, nil) + + upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte("upstream-reached")) + })) + t.Cleanup(upstream.Close) + + enabled := aibridge.NewOpenAIProvider(config.OpenAI{Name: "enabled-openai", BaseURL: upstream.URL}) + disabled := aibridge.NewDisabledProviderStub("disabled-openai", "openai") + bridge, err := aibridge.NewRequestBridge( + t.Context(), + []provider.Provider{enabled, disabled}, + nil, nil, logger, nil, bridgeTestTracer, + ) + require.NoError(t, err) + + for _, tc := range []struct { + name string + path string + }{ + {name: "Bridged", path: "/disabled-openai/v1/chat/completions"}, + {name: "Passthrough", path: "/disabled-openai/v1/models"}, + {name: "Unknown", path: "/disabled-openai/anything/else"}, + } { + t.Run("DisabledProviderReturnsSentinel/"+tc.name, func(t *testing.T) { + t.Parallel() + + req := httptest.NewRequest(http.MethodPost, tc.path, nil) + resp := httptest.NewRecorder() + bridge.ServeHTTP(resp, req) + + assert.Equal(t, http.StatusServiceUnavailable, resp.Code) + assert.Contains(t, resp.Body.String(), aibridge.ErrorCodeProviderDisabled) + assert.Contains(t, resp.Body.String(), "disabled-openai") + }) + } + + t.Run("EnabledProviderUnaffected", func(t *testing.T) { + t.Parallel() + + req := httptest.NewRequest(http.MethodGet, "/enabled-openai/v1/models", nil) + resp := httptest.NewRecorder() + bridge.ServeHTTP(resp, req) + + assert.Equal(t, http.StatusOK, resp.Code) + assert.Equal(t, "upstream-reached", resp.Body.String()) + }) +} diff --git a/aibridge/intercept/chatcompletions/blocking.go b/aibridge/intercept/chatcompletions/blocking.go index 95d065ce5b..fa1511f660 100644 --- a/aibridge/intercept/chatcompletions/blocking.go +++ b/aibridge/intercept/chatcompletions/blocking.go @@ -291,15 +291,16 @@ func (i *BlockingInterception) newChatCompletionWithKey(ctx context.Context, svc // 401/403. Errors that aren't key-specific don't trigger // failover and are returned to the caller. func (i *BlockingInterception) newChatCompletionWithKeyFailover(ctx context.Context, svc openai.ChatCompletionService, opts []option.RequestOption) (*openai.ChatCompletion, error) { - // TODO(ssncferreira): update the interception's credential - // hint with the actually-used key (the successful key on - // success, the last tried key on failure) in the upstack PR. walker := i.cfg.KeyPool.Walker() for { key, keyPoolErr := walker.Next() if keyPoolErr != nil { return nil, keyPoolErr } + // Record the key in use so the hint reflects the last attempted key. + i.credential = intercept.NewCredentialInfo(intercept.CredentialKindCentralized, key.Value()) + i.logger.Debug(ctx, "using centralized api key", + slog.F("credential_hint", i.Credential().Hint), slog.F("credential_length", i.Credential().Length)) requestOpts := append([]option.RequestOption{}, opts...) requestOpts = append(requestOpts, diff --git a/aibridge/intercept/chatcompletions/blocking_internal_test.go b/aibridge/intercept/chatcompletions/blocking_internal_test.go index 3b3a917a54..2b9afaadea 100644 --- a/aibridge/intercept/chatcompletions/blocking_internal_test.go +++ b/aibridge/intercept/chatcompletions/blocking_internal_test.go @@ -72,31 +72,35 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { expectedRetryAfter string // Expected key states after the request, by index in keys. expectedKeyStates []keypool.KeyState + // Expected credential hint after ProcessRequest: last + // attempted key for centralized, user key from initial request for BYOK. + expectedCredentialHint string }{ { // Given: 1 valid key returning 200. // Then: 1 request, 200 response, key remains valid. name: "single_valid_key", - keys: []string{"k0"}, + keys: []string{"k0-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusOK, body: successBody}, + "k0-long-key": {statusCode: http.StatusOK, body: successBody}, }, - expectedRequestCount: 1, - expectedStatusCode: http.StatusOK, - expectedKeyStates: []keypool.KeyState{keypool.KeyStateValid}, + expectedRequestCount: 1, + expectedStatusCode: http.StatusOK, + expectedKeyStates: []keypool.KeyState{keypool.KeyStateValid}, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: 2 keys; key-0 returns 429, key-1 returns 200. // Then: 2 requests, 200 response, key-0 temporary, key-1 valid. name: "failover_after_429", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": { + "k0-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "5"}, body: rateLimitBody, }, - "k1": {statusCode: http.StatusOK, body: successBody}, + "k1-long-key": {statusCode: http.StatusOK, body: successBody}, }, expectedRequestCount: 2, expectedStatusCode: http.StatusOK, @@ -104,15 +108,16 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { keypool.KeyStateTemporary, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 401, key-1 returns 200. // Then: 2 requests, 200 response, key-0 permanent, key-1 valid. name: "failover_after_401", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusUnauthorized, body: authErrorBody}, - "k1": {statusCode: http.StatusOK, body: successBody}, + "k0-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k1-long-key": {statusCode: http.StatusOK, body: successBody}, }, expectedRequestCount: 2, expectedStatusCode: http.StatusOK, @@ -120,15 +125,16 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 403, key-1 returns 200. // Then: 2 requests, 200 response, key-0 permanent, key-1 valid. name: "failover_after_403", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusForbidden, body: authErrorBody}, - "k1": {statusCode: http.StatusOK, body: successBody}, + "k0-long-key": {statusCode: http.StatusForbidden, body: authErrorBody}, + "k1-long-key": {statusCode: http.StatusOK, body: successBody}, }, expectedRequestCount: 2, expectedStatusCode: http.StatusOK, @@ -136,25 +142,26 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 3 keys; all return 429 with cooldowns 5s, 3s, 10s. // Then: 3 requests, 429 response with smallest Retry-After, // all keys temporary. name: "all_keys_rate_limited", - keys: []string{"k0", "k1", "k2"}, + keys: []string{"k0-long-key", "k1-long-key", "k2-long-key"}, responses: map[string]upstreamResponse{ - "k0": { + "k0-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "5"}, body: rateLimitBody, }, - "k1": { + "k1-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "3"}, body: rateLimitBody, }, - "k2": { + "k2-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "10"}, body: rateLimitBody, @@ -168,15 +175,16 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { keypool.KeyStateTemporary, keypool.KeyStateTemporary, }, + expectedCredentialHint: utils.MaskSecret("k2-long-key"), }, { // Given: 2 keys; both return 401. // Then: 2 requests, 502 api_error response, both keys permanent. name: "all_keys_unauthorized", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusUnauthorized, body: authErrorBody}, - "k1": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k0-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k1-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, }, expectedRequestCount: 2, expectedStatusCode: http.StatusBadGateway, @@ -184,14 +192,15 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStatePermanent, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 500. // Then: 1 request, 500 response, both keys remain valid. name: "server_error_no_failover", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusInternalServerError, body: serverErrorBody}, + "k0-long-key": {statusCode: http.StatusInternalServerError, body: serverErrorBody}, }, expectedRequestCount: 1, expectedStatusCode: http.StatusInternalServerError, @@ -199,6 +208,7 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { keypool.KeyStateValid, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: BYOK with a single key returning 429. @@ -219,9 +229,10 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { body: rateLimitBody, }, }, - expectedRequestCount: 1, - expectedStatusCode: http.StatusTooManyRequests, - expectedRetryAfter: "5", + expectedRequestCount: 1, + expectedStatusCode: http.StatusTooManyRequests, + expectedRetryAfter: "5", + expectedCredentialHint: utils.MaskSecret("user-byok"), }, } @@ -252,6 +263,7 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { cfg := config.OpenAI{BaseURL: upstream.URL + "/"} var pool *keypool.Pool + credInfo := intercept.NewCredentialInfo(intercept.CredentialKindCentralized, "") if len(tc.keys) > 0 { var err error pool, err = keypool.New(tc.keys, quartz.NewMock(t)) @@ -259,6 +271,7 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { cfg.KeyPool = pool } else if tc.byokKey != "" { cfg.Key = tc.byokKey + credInfo = intercept.NewCredentialInfo(intercept.CredentialKindBYOK, tc.byokKey) } interceptor := NewBlockingInterceptor( @@ -269,7 +282,7 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { http.Header{}, "Authorization", otel.Tracer("blocking_test"), - intercept.NewCredentialInfo(intercept.CredentialKindCentralized, ""), + credInfo, ) interceptor.Setup(slog.Make(), &testutil.MockRecorder{}, nil) @@ -288,6 +301,7 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { if pool != nil { assert.Equal(t, tc.expectedKeyStates, pool.PoolState(), "key states") } + assert.Equal(t, tc.expectedCredentialHint, interceptor.Credential().Hint, "credential hint") }) } } @@ -309,6 +323,9 @@ func TestBlockingInterception_AgenticLoopFailover(t *testing.T) { expectedSeenKeys []string expectedStatusCode int expectedKeyStates []keypool.KeyState + // Expected credential hint after ProcessRequest: hint of the + // last attempted key across all agentic-loop iterations. + expectedCredentialHint string }{ { // Given: 2 keys; both upstream calls succeed on key-0. @@ -319,12 +336,13 @@ func TestBlockingInterception_AgenticLoopFailover(t *testing.T) { {statusCode: http.StatusOK, body: textCompleteBody}, }, expectedRequestCount: 2, - expectedSeenKeys: []string{"k0", "k0"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key"}, expectedStatusCode: http.StatusOK, expectedKeyStates: []keypool.KeyState{ keypool.KeyStateValid, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: 2 keys; key-0 succeeds initially, then 429s @@ -342,12 +360,13 @@ func TestBlockingInterception_AgenticLoopFailover(t *testing.T) { {statusCode: http.StatusOK, body: textCompleteBody}, }, expectedRequestCount: 3, - expectedSeenKeys: []string{"k0", "k0", "k1"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key", "k1-long-key"}, expectedStatusCode: http.StatusOK, expectedKeyStates: []keypool.KeyState{ keypool.KeyStateTemporary, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 succeeds initially, then both @@ -369,12 +388,13 @@ func TestBlockingInterception_AgenticLoopFailover(t *testing.T) { }, }, expectedRequestCount: 3, - expectedSeenKeys: []string{"k0", "k0", "k1"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key", "k1-long-key"}, expectedStatusCode: http.StatusTooManyRequests, expectedKeyStates: []keypool.KeyState{ keypool.KeyStateTemporary, keypool.KeyStateTemporary, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, } @@ -409,7 +429,7 @@ func TestBlockingInterception_AgenticLoopFailover(t *testing.T) { })) t.Cleanup(upstream.Close) - pool, err := keypool.New([]string{"k0", "k1"}, quartz.NewMock(t)) + pool, err := keypool.New([]string{"k0-long-key", "k1-long-key"}, quartz.NewMock(t)) require.NoError(t, err) cfg := config.OpenAI{ @@ -459,6 +479,7 @@ func TestBlockingInterception_AgenticLoopFailover(t *testing.T) { defer seenKeysMu.Unlock() assert.Equal(t, tc.expectedSeenKeys, seenKeys, "seen keys") assert.Equal(t, tc.expectedKeyStates, pool.PoolState(), "key states") + assert.Equal(t, tc.expectedCredentialHint, interceptor.Credential().Hint, "credential hint") }) } } diff --git a/aibridge/intercept/chatcompletions/streaming.go b/aibridge/intercept/chatcompletions/streaming.go index 581ab49d03..e20a2a801d 100644 --- a/aibridge/intercept/chatcompletions/streaming.go +++ b/aibridge/intercept/chatcompletions/streaming.go @@ -164,6 +164,11 @@ func (i *StreamingInterception) ProcessRequest(w http.ResponseWriter, r *http.Re break } currentKey = key + // Record the key in use so the hint reflects the last attempted key. + i.credential = intercept.NewCredentialInfo(intercept.CredentialKindCentralized, key.Value()) + logger.Debug(ctx, "using centralized api key", + slog.F("credential_hint", i.Credential().Hint), slog.F("credential_length", i.Credential().Length)) + opts = append(opts, option.WithAPIKey(key.Value()), // Disable SDK retries because the failover diff --git a/aibridge/intercept/chatcompletions/streaming_internal_test.go b/aibridge/intercept/chatcompletions/streaming_internal_test.go index 82c58f9bc1..9561c0948a 100644 --- a/aibridge/intercept/chatcompletions/streaming_internal_test.go +++ b/aibridge/intercept/chatcompletions/streaming_internal_test.go @@ -144,36 +144,40 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { expectedRetryAfter string // Expected key states after the request, by index in keys. expectedKeyStates []keypool.KeyState + // Expected credential hint after ProcessRequest: last + // attempted key for centralized, user key from initial request for BYOK. + expectedCredentialHint string }{ { // Given: 1 valid key returning a successful stream. // Then: 1 request, 200 response, key remains valid. name: "single_valid_key", - keys: []string{"k0"}, + keys: []string{"k0-long-key"}, responses: map[string]upstreamResponse{ - "k0": { + "k0-long-key": { statusCode: http.StatusOK, headers: map[string]string{"Content-Type": "text/event-stream"}, body: streamingSuccessBody, }, }, - expectedRequestCount: 1, - expectedStatusCode: http.StatusOK, - expectedKeyStates: []keypool.KeyState{keypool.KeyStateValid}, + expectedRequestCount: 1, + expectedStatusCode: http.StatusOK, + expectedKeyStates: []keypool.KeyState{keypool.KeyStateValid}, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: 2 keys; key-0 returns 429 pre-stream, key-1 // streams successfully. // Then: 2 requests, 200 response, key-0 temporary, key-1 valid. name: "failover_after_429", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": { + "k0-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "5"}, body: rateLimitBody, }, - "k1": { + "k1-long-key": { statusCode: http.StatusOK, headers: map[string]string{"Content-Type": "text/event-stream"}, body: streamingSuccessBody, @@ -185,16 +189,17 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { keypool.KeyStateTemporary, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 401 pre-stream, key-1 // streams successfully. // Then: 2 requests, 200 response, key-0 permanent, key-1 valid. name: "failover_after_401", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusUnauthorized, body: authErrorBody}, - "k1": { + "k0-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k1-long-key": { statusCode: http.StatusOK, headers: map[string]string{"Content-Type": "text/event-stream"}, body: streamingSuccessBody, @@ -206,15 +211,16 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 403 pre-stream, key-1 streams. // Then: 2 requests, 200 response, key-0 permanent, key-1 valid. name: "failover_after_403", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusForbidden, body: authErrorBody}, - "k1": { + "k0-long-key": {statusCode: http.StatusForbidden, body: authErrorBody}, + "k1-long-key": { statusCode: http.StatusOK, headers: map[string]string{"Content-Type": "text/event-stream"}, body: streamingSuccessBody, @@ -226,6 +232,7 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 3 keys; all return 429 pre-stream with @@ -233,19 +240,19 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { // Then: 3 requests, 429 response with smallest // Retry-After, all keys temporary. name: "all_keys_rate_limited", - keys: []string{"k0", "k1", "k2"}, + keys: []string{"k0-long-key", "k1-long-key", "k2-long-key"}, responses: map[string]upstreamResponse{ - "k0": { + "k0-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "5"}, body: rateLimitBody, }, - "k1": { + "k1-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "3"}, body: rateLimitBody, }, - "k2": { + "k2-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "10"}, body: rateLimitBody, @@ -259,15 +266,16 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { keypool.KeyStateTemporary, keypool.KeyStateTemporary, }, + expectedCredentialHint: utils.MaskSecret("k2-long-key"), }, { // Given: 2 keys; both return 401 pre-stream. // Then: 2 requests, 502 api_error response, both keys permanent. name: "all_keys_unauthorized", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusUnauthorized, body: authErrorBody}, - "k1": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k0-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k1-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, }, expectedRequestCount: 2, expectedStatusCode: http.StatusBadGateway, @@ -275,14 +283,15 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStatePermanent, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 500 pre-stream. // Then: 1 request, 500 response, both keys remain valid. name: "server_error_no_failover", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusInternalServerError, body: serverErrorBody}, + "k0-long-key": {statusCode: http.StatusInternalServerError, body: serverErrorBody}, }, expectedRequestCount: 1, expectedStatusCode: http.StatusInternalServerError, @@ -290,6 +299,7 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { keypool.KeyStateValid, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: BYOK with a single key returning 429. @@ -310,9 +320,10 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { body: rateLimitBody, }, }, - expectedRequestCount: 1, - expectedStatusCode: http.StatusTooManyRequests, - expectedRetryAfter: "5", + expectedRequestCount: 1, + expectedStatusCode: http.StatusTooManyRequests, + expectedRetryAfter: "5", + expectedCredentialHint: utils.MaskSecret("user-byok"), }, } @@ -342,6 +353,7 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { cfg := config.OpenAI{BaseURL: upstream.URL + "/"} var pool *keypool.Pool + credInfo := intercept.NewCredentialInfo(intercept.CredentialKindCentralized, "") if len(tc.keys) > 0 { var err error pool, err = keypool.New(tc.keys, quartz.NewMock(t)) @@ -349,6 +361,7 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { cfg.KeyPool = pool } else if tc.byokKey != "" { cfg.Key = tc.byokKey + credInfo = intercept.NewCredentialInfo(intercept.CredentialKindBYOK, tc.byokKey) } interceptor := NewStreamingInterceptor( @@ -359,7 +372,7 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { http.Header{}, "Authorization", otel.Tracer("streaming_test"), - intercept.NewCredentialInfo(intercept.CredentialKindCentralized, ""), + credInfo, ) interceptor.Setup(slog.Make(), &testutil.MockRecorder{}, nil) @@ -378,6 +391,7 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { if pool != nil { assert.Equal(t, tc.expectedKeyStates, pool.PoolState(), "key states") } + assert.Equal(t, tc.expectedCredentialHint, interceptor.Credential().Hint, "credential hint") }) } } @@ -435,6 +449,9 @@ func TestStreamingInterception_AgenticLoopFailover(t *testing.T) { // error (e.g. all keys exhausted). expectedErr bool expectedKeyStates []keypool.KeyState + // Expected credential hint after ProcessRequest: hint of the + // last attempted key across all agentic-loop iterations. + expectedCredentialHint string }{ { // Given: 2 keys; both upstream calls succeed on key-0. @@ -445,13 +462,14 @@ func TestStreamingInterception_AgenticLoopFailover(t *testing.T) { {statusCode: http.StatusOK, headers: sseHeaders, body: textStreamBody}, }, expectedRequestCount: 2, - expectedSeenKeys: []string{"k0", "k0"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key"}, expectedBodyContains: "done", expectErrorAsSSEEvent: false, expectedKeyStates: []keypool.KeyState{ keypool.KeyStateValid, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: 2 keys; key-0 succeeds initially, then 429s @@ -469,13 +487,14 @@ func TestStreamingInterception_AgenticLoopFailover(t *testing.T) { {statusCode: http.StatusOK, headers: sseHeaders, body: textStreamBody}, }, expectedRequestCount: 3, - expectedSeenKeys: []string{"k0", "k0", "k1"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key", "k1-long-key"}, expectedBodyContains: "done", expectErrorAsSSEEvent: false, expectedKeyStates: []keypool.KeyState{ keypool.KeyStateTemporary, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 succeeds initially, then both @@ -497,7 +516,7 @@ func TestStreamingInterception_AgenticLoopFailover(t *testing.T) { }, }, expectedRequestCount: 3, - expectedSeenKeys: []string{"k0", "k0", "k1"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key", "k1-long-key"}, expectedBodyContains: "all configured keys are rate-limited", expectErrorAsSSEEvent: true, expectedErr: true, @@ -505,6 +524,7 @@ func TestStreamingInterception_AgenticLoopFailover(t *testing.T) { keypool.KeyStateTemporary, keypool.KeyStateTemporary, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, } @@ -538,7 +558,7 @@ func TestStreamingInterception_AgenticLoopFailover(t *testing.T) { })) t.Cleanup(upstream.Close) - pool, err := keypool.New([]string{"k0", "k1"}, quartz.NewMock(t)) + pool, err := keypool.New([]string{"k0-long-key", "k1-long-key"}, quartz.NewMock(t)) require.NoError(t, err) cfg := config.OpenAI{ @@ -596,6 +616,7 @@ func TestStreamingInterception_AgenticLoopFailover(t *testing.T) { defer seenKeysMu.Unlock() assert.Equal(t, tc.expectedSeenKeys, seenKeys, "seen keys") assert.Equal(t, tc.expectedKeyStates, pool.PoolState(), "key states") + assert.Equal(t, tc.expectedCredentialHint, interceptor.Credential().Hint, "credential hint") }) } } diff --git a/aibridge/intercept/messages/blocking.go b/aibridge/intercept/messages/blocking.go index e91f80feb9..bf74885b2b 100644 --- a/aibridge/intercept/messages/blocking.go +++ b/aibridge/intercept/messages/blocking.go @@ -367,15 +367,16 @@ func (i *BlockingInterception) newMessageWithKey(ctx context.Context, svc anthro // Errors that aren't key-specific don't trigger failover and // are returned to the caller. func (i *BlockingInterception) newMessageWithKeyFailover(ctx context.Context, svc anthropic.MessageService) (*anthropic.Message, error) { - // TODO(ssncferreira): update the interception's credential - // hint with the actually-used key (the successful key on - // success, the last tried key on failure) in the upstack PR. walker := i.cfg.KeyPool.Walker() for { key, keyPoolErr := walker.Next() if keyPoolErr != nil { return nil, keyPoolErr } + // Record the key in use so the hint reflects the last attempted key. + i.credential = intercept.NewCredentialInfo(intercept.CredentialKindCentralized, key.Value()) + i.logger.Debug(ctx, "using centralized api key", + slog.F("credential_hint", i.Credential().Hint), slog.F("credential_length", i.Credential().Length)) msg, err := i.newMessageWithKey(ctx, svc, option.WithAPIKey(key.Value()), diff --git a/aibridge/intercept/messages/blocking_internal_test.go b/aibridge/intercept/messages/blocking_internal_test.go index 857d425fe3..9b3f0d447b 100644 --- a/aibridge/intercept/messages/blocking_internal_test.go +++ b/aibridge/intercept/messages/blocking_internal_test.go @@ -19,6 +19,7 @@ import ( "github.com/coder/coder/v2/aibridge/internal/testutil" "github.com/coder/coder/v2/aibridge/keypool" "github.com/coder/coder/v2/aibridge/mcp" + "github.com/coder/coder/v2/aibridge/utils" "github.com/coder/quartz" ) @@ -54,31 +55,35 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { expectedRetryAfter string // Expected key states after the request, by index in keys. expectedKeyStates []keypool.KeyState + // Expected credential hint after ProcessRequest: last + // attempted key for centralized, user key from initial request for BYOK. + expectedCredentialHint string }{ { // Given: 1 valid key returning 200. // Then: 1 request, 200 response, key remains valid. name: "single_valid_key", - keys: []string{"k0"}, + keys: []string{"k0-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusOK, body: successBody}, + "k0-long-key": {statusCode: http.StatusOK, body: successBody}, }, - expectedRequestCount: 1, - expectedStatusCode: http.StatusOK, - expectedKeyStates: []keypool.KeyState{keypool.KeyStateValid}, + expectedRequestCount: 1, + expectedStatusCode: http.StatusOK, + expectedKeyStates: []keypool.KeyState{keypool.KeyStateValid}, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: 2 keys; key-0 returns 429, key-1 returns 200. // Then: 2 requests, 200 response, key-0 temporary, key-1 valid. name: "failover_after_429", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": { + "k0-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "5"}, body: rateLimitBody, }, - "k1": {statusCode: http.StatusOK, body: successBody}, + "k1-long-key": {statusCode: http.StatusOK, body: successBody}, }, expectedRequestCount: 2, expectedStatusCode: http.StatusOK, @@ -86,15 +91,16 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { keypool.KeyStateTemporary, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 401, key-1 returns 200. // Then: 2 requests, 200 response, key-0 permanent, key-1 valid. name: "failover_after_401", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusUnauthorized, body: authErrorBody}, - "k1": {statusCode: http.StatusOK, body: successBody}, + "k0-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k1-long-key": {statusCode: http.StatusOK, body: successBody}, }, expectedRequestCount: 2, expectedStatusCode: http.StatusOK, @@ -102,15 +108,16 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 403, key-1 returns 200. // Then: 2 requests, 200 response, key-0 permanent, key-1 valid. name: "failover_after_403", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusForbidden, body: authErrorBody}, - "k1": {statusCode: http.StatusOK, body: successBody}, + "k0-long-key": {statusCode: http.StatusForbidden, body: authErrorBody}, + "k1-long-key": {statusCode: http.StatusOK, body: successBody}, }, expectedRequestCount: 2, expectedStatusCode: http.StatusOK, @@ -118,25 +125,26 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 3 keys; all return 429 with cooldowns 5s, 3s, 10s. // Then: 3 requests, 429 response with smallest Retry-After, // all keys temporary. name: "all_keys_rate_limited", - keys: []string{"k0", "k1", "k2"}, + keys: []string{"k0-long-key", "k1-long-key", "k2-long-key"}, responses: map[string]upstreamResponse{ - "k0": { + "k0-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "5"}, body: rateLimitBody, }, - "k1": { + "k1-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "3"}, body: rateLimitBody, }, - "k2": { + "k2-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "10"}, body: rateLimitBody, @@ -150,15 +158,16 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { keypool.KeyStateTemporary, keypool.KeyStateTemporary, }, + expectedCredentialHint: utils.MaskSecret("k2-long-key"), }, { // Given: 2 keys; both return 401. // Then: 2 requests, 502 api_error response, both keys permanent. name: "all_keys_unauthorized", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusUnauthorized, body: authErrorBody}, - "k1": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k0-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k1-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, }, expectedRequestCount: 2, expectedStatusCode: http.StatusBadGateway, @@ -166,14 +175,15 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStatePermanent, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 500. // Then: 1 request, 500 response, both keys remain valid. name: "server_error_no_failover", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusInternalServerError, body: serverErrorBody}, + "k0-long-key": {statusCode: http.StatusInternalServerError, body: serverErrorBody}, }, expectedRequestCount: 1, expectedStatusCode: http.StatusInternalServerError, @@ -181,6 +191,7 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { keypool.KeyStateValid, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: BYOK with a single key returning 429. @@ -201,9 +212,10 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { body: rateLimitBody, }, }, - expectedRequestCount: 1, - expectedStatusCode: http.StatusTooManyRequests, - expectedRetryAfter: "5", + expectedRequestCount: 1, + expectedStatusCode: http.StatusTooManyRequests, + expectedRetryAfter: "5", + expectedCredentialHint: utils.MaskSecret("user-byok"), }, } @@ -234,6 +246,7 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { cfg := config.Anthropic{BaseURL: upstream.URL + "/"} var pool *keypool.Pool + credInfo := intercept.NewCredentialInfo(intercept.CredentialKindCentralized, "") if len(tc.keys) > 0 { var err error pool, err = keypool.New(tc.keys, quartz.NewMock(t)) @@ -241,6 +254,7 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { cfg.KeyPool = pool } else if tc.byokKey != "" { cfg.Key = tc.byokKey + credInfo = intercept.NewCredentialInfo(intercept.CredentialKindBYOK, tc.byokKey) } payload, err := NewRequestPayload([]byte(requestBody)) @@ -255,7 +269,7 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { http.Header{}, "X-Api-Key", otel.Tracer("blocking_test"), - intercept.NewCredentialInfo(intercept.CredentialKindCentralized, ""), + credInfo, ) interceptor.Setup(slog.Make(), &testutil.MockRecorder{}, nil) @@ -271,6 +285,7 @@ func TestBlockingInterception_KeyFailover(t *testing.T) { assert.Equal(t, tc.expectedRequestCount, requestCount.Load(), "upstream request count") assert.Equal(t, tc.expectedStatusCode, w.Code, "response status code") assert.Equal(t, tc.expectedRetryAfter, w.Header().Get("Retry-After"), "Retry-After header") + assert.Equal(t, tc.expectedCredentialHint, interceptor.Credential().Hint, "credential hint") if pool != nil { assert.Equal(t, tc.expectedKeyStates, pool.PoolState(), "key states") } @@ -296,6 +311,9 @@ func TestBlockingInterception_AgenticLoopFailover(t *testing.T) { expectedStatusCode int expectedRetryAfter string expectedKeyStates []keypool.KeyState + // Expected credential hint after ProcessRequest: hint of the + // last attempted key across all agentic-loop iterations. + expectedCredentialHint string }{ { // Given: 2 keys; both upstream calls succeed on key-0. @@ -306,12 +324,13 @@ func TestBlockingInterception_AgenticLoopFailover(t *testing.T) { {statusCode: http.StatusOK, body: successBody}, }, expectedRequestCount: 2, - expectedSeenKeys: []string{"k0", "k0"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key"}, expectedStatusCode: http.StatusOK, expectedKeyStates: []keypool.KeyState{ keypool.KeyStateValid, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: 2 keys; key-0 succeeds initially, then 429s @@ -329,12 +348,13 @@ func TestBlockingInterception_AgenticLoopFailover(t *testing.T) { {statusCode: http.StatusOK, body: successBody}, }, expectedRequestCount: 3, - expectedSeenKeys: []string{"k0", "k0", "k1"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key", "k1-long-key"}, expectedStatusCode: http.StatusOK, expectedKeyStates: []keypool.KeyState{ keypool.KeyStateTemporary, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 succeeds initially, then both @@ -356,13 +376,14 @@ func TestBlockingInterception_AgenticLoopFailover(t *testing.T) { }, }, expectedRequestCount: 3, - expectedSeenKeys: []string{"k0", "k0", "k1"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key", "k1-long-key"}, expectedStatusCode: http.StatusTooManyRequests, expectedRetryAfter: "3", expectedKeyStates: []keypool.KeyState{ keypool.KeyStateTemporary, keypool.KeyStateTemporary, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, } @@ -397,7 +418,7 @@ func TestBlockingInterception_AgenticLoopFailover(t *testing.T) { })) t.Cleanup(upstream.Close) - pool, err := keypool.New([]string{"k0", "k1"}, quartz.NewMock(t)) + pool, err := keypool.New([]string{"k0-long-key", "k1-long-key"}, quartz.NewMock(t)) require.NoError(t, err) cfg := config.Anthropic{ @@ -447,6 +468,7 @@ func TestBlockingInterception_AgenticLoopFailover(t *testing.T) { assert.Equal(t, tc.expectedRequestCount, requestCount.Load(), "upstream request count") assert.Equal(t, tc.expectedStatusCode, w.Code, "response status code") assert.Equal(t, tc.expectedRetryAfter, w.Header().Get("Retry-After"), "Retry-After header") + assert.Equal(t, tc.expectedCredentialHint, interceptor.Credential().Hint, "credential hint") seenKeysMu.Lock() defer seenKeysMu.Unlock() diff --git a/aibridge/intercept/messages/streaming.go b/aibridge/intercept/messages/streaming.go index 475f32c99c..47c49528a9 100644 --- a/aibridge/intercept/messages/streaming.go +++ b/aibridge/intercept/messages/streaming.go @@ -195,6 +195,11 @@ newStream: break } currentKey = key + // Record the key in use so the hint reflects the last attempted key. + i.credential = intercept.NewCredentialInfo(intercept.CredentialKindCentralized, key.Value()) + logger.Debug(ctx, "using centralized api key", + slog.F("credential_hint", i.Credential().Hint), slog.F("credential_length", i.Credential().Length)) + streamOpts = append(streamOpts, option.WithAPIKey(key.Value()), // Disable SDK retries because the failover diff --git a/aibridge/intercept/messages/streaming_internal_test.go b/aibridge/intercept/messages/streaming_internal_test.go index 97f48d4cc3..5fc7da00df 100644 --- a/aibridge/intercept/messages/streaming_internal_test.go +++ b/aibridge/intercept/messages/streaming_internal_test.go @@ -21,6 +21,7 @@ import ( "github.com/coder/coder/v2/aibridge/internal/testutil" "github.com/coder/coder/v2/aibridge/keypool" "github.com/coder/coder/v2/aibridge/mcp" + "github.com/coder/coder/v2/aibridge/utils" "github.com/coder/quartz" ) @@ -60,36 +61,40 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { expectedRetryAfter string // Expected key states after the request, by index in keys. expectedKeyStates []keypool.KeyState + // Expected credential hint after ProcessRequest: last + // attempted key for centralized, user key from initial request for BYOK. + expectedCredentialHint string }{ { // Given: 1 valid key returning a successful stream. // Then: 1 request, 200 response, key remains valid. name: "single_valid_key", - keys: []string{"k0"}, + keys: []string{"k0-long-key"}, responses: map[string]upstreamResponse{ - "k0": { + "k0-long-key": { statusCode: http.StatusOK, headers: map[string]string{"Content-Type": "text/event-stream"}, body: streamingSuccessBody, }, }, - expectedRequestCount: 1, - expectedStatusCode: http.StatusOK, - expectedKeyStates: []keypool.KeyState{keypool.KeyStateValid}, + expectedRequestCount: 1, + expectedStatusCode: http.StatusOK, + expectedKeyStates: []keypool.KeyState{keypool.KeyStateValid}, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: 2 keys; key-0 returns 429 pre-stream, key-1 // streams successfully. // Then: 2 requests, 200 response, key-0 temporary, key-1 valid. name: "failover_after_429", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": { + "k0-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "5"}, body: rateLimitBody, }, - "k1": { + "k1-long-key": { statusCode: http.StatusOK, headers: map[string]string{"Content-Type": "text/event-stream"}, body: streamingSuccessBody, @@ -101,16 +106,17 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { keypool.KeyStateTemporary, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 401 pre-stream, key-1 // streams successfully. // Then: 2 requests, 200 response, key-0 permanent, key-1 valid. name: "failover_after_401", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusUnauthorized, body: authErrorBody}, - "k1": { + "k0-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k1-long-key": { statusCode: http.StatusOK, headers: map[string]string{"Content-Type": "text/event-stream"}, body: streamingSuccessBody, @@ -122,15 +128,16 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 403 pre-stream, key-1 streams. // Then: 2 requests, 200 response, key-0 permanent, key-1 valid. name: "failover_after_403", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusForbidden, body: authErrorBody}, - "k1": { + "k0-long-key": {statusCode: http.StatusForbidden, body: authErrorBody}, + "k1-long-key": { statusCode: http.StatusOK, headers: map[string]string{"Content-Type": "text/event-stream"}, body: streamingSuccessBody, @@ -142,6 +149,7 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 3 keys; all return 429 pre-stream with @@ -149,19 +157,19 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { // Then: 3 requests, 429 response with smallest // Retry-After, all keys temporary. name: "all_keys_rate_limited", - keys: []string{"k0", "k1", "k2"}, + keys: []string{"k0-long-key", "k1-long-key", "k2-long-key"}, responses: map[string]upstreamResponse{ - "k0": { + "k0-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "5"}, body: rateLimitBody, }, - "k1": { + "k1-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "3"}, body: rateLimitBody, }, - "k2": { + "k2-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "10"}, body: rateLimitBody, @@ -175,15 +183,16 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { keypool.KeyStateTemporary, keypool.KeyStateTemporary, }, + expectedCredentialHint: utils.MaskSecret("k2-long-key"), }, { // Given: 2 keys; both return 401 pre-stream. // Then: 2 requests, 502 api_error response, both keys permanent. name: "all_keys_unauthorized", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusUnauthorized, body: authErrorBody}, - "k1": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k0-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k1-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, }, expectedRequestCount: 2, expectedStatusCode: http.StatusBadGateway, @@ -191,14 +200,15 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStatePermanent, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 500 pre-stream. // Then: 1 request, 500 response, both keys remain valid. name: "server_error_no_failover", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusInternalServerError, body: serverErrorBody}, + "k0-long-key": {statusCode: http.StatusInternalServerError, body: serverErrorBody}, }, expectedRequestCount: 1, expectedStatusCode: http.StatusInternalServerError, @@ -206,6 +216,7 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { keypool.KeyStateValid, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: BYOK with a single key returning 429. @@ -226,9 +237,10 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { body: rateLimitBody, }, }, - expectedRequestCount: 1, - expectedStatusCode: http.StatusTooManyRequests, - expectedRetryAfter: "5", + expectedRequestCount: 1, + expectedStatusCode: http.StatusTooManyRequests, + expectedRetryAfter: "5", + expectedCredentialHint: utils.MaskSecret("user-byok"), }, } @@ -258,6 +270,7 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { cfg := config.Anthropic{BaseURL: upstream.URL + "/"} var pool *keypool.Pool + credInfo := intercept.NewCredentialInfo(intercept.CredentialKindCentralized, "") if len(tc.keys) > 0 { var err error pool, err = keypool.New(tc.keys, quartz.NewMock(t)) @@ -265,6 +278,7 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { cfg.KeyPool = pool } else if tc.byokKey != "" { cfg.Key = tc.byokKey + credInfo = intercept.NewCredentialInfo(intercept.CredentialKindBYOK, tc.byokKey) } payload, err := NewRequestPayload([]byte(requestBody)) @@ -279,7 +293,7 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { http.Header{}, "X-Api-Key", otel.Tracer("streaming_test"), - intercept.NewCredentialInfo(intercept.CredentialKindCentralized, ""), + credInfo, ) interceptor.Setup(slog.Make(), &testutil.MockRecorder{}, nil) @@ -301,6 +315,7 @@ func TestStreamingInterception_KeyFailover(t *testing.T) { if pool != nil { assert.Equal(t, tc.expectedKeyStates, pool.PoolState(), "key states") } + assert.Equal(t, tc.expectedCredentialHint, interceptor.Credential().Hint, "credential hint") }) } } @@ -387,6 +402,9 @@ func TestStreamingInterception_AgenticLoopFailover(t *testing.T) { // error (e.g. all keys exhausted). expectedErr bool expectedKeyStates []keypool.KeyState + // Expected credential hint after ProcessRequest: hint of the + // last attempted key across all agentic-loop iterations. + expectedCredentialHint string }{ { // Given: 2 keys; both upstream calls succeed on key-0. @@ -397,13 +415,14 @@ func TestStreamingInterception_AgenticLoopFailover(t *testing.T) { {statusCode: http.StatusOK, headers: sseHeaders, body: textStreamBody}, }, expectedRequestCount: 2, - expectedSeenKeys: []string{"k0", "k0"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key"}, expectedBodyContains: "done", expectErrorAsSSEEvent: false, expectedKeyStates: []keypool.KeyState{ keypool.KeyStateValid, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: 2 keys; key-0 succeeds initially, then 429s @@ -421,13 +440,14 @@ func TestStreamingInterception_AgenticLoopFailover(t *testing.T) { {statusCode: http.StatusOK, headers: sseHeaders, body: textStreamBody}, }, expectedRequestCount: 3, - expectedSeenKeys: []string{"k0", "k0", "k1"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key", "k1-long-key"}, expectedBodyContains: "done", expectErrorAsSSEEvent: false, expectedKeyStates: []keypool.KeyState{ keypool.KeyStateTemporary, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 succeeds initially, then both @@ -453,7 +473,7 @@ func TestStreamingInterception_AgenticLoopFailover(t *testing.T) { }, }, expectedRequestCount: 3, - expectedSeenKeys: []string{"k0", "k0", "k1"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key", "k1-long-key"}, expectedBodyContains: "all configured keys are rate-limited", expectErrorAsSSEEvent: true, expectedErr: true, @@ -461,6 +481,7 @@ func TestStreamingInterception_AgenticLoopFailover(t *testing.T) { keypool.KeyStateTemporary, keypool.KeyStateTemporary, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, } @@ -494,7 +515,7 @@ func TestStreamingInterception_AgenticLoopFailover(t *testing.T) { })) t.Cleanup(upstream.Close) - pool, err := keypool.New([]string{"k0", "k1"}, quartz.NewMock(t)) + pool, err := keypool.New([]string{"k0-long-key", "k1-long-key"}, quartz.NewMock(t)) require.NoError(t, err) cfg := config.Anthropic{ @@ -553,6 +574,7 @@ func TestStreamingInterception_AgenticLoopFailover(t *testing.T) { defer seenKeysMu.Unlock() assert.Equal(t, tc.expectedSeenKeys, seenKeys, "seen keys") assert.Equal(t, tc.expectedKeyStates, pool.PoolState(), "key states") + assert.Equal(t, tc.expectedCredentialHint, interceptor.Credential().Hint, "credential hint") }) } } diff --git a/aibridge/intercept/responses/blocking.go b/aibridge/intercept/responses/blocking.go index 9726b6f750..892dc1e71d 100644 --- a/aibridge/intercept/responses/blocking.go +++ b/aibridge/intercept/responses/blocking.go @@ -171,15 +171,16 @@ func (i *BlockingResponsesInterceptor) newResponseWithKey(ctx context.Context, s // Errors that aren't key-specific don't trigger failover and // are returned to the caller. func (i *BlockingResponsesInterceptor) newResponseWithKeyFailover(ctx context.Context, srv responses.ResponseService, opts []option.RequestOption) (*responses.Response, error) { - // TODO(ssncferreira): update the interception's credential - // hint with the actually-used key (the successful key on - // success, the last tried key on failure) in the upstack PR. walker := i.cfg.KeyPool.Walker() for { key, keyPoolErr := walker.Next() if keyPoolErr != nil { return nil, keyPoolErr } + // Record the key in use so the hint reflects the last attempted key. + i.credential = intercept.NewCredentialInfo(intercept.CredentialKindCentralized, key.Value()) + i.logger.Debug(ctx, "using centralized api key", + slog.F("credential_hint", i.Credential().Hint), slog.F("credential_length", i.Credential().Length)) requestOpts := append([]option.RequestOption{}, opts...) requestOpts = append(requestOpts, diff --git a/aibridge/intercept/responses/blocking_internal_test.go b/aibridge/intercept/responses/blocking_internal_test.go index 678c2ce0f3..94acf0deef 100644 --- a/aibridge/intercept/responses/blocking_internal_test.go +++ b/aibridge/intercept/responses/blocking_internal_test.go @@ -58,31 +58,35 @@ func TestBlockingResponsesInterceptor_KeyFailover(t *testing.T) { expectedRetryAfter string // Expected key states after the request, by index in keys. expectedKeyStates []keypool.KeyState + // Expected credential hint after ProcessRequest: last + // attempted key for centralized, user key from initial request for BYOK. + expectedCredentialHint string }{ { // Given: 1 valid key returning 200. // Then: 1 request, 200 response, key remains valid. name: "single_valid_key", - keys: []string{"k0"}, + keys: []string{"k0-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusOK, body: successBody}, + "k0-long-key": {statusCode: http.StatusOK, body: successBody}, }, - expectedRequestCount: 1, - expectedStatusCode: http.StatusOK, - expectedKeyStates: []keypool.KeyState{keypool.KeyStateValid}, + expectedRequestCount: 1, + expectedStatusCode: http.StatusOK, + expectedKeyStates: []keypool.KeyState{keypool.KeyStateValid}, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: 2 keys; key-0 returns 429, key-1 returns 200. // Then: 2 requests, 200 response, key-0 temporary, key-1 valid. name: "failover_after_429", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": { + "k0-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "5"}, body: rateLimitBody, }, - "k1": {statusCode: http.StatusOK, body: successBody}, + "k1-long-key": {statusCode: http.StatusOK, body: successBody}, }, expectedRequestCount: 2, expectedStatusCode: http.StatusOK, @@ -90,15 +94,16 @@ func TestBlockingResponsesInterceptor_KeyFailover(t *testing.T) { keypool.KeyStateTemporary, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 401, key-1 returns 200. // Then: 2 requests, 200 response, key-0 permanent, key-1 valid. name: "failover_after_401", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusUnauthorized, body: authErrorBody}, - "k1": {statusCode: http.StatusOK, body: successBody}, + "k0-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k1-long-key": {statusCode: http.StatusOK, body: successBody}, }, expectedRequestCount: 2, expectedStatusCode: http.StatusOK, @@ -106,15 +111,16 @@ func TestBlockingResponsesInterceptor_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 403, key-1 returns 200. // Then: 2 requests, 200 response, key-0 permanent, key-1 valid. name: "failover_after_403", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusForbidden, body: authErrorBody}, - "k1": {statusCode: http.StatusOK, body: successBody}, + "k0-long-key": {statusCode: http.StatusForbidden, body: authErrorBody}, + "k1-long-key": {statusCode: http.StatusOK, body: successBody}, }, expectedRequestCount: 2, expectedStatusCode: http.StatusOK, @@ -122,25 +128,26 @@ func TestBlockingResponsesInterceptor_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 3 keys; all return 429 with cooldowns 5s, 3s, 10s. // Then: 3 requests, 429 response with smallest Retry-After, // all keys temporary. name: "all_keys_rate_limited", - keys: []string{"k0", "k1", "k2"}, + keys: []string{"k0-long-key", "k1-long-key", "k2-long-key"}, responses: map[string]upstreamResponse{ - "k0": { + "k0-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "5"}, body: rateLimitBody, }, - "k1": { + "k1-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "3"}, body: rateLimitBody, }, - "k2": { + "k2-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "10"}, body: rateLimitBody, @@ -154,15 +161,16 @@ func TestBlockingResponsesInterceptor_KeyFailover(t *testing.T) { keypool.KeyStateTemporary, keypool.KeyStateTemporary, }, + expectedCredentialHint: utils.MaskSecret("k2-long-key"), }, { // Given: 2 keys; both return 401. // Then: 2 requests, 502 api_error response, both keys permanent. name: "all_keys_unauthorized", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusUnauthorized, body: authErrorBody}, - "k1": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k0-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k1-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, }, expectedRequestCount: 2, expectedStatusCode: http.StatusBadGateway, @@ -170,14 +178,15 @@ func TestBlockingResponsesInterceptor_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStatePermanent, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 500. // Then: 1 request, 500 response, both keys remain valid. name: "server_error_no_failover", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusInternalServerError, body: serverErrorBody}, + "k0-long-key": {statusCode: http.StatusInternalServerError, body: serverErrorBody}, }, expectedRequestCount: 1, expectedStatusCode: http.StatusInternalServerError, @@ -185,6 +194,7 @@ func TestBlockingResponsesInterceptor_KeyFailover(t *testing.T) { keypool.KeyStateValid, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: BYOK with a single key returning 429. @@ -204,8 +214,9 @@ func TestBlockingResponsesInterceptor_KeyFailover(t *testing.T) { body: rateLimitBody, }, }, - expectedRequestCount: 1, - expectedStatusCode: http.StatusTooManyRequests, + expectedRequestCount: 1, + expectedStatusCode: http.StatusTooManyRequests, + expectedCredentialHint: utils.MaskSecret("user-byok"), }, } @@ -235,6 +246,7 @@ func TestBlockingResponsesInterceptor_KeyFailover(t *testing.T) { t.Cleanup(upstream.Close) cfg := config.OpenAI{BaseURL: upstream.URL + "/"} + credInfo := intercept.NewCredentialInfo(intercept.CredentialKindCentralized, "") var pool *keypool.Pool if len(tc.keys) > 0 { var err error @@ -243,6 +255,7 @@ func TestBlockingResponsesInterceptor_KeyFailover(t *testing.T) { cfg.KeyPool = pool } else if tc.byokKey != "" { cfg.Key = tc.byokKey + credInfo = intercept.NewCredentialInfo(intercept.CredentialKindBYOK, tc.byokKey) } payload, err := NewRequestPayload([]byte(requestBody)) @@ -256,7 +269,7 @@ func TestBlockingResponsesInterceptor_KeyFailover(t *testing.T) { http.Header{}, "Authorization", otel.Tracer("blocking_test"), - intercept.NewCredentialInfo(intercept.CredentialKindCentralized, ""), + credInfo, ) interceptor.Setup(slog.Make(), &testutil.MockRecorder{}, nil) @@ -272,6 +285,7 @@ func TestBlockingResponsesInterceptor_KeyFailover(t *testing.T) { assert.Equal(t, tc.expectedRequestCount, requestCount.Load(), "upstream request count") assert.Equal(t, tc.expectedStatusCode, w.Code, "response status code") assert.Equal(t, tc.expectedRetryAfter, w.Header().Get("Retry-After"), "Retry-After header") + assert.Equal(t, tc.expectedCredentialHint, interceptor.Credential().Hint, "credential hint") if pool != nil { assert.Equal(t, tc.expectedKeyStates, pool.PoolState(), "key states") } @@ -296,6 +310,9 @@ func TestBlockingResponsesInterceptor_AgenticLoopFailover(t *testing.T) { expectedSeenKeys []string expectedStatusCode int expectedKeyStates []keypool.KeyState + // Expected credential hint after ProcessRequest: hint of the + // last attempted key across all agentic-loop iterations. + expectedCredentialHint string }{ { // Given: 2 keys; both upstream calls succeed on key-0. @@ -306,12 +323,13 @@ func TestBlockingResponsesInterceptor_AgenticLoopFailover(t *testing.T) { {statusCode: http.StatusOK, body: textCompleteBody}, }, expectedRequestCount: 2, - expectedSeenKeys: []string{"k0", "k0"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key"}, expectedStatusCode: http.StatusOK, expectedKeyStates: []keypool.KeyState{ keypool.KeyStateValid, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: 2 keys; key-0 succeeds initially, then 429s @@ -329,12 +347,13 @@ func TestBlockingResponsesInterceptor_AgenticLoopFailover(t *testing.T) { {statusCode: http.StatusOK, body: textCompleteBody}, }, expectedRequestCount: 3, - expectedSeenKeys: []string{"k0", "k0", "k1"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key", "k1-long-key"}, expectedStatusCode: http.StatusOK, expectedKeyStates: []keypool.KeyState{ keypool.KeyStateTemporary, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 succeeds initially, then both @@ -356,12 +375,13 @@ func TestBlockingResponsesInterceptor_AgenticLoopFailover(t *testing.T) { }, }, expectedRequestCount: 3, - expectedSeenKeys: []string{"k0", "k0", "k1"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key", "k1-long-key"}, expectedStatusCode: http.StatusTooManyRequests, expectedKeyStates: []keypool.KeyState{ keypool.KeyStateTemporary, keypool.KeyStateTemporary, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, } @@ -396,7 +416,7 @@ func TestBlockingResponsesInterceptor_AgenticLoopFailover(t *testing.T) { })) t.Cleanup(upstream.Close) - pool, err := keypool.New([]string{"k0", "k1"}, quartz.NewMock(t)) + pool, err := keypool.New([]string{"k0-long-key", "k1-long-key"}, quartz.NewMock(t)) require.NoError(t, err) cfg := config.OpenAI{ @@ -444,6 +464,7 @@ func TestBlockingResponsesInterceptor_AgenticLoopFailover(t *testing.T) { assert.Equal(t, tc.expectedRequestCount, requestCount.Load(), "upstream request count") assert.Equal(t, tc.expectedStatusCode, w.Code, "response status code") + assert.Equal(t, tc.expectedCredentialHint, interceptor.Credential().Hint, "credential hint") seenKeysMu.Lock() defer seenKeysMu.Unlock() diff --git a/aibridge/intercept/responses/streaming.go b/aibridge/intercept/responses/streaming.go index 2140c5e6c8..3b38b7a7e6 100644 --- a/aibridge/intercept/responses/streaming.go +++ b/aibridge/intercept/responses/streaming.go @@ -144,6 +144,11 @@ func (i *StreamingResponsesInterceptor) ProcessRequest(w http.ResponseWriter, r return xerrors.Errorf("key pool exhausted: %w", keyPoolErr) } currentKey = key + // Record the key in use so the hint reflects the last attempted key. + i.credential = intercept.NewCredentialInfo(intercept.CredentialKindCentralized, key.Value()) + i.logger.Debug(ctx, "using centralized api key", + slog.F("credential_hint", i.Credential().Hint), slog.F("credential_length", i.Credential().Length)) + opts = append(opts, option.WithAPIKey(key.Value()), // Disable SDK retries because the failover diff --git a/aibridge/intercept/responses/streaming_internal_test.go b/aibridge/intercept/responses/streaming_internal_test.go index 3226147cbd..4f20d76c17 100644 --- a/aibridge/intercept/responses/streaming_internal_test.go +++ b/aibridge/intercept/responses/streaming_internal_test.go @@ -51,36 +51,40 @@ func TestStreamingResponsesInterceptor_KeyFailover(t *testing.T) { expectedRetryAfter string // Expected key states after the request, by index in keys. expectedKeyStates []keypool.KeyState + // Expected credential hint after ProcessRequest: last + // attempted key for centralized, user key from initial request for BYOK. + expectedCredentialHint string }{ { // Given: 1 valid key returning a successful stream. // Then: 1 request, 200 response, key remains valid. name: "single_valid_key", - keys: []string{"k0"}, + keys: []string{"k0-long-key"}, responses: map[string]upstreamResponse{ - "k0": { + "k0-long-key": { statusCode: http.StatusOK, headers: map[string]string{"Content-Type": "text/event-stream"}, body: streamingSuccessBody, }, }, - expectedRequestCount: 1, - expectedStatusCode: http.StatusOK, - expectedKeyStates: []keypool.KeyState{keypool.KeyStateValid}, + expectedRequestCount: 1, + expectedStatusCode: http.StatusOK, + expectedKeyStates: []keypool.KeyState{keypool.KeyStateValid}, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: 2 keys; key-0 returns 429 pre-stream, key-1 // streams successfully. // Then: 2 requests, 200 response, key-0 temporary, key-1 valid. name: "failover_after_429", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": { + "k0-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "5"}, body: rateLimitBody, }, - "k1": { + "k1-long-key": { statusCode: http.StatusOK, headers: map[string]string{"Content-Type": "text/event-stream"}, body: streamingSuccessBody, @@ -92,16 +96,17 @@ func TestStreamingResponsesInterceptor_KeyFailover(t *testing.T) { keypool.KeyStateTemporary, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 401 pre-stream, key-1 // streams successfully. // Then: 2 requests, 200 response, key-0 permanent, key-1 valid. name: "failover_after_401", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusUnauthorized, body: authErrorBody}, - "k1": { + "k0-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k1-long-key": { statusCode: http.StatusOK, headers: map[string]string{"Content-Type": "text/event-stream"}, body: streamingSuccessBody, @@ -113,15 +118,16 @@ func TestStreamingResponsesInterceptor_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 403 pre-stream, key-1 streams. // Then: 2 requests, 200 response, key-0 permanent, key-1 valid. name: "failover_after_403", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusForbidden, body: authErrorBody}, - "k1": { + "k0-long-key": {statusCode: http.StatusForbidden, body: authErrorBody}, + "k1-long-key": { statusCode: http.StatusOK, headers: map[string]string{"Content-Type": "text/event-stream"}, body: streamingSuccessBody, @@ -133,6 +139,7 @@ func TestStreamingResponsesInterceptor_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 3 keys; all return 429 pre-stream with @@ -140,19 +147,19 @@ func TestStreamingResponsesInterceptor_KeyFailover(t *testing.T) { // Then: 3 requests, 429 response with smallest // Retry-After, all keys temporary. name: "all_keys_rate_limited", - keys: []string{"k0", "k1", "k2"}, + keys: []string{"k0-long-key", "k1-long-key", "k2-long-key"}, responses: map[string]upstreamResponse{ - "k0": { + "k0-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "5"}, body: rateLimitBody, }, - "k1": { + "k1-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "3"}, body: rateLimitBody, }, - "k2": { + "k2-long-key": { statusCode: http.StatusTooManyRequests, headers: map[string]string{"Retry-After": "10"}, body: rateLimitBody, @@ -166,15 +173,16 @@ func TestStreamingResponsesInterceptor_KeyFailover(t *testing.T) { keypool.KeyStateTemporary, keypool.KeyStateTemporary, }, + expectedCredentialHint: utils.MaskSecret("k2-long-key"), }, { // Given: 2 keys; both return 401 pre-stream. // Then: 2 requests, 502 api_error response, both keys permanent. name: "all_keys_unauthorized", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusUnauthorized, body: authErrorBody}, - "k1": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k0-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, + "k1-long-key": {statusCode: http.StatusUnauthorized, body: authErrorBody}, }, expectedRequestCount: 2, expectedStatusCode: http.StatusBadGateway, @@ -182,14 +190,15 @@ func TestStreamingResponsesInterceptor_KeyFailover(t *testing.T) { keypool.KeyStatePermanent, keypool.KeyStatePermanent, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 returns 500 pre-stream. // Then: 1 request, 500 response, both keys remain valid. name: "server_error_no_failover", - keys: []string{"k0", "k1"}, + keys: []string{"k0-long-key", "k1-long-key"}, responses: map[string]upstreamResponse{ - "k0": {statusCode: http.StatusInternalServerError, body: serverErrorBody}, + "k0-long-key": {statusCode: http.StatusInternalServerError, body: serverErrorBody}, }, expectedRequestCount: 1, expectedStatusCode: http.StatusInternalServerError, @@ -197,6 +206,7 @@ func TestStreamingResponsesInterceptor_KeyFailover(t *testing.T) { keypool.KeyStateValid, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: BYOK with a single key returning 429. @@ -216,8 +226,9 @@ func TestStreamingResponsesInterceptor_KeyFailover(t *testing.T) { body: rateLimitBody, }, }, - expectedRequestCount: 1, - expectedStatusCode: http.StatusTooManyRequests, + expectedRequestCount: 1, + expectedStatusCode: http.StatusTooManyRequests, + expectedCredentialHint: utils.MaskSecret("user-byok"), }, } @@ -246,6 +257,7 @@ func TestStreamingResponsesInterceptor_KeyFailover(t *testing.T) { t.Cleanup(upstream.Close) cfg := config.OpenAI{BaseURL: upstream.URL + "/"} + credInfo := intercept.NewCredentialInfo(intercept.CredentialKindCentralized, "") var pool *keypool.Pool if len(tc.keys) > 0 { var err error @@ -254,6 +266,7 @@ func TestStreamingResponsesInterceptor_KeyFailover(t *testing.T) { cfg.KeyPool = pool } else if tc.byokKey != "" { cfg.Key = tc.byokKey + credInfo = intercept.NewCredentialInfo(intercept.CredentialKindBYOK, tc.byokKey) } payload, err := NewRequestPayload([]byte(streamingRequestBody)) @@ -267,7 +280,7 @@ func TestStreamingResponsesInterceptor_KeyFailover(t *testing.T) { http.Header{}, "Authorization", otel.Tracer("streaming_test"), - intercept.NewCredentialInfo(intercept.CredentialKindCentralized, ""), + credInfo, ) interceptor.Setup(slog.Make(), &testutil.MockRecorder{}, nil) @@ -283,6 +296,7 @@ func TestStreamingResponsesInterceptor_KeyFailover(t *testing.T) { assert.Equal(t, tc.expectedRequestCount, requestCount.Load(), "upstream request count") assert.Equal(t, tc.expectedStatusCode, w.Code, "response status code") assert.Equal(t, tc.expectedRetryAfter, w.Header().Get("Retry-After"), "Retry-After header") + assert.Equal(t, tc.expectedCredentialHint, interceptor.Credential().Hint, "credential hint") if pool != nil { assert.Equal(t, tc.expectedKeyStates, pool.PoolState(), "key states") } @@ -339,6 +353,9 @@ func TestStreamingResponsesInterceptor_AgenticLoopFailover(t *testing.T) { // error (e.g. all keys exhausted). expectedErr bool expectedKeyStates []keypool.KeyState + // Expected credential hint after ProcessRequest: hint of the + // last attempted key across all agentic-loop iterations. + expectedCredentialHint string }{ { // Given: 2 keys; both upstream calls succeed on key-0. @@ -349,12 +366,13 @@ func TestStreamingResponsesInterceptor_AgenticLoopFailover(t *testing.T) { {statusCode: http.StatusOK, headers: sseHeaders, body: textStreamBody}, }, expectedRequestCount: 2, - expectedSeenKeys: []string{"k0", "k0"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key"}, expectedBodyContains: "done", expectedKeyStates: []keypool.KeyState{ keypool.KeyStateValid, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k0-long-key"), }, { // Given: 2 keys; key-0 succeeds initially, then 429s @@ -372,12 +390,13 @@ func TestStreamingResponsesInterceptor_AgenticLoopFailover(t *testing.T) { {statusCode: http.StatusOK, headers: sseHeaders, body: textStreamBody}, }, expectedRequestCount: 3, - expectedSeenKeys: []string{"k0", "k0", "k1"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key", "k1-long-key"}, expectedBodyContains: "done", expectedKeyStates: []keypool.KeyState{ keypool.KeyStateTemporary, keypool.KeyStateValid, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, { // Given: 2 keys; key-0 succeeds initially, then both @@ -399,13 +418,14 @@ func TestStreamingResponsesInterceptor_AgenticLoopFailover(t *testing.T) { }, }, expectedRequestCount: 3, - expectedSeenKeys: []string{"k0", "k0", "k1"}, + expectedSeenKeys: []string{"k0-long-key", "k0-long-key", "k1-long-key"}, expectedBodyContains: "all configured keys are rate-limited", expectedErr: true, expectedKeyStates: []keypool.KeyState{ keypool.KeyStateTemporary, keypool.KeyStateTemporary, }, + expectedCredentialHint: utils.MaskSecret("k1-long-key"), }, } @@ -439,7 +459,7 @@ func TestStreamingResponsesInterceptor_AgenticLoopFailover(t *testing.T) { })) t.Cleanup(upstream.Close) - pool, err := keypool.New([]string{"k0", "k1"}, quartz.NewMock(t)) + pool, err := keypool.New([]string{"k0-long-key", "k1-long-key"}, quartz.NewMock(t)) require.NoError(t, err) cfg := config.OpenAI{ @@ -489,6 +509,7 @@ func TestStreamingResponsesInterceptor_AgenticLoopFailover(t *testing.T) { assert.Equal(t, tc.expectedRequestCount, requestCount.Load(), "upstream request count") body := w.Body.String() assert.Contains(t, body, tc.expectedBodyContains, "response body") + assert.Equal(t, tc.expectedCredentialHint, interceptor.Credential().Hint, "credential hint") seenKeysMu.Lock() defer seenKeysMu.Unlock() diff --git a/aibridge/internal/testutil/mockprovider.go b/aibridge/internal/testutil/mockprovider.go index 0fd85d2863..e5015cd870 100644 --- a/aibridge/internal/testutil/mockprovider.go +++ b/aibridge/internal/testutil/mockprovider.go @@ -15,6 +15,7 @@ import ( type MockProvider struct { NameStr string URL string + Disabled bool Bridged []string Passthrough []string InterceptorFunc func(w http.ResponseWriter, r *http.Request, tracer trace.Tracer) (intercept.Interceptor, error) @@ -22,6 +23,7 @@ type MockProvider struct { func (m *MockProvider) Type() string { return m.NameStr } func (m *MockProvider) Name() string { return m.NameStr } +func (m *MockProvider) Enabled() bool { return !m.Disabled } func (m *MockProvider) BaseURL() string { return m.URL } func (m *MockProvider) RoutePrefix() string { return fmt.Sprintf("/%s", m.NameStr) } func (m *MockProvider) BridgedRoutes() []string { return m.Bridged } diff --git a/aibridge/keypool/keymark.go b/aibridge/keypool/keymark.go index 9b00bb400a..9dfedb3e44 100644 --- a/aibridge/keypool/keymark.go +++ b/aibridge/keypool/keymark.go @@ -5,7 +5,6 @@ import ( "net/http" "cdr.dev/slog/v3" - "github.com/coder/coder/v2/aibridge/utils" ) // MarkKeyOnStatus marks key based on a key-specific HTTP @@ -32,7 +31,7 @@ func MarkKeyOnStatus( if key.MarkTemporary(cooldown) { logger.Info(ctx, "key marked temporary", slog.F("provider", providerName), - slog.F("api_key_hint", utils.MaskSecret(key.Value())), + slog.F("api_key_hint", key.Hint()), slog.F("status", statusCode), slog.F("cooldown", cooldown)) } @@ -41,7 +40,7 @@ func MarkKeyOnStatus( if key.MarkPermanent() { logger.Warn(ctx, "key marked permanent", slog.F("provider", providerName), - slog.F("api_key_hint", utils.MaskSecret(key.Value())), + slog.F("api_key_hint", key.Hint()), slog.F("status", statusCode)) } return true diff --git a/aibridge/keypool/keypool.go b/aibridge/keypool/keypool.go index 55d1712a93..e28ae78325 100644 --- a/aibridge/keypool/keypool.go +++ b/aibridge/keypool/keypool.go @@ -7,6 +7,7 @@ import ( "golang.org/x/xerrors" + "github.com/coder/coder/v2/aibridge/utils" "github.com/coder/quartz" ) @@ -116,6 +117,12 @@ func (k *Key) Value() string { return k.value } +// Hint returns a masked, identifiable fragment of the key, suitable +// for logs and persisted records. +func (k *Key) Hint() string { + return utils.MaskSecret(k.value) +} + // State returns the current state of the key, derived from its // permanent flag and cooldown deadline. func (k *Key) State() KeyState { diff --git a/aibridge/mcp/mcphttpclient.go b/aibridge/mcp/mcphttpclient.go new file mode 100644 index 0000000000..1685bcf795 --- /dev/null +++ b/aibridge/mcp/mcphttpclient.go @@ -0,0 +1,25 @@ +package mcp + +import ( + "net/http" + "testing" +) + +// mcpHTTPClient returns an isolated *http.Client when running +// inside tests, or nil for production. During tests, +// httptest.Server.Close() calls +// http.DefaultTransport.CloseIdleConnections(), which disrupts +// any MCP client sharing that transport. When DefaultTransport +// is a *http.Transport it is cloned; otherwise a minimal +// transport with ProxyFromEnvironment is created as a fallback. +func mcpHTTPClient() *http.Client { + if !testing.Testing() { + return nil + } + if dt, ok := http.DefaultTransport.(*http.Transport); ok { + return &http.Client{Transport: dt.Clone()} + } + return &http.Client{Transport: &http.Transport{ + Proxy: http.ProxyFromEnvironment, + }} +} diff --git a/aibridge/mcp/proxy_streamable_http.go b/aibridge/mcp/proxy_streamable_http.go index 132c03965a..108a710d19 100644 --- a/aibridge/mcp/proxy_streamable_http.go +++ b/aibridge/mcp/proxy_streamable_http.go @@ -39,6 +39,17 @@ func NewStreamableHTTPServerProxy(serverName, serverURL string, headers map[stri opts = append(opts, transport.WithHTTPHeaders(headers)) } + // Prepend an isolated HTTP client when running in tests so + // httptest.Server.Close() does not disrupt this proxy's + // connections via http.DefaultTransport.CloseIdleConnections(). + // Caller-provided WithHTTPBasicClient in opts overrides this + // (last-wins). + if c := mcpHTTPClient(); c != nil { + opts = append([]transport.StreamableHTTPCOption{ + transport.WithHTTPBasicClient(c), + }, opts...) + } + mcpClient, err := client.NewStreamableHttpClient(serverURL, opts...) if err != nil { return nil, xerrors.Errorf("create streamable http client: %w", err) diff --git a/aibridge/provider/anthropic.go b/aibridge/provider/anthropic.go index eb50a3b296..d053cce903 100644 --- a/aibridge/provider/anthropic.go +++ b/aibridge/provider/anthropic.go @@ -95,6 +95,8 @@ func (p *Anthropic) Name() string { return p.cfg.Name } +func (*Anthropic) Enabled() bool { return true } + func (p *Anthropic) RoutePrefix() string { return fmt.Sprintf("/%s", p.Name()) } @@ -168,15 +170,10 @@ func (p *Anthropic) CreateInterceptor(_ http.ResponseWriter, r *http.Request, tr authHeaderName = "Authorization" credKind = intercept.CredentialKindBYOK credSecret = token - } else if cfg.KeyPool != nil { - // Centralized: use the first key as a placeholder hint. - // TODO(ssncferreira): record the actually-used key in - // the interception record to reflect failover. - if key, keyPoolErr := cfg.KeyPool.Walker().Next(); keyPoolErr == nil { - credSecret = key.Value() - } } - + // Centralized leaves credSecret empty: the hint is set by the + // failover loop on each key attempt and persisted at + // end-of-interception. cred := intercept.NewCredentialInfo(credKind, credSecret) var interceptor intercept.Interceptor diff --git a/aibridge/provider/anthropic_internal_test.go b/aibridge/provider/anthropic_internal_test.go index b3d89556a8..815a83ba03 100644 --- a/aibridge/provider/anthropic_internal_test.go +++ b/aibridge/provider/anthropic_internal_test.go @@ -257,7 +257,9 @@ func TestAnthropic_CreateInterceptor_BYOK(t *testing.T) { setHeaders: map[string]string{}, wantXApiKey: "test-key", wantCredentialKind: intercept.CredentialKindCentralized, - wantCredentialHint: "t...y", + // Centralized hint is empty at CreateInterceptor; set + // by the key failover loop during ProcessRequest. + wantCredentialHint: "", }, { name: "Messages_BYOK_BearerToken_And_APIKey", diff --git a/aibridge/provider/copilot.go b/aibridge/provider/copilot.go index 1186e8b253..fd317aadab 100644 --- a/aibridge/provider/copilot.go +++ b/aibridge/provider/copilot.go @@ -78,6 +78,8 @@ func (p *Copilot) Name() string { return p.cfg.Name } +func (*Copilot) Enabled() bool { return true } + func (p *Copilot) BaseURL() string { return p.cfg.BaseURL } diff --git a/aibridge/provider/disabled.go b/aibridge/provider/disabled.go new file mode 100644 index 0000000000..95384b4952 --- /dev/null +++ b/aibridge/provider/disabled.go @@ -0,0 +1,47 @@ +package provider + +import ( + "fmt" + "net/http" + + "go.opentelemetry.io/otel/trace" + + "cdr.dev/slog/v3" + "github.com/coder/coder/v2/aibridge/config" + "github.com/coder/coder/v2/aibridge/intercept" + "github.com/coder/coder/v2/aibridge/keypool" +) + +// DisabledStub is a Provider placeholder for a configured-but-disabled +// provider. Only Name and Enabled return meaningful values; all other +// methods return empty/nil so the stub never influences routing. +type DisabledStub struct { + name string + providerType string +} + +// NewDisabledStub returns a Provider stub that reports Enabled() == false. +// The type string is preserved so callers can distinguish provider families. +func NewDisabledStub(name, providerType string) *DisabledStub { + return &DisabledStub{name: name, providerType: providerType} +} + +func (d *DisabledStub) Type() string { return d.providerType } +func (d *DisabledStub) Name() string { return d.name } +func (*DisabledStub) Enabled() bool { return false } +func (*DisabledStub) BaseURL() string { return "" } +func (d *DisabledStub) RoutePrefix() string { + return fmt.Sprintf("/%s", d.name) +} +func (*DisabledStub) BridgedRoutes() []string { return nil } +func (*DisabledStub) PassthroughRoutes() []string { return nil } +func (*DisabledStub) AuthHeader() string { return "" } +func (*DisabledStub) KeyFailoverConfig(_ slog.Logger) keypool.KeyFailoverConfig { + return keypool.KeyFailoverConfig{} +} +func (*DisabledStub) CircuitBreakerConfig() *config.CircuitBreaker { return nil } +func (*DisabledStub) APIDumpDir() string { return "" } +func (*DisabledStub) CreateInterceptor(_ http.ResponseWriter, _ *http.Request, _ trace.Tracer) (intercept.Interceptor, error) { + //nolint:nilnil // disabled providers never reach the interceptor. + return nil, nil +} diff --git a/aibridge/provider/openai.go b/aibridge/provider/openai.go index 177ae03409..88020b7eb2 100644 --- a/aibridge/provider/openai.go +++ b/aibridge/provider/openai.go @@ -84,6 +84,8 @@ func (p *OpenAI) Name() string { return p.cfg.Name } +func (*OpenAI) Enabled() bool { return true } + func (p *OpenAI) RoutePrefix() string { // Route prefix includes version to match default OpenAI base URL. // More detailed explanation: https://github.com/coder/aibridge/pull/174#discussion_r2782320152 @@ -141,14 +143,10 @@ func (p *OpenAI) CreateInterceptor(_ http.ResponseWriter, r *http.Request, trace cfg.KeyPool = nil credKind = intercept.CredentialKindBYOK credSecret = token - } else if cfg.KeyPool != nil { - // Centralized: use the first key as a placeholder hint. - // TODO(ssncferreira): record the actually-used key in - // the interception record to reflect failover. - if key, keyPoolErr := cfg.KeyPool.Walker().Next(); keyPoolErr == nil { - credSecret = key.Value() - } } + // Centralized leaves credSecret empty: the hint is set by the + // failover loop on each key attempt and persisted at + // end-of-interception. cred := intercept.NewCredentialInfo(credKind, credSecret) path := strings.TrimPrefix(r.URL.Path, p.RoutePrefix()) diff --git a/aibridge/provider/openai_internal_test.go b/aibridge/provider/openai_internal_test.go index e1afcc872c..1922d22c30 100644 --- a/aibridge/provider/openai_internal_test.go +++ b/aibridge/provider/openai_internal_test.go @@ -229,7 +229,9 @@ func TestOpenAI_CreateInterceptor(t *testing.T) { setHeaders: map[string]string{}, wantAuthorization: "Bearer centralized-key", wantCredentialKind: intercept.CredentialKindCentralized, - wantCredentialHint: "ce...ey", + // Centralized hint is empty at CreateInterceptor; set + // by the key failover loop during ProcessRequest. + wantCredentialHint: "", }, { name: "Responses_BYOK", @@ -249,7 +251,9 @@ func TestOpenAI_CreateInterceptor(t *testing.T) { setHeaders: map[string]string{}, wantAuthorization: "Bearer centralized-key", wantCredentialKind: intercept.CredentialKindCentralized, - wantCredentialHint: "ce...ey", + // Centralized hint is empty at CreateInterceptor; set + // by the key failover loop during ProcessRequest. + wantCredentialHint: "", }, // X-Api-Key should not appear in production since clients use Authorization, // but ensure it is stripped if it does arrive. diff --git a/aibridge/provider/provider.go b/aibridge/provider/provider.go index 7520333b53..6f21d7290d 100644 --- a/aibridge/provider/provider.go +++ b/aibridge/provider/provider.go @@ -53,6 +53,8 @@ type Provider interface { // Name returns the provider instance name. // Defaults to Type() when not explicitly configured. Name() string + // Enabled reports whether the provider should serve requests. + Enabled() bool // BaseURL defines the base URL endpoint for this provider's API. BaseURL() string diff --git a/aibridge/recorder/types.go b/aibridge/recorder/types.go index cd541eebd4..faa5713900 100644 --- a/aibridge/recorder/types.go +++ b/aibridge/recorder/types.go @@ -39,13 +39,20 @@ type InterceptionRecord struct { Client string UserAgent string CorrelatingToolCallID *string - CredentialKind string - CredentialHint string + // CredentialKind is always set: either BYOK or centralized. + CredentialKind string + // CredentialHint is only set for BYOK, where the key is known + // from the request. Centralized uses key failover, so the hint + // can only be determined at end-of-interception. + CredentialHint string } type InterceptionRecordEnded struct { ID string EndedAt time.Time + // CredentialHint is the hint observed at end-of-interception. + // Only applied to the DB row for centralized; ignored for BYOK. + CredentialHint string } type TokenUsageRecord struct { diff --git a/cli/agent_test.go b/cli/agent_test.go index 60e8f68642..9ea7afdcb1 100644 --- a/cli/agent_test.go +++ b/cli/agent_test.go @@ -146,8 +146,10 @@ func TestWorkspaceAgent(t *testing.T) { }).WithAgent().Do() coderURLEnv := "$CODER_URL" + headerCmd := "printf X-Process-Testing=very-wow-" + coderURLEnv + "'\\r\\n'X-Process-Testing2=more-wow" if runtime.GOOS == "windows" { coderURLEnv = "%CODER_URL%" + headerCmd = "echo X-Process-Testing=very-wow-" + coderURLEnv + "& echo X-Process-Testing2=more-wow" } logDir := t.TempDir() @@ -159,7 +161,7 @@ func TestWorkspaceAgent(t *testing.T) { "--log-dir", logDir, "--agent-header", "X-Testing=agent", "--agent-header", "Cool-Header=Ethan was Here!", - "--agent-header-command", "printf X-Process-Testing=very-wow-"+coderURLEnv+"'\\r\\n'X-Process-Testing2=more-wow", + "--agent-header-command", headerCmd, "--socket-path", testutil.AgentSocketPath(t), ) clitest.Start(t, agentInv) diff --git a/cli/aibridged.go b/cli/aibridged.go index caf67082fc..a890488a10 100644 --- a/cli/aibridged.go +++ b/cli/aibridged.go @@ -4,6 +4,7 @@ package cli import ( "context" + "slices" "github.com/google/uuid" "github.com/prometheus/client_golang/prometheus" @@ -101,10 +102,18 @@ func (r *poolDBReloader) Reload(ctx context.Context) error { return nil } -// BuildProviders loads every ai_providers row (including disabled) -// and returns the active provider list plus per-row outcomes. Per-row -// build errors are logged and excluded from providers but recorded in -// outcomes; only DB query failures propagate. +// BuildProviders loads all ai_providers rows (enabled and disabled), +// attaches keys to enabled rows, and constructs the equivalent +// [aibridge.Provider] instances. The database is the single source of +// truth for runtime provider configuration. +// +// Disabled rows produce a Provider stub with Enabled() == false so the +// bridge can answer requests targeting them with a 503 sentinel. +// +// Per-provider construction errors are logged and the offending row is +// excluded from the returned snapshot; only a failure of the DB query +// itself is propagated. This keeps a single misconfigured row from +// taking the whole daemon down. func BuildProviders(ctx context.Context, db database.Store, cfg codersdk.AIBridgeConfig, logger slog.Logger) ([]aibridge.Provider, []aibridged.ProviderOutcome, error) { //nolint:gocritic // AsAIBridged has a minimal permission set for this purpose. authCtx := dbauthz.AsAIBridged(ctx) @@ -160,12 +169,9 @@ func BuildProviders(ctx context.Context, db database.Store, cfg codersdk.AIBridg Name: row.Name, Type: string(row.Type), } - if !row.Enabled { - outcome.Status = aibridged.ProviderStatusDisabled - outcomes = append(outcomes, outcome) - continue + if row.Enabled { + enabledCount++ } - enabledCount++ prov, err := buildAIProviderFromRow(row, keysByProvider[row.ID], cfg) if err != nil { outcome.Status = aibridged.ProviderStatusError @@ -179,13 +185,17 @@ func BuildProviders(ctx context.Context, db database.Store, cfg codersdk.AIBridg ) continue } - outcome.Status = aibridged.ProviderStatusEnabled + if row.Enabled { + outcome.Status = aibridged.ProviderStatusEnabled + } else { + outcome.Status = aibridged.ProviderStatusDisabled + } outcomes = append(outcomes, outcome) providers = append(providers, prov) } - if enabledCount > 0 && len(providers) == 0 { - logger.Warn(ctx, "all enabled ai providers failed to build; daemon will start with zero providers") + if enabledCount > 0 && !slices.ContainsFunc(providers, func(p aibridge.Provider) bool { return p.Enabled() }) { + logger.Warn(ctx, "all enabled ai providers failed to build; only disabled providers remain") } return providers, outcomes, nil @@ -193,11 +203,18 @@ func BuildProviders(ctx context.Context, db database.Store, cfg codersdk.AIBridg // buildAIProviderFromRow decodes the settings blob and constructs the // appropriate [aibridge.Provider] for a single ai_providers row. +// Disabled rows return a Provider stub carrying only Name and +// Disabled: true; settings decode, key loading, and credential checks +// are skipped because the provider will never call upstream. func buildAIProviderFromRow( row database.AIProvider, keys []database.AIProviderKey, cfg codersdk.AIBridgeConfig, ) (aibridge.Provider, error) { + if !row.Enabled { + return disabledProviderFromRow(row) + } + settings, err := db2sdk.AIProviderSettings(row.Settings) if err != nil { return nil, xerrors.Errorf("decode settings: %w", err) @@ -287,6 +304,14 @@ func buildAIProviderFromRow( } } +// disabledProviderFromRow builds a Provider stub for a disabled row. +// Using provider.DisabledStub rather than a concrete provider avoids +// duplicating the row.Type switch and ensures that a new AiProviderType +// value is automatically handled without requiring a matching case here. +func disabledProviderFromRow(row database.AIProvider) (aibridge.Provider, error) { + return aibridge.NewDisabledProviderStub(row.Name, string(row.Type)), nil +} + // buildAIProviderKeyPool builds a [keypool.Pool]. Callers must check // len(keys) > 0 first; keypool.New rejects empty input. func buildAIProviderKeyPool(keys []database.AIProviderKey) (*keypool.Pool, error) { diff --git a/cli/aibridged_internal_test.go b/cli/aibridged_internal_test.go index 0226974520..6b3e1eb7ac 100644 --- a/cli/aibridged_internal_test.go +++ b/cli/aibridged_internal_test.go @@ -393,25 +393,60 @@ func TestBuildProvidersSkipsBadRows(t *testing.T) { t.Run("DisabledRowClassifiedAsDisabled", func(t *testing.T) { t.Parallel() - db, _ := dbtestutil.NewDB(t) - ctx := testutil.Context(t, testutil.WaitShort) - logger := slogtest.Make(t, nil) - dbgen.AIProvider(t, db, database.AIProvider{ - Type: database.AiProviderTypeOpenai, - Name: "openai-off", - BaseUrl: "https://api.openai.com/", - }, func(p *database.InsertAIProviderParams) { - p.Enabled = false - }) + for _, tc := range []struct { + name string + row database.AIProvider + }{ + { + name: "OpenAI", + row: database.AIProvider{ + Type: database.AiProviderTypeOpenai, + Name: "openai-off", + BaseUrl: "https://api.openai.com/", + }, + }, + { + // Anthropic and Bedrock have stricter credential checks + // than the OpenAI family; the disabled short-circuit + // must reach them too. No keys, no bedrock settings. + name: "Anthropic", + row: database.AIProvider{ + Type: database.AiProviderTypeAnthropic, + Name: "anthropic-off", + BaseUrl: "https://api.anthropic.com/", + }, + }, + { + name: "Bedrock", + row: database.AIProvider{ + Type: database.AiProviderTypeBedrock, + Name: "bedrock-off", + BaseUrl: "https://bedrock-runtime.us-east-1.amazonaws.com/", + }, + }, + } { + t.Run(tc.name, func(t *testing.T) { + t.Parallel() + db, _ := dbtestutil.NewDB(t) + ctx := testutil.Context(t, testutil.WaitShort) + logger := slogtest.Make(t, nil) - providers, outcomes, err := BuildProviders(ctx, db, codersdk.AIBridgeConfig{}, logger) - require.NoError(t, err) - assert.Empty(t, providers, "disabled providers must not be in the active snapshot") - require.Len(t, outcomes, 1) - assert.Equal(t, "openai-off", outcomes[0].Name) - assert.Equal(t, aibridged.ProviderStatusDisabled, outcomes[0].Status) - assert.NoError(t, outcomes[0].Err) + dbgen.AIProvider(t, db, tc.row, func(p *database.InsertAIProviderParams) { + p.Enabled = false + }) + + providers, outcomes, err := BuildProviders(ctx, db, codersdk.AIBridgeConfig{}, logger) + require.NoError(t, err) + require.Len(t, providers, 1, "disabled providers stay in the snapshot so the bridge can serve a 503 sentinel") + assert.Equal(t, tc.row.Name, providers[0].Name()) + assert.False(t, providers[0].Enabled()) + require.Len(t, outcomes, 1) + assert.Equal(t, tc.row.Name, outcomes[0].Name) + assert.Equal(t, aibridged.ProviderStatusDisabled, outcomes[0].Status) + assert.NoError(t, outcomes[0].Err) + }) + } }) } diff --git a/cli/clitest/clitest_test.go b/cli/clitest/clitest_test.go index c214981387..d683af8d34 100644 --- a/cli/clitest/clitest_test.go +++ b/cli/clitest/clitest_test.go @@ -7,8 +7,8 @@ import ( "github.com/coder/coder/v2/cli/clitest" "github.com/coder/coder/v2/coderd/coderdtest" - "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" ) func TestMain(m *testing.M) { @@ -17,11 +17,12 @@ func TestMain(m *testing.M) { func TestCli(t *testing.T) { t.Parallel() + ctx := testutil.Context(t, testutil.WaitMedium) clitest.CreateTemplateVersionSource(t, nil) client := coderdtest.New(t, nil) i, config := clitest.New(t) clitest.SetupConfig(t, client, config) - pty := ptytest.New(t).Attach(i) + stdout := expecter.NewAttachedToInvocation(t, i) clitest.Start(t, i) - pty.ExpectMatch("coder") + stdout.ExpectMatchContext(ctx, "coder") } diff --git a/cli/cliui/externalauth_test.go b/cli/cliui/externalauth_test.go index 1482aacc2d..3a7359a485 100644 --- a/cli/cliui/externalauth_test.go +++ b/cli/cliui/externalauth_test.go @@ -10,8 +10,8 @@ import ( "github.com/coder/coder/v2/cli/cliui" "github.com/coder/coder/v2/codersdk" - "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" "github.com/coder/serpent" ) @@ -21,7 +21,6 @@ func TestExternalAuth(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) defer cancel() - ptty := ptytest.New(t) cmd := &serpent.Command{ Handler: func(inv *serpent.Invocation) error { var fetched atomic.Bool @@ -42,16 +41,16 @@ func TestExternalAuth(t *testing.T) { } inv := cmd.Invoke().WithContext(ctx) + stdout := expecter.NewAttachedToInvocation(t, inv) - ptty.Attach(inv) done := make(chan struct{}) go func() { defer close(done) err := inv.Run() assert.NoError(t, err) }() - ptty.ExpectMatchContext(ctx, "You must authenticate with") - ptty.ExpectMatchContext(ctx, "https://example.com/gitauth/github") - ptty.ExpectMatchContext(ctx, "Successfully authenticated with GitHub") + stdout.ExpectMatchContext(ctx, "You must authenticate with") + stdout.ExpectMatchContext(ctx, "https://example.com/gitauth/github") + stdout.ExpectMatchContext(ctx, "Successfully authenticated with GitHub") <-done } diff --git a/cli/cliui/provisionerjob_test.go b/cli/cliui/provisionerjob_test.go index 304e0608b8..b2ad8eb293 100644 --- a/cli/cliui/provisionerjob_test.go +++ b/cli/cliui/provisionerjob_test.go @@ -16,8 +16,8 @@ import ( "github.com/coder/coder/v2/cli/cliui" "github.com/coder/coder/v2/coderd/database/dbtime" "github.com/coder/coder/v2/codersdk" - "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" "github.com/coder/serpent" ) @@ -48,12 +48,12 @@ func TestProvisionerJob(t *testing.T) { test.JobMutex.Unlock() }) testutil.Eventually(ctx, t, func(ctx context.Context) (done bool) { - test.PTY.ExpectMatch(cliui.ProvisioningStateQueued) + test.Stdout.ExpectMatchContext(ctx, cliui.ProvisioningStateQueued) test.Next <- struct{}{} - test.PTY.ExpectMatch(cliui.ProvisioningStateQueued) - test.PTY.ExpectMatch(cliui.ProvisioningStateRunning) + test.Stdout.ExpectMatchContext(ctx, cliui.ProvisioningStateQueued) + test.Stdout.ExpectMatchContext(ctx, cliui.ProvisioningStateRunning) test.Next <- struct{}{} - test.PTY.ExpectMatch(cliui.ProvisioningStateRunning) + test.Stdout.ExpectMatchContext(ctx, cliui.ProvisioningStateRunning) return true }, testutil.IntervalFast) }) @@ -85,12 +85,12 @@ func TestProvisionerJob(t *testing.T) { test.JobMutex.Unlock() }) testutil.Eventually(ctx, t, func(ctx context.Context) (done bool) { - test.PTY.ExpectMatch(cliui.ProvisioningStateQueued) + test.Stdout.ExpectMatchContext(ctx, cliui.ProvisioningStateQueued) test.Next <- struct{}{} - test.PTY.ExpectMatch(cliui.ProvisioningStateQueued) - test.PTY.ExpectMatch("Something") + test.Stdout.ExpectMatchContext(ctx, cliui.ProvisioningStateQueued) + test.Stdout.ExpectMatchContext(ctx, "Something") test.Next <- struct{}{} - test.PTY.ExpectMatch("Something") + test.Stdout.ExpectMatchContext(ctx, "Something") return true }, testutil.IntervalFast) }) @@ -151,12 +151,12 @@ func TestProvisionerJob(t *testing.T) { test.JobMutex.Unlock() }) testutil.Eventually(ctx, t, func(ctx context.Context) (done bool) { - test.PTY.ExpectRegexMatch(tc.expected) + test.Stdout.ExpectRegexMatchContext(ctx, tc.expected) test.Next <- struct{}{} - test.PTY.ExpectMatch(cliui.ProvisioningStateQueued) // step completed - test.PTY.ExpectMatch(cliui.ProvisioningStateRunning) + test.Stdout.ExpectMatchContext(ctx, cliui.ProvisioningStateQueued) // step completed + test.Stdout.ExpectMatchContext(ctx, cliui.ProvisioningStateRunning) test.Next <- struct{}{} - test.PTY.ExpectMatch(cliui.ProvisioningStateRunning) + test.Stdout.ExpectMatchContext(ctx, cliui.ProvisioningStateRunning) return true }, testutil.IntervalFast) }) @@ -193,11 +193,11 @@ func TestProvisionerJob(t *testing.T) { test.JobMutex.Unlock() }) testutil.Eventually(ctx, t, func(ctx context.Context) (done bool) { - test.PTY.ExpectMatch(cliui.ProvisioningStateQueued) + test.Stdout.ExpectMatchContext(ctx, cliui.ProvisioningStateQueued) test.Next <- struct{}{} - test.PTY.ExpectMatch("Gracefully canceling") + test.Stdout.ExpectMatchContext(ctx, "Gracefully canceling") test.Next <- struct{}{} - test.PTY.ExpectMatch(cliui.ProvisioningStateQueued) + test.Stdout.ExpectMatchContext(ctx, cliui.ProvisioningStateQueued) return true }, testutil.IntervalFast) }) @@ -208,7 +208,7 @@ type provisionerJobTest struct { Job *codersdk.ProvisionerJob JobMutex *sync.Mutex Logs chan codersdk.ProvisionerJobLog - PTY *ptytest.PTY + Stdout *expecter.Expecter } func newProvisionerJob(t *testing.T) provisionerJobTest { @@ -240,8 +240,7 @@ func newProvisionerJob(t *testing.T) provisionerJobTest { } inv := cmd.Invoke() - ptty := ptytest.New(t) - ptty.Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) done := make(chan struct{}) go func() { defer close(done) @@ -258,7 +257,7 @@ func newProvisionerJob(t *testing.T) provisionerJobTest { Job: job, JobMutex: &jobLock, Logs: logs, - PTY: ptty, + Stdout: stdout, } } diff --git a/cli/cliui/select_test.go b/cli/cliui/select_test.go index 55ab81f50f..d532ff19eb 100644 --- a/cli/cliui/select_test.go +++ b/cli/cliui/select_test.go @@ -8,7 +8,6 @@ import ( "github.com/coder/coder/v2/cli/cliui" "github.com/coder/coder/v2/codersdk" - "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/serpent" ) @@ -16,10 +15,9 @@ func TestSelect(t *testing.T) { t.Parallel() t.Run("Select", func(t *testing.T) { t.Parallel() - ptty := ptytest.New(t) msgChan := make(chan string) go func() { - resp, err := newSelect(ptty, cliui.SelectOptions{ + resp, err := newSelect(cliui.SelectOptions{ Options: []string{"First", "Second"}, }) assert.NoError(t, err) @@ -29,7 +27,7 @@ func TestSelect(t *testing.T) { }) } -func newSelect(ptty *ptytest.PTY, opts cliui.SelectOptions) (string, error) { +func newSelect(opts cliui.SelectOptions) (string, error) { value := "" cmd := &serpent.Command{ Handler: func(inv *serpent.Invocation) error { @@ -39,7 +37,6 @@ func newSelect(ptty *ptytest.PTY, opts cliui.SelectOptions) (string, error) { }, } inv := cmd.Invoke() - ptty.Attach(inv) return value, inv.Run() } @@ -47,10 +44,10 @@ func TestRichSelect(t *testing.T) { t.Parallel() t.Run("RichSelect", func(t *testing.T) { t.Parallel() - ptty := ptytest.New(t) + msgChan := make(chan string) go func() { - resp, err := newRichSelect(ptty, cliui.RichSelectOptions{ + resp, err := newRichSelect(cliui.RichSelectOptions{ Options: []codersdk.TemplateVersionParameterOption{ {Name: "A-Name", Value: "A-Value", Description: "A-Description."}, {Name: "B-Name", Value: "B-Value", Description: "B-Description."}, @@ -63,7 +60,7 @@ func TestRichSelect(t *testing.T) { }) } -func newRichSelect(ptty *ptytest.PTY, opts cliui.RichSelectOptions) (string, error) { +func newRichSelect(opts cliui.RichSelectOptions) (string, error) { value := "" cmd := &serpent.Command{ Handler: func(inv *serpent.Invocation) error { @@ -75,7 +72,6 @@ func newRichSelect(ptty *ptytest.PTY, opts cliui.RichSelectOptions) (string, err }, } inv := cmd.Invoke() - ptty.Attach(inv) return value, inv.Run() } @@ -181,11 +177,10 @@ func TestMultiSelect(t *testing.T) { t.Run(tt.name, func(t *testing.T) { t.Parallel() - ptty := ptytest.New(t) msgChan := make(chan []string) go func() { - resp, err := newMultiSelect(ptty, tt.items, tt.allowCustom) + resp, err := newMultiSelect(tt.items, tt.allowCustom) assert.NoError(t, err) msgChan <- resp }() @@ -195,7 +190,7 @@ func TestMultiSelect(t *testing.T) { } } -func newMultiSelect(pty *ptytest.PTY, items []string, custom bool) ([]string, error) { +func newMultiSelect(items []string, custom bool) ([]string, error) { var values []string cmd := &serpent.Command{ Handler: func(inv *serpent.Invocation) error { @@ -211,6 +206,5 @@ func newMultiSelect(pty *ptytest.PTY, items []string, custom bool) ([]string, er }, } inv := cmd.Invoke() - pty.Attach(inv) return values, inv.Run() } diff --git a/cli/configssh_internal_test.go b/cli/configssh_internal_test.go index 0ea2ae6ea5..59b57439af 100644 --- a/cli/configssh_internal_test.go +++ b/cli/configssh_internal_test.go @@ -229,8 +229,15 @@ func Test_sshConfigMatchExecEscape(t *testing.T) { // OpenSSH processes %% escape sequences into % escaped = strings.ReplaceAll(escaped, "%%", "%") - b, err := exec.Command(cmd, arg, escaped).CombinedOutput() //nolint:gosec - require.NoError(t, err) + c := exec.Command(cmd, arg, escaped) //nolint:gosec + if runtime.GOOS == "windows" { + // Deduplicate Path/PATH env vars so cmd.exe + // subprocesses (like powershell.exe used for + // paths with spaces) resolve correctly. + c.Env = appendAndDedupEnv(os.Environ()) + } + b, err := c.CombinedOutput() + require.NoError(t, err, "command output: %s", string(b)) got := strings.TrimSpace(string(b)) require.Equal(t, "yay", got) }) diff --git a/cli/configssh_test.go b/cli/configssh_test.go index 7e42bfe81a..61588e4fb9 100644 --- a/cli/configssh_test.go +++ b/cli/configssh_test.go @@ -24,8 +24,8 @@ import ( "github.com/coder/coder/v2/coderd/database/dbfake" "github.com/coder/coder/v2/codersdk" "github.com/coder/coder/v2/codersdk/workspacesdk" - "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" ) func sshConfigFileName(t *testing.T) (sshConfig string) { @@ -64,6 +64,8 @@ func TestConfigSSH(t *testing.T) { t.Skip("See coder/internal#117") } + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) const hostname = "test-coder." const expectedKey = "ConnectionAttempts" const removeKey = "ConnectTimeout" @@ -131,9 +133,8 @@ func TestConfigSSH(t *testing.T) { "--ssh-config-file", sshConfigFile, "--skip-proxy-command") clitest.SetupConfig(t, member, root) - pty := ptytest.New(t) - inv.Stdin = pty.Input() - inv.Stdout = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) waiter := clitest.StartWithWaiter(t, inv) @@ -143,8 +144,8 @@ func TestConfigSSH(t *testing.T) { {match: "Continue?", write: "yes"}, } for _, m := range matches { - pty.ExpectMatch(m.match) - pty.WriteLine(m.write) + stdout.ExpectMatchContext(ctx, m.match) + stdin.WriteLine(m.write) } waiter.RequireSuccess() @@ -157,10 +158,8 @@ func TestConfigSSH(t *testing.T) { home := filepath.Dir(filepath.Dir(sshConfigFile)) // #nosec sshCmd := exec.Command("ssh", "-F", sshConfigFile, hostname+r.Workspace.Name, "echo", "test") - pty = ptytest.New(t) // Set HOME because coder config is included from ~/.ssh/coder. sshCmd.Env = append(sshCmd.Env, fmt.Sprintf("HOME=%s", home)) - inv.Stderr = pty.Output() data, err := sshCmd.Output() require.NoError(t, err) require.Equal(t, "test", strings.TrimSpace(string(data))) @@ -693,6 +692,8 @@ func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) client, db := coderdtest.NewWithDatabase(t, nil) user := coderdtest.CreateFirstUser(t, client) @@ -718,8 +719,8 @@ func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) { //nolint:gocritic // This has always ran with the admin user. clitest.SetupConfig(t, client, root) - pty := ptytest.New(t) - pty.Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) done := tGo(t, func() { err := inv.Run() if !tt.wantErr { @@ -730,8 +731,8 @@ func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) { }) for _, m := range tt.matches { - pty.ExpectMatch(m.match) - pty.WriteLine(m.write) + stdout.ExpectMatchContext(ctx, m.match) + stdin.WriteLine(m.write) } <-done diff --git a/cli/configssh_windows.go b/cli/configssh_windows.go index db81bce1ff..53473c7aa4 100644 --- a/cli/configssh_windows.go +++ b/cli/configssh_windows.go @@ -4,6 +4,8 @@ package cli import ( "fmt" + "os" + "path/filepath" "strings" "golang.org/x/xerrors" @@ -50,7 +52,13 @@ func sshConfigMatchExecEscape(path string) (string, error) { if strings.ContainsAny(path, " ") { // c.f. function comment for how this works. - path = fmt.Sprintf("for /f %%%%a in ('powershell.exe -Command [char]34') do @cmd.exe /c %%%%a%s%%%%a", path) //nolint:gocritic // We don't want %q here. + // Use absolute paths for powershell.exe and cmd.exe + // to avoid PATH resolution issues when both Path and + // PATH (MSYS-translated) exist in the environment. + sysRoot := os.Getenv("SYSTEMROOT") + pwsh := filepath.Join(sysRoot, "System32", "WindowsPowerShell", "v1.0", "powershell.exe") + cmd := filepath.Join(sysRoot, "System32", "cmd.exe") + path = fmt.Sprintf("for /f %%%%a in ('%s -Command [char]34') do @%s /c %%%%a%s%%%%a", pwsh, cmd, path) //nolint:gocritic // We don't want %q here. } return path, nil } diff --git a/cli/create_test.go b/cli/create_test.go index 670f785791..043148d178 100644 --- a/cli/create_test.go +++ b/cli/create_test.go @@ -20,8 +20,8 @@ import ( "github.com/coder/coder/v2/codersdk" "github.com/coder/coder/v2/provisioner/echo" "github.com/coder/coder/v2/provisionersdk/proto" - "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" ) func TestCreateDynamic(t *testing.T) { @@ -74,14 +74,14 @@ func TestCreateDynamic(t *testing.T) { } inv, root := clitest.New(t, args...) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) doneChan := make(chan error) go func() { doneChan <- inv.Run() }() - pty.ExpectMatchContext(ctx, "has been created") + stdout.ExpectMatchContext(ctx, "has been created") err := testutil.RequireReceive(ctx, t, doneChan) require.NoError(t, err) @@ -103,14 +103,14 @@ func TestCreateDynamic(t *testing.T) { } inv, root = clitest.New(t, args...) clitest.SetupConfig(t, member, root) - pty = ptytest.New(t).Attach(inv) + stdout = expecter.NewAttachedToInvocation(t, inv) doneChan = make(chan error) go func() { doneChan <- inv.Run() }() - pty.ExpectMatchContext(ctx, "has been created") + stdout.ExpectMatchContext(ctx, "has been created") err = testutil.RequireReceive(ctx, t, doneChan) require.NoError(t, err) @@ -129,7 +129,8 @@ func TestCreateDynamic(t *testing.T) { // When enable_region=true, the region parameter becomes required and CLI should prompt. t.Run("PromptForConditionalParam", func(t *testing.T) { t.Parallel() - ctx := testutil.Context(t, testutil.WaitLong) + ctx := testutil.Context(t, time.Hour) + logger := testutil.Logger(t) template, _ := coderdtest.DynamicParameterTemplate(t, owner, first.OrganizationID, coderdtest.DynamicParameterTemplateParams{ MainTF: conditionalParamTF, @@ -143,7 +144,8 @@ func TestCreateDynamic(t *testing.T) { } inv, root := clitest.New(t, args...) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) doneChan := make(chan error) go func() { @@ -151,14 +153,14 @@ func TestCreateDynamic(t *testing.T) { }() // CLI should prompt for the region parameter since enable_region=true - pty.ExpectMatchContext(ctx, "region") - pty.WriteLine("eu-west") + stdout.ExpectMatchContext(ctx, "region") + stdin.WriteLine("eu-west") // Confirm creation - pty.ExpectMatchContext(ctx, "Confirm create?") - pty.WriteLine("yes") + stdout.ExpectMatchContext(ctx, "Confirm create?") + stdin.WriteLine("yes") - pty.ExpectMatchContext(ctx, "has been created") + stdout.ExpectMatchContext(ctx, "has been created") err := <-doneChan require.NoError(t, err) @@ -305,14 +307,14 @@ func TestCreateDynamic(t *testing.T) { "-y", ) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) doneChan := make(chan error) go func() { doneChan <- inv.Run() }() - pty.ExpectMatchContext(ctx, "has been created") + stdout.ExpectMatchContext(ctx, "has been created") err = <-doneChan require.NoError(t, err, "slider=8 should succeed when max_slider=10") @@ -331,6 +333,8 @@ func TestCreate(t *testing.T) { t.Parallel() t.Run("Create", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) @@ -348,7 +352,8 @@ func TestCreate(t *testing.T) { inv, root := clitest.New(t, args...) clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() @@ -363,9 +368,9 @@ func TestCreate(t *testing.T) { {match: "Confirm create", write: "yes"}, } for _, m := range matches { - pty.ExpectMatch(m.match) + stdout.ExpectMatchContext(ctx, m.match) if len(m.write) > 0 { - pty.WriteLine(m.write) + stdin.WriteLine(m.write) } } <-doneChan @@ -385,6 +390,8 @@ func TestCreate(t *testing.T) { t.Run("CreateForOtherUser", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, completeWithAgent()) @@ -403,7 +410,8 @@ func TestCreate(t *testing.T) { //nolint:gocritic // Creating a workspace for another user requires owner permissions. clitest.SetupConfig(t, client, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() @@ -418,9 +426,9 @@ func TestCreate(t *testing.T) { {match: "Confirm create", write: "yes"}, } for _, m := range matches { - pty.ExpectMatch(m.match) + stdout.ExpectMatchContext(ctx, m.match) if len(m.write) > 0 { - pty.WriteLine(m.write) + stdin.WriteLine(m.write) } } <-doneChan @@ -439,6 +447,8 @@ func TestCreate(t *testing.T) { t.Run("CreateWithSpecificTemplateVersion", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) @@ -467,7 +477,8 @@ func TestCreate(t *testing.T) { inv, root := clitest.New(t, args...) clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() @@ -482,9 +493,9 @@ func TestCreate(t *testing.T) { {match: "Confirm create", write: "yes"}, } for _, m := range matches { - pty.ExpectMatch(m.match) + stdout.ExpectMatchContext(ctx, m.match) if len(m.write) > 0 { - pty.WriteLine(m.write) + stdin.WriteLine(m.write) } } <-doneChan @@ -506,6 +517,8 @@ func TestCreate(t *testing.T) { t.Run("InheritStopAfterFromTemplate", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) @@ -522,7 +535,8 @@ func TestCreate(t *testing.T) { } inv, root := clitest.New(t, args...) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) waiter := clitest.StartWithWaiter(t, inv) matches := []struct { match string @@ -533,9 +547,9 @@ func TestCreate(t *testing.T) { {match: "Confirm create", write: "yes"}, } for _, m := range matches { - pty.ExpectMatch(m.match) + stdout.ExpectMatchContext(ctx, m.match) if len(m.write) > 0 { - pty.WriteLine(m.write) + stdin.WriteLine(m.write) } } waiter.RequireSuccess() @@ -570,6 +584,8 @@ func TestCreate(t *testing.T) { t.Run("FromNothing", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) @@ -579,7 +595,8 @@ func TestCreate(t *testing.T) { inv, root := clitest.New(t, "create", "") clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() @@ -592,8 +609,8 @@ func TestCreate(t *testing.T) { for i := 0; i < len(matches); i += 2 { match := matches[i] value := matches[i+1] - pty.ExpectMatch(match) - pty.WriteLine(value) + stdout.ExpectMatchContext(ctx, match) + stdin.WriteLine(value) } <-doneChan @@ -621,14 +638,14 @@ func TestCreate(t *testing.T) { ) clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) go func() { defer close(doneChan) err := inv.Run() assert.NoError(t, err) }() - pty.ExpectMatchContext(ctx, "building in the background") + stdout.ExpectMatchContext(ctx, "building in the background") _ = testutil.TryReceive(ctx, t, doneChan) // Verify workspace was actually created. @@ -658,14 +675,14 @@ func TestCreate(t *testing.T) { ) clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) go func() { defer close(doneChan) err := inv.Run() assert.NoError(t, err) }() - pty.ExpectMatchContext(ctx, "building in the background") + stdout.ExpectMatchContext(ctx, "building in the background") _ = testutil.TryReceive(ctx, t, doneChan) // Verify workspace was created and parameters were applied. @@ -706,14 +723,14 @@ func TestCreate(t *testing.T) { ) clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) go func() { defer close(doneChan) err := inv.Run() assert.NoError(t, err) }() - pty.ExpectMatchContext(ctx, "building in the background") + stdout.ExpectMatchContext(ctx, "building in the background") _ = testutil.TryReceive(ctx, t, doneChan) ws, err := member.WorkspaceByOwnerAndName(ctx, codersdk.Me, "my-workspace", codersdk.WorkspaceOptions{}) @@ -801,7 +818,7 @@ func TestCreateWithRichParameters(t *testing.T) { setup func() []string // handlePty optionally runs after the command is started. It should handle // all expected prompts from the pty. - handlePty func(pty *ptytest.PTY) + handlePty func(ctx context.Context, stdout *expecter.Expecter, stdin *testutil.Writer) // postRun runs after the command has finished but before the workspace is // verified. It must return the workspace name to check (used for the copy // workspace tests). @@ -818,15 +835,15 @@ func TestCreateWithRichParameters(t *testing.T) { }{ { name: "ValuesFromPrompt", - handlePty: func(pty *ptytest.PTY) { + handlePty: func(ctx context.Context, stdout *expecter.Expecter, stdin *testutil.Writer) { // Enter the value for each parameter as prompted. for _, param := range params { - pty.ExpectMatch(param.name) - pty.WriteLine(param.value) + stdout.ExpectMatchContext(ctx, param.name) + stdin.WriteLine(param.value) } // Confirm the creation. - pty.ExpectMatch("Confirm create?") - pty.WriteLine("yes") + stdout.ExpectMatchContext(ctx, "Confirm create?") + stdin.WriteLine("yes") }, }, { @@ -839,16 +856,16 @@ func TestCreateWithRichParameters(t *testing.T) { } return args }, - handlePty: func(pty *ptytest.PTY) { + handlePty: func(ctx context.Context, stdout *expecter.Expecter, stdin *testutil.Writer) { // Simply accept the defaults. for _, param := range params { - pty.ExpectMatch(param.name) - pty.ExpectMatch(`Enter a value (default: "` + param.value + `")`) - pty.WriteLine("") + stdout.ExpectMatchContext(ctx, param.name) + stdout.ExpectMatchContext(ctx, `Enter a value (default: "`+param.value+`")`) + stdin.WriteLine("") } // Confirm the creation. - pty.ExpectMatch("Confirm create?") - pty.WriteLine("yes") + stdout.ExpectMatchContext(ctx, "Confirm create?") + stdin.WriteLine("yes") }, }, { @@ -865,10 +882,10 @@ func TestCreateWithRichParameters(t *testing.T) { return []string{"--rich-parameter-file", parameterFile.Name()} }, - handlePty: func(pty *ptytest.PTY) { + handlePty: func(ctx context.Context, stdout *expecter.Expecter, stdin *testutil.Writer) { // No prompts, we only need to confirm. - pty.ExpectMatch("Confirm create?") - pty.WriteLine("yes") + stdout.ExpectMatchContext(ctx, "Confirm create?") + stdin.WriteLine("yes") }, }, { @@ -881,10 +898,10 @@ func TestCreateWithRichParameters(t *testing.T) { } return args }, - handlePty: func(pty *ptytest.PTY) { + handlePty: func(ctx context.Context, stdout *expecter.Expecter, stdin *testutil.Writer) { // No prompts, we only need to confirm. - pty.ExpectMatch("Confirm create?") - pty.WriteLine("yes") + stdout.ExpectMatchContext(ctx, "Confirm create?") + stdin.WriteLine("yes") }, }, { @@ -920,9 +937,6 @@ func TestCreateWithRichParameters(t *testing.T) { postRun: func(t *testing.T, tctx testContext) string { inv, root := clitest.New(t, "create", "--copy-parameters-from", tctx.workspaceName, "other-workspace", "-y") clitest.SetupConfig(t, tctx.member, root) - pty := ptytest.New(t).Attach(inv) - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() err := inv.Run() require.NoError(t, err, "failed to create a workspace based on the source workspace") return "other-workspace" @@ -952,9 +966,6 @@ func TestCreateWithRichParameters(t *testing.T) { // Then create the copy. It should use the old template version. inv, root := clitest.New(t, "create", "--copy-parameters-from", tctx.workspaceName, "other-workspace", "-y") clitest.SetupConfig(t, tctx.member, root) - pty := ptytest.New(t).Attach(inv) - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() err := inv.Run() require.NoError(t, err, "failed to create a workspace based on the source workspace") return "other-workspace" @@ -962,16 +973,16 @@ func TestCreateWithRichParameters(t *testing.T) { }, { name: "ValuesFromTemplateDefaults", - handlePty: func(pty *ptytest.PTY) { + handlePty: func(ctx context.Context, stdout *expecter.Expecter, stdin *testutil.Writer) { // Simply accept the defaults. for _, param := range params { - pty.ExpectMatch(param.name) - pty.ExpectMatch(`Enter a value (default: "` + param.value + `")`) - pty.WriteLine("") + stdout.ExpectMatchContext(ctx, param.name) + stdout.ExpectMatchContext(ctx, `Enter a value (default: "`+param.value+`")`) + stdin.WriteLine("") } // Confirm the creation. - pty.ExpectMatch("Confirm create?") - pty.WriteLine("yes") + stdout.ExpectMatchContext(ctx, "Confirm create?") + stdin.WriteLine("yes") }, withDefaults: true, }, @@ -980,14 +991,14 @@ func TestCreateWithRichParameters(t *testing.T) { setup: func() []string { return []string{"--use-parameter-defaults"} }, - handlePty: func(pty *ptytest.PTY) { + handlePty: func(ctx context.Context, stdout *expecter.Expecter, stdin *testutil.Writer) { // Default values should get printed. for _, param := range params { - pty.ExpectMatch(fmt.Sprintf("%s: '%s'", param.name, param.value)) + stdout.ExpectMatchContext(ctx, fmt.Sprintf("%s: '%s'", param.name, param.value)) } // No prompts, we only need to confirm. - pty.ExpectMatch("Confirm create?") - pty.WriteLine("yes") + stdout.ExpectMatchContext(ctx, "Confirm create?") + stdin.WriteLine("yes") }, withDefaults: true, }, @@ -1001,14 +1012,14 @@ func TestCreateWithRichParameters(t *testing.T) { } return args }, - handlePty: func(pty *ptytest.PTY) { + handlePty: func(ctx context.Context, stdout *expecter.Expecter, stdin *testutil.Writer) { // Default values should get printed. for _, param := range params { - pty.ExpectMatch(fmt.Sprintf("%s: '%s'", param.name, param.value)) + stdout.ExpectMatchContext(ctx, fmt.Sprintf("%s: '%s'", param.name, param.value)) } // No prompts, we only need to confirm. - pty.ExpectMatch("Confirm create?") - pty.WriteLine("yes") + stdout.ExpectMatchContext(ctx, "Confirm create?") + stdin.WriteLine("yes") }, }, { @@ -1031,14 +1042,14 @@ cli_param: from file`) "--parameter", "cli_param=from cli", } }, - handlePty: func(pty *ptytest.PTY) { + handlePty: func(ctx context.Context, stdout *expecter.Expecter, stdin *testutil.Writer) { // Should get prompted for the input param since it has no default. - pty.ExpectMatch("input_param") - pty.WriteLine("from input") + stdout.ExpectMatchContext(ctx, "input_param") + stdin.WriteLine("from input") // Confirm the creation. - pty.ExpectMatch("Confirm create?") - pty.WriteLine("yes") + stdout.ExpectMatchContext(ctx, "Confirm create?") + stdin.WriteLine("yes") }, withDefaults: true, inputParameters: []param{ @@ -1082,6 +1093,8 @@ cli_param: from file`) for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) parameters := params if len(tt.inputParameters) > 0 { @@ -1122,14 +1135,15 @@ cli_param: from file`) inv, root := clitest.New(t, args...) clitest.SetupConfig(t, member, root) doneChan := make(chan error) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { doneChan <- inv.Run() }() // The test may do something with the pty. if tt.handlePty != nil { - tt.handlePty(pty) + tt.handlePty(ctx, stdout, stdin) } // Wait for the command to exit. @@ -1235,6 +1249,7 @@ func TestCreateWithPreset(t *testing.T) { // the CLI uses the specified preset instead of the default t.Run("PresetFlag", func(t *testing.T) { t.Parallel() + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) @@ -1263,17 +1278,15 @@ func TestCreateWithPreset(t *testing.T) { workspaceName := "my-workspace" inv, root := clitest.New(t, "create", workspaceName, "--template", template.Name, "-y", "--preset", preset.Name) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) err := inv.Run() require.NoError(t, err) // Should: display the selected preset as well as its parameters presetName := fmt.Sprintf("Preset '%s' applied:", preset.Name) - pty.ExpectMatch(presetName) - pty.ExpectMatch(fmt.Sprintf("%s: '%s'", firstParameterName, secondOptionalParameterValue)) - pty.ExpectMatch(fmt.Sprintf("%s: '%s'", thirdParameterName, thirdParameterValue)) + stdout.ExpectMatchContext(ctx, presetName) + stdout.ExpectMatchContext(ctx, fmt.Sprintf("%s: '%s'", firstParameterName, secondOptionalParameterValue)) + stdout.ExpectMatchContext(ctx, fmt.Sprintf("%s: '%s'", thirdParameterName, thirdParameterValue)) // Verify if the new workspace uses expected parameters. ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) @@ -1312,6 +1325,7 @@ func TestCreateWithPreset(t *testing.T) { // the CLI automatically uses the default preset to create the workspace t.Run("DefaultPreset", func(t *testing.T) { t.Parallel() + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) @@ -1340,22 +1354,17 @@ func TestCreateWithPreset(t *testing.T) { workspaceName := "my-workspace" inv, root := clitest.New(t, "create", workspaceName, "--template", template.Name, "-y") clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) err := inv.Run() require.NoError(t, err) // Should: display the default preset as well as its parameters presetName := fmt.Sprintf("Preset '%s' (default) applied:", defaultPreset.Name) - pty.ExpectMatch(presetName) - pty.ExpectMatch(fmt.Sprintf("%s: '%s'", firstParameterName, secondOptionalParameterValue)) - pty.ExpectMatch(fmt.Sprintf("%s: '%s'", thirdParameterName, thirdParameterValue)) + stdout.ExpectMatchContext(ctx, presetName) + stdout.ExpectMatchContext(ctx, fmt.Sprintf("%s: '%s'", firstParameterName, secondOptionalParameterValue)) + stdout.ExpectMatchContext(ctx, fmt.Sprintf("%s: '%s'", thirdParameterName, thirdParameterValue)) // Verify if the new workspace uses expected parameters. - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) - defer cancel() - tvPresets, err := client.TemplateVersionPresets(ctx, version.ID) require.NoError(t, err) require.Len(t, tvPresets, 2) @@ -1389,12 +1398,14 @@ func TestCreateWithPreset(t *testing.T) { // the CLI prompts the user to select a preset. t.Run("NoDefaultPresetPromptUser", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) - // Given: a template and a template version with two presets + // Given: a template and a template version with a single, non-default preset. preset := proto.Preset{ Name: "preset-test", Description: "Preset Test.", @@ -1414,7 +1425,8 @@ func TestCreateWithPreset(t *testing.T) { "--parameter", fmt.Sprintf("%s=%s", thirdParameterName, thirdParameterValue)) clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() @@ -1422,18 +1434,16 @@ func TestCreateWithPreset(t *testing.T) { }() // Should: prompt the user for the preset - pty.ExpectMatch("Select a preset below:") - pty.WriteLine("\n") - pty.ExpectMatch("Preset 'preset-test' applied") - pty.ExpectMatch("Confirm create?") - pty.WriteLine("yes") + stdout.ExpectMatchContext(ctx, "Select a preset below:") + // We don't actually have to respond to the selector, since we hardcode the cliui.Select to return the + // first option in test scenarios (c.f. cliui/select.go) + stdout.ExpectMatchContext(ctx, "Preset 'preset-test' applied") + stdout.ExpectMatchContext(ctx, "Confirm create?") + stdin.WriteLine("yes") <-doneChan // Verify if the new workspace uses expected parameters. - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) - defer cancel() - tvPresets, err := client.TemplateVersionPresets(ctx, version.ID) require.NoError(t, err) require.Len(t, tvPresets, 1) @@ -1460,6 +1470,7 @@ func TestCreateWithPreset(t *testing.T) { // with workspace creation without applying any preset. t.Run("TemplateVersionWithoutPresets", func(t *testing.T) { t.Parallel() + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) @@ -1476,17 +1487,12 @@ func TestCreateWithPreset(t *testing.T) { "--parameter", fmt.Sprintf("%s=%s", firstParameterName, firstOptionalParameterValue), "--parameter", fmt.Sprintf("%s=%s", thirdParameterName, thirdParameterValue)) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) err := inv.Run() require.NoError(t, err) - pty.ExpectMatch("No preset applied.") + stdout.ExpectMatchContext(ctx, "No preset applied.") // Verify if the new workspace uses expected parameters. - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) - defer cancel() - workspaces, err := client.Workspaces(ctx, codersdk.WorkspaceFilter{ Name: workspaceName, }) @@ -1509,6 +1515,7 @@ func TestCreateWithPreset(t *testing.T) { // The workspace should be created without using any preset-defined parameters. t.Run("PresetFlagNone", func(t *testing.T) { t.Parallel() + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) @@ -1533,17 +1540,12 @@ func TestCreateWithPreset(t *testing.T) { "--parameter", fmt.Sprintf("%s=%s", firstParameterName, firstOptionalParameterValue), "--parameter", fmt.Sprintf("%s=%s", thirdParameterName, thirdParameterValue)) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) err := inv.Run() require.NoError(t, err) - pty.ExpectMatch("No preset applied.") + stdout.ExpectMatchContext(ctx, "No preset applied.") // Verify that the new workspace doesn't use the preset parameters. - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) - defer cancel() - tvPresets, err := client.TemplateVersionPresets(ctx, version.ID) require.NoError(t, err) require.Len(t, tvPresets, 1) @@ -1591,9 +1593,6 @@ func TestCreateWithPreset(t *testing.T) { workspaceName := "my-workspace" inv, root := clitest.New(t, "create", workspaceName, "--template", template.Name, "-y", "--preset", "invalid-preset") clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() err := inv.Run() // Should: fail with an error indicating the preset was not found @@ -1610,6 +1609,7 @@ func TestCreateWithPreset(t *testing.T) { // - and the value of parameter B from the parameter flag. t.Run("PresetOverridesParameterFlagValues", func(t *testing.T) { t.Parallel() + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) @@ -1633,21 +1633,16 @@ func TestCreateWithPreset(t *testing.T) { "--parameter", fmt.Sprintf("%s=%s", firstParameterName, firstOptionalParameterValue), "--parameter", fmt.Sprintf("%s=%s", thirdParameterName, thirdParameterValue)) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) err := inv.Run() require.NoError(t, err) // Should: display the selected preset as well as its parameter presetName := fmt.Sprintf("Preset '%s' applied:", preset.Name) - pty.ExpectMatch(presetName) - pty.ExpectMatch(fmt.Sprintf("%s: '%s'", firstParameterName, secondOptionalParameterValue)) + stdout.ExpectMatchContext(ctx, presetName) + stdout.ExpectMatchContext(ctx, fmt.Sprintf("%s: '%s'", firstParameterName, secondOptionalParameterValue)) // Verify if the new workspace uses expected parameters. - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) - defer cancel() - tvPresets, err := client.TemplateVersionPresets(ctx, version.ID) require.NoError(t, err) require.Len(t, tvPresets, 1) @@ -1679,6 +1674,7 @@ func TestCreateWithPreset(t *testing.T) { // - and the value of parameter B from the file. t.Run("PresetOverridesParameterFileValues", func(t *testing.T) { t.Parallel() + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) @@ -1707,21 +1703,16 @@ func TestCreateWithPreset(t *testing.T) { "--preset", preset.Name, "--rich-parameter-file", parameterFile.Name()) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) err := inv.Run() require.NoError(t, err) // Should: display the selected preset as well as its parameter presetName := fmt.Sprintf("Preset '%s' applied:", preset.Name) - pty.ExpectMatch(presetName) - pty.ExpectMatch(fmt.Sprintf("%s: '%s'", firstParameterName, secondOptionalParameterValue)) + stdout.ExpectMatchContext(ctx, presetName) + stdout.ExpectMatchContext(ctx, fmt.Sprintf("%s: '%s'", firstParameterName, secondOptionalParameterValue)) // Verify if the new workspace uses expected parameters. - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) - defer cancel() - tvPresets, err := client.TemplateVersionPresets(ctx, version.ID) require.NoError(t, err) require.Len(t, tvPresets, 1) @@ -1748,7 +1739,8 @@ func TestCreateWithPreset(t *testing.T) { // the CLI prompts the user for input to fill in the missing parameters. t.Run("PromptsForMissingParametersWhenPresetIsIncomplete", func(t *testing.T) { t.Parallel() - + ctx := testutil.Context(t, testutil.WaitMedium) + logger := testutil.Logger(t) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) @@ -1769,7 +1761,8 @@ func TestCreateWithPreset(t *testing.T) { inv, root := clitest.New(t, "create", workspaceName, "--template", template.Name, "--preset", preset.Name) clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() @@ -1778,21 +1771,18 @@ func TestCreateWithPreset(t *testing.T) { // Should: display the selected preset as well as its parameters presetName := fmt.Sprintf("Preset '%s' applied:", preset.Name) - pty.ExpectMatch(presetName) - pty.ExpectMatch(fmt.Sprintf("%s: '%s'", firstParameterName, secondOptionalParameterValue)) + stdout.ExpectMatchContext(ctx, presetName) + stdout.ExpectMatchContext(ctx, fmt.Sprintf("%s: '%s'", firstParameterName, secondOptionalParameterValue)) // Should: prompt for the missing parameter - pty.ExpectMatch(thirdParameterDescription) - pty.WriteLine(thirdParameterValue) - pty.ExpectMatch("Confirm create?") - pty.WriteLine("yes") + stdout.ExpectMatchContext(ctx, thirdParameterDescription) + stdin.WriteLine(thirdParameterValue) + stdout.ExpectMatchContext(ctx, "Confirm create?") + stdin.WriteLine("yes") <-doneChan // Verify if the new workspace uses expected parameters. - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong) - defer cancel() - tvPresets, err := client.TemplateVersionPresets(ctx, version.ID) require.NoError(t, err) require.Len(t, tvPresets, 1) @@ -1857,7 +1847,8 @@ func TestCreateValidateRichParameters(t *testing.T) { t.Run("ValidateString", func(t *testing.T) { t.Parallel() - + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) @@ -1869,7 +1860,8 @@ func TestCreateValidateRichParameters(t *testing.T) { inv, root := clitest.New(t, "create", "my-workspace", "--template", template.Name) clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() @@ -1885,9 +1877,9 @@ func TestCreateValidateRichParameters(t *testing.T) { for i := 0; i < len(matches); i += 2 { match := matches[i] value := matches[i+1] - pty.ExpectMatch(match) + stdout.ExpectMatchContext(ctx, match) if value != "" { - pty.WriteLine(value) + stdin.WriteLine(value) } } <-doneChan @@ -1895,6 +1887,8 @@ func TestCreateValidateRichParameters(t *testing.T) { t.Run("ValidateNumber", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) @@ -1907,7 +1901,8 @@ func TestCreateValidateRichParameters(t *testing.T) { inv, root := clitest.New(t, "create", "my-workspace", "--template", template.Name) clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() @@ -1923,9 +1918,9 @@ func TestCreateValidateRichParameters(t *testing.T) { for i := 0; i < len(matches); i += 2 { match := matches[i] value := matches[i+1] - pty.ExpectMatch(match) + stdout.ExpectMatchContext(ctx, match) if value != "" { - pty.WriteLine(value) + stdin.WriteLine(value) } } <-doneChan @@ -1933,6 +1928,8 @@ func TestCreateValidateRichParameters(t *testing.T) { t.Run("ValidateNumber_CustomError", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) @@ -1945,7 +1942,8 @@ func TestCreateValidateRichParameters(t *testing.T) { inv, root := clitest.New(t, "create", "my-workspace", "--template", template.Name) clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() @@ -1961,9 +1959,9 @@ func TestCreateValidateRichParameters(t *testing.T) { for i := 0; i < len(matches); i += 2 { match := matches[i] value := matches[i+1] - pty.ExpectMatch(match) + stdout.ExpectMatchContext(ctx, match) if value != "" { - pty.WriteLine(value) + stdin.WriteLine(value) } } <-doneChan @@ -1971,6 +1969,8 @@ func TestCreateValidateRichParameters(t *testing.T) { t.Run("ValidateBool", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) @@ -1983,7 +1983,8 @@ func TestCreateValidateRichParameters(t *testing.T) { inv, root := clitest.New(t, "create", "my-workspace", "--template", template.Name) clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() @@ -1999,9 +2000,9 @@ func TestCreateValidateRichParameters(t *testing.T) { for i := 0; i < len(matches); i += 2 { match := matches[i] value := matches[i+1] - pty.ExpectMatch(match) + stdout.ExpectMatchContext(ctx, match) if value != "" { - pty.WriteLine(value) + stdin.WriteLine(value) } } <-doneChan @@ -2018,15 +2019,18 @@ func TestCreateValidateRichParameters(t *testing.T) { template := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID) t.Run("Prompt", func(t *testing.T) { + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) inv, root := clitest.New(t, "create", "my-workspace-1", "--template", template.Name) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) clitest.Start(t, inv) - pty.ExpectMatch(listOfStringsParameterName) - pty.ExpectMatch("aaa, bbb, ccc") - pty.ExpectMatch("Confirm create?") - pty.WriteLine("yes") + stdout.ExpectMatchContext(ctx, listOfStringsParameterName) + stdout.ExpectMatchContext(ctx, "aaa, bbb, ccc") + stdout.ExpectMatchContext(ctx, "Confirm create?") + stdin.WriteLine("yes") }) t.Run("Default", func(t *testing.T) { @@ -2049,6 +2053,8 @@ func TestCreateValidateRichParameters(t *testing.T) { t.Run("ValidateListOfStrings_YAMLFile", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) @@ -2066,8 +2072,8 @@ func TestCreateValidateRichParameters(t *testing.T) { - fff`) inv, root := clitest.New(t, "create", "my-workspace", "--template", template.Name, "--rich-parameter-file", parameterFile.Name()) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) - + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) clitest.Start(t, inv) matches := []string{ @@ -2076,9 +2082,9 @@ func TestCreateValidateRichParameters(t *testing.T) { for i := 0; i < len(matches); i += 2 { match := matches[i] value := matches[i+1] - pty.ExpectMatch(match) + stdout.ExpectMatchContext(ctx, match) if value != "" { - pty.WriteLine(value) + stdin.WriteLine(value) } } }) @@ -2086,6 +2092,8 @@ func TestCreateValidateRichParameters(t *testing.T) { func TestCreateWithGitAuth(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) echoResponses := &echo.Responses{ Parse: echo.ParseComplete, ProvisionInit: echo.InitComplete, @@ -2120,13 +2128,14 @@ func TestCreateWithGitAuth(t *testing.T) { inv, root := clitest.New(t, "create", "my-workspace", "--template", template.Name) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) clitest.Start(t, inv) - pty.ExpectMatch("You must authenticate with GitHub to create a workspace") + stdout.ExpectMatchContext(ctx, "You must authenticate with GitHub to create a workspace") resp := coderdtest.RequestExternalAuthCallback(t, "github", member) _ = resp.Body.Close() require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode) - pty.ExpectMatch("Confirm create?") - pty.WriteLine("yes") + stdout.ExpectMatchContext(ctx, "Confirm create?") + stdin.WriteLine("yes") } diff --git a/cli/delete_test.go b/cli/delete_test.go index 909166876d..c8dff9646a 100644 --- a/cli/delete_test.go +++ b/cli/delete_test.go @@ -22,8 +22,8 @@ import ( "github.com/coder/coder/v2/coderd/database/pubsub" "github.com/coder/coder/v2/coderd/rbac" "github.com/coder/coder/v2/codersdk" - "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" "github.com/coder/quartz" ) @@ -31,6 +31,7 @@ func TestDelete(t *testing.T) { t.Parallel() t.Run("WithParameter", func(t *testing.T) { t.Parallel() + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) @@ -42,7 +43,7 @@ func TestDelete(t *testing.T) { inv, root := clitest.New(t, "delete", workspace.Name, "-y") clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) go func() { defer close(doneChan) err := inv.Run() @@ -51,7 +52,7 @@ func TestDelete(t *testing.T) { assert.ErrorIs(t, err, io.EOF) } }() - pty.ExpectMatch("has been deleted") + stdout.ExpectMatchContext(ctx, "has been deleted") <-doneChan }) @@ -71,8 +72,7 @@ func TestDelete(t *testing.T) { clitest.SetupConfig(t, templateAdmin, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) go func() { defer close(doneChan) err := inv.WithContext(ctx).Run() @@ -81,7 +81,7 @@ func TestDelete(t *testing.T) { assert.ErrorIs(t, err, io.EOF) } }() - pty.ExpectMatch("has been deleted") + stdout.ExpectMatchContext(ctx, "has been deleted") testutil.TryReceive(ctx, t, doneChan) _, err := client.Workspace(ctx, workspace.ID) @@ -117,8 +117,7 @@ func TestDelete(t *testing.T) { //nolint:gocritic // Deleting orphaned workspaces requires an admin. clitest.SetupConfig(t, client, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) go func() { defer close(doneChan) err := inv.Run() @@ -127,7 +126,7 @@ func TestDelete(t *testing.T) { assert.ErrorIs(t, err, io.EOF) } }() - pty.ExpectMatch("has been deleted") + stdout.ExpectMatchContext(ctx, "has been deleted") <-doneChan }) @@ -146,11 +145,12 @@ func TestDelete(t *testing.T) { workspace := coderdtest.CreateWorkspace(t, client, template.ID) coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID) + ctx := testutil.Context(t, testutil.WaitMedium) inv, root := clitest.New(t, "delete", user.Username+"/"+workspace.Name, "-y") //nolint:gocritic // This requires an admin. clitest.SetupConfig(t, adminClient, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) go func() { defer close(doneChan) err := inv.Run() @@ -160,7 +160,7 @@ func TestDelete(t *testing.T) { } }() - pty.ExpectMatch("has been deleted") + stdout.ExpectMatchContext(ctx, "has been deleted") <-doneChan workspace, err = client.Workspace(context.Background(), workspace.ID) @@ -207,7 +207,7 @@ func TestDelete(t *testing.T) { // Then: the workspace deletion should warn about no provisioners inv, root := clitest.New(t, "delete", workspace.Name, "-y") - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) clitest.SetupConfig(t, templateAdmin, root) doneChan := make(chan struct{}) ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong) @@ -216,7 +216,7 @@ func TestDelete(t *testing.T) { defer close(doneChan) _ = inv.WithContext(ctx).Run() }() - pty.ExpectMatch("there are no provisioners that accept the required tags") + stdout.ExpectMatchContext(ctx, "there are no provisioners that accept the required tags") cancel() <-doneChan }) @@ -311,7 +311,7 @@ func TestDelete(t *testing.T) { inv, root := clitest.New(t, "delete", workspaceOwner+"/"+workspace.Name, "-y") clitest.SetupConfig(t, runClient, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) var runErr error go func() { defer close(doneChan) @@ -324,7 +324,7 @@ func TestDelete(t *testing.T) { require.Error(t, runErr) require.Contains(t, runErr.Error(), expectedErr) } else { - pty.ExpectMatch("has been deleted") + stdout.ExpectMatchContext(ctx, "has been deleted") <-doneChan // When running with the race detector on, we sometimes get an EOF. diff --git a/cli/exp_rpty_test.go b/cli/exp_rpty_test.go index eb29190c6f..72548188ea 100644 --- a/cli/exp_rpty_test.go +++ b/cli/exp_rpty_test.go @@ -15,8 +15,8 @@ import ( "github.com/coder/coder/v2/agent/agenttest" "github.com/coder/coder/v2/cli/clitest" "github.com/coder/coder/v2/coderd/coderdtest" - "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" ) func TestExpRpty(t *testing.T) { @@ -28,7 +28,7 @@ func TestExpRpty(t *testing.T) { client, workspace, agentToken := setupWorkspaceForAgent(t) inv, root := clitest.New(t, "exp", "rpty", workspace.Name) clitest.SetupConfig(t, client, root) - pty := ptytest.New(t).Attach(inv) + stdin := testutil.NewWriterAttachedToInvocation(t, testutil.Logger(t), inv) ctx := testutil.Context(t, testutil.WaitLong) @@ -40,7 +40,7 @@ func TestExpRpty(t *testing.T) { assert.NoError(t, err) }) - pty.WriteLine("exit") + stdin.WriteLine("exit") <-cmdDone }) @@ -51,7 +51,7 @@ func TestExpRpty(t *testing.T) { randStr := uuid.NewString() inv, root := clitest.New(t, "exp", "rpty", workspace.Name, "echo", randStr) clitest.SetupConfig(t, client, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) ctx := testutil.Context(t, testutil.WaitLong) @@ -63,7 +63,7 @@ func TestExpRpty(t *testing.T) { assert.NoError(t, err) }) - pty.ExpectMatch(randStr) + stdout.ExpectMatchContext(ctx, randStr) <-cmdDone }) @@ -86,6 +86,7 @@ func TestExpRpty(t *testing.T) { t.Skip("Skipping test on non-Linux platform") } + logger := testutil.Logger(t) wantLabel := "coder.devcontainers.TestExpRpty.Container" client, workspace, agentToken := setupWorkspaceForAgent(t) @@ -124,7 +125,8 @@ func TestExpRpty(t *testing.T) { inv, root := clitest.New(t, "exp", "rpty", workspace.Name, "-c", ct.Container.ID) clitest.SetupConfig(t, client, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) ctx := testutil.Context(t, testutil.WaitLong) cmdDone := tGo(t, func() { @@ -132,10 +134,10 @@ func TestExpRpty(t *testing.T) { assert.NoError(t, err) }) - pty.ExpectMatchContext(ctx, " #") - pty.WriteLine("hostname") - pty.ExpectMatchContext(ctx, ct.Container.Config.Hostname) - pty.WriteLine("exit") + stdout.ExpectMatchContext(ctx, " #") + stdin.WriteLine("hostname") + stdout.ExpectMatchContext(ctx, ct.Container.Config.Hostname) + stdin.WriteLine("exit") <-cmdDone }) } diff --git a/cli/list_test.go b/cli/list_test.go index 8cdde03072..201188ad1e 100644 --- a/cli/list_test.go +++ b/cli/list_test.go @@ -15,8 +15,8 @@ import ( "github.com/coder/coder/v2/coderd/database/dbfake" "github.com/coder/coder/v2/coderd/rbac" "github.com/coder/coder/v2/codersdk" - "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" ) func TestList(t *testing.T) { @@ -34,7 +34,7 @@ func TestList(t *testing.T) { inv, root := clitest.New(t, "ls") clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitLong) defer cancelFunc() @@ -44,8 +44,8 @@ func TestList(t *testing.T) { assert.NoError(t, errC) close(done) }() - pty.ExpectMatch(r.Workspace.Name) - pty.ExpectMatch("Started") + stdout.ExpectMatchContext(ctx, r.Workspace.Name) + stdout.ExpectMatchContext(ctx, "Started") cancelFunc() <-done }) diff --git a/cli/login_test.go b/cli/login_test.go index 6d6e54eb6e..5768a68127 100644 --- a/cli/login_test.go +++ b/cli/login_test.go @@ -5,7 +5,6 @@ import ( "fmt" "net/http" "net/http/httptest" - "runtime" "testing" "github.com/stretchr/testify/assert" @@ -15,8 +14,8 @@ import ( "github.com/coder/coder/v2/cli/cliui" "github.com/coder/coder/v2/coderd/coderdtest" "github.com/coder/coder/v2/codersdk" - "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" "github.com/coder/pretty" ) @@ -74,13 +73,16 @@ func TestLogin(t *testing.T) { t.Run("InitialUserTTY", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) client := coderdtest.New(t, nil) // The --force-tty flag is required on Windows, because the `isatty` library does not // accurately detect Windows ptys when they are not attached to a process: // https://github.com/mattn/go-isatty/issues/59 doneChan := make(chan struct{}) root, _ := clitest.New(t, "login", "--force-tty", client.URL.String()) - pty := ptytest.New(t).Attach(root) + stdout := expecter.NewAttachedToInvocation(t, root) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), root) + ctx := testutil.Context(t, testutil.WaitMedium) go func() { defer close(doneChan) err := root.Run() @@ -105,12 +107,11 @@ func TestLogin(t *testing.T) { for i := 0; i < len(matches); i += 2 { match := matches[i] value := matches[i+1] - pty.ExpectMatch(match) - pty.WriteLine(value) + stdout.ExpectMatchContext(ctx, match) + stdin.WriteLine(value) } - pty.ExpectMatch("Welcome to Coder") + stdout.ExpectMatchContext(ctx, "Welcome to Coder") <-doneChan - ctx := testutil.Context(t, testutil.WaitShort) resp, err := client.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{ Email: coderdtest.FirstUserParams.Email, Password: coderdtest.FirstUserParams.Password, @@ -126,13 +127,16 @@ func TestLogin(t *testing.T) { t.Run("InitialUserTTYWithNoTrial", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) client := coderdtest.New(t, nil) // The --force-tty flag is required on Windows, because the `isatty` library does not // accurately detect Windows ptys when they are not attached to a process: // https://github.com/mattn/go-isatty/issues/59 doneChan := make(chan struct{}) root, _ := clitest.New(t, "login", "--force-tty", client.URL.String()) - pty := ptytest.New(t).Attach(root) + stdout := expecter.NewAttachedToInvocation(t, root) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), root) + ctx := testutil.Context(t, testutil.WaitMedium) go func() { defer close(doneChan) err := root.Run() @@ -151,12 +155,11 @@ func TestLogin(t *testing.T) { for i := 0; i < len(matches); i += 2 { match := matches[i] value := matches[i+1] - pty.ExpectMatch(match) - pty.WriteLine(value) + stdout.ExpectMatchContext(ctx, match) + stdin.WriteLine(value) } - pty.ExpectMatch("Welcome to Coder") + stdout.ExpectMatchContext(ctx, "Welcome to Coder") <-doneChan - ctx := testutil.Context(t, testutil.WaitShort) resp, err := client.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{ Email: coderdtest.FirstUserParams.Email, Password: coderdtest.FirstUserParams.Password, @@ -172,13 +175,16 @@ func TestLogin(t *testing.T) { t.Run("InitialUserTTYNameOptional", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) client := coderdtest.New(t, nil) // The --force-tty flag is required on Windows, because the `isatty` library does not // accurately detect Windows ptys when they are not attached to a process: // https://github.com/mattn/go-isatty/issues/59 doneChan := make(chan struct{}) root, _ := clitest.New(t, "login", "--force-tty", client.URL.String()) - pty := ptytest.New(t).Attach(root) + stdout := expecter.NewAttachedToInvocation(t, root) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), root) + ctx := testutil.Context(t, testutil.WaitMedium) go func() { defer close(doneChan) err := root.Run() @@ -203,12 +209,11 @@ func TestLogin(t *testing.T) { for i := 0; i < len(matches); i += 2 { match := matches[i] value := matches[i+1] - pty.ExpectMatch(match) - pty.WriteLine(value) + stdout.ExpectMatchContext(ctx, match) + stdin.WriteLine(value) } - pty.ExpectMatch("Welcome to Coder") + stdout.ExpectMatchContext(ctx, "Welcome to Coder") <-doneChan - ctx := testutil.Context(t, testutil.WaitShort) resp, err := client.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{ Email: coderdtest.FirstUserParams.Email, Password: coderdtest.FirstUserParams.Password, @@ -224,16 +229,19 @@ func TestLogin(t *testing.T) { t.Run("InitialUserTTYFlag", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) client := coderdtest.New(t, nil) // The --force-tty flag is required on Windows, because the `isatty` library does not // accurately detect Windows ptys when they are not attached to a process: // https://github.com/mattn/go-isatty/issues/59 inv, _ := clitest.New(t, "--url", client.URL.String(), "login", "--force-tty") - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) + ctx := testutil.Context(t, testutil.WaitMedium) clitest.Start(t, inv) - pty.ExpectMatch(fmt.Sprintf("Attempting to authenticate with flag URL: '%s'", client.URL.String())) + stdout.ExpectMatchContext(ctx, fmt.Sprintf("Attempting to authenticate with flag URL: '%s'", client.URL.String())) matches := []string{ "first user?", "yes", "username", coderdtest.FirstUserParams.Username, @@ -252,11 +260,10 @@ func TestLogin(t *testing.T) { for i := 0; i < len(matches); i += 2 { match := matches[i] value := matches[i+1] - pty.ExpectMatch(match) - pty.WriteLine(value) + stdout.ExpectMatchContext(ctx, match) + stdin.WriteLine(value) } - pty.ExpectMatch("Welcome to Coder") - ctx := testutil.Context(t, testutil.WaitShort) + stdout.ExpectMatchContext(ctx, "Welcome to Coder") resp, err := client.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{ Email: coderdtest.FirstUserParams.Email, Password: coderdtest.FirstUserParams.Password, @@ -272,6 +279,7 @@ func TestLogin(t *testing.T) { t.Run("InitialUserFlags", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) client := coderdtest.New(t, nil) inv, _ := clitest.New( t, "login", client.URL.String(), @@ -281,22 +289,23 @@ func TestLogin(t *testing.T) { "--first-user-password", coderdtest.FirstUserParams.Password, "--first-user-trial", ) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) + ctx := testutil.Context(t, testutil.WaitMedium) w := clitest.StartWithWaiter(t, inv) - pty.ExpectMatch("firstName") - pty.WriteLine(coderdtest.TrialUserParams.FirstName) - pty.ExpectMatch("lastName") - pty.WriteLine(coderdtest.TrialUserParams.LastName) - pty.ExpectMatch("phoneNumber") - pty.WriteLine(coderdtest.TrialUserParams.PhoneNumber) - pty.ExpectMatch("jobTitle") - pty.WriteLine(coderdtest.TrialUserParams.JobTitle) - pty.ExpectMatch("companyName") - pty.WriteLine(coderdtest.TrialUserParams.CompanyName) + stdout.ExpectMatchContext(ctx, "firstName") + stdin.WriteLine(coderdtest.TrialUserParams.FirstName) + stdout.ExpectMatchContext(ctx, "lastName") + stdin.WriteLine(coderdtest.TrialUserParams.LastName) + stdout.ExpectMatchContext(ctx, "phoneNumber") + stdin.WriteLine(coderdtest.TrialUserParams.PhoneNumber) + stdout.ExpectMatchContext(ctx, "jobTitle") + stdin.WriteLine(coderdtest.TrialUserParams.JobTitle) + stdout.ExpectMatchContext(ctx, "companyName") + stdin.WriteLine(coderdtest.TrialUserParams.CompanyName) // `developers` and `country` `cliui.Select` automatically selects the first option during tests. - pty.ExpectMatch("Welcome to Coder") + stdout.ExpectMatchContext(ctx, "Welcome to Coder") w.RequireSuccess() - ctx := testutil.Context(t, testutil.WaitShort) resp, err := client.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{ Email: coderdtest.FirstUserParams.Email, Password: coderdtest.FirstUserParams.Password, @@ -312,6 +321,7 @@ func TestLogin(t *testing.T) { t.Run("InitialUserFlagsNameOptional", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) client := coderdtest.New(t, nil) inv, _ := clitest.New( t, "login", client.URL.String(), @@ -320,22 +330,23 @@ func TestLogin(t *testing.T) { "--first-user-password", coderdtest.FirstUserParams.Password, "--first-user-trial", ) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) + ctx := testutil.Context(t, testutil.WaitMedium) w := clitest.StartWithWaiter(t, inv) - pty.ExpectMatch("firstName") - pty.WriteLine(coderdtest.TrialUserParams.FirstName) - pty.ExpectMatch("lastName") - pty.WriteLine(coderdtest.TrialUserParams.LastName) - pty.ExpectMatch("phoneNumber") - pty.WriteLine(coderdtest.TrialUserParams.PhoneNumber) - pty.ExpectMatch("jobTitle") - pty.WriteLine(coderdtest.TrialUserParams.JobTitle) - pty.ExpectMatch("companyName") - pty.WriteLine(coderdtest.TrialUserParams.CompanyName) + stdout.ExpectMatchContext(ctx, "firstName") + stdin.WriteLine(coderdtest.TrialUserParams.FirstName) + stdout.ExpectMatchContext(ctx, "lastName") + stdin.WriteLine(coderdtest.TrialUserParams.LastName) + stdout.ExpectMatchContext(ctx, "phoneNumber") + stdin.WriteLine(coderdtest.TrialUserParams.PhoneNumber) + stdout.ExpectMatchContext(ctx, "jobTitle") + stdin.WriteLine(coderdtest.TrialUserParams.JobTitle) + stdout.ExpectMatchContext(ctx, "companyName") + stdin.WriteLine(coderdtest.TrialUserParams.CompanyName) // `developers` and `country` `cliui.Select` automatically selects the first option during tests. - pty.ExpectMatch("Welcome to Coder") + stdout.ExpectMatchContext(ctx, "Welcome to Coder") w.RequireSuccess() - ctx := testutil.Context(t, testutil.WaitShort) resp, err := client.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{ Email: coderdtest.FirstUserParams.Email, Password: coderdtest.FirstUserParams.Password, @@ -351,6 +362,7 @@ func TestLogin(t *testing.T) { t.Run("InitialUserTTYConfirmPasswordFailAndReprompt", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) ctx, cancel := context.WithCancel(context.Background()) defer cancel() client := coderdtest.New(t, nil) @@ -359,7 +371,8 @@ func TestLogin(t *testing.T) { // https://github.com/mattn/go-isatty/issues/59 doneChan := make(chan struct{}) root, _ := clitest.New(t, "login", "--force-tty", client.URL.String()) - pty := ptytest.New(t).Attach(root) + stdout := expecter.NewAttachedToInvocation(t, root) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), root) go func() { defer close(doneChan) err := root.WithContext(ctx).Run() @@ -377,59 +390,60 @@ func TestLogin(t *testing.T) { for i := 0; i < len(matches); i += 2 { match := matches[i] value := matches[i+1] - pty.ExpectMatch(match) - pty.WriteLine(value) + stdout.ExpectMatchContext(ctx, match) + stdin.WriteLine(value) } // Validate that we reprompt for matching passwords. - pty.ExpectMatch("Passwords do not match") - pty.ExpectMatch("Enter a " + pretty.Sprint(cliui.DefaultStyles.Field, "password")) - pty.WriteLine(coderdtest.FirstUserParams.Password) - pty.ExpectMatch("Confirm") - pty.WriteLine(coderdtest.FirstUserParams.Password) - pty.ExpectMatch("trial") - pty.WriteLine("yes") - pty.ExpectMatch("firstName") - pty.WriteLine(coderdtest.TrialUserParams.FirstName) - pty.ExpectMatch("lastName") - pty.WriteLine(coderdtest.TrialUserParams.LastName) - pty.ExpectMatch("phoneNumber") - pty.WriteLine(coderdtest.TrialUserParams.PhoneNumber) - pty.ExpectMatch("jobTitle") - pty.WriteLine(coderdtest.TrialUserParams.JobTitle) - pty.ExpectMatch("companyName") - pty.WriteLine(coderdtest.TrialUserParams.CompanyName) - pty.ExpectMatch("Welcome to Coder") + stdout.ExpectMatchContext(ctx, "Passwords do not match") + stdout.ExpectMatchContext(ctx, "Enter a "+pretty.Sprint(cliui.DefaultStyles.Field, "password")) + stdin.WriteLine(coderdtest.FirstUserParams.Password) + stdout.ExpectMatchContext(ctx, "Confirm") + stdin.WriteLine(coderdtest.FirstUserParams.Password) + stdout.ExpectMatchContext(ctx, "trial") + stdin.WriteLine("yes") + stdout.ExpectMatchContext(ctx, "firstName") + stdin.WriteLine(coderdtest.TrialUserParams.FirstName) + stdout.ExpectMatchContext(ctx, "lastName") + stdin.WriteLine(coderdtest.TrialUserParams.LastName) + stdout.ExpectMatchContext(ctx, "phoneNumber") + stdin.WriteLine(coderdtest.TrialUserParams.PhoneNumber) + stdout.ExpectMatchContext(ctx, "jobTitle") + stdin.WriteLine(coderdtest.TrialUserParams.JobTitle) + stdout.ExpectMatchContext(ctx, "companyName") + stdin.WriteLine(coderdtest.TrialUserParams.CompanyName) + stdout.ExpectMatchContext(ctx, "Welcome to Coder") <-doneChan }) t.Run("ExistingUserValidTokenTTY", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) client := coderdtest.New(t, nil) coderdtest.CreateFirstUser(t, client) + ctx := testutil.Context(t, testutil.WaitMedium) doneChan := make(chan struct{}) root, _ := clitest.New(t, "login", "--force-tty", client.URL.String(), "--no-open") - pty := ptytest.New(t).Attach(root) + stdout := expecter.NewAttachedToInvocation(t, root) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), root) go func() { defer close(doneChan) err := root.Run() assert.NoError(t, err) }() - pty.ExpectMatch(fmt.Sprintf("Attempting to authenticate with argument URL: '%s'", client.URL.String())) - pty.ExpectMatch("Paste your token here:") - pty.WriteLine(client.SessionToken()) - if runtime.GOOS != "windows" { - // For some reason, the match does not show up on Windows. - pty.ExpectMatch(client.SessionToken()) - } - pty.ExpectMatch("Welcome to Coder") + stdout.ExpectMatchContext(ctx, fmt.Sprintf("Attempting to authenticate with argument URL: '%s'", client.URL.String())) + stdout.ExpectMatchContext(ctx, "Paste your token here:") + stdin.WriteLine(client.SessionToken()) + stdout.ExpectMatchContext(ctx, "Welcome to Coder") <-doneChan }) t.Run("ExistingUserURLSavedInConfig", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, nil) url := client.URL.String() coderdtest.CreateFirstUser(t, client) @@ -438,21 +452,24 @@ func TestLogin(t *testing.T) { clitest.SetupConfig(t, client, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() assert.NoError(t, err) }() - pty.ExpectMatch(fmt.Sprintf("Attempting to authenticate with config URL: '%s'", url)) - pty.ExpectMatch("Paste your token here:") - pty.WriteLine(client.SessionToken()) + stdout.ExpectMatchContext(ctx, fmt.Sprintf("Attempting to authenticate with config URL: '%s'", url)) + stdout.ExpectMatchContext(ctx, "Paste your token here:") + stdin.WriteLine(client.SessionToken()) <-doneChan }) t.Run("ExistingUserURLSavedInEnv", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) client := coderdtest.New(t, nil) url := client.URL.String() coderdtest.CreateFirstUser(t, client) @@ -461,21 +478,23 @@ func TestLogin(t *testing.T) { inv.Environ.Set("CODER_URL", url) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() assert.NoError(t, err) }() - pty.ExpectMatch(fmt.Sprintf("Attempting to authenticate with environment URL: '%s'", url)) - pty.ExpectMatch("Paste your token here:") - pty.WriteLine(client.SessionToken()) + stdout.ExpectMatchContext(ctx, fmt.Sprintf("Attempting to authenticate with environment URL: '%s'", url)) + stdout.ExpectMatchContext(ctx, "Paste your token here:") + stdin.WriteLine(client.SessionToken()) <-doneChan }) t.Run("ExistingUserInvalidTokenTTY", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) client := coderdtest.New(t, nil) coderdtest.CreateFirstUser(t, client) @@ -483,7 +502,8 @@ func TestLogin(t *testing.T) { defer cancelFunc() doneChan := make(chan struct{}) root, _ := clitest.New(t, "login", client.URL.String(), "--no-open") - pty := ptytest.New(t).Attach(root) + stdout := expecter.NewAttachedToInvocation(t, root) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), root) go func() { defer close(doneChan) err := root.WithContext(ctx).Run() @@ -491,13 +511,9 @@ func TestLogin(t *testing.T) { assert.Error(t, err) }() - pty.ExpectMatch("Paste your token here:") - pty.WriteLine("an-invalid-token") - if runtime.GOOS != "windows" { - // For some reason, the match does not show up on Windows. - pty.ExpectMatch("an-invalid-token") - } - pty.ExpectMatch("That's not a valid token!") + stdout.ExpectMatchContext(ctx, "Paste your token here:") + stdin.WriteLine("an-invalid-token") + stdout.ExpectMatchContext(ctx, "That's not a valid token!") cancelFunc() <-doneChan }) @@ -582,12 +598,12 @@ func TestLoginToken(t *testing.T) { inv, root := clitest.New(t, "login", "token", "--url", client.URL.String()) clitest.SetupConfig(t, client, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) ctx := testutil.Context(t, testutil.WaitShort) err := inv.WithContext(ctx).Run() require.NoError(t, err) - pty.ExpectMatch(client.SessionToken()) + stdout.ExpectMatchContext(ctx, client.SessionToken()) }) t.Run("NoTokenStored", func(t *testing.T) { diff --git a/cli/organization_test.go b/cli/organization_test.go index 8c4997f4ae..ab5751b513 100644 --- a/cli/organization_test.go +++ b/cli/organization_test.go @@ -17,7 +17,8 @@ import ( "github.com/coder/coder/v2/cli/clitest" "github.com/coder/coder/v2/cli/cliui" "github.com/coder/coder/v2/codersdk" - "github.com/coder/coder/v2/pty/ptytest" + "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" "github.com/coder/pretty" ) @@ -29,6 +30,7 @@ func TestCurrentOrganization(t *testing.T) { // 2. The user is connecting to an older Coder instance. t.Run("no-default", func(t *testing.T) { t.Parallel() + ctx := testutil.Context(t, testutil.WaitMedium) orgID := uuid.New() srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { @@ -49,13 +51,13 @@ func TestCurrentOrganization(t *testing.T) { client := codersdk.New(must(url.Parse(srv.URL))) inv, root := clitest.New(t, "organizations", "show", "selected") clitest.SetupConfig(t, client, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) errC := make(chan error) go func() { errC <- inv.Run() }() require.NoError(t, <-errC) - pty.ExpectMatch(orgID.String()) + stdout.ExpectMatchContext(ctx, orgID.String()) }) } @@ -140,6 +142,8 @@ func TestOrganizationDelete(t *testing.T) { t.Run("Prompted", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) + ctx := testutil.Context(t, testutil.WaitMedium) orgID := uuid.New() var deleteCalled atomic.Bool @@ -167,15 +171,16 @@ func TestOrganizationDelete(t *testing.T) { client := codersdk.New(must(url.Parse(server.URL))) inv, root := clitest.New(t, "organizations", "delete", "my-org") clitest.SetupConfig(t, client, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) execDone := make(chan error) go func() { execDone <- inv.Run() }() - pty.ExpectMatch(fmt.Sprintf("Delete organization %s?", pretty.Sprint(cliui.DefaultStyles.Code, "my-org"))) - pty.WriteLine("yes") + stdout.ExpectMatchContext(ctx, fmt.Sprintf("Delete organization %s?", pretty.Sprint(cliui.DefaultStyles.Code, "my-org"))) + stdin.WriteLine("yes") require.NoError(t, <-execDone) require.True(t, deleteCalled.Load(), "expected delete request") diff --git a/cli/portforward_test.go b/cli/portforward_test.go index 91c13efabe..d0cfeeb8fb 100644 --- a/cli/portforward_test.go +++ b/cli/portforward_test.go @@ -25,8 +25,8 @@ import ( "github.com/coder/coder/v2/coderd/database/dbfake" "github.com/coder/coder/v2/coderd/database/dbtime" "github.com/coder/coder/v2/codersdk" - "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" ) func TestPortForward_None(t *testing.T) { @@ -160,10 +160,7 @@ func TestPortForward(t *testing.T) { // the "local" listener. inv, root := clitest.New(t, "-v", "port-forward", workspace.Name, flag) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t) - inv.Stdin = pty.Input() - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) iNet := testutil.NewInProcNet() inv.Net = iNet @@ -175,7 +172,7 @@ func TestPortForward(t *testing.T) { t.Logf("command complete; err=%s", err.Error()) errC <- err }() - pty.ExpectMatchContext(ctx, "Ready!") + stdout.ExpectMatchContext(ctx, "Ready!") // Open two connections simultaneously and test them out of // sync. @@ -216,10 +213,7 @@ func TestPortForward(t *testing.T) { // the "local" listeners. inv, root := clitest.New(t, "-v", "port-forward", workspace.Name, flag1, flag2) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t) - inv.Stdin = pty.Input() - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) iNet := testutil.NewInProcNet() inv.Net = iNet @@ -229,7 +223,7 @@ func TestPortForward(t *testing.T) { go func() { errC <- inv.WithContext(ctx).Run() }() - pty.ExpectMatchContext(ctx, "Ready!") + stdout.ExpectMatchContext(ctx, "Ready!") // Open a connection to both listener 1 and 2 simultaneously and // then test them out of order. @@ -277,8 +271,7 @@ func TestPortForward(t *testing.T) { // the "local" listeners. inv, root := clitest.New(t, append([]string{"-v", "port-forward", workspace.Name}, flags...)...) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) iNet := testutil.NewInProcNet() inv.Net = iNet @@ -288,7 +281,7 @@ func TestPortForward(t *testing.T) { go func() { errC <- inv.WithContext(ctx).Run() }() - pty.ExpectMatchContext(ctx, "Ready!") + stdout.ExpectMatchContext(ctx, "Ready!") // Open connections to all items in the "dial" array. var ( @@ -338,10 +331,7 @@ func TestPortForward(t *testing.T) { // the "local" listener. inv, root := clitest.New(t, "-v", "port-forward", workspace.Name, flag) clitest.SetupConfig(t, member, root) - pty := ptytest.New(t) - inv.Stdin = pty.Input() - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) iNet := testutil.NewInProcNet() inv.Net = iNet @@ -359,7 +349,7 @@ func TestPortForward(t *testing.T) { t.Logf("command complete; err=%s", err.Error()) errC <- err }() - pty.ExpectMatchContext(ctx, "Ready!") + stdout.ExpectMatchContext(ctx, "Ready!") // Test IPv4 still works dialCtx, dialCtxCancel := context.WithTimeout(ctx, testutil.WaitShort) diff --git a/cli/rename_test.go b/cli/rename_test.go index 31d14e5e08..e9aa8d480d 100644 --- a/cli/rename_test.go +++ b/cli/rename_test.go @@ -8,12 +8,13 @@ import ( "github.com/coder/coder/v2/cli/clitest" "github.com/coder/coder/v2/coderd/coderdtest" - "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" ) func TestRename(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true, AllowWorkspaceRenames: true}) owner := coderdtest.CreateFirstUser(t, client) @@ -30,13 +31,13 @@ func TestRename(t *testing.T) { want := coderdtest.RandomUsername(t) inv, root := clitest.New(t, "rename", workspace.Name, want, "--yes") clitest.SetupConfig(t, member, root) - pty := ptytest.New(t) - pty.Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) clitest.Start(t, inv) - pty.ExpectMatch("confirm rename:") - pty.WriteLine(workspace.Name) - pty.ExpectMatch("renamed to") + stdout.ExpectMatchContext(ctx, "confirm rename:") + stdin.WriteLine(workspace.Name) + stdout.ExpectMatchContext(ctx, "renamed to") ws, err := client.Workspace(ctx, workspace.ID) assert.NoError(t, err) diff --git a/cli/restart_test.go b/cli/restart_test.go index a8cd7ee5f3..3506d313a2 100644 --- a/cli/restart_test.go +++ b/cli/restart_test.go @@ -1,7 +1,6 @@ package cli_test import ( - "context" "fmt" "testing" @@ -14,8 +13,8 @@ import ( "github.com/coder/coder/v2/codersdk" "github.com/coder/coder/v2/provisioner/echo" "github.com/coder/coder/v2/provisionersdk/proto" - "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" ) func TestRestart(t *testing.T) { @@ -49,15 +48,15 @@ func TestRestart(t *testing.T) { inv, root := clitest.New(t, "restart", workspace.Name, "--yes") clitest.SetupConfig(t, member, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) done := make(chan error, 1) go func() { done <- inv.WithContext(ctx).Run() }() - pty.ExpectMatch("Stopping workspace") - pty.ExpectMatch("Starting workspace") - pty.ExpectMatch("workspace has been restarted") + stdout.ExpectMatchContext(ctx, "Stopping workspace") + stdout.ExpectMatchContext(ctx, "Starting workspace") + stdout.ExpectMatchContext(ctx, "workspace has been restarted") err := <-done require.NoError(t, err, "execute failed") @@ -66,6 +65,7 @@ func TestRestart(t *testing.T) { t.Run("PromptEphemeralParameters", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) member, memberUser := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) @@ -84,13 +84,15 @@ func TestRestart(t *testing.T) { inv, root := clitest.New(t, "restart", workspace.Name, "--prompt-ephemeral-parameters") clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() assert.NoError(t, err) }() + ctx := testutil.Context(t, testutil.WaitShort) matches := []string{ ephemeralParameterDescription, ephemeralParameterValue, "Restart workspace?", "yes", @@ -101,18 +103,15 @@ func TestRestart(t *testing.T) { for i := 0; i < len(matches); i += 2 { match := matches[i] value := matches[i+1] - pty.ExpectMatch(match) + stdout.ExpectMatchContext(ctx, match) if value != "" { - pty.WriteLine(value) + stdin.WriteLine(value) } } <-doneChan // Verify if build option is set - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) - defer cancel() - workspace, err := client.WorkspaceByOwnerAndName(ctx, memberUser.ID.String(), workspace.Name, codersdk.WorkspaceOptions{}) require.NoError(t, err) actualParameters, err := client.WorkspaceBuildParameters(ctx, workspace.LatestBuild.ID) @@ -126,6 +125,7 @@ func TestRestart(t *testing.T) { t.Run("EphemeralParameterFlags", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) member, memberUser := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) @@ -143,13 +143,15 @@ func TestRestart(t *testing.T) { "--ephemeral-parameter", fmt.Sprintf("%s=%s", ephemeralParameterName, ephemeralParameterValue)) clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() assert.NoError(t, err) }() + ctx := testutil.Context(t, testutil.WaitShort) matches := []string{ "Restart workspace?", "yes", "Stopping workspace", "", @@ -159,18 +161,15 @@ func TestRestart(t *testing.T) { for i := 0; i < len(matches); i += 2 { match := matches[i] value := matches[i+1] - pty.ExpectMatch(match) + stdout.ExpectMatchContext(ctx, match) if value != "" { - pty.WriteLine(value) + stdin.WriteLine(value) } } <-doneChan // Verify if build option is set - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) - defer cancel() - workspace, err := client.WorkspaceByOwnerAndName(ctx, memberUser.ID.String(), workspace.Name, codersdk.WorkspaceOptions{}) require.NoError(t, err) actualParameters, err := client.WorkspaceBuildParameters(ctx, workspace.LatestBuild.ID) @@ -184,6 +183,7 @@ func TestRestart(t *testing.T) { t.Run("with deprecated build-options flag", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) member, memberUser := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) @@ -202,13 +202,15 @@ func TestRestart(t *testing.T) { inv, root := clitest.New(t, "restart", workspace.Name, "--build-options") clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() assert.NoError(t, err) }() + ctx := testutil.Context(t, testutil.WaitShort) matches := []string{ ephemeralParameterDescription, ephemeralParameterValue, "Restart workspace?", "yes", @@ -219,18 +221,15 @@ func TestRestart(t *testing.T) { for i := 0; i < len(matches); i += 2 { match := matches[i] value := matches[i+1] - pty.ExpectMatch(match) + stdout.ExpectMatchContext(ctx, match) if value != "" { - pty.WriteLine(value) + stdin.WriteLine(value) } } <-doneChan // Verify if build option is set - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) - defer cancel() - workspace, err := client.WorkspaceByOwnerAndName(ctx, memberUser.ID.String(), workspace.Name, codersdk.WorkspaceOptions{}) require.NoError(t, err) actualParameters, err := client.WorkspaceBuildParameters(ctx, workspace.LatestBuild.ID) @@ -244,6 +243,7 @@ func TestRestart(t *testing.T) { t.Run("with deprecated build-option flag", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) member, memberUser := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) @@ -261,13 +261,15 @@ func TestRestart(t *testing.T) { "--build-option", fmt.Sprintf("%s=%s", ephemeralParameterName, ephemeralParameterValue)) clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() assert.NoError(t, err) }() + ctx := testutil.Context(t, testutil.WaitShort) matches := []string{ "Restart workspace?", "yes", "Stopping workspace", "", @@ -277,18 +279,15 @@ func TestRestart(t *testing.T) { for i := 0; i < len(matches); i += 2 { match := matches[i] value := matches[i+1] - pty.ExpectMatch(match) + stdout.ExpectMatchContext(ctx, match) if value != "" { - pty.WriteLine(value) + stdin.WriteLine(value) } } <-doneChan // Verify if build option is set - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) - defer cancel() - workspace, err := client.WorkspaceByOwnerAndName(ctx, memberUser.ID.String(), workspace.Name, codersdk.WorkspaceOptions{}) require.NoError(t, err) actualParameters, err := client.WorkspaceBuildParameters(ctx, workspace.LatestBuild.ID) @@ -349,20 +348,18 @@ func TestRestartWithParameters(t *testing.T) { inv, root := clitest.New(t, "restart", workspace.Name, "-y") clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) go func() { defer close(doneChan) err := inv.Run() assert.NoError(t, err) }() + ctx := testutil.Context(t, testutil.WaitShort) - pty.ExpectMatch("workspace has been restarted") + stdout.ExpectMatchContext(ctx, "workspace has been restarted") <-doneChan // Verify if immutable parameter is set - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) - defer cancel() - workspace, err := client.WorkspaceByOwnerAndName(ctx, workspace.OwnerName, workspace.Name, codersdk.WorkspaceOptions{}) require.NoError(t, err) actualParameters, err := client.WorkspaceBuildParameters(ctx, workspace.LatestBuild.ID) @@ -376,6 +373,7 @@ func TestRestartWithParameters(t *testing.T) { t.Run("AlwaysPrompt", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) // Create the workspace client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true}) owner := coderdtest.CreateFirstUser(t, client) @@ -396,24 +394,23 @@ func TestRestartWithParameters(t *testing.T) { inv, root := clitest.New(t, "restart", workspace.Name, "-y", "--always-prompt") clitest.SetupConfig(t, member, root) doneChan := make(chan struct{}) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) go func() { defer close(doneChan) err := inv.Run() assert.NoError(t, err) }() + ctx := testutil.Context(t, testutil.WaitShort) // We should be prompted for the parameters again. newValue := "xyz" - pty.ExpectMatch(mutableParameterName) - pty.WriteLine(newValue) - pty.ExpectMatch("workspace has been restarted") + stdout.ExpectMatchContext(ctx, mutableParameterName) + stdin.WriteLine(newValue) + stdout.ExpectMatchContext(ctx, "workspace has been restarted") <-doneChan // Verify that the updated values are persisted. - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) - defer cancel() - workspace, err := client.WorkspaceByOwnerAndName(ctx, workspace.OwnerName, workspace.Name, codersdk.WorkspaceOptions{}) require.NoError(t, err) actualParameters, err := client.WorkspaceBuildParameters(ctx, workspace.LatestBuild.ID) diff --git a/cli/root.go b/cli/root.go index a40ac7c3c2..2e4aa7dd17 100644 --- a/cli/root.go +++ b/cli/root.go @@ -1701,7 +1701,44 @@ func (r roundTripper) RoundTrip(req *http.Request) (*http.Response, error) { return r(req) } -// HeaderTransport creates a new transport that executes `--header-command` +// appendAndDedupEnv appends extra environment variables and +// deduplicates entries with the same key (case-insensitive on +// Windows). For the PATH variable specifically, it prefers the +// value that contains native Windows paths (with backslashes) +// over MSYS-translated paths (with forward slashes). For all +// other variables, the last value wins. +func appendAndDedupEnv(env []string, extra ...string) []string { + env = append(env, extra...) + if runtime.GOOS != "windows" { + return env + } + seen := make(map[string]int, len(env)) + result := make([]string, 0, len(env)) + for _, e := range env { + key, val, ok := strings.Cut(e, "=") + if !ok { + result = append(result, e) + continue + } + upper := strings.ToUpper(key) + if idx, exists := seen[upper]; exists { + if upper == "PATH" { + // Prefer the value with native Windows paths. + existingVal := result[idx][len(key)+1:] + if strings.Contains(existingVal, "\\") && !strings.Contains(val, "\\") { + continue + } + } + result[idx] = e + continue + } + seen[upper] = len(result) + result = append(result, e) + } + return result +} + +// headerTransport creates a new transport that executes `--header-command` // if it is set to add headers for all outbound requests. func headerTransport(ctx context.Context, serverURL *url.URL, header []string, headerCommand string) (*codersdk.HeaderTransport, error) { transport := &codersdk.HeaderTransport{ @@ -1719,7 +1756,7 @@ func headerTransport(ctx context.Context, serverURL *url.URL, header []string, h var outBuf bytes.Buffer // #nosec cmd := exec.CommandContext(ctx, shell, caller, headerCommand) - cmd.Env = append(os.Environ(), "CODER_URL="+serverURL.String()) + cmd.Env = appendAndDedupEnv(os.Environ(), "CODER_URL="+serverURL.String()) cmd.Stdout = &outBuf cmd.Stderr = io.Discard err := cmd.Run() diff --git a/cli/root_test.go b/cli/root_test.go index fefb87382c..aaf81f574e 100644 --- a/cli/root_test.go +++ b/cli/root_test.go @@ -177,15 +177,17 @@ func TestRoot(t *testing.T) { url = srv.URL buf := new(bytes.Buffer) coderURLEnv := "$CODER_URL" + headerCmd := "printf X-Process-Testing=very-wow-" + coderURLEnv + "'\\r\\n'X-Process-Testing2=more-wow" if runtime.GOOS == "windows" { coderURLEnv = "%CODER_URL%" + headerCmd = "echo X-Process-Testing=very-wow-" + coderURLEnv + "& echo X-Process-Testing2=more-wow" } inv, _ := clitest.New(t, "--no-feature-warning", "--no-version-warning", "--header", "X-Testing=wow", "--header", "Cool-Header=Dean was Here!", - "--header-command", "printf X-Process-Testing=very-wow-"+coderURLEnv+"'\\r\\n'X-Process-Testing2=more-wow", + "--header-command", headerCmd, "login", srv.URL, ) inv.Stdout = buf @@ -266,7 +268,7 @@ func TestDERPHeaders(t *testing.T) { "--no-version-warning", "ping", workspace.Name, "-n", "1", - "--header-command", "printf X-Process-Testing=very-wow", + "--header-command", "echo X-Process-Testing=very-wow", } for k, v := range expectedHeaders { if k != "X-Process-Testing" { diff --git a/cli/schedule_test.go b/cli/schedule_test.go index ed9c5b1743..c9f61345a1 100644 --- a/cli/schedule_test.go +++ b/cli/schedule_test.go @@ -19,8 +19,8 @@ import ( "github.com/coder/coder/v2/coderd/schedule/cron" "github.com/coder/coder/v2/coderd/util/tz" "github.com/coder/coder/v2/codersdk" - "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" ) // setupTestSchedule creates 4 workspaces: @@ -97,20 +97,21 @@ func TestScheduleShow(t *testing.T) { inv, root := clitest.New(t, "schedule", "show") //nolint:gocritic // Testing that owner user sees all clitest.SetupConfig(t, ownerClient, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + ctx := testutil.Context(t, testutil.WaitShort) require.NoError(t, inv.Run()) // Then: they should see their own workspaces. // 1st workspace: a-owner-ws1 has both autostart and autostop enabled. - pty.ExpectMatch(ws[0].OwnerName + "/" + ws[0].Name) - pty.ExpectMatch(sched.Humanize()) - pty.ExpectMatch(sched.Next(now).In(loc).Format(time.RFC3339)) - pty.ExpectMatch("8h") - pty.ExpectMatch(ws[0].LatestBuild.Deadline.Time.In(loc).Format(time.RFC3339)) + stdout.ExpectMatchContext(ctx, ws[0].OwnerName+"/"+ws[0].Name) + stdout.ExpectMatchContext(ctx, sched.Humanize()) + stdout.ExpectMatchContext(ctx, sched.Next(now).In(loc).Format(time.RFC3339)) + stdout.ExpectMatchContext(ctx, "8h") + stdout.ExpectMatchContext(ctx, ws[0].LatestBuild.Deadline.Time.In(loc).Format(time.RFC3339)) // 2nd workspace: b-owner-ws2 has only autostart enabled. - pty.ExpectMatch(ws[1].OwnerName + "/" + ws[1].Name) - pty.ExpectMatch(sched.Humanize()) - pty.ExpectMatch(sched.Next(now).In(loc).Format(time.RFC3339)) + stdout.ExpectMatchContext(ctx, ws[1].OwnerName+"/"+ws[1].Name) + stdout.ExpectMatchContext(ctx, sched.Humanize()) + stdout.ExpectMatchContext(ctx, sched.Next(now).In(loc).Format(time.RFC3339)) }) t.Run("OwnerAll", func(t *testing.T) { @@ -118,26 +119,27 @@ func TestScheduleShow(t *testing.T) { inv, root := clitest.New(t, "schedule", "show", "--all") //nolint:gocritic // Testing that owner user sees all clitest.SetupConfig(t, ownerClient, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + ctx := testutil.Context(t, testutil.WaitShort) require.NoError(t, inv.Run()) // Then: they should see all workspaces // 1st workspace: a-owner-ws1 has both autostart and autostop enabled. - pty.ExpectMatch(ws[0].OwnerName + "/" + ws[0].Name) - pty.ExpectMatch(sched.Humanize()) - pty.ExpectMatch(sched.Next(now).In(loc).Format(time.RFC3339)) - pty.ExpectMatch("8h") - pty.ExpectMatch(ws[0].LatestBuild.Deadline.Time.In(loc).Format(time.RFC3339)) + stdout.ExpectMatchContext(ctx, ws[0].OwnerName+"/"+ws[0].Name) + stdout.ExpectMatchContext(ctx, sched.Humanize()) + stdout.ExpectMatchContext(ctx, sched.Next(now).In(loc).Format(time.RFC3339)) + stdout.ExpectMatchContext(ctx, "8h") + stdout.ExpectMatchContext(ctx, ws[0].LatestBuild.Deadline.Time.In(loc).Format(time.RFC3339)) // 2nd workspace: b-owner-ws2 has only autostart enabled. - pty.ExpectMatch(ws[1].OwnerName + "/" + ws[1].Name) - pty.ExpectMatch(sched.Humanize()) - pty.ExpectMatch(sched.Next(now).In(loc).Format(time.RFC3339)) + stdout.ExpectMatchContext(ctx, ws[1].OwnerName+"/"+ws[1].Name) + stdout.ExpectMatchContext(ctx, sched.Humanize()) + stdout.ExpectMatchContext(ctx, sched.Next(now).In(loc).Format(time.RFC3339)) // 3rd workspace: c-member-ws3 has only autostop enabled. - pty.ExpectMatch(ws[2].OwnerName + "/" + ws[2].Name) - pty.ExpectMatch("8h") - pty.ExpectMatch(ws[2].LatestBuild.Deadline.Time.In(loc).Format(time.RFC3339)) + stdout.ExpectMatchContext(ctx, ws[2].OwnerName+"/"+ws[2].Name) + stdout.ExpectMatchContext(ctx, "8h") + stdout.ExpectMatchContext(ctx, ws[2].LatestBuild.Deadline.Time.In(loc).Format(time.RFC3339)) // 4th workspace: d-member-ws4 has neither autostart nor autostop enabled. - pty.ExpectMatch(ws[3].OwnerName + "/" + ws[3].Name) + stdout.ExpectMatchContext(ctx, ws[3].OwnerName+"/"+ws[3].Name) }) t.Run("OwnerSearchByName", func(t *testing.T) { @@ -145,14 +147,15 @@ func TestScheduleShow(t *testing.T) { inv, root := clitest.New(t, "schedule", "show", "--search", "name:"+ws[1].Name) //nolint:gocritic // Testing that owner user sees all clitest.SetupConfig(t, ownerClient, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + ctx := testutil.Context(t, testutil.WaitShort) require.NoError(t, inv.Run()) // Then: they should see workspaces matching that query // 2nd workspace: b-owner-ws2 has only autostart enabled. - pty.ExpectMatch(ws[1].OwnerName + "/" + ws[1].Name) - pty.ExpectMatch(sched.Humanize()) - pty.ExpectMatch(sched.Next(now).In(loc).Format(time.RFC3339)) + stdout.ExpectMatchContext(ctx, ws[1].OwnerName+"/"+ws[1].Name) + stdout.ExpectMatchContext(ctx, sched.Humanize()) + stdout.ExpectMatchContext(ctx, sched.Next(now).In(loc).Format(time.RFC3339)) }) t.Run("OwnerOneArg", func(t *testing.T) { @@ -160,37 +163,39 @@ func TestScheduleShow(t *testing.T) { inv, root := clitest.New(t, "schedule", "show", ws[2].OwnerName+"/"+ws[2].Name) //nolint:gocritic // Testing that owner user sees all clitest.SetupConfig(t, ownerClient, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + ctx := testutil.Context(t, testutil.WaitShort) require.NoError(t, inv.Run()) // Then: they should see that workspace // 3rd workspace: c-member-ws3 has only autostop enabled. - pty.ExpectMatch(ws[2].OwnerName + "/" + ws[2].Name) - pty.ExpectMatch("8h") - pty.ExpectMatch(ws[2].LatestBuild.Deadline.Time.In(loc).Format(time.RFC3339)) + stdout.ExpectMatchContext(ctx, ws[2].OwnerName+"/"+ws[2].Name) + stdout.ExpectMatchContext(ctx, "8h") + stdout.ExpectMatchContext(ctx, ws[2].LatestBuild.Deadline.Time.In(loc).Format(time.RFC3339)) }) t.Run("MemberNoArgs", func(t *testing.T) { // When: a member specifies no args inv, root := clitest.New(t, "schedule", "show") clitest.SetupConfig(t, memberClient, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + ctx := testutil.Context(t, testutil.WaitShort) require.NoError(t, inv.Run()) // Then: they should see their own workspaces // 1st workspace: c-member-ws3 has only autostop enabled. - pty.ExpectMatch(ws[2].OwnerName + "/" + ws[2].Name) - pty.ExpectMatch("8h") - pty.ExpectMatch(ws[2].LatestBuild.Deadline.Time.In(loc).Format(time.RFC3339)) + stdout.ExpectMatchContext(ctx, ws[2].OwnerName+"/"+ws[2].Name) + stdout.ExpectMatchContext(ctx, "8h") + stdout.ExpectMatchContext(ctx, ws[2].LatestBuild.Deadline.Time.In(loc).Format(time.RFC3339)) // 2nd workspace: d-member-ws4 has neither autostart nor autostop enabled. - pty.ExpectMatch(ws[3].OwnerName + "/" + ws[3].Name) + stdout.ExpectMatchContext(ctx, ws[3].OwnerName+"/"+ws[3].Name) }) t.Run("MemberAll", func(t *testing.T) { // When: a member lists all workspaces inv, root := clitest.New(t, "schedule", "show", "--all") clitest.SetupConfig(t, memberClient, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) ctx := testutil.Context(t, testutil.WaitShort) errC := make(chan error) go func() { @@ -200,11 +205,11 @@ func TestScheduleShow(t *testing.T) { // Then: they should only see their own // 1st workspace: c-member-ws3 has only autostop enabled. - pty.ExpectMatch(ws[2].OwnerName + "/" + ws[2].Name) - pty.ExpectMatch("8h") - pty.ExpectMatch(ws[2].LatestBuild.Deadline.Time.In(loc).Format(time.RFC3339)) + stdout.ExpectMatchContext(ctx, ws[2].OwnerName+"/"+ws[2].Name) + stdout.ExpectMatchContext(ctx, "8h") + stdout.ExpectMatchContext(ctx, ws[2].LatestBuild.Deadline.Time.In(loc).Format(time.RFC3339)) // 2nd workspace: d-member-ws4 has neither autostart nor autostop enabled. - pty.ExpectMatch(ws[3].OwnerName + "/" + ws[3].Name) + stdout.ExpectMatchContext(ctx, ws[3].OwnerName+"/"+ws[3].Name) }) t.Run("JSON", func(t *testing.T) { @@ -276,13 +281,14 @@ func TestScheduleModify(t *testing.T) { ) //nolint:gocritic // this workspace is not owned by the same user clitest.SetupConfig(t, ownerClient, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + ctx := testutil.Context(t, testutil.WaitShort) require.NoError(t, inv.Run()) // Then: the updated schedule should be shown - pty.ExpectMatch(ws[3].OwnerName + "/" + ws[3].Name) - pty.ExpectMatch(sched.Humanize()) - pty.ExpectMatch(sched.Next(now).In(loc).Format(time.RFC3339)) + stdout.ExpectMatchContext(ctx, ws[3].OwnerName+"/"+ws[3].Name) + stdout.ExpectMatchContext(ctx, sched.Humanize()) + stdout.ExpectMatchContext(ctx, sched.Next(now).In(loc).Format(time.RFC3339)) }) t.Run("SetStop", func(t *testing.T) { @@ -292,13 +298,14 @@ func TestScheduleModify(t *testing.T) { ) //nolint:gocritic // this workspace is not owned by the same user clitest.SetupConfig(t, ownerClient, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + ctx := testutil.Context(t, testutil.WaitShort) require.NoError(t, inv.Run()) // Then: the updated schedule should be shown - pty.ExpectMatch(ws[2].OwnerName + "/" + ws[2].Name) - pty.ExpectMatch("8h30m") - pty.ExpectMatch(ws[2].LatestBuild.Deadline.Time.In(loc).Format(time.RFC3339)) + stdout.ExpectMatchContext(ctx, ws[2].OwnerName+"/"+ws[2].Name) + stdout.ExpectMatchContext(ctx, "8h30m") + stdout.ExpectMatchContext(ctx, ws[2].LatestBuild.Deadline.Time.In(loc).Format(time.RFC3339)) }) t.Run("UnsetStart", func(t *testing.T) { @@ -308,11 +315,12 @@ func TestScheduleModify(t *testing.T) { ) //nolint:gocritic // this workspace is owned by owner clitest.SetupConfig(t, ownerClient, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + ctx := testutil.Context(t, testutil.WaitShort) require.NoError(t, inv.Run()) // Then: the updated schedule should be shown - pty.ExpectMatch(ws[1].OwnerName + "/" + ws[1].Name) + stdout.ExpectMatchContext(ctx, ws[1].OwnerName+"/"+ws[1].Name) }) t.Run("UnsetStop", func(t *testing.T) { @@ -322,11 +330,12 @@ func TestScheduleModify(t *testing.T) { ) //nolint:gocritic // this workspace is owned by owner clitest.SetupConfig(t, ownerClient, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + ctx := testutil.Context(t, testutil.WaitShort) require.NoError(t, inv.Run()) // Then: the updated schedule should be shown - pty.ExpectMatch(ws[0].OwnerName + "/" + ws[0].Name) + stdout.ExpectMatchContext(ctx, ws[0].OwnerName+"/"+ws[0].Name) }) } @@ -359,7 +368,8 @@ func TestScheduleOverride(t *testing.T) { ) clitest.SetupConfig(t, ownerClient, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + ctx := testutil.Context(t, testutil.WaitShort) require.NoError(t, inv.Run()) // Fetch the workspace to get the actual deadline set by the @@ -376,11 +386,11 @@ func TestScheduleOverride(t *testing.T) { expectedDeadline := updated.LatestBuild.Deadline.Time.In(loc).Format(time.RFC3339) // Then: the updated schedule should be shown - pty.ExpectMatch(ws[0].OwnerName + "/" + ws[0].Name) - pty.ExpectMatch(sched.Humanize()) - pty.ExpectMatch(sched.Next(now).In(loc).Format(time.RFC3339)) - pty.ExpectMatch("8h") - pty.ExpectMatch(expectedDeadline) + stdout.ExpectMatchContext(ctx, ws[0].OwnerName+"/"+ws[0].Name) + stdout.ExpectMatchContext(ctx, sched.Humanize()) + stdout.ExpectMatchContext(ctx, sched.Next(now).In(loc).Format(time.RFC3339)) + stdout.ExpectMatchContext(ctx, "8h") + stdout.ExpectMatchContext(ctx, expectedDeadline) }) } } @@ -422,13 +432,14 @@ func TestScheduleStart_TemplateAutostartRequirement(t *testing.T) { "schedule", "start", workspace.Name, "9:30AM", "Mon-Fri", ) clitest.SetupConfig(t, client, root) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + ctx := testutil.Context(t, testutil.WaitShort) require.NoError(t, inv.Run()) // Then: warning should be shown // In AGPL, this will show all days (enterprise feature defaults to all days allowed) - pty.ExpectMatch("Warning") - pty.ExpectMatch("may only autostart") + stdout.ExpectMatchContext(ctx, "Warning") + stdout.ExpectMatchContext(ctx, "may only autostart") }) t.Run("NoWarningWhenManual", func(t *testing.T) { diff --git a/cli/secret_test.go b/cli/secret_test.go index 3cbb6b89b8..06224d45c6 100644 --- a/cli/secret_test.go +++ b/cli/secret_test.go @@ -14,8 +14,8 @@ import ( "github.com/coder/coder/v2/coderd/database" "github.com/coder/coder/v2/coderd/database/dbauthz" "github.com/coder/coder/v2/codersdk" - "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" ) func TestSecretCreate(t *testing.T) { @@ -501,6 +501,7 @@ func TestSecretDelete(t *testing.T) { t.Run("Success", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) client := coderdtest.New(t, nil) _ = coderdtest.CreateFirstUser(t, client) @@ -516,12 +517,13 @@ func TestSecretDelete(t *testing.T) { ctx := testutil.Context(t, testutil.WaitMedium) inv = inv.WithContext(ctx) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) waiter := clitest.StartWithWaiter(t, inv) - pty.ExpectMatchContext(ctx, "Delete secret") - pty.ExpectMatchContext(ctx, "service-token") - pty.WriteLine("yes") - pty.ExpectMatchContext(ctx, "Deleted secret") + stdout.ExpectMatchContext(ctx, "Delete secret") + stdout.ExpectMatchContext(ctx, "service-token") + stdin.WriteLine("yes") + stdout.ExpectMatchContext(ctx, "Deleted secret") require.NoError(t, waiter.Wait()) @@ -566,6 +568,7 @@ func TestSecretDelete(t *testing.T) { t.Run("NotFound", func(t *testing.T) { t.Parallel() + logger := testutil.Logger(t) client := coderdtest.New(t, nil) _ = coderdtest.CreateFirstUser(t, client) @@ -574,11 +577,12 @@ func TestSecretDelete(t *testing.T) { ctx := testutil.Context(t, testutil.WaitMedium) inv = inv.WithContext(ctx) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) waiter := clitest.StartWithWaiter(t, inv) - pty.ExpectMatchContext(ctx, "Delete secret") - pty.ExpectMatchContext(ctx, "missing-secret") - pty.WriteLine("yes") + stdout.ExpectMatchContext(ctx, "Delete secret") + stdout.ExpectMatchContext(ctx, "missing-secret") + stdin.WriteLine("yes") err := waiter.Wait() require.ErrorContains(t, err, `delete secret "missing-secret"`) diff --git a/cli/server.go b/cli/server.go index b2fa89fd3b..e8b8768eea 100644 --- a/cli/server.go +++ b/cli/server.go @@ -2979,6 +2979,11 @@ func parseExternalAuthProvidersFromEnv(prefix string, environ []string) ([]coder return providers, nil } +const ( + aiGatewayProviderEnvPrefix = "CODER_AI_GATEWAY_PROVIDER_" + aiBridgeProviderEnvPrefix = "CODER_AIBRIDGE_PROVIDER_" +) + // ReadAIProvidersFromEnv parses CODER_AI_GATEWAY_PROVIDER__ // environment variables into a slice of AIProviderConfig. // Deprecated alias env vars with the CODER_AIBRIDGE_PROVIDER__ @@ -2986,16 +2991,22 @@ func parseExternalAuthProvidersFromEnv(prefix string, environ []string) ([]coder // // This follows the same indexed pattern as ReadExternalAuthProvidersFromEnv. func ReadAIProvidersFromEnv(logger slog.Logger, environ []string) ([]codersdk.AIProviderConfig, error) { - providers, err := readAIProvidersForPrefix(logger, environ, "CODER_AIBRIDGE_PROVIDER_") + providers, err := readAIProvidersForPrefix(logger, environ, aiBridgeProviderEnvPrefix) if err != nil { return nil, err } - gatewayProviders, err := readAIProvidersForPrefix(logger, environ, "CODER_AI_GATEWAY_PROVIDER_") + gatewayProviders, err := readAIProvidersForPrefix(logger, environ, aiGatewayProviderEnvPrefix) if err != nil { return nil, err } if len(providers) > 0 && len(gatewayProviders) > 0 { - return nil, xerrors.New("cannot mix CODER_AIBRIDGE_PROVIDER_* and CODER_AI_GATEWAY_PROVIDER_* environment variables, please consolidate onto CODER_AI_GATEWAY_PROVIDER_*") + return nil, xerrors.Errorf("cannot mix %s* and %s* environment variables, please consolidate onto %s*", aiBridgeProviderEnvPrefix, aiGatewayProviderEnvPrefix, aiGatewayProviderEnvPrefix) + } + var activePrefix string + if len(providers) > 0 { + activePrefix = aiBridgeProviderEnvPrefix + } else if len(gatewayProviders) > 0 { + activePrefix = aiGatewayProviderEnvPrefix } providers = append(providers, gatewayProviders...) @@ -3077,9 +3088,27 @@ func ReadAIProvidersFromEnv(logger slog.Logger, environ []string) ([]codersdk.AI names[p.Name] = i } + warnIfAIProvidersConfiguredFromEnv(context.Background(), logger, activePrefix, providers) + return providers, nil } +func warnIfAIProvidersConfiguredFromEnv(ctx context.Context, logger slog.Logger, prefix string, providers []codersdk.AIProviderConfig) { + if len(providers) == 0 { + return + } + + if prefix == "" { + return + } + + logger.Warn(ctx, + "ai provider environment variables are deprecated for provider management and only seed provider configuration at startup", + slog.F("env_prefix", prefix), + slog.F("replacement", "Manage AI Providers from the Coder UI or HTTP API."), + ) +} + // readAIProvidersForPrefix parses provider env vars under a single // indexed prefix (e.g. CODER_AI_GATEWAY_PROVIDER_) into a slice of // AIProviderConfig. Per-field syntax errors and unknown keys are diff --git a/cli/server_aibridge_internal_test.go b/cli/server_aibridge_internal_test.go index 6b712a6352..fce45aa674 100644 --- a/cli/server_aibridge_internal_test.go +++ b/cli/server_aibridge_internal_test.go @@ -1,6 +1,7 @@ package cli import ( + "context" "database/sql" "encoding/json" "fmt" @@ -575,6 +576,58 @@ func TestValidateLegacyAIBridgeConfig(t *testing.T) { } } +func TestWarnIfAIProvidersConfiguredFromEnv(t *testing.T) { + t.Parallel() + + t.Run("NoProviders", func(t *testing.T) { + t.Parallel() + + sink := testutil.NewFakeSink(t) + warnIfAIProvidersConfiguredFromEnv(context.Background(), sink.Logger(), aiGatewayProviderEnvPrefix, nil) + + require.Empty(t, sink.Entries()) + }) + + t.Run("EmptyPrefix", func(t *testing.T) { + t.Parallel() + + sink := testutil.NewFakeSink(t) + warnIfAIProvidersConfiguredFromEnv(context.Background(), sink.Logger(), "", []codersdk.AIProviderConfig{{Type: "openai", Name: "openai"}}) + + require.Empty(t, sink.Entries()) + }) + + t.Run("AIGatewayPrefix", func(t *testing.T) { + t.Parallel() + + sink := testutil.NewFakeSink(t) + warnIfAIProvidersConfiguredFromEnv(context.Background(), sink.Logger(), aiGatewayProviderEnvPrefix, []codersdk.AIProviderConfig{{Type: "openai", Name: "openai"}}) + + entries := sink.Entries(func(e slog.SinkEntry) bool { + return e.Message == "ai provider environment variables are deprecated for provider management and only seed provider configuration at startup" + }) + require.Len(t, entries, 1) + require.Len(t, entries[0].Fields, 2) + assertFieldValue(t, entries[0].Fields, "env_prefix", aiGatewayProviderEnvPrefix) + assertFieldValue(t, entries[0].Fields, "replacement", "Manage AI Providers from the Coder UI or HTTP API.") + }) + + t.Run("AIBridgePrefix", func(t *testing.T) { + t.Parallel() + + sink := testutil.NewFakeSink(t) + warnIfAIProvidersConfiguredFromEnv(context.Background(), sink.Logger(), aiBridgeProviderEnvPrefix, []codersdk.AIProviderConfig{{Type: "openai", Name: "openai"}}) + + entries := sink.Entries(func(e slog.SinkEntry) bool { + return e.Message == "ai provider environment variables are deprecated for provider management and only seed provider configuration at startup" + }) + require.Len(t, entries, 1) + require.Len(t, entries[0].Fields, 2) + assertFieldValue(t, entries[0].Fields, "env_prefix", aiBridgeProviderEnvPrefix) + assertFieldValue(t, entries[0].Fields, "replacement", "Manage AI Providers from the Coder UI or HTTP API.") + }) +} + func TestBuildAIProviderFromRowSetsAPIDumpDir(t *testing.T) { t.Parallel() @@ -588,6 +641,7 @@ func TestBuildAIProviderFromRowSetsAPIDumpDir(t *testing.T) { { name: "OpenAI", row: database.AIProvider{ + Enabled: true, Type: database.AiProviderTypeOpenai, Name: "openai", BaseUrl: "https://api.openai.com/", @@ -597,6 +651,7 @@ func TestBuildAIProviderFromRowSetsAPIDumpDir(t *testing.T) { { name: "Anthropic", row: database.AIProvider{ + Enabled: true, Type: database.AiProviderTypeAnthropic, Name: "anthropic", BaseUrl: "https://api.anthropic.com/", @@ -606,6 +661,7 @@ func TestBuildAIProviderFromRowSetsAPIDumpDir(t *testing.T) { { name: "Copilot", row: database.AIProvider{ + Enabled: true, Type: database.AiProviderTypeCopilot, Name: "copilot", BaseUrl: "https://api.githubcopilot.com/", @@ -615,6 +671,7 @@ func TestBuildAIProviderFromRowSetsAPIDumpDir(t *testing.T) { { name: "Azure", row: database.AIProvider{ + Enabled: true, Type: database.AiProviderTypeAzure, Name: "azure", BaseUrl: "https://example.openai.azure.com/", @@ -624,6 +681,7 @@ func TestBuildAIProviderFromRowSetsAPIDumpDir(t *testing.T) { { name: "Google", row: database.AIProvider{ + Enabled: true, Type: database.AiProviderTypeGoogle, Name: "google", BaseUrl: "https://generativelanguage.googleapis.com/v1beta/openai/", @@ -633,6 +691,7 @@ func TestBuildAIProviderFromRowSetsAPIDumpDir(t *testing.T) { { name: "OpenAICompat", row: database.AIProvider{ + Enabled: true, Type: database.AiProviderTypeOpenaiCompat, Name: "openai-compat", BaseUrl: "https://compat.example.com/v1/", @@ -642,6 +701,7 @@ func TestBuildAIProviderFromRowSetsAPIDumpDir(t *testing.T) { { name: "OpenRouter", row: database.AIProvider{ + Enabled: true, Type: database.AiProviderTypeOpenrouter, Name: "openrouter", BaseUrl: "https://openrouter.ai/api/v1/", @@ -651,6 +711,7 @@ func TestBuildAIProviderFromRowSetsAPIDumpDir(t *testing.T) { { name: "Vercel", row: database.AIProvider{ + Enabled: true, Type: database.AiProviderTypeVercel, Name: "vercel", BaseUrl: "https://api.v0.dev/v1/", @@ -660,6 +721,7 @@ func TestBuildAIProviderFromRowSetsAPIDumpDir(t *testing.T) { { name: "Bedrock", row: database.AIProvider{ + Enabled: true, Type: database.AiProviderTypeBedrock, Name: "bedrock", BaseUrl: "https://bedrock-runtime.us-east-1.amazonaws.com/", @@ -694,6 +756,7 @@ func TestBuildAIProviderFromRowBedrockWithoutSettings(t *testing.T) { t.Parallel() _, err := buildAIProviderFromRow(database.AIProvider{ + Enabled: true, Type: database.AiProviderTypeBedrock, Name: "bedrock-no-settings", BaseUrl: "https://bedrock-runtime.us-east-1.amazonaws.com/", @@ -711,3 +774,14 @@ func mustMarshalSettings(s codersdk.AIProviderSettings) sql.NullString { } return sql.NullString{String: string(data), Valid: true} } + +func assertFieldValue(t *testing.T, fields slog.Map, name string, expected interface{}) { + t.Helper() + for _, f := range fields { + if f.Name == name { + assert.Equal(t, expected, f.Value) + return + } + } + t.Errorf("field %q not found", name) +} diff --git a/cli/server_createadminuser_test.go b/cli/server_createadminuser_test.go index c0883a2d27..d0eef5f72d 100644 --- a/cli/server_createadminuser_test.go +++ b/cli/server_createadminuser_test.go @@ -21,6 +21,7 @@ import ( "github.com/coder/coder/v2/codersdk" "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" ) //nolint:paralleltest, tparallel @@ -128,19 +129,17 @@ func TestServerCreateAdminUser(t *testing.T) { "--email", email, "--password", password, ) - pty := ptytest.New(t) - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) clitest.Start(t, inv) - pty.ExpectMatchContext(ctx, "Creating user...") - pty.ExpectMatchContext(ctx, "Generating user SSH key...") - pty.ExpectMatchContext(ctx, fmt.Sprintf("Adding user to organization %q (%s) as admin...", org1Name, org1ID.String())) - pty.ExpectMatchContext(ctx, fmt.Sprintf("Adding user to organization %q (%s) as admin...", org2Name, org2ID.String())) - pty.ExpectMatchContext(ctx, "User created successfully.") - pty.ExpectMatchContext(ctx, username) - pty.ExpectMatchContext(ctx, email) - pty.ExpectMatchContext(ctx, "****") + stdout.ExpectMatchContext(ctx, "Creating user...") + stdout.ExpectMatchContext(ctx, "Generating user SSH key...") + stdout.ExpectMatchContext(ctx, fmt.Sprintf("Adding user to organization %q (%s) as admin...", org1Name, org1ID.String())) + stdout.ExpectMatchContext(ctx, fmt.Sprintf("Adding user to organization %q (%s) as admin...", org2Name, org2ID.String())) + stdout.ExpectMatchContext(ctx, "User created successfully.") + stdout.ExpectMatchContext(ctx, username) + stdout.ExpectMatchContext(ctx, email) + stdout.ExpectMatchContext(ctx, "****") verifyUser(t, connectionURL, username, email, password) }) @@ -184,6 +183,7 @@ func TestServerCreateAdminUser(t *testing.T) { // Skip on non-Linux because it spawns a PostgreSQL instance. t.SkipNow() } + logger := testutil.Logger(t) connectionURL, err := dbtestutil.Open(t) require.NoError(t, err) @@ -195,23 +195,24 @@ func TestServerCreateAdminUser(t *testing.T) { "--postgres-url", connectionURL, "--ssh-keygen-algorithm", "ed25519", ) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) + stdin := testutil.NewWriterAttachedToInvocation(t, logger.Named("stdin"), inv) clitest.Start(t, inv) - pty.ExpectMatchContext(ctx, "Username") - pty.WriteLine(username) - pty.ExpectMatchContext(ctx, "Email") - pty.WriteLine(email) - pty.ExpectMatchContext(ctx, "Password") - pty.WriteLine(password) - pty.ExpectMatchContext(ctx, "Confirm password") - pty.WriteLine(password) + stdout.ExpectMatchContext(ctx, "Username") + stdin.WriteLine(username) + stdout.ExpectMatchContext(ctx, "Email") + stdin.WriteLine(email) + stdout.ExpectMatchContext(ctx, "Password") + stdin.WriteLine(password) + stdout.ExpectMatchContext(ctx, "Confirm password") + stdin.WriteLine(password) - pty.ExpectMatchContext(ctx, "User created successfully.") - pty.ExpectMatchContext(ctx, username) - pty.ExpectMatchContext(ctx, email) - pty.ExpectMatchContext(ctx, "****") + stdout.ExpectMatchContext(ctx, "User created successfully.") + stdout.ExpectMatchContext(ctx, username) + stdout.ExpectMatchContext(ctx, email) + stdout.ExpectMatchContext(ctx, "****") verifyUser(t, connectionURL, username, email, password) }) diff --git a/cli/server_test.go b/cli/server_test.go index 89e0ba7048..6776e84424 100644 --- a/cli/server_test.go +++ b/cli/server_test.go @@ -59,6 +59,7 @@ import ( "github.com/coder/coder/v2/pty/ptytest" "github.com/coder/coder/v2/tailnet/tailnettest" "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" "github.com/coder/serpent" ) @@ -229,7 +230,7 @@ func TestServer(t *testing.T) { "--access-url", "http://example.com", "--ephemeral", ) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) // Embedded postgres takes a while to fire up. const superDuperLong = testutil.WaitSuperLong * 3 @@ -240,7 +241,7 @@ func TestServer(t *testing.T) { }() matchCh1 := make(chan string, 1) go func() { - matchCh1 <- pty.ExpectMatchContext(ctx, "Using an ephemeral deployment directory") + matchCh1 <- stdout.ExpectMatchContext(ctx, "Using an ephemeral deployment directory") }() select { case err := <-errCh: @@ -248,7 +249,7 @@ func TestServer(t *testing.T) { case <-matchCh1: // OK! } - rootDirLine := pty.ReadLine(ctx) + rootDirLine := stdout.ReadLine(ctx) rootDir := strings.TrimPrefix(rootDirLine, "Using an ephemeral deployment directory") rootDir = strings.TrimSpace(rootDir) rootDir = strings.TrimPrefix(rootDir, "(") @@ -259,7 +260,7 @@ func TestServer(t *testing.T) { matchCh2 := make(chan string, 1) go func() { // The "View the Web UI" log is a decent indicator that the server was successfully started. - matchCh2 <- pty.ExpectMatchContext(ctx, "View the Web UI") + matchCh2 <- stdout.ExpectMatchContext(ctx, "View the Web UI") }() select { case err := <-errCh: @@ -276,24 +277,23 @@ func TestServer(t *testing.T) { t.Run("BuiltinPostgresURL", func(t *testing.T) { t.Parallel() root, _ := clitest.New(t, "server", "postgres-builtin-url") - pty := ptytest.New(t) - root.Stdout = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, root) + ctx := testutil.Context(t, testutil.WaitShort) err := root.Run() require.NoError(t, err) - pty.ExpectMatch("psql") + stdout.ExpectMatchContext(ctx, "psql") }) t.Run("BuiltinPostgresURLRaw", func(t *testing.T) { t.Parallel() ctx := testutil.Context(t, testutil.WaitLong) root, _ := clitest.New(t, "server", "postgres-builtin-url", "--raw-url") - pty := ptytest.New(t) - root.Stdout = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, root) err := root.WithContext(ctx).Run() require.NoError(t, err) - got := pty.ReadLine(ctx) + got := stdout.ReadLine(ctx) if !strings.HasPrefix(got, "postgres://") { t.Fatalf("expected postgres URL to start with \"postgres://\", got %q", got) } @@ -506,6 +506,7 @@ func TestServer(t *testing.T) { // reachable. t.Run("LocalAccessURL", func(t *testing.T) { t.Parallel() + ctx := testutil.Context(t, testutil.WaitShort) inv, cfg := clitest.New(t, "server", dbArg(t), @@ -513,7 +514,7 @@ func TestServer(t *testing.T) { "--access-url", "http://localhost:3000/", "--cache-dir", t.TempDir(), ) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) // Since we end the test after seeing the log lines about the access url, we could cancel the test before // our initial interactions with PostgreSQL are complete. So, ignore errors of that type for this test. startIgnoringPostgresQueryCancel(t, inv) @@ -521,9 +522,9 @@ func TestServer(t *testing.T) { // Just wait for startup _ = waitAccessURL(t, cfg) - pty.ExpectMatch("this may cause unexpected problems when creating workspaces") - pty.ExpectMatch("View the Web UI:") - pty.ExpectMatch("http://localhost:3000/") + stdout.ExpectMatchContext(ctx, "this may cause unexpected problems when creating workspaces") + stdout.ExpectMatchContext(ctx, "View the Web UI:") + stdout.ExpectMatchContext(ctx, "http://localhost:3000/") }) // Validate that an https scheme is prepended to a remote access URL @@ -531,6 +532,7 @@ func TestServer(t *testing.T) { t.Run("RemoteAccessURL", func(t *testing.T) { t.Parallel() + ctx := testutil.Context(t, testutil.WaitShort) inv, cfg := clitest.New(t, "server", dbArg(t), @@ -538,7 +540,7 @@ func TestServer(t *testing.T) { "--access-url", "https://foobarbaz.mydomain", "--cache-dir", t.TempDir(), ) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) // Since we end the test after seeing the log lines about the access url, we could cancel the test before // our initial interactions with PostgreSQL are complete. So, ignore errors of that type for this test. @@ -547,13 +549,14 @@ func TestServer(t *testing.T) { // Just wait for startup _ = waitAccessURL(t, cfg) - pty.ExpectMatch("this may cause unexpected problems when creating workspaces") - pty.ExpectMatch("View the Web UI:") - pty.ExpectMatch("https://foobarbaz.mydomain") + stdout.ExpectMatchContext(ctx, "this may cause unexpected problems when creating workspaces") + stdout.ExpectMatchContext(ctx, "View the Web UI:") + stdout.ExpectMatchContext(ctx, "https://foobarbaz.mydomain") }) t.Run("NoWarningWithRemoteAccessURL", func(t *testing.T) { t.Parallel() + ctx := testutil.Context(t, testutil.WaitShort) inv, cfg := clitest.New(t, "server", dbArg(t), @@ -561,7 +564,7 @@ func TestServer(t *testing.T) { "--access-url", "https://google.com", "--cache-dir", t.TempDir(), ) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) // Since we end the test after seeing the log lines about the access url, we could cancel the test before // our initial interactions with PostgreSQL are complete. So, ignore errors of that type for this test. startIgnoringPostgresQueryCancel(t, inv) @@ -569,8 +572,8 @@ func TestServer(t *testing.T) { // Just wait for startup _ = waitAccessURL(t, cfg) - pty.ExpectMatch("View the Web UI:") - pty.ExpectMatch("https://google.com") + stdout.ExpectMatchContext(ctx, "View the Web UI:") + stdout.ExpectMatchContext(ctx, "https://google.com") }) t.Run("NoSchemeAccessURL", func(t *testing.T) { @@ -735,8 +738,6 @@ func TestServer(t *testing.T) { "--tls-key-file", key2Path, "--cache-dir", t.TempDir(), ) - pty := ptytest.New(t) - root.Stdout = pty.Output() clitest.Start(t, root.WithContext(ctx)) accessURL := waitAccessURL(t, cfg) @@ -814,18 +815,18 @@ func TestServer(t *testing.T) { "--tls-key-file", keyPath, "--cache-dir", t.TempDir(), ) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) clitest.Start(t, inv) // We can't use waitAccessURL as it will only return the HTTP URL. const httpLinePrefix = "Started HTTP listener at" - pty.ExpectMatch(httpLinePrefix) - httpLine := pty.ReadLine(ctx) + stdout.ExpectMatchContext(ctx, httpLinePrefix) + httpLine := stdout.ReadLine(ctx) httpAddr := strings.TrimSpace(strings.TrimPrefix(httpLine, httpLinePrefix)) require.NotEmpty(t, httpAddr) const tlsLinePrefix = "Started TLS/HTTPS listener at " - pty.ExpectMatch(tlsLinePrefix) - tlsLine := pty.ReadLine(ctx) + stdout.ExpectMatchContext(ctx, tlsLinePrefix) + tlsLine := stdout.ReadLine(ctx) tlsAddr := strings.TrimSpace(strings.TrimPrefix(tlsLine, tlsLinePrefix)) require.NotEmpty(t, tlsAddr) @@ -951,8 +952,7 @@ func TestServer(t *testing.T) { } inv, _ := clitest.New(t, flags...) - pty := ptytest.New(t) - pty.Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) clitest.Start(t, inv) @@ -963,15 +963,15 @@ func TestServer(t *testing.T) { // We can't use waitAccessURL as it will only return the HTTP URL. if c.httpListener { const httpLinePrefix = "Started HTTP listener at" - pty.ExpectMatch(httpLinePrefix) - httpLine := pty.ReadLine(ctx) + stdout.ExpectMatchContext(ctx, httpLinePrefix) + httpLine := stdout.ReadLine(ctx) httpAddr = strings.TrimSpace(strings.TrimPrefix(httpLine, httpLinePrefix)) require.NotEmpty(t, httpAddr) } if c.tlsListener { const tlsLinePrefix = "Started TLS/HTTPS listener at" - pty.ExpectMatch(tlsLinePrefix) - tlsLine := pty.ReadLine(ctx) + stdout.ExpectMatchContext(ctx, tlsLinePrefix) + tlsLine := stdout.ReadLine(ctx) tlsAddr = strings.TrimSpace(strings.TrimPrefix(tlsLine, tlsLinePrefix)) require.NotEmpty(t, tlsAddr) } @@ -1041,6 +1041,7 @@ func TestServer(t *testing.T) { t.Run("CanListenUnspecifiedv4", func(t *testing.T) { t.Parallel() + ctx := testutil.Context(t, testutil.WaitShort) inv, _ := clitest.New(t, "server", dbArg(t), @@ -1048,18 +1049,19 @@ func TestServer(t *testing.T) { "--access-url", "http://example.com", ) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) // Since we end the test after seeing the log lines about the HTTP listener, we could cancel the test before // our initial interactions with PostgreSQL are complete. So, ignore errors of that type for this test. startIgnoringPostgresQueryCancel(t, inv) - pty.ExpectMatch("Started HTTP listener") - pty.ExpectMatch("http://0.0.0.0:") + stdout.ExpectMatchContext(ctx, "Started HTTP listener") + stdout.ExpectMatchContext(ctx, "http://0.0.0.0:") }) t.Run("CanListenUnspecifiedv6", func(t *testing.T) { t.Parallel() + ctx := testutil.Context(t, testutil.WaitShort) inv, _ := clitest.New(t, "server", dbArg(t), @@ -1067,13 +1069,13 @@ func TestServer(t *testing.T) { "--access-url", "http://example.com", ) - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) // Since we end the test after seeing the log lines about the HTTP listener, we could cancel the test before // our initial interactions with PostgreSQL are complete. So, ignore errors of that type for this test. startIgnoringPostgresQueryCancel(t, inv) - pty.ExpectMatch("Started HTTP listener at") - pty.ExpectMatch("http://[::]:") + stdout.ExpectMatchContext(ctx, "Started HTTP listener at") + stdout.ExpectMatchContext(ctx, "http://[::]:") }) t.Run("NoAddress", func(t *testing.T) { @@ -1128,12 +1130,10 @@ func TestServer(t *testing.T) { "--access-url", "http://example.com", "--cache-dir", t.TempDir(), ) - pty := ptytest.New(t) - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) clitest.Start(t, inv.WithContext(ctx)) - pty.ExpectMatch("is deprecated") + stdout.ExpectMatchContext(ctx, "is deprecated") accessURL := waitAccessURL(t, cfg) require.Equal(t, "http", accessURL.Scheme) @@ -1158,12 +1158,10 @@ func TestServer(t *testing.T) { "--tls-key-file", keyPath, "--cache-dir", t.TempDir(), ) - pty := ptytest.New(t) - root.Stdout = pty.Output() - root.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, root) clitest.Start(t, root.WithContext(ctx)) - pty.ExpectMatch("is deprecated") + stdout.ExpectMatchContext(ctx, "is deprecated") accessURL := waitAccessURL(t, cfg) require.Equal(t, "https", accessURL.Scheme) @@ -1259,15 +1257,13 @@ func TestServer(t *testing.T) { "--cache-dir", t.TempDir(), ) - pty := ptytest.New(t) - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) clitest.Start(t, inv) // Wait until we see the prometheus address in the logs. addrMatchExpr := `http server listening\s+addr=(\S+)\s+name=prometheus` - lineMatch := pty.ExpectRegexMatchContext(ctx, addrMatchExpr) + lineMatch := stdout.ExpectRegexMatchContext(ctx, addrMatchExpr) promAddr := regexp.MustCompile(addrMatchExpr).FindStringSubmatch(lineMatch)[1] testutil.Eventually(ctx, t, func(ctx context.Context) bool { @@ -1322,15 +1318,13 @@ func TestServer(t *testing.T) { "--cache-dir", t.TempDir(), ) - pty := ptytest.New(t) - inv.Stdout = pty.Output() - inv.Stderr = pty.Output() + stdout := expecter.NewAttachedToInvocation(t, inv) clitest.Start(t, inv) // Wait until we see the prometheus address in the logs. addrMatchExpr := `http server listening\s+addr=(\S+)\s+name=prometheus` - lineMatch := pty.ExpectRegexMatchContext(ctx, addrMatchExpr) + lineMatch := stdout.ExpectRegexMatchContext(ctx, addrMatchExpr) promAddr := regexp.MustCompile(addrMatchExpr).FindStringSubmatch(lineMatch)[1] testutil.Eventually(ctx, t, func(ctx context.Context) bool { @@ -1751,7 +1745,6 @@ func TestServer(t *testing.T) { inv, cfg := clitest.New(t, args..., ) - ptytest.New(t).Attach(inv) inv = inv.WithContext(ctx) w := clitest.StartWithWaiter(t, inv) gotURL := waitAccessURL(t, cfg) @@ -2019,15 +2012,15 @@ func TestServer_Logging_NoParallel(t *testing.T) { "--provisioner-types=echo", "--log-stackdriver", fi, ) - // Attach pty so we get debug output from the command if this test + // Attach expecter so we get debug output from the command if this test // fails. - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) startIgnoringPostgresQueryCancel(t, inv.WithContext(ctx)) // Wait for server to listen on HTTP, this is a good // starting point for expecting logs. - _ = pty.ExpectMatchContext(ctx, "Started HTTP listener at") + _ = stdout.ExpectMatchContext(ctx, "Started HTTP listener at") loggingWaitFile(t, fi, testutil.WaitSuperLong) }) @@ -2056,15 +2049,15 @@ func TestServer_Logging_NoParallel(t *testing.T) { "--log-json", fi2, "--log-stackdriver", fi3, ) - // Attach pty so we get debug output from the command if this test + // Attach expecter so we get debug output from the command if this test // fails. - pty := ptytest.New(t).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) startIgnoringPostgresQueryCancel(t, inv) // Wait for server to listen on HTTP, this is a good // starting point for expecting logs. - _ = pty.ExpectMatchContext(ctx, "Started HTTP listener at") + _ = stdout.ExpectMatchContext(ctx, "Started HTTP listener at") loggingWaitFile(t, fi1, testutil.WaitSuperLong) loggingWaitFile(t, fi2, testutil.WaitSuperLong) @@ -2258,7 +2251,7 @@ func TestServer_GracefulShutdown(t *testing.T) { return ctx, stopFunc }) serverErr := make(chan error, 1) - pty := ptytest.New(t).Attach(root) + stdout := expecter.NewAttachedToInvocation(t, root) go func() { serverErr <- root.WithContext(ctx).Run() }() @@ -2266,7 +2259,7 @@ func TestServer_GracefulShutdown(t *testing.T) { // It's fair to assume `stopFunc` isn't nil here, because the server // has started and access URL is propagated. stopFunc() - pty.ExpectMatch("waiting for provisioner jobs to complete") + stdout.ExpectMatchContext(ctx, "waiting for provisioner jobs to complete") err := <-serverErr require.NoError(t, err) } @@ -2501,19 +2494,19 @@ func TestServer_TelemetryDisabled_FinalReport(t *testing.T) { inv.Logger = inv.Logger.Named(opts.name) errChan := make(chan error, 1) - pty := ptytest.New(t).Named(opts.name).Attach(inv) + stdout := expecter.NewAttachedToInvocation(t, inv) go func() { errChan <- inv.WithContext(ctx).Run() // close the pty here so that we can start tearing down resources. This test creates multiple servers with // associated ptys. There is a `t.Cleanup()` that does this, but it waits until the whole test is complete. - _ = pty.Close() + stdout.Close("invocation complete") }() if opts.waitForSnapshot { - pty.ExpectMatchContext(testutil.Context(t, testutil.WaitLong), "submitted snapshot") + stdout.ExpectMatchContext(testutil.Context(t, testutil.WaitLong), "submitted snapshot") } if opts.waitForTelemetryDisabledCheck { - pty.ExpectMatchContext(testutil.Context(t, testutil.WaitLong), "finished telemetry status check") + stdout.ExpectMatchContext(testutil.Context(t, testutil.WaitLong), "finished telemetry status check") } return errChan, cancelFunc } diff --git a/cli/task_send_test.go b/cli/task_send_test.go index e545da80d1..1590bcab29 100644 --- a/cli/task_send_test.go +++ b/cli/task_send_test.go @@ -237,7 +237,10 @@ func Test_TaskSend(t *testing.T) { t.Parallel() // Given: An initializing task (workspace running, no agent - // connected). + // connected). Close the agent, pause, then resume so the + // workspace is started but no agent is connected. The + // command enters waitForTaskIdle directly (initializing + // path), where we verify it handles an external pause. setupCtx := testutil.Context(t, testutil.WaitLong) setup := setupCLITaskTest(setupCtx, t, nil) @@ -245,8 +248,13 @@ func Test_TaskSend(t *testing.T) { pauseTask(setupCtx, t, setup.userClient, setup.task) resumeTask(setupCtx, t, setup.userClient, setup.task) + // Set up mock clock and traps before starting the command. + mClock := quartz.NewMock(t) + tickTrap := mClock.Trap().NewTicker("task_send", "poll") + resetTrap := mClock.Trap().TickerReset("task_send", "poll") + // When: We attempt to send input to the initializing task. - inv, root := clitest.New(t, "task", "send", setup.task.Name, "some task input") + inv, root := clitest.NewWithClock(t, mClock, "task", "send", setup.task.Name, "some task input") clitest.SetupConfig(t, setup.userClient, root) ctx := testutil.Context(t, testutil.WaitLong) @@ -259,11 +267,34 @@ func Test_TaskSend(t *testing.T) { // of waitForTaskIdle. pty.ExpectMatchContext(ctx, "Waiting for task to become idle") - // Pause the task while waitForTaskIdle is polling. Since - // no agent is connected, the task stays initializing until - // we pause it, at which point the status becomes paused. + // Wait for ticker creation and release it. + tickCall := tickTrap.MustWait(ctx) + tickCall.MustRelease(ctx) + tickTrap.Close() + + // Fire the first poll. The goroutine calls ticker.Reset + // which the trap catches, freezing the goroutine BEFORE + // client.TaskByID runs. Release it so the first poll + // sees 'initializing' and continues. + mClock.Advance(time.Nanosecond).MustWait(ctx) + resetCall := resetTrap.MustWait(ctx) + resetCall.MustRelease(ctx) + + // Fire the second poll. The goroutine is again frozen at + // ticker.Reset by the trap. + mClock.Advance(5 * time.Second).MustWait(ctx) + resetCall = resetTrap.MustWait(ctx) + + // While the goroutine is frozen (before client.TaskByID), + // pause the task. The stop build completes, so the DB has + // (stop, succeeded) = 'paused'. pauseTask(ctx, t, setup.userClient, setup.task) + // Release the trap. The goroutine unfreezes and + // client.TaskByID deterministically sees 'paused'. + resetCall.MustRelease(ctx) + resetTrap.Close() + // Then: The command should fail because the task was paused. err := w.Wait() require.Error(t, err) @@ -303,23 +334,31 @@ func Test_TaskSend(t *testing.T) { tickCall.MustRelease(ctx) tickTrap.Close() - // Fire the immediate first poll (time.Nanosecond initial interval). + // Fire the first poll. The goroutine calls ticker.Reset + // which the trap catches, freezing the goroutine BEFORE + // client.TaskByID runs. Release it so the first poll + // sees "working" and continues. mClock.Advance(time.Nanosecond).MustWait(ctx) - - // Wait for Reset (confirms first poll completed and saw "working"). resetCall := resetTrap.MustWait(ctx) resetCall.MustRelease(ctx) - resetTrap.Close() - // Transition the app back to idle so waitForTaskIdle proceeds. + // Fire the second poll. The goroutine is again frozen + // at ticker.Reset by the trap. + mClock.Advance(5 * time.Second).MustWait(ctx) + resetCall = resetTrap.MustWait(ctx) + + // While the goroutine is frozen (before client.TaskByID), + // transition the app to idle. require.NoError(t, agentClient.PatchAppStatus(ctx, agentsdk.PatchAppStatus{ AppSlug: "task-sidebar", State: codersdk.WorkspaceAppStatusStateIdle, Message: "ready", })) - // Fire second poll at the regular 5s interval. - mClock.Advance(5 * time.Second).MustWait(ctx) + // Release the trap. The goroutine unfreezes and + // client.TaskByID deterministically sees "idle". + resetCall.MustRelease(ctx) + resetTrap.Close() // Then: The command should complete successfully. require.NoError(t, w.Wait()) diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden index 4bcf9efda9..53ccf77f7c 100644 --- a/cli/testdata/coder_server_--help.golden +++ b/cli/testdata/coder_server_--help.golden @@ -124,35 +124,55 @@ AI GATEWAY OPTIONS: disabled, only centralized key authentication is permitted. --ai-gateway-anthropic-base-url string, $CODER_AI_GATEWAY_ANTHROPIC_BASE_URL (default: https://api.anthropic.com/) - The base URL of the Anthropic API. + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The base URL of the Anthropic + API. --ai-gateway-anthropic-key string, $CODER_AI_GATEWAY_ANTHROPIC_KEY - The key to authenticate against the Anthropic API. + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The key to authenticate + against the Anthropic API. --ai-gateway-bedrock-access-key string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY - The access key to authenticate against the AWS Bedrock API. - - --ai-gateway-bedrock-access-key-secret string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET - The access key secret to use with the access key to authenticate + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The access key to authenticate against the AWS Bedrock API. + --ai-gateway-bedrock-access-key-secret string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The access key secret to use + with the access key to authenticate against the AWS Bedrock API. + --ai-gateway-bedrock-base-url string, $CODER_AI_GATEWAY_BEDROCK_BASE_URL - The base URL to use for the AWS Bedrock API. Use this setting to - specify an exact URL to use. Takes precedence over - CODER_AI_GATEWAY_BEDROCK_REGION. + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The base URL to use for the + AWS Bedrock API. Use this setting to specify an exact URL to use. + Takes precedence over CODER_AI_GATEWAY_BEDROCK_REGION. --ai-gateway-bedrock-model string, $CODER_AI_GATEWAY_BEDROCK_MODEL (default: global.anthropic.claude-sonnet-4-5-20250929-v1:0) - The model to use when making requests to the AWS Bedrock API. + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The model to use when making + requests to the AWS Bedrock API. --ai-gateway-bedrock-region string, $CODER_AI_GATEWAY_BEDROCK_REGION - The AWS Bedrock API region to use. Constructs a base URL to use for - the AWS Bedrock API in the form of - 'https://bedrock-runtime..amazonaws.com'. + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The AWS Bedrock API region to + use. Constructs a base URL to use for the AWS Bedrock API in the form + of 'https://bedrock-runtime..amazonaws.com'. --ai-gateway-bedrock-small-fastmodel string, $CODER_AI_GATEWAY_BEDROCK_SMALL_FAST_MODEL (default: global.anthropic.claude-haiku-4-5-20251001-v1:0) - The small fast model to use when making requests to the AWS Bedrock - API. Claude Code uses Haiku-class models to perform background tasks. - See + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The small fast model to use + when making requests to the AWS Bedrock API. Claude Code uses + Haiku-class models to perform background tasks. See https://docs.claude.com/en/docs/claude-code/settings#environment-variables. --ai-gateway-circuit-breaker-enabled bool, $CODER_AI_GATEWAY_CIRCUIT_BREAKER_ENABLED (default: false) @@ -171,10 +191,16 @@ AI GATEWAY OPTIONS: to disable (unlimited). --ai-gateway-openai-base-url string, $CODER_AI_GATEWAY_OPENAI_BASE_URL (default: https://api.openai.com/v1/) - The base URL of the OpenAI API. + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The base URL of the OpenAI + API. --ai-gateway-openai-key string, $CODER_AI_GATEWAY_OPENAI_KEY - The key to authenticate against the OpenAI API. + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The key to authenticate + against the OpenAI API. --ai-gateway-rate-limit int, $CODER_AI_GATEWAY_RATE_LIMIT (default: 0) Maximum number of AI Gateway requests per second per replica. Set to 0 diff --git a/cli/testdata/server-config.yaml.golden b/cli/testdata/server-config.yaml.golden index 5bc02e0ae6..613b639553 100644 --- a/cli/testdata/server-config.yaml.golden +++ b/cli/testdata/server-config.yaml.golden @@ -874,25 +874,41 @@ ai_gateway: # Whether to start an in-memory AI Gateway instance. # (default: true, type: bool) enabled: true - # The base URL of the OpenAI API. + # Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this + # option seeds provider configuration at startup only exactly once. It will not be + # used in service runtime. The base URL of the OpenAI API. # (default: https://api.openai.com/v1/, type: string) openai_base_url: https://api.openai.com/v1/ - # The base URL of the Anthropic API. + # Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this + # option seeds provider configuration at startup only exactly once. It will not be + # used in service runtime. The base URL of the Anthropic API. # (default: https://api.anthropic.com/, type: string) anthropic_base_url: https://api.anthropic.com/ - # The base URL to use for the AWS Bedrock API. Use this setting to specify an - # exact URL to use. Takes precedence over CODER_AI_GATEWAY_BEDROCK_REGION. + # Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this + # option seeds provider configuration at startup only exactly once. It will not be + # used in service runtime. The base URL to use for the AWS Bedrock API. Use this + # setting to specify an exact URL to use. Takes precedence over + # CODER_AI_GATEWAY_BEDROCK_REGION. # (default: , type: string) bedrock_base_url: "" - # The AWS Bedrock API region to use. Constructs a base URL to use for the AWS - # Bedrock API in the form of 'https://bedrock-runtime..amazonaws.com'. + # Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this + # option seeds provider configuration at startup only exactly once. It will not be + # used in service runtime. The AWS Bedrock API region to use. Constructs a base + # URL to use for the AWS Bedrock API in the form of + # 'https://bedrock-runtime..amazonaws.com'. # (default: , type: string) bedrock_region: "" - # The model to use when making requests to the AWS Bedrock API. + # Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this + # option seeds provider configuration at startup only exactly once. It will not be + # used in service runtime. The model to use when making requests to the AWS + # Bedrock API. # (default: global.anthropic.claude-sonnet-4-5-20250929-v1:0, type: string) bedrock_model: global.anthropic.claude-sonnet-4-5-20250929-v1:0 - # The small fast model to use when making requests to the AWS Bedrock API. Claude - # Code uses Haiku-class models to perform background tasks. See + # Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this + # option seeds provider configuration at startup only exactly once. It will not be + # used in service runtime. The small fast model to use when making requests to the + # AWS Bedrock API. Claude Code uses Haiku-class models to perform background + # tasks. See # https://docs.claude.com/en/docs/claude-code/settings#environment-variables. # (default: global.anthropic.claude-haiku-4-5-20251001-v1:0, type: string) bedrock_small_fast_model: global.anthropic.claude-haiku-4-5-20251001-v1:0 diff --git a/coderd/ai_providers.go b/coderd/ai_providers.go index 78ca50ecc9..0637822592 100644 --- a/coderd/ai_providers.go +++ b/coderd/ai_providers.go @@ -340,6 +340,10 @@ func (api *API) aiProvidersUpdate(rw http.ResponseWriter, r *http.Request) { return errBedrockRejectsAPIKeys } + if req.APIKeys != nil && old.Type == database.AiProviderTypeCopilot && len(*req.APIKeys) > 0 { + return errCopilotRejectsAPIKeys + } + displayName := old.DisplayName if req.DisplayName != nil { // Empty string clears the column. @@ -383,6 +387,12 @@ func (api *API) aiProvidersUpdate(rw http.ResponseWriter, r *http.Request) { }) return } + if errors.Is(err, errCopilotRejectsAPIKeys) { + httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ + Message: "Copilot providers do not accept api_keys; they authenticate via request-time GitHub OAuth tokens.", + }) + return + } if errors.Is(err, errAIProviderBedrockTypeMismatch) { httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ Message: "Bedrock settings are only valid for type=anthropic or type=bedrock.", @@ -483,6 +493,12 @@ func (api *API) publishAIProvidersChanged(ctx context.Context) { // Bedrock-typed provider; the outer handler translates it into a 400. var errBedrockRejectsAPIKeys = xerrors.New("bedrock providers do not accept api_keys") +// errCopilotRejectsAPIKeys is the sentinel returned from inside the +// update transaction when a caller attempts to attach api_keys to a +// Copilot-typed provider; the outer handler translates it into a 400. +// Copilot authenticates via request-time GitHub OAuth tokens. +var errCopilotRejectsAPIKeys = xerrors.New("copilot providers do not accept api_keys") + // errAIProviderBedrockTypeMismatch is the sentinel returned from // inside the update transaction when the post-merge settings carry a // Bedrock block but the provider is not anthropic- or bedrock-typed; diff --git a/coderd/ai_providers_migrate.go b/coderd/ai_providers_migrate.go index 6bc99ad840..055877ecce 100644 --- a/coderd/ai_providers_migrate.go +++ b/coderd/ai_providers_migrate.go @@ -116,10 +116,21 @@ func SeedAIProvidersFromEnv( if err != nil { return xerrors.Errorf("decode existing settings for %q: %w", dp.Name, err) } + // Load existing bearer keys so the canonical hash + // includes credentials for comparison. + existingKeyRows, err := tx.GetAIProviderKeysByProviderID(sysCtx, existing.ID) + if err != nil { + return xerrors.Errorf("load existing keys for %q: %w", dp.Name, err) + } + existingKeys := make([]string, 0, len(existingKeyRows)) + for _, k := range existingKeyRows { + existingKeys = append(existingKeys, k.APIKey) + } existingDP := desiredAIProvider{ Type: existing.Type, BaseURL: existing.BaseUrl, Bedrock: existingSettings.Bedrock, + Keys: existingKeys, } existingHash := computeProviderHash(existingDP.canonical()) if existingHash == dp.Hash { @@ -196,18 +207,15 @@ func SeedAIProvidersFromEnv( // canonicalAIProvider is the shape we hash to detect drift between the // configured environment and the row stored in the database. The fields // we hash are exactly the operator-controllable inputs that affect -// runtime behavior. Credentials are intentionally NOT part of the hash -// so operators can rotate them via the API without forcing a server -// restart. This applies to both bearer API keys (stored in -// ai_provider_keys) and to Bedrock access key/secret pairs (stored in -// the settings blob because Bedrock authenticates via settings rather -// than a bearer token). +// runtime behavior, including credentials. +// // Model and SmallFastModel are excluded: they're tunables, and their // serpent defaults shift across releases. type canonicalAIProvider struct { Type string `json:"type"` BaseURL string `json:"base_url"` BedrockRegion string `json:"bedrock_region"` + KeysHash string `json:"keys_hash"` } // desiredAIProvider is a normalized provider description sourced from @@ -235,9 +243,39 @@ func (d desiredAIProvider) canonical() canonicalAIProvider { if d.Bedrock != nil { c.BedrockRegion = d.Bedrock.Region } + c.KeysHash = computeKeysHash(d.Keys, d.Bedrock) return c } +// computeKeysHash produces a deterministic hash over the bearer API +// keys and, for Bedrock providers, the access key and secret. +func computeKeysHash(bearerKeys []string, bedrock *codersdk.AIProviderBedrockSettings) string { + // Collect all credential material in a deterministic order. + // Bearer keys are sorted so reordering in env vars does not + // trigger a false-positive drift. + sorted := make([]string, len(bearerKeys)) + copy(sorted, bearerKeys) + slices.Sort(sorted) + + h := sha256.New() + for _, k := range sorted { + _, _ = h.Write([]byte(k)) + // Separator so "ab"+"c" != "a"+"bc". + _, _ = h.Write([]byte{0}) + } + if bedrock != nil { + if bedrock.AccessKey != nil { + _, _ = h.Write([]byte(*bedrock.AccessKey)) + } + _, _ = h.Write([]byte{0}) + if bedrock.AccessKeySecret != nil { + _, _ = h.Write([]byte(*bedrock.AccessKeySecret)) + } + _, _ = h.Write([]byte{0}) + } + return hex.EncodeToString(h.Sum(nil)) +} + func computeProviderHash(c canonicalAIProvider) string { // json.Marshal is deterministic for structs because field order is // fixed by the struct definition. diff --git a/coderd/ai_providers_migrate_test.go b/coderd/ai_providers_migrate_test.go index d4a07bfdc2..89165002b0 100644 --- a/coderd/ai_providers_migrate_test.go +++ b/coderd/ai_providers_migrate_test.go @@ -91,21 +91,23 @@ func TestSeedAIProvidersFromEnv(t *testing.T) { } require.NoError(t, coderd.SeedAIProvidersFromEnv(ctx, db, cfg, testLogger(t))) - // Changing the API key alone does NOT count as drift: keys - // live in a separate table and operators rotate them via the - // API. Only changes to non-credential provider-level fields - // (base_url, type, Bedrock region/model) trip the drift check. + // Changing the API key counts as drift: keys are included + // in the canonical hash so operators notice when env-var + // credential changes are ignored by an existing provider. cfg.LegacyOpenAI.Key = serpent.String("sk-rotated") - require.NoError(t, coderd.SeedAIProvidersFromEnv(ctx, db, cfg, testLogger(t))) - - // Changing the base URL is real drift. - cfg.LegacyOpenAI.BaseURL = serpent.String("https://api.openai.com/v2") err := coderd.SeedAIProvidersFromEnv(ctx, db, cfg, testLogger(t)) require.Error(t, err) require.Contains(t, err.Error(), "differs from the current environment configuration") + + // Changing the base URL is also real drift. + cfg.LegacyOpenAI.Key = serpent.String("sk-original") + cfg.LegacyOpenAI.BaseURL = serpent.String("https://api.openai.com/v2") + err = coderd.SeedAIProvidersFromEnv(ctx, db, cfg, testLogger(t)) + require.Error(t, err) + require.Contains(t, err.Error(), "differs from the current environment configuration") }) - t.Run("BedrockCredentialRotationIsNotDrift", func(t *testing.T) { + t.Run("BedrockCredentialChangeIsDrift", func(t *testing.T) { t.Parallel() db, _ := dbtestutil.NewDB(t) ctx := testutil.Context(t, testutil.WaitShort) @@ -120,17 +122,20 @@ func TestSeedAIProvidersFromEnv(t *testing.T) { } require.NoError(t, coderd.SeedAIProvidersFromEnv(ctx, db, cfg, testLogger(t))) - // Rotating the Bedrock access key and secret in env must NOT - // trip the drift check: they're credentials, equivalent to - // bearer API keys, and operators rotate them via the API. + // Rotating the Bedrock access key in env trips the drift + // check so operators know the change did not take effect. cfg.LegacyBedrock.AccessKey = serpent.String("AKIA-rotated") cfg.LegacyBedrock.AccessKeySecret = serpent.String("secret-rotated") - require.NoError(t, coderd.SeedAIProvidersFromEnv(ctx, db, cfg, testLogger(t))) + err := coderd.SeedAIProvidersFromEnv(ctx, db, cfg, testLogger(t)) + require.Error(t, err) + require.Contains(t, err.Error(), "differs from the current environment configuration") // Changing the Bedrock region (a non-credential field) is - // real drift. + // also real drift. + cfg.LegacyBedrock.AccessKey = serpent.String("AKIA-original") + cfg.LegacyBedrock.AccessKeySecret = serpent.String("secret-original") cfg.LegacyBedrock.Region = serpent.String("us-west-2") - err := coderd.SeedAIProvidersFromEnv(ctx, db, cfg, testLogger(t)) + err = coderd.SeedAIProvidersFromEnv(ctx, db, cfg, testLogger(t)) require.Error(t, err) require.Contains(t, err.Error(), "differs from the current environment configuration") }) @@ -293,6 +298,57 @@ func TestSeedAIProvidersFromEnv(t *testing.T) { require.Equal(t, "sk-ant-1", anKeys[0].APIKey) }) + t.Run("IndexedProvidersKeyDriftWithMultipleKeysAndProviders", func(t *testing.T) { + t.Parallel() + db, _ := dbtestutil.NewDB(t) + ctx := testutil.Context(t, testutil.WaitShort) + + cfg := codersdk.AIBridgeConfig{ + Providers: []codersdk.AIProviderConfig{ + { + Type: "openai", + Name: "primary-openai", + BaseURL: "https://api.openai.com/v1", + Keys: []string{"sk-openai-1", "sk-openai-2"}, + }, + { + Type: "anthropic", + Name: "primary-anthropic", + BaseURL: "https://api.anthropic.com/", + Keys: []string{"sk-ant-1", "sk-ant-2"}, + }, + }, + } + require.NoError(t, coderd.SeedAIProvidersFromEnv(ctx, db, cfg, testLogger(t))) + + // Reordering keys must not count as drift. The canonical hash + // sorts keys before hashing, so equivalent key sets remain + // stable across restarts. + cfg.Providers[0].Keys = []string{"sk-openai-2", "sk-openai-1"} + cfg.Providers[1].Keys = []string{"sk-ant-2", "sk-ant-1"} + require.NoError(t, coderd.SeedAIProvidersFromEnv(ctx, db, cfg, testLogger(t))) + + // Changing one key on one provider must block startup even + // when multiple providers are configured. + cfg.Providers[1].Keys = []string{"sk-ant-2", "sk-ant-rotated"} + err := coderd.SeedAIProvidersFromEnv(ctx, db, cfg, testLogger(t)) + require.Error(t, err) + require.Contains(t, err.Error(), "differs from the current environment configuration") + require.Contains(t, err.Error(), `"primary-anthropic"`) + + oa, err := db.GetAIProviderByName(ctx, "primary-openai") + require.NoError(t, err) + oaKeys, err := db.GetAIProviderKeysByProviderID(ctx, oa.ID) + require.NoError(t, err) + require.ElementsMatch(t, []string{"sk-openai-1", "sk-openai-2"}, []string{oaKeys[0].APIKey, oaKeys[1].APIKey}) + + an, err := db.GetAIProviderByName(ctx, "primary-anthropic") + require.NoError(t, err) + anKeys, err := db.GetAIProviderKeysByProviderID(ctx, an.ID) + require.NoError(t, err) + require.ElementsMatch(t, []string{"sk-ant-1", "sk-ant-2"}, []string{anKeys[0].APIKey, anKeys[1].APIKey}) + }) + t.Run("BedrockIndexedProviderHasNoKeys", func(t *testing.T) { t.Parallel() db, _ := dbtestutil.NewDB(t) @@ -424,7 +480,7 @@ func TestSeedAIProvidersFromEnv(t *testing.T) { require.Empty(t, all, "expected no active rows after soft-delete + re-seed") }) - t.Run("ExistingKeysArePreserved", func(t *testing.T) { + t.Run("ExistingKeysBlockOnDrift", func(t *testing.T) { t.Parallel() db, _ := dbtestutil.NewDB(t) ctx := testutil.Context(t, testutil.WaitShort) @@ -440,15 +496,17 @@ func TestSeedAIProvidersFromEnv(t *testing.T) { row, err := db.GetAIProviderByName(ctx, "openai") require.NoError(t, err) - // Operator rotates the env key. The seed must not duplicate - // keys on a row that already exists; the new key is only - // installed via the API/CRUD layer in this flow. + // Operator rotates the env key. The seed now blocks startup + // because the keys differ, alerting the operator. cfg.LegacyOpenAI.Key = serpent.String("sk-rotated") - require.NoError(t, coderd.SeedAIProvidersFromEnv(ctx, db, cfg, testLogger(t))) + err = coderd.SeedAIProvidersFromEnv(ctx, db, cfg, testLogger(t)) + require.Error(t, err) + require.Contains(t, err.Error(), "differs from the current environment configuration") + // The original key is still in the database. keys, err := db.GetAIProviderKeysByProviderID(ctx, row.ID) require.NoError(t, err) - require.Len(t, keys, 1, "env reseed must not duplicate keys on existing rows") + require.Len(t, keys, 1) require.Equal(t, "sk-original", keys[0].APIKey) }) @@ -482,6 +540,40 @@ func TestSeedAIProvidersFromEnv(t *testing.T) { require.Len(t, all, 1, "duplicate indexed entries with matching hash must produce a single row") }) + t.Run("IndexedDuplicateNameMatchingHashDedupesReorderedKeys", func(t *testing.T) { + t.Parallel() + db, _ := dbtestutil.NewDB(t) + ctx := testutil.Context(t, testutil.WaitShort) + + // Key order should not affect the canonical hash. Reordered + // duplicates under the same name should still dedupe. + cfg := codersdk.AIBridgeConfig{ + Providers: []codersdk.AIProviderConfig{ + { + Type: "openai", + Name: "shared", + BaseURL: "https://api.openai.com/v1", + Keys: []string{"sk-1", "sk-2"}, + }, + { + Type: "openai", + Name: "shared", + BaseURL: "https://api.openai.com/v1", + Keys: []string{"sk-2", "sk-1"}, + }, + }, + } + require.NoError(t, coderd.SeedAIProvidersFromEnv(ctx, db, cfg, testLogger(t))) + + all, err := db.GetAIProviders(ctx, database.GetAIProvidersParams{}) + require.NoError(t, err) + require.Len(t, all, 1) + keys, err := db.GetAIProviderKeysByProviderID(ctx, all[0].ID) + require.NoError(t, err) + require.Len(t, keys, 2) + require.ElementsMatch(t, []string{"sk-1", "sk-2"}, []string{keys[0].APIKey, keys[1].APIKey}) + }) + t.Run("IndexedDuplicateNameMismatchingHashFails", func(t *testing.T) { t.Parallel() db, _ := dbtestutil.NewDB(t) diff --git a/coderd/ai_providers_test.go b/coderd/ai_providers_test.go index c020f90c26..e4f4f27a06 100644 --- a/coderd/ai_providers_test.go +++ b/coderd/ai_providers_test.go @@ -889,6 +889,75 @@ func TestAIProvidersKeyManagement(t *testing.T) { require.Contains(t, sdkErr.Message, "Bedrock providers do not accept api_keys") }) + t.Run("CopilotCreateWithoutKeys", func(t *testing.T) { + t.Parallel() + client := coderdtest.New(t, nil) + _ = coderdtest.CreateFirstUser(t, client) + ctx := testutil.Context(t, testutil.WaitLong) + + //nolint:gocritic // Owner role is the audience for this endpoint. + provider, err := client.CreateAIProvider(ctx, codersdk.CreateAIProviderRequest{ + Type: codersdk.AIProviderTypeCopilot, + Name: "keys-copilot", + Enabled: true, + BaseURL: "https://api.business.githubcopilot.com", + }) + require.NoError(t, err) + require.Equal(t, codersdk.AIProviderTypeCopilot, provider.Type) + require.Empty(t, provider.APIKeys) + }) + + t.Run("CopilotRejectsCreateWithKeys", func(t *testing.T) { + t.Parallel() + client := coderdtest.New(t, nil) + _ = coderdtest.CreateFirstUser(t, client) + ctx := testutil.Context(t, testutil.WaitLong) + + //nolint:gocritic // Owner role is the audience for this endpoint. + _, err := client.CreateAIProvider(ctx, codersdk.CreateAIProviderRequest{ + Type: codersdk.AIProviderTypeCopilot, + Name: "keys-copilot-create", + Enabled: true, + BaseURL: "https://api.business.githubcopilot.com", + APIKeys: []string{"sk-should-be-rejected"}, //nolint:gosec // test fixture, not a real credential + }) + require.Error(t, err) + var sdkErr *codersdk.Error + require.ErrorAs(t, err, &sdkErr) + require.Equal(t, http.StatusBadRequest, sdkErr.StatusCode()) + require.Len(t, sdkErr.Validations, 1) + require.Equal(t, "api_keys", sdkErr.Validations[0].Field) + require.Contains(t, sdkErr.Validations[0].Detail, "type=copilot does not accept api_keys") + }) + + t.Run("CopilotRejectsUpdateWithKeys", func(t *testing.T) { + t.Parallel() + client := coderdtest.New(t, nil) + _ = coderdtest.CreateFirstUser(t, client) + ctx := testutil.Context(t, testutil.WaitLong) + + //nolint:gocritic // Owner role is the audience for this endpoint. + provider, err := client.CreateAIProvider(ctx, codersdk.CreateAIProviderRequest{ + Type: codersdk.AIProviderTypeCopilot, + Name: "keys-copilot-update", + Enabled: true, + BaseURL: "https://api.business.githubcopilot.com", + }) + require.NoError(t, err) + + rejected := []codersdk.AIProviderKeyMutation{ + {APIKey: ptr.Ref("sk-copilot-no")}, //nolint:gosec // test fixture, not a real credential + } + _, err = client.UpdateAIProvider(ctx, provider.Name, codersdk.UpdateAIProviderRequest{ + APIKeys: &rejected, + }) + require.Error(t, err) + var sdkErr *codersdk.Error + require.ErrorAs(t, err, &sdkErr) + require.Equal(t, http.StatusBadRequest, sdkErr.StatusCode()) + require.Contains(t, sdkErr.Message, "Copilot providers do not accept api_keys") + }) + t.Run("EmptyKeyRejected", func(t *testing.T) { t.Parallel() client := coderdtest.New(t, nil) diff --git a/coderd/aibridged/pool.go b/coderd/aibridged/pool.go index 3b7e60955c..b86cefe00a 100644 --- a/coderd/aibridged/pool.go +++ b/coderd/aibridged/pool.go @@ -30,7 +30,9 @@ const ( type Pooler interface { Acquire(ctx context.Context, req Request, clientFn ClientFunc, mcpBootstrapper MCPProxyBuilder) (http.Handler, error) // ReplaceProviders swaps the providers used to construct future - // RequestBridge instances and clears the cache. + // RequestBridge instances and clears the cache. Disabled providers + // must be included; the bridge serves a 503 sentinel on their + // routes. ReplaceProviders(providers []aibridge.Provider) Shutdown(ctx context.Context) error } @@ -53,7 +55,8 @@ var _ Pooler = &CachedBridgePool{} type CachedBridgePool struct { cache *ristretto.Cache[string, *aibridge.RequestBridge] - // providers is the live provider set used by new RequestBridge instances. + // providers is the live provider set used by new RequestBridge + // instances. Includes disabled providers. providers atomic.Pointer[[]aibridge.Provider] providerVersion atomic.Int64 logger slog.Logger diff --git a/coderd/aibridged/proto/aibridged.pb.go b/coderd/aibridged/proto/aibridged.pb.go index c364aeda40..17fef851ea 100644 --- a/coderd/aibridged/proto/aibridged.pb.go +++ b/coderd/aibridged/proto/aibridged.pb.go @@ -216,8 +216,9 @@ type RecordInterceptionEndedRequest struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // UUID. - EndedAt *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=ended_at,json=endedAt,proto3" json:"ended_at,omitempty"` + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // UUID. + EndedAt *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=ended_at,json=endedAt,proto3" json:"ended_at,omitempty"` + CredentialHint string `protobuf:"bytes,3,opt,name=credential_hint,json=credentialHint,proto3" json:"credential_hint,omitempty"` } func (x *RecordInterceptionEndedRequest) Reset() { @@ -266,6 +267,13 @@ func (x *RecordInterceptionEndedRequest) GetEndedAt() *timestamppb.Timestamp { return nil } +func (x *RecordInterceptionEndedRequest) GetCredentialHint() string { + if x != nil { + return x.CredentialHint + } + return "" +} + type RecordInterceptionEndedResponse struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -1295,249 +1303,252 @@ var file_coderd_aibridged_proto_aibridged_proto_rawDesc = []byte{ 0x42, 0x14, 0x0a, 0x12, 0x5f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x22, 0x1c, 0x0a, 0x1a, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, - 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x67, 0x0a, 0x1e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x49, 0x6e, - 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x65, 0x64, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x35, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x65, 0x64, 0x5f, - 0x61, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, - 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65, 0x6e, 0x64, 0x65, 0x64, 0x41, 0x74, 0x22, 0x21, 0x0a, - 0x1f, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, - 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x65, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x22, 0xe9, 0x03, 0x0a, 0x17, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, - 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x27, 0x0a, 0x0f, - 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, - 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x15, 0x0a, 0x06, 0x6d, 0x73, 0x67, 0x5f, 0x69, 0x64, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6d, 0x73, 0x67, 0x49, 0x64, 0x12, 0x21, 0x0a, 0x0c, - 0x69, 0x6e, 0x70, 0x75, 0x74, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x03, 0x52, 0x0b, 0x69, 0x6e, 0x70, 0x75, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x12, - 0x23, 0x0a, 0x0d, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x73, - 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x54, 0x6f, - 0x6b, 0x65, 0x6e, 0x73, 0x12, 0x48, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, - 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, + 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x90, 0x01, 0x0a, 0x1e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x49, + 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x65, 0x64, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x35, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x65, 0x64, + 0x5f, 0x61, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, + 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65, 0x6e, 0x64, 0x65, 0x64, 0x41, 0x74, 0x12, 0x27, + 0x0a, 0x0f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x68, 0x69, 0x6e, + 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x61, 0x6c, 0x48, 0x69, 0x6e, 0x74, 0x22, 0x21, 0x0a, 0x1f, 0x52, 0x65, 0x63, 0x6f, 0x72, + 0x64, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, + 0x65, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0xe9, 0x03, 0x0a, 0x17, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, - 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x39, - 0x0a, 0x0a, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x06, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, - 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12, 0x35, 0x0a, 0x17, 0x63, 0x61, 0x63, - 0x68, 0x65, 0x5f, 0x72, 0x65, 0x61, 0x64, 0x5f, 0x69, 0x6e, 0x70, 0x75, 0x74, 0x5f, 0x74, 0x6f, - 0x6b, 0x65, 0x6e, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x03, 0x52, 0x14, 0x63, 0x61, 0x63, 0x68, - 0x65, 0x52, 0x65, 0x61, 0x64, 0x49, 0x6e, 0x70, 0x75, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, - 0x12, 0x37, 0x0a, 0x18, 0x63, 0x61, 0x63, 0x68, 0x65, 0x5f, 0x77, 0x72, 0x69, 0x74, 0x65, 0x5f, - 0x69, 0x6e, 0x70, 0x75, 0x74, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x18, 0x08, 0x20, 0x01, - 0x28, 0x03, 0x52, 0x15, 0x63, 0x61, 0x63, 0x68, 0x65, 0x57, 0x72, 0x69, 0x74, 0x65, 0x49, 0x6e, - 0x70, 0x75, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x1a, 0x51, 0x0a, 0x0d, 0x4d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, - 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2a, 0x0a, 0x05, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, - 0x79, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x1a, 0x0a, 0x18, - 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x55, 0x73, 0x61, 0x67, 0x65, - 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0xcb, 0x02, 0x0a, 0x18, 0x52, 0x65, 0x63, - 0x6f, 0x72, 0x64, 0x50, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x27, 0x0a, 0x0f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, - 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, - 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x15, - 0x0a, 0x06, 0x6d, 0x73, 0x67, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, - 0x6d, 0x73, 0x67, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x12, 0x49, 0x0a, - 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x2d, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x50, 0x72, - 0x6f, 0x6d, 0x70, 0x74, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x27, 0x0a, 0x0f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, + 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x0e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, + 0x15, 0x0a, 0x06, 0x6d, 0x73, 0x67, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x05, 0x6d, 0x73, 0x67, 0x49, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x69, 0x6e, 0x70, 0x75, 0x74, 0x5f, + 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x69, 0x6e, + 0x70, 0x75, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x12, 0x23, 0x0a, 0x0d, 0x6f, 0x75, 0x74, + 0x70, 0x75, 0x74, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, + 0x52, 0x0c, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x12, 0x48, + 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x2c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, + 0x6f, 0x6b, 0x65, 0x6e, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x39, 0x0a, 0x0a, 0x63, 0x72, 0x65, 0x61, - 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, + 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, - 0x64, 0x41, 0x74, 0x1a, 0x51, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, + 0x64, 0x41, 0x74, 0x12, 0x35, 0x0a, 0x17, 0x63, 0x61, 0x63, 0x68, 0x65, 0x5f, 0x72, 0x65, 0x61, + 0x64, 0x5f, 0x69, 0x6e, 0x70, 0x75, 0x74, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x18, 0x07, + 0x20, 0x01, 0x28, 0x03, 0x52, 0x14, 0x63, 0x61, 0x63, 0x68, 0x65, 0x52, 0x65, 0x61, 0x64, 0x49, + 0x6e, 0x70, 0x75, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x12, 0x37, 0x0a, 0x18, 0x63, 0x61, + 0x63, 0x68, 0x65, 0x5f, 0x77, 0x72, 0x69, 0x74, 0x65, 0x5f, 0x69, 0x6e, 0x70, 0x75, 0x74, 0x5f, + 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x18, 0x08, 0x20, 0x01, 0x28, 0x03, 0x52, 0x15, 0x63, 0x61, + 0x63, 0x68, 0x65, 0x57, 0x72, 0x69, 0x74, 0x65, 0x49, 0x6e, 0x70, 0x75, 0x74, 0x54, 0x6f, 0x6b, + 0x65, 0x6e, 0x73, 0x1a, 0x51, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2a, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x52, 0x05, 0x76, 0x61, 0x6c, - 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x1b, 0x0a, 0x19, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, - 0x50, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x22, 0x8f, 0x04, 0x0a, 0x16, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, - 0x6f, 0x6c, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x27, - 0x0a, 0x0f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, - 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, - 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x15, 0x0a, 0x06, 0x6d, 0x73, 0x67, 0x5f, 0x69, - 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6d, 0x73, 0x67, 0x49, 0x64, 0x12, 0x22, - 0x0a, 0x0a, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x09, 0x48, 0x00, 0x52, 0x09, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x55, 0x72, 0x6c, 0x88, - 0x01, 0x01, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x6f, 0x6f, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x04, 0x74, 0x6f, 0x6f, 0x6c, 0x12, 0x14, 0x0a, 0x05, 0x69, 0x6e, 0x70, 0x75, 0x74, 0x18, - 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x69, 0x6e, 0x70, 0x75, 0x74, 0x12, 0x1a, 0x0a, 0x08, - 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x65, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, - 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x65, 0x64, 0x12, 0x2e, 0x0a, 0x10, 0x69, 0x6e, 0x76, 0x6f, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x07, 0x20, 0x01, - 0x28, 0x09, 0x48, 0x01, 0x52, 0x0f, 0x69, 0x6e, 0x76, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x45, 0x72, 0x72, 0x6f, 0x72, 0x88, 0x01, 0x01, 0x12, 0x47, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, - 0x64, 0x61, 0x74, 0x61, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, 0x6f, 0x6c, 0x55, 0x73, 0x61, - 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x12, 0x39, 0x0a, 0x0a, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, - 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, - 0x70, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12, 0x20, 0x0a, 0x0c, - 0x74, 0x6f, 0x6f, 0x6c, 0x5f, 0x63, 0x61, 0x6c, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x0a, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0a, 0x74, 0x6f, 0x6f, 0x6c, 0x43, 0x61, 0x6c, 0x6c, 0x49, 0x64, 0x1a, 0x51, - 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, - 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, - 0x79, 0x12, 0x2a, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, - 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, - 0x01, 0x42, 0x0d, 0x0a, 0x0b, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x75, 0x72, 0x6c, - 0x42, 0x13, 0x0a, 0x11, 0x5f, 0x69, 0x6e, 0x76, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, - 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x19, 0x0a, 0x17, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, - 0x6f, 0x6f, 0x6c, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x22, 0xb8, 0x02, 0x0a, 0x19, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x4d, 0x6f, 0x64, 0x65, 0x6c, - 0x54, 0x68, 0x6f, 0x75, 0x67, 0x68, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x27, - 0x0a, 0x0f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, - 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, - 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, - 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, - 0x74, 0x12, 0x4a, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x03, 0x20, - 0x03, 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, - 0x72, 0x64, 0x4d, 0x6f, 0x64, 0x65, 0x6c, 0x54, 0x68, 0x6f, 0x75, 0x67, 0x68, 0x74, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, - 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x39, 0x0a, - 0x0a, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x63, - 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x1a, 0x51, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, + 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x1a, 0x0a, 0x18, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, + 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x22, 0xcb, 0x02, 0x0a, 0x18, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x50, 0x72, 0x6f, + 0x6d, 0x70, 0x74, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, + 0x27, 0x0a, 0x0f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, + 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, + 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x15, 0x0a, 0x06, 0x6d, 0x73, 0x67, 0x5f, + 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6d, 0x73, 0x67, 0x49, 0x64, 0x12, + 0x16, 0x0a, 0x06, 0x70, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x06, 0x70, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x12, 0x49, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x50, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x55, 0x73, + 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0x12, 0x39, 0x0a, 0x0a, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, + 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, + 0x6d, 0x70, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x1a, 0x51, 0x0a, + 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, + 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, + 0x12, 0x2a, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, + 0x22, 0x1b, 0x0a, 0x19, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x50, 0x72, 0x6f, 0x6d, 0x70, 0x74, + 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x8f, 0x04, + 0x0a, 0x16, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, 0x6f, 0x6c, 0x55, 0x73, 0x61, 0x67, + 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x27, 0x0a, 0x0f, 0x69, 0x6e, 0x74, 0x65, + 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x0e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x49, + 0x64, 0x12, 0x15, 0x0a, 0x06, 0x6d, 0x73, 0x67, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x05, 0x6d, 0x73, 0x67, 0x49, 0x64, 0x12, 0x22, 0x0a, 0x0a, 0x73, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x09, + 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x55, 0x72, 0x6c, 0x88, 0x01, 0x01, 0x12, 0x12, 0x0a, 0x04, + 0x74, 0x6f, 0x6f, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x6f, 0x6f, 0x6c, + 0x12, 0x14, 0x0a, 0x05, 0x69, 0x6e, 0x70, 0x75, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x05, 0x69, 0x6e, 0x70, 0x75, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, + 0x65, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, + 0x65, 0x64, 0x12, 0x2e, 0x0a, 0x10, 0x69, 0x6e, 0x76, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x5f, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x48, 0x01, 0x52, 0x0f, + 0x69, 0x6e, 0x76, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x88, + 0x01, 0x01, 0x12, 0x47, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x08, + 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, + 0x6f, 0x72, 0x64, 0x54, 0x6f, 0x6f, 0x6c, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, + 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x39, 0x0a, 0x0a, 0x63, + 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x63, 0x72, 0x65, + 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12, 0x20, 0x0a, 0x0c, 0x74, 0x6f, 0x6f, 0x6c, 0x5f, 0x63, + 0x61, 0x6c, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x74, 0x6f, + 0x6f, 0x6c, 0x43, 0x61, 0x6c, 0x6c, 0x49, 0x64, 0x1a, 0x51, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2a, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, - 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x1c, 0x0a, 0x1a, 0x52, + 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x0d, 0x0a, 0x0b, 0x5f, + 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x75, 0x72, 0x6c, 0x42, 0x13, 0x0a, 0x11, 0x5f, 0x69, + 0x6e, 0x76, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, + 0x19, 0x0a, 0x17, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, 0x6f, 0x6c, 0x55, 0x73, 0x61, + 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0xb8, 0x02, 0x0a, 0x19, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x4d, 0x6f, 0x64, 0x65, 0x6c, 0x54, 0x68, 0x6f, 0x75, 0x67, 0x68, - 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x35, 0x0a, 0x1a, 0x47, 0x65, 0x74, - 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x73, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x17, 0x0a, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, - 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x75, 0x73, 0x65, 0x72, 0x49, 0x64, - 0x22, 0xb2, 0x01, 0x0a, 0x1b, 0x47, 0x65, 0x74, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x12, 0x40, 0x0a, 0x10, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x5f, 0x6d, 0x63, 0x70, 0x5f, 0x63, 0x6f, - 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x2e, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x52, 0x0e, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x4d, 0x63, 0x70, 0x43, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x12, 0x51, 0x0a, 0x19, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x61, - 0x75, 0x74, 0x68, 0x5f, 0x6d, 0x63, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x73, 0x18, - 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x4d, 0x43, - 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x16, 0x65, - 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x41, 0x75, 0x74, 0x68, 0x4d, 0x63, 0x70, 0x43, 0x6f, - 0x6e, 0x66, 0x69, 0x67, 0x73, 0x22, 0x85, 0x01, 0x0a, 0x0f, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, - 0x76, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x28, 0x0a, 0x10, 0x74, - 0x6f, 0x6f, 0x6c, 0x5f, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x74, 0x6f, 0x6f, 0x6c, 0x41, 0x6c, 0x6c, 0x6f, 0x77, - 0x52, 0x65, 0x67, 0x65, 0x78, 0x12, 0x26, 0x0a, 0x0f, 0x74, 0x6f, 0x6f, 0x6c, 0x5f, 0x64, 0x65, - 0x6e, 0x79, 0x5f, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, - 0x74, 0x6f, 0x6f, 0x6c, 0x44, 0x65, 0x6e, 0x79, 0x52, 0x65, 0x67, 0x65, 0x78, 0x22, 0x72, 0x0a, - 0x24, 0x47, 0x65, 0x74, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x42, 0x61, 0x74, 0x63, 0x68, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x17, 0x0a, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x75, 0x73, 0x65, 0x72, 0x49, 0x64, 0x12, 0x31, - 0x0a, 0x15, 0x6d, 0x63, 0x70, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, - 0x66, 0x69, 0x67, 0x5f, 0x69, 0x64, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x12, 0x6d, - 0x63, 0x70, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x49, 0x64, - 0x73, 0x22, 0xda, 0x02, 0x0a, 0x25, 0x47, 0x65, 0x74, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, - 0x65, 0x72, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x42, 0x61, - 0x74, 0x63, 0x68, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x63, 0x0a, 0x0d, 0x61, - 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x3e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x43, - 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, - 0x65, 0x6e, 0x73, 0x42, 0x61, 0x74, 0x63, 0x68, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x2e, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x45, 0x6e, 0x74, - 0x72, 0x79, 0x52, 0x0c, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, - 0x12, 0x50, 0x0a, 0x06, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x38, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x43, 0x50, 0x53, - 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, - 0x73, 0x42, 0x61, 0x74, 0x63, 0x68, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x45, - 0x72, 0x72, 0x6f, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x65, 0x72, 0x72, 0x6f, - 0x72, 0x73, 0x1a, 0x3f, 0x0a, 0x11, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, - 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, - 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, - 0x02, 0x38, 0x01, 0x1a, 0x39, 0x0a, 0x0b, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x73, 0x45, 0x6e, 0x74, - 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x3e, - 0x0a, 0x13, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, - 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x22, 0x6b, - 0x0a, 0x14, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x5f, - 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x49, - 0x64, 0x12, 0x1c, 0x0a, 0x0a, 0x61, 0x70, 0x69, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x61, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x12, - 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x32, 0xa9, 0x04, 0x0a, 0x08, - 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x65, 0x72, 0x12, 0x59, 0x0a, 0x12, 0x52, 0x65, 0x63, 0x6f, - 0x72, 0x64, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x20, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x49, 0x6e, 0x74, - 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x1a, 0x21, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x49, - 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x12, 0x68, 0x0a, 0x17, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x49, 0x6e, 0x74, - 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x65, 0x64, 0x12, 0x25, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x49, 0x6e, 0x74, - 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x65, 0x64, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, - 0x63, 0x6f, 0x72, 0x64, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, - 0x45, 0x6e, 0x64, 0x65, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x53, 0x0a, - 0x10, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x55, 0x73, 0x61, 0x67, - 0x65, 0x12, 0x1e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, - 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x1a, 0x1f, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, - 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x12, 0x56, 0x0a, 0x11, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x50, 0x72, 0x6f, 0x6d, - 0x70, 0x74, 0x55, 0x73, 0x61, 0x67, 0x65, 0x12, 0x1f, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, - 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x50, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x55, 0x73, 0x61, 0x67, - 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x50, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x55, 0x73, 0x61, - 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x50, 0x0a, 0x0f, 0x52, 0x65, - 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, 0x6f, 0x6c, 0x55, 0x73, 0x61, 0x67, 0x65, 0x12, 0x1d, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, 0x6f, 0x6c, - 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1e, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, 0x6f, 0x6c, 0x55, - 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x59, 0x0a, 0x12, - 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x4d, 0x6f, 0x64, 0x65, 0x6c, 0x54, 0x68, 0x6f, 0x75, 0x67, - 0x68, 0x74, 0x12, 0x20, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, - 0x64, 0x4d, 0x6f, 0x64, 0x65, 0x6c, 0x54, 0x68, 0x6f, 0x75, 0x67, 0x68, 0x74, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, - 0x6f, 0x72, 0x64, 0x4d, 0x6f, 0x64, 0x65, 0x6c, 0x54, 0x68, 0x6f, 0x75, 0x67, 0x68, 0x74, 0x52, - 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0xeb, 0x01, 0x0a, 0x0f, 0x4d, 0x43, 0x50, 0x43, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x5c, 0x0a, 0x13, 0x47, + 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x27, 0x0a, 0x0f, 0x69, 0x6e, 0x74, 0x65, + 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x0e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x49, + 0x64, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x12, 0x4a, 0x0a, 0x08, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2e, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x4d, 0x6f, 0x64, 0x65, + 0x6c, 0x54, 0x68, 0x6f, 0x75, 0x67, 0x68, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, + 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x39, 0x0a, 0x0a, 0x63, 0x72, 0x65, 0x61, 0x74, + 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, + 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, + 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, + 0x41, 0x74, 0x1a, 0x51, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, + 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2a, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x1c, 0x0a, 0x1a, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x4d, + 0x6f, 0x64, 0x65, 0x6c, 0x54, 0x68, 0x6f, 0x75, 0x67, 0x68, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x22, 0x35, 0x0a, 0x1a, 0x47, 0x65, 0x74, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, + 0x76, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x12, 0x17, 0x0a, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x06, 0x75, 0x73, 0x65, 0x72, 0x49, 0x64, 0x22, 0xb2, 0x01, 0x0a, 0x1b, 0x47, 0x65, 0x74, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, - 0x67, 0x73, 0x12, 0x21, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x43, - 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x73, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x47, 0x65, - 0x74, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x7a, 0x0a, 0x1d, 0x47, 0x65, 0x74, - 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, - 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x42, 0x61, 0x74, 0x63, 0x68, 0x12, 0x2b, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, - 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x42, 0x61, 0x74, 0x63, 0x68, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, + 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x40, 0x0a, 0x10, 0x63, 0x6f, + 0x64, 0x65, 0x72, 0x5f, 0x6d, 0x63, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x4d, 0x43, 0x50, + 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x63, 0x6f, + 0x64, 0x65, 0x72, 0x4d, 0x63, 0x70, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x51, 0x0a, 0x19, + 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x6d, 0x63, + 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x16, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x16, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, + 0x6c, 0x41, 0x75, 0x74, 0x68, 0x4d, 0x63, 0x70, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x73, 0x22, + 0x85, 0x01, 0x0a, 0x0f, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, 0x6f, 0x6e, + 0x66, 0x69, 0x67, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x02, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x28, 0x0a, 0x10, 0x74, 0x6f, 0x6f, 0x6c, 0x5f, 0x61, 0x6c, + 0x6c, 0x6f, 0x77, 0x5f, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x0e, 0x74, 0x6f, 0x6f, 0x6c, 0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x52, 0x65, 0x67, 0x65, 0x78, 0x12, + 0x26, 0x0a, 0x0f, 0x74, 0x6f, 0x6f, 0x6c, 0x5f, 0x64, 0x65, 0x6e, 0x79, 0x5f, 0x72, 0x65, 0x67, + 0x65, 0x78, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x74, 0x6f, 0x6f, 0x6c, 0x44, 0x65, + 0x6e, 0x79, 0x52, 0x65, 0x67, 0x65, 0x78, 0x22, 0x72, 0x0a, 0x24, 0x47, 0x65, 0x74, 0x4d, 0x43, + 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, + 0x65, 0x6e, 0x73, 0x42, 0x61, 0x74, 0x63, 0x68, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, + 0x17, 0x0a, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x06, 0x75, 0x73, 0x65, 0x72, 0x49, 0x64, 0x12, 0x31, 0x0a, 0x15, 0x6d, 0x63, 0x70, 0x5f, + 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x69, 0x64, + 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x12, 0x6d, 0x63, 0x70, 0x53, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x49, 0x64, 0x73, 0x22, 0xda, 0x02, 0x0a, 0x25, 0x47, 0x65, 0x74, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x42, 0x61, 0x74, 0x63, 0x68, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0x55, 0x0a, 0x0a, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, - 0x7a, 0x65, 0x72, 0x12, 0x47, 0x0a, 0x0c, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, - 0x7a, 0x65, 0x64, 0x12, 0x1a, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x49, 0x73, 0x41, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x1b, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x32, 0x5a, 0x30, - 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x6f, 0x64, 0x65, 0x72, - 0x2f, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x2f, 0x76, 0x32, 0x2f, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x64, - 0x2f, 0x61, 0x69, 0x62, 0x72, 0x69, 0x64, 0x67, 0x65, 0x64, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x63, 0x0a, 0x0d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, + 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3e, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x42, 0x61, 0x74, + 0x63, 0x68, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x41, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0c, 0x61, 0x63, + 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x12, 0x50, 0x0a, 0x06, 0x65, 0x72, + 0x72, 0x6f, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x38, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x42, 0x61, 0x74, 0x63, 0x68, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x73, 0x45, + 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x73, 0x1a, 0x3f, 0x0a, 0x11, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, + 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, + 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x39, 0x0a, + 0x0b, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, + 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, + 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, + 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x3e, 0x0a, 0x13, 0x49, 0x73, 0x41, 0x75, + 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, + 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, + 0x79, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x22, 0x6b, 0x0a, 0x14, 0x49, 0x73, 0x41, 0x75, + 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x07, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x49, 0x64, 0x12, 0x1c, 0x0a, 0x0a, 0x61, + 0x70, 0x69, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x08, 0x61, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, + 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, + 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x32, 0xa9, 0x04, 0x0a, 0x08, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, + 0x65, 0x72, 0x12, 0x59, 0x0a, 0x12, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x49, 0x6e, 0x74, 0x65, + 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x20, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, + 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x68, 0x0a, + 0x17, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x65, 0x64, 0x12, 0x25, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x26, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x49, 0x6e, + 0x74, 0x65, 0x72, 0x63, 0x65, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x65, 0x64, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x53, 0x0a, 0x10, 0x52, 0x65, 0x63, 0x6f, 0x72, + 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x55, 0x73, 0x61, 0x67, 0x65, 0x12, 0x1e, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x55, + 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x55, + 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x56, 0x0a, 0x11, + 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x50, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x55, 0x73, 0x61, 0x67, + 0x65, 0x12, 0x1f, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, + 0x50, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, + 0x64, 0x50, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x50, 0x0a, 0x0f, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, + 0x6f, 0x6c, 0x55, 0x73, 0x61, 0x67, 0x65, 0x12, 0x1d, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, + 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, 0x6f, 0x6c, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, + 0x65, 0x63, 0x6f, 0x72, 0x64, 0x54, 0x6f, 0x6f, 0x6c, 0x55, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x59, 0x0a, 0x12, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, + 0x4d, 0x6f, 0x64, 0x65, 0x6c, 0x54, 0x68, 0x6f, 0x75, 0x67, 0x68, 0x74, 0x12, 0x20, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x4d, 0x6f, 0x64, 0x65, 0x6c, + 0x54, 0x68, 0x6f, 0x75, 0x67, 0x68, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x4d, 0x6f, 0x64, + 0x65, 0x6c, 0x54, 0x68, 0x6f, 0x75, 0x67, 0x68, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x32, 0xeb, 0x01, 0x0a, 0x0f, 0x4d, 0x43, 0x50, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, + 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x5c, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x4d, 0x43, 0x50, 0x53, + 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x73, 0x12, 0x21, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x22, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x43, 0x50, 0x53, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x7a, 0x0a, 0x1d, 0x47, 0x65, 0x74, 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, + 0x76, 0x65, 0x72, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x42, + 0x61, 0x74, 0x63, 0x68, 0x12, 0x2b, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x47, 0x65, 0x74, + 0x4d, 0x43, 0x50, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, + 0x6f, 0x6b, 0x65, 0x6e, 0x73, 0x42, 0x61, 0x74, 0x63, 0x68, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x2c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x43, 0x50, + 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, + 0x6e, 0x73, 0x42, 0x61, 0x74, 0x63, 0x68, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, + 0x55, 0x0a, 0x0a, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x72, 0x12, 0x47, 0x0a, + 0x0c, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x12, 0x1a, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, + 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1b, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x32, 0x5a, 0x30, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x2f, 0x63, 0x6f, 0x64, 0x65, 0x72, + 0x2f, 0x76, 0x32, 0x2f, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x64, 0x2f, 0x61, 0x69, 0x62, 0x72, 0x69, + 0x64, 0x67, 0x65, 0x64, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, } var ( diff --git a/coderd/aibridged/proto/aibridged.proto b/coderd/aibridged/proto/aibridged.proto index cd61411516..08fceee676 100644 --- a/coderd/aibridged/proto/aibridged.proto +++ b/coderd/aibridged/proto/aibridged.proto @@ -58,6 +58,7 @@ message RecordInterceptionResponse {} message RecordInterceptionEndedRequest { string id = 1; // UUID. google.protobuf.Timestamp ended_at = 2; + string credential_hint = 3; } message RecordInterceptionEndedResponse {} diff --git a/coderd/aibridged/provider.go b/coderd/aibridged/provider.go index 6fb53e1a93..9d2faa030b 100644 --- a/coderd/aibridged/provider.go +++ b/coderd/aibridged/provider.go @@ -17,9 +17,9 @@ const ( ) // ProviderOutcome classifies one ai_providers row, including disabled -// and errored rows the pool excludes. Err is populated only when -// Status == ProviderStatusError; the build error is already logged at -// the call site. +// rows (which the pool keeps as 503 stubs) and errored rows (which the +// pool excludes). Err is populated only when Status == ProviderStatusError; +// the build error is already logged at the call site. type ProviderOutcome struct { Name string Type string diff --git a/coderd/aibridged/translator.go b/coderd/aibridged/translator.go index 2769ef0d89..6d251df0fe 100644 --- a/coderd/aibridged/translator.go +++ b/coderd/aibridged/translator.go @@ -45,8 +45,9 @@ func (t *recorderTranslation) RecordInterception(ctx context.Context, req *aibri func (t *recorderTranslation) RecordInterceptionEnded(ctx context.Context, req *aibridge.InterceptionRecordEnded) error { _, err := t.client.RecordInterceptionEnded(ctx, &proto.RecordInterceptionEndedRequest{ - Id: req.ID, - EndedAt: timestamppb.New(req.EndedAt), + Id: req.ID, + EndedAt: timestamppb.New(req.EndedAt), + CredentialHint: req.CredentialHint, }) return err } diff --git a/coderd/aibridgedserver/aibridgedserver.go b/coderd/aibridgedserver/aibridgedserver.go index c593b18f79..8dbaa10bfa 100644 --- a/coderd/aibridgedserver/aibridgedserver.go +++ b/coderd/aibridgedserver/aibridgedserver.go @@ -222,8 +222,9 @@ func (s *Server) RecordInterceptionEnded(ctx context.Context, in *proto.RecordIn } _, err = s.store.UpdateAIBridgeInterceptionEnded(ctx, database.UpdateAIBridgeInterceptionEndedParams{ - ID: intcID, - EndedAt: in.EndedAt.AsTime(), + ID: intcID, + EndedAt: in.EndedAt.AsTime(), + CredentialHint: in.CredentialHint, }) if err != nil { return nil, xerrors.Errorf("end interception: %w", err) diff --git a/coderd/aibridgedserver/aibridgedserver_test.go b/coderd/aibridgedserver/aibridgedserver_test.go index eb2f413e1e..9aeb082069 100644 --- a/coderd/aibridgedserver/aibridgedserver_test.go +++ b/coderd/aibridgedserver/aibridgedserver_test.go @@ -944,23 +944,26 @@ func TestRecordInterceptionEnded(t *testing.T) { { name: "ok", request: &proto.RecordInterceptionEndedRequest{ - Id: uuid.UUID{1}.String(), - EndedAt: timestamppb.Now(), + Id: uuid.UUID{1}.String(), + EndedAt: timestamppb.Now(), + CredentialHint: "sk-a...efgh", }, setupMocks: func(t *testing.T, db *dbmock.MockStore, req *proto.RecordInterceptionEndedRequest) { interceptionID, err := uuid.Parse(req.GetId()) assert.NoError(t, err, "parse interception UUID") db.EXPECT().UpdateAIBridgeInterceptionEnded(gomock.Any(), database.UpdateAIBridgeInterceptionEndedParams{ - ID: interceptionID, - EndedAt: req.EndedAt.AsTime(), + ID: interceptionID, + EndedAt: req.EndedAt.AsTime(), + CredentialHint: req.CredentialHint, }).Return(database.AIBridgeInterception{ - ID: interceptionID, - InitiatorID: uuid.UUID{2}, - Provider: "prov", - Model: "mod", - StartedAt: time.Now(), - EndedAt: sql.NullTime{Time: req.EndedAt.AsTime(), Valid: true}, + ID: interceptionID, + InitiatorID: uuid.UUID{2}, + Provider: "prov", + Model: "mod", + StartedAt: time.Now(), + EndedAt: sql.NullTime{Time: req.EndedAt.AsTime(), Valid: true}, + CredentialHint: req.CredentialHint, }, nil) }, }, diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go index 22616628d9..7aca308f9d 100644 --- a/coderd/apidoc/docs.go +++ b/coderd/apidoc/docs.go @@ -9171,6 +9171,110 @@ const docTemplate = `{ ] } }, + "/api/v2/users/{user}/ai/budget": { + "get": { + "produces": [ + "application/json" + ], + "tags": [ + "Enterprise" + ], + "summary": "Get user AI budget override", + "operationId": "get-user-ai-budget-override", + "parameters": [ + { + "type": "string", + "description": "User ID, username, or me", + "name": "user", + "in": "path", + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/codersdk.UserAIBudgetOverride" + } + } + }, + "security": [ + { + "CoderSessionToken": [] + } + ] + }, + "put": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "tags": [ + "Enterprise" + ], + "summary": "Upsert user AI budget override", + "operationId": "upsert-user-ai-budget-override", + "parameters": [ + { + "type": "string", + "description": "User ID, username, or me", + "name": "user", + "in": "path", + "required": true + }, + { + "description": "Upsert user AI budget override request", + "name": "request", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/codersdk.UpsertUserAIBudgetOverrideRequest" + } + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/codersdk.UserAIBudgetOverride" + } + } + }, + "security": [ + { + "CoderSessionToken": [] + } + ] + }, + "delete": { + "tags": [ + "Enterprise" + ], + "summary": "Delete user AI budget override", + "operationId": "delete-user-ai-budget-override", + "parameters": [ + { + "type": "string", + "description": "User ID, username, or me", + "name": "user", + "in": "path", + "required": true + } + ], + "responses": { + "204": { + "description": "No Content" + } + }, + "security": [ + { + "CoderSessionToken": [] + } + ] + } + }, "/api/v2/users/{user}/appearance": { "get": { "produces": [ @@ -15165,6 +15269,10 @@ const docTemplate = `{ "enum": [ "all", "application_connect", + "ai_gateway_key:*", + "ai_gateway_key:create", + "ai_gateway_key:delete", + "ai_gateway_key:read", "ai_model_price:*", "ai_model_price:read", "ai_model_price:update", @@ -15199,6 +15307,10 @@ const docTemplate = `{ "audit_log:*", "audit_log:create", "audit_log:read", + "boundary_log:*", + "boundary_log:create", + "boundary_log:delete", + "boundary_log:read", "boundary_usage:*", "boundary_usage:delete", "boundary_usage:read", @@ -15391,6 +15503,10 @@ const docTemplate = `{ "x-enum-varnames": [ "APIKeyScopeAll", "APIKeyScopeApplicationConnect", + "APIKeyScopeAiGatewayKeyAll", + "APIKeyScopeAiGatewayKeyCreate", + "APIKeyScopeAiGatewayKeyDelete", + "APIKeyScopeAiGatewayKeyRead", "APIKeyScopeAiModelPriceAll", "APIKeyScopeAiModelPriceRead", "APIKeyScopeAiModelPriceUpdate", @@ -15425,6 +15541,10 @@ const docTemplate = `{ "APIKeyScopeAuditLogAll", "APIKeyScopeAuditLogCreate", "APIKeyScopeAuditLogRead", + "APIKeyScopeBoundaryLogAll", + "APIKeyScopeBoundaryLogCreate", + "APIKeyScopeBoundaryLogDelete", + "APIKeyScopeBoundaryLogRead", "APIKeyScopeBoundaryUsageAll", "APIKeyScopeBoundaryUsageDelete", "APIKeyScopeBoundaryUsageRead", @@ -16490,7 +16610,8 @@ const docTemplate = `{ "auth", "config", "usage_limit", - "missing_key" + "missing_key", + "provider_disabled" ], "x-enum-varnames": [ "ChatErrorKindGeneric", @@ -16501,7 +16622,8 @@ const docTemplate = `{ "ChatErrorKindAuth", "ChatErrorKindConfig", "ChatErrorKindUsageLimit", - "ChatErrorKindMissingKey" + "ChatErrorKindMissingKey", + "ChatErrorKindProviderDisabled" ] }, "codersdk.ChatFileMetadata": { @@ -22215,6 +22337,7 @@ const docTemplate = `{ "type": "string", "enum": [ "*", + "ai_gateway_key", "ai_model_price", "ai_provider", "ai_seat", @@ -22223,6 +22346,7 @@ const docTemplate = `{ "assign_org_role", "assign_role", "audit_log", + "boundary_log", "boundary_usage", "chat", "connection_log", @@ -22265,6 +22389,7 @@ const docTemplate = `{ ], "x-enum-varnames": [ "ResourceWildcard", + "ResourceAIGatewayKey", "ResourceAiModelPrice", "ResourceAIProvider", "ResourceAiSeat", @@ -22273,6 +22398,7 @@ const docTemplate = `{ "ResourceAssignOrgRole", "ResourceAssignRole", "ResourceAuditLog", + "ResourceBoundaryLog", "ResourceBoundaryUsage", "ResourceChat", "ResourceConnectionLog", @@ -22525,6 +22651,7 @@ const docTemplate = `{ "ai_seat", "ai_provider", "ai_provider_key", + "ai_gateway_key", "group_ai_budget", "chat", "user_secret", @@ -22560,6 +22687,7 @@ const docTemplate = `{ "ResourceTypeAISeat", "ResourceTypeAIProvider", "ResourceTypeAIProviderKey", + "ResourceTypeAIGatewayKey", "ResourceTypeGroupAIBudget", "ResourceTypeChat", "ResourceTypeUserSecret", @@ -24651,6 +24779,23 @@ const docTemplate = `{ } } }, + "codersdk.UpsertUserAIBudgetOverrideRequest": { + "type": "object", + "required": [ + "group_id" + ], + "properties": { + "group_id": { + "description": "GroupID is the group the user's spend is attributed to. The user must\nbe a member of this group.", + "type": "string", + "format": "uuid" + }, + "spend_limit_micros": { + "type": "integer", + "minimum": 0 + } + } + }, "codersdk.UpsertWorkspaceAgentPortShareRequest": { "type": "object", "properties": { @@ -24805,6 +24950,30 @@ const docTemplate = `{ } } }, + "codersdk.UserAIBudgetOverride": { + "type": "object", + "properties": { + "created_at": { + "type": "string", + "format": "date-time" + }, + "group_id": { + "type": "string", + "format": "uuid" + }, + "spend_limit_micros": { + "type": "integer" + }, + "updated_at": { + "type": "string", + "format": "date-time" + }, + "user_id": { + "type": "string", + "format": "uuid" + } + } + }, "codersdk.UserActivity": { "type": "object", "properties": { diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json index b32ea11968..842eac0c08 100644 --- a/coderd/apidoc/swagger.json +++ b/coderd/apidoc/swagger.json @@ -8132,6 +8132,98 @@ ] } }, + "/api/v2/users/{user}/ai/budget": { + "get": { + "produces": ["application/json"], + "tags": ["Enterprise"], + "summary": "Get user AI budget override", + "operationId": "get-user-ai-budget-override", + "parameters": [ + { + "type": "string", + "description": "User ID, username, or me", + "name": "user", + "in": "path", + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/codersdk.UserAIBudgetOverride" + } + } + }, + "security": [ + { + "CoderSessionToken": [] + } + ] + }, + "put": { + "consumes": ["application/json"], + "produces": ["application/json"], + "tags": ["Enterprise"], + "summary": "Upsert user AI budget override", + "operationId": "upsert-user-ai-budget-override", + "parameters": [ + { + "type": "string", + "description": "User ID, username, or me", + "name": "user", + "in": "path", + "required": true + }, + { + "description": "Upsert user AI budget override request", + "name": "request", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/codersdk.UpsertUserAIBudgetOverrideRequest" + } + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/codersdk.UserAIBudgetOverride" + } + } + }, + "security": [ + { + "CoderSessionToken": [] + } + ] + }, + "delete": { + "tags": ["Enterprise"], + "summary": "Delete user AI budget override", + "operationId": "delete-user-ai-budget-override", + "parameters": [ + { + "type": "string", + "description": "User ID, username, or me", + "name": "user", + "in": "path", + "required": true + } + ], + "responses": { + "204": { + "description": "No Content" + } + }, + "security": [ + { + "CoderSessionToken": [] + } + ] + } + }, "/api/v2/users/{user}/appearance": { "get": { "produces": ["application/json"], @@ -13561,6 +13653,10 @@ "enum": [ "all", "application_connect", + "ai_gateway_key:*", + "ai_gateway_key:create", + "ai_gateway_key:delete", + "ai_gateway_key:read", "ai_model_price:*", "ai_model_price:read", "ai_model_price:update", @@ -13595,6 +13691,10 @@ "audit_log:*", "audit_log:create", "audit_log:read", + "boundary_log:*", + "boundary_log:create", + "boundary_log:delete", + "boundary_log:read", "boundary_usage:*", "boundary_usage:delete", "boundary_usage:read", @@ -13787,6 +13887,10 @@ "x-enum-varnames": [ "APIKeyScopeAll", "APIKeyScopeApplicationConnect", + "APIKeyScopeAiGatewayKeyAll", + "APIKeyScopeAiGatewayKeyCreate", + "APIKeyScopeAiGatewayKeyDelete", + "APIKeyScopeAiGatewayKeyRead", "APIKeyScopeAiModelPriceAll", "APIKeyScopeAiModelPriceRead", "APIKeyScopeAiModelPriceUpdate", @@ -13821,6 +13925,10 @@ "APIKeyScopeAuditLogAll", "APIKeyScopeAuditLogCreate", "APIKeyScopeAuditLogRead", + "APIKeyScopeBoundaryLogAll", + "APIKeyScopeBoundaryLogCreate", + "APIKeyScopeBoundaryLogDelete", + "APIKeyScopeBoundaryLogRead", "APIKeyScopeBoundaryUsageAll", "APIKeyScopeBoundaryUsageDelete", "APIKeyScopeBoundaryUsageRead", @@ -14840,7 +14948,8 @@ "auth", "config", "usage_limit", - "missing_key" + "missing_key", + "provider_disabled" ], "x-enum-varnames": [ "ChatErrorKindGeneric", @@ -14851,7 +14960,8 @@ "ChatErrorKindAuth", "ChatErrorKindConfig", "ChatErrorKindUsageLimit", - "ChatErrorKindMissingKey" + "ChatErrorKindMissingKey", + "ChatErrorKindProviderDisabled" ] }, "codersdk.ChatFileMetadata": { @@ -20358,6 +20468,7 @@ "type": "string", "enum": [ "*", + "ai_gateway_key", "ai_model_price", "ai_provider", "ai_seat", @@ -20366,6 +20477,7 @@ "assign_org_role", "assign_role", "audit_log", + "boundary_log", "boundary_usage", "chat", "connection_log", @@ -20408,6 +20520,7 @@ ], "x-enum-varnames": [ "ResourceWildcard", + "ResourceAIGatewayKey", "ResourceAiModelPrice", "ResourceAIProvider", "ResourceAiSeat", @@ -20416,6 +20529,7 @@ "ResourceAssignOrgRole", "ResourceAssignRole", "ResourceAuditLog", + "ResourceBoundaryLog", "ResourceBoundaryUsage", "ResourceChat", "ResourceConnectionLog", @@ -20658,6 +20772,7 @@ "ai_seat", "ai_provider", "ai_provider_key", + "ai_gateway_key", "group_ai_budget", "chat", "user_secret", @@ -20693,6 +20808,7 @@ "ResourceTypeAISeat", "ResourceTypeAIProvider", "ResourceTypeAIProviderKey", + "ResourceTypeAIGatewayKey", "ResourceTypeGroupAIBudget", "ResourceTypeChat", "ResourceTypeUserSecret", @@ -22684,6 +22800,21 @@ } } }, + "codersdk.UpsertUserAIBudgetOverrideRequest": { + "type": "object", + "required": ["group_id"], + "properties": { + "group_id": { + "description": "GroupID is the group the user's spend is attributed to. The user must\nbe a member of this group.", + "type": "string", + "format": "uuid" + }, + "spend_limit_micros": { + "type": "integer", + "minimum": 0 + } + } + }, "codersdk.UpsertWorkspaceAgentPortShareRequest": { "type": "object", "properties": { @@ -22817,6 +22948,30 @@ } } }, + "codersdk.UserAIBudgetOverride": { + "type": "object", + "properties": { + "created_at": { + "type": "string", + "format": "date-time" + }, + "group_id": { + "type": "string", + "format": "uuid" + }, + "spend_limit_micros": { + "type": "integer" + }, + "updated_at": { + "type": "string", + "format": "date-time" + }, + "user_id": { + "type": "string", + "format": "uuid" + } + } + }, "codersdk.UserActivity": { "type": "object", "properties": { diff --git a/coderd/audit/diff.go b/coderd/audit/diff.go index a26924552b..0beec46153 100644 --- a/coderd/audit/diff.go +++ b/coderd/audit/diff.go @@ -36,6 +36,7 @@ type Auditable interface { database.AiSeatState | database.AIProvider | database.AIProviderKey | + database.AIGatewayKey | database.Chat | database.AuditableGroupAiBudget | database.UserSecret | diff --git a/coderd/audit/request.go b/coderd/audit/request.go index c690bd56f1..2304d37e82 100644 --- a/coderd/audit/request.go +++ b/coderd/audit/request.go @@ -138,6 +138,8 @@ func ResourceTarget[T Auditable](tgt T) string { return typed.Name case database.AIProviderKey: return typed.ID.String() + case database.AIGatewayKey: + return typed.Name case database.AuditableGroupAiBudget: return typed.GroupName case database.Chat: @@ -222,6 +224,8 @@ func ResourceID[T Auditable](tgt T) uuid.UUID { return typed.ID case database.AIProviderKey: return typed.ID + case database.AIGatewayKey: + return typed.ID case database.AuditableGroupAiBudget: return typed.GroupID case database.Chat: @@ -291,6 +295,8 @@ func ResourceType[T Auditable](tgt T) database.ResourceType { return database.ResourceTypeAIProvider case database.AIProviderKey: return database.ResourceTypeAIProviderKey + case database.AIGatewayKey: + return database.ResourceTypeAIGatewayKey case database.AuditableGroupAiBudget: return database.ResourceTypeGroupAiBudget case database.Chat: @@ -366,6 +372,9 @@ func ResourceRequiresOrgID[T Auditable]() bool { // AI provider keys inherit the deployment scope of their parent // provider. return false + case database.AIGatewayKey: + // AI Gateway keys are deployment-scoped, not org-scoped. + return false case database.AuditableGroupAiBudget: // Group AI budgets are org-scoped through their parent group. return true diff --git a/coderd/autobuild/lifecycle_executor.go b/coderd/autobuild/lifecycle_executor.go index 84fff375e0..5a141ce8cf 100644 --- a/coderd/autobuild/lifecycle_executor.go +++ b/coderd/autobuild/lifecycle_executor.go @@ -422,6 +422,23 @@ func (e *Executor) runOnce(t time.Time) Stats { Isolation: sql.LevelRepeatableRead, TxIdentifier: "lifecycle", }) + // A concurrent build (e.g. from the API or another lifecycle + // executor) may have already inserted a build with the same + // number. This is a benign race; the other actor's build + // will take effect. Clear the error so downstream checks + // (audit, notification, stats) treat this as a no-op. + if database.IsUniqueViolation(err, database.UniqueWorkspaceBuildsWorkspaceIDBuildNumberKey) { + log.Info(e.ctx, "skipping workspace: concurrent build already inserted", slog.Error(err)) + err = nil + // Reset notification flags set before builder.Build. + // The build was rolled back, so this executor did not + // perform the transition. The concurrent actor handles + // both the build and any notifications. Without these + // resets, downstream code would send duplicate or + // incorrect notifications. + didAutoUpdate = false + shouldNotifyTaskPause = false + } if auditLog != nil { // If the transition didn't succeed then updating the workspace // to indicate dormant didn't either. diff --git a/coderd/autobuild/lifecycle_executor_test.go b/coderd/autobuild/lifecycle_executor_test.go index 345647977d..89805429b9 100644 --- a/coderd/autobuild/lifecycle_executor_test.go +++ b/coderd/autobuild/lifecycle_executor_test.go @@ -4,10 +4,12 @@ import ( "context" "database/sql" "errors" + "sync/atomic" "testing" "time" "github.com/google/uuid" + "github.com/lib/pq" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "go.uber.org/goleak" @@ -160,6 +162,92 @@ func TestMultipleLifecycleExecutors(t *testing.T) { assert.Equal(t, database.WorkspaceTransitionStart, stats.Transitions[workspace.ID]) } +// uniqueViolationStore wraps a database.Store and injects a unique violation +// error from InsertWorkspaceBuild after a configurable number of successful +// calls. This simulates a concurrent build race (e.g. an API-driven start +// racing with the lifecycle executor autostart). +type uniqueViolationStore struct { + database.Store + insertCount *atomic.Int32 // pointer: shared across InTx copies + failAfterN int32 +} + +func newUniqueViolationStore(db database.Store, failAfterN int32) *uniqueViolationStore { + return &uniqueViolationStore{ + Store: db, + insertCount: &atomic.Int32{}, + failAfterN: failAfterN, + } +} + +func (s *uniqueViolationStore) InTx(fn func(database.Store) error, opts *database.TxOptions) error { + return s.Store.InTx(func(tx database.Store) error { + return fn(&uniqueViolationStore{ + Store: tx, + insertCount: s.insertCount, // shared pointer + failAfterN: s.failAfterN, + }) + }, opts) +} + +func (s *uniqueViolationStore) InsertWorkspaceBuild(ctx context.Context, arg database.InsertWorkspaceBuildParams) error { + n := s.insertCount.Add(1) + if n > s.failAfterN { + return &pq.Error{ + Code: pq.ErrorCode("23505"), + Constraint: string(database.UniqueWorkspaceBuildsWorkspaceIDBuildNumberKey), + Message: `duplicate key value violates unique constraint "workspace_builds_workspace_id_build_number_key"`, + } + } + return s.Store.InsertWorkspaceBuild(ctx, arg) +} + +func TestExecutorBuildNumberRaceIsHandled(t *testing.T) { + t.Parallel() + + // The lifecycle executor must handle a unique-violation from + // InsertWorkspaceBuild gracefully. This error occurs when a concurrent + // actor (API handler, another executor, prebuilds reconciler) inserts a + // build with the same number before the executor's INSERT lands. + // + // We inject the error via a store wrapper. The first two + // InsertWorkspaceBuild calls succeed (setup builds), then the third + // (the lifecycle executor's autostart build) gets a unique violation. + + realDB, ps := dbtestutil.NewDB(t) + wrappedDB := newUniqueViolationStore(realDB, 2) // Allow builds 1 (start) and 2 (stop); fail build 3 (autostart) + + var ( + sched, _ = cron.Weekly("CRON_TZ=UTC 0 * * * *") + tickCh = make(chan time.Time) + statsCh = make(chan autobuild.Stats) + client = coderdtest.New(t, &coderdtest.Options{ + IncludeProvisionerDaemon: true, + AutobuildTicker: tickCh, + AutobuildStats: statsCh, + Database: wrappedDB, + Pubsub: ps, + }) + workspace = mustProvisionWorkspace(t, client, func(cwr *codersdk.CreateWorkspaceRequest) { + cwr.AutostartSchedule = ptr.Ref(sched.String()) + }) + ) + + workspace = coderdtest.MustTransitionWorkspace(t, client, workspace.ID, codersdk.WorkspaceTransitionStart, codersdk.WorkspaceTransitionStop) + + p, err := coderdtest.GetProvisionerForTags(realDB, time.Now(), workspace.OrganizationID, nil) + require.NoError(t, err) + next := sched.Next(workspace.LatestBuild.CreatedAt) + coderdtest.UpdateProvisionerLastSeenAt(t, realDB, p.ID, next) + + tickCh <- next + stats := <-statsCh + + // The lifecycle executor should treat the unique violation as a benign + // race, not as a hard error. + assert.Empty(t, stats.Errors, "lifecycle executor should not report unique-violation as error") +} + func TestExecutorAutostartTemplateUpdated(t *testing.T) { t.Parallel() diff --git a/coderd/database/check_constraint.go b/coderd/database/check_constraint.go index 5682341ef9..c1fa991032 100644 --- a/coderd/database/check_constraint.go +++ b/coderd/database/check_constraint.go @@ -6,6 +6,9 @@ type CheckConstraint string // CheckConstraint enums. const ( + CheckAiGatewayKeysHashedSecretCheck CheckConstraint = "ai_gateway_keys_hashed_secret_check" // ai_gateway_keys + CheckAiGatewayKeysNameCheck CheckConstraint = "ai_gateway_keys_name_check" // ai_gateway_keys + CheckAiGatewayKeysSecretPrefixCheck CheckConstraint = "ai_gateway_keys_secret_prefix_check" // ai_gateway_keys CheckAiModelPricesCacheReadPriceCheck CheckConstraint = "ai_model_prices_cache_read_price_check" // ai_model_prices CheckAiModelPricesCacheWritePriceCheck CheckConstraint = "ai_model_prices_cache_write_price_check" // ai_model_prices CheckAiModelPricesInputPriceCheck CheckConstraint = "ai_model_prices_input_price_check" // ai_model_prices @@ -44,6 +47,7 @@ const ( CheckTelemetryLockEventTypeConstraint CheckConstraint = "telemetry_lock_event_type_constraint" // telemetry_locks CheckValidationMonotonicOrder CheckConstraint = "validation_monotonic_order" // template_version_parameters CheckUsageEventTypeCheck CheckConstraint = "usage_event_type_check" // usage_events + CheckUserAiBudgetOverridesSpendLimitMicrosCheck CheckConstraint = "user_ai_budget_overrides_spend_limit_micros_check" // user_ai_budget_overrides CheckUserAiProviderKeysAPIKeyCheck CheckConstraint = "user_ai_provider_keys_api_key_check" // user_ai_provider_keys CheckUserSkillsContentSize CheckConstraint = "user_skills_content_size" // user_skills CheckUserSkillsDescriptionSize CheckConstraint = "user_skills_description_size" // user_skills diff --git a/coderd/database/db2sdk/db2sdk.go b/coderd/database/db2sdk/db2sdk.go index 36b081b86b..bc93df7cd3 100644 --- a/coderd/database/db2sdk/db2sdk.go +++ b/coderd/database/db2sdk/db2sdk.go @@ -1509,6 +1509,16 @@ func GroupAIBudget(b database.GroupAiBudget) codersdk.GroupAIBudget { } } +func UserAIBudgetOverride(o database.UserAiBudgetOverride) codersdk.UserAIBudgetOverride { + return codersdk.UserAIBudgetOverride{ + UserID: o.UserID, + GroupID: o.GroupID, + SpendLimitMicros: o.SpendLimitMicros, + CreatedAt: o.CreatedAt, + UpdatedAt: o.UpdatedAt, + } +} + func InvalidatedPresets(invalidatedPresets []database.UpdatePresetsLastInvalidatedAtRow) []codersdk.InvalidatedPreset { var presets []codersdk.InvalidatedPreset for _, p := range invalidatedPresets { diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go index 3e41260d82..a1a7497153 100644 --- a/coderd/database/dbauthz/dbauthz.go +++ b/coderd/database/dbauthz/dbauthz.go @@ -651,6 +651,8 @@ var ( rbac.ResourceAibridgeInterception.Type: {policy.ActionDelete}, // Chat auto-archive sets archived=true on inactive chats. rbac.ResourceChat.Type: {policy.ActionRead, policy.ActionUpdate}, + // Purge old boundary logs past the retention period. + rbac.ResourceBoundaryLog.Type: {policy.ActionDelete}, }), User: []rbac.Permission{}, ByOrgID: map[string]rbac.OrgPermissions{}, @@ -2191,9 +2193,8 @@ func (q *querier) DeleteOldAuditLogs(ctx context.Context, arg database.DeleteOld return q.db.DeleteOldAuditLogs(ctx, arg) } -// TODO (PR #24810): Replace rbac.ResourceSystem with dedicated boundary_log resource type. func (q *querier) DeleteOldBoundaryLogs(ctx context.Context, arg database.DeleteOldBoundaryLogsParams) (int64, error) { - if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil { + if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceBoundaryLog); err != nil { return 0, err } return q.db.DeleteOldBoundaryLogs(ctx, arg) @@ -2322,6 +2323,32 @@ func (q *querier) DeleteTask(ctx context.Context, arg database.DeleteTaskParams) return q.db.DeleteTask(ctx, arg) } +func (q *querier) DeleteUserAIBudgetOverride(ctx context.Context, userID uuid.UUID) (database.UserAiBudgetOverride, error) { + // Removing a user's AI budget override affects both the user (clearing + // their per-user spend cap) and the group it was attributed to. + u, err := q.db.GetUserByID(ctx, userID) + if err != nil { + return database.UserAiBudgetOverride{}, err + } + if err := q.authorizeContext(ctx, policy.ActionUpdate, u); err != nil { + return database.UserAiBudgetOverride{}, err + } + // Fetch the existing override to learn which group it attributes spend to, + // so we can authorize the caller against that group as well. + userOverride, err := q.db.GetUserAIBudgetOverride(ctx, userID) + if err != nil { + return database.UserAiBudgetOverride{}, err + } + g, err := q.db.GetGroupByID(ctx, userOverride.GroupID) + if err != nil { + return database.UserAiBudgetOverride{}, err + } + if err := q.authorizeContext(ctx, policy.ActionUpdate, g); err != nil { + return database.UserAiBudgetOverride{}, err + } + return q.db.DeleteUserAIBudgetOverride(ctx, userID) +} + func (q *querier) DeleteUserAIProviderKey(ctx context.Context, arg database.DeleteUserAIProviderKeyParams) error { u, err := q.db.GetUserByID(ctx, arg.UserID) if err != nil { @@ -2780,17 +2807,15 @@ func (q *querier) GetAuthorizationUserRoles(ctx context.Context, userID uuid.UUI return q.db.GetAuthorizationUserRoles(ctx, userID) } -// TODO (PR #24810): Replace rbac.ResourceAuditLog with dedicated boundary_log resource type. func (q *querier) GetBoundaryLogByID(ctx context.Context, id uuid.UUID) (database.BoundaryLog, error) { - if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceAuditLog); err != nil { + if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceBoundaryLog); err != nil { return database.BoundaryLog{}, err } return q.db.GetBoundaryLogByID(ctx, id) } -// TODO (PR #24810): Replace rbac.ResourceAuditLog with dedicated boundary_log resource type. func (q *querier) GetBoundarySessionByID(ctx context.Context, id uuid.UUID) (database.BoundarySession, error) { - if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceAuditLog); err != nil { + if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceBoundaryLog); err != nil { return database.BoundarySession{}, err } return q.db.GetBoundarySessionByID(ctx, id) @@ -4537,6 +4562,13 @@ func (q *querier) GetUnexpiredLicenses(ctx context.Context) ([]database.License, return q.db.GetUnexpiredLicenses(ctx) } +func (q *querier) GetUserAIBudgetOverride(ctx context.Context, userID uuid.UUID) (database.UserAiBudgetOverride, error) { + if _, err := q.GetUserByID(ctx, userID); err != nil { // AuthZ check + return database.UserAiBudgetOverride{}, err + } + return q.db.GetUserAIBudgetOverride(ctx, userID) +} + func (q *querier) GetUserAIProviderKeyByProviderID(ctx context.Context, arg database.GetUserAIProviderKeyByProviderIDParams) (database.UserAiProviderKey, error) { u, err := q.db.GetUserByID(ctx, arg.UserID) if err != nil { @@ -5468,14 +5500,29 @@ func (q *querier) InsertAuditLog(ctx context.Context, arg database.InsertAuditLo return insert(q.log, q.auth, rbac.ResourceAuditLog, q.db.InsertAuditLog)(ctx, arg) } -// TODO (PR #24810): Replace rbac.ResourceAuditLog with dedicated boundary_log resource type. -func (q *querier) InsertBoundaryLog(ctx context.Context, arg database.InsertBoundaryLogParams) (database.BoundaryLog, error) { - return insert(q.log, q.auth, rbac.ResourceAuditLog, q.db.InsertBoundaryLog)(ctx, arg) +func (q *querier) InsertBoundaryLogs(ctx context.Context, arg database.InsertBoundaryLogsParams) ([]database.BoundaryLog, error) { + session, err := q.db.GetBoundarySessionByID(ctx, arg.SessionID) + if err != nil { + return nil, xerrors.Errorf("get boundary session for owner: %w", err) + } + if err := q.authorizeContext(ctx, policy.ActionCreate, + rbac.ResourceBoundaryLog.WithOwner(session.OwnerID.UUID.String())); err != nil { + return nil, err + } + return q.db.InsertBoundaryLogs(ctx, arg) } -// TODO (PR #24810): Replace rbac.ResourceAuditLog with dedicated boundary_log resource type. func (q *querier) InsertBoundarySession(ctx context.Context, arg database.InsertBoundarySessionParams) (database.BoundarySession, error) { - return insert(q.log, q.auth, rbac.ResourceAuditLog, q.db.InsertBoundarySession)(ctx, arg) + row, err := q.db.GetWorkspaceAgentAndWorkspaceByID(ctx, arg.WorkspaceAgentID) + if err != nil { + return database.BoundarySession{}, xerrors.Errorf("get workspace for boundary session owner: %w", err) + } + arg.OwnerID = uuid.NullUUID{UUID: row.WorkspaceTable.OwnerID, Valid: true} + if err := q.authorizeContext(ctx, policy.ActionCreate, + rbac.ResourceBoundaryLog.WithOwner(arg.OwnerID.UUID.String())); err != nil { + return database.BoundarySession{}, err + } + return q.db.InsertBoundarySession(ctx, arg) } func (q *querier) InsertChat(ctx context.Context, arg database.InsertChatParams) (database.Chat, error) { @@ -6191,9 +6238,8 @@ func (q *querier) ListAIBridgeUserPromptsByInterceptionIDs(ctx context.Context, return q.db.ListAIBridgeUserPromptsByInterceptionIDs(ctx, interceptionIDs) } -// TODO (PR #24810): Replace rbac.ResourceAuditLog with dedicated boundary_log resource type. func (q *querier) ListBoundaryLogsBySessionID(ctx context.Context, arg database.ListBoundaryLogsBySessionIDParams) ([]database.BoundaryLog, error) { - if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceAuditLog); err != nil { + if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceBoundaryLog); err != nil { return nil, err } return q.db.ListBoundaryLogsBySessionID(ctx, arg) @@ -8329,6 +8375,26 @@ func (q *querier) UpsertTemplateUsageStats(ctx context.Context) error { return q.db.UpsertTemplateUsageStats(ctx) } +func (q *querier) UpsertUserAIBudgetOverride(ctx context.Context, arg database.UpsertUserAIBudgetOverrideParams) (database.UserAiBudgetOverride, error) { + // Setting a user's AI budget override affects both the user (their + // per-user spend cap) and the group (spend attribution). + u, err := q.db.GetUserByID(ctx, arg.UserID) + if err != nil { + return database.UserAiBudgetOverride{}, err + } + if err := q.authorizeContext(ctx, policy.ActionUpdate, u); err != nil { + return database.UserAiBudgetOverride{}, err + } + g, err := q.db.GetGroupByID(ctx, arg.GroupID) + if err != nil { + return database.UserAiBudgetOverride{}, err + } + if err := q.authorizeContext(ctx, policy.ActionUpdate, g); err != nil { + return database.UserAiBudgetOverride{}, err + } + return q.db.UpsertUserAIBudgetOverride(ctx, arg) +} + func (q *querier) UpsertUserAIProviderKey(ctx context.Context, arg database.UpsertUserAIProviderKeyParams) (database.UserAiProviderKey, error) { u, err := q.db.GetUserByID(ctx, arg.UserID) if err != nil { diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go index 3296d5cebe..f788fa71e2 100644 --- a/coderd/database/dbauthz/dbauthz_test.go +++ b/coderd/database/dbauthz/dbauthz_test.go @@ -440,35 +440,55 @@ func (s *MethodTestSuite) TestAuditLogs() { })) } -// TODO (PR #24810): These RBAC assertions use placeholder resource types. -// They will be updated when the dedicated boundary_log resource type is added. func (s *MethodTestSuite) TestBoundaryLogs() { - s.Run("InsertBoundarySession", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) { - arg := database.InsertBoundarySessionParams{} - dbm.EXPECT().InsertBoundarySession(gomock.Any(), arg).Return(database.BoundarySession{}, nil).AnyTimes() - check.Args(arg).Asserts(rbac.ResourceAuditLog, policy.ActionCreate) + s.Run("InsertBoundarySession", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) { + aww := testutil.Fake(s.T(), faker, database.GetWorkspaceAgentAndWorkspaceByIDRow{}) + arg := database.InsertBoundarySessionParams{ + WorkspaceAgentID: aww.WorkspaceAgent.ID, + } + dbm.EXPECT().GetWorkspaceAgentAndWorkspaceByID(gomock.Any(), aww.WorkspaceAgent.ID).Return(aww, nil).AnyTimes() + expectedArg := database.InsertBoundarySessionParams{ + WorkspaceAgentID: aww.WorkspaceAgent.ID, + OwnerID: uuid.NullUUID{UUID: aww.WorkspaceTable.OwnerID, Valid: true}, + } + dbm.EXPECT().InsertBoundarySession(gomock.Any(), expectedArg).Return(database.BoundarySession{}, nil).AnyTimes() + check.Args(arg).Asserts( + rbac.ResourceBoundaryLog.WithOwner(aww.WorkspaceTable.OwnerID.String()), policy.ActionCreate, + ) })) s.Run("GetBoundarySessionByID", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) { dbm.EXPECT().GetBoundarySessionByID(gomock.Any(), uuid.Nil).Return(database.BoundarySession{}, nil).AnyTimes() - check.Args(uuid.Nil).Asserts(rbac.ResourceAuditLog, policy.ActionRead) + check.Args(uuid.Nil).Asserts(rbac.ResourceBoundaryLog, policy.ActionRead) })) - s.Run("InsertBoundaryLog", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) { - arg := database.InsertBoundaryLogParams{} - dbm.EXPECT().InsertBoundaryLog(gomock.Any(), arg).Return(database.BoundaryLog{}, nil).AnyTimes() - check.Args(arg).Asserts(rbac.ResourceAuditLog, policy.ActionCreate) + s.Run("InsertBoundaryLogs", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) { + ownerID := uuid.New() + sessionID := uuid.New() + session := database.BoundarySession{ + ID: sessionID, + OwnerID: uuid.NullUUID{UUID: ownerID, Valid: true}, + } + arg := database.InsertBoundaryLogsParams{ + SessionID: sessionID, + ID: []uuid.UUID{uuid.New(), uuid.New()}, + } + dbm.EXPECT().GetBoundarySessionByID(gomock.Any(), sessionID).Return(session, nil).AnyTimes() + dbm.EXPECT().InsertBoundaryLogs(gomock.Any(), arg).Return([]database.BoundaryLog{}, nil).AnyTimes() + check.Args(arg).Asserts( + rbac.ResourceBoundaryLog.WithOwner(ownerID.String()), policy.ActionCreate, + ) })) s.Run("GetBoundaryLogByID", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) { dbm.EXPECT().GetBoundaryLogByID(gomock.Any(), uuid.Nil).Return(database.BoundaryLog{}, nil).AnyTimes() - check.Args(uuid.Nil).Asserts(rbac.ResourceAuditLog, policy.ActionRead) + check.Args(uuid.Nil).Asserts(rbac.ResourceBoundaryLog, policy.ActionRead) })) s.Run("ListBoundaryLogsBySessionID", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) { arg := database.ListBoundaryLogsBySessionIDParams{} dbm.EXPECT().ListBoundaryLogsBySessionID(gomock.Any(), arg).Return([]database.BoundaryLog{}, nil).AnyTimes() - check.Args(arg).Asserts(rbac.ResourceAuditLog, policy.ActionRead) + check.Args(arg).Asserts(rbac.ResourceBoundaryLog, policy.ActionRead) })) s.Run("DeleteOldBoundaryLogs", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) { dbm.EXPECT().DeleteOldBoundaryLogs(gomock.Any(), database.DeleteOldBoundaryLogsParams{}).Return(int64(0), nil).AnyTimes() - check.Args(database.DeleteOldBoundaryLogsParams{}).Asserts(rbac.ResourceSystem, policy.ActionDelete) + check.Args(database.DeleteOldBoundaryLogsParams{}).Asserts(rbac.ResourceBoundaryLog, policy.ActionDelete) })) } @@ -6455,6 +6475,36 @@ func (s *MethodTestSuite) TestAIBridge() { check.Args(g.ID).Asserts(g, policy.ActionUpdate).Returns(b) })) + s.Run("GetUserAIBudgetOverride", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) { + user := testutil.Fake(s.T(), faker, database.User{}) + override := testutil.Fake(s.T(), faker, database.UserAiBudgetOverride{UserID: user.ID}) + dbm.EXPECT().GetUserByID(gomock.Any(), user.ID).Return(user, nil).AnyTimes() + dbm.EXPECT().GetUserAIBudgetOverride(gomock.Any(), user.ID).Return(override, nil).AnyTimes() + check.Args(user.ID).Asserts(user, policy.ActionRead).Returns(override) + })) + + s.Run("UpsertUserAIBudgetOverride", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) { + user := testutil.Fake(s.T(), faker, database.User{}) + group := testutil.Fake(s.T(), faker, database.Group{}) + override := testutil.Fake(s.T(), faker, database.UserAiBudgetOverride{UserID: user.ID, GroupID: group.ID}) + arg := database.UpsertUserAIBudgetOverrideParams{UserID: user.ID, GroupID: group.ID, SpendLimitMicros: override.SpendLimitMicros} + dbm.EXPECT().GetUserByID(gomock.Any(), user.ID).Return(user, nil).AnyTimes() + dbm.EXPECT().GetGroupByID(gomock.Any(), group.ID).Return(group, nil).AnyTimes() + dbm.EXPECT().UpsertUserAIBudgetOverride(gomock.Any(), arg).Return(override, nil).AnyTimes() + check.Args(arg).Asserts(user, policy.ActionUpdate, group, policy.ActionUpdate).Returns(override) + })) + + s.Run("DeleteUserAIBudgetOverride", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) { + user := testutil.Fake(s.T(), faker, database.User{}) + group := testutil.Fake(s.T(), faker, database.Group{}) + override := testutil.Fake(s.T(), faker, database.UserAiBudgetOverride{UserID: user.ID, GroupID: group.ID}) + dbm.EXPECT().GetUserByID(gomock.Any(), user.ID).Return(user, nil).AnyTimes() + dbm.EXPECT().GetUserAIBudgetOverride(gomock.Any(), user.ID).Return(override, nil).AnyTimes() + dbm.EXPECT().GetGroupByID(gomock.Any(), group.ID).Return(group, nil).AnyTimes() + dbm.EXPECT().DeleteUserAIBudgetOverride(gomock.Any(), user.ID).Return(override, nil).AnyTimes() + check.Args(user.ID).Asserts(user, policy.ActionUpdate, group, policy.ActionUpdate).Returns(override) + })) + s.Run("GetAIProviderByID", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) { provider := testutil.Fake(s.T(), faker, database.AIProvider{}) dbm.EXPECT().GetAIProviderByID(gomock.Any(), provider.ID).Return(provider, nil).AnyTimes() diff --git a/coderd/database/dbgen/dbgen.go b/coderd/database/dbgen/dbgen.go index 834bad6274..416a2b7257 100644 --- a/coderd/database/dbgen/dbgen.go +++ b/coderd/database/dbgen/dbgen.go @@ -458,6 +458,7 @@ func BoundarySession(t testing.TB, db database.Store, seed database.BoundarySess session, err := db.InsertBoundarySession(genCtx, database.InsertBoundarySessionParams{ ID: takeFirst(seed.ID, uuid.New()), WorkspaceAgentID: takeFirst(seed.WorkspaceAgentID, uuid.New()), + OwnerID: takeFirst(seed.OwnerID, uuid.NullUUID{UUID: uuid.New(), Valid: true}), ConfinedProcessName: takeFirst(seed.ConfinedProcessName, "claude-code"), StartedAt: takeFirst(seed.StartedAt, dbtime.Now()), UpdatedAt: takeFirst(seed.UpdatedAt, dbtime.Now()), @@ -466,20 +467,52 @@ func BoundarySession(t testing.TB, db database.Store, seed database.BoundarySess return session } -func BoundaryLog(t testing.TB, db database.Store, seed database.BoundaryLog) database.BoundaryLog { - log, err := db.InsertBoundaryLog(genCtx, database.InsertBoundaryLogParams{ - ID: takeFirst(seed.ID, uuid.New()), - SessionID: seed.SessionID, - SequenceNumber: takeFirst(seed.SequenceNumber, 0), - CapturedAt: takeFirst(seed.CapturedAt, dbtime.Now()), - CreatedAt: takeFirst(seed.CreatedAt, dbtime.Now()), - Proto: takeFirst(seed.Proto, "http"), - Method: takeFirst(seed.Method, "GET"), - Detail: takeFirst(seed.Detail, "https://example.com"), - MatchedRule: seed.MatchedRule, +func BoundaryLogs(t testing.TB, db database.Store, seed []database.BoundaryLog) []database.BoundaryLog { + ids := make([]uuid.UUID, 0, len(seed)) + sessionID := seed[0].SessionID + sequenceNumbers := make([]int32, 0, len(seed)) + capturedAt := make([]time.Time, 0, len(seed)) + createdAt := make([]time.Time, 0, len(seed)) + protos := make([]string, 0, len(seed)) + method := make([]string, 0, len(seed)) + detail := make([]string, 0, len(seed)) + matchedRule := make([]string, 0, len(seed)) + for _, log := range seed { + log = takeFirstBoundaryLog(log) + ids = append(ids, log.ID) + sequenceNumbers = append(sequenceNumbers, log.SequenceNumber) + capturedAt = append(capturedAt, log.CapturedAt) + createdAt = append(createdAt, log.CreatedAt) + protos = append(protos, log.Proto) + method = append(method, log.Method) + detail = append(detail, log.Detail) + matchedRule = append(matchedRule, log.MatchedRule.String) + } + logs, err := db.InsertBoundaryLogs(genCtx, database.InsertBoundaryLogsParams{ + ID: ids, + SessionID: sessionID, + SequenceNumber: sequenceNumbers, + CapturedAt: capturedAt, + CreatedAt: createdAt, + Proto: protos, + Method: method, + Detail: detail, + MatchedRule: matchedRule, }) - require.NoError(t, err, "insert boundary log") - return log + require.NoError(t, err, "insert boundary logs") + return logs +} + +func takeFirstBoundaryLog(seed database.BoundaryLog) database.BoundaryLog { + seed.ID = takeFirst(seed.ID, uuid.New()) + seed.SessionID = takeFirst(seed.SessionID, uuid.New()) + seed.SequenceNumber = takeFirst(seed.SequenceNumber, 0) + seed.CapturedAt = takeFirst(seed.CapturedAt, dbtime.Now()) + seed.CreatedAt = takeFirst(seed.CreatedAt, dbtime.Now()) + seed.Proto = takeFirst(seed.Proto, "http") + seed.Method = takeFirst(seed.Method, "GET") + seed.Detail = takeFirst(seed.Detail, "https://example.com") + return seed } func Template(t testing.TB, db database.Store, seed database.Template) database.Template { @@ -1969,8 +2002,9 @@ func AIBridgeInterception(t testing.TB, db database.Store, seed database.InsertA }) if endedAt != nil { interception, err = db.UpdateAIBridgeInterceptionEnded(genCtx, database.UpdateAIBridgeInterceptionEndedParams{ - ID: interception.ID, - EndedAt: *endedAt, + ID: interception.ID, + EndedAt: *endedAt, + CredentialHint: takeFirst(seed.CredentialHint, ""), }) require.NoError(t, err, "insert aibridge interception") } diff --git a/coderd/database/dbmetrics/querymetrics.go b/coderd/database/dbmetrics/querymetrics.go index fd4537ccec..e7120ec588 100644 --- a/coderd/database/dbmetrics/querymetrics.go +++ b/coderd/database/dbmetrics/querymetrics.go @@ -793,6 +793,14 @@ func (m queryMetricsStore) DeleteTask(ctx context.Context, arg database.DeleteTa return r0, r1 } +func (m queryMetricsStore) DeleteUserAIBudgetOverride(ctx context.Context, userID uuid.UUID) (database.UserAiBudgetOverride, error) { + start := time.Now() + r0, r1 := m.s.DeleteUserAIBudgetOverride(ctx, userID) + m.queryLatencies.WithLabelValues("DeleteUserAIBudgetOverride").Observe(time.Since(start).Seconds()) + m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "DeleteUserAIBudgetOverride").Inc() + return r0, r1 +} + func (m queryMetricsStore) DeleteUserAIProviderKey(ctx context.Context, arg database.DeleteUserAIProviderKeyParams) error { start := time.Now() r0 := m.s.DeleteUserAIProviderKey(ctx, arg) @@ -2905,6 +2913,14 @@ func (m queryMetricsStore) GetUnexpiredLicenses(ctx context.Context) ([]database return r0, r1 } +func (m queryMetricsStore) GetUserAIBudgetOverride(ctx context.Context, userID uuid.UUID) (database.UserAiBudgetOverride, error) { + start := time.Now() + r0, r1 := m.s.GetUserAIBudgetOverride(ctx, userID) + m.queryLatencies.WithLabelValues("GetUserAIBudgetOverride").Observe(time.Since(start).Seconds()) + m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "GetUserAIBudgetOverride").Inc() + return r0, r1 +} + func (m queryMetricsStore) GetUserAIProviderKeyByProviderID(ctx context.Context, arg database.GetUserAIProviderKeyByProviderIDParams) (database.UserAiProviderKey, error) { start := time.Now() r0, r1 := m.s.GetUserAIProviderKeyByProviderID(ctx, arg) @@ -3745,11 +3761,11 @@ func (m queryMetricsStore) InsertAuditLog(ctx context.Context, arg database.Inse return r0, r1 } -func (m queryMetricsStore) InsertBoundaryLog(ctx context.Context, arg database.InsertBoundaryLogParams) (database.BoundaryLog, error) { +func (m queryMetricsStore) InsertBoundaryLogs(ctx context.Context, arg database.InsertBoundaryLogsParams) ([]database.BoundaryLog, error) { start := time.Now() - r0, r1 := m.s.InsertBoundaryLog(ctx, arg) - m.queryLatencies.WithLabelValues("InsertBoundaryLog").Observe(time.Since(start).Seconds()) - m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "InsertBoundaryLog").Inc() + r0, r1 := m.s.InsertBoundaryLogs(ctx, arg) + m.queryLatencies.WithLabelValues("InsertBoundaryLogs").Observe(time.Since(start).Seconds()) + m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "InsertBoundaryLogs").Inc() return r0, r1 } @@ -6049,6 +6065,14 @@ func (m queryMetricsStore) UpsertTemplateUsageStats(ctx context.Context) error { return r0 } +func (m queryMetricsStore) UpsertUserAIBudgetOverride(ctx context.Context, arg database.UpsertUserAIBudgetOverrideParams) (database.UserAiBudgetOverride, error) { + start := time.Now() + r0, r1 := m.s.UpsertUserAIBudgetOverride(ctx, arg) + m.queryLatencies.WithLabelValues("UpsertUserAIBudgetOverride").Observe(time.Since(start).Seconds()) + m.queryCounts.WithLabelValues(httpmw.ExtractHTTPRoute(ctx), httpmw.ExtractHTTPMethod(ctx), "UpsertUserAIBudgetOverride").Inc() + return r0, r1 +} + func (m queryMetricsStore) UpsertUserAIProviderKey(ctx context.Context, arg database.UpsertUserAIProviderKeyParams) (database.UserAiProviderKey, error) { start := time.Now() r0, r1 := m.s.UpsertUserAIProviderKey(ctx, arg) diff --git a/coderd/database/dbmock/dbmock.go b/coderd/database/dbmock/dbmock.go index 36f8429e8f..0f6799e638 100644 --- a/coderd/database/dbmock/dbmock.go +++ b/coderd/database/dbmock/dbmock.go @@ -1349,6 +1349,21 @@ func (mr *MockStoreMockRecorder) DeleteTask(ctx, arg any) *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteTask", reflect.TypeOf((*MockStore)(nil).DeleteTask), ctx, arg) } +// DeleteUserAIBudgetOverride mocks base method. +func (m *MockStore) DeleteUserAIBudgetOverride(ctx context.Context, userID uuid.UUID) (database.UserAiBudgetOverride, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DeleteUserAIBudgetOverride", ctx, userID) + ret0, _ := ret[0].(database.UserAiBudgetOverride) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DeleteUserAIBudgetOverride indicates an expected call of DeleteUserAIBudgetOverride. +func (mr *MockStoreMockRecorder) DeleteUserAIBudgetOverride(ctx, userID any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteUserAIBudgetOverride", reflect.TypeOf((*MockStore)(nil).DeleteUserAIBudgetOverride), ctx, userID) +} + // DeleteUserAIProviderKey mocks base method. func (m *MockStore) DeleteUserAIProviderKey(ctx context.Context, arg database.DeleteUserAIProviderKeyParams) error { m.ctrl.T.Helper() @@ -5445,6 +5460,21 @@ func (mr *MockStoreMockRecorder) GetUnexpiredLicenses(ctx any) *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUnexpiredLicenses", reflect.TypeOf((*MockStore)(nil).GetUnexpiredLicenses), ctx) } +// GetUserAIBudgetOverride mocks base method. +func (m *MockStore) GetUserAIBudgetOverride(ctx context.Context, userID uuid.UUID) (database.UserAiBudgetOverride, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetUserAIBudgetOverride", ctx, userID) + ret0, _ := ret[0].(database.UserAiBudgetOverride) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// GetUserAIBudgetOverride indicates an expected call of GetUserAIBudgetOverride. +func (mr *MockStoreMockRecorder) GetUserAIBudgetOverride(ctx, userID any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserAIBudgetOverride", reflect.TypeOf((*MockStore)(nil).GetUserAIBudgetOverride), ctx, userID) +} + // GetUserAIProviderKeyByProviderID mocks base method. func (m *MockStore) GetUserAIProviderKeyByProviderID(ctx context.Context, arg database.GetUserAIProviderKeyByProviderIDParams) (database.UserAiProviderKey, error) { m.ctrl.T.Helper() @@ -7034,19 +7064,19 @@ func (mr *MockStoreMockRecorder) InsertAuditLog(ctx, arg any) *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InsertAuditLog", reflect.TypeOf((*MockStore)(nil).InsertAuditLog), ctx, arg) } -// InsertBoundaryLog mocks base method. -func (m *MockStore) InsertBoundaryLog(ctx context.Context, arg database.InsertBoundaryLogParams) (database.BoundaryLog, error) { +// InsertBoundaryLogs mocks base method. +func (m *MockStore) InsertBoundaryLogs(ctx context.Context, arg database.InsertBoundaryLogsParams) ([]database.BoundaryLog, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "InsertBoundaryLog", ctx, arg) - ret0, _ := ret[0].(database.BoundaryLog) + ret := m.ctrl.Call(m, "InsertBoundaryLogs", ctx, arg) + ret0, _ := ret[0].([]database.BoundaryLog) ret1, _ := ret[1].(error) return ret0, ret1 } -// InsertBoundaryLog indicates an expected call of InsertBoundaryLog. -func (mr *MockStoreMockRecorder) InsertBoundaryLog(ctx, arg any) *gomock.Call { +// InsertBoundaryLogs indicates an expected call of InsertBoundaryLogs. +func (mr *MockStoreMockRecorder) InsertBoundaryLogs(ctx, arg any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InsertBoundaryLog", reflect.TypeOf((*MockStore)(nil).InsertBoundaryLog), ctx, arg) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InsertBoundaryLogs", reflect.TypeOf((*MockStore)(nil).InsertBoundaryLogs), ctx, arg) } // InsertBoundarySession mocks base method. @@ -11344,6 +11374,21 @@ func (mr *MockStoreMockRecorder) UpsertTemplateUsageStats(ctx any) *gomock.Call return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpsertTemplateUsageStats", reflect.TypeOf((*MockStore)(nil).UpsertTemplateUsageStats), ctx) } +// UpsertUserAIBudgetOverride mocks base method. +func (m *MockStore) UpsertUserAIBudgetOverride(ctx context.Context, arg database.UpsertUserAIBudgetOverrideParams) (database.UserAiBudgetOverride, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "UpsertUserAIBudgetOverride", ctx, arg) + ret0, _ := ret[0].(database.UserAiBudgetOverride) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// UpsertUserAIBudgetOverride indicates an expected call of UpsertUserAIBudgetOverride. +func (mr *MockStoreMockRecorder) UpsertUserAIBudgetOverride(ctx, arg any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpsertUserAIBudgetOverride", reflect.TypeOf((*MockStore)(nil).UpsertUserAIBudgetOverride), ctx, arg) +} + // UpsertUserAIProviderKey mocks base method. func (m *MockStore) UpsertUserAIProviderKey(ctx context.Context, arg database.UpsertUserAIProviderKeyParams) (database.UserAiProviderKey, error) { m.ctrl.T.Helper() diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql index 9c2df36cab..0bc0874e51 100644 --- a/coderd/database/dump.sql +++ b/coderd/database/dump.sql @@ -249,7 +249,15 @@ CREATE TYPE api_key_scope AS ENUM ( 'user_skill:read', 'user_skill:update', 'user_skill:delete', - 'user_skill:*' + 'user_skill:*', + 'boundary_log:*', + 'boundary_log:create', + 'boundary_log:delete', + 'boundary_log:read', + 'ai_gateway_key:*', + 'ai_gateway_key:create', + 'ai_gateway_key:delete', + 'ai_gateway_key:read' ); CREATE TYPE app_sharing_level AS ENUM ( @@ -560,7 +568,8 @@ CREATE TYPE resource_type AS ENUM ( 'ai_provider', 'ai_provider_key', 'group_ai_budget', - 'user_skill' + 'user_skill', + 'ai_gateway_key' ); CREATE TYPE shareable_workspace_owners AS ENUM ( @@ -837,6 +846,42 @@ BEGIN END; $$; +CREATE FUNCTION delete_user_ai_budget_overrides_on_group_member_delete() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + DELETE FROM user_ai_budget_overrides + WHERE user_id = OLD.user_id AND group_id = OLD.group_id; + RETURN OLD; +END; +$$; + +CREATE FUNCTION delete_user_ai_budget_overrides_on_org_member_delete() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + DELETE FROM user_ai_budget_overrides + WHERE user_id = OLD.user_id AND group_id = OLD.organization_id; + RETURN OLD; +END; +$$; + +CREATE FUNCTION enforce_user_ai_budget_override_membership() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + IF NOT EXISTS ( + SELECT 1 FROM group_members_expanded + WHERE user_id = NEW.user_id AND group_id = NEW.group_id + ) THEN + RAISE EXCEPTION 'user % is not a member of group %', NEW.user_id, NEW.group_id + USING ERRCODE = 'check_violation', + CONSTRAINT = 'user_ai_budget_overrides_must_be_group_member'; + END IF; + RETURN NEW; +END; +$$; + CREATE FUNCTION enforce_user_secrets_per_user_limits() RETURNS trigger LANGUAGE plpgsql AS $$ @@ -1216,6 +1261,17 @@ BEGIN END; $$; +CREATE FUNCTION remove_mcp_server_config_id_from_chats() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + UPDATE chats + SET mcp_server_ids = array_remove(mcp_server_ids, OLD.id) + WHERE OLD.id = ANY(mcp_server_ids); + RETURN OLD; +END; +$$; + CREATE FUNCTION remove_organization_member_role() RETURNS trigger LANGUAGE plpgsql AS $$ @@ -1236,6 +1292,22 @@ BEGIN END; $$; +CREATE TABLE ai_gateway_keys ( + id uuid NOT NULL, + created_at timestamp with time zone NOT NULL, + name text NOT NULL, + secret_prefix character varying(11) NOT NULL, + hashed_secret bytea NOT NULL, + last_used_at timestamp with time zone, + CONSTRAINT ai_gateway_keys_hashed_secret_check CHECK ((length(hashed_secret) > 0)), + CONSTRAINT ai_gateway_keys_name_check CHECK (((length(name) <= 64) AND (name ~ '^[a-z0-9]+(-[a-z0-9]+)*$'::text))), + CONSTRAINT ai_gateway_keys_secret_prefix_check CHECK ((length((secret_prefix)::text) = 11)) +); + +COMMENT ON TABLE ai_gateway_keys IS 'Hashed bearer secrets used by AI Gateway standalone replicas to authenticate into coderd.'; + +COMMENT ON COLUMN ai_gateway_keys.secret_prefix IS 'Public token prefix for display and audit correlation. Auth uses hashed_secret.'; + CREATE TABLE ai_model_prices ( provider text NOT NULL, model text NOT NULL, @@ -1474,7 +1546,8 @@ CREATE TABLE boundary_sessions ( workspace_agent_id uuid NOT NULL, confined_process_name text NOT NULL, started_at timestamp with time zone NOT NULL, - updated_at timestamp with time zone NOT NULL + updated_at timestamp with time zone NOT NULL, + owner_id uuid ); COMMENT ON TABLE boundary_sessions IS 'Boundary session metadata. Each row represents a single invocation of a Boundary process wrapping a confined agent.'; @@ -1489,6 +1562,8 @@ COMMENT ON COLUMN boundary_sessions.started_at IS 'Time when the first log for t COMMENT ON COLUMN boundary_sessions.updated_at IS 'Time when the session was last updated.'; +COMMENT ON COLUMN boundary_sessions.owner_id IS 'The ID of the user who owns the workspace. NULL if the user has been deleted.'; + CREATE TABLE boundary_usage_stats ( replica_id uuid NOT NULL, unique_workspaces_count bigint DEFAULT 0 NOT NULL, @@ -3119,6 +3194,17 @@ COMMENT ON TABLE usage_events_daily IS 'usage_events_daily is a daily rollup of COMMENT ON COLUMN usage_events_daily.day IS 'The date of the summed usage events, always in UTC.'; +CREATE TABLE user_ai_budget_overrides ( + user_id uuid NOT NULL, + group_id uuid NOT NULL, + spend_limit_micros bigint NOT NULL, + created_at timestamp with time zone DEFAULT now() NOT NULL, + updated_at timestamp with time zone DEFAULT now() NOT NULL, + CONSTRAINT user_ai_budget_overrides_spend_limit_micros_check CHECK ((spend_limit_micros >= 0)) +); + +COMMENT ON TABLE user_ai_budget_overrides IS 'Per-user AI spend override that supersedes group budget resolution.'; + CREATE TABLE user_ai_provider_keys ( id uuid DEFAULT gen_random_uuid() NOT NULL, user_id uuid NOT NULL, @@ -3698,6 +3784,9 @@ ALTER TABLE ONLY workspace_resource_metadata ALTER COLUMN id SET DEFAULT nextval ALTER TABLE ONLY workspace_agent_stats ADD CONSTRAINT agent_stats_pkey PRIMARY KEY (id); +ALTER TABLE ONLY ai_gateway_keys + ADD CONSTRAINT ai_gateway_keys_pkey PRIMARY KEY (id); + ALTER TABLE ONLY ai_model_prices ADD CONSTRAINT ai_model_prices_pkey PRIMARY KEY (provider, model); @@ -3968,6 +4057,9 @@ ALTER TABLE ONLY usage_events_daily ALTER TABLE ONLY usage_events ADD CONSTRAINT usage_events_pkey PRIMARY KEY (id); +ALTER TABLE ONLY user_ai_budget_overrides + ADD CONSTRAINT user_ai_budget_overrides_pkey PRIMARY KEY (user_id); + ALTER TABLE ONLY user_ai_provider_keys ADD CONSTRAINT user_ai_provider_keys_pkey PRIMARY KEY (id); @@ -4079,6 +4171,12 @@ ALTER TABLE ONLY workspace_resources ALTER TABLE ONLY workspaces ADD CONSTRAINT workspaces_pkey PRIMARY KEY (id); +CREATE UNIQUE INDEX ai_gateway_keys_hashed_secret_idx ON ai_gateway_keys USING btree (hashed_secret); + +CREATE UNIQUE INDEX ai_gateway_keys_name_idx ON ai_gateway_keys USING btree (lower(name)); + +CREATE UNIQUE INDEX ai_gateway_keys_secret_prefix_idx ON ai_gateway_keys USING btree (secret_prefix); + CREATE UNIQUE INDEX ai_providers_name_unique ON ai_providers USING btree (name) WHERE (deleted = false); CREATE INDEX api_keys_last_used_idx ON api_keys USING btree (last_used DESC); @@ -4435,6 +4533,10 @@ CREATE TRIGGER inhibit_enqueue_if_disabled BEFORE INSERT ON notification_message CREATE TRIGGER protect_deleting_organizations BEFORE UPDATE ON organizations FOR EACH ROW WHEN (((new.deleted = true) AND (old.deleted = false))) EXECUTE FUNCTION protect_deleting_organizations(); +CREATE TRIGGER remove_chat_mcp_server_config_id BEFORE DELETE ON mcp_server_configs FOR EACH ROW EXECUTE FUNCTION remove_mcp_server_config_id_from_chats(); + +COMMENT ON TRIGGER remove_chat_mcp_server_config_id ON mcp_server_configs IS 'When an MCP server config is deleted, this trigger removes its ID from all chats.'; + CREATE TRIGGER remove_organization_member_custom_role BEFORE DELETE ON custom_roles FOR EACH ROW EXECUTE FUNCTION remove_organization_member_role(); COMMENT ON TRIGGER remove_organization_member_custom_role ON custom_roles IS 'When a custom_role is deleted, this trigger removes the role from all organization members.'; @@ -4445,6 +4547,12 @@ CREATE TRIGGER trigger_delete_group_members_on_org_member_delete BEFORE DELETE O CREATE TRIGGER trigger_delete_oauth2_provider_app_token AFTER DELETE ON oauth2_provider_app_tokens FOR EACH ROW EXECUTE FUNCTION delete_deleted_oauth2_provider_app_token_api_key(); +CREATE TRIGGER trigger_delete_user_ai_budget_overrides_on_group_member_delete BEFORE DELETE ON group_members FOR EACH ROW EXECUTE FUNCTION delete_user_ai_budget_overrides_on_group_member_delete(); + +CREATE TRIGGER trigger_delete_user_ai_budget_overrides_on_org_member_delete BEFORE DELETE ON organization_members FOR EACH ROW EXECUTE FUNCTION delete_user_ai_budget_overrides_on_org_member_delete(); + +CREATE TRIGGER trigger_enforce_user_ai_budget_override_membership BEFORE INSERT OR UPDATE ON user_ai_budget_overrides FOR EACH ROW EXECUTE FUNCTION enforce_user_ai_budget_override_membership(); + CREATE TRIGGER trigger_insert_apikeys BEFORE INSERT ON api_keys FOR EACH ROW EXECUTE FUNCTION insert_apikey_fail_if_user_deleted(); CREATE TRIGGER trigger_insert_organization_system_roles AFTER INSERT ON organizations FOR EACH ROW EXECUTE FUNCTION insert_organization_system_roles(); @@ -4494,6 +4602,9 @@ ALTER TABLE ONLY api_keys ALTER TABLE ONLY boundary_logs ADD CONSTRAINT boundary_logs_session_id_fkey FOREIGN KEY (session_id) REFERENCES boundary_sessions(id) ON DELETE CASCADE; +ALTER TABLE ONLY boundary_sessions + ADD CONSTRAINT boundary_sessions_owner_id_fkey FOREIGN KEY (owner_id) REFERENCES users(id) ON DELETE SET NULL; + ALTER TABLE ONLY boundary_sessions ADD CONSTRAINT boundary_sessions_workspace_agent_id_fkey FOREIGN KEY (workspace_agent_id) REFERENCES workspace_agents(id); @@ -4767,6 +4878,12 @@ ALTER TABLE ONLY templates ALTER TABLE ONLY templates ADD CONSTRAINT templates_organization_id_fkey FOREIGN KEY (organization_id) REFERENCES organizations(id) ON DELETE CASCADE; +ALTER TABLE ONLY user_ai_budget_overrides + ADD CONSTRAINT user_ai_budget_overrides_group_id_fkey FOREIGN KEY (group_id) REFERENCES groups(id) ON DELETE CASCADE; + +ALTER TABLE ONLY user_ai_budget_overrides + ADD CONSTRAINT user_ai_budget_overrides_user_id_fkey FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE; + ALTER TABLE ONLY user_ai_provider_keys ADD CONSTRAINT user_ai_provider_keys_ai_provider_id_fkey FOREIGN KEY (ai_provider_id) REFERENCES ai_providers(id) ON DELETE CASCADE; diff --git a/coderd/database/foreign_key_constraint.go b/coderd/database/foreign_key_constraint.go index 624f3229b6..5eeb24587a 100644 --- a/coderd/database/foreign_key_constraint.go +++ b/coderd/database/foreign_key_constraint.go @@ -13,6 +13,7 @@ const ( ForeignKeyAibridgeInterceptionsInitiatorID ForeignKeyConstraint = "aibridge_interceptions_initiator_id_fkey" // ALTER TABLE ONLY aibridge_interceptions ADD CONSTRAINT aibridge_interceptions_initiator_id_fkey FOREIGN KEY (initiator_id) REFERENCES users(id); ForeignKeyAPIKeysUserIDUUID ForeignKeyConstraint = "api_keys_user_id_uuid_fkey" // ALTER TABLE ONLY api_keys ADD CONSTRAINT api_keys_user_id_uuid_fkey FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE; ForeignKeyBoundaryLogsSessionID ForeignKeyConstraint = "boundary_logs_session_id_fkey" // ALTER TABLE ONLY boundary_logs ADD CONSTRAINT boundary_logs_session_id_fkey FOREIGN KEY (session_id) REFERENCES boundary_sessions(id) ON DELETE CASCADE; + ForeignKeyBoundarySessionsOwnerID ForeignKeyConstraint = "boundary_sessions_owner_id_fkey" // ALTER TABLE ONLY boundary_sessions ADD CONSTRAINT boundary_sessions_owner_id_fkey FOREIGN KEY (owner_id) REFERENCES users(id) ON DELETE SET NULL; ForeignKeyBoundarySessionsWorkspaceAgentID ForeignKeyConstraint = "boundary_sessions_workspace_agent_id_fkey" // ALTER TABLE ONLY boundary_sessions ADD CONSTRAINT boundary_sessions_workspace_agent_id_fkey FOREIGN KEY (workspace_agent_id) REFERENCES workspace_agents(id); ForeignKeyChatDebugRunsChatID ForeignKeyConstraint = "chat_debug_runs_chat_id_fkey" // ALTER TABLE ONLY chat_debug_runs ADD CONSTRAINT chat_debug_runs_chat_id_fkey FOREIGN KEY (chat_id) REFERENCES chats(id) ON DELETE CASCADE; ForeignKeyChatDebugStepsChatID ForeignKeyConstraint = "chat_debug_steps_chat_id_fkey" // ALTER TABLE ONLY chat_debug_steps ADD CONSTRAINT chat_debug_steps_chat_id_fkey FOREIGN KEY (chat_id) REFERENCES chats(id) ON DELETE CASCADE; @@ -104,6 +105,8 @@ const ( ForeignKeyTemplateVersionsTemplateID ForeignKeyConstraint = "template_versions_template_id_fkey" // ALTER TABLE ONLY template_versions ADD CONSTRAINT template_versions_template_id_fkey FOREIGN KEY (template_id) REFERENCES templates(id) ON DELETE CASCADE; ForeignKeyTemplatesCreatedBy ForeignKeyConstraint = "templates_created_by_fkey" // ALTER TABLE ONLY templates ADD CONSTRAINT templates_created_by_fkey FOREIGN KEY (created_by) REFERENCES users(id) ON DELETE RESTRICT; ForeignKeyTemplatesOrganizationID ForeignKeyConstraint = "templates_organization_id_fkey" // ALTER TABLE ONLY templates ADD CONSTRAINT templates_organization_id_fkey FOREIGN KEY (organization_id) REFERENCES organizations(id) ON DELETE CASCADE; + ForeignKeyUserAiBudgetOverridesGroupID ForeignKeyConstraint = "user_ai_budget_overrides_group_id_fkey" // ALTER TABLE ONLY user_ai_budget_overrides ADD CONSTRAINT user_ai_budget_overrides_group_id_fkey FOREIGN KEY (group_id) REFERENCES groups(id) ON DELETE CASCADE; + ForeignKeyUserAiBudgetOverridesUserID ForeignKeyConstraint = "user_ai_budget_overrides_user_id_fkey" // ALTER TABLE ONLY user_ai_budget_overrides ADD CONSTRAINT user_ai_budget_overrides_user_id_fkey FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE; ForeignKeyUserAiProviderKeysAiProviderID ForeignKeyConstraint = "user_ai_provider_keys_ai_provider_id_fkey" // ALTER TABLE ONLY user_ai_provider_keys ADD CONSTRAINT user_ai_provider_keys_ai_provider_id_fkey FOREIGN KEY (ai_provider_id) REFERENCES ai_providers(id) ON DELETE CASCADE; ForeignKeyUserAiProviderKeysAPIKeyKeyID ForeignKeyConstraint = "user_ai_provider_keys_api_key_key_id_fkey" // ALTER TABLE ONLY user_ai_provider_keys ADD CONSTRAINT user_ai_provider_keys_api_key_key_id_fkey FOREIGN KEY (api_key_key_id) REFERENCES dbcrypt_keys(active_key_digest); ForeignKeyUserAiProviderKeysUserID ForeignKeyConstraint = "user_ai_provider_keys_user_id_fkey" // ALTER TABLE ONLY user_ai_provider_keys ADD CONSTRAINT user_ai_provider_keys_user_id_fkey FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE; diff --git a/coderd/database/migrations/000499_ai_provider_type_chatd_values.down.sql b/coderd/database/migrations/000499_ai_provider_type_chatd_values.down.sql index a8b89359aa..ab84bd795f 100644 --- a/coderd/database/migrations/000499_ai_provider_type_chatd_values.down.sql +++ b/coderd/database/migrations/000499_ai_provider_type_chatd_values.down.sql @@ -1,3 +1,4 @@ --- No-op: Postgres does not allow removing enum values safely. --- Matches the precedent in 000495_ai_providers.down.sql for ALTER --- TYPE resource_type / api_key_scope ADD VALUE. +-- No-op: the up recreates ai_provider_type with a wider value set, but the +-- down does not narrow it back. Narrowing would drop rows that already use the +-- new values, and 000495_ai_providers.down.sql drops the type wholesale when +-- migrating all the way down. diff --git a/coderd/database/migrations/000499_ai_provider_type_chatd_values.up.sql b/coderd/database/migrations/000499_ai_provider_type_chatd_values.up.sql index 104514d32c..30df7758dd 100644 --- a/coderd/database/migrations/000499_ai_provider_type_chatd_values.up.sql +++ b/coderd/database/migrations/000499_ai_provider_type_chatd_values.up.sql @@ -7,9 +7,27 @@ -- OpenAI-compatible endpoints. Native gateway-side support for these -- providers comes later, at which point this enum already carries the -- right discriminator and no further migration is needed. -ALTER TYPE ai_provider_type ADD VALUE IF NOT EXISTS 'azure'; -ALTER TYPE ai_provider_type ADD VALUE IF NOT EXISTS 'bedrock'; -ALTER TYPE ai_provider_type ADD VALUE IF NOT EXISTS 'google'; -ALTER TYPE ai_provider_type ADD VALUE IF NOT EXISTS 'openai-compat'; -ALTER TYPE ai_provider_type ADD VALUE IF NOT EXISTS 'openrouter'; -ALTER TYPE ai_provider_type ADD VALUE IF NOT EXISTS 'vercel'; +-- +-- Recreate the type rather than using ALTER TYPE ... ADD VALUE. Postgres +-- forbids using a value added by ADD VALUE within the same transaction, and +-- all migrations run in one transaction. 000504 casts existing chat_providers +-- rows to these new values in that same transaction, so ADD VALUE fails with +-- "unsafe use of new value". A freshly created enum's values are usable +-- immediately, so the cast in 000504 succeeds. +CREATE TYPE new_ai_provider_type AS ENUM ( + 'openai', + 'anthropic', + 'azure', + 'bedrock', + 'google', + 'openai-compat', + 'openrouter', + 'vercel' +); + +ALTER TABLE ai_providers + ALTER COLUMN type TYPE new_ai_provider_type USING (type::text::new_ai_provider_type); + +DROP TYPE ai_provider_type; + +ALTER TYPE new_ai_provider_type RENAME TO ai_provider_type; diff --git a/coderd/database/migrations/000510_cleanup_chats_mcp_server_ids_on_delete.down.sql b/coderd/database/migrations/000510_cleanup_chats_mcp_server_ids_on_delete.down.sql new file mode 100644 index 0000000000..15c10e19e6 --- /dev/null +++ b/coderd/database/migrations/000510_cleanup_chats_mcp_server_ids_on_delete.down.sql @@ -0,0 +1,2 @@ +DROP TRIGGER IF EXISTS remove_chat_mcp_server_config_id ON mcp_server_configs; +DROP FUNCTION IF EXISTS remove_mcp_server_config_id_from_chats; diff --git a/coderd/database/migrations/000510_cleanup_chats_mcp_server_ids_on_delete.up.sql b/coderd/database/migrations/000510_cleanup_chats_mcp_server_ids_on_delete.up.sql new file mode 100644 index 0000000000..5366328b3c --- /dev/null +++ b/coderd/database/migrations/000510_cleanup_chats_mcp_server_ids_on_delete.up.sql @@ -0,0 +1,41 @@ +-- Remove already-stale MCP server references before future deletes are +-- handled by the trigger below. +UPDATE chats +SET mcp_server_ids = ( + SELECT COALESCE(array_agg(ids.mcp_server_id ORDER BY ids.position), '{}'::uuid[]) + FROM unnest(chats.mcp_server_ids) WITH ORDINALITY AS ids(mcp_server_id, position) + WHERE EXISTS ( + SELECT 1 + FROM mcp_server_configs + WHERE mcp_server_configs.id = ids.mcp_server_id + ) +) +WHERE EXISTS ( + SELECT 1 + FROM unnest(chats.mcp_server_ids) AS ids(mcp_server_id) + WHERE NOT EXISTS ( + SELECT 1 + FROM mcp_server_configs + WHERE mcp_server_configs.id = ids.mcp_server_id + ) +); + +CREATE OR REPLACE FUNCTION remove_mcp_server_config_id_from_chats() + RETURNS TRIGGER AS +$$ +BEGIN + UPDATE chats + SET mcp_server_ids = array_remove(mcp_server_ids, OLD.id) + WHERE OLD.id = ANY(mcp_server_ids); + RETURN OLD; +END; +$$ LANGUAGE plpgsql; + +CREATE TRIGGER remove_chat_mcp_server_config_id + BEFORE DELETE ON mcp_server_configs FOR EACH ROW + EXECUTE PROCEDURE remove_mcp_server_config_id_from_chats(); + +COMMENT ON TRIGGER + remove_chat_mcp_server_config_id + ON mcp_server_configs IS + 'When an MCP server config is deleted, this trigger removes its ID from all chats.'; diff --git a/coderd/database/migrations/000511_boundary_log_scopes.down.sql b/coderd/database/migrations/000511_boundary_log_scopes.down.sql new file mode 100644 index 0000000000..5a1baaa20c --- /dev/null +++ b/coderd/database/migrations/000511_boundary_log_scopes.down.sql @@ -0,0 +1 @@ +-- No-op for boundary_log scopes: keep enum values to avoid dependency churn. diff --git a/coderd/database/migrations/000511_boundary_log_scopes.up.sql b/coderd/database/migrations/000511_boundary_log_scopes.up.sql new file mode 100644 index 0000000000..12ec141591 --- /dev/null +++ b/coderd/database/migrations/000511_boundary_log_scopes.up.sql @@ -0,0 +1,5 @@ +-- Add boundary_log scopes for RBAC. +ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'boundary_log:*'; +ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'boundary_log:create'; +ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'boundary_log:delete'; +ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'boundary_log:read'; diff --git a/coderd/database/migrations/000512_boundary_session_owner.down.sql b/coderd/database/migrations/000512_boundary_session_owner.down.sql new file mode 100644 index 0000000000..3429fee351 --- /dev/null +++ b/coderd/database/migrations/000512_boundary_session_owner.down.sql @@ -0,0 +1,2 @@ +ALTER TABLE boundary_sessions DROP CONSTRAINT IF EXISTS boundary_sessions_owner_id_fkey; +ALTER TABLE boundary_sessions DROP COLUMN IF EXISTS owner_id; diff --git a/coderd/database/migrations/000512_boundary_session_owner.up.sql b/coderd/database/migrations/000512_boundary_session_owner.up.sql new file mode 100644 index 0000000000..d97140df57 --- /dev/null +++ b/coderd/database/migrations/000512_boundary_session_owner.up.sql @@ -0,0 +1,28 @@ +-- Add owner_id to boundary_sessions to avoid expensive JOINs when +-- deriving the workspace owner for RBAC checks during log insertion. +ALTER TABLE boundary_sessions ADD COLUMN owner_id uuid; + +COMMENT ON COLUMN boundary_sessions.owner_id IS 'The ID of the user who owns the workspace. NULL if the user has been deleted.'; + +-- Backfill owner_id from the workspace agent -> workspace -> owner chain. +-- Soft-deleted agents and workspaces are included so that their audit +-- data is preserved. +UPDATE boundary_sessions bs +SET owner_id = w.owner_id +FROM workspace_agents wa +JOIN workspace_resources wr ON wa.resource_id = wr.id +JOIN provisioner_jobs pj ON wr.job_id = pj.id +JOIN workspace_builds wb ON pj.id = wb.job_id +JOIN workspaces w ON wb.workspace_id = w.id +WHERE wa.id = bs.workspace_agent_id + AND pj.type = 'workspace_build'; + +-- Delete any sessions that could not be backfilled (orphaned data +-- with no resolvable workspace agent or workspace build chain). +DELETE FROM boundary_sessions WHERE owner_id IS NULL; + +-- Add FK constraint. SET NULL preserves audit data when a user is +-- hard-deleted; the session and its logs survive with a NULL owner. +ALTER TABLE boundary_sessions + ADD CONSTRAINT boundary_sessions_owner_id_fkey + FOREIGN KEY (owner_id) REFERENCES users(id) ON DELETE SET NULL; diff --git a/coderd/database/migrations/000513_user_ai_budget_overrides.down.sql b/coderd/database/migrations/000513_user_ai_budget_overrides.down.sql new file mode 100644 index 0000000000..1a1a8e2160 --- /dev/null +++ b/coderd/database/migrations/000513_user_ai_budget_overrides.down.sql @@ -0,0 +1,7 @@ +DROP TRIGGER IF EXISTS trigger_delete_user_ai_budget_overrides_on_org_member_delete ON organization_members; +DROP FUNCTION IF EXISTS delete_user_ai_budget_overrides_on_org_member_delete; +DROP TRIGGER IF EXISTS trigger_delete_user_ai_budget_overrides_on_group_member_delete ON group_members; +DROP FUNCTION IF EXISTS delete_user_ai_budget_overrides_on_group_member_delete; +DROP TRIGGER IF EXISTS trigger_enforce_user_ai_budget_override_membership ON user_ai_budget_overrides; +DROP FUNCTION IF EXISTS enforce_user_ai_budget_override_membership; +DROP TABLE IF EXISTS user_ai_budget_overrides CASCADE; diff --git a/coderd/database/migrations/000513_user_ai_budget_overrides.up.sql b/coderd/database/migrations/000513_user_ai_budget_overrides.up.sql new file mode 100644 index 0000000000..b1ab1cd9d2 --- /dev/null +++ b/coderd/database/migrations/000513_user_ai_budget_overrides.up.sql @@ -0,0 +1,76 @@ +CREATE TABLE user_ai_budget_overrides ( + user_id UUID PRIMARY KEY REFERENCES users(id) ON DELETE CASCADE, + group_id UUID NOT NULL REFERENCES groups(id) ON DELETE CASCADE, + -- Spend limit applied to the user, in micro-units (1 unit = 1,000,000). + spend_limit_micros BIGINT NOT NULL CHECK (spend_limit_micros >= 0), + created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW() + -- The membership invariant (user must be a member of the attributed + -- group, including when that group is "Everyone") would naturally be + -- a composite FK to group_members_expanded, but PostgreSQL does not + -- allow FKs to views. It's enforced instead by a write-time trigger + -- on this table and removal-time triggers on the underlying + -- membership tables. +); + +COMMENT ON TABLE user_ai_budget_overrides IS 'Per-user AI spend override that supersedes group budget resolution.'; + +-- Write-time membership check. Reads from group_members_expanded so +-- the "Everyone" group (whose membership lives in organization_members) +-- is correctly handled. Raises check_violation with a constraint name +-- so callers can match it via database.IsCheckViolation in Go. +CREATE FUNCTION enforce_user_ai_budget_override_membership() RETURNS TRIGGER + LANGUAGE plpgsql +AS $$ +BEGIN + IF NOT EXISTS ( + SELECT 1 FROM group_members_expanded + WHERE user_id = NEW.user_id AND group_id = NEW.group_id + ) THEN + RAISE EXCEPTION 'user % is not a member of group %', NEW.user_id, NEW.group_id + USING ERRCODE = 'check_violation', + CONSTRAINT = 'user_ai_budget_overrides_must_be_group_member'; + END IF; + RETURN NEW; +END; +$$; + +CREATE TRIGGER trigger_enforce_user_ai_budget_override_membership + BEFORE INSERT OR UPDATE ON user_ai_budget_overrides + FOR EACH ROW +EXECUTE PROCEDURE enforce_user_ai_budget_override_membership(); + +-- When a user is removed from a regular group (any group except +-- "Everyone"), delete any override attributed to that group. +CREATE FUNCTION delete_user_ai_budget_overrides_on_group_member_delete() RETURNS TRIGGER + LANGUAGE plpgsql +AS $$ +BEGIN + DELETE FROM user_ai_budget_overrides + WHERE user_id = OLD.user_id AND group_id = OLD.group_id; + RETURN OLD; +END; +$$; + +CREATE TRIGGER trigger_delete_user_ai_budget_overrides_on_group_member_delete + BEFORE DELETE ON group_members + FOR EACH ROW +EXECUTE PROCEDURE delete_user_ai_budget_overrides_on_group_member_delete(); + +-- When a user is removed from an organization, delete any override +-- attributed to that organization's "Everyone" group (which has +-- id == organization_id). +CREATE FUNCTION delete_user_ai_budget_overrides_on_org_member_delete() RETURNS TRIGGER + LANGUAGE plpgsql +AS $$ +BEGIN + DELETE FROM user_ai_budget_overrides + WHERE user_id = OLD.user_id AND group_id = OLD.organization_id; + RETURN OLD; +END; +$$; + +CREATE TRIGGER trigger_delete_user_ai_budget_overrides_on_org_member_delete + BEFORE DELETE ON organization_members + FOR EACH ROW +EXECUTE PROCEDURE delete_user_ai_budget_overrides_on_org_member_delete(); diff --git a/coderd/database/migrations/000514_ai_gateway_keys.down.sql b/coderd/database/migrations/000514_ai_gateway_keys.down.sql new file mode 100644 index 0000000000..698983673f --- /dev/null +++ b/coderd/database/migrations/000514_ai_gateway_keys.down.sql @@ -0,0 +1,6 @@ +-- Enum additions to resource_type and api_key_scope are intentionally not +-- reverted because Postgres cannot drop enum values safely. +DROP INDEX IF EXISTS ai_gateway_keys_hashed_secret_idx; +DROP INDEX IF EXISTS ai_gateway_keys_secret_prefix_idx; +DROP INDEX IF EXISTS ai_gateway_keys_name_idx; +DROP TABLE IF EXISTS ai_gateway_keys; diff --git a/coderd/database/migrations/000514_ai_gateway_keys.up.sql b/coderd/database/migrations/000514_ai_gateway_keys.up.sql new file mode 100644 index 0000000000..537f437ce5 --- /dev/null +++ b/coderd/database/migrations/000514_ai_gateway_keys.up.sql @@ -0,0 +1,25 @@ +CREATE TABLE ai_gateway_keys ( + id uuid PRIMARY KEY, + created_at timestamptz NOT NULL, + name text NOT NULL, + secret_prefix varchar(11) NOT NULL, + hashed_secret bytea NOT NULL, + last_used_at timestamptz NULL, + CONSTRAINT ai_gateway_keys_name_check CHECK (length(name) <= 64 AND name ~ '^[a-z0-9]+(-[a-z0-9]+)*$'), + CONSTRAINT ai_gateway_keys_secret_prefix_check CHECK (length(secret_prefix) = 11), + CONSTRAINT ai_gateway_keys_hashed_secret_check CHECK (length(hashed_secret) > 0) +); + +COMMENT ON TABLE ai_gateway_keys IS 'Hashed bearer secrets used by AI Gateway standalone replicas to authenticate into coderd.'; +COMMENT ON COLUMN ai_gateway_keys.secret_prefix IS 'Public token prefix for display and audit correlation. Auth uses hashed_secret.'; + +CREATE UNIQUE INDEX ai_gateway_keys_name_idx ON ai_gateway_keys USING btree (lower(name)); +CREATE UNIQUE INDEX ai_gateway_keys_secret_prefix_idx ON ai_gateway_keys USING btree (secret_prefix); +CREATE UNIQUE INDEX ai_gateway_keys_hashed_secret_idx ON ai_gateway_keys USING btree (hashed_secret); + +ALTER TYPE resource_type ADD VALUE IF NOT EXISTS 'ai_gateway_key'; + +ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'ai_gateway_key:*'; +ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'ai_gateway_key:create'; +ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'ai_gateway_key:delete'; +ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'ai_gateway_key:read'; diff --git a/coderd/database/migrations/migrate_test.go b/coderd/database/migrations/migrate_test.go index 0b3e0c240c..f148860bc5 100644 --- a/coderd/database/migrations/migrate_test.go +++ b/coderd/database/migrations/migrate_test.go @@ -7,6 +7,7 @@ import ( "os" "path/filepath" "slices" + "strings" "sync" "testing" "time" @@ -1502,6 +1503,85 @@ func TestMigration000504AIProvidersBackfillOverridesNameConflict(t *testing.T) { require.True(t, fresh.Enabled) } +// TestMigration000504AIProvidersBackfillEnumInSingleTxn reproduces the +// production migration path, where every pending migration runs inside a +// single transaction (see pgTxnDriver). Migration 000499 widens +// ai_provider_type with ALTER TYPE ... ADD VALUE, and 000504 casts existing +// chat_providers rows to that enum. Postgres forbids using an enum value +// added by ADD VALUE within the same transaction, so when a legacy provider +// uses one of the new values (for example openai-compat) the batch fails with +// "unsafe use of new value". The per-step Stepper used by the other tests +// commits each migration separately and cannot surface this. +func TestMigration000504AIProvidersBackfillEnumInSingleTxn(t *testing.T) { + t.Parallel() + + sqlDB := testSQLDB(t) + ctx := testutil.Context(t, testutil.WaitSuperLong) + + // Apply everything through 498 and commit, so chat_providers exists and is + // populated before the batch under test runs, matching a deployment that + // ran an earlier migration batch before this one. + applyMigrationsInTxn(ctx, t, sqlDB, 1, 498) + + now := time.Now().UTC().Truncate(time.Microsecond) + providerID := uuid.New() + + // A legacy provider whose type is one of the values added in 000499. + _, err := sqlDB.ExecContext(ctx, ` + INSERT INTO chat_providers (id, provider, display_name, api_key, enabled, base_url, created_at, updated_at) + VALUES ($1, 'openai-compat', 'OpenAI Compatible', '', TRUE, 'https://api.example.com/v1', $2, $2) + `, providerID, now) + require.NoError(t, err) + + // Apply 000499 through 000504 in a single transaction, as production does. + applyMigrationsInTxn(ctx, t, sqlDB, 499, 504) + + var typ string + err = sqlDB.QueryRowContext(ctx, + `SELECT type FROM ai_providers WHERE id = $1`, providerID, + ).Scan(&typ) + require.NoError(t, err) + require.Equal(t, "openai-compat", typ) +} + +// applyMigrationsInTxn executes the up SQL for every migration whose version is +// in [from, to] inside a single transaction, mirroring pgTxnDriver. The whole +// batch commits or rolls back together. +func applyMigrationsInTxn(ctx context.Context, t *testing.T, sqlDB *sql.DB, from, to int) { + t.Helper() + + entries, err := os.ReadDir(".") + require.NoError(t, err) + + var files []string + for _, entry := range entries { + name := entry.Name() + if !strings.HasSuffix(name, ".up.sql") { + continue + } + var version int + if _, err := fmt.Sscanf(name, "%06d_", &version); err != nil { + continue + } + if version >= from && version <= to { + files = append(files, name) + } + } + slices.Sort(files) + + tx, err := sqlDB.BeginTx(ctx, nil) + require.NoError(t, err) + defer tx.Rollback() + + for _, name := range files { + query, err := os.ReadFile(name) + require.NoError(t, err) + _, err = tx.ExecContext(ctx, string(query)) + require.NoErrorf(t, err, "apply migration %s", name) + } + require.NoError(t, tx.Commit()) +} + func TestMigration000498SoftDeleteStaleWorkspaceAgents(t *testing.T) { t.Parallel() diff --git a/coderd/database/migrations/testdata/fixtures/000512_boundary_session_owner.up.sql b/coderd/database/migrations/testdata/fixtures/000512_boundary_session_owner.up.sql new file mode 100644 index 0000000000..d1942bd5a5 --- /dev/null +++ b/coderd/database/migrations/testdata/fixtures/000512_boundary_session_owner.up.sql @@ -0,0 +1,42 @@ +-- Re-insert boundary session and log fixture data after migration 000511 +-- deletes orphaned rows (the original fixture's workspace_agent links to a +-- template_version_import job, not a workspace_build, so the backfill +-- cannot resolve the owner). + +INSERT INTO boundary_sessions ( + id, + workspace_agent_id, + confined_process_name, + started_at, + updated_at, + owner_id +) VALUES ( + 'a1b2c3d4-e5f6-4890-abcd-ef1234567890', + '45e89705-e09d-4850-bcec-f9a937f5d78d', + 'claude-code', + '2026-04-01 10:00:00+00', + '2026-04-01 10:00:00+00', + '30095c71-380b-457a-8995-97b8ee6e5307' +); + +INSERT INTO boundary_logs ( + id, + session_id, + sequence_number, + captured_at, + created_at, + proto, + method, + detail, + matched_rule +) VALUES ( + 'b2c3d4e5-f6a7-4901-bcde-f12345678901', + 'a1b2c3d4-e5f6-4890-abcd-ef1234567890', + 0, + '2026-04-01 10:00:01+00', + '2026-04-01 10:00:00+00', + 'http', + 'GET', + 'https://api.anthropic.com/v1/messages', + 'domain=api.anthropic.com' +); diff --git a/coderd/database/migrations/testdata/fixtures/000513_user_ai_budget_overrides.up.sql b/coderd/database/migrations/testdata/fixtures/000513_user_ai_budget_overrides.up.sql new file mode 100644 index 0000000000..787b808b7d --- /dev/null +++ b/coderd/database/migrations/testdata/fixtures/000513_user_ai_budget_overrides.up.sql @@ -0,0 +1,15 @@ +-- Seed a group_members row so the override below references a real +-- membership. +INSERT INTO group_members ( + user_id, + group_id +) VALUES + ('30095c71-380b-457a-8995-97b8ee6e5307', 'bb640d07-ca8a-4869-b6bc-ae61ebb2fda1') +ON CONFLICT DO NOTHING; + +INSERT INTO user_ai_budget_overrides ( + user_id, + group_id, + spend_limit_micros +) VALUES + ('30095c71-380b-457a-8995-97b8ee6e5307', 'bb640d07-ca8a-4869-b6bc-ae61ebb2fda1', 500000000); diff --git a/coderd/database/migrations/testdata/fixtures/000514_ai_gateway_keys.up.sql b/coderd/database/migrations/testdata/fixtures/000514_ai_gateway_keys.up.sql new file mode 100644 index 0000000000..531946e06f --- /dev/null +++ b/coderd/database/migrations/testdata/fixtures/000514_ai_gateway_keys.up.sql @@ -0,0 +1,15 @@ +INSERT INTO ai_gateway_keys ( + id, + created_at, + name, + secret_prefix, + hashed_secret, + last_used_at +) VALUES ( + '8b6f0a82-9a3a-4d2e-8c0c-2c9c9b9b1a01', + '2026-05-21 00:00:00+00', + 'example-key', + 'cdr_1234567', + '\x00'::bytea, + NULL +); diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go index bab9759762..62eb12a1d2 100644 --- a/coderd/database/modelmethods.go +++ b/coderd/database/modelmethods.go @@ -1003,3 +1003,10 @@ type UpsertConnectionLogParams struct { func (r GetLatestWorkspaceBuildWithStatusByWorkspaceIDRow) RBACObject() rbac.Object { return r.WorkspaceTable.RBACObject() } + +func (s BoundarySession) RBACObject() rbac.Object { + if s.OwnerID.Valid { + return rbac.ResourceBoundaryLog.WithOwner(s.OwnerID.UUID.String()) + } + return rbac.ResourceBoundaryLog +} diff --git a/coderd/database/models.go b/coderd/database/models.go index 940904385a..b2d7fda98f 100644 --- a/coderd/database/models.go +++ b/coderd/database/models.go @@ -320,6 +320,14 @@ const ( ApiKeyScopeUserSkillUpdate APIKeyScope = "user_skill:update" ApiKeyScopeUserSkillDelete APIKeyScope = "user_skill:delete" ApiKeyScopeUserSkill APIKeyScope = "user_skill:*" + ApiKeyScopeBoundaryLog APIKeyScope = "boundary_log:*" + ApiKeyScopeBoundaryLogCreate APIKeyScope = "boundary_log:create" + ApiKeyScopeBoundaryLogDelete APIKeyScope = "boundary_log:delete" + ApiKeyScopeBoundaryLogRead APIKeyScope = "boundary_log:read" + ApiKeyScopeAiGatewayKey APIKeyScope = "ai_gateway_key:*" + ApiKeyScopeAiGatewayKeyCreate APIKeyScope = "ai_gateway_key:create" + ApiKeyScopeAiGatewayKeyDelete APIKeyScope = "ai_gateway_key:delete" + ApiKeyScopeAiGatewayKeyRead APIKeyScope = "ai_gateway_key:read" ) func (e *APIKeyScope) Scan(src interface{}) error { @@ -580,7 +588,15 @@ func (e APIKeyScope) Valid() bool { ApiKeyScopeUserSkillRead, ApiKeyScopeUserSkillUpdate, ApiKeyScopeUserSkillDelete, - ApiKeyScopeUserSkill: + ApiKeyScopeUserSkill, + ApiKeyScopeBoundaryLog, + ApiKeyScopeBoundaryLogCreate, + ApiKeyScopeBoundaryLogDelete, + ApiKeyScopeBoundaryLogRead, + ApiKeyScopeAiGatewayKey, + ApiKeyScopeAiGatewayKeyCreate, + ApiKeyScopeAiGatewayKeyDelete, + ApiKeyScopeAiGatewayKeyRead: return true } return false @@ -810,6 +826,14 @@ func AllAPIKeyScopeValues() []APIKeyScope { ApiKeyScopeUserSkillUpdate, ApiKeyScopeUserSkillDelete, ApiKeyScopeUserSkill, + ApiKeyScopeBoundaryLog, + ApiKeyScopeBoundaryLogCreate, + ApiKeyScopeBoundaryLogDelete, + ApiKeyScopeBoundaryLogRead, + ApiKeyScopeAiGatewayKey, + ApiKeyScopeAiGatewayKeyCreate, + ApiKeyScopeAiGatewayKeyDelete, + ApiKeyScopeAiGatewayKeyRead, } } @@ -3341,6 +3365,7 @@ const ( ResourceTypeAIProviderKey ResourceType = "ai_provider_key" ResourceTypeGroupAiBudget ResourceType = "group_ai_budget" ResourceTypeUserSkill ResourceType = "user_skill" + ResourceTypeAIGatewayKey ResourceType = "ai_gateway_key" ) func (e *ResourceType) Scan(src interface{}) error { @@ -3412,7 +3437,8 @@ func (e ResourceType) Valid() bool { ResourceTypeAIProvider, ResourceTypeAIProviderKey, ResourceTypeGroupAiBudget, - ResourceTypeUserSkill: + ResourceTypeUserSkill, + ResourceTypeAIGatewayKey: return true } return false @@ -3453,6 +3479,7 @@ func AllResourceTypeValues() []ResourceType { ResourceTypeAIProviderKey, ResourceTypeGroupAiBudget, ResourceTypeUserSkill, + ResourceTypeAIGatewayKey, } } @@ -4423,6 +4450,17 @@ type AIBridgeUserPrompt struct { CreatedAt time.Time `db:"created_at" json:"created_at"` } +// Hashed bearer secrets used by AI Gateway standalone replicas to authenticate into coderd. +type AIGatewayKey struct { + ID uuid.UUID `db:"id" json:"id"` + CreatedAt time.Time `db:"created_at" json:"created_at"` + Name string `db:"name" json:"name"` + // Public token prefix for display and audit correlation. Auth uses hashed_secret. + SecretPrefix string `db:"secret_prefix" json:"secret_prefix"` + HashedSecret []byte `db:"hashed_secret" json:"hashed_secret"` + LastUsedAt sql.NullTime `db:"last_used_at" json:"last_used_at"` +} + // Runtime configuration for AI providers. Authoritative source for the provider set served by aibridged. Replaces deployment-time CODER_AIBRIDGE_* environment variables. type AIProvider struct { ID uuid.UUID `db:"id" json:"id"` @@ -4543,6 +4581,8 @@ type BoundarySession struct { StartedAt time.Time `db:"started_at" json:"started_at"` // Time when the session was last updated. UpdatedAt time.Time `db:"updated_at" json:"updated_at"` + // The ID of the user who owns the workspace. NULL if the user has been deleted. + OwnerID uuid.NullUUID `db:"owner_id" json:"owner_id"` } // Per-replica boundary usage statistics for telemetry aggregation. @@ -5716,6 +5756,15 @@ type User struct { ChatSpendLimitMicros sql.NullInt64 `db:"chat_spend_limit_micros" json:"chat_spend_limit_micros"` } +// Per-user AI spend override that supersedes group budget resolution. +type UserAiBudgetOverride struct { + UserID uuid.UUID `db:"user_id" json:"user_id"` + GroupID uuid.UUID `db:"group_id" json:"group_id"` + SpendLimitMicros int64 `db:"spend_limit_micros" json:"spend_limit_micros"` + CreatedAt time.Time `db:"created_at" json:"created_at"` + UpdatedAt time.Time `db:"updated_at" json:"updated_at"` +} + // User-owned API keys associated with AI providers. These keys are used only when BYOK is enabled. type UserAiProviderKey struct { ID uuid.UUID `db:"id" json:"id"` diff --git a/coderd/database/querier.go b/coderd/database/querier.go index 6b16e0771a..a6c8f3e7db 100644 --- a/coderd/database/querier.go +++ b/coderd/database/querier.go @@ -198,6 +198,7 @@ type sqlcQuerier interface { DeleteTailnetPeer(ctx context.Context, arg DeleteTailnetPeerParams) (DeleteTailnetPeerRow, error) DeleteTailnetTunnel(ctx context.Context, arg DeleteTailnetTunnelParams) (DeleteTailnetTunnelRow, error) DeleteTask(ctx context.Context, arg DeleteTaskParams) (uuid.UUID, error) + DeleteUserAIBudgetOverride(ctx context.Context, userID uuid.UUID) (UserAiBudgetOverride, error) DeleteUserAIProviderKey(ctx context.Context, arg DeleteUserAIProviderKeyParams) error DeleteUserAIProviderKeysByProviderID(ctx context.Context, aiProviderID uuid.UUID) error DeleteUserChatCompactionThreshold(ctx context.Context, arg DeleteUserChatCompactionThresholdParams) error @@ -738,6 +739,7 @@ type sqlcQuerier interface { // inclusive. GetTotalUsageDCManagedAgentsV1(ctx context.Context, arg GetTotalUsageDCManagedAgentsV1Params) (int64, error) GetUnexpiredLicenses(ctx context.Context) ([]License, error) + GetUserAIBudgetOverride(ctx context.Context, userID uuid.UUID) (UserAiBudgetOverride, error) GetUserAIProviderKeyByProviderID(ctx context.Context, arg GetUserAIProviderKeyByProviderIDParams) (UserAiProviderKey, error) // GetUserAIProviderKeys is used by dbcrypt key rotation. Request paths should use // user-scoped lookups instead of this bulk accessor. @@ -920,7 +922,7 @@ type sqlcQuerier interface { // every member of the org. InsertAllUsersGroup(ctx context.Context, organizationID uuid.UUID) (Group, error) InsertAuditLog(ctx context.Context, arg InsertAuditLogParams) (AuditLog, error) - InsertBoundaryLog(ctx context.Context, arg InsertBoundaryLogParams) (BoundaryLog, error) + InsertBoundaryLogs(ctx context.Context, arg InsertBoundaryLogsParams) ([]BoundaryLog, error) InsertBoundarySession(ctx context.Context, arg InsertBoundarySessionParams) (BoundarySession, error) InsertChat(ctx context.Context, arg InsertChatParams) (Chat, error) // updated_at is the retention clock used by DeleteOldChatDebugRuns. @@ -1407,6 +1409,7 @@ type sqlcQuerier interface { // used to store the data, and the minutes are summed for each user and template // combination. The result is stored in the template_usage_stats table. UpsertTemplateUsageStats(ctx context.Context) error + UpsertUserAIBudgetOverride(ctx context.Context, arg UpsertUserAIBudgetOverrideParams) (UserAiBudgetOverride, error) // UpsertUserAIProviderKey preserves the original id and created_at when the // user/provider pair already exists. On conflict, callers provide id and // created_at for the insert path only. diff --git a/coderd/database/querier_test.go b/coderd/database/querier_test.go index f181e2e94b..cefe6a866e 100644 --- a/coderd/database/querier_test.go +++ b/coderd/database/querier_test.go @@ -9921,8 +9921,9 @@ func TestUpdateAIBridgeInterceptionEnded(t *testing.T) { ctx := testutil.Context(t, testutil.WaitLong) got, err := db.UpdateAIBridgeInterceptionEnded(ctx, database.UpdateAIBridgeInterceptionEndedParams{ - ID: uuid.New(), - EndedAt: time.Now(), + ID: uuid.New(), + EndedAt: time.Now(), + CredentialHint: "sk-a...efgh", }) require.ErrorContains(t, err, "no rows in result set") require.EqualValues(t, database.AIBridgeInterception{}, got) @@ -9957,18 +9958,21 @@ func TestUpdateAIBridgeInterceptionEnded(t *testing.T) { endedAt := time.Now() // Mark first interception as done updated, err := db.UpdateAIBridgeInterceptionEnded(ctx, database.UpdateAIBridgeInterceptionEndedParams{ - ID: intc0.ID, - EndedAt: endedAt, + ID: intc0.ID, + EndedAt: endedAt, + CredentialHint: "sk-a...efgh", }) require.NoError(t, err) require.EqualValues(t, updated.ID, intc0.ID) require.True(t, updated.EndedAt.Valid) require.WithinDuration(t, endedAt, updated.EndedAt.Time, 5*time.Second) + require.Equal(t, "sk-a...efgh", updated.CredentialHint) // Updating first interception again should fail updated, err = db.UpdateAIBridgeInterceptionEnded(ctx, database.UpdateAIBridgeInterceptionEndedParams{ - ID: intc0.ID, - EndedAt: endedAt.Add(time.Hour), + ID: intc0.ID, + EndedAt: endedAt.Add(time.Hour), + CredentialHint: "sk-a...efgh", }) require.ErrorIs(t, err, sql.ErrNoRows) @@ -9979,6 +9983,52 @@ func TestUpdateAIBridgeInterceptionEnded(t *testing.T) { require.False(t, got.EndedAt.Valid) } }) + + t.Run("CentralizedHintUpdated", func(t *testing.T) { + t.Parallel() + ctx := testutil.Context(t, testutil.WaitLong) + + user := dbgen.User(t, db, database.User{}) + intc, err := db.InsertAIBridgeInterception(ctx, database.InsertAIBridgeInterceptionParams{ + ID: uuid.New(), + InitiatorID: user.ID, + Metadata: json.RawMessage("{}"), + CredentialKind: database.CredentialKindCentralized, + CredentialHint: "", + }) + require.NoError(t, err) + + updated, err := db.UpdateAIBridgeInterceptionEnded(ctx, database.UpdateAIBridgeInterceptionEndedParams{ + ID: intc.ID, + EndedAt: time.Now(), + CredentialHint: "sk-a...efgh", + }) + require.NoError(t, err) + require.Equal(t, "sk-a...efgh", updated.CredentialHint) + }) + + t.Run("BYOKHintPreserved", func(t *testing.T) { + t.Parallel() + ctx := testutil.Context(t, testutil.WaitLong) + + user := dbgen.User(t, db, database.User{}) + intc, err := db.InsertAIBridgeInterception(ctx, database.InsertAIBridgeInterceptionParams{ + ID: uuid.New(), + InitiatorID: user.ID, + Metadata: json.RawMessage("{}"), + CredentialKind: database.CredentialKindByok, + CredentialHint: "sk-u...byok", + }) + require.NoError(t, err) + + updated, err := db.UpdateAIBridgeInterceptionEnded(ctx, database.UpdateAIBridgeInterceptionEndedParams{ + ID: intc.ID, + EndedAt: time.Now(), + CredentialHint: "sk-a...efgh", + }) + require.NoError(t, err) + require.Equal(t, "sk-u...byok", updated.CredentialHint) + }) } func TestDeleteExpiredAPIKeys(t *testing.T) { diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go index 1c04d4906b..dc646121dc 100644 --- a/coderd/database/queries.sql.go +++ b/coderd/database/queries.sql.go @@ -2389,20 +2389,28 @@ func (q *sqlQuerier) ListAIBridgeUserPromptsByInterceptionIDs(ctx context.Contex const updateAIBridgeInterceptionEnded = `-- name: UpdateAIBridgeInterceptionEnded :one UPDATE aibridge_interceptions - SET ended_at = $1::timestamptz + SET ended_at = $1::timestamptz, + -- BYOK records its hint at the start of the interception. + -- Centralized uses key failover, so its hint is only known + -- at end-of-interception. + credential_hint = CASE + WHEN credential_kind = 'centralized' THEN $2::text + ELSE credential_hint + END WHERE - id = $2::uuid + id = $3::uuid AND ended_at IS NULL RETURNING id, initiator_id, provider, model, started_at, metadata, ended_at, api_key_id, client, thread_parent_id, thread_root_id, client_session_id, session_id, provider_name, credential_kind, credential_hint ` type UpdateAIBridgeInterceptionEndedParams struct { - EndedAt time.Time `db:"ended_at" json:"ended_at"` - ID uuid.UUID `db:"id" json:"id"` + EndedAt time.Time `db:"ended_at" json:"ended_at"` + CredentialHint string `db:"credential_hint" json:"credential_hint"` + ID uuid.UUID `db:"id" json:"id"` } func (q *sqlQuerier) UpdateAIBridgeInterceptionEnded(ctx context.Context, arg UpdateAIBridgeInterceptionEndedParams) (AIBridgeInterception, error) { - row := q.db.QueryRowContext(ctx, updateAIBridgeInterceptionEnded, arg.EndedAt, arg.ID) + row := q.db.QueryRowContext(ctx, updateAIBridgeInterceptionEnded, arg.EndedAt, arg.CredentialHint, arg.ID) var i AIBridgeInterception err := row.Scan( &i.ID, @@ -2441,6 +2449,23 @@ func (q *sqlQuerier) DeleteGroupAIBudget(ctx context.Context, groupID uuid.UUID) return i, err } +const deleteUserAIBudgetOverride = `-- name: DeleteUserAIBudgetOverride :one +DELETE FROM user_ai_budget_overrides WHERE user_id = $1 RETURNING user_id, group_id, spend_limit_micros, created_at, updated_at +` + +func (q *sqlQuerier) DeleteUserAIBudgetOverride(ctx context.Context, userID uuid.UUID) (UserAiBudgetOverride, error) { + row := q.db.QueryRowContext(ctx, deleteUserAIBudgetOverride, userID) + var i UserAiBudgetOverride + err := row.Scan( + &i.UserID, + &i.GroupID, + &i.SpendLimitMicros, + &i.CreatedAt, + &i.UpdatedAt, + ) + return i, err +} + const getAIModelPriceByProviderModel = `-- name: GetAIModelPriceByProviderModel :one SELECT provider, model, input_price, output_price, cache_read_price, cache_write_price, created_at, updated_at FROM ai_model_prices @@ -2486,6 +2511,25 @@ func (q *sqlQuerier) GetGroupAIBudget(ctx context.Context, groupID uuid.UUID) (G return i, err } +const getUserAIBudgetOverride = `-- name: GetUserAIBudgetOverride :one +SELECT user_id, group_id, spend_limit_micros, created_at, updated_at +FROM user_ai_budget_overrides +WHERE user_id = $1 +` + +func (q *sqlQuerier) GetUserAIBudgetOverride(ctx context.Context, userID uuid.UUID) (UserAiBudgetOverride, error) { + row := q.db.QueryRowContext(ctx, getUserAIBudgetOverride, userID) + var i UserAiBudgetOverride + err := row.Scan( + &i.UserID, + &i.GroupID, + &i.SpendLimitMicros, + &i.CreatedAt, + &i.UpdatedAt, + ) + return i, err +} + const upsertAIModelPrices = `-- name: UpsertAIModelPrices :exec INSERT INTO ai_model_prices ( provider, model, input_price, output_price, cache_read_price, cache_write_price @@ -2540,6 +2584,35 @@ func (q *sqlQuerier) UpsertGroupAIBudget(ctx context.Context, arg UpsertGroupAIB return i, err } +const upsertUserAIBudgetOverride = `-- name: UpsertUserAIBudgetOverride :one +INSERT INTO user_ai_budget_overrides (user_id, group_id, spend_limit_micros) +VALUES ($1, $2, $3) +ON CONFLICT (user_id) DO UPDATE SET + group_id = EXCLUDED.group_id, + spend_limit_micros = EXCLUDED.spend_limit_micros, + updated_at = NOW() +RETURNING user_id, group_id, spend_limit_micros, created_at, updated_at +` + +type UpsertUserAIBudgetOverrideParams struct { + UserID uuid.UUID `db:"user_id" json:"user_id"` + GroupID uuid.UUID `db:"group_id" json:"group_id"` + SpendLimitMicros int64 `db:"spend_limit_micros" json:"spend_limit_micros"` +} + +func (q *sqlQuerier) UpsertUserAIBudgetOverride(ctx context.Context, arg UpsertUserAIBudgetOverrideParams) (UserAiBudgetOverride, error) { + row := q.db.QueryRowContext(ctx, upsertUserAIBudgetOverride, arg.UserID, arg.GroupID, arg.SpendLimitMicros) + var i UserAiBudgetOverride + err := row.Scan( + &i.UserID, + &i.GroupID, + &i.SpendLimitMicros, + &i.CreatedAt, + &i.UpdatedAt, + ) + return i, err +} + const getActiveAISeatCount = `-- name: GetActiveAISeatCount :one SELECT COUNT(*) @@ -3627,7 +3700,7 @@ func (q *sqlQuerier) GetBoundaryLogByID(ctx context.Context, id uuid.UUID) (Boun } const getBoundarySessionByID = `-- name: GetBoundarySessionByID :one -SELECT id, workspace_agent_id, confined_process_name, started_at, updated_at FROM boundary_sessions WHERE id = $1 +SELECT id, workspace_agent_id, confined_process_name, started_at, updated_at, owner_id FROM boundary_sessions WHERE id = $1 ` func (q *sqlQuerier) GetBoundarySessionByID(ctx context.Context, id uuid.UUID) (BoundarySession, error) { @@ -3639,11 +3712,12 @@ func (q *sqlQuerier) GetBoundarySessionByID(ctx context.Context, id uuid.UUID) ( &i.ConfinedProcessName, &i.StartedAt, &i.UpdatedAt, + &i.OwnerID, ) return i, err } -const insertBoundaryLog = `-- name: InsertBoundaryLog :one +const insertBoundaryLogs = `-- name: InsertBoundaryLogs :many INSERT INTO boundary_logs ( id, session_id, @@ -3654,62 +3728,80 @@ INSERT INTO boundary_logs ( method, detail, matched_rule -) VALUES ( - $1, - $2, - $3, - $4, - $5, - $6, - $7, - $8, - $9 -) RETURNING id, session_id, sequence_number, captured_at, created_at, proto, method, detail, matched_rule +) +SELECT + unnest($1 :: uuid[]), + $2 :: uuid, + unnest($3 :: int[]), + unnest($4 :: timestamptz[]), + unnest($5 :: timestamptz[]), + unnest($6 :: text[]), + unnest($7 :: text[]), + unnest($8 :: text[]), + unnest($9 :: text[]) +RETURNING id, session_id, sequence_number, captured_at, created_at, proto, method, detail, matched_rule ` -type InsertBoundaryLogParams struct { - ID uuid.UUID `db:"id" json:"id"` - SessionID uuid.UUID `db:"session_id" json:"session_id"` - SequenceNumber int32 `db:"sequence_number" json:"sequence_number"` - CapturedAt time.Time `db:"captured_at" json:"captured_at"` - CreatedAt time.Time `db:"created_at" json:"created_at"` - Proto string `db:"proto" json:"proto"` - Method string `db:"method" json:"method"` - Detail string `db:"detail" json:"detail"` - MatchedRule sql.NullString `db:"matched_rule" json:"matched_rule"` +type InsertBoundaryLogsParams struct { + ID []uuid.UUID `db:"id" json:"id"` + SessionID uuid.UUID `db:"session_id" json:"session_id"` + SequenceNumber []int32 `db:"sequence_number" json:"sequence_number"` + CapturedAt []time.Time `db:"captured_at" json:"captured_at"` + CreatedAt []time.Time `db:"created_at" json:"created_at"` + Proto []string `db:"proto" json:"proto"` + Method []string `db:"method" json:"method"` + Detail []string `db:"detail" json:"detail"` + MatchedRule []string `db:"matched_rule" json:"matched_rule"` } -func (q *sqlQuerier) InsertBoundaryLog(ctx context.Context, arg InsertBoundaryLogParams) (BoundaryLog, error) { - row := q.db.QueryRowContext(ctx, insertBoundaryLog, - arg.ID, +func (q *sqlQuerier) InsertBoundaryLogs(ctx context.Context, arg InsertBoundaryLogsParams) ([]BoundaryLog, error) { + rows, err := q.db.QueryContext(ctx, insertBoundaryLogs, + pq.Array(arg.ID), arg.SessionID, - arg.SequenceNumber, - arg.CapturedAt, - arg.CreatedAt, - arg.Proto, - arg.Method, - arg.Detail, - arg.MatchedRule, + pq.Array(arg.SequenceNumber), + pq.Array(arg.CapturedAt), + pq.Array(arg.CreatedAt), + pq.Array(arg.Proto), + pq.Array(arg.Method), + pq.Array(arg.Detail), + pq.Array(arg.MatchedRule), ) - var i BoundaryLog - err := row.Scan( - &i.ID, - &i.SessionID, - &i.SequenceNumber, - &i.CapturedAt, - &i.CreatedAt, - &i.Proto, - &i.Method, - &i.Detail, - &i.MatchedRule, - ) - return i, err + if err != nil { + return nil, err + } + defer rows.Close() + var items []BoundaryLog + for rows.Next() { + var i BoundaryLog + if err := rows.Scan( + &i.ID, + &i.SessionID, + &i.SequenceNumber, + &i.CapturedAt, + &i.CreatedAt, + &i.Proto, + &i.Method, + &i.Detail, + &i.MatchedRule, + ); err != nil { + return nil, err + } + items = append(items, i) + } + if err := rows.Close(); err != nil { + return nil, err + } + if err := rows.Err(); err != nil { + return nil, err + } + return items, nil } const insertBoundarySession = `-- name: InsertBoundarySession :one INSERT INTO boundary_sessions ( id, workspace_agent_id, + owner_id, confined_process_name, started_at, updated_at @@ -3718,22 +3810,25 @@ INSERT INTO boundary_sessions ( $2, $3, $4, - $5 -) RETURNING id, workspace_agent_id, confined_process_name, started_at, updated_at + $5, + $6 +) RETURNING id, workspace_agent_id, confined_process_name, started_at, updated_at, owner_id ` type InsertBoundarySessionParams struct { - ID uuid.UUID `db:"id" json:"id"` - WorkspaceAgentID uuid.UUID `db:"workspace_agent_id" json:"workspace_agent_id"` - ConfinedProcessName string `db:"confined_process_name" json:"confined_process_name"` - StartedAt time.Time `db:"started_at" json:"started_at"` - UpdatedAt time.Time `db:"updated_at" json:"updated_at"` + ID uuid.UUID `db:"id" json:"id"` + WorkspaceAgentID uuid.UUID `db:"workspace_agent_id" json:"workspace_agent_id"` + OwnerID uuid.NullUUID `db:"owner_id" json:"owner_id"` + ConfinedProcessName string `db:"confined_process_name" json:"confined_process_name"` + StartedAt time.Time `db:"started_at" json:"started_at"` + UpdatedAt time.Time `db:"updated_at" json:"updated_at"` } func (q *sqlQuerier) InsertBoundarySession(ctx context.Context, arg InsertBoundarySessionParams) (BoundarySession, error) { row := q.db.QueryRowContext(ctx, insertBoundarySession, arg.ID, arg.WorkspaceAgentID, + arg.OwnerID, arg.ConfinedProcessName, arg.StartedAt, arg.UpdatedAt, @@ -3745,6 +3840,7 @@ func (q *sqlQuerier) InsertBoundarySession(ctx context.Context, arg InsertBounda &i.ConfinedProcessName, &i.StartedAt, &i.UpdatedAt, + &i.OwnerID, ) return i, err } diff --git a/coderd/database/queries/aibridge.sql b/coderd/database/queries/aibridge.sql index 7756c7086b..a1b49d25cd 100644 --- a/coderd/database/queries/aibridge.sql +++ b/coderd/database/queries/aibridge.sql @@ -8,7 +8,14 @@ RETURNING *; -- name: UpdateAIBridgeInterceptionEnded :one UPDATE aibridge_interceptions - SET ended_at = @ended_at::timestamptz + SET ended_at = @ended_at::timestamptz, + -- BYOK records its hint at the start of the interception. + -- Centralized uses key failover, so its hint is only known + -- at end-of-interception. + credential_hint = CASE + WHEN credential_kind = 'centralized' THEN @credential_hint::text + ELSE credential_hint + END WHERE id = @id::uuid AND ended_at IS NULL diff --git a/coderd/database/queries/aicostcontrol.sql b/coderd/database/queries/aicostcontrol.sql index 6740b2568c..188ec7357e 100644 --- a/coderd/database/queries/aicostcontrol.sql +++ b/coderd/database/queries/aicostcontrol.sql @@ -40,3 +40,20 @@ RETURNING *; -- name: DeleteGroupAIBudget :one DELETE FROM group_ai_budgets WHERE group_id = @group_id RETURNING *; + +-- name: GetUserAIBudgetOverride :one +SELECT * +FROM user_ai_budget_overrides +WHERE user_id = @user_id; + +-- name: UpsertUserAIBudgetOverride :one +INSERT INTO user_ai_budget_overrides (user_id, group_id, spend_limit_micros) +VALUES (@user_id, @group_id, @spend_limit_micros) +ON CONFLICT (user_id) DO UPDATE SET + group_id = EXCLUDED.group_id, + spend_limit_micros = EXCLUDED.spend_limit_micros, + updated_at = NOW() +RETURNING *; + +-- name: DeleteUserAIBudgetOverride :one +DELETE FROM user_ai_budget_overrides WHERE user_id = @user_id RETURNING *; diff --git a/coderd/database/queries/boundarylogs.sql b/coderd/database/queries/boundarylogs.sql index d8c35fd7eb..3abeb618a5 100644 --- a/coderd/database/queries/boundarylogs.sql +++ b/coderd/database/queries/boundarylogs.sql @@ -2,12 +2,14 @@ INSERT INTO boundary_sessions ( id, workspace_agent_id, + owner_id, confined_process_name, started_at, updated_at ) VALUES ( @id, @workspace_agent_id, + @owner_id, @confined_process_name, @started_at, @updated_at @@ -16,7 +18,7 @@ INSERT INTO boundary_sessions ( -- name: GetBoundarySessionByID :one SELECT * FROM boundary_sessions WHERE id = @id; --- name: InsertBoundaryLog :one +-- name: InsertBoundaryLogs :many INSERT INTO boundary_logs ( id, session_id, @@ -27,17 +29,18 @@ INSERT INTO boundary_logs ( method, detail, matched_rule -) VALUES ( - @id, - @session_id, - @sequence_number, - @captured_at, - @created_at, - @proto, - @method, - @detail, - @matched_rule -) RETURNING *; +) +SELECT + unnest(@id :: uuid[]), + @session_id :: uuid, + unnest(@sequence_number :: int[]), + unnest(@captured_at :: timestamptz[]), + unnest(@created_at :: timestamptz[]), + unnest(@proto :: text[]), + unnest(@method :: text[]), + unnest(@detail :: text[]), + unnest(@matched_rule :: text[]) +RETURNING *; -- name: GetBoundaryLogByID :one SELECT * FROM boundary_logs WHERE id = @id; diff --git a/coderd/database/sqlc.yaml b/coderd/database/sqlc.yaml index 18c738c992..78448df9de 100644 --- a/coderd/database/sqlc.yaml +++ b/coderd/database/sqlc.yaml @@ -261,8 +261,10 @@ sql: ai_provider: AIProvider ai_provider_key: AIProviderKey ai_provider_type: AIProviderType + ai_gateway_key: AIGatewayKey resource_type_ai_provider: ResourceTypeAIProvider resource_type_ai_provider_key: ResourceTypeAIProviderKey + resource_type_ai_gateway_key: ResourceTypeAIGatewayKey mcp_server_config: MCPServerConfig mcp_server_configs: MCPServerConfigs mcp_server_user_token: MCPServerUserToken diff --git a/coderd/database/unique_constraint.go b/coderd/database/unique_constraint.go index 8ef517a9cb..fd11ab2e06 100644 --- a/coderd/database/unique_constraint.go +++ b/coderd/database/unique_constraint.go @@ -7,6 +7,7 @@ type UniqueConstraint string // UniqueConstraint enums. const ( UniqueAgentStatsPkey UniqueConstraint = "agent_stats_pkey" // ALTER TABLE ONLY workspace_agent_stats ADD CONSTRAINT agent_stats_pkey PRIMARY KEY (id); + UniqueAiGatewayKeysPkey UniqueConstraint = "ai_gateway_keys_pkey" // ALTER TABLE ONLY ai_gateway_keys ADD CONSTRAINT ai_gateway_keys_pkey PRIMARY KEY (id); UniqueAiModelPricesPkey UniqueConstraint = "ai_model_prices_pkey" // ALTER TABLE ONLY ai_model_prices ADD CONSTRAINT ai_model_prices_pkey PRIMARY KEY (provider, model); UniqueAiProviderKeysPkey UniqueConstraint = "ai_provider_keys_pkey" // ALTER TABLE ONLY ai_provider_keys ADD CONSTRAINT ai_provider_keys_pkey PRIMARY KEY (id); UniqueAiProvidersPkey UniqueConstraint = "ai_providers_pkey" // ALTER TABLE ONLY ai_providers ADD CONSTRAINT ai_providers_pkey PRIMARY KEY (id); @@ -97,6 +98,7 @@ const ( UniqueTemplatesPkey UniqueConstraint = "templates_pkey" // ALTER TABLE ONLY templates ADD CONSTRAINT templates_pkey PRIMARY KEY (id); UniqueUsageEventsDailyPkey UniqueConstraint = "usage_events_daily_pkey" // ALTER TABLE ONLY usage_events_daily ADD CONSTRAINT usage_events_daily_pkey PRIMARY KEY (day, event_type); UniqueUsageEventsPkey UniqueConstraint = "usage_events_pkey" // ALTER TABLE ONLY usage_events ADD CONSTRAINT usage_events_pkey PRIMARY KEY (id); + UniqueUserAiBudgetOverridesPkey UniqueConstraint = "user_ai_budget_overrides_pkey" // ALTER TABLE ONLY user_ai_budget_overrides ADD CONSTRAINT user_ai_budget_overrides_pkey PRIMARY KEY (user_id); UniqueUserAiProviderKeysPkey UniqueConstraint = "user_ai_provider_keys_pkey" // ALTER TABLE ONLY user_ai_provider_keys ADD CONSTRAINT user_ai_provider_keys_pkey PRIMARY KEY (id); UniqueUserAiProviderKeysUserIDAiProviderIDKey UniqueConstraint = "user_ai_provider_keys_user_id_ai_provider_id_key" // ALTER TABLE ONLY user_ai_provider_keys ADD CONSTRAINT user_ai_provider_keys_user_id_ai_provider_id_key UNIQUE (user_id, ai_provider_id); UniqueUserConfigsPkey UniqueConstraint = "user_configs_pkey" // ALTER TABLE ONLY user_configs ADD CONSTRAINT user_configs_pkey PRIMARY KEY (user_id, key); @@ -134,6 +136,9 @@ const ( UniqueWorkspaceResourceMetadataPkey UniqueConstraint = "workspace_resource_metadata_pkey" // ALTER TABLE ONLY workspace_resource_metadata ADD CONSTRAINT workspace_resource_metadata_pkey PRIMARY KEY (id); UniqueWorkspaceResourcesPkey UniqueConstraint = "workspace_resources_pkey" // ALTER TABLE ONLY workspace_resources ADD CONSTRAINT workspace_resources_pkey PRIMARY KEY (id); UniqueWorkspacesPkey UniqueConstraint = "workspaces_pkey" // ALTER TABLE ONLY workspaces ADD CONSTRAINT workspaces_pkey PRIMARY KEY (id); + UniqueAiGatewayKeysHashedSecretIndex UniqueConstraint = "ai_gateway_keys_hashed_secret_idx" // CREATE UNIQUE INDEX ai_gateway_keys_hashed_secret_idx ON ai_gateway_keys USING btree (hashed_secret); + UniqueAiGatewayKeysNameIndex UniqueConstraint = "ai_gateway_keys_name_idx" // CREATE UNIQUE INDEX ai_gateway_keys_name_idx ON ai_gateway_keys USING btree (lower(name)); + UniqueAiGatewayKeysSecretPrefixIndex UniqueConstraint = "ai_gateway_keys_secret_prefix_idx" // CREATE UNIQUE INDEX ai_gateway_keys_secret_prefix_idx ON ai_gateway_keys USING btree (secret_prefix); UniqueAiProvidersNameUnique UniqueConstraint = "ai_providers_name_unique" // CREATE UNIQUE INDEX ai_providers_name_unique ON ai_providers USING btree (name) WHERE (deleted = false); UniqueIndexAPIKeyName UniqueConstraint = "idx_api_key_name" // CREATE UNIQUE INDEX idx_api_key_name ON api_keys USING btree (user_id, token_name) WHERE (login_type = 'token'::login_type); UniqueIndexChatDebugRunsIDChat UniqueConstraint = "idx_chat_debug_runs_id_chat" // CREATE UNIQUE INDEX idx_chat_debug_runs_id_chat ON chat_debug_runs USING btree (id, chat_id); diff --git a/coderd/mcp/mcp_e2e_test.go b/coderd/mcp/mcp_e2e_test.go index 5b374e36b8..633c68582a 100644 --- a/coderd/mcp/mcp_e2e_test.go +++ b/coderd/mcp/mcp_e2e_test.go @@ -12,6 +12,7 @@ import ( "os" "path/filepath" "strings" + "sync/atomic" "testing" "github.com/google/uuid" @@ -57,11 +58,10 @@ func TestMCPHTTP_E2E_ClientIntegration(t *testing.T) { mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint // Configure client with authentication headers using RFC 6750 Bearer token - mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL, + mcpClient := newIsolatedMCPClient(t, mcpURL, transport.WithHTTPHeaders(map[string]string{ "Authorization": "Bearer " + coderClient.SessionToken(), })) - require.NoError(t, err) defer func() { if closeErr := mcpClient.Close(); closeErr != nil { t.Logf("Failed to close MCP client: %v", closeErr) @@ -72,7 +72,7 @@ func TestMCPHTTP_E2E_ClientIntegration(t *testing.T) { defer cancel() // Start client - err = mcpClient.Start(ctx) + err := mcpClient.Start(ctx) require.NoError(t, err) // Initialize connection @@ -190,8 +190,7 @@ func TestMCPHTTP_E2E_UnauthenticatedAccess(t *testing.T) { require.Equal(t, http.StatusUnauthorized, resp.StatusCode, "Should get HTTP 401 for unauthenticated access") // Also test with MCP client to ensure it handles the error gracefully - mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL) - require.NoError(t, err, "Should be able to create MCP client without authentication") + mcpClient := newIsolatedMCPClient(t, mcpURL) defer func() { if closeErr := mcpClient.Close(); closeErr != nil { t.Logf("Failed to close MCP client: %v", closeErr) @@ -245,11 +244,10 @@ func TestMCPHTTP_E2E_ToolWithWorkspace(t *testing.T) { coderdtest.NewWorkspaceAgentWaiter(t, coderClient, r.Workspace.ID).Wait() mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint - mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL, + mcpClient := newIsolatedMCPClient(t, mcpURL, transport.WithHTTPHeaders(map[string]string{ "Authorization": "Bearer " + coderClient.SessionToken(), })) - require.NoError(t, err) defer func() { if closeErr := mcpClient.Close(); closeErr != nil { t.Logf("Failed to close MCP client: %v", closeErr) @@ -260,7 +258,7 @@ func TestMCPHTTP_E2E_ToolWithWorkspace(t *testing.T) { defer cancel() require.NoError(t, mcpClient.Start(ctx)) - _, err = mcpClient.Initialize(ctx, mcp.InitializeRequest{ + _, err := mcpClient.Initialize(ctx, mcp.InitializeRequest{ Params: mcp.InitializeParams{ ProtocolVersion: mcp.LATEST_PROTOCOL_VERSION, ClientInfo: mcp.Implementation{ @@ -307,11 +305,10 @@ func TestMCPHTTP_E2E_ErrorHandling(t *testing.T) { // Create MCP client mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint - mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL, + mcpClient := newIsolatedMCPClient(t, mcpURL, transport.WithHTTPHeaders(map[string]string{ "Authorization": "Bearer " + coderClient.SessionToken(), })) - require.NoError(t, err) defer func() { if closeErr := mcpClient.Close(); closeErr != nil { t.Logf("Failed to close MCP client: %v", closeErr) @@ -322,7 +319,7 @@ func TestMCPHTTP_E2E_ErrorHandling(t *testing.T) { defer cancel() // Start and initialize client - err = mcpClient.Start(ctx) + err := mcpClient.Start(ctx) require.NoError(t, err) initReq := mcp.InitializeRequest{ @@ -366,11 +363,10 @@ func TestMCPHTTP_E2E_ConcurrentRequests(t *testing.T) { // Create MCP client mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint - mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL, + mcpClient := newIsolatedMCPClient(t, mcpURL, transport.WithHTTPHeaders(map[string]string{ "Authorization": "Bearer " + coderClient.SessionToken(), })) - require.NoError(t, err) defer func() { if closeErr := mcpClient.Close(); closeErr != nil { t.Logf("Failed to close MCP client: %v", closeErr) @@ -381,7 +377,7 @@ func TestMCPHTTP_E2E_ConcurrentRequests(t *testing.T) { defer cancel() // Start and initialize client - err = mcpClient.Start(ctx) + err := mcpClient.Start(ctx) require.NoError(t, err) initReq := mcp.InitializeRequest{ @@ -520,11 +516,10 @@ func TestMCPHTTP_E2E_OAuth2_EndToEnd(t *testing.T) { sessionToken := coderClient.SessionToken() mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint - mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL, + mcpClient := newIsolatedMCPClient(t, mcpURL, transport.WithHTTPHeaders(map[string]string{ "Authorization": "Bearer " + sessionToken, })) - require.NoError(t, err) defer func() { if closeErr := mcpClient.Close(); closeErr != nil { t.Logf("Failed to close MCP client: %v", closeErr) @@ -669,11 +664,10 @@ func TestMCPHTTP_E2E_OAuth2_EndToEnd(t *testing.T) { // Step 3: Use access token to authenticate with MCP endpoint mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint - mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL, + mcpClient := newIsolatedMCPClient(t, mcpURL, transport.WithHTTPHeaders(map[string]string{ "Authorization": "Bearer " + accessToken, })) - require.NoError(t, err) defer func() { if closeErr := mcpClient.Close(); closeErr != nil { t.Logf("Failed to close MCP client: %v", closeErr) @@ -762,11 +756,10 @@ func TestMCPHTTP_E2E_OAuth2_EndToEnd(t *testing.T) { t.Logf("Successfully refreshed token: %s...", newAccessToken[:10]) // Step 5: Use new access token to create another MCP connection - newMcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL, + newMcpClient := newIsolatedMCPClient(t, mcpURL, transport.WithHTTPHeaders(map[string]string{ "Authorization": "Bearer " + newAccessToken, })) - require.NoError(t, err) defer func() { if closeErr := newMcpClient.Close(); closeErr != nil { t.Logf("Failed to close new MCP client: %v", closeErr) @@ -990,11 +983,10 @@ func TestMCPHTTP_E2E_OAuth2_EndToEnd(t *testing.T) { t.Logf("Successfully obtained access token: %s...", accessToken[:10]) // Step 5: Use access token to get user information via MCP - mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL, + mcpClient := newIsolatedMCPClient(t, mcpURL, transport.WithHTTPHeaders(map[string]string{ "Authorization": "Bearer " + accessToken, })) - require.NoError(t, err) defer func() { if closeErr := mcpClient.Close(); closeErr != nil { t.Logf("Failed to close MCP client: %v", closeErr) @@ -1088,11 +1080,10 @@ func TestMCPHTTP_E2E_OAuth2_EndToEnd(t *testing.T) { t.Logf("Successfully refreshed token: %s...", newAccessToken[:10]) // Step 7: Use refreshed token to get user information again via MCP - newMcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL, + newMcpClient := newIsolatedMCPClient(t, mcpURL, transport.WithHTTPHeaders(map[string]string{ "Authorization": "Bearer " + newAccessToken, })) - require.NoError(t, err) defer func() { if closeErr := newMcpClient.Close(); closeErr != nil { t.Logf("Failed to close new MCP client: %v", closeErr) @@ -1268,11 +1259,10 @@ func TestMCPHTTP_E2E_ChatGPTEndpoint(t *testing.T) { mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint + "?toolset=chatgpt" // Configure client with authentication headers using RFC 6750 Bearer token - mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL, + mcpClient := newIsolatedMCPClient(t, mcpURL, transport.WithHTTPHeaders(map[string]string{ "Authorization": "Bearer " + coderClient.SessionToken(), })) - require.NoError(t, err) t.Cleanup(func() { if closeErr := mcpClient.Close(); closeErr != nil { t.Logf("Failed to close MCP client: %v", closeErr) @@ -1283,7 +1273,7 @@ func TestMCPHTTP_E2E_ChatGPTEndpoint(t *testing.T) { defer cancel() // Start client - err = mcpClient.Start(ctx) + err := mcpClient.Start(ctx) require.NoError(t, err) // Initialize connection @@ -1433,11 +1423,10 @@ func TestMCPHTTP_E2E_WorkspaceSSHAuthz(t *testing.T) { // Connect with the template-admin user. mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint - mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL, + mcpClient := newIsolatedMCPClient(t, mcpURL, transport.WithHTTPHeaders(map[string]string{ "Authorization": "Bearer " + tmplAdminClient.SessionToken(), })) - require.NoError(t, err) defer func() { _ = mcpClient.Close() }() @@ -1446,7 +1435,7 @@ func TestMCPHTTP_E2E_WorkspaceSSHAuthz(t *testing.T) { defer cancel() require.NoError(t, mcpClient.Start(ctx)) - _, err = mcpClient.Initialize(ctx, mcp.InitializeRequest{ + _, err := mcpClient.Initialize(ctx, mcp.InitializeRequest{ Params: mcp.InitializeParams{ ProtocolVersion: mcp.LATEST_PROTOCOL_VERSION, ClientInfo: mcp.Implementation{ @@ -1489,3 +1478,91 @@ func mustParseURL(t *testing.T, rawURL string) *url.URL { require.NoError(t, err, "Failed to parse URL %q", rawURL) return u } + +// newIsolatedMCPClient creates a streamable HTTP MCP client that uses +// an isolated http.Transport cloned from http.DefaultTransport. +// This prevents httptest.Server.Close() (which calls +// http.DefaultTransport.CloseIdleConnections()) from disrupting the +// client's connections during parallel tests. +func newIsolatedMCPClient(t *testing.T, mcpURL string, opts ...transport.StreamableHTTPCOption) *mcpclient.Client { + t.Helper() + isolated := coderdtest.NewIsolatedHTTPClient(nil) + opts = append([]transport.StreamableHTTPCOption{transport.WithHTTPBasicClient(isolated)}, opts...) + client, err := mcpclient.NewStreamableHttpClient(mcpURL, opts...) + require.NoError(t, err) + return client +} + +// sentinelTransport wraps an http.RoundTripper and counts how many +// requests flow through it. Used as a test sentinel to verify +// whether a client is (or is not) using http.DefaultTransport. +type sentinelTransport struct { + inner http.RoundTripper + hits atomic.Int64 +} + +func (s *sentinelTransport) RoundTrip(req *http.Request) (*http.Response, error) { + s.hits.Add(1) + return s.inner.RoundTrip(req) +} + +// TestMCPHTTP_E2E_TransportIsolation verifies that the +// newIsolatedMCPClient helper creates clients that do NOT route +// requests through http.DefaultTransport, while raw +// mcpclient.NewStreamableHttpClient (without explicit +// WithHTTPBasicClient) does use it. +// +//nolint:paralleltest // Mutates http.DefaultTransport. +func TestMCPHTTP_E2E_TransportIsolation(t *testing.T) { + // Replace DefaultTransport with a counting sentinel. + original := http.DefaultTransport + sentinel := &sentinelTransport{inner: original} + http.DefaultTransport = sentinel + t.Cleanup(func() { http.DefaultTransport = original }) + + coderClient, closer, api := coderdtest.NewWithAPI(t, nil) + t.Cleanup(func() { closer.Close() }) + _ = coderdtest.CreateFirstUser(t, coderClient) + + mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint + authOpt := transport.WithHTTPHeaders(map[string]string{ + "Authorization": "Bearer " + coderClient.SessionToken(), + }) + + ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong) + defer cancel() + + initReq := mcp.InitializeRequest{ + Params: mcp.InitializeParams{ + ProtocolVersion: mcp.LATEST_PROTOCOL_VERSION, + ClientInfo: mcp.Implementation{Name: "sentinel-test", Version: "1.0.0"}, + }, + } + + t.Run("RawClientUsesDefaultTransport", func(t *testing.T) { + sentinel.hits.Store(0) + rawClient, err := mcpclient.NewStreamableHttpClient(mcpURL, authOpt) + require.NoError(t, err) + defer func() { _ = rawClient.Close() }() + + require.NoError(t, rawClient.Start(ctx)) + _, err = rawClient.Initialize(ctx, initReq) + require.NoError(t, err) + + require.Greater(t, sentinel.hits.Load(), int64(0), + "raw client should route requests through http.DefaultTransport") + }) + + t.Run("IsolatedClientBypassesDefaultTransport", func(t *testing.T) { + sentinel.hits.Store(0) + isoClient := newIsolatedMCPClient(t, mcpURL, authOpt) + defer func() { _ = isoClient.Close() }() + + require.NoError(t, isoClient.Start(ctx)) + _, err := isoClient.Initialize(ctx, initReq) + require.NoError(t, err) + + require.Equal(t, int64(0), sentinel.hits.Load(), + "isolated client must NOT route requests through http.DefaultTransport") + }) +} diff --git a/coderd/mcp_test.go b/coderd/mcp_test.go index add730960f..dde85f12e7 100644 --- a/coderd/mcp_test.go +++ b/coderd/mcp_test.go @@ -1396,10 +1396,11 @@ func TestChatWithMCPServerIDs(t *testing.T) { // Create the chat model config required for creating a chat. _ = createChatModelConfigForMCP(t, expClient) - // Create an enabled MCP server config. - mcpConfig := createMCPServerConfig(t, client, "chat-mcp-server", true) + // Create enabled MCP server configs. + mcpConfigA := createMCPServerConfig(t, client, "chat-mcp-server-a", true) + mcpConfigB := createMCPServerConfig(t, client, "chat-mcp-server-b", true) - // Create a chat referencing the MCP server. + // Create a chat referencing the MCP servers. chat, err := expClient.CreateChat(ctx, codersdk.CreateChatRequest{ OrganizationID: firstUser.OrganizationID, Content: []codersdk.ChatInputPart{ @@ -1408,16 +1409,24 @@ func TestChatWithMCPServerIDs(t *testing.T) { Text: "hello with mcp server", }, }, - MCPServerIDs: []uuid.UUID{mcpConfig.ID}, + MCPServerIDs: []uuid.UUID{mcpConfigA.ID, mcpConfigB.ID}, }) require.NoError(t, err) require.NotEqual(t, uuid.Nil, chat.ID) - require.Contains(t, chat.MCPServerIDs, mcpConfig.ID) + require.ElementsMatch(t, []uuid.UUID{mcpConfigA.ID, mcpConfigB.ID}, chat.MCPServerIDs) // Fetch the chat and verify the MCP server IDs persist. fetched, err := expClient.GetChat(ctx, chat.ID) require.NoError(t, err) - require.Contains(t, fetched.MCPServerIDs, mcpConfig.ID) + require.ElementsMatch(t, []uuid.UUID{mcpConfigA.ID, mcpConfigB.ID}, fetched.MCPServerIDs) + + err = client.DeleteMCPServerConfig(ctx, mcpConfigA.ID) + require.NoError(t, err) + + fetched, err = expClient.GetChat(ctx, chat.ID) + require.NoError(t, err) + require.NotContains(t, fetched.MCPServerIDs, mcpConfigA.ID) + require.Contains(t, fetched.MCPServerIDs, mcpConfigB.ID) } func createChatModelConfigForMCP(t testing.TB, client *codersdk.ExperimentalClient) codersdk.ChatModelConfig { diff --git a/coderd/notifications/manager.go b/coderd/notifications/manager.go index f65fc3ff7f..4d44563fce 100644 --- a/coderd/notifications/manager.go +++ b/coderd/notifications/manager.go @@ -237,9 +237,7 @@ func (m *Manager) BufferedUpdatesCount() (success int, failure int) { // syncUpdates updates messages in the store based on the given successful and failed message dispatch results. func (m *Manager) syncUpdates(ctx context.Context) { // Ensure we update the metrics to reflect the current state after each invocation. - defer func() { - m.metrics.PendingUpdates.Set(float64(len(m.success) + len(m.failure))) - }() + defer m.metrics.pendingUpdatesGauge.set(func() int { return len(m.success) + len(m.failure) }) select { case <-ctx.Done(): @@ -250,7 +248,7 @@ func (m *Manager) syncUpdates(ctx context.Context) { nSuccess := len(m.success) nFailure := len(m.failure) - m.metrics.PendingUpdates.Set(float64(nSuccess + nFailure)) + m.metrics.pendingUpdatesGauge.set(func() int { return len(m.success) + len(m.failure) }) // Nothing to do. if nSuccess+nFailure == 0 { diff --git a/coderd/notifications/metrics.go b/coderd/notifications/metrics.go index 204bc260c7..69a262bb47 100644 --- a/coderd/notifications/metrics.go +++ b/coderd/notifications/metrics.go @@ -3,6 +3,7 @@ package notifications import ( "fmt" "strings" + "sync" "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/promauto" @@ -17,8 +18,28 @@ type Metrics struct { InflightDispatches *prometheus.GaugeVec DispatcherSendSeconds *prometheus.HistogramVec - PendingUpdates prometheus.Gauge + PendingUpdates prometheus.Collector SyncedUpdates prometheus.Counter + + pendingUpdatesGauge *pendingUpdatesGauge +} + +// pendingUpdatesGauge serializes count evaluation with the gauge write, +// preventing stale snapshots when concurrent goroutines race to update +// the metric. +type pendingUpdatesGauge struct { + gauge prometheus.Gauge + mu sync.Mutex +} + +// set evaluates count under the lock and writes the result to the gauge. +// count is a function, not a value, so the channel length is read atomically +// with the write; passing a pre-evaluated int would reintroduce the race. +func (g *pendingUpdatesGauge) set(count func() int) { + g.mu.Lock() + defer g.mu.Unlock() + + g.gauge.Set(float64(count())) } const ( @@ -35,6 +56,11 @@ const ( ) func NewMetrics(reg prometheus.Registerer) *Metrics { + pendingUpdates := promauto.With(reg).NewGauge(prometheus.GaugeOpts{ + Name: "pending_updates", Namespace: ns, Subsystem: subsystem, + Help: "The number of dispatch attempt results waiting to be flushed to the store.", + }) + return &Metrics{ DispatchAttempts: promauto.With(reg).NewCounterVec(prometheus.CounterOpts{ Name: "dispatch_attempts_total", Namespace: ns, Subsystem: subsystem, @@ -68,10 +94,10 @@ func NewMetrics(reg prometheus.Registerer) *Metrics { }, []string{LabelMethod}), // Currently no requirement to discriminate between success and failure updates which are pending. - PendingUpdates: promauto.With(reg).NewGauge(prometheus.GaugeOpts{ - Name: "pending_updates", Namespace: ns, Subsystem: subsystem, - Help: "The number of dispatch attempt results waiting to be flushed to the store.", - }), + PendingUpdates: pendingUpdates, + pendingUpdatesGauge: &pendingUpdatesGauge{ + gauge: pendingUpdates, + }, SyncedUpdates: promauto.With(reg).NewCounter(prometheus.CounterOpts{ Name: "synced_updates_total", Namespace: ns, Subsystem: subsystem, Help: "The number of dispatch attempt results flushed to the store.", diff --git a/coderd/notifications/metrics_internal_test.go b/coderd/notifications/metrics_internal_test.go new file mode 100644 index 0000000000..04360dc221 --- /dev/null +++ b/coderd/notifications/metrics_internal_test.go @@ -0,0 +1,85 @@ +package notifications + +import ( + "sync" + "testing" + + "github.com/prometheus/client_golang/prometheus" + promtest "github.com/prometheus/client_golang/prometheus/testutil" + "github.com/stretchr/testify/require" + + "github.com/coder/coder/v2/testutil" +) + +func TestMetricsSetPendingUpdatesSerializesGaugeWrites(t *testing.T) { + t.Parallel() + + realGauge := prometheus.NewGauge(prometheus.GaugeOpts{ + Name: "test_pending_updates", + Help: "test pending updates gauge", + }) + blockingGauge := &pendingUpdatesBlockingGauge{ + Gauge: realGauge, + blockValue: 3, + entered: make(chan struct{}), + release: make(chan struct{}), + } + metrics := &Metrics{ + PendingUpdates: blockingGauge, + pendingUpdatesGauge: &pendingUpdatesGauge{gauge: blockingGauge}, + } + + success := make(chan dispatchResult, 4) + failure := make(chan dispatchResult, 4) + success <- dispatchResult{} + success <- dispatchResult{} + + firstDone := make(chan struct{}) + go func() { + defer close(firstDone) + failure <- dispatchResult{} + // The first writer observes total=3 and blocks inside Set(3) + // while still holding the pendingUpdatesGauge mutex. + metrics.pendingUpdatesGauge.set(func() int { return len(success) + len(failure) }) + }() + + testutil.TryReceive(testutil.Context(t, testutil.WaitShort), t, blockingGauge.entered) + + // The main goroutine raises the real total to 4 before a second + // writer queues behind the locked gauge. + success <- dispatchResult{} + + secondDone := make(chan struct{}) + go func() { + defer close(secondDone) + // This count must be evaluated after release, while holding the + // mutex, so the final gauge value cannot regress to 3. + metrics.pendingUpdatesGauge.set(func() int { return len(success) + len(failure) }) + }() + + close(blockingGauge.release) + testutil.TryReceive(testutil.Context(t, testutil.WaitShort), t, firstDone) + testutil.TryReceive(testutil.Context(t, testutil.WaitShort), t, secondDone) + + require.Equal(t, 4, len(success)+len(failure)) + require.EqualValues(t, 4, promtest.ToFloat64(metrics.PendingUpdates)) +} + +type pendingUpdatesBlockingGauge struct { + prometheus.Gauge + + blockValue float64 + entered chan struct{} + release chan struct{} + once sync.Once +} + +func (g *pendingUpdatesBlockingGauge) Set(value float64) { + if value == g.blockValue { + g.once.Do(func() { + close(g.entered) + <-g.release + }) + } + g.Gauge.Set(value) +} diff --git a/coderd/notifications/metrics_test.go b/coderd/notifications/metrics_test.go index 5562ded86e..3a2d7fbc34 100644 --- a/coderd/notifications/metrics_test.go +++ b/coderd/notifications/metrics_test.go @@ -276,17 +276,24 @@ func TestPendingUpdatesMetric(t *testing.T) { mClock.Advance(cfg.FetchInterval.Value()).MustWait(ctx) // THEN: - // handler has dispatched the given notifications. - func() { + // Both handlers have dispatched the given notifications, and their + // results are pending in the metrics. + require.EventuallyWithT(t, func(ct *assert.CollectT) { handler.mu.RLock() + inboxHandler.mu.RLock() defer handler.mu.RUnlock() + defer inboxHandler.mu.RUnlock() - require.Len(t, handler.succeeded, 1) - require.Len(t, handler.failed, 1) - }() + assert.Len(ct, handler.succeeded, 1) + assert.Len(ct, handler.failed, 1) + assert.Len(ct, inboxHandler.succeeded, 1) + assert.Len(ct, inboxHandler.failed, 1) - // Both handler calls should be pending in the metrics. - require.EqualValues(t, 4, promtest.ToFloat64(metrics.PendingUpdates)) + success, failure := mgr.BufferedUpdatesCount() + assert.Equal(ct, 2, success) + assert.Equal(ct, 2, failure) + assert.EqualValues(ct, 4, promtest.ToFloat64(metrics.PendingUpdates)) + }, testutil.WaitShort, testutil.IntervalFast) // THEN: // Trigger syncing updates diff --git a/coderd/notifications/notifier.go b/coderd/notifications/notifier.go index 391c7c9bdb..9c7284c019 100644 --- a/coderd/notifications/notifier.go +++ b/coderd/notifications/notifier.go @@ -172,6 +172,7 @@ func (n *notifier) process(ctx context.Context, success chan<- dispatchResult, f // If a notification template has been disabled by the user after a notification was enqueued, mark it as inhibited if msg.Disabled { failure <- n.newInhibitedDispatch(msg) + n.metrics.pendingUpdatesGauge.set(func() int { return len(success) + len(failure) }) continue } @@ -184,7 +185,7 @@ func (n *notifier) process(ctx context.Context, success chan<- dispatchResult, f n.log.Error(ctx, "dispatcher construction failed", slog.F("msg_id", msg.ID), slog.Error(err)) } failure <- n.newFailedDispatch(msg, err, xerrors.Is(err, decorateHelpersError{})) - n.metrics.PendingUpdates.Set(float64(len(success) + len(failure))) + n.metrics.pendingUpdatesGauge.set(func() int { return len(success) + len(failure) }) continue } @@ -316,7 +317,7 @@ func (n *notifier) deliver(ctx context.Context, msg database.AcquireNotification logger.Debug(ctx, "message dispatch succeeded") } } - n.metrics.PendingUpdates.Set(float64(len(success) + len(failure))) + n.metrics.pendingUpdatesGauge.set(func() int { return len(success) + len(failure) }) return nil } diff --git a/coderd/rbac/object_gen.go b/coderd/rbac/object_gen.go index 340221f611..5ff60562b1 100644 --- a/coderd/rbac/object_gen.go +++ b/coderd/rbac/object_gen.go @@ -15,6 +15,15 @@ var ( Type: "*", } + // ResourceAIGatewayKey + // Valid Actions + // - "ActionCreate" :: create an AI Gateway key + // - "ActionDelete" :: delete an AI Gateway key + // - "ActionRead" :: read AI Gateway keys + ResourceAIGatewayKey = Object{ + Type: "ai_gateway_key", + } + // ResourceAiModelPrice // Valid Actions // - "ActionRead" :: read AI model prices @@ -89,6 +98,15 @@ var ( Type: "audit_log", } + // ResourceBoundaryLog + // Valid Actions + // - "ActionCreate" :: create boundary log records + // - "ActionDelete" :: delete boundary logs + // - "ActionRead" :: read boundary logs and session metadata + ResourceBoundaryLog = Object{ + Type: "boundary_log", + } + // ResourceBoundaryUsage // Valid Actions // - "ActionDelete" :: delete boundary usage statistics @@ -470,6 +488,7 @@ var ( func AllResources() []Objecter { return []Objecter{ ResourceWildcard, + ResourceAIGatewayKey, ResourceAiModelPrice, ResourceAIProvider, ResourceAiSeat, @@ -478,6 +497,7 @@ func AllResources() []Objecter { ResourceAssignOrgRole, ResourceAssignRole, ResourceAuditLog, + ResourceBoundaryLog, ResourceBoundaryUsage, ResourceChat, ResourceConnectionLog, diff --git a/coderd/rbac/policy/policy.go b/coderd/rbac/policy/policy.go index 7d7a42110d..f97b2a78bc 100644 --- a/coderd/rbac/policy/policy.go +++ b/coderd/rbac/policy/policy.go @@ -422,6 +422,21 @@ var RBACPermissions = map[string]PermissionDefinition{ ActionRead: "read AI seat state", }, }, + "boundary_log": { + Actions: map[Action]ActionDefinition{ + ActionCreate: "create boundary log records", + ActionRead: "read boundary logs and session metadata", + ActionDelete: "delete boundary logs", + }, + }, + "ai_gateway_key": { + Name: "AIGatewayKey", + Actions: map[Action]ActionDefinition{ + ActionCreate: "create an AI Gateway key", + ActionRead: "read AI Gateway keys", + ActionDelete: "delete an AI Gateway key", + }, + }, "boundary_usage": { Actions: map[Action]ActionDefinition{ ActionRead: "read boundary usage statistics", diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go index cbaf49f9c0..1b19947ea6 100644 --- a/coderd/rbac/roles.go +++ b/coderd/rbac/roles.go @@ -303,7 +303,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) { // Workspace is specifically handled based on the opts.NoOwnerWorkspaceExec. // Owners can inspect and delete personal skills for operability and // abuse handling, but cannot create or edit user-authored instructions. - allPermsExcept(ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceWorkspace, ResourceUserSecret, ResourceUserSkill, ResourceUsageEvent, ResourceBoundaryUsage, ResourceAiSeat), + allPermsExcept(ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceWorkspace, ResourceUserSecret, ResourceUserSkill, ResourceUsageEvent, ResourceBoundaryUsage, ResourceBoundaryLog, ResourceAiSeat), // This adds back in the Workspace permissions. Permissions(map[string][]policy.Action{ ResourceWorkspace.Type: ownerWorkspaceActions, @@ -313,6 +313,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) { // Explicitly setting PrebuiltWorkspace permissions for clarity. // Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions. ResourcePrebuiltWorkspace.Type: {policy.ActionUpdate, policy.ActionDelete}, + // Owners can read all boundary logs. Delete is reserved for + // DBPurge only. Create is user-scoped (inherited from member). + ResourceBoundaryLog.Type: {policy.ActionRead}, })..., ), User: []Permission{}, @@ -332,7 +335,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) { denyPermissions..., ), User: append( - allPermsExcept(ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceWorkspace, ResourceUser, ResourceOrganizationMember, ResourceBoundaryUsage, ResourceAibridgeInterception, ResourceChat, ResourceAiSeat), + allPermsExcept(ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceWorkspace, ResourceUser, ResourceOrganizationMember, ResourceBoundaryUsage, ResourceBoundaryLog, ResourceAibridgeInterception, ResourceChat, ResourceAiSeat), Permissions(map[string][]policy.Action{ // Users cannot do create/update/delete on themselves, but they // can read their own details. @@ -342,6 +345,11 @@ func ReloadBuiltinRoles(opts *RoleOptions) { // Members can create and update AI Bridge interceptions but // cannot read them back. ResourceAibridgeInterception.Type: {policy.ActionCreate, policy.ActionUpdate}, + // Workspace agents create boundary logs under their owner's + // identity. Create is user-scoped so agents can only write + // logs owned by their workspace owner. + // Read: owners and auditors. Delete: DBPurge only. + ResourceBoundaryLog.Type: {policy.ActionCreate}, })..., ), ByOrgID: map[string]OrgPermissions{}, @@ -366,6 +374,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) { ResourceDeploymentConfig.Type: {policy.ActionRead}, // Allow auditors to query AI Bridge interceptions. ResourceAibridgeInterception.Type: {policy.ActionRead}, + // Allow auditors to read boundary logs. + ResourceBoundaryLog.Type: {policy.ActionRead}, }), User: []Permission{}, ByOrgID: map[string]OrgPermissions{}, @@ -465,7 +475,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) { // Org admins should not have workspace exec perms. organizationID.String(): { Org: append( - allPermsExcept(ResourceWorkspace, ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceAssignRole, ResourceUserSecret, ResourceBoundaryUsage, ResourceAiSeat), + allPermsExcept(ResourceWorkspace, ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceAssignRole, ResourceUserSecret, ResourceBoundaryUsage, ResourceBoundaryLog, ResourceAiSeat), Permissions(map[string][]policy.Action{ ResourceWorkspace.Type: slice.Omit(ResourceWorkspace.AvailableActions(), policy.ActionApplicationConnect, policy.ActionSSH), ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop, policy.ActionCreateAgent, policy.ActionDeleteAgent, policy.ActionUpdateAgent}, @@ -1052,6 +1062,7 @@ func OrgMemberPermissions(org OrgSettings) OrgRolePermissions { ResourcePrebuiltWorkspace, ResourceUser, ResourceOrganizationMember, + ResourceBoundaryLog, ResourceAibridgeInterception, // Chat access requires the agents-access role. ResourceChat, @@ -1137,6 +1148,7 @@ func OrgServiceAccountPermissions(org OrgSettings) OrgRolePermissions { ResourcePrebuiltWorkspace, ResourceUser, ResourceOrganizationMember, + ResourceBoundaryLog, ResourceAibridgeInterception, // Chat access requires the agents-access role. ResourceChat, diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go index 0170d308e0..7fee71935c 100644 --- a/coderd/rbac/roles_test.go +++ b/coderd/rbac/roles_test.go @@ -1204,6 +1204,24 @@ func TestRolePermissions(t *testing.T) { }, }, }, + { + // Only owners can manage AI Gateway keys. They hold + // a hashed bearer secret used to authenticate Gateway + // replicas to coderd. Keys are deployment-wide. + Name: "AIGatewayKey", + Actions: []policy.Action{policy.ActionCreate, policy.ActionRead, policy.ActionDelete}, + Resource: rbac.ResourceAIGatewayKey, + AuthorizeMap: map[bool][]hasAuthSubjects{ + true: {owner}, + false: { + memberMe, agentsAccessUser, + orgAdmin, otherOrgAdmin, + orgAuditor, otherOrgAuditor, + templateAdmin, orgTemplateAdmin, otherOrgTemplateAdmin, + userAdmin, orgUserAdmin, otherOrgUserAdmin, + }, + }, + }, { Name: "BoundaryUsage", Actions: []policy.Action{policy.ActionRead, policy.ActionUpdate, policy.ActionDelete}, @@ -1229,6 +1247,75 @@ func TestRolePermissions(t *testing.T) { false: {setOtherOrg, setOrgNotMe, memberMe, agentsAccessUser, templateAdmin, userAdmin}, }, }, + { + // Boundary logs: members can create logs they own (user-scoped). + // memberMe and agentsAccessUser have ID == currentUser, so they + // match the resource owner. Other subjects have different IDs. + Name: "BoundaryLogCreate", + Actions: []policy.Action{policy.ActionCreate}, + Resource: rbac.ResourceBoundaryLog.WithOwner(currentUser.String()), + AuthorizeMap: map[bool][]hasAuthSubjects{ + true: {memberMe, agentsAccessUser}, + false: { + owner, + orgAdmin, otherOrgAdmin, + orgAuditor, otherOrgAuditor, auditor, + templateAdmin, orgTemplateAdmin, otherOrgTemplateAdmin, + userAdmin, orgUserAdmin, otherOrgUserAdmin, + }, + }, + }, + { + // Cross-user isolation: no subject can create boundary logs + // owned by a different user. The resource owner is a random + // UUID that does not match any test subject's ID. + Name: "BoundaryLogCreateOther", + Actions: []policy.Action{policy.ActionCreate}, + Resource: rbac.ResourceBoundaryLog.WithOwner(uuid.New().String()), + AuthorizeMap: map[bool][]hasAuthSubjects{ + true: {}, + false: { + owner, memberMe, agentsAccessUser, + orgAdmin, otherOrgAdmin, + orgAuditor, otherOrgAuditor, auditor, + templateAdmin, orgTemplateAdmin, otherOrgTemplateAdmin, + userAdmin, orgUserAdmin, otherOrgUserAdmin, + }, + }, + }, + { + // Boundary logs: only DBPurge can delete. No human role + // has delete; DBPurge is a system subject outside this matrix. + Name: "BoundaryLogDelete", + Actions: []policy.Action{policy.ActionDelete}, + Resource: rbac.ResourceBoundaryLog, + AuthorizeMap: map[bool][]hasAuthSubjects{ + true: {}, + false: { + owner, memberMe, agentsAccessUser, + orgAdmin, otherOrgAdmin, + orgAuditor, otherOrgAuditor, auditor, + templateAdmin, orgTemplateAdmin, otherOrgTemplateAdmin, + userAdmin, orgUserAdmin, otherOrgUserAdmin, + }, + }, + }, + { + // Boundary logs: owner and auditor get read. + Name: "BoundaryLogRead", + Actions: []policy.Action{policy.ActionRead}, + Resource: rbac.ResourceBoundaryLog, + AuthorizeMap: map[bool][]hasAuthSubjects{ + true: {owner, auditor}, + false: { + memberMe, agentsAccessUser, + orgAdmin, otherOrgAdmin, + orgAuditor, otherOrgAuditor, + templateAdmin, orgTemplateAdmin, otherOrgTemplateAdmin, + userAdmin, orgUserAdmin, otherOrgUserAdmin, + }, + }, + }, { Name: "ChatUsageCRU", Actions: []policy.Action{policy.ActionCreate, policy.ActionRead, policy.ActionUpdate}, @@ -1471,3 +1558,121 @@ func TestChangeSet(t *testing.T) { }) } } + +// TestWorkspaceAgentScopeBoundaryLog verifies that a real workspace agent +// scope (not ScopeAll) can create boundary logs for its own owner but +// cannot create them for other users, and cannot read or delete them. +func TestWorkspaceAgentScopeBoundaryLog(t *testing.T) { + t.Parallel() + + auth := rbac.NewStrictAuthorizer(prometheus.NewRegistry()) + + ownerID := uuid.New() + otherOwnerID := uuid.New() + workspaceID := uuid.New() + templateID := uuid.New() + versionID := uuid.New() + + agentScope := rbac.WorkspaceAgentScope(rbac.WorkspaceAgentScopeParams{ + WorkspaceID: workspaceID, + OwnerID: ownerID, + TemplateID: templateID, + VersionID: versionID, + }) + + memberRole, err := rbac.RoleByName(rbac.RoleMember()) + require.NoError(t, err) + + agent := rbac.Subject{ + ID: ownerID.String(), + Roles: rbac.Roles{memberRole}, + Scope: agentScope, + }.WithCachedASTValue() + + // Agent can create boundary logs for its own owner. + err = auth.Authorize(context.Background(), agent, policy.ActionCreate, + rbac.ResourceBoundaryLog.WithOwner(ownerID.String())) + require.NoError(t, err, "agent should create boundary logs for own owner") + + // Agent cannot create boundary logs for a different owner. + err = auth.Authorize(context.Background(), agent, policy.ActionCreate, + rbac.ResourceBoundaryLog.WithOwner(otherOwnerID.String())) + require.Error(t, err, "agent must not create boundary logs for other owner") + + // Agent cannot read boundary logs (even its own owner's). + err = auth.Authorize(context.Background(), agent, policy.ActionRead, + rbac.ResourceBoundaryLog.WithOwner(ownerID.String())) + require.Error(t, err, "agent must not read boundary logs") + + // Agent cannot delete boundary logs (even its own owner's). + err = auth.Authorize(context.Background(), agent, policy.ActionDelete, + rbac.ResourceBoundaryLog.WithOwner(ownerID.String())) + require.Error(t, err, "agent must not delete boundary logs") + + // When the workspace owner is a site admin, the agent scope + // wildcard for boundary_log combined with the owner role's site-level + // read grant means the agent CAN read all boundary logs. This is an + // accepted consequence of the wildcard scope needed for creation. + ownerRole, err := rbac.RoleByName(rbac.RoleOwner()) + require.NoError(t, err) + + adminAgent := rbac.Subject{ + ID: ownerID.String(), + Roles: rbac.Roles{memberRole, ownerRole}, + Scope: agentScope, + }.WithCachedASTValue() + + // Admin-owned agent CAN read boundary logs due to site-level owner + // role + wildcard scope. + err = auth.Authorize(context.Background(), adminAgent, policy.ActionRead, + rbac.ResourceBoundaryLog.WithOwner(otherOwnerID.String())) + require.NoError(t, err, "admin agent inherits site-level read via owner role") + + // Admin-owned agent still cannot create boundary logs for another owner + // because member-level create is user-scoped (subject.id must match owner). + err = auth.Authorize(context.Background(), adminAgent, policy.ActionCreate, + rbac.ResourceBoundaryLog.WithOwner(otherOwnerID.String())) + require.Error(t, err, "admin agent must not create boundary logs for other owner") +} + +// TestDBPurgeBoundaryLogDelete verifies that the DBPurge system subject +// can delete boundary logs but cannot create or read them. +func TestDBPurgeBoundaryLogDelete(t *testing.T) { + t.Parallel() + + auth := rbac.NewStrictAuthorizer(prometheus.NewRegistry()) + + // Build the DBPurge subject the same way dbauthz does. + dbPurge := rbac.Subject{ + Type: rbac.SubjectTypeDBPurge, + FriendlyName: "DB Purge", + ID: uuid.Nil.String(), + Roles: rbac.Roles([]rbac.Role{ + { + Identifier: rbac.RoleIdentifier{Name: "dbpurge"}, + DisplayName: "DB Purge Daemon", + Site: rbac.Permissions(map[string][]policy.Action{ + rbac.ResourceBoundaryLog.Type: {policy.ActionDelete}, + }), + User: []rbac.Permission{}, + ByOrgID: map[string]rbac.OrgPermissions{}, + }, + }), + Scope: rbac.ScopeAll, + }.WithCachedASTValue() + + // DBPurge can delete boundary logs. + err := auth.Authorize(context.Background(), dbPurge, policy.ActionDelete, + rbac.ResourceBoundaryLog) + require.NoError(t, err, "DBPurge should delete boundary logs") + + // DBPurge cannot create boundary logs. + err = auth.Authorize(context.Background(), dbPurge, policy.ActionCreate, + rbac.ResourceBoundaryLog.WithOwner(uuid.New().String())) + require.Error(t, err, "DBPurge must not create boundary logs") + + // DBPurge cannot read boundary logs. + err = auth.Authorize(context.Background(), dbPurge, policy.ActionRead, + rbac.ResourceBoundaryLog) + require.Error(t, err, "DBPurge must not read boundary logs") +} diff --git a/coderd/rbac/scopes.go b/coderd/rbac/scopes.go index 17e3990c31..7cbec46d74 100644 --- a/coderd/rbac/scopes.go +++ b/coderd/rbac/scopes.go @@ -65,6 +65,11 @@ func WorkspaceAgentScope(params WorkspaceAgentScopeParams) Scope { {Type: ResourceTemplate.Type, ID: params.TemplateID.String()}, {Type: ResourceTemplate.Type, ID: params.VersionID.String()}, {Type: ResourceUser.Type, ID: params.OwnerID.String()}, + // No pre-existing ID for new records; wildcard is required. + // Owner-scoped create (user-level) limits agents to their own + // logs. Adding site-level actions to the member role would + // bypass this and grant deployment-wide access. + {Type: ResourceBoundaryLog.Type, ID: policy.WildcardSymbol}, }, extraAllowList...), } } diff --git a/coderd/rbac/scopes_constants_gen.go b/coderd/rbac/scopes_constants_gen.go index c12cba430a..3adad84a59 100644 --- a/coderd/rbac/scopes_constants_gen.go +++ b/coderd/rbac/scopes_constants_gen.go @@ -7,6 +7,9 @@ package rbac // declared in code, not here, to avoid duplication. const ( + ScopeAiGatewayKeyCreate ScopeName = "ai_gateway_key:create" + ScopeAiGatewayKeyDelete ScopeName = "ai_gateway_key:delete" + ScopeAiGatewayKeyRead ScopeName = "ai_gateway_key:read" ScopeAiModelPriceRead ScopeName = "ai_model_price:read" ScopeAiModelPriceUpdate ScopeName = "ai_model_price:update" ScopeAiProviderCreate ScopeName = "ai_provider:create" @@ -33,6 +36,9 @@ const ( ScopeAssignRoleUnassign ScopeName = "assign_role:unassign" ScopeAuditLogCreate ScopeName = "audit_log:create" ScopeAuditLogRead ScopeName = "audit_log:read" + ScopeBoundaryLogCreate ScopeName = "boundary_log:create" + ScopeBoundaryLogDelete ScopeName = "boundary_log:delete" + ScopeBoundaryLogRead ScopeName = "boundary_log:read" ScopeBoundaryUsageDelete ScopeName = "boundary_usage:delete" ScopeBoundaryUsageRead ScopeName = "boundary_usage:read" ScopeBoundaryUsageUpdate ScopeName = "boundary_usage:update" @@ -184,6 +190,9 @@ func (e ScopeName) Valid() bool { case ScopeName("coder:all"), ScopeName("coder:application_connect"), ScopeName("no_user_data"), + ScopeAiGatewayKeyCreate, + ScopeAiGatewayKeyDelete, + ScopeAiGatewayKeyRead, ScopeAiModelPriceRead, ScopeAiModelPriceUpdate, ScopeAiProviderCreate, @@ -210,6 +219,9 @@ func (e ScopeName) Valid() bool { ScopeAssignRoleUnassign, ScopeAuditLogCreate, ScopeAuditLogRead, + ScopeBoundaryLogCreate, + ScopeBoundaryLogDelete, + ScopeBoundaryLogRead, ScopeBoundaryUsageDelete, ScopeBoundaryUsageRead, ScopeBoundaryUsageUpdate, @@ -362,6 +374,9 @@ func AllScopeNameValues() []ScopeName { ScopeName("coder:all"), ScopeName("coder:application_connect"), ScopeName("no_user_data"), + ScopeAiGatewayKeyCreate, + ScopeAiGatewayKeyDelete, + ScopeAiGatewayKeyRead, ScopeAiModelPriceRead, ScopeAiModelPriceUpdate, ScopeAiProviderCreate, @@ -388,6 +403,9 @@ func AllScopeNameValues() []ScopeName { ScopeAssignRoleUnassign, ScopeAuditLogCreate, ScopeAuditLogRead, + ScopeBoundaryLogCreate, + ScopeBoundaryLogDelete, + ScopeBoundaryLogRead, ScopeBoundaryUsageDelete, ScopeBoundaryUsageRead, ScopeBoundaryUsageUpdate, diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go index 097d4ff41b..074ca687b1 100644 --- a/coderd/workspaceagents.go +++ b/coderd/workspaceagents.go @@ -1096,6 +1096,11 @@ func (api *API) workspaceAgentRecreateDevcontainer(rw http.ResponseWriter, r *ht ctx := r.Context() waws := httpmw.WorkspaceAgentAndWorkspaceParam(r) + if !api.Authorize(r, policy.ActionUpdate, waws.WorkspaceTable) { + httpapi.Forbidden(rw) + return + } + devcontainer := chi.URLParam(r, "devcontainer") if devcontainer == "" { httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ diff --git a/coderd/workspaceagents_test.go b/coderd/workspaceagents_test.go index 0fff131f5a..9b36d11c27 100644 --- a/coderd/workspaceagents_test.go +++ b/coderd/workspaceagents_test.go @@ -1876,6 +1876,51 @@ func TestWorkspaceAgentRecreateDevcontainer(t *testing.T) { }) } +func TestWorkspaceAgentRecreateDevcontainerAuthorization(t *testing.T) { + t.Parallel() + + for _, tc := range []struct { + name string + role func(uuid.UUID) rbac.RoleIdentifier + }{ + { + name: "TemplateAdmin", + role: func(uuid.UUID) rbac.RoleIdentifier { + return rbac.RoleTemplateAdmin() + }, + }, + { + name: "OrgTemplateAdmin", + role: rbac.ScopedRoleOrgTemplateAdmin, + }, + } { + t.Run(tc.name, func(t *testing.T) { + t.Parallel() + + var ( + ctx = testutil.Context(t, testutil.WaitMedium) + client, db = coderdtest.NewWithDatabase(t, nil) + admin = coderdtest.CreateFirstUser(t, client) + _, workspaceOwner = coderdtest.CreateAnotherUser(t, client, admin.OrganizationID) + templateAdminClient, _ = coderdtest.CreateAnotherUser(t, client, admin.OrganizationID, tc.role(admin.OrganizationID)) + workspace = dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{ + OrganizationID: admin.OrganizationID, + OwnerID: workspaceOwner.ID, + }).WithAgent(func(agents []*proto.Agent) []*proto.Agent { + return agents + }).Do() + ) + + _, err := templateAdminClient.WorkspaceAgentRecreateDevcontainer(ctx, workspace.Agents[0].ID, uuid.NewString()) + require.Error(t, err) + + var sdkErr *codersdk.Error + require.ErrorAs(t, err, &sdkErr) + require.Equal(t, http.StatusForbidden, sdkErr.StatusCode()) + }) + } +} + func TestWorkspaceAgentDeleteDevcontainer(t *testing.T) { t.Parallel() diff --git a/coderd/x/chatd/chaterror/classify.go b/coderd/x/chatd/chaterror/classify.go index 73e50f083b..4bf28efd4f 100644 --- a/coderd/x/chatd/chaterror/classify.go +++ b/coderd/x/chatd/chaterror/classify.go @@ -195,6 +195,7 @@ func Classify(err error) ClassifiedError { } retryableHTTP2StreamReset, hasHTTP2StreamReset := classifyHTTP2StreamReset(err) + providerDisabledMatch := containsAny(lower, providerDisabledPatterns...) deadline := errors.Is(err, context.DeadlineExceeded) || strings.Contains(lower, "context deadline exceeded") overloadedMatch := statusCode == 529 || containsAny(lower, overloadedPatterns...) usageLimitMatch := containsAny(lower, usageLimitPatterns...) @@ -221,6 +222,8 @@ func Classify(err error) ClassifiedError { // over whatever HTTP status code the provider happened to use. // Strong auth still stays above config because bad credentials are // the root cause when both signals appear. + // Provider-disabled must precede timeout because disabled providers + // return 503, which matches the timeout rule. rules := []struct { match bool kind codersdk.ChatErrorKind @@ -251,6 +254,11 @@ func Classify(err error) ClassifiedError { kind: codersdk.ChatErrorKindRateLimit, retryable: true, }, + { + match: providerDisabledMatch, + kind: codersdk.ChatErrorKindProviderDisabled, + retryable: false, + }, { match: timeoutMatch && !configMatch, kind: codersdk.ChatErrorKindTimeout, diff --git a/coderd/x/chatd/chaterror/classify_test.go b/coderd/x/chatd/chaterror/classify_test.go index 8e1a9783c3..0e2e008bb8 100644 --- a/coderd/x/chatd/chaterror/classify_test.go +++ b/coderd/x/chatd/chaterror/classify_test.go @@ -2,6 +2,7 @@ package chaterror_test import ( "context" + "fmt" "io" "net/http" "strings" @@ -218,6 +219,85 @@ func TestClassify(t *testing.T) { StatusCode: 0, }, }, + // The next cases model the error that fantasy produces + // when aibridge's disabledProviderHandler returns a 503 + // plain-text sentinel. Fantasy sets Title from the HTTP + // status text and Message from the response body (including + // the trailing newline written by http.Error). + { + name: "ProviderDisabled503ClassifiesAsProviderDisabled", + err: &fantasy.ProviderError{ + Title: fantasy.ErrorTitleForStatusCode(http.StatusServiceUnavailable), + Message: fmt.Sprintf("%s: AI provider %q is disabled\n", codersdk.ChatErrorKindProviderDisabled, "openai"), + StatusCode: http.StatusServiceUnavailable, + }, + want: chaterror.ClassifiedError{ + Message: "The OpenAI provider has been disabled. Contact your Coder administrator.", + Detail: fmt.Sprintf("%s: AI provider %q is disabled", codersdk.ChatErrorKindProviderDisabled, "openai"), + Kind: codersdk.ChatErrorKindProviderDisabled, + Provider: "openai", + Retryable: false, + StatusCode: 503, + }, + }, + { + name: "ProviderDisabled503UnknownProvider", + err: &fantasy.ProviderError{ + Title: fantasy.ErrorTitleForStatusCode(http.StatusServiceUnavailable), + Message: fmt.Sprintf("%s: AI provider %q is disabled\n", codersdk.ChatErrorKindProviderDisabled, "mycustomprovider"), + StatusCode: http.StatusServiceUnavailable, + }, + want: chaterror.ClassifiedError{ + Message: "The AI provider has been disabled. Contact your Coder administrator.", + Detail: fmt.Sprintf("%s: AI provider %q is disabled", codersdk.ChatErrorKindProviderDisabled, "mycustomprovider"), + Kind: codersdk.ChatErrorKindProviderDisabled, + Provider: "", + Retryable: false, + StatusCode: 503, + }, + }, + { + name: "ProviderDisabledPlainErrorString", + err: xerrors.New(fmt.Sprintf("%s: AI provider %q is disabled", codersdk.ChatErrorKindProviderDisabled, "anthropic")), + want: chaterror.ClassifiedError{ + Message: "The Anthropic provider has been disabled. Contact your Coder administrator.", + Kind: codersdk.ChatErrorKindProviderDisabled, + Provider: "anthropic", + Retryable: false, + StatusCode: 0, + }, + }, + { + name: "ProviderDisabledBeatsTimeout503", + err: &fantasy.ProviderError{ + Title: fantasy.ErrorTitleForStatusCode(http.StatusServiceUnavailable), + Message: fmt.Sprintf("%s: AI provider %q is disabled\n", codersdk.ChatErrorKindProviderDisabled, "google"), + StatusCode: http.StatusServiceUnavailable, + }, + want: chaterror.ClassifiedError{ + Message: "The Google provider has been disabled. Contact your Coder administrator.", + Detail: fmt.Sprintf("%s: AI provider %q is disabled", codersdk.ChatErrorKindProviderDisabled, "google"), + Kind: codersdk.ChatErrorKindProviderDisabled, + Provider: "google", + Retryable: false, + StatusCode: 503, + }, + }, + { + name: "Generic503StillClassifiesAsTimeout", + err: &fantasy.ProviderError{ + Message: "service unavailable", + StatusCode: 503, + }, + want: chaterror.ClassifiedError{ + Message: "The AI provider is temporarily unavailable.", + Detail: "service unavailable", + Kind: codersdk.ChatErrorKindTimeout, + Provider: "", + Retryable: true, + StatusCode: 503, + }, + }, } for _, tt := range tests { @@ -363,6 +443,7 @@ func TestClassify_PatternCoverage(t *testing.T) { {name: "OperationInterruptedLiteral", err: "operation interrupted", wantKind: codersdk.ChatErrorKindGeneric, wantRetry: false}, {name: "Status408", err: "status 408", wantKind: codersdk.ChatErrorKindTimeout, wantRetry: true}, {name: "Status500", err: "status 500", wantKind: codersdk.ChatErrorKindGeneric, wantRetry: true}, + {name: "ProviderDisabledLiteral", err: "provider_disabled", wantKind: codersdk.ChatErrorKindProviderDisabled, wantRetry: false}, } for _, tt := range tests { diff --git a/coderd/x/chatd/chaterror/message.go b/coderd/x/chatd/chaterror/message.go index 5257420061..fef3ba78fa 100644 --- a/coderd/x/chatd/chaterror/message.go +++ b/coderd/x/chatd/chaterror/message.go @@ -4,6 +4,7 @@ import ( "fmt" "strings" + stringutil "github.com/coder/coder/v2/coderd/util/strings" "github.com/coder/coder/v2/codersdk" ) @@ -16,60 +17,58 @@ func terminalMessage(classified ClassifiedError) string { subject := providerSubject(classified.Provider) switch classified.Kind { case codersdk.ChatErrorKindOverloaded: - return fmt.Sprintf("%s is temporarily overloaded.", subject) + return stringutil.Capitalize(fmt.Sprintf("%s is temporarily overloaded.", subject)) case codersdk.ChatErrorKindRateLimit: - return fmt.Sprintf("%s is rate limiting requests.", subject) + return stringutil.Capitalize(fmt.Sprintf("%s is rate limiting requests.", subject)) case codersdk.ChatErrorKindTimeout: if !classified.Retryable && classified.StatusCode == 0 { return "The request timed out before it completed." } - return fmt.Sprintf("%s is temporarily unavailable.", subject) + return stringutil.Capitalize(fmt.Sprintf("%s is temporarily unavailable.", subject)) case codersdk.ChatErrorKindStartupTimeout: - return fmt.Sprintf( + return stringutil.Capitalize(fmt.Sprintf( "%s did not start responding in time.", subject, - ) + )) case codersdk.ChatErrorKindUsageLimit: - displayName := providerDisplayName(classified.Provider) - if displayName == "" { - displayName = "the AI provider" - } - return fmt.Sprintf( + return stringutil.Capitalize(fmt.Sprintf( "The usage quota for %s has been exceeded."+ " Check the billing and quota settings for the provider account.", - displayName, - ) + subject, + )) case codersdk.ChatErrorKindAuth: - displayName := providerDisplayName(classified.Provider) - if displayName == "" { - displayName = "the AI provider" - } return fmt.Sprintf( "Authentication with %s failed."+ " Check the API key and permissions.", - displayName, + subject, ) case codersdk.ChatErrorKindConfig: - return fmt.Sprintf( + return stringutil.Capitalize(fmt.Sprintf( "%s rejected the model configuration."+ " Check the selected model and provider settings.", subject, - ) + )) case codersdk.ChatErrorKindMissingKey: return "This conversation was started with an API key that is no longer available." + " Send your message again to continue." - + case codersdk.ChatErrorKindProviderDisabled: + displayName := providerDisplayName(classified.Provider) + return fmt.Sprintf( + "The %s provider has been disabled."+ + " Contact your Coder administrator.", + displayName, + ) default: if !classified.Retryable && classified.StatusCode == 0 { return "The chat request failed unexpectedly." } - return fmt.Sprintf("%s returned an unexpected error.", subject) + return stringutil.Capitalize(fmt.Sprintf("%s returned an unexpected error.", subject)) } } @@ -85,41 +84,43 @@ func retryMessage(classified ClassifiedError) string { subject := providerSubject(classified.Provider) switch classified.Kind { case codersdk.ChatErrorKindOverloaded: - return fmt.Sprintf("%s is temporarily overloaded.", subject) + return stringutil.Capitalize(fmt.Sprintf("%s is temporarily overloaded.", subject)) case codersdk.ChatErrorKindRateLimit: - return fmt.Sprintf("%s is rate limiting requests.", subject) + return stringutil.Capitalize(fmt.Sprintf("%s is rate limiting requests.", subject)) case codersdk.ChatErrorKindTimeout: - return fmt.Sprintf("%s is temporarily unavailable.", subject) + return stringutil.Capitalize(fmt.Sprintf("%s is temporarily unavailable.", subject)) case codersdk.ChatErrorKindStartupTimeout: - return fmt.Sprintf( + return stringutil.Capitalize(fmt.Sprintf( "%s did not start responding in time.", subject, - ) + )) case codersdk.ChatErrorKindAuth: - displayName := providerDisplayName(classified.Provider) - if displayName == "" { - displayName = "the AI provider" - } return fmt.Sprintf( - "Authentication with %s failed.", displayName, + "Authentication with %s failed.", subject, ) case codersdk.ChatErrorKindConfig: - return fmt.Sprintf( + return stringutil.Capitalize(fmt.Sprintf( "%s rejected the model configuration.", subject, - ) + )) case codersdk.ChatErrorKindMissingKey: return "The API key for this conversation is no longer available." - default: + case codersdk.ChatErrorKindProviderDisabled: + displayName := providerDisplayName(classified.Provider) return fmt.Sprintf( - "%s returned an unexpected error.", subject, + "The %s provider has been disabled by an administrator.", + displayName, ) + default: + return stringutil.Capitalize(fmt.Sprintf( + "%s returned an unexpected error.", subject, + )) } } func providerSubject(provider string) string { - if displayName := providerDisplayName(provider); displayName != "" { + if displayName := providerDisplayName(provider); displayName != "AI" && displayName != "" { return displayName } - return "The AI provider" + return "the AI provider" } func providerDisplayName(provider string) string { @@ -141,7 +142,7 @@ func providerDisplayName(provider string) string { case "vercel": return "Vercel AI Gateway" default: - return "" + return "AI" } } diff --git a/coderd/x/chatd/chaterror/signals.go b/coderd/x/chatd/chaterror/signals.go index ebe6ff939b..8dad919127 100644 --- a/coderd/x/chatd/chaterror/signals.go +++ b/coderd/x/chatd/chaterror/signals.go @@ -4,6 +4,8 @@ import ( "regexp" "strconv" "strings" + + "github.com/coder/coder/v2/aibridge" ) type providerHint struct { @@ -83,6 +85,7 @@ var ( } genericRetryablePatterns = []string{"server error", "internal server error"} interruptedPatterns = []string{"chat interrupted", "request interrupted", "operation interrupted"} + providerDisabledPatterns = []string{aibridge.ErrorCodeProviderDisabled} ) func extractStatusCode(lower string) int { diff --git a/coderd/x/chatd/chatloop/compaction.go b/coderd/x/chatd/chatloop/compaction.go index 503eff51bc..b267f17e2a 100644 --- a/coderd/x/chatd/chatloop/compaction.go +++ b/coderd/x/chatd/chatloop/compaction.go @@ -35,14 +35,22 @@ const ( "- Key decisions made and their rationale\n" + "- Concrete technical details: file paths, function names, " + "commands, APIs, and configurations\n" + - "- Errors encountered and how they were resolved\n" + + "- Errors encountered and how they were resolved. Keep error " + + "notes specific: name the file, the error, and the fix. Do not " + + "generalize from a specific failure to a blanket tool-avoidance " + + "rule (e.g. \"tool X is unreliable\" or \"always use Y instead " + + "of Z\")\n" + "- Current state of the work: what is DONE, what is IN PROGRESS, " + "and what REMAINS to be done\n" + "- The specific action the assistant was performing or about to " + "perform when this summary was triggered\n\n" + "Be dense and factual. Every sentence should convey essential " + "context for continuation. Do not include pleasantries or " + - "conversational filler." + "conversational filler. For content that can be reproduced " + + "(repo files, command output, API responses), reference how to " + + "obtain it (file path, command, URL) rather than inlining the " + + "full content. Include brief inline summaries when the content " + + "itself would exceed a few lines." defaultCompactionSystemSummaryPrefix = "The following is a summary of " + "the earlier conversation. The assistant was actively working when " + "the context was compacted. Continue the work described below:" diff --git a/coderd/x/chatd/chattool/createworkspace.go b/coderd/x/chatd/chattool/createworkspace.go index de0d617218..f65247fd02 100644 --- a/coderd/x/chatd/chattool/createworkspace.go +++ b/coderd/x/chatd/chattool/createworkspace.go @@ -5,6 +5,7 @@ import ( "database/sql" "errors" "fmt" + "net/http" "strings" "sync" "time" @@ -238,7 +239,7 @@ func CreateWorkspace(db database.Store, organizationID, chatID uuid.UUID, option ) } - workspace, err := options.CreateFn(ctx, ownerID, createReq) + workspace, err := createWorkspaceWithNameRetry(ctx, ownerID, createReq, options.CreateFn) if err != nil { if responseErr, ok := httperror.IsResponder(err); ok { _, resp := responseErr.Response() @@ -703,6 +704,41 @@ func waitForAgentReady( } } +func createWorkspaceWithNameRetry( + ctx context.Context, + ownerID uuid.UUID, + req codersdk.CreateWorkspaceRequest, + createFn CreateWorkspaceFn, +) (codersdk.Workspace, error) { + workspace, err := createFn(ctx, ownerID, req) + if err == nil { + return workspace, nil + } + if !isWorkspaceNameConflict(err) { + return codersdk.Workspace{}, err + } + + req.Name = generatedWorkspaceName(req.Name) + return createFn(ctx, ownerID, req) +} + +func isWorkspaceNameConflict(err error) bool { + responseErr, ok := httperror.IsResponder(err) + if !ok { + return false + } + status, resp := responseErr.Response() + if status != http.StatusConflict { + return false + } + for _, validation := range resp.Validations { + if validation.Field == "name" { + return true + } + } + return false +} + func generatedWorkspaceName(seed string) string { base := codersdk.UsernameFrom(strings.TrimSpace(strings.ToLower(seed))) if strings.TrimSpace(base) == "" { diff --git a/coderd/x/chatd/chattool/createworkspace_internal_test.go b/coderd/x/chatd/chattool/createworkspace_internal_test.go index 06c4a95a84..13f009d668 100644 --- a/coderd/x/chatd/chattool/createworkspace_internal_test.go +++ b/coderd/x/chatd/chattool/createworkspace_internal_test.go @@ -5,6 +5,7 @@ import ( "database/sql" "encoding/json" "fmt" + "net/http" "sync" "testing" "time" @@ -855,6 +856,70 @@ func TestCreateWorkspace_ResponderErrorPreservesStructuredFields(t *testing.T) { }}, result.Validations) } +func TestCreateWorkspaceWithNameRetry(t *testing.T) { + t.Parallel() + + t.Run("NameConflictRetriesWithGeneratedName", func(t *testing.T) { + t.Parallel() + + var names []string + workspace, err := createWorkspaceWithNameRetry( + context.Background(), + uuid.New(), + codersdk.CreateWorkspaceRequest{Name: "fun-dashboard"}, + func(_ context.Context, _ uuid.UUID, req codersdk.CreateWorkspaceRequest) (codersdk.Workspace, error) { + names = append(names, req.Name) + if len(names) == 1 { + return codersdk.Workspace{}, workspaceNameConflictError(req.Name) + } + + require.Regexp(t, `^fun-dashboard-[0-9a-f]{4}$`, req.Name) + return codersdk.Workspace{Name: req.Name}, nil + }, + ) + + require.NoError(t, err) + require.Len(t, names, 2) + require.Equal(t, "fun-dashboard", names[0]) + require.Equal(t, names[1], workspace.Name) + }) + + t.Run("OtherConflictDoesNotRetry", func(t *testing.T) { + t.Parallel() + + calls := 0 + wantErr := httperror.NewResponseError(http.StatusConflict, codersdk.Response{ + Message: "quota exceeded", + Validations: []codersdk.ValidationError{{ + Field: "quota", + Detail: "quota exceeded", + }}, + }) + _, err := createWorkspaceWithNameRetry( + context.Background(), + uuid.New(), + codersdk.CreateWorkspaceRequest{Name: "fun-dashboard"}, + func(context.Context, uuid.UUID, codersdk.CreateWorkspaceRequest) (codersdk.Workspace, error) { + calls++ + return codersdk.Workspace{}, wantErr + }, + ) + + require.Same(t, wantErr, err) + require.Equal(t, 1, calls) + }) +} + +func workspaceNameConflictError(name string) error { + return httperror.NewResponseError(http.StatusConflict, codersdk.Response{ + Message: fmt.Sprintf("Workspace %q already exists.", name), + Validations: []codersdk.ValidationError{{ + Field: "name", + Detail: "This value is already in use and should be unique.", + }}, + }) +} + func TestCreateWorkspace_GlobalTTL(t *testing.T) { t.Parallel() diff --git a/coderd/x/chatd/mcpclient/mcpclient.go b/coderd/x/chatd/mcpclient/mcpclient.go index 16ef5ed9fd..cb7e0322c2 100644 --- a/coderd/x/chatd/mcpclient/mcpclient.go +++ b/coderd/x/chatd/mcpclient/mcpclient.go @@ -285,31 +285,24 @@ func createTransport( cfg database.MCPServerConfig, headers map[string]string, ) (transport.Interface, error) { - // Each connection gets its own HTTP client with a dedicated - // transport so that httptest.Server.Close() (which calls - // CloseIdleConnections on http.DefaultTransport) does not - // disrupt unrelated connections during parallel tests. - var httpClient *http.Client - if dt, ok := http.DefaultTransport.(*http.Transport); ok { - httpClient = &http.Client{Transport: dt.Clone()} - } else { - httpClient = &http.Client{} - } + httpClient := mcpHTTPClient() switch cfg.Transport { case "sse": - return transport.NewSSE( - cfg.Url, - transport.WithHeaders(headers), - transport.WithHTTPClient(httpClient), - ) + var opts []transport.ClientOption + opts = append(opts, transport.WithHeaders(headers)) + if httpClient != nil { + opts = append(opts, transport.WithHTTPClient(httpClient)) + } + return transport.NewSSE(cfg.Url, opts...) case "", "streamable_http": // Default to streamable HTTP, the newer transport. - return transport.NewStreamableHTTP( - cfg.Url, - transport.WithHTTPHeaders(headers), - transport.WithHTTPBasicClient(httpClient), - ) + var opts []transport.StreamableHTTPCOption + opts = append(opts, transport.WithHTTPHeaders(headers)) + if httpClient != nil { + opts = append(opts, transport.WithHTTPBasicClient(httpClient)) + } + return transport.NewStreamableHTTP(cfg.Url, opts...) default: return nil, xerrors.Errorf( "unsupported transport %q", cfg.Transport, diff --git a/coderd/x/chatd/mcpclient/mcphttpclient.go b/coderd/x/chatd/mcpclient/mcphttpclient.go new file mode 100644 index 0000000000..c34ff59262 --- /dev/null +++ b/coderd/x/chatd/mcpclient/mcphttpclient.go @@ -0,0 +1,25 @@ +package mcpclient + +import ( + "net/http" + "testing" +) + +// mcpHTTPClient returns an isolated *http.Client when running +// inside tests, or nil for production. During tests, +// httptest.Server.Close() calls +// http.DefaultTransport.CloseIdleConnections(), which disrupts +// any MCP client sharing that transport. When DefaultTransport +// is a *http.Transport it is cloned; otherwise a minimal +// transport with ProxyFromEnvironment is created as a fallback. +func mcpHTTPClient() *http.Client { + if !testing.Testing() { + return nil + } + if dt, ok := http.DefaultTransport.(*http.Transport); ok { + return &http.Client{Transport: dt.Clone()} + } + return &http.Client{Transport: &http.Transport{ + Proxy: http.ProxyFromEnvironment, + }} +} diff --git a/coderd/x/nats/cluster.go b/coderd/x/nats/cluster.go new file mode 100644 index 0000000000..7b0fd1ab80 --- /dev/null +++ b/coderd/x/nats/cluster.go @@ -0,0 +1,148 @@ +package nats + +import ( + "net" + "net/url" + "slices" + "strconv" + "strings" + + "golang.org/x/xerrors" +) + +// SetPeerAddresses replaces the configured NATS cluster peer routes. +func (p *Pubsub) SetPeerAddresses(addresses []string) error { + p.clusterMu.Lock() + defer p.clusterMu.Unlock() + + if p.ctx.Err() != nil { + return errClosed + } + if !p.clustered { + return xerrors.New("nats pubsub was not started with clustering enabled") + } + + routes, err := parsePeerAddresses(addresses) + if err != nil { + return err + } + + self := &url.URL{Scheme: "nats", Host: p.ns.ClusterAddr().String()} + routes = filterSelfRoutes(routes, self) + routes = sortRouteURLs(routes) + + if sortedURLsEqual(p.currentRoutes, routes) { + return nil + } + + newOpts := p.serverOpts.Clone() + newOpts.Routes = cloneRouteURLs(routes) + if err := p.ns.ReloadOptions(newOpts); err != nil { + return xerrors.Errorf("reload nats peer addresses: %w", err) + } + p.serverOpts = newOpts.Clone() + p.currentRoutes = cloneRouteURLs(routes) + return nil +} + +func parsePeerAddresses(addresses []string) ([]*url.URL, error) { + routesByAddress := make(map[string]*url.URL, len(addresses)) + for i, address := range addresses { + trimmed := strings.TrimSpace(address) + if trimmed == "" { + return nil, xerrors.Errorf("peer address %d is empty", i) + } + + normalizedHost, err := normalizeHostPort(trimmed) + if err != nil { + return nil, err + } + + routesByAddress[normalizedHost] = &url.URL{ + Scheme: "nats", + Host: normalizedHost, + } + } + + routes := make([]*url.URL, 0, len(routesByAddress)) + for _, route := range routesByAddress { + routes = append(routes, route) + } + return routes, nil +} + +func filterSelfRoutes(routes []*url.URL, self *url.URL) []*url.URL { + filtered := make([]*url.URL, 0, len(routes)) + for _, route := range routes { + if route.String() == self.String() { + continue + } + filtered = append(filtered, route) + } + return filtered +} + +func normalizeHostPort(address string) (string, error) { + route, err := url.Parse(address) + if err != nil { + return "", xerrors.Errorf("parse peer address %q: %w", address, err) + } + if route.User != nil { + return "", xerrors.Errorf("peer address %q must not include userinfo", address) + } + if route.Path != "" || route.RawQuery != "" || route.Fragment != "" { + return "", xerrors.Errorf("peer address %q must not include path, query, or fragment", address) + } + + host, port, err := net.SplitHostPort(route.Host) + if err != nil { + return "", xerrors.Errorf("split %q host port: %w", address, err) + } + if host == "" || port == "" { + return "", xerrors.Errorf("%q must include host and port", address) + } + + portNumber, err := strconv.Atoi(port) + if err != nil { + return "", xerrors.Errorf("parse %q port: %w", address, err) + } + if portNumber <= 0 || portNumber > 65535 { + return "", xerrors.Errorf("peer address %q must include a valid port", address) + } + return net.JoinHostPort(host, strconv.Itoa(portNumber)), nil +} + +func sortRouteURLs(routes []*url.URL) []*url.URL { + slices.SortFunc(routes, func(a, b *url.URL) int { + return strings.Compare(a.String(), b.String()) + }) + return routes +} + +// sortedURLsEqual assumes sorted slices. +func sortedURLsEqual(a, b []*url.URL) bool { + if len(a) != len(b) { + return false + } + for i := range a { + if a[i].String() != b[i].String() { + return false + } + } + return true +} + +func cloneRouteURLs(routes []*url.URL) []*url.URL { + if routes == nil { + return nil + } + clones := make([]*url.URL, len(routes)) + for i, route := range routes { + if route == nil { + continue + } + clone := *route + clones[i] = &clone + } + return clones +} diff --git a/coderd/x/nats/cluster_internal_test.go b/coderd/x/nats/cluster_internal_test.go new file mode 100644 index 0000000000..eadf2e561f --- /dev/null +++ b/coderd/x/nats/cluster_internal_test.go @@ -0,0 +1,134 @@ +package nats + +import ( + "errors" + "net/url" + "testing" + + "github.com/stretchr/testify/require" +) + +func Test_parsePeerAddresses(t *testing.T) { + t.Parallel() + + t.Run("Valid", func(t *testing.T) { + t.Parallel() + routes, err := parsePeerAddresses([]string{ + "whatever://127.0.0.1:4222 ", + "http://[::1]:7222", + "nats://example.com:6222", + }) + require.NoError(t, err) + require.ElementsMatch(t, []string{ + "nats://127.0.0.1:4222", + "nats://[::1]:7222", + "nats://example.com:6222", + }, routeStrings(routes)) + }) + + t.Run("Empty", func(t *testing.T) { + t.Parallel() + routes, err := parsePeerAddresses(nil) + require.NoError(t, err) + require.Empty(t, routes) + }) + + t.Run("Dedupes", func(t *testing.T) { + t.Parallel() + routes, err := parsePeerAddresses([]string{ + "nats://b.example:6222", + "nats://a.example:6222", + "nats://b.example:6222", + }) + require.NoError(t, err) + require.ElementsMatch(t, []string{ + "nats://a.example:6222", + "nats://b.example:6222", + }, routeStrings(routes)) + }) + + t.Run("Invalid", func(t *testing.T) { + t.Parallel() + for _, address := range []string{ + "", + " ", + "127.0.0.1:4222", + "127.0.0.1", + ":4222", + "127.0.0.1:0", + "127.0.0.1:bad", + "nats://127.0.0.1", + "nats://:4222", + "nats://127.0.0.1:0", + "nats://127.0.0.1:bad", + "nats://user@127.0.0.1:4222", + "nats://127.0.0.1:4222/path", + "nats://127.0.0.1:4222?x=1", + "nats://127.0.0.1:4222#frag", + } { + t.Run(address, func(t *testing.T) { + t.Parallel() + _, err := parsePeerAddresses([]string{address}) + require.Error(t, err) + }) + } + }) +} + +func Test_filterSelfRoutes(t *testing.T) { + t.Parallel() + + routes, err := parsePeerAddresses([]string{ + "nats://b.example:6222", + "http://self.example:6222", + }) + require.NoError(t, err) + + routes = filterSelfRoutes(routes, &url.URL{Scheme: "nats", Host: "self.example:6222"}) + require.Equal(t, []string{"nats://b.example:6222"}, routeStrings(routes)) +} + +// Cluster tests bind free ports and reload shared route state. +func TestPubsub_SetPeerAddresses(t *testing.T) { + t.Parallel() + t.Run("OK", func(t *testing.T) { + t.Parallel() + a := newTestPubsub(t, clusterTestOptions(t)) + b := newTestPubsub(t, clusterTestOptions(t)) + c := newTestPubsub(t, clusterTestOptions(t)) + + addrB := clusterRouteAddress(t, b) + addrC := clusterRouteAddress(t, c) + require.NoError(t, a.SetPeerAddresses([]string{addrC, addrB})) + requireRoutesEqual(t, a.currentRoutes, addrB, addrC) + + require.NoError(t, a.SetPeerAddresses([]string{addrB, addrC})) + requireRoutesEqual(t, a.currentRoutes, addrB, addrC) + + require.NoError(t, a.SetPeerAddresses(nil)) + require.Empty(t, a.currentRoutes) + require.Empty(t, a.serverOpts.Routes) + }) + + t.Run("StandaloneConfigError", func(t *testing.T) { + t.Parallel() + ps := newTestPubsub(t, defaultTestOptions()) + err := ps.SetPeerAddresses(nil) + require.ErrorContains(t, err, "not started with clustering enabled") + }) + + t.Run("Closed", func(t *testing.T) { + t.Parallel() + ps := newTestPubsub(t, clusterTestOptions(t)) + require.NoError(t, ps.Close()) + err := ps.SetPeerAddresses(nil) + require.True(t, errors.Is(err, errClosed), "got %v", err) + }) + + t.Run("DropsSelfRoute", func(t *testing.T) { + t.Parallel() + ps := newTestPubsub(t, clusterTestOptions(t)) + require.NoError(t, ps.SetPeerAddresses([]string{clusterRouteAddress(t, ps)})) + require.Empty(t, ps.currentRoutes) + }) +} diff --git a/coderd/x/nats/pubsub.go b/coderd/x/nats/pubsub.go index afb6776a7f..a41247ed09 100644 --- a/coderd/x/nats/pubsub.go +++ b/coderd/x/nats/pubsub.go @@ -5,6 +5,7 @@ import ( "errors" "fmt" "hash/fnv" + "net/url" "sync" "time" @@ -19,6 +20,12 @@ import ( // DefaultMaxPending is the per-client outbound pending byte budget. const DefaultMaxPending int64 = 128 << 20 +const ( + defaultClusterName = "coder" + defaultClusterPort = 6222 + defaultRoutePoolSize = 3 +) + var errClosed = xerrors.New("nats pubsub closed") // PendingLimits configures per-subscription NATS pending limits set @@ -65,6 +72,23 @@ type Options struct { // shared subscription is pinned to one connection by a stable hash // of its subject. Zero or negative means 1. SubscribeConns int + + // ClusterHost is the embedded NATS route listener host. Empty means + // all interfaces when cluster mode is enabled. + ClusterHost string + + // ClusterPort is the embedded NATS route listener port. Zero means + // 6222 when cluster mode is enabled. + ClusterPort int + + // RoutePoolSize is the NATS route pool size. Zero means the package + // default when cluster mode is enabled. + RoutePoolSize int + + // disableCluster is intended only for testing. Since we cannot reload a server + // with a cluster host/port after initialization, we start all production servers + // with clustering enabled. + disableCluster bool } // Pubsub is an embedded NATS-backed implementation of pubsub.Pubsub. @@ -97,6 +121,11 @@ type Pubsub struct { // cleanup observes the canceled context. ctx context.Context cancel context.CancelFunc + + clusterMu sync.Mutex + clustered bool + serverOpts *natsserver.Options + currentRoutes []*url.URL } // natsSub maps to one underlying *natsgo.Subscription. The first @@ -203,13 +232,25 @@ func (p *Pubsub) buildConnHandlers() connHandlers { // embedded server and the publisher and subscriber connection pools. // Close shuts down all owned resources. func New(ctx context.Context, logger slog.Logger, opts Options) (*Pubsub, error) { - ns, err := startEmbeddedServer(logger, opts) + sopts, err := buildServerOptions(opts) if err != nil { return nil, err } + ns, err := startEmbeddedServer(sopts) + if err != nil { + return nil, err + } + + logger.Info(context.Background(), "embedded nats server started", + slog.F("client_url", ns.ClientURL()), + ) + p := newPubsub(ctx, logger, opts) p.ns = ns + p.clustered = !opts.disableCluster + p.serverOpts = sopts.Clone() + p.currentRoutes = cloneRouteURLs(sopts.Routes) handlers := p.buildConnHandlers() publishPool, err := newConnPool(ns, opts, handlers, opts.PublishConns, "coder-pubsub-pub") diff --git a/coderd/x/nats/pubsub_internal_test.go b/coderd/x/nats/pubsub_internal_test.go index 35abb84ed6..3b5263654e 100644 --- a/coderd/x/nats/pubsub_internal_test.go +++ b/coderd/x/nats/pubsub_internal_test.go @@ -1,18 +1,20 @@ -package nats //nolint:testpackage // Exercises internal pubsub state and helpers. +package nats import ( "context" "errors" "fmt" + "net/url" "sync" "sync/atomic" "testing" + "time" + natsserver "github.com/nats-io/nats-server/v2/server" natsgo "github.com/nats-io/nats.go" "github.com/stretchr/testify/require" "golang.org/x/xerrors" - "cdr.dev/slog/v3" "cdr.dev/slog/v3/sloggers/slogtest" "github.com/coder/coder/v2/coderd/database/pubsub" "github.com/coder/coder/v2/testutil" @@ -82,7 +84,7 @@ func Test_pickConn(t *testing.T) { func subjectForConn(t *testing.T, pool []*natsgo.Conn, conn *natsgo.Conn, prefix string) string { t.Helper() - for i := 0; i < 10_000; i++ { + for i := range 10_000 { subject := fmt.Sprintf("%s_%d", prefix, i) if pickConn(pool, subject) == conn { return subject @@ -97,17 +99,13 @@ func Test_New(t *testing.T) { t.Run("ConnectionCount", func(t *testing.T) { t.Parallel() - logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).Leveled(slog.LevelDebug) - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) - defer cancel() - ps, err := New(ctx, logger, Options{}) - require.NoError(t, err) + ps := newTestPubsub(t, defaultTestOptions()) t.Cleanup(func() { _ = ps.Close() }) const n = 50 cancels := make([]func(), 0, n) - for i := 0; i < n; i++ { - c, err := ps.Subscribe(fmt.Sprintf("cc_evt_%d", i), func(context.Context, []byte) {}) + for i := range n { + c, err := ps.Subscribe(fmt.Sprintf("cc_evt_%d", i), func(_ context.Context, _ []byte) {}) require.NoError(t, err) cancels = append(cancels, c) } @@ -130,10 +128,9 @@ func Test_SubscribeWithErr(t *testing.T) { t.Run("SameSubjectSharesSubscription", func(t *testing.T) { t.Parallel() - logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).Leveled(slog.LevelDebug) - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) - defer cancel() - ps, err := New(ctx, logger, Options{}) + logger := slogtest.Make(t, nil) + ctx := testutil.Context(t, testutil.WaitShort) + ps, err := New(ctx, logger, defaultTestOptions()) require.NoError(t, err) t.Cleanup(func() { _ = ps.Close() }) @@ -155,10 +152,10 @@ func Test_Pubsub_buildConnHandlers(t *testing.T) { t.Run("DisconnectSignalsDropsForMatchingSubscriberConn", func(t *testing.T) { t.Parallel() - logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).Leveled(slog.LevelDebug) - ctx, cancel := context.WithCancel(context.Background()) - defer cancel() - ps := newPubsub(ctx, logger, Options{}) + + logger := slogtest.Make(t, nil) + ctx := testutil.Context(t, testutil.WaitShort) + ps := newPubsub(ctx, logger, defaultTestOptions()) var subConnA, subConnB, pubConn natsgo.Conn ps.subscribePool = []*natsgo.Conn{&subConnA, &subConnB} @@ -205,8 +202,7 @@ func Test_localSub_init(t *testing.T) { t.Run("SerializesCallbacks", func(t *testing.T) { t.Parallel() - ctx, cancel := context.WithCancel(context.Background()) - defer cancel() + ctx := testutil.Context(t, testutil.WaitShort) dataStarted := make(chan struct{}) dropDelivered := make(chan struct{}) @@ -219,7 +215,7 @@ func Test_localSub_init(t *testing.T) { s := &localSub{ ctx: ctx, - cancel: cancel, + cancel: func() {}, listener: func(_ context.Context, _ []byte, ferr error) { if active.Add(1) != 1 { concurrent.Store(true) @@ -279,10 +275,9 @@ func Test_localSub_init(t *testing.T) { t.Run("CrossSubjectListenerIsolation", func(t *testing.T) { t.Parallel() - logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).Leveled(slog.LevelDebug) - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong) - defer cancel() - ps, err := New(ctx, logger, Options{}) + logger := slogtest.Make(t, nil) + ctx := testutil.Context(t, testutil.WaitLong) + ps, err := New(ctx, logger, defaultTestOptions()) require.NoError(t, err) t.Cleanup(func() { _ = ps.Close() }) @@ -312,7 +307,7 @@ func Test_localSub_init(t *testing.T) { total := defaultListenerQueueSize + 256 payload := make([]byte, 4*1024) - for i := 0; i < total; i++ { + for range total { require.NoError(t, ps.Publish("iso_slow", payload)) require.NoError(t, ps.Publish("iso_fast", []byte("ping"))) } @@ -337,3 +332,161 @@ func Test_localSub_init(t *testing.T) { require.Equal(t, 2, ps.ns.NumClients(), "slow consumer must not disconnect subConn") }) } + +func TestPubsubCluster(t *testing.T) { + t.Parallel() + + // OK verifies that SetPeerAddresses changes the active cluster topology. + // A starts connected to B, then C is added and receives both global and + // C-only messages. B is then removed from A's peers, while C continues to + // receive global and C-only messages. + t.Run("OK", func(t *testing.T) { + t.Parallel() + + a := newTestPubsub(t, clusterTestOptions(t)) + b := newTestPubsub(t, clusterTestOptions(t)) + c := newTestPubsub(t, clusterTestOptions(t)) + + addrB := clusterRouteAddress(t, b) + addrC := clusterRouteAddress(t, c) + + require.NoError(t, a.SetPeerAddresses([]string{addrB})) + requireRoutesEqual(t, a.currentRoutes, addrB) + + globalEvent := "global" + bGlobal := make(chan []byte, 8) + cancelBGlobal, err := b.Subscribe(globalEvent, func(_ context.Context, msg []byte) { + bGlobal <- msg + }) + require.NoError(t, err) + defer cancelBGlobal() + + waitForRouteSubscription(t, a, globalEvent) + publishAndFlush(t, a, globalEvent, "from-a-to-b") + require.Equal(t, "from-a-to-b", string(receiveMessage(t, bGlobal))) + + // Add C's subscriptions before adding C as an extra peer to A. + cGlobal := make(chan []byte, 8) + cancelCGlobal, err := c.Subscribe(globalEvent, func(_ context.Context, msg []byte) { + cGlobal <- msg + }) + require.NoError(t, err) + defer cancelCGlobal() + + cSubject := "c-only-subscriber" + cUnique := make(chan []byte, 8) + cancelCUnique, err := c.Subscribe(cSubject, func(_ context.Context, msg []byte) { + cUnique <- msg + }) + require.NoError(t, err) + defer cancelCUnique() + + // Add C to A's peer list. B and C should both receive global messages, + // while the C-only subject should route only to C. + require.NoError(t, a.SetPeerAddresses([]string{addrC, addrB})) + requireRoutesEqual(t, a.currentRoutes, addrB, addrC) + + waitForRouteSubscription(t, a, globalEvent) + waitForRouteSubscription(t, a, cSubject) + + publishAndFlush(t, a, globalEvent, "new-global-msg") + require.Equal(t, "new-global-msg", string(receiveMessage(t, bGlobal))) + require.Equal(t, "new-global-msg", string(receiveMessage(t, cGlobal))) + + publishAndFlush(t, a, cSubject, "c-unique-msg") + require.Equal(t, "c-unique-msg", string(receiveMessage(t, cUnique))) + + // Remove B from A's peer list. Only C should receive the next messages. + require.NoError(t, a.SetPeerAddresses([]string{addrC})) + requireRoutesEqual(t, a.currentRoutes, addrC) + + publishAndFlush(t, a, globalEvent, "no-b-peer") + require.Equal(t, "no-b-peer", string(receiveMessage(t, cGlobal))) + + publishAndFlush(t, a, cSubject, "c-messages-still-work") + require.Equal(t, "c-messages-still-work", string(receiveMessage(t, cUnique))) + }) +} + +func defaultTestOptions() Options { + return Options{disableCluster: true} +} + +func clusterTestOptions(t *testing.T) Options { + t.Helper() + return Options{ + ClusterHost: "127.0.0.1", + ClusterPort: natsserver.RANDOM_PORT, + disableCluster: false, + } +} + +func newTestPubsub(t *testing.T, opts Options) *Pubsub { + t.Helper() + logger := slogtest.Make(t, nil) + ctx := testutil.Context(t, testutil.WaitLong) + ps, err := New(ctx, logger, opts) + require.NoError(t, err) + t.Cleanup(func() { + _ = ps.Close() + }) + return ps +} + +func clusterRouteAddress(t *testing.T, ps *Pubsub) string { + t.Helper() + addr := ps.ns.ClusterAddr() + require.NotNil(t, addr) + return "nats://" + addr.String() +} + +func waitForRouteSubscription(t *testing.T, ps *Pubsub, subject string) { + t.Helper() + require.Eventually(t, func() bool { + routes, err := ps.ns.Routez(&natsserver.RoutezOptions{Subscriptions: true}) + if err != nil { + return false + } + for _, route := range routes.Routes { + for _, sub := range route.Subs { + if sub == subject { + return true + } + } + } + return false + }, testutil.WaitShort, testutil.IntervalFast) +} + +func publishAndFlush(t *testing.T, ps *Pubsub, event, message string) { + t.Helper() + require.NoError(t, ps.Publish(event, []byte(message))) + require.NoError(t, ps.Flush()) +} + +func receiveMessage(t *testing.T, got <-chan []byte) []byte { + t.Helper() + select { + case msg := <-got: + return msg + case <-time.After(testutil.WaitShort): + t.Fatal("timed out waiting for message") + return nil + } +} + +func requireRoutesEqual(t *testing.T, routes []*url.URL, addresses ...string) { + t.Helper() + want, err := parsePeerAddresses(addresses) + require.NoError(t, err) + want = sortRouteURLs(want) + require.True(t, sortedURLsEqual(want, routes), "want %v, got %v", routeStrings(want), routeStrings(routes)) +} + +func routeStrings(routes []*url.URL) []string { + strings := make([]string, 0, len(routes)) + for _, route := range routes { + strings = append(strings, route.String()) + } + return strings +} diff --git a/coderd/x/nats/pubsub_test.go b/coderd/x/nats/pubsub_test.go index 5be9f766f4..7b65228b7a 100644 --- a/coderd/x/nats/pubsub_test.go +++ b/coderd/x/nats/pubsub_test.go @@ -7,25 +7,30 @@ import ( "testing" "time" + natsserver "github.com/nats-io/nats-server/v2/server" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "cdr.dev/slog/v3" "cdr.dev/slog/v3/sloggers/slogtest" "github.com/coder/coder/v2/coderd/database/pubsub" - xnats "github.com/coder/coder/v2/coderd/x/nats" + "github.com/coder/coder/v2/coderd/x/nats" "github.com/coder/coder/v2/testutil" ) -func newTestPubsub(t *testing.T, opts xnats.Options) *xnats.Pubsub { +func newPubsub(t *testing.T, opts nats.Options) *nats.Pubsub { t.Helper() - logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).Leveled(slog.LevelDebug) - ctx, cancel := context.WithCancel(context.Background()) - ps, err := xnats.New(ctx, logger, opts) + + if opts.ClusterPort == 0 { + opts.ClusterPort = natsserver.RANDOM_PORT + } + + logger := slogtest.Make(t, nil) + ctx := testutil.Context(t, testutil.WaitLong) + ps, err := nats.New(ctx, logger, opts) require.NoError(t, err) t.Cleanup(func() { _ = ps.Close() - cancel() }) return ps } @@ -35,7 +40,7 @@ func TestPubsub(t *testing.T) { t.Run("RoundTrip", func(t *testing.T) { t.Parallel() - ps := newTestPubsub(t, xnats.Options{}) + ps := newPubsub(t, nats.Options{}) got := make(chan []byte, 1) cancel, err := ps.Subscribe("test_event", func(_ context.Context, msg []byte) { @@ -56,7 +61,7 @@ func TestPubsub(t *testing.T) { t.Run("SubscribeWithErrNormalMessage", func(t *testing.T) { t.Parallel() - ps := newTestPubsub(t, xnats.Options{}) + ps := newPubsub(t, nats.Options{}) got := make(chan []byte, 1) cancel, err := ps.SubscribeWithErr("evt", func(_ context.Context, msg []byte, err error) { @@ -78,7 +83,7 @@ func TestPubsub(t *testing.T) { t.Run("EchoDefault", func(t *testing.T) { t.Parallel() - ps := newTestPubsub(t, xnats.Options{}) + ps := newPubsub(t, nats.Options{}) got := make(chan []byte, 1) cancel, err := ps.Subscribe("echo_evt", func(_ context.Context, msg []byte) { @@ -99,7 +104,7 @@ func TestPubsub(t *testing.T) { t.Run("Ordering", func(t *testing.T) { t.Parallel() - ps := newTestPubsub(t, xnats.Options{}) + ps := newPubsub(t, nats.Options{}) const n = 100 got := make(chan []byte, n) @@ -129,7 +134,7 @@ func TestPubsub(t *testing.T) { logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).Leveled(slog.LevelDebug) ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) defer cancel() - ps, err := xnats.New(ctx, logger, xnats.Options{}) + ps, err := nats.New(ctx, logger, nats.Options{}) require.NoError(t, err) var first, second error @@ -147,8 +152,8 @@ func TestPubsub(t *testing.T) { t.Run("SubscribeWithErrReceivesDropError", func(t *testing.T) { t.Parallel() - ps := newTestPubsub(t, xnats.Options{ - PendingLimits: xnats.PendingLimits{Msgs: 1, Bytes: 1024 * 1024}, + ps := newPubsub(t, nats.Options{ + PendingLimits: nats.PendingLimits{Msgs: 1, Bytes: 1024 * 1024}, }) const event = "slow_evt_sync" diff --git a/coderd/x/nats/server.go b/coderd/x/nats/server.go index c7e038a06d..6013c44feb 100644 --- a/coderd/x/nats/server.go +++ b/coderd/x/nats/server.go @@ -1,20 +1,18 @@ package nats import ( - "context" "time" natsserver "github.com/nats-io/nats-server/v2/server" natsgo "github.com/nats-io/nats.go" "golang.org/x/xerrors" - - "cdr.dev/slog/v3" ) const readyTimeout = 10 * time.Second // buildServerOptions constructs the embedded NATS server options. The -// server runs standalone with a loopback random client listener. +// server runs with a loopback random client listener and an optional +// cluster route listener. func buildServerOptions(opts Options) (*natsserver.Options, error) { maxPayload := opts.MaxPayload if maxPayload == 0 { @@ -37,16 +35,34 @@ func buildServerOptions(opts Options) (*natsserver.Options, error) { sopts.Host = "127.0.0.1" sopts.Port = natsserver.RANDOM_PORT + if !opts.disableCluster { + clusterHost := opts.ClusterHost + if clusterHost == "" { + clusterHost = natsserver.DEFAULT_HOST + } + clusterPort := opts.ClusterPort + if clusterPort == 0 { + clusterPort = defaultClusterPort + } + routePoolSize := opts.RoutePoolSize + if routePoolSize == 0 { + routePoolSize = defaultRoutePoolSize + } + + sopts.Cluster = natsserver.ClusterOpts{ + Name: defaultClusterName, + Host: clusterHost, + Port: clusterPort, + PoolSize: routePoolSize, + } + } + return sopts, nil } -// startEmbeddedServer starts an in-process standalone NATS server. -func startEmbeddedServer(logger slog.Logger, opts Options) (*natsserver.Server, error) { - sopts, err := buildServerOptions(opts) - if err != nil { - return nil, err - } - ns, err := natsserver.NewServer(sopts) +// startEmbeddedServer starts an in-process NATS server. +func startEmbeddedServer(opts *natsserver.Options) (*natsserver.Server, error) { + ns, err := natsserver.NewServer(opts) if err != nil { return nil, xerrors.Errorf("new embedded nats server: %w", err) } @@ -56,9 +72,6 @@ func startEmbeddedServer(logger slog.Logger, opts Options) (*natsserver.Server, ns.WaitForShutdown() return nil, xerrors.Errorf("embedded nats server not ready within %s", readyTimeout) } - logger.Info(context.Background(), "embedded nats server started", - slog.F("client_url", ns.ClientURL()), - ) return ns, nil } @@ -92,13 +105,13 @@ func connectClient(ns *natsserver.Server, opts Options, handlers connHandlers, c if handlers.errH != nil { connOpts = append(connOpts, natsgo.ErrorHandler(handlers.errH)) } - url := ns.ClientURL() + clientURL := ns.ClientURL() if opts.InProcess { // InProcessServer overrides URL dialing with a net.Pipe; the - // url argument is ignored but must still be syntactically valid. + // URL argument is ignored but must still be syntactically valid. connOpts = append(connOpts, natsgo.InProcessServer(ns)) } - nc, err := natsgo.Connect(url, connOpts...) + nc, err := natsgo.Connect(clientURL, connOpts...) if err != nil { return nil, xerrors.Errorf("connect client: %w", err) } diff --git a/codersdk/aibridge.go b/codersdk/aibridge.go index 9bb7df0aac..d04359acb3 100644 --- a/codersdk/aibridge.go +++ b/codersdk/aibridge.go @@ -435,3 +435,71 @@ func (c *Client) DeleteGroupAIBudget(ctx context.Context, group uuid.UUID) error } return nil } + +type UserAIBudgetOverride struct { + UserID uuid.UUID `json:"user_id" format:"uuid"` + GroupID uuid.UUID `json:"group_id" format:"uuid"` + SpendLimitMicros int64 `json:"spend_limit_micros"` + CreatedAt time.Time `json:"created_at" format:"date-time"` + UpdatedAt time.Time `json:"updated_at" format:"date-time"` +} + +type UpsertUserAIBudgetOverrideRequest struct { + // GroupID is the group the user's spend is attributed to. The user must + // be a member of this group. + GroupID uuid.UUID `json:"group_id" format:"uuid" validate:"required"` + SpendLimitMicros int64 `json:"spend_limit_micros" validate:"gte=0"` +} + +// UserAIBudgetOverride returns the AI spend budget override configured for the given user. +func (c *Client) UserAIBudgetOverride(ctx context.Context, user uuid.UUID) (UserAIBudgetOverride, error) { + res, err := c.Request(ctx, http.MethodGet, + fmt.Sprintf("/api/v2/users/%s/ai/budget", user.String()), + nil, + ) + if err != nil { + return UserAIBudgetOverride{}, xerrors.Errorf("make request: %w", err) + } + defer res.Body.Close() + + if res.StatusCode != http.StatusOK { + return UserAIBudgetOverride{}, ReadBodyAsError(res) + } + var resp UserAIBudgetOverride + return resp, json.NewDecoder(res.Body).Decode(&resp) +} + +// UpsertUserAIBudgetOverride creates or updates the AI spend budget override for the given user. +func (c *Client) UpsertUserAIBudgetOverride(ctx context.Context, user uuid.UUID, req UpsertUserAIBudgetOverrideRequest) (UserAIBudgetOverride, error) { + res, err := c.Request(ctx, http.MethodPut, + fmt.Sprintf("/api/v2/users/%s/ai/budget", user.String()), + req, + ) + if err != nil { + return UserAIBudgetOverride{}, xerrors.Errorf("make request: %w", err) + } + defer res.Body.Close() + + if res.StatusCode != http.StatusOK { + return UserAIBudgetOverride{}, ReadBodyAsError(res) + } + var resp UserAIBudgetOverride + return resp, json.NewDecoder(res.Body).Decode(&resp) +} + +// DeleteUserAIBudgetOverride removes the AI spend budget override for the given user. +func (c *Client) DeleteUserAIBudgetOverride(ctx context.Context, user uuid.UUID) error { + res, err := c.Request(ctx, http.MethodDelete, + fmt.Sprintf("/api/v2/users/%s/ai/budget", user.String()), + nil, + ) + if err != nil { + return xerrors.Errorf("make request: %w", err) + } + defer res.Body.Close() + + if res.StatusCode != http.StatusNoContent { + return ReadBodyAsError(res) + } + return nil +} diff --git a/codersdk/aiproviders.go b/codersdk/aiproviders.go index fe34b9c03c..7b513340bc 100644 --- a/codersdk/aiproviders.go +++ b/codersdk/aiproviders.go @@ -188,8 +188,9 @@ type AIProviderKey struct { // CreateAIProviderRequest is the payload for creating a new AI // provider. Name and Type are required. APIKeys carries the plaintext -// keys for OpenAI/Anthropic providers; Bedrock providers authenticate -// via Settings and must omit APIKeys. +// keys for OpenAI/Anthropic providers; Bedrock and Copilot providers +// must omit APIKeys (Bedrock authenticates via Settings, Copilot via +// request-time GitHub OAuth tokens). type CreateAIProviderRequest struct { Type AIProviderType `json:"type"` Name string `json:"name"` @@ -209,6 +210,7 @@ func (req CreateAIProviderRequest) Validate() []ValidationError { AIProviderTypeAnthropic, AIProviderTypeAzure, AIProviderTypeBedrock, + AIProviderTypeCopilot, AIProviderTypeGoogle, AIProviderTypeOpenAICompat, AIProviderTypeOpenrouter, @@ -244,6 +246,12 @@ func (req CreateAIProviderRequest) Validate() []ValidationError { Detail: "type=bedrock does not accept api_keys", }) } + if req.Type == AIProviderTypeCopilot && len(req.APIKeys) > 0 { + validations = append(validations, ValidationError{ + Field: "api_keys", + Detail: "type=copilot does not accept api_keys", + }) + } return validations } diff --git a/codersdk/apikey_scopes_gen.go b/codersdk/apikey_scopes_gen.go index 7bad39ccc2..450a5221f0 100644 --- a/codersdk/apikey_scopes_gen.go +++ b/codersdk/apikey_scopes_gen.go @@ -6,6 +6,10 @@ const ( APIKeyScopeAll APIKeyScope = "all" // Deprecated: use codersdk.APIKeyScopeCoderApplicationConnect instead. APIKeyScopeApplicationConnect APIKeyScope = "application_connect" + APIKeyScopeAiGatewayKeyAll APIKeyScope = "ai_gateway_key:*" + APIKeyScopeAiGatewayKeyCreate APIKeyScope = "ai_gateway_key:create" + APIKeyScopeAiGatewayKeyDelete APIKeyScope = "ai_gateway_key:delete" + APIKeyScopeAiGatewayKeyRead APIKeyScope = "ai_gateway_key:read" APIKeyScopeAiModelPriceAll APIKeyScope = "ai_model_price:*" APIKeyScopeAiModelPriceRead APIKeyScope = "ai_model_price:read" APIKeyScopeAiModelPriceUpdate APIKeyScope = "ai_model_price:update" @@ -40,6 +44,10 @@ const ( APIKeyScopeAuditLogAll APIKeyScope = "audit_log:*" APIKeyScopeAuditLogCreate APIKeyScope = "audit_log:create" APIKeyScopeAuditLogRead APIKeyScope = "audit_log:read" + APIKeyScopeBoundaryLogAll APIKeyScope = "boundary_log:*" + APIKeyScopeBoundaryLogCreate APIKeyScope = "boundary_log:create" + APIKeyScopeBoundaryLogDelete APIKeyScope = "boundary_log:delete" + APIKeyScopeBoundaryLogRead APIKeyScope = "boundary_log:read" APIKeyScopeBoundaryUsageAll APIKeyScope = "boundary_usage:*" APIKeyScopeBoundaryUsageDelete APIKeyScope = "boundary_usage:delete" APIKeyScopeBoundaryUsageRead APIKeyScope = "boundary_usage:read" diff --git a/codersdk/audit.go b/codersdk/audit.go index eceae40649..e58bbb71f7 100644 --- a/codersdk/audit.go +++ b/codersdk/audit.go @@ -48,6 +48,7 @@ const ( ResourceTypeAISeat ResourceType = "ai_seat" ResourceTypeAIProvider ResourceType = "ai_provider" ResourceTypeAIProviderKey ResourceType = "ai_provider_key" + ResourceTypeAIGatewayKey ResourceType = "ai_gateway_key" ResourceTypeGroupAIBudget ResourceType = "group_ai_budget" ResourceTypeChat ResourceType = "chat" ResourceTypeUserSecret ResourceType = "user_secret" @@ -116,6 +117,8 @@ func (r ResourceType) FriendlyString() string { return "ai provider" case ResourceTypeAIProviderKey: return "ai provider key" + case ResourceTypeAIGatewayKey: + return "ai gateway key" case ResourceTypeGroupAIBudget: return "group ai budget" case ResourceTypeChat: diff --git a/codersdk/chats.go b/codersdk/chats.go index c6deeb35aa..bcf235f590 100644 --- a/codersdk/chats.go +++ b/codersdk/chats.go @@ -1525,15 +1525,16 @@ type ChatStreamStatus struct { type ChatErrorKind string const ( - ChatErrorKindGeneric ChatErrorKind = "generic" - ChatErrorKindOverloaded ChatErrorKind = "overloaded" - ChatErrorKindRateLimit ChatErrorKind = "rate_limit" - ChatErrorKindTimeout ChatErrorKind = "timeout" - ChatErrorKindStartupTimeout ChatErrorKind = "startup_timeout" - ChatErrorKindAuth ChatErrorKind = "auth" - ChatErrorKindConfig ChatErrorKind = "config" - ChatErrorKindUsageLimit ChatErrorKind = "usage_limit" - ChatErrorKindMissingKey ChatErrorKind = "missing_key" + ChatErrorKindGeneric ChatErrorKind = "generic" + ChatErrorKindOverloaded ChatErrorKind = "overloaded" + ChatErrorKindRateLimit ChatErrorKind = "rate_limit" + ChatErrorKindTimeout ChatErrorKind = "timeout" + ChatErrorKindStartupTimeout ChatErrorKind = "startup_timeout" + ChatErrorKindAuth ChatErrorKind = "auth" + ChatErrorKindConfig ChatErrorKind = "config" + ChatErrorKindUsageLimit ChatErrorKind = "usage_limit" + ChatErrorKindMissingKey ChatErrorKind = "missing_key" + ChatErrorKindProviderDisabled ChatErrorKind = "provider_disabled" ) // AllChatErrorKinds contains every ChatErrorKind value. @@ -1548,6 +1549,7 @@ var AllChatErrorKinds = []ChatErrorKind{ ChatErrorKindConfig, ChatErrorKindUsageLimit, ChatErrorKindMissingKey, + ChatErrorKindProviderDisabled, } // ChatError represents a terminal chat error in persisted chat state or the diff --git a/codersdk/deployment.go b/codersdk/deployment.go index 3fb36c587f..8164222831 100644 --- a/codersdk/deployment.go +++ b/codersdk/deployment.go @@ -1700,6 +1700,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet { } // AI Gateway options + aiGatewayProviderSeedingDeprecated := "Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. " aiGatewayEnabled := serpent.Option{ Name: "AI Gateway Enabled", Description: "Whether to start an in-memory AI Gateway instance.", @@ -1712,7 +1713,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet { } aiGatewayOpenAIBaseURL := serpent.Option{ Name: "AI Gateway OpenAI Base URL", - Description: "The base URL of the OpenAI API.", + Description: aiGatewayProviderSeedingDeprecated + "The base URL of the OpenAI API.", Flag: "ai-gateway-openai-base-url", Env: "CODER_AI_GATEWAY_OPENAI_BASE_URL", Value: &c.AI.BridgeConfig.LegacyOpenAI.BaseURL, @@ -1722,7 +1723,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet { } aiGatewayOpenAIKey := serpent.Option{ Name: "AI Gateway OpenAI Key", - Description: "The key to authenticate against the OpenAI API.", + Description: aiGatewayProviderSeedingDeprecated + "The key to authenticate against the OpenAI API.", Flag: "ai-gateway-openai-key", Env: "CODER_AI_GATEWAY_OPENAI_KEY", Value: &c.AI.BridgeConfig.LegacyOpenAI.Key, @@ -1732,7 +1733,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet { } aiGatewayAnthropicBaseURL := serpent.Option{ Name: "AI Gateway Anthropic Base URL", - Description: "The base URL of the Anthropic API.", + Description: aiGatewayProviderSeedingDeprecated + "The base URL of the Anthropic API.", Flag: "ai-gateway-anthropic-base-url", Env: "CODER_AI_GATEWAY_ANTHROPIC_BASE_URL", Value: &c.AI.BridgeConfig.LegacyAnthropic.BaseURL, @@ -1742,7 +1743,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet { } aiGatewayAnthropicKey := serpent.Option{ Name: "AI Gateway Anthropic Key", - Description: "The key to authenticate against the Anthropic API.", + Description: aiGatewayProviderSeedingDeprecated + "The key to authenticate against the Anthropic API.", Flag: "ai-gateway-anthropic-key", Env: "CODER_AI_GATEWAY_ANTHROPIC_KEY", Value: &c.AI.BridgeConfig.LegacyAnthropic.Key, @@ -1751,30 +1752,28 @@ func (c *DeploymentValues) Options() serpent.OptionSet { Annotations: serpent.Annotations{}.Mark(annotationSecretKey, "true"), } aiGatewayBedrockBaseURL := serpent.Option{ - Name: "AI Gateway Bedrock Base URL", - Description: "The base URL to use for the AWS Bedrock API. Use this setting to specify an exact URL to use. Takes precedence " + - "over CODER_AI_GATEWAY_BEDROCK_REGION.", - Flag: "ai-gateway-bedrock-base-url", - Env: "CODER_AI_GATEWAY_BEDROCK_BASE_URL", - Value: &c.AI.BridgeConfig.LegacyBedrock.BaseURL, - Default: "", - Group: &deploymentGroupAIGateway, - YAML: "bedrock_base_url", + Name: "AI Gateway Bedrock Base URL", + Description: aiGatewayProviderSeedingDeprecated + "The base URL to use for the AWS Bedrock API. Use this setting to specify an exact URL to use. Takes precedence over CODER_AI_GATEWAY_BEDROCK_REGION.", + Flag: "ai-gateway-bedrock-base-url", + Env: "CODER_AI_GATEWAY_BEDROCK_BASE_URL", + Value: &c.AI.BridgeConfig.LegacyBedrock.BaseURL, + Default: "", + Group: &deploymentGroupAIGateway, + YAML: "bedrock_base_url", } aiGatewayBedrockRegion := serpent.Option{ - Name: "AI Gateway Bedrock Region", - Description: "The AWS Bedrock API region to use. Constructs a base URL to use for the AWS Bedrock API in the form of " + - "'https://bedrock-runtime..amazonaws.com'.", - Flag: "ai-gateway-bedrock-region", - Env: "CODER_AI_GATEWAY_BEDROCK_REGION", - Value: &c.AI.BridgeConfig.LegacyBedrock.Region, - Default: "", - Group: &deploymentGroupAIGateway, - YAML: "bedrock_region", + Name: "AI Gateway Bedrock Region", + Description: aiGatewayProviderSeedingDeprecated + "The AWS Bedrock API region to use. Constructs a base URL to use for the AWS Bedrock API in the form of 'https://bedrock-runtime..amazonaws.com'.", + Flag: "ai-gateway-bedrock-region", + Env: "CODER_AI_GATEWAY_BEDROCK_REGION", + Value: &c.AI.BridgeConfig.LegacyBedrock.Region, + Default: "", + Group: &deploymentGroupAIGateway, + YAML: "bedrock_region", } aiGatewayBedrockAccessKey := serpent.Option{ Name: "AI Gateway Bedrock Access Key", - Description: "The access key to authenticate against the AWS Bedrock API.", + Description: aiGatewayProviderSeedingDeprecated + "The access key to authenticate against the AWS Bedrock API.", Flag: "ai-gateway-bedrock-access-key", Env: "CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY", Value: &c.AI.BridgeConfig.LegacyBedrock.AccessKey, @@ -1784,7 +1783,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet { } aiGatewayBedrockAccessKeySecret := serpent.Option{ Name: "AI Gateway Bedrock Access Key Secret", - Description: "The access key secret to use with the access key to authenticate against the AWS Bedrock API.", + Description: aiGatewayProviderSeedingDeprecated + "The access key secret to use with the access key to authenticate against the AWS Bedrock API.", Flag: "ai-gateway-bedrock-access-key-secret", Env: "CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET", Value: &c.AI.BridgeConfig.LegacyBedrock.AccessKeySecret, @@ -1794,7 +1793,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet { } aiGatewayBedrockModel := serpent.Option{ Name: "AI Gateway Bedrock Model", - Description: "The model to use when making requests to the AWS Bedrock API.", + Description: aiGatewayProviderSeedingDeprecated + "The model to use when making requests to the AWS Bedrock API.", Flag: "ai-gateway-bedrock-model", Env: "CODER_AI_GATEWAY_BEDROCK_MODEL", Value: &c.AI.BridgeConfig.LegacyBedrock.Model, @@ -1804,7 +1803,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet { } aiGatewayBedrockSmallFastModel := serpent.Option{ Name: "AI Gateway Bedrock Small Fast Model", - Description: "The small fast model to use when making requests to the AWS Bedrock API. Claude Code uses Haiku-class models to perform background tasks. See https://docs.claude.com/en/docs/claude-code/settings#environment-variables.", + Description: aiGatewayProviderSeedingDeprecated + "The small fast model to use when making requests to the AWS Bedrock API. Claude Code uses Haiku-class models to perform background tasks. See https://docs.claude.com/en/docs/claude-code/settings#environment-variables.", Flag: "ai-gateway-bedrock-small-fastmodel", Env: "CODER_AI_GATEWAY_BEDROCK_SMALL_FAST_MODEL", Value: &c.AI.BridgeConfig.LegacyBedrock.SmallFastModel, diff --git a/codersdk/rbacresources_gen.go b/codersdk/rbacresources_gen.go index 11b6488182..622c59c54b 100644 --- a/codersdk/rbacresources_gen.go +++ b/codersdk/rbacresources_gen.go @@ -5,6 +5,7 @@ type RBACResource string const ( ResourceWildcard RBACResource = "*" + ResourceAIGatewayKey RBACResource = "ai_gateway_key" ResourceAiModelPrice RBACResource = "ai_model_price" ResourceAIProvider RBACResource = "ai_provider" ResourceAiSeat RBACResource = "ai_seat" @@ -13,6 +14,7 @@ const ( ResourceAssignOrgRole RBACResource = "assign_org_role" ResourceAssignRole RBACResource = "assign_role" ResourceAuditLog RBACResource = "audit_log" + ResourceBoundaryLog RBACResource = "boundary_log" ResourceBoundaryUsage RBACResource = "boundary_usage" ResourceChat RBACResource = "chat" ResourceConnectionLog RBACResource = "connection_log" @@ -81,6 +83,7 @@ const ( // said resource type. var RBACResourceActions = map[RBACResource][]RBACAction{ ResourceWildcard: {}, + ResourceAIGatewayKey: {ActionCreate, ActionDelete, ActionRead}, ResourceAiModelPrice: {ActionRead, ActionUpdate}, ResourceAIProvider: {ActionCreate, ActionDelete, ActionRead, ActionUpdate}, ResourceAiSeat: {ActionCreate, ActionRead}, @@ -89,6 +92,7 @@ var RBACResourceActions = map[RBACResource][]RBACAction{ ResourceAssignOrgRole: {ActionAssign, ActionCreate, ActionDelete, ActionRead, ActionUnassign, ActionUpdate}, ResourceAssignRole: {ActionAssign, ActionRead, ActionUnassign}, ResourceAuditLog: {ActionCreate, ActionRead}, + ResourceBoundaryLog: {ActionCreate, ActionDelete, ActionRead}, ResourceBoundaryUsage: {ActionDelete, ActionRead, ActionUpdate}, ResourceChat: {ActionCreate, ActionDelete, ActionRead, ActionShare, ActionUpdate}, ResourceConnectionLog: {ActionRead, ActionUpdate}, diff --git a/codersdk/toolsdk/toolsdk_test.go b/codersdk/toolsdk/toolsdk_test.go index 41bb6fe28a..bd4949baaa 100644 --- a/codersdk/toolsdk/toolsdk_test.go +++ b/codersdk/toolsdk/toolsdk_test.go @@ -4,12 +4,12 @@ import ( "context" "database/sql" "encoding/json" + "flag" "fmt" "net/http" "net/http/httptest" "os" "path/filepath" - "runtime" "sort" "sync" "testing" @@ -1048,9 +1048,6 @@ func TestTools(t *testing.T) { }) t.Run("WorkspaceSSHExec", func(t *testing.T) { - if runtime.GOOS == "windows" { - t.Skip("WorkspaceSSHExec is not supported on Windows") - } // Setup workspace exactly like main SSH tests client, workspace, agentToken := setupWorkspaceForAgent(t, nil) @@ -1076,7 +1073,7 @@ func TestTools(t *testing.T) { // Test output trimming result, err = testTool(t, toolsdk.WorkspaceBash, tb, toolsdk.WorkspaceBashArgs{ Workspace: workspace.Name, - Command: "echo -e '\\n test with whitespace \\n'", + Command: "echo ' test with whitespace '", }) require.NoError(t, err) require.Equal(t, 0, result.ExitCode) @@ -2576,29 +2573,31 @@ func TestMain(m *testing.M) { var untested []string for _, tool := range toolsdk.All { if tested, ok := testedTools.Load(tool.Name); !ok || !tested.(bool) { - // Test is skipped on Windows - if runtime.GOOS == "windows" && tool.Name == "coder_workspace_bash" { - continue - } untested = append(untested, tool.Name) } } if len(untested) > 0 && code == 0 { - code = 1 - println("The following tools were not tested:") + _, _ = fmt.Fprintln(os.Stderr, "The following tools were not tested:") for _, tool := range untested { - println(" - " + tool) + _, _ = fmt.Fprintf(os.Stderr, " - %s\n", tool) + } + _, _ = fmt.Fprintln(os.Stderr, "Please ensure that all tools are tested using testTool().") + _, _ = fmt.Fprintln(os.Stderr, "If you just added a new tool, please add a test for it.") + // Only fail when the full suite ran. When -run filters to a + // subset (e.g. CI flake checks use -run ^TestTools), tools + // covered by other top-level functions appear untested. + if f := flag.Lookup("test.run"); f == nil || f.Value.String() == "" { + code = 1 + } else { + _, _ = fmt.Fprintln(os.Stderr, "NOTE: if you just ran an individual test, this is expected.") } - println("Please ensure that all tools are tested using testTool().") - println("If you just added a new tool, please add a test for it.") - println("NOTE: if you just ran an individual test, this is expected.") } // Check for goroutine leaks. Below is adapted from goleak.VerifyTestMain: if code == 0 { if err := goleak.Find(testutil.GoleakOptions...); err != nil { - println("goleak: Errors on successful test run: ", err.Error()) + _, _ = fmt.Fprintln(os.Stderr, "goleak: Errors on successful test run:", err.Error()) code = 1 } } diff --git a/docs/about/contributing/CONTRIBUTING.md b/docs/about/contributing/CONTRIBUTING.md index 164d52df24..16795b188a 100644 --- a/docs/about/contributing/CONTRIBUTING.md +++ b/docs/about/contributing/CONTRIBUTING.md @@ -58,7 +58,11 @@ Learn more [how Nix works](https://nixos.org/guides/how-nix-works). If you're not using the Nix environment, you can launch a local [DevContainer](https://github.com/coder/coder/tree/main/.devcontainer) to get a fully configured development environment. -DevContainers are supported in tools like **VS Code** and **GitHub Codespaces**, and come preloaded with all required dependencies: Docker, Go, Node.js with `pnpm`, and `make`. +DevContainers are supported in tools like **VS Code** and **GitHub Codespaces**, and come preloaded with all required dependencies: Docker, Go, Node.js with `pnpm`, `mise`, and `make`. + +For manual setup outside Nix and DevContainers, install Docker, `mise`, and +`make`. Run `mise install` from the repository root to install Go, Node.js +with `pnpm`, and development tools at the versions pinned in `mise.toml`. diff --git a/docs/about/contributing/backend.md b/docs/about/contributing/backend.md index bc159fe580..c568d53cd7 100644 --- a/docs/about/contributing/backend.md +++ b/docs/about/contributing/backend.md @@ -169,9 +169,9 @@ There are two types of fixtures that are used to test that migrations don't break existing Coder deployments: * Partial fixtures - [`migrations/testdata/fixtures`](../../../coderd/database/migrations/testdata/fixtures) + [`migrations/testdata/fixtures`](https://github.com/coder/coder/tree/main/coderd/database/migrations/testdata/fixtures) * Full database dumps - [`migrations/testdata/full_dumps`](../../../coderd/database/migrations/testdata/full_dumps) + [`migrations/testdata/full_dumps`](https://github.com/coder/coder/tree/main/coderd/database/migrations/testdata/full_dumps) Both types behave like database migrations (they also [`migrate`](https://github.com/golang-migrate/migrate)). Their behavior mirrors @@ -194,7 +194,7 @@ To add a new partial fixture, run the following command: ``` Then add some queries to insert data and commit the file to the repo. See -[`000024_example.up.sql`](../../../coderd/database/migrations/testdata/fixtures/000024_example.up.sql) +[`000024_example.up.sql`](https://github.com/coder/coder/blob/main/coderd/database/migrations/testdata/fixtures/000024_example.up.sql) for an example. To create a full dump, run a fully fledged Coder deployment and use it to diff --git a/docs/admin/infrastructure/architecture.md b/docs/admin/infrastructure/architecture.md index c409feeba9..7576712ef3 100644 --- a/docs/admin/infrastructure/architecture.md +++ b/docs/admin/infrastructure/architecture.md @@ -142,7 +142,7 @@ as OpenAI and Anthropic. Users authenticate through Coder instead of managing se provider API keys. All prompts, token usage, and tool invocations are recorded for compliance and cost tracking. -Learn more: [AI Gateway](../../ai-coder/ai-gateway) +Learn more: [AI Gateway](../../ai-coder/ai-gateway/index.md) ### Agent Firewall diff --git a/docs/admin/security/0001_user_apikeys_invalidation.md b/docs/admin/security/0001_user_apikeys_invalidation.md deleted file mode 100644 index 203a891766..0000000000 --- a/docs/admin/security/0001_user_apikeys_invalidation.md +++ /dev/null @@ -1,89 +0,0 @@ -# API Tokens of deleted users not invalidated - ---- - -## Summary - -Coder identified an issue in -[https://github.com/coder/coder](https://github.com/coder/coder) where API -tokens belonging to a deleted user were not invalidated. A deleted user in -possession of a valid and non-expired API token is still able to use the above -token with their full suite of capabilities. - -## Impact: HIGH - -If exploited, an attacker could perform any action that the deleted user was -authorized to perform. - -## Exploitability: HIGH - -The CLI writes the API key to `~/.coderv2/session` by default, so any deleted -user who previously logged in via the Coder CLI has the potential to exploit -this. Note that there is a time window for exploitation; API tokens have a -maximum lifetime after which they are no longer valid. - -The issue only affects users who were active (not suspended) at the time they -were deleted. Users who were first suspended and later deleted cannot exploit -this issue. - -## Affected Versions - -All versions of Coder between v0.8.15 and v0.22.2 (inclusive) are affected. - -All customers are advised to upgrade to -[v0.23.0](https://github.com/coder/coder/releases/tag/v0.23.0) as soon as -possible. - -## Details - -Coder incorrectly failed to invalidate API keys belonging to a user when they -were deleted. When authenticating a user via their API key, Coder incorrectly -failed to check whether the API key corresponds to a deleted user. - -## Indications of Compromise - -> [!TIP] -> Automated remediation steps in the upgrade purge all affected API keys. -> Either perform the following query before upgrade or run it on a backup of -> your database from before the upgrade. - -Execute the following SQL query: - -```sql -SELECT - users.email, - users.updated_at, - api_keys.id, - api_keys.last_used -FROM - users -LEFT JOIN - api_keys -ON - api_keys.user_id = users.id -WHERE - users.deleted -AND - api_keys.last_used > users.updated_at -; -``` - -If the output is similar to the below, then you are not affected: - -```sql ------ -(0 rows) -``` - -Otherwise, the following information will be reported: - -- User email -- Time the user was last modified (i.e. deleted) -- User API key ID -- Time the affected API key was last used - -> [!TIP] -> If your license includes the -> [Audit Logs](https://coder.com/docs/admin/audit-logs#filtering-logs) feature, -> you can then query all actions performed by the above users by using the -> filter `email:$USER_EMAIL`. diff --git a/docs/admin/security/audit-logs.md b/docs/admin/security/audit-logs.md index 712724e064..6e65c5fec5 100644 --- a/docs/admin/security/audit-logs.md +++ b/docs/admin/security/audit-logs.md @@ -15,6 +15,7 @@ We track the following resources: | Resource | | | |-----------------------------------------------------------------|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| AIGatewayKey
create, delete | |
FieldTracked
created_atfalse
hashed_secrettrue
idtrue
last_used_atfalse
nametrue
secret_prefixtrue
| | AIProvider
create, write, delete | |
FieldTracked
base_urltrue
created_atfalse
deletedtrue
display_nametrue
enabledtrue
idtrue
nametrue
settingstrue
settings_key_idfalse
typetrue
updated_atfalse
| | AIProviderKey
create, delete | |
FieldTracked
api_keytrue
api_key_key_idfalse
created_atfalse
idtrue
provider_idtrue
updated_atfalse
| | APIKey
login, logout, register, create, write, delete | |
FieldTracked
allow_listfalse
created_attrue
expires_attrue
hashed_secretfalse
idfalse
ip_addressfalse
last_usedtrue
lifetime_secondsfalse
login_typefalse
scopesfalse
token_namefalse
updated_atfalse
user_idtrue
| diff --git a/docs/admin/security/index.md b/docs/admin/security/index.md index 37028093f8..f6684519e8 100644 --- a/docs/admin/security/index.md +++ b/docs/admin/security/index.md @@ -11,17 +11,6 @@ For other security tips, visit our guide to > If you discover a vulnerability in Coder, please do not hesitate to report it > to us by following the [security policy](https://github.com/coder/coder/blob/main/SECURITY.md). -From time to time, Coder employees or other community members may discover -vulnerabilities in the product. - -If a vulnerability requires an immediate upgrade to mitigate a potential -security risk, we will add it to the below table. - -Click on the description links to view more details about each specific -vulnerability. - ---- - -| Description | Severity | Fix | Vulnerable Versions | -|-----------------------------------------------------------------------------------------------------------------------------------------------|----------|----------------------------------------------------------------|---------------------| -| [API tokens of deleted users not invalidated](https://github.com/coder/coder/blob/main/docs/admin/security/0001_user_apikeys_invalidation.md) | HIGH | [v0.23.0](https://github.com/coder/coder/releases/tag/v0.23.0) | v0.8.25 - v0.22.2 | +Security advisories are published on the +[GitHub Security Advisories](https://github.com/coder/coder/security/advisories) +page. diff --git a/docs/admin/templates/extending-templates/web-ides.md b/docs/admin/templates/extending-templates/web-ides.md index 4240dfe552..dae3fc593b 100644 --- a/docs/admin/templates/extending-templates/web-ides.md +++ b/docs/admin/templates/extending-templates/web-ides.md @@ -55,7 +55,7 @@ resource "coder_agent" "main" { For advanced use, we recommend installing code-server in your VM snapshot or container image. Here's a Dockerfile which leverages some special -[code-server features](https://coder.com/docs/code-server/): +[code-server features](https://coder.com/docs/code-server): ```Dockerfile FROM codercom/enterprise-base:ubuntu diff --git a/docs/ai-coder/agent-firewall/index.md b/docs/ai-coder/agent-firewall/index.md index d5d2921097..8fe5192756 100644 --- a/docs/ai-coder/agent-firewall/index.md +++ b/docs/ai-coder/agent-firewall/index.md @@ -48,8 +48,8 @@ In your Terraform module, enable Agent Firewall with minimal configuration: ```tf module "claude-code" { - source = "dev.registry.coder.com/coder/claude-code/coder" - version = "4.7.0" + source = "registry.coder.com/coder/claude-code/coder" + version = "5.2.0" enable_boundary = true } ``` @@ -59,7 +59,7 @@ Claude Code module, use the following minimal configuration: ```yaml allowlist: - - "domain=dev.coder.com" # Required - use your Coder deployment domain + - "domain=coder.example.com" # Required - use your Coder deployment domain - "domain=api.anthropic.com" # Required - API endpoint for Claude - "domain=statsig.anthropic.com" # Required - Feature flags and analytics - "domain=claude.ai" # Recommended - WebFetch/WebSearch features @@ -225,5 +225,5 @@ such as Grafana Loki. Example of an allowed request (assuming stderr): ```console -2026-01-16 00:11:40.564 [info] coderd.agentrpc: boundary_request owner=joe workspace_name=some-task-c88d agent_name=dev decision=allow workspace_id=f2bd4e9f-7e27-49fc-961e-be4d1c2aa987 http_method=GET http_url=https://dev.coder.com event_time=2026-01-16T00:11:39.388607657Z matched_rule=domain=dev.coder.com request_id=9f30d667-1fc9-47ba-b9e5-8eac46e0abef trace=478b2b45577307c4fd1bcfc64fad6ffb span=9ece4bc70c311edb +2026-01-16 00:11:40.564 [info] coderd.agentrpc: boundary_request owner=joe workspace_name=some-task-c88d agent_name=dev decision=allow workspace_id=f2bd4e9f-7e27-49fc-961e-be4d1c2aa987 http_method=GET http_url=https://coder.example.com event_time=2026-01-16T00:11:39.388607657Z matched_rule=domain=coder.example.com request_id=9f30d667-1fc9-47ba-b9e5-8eac46e0abef trace=478b2b45577307c4fd1bcfc64fad6ffb span=9ece4bc70c311edb ``` diff --git a/docs/ai-coder/agents/chat-sharing.md b/docs/ai-coder/agents/chat-sharing.md new file mode 100644 index 0000000000..89a9391d0e --- /dev/null +++ b/docs/ai-coder/agents/chat-sharing.md @@ -0,0 +1,24 @@ +# Chat Sharing + +Chat sharing lets you give other users or groups read-only access to a Coder Agents conversation. + +## Share a chat + +1. Open the chat you want to share on the **Agents** page. Only top-level chats can be shared; sub-agent chats inherit sharing from their parent. +1. Click the share icon in the chat top bar. +1. Click the **Search for user or group** field. +1. Search for and select a user or group. +1. Click **Add member** to grant **Read** access. +1. Copy the chat URL from your browser and send it to the recipients. + +Coder does not create a separate share link or notify recipients. They must open the chat from the URL you send them. + +## Shared chat access + +Viewers can open the chat from a direct link, view messages, stream live updates, and download chat attachments. They reach sub-agent chats by following sub-agent links inside the parent chat or by opening a direct URL. + +Shared chats do not appear in the viewer's normal chat list. Viewers have read-only access: they cannot send or edit messages, regenerate the chat title, archive the chat, or change its sharing settings. + +## Disable chat sharing + +Administrators can disable chat sharing for a deployment with `--disable-chat-sharing`, `CODER_DISABLE_CHAT_SHARING`, or `disableChatSharing`. When disabled, only chat owners can access their chats. diff --git a/docs/ai-coder/ai-gateway/auth.md b/docs/ai-coder/ai-gateway/auth.md index d7bb48aa85..e35e4f3d6b 100644 --- a/docs/ai-coder/ai-gateway/auth.md +++ b/docs/ai-coder/ai-gateway/auth.md @@ -92,6 +92,10 @@ When no user credential is present, AI Gateway falls back to the admin-configure This approach offers centralized keys as a default, while allowing individual users to bring their own key. +> [!NOTE] +> When a BYOK credential is present, [key failover](./providers.md#key-failover) +> is skipped. + Visit individual [client pages](./clients/index.md) for configuration details. ### Enable or disable BYOK diff --git a/docs/ai-coder/ai-gateway/monitoring.md b/docs/ai-coder/ai-gateway/monitoring.md index 703938a891..7b9e680905 100644 --- a/docs/ai-coder/ai-gateway/monitoring.md +++ b/docs/ai-coder/ai-gateway/monitoring.md @@ -15,6 +15,46 @@ We provide an example Grafana dashboard that you can import as a starting point These logs and metrics can be used to determine usage patterns, track costs, and evaluate tooling adoption. +## Provider metrics + +`aibridged` (the in-process daemon) and `aibridgeproxyd` (the external +proxy) each export Prometheus metrics describing the configured +provider pool and its reload loop. See +[Provider Configuration](./providers.md) for the lifecycle these +metrics describe. + +| Metric | Type | Labels | Purpose | +|------------------------------------------------------------------------|---------|--------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------| +| `coder_aibridged_provider_info` | gauge | `provider_name`, `provider_type`, `status` | One series per configured provider. Value is always `1`; the `status` label (`enabled`, `disabled`, `error`) carries the alertable signal. | +| `coder_aibridged_providers_last_reload_timestamp_seconds` | gauge | | Unix timestamp of the last reload attempt, success or failure. | +| `coder_aibridged_providers_last_reload_success_timestamp_seconds` | gauge | | Unix timestamp of the last reload that successfully refreshed the pool. | +| `coder_aibridgeproxyd_provider_info` | gauge | `provider_name`, `provider_type`, `status` | Same shape as `aibridged_provider_info` but reported by the external proxy. | +| `coder_aibridgeproxyd_providers_last_reload_timestamp_seconds` | gauge | | Last reload attempt timestamp in `aibridgeproxyd`. | +| `coder_aibridgeproxyd_providers_last_reload_success_timestamp_seconds` | gauge | | Last successful reload timestamp in `aibridgeproxyd`. | +| `coder_aibridgeproxyd_connect_sessions_total` | counter | `type` (`mitm`, `tunneled`) | CONNECT sessions established by the proxy. | +| `coder_aibridgeproxyd_mitm_requests_total` | counter | `provider` | MITM requests handled. | +| `coder_aibridgeproxyd_inflight_mitm_requests` | gauge | `provider` | In-flight MITM requests. | +| `coder_aibridgeproxyd_mitm_responses_total` | counter | `code`, `provider` | MITM responses by HTTP status code. | + +### Suggested alerts + +Alert on any provider entering a non-`enabled` status: + +```promql +sum by (provider_name, status) (coder_aibridged_provider_info{status!="enabled"}) > 0 +``` + +Alert when the reload loop is firing but failing to refresh the pool +for longer than a few minutes: + +```promql +(coder_aibridged_providers_last_reload_timestamp_seconds + - coder_aibridged_providers_last_reload_success_timestamp_seconds) > 300 +``` + +Repeat the same query against `coder_aibridgeproxyd_*` if you run the +external proxy. + ## Structured Logging AI Bridge can emit structured logs for every interception event to your diff --git a/docs/ai-coder/ai-gateway/providers.md b/docs/ai-coder/ai-gateway/providers.md new file mode 100644 index 0000000000..084a3227db --- /dev/null +++ b/docs/ai-coder/ai-gateway/providers.md @@ -0,0 +1,214 @@ +# Provider Configuration + +> [!NOTE] +> AI Gateway requires the [AI Governance Add-On](../ai-governance.md). + +Providers are deployment-scoped and managed from the dashboard or the +[AI Providers API](../../reference/api/aiproviders.md). See +[Setup](./setup.md#configure-providers) for the steps to add, edit, and +disable a provider. + +This page covers the provider types AI Gateway supports, the setup +considerations for each, how a provider's lifecycle affects request +handling, and how to monitor providers. + +## Database management of providers + +> [!NOTE] +> Since v2.34, provider environment variables and flags, including +> `CODER_AI_GATEWAY_PROVIDER__*`, `CODER_AI_GATEWAY_OPENAI_*`, +> `CODER_AI_GATEWAY_ANTHROPIC_*`, and their `--aibridge/ai-gateway-*` +> equivalents, are deprecated. Provider configuration is now stored in +> the database, and any environment variables set on startup are used to +> seed it. +> +> This is a once-off operation. The environment variables have no effect +> once seeding has completed. +> +> **Any changes to the provider environment variables after seeding will +> cause the server to fail to start, to prevent operators from updating a +> configuration that is ineffectual.** +> +> The environment variables can be safely removed once seeding has +> completed. Visit `https:///ai/settings` to see which +> providers have been seeded. + +After seeding, manage providers through the dashboard or API. A provider +that has been edited or removed there is not recreated or overwritten +from the environment on the next restart. + +## Provider types + +AI Gateway speaks two upstream API formats: the **OpenAI** format +(Chat Completions and Responses) and the **Anthropic** format +(Messages). Every provider type maps to one of these. + +| Type | API format | Setup notes | +|-----------------|------------|-------------------------------------------------------------------| +| `openai` | OpenAI | Native OpenAI, or any OpenAI-compatible endpoint via the base URL | +| `anthropic` | Anthropic | Native Anthropic, or an Anthropic-compatible broker | +| `bedrock` | Anthropic | Anthropic models hosted on AWS Bedrock; authenticates via AWS | +| `copilot` | OpenAI | GitHub Copilot; authenticates via each user's GitHub OAuth token | +| `azure` | OpenAI | OpenAI-compatible endpoint only | +| `google` | OpenAI | OpenAI-compatible endpoint only | +| `openrouter` | OpenAI | OpenAI-compatible endpoint only | +| `vercel` | OpenAI | OpenAI-compatible endpoint only | +| `openai-compat` | OpenAI | Generic OpenAI-compatible endpoint | + +`azure`, `google`, `openrouter`, `vercel`, and `openai-compat` are +supported only as OpenAI-compatible endpoints: AI Gateway sends them +OpenAI-format requests, so each must expose an OpenAI-compatible API at +its base URL. They have no provider-specific integration beyond that. + +### OpenAI + +Set the base URL to the upstream endpoint and provide an API key. The +default `https://api.openai.com/v1/` targets the native OpenAI service; +point it at any OpenAI-compatible endpoint (for example, a hosted proxy +or LiteLLM deployment) when needed. + +If you create an [OpenAI key](https://platform.openai.com/api-keys) +with minimal privileges, this is the minimum required set: + +![List Models scope should be set to "Read", Model Capabilities set to "Request"](../../images/aibridge/openai_key_scope.png) + +### Anthropic + +Set the base URL and provide an API key. The default +`https://api.anthropic.com/` targets Anthropic's public API; override it +for Anthropic-compatible brokers. + +Anthropic does not allow [API keys](https://console.anthropic.com/settings/keys) +to have restricted permissions at the time of writing (June 2026). + +### Amazon Bedrock + +Bedrock providers serve Anthropic models hosted on AWS and authenticate +with AWS credentials rather than a registered API key. Configure: + +- A **region** (or a full base URL when routing through a proxy or a + non-standard endpoint that does not follow the + `https://bedrock-runtime..amazonaws.com` format). +- The **model** and **small fast model** identifiers. + +Do not attach API keys to a Bedrock provider. + +AI Gateway resolves AWS credentials one of two ways: + +- **AWS SDK default credential chain (recommended).** When no explicit + credentials are configured, the AWS SDK resolves them automatically + from the environment: IAM Roles (instance profiles, IRSA, ECS task + roles), shared config files, environment variables, SSO, and more. + Attaching an IAM Role to the compute running Coder follows + [AWS best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) + for temporary credentials. The role must permit `bedrock:InvokeModel` + and `bedrock:InvokeModelWithResponseStream` for the configured models. +- **Static credentials.** Provide an access key and secret for an IAM + user with the same Bedrock permissions. + +### GitHub Copilot + +GitHub Copilot offers three plans: Individual, Business, and Enterprise, +each with its own API endpoint. Add one `copilot` provider per plan your +organization uses, setting the base URL accordingly: + +| Plan | Base URL | +|------------|--------------------------------------------| +| Individual | `https://api.individual.githubcopilot.com` | +| Business | `https://api.business.githubcopilot.com` | +| Enterprise | `https://api.enterprise.githubcopilot.com` | + +Copilot providers authenticate with each user's request-time GitHub +OAuth token, so do not attach API keys. For client-side setup (proxy, +certificates, IDE configuration), see +[GitHub Copilot client configuration](./clients/copilot.md). + +### OpenAI-compatible providers + +Azure-hosted OpenAI, Google, OpenRouter, Vercel, and any other +OpenAI-compatible service are configured with the matching type (or the +generic `openai-compat`), the provider's OpenAI-compatible base URL, and +an API key. + +> [!NOTE] +> See the [Supported APIs](./reference.md#supported-apis) section for +> precise endpoint coverage and interception behavior. + +## Provider lifecycle + +Every provider carries an explicit status, surfaced through the +[`provider_info`](./monitoring.md#provider-metrics) metric and the API: + +| Status | Meaning | Effect on requests | +|------------|-------------------------------------------------------------------------------|--------------------------------------------------| +| `enabled` | Configuration is valid and the provider is serving traffic | Requests are proxied to the upstream | +| `disabled` | The provider exists but has been turned off | Requests are rejected with a non-retryable error | +| `error` | The provider is enabled but cannot be built (missing credentials, bad config) | Requests fail; the error is surfaced in metrics | + +Disabling a provider does not delete it, its credentials, or its +historical interception data. Re-enabling restores it to service. + +## Monitoring and reloads + +Provider configuration changes take effect automatically, without +restarting `coderd`. AI Gateway records the timestamp of each reload +attempt and each successful reload, exposed as Prometheus metrics: + +- `coder_aibridged_providers_last_reload_timestamp_seconds` +- `coder_aibridged_providers_last_reload_success_timestamp_seconds` + +If you run the [external proxy](./ai-gateway-proxy/index.md), it exposes +the same pair under the `coder_aibridgeproxyd_` prefix. + +A growing gap between the attempt and success timestamps means reloads +are firing but failing to apply. Alert on that gap rather than on a +single failure, which may resolve on the next change. See +[Monitoring](./monitoring.md#provider-metrics) for the full metric list +and sample alert queries. + +## Key failover + +You can configure multiple centralized API keys for a single provider instance +so that AI Gateway automatically retries with the next key when one fails. This +is transparent to end users, and clients see no difference in behavior or need +any configuration changes. + +Key failover is supported for **OpenAI** and **Anthropic** providers. Amazon +Bedrock and GitHub Copilot do not support key failover. + +Multiple keys can be added per provider through the +[AI Providers API](../../reference/api/aiproviders.md). Each provider supports +a maximum of **5 keys**. + +### Failover behavior + +Every request starts with the first key in the list. If a key is rate-limited +or returns an authentication error, AI Gateway automatically retries the request +with the next available key. + +> [!WARNING] +> A key that fails with an authentication error (`401 Unauthorized` or +> `403 Forbidden`) is permanently disabled and will not be used again until the +> server is restarted or the provider configuration is reloaded. + +If all keys in the pool are exhausted, AI Gateway returns: + +- `429 Too Many Requests` when at least one key is rate-limited, with a `Retry-After` header set to the shortest cooldown across all keys. +- `502 Bad Gateway` when every key has failed permanently. + +## Bring Your Own Key + +A provider's configured credentials are the centralized default. When +Bring Your Own Key (BYOK) is enabled, a user's own credential takes +precedence over the provider's for that user's requests, and AI Gateway +falls back to the provider credentials when the user has none. See +[Authentication](./auth.md#bring-your-own-key-byok) for the BYOK flow +and how to enable or disable it. + +## Failure modes + +| Symptom | Likely cause | Corrective action | +|------------------------------------------------|------------------------------------------------------------|------------------------------------------| +| Startup fails referencing an existing provider | Env config drifted from a provider already in the database | Remove the provider env vars and restart | +| Provider returns errors with no upstream call | The provider is `disabled` or in `error` status | Consult the server logs for details | +| Configuration changes not taking effect | Reloads are firing but failing to apply | Consult the server logs for details | diff --git a/docs/ai-coder/ai-gateway/setup.md b/docs/ai-coder/ai-gateway/setup.md index 27aed7c050..d0050ad965 100644 --- a/docs/ai-coder/ai-gateway/setup.md +++ b/docs/ai-coder/ai-gateway/setup.md @@ -2,20 +2,17 @@ AI Gateway runs inside the Coder control plane (`coderd`), requiring no separate compute to deploy or scale. Once enabled, `coderd` runs the `aibridged` in-memory and brokers traffic to your configured AI providers on behalf of authenticated users. -**Required**: - -1. The [AI Governance Add-On](../ai-governance.md) license. -1. Feature must be [enabled](#activation) using the server flag -1. One or more [providers](#configure-providers) API key(s) must be configured - > [!NOTE] -> AI Gateway environment variables and CLI flags have migrated to the new -> `CODER_AI_GATEWAY_*` and `--ai-gateway-*` naming scheme. The earlier -> `CODER_AIBRIDGE_*` and `--aibridge-*` names continue to work as aliases. +> Since v2.34, provider environment variables and flags are deprecated. +> Provider configuration is now stored in the database, and any +> environment variables set on startup are used to seed it once. See +> [Database management of providers](./providers.md#database-management-of-providers) +> for details. ## Activation -You will need to enable AI Gateway explicitly: +AI Gateway must be enabled in deployment config before users can authenticate +to it. ```sh export CODER_AI_GATEWAY_ENABLED=true @@ -24,224 +21,41 @@ coder server coder server --ai-gateway-enabled=true ``` +_AI Gateway is enabled by default as of v2.34._ + ## Configure Providers -AI Gateway proxies requests to upstream LLM APIs. Configure at least one provider before exposing AI Gateway to end users. +Configure at least one provider before exposing AI Gateway to end users. -
+Providers are deployment-scoped. Add them from the dashboard or the +[AI Providers API](../../reference/api/aiproviders.md). Changes take effect +without restarting `coderd`. -### OpenAI +### Dashboard -Set the following when routing [OpenAI-compatible](https://coder.com/docs/reference/cli/server#--ai-gateway-openai-key) traffic through AI Gateway: +1. Navigate to **Admin settings** > **AI** +1. Select **Providers** +1. Click **Add provider** +1. Select the provider type +1. Enter a unique lowercase name, the upstream endpoint, and the credentials +1. Save the provider -- `CODER_AI_GATEWAY_OPENAI_KEY` or `--ai-gateway-openai-key` -- `CODER_AI_GATEWAY_OPENAI_BASE_URL` or `--ai-gateway-openai-base-url` - -The default base URL (`https://api.openai.com/v1/`) works for the native OpenAI service. Point the base URL at your preferred OpenAI-compatible endpoint (for example, a hosted proxy or LiteLLM deployment) when needed. - -If you'd like to create an [OpenAI key](https://platform.openai.com/api-keys) with minimal privileges, this is the minimum required set: - -![List Models scope should be set to "Read", Model Capabilities set to "Request"](../../images/aibridge/openai_key_scope.png) - -### Anthropic - -Set the following when routing [Anthropic-compatible](https://coder.com/docs/reference/cli/server#--ai-gateway-anthropic-key) traffic through AI Gateway: - -- `CODER_AI_GATEWAY_ANTHROPIC_KEY` or `--ai-gateway-anthropic-key` -- `CODER_AI_GATEWAY_ANTHROPIC_BASE_URL` or `--ai-gateway-anthropic-base-url` - -The default base URL (`https://api.anthropic.com/`) targets Anthropic's public API. Override it for Anthropic-compatible brokers. - -Anthropic does not allow [API keys](https://console.anthropic.com/settings/keys) to have restricted permissions at the time of writing (Nov 2025). - -### Amazon Bedrock - -Set the following when routing [Amazon Bedrock](https://coder.com/docs/reference/cli/server#--ai-gateway-bedrock-region) traffic through AI Gateway: - -**Required:** - -- `CODER_AI_GATEWAY_BEDROCK_REGION` or `--ai-gateway-bedrock-region`. -Alternatively, set `CODER_AI_GATEWAY_BEDROCK_BASE_URL` or `--ai-gateway-bedrock-base-url` to a full URL (e.g., when routing through a proxy between AI Gateway and AWS Bedrock or using a non-standard endpoint that doesn't follow the `https://bedrock-runtime..amazonaws.com` format). -If both are set, `CODER_AI_GATEWAY_BEDROCK_BASE_URL` takes precedence. -- `CODER_AI_GATEWAY_BEDROCK_MODEL` or `--ai-gateway-bedrock-model` -- `CODER_AI_GATEWAY_BEDROCK_SMALL_FAST_MODEL` or `--ai-gateway-bedrock-small-fastmodel` +Each provider gets its own AI Gateway route at +`/api/v2/aibridge//`. > [!NOTE] -> These Bedrock settings configure AI Gateway only. To configure Bedrock as an -> Agents provider, see [Configuring AWS Bedrock](../agents/models.md#configuring-aws-bedrock). +> Provider names must be unique and use lowercase, hyphen-separated identifiers +> such as `anthropic-corp` or `azure-openai`. Once deleted, another provider +> may reuse the name. -**Optional:** +![AI Providers list page](../../images/aibridge/providers-list.png) -- `CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY` or `--ai-gateway-bedrock-access-key` -- `CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET` or `--ai-gateway-bedrock-access-key-secret` +![Add Anthropic provider form](../../images/aibridge/provider-add-anthropic.png) -#### Authentication +Open an existing provider to rotate credentials, update its endpoint, or +disable it without restarting `coderd`. -AI Gateway supports two credential configuration paths: - -##### AWS SDK default credential chain (recommended) - -When no credentials are set in AI Gateway config, the AWS SDK resolves them automatically from the environment. -This includes IAM Roles (instance profiles, IRSA, ECS task roles), shared config files, environment variables, SSO, and more. - -**IAM Roles are the recommended approach** when AI Gateway runs on AWS infrastructure. -Attach an IAM Role with Bedrock permissions to the compute running AI Gateway (EC2 instance, EKS pod via IRSA, or ECS task), no credentials need to be configured in AI Gateway itself. - -The IAM Role must have permission to invoke the Bedrock models configured for AI Gateway (`bedrock:InvokeModel` and `bedrock:InvokeModelWithResponseStream`). -See [Amazon Bedrock identity-based policy examples](https://docs.aws.amazon.com/bedrock/latest/userguide/security_iam_id-based-policy-examples.html) for policy examples, -and [AWS IAM role creation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) for general guidance on attaching roles to AWS services. - -This aligns with [AWS best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) for using temporary credentials instead of long-lived access keys. - -##### Static credentials - -For deployments when explicit credentials are preferred, provide an access key and secret for an IAM User: - -1. **Choose a region** where you want to use Bedrock. - -2. **Generate API keys** in the [AWS Bedrock console](https://us-east-1.console.aws.amazon.com/bedrock/home?region=us-east-1#/api-keys/long-term/create) (replace `us-east-1` in the URL with your chosen region): - - Choose an expiry period for the key. - - Click **Generate**. - - This creates an IAM user with strictly-scoped permissions for Bedrock access. - -3. **Create an access key** for the IAM user: - - After generating the API key, click **"You can directly modify permissions for the IAM user associated"**. - - In the IAM user page, navigate to the **Security credentials** tab. - - Under **Access keys**, click **Create access key**. - - Select **"Application running outside AWS"** as the use case. - - Click **Next**. - - Add a description like "Coder AI Gateway token". - - Click **Create access key**. - - Save both the access key ID and secret access key securely. - -4. **Configure your Coder deployment** with the credentials: - - ```sh - export CODER_AI_GATEWAY_BEDROCK_REGION=us-east-1 - export CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY= - export CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET= - coder server - ``` - -### GitHub Copilot - -GitHub Copilot offers three plans: Individual, Business, and Enterprise, -each with its own API endpoint. Configure one or more `copilot` providers -using the [indexed provider format](#multiple-instances-of-the-same-provider) -depending on which plans your organization uses. -Copilot providers use OAuth app installations for authentication rather than -static API keys. - -```sh -# GitHub Copilot (Individual) -export CODER_AI_GATEWAY_PROVIDER_0_TYPE=copilot -export CODER_AI_GATEWAY_PROVIDER_0_NAME=copilot - -# GitHub Copilot Business -export CODER_AI_GATEWAY_PROVIDER_1_TYPE=copilot -export CODER_AI_GATEWAY_PROVIDER_1_NAME=copilot-business -export CODER_AI_GATEWAY_PROVIDER_1_BASE_URL=https://api.business.githubcopilot.com - -# GitHub Copilot Enterprise -export CODER_AI_GATEWAY_PROVIDER_2_TYPE=copilot -export CODER_AI_GATEWAY_PROVIDER_2_NAME=copilot-enterprise -export CODER_AI_GATEWAY_PROVIDER_2_BASE_URL=https://api.enterprise.githubcopilot.com -``` - -The default base URL targets the individual Copilot API -(`api.individual.githubcopilot.com`). Override `CODER_AI_GATEWAY_PROVIDER__BASE_URL` -for Business or Enterprise tiers as shown above. - -For client-side setup (proxy, certificates, IDE configuration), see -[GitHub Copilot client configuration](./clients/copilot.md). - -### ChatGPT - -Configure a ChatGPT provider by creating an `openai`-typed instance with the -ChatGPT Codex base URL: - -```sh -export CODER_AI_GATEWAY_PROVIDER_0_TYPE=openai -export CODER_AI_GATEWAY_PROVIDER_0_NAME=chatgpt -export CODER_AI_GATEWAY_PROVIDER_0_BASE_URL=https://chatgpt.com/backend-api/codex -``` - -
- -> [!NOTE] -> See the [Supported APIs](./reference.md#supported-apis) section below for precise endpoint coverage and interception behavior. - -### Multiple instances of the same provider - -You can configure multiple instances of the same provider type, for example, to -route different teams to separate API keys, use different base URLs per region, or -connect to both a direct API and a proxy simultaneously. Use indexed environment -variables following the pattern `CODER_AI_GATEWAY_PROVIDER__`: - -```sh -# Anthropic routed through a corporate proxy -export CODER_AI_GATEWAY_PROVIDER_0_TYPE=anthropic -export CODER_AI_GATEWAY_PROVIDER_0_NAME=anthropic-corp -export CODER_AI_GATEWAY_PROVIDER_0_KEY=sk-ant-corp-xxx -export CODER_AI_GATEWAY_PROVIDER_0_BASE_URL=https://llm-proxy.internal.example.com/anthropic - -# Anthropic direct (for teams that need direct access) -export CODER_AI_GATEWAY_PROVIDER_1_TYPE=anthropic -export CODER_AI_GATEWAY_PROVIDER_1_NAME=anthropic-direct -export CODER_AI_GATEWAY_PROVIDER_1_KEY=sk-ant-direct-yyy - -# Azure-hosted OpenAI deployment -export CODER_AI_GATEWAY_PROVIDER_2_TYPE=openai -export CODER_AI_GATEWAY_PROVIDER_2_NAME=azure-openai -export CODER_AI_GATEWAY_PROVIDER_2_KEY=azure-key-zzz -export CODER_AI_GATEWAY_PROVIDER_2_BASE_URL=https://my-deployment.openai.azure.com/ - -# Anthropic via AWS Bedrock -export CODER_AI_GATEWAY_PROVIDER_3_TYPE=anthropic -export CODER_AI_GATEWAY_PROVIDER_3_NAME=anthropic-bedrock -export CODER_AI_GATEWAY_PROVIDER_3_BEDROCK_REGION=us-west-2 -export CODER_AI_GATEWAY_PROVIDER_3_BEDROCK_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE -export CODER_AI_GATEWAY_PROVIDER_3_BEDROCK_ACCESS_KEY_SECRET=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY - -coder server -``` - -Each provider instance gets a unique route based on its `NAME`. Clients send -requests to `/api/v2/aibridge//` to target a specific instance: - -| Instance name | Route | -|---------------------|-----------------------------------------------------| -| `anthropic-corp` | `/api/v2/aibridge/anthropic-corp/v1/messages` | -| `anthropic-direct` | `/api/v2/aibridge/anthropic-direct/v1/messages` | -| `azure-openai` | `/api/v2/aibridge/azure-openai/v1/chat/completions` | -| `anthropic-bedrock` | `/api/v2/aibridge/anthropic-bedrock/v1/messages` | - -**Supported keys per provider:** - -| Key | Required | Description | -|------------|----------|------------------------------------------------------| -| `TYPE` | Yes | Provider type: `openai`, `anthropic`, or `copilot` | -| `NAME` | No | Unique instance name for routing. Defaults to `TYPE` | -| `KEY` | No | API key for upstream authentication (alias: `KEYS`) | -| `BASE_URL` | No | Base URL of the upstream API | - -For `anthropic` providers using AWS Bedrock, the following keys are also -available: `BEDROCK_BASE_URL`, `BEDROCK_REGION`, -`BEDROCK_ACCESS_KEY` (alias: `BEDROCK_ACCESS_KEYS`), -`BEDROCK_ACCESS_KEY_SECRET` (alias: `BEDROCK_ACCESS_KEY_SECRETS`), -`BEDROCK_MODEL`, `BEDROCK_SMALL_FAST_MODEL`. - -> [!NOTE] -> Indices must be contiguous and start at `0`. Each instance must have a unique -> `NAME`. If two instances of the same `TYPE` omit `NAME`, they will both -> default to the type name and fail with a duplicate name error. -> -> The legacy single-provider environment variables (`CODER_AI_GATEWAY_OPENAI_KEY`, -> `CODER_AI_GATEWAY_ANTHROPIC_KEY`, etc.) continue to work. However, setting -> both a legacy variable and an indexed provider with the same default name -> (e.g. `CODER_AI_GATEWAY_OPENAI_KEY` and an indexed provider named `openai`) -> will produce a startup error. Remove one or the other to resolve the -> conflict. +![Edit Anthropic provider form](../../images/aibridge/provider-edit-anthropic.png) ## API Dumps diff --git a/docs/ai-coder/ai-governance.md b/docs/ai-coder/ai-governance.md index 1581a972c8..ce786ea53e 100644 --- a/docs/ai-coder/ai-governance.md +++ b/docs/ai-coder/ai-governance.md @@ -51,12 +51,10 @@ being used across the organization. AI Gateway provides audit trails of prompts, token usage, and tool invocations, giving administrators insight into AI adoption patterns and potential issues. -### Restricting agent network and command access +### Restricting agent network access -AI agents can make arbitrary network requests, potentially accessing -unauthorized services or exfiltrating data. They can also execute destructive -commands within a workspace. Agent Firewall enforces process-level policies -that restrict which domains agents can reach and what actions they can perform, +AI agents can make arbitrary network requests, potentially accessing unauthorized services or exfiltrating data. +Agent Firewall enforces process-level policies that restrict which domains agents can reach and what actions they can perform, preventing unintended data exposure and destructive operations like `rm -rf`. ### Centralizing API key management diff --git a/docs/ai-coder/tasks-core-principles.md b/docs/ai-coder/tasks-core-principles.md index c172d33907..771680cb8f 100644 --- a/docs/ai-coder/tasks-core-principles.md +++ b/docs/ai-coder/tasks-core-principles.md @@ -17,7 +17,7 @@ Coder Tasks is Coder's platform for managing coding agents. With Coder Tasks, yo ![Tasks UI](../images/guides/ai-agents/tasks-ui.png)Coder Tasks Dashboard view to see all available tasks. -Coder Tasks allows you and your organization to build and automate workflows to fully leverage AI. Tasks operate through Coder Workspaces. We support interacting with an agent through the Task UI and CLI. Some Tasks can also be accessed through the Coder Workspace IDE; see [connect via an IDE](../user-guides/workspace-access). +Coder Tasks allows you and your organization to build and automate workflows to fully leverage AI. Tasks operate through Coder Workspaces. We support interacting with an agent through the Task UI and CLI. Some Tasks can also be accessed through the Coder Workspace IDE; see [connect via an IDE](../user-guides/workspace-access/index.md). ## Why Use Tasks? diff --git a/docs/ai-coder/tasks.md b/docs/ai-coder/tasks.md index a39292f570..aedf76f9fa 100644 --- a/docs/ai-coder/tasks.md +++ b/docs/ai-coder/tasks.md @@ -11,7 +11,7 @@ Coder Tasks is an interface for running & managing coding agents such as Claude ![Tasks UI](../images/guides/ai-agents/tasks-ui.png) -Coder Tasks is best for cases where the IDE is secondary, such as prototyping or running long-running background jobs. However, tasks run inside full workspaces so developers can [connect via an IDE](../user-guides/workspace-access) to take a task to completion. +Coder Tasks is best for cases where the IDE is secondary, such as prototyping or running long-running background jobs. However, tasks run inside full workspaces so developers can [connect via an IDE](../user-guides/workspace-access/index.md) to take a task to completion. You can also interact with Coder Tasks from your IDE. The [Coder extension for VS Code](https://marketplace.visualstudio.com/items?itemName=coder.coder-remote) (and compatible forks like Cursor) enables you to create, monitor, and manage Tasks directly from the IDE, eliminating the need to context-switch to a browser. After logging in, you get access to a dedicated Tasks view in the sidebar that lets you select a template, configure parameters, prompt an agent, and track task status or download logs. Your tasks run in Coder workspaces with access to your repos, credentials, and internal network. diff --git a/docs/ai-coder/usage-data-reporting.md b/docs/ai-coder/usage-data-reporting.md index 9d8fe08bfa..21c1e42d47 100644 --- a/docs/ai-coder/usage-data-reporting.md +++ b/docs/ai-coder/usage-data-reporting.md @@ -5,7 +5,7 @@ The [AI Governance Add-On](./ai-governance.md) requires reporting usage data to - number of agent workspace builds consumed - number of AI Governance seats consumed -No user-identifiable information or additional metrics are sent to Tallyman. This information is also shared with [Metronome](https://metronome.com), a Stripe product and Coder partner for usage-based and reporting. +No user-identifiable information or additional metrics are sent to Tallyman. This information is also shared with [Metronome](https://metronome.com), a Stripe product and Coder partner for usage-based billing and reporting. To send usage data, your Coder deployment must be able to make outbound HTTPS requests to `https://tallyman-prod.coder.com`. Usage data is sent approximately every 17 minutes and can be monitored via `coderd` logs. @@ -17,7 +17,7 @@ Example of a successful request (requires debug logging enabled [`CODER_LOG_FILT Example of a request payload: -```sh +```txt POST /api/v1/events/ingest HTTP/1.1 Host: tallyman-prod.coder.com Content-Type: application/json diff --git a/docs/images/aibridge/provider-add-anthropic.png b/docs/images/aibridge/provider-add-anthropic.png new file mode 100644 index 0000000000..7a718be5e4 Binary files /dev/null and b/docs/images/aibridge/provider-add-anthropic.png differ diff --git a/docs/images/aibridge/provider-edit-anthropic.png b/docs/images/aibridge/provider-edit-anthropic.png new file mode 100644 index 0000000000..e960aed025 Binary files /dev/null and b/docs/images/aibridge/provider-edit-anthropic.png differ diff --git a/docs/images/aibridge/providers-list.png b/docs/images/aibridge/providers-list.png new file mode 100644 index 0000000000..578b82a656 Binary files /dev/null and b/docs/images/aibridge/providers-list.png differ diff --git a/docs/install/cloud/azure-vm.md b/docs/install/cloud/azure-vm.md index 2ab41bc53a..6cc2163105 100644 --- a/docs/install/cloud/azure-vm.md +++ b/docs/install/cloud/azure-vm.md @@ -56,7 +56,7 @@ as a system service. For this instance, we will run Coder as a system service, however you can run Coder a multitude of different ways. You can learn more about those -[here](https://coder.com/docs/coder-oss/latest/install). +[here](https://coder.com/docs/install). In the Azure VM instance, run the following command to install Coder diff --git a/docs/install/upgrade.md b/docs/install/upgrade.md index 2559217edc..8c4282202d 100644 --- a/docs/install/upgrade.md +++ b/docs/install/upgrade.md @@ -12,7 +12,7 @@ For upgrade recommendations and troubleshooting, see ## Reinstall Coder to upgrade To upgrade your Coder server, reinstall Coder using your original method -of [install](../install). +of [install](../install/index.md). ### Coder install script diff --git a/docs/manifest.json b/docs/manifest.json index cbbeceefbe..d0485b6ca8 100644 --- a/docs/manifest.json +++ b/docs/manifest.json @@ -1007,6 +1007,12 @@ "path": "./ai-coder/agents/architecture.md", "state": ["beta"] }, + { + "title": "Chat Sharing", + "description": "Share Coder Agents conversations with users and groups", + "path": "./ai-coder/agents/chat-sharing.md", + "state": ["beta"] + }, { "title": "Models", "description": "Configure LLM providers and models for Coder Agents", @@ -1144,85 +1150,99 @@ { "title": "Setup", "description": "How to set up and configure AI Gateway", - "path": "./ai-coder/ai-gateway/setup.md" + "path": "./ai-coder/ai-gateway/setup.md", + "state": ["ai governance add-on"] }, { "title": "Authentication", "description": "Learn how to authenticate against AI Gateway", - "path": "./ai-coder/ai-gateway/auth.md" + "path": "./ai-coder/ai-gateway/auth.md", + "state": ["ai governance add-on"] }, { "title": "Client Configuration", "description": "How to configure your AI coding tools to use AI Gateway", "path": "./ai-coder/ai-gateway/clients/index.md", + "state": ["ai governance add-on"], "children": [ { "title": "Coder Agents", "description": "Route Coder Agents traffic through AI Gateway", - "path": "./ai-coder/ai-gateway/clients/coder-agents.md" + "path": "./ai-coder/ai-gateway/clients/coder-agents.md", + "state": ["ai governance add-on"] }, { "title": "Claude Code", "description": "Configure Claude Code to use AI Gateway", - "path": "./ai-coder/ai-gateway/clients/claude-code.md" + "path": "./ai-coder/ai-gateway/clients/claude-code.md", + "state": ["ai governance add-on"] }, { "title": "Codex", "description": "Configure Codex to use AI Gateway", - "path": "./ai-coder/ai-gateway/clients/codex.md" + "path": "./ai-coder/ai-gateway/clients/codex.md", + "state": ["ai governance add-on"] }, { "title": "Mux", "description": "Configure Mux to use AI Gateway", - "path": "./ai-coder/ai-gateway/clients/mux.md" + "path": "./ai-coder/ai-gateway/clients/mux.md", + "state": ["ai governance add-on"] }, { "title": "OpenCode", "description": "Configure OpenCode to use AI Gateway", - "path": "./ai-coder/ai-gateway/clients/opencode.md" + "path": "./ai-coder/ai-gateway/clients/opencode.md", + "state": ["ai governance add-on"] }, { "title": "Factory", "description": "Configure Factory to use AI Gateway", - "path": "./ai-coder/ai-gateway/clients/factory.md" + "path": "./ai-coder/ai-gateway/clients/factory.md", + "state": ["ai governance add-on"] }, { "title": "Cline", "description": "Configure Cline to use AI Gateway", - "path": "./ai-coder/ai-gateway/clients/cline.md" + "path": "./ai-coder/ai-gateway/clients/cline.md", + "state": ["ai governance add-on"] }, { "title": "Kilo Code", "description": "Configure Kilo Code to use AI Gateway", - "path": "./ai-coder/ai-gateway/clients/kilo-code.md" + "path": "./ai-coder/ai-gateway/clients/kilo-code.md", + "state": ["ai governance add-on"] }, { "title": "VS Code", "description": "Configure VS Code to use AI Gateway", - "path": "./ai-coder/ai-gateway/clients/vscode.md" + "path": "./ai-coder/ai-gateway/clients/vscode.md", + "state": ["ai governance add-on"] }, { "title": "JetBrains", "description": "Configure JetBrains IDEs to use AI Gateway", - "path": "./ai-coder/ai-gateway/clients/jetbrains.md" + "path": "./ai-coder/ai-gateway/clients/jetbrains.md", + "state": ["ai governance add-on"] }, { "title": "Zed", "description": "Configure Zed to use AI Gateway", - "path": "./ai-coder/ai-gateway/clients/zed.md" + "path": "./ai-coder/ai-gateway/clients/zed.md", + "state": ["ai governance add-on"] }, { "title": "GitHub Copilot", "description": "Configure GitHub Copilot to use AI Gateway via AI Gateway Proxy", - "path": "./ai-coder/ai-gateway/clients/copilot.md" + "path": "./ai-coder/ai-gateway/clients/copilot.md", + "state": ["ai governance add-on"] } ] }, { "title": "MCP Tools Injection", "description": "How to configure MCP servers for tools injection through AI Gateway", - "path": "./ai-coder/ai-gateway/mcp.md", - "state": ["early access"] + "path": "./ai-coder/ai-gateway/mcp.md" }, { "title": "AI Gateway Proxy", @@ -1233,31 +1253,42 @@ { "title": "Setup", "description": "How to set up and configure AI Gateway Proxy", - "path": "./ai-coder/ai-gateway/ai-gateway-proxy/setup.md" + "path": "./ai-coder/ai-gateway/ai-gateway-proxy/setup.md", + "state": ["ai governance add-on"] } ] }, + { + "title": "Provider Configuration", + "description": "How AI Gateway stores, seeds, and reloads provider configuration", + "path": "./ai-coder/ai-gateway/providers.md", + "state": ["ai governance add-on"] + }, { "title": "Auditing AI Sessions", "description": "How to audit AI sessions", - "path": "./ai-coder/ai-gateway/audit.md" + "path": "./ai-coder/ai-gateway/audit.md", + "state": ["ai governance add-on"] }, { "title": "Monitoring", "description": "How to monitor AI Gateway", - "path": "./ai-coder/ai-gateway/monitoring.md" + "path": "./ai-coder/ai-gateway/monitoring.md", + "state": ["ai governance add-on"] }, { "title": "Reference", "description": "Technical reference for AI Gateway", - "path": "./ai-coder/ai-gateway/reference.md" + "path": "./ai-coder/ai-gateway/reference.md", + "state": ["ai governance add-on"] } ] }, { "title": "Usage Data Reporting", "description": "Configure AI usage data reporting", - "path": "./ai-coder/usage-data-reporting.md" + "path": "./ai-coder/usage-data-reporting.md", + "state": ["ai governance add-on"] } ] }, diff --git a/docs/reference/api/chats.md b/docs/reference/api/chats.md index 691b2a2bc5..f475d8482d 100644 --- a/docs/reference/api/chats.md +++ b/docs/reference/api/chats.md @@ -292,13 +292,13 @@ Status Code **200** #### Enumerated Values -| Property | Value(s) | -|---------------|---------------------------------------------------------------------------------------------------------------------| -| `client_type` | `api`, `ui` | -| `kind` | `auth`, `config`, `generic`, `missing_key`, `overloaded`, `rate_limit`, `startup_timeout`, `timeout`, `usage_limit` | -| `type` | `context-file`, `file`, `file-reference`, `reasoning`, `skill`, `source`, `text`, `tool-call`, `tool-result` | -| `plan_mode` | `plan` | -| `status` | `completed`, `error`, `paused`, `pending`, `requires_action`, `running`, `waiting` | +| Property | Value(s) | +|---------------|------------------------------------------------------------------------------------------------------------------------------------------| +| `client_type` | `api`, `ui` | +| `kind` | `auth`, `config`, `generic`, `missing_key`, `overloaded`, `provider_disabled`, `rate_limit`, `startup_timeout`, `timeout`, `usage_limit` | +| `type` | `context-file`, `file`, `file-reference`, `reasoning`, `skill`, `source`, `text`, `tool-call`, `tool-result` | +| `plan_mode` | `plan` | +| `status` | `completed`, `error`, `paused`, `pending`, `requires_action`, `running`, `waiting` | To perform this operation, you must be authenticated. [Learn more](authentication.md). diff --git a/docs/reference/api/enterprise.md b/docs/reference/api/enterprise.md index eca72025c0..ed1ce268e7 100644 --- a/docs/reference/api/enterprise.md +++ b/docs/reference/api/enterprise.md @@ -3418,6 +3418,125 @@ curl -X POST http://coder-server:8080/api/v2/templates/{template}/prebuilds/inva To perform this operation, you must be authenticated. [Learn more](authentication.md). +## Get user AI budget override + +### Code samples + +```shell +# Example request using curl +curl -X GET http://coder-server:8080/api/v2/users/{user}/ai/budget \ + -H 'Accept: application/json' \ + -H 'Coder-Session-Token: API_KEY' +``` + +`GET /api/v2/users/{user}/ai/budget` + +### Parameters + +| Name | In | Type | Required | Description | +|--------|------|--------|----------|--------------------------| +| `user` | path | string | true | User ID, username, or me | + +### Example responses + +> 200 Response + +```json +{ + "created_at": "2019-08-24T14:15:22Z", + "group_id": "306db4e0-7449-4501-b76f-075576fe2d8f", + "spend_limit_micros": 0, + "updated_at": "2019-08-24T14:15:22Z", + "user_id": "a169451c-8525-4352-b8ca-070dd449a1a5" +} +``` + +### Responses + +| Status | Meaning | Description | Schema | +|--------|---------------------------------------------------------|-------------|--------------------------------------------------------------------------| +| 200 | [OK](https://tools.ietf.org/html/rfc7231#section-6.3.1) | OK | [codersdk.UserAIBudgetOverride](schemas.md#codersdkuseraibudgetoverride) | + +To perform this operation, you must be authenticated. [Learn more](authentication.md). + +## Upsert user AI budget override + +### Code samples + +```shell +# Example request using curl +curl -X PUT http://coder-server:8080/api/v2/users/{user}/ai/budget \ + -H 'Content-Type: application/json' \ + -H 'Accept: application/json' \ + -H 'Coder-Session-Token: API_KEY' +``` + +`PUT /api/v2/users/{user}/ai/budget` + +> Body parameter + +```json +{ + "group_id": "306db4e0-7449-4501-b76f-075576fe2d8f", + "spend_limit_micros": 0 +} +``` + +### Parameters + +| Name | In | Type | Required | Description | +|--------|------|----------------------------------------------------------------------------------------------------|----------|----------------------------------------| +| `user` | path | string | true | User ID, username, or me | +| `body` | body | [codersdk.UpsertUserAIBudgetOverrideRequest](schemas.md#codersdkupsertuseraibudgetoverriderequest) | true | Upsert user AI budget override request | + +### Example responses + +> 200 Response + +```json +{ + "created_at": "2019-08-24T14:15:22Z", + "group_id": "306db4e0-7449-4501-b76f-075576fe2d8f", + "spend_limit_micros": 0, + "updated_at": "2019-08-24T14:15:22Z", + "user_id": "a169451c-8525-4352-b8ca-070dd449a1a5" +} +``` + +### Responses + +| Status | Meaning | Description | Schema | +|--------|---------------------------------------------------------|-------------|--------------------------------------------------------------------------| +| 200 | [OK](https://tools.ietf.org/html/rfc7231#section-6.3.1) | OK | [codersdk.UserAIBudgetOverride](schemas.md#codersdkuseraibudgetoverride) | + +To perform this operation, you must be authenticated. [Learn more](authentication.md). + +## Delete user AI budget override + +### Code samples + +```shell +# Example request using curl +curl -X DELETE http://coder-server:8080/api/v2/users/{user}/ai/budget \ + -H 'Coder-Session-Token: API_KEY' +``` + +`DELETE /api/v2/users/{user}/ai/budget` + +### Parameters + +| Name | In | Type | Required | Description | +|--------|------|--------|----------|--------------------------| +| `user` | path | string | true | User ID, username, or me | + +### Responses + +| Status | Meaning | Description | Schema | +|--------|-----------------------------------------------------------------|-------------|--------| +| 204 | [No Content](https://tools.ietf.org/html/rfc7231#section-6.3.5) | No Content | | + +To perform this operation, you must be authenticated. [Learn more](authentication.md). + ## Get user quiet hours schedule ### Code samples diff --git a/docs/reference/api/members.md b/docs/reference/api/members.md index 1556ced557..602577852e 100644 --- a/docs/reference/api/members.md +++ b/docs/reference/api/members.md @@ -193,10 +193,10 @@ Status Code **200** #### Enumerated Values -| Property | Value(s) | -|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` | -| `resource_type` | `*`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | +| Property | Value(s) | +|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` | +| `resource_type` | `*`, `ai_gateway_key`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | To perform this operation, you must be authenticated. [Learn more](authentication.md). @@ -326,10 +326,10 @@ Status Code **200** #### Enumerated Values -| Property | Value(s) | -|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` | -| `resource_type` | `*`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | +| Property | Value(s) | +|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` | +| `resource_type` | `*`, `ai_gateway_key`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | To perform this operation, you must be authenticated. [Learn more](authentication.md). @@ -459,10 +459,10 @@ Status Code **200** #### Enumerated Values -| Property | Value(s) | -|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` | -| `resource_type` | `*`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | +| Property | Value(s) | +|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` | +| `resource_type` | `*`, `ai_gateway_key`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | To perform this operation, you must be authenticated. [Learn more](authentication.md). @@ -554,10 +554,10 @@ Status Code **200** #### Enumerated Values -| Property | Value(s) | -|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` | -| `resource_type` | `*`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | +| Property | Value(s) | +|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` | +| `resource_type` | `*`, `ai_gateway_key`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | To perform this operation, you must be authenticated. [Learn more](authentication.md). @@ -960,9 +960,9 @@ Status Code **200** #### Enumerated Values -| Property | Value(s) | -|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` | -| `resource_type` | `*`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | +| Property | Value(s) | +|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` | +| `resource_type` | `*`, `ai_gateway_key`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | To perform this operation, you must be authenticated. [Learn more](authentication.md). diff --git a/docs/reference/api/schemas.md b/docs/reference/api/schemas.md index 8ab5372f65..47268ba974 100644 --- a/docs/reference/api/schemas.md +++ b/docs/reference/api/schemas.md @@ -1444,9 +1444,9 @@ None #### Enumerated Values -| Value(s) | -|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `ai_model_price:*`, `ai_model_price:read`, `ai_model_price:update`, `ai_provider:*`, `ai_provider:create`, `ai_provider:delete`, `ai_provider:read`, `ai_provider:update`, `ai_seat:*`, `ai_seat:create`, `ai_seat:read`, `aibridge_interception:*`, `aibridge_interception:create`, `aibridge_interception:read`, `aibridge_interception:update`, `all`, `api_key:*`, `api_key:create`, `api_key:delete`, `api_key:read`, `api_key:update`, `application_connect`, `assign_org_role:*`, `assign_org_role:assign`, `assign_org_role:create`, `assign_org_role:delete`, `assign_org_role:read`, `assign_org_role:unassign`, `assign_org_role:update`, `assign_role:*`, `assign_role:assign`, `assign_role:read`, `assign_role:unassign`, `audit_log:*`, `audit_log:create`, `audit_log:read`, `boundary_usage:*`, `boundary_usage:delete`, `boundary_usage:read`, `boundary_usage:update`, `chat:*`, `chat:create`, `chat:delete`, `chat:read`, `chat:share`, `chat:update`, `coder:all`, `coder:apikeys.manage_self`, `coder:application_connect`, `coder:templates.author`, `coder:templates.build`, `coder:workspaces.access`, `coder:workspaces.create`, `coder:workspaces.delete`, `coder:workspaces.operate`, `connection_log:*`, `connection_log:read`, `connection_log:update`, `crypto_key:*`, `crypto_key:create`, `crypto_key:delete`, `crypto_key:read`, `crypto_key:update`, `debug_info:*`, `debug_info:read`, `deployment_config:*`, `deployment_config:read`, `deployment_config:update`, `deployment_stats:*`, `deployment_stats:read`, `file:*`, `file:create`, `file:read`, `group:*`, `group:create`, `group:delete`, `group:read`, `group:update`, `group_member:*`, `group_member:read`, `idpsync_settings:*`, `idpsync_settings:read`, `idpsync_settings:update`, `inbox_notification:*`, `inbox_notification:create`, `inbox_notification:read`, `inbox_notification:update`, `license:*`, `license:create`, `license:delete`, `license:read`, `notification_message:*`, `notification_message:create`, `notification_message:delete`, `notification_message:read`, `notification_message:update`, `notification_preference:*`, `notification_preference:read`, `notification_preference:update`, `notification_template:*`, `notification_template:read`, `notification_template:update`, `oauth2_app:*`, `oauth2_app:create`, `oauth2_app:delete`, `oauth2_app:read`, `oauth2_app:update`, `oauth2_app_code_token:*`, `oauth2_app_code_token:create`, `oauth2_app_code_token:delete`, `oauth2_app_code_token:read`, `oauth2_app_secret:*`, `oauth2_app_secret:create`, `oauth2_app_secret:delete`, `oauth2_app_secret:read`, `oauth2_app_secret:update`, `organization:*`, `organization:create`, `organization:delete`, `organization:read`, `organization:update`, `organization_member:*`, `organization_member:create`, `organization_member:delete`, `organization_member:read`, `organization_member:update`, `prebuilt_workspace:*`, `prebuilt_workspace:delete`, `prebuilt_workspace:update`, `provisioner_daemon:*`, `provisioner_daemon:create`, `provisioner_daemon:delete`, `provisioner_daemon:read`, `provisioner_daemon:update`, `provisioner_jobs:*`, `provisioner_jobs:create`, `provisioner_jobs:read`, `provisioner_jobs:update`, `replicas:*`, `replicas:read`, `system:*`, `system:create`, `system:delete`, `system:read`, `system:update`, `tailnet_coordinator:*`, `tailnet_coordinator:create`, `tailnet_coordinator:delete`, `tailnet_coordinator:read`, `tailnet_coordinator:update`, `task:*`, `task:create`, `task:delete`, `task:read`, `task:update`, `template:*`, `template:create`, `template:delete`, `template:read`, `template:update`, `template:use`, `template:view_insights`, `usage_event:*`, `usage_event:create`, `usage_event:read`, `usage_event:update`, `user:*`, `user:create`, `user:delete`, `user:read`, `user:read_personal`, `user:update`, `user:update_personal`, `user_secret:*`, `user_secret:create`, `user_secret:delete`, `user_secret:read`, `user_secret:update`, `user_skill:*`, `user_skill:create`, `user_skill:delete`, `user_skill:read`, `user_skill:update`, `webpush_subscription:*`, `webpush_subscription:create`, `webpush_subscription:delete`, `webpush_subscription:read`, `workspace:*`, `workspace:application_connect`, `workspace:create`, `workspace:create_agent`, `workspace:delete`, `workspace:delete_agent`, `workspace:read`, `workspace:share`, `workspace:ssh`, `workspace:start`, `workspace:stop`, `workspace:update`, `workspace:update_agent`, `workspace_agent_devcontainers:*`, `workspace_agent_devcontainers:create`, `workspace_agent_resource_monitor:*`, `workspace_agent_resource_monitor:create`, `workspace_agent_resource_monitor:read`, `workspace_agent_resource_monitor:update`, `workspace_dormant:*`, `workspace_dormant:application_connect`, `workspace_dormant:create`, `workspace_dormant:create_agent`, `workspace_dormant:delete`, `workspace_dormant:delete_agent`, `workspace_dormant:read`, `workspace_dormant:share`, `workspace_dormant:ssh`, `workspace_dormant:start`, `workspace_dormant:stop`, `workspace_dormant:update`, `workspace_dormant:update_agent`, `workspace_proxy:*`, `workspace_proxy:create`, `workspace_proxy:delete`, `workspace_proxy:read`, `workspace_proxy:update` | +| Value(s) | +|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `ai_gateway_key:*`, `ai_gateway_key:create`, `ai_gateway_key:delete`, `ai_gateway_key:read`, `ai_model_price:*`, `ai_model_price:read`, `ai_model_price:update`, `ai_provider:*`, `ai_provider:create`, `ai_provider:delete`, `ai_provider:read`, `ai_provider:update`, `ai_seat:*`, `ai_seat:create`, `ai_seat:read`, `aibridge_interception:*`, `aibridge_interception:create`, `aibridge_interception:read`, `aibridge_interception:update`, `all`, `api_key:*`, `api_key:create`, `api_key:delete`, `api_key:read`, `api_key:update`, `application_connect`, `assign_org_role:*`, `assign_org_role:assign`, `assign_org_role:create`, `assign_org_role:delete`, `assign_org_role:read`, `assign_org_role:unassign`, `assign_org_role:update`, `assign_role:*`, `assign_role:assign`, `assign_role:read`, `assign_role:unassign`, `audit_log:*`, `audit_log:create`, `audit_log:read`, `boundary_log:*`, `boundary_log:create`, `boundary_log:delete`, `boundary_log:read`, `boundary_usage:*`, `boundary_usage:delete`, `boundary_usage:read`, `boundary_usage:update`, `chat:*`, `chat:create`, `chat:delete`, `chat:read`, `chat:share`, `chat:update`, `coder:all`, `coder:apikeys.manage_self`, `coder:application_connect`, `coder:templates.author`, `coder:templates.build`, `coder:workspaces.access`, `coder:workspaces.create`, `coder:workspaces.delete`, `coder:workspaces.operate`, `connection_log:*`, `connection_log:read`, `connection_log:update`, `crypto_key:*`, `crypto_key:create`, `crypto_key:delete`, `crypto_key:read`, `crypto_key:update`, `debug_info:*`, `debug_info:read`, `deployment_config:*`, `deployment_config:read`, `deployment_config:update`, `deployment_stats:*`, `deployment_stats:read`, `file:*`, `file:create`, `file:read`, `group:*`, `group:create`, `group:delete`, `group:read`, `group:update`, `group_member:*`, `group_member:read`, `idpsync_settings:*`, `idpsync_settings:read`, `idpsync_settings:update`, `inbox_notification:*`, `inbox_notification:create`, `inbox_notification:read`, `inbox_notification:update`, `license:*`, `license:create`, `license:delete`, `license:read`, `notification_message:*`, `notification_message:create`, `notification_message:delete`, `notification_message:read`, `notification_message:update`, `notification_preference:*`, `notification_preference:read`, `notification_preference:update`, `notification_template:*`, `notification_template:read`, `notification_template:update`, `oauth2_app:*`, `oauth2_app:create`, `oauth2_app:delete`, `oauth2_app:read`, `oauth2_app:update`, `oauth2_app_code_token:*`, `oauth2_app_code_token:create`, `oauth2_app_code_token:delete`, `oauth2_app_code_token:read`, `oauth2_app_secret:*`, `oauth2_app_secret:create`, `oauth2_app_secret:delete`, `oauth2_app_secret:read`, `oauth2_app_secret:update`, `organization:*`, `organization:create`, `organization:delete`, `organization:read`, `organization:update`, `organization_member:*`, `organization_member:create`, `organization_member:delete`, `organization_member:read`, `organization_member:update`, `prebuilt_workspace:*`, `prebuilt_workspace:delete`, `prebuilt_workspace:update`, `provisioner_daemon:*`, `provisioner_daemon:create`, `provisioner_daemon:delete`, `provisioner_daemon:read`, `provisioner_daemon:update`, `provisioner_jobs:*`, `provisioner_jobs:create`, `provisioner_jobs:read`, `provisioner_jobs:update`, `replicas:*`, `replicas:read`, `system:*`, `system:create`, `system:delete`, `system:read`, `system:update`, `tailnet_coordinator:*`, `tailnet_coordinator:create`, `tailnet_coordinator:delete`, `tailnet_coordinator:read`, `tailnet_coordinator:update`, `task:*`, `task:create`, `task:delete`, `task:read`, `task:update`, `template:*`, `template:create`, `template:delete`, `template:read`, `template:update`, `template:use`, `template:view_insights`, `usage_event:*`, `usage_event:create`, `usage_event:read`, `usage_event:update`, `user:*`, `user:create`, `user:delete`, `user:read`, `user:read_personal`, `user:update`, `user:update_personal`, `user_secret:*`, `user_secret:create`, `user_secret:delete`, `user_secret:read`, `user_secret:update`, `user_skill:*`, `user_skill:create`, `user_skill:delete`, `user_skill:read`, `user_skill:update`, `webpush_subscription:*`, `webpush_subscription:create`, `webpush_subscription:delete`, `webpush_subscription:read`, `workspace:*`, `workspace:application_connect`, `workspace:create`, `workspace:create_agent`, `workspace:delete`, `workspace:delete_agent`, `workspace:read`, `workspace:share`, `workspace:ssh`, `workspace:start`, `workspace:stop`, `workspace:update`, `workspace:update_agent`, `workspace_agent_devcontainers:*`, `workspace_agent_devcontainers:create`, `workspace_agent_resource_monitor:*`, `workspace_agent_resource_monitor:create`, `workspace_agent_resource_monitor:read`, `workspace_agent_resource_monitor:update`, `workspace_dormant:*`, `workspace_dormant:application_connect`, `workspace_dormant:create`, `workspace_dormant:create_agent`, `workspace_dormant:delete`, `workspace_dormant:delete_agent`, `workspace_dormant:read`, `workspace_dormant:share`, `workspace_dormant:ssh`, `workspace_dormant:start`, `workspace_dormant:stop`, `workspace_dormant:update`, `workspace_dormant:update_agent`, `workspace_proxy:*`, `workspace_proxy:create`, `workspace_proxy:delete`, `workspace_proxy:read`, `workspace_proxy:update` | ## codersdk.AddLicenseRequest @@ -2681,9 +2681,9 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in #### Enumerated Values -| Value(s) | -|---------------------------------------------------------------------------------------------------------------------| -| `auth`, `config`, `generic`, `missing_key`, `overloaded`, `rate_limit`, `startup_timeout`, `timeout`, `usage_limit` | +| Value(s) | +|------------------------------------------------------------------------------------------------------------------------------------------| +| `auth`, `config`, `generic`, `missing_key`, `overloaded`, `provider_disabled`, `rate_limit`, `startup_timeout`, `timeout`, `usage_limit` | ## codersdk.ChatFileMetadata @@ -10818,9 +10818,9 @@ Only certain features set these fields: - FeatureManagedAgentLimit| #### Enumerated Values -| Value(s) | -|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `*`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | +| Value(s) | +|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `*`, `ai_gateway_key`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | ## codersdk.RateLimitConfig @@ -11036,9 +11036,9 @@ Only certain features set these fields: - FeatureManagedAgentLimit| #### Enumerated Values -| Value(s) | -|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `ai_provider`, `ai_provider_key`, `ai_seat`, `api_key`, `chat`, `convert_login`, `custom_role`, `git_ssh_key`, `group`, `group_ai_budget`, `health_settings`, `idp_sync_settings_group`, `idp_sync_settings_organization`, `idp_sync_settings_role`, `license`, `notification_template`, `notifications_settings`, `oauth2_provider_app`, `oauth2_provider_app_secret`, `organization`, `organization_member`, `prebuilds_settings`, `task`, `template`, `template_version`, `user`, `user_secret`, `user_skill`, `workspace`, `workspace_agent`, `workspace_app`, `workspace_build`, `workspace_proxy` | +| Value(s) | +|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `ai_gateway_key`, `ai_provider`, `ai_provider_key`, `ai_seat`, `api_key`, `chat`, `convert_login`, `custom_role`, `git_ssh_key`, `group`, `group_ai_budget`, `health_settings`, `idp_sync_settings_group`, `idp_sync_settings_organization`, `idp_sync_settings_role`, `license`, `notification_template`, `notifications_settings`, `oauth2_provider_app`, `oauth2_provider_app_secret`, `organization`, `organization_member`, `prebuilds_settings`, `task`, `template`, `template_version`, `user`, `user_secret`, `user_skill`, `workspace`, `workspace_agent`, `workspace_app`, `workspace_build`, `workspace_proxy` | ## codersdk.Response @@ -13601,6 +13601,22 @@ If the schedule is empty, the user will be updated to use the default schedule.| |----------------------|---------|----------|--------------|-------------| | `spend_limit_micros` | integer | false | | | +## codersdk.UpsertUserAIBudgetOverrideRequest + +```json +{ + "group_id": "306db4e0-7449-4501-b76f-075576fe2d8f", + "spend_limit_micros": 0 +} +``` + +### Properties + +| Name | Type | Required | Restrictions | Description | +|----------------------|---------|----------|--------------|---------------------------------------------------------------------------------------------------| +| `group_id` | string | true | | Group ID is the group the user's spend is attributed to. The user must be a member of this group. | +| `spend_limit_micros` | integer | false | | | + ## codersdk.UpsertWorkspaceAgentPortShareRequest ```json @@ -13730,6 +13746,28 @@ If the schedule is empty, the user will be updated to use the default schedule.| |----------|-----------------------| | `status` | `active`, `suspended` | +## codersdk.UserAIBudgetOverride + +```json +{ + "created_at": "2019-08-24T14:15:22Z", + "group_id": "306db4e0-7449-4501-b76f-075576fe2d8f", + "spend_limit_micros": 0, + "updated_at": "2019-08-24T14:15:22Z", + "user_id": "a169451c-8525-4352-b8ca-070dd449a1a5" +} +``` + +### Properties + +| Name | Type | Required | Restrictions | Description | +|----------------------|---------|----------|--------------|-------------| +| `created_at` | string | false | | | +| `group_id` | string | false | | | +| `spend_limit_micros` | integer | false | | | +| `updated_at` | string | false | | | +| `user_id` | string | false | | | + ## codersdk.UserActivity ```json diff --git a/docs/reference/api/users.md b/docs/reference/api/users.md index 376a415031..c82ca65701 100644 --- a/docs/reference/api/users.md +++ b/docs/reference/api/users.md @@ -865,11 +865,11 @@ Status Code **200** #### Enumerated Values -| Property | Value(s) | -|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `type` | `*`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | -| `login_type` | `github`, `oidc`, `password`, `token` | -| `scope` | `all`, `application_connect` | +| Property | Value(s) | +|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `type` | `*`, `ai_gateway_key`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | +| `login_type` | `github`, `oidc`, `password`, `token` | +| `scope` | `all`, `application_connect` | To perform this operation, you must be authenticated. [Learn more](authentication.md). diff --git a/docs/reference/cli/server.md b/docs/reference/cli/server.md index de694faa79..2de88e4960 100644 --- a/docs/reference/cli/server.md +++ b/docs/reference/cli/server.md @@ -1743,7 +1743,7 @@ Whether to start an in-memory AI Gateway instance. | YAML | ai_gateway.openai_base_url | | Default | https://api.openai.com/v1/ | -The base URL of the OpenAI API. +Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The base URL of the OpenAI API. ### --ai-gateway-openai-key @@ -1752,7 +1752,7 @@ The base URL of the OpenAI API. | Type | string | | Environment | $CODER_AI_GATEWAY_OPENAI_KEY | -The key to authenticate against the OpenAI API. +Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The key to authenticate against the OpenAI API. ### --ai-gateway-anthropic-base-url @@ -1763,7 +1763,7 @@ The key to authenticate against the OpenAI API. | YAML | ai_gateway.anthropic_base_url | | Default | https://api.anthropic.com/ | -The base URL of the Anthropic API. +Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The base URL of the Anthropic API. ### --ai-gateway-anthropic-key @@ -1772,7 +1772,7 @@ The base URL of the Anthropic API. | Type | string | | Environment | $CODER_AI_GATEWAY_ANTHROPIC_KEY | -The key to authenticate against the Anthropic API. +Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The key to authenticate against the Anthropic API. ### --ai-gateway-bedrock-base-url @@ -1782,7 +1782,7 @@ The key to authenticate against the Anthropic API. | Environment | $CODER_AI_GATEWAY_BEDROCK_BASE_URL | | YAML | ai_gateway.bedrock_base_url | -The base URL to use for the AWS Bedrock API. Use this setting to specify an exact URL to use. Takes precedence over CODER_AI_GATEWAY_BEDROCK_REGION. +Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The base URL to use for the AWS Bedrock API. Use this setting to specify an exact URL to use. Takes precedence over CODER_AI_GATEWAY_BEDROCK_REGION. ### --ai-gateway-bedrock-region @@ -1792,7 +1792,7 @@ The base URL to use for the AWS Bedrock API. Use this setting to specify an exac | Environment | $CODER_AI_GATEWAY_BEDROCK_REGION | | YAML | ai_gateway.bedrock_region | -The AWS Bedrock API region to use. Constructs a base URL to use for the AWS Bedrock API in the form of 'https://bedrock-runtime..amazonaws.com'. +Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The AWS Bedrock API region to use. Constructs a base URL to use for the AWS Bedrock API in the form of 'https://bedrock-runtime..amazonaws.com'. ### --ai-gateway-bedrock-access-key @@ -1801,7 +1801,7 @@ The AWS Bedrock API region to use. Constructs a base URL to use for the AWS Bedr | Type | string | | Environment | $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY | -The access key to authenticate against the AWS Bedrock API. +Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The access key to authenticate against the AWS Bedrock API. ### --ai-gateway-bedrock-access-key-secret @@ -1810,7 +1810,7 @@ The access key to authenticate against the AWS Bedrock API. | Type | string | | Environment | $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET | -The access key secret to use with the access key to authenticate against the AWS Bedrock API. +Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The access key secret to use with the access key to authenticate against the AWS Bedrock API. ### --ai-gateway-bedrock-model @@ -1821,7 +1821,7 @@ The access key secret to use with the access key to authenticate against the AWS | YAML | ai_gateway.bedrock_model | | Default | global.anthropic.claude-sonnet-4-5-20250929-v1:0 | -The model to use when making requests to the AWS Bedrock API. +Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The model to use when making requests to the AWS Bedrock API. ### --ai-gateway-bedrock-small-fastmodel @@ -1832,7 +1832,7 @@ The model to use when making requests to the AWS Bedrock API. | YAML | ai_gateway.bedrock_small_fast_model | | Default | global.anthropic.claude-haiku-4-5-20251001-v1:0 | -The small fast model to use when making requests to the AWS Bedrock API. Claude Code uses Haiku-class models to perform background tasks. See https://docs.claude.com/en/docs/claude-code/settings#environment-variables. +Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The small fast model to use when making requests to the AWS Bedrock API. Claude Code uses Haiku-class models to perform background tasks. See https://docs.claude.com/en/docs/claude-code/settings#environment-variables. ### --ai-gateway-retention diff --git a/docs/start/first-template.md b/docs/start/first-template.md index 3b9d49fc59..ba7a2a802c 100644 --- a/docs/start/first-template.md +++ b/docs/start/first-template.md @@ -67,7 +67,7 @@ This starter template lets you connect to your workspace in a few ways: - VS Code Desktop: Loads your workspace into [VS Code Desktop](https://code.visualstudio.com/Download) installed on your local computer. -- code-server: Opens [browser-based VS Code](../ides/web-ides.md) with your +- code-server: Opens [browser-based VS Code](../user-guides/workspace-access/web-ides.md) with your workspace. - Terminal: Opens a browser-based terminal with a shell in the workspace's Docker instance. @@ -77,7 +77,7 @@ This starter template lets you connect to your workspace in a few ways: > [!TIP] > You can edit the template to let developers connect to a workspace in -> [a few more ways](../ides.md). +> [a few more ways](../user-guides/workspace-access/index.md). When you're done, you can stop the workspace. --> diff --git a/docs/tutorials/example-guide.md b/docs/tutorials/example-guide.md index 71d5ff15cd..5ede1a7344 100644 --- a/docs/tutorials/example-guide.md +++ b/docs/tutorials/example-guide.md @@ -16,7 +16,7 @@ repository. ## Content -Defer to our [Contributing/Documentation](../contributing/documentation.md) page +Defer to our [Contributing/Documentation](../about/contributing/documentation.md) page for rules on technical writing. ### Adding Photos diff --git a/docs/user-guides/workspace-access/index.md b/docs/user-guides/workspace-access/index.md index da72459cbb..ee1bd9aa5c 100644 --- a/docs/user-guides/workspace-access/index.md +++ b/docs/user-guides/workspace-access/index.md @@ -132,7 +132,7 @@ on connecting your JetBrains IDEs. [code-server](https://github.com/coder/code-server) is our supported method of running VS Code in the web browser. Learn more about [what makes code-server different from VS Code web](./code-server.md) or visit the -[documentation for code-server](https://coder.com/docs/code-server/latest). +[documentation for code-server](https://coder.com/docs/code-server). ![code-server in a workspace](../../images/code-server-ide.png) diff --git a/dogfood/coder/main.tf b/dogfood/coder/main.tf index aad65c886f..ad576e543f 100644 --- a/dogfood/coder/main.tf +++ b/dogfood/coder/main.tf @@ -277,7 +277,6 @@ data "coder_external_auth" "github" { data "coder_workspace" "me" {} data "coder_workspace_owner" "me" {} -data "coder_task" "me" {} data "coder_workspace_tags" "tags" { tags = { "cluster" : "dogfood-v2" @@ -991,10 +990,6 @@ resource "coder_metadata" "container_info" { key = "region" value = data.coder_parameter.region.option[index(data.coder_parameter.region.option.*.value, data.coder_parameter.region.value)].name } - item { - key = "ai_task" - value = data.coder_task.me.enabled ? "yes" : "no" - } } resource "coder_script" "boundary_config_setup" { diff --git a/dogfood/vscode-coder/main.tf b/dogfood/vscode-coder/main.tf index eece70b548..791136979f 100644 --- a/dogfood/vscode-coder/main.tf +++ b/dogfood/vscode-coder/main.tf @@ -204,7 +204,6 @@ data "coder_external_auth" "github" { data "coder_workspace" "me" {} data "coder_workspace_owner" "me" {} -data "coder_task" "me" {} data "coder_workspace_tags" "tags" { tags = { "cluster" : "dogfood-v2" @@ -541,99 +540,28 @@ resource "coder_metadata" "container_info" { key = "region" value = data.coder_parameter.region.option[index(data.coder_parameter.region.option.*.value, data.coder_parameter.region.value)].name } - item { - key = "ai_task" - value = data.coder_task.me.enabled ? "yes" : "no" - } -} - -# --- AI task support --- - -locals { - claude_system_prompt = <<-EOT - -- Framing -- - You are a helpful coding assistant working on the coder/vscode-coder - VS Code extension. Aim to autonomously investigate and solve issues - the user gives you and test your work, whenever possible. - - Avoid shortcuts like mocking tests. When you get stuck, you can ask - the user but opt for autonomy. - - -- Tool Selection -- - - Built-in tools for everything: - (file operations, git commands, builds & installs, one-off shell commands) - - -- Testing -- - Integration tests launch a real VS Code instance and require a - virtual framebuffer. Run them headlessly with: - xvfb-run -a pnpm test:integration - This matches how CI runs them. Unit tests do not need xvfb-run: - pnpm test - - -- Workflow -- - When starting new work: - 1. If given a GitHub issue URL, use the `gh` CLI to read the full - issue details with `gh issue view `. - 2. Create a feature branch for the work using a descriptive name - based on the issue or task. - Example: `git checkout -b fix/issue-123-ssh-retry` - 3. Proceed with implementation following the AGENTS.md guidelines. - - -- Context -- - This is the coder/vscode-coder VS Code extension. It is a real-world - production extension used by developers to connect to Coder workspaces. - Be sure to read AGENTS.md before making any changes. - EOT } module "claude-code" { - count = data.coder_task.me.enabled ? data.coder_workspace.me.start_count : 0 - source = "dev.registry.coder.com/coder/claude-code/coder" - version = "4.9.2" - enable_boundary = true - agent_id = coder_agent.dev.id - workdir = local.repo_dir - claude_code_version = "latest" - model = "opus" - order = 999 - claude_api_key = data.coder_parameter.use_ai_bridge.value ? data.coder_workspace_owner.me.session_token : var.anthropic_api_key - agentapi_version = "latest" - system_prompt = local.claude_system_prompt - ai_prompt = data.coder_task.me.prompt + count = data.coder_workspace.me.start_count + source = "dev.registry.coder.com/coder/claude-code/coder" + version = "5.2.0" + enable_ai_gateway = data.coder_parameter.use_ai_bridge.value + anthropic_api_key = data.coder_parameter.use_ai_bridge.value ? "" : var.anthropic_api_key + agent_id = coder_agent.dev.id + workdir = local.repo_dir } -resource "coder_ai_task" "task" { - count = data.coder_task.me.enabled ? data.coder_workspace.me.start_count : 0 - app_id = module.claude-code[count.index].task_app_id -} - -resource "coder_app" "watch" { - count = data.coder_task.me.enabled ? data.coder_workspace.me.start_count : 0 +resource "coder_app" "claude" { agent_id = coder_agent.dev.id - slug = "watch" - display_name = "pnpm watch" - icon = "${data.coder_workspace.me.access_url}/icon/code.svg" - command = "screen -x pnpm_watch" - share = "authenticated" - open_in = "tab" - order = 0 -} - -resource "coder_script" "watch" { - count = data.coder_task.me.enabled ? data.coder_workspace.me.start_count : 0 - display_name = "pnpm watch" - agent_id = coder_agent.dev.id - run_on_start = true - start_blocks_login = false - icon = "${data.coder_workspace.me.access_url}/icon/code.svg" - script = <<-EOT - #!/usr/bin/env bash - set -eux -o pipefail - - trap 'coder exp sync complete pnpm-watch' EXIT - coder exp sync want pnpm-watch install-deps - coder exp sync start pnpm-watch - - cd "${local.repo_dir}" && screen -dmS pnpm_watch /bin/sh -c 'while true; do pnpm watch; echo "pnpm watch exited with code $? restarting in 10s"; sleep 10; done' + slug = "claude" + display_name = "Claude Code" + icon = "/icon/claude.svg" + open_in = "slim-window" + command = <<-EOT + #!/bin/bash + set -e + cd "${local.repo_dir}" + exec tmux new-session -A -s claude claude EOT } diff --git a/enterprise/aibridgeproxyd/aibridgeproxyd.go b/enterprise/aibridgeproxyd/aibridgeproxyd.go index cfcb2071c4..438d7c46b7 100644 --- a/enterprise/aibridgeproxyd/aibridgeproxyd.go +++ b/enterprise/aibridgeproxyd/aibridgeproxyd.go @@ -1076,9 +1076,11 @@ func (s *Server) handleResponse(resp *http.Response, ctx *goproxy.ProxyCtx) *htt switch { case resp.StatusCode >= http.StatusInternalServerError: - logger.Error(s.ctx, "received error response from aibridged") + logger.Error(s.ctx, "received error response from aibridged", + slog.F("response_body", s.readErrorBodyForLog(resp, logger))) case resp.StatusCode >= http.StatusBadRequest: - logger.Warn(s.ctx, "received error response from aibridged") + logger.Warn(s.ctx, "received error response from aibridged", + slog.F("response_body", s.readErrorBodyForLog(resp, logger))) default: logger.Debug(s.ctx, "received response from aibridged") } @@ -1101,6 +1103,35 @@ func (s *Server) handleResponse(resp *http.Response, ctx *goproxy.ProxyCtx) *htt return resp } +// maxLoggedErrorBodyBytes bounds how much of an aibridged error response +// body is rendered into a log line, so a large upstream error payload +// cannot blow up log volume. +const maxLoggedErrorBodyBytes = 16 << 10 // 16 KiB + +// readErrorBodyForLog reads resp.Body for diagnostic logging and restores +// it with an equivalent reader, so the proxy still forwards the body +// downstream and the response dumper can read it again. The returned +// string is truncated to maxLoggedErrorBodyBytes; the restored body is +// always complete. +func (s *Server) readErrorBodyForLog(resp *http.Response, logger slog.Logger) string { + if resp.Body == nil { + return "" + } + body, err := io.ReadAll(resp.Body) + _ = resp.Body.Close() + // Restore the full body even on a read error: the proxy and dumper + // downstream still expect a readable body, and a partial body is + // better than a nil one. + resp.Body = io.NopCloser(bytes.NewReader(body)) + if err != nil { + logger.Warn(s.ctx, "failed to read aibridged error response body", slog.Error(err)) + } + if len(body) > maxLoggedErrorBodyBytes { + return string(body[:maxLoggedErrorBodyBytes]) + "...(truncated)" + } + return string(body) +} + // Handler returns an HTTP handler for the AI Bridge Proxy's HTTP endpoints. // This is separate from the proxy server itself and is used by coderd to // serve endpoints like the CA certificate. diff --git a/enterprise/aibridgeproxyd/aibridgeproxyd_internal_test.go b/enterprise/aibridgeproxyd/aibridgeproxyd_internal_test.go new file mode 100644 index 0000000000..397ed1cf3e --- /dev/null +++ b/enterprise/aibridgeproxyd/aibridgeproxyd_internal_test.go @@ -0,0 +1,68 @@ +package aibridgeproxyd + +import ( + "bytes" + "io" + "net/http" + "strings" + "testing" + + "github.com/stretchr/testify/require" + + "cdr.dev/slog/v3/sloggers/slogtest" +) + +// TestReadErrorBodyForLog verifies that reading an aibridged error +// response body for logging leaves the body intact for downstream +// consumers (the proxy forwards it, and the response dumper reads it +// again), and that the logged rendering is capped. +func TestReadErrorBodyForLog(t *testing.T) { + t.Parallel() + + newResponse := func(body string) *http.Response { + return &http.Response{ + StatusCode: http.StatusBadRequest, + Body: io.NopCloser(strings.NewReader(body)), + } + } + + t.Run("ReturnsBodyAndRestores", func(t *testing.T) { + t.Parallel() + s := &Server{ctx: t.Context(), logger: slogtest.Make(t, nil)} + resp := newResponse(`{"error":"bad request"}`) + + got := s.readErrorBodyForLog(resp, s.logger) + require.Equal(t, `{"error":"bad request"}`, got) + + // The body must still be readable in full for the proxy and the + // response dumper. + restored, err := io.ReadAll(resp.Body) + require.NoError(t, err) + require.Equal(t, `{"error":"bad request"}`, string(restored)) + }) + + t.Run("TruncatesLargeBodyButRestoresFull", func(t *testing.T) { + t.Parallel() + s := &Server{ctx: t.Context(), logger: slogtest.Make(t, nil)} + full := bytes.Repeat([]byte("a"), maxLoggedErrorBodyBytes+512) + resp := newResponse(string(full)) + + got := s.readErrorBodyForLog(resp, s.logger) + require.Len(t, got, maxLoggedErrorBodyBytes+len("...(truncated)")) + require.True(t, strings.HasSuffix(got, "...(truncated)")) + + // Truncation only affects the log string; the restored body is + // the complete payload. + restored, err := io.ReadAll(resp.Body) + require.NoError(t, err) + require.Equal(t, full, restored) + }) + + t.Run("NilBody", func(t *testing.T) { + t.Parallel() + s := &Server{ctx: t.Context(), logger: slogtest.Make(t, nil)} + resp := &http.Response{StatusCode: http.StatusInternalServerError, Body: nil} + + require.Equal(t, "", s.readErrorBodyForLog(resp, s.logger)) + }) +} diff --git a/enterprise/audit/table.go b/enterprise/audit/table.go index e97a76daed..315f6af228 100644 --- a/enterprise/audit/table.go +++ b/enterprise/audit/table.go @@ -31,6 +31,7 @@ var AuditActionMap = map[string][]codersdk.AuditAction{ "AiSeatState": {codersdk.AuditActionCreate}, "AIProvider": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete}, "AIProviderKey": {codersdk.AuditActionCreate, codersdk.AuditActionDelete}, + "AIGatewayKey": {codersdk.AuditActionCreate, codersdk.AuditActionDelete}, "AuditableGroupAiBudget": {codersdk.AuditActionWrite, codersdk.AuditActionDelete}, "Chat": {codersdk.AuditActionCreate, codersdk.AuditActionWrite}, // chats get 'archived' by users, not deleted. "UserSecret": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete}, @@ -400,6 +401,14 @@ var auditableResourcesTypes = map[any]map[string]Action{ "created_at": ActionIgnore, // Implicit; not useful in a diff. "updated_at": ActionIgnore, // Changes; not useful in a diff. }, + &database.AIGatewayKey{}: { + "id": ActionTrack, + "name": ActionTrack, + "secret_prefix": ActionTrack, + "hashed_secret": ActionSecret, // Bearer token hash, never expose. + "created_at": ActionIgnore, // Implicit; not useful in a diff. + "last_used_at": ActionIgnore, // Bumped on every use. + }, &database.TaskTable{}: { "id": ActionTrack, "organization_id": ActionIgnore, // Never changes. diff --git a/enterprise/cli/proxyserver_test.go b/enterprise/cli/proxyserver_test.go index 556597ab76..15f0003099 100644 --- a/enterprise/cli/proxyserver_test.go +++ b/enterprise/cli/proxyserver_test.go @@ -48,7 +48,7 @@ func Test_ProxyServer_Headers(t *testing.T) { "--access-url", "http://localhost:8080", "--http-address", ":0", "--header", fmt.Sprintf("%s=%s", headerName1, headerVal1), - "--header-command", fmt.Sprintf("printf %s=%s", headerName2, headerVal2), + "--header-command", fmt.Sprintf("echo %s=%s", headerName2, headerVal2), ) pty := ptytest.New(t) inv.Stdout = pty.Output() diff --git a/enterprise/cli/testdata/coder_server_--help.golden b/enterprise/cli/testdata/coder_server_--help.golden index a9062a426f..addd3dc256 100644 --- a/enterprise/cli/testdata/coder_server_--help.golden +++ b/enterprise/cli/testdata/coder_server_--help.golden @@ -125,35 +125,55 @@ AI GATEWAY OPTIONS: disabled, only centralized key authentication is permitted. --ai-gateway-anthropic-base-url string, $CODER_AI_GATEWAY_ANTHROPIC_BASE_URL (default: https://api.anthropic.com/) - The base URL of the Anthropic API. + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The base URL of the Anthropic + API. --ai-gateway-anthropic-key string, $CODER_AI_GATEWAY_ANTHROPIC_KEY - The key to authenticate against the Anthropic API. + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The key to authenticate + against the Anthropic API. --ai-gateway-bedrock-access-key string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY - The access key to authenticate against the AWS Bedrock API. - - --ai-gateway-bedrock-access-key-secret string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET - The access key secret to use with the access key to authenticate + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The access key to authenticate against the AWS Bedrock API. + --ai-gateway-bedrock-access-key-secret string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The access key secret to use + with the access key to authenticate against the AWS Bedrock API. + --ai-gateway-bedrock-base-url string, $CODER_AI_GATEWAY_BEDROCK_BASE_URL - The base URL to use for the AWS Bedrock API. Use this setting to - specify an exact URL to use. Takes precedence over - CODER_AI_GATEWAY_BEDROCK_REGION. + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The base URL to use for the + AWS Bedrock API. Use this setting to specify an exact URL to use. + Takes precedence over CODER_AI_GATEWAY_BEDROCK_REGION. --ai-gateway-bedrock-model string, $CODER_AI_GATEWAY_BEDROCK_MODEL (default: global.anthropic.claude-sonnet-4-5-20250929-v1:0) - The model to use when making requests to the AWS Bedrock API. + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The model to use when making + requests to the AWS Bedrock API. --ai-gateway-bedrock-region string, $CODER_AI_GATEWAY_BEDROCK_REGION - The AWS Bedrock API region to use. Constructs a base URL to use for - the AWS Bedrock API in the form of - 'https://bedrock-runtime..amazonaws.com'. + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The AWS Bedrock API region to + use. Constructs a base URL to use for the AWS Bedrock API in the form + of 'https://bedrock-runtime..amazonaws.com'. --ai-gateway-bedrock-small-fastmodel string, $CODER_AI_GATEWAY_BEDROCK_SMALL_FAST_MODEL (default: global.anthropic.claude-haiku-4-5-20251001-v1:0) - The small fast model to use when making requests to the AWS Bedrock - API. Claude Code uses Haiku-class models to perform background tasks. - See + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The small fast model to use + when making requests to the AWS Bedrock API. Claude Code uses + Haiku-class models to perform background tasks. See https://docs.claude.com/en/docs/claude-code/settings#environment-variables. --ai-gateway-circuit-breaker-enabled bool, $CODER_AI_GATEWAY_CIRCUIT_BREAKER_ENABLED (default: false) @@ -172,10 +192,16 @@ AI GATEWAY OPTIONS: to disable (unlimited). --ai-gateway-openai-base-url string, $CODER_AI_GATEWAY_OPENAI_BASE_URL (default: https://api.openai.com/v1/) - The base URL of the OpenAI API. + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The base URL of the OpenAI + API. --ai-gateway-openai-key string, $CODER_AI_GATEWAY_OPENAI_KEY - The key to authenticate against the OpenAI API. + Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, + this option seeds provider configuration at startup only exactly once. + It will not be used in service runtime. The key to authenticate + against the OpenAI API. --ai-gateway-rate-limit int, $CODER_AI_GATEWAY_RATE_LIMIT (default: 0) Maximum number of AI Gateway requests per second per replica. Set to 0 diff --git a/enterprise/coderd/aibridge.go b/enterprise/coderd/aibridge.go index 9773dba352..8a220760de 100644 --- a/enterprise/coderd/aibridge.go +++ b/enterprise/coderd/aibridge.go @@ -43,6 +43,11 @@ const ( // reference a valid resource in the expected scope. var errInvalidCursor = xerrors.New("invalid pagination cursor") +// This name is raised by a trigger function with USING CONSTRAINT. +// It is not a table CHECK constraint, so dbgen does not emit it in +// check_constraint.go. +const userAIBudgetOverridesMustBeGroupMemberConstraint database.CheckConstraint = "user_ai_budget_overrides_must_be_group_member" + // aibridgeHandler handles all aibridged-related endpoints. func aibridgeHandler(api *API, middlewares ...func(http.Handler) http.Handler) func(r chi.Router) { // Build the overload protection middleware chain for the aibridged handler. @@ -821,3 +826,116 @@ func (api *API) deleteGroupAIBudget(rw http.ResponseWriter, r *http.Request) { rw.WriteHeader(http.StatusNoContent) } + +// @Summary Get user AI budget override +// @ID get-user-ai-budget-override +// @Security CoderSessionToken +// @Produce json +// @Tags Enterprise +// @Param user path string true "User ID, username, or me" +// @Success 200 {object} codersdk.UserAIBudgetOverride +// @Router /api/v2/users/{user}/ai/budget [get] +func (api *API) userAIBudgetOverride(rw http.ResponseWriter, r *http.Request) { + ctx := r.Context() + user := httpmw.UserParam(r) + + override, err := api.Database.GetUserAIBudgetOverride(ctx, user.ID) + if httpapi.Is404Error(err) { + httpapi.ResourceNotFound(rw) + return + } + if err != nil { + api.Logger.Error(ctx, "get user AI budget override", slog.Error(err)) + httpapi.InternalServerError(rw, err) + return + } + + httpapi.Write(ctx, rw, http.StatusOK, db2sdk.UserAIBudgetOverride(override)) +} + +// @Summary Upsert user AI budget override +// @ID upsert-user-ai-budget-override +// @Security CoderSessionToken +// @Accept json +// @Produce json +// @Tags Enterprise +// @Param user path string true "User ID, username, or me" +// @Param request body codersdk.UpsertUserAIBudgetOverrideRequest true "Upsert user AI budget override request" +// @Success 200 {object} codersdk.UserAIBudgetOverride +// @Router /api/v2/users/{user}/ai/budget [put] +func (api *API) upsertUserAIBudgetOverride(rw http.ResponseWriter, r *http.Request) { + ctx := r.Context() + user := httpmw.UserParam(r) + + var req codersdk.UpsertUserAIBudgetOverrideRequest + if !httpapi.Read(ctx, rw, r, &req) { + return + } + + // Look up the group first so a missing or forbidden group_id returns + // 404, distinct from the 400 "not a member" case handled below. + if _, err := api.Database.GetGroupByID(ctx, req.GroupID); err != nil { + if httpapi.Is404Error(err) { + httpapi.ResourceNotFound(rw) + return + } + api.Logger.Error(ctx, "get group for user AI budget override", slog.Error(err)) + httpapi.InternalServerError(rw, err) + return + } + + override, err := api.Database.UpsertUserAIBudgetOverride(ctx, database.UpsertUserAIBudgetOverrideParams{ + UserID: user.ID, + GroupID: req.GroupID, + SpendLimitMicros: req.SpendLimitMicros, + }) + // A trigger enforces that the user must be a member of the attributed + // group; it raises check_violation with this constraint name. Map + // the violation to a structured 400. + if database.IsCheckViolation(err, userAIBudgetOverridesMustBeGroupMemberConstraint) { + httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ + Message: "User is not a member of the referenced group.", + Validations: []codersdk.ValidationError{{ + Field: "group_id", + Detail: "user must be a member of this group", + }}, + }) + return + } + if httpapi.Is404Error(err) { + httpapi.ResourceNotFound(rw) + return + } + if err != nil { + api.Logger.Error(ctx, "upsert user AI budget override", slog.Error(err)) + httpapi.InternalServerError(rw, err) + return + } + + httpapi.Write(ctx, rw, http.StatusOK, db2sdk.UserAIBudgetOverride(override)) +} + +// @Summary Delete user AI budget override +// @ID delete-user-ai-budget-override +// @Security CoderSessionToken +// @Tags Enterprise +// @Param user path string true "User ID, username, or me" +// @Success 204 +// @Router /api/v2/users/{user}/ai/budget [delete] +func (api *API) deleteUserAIBudgetOverride(rw http.ResponseWriter, r *http.Request) { + ctx := r.Context() + user := httpmw.UserParam(r) + + _, err := api.Database.DeleteUserAIBudgetOverride(ctx, user.ID) + if httpapi.Is404Error(err) { + httpapi.ResourceNotFound(rw) + return + } + if err != nil { + api.Logger.Error(ctx, "delete user AI budget override", slog.Error(err)) + httpapi.InternalServerError(rw, err) + return + } + + rw.WriteHeader(http.StatusNoContent) +} diff --git a/enterprise/coderd/aibridge_reload_test.go b/enterprise/coderd/aibridge_reload_test.go index 65f678df6e..e3370c8f7d 100644 --- a/enterprise/coderd/aibridge_reload_test.go +++ b/enterprise/coderd/aibridge_reload_test.go @@ -211,6 +211,18 @@ func TestAIBridgeProviderHotReload(t *testing.T) { "expected provider %q to stop routing", providerName) } + // requireDisabledSentinel polls until the provider name yields a + // 503 with the provider_disabled body, indicating the disabled + // handler is wired up for the row. + requireDisabledSentinel := func(t *testing.T, providerName string) { + t.Helper() + require.Eventuallyf(t, func() bool { + status, _ := sendRequest(providerName) + return status == http.StatusServiceUnavailable + }, testutil.WaitShort, testutil.IntervalFast, + "expected provider %q to serve the disabled sentinel", providerName) + } + // 1. Create: provider points at upstream A. created, err := client.CreateAIProvider(ctx, codersdk.CreateAIProviderRequest{ Type: codersdk.AIProviderTypeOpenAI, @@ -233,14 +245,14 @@ func TestAIBridgeProviderHotReload(t *testing.T) { requireRoutesTo(t, "primary", upstreamB) requireProviderStatus(t, "primary", "enabled") - // 3. Disable: the provider drops out of the snapshot, requests - // stop reaching any upstream. The metric flips to "disabled". + // 3. Disable: requests stop reaching upstream and the bridge + // answers with the 503 sentinel. The metric flips to "disabled". disabled := false _, err = client.UpdateAIProvider(ctx, "primary", codersdk.UpdateAIProviderRequest{ Enabled: &disabled, }) require.NoError(t, err) - requireRoutingGone(t, "primary") + requireDisabledSentinel(t, "primary") requireProviderStatus(t, "primary", "disabled") // 4. Re-enable: routing comes back at the most recent BaseURL. diff --git a/enterprise/coderd/aibridge_test.go b/enterprise/coderd/aibridge_test.go index 158f682842..1faadd1f53 100644 --- a/enterprise/coderd/aibridge_test.go +++ b/enterprise/coderd/aibridge_test.go @@ -2871,6 +2871,447 @@ func TestGroupAIBudget(t *testing.T) { }) } +func TestUserAIBudgetOverride(t *testing.T) { + t.Parallel() + + t.Run("Upsert/CreatesAndUpdates", func(t *testing.T) { + t.Parallel() + + adminClient, targetUser, group := setupUserAIBudgetOverrideTest(t) + ctx := testutil.Context(t, testutil.WaitLong) + + // First upsert creates the override. + newOverride, err := adminClient.UpsertUserAIBudgetOverride(ctx, targetUser.ID, codersdk.UpsertUserAIBudgetOverrideRequest{ + GroupID: group.ID, + SpendLimitMicros: 500_000_000, + }) + require.NoError(t, err) + require.Equal(t, targetUser.ID, newOverride.UserID) + require.Equal(t, group.ID, newOverride.GroupID) + require.EqualValues(t, 500_000_000, newOverride.SpendLimitMicros) + + // Second upsert updates the existing override. + updatedOverride, err := adminClient.UpsertUserAIBudgetOverride(ctx, targetUser.ID, codersdk.UpsertUserAIBudgetOverrideRequest{ + GroupID: group.ID, + SpendLimitMicros: 1_000_000_000, + }) + require.NoError(t, err) + require.EqualValues(t, 1_000_000_000, updatedOverride.SpendLimitMicros) + + // GET returns the latest value. + currentOverride, err := adminClient.UserAIBudgetOverride(ctx, targetUser.ID) + require.NoError(t, err) + require.EqualValues(t, 1_000_000_000, currentOverride.SpendLimitMicros) + }) + + t.Run("Upsert/ReassignsGroup", func(t *testing.T) { + t.Parallel() + + adminClient, targetUser, groupA := setupUserAIBudgetOverrideTest(t) + ctx := testutil.Context(t, testutil.WaitLong) + + // First upsert: attribute spend to groupA. + _, err := adminClient.UpsertUserAIBudgetOverride(ctx, targetUser.ID, codersdk.UpsertUserAIBudgetOverrideRequest{ + GroupID: groupA.ID, + SpendLimitMicros: 500_000_000, + }) + require.NoError(t, err) + + // Create groupB in the same org and add the target user. + groupB, err := adminClient.CreateGroup(ctx, targetUser.OrganizationIDs[0], codersdk.CreateGroupRequest{ + Name: "reassign-test-group-b", + }) + require.NoError(t, err) + _, err = adminClient.PatchGroup(ctx, groupB.ID, codersdk.PatchGroupRequest{ + AddUsers: []string{targetUser.ID.String()}, + }) + require.NoError(t, err) + + // Reassign the override's attribution to groupB. + updated, err := adminClient.UpsertUserAIBudgetOverride(ctx, targetUser.ID, codersdk.UpsertUserAIBudgetOverrideRequest{ + GroupID: groupB.ID, + SpendLimitMicros: 500_000_000, + }) + require.NoError(t, err) + require.Equal(t, groupB.ID, updated.GroupID, "upsert should change attributed group") + + // GET reflects the new group. + got, err := adminClient.UserAIBudgetOverride(ctx, targetUser.ID) + require.NoError(t, err) + require.Equal(t, groupB.ID, got.GroupID, "GET should reflect new group") + }) + + t.Run("Upsert/EveryoneGroup", func(t *testing.T) { + t.Parallel() + + adminClient, targetUser, _ := setupUserAIBudgetOverrideTest(t) + ctx := testutil.Context(t, testutil.WaitLong) + + // The Everyone group has id == organization_id, and the target user + // is implicitly a member via organization_members rather than + // group_members. The membership trigger queries + // group_members_expanded (a UNION of both tables), so this case + // exercises the organization_members branch. + everyoneGroupID := targetUser.OrganizationIDs[0] + + override, err := adminClient.UpsertUserAIBudgetOverride(ctx, targetUser.ID, codersdk.UpsertUserAIBudgetOverrideRequest{ + GroupID: everyoneGroupID, + SpendLimitMicros: 500_000_000, + }) + require.NoError(t, err, "should be able to attribute override to Everyone group") + require.Equal(t, targetUser.ID, override.UserID) + require.Equal(t, everyoneGroupID, override.GroupID) + require.EqualValues(t, 500_000_000, override.SpendLimitMicros) + }) + + t.Run("Upsert/AcceptsZeroSpendLimit", func(t *testing.T) { + t.Parallel() + + adminClient, targetUser, group := setupUserAIBudgetOverrideTest(t) + ctx := testutil.Context(t, testutil.WaitLong) + + // 0 is a valid value: it blocks all spend for the user. + override, err := adminClient.UpsertUserAIBudgetOverride(ctx, targetUser.ID, codersdk.UpsertUserAIBudgetOverrideRequest{ + GroupID: group.ID, + SpendLimitMicros: 0, + }) + require.NoError(t, err) + require.EqualValues(t, 0, override.SpendLimitMicros) + }) + + t.Run("Upsert/RejectsNegativeSpend", func(t *testing.T) { + t.Parallel() + + adminClient, targetUser, group := setupUserAIBudgetOverrideTest(t) + ctx := testutil.Context(t, testutil.WaitLong) + + _, err := adminClient.UpsertUserAIBudgetOverride(ctx, targetUser.ID, codersdk.UpsertUserAIBudgetOverrideRequest{ + GroupID: group.ID, + SpendLimitMicros: -1, + }) + var sdkErr *codersdk.Error + require.ErrorAs(t, err, &sdkErr) + require.Equal(t, http.StatusBadRequest, sdkErr.StatusCode()) + }) + + t.Run("Upsert/RejectsUnknownGroup", func(t *testing.T) { + t.Parallel() + + adminClient, targetUser, _ := setupUserAIBudgetOverrideTest(t) + ctx := testutil.Context(t, testutil.WaitLong) + + // A group_id that doesn't exist (or that the caller can't see) + // is rejected by the visibility check before the membership check. + _, err := adminClient.UpsertUserAIBudgetOverride(ctx, targetUser.ID, codersdk.UpsertUserAIBudgetOverrideRequest{ + GroupID: uuid.New(), + SpendLimitMicros: 500_000_000, + }) + var sdkErr *codersdk.Error + require.ErrorAs(t, err, &sdkErr) + require.Equal(t, http.StatusNotFound, sdkErr.StatusCode()) + }) + + t.Run("Upsert/RejectsNonMemberGroup", func(t *testing.T) { + t.Parallel() + + adminClient, targetUser, _ := setupUserAIBudgetOverrideTest(t) + ctx := testutil.Context(t, testutil.WaitLong) + + // Create a second group the target is NOT a member of. + outsiderGroup, err := adminClient.CreateGroup(ctx, targetUser.OrganizationIDs[0], codersdk.CreateGroupRequest{ + Name: "outsider-group", + }) + require.NoError(t, err) + + _, err = adminClient.UpsertUserAIBudgetOverride(ctx, targetUser.ID, codersdk.UpsertUserAIBudgetOverrideRequest{ + GroupID: outsiderGroup.ID, + SpendLimitMicros: 500_000_000, + }) + var sdkErr *codersdk.Error + require.ErrorAs(t, err, &sdkErr) + require.Equal(t, http.StatusBadRequest, sdkErr.StatusCode()) + }) + + t.Run("Get/AbsentReturns404", func(t *testing.T) { + t.Parallel() + + adminClient, targetUser, _ := setupUserAIBudgetOverrideTest(t) + ctx := testutil.Context(t, testutil.WaitLong) + + _, err := adminClient.UserAIBudgetOverride(ctx, targetUser.ID) + var sdkErr *codersdk.Error + require.ErrorAs(t, err, &sdkErr) + require.Equal(t, http.StatusNotFound, sdkErr.StatusCode()) + }) + + t.Run("Get/UnknownUserReturns404", func(t *testing.T) { + t.Parallel() + + adminClient, _, _ := setupUserAIBudgetOverrideTest(t) + ctx := testutil.Context(t, testutil.WaitLong) + + _, err := adminClient.UserAIBudgetOverride(ctx, uuid.New()) + var sdkErr *codersdk.Error + require.ErrorAs(t, err, &sdkErr) + require.Equal(t, http.StatusNotFound, sdkErr.StatusCode()) + }) + + t.Run("Delete/RoundTrip", func(t *testing.T) { + t.Parallel() + + adminClient, targetUser, group := setupUserAIBudgetOverrideTest(t) + ctx := testutil.Context(t, testutil.WaitLong) + + _, err := adminClient.UpsertUserAIBudgetOverride(ctx, targetUser.ID, codersdk.UpsertUserAIBudgetOverrideRequest{ + GroupID: group.ID, + SpendLimitMicros: 500_000_000, + }) + require.NoError(t, err) + + require.NoError(t, adminClient.DeleteUserAIBudgetOverride(ctx, targetUser.ID)) + + _, err = adminClient.UserAIBudgetOverride(ctx, targetUser.ID) + var sdkErr *codersdk.Error + require.ErrorAs(t, err, &sdkErr) + require.Equal(t, http.StatusNotFound, sdkErr.StatusCode()) + }) + + t.Run("Delete/AbsentReturns404", func(t *testing.T) { + t.Parallel() + + adminClient, targetUser, _ := setupUserAIBudgetOverrideTest(t) + ctx := testutil.Context(t, testutil.WaitLong) + + err := adminClient.DeleteUserAIBudgetOverride(ctx, targetUser.ID) + var sdkErr *codersdk.Error + require.ErrorAs(t, err, &sdkErr) + require.Equal(t, http.StatusNotFound, sdkErr.StatusCode()) + }) +} + +// TestUserAIBudgetOverrideRoleAccess verifies the authz matrix for the roles +// expected to interact with user budget overrides: +// +// - Owner / UserAdmin: full CRUD. +// - OrgAdmin / OrgUserAdmin: read-only. Writes require ActionUpdate on the +// User resource (site-scoped), which neither role has. +// +//nolint:tparallel // Subtests run sequentially: they share the same deployment and group, and parallel PatchGroup calls on the same group race. +func TestUserAIBudgetOverrideRoleAccess(t *testing.T) { + t.Parallel() + + dv := coderdtest.DeploymentValues(t) + dv.AI.BridgeConfig.Enabled = serpent.Bool(true) + ownerClient, owner := coderdenttest.New(t, &coderdenttest.Options{ + Options: &coderdtest.Options{DeploymentValues: dv}, + LicenseOptions: &coderdenttest.LicenseOptions{ + Features: license.Features{ + codersdk.FeatureTemplateRBAC: 1, + codersdk.FeatureAIBridge: 1, + }, + }, + }) + userAdminClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID, rbac.RoleUserAdmin()) + orgAdminClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID, rbac.ScopedRoleOrgAdmin(owner.OrganizationID)) + orgUserAdminClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID, rbac.ScopedRoleOrgUserAdmin(owner.OrganizationID)) + + setupCtx := testutil.Context(t, testutil.WaitLong) + group, err := userAdminClient.CreateGroup(setupCtx, owner.OrganizationID, codersdk.CreateGroupRequest{ + Name: "role-access-group", + }) + require.NoError(t, err) + + cases := []struct { + Name string + Client *codersdk.Client + CanWrite bool + }{ + {Name: "Owner", Client: ownerClient, CanWrite: true}, + {Name: "UserAdmin", Client: userAdminClient, CanWrite: true}, + {Name: "OrgAdmin", Client: orgAdminClient, CanWrite: false}, + {Name: "OrgUserAdmin", Client: orgUserAdminClient, CanWrite: false}, + } + + //nolint:paralleltest // Subtests run sequentially: they share the same deployment and group, and parallel PatchGroup calls on the same group race. + for _, tc := range cases { + t.Run(tc.Name, func(t *testing.T) { + ctx := testutil.Context(t, testutil.WaitLong) + + // Each case gets a fresh target user. + _, targetUser := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID) + _, err := userAdminClient.PatchGroup(ctx, group.ID, codersdk.PatchGroupRequest{ + AddUsers: []string{targetUser.ID.String()}, + }) + require.NoError(t, err) + + upsertReq := codersdk.UpsertUserAIBudgetOverrideRequest{ + GroupID: group.ID, + SpendLimitMicros: 500_000_000, + } + + if tc.CanWrite { + // Full CRUD lifecycle. + override, err := tc.Client.UpsertUserAIBudgetOverride(ctx, targetUser.ID, upsertReq) + require.NoError(t, err, "PUT") + require.Equal(t, group.ID, override.GroupID) + + got, err := tc.Client.UserAIBudgetOverride(ctx, targetUser.ID) + require.NoError(t, err, "GET") + require.EqualValues(t, 500_000_000, got.SpendLimitMicros) + + err = tc.Client.DeleteUserAIBudgetOverride(ctx, targetUser.ID) + require.NoError(t, err, "DELETE") + } else { + // PUT rejected. + _, err := tc.Client.UpsertUserAIBudgetOverride(ctx, targetUser.ID, upsertReq) + var sdkErr *codersdk.Error + require.ErrorAs(t, err, &sdkErr) + require.Equal(t, http.StatusNotFound, sdkErr.StatusCode(), "PUT") + + // Seed a row via UserAdmin so we can verify read access still works. + _, err = userAdminClient.UpsertUserAIBudgetOverride(ctx, targetUser.ID, upsertReq) + require.NoError(t, err) + + // GET still works (all roles have ActionRead on User). + got, err := tc.Client.UserAIBudgetOverride(ctx, targetUser.ID) + require.NoError(t, err, "GET") + require.EqualValues(t, 500_000_000, got.SpendLimitMicros) + + // DELETE rejected. + err = tc.Client.DeleteUserAIBudgetOverride(ctx, targetUser.ID) + require.ErrorAs(t, err, &sdkErr) + require.Equal(t, http.StatusNotFound, sdkErr.StatusCode(), "DELETE") + } + }) + } +} + +// TestUserAIBudgetOverrideDeletedOnMembershipRemoval verifies that a per-user +// override is deleted automatically when the user loses membership in the +// attributed group. Two paths are exercised: +// +// - RegularGroup: membership stored in group_members; removed via +// PatchGroup with RemoveUsers. +// - EveryoneGroup: membership stored in organization_members; removed +// via DeleteOrganizationMember. +func TestUserAIBudgetOverrideDeletedOnMembershipRemoval(t *testing.T) { + t.Parallel() + + dv := coderdtest.DeploymentValues(t) + dv.AI.BridgeConfig.Enabled = serpent.Bool(true) + ownerClient, owner := coderdenttest.New(t, &coderdenttest.Options{ + Options: &coderdtest.Options{DeploymentValues: dv}, + LicenseOptions: &coderdenttest.LicenseOptions{ + Features: license.Features{ + codersdk.FeatureTemplateRBAC: 1, + codersdk.FeatureAIBridge: 1, + }, + }, + }) + adminClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID, rbac.RoleUserAdmin()) + + // "Regular group" means any group except "Everyone". + t.Run("RegularGroup", func(t *testing.T) { + t.Parallel() + + ctx := testutil.Context(t, testutil.WaitLong) + + _, targetUser := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID) + + group, err := adminClient.CreateGroup(ctx, owner.OrganizationID, codersdk.CreateGroupRequest{ + Name: "cascade-regular-group", + }) + require.NoError(t, err) + + _, err = adminClient.PatchGroup(ctx, group.ID, codersdk.PatchGroupRequest{ + AddUsers: []string{targetUser.ID.String()}, + }) + require.NoError(t, err) + + _, err = adminClient.UpsertUserAIBudgetOverride(ctx, targetUser.ID, codersdk.UpsertUserAIBudgetOverrideRequest{ + GroupID: group.ID, + SpendLimitMicros: 500_000_000, + }) + require.NoError(t, err, "set override") + + // Sanity-check the override exists. + _, err = adminClient.UserAIBudgetOverride(ctx, targetUser.ID) + require.NoError(t, err, "override should exist before removal") + + _, err = adminClient.PatchGroup(ctx, group.ID, codersdk.PatchGroupRequest{ + RemoveUsers: []string{targetUser.ID.String()}, + }) + require.NoError(t, err, "remove user from group") + + _, err = adminClient.UserAIBudgetOverride(ctx, targetUser.ID) + var sdkErr *codersdk.Error + require.ErrorAs(t, err, &sdkErr) + require.Equal(t, http.StatusNotFound, sdkErr.StatusCode(), + "override should be deleted after user is removed from the attributed group") + }) + + t.Run("EveryoneGroup", func(t *testing.T) { + t.Parallel() + + ctx := testutil.Context(t, testutil.WaitLong) + + _, targetUser := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID) + + // The Everyone group has id == organization_id. + everyoneGroupID := owner.OrganizationID + + _, err := adminClient.UpsertUserAIBudgetOverride(ctx, targetUser.ID, codersdk.UpsertUserAIBudgetOverrideRequest{ + GroupID: everyoneGroupID, + SpendLimitMicros: 500_000_000, + }) + require.NoError(t, err, "set override") + + // Sanity-check the override exists. + _, err = adminClient.UserAIBudgetOverride(ctx, targetUser.ID) + require.NoError(t, err, "override should exist before removal") + + err = adminClient.DeleteOrganizationMember(ctx, owner.OrganizationID, targetUser.ID.String()) + require.NoError(t, err, "remove user from organization") + + _, err = adminClient.UserAIBudgetOverride(ctx, targetUser.ID) + var sdkErr *codersdk.Error + require.ErrorAs(t, err, &sdkErr) + require.Equal(t, http.StatusNotFound, sdkErr.StatusCode(), + "override should be deleted after user is removed from the organization") + }) +} + +// setupUserAIBudgetOverrideTest returns an Admin client, a target user, and a +// group the target user is a member of. +func setupUserAIBudgetOverrideTest(t *testing.T) (adminClient *codersdk.Client, targetUser codersdk.User, group codersdk.Group) { + t.Helper() + + dv := coderdtest.DeploymentValues(t) + dv.AI.BridgeConfig.Enabled = serpent.Bool(true) + ownerClient, owner := coderdenttest.New(t, &coderdenttest.Options{ + Options: &coderdtest.Options{DeploymentValues: dv}, + LicenseOptions: &coderdenttest.LicenseOptions{ + Features: license.Features{ + codersdk.FeatureTemplateRBAC: 1, + codersdk.FeatureAIBridge: 1, + }, + }, + }) + adminClient, _ = coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID, rbac.RoleUserAdmin()) + _, targetUser = coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID) + + ctx := testutil.Context(t, testutil.WaitLong) + g, err := adminClient.CreateGroup(ctx, owner.OrganizationID, codersdk.CreateGroupRequest{ + Name: "override-test-group", + }) + require.NoError(t, err) + g, err = adminClient.PatchGroup(ctx, g.ID, codersdk.PatchGroupRequest{ + AddUsers: []string{targetUser.ID.String()}, + }) + require.NoError(t, err) + return adminClient, targetUser, g +} + // setupGroupAIBudgetTest returns an Admin client along with a newly created group inside it. func setupGroupAIBudgetTest(t *testing.T) (adminClient *codersdk.Client, group codersdk.Group) { t.Helper() diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go index 2a55c6218f..33732eea3d 100644 --- a/enterprise/coderd/coderd.go +++ b/enterprise/coderd/coderd.go @@ -596,6 +596,17 @@ func New(ctx context.Context, options *Options) (_ *API, err error) { r.Get("/", api.userQuietHoursSchedule) r.Put("/", api.putUserQuietHoursSchedule) }) + r.Route("/users/{user}/ai/budget", func(r chi.Router) { + // AI cost controls are a paid feature (AI Governance add-on). + r.Use( + api.RequireFeatureMW(codersdk.FeatureAIBridge), + apiKeyMiddleware, + httpmw.ExtractUserParam(options.Database), + ) + r.Get("/", api.userAIBudgetOverride) + r.Put("/", api.upsertUserAIBudgetOverride) + r.Delete("/", api.deleteUserAIBudgetOverride) + }) r.Route("/prebuilds", func(r chi.Router) { r.Use( apiKeyMiddleware, diff --git a/flake.nix b/flake.nix index d22dbcd72c..5b92eb07ce 100644 --- a/flake.nix +++ b/flake.nix @@ -61,6 +61,30 @@ inherit nodejs; # Ensure it points to the above nodejs version }; + mise = pkgs.stdenvNoCC.mkDerivation rec { + pname = "mise"; + version = "2026.5.12"; + target = { + x86_64-linux = "linux-x64"; + aarch64-linux = "linux-arm64"; + x86_64-darwin = "macos-x64"; + aarch64-darwin = "macos-arm64"; + }.${system}; + src = pkgs.fetchurl { + url = "https://github.com/jdx/mise/releases/download/v${version}/mise-v${version}-${target}"; + hash = { + x86_64-linux = "sha256-ojiXKjFi1xC4WyjDJDculspOS0hsgf54aVAA2fvHfEg="; + aarch64-linux = "sha256-/S1SJ6itCx41nHBSeoNFqa2nIHf43LtVk3FlPD2VRk8="; + x86_64-darwin = "sha256-3lfo3IK72ICmnJvIruBrncxXgYSz5c+G/O+AY11qkLQ="; + aarch64-darwin = "sha256-53cHBUD/4iz4srn4iu2ItGHQiH2UDE8cGpc1lGPN5uE="; + }.${system}; + }; + dontUnpack = true; + installPhase = '' + install -Dm755 "$src" "$out/bin/mise" + ''; + }; + # Check in https://search.nixos.org/packages to find new packages. # Use `nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update` # to update the lock file if packages are out-of-date. @@ -109,6 +133,21 @@ vendorHash = "sha256-4Cb15MhKyhRvYVKfMqBwuC3WBBIJE6AinJt02+TSMVY="; }; + paralleltestctx = unstablePkgs.buildGo126Module { + pname = "paralleltestctx"; + version = "0.0.2"; + + src = pkgs.fetchFromGitHub { + owner = "coder"; + repo = "paralleltestctx"; + rev = "v0.0.2"; + sha256 = "sha256-qFQ4LZR2IwqscypD0URSZKXTlhUcz/axDb8NTH5CxLw="; + }; + + subPackages = [ "cmd/paralleltestctx" ]; + vendorHash = "sha256-OuQWmZmofdJKq1hvk43RPkILQwAuFzqhmB22Xf6Z3lA="; + }; + # Keep Terraform aligned with provisioner/terraform/testdata/version.txt # so `make gen` remains deterministic in Nix shells. terraform_1_15_5 = @@ -188,6 +227,7 @@ lazydocker lazygit less + mise unstablePkgs.mockgen moreutils nfpm @@ -195,6 +235,7 @@ nodejs openssh openssl + paralleltestctx pango pixman pkg-config @@ -295,14 +336,6 @@ lib.optionalDrvAttr stdenv.isLinux "${glibcLocales}/lib/locale/locale-archive"; NODE_OPTIONS = "--max-old-space-size=8192"; - BIOME_BINARY = - if pkgs.stdenv.isLinux then - if pkgs.stdenv.hostPlatform.isAarch64 then - "@biomejs/cli-linux-arm64-musl/biome" - else - "@biomejs/cli-linux-x64-musl/biome" - else - ""; GOPRIVATE = "coder.com,cdr.dev,go.coder.com,github.com/cdr,github.com/coder"; }; }; diff --git a/go.mod b/go.mod index fc7e53722e..d4ea36cb27 100644 --- a/go.mod +++ b/go.mod @@ -36,7 +36,7 @@ replace github.com/tcnksm/go-httpstat => github.com/coder/go-httpstat v0.0.0-202 // There are a few minor changes we make to Tailscale that we're slowly upstreaming. Compare here: // https://github.com/tailscale/tailscale/compare/main...coder:tailscale:main -replace tailscale.com => github.com/coder/tailscale v1.1.1-0.20260519043957-6f014ff9434f +replace tailscale.com => github.com/coder/tailscale v1.1.1-0.20260529105257-b7c5fc6e6399 // This is replaced to include // 1. a fix for a data race: c.f. https://github.com/tailscale/wireguard-go/pull/25 @@ -571,7 +571,6 @@ require ( github.com/clipperhouse/displaywidth v0.10.0 // indirect github.com/clipperhouse/uax29/v2 v2.6.0 // indirect github.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2 // indirect - github.com/coder/paralleltestctx v0.0.2 // indirect github.com/containerd/errdefs v1.0.0 // indirect github.com/containerd/errdefs/pkg v0.3.0 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect @@ -618,7 +617,6 @@ require ( github.com/lestrrat-go/httprc/v3 v3.0.5 // indirect github.com/lestrrat-go/jwx/v3 v3.1.1 // indirect github.com/lestrrat-go/option/v2 v2.0.0 // indirect - github.com/mattn/go-shellwords v1.0.12 // indirect github.com/minio/highwayhash v1.0.4-0.20251030100505-070ab1a87a76 // indirect github.com/moby/moby/api v1.54.0 // indirect github.com/moby/moby/client v0.3.0 // indirect @@ -632,7 +630,6 @@ require ( github.com/pb33f/ordered-map/v2 v2.3.1 // indirect github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/puzpuzpuz/xsync/v3 v3.5.1 // indirect - github.com/rhysd/actionlint v1.7.10 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/samber/lo v1.52.0 // indirect github.com/segmentio/asm v1.2.1 // indirect @@ -664,9 +661,7 @@ require ( ) tool ( - github.com/coder/paralleltestctx/cmd/paralleltestctx github.com/daixiang0/gci - github.com/rhysd/actionlint/cmd/actionlint github.com/swaggo/swag/cmd/swag go.uber.org/mock/mockgen golang.org/x/tools/cmd/goimports diff --git a/go.sum b/go.sum index 3c08d31834..5840cb7bf5 100644 --- a/go.sum +++ b/go.sum @@ -334,8 +334,6 @@ github.com/coder/go-scim/pkg/v2 v2.0.0-20230221055123-1d63c1222136 h1:0RgB61LcNs github.com/coder/go-scim/pkg/v2 v2.0.0-20230221055123-1d63c1222136/go.mod h1:VkD1P761nykiq75dz+4iFqIQIZka189tx1BQLOp0Skc= github.com/coder/guts v1.7.0 h1:TaZ/PR9wgN8dlbcckaWV1MxkkuEFZRwSRwBBEm8dYXs= github.com/coder/guts v1.7.0/go.mod h1:30SShdvpmsauNlsNjECRB5AppScjYk08rf2ZVpH3MFg= -github.com/coder/paralleltestctx v0.0.2 h1:0akzA1oSV0LOl7loR8Mmoq/mu7qGDaFV8DpojotmXiE= -github.com/coder/paralleltestctx v0.0.2/go.mod h1:q/wi6cmlBOhrJKjUtouTn4J9xZlRhK0MbgHvJNdGW3w= github.com/coder/pq v1.10.5-0.20250807075151-6ad9b0a25151 h1:YAxwg3lraGNRwoQ18H7R7n+wsCqNve7Brdvj0F1rDnU= github.com/coder/pq v1.10.5-0.20250807075151-6ad9b0a25151/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/coder/pretty v0.0.0-20230908205945-e89ba86370e0 h1:3A0ES21Ke+FxEM8CXx9n47SZOKOpgSE1bbJzlE4qPVs= @@ -350,8 +348,8 @@ github.com/coder/serpent v0.15.0 h1:jobR7DnPsxzEMD0cRiailwlY+4v6HAPS/8emIgBpaIU= github.com/coder/serpent v0.15.0/go.mod h1:7OIvFBYMd+OqarMy5einBl8AtRr8LliopVU7pyrwucY= github.com/coder/ssh v0.0.0-20231128192721-70855dedb788 h1:YoUSJ19E8AtuUFVYBpXuOD6a/zVP3rcxezNsoDseTUw= github.com/coder/ssh v0.0.0-20231128192721-70855dedb788/go.mod h1:aGQbuCLyhRLMzZF067xc84Lh7JDs1FKwCmF1Crl9dxQ= -github.com/coder/tailscale v1.1.1-0.20260519043957-6f014ff9434f h1:gYivllu5CHhvRr4SM93zSQDj9cG2V+Pc0URTFy3fF/Y= -github.com/coder/tailscale v1.1.1-0.20260519043957-6f014ff9434f/go.mod h1:WTWP5ZNODDXHwWlQ1Jc2MFhqxu93pUs7lIy28Fd5a5E= +github.com/coder/tailscale v1.1.1-0.20260529105257-b7c5fc6e6399 h1:4IhFSmu0DSfWrvmHCb8aXDjWqSEYoIDA1L7Ar82Dm84= +github.com/coder/tailscale v1.1.1-0.20260529105257-b7c5fc6e6399/go.mod h1:IatCC3hlq/ncu6DjZ+GJ/hNjSf5TmO+Xtc6B20k0q/c= github.com/coder/terraform-config-inspect v0.0.0-20250107175719-6d06d90c630e h1:JNLPDi2P73laR1oAclY6jWzAbucf70ASAvf5mh2cME0= github.com/coder/terraform-config-inspect v0.0.0-20250107175719-6d06d90c630e/go.mod h1:Gz/z9Hbn+4KSp8A2FBtNszfLSdT2Tn/uAKGuVqqWmDI= github.com/coder/terraform-provider-coder/v2 v2.18.0 h1:b60ixwf7pVPuiL0GkHZf+1mVj94/HZhCNpsfjAK34mI= @@ -881,8 +879,6 @@ github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+Ei github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw= github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs= -github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk= -github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU= github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw= @@ -1063,8 +1059,6 @@ github.com/quasilyte/go-ruleguard/dsl v0.3.23 h1:lxjt5B6ZCiBeeNO8/oQsegE6fLeCzuM github.com/quasilyte/go-ruleguard/dsl v0.3.23/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU= github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 h1:bsUq1dX0N8AOIL7EB/X911+m4EHsnWEHeJ0c+3TTBrg= github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= -github.com/rhysd/actionlint v1.7.10 h1:FL3XIEs72G4/++168vlv5FKOWMSWvWIQw1kBCadyOcM= -github.com/rhysd/actionlint v1.7.10/go.mod h1:ZHX/hrmknlsJN73InPTKsKdXpAv9wVdrJy8h8HAwFHg= github.com/riandyrn/otelchi v0.5.1 h1:0/45omeqpP7f/cvdL16GddQBfAEmZvUyl2QzLSE6uYo= github.com/riandyrn/otelchi v0.5.1/go.mod h1:ZxVxNEl+jQ9uHseRYIxKWRb3OY8YXFEu+EkNiiSNUEA= github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 h1:4+LEVOB87y175cLJC/mbsgKmoDOjrBldtXvioEy96WY= diff --git a/mise.lock b/mise.lock index babc55e498..9acd58a7c9 100644 --- a/mise.lock +++ b/mise.lock @@ -1,5 +1,53 @@ # @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html +[[tools.actionlint]] +version = "1.7.10" +backend = "aqua:rhysd/actionlint" + +[tools.actionlint."platforms.linux-arm64"] +checksum = "sha256:cd3dfe5f66887ec6b987752d8d9614e59fd22f39415c5ad9f28374623f41773a" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_arm64.tar.gz" + +[tools.actionlint."platforms.linux-arm64-musl"] +checksum = "sha256:cd3dfe5f66887ec6b987752d8d9614e59fd22f39415c5ad9f28374623f41773a" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_arm64.tar.gz" + +[tools.actionlint."platforms.linux-x64"] +checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz" + +[tools.actionlint."platforms.linux-x64-baseline"] +checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz" + +[tools.actionlint."platforms.linux-x64-musl"] +checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz" + +[tools.actionlint."platforms.linux-x64-musl-baseline"] +checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz" + +[tools.actionlint."platforms.macos-arm64"] +checksum = "sha256:004ca87b367b37f4d75c55ab6cf80f9b8c043adbfbd440f31c604d417939c442" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_darwin_arm64.tar.gz" + +[tools.actionlint."platforms.macos-x64"] +checksum = "sha256:16782c41f2af264db80f855ee5d09164ca98fc78edf3bcd0f46eecff279682ba" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_darwin_amd64.tar.gz" + +[tools.actionlint."platforms.macos-x64-baseline"] +checksum = "sha256:16782c41f2af264db80f855ee5d09164ca98fc78edf3bcd0f46eecff279682ba" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_darwin_amd64.tar.gz" + +[tools.actionlint."platforms.windows-x64"] +checksum = "sha256:283467f9d6202a8cb8c00ad8dd0ee4e685b71fb86a6a56c68fcbb9ae8ed91237" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_windows_amd64.zip" + +[tools.actionlint."platforms.windows-x64-baseline"] +checksum = "sha256:283467f9d6202a8cb8c00ad8dd0ee4e685b71fb86a6a56c68fcbb9ae8ed91237" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_windows_amd64.zip" + [[tools."aqua:ahmetb/kubectx/kubens"]] version = "0.9.4" backend = "aqua:ahmetb/kubectx/kubens" @@ -432,14 +480,26 @@ url = "https://dl.google.com/go/go1.26.2.windows-amd64.zip" checksum = "sha256:98eb3570bade15cb826b0909338df6cc6d2cf590bc39c471142002db3832b708" url = "https://dl.google.com/go/go1.26.2.windows-amd64.zip" +[[tools."go:github.com/coder/paralleltestctx/cmd/paralleltestctx"]] +version = "0.0.2" +backend = "go:github.com/coder/paralleltestctx/cmd/paralleltestctx" + [[tools."go:github.com/coder/sqlc/cmd/sqlc"]] version = "337309bfb9524f38466a5090e310040fc7af0203" backend = "go:github.com/coder/sqlc/cmd/sqlc" +[[tools."go:github.com/coder/whichtests"]] +version = "ec33bab1ec04cd86beb7a61a069db4463dba63f5" +backend = "go:github.com/coder/whichtests" + [[tools."go:github.com/golang-migrate/migrate/v4/cmd/migrate"]] version = "v4.19.0" backend = "go:github.com/golang-migrate/migrate/v4/cmd/migrate" +[[tools."go:github.com/golangci/golangci-lint/cmd/golangci-lint"]] +version = "1.64.8" +backend = "go:github.com/golangci/golangci-lint/cmd/golangci-lint" + [[tools."go:github.com/goreleaser/nfpm/v2/cmd/nfpm"]] version = "v2.35.1" backend = "go:github.com/goreleaser/nfpm/v2/cmd/nfpm" @@ -452,10 +512,18 @@ backend = "go:github.com/mikefarah/yq/v4" version = "v0.3.13" backend = "go:github.com/quasilyte/go-ruleguard/cmd/ruleguard" +[[tools."go:github.com/slsyy/mtimehash/cmd/mtimehash"]] +version = "1.0.0" +backend = "go:github.com/slsyy/mtimehash/cmd/mtimehash" + [[tools."go:github.com/swaggo/swag/cmd/swag"]] version = "v1.16.2" backend = "go:github.com/swaggo/swag/cmd/swag" +[[tools."go:github.com/tc-hib/go-winres"]] +version = "0.3.3" +backend = "go:github.com/tc-hib/go-winres" + [[tools."go:go.uber.org/mock/mockgen"]] version = "v0.6.0" backend = "go:go.uber.org/mock/mockgen" @@ -480,54 +548,6 @@ backend = "go:mvdan.cc/sh/v3/cmd/shfmt" version = "v0.0.34" backend = "go:storj.io/drpc/cmd/protoc-gen-go-drpc" -[[tools.golangci-lint]] -version = "1.64.8" -backend = "aqua:golangci/golangci-lint" - -[tools.golangci-lint."platforms.linux-arm64"] -checksum = "sha256:a6ab58ebcb1c48572622146cdaec2956f56871038a54ed1149f1386e287789a5" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-arm64.tar.gz" - -[tools.golangci-lint."platforms.linux-arm64-musl"] -checksum = "sha256:a6ab58ebcb1c48572622146cdaec2956f56871038a54ed1149f1386e287789a5" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-arm64.tar.gz" - -[tools.golangci-lint."platforms.linux-x64"] -checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz" - -[tools.golangci-lint."platforms.linux-x64-baseline"] -checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz" - -[tools.golangci-lint."platforms.linux-x64-musl"] -checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz" - -[tools.golangci-lint."platforms.linux-x64-musl-baseline"] -checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz" - -[tools.golangci-lint."platforms.macos-arm64"] -checksum = "sha256:70543d21e5b02a94079be8aa11267a5b060865583e337fe768d39b5d3e2faf1f" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-arm64.tar.gz" - -[tools.golangci-lint."platforms.macos-x64"] -checksum = "sha256:b52aebb8cb51e00bfd5976099083fbe2c43ef556cef9c87e58a8ae656e740444" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-amd64.tar.gz" - -[tools.golangci-lint."platforms.macos-x64-baseline"] -checksum = "sha256:b52aebb8cb51e00bfd5976099083fbe2c43ef556cef9c87e58a8ae656e740444" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-amd64.tar.gz" - -[tools.golangci-lint."platforms.windows-x64"] -checksum = "sha256:54c2ed3a6b4f2f5da1056fb6e83d6b73b592e06684b65a5999174fabbb251a8f" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-windows-amd64.zip" - -[tools.golangci-lint."platforms.windows-x64-baseline"] -checksum = "sha256:54c2ed3a6b4f2f5da1056fb6e83d6b73b592e06684b65a5999174fabbb251a8f" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-windows-amd64.zip" - [[tools.helm]] version = "3.21.0" backend = "aqua:helm/helm" @@ -723,6 +743,10 @@ url = "https://nodejs.org/dist/v22.19.0/node-v22.19.0-win-x64.zip" version = "0.87.0" backend = "npm:@devcontainers/cli" +[[tools."npm:@puppeteer/browsers"]] +version = "2.13.0" +backend = "npm:@puppeteer/browsers" + [[tools.pnpm]] version = "10.33.2" backend = "aqua:pnpm/pnpm" @@ -848,52 +872,52 @@ url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/ url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.windows.amd64.zip" [[tools.syft]] -version = "1.20.0" +version = "1.26.1" backend = "aqua:anchore/syft" [tools.syft."platforms.linux-arm64"] -checksum = "sha256:53f76737ddbf425c89240d5b0be0990b1a71e66890b44f19743221b17e6ee635" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_arm64.tar.gz" +checksum = "sha256:ed3915cbc9c039f0501cb49d4485125befbd729acc263e767f70a18de3fec10d" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_arm64.tar.gz" [tools.syft."platforms.linux-arm64-musl"] -checksum = "sha256:53f76737ddbf425c89240d5b0be0990b1a71e66890b44f19743221b17e6ee635" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_arm64.tar.gz" +checksum = "sha256:ed3915cbc9c039f0501cb49d4485125befbd729acc263e767f70a18de3fec10d" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_arm64.tar.gz" [tools.syft."platforms.linux-x64"] -checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz" +checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz" [tools.syft."platforms.linux-x64-baseline"] -checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz" +checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz" [tools.syft."platforms.linux-x64-musl"] -checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz" +checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz" [tools.syft."platforms.linux-x64-musl-baseline"] -checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz" +checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz" [tools.syft."platforms.macos-arm64"] -checksum = "sha256:91365712a06af0c0dcd06f5e87fc8791c4332831b3dd6f5474acaaf803d71d82" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_arm64.tar.gz" +checksum = "sha256:00435a3fe2ae940203708ee2eae9976d1719982c628d30b2b78aacd36133ec6b" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_darwin_arm64.tar.gz" [tools.syft."platforms.macos-x64"] -checksum = "sha256:5fdf7afd0f1bfdbb2a1a575eacef8e10edfcb4783631baaa7572a9f4a4d86441" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_amd64.tar.gz" +checksum = "sha256:2eae0b76a208c5916cf02847b94e861024c7a5a6c1e2e606f5436f97747b1f76" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_darwin_amd64.tar.gz" [tools.syft."platforms.macos-x64-baseline"] -checksum = "sha256:5fdf7afd0f1bfdbb2a1a575eacef8e10edfcb4783631baaa7572a9f4a4d86441" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_amd64.tar.gz" +checksum = "sha256:2eae0b76a208c5916cf02847b94e861024c7a5a6c1e2e606f5436f97747b1f76" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_darwin_amd64.tar.gz" [tools.syft."platforms.windows-x64"] -checksum = "sha256:b8bfdedb261de2a69768097422a73bc72273ee92136ff676a20c3161e658881f" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_windows_amd64.zip" +checksum = "sha256:7af7acb9f81bdddbc343855cb3a42e1d38ae9a1b044bfcd9b975a118d107849e" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_windows_amd64.zip" [tools.syft."platforms.windows-x64-baseline"] -checksum = "sha256:b8bfdedb261de2a69768097422a73bc72273ee92136ff676a20c3161e658881f" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_windows_amd64.zip" +checksum = "sha256:7af7acb9f81bdddbc343855cb3a42e1d38ae9a1b044bfcd9b975a118d107849e" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_windows_amd64.zip" [[tools.terraform]] version = "1.15.5" @@ -942,3 +966,56 @@ url = "https://releases.hashicorp.com/terraform/1.15.5/terraform_1.15.5_windows_ [tools.terraform."platforms.windows-x64-baseline"] checksum = "sha256:2f652dd854af7b7fbb51301afc55b5ef1d3f6e287be7889d4cc3818df891cd38" url = "https://releases.hashicorp.com/terraform/1.15.5/terraform_1.15.5_windows_amd64.zip" + +[[tools.zizmor]] +version = "1.11.0" +backend = "aqua:zizmorcore/zizmor" + +[tools.zizmor."platforms.linux-arm64"] +checksum = "sha256:ce6d71e796b7d3663449151b08cee7c659f89bf36095c432e25169c857f479f0" +url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-aarch64-unknown-linux-gnu.tar.gz" +provenance = "github-attestations" + +[tools.zizmor."platforms.linux-arm64-musl"] +provenance = "github-attestations" + +[tools.zizmor."platforms.linux-x64"] +checksum = "sha256:da35e666827cbb1e6ca98b18b7969657b9f186467bfebfa25e730aac527c36f8" +url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-unknown-linux-gnu.tar.gz" +provenance = "github-attestations" + +[tools.zizmor."platforms.linux-x64-baseline"] +checksum = "sha256:da35e666827cbb1e6ca98b18b7969657b9f186467bfebfa25e730aac527c36f8" +url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-unknown-linux-gnu.tar.gz" +provenance = "github-attestations" + +[tools.zizmor."platforms.linux-x64-musl"] +provenance = "github-attestations" + +[tools.zizmor."platforms.linux-x64-musl-baseline"] +provenance = "github-attestations" + +[tools.zizmor."platforms.macos-arm64"] +checksum = "sha256:7cf59f08cb50f539ab9ddc6be1d463c81e31f5b189d148fc6f786adf9fc42a5f" +url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-aarch64-apple-darwin.tar.gz" +provenance = "github-attestations" + +[tools.zizmor."platforms.macos-x64"] +checksum = "sha256:a1f60dd09527ce546ff86e49ebfa1ab4a6c5d16365662e6932f8d0f46fbb18b2" +url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-apple-darwin.tar.gz" +provenance = "github-attestations" + +[tools.zizmor."platforms.macos-x64-baseline"] +checksum = "sha256:a1f60dd09527ce546ff86e49ebfa1ab4a6c5d16365662e6932f8d0f46fbb18b2" +url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-apple-darwin.tar.gz" +provenance = "github-attestations" + +[tools.zizmor."platforms.windows-x64"] +checksum = "sha256:35e038bdbde6fcfdf947c947c7c3fc83c5043e0ded0e5b0d59c30c8eda97fd3a" +url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-pc-windows-msvc.zip" +provenance = "github-attestations" + +[tools.zizmor."platforms.windows-x64-baseline"] +checksum = "sha256:35e038bdbde6fcfdf947c947c7c3fc83c5043e0ded0e5b0d59c30c8eda97fd3a" +url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-pc-windows-msvc.zip" +provenance = "github-attestations" diff --git a/mise.toml b/mise.toml index b148fe41c6..4ce58d3c86 100644 --- a/mise.toml +++ b/mise.toml @@ -1,5 +1,6 @@ -# Keep in lockstep with MISE_VERSION in dogfood/coder/ubuntu-*/Dockerfile.base, -# .github/workflows/dogfood.yaml, and scripts/dogfood/mise-oci-wrapper.sh. +# Keep in lockstep with .github/actions/setup-mise/action.yml, +# .github/actions/setup-mise/checksums.toml, flake.nix, +# dogfood/coder/ubuntu-*/Dockerfile.base, and scripts/dogfood/mise-oci-wrapper.sh. min_version = "2026.5.12" [settings] @@ -19,8 +20,17 @@ protoc = "23.4" protoc-gen-go = "1.30.0" # Go development tools. +"go:github.com/coder/paralleltestctx/cmd/paralleltestctx" = "v0.0.2" +"go:github.com/coder/whichtests" = "ec33bab1ec04cd86beb7a61a069db4463dba63f5" +# Keep golangci-lint on the Go backend while pinned to v1. The upstream +# precompiled v1 binary is built with an older Go toolchain and cannot lint +# this module's Go version. Upgrading to v2 should let us use the native +# golangci-lint mise/aqua backend and GitHub release binaries. +"go:github.com/golangci/golangci-lint/cmd/golangci-lint" = "v1.64.8" "go:github.com/golang-migrate/migrate/v4/cmd/migrate" = "v4.19.0" "go:github.com/goreleaser/nfpm/v2/cmd/nfpm" = "v2.35.1" +"go:github.com/slsyy/mtimehash/cmd/mtimehash" = "v1.0.0" +"go:github.com/tc-hib/go-winres" = "v0.3.3" "go:github.com/mikefarah/yq/v4" = "v4.44.3" "go:github.com/quasilyte/go-ruleguard/cmd/ruleguard" = "v0.3.13" "go:github.com/swaggo/swag/cmd/swag" = "v1.16.2" @@ -30,17 +40,18 @@ protoc-gen-go = "1.30.0" "go:mvdan.cc/sh/v3/cmd/shfmt" = "v3.12.0" # Infrastructure, release, and lint CLIs. +actionlint = "1.7.10" "aqua:ahmetb/kubectx/kubens" = "0.9.4" cosign = "2.4.3" # crane is the registry client `mise oci push` shells out to. Sourced # here so it travels with the rest of the mise toolset (one source of # truth, deterministic version, no apt drift across CI / wrapper). crane = "0.21.6" -golangci-lint = "1.64.8" helm = "3.21.0" kubectx = "0.9.4" -syft = "1.20.0" +syft = "1.26.1" terraform = "1.15.5" +zizmor = "1.11.0" # Developer-environment niceties for the dogfood image. Non-dogfood # users who run `mise install` here will pull these too; they are @@ -60,6 +71,9 @@ lazygit = "0.61.1" # Pre-installs the binary so the upstream devcontainers-cli coder # module's `command -v devcontainer` short-circuit fires "npm:@devcontainers/cli" = "0.87.0" +# weekly-docs uses this pinned Puppeteer browser installer to install Chrome for +# action-linkspector without resolving mutable npm metadata at runtime. +"npm:@puppeteer/browsers" = "2.13.0" # sqlc (coder fork) bundles sqlite via cgo, so the `go install` build # needs CGO_ENABLED=1. Scope it with `install_env` so it only applies diff --git a/offlinedocs/package.json b/offlinedocs/package.json index cdc35b1e50..94720c7a06 100644 --- a/offlinedocs/package.json +++ b/offlinedocs/package.json @@ -31,7 +31,7 @@ }, "devDependencies": { "@types/lodash": "4.17.24", - "@types/node": "20.19.39", + "@types/node": "20.19.41", "@types/react": "18.3.12", "@types/react-dom": "18.3.1", "@types/sanitize-html": "2.16.1", diff --git a/offlinedocs/pnpm-lock.yaml b/offlinedocs/pnpm-lock.yaml index 60120df521..5d266d8204 100644 --- a/offlinedocs/pnpm-lock.yaml +++ b/offlinedocs/pnpm-lock.yaml @@ -69,8 +69,8 @@ importers: specifier: 4.17.24 version: 4.17.24 '@types/node': - specifier: 20.19.39 - version: 20.19.39 + specifier: 20.19.41 + version: 20.19.41 '@types/react': specifier: 18.3.12 version: 18.3.12 @@ -585,8 +585,8 @@ packages: '@types/ms@2.1.0': resolution: {integrity: sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==} - '@types/node@20.19.39': - resolution: {integrity: sha512-orrrD74MBUyK8jOAD/r0+lfa1I2MO6I+vAkmAWzMYbCcgrN4lCrmK52gRFQq/JRxfYPfonkr4b0jcY7Olqdqbw==} + '@types/node@20.19.41': + resolution: {integrity: sha512-ECymXOukMnOoVkC2bb1Vc/w/836DXncOg5m8Xj1RH7xSHZJWNYY6Zh7EH477vcnD5egKNNfy2RpNOmuChhFPgQ==} '@types/parse-json@4.0.2': resolution: {integrity: sha512-dISoDXWWQwUquiKsyZ4Ng+HX2KsPL7LyHKHQwgGFEA3IaKac4Obd+h2a/a6waisAoepJlBcx9paWqjA8/HVjCw==} @@ -3093,7 +3093,7 @@ snapshots: '@types/ms@2.1.0': {} - '@types/node@20.19.39': + '@types/node@20.19.41': dependencies: undici-types: 6.21.0 diff --git a/provisioner/terraform/provision.go b/provisioner/terraform/provision.go index 592bc3c9cc..90c96403bc 100644 --- a/provisioner/terraform/provision.go +++ b/provisioner/terraform/provision.go @@ -381,7 +381,7 @@ func provisionEnv( "CODER_WORKSPACE_BUILD_ID="+metadata.GetWorkspaceBuildId(), "CODER_TASK_ID="+metadata.GetTaskId(), "CODER_TASK_PROMPT="+metadata.GetTaskPrompt(), - "AWS_SDK_UA_APP_ID=APN_1.1/pc_cdfmjwn8i6u8l9fwz8h82e4w3$", + awsSDKUserAgentEnv(safeEnvironValue(env, awsSDKUserAgentEnvKey)), ) if metadata.GetPrebuiltWorkspaceBuildStage().IsPrebuild() { env = append(env, provider.IsPrebuildEnvironmentVariable()+"=true") diff --git a/provisioner/terraform/safeenv.go b/provisioner/terraform/safeenv.go index 4da2fc32cd..a42a899bc8 100644 --- a/provisioner/terraform/safeenv.go +++ b/provisioner/terraform/safeenv.go @@ -53,3 +53,39 @@ func safeEnviron() []string { } return strippedEnv } + +// safeEnvironValue returns the value of the named variable in the given +// `KEY=VALUE` environment slice, or an empty string if it is not present. +func safeEnvironValue(env []string, name string) string { + prefix := name + "=" + for _, e := range env { + if strings.HasPrefix(e, prefix) { + return strings.TrimPrefix(e, prefix) + } + } + return "" +} + +const ( + awsSDKUserAgentEnvKey = "AWS_SDK_UA_APP_ID" + // awsSDKUserAgentCoder is Coder's AWS Partner Revenue Measurement + // User-Agent string. The `APN_1.1/pc_$` format and the + // space-delimited append behavior below follow AWS's guidance: + // https://docs.aws.amazon.com/PRM/latest/aws-prm-onboarding-guide/automated-user-agent.html + awsSDKUserAgentCoder = "APN_1.1/pc_cdfmjwn8i6u8l9fwz8h82e4w3$" +) + +// awsSDKUserAgentEnv returns the AWS_SDK_UA_APP_ID value to pass to the +// Terraform subprocess. If the caller's environment already configures an +// Application ID (e.g. an operator who is also an AWS Partner and wants +// their own revenue attribution), Coder's value is appended with a space +// delimiter so both attributions are preserved. Otherwise Coder's value is +// used on its own. +// +// See: https://docs.aws.amazon.com/PRM/latest/aws-prm-onboarding-guide/automated-user-agent.html +func awsSDKUserAgentEnv(existing string) string { + if existing == "" { + return awsSDKUserAgentEnvKey + "=" + awsSDKUserAgentCoder + } + return awsSDKUserAgentEnvKey + "=" + existing + " " + awsSDKUserAgentCoder +} diff --git a/provisioner/terraform/safeenv_internal_test.go b/provisioner/terraform/safeenv_internal_test.go new file mode 100644 index 0000000000..1863f8fee1 --- /dev/null +++ b/provisioner/terraform/safeenv_internal_test.go @@ -0,0 +1,44 @@ +package terraform + +import ( + "testing" + + "github.com/stretchr/testify/require" +) + +func TestSafeEnvironValue(t *testing.T) { + t.Parallel() + + env := []string{ + "FOO=bar", + "AWS_SDK_UA_APP_ID=my-existing-id", + "BAZ=qux", + } + require.Equal(t, "my-existing-id", safeEnvironValue(env, "AWS_SDK_UA_APP_ID")) + require.Equal(t, "bar", safeEnvironValue(env, "FOO")) + require.Equal(t, "", safeEnvironValue(env, "MISSING")) +} + +func TestAWSSDKUserAgentEnv(t *testing.T) { + t.Parallel() + + t.Run("NoExisting", func(t *testing.T) { + t.Parallel() + require.Equal(t, + "AWS_SDK_UA_APP_ID=APN_1.1/pc_cdfmjwn8i6u8l9fwz8h82e4w3$", + awsSDKUserAgentEnv(""), + ) + }) + + t.Run("AppendToExisting", func(t *testing.T) { + t.Parallel() + // When the operator is themselves an AWS Partner and has set their own + // Application ID, we append Coder's with a space delimiter so both + // attributions are preserved. See: + // https://docs.aws.amazon.com/PRM/latest/aws-prm-onboarding-guide/automated-user-agent.html + require.Equal(t, + "AWS_SDK_UA_APP_ID=EXISTING_APP_ID APN_1.1/pc_cdfmjwn8i6u8l9fwz8h82e4w3$", + awsSDKUserAgentEnv("EXISTING_APP_ID"), + ) + }) +} diff --git a/pty/ptytest/ptytest.go b/pty/ptytest/ptytest.go index 7aaac5b2dc..191f4cf622 100644 --- a/pty/ptytest/ptytest.go +++ b/pty/ptytest/ptytest.go @@ -1,27 +1,14 @@ package ptytest import ( - "bufio" - "bytes" - "context" - "fmt" - "io" - "regexp" "runtime" - "slices" - "strings" "sync" "testing" - "time" - "unicode/utf8" - "github.com/acarl005/stripansi" "github.com/stretchr/testify/require" - "go.uber.org/atomic" - "golang.org/x/xerrors" "github.com/coder/coder/v2/pty" - "github.com/coder/coder/v2/testutil" + "github.com/coder/coder/v2/testutil/expecter" "github.com/coder/serpent" ) @@ -31,10 +18,11 @@ func New(t *testing.T, opts ...pty.Option) *PTY { ptty, err := newTestPTY(opts...) require.NoError(t, err) - e := newExpecter(t, ptty.Output(), "cmd") + e := expecter.New(t, ptty.Output(), "cmd") r := &PTY{ - outExpecter: e, - PTY: ptty, + t: t, + Expecter: *e, + PTY: ptty, } // Ensure pty is cleaned up at the end of test. t.Cleanup(func() { @@ -54,11 +42,12 @@ func Start(t *testing.T, cmd *pty.Cmd, opts ...pty.StartOption) (*PTYCmd, pty.Pr _ = ps.Kill() _ = ps.Wait() }) - ex := newExpecter(t, ptty.OutputReader(), cmd.Args[0]) + ex := expecter.New(t, ptty.OutputReader(), cmd.Args[0]) r := &PTYCmd{ - outExpecter: ex, - PTYCmd: ptty, + Expecter: *ex, + PTYCmd: ptty, + t: t, } t.Cleanup(func() { _ = r.Close() @@ -66,322 +55,12 @@ func Start(t *testing.T, cmd *pty.Cmd, opts ...pty.StartOption) (*PTYCmd, pty.Pr return r, ps } -func newExpecter(t *testing.T, r io.Reader, name string) outExpecter { - // Use pipe for logging. - logDone := make(chan struct{}) - logr, logw := io.Pipe() - - // Write to log and output buffer. - copyDone := make(chan struct{}) - out := newStdbuf() - w := io.MultiWriter(logw, out) - - ex := outExpecter{ - t: t, - out: out, - name: atomic.NewString(name), - - runeReader: bufio.NewReaderSize(out, utf8.UTFMax), - } - - logClose := func(name string, c io.Closer) { - ex.logf("closing %s", name) - err := c.Close() - ex.logf("closed %s: %v", name, err) - } - // Set the actual close function for the outExpecter. - ex.close = func(reason string) error { - ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) - defer cancel() - - ex.logf("closing expecter: %s", reason) - - // Caller needs to have closed the PTY so that copying can complete - select { - case <-ctx.Done(): - ex.fatalf("close", "copy did not close in time") - case <-copyDone: - } - - logClose("logw", logw) - logClose("logr", logr) - select { - case <-ctx.Done(): - ex.fatalf("close", "log pipe did not close in time") - case <-logDone: - } - - ex.logf("closed expecter") - - return nil - } - - go func() { - defer close(copyDone) - _, err := io.Copy(w, r) - ex.logf("copy done: %v", err) - ex.logf("closing out") - err = out.closeErr(err) - ex.logf("closed out: %v", err) - }() - - // Log all output as part of test for easier debugging on errors. - go func() { - defer close(logDone) - s := bufio.NewScanner(logr) - for s.Scan() { - ex.logf("%q", stripansi.Strip(s.Text())) - } - // Surface non-EOF scanner errors; otherwise they're invisible. - if err := s.Err(); err != nil { - ex.logf("log scanner stopped: %v", err) - } - }() - - return ex -} - -type outExpecter struct { - t *testing.T - close func(reason string) error - out *stdbuf - name *atomic.String - - runeReader *bufio.Reader -} - -// Deprecated: use ExpectMatchContext instead. -// This uses a background context, so will not respect the test's context. -func (e *outExpecter) ExpectMatch(str string) string { - return e.expectMatchContextFunc(str, e.ExpectMatchContext) -} - -func (e *outExpecter) ExpectRegexMatch(str string) string { - return e.expectMatchContextFunc(str, e.ExpectRegexMatchContext) -} - -func (e *outExpecter) expectMatchContextFunc(str string, fn func(ctx context.Context, str string) string) string { - e.t.Helper() - - timeout, cancel := context.WithTimeout(context.Background(), testutil.WaitMedium) - defer cancel() - - return fn(timeout, str) -} - -// TODO(mafredri): Rename this to ExpectMatch when refactoring. -func (e *outExpecter) ExpectMatchContext(ctx context.Context, str string) string { - return e.expectMatcherFunc(ctx, str, strings.Contains) -} - -func (e *outExpecter) ExpectRegexMatchContext(ctx context.Context, str string) string { - return e.expectMatcherFunc(ctx, str, func(src, pattern string) bool { - return regexp.MustCompile(pattern).MatchString(src) - }) -} - -func (e *outExpecter) expectMatcherFunc(ctx context.Context, str string, fn func(src, pattern string) bool) string { - e.t.Helper() - - var buffer bytes.Buffer - err := e.doMatchWithDeadline(ctx, "ExpectMatchContext", func(rd *bufio.Reader) error { - for { - r, _, err := rd.ReadRune() - if err != nil { - return err - } - _, err = buffer.WriteRune(r) - if err != nil { - return err - } - if fn(buffer.String(), str) { - return nil - } - } - }) - if err != nil { - e.fatalf("read error", "%v (wanted %q; got %q)", err, str, buffer.String()) - return "" - } - e.logf("matched %q = %q", str, buffer.String()) - return buffer.String() -} - -// ExpectNoMatchBefore validates that `match` does not occur before `before`. -func (e *outExpecter) ExpectNoMatchBefore(ctx context.Context, match, before string) string { - e.t.Helper() - - var buffer bytes.Buffer - err := e.doMatchWithDeadline(ctx, "ExpectNoMatchBefore", func(rd *bufio.Reader) error { - for { - r, _, err := rd.ReadRune() - if err != nil { - return err - } - _, err = buffer.WriteRune(r) - if err != nil { - return err - } - - if strings.Contains(buffer.String(), match) { - return xerrors.Errorf("found %q before %q", match, before) - } - - if strings.Contains(buffer.String(), before) { - return nil - } - } - }) - if err != nil { - e.fatalf("read error", "%v (wanted no %q before %q; got %q)", err, match, before, buffer.String()) - return "" - } - e.logf("matched %q = %q", before, stripansi.Strip(buffer.String())) - return buffer.String() -} - -func (e *outExpecter) Peek(ctx context.Context, n int) []byte { - e.t.Helper() - - var out []byte - err := e.doMatchWithDeadline(ctx, "Peek", func(rd *bufio.Reader) error { - var err error - out, err = rd.Peek(n) - return err - }) - if err != nil { - e.fatalf("read error", "%v (wanted %d bytes; got %d: %q)", err, n, len(out), out) - return nil - } - e.logf("peeked %d/%d bytes = %q", len(out), n, out) - return slices.Clone(out) -} - //nolint:govet // We don't care about conforming to ReadRune() (rune, int, error). -func (e *outExpecter) ReadRune(ctx context.Context) rune { - e.t.Helper() - - var r rune - err := e.doMatchWithDeadline(ctx, "ReadRune", func(rd *bufio.Reader) error { - var err error - r, _, err = rd.ReadRune() - return err - }) - if err != nil { - e.fatalf("read error", "%v (wanted rune; got %q)", err, r) - return 0 - } - e.logf("matched rune = %q", r) - return r -} - -func (e *outExpecter) ReadLine(ctx context.Context) string { - e.t.Helper() - - var buffer bytes.Buffer - err := e.doMatchWithDeadline(ctx, "ReadLine", func(rd *bufio.Reader) error { - for { - r, _, err := rd.ReadRune() - if err != nil { - return err - } - if r == '\n' { - return nil - } - if r == '\r' { - // Peek the next rune to see if it's an LF and then consume - // it. - - // Unicode code points can be up to 4 bytes, but the - // ones we're looking for are only 1 byte. - b, _ := rd.Peek(1) - if len(b) == 0 { - return nil - } - - r, _ = utf8.DecodeRune(b) - if r == '\n' { - _, _, err = rd.ReadRune() - if err != nil { - return err - } - } - - return nil - } - - _, err = buffer.WriteRune(r) - if err != nil { - return err - } - } - }) - if err != nil { - e.fatalf("read error", "%v (wanted newline; got %q)", err, buffer.String()) - return "" - } - e.logf("matched newline = %q", buffer.String()) - return buffer.String() -} - -func (e *outExpecter) ReadAll() []byte { - e.t.Helper() - return e.out.ReadAll() -} - -func (e *outExpecter) doMatchWithDeadline(ctx context.Context, name string, fn func(*bufio.Reader) error) error { - e.t.Helper() - - // A timeout is mandatory, caller can decide by passing a context - // that times out. - if _, ok := ctx.Deadline(); !ok { - timeout := testutil.WaitMedium - e.logf("%s ctx has no deadline, using %s", name, timeout) - var cancel context.CancelFunc - //nolint:gocritic // Rule guard doesn't detect that we're using testutil.Wait*. - ctx, cancel = context.WithTimeout(ctx, timeout) - defer cancel() - } - - match := make(chan error, 1) - go func() { - defer close(match) - match <- fn(e.runeReader) - }() - select { - case err := <-match: - return err - case <-ctx.Done(): - // Ensure goroutine is cleaned up before test exit, do not call - // (*outExpecter).close here to let the caller decide. - _ = e.out.Close() - <-match - - return xerrors.Errorf("match deadline exceeded: %w", ctx.Err()) - } -} - -func (e *outExpecter) logf(format string, args ...interface{}) { - e.t.Helper() - - // Match regular logger timestamp format, we seem to be logging in - // UTC in other places as well, so match here. - e.t.Logf("%s: %s: %s", time.Now().UTC().Format("2006-01-02 15:04:05.000"), e.name.Load(), fmt.Sprintf(format, args...)) -} - -func (e *outExpecter) fatalf(reason string, format string, args ...interface{}) { - e.t.Helper() - - // Ensure the message is part of the normal log stream before - // failing the test. - e.logf("%s: %s", reason, fmt.Sprintf(format, args...)) - - require.FailNowf(e.t, reason, format, args...) -} type PTY struct { - outExpecter + expecter.Expecter pty.PTY + t *testing.T closeOnce sync.Once closeErr error } @@ -391,17 +70,12 @@ func (p *PTY) Close() error { p.closeOnce.Do(func() { pErr := p.PTY.Close() if pErr != nil { - p.logf("PTY: Close failed: %v", pErr) - } - eErr := p.outExpecter.close("PTY close") - if eErr != nil { - p.logf("PTY: close expecter failed: %v", eErr) + p.Logf("PTY: Close failed: %v", pErr) } + p.Expecter.Close("PTY close") if pErr != nil { p.closeErr = pErr - return } - p.closeErr = eErr }) return p.closeErr } @@ -418,7 +92,7 @@ func (p *PTY) Attach(inv *serpent.Invocation) *PTY { func (p *PTY) Write(r rune) { p.t.Helper() - p.logf("stdin: %q", r) + p.Logf("stdin: %q", r) _, err := p.Input().Write([]byte{byte(r)}) require.NoError(p.t, err, "write failed") } @@ -430,7 +104,7 @@ func (p *PTY) WriteLine(str string) { if runtime.GOOS == "windows" { newline = append(newline, '\n') } - p.logf("stdin: %q", str+string(newline)) + p.Logf("stdin: %q", str+string(newline)) _, err := p.Input().Write(append([]byte(str), newline...)) require.NoError(p.t, err, "write line failed") } @@ -440,137 +114,22 @@ func (p *PTY) WriteLine(str string) { // // p := New(t).Named("myCmd") func (p *PTY) Named(name string) *PTY { - p.name.Store(name) + p.Rename(name) return p } type PTYCmd struct { - outExpecter + expecter.Expecter pty.PTYCmd + t *testing.T } func (p *PTYCmd) Close() error { p.t.Helper() pErr := p.PTYCmd.Close() if pErr != nil { - p.logf("PTYCmd: Close failed: %v", pErr) + p.Logf("PTYCmd: Close failed: %v", pErr) } - eErr := p.outExpecter.close("PTYCmd close") - if eErr != nil { - p.logf("PTYCmd: close expecter failed: %v", eErr) - } - if pErr != nil { - return pErr - } - return eErr -} - -// stdbuf is like a buffered stdout, it buffers writes until read. -type stdbuf struct { - r io.Reader - - mu sync.Mutex // Protects following. - b []byte - more chan struct{} - err error -} - -func newStdbuf() *stdbuf { - return &stdbuf{more: make(chan struct{}, 1)} -} - -func (b *stdbuf) ReadAll() []byte { - b.mu.Lock() - defer b.mu.Unlock() - - if b.err != nil { - return nil - } - p := append([]byte(nil), b.b...) - b.b = b.b[len(b.b):] - return p -} - -func (b *stdbuf) Read(p []byte) (int, error) { - if b.r == nil { - return b.readOrWaitForMore(p) - } - - n, err := b.r.Read(p) - if xerrors.Is(err, io.EOF) { - b.r = nil - err = nil - if n == 0 { - return b.readOrWaitForMore(p) - } - } - return n, err -} - -func (b *stdbuf) readOrWaitForMore(p []byte) (int, error) { - b.mu.Lock() - defer b.mu.Unlock() - - // Deplete channel so that more check - // is for future input into buffer. - select { - case <-b.more: - default: - } - - if len(b.b) == 0 { - if b.err != nil { - return 0, b.err - } - - b.mu.Unlock() - <-b.more - b.mu.Lock() - } - - b.r = bytes.NewReader(b.b) - b.b = b.b[len(b.b):] - - return b.r.Read(p) -} - -func (b *stdbuf) Write(p []byte) (int, error) { - if len(p) == 0 { - return 0, nil - } - - b.mu.Lock() - defer b.mu.Unlock() - - if b.err != nil { - return 0, b.err - } - - b.b = append(b.b, p...) - - select { - case b.more <- struct{}{}: - default: - } - - return len(p), nil -} - -func (b *stdbuf) Close() error { - return b.closeErr(nil) -} - -func (b *stdbuf) closeErr(err error) error { - b.mu.Lock() - defer b.mu.Unlock() - if b.err != nil { - return err - } - if err == nil { - b.err = io.EOF - } else { - b.err = err - } - close(b.more) - return err + p.Expecter.Close("PTYCmd close") + return pErr } diff --git a/scripts/check_go_versions.sh b/scripts/check_go_versions.sh index fb811838a6..5cbd9c5fb9 100755 --- a/scripts/check_go_versions.sh +++ b/scripts/check_go_versions.sh @@ -5,7 +5,6 @@ # - go.mod # - mise.toml (the dogfood image installs from this manifest) # - flake.nix -# - .github/actions/setup-go/action.yml # The version of Go in go.mod is considered the source of truth. set -euo pipefail @@ -19,23 +18,17 @@ IGNORE_NIX=${IGNORE_NIX:-false} GO_VERSION_GO_MOD=$(grep -Eo 'go [0-9]+\.[0-9]+\.[0-9]+' ./go.mod | cut -d' ' -f2) GO_VERSION_MISE_TOML=$(grep -Eo '^go = "[0-9]+\.[0-9]+\.[0-9]+"' ./mise.toml | sed -E 's/.*"([^"]+)"/\1/') -GO_VERSION_SETUP_GO=$(yq '.inputs.version.default' .github/actions/setup-go/action.yaml) GO_VERSION_FLAKE_NIX=$(grep -Eo '\bgo_[0-9]+_[0-9]+\b' ./flake.nix) # Convert to major.minor format. GO_VERSION_FLAKE_NIX_MAJOR_MINOR=$(echo "$GO_VERSION_FLAKE_NIX" | cut -d '_' -f 2-3 | tr '_' '.') log "INFO : go.mod : $GO_VERSION_GO_MOD" log "INFO : mise.toml : $GO_VERSION_MISE_TOML" -log "INFO : setup-go/action.yaml : $GO_VERSION_SETUP_GO" log "INFO : flake.nix : $GO_VERSION_FLAKE_NIX_MAJOR_MINOR" if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_MISE_TOML" ]; then error "Go version mismatch between go.mod and mise.toml" fi -if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_SETUP_GO" ]; then - error "Go version mismatch between go.mod and .github/actions/setup-go/action.yaml" -fi - # At the time of writing, Nix only constrains the major.minor version. # We need to check that specifically. if [ "$IGNORE_NIX" = "false" ]; then diff --git a/scripts/check_mise_versions.sh b/scripts/check_mise_versions.sh new file mode 100755 index 0000000000..20ad1bc929 --- /dev/null +++ b/scripts/check_mise_versions.sh @@ -0,0 +1,150 @@ +#!/usr/bin/env bash + +# This script checks the mise values used by CI and dogfood images: +# - mise.toml min_version is the source of truth for the mise version. +# - .github/actions/setup-mise/checksums.toml stores pinned binary checksums. +# - .github/actions/setup-mise/action.yml +# - flake.nix +# - scripts/dogfood/mise-oci-wrapper.sh +# - dogfood/coder/ubuntu-*/Dockerfile.base + +set -euo pipefail +# shellcheck source=scripts/lib.sh +source "$(dirname "${BASH_SOURCE[0]}")/lib.sh" +cdroot + +check_not_empty() { + local label="$1" + local value="$2" + + log "INFO : ${label}: ${value}" + if [[ -z "${value}" ]]; then + error "Missing mise value for ${label}" + fi +} + +check_equal() { + local label="$1" + local actual="$2" + local expected="$3" + + check_not_empty "${label}" "${actual}" + if [[ "${actual}" != "${expected}" ]]; then + error "Mise mismatch for ${label}: expected ${expected}, got ${actual}" + fi +} + +check_sha256_format() { + local label="$1" + local value="$2" + + if [[ -z "${value}" ]]; then + error "Missing mise value for ${label}" + fi + if [[ ! "${value}" =~ ^[a-f0-9]{64}$ ]]; then + error "Expected 64-character lowercase SHA256 for ${label}: ${value}" + fi +} + +mise_version="$(sed -n 's/^min_version = "\([^"]*\)"/\1/p' mise.toml)" +check_not_empty "mise.toml min_version" "${mise_version}" + +action_version="$( + awk ' + $1 == "mise-version:" { in_input = 1; next } + in_input && /^ [A-Za-z0-9_-]+:/ { exit } + in_input && $1 == "default:" { + gsub(/"/, "", $2) + print $2 + exit + } + ' .github/actions/setup-mise/action.yml +)" +check_equal ".github/actions/setup-mise/action.yml" "${action_version}" "${mise_version}" + +checksum_version="$( + awk -v version="${mise_version}" ' + $0 == "[\"" version "\"]" { + print version + exit + } + ' .github/actions/setup-mise/checksums.toml +)" +check_equal ".github/actions/setup-mise/checksums.toml" "${checksum_version}" "${mise_version}" + +declare -A setup_mise_checksums=() +for target in linux-x64 linux-arm64 macos-x64 macos-arm64 windows-x64; do + checksum="$(./scripts/mise_checksum.sh .github/actions/setup-mise/checksums.toml "${mise_version}" "${target}")" + check_not_empty ".github/actions/setup-mise/checksums.toml ${target}" "${checksum}" + check_sha256_format ".github/actions/setup-mise/checksums.toml ${target}" "${checksum}" + setup_mise_checksums["${target}"]="${checksum}" +done +linux_x64_checksum="${setup_mise_checksums["linux-x64"]}" + +sri_sha256_to_hex() { + local label="$1" + local sri="$2" + + if [[ "${sri}" != sha256-* ]]; then + error "Expected SRI SHA256 hash for ${label}: ${sri}" + fi + + printf '%s' "${sri#sha256-}" | openssl base64 -A -d | od -An -tx1 -v | tr -d ' \n' +} + +flake_version="$( + awk ' + /^[[:space:]]*mise = / { in_mise = 1; next } + in_mise && /^[[:space:]]*version = / { + gsub(/[";]/, "", $3) + print $3 + exit + } + in_mise && /^[[:space:]]*};/ { exit } + ' flake.nix +)" +check_equal "flake.nix" "${flake_version}" "${mise_version}" + +declare -A flake_targets=( + ["x86_64-linux"]="linux-x64" + ["aarch64-linux"]="linux-arm64" + ["x86_64-darwin"]="macos-x64" + ["aarch64-darwin"]="macos-arm64" +) +for system in "${!flake_targets[@]}"; do + target="${flake_targets[${system}]}" + expected_checksum="${setup_mise_checksums[${target}]}" + + flake_hash="$( + awk -v nix_system="${system}" ' + /^[[:space:]]*hash = \{/ { in_hash = 1; next } + in_hash && $1 == nix_system { + gsub(/[";]/, "", $3) + print $3 + exit + } + in_hash && /^[[:space:]]*};/ { exit } + ' flake.nix + )" + check_not_empty "flake.nix ${system} hash" "${flake_hash}" + + actual_checksum="$(sri_sha256_to_hex "flake.nix ${system}" "${flake_hash}")" + check_equal "flake.nix ${system} sha256" "${actual_checksum}" "${expected_checksum}" +done + +wrapper_version="$(sed -n 's/^MISE_VERSION="v\([^"]*\)"/\1/p' scripts/dogfood/mise-oci-wrapper.sh)" +check_equal "scripts/dogfood/mise-oci-wrapper.sh" "${wrapper_version}" "${mise_version}" +wrapper_checksum="$(sed -n 's/^MISE_SHA256="\([a-f0-9]*\)"/\1/p' scripts/dogfood/mise-oci-wrapper.sh)" +check_equal "scripts/dogfood/mise-oci-wrapper.sh sha256" "${wrapper_checksum}" "${linux_x64_checksum}" +check_sha256_format "scripts/dogfood/mise-oci-wrapper.sh sha256" "${wrapper_checksum}" + +for dockerfile in dogfood/coder/ubuntu-*/Dockerfile.base; do + dockerfile_version="$(sed -n 's/.*MISE_VERSION=v\([0-9.]*\).*/\1/p' "${dockerfile}" | head -n 1)" + check_equal "${dockerfile}" "${dockerfile_version}" "${mise_version}" + + dockerfile_checksum="$(sed -n 's/.*MISE_SHA256=\([a-f0-9]*\).*/\1/p' "${dockerfile}" | head -n 1)" + check_equal "${dockerfile} sha256" "${dockerfile_checksum}" "${linux_x64_checksum}" + check_sha256_format "${dockerfile} sha256" "${dockerfile_checksum}" +done + +log "Mise version check passed, all versions are ${mise_version}" diff --git a/scripts/mise_checksum.sh b/scripts/mise_checksum.sh new file mode 100755 index 0000000000..52fcc73aa1 --- /dev/null +++ b/scripts/mise_checksum.sh @@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +# Print the pinned mise SHA256 checksum for a version and release target. + +set -euo pipefail + +if [[ "$#" -ne 3 ]]; then + echo "usage: $0 " >&2 + exit 1 +fi + +checksums_file="$1" +mise_version="$2" +target="$3" + +awk -F= -v version="${mise_version}" -v target="${target}" ' + $0 == "[\"" version "\"]" { in_table = 1; next } + /^\[/ { in_table = 0 } + in_table { + key = $1 + gsub(/^[[:space:]]+|[[:space:]]+$/, "", key) + if (key == target) { + value = $2 + gsub(/^[[:space:]]+|[[:space:]]+$/, "", value) + gsub(/^"|"$/, "", value) + print value + exit + } + } +' "${checksums_file}" diff --git a/scripts/should_deploy.sh b/scripts/should_deploy.sh index 6259f9e109..a23d3293d6 100755 --- a/scripts/should_deploy.sh +++ b/scripts/should_deploy.sh @@ -1,7 +1,6 @@ #!/usr/bin/env bash -# This script determines if a commit in either the main branch or a -# `release/x.y` branch should be deployed to dogfood. +# This script determines if the current branch should be deployed to dogfood. # # To avoid masking unrelated failures, this script will return 0 in either case, # and will print `DEPLOY` or `NOOP` to stdout. @@ -11,59 +10,16 @@ set -euo pipefail source "$(dirname "${BASH_SOURCE[0]}")/lib.sh" cdroot -deploy_branch=main - -# Determine the current branch name and check that it is one of the supported -# branch names. branch_name=$(git branch --show-current) -if [[ "$branch_name" != "main" && ! "$branch_name" =~ ^release/[0-9]+\.[0-9]+$ ]]; then - error "Current branch '$branch_name' is not a supported branch name for dogfood, must be 'main' or 'release/x.y'" -fi -log "Current branch '$branch_name'" - -# Determine the remote name -remote=$(git remote -v | grep coder/coder | awk '{print $1}' | head -n1) -if [[ -z "${remote}" ]]; then - error "Could not find remote for coder/coder" -fi -log "Using remote '$remote'" - -# Step 1: List all release branches and sort them by major/minor so we can find -# the latest release branch. -release_branches=$( - git branch -r --format='%(refname:short)' | - grep -E "${remote}/release/[0-9]+\.[0-9]+$" | - sed "s|${remote}/||" | - sort -V -) - -# As a sanity check, release/2.26 should exist. -if ! echo "$release_branches" | grep "release/2.26" >/dev/null; then - error "Could not find existing release branches. Did you run 'git fetch -ap ${remote}'?" -fi - -latest_release_branch=$(echo "$release_branches" | tail -n 1) -latest_release_branch_version=${latest_release_branch#release/} -log "Latest release branch: $latest_release_branch" -log "Latest release branch version: $latest_release_branch_version" - -# Step 2: check if a matching tag `v.0` exists. If it does not, we will -# use the release branch as the deploy branch. -if ! git rev-parse "refs/tags/v${latest_release_branch_version}.0" >/dev/null 2>&1; then - log "Tag 'v${latest_release_branch_version}.0' does not exist, using release branch as deploy branch" - deploy_branch=$latest_release_branch -else - log "Matching tag 'v${latest_release_branch_version}.0' exists, using main as deploy branch" -fi -log "Deploy branch: $deploy_branch" - -# Finally, check if the current branch is the deploy branch. -log -if [[ "$branch_name" != "$deploy_branch" ]]; then - log "VERDICT: DO NOT DEPLOY" - echo "NOOP" # stdout -else +# We no longer deploy release branches to dogfood, and instead test them on the +# stable deployment. +# TODO: once we're happy with the new deployment process, we can remove this +# script and the related GitHub workflow. +if [[ "$branch_name" == "main" ]]; then log "VERDICT: DEPLOY" echo "DEPLOY" # stdout +else + log "VERDICT: NOOP" + echo "NOOP" # stdout fi diff --git a/scripts/zizmor.sh b/scripts/zizmor.sh deleted file mode 100755 index a9326e2ee0..0000000000 --- a/scripts/zizmor.sh +++ /dev/null @@ -1,46 +0,0 @@ -#!/usr/bin/env bash - -# Usage: ./zizmor.sh [args...] -# -# This script is a wrapper around the zizmor Docker image. Zizmor lints GitHub -# actions workflows. -# -# We use Docker to run zizmor since it's written in Rust and is difficult to -# install on Ubuntu runners without building it with a Rust toolchain, which -# takes a long time. -# -# The repo is mounted at /repo and the working directory is set to /repo. - -set -euo pipefail -# shellcheck source=scripts/lib.sh -source "$(dirname "${BASH_SOURCE[0]}")/lib.sh" - -cdroot - -image_tag="ghcr.io/zizmorcore/zizmor:1.11.0" -docker_args=( - "--rm" - "--volume" "$(pwd):/repo" - "--workdir" "/repo" - "--network" "host" -) - -if [[ -t 0 ]]; then - docker_args+=("-it") -fi - -# If no GH_TOKEN is set, try to get one from `gh auth token`. -if [[ "${GH_TOKEN:-}" == "" ]] && command -v gh &>/dev/null; then - set +e - GH_TOKEN="$(gh auth token)" - export GH_TOKEN - set -e -fi - -# Pass through the GitHub token if it's set, which allows zizmor to scan -# imported workflows too. -if [[ "${GH_TOKEN:-}" != "" ]]; then - docker_args+=("--env" "GH_TOKEN") -fi - -logrun exec docker run "${docker_args[@]}" "$image_tag" "$@" diff --git a/site/package.json b/site/package.json index d2cf5e5512..ac5ada7669 100644 --- a/site/package.json +++ b/site/package.json @@ -48,7 +48,7 @@ "@emotion/css": "11.13.5", "@emotion/react": "11.14.0", "@emotion/styled": "11.14.1", - "@fontsource-variable/geist": "5.2.8", + "@fontsource-variable/geist": "5.2.9", "@fontsource-variable/geist-mono": "5.2.7", "@fontsource/fira-code": "5.2.7", "@fontsource/ibm-plex-mono": "5.2.7", @@ -69,7 +69,7 @@ "@xterm/addon-webgl": "0.19.0", "@xterm/xterm": "5.5.0", "ansi-to-html": "0.7.2", - "axios": "1.15.2", + "axios": "1.16.1", "chroma-js": "2.6.0", "class-variance-authority": "0.7.1", "clsx": "2.1.1", @@ -92,11 +92,11 @@ "motion": "12.38.0", "pretty-bytes": "6.1.1", "radix-ui": "1.4.3", - "react": "19.2.5", + "react": "19.2.6", "react-color": "2.19.3", "react-confetti": "6.4.0", "react-day-picker": "9.14.0", - "react-dom": "19.2.5", + "react-dom": "19.2.6", "react-infinite-scroll-component": "7.1.0", "react-markdown": "9.1.0", "react-query": "npm:@tanstack/react-query@5.77.0", @@ -122,7 +122,7 @@ "yup": "1.7.1" }, "devDependencies": { - "@babel/core": "7.29.0", + "@babel/core": "7.29.7", "@babel/plugin-syntax-typescript": "7.28.6", "@biomejs/biome": "2.4.10", "@chromatic-com/storybook": "5.0.1", @@ -148,7 +148,7 @@ "@types/lodash": "4.17.21", "@types/node": "20.19.39", "@types/novnc__novnc": "1.5.0", - "@types/react": "19.2.14", + "@types/react": "19.2.15", "@types/react-color": "3.0.13", "@types/react-dom": "19.2.3", "@types/react-syntax-highlighter": "15.5.13", @@ -171,7 +171,7 @@ "knip": "5.71.0", "msw": "2.4.8", "postcss": "8.5.10", - "protobufjs": "7.5.6", + "protobufjs": "7.6.1", "resize-observer-polyfill": "1.5.1", "rollup-plugin-visualizer": "7.0.1", "rxjs": "7.8.2", diff --git a/site/pnpm-lock.yaml b/site/pnpm-lock.yaml index be78e8c75d..23d9664bdc 100644 --- a/site/pnpm-lock.yaml +++ b/site/pnpm-lock.yaml @@ -34,19 +34,19 @@ importers: dependencies: '@dnd-kit/core': specifier: 6.3.1 - version: 6.3.1(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 6.3.1(react-dom@19.2.6(react@19.2.6))(react@19.2.6) '@dnd-kit/sortable': specifier: 10.0.0 - version: 10.0.0(@dnd-kit/core@6.3.1(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(react@19.2.5) + version: 10.0.0(@dnd-kit/core@6.3.1(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(react@19.2.6) '@dnd-kit/utilities': specifier: 3.2.2 - version: 3.2.2(react@19.2.5) + version: 3.2.2(react@19.2.6) '@emoji-mart/data': specifier: 1.2.1 version: 1.2.1 '@emoji-mart/react': specifier: 1.1.1 - version: 1.1.1(emoji-mart@5.6.0)(react@19.2.5) + version: 1.1.1(emoji-mart@5.6.0)(react@19.2.6) '@emotion/cache': specifier: 11.14.0 version: 11.14.0 @@ -55,13 +55,13 @@ importers: version: 11.13.5 '@emotion/react': specifier: 11.14.0 - version: 11.14.0(@types/react@19.2.14)(react@19.2.5) + version: 11.14.0(@types/react@19.2.15)(react@19.2.6) '@emotion/styled': specifier: 11.14.1 - version: 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react@19.2.5) + version: 11.14.1(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react@19.2.6) '@fontsource-variable/geist': - specifier: 5.2.8 - version: 5.2.8 + specifier: 5.2.9 + version: 5.2.9 '@fontsource-variable/geist-mono': specifier: 5.2.7 version: 5.2.7 @@ -79,28 +79,28 @@ importers: version: 5.2.7 '@lexical/react': specifier: 0.44.0 - version: 0.44.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(yjs@13.6.29) + version: 0.44.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(yjs@13.6.29) '@lexical/utils': specifier: 0.44.0 version: 0.44.0 '@monaco-editor/react': specifier: 4.7.0 - version: 4.7.0(monaco-editor@0.55.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 4.7.0(monaco-editor@0.55.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) '@mui/material': specifier: 5.18.0 - version: 5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 5.18.0(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) '@mui/system': specifier: 5.18.0 - version: 5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react@19.2.5) + version: 5.18.0(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react@19.2.6) '@novnc/novnc': specifier: ^1.5.0 version: 1.5.0 '@pierre/diffs': specifier: 1.1.19 - version: 1.1.19(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 1.1.19(react-dom@19.2.6(react@19.2.6))(react@19.2.6) '@tanstack/react-query-devtools': specifier: 5.77.0 - version: 5.77.0(@tanstack/react-query@5.77.0(react@19.2.5))(react@19.2.5) + version: 5.77.0(@tanstack/react-query@5.77.0(react@19.2.6))(react@19.2.6) '@xterm/addon-canvas': specifier: 0.7.0 version: 0.7.0(@xterm/xterm@5.5.0) @@ -123,8 +123,8 @@ importers: specifier: 0.7.2 version: 0.7.2 axios: - specifier: 1.15.2 - version: 1.15.2 + specifier: 1.16.1 + version: 1.16.1 chroma-js: specifier: 2.6.0 version: 2.6.0 @@ -136,7 +136,7 @@ importers: version: 2.1.1 cmdk: specifier: 1.1.1 - version: 1.1.1(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 1.1.1(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) color-convert: specifier: 2.0.1 version: 2.0.1 @@ -160,7 +160,7 @@ importers: version: 2.0.5 formik: specifier: 2.4.9 - version: 2.4.9(@types/react@19.2.14)(react@19.2.5) + version: 2.4.9(@types/react@19.2.15)(react@19.2.6) front-matter: specifier: 4.0.2 version: 4.0.2 @@ -178,64 +178,64 @@ importers: version: 4.18.1 lucide-react: specifier: 0.555.0 - version: 0.555.0(react@19.2.5) + version: 0.555.0(react@19.2.6) monaco-editor: specifier: 0.55.1 version: 0.55.1 motion: specifier: 12.38.0 - version: 12.38.0(@emotion/is-prop-valid@1.4.0)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 12.38.0(@emotion/is-prop-valid@1.4.0)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) pretty-bytes: specifier: 6.1.1 version: 6.1.1 radix-ui: specifier: 1.4.3 - version: 1.4.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 1.4.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) react: - specifier: 19.2.5 - version: 19.2.5 + specifier: 19.2.6 + version: 19.2.6 react-color: specifier: 2.19.3 - version: 2.19.3(react@19.2.5) + version: 2.19.3(react@19.2.6) react-confetti: specifier: 6.4.0 - version: 6.4.0(react@19.2.5) + version: 6.4.0(react@19.2.6) react-day-picker: specifier: 9.14.0 - version: 9.14.0(react@19.2.5) + version: 9.14.0(react@19.2.6) react-dom: - specifier: 19.2.5 - version: 19.2.5(react@19.2.5) + specifier: 19.2.6 + version: 19.2.6(react@19.2.6) react-infinite-scroll-component: specifier: 7.1.0 - version: 7.1.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 7.1.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6) react-markdown: specifier: 9.1.0 - version: 9.1.0(@types/react@19.2.14)(react@19.2.5) + version: 9.1.0(@types/react@19.2.15)(react@19.2.6) react-query: specifier: npm:@tanstack/react-query@5.77.0 - version: '@tanstack/react-query@5.77.0(react@19.2.5)' + version: '@tanstack/react-query@5.77.0(react@19.2.6)' react-resizable-panels: specifier: 3.0.6 - version: 3.0.6(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 3.0.6(react-dom@19.2.6(react@19.2.6))(react@19.2.6) react-router: specifier: 7.12.0 - version: 7.12.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 7.12.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6) react-syntax-highlighter: specifier: 15.6.6 - version: 15.6.6(react@19.2.5) + version: 15.6.6(react@19.2.6) react-textarea-autosize: specifier: 8.5.9 - version: 8.5.9(@types/react@19.2.14)(react@19.2.5) + version: 8.5.9(@types/react@19.2.15)(react@19.2.6) react-virtualized-auto-sizer: specifier: 1.0.26 - version: 1.0.26(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 1.0.26(react-dom@19.2.6(react@19.2.6))(react@19.2.6) react-window: specifier: 1.8.11 - version: 1.8.11(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 1.8.11(react-dom@19.2.6(react@19.2.6))(react@19.2.6) recharts: specifier: 2.15.4 - version: 2.15.4(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 2.15.4(react-dom@19.2.6(react@19.2.6))(react@19.2.6) remark-gfm: specifier: 4.0.1 version: 4.0.1 @@ -244,10 +244,10 @@ importers: version: 7.7.3 sonner: specifier: 2.0.7 - version: 2.0.7(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 2.0.7(react-dom@19.2.6(react@19.2.6))(react@19.2.6) streamdown: specifier: 2.5.0 - version: 2.5.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 2.5.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6) tailwind-merge: specifier: 2.6.0 version: 2.6.0 @@ -277,17 +277,17 @@ importers: version: 1.7.1 devDependencies: '@babel/core': - specifier: 7.29.0 - version: 7.29.0 + specifier: 7.29.7 + version: 7.29.7 '@babel/plugin-syntax-typescript': specifier: 7.28.6 - version: 7.28.6(@babel/core@7.29.0) + version: 7.28.6(@babel/core@7.29.7) '@biomejs/biome': specifier: 2.4.10 version: 2.4.10 '@chromatic-com/storybook': specifier: 5.0.1 - version: 5.0.1(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)) + version: 5.0.1(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)) '@octokit/types': specifier: 12.6.0 version: 12.6.0 @@ -296,28 +296,28 @@ importers: version: 1.50.1 '@rolldown/plugin-babel': specifier: 0.2.3 - version: 0.2.3(@babel/core@7.29.0)(@babel/runtime@7.26.10)(rolldown@1.0.0-rc.17)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) + version: 0.2.3(@babel/core@7.29.7)(@babel/runtime@7.26.10)(rolldown@1.0.0-rc.17)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) '@storybook/addon-a11y': specifier: 10.3.3 - version: 10.3.3(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)) + version: 10.3.3(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)) '@storybook/addon-docs': specifier: 10.3.3 - version: 10.3.3(@types/react@19.2.14)(esbuild@0.25.12)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) + version: 10.3.3(@types/react@19.2.15)(esbuild@0.25.12)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) '@storybook/addon-links': specifier: 10.3.3 - version: 10.3.3(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)) + version: 10.3.3(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)) '@storybook/addon-mcp': specifier: ^0.6.0 - version: 0.6.0(@storybook/addon-vitest@10.3.3(@vitest/browser-playwright@4.1.1)(@vitest/browser@4.1.1(msw@2.4.8(typescript@6.0.2))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))(vitest@4.1.5))(@vitest/runner@4.1.5)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(vitest@4.1.5))(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(typescript@6.0.2) + version: 0.6.0(@storybook/addon-vitest@10.3.3(@vitest/browser-playwright@4.1.1)(@vitest/browser@4.1.1(msw@2.4.8(typescript@6.0.2))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))(vitest@4.1.5))(@vitest/runner@4.1.5)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(vitest@4.1.5))(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(typescript@6.0.2) '@storybook/addon-themes': specifier: 10.3.3 - version: 10.3.3(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)) + version: 10.3.3(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)) '@storybook/addon-vitest': specifier: 10.3.3 - version: 10.3.3(@vitest/browser-playwright@4.1.1)(@vitest/browser@4.1.1(msw@2.4.8(typescript@6.0.2))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))(vitest@4.1.5))(@vitest/runner@4.1.5)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(vitest@4.1.5) + version: 10.3.3(@vitest/browser-playwright@4.1.1)(@vitest/browser@4.1.1(msw@2.4.8(typescript@6.0.2))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))(vitest@4.1.5))(@vitest/runner@4.1.5)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(vitest@4.1.5) '@storybook/react-vite': specifier: 10.3.3 - version: 10.3.3(esbuild@0.25.12)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(typescript@6.0.2)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) + version: 10.3.3(esbuild@0.25.12)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(typescript@6.0.2)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) '@tailwindcss/typography': specifier: 0.5.19 version: 0.5.19(tailwindcss@3.4.18(yaml@2.8.3)) @@ -326,7 +326,7 @@ importers: version: 6.9.1 '@testing-library/react': specifier: 14.3.1 - version: 14.3.1(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 14.3.1(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) '@testing-library/user-event': specifier: 14.6.1 version: 14.6.1(@testing-library/dom@10.4.0) @@ -355,20 +355,20 @@ importers: specifier: 1.5.0 version: 1.5.0 '@types/react': - specifier: 19.2.14 - version: 19.2.14 + specifier: 19.2.15 + version: 19.2.15 '@types/react-color': specifier: 3.0.13 - version: 3.0.13(@types/react@19.2.14) + version: 3.0.13(@types/react@19.2.15) '@types/react-dom': specifier: 19.2.3 - version: 19.2.3(@types/react@19.2.14) + version: 19.2.3(@types/react@19.2.15) '@types/react-syntax-highlighter': specifier: 15.5.13 version: 15.5.13 '@types/react-virtualized-auto-sizer': specifier: 1.0.8 - version: 1.0.8(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 1.0.8(react-dom@19.2.6(react@19.2.6))(react@19.2.6) '@types/react-window': specifier: 1.8.8 version: 1.8.8 @@ -386,7 +386,7 @@ importers: version: 9.0.2 '@vitejs/plugin-react': specifier: 6.0.1 - version: 6.0.1(@rolldown/plugin-babel@0.2.3(@babel/core@7.29.0)(@babel/runtime@7.26.10)(rolldown@1.0.0-rc.17)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)))(babel-plugin-react-compiler@1.0.0)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) + version: 6.0.1(@rolldown/plugin-babel@0.2.3(@babel/core@7.29.7)(@babel/runtime@7.26.10)(rolldown@1.0.0-rc.17)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)))(babel-plugin-react-compiler@1.0.0)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) '@vitest/browser-playwright': specifier: 4.1.1 version: 4.1.1(msw@2.4.8(typescript@6.0.2))(playwright@1.55.1)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))(vitest@4.1.5) @@ -424,8 +424,8 @@ importers: specifier: 8.5.10 version: 8.5.10 protobufjs: - specifier: 7.5.6 - version: 7.5.6 + specifier: 7.6.1 + version: 7.6.1 resize-observer-polyfill: specifier: 1.5.1 version: 1.5.1 @@ -440,10 +440,10 @@ importers: version: 1.17.0 storybook: specifier: 10.3.3 - version: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + version: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) storybook-addon-remix-react-router: specifier: 6.0.0 - version: 6.0.0(react-dom@19.2.5(react@19.2.5))(react-router@7.12.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)) + version: 6.0.0(react-dom@19.2.6(react@19.2.6))(react-router@7.12.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)) tailwindcss: specifier: 3.4.18 version: 3.4.18(yaml@2.8.3) @@ -495,40 +495,40 @@ packages: resolution: {integrity: sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==, tarball: https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz} engines: {node: '>=6.9.0'} - '@babel/compat-data@7.29.0': - resolution: {integrity: sha512-T1NCJqT/j9+cn8fvkt7jtwbLBfLC/1y1c7NtCeXFRgzGTsafi68MRv8yzkYSapBnFA6L3U2VSc02ciDzoAJhJg==, tarball: https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.29.0.tgz} + '@babel/code-frame@7.29.7': + resolution: {integrity: sha512-Aup7aUOfpbAUg2ROOJN6Iw5f9DMBlzu0mIkm/malLQFN/YQgO48wCj0Kxa3sEHJvPVFg7siR+qRInwXd2qhQKw==, tarball: https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.7.tgz} engines: {node: '>=6.9.0'} - '@babel/core@7.29.0': - resolution: {integrity: sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==, tarball: https://registry.npmjs.org/@babel/core/-/core-7.29.0.tgz} + '@babel/compat-data@7.29.7': + resolution: {integrity: sha512-locTkQyKvwIEgBzVrn8693ebc97F2U8ZHjbXwDXJ5Fn2TCpNwTlKcaKLkdHop5c/icOFE7qt7Q9JC5hnKNa6Gg==, tarball: https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.29.7.tgz} engines: {node: '>=6.9.0'} - '@babel/generator@7.28.5': - resolution: {integrity: sha512-3EwLFhZ38J4VyIP6WNtt2kUdW9dokXA9Cr4IVIFHuCpZ3H8/YFOl5JjZHisrn1fATPBmKKqXzDFvh9fUwHz6CQ==, tarball: https://registry.npmjs.org/@babel/generator/-/generator-7.28.5.tgz} + '@babel/core@7.29.7': + resolution: {integrity: sha512-RgHBCvtjbOK2gXSNBNIkNoEc9qoVEtau3hj8gEqKQuL3HZAibKarWFEI3Lfm6EYKkLalOh8eSrj9b+ch9H/VBA==, tarball: https://registry.npmjs.org/@babel/core/-/core-7.29.7.tgz} engines: {node: '>=6.9.0'} - '@babel/generator@7.29.1': - resolution: {integrity: sha512-qsaF+9Qcm2Qv8SRIMMscAvG4O3lJ0F1GuMo5HR/Bp02LopNgnZBC/EkbevHFeGs4ls/oPz9v+Bsmzbkbe+0dUw==, tarball: https://registry.npmjs.org/@babel/generator/-/generator-7.29.1.tgz} + '@babel/generator@7.29.7': + resolution: {integrity: sha512-DkXD5OJQaAQIdZ1bt3UZdEnHAn9Imd3IVBdX03UFe+ony9Ojw5pzr9YVKGDY1jt+Gcn/FnGkNf8r+Vj5NOJWtQ==, tarball: https://registry.npmjs.org/@babel/generator/-/generator-7.29.7.tgz} engines: {node: '>=6.9.0'} - '@babel/helper-compilation-targets@7.28.6': - resolution: {integrity: sha512-JYtls3hqi15fcx5GaSNL7SCTJ2MNmjrkHXg4FSpOA/grxK8KwyZ5bubHsCq8FXCkua6xhuaaBit+3b7+VZRfcA==, tarball: https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.28.6.tgz} + '@babel/helper-compilation-targets@7.29.7': + resolution: {integrity: sha512-wem6WaBj4NaVYVdNhLPPVacES6ZJ+KBBfSkTMD3YZxbP3rm3Di85tJU5ljaUNhaOynt+Aj0xruhYuzQBt8n71g==, tarball: https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.29.7.tgz} engines: {node: '>=6.9.0'} - '@babel/helper-globals@7.28.0': - resolution: {integrity: sha512-+W6cISkXFa1jXsDEdYA8HeevQT/FULhxzR99pxphltZcVaugps53THCeiWA8SguxxpSp3gKPiuYfSWopkLQ4hw==, tarball: https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.28.0.tgz} + '@babel/helper-globals@7.29.7': + resolution: {integrity: sha512-3nQVUAtvkKH9zahfWgw96Jc/uFOmjACE1kQz82E2lqWmHBgjzbNlsC22nuQTfahmWeQtTq5nQ/4Nnd2A1wj4zA==, tarball: https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.29.7.tgz} engines: {node: '>=6.9.0'} '@babel/helper-module-imports@7.27.1': resolution: {integrity: sha512-0gSFWUPNXNopqtIPQvlD5WgXYI5GY2kP2cCvoT8kczjbfcfuIljTbcWrulD1CIPIX2gt1wghbDy08yE1p+/r3w==, tarball: https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.27.1.tgz} engines: {node: '>=6.9.0'} - '@babel/helper-module-imports@7.28.6': - resolution: {integrity: sha512-l5XkZK7r7wa9LucGw9LwZyyCUscb4x37JWTPz7swwFE/0FMQAGpiWUZn8u9DzkSBWEcK25jmvubfpw2dnAMdbw==, tarball: https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.28.6.tgz} + '@babel/helper-module-imports@7.29.7': + resolution: {integrity: sha512-ejHwrQQYcm9xnTivShn2IDOlIzInN34AXskvq9QicvCtEzq1Vzclu/tKF8Jq1Cg8JG2GL6/EmjgsCT7lXepE3g==, tarball: https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.29.7.tgz} engines: {node: '>=6.9.0'} - '@babel/helper-module-transforms@7.28.6': - resolution: {integrity: sha512-67oXFAYr2cDLDVGLXTEABjdBJZ6drElUSI7WKp70NrpyISso3plG9SAGEF6y7zbha/wOzUByWWTJvEDVNIUGcA==, tarball: https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.28.6.tgz} + '@babel/helper-module-transforms@7.29.7': + resolution: {integrity: sha512-UPUVSyXbOh627KiCIGQSgwWzGeBKLkaJ9PJEdrngIwMSzxLR4jS4+f1f1jb7VzBbg8nFLaYotvVPFCTqdrmTAg==, tarball: https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.29.7.tgz} engines: {node: '>=6.9.0'} peerDependencies: '@babel/core': ^7.0.0 @@ -541,25 +541,28 @@ packages: resolution: {integrity: sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==, tarball: https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz} engines: {node: '>=6.9.0'} + '@babel/helper-string-parser@7.29.7': + resolution: {integrity: sha512-Pb5ijPrZ89GDH8223L4UP8i6QApWxs04RbPQJTeWDV0/keR2E36MeKnyr6LYmUUvqRRI+Iv87SuF1W6ErINzYw==, tarball: https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.29.7.tgz} + engines: {node: '>=6.9.0'} + '@babel/helper-validator-identifier@7.28.5': resolution: {integrity: sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==, tarball: https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz} engines: {node: '>=6.9.0'} - '@babel/helper-validator-option@7.27.1': - resolution: {integrity: sha512-YvjJow9FxbhFFKDSuFnVCe2WxXk1zWc22fFePVNEaWJEu8IrZVlda6N0uHwzZrUM1il7NC9Mlp4MaJYbYd9JSg==, tarball: https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.27.1.tgz} + '@babel/helper-validator-identifier@7.29.7': + resolution: {integrity: sha512-qehxGkRj55h/ff8EMaJ+cYhyaKlHIxqYDn682wQD7RNp9UujOQsHog2uS0r2vzr4pW+sXf90NeeayjcNaX3fFg==, tarball: https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.29.7.tgz} + engines: {node: '>=6.9.0'} + + '@babel/helper-validator-option@7.29.7': + resolution: {integrity: sha512-N9ZErrD+yW5geCDtBqnOoxmR8+tNKiGuxKlDpuJxfsqpa2dFcexaziGAE/qoHLiDDreVNMupxGmSoNlyvsA3gw==, tarball: https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.29.7.tgz} engines: {node: '>=6.9.0'} '@babel/helpers@7.26.10': resolution: {integrity: sha512-UPYc3SauzZ3JGgj87GgZ89JVdC5dj0AoetR5Bw6wj4niittNyFh6+eOGonYvJ1ao6B8lEa3Q3klS7ADZ53bc5g==, tarball: https://registry.npmjs.org/@babel/helpers/-/helpers-7.26.10.tgz} engines: {node: '>=6.9.0'} - '@babel/parser@7.28.5': - resolution: {integrity: sha512-KKBU1VGYR7ORr3At5HAtUQ+TV3SzRCXmA/8OdDZiLDBIZxVyzXuztPjfLd3BV1PRAQGCMWWSHYhL0F8d5uHBDQ==, tarball: https://registry.npmjs.org/@babel/parser/-/parser-7.28.5.tgz} - engines: {node: '>=6.0.0'} - hasBin: true - - '@babel/parser@7.29.2': - resolution: {integrity: sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==, tarball: https://registry.npmjs.org/@babel/parser/-/parser-7.29.2.tgz} + '@babel/parser@7.29.7': + resolution: {integrity: sha512-hnORnjP/1P/zFEndoeX+n+t1RwWRJiJpM/jO7FW32Kn9r5+sJB2JWOdYo4L6k78j15eCwY3Gm/7364B1EMwtNg==, tarball: https://registry.npmjs.org/@babel/parser/-/parser-7.29.7.tgz} engines: {node: '>=6.0.0'} hasBin: true @@ -573,28 +576,20 @@ packages: resolution: {integrity: sha512-2WJMeRQPHKSPemqk/awGrAiuFfzBmOIPXKizAsVhWH9YJqLZ0H+HS4c8loHGgW6utJ3E/ejXQUsiGaQy2NZ9Fw==, tarball: https://registry.npmjs.org/@babel/runtime/-/runtime-7.26.10.tgz} engines: {node: '>=6.9.0'} - '@babel/template@7.27.2': - resolution: {integrity: sha512-LPDZ85aEJyYSd18/DkjNh4/y1ntkE5KwUHWTiqgRxruuZL2F1yuHligVHLvcHY2vMHXttKFpJn6LwfI7cw7ODw==, tarball: https://registry.npmjs.org/@babel/template/-/template-7.27.2.tgz} + '@babel/template@7.29.7': + resolution: {integrity: sha512-puq+Gf35oI24FeN11LkoUQFqv9uwNeWpxXZi/Ji3rRIoKAzKnxRaZ+Gkj0vKS9ZCiTESfng1N9LyOyXvo+m+Gg==, tarball: https://registry.npmjs.org/@babel/template/-/template-7.29.7.tgz} engines: {node: '>=6.9.0'} - '@babel/template@7.28.6': - resolution: {integrity: sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ==, tarball: https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz} - engines: {node: '>=6.9.0'} - - '@babel/traverse@7.28.5': - resolution: {integrity: sha512-TCCj4t55U90khlYkVV/0TfkJkAkUg3jZFA3Neb7unZT8CPok7iiRfaX0F+WnqWqt7OxhOn0uBKXCw4lbL8W0aQ==, tarball: https://registry.npmjs.org/@babel/traverse/-/traverse-7.28.5.tgz} - engines: {node: '>=6.9.0'} - - '@babel/traverse@7.29.0': - resolution: {integrity: sha512-4HPiQr0X7+waHfyXPZpWPfWL/J7dcN1mx9gL6WdQVMbPnF3+ZhSMs8tCxN7oHddJE9fhNE7+lxdnlyemKfJRuA==, tarball: https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.0.tgz} + '@babel/traverse@7.29.7': + resolution: {integrity: sha512-EhlfNQtZ+NK22w5BM61ciuiq1m58ed33Wr1Xan//ZRTy6hgjnwyCffRYwzsGXdASJSUJ1guZILsErh1eQcl+zw==, tarball: https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.7.tgz} engines: {node: '>=6.9.0'} '@babel/types@7.28.5': resolution: {integrity: sha512-qQ5m48eI/MFLQ5PxQj4PFaprjyCTLI37ElWMmNs0K8Lk3dVeOdNpB3ks8jc7yM5CDmVC73eMVk/trk3fgmrUpA==, tarball: https://registry.npmjs.org/@babel/types/-/types-7.28.5.tgz} engines: {node: '>=6.9.0'} - '@babel/types@7.29.0': - resolution: {integrity: sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==, tarball: https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz} + '@babel/types@7.29.7': + resolution: {integrity: sha512-4zBIxpPzowiZpusoFkyGVwakdRJUyuH5PxQ/PrqghfdFWWasvnCdPfQXHrenDai+gyLARulZjZowCOj6fjT4pA==, tarball: https://registry.npmjs.org/@babel/types/-/types-7.29.7.tgz} engines: {node: '>=6.9.0'} '@biomejs/biome@2.4.10': @@ -1002,8 +997,8 @@ packages: '@fontsource-variable/geist-mono@5.2.7': resolution: {integrity: sha512-ZKlZ5sjtalb2TwXKs400mAGDlt/+2ENLNySPx0wTz3bP3mWARCsUW+rpxzZc7e05d2qGch70pItt3K4qttbIYA==, tarball: https://registry.npmjs.org/@fontsource-variable/geist-mono/-/geist-mono-5.2.7.tgz} - '@fontsource-variable/geist@5.2.8': - resolution: {integrity: sha512-cJ6m9e+8MQ5dCYJsLylfZrgBh6KkG4bOLckB35Tr9J/EqdkEM6QllH5PxqP1dhTvFup+HtMRPuz9xOjxXJggxw==, tarball: https://registry.npmjs.org/@fontsource-variable/geist/-/geist-5.2.8.tgz} + '@fontsource-variable/geist@5.2.9': + resolution: {integrity: sha512-TP+QSBG3wxKGPE33CbMy/L0Nu3qvJ6Fy81Yc4LnQ95xH+i+cfEp8fyU8/kfV14YwszxIFPhnoMTbjL71waVpyQ==, tarball: https://registry.npmjs.org/@fontsource-variable/geist/-/geist-5.2.9.tgz} '@fontsource/fira-code@5.2.7': resolution: {integrity: sha512-tnB9NNund9TwIym8/7DMJe573nlPEQb+fKUV5GL8TBYXjIhDvL0D7mgmNVNQUPhXp+R7RylQeiBdkA4EbOHPGQ==, tarball: https://registry.npmjs.org/@fontsource/fira-code/-/fira-code-5.2.7.tgz} @@ -1453,17 +1448,17 @@ packages: '@protobufjs/codegen@2.0.5': resolution: {integrity: sha512-zgXFLzW3Ap33e6d0Wlj4MGIm6Ce8O89n/apUaGNB/jx+hw+ruWEp7EwGUshdLKVRCxZW12fp9r40E1mQrf/34g==, tarball: https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.5.tgz} - '@protobufjs/eventemitter@1.1.0': - resolution: {integrity: sha512-j9ednRT81vYJ9OfVuXG6ERSTdEL1xVsNgqpkxMsbIabzSo3goCjDIveeGv5d03om39ML71RdmrGNjG5SReBP/Q==, tarball: https://registry.npmjs.org/@protobufjs/eventemitter/-/eventemitter-1.1.0.tgz} + '@protobufjs/eventemitter@1.1.1': + resolution: {integrity: sha512-vW1GmwMZNnL+gMRaovlh9yZX74kc+TTU3FObkkurpMaRtBfLP3ldjS9KQWlwZgraRE0+dheEEoAxdzcJQ8eXZg==, tarball: https://registry.npmjs.org/@protobufjs/eventemitter/-/eventemitter-1.1.1.tgz} - '@protobufjs/fetch@1.1.0': - resolution: {integrity: sha512-lljVXpqXebpsijW71PZaCYeIcE5on1w5DlQy5WH6GLbFryLUrBD4932W/E2BSpfRJWseIL4v/KPgBFxDOIdKpQ==, tarball: https://registry.npmjs.org/@protobufjs/fetch/-/fetch-1.1.0.tgz} + '@protobufjs/fetch@1.1.1': + resolution: {integrity: sha512-GpptLrs57adMSuHi3VNj0mAF8dwh36LMaYF6XyJ6JMWlVsc+t42tm1HSEDmOs3A8fC9yyeisgLhsTVQokOZ0zw==, tarball: https://registry.npmjs.org/@protobufjs/fetch/-/fetch-1.1.1.tgz} '@protobufjs/float@1.0.2': resolution: {integrity: sha512-Ddb+kVXlXst9d+R9PfTIxh1EdNkgoRe5tOX6t01f1lYWOvJnSPDBlG241QLzcyPdoNTsblLUdujGSE4RzrTZGQ==, tarball: https://registry.npmjs.org/@protobufjs/float/-/float-1.0.2.tgz} - '@protobufjs/inquire@1.1.1': - resolution: {integrity: sha512-mnzgDV26ueAvk7rsbt9L7bE0SuAoqyuys/sMMrmVcN5x9VsxpcG3rqAUSgDyLp0UZlmNfIbQ4fHfCtreVBk8Ew==, tarball: https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.1.tgz} + '@protobufjs/inquire@1.1.2': + resolution: {integrity: sha512-pa0vFRuws4wkvaXKK1uXZMAwAX4/t8ANaJo45iw/oQHNQ9q5xUzwgFmVJGXiga2BeN+zpX7Vf9vmsiIa2J+MUw==, tarball: https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.2.tgz} '@protobufjs/path@1.1.2': resolution: {integrity: sha512-6JOcJ5Tm08dOHAbdR3GrvP+yUUfkjG5ePsHYczMFLq3ZmMkAD98cDgcT2iA1lJ9NVwFd4tH/iSSoe44YWkltEA==, tarball: https://registry.npmjs.org/@protobufjs/path/-/path-1.1.2.tgz} @@ -2762,8 +2757,8 @@ packages: '@types/react-window@1.8.8': resolution: {integrity: sha512-8Ls660bHR1AUA2kuRvVG9D/4XpRC6wjAaPT9dil7Ckc76eP9TKWZwwmgfq8Q1LANX3QNDnoU4Zp48A3w+zK69Q==, tarball: https://registry.npmjs.org/@types/react-window/-/react-window-1.8.8.tgz} - '@types/react@19.2.14': - resolution: {integrity: sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==, tarball: https://registry.npmjs.org/@types/react/-/react-19.2.14.tgz} + '@types/react@19.2.15': + resolution: {integrity: sha512-eRwcGNHve+E8qtEQSSRl6urh+rFop4v8gm6O8rGv25CodbvFdLjA1vVQ1KkiFE0w0UPOnb8tDiFKL5lp0rtY5Q==, tarball: https://registry.npmjs.org/@types/react/-/react-19.2.15.tgz} '@types/reactcss@1.2.13': resolution: {integrity: sha512-gi3S+aUi6kpkF5vdhUsnkwbiSEIU/BEJyD7kBy2SudWBUuKmJk8AQKE0OVcQQeEy40Azh0lV6uynxlikYIJuwg==, tarball: https://registry.npmjs.org/@types/reactcss/-/reactcss-1.2.13.tgz} @@ -2935,6 +2930,10 @@ packages: engines: {node: '>=0.4.0'} hasBin: true + agent-base@6.0.2: + resolution: {integrity: sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==, tarball: https://registry.npmjs.org/agent-base/-/agent-base-6.0.2.tgz} + engines: {node: '>= 6.0.0'} + agent-base@7.1.4: resolution: {integrity: sha512-MnA+YT8fwfJPgBx3m60MNqakm30XOkyIoH1y6huTQvC0PwZG7ki8NacLBcrPbNoo8vEZy7Jpuk7+jMO+CUovTQ==, tarball: https://registry.npmjs.org/agent-base/-/agent-base-7.1.4.tgz} engines: {node: '>= 14'} @@ -3030,8 +3029,8 @@ packages: resolution: {integrity: sha512-BASOg+YwO2C+346x3LZOeoovTIoTrRqEsqMa6fmfAV0P+U9mFr9NsyOEpiYvFjbc64NMrSswhV50WdXzdb/Z5A==, tarball: https://registry.npmjs.org/axe-core/-/axe-core-4.11.1.tgz} engines: {node: '>=4'} - axios@1.15.2: - resolution: {integrity: sha512-wLrXxPtcrPTsNlJmKjkPnNPK2Ihe0hn0wGSaTEiHRPxwjvJwT3hKmXF4dpqxmPO9SoNb2FsYXj/xEo0gHN+D5A==, tarball: https://registry.npmjs.org/axios/-/axios-1.15.2.tgz} + axios@1.16.1: + resolution: {integrity: sha512-caYkukvroVPO8KrzuJEb50Hm07KwfBZPEC3VeFHTsqWHvKTsy54hjJz9BS/cdaypROE2rH6xvm9mHX4fgWkr3A==, tarball: https://registry.npmjs.org/axios/-/axios-1.16.1.tgz} babel-plugin-macros@3.1.0: resolution: {integrity: sha512-Cg7TFGpIr01vOQNODXOOaGz2NpCU5gl8x1qJFbb6hbZxR7XrcE2vtbAsTAbJ7/xwJtUuJEw8K8Zr/AE0LHlesg==, tarball: https://registry.npmjs.org/babel-plugin-macros/-/babel-plugin-macros-3.1.0.tgz} @@ -3746,8 +3745,8 @@ packages: es-module-lexer@2.1.0: resolution: {integrity: sha512-n27zTYMjYu1aj4MjCWzSP7G9r75utsaoc8m61weK+W8JMBGGQybd43GstCXZ3WNmSFtGT9wi59qQTW6mhTR5LQ==, tarball: https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-2.1.0.tgz} - es-object-atoms@1.1.1: - resolution: {integrity: sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==, tarball: https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz} + es-object-atoms@1.1.2: + resolution: {integrity: sha512-HWcBoN6NileqtSydK2FqHbS/LoDd2pqrnQHLyJzBj4kOp/ky2MWMN694xOfkK8/SnUsW2DH7EfyVlydKCsm1Zw==, tarball: https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.2.tgz} engines: {node: '>= 0.4'} es-set-tostringtag@2.1.0: @@ -4015,8 +4014,8 @@ packages: resolution: {integrity: sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==, tarball: https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.2.tgz} engines: {node: '>= 0.4'} - hasown@2.0.3: - resolution: {integrity: sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==, tarball: https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz} + hasown@2.0.4: + resolution: {integrity: sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==, tarball: https://registry.npmjs.org/hasown/-/hasown-2.0.4.tgz} engines: {node: '>= 0.4'} hast-util-from-parse5@8.0.3: @@ -4082,6 +4081,10 @@ packages: resolution: {integrity: sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig==, tarball: https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-7.0.2.tgz} engines: {node: '>= 14'} + https-proxy-agent@5.0.1: + resolution: {integrity: sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==, tarball: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-5.0.1.tgz} + engines: {node: '>= 6'} + https-proxy-agent@7.0.6: resolution: {integrity: sha512-vK9P5/iUfdl95AI+JVyUuIcVtd4ofvtrOr3HNtM2yxC9bnMbEdp3x01OhQNnjb8IJYi38VlTE3mBXwcfvywuSw==, tarball: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-7.0.6.tgz} engines: {node: '>= 14'} @@ -4508,6 +4511,10 @@ packages: resolution: {integrity: sha512-B5Y16Jr9LB9dHVkh6ZevG+vAbOsNOYCX+sXvFWFu7B3Iz5mijW3zdbMyhsh8ANd2mSWBYdJgnqi+mL7/LrOPYg==, tarball: https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.4.tgz} engines: {node: 20 || >=22} + lru-cache@11.5.1: + resolution: {integrity: sha512-RPimw/7aMdv2oqRrxKwvZXcPfwBrn/JZ2xYcY9Hus/6LaS3VOAKVWKWgNLCFSiOm1ESXinjsDlidVU7JlnCN2A==, tarball: https://registry.npmjs.org/lru-cache/-/lru-cache-11.5.1.tgz} + engines: {node: 20 || >=22} + lru-cache@5.1.1: resolution: {integrity: sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==, tarball: https://registry.npmjs.org/lru-cache/-/lru-cache-5.1.1.tgz} @@ -5105,8 +5112,8 @@ packages: property-information@7.1.0: resolution: {integrity: sha512-TwEZ+X+yCJmYfL7TPUOcvBZ4QfoT5YenQiJuX//0th53DE6w0xxLEtfK3iyryQFddXuvkIk51EEgrJQ0WJkOmQ==, tarball: https://registry.npmjs.org/property-information/-/property-information-7.1.0.tgz} - protobufjs@7.5.6: - resolution: {integrity: sha512-M71sTMB146U3u0di3yup8iM+zv8yPRNQVr1KK4tyBitl3qFvEGucq/rGDRShD2rsJhtN02RJaJ7j5X5hmy8SJg==, tarball: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.6.tgz} + protobufjs@7.6.1: + resolution: {integrity: sha512-4K0myLaWL5EteuSAro91EGFgcfVgxb64Jx+7oDAY6GOkXD4M69yuSEljNcInGVCA5sOPxmZ/EqDLj2x0Q0+Ygg==, tarball: https://registry.npmjs.org/protobufjs/-/protobufjs-7.6.1.tgz} engines: {node: '>=12.0.0'} proxy-addr@2.0.7: @@ -5181,10 +5188,10 @@ packages: resolution: {integrity: sha512-+NRMYs2DyTP4/tqWz371Oo50JqmWltR1h2gcdgUMAWZJIAvrd0/SqlCfx7tpzpl/s36rzw6qH2MjoNrxtRNYhA==, tarball: https://registry.npmjs.org/react-docgen/-/react-docgen-8.0.2.tgz} engines: {node: ^20.9.0 || >=22} - react-dom@19.2.5: - resolution: {integrity: sha512-J5bAZz+DXMMwW/wV3xzKke59Af6CHY7G4uYLN1OvBcKEsWOs4pQExj86BBKamxl/Ik5bx9whOrvBlSDfWzgSag==, tarball: https://registry.npmjs.org/react-dom/-/react-dom-19.2.5.tgz} + react-dom@19.2.6: + resolution: {integrity: sha512-0prMI+hvBbPjsWnxDLxlCGyM8PN6UuWjEUCYmZhO67xIV9Xasa/r/vDnq+Xyq4Lo27g8QSbO5YzARu0D1Sps3g==, tarball: https://registry.npmjs.org/react-dom/-/react-dom-19.2.6.tgz} peerDependencies: - react: ^19.2.5 + react: ^19.2.6 react-error-boundary@6.1.1: resolution: {integrity: sha512-BrYwPOdXi5mqkk5lw+Uvt0ThHx32rCt3BkukS4X23A2AIWDPSGX6iaWTc0y9TU/mHDA/6qOSGel+B2ERkOvD1w==, tarball: https://registry.npmjs.org/react-error-boundary/-/react-error-boundary-6.1.1.tgz} @@ -5306,8 +5313,8 @@ packages: react: ^15.0.0 || ^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 react-dom: ^15.0.0 || ^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 - react@19.2.5: - resolution: {integrity: sha512-llUJLzz1zTUBrskt2pwZgLq59AemifIftw4aB7JxOqf1HY2FDaGDxgwpAPVzHU1kdWabH7FauP4i1oEeer2WCA==, tarball: https://registry.npmjs.org/react/-/react-19.2.5.tgz} + react@19.2.6: + resolution: {integrity: sha512-sfWGGfavi0xr8Pg0sVsyHMAOziVYKgPLNrS7ig+ivMNb3wbCBw3KxtflsGBAwD3gYQlE/AEZsTLgToRrSCjb0Q==, tarball: https://registry.npmjs.org/react/-/react-19.2.6.tgz} engines: {node: '>=0.10.0'} reactcss@1.2.3: @@ -5343,6 +5350,7 @@ packages: recharts@2.15.4: resolution: {integrity: sha512-UT/q6fwS3c1dHbXv2uFgYJ9BMFHu3fwnd7AYZaEQhXuYQ4hgsxLvsUXzGdKeZrW5xopzDCvuA2N41WJ88I7zIw==, tarball: https://registry.npmjs.org/recharts/-/recharts-2.15.4.tgz} engines: {node: '>=14'} + deprecated: 1.x and 2.x branches are no longer active. Bump to Recharts v3 to receive latest features and bugfixes. See https://github.com/recharts/recharts/wiki/3.0-migration-guide peerDependencies: react: ^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 react-dom: ^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 @@ -6383,7 +6391,7 @@ snapshots: '@csstools/css-color-parser': 3.1.0(@csstools/css-parser-algorithms@3.0.5(@csstools/css-tokenizer@3.0.4))(@csstools/css-tokenizer@3.0.4) '@csstools/css-parser-algorithms': 3.0.5(@csstools/css-tokenizer@3.0.4) '@csstools/css-tokenizer': 3.0.4 - lru-cache: 11.2.4 + lru-cache: 11.5.1 '@asamuzakjp/dom-selector@6.7.5': dependencies: @@ -6401,19 +6409,25 @@ snapshots: js-tokens: 4.0.0 picocolors: 1.1.1 - '@babel/compat-data@7.29.0': {} - - '@babel/core@7.29.0': + '@babel/code-frame@7.29.7': dependencies: - '@babel/code-frame': 7.29.0 - '@babel/generator': 7.29.1 - '@babel/helper-compilation-targets': 7.28.6 - '@babel/helper-module-transforms': 7.28.6(@babel/core@7.29.0) + '@babel/helper-validator-identifier': 7.29.7 + js-tokens: 4.0.0 + picocolors: 1.1.1 + + '@babel/compat-data@7.29.7': {} + + '@babel/core@7.29.7': + dependencies: + '@babel/code-frame': 7.29.7 + '@babel/generator': 7.29.7 + '@babel/helper-compilation-targets': 7.29.7 + '@babel/helper-module-transforms': 7.29.7(@babel/core@7.29.7) '@babel/helpers': 7.26.10 - '@babel/parser': 7.29.2 - '@babel/template': 7.28.6 - '@babel/traverse': 7.29.0 - '@babel/types': 7.29.0 + '@babel/parser': 7.29.7 + '@babel/template': 7.29.7 + '@babel/traverse': 7.29.7 + '@babel/types': 7.29.7 '@jridgewell/remapping': 2.3.5 convert-source-map: 2.0.0 debug: 4.4.3 @@ -6423,52 +6437,44 @@ snapshots: transitivePeerDependencies: - supports-color - '@babel/generator@7.28.5': + '@babel/generator@7.29.7': dependencies: - '@babel/parser': 7.28.5 - '@babel/types': 7.28.5 + '@babel/parser': 7.29.7 + '@babel/types': 7.29.7 '@jridgewell/gen-mapping': 0.3.13 '@jridgewell/trace-mapping': 0.3.31 jsesc: 3.1.0 - '@babel/generator@7.29.1': + '@babel/helper-compilation-targets@7.29.7': dependencies: - '@babel/parser': 7.29.2 - '@babel/types': 7.29.0 - '@jridgewell/gen-mapping': 0.3.13 - '@jridgewell/trace-mapping': 0.3.31 - jsesc: 3.1.0 - - '@babel/helper-compilation-targets@7.28.6': - dependencies: - '@babel/compat-data': 7.29.0 - '@babel/helper-validator-option': 7.27.1 + '@babel/compat-data': 7.29.7 + '@babel/helper-validator-option': 7.29.7 browserslist: 4.28.2 lru-cache: 5.1.1 semver: 7.7.3 - '@babel/helper-globals@7.28.0': {} + '@babel/helper-globals@7.29.7': {} '@babel/helper-module-imports@7.27.1': dependencies: - '@babel/traverse': 7.28.5 - '@babel/types': 7.28.5 + '@babel/traverse': 7.29.7 + '@babel/types': 7.29.7 transitivePeerDependencies: - supports-color - '@babel/helper-module-imports@7.28.6': + '@babel/helper-module-imports@7.29.7': dependencies: - '@babel/traverse': 7.29.0 - '@babel/types': 7.29.0 + '@babel/traverse': 7.29.7 + '@babel/types': 7.29.7 transitivePeerDependencies: - supports-color - '@babel/helper-module-transforms@7.28.6(@babel/core@7.29.0)': + '@babel/helper-module-transforms@7.29.7(@babel/core@7.29.7)': dependencies: - '@babel/core': 7.29.0 - '@babel/helper-module-imports': 7.28.6 - '@babel/helper-validator-identifier': 7.28.5 - '@babel/traverse': 7.29.0 + '@babel/core': 7.29.7 + '@babel/helper-module-imports': 7.29.7 + '@babel/helper-validator-identifier': 7.29.7 + '@babel/traverse': 7.29.7 transitivePeerDependencies: - supports-color @@ -6476,64 +6482,46 @@ snapshots: '@babel/helper-string-parser@7.27.1': {} + '@babel/helper-string-parser@7.29.7': {} + '@babel/helper-validator-identifier@7.28.5': {} - '@babel/helper-validator-option@7.27.1': {} + '@babel/helper-validator-identifier@7.29.7': {} + + '@babel/helper-validator-option@7.29.7': {} '@babel/helpers@7.26.10': dependencies: - '@babel/template': 7.28.6 - '@babel/types': 7.29.0 + '@babel/template': 7.29.7 + '@babel/types': 7.29.7 - '@babel/parser@7.28.5': + '@babel/parser@7.29.7': dependencies: - '@babel/types': 7.28.5 + '@babel/types': 7.29.7 - '@babel/parser@7.29.2': + '@babel/plugin-syntax-typescript@7.28.6(@babel/core@7.29.7)': dependencies: - '@babel/types': 7.29.0 - - '@babel/plugin-syntax-typescript@7.28.6(@babel/core@7.29.0)': - dependencies: - '@babel/core': 7.29.0 + '@babel/core': 7.29.7 '@babel/helper-plugin-utils': 7.28.6 '@babel/runtime@7.26.10': dependencies: regenerator-runtime: 0.14.1 - '@babel/template@7.27.2': + '@babel/template@7.29.7': dependencies: - '@babel/code-frame': 7.29.0 - '@babel/parser': 7.28.5 - '@babel/types': 7.28.5 + '@babel/code-frame': 7.29.7 + '@babel/parser': 7.29.7 + '@babel/types': 7.29.7 - '@babel/template@7.28.6': + '@babel/traverse@7.29.7': dependencies: - '@babel/code-frame': 7.29.0 - '@babel/parser': 7.29.2 - '@babel/types': 7.29.0 - - '@babel/traverse@7.28.5': - dependencies: - '@babel/code-frame': 7.29.0 - '@babel/generator': 7.28.5 - '@babel/helper-globals': 7.28.0 - '@babel/parser': 7.28.5 - '@babel/template': 7.27.2 - '@babel/types': 7.28.5 - debug: 4.4.3 - transitivePeerDependencies: - - supports-color - - '@babel/traverse@7.29.0': - dependencies: - '@babel/code-frame': 7.29.0 - '@babel/generator': 7.29.1 - '@babel/helper-globals': 7.28.0 - '@babel/parser': 7.29.2 - '@babel/template': 7.28.6 - '@babel/types': 7.29.0 + '@babel/code-frame': 7.29.7 + '@babel/generator': 7.29.7 + '@babel/helper-globals': 7.29.7 + '@babel/parser': 7.29.7 + '@babel/template': 7.29.7 + '@babel/types': 7.29.7 debug: 4.4.3 transitivePeerDependencies: - supports-color @@ -6543,10 +6531,10 @@ snapshots: '@babel/helper-string-parser': 7.27.1 '@babel/helper-validator-identifier': 7.28.5 - '@babel/types@7.29.0': + '@babel/types@7.29.7': dependencies: - '@babel/helper-string-parser': 7.27.1 - '@babel/helper-validator-identifier': 7.28.5 + '@babel/helper-string-parser': 7.29.7 + '@babel/helper-validator-identifier': 7.29.7 '@biomejs/biome@2.4.10': optionalDependencies: @@ -6617,13 +6605,13 @@ snapshots: '@chevrotain/utils@11.1.2': {} - '@chromatic-com/storybook@5.0.1(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))': + '@chromatic-com/storybook@5.0.1(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))': dependencies: '@neoconfetti/react': 1.0.0 chromatic: 13.3.4 filesize: 10.1.6 jsonfile: 6.2.0 - storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) strip-ansi: 7.1.2 transitivePeerDependencies: - '@chromatic-com/cypress' @@ -6653,29 +6641,29 @@ snapshots: '@date-fns/tz@1.4.1': {} - '@dnd-kit/accessibility@3.1.1(react@19.2.5)': + '@dnd-kit/accessibility@3.1.1(react@19.2.6)': dependencies: - react: 19.2.5 + react: 19.2.6 tslib: 2.8.1 - '@dnd-kit/core@6.3.1(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@dnd-kit/core@6.3.1(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@dnd-kit/accessibility': 3.1.1(react@19.2.5) - '@dnd-kit/utilities': 3.2.2(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@dnd-kit/accessibility': 3.1.1(react@19.2.6) + '@dnd-kit/utilities': 3.2.2(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) tslib: 2.8.1 - '@dnd-kit/sortable@10.0.0(@dnd-kit/core@6.3.1(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(react@19.2.5)': + '@dnd-kit/sortable@10.0.0(@dnd-kit/core@6.3.1(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(react@19.2.6)': dependencies: - '@dnd-kit/core': 6.3.1(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@dnd-kit/utilities': 3.2.2(react@19.2.5) - react: 19.2.5 + '@dnd-kit/core': 6.3.1(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@dnd-kit/utilities': 3.2.2(react@19.2.6) + react: 19.2.6 tslib: 2.8.1 - '@dnd-kit/utilities@3.2.2(react@19.2.5)': + '@dnd-kit/utilities@3.2.2(react@19.2.6)': dependencies: - react: 19.2.5 + react: 19.2.6 tslib: 2.8.1 '@emnapi/core@1.10.0': @@ -6696,10 +6684,10 @@ snapshots: '@emoji-mart/data@1.2.1': {} - '@emoji-mart/react@1.1.1(emoji-mart@5.6.0)(react@19.2.5)': + '@emoji-mart/react@1.1.1(emoji-mart@5.6.0)(react@19.2.6)': dependencies: emoji-mart: 5.6.0 - react: 19.2.5 + react: 19.2.6 '@emotion/babel-plugin@11.13.5': dependencies: @@ -6743,19 +6731,19 @@ snapshots: '@emotion/memoize@0.9.0': {} - '@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5)': + '@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6)': dependencies: '@babel/runtime': 7.26.10 '@emotion/babel-plugin': 11.13.5 '@emotion/cache': 11.14.0 '@emotion/serialize': 1.3.3 - '@emotion/use-insertion-effect-with-fallbacks': 1.2.0(react@19.2.5) + '@emotion/use-insertion-effect-with-fallbacks': 1.2.0(react@19.2.6) '@emotion/utils': 1.4.2 '@emotion/weak-memoize': 0.4.0 hoist-non-react-statics: 3.3.2 - react: 19.2.5 + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 transitivePeerDependencies: - supports-color @@ -6769,26 +6757,26 @@ snapshots: '@emotion/sheet@1.4.0': {} - '@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react@19.2.5)': + '@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react@19.2.6)': dependencies: '@babel/runtime': 7.26.10 '@emotion/babel-plugin': 11.13.5 '@emotion/is-prop-valid': 1.4.0 - '@emotion/react': 11.14.0(@types/react@19.2.14)(react@19.2.5) + '@emotion/react': 11.14.0(@types/react@19.2.15)(react@19.2.6) '@emotion/serialize': 1.3.3 - '@emotion/use-insertion-effect-with-fallbacks': 1.2.0(react@19.2.5) + '@emotion/use-insertion-effect-with-fallbacks': 1.2.0(react@19.2.6) '@emotion/utils': 1.4.2 - react: 19.2.5 + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 transitivePeerDependencies: - supports-color '@emotion/unitless@0.10.0': {} - '@emotion/use-insertion-effect-with-fallbacks@1.2.0(react@19.2.5)': + '@emotion/use-insertion-effect-with-fallbacks@1.2.0(react@19.2.6)': dependencies: - react: 19.2.5 + react: 19.2.6 '@emotion/utils@1.4.2': {} @@ -6881,25 +6869,25 @@ snapshots: '@floating-ui/core': 1.7.4 '@floating-ui/utils': 0.2.10 - '@floating-ui/react-dom@2.1.7(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@floating-ui/react-dom@2.1.7(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@floating-ui/dom': 1.7.5 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) - '@floating-ui/react@0.27.18(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@floating-ui/react@0.27.18(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@floating-ui/react-dom': 2.1.7(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + '@floating-ui/react-dom': 2.1.7(react-dom@19.2.6(react@19.2.6))(react@19.2.6) '@floating-ui/utils': 0.2.10 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) tabbable: 6.4.0 '@floating-ui/utils@0.2.10': {} '@fontsource-variable/geist-mono@5.2.7': {} - '@fontsource-variable/geist@5.2.8': {} + '@fontsource-variable/geist@5.2.9': {} '@fontsource/fira-code@5.2.7': {} @@ -6917,9 +6905,9 @@ snapshots: '@iconify/types': 2.0.0 mlly: 1.8.2 - '@icons/material@0.2.4(react@19.2.5)': + '@icons/material@0.2.4(react@19.2.6)': dependencies: - react: 19.2.5 + react: 19.2.6 '@inquirer/confirm@3.2.0': dependencies: @@ -7008,7 +6996,7 @@ snapshots: '@lexical/extension': 0.44.0 lexical: 0.44.0 - '@lexical/devtools-core@0.44.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@lexical/devtools-core@0.44.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@lexical/html': 0.44.0 '@lexical/link': 0.44.0 @@ -7016,8 +7004,8 @@ snapshots: '@lexical/table': 0.44.0 '@lexical/utils': 0.44.0 lexical: 0.44.0 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) '@lexical/dragon@0.44.0': dependencies: @@ -7088,10 +7076,10 @@ snapshots: '@lexical/utils': 0.44.0 lexical: 0.44.0 - '@lexical/react@0.44.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(yjs@13.6.29)': + '@lexical/react@0.44.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(yjs@13.6.29)': dependencies: - '@floating-ui/react': 0.27.18(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@lexical/devtools-core': 0.44.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + '@floating-ui/react': 0.27.18(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@lexical/devtools-core': 0.44.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6) '@lexical/dragon': 0.44.0 '@lexical/extension': 0.44.0 '@lexical/hashtag': 0.44.0 @@ -7108,9 +7096,9 @@ snapshots: '@lexical/utils': 0.44.0 '@lexical/yjs': 0.44.0(yjs@13.6.29) lexical: 0.44.0 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) - react-error-boundary: 6.1.1(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) + react-error-boundary: 6.1.1(react@19.2.6) optionalDependencies: yjs: 13.6.29 @@ -7148,11 +7136,11 @@ snapshots: lexical: 0.44.0 yjs: 13.6.29 - '@mdx-js/react@3.1.1(@types/react@19.2.14)(react@19.2.5)': + '@mdx-js/react@3.1.1(@types/react@19.2.15)(react@19.2.6)': dependencies: '@types/mdx': 2.0.13 - '@types/react': 19.2.14 - react: 19.2.5 + '@types/react': 19.2.15 + react: 19.2.6 '@mermaid-js/parser@1.0.1': dependencies: @@ -7172,12 +7160,12 @@ snapshots: dependencies: state-local: 1.0.7 - '@monaco-editor/react@4.7.0(monaco-editor@0.55.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@monaco-editor/react@4.7.0(monaco-editor@0.55.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@monaco-editor/loader': 1.5.0 monaco-editor: 0.55.1 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) '@mswjs/interceptors@0.35.9': dependencies: @@ -7190,79 +7178,79 @@ snapshots: '@mui/core-downloads-tracker@5.18.0': {} - '@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@babel/runtime': 7.26.10 '@mui/core-downloads-tracker': 5.18.0 - '@mui/system': 5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react@19.2.5) - '@mui/types': 7.2.24(@types/react@19.2.14) - '@mui/utils': 5.17.1(@types/react@19.2.14)(react@19.2.5) + '@mui/system': 5.18.0(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react@19.2.6) + '@mui/types': 7.2.24(@types/react@19.2.15) + '@mui/utils': 5.17.1(@types/react@19.2.15)(react@19.2.6) '@popperjs/core': 2.11.8 - '@types/react-transition-group': 4.4.12(@types/react@19.2.14) + '@types/react-transition-group': 4.4.12(@types/react@19.2.15) clsx: 2.1.1 csstype: 3.1.3 prop-types: 15.8.1 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) react-is: 19.1.1 - react-transition-group: 4.4.5(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + react-transition-group: 4.4.5(react-dom@19.2.6(react@19.2.6))(react@19.2.6) optionalDependencies: - '@emotion/react': 11.14.0(@types/react@19.2.14)(react@19.2.5) - '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react@19.2.5) - '@types/react': 19.2.14 + '@emotion/react': 11.14.0(@types/react@19.2.15)(react@19.2.6) + '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react@19.2.6) + '@types/react': 19.2.15 - '@mui/private-theming@5.17.1(@types/react@19.2.14)(react@19.2.5)': + '@mui/private-theming@5.17.1(@types/react@19.2.15)(react@19.2.6)': dependencies: '@babel/runtime': 7.26.10 - '@mui/utils': 5.17.1(@types/react@19.2.14)(react@19.2.5) + '@mui/utils': 5.17.1(@types/react@19.2.15)(react@19.2.6) prop-types: 15.8.1 - react: 19.2.5 + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@mui/styled-engine@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react@19.2.5))(react@19.2.5)': + '@mui/styled-engine@5.18.0(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react@19.2.6))(react@19.2.6)': dependencies: '@babel/runtime': 7.26.10 '@emotion/cache': 11.14.0 '@emotion/serialize': 1.3.3 csstype: 3.2.3 prop-types: 15.8.1 - react: 19.2.5 + react: 19.2.6 optionalDependencies: - '@emotion/react': 11.14.0(@types/react@19.2.14)(react@19.2.5) - '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react@19.2.5) + '@emotion/react': 11.14.0(@types/react@19.2.15)(react@19.2.6) + '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react@19.2.6) - '@mui/system@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react@19.2.5)': + '@mui/system@5.18.0(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react@19.2.6)': dependencies: '@babel/runtime': 7.26.10 - '@mui/private-theming': 5.17.1(@types/react@19.2.14)(react@19.2.5) - '@mui/styled-engine': 5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react@19.2.5))(react@19.2.5) - '@mui/types': 7.2.24(@types/react@19.2.14) - '@mui/utils': 5.17.1(@types/react@19.2.14)(react@19.2.5) + '@mui/private-theming': 5.17.1(@types/react@19.2.15)(react@19.2.6) + '@mui/styled-engine': 5.18.0(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react@19.2.6))(react@19.2.6) + '@mui/types': 7.2.24(@types/react@19.2.15) + '@mui/utils': 5.17.1(@types/react@19.2.15)(react@19.2.6) clsx: 2.1.1 csstype: 3.1.3 prop-types: 15.8.1 - react: 19.2.5 + react: 19.2.6 optionalDependencies: - '@emotion/react': 11.14.0(@types/react@19.2.14)(react@19.2.5) - '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.5))(@types/react@19.2.14)(react@19.2.5) - '@types/react': 19.2.14 + '@emotion/react': 11.14.0(@types/react@19.2.15)(react@19.2.6) + '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.15)(react@19.2.6))(@types/react@19.2.15)(react@19.2.6) + '@types/react': 19.2.15 - '@mui/types@7.2.24(@types/react@19.2.14)': + '@mui/types@7.2.24(@types/react@19.2.15)': optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@mui/utils@5.17.1(@types/react@19.2.14)(react@19.2.5)': + '@mui/utils@5.17.1(@types/react@19.2.15)(react@19.2.6)': dependencies: '@babel/runtime': 7.26.10 - '@mui/types': 7.2.24(@types/react@19.2.14) + '@mui/types': 7.2.24(@types/react@19.2.15) '@types/prop-types': 15.7.15 clsx: 2.1.1 prop-types: 15.8.1 - react: 19.2.5 + react: 19.2.6 react-is: 19.1.1 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 '@napi-rs/wasm-runtime@1.0.7': dependencies: @@ -7370,15 +7358,15 @@ snapshots: '@oxc-resolver/binding-win32-x64-msvc@11.14.0': optional: true - '@pierre/diffs@1.1.19(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@pierre/diffs@1.1.19(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@pierre/theme': 0.0.28 '@shikijs/transformers': 3.23.0 diff: 8.0.3 hast-util-to-html: 9.0.5 lru_map: 0.4.1 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) shiki: 3.23.0 '@pierre/theme@0.0.28': {} @@ -7402,16 +7390,15 @@ snapshots: '@protobufjs/codegen@2.0.5': {} - '@protobufjs/eventemitter@1.1.0': {} + '@protobufjs/eventemitter@1.1.1': {} - '@protobufjs/fetch@1.1.0': + '@protobufjs/fetch@1.1.1': dependencies: '@protobufjs/aspromise': 1.1.2 - '@protobufjs/inquire': 1.1.1 '@protobufjs/float@1.0.2': {} - '@protobufjs/inquire@1.1.1': {} + '@protobufjs/inquire@1.1.2': {} '@protobufjs/path@1.1.2': {} @@ -7423,746 +7410,746 @@ snapshots: '@radix-ui/primitive@1.1.3': {} - '@radix-ui/react-accessible-icon@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-accessible-icon@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@radix-ui/react-visually-hidden': 1.2.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-visually-hidden': 1.2.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-accordion@1.2.12(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-accordion@1.2.12(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-collapsible': 1.1.12(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-direction': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-collapsible': 1.1.12(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-direction': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-id': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-alert-dialog@1.1.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-alert-dialog@1.1.15(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-dialog': 1.1.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-slot': 1.2.3(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-dialog': 1.1.15(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-slot': 1.2.3(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-arrow@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-arrow@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-aspect-ratio@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-aspect-ratio@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-avatar@1.1.10(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-avatar@1.1.10(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-is-hydrated': 0.1.0(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-is-hydrated': 0.1.0(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-checkbox@1.3.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-checkbox@1.3.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-previous': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-size': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-previous': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-size': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-collapsible@1.1.12(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-collapsible@1.1.12(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-id': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-collection@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-collection@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-slot': 1.2.3(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-slot': 1.2.3(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-compose-refs@1.1.2(@types/react@19.2.14)(react@19.2.5)': + '@radix-ui/react-compose-refs@1.1.2(@types/react@19.2.15)(react@19.2.6)': dependencies: - react: 19.2.5 + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@radix-ui/react-context-menu@2.2.16(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-context-menu@2.2.16(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-menu': 2.1.16(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-menu': 2.1.16(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-context@1.1.2(@types/react@19.2.14)(react@19.2.5)': + '@radix-ui/react-context@1.1.2(@types/react@19.2.15)(react@19.2.6)': dependencies: - react: 19.2.5 + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@radix-ui/react-dialog@1.1.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-dialog@1.1.15(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-focus-guards': 1.1.3(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-focus-scope': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-slot': 1.2.3(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-focus-guards': 1.1.3(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-focus-scope': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-id': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-slot': 1.2.3(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) aria-hidden: 1.2.6 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) - react-remove-scroll: 2.7.1(@types/react@19.2.14)(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) + react-remove-scroll: 2.7.1(@types/react@19.2.15)(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-direction@1.1.1(@types/react@19.2.14)(react@19.2.5)': + '@radix-ui/react-direction@1.1.1(@types/react@19.2.15)(react@19.2.6)': dependencies: - react: 19.2.5 + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@radix-ui/react-dismissable-layer@1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-dismissable-layer@1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-escape-keydown': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-escape-keydown': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-dropdown-menu@2.1.16(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-dropdown-menu@2.1.16(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-menu': 2.1.16(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-id': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-menu': 2.1.16(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-focus-guards@1.1.3(@types/react@19.2.14)(react@19.2.5)': + '@radix-ui/react-focus-guards@1.1.3(@types/react@19.2.15)(react@19.2.6)': dependencies: - react: 19.2.5 + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@radix-ui/react-focus-scope@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-focus-scope@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-form@0.1.8(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-form@0.1.8(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-label': 2.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-id': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-label': 2.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-hover-card@1.1.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-hover-card@1.1.15(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-popper': 1.2.8(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-popper': 1.2.8(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-id@1.1.1(@types/react@19.2.14)(react@19.2.5)': + '@radix-ui/react-id@1.1.1(@types/react@19.2.15)(react@19.2.6)': dependencies: - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@radix-ui/react-label@2.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-label@2.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-menu@2.1.16(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-menu@2.1.16(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-direction': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-focus-guards': 1.1.3(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-focus-scope': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-popper': 1.2.8(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-slot': 1.2.3(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5) + '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-direction': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-focus-guards': 1.1.3(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-focus-scope': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-id': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-popper': 1.2.8(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-slot': 1.2.3(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.15)(react@19.2.6) aria-hidden: 1.2.6 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) - react-remove-scroll: 2.7.1(@types/react@19.2.14)(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) + react-remove-scroll: 2.7.1(@types/react@19.2.15)(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-menubar@1.1.16(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-menubar@1.1.16(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-direction': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-menu': 2.1.16(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-direction': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-id': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-menu': 2.1.16(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-navigation-menu@1.2.14(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-navigation-menu@1.2.14(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-direction': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-previous': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-visually-hidden': 1.2.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-direction': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-id': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-previous': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-visually-hidden': 1.2.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-one-time-password-field@0.1.8(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-one-time-password-field@0.1.8(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/number': 1.1.1 '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-direction': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-effect-event': 0.0.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-is-hydrated': 0.1.0(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-direction': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-effect-event': 0.0.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-is-hydrated': 0.1.0(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-password-toggle-field@0.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-password-toggle-field@0.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-effect-event': 0.0.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-is-hydrated': 0.1.0(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-id': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-effect-event': 0.0.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-is-hydrated': 0.1.0(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-popover@1.1.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-popover@1.1.15(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-focus-guards': 1.1.3(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-focus-scope': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-popper': 1.2.8(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-slot': 1.2.3(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-focus-guards': 1.1.3(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-focus-scope': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-id': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-popper': 1.2.8(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-slot': 1.2.3(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) aria-hidden: 1.2.6 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) - react-remove-scroll: 2.7.1(@types/react@19.2.14)(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) + react-remove-scroll: 2.7.1(@types/react@19.2.15)(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-popper@1.2.8(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-popper@1.2.8(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@floating-ui/react-dom': 2.1.7(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-arrow': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-rect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-size': 1.1.1(@types/react@19.2.14)(react@19.2.5) + '@floating-ui/react-dom': 2.1.7(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-arrow': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-rect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-size': 1.1.1(@types/react@19.2.15)(react@19.2.6) '@radix-ui/rect': 1.1.1 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-portal@1.1.9(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-portal@1.1.9(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-presence@1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-presence@1.1.5(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-primitive@2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-primitive@2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@radix-ui/react-slot': 1.2.3(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-slot': 1.2.3(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-progress@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-progress@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-radio-group@1.3.8(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-radio-group@1.3.8(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-direction': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-previous': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-size': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-direction': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-previous': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-size': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-roving-focus@1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-roving-focus@1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-direction': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-direction': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-id': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-scroll-area@1.2.10(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-scroll-area@1.2.10(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/number': 1.1.1 '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-direction': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-direction': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-select@2.2.6(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-select@2.2.6(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/number': 1.1.1 '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-direction': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-focus-guards': 1.1.3(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-focus-scope': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-popper': 1.2.8(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-slot': 1.2.3(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-previous': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-visually-hidden': 1.2.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-direction': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-focus-guards': 1.1.3(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-focus-scope': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-id': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-popper': 1.2.8(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-slot': 1.2.3(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-previous': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-visually-hidden': 1.2.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) aria-hidden: 1.2.6 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) - react-remove-scroll: 2.7.1(@types/react@19.2.14)(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) + react-remove-scroll: 2.7.1(@types/react@19.2.15)(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-separator@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-separator@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-slider@1.3.6(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-slider@1.3.6(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/number': 1.1.1 '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-direction': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-previous': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-size': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-direction': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-previous': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-size': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-slot@1.2.3(@types/react@19.2.14)(react@19.2.5)': + '@radix-ui/react-slot@1.2.3(@types/react@19.2.15)(react@19.2.6)': dependencies: - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@radix-ui/react-switch@1.2.6(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-switch@1.2.6(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-previous': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-size': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-previous': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-size': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-tabs@1.1.13(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-tabs@1.1.13(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-direction': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-direction': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-id': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-toast@1.2.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-toast@1.2.15(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-visually-hidden': 1.2.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-visually-hidden': 1.2.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-toggle-group@1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-toggle-group@1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-direction': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-toggle': 1.1.10(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-direction': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-toggle': 1.1.10(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-toggle@1.1.10(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-toggle@1.1.10(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-toolbar@1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-toolbar@1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-direction': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-separator': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-toggle-group': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-direction': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-separator': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-toggle-group': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-tooltip@1.2.8(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-tooltip@1.2.8(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-popper': 1.2.8(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-slot': 1.2.3(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-visually-hidden': 1.2.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-id': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-popper': 1.2.8(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-slot': 1.2.3(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-visually-hidden': 1.2.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) - '@radix-ui/react-use-callback-ref@1.1.1(@types/react@19.2.14)(react@19.2.5)': + '@radix-ui/react-use-callback-ref@1.1.1(@types/react@19.2.15)(react@19.2.6)': dependencies: - react: 19.2.5 + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@radix-ui/react-use-controllable-state@1.2.2(@types/react@19.2.14)(react@19.2.5)': + '@radix-ui/react-use-controllable-state@1.2.2(@types/react@19.2.15)(react@19.2.6)': dependencies: - '@radix-ui/react-use-effect-event': 0.0.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 + '@radix-ui/react-use-effect-event': 0.0.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@radix-ui/react-use-effect-event@0.0.2(@types/react@19.2.14)(react@19.2.5)': + '@radix-ui/react-use-effect-event@0.0.2(@types/react@19.2.15)(react@19.2.6)': dependencies: - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@radix-ui/react-use-escape-keydown@1.1.1(@types/react@19.2.14)(react@19.2.5)': + '@radix-ui/react-use-escape-keydown@1.1.1(@types/react@19.2.15)(react@19.2.6)': dependencies: - '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 + '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@radix-ui/react-use-is-hydrated@0.1.0(@types/react@19.2.14)(react@19.2.5)': + '@radix-ui/react-use-is-hydrated@0.1.0(@types/react@19.2.15)(react@19.2.6)': dependencies: - react: 19.2.5 - use-sync-external-store: 1.6.0(react@19.2.5) + react: 19.2.6 + use-sync-external-store: 1.6.0(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@radix-ui/react-use-layout-effect@1.1.1(@types/react@19.2.14)(react@19.2.5)': + '@radix-ui/react-use-layout-effect@1.1.1(@types/react@19.2.15)(react@19.2.6)': dependencies: - react: 19.2.5 + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@radix-ui/react-use-previous@1.1.1(@types/react@19.2.14)(react@19.2.5)': + '@radix-ui/react-use-previous@1.1.1(@types/react@19.2.15)(react@19.2.6)': dependencies: - react: 19.2.5 + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@radix-ui/react-use-rect@1.1.1(@types/react@19.2.14)(react@19.2.5)': + '@radix-ui/react-use-rect@1.1.1(@types/react@19.2.15)(react@19.2.6)': dependencies: '@radix-ui/rect': 1.1.1 - react: 19.2.5 + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@radix-ui/react-use-size@1.1.1(@types/react@19.2.14)(react@19.2.5)': + '@radix-ui/react-use-size@1.1.1(@types/react@19.2.15)(react@19.2.6)': dependencies: - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - react: 19.2.5 + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@radix-ui/react-visually-hidden@1.2.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@radix-ui/react-visually-hidden@1.2.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) '@radix-ui/rect@1.1.1': {} @@ -8215,9 +8202,9 @@ snapshots: '@rolldown/binding-win32-x64-msvc@1.0.0-rc.17': optional: true - '@rolldown/plugin-babel@0.2.3(@babel/core@7.29.0)(@babel/runtime@7.26.10)(rolldown@1.0.0-rc.17)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))': + '@rolldown/plugin-babel@0.2.3(@babel/core@7.29.7)(@babel/runtime@7.26.10)(rolldown@1.0.0-rc.17)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))': dependencies: - '@babel/core': 7.29.0 + '@babel/core': 7.29.7 picomatch: 4.0.4 rolldown: 1.0.0-rc.17 optionalDependencies: @@ -8276,21 +8263,21 @@ snapshots: '@standard-schema/spec@1.1.0': {} - '@storybook/addon-a11y@10.3.3(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))': + '@storybook/addon-a11y@10.3.3(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))': dependencies: '@storybook/global': 5.0.0 axe-core: 4.11.1 - storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) - '@storybook/addon-docs@10.3.3(@types/react@19.2.14)(esbuild@0.25.12)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))': + '@storybook/addon-docs@10.3.3(@types/react@19.2.15)(esbuild@0.25.12)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))': dependencies: - '@mdx-js/react': 3.1.1(@types/react@19.2.14)(react@19.2.5) - '@storybook/csf-plugin': 10.3.3(esbuild@0.25.12)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) - '@storybook/icons': 2.0.1(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@storybook/react-dom-shim': 10.3.3(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) - storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + '@mdx-js/react': 3.1.1(@types/react@19.2.15)(react@19.2.6) + '@storybook/csf-plugin': 10.3.3(esbuild@0.25.12)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) + '@storybook/icons': 2.0.1(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@storybook/react-dom-shim': 10.3.3(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) + storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) ts-dedent: 2.2.0 transitivePeerDependencies: - '@types/react' @@ -8299,38 +8286,38 @@ snapshots: - vite - webpack - '@storybook/addon-links@10.3.3(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))': + '@storybook/addon-links@10.3.3(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))': dependencies: '@storybook/global': 5.0.0 - storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) optionalDependencies: - react: 19.2.5 + react: 19.2.6 - '@storybook/addon-mcp@0.6.0(@storybook/addon-vitest@10.3.3(@vitest/browser-playwright@4.1.1)(@vitest/browser@4.1.1(msw@2.4.8(typescript@6.0.2))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))(vitest@4.1.5))(@vitest/runner@4.1.5)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(vitest@4.1.5))(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(typescript@6.0.2)': + '@storybook/addon-mcp@0.6.0(@storybook/addon-vitest@10.3.3(@vitest/browser-playwright@4.1.1)(@vitest/browser@4.1.1(msw@2.4.8(typescript@6.0.2))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))(vitest@4.1.5))(@vitest/runner@4.1.5)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(vitest@4.1.5))(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(typescript@6.0.2)': dependencies: '@storybook/mcp': 0.7.0(typescript@6.0.2) '@tmcp/adapter-valibot': 0.1.5(tmcp@1.19.3(typescript@6.0.2))(valibot@1.2.0(typescript@6.0.2)) '@tmcp/transport-http': 0.8.5(tmcp@1.19.3(typescript@6.0.2)) picoquery: 2.5.0 - storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) tmcp: 1.19.3(typescript@6.0.2) valibot: 1.2.0(typescript@6.0.2) optionalDependencies: - '@storybook/addon-vitest': 10.3.3(@vitest/browser-playwright@4.1.1)(@vitest/browser@4.1.1(msw@2.4.8(typescript@6.0.2))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))(vitest@4.1.5))(@vitest/runner@4.1.5)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(vitest@4.1.5) + '@storybook/addon-vitest': 10.3.3(@vitest/browser-playwright@4.1.1)(@vitest/browser@4.1.1(msw@2.4.8(typescript@6.0.2))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))(vitest@4.1.5))(@vitest/runner@4.1.5)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(vitest@4.1.5) transitivePeerDependencies: - '@tmcp/auth' - typescript - '@storybook/addon-themes@10.3.3(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))': + '@storybook/addon-themes@10.3.3(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))': dependencies: - storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) ts-dedent: 2.2.0 - '@storybook/addon-vitest@10.3.3(@vitest/browser-playwright@4.1.1)(@vitest/browser@4.1.1(msw@2.4.8(typescript@6.0.2))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))(vitest@4.1.5))(@vitest/runner@4.1.5)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(vitest@4.1.5)': + '@storybook/addon-vitest@10.3.3(@vitest/browser-playwright@4.1.1)(@vitest/browser@4.1.1(msw@2.4.8(typescript@6.0.2))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))(vitest@4.1.5))(@vitest/runner@4.1.5)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(vitest@4.1.5)': dependencies: '@storybook/global': 5.0.0 - '@storybook/icons': 2.0.1(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + '@storybook/icons': 2.0.1(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) optionalDependencies: '@vitest/browser': 4.1.1(msw@2.4.8(typescript@6.0.2))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))(vitest@4.1.5) '@vitest/browser-playwright': 4.1.1(msw@2.4.8(typescript@6.0.2))(playwright@1.55.1)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))(vitest@4.1.5) @@ -8340,10 +8327,10 @@ snapshots: - react - react-dom - '@storybook/builder-vite@10.3.3(esbuild@0.25.12)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))': + '@storybook/builder-vite@10.3.3(esbuild@0.25.12)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))': dependencies: - '@storybook/csf-plugin': 10.3.3(esbuild@0.25.12)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) - storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + '@storybook/csf-plugin': 10.3.3(esbuild@0.25.12)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) + storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) ts-dedent: 2.2.0 vite: 8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3) transitivePeerDependencies: @@ -8351,9 +8338,9 @@ snapshots: - rollup - webpack - '@storybook/csf-plugin@10.3.3(esbuild@0.25.12)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))': + '@storybook/csf-plugin@10.3.3(esbuild@0.25.12)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))': dependencies: - storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) unplugin: 2.3.11 optionalDependencies: esbuild: 0.25.12 @@ -8361,10 +8348,10 @@ snapshots: '@storybook/global@5.0.0': {} - '@storybook/icons@2.0.1(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@storybook/icons@2.0.1(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) '@storybook/mcp@0.7.0(typescript@6.0.2)': dependencies: @@ -8376,25 +8363,25 @@ snapshots: - '@tmcp/auth' - typescript - '@storybook/react-dom-shim@10.3.3(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))': + '@storybook/react-dom-shim@10.3.3(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))': dependencies: - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) - storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) + storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) - '@storybook/react-vite@10.3.3(esbuild@0.25.12)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(typescript@6.0.2)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))': + '@storybook/react-vite@10.3.3(esbuild@0.25.12)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(typescript@6.0.2)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))': dependencies: '@joshwooding/vite-plugin-react-docgen-typescript': 0.6.4(typescript@6.0.2)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) '@rollup/pluginutils': 5.3.0 - '@storybook/builder-vite': 10.3.3(esbuild@0.25.12)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) - '@storybook/react': 10.3.3(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(typescript@6.0.2) + '@storybook/builder-vite': 10.3.3(esbuild@0.25.12)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) + '@storybook/react': 10.3.3(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(typescript@6.0.2) empathic: 2.0.0 magic-string: 0.30.21 - react: 19.2.5 + react: 19.2.6 react-docgen: 8.0.2 - react-dom: 19.2.5(react@19.2.5) + react-dom: 19.2.6(react@19.2.6) resolve: 1.22.11 - storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) tsconfig-paths: 4.2.0 vite: 8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3) transitivePeerDependencies: @@ -8404,15 +8391,15 @@ snapshots: - typescript - webpack - '@storybook/react@10.3.3(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(typescript@6.0.2)': + '@storybook/react@10.3.3(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(typescript@6.0.2)': dependencies: '@storybook/global': 5.0.0 - '@storybook/react-dom-shim': 10.3.3(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)) - react: 19.2.5 + '@storybook/react-dom-shim': 10.3.3(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)) + react: 19.2.6 react-docgen: 8.0.2 react-docgen-typescript: 2.4.0(typescript@6.0.2) - react-dom: 19.2.5(react@19.2.5) - storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + react-dom: 19.2.6(react@19.2.6) + storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) optionalDependencies: typescript: 6.0.2 transitivePeerDependencies: @@ -8429,20 +8416,20 @@ snapshots: '@tanstack/query-devtools@5.76.0': {} - '@tanstack/react-query-devtools@5.77.0(@tanstack/react-query@5.77.0(react@19.2.5))(react@19.2.5)': + '@tanstack/react-query-devtools@5.77.0(@tanstack/react-query@5.77.0(react@19.2.6))(react@19.2.6)': dependencies: '@tanstack/query-devtools': 5.76.0 - '@tanstack/react-query': 5.77.0(react@19.2.5) - react: 19.2.5 + '@tanstack/react-query': 5.77.0(react@19.2.6) + react: 19.2.6 - '@tanstack/react-query@5.77.0(react@19.2.5)': + '@tanstack/react-query@5.77.0(react@19.2.6)': dependencies: '@tanstack/query-core': 5.77.0 - react: 19.2.5 + react: 19.2.6 '@testing-library/dom@10.4.0': dependencies: - '@babel/code-frame': 7.29.0 + '@babel/code-frame': 7.29.7 '@babel/runtime': 7.26.10 '@types/aria-query': 5.0.4 aria-query: 5.3.0 @@ -8453,7 +8440,7 @@ snapshots: '@testing-library/dom@9.3.3': dependencies: - '@babel/code-frame': 7.29.0 + '@babel/code-frame': 7.29.7 '@babel/runtime': 7.26.10 '@types/aria-query': 5.0.3 aria-query: 5.1.3 @@ -8471,13 +8458,13 @@ snapshots: picocolors: 1.1.1 redent: 3.0.0 - '@testing-library/react@14.3.1(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@testing-library/react@14.3.1(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: '@babel/runtime': 7.26.10 '@testing-library/dom': 9.3.3 - '@types/react-dom': 18.3.7(@types/react@19.2.14) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@types/react-dom': 18.3.7(@types/react@19.2.15) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) transitivePeerDependencies: - '@types/react' @@ -8513,24 +8500,24 @@ snapshots: '@types/babel__core@7.20.5': dependencies: - '@babel/parser': 7.28.5 - '@babel/types': 7.28.5 + '@babel/parser': 7.29.7 + '@babel/types': 7.29.7 '@types/babel__generator': 7.27.0 '@types/babel__template': 7.4.4 '@types/babel__traverse': 7.28.0 '@types/babel__generator@7.27.0': dependencies: - '@babel/types': 7.28.5 + '@babel/types': 7.29.7 '@types/babel__template@7.4.4': dependencies: - '@babel/parser': 7.28.5 - '@babel/types': 7.28.5 + '@babel/parser': 7.29.7 + '@babel/types': 7.29.7 '@types/babel__traverse@7.28.0': dependencies: - '@babel/types': 7.28.5 + '@babel/types': 7.29.7 '@types/body-parser@1.19.2': dependencies: @@ -8717,9 +8704,9 @@ snapshots: dependencies: '@types/unist': 3.0.3 - '@types/hoist-non-react-statics@3.3.7(@types/react@19.2.14)': + '@types/hoist-non-react-statics@3.3.7(@types/react@19.2.15)': dependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 hoist-non-react-statics: 3.3.2 '@types/http-errors@2.0.1': {} @@ -8766,45 +8753,45 @@ snapshots: '@types/range-parser@1.2.4': {} - '@types/react-color@3.0.13(@types/react@19.2.14)': + '@types/react-color@3.0.13(@types/react@19.2.15)': dependencies: - '@types/react': 19.2.14 - '@types/reactcss': 1.2.13(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/reactcss': 1.2.13(@types/react@19.2.15) - '@types/react-dom@18.3.7(@types/react@19.2.14)': + '@types/react-dom@18.3.7(@types/react@19.2.15)': dependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@types/react-dom@19.2.3(@types/react@19.2.14)': + '@types/react-dom@19.2.3(@types/react@19.2.15)': dependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 '@types/react-syntax-highlighter@15.5.13': dependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@types/react-transition-group@4.4.12(@types/react@19.2.14)': + '@types/react-transition-group@4.4.12(@types/react@19.2.15)': dependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@types/react-virtualized-auto-sizer@1.0.8(react-dom@19.2.5(react@19.2.5))(react@19.2.5)': + '@types/react-virtualized-auto-sizer@1.0.8(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': dependencies: - react-virtualized-auto-sizer: 1.0.26(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + react-virtualized-auto-sizer: 1.0.26(react-dom@19.2.6(react@19.2.6))(react@19.2.6) transitivePeerDependencies: - react - react-dom '@types/react-window@1.8.8': dependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - '@types/react@19.2.14': + '@types/react@19.2.15': dependencies: csstype: 3.2.3 - '@types/reactcss@1.2.13(@types/react@19.2.14)': + '@types/reactcss@1.2.13(@types/react@19.2.15)': dependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 '@types/resolve@1.20.6': {} @@ -8852,12 +8839,12 @@ snapshots: dependencies: valibot: 1.2.0(typescript@6.0.2) - '@vitejs/plugin-react@6.0.1(@rolldown/plugin-babel@0.2.3(@babel/core@7.29.0)(@babel/runtime@7.26.10)(rolldown@1.0.0-rc.17)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)))(babel-plugin-react-compiler@1.0.0)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))': + '@vitejs/plugin-react@6.0.1(@rolldown/plugin-babel@0.2.3(@babel/core@7.29.7)(@babel/runtime@7.26.10)(rolldown@1.0.0-rc.17)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)))(babel-plugin-react-compiler@1.0.0)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))': dependencies: '@rolldown/pluginutils': 1.0.0-rc.7 vite: 8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3) optionalDependencies: - '@rolldown/plugin-babel': 0.2.3(@babel/core@7.29.0)(@babel/runtime@7.26.10)(rolldown@1.0.0-rc.17)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) + '@rolldown/plugin-babel': 0.2.3(@babel/core@7.29.7)(@babel/runtime@7.26.10)(rolldown@1.0.0-rc.17)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3)) babel-plugin-react-compiler: 1.0.0 '@vitest/browser-playwright@4.1.1(msw@2.4.8(typescript@6.0.2))(playwright@1.55.1)(vite@8.0.10(@types/node@20.19.39)(esbuild@0.25.12)(jiti@1.21.7)(yaml@2.8.3))(vitest@4.1.5)': @@ -8996,6 +8983,12 @@ snapshots: acorn@8.16.0: {} + agent-base@6.0.2: + dependencies: + debug: 4.4.3 + transitivePeerDependencies: + - supports-color + agent-base@7.1.4: {} ansi-escapes@4.3.2: @@ -9079,13 +9072,15 @@ snapshots: axe-core@4.11.1: {} - axios@1.15.2: + axios@1.16.1: dependencies: follow-redirects: 1.16.0 form-data: 4.0.4 + https-proxy-agent: 5.0.1 proxy-from-env: 2.1.0 transitivePeerDependencies: - debug + - supports-color babel-plugin-macros@3.1.0: dependencies: @@ -9299,14 +9294,14 @@ snapshots: clsx@2.1.1: {} - cmdk@1.1.1(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5): + cmdk@1.1.1(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6): dependencies: - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-dialog': 1.1.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-dialog': 1.1.15(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-id': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) transitivePeerDependencies: - '@types/react' - '@types/react-dom' @@ -9799,7 +9794,7 @@ snapshots: es-module-lexer@2.1.0: {} - es-object-atoms@1.1.1: + es-object-atoms@1.1.2: dependencies: es-errors: 1.3.0 @@ -9808,7 +9803,7 @@ snapshots: es-errors: 1.3.0 get-intrinsic: 1.3.0 has-tostringtag: 1.0.2 - hasown: 2.0.3 + hasown: 2.0.4 esbuild@0.25.12: optionalDependencies: @@ -9972,7 +9967,7 @@ snapshots: asynckit: 0.4.0 combined-stream: 1.0.8 es-set-tostringtag: 2.1.0 - hasown: 2.0.3 + hasown: 2.0.4 mime-types: 2.1.35 format@0.2.2: {} @@ -9981,14 +9976,14 @@ snapshots: dependencies: fd-package-json: 2.0.0 - formik@2.4.9(@types/react@19.2.14)(react@19.2.5): + formik@2.4.9(@types/react@19.2.15)(react@19.2.6): dependencies: - '@types/hoist-non-react-statics': 3.3.7(@types/react@19.2.14) + '@types/hoist-non-react-statics': 3.3.7(@types/react@19.2.15) deepmerge: 2.2.1 hoist-non-react-statics: 3.3.2 lodash: 4.18.1 lodash-es: 4.18.1 - react: 19.2.5 + react: 19.2.6 react-fast-compare: 2.0.4 tiny-warning: 1.0.3 tslib: 2.8.1 @@ -9999,15 +9994,15 @@ snapshots: fraction.js@5.3.4: {} - framer-motion@12.38.0(@emotion/is-prop-valid@1.4.0)(react-dom@19.2.5(react@19.2.5))(react@19.2.5): + framer-motion@12.38.0(@emotion/is-prop-valid@1.4.0)(react-dom@19.2.6(react@19.2.6))(react@19.2.6): dependencies: motion-dom: 12.38.0 motion-utils: 12.36.0 tslib: 2.8.1 optionalDependencies: '@emotion/is-prop-valid': 1.4.0 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) fresh@0.5.2: {} @@ -10042,12 +10037,12 @@ snapshots: call-bind-apply-helpers: 1.0.2 es-define-property: 1.0.1 es-errors: 1.3.0 - es-object-atoms: 1.1.1 + es-object-atoms: 1.1.2 function-bind: 1.1.2 get-proto: 1.0.1 gopd: 1.2.0 has-symbols: 1.1.0 - hasown: 2.0.3 + hasown: 2.0.4 math-intrinsics: 1.1.0 get-nonce@1.0.1: {} @@ -10055,7 +10050,7 @@ snapshots: get-proto@1.0.1: dependencies: dunder-proto: 1.0.1 - es-object-atoms: 1.1.1 + es-object-atoms: 1.1.2 glob-parent@5.1.2: dependencies: @@ -10100,7 +10095,7 @@ snapshots: dependencies: has-symbols: 1.1.0 - hasown@2.0.3: + hasown@2.0.4: dependencies: function-bind: 1.1.2 @@ -10240,6 +10235,13 @@ snapshots: transitivePeerDependencies: - supports-color + https-proxy-agent@5.0.1: + dependencies: + agent-base: 6.0.2 + debug: 4.4.3 + transitivePeerDependencies: + - supports-color + https-proxy-agent@7.0.6: dependencies: agent-base: 7.1.4 @@ -10275,7 +10277,7 @@ snapshots: internal-slot@1.0.6: dependencies: get-intrinsic: 1.3.0 - hasown: 2.0.3 + hasown: 2.0.4 side-channel: 1.1.0 internmap@1.0.1: {} @@ -10328,7 +10330,7 @@ snapshots: is-core-module@2.16.1: dependencies: - hasown: 2.0.3 + hasown: 2.0.4 is-date-object@1.0.5: dependencies: @@ -10640,15 +10642,17 @@ snapshots: lru-cache@11.2.4: {} + lru-cache@11.5.1: {} + lru-cache@5.1.1: dependencies: yallist: 3.1.1 lru_map@0.4.1: {} - lucide-react@0.555.0(react@19.2.5): + lucide-react@0.555.0(react@19.2.6): dependencies: - react: 19.2.5 + react: 19.2.6 luxon@3.3.0: {} @@ -11099,14 +11103,14 @@ snapshots: motion-utils@12.36.0: {} - motion@12.38.0(@emotion/is-prop-valid@1.4.0)(react-dom@19.2.5(react@19.2.5))(react@19.2.5): + motion@12.38.0(@emotion/is-prop-valid@1.4.0)(react-dom@19.2.6(react@19.2.6))(react@19.2.6): dependencies: - framer-motion: 12.38.0(@emotion/is-prop-valid@1.4.0)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + framer-motion: 12.38.0(@emotion/is-prop-valid@1.4.0)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) tslib: 2.8.1 optionalDependencies: '@emotion/is-prop-valid': 1.4.0 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) mrmime@2.0.1: {} @@ -11291,7 +11295,7 @@ snapshots: parse-json@5.2.0: dependencies: - '@babel/code-frame': 7.29.0 + '@babel/code-frame': 7.29.7 error-ex: 1.3.2 json-parse-even-better-errors: 2.3.1 lines-and-columns: 1.2.4 @@ -11455,15 +11459,15 @@ snapshots: property-information@7.1.0: {} - protobufjs@7.5.6: + protobufjs@7.6.1: dependencies: '@protobufjs/aspromise': 1.1.2 '@protobufjs/base64': 1.1.2 '@protobufjs/codegen': 2.0.5 - '@protobufjs/eventemitter': 1.1.0 - '@protobufjs/fetch': 1.1.0 + '@protobufjs/eventemitter': 1.1.1 + '@protobufjs/fetch': 1.1.1 '@protobufjs/float': 1.0.2 - '@protobufjs/inquire': 1.1.1 + '@protobufjs/inquire': 1.1.2 '@protobufjs/path': 1.1.2 '@protobufjs/pool': 1.1.0 '@protobufjs/utf8': 1.1.1 @@ -11489,68 +11493,68 @@ snapshots: queue-microtask@1.2.3: {} - radix-ui@1.4.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5): + radix-ui@1.4.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6): dependencies: '@radix-ui/primitive': 1.1.3 - '@radix-ui/react-accessible-icon': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-accordion': 1.2.12(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-alert-dialog': 1.1.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-arrow': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-aspect-ratio': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-avatar': 1.1.10(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-checkbox': 1.3.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-collapsible': 1.1.12(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-context-menu': 2.2.16(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-dialog': 1.1.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-direction': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-dropdown-menu': 2.1.16(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-focus-guards': 1.1.3(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-focus-scope': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-form': 0.1.8(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-hover-card': 1.1.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-label': 2.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-menu': 2.1.16(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-menubar': 1.1.16(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-navigation-menu': 1.2.14(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-one-time-password-field': 0.1.8(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-password-toggle-field': 0.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-popover': 1.1.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-popper': 1.2.8(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-progress': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-radio-group': 1.3.8(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-scroll-area': 1.2.10(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-select': 2.2.6(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-separator': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-slider': 1.3.6(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-slot': 1.2.3(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-switch': 1.2.6(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-tabs': 1.1.13(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-toast': 1.2.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-toggle': 1.1.10(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-toggle-group': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-toolbar': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-tooltip': 1.2.8(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-effect-event': 0.0.2(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-escape-keydown': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-is-hydrated': 0.1.0(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-use-size': 1.1.1(@types/react@19.2.14)(react@19.2.5) - '@radix-ui/react-visually-hidden': 1.2.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + '@radix-ui/react-accessible-icon': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-accordion': 1.2.12(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-alert-dialog': 1.1.15(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-arrow': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-aspect-ratio': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-avatar': 1.1.10(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-checkbox': 1.3.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-collapsible': 1.1.12(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context': 1.1.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-context-menu': 2.2.16(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-dialog': 1.1.15(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-direction': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-dropdown-menu': 2.1.16(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-focus-guards': 1.1.3(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-focus-scope': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-form': 0.1.8(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-hover-card': 1.1.15(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-label': 2.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-menu': 2.1.16(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-menubar': 1.1.16(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-navigation-menu': 1.2.14(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-one-time-password-field': 0.1.8(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-password-toggle-field': 0.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-popover': 1.1.15(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-popper': 1.2.8(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-progress': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-radio-group': 1.3.8(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-roving-focus': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-scroll-area': 1.2.10(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-select': 2.2.6(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-separator': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-slider': 1.3.6(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-slot': 1.2.3(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-switch': 1.2.6(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-tabs': 1.1.13(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-toast': 1.2.15(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-toggle': 1.1.10(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-toggle-group': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-toolbar': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-tooltip': 1.2.8(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-effect-event': 0.0.2(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-escape-keydown': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-is-hydrated': 0.1.0(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-use-size': 1.1.1(@types/react@19.2.15)(react@19.2.6) + '@radix-ui/react-visually-hidden': 1.2.3(@types/react-dom@19.2.3(@types/react@19.2.15))(@types/react@19.2.15)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 - '@types/react-dom': 19.2.3(@types/react@19.2.14) + '@types/react': 19.2.15 + '@types/react-dom': 19.2.3(@types/react@19.2.15) range-parser@1.2.1: {} @@ -11561,29 +11565,29 @@ snapshots: iconv-lite: 0.4.24 unpipe: 1.0.0 - react-color@2.19.3(react@19.2.5): + react-color@2.19.3(react@19.2.6): dependencies: - '@icons/material': 0.2.4(react@19.2.5) + '@icons/material': 0.2.4(react@19.2.6) lodash: 4.18.1 lodash-es: 4.18.1 material-colors: 1.2.6 prop-types: 15.8.1 - react: 19.2.5 - reactcss: 1.2.3(react@19.2.5) + react: 19.2.6 + reactcss: 1.2.3(react@19.2.6) tinycolor2: 1.6.0 - react-confetti@6.4.0(react@19.2.5): + react-confetti@6.4.0(react@19.2.6): dependencies: - react: 19.2.5 + react: 19.2.6 tween-functions: 1.2.0 - react-day-picker@9.14.0(react@19.2.5): + react-day-picker@9.14.0(react@19.2.6): dependencies: '@date-fns/tz': 1.4.1 '@tabby_ai/hijri-converter': 1.0.5 date-fns: 4.1.0 date-fns-jalali: 4.1.0-0 - react: 19.2.5 + react: 19.2.6 react-docgen-typescript@2.4.0(typescript@6.0.2): dependencies: @@ -11591,9 +11595,9 @@ snapshots: react-docgen@8.0.2: dependencies: - '@babel/core': 7.29.0 - '@babel/traverse': 7.29.0 - '@babel/types': 7.29.0 + '@babel/core': 7.29.7 + '@babel/traverse': 7.29.7 + '@babel/types': 7.29.7 '@types/babel__core': 7.20.5 '@types/babel__traverse': 7.28.0 '@types/doctrine': 0.0.9 @@ -11604,25 +11608,25 @@ snapshots: transitivePeerDependencies: - supports-color - react-dom@19.2.5(react@19.2.5): + react-dom@19.2.6(react@19.2.6): dependencies: - react: 19.2.5 + react: 19.2.6 scheduler: 0.27.0 - react-error-boundary@6.1.1(react@19.2.5): + react-error-boundary@6.1.1(react@19.2.6): dependencies: - react: 19.2.5 + react: 19.2.6 react-fast-compare@2.0.4: {} - react-infinite-scroll-component@7.1.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5): + react-infinite-scroll-component@7.1.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6): dependencies: - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) - react-inspector@6.0.2(react@19.2.5): + react-inspector@6.0.2(react@19.2.6): dependencies: - react: 19.2.5 + react: 19.2.6 react-is@16.13.1: {} @@ -11632,16 +11636,16 @@ snapshots: react-is@19.1.1: {} - react-markdown@9.1.0(@types/react@19.2.14)(react@19.2.5): + react-markdown@9.1.0(@types/react@19.2.15)(react@19.2.6): dependencies: '@types/hast': 3.0.4 '@types/mdast': 4.0.4 - '@types/react': 19.2.14 + '@types/react': 19.2.15 devlop: 1.1.0 hast-util-to-jsx-runtime: 2.3.6 html-url-attributes: 3.0.1 mdast-util-to-hast: 13.2.1 - react: 19.2.5 + react: 19.2.6 remark-parse: 11.0.0 remark-rehype: 11.1.2 unified: 11.0.5 @@ -11650,100 +11654,100 @@ snapshots: transitivePeerDependencies: - supports-color - react-remove-scroll-bar@2.3.8(@types/react@19.2.14)(react@19.2.5): + react-remove-scroll-bar@2.3.8(@types/react@19.2.15)(react@19.2.6): dependencies: - react: 19.2.5 - react-style-singleton: 2.2.3(@types/react@19.2.14)(react@19.2.5) + react: 19.2.6 + react-style-singleton: 2.2.3(@types/react@19.2.15)(react@19.2.6) tslib: 2.8.1 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - react-remove-scroll@2.7.1(@types/react@19.2.14)(react@19.2.5): + react-remove-scroll@2.7.1(@types/react@19.2.15)(react@19.2.6): dependencies: - react: 19.2.5 - react-remove-scroll-bar: 2.3.8(@types/react@19.2.14)(react@19.2.5) - react-style-singleton: 2.2.3(@types/react@19.2.14)(react@19.2.5) + react: 19.2.6 + react-remove-scroll-bar: 2.3.8(@types/react@19.2.15)(react@19.2.6) + react-style-singleton: 2.2.3(@types/react@19.2.15)(react@19.2.6) tslib: 2.8.1 - use-callback-ref: 1.3.3(@types/react@19.2.14)(react@19.2.5) - use-sidecar: 1.1.3(@types/react@19.2.14)(react@19.2.5) + use-callback-ref: 1.3.3(@types/react@19.2.15)(react@19.2.6) + use-sidecar: 1.1.3(@types/react@19.2.15)(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - react-resizable-panels@3.0.6(react-dom@19.2.5(react@19.2.5))(react@19.2.5): + react-resizable-panels@3.0.6(react-dom@19.2.6(react@19.2.6))(react@19.2.6): dependencies: - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) - react-router@7.12.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5): + react-router@7.12.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6): dependencies: cookie: 1.1.1 - react: 19.2.5 + react: 19.2.6 set-cookie-parser: 2.7.2 optionalDependencies: - react-dom: 19.2.5(react@19.2.5) + react-dom: 19.2.6(react@19.2.6) - react-smooth@4.0.4(react-dom@19.2.5(react@19.2.5))(react@19.2.5): + react-smooth@4.0.4(react-dom@19.2.6(react@19.2.6))(react@19.2.6): dependencies: fast-equals: 5.3.2 prop-types: 15.8.1 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) - react-transition-group: 4.4.5(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) + react-transition-group: 4.4.5(react-dom@19.2.6(react@19.2.6))(react@19.2.6) - react-style-singleton@2.2.3(@types/react@19.2.14)(react@19.2.5): + react-style-singleton@2.2.3(@types/react@19.2.15)(react@19.2.6): dependencies: get-nonce: 1.0.1 - react: 19.2.5 + react: 19.2.6 tslib: 2.8.1 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - react-syntax-highlighter@15.6.6(react@19.2.5): + react-syntax-highlighter@15.6.6(react@19.2.6): dependencies: '@babel/runtime': 7.26.10 highlight.js: 10.7.3 highlightjs-vue: 1.0.0 lowlight: 1.20.0 prismjs: 1.30.0 - react: 19.2.5 + react: 19.2.6 refractor: 3.6.0 - react-textarea-autosize@8.5.9(@types/react@19.2.14)(react@19.2.5): + react-textarea-autosize@8.5.9(@types/react@19.2.15)(react@19.2.6): dependencies: '@babel/runtime': 7.26.10 - react: 19.2.5 - use-composed-ref: 1.4.0(@types/react@19.2.14)(react@19.2.5) - use-latest: 1.3.0(@types/react@19.2.14)(react@19.2.5) + react: 19.2.6 + use-composed-ref: 1.4.0(@types/react@19.2.15)(react@19.2.6) + use-latest: 1.3.0(@types/react@19.2.15)(react@19.2.6) transitivePeerDependencies: - '@types/react' - react-transition-group@4.4.5(react-dom@19.2.5(react@19.2.5))(react@19.2.5): + react-transition-group@4.4.5(react-dom@19.2.6(react@19.2.6))(react@19.2.6): dependencies: '@babel/runtime': 7.26.10 dom-helpers: 5.2.1 loose-envify: 1.4.0 prop-types: 15.8.1 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) - react-virtualized-auto-sizer@1.0.26(react-dom@19.2.5(react@19.2.5))(react@19.2.5): + react-virtualized-auto-sizer@1.0.26(react-dom@19.2.6(react@19.2.6))(react@19.2.6): dependencies: - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) - react-window@1.8.11(react-dom@19.2.5(react@19.2.5))(react@19.2.5): + react-window@1.8.11(react-dom@19.2.6(react@19.2.6))(react@19.2.6): dependencies: '@babel/runtime': 7.26.10 memoize-one: 5.2.1 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) - react@19.2.5: {} + react@19.2.6: {} - reactcss@1.2.3(react@19.2.5): + reactcss@1.2.3(react@19.2.6): dependencies: lodash: 4.18.1 - react: 19.2.5 + react: 19.2.6 read-cache@1.0.0: dependencies: @@ -11783,15 +11787,15 @@ snapshots: dependencies: decimal.js-light: 2.5.1 - recharts@2.15.4(react-dom@19.2.5(react@19.2.5))(react@19.2.5): + recharts@2.15.4(react-dom@19.2.6(react@19.2.6))(react@19.2.6): dependencies: clsx: 2.1.1 eventemitter3: 4.0.7 lodash: 4.18.1 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) react-is: 18.3.1 - react-smooth: 4.0.4(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + react-smooth: 4.0.4(react-dom@19.2.6(react@19.2.6))(react@19.2.6) recharts-scale: 0.4.5 tiny-invariant: 1.3.3 victory-vendor: 36.9.2 @@ -12079,10 +12083,10 @@ snapshots: smol-toml@1.5.2: {} - sonner@2.0.7(react-dom@19.2.5(react@19.2.5))(react@19.2.5): + sonner@2.0.7(react-dom@19.2.6(react@19.2.6))(react@19.2.6): dependencies: - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) source-map-js@1.2.1: {} @@ -12122,21 +12126,21 @@ snapshots: dependencies: internal-slot: 1.0.6 - storybook-addon-remix-react-router@6.0.0(react-dom@19.2.5(react@19.2.5))(react-router@7.12.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5))(react@19.2.5)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)): + storybook-addon-remix-react-router@6.0.0(react-dom@19.2.6(react@19.2.6))(react-router@7.12.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6))(react@19.2.6)(storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)): dependencies: '@mjackson/form-data-parser': 0.4.0 compare-versions: 6.1.0 - react-inspector: 6.0.2(react@19.2.5) - react-router: 7.12.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5) - storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + react-inspector: 6.0.2(react@19.2.6) + react-router: 7.12.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6) + storybook: 10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6) optionalDependencies: - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) - storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.5(react@19.2.5))(react@19.2.5): + storybook@10.3.3(@testing-library/dom@10.4.0)(prettier@3.4.1)(react-dom@19.2.6(react@19.2.6))(react@19.2.6): dependencies: '@storybook/global': 5.0.0 - '@storybook/icons': 2.0.1(react-dom@19.2.5(react@19.2.5))(react@19.2.5) + '@storybook/icons': 2.0.1(react-dom@19.2.6(react@19.2.6))(react@19.2.6) '@testing-library/jest-dom': 6.9.1 '@testing-library/user-event': 14.6.1(@testing-library/dom@10.4.0) '@vitest/expect': 3.2.4 @@ -12145,7 +12149,7 @@ snapshots: open: 10.2.0 recast: 0.23.11 semver: 7.7.3 - use-sync-external-store: 1.6.0(react@19.2.5) + use-sync-external-store: 1.6.0(react@19.2.6) ws: 8.20.0 optionalDependencies: prettier: 3.4.1 @@ -12156,15 +12160,15 @@ snapshots: - react-dom - utf-8-validate - streamdown@2.5.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5): + streamdown@2.5.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6): dependencies: clsx: 2.1.1 hast-util-to-jsx-runtime: 2.3.6 html-url-attributes: 3.0.1 marked: 17.0.5 mermaid: 11.13.0 - react: 19.2.5 - react-dom: 19.2.5(react@19.2.5) + react: 19.2.6 + react-dom: 19.2.6(react@19.2.6) rehype-harden: 1.1.8 rehype-raw: 7.0.0 rehype-sanitize: 6.0.0 @@ -12389,12 +12393,12 @@ snapshots: ts-proto-descriptors@1.16.0: dependencies: long: 5.3.2 - protobufjs: 7.5.6 + protobufjs: 7.6.1 ts-proto@1.181.2: dependencies: case-anything: 2.1.13 - protobufjs: 7.5.6 + protobufjs: 7.6.1 ts-poet: 6.12.0 ts-proto-descriptors: 1.16.0 @@ -12518,43 +12522,43 @@ snapshots: querystringify: 2.2.0 requires-port: 1.0.0 - use-callback-ref@1.3.3(@types/react@19.2.14)(react@19.2.5): + use-callback-ref@1.3.3(@types/react@19.2.15)(react@19.2.6): dependencies: - react: 19.2.5 + react: 19.2.6 tslib: 2.8.1 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - use-composed-ref@1.4.0(@types/react@19.2.14)(react@19.2.5): + use-composed-ref@1.4.0(@types/react@19.2.15)(react@19.2.6): dependencies: - react: 19.2.5 + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - use-isomorphic-layout-effect@1.2.1(@types/react@19.2.14)(react@19.2.5): + use-isomorphic-layout-effect@1.2.1(@types/react@19.2.15)(react@19.2.6): dependencies: - react: 19.2.5 + react: 19.2.6 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - use-latest@1.3.0(@types/react@19.2.14)(react@19.2.5): + use-latest@1.3.0(@types/react@19.2.15)(react@19.2.6): dependencies: - react: 19.2.5 - use-isomorphic-layout-effect: 1.2.1(@types/react@19.2.14)(react@19.2.5) + react: 19.2.6 + use-isomorphic-layout-effect: 1.2.1(@types/react@19.2.15)(react@19.2.6) optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - use-sidecar@1.1.3(@types/react@19.2.14)(react@19.2.5): + use-sidecar@1.1.3(@types/react@19.2.15)(react@19.2.6): dependencies: detect-node-es: 1.1.0 - react: 19.2.5 + react: 19.2.6 tslib: 2.8.1 optionalDependencies: - '@types/react': 19.2.14 + '@types/react': 19.2.15 - use-sync-external-store@1.6.0(react@19.2.5): + use-sync-external-store@1.6.0(react@19.2.6): dependencies: - react: 19.2.5 + react: 19.2.6 util-deprecate@1.0.2: {} diff --git a/site/src/api/rbacresourcesGenerated.ts b/site/src/api/rbacresourcesGenerated.ts index 23bd95350c..15fd4a0f43 100644 --- a/site/src/api/rbacresourcesGenerated.ts +++ b/site/src/api/rbacresourcesGenerated.ts @@ -8,6 +8,11 @@ import type { RBACAction, RBACResource } from "./typesGenerated"; export const RBACResourceActions: Partial< Record>> > = { + ai_gateway_key: { + create: "create an AI Gateway key", + delete: "delete an AI Gateway key", + read: "read AI Gateway keys", + }, ai_model_price: { read: "read AI model prices", update: "update AI model prices", @@ -50,6 +55,11 @@ export const RBACResourceActions: Partial< create: "create new audit log entries", read: "read audit logs", }, + boundary_log: { + create: "create boundary log records", + delete: "delete boundary logs", + read: "read boundary logs and session metadata", + }, boundary_usage: { delete: "delete boundary usage statistics", read: "read boundary usage statistics", diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts index 11d33b28a8..a0aad00206 100644 --- a/site/src/api/typesGenerated.ts +++ b/site/src/api/typesGenerated.ts @@ -518,6 +518,10 @@ export interface APIKey { // From codersdk/apikey.go export type APIKeyScope = + | "ai_gateway_key:*" + | "ai_gateway_key:create" + | "ai_gateway_key:delete" + | "ai_gateway_key:read" | "ai_model_price:*" | "ai_model_price:read" | "ai_model_price:update" @@ -554,6 +558,10 @@ export type APIKeyScope = | "audit_log:*" | "audit_log:create" | "audit_log:read" + | "boundary_log:*" + | "boundary_log:create" + | "boundary_log:delete" + | "boundary_log:read" | "boundary_usage:*" | "boundary_usage:delete" | "boundary_usage:read" @@ -744,6 +752,10 @@ export type APIKeyScope = | "workspace:update_agent"; export const APIKeyScopes: APIKeyScope[] = [ + "ai_gateway_key:*", + "ai_gateway_key:create", + "ai_gateway_key:delete", + "ai_gateway_key:read", "ai_model_price:*", "ai_model_price:read", "ai_model_price:update", @@ -780,6 +792,10 @@ export const APIKeyScopes: APIKeyScope[] = [ "audit_log:*", "audit_log:create", "audit_log:read", + "boundary_log:*", + "boundary_log:create", + "boundary_log:delete", + "boundary_log:read", "boundary_usage:*", "boundary_usage:delete", "boundary_usage:read", @@ -1961,6 +1977,7 @@ export type ChatErrorKind = | "generic" | "missing_key" | "overloaded" + | "provider_disabled" | "rate_limit" | "startup_timeout" | "timeout" @@ -1972,6 +1989,7 @@ export const ChatErrorKinds: ChatErrorKind[] = [ "generic", "missing_key", "overloaded", + "provider_disabled", "rate_limit", "startup_timeout", "timeout", @@ -3230,8 +3248,9 @@ export interface ConvertLoginRequest { /** * CreateAIProviderRequest is the payload for creating a new AI * provider. Name and Type are required. APIKeys carries the plaintext - * keys for OpenAI/Anthropic providers; Bedrock providers authenticate - * via Settings and must omit APIKeys. + * keys for OpenAI/Anthropic providers; Bedrock and Copilot providers + * must omit APIKeys (Bedrock authenticates via Settings, Copilot via + * request-time GitHub OAuth tokens). */ export interface CreateAIProviderRequest { readonly type: AIProviderType; @@ -6862,6 +6881,7 @@ export const RBACActions: RBACAction[] = [ // From codersdk/rbacresources_gen.go export type RBACResource = + | "ai_gateway_key" | "ai_provider" | "ai_model_price" | "ai_seat" @@ -6870,6 +6890,7 @@ export type RBACResource = | "assign_org_role" | "assign_role" | "audit_log" + | "boundary_log" | "boundary_usage" | "chat" | "connection_log" @@ -6912,6 +6933,7 @@ export type RBACResource = | "workspace_proxy"; export const RBACResources: RBACResource[] = [ + "ai_gateway_key", "ai_provider", "ai_model_price", "ai_seat", @@ -6920,6 +6942,7 @@ export const RBACResources: RBACResource[] = [ "assign_org_role", "assign_role", "audit_log", + "boundary_log", "boundary_usage", "chat", "connection_log", @@ -7067,6 +7090,7 @@ export interface ResolveAutostartResponse { // From codersdk/audit.go export type ResourceType = + | "ai_gateway_key" | "ai_provider" | "ai_provider_key" | "ai_seat" @@ -7102,6 +7126,7 @@ export type ResourceType = | "workspace_proxy"; export const ResourceTypes: ResourceType[] = [ + "ai_gateway_key", "ai_provider", "ai_provider_key", "ai_seat", @@ -9148,6 +9173,16 @@ export interface UpsertGroupAIBudgetRequest { readonly spend_limit_micros: number; } +// From codersdk/aibridge.go +export interface UpsertUserAIBudgetOverrideRequest { + /** + * GroupID is the group the user's spend is attributed to. The user must + * be a member of this group. + */ + readonly group_id: string; + readonly spend_limit_micros: number; +} + // From codersdk/workspaceagentportshare.go export interface UpsertWorkspaceAgentPortShareRequest { readonly agent_name: string; @@ -9192,6 +9227,15 @@ export interface User extends ReducedUser { readonly has_ai_seat: boolean; } +// From codersdk/aibridge.go +export interface UserAIBudgetOverride { + readonly user_id: string; + readonly group_id: string; + readonly spend_limit_micros: number; + readonly created_at: string; + readonly updated_at: string; +} + // From codersdk/chats.go /** * UserAIProviderKeyConfig is a provider summary from the current user's diff --git a/site/src/modules/apps/apps.test.ts b/site/src/modules/apps/apps.test.ts index 146964af78..6f8bc73f67 100644 --- a/site/src/modules/apps/apps.test.ts +++ b/site/src/modules/apps/apps.test.ts @@ -129,7 +129,7 @@ describe("getAppHref", () => { path: "/path-base", }); expect(href).toBe( - `/path-base/@${MockWorkspace.owner_name}/Test-Workspace.a-workspace-agent/apps/${app.slug}/`, + `/path-base/@${MockWorkspace.owner_name}/test-workspace.a-workspace-agent/apps/${app.slug}/`, ); }); @@ -145,7 +145,7 @@ describe("getAppHref", () => { path: "", }); expect(href).toBe( - `/@${MockWorkspace.owner_name}/Test-Workspace.a-workspace-agent/terminal?app=${app.slug}`, + `/@${MockWorkspace.owner_name}/test-workspace.a-workspace-agent/terminal?app=${app.slug}`, ); }); @@ -177,7 +177,7 @@ describe("getAppHref", () => { path: "/path-base", }); expect(href).toBe( - `/path-base/@${MockWorkspace.owner_name}/Test-Workspace.a-workspace-agent/apps/${app.slug}/`, + `/path-base/@${MockWorkspace.owner_name}/test-workspace.a-workspace-agent/apps/${app.slug}/`, ); }); }); diff --git a/site/src/modules/resources/DownloadAgentLogsButton.stories.tsx b/site/src/modules/resources/DownloadAgentLogsButton.stories.tsx index 08f3f60e5d..b2c9114a46 100644 --- a/site/src/modules/resources/DownloadAgentLogsButton.stories.tsx +++ b/site/src/modules/resources/DownloadAgentLogsButton.stories.tsx @@ -34,7 +34,7 @@ export const ClickOnDownload: Story = { play: async ({ canvasElement, args }) => { const canvas = within(canvasElement); await userEvent.click( - canvas.getByRole("button", { name: "Download logs" }), + canvas.getByRole("button", { name: "Download agent logs" }), ); await waitFor(() => expect(args.download).toHaveBeenCalledWith( diff --git a/site/src/modules/resources/DownloadAgentLogsButton.tsx b/site/src/modules/resources/DownloadAgentLogsButton.tsx index 6850578897..fbc676d9d9 100644 --- a/site/src/modules/resources/DownloadAgentLogsButton.tsx +++ b/site/src/modules/resources/DownloadAgentLogsButton.tsx @@ -58,7 +58,7 @@ export const DownloadAgentLogsButton: FC = ({ }} > - {isDownloading ? "Downloading..." : "Download logs"} + {isDownloading ? "Downloading..." : "Download agent logs"} ); }; diff --git a/site/src/modules/resources/DownloadSelectedAgentLogsButton.tsx b/site/src/modules/resources/DownloadSelectedAgentLogsButton.tsx index 7aab6fd56c..16509cb568 100644 --- a/site/src/modules/resources/DownloadSelectedAgentLogsButton.tsx +++ b/site/src/modules/resources/DownloadSelectedAgentLogsButton.tsx @@ -63,7 +63,7 @@ export const DownloadSelectedAgentLogsButton: FC< > - {isDownloading ? "Downloading..." : "Download logs"} + {isDownloading ? "Downloading..." : "Download agent logs"} diff --git a/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsPageView.stories.tsx b/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsPageView.stories.tsx index 0c5f021969..ede9692b8e 100644 --- a/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsPageView.stories.tsx +++ b/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsPageView.stories.tsx @@ -92,6 +92,7 @@ export const MultipleSessions: Story = { ...MockSession, id: `session-${i}`, threads: i + 1, + providers: i % 2 === 0 ? ["anthropic", "openai"] : ["anthropic"], last_prompt: [ "But *can* I really fix it?", "Can you refactor the entire authentication module to use JWT tokens instead of session cookies?", diff --git a/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.stories.tsx b/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.stories.tsx index 1407977398..18db56d938 100644 --- a/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.stories.tsx +++ b/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.stories.tsx @@ -30,6 +30,33 @@ export const Default: Story = { }, }; +export const SingleProvider: Story = { + args: { + session: { + ...MockSession, + providers: ["anthropic"], + }, + }, +}; + +export const MultipleProviders: Story = { + args: { + session: { + ...MockSession, + providers: ["anthropic", "openai", "copilot"], + }, + }, +}; + +export const EmptyProviders: Story = { + args: { + session: { + ...MockSession, + providers: [], + }, + }, +}; + export const NullClient: Story = { args: { session: { ...MockSession, client: null }, diff --git a/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.tsx b/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.tsx index a630512b49..92dd035178 100644 --- a/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.tsx +++ b/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.tsx @@ -63,17 +63,23 @@ export const ListSessionsRow: FC = ({
- -
- -
- - {getProviderDisplayName(session.providers[0])} - - + {session.providers.length > 1 ? ( + + {session.providers.length} providers + + ) : session.providers.length === 1 ? ( + +
+ +
+ + {getProviderDisplayName(session.providers[0])} + + + ) : null}
diff --git a/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.stories.tsx b/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.stories.tsx index f7bbab9761..176f8fb9ed 100644 --- a/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.stories.tsx +++ b/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.stories.tsx @@ -1,4 +1,5 @@ import type { Meta, StoryObj } from "@storybook/react-vite"; +import { within } from "storybook/test"; import { reactRouterParameters } from "storybook-addon-remix-react-router"; import { withToaster } from "#/testHelpers/storybook"; import { addableProviders } from "../components/addableProviderTypes"; @@ -26,16 +27,38 @@ export const AddAnthropic: Story = { args: { provider: addableProviders.find((p) => p.value === "anthropic")!, }, + play: async ({ canvasElement }) => { + const canvas = within(canvasElement); + await canvas.findByText("Add an Anthropic provider"); + }, }; export const AddOpenAI: Story = { args: { provider: addableProviders.find((p) => p.value === "openai")!, }, + play: async ({ canvasElement }) => { + const canvas = within(canvasElement); + await canvas.findByText("Add an OpenAI provider"); + }, }; export const AddBedrock: Story = { args: { provider: addableProviders.find((p) => p.value === "bedrock")!, }, + play: async ({ canvasElement }) => { + const canvas = within(canvasElement); + await canvas.findByText("Add an AWS Bedrock provider"); + }, +}; + +export const AddCopilot: Story = { + args: { + provider: addableProviders.find((p) => p.value === "copilot")!, + }, + play: async ({ canvasElement }) => { + const canvas = within(canvasElement); + await canvas.findByText("Add a GitHub Copilot provider"); + }, }; diff --git a/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.tsx b/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.tsx index 6f21156077..dbdb31b36a 100644 --- a/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.tsx +++ b/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.tsx @@ -16,6 +16,9 @@ interface AddProviderPageViewProps { provider: AddableProvider; } +const indefiniteArticle = (word: string): string => + /^[aeiou]/i.test(word) ? "an" : "a"; + const AddProviderPageView: React.FC = ({ provider, }) => { @@ -38,7 +41,9 @@ const AddProviderPageView: React.FC = ({ size="lg" src={getProviderIcon(provider.value)} /> - {`Add a ${provider.label} provider`} + {`Add ${indefiniteArticle( + provider.label, + )} ${provider.label} provider`}

Configure connection details and credentials. diff --git a/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.stories.tsx b/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.stories.tsx index 15713428f9..4d212d2b14 100644 --- a/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.stories.tsx +++ b/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.stories.tsx @@ -5,6 +5,7 @@ import type { AIProvider } from "#/api/typesGenerated"; import { MockAIProviderAnthropic, MockAIProviderBedrock, + MockAIProviderCopilot, MockAIProviderOpenAI, } from "#/testHelpers/entities"; import { withToaster } from "#/testHelpers/storybook"; @@ -53,6 +54,21 @@ export const Bedrock: Story = { }, }; +// Copilot has no stored credential, so the edit form renders no API key +// field and keeps the immutable name disabled. +export const Copilot: Story = { + parameters: { + reactRouter: routingFor(`/ai/settings/${MockAIProviderCopilot.name}`), + ...seed(MockAIProviderCopilot), + }, + play: async ({ canvasElement }) => { + const canvas = within(canvasElement); + const name = await canvas.findByLabelText(/^name/i); + expect(name).toBeDisabled(); + expect(canvas.queryByLabelText(/api key/i)).not.toBeInTheDocument(); + }, +}; + // No seeded query: the page renders the loader while useQuery fetches. export const Loading: Story = { parameters: { diff --git a/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.tsx b/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.tsx index dbeb16003d..9991c3b8f6 100644 --- a/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.tsx +++ b/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.tsx @@ -43,8 +43,12 @@ const UpdateProviderPageView: React.FC = () => { }); const provider = providerQuery.data; - const providerIsOpenAiAnthropic = - provider !== undefined && !isBedrockProvider(provider); + // Copilot has no stored credential, and Bedrock keeps its secrets in + // settings, so only the remaining types surface the api_keys UI. + const providerUsesApiKeys = + provider !== undefined && + !isBedrockProvider(provider) && + provider.type !== "copilot"; const updateMutation = useMutation( updateAIProviderMutation(queryClient, providerId ?? ""), @@ -109,8 +113,8 @@ const UpdateProviderPageView: React.FC = () => { } const openAiAnthropicSavedApiKey = - providerIsOpenAiAnthropic && provider.api_keys.length > 0; - const openAiAnthropicMaskedApiKey = providerIsOpenAiAnthropic + providerUsesApiKeys && provider.api_keys.length > 0; + const openAiAnthropicMaskedApiKey = providerUsesApiKeys ? provider.api_keys[0]?.masked : undefined; diff --git a/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.stories.tsx b/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.stories.tsx index 8fda28fae2..181a786a32 100644 --- a/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.stories.tsx +++ b/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.stories.tsx @@ -64,6 +64,38 @@ export const EditBedrockKeepCredentials: Story = { }, }; +export const AddCopilot: Story = { + args: { + // The real add flow passes only the type; the form fills name and + // endpoint from the copilot defaults. + initialValues: { type: "copilot" }, + }, + play: async ({ canvasElement }) => { + const canvas = within(canvasElement); + await canvas.findByLabelText(/endpoint/i); + expect(canvas.queryByLabelText(/api key/i)).not.toBeInTheDocument(); + }, +}; + +export const EditCopilot: Story = { + args: { + editing: true, + initialValues: { + type: "copilot", + name: "copilot", + displayName: "GitHub Copilot", + baseUrl: "https://api.business.githubcopilot.com", + enabled: true, + }, + }, + play: async ({ canvasElement }) => { + const canvas = within(canvasElement); + const name = await canvas.findByLabelText(/^name/i); + expect(name).toBeDisabled(); + expect(canvas.queryByLabelText(/api key/i)).not.toBeInTheDocument(); + }, +}; + export const EditProvider: Story = { args: { editing: true, diff --git a/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.tsx b/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.tsx index 0a609de2ac..7468d39b86 100644 --- a/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.tsx +++ b/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.tsx @@ -81,6 +81,10 @@ const providerDefaults: Partial< name: "azure", baseUrl: "https://YOUR-RESOURCE.openai.azure.com/openai/v1", }, + copilot: { + name: "copilot", + baseUrl: "https://api.business.githubcopilot.com", + }, google: { name: "google", baseUrl: "https://generativelanguage.googleapis.com/v1beta/openai/", @@ -164,6 +168,20 @@ const makeBedrockSchema = (editing: boolean) => enabled: Yup.boolean(), }); +const makeCopilotSchema = (editing: boolean) => + Yup.object({ + type: Yup.string() + .oneOf(["copilot"] as const) + .required(), + name: makeNameSchema(editing), + displayName: makeDisplayNameSchema(editing), + baseUrl: Yup.string() + .url("Endpoint must be a valid URL") + .matches(HTTP_SCHEME_REGEX, "Endpoint must use http or https.") + .required("Endpoint is required"), + enabled: Yup.boolean(), + }); + const getProviderFormSchema = (editing: boolean) => Yup.lazy((value: { type?: AIProviderType } | undefined) => { switch (value?.type) { @@ -177,6 +195,8 @@ const getProviderFormSchema = (editing: boolean) => return makeOpenAiAnthropicSchema(editing); case "bedrock": return makeBedrockSchema(editing); + case "copilot": + return makeCopilotSchema(editing); default: return Yup.object({ type: Yup.string() @@ -185,6 +205,7 @@ const getProviderFormSchema = (editing: boolean) => "anthropic", "bedrock", "azure", + "copilot", "google", "openai-compat", "openrouter", @@ -319,18 +340,38 @@ export const ProviderForm: FC = ({ required field={getFieldHelpers("baseUrl")} label="Endpoint" - description="The base URL where the provider's API is hosted." + description={ + typeSelectValue === "copilot" ? ( + <> + The base URL for your Copilot tier:{" "} + https://api.individual.githubcopilot.com,{" "} + https://api.business.githubcopilot.com, or{" "} + https://api.enterprise.githubcopilot.com. + + ) : ( + "The base URL where the provider's API is hosted." + ) + } className="w-full" placeholder={baseUrlPlaceholder(form.values.type)} /> - handleCredentialFocus("apiKey")} - autoComplete="new-password" - placeholder={apiKeyPlaceholder(form.values.type)} - /> + {typeSelectValue === "copilot" ? ( +

+ Copilot authenticates with each user's GitHub OAuth token at + request time, so there is no API key to configure here. This + requires a GitHub external authentication provider to be + configured. +

+ ) : ( + handleCredentialFocus("apiKey")} + autoComplete="new-password" + placeholder={apiKeyPlaceholder(form.values.type)} + /> + )} )} @@ -409,7 +450,7 @@ export const ProviderForm: FC = ({ ); @@ -233,18 +235,28 @@ const ToolBadge: FC<{ return ( - - {badge.statusIcon} - {badge.name} - + + {badge.statusIcon} + {badge.name} + + {onRemoveWorkspace && ( + + )} + {badge.statusLabel} @@ -491,10 +503,12 @@ export const AgentChatInput: FC = ({ const selectedWorkspace = workspaceOptions?.find( (ws) => ws.id === selectedWorkspaceId, ); + const canUseWorkspacePicker = + Boolean(onWorkspaceChange) && !isWorkspaceLoading; + const linkedWorkspaceId = workspace?.id ?? attachedWorkspace?.id; const shouldShowSelectedWorkspaceBadge = selectedWorkspace - ? Boolean(onWorkspaceChange) && - selectedWorkspace.id !== attachedWorkspace?.id + ? selectedWorkspace.id !== linkedWorkspaceId : false; const enabledMcpServers = mcpServers?.filter((s) => s.enabled) ?? []; @@ -529,6 +543,9 @@ export const AgentChatInput: FC = ({ const overflowBadges = allBadges.slice(visibleCount); const handleRemoveWorkspace = () => onWorkspaceChange?.(null); + const removeWorkspaceHandler = onWorkspaceChange + ? handleRemoveWorkspace + : undefined; const handleRemoveMcp = (serverId: string) => handleMcpToggle(serverId, false); @@ -1128,7 +1145,9 @@ export const AgentChatInput: FC = ({ variant="subtle" size="icon" className="size-7 shrink-0 rounded-full [&>svg]:!size-icon-sm [&>svg]:p-0" - disabled={isDisabled && !agentSetupNotice} + disabled={ + isDisabled && !agentSetupNotice && !canUseWorkspacePicker + } aria-label="More options" > @@ -1197,7 +1216,7 @@ export const AgentChatInput: FC = ({ (isBelowMdViewport() ? ( + )} + + + + = ({ "sm:[mask-image:none] sm:[-webkit-mask-image:none]", )} > -
-
-

- Chats -

-
- - - - - - - - {getOSKey()} - K - - Search chats - - - - -
-
+
{loadError ? (
diff --git a/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchDialog.stories.tsx b/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchDialog.stories.tsx index 523c0f6266..24ffe62b86 100644 --- a/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchDialog.stories.tsx +++ b/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchDialog.stories.tsx @@ -91,6 +91,7 @@ const meta: Meta = { args: { open: true, onOpenChange: fn(), + recentChats: mockChats, location: { pathname: "/agents", search: "", @@ -106,6 +107,8 @@ const meta: Meta = { { path: "/agents", useStoryElement: true }, { path: "/agents/:agentId", useStoryElement: true }, { path: "/agents/settings", useStoryElement: true }, + { path: "/agents/settings/personal-skills", useStoryElement: true }, + { path: "/agents/analytics", useStoryElement: true }, ], }), }, @@ -188,6 +191,13 @@ export const RefreshingResults: Story = { // spinner were always visible. expect(body.queryByLabelText("Searching chats")).not.toBeInTheDocument(); + // Ensure the first debounced API call has been registered before + // clearing, so the clear+retype cycle triggers a distinct second call + // rather than coalescing within a single debounce window. + await waitFor(() => { + expect(API.experimental.getChats).toHaveBeenCalledTimes(1); + }); + await userEvent.clear(searchInput); await userEvent.type(searchInput, "review"); @@ -338,3 +348,197 @@ export const ErrorState: Story = { await expect(await body.findByRole("alert")).toBeInTheDocument(); }, }; + +export const ErrorStateWithStackTrace: Story = { + beforeEach: () => { + const err = new Error( + "NetworkError: Failed to fetch chats from the server API endpoint /api/v2/chats", + ); + err.stack = [ + "Error: NetworkError: Failed to fetch chats from the server API endpoint /api/v2/chats", + " at fetchChats (http://localhost:6006/src/api/queries/chats.ts:42:11)", + " at async queryFn (http://localhost:6006/src/api/queries/chats.ts:58:14)", + " at async Object.fetchQuery (http://localhost:6006/node_modules/@tanstack/react-query/src/queryClient.ts:198:16)", + " at async ChatSearchDialogContent (http://localhost:6006/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchDialog.tsx:180:20)", + " at async renderWithHooks (http://localhost:6006/node_modules/react-dom/cjs/react-dom.development.js:14985:18)", + " at async mountIndeterminateComponent (http://localhost:6006/node_modules/react-dom/cjs/react-dom.development.js:17811:13)", + " at async beginWork (http://localhost:6006/node_modules/react-dom/cjs/react-dom.development.js:19049:16)", + ].join("\n"); + spyOn(API.experimental, "getChats").mockRejectedValue(err); + }, + play: async () => { + const body = within(document.body); + await userEvent.type( + body.getByRole("combobox", { name: "Search chats" }), + "title:", + ); + const alert = await body.findByRole("alert"); + await expect(alert).toBeInTheDocument(); + + // Open the stack trace details and verify it stays contained. + const details = body.getByText("Stack Trace"); + await userEvent.click(details); + await expect(body.getByText(/fetchChats/)).toBeInTheDocument(); + }, +}; + +// --------------------------------------------------------------------------- +// Interaction states: default view, filter pills, dropdown. +// --------------------------------------------------------------------------- + +export const DefaultViewWithRecentChats: Story = { + play: async () => { + const body = within(document.body); + await expect(await body.findByText("Recent chats")).toBeInTheDocument(); + await expect( + body.getByText("Fix race condition in auth middleware"), + ).toBeInTheDocument(); + }, +}; + +export const FilterDropdownOnFocus: Story = { + play: async () => { + const body = within(document.body); + const toggleButton = body.getByRole("button", { name: "Toggle filters" }); + + await userEvent.click(toggleButton); + await expect(await body.findByText("Filter by")).toBeInTheDocument(); + await expect(body.getByText("Unread")).toBeInTheDocument(); + await expect(body.getByText("Archived")).toBeInTheDocument(); + await expect(body.getByText("PR status")).toBeInTheDocument(); + await expect(body.getByText("Diff URL")).toBeInTheDocument(); + }, +}; + +export const BooleanFilterPill: Story = { + play: async () => { + const body = within(document.body); + const toggleButton = body.getByRole("button", { name: "Toggle filters" }); + + await userEvent.click(toggleButton); + await userEvent.click(await body.findByText("Unread")); + + await expect(await body.findByText("has_unread:true")).toBeInTheDocument(); + await expect( + body.getByRole("button", { name: "Remove has_unread filter" }), + ).toBeInTheDocument(); + + await waitFor(() => { + expect(API.experimental.getChats).toHaveBeenCalledWith({ + limit: CHAT_SEARCH_LIMIT, + q: "has_unread:true", + }); + }); + }, +}; + +export const ParameterizedFilterPill: Story = { + beforeEach: () => { + spyOn(API.experimental, "getChats").mockResolvedValue(mockChats); + }, + play: async () => { + const body = within(document.body); + const searchInput = body.getByRole("combobox", { name: "Search chats" }); + const toggleButton = body.getByRole("button", { name: "Toggle filters" }); + + await userEvent.click(toggleButton); + await userEvent.click(await body.findByText("PR status")); + + await expect(await body.findByText("pr_status:")).toBeInTheDocument(); + + await userEvent.click(searchInput); + await userEvent.type(searchInput, "open "); + + await expect(await body.findByText("pr_status:open")).toBeInTheDocument(); + + await waitFor(() => { + expect(API.experimental.getChats).toHaveBeenCalledWith({ + limit: CHAT_SEARCH_LIMIT, + q: "pr_status:open", + }); + }); + }, +}; + +export const ParameterizedFilterPillEnterCommit: Story = { + beforeEach: () => { + spyOn(API.experimental, "getChats").mockResolvedValue(mockChats); + }, + play: async () => { + const body = within(document.body); + const searchInput = body.getByRole("combobox", { name: "Search chats" }); + const toggleButton = body.getByRole("button", { name: "Toggle filters" }); + + await userEvent.click(toggleButton); + await userEvent.click(await body.findByText("PR status")); + + await expect(await body.findByText("pr_status:")).toBeInTheDocument(); + + await userEvent.click(searchInput); + await userEvent.type(searchInput, "closed"); + await userEvent.keyboard("{Enter}"); + + await expect(await body.findByText("pr_status:closed")).toBeInTheDocument(); + + await waitFor(() => { + expect(API.experimental.getChats).toHaveBeenCalledWith({ + limit: CHAT_SEARCH_LIMIT, + q: "pr_status:closed", + }); + }); + }, +}; + +export const BackspaceRemovesFilter: Story = { + play: async () => { + const body = within(document.body); + const searchInput = body.getByRole("combobox", { name: "Search chats" }); + const toggleButton = body.getByRole("button", { name: "Toggle filters" }); + + await userEvent.click(toggleButton); + await userEvent.click(await body.findByText("Unread")); + await expect(await body.findByText("has_unread:true")).toBeInTheDocument(); + + await userEvent.click(searchInput); + await userEvent.keyboard("{Backspace}"); + await waitFor(() => { + expect(body.queryByText("has_unread:true")).not.toBeInTheDocument(); + }); + }, +}; + +export const TypedFilterAutoDetection: Story = { + play: async () => { + const body = within(document.body); + const searchInput = body.getByRole("combobox", { name: "Search chats" }); + + await userEvent.type(searchInput, "has_unread:true "); + + await expect(await body.findByText("has_unread:true")).toBeInTheDocument(); + await expect( + body.getByRole("button", { name: "Remove has_unread filter" }), + ).toBeInTheDocument(); + }, +}; + +export const CombinedFilterAndText: Story = { + play: async () => { + const body = within(document.body); + const searchInput = body.getByRole("combobox", { name: "Search chats" }); + const toggleButton = body.getByRole("button", { name: "Toggle filters" }); + + await userEvent.click(toggleButton); + await userEvent.click(await body.findByText("Unread")); + await expect(await body.findByText("has_unread:true")).toBeInTheDocument(); + + await userEvent.click(searchInput); + await userEvent.type(searchInput, "Fix"); + + await waitFor(() => { + expect(API.experimental.getChats).toHaveBeenCalledWith({ + limit: CHAT_SEARCH_LIMIT, + q: 'has_unread:true title:"Fix"', + }); + }); + }, +}; diff --git a/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchDialog.tsx b/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchDialog.tsx index 912fe40271..25aa41dca7 100644 --- a/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchDialog.tsx +++ b/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchDialog.tsx @@ -1,18 +1,72 @@ +import { + ArchiveIcon, + CircleDotIcon, + FileTextIcon, + LinkIcon, +} from "lucide-react"; import type { FC, RefObject } from "react"; -import { type KeyboardEventHandler, useId, useRef, useState } from "react"; +import { + type KeyboardEventHandler, + useId, + useMemo, + useRef, + useState, +} from "react"; import { keepPreviousData, useQuery } from "react-query"; import { type Location, useNavigate } from "react-router"; import { chatSearch } from "#/api/queries/chats"; +import type { Chat } from "#/api/typesGenerated"; +import { Button } from "#/components/Button/Button"; import { Dialog, DialogContent, DialogTitle } from "#/components/Dialog/Dialog"; import { useDebouncedValue } from "#/hooks/debounce"; -import { ChatSearchInput } from "./ChatSearchInput"; +import { ChatSearchInput, type SearchFilter } from "./ChatSearchInput"; import { ChatSearchResults } from "./ChatSearchResults"; import { normalizeChatSearchInput } from "./searchQuery"; +// Filter definitions. Filters with a defaultValue are inserted as complete +// pills (e.g. has_unread:true). Filters without one are inserted as +// incomplete pills so the user can type the value. +type FilterDefinition = { + readonly key: string; + readonly label: string; + readonly icon: FC<{ className?: string }>; + readonly defaultValue: string | null; +}; + +const FILTER_DEFINITIONS: readonly FilterDefinition[] = [ + { + key: "has_unread", + label: "Unread", + icon: CircleDotIcon, + defaultValue: "true", + }, + { + key: "archived", + label: "Archived", + icon: ArchiveIcon, + defaultValue: "true", + }, + { + key: "pr_status", + label: "PR status", + icon: FileTextIcon, + defaultValue: null, + }, + { key: "diff_url", label: "Diff URL", icon: LinkIcon, defaultValue: null }, +]; + +// Set of recognized filter keys for detecting typed filter patterns +// (e.g. "has_unread:true" typed directly into the input). Derived from +// FILTER_DEFINITIONS; the backend equivalent lives in searchQuery.ts as +// passthroughChatSearchFilterKeys. +const KNOWN_FILTER_KEYS = new Set(FILTER_DEFINITIONS.map((def) => def.key)); + type ChatSearchDialogProps = { readonly open: boolean; readonly onOpenChange: (open: boolean) => void; + readonly focusInputOnOpen?: boolean; readonly location: Location; + readonly recentChats?: readonly Chat[]; }; const SEARCH_DEBOUNCE_MS = 500; @@ -20,13 +74,17 @@ const SEARCH_DEBOUNCE_MS = 500; export const ChatSearchDialog: FC = ({ open, onOpenChange, + focusInputOnOpen = true, location, + recentChats = [], }) => { + const contentRef = useRef(null); const inputRef = useRef(null); return ( = ({ // dialog resizing visibly as results stream in. style={{ animation: "none", transition: "none" }} aria-describedby={undefined} + tabIndex={-1} + // When opened from the mobile sidebar button, skip autofocusing + // the input so the virtual keyboard doesn't push the dialog + // off-screen. Focus the dialog container instead to keep the + // element in the accessibility tree. onOpenAutoFocus={(event) => { + if (focusInputOnOpen) { + return; + } event.preventDefault(); - requestAnimationFrame(() => { - inputRef.current?.focus(); - }); + contentRef.current?.focus({ preventScroll: true }); }} > = ({ onOpenChange={onOpenChange} location={location} inputRef={inputRef} + recentChats={recentChats} /> ); }; -type ChatSearchDialogContentProps = ChatSearchDialogProps & { +type ChatSearchDialogContentProps = Omit< + ChatSearchDialogProps, + "focusInputOnOpen" +> & { readonly inputRef: RefObject; }; +// Build a raw query string from structured filters + freeform text, then +// normalize it through the existing parser that the backend expects. +const buildQuery = ( + filters: readonly SearchFilter[], + freeText: string, +): string | undefined => { + const parts: string[] = []; + for (const f of filters) { + if (f.value !== null && f.value !== "") { + // Strip internal quotes before wrapping so the resulting + // key:"value" token stays well-formed for the backend. + const stripped = f.value.replaceAll('"', ""); + const v = stripped.includes(" ") ? `"${stripped}"` : stripped; + parts.push(`${f.key}:${v}`); + } + } + if (freeText.trim()) { + parts.push(freeText.trim()); + } + const raw = parts.join(" "); + return normalizeChatSearchInput(raw); +}; + const ChatSearchDialogContent: FC = ({ open, onOpenChange, location, inputRef, + recentChats = [], }) => { const navigate = useNavigate(); - const [inputValue, setInputValue] = useState(""); + const [filters, setFilters] = useState([]); + const [freeText, setFreeText] = useState(""); + // Tracks the key of a parameterized filter being typed (e.g. "pr_status"). + // While set, freeText holds the in-progress value and the pill shows as + // incomplete (dashed border). Space or Enter commits the value. + const [incompleteFilterKey, setIncompleteFilterKey] = useState( + null, + ); + const [isDropdownOpen, setIsDropdownOpen] = useState(false); const [selectedChatIndex, setSelectedChatIndex] = useState< number | undefined >(undefined); const listboxId = useId(); - const debouncedInput = useDebouncedValue(inputValue, SEARCH_DEBOUNCE_MS); - const normalizedQuery = normalizeChatSearchInput(debouncedInput); - const hasQuery = inputValue.trim() !== "" && normalizedQuery !== undefined; + + // Build the full filter list for query building. When an incomplete filter + // has text, include it so debounced search can run against partial values. + const effectiveFilters = useMemo( + () => + incompleteFilterKey && freeText.trim() + ? [...filters, { key: incompleteFilterKey, value: freeText.trim() }] + : filters, + [filters, incompleteFilterKey, freeText], + ); + const hasActiveSearch = effectiveFilters.length > 0 || freeText.trim() !== ""; + + const debouncedFreeText = useDebouncedValue(freeText, SEARCH_DEBOUNCE_MS); + const debouncedFilters = useDebouncedValue( + effectiveFilters, + SEARCH_DEBOUNCE_MS, + ); + // When typing into an incomplete filter, only send the filter (not + // freeText as bare title search). + // When freeText is cleared (e.g. after committing a filter), zero + // queryFreeText immediately instead of waiting for the debounce to + // flush. Otherwise the stale debouncedFreeText leaks into the query. + const queryFreeText = + incompleteFilterKey || !freeText.trim() ? "" : debouncedFreeText; + const normalizedQuery = buildQuery(debouncedFilters, queryFreeText); + const hasQuery = hasActiveSearch && normalizedQuery !== undefined; const searchQuery = useQuery({ ...chatSearch(normalizedQuery ?? ""), @@ -85,14 +208,21 @@ const ChatSearchDialogContent: FC = ({ placeholderData: keepPreviousData, }); - const resultCount = searchQuery.data?.length ?? 0; + // Use search results count when a query is active, otherwise count + // recent chats so keyboard navigation works in the default view too. + const recentChatsSlice = (recentChats ?? []).slice(0, 10); + const resultCount = hasQuery + ? (searchQuery.data?.length ?? 0) + : recentChatsSlice.length; const safeSelectedChatIndex = selectedChatIndex !== undefined && selectedChatIndex < resultCount ? selectedChatIndex : undefined; const selectedChat = safeSelectedChatIndex !== undefined - ? searchQuery.data?.[safeSelectedChatIndex] + ? hasQuery + ? searchQuery.data?.[safeSelectedChatIndex] + : recentChatsSlice[safeSelectedChatIndex] : undefined; const activeResultId = safeSelectedChatIndex !== undefined @@ -109,9 +239,130 @@ const ChatSearchDialogContent: FC = ({ searchQuery.isFetching && searchQuery.isPlaceholderData && !showResultsLoading; + + const commitIncompleteFilter = () => { + if (incompleteFilterKey && freeText.trim()) { + setFilters((prev) => [ + ...prev, + { key: incompleteFilterKey, value: freeText.trim() }, + ]); + setFreeText(""); + setIncompleteFilterKey(null); + } + }; + + const addFilter = (def: FilterDefinition) => { + if ( + filters.some((f) => f.key === def.key) || + incompleteFilterKey === def.key + ) { + return; + } + commitIncompleteFilter(); + + if (def.defaultValue !== null) { + setFilters((prev) => [ + ...prev, + { key: def.key, value: def.defaultValue }, + ]); + } else { + setIncompleteFilterKey(def.key); + setFreeText(""); + } + setIsDropdownOpen(false); + setSelectedChatIndex(undefined); + requestAnimationFrame(() => inputRef.current?.focus()); + }; + + const removeFilter = (key: string) => { + if (incompleteFilterKey === key) { + setIncompleteFilterKey(null); + setFreeText(""); + } else { + setFilters((prev) => prev.filter((f) => f.key !== key)); + } + setSelectedChatIndex(undefined); + requestAnimationFrame(() => inputRef.current?.focus()); + }; + + const handleInputChange = (value: string) => { + setFreeText(value); + setSelectedChatIndex(undefined); + }; + + // Build the display filters for ChatSearchInput: completed filters plus + // the incomplete one (shown with dashed border). + const displayFilters: SearchFilter[] = incompleteFilterKey + ? [...filters, { key: incompleteFilterKey, value: null }] + : filters; + const handleInputKeyDown: KeyboardEventHandler = ( event, ) => { + if ( + (event.key === " " || event.key === "Enter") && + incompleteFilterKey && + freeText.trim() + ) { + event.preventDefault(); + commitIncompleteFilter(); + return; + } + + if ( + (event.key === " " || event.key === "Enter") && + !incompleteFilterKey && + freeText.trim() + ) { + const activeKeys = new Set(filters.map((f) => f.key)); + const tokens = freeText.trim().split(/\s+/); + const newFilters: SearchFilter[] = []; + const remaining: string[] = []; + + for (const token of tokens) { + const colonIndex = token.indexOf(":"); + if (colonIndex > 0 && colonIndex < token.length - 1) { + const key = token.slice(0, colonIndex); + const val = token.slice(colonIndex + 1); + if (KNOWN_FILTER_KEYS.has(key)) { + // Drop duplicate filter keys silently instead of + // letting them fall through to freeform text. + if (!activeKeys.has(key)) { + newFilters.push({ key, value: val }); + activeKeys.add(key); + } + continue; + } + } + remaining.push(token); + } + + if (newFilters.length > 0) { + event.preventDefault(); + setFilters((prev) => [...prev, ...newFilters]); + setFreeText(remaining.join(" ")); + return; + } + } + + if (event.key === "Backspace" && freeText === "") { + if (incompleteFilterKey) { + setIncompleteFilterKey(null); + return; + } + if (filters.length > 0) { + const lastFilter = filters[filters.length - 1]; + removeFilter(lastFilter.key); + return; + } + } + + if (event.key === "Escape" && isDropdownOpen) { + setIsDropdownOpen(false); + event.stopPropagation(); + return; + } + if (event.key === "ArrowDown" || event.key === "ArrowUp") { if (resultCount === 0) { return; @@ -145,21 +396,38 @@ const ChatSearchDialogContent: FC = ({ return ( <> Search chats - 0} - inputRef={inputRef} - listboxId={listboxId} - value={inputValue} - onChange={(event) => { - setInputValue(event.target.value); - setSelectedChatIndex(undefined); + {/* Wrap input + dropdown so onBlur on the container closes + the dropdown, but clicks within the dropdown (which is + inside the same container) don't trigger blur. */} +
{ + if (!e.currentTarget.contains(e.relatedTarget)) { + setIsDropdownOpen(false); + } }} - onKeyDown={handleInputKeyDown} - /> + > + 0} + inputRef={inputRef} + listboxId={listboxId} + filters={displayFilters} + value={freeText} + onChange={(event) => handleInputChange(event.target.value)} + onKeyDown={handleInputKeyDown} + onRemoveFilter={removeFilter} + isDropdownOpen={isDropdownOpen} + onToggleDropdown={() => setIsDropdownOpen((prev) => !prev)} + /> + {isDropdownOpen && ( + + )} +
= ({ selectedChatIndex={safeSelectedChatIndex} showLoading={showResultsLoading} isRefreshing={isRefreshing} - onSelectChat={closeDialog} + onDismiss={closeDialog} /> ); }; + +// --------------------------------------------------------------------------- +// Filter dropdown: appears on focus, shows clickable filter chips. +// --------------------------------------------------------------------------- + +const FilterDropdown: FC<{ + readonly filters: readonly SearchFilter[]; + readonly onSelectFilter: (def: FilterDefinition) => void; +}> = ({ filters, onSelectFilter }) => { + const activeKeys = new Set(filters.map((f) => f.key)); + + return ( +
+

+ Filter by +

+
+ {FILTER_DEFINITIONS.map((def) => { + const Icon = def.icon; + const isActive = activeKeys.has(def.key); + return ( + + ); + })} +
+
+ ); +}; diff --git a/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchInput.tsx b/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchInput.tsx index 1d5cc66dc0..b134f8854b 100644 --- a/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchInput.tsx +++ b/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchInput.tsx @@ -1,20 +1,29 @@ -import { SearchIcon } from "lucide-react"; +import { ListFilterIcon, SearchIcon, XIcon } from "lucide-react"; import type { ChangeEventHandler, FC, KeyboardEventHandler, RefObject, } from "react"; -import { Input } from "#/components/Input/Input"; +import { cn } from "#/utils/cn"; + +export type SearchFilter = { + readonly key: string; + readonly value: string | null; +}; type ChatSearchInputProps = { readonly activeResultId: string | undefined; readonly hasResults: boolean; readonly inputRef: RefObject; readonly listboxId: string; + readonly filters: readonly SearchFilter[]; readonly value: string; readonly onChange: ChangeEventHandler; readonly onKeyDown: KeyboardEventHandler; + readonly onRemoveFilter: (key: string) => void; + readonly isDropdownOpen: boolean; + readonly onToggleDropdown: () => void; }; export const ChatSearchInput: FC = ({ @@ -22,20 +31,58 @@ export const ChatSearchInput: FC = ({ hasResults, inputRef, listboxId, + filters, value, onChange, onKeyDown, + onRemoveFilter, + isDropdownOpen, + onToggleDropdown, }) => { + const completedFilters = filters.filter((f) => f.value !== null); + const incompleteFilter = filters.find((f) => f.value === null); + return ( -
- - + + {completedFilters.map((f) => ( + + + {f.key}:{f.value} + + + + ))} + {incompleteFilter && ( + + {incompleteFilter.key}: + + )} + 0 ? "" : "Search chats..."} + className="min-w-[60px] flex-1 border-none bg-transparent py-2 text-sm text-content-primary outline-none placeholder:text-content-disabled" aria-label="Search chats" role="combobox" aria-controls={hasResults ? listboxId : undefined} @@ -43,6 +90,18 @@ export const ChatSearchInput: FC = ({ aria-haspopup="listbox" aria-activedescendant={activeResultId} /> +
); }; diff --git a/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchResults.tsx b/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchResults.tsx index e4a2cb170a..c49c900332 100644 --- a/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchResults.tsx +++ b/site/src/pages/AgentsPage/components/ChatsSidebar/dialogs/ChatSearchResults.tsx @@ -12,6 +12,7 @@ import { getChatDisplayConfig } from "../tree/statusConfig"; type ChatSearchResultsProps = { readonly chats: readonly Chat[] | undefined; + readonly recentChats: readonly Chat[]; readonly error: unknown; readonly hasQuery: boolean; readonly location: Location; @@ -19,11 +20,23 @@ type ChatSearchResultsProps = { readonly selectedChatIndex: number | undefined; readonly showLoading: boolean; readonly isRefreshing: boolean; - readonly onSelectChat: () => void; + readonly onDismiss: () => void; +}; + +const RECENT_CHATS_COUNT = 10; + +// !block overrides Radix ScrollArea viewport's display:table so truncated text can shrink. +const SCROLL_AREA_PROPS = { + className: + "h-[300px] w-full [&_[data-radix-scroll-area-viewport]>div]:!block", + scrollBarClassName: "w-[0.375rem]", + viewportClassName: "pr-3", + viewportTabIndex: -1, }; export const ChatSearchResults: FC = ({ chats, + recentChats, error, hasQuery, location, @@ -31,25 +44,28 @@ export const ChatSearchResults: FC = ({ selectedChatIndex, showLoading, isRefreshing, - onSelectChat, + onDismiss, }) => { if (error) { return (
- +
); } if (!hasQuery) { return ( -
-
- Type to search by title, or use filters like{" "} - has_unread:true, archived:true,{" "} - pr_status:open, or diff_url:"...". -
-
+ ); } @@ -71,33 +87,25 @@ export const ChatSearchResults: FC = ({ return (
-

+

{resultSummary} {isRefreshing && ( )}

- +
@@ -105,13 +113,72 @@ export const ChatSearchResults: FC = ({ ); }; +// --------------------------------------------------------------------------- +// Default view: recent chats (shown when no query is active). +// --------------------------------------------------------------------------- + +type DefaultViewProps = { + readonly recentChats: readonly Chat[]; + readonly location: Location; + readonly listboxId: string; + readonly selectedChatIndex: number | undefined; + readonly onDismiss: () => void; +}; + +const DefaultView: FC = ({ + recentChats, + location, + listboxId, + selectedChatIndex, + onDismiss, +}) => { + const visibleRecentChats = recentChats.slice(0, RECENT_CHATS_COUNT); + + return ( +
+
+ {visibleRecentChats.length > 0 && ( +
+

+ Recent chats +

+ +
+ {visibleRecentChats.map((chat, index) => ( + + ))} +
+ +
+ )} +
+
+ ); +}; + +// --------------------------------------------------------------------------- +// Results list and row components. +// --------------------------------------------------------------------------- + type ChatSearchResultsListProps = { readonly chats: readonly Chat[] | undefined; readonly location: Location; readonly listboxId: string; readonly selectedChatIndex: number | undefined; readonly showLoading: boolean; - readonly onSelectChat: () => void; + readonly onDismiss: () => void; }; const ChatSearchResultsList: FC = ({ @@ -120,7 +187,7 @@ const ChatSearchResultsList: FC = ({ listboxId, selectedChatIndex, showLoading, - onSelectChat, + onDismiss, }) => { if (showLoading) { return ; @@ -128,9 +195,9 @@ const ChatSearchResultsList: FC = ({ if ((chats?.length ?? 0) === 0) { return ( -

- No matching chats -

+
+

No matching chats

+
); } @@ -148,7 +215,7 @@ const ChatSearchResultsList: FC = ({ id={`${listboxId}-option-${index}`} isSelected={selectedChatIndex === index} location={location} - onSelect={onSelectChat} + onSelect={onDismiss} /> ))}
diff --git a/site/src/pages/AgentsPage/components/ChatsSidebar/filters/FilterPopover.tsx b/site/src/pages/AgentsPage/components/ChatsSidebar/filters/FilterPopover.tsx index 4241209507..9c017a0e74 100644 --- a/site/src/pages/AgentsPage/components/ChatsSidebar/filters/FilterPopover.tsx +++ b/site/src/pages/AgentsPage/components/ChatsSidebar/filters/FilterPopover.tsx @@ -226,7 +226,7 @@ export const FilterPopover: FC = ({ size="icon" aria-label="Filter agents" className={cn( - "h-7 w-7 min-w-0 justify-end rounded-none px-0 text-content-secondary hover:text-content-primary", + "h-7 w-7 min-w-0 -mr-0.5 justify-end px-0 text-content-secondary hover:text-content-primary", hasActiveFilters(filters) && "text-content-primary", )} > diff --git a/site/src/pages/AgentsPage/components/ChatsSidebar/settings/SettingsNavItem.tsx b/site/src/pages/AgentsPage/components/ChatsSidebar/settings/SettingsNavItem.tsx index 83566ff389..97a6fbc856 100644 --- a/site/src/pages/AgentsPage/components/ChatsSidebar/settings/SettingsNavItem.tsx +++ b/site/src/pages/AgentsPage/components/ChatsSidebar/settings/SettingsNavItem.tsx @@ -1,6 +1,6 @@ import { ShieldIcon } from "lucide-react"; -import type { FC } from "react"; -import { Link, type To } from "react-router"; +import type { ComponentProps, FC, ReactNode } from "react"; +import { Link } from "react-router"; import { Tooltip, TooltipContent, @@ -13,32 +13,52 @@ type SettingsNavItemProps = { label: string; active: boolean; adminOnly?: boolean; + ariaLabel?: string; + className?: string; disabled?: boolean; + trailing?: ReactNode; trailingIcon?: FC<{ className?: string }>; } & ( - | { to: To; replace?: boolean; state?: unknown; onClick?: () => void } + | { + to: ComponentProps["to"]; + replace?: boolean; + state?: unknown; + onClick?: () => void; + } | { to?: never; replace?: never; state?: never; onClick: () => void } ); -const navItemClassName = (active: boolean, disabled: boolean | undefined) => +const navItemClassName = ( + active: boolean, + disabled: boolean | undefined, + className: string | undefined, +) => cn( - "flex w-full items-center gap-2.5 rounded-md border-0 px-2.5 py-2 text-left text-sm cursor-pointer transition-colors no-underline", + "flex w-full items-center gap-2.5 rounded-md border-0 px-2.5 py-1.5 text-left text-sm cursor-pointer transition-colors no-underline", active ? "bg-surface-quaternary/25 text-content-primary font-medium" : "bg-transparent text-content-secondary hover:bg-surface-tertiary/50 hover:text-content-primary", disabled && "opacity-50 pointer-events-none", + className, ); const NavItemContent: FC<{ icon: FC<{ className?: string }>; label: string; adminOnly?: boolean; + trailing?: ReactNode; trailingIcon?: FC<{ className?: string }>; -}> = ({ icon: Icon, label, adminOnly, trailingIcon: TrailingIcon }) => ( +}> = ({ + icon: Icon, + label, + adminOnly, + trailing, + trailingIcon: TrailingIcon, +}) => ( <> {label} - {(adminOnly || TrailingIcon) && ( + {(adminOnly || trailing || TrailingIcon) && ( {adminOnly && ( @@ -51,6 +71,7 @@ const NavItemContent: FC<{ )} {TrailingIcon && } + {trailing} )} @@ -61,7 +82,10 @@ export const SettingsNavItem: FC = ({ label, active, adminOnly, + ariaLabel, + className, disabled, + trailing, trailingIcon, ...rest }) => { @@ -72,14 +96,16 @@ export const SettingsNavItem: FC = ({ replace={rest.replace} state={rest.state} onClick={rest.onClick} - className={navItemClassName(active, disabled)} + className={navItemClassName(active, disabled, className)} aria-current={active ? "page" : undefined} + aria-label={ariaLabel} tabIndex={disabled ? -1 : undefined} > @@ -91,13 +117,15 @@ export const SettingsNavItem: FC = ({ type="button" onClick={rest.onClick} disabled={disabled} - className={navItemClassName(active, disabled)} + className={navItemClassName(active, disabled, className)} aria-current={active ? "page" : undefined} + aria-label={ariaLabel} > diff --git a/site/src/pages/AgentsPage/components/ChatsSidebar/tree/ChatTreeNode.tsx b/site/src/pages/AgentsPage/components/ChatsSidebar/tree/ChatTreeNode.tsx index 155058f4c0..aa0a693b40 100644 --- a/site/src/pages/AgentsPage/components/ChatsSidebar/tree/ChatTreeNode.tsx +++ b/site/src/pages/AgentsPage/components/ChatsSidebar/tree/ChatTreeNode.tsx @@ -208,7 +208,7 @@ export const ChatTreeNode: FC = ({ chat, isChildNode }) => { ); return ( -
+
= ({ chat, isChildNode }) => { {chat.has_unread && !isActiveChat ? (