refactor: add wildcard scope entries for API key scopes (#20032)

# Add API Key Scope Wildcards This PR adds wildcard API key scopes (`resource:*`) for all RBAC resources to ensure every resource has a matching wildcard value. It also adds all individual `resource:action` scopes to the API documentation and TypeScript definitions. The changes include: - Adding a new database migration (000377) that adds wildcard API key scopes - Updating the API documentation to include all available scopes - Enhancing the scope generation scripts to include all resource wildcards - Updating the TypeScript definitions to match the expanded scope list These changes make creating API keys with comprehensive permissions for specific resource types easier.
2026-06-02 20:48:20 +00:00 · 2025-10-06 12:08:17 +02:00
parent d17dd5d787
commit b60ae0a0c4
12 changed files with 1551 additions and 141 deletions
@@ -11530,11 +11530,29 @@ const docTemplate = `{
            "enum": [
                "all",
                "application_connect",
+                "aibridge_interception:*",
+                "aibridge_interception:create",
+                "aibridge_interception:read",
+                "aibridge_interception:update",
                "api_key:*",
                "api_key:create",
                "api_key:delete",
                "api_key:read",
                "api_key:update",
+                "assign_org_role:*",
+                "assign_org_role:assign",
+                "assign_org_role:create",
+                "assign_org_role:delete",
+                "assign_org_role:read",
+                "assign_org_role:unassign",
+                "assign_org_role:update",
+                "assign_role:*",
+                "assign_role:assign",
+                "assign_role:read",
+                "assign_role:unassign",
+                "audit_log:*",
+                "audit_log:create",
+                "audit_log:read",
                "coder:all",
                "coder:apikeys.manage_self",
                "coder:application_connect",
@@ -11544,40 +11562,188 @@ const docTemplate = `{
                "coder:workspaces.create",
                "coder:workspaces.delete",
                "coder:workspaces.operate",
+                "connection_log:*",
+                "connection_log:read",
+                "connection_log:update",
+                "crypto_key:*",
+                "crypto_key:create",
+                "crypto_key:delete",
+                "crypto_key:read",
+                "crypto_key:update",
+                "debug_info:*",
+                "debug_info:read",
+                "deployment_config:*",
+                "deployment_config:read",
+                "deployment_config:update",
+                "deployment_stats:*",
+                "deployment_stats:read",
                "file:*",
                "file:create",
                "file:read",
+                "group:*",
+                "group:create",
+                "group:delete",
+                "group:read",
+                "group:update",
+                "group_member:*",
+                "group_member:read",
+                "idpsync_settings:*",
+                "idpsync_settings:read",
+                "idpsync_settings:update",
+                "inbox_notification:*",
+                "inbox_notification:create",
+                "inbox_notification:read",
+                "inbox_notification:update",
+                "license:*",
+                "license:create",
+                "license:delete",
+                "license:read",
+                "notification_message:*",
+                "notification_message:create",
+                "notification_message:delete",
+                "notification_message:read",
+                "notification_message:update",
+                "notification_preference:*",
+                "notification_preference:read",
+                "notification_preference:update",
+                "notification_template:*",
+                "notification_template:read",
+                "notification_template:update",
+                "oauth2_app:*",
+                "oauth2_app:create",
+                "oauth2_app:delete",
+                "oauth2_app:read",
+                "oauth2_app:update",
+                "oauth2_app_code_token:*",
+                "oauth2_app_code_token:create",
+                "oauth2_app_code_token:delete",
+                "oauth2_app_code_token:read",
+                "oauth2_app_secret:*",
+                "oauth2_app_secret:create",
+                "oauth2_app_secret:delete",
+                "oauth2_app_secret:read",
+                "oauth2_app_secret:update",
+                "organization:*",
+                "organization:create",
+                "organization:delete",
+                "organization:read",
+                "organization:update",
+                "organization_member:*",
+                "organization_member:create",
+                "organization_member:delete",
+                "organization_member:read",
+                "organization_member:update",
+                "prebuilt_workspace:*",
+                "prebuilt_workspace:delete",
+                "prebuilt_workspace:update",
+                "provisioner_daemon:*",
+                "provisioner_daemon:create",
+                "provisioner_daemon:delete",
+                "provisioner_daemon:read",
+                "provisioner_daemon:update",
+                "provisioner_jobs:*",
+                "provisioner_jobs:create",
+                "provisioner_jobs:read",
+                "provisioner_jobs:update",
+                "replicas:*",
+                "replicas:read",
+                "system:*",
+                "system:create",
+                "system:delete",
+                "system:read",
+                "system:update",
+                "tailnet_coordinator:*",
+                "tailnet_coordinator:create",
+                "tailnet_coordinator:delete",
+                "tailnet_coordinator:read",
+                "tailnet_coordinator:update",
                "template:*",
                "template:create",
                "template:delete",
                "template:read",
                "template:update",
                "template:use",
+                "template:view_insights",
+                "usage_event:*",
+                "usage_event:create",
+                "usage_event:read",
+                "usage_event:update",
+                "user:*",
+                "user:create",
+                "user:delete",
+                "user:read",
                "user:read_personal",
+                "user:update",
                "user:update_personal",
                "user_secret:*",
                "user_secret:create",
                "user_secret:delete",
                "user_secret:read",
                "user_secret:update",
+                "webpush_subscription:*",
+                "webpush_subscription:create",
+                "webpush_subscription:delete",
+                "webpush_subscription:read",
                "workspace:*",
                "workspace:application_connect",
                "workspace:create",
+                "workspace:create_agent",
                "workspace:delete",
+                "workspace:delete_agent",
                "workspace:read",
                "workspace:ssh",
                "workspace:start",
                "workspace:stop",
-                "workspace:update"
+                "workspace:update",
+                "workspace_agent_devcontainers:*",
+                "workspace_agent_devcontainers:create",
+                "workspace_agent_resource_monitor:*",
+                "workspace_agent_resource_monitor:create",
+                "workspace_agent_resource_monitor:read",
+                "workspace_agent_resource_monitor:update",
+                "workspace_dormant:*",
+                "workspace_dormant:application_connect",
+                "workspace_dormant:create",
+                "workspace_dormant:create_agent",
+                "workspace_dormant:delete",
+                "workspace_dormant:delete_agent",
+                "workspace_dormant:read",
+                "workspace_dormant:ssh",
+                "workspace_dormant:start",
+                "workspace_dormant:stop",
+                "workspace_dormant:update",
+                "workspace_proxy:*",
+                "workspace_proxy:create",
+                "workspace_proxy:delete",
+                "workspace_proxy:read",
+                "workspace_proxy:update"
            ],
            "x-enum-varnames": [
                "APIKeyScopeAll",
                "APIKeyScopeApplicationConnect",
+                "APIKeyScopeAibridgeInterceptionAll",
+                "APIKeyScopeAibridgeInterceptionCreate",
+                "APIKeyScopeAibridgeInterceptionRead",
+                "APIKeyScopeAibridgeInterceptionUpdate",
                "APIKeyScopeApiKeyAll",
                "APIKeyScopeApiKeyCreate",
                "APIKeyScopeApiKeyDelete",
                "APIKeyScopeApiKeyRead",
                "APIKeyScopeApiKeyUpdate",
+                "APIKeyScopeAssignOrgRoleAll",
+                "APIKeyScopeAssignOrgRoleAssign",
+                "APIKeyScopeAssignOrgRoleCreate",
+                "APIKeyScopeAssignOrgRoleDelete",
+                "APIKeyScopeAssignOrgRoleRead",
+                "APIKeyScopeAssignOrgRoleUnassign",
+                "APIKeyScopeAssignOrgRoleUpdate",
+                "APIKeyScopeAssignRoleAll",
+                "APIKeyScopeAssignRoleAssign",
+                "APIKeyScopeAssignRoleRead",
+                "APIKeyScopeAssignRoleUnassign",
+                "APIKeyScopeAuditLogAll",
+                "APIKeyScopeAuditLogCreate",
+                "APIKeyScopeAuditLogRead",
                "APIKeyScopeCoderAll",
                "APIKeyScopeCoderApikeysManageSelf",
                "APIKeyScopeCoderApplicationConnect",
@@ -11587,31 +11753,161 @@ const docTemplate = `{
                "APIKeyScopeCoderWorkspacesCreate",
                "APIKeyScopeCoderWorkspacesDelete",
                "APIKeyScopeCoderWorkspacesOperate",
+                "APIKeyScopeConnectionLogAll",
+                "APIKeyScopeConnectionLogRead",
+                "APIKeyScopeConnectionLogUpdate",
+                "APIKeyScopeCryptoKeyAll",
+                "APIKeyScopeCryptoKeyCreate",
+                "APIKeyScopeCryptoKeyDelete",
+                "APIKeyScopeCryptoKeyRead",
+                "APIKeyScopeCryptoKeyUpdate",
+                "APIKeyScopeDebugInfoAll",
+                "APIKeyScopeDebugInfoRead",
+                "APIKeyScopeDeploymentConfigAll",
+                "APIKeyScopeDeploymentConfigRead",
+                "APIKeyScopeDeploymentConfigUpdate",
+                "APIKeyScopeDeploymentStatsAll",
+                "APIKeyScopeDeploymentStatsRead",
                "APIKeyScopeFileAll",
                "APIKeyScopeFileCreate",
                "APIKeyScopeFileRead",
+                "APIKeyScopeGroupAll",
+                "APIKeyScopeGroupCreate",
+                "APIKeyScopeGroupDelete",
+                "APIKeyScopeGroupRead",
+                "APIKeyScopeGroupUpdate",
+                "APIKeyScopeGroupMemberAll",
+                "APIKeyScopeGroupMemberRead",
+                "APIKeyScopeIdpsyncSettingsAll",
+                "APIKeyScopeIdpsyncSettingsRead",
+                "APIKeyScopeIdpsyncSettingsUpdate",
+                "APIKeyScopeInboxNotificationAll",
+                "APIKeyScopeInboxNotificationCreate",
+                "APIKeyScopeInboxNotificationRead",
+                "APIKeyScopeInboxNotificationUpdate",
+                "APIKeyScopeLicenseAll",
+                "APIKeyScopeLicenseCreate",
+                "APIKeyScopeLicenseDelete",
+                "APIKeyScopeLicenseRead",
+                "APIKeyScopeNotificationMessageAll",
+                "APIKeyScopeNotificationMessageCreate",
+                "APIKeyScopeNotificationMessageDelete",
+                "APIKeyScopeNotificationMessageRead",
+                "APIKeyScopeNotificationMessageUpdate",
+                "APIKeyScopeNotificationPreferenceAll",
+                "APIKeyScopeNotificationPreferenceRead",
+                "APIKeyScopeNotificationPreferenceUpdate",
+                "APIKeyScopeNotificationTemplateAll",
+                "APIKeyScopeNotificationTemplateRead",
+                "APIKeyScopeNotificationTemplateUpdate",
+                "APIKeyScopeOauth2AppAll",
+                "APIKeyScopeOauth2AppCreate",
+                "APIKeyScopeOauth2AppDelete",
+                "APIKeyScopeOauth2AppRead",
+                "APIKeyScopeOauth2AppUpdate",
+                "APIKeyScopeOauth2AppCodeTokenAll",
+                "APIKeyScopeOauth2AppCodeTokenCreate",
+                "APIKeyScopeOauth2AppCodeTokenDelete",
+                "APIKeyScopeOauth2AppCodeTokenRead",
+                "APIKeyScopeOauth2AppSecretAll",
+                "APIKeyScopeOauth2AppSecretCreate",
+                "APIKeyScopeOauth2AppSecretDelete",
+                "APIKeyScopeOauth2AppSecretRead",
+                "APIKeyScopeOauth2AppSecretUpdate",
+                "APIKeyScopeOrganizationAll",
+                "APIKeyScopeOrganizationCreate",
+                "APIKeyScopeOrganizationDelete",
+                "APIKeyScopeOrganizationRead",
+                "APIKeyScopeOrganizationUpdate",
+                "APIKeyScopeOrganizationMemberAll",
+                "APIKeyScopeOrganizationMemberCreate",
+                "APIKeyScopeOrganizationMemberDelete",
+                "APIKeyScopeOrganizationMemberRead",
+                "APIKeyScopeOrganizationMemberUpdate",
+                "APIKeyScopePrebuiltWorkspaceAll",
+                "APIKeyScopePrebuiltWorkspaceDelete",
+                "APIKeyScopePrebuiltWorkspaceUpdate",
+                "APIKeyScopeProvisionerDaemonAll",
+                "APIKeyScopeProvisionerDaemonCreate",
+                "APIKeyScopeProvisionerDaemonDelete",
+                "APIKeyScopeProvisionerDaemonRead",
+                "APIKeyScopeProvisionerDaemonUpdate",
+                "APIKeyScopeProvisionerJobsAll",
+                "APIKeyScopeProvisionerJobsCreate",
+                "APIKeyScopeProvisionerJobsRead",
+                "APIKeyScopeProvisionerJobsUpdate",
+                "APIKeyScopeReplicasAll",
+                "APIKeyScopeReplicasRead",
+                "APIKeyScopeSystemAll",
+                "APIKeyScopeSystemCreate",
+                "APIKeyScopeSystemDelete",
+                "APIKeyScopeSystemRead",
+                "APIKeyScopeSystemUpdate",
+                "APIKeyScopeTailnetCoordinatorAll",
+                "APIKeyScopeTailnetCoordinatorCreate",
+                "APIKeyScopeTailnetCoordinatorDelete",
+                "APIKeyScopeTailnetCoordinatorRead",
+                "APIKeyScopeTailnetCoordinatorUpdate",
                "APIKeyScopeTemplateAll",
                "APIKeyScopeTemplateCreate",
                "APIKeyScopeTemplateDelete",
                "APIKeyScopeTemplateRead",
                "APIKeyScopeTemplateUpdate",
                "APIKeyScopeTemplateUse",
+                "APIKeyScopeTemplateViewInsights",
+                "APIKeyScopeUsageEventAll",
+                "APIKeyScopeUsageEventCreate",
+                "APIKeyScopeUsageEventRead",
+                "APIKeyScopeUsageEventUpdate",
+                "APIKeyScopeUserAll",
+                "APIKeyScopeUserCreate",
+                "APIKeyScopeUserDelete",
+                "APIKeyScopeUserRead",
                "APIKeyScopeUserReadPersonal",
+                "APIKeyScopeUserUpdate",
                "APIKeyScopeUserUpdatePersonal",
                "APIKeyScopeUserSecretAll",
                "APIKeyScopeUserSecretCreate",
                "APIKeyScopeUserSecretDelete",
                "APIKeyScopeUserSecretRead",
                "APIKeyScopeUserSecretUpdate",
+                "APIKeyScopeWebpushSubscriptionAll",
+                "APIKeyScopeWebpushSubscriptionCreate",
+                "APIKeyScopeWebpushSubscriptionDelete",
+                "APIKeyScopeWebpushSubscriptionRead",
                "APIKeyScopeWorkspaceAll",
                "APIKeyScopeWorkspaceApplicationConnect",
                "APIKeyScopeWorkspaceCreate",
+                "APIKeyScopeWorkspaceCreateAgent",
                "APIKeyScopeWorkspaceDelete",
+                "APIKeyScopeWorkspaceDeleteAgent",
                "APIKeyScopeWorkspaceRead",
                "APIKeyScopeWorkspaceSsh",
                "APIKeyScopeWorkspaceStart",
                "APIKeyScopeWorkspaceStop",
-                "APIKeyScopeWorkspaceUpdate"
+                "APIKeyScopeWorkspaceUpdate",
+                "APIKeyScopeWorkspaceAgentDevcontainersAll",
+                "APIKeyScopeWorkspaceAgentDevcontainersCreate",
+                "APIKeyScopeWorkspaceAgentResourceMonitorAll",
+                "APIKeyScopeWorkspaceAgentResourceMonitorCreate",
+                "APIKeyScopeWorkspaceAgentResourceMonitorRead",
+                "APIKeyScopeWorkspaceAgentResourceMonitorUpdate",
+                "APIKeyScopeWorkspaceDormantAll",
+                "APIKeyScopeWorkspaceDormantApplicationConnect",
+                "APIKeyScopeWorkspaceDormantCreate",
+                "APIKeyScopeWorkspaceDormantCreateAgent",
+                "APIKeyScopeWorkspaceDormantDelete",
+                "APIKeyScopeWorkspaceDormantDeleteAgent",
+                "APIKeyScopeWorkspaceDormantRead",
+                "APIKeyScopeWorkspaceDormantSsh",
+                "APIKeyScopeWorkspaceDormantStart",
+                "APIKeyScopeWorkspaceDormantStop",
+                "APIKeyScopeWorkspaceDormantUpdate",
+                "APIKeyScopeWorkspaceProxyAll",
+                "APIKeyScopeWorkspaceProxyCreate",
+                "APIKeyScopeWorkspaceProxyDelete",
+                "APIKeyScopeWorkspaceProxyRead",
+                "APIKeyScopeWorkspaceProxyUpdate"
            ]
        },
        "codersdk.AddLicenseRequest": {
@@ -10246,11 +10246,29 @@
 			"enum": [
 				"all",
 				"application_connect",
+				"aibridge_interception:*",
+				"aibridge_interception:create",
+				"aibridge_interception:read",
+				"aibridge_interception:update",
 				"api_key:*",
 				"api_key:create",
 				"api_key:delete",
 				"api_key:read",
 				"api_key:update",
+				"assign_org_role:*",
+				"assign_org_role:assign",
+				"assign_org_role:create",
+				"assign_org_role:delete",
+				"assign_org_role:read",
+				"assign_org_role:unassign",
+				"assign_org_role:update",
+				"assign_role:*",
+				"assign_role:assign",
+				"assign_role:read",
+				"assign_role:unassign",
+				"audit_log:*",
+				"audit_log:create",
+				"audit_log:read",
 				"coder:all",
 				"coder:apikeys.manage_self",
 				"coder:application_connect",
@@ -10260,40 +10278,188 @@
 				"coder:workspaces.create",
 				"coder:workspaces.delete",
 				"coder:workspaces.operate",
+				"connection_log:*",
+				"connection_log:read",
+				"connection_log:update",
+				"crypto_key:*",
+				"crypto_key:create",
+				"crypto_key:delete",
+				"crypto_key:read",
+				"crypto_key:update",
+				"debug_info:*",
+				"debug_info:read",
+				"deployment_config:*",
+				"deployment_config:read",
+				"deployment_config:update",
+				"deployment_stats:*",
+				"deployment_stats:read",
 				"file:*",
 				"file:create",
 				"file:read",
+				"group:*",
+				"group:create",
+				"group:delete",
+				"group:read",
+				"group:update",
+				"group_member:*",
+				"group_member:read",
+				"idpsync_settings:*",
+				"idpsync_settings:read",
+				"idpsync_settings:update",
+				"inbox_notification:*",
+				"inbox_notification:create",
+				"inbox_notification:read",
+				"inbox_notification:update",
+				"license:*",
+				"license:create",
+				"license:delete",
+				"license:read",
+				"notification_message:*",
+				"notification_message:create",
+				"notification_message:delete",
+				"notification_message:read",
+				"notification_message:update",
+				"notification_preference:*",
+				"notification_preference:read",
+				"notification_preference:update",
+				"notification_template:*",
+				"notification_template:read",
+				"notification_template:update",
+				"oauth2_app:*",
+				"oauth2_app:create",
+				"oauth2_app:delete",
+				"oauth2_app:read",
+				"oauth2_app:update",
+				"oauth2_app_code_token:*",
+				"oauth2_app_code_token:create",
+				"oauth2_app_code_token:delete",
+				"oauth2_app_code_token:read",
+				"oauth2_app_secret:*",
+				"oauth2_app_secret:create",
+				"oauth2_app_secret:delete",
+				"oauth2_app_secret:read",
+				"oauth2_app_secret:update",
+				"organization:*",
+				"organization:create",
+				"organization:delete",
+				"organization:read",
+				"organization:update",
+				"organization_member:*",
+				"organization_member:create",
+				"organization_member:delete",
+				"organization_member:read",
+				"organization_member:update",
+				"prebuilt_workspace:*",
+				"prebuilt_workspace:delete",
+				"prebuilt_workspace:update",
+				"provisioner_daemon:*",
+				"provisioner_daemon:create",
+				"provisioner_daemon:delete",
+				"provisioner_daemon:read",
+				"provisioner_daemon:update",
+				"provisioner_jobs:*",
+				"provisioner_jobs:create",
+				"provisioner_jobs:read",
+				"provisioner_jobs:update",
+				"replicas:*",
+				"replicas:read",
+				"system:*",
+				"system:create",
+				"system:delete",
+				"system:read",
+				"system:update",
+				"tailnet_coordinator:*",
+				"tailnet_coordinator:create",
+				"tailnet_coordinator:delete",
+				"tailnet_coordinator:read",
+				"tailnet_coordinator:update",
 				"template:*",
 				"template:create",
 				"template:delete",
 				"template:read",
 				"template:update",
 				"template:use",
+				"template:view_insights",
+				"usage_event:*",
+				"usage_event:create",
+				"usage_event:read",
+				"usage_event:update",
+				"user:*",
+				"user:create",
+				"user:delete",
+				"user:read",
 				"user:read_personal",
+				"user:update",
 				"user:update_personal",
 				"user_secret:*",
 				"user_secret:create",
 				"user_secret:delete",
 				"user_secret:read",
 				"user_secret:update",
+				"webpush_subscription:*",
+				"webpush_subscription:create",
+				"webpush_subscription:delete",
+				"webpush_subscription:read",
 				"workspace:*",
 				"workspace:application_connect",
 				"workspace:create",
+				"workspace:create_agent",
 				"workspace:delete",
+				"workspace:delete_agent",
 				"workspace:read",
 				"workspace:ssh",
 				"workspace:start",
 				"workspace:stop",
-				"workspace:update"
+				"workspace:update",
+				"workspace_agent_devcontainers:*",
+				"workspace_agent_devcontainers:create",
+				"workspace_agent_resource_monitor:*",
+				"workspace_agent_resource_monitor:create",
+				"workspace_agent_resource_monitor:read",
+				"workspace_agent_resource_monitor:update",
+				"workspace_dormant:*",
+				"workspace_dormant:application_connect",
+				"workspace_dormant:create",
+				"workspace_dormant:create_agent",
+				"workspace_dormant:delete",
+				"workspace_dormant:delete_agent",
+				"workspace_dormant:read",
+				"workspace_dormant:ssh",
+				"workspace_dormant:start",
+				"workspace_dormant:stop",
+				"workspace_dormant:update",
+				"workspace_proxy:*",
+				"workspace_proxy:create",
+				"workspace_proxy:delete",
+				"workspace_proxy:read",
+				"workspace_proxy:update"
 			],
 			"x-enum-varnames": [
 				"APIKeyScopeAll",
 				"APIKeyScopeApplicationConnect",
+				"APIKeyScopeAibridgeInterceptionAll",
+				"APIKeyScopeAibridgeInterceptionCreate",
+				"APIKeyScopeAibridgeInterceptionRead",
+				"APIKeyScopeAibridgeInterceptionUpdate",
 				"APIKeyScopeApiKeyAll",
 				"APIKeyScopeApiKeyCreate",
 				"APIKeyScopeApiKeyDelete",
 				"APIKeyScopeApiKeyRead",
 				"APIKeyScopeApiKeyUpdate",
+				"APIKeyScopeAssignOrgRoleAll",
+				"APIKeyScopeAssignOrgRoleAssign",
+				"APIKeyScopeAssignOrgRoleCreate",
+				"APIKeyScopeAssignOrgRoleDelete",
+				"APIKeyScopeAssignOrgRoleRead",
+				"APIKeyScopeAssignOrgRoleUnassign",
+				"APIKeyScopeAssignOrgRoleUpdate",
+				"APIKeyScopeAssignRoleAll",
+				"APIKeyScopeAssignRoleAssign",
+				"APIKeyScopeAssignRoleRead",
+				"APIKeyScopeAssignRoleUnassign",
+				"APIKeyScopeAuditLogAll",
+				"APIKeyScopeAuditLogCreate",
+				"APIKeyScopeAuditLogRead",
 				"APIKeyScopeCoderAll",
 				"APIKeyScopeCoderApikeysManageSelf",
 				"APIKeyScopeCoderApplicationConnect",
@@ -10303,31 +10469,161 @@
 				"APIKeyScopeCoderWorkspacesCreate",
 				"APIKeyScopeCoderWorkspacesDelete",
 				"APIKeyScopeCoderWorkspacesOperate",
+				"APIKeyScopeConnectionLogAll",
+				"APIKeyScopeConnectionLogRead",
+				"APIKeyScopeConnectionLogUpdate",
+				"APIKeyScopeCryptoKeyAll",
+				"APIKeyScopeCryptoKeyCreate",
+				"APIKeyScopeCryptoKeyDelete",
+				"APIKeyScopeCryptoKeyRead",
+				"APIKeyScopeCryptoKeyUpdate",
+				"APIKeyScopeDebugInfoAll",
+				"APIKeyScopeDebugInfoRead",
+				"APIKeyScopeDeploymentConfigAll",
+				"APIKeyScopeDeploymentConfigRead",
+				"APIKeyScopeDeploymentConfigUpdate",
+				"APIKeyScopeDeploymentStatsAll",
+				"APIKeyScopeDeploymentStatsRead",
 				"APIKeyScopeFileAll",
 				"APIKeyScopeFileCreate",
 				"APIKeyScopeFileRead",
+				"APIKeyScopeGroupAll",
+				"APIKeyScopeGroupCreate",
+				"APIKeyScopeGroupDelete",
+				"APIKeyScopeGroupRead",
+				"APIKeyScopeGroupUpdate",
+				"APIKeyScopeGroupMemberAll",
+				"APIKeyScopeGroupMemberRead",
+				"APIKeyScopeIdpsyncSettingsAll",
+				"APIKeyScopeIdpsyncSettingsRead",
+				"APIKeyScopeIdpsyncSettingsUpdate",
+				"APIKeyScopeInboxNotificationAll",
+				"APIKeyScopeInboxNotificationCreate",
+				"APIKeyScopeInboxNotificationRead",
+				"APIKeyScopeInboxNotificationUpdate",
+				"APIKeyScopeLicenseAll",
+				"APIKeyScopeLicenseCreate",
+				"APIKeyScopeLicenseDelete",
+				"APIKeyScopeLicenseRead",
+				"APIKeyScopeNotificationMessageAll",
+				"APIKeyScopeNotificationMessageCreate",
+				"APIKeyScopeNotificationMessageDelete",
+				"APIKeyScopeNotificationMessageRead",
+				"APIKeyScopeNotificationMessageUpdate",
+				"APIKeyScopeNotificationPreferenceAll",
+				"APIKeyScopeNotificationPreferenceRead",
+				"APIKeyScopeNotificationPreferenceUpdate",
+				"APIKeyScopeNotificationTemplateAll",
+				"APIKeyScopeNotificationTemplateRead",
+				"APIKeyScopeNotificationTemplateUpdate",
+				"APIKeyScopeOauth2AppAll",
+				"APIKeyScopeOauth2AppCreate",
+				"APIKeyScopeOauth2AppDelete",
+				"APIKeyScopeOauth2AppRead",
+				"APIKeyScopeOauth2AppUpdate",
+				"APIKeyScopeOauth2AppCodeTokenAll",
+				"APIKeyScopeOauth2AppCodeTokenCreate",
+				"APIKeyScopeOauth2AppCodeTokenDelete",
+				"APIKeyScopeOauth2AppCodeTokenRead",
+				"APIKeyScopeOauth2AppSecretAll",
+				"APIKeyScopeOauth2AppSecretCreate",
+				"APIKeyScopeOauth2AppSecretDelete",
+				"APIKeyScopeOauth2AppSecretRead",
+				"APIKeyScopeOauth2AppSecretUpdate",
+				"APIKeyScopeOrganizationAll",
+				"APIKeyScopeOrganizationCreate",
+				"APIKeyScopeOrganizationDelete",
+				"APIKeyScopeOrganizationRead",
+				"APIKeyScopeOrganizationUpdate",
+				"APIKeyScopeOrganizationMemberAll",
+				"APIKeyScopeOrganizationMemberCreate",
+				"APIKeyScopeOrganizationMemberDelete",
+				"APIKeyScopeOrganizationMemberRead",
+				"APIKeyScopeOrganizationMemberUpdate",
+				"APIKeyScopePrebuiltWorkspaceAll",
+				"APIKeyScopePrebuiltWorkspaceDelete",
+				"APIKeyScopePrebuiltWorkspaceUpdate",
+				"APIKeyScopeProvisionerDaemonAll",
+				"APIKeyScopeProvisionerDaemonCreate",
+				"APIKeyScopeProvisionerDaemonDelete",
+				"APIKeyScopeProvisionerDaemonRead",
+				"APIKeyScopeProvisionerDaemonUpdate",
+				"APIKeyScopeProvisionerJobsAll",
+				"APIKeyScopeProvisionerJobsCreate",
+				"APIKeyScopeProvisionerJobsRead",
+				"APIKeyScopeProvisionerJobsUpdate",
+				"APIKeyScopeReplicasAll",
+				"APIKeyScopeReplicasRead",
+				"APIKeyScopeSystemAll",
+				"APIKeyScopeSystemCreate",
+				"APIKeyScopeSystemDelete",
+				"APIKeyScopeSystemRead",
+				"APIKeyScopeSystemUpdate",
+				"APIKeyScopeTailnetCoordinatorAll",
+				"APIKeyScopeTailnetCoordinatorCreate",
+				"APIKeyScopeTailnetCoordinatorDelete",
+				"APIKeyScopeTailnetCoordinatorRead",
+				"APIKeyScopeTailnetCoordinatorUpdate",
 				"APIKeyScopeTemplateAll",
 				"APIKeyScopeTemplateCreate",
 				"APIKeyScopeTemplateDelete",
 				"APIKeyScopeTemplateRead",
 				"APIKeyScopeTemplateUpdate",
 				"APIKeyScopeTemplateUse",
+				"APIKeyScopeTemplateViewInsights",
+				"APIKeyScopeUsageEventAll",
+				"APIKeyScopeUsageEventCreate",
+				"APIKeyScopeUsageEventRead",
+				"APIKeyScopeUsageEventUpdate",
+				"APIKeyScopeUserAll",
+				"APIKeyScopeUserCreate",
+				"APIKeyScopeUserDelete",
+				"APIKeyScopeUserRead",
 				"APIKeyScopeUserReadPersonal",
+				"APIKeyScopeUserUpdate",
 				"APIKeyScopeUserUpdatePersonal",
 				"APIKeyScopeUserSecretAll",
 				"APIKeyScopeUserSecretCreate",
 				"APIKeyScopeUserSecretDelete",
 				"APIKeyScopeUserSecretRead",
 				"APIKeyScopeUserSecretUpdate",
+				"APIKeyScopeWebpushSubscriptionAll",
+				"APIKeyScopeWebpushSubscriptionCreate",
+				"APIKeyScopeWebpushSubscriptionDelete",
+				"APIKeyScopeWebpushSubscriptionRead",
 				"APIKeyScopeWorkspaceAll",
 				"APIKeyScopeWorkspaceApplicationConnect",
 				"APIKeyScopeWorkspaceCreate",
+				"APIKeyScopeWorkspaceCreateAgent",
 				"APIKeyScopeWorkspaceDelete",
+				"APIKeyScopeWorkspaceDeleteAgent",
 				"APIKeyScopeWorkspaceRead",
 				"APIKeyScopeWorkspaceSsh",
 				"APIKeyScopeWorkspaceStart",
 				"APIKeyScopeWorkspaceStop",
-				"APIKeyScopeWorkspaceUpdate"
+				"APIKeyScopeWorkspaceUpdate",
+				"APIKeyScopeWorkspaceAgentDevcontainersAll",
+				"APIKeyScopeWorkspaceAgentDevcontainersCreate",
+				"APIKeyScopeWorkspaceAgentResourceMonitorAll",
+				"APIKeyScopeWorkspaceAgentResourceMonitorCreate",
+				"APIKeyScopeWorkspaceAgentResourceMonitorRead",
+				"APIKeyScopeWorkspaceAgentResourceMonitorUpdate",
+				"APIKeyScopeWorkspaceDormantAll",
+				"APIKeyScopeWorkspaceDormantApplicationConnect",
+				"APIKeyScopeWorkspaceDormantCreate",
+				"APIKeyScopeWorkspaceDormantCreateAgent",
+				"APIKeyScopeWorkspaceDormantDelete",
+				"APIKeyScopeWorkspaceDormantDeleteAgent",
+				"APIKeyScopeWorkspaceDormantRead",
+				"APIKeyScopeWorkspaceDormantSsh",
+				"APIKeyScopeWorkspaceDormantStart",
+				"APIKeyScopeWorkspaceDormantStop",
+				"APIKeyScopeWorkspaceDormantUpdate",
+				"APIKeyScopeWorkspaceProxyAll",
+				"APIKeyScopeWorkspaceProxyCreate",
+				"APIKeyScopeWorkspaceProxyDelete",
+				"APIKeyScopeWorkspaceProxyRead",
+				"APIKeyScopeWorkspaceProxyUpdate"
 			]
 		},
 		"codersdk.AddLicenseRequest": {
@@ -157,7 +157,47 @@ CREATE TYPE api_key_scope AS ENUM (
    'coder:workspaces.access',
    'coder:templates.build',
    'coder:templates.author',
-    'coder:apikeys.manage_self'
+    'coder:apikeys.manage_self',
+    'aibridge_interception:*',
+    'api_key:*',
+    'assign_org_role:*',
+    'assign_role:*',
+    'audit_log:*',
+    'connection_log:*',
+    'crypto_key:*',
+    'debug_info:*',
+    'deployment_config:*',
+    'deployment_stats:*',
+    'file:*',
+    'group:*',
+    'group_member:*',
+    'idpsync_settings:*',
+    'inbox_notification:*',
+    'license:*',
+    'notification_message:*',
+    'notification_preference:*',
+    'notification_template:*',
+    'oauth2_app:*',
+    'oauth2_app_code_token:*',
+    'oauth2_app_secret:*',
+    'organization:*',
+    'organization_member:*',
+    'prebuilt_workspace:*',
+    'provisioner_daemon:*',
+    'provisioner_jobs:*',
+    'replicas:*',
+    'system:*',
+    'tailnet_coordinator:*',
+    'template:*',
+    'usage_event:*',
+    'user:*',
+    'user_secret:*',
+    'webpush_subscription:*',
+    'workspace:*',
+    'workspace_agent_devcontainers:*',
+    'workspace_agent_resource_monitor:*',
+    'workspace_dormant:*',
+    'workspace_proxy:*'
 );

 CREATE TYPE app_sharing_level AS ENUM (
@@ -0,0 +1,2 @@
+-- No-op: enum values remain to avoid churn. Removing enum values requires
+-- doing a create/cast/drop cycle which is intentionally omitted here.
@@ -0,0 +1,42 @@
+-- Add wildcard api_key_scope entries so every RBAC resource has a matching resource:* value.
+-- Generated via: CGO_ENABLED=0 go run ./scripts/generate_api_key_scope_enum
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'aibridge_interception:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'api_key:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'assign_org_role:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'assign_role:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'audit_log:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'connection_log:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'crypto_key:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'debug_info:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'deployment_config:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'deployment_stats:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'file:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'group:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'group_member:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'idpsync_settings:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'inbox_notification:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'license:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'notification_message:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'notification_preference:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'notification_template:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'oauth2_app:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'oauth2_app_code_token:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'oauth2_app_secret:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'organization:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'organization_member:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'prebuilt_workspace:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'provisioner_daemon:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'provisioner_jobs:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'replicas:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'system:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'tailnet_coordinator:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'template:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'usage_event:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'user:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'user_secret:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'webpush_subscription:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'workspace:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'workspace_agent_devcontainers:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'workspace_agent_resource_monitor:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'workspace_dormant:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'workspace_proxy:*';
@@ -166,6 +166,46 @@ const (
 	ApiKeyScopeCoderTemplatesbuild                 APIKeyScope = "coder:templates.build"
 	ApiKeyScopeCoderTemplatesauthor                APIKeyScope = "coder:templates.author"
 	ApiKeyScopeCoderApikeysmanageSelf              APIKeyScope = "coder:apikeys.manage_self"
+	ApiKeyScopeAibridgeInterception                APIKeyScope = "aibridge_interception:*"
+	ApiKeyScopeApiKey                              APIKeyScope = "api_key:*"
+	ApiKeyScopeAssignOrgRole                       APIKeyScope = "assign_org_role:*"
+	ApiKeyScopeAssignRole                          APIKeyScope = "assign_role:*"
+	ApiKeyScopeAuditLog                            APIKeyScope = "audit_log:*"
+	ApiKeyScopeConnectionLog                       APIKeyScope = "connection_log:*"
+	ApiKeyScopeCryptoKey                           APIKeyScope = "crypto_key:*"
+	ApiKeyScopeDebugInfo                           APIKeyScope = "debug_info:*"
+	ApiKeyScopeDeploymentConfig                    APIKeyScope = "deployment_config:*"
+	ApiKeyScopeDeploymentStats                     APIKeyScope = "deployment_stats:*"
+	ApiKeyScopeFile                                APIKeyScope = "file:*"
+	ApiKeyScopeGroup                               APIKeyScope = "group:*"
+	ApiKeyScopeGroupMember                         APIKeyScope = "group_member:*"
+	ApiKeyScopeIdpsyncSettings                     APIKeyScope = "idpsync_settings:*"
+	ApiKeyScopeInboxNotification                   APIKeyScope = "inbox_notification:*"
+	ApiKeyScopeLicense                             APIKeyScope = "license:*"
+	ApiKeyScopeNotificationMessage                 APIKeyScope = "notification_message:*"
+	ApiKeyScopeNotificationPreference              APIKeyScope = "notification_preference:*"
+	ApiKeyScopeNotificationTemplate                APIKeyScope = "notification_template:*"
+	ApiKeyScopeOauth2App                           APIKeyScope = "oauth2_app:*"
+	ApiKeyScopeOauth2AppCodeToken                  APIKeyScope = "oauth2_app_code_token:*"
+	ApiKeyScopeOauth2AppSecret                     APIKeyScope = "oauth2_app_secret:*"
+	ApiKeyScopeOrganization                        APIKeyScope = "organization:*"
+	ApiKeyScopeOrganizationMember                  APIKeyScope = "organization_member:*"
+	ApiKeyScopePrebuiltWorkspace                   APIKeyScope = "prebuilt_workspace:*"
+	ApiKeyScopeProvisionerDaemon                   APIKeyScope = "provisioner_daemon:*"
+	ApiKeyScopeProvisionerJobs                     APIKeyScope = "provisioner_jobs:*"
+	ApiKeyScopeReplicas                            APIKeyScope = "replicas:*"
+	ApiKeyScopeSystem                              APIKeyScope = "system:*"
+	ApiKeyScopeTailnetCoordinator                  APIKeyScope = "tailnet_coordinator:*"
+	ApiKeyScopeTemplate                            APIKeyScope = "template:*"
+	ApiKeyScopeUsageEvent                          APIKeyScope = "usage_event:*"
+	ApiKeyScopeUser                                APIKeyScope = "user:*"
+	ApiKeyScopeUserSecret                          APIKeyScope = "user_secret:*"
+	ApiKeyScopeWebpushSubscription                 APIKeyScope = "webpush_subscription:*"
+	ApiKeyScopeWorkspace                           APIKeyScope = "workspace:*"
+	ApiKeyScopeWorkspaceAgentDevcontainers         APIKeyScope = "workspace_agent_devcontainers:*"
+	ApiKeyScopeWorkspaceAgentResourceMonitor       APIKeyScope = "workspace_agent_resource_monitor:*"
+	ApiKeyScopeWorkspaceDormant                    APIKeyScope = "workspace_dormant:*"
+	ApiKeyScopeWorkspaceProxy                      APIKeyScope = "workspace_proxy:*"
 )

 func (e *APIKeyScope) Scan(src interface{}) error {
@@ -351,7 +391,47 @@ func (e APIKeyScope) Valid() bool {
 		ApiKeyScopeCoderWorkspacesaccess,
 		ApiKeyScopeCoderTemplatesbuild,
 		ApiKeyScopeCoderTemplatesauthor,
-		ApiKeyScopeCoderApikeysmanageSelf:
+		ApiKeyScopeCoderApikeysmanageSelf,
+		ApiKeyScopeAibridgeInterception,
+		ApiKeyScopeApiKey,
+		ApiKeyScopeAssignOrgRole,
+		ApiKeyScopeAssignRole,
+		ApiKeyScopeAuditLog,
+		ApiKeyScopeConnectionLog,
+		ApiKeyScopeCryptoKey,
+		ApiKeyScopeDebugInfo,
+		ApiKeyScopeDeploymentConfig,
+		ApiKeyScopeDeploymentStats,
+		ApiKeyScopeFile,
+		ApiKeyScopeGroup,
+		ApiKeyScopeGroupMember,
+		ApiKeyScopeIdpsyncSettings,
+		ApiKeyScopeInboxNotification,
+		ApiKeyScopeLicense,
+		ApiKeyScopeNotificationMessage,
+		ApiKeyScopeNotificationPreference,
+		ApiKeyScopeNotificationTemplate,
+		ApiKeyScopeOauth2App,
+		ApiKeyScopeOauth2AppCodeToken,
+		ApiKeyScopeOauth2AppSecret,
+		ApiKeyScopeOrganization,
+		ApiKeyScopeOrganizationMember,
+		ApiKeyScopePrebuiltWorkspace,
+		ApiKeyScopeProvisionerDaemon,
+		ApiKeyScopeProvisionerJobs,
+		ApiKeyScopeReplicas,
+		ApiKeyScopeSystem,
+		ApiKeyScopeTailnetCoordinator,
+		ApiKeyScopeTemplate,
+		ApiKeyScopeUsageEvent,
+		ApiKeyScopeUser,
+		ApiKeyScopeUserSecret,
+		ApiKeyScopeWebpushSubscription,
+		ApiKeyScopeWorkspace,
+		ApiKeyScopeWorkspaceAgentDevcontainers,
+		ApiKeyScopeWorkspaceAgentResourceMonitor,
+		ApiKeyScopeWorkspaceDormant,
+		ApiKeyScopeWorkspaceProxy:
 		return true
 	}
 	return false
@@ -506,6 +586,46 @@ func AllAPIKeyScopeValues() []APIKeyScope {
 		ApiKeyScopeCoderTemplatesbuild,
 		ApiKeyScopeCoderTemplatesauthor,
 		ApiKeyScopeCoderApikeysmanageSelf,
+		ApiKeyScopeAibridgeInterception,
+		ApiKeyScopeApiKey,
+		ApiKeyScopeAssignOrgRole,
+		ApiKeyScopeAssignRole,
+		ApiKeyScopeAuditLog,
+		ApiKeyScopeConnectionLog,
+		ApiKeyScopeCryptoKey,
+		ApiKeyScopeDebugInfo,
+		ApiKeyScopeDeploymentConfig,
+		ApiKeyScopeDeploymentStats,
+		ApiKeyScopeFile,
+		ApiKeyScopeGroup,
+		ApiKeyScopeGroupMember,
+		ApiKeyScopeIdpsyncSettings,
+		ApiKeyScopeInboxNotification,
+		ApiKeyScopeLicense,
+		ApiKeyScopeNotificationMessage,
+		ApiKeyScopeNotificationPreference,
+		ApiKeyScopeNotificationTemplate,
+		ApiKeyScopeOauth2App,
+		ApiKeyScopeOauth2AppCodeToken,
+		ApiKeyScopeOauth2AppSecret,
+		ApiKeyScopeOrganization,
+		ApiKeyScopeOrganizationMember,
+		ApiKeyScopePrebuiltWorkspace,
+		ApiKeyScopeProvisionerDaemon,
+		ApiKeyScopeProvisionerJobs,
+		ApiKeyScopeReplicas,
+		ApiKeyScopeSystem,
+		ApiKeyScopeTailnetCoordinator,
+		ApiKeyScopeTemplate,
+		ApiKeyScopeUsageEvent,
+		ApiKeyScopeUser,
+		ApiKeyScopeUserSecret,
+		ApiKeyScopeWebpushSubscription,
+		ApiKeyScopeWorkspace,
+		ApiKeyScopeWorkspaceAgentDevcontainers,
+		ApiKeyScopeWorkspaceAgentResourceMonitor,
+		ApiKeyScopeWorkspaceDormant,
+		ApiKeyScopeWorkspaceProxy,
 	}
 }

@@ -5,46 +5,194 @@ const (
 	// Deprecated: use codersdk.APIKeyScopeCoderAll instead.
 	APIKeyScopeAll APIKeyScope = "all"
 	// Deprecated: use codersdk.APIKeyScopeCoderApplicationConnect instead.
-	APIKeyScopeApplicationConnect          APIKeyScope = "application_connect"
-	APIKeyScopeApiKeyAll                   APIKeyScope = "api_key:*"
-	APIKeyScopeApiKeyCreate                APIKeyScope = "api_key:create"
-	APIKeyScopeApiKeyDelete                APIKeyScope = "api_key:delete"
-	APIKeyScopeApiKeyRead                  APIKeyScope = "api_key:read"
-	APIKeyScopeApiKeyUpdate                APIKeyScope = "api_key:update"
-	APIKeyScopeCoderAll                    APIKeyScope = "coder:all"
-	APIKeyScopeCoderApikeysManageSelf      APIKeyScope = "coder:apikeys.manage_self"
-	APIKeyScopeCoderApplicationConnect     APIKeyScope = "coder:application_connect"
-	APIKeyScopeCoderTemplatesAuthor        APIKeyScope = "coder:templates.author"
-	APIKeyScopeCoderTemplatesBuild         APIKeyScope = "coder:templates.build"
-	APIKeyScopeCoderWorkspacesAccess       APIKeyScope = "coder:workspaces.access"
-	APIKeyScopeCoderWorkspacesCreate       APIKeyScope = "coder:workspaces.create"
-	APIKeyScopeCoderWorkspacesDelete       APIKeyScope = "coder:workspaces.delete"
-	APIKeyScopeCoderWorkspacesOperate      APIKeyScope = "coder:workspaces.operate"
-	APIKeyScopeFileAll                     APIKeyScope = "file:*"
-	APIKeyScopeFileCreate                  APIKeyScope = "file:create"
-	APIKeyScopeFileRead                    APIKeyScope = "file:read"
-	APIKeyScopeTemplateAll                 APIKeyScope = "template:*"
-	APIKeyScopeTemplateCreate              APIKeyScope = "template:create"
-	APIKeyScopeTemplateDelete              APIKeyScope = "template:delete"
-	APIKeyScopeTemplateRead                APIKeyScope = "template:read"
-	APIKeyScopeTemplateUpdate              APIKeyScope = "template:update"
-	APIKeyScopeTemplateUse                 APIKeyScope = "template:use"
-	APIKeyScopeUserReadPersonal            APIKeyScope = "user:read_personal"
-	APIKeyScopeUserUpdatePersonal          APIKeyScope = "user:update_personal"
-	APIKeyScopeUserSecretAll               APIKeyScope = "user_secret:*"
-	APIKeyScopeUserSecretCreate            APIKeyScope = "user_secret:create"
-	APIKeyScopeUserSecretDelete            APIKeyScope = "user_secret:delete"
-	APIKeyScopeUserSecretRead              APIKeyScope = "user_secret:read"
-	APIKeyScopeUserSecretUpdate            APIKeyScope = "user_secret:update"
-	APIKeyScopeWorkspaceAll                APIKeyScope = "workspace:*"
-	APIKeyScopeWorkspaceApplicationConnect APIKeyScope = "workspace:application_connect"
-	APIKeyScopeWorkspaceCreate             APIKeyScope = "workspace:create"
-	APIKeyScopeWorkspaceDelete             APIKeyScope = "workspace:delete"
-	APIKeyScopeWorkspaceRead               APIKeyScope = "workspace:read"
-	APIKeyScopeWorkspaceSsh                APIKeyScope = "workspace:ssh"
-	APIKeyScopeWorkspaceStart              APIKeyScope = "workspace:start"
-	APIKeyScopeWorkspaceStop               APIKeyScope = "workspace:stop"
-	APIKeyScopeWorkspaceUpdate             APIKeyScope = "workspace:update"
+	APIKeyScopeApplicationConnect                  APIKeyScope = "application_connect"
+	APIKeyScopeAibridgeInterceptionAll             APIKeyScope = "aibridge_interception:*"
+	APIKeyScopeAibridgeInterceptionCreate          APIKeyScope = "aibridge_interception:create"
+	APIKeyScopeAibridgeInterceptionRead            APIKeyScope = "aibridge_interception:read"
+	APIKeyScopeAibridgeInterceptionUpdate          APIKeyScope = "aibridge_interception:update"
+	APIKeyScopeApiKeyAll                           APIKeyScope = "api_key:*"
+	APIKeyScopeApiKeyCreate                        APIKeyScope = "api_key:create"
+	APIKeyScopeApiKeyDelete                        APIKeyScope = "api_key:delete"
+	APIKeyScopeApiKeyRead                          APIKeyScope = "api_key:read"
+	APIKeyScopeApiKeyUpdate                        APIKeyScope = "api_key:update"
+	APIKeyScopeAssignOrgRoleAll                    APIKeyScope = "assign_org_role:*"
+	APIKeyScopeAssignOrgRoleAssign                 APIKeyScope = "assign_org_role:assign"
+	APIKeyScopeAssignOrgRoleCreate                 APIKeyScope = "assign_org_role:create"
+	APIKeyScopeAssignOrgRoleDelete                 APIKeyScope = "assign_org_role:delete"
+	APIKeyScopeAssignOrgRoleRead                   APIKeyScope = "assign_org_role:read"
+	APIKeyScopeAssignOrgRoleUnassign               APIKeyScope = "assign_org_role:unassign"
+	APIKeyScopeAssignOrgRoleUpdate                 APIKeyScope = "assign_org_role:update"
+	APIKeyScopeAssignRoleAll                       APIKeyScope = "assign_role:*"
+	APIKeyScopeAssignRoleAssign                    APIKeyScope = "assign_role:assign"
+	APIKeyScopeAssignRoleRead                      APIKeyScope = "assign_role:read"
+	APIKeyScopeAssignRoleUnassign                  APIKeyScope = "assign_role:unassign"
+	APIKeyScopeAuditLogAll                         APIKeyScope = "audit_log:*"
+	APIKeyScopeAuditLogCreate                      APIKeyScope = "audit_log:create"
+	APIKeyScopeAuditLogRead                        APIKeyScope = "audit_log:read"
+	APIKeyScopeCoderAll                            APIKeyScope = "coder:all"
+	APIKeyScopeCoderApikeysManageSelf              APIKeyScope = "coder:apikeys.manage_self"
+	APIKeyScopeCoderApplicationConnect             APIKeyScope = "coder:application_connect"
+	APIKeyScopeCoderTemplatesAuthor                APIKeyScope = "coder:templates.author"
+	APIKeyScopeCoderTemplatesBuild                 APIKeyScope = "coder:templates.build"
+	APIKeyScopeCoderWorkspacesAccess               APIKeyScope = "coder:workspaces.access"
+	APIKeyScopeCoderWorkspacesCreate               APIKeyScope = "coder:workspaces.create"
+	APIKeyScopeCoderWorkspacesDelete               APIKeyScope = "coder:workspaces.delete"
+	APIKeyScopeCoderWorkspacesOperate              APIKeyScope = "coder:workspaces.operate"
+	APIKeyScopeConnectionLogAll                    APIKeyScope = "connection_log:*"
+	APIKeyScopeConnectionLogRead                   APIKeyScope = "connection_log:read"
+	APIKeyScopeConnectionLogUpdate                 APIKeyScope = "connection_log:update"
+	APIKeyScopeCryptoKeyAll                        APIKeyScope = "crypto_key:*"
+	APIKeyScopeCryptoKeyCreate                     APIKeyScope = "crypto_key:create"
+	APIKeyScopeCryptoKeyDelete                     APIKeyScope = "crypto_key:delete"
+	APIKeyScopeCryptoKeyRead                       APIKeyScope = "crypto_key:read"
+	APIKeyScopeCryptoKeyUpdate                     APIKeyScope = "crypto_key:update"
+	APIKeyScopeDebugInfoAll                        APIKeyScope = "debug_info:*"
+	APIKeyScopeDebugInfoRead                       APIKeyScope = "debug_info:read"
+	APIKeyScopeDeploymentConfigAll                 APIKeyScope = "deployment_config:*"
+	APIKeyScopeDeploymentConfigRead                APIKeyScope = "deployment_config:read"
+	APIKeyScopeDeploymentConfigUpdate              APIKeyScope = "deployment_config:update"
+	APIKeyScopeDeploymentStatsAll                  APIKeyScope = "deployment_stats:*"
+	APIKeyScopeDeploymentStatsRead                 APIKeyScope = "deployment_stats:read"
+	APIKeyScopeFileAll                             APIKeyScope = "file:*"
+	APIKeyScopeFileCreate                          APIKeyScope = "file:create"
+	APIKeyScopeFileRead                            APIKeyScope = "file:read"
+	APIKeyScopeGroupAll                            APIKeyScope = "group:*"
+	APIKeyScopeGroupCreate                         APIKeyScope = "group:create"
+	APIKeyScopeGroupDelete                         APIKeyScope = "group:delete"
+	APIKeyScopeGroupRead                           APIKeyScope = "group:read"
+	APIKeyScopeGroupUpdate                         APIKeyScope = "group:update"
+	APIKeyScopeGroupMemberAll                      APIKeyScope = "group_member:*"
+	APIKeyScopeGroupMemberRead                     APIKeyScope = "group_member:read"
+	APIKeyScopeIdpsyncSettingsAll                  APIKeyScope = "idpsync_settings:*"
+	APIKeyScopeIdpsyncSettingsRead                 APIKeyScope = "idpsync_settings:read"
+	APIKeyScopeIdpsyncSettingsUpdate               APIKeyScope = "idpsync_settings:update"
+	APIKeyScopeInboxNotificationAll                APIKeyScope = "inbox_notification:*"
+	APIKeyScopeInboxNotificationCreate             APIKeyScope = "inbox_notification:create"
+	APIKeyScopeInboxNotificationRead               APIKeyScope = "inbox_notification:read"
+	APIKeyScopeInboxNotificationUpdate             APIKeyScope = "inbox_notification:update"
+	APIKeyScopeLicenseAll                          APIKeyScope = "license:*"
+	APIKeyScopeLicenseCreate                       APIKeyScope = "license:create"
+	APIKeyScopeLicenseDelete                       APIKeyScope = "license:delete"
+	APIKeyScopeLicenseRead                         APIKeyScope = "license:read"
+	APIKeyScopeNotificationMessageAll              APIKeyScope = "notification_message:*"
+	APIKeyScopeNotificationMessageCreate           APIKeyScope = "notification_message:create"
+	APIKeyScopeNotificationMessageDelete           APIKeyScope = "notification_message:delete"
+	APIKeyScopeNotificationMessageRead             APIKeyScope = "notification_message:read"
+	APIKeyScopeNotificationMessageUpdate           APIKeyScope = "notification_message:update"
+	APIKeyScopeNotificationPreferenceAll           APIKeyScope = "notification_preference:*"
+	APIKeyScopeNotificationPreferenceRead          APIKeyScope = "notification_preference:read"
+	APIKeyScopeNotificationPreferenceUpdate        APIKeyScope = "notification_preference:update"
+	APIKeyScopeNotificationTemplateAll             APIKeyScope = "notification_template:*"
+	APIKeyScopeNotificationTemplateRead            APIKeyScope = "notification_template:read"
+	APIKeyScopeNotificationTemplateUpdate          APIKeyScope = "notification_template:update"
+	APIKeyScopeOauth2AppAll                        APIKeyScope = "oauth2_app:*"
+	APIKeyScopeOauth2AppCreate                     APIKeyScope = "oauth2_app:create"
+	APIKeyScopeOauth2AppDelete                     APIKeyScope = "oauth2_app:delete"
+	APIKeyScopeOauth2AppRead                       APIKeyScope = "oauth2_app:read"
+	APIKeyScopeOauth2AppUpdate                     APIKeyScope = "oauth2_app:update"
+	APIKeyScopeOauth2AppCodeTokenAll               APIKeyScope = "oauth2_app_code_token:*"
+	APIKeyScopeOauth2AppCodeTokenCreate            APIKeyScope = "oauth2_app_code_token:create"
+	APIKeyScopeOauth2AppCodeTokenDelete            APIKeyScope = "oauth2_app_code_token:delete"
+	APIKeyScopeOauth2AppCodeTokenRead              APIKeyScope = "oauth2_app_code_token:read"
+	APIKeyScopeOauth2AppSecretAll                  APIKeyScope = "oauth2_app_secret:*"
+	APIKeyScopeOauth2AppSecretCreate               APIKeyScope = "oauth2_app_secret:create"
+	APIKeyScopeOauth2AppSecretDelete               APIKeyScope = "oauth2_app_secret:delete"
+	APIKeyScopeOauth2AppSecretRead                 APIKeyScope = "oauth2_app_secret:read"
+	APIKeyScopeOauth2AppSecretUpdate               APIKeyScope = "oauth2_app_secret:update"
+	APIKeyScopeOrganizationAll                     APIKeyScope = "organization:*"
+	APIKeyScopeOrganizationCreate                  APIKeyScope = "organization:create"
+	APIKeyScopeOrganizationDelete                  APIKeyScope = "organization:delete"
+	APIKeyScopeOrganizationRead                    APIKeyScope = "organization:read"
+	APIKeyScopeOrganizationUpdate                  APIKeyScope = "organization:update"
+	APIKeyScopeOrganizationMemberAll               APIKeyScope = "organization_member:*"
+	APIKeyScopeOrganizationMemberCreate            APIKeyScope = "organization_member:create"
+	APIKeyScopeOrganizationMemberDelete            APIKeyScope = "organization_member:delete"
+	APIKeyScopeOrganizationMemberRead              APIKeyScope = "organization_member:read"
+	APIKeyScopeOrganizationMemberUpdate            APIKeyScope = "organization_member:update"
+	APIKeyScopePrebuiltWorkspaceAll                APIKeyScope = "prebuilt_workspace:*"
+	APIKeyScopePrebuiltWorkspaceDelete             APIKeyScope = "prebuilt_workspace:delete"
+	APIKeyScopePrebuiltWorkspaceUpdate             APIKeyScope = "prebuilt_workspace:update"
+	APIKeyScopeProvisionerDaemonAll                APIKeyScope = "provisioner_daemon:*"
+	APIKeyScopeProvisionerDaemonCreate             APIKeyScope = "provisioner_daemon:create"
+	APIKeyScopeProvisionerDaemonDelete             APIKeyScope = "provisioner_daemon:delete"
+	APIKeyScopeProvisionerDaemonRead               APIKeyScope = "provisioner_daemon:read"
+	APIKeyScopeProvisionerDaemonUpdate             APIKeyScope = "provisioner_daemon:update"
+	APIKeyScopeProvisionerJobsAll                  APIKeyScope = "provisioner_jobs:*"
+	APIKeyScopeProvisionerJobsCreate               APIKeyScope = "provisioner_jobs:create"
+	APIKeyScopeProvisionerJobsRead                 APIKeyScope = "provisioner_jobs:read"
+	APIKeyScopeProvisionerJobsUpdate               APIKeyScope = "provisioner_jobs:update"
+	APIKeyScopeReplicasAll                         APIKeyScope = "replicas:*"
+	APIKeyScopeReplicasRead                        APIKeyScope = "replicas:read"
+	APIKeyScopeSystemAll                           APIKeyScope = "system:*"
+	APIKeyScopeSystemCreate                        APIKeyScope = "system:create"
+	APIKeyScopeSystemDelete                        APIKeyScope = "system:delete"
+	APIKeyScopeSystemRead                          APIKeyScope = "system:read"
+	APIKeyScopeSystemUpdate                        APIKeyScope = "system:update"
+	APIKeyScopeTailnetCoordinatorAll               APIKeyScope = "tailnet_coordinator:*"
+	APIKeyScopeTailnetCoordinatorCreate            APIKeyScope = "tailnet_coordinator:create"
+	APIKeyScopeTailnetCoordinatorDelete            APIKeyScope = "tailnet_coordinator:delete"
+	APIKeyScopeTailnetCoordinatorRead              APIKeyScope = "tailnet_coordinator:read"
+	APIKeyScopeTailnetCoordinatorUpdate            APIKeyScope = "tailnet_coordinator:update"
+	APIKeyScopeTemplateAll                         APIKeyScope = "template:*"
+	APIKeyScopeTemplateCreate                      APIKeyScope = "template:create"
+	APIKeyScopeTemplateDelete                      APIKeyScope = "template:delete"
+	APIKeyScopeTemplateRead                        APIKeyScope = "template:read"
+	APIKeyScopeTemplateUpdate                      APIKeyScope = "template:update"
+	APIKeyScopeTemplateUse                         APIKeyScope = "template:use"
+	APIKeyScopeTemplateViewInsights                APIKeyScope = "template:view_insights"
+	APIKeyScopeUsageEventAll                       APIKeyScope = "usage_event:*"
+	APIKeyScopeUsageEventCreate                    APIKeyScope = "usage_event:create"
+	APIKeyScopeUsageEventRead                      APIKeyScope = "usage_event:read"
+	APIKeyScopeUsageEventUpdate                    APIKeyScope = "usage_event:update"
+	APIKeyScopeUserAll                             APIKeyScope = "user:*"
+	APIKeyScopeUserCreate                          APIKeyScope = "user:create"
+	APIKeyScopeUserDelete                          APIKeyScope = "user:delete"
+	APIKeyScopeUserRead                            APIKeyScope = "user:read"
+	APIKeyScopeUserReadPersonal                    APIKeyScope = "user:read_personal"
+	APIKeyScopeUserUpdate                          APIKeyScope = "user:update"
+	APIKeyScopeUserUpdatePersonal                  APIKeyScope = "user:update_personal"
+	APIKeyScopeUserSecretAll                       APIKeyScope = "user_secret:*"
+	APIKeyScopeUserSecretCreate                    APIKeyScope = "user_secret:create"
+	APIKeyScopeUserSecretDelete                    APIKeyScope = "user_secret:delete"
+	APIKeyScopeUserSecretRead                      APIKeyScope = "user_secret:read"
+	APIKeyScopeUserSecretUpdate                    APIKeyScope = "user_secret:update"
+	APIKeyScopeWebpushSubscriptionAll              APIKeyScope = "webpush_subscription:*"
+	APIKeyScopeWebpushSubscriptionCreate           APIKeyScope = "webpush_subscription:create"
+	APIKeyScopeWebpushSubscriptionDelete           APIKeyScope = "webpush_subscription:delete"
+	APIKeyScopeWebpushSubscriptionRead             APIKeyScope = "webpush_subscription:read"
+	APIKeyScopeWorkspaceAll                        APIKeyScope = "workspace:*"
+	APIKeyScopeWorkspaceApplicationConnect         APIKeyScope = "workspace:application_connect"
+	APIKeyScopeWorkspaceCreate                     APIKeyScope = "workspace:create"
+	APIKeyScopeWorkspaceCreateAgent                APIKeyScope = "workspace:create_agent"
+	APIKeyScopeWorkspaceDelete                     APIKeyScope = "workspace:delete"
+	APIKeyScopeWorkspaceDeleteAgent                APIKeyScope = "workspace:delete_agent"
+	APIKeyScopeWorkspaceRead                       APIKeyScope = "workspace:read"
+	APIKeyScopeWorkspaceSsh                        APIKeyScope = "workspace:ssh"
+	APIKeyScopeWorkspaceStart                      APIKeyScope = "workspace:start"
+	APIKeyScopeWorkspaceStop                       APIKeyScope = "workspace:stop"
+	APIKeyScopeWorkspaceUpdate                     APIKeyScope = "workspace:update"
+	APIKeyScopeWorkspaceAgentDevcontainersAll      APIKeyScope = "workspace_agent_devcontainers:*"
+	APIKeyScopeWorkspaceAgentDevcontainersCreate   APIKeyScope = "workspace_agent_devcontainers:create"
+	APIKeyScopeWorkspaceAgentResourceMonitorAll    APIKeyScope = "workspace_agent_resource_monitor:*"
+	APIKeyScopeWorkspaceAgentResourceMonitorCreate APIKeyScope = "workspace_agent_resource_monitor:create"
+	APIKeyScopeWorkspaceAgentResourceMonitorRead   APIKeyScope = "workspace_agent_resource_monitor:read"
+	APIKeyScopeWorkspaceAgentResourceMonitorUpdate APIKeyScope = "workspace_agent_resource_monitor:update"
+	APIKeyScopeWorkspaceDormantAll                 APIKeyScope = "workspace_dormant:*"
+	APIKeyScopeWorkspaceDormantApplicationConnect  APIKeyScope = "workspace_dormant:application_connect"
+	APIKeyScopeWorkspaceDormantCreate              APIKeyScope = "workspace_dormant:create"
+	APIKeyScopeWorkspaceDormantCreateAgent         APIKeyScope = "workspace_dormant:create_agent"
+	APIKeyScopeWorkspaceDormantDelete              APIKeyScope = "workspace_dormant:delete"
+	APIKeyScopeWorkspaceDormantDeleteAgent         APIKeyScope = "workspace_dormant:delete_agent"
+	APIKeyScopeWorkspaceDormantRead                APIKeyScope = "workspace_dormant:read"
+	APIKeyScopeWorkspaceDormantSsh                 APIKeyScope = "workspace_dormant:ssh"
+	APIKeyScopeWorkspaceDormantStart               APIKeyScope = "workspace_dormant:start"
+	APIKeyScopeWorkspaceDormantStop                APIKeyScope = "workspace_dormant:stop"
+	APIKeyScopeWorkspaceDormantUpdate              APIKeyScope = "workspace_dormant:update"
+	APIKeyScopeWorkspaceProxyAll                   APIKeyScope = "workspace_proxy:*"
+	APIKeyScopeWorkspaceProxyCreate                APIKeyScope = "workspace_proxy:create"
+	APIKeyScopeWorkspaceProxyDelete                APIKeyScope = "workspace_proxy:delete"
+	APIKeyScopeWorkspaceProxyRead                  APIKeyScope = "workspace_proxy:read"
+	APIKeyScopeWorkspaceProxyUpdate                APIKeyScope = "workspace_proxy:update"
 )

 // PublicAPIKeyScopes lists all public low-level API key scopes.
@@ -711,49 +711,197 @@

 #### Enumerated Values

-| Value                           |
-|---------------------------------|
-| `all`                           |
-| `application_connect`           |
-| `api_key:*`                     |
-| `api_key:create`                |
-| `api_key:delete`                |
-| `api_key:read`                  |
-| `api_key:update`                |
-| `coder:all`                     |
-| `coder:apikeys.manage_self`     |
-| `coder:application_connect`     |
-| `coder:templates.author`        |
-| `coder:templates.build`         |
-| `coder:workspaces.access`       |
-| `coder:workspaces.create`       |
-| `coder:workspaces.delete`       |
-| `coder:workspaces.operate`      |
-| `file:*`                        |
-| `file:create`                   |
-| `file:read`                     |
-| `template:*`                    |
-| `template:create`               |
-| `template:delete`               |
-| `template:read`                 |
-| `template:update`               |
-| `template:use`                  |
-| `user:read_personal`            |
-| `user:update_personal`          |
-| `user_secret:*`                 |
-| `user_secret:create`            |
-| `user_secret:delete`            |
-| `user_secret:read`              |
-| `user_secret:update`            |
-| `workspace:*`                   |
-| `workspace:application_connect` |
-| `workspace:create`              |
-| `workspace:delete`              |
-| `workspace:read`                |
-| `workspace:ssh`                 |
-| `workspace:start`               |
-| `workspace:stop`                |
-| `workspace:update`              |
+| Value                                     |
+|-------------------------------------------|
+| `all`                                     |
+| `application_connect`                     |
+| `aibridge_interception:*`                 |
+| `aibridge_interception:create`            |
+| `aibridge_interception:read`              |
+| `aibridge_interception:update`            |
+| `api_key:*`                               |
+| `api_key:create`                          |
+| `api_key:delete`                          |
+| `api_key:read`                            |
+| `api_key:update`                          |
+| `assign_org_role:*`                       |
+| `assign_org_role:assign`                  |
+| `assign_org_role:create`                  |
+| `assign_org_role:delete`                  |
+| `assign_org_role:read`                    |
+| `assign_org_role:unassign`                |
+| `assign_org_role:update`                  |
+| `assign_role:*`                           |
+| `assign_role:assign`                      |
+| `assign_role:read`                        |
+| `assign_role:unassign`                    |
+| `audit_log:*`                             |
+| `audit_log:create`                        |
+| `audit_log:read`                          |
+| `coder:all`                               |
+| `coder:apikeys.manage_self`               |
+| `coder:application_connect`               |
+| `coder:templates.author`                  |
+| `coder:templates.build`                   |
+| `coder:workspaces.access`                 |
+| `coder:workspaces.create`                 |
+| `coder:workspaces.delete`                 |
+| `coder:workspaces.operate`                |
+| `connection_log:*`                        |
+| `connection_log:read`                     |
+| `connection_log:update`                   |
+| `crypto_key:*`                            |
+| `crypto_key:create`                       |
+| `crypto_key:delete`                       |
+| `crypto_key:read`                         |
+| `crypto_key:update`                       |
+| `debug_info:*`                            |
+| `debug_info:read`                         |
+| `deployment_config:*`                     |
+| `deployment_config:read`                  |
+| `deployment_config:update`                |
+| `deployment_stats:*`                      |
+| `deployment_stats:read`                   |
+| `file:*`                                  |
+| `file:create`                             |
+| `file:read`                               |
+| `group:*`                                 |
+| `group:create`                            |
+| `group:delete`                            |
+| `group:read`                              |
+| `group:update`                            |
+| `group_member:*`                          |
+| `group_member:read`                       |
+| `idpsync_settings:*`                      |
+| `idpsync_settings:read`                   |
+| `idpsync_settings:update`                 |
+| `inbox_notification:*`                    |
+| `inbox_notification:create`               |
+| `inbox_notification:read`                 |
+| `inbox_notification:update`               |
+| `license:*`                               |
+| `license:create`                          |
+| `license:delete`                          |
+| `license:read`                            |
+| `notification_message:*`                  |
+| `notification_message:create`             |
+| `notification_message:delete`             |
+| `notification_message:read`               |
+| `notification_message:update`             |
+| `notification_preference:*`               |
+| `notification_preference:read`            |
+| `notification_preference:update`          |
+| `notification_template:*`                 |
+| `notification_template:read`              |
+| `notification_template:update`            |
+| `oauth2_app:*`                            |
+| `oauth2_app:create`                       |
+| `oauth2_app:delete`                       |
+| `oauth2_app:read`                         |
+| `oauth2_app:update`                       |
+| `oauth2_app_code_token:*`                 |
+| `oauth2_app_code_token:create`            |
+| `oauth2_app_code_token:delete`            |
+| `oauth2_app_code_token:read`              |
+| `oauth2_app_secret:*`                     |
+| `oauth2_app_secret:create`                |
+| `oauth2_app_secret:delete`                |
+| `oauth2_app_secret:read`                  |
+| `oauth2_app_secret:update`                |
+| `organization:*`                          |
+| `organization:create`                     |
+| `organization:delete`                     |
+| `organization:read`                       |
+| `organization:update`                     |
+| `organization_member:*`                   |
+| `organization_member:create`              |
+| `organization_member:delete`              |
+| `organization_member:read`                |
+| `organization_member:update`              |
+| `prebuilt_workspace:*`                    |
+| `prebuilt_workspace:delete`               |
+| `prebuilt_workspace:update`               |
+| `provisioner_daemon:*`                    |
+| `provisioner_daemon:create`               |
+| `provisioner_daemon:delete`               |
+| `provisioner_daemon:read`                 |
+| `provisioner_daemon:update`               |
+| `provisioner_jobs:*`                      |
+| `provisioner_jobs:create`                 |
+| `provisioner_jobs:read`                   |
+| `provisioner_jobs:update`                 |
+| `replicas:*`                              |
+| `replicas:read`                           |
+| `system:*`                                |
+| `system:create`                           |
+| `system:delete`                           |
+| `system:read`                             |
+| `system:update`                           |
+| `tailnet_coordinator:*`                   |
+| `tailnet_coordinator:create`              |
+| `tailnet_coordinator:delete`              |
+| `tailnet_coordinator:read`                |
+| `tailnet_coordinator:update`              |
+| `template:*`                              |
+| `template:create`                         |
+| `template:delete`                         |
+| `template:read`                           |
+| `template:update`                         |
+| `template:use`                            |
+| `template:view_insights`                  |
+| `usage_event:*`                           |
+| `usage_event:create`                      |
+| `usage_event:read`                        |
+| `usage_event:update`                      |
+| `user:*`                                  |
+| `user:create`                             |
+| `user:delete`                             |
+| `user:read`                               |
+| `user:read_personal`                      |
+| `user:update`                             |
+| `user:update_personal`                    |
+| `user_secret:*`                           |
+| `user_secret:create`                      |
+| `user_secret:delete`                      |
+| `user_secret:read`                        |
+| `user_secret:update`                      |
+| `webpush_subscription:*`                  |
+| `webpush_subscription:create`             |
+| `webpush_subscription:delete`             |
+| `webpush_subscription:read`               |
+| `workspace:*`                             |
+| `workspace:application_connect`           |
+| `workspace:create`                        |
+| `workspace:create_agent`                  |
+| `workspace:delete`                        |
+| `workspace:delete_agent`                  |
+| `workspace:read`                          |
+| `workspace:ssh`                           |
+| `workspace:start`                         |
+| `workspace:stop`                          |
+| `workspace:update`                        |
+| `workspace_agent_devcontainers:*`         |
+| `workspace_agent_devcontainers:create`    |
+| `workspace_agent_resource_monitor:*`      |
+| `workspace_agent_resource_monitor:create` |
+| `workspace_agent_resource_monitor:read`   |
+| `workspace_agent_resource_monitor:update` |
+| `workspace_dormant:*`                     |
+| `workspace_dormant:application_connect`   |
+| `workspace_dormant:create`                |
+| `workspace_dormant:create_agent`          |
+| `workspace_dormant:delete`                |
+| `workspace_dormant:delete_agent`          |
+| `workspace_dormant:read`                  |
+| `workspace_dormant:ssh`                   |
+| `workspace_dormant:start`                 |
+| `workspace_dormant:stop`                  |
+| `workspace_dormant:update`                |
+| `workspace_proxy:*`                       |
+| `workspace_proxy:create`                  |
+| `workspace_proxy:delete`                  |
+| `workspace_proxy:read`                    |
+| `workspace_proxy:update`                  |

 ## codersdk.AddLicenseRequest

@@ -25,8 +25,8 @@ func main() {
 }

 func generate() ([]byte, error) {
-	names := rbac.ExternalScopeNames()
-	slices.Sort(names)
+	allNames := collectAllScopeNames()
+	publicNames := rbac.ExternalScopeNames()

 	var b bytes.Buffer
 	if _, err := b.WriteString("// Code generated by scripts/apikeyscopesgen. DO NOT EDIT.\n"); err != nil {
@@ -61,13 +61,9 @@ func generate() ([]byte, error) {
 	if _, err := b.WriteString("\tAPIKeyScopeApplicationConnect APIKeyScope = \"application_connect\"\n"); err != nil {
 		return nil, err
 	}
-	for _, n := range names {
-		res, act := splitRA(n)
-		if act == policy.WildcardSymbol {
-			act = "All"
-		}
-		constName := fmt.Sprintf("APIKeyScope%s%s", pascal(res), pascal(act))
-		if _, err := fmt.Fprintf(&b, "\t%s APIKeyScope = \"%s\"\n", constName, n); err != nil {
+	for _, name := range allNames {
+		constName := constNameForScope(name)
+		if _, err := fmt.Fprintf(&b, "\t%s APIKeyScope = \"%s\"\n", constName, name); err != nil {
 			return nil, err
 		}
 	}
@@ -82,12 +78,8 @@ func generate() ([]byte, error) {
 	if _, err := b.WriteString("var PublicAPIKeyScopes = []APIKeyScope{\n"); err != nil {
 		return nil, err
 	}
-	for _, n := range names {
-		res, act := splitRA(n)
-		if act == policy.WildcardSymbol {
-			act = "All"
-		}
-		constName := fmt.Sprintf("APIKeyScope%s%s", pascal(res), pascal(act))
+	for _, name := range publicNames {
+		constName := constNameForScope(name)
 		if _, err := fmt.Fprintf(&b, "\t%s,\n", constName); err != nil {
 			return nil, err
 		}
@@ -99,6 +91,54 @@ func generate() ([]byte, error) {
 	return format.Source(b.Bytes())
 }

+func collectAllScopeNames() []string {
+	seen := make(map[string]struct{})
+	var names []string
+	add := func(name string) {
+		if name == "" {
+			return
+		}
+		if _, ok := seen[name]; ok {
+			return
+		}
+		seen[name] = struct{}{}
+		names = append(names, name)
+	}
+
+	for resource, def := range policy.RBACPermissions {
+		if resource == policy.WildcardSymbol {
+			continue
+		}
+		add(resource + ":" + policy.WildcardSymbol)
+		for action := range def.Actions {
+			add(resource + ":" + string(action))
+		}
+	}
+
+	for _, name := range rbac.CompositeScopeNames() {
+		add(name)
+	}
+
+	for _, name := range rbac.BuiltinScopeNames() {
+		s := string(name)
+		if !strings.Contains(s, ":") {
+			continue
+		}
+		add(s)
+	}
+
+	slices.Sort(names)
+	return names
+}
+
+func constNameForScope(name string) string {
+	resource, action := splitRA(name)
+	if action == policy.WildcardSymbol {
+		action = "All"
+	}
+	return fmt.Sprintf("APIKeyScope%s%s", pascal(resource), pascal(action))
+}
+
 func splitRA(name string) (resource string, action string) {
 	parts := strings.SplitN(name, ":", 2)
 	if len(parts) != 2 {
@@ -58,23 +58,37 @@ func main() {
 	os.Exit(1)
 }

-// expectedFromRBAC returns the set of <resource>:<action> pairs derived from RBACPermissions.
+// expectedFromRBAC returns the set of scope names the DB enum must support.
 func expectedFromRBAC() map[string]struct{} {
 	want := make(map[string]struct{})
-	// Low-level <resource>:<action>
+	add := func(name string) {
+		if name == "" {
+			return
+		}
+		want[name] = struct{}{}
+	}
+	// Low-level <resource>:<action> and synthesized <resource>:* wildcards
 	for resource, def := range policy.RBACPermissions {
 		if resource == policy.WildcardSymbol {
 			// Ignore wildcard entry; it has no concrete <resource>:<action> pairs.
 			continue
 		}
+		add(resource + ":" + policy.WildcardSymbol)
 		for action := range def.Actions {
-			key := resource + ":" + string(action)
-			want[key] = struct{}{}
+			add(resource + ":" + string(action))
 		}
 	}
 	// Composite coder:* names
 	for _, n := range rbac.CompositeScopeNames() {
-		want[n] = struct{}{}
+		add(n)
+	}
+	// Built-in coder-prefixed scopes such as coder:all
+	for _, n := range rbac.BuiltinScopeNames() {
+		s := string(n)
+		if !strings.Contains(s, ":") {
+			continue
+		}
+		add(s)
 	}
 	return want
 }
@@ -1,32 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"sort"
-
-	"github.com/coder/coder/v2/coderd/rbac"
-	"github.com/coder/coder/v2/coderd/rbac/policy"
-)
-
-func main() {
-	seen := map[string]struct{}{}
-	var vals []string
-	for resource, def := range policy.RBACPermissions {
-		if resource == policy.WildcardSymbol {
-			continue
-		}
-		for action := range def.Actions {
-			vals = append(vals, fmt.Sprintf("%s:%s", resource, action))
-		}
-	}
-	// Include composite coder:* scopes as first-class enum values
-	vals = append(vals, rbac.CompositeScopeNames()...)
-	sort.Strings(vals)
-	for _, v := range vals {
-		if _, ok := seen[v]; ok {
-			continue
-		}
-		seen[v] = struct{}{}
-		_, _ = fmt.Printf("ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS '%s';\n", v)
-	}
-}
@@ -112,6 +112,10 @@ export interface APIKey {

 // From codersdk/apikey.go
 export type APIKeyScope =
+	| "aibridge_interception:*"
+	| "aibridge_interception:create"
+	| "aibridge_interception:read"
+	| "aibridge_interception:update"
 	| "all"
 	| "api_key:*"
 	| "api_key:create"
@@ -119,6 +123,20 @@ export type APIKeyScope =
 	| "api_key:read"
 	| "api_key:update"
 	| "application_connect"
+	| "assign_org_role:*"
+	| "assign_org_role:assign"
+	| "assign_org_role:create"
+	| "assign_org_role:delete"
+	| "assign_org_role:read"
+	| "assign_org_role:unassign"
+	| "assign_org_role:update"
+	| "assign_role:*"
+	| "assign_role:assign"
+	| "assign_role:read"
+	| "assign_role:unassign"
+	| "audit_log:*"
+	| "audit_log:create"
+	| "audit_log:read"
 	| "coder:all"
 	| "coder:apikeys.manage_self"
 	| "coder:application_connect"
@@ -128,26 +146,156 @@ export type APIKeyScope =
 	| "coder:workspaces.create"
 	| "coder:workspaces.delete"
 	| "coder:workspaces.operate"
+	| "connection_log:*"
+	| "connection_log:read"
+	| "connection_log:update"
+	| "crypto_key:*"
+	| "crypto_key:create"
+	| "crypto_key:delete"
+	| "crypto_key:read"
+	| "crypto_key:update"
+	| "debug_info:*"
+	| "debug_info:read"
+	| "deployment_config:*"
+	| "deployment_config:read"
+	| "deployment_config:update"
+	| "deployment_stats:*"
+	| "deployment_stats:read"
 	| "file:*"
 	| "file:create"
 	| "file:read"
+	| "group:*"
+	| "group:create"
+	| "group:delete"
+	| "group_member:*"
+	| "group_member:read"
+	| "group:read"
+	| "group:update"
+	| "idpsync_settings:*"
+	| "idpsync_settings:read"
+	| "idpsync_settings:update"
+	| "inbox_notification:*"
+	| "inbox_notification:create"
+	| "inbox_notification:read"
+	| "inbox_notification:update"
+	| "license:*"
+	| "license:create"
+	| "license:delete"
+	| "license:read"
+	| "notification_message:*"
+	| "notification_message:create"
+	| "notification_message:delete"
+	| "notification_message:read"
+	| "notification_message:update"
+	| "notification_preference:*"
+	| "notification_preference:read"
+	| "notification_preference:update"
+	| "notification_template:*"
+	| "notification_template:read"
+	| "notification_template:update"
+	| "oauth2_app:*"
+	| "oauth2_app_code_token:*"
+	| "oauth2_app_code_token:create"
+	| "oauth2_app_code_token:delete"
+	| "oauth2_app_code_token:read"
+	| "oauth2_app:create"
+	| "oauth2_app:delete"
+	| "oauth2_app:read"
+	| "oauth2_app_secret:*"
+	| "oauth2_app_secret:create"
+	| "oauth2_app_secret:delete"
+	| "oauth2_app_secret:read"
+	| "oauth2_app_secret:update"
+	| "oauth2_app:update"
+	| "organization:*"
+	| "organization:create"
+	| "organization:delete"
+	| "organization_member:*"
+	| "organization_member:create"
+	| "organization_member:delete"
+	| "organization_member:read"
+	| "organization_member:update"
+	| "organization:read"
+	| "organization:update"
+	| "prebuilt_workspace:*"
+	| "prebuilt_workspace:delete"
+	| "prebuilt_workspace:update"
+	| "provisioner_daemon:*"
+	| "provisioner_daemon:create"
+	| "provisioner_daemon:delete"
+	| "provisioner_daemon:read"
+	| "provisioner_daemon:update"
+	| "provisioner_jobs:*"
+	| "provisioner_jobs:create"
+	| "provisioner_jobs:read"
+	| "provisioner_jobs:update"
+	| "replicas:*"
+	| "replicas:read"
+	| "system:*"
+	| "system:create"
+	| "system:delete"
+	| "system:read"
+	| "system:update"
+	| "tailnet_coordinator:*"
+	| "tailnet_coordinator:create"
+	| "tailnet_coordinator:delete"
+	| "tailnet_coordinator:read"
+	| "tailnet_coordinator:update"
 	| "template:*"
 	| "template:create"
 	| "template:delete"
 	| "template:read"
 	| "template:update"
 	| "template:use"
+	| "template:view_insights"
+	| "usage_event:*"
+	| "usage_event:create"
+	| "usage_event:read"
+	| "usage_event:update"
+	| "user:*"
+	| "user:create"
+	| "user:delete"
+	| "user:read"
 	| "user:read_personal"
 	| "user_secret:*"
 	| "user_secret:create"
 	| "user_secret:delete"
 	| "user_secret:read"
 	| "user_secret:update"
+	| "user:update"
 	| "user:update_personal"
+	| "webpush_subscription:*"
+	| "webpush_subscription:create"
+	| "webpush_subscription:delete"
+	| "webpush_subscription:read"
+	| "workspace_agent_devcontainers:*"
+	| "workspace_agent_devcontainers:create"
+	| "workspace_agent_resource_monitor:*"
+	| "workspace_agent_resource_monitor:create"
+	| "workspace_agent_resource_monitor:read"
+	| "workspace_agent_resource_monitor:update"
 	| "workspace:*"
 	| "workspace:application_connect"
 	| "workspace:create"
+	| "workspace:create_agent"
 	| "workspace:delete"
+	| "workspace:delete_agent"
+	| "workspace_dormant:*"
+	| "workspace_dormant:application_connect"
+	| "workspace_dormant:create"
+	| "workspace_dormant:create_agent"
+	| "workspace_dormant:delete"
+	| "workspace_dormant:delete_agent"
+	| "workspace_dormant:read"
+	| "workspace_dormant:ssh"
+	| "workspace_dormant:start"
+	| "workspace_dormant:stop"
+	| "workspace_dormant:update"
+	| "workspace_proxy:*"
+	| "workspace_proxy:create"
+	| "workspace_proxy:delete"
+	| "workspace_proxy:read"
+	| "workspace_proxy:update"
 	| "workspace:read"
 	| "workspace:ssh"
 	| "workspace:start"
@@ -155,6 +303,10 @@ export type APIKeyScope =
 	| "workspace:update";

 export const APIKeyScopes: APIKeyScope[] = [
+	"aibridge_interception:*",
+	"aibridge_interception:create",
+	"aibridge_interception:read",
+	"aibridge_interception:update",
 	"all",
 	"api_key:*",
 	"api_key:create",
@@ -162,6 +314,20 @@ export const APIKeyScopes: APIKeyScope[] = [
 	"api_key:read",
 	"api_key:update",
 	"application_connect",
+	"assign_org_role:*",
+	"assign_org_role:assign",
+	"assign_org_role:create",
+	"assign_org_role:delete",
+	"assign_org_role:read",
+	"assign_org_role:unassign",
+	"assign_org_role:update",
+	"assign_role:*",
+	"assign_role:assign",
+	"assign_role:read",
+	"assign_role:unassign",
+	"audit_log:*",
+	"audit_log:create",
+	"audit_log:read",
 	"coder:all",
 	"coder:apikeys.manage_self",
 	"coder:application_connect",
@@ -171,26 +337,156 @@ export const APIKeyScopes: APIKeyScope[] = [
 	"coder:workspaces.create",
 	"coder:workspaces.delete",
 	"coder:workspaces.operate",
+	"connection_log:*",
+	"connection_log:read",
+	"connection_log:update",
+	"crypto_key:*",
+	"crypto_key:create",
+	"crypto_key:delete",
+	"crypto_key:read",
+	"crypto_key:update",
+	"debug_info:*",
+	"debug_info:read",
+	"deployment_config:*",
+	"deployment_config:read",
+	"deployment_config:update",
+	"deployment_stats:*",
+	"deployment_stats:read",
 	"file:*",
 	"file:create",
 	"file:read",
+	"group:*",
+	"group:create",
+	"group:delete",
+	"group_member:*",
+	"group_member:read",
+	"group:read",
+	"group:update",
+	"idpsync_settings:*",
+	"idpsync_settings:read",
+	"idpsync_settings:update",
+	"inbox_notification:*",
+	"inbox_notification:create",
+	"inbox_notification:read",
+	"inbox_notification:update",
+	"license:*",
+	"license:create",
+	"license:delete",
+	"license:read",
+	"notification_message:*",
+	"notification_message:create",
+	"notification_message:delete",
+	"notification_message:read",
+	"notification_message:update",
+	"notification_preference:*",
+	"notification_preference:read",
+	"notification_preference:update",
+	"notification_template:*",
+	"notification_template:read",
+	"notification_template:update",
+	"oauth2_app:*",
+	"oauth2_app_code_token:*",
+	"oauth2_app_code_token:create",
+	"oauth2_app_code_token:delete",
+	"oauth2_app_code_token:read",
+	"oauth2_app:create",
+	"oauth2_app:delete",
+	"oauth2_app:read",
+	"oauth2_app_secret:*",
+	"oauth2_app_secret:create",
+	"oauth2_app_secret:delete",
+	"oauth2_app_secret:read",
+	"oauth2_app_secret:update",
+	"oauth2_app:update",
+	"organization:*",
+	"organization:create",
+	"organization:delete",
+	"organization_member:*",
+	"organization_member:create",
+	"organization_member:delete",
+	"organization_member:read",
+	"organization_member:update",
+	"organization:read",
+	"organization:update",
+	"prebuilt_workspace:*",
+	"prebuilt_workspace:delete",
+	"prebuilt_workspace:update",
+	"provisioner_daemon:*",
+	"provisioner_daemon:create",
+	"provisioner_daemon:delete",
+	"provisioner_daemon:read",
+	"provisioner_daemon:update",
+	"provisioner_jobs:*",
+	"provisioner_jobs:create",
+	"provisioner_jobs:read",
+	"provisioner_jobs:update",
+	"replicas:*",
+	"replicas:read",
+	"system:*",
+	"system:create",
+	"system:delete",
+	"system:read",
+	"system:update",
+	"tailnet_coordinator:*",
+	"tailnet_coordinator:create",
+	"tailnet_coordinator:delete",
+	"tailnet_coordinator:read",
+	"tailnet_coordinator:update",
 	"template:*",
 	"template:create",
 	"template:delete",
 	"template:read",
 	"template:update",
 	"template:use",
+	"template:view_insights",
+	"usage_event:*",
+	"usage_event:create",
+	"usage_event:read",
+	"usage_event:update",
+	"user:*",
+	"user:create",
+	"user:delete",
+	"user:read",
 	"user:read_personal",
 	"user_secret:*",
 	"user_secret:create",
 	"user_secret:delete",
 	"user_secret:read",
 	"user_secret:update",
+	"user:update",
 	"user:update_personal",
+	"webpush_subscription:*",
+	"webpush_subscription:create",
+	"webpush_subscription:delete",
+	"webpush_subscription:read",
+	"workspace_agent_devcontainers:*",
+	"workspace_agent_devcontainers:create",
+	"workspace_agent_resource_monitor:*",
+	"workspace_agent_resource_monitor:create",
+	"workspace_agent_resource_monitor:read",
+	"workspace_agent_resource_monitor:update",
 	"workspace:*",
 	"workspace:application_connect",
 	"workspace:create",
+	"workspace:create_agent",
 	"workspace:delete",
+	"workspace:delete_agent",
+	"workspace_dormant:*",
+	"workspace_dormant:application_connect",
+	"workspace_dormant:create",
+	"workspace_dormant:create_agent",
+	"workspace_dormant:delete",
+	"workspace_dormant:delete_agent",
+	"workspace_dormant:read",
+	"workspace_dormant:ssh",
+	"workspace_dormant:start",
+	"workspace_dormant:stop",
+	"workspace_dormant:update",
+	"workspace_proxy:*",
+	"workspace_proxy:create",
+	"workspace_proxy:delete",
+	"workspace_proxy:read",
+	"workspace_proxy:update",
 	"workspace:read",
 	"workspace:ssh",
 	"workspace:start",