feat: add experimental agents support (#22290)

feat: add AI chat system with agent tools and chat UI

Introduce the chatd subsystem and Agents UI for AI-powered chat
within Coder workspaces.

- Add chatd package with chat loop, message compaction, prompt
  management, and LLM provider integration (OpenAI, Anthropic)
- Add agent tools: create workspace, list/read templates, read/write/
  edit files, execute commands
- Add chat API endpoints with streaming, message editing, and
  durable reconnection
- Add database schema and migrations for chats, chat messages, chat
  providers, and chat model configs
- Add RBAC policies and dbauthz enforcement for chat resources
- Add Agents UI pages with conversation timeline, queued messages
  list, diff viewer, and model configuration panel
- Add comprehensive test coverage including coderd integration tests,
  chatd unit tests, and Storybook stories
- Gate feature behind experiments flag

---------

Co-authored-by: Cian Johnston <cian@coder.com>
Co-authored-by: Danielle Maywood <danielle@themaywoods.com>
Co-authored-by: Jeremy Ruppel <jeremy@coder.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

cli/gitaskpass.go

@@ -4,6 +4,9 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"os"
+	"os/exec"
+	"strings"
 	"time"
 
 	"golang.org/x/xerrors"
@@ -16,6 +19,29 @@ import (
 	"github.com/coder/serpent"
 )
 
+// detectGitRef attempts to resolve the current git branch and remote
+// origin URL from the given working directory. These are sent to the
+// control plane so it can look up PR/diff status via the GitHub API
+// without SSHing into the workspace. Failures are silently ignored
+// since this is best-effort.
+func detectGitRef(workingDirectory string) (branch string, remoteOrigin string) {
+	run := func(args ...string) string {
+		//nolint:gosec
+		cmd := exec.Command(args[0], args[1:]...)
+		if workingDirectory != "" {
+			cmd.Dir = workingDirectory
+		}
+		out, err := cmd.Output()
+		if err != nil {
+			return ""
+		}
+		return strings.TrimSpace(string(out))
+	}
+	branch = run("git", "rev-parse", "--abbrev-ref", "HEAD")
+	remoteOrigin = run("git", "config", "--get", "remote.origin.url")
+	return branch, remoteOrigin
+}
+
 // gitAskpass is used by the Coder agent to automatically authenticate
 // with Git providers based on a hostname.
 func gitAskpass(agentAuth *AgentAuth) *serpent.Command {
@@ -38,8 +64,20 @@ func gitAskpass(agentAuth *AgentAuth) *serpent.Command {
 				return xerrors.Errorf("create agent client: %w", err)
 			}
 
+			workingDirectory, err := os.Getwd()
+			if err != nil {
+				workingDirectory = ""
+			}
+
+			// Detect the current git branch and remote origin so
+			// the control plane can resolve diffs without needing
+			// to SSH back into the workspace.
+			gitBranch, gitRemoteOrigin := detectGitRef(workingDirectory)
+
 			token, err := client.ExternalAuth(ctx, agentsdk.ExternalAuthRequest{
-				Match: host,
+				Match:           host,
+				GitBranch:       gitBranch,
+				GitRemoteOrigin: gitRemoteOrigin,
 			})
 			if err != nil {
 				var apiError *codersdk.Error
@@ -58,6 +96,12 @@ func gitAskpass(agentAuth *AgentAuth) *serpent.Command {
 				return xerrors.Errorf("get git token: %w", err)
 			}
 			if token.URL != "" {
+				// This is to help the agent authenticate with Git.
+				if inv.Environ.Get("CODER_CHAT_AGENT") == "true" {
+					_, _ = fmt.Fprintf(inv.Stderr, `You must notify the user to authenticate with Git.\n\nThe URL is: %s\n`, token.URL)
+					return cliui.ErrCanceled
+				}
+
 				if err := openURL(inv, token.URL); err == nil {
 					cliui.Infof(inv.Stderr, "Your browser has been opened to authenticate with Git:\n%s", token.URL)
 				} else {