feat: add experimental agents support (#22290)

feat: add AI chat system with agent tools and chat UI Introduce the chatd subsystem and Agents UI for AI-powered chat within Coder workspaces. - Add chatd package with chat loop, message compaction, prompt management, and LLM provider integration (OpenAI, Anthropic) - Add agent tools: create workspace, list/read templates, read/write/ edit files, execute commands - Add chat API endpoints with streaming, message editing, and durable reconnection - Add database schema and migrations for chats, chat messages, chat providers, and chat model configs - Add RBAC policies and dbauthz enforcement for chat resources - Add Agents UI pages with conversation timeline, queued messages list, diff viewer, and model configuration panel - Add comprehensive test coverage including coderd integration tests, chatd unit tests, and Storybook stories - Gate feature behind experiments flag --------- Co-authored-by: Cian Johnston <cian@coder.com> Co-authored-by: Danielle Maywood <danielle@themaywoods.com> Co-authored-by: Jeremy Ruppel <jeremy@coder.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-02 20:48:20 +00:00 · 2026-02-27 11:50:56 -05:00
parent 67da4e8b56
commit edee917d88
201 changed files with 44828 additions and 1859 deletions
@@ -1,6 +1,7 @@
 package coderd

 import (
+	"context"
 	"fmt"
 	"net/http"

@@ -8,6 +9,7 @@ import (
 	"golang.org/x/xerrors"

 	"cdr.dev/slog/v3"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/coderd/rbac"
@@ -91,6 +93,36 @@ func (h *HTTPAuthorizer) Authorize(r *http.Request, action policy.Action, object
 	return true
 }

+// AuthorizeContext checks whether the RBAC subject on the context
+// is authorized to perform the given action. The subject must have
+// been set via dbauthz.As or the ExtractAPIKey middleware. Returns
+// false if the subject is missing or unauthorized.
+func (h *HTTPAuthorizer) AuthorizeContext(ctx context.Context, action policy.Action, object rbac.Objecter) bool {
+	roles, ok := dbauthz.ActorFromContext(ctx)
+	if !ok {
+		h.Logger.Error(ctx, "no authorization actor in context")
+		return false
+	}
+	err := h.Authorizer.Authorize(ctx, roles, action, object.RBACObject())
+	if err != nil {
+		internalError := new(rbac.UnauthorizedError)
+		logger := h.Logger
+		if xerrors.As(err, internalError) {
+			logger = h.Logger.With(slog.F("internal_error", internalError.Internal()))
+		}
+		logger.Warn(ctx, "requester is not authorized to access the object",
+			slog.F("roles", roles.SafeRoleNames()),
+			slog.F("actor_id", roles.ID),
+			slog.F("actor_name", roles),
+			slog.F("scope", roles.SafeScopeName()),
+			slog.F("action", action),
+			slog.F("object", object),
+		)
+		return false
+	}
+	return true
+}
+
 // AuthorizeSQLFilter returns an authorization filter that can used in a
 // SQL 'WHERE' clause. If the filter is used, the resulting rows returned
 // from postgres are already authorized, and the caller does not need to
@@ -106,6 +138,22 @@ func (h *HTTPAuthorizer) AuthorizeSQLFilter(r *http.Request, action policy.Actio
 	return prepared, nil
 }

+// AuthorizeSQLFilterContext is like AuthorizeSQLFilter but reads the
+// RBAC subject from the context directly rather than from an
+// *http.Request. The subject must have been set via dbauthz.As.
+func (h *HTTPAuthorizer) AuthorizeSQLFilterContext(ctx context.Context, action policy.Action, objectType string) (rbac.PreparedAuthorized, error) {
+	roles, ok := dbauthz.ActorFromContext(ctx)
+	if !ok {
+		return nil, xerrors.New("no authorization actor in context")
+	}
+	prepared, err := h.Authorizer.Prepare(ctx, roles, action, objectType)
+	if err != nil {
+		return nil, xerrors.Errorf("prepare filter: %w", err)
+	}
+
+	return prepared, nil
+}
+
 // checkAuthorization returns if the current API key can use the given
 // permissions, factoring in the current user's roles and the API key scopes.
 //