update claude-code module version (#498)

The version for the claude-code module should have been updated in
https://github.com/coder/registry/pull/455. This PR updates the module
version so we can cut a release 😎

.github/typos.toml

@@ -5,6 +5,7 @@ Hashi = "Hashi"
 HashiCorp = "HashiCorp"
 mavrickrishi = "mavrickrishi" # Username
 mavrick = "mavrick" # Username
+inh = "inh" # Option in setpriv command
 
 [files]
 extend-exclude = ["registry/coder/templates/aws-devcontainer/architecture.svg"] #False positive

.github/workflows/ci.yaml

@@ -13,6 +13,26 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v5
+      - name: Detect changed files
+        uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          list-files: shell
+          filters: |
+            shared:
+              - 'test/**'
+              - 'package.json'
+              - 'bun.lock'
+              - 'bunfig.toml'
+              - 'tsconfig.json'
+              - '.github/workflows/ci.yaml'
+              - 'scripts/ts_test_auto.sh'
+              - 'scripts/terraform_test_all.sh'
+              - 'scripts/terraform_validate.sh'
+            modules:
+              - 'registry/**/modules/**'
+            all:
+              - '**'
       - name: Set up Terraform
         uses: coder/coder/.github/actions/setup-tf@main
       - name: Set up Bun
@@ -27,10 +47,22 @@ jobs:
       - name: Install dependencies
         run: bun install
       - name: Run TypeScript tests
-        run: bun test
+        env:
+          ALL_CHANGED_FILES: ${{ steps.filter.outputs.all_files }}
+          SHARED_CHANGED: ${{ steps.filter.outputs.shared }}
+          MODULE_CHANGED_FILES: ${{ steps.filter.outputs.modules_files }}
+        run: bun tstest
       - name: Run Terraform tests
-        run: ./scripts/terraform_test_all.sh
+        env:
+          ALL_CHANGED_FILES: ${{ steps.filter.outputs.all_files }}
+          SHARED_CHANGED: ${{ steps.filter.outputs.shared }}
+          MODULE_CHANGED_FILES: ${{ steps.filter.outputs.modules_files }}
+        run: bun tftest
       - name: Run Terraform Validate
+        env:
+          ALL_CHANGED_FILES: ${{ steps.filter.outputs.all_files }}
+          SHARED_CHANGED: ${{ steps.filter.outputs.shared }}
+          MODULE_CHANGED_FILES: ${{ steps.filter.outputs.modules_files }}
         run: bun terraform-validate
   validate-style:
     name: Check for typos and unformatted code

.icons/folder.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" height="48" width="48" fill="#FFF"><path d="M7.05 40q-1.2 0-2.1-.925-.9-.925-.9-2.075V11q0-1.15.9-2.075Q5.85 8 7.05 8h14l3 3h17q1.15 0 2.075.925.925.925.925 2.075v23q0 1.15-.925 2.075Q42.2 40 41.05 40Zm0-29v26h34V14H22.8l-3-3H7.05Zm0 0v26Z"/></svg>

package.json

@@ -4,7 +4,8 @@
     "fmt": "bun x prettier --write . && terraform fmt -recursive -diff",
     "fmt:ci": "bun x prettier --check . && terraform fmt -check -recursive -diff",
     "terraform-validate": "./scripts/terraform_validate.sh",
-    "test": "./scripts/terraform_test_all.sh",
+    "tftest": "./scripts/terraform_test_all.sh",
+    "tstest": "./scripts/ts_test_auto.sh",
     "update-version": "./update-version.sh"
   },
   "devDependencies": {

registry/coder-labs/modules/archive/README.md

@@ -0,0 +1,163 @@
+---
+display_name: Archive
+description: Create automated and user-invocable scripts that archive and extract selected files/directories with optional compression (gzip or zstd).
+icon: ../../../../.icons/folder.svg
+verified: false
+tags: [backup, archive, tar, helper]
+---
+
+# Archive
+
+This module installs small, robust scripts in your workspace to create and extract tar archives from a list of files and directories. It supports optional compression (gzip or zstd). The create command prints only the resulting archive path to stdout; operational logs go to stderr. An optional stop hook can also create an archive automatically when the workspace stops, and an optional start hook can wait for an archive on-disk and extract it on start.
+
+```tf
+module "archive" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder-labs/archive/coder"
+  version  = "0.0.1"
+  agent_id = coder_agent.example.id
+
+  paths = ["./projects", "./code"]
+}
+```
+
+## Features
+
+- Installs two commands into the workspace `$PATH`: `coder-archive-create` and `coder-archive-extract`.
+- Creates a single `.tar`, `.tar.gz`, or `.tar.zst` containing selected paths (depends on `tar`).
+- Optional compression: `gzip`, `zstd` (depends on `gzip` or `zstd`).
+- Stores defaults so commands can be run without arguments (supports overriding via CLI flags).
+- Logs and status messages go to stderr, the create command prints only the final archive path to stdout.
+- Optional:
+  - `create_on_stop` to create an archive automatically when the workspace stops.
+  - `extract_on_start` to wait for an archive to appear and extract it on start.
+
+> [!WARNING]
+> The `create_on_stop` feature uses the `coder_script` `run_on_stop` which may not work as expected on certain templates without additional provider configuration. The agent may be terminated before the script completes. See [coder/coder#6174](https://github.com/coder/coder/issues/6174) for provider-specific workarounds and [coder/coder#6175](https://github.com/coder/coder/issues/6175) for tracking a fix.
+
+## Usage
+
+Basic example:
+
+```tf
+module "archive" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder-labs/archive/coder"
+  version  = "0.0.1"
+  agent_id = coder_agent.example.id
+
+  # Paths to include in the archive (files or directories).
+  directory = "~"
+  paths = [
+    "./projects",
+    "./code",
+  ]
+}
+```
+
+Customize compression and output:
+
+```tf
+module "archive" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder-labs/archive/coder"
+  version  = "0.0.1"
+  agent_id = coder_agent.example.id
+
+  directory    = "/"
+  paths        = ["/etc", "/home"]
+  compression  = "zstd"        # "gzip" | "zstd" | "none"
+  output_dir   = "/tmp/backup" # defaults to /tmp
+  archive_name = "my-backup"   # base name (extension is inferred from compression)
+}
+```
+
+Enable auto-archive on stop:
+
+```tf
+module "archive" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder-labs/archive/coder"
+  version  = "0.0.1"
+  agent_id = coder_agent.example.id
+
+  # Creates /tmp/coder-archive.tar.gz of the users home directory (defaults).
+  create_on_stop = true
+}
+```
+
+Extract on start:
+
+```tf
+module "archive" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder-labs/archive/coder"
+  version  = "0.0.1"
+  agent_id = coder_agent.example.id
+
+  # Where to look for the archive file to extract:
+  output_dir   = "/tmp"
+  archive_name = "my-archive"
+  compression  = "gzip"
+
+  # Waits up to 5 minutes for /tmp/my-archive.tar.gz to be present, note that
+  # using a long timeout will delay every workspace start by this much until the
+  # archive is present.
+  extract_on_start             = true
+  extract_wait_timeout_seconds = 300
+}
+```
+
+## Command usage
+
+The installer writes the following files:
+
+- `$CODER_SCRIPT_DATA_DIR/archive-lib.sh`
+- `$CODER_SCRIPT_BIN_DIR/coder-archive-create`
+- `$CODER_SCRIPT_BIN_DIR/coder-archive-extract`
+
+Create usage:
+
+```console
+coder-archive-create [OPTIONS] [PATHS...]
+  -c, --compression <gzip|zstd|none>   Compression algorithm (default from module)
+  -C, --directory <DIRECTORY>          Change to directory for archiving (default from module)
+  -f, --file <ARCHIVE>                 Output archive file (default from module)
+  -h, --help                           Show help
+```
+
+Extract usage:
+
+```console
+coder-archive-extract [OPTIONS]
+  -c, --compression <gzip|zstd|none>   Compression algorithm (default from module)
+  -C, --directory <DIRECTORY>          Extract into directory (default from module)
+  -f, --file <ARCHIVE>                 Archive file to extract (default from module)
+  -h, --help                           Show help
+```
+
+Examples:
+
+- Use Terraform defaults:
+
+  ```
+  coder-archive-create
+  ```
+
+- Override compression and output file at runtime:
+
+  ```
+  coder-archive-create --compression zstd --file /tmp/backups/archive.tar.zst
+  ```
+
+- Add extra paths on the fly (in addition to the Terraform defaults):
+
+  ```
+  coder-archive-create /etc/hosts
+  ```
+
+- Extract an archive into a directory:
+
+  ```
+  coder-archive-extract --file /tmp/backups/archive.tar.gz --directory /tmp/restore
+  ```

registry/coder-labs/modules/archive/archive.tftest.hcl

@@ -0,0 +1,33 @@
+mock_provider "coder" {}
+
+run "apply_defaults" {
+  command = apply
+
+  variables {
+    agent_id = "agent-123"
+    paths    = ["~/project", "/etc/hosts"]
+  }
+
+  assert {
+    condition     = output.archive_path == "/tmp/coder-archive.tar.gz"
+    error_message = "archive_path should be empty when archive_name is not set"
+  }
+}
+
+run "apply_with_name" {
+  command = apply
+
+  variables {
+    agent_id               = "agent-123"
+    paths                  = ["/etc/hosts"]
+    archive_name           = "nightly"
+    output_dir             = "/tmp/backups"
+    compression            = "zstd"
+    create_archive_on_stop = true
+  }
+
+  assert {
+    condition     = output.archive_path == "/tmp/backups/nightly.tar.zst"
+    error_message = "archive_path should be computed from archive_name + output_dir + extension"
+  }
+}

registry/coder-labs/modules/archive/main.test.ts

@@ -0,0 +1,348 @@
+import { describe, expect, it, beforeAll } from "bun:test";
+import {
+  execContainer,
+  findResourceInstance,
+  runContainer,
+  runTerraformApply,
+  runTerraformInit,
+  testRequiredVariables,
+  type TerraformState,
+} from "~test";
+
+const USE_XTRACE =
+  process.env.ARCHIVE_TEST_XTRACE === "1" || process.env.XTRACE === "1";
+
+const IMAGE = "alpine";
+const BIN_DIR = "/tmp/coder-script-data/bin";
+const DATA_DIR = "/tmp/coder-script-data";
+
+type ExecResult = {
+  exitCode: number;
+  stdout: string;
+  stderr: string;
+};
+
+const ensureRunOk = (label: string, res: ExecResult) => {
+  if (res.exitCode !== 0) {
+    console.error(
+      `[${label}] non-zero exit code: ${res.exitCode}\n--- stdout ---\n${res.stdout.trim()}\n--- stderr ---\n${res.stderr.trim()}\n--------------`,
+    );
+  }
+  expect(res.exitCode).toBe(0);
+};
+
+const sh = async (id: string, cmd: string): Promise<ExecResult> => {
+  const res = await execContainer(id, ["sh", "-c", cmd]);
+  return res;
+};
+
+const bashRun = async (id: string, cmd: string): Promise<ExecResult> => {
+  const injected = USE_XTRACE ? `/bin/bash -x ${cmd}` : cmd;
+  return sh(id, injected);
+};
+
+const prepareContainer = async (image = IMAGE) => {
+  const id = await runContainer(image);
+  // Prepare script dirs and deps.
+  ensureRunOk(
+    "mkdirs",
+    await sh(id, `mkdir -p ${BIN_DIR} ${DATA_DIR} /tmp/backup`),
+  );
+
+  // Install tools used by tests.
+  ensureRunOk(
+    "apk add",
+    await sh(id, "apk add --no-cache bash tar gzip zstd coreutils"),
+  );
+
+  return id;
+};
+
+const installArchive = async (
+  state: TerraformState,
+  opts?: { env?: string[] },
+) => {
+  const instance = findResourceInstance(state, "coder_script");
+  const id = await prepareContainer();
+  // Run installer script with correct env for CODER_SCRIPT paths.
+  const args = ["bash"];
+  if (USE_XTRACE) args.push("-x");
+  args.push("-c", instance.script);
+
+  const resp = await execContainer(id, args, [
+    "--env",
+    `CODER_SCRIPT_BIN_DIR=${BIN_DIR}`,
+    "--env",
+    `CODER_SCRIPT_DATA_DIR=${DATA_DIR}`,
+    ...(opts?.env ?? []),
+  ]);
+
+  return {
+    id,
+    install: {
+      exitCode: resp.exitCode,
+      stdout: resp.stdout.trim(),
+      stderr: resp.stderr.trim(),
+    },
+  };
+};
+
+const fileExists = async (id: string, path: string) => {
+  const res = await sh(id, `test -f ${path} && echo yes || echo no`);
+  return res.stdout.trim() === "yes";
+};
+
+const isExecutable = async (id: string, path: string) => {
+  const res = await sh(id, `test -x ${path} && echo yes || echo no`);
+  return res.stdout.trim() === "yes";
+};
+
+const listTar = async (id: string, path: string) => {
+  // Try to autodetect compression flags from extension.
+  let cmd = "";
+  if (path.endsWith(".tar.gz")) {
+    cmd = `tar -tzf ${path}`;
+  } else if (path.endsWith(".tar.zst")) {
+    // validate with zstd and ask tar to list via --zstd.
+    cmd = `zstd -t -q ${path} && tar --zstd -tf ${path}`;
+  } else {
+    cmd = `tar -tf ${path}`;
+  }
+  return sh(id, cmd);
+};
+
+describe("archive", () => {
+  beforeAll(async () => {
+    await runTerraformInit(import.meta.dir);
+  });
+
+  // Ensure required variables are enforced.
+  testRequiredVariables(import.meta.dir, {
+    agent_id: "agent-123",
+  });
+
+  it("installs wrapper scripts to BIN_DIR and library to DATA_DIR", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "agent-123",
+    });
+
+    // The Terraform output should reflect defaults from main.tf.
+    expect(state.outputs.archive_path.value).toEqual(
+      "/tmp/coder-archive.tar.gz",
+    );
+
+    const { id, install } = await installArchive(state);
+    ensureRunOk("install", install);
+
+    expect(install.stdout).toContain(
+      `Installed archive library to: ${DATA_DIR}/archive-lib.sh`,
+    );
+    expect(install.stdout).toContain(
+      `Installed create script to:   ${BIN_DIR}/coder-archive-create`,
+    );
+    expect(install.stdout).toContain(
+      `Installed extract script to:  ${BIN_DIR}/coder-archive-extract`,
+    );
+    expect(await isExecutable(id, `${BIN_DIR}/coder-archive-create`)).toBe(
+      true,
+    );
+    expect(await isExecutable(id, `${BIN_DIR}/coder-archive-extract`)).toBe(
+      true,
+    );
+  });
+
+  it("uses sane defaults: creates gzip archive at the default path and logs to stderr", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "agent-123",
+      // Keep defaults: compression=gzip, output_dir=/tmp, archive_name=coder-archive.
+    });
+
+    const { id } = await installArchive(state);
+
+    const createTestdata = await bashRun(
+      id,
+      `mkdir ~/gzip; touch ~/gzip/defaults.txt`,
+    );
+    ensureRunOk("create testdata", createTestdata);
+
+    const run = await bashRun(id, `${BIN_DIR}/coder-archive-create`);
+    ensureRunOk("archive-create default run", run);
+
+    // Only the archive path should print to stdout.
+    expect(run.stdout.trim()).toEqual("/tmp/coder-archive.tar.gz");
+    expect(await fileExists(id, "/tmp/coder-archive.tar.gz")).toBe(true);
+
+    // Some useful diagnostics should be on stderr.
+    expect(run.stderr).toContain("Creating archive:");
+    expect(run.stderr).toContain("Compression: gzip");
+
+    const list = await listTar(id, "/tmp/coder-archive.tar.gz");
+    ensureRunOk("list default archive", list);
+    expect(list.stdout).toContain("gzip/defaults.txt");
+  }, 20000);
+
+  it("creates a gzip archive with explicit -f and includes extra CLI paths", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "agent-123",
+      // Provide a simple default path so we can assert contents.
+      paths: `["~/gzip"]`,
+      compression: "gzip",
+    });
+
+    const { id } = await installArchive(state);
+
+    const createTestdata = await bashRun(
+      id,
+      `mkdir ~/gzip; touch ~/gzip/test.txt; touch ~/gziptest.txt`,
+    );
+    ensureRunOk("create testdata", createTestdata);
+
+    const out = "/tmp/backup/test-archive.tar.gz";
+    const run = await bashRun(
+      id,
+      `${BIN_DIR}/coder-archive-create -f ${out} ~/gziptest.txt`,
+    );
+    ensureRunOk("archive-create gzip explicit -f", run);
+
+    expect(run.stdout.trim()).toEqual(out);
+    expect(await fileExists(id, out)).toBe(true);
+
+    const list = await sh(id, `tar -tzf ${out}`);
+    ensureRunOk("tar -tzf contents (gzip)", list);
+    expect(list.stdout).toContain("gzip/test.txt");
+    expect(list.stdout).toContain("gziptest.txt");
+  }, 20000);
+
+  it("creates a zstd-compressed archive when requested via CLI override", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "agent-123",
+      paths: `["/etc/hostname"]`,
+      // Module default is gzip, override at runtime to zstd.
+    });
+
+    const { id } = await installArchive(state);
+
+    const out = "/tmp/backup/zstd-archive.tar.zst";
+    const run = await bashRun(
+      id,
+      `${BIN_DIR}/coder-archive-create --compression zstd -f ${out}`,
+    );
+    ensureRunOk("archive-create zstd", run);
+
+    expect(run.stdout.trim()).toEqual(out);
+
+    // Check integrity via zstd and that tar can list it.
+    ensureRunOk("zstd -t", await sh(id, `test -f ${out} && zstd -t -q ${out}`));
+    ensureRunOk("tar --zstd -tf", await sh(id, `tar --zstd -tf ${out}`));
+  }, 30000);
+
+  it("creates an uncompressed tar when compression=none", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "agent-123",
+      // Keep module defaults but override at runtime.
+    });
+
+    const { id } = await installArchive(state);
+
+    const out = "/tmp/backup/raw-archive.tar";
+    const run = await bashRun(
+      id,
+      `${BIN_DIR}/coder-archive-create --compression none -f ${out}`,
+    );
+    ensureRunOk("archive-create none", run);
+
+    expect(run.stdout.trim()).toEqual(out);
+    ensureRunOk("tar -tf (none)", await sh(id, `tar -tf ${out} >/dev/null`));
+  }, 20000);
+
+  it("applies exclude patterns from Terraform", async () => {
+    // Include a file, but also exclude it via Terraform defaults to ensure
+    // exclusion flows through.
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "agent-123",
+      paths: `["/etc/hostname"]`,
+      exclude_patterns: `["/etc/hostname"]`,
+    });
+
+    const { id } = await installArchive(state);
+
+    const out = "/tmp/backup/excluded.tar.gz";
+    const run = await bashRun(id, `${BIN_DIR}/coder-archive-create -f ${out}`);
+    ensureRunOk("archive-create with exclude_patterns", run);
+
+    const list = await sh(id, `tar -tzf ${out}`);
+    ensureRunOk("tar -tzf contents (exclude)", list);
+    expect(list.stdout).not.toContain("etc/hostname"); // Excluded by Terraform default.
+  }, 20000);
+
+  it("adds a run_on_stop script when enabled", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "agent-123",
+      create_on_stop: true,
+    });
+
+    const coderScripts = state.resources.filter(
+      (r) => r.type === "coder_script",
+    );
+    // Installer (run_on_start) + run_on_stop.
+    expect(coderScripts.length).toBe(2);
+  });
+
+  it("extracts a previously created archive into a target directory", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "agent-123",
+      paths: `["/etc/hostname"]`,
+      compression: "gzip",
+    });
+
+    const { id } = await installArchive(state);
+
+    // Create archive.
+    const out = "/tmp/backup/extract-test.tar.gz";
+    const created = await bashRun(
+      id,
+      `${BIN_DIR}/coder-archive-create -f ${out} /etc/hosts`,
+    );
+    ensureRunOk("create for extract", created);
+
+    // Extract archive.
+    const extractDir = "/tmp/extract";
+    const extract = await bashRun(
+      id,
+      `${BIN_DIR}/coder-archive-extract -f ${out} -C ${extractDir}`,
+    );
+    ensureRunOk("archive-extract", extract);
+
+    // Verify a known file exists after extraction.
+    const exists = await sh(
+      id,
+      `test -f ${extractDir}/etc/hosts && echo ok || echo no`,
+    );
+    expect(exists.stdout.trim()).toEqual("ok");
+  }, 20000);
+
+  it("honors Terraform defaults without CLI args (compression, name, output_dir)", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "agent-123",
+      compression: "zstd",
+      archive_name: "my-default",
+      output_dir: "/tmp/defout",
+    });
+
+    const { id } = await installArchive(state);
+
+    const run = await bashRun(id, `${BIN_DIR}/coder-archive-create`);
+    ensureRunOk("archive-create terraform defaults", run);
+    expect(run.stdout.trim()).toEqual("/tmp/defout/my-default.tar.zst");
+    expect(run.stderr).toContain("Creating archive:");
+    expect(run.stderr).toContain("Compression: zstd");
+    ensureRunOk(
+      "zstd -t",
+      await sh(id, "zstd -t -q /tmp/defout/my-default.tar.zst"),
+    );
+    ensureRunOk(
+      "tar --zstd -tf",
+      await sh(id, "tar --zstd -tf /tmp/defout/my-default.tar.zst"),
+    );
+  }, 30000);
+});

registry/coder-labs/modules/archive/main.tf

@@ -0,0 +1,134 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 0.12"
+    }
+  }
+}
+
+variable "agent_id" {
+  description = "The ID of a Coder agent."
+  type        = string
+}
+
+variable "paths" {
+  description = "List of files/directories to include in the archive. Defaults to the current directory."
+  type        = list(string)
+  default     = ["."]
+}
+
+variable "exclude_patterns" {
+  description = "Exclude patterns for the archive."
+  type        = list(string)
+  default     = []
+}
+
+variable "compression" {
+  description = "Compression algorithm for the archive. Supported: gzip, zstd, none."
+  type        = string
+  default     = "gzip"
+  validation {
+    condition     = contains(["gzip", "zstd", "none"], var.compression)
+    error_message = "compression must be one of: gzip, zstd, none."
+  }
+}
+
+variable "archive_name" {
+  description = "Optional archive base name without extension. If empty, defaults to \"coder-archive\"."
+  type        = string
+  default     = "coder-archive"
+}
+
+variable "output_dir" {
+  description = "Optional output directory where the archive will be written. Defaults to \"/tmp\"."
+  type        = string
+  default     = "/tmp"
+}
+
+variable "directory" {
+  description = "Change current directory to this path before creating or extracting the archive. Defaults to the user's home directory."
+  type        = string
+  default     = "~"
+}
+
+variable "create_on_stop" {
+  description = "If true, also create a run_on_stop script that creates the archive automatically on workspace stop."
+  type        = bool
+  default     = false
+}
+
+variable "extract_on_start" {
+  description = "If true, the installer will wait for an archive and extract it on start."
+  type        = bool
+  default     = false
+}
+
+variable "extract_wait_timeout_seconds" {
+  description = "Timeout (seconds) to wait for an archive when extract_on_start is true."
+  type        = number
+  default     = 5
+}
+
+# Provide a stable script filename and sensible defaults.
+locals {
+  extension = var.compression == "gzip" ? ".tar.gz" : var.compression == "zstd" ? ".tar.zst" : ".tar"
+
+  # Ensure ~ is expanded because it cannot be expanded inside quotes in a
+  # templated shell script.
+  paths            = [for v in var.paths : replace(v, "/^~(\\/|$)/", "$$HOME$1")]
+  exclude_patterns = [for v in var.exclude_patterns : replace(v, "/^~(\\/|$)/", "$$HOME$1")]
+  directory        = replace(var.directory, "/^~(\\/|$)/", "$$HOME$1")
+  output_dir       = replace(var.output_dir, "/^~(\\/|$)/", "$$HOME$1")
+
+  archive_path = "${local.output_dir}/${var.archive_name}${local.extension}"
+}
+
+output "archive_path" {
+  description = "Full path to the archive file that will be created, extracted, or both."
+  value       = local.archive_path
+}
+
+# This script installs the user-facing archive script into $CODER_SCRIPT_BIN_DIR.
+# The installed script can be run manually by the user to create an archive.
+resource "coder_script" "archive_start_script" {
+  agent_id           = var.agent_id
+  display_name       = "Archive"
+  icon               = "/icon/folder.svg"
+  run_on_start       = true
+  start_blocks_login = var.extract_on_start
+
+  # Render the user-facing archive script with Terraform defaults, then write it to $CODER_SCRIPT_BIN_DIR
+  script = templatefile("${path.module}/run.sh", {
+    TF_LIB_B64              = base64encode(file("${path.module}/scripts/archive-lib.sh")),
+    TF_PATHS                = join(" ", formatlist("%q", local.paths)),
+    TF_EXCLUDE_PATTERNS     = join(" ", formatlist("%q", local.exclude_patterns)),
+    TF_COMPRESSION          = var.compression,
+    TF_ARCHIVE_PATH         = local.archive_path,
+    TF_DIRECTORY            = local.directory,
+    TF_EXTRACT_ON_START     = var.extract_on_start,
+    TF_EXTRACT_WAIT_TIMEOUT = var.extract_wait_timeout_seconds,
+  })
+}
+
+# Optionally, also register a run_on_stop script that creates the archive automatically
+# when the workspace stops. It simply invokes the installed archive script.
+resource "coder_script" "archive_stop_script" {
+  count              = var.create_on_stop ? 1 : 0
+  agent_id           = var.agent_id
+  display_name       = "Archive"
+  icon               = "/icon/folder.svg"
+  run_on_stop        = true
+  start_blocks_login = false
+
+  # Call the installed script. It will log to stderr and print the archive path to stdout.
+  # We redirect stdout to stderr to avoid surfacing the path in system logs if undesired.
+  # Remove the redirection if you want the path to appear in stdout on stop as well.
+  script = <<-EOT
+    #!/usr/bin/env bash
+    set -euo pipefail
+    "$CODER_SCRIPT_BIN_DIR/coder-archive-create"
+  EOT
+}

registry/coder-labs/modules/archive/run.sh

@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+LIB_B64="${TF_LIB_B64}"
+EXTRACT_ON_START="${TF_EXTRACT_ON_START}"
+EXTRACT_WAIT_TIMEOUT="${TF_EXTRACT_WAIT_TIMEOUT}"
+
+# Set script defaults from Terraform.
+DEFAULT_PATHS=(${TF_PATHS})
+DEFAULT_EXCLUDE_PATTERNS=(${TF_EXCLUDE_PATTERNS})
+DEFAULT_COMPRESSION="${TF_COMPRESSION}"
+DEFAULT_ARCHIVE_PATH="${TF_ARCHIVE_PATH}"
+DEFAULT_DIRECTORY="${TF_DIRECTORY}"
+
+# 1) Decode the library into $CODER_SCRIPT_DATA_DIR/archive-lib.sh (static, sourceable).
+LIB_PATH="$CODER_SCRIPT_DATA_DIR/archive-lib.sh"
+lib_tmp="$(mktemp -t coder-module-archive.XXXXXX))"
+trap 'rm -f "$lib_tmp" 2>/dev/null || true' EXIT
+
+# Decode the base64 content safely.
+if ! printf '%s' "$LIB_B64" | base64 -d > "$lib_tmp"; then
+  echo "ERROR: Failed to decode archive library from base64." >&2
+  exit 1
+fi
+chmod 0644 "$lib_tmp"
+mv "$lib_tmp" "$LIB_PATH"
+
+# 2) Generate the wrapper scripts (create and extract).
+create_wrapper() {
+  tmp="$(mktemp -t coder-module-archive.XXXXXX)"
+  trap 'rm -f "$tmp" 2>/dev/null || true' EXIT
+  cat > "$tmp" << EOF
+#!/usr/bin/env bash
+set -euo pipefail
+
+. "$LIB_PATH"
+
+# Set defaults from Terraform (through installer).
+$(
+    declare -p \
+      DEFAULT_PATHS \
+      DEFAULT_EXCLUDE_PATTERNS \
+      DEFAULT_COMPRESSION \
+      DEFAULT_ARCHIVE_PATH \
+      DEFAULT_DIRECTORY
+  )
+
+$1 "\$@"
+EOF
+  chmod 0755 "$tmp"
+  mv "$tmp" "$2"
+}
+
+CREATE_WRAPPER_PATH="$CODER_SCRIPT_BIN_DIR/coder-archive-create"
+EXTRACT_WRAPPER_PATH="$CODER_SCRIPT_BIN_DIR/coder-archive-extract"
+create_wrapper archive_create "$CREATE_WRAPPER_PATH"
+create_wrapper archive_extract "$EXTRACT_WRAPPER_PATH"
+
+echo "Installed archive library to: $LIB_PATH"
+echo "Installed create script to:   $CREATE_WRAPPER_PATH"
+echo "Installed extract script to:  $EXTRACT_WRAPPER_PATH"
+
+# 3) Optionally wait for and extract an archive on start.
+if [[ $EXTRACT_ON_START = true ]]; then
+  . "$LIB_PATH"
+
+  archive_wait_and_extract "$EXTRACT_WAIT_TIMEOUT" quiet || {
+    exit_code=$?
+    if [[ $exit_code -eq 2 ]]; then
+      echo "WARNING: Archive not found in backup path (this is expected with new workspaces)."
+    else
+      exit $exit_code
+    fi
+  }
+fi

registry/coder-labs/modules/archive/scripts/archive-lib.sh

@@ -0,0 +1,279 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+log() {
+  printf '%s\n' "$@" >&2
+}
+warn() {
+  printf 'WARNING: %s\n' "$1" >&2
+}
+error() {
+  printf 'ERROR: %s\n' "$1" >&2
+  exit 1
+}
+
+load_defaults() {
+  DEFAULT_PATHS=("${DEFAULT_PATHS[@]:-.}")
+  DEFAULT_EXCLUDE_PATTERNS=("${DEFAULT_EXCLUDE_PATTERNS[@]:-}")
+  DEFAULT_COMPRESSION="${DEFAULT_COMPRESSION:-gzip}"
+  DEFAULT_ARCHIVE_PATH="${DEFAULT_ARCHIVE_PATH:-/tmp/coder-archive.tar.gz}"
+  DEFAULT_DIRECTORY="${DEFAULT_DIRECTORY:-$HOME}"
+}
+
+ensure_tools() {
+  command -v tar > /dev/null 2>&1 || error "tar is required"
+  case "$1" in
+    gzip)
+      command -v gzip > /dev/null 2>&1 || error "gzip is required for gzip compression"
+      ;;
+    zstd)
+      command -v zstd > /dev/null 2>&1 || error "zstd is required for zstd compression"
+      ;;
+    none) ;;
+    *)
+      error "Unsupported compression algorithm: $1"
+      ;;
+  esac
+}
+
+usage_archive_create() {
+  load_defaults
+
+  cat >&2 << USAGE
+Usage: coder-archive-create [OPTIONS] [[PATHS] ...]
+Options:
+  -c, --compression <gzip|zstd|none>   Compression algorithm (default "${DEFAULT_COMPRESSION}")
+  -C, --directory <DIRECTORY>          Change to directory (default "${DEFAULT_DIRECTORY}")
+  -f, --file <ARCHIVE>                 Output archive file (default "${DEFAULT_ARCHIVE_PATH}")
+  -h, --help                           Show this help
+USAGE
+}
+
+archive_create() {
+  load_defaults
+
+  local compression="${DEFAULT_COMPRESSION}"
+  local directory="${DEFAULT_DIRECTORY}"
+  local file="${DEFAULT_ARCHIVE_PATH}"
+  local paths=("${DEFAULT_PATHS[@]}")
+
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      -c | --compression)
+        if [[ $# -lt 2 ]]; then
+          usage_archive_create
+          error "Missing value for $1"
+        fi
+        compression="$2"
+        shift 2
+        ;;
+      -C | --directory)
+        if [[ $# -lt 2 ]]; then
+          usage_archive_create
+          error "Missing value for $1"
+        fi
+        directory="$2"
+        shift 2
+        ;;
+      -f | --file)
+        if [[ $# -lt 2 ]]; then
+          usage_archive_create
+          error "Missing value for $1"
+        fi
+        file="$2"
+        shift 2
+        ;;
+      -h | --help)
+        usage_archive_create
+        exit 0
+        ;;
+      --)
+        shift
+        while [[ $# -gt 0 ]]; do
+          paths+=("$1")
+          shift
+        done
+        ;;
+      -*)
+        usage_archive_create
+        error "Unknown option: $1"
+        ;;
+      *)
+        paths+=("$1")
+        shift
+        ;;
+    esac
+  done
+
+  ensure_tools "$compression"
+
+  local -a tar_opts=(-c -f "$file" -C "$directory")
+  case "$compression" in
+    gzip)
+      tar_opts+=(-z)
+      ;;
+    zstd)
+      tar_opts+=(--zstd)
+      ;;
+    none) ;;
+    *)
+      error "Unsupported compression algorithm: $compression"
+      ;;
+  esac
+
+  for path in "${DEFAULT_EXCLUDE_PATTERNS[@]}"; do
+    if [[ -n $path ]]; then
+      tar_opts+=(--exclude "$path")
+    fi
+  done
+
+  # Ensure destination directory exists.
+  dest="$(dirname "$file")"
+  mkdir -p "$dest" 2> /dev/null || error "Failed to create output dir: $dest"
+
+  log "Creating archive:"
+  log "  Compression: $compression"
+  log "  Directory:   $directory"
+  log "  Archive:     $file"
+  log "  Paths:       ${paths[*]}"
+  log "  Exclude:     ${DEFAULT_EXCLUDE_PATTERNS[*]}"
+
+  umask 077
+  tar "${tar_opts[@]}" "${paths[@]}"
+
+  printf '%s\n' "$file"
+}
+
+usage_archive_extract() {
+  load_defaults
+
+  cat >&2 << USAGE
+Usage: coder-archive-extract [OPTIONS]
+Options:
+  -c, --compression <gzip|zstd|none>   Compression algorithm (default "${DEFAULT_COMPRESSION}")
+  -C, --directory <DIRECTORY>          Change to directory (default "${DEFAULT_DIRECTORY}")
+  -f, --file <ARCHIVE>                 Output archive file (default "${DEFAULT_ARCHIVE_PATH}")
+  -h, --help                           Show this help
+USAGE
+}
+
+archive_extract() {
+  load_defaults
+
+  local compression="${DEFAULT_COMPRESSION}"
+  local directory="${DEFAULT_DIRECTORY}"
+  local file="${DEFAULT_ARCHIVE_PATH}"
+
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      -c | --compression)
+        if [[ $# -lt 2 ]]; then
+          usage_archive_extract
+          error "Missing value for $1"
+        fi
+        compression="$2"
+        shift 2
+        ;;
+      -C | --directory)
+        if [[ $# -lt 2 ]]; then
+          usage_archive_extract
+          error "Missing value for $1"
+        fi
+        directory="$2"
+        shift 2
+        ;;
+      -f | --file)
+        if [[ $# -lt 2 ]]; then
+          usage_archive_extract
+          error "Missing value for $1"
+        fi
+        file="$2"
+        shift 2
+        ;;
+      -h | --help)
+        usage_archive_extract
+        exit 0
+        ;;
+      --)
+        shift
+        while [[ $# -gt 0 ]]; do
+          shift
+        done
+        ;;
+      -*)
+        usage_archive_extract
+        error "Unknown option: $1"
+        ;;
+      *)
+        shift
+        ;;
+    esac
+  done
+
+  ensure_tools "$compression"
+
+  local -a tar_opts=(-x -f "$file" -C "$directory")
+  case "$compression" in
+    gzip)
+      tar_opts+=(-z)
+      ;;
+    zstd)
+      tar_opts+=(--zstd)
+      ;;
+    none) ;;
+    *)
+      error "Unsupported compression algorithm: $compression"
+      ;;
+  esac
+
+  for path in "${DEFAULT_EXCLUDE_PATTERNS[@]}"; do
+    if [[ -n $path ]]; then
+      tar_opts+=(--exclude "$path")
+    fi
+  done
+
+  # Ensure destination directory exists.
+  mkdir -p "$directory" || error "Failed to create directory: $directory"
+
+  log "Extracting archive:"
+  log "  Compression: $compression"
+  log "  Directory:   $directory"
+  log "  Archive:     $file"
+  log "  Exclude:     ${DEFAULT_EXCLUDE_PATTERNS[*]}"
+
+  umask 077
+  tar "${tar_opts[@]}" "${paths[@]}"
+
+  printf 'Extracted %s into %s\n' "$file" "$directory"
+}
+
+archive_wait_and_extract() {
+  load_defaults
+
+  local timeout="${1:-300}"
+  local quiet="${2:-}"
+  local file="${DEFAULT_ARCHIVE_PATH}"
+
+  local start now
+  start=$(date +%s)
+  while true; do
+    if [[ -f "$file" ]]; then
+      archive_extract -f "$file"
+      return 0
+    fi
+
+    if ((timeout <= 0)); then
+      break
+    fi
+    now=$(date +%s)
+    if ((now - start >= timeout)); then
+      break
+    fi
+    sleep 5
+  done
+
+  if [[ -z $quiet ]]; then
+    printf 'ERROR: Timed out waiting for archive: %s\n' "$file" >&2
+  fi
+  return 2
+}

registry/coder-labs/modules/codex/README.md

@@ -13,10 +13,10 @@ Run Codex CLI in your workspace to access OpenAI's models through the Codex inte
 ```tf
 module "codex" {
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "2.1.1"
+  version        = "3.0.0"
   agent_id       = coder_agent.example.id
   openai_api_key = var.openai_api_key
-  folder         = "/home/coder/project"
+  workdir        = "/home/coder/project"
 }
 ```
 
@@ -33,10 +33,11 @@ module "codex" {
 module "codex" {
   count          = data.coder_workspace.me.start_count
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "2.1.1"
+  version        = "3.0.0"
   agent_id       = coder_agent.example.id
   openai_api_key = "..."
-  folder         = "/home/coder/project"
+  workdir        = "/home/coder/project"
+  report_tasks   = false
 }
 ```
 
@@ -60,11 +61,11 @@ module "coder-login" {
 
 module "codex" {
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "2.1.1"
+  version        = "3.0.0"
   agent_id       = coder_agent.example.id
   openai_api_key = "..."
   ai_prompt      = data.coder_parameter.ai_prompt.value
-  folder         = "/home/coder/project"
+  workdir        = "/home/coder/project"
 
   # Custom configuration for full auto mode
   base_config_toml = <<-EOT
@@ -75,7 +76,7 @@ module "codex" {
 ```
 
 > [!WARNING]
-> This module configures Codex with a `workspace-write` sandbox that allows AI tasks to read/write files in the specified folder. While the sandbox provides security boundaries, Codex can still modify files within the workspace. Use this module _only_ in trusted environments and be aware of the security implications.
+> This module configures Codex with a `workspace-write` sandbox that allows AI tasks to read/write files in the specified workdir. While the sandbox provides security boundaries, Codex can still modify files within the workspace. Use this module _only_ in trusted environments and be aware of the security implications.
 
 ## How it Works
 
@@ -106,7 +107,7 @@ For custom Codex configuration, use `base_config_toml` and/or `additional_mcp_se
 ```tf
 module "codex" {
   source  = "registry.coder.com/coder-labs/codex/coder"
-  version = "2.1.1"
+  version = "3.0.0"
   # ... other variables ...
 
   # Override default configuration
@@ -137,7 +138,7 @@ module "codex" {
 > [!IMPORTANT]
 > To use tasks with Codex CLI, ensure you have the `openai_api_key` variable set, and **you create a `coder_parameter` named `"AI Prompt"` and pass its value to the codex module's `ai_prompt` variable**. [Tasks Template Example](https://registry.coder.com/templates/coder-labs/tasks-docker).
 > The module automatically configures Codex with your API key and model preferences.
-> folder is a required variable for the module to function correctly.
+> workdir is a required variable for the module to function correctly.
 
 ## References
 

registry/coder-labs/modules/codex/main.test.ts

@@ -47,7 +47,7 @@ const setup = async (props?: SetupProps): Promise<{ id: string }> => {
       install_codex: props?.skipCodexMock ? "true" : "false",
       install_agentapi: props?.skipAgentAPIMock ? "true" : "false",
       codex_model: "gpt-4-turbo",
-      folder: "/home/coder",
+      workdir: "/home/coder",
       ...props?.moduleVariables,
     },
     registerCleanup,
@@ -166,12 +166,12 @@ describe("codex", async () => {
     expect(postInstallLog).toContain("post-install-script");
   });
 
-  test("folder-variable", async () => {
-    const folder = "/tmp/codex-test-folder";
+  test("workdir-variable", async () => {
+    const workdir = "/tmp/codex-test-workdir";
     const { id } = await setup({
       skipCodexMock: false,
       moduleVariables: {
-        folder,
+        workdir,
       },
     });
     await execModuleScript(id);
@@ -179,7 +179,7 @@ describe("codex", async () => {
       id,
       "/home/coder/.codex-module/install.log",
     );
-    expect(resp).toContain(folder);
+    expect(resp).toContain(workdir);
   });
 
   test("additional-mcp-servers", async () => {

registry/coder-labs/modules/codex/main.tf

@@ -36,11 +36,41 @@ variable "icon" {
   default     = "/icon/openai.svg"
 }
 
-variable "folder" {
+variable "workdir" {
   type        = string
   description = "The folder to run Codex in."
 }
 
+variable "report_tasks" {
+  type        = bool
+  description = "Whether to enable task reporting to Coder UI via AgentAPI"
+  default     = true
+}
+
+variable "subdomain" {
+  type        = bool
+  description = "Whether to use a subdomain for AgentAPI."
+  default     = false
+}
+
+variable "cli_app" {
+  type        = bool
+  description = "Whether to create a CLI app for Codex"
+  default     = false
+}
+
+variable "web_app_display_name" {
+  type        = string
+  description = "Display name for the web app"
+  default     = "Codex"
+}
+
+variable "cli_app_display_name" {
+  type        = string
+  description = "Display name for the CLI app"
+  default     = "Codex CLI"
+}
+
 variable "install_codex" {
   type        = bool
   description = "Whether to install Codex."
@@ -120,6 +150,7 @@ resource "coder_env" "openai_api_key" {
 }
 
 locals {
+  workdir         = trimsuffix(var.workdir, "/")
   app_slug        = "codex"
   install_script  = file("${path.module}/scripts/install.sh")
   start_script    = file("${path.module}/scripts/start.sh")
@@ -131,16 +162,18 @@ module "agentapi" {
   version = "1.2.0"
 
   agent_id             = var.agent_id
-  folder               = var.folder
+  folder               = local.workdir
   web_app_slug         = local.app_slug
   web_app_order        = var.order
   web_app_group        = var.group
   web_app_icon         = var.icon
-  web_app_display_name = "Codex"
-  cli_app_slug         = "${local.app_slug}-cli"
-  cli_app_display_name = "Codex CLI"
+  web_app_display_name = var.web_app_display_name
+  cli_app              = var.cli_app
+  cli_app_slug         = var.cli_app ? "${local.app_slug}-cli" : null
+  cli_app_display_name = var.cli_app ? var.cli_app_display_name : null
   module_dir_name      = local.module_dir_name
   install_agentapi     = var.install_agentapi
+  agentapi_subdomain   = var.subdomain
   agentapi_version     = var.agentapi_version
   pre_install_script   = var.pre_install_script
   post_install_script  = var.post_install_script
@@ -152,8 +185,9 @@ module "agentapi" {
      echo -n '${base64encode(local.start_script)}' | base64 -d > /tmp/start.sh
      chmod +x /tmp/start.sh
      ARG_OPENAI_API_KEY='${var.openai_api_key}' \
+     ARG_REPORT_TASKS='${var.report_tasks}' \
      ARG_CODEX_MODEL='${var.codex_model}' \
-     ARG_CODEX_START_DIRECTORY='${var.folder}' \
+     ARG_CODEX_START_DIRECTORY='${var.workdir}' \
      ARG_CODEX_TASK_PROMPT='${base64encode(var.ai_prompt)}' \
      /tmp/start.sh
    EOT
@@ -165,12 +199,14 @@ module "agentapi" {
 
     echo -n '${base64encode(local.install_script)}' | base64 -d > /tmp/install.sh
     chmod +x /tmp/install.sh
+    ARG_OPENAI_API_KEY='${var.openai_api_key}' \
+    ARG_REPORT_TASKS='${var.report_tasks}' \
     ARG_INSTALL='${var.install_codex}' \
     ARG_CODEX_VERSION='${var.codex_version}' \
     ARG_BASE_CONFIG_TOML='${base64encode(var.base_config_toml)}' \
     ARG_ADDITIONAL_MCP_SERVERS='${base64encode(var.additional_mcp_servers)}' \
     ARG_CODER_MCP_APP_STATUS_SLUG='${local.app_slug}' \
-    ARG_CODEX_START_DIRECTORY='${var.folder}' \
+    ARG_CODEX_START_DIRECTORY='${var.workdir}' \
     ARG_CODEX_INSTRUCTION_PROMPT='${base64encode(var.codex_system_prompt)}' \
     /tmp/install.sh
   EOT

registry/coder-labs/modules/codex/scripts/install.sh

@@ -22,6 +22,8 @@ printf "Start Directory: %s\n" "$ARG_CODEX_START_DIRECTORY"
 printf "Has Base Config: %s\n" "$([ -n "$ARG_BASE_CONFIG_TOML" ] && echo "Yes" || echo "No")"
 printf "Has Additional MCP: %s\n" "$([ -n "$ARG_ADDITIONAL_MCP_SERVERS" ] && echo "Yes" || echo "No")"
 printf "Has System Prompt: %s\n" "$([ -n "$ARG_CODEX_INSTRUCTION_PROMPT" ] && echo "Yes" || echo "No")"
+printf "OpenAI API Key: %s\n" "$([ -n "$ARG_OPENAI_API_KEY" ] && echo "Provided" || echo "Not provided")"
+printf "Report Tasks: %s\n" "$ARG_REPORT_TASKS"
 echo "======================================"
 
 set +o nounset
@@ -100,13 +102,20 @@ EOF
 append_mcp_servers_section() {
   local config_path="$1"
 
+  if [ "${ARG_REPORT_TASKS}" == "false" ]; then
+    ARG_CODER_MCP_APP_STATUS_SLUG=""
+    CODER_MCP_AI_AGENTAPI_URL=""
+  else
+    CODER_MCP_AI_AGENTAPI_URL="http://localhost:3284"
+  fi
+
   cat << EOF >> "$config_path"
 
 # MCP Servers Configuration
 [mcp_servers.Coder]
 command = "coder"
 args = ["exp", "mcp", "server"]
-env = { "CODER_MCP_APP_STATUS_SLUG" = "${ARG_CODER_MCP_APP_STATUS_SLUG}", "CODER_MCP_AI_AGENTAPI_URL" = "http://localhost:3284", "CODER_AGENT_URL" = "${CODER_AGENT_URL}", "CODER_AGENT_TOKEN" = "${CODER_AGENT_TOKEN}" }
+env = { "CODER_MCP_APP_STATUS_SLUG" = "${ARG_CODER_MCP_APP_STATUS_SLUG}", "CODER_MCP_AI_AGENTAPI_URL" = "${CODER_MCP_AI_AGENTAPI_URL}" , "CODER_AGENT_URL" = "${CODER_AGENT_URL}", "CODER_AGENT_TOKEN" = "${CODER_AGENT_TOKEN}" }
 description = "Report ALL tasks and statuses (in progress, done, failed) you are working on."
 type = "stdio"
 
@@ -159,7 +168,21 @@ function add_instruction_prompt_if_exists() {
   fi
 }
 
+function add_auth_json() {
+  AUTH_JSON_PATH="$HOME/.codex/auth.json"
+  mkdir -p "$(dirname "$AUTH_JSON_PATH")"
+  AUTH_JSON=$(
+    cat << EOF
+{
+  "OPENAI_API_KEY": "${ARG_OPENAI_API_KEY}"
+}
+EOF
+  )
+  echo "$AUTH_JSON" > "$AUTH_JSON_PATH"
+}
+
 install_codex
 codex --version
 populate_config_toml
 add_instruction_prompt_if_exists
+add_auth_json

registry/coder-labs/modules/codex/scripts/start.sh

@@ -22,6 +22,7 @@ printf "OpenAI API Key: %s\n" "$([ -n "$ARG_OPENAI_API_KEY" ] && echo "Provided"
 printf "Codex Model: %s\n" "${ARG_CODEX_MODEL:-"Default"}"
 printf "Start Directory: %s\n" "$ARG_CODEX_START_DIRECTORY"
 printf "Has Task Prompt: %s\n" "$([ -n "$ARG_CODEX_TASK_PROMPT" ] && echo "Yes" || echo "No")"
+printf "Report Tasks: %s\n" "$ARG_REPORT_TASKS"
 echo "======================================"
 set +o nounset
 CODEX_ARGS=()
@@ -57,7 +58,11 @@ fi
 
 if [ -n "$ARG_CODEX_TASK_PROMPT" ]; then
   printf "Running the task prompt %s\n" "$ARG_CODEX_TASK_PROMPT"
-  PROMPT="Complete the task at hand in one go. Every step of the way, report your progress using coder_report_task tool with proper summary and statuses. Your task at hand: $ARG_CODEX_TASK_PROMPT"
+  if [ "${ARG_REPORT_TASKS}" == "true" ]; then
+    PROMPT="Complete the task at hand in one go. Every step of the way, report your progress using coder_report_task tool with proper summary and statuses. Your task at hand: $ARG_CODEX_TASK_PROMPT"
+  else
+    PROMPT="Your task at hand: $ARG_CODEX_TASK_PROMPT"
+  fi
   CODEX_ARGS+=("$PROMPT")
 else
   printf "No task prompt given.\n"

registry/coder-labs/modules/sourcegraph-amp/README.md

@@ -1,5 +1,5 @@
 ---
-display_name: Amp CLI
+display_name: Amp
 icon: ../../../../.icons/sourcegraph-amp.svg
 description: Sourcegraph's AI coding agent with deep codebase understanding and intelligent code search capabilities
 verified: true
@@ -13,7 +13,7 @@ Run [Amp CLI](https://ampcode.com/) in your workspace to access Sourcegraph's AI
 ```tf
 module "amp-cli" {
   source                  = "registry.coder.com/coder-labs/sourcegraph-amp/coder"
-  version                 = "1.1.1"
+  version                 = "2.0.0"
   agent_id                = coder_agent.example.id
   sourcegraph_amp_api_key = var.sourcegraph_amp_api_key
   install_sourcegraph_amp = true
@@ -23,8 +23,10 @@ module "amp-cli" {
 
 ## Prerequisites
 
-- Include the [Coder Login](https://registry.coder.com/modules/coder-login/coder) module in your template
-- Node.js and npm are automatically installed (via NVM) if not already available
+- **Default (official installer)**: No prerequisites - the official installer includes its own runtime (Bun)
+- **npm installation (`install_via_npm = true`)**: Requires Node.js and npm to be installed before Amp installation
+  - Required for Alpine Linux or other musl-based systems
+  - Ensure Node.js and npm are available in your workspace image or via earlier provisioning steps
 
 ## Usage Example
 
@@ -35,52 +37,55 @@ data "coder_parameter" "ai_prompt" {
   type        = "string"
   default     = ""
   mutable     = true
-
 }
 
-# Set system prompt for Amp CLI via environment variables
-resource "coder_agent" "main" {
-  # ...
-  env = {
-    SOURCEGRAPH_AMP_SYSTEM_PROMPT = <<-EOT
-      You are an Amp assistant that helps developers debug and write code efficiently.
-
-      Always log task status to Coder.
-    EOT
-    SOURCEGRAPH_AMP_TASK_PROMPT   = data.coder_parameter.ai_prompt.value
-  }
-}
-
-variable "sourcegraph_amp_api_key" {
+variable "amp_api_key" {
   type        = string
   description = "Sourcegraph Amp API key. Get one at https://ampcode.com/settings"
   sensitive   = true
 }
 
 module "amp-cli" {
-  count                   = data.coder_workspace.me.start_count
-  source                  = "registry.coder.com/coder-labs/sourcegraph-amp/coder"
-  version                 = "1.1.1"
-  agent_id                = coder_agent.example.id
-  sourcegraph_amp_api_key = var.sourcegraph_amp_api_key # recommended for authenticated usage
-  install_sourcegraph_amp = true
+  count              = data.coder_workspace.me.start_count
+  source             = "registry.coder.com/coder-labs/sourcegraph-amp/coder"
+  amp_version        = "2.0.0"
+  agent_id           = coder_agent.example.id
+  amp_api_key        = var.amp_api_key # recommended for tasks usage
+  workdir            = "/home/coder/project"
+  instruction_prompt = <<-EOT
+      # Instructions
+      - Start every response with `amp > `
+EOT
+  ai_prompt          = data.coder_parameter.ai_prompt.value
+  base_amp_config = jsonencode({
+    "amp.anthropic.thinking.enabled"              = true
+    "amp.todos.enabled"                           = true
+    "amp.tools.stopTimeout"                       = 600
+    "amp.git.commit.ampThread.enabled"            = true
+    "amp.git.commit.coauthor.enabled"             = true
+    "amp.terminal.commands.nodeSpawn.loadProfile" = "daily"
+    "amp.permissions" = [
+      { "tool" : "mcp__coder__*", "action" : "allow" },
+      { "tool" : "Bash", "action" : "allow", "context" : "thread" },
+      { "tool" : "Bash", "matches" : { "cmd" : ["rm -rf /*", "rm -rf ~/*"] }, "action" : "reject", "context" : "subagent" },
+      { "tool" : "edit_file", "action" : "allow" },
+      { "tool" : "write_file", "action" : "allow" },
+      { "tool" : "read_file", "action" : "allow" },
+      { "tool" : "Grep", "action" : "allow" }
+    ]
+  })
 }
 ```
 
-## How it Works
-
-- **Install**: Installs Sourcegraph Amp CLI using npm (installs Node.js via NVM if required)
-- **Start**: Launches Amp CLI in the specified directory, wrapped with AgentAPI to enable tasks and AI interactions
-- **Environment Variables**: Sets `SOURCEGRAPH_AMP_API_KEY` and `SOURCEGRAPH_AMP_START_DIRECTORY` for the CLI execution
-
 ## Troubleshooting
 
-- If `amp` is not found, ensure `install_sourcegraph_amp = true` and your API key is valid
-- Logs are written under `/home/coder/.sourcegraph-amp-module/` (`install.log`, `agentapi-start.log`) for debugging
+- If `amp` is not found, ensure `install_amp = true` and your API key is valid
+- Logs are written under `/home/coder/.amp-module/` (`install.log`, `agentapi-start.log`) for debugging
 - If AgentAPI fails to start, verify that your container has network access and executable permissions for the scripts
 
 > [!IMPORTANT]
-> For using **Coder Tasks** with Amp CLI, make sure to pass the `AI Prompt` parameter and set `sourcegraph_amp_api_key`.
+> To use tasks with Amp CLI, create a `coder_parameter` named `"AI Prompt"` and pass its value to the amp-cli module's `ai_prompt` variable. The `folder` variable is required for the module to function correctly.
+> For using **Coder Tasks** with Amp CLI, make sure to set `amp_api_key`.
 > This ensures task reporting and status updates work seamlessly.
 
 ## References

registry/coder-labs/modules/sourcegraph-amp/main.test.ts

@@ -43,9 +43,9 @@ const setup = async (props?: SetupProps): Promise<{ id: string }> => {
   const { id } = await setupUtil({
     moduleDir: import.meta.dir,
     moduleVariables: {
-      install_sourcegraph_amp: props?.skipAmpMock ? "true" : "false",
+      workdir: "/home/coder",
+      install_amp: props?.skipAmpMock ? "true" : "false",
       install_agentapi: props?.skipAgentAPIMock ? "true" : "false",
-      sourcegraph_amp_model: "test-model",
       ...props?.moduleVariables,
     },
     registerCleanup,
@@ -68,45 +68,94 @@ const setup = async (props?: SetupProps): Promise<{ id: string }> => {
 
 setDefaultTimeout(60 * 1000);
 
-describe("sourcegraph-amp", async () => {
+describe("amp", async () => {
   beforeAll(async () => {
     await runTerraformInit(import.meta.dir);
   });
 
-  test("happy-path", async () => {
-    const { id } = await setup();
+  // test("happy-path", async () => {
+  //   const { id } = await setup();
+  //   await execModuleScript(id);
+  //   await expectAgentAPIStarted(id);
+  // });
+  //
+  // test("api-key", async () => {
+  //   const apiKey = "test-api-key-123";
+  //   const { id } = await setup({
+  //     moduleVariables: {
+  //       amp_api_key: apiKey,
+  //     },
+  //   });
+  //   await execModuleScript(id);
+  //   const resp = await readFileContainer(
+  //     id,
+  //     "/home/coder/.amp-module/agentapi-start.log",
+  //   );
+  //   expect(resp).toContain("amp_api_key provided !");
+  // });
+  //
+  test("install-latest-version", async () => {
+    const { id } = await setup({
+      skipAmpMock: true,
+      skipAgentAPIMock: true,
+      moduleVariables: {
+        amp_version: "",
+      },
+    });
     await execModuleScript(id);
     await expectAgentAPIStarted(id);
   });
 
-  test("api-key", async () => {
-    const apiKey = "test-api-key-123";
+  test("install-specific-version", async () => {
     const { id } = await setup({
+      skipAmpMock: true,
       moduleVariables: {
-        sourcegraph_amp_api_key: apiKey,
+        amp_version: "0.0.1755964909-g31e083",
       },
     });
     await execModuleScript(id);
     const resp = await readFileContainer(
       id,
-      "/home/coder/.sourcegraph-amp-module/agentapi-start.log",
+      "/home/coder/.amp-module/agentapi-start.log",
     );
-    expect(resp).toContain("sourcegraph_amp_api_key provided !");
+    expect(resp).toContain("0.0.1755964909-g31e08");
   });
 
-  test("custom-folder", async () => {
-    const folder = "/tmp/sourcegraph-amp-test";
+  test("install-via-npm", async () => {
+    const { id } = await setup({
+      skipAmpMock: true,
+      moduleVariables: {
+        install_via_npm: "true",
+      },
+    });
+    await execModuleScript(id);
+
+    const installLog = await readFileContainer(
+      id,
+      "/home/coder/.amp-module/install.log",
+    );
+    expect(installLog).toContain("Installing Amp via npm");
+
+    const startLog = await readFileContainer(
+      id,
+      "/home/coder/.amp-module/agentapi-start.log",
+    );
+    expect(startLog).toContain("AMP version:");
+  });
+
+  test("custom-workdir", async () => {
+    const workdir = "/tmp/amp-test";
     const { id } = await setup({
       moduleVariables: {
-        folder,
+        workdir,
       },
     });
     await execModuleScript(id);
     const resp = await readFileContainer(
       id,
-      "/home/coder/.sourcegraph-amp-module/install.log",
+      "/home/coder/.amp-module/agentapi-start.log",
     );
-    expect(resp).toContain(folder);
+    expect(resp).toContain(workdir);
   });
 
   test("pre-post-install-scripts", async () => {
@@ -119,39 +168,104 @@ describe("sourcegraph-amp", async () => {
     await execModuleScript(id);
     const preLog = await readFileContainer(
       id,
-      "/home/coder/.sourcegraph-amp-module/pre_install.log",
+      "/home/coder/.amp-module/pre_install.log",
     );
     expect(preLog).toContain("pre-install-script");
     const postLog = await readFileContainer(
       id,
-      "/home/coder/.sourcegraph-amp-module/post_install.log",
+      "/home/coder/.amp-module/post_install.log",
     );
     expect(postLog).toContain("post-install-script");
   });
 
-  test("system-prompt", async () => {
-    const prompt = "this is a system prompt for AMP";
-    const { id } = await setup();
-    await execModuleScript(id, {
-      SOURCEGRAPH_AMP_SYSTEM_PROMPT: prompt,
+  test("instruction-prompt", async () => {
+    const prompt = "this is a instruction prompt for AMP";
+    const { id } = await setup({
+      moduleVariables: {
+        instruction_prompt: prompt,
+      },
     });
-    const resp = await readFileContainer(
-      id,
-      "/home/coder/.sourcegraph-amp-module/SYSTEM_PROMPT.md",
-    );
+    await execModuleScript(id);
+    const resp = await readFileContainer(id, "/home/coder/.config/AGENTS.md");
     expect(resp).toContain(prompt);
   });
 
-  test("task-prompt", async () => {
+  test("ai-prompt", async () => {
     const prompt = "this is a task prompt for AMP";
-    const { id } = await setup();
-    await execModuleScript(id, {
-      SOURCEGRAPH_AMP_TASK_PROMPT: prompt,
+    const { id } = await setup({
+      moduleVariables: {
+        ai_prompt: prompt,
+      },
     });
+    await execModuleScript(id);
     const resp = await readFileContainer(
       id,
-      "/home/coder/.sourcegraph-amp-module/agentapi-start.log",
+      "/home/coder/.amp-module/agentapi-start.log",
     );
-    expect(resp).toContain(`sourcegraph amp task prompt provided : ${prompt}`);
+    expect(resp).toContain(`amp task prompt provided : ${prompt}`);
+  });
+
+  test("custom-base-config", async () => {
+    const customConfig = JSON.stringify({
+      "amp.anthropic.thinking.enabled": false,
+      "amp.todos.enabled": false,
+      "amp.tools.stopTimeout": 900,
+      "amp.git.commit.ampThread.enabled": true,
+    });
+    const customMcp = JSON.stringify({
+      "test-server": {
+        command: "/usr/bin/test-mcp",
+        args: ["--test-arg"],
+        type: "stdio",
+      },
+    });
+    const { id } = await setup({
+      moduleVariables: {
+        base_amp_config: customConfig,
+        mcp: customMcp,
+      },
+    });
+    await execModuleScript(id, {
+      CODER_AGENT_TOKEN: "test-token",
+      CODER_AGENT_URL: "http://test-url:3000",
+    });
+    const settingsContent = await readFileContainer(
+      id,
+      "/home/coder/.config/amp/settings.json",
+    );
+    const settings = JSON.parse(settingsContent);
+
+    expect(settings["amp.anthropic.thinking.enabled"]).toBe(false);
+    expect(settings["amp.todos.enabled"]).toBe(false);
+    expect(settings["amp.tools.stopTimeout"]).toBe(900);
+    expect(settings["amp.git.commit.ampThread.enabled"]).toBe(true);
+    expect(settings["amp.mcpServers"]).toBeDefined();
+    expect(settings["amp.mcpServers"].coder).toBeDefined();
+    expect(settings["amp.mcpServers"]["test-server"]).toBeDefined();
+    expect(settings["amp.mcpServers"]["test-server"].command).toBe(
+      "/usr/bin/test-mcp",
+    );
+    expect(settings["amp.mcpServers"]["test-server"].args).toEqual([
+      "--test-arg",
+    ]);
+  });
+
+  test("default-base-config", async () => {
+    const { id } = await setup();
+    await execModuleScript(id, {
+      CODER_AGENT_TOKEN: "test-token",
+      CODER_AGENT_URL: "http://test-url:3000",
+    });
+    const settingsContent = await readFileContainer(
+      id,
+      "/home/coder/.config/amp/settings.json",
+    );
+    const settings = JSON.parse(settingsContent);
+
+    expect(settings["amp.anthropic.thinking.enabled"]).toBe(true);
+    expect(settings["amp.todos.enabled"]).toBe(true);
+    expect(settings["amp.mcpServers"]).toBeDefined();
+    expect(settings["amp.mcpServers"].coder).toBeDefined();
+    expect(settings["amp.mcpServers"].coder.command).toBe("coder");
   });
 });

registry/coder-labs/modules/sourcegraph-amp/main.tf

@@ -36,28 +36,9 @@ variable "icon" {
   default     = "/icon/sourcegraph-amp.svg"
 }
 
-variable "folder" {
+variable "workdir" {
   type        = string
-  description = "The folder to run sourcegraph_amp in."
-  default     = "/home/coder"
-}
-
-variable "install_sourcegraph_amp" {
-  type        = bool
-  description = "Whether to install sourcegraph-amp."
-  default     = true
-}
-
-variable "sourcegraph_amp_api_key" {
-  type        = string
-  description = "sourcegraph-amp API Key"
-  default     = ""
-}
-
-resource "coder_env" "sourcegraph_amp_api_key" {
-  agent_id = var.agent_id
-  name     = "SOURCEGRAPH_AMP_API_KEY"
-  value    = var.sourcegraph_amp_api_key
+  description = "The folder to run AMP CLI in."
 }
 
 variable "install_agentapi" {
@@ -72,18 +53,84 @@ variable "agentapi_version" {
   default     = "v0.10.0"
 }
 
+variable "cli_app" {
+  type        = bool
+  description = "Whether to create a CLI app for Claude Code"
+  default     = false
+}
+
+variable "web_app_display_name" {
+  type        = string
+  description = "Display name for the web app"
+  default     = "Amp"
+}
+
+variable "cli_app_display_name" {
+  type        = string
+  description = "Display name for the CLI app"
+  default     = "Amp CLI"
+}
+
 variable "pre_install_script" {
   type        = string
-  description = "Custom script to run before installing sourcegraph_amp"
+  description = "Custom script to run before installing amp cli"
   default     = null
 }
 
 variable "post_install_script" {
   type        = string
-  description = "Custom script to run after installing sourcegraph_amp."
+  description = "Custom script to run after installing amp cli."
   default     = null
 }
 
+variable "report_tasks" {
+  type        = bool
+  description = "Whether to enable task reporting to Coder UI"
+  default     = true
+}
+
+variable "install_amp" {
+  type        = bool
+  description = "Whether to install amp cli."
+  default     = true
+}
+
+variable "install_via_npm" {
+  type        = bool
+  description = "Install Amp via npm instead of the official installer."
+  default     = false
+}
+
+variable "amp_api_key" {
+  type        = string
+  description = "amp cli API Key"
+  default     = ""
+}
+
+variable "amp_version" {
+  type        = string
+  description = "The version of amp cli to install."
+  default     = ""
+}
+
+variable "ai_prompt" {
+  type        = string
+  description = "Task prompt for the Amp CLI"
+  default     = ""
+}
+
+variable "instruction_prompt" {
+  type        = string
+  description = "Instruction prompt for the Amp CLI. https://ampcode.com/manual#AGENTS.md"
+  default     = ""
+}
+
+resource "coder_env" "amp_api_key" {
+  agent_id = var.agent_id
+  name     = "AMP_API_KEY"
+  value    = var.amp_api_key
+}
+
 variable "base_amp_config" {
   type        = string
   description = <<-EOT
@@ -102,22 +149,25 @@ variable "base_amp_config" {
   default     = ""
 }
 
-variable "additional_mcp_servers" {
+variable "mcp" {
   type        = string
   description = "Additional MCP servers configuration in JSON format to append to amp.mcpServers."
   default     = null
 }
 
+data "external" "env" {
+  program = ["sh", "-c", "echo '{\"CODER_AGENT_TOKEN\":\"'$CODER_AGENT_TOKEN'\",\"CODER_AGENT_URL\":\"'$CODER_AGENT_URL'\"}'"]
+}
+
 locals {
   app_slug = "amp"
 
-  default_base_config = {
+  default_base_config = jsonencode({
     "amp.anthropic.thinking.enabled" = true
     "amp.todos.enabled"              = true
-  }
+  })
 
-  # Use provided config or default, then extract base settings (excluding mcpServers)
-  user_config       = var.base_amp_config != "" ? jsondecode(var.base_amp_config) : local.default_base_config
+  user_config       = jsondecode(var.base_amp_config != "" ? var.base_amp_config : local.default_base_config)
   base_amp_settings = { for k, v in local.user_config : k => v if k != "amp.mcpServers" }
 
   coder_mcp = {
@@ -125,14 +175,16 @@ locals {
       "command" = "coder"
       "args"    = ["exp", "mcp", "server"]
       "env" = {
-        "CODER_MCP_APP_STATUS_SLUG" = local.app_slug
-        "CODER_MCP_AI_AGENTAPI_URL" = "http://localhost:3284"
+        "CODER_MCP_APP_STATUS_SLUG" = var.report_tasks == true ? local.app_slug : ""
+        "CODER_MCP_AI_AGENTAPI_URL" = var.report_tasks == true ? "http://localhost:3284" : ""
+        "CODER_AGENT_TOKEN"         = data.external.env.result.CODER_AGENT_TOKEN
+        "CODER_AGENT_URL"           = data.external.env.result.CODER_AGENT_URL
       }
       "type" = "stdio"
     }
   }
 
-  additional_mcp = var.additional_mcp_servers != null ? jsondecode(var.additional_mcp_servers) : {}
+  additional_mcp = var.mcp != null ? jsondecode(var.mcp) : {}
 
   merged_mcp_servers = merge(
     lookup(local.user_config, "amp.mcpServers", {}),
@@ -146,8 +198,8 @@ locals {
 
   install_script  = file("${path.module}/scripts/install.sh")
   start_script    = file("${path.module}/scripts/start.sh")
-  module_dir_name = ".sourcegraph-amp-module"
-  folder          = trimsuffix(var.folder, "/")
+  module_dir_name = ".amp-module"
+  workdir         = trimsuffix(var.workdir, "/")
 }
 
 module "agentapi" {
@@ -155,14 +207,15 @@ module "agentapi" {
   version = "1.2.0"
 
   agent_id             = var.agent_id
-  folder               = local.folder
+  folder               = local.workdir
   web_app_slug         = local.app_slug
   web_app_order        = var.order
   web_app_group        = var.group
   web_app_icon         = var.icon
-  web_app_display_name = "Sourcegraph Amp"
-  cli_app_slug         = "${local.app_slug}-cli"
-  cli_app_display_name = "Sourcegraph Amp CLI"
+  web_app_display_name = var.web_app_display_name
+  cli_app              = var.cli_app
+  cli_app_slug         = var.cli_app ? "${local.app_slug}-cli" : null
+  cli_app_display_name = var.cli_app ? var.cli_app_display_name : null
   module_dir_name      = local.module_dir_name
   install_agentapi     = var.install_agentapi
   agentapi_version     = var.agentapi_version
@@ -175,8 +228,10 @@ module "agentapi" {
 
      echo -n '${base64encode(local.start_script)}' | base64 -d > /tmp/start.sh
      chmod +x /tmp/start.sh
-     SOURCEGRAPH_AMP_API_KEY='${var.sourcegraph_amp_api_key}' \
-     SOURCEGRAPH_AMP_START_DIRECTORY='${var.folder}' \
+     ARG_AMP_API_KEY='${var.amp_api_key}' \
+     ARG_AMP_START_DIRECTORY='${var.workdir}' \
+     ARG_AMP_TASK_PROMPT='${base64encode(var.ai_prompt)}' \
+     ARG_REPORT_TASKS='${var.report_tasks}' \
      /tmp/start.sh
    EOT
 
@@ -187,9 +242,11 @@ module "agentapi" {
 
     echo -n '${base64encode(local.install_script)}' | base64 -d > /tmp/install.sh
     chmod +x /tmp/install.sh
-    ARG_INSTALL_SOURCEGRAPH_AMP='${var.install_sourcegraph_amp}' \
-    SOURCEGRAPH_AMP_START_DIRECTORY='${var.folder}' \
-    ARG_AMP_CONFIG="$(echo -n '${base64encode(jsonencode(local.final_config))}' | base64 -d)" \
+    ARG_INSTALL_AMP='${var.install_amp}' \
+    ARG_INSTALL_VIA_NPM='${var.install_via_npm}' \
+    ARG_AMP_CONFIG="${base64encode(jsonencode(local.final_config))}" \
+    ARG_AMP_VERSION='${var.amp_version}' \
+    ARG_AMP_INSTRUCTION_PROMPT='${base64encode(var.instruction_prompt)}' \
     /tmp/install.sh
   EOT
 }

registry/coder-labs/modules/sourcegraph-amp/scripts/install.sh

@@ -1,77 +1,119 @@
 #!/bin/bash
 set -euo pipefail
 
+source "$HOME"/.bashrc
+
 # ANSI colors
 BOLD='\033[1m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+ARG_INSTALL_AMP=${ARG_INSTALL_AMP:-true}
+ARG_INSTALL_VIA_NPM=${ARG_INSTALL_VIA_NPM:-false}
+ARG_AMP_VERSION=${ARG_AMP_VERSION:-}
+ARG_AMP_INSTRUCTION_PROMPT=$(echo -n "${ARG_AMP_INSTRUCTION_PROMPT:-}" | base64 -d)
+ARG_AMP_CONFIG=$(echo -n "${ARG_AMP_CONFIG:-}" | base64 -d)
 
 echo "--------------------------------"
-echo "Install flag: $ARG_INSTALL_SOURCEGRAPH_AMP"
-echo "Workspace: $SOURCEGRAPH_AMP_START_DIRECTORY"
+printf "Install flag: %s\n" "$ARG_INSTALL_AMP"
+printf "Install via npm: %s\n" "$ARG_INSTALL_VIA_NPM"
+printf "Amp Version: %s\n" "$ARG_AMP_VERSION"
+printf "AMP Config: %s\n" "$ARG_AMP_CONFIG"
+printf "Instruction Prompt: %s\n" "$ARG_AMP_INSTRUCTION_PROMPT"
 echo "--------------------------------"
 
-# Helper function to check if a command exists
 command_exists() {
   command -v "$1" > /dev/null 2>&1
 }
 
-function install_node() {
-  if ! command_exists npm; then
-    printf "npm not found, checking for Node.js installation...\n"
-    if ! command_exists node; then
-      printf "Node.js not found, installing Node.js via NVM...\n"
-      export NVM_DIR="$HOME/.nvm"
-      if [ ! -d "$NVM_DIR" ]; then
-        mkdir -p "$NVM_DIR"
-        curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
-        [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
-      else
-        [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
-      fi
+install_amp_npm() {
+  printf "%s${YELLOW}Installing Amp via npm${NC}\n" "${BOLD}"
 
-      # Temporarily disable nounset (-u) for nvm to avoid PROVIDED_VERSION error
-      set +u
-      nvm install --lts
-      nvm use --lts
-      nvm alias default node
-      set -u
-
-      printf "Node.js installed: %s\n" "$(node --version)"
-      printf "npm installed: %s\n" "$(npm --version)"
-    else
-      printf "Node.js is installed but npm is not available. Please install npm manually.\n"
-      exit 1
-    fi
+  # Load nvm if available
+  # shellcheck source=/dev/null
+  if [ -f "$HOME/.nvm/nvm.sh" ]; then
+    source "$HOME/.nvm/nvm.sh"
   fi
-}
 
-function install_sourcegraph_amp() {
-  if [ "${ARG_INSTALL_SOURCEGRAPH_AMP}" = "true" ]; then
-    install_node
-
-    # If nvm is not used, set up user npm global directory
-    if ! command_exists nvm; then
-      mkdir -p "$HOME/.npm-global"
-      npm config set prefix "$HOME/.npm-global"
-      export PATH="$HOME/.npm-global/bin:$PATH"
-      if ! grep -q "export PATH=$HOME/.npm-global/bin:\$PATH" ~/.bashrc; then
-        echo "export PATH=$HOME/.npm-global/bin:\$PATH" >> ~/.bashrc
-      fi
-    fi
-
-    printf "%s Installing Sourcegraph AMP CLI...\n" "${BOLD}"
-    npm install -g @sourcegraph/amp@0.0.1754179307-gba1f97
-    printf "%s Successfully installed Sourcegraph AMP CLI. Version: %s\n" "${BOLD}" "$(amp --version)"
+  if ! command_exists node || ! command_exists npm; then
+    printf "${YELLOW}Warning: Node.js/npm not found. Skipping Amp installation.${NC}\n"
+    printf "To install Amp via npm, please install Node.js and npm first.\n"
+    return 1
   fi
-}
 
-function setup_system_prompt() {
-  if [ -n "${SOURCEGRAPH_AMP_SYSTEM_PROMPT:-}" ]; then
-    echo "Setting Sourcegraph AMP system prompt..."
-    mkdir -p "$HOME/.sourcegraph-amp-module"
-    echo "$SOURCEGRAPH_AMP_SYSTEM_PROMPT" > "$HOME/.sourcegraph-amp-module/SYSTEM_PROMPT.md"
-    echo "System prompt saved to $HOME/.sourcegraph-amp-module/SYSTEM_PROMPT.md"
+  printf "Node.js version: %s\n" "$(node --version)"
+  printf "npm version: %s\n" "$(npm --version)"
+
+  NPM_GLOBAL_PREFIX="${HOME}/.npm-global"
+  if [ ! -d "$NPM_GLOBAL_PREFIX" ]; then
+    mkdir -p "$NPM_GLOBAL_PREFIX"
+  fi
+
+  npm config set prefix "$NPM_GLOBAL_PREFIX"
+  export PATH="$NPM_GLOBAL_PREFIX/bin:$PATH"
+
+  if [ -n "$ARG_AMP_VERSION" ]; then
+    npm install -g "@sourcegraph/amp@$ARG_AMP_VERSION"
   else
-    echo "No system prompt provided for Sourcegraph AMP."
+    npm install -g "@sourcegraph/amp"
+  fi
+
+  if ! grep -q 'export PATH="$HOME/.npm-global/bin:$PATH"' "$HOME/.bashrc"; then
+    echo 'export PATH="$HOME/.npm-global/bin:$PATH"' >> "$HOME/.bashrc"
+  fi
+}
+
+install_amp_official() {
+  printf "%s Installing Amp using official installer\n" "${BOLD}"
+
+  if [ -n "$ARG_AMP_VERSION" ]; then
+    export AMP_VERSION="$ARG_AMP_VERSION"
+    printf "Installing Amp version: %s\n" "$AMP_VERSION"
+  fi
+
+  if curl -fsSL https://ampcode.com/install.sh | bash; then
+    export PATH="$HOME/.local/bin:$HOME/.amp/bin:$PATH"
+
+    if ! grep -q 'export PATH="$HOME/.local/bin:$PATH"' "$HOME/.bashrc"; then
+      echo 'export PATH="$HOME/.local/bin:$PATH"' >> "$HOME/.bashrc"
+    fi
+  else
+    printf "${YELLOW}Warning: Official installer failed. Installation skipped.${NC}\n"
+    return 1
+  fi
+}
+
+function install_amp() {
+  if [ "${ARG_INSTALL_AMP}" = "true" ]; then
+    if [ "${ARG_INSTALL_VIA_NPM}" = "true" ]; then
+      install_amp_npm || {
+        printf "${YELLOW}Amp installation via npm failed.${NC}\n"
+        return 0
+      }
+    else
+      install_amp_official || {
+        printf "${YELLOW}Amp installation via official installer failed.${NC}\n"
+        return 0
+      }
+    fi
+
+    if command_exists amp; then
+      printf "%s${GREEN}Successfully installed Sourcegraph Amp CLI. Version: %s${NC}\n" "${BOLD}" "$(amp --version)"
+    fi
+  else
+    printf "Skipping Sourcegraph Amp CLI installation (install_amp=false)\n"
+  fi
+}
+
+function setup_instruction_prompt() {
+  if [ -n "${ARG_AMP_INSTRUCTION_PROMPT:-}" ]; then
+    echo "Setting AMP instruction prompt..."
+    mkdir -p "$HOME/.config"
+    echo "$ARG_AMP_INSTRUCTION_PROMPT" > "$HOME/.config/AGENTS.md"
+    echo "Instruction prompt saved to $HOME/.config/AGENTS.md"
+  else
+    echo "No instruction prompt provided for Sourcegraph AMP."
   fi
 }
 
@@ -86,11 +128,17 @@ function configure_amp_settings() {
   fi
 
   echo "Writing AMP configuration to $SETTINGS_PATH"
-  printf '%s\n' "$ARG_AMP_CONFIG" > "$SETTINGS_PATH"
+  UPDATED_CONFIG=$(echo "$ARG_AMP_CONFIG" | jq --arg token "$CODER_AGENT_TOKEN" --arg url "$CODER_AGENT_URL" \
+    ".[\"amp.mcpServers\"].coder.env += {
+      \"CODER_AGENT_TOKEN\": \"$CODER_AGENT_TOKEN\",
+      \"CODER_AGENT_URL\": \"$CODER_AGENT_URL\"
+    }")
+  printf "UPDATED_CONFIG: %s\n" "$UPDATED_CONFIG"
+  printf '%s\n' "$UPDATED_CONFIG" > "$SETTINGS_PATH"
 
   echo "AMP configuration complete"
 }
 
-install_sourcegraph_amp
-setup_system_prompt
+install_amp
+setup_instruction_prompt
 configure_amp_settings

registry/coder-labs/modules/sourcegraph-amp/scripts/start.sh

@@ -6,11 +6,11 @@ set -euo pipefail
 source "$HOME/.bashrc"
 # shellcheck source=/dev/null
 if [ -f "$HOME/.nvm/nvm.sh" ]; then
-  source "$HOME"/.nvm/nvm.sh
-else
-  export PATH="$HOME/.npm-global/bin:$PATH"
+  source "$HOME/.nvm/nvm.sh"
 fi
 
+export PATH="$HOME/.local/bin:$HOME/.amp/bin:$HOME/.npm-global/bin:$PATH"
+
 function ensure_command() {
   command -v "$1" &> /dev/null || {
     echo "Error: '$1' not found." >&2
@@ -18,10 +18,21 @@ function ensure_command() {
   }
 }
 
+ARG_AMP_START_DIRECTORY=${ARG_AMP_START_DIRECTORY:-"$HOME"}
+ARG_AMP_API_KEY=${ARG_AMP_API_KEY:-}
+ARG_AMP_TASK_PROMPT=$(echo -n "${ARG_AMP_TASK_PROMPT:-}" | base64 -d)
+ARG_REPORT_TASKS=${ARG_REPORT_TASKS:-true}
+
+echo "--------------------------------"
+printf "Workspace: %s\n" "$ARG_AMP_START_DIRECTORY"
+printf "Task Prompt: %s\n" "$ARG_AMP_TASK_PROMPT"
+printf "ARG_REPORT_TASKS: %s\n" "$ARG_REPORT_TASKS"
+echo "--------------------------------"
+
 ensure_command amp
 echo "AMP version: $(amp --version)"
 
-dir="$SOURCEGRAPH_AMP_START_DIRECTORY"
+dir="$ARG_AMP_START_DIRECTORY"
 if [[ -d "$dir" ]]; then
   echo "Using existing directory: $dir"
 else
@@ -30,20 +41,23 @@ else
 fi
 cd "$dir"
 
-if [ -n "$SOURCEGRAPH_AMP_API_KEY" ]; then
-  printf "sourcegraph_amp_api_key provided !\n"
-  export AMP_API_KEY=$SOURCEGRAPH_AMP_API_KEY
+if [ -n "$ARG_AMP_API_KEY" ]; then
+  printf "amp_api_key provided !\n"
+  export AMP_API_KEY=$ARG_AMP_API_KEY
 else
-  printf "sourcegraph_amp_api_key not provided\n"
+  printf "amp_api_key not provided\n"
 fi
 
-if [ -n "${SOURCEGRAPH_AMP_TASK_PROMPT:-}" ]; then
-  printf "sourcegraph amp task prompt provided : $SOURCEGRAPH_AMP_TASK_PROMPT"
-  PROMPT="Every step of the way, report tasks to Coder with proper descriptions and statuses. Your task at hand: $SOURCEGRAPH_AMP_TASK_PROMPT"
-
+if [ -n "$ARG_AMP_TASK_PROMPT" ]; then
+  if [ "$ARG_REPORT_TASKS" == "true" ]; then
+    printf "amp task prompt provided : %s" "$ARG_AMP_TASK_PROMPT\n"
+    PROMPT="Every step of the way, report your progress using coder_report_task tool with proper summary and statuses. Your task at hand: $ARG_AMP_TASK_PROMPT"
+  else
+    PROMPT="$ARG_AMP_TASK_PROMPT"
+  fi
   # Pipe the prompt into amp, which will be run inside agentapi
-  agentapi server --term-width=67 --term-height=1190 -- bash -c "echo \"$PROMPT\" | amp"
+  agentapi server --type amp --term-width=67 --term-height=1190 -- bash -c "echo \"$PROMPT\" | amp"
 else
   printf "No task prompt given.\n"
-  agentapi server --term-width=67 --term-height=1190 -- amp
+  agentapi server --type amp --term-width=67 --term-height=1190 -- amp
 fi

registry/coder/modules/claude-code/README.md

@@ -13,7 +13,7 @@ Run the [Claude Code](https://docs.anthropic.com/en/docs/agents-and-tools/claude
 ```tf
 module "claude-code" {
   source         = "registry.coder.com/coder/claude-code/coder"
-  version        = "3.1.1"
+  version        = "3.2.0"
   agent_id       = coder_agent.example.id
   workdir        = "/home/coder/project"
   claude_api_key = "xxxx-xxxxx-xxxx"
@@ -49,7 +49,7 @@ data "coder_parameter" "ai_prompt" {
 
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "3.1.1"
+  version  = "3.2.0"
   agent_id = coder_agent.example.id
   workdir  = "/home/coder/project"
 
@@ -85,7 +85,7 @@ Run and configure Claude Code as a standalone CLI in your workspace.
 ```tf
 module "claude-code" {
   source              = "registry.coder.com/coder/claude-code/coder"
-  version             = "3.1.1"
+  version             = "3.2.0"
   agent_id            = coder_agent.example.id
   workdir             = "/home/coder"
   install_claude_code = true
@@ -108,7 +108,7 @@ variable "claude_code_oauth_token" {
 
 module "claude-code" {
   source                  = "registry.coder.com/coder/claude-code/coder"
-  version                 = "3.1.1"
+  version                 = "3.2.0"
   agent_id                = coder_agent.example.id
   workdir                 = "/home/coder/project"
   claude_code_oauth_token = var.claude_code_oauth_token
@@ -181,7 +181,7 @@ resource "coder_env" "bedrock_api_key" {
 
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "3.1.1"
+  version  = "3.2.0"
   agent_id = coder_agent.example.id
   workdir  = "/home/coder/project"
   model    = "global.anthropic.claude-sonnet-4-5-20250929-v1:0"
@@ -238,7 +238,7 @@ resource "coder_env" "google_application_credentials" {
 
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "3.1.1"
+  version  = "3.2.0"
   agent_id = coder_agent.example.id
   workdir  = "/home/coder/project"
   model    = "claude-sonnet-4@20250514"

registry/coder/modules/claude-code/main.tf

@@ -192,6 +192,42 @@ variable "claude_md_path" {
   default     = "$HOME/.claude/CLAUDE.md"
 }
 
+variable "enable_boundary" {
+  type        = bool
+  description = "Whether to enable coder boundary for network filtering"
+  default     = false
+}
+
+variable "boundary_version" {
+  type        = string
+  description = "Boundary version, valid git reference should be provided (tag, commit, branch)"
+  default     = "main"
+}
+
+variable "boundary_log_dir" {
+  type        = string
+  description = "Directory for boundary logs"
+  default     = "/tmp/boundary_logs"
+}
+
+variable "boundary_log_level" {
+  type        = string
+  description = "Log level for boundary process"
+  default     = "WARN"
+}
+
+variable "boundary_additional_allowed_urls" {
+  type        = list(string)
+  description = "Additional URLs to allow through boundary (in addition to default allowed URLs)"
+  default     = []
+}
+
+variable "boundary_proxy_port" {
+  type        = string
+  description = "Port for HTTP Proxy used by Boundary"
+  default     = "8087"
+}
+
 resource "coder_env" "claude_code_md_path" {
   count = var.claude_md_path == "" ? 0 : 1
 
@@ -229,6 +265,8 @@ locals {
   start_script                      = file("${path.module}/scripts/start.sh")
   module_dir_name                   = ".claude-module"
   remove_last_session_id_script_b64 = base64encode(file("${path.module}/scripts/remove-last-session-id.sh"))
+  # Extract hostname from access_url for boundary --allow flag
+  coder_host = replace(replace(data.coder_workspace.me.access_url, "https://", ""), "http://", "")
 
   # Required prompts for the module to properly report task status to Coder
   report_tasks_system_prompt = <<-EOT
@@ -299,6 +337,13 @@ module "agentapi" {
      ARG_PERMISSION_MODE='${var.permission_mode}' \
      ARG_WORKDIR='${local.workdir}' \
      ARG_AI_PROMPT='${base64encode(var.ai_prompt)}' \
+     ARG_ENABLE_BOUNDARY='${var.enable_boundary}' \
+     ARG_BOUNDARY_VERSION='${var.boundary_version}' \
+     ARG_BOUNDARY_LOG_DIR='${var.boundary_log_dir}' \
+     ARG_BOUNDARY_LOG_LEVEL='${var.boundary_log_level}' \
+     ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS='${join(" ", var.boundary_additional_allowed_urls)}' \
+     ARG_BOUNDARY_PROXY_PORT='${var.boundary_proxy_port}' \
+     ARG_CODER_HOST='${local.coder_host}' \
      /tmp/start.sh
    EOT
 

registry/coder/modules/claude-code/main.tftest.hcl

@@ -188,6 +188,32 @@ run "test_claude_code_permission_mode_validation" {
   }
 }
 
+run "test_claude_code_with_boundary" {
+  command = plan
+
+  variables {
+    agent_id         = "test-agent-boundary"
+    workdir          = "/home/coder/boundary-test"
+    enable_boundary  = true
+    boundary_log_dir = "/tmp/test-boundary-logs"
+  }
+
+  assert {
+    condition     = var.enable_boundary == true
+    error_message = "Boundary should be enabled"
+  }
+
+  assert {
+    condition     = var.boundary_log_dir == "/tmp/test-boundary-logs"
+    error_message = "Boundary log dir should be set correctly"
+  }
+
+  assert {
+    condition     = local.coder_host != ""
+    error_message = "Coder host should be extracted from access URL"
+  }
+}
+
 run "test_claude_code_system_prompt" {
   command = plan
 
@@ -267,4 +293,4 @@ run "test_claude_report_tasks_disabled" {
     condition     = endswith(trimspace(coder_env.claude_code_system_prompt.value), "</system>")
     error_message = "System prompt should end with </system>"
   }
-}
+}

registry/coder/modules/claude-code/scripts/start.sh

@@ -17,6 +17,12 @@ ARG_DANGEROUSLY_SKIP_PERMISSIONS=${ARG_DANGEROUSLY_SKIP_PERMISSIONS:-}
 ARG_PERMISSION_MODE=${ARG_PERMISSION_MODE:-}
 ARG_WORKDIR=${ARG_WORKDIR:-"$HOME"}
 ARG_AI_PROMPT=$(echo -n "${ARG_AI_PROMPT:-}" | base64 -d)
+ARG_ENABLE_BOUNDARY=${ARG_ENABLE_BOUNDARY:-false}
+ARG_BOUNDARY_VERSION=${ARG_BOUNDARY_VERSION:-"main"}
+ARG_BOUNDARY_LOG_DIR=${ARG_BOUNDARY_LOG_DIR:-"/tmp/boundary_logs"}
+ARG_BOUNDARY_LOG_LEVEL=${ARG_BOUNDARY_LOG_LEVEL:-"WARN"}
+ARG_BOUNDARY_PROXY_PORT=${ARG_BOUNDARY_PROXY_PORT:-"8087"}
+ARG_CODER_HOST=${ARG_CODER_HOST:-}
 
 echo "--------------------------------"
 
@@ -27,6 +33,12 @@ printf "ARG_DANGEROUSLY_SKIP_PERMISSIONS: %s\n" "$ARG_DANGEROUSLY_SKIP_PERMISSIO
 printf "ARG_PERMISSION_MODE: %s\n" "$ARG_PERMISSION_MODE"
 printf "ARG_AI_PROMPT: %s\n" "$ARG_AI_PROMPT"
 printf "ARG_WORKDIR: %s\n" "$ARG_WORKDIR"
+printf "ARG_ENABLE_BOUNDARY: %s\n" "$ARG_ENABLE_BOUNDARY"
+printf "ARG_BOUNDARY_VERSION: %s\n" "$ARG_BOUNDARY_VERSION"
+printf "ARG_BOUNDARY_LOG_DIR: %s\n" "$ARG_BOUNDARY_LOG_DIR"
+printf "ARG_BOUNDARY_LOG_LEVEL: %s\n" "$ARG_BOUNDARY_LOG_LEVEL"
+printf "ARG_BOUNDARY_PROXY_PORT: %s\n" "$ARG_BOUNDARY_PROXY_PORT"
+printf "ARG_CODER_HOST: %s\n" "$ARG_CODER_HOST"
 
 echo "--------------------------------"
 
@@ -35,6 +47,14 @@ echo "--------------------------------"
 # avoid exiting if the script fails
 bash "/tmp/remove-last-session-id.sh" "$(pwd)" 2> /dev/null || true
 
+function install_boundary() {
+  # Install boundary from public github repo
+  git clone https://github.com/coder/boundary
+  cd boundary
+  git checkout $ARG_BOUNDARY_VERSION
+  go install ./cmd/...
+}
+
 function validate_claude_installation() {
   if command_exists claude; then
     printf "Claude Code is installed\n"
@@ -76,7 +96,47 @@ function start_agentapi() {
     fi
   fi
   printf "Running claude code with args: %s\n" "$(printf '%q ' "${ARGS[@]}")"
-  agentapi server --type claude --term-width 67 --term-height 1190 -- claude "${ARGS[@]}"
+
+  if [ "${ARG_ENABLE_BOUNDARY:-false}" = "true" ]; then
+    install_boundary
+
+    mkdir -p "$ARG_BOUNDARY_LOG_DIR"
+    printf "Starting with coder boundary enabled\n"
+
+    # Build boundary args with conditional --unprivileged flag
+    BOUNDARY_ARGS=(--log-dir "$ARG_BOUNDARY_LOG_DIR")
+    # Add default allowed URLs
+    BOUNDARY_ARGS+=(--allow "*anthropic.com" --allow "registry.npmjs.org" --allow "*sentry.io" --allow "claude.ai" --allow "$ARG_CODER_HOST")
+
+    # Add any additional allowed URLs from the variable
+    if [ -n "$ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS" ]; then
+      IFS=' ' read -ra ADDITIONAL_URLS <<< "$ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS"
+      for url in "${ADDITIONAL_URLS[@]}"; do
+        BOUNDARY_ARGS+=(--allow "$url")
+      done
+    fi
+
+    # Set HTTP Proxy port used by Boundary
+    BOUNDARY_ARGS+=(--proxy-port $ARG_BOUNDARY_PROXY_PORT)
+
+    # Set log level for boundary
+    BOUNDARY_ARGS+=(--log-level $ARG_BOUNDARY_LOG_LEVEL)
+
+    # Remove --dangerously-skip-permissions from ARGS when using boundary (it doesn't work with elevated permissions)
+    # Create a new array without the dangerous permissions flag
+    CLAUDE_ARGS=()
+    for arg in "${ARGS[@]}"; do
+      if [ "$arg" != "--dangerously-skip-permissions" ]; then
+        CLAUDE_ARGS+=("$arg")
+      fi
+    done
+
+    agentapi server --allowed-hosts="*" --type claude --term-width 67 --term-height 1190 -- \
+      sudo -E env PATH=$PATH setpriv --inh-caps=+net_admin --ambient-caps=+net_admin --bounding-set=+net_admin boundary "${BOUNDARY_ARGS[@]}" -- \
+      claude "${CLAUDE_ARGS[@]}"
+  else
+    agentapi server --type claude --term-width 67 --term-height 1190 -- claude "${ARGS[@]}"
+  fi
 }
 
 validate_claude_installation

scripts/terraform_test_all.sh

@@ -1,7 +1,14 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-# Find all directories that contain any .tftest.hcl files and run terraform test in each
+# Auto-detect which Terraform tests to run based on changed files from paths-filter
+# Uses paths-filter outputs from GitHub Actions:
+#   ALL_CHANGED_FILES - all files changed in the PR (for logging)
+#   SHARED_CHANGED - boolean indicating if shared infrastructure changed
+#   MODULE_CHANGED_FILES - only files in registry/**/modules/** (for processing)
+# Runs all tests if shared infrastructure changes, or skips if no changes detected
+#
+# This script only runs tests for changed modules. Documentation and template changes are ignored.
 
 run_dir() {
   local dir="$1"
@@ -9,13 +16,72 @@ run_dir() {
   (cd "$dir" && terraform init -upgrade -input=false -no-color > /dev/null && terraform test -no-color -verbose)
 }
 
-mapfile -t test_dirs < <(find . -type f -name "*.tftest.hcl" -print0 | xargs -0 -I{} dirname {} | sort -u)
+echo "==> Detecting changed files..."
+
+if [[ -n "${ALL_CHANGED_FILES:-}" ]]; then
+  echo "Changed files in PR:"
+  echo "$ALL_CHANGED_FILES" | tr ' ' '\n' | sed 's/^/  - /'
+  echo ""
+fi
+
+if [[ "${SHARED_CHANGED:-false}" == "true" ]]; then
+  echo "==> Shared infrastructure changed"
+  echo "==> Running all tests for safety"
+  mapfile -t test_dirs < <(find . -type f -name "*.tftest.hcl" -print0 | xargs -0 -I{} dirname {} | sort -u)
+elif [[ -z "${MODULE_CHANGED_FILES:-}" ]]; then
+  echo "✓ No module files changed, skipping tests"
+  exit 0
+else
+  CHANGED_FILES=$(echo "$MODULE_CHANGED_FILES" | tr ' ' '\n')
+
+  MODULE_DIRS=()
+  while IFS= read -r file; do
+    if [[ "$file" =~ \.(md|png|jpg|jpeg|svg)$ ]]; then
+      continue
+    fi
+
+    if [[ "$file" =~ ^registry/([^/]+)/modules/([^/]+)/ ]]; then
+      namespace="${BASH_REMATCH[1]}"
+      module="${BASH_REMATCH[2]}"
+      module_dir="registry/${namespace}/modules/${module}"
+
+      if [[ -d "$module_dir" ]] && [[ ! " ${MODULE_DIRS[*]} " =~ " ${module_dir} " ]]; then
+        MODULE_DIRS+=("$module_dir")
+      fi
+    fi
+  done <<< "$CHANGED_FILES"
+
+  if [[ ${#MODULE_DIRS[@]} -eq 0 ]]; then
+    echo "✓ No Terraform tests to run"
+    echo "  (documentation, templates, namespace files, or modules without changes)"
+    exit 0
+  fi
+
+  echo "==> Finding .tftest.hcl files in ${#MODULE_DIRS[@]} changed module(s):"
+  for dir in "${MODULE_DIRS[@]}"; do
+    echo "  - $dir"
+  done
+  echo ""
+
+  test_dirs=()
+  for module_dir in "${MODULE_DIRS[@]}"; do
+    while IFS= read -r test_file; do
+      test_dir=$(dirname "$test_file")
+      if [[ ! " ${test_dirs[*]} " =~ " ${test_dir} " ]]; then
+        test_dirs+=("$test_dir")
+      fi
+    done < <(find "$module_dir" -type f -name "*.tftest.hcl")
+  done
+fi
 
 if [[ ${#test_dirs[@]} -eq 0 ]]; then
-  echo "No .tftest.hcl tests found."
+  echo "✓ No .tftest.hcl tests found in changed modules"
   exit 0
 fi
 
+echo "==> Running terraform test in ${#test_dirs[@]} directory(ies)"
+echo ""
+
 status=0
 for d in "${test_dirs[@]}"; do
   if ! run_dir "$d"; then

scripts/terraform_validate.sh

@@ -2,36 +2,90 @@
 
 set -euo pipefail
 
+# Auto-detect which Terraform modules to validate based on changed files from paths-filter
+# Uses paths-filter outputs from GitHub Actions:
+#   ALL_CHANGED_FILES - all files changed in the PR (for logging)
+#   SHARED_CHANGED - boolean indicating if shared infrastructure changed
+#   MODULE_CHANGED_FILES - only files in registry/**/modules/** (for processing)
+# Validates all modules if shared infrastructure changes, or skips if no changes detected
+#
+# This script only validates changed modules. Documentation and template changes are ignored.
+
 validate_terraform_directory() {
   local dir="$1"
   echo "Running \`terraform validate\` in $dir"
-  pushd "$dir"
+  pushd "$dir" > /dev/null
   terraform init -upgrade
   terraform validate
-  popd
+  popd > /dev/null
 }
 
 main() {
-  # Get the directory of the script
+  echo "==> Detecting changed files..."
+
+  if [[ -n "${ALL_CHANGED_FILES:-}" ]]; then
+    echo "Changed files in PR:"
+    echo "$ALL_CHANGED_FILES" | tr ' ' '\n' | sed 's/^/  - /'
+    echo ""
+  fi
+
   local script_dir=$(dirname "$(readlink -f "$0")")
+  local registry_dir=$(readlink -f "$script_dir/../registry")
 
-  # Code assumes that registry directory will always be in same position
-  # relative to the main script directory
-  local registry_dir="$script_dir/../registry"
+  if [[ "${SHARED_CHANGED:-false}" == "true" ]]; then
+    echo "==> Shared infrastructure changed"
+    echo "==> Validating all modules for safety"
+    local subdirs=$(find "$registry_dir" -mindepth 3 -maxdepth 3 -path "*/modules/*" -type d | sort)
+  elif [[ -z "${MODULE_CHANGED_FILES:-}" ]]; then
+    echo "✓ No module files changed, skipping validation"
+    exit 0
+  else
+    CHANGED_FILES=$(echo "$MODULE_CHANGED_FILES" | tr ' ' '\n')
 
-  # Get all module subdirectories in the registry directory. Code assumes that
-  # Terraform module directories won't begin to appear until three levels deep into
-  # the registry (e.g., registry/coder/modules/coder-login, which will then
-  # have a main.tf file inside it)
-  local subdirs=$(find "$registry_dir" -mindepth 3 -path "*/modules/*" -type d | sort)
+    MODULE_DIRS=()
+    while IFS= read -r file; do
+      if [[ "$file" =~ \.(md|png|jpg|jpeg|svg)$ ]]; then
+        continue
+      fi
 
+      if [[ "$file" =~ ^registry/([^/]+)/modules/([^/]+)/ ]]; then
+        namespace="${BASH_REMATCH[1]}"
+        module="${BASH_REMATCH[2]}"
+        module_dir="registry/${namespace}/modules/${module}"
+
+        if [[ -d "$module_dir" ]] && [[ ! " ${MODULE_DIRS[*]} " =~ " ${module_dir} " ]]; then
+          MODULE_DIRS+=("$module_dir")
+        fi
+      fi
+    done <<< "$CHANGED_FILES"
+
+    if [[ ${#MODULE_DIRS[@]} -eq 0 ]]; then
+      echo "✓ No modules to validate"
+      echo "  (documentation, templates, namespace files, or modules without changes)"
+      exit 0
+    fi
+
+    echo "==> Validating ${#MODULE_DIRS[@]} changed module(s):"
+    for dir in "${MODULE_DIRS[@]}"; do
+      echo "  - $dir"
+    done
+    echo ""
+
+    local subdirs="${MODULE_DIRS[*]}"
+  fi
+
+  status=0
   for dir in $subdirs; do
     # Skip over any directories that obviously don't have the necessary
     # files
     if test -f "$dir/main.tf"; then
-      validate_terraform_directory "$dir"
+      if ! validate_terraform_directory "$dir"; then
+        status=1
+      fi
     fi
   done
+
+  exit $status
 }
 
 main

scripts/ts_test_auto.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Auto-detect which TypeScript tests to run based on changed files from paths-filter
+# Uses paths-filter outputs from GitHub Actions:
+#   ALL_CHANGED_FILES - all files changed in the PR (for logging)
+#   SHARED_CHANGED - boolean indicating if shared infrastructure changed
+#   MODULE_CHANGED_FILES - only files in registry/**/modules/** (for processing)
+# Runs all tests if shared infrastructure changes
+#
+# This script only runs tests for changed modules. Documentation and template changes are ignored.
+
+echo "==> Detecting changed files..."
+
+if [[ -n "${ALL_CHANGED_FILES:-}" ]]; then
+  echo "Changed files in PR:"
+  echo "$ALL_CHANGED_FILES" | tr ' ' '\n' | sed 's/^/  - /'
+  echo ""
+fi
+
+if [[ "${SHARED_CHANGED:-false}" == "true" ]]; then
+  echo "==> Shared infrastructure changed"
+  echo "==> Running all tests for safety"
+  exec bun test
+fi
+
+if [[ -z "${MODULE_CHANGED_FILES:-}" ]]; then
+  echo "✓ No module files changed, skipping tests"
+  exit 0
+fi
+
+CHANGED_FILES=$(echo "$MODULE_CHANGED_FILES" | tr ' ' '\n')
+
+MODULE_DIRS=()
+while IFS= read -r file; do
+  if [[ "$file" =~ \.(md|png|jpg|jpeg|svg)$ ]]; then
+    continue
+  fi
+
+  if [[ "$file" =~ ^registry/([^/]+)/modules/([^/]+)/ ]]; then
+    namespace="${BASH_REMATCH[1]}"
+    module="${BASH_REMATCH[2]}"
+    module_dir="registry/${namespace}/modules/${module}"
+
+    if [[ -f "$module_dir/main.test.ts" ]] && [[ ! " ${MODULE_DIRS[*]} " =~ " ${module_dir} " ]]; then
+      MODULE_DIRS+=("$module_dir")
+    fi
+  fi
+done <<< "$CHANGED_FILES"
+
+if [[ ${#MODULE_DIRS[@]} -eq 0 ]]; then
+  echo "✓ No TypeScript tests to run"
+  echo "  (documentation, templates, namespace files, or modules without tests)"
+  exit 0
+fi
+
+echo "==> Running TypeScript tests for ${#MODULE_DIRS[@]} changed module(s):"
+for dir in "${MODULE_DIRS[@]}"; do
+  echo "  - $dir"
+done
+echo ""
+
+exec bun test "${MODULE_DIRS[@]}"