feat(agentapi,claude-code): add web_app variable to disable the web app (#764)

Adds a `web_app` variable (default: `true`) to both the `claude-code`
and `agentapi` modules. When set to `false`, AgentAPI still runs but the
web UI app icon is not shown in the Coder dashboard.

This mirrors the existing `cli_app` toggle pattern.

## Changes

### `agentapi` module
- New `web_app` variable (bool, default `true`)
- `coder_app.agentapi_web` now has `count = local.web_app ? 1 : 0`
- **Task-safe:** `local.web_app` is computed as `var.web_app ||
local.is_task`, where `is_task = try(data.coder_task.me.enabled,
false)`. This means the web app is always created when the workspace is
a Task, regardless of the `web_app` variable.
- `task_app_id` output returns `""` when `local.web_app` is `false`

### `claude-code` module
- New `web_app` variable (bool, default `true`)
- `TODO` comment to wire `web_app` through to agentapi once published

## Usage (once fully wired)

```hcl
module "claude-code" {
  source  = "registry.coder.com/coder/claude-code/coder"
  ...
  web_app = false  # hides the Claude Code web UI from the dashboard
}
```

Setting `web_app = false` is safe even in templates that use
`coder_ai_task` — the module detects Tasks via
`data.coder_task.me.enabled` and automatically enables the web app.

## Merge strategy

This needs to land in two steps:
1. **Merge this PR** — publishes the agentapi module with `web_app`
support, and adds the `web_app` variable to claude-code (not yet wired
through)
2. **Follow-up PR** — bump the agentapi version in claude-code and
replace the `TODO` with `web_app = var.web_app`

---------

Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
Co-authored-by: DevCats <christofer@coder.com>

.agents/skills/coder-modules/SKILL.md

@@ -0,0 +1,369 @@
+---
+name: coder-modules
+description: Creates and updates Coder Registry modules with proper scaffolding, Terraform testing, README frontmatter, and version management
+---
+
+# Coder Modules
+
+Coder Registry modules are reusable Terraform components that live under `registry/<namespace>/modules/<name>/` and are consumed by templates via `module` blocks.
+
+## Before You Start
+
+Before writing or modifying any code:
+
+1. **Understand the request.** What tool, integration, or functionality is the module providing? What Coder resources does it need (`coder_script`, `coder_app`, `coder_env`, etc.)? Read the official documentation for the target tool or integration (installation steps, CLI flags, config files, environment variables, ports) so you can implement the module properly without guessing.
+2. **Research existing modules.** Search the registry for similar modules. Read their `main.tf` to understand patterns, variable conventions, and how they solve similar problems. Avoid duplicating existing functionality.
+3. **Check the Coder provider docs.** Verify that the resources and attributes you plan to use exist in the provider version you're targeting. Use the version-specific docs URL if needed.
+4. **Clarify before building.** If the request is ambiguous (e.g. unclear which Coder resource to use, whether a `coder_app` vs `coder_script` is appropriate, what variables to expose, or which namespace to use), ask for clarification rather than guessing. Never assume a namespace; always confirm with the user.
+5. **Plan the structure.** Decide on script organization (root `run.sh`, `scripts/` directory, or inline), what variables to expose, and what tests to write.
+
+Always prefer the proper implementation over a simpler shortcut. Modules are infrastructure that users depend on. Doing less work is not the same as reducing complexity if it leaves the module incomplete or fragile.
+
+## Documentation References
+
+### Coder
+
+- Coder docs (latest): <https://coder.com/docs>
+- Version-specific Coder docs: `https://coder.com/docs/@v{MAJOR}.{MINOR}.{PATCH}` (e.g. <https://coder.com/docs/@v2.31.5>)
+- Coder Registry: <https://registry.coder.com>
+
+### Coder Terraform provider
+
+- Provider docs (latest): <https://registry.terraform.io/providers/coder/coder/latest/docs>
+- Version-specific provider docs: replace `latest` with a version number (e.g. <https://registry.terraform.io/providers/coder/coder/2.13.1/docs>)
+
+Resources:
+
+| Resource         | Docs                                                                                 |
+| ---------------- | ------------------------------------------------------------------------------------ |
+| `coder_app`      | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/app>      |
+| `coder_script`   | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/script>   |
+| `coder_env`      | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/env>      |
+| `coder_metadata` | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/metadata> |
+
+Data sources:
+
+| Data Source             | Docs                                                                                           |
+| ----------------------- | ---------------------------------------------------------------------------------------------- |
+| `coder_parameter`       | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/parameter>       |
+| `coder_workspace`       | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/workspace>       |
+| `coder_workspace_owner` | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/workspace_owner> |
+
+## Scaffolding a New Module
+
+Only use this when creating a brand new module that does not yet exist. When updating an existing module, edit its files directly.
+
+From repo root:
+
+```bash
+./scripts/new_module.sh namespace/module-name
+```
+
+Names must be lowercase alphanumeric with hyphens (e.g. `coder/my-tool`). Underscores are not allowed.
+
+Creates `registry/<namespace>/modules/<module-name>/` with:
+
+- `main.tf`: Terraform config with common resource patterns and variables — read this as the primary reference for module structure
+- `README.md`: frontmatter and usage examples
+- `MODULE_NAME.tftest.hcl`: Terraform native tests
+- `run.sh`: install/start-up script template
+
+If the namespace is new, the script also creates `registry/<namespace>/` with a README. New namespaces additionally need:
+
+- `registry/<namespace>/.images/avatar.svg` (or `.png`): square image, 400x400px minimum
+- The namespace README `avatar` field pointing to `./.images/avatar.svg`
+
+The scaffolding script does not create the `.images/` directory or avatar file. When a new namespace is created, create `registry/<namespace>/.images/` and add a placeholder `avatar.svg` so the directory structure is ready for the user to replace with their real avatar.
+
+The generated namespace README contains placeholder fields (`display_name`, `bio`, `status`, `github`, `avatar`, etc.) that the user must fill out. The `status` field is required and must be `official`, `partner`, or `community` (typically `community` for new contributors).
+
+## Key Patterns
+
+- Provider version constraints must reflect actual functionality requirements. Only raise the minimum `coder` provider version (e.g. `>= 2.5` to `>= 2.8`) when the module uses a resource, attribute, or behavior introduced in that version; check the provider changelog to confirm.
+- Variable names MUST be `snake_case` (no hyphens; validation rejects them)
+- New variables must have sensible defaults for backward compatibility
+- Common variable: `agent_id` (string, required, no default)
+- Common variable: `order` (number, default `null`, controls UI position)
+- Use `locals {}` for computed values: URL normalization, base64 encoding, `file()` script content, config assembly
+- Modules can consume other registry modules via `module` blocks (e.g. `cursor` uses `vscode-desktop-core`, CLI wrappers use `agentapi`). Before consuming a module, read its `main.tf` and `README.md` to understand the full interface: accepted variables, outputs, prerequisites, and runtime requirements. If you are inside the registry repo, read these files directly. Otherwise, read the module's page at `https://registry.coder.com/modules/<namespace>/<module-name>` which includes the full source, README, and variable definitions. Never pass arguments without confirming they exist.
+- Most modules expose configuration via `variable` blocks, letting the template pass values. Use `coder_parameter` inside a module only when the module needs to present a UI choice directly to the workspace user (e.g. region selectors, IDE pickers).
+- For parameter-only modules (region selectors, etc.), use `dynamic "option"` with `for_each` from a `locals` map and expose an `output` for the selected value.
+- `coder_script` icons use the `/icon/<name>.svg` format. The `display_name` is typically the product name (e.g. "code-server", "Git Clone", "File Browser").
+- Do not add comments that narrate what the code does or label sections. Only comment when explaining something non-obvious (e.g. why a workaround exists, a subtle constraint, or an unusual design choice).
+
+## README.md
+
+Required YAML frontmatter:
+
+```yaml
+---
+display_name: My Tool
+description: Short description of what this module does
+icon: ../../../../.icons/tool.svg
+verified: false
+tags: [helper, ide]
+---
+```
+
+Content rules:
+
+- Single H1 heading matching `display_name`, directly below frontmatter
+- When increasing header levels, increment by one each time (h1 -> h2 -> h3, not h1 -> h3)
+- Usage snippet with `registry.coder.com/<ns>/<module>/coder` and pinned `version`
+- Code fences labeled `tf` (NOT `hcl`)
+- Relative icon paths (e.g. `../../../../.icons/`)
+- **Do NOT include tables or lists that enumerate variables, parameters, or outputs.** The registry generates variable and output documentation automatically from the Terraform source. Describe what the module does and how to use it in prose, not by listing every configurable field.
+- Usage examples are encouraged
+- Use [GFM alerts](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#alerts) for callouts: `> [!NOTE]`, `> [!TIP]`, `> [!IMPORTANT]`, `> [!WARNING]`, `> [!CAUTION]`
+
+```tf
+module "my_tool" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/namespace/my-tool/coder"
+  version  = "1.0.0"
+  agent_id = coder_agent.main.id
+}
+```
+
+## Icons
+
+Modules reference icons in two places with different path systems:
+
+- **README frontmatter** `icon:` uses a relative path to the repo's `.icons/` directory (e.g. `../../../../.icons/my-tool.svg`). Displayed on the registry website.
+- **`coder_script` / `coder_app`** `icon =` uses an absolute `/icon/<name>.svg` path served by the Coder deployment from `site/static/icon/` in the `coder/coder` repo. Displayed in the workspace agent bar.
+
+Workflow:
+
+1. **Check what exists.** List the `.icons/` directory at the repo root for available SVGs. For `/icon/` paths, look at what similar modules already use.
+2. **Use existing icons when they fit.** If the tool already has an icon in `.icons/` and `/icon/`, use those.
+3. **When an icon doesn't exist,** reference the expected path anyway (e.g. `../../../../.icons/my-tool.svg` and `/icon/my-tool.svg`) so the structure is correct. Try to source the official SVG from the tool's branding page or repository. If you can obtain it, add it to `.icons/` in this repo.
+4. **Don't substitute a generic icon.** If the tool has its own brand identity, use the correct name even if the file doesn't exist yet. Don't fall back to generic icons like `coder.svg` or `terminal.svg`.
+5. **Track missing icons** so you can report them in your response.
+
+## Scripts
+
+Modules use three patterns for shell logic, depending on complexity:
+
+### Root `run.sh` + `templatefile()` (simple modules)
+
+A single `run.sh` at the module root, loaded via `templatefile()` to inject Terraform variables. Used by `code-server`, `vscode-web`, `git-clone`, `dotfiles`, `filebrowser`.
+
+```tf
+resource "coder_script" "my_tool" {
+  agent_id     = var.agent_id
+  display_name = "My Tool"
+  icon         = "/icon/my-tool.svg"
+  script = templatefile("${path.module}/run.sh", {
+    LOG_PATH : var.log_path,
+  })
+  run_on_start = true
+}
+```
+
+Use `$${VAR}` (double dollar) in the shell script for Terraform `templatefile` escaping.
+
+If a script sources external files (`$HOME/.bashrc`, `/etc/bashrc`, `/etc/os-release`), the `source` statement must come before `set -u`; CI enforces this ordering.
+
+### `scripts/` directory + `file()` (complex modules)
+
+Separate `scripts/install.sh` and `scripts/start.sh` loaded via `file()` into `locals`, then passed to a child module or encoded inline. Used by `coder/claude-code`, `coder-labs/copilot`, `coder-labs/codex`, `coder-labs/cursor-cli`, `coder/amazon-q` for example.
+
+```tf
+locals {
+  install_script = file("${path.module}/scripts/install.sh")
+  start_script   = file("${path.module}/scripts/start.sh")
+}
+```
+
+Use `file()` when scripts don't need Terraform variable interpolation. For config templates, use a `templates/` directory with `templatefile()` (e.g. `coder/amazon-q/templates/agent-config.json.tpl`).
+
+### Inline heredoc (minimal modules)
+
+For trivial logic, embed the script directly in the `coder_script` resource. Used by `cursor`, `zed`.
+
+Modules that use a `scripts/` directory often also have a `testdata/` directory containing mock scripts for testing (e.g. `testdata/my-tool-mock.sh`).
+
+## Testing
+
+### .tftest.hcl (Required)
+
+Every module must have Terraform native tests. The file can be named `main.tftest.hcl` or `<module-name>.tftest.hcl`. Use `command = plan` for most cases:
+
+```hcl
+run "plan_with_defaults" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent-id"
+  }
+
+  assert {
+    condition     = var.agent_id == "test-agent-id"
+    error_message = "agent_id should be set"
+  }
+}
+
+run "custom_port" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent-id"
+    port     = 8080
+  }
+
+  assert {
+    condition     = resource.coder_app.my_tool.url == "http://localhost:8080"
+    error_message = "App URL should use configured port"
+  }
+}
+```
+
+Advanced patterns:
+
+- `override_data` to mock data sources like `coder_workspace` and `coder_workspace_owner`
+- `command = apply` when testing outputs or computed values
+- `expect_failures` to test validation rules
+- `regexall()` / `startswith()` / `endswith()` for string assertions
+- Assert on `coder_env`, `coder_script`, `coder_app` resource attributes
+
+```hcl
+run "with_mocked_workspace" {
+  command = apply
+
+  variables {
+    agent_id = "foo"
+  }
+
+  override_data {
+    target = data.coder_workspace.me
+    values = {
+      name = "test-workspace"
+    }
+  }
+
+  assert {
+    condition     = output.url == "expected-value"
+    error_message = "URL should match expected format"
+  }
+}
+
+run "validation_rejects_conflict" {
+  command = plan
+
+  variables {
+    agent_id       = "test"
+    option_a       = true
+    option_b       = true
+  }
+
+  expect_failures = [
+    var.option_a,
+  ]
+}
+```
+
+### main.test.ts (Optional)
+
+For more complex testing (Docker containers, script execution, HTTP mocking).
+Import from `~test` (mapped to `test/test.ts` via `tsconfig.json`):
+
+```typescript
+import { describe, expect, it } from "bun:test";
+import {
+  runTerraformApply,
+  runTerraformInit,
+  testRequiredVariables,
+  findResourceInstance,
+} from "~test";
+
+describe("my-tool", () => {
+  it("should init successfully", async () => {
+    await runTerraformInit(import.meta.dir);
+  });
+
+  testRequiredVariables(import.meta.dir, {
+    agent_id: "test-agent",
+  });
+
+  it("should apply with defaults", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "test-agent",
+    });
+    const app = findResourceInstance(state, "coder_app");
+    expect(app.slug).toBe("my-tool");
+    expect(app.display_name).toBe("My Tool");
+  });
+});
+```
+
+### Test utility API (`~test`)
+
+**Terraform helpers:**
+
+- `runTerraformInit(dir)`: runs `terraform init`.
+- `runTerraformApply(dir, vars, customEnv?)`: runs `terraform apply` with a random state file and returns `TerraformState`. Variables are passed as `TF_VAR_*`. Safe to run in parallel. `TerraformState` has `outputs: Record<string, TerraformOutput>` and `resources: TerraformStateResource[]`.
+- `testRequiredVariables(dir, vars)`: auto-generates test cases (one success with all vars, plus one per var verifying apply fails without it). Pass `{}` if there are no required vars.
+- `findResourceInstance(state, type, name?)`: finds the first resource instance by type. Throws if not found. Optionally filters by name.
+
+**Docker helpers** (require `--network host`, Linux/Colima/OrbStack):
+
+- `runContainer(image, init?)`: starts a detached container and returns its ID. Labeled `modules-test=true` for auto-cleanup.
+- `removeContainer(id)`: force-removes a container.
+- `execContainer(id, cmd[], args?[])`: runs a command in a container and returns `{ exitCode, stdout, stderr }`.
+- `executeScriptInContainer(state, image, shell?, before?)`: finds `coder_script` in state, runs it in a container, and returns `{ exitCode, stdout: string[], stderr: string[] }`.
+
+**File helpers:**
+
+- `writeCoder(id, script)`: writes a mock `coder` CLI to `/usr/bin/coder` in the container.
+- `writeFileContainer(id, path, content, { user? })`: writes a file to the container via base64.
+- `readFileContainer(id, path)`: reads a file from the container as root.
+
+**HTTP helpers:**
+
+- `createJSONResponse(obj, statusCode?)`: creates a `Response` with a JSON body (defaults to 200).
+
+Cleanup of `*.tfstate` files and `modules-test` Docker containers is handled automatically by `setup.ts` (preloaded via `bunfig.toml`).
+
+## Commands
+
+| Task             | Command                                               | Scope      |
+| ---------------- | ----------------------------------------------------- | ---------- |
+| Format all       | `bun run fmt`                                         | Repo       |
+| Terraform tests  | `bun run tftest`                                      | Repo       |
+| TypeScript tests | `bun run tstest`                                      | Repo       |
+| Single TF test   | `terraform init -upgrade && terraform test -verbose`  | Module dir |
+| Single TS test   | `bun test main.test.ts`                               | Module dir |
+| Validate         | `./scripts/terraform_validate.sh`                     | Repo       |
+| ShellCheck       | `bun run shellcheck`                                  | Repo       |
+| Version bump     | `.github/scripts/version-bump.sh patch\|minor\|major` | Repo       |
+
+## Version Management
+
+Bump version via `.github/scripts/version-bump.sh` when modifying modules:
+
+- `patch`: bugfixes
+- `minor`: new features, new variables with defaults
+- `major`: breaking changes (removed inputs, changed defaults, new required variables)
+
+The script automatically updates `version` references in README usage examples.
+
+## Final Checks
+
+Before considering the work complete, verify:
+
+- Tests pass: `bun run tftest` and `bun run tstest`
+- `bun run fmt` has been run
+- `bun run shellcheck` passes if the module includes shell scripts
+- New variables have sensible defaults for backward compatibility
+- Breaking changes are documented if any inputs were removed, defaults changed, or new required variables added
+- Shell scripts handle errors gracefully (`|| echo "Warning..."` for non-fatal failures)
+- No hardcoded values that should be configurable via variables
+- Asset and icon paths in frontmatter and Terraform must be relative (e.g. `../../../../.icons/`), not absolute. External hyperlinks to docs or other websites are fine.
+
+## Response to the User
+
+In your response, include:
+
+- If a new namespace was created, remind the user to fill out the namespace README (`display_name`, `bio`, `status`, `github`, etc.) and replace the placeholder avatar. Note that this is only needed if they plan to contribute to the registry.
+- If any icons were referenced but not found, list them and note they need to be sourced and added to both this repo's `.icons/` directory and the `coder/coder` repo at `site/static/icon/`.
+- A note that to contribute the module to the public registry, they can open a pull request to <https://github.com/coder/registry>.

.agents/skills/coder-templates/SKILL.md

@@ -0,0 +1,321 @@
+---
+name: coder-templates
+description: Creates and updates Coder Registry workspace templates with agent setup, infrastructure provisioning, and module consumption
+---
+
+# Coder Templates
+
+Coder workspace templates are complete workspace definitions that live under `registry/<namespace>/templates/<name>/` and provision the infrastructure that workspaces run on.
+
+## Before You Start
+
+Before writing or modifying any code:
+
+1. **Understand the request.** What platform is the template targeting (Docker, AWS, GCP, Azure, Kubernetes)? What kind of workspace (VM, container, devcontainer)?
+2. **Research existing templates and modules.** Look under `registry/` in this repo for similar templates and modules first; if you are not in the repo or cannot find a match, browse <https://registry.coder.com>. Read `main.tf` to understand patterns for that platform, especially how they handle agent setup, persistent storage, and module consumption. Prefer platform-specific helper modules (e.g. region selectors) that provide ready-made `coder_parameter` blocks over hard-coding option lists.
+3. **Check provider docs.** Verify the infrastructure provider resources you plan to use. Check both the Coder provider and the platform provider (AWS, Docker, etc.) version-specific docs if needed.
+4. **Clarify before building.** If the request is ambiguous (e.g. unclear platform, whether to use devcontainers vs plain VMs, what parameters to expose, or which namespace to use), ask for clarification rather than guessing. Never assume a namespace; always confirm with the user.
+5. **Plan the structure.** Decide on infrastructure resources, what `coder_parameter` options to expose, which registry modules to consume, and whether additional files like cloud-init configs are needed. When the user describes requirements in terms of their development needs rather than specific Terraform changes (e.g. "I need Node 20 + Postgres 16" or "make this template work for data science"), summarize what you plan to add or change before proceeding. Keep it brief: list the parameters, modules, and infrastructure changes. Skip this for straightforward requests where the action is clear (e.g. "add the code-server module" or "change the default region to us-west-2").
+
+When updating an existing template, read and understand all of its current resources, parameters, and module consumption before making changes. If you observe patterns that deviate from the coder template standards (e.g. missing metadata blocks, hardcoded values that should be parameters, inline implementations that existing modules could replace, missing error handling in scripts), note these to the user as improvement opportunities in your response.
+
+Always prefer the proper implementation over a simpler shortcut. Templates are infrastructure that users depend on. Doing less work is not the same as reducing complexity if it leaves the template incomplete or fragile.
+
+Features marked as "Premium" in this skill require a Coder Premium license. When your implementation uses a Premium feature, note this in your response to the user so they can verify their deployment supports it.
+
+## Documentation References
+
+### Coder
+
+- Platform docs (latest): <https://coder.com/docs>
+- Version-specific docs: `https://coder.com/docs/@v{MAJOR}.{MINOR}.{PATCH}` (e.g. <https://coder.com/docs/@v2.31.5>)
+- Creating templates: <https://coder.com/docs/admin/templates/creating-templates>
+- Extending templates: <https://coder.com/docs/admin/templates/extending-templates>
+- Template parameters: <https://coder.com/docs/admin/templates/extending-templates/parameters>
+- Dynamic parameters: <https://coder.com/docs/admin/templates/extending-templates/dynamic-parameters>
+- Workspace presets: <https://coder.com/docs/admin/templates/extending-templates/parameters#workspace-presets>
+- Prebuilt workspaces: <https://coder.com/docs/admin/templates/extending-templates/prebuilt-workspaces>
+- Tasks: <https://coder.com/docs/ai-coder/tasks>
+- Agent Boundaries: <https://coder.com/docs/ai-coder/agent-boundaries>
+- Coder Registry: <https://registry.coder.com>
+
+### Coder Terraform provider
+
+- Provider docs (latest): <https://registry.terraform.io/providers/coder/coder/latest/docs>
+- Version-specific provider docs: replace `latest` with a version number (e.g. <https://registry.terraform.io/providers/coder/coder/2.13.1/docs>)
+
+Resources:
+
+| Resource         | Docs                                                                                 |
+| ---------------- | ------------------------------------------------------------------------------------ |
+| `coder_agent`    | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/agent>    |
+| `coder_app`      | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/app>      |
+| `coder_script`   | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/script>   |
+| `coder_env`      | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/env>      |
+| `coder_metadata` | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/metadata> |
+| `coder_ai_task`  | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/ai_task>  |
+
+Data sources:
+
+| Data Source              | Docs                                                                                            |
+| ------------------------ | ----------------------------------------------------------------------------------------------- |
+| `coder_parameter`        | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/parameter>        |
+| `coder_workspace`        | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/workspace>        |
+| `coder_workspace_owner`  | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/workspace_owner>  |
+| `coder_provisioner`      | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/provisioner>      |
+| `coder_workspace_preset` | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/workspace_preset> |
+| `coder_task`             | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/task>             |
+
+### Terraform providers commonly used in templates
+
+All provider docs follow `https://registry.terraform.io/providers/ORG/NAME/latest/docs`:
+
+| Provider   | Source                 |
+| ---------- | ---------------------- |
+| Docker     | `kreuzwerker/docker`   |
+| AWS        | `hashicorp/aws`        |
+| Azure      | `hashicorp/azurerm`    |
+| GCP        | `hashicorp/google`     |
+| Kubernetes | `hashicorp/kubernetes` |
+| Cloud-Init | `hashicorp/cloudinit`  |
+
+Browse all providers: <https://registry.terraform.io/browse/providers>
+
+## Scaffolding a New Template
+
+Only use this when creating a brand new template that does not yet exist. When updating an existing template, edit its files directly.
+
+From repo root:
+
+```bash
+./scripts/new_template.sh namespace/template-name
+```
+
+Names must be lowercase alphanumeric with hyphens (e.g. `my-org/aws-ec2`). Underscores are not allowed.
+
+Creates `registry/<namespace>/templates/<template-name>/` with:
+
+- `main.tf`: full workspace Terraform config with common patterns — read this as the primary reference for template structure
+- `README.md`: frontmatter and documentation
+
+If the namespace is new, the script also creates `registry/<namespace>/` with a README. New namespaces additionally need:
+
+- `registry/<namespace>/.images/avatar.svg` (or `.png`): square image, 400x400px minimum
+- The namespace README `avatar` field pointing to `./.images/avatar.svg`
+
+The scaffolding script does not create the `.images/` directory or avatar file. When a new namespace is created, create `registry/<namespace>/.images/` and add a placeholder `avatar.svg` so the directory structure is ready for the user to replace with their real avatar.
+
+The generated namespace README contains placeholder fields (`display_name`, `bio`, `status`, `github`, `avatar`, etc.) that the user must fill out. The `status` field is required and must be `official`, `partner`, or `community` (typically `community` for new contributors).
+
+## Key Patterns
+
+- Provider version constraints must reflect actual functionality requirements. Only set a minimum `coder` provider version when the template uses a resource, attribute, or behavior introduced in that version. The same applies to infrastructure providers (Docker, AWS, etc.); check provider changelogs to confirm.
+- Include `data.coder_workspace.me` and `data.coder_workspace_owner.me` for workspace and owner metadata. Include `data.coder_provisioner.me` only when you need the provisioner's `arch` or `os` for `coder_agent` (typical for Docker, Kubernetes, Incus); omit when the workspace OS/arch is fixed (e.g. cloud VMs with a known image).
+- Use `locals {}` for computed values: username, environment variables, startup scripts, URL assembly
+- Use `data.coder_workspace.me.start_count` as `count` on ephemeral resources
+- Connect containers/VMs to the agent via `coder_agent.main.init_script` and `CODER_AGENT_TOKEN`
+- Add `metadata` blocks for workspace dashboard stats (`coder stat cpu`, `coder stat mem`, etc.)
+- Use `coder_metadata` on the primary compute resource to surface key details (region, instance type, image, disk size) in the workspace dashboard
+- Optionally use `display_apps` block to hide specific built-in apps (defaults show all)
+- Before implementing functionality from scratch, look for an existing module under `registry/*/modules/` in this repo; if you cannot find one or are not in the repo, search <https://registry.coder.com>. If a module already exists for what you need, consume it rather than reimplementing it. When multiple modules serve similar purposes, prefer the actively maintained one and check that you are not using a deprecated or superseded module.
+- Before consuming a module, read its `main.tf` and `README.md` to understand the full interface: accepted variables, outputs, prerequisites, and runtime requirements. Prefer paths under `registry/<namespace>/modules/<name>/` in this workspace; otherwise use `https://registry.coder.com/modules/<namespace>/<module-name>`. Never pass arguments without confirming they exist.
+- After identifying a module's prerequisites, verify the template's base image satisfies them. If it lacks a required tool, either switch to an image that includes it or ensure the prerequisite is installed before the module's script runs. These runtime issues are not caught by `terraform validate`; they only surface when the workspace starts.
+- Module source URLs use `registry.coder.com/<namespace>/<module>/coder`. Older templates may use `registry.coder.com/modules/...`; prefer the shorter form when writing new modules or templates.
+- Label infrastructure resources with `coder.owner` and `coder.workspace_id` for tracking orphans
+- Use `lifecycle { ignore_changes = all }` on persistent volumes to prevent data loss
+- Do not add comments that narrate what the code does or label sections. Only comment when explaining something non-obvious (e.g. why a workaround exists, a subtle constraint, or an unusual design choice).
+
+### Additional files
+
+Templates can include files beyond `main.tf` + `README.md`:
+
+- `cloud-init/*.tftpl`: cloud-init configs for VM provisioning (AWS, Azure, GCP), loaded via `templatefile()`. Prefer this subdirectory over placing cloud-init files at the template root.
+- `build/Dockerfile`: custom container images built by the template
+- `.tftpl` files: any Terraform template files for scripts, configs, or cloud-init data
+
+### Parameters
+
+Use `data "coder_parameter"` for user-facing workspace options. Typical parameters: region/instance type/CPU/memory/disk for cloud VMs; container image or runtime version for Docker (pass as `build_arg` when using a local Dockerfile). Use same-platform templates in `registry/` as a starting reference, not a rigid pattern. Expose stated preferences as the parameter `default` with additional sensible `option` values unless the user explicitly restricts it.
+
+- Prefer `dynamic "option"` blocks with `for_each` from a `locals` map over static `option` blocks. See the region selector modules (e.g. `coder/aws-region`) for the pattern.
+- Use `form_type` for richer UI controls: `dropdown` (searchable), `multi-select` (for `list(string)`), `slider` (numeric), `radio`, `checkbox`, `textarea`.
+- Conditional parameters: use `count` to show/hide a parameter based on another parameter's value.
+- `mutable = false` for infrastructure that can't change after creation (region, disk); `mutable = true` for runtime config.
+- `ephemeral = true` for one-shot build options that don't persist between starts.
+- `validation {}` with `min`/`max`/`monotonic` for numbers, `regex`/`error` for strings.
+- Dynamic parameter features require Coder provider `>= 2.4.0`.
+
+### Presets
+
+Workspace presets bundle commonly-used parameter combinations into selectable options. When a user creates a workspace, they can pick a preset to auto-fill multiple parameters at once. Define presets with `data "coder_workspace_preset"`:
+
+```tf
+data "coder_workspace_preset" "default" {
+  name    = "Standard Dev Environment"
+  default = true
+
+  parameters = {
+    "region"          = "us-east-1"
+    "cpu"             = "4"
+    "memory"          = "8"
+    "container_image" = "codercom/enterprise-base:ubuntu"
+  }
+}
+```
+
+- The keys in `parameters` must match the `name` attribute of `coder_parameter` data sources in the same template.
+- Set `default = true` on at most one preset to pre-select it in the UI.
+- A template can define multiple presets for different use cases.
+- Optional fields: `description` (context text in UI) and `icon` (e.g. `/emojis/1f680.png`).
+
+### Prebuilds (Premium)
+
+Prebuilds maintain an automatically-managed pool of pre-provisioned workspaces for a preset, reducing workspace creation time. This is a Premium feature. Prebuilds are configured as a nested block inside a preset:
+
+```tf
+data "coder_workspace_preset" "goland" {
+  name = "GoLand: Large"
+  parameters = {
+    "jetbrains_ide" = "GO"
+    "cpu"           = "8"
+    "memory"        = "16"
+  }
+
+  prebuilds {
+    instances = 3
+
+    expiration_policy {
+      ttl = 86400
+    }
+
+    scheduling {
+      timezone = "UTC"
+      schedule {
+        cron      = "* 8-18 * * 1-5"
+        instances = 5
+      }
+    }
+  }
+}
+```
+
+- `instances`: number of prebuilt workspaces to keep in the pool (base count when no schedule matches).
+- `expiration_policy.ttl`: seconds before unclaimed prebuilds are cleaned up.
+- `scheduling`: scale the pool up or down on a time-based cron schedule. The `cron` minute field must always be `*`.
+- The preset must define all required parameters needed to build the workspace.
+- When a prebuild is claimed, ownership transfers to the real user. Use `lifecycle { ignore_changes = [...] }` on resources that reference owner-specific values to prevent unnecessary recreation.
+
+### Task-Oriented Templates
+
+A template becomes task-capable by adding a `coder_ai_task` resource, which enables the Coder Tasks UI for AI agent workflows. Task templates require three additions on top of a regular template:
+
+```tf
+resource "coder_ai_task" "task" {
+  count  = data.coder_workspace.me.start_count
+  app_id = module.claude-code[count.index].task_app_id
+}
+
+data "coder_task" "me" {}
+
+module "claude-code" {
+  count           = data.coder_workspace.me.start_count
+  source          = "registry.coder.com/coder/claude-code/coder"
+  version         = "~> 4.0"
+  agent_id        = coder_agent.main.id
+  workdir         = "/home/coder/projects"
+  ai_prompt       = data.coder_task.me.prompt
+  system_prompt   = data.coder_parameter.system_prompt.value
+  model           = "sonnet"
+  permission_mode = "plan"
+  enable_boundary = true
+}
+```
+
+- `coder_ai_task`: declares the template as task-capable. Its `app_id` must point to the agent module's `task_app_id` output.
+- `data "coder_task"`: reads the user's task prompt. Pass it to the agent module via `ai_prompt`.
+- Agent module: consume an AI agent module (`claude-code`, `codex`, etc.) with task-specific variables. Key variables include `ai_prompt`, `system_prompt`, `permission_mode`, and `enable_boundary`.
+- Boundaries: set `enable_boundary = true` on the agent module to enable network-level filtering for the AI agent. See <https://coder.com/docs/ai-coder/agent-boundaries> for allowlist configuration.
+- A `coder_app` with `slug = "preview"` gets special treatment in the Tasks UI navbar.
+- Task templates heavily use presets to define scenarios (different repos, system prompts, setup scripts, container images).
+- See `registry/coder-labs/templates/tasks-docker` as a reference implementation.
+
+Docs: <https://coder.com/docs/ai-coder/tasks>
+
+## README.md
+
+Required YAML frontmatter:
+
+```yaml
+---
+display_name: Docker Containers
+description: Provision Docker containers with persistent home volumes as Coder workspaces
+icon: ../../../../.icons/docker.svg
+verified: false
+tags: [docker, container]
+---
+```
+
+Content rules:
+
+- Single H1 heading matching `display_name`, directly below frontmatter
+- When increasing header levels, increment by one each time (h1 -> h2 -> h3, not h1 -> h3)
+- Opening paragraph describing what the template provisions. Be specific about the platform, compute type, and key capabilities (e.g. "Provision Kubernetes pods on an existing Amazon EKS cluster as Coder workspaces with persistent home volumes") rather than generic (e.g. "AWS Kubernetes template"). The frontmatter `description` field should follow the same principle.
+- **Prerequisites** section (infrastructure requirements, provider credentials)
+- **Architecture** section (what resources are created, what's ephemeral vs persistent)
+- Code fences labeled `tf` (NOT `hcl`)
+- Relative icon paths (e.g. `../../../../.icons/`)
+- **Do NOT include tables or lists that enumerate variables, parameters, or outputs.** The registry generates variable and output documentation automatically from the Terraform source. Workspace parameter options are visible in the Coder UI. Describe what the template does and how to use it in prose, not by listing every configurable field.
+- Use [GFM alerts](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#alerts) for callouts: `> [!NOTE]`, `> [!TIP]`, `> [!IMPORTANT]`, `> [!WARNING]`, `> [!CAUTION]`
+
+## Icons
+
+Templates reference icons in the README frontmatter `icon:` field using a relative path to the repo's `.icons/` directory (e.g. `../../../../.icons/aws.svg`). This icon is displayed on the registry website.
+
+Workflow:
+
+1. **Check what exists.** List the `.icons/` directory at the repo root for available SVGs.
+2. **Use existing icons when they fit.** Most templates use a platform icon (aws, gcp, azure, docker, kubernetes) that already exists.
+3. **When an icon doesn't exist,** reference the expected path anyway so the structure is correct. Try to source the official SVG from the platform's branding page or repository. If you can obtain it, add it to `.icons/` in this repo.
+4. **Don't substitute a generic icon.** If the platform has its own brand identity, use the correct name even if the file doesn't exist yet.
+5. **Track missing icons** so you can report them in your response.
+
+## Testing
+
+Templates do NOT require `.tftest.hcl` or `main.test.ts`. Testing is done by pushing the template to a Coder deployment.
+
+## Commands
+
+| Task       | Command                           | Scope |
+| ---------- | --------------------------------- | ----- |
+| Format all | `bun run fmt`                     | Repo  |
+| Validate   | `./scripts/terraform_validate.sh` | Repo  |
+| ShellCheck | `bun run shellcheck`              | Repo  |
+
+## Final Checks
+
+Before considering the work complete, verify:
+
+- `terraform init && terraform validate` passes in the template directory
+- `bun run fmt` has been run
+- `bun run shellcheck` passes if the template includes shell scripts
+- README documents prerequisites and architecture
+- Shell scripts handle errors gracefully (`|| echo "Warning..."` for non-fatal failures). If a script sources external files (`$HOME/.bashrc`, `/etc/bashrc`, `/etc/os-release`), the `source` must come before `set -u`; CI enforces this ordering.
+- No hardcoded values that should be configurable via variables or parameters
+- Asset and icon paths in frontmatter and Terraform must be relative (e.g. `../../../../.icons/`), not absolute. External hyperlinks to docs or other websites are fine.
+
+## Response to the User
+
+In your response, include:
+
+- A ready-to-run push command with real values filled in. Use `-d` to point at the template directory (so it works from the repo root), `-m` for a short description, and `-y` to skip interactive prompts:
+
+```bash
+coder templates push \
+  registry/ \
+  -m "Initial version: <brief description>" \
+  -y < template-name > -d < namespace > /templates/ < template-name > /
+```
+
+- If a new namespace was created, remind the user to fill out the namespace README (`display_name`, `bio`, `status`, `github`, etc.) and replace the placeholder avatar. Note that this is only needed if they plan to contribute to the registry.
+- If any icons were referenced but not found, list them and note they need to be sourced and added to both this repo's `.icons/` directory and the `coder/coder` repo at `site/static/icon/`.
+- A note that to contribute the template to the public registry, they can open a pull request to <https://github.com/coder/registry>.

.claude/skills

@@ -0,0 +1 @@
+../.agents/skills

.github/workflows/ci.yaml

@@ -37,7 +37,7 @@ jobs:
             all:
               - '**'
       - name: Set up Terraform
-        uses: coder/coder/.github/actions/setup-tf@1a774ab7ce99063a2e01beb94de3fcbccaf84dbe # v2.31.5
+        uses: coder/coder/.github/actions/setup-tf@f7650296ceb9b020c79cd525ac7bd3c7f252ae1d # v2.31.6
       - name: Set up Bun
         uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
         with:
@@ -87,7 +87,7 @@ jobs:
           bun-version: latest
       # Need Terraform for its formatter
       - name: Install Terraform
-        uses: coder/coder/.github/actions/setup-tf@1a774ab7ce99063a2e01beb94de3fcbccaf84dbe # v2.31.5
+        uses: coder/coder/.github/actions/setup-tf@f7650296ceb9b020c79cd525ac7bd3c7f252ae1d # v2.31.6
       - name: Install dependencies
         run: bun install
       - name: Validate formatting
@@ -106,7 +106,7 @@ jobs:
       - name: Check out code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version: "1.24.0"
       - name: Validate contributors

.github/workflows/golangci-lint.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version: stable
       - name: golangci-lint

.github/workflows/version-bump.yaml

@@ -31,7 +31,7 @@ jobs:
           bun-version: latest
 
       - name: Set up Terraform
-        uses: coder/coder/.github/actions/setup-tf@1a774ab7ce99063a2e01beb94de3fcbccaf84dbe # v2.31.5
+        uses: coder/coder/.github/actions/setup-tf@f7650296ceb9b020c79cd525ac7bd3c7f252ae1d # v2.31.6
 
       - name: Install dependencies
         run: bun install

.icons/1password.svg

@@ -0,0 +1 @@
+<svg role="img" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><title>1Password</title><circle cx="12" cy="12" r="12" fill="#0572EC"/><path fill="#fff" d="M11.105 4.864h1.788c.484 0 .729.002.914.096a.86.86 0 0 1 .377.377c.094.185.095.428.095.912v6.016c0 .12 0 .182-.015.238a.427.427 0 0 1-.067.137.923.923 0 0 1-.174.162l-.695.564c-.113.092-.17.138-.191.194a.216.216 0 0 0 0 .15c.02.055.078.101.191.193l.695.565c.094.076.14.115.174.162.03.042.053.087.067.137a.936.936 0 0 1 .015.238v2.746c0 .484-.001.727-.095.912a.86.86 0 0 1-.377.377c-.185.094-.43.096-.914.096h-1.788c-.484 0-.726-.002-.912-.096a.86.86 0 0 1-.377-.377c-.094-.185-.095-.428-.095-.912v-6.016c0-.12 0-.182.015-.238a.437.437 0 0 1 .067-.139c.034-.047.08-.083.174-.16l.695-.564c.113-.092.17-.138.191-.194a.216.216 0 0 0 0-.15c-.02-.055-.078-.101-.191-.193l-.695-.565a.92.92 0 0 1-.174-.162.437.437 0 0 1-.067-.139.92.92 0 0 1-.015-.236V6.25c0-.484.001-.727.095-.912a.86.86 0 0 1 .377-.377c.186-.094.428-.096.912-.096z"/></svg>

registry/bpmct/README.md

@@ -0,0 +1,11 @@
+---
+display_name: Ben Potter
+bio: Tinkerer and Product Manager at Coder
+github: bpmct
+avatar: ./.images/avatar.png
+status: community
+---
+
+# Ben Potter
+
+Tinkerer and Product Manager at Coder. Building modules to make dev environments better.

registry/bpmct/modules/onepassword/README.md

@@ -0,0 +1,97 @@
+---
+display_name: "1Password"
+description: "Install the 1Password CLI and VS Code extension in your Coder workspace"
+icon: ../../../../.icons/1password.svg
+verified: false
+tags: [integration, 1password, secrets]
+---
+
+# 1Password
+
+Install the [1Password CLI](https://developer.1password.com/docs/cli/)
+(`op`) in your Coder workspace and optionally authenticate with a service
+account token. Can also install the
+[1Password VS Code extension](https://marketplace.visualstudio.com/items?itemName=1Password.op-vscode)
+for code-server and VS Code.
+
+![1Password module in Coder](../../.images/onepassword-demo.png)
+
+```tf
+module "onepassword" {
+  source                = "registry.coder.com/bpmct/onepassword/coder"
+  version               = "1.0.2"
+  agent_id              = coder_agent.main.id
+  service_account_token = var.op_service_account_token
+}
+```
+
+## Authentication
+
+### Service Account (recommended)
+
+Create a [1Password service account](https://developer.1password.com/docs/service-accounts/get-started/)
+and pass the token as a Terraform variable. The module sets
+`OP_SERVICE_ACCOUNT_TOKEN` in the workspace so `op` commands work
+immediately.
+
+```tf
+variable "op_service_account_token" {
+  type      = string
+  sensitive = true
+}
+
+module "onepassword" {
+  source                = "registry.coder.com/bpmct/onepassword/coder"
+  version               = "1.0.2"
+  agent_id              = coder_agent.main.id
+  service_account_token = var.op_service_account_token
+}
+```
+
+### Personal Account
+
+Pass your account details and the module will pre-register the account.
+You'll be prompted for your password when you run `op signin` in the
+terminal.
+
+```tf
+module "onepassword" {
+  source             = "registry.coder.com/bpmct/onepassword/coder"
+  version            = "1.0.2"
+  agent_id           = coder_agent.main.id
+  account_address    = "myteam.1password.com"
+  account_email      = "you@example.com"
+  account_secret_key = var.op_secret_key
+}
+```
+
+## VS Code Extension
+
+Set `install_vscode_extension = true` to install the 1Password extension
+for code-server and VS Code.
+
+```tf
+module "onepassword" {
+  source                   = "registry.coder.com/bpmct/onepassword/coder"
+  version                  = "1.0.2"
+  agent_id                 = coder_agent.main.id
+  service_account_token    = var.op_service_account_token
+  install_vscode_extension = true
+}
+```
+
+## Custom Scripts
+
+Run custom logic before or after the CLI is installed.
+
+```tf
+module "onepassword" {
+  source                = "registry.coder.com/bpmct/onepassword/coder"
+  version               = "1.0.2"
+  agent_id              = coder_agent.main.id
+  service_account_token = var.op_service_account_token
+  post_install_script   = <<-EOT
+    op read "op://Vault/item/field" > ~/.secret
+  EOT
+}
+```

registry/bpmct/modules/onepassword/main.tf

@@ -0,0 +1,112 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 0.17"
+    }
+  }
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+variable "service_account_token" {
+  type        = string
+  description = "A 1Password service account token. If set, account-based sign-in is skipped."
+  default     = ""
+  sensitive   = true
+}
+
+variable "account_address" {
+  type        = string
+  description = "The 1Password account sign-in address (e.g. myteam.1password.com)."
+  default     = ""
+}
+
+variable "account_email" {
+  type        = string
+  description = "The email address for the 1Password account."
+  default     = ""
+}
+
+variable "account_secret_key" {
+  type        = string
+  description = "The Secret Key for the 1Password account."
+  default     = ""
+  sensitive   = true
+}
+
+variable "install_dir" {
+  type        = string
+  description = "The directory to install the 1Password CLI to."
+  default     = "/usr/local/bin"
+}
+
+variable "op_cli_version" {
+  type        = string
+  description = "The version of the 1Password CLI to install."
+  default     = "latest"
+  validation {
+    condition     = var.op_cli_version == "latest" || can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+$", var.op_cli_version))
+    error_message = "op_cli_version must be either 'latest' or a semantic version (e.g., '2.30.0')."
+  }
+}
+
+variable "install_vscode_extension" {
+  type        = bool
+  description = "Install the 1Password VS Code extension for both VS Code and code-server."
+  default     = false
+}
+
+variable "pre_install_script" {
+  type        = string
+  description = "Custom script to run before installing the 1Password CLI."
+  default     = null
+}
+
+variable "post_install_script" {
+  type        = string
+  description = "Custom script to run after installing the 1Password CLI."
+  default     = null
+}
+
+data "coder_parameter" "account_password" {
+  count        = var.account_address != "" && var.service_account_token == "" ? 1 : 0
+  type         = "string"
+  name         = "op_account_password"
+  display_name = "1Password Account Password"
+  description  = "Your 1Password account password. Used to sign in to the CLI."
+  mutable      = true
+  default      = ""
+}
+
+resource "coder_script" "onepassword" {
+  agent_id     = var.agent_id
+  display_name = "1Password CLI"
+  icon         = "/icon/1password.svg"
+  script = templatefile("${path.module}/run.sh", {
+    SERVICE_ACCOUNT_TOKEN    = var.service_account_token
+    ACCOUNT_ADDRESS          = var.account_address
+    ACCOUNT_EMAIL            = var.account_email
+    ACCOUNT_SECRET_KEY       = var.account_secret_key
+    ACCOUNT_PASSWORD         = var.account_address != "" && var.service_account_token == "" ? data.coder_parameter.account_password[0].value : ""
+    INSTALL_DIR              = var.install_dir
+    OP_CLI_VERSION           = var.op_cli_version
+    INSTALL_VSCODE_EXTENSION = var.install_vscode_extension
+    PRE_INSTALL_SCRIPT       = var.pre_install_script != null ? base64encode(var.pre_install_script) : ""
+    POST_INSTALL_SCRIPT      = var.post_install_script != null ? base64encode(var.post_install_script) : ""
+  })
+  run_on_start       = true
+  start_blocks_login = true
+}
+
+resource "coder_env" "op_service_account_token" {
+  count    = var.service_account_token != "" ? 1 : 0
+  agent_id = var.agent_id
+  name     = "OP_SERVICE_ACCOUNT_TOKEN"
+  value    = var.service_account_token
+}

registry/bpmct/modules/onepassword/run.sh

@@ -0,0 +1,176 @@
+#!/usr/bin/env bash
+
+SERVICE_ACCOUNT_TOKEN="${SERVICE_ACCOUNT_TOKEN}"
+ACCOUNT_ADDRESS="${ACCOUNT_ADDRESS}"
+ACCOUNT_EMAIL="${ACCOUNT_EMAIL}"
+ACCOUNT_SECRET_KEY="${ACCOUNT_SECRET_KEY}"
+ACCOUNT_PASSWORD="${ACCOUNT_PASSWORD}"
+INSTALL_DIR="${INSTALL_DIR}"
+OP_CLI_VERSION="${OP_CLI_VERSION}"
+INSTALL_VSCODE_EXTENSION="${INSTALL_VSCODE_EXTENSION}"
+PRE_INSTALL_SCRIPT="${PRE_INSTALL_SCRIPT}"
+POST_INSTALL_SCRIPT="${POST_INSTALL_SCRIPT}"
+
+fetch() {
+  if command -v curl > /dev/null 2>&1; then
+    curl -sSL --fail "$1"
+  elif command -v wget > /dev/null 2>&1; then
+    wget -qO- "$1"
+  else
+    printf "curl or wget is not installed.\n" && return 1
+  fi
+}
+
+fetch_to_file() {
+  if command -v curl > /dev/null 2>&1; then
+    curl -sSL --fail "$2" -o "$1"
+  elif command -v wget > /dev/null 2>&1; then
+    wget -O "$1" "$2"
+  else
+    printf "curl or wget is not installed.\n" && return 1
+  fi
+}
+
+run_script() {
+  local ENCODED="$1" LABEL="$2"
+  if [ -n "$${ENCODED}" ]; then
+    printf "Running %s script...\n" "$${LABEL}"
+    SCRIPT_PATH=$(mktemp /tmp/op-"$${LABEL}"-XXXXXX.sh)
+    printf '%s' "$${ENCODED}" | base64 -d > "$${SCRIPT_PATH}"
+    chmod +x "$${SCRIPT_PATH}"
+    # shellcheck disable=SC2288
+    "$${SCRIPT_PATH}" || printf "WARNING: %s script failed.\n" "$${LABEL}"
+    rm -f "$${SCRIPT_PATH}"
+  fi
+}
+
+install() {
+  ARCH=$(uname -m)
+  if [ "$${ARCH}" = "x86_64" ]; then
+    ARCH="amd64"
+  elif [ "$${ARCH}" = "aarch64" ]; then
+    ARCH="arm64"
+  else
+    printf "Unsupported architecture: %s\n" "$${ARCH}" && return 1
+  fi
+
+  OS=$(uname -s | tr '[:upper:]' '[:lower:]')
+  if [ "$${OS}" != "linux" ] && [ "$${OS}" != "darwin" ]; then
+    printf "Unsupported OS: %s\n" "$${OS}" && return 1
+  fi
+
+  if [ "$${OP_CLI_VERSION}" = "latest" ]; then
+    OP_CLI_VERSION=$(fetch "https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/N" \
+      | grep -oE '"version":"[^"]+"' | head -1 | cut -d'"' -f4) || true
+    if [ -z "$${OP_CLI_VERSION}" ]; then
+      printf "Failed to resolve latest version, falling back to 2.30.3.\n"
+      OP_CLI_VERSION="2.30.3"
+    fi
+  fi
+
+  printf "1Password CLI version: %s\n" "$${OP_CLI_VERSION}"
+
+  if command -v op > /dev/null 2>&1; then
+    CURRENT_VERSION=$(op --version 2> /dev/null || true)
+    if [ "$${CURRENT_VERSION}" = "$${OP_CLI_VERSION}" ]; then
+      printf "Already installed.\n"
+      return 0
+    fi
+  fi
+
+  DOWNLOAD_URL="https://cache.agilebits.com/dist/1P/op2/pkg/v$${OP_CLI_VERSION}/op_$${OS}_$${ARCH}_v$${OP_CLI_VERSION}.zip"
+
+  TEMP_DIR=$(mktemp -d)
+  cd "$${TEMP_DIR}" || return 1
+
+  if ! fetch_to_file op.zip "$${DOWNLOAD_URL}"; then
+    rm -rf "$${TEMP_DIR}" && return 1
+  fi
+
+  if command -v unzip > /dev/null 2>&1; then
+    unzip -o op.zip -d . > /dev/null
+  elif command -v busybox > /dev/null 2>&1; then
+    busybox unzip op.zip -d .
+  else
+    printf "unzip is not installed.\n"
+    rm -rf "$${TEMP_DIR}" && return 1
+  fi
+
+  chmod +x op
+
+  if [ -n "$${INSTALL_DIR}" ] && [ -w "$${INSTALL_DIR}" ]; then
+    mv op "$${INSTALL_DIR}/op"
+  elif [ -n "$${INSTALL_DIR}" ] && sudo mv op "$${INSTALL_DIR}/op" 2> /dev/null; then
+    true
+  else
+    mkdir -p ~/.local/bin && mv op ~/.local/bin/op
+    INSTALL_DIR=~/.local/bin
+  fi
+  printf "Installed to %s.\n" "$${INSTALL_DIR}"
+
+  rm -rf "$${TEMP_DIR}"
+}
+
+run_script "$${PRE_INSTALL_SCRIPT}" "pre-install"
+
+if ! install; then
+  printf "Failed to install 1Password CLI.\n"
+  exit 1
+fi
+
+if [ -n "$${SERVICE_ACCOUNT_TOKEN}" ]; then
+  printf "Service account token configured.\n"
+elif [ -n "$${ACCOUNT_ADDRESS}" ] && [ -n "$${ACCOUNT_EMAIL}" ]; then
+  ADD_ARGS="--address $${ACCOUNT_ADDRESS} --email $${ACCOUNT_EMAIL}"
+  if [ -n "$${ACCOUNT_SECRET_KEY}" ]; then
+    ADD_ARGS="$${ADD_ARGS} --secret-key $${ACCOUNT_SECRET_KEY}"
+  fi
+
+  if [ -n "$${ACCOUNT_PASSWORD}" ] && command -v expect > /dev/null 2>&1; then
+    OP_SESSION=$(expect -c "
+      log_user 0
+      spawn op account add $${ADD_ARGS} --raw
+      expect \"Enter the password*\"
+      send \"$${ACCOUNT_PASSWORD}\r\"
+      expect eof
+      catch wait result
+      set output \$expect_out(buffer)
+      puts -nonewline \$output
+    " 2>&1)
+    if op account list 2> /dev/null | grep -q "$${ACCOUNT_ADDRESS}"; then
+      printf "Signed in to %s.\n" "$${ACCOUNT_ADDRESS}"
+      if [ -n "$${OP_SESSION}" ]; then
+        mkdir -p "$${HOME}/.op"
+        SESSION_VAR="OP_SESSION_$(printf '%s' "$${ACCOUNT_ADDRESS}" | tr '.' '_' | tr '-' '_')"
+        printf 'export %s="%s"\n' "$${SESSION_VAR}" "$${OP_SESSION}" > "$${HOME}/.op/session"
+        chmod 600 "$${HOME}/.op/session"
+        for rc in "$${HOME}/.bashrc" "$${HOME}/.zshrc"; do
+          if [ -f "$${rc}" ] && ! grep -q ".op/session" "$${rc}" 2> /dev/null; then
+            printf '\n[ -f ~/.op/session ] && . ~/.op/session\n' >> "$${rc}"
+          fi
+        done
+      fi
+    else
+      printf "Sign-in failed. Run manually: op signin --account %s\n" "$${ACCOUNT_ADDRESS}"
+    fi
+  else
+    printf "To sign in, run in your terminal:\n"
+    printf "  op account add %s\n" "$${ADD_ARGS}"
+  fi
+fi
+
+if [ "$${INSTALL_VSCODE_EXTENSION}" = "true" ]; then
+  EXTENSION_ID="1Password.op-vscode"
+  for _ in 1 2 3 4 5 6; do
+    command -v code-server > /dev/null 2>&1 || command -v code > /dev/null 2>&1 && break
+    sleep 5
+  done
+  if command -v code-server > /dev/null 2>&1; then
+    cd /tmp && code-server --install-extension "$${EXTENSION_ID}" --force 2>&1 || true
+  fi
+  if command -v code > /dev/null 2>&1; then
+    cd /tmp && code --install-extension "$${EXTENSION_ID}" --force 2>&1 || true
+  fi
+fi
+
+run_script "$${POST_INSTALL_SCRIPT}" "post-install"

registry/coder/modules/agentapi/README.md

@@ -16,7 +16,7 @@ The AgentAPI module is a building block for modules that need to run an AgentAPI
 ```tf
 module "agentapi" {
   source  = "registry.coder.com/coder/agentapi/coder"
-  version = "2.3.0"
+  version = "2.4.0"
 
   agent_id             = var.agent_id
   web_app_slug         = local.app_slug

registry/coder/modules/agentapi/main.tf

@@ -53,6 +53,12 @@ variable "folder" {
   default     = "/home/coder"
 }
 
+variable "web_app" {
+  type        = bool
+  description = "Whether to create the web workspace app. This is automatically enabled when using Coder Tasks, regardless of this setting."
+  default     = true
+}
+
 variable "cli_app" {
   type        = bool
   description = "Whether to create the CLI workspace app."
@@ -220,6 +226,11 @@ resource "coder_env" "boundary_config" {
 }
 
 locals {
+  # If this is a Task, always create the web app regardless of var.web_app
+  # since coder_ai_task requires the app to function.
+  is_task = try(data.coder_task.me.enabled, false)
+  web_app = var.web_app || local.is_task
+
   # we always trim the slash for consistency
   workdir                            = trimsuffix(var.folder, "/")
   encoded_pre_install_script         = var.pre_install_script != null ? base64encode(var.pre_install_script) : ""
@@ -305,6 +316,8 @@ resource "coder_script" "agentapi_shutdown" {
 }
 
 resource "coder_app" "agentapi_web" {
+  count = local.web_app ? 1 : 0
+
   slug         = var.web_app_slug
   display_name = var.web_app_display_name
   agent_id     = var.agent_id
@@ -341,5 +354,5 @@ resource "coder_app" "agentapi_cli" {
 }
 
 output "task_app_id" {
-  value = coder_app.agentapi_web.id
+  value = local.web_app ? coder_app.agentapi_web[0].id : ""
 }

registry/coder/modules/claude-code/README.md

@@ -13,7 +13,7 @@ Run the [Claude Code](https://docs.anthropic.com/en/docs/agents-and-tools/claude
 ```tf
 module "claude-code" {
   source         = "registry.coder.com/coder/claude-code/coder"
-  version        = "4.8.2"
+  version        = "4.9.0"
   agent_id       = coder_agent.main.id
   workdir        = "/home/coder/project"
   claude_api_key = "xxxx-xxxxx-xxxx"
@@ -60,7 +60,7 @@ By default, when `enable_boundary = true`, the module uses `coder boundary` subc
 ```tf
 module "claude-code" {
   source          = "registry.coder.com/coder/claude-code/coder"
-  version         = "4.8.2"
+  version         = "4.9.0"
   agent_id        = coder_agent.main.id
   workdir         = "/home/coder/project"
   enable_boundary = true
@@ -81,7 +81,7 @@ For tasks integration with AI Bridge, add `enable_aibridge = true` to the [Usage
 ```tf
 module "claude-code" {
   source          = "registry.coder.com/coder/claude-code/coder"
-  version         = "4.8.2"
+  version         = "4.9.0"
   agent_id        = coder_agent.main.id
   workdir         = "/home/coder/project"
   enable_aibridge = true
@@ -110,7 +110,7 @@ data "coder_task" "me" {}
 
 module "claude-code" {
   source    = "registry.coder.com/coder/claude-code/coder"
-  version   = "4.8.2"
+  version   = "4.9.0"
   agent_id  = coder_agent.main.id
   workdir   = "/home/coder/project"
   ai_prompt = data.coder_task.me.prompt
@@ -133,7 +133,7 @@ This example shows additional configuration options for version pinning, custom
 ```tf
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.8.2"
+  version  = "4.9.0"
   agent_id = coder_agent.main.id
   workdir  = "/home/coder/project"
 
@@ -189,7 +189,7 @@ Run and configure Claude Code as a standalone CLI in your workspace.
 ```tf
 module "claude-code" {
   source              = "registry.coder.com/coder/claude-code/coder"
-  version             = "4.8.2"
+  version             = "4.9.0"
   agent_id            = coder_agent.main.id
   workdir             = "/home/coder/project"
   install_claude_code = true
@@ -211,7 +211,7 @@ variable "claude_code_oauth_token" {
 
 module "claude-code" {
   source                  = "registry.coder.com/coder/claude-code/coder"
-  version                 = "4.8.2"
+  version                 = "4.9.0"
   agent_id                = coder_agent.main.id
   workdir                 = "/home/coder/project"
   claude_code_oauth_token = var.claude_code_oauth_token
@@ -284,7 +284,7 @@ resource "coder_env" "bedrock_api_key" {
 
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.8.2"
+  version  = "4.9.0"
   agent_id = coder_agent.main.id
   workdir  = "/home/coder/project"
   model    = "global.anthropic.claude-sonnet-4-5-20250929-v1:0"
@@ -341,7 +341,7 @@ resource "coder_env" "google_application_credentials" {
 
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.8.2"
+  version  = "4.9.0"
   agent_id = coder_agent.main.id
   workdir  = "/home/coder/project"
   model    = "claude-sonnet-4@20250514"

registry/coder/modules/claude-code/main.tf

@@ -47,6 +47,12 @@ variable "report_tasks" {
   default     = true
 }
 
+variable "web_app" {
+  type        = bool
+  description = "Whether to create the web app for Claude Code. When false, AgentAPI still runs but no web UI app icon is shown in the Coder dashboard. This is automatically enabled when using Coder Tasks, regardless of this setting."
+  default     = true
+}
+
 variable "cli_app" {
   type        = bool
   description = "Whether to create a CLI app for Claude Code"
@@ -362,9 +368,10 @@ locals {
 
 module "agentapi" {
   source  = "registry.coder.com/coder/agentapi/coder"
-  version = "2.2.0"
+  version = "2.3.0"
 
-  agent_id                 = var.agent_id
+  agent_id = var.agent_id
+  # TODO: pass web_app = var.web_app once agentapi module is published with web_app support
   web_app_slug             = local.app_slug
   web_app_order            = var.order
   web_app_group            = var.group

registry/coder/modules/code-server/README.md

@@ -14,7 +14,7 @@ Automatically install [code-server](https://github.com/coder/code-server) in a w
 module "code-server" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/code-server/coder"
-  version  = "1.4.3"
+  version  = "1.4.4"
   agent_id = coder_agent.example.id
 }
 ```
@@ -29,7 +29,7 @@ module "code-server" {
 module "code-server" {
   count           = data.coder_workspace.me.start_count
   source          = "registry.coder.com/coder/code-server/coder"
-  version         = "1.4.3"
+  version         = "1.4.4"
   agent_id        = coder_agent.example.id
   install_version = "4.106.3"
 }
@@ -43,7 +43,7 @@ Install the Dracula theme from [OpenVSX](https://open-vsx.org/):
 module "code-server" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/code-server/coder"
-  version  = "1.4.3"
+  version  = "1.4.4"
   agent_id = coder_agent.example.id
   extensions = [
     "dracula-theme.theme-dracula"
@@ -61,7 +61,7 @@ Configure VS Code's [settings.json](https://code.visualstudio.com/docs/getstarte
 module "code-server" {
   count      = data.coder_workspace.me.start_count
   source     = "registry.coder.com/coder/code-server/coder"
-  version    = "1.4.3"
+  version    = "1.4.4"
   agent_id   = coder_agent.example.id
   extensions = ["dracula-theme.theme-dracula"]
   settings = {
@@ -72,13 +72,13 @@ module "code-server" {
 
 ### Install multiple extensions
 
-Just run code-server in the background, don't fetch it from GitHub:
+Install multiple extensions from [OpenVSX](https://open-vsx.org/) by adding them to the `extensions` list:
 
 ```tf
 module "code-server" {
   count      = data.coder_workspace.me.start_count
   source     = "registry.coder.com/coder/code-server/coder"
-  version    = "1.4.3"
+  version    = "1.4.4"
   agent_id   = coder_agent.example.id
   extensions = ["dracula-theme.theme-dracula", "ms-azuretools.vscode-docker"]
 }
@@ -92,7 +92,7 @@ You can pass additional command-line arguments to code-server using the `additio
 module "code-server" {
   count           = data.coder_workspace.me.start_count
   source          = "registry.coder.com/coder/code-server/coder"
-  version         = "1.4.3"
+  version         = "1.4.4"
   agent_id        = coder_agent.example.id
   additional_args = "--disable-workspace-trust"
 }
@@ -108,7 +108,7 @@ Run an existing copy of code-server if found, otherwise download from GitHub:
 module "code-server" {
   count      = data.coder_workspace.me.start_count
   source     = "registry.coder.com/coder/code-server/coder"
-  version    = "1.4.3"
+  version    = "1.4.4"
   agent_id   = coder_agent.example.id
   use_cached = true
   extensions = ["dracula-theme.theme-dracula", "ms-azuretools.vscode-docker"]
@@ -121,7 +121,7 @@ Just run code-server in the background, don't fetch it from GitHub:
 module "code-server" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/code-server/coder"
-  version  = "1.4.3"
+  version  = "1.4.4"
   agent_id = coder_agent.example.id
   offline  = true
 }

registry/coder/modules/coder-utils/README.md

@@ -1,26 +1,26 @@
 ---
-display_name: Agent Helper
+display_name: Coder Utils
 description: Building block for modules that need orchestrated script execution
 icon: ../../../../.icons/coder.svg
 verified: false
 tags: [internal, library]
 ---
 
-# Agent Helper
+# Coder Utils
 
 > [!CAUTION]
 > We do not recommend using this module directly. It is intended primarily for internal use by Coder to create modules with orchestrated script execution.
 
-The Agent Helper module is a building block for modules that need to run multiple scripts in a specific order. It uses `coder exp sync` for dependency management and is designed for orchestrating pre-install, install, post-install, and start scripts.
+The Coder Utils module is a building block for modules that need to run multiple scripts in a specific order. It uses `coder exp sync` for dependency management and is designed for orchestrating pre-install, install, post-install, and start scripts.
 
 > [!NOTE]
 >
 > - The `agent_name` should be the same as that of the agentapi module's `agent_name` if used together.
 
 ```tf
-module "agent_helper" {
-  source  = "registry.coder.com/coder/agent-helper/coder"
-  version = "1.0.0"
+module "coder_utils" {
+  source  = "registry.coder.com/coder/coder-utils/coder"
+  version = "1.0.1"
 
   agent_id        = coder_agent.main.id
   agent_name      = "myagent"

registry/coder/modules/coder-utils/main.test.ts

@@ -1,7 +1,7 @@
 import { describe } from "bun:test";
 import { runTerraformInit, testRequiredVariables } from "~test";
 
-describe("agent-helper", async () => {
+describe("coder-utils", async () => {
   await runTerraformInit(import.meta.dir);
 
   testRequiredVariables(import.meta.dir, {

registry/coder/modules/coder-utils/main.tftest.hcl

@@ -1,4 +1,4 @@
-# Test for agent-helper module
+# Test for coder-utils module
 
 # Test with all scripts provided
 run "test_with_all_scripts" {

registry/coder/modules/jetbrains/README.md

@@ -14,7 +14,7 @@ This module adds JetBrains IDE buttons to launch IDEs directly from the dashboar
 module "jetbrains" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.3.0"
+  version  = "1.3.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
 }
@@ -39,7 +39,7 @@ When `default` contains IDE codes, those IDEs are created directly without user
 module "jetbrains" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.3.0"
+  version  = "1.3.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
   default  = ["PY", "IU"] # Pre-configure PyCharm and IntelliJ IDEA
@@ -52,7 +52,7 @@ module "jetbrains" {
 module "jetbrains" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.3.0"
+  version  = "1.3.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
   # Show parameter with limited options
@@ -66,7 +66,7 @@ module "jetbrains" {
 module "jetbrains" {
   count         = data.coder_workspace.me.start_count
   source        = "registry.coder.com/coder/jetbrains/coder"
-  version       = "1.3.0"
+  version       = "1.3.1"
   agent_id      = coder_agent.main.id
   folder        = "/home/coder/project"
   default       = ["IU", "PY"]
@@ -81,7 +81,7 @@ module "jetbrains" {
 module "jetbrains" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.3.0"
+  version  = "1.3.1"
   agent_id = coder_agent.main.id
   folder   = "/workspace/project"
 
@@ -108,7 +108,7 @@ module "jetbrains" {
 module "jetbrains_pycharm" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.3.0"
+  version  = "1.3.1"
   agent_id = coder_agent.main.id
   folder   = "/workspace/project"
 
@@ -128,7 +128,7 @@ Add helpful tooltip text that appears when users hover over the IDE app buttons:
 module "jetbrains" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.3.0"
+  version  = "1.3.1"
   agent_id = coder_agent.main.id
   folder   = "/home/coder/project"
   default  = ["IU", "PY"]

registry/coder/modules/jetbrains/main.tf

@@ -125,7 +125,7 @@ variable "download_base_link" {
 }
 
 data "http" "jetbrains_ide_versions" {
-  for_each = length(var.default) == 0 ? var.options : var.default
+  for_each = local.selected_ides
   url      = "${var.releases_base_link}/products/releases?code=${each.key}&type=${var.channel}${var.major_version == "latest" ? "&latest=true" : ""}"
 }
 
@@ -174,9 +174,14 @@ variable "ide_config" {
 }
 
 locals {
+  # Determine the user's actual IDE selection.
+  # This is computed before the HTTP data source so that version lookups
+  # are only performed for IDEs the user chose — not every option.
+  selected_ides = length(var.default) == 0 ? toset(jsondecode(coalesce(data.coder_parameter.jetbrains_ides[0].value, "[]"))) : toset(var.default)
+
   # Parse HTTP responses once with error handling for air-gapped environments
   parsed_responses = {
-    for code in length(var.default) == 0 ? var.options : var.default : code => try(
+    for code in local.selected_ides : code => try(
       jsondecode(data.http.jetbrains_ide_versions[code].response_body),
       {} # Return empty object if API call fails
     )
@@ -184,7 +189,7 @@ locals {
 
   # Filter the parsed response for the requested major version if not "latest"
   filtered_releases = {
-    for code in length(var.default) == 0 ? var.options : var.default : code => [
+    for code in local.selected_ides : code => [
       for r in try(local.parsed_responses[code][keys(local.parsed_responses[code])[0]], []) :
       r if var.major_version == "latest" || r.majorVersion == var.major_version
     ]
@@ -192,13 +197,13 @@ locals {
 
   # Select the latest release for the requested major version (first item in the filtered list)
   selected_releases = {
-    for code in length(var.default) == 0 ? var.options : var.default : code =>
+    for code in local.selected_ides : code =>
     length(local.filtered_releases[code]) > 0 ? local.filtered_releases[code][0] : null
   }
 
-  # Dynamically generate IDE configurations based on options with fallback to ide_config
+  # Dynamically generate IDE configurations based on selected IDEs with fallback to ide_config
   options_metadata = {
-    for code in length(var.default) == 0 ? var.options : var.default : code => {
+    for code in local.selected_ides : code => {
       icon       = var.ide_config[code].icon
       name       = var.ide_config[code].name
       identifier = code
@@ -211,9 +216,6 @@ locals {
       json_data = local.selected_releases[code]
     }
   }
-
-  # Convert the parameter value to a set for for_each
-  selected_ides = length(var.default) == 0 ? toset(jsondecode(coalesce(data.coder_parameter.jetbrains_ides[0].value, "[]"))) : toset(var.default)
 }
 
 data "coder_parameter" "jetbrains_ides" {

registry/coder/templates/docker-rstudio/README.md

@@ -0,0 +1,98 @@
+---
+display_name: Docker RStudio
+description: Provision Docker containers with RStudio, code-server, and RMarkdown
+icon: ../../../../.icons/rstudio.svg
+verified: true
+tags: [docker, rstudio, r, rmarkdown, code-server]
+---
+
+# R Development on Docker Containers
+
+Provision Docker containers pre-configured for R development as [Coder workspaces](https://coder.com/docs/workspaces) with this template.
+
+Each workspace comes with:
+
+- **RStudio Server** — full-featured R IDE in the browser.
+- **code-server** — VS Code in the browser for general editing.
+- **RMarkdown** — author reproducible documents, reports, and presentations.
+
+The workspace is based on the [rocker/rstudio](https://rocker-project.org/) image, which ships R and RStudio Server pre-installed.
+
+## Prerequisites
+
+### Infrastructure
+
+#### Running Coder inside Docker
+
+If you installed Coder as a container within Docker, you will have to do the following things:
+
+- Make the Docker socket available to the container
+  - **(recommended) Mount `/var/run/docker.sock` via `--mount`/`volume`**
+  - _(advanced) Restrict the Docker socket via https://github.com/Tecnativa/docker-socket-proxy_
+- Set `--group-add`/`group_add` to the GID of the Docker group on the **host** machine
+  - You can get the GID by running `getent group docker` on the **host** machine
+
+#### Running Coder outside of Docker
+
+If you installed Coder as a system package, the VM you run Coder on must have a running Docker socket and the `coder` user must be added to the Docker group:
+
+```sh
+# Add coder user to Docker group
+sudo adduser coder docker
+
+# Restart Coder server
+sudo systemctl restart coder
+
+# Test Docker
+sudo -u coder docker ps
+```
+
+## Architecture
+
+This template provisions the following resources:
+
+- Docker image (built from `build/Dockerfile`, extending `rocker/rstudio` with system dependencies)
+- Docker container (ephemeral — destroyed on workspace stop)
+- Docker volume (persistent on `/home/rstudio`)
+
+When the workspace restarts, tools and files outside `/home/rstudio` are not persisted. The R library path defaults to a subdirectory of the home folder, so installed packages (including RMarkdown) survive restarts.
+
+> [!NOTE]
+> This template is designed to be a starting point! Edit the Terraform to extend it for your use case.
+
+## Customization
+
+### Changing the R version
+
+Set the `rstudio_version` variable to any valid [rocker/rstudio tag](https://hub.docker.com/r/rocker/rstudio/tags) (for example `4.4.2`, `4.3`, or `latest`).
+
+### Installing additional R packages
+
+R packages are pre-installed via the `build/Dockerfile` so they are available immediately when the workspace starts. To add more packages, add `install.packages()` calls to the Dockerfile:
+
+```dockerfile
+RUN R -e "install.packages(c('tidyverse', 'shiny'))"
+```
+
+The image is pre-configured to use [Posit Package Manager](https://packagemanager.posit.co/) which provides pre-compiled binary packages for fast installation. Packages installed at build time avoid long startup delays from compiling from source on every workspace start.
+
+### Adding system dependencies
+
+The `build/Dockerfile` extends the `rocker/rstudio` base image with system packages required by modules (e.g. `curl` for code-server, `cmake` for R package compilation). If you add modules that need additional system-level tools, add them to the `Dockerfile`:
+
+```dockerfile
+RUN apt-get update \
+ && apt-get install -y \
+  curl \
+  cmake \
+  your-package-here \
+ && rm -rf /var/lib/apt/lists/*
+```
+
+### Adding LaTeX for PDF rendering
+
+RMarkdown can render PDF output when LaTeX is available. Add the following to the startup script to install TinyTeX:
+
+```sh
+R --quiet -e "if (!require('tinytex', quietly = TRUE)) { install.packages('tinytex', repos = 'https://cloud.r-project.org'); tinytex::install_tinytex() }"
+```

registry/coder/templates/docker-rstudio/build/Dockerfile

@@ -0,0 +1,12 @@
+ARG RSTUDIO_VERSION=4
+FROM rocker/rstudio:${RSTUDIO_VERSION}
+
+RUN apt-get update \
+ && apt-get install -y \
+  curl \
+  cmake \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN R -e "install.packages('rmarkdown')"
+
+RUN echo "auth-minimum-user-id=0" >>/etc/rstudio/rserver.conf

registry/coder/templates/docker-rstudio/main.tf

@@ -0,0 +1,244 @@
+terraform {
+  required_providers {
+    coder = {
+      source = "coder/coder"
+    }
+    docker = {
+      source = "kreuzwerker/docker"
+    }
+  }
+}
+
+locals {
+  username = data.coder_workspace_owner.me.name
+}
+
+variable "docker_socket" {
+  default     = ""
+  description = "(Optional) Docker socket URI"
+  type        = string
+}
+
+variable "rstudio_version" {
+  default     = "4"
+  description = "The rocker/rstudio image tag to use (e.g. 4, 4.4, 4.4.2)"
+  type        = string
+}
+
+provider "docker" {
+  # Defaulting to null if the variable is an empty string lets us
+  # have an optional variable without having to set our own default.
+  host = var.docker_socket != "" ? var.docker_socket : null
+}
+
+data "coder_provisioner" "me" {}
+data "coder_workspace" "me" {}
+data "coder_workspace_owner" "me" {}
+
+resource "coder_agent" "main" {
+  arch           = data.coder_provisioner.me.arch
+  os             = "linux"
+  startup_script = <<-EOT
+    set -e
+
+    # Prepare user home with default files on first start.
+    if [ ! -f ~/.init_done ]; then
+      cp -rT /etc/skel ~ 2>/dev/null || true
+      touch ~/.init_done
+    fi
+
+    # Start RStudio Server. The rocker/rstudio image ships the
+    # server pre-installed. We disable authentication because
+    # the Coder proxy handles access control.
+    if command -v rserver > /dev/null 2>&1; then
+      sudo rserver \
+        --server-daemonize=0 \
+        --auth-none=1 \
+        --www-port=8787 \
+        --server-user=rstudio > /tmp/rserver.log 2>&1 &
+    elif [ -x /usr/lib/rstudio-server/bin/rserver ]; then
+      sudo /usr/lib/rstudio-server/bin/rserver \
+        --server-daemonize=0 \
+        --auth-none=1 \
+        --www-port=8787 \
+        --server-user=rstudio > /tmp/rserver.log 2>&1 &
+    fi
+  EOT
+
+  # These environment variables allow you to make Git commits
+  # right away after creating a workspace. They take precedence
+  # over configuration in ~/.gitconfig. Remove this block if
+  # you prefer to configure Git manually or via dotfiles.
+  env = {
+    GIT_AUTHOR_NAME     = coalesce(data.coder_workspace_owner.me.full_name, data.coder_workspace_owner.me.name)
+    GIT_AUTHOR_EMAIL    = "${data.coder_workspace_owner.me.email}"
+    GIT_COMMITTER_NAME  = coalesce(data.coder_workspace_owner.me.full_name, data.coder_workspace_owner.me.name)
+    GIT_COMMITTER_EMAIL = "${data.coder_workspace_owner.me.email}"
+  }
+
+  metadata {
+    display_name = "CPU Usage"
+    key          = "0_cpu_usage"
+    script       = "coder stat cpu"
+    interval     = 10
+    timeout      = 1
+  }
+
+  metadata {
+    display_name = "RAM Usage"
+    key          = "1_ram_usage"
+    script       = "coder stat mem"
+    interval     = 10
+    timeout      = 1
+  }
+
+  metadata {
+    display_name = "Home Disk"
+    key          = "3_home_disk"
+    script       = "coder stat disk --path $${HOME}"
+    interval     = 60
+    timeout      = 1
+  }
+
+  metadata {
+    display_name = "CPU Usage (Host)"
+    key          = "4_cpu_usage_host"
+    script       = "coder stat cpu --host"
+    interval     = 10
+    timeout      = 1
+  }
+
+  metadata {
+    display_name = "Memory Usage (Host)"
+    key          = "5_mem_usage_host"
+    script       = "coder stat mem --host"
+    interval     = 10
+    timeout      = 1
+  }
+
+  metadata {
+    display_name = "Load Average (Host)"
+    key          = "6_load_host"
+    # Get load average scaled by number of cores.
+    script   = <<EOT
+      echo "`cat /proc/loadavg | awk '{ print $1 }'` `nproc`" | awk '{ printf "%0.2f", $1/$2 }'
+    EOT
+    interval = 60
+    timeout  = 1
+  }
+
+  metadata {
+    display_name = "Swap Usage (Host)"
+    key          = "7_swap_host"
+    script       = <<EOT
+      free -b | awk '/^Swap/ { printf("%.1f/%.1f", $3/1024.0/1024.0/1024.0, $2/1024.0/1024.0/1024.0) }'
+    EOT
+    interval     = 10
+    timeout      = 1
+  }
+}
+
+# RStudio Server — served through the Coder proxy so users can
+# open the full RStudio IDE directly from the dashboard.
+resource "coder_app" "rstudio" {
+  agent_id     = coder_agent.main.id
+  slug         = "rstudio"
+  display_name = "RStudio"
+  url          = "http://localhost:8787"
+  icon         = "/icon/rstudio.svg"
+  subdomain    = true
+  share        = "owner"
+  order        = 1
+}
+
+# See https://registry.coder.com/modules/coder/code-server
+module "code-server" {
+  count  = data.coder_workspace.me.start_count
+  source = "registry.coder.com/coder/code-server/coder"
+
+  # This ensures that the latest non-breaking version of the
+  # module gets downloaded. You can also pin the module version
+  # to prevent breaking changes in production.
+  version = "~> 1.0"
+
+  agent_id = coder_agent.main.id
+  order    = 2
+  folder   = "/home/rstudio"
+}
+
+resource "docker_image" "main" {
+  name = "coder-${data.coder_workspace.me.id}-rstudio"
+  build {
+    context = "./build"
+    build_args = {
+      RSTUDIO_VERSION = var.rstudio_version
+    }
+  }
+}
+
+resource "docker_volume" "home_volume" {
+  name = "coder-${data.coder_workspace.me.id}-home"
+  # Protect the volume from being deleted due to changes in
+  # attributes.
+  lifecycle {
+    ignore_changes = all
+  }
+  # Add labels in Docker to keep track of orphan resources.
+  labels {
+    label = "coder.owner"
+    value = data.coder_workspace_owner.me.name
+  }
+  labels {
+    label = "coder.owner_id"
+    value = data.coder_workspace_owner.me.id
+  }
+  labels {
+    label = "coder.workspace_id"
+    value = data.coder_workspace.me.id
+  }
+  # This field becomes outdated if the workspace is renamed but
+  # can be useful for debugging or cleaning out dangling volumes.
+  labels {
+    label = "coder.workspace_name_at_creation"
+    value = data.coder_workspace.me.name
+  }
+}
+
+resource "docker_container" "workspace" {
+  count = data.coder_workspace.me.start_count
+  image = docker_image.main.image_id
+  # Uses lower() to avoid Docker restriction on container names.
+  name = "coder-${data.coder_workspace_owner.me.name}-${lower(data.coder_workspace.me.name)}"
+  # Hostname makes the shell more user friendly: rstudio@my-workspace:~$
+  hostname = data.coder_workspace.me.name
+  # Use the docker gateway if the access URL is 127.0.0.1.
+  entrypoint = ["sh", "-c", replace(coder_agent.main.init_script, "/localhost|127\\.0\\.0\\.1/", "host.docker.internal")]
+  env        = ["CODER_AGENT_TOKEN=${coder_agent.main.token}"]
+  host {
+    host = "host.docker.internal"
+    ip   = "host-gateway"
+  }
+  volumes {
+    container_path = "/home/rstudio"
+    volume_name    = docker_volume.home_volume.name
+    read_only      = false
+  }
+
+  # Add labels in Docker to keep track of orphan resources.
+  labels {
+    label = "coder.owner"
+    value = data.coder_workspace_owner.me.name
+  }
+  labels {
+    label = "coder.owner_id"
+    value = data.coder_workspace_owner.me.id
+  }
+  labels {
+    label = "coder.workspace_id"
+    value = data.coder_workspace.me.id
+  }
+  labels {
+    label = "coder.workspace_name"
+    value = data.coder_workspace.me.name
+  }
+}