fix(coder-labs/modules/sourcegraph-amp): explicitly require external provider (#519)

Co-authored-by: Atif Ali <atif@coder.com>

registry/coder-labs/modules/codex/README.md

@@ -13,7 +13,7 @@ Run Codex CLI in your workspace to access OpenAI's models through the Codex inte
 ```tf
 module "codex" {
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "3.0.0"
+  version        = "3.1.0"
   agent_id       = coder_agent.example.id
   openai_api_key = var.openai_api_key
   workdir        = "/home/coder/project"
@@ -33,7 +33,7 @@ module "codex" {
 module "codex" {
   count          = data.coder_workspace.me.start_count
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "3.0.0"
+  version        = "3.1.0"
   agent_id       = coder_agent.example.id
   openai_api_key = "..."
   workdir        = "/home/coder/project"
@@ -61,7 +61,7 @@ module "coder-login" {
 
 module "codex" {
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "3.0.0"
+  version        = "3.1.0"
   agent_id       = coder_agent.example.id
   openai_api_key = "..."
   ai_prompt      = data.coder_parameter.ai_prompt.value
@@ -84,6 +84,7 @@ module "codex" {
 - **System Prompt**: If `codex_system_prompt` is set, writes the prompt to `AGENTS.md` in the `~/.codex/` directory
 - **Start**: Launches Codex CLI in the specified directory, wrapped by AgentAPI
 - **Configuration**: Sets `OPENAI_API_KEY` environment variable and passes `--model` flag to Codex CLI (if variables provided)
+- **Session Continuity**: When `continue = true` (default), the module automatically tracks task sessions in `~/.codex-module/.codex-task-session`. On workspace restart, it resumes the existing session with full conversation history. Set `continue = false` to always start fresh sessions.
 
 ## Configuration
 
@@ -107,7 +108,7 @@ For custom Codex configuration, use `base_config_toml` and/or `additional_mcp_se
 ```tf
 module "codex" {
   source  = "registry.coder.com/coder-labs/codex/coder"
-  version = "3.0.0"
+  version = "3.1.0"
   # ... other variables ...
 
   # Override default configuration

registry/coder-labs/modules/codex/main.test.ts

@@ -368,4 +368,90 @@ describe("codex", async () => {
     expect(prompt.exitCode).not.toBe(0);
     expect(prompt.stderr).toContain("No such file or directory");
   });
+
+  test("codex-continue-capture-new-session", async () => {
+    const { id } = await setup({
+      moduleVariables: {
+        continue: "true",
+        ai_prompt: "test task",
+      },
+    });
+
+    const workdir = "/home/coder";
+    const expectedSessionId = "019a1234-5678-9abc-def0-123456789012";
+    const sessionsDir = "/home/coder/.codex/sessions";
+    const sessionFile = `${sessionsDir}/${expectedSessionId}.jsonl`;
+
+    await execContainer(id, ["mkdir", "-p", sessionsDir]);
+    await execContainer(id, [
+      "bash",
+      "-c",
+      `echo '{"id":"${expectedSessionId}","cwd":"${workdir}","created":"2024-10-24T20:00:00Z","model":"gpt-4-turbo"}' > ${sessionFile}`,
+    ]);
+
+    await execModuleScript(id);
+
+    await expectAgentAPIStarted(id);
+
+    const trackingFile = "/home/coder/.codex-module/.codex-task-session";
+    const maxAttempts = 30;
+    let trackingFileContents = "";
+    for (let attempt = 0; attempt < maxAttempts; attempt++) {
+      const result = await execContainer(id, [
+        "bash",
+        "-c",
+        `cat ${trackingFile} 2>/dev/null || echo ""`,
+      ]);
+      if (result.stdout.trim().length > 0) {
+        trackingFileContents = result.stdout;
+        break;
+      }
+      await new Promise((resolve) => setTimeout(resolve, 500));
+    }
+
+    expect(trackingFileContents).toContain(`${workdir}|${expectedSessionId}`);
+
+    const startLog = await readFileContainer(
+      id,
+      "/home/coder/.codex-module/agentapi-start.log",
+    );
+    expect(startLog).toContain("Capturing new session ID");
+    expect(startLog).toContain("Session tracked");
+    expect(startLog).toContain(expectedSessionId);
+  });
+
+  test("codex-continue-resume-existing-session", async () => {
+    const { id } = await setup({
+      moduleVariables: {
+        continue: "true",
+        ai_prompt: "test prompt",
+      },
+    });
+
+    const workdir = "/home/coder";
+    const mockSessionId = "019a1234-5678-9abc-def0-123456789012";
+    const trackingFile = "/home/coder/.codex-module/.codex-task-session";
+
+    await execContainer(id, ["mkdir", "-p", "/home/coder/.codex-module"]);
+    await execContainer(id, [
+      "bash",
+      "-c",
+      `echo "${workdir}|${mockSessionId}" > ${trackingFile}`,
+    ]);
+
+    await execModuleScript(id);
+
+    const startLog = await execContainer(id, [
+      "bash",
+      "-c",
+      "cat /home/coder/.codex-module/agentapi-start.log",
+    ]);
+    expect(startLog.stdout).toContain("Found existing task session");
+    expect(startLog.stdout).toContain(mockSessionId);
+    expect(startLog.stdout).toContain("Resuming existing session");
+    expect(startLog.stdout).toContain(
+      `Starting Codex with arguments: --model gpt-4-turbo resume ${mockSessionId}`,
+    );
+    expect(startLog.stdout).not.toContain("test prompt");
+  });
 });

registry/coder-labs/modules/codex/main.tf

@@ -137,6 +137,12 @@ variable "ai_prompt" {
   default     = ""
 }
 
+variable "continue" {
+  type        = bool
+  description = "Automatically continue existing sessions on workspace restart. When true, resumes existing conversation if found, otherwise runs prompt or starts new session. When false, always starts fresh (ignores existing sessions)."
+  default     = true
+}
+
 variable "codex_system_prompt" {
   type        = string
   description = "System instructions written to AGENTS.md in the ~/.codex directory"
@@ -187,8 +193,9 @@ module "agentapi" {
      ARG_OPENAI_API_KEY='${var.openai_api_key}' \
      ARG_REPORT_TASKS='${var.report_tasks}' \
      ARG_CODEX_MODEL='${var.codex_model}' \
-     ARG_CODEX_START_DIRECTORY='${var.workdir}' \
+     ARG_CODEX_START_DIRECTORY='${local.workdir}' \
      ARG_CODEX_TASK_PROMPT='${base64encode(var.ai_prompt)}' \
+     ARG_CONTINUE='${var.continue}' \
      /tmp/start.sh
    EOT
 
@@ -206,7 +213,7 @@ module "agentapi" {
     ARG_BASE_CONFIG_TOML='${base64encode(var.base_config_toml)}' \
     ARG_ADDITIONAL_MCP_SERVERS='${base64encode(var.additional_mcp_servers)}' \
     ARG_CODER_MCP_APP_STATUS_SLUG='${local.app_slug}' \
-    ARG_CODEX_START_DIRECTORY='${var.workdir}' \
+    ARG_CODEX_START_DIRECTORY='${local.workdir}' \
     ARG_CODEX_INSTRUCTION_PROMPT='${base64encode(var.codex_system_prompt)}' \
     /tmp/install.sh
   EOT

registry/coder-labs/modules/codex/scripts/start.sh

@@ -3,6 +3,7 @@
 source "$HOME"/.bashrc
 set -o errexit
 set -o pipefail
+
 command_exists() {
   command -v "$1" > /dev/null 2>&1
 }
@@ -16,6 +17,7 @@ fi
 printf "Version: %s\n" "$(codex --version)"
 set -o nounset
 ARG_CODEX_TASK_PROMPT=$(echo -n "$ARG_CODEX_TASK_PROMPT" | base64 -d)
+ARG_CONTINUE=${ARG_CONTINUE:-true}
 
 echo "=== Codex Launch Configuration ==="
 printf "OpenAI API Key: %s\n" "$([ -n "$ARG_OPENAI_API_KEY" ] && echo "Provided" || echo "Not provided")"
@@ -23,53 +25,187 @@ printf "Codex Model: %s\n" "${ARG_CODEX_MODEL:-"Default"}"
 printf "Start Directory: %s\n" "$ARG_CODEX_START_DIRECTORY"
 printf "Has Task Prompt: %s\n" "$([ -n "$ARG_CODEX_TASK_PROMPT" ] && echo "Yes" || echo "No")"
 printf "Report Tasks: %s\n" "$ARG_REPORT_TASKS"
+printf "Continue Sessions: %s\n" "$ARG_CONTINUE"
 echo "======================================"
 set +o nounset
-CODEX_ARGS=()
 
-if command_exists codex; then
-  printf "Codex is installed\n"
-else
-  printf "Error: Codex is not installed. Please enable install_codex or install it manually\n"
-  exit 1
-fi
+SESSION_TRACKING_FILE="$HOME/.codex-module/.codex-task-session"
 
-if [ -d "${ARG_CODEX_START_DIRECTORY}" ]; then
-  printf "Directory '%s' exists. Changing to it.\\n" "${ARG_CODEX_START_DIRECTORY}"
-  cd "${ARG_CODEX_START_DIRECTORY}" || {
-    printf "Error: Could not change to directory '%s'.\\n" "${ARG_CODEX_START_DIRECTORY}"
-    exit 1
-  }
-else
-  printf "Directory '%s' does not exist. Creating and changing to it.\\n" "${ARG_CODEX_START_DIRECTORY}"
-  mkdir -p "${ARG_CODEX_START_DIRECTORY}" || {
-    printf "Error: Could not create directory '%s'.\\n" "${ARG_CODEX_START_DIRECTORY}"
-    exit 1
-  }
-  cd "${ARG_CODEX_START_DIRECTORY}" || {
-    printf "Error: Could not change to directory '%s'.\\n" "${ARG_CODEX_START_DIRECTORY}"
-    exit 1
-  }
-fi
+find_session_for_directory() {
+  local target_dir="$1"
 
-if [ -n "$ARG_CODEX_MODEL" ]; then
-  CODEX_ARGS+=("--model" "$ARG_CODEX_MODEL")
-fi
-
-if [ -n "$ARG_CODEX_TASK_PROMPT" ]; then
-  printf "Running the task prompt %s\n" "$ARG_CODEX_TASK_PROMPT"
-  if [ "${ARG_REPORT_TASKS}" == "true" ]; then
-    PROMPT="Complete the task at hand in one go. Every step of the way, report your progress using coder_report_task tool with proper summary and statuses. Your task at hand: $ARG_CODEX_TASK_PROMPT"
-  else
-    PROMPT="Your task at hand: $ARG_CODEX_TASK_PROMPT"
+  if [ ! -f "$SESSION_TRACKING_FILE" ]; then
+    return 1
   fi
-  CODEX_ARGS+=("$PROMPT")
-else
-  printf "No task prompt given.\n"
-fi
 
-# Terminal dimensions optimized for Coder Tasks UI sidebar:
-# - Width 67: fits comfortably in sidebar
-# - Height 1190: adjusted due to Codex terminal height bug
-printf "Starting Codex with arguments: %s\n" "${CODEX_ARGS[*]}"
-agentapi server --term-width 67 --term-height 1190 -- codex "${CODEX_ARGS[@]}"
+  local session_id=$(grep "^$target_dir|" "$SESSION_TRACKING_FILE" | cut -d'|' -f2 | head -1)
+
+  if [ -n "$session_id" ]; then
+    echo "$session_id"
+    return 0
+  fi
+
+  return 1
+}
+
+store_session_mapping() {
+  local dir="$1"
+  local session_id="$2"
+
+  mkdir -p "$(dirname "$SESSION_TRACKING_FILE")"
+
+  if [ -f "$SESSION_TRACKING_FILE" ]; then
+    grep -v "^$dir|" "$SESSION_TRACKING_FILE" > "$SESSION_TRACKING_FILE.tmp" 2> /dev/null || true
+    mv "$SESSION_TRACKING_FILE.tmp" "$SESSION_TRACKING_FILE"
+  fi
+
+  echo "$dir|$session_id" >> "$SESSION_TRACKING_FILE"
+}
+
+find_recent_session_file() {
+  local target_dir="$1"
+  local sessions_dir="$HOME/.codex/sessions"
+
+  if [ ! -d "$sessions_dir" ]; then
+    return 1
+  fi
+
+  local latest_file=""
+  local latest_time=0
+
+  while IFS= read -r session_file; do
+    local file_time=$(stat -c %Y "$session_file" 2> /dev/null || stat -f %m "$session_file" 2> /dev/null || echo "0")
+    local first_line=$(head -n 1 "$session_file" 2> /dev/null)
+    local session_cwd=$(echo "$first_line" | grep -o '"cwd":"[^"]*"' | cut -d'"' -f4)
+
+    if [ "$session_cwd" = "$target_dir" ] && [ "$file_time" -gt "$latest_time" ]; then
+      latest_file="$session_file"
+      latest_time="$file_time"
+    fi
+  done < <(find "$sessions_dir" -type f -name "*.jsonl" 2> /dev/null)
+
+  if [ -n "$latest_file" ]; then
+    local first_line=$(head -n 1 "$latest_file")
+    local session_id=$(echo "$first_line" | grep -o '"id":"[^"]*"' | cut -d'"' -f4)
+    if [ -n "$session_id" ]; then
+      echo "$session_id"
+      return 0
+    fi
+  fi
+
+  return 1
+}
+
+wait_for_session_file() {
+  local target_dir="$1"
+  local max_attempts=20
+  local attempt=0
+
+  while [ $attempt -lt $max_attempts ]; do
+    local session_id=$(find_recent_session_file "$target_dir" 2> /dev/null || echo "")
+    if [ -n "$session_id" ]; then
+      echo "$session_id"
+      return 0
+    fi
+    sleep 0.5
+    attempt=$((attempt + 1))
+  done
+
+  return 1
+}
+
+validate_codex_installation() {
+  if command_exists codex; then
+    printf "Codex is installed\n"
+  else
+    printf "Error: Codex is not installed. Please enable install_codex or install it manually\n"
+    exit 1
+  fi
+}
+
+setup_workdir() {
+  if [ -d "${ARG_CODEX_START_DIRECTORY}" ]; then
+    printf "Directory '%s' exists. Changing to it.\\n" "${ARG_CODEX_START_DIRECTORY}"
+    cd "${ARG_CODEX_START_DIRECTORY}" || {
+      printf "Error: Could not change to directory '%s'.\\n" "${ARG_CODEX_START_DIRECTORY}"
+      exit 1
+    }
+  else
+    printf "Directory '%s' does not exist. Creating and changing to it.\\n" "${ARG_CODEX_START_DIRECTORY}"
+    mkdir -p "${ARG_CODEX_START_DIRECTORY}" || {
+      printf "Error: Could not create directory '%s'.\\n" "${ARG_CODEX_START_DIRECTORY}"
+      exit 1
+    }
+    cd "${ARG_CODEX_START_DIRECTORY}" || {
+      printf "Error: Could not change to directory '%s'.\\n" "${ARG_CODEX_START_DIRECTORY}"
+      exit 1
+    }
+  fi
+}
+
+build_codex_args() {
+  CODEX_ARGS=()
+
+  if [ -n "$ARG_CODEX_MODEL" ]; then
+    CODEX_ARGS+=("--model" "$ARG_CODEX_MODEL")
+  fi
+
+  if [ "$ARG_CONTINUE" = "true" ]; then
+    existing_session=$(find_session_for_directory "$ARG_CODEX_START_DIRECTORY" 2> /dev/null || echo "")
+
+    if [ -n "$existing_session" ]; then
+      printf "Found existing task session for this directory: %s\n" "$existing_session"
+      printf "Resuming existing session...\n"
+      CODEX_ARGS+=("resume" "$existing_session")
+    else
+      printf "No existing task session found for this directory\n"
+      printf "Starting new task session...\n"
+
+      if [ -n "$ARG_CODEX_TASK_PROMPT" ]; then
+        if [ "${ARG_REPORT_TASKS}" == "true" ]; then
+          PROMPT="Complete the task at hand in one go. Every step of the way, report your progress using coder_report_task tool with proper summary and statuses. Your task at hand: $ARG_CODEX_TASK_PROMPT"
+        else
+          PROMPT="Your task at hand: $ARG_CODEX_TASK_PROMPT"
+        fi
+        CODEX_ARGS+=("$PROMPT")
+      fi
+    fi
+  else
+    printf "Continue disabled, starting fresh session\n"
+
+    if [ -n "$ARG_CODEX_TASK_PROMPT" ]; then
+      if [ "${ARG_REPORT_TASKS}" == "true" ]; then
+        PROMPT="Complete the task at hand in one go. Every step of the way, report your progress using coder_report_task tool with proper summary and statuses. Your task at hand: $ARG_CODEX_TASK_PROMPT"
+      else
+        PROMPT="Your task at hand: $ARG_CODEX_TASK_PROMPT"
+      fi
+      CODEX_ARGS+=("$PROMPT")
+    fi
+  fi
+}
+
+capture_session_id() {
+  if [ "$ARG_CONTINUE" = "true" ] && [ -z "$existing_session" ]; then
+    printf "Capturing new session ID...\n"
+    new_session=$(wait_for_session_file "$ARG_CODEX_START_DIRECTORY" || echo "")
+
+    if [ -n "$new_session" ]; then
+      store_session_mapping "$ARG_CODEX_START_DIRECTORY" "$new_session"
+      printf "✓ Session tracked: %s\n" "$new_session"
+      printf "This session will be automatically resumed on next restart\n"
+    else
+      printf "⚠ Could not capture session ID after 10s timeout\n"
+    fi
+  fi
+}
+
+start_codex() {
+  printf "Starting Codex with arguments: %s\n" "${CODEX_ARGS[*]}"
+  agentapi server --term-width 67 --term-height 1190 -- codex "${CODEX_ARGS[@]}" &
+  capture_session_id
+}
+
+validate_codex_installation
+setup_workdir
+build_codex_args
+start_codex

registry/coder-labs/modules/codex/testdata/codex-mock.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 
+# Handle --version flag
 if [[ "$1" == "--version" ]]; then
   echo "HELLO: $(bash -c env)"
   echo "codex version v1.0.0"
@@ -8,7 +9,30 @@ fi
 
 set -e
 
+SESSION_ID=""
+IS_RESUME=false
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    resume)
+      IS_RESUME=true
+      SESSION_ID="$2"
+      shift 2
+      ;;
+    *)
+      shift
+      ;;
+  esac
+done
+
+if [ "$IS_RESUME" = false ]; then
+  SESSION_ID="019a1234-5678-9abc-def0-123456789012"
+  echo "Created new session: $SESSION_ID"
+else
+  echo "Resuming session: $SESSION_ID"
+fi
+
 while true; do
-  echo "$(date) - codex-mock"
+  echo "$(date) - codex-mock (session: $SESSION_ID)"
   sleep 15
 done

registry/coder-labs/modules/sourcegraph-amp/README.md

@@ -13,7 +13,7 @@ Run [Amp CLI](https://ampcode.com/) in your workspace to access Sourcegraph's AI
 ```tf
 module "amp-cli" {
   source                  = "registry.coder.com/coder-labs/sourcegraph-amp/coder"
-  version                 = "2.0.0"
+  version                 = "2.0.1"
   agent_id                = coder_agent.example.id
   sourcegraph_amp_api_key = var.sourcegraph_amp_api_key
   install_sourcegraph_amp = true
@@ -48,7 +48,7 @@ variable "amp_api_key" {
 module "amp-cli" {
   count              = data.coder_workspace.me.start_count
   source             = "registry.coder.com/coder-labs/sourcegraph-amp/coder"
-  amp_version        = "2.0.0"
+  amp_version        = "2.0.1"
   agent_id           = coder_agent.example.id
   amp_api_key        = var.amp_api_key # recommended for tasks usage
   workdir            = "/home/coder/project"

registry/coder-labs/modules/sourcegraph-amp/main.tf

@@ -6,7 +6,12 @@ terraform {
       source  = "coder/coder"
       version = ">= 2.7"
     }
+    external = {
+      source  = "hashicorp/external"
+      version = "2.3.5"
+    }
   }
+
 }
 
 variable "agent_id" {

registry/coder/modules/claude-code/README.md

@@ -13,7 +13,7 @@ Run the [Claude Code](https://docs.anthropic.com/en/docs/agents-and-tools/claude
 ```tf
 module "claude-code" {
   source         = "registry.coder.com/coder/claude-code/coder"
-  version        = "3.3.2"
+  version        = "3.4.3"
   agent_id       = coder_agent.example.id
   workdir        = "/home/coder/project"
   claude_api_key = "xxxx-xxxxx-xxxx"
@@ -51,7 +51,7 @@ module "claude-code" {
   boundary_log_level               = "WARN"
   boundary_additional_allowed_urls = ["GET *google.com"]
   boundary_proxy_port              = "8087"
-  version                          = "3.3.2"
+  version                          = "3.4.3"
 }
 ```
 
@@ -70,7 +70,7 @@ data "coder_parameter" "ai_prompt" {
 
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "3.3.2"
+  version  = "3.4.3"
   agent_id = coder_agent.example.id
   workdir  = "/home/coder/project"
 
@@ -106,7 +106,7 @@ Run and configure Claude Code as a standalone CLI in your workspace.
 ```tf
 module "claude-code" {
   source              = "registry.coder.com/coder/claude-code/coder"
-  version             = "3.3.2"
+  version             = "3.4.3"
   agent_id            = coder_agent.example.id
   workdir             = "/home/coder"
   install_claude_code = true
@@ -129,7 +129,7 @@ variable "claude_code_oauth_token" {
 
 module "claude-code" {
   source                  = "registry.coder.com/coder/claude-code/coder"
-  version                 = "3.3.2"
+  version                 = "3.4.3"
   agent_id                = coder_agent.example.id
   workdir                 = "/home/coder/project"
   claude_code_oauth_token = var.claude_code_oauth_token
@@ -202,7 +202,7 @@ resource "coder_env" "bedrock_api_key" {
 
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "3.3.2"
+  version  = "3.4.3"
   agent_id = coder_agent.example.id
   workdir  = "/home/coder/project"
   model    = "global.anthropic.claude-sonnet-4-5-20250929-v1:0"
@@ -259,7 +259,7 @@ resource "coder_env" "google_application_credentials" {
 
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "3.3.2"
+  version  = "3.4.3"
   agent_id = coder_agent.example.id
   workdir  = "/home/coder/project"
   model    = "claude-sonnet-4@20250514"

registry/coder/modules/claude-code/main.tf

@@ -353,7 +353,7 @@ module "agentapi" {
      ARG_BOUNDARY_VERSION='${var.boundary_version}' \
      ARG_BOUNDARY_LOG_DIR='${var.boundary_log_dir}' \
      ARG_BOUNDARY_LOG_LEVEL='${var.boundary_log_level}' \
-     ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS='${join(" ", var.boundary_additional_allowed_urls)}' \
+     ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS='${join("|", var.boundary_additional_allowed_urls)}' \
      ARG_BOUNDARY_PROXY_PORT='${var.boundary_proxy_port}' \
      ARG_ENABLE_BOUNDARY_PPROF='${var.enable_boundary_pprof}' \
      ARG_BOUNDARY_PPROF_PORT='${var.boundary_pprof_port}' \

registry/coder/modules/claude-code/scripts/start.sh

@@ -144,12 +144,13 @@ function start_agentapi() {
     # Build boundary args with conditional --unprivileged flag
     BOUNDARY_ARGS=(--log-dir "$ARG_BOUNDARY_LOG_DIR")
     # Add default allowed URLs
-    BOUNDARY_ARGS+=(--allow "*anthropic.com" --allow "registry.npmjs.org" --allow "*sentry.io" --allow "claude.ai" --allow "$ARG_CODER_HOST")
+    BOUNDARY_ARGS+=(--allow "domain=anthropic.com" --allow "domain=registry.npmjs.org" --allow "domain=sentry.io" --allow "domain=claude.ai" --allow "domain=$ARG_CODER_HOST")
 
     # Add any additional allowed URLs from the variable
     if [ -n "$ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS" ]; then
-      IFS=' ' read -ra ADDITIONAL_URLS <<< "$ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS"
+      IFS='|' read -ra ADDITIONAL_URLS <<< "$ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS"
       for url in "${ADDITIONAL_URLS[@]}"; do
+        # Quote the URL to preserve spaces within the allow rule
         BOUNDARY_ARGS+=(--allow "$url")
       done
     fi
@@ -167,7 +168,8 @@ function start_agentapi() {
     fi
 
     agentapi server --allowed-hosts="*" --type claude --term-width 67 --term-height 1190 -- \
-      sudo -E env PATH=$PATH setpriv --inh-caps=+net_admin --ambient-caps=+net_admin --bounding-set=+net_admin boundary "${BOUNDARY_ARGS[@]}" -- \
+      sudo -E env PATH=$PATH setpriv --reuid=$(id -u) --regid=$(id -g) --clear-groups \
+      --inh-caps=+net_admin --ambient-caps=+net_admin --bounding-set=+net_admin boundary "${BOUNDARY_ARGS[@]}" -- \
       claude "${ARGS[@]}"
   else
     agentapi server --type claude --term-width 67 --term-height 1190 -- claude "${ARGS[@]}"

registry/coder/modules/jetbrains/README.md

@@ -14,7 +14,7 @@ This module adds JetBrains IDE buttons to launch IDEs directly from the dashboar
 module "jetbrains" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.1.0"
+  version  = "1.1.1"
   agent_id = coder_agent.example.id
   folder   = "/home/coder/project"
   # tooltip  = "You need to [Install Coder Desktop](https://coder.com/docs/user-guides/desktop#install-coder-desktop) to use this button."  # Optional
@@ -40,7 +40,7 @@ When `default` contains IDE codes, those IDEs are created directly without user
 module "jetbrains" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.1.0"
+  version  = "1.1.1"
   agent_id = coder_agent.example.id
   folder   = "/home/coder/project"
   default  = ["PY", "IU"] # Pre-configure GoLand and IntelliJ IDEA
@@ -53,7 +53,7 @@ module "jetbrains" {
 module "jetbrains" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.1.0"
+  version  = "1.1.1"
   agent_id = coder_agent.example.id
   folder   = "/home/coder/project"
   # Show parameter with limited options
@@ -67,7 +67,7 @@ module "jetbrains" {
 module "jetbrains" {
   count         = data.coder_workspace.me.start_count
   source        = "registry.coder.com/coder/jetbrains/coder"
-  version       = "1.1.0"
+  version       = "1.1.1"
   agent_id      = coder_agent.example.id
   folder        = "/home/coder/project"
   default       = ["IU", "PY"]
@@ -82,7 +82,7 @@ module "jetbrains" {
 module "jetbrains" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.1.0"
+  version  = "1.1.1"
   agent_id = coder_agent.example.id
   folder   = "/workspace/project"
 
@@ -108,7 +108,7 @@ module "jetbrains" {
 module "jetbrains_pycharm" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.1.0"
+  version  = "1.1.1"
   agent_id = coder_agent.example.id
   folder   = "/workspace/project"
 
@@ -128,7 +128,7 @@ Add helpful tooltip text that appears when users hover over the IDE app buttons:
 module "jetbrains" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/jetbrains/coder"
-  version  = "1.1.0"
+  version  = "1.1.1"
   agent_id = coder_agent.example.id
   folder   = "/home/coder/project"
   default  = ["IU", "PY"]

registry/coder/modules/jetbrains/main.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.9"
 
   required_providers {
     coder = {
@@ -163,7 +163,8 @@ variable "ide_config" {
     condition     = length(var.ide_config) > 0
     error_message = "The ide_config must not be empty."
   }
-  # ide_config must be a superset of var.. options
+  # ide_config must be a superset of var.options
+  # Requires Terraform 1.9+ for cross-variable validation references
   validation {
     condition = alltrue([
       for code in var.options : contains(keys(var.ide_config), code)

registry/coder/modules/vault-token/README.md

@@ -19,7 +19,7 @@ variable "vault_token" {
 
 module "vault" {
   source          = "registry.coder.com/coder/vault-token/coder"
-  version         = "1.2.1"
+  version         = "1.2.2"
   agent_id        = coder_agent.example.id
   vault_token     = var.token # optional
   vault_addr      = "https://vault.example.com"
@@ -73,7 +73,7 @@ variable "vault_token" {
 
 module "vault" {
   source            = "registry.coder.com/coder/vault-token/coder"
-  version           = "1.2.1"
+  version           = "1.2.2"
   agent_id          = coder_agent.example.id
   vault_addr        = "https://vault.example.com"
   vault_token       = var.token

registry/coder/modules/vault-token/run.sh

@@ -68,7 +68,7 @@ install() {
     else
       printf "Upgrading Vault CLI from version %s to %s ...\n\n" "$${CURRENT_VERSION}" "${INSTALL_VERSION}"
     fi
-    fetch vault.zip "https://releases.hashicorp.com/vault/$${INSTALL_VERSION}/vault_$${INSTALL_VERSION}_linux_amd64.zip"
+    fetch vault.zip "https://releases.hashicorp.com/vault/$${INSTALL_VERSION}/vault_$${INSTALL_VERSION}_linux_$${ARCH}.zip"
     if [ $? -ne 0 ]; then
       printf "Failed to download Vault.\n"
       return 1

registry/coder/modules/windows-rdp/README.md

@@ -15,7 +15,7 @@ Enable Remote Desktop + a web based client on Windows workspaces, powered by [de
 module "windows_rdp" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/windows-rdp/coder"
-  version  = "1.2.3"
+  version  = "1.3.0"
   agent_id = resource.coder_agent.main.id
 }
 ```
@@ -32,7 +32,7 @@ module "windows_rdp" {
 module "windows_rdp" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/windows-rdp/coder"
-  version  = "1.2.3"
+  version  = "1.3.0"
   agent_id = resource.coder_agent.main.id
 }
 ```
@@ -43,7 +43,7 @@ module "windows_rdp" {
 module "windows_rdp" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/windows-rdp/coder"
-  version  = "1.2.3"
+  version  = "1.3.0"
   agent_id = resource.coder_agent.main.id
 }
 ```
@@ -54,7 +54,7 @@ module "windows_rdp" {
 module "windows_rdp" {
   count                       = data.coder_workspace.me.start_count
   source                      = "registry.coder.com/coder/windows-rdp/coder"
-  version                     = "1.2.3"
+  version                     = "1.3.0"
   agent_id                    = resource.coder_agent.main.id
   devolutions_gateway_version = "2025.2.2" # Specify a specific version
 }

registry/coder/modules/windows-rdp/devolutions-patch.js

@@ -25,401 +25,426 @@
  * @typedef {Readonly<{ querySelector: string; value: string; }>} FormFieldEntry
  * @typedef {Readonly<Record<string, FormFieldEntry>>} FormFieldEntries
  */
+(function () {
+  /**
+   * The communication protocol to set Devolutions to.
+   */
+  const PROTOCOL = "RDP";
 
-/**
- * The communication protocol to set Devolutions to.
- */
-const PROTOCOL = "RDP";
+  /**
+   * The hostname to use with Devolutions.
+   */
+  const HOSTNAME = "localhost";
 
-/**
- * The hostname to use with Devolutions.
- */
-const HOSTNAME = "localhost";
+  /**
+   * How often to poll the screen for the main Devolutions form.
+   */
+  const POLL_INTERVAL_MS = 500;
 
-/**
- * How often to poll the screen for the main Devolutions form.
- */
-const SCREEN_POLL_INTERVAL_MS = 500;
-
-/**
- * The fields in the Devolutions sign-in form that should be populated with
- * values from the Coder workspace.
- *
- * All properties should be defined as placeholder templates in the form
- * VALUE_NAME. The Coder module, when spun up, should then run some logic to
- * replace the template slots with actual values. These values should never
- * change from within JavaScript itself.
- *
- * @satisfies {FormFieldEntries}
- */
-const formFieldEntries = {
-  /** @readonly */
-  username: {
+  /**
+   * The fields in the Devolutions sign-in form that should be populated with
+   * values from the Coder workspace.
+   *
+   * All properties should be defined as placeholder templates in the form
+   * VALUE_NAME. The Coder module, when spun up, should then run some logic to
+   * replace the template slots with actual values. These values should never
+   * change from within JavaScript itself.
+   *
+   * @satisfies {FormFieldEntries}
+   */
+  const formFieldEntries = {
     /** @readonly */
-    querySelector: "web-client-username-control input",
+    username: {
+      /** @readonly */
+      querySelector: "web-client-username-control input",
 
+      /** @readonly */
+      value: "${CODER_USERNAME}",
+    },
     /** @readonly */
-    value: "${CODER_USERNAME}",
-  },
+    password: {
+      /** @readonly */
+      querySelector: "web-client-password-control input",
 
-  /** @readonly */
-  password: {
-    /** @readonly */
-    querySelector: "web-client-password-control input",
-
-    /** @readonly */
-    value: "${CODER_PASSWORD}",
-  },
-};
-
-/**
- * Handles typing in the values for the input form. All values are written
- * immediately, even though that would be physically impossible with a real
- * keyboard.
- *
- * Note: this code will never break, but you might get warnings in the console
- * from Angular about unexpected value changes. Angular patches over a lot of
- * the built-in browser APIs to support its component change detection system.
- * As part of that, it has validations for checking whether an input it
- * previously had control over changed without it doing anything.
- *
- * But the only way to simulate a keyboard input is by setting the input's
- * .value property, and then firing an input event. So basically, the inner
- * value will change, which Angular won't be happy about, but then the input
- * event will fire and sync everything back together.
- *
- * @param {HTMLInputElement} inputField
- * @param {string} inputText
- * @returns {Promise<void>}
- */
-function setInputValue(inputField, inputText) {
-  return new Promise((resolve, reject) => {
-    // Adding timeout for input event, even though we'll be dispatching it
-    // immediately, just in the off chance that something in the Angular app
-    // intercepts it or stops it from propagating properly
-    const timeoutId = window.setTimeout(() => {
-      reject(new Error("Input event did not get processed correctly in time."));
-    }, 3_000);
-
-    const handleSuccessfulDispatch = () => {
-      window.clearTimeout(timeoutId);
-      inputField.removeEventListener("input", handleSuccessfulDispatch);
-      resolve();
-    };
-
-    inputField.addEventListener("input", handleSuccessfulDispatch);
-
-    // Code assumes that Angular will have an event handler in place to handle
-    // the new event
-    const inputEvent = new Event("input", {
-      bubbles: true,
-      cancelable: true,
-    });
-
-    inputField.value = inputText;
-    inputField.dispatchEvent(inputEvent);
-  });
-}
-
-/**
- * Takes a Devolutions remote session form, auto-fills it with data, and then
- * submits it.
- *
- * The logic here is more convoluted than it should be for two main reasons:
- * 1. Devolutions' HTML markup has errors. There are labels, but they aren't
- *    bound to the inputs they're supposed to describe. This means no easy hooks
- *    for selecting the elements, unfortunately.
- * 2. Trying to modify the .value properties on some of the inputs doesn't
- *    work. Probably some combo of Angular data-binding and some inputs having
- *    the readonly attribute. Have to simulate user input to get around this.
- *
- * @param {HTMLFormElement} myForm
- * @returns {Promise<void>}
- */
-async function autoSubmitForm(myForm) {
-  const setProtocolValue = () => {
-    /** @type {HTMLDivElement | null} */
-    const protocolDropdownTrigger = myForm.querySelector('div[role="button"]');
-    if (protocolDropdownTrigger === null) {
-      throw new Error("No clickable trigger for setting protocol value");
-    }
-
-    protocolDropdownTrigger.click();
-
-    // Can't use form as container for querying the list of dropdown options,
-    // because the elements don't actually exist inside the form. They're placed
-    // in the top level of the HTML doc, and repositioned to make it look like
-    // they're part of the form. Avoids CSS stacking context issues, maybe?
-    /** @type {HTMLLIElement | null} */
-    const protocolOption = document.querySelector(
-      // biome-ignore lint/style/useTemplate: Have to skip interpolation for the main.tf interpolation
-      'p-dropdownitem[ng-reflect-label="' + PROTOCOL + '"] li',
-    );
-
-    if (protocolOption === null) {
-      throw new Error(
-        "Unable to find protocol option on screen that matches desired protocol",
-      );
-    }
-
-    protocolOption.click();
+      /** @readonly */
+      value: "${CODER_PASSWORD}",
+    },
   };
 
-  const setHostname = () => {
-    /** @type {HTMLInputElement | null} */
-    const hostnameInput = myForm.querySelector("p-autocomplete#hostname input");
+  /**
+   * This ensures that the Devolutions login form (which by default, always shows
+   * up on screen when the app first launches) stays visually hidden from the user
+   * when they open Devolutions via the Coder module.
+   *
+   * The form will still be filled out automatically and submitted in the
+   * background via the rest of the logic in this file, so this function is mainly
+   * to help avoid screen flickering and make the overall experience feel a little
+   * more polished (even though it's just one giant hack).
+   *
+   * @returns {void}
+   */
+  function hideFormForInitialSubmission() {
+    const styleId = "coder-patch--styles-initial-submission";
+    const cssOpacityVariableName = "--coder-opacity-multiplier";
 
-    if (hostnameInput === null) {
-      throw new Error("Unable to find field for adding hostname");
+    /** @type {HTMLStyleElement | null} */
+    // biome-ignore lint/style/useTemplate: Have to skip interpolation for the main.tf interpolation
+    let styleContainer = document.querySelector("#" + styleId);
+    if (!styleContainer) {
+      styleContainer = document.createElement("style");
+      styleContainer.id = styleId;
+      styleContainer.innerHTML = `
+        /*
+          Have to use opacity instead of visibility, because the element still
+          needs to be interactive via the script so that it can be auto-filled.
+        */
+        :root {
+          /*
+            Can be 0 or 1. Start off invisible to avoid risks of UI flickering,
+            but the rest of the function should be in charge of making the form
+            container visible again if something goes wrong during setup.
+
+            Double dollar sign needed to avoid Terraform script false positives
+          */
+          $${cssOpacityVariableName}: 0;
+        }
+
+        /*
+          web-client-form is the container for the main session form, while
+          the div is for the dropdown that is used for selecting the protocol.
+          The dropdown is not inside of the form for CSS styling reasons, so we
+          need to select both.
+        */
+        web-client-form,
+        body > div.p-overlay {
+          /*
+            Double dollar sign needed to avoid Terraform script false positives
+          */
+          opacity: calc(100% * var($${cssOpacityVariableName})) !important;
+        }
+      `;
+
+      document.head.appendChild(styleContainer);
     }
 
-    return setInputValue(hostnameInput, HOSTNAME);
-  };
-
-  const setCoderFormFieldValues = async () => {
-    // The RDP form will not appear on screen unless the dropdown is set to use
-    // the RDP protocol
-    const rdpSubsection = myForm.querySelector("rdp-form");
-    if (rdpSubsection === null) {
-      throw new Error(
-        "Unable to find RDP subsection. Is the value of the protocol set to RDP?",
-      );
-    }
-
-    for (const { value, querySelector } of Object.values(formFieldEntries)) {
-      /** @type {HTMLInputElement | null} */
-      const input = document.querySelector(querySelector);
-
-      if (input === null) {
-        throw new Error(
-          // biome-ignore lint/style/useTemplate: Have to skip interpolation for the main.tf interpolation
-          'Unable to element that matches query "' + querySelector + '"',
-        );
-      }
-
-      await setInputValue(input, value);
-    }
-  };
-
-  const triggerSubmission = () => {
-    /** @type {HTMLButtonElement | null} */
-    const submitButton = myForm.querySelector(
-      'p-button[ng-reflect-type="submit"] button',
-    );
-
-    if (submitButton === null) {
-      throw new Error("Unable to find submission button");
-    }
-
-    if (submitButton.disabled) {
-      throw new Error(
-        "Unable to submit form because submit button is disabled. Are all fields filled out correctly?",
-      );
-    }
-
-    submitButton.click();
-  };
-
-  setProtocolValue();
-  await setHostname();
-  await setCoderFormFieldValues();
-  triggerSubmission();
-}
-
-/**
- * Sets up logic for auto-populating the form data when the form appears on
- * screen.
- *
- * @returns {void}
- */
-function setupFormDetection() {
-  /** @type {HTMLFormElement | null} */
-  let formValueFromLastMutation = null;
-
-  /** @returns {void} */
-  const onDynamicTabMutation = () => {
-    /** @type {HTMLFormElement | null} */
-    const latestForm = document.querySelector("web-client-form > form");
-
-    // Only try to auto-fill if we went from having no form on screen to
-    // having a form on screen. That way, we don't accidentally override the
-    // form if the user is trying to customize values, and this essentially
-    // makes the script values function as default values
-    const mounted = formValueFromLastMutation === null && latestForm !== null;
-    if (mounted) {
-      autoSubmitForm(latestForm);
-    }
-
-    formValueFromLastMutation = latestForm;
-  };
-
-  /** @type {number | undefined} */
-  let pollingId = undefined;
-
-  /** @returns {void} */
-  const checkScreenForDynamicTab = () => {
-    const dynamicTab = document.querySelector("web-client-dynamic-tab");
-
-    // Keep polling until the main content container is on screen
-    if (dynamicTab === null) {
+    // The root node being undefined should be physically impossible (if it's
+    // undefined, the browser itself is busted), but we need to do a type check
+    // here so that the rest of the function doesn't need to do type checks over
+    // and over.
+    const rootNode = document.querySelector(":root");
+    if (!(rootNode instanceof HTMLHtmlElement)) {
+      // Remove the container entirely because if the browser is busted, who knows
+      // if the CSS variables can be applied correctly. Better to have something
+      // be a bit more ugly/painful to use, than have it be impossible to use
+      styleContainer.remove();
       return;
     }
 
-    window.clearInterval(pollingId);
+    // It's safe to make the form visible preemptively because Devolutions
+    // outputs the Windows view through an HTML canvas that it overlays on top
+    // of the rest of the app. Even if the form isn't hidden at the style level,
+    // it will still be covered up.
+    const restoreOpacity = () => {
+      rootNode.style.setProperty(cssOpacityVariableName, "1");
+    };
 
-    // Call the mutation callback manually, to ensure it runs at least once
-    onDynamicTabMutation();
+    // If this file gets more complicated, it might make sense to set up the
+    // timeout and event listener so that if one triggers, it cancels the other,
+    // but having restoreOpacity run more than once is a no-op for right now.
+    // Not a big deal if these don't get cleaned up.
 
-    // Having the mutation observer is kind of an extra safety net that isn't
-    // really expected to run that often. Most of the content in the dynamic
-    // tab is being rendered through Canvas, which won't trigger any mutations
-    // that the observer can detect
-    const dynamicTabObserver = new MutationObserver(onDynamicTabMutation);
-    dynamicTabObserver.observe(dynamicTab, {
-      subtree: true,
-      childList: true,
-    });
-  };
+    // Have the form automatically reappear no matter what, so that if something
+    // does break, the user isn't left out to dry
+    window.setTimeout(restoreOpacity, 5_000);
 
-  pollingId = window.setInterval(
-    checkScreenForDynamicTab,
-    SCREEN_POLL_INTERVAL_MS,
-  );
-}
-
-/**
- * Sets up custom styles for hiding default Devolutions elements that Coder
- * users shouldn't need to care about.
- *
- * @returns {void}
- */
-function setupAlwaysOnStyles() {
-  const styleId = "coder-patch--styles-always-on";
-  // biome-ignore lint/style/useTemplate: Have to skip interpolation for the main.tf interpolation
-  const existingContainer = document.querySelector("#" + styleId);
-  if (existingContainer) {
-    return;
+    /** @type {HTMLFormElement | null} */
+    const form = document.querySelector("web-client-form > form");
+    form?.addEventListener(
+      "submit",
+      () => {
+        // Not restoring opacity right away just to give the HTML canvas a little
+        // bit of time to get spun up and cover up the main form
+        window.setTimeout(restoreOpacity, 1_000);
+      },
+      { once: true },
+    );
   }
 
-  const styleContainer = document.createElement("style");
-  styleContainer.id = styleId;
-  styleContainer.innerHTML = `
-    /* app-menu corresponds to the sidebar of the default view. */
-    app-menu {
-      display: none !important;
+  /**
+   * Sets up custom styles for hiding default Devolutions elements that Coder
+   * users shouldn't need to care about.
+   *
+   * @returns {void}
+   */
+  function setupAlwaysOnStyles() {
+    const styleId = "coder-patch--styles-always-on";
+    // biome-ignore lint/style/useTemplate: Have to skip interpolation for the main.tf interpolation
+    const existingContainer = document.querySelector("#" + styleId);
+    if (existingContainer) {
+      return;
     }
-  `;
 
-  document.head.appendChild(styleContainer);
-}
-
-/**
- * This ensures that the Devolutions login form (which by default, always shows
- * up on screen when the app first launches) stays visually hidden from the user
- * when they open Devolutions via the Coder module.
- *
- * The form will still be filled out automatically and submitted in the
- * background via the rest of the logic in this file, so this function is mainly
- * to help avoid screen flickering and make the overall experience feel a little
- * more polished (even though it's just one giant hack).
- *
- * @returns {void}
- */
-function hideFormForInitialSubmission() {
-  const styleId = "coder-patch--styles-initial-submission";
-  const cssOpacityVariableName = "--coder-opacity-multiplier";
-
-  /** @type {HTMLStyleElement | null} */
-  // biome-ignore lint/style/useTemplate: Have to skip interpolation for the main.tf interpolation
-  let styleContainer = document.querySelector("#" + styleId);
-  if (!styleContainer) {
-    styleContainer = document.createElement("style");
+    const styleContainer = document.createElement("style");
     styleContainer.id = styleId;
     styleContainer.innerHTML = `
-      /*
-        Have to use opacity instead of visibility, because the element still
-        needs to be interactive via the script so that it can be auto-filled.
-      */
-      :root {
-        /*
-          Can be 0 or 1. Start off invisible to avoid risks of UI flickering,
-          but the rest of the function should be in charge of making the form
-          container visible again if something goes wrong during setup.
-
-          Double dollar sign needed to avoid Terraform script false positives
-        */
-        $${cssOpacityVariableName}: 0;
+      /* app-menu corresponds to the sidebar of the default view. */
+      app-menu {
+        display: none !important;
       }
 
-      /*
-        web-client-form is the container for the main session form, while
-        the div is for the dropdown that is used for selecting the protocol.
-        The dropdown is not inside of the form for CSS styling reasons, so we
-        need to select both.
-       */
-      web-client-form,
-      body > div.p-overlay {
-        /*
-          Double dollar sign needed to avoid Terraform script false positives
-        */
-        opacity: calc(100% * var($${cssOpacityVariableName})) !important;
+      /* app-net-scan corresponds to the auto-discovery feature. */
+      app-net-scan {
+        display: none !important;
       }
     `;
 
     document.head.appendChild(styleContainer);
   }
 
-  // The root node being undefined should be physically impossible (if it's
-  // undefined, the browser itself is busted), but we need to do a type check
-  // here so that the rest of the function doesn't need to do type checks over
-  // and over.
-  const rootNode = document.querySelector(":root");
-  if (!(rootNode instanceof HTMLHtmlElement)) {
-    // Remove the container entirely because if the browser is busted, who knows
-    // if the CSS variables can be applied correctly. Better to have something
-    // be a bit more ugly/painful to use, than have it be impossible to use
-    styleContainer.remove();
-    return;
+  /**
+   * Handles typing in the values for the input form. All values are written
+   * immediately, even though that would be physically impossible with a real
+   * keyboard.
+   *
+   * Note: this code will never break, but you might get warnings in the console
+   * from Angular about unexpected value changes. Angular patches over a lot of
+   * the built-in browser APIs to support its component change detection system.
+   * As part of that, it has validations for checking whether an input it
+   * previously had control over changed without it doing anything.
+   *
+   * But the only way to simulate a keyboard input is by setting the input's
+   * .value property, and then firing an input event. So basically, the inner
+   * value will change, which Angular won't be happy about, but then the input
+   * event will fire and sync everything back together.
+   *
+   * @param {HTMLInputElement} inputField
+   * @param {string} inputText
+   * @returns {Promise<void>}
+   */
+  function setInputValue(inputField, inputText) {
+    return new Promise((resolve, reject) => {
+      // Adding timeout for input event, even though we'll be dispatching it
+      // immediately, just in the off chance that something in the Angular app
+      // intercepts it or stops it from propagating properly
+      const timeoutId = window.setTimeout(() => {
+        reject(
+          new Error("Input event did not get processed correctly in time."),
+        );
+      }, 3_000);
+
+      const handleSuccessfulDispatch = () => {
+        window.clearTimeout(timeoutId);
+        inputField.removeEventListener("input", handleSuccessfulDispatch);
+        resolve();
+      };
+
+      inputField.addEventListener("input", handleSuccessfulDispatch);
+
+      // Code assumes that Angular will have an event handler in place to handle
+      // the new event
+      const inputEvent = new Event("input", {
+        bubbles: true,
+        cancelable: true,
+      });
+
+      inputField.value = inputText;
+      inputField.dispatchEvent(inputEvent);
+    });
   }
 
-  // It's safe to make the form visible preemptively because Devolutions
-  // outputs the Windows view through an HTML canvas that it overlays on top
-  // of the rest of the app. Even if the form isn't hidden at the style level,
-  // it will still be covered up.
-  const restoreOpacity = () => {
-    rootNode.style.setProperty(cssOpacityVariableName, "1");
-  };
+  /**
+   * Takes a Devolutions remote session form, auto-fills it with data, and then
+   * submits it.
+   *
+   * The logic here is more convoluted than it should be for two main reasons:
+   * 1. Devolutions' HTML markup has errors. There are labels, but they aren't
+   *    bound to the inputs they're supposed to describe. This means no easy hooks
+   *    for selecting the elements, unfortunately.
+   * 2. Trying to modify the .value properties on some of the inputs doesn't
+   *    work. Probably some combo of Angular data-binding and some inputs having
+   *    the readonly attribute. Have to simulate user input to get around this.
+   *
+   * @param {HTMLFormElement} form
+   */
+  async function fillForm(form) {
+    try {
+      log("Form detected. Starting auto-fill...");
 
-  // If this file gets more complicated, it might make sense to set up the
-  // timeout and event listener so that if one triggers, it cancels the other,
-  // but having restoreOpacity run more than once is a no-op for right now.
-  // Not a big deal if these don't get cleaned up.
+      // By default, RDP is selected. Leaving this here if needed
+      // in the future.
+      const protocolTrigger = form.querySelector('p-dropdown[id="protocol"]');
+      if (protocolTrigger) {
+        protocolTrigger.click();
+        const protocolOption = document.querySelector(
+          `li[aria-label="$${PROTOCOL}"]`,
+        );
+        if (protocolOption) {
+          protocolOption.click();
+          log(`Protocol set to $${PROTOCOL}`);
+        } else {
+          log("Protocol option not found.");
+        }
+      } else {
+        log("Protocol dropdown trigger not found.");
+      }
 
-  // Have the form automatically reappear no matter what, so that if something
-  // does break, the user isn't left out to dry
-  window.setTimeout(restoreOpacity, 5_000);
+      const hostnameInput = form.querySelector("p-autocomplete#hostname input");
+      if (hostnameInput) {
+        await setInputValue(hostnameInput, HOSTNAME);
+        log(`Hostname set to $${HOSTNAME}`);
+      } else {
+        log("Hostname input not found.");
+      }
 
-  /** @type {HTMLFormElement | null} */
-  const form = document.querySelector("web-client-form > form");
-  form?.addEventListener(
-    "submit",
-    () => {
-      // Not restoring opacity right away just to give the HTML canvas a little
-      // bit of time to get spun up and cover up the main form
-      window.setTimeout(restoreOpacity, 1_000);
-    },
-    { once: true },
-  );
-}
+      for (const [key, { querySelector, value }] of Object.entries(
+        formFieldEntries,
+      )) {
+        const input = document.querySelector(querySelector);
+        if (input) {
+          await setInputValue(input, value);
+          log(`Set $${key} to $${value}`);
+        } else {
+          log(`Input for $${key} not found with selector: $${querySelector}`);
+        }
+      }
 
-// Always safe to call these immediately because even if the Angular app isn't
-// loaded by the time the function gets called, the CSS will always be globally
-// available for when Angular is finally ready
-setupAlwaysOnStyles();
-hideFormForInitialSubmission();
+      const submitButton = form.querySelector(
+        'p-button[class="p-element"] button',
+      );
+      if (submitButton && !submitButton.disabled) {
+        submitButton.click();
+        log("Form submitted.");
+      } else {
+        log("Submit button not found or disabled.");
+      }
+    } catch (err) {
+      console.error("[Devolutions Patch] Error during form fill:", err);
+    }
+  }
 
-if (document.readyState === "loading") {
-  document.addEventListener("DOMContentLoaded", setupFormDetection);
-} else {
-  setupFormDetection();
-}
+  /**
+   * Attaches a click event listener to the "Close Session" button within the provided top bar element.
+   * When clicked, the listener triggers the window to close.
+   * Logs a message indicating whether the listener was successfully attached or if the button was not found.
+   *
+   * @param {HTMLElement} topBar - The container element that includes the "Close Session" button.
+   * @returns {void}
+   */
+  function attachCloseListener(topBar) {
+    const buttons = topBar.querySelectorAll("button");
+
+    const closeButton = Array.from(buttons).find((button) => {
+      const labelSpan = button.querySelector(".p-button-label");
+      return labelSpan && labelSpan.textContent.trim() === "Close Session";
+    });
+
+    if (closeButton) {
+      closeButton.parentElement.addEventListener("click", () => {
+        window.close();
+      });
+      log("Close listener attached.");
+    } else {
+      log("Close button not found in top bar.");
+    }
+  }
+
+  /**
+   * Sets the checked state of a checkbox based on its label text.
+   * Searches all <p-checkbox> components in the document and identifies the one
+   * whose label matches the provided `filterText`. Once found, it sets the checkbox
+   * to the specified `checked` state (true or false) and dispatches a change event
+   * to ensure any bound listeners (e.g., Angular change detection) are triggered.
+   * Logs the outcome of the operation for debugging or audit purposes.
+   *
+   * @param {string} filterText - The exact label text of the checkbox to target.
+   * @param {boolean} checked - The desired checked state (true to check, false to uncheck).
+   * @returns {void}
+   */
+  function setCheckbox(filterText, checked) {
+    const checkboxes = document.querySelectorAll("p-checkbox");
+
+    const targetCheckbox = Array.from(checkboxes).find((checkbox) => {
+      const label = checkbox.querySelector(".p-checkbox-label");
+      return label && label.textContent.trim() === filterText;
+    });
+
+    if (targetCheckbox) {
+      const input = targetCheckbox.querySelector('input[type="checkbox"]');
+      if (input) {
+        input.checked = checked;
+        input.dispatchEvent(new Event("change", { bubbles: true }));
+      }
+      log(`$${filterText} set to $${checked}.`);
+    } else {
+      log(`$${filterText} checkbox not found in top bar.`);
+    }
+  }
+
+  /**
+   * Continuously polls the DOM for a specific form element.
+   * - Searches for a <form> inside a <web-client-form> element.
+   * - If found, calls `fillForm(form)` to process it.
+   * - If not found, logs a retry message and schedules another check after a delay.
+   *
+   * @returns {void}
+   */
+  function pollForForm() {
+    const form = document.querySelector("web-client-form form");
+    if (form) {
+      fillForm(form);
+
+      // Start polling for top bar after form is filled
+      pollForSessionToolBar();
+    } else {
+      log("Form not yet available. Retrying...");
+      setTimeout(pollForForm, POLL_INTERVAL_MS);
+    }
+  }
+
+  /**
+   * Continuously polls the DOM for a specific form element.
+   * - Searches for a <session-toolbar> element.
+   * - If found, adds another listener to session toolbar
+   * - If not found, logs a retry message and schedules another check after a delay.
+   *
+   * @returns {void}
+   */
+  function pollForSessionToolBar() {
+    const sessionToolBar = document.querySelector("session-toolbar");
+    if (sessionToolBar) {
+      log("Top bar detected. Proceeding with next steps...");
+      attachCloseListener(sessionToolBar);
+
+      // Automatically set checkboxes to improve user experience
+      setCheckbox("Unicode Keyboard Mode", true);
+      setCheckbox("Dynamic Resize", true);
+    } else {
+      log("Top bar not yet available. Retrying...");
+      setTimeout(pollForSessionToolBar, POLL_INTERVAL_MS);
+    }
+  }
+
+  /**
+   * Logs a message to the console with a standardized prefix.
+   * Format: [Devolutions Patch] $<message>
+   *
+   * @param {string} msg - The message to log.
+   * @returns {void}
+   */
+  function log(msg) {
+    console.log(`[Devolutions Patch] $${msg}`);
+  }
+
+  // Always safe to call these immediately because even if the Angular app isn't
+  // loaded by the time the function gets called, the CSS will always be globally
+  // available for when Angular is finally ready
+  setupAlwaysOnStyles();
+  hideFormForInitialSubmission();
+
+  log("Script loaded. Starting form detection...");
+  if (document.readyState === "loading") {
+    document.addEventListener("DOMContentLoaded", pollForForm);
+  } else {
+    pollForForm();
+  }
+})();

registry/coder/modules/windows-rdp/main.test.ts

@@ -59,9 +59,11 @@ describe("Web RDP", async () => {
     expect(lines).toEqual(
       expect.arrayContaining<string>([
         '$moduleName = "DevolutionsGateway"',
-        // Devolutions does versioning in the format year.minor.patch
-        expect.stringMatching(/^\$moduleVersion = "\d{4}\.\d+\.\d+"$/),
-        "Install-Module -Name $moduleName -RequiredVersion $moduleVersion -Force",
+        // Default is "latest" to automatically get the newest version
+        '$moduleVersion = "latest"',
+        "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12",
+        "Set-PSRepository -Name PSGallery -InstallationPolicy Trusted",
+        "Install-Module -Name $moduleName -Force",
       ]),
     );
   });
@@ -86,7 +88,7 @@ describe("Web RDP", async () => {
      * @see {@link https://regex101.com/r/UMgQpv/2}
      */
     const formEntryValuesRe =
-      /^const formFieldEntries = \{$.*?^\s+username: \{$.*?^\s*?querySelector.*?,$.*?^\s*value: "(?<username>.+?)",$.*?password: \{$.*?^\s+querySelector: .*?,$.*?^\s*value: "(?<password>.+?)",$.*?^};$/ms;
+      /username:\s*\{[\s\S]*?value:\s*"(?<username>[^"]+)"[\s\S]*?password:\s*\{[\s\S]*?value:\s*"(?<password>[^"]+)"/;
 
     // Test that things work with the default username/password
     const defaultState = await runTerraformApply<TestVariables>(

registry/coder/modules/windows-rdp/main.tf

@@ -9,6 +9,24 @@ terraform {
   }
 }
 
+variable "display_name" {
+  type        = string
+  description = "The display name for the Web RDP application."
+  default     = "Web RDP"
+}
+
+variable "slug" {
+  type        = string
+  description = "The slug for the Web RDP application."
+  default     = "web-rdp"
+}
+
+variable "icon" {
+  type        = string
+  description = "The icon for the Web RDP application."
+  default     = "/icon/desktop.svg"
+}
+
 variable "order" {
   type        = number
   description = "The order determines the position of app in the UI presentation. The lowest order is shown first and apps with equal order are sorted by name (ascending order)."
@@ -48,8 +66,8 @@ variable "admin_password" {
 
 variable "devolutions_gateway_version" {
   type        = string
-  default     = "2025.2.2"
-  description = "Version of Devolutions Gateway to install. Defaults to the latest available version."
+  default     = "latest"
+  description = "Version of Devolutions Gateway to install. Use 'latest' for the most recent version, or specify a version like '2025.3.2'."
 }
 
 resource "coder_script" "windows-rdp" {
@@ -77,10 +95,10 @@ resource "coder_script" "windows-rdp" {
 resource "coder_app" "windows-rdp" {
   agent_id     = var.agent_id
   share        = var.share
-  slug         = "web-rdp"
-  display_name = "Web RDP"
+  slug         = var.slug
+  display_name = var.display_name
   url          = "http://localhost:7171"
-  icon         = "/icon/desktop.svg"
+  icon         = var.icon
   subdomain    = true
   order        = var.order
   group        = var.group

registry/coder/modules/windows-rdp/powershell-installation-script.tftpl

@@ -2,6 +2,9 @@ function Set-AdminPassword {
     param (
         [string]$adminPassword
     )
+    # Explicitly import LocalAccounts module
+    Import-Module Microsoft.PowerShell.LocalAccounts -ErrorAction SilentlyContinue
+    
     # Set admin password
     Get-LocalUser -Name "${admin_username}" | Set-LocalUser -Password (ConvertTo-SecureString -AsPlainText $adminPassword -Force)
     # Enable admin user
@@ -28,23 +31,61 @@ function Install-DevolutionsGateway {
 $moduleName = "DevolutionsGateway"
 $moduleVersion = "${devolutions_gateway_version}"
 
+# Ensure TLS 1.2 is enabled for PSGallery
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
 # Install the module with the specified version for all users
 # This requires administrator privileges
 try {
     # Install-PackageProvider is required for AWS. Need to set command to
     # terminate on failure so that try/catch actually triggers
     Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -ErrorAction Stop
-    Install-Module -Name $moduleName -RequiredVersion $moduleVersion -Force
+    
+    # Set PSGallery as trusted after NuGet is installed
+    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
+    
+    if ($moduleVersion -eq "latest" -or [string]::IsNullOrWhiteSpace($moduleVersion)) {
+        Install-Module -Name $moduleName -Force
+    } else {
+        Install-Module -Name $moduleName -RequiredVersion $moduleVersion -Force
+    }
 }
 catch {
     # If the first command failed, assume that we're on GCP and run
     # Install-Module only
-    Install-Module -Name $moduleName -RequiredVersion $moduleVersion -Force
+    if ($moduleVersion -eq "latest" -or [string]::IsNullOrWhiteSpace($moduleVersion)) {
+        Install-Module -Name $moduleName -Force
+    } else {
+        Install-Module -Name $moduleName -RequiredVersion $moduleVersion -Force
+    }
 }
 
 # Construct the module path for system-wide installation
-$moduleBasePath = "C:\Windows\system32\config\systemprofile\Documents\PowerShell\Modules\$moduleName\$moduleVersion"
-$modulePath = Join-Path -Path $moduleBasePath -ChildPath "$moduleName.psd1"
+$modulePath = $null # Declare outside the loop
+
+if ($moduleVersion -eq "latest" -or [string]::IsNullOrWhiteSpace($moduleVersion)) {
+    $installedModule = Get-InstalledModule -Name $moduleName -ErrorAction SilentlyContinue
+    if ($installedModule) {
+        $installedVersion = $installedModule.Version.ToString()
+    }
+} else {
+    $installedVersion = $moduleVersion
+}
+
+$paths = $env:PSModulePath -split ';'
+
+foreach ($path in $paths) {
+    $candidatePath = Join-Path -Path $path -ChildPath $moduleName
+    if ($installedVersion) {
+        $candidatePath = Join-Path -Path $candidatePath -ChildPath $installedVersion
+    }
+
+    $psd1Path = Join-Path -Path $candidatePath -ChildPath "$moduleName.psd1"
+    if (Test-Path $psd1Path) {
+        $modulePath = $psd1Path
+        break
+    }
+}
 
 # Import the module using the full path
 Import-Module $modulePath