chore: remove test from cloud-dev template

refactor(github-upload-public-key): enhance test structure and cleanup handling
fix(nboyers/templates/cloud-dev): fix broken template icon (#633 )
2026-06-03 04:58:15 +00:00 · 2026-01-05 15:35:26 -06:00 · 2026-01-05 12:58:34 -06:00 · 2026-01-05 13:47:22 +05:30 · 2026-01-04 03:12:20 +00:00 · 2026-01-02 22:18:24 +00:00
136 changed files with 7549 additions and 1137 deletions
@@ -1,14 +1,18 @@
 #!/bin/bash

 # Version Bump Script
-# Usage: ./version-bump.sh <bump_type> [base_ref]
+# Usage: ./version-bump.sh [--ci] <bump_type> [base_ref]
+#   --ci: CI mode - run bump, check for changes, exit 1 if changes needed
 #   bump_type: patch, minor, or major
 #   base_ref: base reference for diff (default: origin/main)

 set -euo pipefail

+CI_MODE=false
+
 usage() {
-  echo "Usage: $0 <bump_type> [base_ref]"
+  echo "Usage: $0 [--ci] <bump_type> [base_ref]"
+  echo "  --ci: CI mode - validates versions are already bumped (exits 1 if not)"
  echo "  bump_type: patch, minor, or major"
  echo "  base_ref: base reference for diff (default: origin/main)"
  echo ""
@@ -16,6 +20,7 @@ usage() {
  echo "  $0 patch                    # Update versions with patch bump"
  echo "  $0 minor                    # Update versions with minor bump"
  echo "  $0 major                    # Update versions with major bump"
+  echo "  $0 --ci patch               # CI check: verify patch bump has been applied"
  exit 1
 }

@@ -85,7 +90,7 @@ update_readme_version() {
            in_module_block = 0
            if (module_has_target_source) {
              num_lines = split(module_content, lines, "\n")
-              for (i = 1; i <= num_lines; i++) {
+              for (i = 1; i < num_lines; i++) {
                line = lines[i]
                if (line ~ /^[[:space:]]*version[[:space:]]*=/) {
                  match(line, /^[[:space:]]*/)
@@ -115,6 +120,11 @@ update_readme_version() {
 }

 main() {
+  if [ "${1:-}" = "--ci" ]; then
+    CI_MODE=true
+    shift
+  fi
+
  if [ $# -lt 1 ] || [ $# -gt 2 ]; then
    usage
  fi
@@ -152,6 +162,8 @@ main() {
  local untagged_modules=""
  local has_changes=false

+  declare -a modified_readme_files=()
+
  while IFS= read -r module_path; do
    if [ -z "$module_path" ]; then continue; fi

@@ -202,6 +214,7 @@ main() {

    if update_readme_version "$readme_path" "$namespace" "$module_name" "$new_version"; then
      updated_readmes="$updated_readmes\n- $namespace/$module_name"
+      modified_readme_files+=("$readme_path")
      has_changes=true
    fi

@@ -210,19 +223,22 @@ main() {

  done <<< "$modules"

-  # Always run formatter to ensure consistent formatting
-  echo "🔧 Running formatter to ensure consistent formatting..."
-  if command -v bun > /dev/null 2>&1; then
-    bun fmt > /dev/null 2>&1 || echo "⚠️  Warning: bun fmt failed, but continuing..."
-  else
-    echo "⚠️  Warning: bun not found, skipping formatting"
+  if [ ${#modified_readme_files[@]} -gt 0 ]; then
+    echo "🔧 Formatting modified README files..."
+    if command -v bun > /dev/null 2>&1; then
+      for readme_file in "${modified_readme_files[@]}"; do
+        bun run prettier --write "$readme_file" 2> /dev/null || true
+      done
+    else
+      echo "⚠️  Warning: bun not found, skipping formatting"
+    fi
+    echo ""
  fi
-  echo ""

  echo "📋 Summary:"
  echo "Bump Type: $bump_type"
  echo ""
-  echo "Modules Updated:"
+  echo "Modules Processed:"
  echo -e "$bumped_modules"
  echo ""

@@ -239,6 +255,19 @@ main() {
    echo ""
  fi

+  if [ "$CI_MODE" = true ]; then
+    echo "🔍 Comparing files to committed versions..."
+    if git diff --quiet; then
+      echo "✅ PASS: All versions match - no changes needed"
+      exit 0
+    else
+      echo "❌ FAIL: Module versions need to be updated"
+      echo ""
+      echo "Run './.github/scripts/version-bump.sh $bump_type' locally and commit the changes"
+      exit 1
+    fi
+  fi
+
  if [ "$has_changes" = true ]; then
    echo "✅ Version bump completed successfully!"
    echo "📝 README files have been updated with new versions."
@@ -3,6 +3,7 @@ muc = "muc" # For Munich location code
 tyo = "tyo" # For Tokyo location code
 Hashi = "Hashi"
 HashiCorp = "HashiCorp"
+hel = "hel" # For Helsinki location code
 mavrickrishi = "mavrickrishi" # Username
 mavrick = "mavrick" # Username
 inh = "inh" # Option in setpriv command
@@ -93,7 +93,7 @@ jobs:
      - name: Validate formatting
        run: bun fmt:ci
      - name: Check for typos
-        uses: crate-ci/typos@v1.39.2
+        uses: crate-ci/typos@v1.40.0
        with:
          config: .github/typos.toml
  validate-readme-files:
@@ -55,62 +55,35 @@ jobs:
              ;;
          esac

-      - name: Check version bump requirements
-        id: version-check
-        run: |
-          output_file=$(mktemp)
-          if ./.github/scripts/version-bump.sh "${{ steps.bump-type.outputs.type }}" origin/main > "$output_file" 2>&1; then
-            echo "Script completed successfully"
-          else
-            echo "Script failed"
-            cat "$output_file"
-            exit 1
-          fi
+      - name: Check version bump
+        run: ./.github/scripts/version-bump.sh --ci "${{ steps.bump-type.outputs.type }}" origin/main

-          {
-            echo "output<<EOF"
-            cat "$output_file"
-            echo "EOF"
-          } >> $GITHUB_OUTPUT
-
-          cat "$output_file"
-
-          if git diff --quiet; then
-            echo "versions_up_to_date=true" >> $GITHUB_OUTPUT
-            echo "✅ All module versions are already up to date"
-          else
-            echo "versions_up_to_date=false" >> $GITHUB_OUTPUT
-            echo "❌ Module versions need to be updated"
-            echo "Files that would be changed:"
-            git diff --name-only
-            echo ""
-            echo "Diff preview:"
-            git diff
-            
-            git checkout .
-            git clean -fd
-            
-            exit 1
-          fi
-
-      - name: Comment on PR - Failure
-        if: failure() && steps.version-check.outputs.versions_up_to_date == 'false'
+      - name: Comment on PR - Version bump required
+        if: failure()
        uses: actions/github-script@v8
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
-            const output = `${{ steps.version-check.outputs.output }}`;
            const bumpType = `${{ steps.bump-type.outputs.type }}`;

-            let comment = `## ❌ Version Bump Validation Failed\n\n`;
-            comment += `**Bump Type:** \`${bumpType}\`\n\n`;
-            comment += `Module versions need to be updated but haven't been bumped yet.\n\n`;
-            comment += `**Required Actions:**\n`;
-            comment += `1. Run the version bump script locally: \`./.github/scripts/version-bump.sh ${bumpType}\`\n`;
-            comment += `2. Commit the changes: \`git add . && git commit -m "chore: bump module versions (${bumpType})"\`\n`;
-            comment += `3. Push the changes: \`git push\`\n\n`;
-            comment += `### Script Output:\n\`\`\`\n${output}\n\`\`\`\n\n`;
-            comment += `> Please update the module versions and push the changes to continue.`;
+            const comment = [
+              '## Version Bump Required',
+              '',
+              'One or more modules in this PR need their versions updated.',
+              '',
+              '**To fix this:**',
+              '1. Run the version bump script locally:',
+              '   ```bash',
+              `   ./.github/scripts/version-bump.sh ${bumpType}`,
+              '   ```',
+              '2. Commit the changes:',
+              '   ```bash',
+              `   git add . && git commit -m "chore: bump module versions (${bumpType})"`,
+              '   ```',
+              '3. Push your changes',
+              '',
+              'The CI will automatically re-run once you push the updated versions.'
+            ].join('\n');

            github.rest.issues.createComment({
              issue_number: context.issue.number,
@@ -1,3 +1,4 @@
+.DS_Store
 # Logs
 logs
 *.log
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg viewBox="0 0 500 500" xmlns="http://www.w3.org/2000/svg">
+    <circle cx="250" cy="250" r="250" fill="#fff"/>
+    <path d="m335 150h40v200h-40zm-130 0a100 100 0 1 0 0 200 100 100 0 1 0 0-200zm0 40a60 60 0 1 1 0 120 60 60 0 1 1 0-120z"/>
+</svg>
@@ -0,0 +1,8 @@
+<svg width="256" height="256" viewBox="0 0 256 256" xmlns="http://www.w3.org/2000/svg">
+  <circle cx="128" cy="128" r="120" fill="black"/>
+  <polygon 
+    points="128,70 178,170 78,170"
+    fill="white"
+  />
+</svg>
+
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg fill="#000000" width="800px" height="800px" viewBox="0 0 24 24" role="img" xmlns="http://www.w3.org/2000/svg"><title>Scaleway icon</title><path d="M16.61 11.11v5.72a1.77 1.77 0 0 1-1.54 1.69h-4a1.43 1.43 0 0 1-1.31-1.22 1.09 1.09 0 0 1 0-.18 1.37 1.37 0 0 1 1.37-1.36h1.74a1 1 0 0 0 1-1v-3.62a1.4 1.4 0 0 1 1.18-1.39h.17a1.37 1.37 0 0 1 1.39 1.36zm-6.46 1.74V9.26a1 1 0 0 1 1-1H13a1.37 1.37 0 0 0 1.37-1.37 1 1 0 0 0 0-.17 1.45 1.45 0 0 0-1.41-1.2H9a1.81 1.81 0 0 0-1.58 1.66v5.7a1.37 1.37 0 0 0 1.37 1.37H9a1.4 1.4 0 0 0 1.15-1.4zm12-4.29V20A4.53 4.53 0 0 1 18 24h-7.58a8.57 8.57 0 0 1-8.56-8.57V4.54A4.54 4.54 0 0 1 6.4 0h7.18a8.56 8.56 0 0 1 8.56 8.56zm-2.74 0a5.83 5.83 0 0 0-5.82-5.82H6.4a1.79 1.79 0 0 0-1.8 1.8v10.89a5.83 5.83 0 0 0 5.82 5.8h7.44a1.79 1.79 0 0 0 1.54-1.48z"/></svg>
@@ -1,15 +1,16 @@
 {
  "lockfileVersion": 1,
+  "configVersion": 0,
  "workspaces": {
    "": {
      "name": "registry",
      "devDependencies": {
-        "@types/bun": "^1.2.21",
-        "bun-types": "^1.2.21",
-        "dedent": "^1.6.0",
+        "@types/bun": "^1.3.4",
+        "bun-types": "^1.3.4",
+        "dedent": "^1.7.0",
        "gray-matter": "^4.0.3",
-        "marked": "^16.2.0",
-        "prettier": "^3.6.2",
+        "marked": "^16.4.2",
+        "prettier": "^3.7.4",
        "prettier-plugin-sh": "^0.18.0",
        "prettier-plugin-terraform-formatter": "^1.2.1",
        "shellcheck": "^4.1.0",
@@ -30,12 +31,10 @@

    "@tokenizer/token": ["@tokenizer/token@0.3.0", "", {}, "sha512-OvjF+z51L3ov0OyAU0duzsYuvO01PH7x4t6DJx+guahgTnBHkhJdG7soQeTSFLWN3efnHyibZ4Z8l2EuWwJN3A=="],

-    "@types/bun": ["@types/bun@1.2.21", "", { "dependencies": { "bun-types": "1.2.21" } }, "sha512-NiDnvEqmbfQ6dmZ3EeUO577s4P5bf4HCTXtI6trMc6f6RzirY5IrF3aIookuSpyslFzrnvv2lmEWv5HyC1X79A=="],
+    "@types/bun": ["@types/bun@1.3.4", "", { "dependencies": { "bun-types": "1.3.4" } }, "sha512-EEPTKXHP+zKGPkhRLv+HI0UEX8/o+65hqARxLy8Ov5rIxMBPNTjeZww00CIihrIQGEQBYg+0roO5qOnS/7boGA=="],

    "@types/node": ["@types/node@24.0.14", "", { "dependencies": { "undici-types": "~7.8.0" } }, "sha512-4zXMWD91vBLGRtHK3YbIoFMia+1nqEz72coM42C5ETjnNCa/heoj7NT1G67iAfOqMmcfhuCZ4uNpyz8EjlAejw=="],

-    "@types/react": ["@types/react@19.1.8", "", { "dependencies": { "csstype": "^3.0.2" } }, "sha512-AwAfQ2Wa5bCx9WP8nZL2uMZWod7J7/JSplxbTmBQ5ms6QpqNYm672H0Vu9ZVKVngQ+ii4R/byguVEUZQyeg44g=="],
-
    "@xhmikosr/decompress-tar": ["@xhmikosr/decompress-tar@8.1.0", "", { "dependencies": { "file-type": "^20.5.0", "is-stream": "^2.0.1", "tar-stream": "^3.1.7" } }, "sha512-m0q8x6lwxenh1CrsTby0Jrjq4vzW/QU1OLhTHMQLEdHpmjR1lgahGz++seZI0bXF3XcZw3U3xHfqZSz+JPP2Gg=="],

    "@xhmikosr/decompress-unzip": ["@xhmikosr/decompress-unzip@7.1.0", "", { "dependencies": { "file-type": "^20.5.0", "get-stream": "^6.0.1", "yauzl": "^3.1.2" } }, "sha512-oqTYAcObqTlg8owulxFTqiaJkfv2SHsxxxz9Wg4krJAHVzGWlZsU8tAB30R6ow+aHrfv4Kub6WQ8u04NWVPUpA=="],
@@ -64,7 +63,7 @@

    "buffer-fill": ["buffer-fill@1.0.0", "", {}, "sha512-T7zexNBwiiaCOGDg9xNX9PBmjrubblRkENuptryuI64URkXDFum9il/JGL8Lm8wYfAXpredVXXZz7eMHilimiQ=="],

-    "bun-types": ["bun-types@1.2.21", "", { "dependencies": { "@types/node": "*" }, "peerDependencies": { "@types/react": "^19" } }, "sha512-sa2Tj77Ijc/NTLS0/Odjq/qngmEPZfbfnOERi0KRUYhT9R8M4VBioWVmMWE5GrYbKMc+5lVybXygLdibHaqVqw=="],
+    "bun-types": ["bun-types@1.3.4", "", { "dependencies": { "@types/node": "*" } }, "sha512-5ua817+BZPZOlNaRgGBpZJOSAQ9RQ17pkwPD0yR7CfJg+r8DgIILByFifDTa+IPDDxzf5VNhtNlcKqFzDgJvlQ=="],

    "call-bind": ["call-bind@1.0.8", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.0", "es-define-property": "^1.0.0", "get-intrinsic": "^1.2.4", "set-function-length": "^1.2.2" } }, "sha512-oKlSFMcMwpUg2ednkhQ454wfWiU/ul3CkJe/PEHcTKuiX6RpbehUiFMXu13HalGZxfUwCQzZG747YXBn1im9ww=="],

@@ -76,8 +75,6 @@

    "core-util-is": ["core-util-is@1.0.3", "", {}, "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ=="],

-    "csstype": ["csstype@3.1.3", "", {}, "sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw=="],
-
    "debug": ["debug@4.4.3", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA=="],

    "decompress": ["decompress@4.2.1", "", { "dependencies": { "decompress-tar": "^4.0.0", "decompress-tarbz2": "^4.0.0", "decompress-targz": "^4.0.0", "decompress-unzip": "^4.0.1", "graceful-fs": "^4.1.10", "make-dir": "^1.0.0", "pify": "^2.3.0", "strip-dirs": "^2.0.0" } }, "sha512-e48kc2IjU+2Zw8cTb6VZcJQ3lgVbS4uuB1TfCHbiZIP/haNXm+SVyhu+87jts5/3ROpd82GSVCoNs/z8l4ZOaQ=="],
@@ -90,7 +87,7 @@

    "decompress-unzip": ["decompress-unzip@4.0.1", "", { "dependencies": { "file-type": "^3.8.0", "get-stream": "^2.2.0", "pify": "^2.3.0", "yauzl": "^2.4.2" } }, "sha512-1fqeluvxgnn86MOh66u8FjbtJpAFv5wgCT9Iw8rcBqQcCo5tO8eiJw7NNTrvt9n4CRBVq7CstiS922oPgyGLrw=="],

-    "dedent": ["dedent@1.6.0", "", { "peerDependencies": { "babel-plugin-macros": "^3.1.0" }, "optionalPeers": ["babel-plugin-macros"] }, "sha512-F1Z+5UCFpmQUzJa11agbyPVMbpgT/qA3/SKyJ1jyBgm7dUcUEa8v9JwDkerSQXfakBwFljIxhOJqGkjUwZ9FSA=="],
+    "dedent": ["dedent@1.7.0", "", { "peerDependencies": { "babel-plugin-macros": "^3.1.0" }, "optionalPeers": ["babel-plugin-macros"] }, "sha512-HGFtf8yhuhGhqO07SV79tRp+br4MnbdjeVxotpn1QBl30pcLLCQjX5b2295ll0fv8RKDKsmWYrl05usHM9CewQ=="],

    "define-data-property": ["define-data-property@1.1.4", "", { "dependencies": { "es-define-property": "^1.0.0", "es-errors": "^1.3.0", "gopd": "^1.0.1" } }, "sha512-rBMvIzlpA8v6E+SJZoo++HAYqsLrkg7MSfIinMPFhmkorw7X+dOXVJQs+QT69zGkzMyfDnIMN2Wid1+NbL3T+A=="],

@@ -182,7 +179,7 @@

    "make-dir": ["make-dir@1.3.0", "", { "dependencies": { "pify": "^3.0.0" } }, "sha512-2w31R7SJtieJJnQtGc7RVL2StM2vGYVfqUOvUDxH6bC6aJTxPxTF0GnIgCyu7tjockiUWAYQRbxa7vKn34s5sQ=="],

-    "marked": ["marked@16.2.0", "", { "bin": { "marked": "bin/marked.js" } }, "sha512-LbbTuye+0dWRz2TS9KJ7wsnD4KAtpj0MVkWc90XvBa6AslXsT0hTBVH5k32pcSyHH1fst9XEFJunXHktVy0zlg=="],
+    "marked": ["marked@16.4.2", "", { "bin": { "marked": "bin/marked.js" } }, "sha512-TI3V8YYWvkVf3KJe1dRkpnjs68JUPyEa5vjKrp1XEEJUAOaQc+Qj+L1qWbPd0SJuAdQkFU0h73sXXqwDYxsiDA=="],

    "matcher": ["matcher@3.0.0", "", { "dependencies": { "escape-string-regexp": "^4.0.0" } }, "sha512-OkeDaAZ/bQCxeFAozM55PKcKU0yJMPGifLwV4Qgjitu+5MoAfSQN4lsLJeXZ1b8w0x+/Emda6MZgXS1jvsapng=="],

@@ -206,7 +203,7 @@

    "possible-typed-array-names": ["possible-typed-array-names@1.1.0", "", {}, "sha512-/+5VFTchJDoVj3bhoqi6UeymcD00DAwb1nJwamzPvHEszJ4FpF6SNNbUbOS8yI56qHzdV8eK0qEfOSiodkTdxg=="],

-    "prettier": ["prettier@3.6.2", "", { "bin": { "prettier": "bin/prettier.cjs" } }, "sha512-I7AIg5boAr5R0FFtJ6rCfD+LFsWHp81dolrFD8S79U9tb8Az2nGrJncnMSnys+bpQJfRUzqs9hnA81OAA3hCuQ=="],
+    "prettier": ["prettier@3.7.4", "", { "bin": { "prettier": "bin/prettier.cjs" } }, "sha512-v6UNi1+3hSlVvv8fSaoUbggEM5VErKmmpGA7Pl3HF8V6uKY7rvClBOJlH6yNwQtfTueNkGVpOv/mtWL9L4bgRA=="],

    "prettier-plugin-sh": ["prettier-plugin-sh@0.18.0", "", { "dependencies": { "@reteps/dockerfmt": "^0.3.6", "sh-syntax": "^0.5.8" }, "peerDependencies": { "prettier": "^3.6.0" } }, "sha512-cW1XL27FOJQ/qGHOW6IHwdCiNWQsAgK+feA8V6+xUTaH0cD3Mh+tFAtBvEEWvuY6hTDzRV943Fzeii+qMOh7nQ=="],

@@ -10,12 +10,12 @@
    "update-version": "./update-version.sh"
  },
  "devDependencies": {
-    "@types/bun": "^1.2.21",
-    "bun-types": "^1.2.21",
-    "dedent": "^1.6.0",
+    "@types/bun": "^1.3.4",
+    "bun-types": "^1.3.4",
+    "dedent": "^1.7.0",
    "gray-matter": "^4.0.3",
-    "marked": "^16.2.0",
-    "prettier": "^3.6.2",
+    "marked": "^16.4.2",
+    "prettier": "^3.7.4",
    "prettier-plugin-sh": "^0.18.0",
    "prettier-plugin-terraform-formatter": "^1.2.1",
    "shellcheck": "^4.1.0"
@@ -0,0 +1,7 @@
+---
+display_name: "Excellencedev"
+bio: "Love to contribute"
+avatar: "./.images/avatar.png"
+support_email: "ademiluyisuccessandexcellence@gmail.com"
+status: "community"
+---
@@ -0,0 +1,32 @@
+---
+display_name: Hetzner Cloud Server
+description: Provision Hetzner Cloud servers as Coder workspaces
+icon: ../../../../.icons/hetzner.svg
+tags: [vm, linux, hetzner]
+---
+
+# Remote Development on Hetzner Cloud (Linux)
+
+Provision Hetzner Cloud servers as [Coder workspaces](https://coder.com/docs/workspaces) with this example template.
+
+> [!WARNING]
+> **Workspace Storage Persistence:** When a workspace is stopped, the Hetzner Cloud server instance is stopped but your home volume and stored data persist. This means your files and data remain intact when you resume the workspace.
+
+> [!IMPORTANT]
+> **Volume Management & Costs:** Hetzner Cloud volumes persist even when workspaces are stopped and will continue to incur storage costs (€0.0476/GB/month). Volumes are only automatically deleted when the workspace is completely deleted. Monitor your volumes in the [Hetzner Cloud Console](https://console.hetzner.cloud/) to manage costs effectively.
+
+## Prerequisites
+
+To deploy workspaces as Hetzner Cloud servers, you'll need:
+
+- Hetzner Cloud [API token](https://console.hetzner.cloud/projects) (create under Security > API Tokens)
+
+### Authentication
+
+This template assumes that the Coder Provisioner is run in an environment that is authenticated with Hetzner Cloud.
+
+Obtain a Hetzner Cloud API token from your [Hetzner Cloud Console](https://console.hetzner.cloud/projects) and provide it as the `hcloud_token` variable when creating a workspace.
+For more authentication options, see the [Terraform provider documentation](https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs#authentication).
+
+> [!NOTE]
+> This template is designed to be a starting point. Edit the Terraform to extend the template to support your use case.
@@ -0,0 +1,62 @@
+#cloud-config
+users:
+  - name: ${username}
+    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+    groups: sudo
+    shell: /bin/bash
+packages:
+  - git
+%{ if home_volume_label != "" ~}
+fs_setup:
+  - device: /dev/disk/by-id/scsi-0HC_Volume_${volume_id}
+    filesystem: ext4
+    label: ${home_volume_label}
+    overwrite: false # This prevents reformatting the disk on every boot
+
+mounts:
+  - [
+      "/dev/disk/by-id/scsi-0HC_Volume_${volume_id}",
+      "/home/${username}",
+      ext4,
+      "defaults,uid=1000,gid=1000",
+    ]
+%{ endif ~}
+write_files:
+  - path: /opt/coder/init
+    permissions: "0755"
+    encoding: b64
+    content: ${init_script}
+  - path: /etc/systemd/system/coder-agent.service
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Coder Agent
+      After=network-online.target
+      Wants=network-online.target
+
+      [Service]
+      User=${username}
+      ExecStart=/opt/coder/init
+      Environment=CODER_AGENT_TOKEN=${coder_agent_token}
+      Restart=always
+      RestartSec=10
+      TimeoutStopSec=90
+      KillMode=process
+
+      OOMScoreAdjust=-900
+      SyslogIdentifier=coder-agent
+
+      [Install]
+      WantedBy=multi-user.target
+runcmd:
+%{ if home_volume_label != "" ~}
+  - |
+    until [ -e /dev/disk/by-id/scsi-0HC_Volume_${volume_id} ]; do
+      echo "Waiting for volume device..."
+      sleep 2
+    done
+%{ endif ~}
+  - mount -a
+  - chown ${username}:${username} /home/${username}
+  - systemctl enable coder-agent
+  - systemctl start coder-agent
@@ -0,0 +1,27 @@
+{
+  "type_meta": {
+    "cx22":  { "cores": 2,  "memory_gb": 4,  "disk_gb": 40 },
+    "cx32":  { "cores": 4,  "memory_gb": 8,  "disk_gb": 80 },
+    "cx42":  { "cores": 8,  "memory_gb": 16, "disk_gb": 160 },
+    "cx52":  { "cores": 16, "memory_gb": 32, "disk_gb": 320 },
+    "cpx11": { "cores": 2,  "memory_gb": 2,  "disk_gb": 40 },
+    "cpx21": { "cores": 3,  "memory_gb": 4,  "disk_gb": 80 },
+    "cpx31": { "cores": 4,  "memory_gb": 8,  "disk_gb": 160 },
+    "cpx41": { "cores": 8,  "memory_gb": 16, "disk_gb": 240 },
+    "cpx51": { "cores": 16, "memory_gb": 32, "disk_gb": 360 },
+    "ccx13": { "cores": 2,  "memory_gb": 8,   "disk_gb": 80 },
+    "ccx23": { "cores": 4,  "memory_gb": 16,  "disk_gb": 160 },
+    "ccx33": { "cores": 8,  "memory_gb": 32,  "disk_gb": 240 },
+    "ccx43": { "cores": 16, "memory_gb": 64,  "disk_gb": 360 },
+    "ccx53": { "cores": 32, "memory_gb": 128, "disk_gb": 600 },
+    "ccx63": { "cores": 48, "memory_gb": 192, "disk_gb": 960 }
+  },
+  "availability": {
+    "fsn1": ["cpx11", "cpx21", "cpx31", "cpx41", "cpx51", "ccx13", "ccx23", "ccx33"],
+    "ash":  ["cpx11", "cpx21", "cpx31", "cpx41", "cpx51", "ccx13", "ccx23", "ccx33"],
+    "hel1": ["cx22", "cpx11", "cpx21", "cpx31", "cpx41", "cpx51", "ccx13", "ccx23", "ccx33"],
+    "hil":  ["cpx11", "cpx21", "cpx31", "cpx41", "ccx13", "ccx23", "ccx33"],
+    "nbg1": ["cx22", "cx32", "cx42", "cx52", "cpx11", "cpx21", "cpx31", "cpx41", "cpx51", "ccx13", "ccx23", "ccx33"],
+    "sin":  ["cpx11", "cpx21", "cpx31", "cpx41", "cpx51", "ccx13", "ccx23", "ccx33"]
+  }
+}
@@ -0,0 +1,183 @@
+terraform {
+  required_providers {
+    hcloud = {
+      source = "hetznercloud/hcloud"
+    }
+    coder = {
+      source = "coder/coder"
+    }
+  }
+}
+
+variable "hcloud_token" {
+  sensitive = true
+}
+
+provider "hcloud" {
+  token = var.hcloud_token
+}
+
+# Available locations: https://docs.hetzner.com/cloud/general/locations/
+data "coder_parameter" "hcloud_location" {
+  name         = "hcloud_location"
+  display_name = "Hetzner Location"
+  description  = "Select the Hetzner Cloud location for your workspace."
+  type         = "string"
+  default      = "fsn1"
+  option {
+    name  = "DE Falkenstein"
+    value = "fsn1"
+  }
+  option {
+    name  = "US Ashburn, VA"
+    value = "ash"
+  }
+  option {
+    name  = "US Hillsboro, OR"
+    value = "hil"
+  }
+  option {
+    name  = "SG Singapore"
+    value = "sin"
+  }
+  option {
+    name  = "DE Nuremberg"
+    value = "nbg1"
+  }
+  option {
+    name  = "FI Helsinki"
+    value = "hel1"
+  }
+}
+
+# Available server types: https://docs.hetzner.com/cloud/servers/overview/
+data "coder_parameter" "hcloud_server_type" {
+  name         = "hcloud_server_type"
+  display_name = "Hetzner Server Type"
+  description  = "Select the Hetzner Cloud server type for your workspace."
+  type         = "string"
+
+  dynamic "option" {
+    for_each = local.hcloud_server_type_options_for_selected_location
+    content {
+      name  = option.value.name
+      value = option.value.value
+    }
+  }
+}
+
+resource "hcloud_server" "dev" {
+  count       = data.coder_workspace.me.start_count
+  name        = "coder-${data.coder_workspace.me.name}-dev"
+  image       = "ubuntu-24.04"
+  server_type = data.coder_parameter.hcloud_server_type.value
+  location    = data.coder_parameter.hcloud_location.value
+  public_net {
+    ipv4_enabled = true
+    ipv6_enabled = true
+  }
+  user_data = templatefile("cloud-config.yaml.tftpl", {
+    username          = lower(data.coder_workspace_owner.me.name)
+    home_volume_label = "coder-${data.coder_workspace.me.id}-home"
+    volume_id         = hcloud_volume.home_volume.id
+    init_script       = base64encode(coder_agent.main.init_script)
+    coder_agent_token = coder_agent.main.token
+  })
+  labels = {
+    "coder_workspace_name"  = data.coder_workspace.me.name,
+    "coder_workspace_owner" = data.coder_workspace_owner.me.name,
+  }
+}
+
+resource "hcloud_volume" "home_volume" {
+  name     = "coder-${data.coder_workspace.me.id}-home"
+  size     = data.coder_parameter.home_volume_size.value
+  location = data.coder_parameter.hcloud_location.value
+  labels = {
+    "coder_workspace_name"  = data.coder_workspace.me.name,
+    "coder_workspace_owner" = data.coder_workspace_owner.me.name,
+  }
+}
+
+resource "hcloud_volume_attachment" "home_volume_attachment" {
+  count     = data.coder_workspace.me.start_count
+  volume_id = hcloud_volume.home_volume.id
+  server_id = hcloud_server.dev[count.index].id
+  automount = false
+}
+
+locals {
+  username = lower(data.coder_workspace_owner.me.name)
+
+  # Data source: local JSON file under the module directory
+  # Check API for latest server types & availability: https://docs.hetzner.cloud/reference/cloud#server-types
+  hcloud_server_types_data        = jsondecode(file("${path.module}/hetzner_server_types.json"))
+  hcloud_server_type_meta         = local.hcloud_server_types_data.type_meta
+  hcloud_server_types_by_location = local.hcloud_server_types_data.availability
+
+  hcloud_server_type_options_for_selected_location = [
+    for type_name in lookup(local.hcloud_server_types_by_location, data.coder_parameter.hcloud_location.value, []) : {
+      name  = format("%s (%d vCPU, %dGB RAM, %dGB)", upper(type_name), local.hcloud_server_type_meta[type_name].cores, local.hcloud_server_type_meta[type_name].memory_gb, local.hcloud_server_type_meta[type_name].disk_gb)
+      value = type_name
+    }
+  ]
+}
+
+data "coder_provisioner" "me" {}
+
+provider "coder" {}
+
+data "coder_workspace" "me" {}
+
+data "coder_workspace_owner" "me" {}
+
+data "coder_parameter" "home_volume_size" {
+  name         = "home_volume_size"
+  display_name = "Home volume size"
+  description  = "How large would you like your home volume to be (in GB)?"
+  type         = "number"
+  default      = "20"
+  mutable      = false
+  validation {
+    min = 1
+    max = 100 # Adjust the max size as needed
+  }
+}
+
+resource "coder_agent" "main" {
+  os   = "linux"
+  arch = "amd64"
+
+  metadata {
+    key          = "cpu"
+    display_name = "CPU Usage"
+    interval     = 5
+    timeout      = 5
+    script       = "coder stat cpu"
+  }
+  metadata {
+    key          = "memory"
+    display_name = "Memory Usage"
+    interval     = 5
+    timeout      = 5
+    script       = "coder stat mem"
+  }
+  metadata {
+    key          = "home"
+    display_name = "Home Usage"
+    interval     = 600 # every 10 minutes
+    timeout      = 30  # df can take a while on large filesystems
+    script       = "coder stat disk --path /home/${local.username}"
+  }
+}
+
+module "code-server" {
+  count  = data.coder_workspace.me.start_count
+  source = "registry.coder.com/coder/code-server/coder"
+
+  # This ensures that the latest non-breaking version of the module gets downloaded, you can also pin the module version to prevent breaking changes in production.
+  version = "~> 1.0"
+
+  agent_id = coder_agent.main.id
+  order    = 1
+}
@@ -15,7 +15,7 @@ up a default or custom tmux configuration with session save/restore capabilities
 ```tf
 module "tmux" {
  source   = "registry.coder.com/anomaly/tmux/coder"
-  version  = "1.0.3"
+  version  = "1.0.4"
  agent_id = coder_agent.example.id
 }
 ```
@@ -39,7 +39,7 @@ module "tmux" {
 ```tf
 module "tmux" {
  source        = "registry.coder.com/anomaly/tmux/coder"
-  version       = "1.0.3"
+  version       = "1.0.4"
  agent_id      = coder_agent.example.id
  tmux_config   = ""                        # Optional: custom tmux.conf content
  save_interval = 1                         # Optional: save interval in minutes
@@ -78,7 +78,7 @@ This module can provision multiple tmux sessions, each as a separate app in the
 ```tf
 module "tmux" {
  source      = "registry.coder.com/anomaly/tmux/coder"
-  version     = "1.0.3"
+  version     = "1.0.4"
  agent_id    = var.agent_id
  sessions    = ["default", "dev", "anomaly"]
  tmux_config = <<-EOT
@@ -55,7 +55,7 @@ resource "coder_script" "tmux" {
  display_name = "tmux"
  icon         = "/icon/terminal.svg"
  script = templatefile("${path.module}/scripts/run.sh", {
-    TMUX_CONFIG   = var.tmux_config
+    TMUX_CONFIG   = base64encode(var.tmux_config)
    SAVE_INTERVAL = var.save_interval
  })
  run_on_start = true
@@ -4,7 +4,7 @@ BOLD='\033[0;1m'

 # Convert templated variables to shell variables
 SAVE_INTERVAL="${SAVE_INTERVAL}"
-TMUX_CONFIG="${TMUX_CONFIG}"
+TMUX_CONFIG=$(echo -n "${TMUX_CONFIG}" | base64 -d)

 # Function to install tmux
 install_tmux() {
@@ -73,7 +73,7 @@ setup_tmux_config() {
  mkdir -p "$config_dir"

  if [ -n "$TMUX_CONFIG" ]; then
-    printf "$TMUX_CONFIG" > "$config_file"
+    printf "%s" "$TMUX_CONFIG" > "$config_file"
    printf "$${BOLD}Custom tmux configuration applied at {$config_file} \n\n"
  else
    cat > "$config_file" << EOF
@@ -13,7 +13,7 @@ Run Auggie CLI in your workspace to access Augment's AI coding assistant with ad
 ```tf
 module "auggie" {
  source   = "registry.coder.com/coder-labs/auggie/coder"
-  version  = "0.2.2"
+  version  = "0.3.0"
  agent_id = coder_agent.example.id
  folder   = "/home/coder/project"
 }
@@ -47,7 +47,7 @@ module "coder-login" {

 module "auggie" {
  source   = "registry.coder.com/coder-labs/auggie/coder"
-  version  = "0.2.2"
+  version  = "0.3.0"
  agent_id = coder_agent.example.id
  folder   = "/home/coder/project"

@@ -103,7 +103,7 @@ EOF
 ```tf
 module "auggie" {
  source   = "registry.coder.com/coder-labs/auggie/coder"
-  version  = "0.2.2"
+  version  = "0.3.0"
  agent_id = coder_agent.example.id
  folder   = "/home/coder/project"

@@ -4,7 +4,7 @@ terraform {
  required_providers {
    coder = {
      source  = "coder/coder"
-      version = ">= 2.7"
+      version = ">= 2.12"
    }
  }
 }
@@ -179,7 +179,7 @@ locals {

 module "agentapi" {
  source  = "registry.coder.com/coder/agentapi/coder"
-  version = "1.2.0"
+  version = "2.0.0"

  agent_id             = var.agent_id
  folder               = local.folder
@@ -229,4 +229,8 @@ module "agentapi" {
    ARG_MCP_CONFIG='${var.mcp != null ? base64encode(replace(var.mcp, "'", "'\\''")) : ""}' \
    /tmp/install.sh
  EOT
-}
+}
+
+output "task_app_id" {
+  value = module.agentapi.task_app_id
+}
@@ -13,7 +13,7 @@ Run [GitHub Copilot CLI](https://docs.github.com/copilot/concepts/agents/about-c
 ```tf
 module "copilot" {
  source   = "registry.coder.com/coder-labs/copilot/coder"
-  version  = "0.2.3"
+  version  = "0.3.0"
  agent_id = coder_agent.example.id
  workdir  = "/home/coder/projects"
 }
@@ -51,7 +51,7 @@ data "coder_parameter" "ai_prompt" {

 module "copilot" {
  source   = "registry.coder.com/coder-labs/copilot/coder"
-  version  = "0.2.3"
+  version  = "0.3.0"
  agent_id = coder_agent.example.id
  workdir  = "/home/coder/projects"

@@ -71,7 +71,7 @@ Customize tool permissions, MCP servers, and Copilot settings:
 ```tf
 module "copilot" {
  source   = "registry.coder.com/coder-labs/copilot/coder"
-  version  = "0.2.3"
+  version  = "0.3.0"
  agent_id = coder_agent.example.id
  workdir  = "/home/coder/projects"

@@ -142,7 +142,7 @@ variable "github_token" {

 module "copilot" {
  source       = "registry.coder.com/coder-labs/copilot/coder"
-  version      = "0.2.3"
+  version      = "0.3.0"
  agent_id     = coder_agent.example.id
  workdir      = "/home/coder/projects"
  github_token = var.github_token
@@ -156,7 +156,7 @@ Run Copilot as a command-line tool without task reporting or web interface. This
 ```tf
 module "copilot" {
  source       = "registry.coder.com/coder-labs/copilot/coder"
-  version      = "0.2.3"
+  version      = "0.3.0"
  agent_id     = coder_agent.example.id
  workdir      = "/home/coder"
  report_tasks = false
@@ -3,7 +3,7 @@ terraform {
  required_providers {
    coder = {
      source  = "coder/coder"
-      version = ">= 2.7"
+      version = ">= 2.12"
    }
  }
 }
@@ -242,7 +242,7 @@ resource "coder_env" "github_token" {

 module "agentapi" {
  source  = "registry.coder.com/coder/agentapi/coder"
-  version = "1.2.0"
+  version = "2.0.0"

  agent_id             = var.agent_id
  folder               = local.workdir
@@ -268,7 +268,7 @@ module "agentapi" {
    set -o pipefail
    echo -n '${base64encode(local.start_script)}' | base64 -d > /tmp/start.sh
    chmod +x /tmp/start.sh
-    
+
    ARG_WORKDIR='${local.workdir}' \
    ARG_AI_PROMPT='${base64encode(var.ai_prompt)}' \
    ARG_SYSTEM_PROMPT='${base64encode(local.final_system_prompt)}' \
@@ -288,7 +288,7 @@ module "agentapi" {
    set -o pipefail
    echo -n '${base64encode(local.install_script)}' | base64 -d > /tmp/install.sh
    chmod +x /tmp/install.sh
-    
+
    ARG_MCP_APP_STATUS_SLUG='${local.app_slug}' \
    ARG_REPORT_TASKS='${var.report_tasks}' \
    ARG_WORKDIR='${local.workdir}' \
@@ -299,4 +299,8 @@ module "agentapi" {
    ARG_COPILOT_MODEL='${var.copilot_model}' \
    /tmp/install.sh
  EOT
-}
+}
+
+output "task_app_id" {
+  value = module.agentapi.task_app_id
+}
@@ -13,7 +13,7 @@ Run the Cursor Agent CLI in your workspace for interactive coding assistance and
 ```tf
 module "cursor_cli" {
  source   = "registry.coder.com/coder-labs/cursor-cli/coder"
-  version  = "0.2.2"
+  version  = "0.3.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
 }
@@ -42,7 +42,7 @@ module "coder-login" {

 module "cursor_cli" {
  source   = "registry.coder.com/coder-labs/cursor-cli/coder"
-  version  = "0.2.2"
+  version  = "0.3.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"

@@ -159,7 +159,7 @@ describe("cursor-cli", async () => {
      "-c",
      "cat /home/coder/.cursor-cli-module/agentapi-start.log || cat /home/coder/.cursor-cli-module/start.log || true",
    ]);
-    expect(startLog.stdout).toContain(`-m ${model}`);
+    expect(startLog.stdout).toContain(`--model ${model}`);
    expect(startLog.stdout).toContain("-f");
    expect(startLog.stdout).toContain("test prompt");
  });
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    coder = {
      source  = "coder/coder"
-      version = ">= 2.7"
+      version = ">= 2.12"
    }
  }
 }
@@ -132,7 +132,7 @@ resource "coder_env" "cursor_api_key" {

 module "agentapi" {
  source  = "registry.coder.com/coder/agentapi/coder"
-  version = "1.2.0"
+  version = "2.0.0"

  agent_id             = var.agent_id
  folder               = local.folder
@@ -179,3 +179,7 @@ module "agentapi" {
    /tmp/install.sh
  EOT
 }
+
+output "task_app_id" {
+  value = module.agentapi.task_app_id
+}
@@ -50,7 +50,7 @@ ARGS=()

 # global flags
 if [ -n "$ARG_MODEL" ]; then
-  ARGS+=("-m" "$ARG_MODEL")
+  ARGS+=("--model" "$ARG_MODEL")
 fi
 if [ "$ARG_FORCE" = "true" ]; then
  ARGS+=("-f")
@@ -13,7 +13,7 @@ Run [Gemini CLI](https://github.com/google-gemini/gemini-cli) in your workspace
 ```tf
 module "gemini" {
  source   = "registry.coder.com/coder-labs/gemini/coder"
-  version  = "2.1.2"
+  version  = "3.0.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
 }
@@ -46,7 +46,7 @@ variable "gemini_api_key" {

 module "gemini" {
  source         = "registry.coder.com/coder-labs/gemini/coder"
-  version        = "2.1.2"
+  version        = "3.0.0"
  agent_id       = coder_agent.main.id
  gemini_api_key = var.gemini_api_key
  folder         = "/home/coder/project"
@@ -94,7 +94,7 @@ data "coder_parameter" "ai_prompt" {
 module "gemini" {
  count                = data.coder_workspace.me.start_count
  source               = "registry.coder.com/coder-labs/gemini/coder"
-  version              = "2.1.2"
+  version              = "3.0.0"
  agent_id             = coder_agent.main.id
  gemini_api_key       = var.gemini_api_key
  gemini_model         = "gemini-2.5-flash"
@@ -118,7 +118,7 @@ For enterprise users who prefer Google's Vertex AI platform:
 ```tf
 module "gemini" {
  source         = "registry.coder.com/coder-labs/gemini/coder"
-  version        = "2.1.2"
+  version        = "3.0.0"
  agent_id       = coder_agent.main.id
  gemini_api_key = var.gemini_api_key
  folder         = "/home/coder/project"
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    coder = {
      source  = "coder/coder"
-      version = ">= 2.7"
+      version = ">= 2.12"
    }
  }
 }
@@ -177,7 +177,7 @@ EOT

 module "agentapi" {
  source  = "registry.coder.com/coder/agentapi/coder"
-  version = "1.2.0"
+  version = "2.0.0"

  agent_id             = var.agent_id
  folder               = local.folder
@@ -225,4 +225,8 @@ module "agentapi" {
     GEMINI_TASK_PROMPT='${var.task_prompt}' \
     /tmp/start.sh
   EOT
-}
+}
+
+output "task_app_id" {
+  value = module.agentapi.task_app_id
+}
@@ -0,0 +1,64 @@
+---
+display_name: Open WebUI
+description: A self-hosted AI chat interface supporting various LLM providers
+icon: ../../../../.icons/openwebui.svg
+verified: false
+tags: [ai, llm, chat, web, python]
+---
+
+# Open WebUI
+
+Open WebUI is a user-friendly web interface for interacting with Large Language Models. It provides a ChatGPT-like interface that can connect to various LLM providers including OpenAI, Ollama, and more.
+
+```tf
+module "open-webui" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder-labs/open-webui/coder"
+  version  = "1.0.0"
+  agent_id = coder_agent.main.id
+}
+```
+
+![Open WebUI](../../.images/openwebui.png)
+
+## Prerequisites
+
+- **Python 3.11 or higher** must be installed in your image (with `venv` module)
+- Port 7800 (default) or your custom port must be available
+
+For Ubuntu/Debian, you can install Python 3.11 from [deadsnakes PPA](https://launchpad.net/~deadsnakes/+archive/ubuntu/ppa):
+
+```shell
+sudo add-apt-repository -y ppa:deadsnakes/ppa
+sudo apt-get update
+sudo apt-get install -y python3.11 python3.11-venv
+```
+
+## Examples
+
+### With OpenAI API Key
+
+```tf
+module "open-webui" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder-labs/open-webui/coder"
+  version  = "1.0.0"
+  agent_id = coder_agent.main.id
+
+  openai_api_key = var.openai_api_key
+}
+```
+
+### Custom Port and Data Directory
+
+```tf
+module "open-webui" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder-labs/open-webui/coder"
+  version  = "1.0.0"
+  agent_id = coder_agent.main.id
+
+  http_server_port = 8080
+  data_dir         = "/home/coder/open-webui-data"
+}
+```
@@ -0,0 +1,94 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 2.5"
+    }
+  }
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+variable "http_server_log_path" {
+  type        = string
+  description = "The path to log Open WebUI to."
+  default     = "/tmp/open-webui.log"
+}
+
+variable "http_server_port" {
+  type        = number
+  description = "The port to run Open WebUI on."
+  default     = 7800
+}
+
+variable "open_webui_version" {
+  type        = string
+  description = "The version of Open WebUI to install"
+  default     = "latest"
+}
+
+variable "data_dir" {
+  type        = string
+  description = "The directory where Open WebUI stores its data (database, uploads, vector_db, cache)."
+  default     = ".open-webui"
+}
+
+variable "openai_api_key" {
+  type        = string
+  description = "OpenAI API key for accessing OpenAI models. If not provided, OpenAI integration will need to be configured manually in the UI."
+  default     = ""
+  sensitive   = true
+}
+
+variable "share" {
+  type        = string
+  description = "The sharing level for the Open WebUI app. Set to 'owner' for private access, 'authenticated' for access by any authenticated user, or 'public' for public access."
+  default     = "owner"
+  validation {
+    condition     = var.share == "owner" || var.share == "authenticated" || var.share == "public"
+    error_message = "Incorrect value. Please set either 'owner', 'authenticated', or 'public'."
+  }
+}
+
+variable "order" {
+  type        = number
+  description = "The order determines the position of app in the UI presentation. The lowest order is shown first and apps with equal order are sorted by name (ascending order)."
+  default     = null
+}
+
+variable "group" {
+  type        = string
+  description = "The name of a group that this app belongs to."
+  default     = null
+}
+
+resource "coder_script" "open-webui" {
+  agent_id     = var.agent_id
+  display_name = "open-webui"
+  icon         = "/icon/openwebui.svg"
+  script = templatefile("${path.module}/run.sh", {
+    HTTP_SERVER_LOG_PATH : var.http_server_log_path,
+    HTTP_SERVER_PORT : var.http_server_port,
+    VERSION : var.open_webui_version,
+    DATA_DIR : var.data_dir,
+    OPENAI_API_KEY : var.openai_api_key,
+  })
+  run_on_start = true
+}
+
+resource "coder_app" "open-webui" {
+  agent_id     = var.agent_id
+  slug         = "open-webui"
+  display_name = "Open WebUI"
+  url          = "http://localhost:${var.http_server_port}"
+  icon         = "/icon/openwebui.svg"
+  subdomain    = true
+  share        = var.share
+  order        = var.order
+  group        = var.group
+}
@@ -0,0 +1,188 @@
+mock_provider "coder" {}
+
+run "test_defaults" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent-123"
+  }
+
+  assert {
+    condition     = var.http_server_port == 7800
+    error_message = "Default port should be 7800"
+  }
+
+  assert {
+    condition     = var.http_server_log_path == "/tmp/open-webui.log"
+    error_message = "Default log path should be /tmp/open-webui.log"
+  }
+
+  assert {
+    condition     = var.share == "owner"
+    error_message = "Default share should be 'owner'"
+  }
+
+  assert {
+    condition     = var.open_webui_version == "latest"
+    error_message = "Default version should be 'latest'"
+  }
+
+  assert {
+    condition     = coder_app.open-webui.subdomain == true
+    error_message = "App should use subdomain"
+  }
+
+  assert {
+    condition     = coder_app.open-webui.display_name == "Open WebUI"
+    error_message = "App display name should be 'Open WebUI'"
+  }
+}
+
+run "test_custom_port" {
+  command = plan
+
+  variables {
+    agent_id         = "test-agent-456"
+    http_server_port = 9000
+  }
+
+  assert {
+    condition     = var.http_server_port == 9000
+    error_message = "Custom port should be 9000"
+  }
+
+  assert {
+    condition     = coder_app.open-webui.url == "http://localhost:9000"
+    error_message = "App URL should use custom port"
+  }
+}
+
+run "test_custom_log_path" {
+  command = plan
+
+  variables {
+    agent_id             = "test-agent-789"
+    http_server_log_path = "/var/log/open-webui.log"
+  }
+
+  assert {
+    condition     = var.http_server_log_path == "/var/log/open-webui.log"
+    error_message = "Custom log path should be set"
+  }
+}
+
+run "test_share_authenticated" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent-auth"
+    share    = "authenticated"
+  }
+
+  assert {
+    condition     = coder_app.open-webui.share == "authenticated"
+    error_message = "Share should be 'authenticated'"
+  }
+}
+
+run "test_share_public" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent-public"
+    share    = "public"
+  }
+
+  assert {
+    condition     = coder_app.open-webui.share == "public"
+    error_message = "Share should be 'public'"
+  }
+}
+
+run "test_order_and_group" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent-order"
+    order    = 10
+    group    = "AI Tools"
+  }
+
+  assert {
+    condition     = coder_app.open-webui.order == 10
+    error_message = "Order should be 10"
+  }
+
+  assert {
+    condition     = coder_app.open-webui.group == "AI Tools"
+    error_message = "Group should be 'AI Tools'"
+  }
+}
+
+run "test_custom_version" {
+  command = plan
+
+  variables {
+    agent_id           = "test-agent-version"
+    open_webui_version = "0.5.0"
+  }
+
+  assert {
+    condition     = var.open_webui_version == "0.5.0"
+    error_message = "Custom version should be '0.5.0'"
+  }
+}
+
+run "test_custom_data_dir" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent-data"
+    data_dir = "/home/coder/open-webui-data"
+  }
+
+  assert {
+    condition     = var.data_dir == "/home/coder/open-webui-data"
+    error_message = "Custom data_dir should be set"
+  }
+}
+
+run "test_default_data_dir" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent-data-default"
+  }
+
+  assert {
+    condition     = var.data_dir == ".open-webui"
+    error_message = "Default data_dir should be '.open-webui'"
+  }
+}
+
+run "test_openai_api_key" {
+  command = plan
+
+  variables {
+    agent_id       = "test-agent-openai"
+    openai_api_key = "sk-test-key-123"
+  }
+
+  assert {
+    condition     = var.openai_api_key == "sk-test-key-123"
+    error_message = "OpenAI API key should be set"
+  }
+}
+
+run "test_default_openai_api_key" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent-openai-default"
+  }
+
+  assert {
+    condition     = var.openai_api_key == ""
+    error_message = "Default OpenAI API key should be empty"
+  }
+}
@@ -0,0 +1,66 @@
+#!/usr/bin/env sh
+
+set -eu
+
+printf '\033[0;1mInstalling Open WebUI %s...\n\n' "${VERSION}"
+
+check_python_version() {
+  python_cmd="$1"
+  if command -v "$python_cmd" > /dev/null 2>&1; then
+    version=$("$python_cmd" --version 2>&1 | awk '{print $2}')
+    major=$(echo "$version" | cut -d. -f1)
+    minor=$(echo "$version" | cut -d. -f2)
+    if [ "$major" -eq 3 ] && [ "$minor" -ge 11 ]; then
+      echo "$python_cmd"
+      return 0
+    fi
+  fi
+  return 1
+}
+
+PYTHON_CMD=""
+for cmd in python3.13 python3.12 python3.11 python3 python; do
+  if result=$(check_python_version "$cmd"); then
+    PYTHON_CMD="$result"
+    echo "✅ Found suitable Python: $PYTHON_CMD ($($PYTHON_CMD --version 2>&1))"
+    break
+  fi
+done
+
+if [ -z "$PYTHON_CMD" ]; then
+  echo "❌ Python 3.11 or higher is required but not found."
+  echo ""
+  echo "Please install Python 3.11+ in your image. For example on Ubuntu/Debian:"
+  echo "  sudo add-apt-repository -y ppa:deadsnakes/ppa"
+  echo "  sudo apt-get update"
+  echo "  sudo apt-get install -y python3.11 python3.11-venv"
+  exit 1
+fi
+
+VENV_DIR="$HOME/.open-webui-venv"
+if [ ! -d "$VENV_DIR" ]; then
+  echo "📦 Creating virtual environment..."
+  "$PYTHON_CMD" -m venv "$VENV_DIR"
+fi
+. "$VENV_DIR/bin/activate"
+
+if ! pip show open-webui > /dev/null 2>&1; then
+  echo "📦 Installing Open WebUI version ${VERSION}..."
+  if [ "${VERSION}" = "latest" ]; then
+    pip install open-webui
+  else
+    pip install "open-webui==${VERSION}"
+  fi
+  echo "🥳 Open WebUI has been installed"
+else
+  echo "✅ Open WebUI is already installed"
+fi
+
+echo "👷 Starting Open WebUI in background..."
+echo "Check logs at ${HTTP_SERVER_LOG_PATH}"
+
+DATA_DIR="${DATA_DIR}" \
+  OPENAI_API_KEY="${OPENAI_API_KEY}" \
+  open-webui serve --host 0.0.0.0 --port "${HTTP_SERVER_PORT}" > "${HTTP_SERVER_LOG_PATH}" 2>&1 &
+
+echo "🥳 Open WebUI is ready. HTTP server is listening on port ${HTTP_SERVER_PORT}"
@@ -0,0 +1,55 @@
+---
+display_name: Perplexica
+description: Run Perplexica AI search engine in your workspace via Docker
+icon: ../../../../.icons/perplexica.svg
+verified: false
+tags: [ai, search, docker]
+---
+
+# Perplexica
+
+Run [Perplexica](https://github.com/ItzCrazyKns/Perplexica), a privacy-focused AI search engine, in your Coder workspace. Supports cloud providers (OpenAI, Anthropic Claude) and local LLMs via Ollama.
+
+```tf
+module "perplexica" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder-labs/perplexica/coder"
+  version  = "1.0.0"
+  agent_id = coder_agent.main.id
+}
+```
+
+This module uses the full Perplexica image with embedded SearXNG for simpler setup with no external dependencies.
+
+![Perplexica](../../.images/perplexica.png)
+
+## Prerequisites
+
+This module requires Docker to be available on the host.
+
+## Examples
+
+### With API Keys
+
+```tf
+module "perplexica" {
+  count             = data.coder_workspace.me.start_count
+  source            = "registry.coder.com/coder-labs/perplexica/coder"
+  version           = "1.0.0"
+  agent_id          = coder_agent.main.id
+  openai_api_key    = var.openai_api_key
+  anthropic_api_key = var.anthropic_api_key
+}
+```
+
+### With Local Ollama
+
+```tf
+module "perplexica" {
+  count          = data.coder_workspace.me.start_count
+  source         = "registry.coder.com/coder-labs/perplexica/coder"
+  version        = "1.0.0"
+  agent_id       = coder_agent.main.id
+  ollama_api_url = "http://ollama-external-endpoint:11434"
+}
+```
@@ -0,0 +1,108 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 2.5"
+    }
+  }
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+variable "docker_socket" {
+  type        = string
+  description = "(Optional) Docker socket URI"
+  default     = ""
+}
+
+variable "port" {
+  type        = number
+  description = "The port to run Perplexica on."
+  default     = 3000
+}
+
+variable "data_path" {
+  type        = string
+  description = "Host path to mount for Perplexica data persistence."
+  default     = "./perplexica-data"
+}
+
+variable "uploads_path" {
+  type        = string
+  description = "Host path to mount for Perplexica file uploads."
+  default     = "./perplexica-uploads"
+}
+
+variable "openai_api_key" {
+  type        = string
+  description = "OpenAI API key."
+  default     = ""
+  sensitive   = true
+}
+
+variable "anthropic_api_key" {
+  type        = string
+  description = "Anthropic API key for Claude models."
+  default     = ""
+  sensitive   = true
+}
+
+variable "ollama_api_url" {
+  type        = string
+  description = "Ollama API URL for local LLM support."
+  default     = ""
+}
+
+variable "share" {
+  type    = string
+  default = "owner"
+  validation {
+    condition     = var.share == "owner" || var.share == "authenticated" || var.share == "public"
+    error_message = "Incorrect value. Please set either 'owner', 'authenticated', or 'public'."
+  }
+}
+
+variable "order" {
+  type        = number
+  description = "The order determines the position of app in the UI presentation. The lowest order is shown first and apps with equal order are sorted by name (ascending order)."
+  default     = null
+}
+
+variable "group" {
+  type        = string
+  description = "The name of a group that this app belongs to."
+  default     = null
+}
+
+resource "coder_script" "perplexica" {
+  agent_id     = var.agent_id
+  display_name = "Perplexica"
+  icon         = "/icon/perplexica.svg"
+  script = templatefile("${path.module}/run.sh", {
+    DOCKER_HOST : var.docker_socket,
+    PORT : var.port,
+    DATA_PATH : var.data_path,
+    UPLOADS_PATH : var.uploads_path,
+    OPENAI_API_KEY : var.openai_api_key,
+    ANTHROPIC_API_KEY : var.anthropic_api_key,
+    OLLAMA_API_URL : var.ollama_api_url,
+  })
+  run_on_start = true
+}
+
+resource "coder_app" "perplexica" {
+  agent_id     = var.agent_id
+  slug         = "perplexica"
+  display_name = "Perplexica"
+  url          = "http://localhost:${var.port}"
+  icon         = "/icon/perplexica.svg"
+  subdomain    = true
+  share        = var.share
+  order        = var.order
+  group        = var.group
+}
@@ -0,0 +1,26 @@
+run "plan_basic" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent"
+  }
+
+  assert {
+    condition     = resource.coder_app.perplexica.url == "http://localhost:3000"
+    error_message = "Default port should be 3000"
+  }
+}
+
+run "plan_custom_port" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent"
+    port     = 8080
+  }
+
+  assert {
+    condition     = resource.coder_app.perplexica.url == "http://localhost:8080"
+    error_message = "Should use custom port"
+  }
+}
@@ -0,0 +1,67 @@
+#!/usr/bin/env sh
+
+set -eu
+
+BOLD='\033[0;1m'
+RESET='\033[0m'
+
+printf "$${BOLD}Starting Perplexica...$${RESET}\n"
+
+# Set Docker host if provided
+if [ -n "${DOCKER_HOST}" ]; then
+  export DOCKER_HOST="${DOCKER_HOST}"
+fi
+
+# Wait for docker to become ready
+max_attempts=10
+delay=2
+attempt=1
+
+while ! docker ps; do
+  if [ $attempt -ge $max_attempts ]; then
+    echo "Failed to list containers after $${max_attempts} attempts."
+    exit 1
+  fi
+  echo "Attempt $${attempt} failed, retrying in $${delay}s..."
+  sleep $delay
+  attempt=$(expr "$attempt" + 1)
+  delay=$(expr "$delay" \* 2)
+done
+
+# Pull the image
+IMAGE="itzcrazykns1337/perplexica:latest"
+docker pull "$${IMAGE}"
+
+# Build docker run command
+DOCKER_ARGS="-d --rm --name perplexica -p ${PORT}:3000"
+
+# Add mounts - convert relative paths to absolute
+DATA_PATH="${DATA_PATH}"
+UPLOADS_PATH="${UPLOADS_PATH}"
+
+mkdir -p "$${DATA_PATH}"
+mkdir -p "$${UPLOADS_PATH}"
+
+DATA_PATH_ABS=$(cd "$${DATA_PATH}" && pwd)
+UPLOADS_PATH_ABS=$(cd "$${UPLOADS_PATH}" && pwd)
+
+DOCKER_ARGS="$${DOCKER_ARGS} -v $${DATA_PATH_ABS}:/home/perplexica/data"
+DOCKER_ARGS="$${DOCKER_ARGS} -v $${UPLOADS_PATH_ABS}:/home/perplexica/uploads"
+
+# Add environment variables if provided
+if [ -n "${OPENAI_API_KEY}" ]; then
+  DOCKER_ARGS="$${DOCKER_ARGS} -e OPENAI_API_KEY=${OPENAI_API_KEY}"
+fi
+
+if [ -n "${ANTHROPIC_API_KEY}" ]; then
+  DOCKER_ARGS="$${DOCKER_ARGS} -e ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}"
+fi
+
+if [ -n "${OLLAMA_API_URL}" ]; then
+  DOCKER_ARGS="$${DOCKER_ARGS} -e OLLAMA_API_URL=${OLLAMA_API_URL}"
+fi
+
+# Run container
+docker run $${DOCKER_ARGS} "$${IMAGE}"
+
+printf "\n$${BOLD}Perplexica is running on port ${PORT}$${RESET}\n"
@@ -12,12 +12,12 @@ Run [Amp CLI](https://ampcode.com/) in your workspace to access Sourcegraph's AI

 ```tf
 module "amp-cli" {
-  source                  = "registry.coder.com/coder-labs/sourcegraph-amp/coder"
-  version                 = "2.0.2"
-  agent_id                = coder_agent.example.id
-  sourcegraph_amp_api_key = var.sourcegraph_amp_api_key
-  install_sourcegraph_amp = true
-  agentapi_version        = "2.0.2"
+  source           = "registry.coder.com/coder-labs/sourcegraph-amp/coder"
+  version          = "3.0.0"
+  agent_id         = coder_agent.example.id
+  amp_api_key      = var.amp_api_key
+  install_amp      = true
+  agentapi_version = "latest"
 }
 ```

@@ -48,7 +48,7 @@ variable "amp_api_key" {
 module "amp-cli" {
  count              = data.coder_workspace.me.start_count
  source             = "registry.coder.com/coder-labs/sourcegraph-amp/coder"
-  amp_version        = "2.0.2"
+  amp_version        = "3.0.0"
  agent_id           = coder_agent.example.id
  amp_api_key        = var.amp_api_key # recommended for tasks usage
  workdir            = "/home/coder/project"
@@ -110,6 +110,7 @@ describe("amp", async () => {
    const { id } = await setup({
      skipAmpMock: true,
      moduleVariables: {
+        install_via_npm: "true",
        amp_version: "0.0.1755964909-g31e083",
      },
    });
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    coder = {
      source  = "coder/coder"
-      version = ">= 2.7"
+      version = ">= 2.12"
    }
    external = {
      source  = "hashicorp/external"
@@ -55,7 +55,7 @@ variable "install_agentapi" {
 variable "agentapi_version" {
  type        = string
  description = "The version of AgentAPI to install."
-  default     = "v0.10.0"
+  default     = "v0.11.1"
 }

 variable "cli_app" {
@@ -140,7 +140,7 @@ variable "base_amp_config" {
  type        = string
  description = <<-EOT
    Base AMP configuration in JSON format. Can be overridden to customize AMP settings.
-    
+
    If empty, defaults enable thinking and todos for autonomous operation. Additional options include:
    - "amp.permissions": [] (tool permissions)
    - "amp.tools.stopTimeout": 600 (extend timeout for long operations)
@@ -148,7 +148,7 @@ variable "base_amp_config" {
    - "amp.tools.disable": ["builtin:open"] (disable tools for containers)
    - "amp.git.commit.ampThread.enabled": true (link commits to threads)
    - "amp.git.commit.coauthor.enabled": true (add Amp as co-author)
-    
+
    Reference: https://ampcode.com/manual
  EOT
  default     = ""
@@ -160,6 +160,16 @@ variable "mcp" {
  default     = null
 }

+variable "mode" {
+  type        = string
+  description = "Set the agent mode (free, rush, smart) — controls the model, system prompt, and tool selection. Default: smart"
+  default     = "smart"
+  validation {
+    condition     = contains(["", "free", "rush", "smart"], var.mode)
+    error_message = "Invalid mode. Select one from (free, rush, smart)"
+  }
+}
+
 data "external" "env" {
  program = ["sh", "-c", "echo '{\"CODER_AGENT_TOKEN\":\"'$CODER_AGENT_TOKEN'\",\"CODER_AGENT_URL\":\"'$CODER_AGENT_URL'\"}'"]
 }
@@ -170,6 +180,7 @@ locals {
  default_base_config = jsonencode({
    "amp.anthropic.thinking.enabled" = true
    "amp.todos.enabled"              = true
+    "amp.terminal.animation"         = false
  })

  user_config       = jsondecode(var.base_amp_config != "" ? var.base_amp_config : local.default_base_config)
@@ -209,7 +220,7 @@ locals {

 module "agentapi" {
  source  = "registry.coder.com/coder/agentapi/coder"
-  version = "1.2.0"
+  version = "2.0.0"

  agent_id             = var.agent_id
  folder               = local.workdir
@@ -237,6 +248,7 @@ module "agentapi" {
     ARG_AMP_START_DIRECTORY='${var.workdir}' \
     ARG_AMP_TASK_PROMPT='${base64encode(var.ai_prompt)}' \
     ARG_REPORT_TASKS='${var.report_tasks}' \
+     ARG_MODE='${var.mode}' \
     /tmp/start.sh
   EOT

@@ -256,4 +268,6 @@ module "agentapi" {
  EOT
 }

-
+output "task_app_id" {
+  value = module.agentapi.task_app_id
+}
@@ -1,9 +1,4 @@
 #!/bin/bash
-
-if [ -f "$HOME/.bashrc" ]; then
-  source "$HOME"/.bashrc
-fi
-
 set -euo pipefail

 # ANSI colors
@@ -29,6 +29,7 @@ echo "--------------------------------"
 printf "Workspace: %s\n" "$ARG_AMP_START_DIRECTORY"
 printf "Task Prompt: %s\n" "$ARG_AMP_TASK_PROMPT"
 printf "ARG_REPORT_TASKS: %s\n" "$ARG_REPORT_TASKS"
+printf "ARG_MODE: %s\n" "$ARG_MODE"
 echo "--------------------------------"

 ensure_command amp
@@ -50,6 +51,13 @@ else
  printf "amp_api_key not provided\n"
 fi

+ARGS=()
+
+if [ -n "$ARG_MODE" ]; then
+  printf "Running agent in: %s mode" "$ARG_MODE"
+  ARGS+=(--mode "$ARG_MODE")
+fi
+
 if [ -n "$ARG_AMP_TASK_PROMPT" ]; then
  if [ "$ARG_REPORT_TASKS" == "true" ]; then
    printf "amp task prompt provided : %s" "$ARG_AMP_TASK_PROMPT\n"
@@ -58,8 +66,8 @@ if [ -n "$ARG_AMP_TASK_PROMPT" ]; then
    PROMPT="$ARG_AMP_TASK_PROMPT"
  fi
  # Pipe the prompt into amp, which will be run inside agentapi
-  agentapi server --type amp --term-width=67 --term-height=1190 -- bash -c "echo \"$PROMPT\" | amp"
+  agentapi server --type amp --term-width=67 --term-height=1190 -- bash -c "echo \"$PROMPT\" | amp" "${ARGS[@]}"
 else
  printf "No task prompt given.\n"
-  agentapi server --type amp --term-width=67 --term-height=1190 -- amp
+  agentapi server --type amp --term-width=67 --term-height=1190 -- amp "${ARGS[@]}"
 fi
@@ -4,11 +4,35 @@ import {
  removeContainer,
  runContainer,
  runTerraformApply,
+  TerraformState,
  writeFileContainer,
 } from "~test";
 import path from "path";
 import { expect } from "bun:test";

+/**
+ * Extracts all coder_env resources from Terraform state and returns them as
+ * a Record of environment variable names to values.
+ */
+export const extractCoderEnvVars = (
+  state: TerraformState,
+): Record<string, string> => {
+  const envVars: Record<string, string> = {};
+
+  for (const resource of state.resources) {
+    if (resource.type === "coder_env" && resource.instances.length > 0) {
+      const instance = resource.instances[0].attributes;
+      const name = instance.name as string;
+      const value = instance.value as string;
+      if (name && value) {
+        envVars[name] = value;
+      }
+    }
+  }
+
+  return envVars;
+};
+
 export const setupContainer = async ({
  moduleDir,
  image,
@@ -23,10 +47,12 @@ export const setupContainer = async ({
    ...vars,
  });
  const coderScript = findResourceInstance(state, "coder_script");
+  const coderEnvVars = extractCoderEnvVars(state);
  const id = await runContainer(image ?? "codercom/enterprise-node:latest");
  return {
    id,
    coderScript,
+    coderEnvVars,
    cleanup: async () => {
      if (
        process.env["DEBUG"] === "true" ||
@@ -79,9 +105,11 @@ interface SetupProps {
  agentapiMockScript?: string;
 }

-export const setup = async (props: SetupProps): Promise<{ id: string }> => {
+export const setup = async (
+  props: SetupProps,
+): Promise<{ id: string; coderEnvVars: Record<string, string> }> => {
  const projectDir = props.projectDir ?? "/home/coder/project";
-  const { id, coderScript, cleanup } = await setupContainer({
+  const { id, coderScript, coderEnvVars, cleanup } = await setupContainer({
    moduleDir: props.moduleDir,
    vars: props.moduleVariables,
  });
@@ -101,7 +129,7 @@ export const setup = async (props: SetupProps): Promise<{ id: string }> => {
    filePath: "/home/coder/script.sh",
    content: coderScript.script,
  });
-  return { id };
+  return { id, coderEnvVars };
 };

 export const expectAgentAPIStarted = async (
@@ -125,18 +153,16 @@ export const execModuleScript = async (
  id: string,
  env?: Record<string, string>,
 ) => {
-  const envArgs = Object.entries(env ?? {})
-    .map(([key, value]) => ["--env", `${key}=${value}`])
-    .flat();
-  const resp = await execContainer(
-    id,
-    [
-      "bash",
-      "-c",
-      `set -o errexit; set -o pipefail; cd /home/coder && ./script.sh 2>&1 | tee /home/coder/script.log`,
-    ],
-    envArgs,
-  );
+  const envArgs = env
+    ? Object.entries(env)
+        .map(([key, value]) => `export ${key}="${value.replace(/"/g, '\\"')}"`)
+        .join(" && ") + " && "
+    : "";
+  const resp = await execContainer(id, [
+    "bash",
+    "-c",
+    `${envArgs}set -o errexit; set -o pipefail; cd /home/coder && ./script.sh 2>&1 | tee /home/coder/script.log`,
+  ]);
  if (resp.exitCode !== 0) {
    console.log(resp.stdout);
    console.log(resp.stderr);
@@ -0,0 +1,67 @@
+---
+display_name: Antigravity
+description: Add a one-click button to launch Google Antigravity
+icon: ../../../../.icons/antigravity.svg
+verified: true
+tags: [ide, antigravity, ai, google]
+---
+
+# Antigravity IDE
+
+Add a button to open any workspace with a single click in [Antigravity IDE](https://antigravity.google).
+
+Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder).
+
+```tf
+module "antigravity" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder/antigravity/coder"
+  version  = "1.0.0"
+  agent_id = coder_agent.example.id
+}
+```
+
+## Examples
+
+### Open in a specific directory
+
+```tf
+module "antigravity" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder/antigravity/coder"
+  version  = "1.0.0"
+  agent_id = coder_agent.example.id
+  folder   = "/home/coder/project"
+}
+```
+
+### Configure MCP servers for Antigravity
+
+Provide a JSON-encoded string via the `mcp` input. When set, the module writes the value to `~/.gemini/antigravity/mcp_config.json` using a `coder_script` on workspace start.
+
+The following example configures Antigravity to use the GitHub MCP server with authentication facilitated by the [`coder_external_auth`](https://coder.com/docs/admin/external-auth#configure-a-github-oauth-app) resource.
+
+```tf
+module "antigravity" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder/antigravity/coder"
+  version  = "1.0.0"
+  agent_id = coder_agent.example.id
+  folder   = "/home/coder/project"
+  mcp = jsonencode({
+    mcpServers = {
+      "github" : {
+        "url" : "https://api.githubcopilot.com/mcp/",
+        "headers" : {
+          "Authorization" : "Bearer ${data.coder_external_auth.github.access_token}",
+        },
+        "type" : "http"
+      }
+    }
+  })
+}
+
+data "coder_external_auth" "github" {
+  id = "github"
+}
+```
@@ -0,0 +1,130 @@
+import { describe, it, expect } from "bun:test";
+import {
+  runTerraformApply,
+  runTerraformInit,
+  testRequiredVariables,
+  runContainer,
+  execContainer,
+  removeContainer,
+  findResourceInstance,
+  readFileContainer,
+} from "~test";
+
+describe("antigravity", async () => {
+  await runTerraformInit(import.meta.dir);
+
+  testRequiredVariables(import.meta.dir, {
+    agent_id: "foo",
+  });
+
+  it("default output", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+    });
+    expect(state.outputs.antigravity_url.value).toBe(
+      "antigravity://coder.coder-remote/open?owner=default&workspace=default&url=https://mydeployment.coder.com&token=$SESSION_TOKEN",
+    );
+
+    const coder_app = state.resources.find(
+      (res) =>
+        res.type === "coder_app" &&
+        res.module === "module.vscode-desktop-core" &&
+        res.name === "vscode-desktop",
+    );
+
+    expect(coder_app).not.toBeNull();
+    expect(coder_app?.instances.length).toBe(1);
+    expect(coder_app?.instances[0].attributes.order).toBeNull();
+  });
+
+  it("adds folder", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      folder: "/foo/bar",
+    });
+    expect(state.outputs.antigravity_url.value).toBe(
+      "antigravity://coder.coder-remote/open?owner=default&workspace=default&folder=/foo/bar&url=https://mydeployment.coder.com&token=$SESSION_TOKEN",
+    );
+  });
+
+  it("adds folder and open_recent", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      folder: "/foo/bar",
+      open_recent: "true",
+    });
+    expect(state.outputs.antigravity_url.value).toBe(
+      "antigravity://coder.coder-remote/open?owner=default&workspace=default&folder=/foo/bar&openRecent&url=https://mydeployment.coder.com&token=$SESSION_TOKEN",
+    );
+  });
+
+  it("adds folder but not open_recent", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      folder: "/foo/bar",
+      open_recent: "false",
+    });
+    expect(state.outputs.antigravity_url.value).toBe(
+      "antigravity://coder.coder-remote/open?owner=default&workspace=default&folder=/foo/bar&url=https://mydeployment.coder.com&token=$SESSION_TOKEN",
+    );
+  });
+
+  it("adds open_recent", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      open_recent: "true",
+    });
+    expect(state.outputs.antigravity_url.value).toBe(
+      "antigravity://coder.coder-remote/open?owner=default&workspace=default&openRecent&url=https://mydeployment.coder.com&token=$SESSION_TOKEN",
+    );
+  });
+
+  it("expect order to be set", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      order: "22",
+    });
+
+    const coder_app = state.resources.find(
+      (res) =>
+        res.type === "coder_app" &&
+        res.module === "module.vscode-desktop-core" &&
+        res.name === "vscode-desktop",
+    );
+
+    expect(coder_app).not.toBeNull();
+    expect(coder_app?.instances.length).toBe(1);
+    expect(coder_app?.instances[0].attributes.order).toBe(22);
+  });
+
+  it("writes ~/.gemini/antigravity/mcp_config.json when mcp provided", async () => {
+    const id = await runContainer("alpine");
+    try {
+      const mcp = JSON.stringify({
+        servers: { demo: { url: "http://localhost:1234" } },
+      });
+      const state = await runTerraformApply(import.meta.dir, {
+        agent_id: "foo",
+        mcp,
+      });
+      const script = findResourceInstance(
+        state,
+        "coder_script",
+        "antigravity_mcp",
+      ).script;
+      const resp = await execContainer(id, ["sh", "-c", script]);
+      if (resp.exitCode !== 0) {
+        console.log(resp.stdout);
+        console.log(resp.stderr);
+      }
+      expect(resp.exitCode).toBe(0);
+      const content = await readFileContainer(
+        id,
+        "/root/.gemini/antigravity/mcp_config.json",
+      );
+      expect(content).toBe(mcp);
+    } finally {
+      await removeContainer(id);
+    }
+  }, 10000);
+});
@@ -0,0 +1,104 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 2.5"
+    }
+  }
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+variable "folder" {
+  type        = string
+  description = "The folder to open in Antigravity IDE."
+  default     = ""
+}
+
+variable "open_recent" {
+  type        = bool
+  description = "Open the most recent workspace or folder. Falls back to the folder if there is no recent workspace or folder to open."
+  default     = false
+}
+
+variable "order" {
+  type        = number
+  description = "The order determines the position of app in the UI presentation. The lowest order is shown first and apps with equal order are sorted by name (ascending order)."
+  default     = null
+}
+
+variable "group" {
+  type        = string
+  description = "The name of a group that this app belongs to."
+  default     = null
+}
+
+variable "slug" {
+  type        = string
+  description = "The slug of the app."
+  default     = "antigravity"
+}
+
+variable "display_name" {
+  type        = string
+  description = "The display name of the app."
+  default     = "Antigravity IDE"
+}
+
+variable "mcp" {
+  type        = string
+  description = "JSON-encoded string to configure MCP servers for Antigravity. When set, writes ~/.gemini/antigravity/mcp_config.json."
+  default     = ""
+}
+
+data "coder_workspace" "me" {}
+
+data "coder_workspace_owner" "me" {}
+
+locals {
+  mcp_b64 = var.mcp != "" ? base64encode(var.mcp) : ""
+}
+
+module "vscode-desktop-core" {
+  source  = "registry.coder.com/coder/vscode-desktop-core/coder"
+  version = "1.0.1"
+
+  agent_id = var.agent_id
+
+  web_app_icon         = "/icon/antigravity.svg"
+  web_app_slug         = var.slug
+  web_app_display_name = var.display_name
+  web_app_order        = var.order
+  web_app_group        = var.group
+
+  folder      = var.folder
+  open_recent = var.open_recent
+  protocol    = "antigravity"
+}
+
+resource "coder_script" "antigravity_mcp" {
+  count              = var.mcp != "" ? 1 : 0
+  agent_id           = var.agent_id
+  display_name       = "Antigravity MCP"
+  icon               = "/icon/antigravity.svg"
+  run_on_start       = true
+  start_blocks_login = false
+  script             = <<-EOT
+    #!/bin/sh
+    set -eu
+    mkdir -p "$HOME/.gemini/antigravity"
+    echo -n "${local.mcp_b64}" | base64 -d > "$HOME/.gemini/antigravity/mcp_config.json"
+    chmod 600 "$HOME/.gemini/antigravity/mcp_config.json"
+  EOT
+}
+
+output "antigravity_url" {
+  value       = module.vscode-desktop-core.ide_uri
+  description = "Antigravity IDE URL."
+}
+
@@ -13,8 +13,8 @@ Run the [Claude Code](https://docs.anthropic.com/en/docs/agents-and-tools/claude
 ```tf
 module "claude-code" {
  source         = "registry.coder.com/coder/claude-code/coder"
-  version        = "4.2.2"
-  agent_id       = coder_agent.example.id
+  version        = "4.2.8"
+  agent_id       = coder_agent.main.id
  workdir        = "/home/coder/project"
  claude_api_key = "xxxx-xxxxx-xxxx"
 }
@@ -45,13 +45,15 @@ This example shows how to configure the Claude Code module to run the agent behi
 ```tf
 module "claude-code" {
  source                           = "dev.registry.coder.com/coder/claude-code/coder"
+  version                          = "4.2.8"
+  agent_id                         = coder_agent.main.id
+  workdir                          = "/home/coder/project"
  enable_boundary                  = true
-  boundary_version                 = "4.2.2"
+  boundary_version                 = "main"
  boundary_log_dir                 = "/tmp/boundary_logs"
  boundary_log_level               = "WARN"
  boundary_additional_allowed_urls = ["GET *google.com"]
  boundary_proxy_port              = "8087"
-  version                          = "4.2.2"
 }
 ```

@@ -70,16 +72,16 @@ data "coder_parameter" "ai_prompt" {

 module "claude-code" {
  source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.2.2"
-  agent_id = coder_agent.example.id
+  version  = "4.2.8"
+  agent_id = coder_agent.main.id
  workdir  = "/home/coder/project"

  claude_api_key = "xxxx-xxxxx-xxxx"
  # OR
  claude_code_oauth_token = "xxxxx-xxxx-xxxx"

-  claude_code_version = "4.2.2" # Pin to a specific version
-  agentapi_version    = "4.2.2"
+  claude_code_version = "2.0.62" # Pin to a specific version
+  agentapi_version    = "0.11.4"

  ai_prompt = data.coder_parameter.ai_prompt.value
  model     = "sonnet"
@@ -90,7 +92,7 @@ module "claude-code" {
  {
    "mcpServers": {
      "my-custom-tool": {
-        "command": "my-tool-server"
+        "command": "my-tool-server",
        "args": ["--port", "8080"]
      }
    }
@@ -106,13 +108,12 @@ Run and configure Claude Code as a standalone CLI in your workspace.
 ```tf
 module "claude-code" {
  source              = "registry.coder.com/coder/claude-code/coder"
-  version             = "4.2.2"
-  agent_id            = coder_agent.example.id
-  workdir             = "/home/coder"
+  version             = "4.2.8"
+  agent_id            = coder_agent.main.id
+  workdir             = "/home/coder/project"
  install_claude_code = true
-  claude_code_version = "4.2.2"
+  claude_code_version = "2.0.62"
  report_tasks        = false
-  cli_app             = true
 }
 ```

@@ -129,8 +130,8 @@ variable "claude_code_oauth_token" {

 module "claude-code" {
  source                  = "registry.coder.com/coder/claude-code/coder"
-  version                 = "4.2.2"
-  agent_id                = coder_agent.example.id
+  version                 = "4.2.8"
+  agent_id                = coder_agent.main.id
  workdir                 = "/home/coder/project"
  claude_code_oauth_token = var.claude_code_oauth_token
 }
@@ -146,13 +147,13 @@ Configure Claude Code to use AWS Bedrock for accessing Claude models through you

 ```tf
 resource "coder_env" "bedrock_use" {
-  agent_id = coder_agent.example.id
+  agent_id = coder_agent.main.id
  name     = "CLAUDE_CODE_USE_BEDROCK"
  value    = "1"
 }

 resource "coder_env" "aws_region" {
-  agent_id = coder_agent.example.id
+  agent_id = coder_agent.main.id
  name     = "AWS_REGION"
  value    = "us-east-1" # Choose your preferred region
 }
@@ -174,13 +175,13 @@ variable "aws_secret_access_key" {
 }

 resource "coder_env" "aws_access_key_id" {
-  agent_id = coder_agent.example.id
+  agent_id = coder_agent.main.id
  name     = "AWS_ACCESS_KEY_ID"
  value    = var.aws_access_key_id
 }

 resource "coder_env" "aws_secret_access_key" {
-  agent_id = coder_agent.example.id
+  agent_id = coder_agent.main.id
  name     = "AWS_SECRET_ACCESS_KEY"
  value    = var.aws_secret_access_key
 }
@@ -195,15 +196,15 @@ variable "aws_bearer_token_bedrock" {
 }

 resource "coder_env" "bedrock_api_key" {
-  agent_id = coder_agent.example.id
+  agent_id = coder_agent.main.id
  name     = "AWS_BEARER_TOKEN_BEDROCK"
  value    = var.aws_bearer_token_bedrock
 }

 module "claude-code" {
  source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.2.2"
-  agent_id = coder_agent.example.id
+  version  = "4.2.8"
+  agent_id = coder_agent.main.id
  workdir  = "/home/coder/project"
  model    = "global.anthropic.claude-sonnet-4-5-20250929-v1:0"
 }
@@ -228,39 +229,39 @@ variable "vertex_sa_json" {
 }

 resource "coder_env" "vertex_use" {
-  agent_id = coder_agent.example.id
+  agent_id = coder_agent.main.id
  name     = "CLAUDE_CODE_USE_VERTEX"
  value    = "1"
 }

 resource "coder_env" "vertex_project_id" {
-  agent_id = coder_agent.example.id
+  agent_id = coder_agent.main.id
  name     = "ANTHROPIC_VERTEX_PROJECT_ID"
  value    = "your-gcp-project-id"
 }

 resource "coder_env" "cloud_ml_region" {
-  agent_id = coder_agent.example.id
+  agent_id = coder_agent.main.id
  name     = "CLOUD_ML_REGION"
  value    = "global"
 }

 resource "coder_env" "vertex_sa_json" {
-  agent_id = coder_agent.example.id
+  agent_id = coder_agent.main.id
  name     = "VERTEX_SA_JSON"
  value    = var.vertex_sa_json
 }

 resource "coder_env" "google_application_credentials" {
-  agent_id = coder_agent.example.id
+  agent_id = coder_agent.main.id
  name     = "GOOGLE_APPLICATION_CREDENTIALS"
  value    = "/tmp/gcp-sa.json"
 }

 module "claude-code" {
  source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.2.2"
-  agent_id = coder_agent.example.id
+  version  = "4.2.8"
+  agent_id = coder_agent.main.id
  workdir  = "/home/coder/project"
  model    = "claude-sonnet-4@20250514"

@@ -39,9 +39,11 @@ interface SetupProps {
  agentapiMockScript?: string;
 }

-const setup = async (props?: SetupProps): Promise<{ id: string }> => {
+const setup = async (
+  props?: SetupProps,
+): Promise<{ id: string; coderEnvVars: Record<string, string> }> => {
  const projectDir = "/home/coder/project";
-  const { id } = await setupUtil({
+  const { id, coderEnvVars } = await setupUtil({
    moduleDir: import.meta.dir,
    moduleVariables: {
      install_claude_code: props?.skipClaudeMock ? "true" : "false",
@@ -61,7 +63,7 @@ const setup = async (props?: SetupProps): Promise<{ id: string }> => {
      content: await loadTestFile(import.meta.dir, "claude-mock.sh"),
    });
  }
-  return { id };
+  return { id, coderEnvVars };
 };

 setDefaultTimeout(60 * 1000);
@@ -79,14 +81,14 @@ describe("claude-code", async () => {

  test("install-claude-code-version", async () => {
    const version_to_install = "1.0.40";
-    const { id } = await setup({
+    const { id, coderEnvVars } = await setup({
      skipClaudeMock: true,
      moduleVariables: {
        install_claude_code: "true",
        claude_code_version: version_to_install,
      },
    });
-    await execModuleScript(id);
+    await execModuleScript(id, coderEnvVars);
    const resp = await execContainer(id, [
      "bash",
      "-c",
@@ -96,14 +98,14 @@ describe("claude-code", async () => {
  });

  test("check-latest-claude-code-version-works", async () => {
-    const { id } = await setup({
+    const { id, coderEnvVars } = await setup({
      skipClaudeMock: true,
      skipAgentAPIMock: true,
      moduleVariables: {
        install_claude_code: "true",
      },
    });
-    await execModuleScript(id);
+    await execModuleScript(id, coderEnvVars);
    await expectAgentAPIStarted(id);
  });

@@ -133,13 +135,13 @@ describe("claude-code", async () => {
        },
      },
    });
-    const { id } = await setup({
+    const { id, coderEnvVars } = await setup({
      skipClaudeMock: true,
      moduleVariables: {
        mcp: mcpConfig,
      },
    });
-    await execModuleScript(id);
+    await execModuleScript(id, coderEnvVars);

    const resp = await readFileContainer(id, "/home/coder/.claude.json");
    expect(resp).toContain("test-cmd");
@@ -208,13 +210,17 @@ describe("claude-code", async () => {
    });

    // Create a mock task session file with the hardcoded task session ID
+    // Note: Claude CLI creates files without "session-" prefix when using --session-id
    const taskSessionId = "cd32e253-ca16-4fd3-9825-d837e74ae3c2";
    const sessionDir = `/home/coder/.claude/projects/-home-coder-project`;
    await execContainer(id, ["mkdir", "-p", sessionDir]);
    await execContainer(id, [
      "bash",
      "-c",
-      `touch ${sessionDir}/session-${taskSessionId}.jsonl`,
+      `cat > ${sessionDir}/${taskSessionId}.jsonl << 'SESSIONEOF'
+{"sessionId":"${taskSessionId}","message":{"content":"Task"},"timestamp":"2020-01-01T10:00:00.000Z"}
+{"type":"assistant","message":{"content":"Response"},"timestamp":"2020-01-01T10:00:05.000Z"}
+SESSIONEOF`,
    ]);

    await execModuleScript(id);
@@ -226,46 +232,10 @@ describe("claude-code", async () => {
    ]);
    expect(startLog.stdout).toContain("--resume");
    expect(startLog.stdout).toContain(taskSessionId);
-    expect(startLog.stdout).toContain("Resuming existing task session");
+    expect(startLog.stdout).toContain("Resuming task session");
    expect(startLog.stdout).toContain("--dangerously-skip-permissions");
  });

-  test("claude-continue-resume-standalone-session", async () => {
-    const { id } = await setup({
-      moduleVariables: {
-        continue: "true",
-        report_tasks: "false",
-        ai_prompt: "test prompt",
-      },
-    });
-
-    const sessionId = "some-random-session-id";
-    const workdir = "/home/coder/project";
-    const claudeJson = {
-      projects: {
-        [workdir]: {
-          lastSessionId: sessionId,
-        },
-      },
-    };
-
-    await execContainer(id, [
-      "bash",
-      "-c",
-      `echo '${JSON.stringify(claudeJson)}' > /home/coder/.claude.json`,
-    ]);
-
-    await execModuleScript(id);
-
-    const startLog = await execContainer(id, [
-      "bash",
-      "-c",
-      "cat /home/coder/.claude-module/agentapi-start.log",
-    ]);
-    expect(startLog.stdout).toContain("--continue");
-    expect(startLog.stdout).toContain("Resuming existing session");
-  });
-
  test("pre-post-install-scripts", async () => {
    const { id } = await setup({
      moduleVariables: {
@@ -360,4 +330,140 @@ describe("claude-code", async () => {
      "ARG_AGENTAPI_CHAT_BASE_PATH=/@default/default.foo/apps/ccw/chat",
    );
  });
+
+  test("partial-initialization-detection", async () => {
+    const { id } = await setup({
+      moduleVariables: {
+        continue: "true",
+        report_tasks: "true",
+        ai_prompt: "test prompt",
+      },
+    });
+
+    const taskSessionId = "cd32e253-ca16-4fd3-9825-d837e74ae3c2";
+    const sessionDir = `/home/coder/.claude/projects/-home-coder-project`;
+    await execContainer(id, ["mkdir", "-p", sessionDir]);
+
+    await execContainer(id, [
+      "bash",
+      "-c",
+      `echo '{"sessionId":"${taskSessionId}"}' > ${sessionDir}/${taskSessionId}.jsonl`,
+    ]);
+
+    await execModuleScript(id);
+
+    const startLog = await execContainer(id, [
+      "bash",
+      "-c",
+      "cat /home/coder/.claude-module/agentapi-start.log",
+    ]);
+
+    // Should start new session, not try to resume invalid one
+    expect(startLog.stdout).toContain("Starting new task session");
+    expect(startLog.stdout).toContain("--session-id");
+  });
+
+  test("standalone-first-build-no-sessions", async () => {
+    const { id } = await setup({
+      moduleVariables: {
+        continue: "true",
+        report_tasks: "false",
+      },
+    });
+
+    await execModuleScript(id);
+
+    const startLog = await execContainer(id, [
+      "bash",
+      "-c",
+      "cat /home/coder/.claude-module/agentapi-start.log",
+    ]);
+
+    // Should start fresh, not try to continue
+    expect(startLog.stdout).toContain("No sessions found");
+    expect(startLog.stdout).toContain("starting fresh standalone session");
+    expect(startLog.stdout).not.toContain("--continue");
+  });
+
+  test("standalone-with-sessions-continues", async () => {
+    const { id } = await setup({
+      moduleVariables: {
+        continue: "true",
+        report_tasks: "false",
+      },
+    });
+
+    const sessionDir = `/home/coder/.claude/projects/-home-coder-project`;
+    await execContainer(id, ["mkdir", "-p", sessionDir]);
+    await execContainer(id, [
+      "bash",
+      "-c",
+      `cat > ${sessionDir}/generic-123.jsonl << 'EOF'
+{"sessionId":"generic-123","message":{"content":"User session"},"timestamp":"2020-01-01T10:00:00.000Z"}
+{"type":"assistant","message":{"content":"Response"},"timestamp":"2020-01-01T10:00:05.000Z"}
+EOF`,
+    ]);
+
+    await execModuleScript(id);
+
+    const startLog = await execContainer(id, [
+      "bash",
+      "-c",
+      "cat /home/coder/.claude-module/agentapi-start.log",
+    ]);
+
+    // Should continue existing session
+    expect(startLog.stdout).toContain("Sessions found");
+    expect(startLog.stdout).toContain(
+      "Continuing most recent standalone session",
+    );
+    expect(startLog.stdout).toContain("--continue");
+  });
+
+  test("task-mode-ignores-manual-sessions", async () => {
+    const { id } = await setup({
+      moduleVariables: {
+        continue: "true",
+        report_tasks: "true",
+        ai_prompt: "test prompt",
+      },
+    });
+
+    const taskSessionId = "cd32e253-ca16-4fd3-9825-d837e74ae3c2";
+    const sessionDir = `/home/coder/.claude/projects/-home-coder-project`;
+    await execContainer(id, ["mkdir", "-p", sessionDir]);
+
+    // Create task session (without "session-" prefix, as CLI does)
+    await execContainer(id, [
+      "bash",
+      "-c",
+      `cat > ${sessionDir}/${taskSessionId}.jsonl << 'EOF'
+{"sessionId":"${taskSessionId}","message":{"content":"Task"},"timestamp":"2020-01-01T10:00:00.000Z"}
+{"type":"assistant","message":{"content":"Response"},"timestamp":"2020-01-01T10:00:05.000Z"}
+EOF`,
+    ]);
+
+    // Create manual session (newer)
+    await execContainer(id, [
+      "bash",
+      "-c",
+      `cat > ${sessionDir}/manual-456.jsonl << 'EOF'
+{"sessionId":"manual-456","message":{"content":"Manual"},"timestamp":"2020-01-02T10:00:00.000Z"}
+{"type":"assistant","message":{"content":"Response"},"timestamp":"2020-01-02T10:00:05.000Z"}
+EOF`,
+    ]);
+
+    await execModuleScript(id);
+
+    const startLog = await execContainer(id, [
+      "bash",
+      "-c",
+      "cat /home/coder/.claude-module/agentapi-start.log",
+    ]);
+
+    // Should resume task session, not manual session
+    expect(startLog.stdout).toContain("Resuming task session");
+    expect(startLog.stdout).toContain(taskSessionId);
+    expect(startLog.stdout).not.toContain("manual-456");
+  });
 });
@@ -86,7 +86,7 @@ variable "install_agentapi" {
 variable "agentapi_version" {
  type        = string
  description = "The version of AgentAPI to install."
-  default     = "v0.10.0"
+  default     = "v0.11.6"
 }

 variable "ai_prompt" {
@@ -288,15 +288,20 @@ resource "coder_env" "disable_autoupdater" {
  value    = "1"
 }

+resource "coder_env" "claude_binary_path" {
+  agent_id = var.agent_id
+  name     = "PATH"
+  value    = "$HOME/.local/bin:$PATH"
+}
+
 locals {
  # we have to trim the slash because otherwise coder exp mcp will
  # set up an invalid claude config
-  workdir                           = trimsuffix(var.workdir, "/")
-  app_slug                          = "ccw"
-  install_script                    = file("${path.module}/scripts/install.sh")
-  start_script                      = file("${path.module}/scripts/start.sh")
-  module_dir_name                   = ".claude-module"
-  remove_last_session_id_script_b64 = base64encode(file("${path.module}/scripts/remove-last-session-id.sh"))
+  workdir         = trimsuffix(var.workdir, "/")
+  app_slug        = "ccw"
+  install_script  = file("${path.module}/scripts/install.sh")
+  start_script    = file("${path.module}/scripts/start.sh")
+  module_dir_name = ".claude-module"
  # Extract hostname from access_url for boundary --allow flag
  coder_host = replace(replace(data.coder_workspace.me.access_url, "https://", ""), "http://", "")

@@ -357,9 +362,7 @@ module "agentapi" {
     set -o errexit
     set -o pipefail
     echo -n '${base64encode(local.start_script)}' | base64 -d > /tmp/start.sh
-     echo -n "${local.remove_last_session_id_script_b64}" | base64 -d > "/tmp/remove-last-session-id.sh"
     chmod +x /tmp/start.sh
-     chmod +x /tmp/remove-last-session-id.sh

     ARG_MODEL='${var.model}' \
     ARG_RESUME_SESSION_ID='${var.resume_session_id}' \
@@ -1,10 +1,5 @@
 #!/bin/bash

-if [ -f "$HOME/.bashrc" ]; then
-  source "$HOME"/.bashrc
-fi
-
-# Set strict error handling AFTER sourcing bashrc to avoid unbound variable errors from user dotfiles
 set -euo pipefail

 BOLD='\033[0;1m'
@@ -45,11 +40,6 @@ function install_claude_code_cli() {
    if [ $CURL_EXIT -ne 0 ]; then
      echo "Claude Code installer failed with exit code $$CURL_EXIT"
    fi
-
-    # Ensure binaries are discoverable.
-    echo "Creating a symlink for claude"
-    sudo ln -s /home/coder/.local/bin/claude /usr/local/bin/claude
-
    echo "Installed Claude Code successfully. Version: $(claude --version || echo 'unknown')"
  else
    echo "Skipping Claude Code installation as per configuration."
@@ -90,12 +80,63 @@ function setup_claude_configurations() {

 }

+function configure_standalone_mode() {
+  echo "Configuring Claude Code for standalone mode..."
+
+  if [ -z "${CLAUDE_API_KEY:-}" ]; then
+    echo "Note: CLAUDE_API_KEY not set, skipping authentication setup"
+    return
+  fi
+
+  local claude_config="$HOME/.claude.json"
+  local workdir_normalized
+  workdir_normalized=$(echo "$ARG_WORKDIR" | tr '/' '-')
+
+  # Create or update .claude.json with minimal configuration for API key auth
+  # This skips the interactive login prompt and onboarding screens
+  if [ -f "$claude_config" ]; then
+    echo "Updating existing Claude configuration at $claude_config"
+
+    jq --arg apikey "${CLAUDE_API_KEY:-}" \
+      --arg workdir "$ARG_WORKDIR" \
+      '.autoUpdaterStatus = "disabled" |
+        .bypassPermissionsModeAccepted = true |
+        .hasAcknowledgedCostThreshold = true |
+        .hasCompletedOnboarding = true |
+        .primaryApiKey = $apikey |
+        .projects[$workdir].hasCompletedProjectOnboarding = true |
+        .projects[$workdir].hasTrustDialogAccepted = true' \
+      "$claude_config" > "${claude_config}.tmp" && mv "${claude_config}.tmp" "$claude_config"
+  else
+    echo "Creating new Claude configuration at $claude_config"
+    cat > "$claude_config" << EOF
+{
+  "autoUpdaterStatus": "disabled",
+  "bypassPermissionsModeAccepted": true,
+  "hasAcknowledgedCostThreshold": true,
+  "hasCompletedOnboarding": true,
+  "primaryApiKey": "${CLAUDE_API_KEY:-}",
+  "projects": {
+    "$ARG_WORKDIR": {
+      "hasCompletedProjectOnboarding": true,
+      "hasTrustDialogAccepted": true
+    }
+  }
+}
+EOF
+  fi
+
+  echo "Standalone mode configured successfully"
+}
+
 function report_tasks() {
  if [ "$ARG_REPORT_TASKS" = "true" ]; then
    echo "Configuring Claude Code to report tasks via Coder MCP..."
    export CODER_MCP_APP_STATUS_SLUG="$ARG_MCP_APP_STATUS_SLUG"
    export CODER_MCP_AI_AGENTAPI_URL="http://localhost:3284"
    coder exp mcp configure claude-code "$ARG_WORKDIR"
+  else
+    configure_standalone_mode
  fi
 }

@@ -1,44 +0,0 @@
-# If lastSessionId is present in .claude.json, claude --continue will start a
-# conversation starting from that session. The problem is that lastSessionId
-# doesn't always point to the last session. The field is updated by claude only
-# at the point of normal CLI exit. If Claude exits with an error, or if the user
-# restarts the Coder workspace, lastSessionId will be stale, and claude --continue
-# will start from an old session.
-#
-# If lastSessionId is missing, claude seems to accurately figure out where to
-# start using the conversation history - even if the CLI previously exited with
-# an error.
-#
-# This script removes the lastSessionId field from .claude.json.
-if [ $# -eq 0 ]; then
-  echo "No working directory provided - it must be the first argument"
-  exit 1
-fi
-
-# Get absolute path of working directory
-working_dir=$(realpath "$1")
-echo "workingDir $working_dir"
-
-# Path to .claude.json
-claude_json_path="$HOME/.claude.json"
-echo ".claude.json path $claude_json_path"
-
-# Check if .claude.json exists
-if [ ! -f "$claude_json_path" ]; then
-  echo "No .claude.json file found"
-  exit 1
-fi
-
-# Use jq to check if lastSessionId exists for the working directory and remove it
-
-if jq -e ".projects[\"$working_dir\"].lastSessionId" "$claude_json_path" > /dev/null 2>&1; then
-  # Remove lastSessionId and update the file
-  if jq "del(.projects[\"$working_dir\"].lastSessionId)" "$claude_json_path" > "${claude_json_path}.tmp" && mv "${claude_json_path}.tmp" "$claude_json_path"; then
-    echo "Removed lastSessionId from .claude.json"
-    exit 0
-  else
-    echo "Failed to remove lastSessionId from .claude.json"
-  fi
-else
-  echo "No lastSessionId found in .claude.json - nothing to do"
-fi
@@ -1,14 +1,7 @@
 #!/bin/bash

-if [ -f "$HOME/.bashrc" ]; then
-  source "$HOME"/.bashrc
-fi
-
-# Set strict error handling AFTER sourcing bashrc to avoid unbound variable errors from user dotfiles
 set -euo pipefail

-export PATH="$HOME/.local/bin:$PATH"
-
 command_exists() {
  command -v "$1" > /dev/null 2>&1
 }
@@ -51,19 +44,6 @@ printf "ARG_CODER_HOST: %s\n" "$ARG_CODER_HOST"

 echo "--------------------------------"

-# Clean up stale session data (see remove-last-session-id.sh for details)
-CAN_CONTINUE_CONVERSATION=false
-set +e
-bash "/tmp/remove-last-session-id.sh" "$(pwd)" 2> /dev/null
-session_cleanup_exit_code=$?
-set -e
-
-case $session_cleanup_exit_code in
-  0)
-    CAN_CONTINUE_CONVERSATION=true
-    ;;
-esac
-
 function install_boundary() {
  if [ "${ARG_COMPILE_FROM_SOURCE:-false}" = "true" ]; then
    # Install boundary by compiling from source
@@ -99,18 +79,85 @@ function validate_claude_installation() {
 # This ensures all task sessions use a consistent, predictable ID
 TASK_SESSION_ID="cd32e253-ca16-4fd3-9825-d837e74ae3c2"

-task_session_exists() {
+get_project_dir() {
  local workdir_normalized
  workdir_normalized=$(echo "$ARG_WORKDIR" | tr '/' '-')
-  local project_dir="$HOME/.claude/projects/${workdir_normalized}"
+  echo "$HOME/.claude/projects/${workdir_normalized}"
+}

-  printf "PROJECT_DIR: %s, workdir_normalized: %s\n" "$project_dir" "$workdir_normalized"
+get_task_session_file() {
+  echo "$(get_project_dir)/${TASK_SESSION_ID}.jsonl"
+}

-  if [ -d "$project_dir" ] && find "$project_dir" -type f -name "*${TASK_SESSION_ID}*" 2> /dev/null | grep -q .; then
-    printf "TASK_SESSION_ID: %s file found\n" "$TASK_SESSION_ID"
+task_session_exists() {
+  local session_file
+  session_file=$(get_task_session_file)
+
+  if [ -f "$session_file" ]; then
+    printf "Task session file found: %s\n" "$session_file"
    return 0
  else
-    printf "TASK_SESSION_ID: %s file not found\n" "$TASK_SESSION_ID"
+    printf "Task session file not found: %s\n" "$session_file"
+    return 1
+  fi
+}
+
+is_valid_session() {
+  local session_file="$1"
+
+  # Check if file exists and is not empty
+  # Empty files indicate the session was created but never used so they need to be removed
+  if [ ! -f "$session_file" ]; then
+    printf "Session validation failed: file does not exist\n"
+    return 1
+  fi
+
+  if [ ! -s "$session_file" ]; then
+    printf "Session validation failed: file is empty, removing stale file\n"
+    rm -f "$session_file"
+    return 1
+  fi
+
+  # Check for minimum session content
+  # Valid sessions need at least 2 lines: initial message and first response
+  local line_count
+  line_count=$(wc -l < "$session_file")
+  if [ "$line_count" -lt 2 ]; then
+    printf "Session validation failed: incomplete (only %s lines), removing incomplete file\n" "$line_count"
+    rm -f "$session_file"
+    return 1
+  fi
+
+  # Validate JSONL format by checking first 3 lines
+  # Claude session files use JSONL (JSON Lines) format where each line is valid JSON
+  if ! head -3 "$session_file" | jq empty 2> /dev/null; then
+    printf "Session validation failed: invalid JSONL format, removing corrupt file\n"
+    rm -f "$session_file"
+    return 1
+  fi
+
+  # Verify the session has a valid sessionId field
+  # This ensures the file structure matches Claude's session format
+  if ! grep -q '"sessionId"' "$session_file" \
+    || ! grep -m 1 '"sessionId"' "$session_file" | jq -e '.sessionId' > /dev/null 2>&1; then
+    printf "Session validation failed: no valid sessionId found, removing malformed file\n"
+    rm -f "$session_file"
+    return 1
+  fi
+
+  printf "Session validation passed: %s\n" "$session_file"
+  return 0
+}
+
+has_any_sessions() {
+  local project_dir
+  project_dir=$(get_project_dir)
+
+  if [ -d "$project_dir" ] && find "$project_dir" -maxdepth 1 -name "*.jsonl" -size +0c 2> /dev/null | grep -q .; then
+    printf "Sessions found in: %s\n" "$project_dir"
+    return 0
+  else
+    printf "No sessions found in: %s\n" "$project_dir"
    return 1
  fi
 }
@@ -133,75 +180,41 @@ function start_agentapi() {
  fi

  if [ -n "$ARG_RESUME_SESSION_ID" ]; then
-    echo "Resuming task session by ID: $ARG_RESUME_SESSION_ID"
+    echo "Resuming specified session: $ARG_RESUME_SESSION_ID"
    ARGS+=(--resume "$ARG_RESUME_SESSION_ID")
-    if [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ]; then
-      ARGS+=(--dangerously-skip-permissions)
-    fi
+    [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ] && ARGS+=(--dangerously-skip-permissions)
+
  elif [ "$ARG_CONTINUE" = "true" ]; then
-    if [ "$ARG_REPORT_TASKS" = "true" ] && task_session_exists; then
-      echo "Task session detected (ID: $TASK_SESSION_ID)"
-      ARGS+=(--resume "$TASK_SESSION_ID")
-      ARGS+=(--dangerously-skip-permissions)
-      echo "Resuming existing task session"
-    elif [ "$ARG_REPORT_TASKS" = "false" ] && [ "$CAN_CONTINUE_CONVERSATION" = true ]; then
-      echo "Previous session exists"
-      ARGS+=(--continue)
-      if [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ]; then
-        ARGS+=(--dangerously-skip-permissions)
-      fi
-      echo "Resuming existing session"
-    else
-      echo "No existing session found"
-      if [ "$ARG_REPORT_TASKS" = "true" ]; then
-        if task_session_exists; then
-          ARGS+=(--resume "$TASK_SESSION_ID")
-        else
-          ARGS+=(--session-id "$TASK_SESSION_ID")
-        fi
-      fi
-      if [ -n "$ARG_AI_PROMPT" ]; then
-        if [ "$ARG_REPORT_TASKS" = "true" ]; then
-          ARGS+=(--dangerously-skip-permissions -- "$ARG_AI_PROMPT")
-        else
-          if [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ]; then
-            ARGS+=(--dangerously-skip-permissions)
-          fi
-          ARGS+=(-- "$ARG_AI_PROMPT")
-        fi
-        echo "Starting new session with prompt"
+
+    if [ "$ARG_REPORT_TASKS" = "true" ]; then
+      local session_file
+      session_file=$(get_task_session_file)
+
+      if task_session_exists && is_valid_session "$session_file"; then
+        echo "Resuming task session: $TASK_SESSION_ID"
+        ARGS+=(--resume "$TASK_SESSION_ID" --dangerously-skip-permissions)
      else
-        if [ "$ARG_REPORT_TASKS" = "true" ] || [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ]; then
-          ARGS+=(--dangerously-skip-permissions)
-        fi
-        echo "Starting new session"
+        echo "Starting new task session: $TASK_SESSION_ID"
+        ARGS+=(--session-id "$TASK_SESSION_ID" --dangerously-skip-permissions)
+        [ -n "$ARG_AI_PROMPT" ] && ARGS+=(-- "$ARG_AI_PROMPT")
+      fi
+
+    else
+      if has_any_sessions; then
+        echo "Continuing most recent standalone session"
+        ARGS+=(--continue)
+        [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ] && ARGS+=(--dangerously-skip-permissions)
+      else
+        echo "No sessions found, starting fresh standalone session"
+        [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ] && ARGS+=(--dangerously-skip-permissions)
+        [ -n "$ARG_AI_PROMPT" ] && ARGS+=(-- "$ARG_AI_PROMPT")
      fi
    fi
+
  else
    echo "Continue disabled, starting fresh session"
-    if [ "$ARG_REPORT_TASKS" = "true" ]; then
-      if task_session_exists; then
-        ARGS+=(--resume "$TASK_SESSION_ID")
-      else
-        ARGS+=(--session-id "$TASK_SESSION_ID")
-      fi
-    fi
-    if [ -n "$ARG_AI_PROMPT" ]; then
-      if [ "$ARG_REPORT_TASKS" = "true" ]; then
-        ARGS+=(--dangerously-skip-permissions -- "$ARG_AI_PROMPT")
-      else
-        if [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ]; then
-          ARGS+=(--dangerously-skip-permissions)
-        fi
-        ARGS+=(-- "$ARG_AI_PROMPT")
-      fi
-      echo "Starting new session with prompt"
-    else
-      if [ "$ARG_REPORT_TASKS" = "true" ] || [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ]; then
-        ARGS+=(--dangerously-skip-permissions)
-      fi
-      echo "Starting claude code session"
-    fi
+    [ "$ARG_DANGEROUSLY_SKIP_PERMISSIONS" = "true" ] && ARGS+=(--dangerously-skip-permissions)
+    [ -n "$ARG_AI_PROMPT" ] && ARGS+=(-- "$ARG_AI_PROMPT")
  fi

  printf "Running claude code with args: %s\n" "$(printf '%q ' "${ARGS[@]}")"
@@ -14,7 +14,7 @@ Automatically install [code-server](https://github.com/coder/code-server) in a w
 module "code-server" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/code-server/coder"
-  version  = "1.4.1"
+  version  = "1.4.2"
  agent_id = coder_agent.example.id
 }
 ```
@@ -29,9 +29,9 @@ module "code-server" {
 module "code-server" {
  count           = data.coder_workspace.me.start_count
  source          = "registry.coder.com/coder/code-server/coder"
-  version         = "1.4.1"
+  version         = "1.4.2"
  agent_id        = coder_agent.example.id
-  install_version = "1.4.1"
+  install_version = "4.106.3"
 }
 ```

@@ -43,7 +43,7 @@ Install the Dracula theme from [OpenVSX](https://open-vsx.org/):
 module "code-server" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/code-server/coder"
-  version  = "1.4.1"
+  version  = "1.4.2"
  agent_id = coder_agent.example.id
  extensions = [
    "dracula-theme.theme-dracula"
@@ -61,7 +61,7 @@ Configure VS Code's [settings.json](https://code.visualstudio.com/docs/getstarte
 module "code-server" {
  count      = data.coder_workspace.me.start_count
  source     = "registry.coder.com/coder/code-server/coder"
-  version    = "1.4.1"
+  version    = "1.4.2"
  agent_id   = coder_agent.example.id
  extensions = ["dracula-theme.theme-dracula"]
  settings = {
@@ -78,7 +78,7 @@ Just run code-server in the background, don't fetch it from GitHub:
 module "code-server" {
  count      = data.coder_workspace.me.start_count
  source     = "registry.coder.com/coder/code-server/coder"
-  version    = "1.4.1"
+  version    = "1.4.2"
  agent_id   = coder_agent.example.id
  extensions = ["dracula-theme.theme-dracula", "ms-azuretools.vscode-docker"]
 }
@@ -92,7 +92,7 @@ You can pass additional command-line arguments to code-server using the `additio
 module "code-server" {
  count           = data.coder_workspace.me.start_count
  source          = "registry.coder.com/coder/code-server/coder"
-  version         = "1.4.1"
+  version         = "1.4.2"
  agent_id        = coder_agent.example.id
  additional_args = "--disable-workspace-trust"
 }
@@ -108,7 +108,7 @@ Run an existing copy of code-server if found, otherwise download from GitHub:
 module "code-server" {
  count      = data.coder_workspace.me.start_count
  source     = "registry.coder.com/coder/code-server/coder"
-  version    = "1.4.1"
+  version    = "1.4.2"
  agent_id   = coder_agent.example.id
  use_cached = true
  extensions = ["dracula-theme.theme-dracula", "ms-azuretools.vscode-docker"]
@@ -121,8 +121,10 @@ Just run code-server in the background, don't fetch it from GitHub:
 module "code-server" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/code-server/coder"
-  version  = "1.4.1"
+  version  = "1.4.2"
  agent_id = coder_agent.example.id
  offline  = true
 }
 ```
+
+Some of the key differences between code-server and [VS Code Web](https://registry.coder.com/modules/coder/vscode-web) are listed in [docs](https://coder.com/docs/user-guides/workspace-access/code-server#differences-between-code-server-and-vs-code-web).
@@ -16,7 +16,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "cursor" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/cursor/coder"
-  version  = "1.3.3"
+  version  = "1.4.0"
  agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ module "cursor" {
 module "cursor" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/cursor/coder"
-  version  = "1.3.3"
+  version  = "1.4.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
 }
@@ -45,7 +45,7 @@ The following example configures Cursor to use the GitHub MCP server with authen
 module "cursor" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/cursor/coder"
-  version  = "1.3.3"
+  version  = "1.4.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
  mcp = jsonencode({
@@ -58,6 +58,7 @@ module "cursor" {
        "type" : "http"
      }

+
    }
  })
 }
@@ -26,7 +26,10 @@ describe("cursor", async () => {
    );

    const coder_app = state.resources.find(
-      (res) => res.type === "coder_app" && res.name === "cursor",
+      (res) =>
+        res.type === "coder_app" &&
+        res.module === "module.vscode-desktop-core" &&
+        res.name === "vscode-desktop",
    );

    expect(coder_app).not.toBeNull();
@@ -76,21 +79,6 @@ describe("cursor", async () => {
    );
  });

-  it("expect order to be set", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      order: "22",
-    });
-
-    const coder_app = state.resources.find(
-      (res) => res.type === "coder_app" && res.name === "cursor",
-    );
-
-    expect(coder_app).not.toBeNull();
-    expect(coder_app?.instances.length).toBe(1);
-    expect(coder_app?.instances[0].attributes.order).toBe(22);
-  });
-
  it("writes ~/.cursor/mcp.json when mcp provided", async () => {
    const id = await runContainer("alpine");
    try {
@@ -64,26 +64,21 @@ locals {
  mcp_b64 = var.mcp != "" ? base64encode(var.mcp) : ""
 }

-resource "coder_app" "cursor" {
-  agent_id     = var.agent_id
-  external     = true
-  icon         = "/icon/cursor.svg"
-  slug         = var.slug
-  display_name = var.display_name
-  order        = var.order
-  group        = var.group
-  url = join("", [
-    "cursor://coder.coder-remote/open",
-    "?owner=",
-    data.coder_workspace_owner.me.name,
-    "&workspace=",
-    data.coder_workspace.me.name,
-    var.folder != "" ? join("", ["&folder=", var.folder]) : "",
-    var.open_recent ? "&openRecent" : "",
-    "&url=",
-    data.coder_workspace.me.access_url,
-    "&token=$SESSION_TOKEN",
-  ])
+module "vscode-desktop-core" {
+  source  = "registry.coder.com/coder/vscode-desktop-core/coder"
+  version = "1.0.0"
+
+  agent_id = var.agent_id
+
+  coder_app_icon         = "/icon/cursor.svg"
+  coder_app_slug         = var.slug
+  coder_app_display_name = var.display_name
+  coder_app_order        = var.order
+  coder_app_group        = var.group
+
+  folder      = var.folder
+  open_recent = var.open_recent
+  protocol    = "cursor"
 }

 resource "coder_script" "cursor_mcp" {
@@ -103,6 +98,6 @@ resource "coder_script" "cursor_mcp" {
 }

 output "cursor_url" {
-  value       = coder_app.cursor.url
+  value       = module.vscode-desktop-core.ide_uri
  description = "Cursor IDE Desktop URL."
-}
+}
@@ -14,7 +14,7 @@ A file browser for your workspace.
 module "filebrowser" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/filebrowser/coder"
-  version  = "1.1.3"
+  version  = "1.1.4"
  agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ module "filebrowser" {
 module "filebrowser" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/filebrowser/coder"
-  version  = "1.1.3"
+  version  = "1.1.4"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
 }
@@ -41,7 +41,7 @@ module "filebrowser" {
 module "filebrowser" {
  count         = data.coder_workspace.me.start_count
  source        = "registry.coder.com/coder/filebrowser/coder"
-  version       = "1.1.3"
+  version       = "1.1.4"
  agent_id      = coder_agent.main.id
  database_path = ".config/filebrowser.db"
 }
@@ -53,7 +53,7 @@ module "filebrowser" {
 module "filebrowser" {
  count      = data.coder_workspace.me.start_count
  source     = "registry.coder.com/coder/filebrowser/coder"
-  version    = "1.1.3"
+  version    = "1.1.4"
  agent_id   = coder_agent.main.id
  agent_name = "main"
  subdomain  = false
@@ -28,7 +28,7 @@ if [[ ! -f "${DB_PATH}" ]]; then
  filebrowser users add admin "coderPASSWORD" --perm.admin=true --viewMode=mosaic 2>&1 | tee -a ${LOG_PATH}
 fi

-filebrowser config set --baseurl=${SERVER_BASE_PATH} --port=${PORT} --auth.method=noauth --root=$ROOT_DIR 2>&1 | tee -a ${LOG_PATH}
+filebrowser config set --baseURL=${SERVER_BASE_PATH} --port=${PORT} --auth.method=noauth --root=$ROOT_DIR 2>&1 | tee -a ${LOG_PATH}

 printf "👷 Starting filebrowser in background... \n\n"

@@ -14,7 +14,7 @@ This module allows you to automatically clone a repository by URL and skip if it
 module "git-clone" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/git-clone/coder"
-  version  = "1.2.2"
+  version  = "1.2.3"
  agent_id = coder_agent.example.id
  url      = "https://github.com/coder/coder"
 }
@@ -28,7 +28,7 @@ module "git-clone" {
 module "git-clone" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/git-clone/coder"
-  version  = "1.2.2"
+  version  = "1.2.3"
  agent_id = coder_agent.example.id
  url      = "https://github.com/coder/coder"
  base_dir = "~/projects/coder"
@@ -43,11 +43,12 @@ To use with [Git Authentication](https://coder.com/docs/v2/latest/admin/git-prov
 module "git-clone" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/git-clone/coder"
-  version  = "1.2.2"
+  version  = "1.2.3"
  agent_id = coder_agent.example.id
  url      = "https://github.com/coder/coder"
 }

+
 data "coder_external_auth" "github" {
  id = "github"
 }
@@ -69,11 +70,12 @@ data "coder_parameter" "git_repo" {
 module "git_clone" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/git-clone/coder"
-  version  = "1.2.2"
+  version  = "1.2.3"
  agent_id = coder_agent.example.id
  url      = data.coder_parameter.git_repo.value
 }

+
 # Create a code-server instance for the cloned repository
 module "code-server" {
  count    = data.coder_workspace.me.start_count
@@ -103,13 +105,14 @@ Configuring `git-clone` for a self-hosted GitHub Enterprise Server running at `g
 module "git-clone" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/git-clone/coder"
-  version  = "1.2.2"
+  version  = "1.2.3"
  agent_id = coder_agent.example.id
  url      = "https://github.example.com/coder/coder/tree/feat/example"
  git_providers = {
    "https://github.example.com/" = {
      provider = "github"
    }
+
  }
 }
 ```
@@ -122,7 +125,7 @@ To GitLab clone with a specific branch like `feat/example`
 module "git-clone" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/git-clone/coder"
-  version  = "1.2.2"
+  version  = "1.2.3"
  agent_id = coder_agent.example.id
  url      = "https://gitlab.com/coder/coder/-/tree/feat/example"
 }
@@ -134,13 +137,14 @@ Configuring `git-clone` for a self-hosted GitLab running at `gitlab.example.com`
 module "git-clone" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/git-clone/coder"
-  version  = "1.2.2"
+  version  = "1.2.3"
  agent_id = coder_agent.example.id
  url      = "https://gitlab.example.com/coder/coder/-/tree/feat/example"
  git_providers = {
    "https://gitlab.example.com/" = {
      provider = "gitlab"
    }
+
  }
 }
 ```
@@ -155,7 +159,7 @@ For example, to clone the `feat/example` branch:
 module "git-clone" {
  count       = data.coder_workspace.me.start_count
  source      = "registry.coder.com/coder/git-clone/coder"
-  version     = "1.2.2"
+  version     = "1.2.3"
  agent_id    = coder_agent.example.id
  url         = "https://github.com/coder/coder"
  branch_name = "feat/example"
@@ -173,7 +177,7 @@ For example, this will clone into the `~/projects/coder/coder-dev` folder:
 module "git-clone" {
  count       = data.coder_workspace.me.start_count
  source      = "registry.coder.com/coder/git-clone/coder"
-  version     = "1.2.2"
+  version     = "1.2.3"
  agent_id    = coder_agent.example.id
  url         = "https://github.com/coder/coder"
  folder_name = "coder-dev"
@@ -191,8 +195,8 @@ If not defined, the default, `0`, performs a full clone.
 ```tf
 module "git-clone" {
  count    = data.coder_workspace.me.start_count
-  source   = "registry.coder.com/modules/git-clone/coder"
-  version  = "1.2.2"
+  source   = "registry.coder.com/coder/git-clone/coder"
+  version  = "1.2.3"
  agent_id = coder_agent.example.id
  url      = "https://github.com/coder/coder"
  depth    = 1
@@ -208,7 +212,7 @@ This is useful for running initialization tasks like installing dependencies or
 module "git-clone" {
  count             = data.coder_workspace.me.start_count
  source            = "registry.coder.com/coder/git-clone/coder"
-  version           = "1.2.2"
+  version           = "1.2.3"
  agent_id          = coder_agent.example.id
  url               = "https://github.com/coder/coder"
  post_clone_script = <<-EOT
@@ -58,9 +58,10 @@ fi
 # Run post-clone script if provided
 if [ -n "$POST_CLONE_SCRIPT" ]; then
  echo "Running post-clone script..."
-  echo "$POST_CLONE_SCRIPT" | base64 -d > /tmp/post_clone.sh
-  chmod +x /tmp/post_clone.sh
+  POST_CLONE_TMP=$(mktemp)
+  echo "$POST_CLONE_SCRIPT" | base64 -d > "$POST_CLONE_TMP"
+  chmod +x "$POST_CLONE_TMP"
  cd "$CLONE_PATH" || exit
-  /tmp/post_clone.sh
-  rm /tmp/post_clone.sh
+  $POST_CLONE_TMP
+  rm "$POST_CLONE_TMP"
 fi
@@ -1,9 +1,17 @@
-import { type Server, serve } from "bun";
-import { describe, expect, it } from "bun:test";
+import { serve } from "bun";
+import {
+  afterEach,
+  beforeAll,
+  describe,
+  expect,
+  it,
+  setDefaultTimeout,
+} from "bun:test";
 import {
  createJSONResponse,
  execContainer,
  findResourceInstance,
+  removeContainer,
  runContainer,
  runTerraformApply,
  runTerraformInit,
@@ -11,77 +19,48 @@ import {
  writeCoder,
 } from "~test";

-describe("github-upload-public-key", async () => {
-  await runTerraformInit(import.meta.dir);
-
-  testRequiredVariables(import.meta.dir, {
-    agent_id: "foo",
-  });
-
-  it("creates new key if one does not exist", async () => {
-    const { instance, id, server } = await setupContainer();
-    await writeCoder(id, "echo foo");
-
-    const url = server.url.toString().slice(0, -1);
-    const exec = await execContainer(id, [
-      "env",
-      `CODER_ACCESS_URL=${url}`,
-      `GITHUB_API_URL=${url}`,
-      "CODER_OWNER_SESSION_TOKEN=foo",
-      "CODER_EXTERNAL_AUTH_ID=github",
-      "bash",
-      "-c",
-      instance.script,
-    ]);
-    expect(exec.stdout).toContain(
-      "Your Coder public key has been added to GitHub!",
-    );
-    expect(exec.exitCode).toBe(0);
-    // we need to increase timeout to pull the container
-  }, 15000);
-
-  it("does nothing if one already exists", async () => {
-    const { instance, id, server } = await setupContainer();
-    // use keyword to make server return a existing key
-    await writeCoder(id, "echo findkey");
-
-    const url = server.url.toString().slice(0, -1);
-    const exec = await execContainer(id, [
-      "env",
-      `CODER_ACCESS_URL=${url}`,
-      `GITHUB_API_URL=${url}`,
-      "CODER_OWNER_SESSION_TOKEN=foo",
-      "CODER_EXTERNAL_AUTH_ID=github",
-      "bash",
-      "-c",
-      instance.script,
-    ]);
-    expect(exec.stdout).toContain(
-      "Your Coder public key is already on GitHub!",
-    );
-    expect(exec.exitCode).toBe(0);
-  });
+let cleanupFunctions: (() => Promise<void>)[] = [];
+const registerCleanup = (cleanup: () => Promise<void>) => {
+  cleanupFunctions.push(cleanup);
+};
+afterEach(async () => {
+  const cleanupFnsCopy = cleanupFunctions.slice().reverse();
+  cleanupFunctions = [];
+  for (const cleanup of cleanupFnsCopy) {
+    try {
+      await cleanup();
+    } catch (error) {
+      console.error("Error during cleanup:", error);
+    }
+  }
 });

 const setupContainer = async (
  image = "lorello/alpine-bash",
  vars: Record<string, string> = {},
 ) => {
-  const server = await setupServer();
+  const server = setupServer();
  const state = await runTerraformApply(import.meta.dir, {
    agent_id: "foo",
    ...vars,
  });
  const instance = findResourceInstance(state, "coder_script");
  const id = await runContainer(image);
+
+  registerCleanup(async () => {
+    server.stop();
+  });
+  registerCleanup(async () => {
+    await removeContainer(id);
+  });
+
  return { id, instance, server };
 };

-const setupServer = async (): Promise<Server> => {
-  let url: URL;
-  const fakeSlackHost = serve({
+const setupServer = () => {
+  const fakeGithubHost = serve({
    fetch: (req) => {
-      url = new URL(req.url);
+      const url = new URL(req.url);
      if (url.pathname === "/api/v2/users/me/gitsshkey") {
        return createJSONResponse({
          public_key: "exists",
@@ -128,5 +107,60 @@ const setupServer = async (): Promise<Server> => {
    port: 0,
  });

-  return fakeSlackHost;
+  return fakeGithubHost;
 };
+
+setDefaultTimeout(30 * 1000);
+
+describe("github-upload-public-key", () => {
+  beforeAll(async () => {
+    await runTerraformInit(import.meta.dir);
+  });
+
+  testRequiredVariables(import.meta.dir, {
+    agent_id: "foo",
+  });
+
+  it("creates new key if one does not exist", async () => {
+    const { instance, id, server } = await setupContainer();
+    await writeCoder(id, "echo foo");
+
+    const url = server.url.toString().slice(0, -1);
+    const exec = await execContainer(id, [
+      "env",
+      `CODER_ACCESS_URL=${url}`,
+      `GITHUB_API_URL=${url}`,
+      "CODER_OWNER_SESSION_TOKEN=foo",
+      "CODER_EXTERNAL_AUTH_ID=github",
+      "bash",
+      "-c",
+      instance.script,
+    ]);
+    expect(exec.stdout).toContain(
+      "Your Coder public key has been added to GitHub!",
+    );
+    expect(exec.exitCode).toBe(0);
+  });
+
+  it("does nothing if one already exists", async () => {
+    const { instance, id, server } = await setupContainer();
+    // use keyword to make server return a existing key
+    await writeCoder(id, "echo findkey");
+
+    const url = server.url.toString().slice(0, -1);
+    const exec = await execContainer(id, [
+      "env",
+      `CODER_ACCESS_URL=${url}`,
+      `GITHUB_API_URL=${url}`,
+      "CODER_OWNER_SESSION_TOKEN=foo",
+      "CODER_EXTERNAL_AUTH_ID=github",
+      "bash",
+      "-c",
+      instance.script,
+    ]);
+    expect(exec.stdout).toContain(
+      "Your Coder public key is already on GitHub!",
+    );
+    expect(exec.exitCode).toBe(0);
+  });
+});
@@ -16,7 +16,7 @@ Install the JF CLI and authenticate package managers with Artifactory using OAut
 module "jfrog" {
  count          = data.coder_workspace.me.start_count
  source         = "registry.coder.com/coder/jfrog-oauth/coder"
-  version        = "1.2.3"
+  version        = "1.2.4"
  agent_id       = coder_agent.main.id
  jfrog_url      = "https://example.jfrog.io"
  username_field = "username" # If you are using GitHub to login to both Coder and Artifactory, use username_field = "username"
@@ -57,7 +57,7 @@ Configure the Python pip package manager to fetch packages from Artifactory whil
 module "jfrog" {
  count          = data.coder_workspace.me.start_count
  source         = "registry.coder.com/coder/jfrog-oauth/coder"
-  version        = "1.2.3"
+  version        = "1.2.4"
  agent_id       = coder_agent.main.id
  jfrog_url      = "https://example.jfrog.io"
  username_field = "email"
@@ -0,0 +1,400 @@
+# Test for jfrog-oauth module
+
+run "test_required_vars" {
+  command = plan
+
+  variables {
+    agent_id         = "test-agent-id"
+    jfrog_url        = "https://example.jfrog.io"
+    package_managers = {}
+  }
+
+  # Mock external auth with valid access token for basic test
+  override_data {
+    target = data.coder_external_auth.jfrog
+    values = {
+      access_token = "valid-token-value"
+    }
+  }
+}
+
+run "test_empty_access_token_fails" {
+  command = plan
+
+  variables {
+    agent_id         = "test-agent-id"
+    jfrog_url        = "https://example.jfrog.io"
+    package_managers = {}
+  }
+
+  # Mock external auth with empty access token
+  override_data {
+    target = data.coder_external_auth.jfrog
+    values = {
+      access_token = ""
+    }
+  }
+
+  expect_failures = [
+    resource.coder_script.jfrog
+  ]
+}
+
+run "test_valid_access_token_succeeds" {
+  command = plan
+
+  variables {
+    agent_id         = "test-agent-id"
+    jfrog_url        = "https://example.jfrog.io"
+    package_managers = {}
+  }
+
+  # Mock external auth with valid access token
+  override_data {
+    target = data.coder_external_auth.jfrog
+    values = {
+      access_token = "valid-token-value"
+    }
+  }
+
+  # Verify the script resource is created
+  assert {
+    condition     = resource.coder_script.jfrog.agent_id == "test-agent-id"
+    error_message = "coder_script agent_id should match the input variable"
+  }
+
+  assert {
+    condition     = resource.coder_script.jfrog.display_name == "jfrog"
+    error_message = "coder_script display_name should be 'jfrog'"
+  }
+}
+
+run "test_jfrog_url_validation" {
+  command = plan
+
+  variables {
+    agent_id         = "test-agent-id"
+    jfrog_url        = "invalid-url"
+    package_managers = {}
+  }
+
+  override_data {
+    target = data.coder_external_auth.jfrog
+    values = {
+      access_token = "valid-token-value"
+    }
+  }
+
+  expect_failures = [
+    var.jfrog_url
+  ]
+}
+
+run "test_username_field_validation" {
+  command = plan
+
+  variables {
+    agent_id         = "test-agent-id"
+    jfrog_url        = "https://example.jfrog.io"
+    username_field   = "invalid"
+    package_managers = {}
+  }
+
+  override_data {
+    target = data.coder_external_auth.jfrog
+    values = {
+      access_token = "valid-token-value"
+    }
+  }
+
+  expect_failures = [
+    var.username_field
+  ]
+}
+
+run "test_with_npm_package_manager" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    jfrog_url = "https://example.jfrog.io"
+    package_managers = {
+      npm = ["global", "@foo:foo", "@bar:bar"]
+    }
+  }
+
+  override_data {
+    target = data.coder_external_auth.jfrog
+    values = {
+      access_token = "valid-token-value"
+    }
+  }
+
+  assert {
+    condition     = resource.coder_script.jfrog.run_on_start == true
+    error_message = "coder_script should run on start"
+  }
+
+  # Verify npm configuration is in script
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "jf npmc --global --repo-resolve \"global\"")
+    error_message = "script should contain jf npmc command for npm"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "@foo:registry=https://example.jfrog.io/artifactory/api/npm/foo")
+    error_message = "script should contain scoped npm registry for @foo"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "@bar:registry=https://example.jfrog.io/artifactory/api/npm/bar")
+    error_message = "script should contain scoped npm registry for @bar"
+  }
+}
+
+run "test_configure_code_server" {
+  command = plan
+
+  variables {
+    agent_id              = "test-agent-id"
+    jfrog_url             = "https://example.jfrog.io"
+    configure_code_server = true
+    package_managers      = {}
+  }
+
+  override_data {
+    target = data.coder_external_auth.jfrog
+    values = {
+      access_token = "valid-token-value"
+    }
+  }
+
+  # When configure_code_server is true, env vars should be created
+  assert {
+    condition     = length(resource.coder_env.jfrog_ide_url) == 1
+    error_message = "coder_env.jfrog_ide_url should be created when configure_code_server is true"
+  }
+
+  assert {
+    condition     = length(resource.coder_env.jfrog_ide_access_token) == 1
+    error_message = "coder_env.jfrog_ide_access_token should be created when configure_code_server is true"
+  }
+}
+
+run "test_go_proxy_env" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    jfrog_url = "https://example.jfrog.io"
+    package_managers = {
+      go = ["foo", "bar", "baz"]
+    }
+  }
+
+  override_data {
+    target = data.coder_external_auth.jfrog
+    values = {
+      access_token = "valid-token-value"
+    }
+  }
+
+  # When go package manager is configured, GOPROXY env should be set
+  assert {
+    condition     = length(resource.coder_env.goproxy) == 1
+    error_message = "coder_env.goproxy should be created when go package manager is configured"
+  }
+
+  # Verify GOPROXY contains all repos
+  assert {
+    condition     = strcontains(resource.coder_env.goproxy[0].value, "example.jfrog.io/artifactory/api/go/foo")
+    error_message = "GOPROXY should contain foo repo"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_env.goproxy[0].value, "example.jfrog.io/artifactory/api/go/bar")
+    error_message = "GOPROXY should contain bar repo"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_env.goproxy[0].value, "example.jfrog.io/artifactory/api/go/baz")
+    error_message = "GOPROXY should contain baz repo"
+  }
+
+  # Verify script contains go configuration
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "jf goc --global --repo-resolve \"foo\"")
+    error_message = "script should contain jf goc command"
+  }
+}
+
+run "test_pypi_package_manager" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    jfrog_url = "https://example.jfrog.io"
+    package_managers = {
+      pypi = ["global", "foo", "bar"]
+    }
+  }
+
+  override_data {
+    target = data.coder_external_auth.jfrog
+    values = {
+      access_token = "valid-token-value"
+    }
+  }
+
+  # Verify pip configuration in script
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "jf pipc --global --repo-resolve \"global\"")
+    error_message = "script should contain jf pipc command"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "index-url = https://default:valid-token-value@example.jfrog.io/artifactory/api/pypi/global/simple")
+    error_message = "script should contain pip index-url configuration"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "extra-index-url")
+    error_message = "script should contain extra-index-url for additional repos"
+  }
+}
+
+run "test_docker_package_manager" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    jfrog_url = "https://example.jfrog.io"
+    package_managers = {
+      docker = ["foo.jfrog.io", "bar.jfrog.io", "baz.jfrog.io"]
+    }
+  }
+
+  override_data {
+    target = data.coder_external_auth.jfrog
+    values = {
+      access_token = "valid-token-value"
+    }
+  }
+
+  # Verify docker registration commands in script
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "register_docker \"foo.jfrog.io\"")
+    error_message = "script should contain register_docker for foo.jfrog.io"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "register_docker \"bar.jfrog.io\"")
+    error_message = "script should contain register_docker for bar.jfrog.io"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "register_docker \"baz.jfrog.io\"")
+    error_message = "script should contain register_docker for baz.jfrog.io"
+  }
+}
+
+run "test_conda_package_manager" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    jfrog_url = "https://example.jfrog.io"
+    package_managers = {
+      conda = ["conda-main", "conda-secondary", "conda-local"]
+    }
+  }
+
+  override_data {
+    target = data.coder_external_auth.jfrog
+    values = {
+      access_token = "valid-token-value"
+    }
+  }
+
+  # Verify conda configuration in script
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "channels:")
+    error_message = "script should contain conda channels configuration"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "example.jfrog.io/artifactory/api/conda/conda-main")
+    error_message = "script should contain conda-main channel"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "example.jfrog.io/artifactory/api/conda/conda-secondary")
+    error_message = "script should contain conda-secondary channel"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "example.jfrog.io/artifactory/api/conda/conda-local")
+    error_message = "script should contain conda-local channel"
+  }
+}
+
+run "test_maven_package_manager" {
+  command = plan
+
+  variables {
+    agent_id  = "test-agent-id"
+    jfrog_url = "https://example.jfrog.io"
+    package_managers = {
+      maven = ["central", "snapshots", "local"]
+    }
+  }
+
+  override_data {
+    target = data.coder_external_auth.jfrog
+    values = {
+      access_token = "valid-token-value"
+    }
+  }
+
+  # Verify maven jf mvnc command
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "jf mvnc --global")
+    error_message = "script should contain jf mvnc command"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "--repo-resolve-releases \"central\"")
+    error_message = "script should contain repo-resolve-releases for central"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "--repo-resolve-snapshots \"central\"")
+    error_message = "script should contain repo-resolve-snapshots for central"
+  }
+
+  # Verify settings.xml content
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "<servers>")
+    error_message = "script should contain maven servers configuration"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "<id>central</id>")
+    error_message = "script should contain central server id"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "<id>snapshots</id>")
+    error_message = "script should contain snapshots server id"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "<id>local</id>")
+    error_message = "script should contain local server id"
+  }
+
+  assert {
+    condition     = strcontains(resource.coder_script.jfrog.script, "<url>https://example.jfrog.io/artifactory/central</url>")
+    error_message = "script should contain central repository URL"
+  }
+}
@@ -1,189 +0,0 @@
-import { describe, expect, it } from "bun:test";
-import {
-  findResourceInstance,
-  runTerraformInit,
-  runTerraformApply,
-  testRequiredVariables,
-} from "~test";
-
-describe("jfrog-oauth", async () => {
-  type TestVariables = {
-    agent_id: string;
-    jfrog_url: string;
-    package_managers: string;
-
-    username_field?: string;
-    jfrog_server_id?: string;
-    external_auth_id?: string;
-    configure_code_server?: boolean;
-  };
-
-  await runTerraformInit(import.meta.dir);
-
-  const fakeFrogApi = "localhost:8081/artifactory/api";
-  const fakeFrogUrl = "http://localhost:8081";
-  const user = "default";
-
-  testRequiredVariables<TestVariables>(import.meta.dir, {
-    agent_id: "some-agent-id",
-    jfrog_url: fakeFrogUrl,
-    package_managers: "{}",
-  });
-
-  it("generates an npmrc with scoped repos", async () => {
-    const state = await runTerraformApply<TestVariables>(import.meta.dir, {
-      agent_id: "some-agent-id",
-      jfrog_url: fakeFrogUrl,
-      package_managers: JSON.stringify({
-        npm: ["global", "@foo:foo", "@bar:bar"],
-      }),
-    });
-    const coderScript = findResourceInstance(state, "coder_script");
-    const npmrcStanza = `cat << EOF > ~/.npmrc
-email=${user}@example.com
-registry=http://${fakeFrogApi}/npm/global
-//${fakeFrogApi}/npm/global/:_authToken=
-@foo:registry=http://${fakeFrogApi}/npm/foo
-//${fakeFrogApi}/npm/foo/:_authToken=
-@bar:registry=http://${fakeFrogApi}/npm/bar
-//${fakeFrogApi}/npm/bar/:_authToken=
-
-EOF`;
-    expect(coderScript.script).toContain(npmrcStanza);
-    expect(coderScript.script).toContain(
-      'jf npmc --global --repo-resolve "global"',
-    );
-    expect(coderScript.script).toContain(
-      'if [ -z "YES" ]; then\n  not_configured npm',
-    );
-  });
-
-  it("generates a pip config with extra-indexes", async () => {
-    const state = await runTerraformApply<TestVariables>(import.meta.dir, {
-      agent_id: "some-agent-id",
-      jfrog_url: fakeFrogUrl,
-      package_managers: JSON.stringify({
-        pypi: ["global", "foo", "bar"],
-      }),
-    });
-    const coderScript = findResourceInstance(state, "coder_script");
-    const pipStanza = `cat << EOF > ~/.pip/pip.conf
-[global]
-index-url = https://${user}:@${fakeFrogApi}/pypi/global/simple
-extra-index-url =
-    https://${user}:@${fakeFrogApi}/pypi/foo/simple
-    https://${user}:@${fakeFrogApi}/pypi/bar/simple
-
-EOF`;
-    expect(coderScript.script).toContain(pipStanza);
-    expect(coderScript.script).toContain(
-      'jf pipc --global --repo-resolve "global"',
-    );
-    expect(coderScript.script).toContain(
-      'if [ -z "YES" ]; then\n  not_configured pypi',
-    );
-  });
-
-  it("registers multiple docker repos", async () => {
-    const state = await runTerraformApply<TestVariables>(import.meta.dir, {
-      agent_id: "some-agent-id",
-      jfrog_url: fakeFrogUrl,
-      package_managers: JSON.stringify({
-        docker: ["foo.jfrog.io", "bar.jfrog.io", "baz.jfrog.io"],
-      }),
-    });
-    const coderScript = findResourceInstance(state, "coder_script");
-    const dockerStanza = ["foo", "bar", "baz"]
-      .map((r) => `register_docker "${r}.jfrog.io"`)
-      .join("\n");
-    expect(coderScript.script).toContain(dockerStanza);
-    expect(coderScript.script).toContain(
-      'if [ -z "YES" ]; then\n  not_configured docker',
-    );
-  });
-
-  it("sets goproxy with multiple repos", async () => {
-    const state = await runTerraformApply<TestVariables>(import.meta.dir, {
-      agent_id: "some-agent-id",
-      jfrog_url: fakeFrogUrl,
-      package_managers: JSON.stringify({
-        go: ["foo", "bar", "baz"],
-      }),
-    });
-    const proxyEnv = findResourceInstance(state, "coder_env", "goproxy");
-    const proxies = ["foo", "bar", "baz"]
-      .map((r) => `https://${user}:@${fakeFrogApi}/go/${r}`)
-      .join(",");
-    expect(proxyEnv.value).toEqual(proxies);
-
-    const coderScript = findResourceInstance(state, "coder_script");
-    expect(coderScript.script).toContain(
-      'jf goc --global --repo-resolve "foo"',
-    );
-    expect(coderScript.script).toContain(
-      'if [ -z "YES" ]; then\n  not_configured go',
-    );
-  });
-
-  it("generates a conda config with multiple repos", async () => {
-    const state = await runTerraformApply<TestVariables>(import.meta.dir, {
-      agent_id: "some-agent-id",
-      jfrog_url: fakeFrogUrl,
-      package_managers: JSON.stringify({
-        conda: ["conda-main", "conda-secondary", "conda-local"],
-      }),
-    });
-    const coderScript = findResourceInstance(state, "coder_script");
-    const condaStanza = `cat << EOF > ~/.condarc
-channels:
-  - https://${user}:@${fakeFrogApi}/conda/conda-main
-  - https://${user}:@${fakeFrogApi}/conda/conda-secondary
-  - https://${user}:@${fakeFrogApi}/conda/conda-local
-  - defaults
-ssl_verify: true
-
-EOF`;
-    expect(coderScript.script).toContain(condaStanza);
-    expect(coderScript.script).toContain(
-      'if [ -z "YES" ]; then\n  not_configured conda',
-    );
-  });
-  it("generates a maven settings.xml with multiple repos", async () => {
-    const state = await runTerraformApply<TestVariables>(import.meta.dir, {
-      agent_id: "some-agent-id",
-      jfrog_url: fakeFrogUrl,
-      package_managers: JSON.stringify({
-        maven: ["central", "snapshots", "local"],
-      }),
-    });
-
-    const coderScript = findResourceInstance(state, "coder_script");
-
-    expect(coderScript.script).toContain("jf mvnc --global");
-    expect(coderScript.script).toContain('--server-id-resolve="0"');
-    expect(coderScript.script).toContain('--repo-resolve-releases "central"');
-    expect(coderScript.script).toContain('--repo-resolve-snapshots "central"');
-    expect(coderScript.script).toContain('--server-id-deploy="0"');
-    expect(coderScript.script).toContain('--repo-deploy-releases "central"');
-    expect(coderScript.script).toContain('--repo-deploy-snapshots "central"');
-
-    expect(coderScript.script).toContain("<servers>");
-    expect(coderScript.script).toContain("<id>central</id>");
-    expect(coderScript.script).toContain("<id>snapshots</id>");
-    expect(coderScript.script).toContain("<id>local</id>");
-
-    expect(coderScript.script).toContain(
-      "<url>http://localhost:8081/artifactory/central</url>",
-    );
-    expect(coderScript.script).toContain(
-      "<url>http://localhost:8081/artifactory/snapshots</url>",
-    );
-    expect(coderScript.script).toContain(
-      "<url>http://localhost:8081/artifactory/local</url>",
-    );
-
-    expect(coderScript.script).toContain(
-      'if [ -z "YES" ]; then\n  not_configured maven',
-    );
-  });
-});
@@ -163,6 +163,13 @@ resource "coder_script" "jfrog" {
    }
  ))
  run_on_start = true
+
+  lifecycle {
+    precondition {
+      condition     = data.coder_external_auth.jfrog.access_token != ""
+      error_message = "JFrog access token is empty. Please authenticate with JFrog using external auth."
+    }
+  }
 }

 resource "coder_env" "jfrog_ide_url" {
@@ -14,7 +14,7 @@ Automatically install [KasmVNC](https://kasmweb.com/kasmvnc) in a workspace, and
 module "kasmvnc" {
  count               = data.coder_workspace.me.start_count
  source              = "registry.coder.com/coder/kasmvnc/coder"
-  version             = "1.2.6"
+  version             = "1.2.7"
  agent_id            = coder_agent.example.id
  desktop_environment = "xfce"
  subdomain           = true
@@ -31,7 +31,7 @@ variable "desktop_environment" {
  description = "Specifies the desktop environment of the workspace. This should be pre-installed on the workspace."

  validation {
-    condition     = contains(["xfce", "kde", "gnome", "lxde", "lxqt"], var.desktop_environment)
+    condition     = contains(["cinnamon", "mate", "lxde", "lxqt", "kde", "gnome", "xfce", "manual"], var.desktop_environment)
    error_message = "Invalid desktop environment. Please specify a valid desktop environment."
  }
 }
@@ -18,7 +18,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "kiro" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/kiro/coder"
-  version  = "1.1.1"
+  version  = "1.2.0"
  agent_id = coder_agent.main.id
 }
 ```
@@ -31,7 +31,7 @@ module "kiro" {
 module "kiro" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/kiro/coder"
-  version  = "1.1.1"
+  version  = "1.2.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
 }
@@ -47,7 +47,7 @@ The following example configures Kiro to use the GitHub MCP server with authenti
 module "kiro" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/kiro/coder"
-  version  = "1.1.1"
+  version  = "1.2.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
  mcp = jsonencode({
@@ -60,6 +60,7 @@ module "kiro" {
        "type" : "http"
      }

+
    }
  })
 }
@@ -17,11 +17,6 @@ run "default_output" {
    condition     = output.kiro_url == "kiro://coder.coder-remote/open?owner=default&workspace=default&url=https://mydeployment.coder.com&token=$SESSION_TOKEN"
    error_message = "Default kiro_url must match expected value"
  }
-
-  assert {
-    condition     = coder_app.kiro.order == null
-    error_message = "coder_app order must be null by default"
-  }
 }

 run "adds_folder" {
@@ -53,54 +48,6 @@ run "folder_and_open_recent" {
  }
 }

-run "custom_slug_display_name" {
-  command = plan
-
-  variables {
-    agent_id     = "foo"
-    slug         = "kiro-ai"
-    display_name = "Kiro AI IDE"
-  }
-
-  assert {
-    condition     = coder_app.kiro.slug == "kiro-ai"
-    error_message = "coder_app slug must be set to kiro-ai"
-  }
-
-  assert {
-    condition     = coder_app.kiro.display_name == "Kiro AI IDE"
-    error_message = "coder_app display_name must be set to Kiro AI IDE"
-  }
-}
-
-run "sets_order" {
-  command = plan
-
-  variables {
-    agent_id = "foo"
-    order    = 5
-  }
-
-  assert {
-    condition     = coder_app.kiro.order == 5
-    error_message = "coder_app order must be set to 5"
-  }
-}
-
-run "sets_group" {
-  command = plan
-
-  variables {
-    agent_id = "foo"
-    group    = "AI IDEs"
-  }
-
-  assert {
-    condition     = coder_app.kiro.group == "AI IDEs"
-    error_message = "coder_app group must be set to AI IDEs"
-  }
-}
-
 run "writes_mcp_json" {
  command = plan

@@ -26,7 +26,10 @@ describe("kiro", async () => {
    );

    const coder_app = state.resources.find(
-      (res) => res.type === "coder_app" && res.name === "kiro",
+      (res) =>
+        res.type === "coder_app" &&
+        res.module === "module.vscode-desktop-core" &&
+        res.name === "vscode-desktop",
    );

    expect(coder_app).not.toBeNull();
@@ -55,47 +58,6 @@ describe("kiro", async () => {
    );
  });

-  it("custom slug and display_name", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      slug: "kiro-ai",
-      display_name: "Kiro AI IDE",
-    });
-
-    const coder_app = state.resources.find(
-      (res) => res.type === "coder_app" && res.name === "kiro",
-    );
-
-    expect(coder_app?.instances[0].attributes.slug).toBe("kiro-ai");
-    expect(coder_app?.instances[0].attributes.display_name).toBe("Kiro AI IDE");
-  });
-
-  it("sets order", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      order: "5",
-    });
-
-    const coder_app = state.resources.find(
-      (res) => res.type === "coder_app" && res.name === "kiro",
-    );
-
-    expect(coder_app?.instances[0].attributes.order).toBe(5);
-  });
-
-  it("sets group", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      group: "AI IDEs",
-    });
-
-    const coder_app = state.resources.find(
-      (res) => res.type === "coder_app" && res.name === "kiro",
-    );
-
-    expect(coder_app?.instances[0].attributes.group).toBe("AI IDEs");
-  });
-
  it("writes ~/.kiro/settings/mcp.json when mcp provided", async () => {
    const id = await runContainer("alpine");
    try {
@@ -38,18 +38,6 @@ variable "group" {
  default     = null
 }

-variable "slug" {
-  type        = string
-  description = "The slug of the app."
-  default     = "kiro"
-}
-
-variable "display_name" {
-  type        = string
-  description = "The display name of the app."
-  default     = "Kiro IDE"
-}
-
 variable "mcp" {
  type        = string
  description = "JSON-encoded string to configure MCP servers for Kiro. When set, writes ~/.kiro/settings/mcp.json."
@@ -63,26 +51,21 @@ locals {
  mcp_b64 = var.mcp != "" ? base64encode(var.mcp) : ""
 }

-resource "coder_app" "kiro" {
-  agent_id     = var.agent_id
-  external     = true
-  icon         = "/icon/kiro.svg"
-  slug         = var.slug
-  display_name = var.display_name
-  order        = var.order
-  group        = var.group
-  url = join("", [
-    "kiro://coder.coder-remote/open",
-    "?owner=",
-    data.coder_workspace_owner.me.name,
-    "&workspace=",
-    data.coder_workspace.me.name,
-    var.folder != "" ? join("", ["&folder=", var.folder]) : "",
-    var.open_recent ? "&openRecent" : "",
-    "&url=",
-    data.coder_workspace.me.access_url,
-    "&token=$SESSION_TOKEN",
-  ])
+module "vscode-desktop-core" {
+  source  = "registry.coder.com/coder/vscode-desktop-core/coder"
+  version = "1.0.0"
+
+  agent_id = var.agent_id
+
+  coder_app_icon         = "/icon/kiro.svg"
+  coder_app_slug         = "kiro-ai"
+  coder_app_display_name = "Kiro AI IDE"
+  coder_app_order        = var.order
+  coder_app_group        = var.group
+
+  folder      = var.folder
+  open_recent = var.open_recent
+  protocol    = "kiro"
 }

 resource "coder_script" "kiro_mcp" {
@@ -102,6 +85,6 @@ resource "coder_script" "kiro_mcp" {
 }

 output "kiro_url" {
-  value       = coder_app.kiro.url
+  value       = module.vscode-desktop-core.ide_uri
  description = "Kiro IDE URL."
-}
+}
@@ -2,23 +2,25 @@
 display_name: mux
 description: Coding Agent Multiplexer - Run multiple AI agents in parallel
 icon: ../../../../.icons/mux.svg
-verified: false
+verified: true
 tags: [ai, agents, development, multiplexer]
 ---

 # mux

-Automatically install and run mux in a Coder workspace. By default, the module installs `mux@next` from npm (with a fallback to downloading the npm tarball if npm is unavailable). mux is a desktop application for parallel agentic development that enables developers to run multiple AI agents simultaneously across isolated workspaces.
+Automatically install and run [mux](https://github.com/coder/mux) in a Coder workspace. By default, the module installs `mux@next` from npm (with a fallback to downloading the npm tarball if npm is unavailable). mux is a desktop application for parallel agentic development that enables developers to run multiple AI agents simultaneously across isolated workspaces.

 ```tf
 module "mux" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.0.2"
+  version  = "1.0.6"
  agent_id = coder_agent.main.id
 }
 ```

+![mux](../../.images/mux-product-hero.webp)
+
 ## Features

 - **Parallel Agent Execution**: Run multiple AI agents simultaneously on different tasks
@@ -35,7 +37,7 @@ module "mux" {
 module "mux" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.0.2"
+  version  = "1.0.6"
  agent_id = coder_agent.main.id
 }
 ```
@@ -46,7 +48,7 @@ module "mux" {
 module "mux" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.0.2"
+  version  = "1.0.6"
  agent_id = coder_agent.main.id
  # Default is "latest"; set to a specific version to pin
  install_version = "0.4.0"
@@ -59,7 +61,7 @@ module "mux" {
 module "mux" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.0.2"
+  version  = "1.0.6"
  agent_id = coder_agent.main.id
  port     = 8080
 }
@@ -73,7 +75,7 @@ Run an existing copy of mux if found, otherwise install from npm:
 module "mux" {
  count      = data.coder_workspace.me.start_count
  source     = "registry.coder.com/coder/mux/coder"
-  version    = "1.0.2"
+  version    = "1.0.6"
  agent_id   = coder_agent.main.id
  use_cached = true
 }
@@ -87,7 +89,7 @@ Run without installing from the network (requires mux to be pre-installed):
 module "mux" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/mux/coder"
-  version  = "1.0.2"
+  version  = "1.0.6"
  agent_id = coder_agent.main.id
  install  = false
 }
@@ -5,6 +5,9 @@ RESET='\033[0m'
 MUX_BINARY="${INSTALL_PREFIX}/mux"

 function run_mux() {
+  # Remove stale server lock if present
+  rm -f "$HOME/.mux/server.lock"
+
  local port_value
  port_value="${PORT}"
  if [ -z "$port_value" ]; then
@@ -94,7 +97,7 @@ if [ ! -f "$MUX_BINARY" ] || [ "${USE_CACHED}" != true ]; then
    fi
    # sed-based fallback
    if [ -z "$TARBALL_URL" ]; then
-      TARBALL_URL="$(printf "%s" "$META_ONE_LINE" | sed -n 's/.*\"tarball\":\"\\([^\"]*\\)\".*/\\1/p' | head -n1)"
+      TARBALL_URL="$(printf "%s" "$META_ONE_LINE" | sed -n 's/.*"tarball":"\([^"]*\)".*/\1/p' | head -n1)"
    fi
    # Fallback: resolve version then construct tarball URL
    if [ -z "$TARBALL_URL" ]; then
@@ -103,10 +106,10 @@ if [ ! -f "$MUX_BINARY" ] || [ "${USE_CACHED}" != true ]; then
        RESOLVED_VERSION="$(printf "%s" "$META_JSON" | node -e 'try{const fs=require("fs");const data=JSON.parse(fs.readFileSync(0,"utf8"));if(data&&data.version){console.log(data.version);}}catch(e){}')"
      fi
      if [ -z "$RESOLVED_VERSION" ]; then
-        RESOLVED_VERSION="$(printf "%s" "$META_ONE_LINE" | sed -n 's/.*\"version\":\"\\([^\"]*\\)\".*/\\1/p' | head -n1)"
+        RESOLVED_VERSION="$(printf "%s" "$META_ONE_LINE" | sed -n 's/.*"version":"\([^"]*\)".*/\1/p' | head -n1)"
      fi
      if [ -z "$RESOLVED_VERSION" ]; then
-        RESOLVED_VERSION="$(printf "%s" "$META_ONE_LINE" | grep -o '\"version\":\"[^\"]*\"' | head -n1 | cut -d '\"' -f4)"
+        RESOLVED_VERSION="$(printf "%s" "$META_ONE_LINE" | grep -o '"version":"[^"]*"' | head -n1 | cut -d '"' -f4)"
      fi
      if [ -n "$RESOLVED_VERSION" ]; then
        VERSION_TO_USE="$RESOLVED_VERSION"
@@ -138,9 +141,9 @@ if [ ! -f "$MUX_BINARY" ] || [ "${USE_CACHED}" != true ]; then
      fi
      if [ -z "$BIN_PATH" ]; then
        # sed fallbacks (handle both string and object forms)
-        BIN_PATH=$(sed -n 's/.*\"bin\"[[:space:]]*:[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p' "$TMP_DIR/package/package.json" | head -n1)
+        BIN_PATH=$(sed -n 's/.*"bin"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$TMP_DIR/package/package.json" | head -n1)
        if [ -z "$BIN_PATH" ]; then
-          BIN_PATH=$(sed -n '/\"bin\"[[:space:]]*:[[:space:]]*{/,/}/p' "$TMP_DIR/package/package.json" | sed -n 's/.*\"mux\"[[:space:]]*:[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p' | head -n1)
+          BIN_PATH=$(sed -n '/"bin"[[:space:]]*:[[:space:]]*{/,/}/p' "$TMP_DIR/package/package.json" | sed -n 's/.*"mux"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n1)
        fi
      fi
      if [ -n "$BIN_PATH" ] && [ -f "$TMP_DIR/package/$BIN_PATH" ]; then
@@ -0,0 +1,121 @@
+---
+display_name: Vault CLI
+description: Installs the Hashicorp Vault CLI and optionally configures token authentication
+icon: ../../../../.icons/vault.svg
+verified: true
+tags: [helper, integration, vault, cli]
+---
+
+# Vault CLI
+
+Installs the [Vault](https://www.vaultproject.io/) CLI and optionally configures token authentication. This module focuses on CLI installation and can be used standalone or as a base for other authentication methods.
+
+```tf
+module "vault_cli" {
+  source     = "registry.coder.com/coder/vault-cli/coder"
+  version    = "1.1.1"
+  agent_id   = coder_agent.example.id
+  vault_addr = "https://vault.example.com"
+}
+```
+
+## Prerequisites
+
+The following tools are required in the workspace image:
+
+- **HTTP client**: `curl`, `wget`, or `busybox` (at least one)
+- **Archive utility**: `unzip` or `busybox` (at least one)
+- **jq**: Optional but recommended for reliable JSON parsing (falls back to sed if not available)
+
+## With Token Authentication
+
+If you have a Vault token, you can provide it to automatically configure authentication:
+
+```tf
+module "vault_cli" {
+  source      = "registry.coder.com/coder/vault-cli/coder"
+  version     = "1.1.1"
+  agent_id    = coder_agent.example.id
+  vault_addr  = "https://vault.example.com"
+  vault_token = var.vault_token # Optional
+}
+```
+
+## Examples
+
+### Basic Installation (CLI Only)
+
+Install the Vault CLI without any authentication:
+
+```tf
+module "vault_cli" {
+  source     = "registry.coder.com/coder/vault-cli/coder"
+  version    = "1.1.1"
+  agent_id   = coder_agent.example.id
+  vault_addr = "https://vault.example.com"
+}
+```
+
+### With Specific Version
+
+```tf
+module "vault_cli" {
+  source            = "registry.coder.com/coder/vault-cli/coder"
+  version           = "1.1.1"
+  agent_id          = coder_agent.example.id
+  vault_addr        = "https://vault.example.com"
+  vault_cli_version = "1.15.0"
+}
+```
+
+### Custom Installation Directory
+
+```tf
+module "vault_cli" {
+  source      = "registry.coder.com/coder/vault-cli/coder"
+  version     = "1.1.1"
+  agent_id    = coder_agent.example.id
+  vault_addr  = "https://vault.example.com"
+  install_dir = "/home/coder/bin"
+}
+```
+
+### With Vault Enterprise Namespace
+
+For Vault Enterprise users who need to specify a namespace:
+
+```tf
+module "vault_cli" {
+  source          = "registry.coder.com/coder/vault-cli/coder"
+  version         = "1.1.1"
+  agent_id        = coder_agent.example.id
+  vault_addr      = "https://vault.example.com"
+  vault_token     = var.vault_token
+  vault_namespace = "admin/my-namespace"
+}
+```
+
+### Vault Enterprise Binary
+
+Install the Vault Enterprise binary. This is required if using SAML authentication to Vault:
+
+```tf
+module "vault_cli" {
+  source     = "registry.coder.com/coder/vault-cli/coder"
+  version    = "1.1.1"
+  agent_id   = coder_agent.example.id
+  vault_addr = "https://vault.example.com"
+  enterprise = true
+}
+```
+
+## Related Modules
+
+For more advanced authentication methods, see:
+
+- [vault-github](https://registry.coder.com/modules/coder/vault-github) - Authenticate with Vault using GitHub tokens
+- [vault-jwt](https://registry.coder.com/modules/coder/vault-jwt) - Authenticate with Vault using OIDC/JWT
+
+For simple token-based authentication, see:
+
+- [vault-token](https://registry.coder.com/modules/coder/vault-token) - Authenticate with Vault using a token
@@ -0,0 +1,97 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 0.17"
+    }
+  }
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+variable "vault_addr" {
+  type        = string
+  description = "The address of the Vault server."
+}
+
+variable "vault_token" {
+  type        = string
+  description = "The Vault token to use for authentication. If not provided, only the CLI will be installed."
+  default     = ""
+  sensitive   = true
+}
+
+variable "install_dir" {
+  type        = string
+  description = "The directory to install the Vault CLI to."
+  default     = "/usr/local/bin"
+}
+
+variable "vault_cli_version" {
+  type        = string
+  description = "The version of the Vault CLI to install."
+  default     = "latest"
+  validation {
+    condition     = var.vault_cli_version == "latest" || can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+$", var.vault_cli_version))
+    error_message = "vault_cli_version must be either 'latest' or a semantic version (e.g., '1.15.0')."
+  }
+}
+
+variable "vault_namespace" {
+  type        = string
+  description = "The Vault Enterprise namespace to use. If not provided, no namespace will be configured."
+  default     = null
+}
+
+variable "enterprise" {
+  type        = bool
+  description = "Whether to install the enterprise version of the Vault CLI. Required if using SAML authentication to Vault."
+  default     = false
+}
+
+data "coder_workspace" "me" {}
+
+resource "coder_script" "vault_cli" {
+  agent_id     = var.agent_id
+  display_name = "Vault CLI"
+  icon         = "/icon/vault.svg"
+  script = templatefile("${path.module}/run.sh", {
+    VAULT_ADDR        = var.vault_addr
+    VAULT_TOKEN       = var.vault_token
+    INSTALL_DIR       = var.install_dir
+    VAULT_CLI_VERSION = var.vault_cli_version
+    ENTERPRISE        = var.enterprise
+  })
+  run_on_start       = true
+  start_blocks_login = true
+}
+
+resource "coder_env" "vault_addr" {
+  agent_id = var.agent_id
+  name     = "VAULT_ADDR"
+  value    = var.vault_addr
+}
+
+resource "coder_env" "vault_token" {
+  count    = var.vault_token != "" ? 1 : 0
+  agent_id = var.agent_id
+  name     = "VAULT_TOKEN"
+  value    = var.vault_token
+}
+
+resource "coder_env" "vault_namespace" {
+  count    = var.vault_namespace != null ? 1 : 0
+  agent_id = var.agent_id
+  name     = "VAULT_NAMESPACE"
+  value    = var.vault_namespace
+}
+
+output "vault_cli_version" {
+  description = "The version of the Vault CLI that was installed."
+  value       = var.vault_cli_version
+}
@@ -0,0 +1,176 @@
+mock_provider "coder" {}
+
+variables {
+  agent_id   = "test-agent-id"
+  vault_addr = "https://vault.example.com"
+}
+
+run "test_vault_cli_without_token" {
+  assert {
+    condition     = resource.coder_script.vault_cli.display_name == "Vault CLI"
+    error_message = "Display name should be 'Vault CLI'"
+  }
+
+  assert {
+    condition     = resource.coder_env.vault_addr.name == "VAULT_ADDR"
+    error_message = "VAULT_ADDR environment variable should be set"
+  }
+
+  assert {
+    condition     = resource.coder_env.vault_addr.value == "https://vault.example.com"
+    error_message = "VAULT_ADDR should match the provided vault_addr"
+  }
+
+  assert {
+    condition     = length(resource.coder_env.vault_token) == 0
+    error_message = "VAULT_TOKEN should not be set when vault_token is not provided"
+  }
+
+  assert {
+    condition     = length(resource.coder_env.vault_namespace) == 0
+    error_message = "VAULT_NAMESPACE should not be set when vault_namespace is not provided"
+  }
+}
+
+run "test_vault_cli_with_token" {
+  variables {
+    vault_token = "test-vault-token"
+  }
+
+  assert {
+    condition     = resource.coder_script.vault_cli.display_name == "Vault CLI"
+    error_message = "Display name should be 'Vault CLI'"
+  }
+
+  assert {
+    condition     = resource.coder_env.vault_addr.name == "VAULT_ADDR"
+    error_message = "VAULT_ADDR environment variable should be set"
+  }
+
+  assert {
+    condition     = length(resource.coder_env.vault_token) == 1
+    error_message = "VAULT_TOKEN should be set when vault_token is provided"
+  }
+
+  assert {
+    condition     = resource.coder_env.vault_token[0].name == "VAULT_TOKEN"
+    error_message = "VAULT_TOKEN environment variable name should be correct"
+  }
+
+  assert {
+    condition     = resource.coder_env.vault_token[0].value == "test-vault-token"
+    error_message = "VAULT_TOKEN should match the provided vault_token"
+  }
+}
+
+run "test_vault_cli_custom_version" {
+  variables {
+    vault_cli_version = "1.15.0"
+  }
+
+  assert {
+    condition     = output.vault_cli_version == "1.15.0"
+    error_message = "Vault CLI version output should match the provided version"
+  }
+}
+
+run "test_vault_cli_custom_install_dir" {
+  variables {
+    install_dir = "/custom/install/dir"
+  }
+
+  assert {
+    condition     = resource.coder_script.vault_cli.display_name == "Vault CLI"
+    error_message = "Display name should be 'Vault CLI'"
+  }
+}
+
+run "test_vault_cli_invalid_version" {
+  command = plan
+
+  variables {
+    vault_cli_version = "invalid-version"
+  }
+
+  expect_failures = [var.vault_cli_version]
+}
+
+run "test_vault_cli_valid_semver" {
+  variables {
+    vault_cli_version = "1.18.3"
+  }
+
+  assert {
+    condition     = output.vault_cli_version == "1.18.3"
+    error_message = "Vault CLI version output should match the provided version"
+  }
+}
+
+run "test_vault_cli_rejects_v_prefix" {
+  command = plan
+
+  variables {
+    vault_cli_version = "v1.18.3"
+  }
+
+  expect_failures = [var.vault_cli_version]
+}
+
+run "test_vault_cli_with_namespace" {
+  variables {
+    vault_namespace = "admin/my-namespace"
+  }
+
+  assert {
+    condition     = length(resource.coder_env.vault_namespace) == 1
+    error_message = "VAULT_NAMESPACE should be set when vault_namespace is provided"
+  }
+
+  assert {
+    condition     = resource.coder_env.vault_namespace[0].name == "VAULT_NAMESPACE"
+    error_message = "VAULT_NAMESPACE environment variable name should be correct"
+  }
+
+  assert {
+    condition     = resource.coder_env.vault_namespace[0].value == "admin/my-namespace"
+    error_message = "VAULT_NAMESPACE should match the provided vault_namespace"
+  }
+}
+
+run "test_vault_cli_with_token_and_namespace" {
+  variables {
+    vault_token     = "test-vault-token"
+    vault_namespace = "admin/my-namespace"
+  }
+
+  assert {
+    condition     = length(resource.coder_env.vault_token) == 1
+    error_message = "VAULT_TOKEN should be set when vault_token is provided"
+  }
+
+  assert {
+    condition     = length(resource.coder_env.vault_namespace) == 1
+    error_message = "VAULT_NAMESPACE should be set when vault_namespace is provided"
+  }
+
+  assert {
+    condition     = resource.coder_env.vault_token[0].value == "test-vault-token"
+    error_message = "VAULT_TOKEN should match the provided vault_token"
+  }
+
+  assert {
+    condition     = resource.coder_env.vault_namespace[0].value == "admin/my-namespace"
+    error_message = "VAULT_NAMESPACE should match the provided vault_namespace"
+  }
+}
+
+run "test_vault_cli_enterprise" {
+  variables {
+    enterprise = true
+  }
+
+  assert {
+    condition     = resource.coder_script.vault_cli.display_name == "Vault CLI"
+    error_message = "Display name should be 'Vault CLI'"
+  }
+}
@@ -0,0 +1,198 @@
+#!/usr/bin/env bash
+
+# Convert all templated variables to shell variables
+VAULT_ADDR=${VAULT_ADDR}
+VAULT_TOKEN=${VAULT_TOKEN}
+INSTALL_DIR=${INSTALL_DIR}
+VAULT_CLI_VERSION=${VAULT_CLI_VERSION}
+ENTERPRISE=${ENTERPRISE}
+
+# Fetch URL content to stdout
+fetch() {
+  url="$1"
+  if command -v curl > /dev/null 2>&1; then
+    curl -sSL --fail "$${url}"
+  elif command -v wget > /dev/null 2>&1; then
+    wget -qO- "$${url}"
+  elif command -v busybox > /dev/null 2>&1; then
+    busybox wget -qO- "$${url}"
+  else
+    printf "curl, wget, or busybox is not installed. Please install curl or wget in your image.\n"
+    return 1
+  fi
+}
+
+# Download URL to a file
+fetch_to_file() {
+  dest="$1"
+  url="$2"
+  if command -v curl > /dev/null 2>&1; then
+    curl -sSL --fail "$${url}" -o "$${dest}"
+  elif command -v wget > /dev/null 2>&1; then
+    wget -O "$${dest}" "$${url}"
+  elif command -v busybox > /dev/null 2>&1; then
+    busybox wget -O "$${dest}" "$${url}"
+  else
+    printf "curl, wget, or busybox is not installed. Please install curl or wget in your image.\n"
+    return 1
+  fi
+}
+
+unzip_safe() {
+  if command -v unzip > /dev/null 2>&1; then
+    command unzip "$@"
+  elif command -v busybox > /dev/null 2>&1; then
+    busybox unzip "$@"
+  else
+    printf "unzip or busybox is not installed. Please install unzip in your image.\n"
+    return 1
+  fi
+}
+
+install() {
+  # Get the architecture of the system
+  ARCH=$(uname -m)
+  if [ "$${ARCH}" = "x86_64" ]; then
+    ARCH="amd64"
+  elif [ "$${ARCH}" = "aarch64" ]; then
+    ARCH="arm64"
+  else
+    printf "Unsupported architecture: %s\n" "$${ARCH}"
+    return 1
+  fi
+
+  # Determine OS and validate
+  OS=$(uname -s | tr '[:upper:]' '[:lower:]')
+  if [ "$${OS}" != "linux" ] && [ "$${OS}" != "darwin" ]; then
+    printf "Unsupported OS: %s. Only linux and darwin are supported.\n" "$${OS}"
+    return 1
+  fi
+
+  # Fetch release information from HashiCorp API
+  if [ "$${VAULT_CLI_VERSION}" = "latest" ]; then
+    if [ "$${ENTERPRISE}" = "true" ]; then
+      API_URL="https://api.releases.hashicorp.com/v1/releases/vault/latest?license_class=enterprise"
+    else
+      API_URL="https://api.releases.hashicorp.com/v1/releases/vault/latest"
+    fi
+  else
+    # For specific version, append +ent suffix for enterprise
+    if [ "$${ENTERPRISE}" = "true" ]; then
+      API_URL="https://api.releases.hashicorp.com/v1/releases/vault/$${VAULT_CLI_VERSION}+ent"
+    else
+      API_URL="https://api.releases.hashicorp.com/v1/releases/vault/$${VAULT_CLI_VERSION}"
+    fi
+  fi
+
+  API_RESPONSE=$(fetch "$${API_URL}")
+  if [ -z "$${API_RESPONSE}" ]; then
+    printf "Failed to fetch release information from HashiCorp API.\n"
+    return 1
+  fi
+
+  # Parse version and download URL from API response
+  if command -v jq > /dev/null 2>&1; then
+    VAULT_CLI_VERSION=$(printf '%s' "$${API_RESPONSE}" | jq -r '.version')
+    DOWNLOAD_URL=$(printf '%s' "$${API_RESPONSE}" | jq -r --arg os "$${OS}" --arg arch "$${ARCH}" '.builds[] | select(.os == $os and .arch == $arch) | .url')
+  else
+    VAULT_CLI_VERSION=$(printf '%s' "$${API_RESPONSE}" | sed -n 's/.*"version":"\([^"]*\)".*/\1/p')
+    # Fallback: construct URL manually if jq not available
+    DOWNLOAD_URL="https://releases.hashicorp.com/vault/$${VAULT_CLI_VERSION}/vault_$${VAULT_CLI_VERSION}_$${OS}_$${ARCH}.zip"
+  fi
+
+  if [ -z "$${VAULT_CLI_VERSION}" ]; then
+    printf "Failed to determine Vault version.\n"
+    return 1
+  fi
+
+  if [ -z "$${DOWNLOAD_URL}" ]; then
+    printf "Failed to determine download URL for Vault %s (%s/%s).\n" "$${VAULT_CLI_VERSION}" "$${OS}" "$${ARCH}"
+    return 1
+  fi
+
+  printf "Vault version: %s\n" "$${VAULT_CLI_VERSION}"
+
+  # Check if the vault CLI is installed and has the correct version
+  installation_needed=1
+  if command -v vault > /dev/null 2>&1; then
+    CURRENT_VERSION=$(vault version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
+    if [ "$${CURRENT_VERSION}" = "$${VAULT_CLI_VERSION}" ]; then
+      printf "Vault version %s is already installed and up-to-date.\n\n" "$${CURRENT_VERSION}"
+      installation_needed=0
+    fi
+  fi
+
+  if [ "$${installation_needed}" = "1" ]; then
+    # Download and install Vault
+    if [ -z "$${CURRENT_VERSION}" ]; then
+      printf "Installing Vault CLI ...\n\n"
+    else
+      printf "Upgrading Vault CLI from version %s to %s ...\n\n" "$${CURRENT_VERSION}" "$${VAULT_CLI_VERSION}"
+    fi
+
+    # Create temporary directory for download
+    TEMP_DIR=$(mktemp -d)
+    cd "$${TEMP_DIR}" || return 1
+
+    printf "Downloading from %s\n" "$${DOWNLOAD_URL}"
+    if ! fetch_to_file vault.zip "$${DOWNLOAD_URL}"; then
+      printf "Failed to download Vault.\n"
+      rm -rf "$${TEMP_DIR}"
+      return 1
+    fi
+    if ! unzip_safe vault.zip; then
+      printf "Failed to unzip Vault.\n"
+      rm -rf "$${TEMP_DIR}"
+      return 1
+    fi
+
+    # Install to the specified directory
+    if [ -n "$${INSTALL_DIR}" ] && [ -w "$${INSTALL_DIR}" ]; then
+      mv vault "$${INSTALL_DIR}/vault"
+      printf "Vault installed to %s successfully!\n\n" "$${INSTALL_DIR}"
+    elif [ -n "$${INSTALL_DIR}" ] && [ ! -w "$${INSTALL_DIR}" ]; then
+      # Try with sudo if install dir specified but not writable
+      if sudo mv vault "$${INSTALL_DIR}/vault" 2> /dev/null; then
+        printf "Vault installed to %s successfully!\n\n" "$${INSTALL_DIR}"
+      else
+        printf "Warning: Cannot write to %s. " "$${INSTALL_DIR}"
+        mkdir -p ~/.local/bin
+        if mv vault ~/.local/bin/vault; then
+          printf "Installed to ~/.local/bin instead.\n"
+          printf "Please add ~/.local/bin to your PATH to use vault CLI.\n"
+        else
+          printf "Failed to install Vault.\n"
+          rm -rf "$${TEMP_DIR}"
+          return 1
+        fi
+      fi
+    elif sudo mv vault /usr/local/bin/vault 2> /dev/null; then
+      printf "Vault installed successfully!\n\n"
+    else
+      mkdir -p ~/.local/bin
+      if ! mv vault ~/.local/bin/vault; then
+        printf "Failed to move Vault to local bin.\n"
+        rm -rf "$${TEMP_DIR}"
+        return 1
+      fi
+      printf "Please add ~/.local/bin to your PATH to use vault CLI.\n"
+    fi
+
+    # Clean up temp directory
+    rm -rf "$${TEMP_DIR}"
+  fi
+  return 0
+}
+
+# Run installation
+if ! install; then
+  printf "Failed to install Vault CLI.\n"
+  exit 1
+fi
+
+# Indicate token configuration status
+if [ -n "$${VAULT_TOKEN}" ]; then
+  printf "Vault token has been configured via VAULT_TOKEN environment variable.\n"
+else
+  printf "No Vault token provided. Use 'vault login' or set VAULT_TOKEN to authenticate.\n"
+fi
@@ -1,5 +1,5 @@
 ---
-display_name: VSCode Desktop Core
+display_name: Coder VSCode Desktop Core
 description: Building block for modules that need to link to an external VSCode-based IDE
 icon: ../../../../.icons/coder.svg
 verified: true
@@ -11,20 +11,20 @@ tags: [internal, library]
 > [!CAUTION]
 > We do not recommend using this module directly. Instead, please consider using one of our [Desktop IDE modules](https://registry.coder.com/modules?search=tag%3Aide).

-The VSCode Desktop Core module is a building block for modules that need to expose access to VSCode-based IDEs. It is intended primarily to be used as a library to create modules for VSCode-based IDEs.
+The VSCode Desktop Core module is a building block for modules that need to expose access to VSCode-based IDEs. It is intended primarily for internal use by Coder to create modules for VSCode-based IDEs.

 ```tf
 module "vscode-desktop-core" {
  source  = "registry.coder.com/coder/vscode-desktop-core/coder"
-  version = "1.0.0"
+  version = "1.0.1"

  agent_id = var.agent_id

-  coder_app_icon         = "/icon/code.svg"
-  coder_app_slug         = "vscode"
-  coder_app_display_name = "VS Code Desktop"
-  coder_app_order        = var.order
-  coder_app_group        = var.group
+  web_app_icon         = "/icon/code.svg"
+  web_app_slug         = "vscode"
+  web_app_display_name = "VS Code Desktop"
+  web_app_order        = var.order
+  web_app_group        = var.group

  folder      = var.folder
  open_recent = var.open_recent
@@ -10,9 +10,11 @@ const appName = "vscode-desktop";

 const defaultVariables = {
  agent_id: "foo",
-  coder_app_icon: "/icon/code.svg",
-  coder_app_slug: "vscode",
-  coder_app_display_name: "VS Code Desktop",
+
+  web_app_icon: "/icon/code.svg",
+  web_app_slug: "vscode",
+  web_app_display_name: "VS Code Desktop",
+
  protocol: "vscode",
 };

@@ -21,80 +23,115 @@ describe("vscode-desktop-core", async () => {

  testRequiredVariables(import.meta.dir, defaultVariables);

-  it("default output", async () => {
-    const state = await runTerraformApply(import.meta.dir, defaultVariables);
-    expect(state.outputs.ide_uri.value).toBe(
-      `${defaultVariables.protocol}://coder.coder-remote/open?owner=default&workspace=default&url=https://mydeployment.coder.com&token=$SESSION_TOKEN`,
-    );
+  describe("coder_app", () => {
+    describe("IDE URI attributes", () => {
+      it("default output", async () => {
+        const state = await runTerraformApply(
+          import.meta.dir,
+          defaultVariables,
+        );
+        expect(state.outputs.ide_uri.value).toBe(
+          `${defaultVariables.protocol}://coder.coder-remote/open?owner=default&workspace=default&url=https://mydeployment.coder.com&token=$SESSION_TOKEN`,
+        );

-    const coder_app = state.resources.find(
-      (res) => res.type === "coder_app" && res.name === appName,
-    );
+        const coder_app = state.resources.find(
+          (res) => res.type === "coder_app" && res.name === appName,
+        );

-    expect(coder_app).not.toBeNull();
-    expect(coder_app?.instances.length).toBe(1);
-    expect(coder_app?.instances[0].attributes.order).toBeNull();
-  });
+        expect(coder_app).not.toBeNull();
+        expect(coder_app?.instances.length).toBe(1);
+        expect(coder_app?.instances[0].attributes.order).toBeNull();
+      });

-  it("adds folder", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      folder: "/foo/bar",
+      it("adds folder", async () => {
+        const state = await runTerraformApply(import.meta.dir, {
+          folder: "/foo/bar",

-      ...defaultVariables,
+          ...defaultVariables,
+        });
+
+        expect(state.outputs.ide_uri.value).toBe(
+          `${defaultVariables.protocol}://coder.coder-remote/open?owner=default&workspace=default&folder=/foo/bar&url=https://mydeployment.coder.com&token=$SESSION_TOKEN`,
+        );
+      });
+
+      it("adds folder and open_recent", async () => {
+        const state = await runTerraformApply(import.meta.dir, {
+          folder: "/foo/bar",
+          open_recent: "true",
+
+          ...defaultVariables,
+        });
+        expect(state.outputs.ide_uri.value).toBe(
+          `${defaultVariables.protocol}://coder.coder-remote/open?owner=default&workspace=default&folder=/foo/bar&openRecent&url=https://mydeployment.coder.com&token=$SESSION_TOKEN`,
+        );
+      });
+
+      it("adds folder but not open_recent", async () => {
+        const state = await runTerraformApply(import.meta.dir, {
+          folder: "/foo/bar",
+          openRecent: "false",
+
+          ...defaultVariables,
+        });
+        expect(state.outputs.ide_uri.value).toBe(
+          `${defaultVariables.protocol}://coder.coder-remote/open?owner=default&workspace=default&folder=/foo/bar&url=https://mydeployment.coder.com&token=$SESSION_TOKEN`,
+        );
+      });
+
+      it("adds open_recent", async () => {
+        const state = await runTerraformApply(import.meta.dir, {
+          open_recent: "true",
+
+          ...defaultVariables,
+        });
+        expect(state.outputs.ide_uri.value).toBe(
+          `${defaultVariables.protocol}://coder.coder-remote/open?owner=default&workspace=default&openRecent&url=https://mydeployment.coder.com&token=$SESSION_TOKEN`,
+        );
+      });
    });

-    expect(state.outputs.ide_uri.value).toBe(
-      `${defaultVariables.protocol}://coder.coder-remote/open?owner=default&workspace=default&folder=/foo/bar&url=https://mydeployment.coder.com&token=$SESSION_TOKEN`,
-    );
-  });
+    it("sets custom slug and display_name", async () => {
+      const state = await runTerraformApply(import.meta.dir, defaultVariables);

-  it("adds folder and open_recent", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      folder: "/foo/bar",
-      open_recent: "true",
+      const coder_app = state.resources.find(
+        (res) => res.type === "coder_app" && res.name === appName,
+      );

-      ...defaultVariables,
-    });
-    expect(state.outputs.ide_uri.value).toBe(
-      `${defaultVariables.protocol}://coder.coder-remote/open?owner=default&workspace=default&folder=/foo/bar&openRecent&url=https://mydeployment.coder.com&token=$SESSION_TOKEN`,
-    );
-  });
-
-  it("adds folder but not open_recent", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      folder: "/foo/bar",
-      openRecent: "false",
-
-      ...defaultVariables,
-    });
-    expect(state.outputs.ide_uri.value).toBe(
-      `${defaultVariables.protocol}://coder.coder-remote/open?owner=default&workspace=default&folder=/foo/bar&url=https://mydeployment.coder.com&token=$SESSION_TOKEN`,
-    );
-  });
-
-  it("adds open_recent", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      open_recent: "true",
-
-      ...defaultVariables,
-    });
-    expect(state.outputs.ide_uri.value).toBe(
-      `${defaultVariables.protocol}://coder.coder-remote/open?owner=default&workspace=default&openRecent&url=https://mydeployment.coder.com&token=$SESSION_TOKEN`,
-    );
-  });
-
-  it("expect order to be set", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      coder_app_order: "22",
-      ...defaultVariables,
+      expect(coder_app?.instances[0].attributes.slug).toBe(
+        defaultVariables.web_app_slug,
+      );
+      expect(coder_app?.instances[0].attributes.display_name).toBe(
+        defaultVariables.web_app_display_name,
+      );
    });

-    const coder_app = state.resources.find(
-      (res) => res.type === "coder_app" && res.name === appName,
-    );
+    it("sets order", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        web_app_order: "5",

-    expect(coder_app).not.toBeNull();
-    expect(coder_app?.instances.length).toBe(1);
-    expect(coder_app?.instances[0].attributes.order).toBe(22);
+        ...defaultVariables,
+      });
+
+      const coder_app = state.resources.find(
+        (res) => res.type === "coder_app" && res.name === appName,
+      );
+
+      expect(coder_app?.instances[0].attributes.order).toBe(5);
+    });
+
+    it("sets group", async () => {
+      const state = await runTerraformApply(import.meta.dir, {
+        web_app_group: "web-app-group",
+
+        ...defaultVariables,
+      });
+
+      const coder_app = state.resources.find(
+        (res) => res.type === "coder_app" && res.name === appName,
+      );
+
+      expect(coder_app?.instances[0].attributes.group).toBe("web-app-group");
+    });
  });
 });
@@ -28,31 +28,31 @@ variable "open_recent" {

 variable "protocol" {
  type        = string
-  description = "The URI protocol for the IDE."
+  description = "The URI protocol the IDE."
 }

-variable "coder_app_icon" {
+variable "web_app_icon" {
  type        = string
  description = "The icon of the coder_app."
 }

-variable "coder_app_slug" {
+variable "web_app_slug" {
  type        = string
  description = "The slug of the coder_app."
 }

-variable "coder_app_display_name" {
+variable "web_app_display_name" {
  type        = string
  description = "The display name of the coder_app."
 }

-variable "coder_app_order" {
+variable "web_app_order" {
  type        = number
  description = "The order of the coder_app."
  default     = null
 }

-variable "coder_app_group" {
+variable "web_app_group" {
  type        = string
  description = "The group of the coder_app."
  default     = null
@@ -65,25 +65,38 @@ resource "coder_app" "vscode-desktop" {
  agent_id = var.agent_id
  external = true

-  icon         = var.coder_app_icon
-  slug         = var.coder_app_slug
-  display_name = var.coder_app_display_name
+  icon         = var.web_app_icon
+  slug         = var.web_app_slug
+  display_name = var.web_app_display_name

-  order = var.coder_app_order
-  group = var.coder_app_group
+  order = var.web_app_order
+  group = var.web_app_group

-  # While the call to "join" is not strictly necessary, it makes the URL more readable.
  url = join("", [
-    "${var.protocol}://coder.coder-remote/open",
+    var.protocol,
+    "://coder.coder-remote/open",
+    "?owner=",
+    data.coder_workspace_owner.me.name,
+    "&workspace=",
+    data.coder_workspace.me.name,
+    var.folder != "" ? join("", ["&folder=", var.folder]) : "",
+    var.open_recent ? "&openRecent" : "",
+    "&url=",
+    data.coder_workspace.me.access_url,
+    "&token=$SESSION_TOKEN",
+  ])
+
+  /*
+    url = join("", [
+    "vscode://coder.coder-remote/open",
    "?owner=${data.coder_workspace_owner.me.name}",
    "&workspace=${data.coder_workspace.me.name}",
    var.folder != "" ? join("", ["&folder=", var.folder]) : "",
    var.open_recent ? "&openRecent" : "",
    "&url=${data.coder_workspace.me.access_url}",
-    # NOTE: There is a protocol whitelist for the token replacement, so this will only work with the protocols hardcoded in the front-end.
-    # (https://github.com/coder/coder/blob/6ba4b5bbc95e2e528d7f5b1e31fffa200ae1a6db/site/src/modules/apps/apps.ts#L18)
    "&token=$SESSION_TOKEN",
  ])
+  */
 }

 output "ide_uri" {
@@ -16,7 +16,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "vscode" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/vscode-desktop/coder"
-  version  = "1.1.2"
+  version  = "1.2.0"
  agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ module "vscode" {
 module "vscode" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/vscode-desktop/coder"
-  version  = "1.1.2"
+  version  = "1.2.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
 }
@@ -22,7 +22,10 @@ describe("vscode-desktop", async () => {
    );

    const coder_app = state.resources.find(
-      (res) => res.type === "coder_app" && res.name === "vscode",
+      (res) =>
+        res.type === "coder_app" &&
+        res.module === "module.vscode-desktop-core" &&
+        res.name === "vscode-desktop",
    );

    expect(coder_app).not.toBeNull();
@@ -71,19 +74,4 @@ describe("vscode-desktop", async () => {
      "vscode://coder.coder-remote/open?owner=default&workspace=default&openRecent&url=https://mydeployment.coder.com&token=$SESSION_TOKEN",
    );
  });
-
-  it("expect order to be set", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      order: "22",
-    });
-
-    const coder_app = state.resources.find(
-      (res) => res.type === "coder_app" && res.name === "vscode",
-    );
-
-    expect(coder_app).not.toBeNull();
-    expect(coder_app?.instances.length).toBe(1);
-    expect(coder_app?.instances[0].attributes.order).toBe(22);
-  });
 });
@@ -38,33 +38,24 @@ variable "group" {
  default     = null
 }

-data "coder_workspace" "me" {}
-data "coder_workspace_owner" "me" {}
+module "vscode-desktop-core" {
+  source  = "registry.coder.com/coder/vscode-desktop-core/coder"
+  version = "1.0.0"

-resource "coder_app" "vscode" {
-  agent_id     = var.agent_id
-  external     = true
-  icon         = "/icon/code.svg"
-  slug         = "vscode"
-  display_name = "VS Code Desktop"
-  order        = var.order
-  group        = var.group
+  agent_id = var.agent_id

-  url = join("", [
-    "vscode://coder.coder-remote/open",
-    "?owner=",
-    data.coder_workspace_owner.me.name,
-    "&workspace=",
-    data.coder_workspace.me.name,
-    var.folder != "" ? join("", ["&folder=", var.folder]) : "",
-    var.open_recent ? "&openRecent" : "",
-    "&url=",
-    data.coder_workspace.me.access_url,
-    "&token=$SESSION_TOKEN",
-  ])
+  coder_app_icon         = "/icon/code.svg"
+  coder_app_slug         = "vscode"
+  coder_app_display_name = "VS Code Desktop"
+  coder_app_order        = var.order
+  coder_app_group        = var.group
+
+  folder      = var.folder
+  open_recent = var.open_recent
+  protocol    = "vscode"
 }

 output "vscode_url" {
-  value       = coder_app.vscode.url
+  value       = module.vscode-desktop-core.ide_uri
  description = "VS Code Desktop URL."
-}
+}
@@ -16,7 +16,7 @@ Uses the [Coder Remote VS Code Extension](https://github.com/coder/vscode-coder)
 module "windsurf" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/windsurf/coder"
-  version  = "1.2.1"
+  version  = "1.3.0"
  agent_id = coder_agent.main.id
 }
 ```
@@ -29,7 +29,7 @@ module "windsurf" {
 module "windsurf" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/windsurf/coder"
-  version  = "1.2.1"
+  version  = "1.3.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
 }
@@ -45,7 +45,7 @@ The following example configures Windsurf to use the GitHub MCP server with auth
 module "windsurf" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/windsurf/coder"
-  version  = "1.2.1"
+  version  = "1.3.0"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
  mcp = jsonencode({
@@ -58,6 +58,7 @@ module "windsurf" {
        "type" : "http"
      }

+
    }
  })
 }
@@ -26,7 +26,10 @@ describe("windsurf", async () => {
    );

    const coder_app = state.resources.find(
-      (res) => res.type === "coder_app" && res.name === "windsurf",
+      (res) =>
+        res.type === "coder_app" &&
+        res.module === "module.vscode-desktop-core" &&
+        res.name === "vscode-desktop",
    );

    expect(coder_app).not.toBeNull();
@@ -76,21 +79,6 @@ describe("windsurf", async () => {
    );
  });

-  it("expect order to be set", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      order: 22,
-    });
-
-    const coder_app = state.resources.find(
-      (res) => res.type === "coder_app" && res.name === "windsurf",
-    );
-
-    expect(coder_app).not.toBeNull();
-    expect(coder_app?.instances.length).toBe(1);
-    expect(coder_app?.instances[0].attributes.order).toBe(22);
-  });
-
  it("writes ~/.codeium/windsurf/mcp_config.json when mcp provided", async () => {
    const id = await runContainer("alpine");
    try {
@@ -16,7 +16,7 @@ variable "agent_id" {

 variable "folder" {
  type        = string
-  description = "The folder to open in Cursor IDE."
+  description = "The folder to open in Windsurf Editor."
  default     = ""
 }

@@ -63,26 +63,21 @@ locals {
  mcp_b64 = var.mcp != "" ? base64encode(var.mcp) : ""
 }

-resource "coder_app" "windsurf" {
-  agent_id     = var.agent_id
-  external     = true
-  icon         = "/icon/windsurf.svg"
-  slug         = var.slug
-  display_name = var.display_name
-  order        = var.order
-  group        = var.group
-  url = join("", [
-    "windsurf://coder.coder-remote/open",
-    "?owner=",
-    data.coder_workspace_owner.me.name,
-    "&workspace=",
-    data.coder_workspace.me.name,
-    var.folder != "" ? join("", ["&folder=", var.folder]) : "",
-    var.open_recent ? "&openRecent" : "",
-    "&url=",
-    data.coder_workspace.me.access_url,
-    "&token=$SESSION_TOKEN",
-  ])
+module "vscode-desktop-core" {
+  source  = "registry.coder.com/coder/vscode-desktop-core/coder"
+  version = "1.0.0"
+
+  agent_id = var.agent_id
+
+  coder_app_icon         = "/icon/windsurf.svg"
+  coder_app_slug         = "windsurf"
+  coder_app_display_name = "Windsurf Editor"
+  coder_app_order        = var.order
+  coder_app_group        = var.group
+
+  folder      = var.folder
+  open_recent = var.open_recent
+  protocol    = "windsurf"
 }

 resource "coder_script" "windsurf_mcp" {
@@ -102,6 +97,6 @@ resource "coder_script" "windsurf_mcp" {
 }

 output "windsurf_url" {
-  value       = coder_app.windsurf.url
+  value       = module.vscode-desktop-core.ide_uri
  description = "Windsurf Editor URL."
-}
+}
@@ -19,7 +19,7 @@ Zed is a high-performance, multiplayer code editor from the creators of Atom and
 module "zed" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/zed/coder"
-  version  = "1.1.2"
+  version  = "1.1.4"
  agent_id = coder_agent.main.id
 }
 ```
@@ -32,7 +32,7 @@ module "zed" {
 module "zed" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/zed/coder"
-  version  = "1.1.2"
+  version  = "1.1.4"
  agent_id = coder_agent.main.id
  folder   = "/home/coder/project"
 }
@@ -44,7 +44,7 @@ module "zed" {
 module "zed" {
  count        = data.coder_workspace.me.start_count
  source       = "registry.coder.com/coder/zed/coder"
-  version      = "1.1.2"
+  version      = "1.1.4"
  agent_id     = coder_agent.main.id
  display_name = "Zed Editor"
  order        = 1
@@ -57,7 +57,7 @@ module "zed" {
 module "zed" {
  count      = data.coder_workspace.me.start_count
  source     = "registry.coder.com/coder/zed/coder"
-  version    = "1.1.2"
+  version    = "1.1.4"
  agent_id   = coder_agent.main.id
  agent_name = coder_agent.example.name
 }
@@ -73,7 +73,7 @@ You can declaratively set/merge settings with the `settings` input. Provide a JS
 module "zed" {
  count    = data.coder_workspace.me.start_count
  source   = "registry.coder.com/coder/zed/coder"
-  version  = "1.1.2"
+  version  = "1.1.4"
  agent_id = coder_agent.main.id

  settings = jsonencode({
@@ -85,6 +85,7 @@ module "zed" {
        env     = {}
      }

+
    }
  })
 }
@@ -1,5 +1,9 @@
 import { describe, expect, it } from "bun:test";
 import {
+  execContainer,
+  findResourceInstance,
+  removeContainer,
+  runContainer,
  runTerraformApply,
  runTerraformInit,
  testRequiredVariables,
@@ -12,66 +16,114 @@ describe("zed", async () => {
    agent_id: "foo",
  });

-  it("default output", async () => {
+  it("creates settings file with correct JSON", async () => {
+    const settings = {
+      theme: "One Dark",
+      buffer_font_size: 14,
+      vim_mode: true,
+      telemetry: {
+        diagnostics: false,
+        metrics: false,
+      },
+      // Test special characters: single quotes, backslashes, URLs
+      message: "it's working",
+      path: "C:\\Users\\test",
+      api_url: "https://api.example.com/v1?token=abc&user=test",
+    };
+
    const state = await runTerraformApply(import.meta.dir, {
      agent_id: "foo",
+      settings: JSON.stringify(settings),
    });
-    expect(state.outputs.zed_url.value).toBe("zed://ssh/default.coder");

-    const coder_app = state.resources.find(
-      (res) => res.type === "coder_app" && res.name === "zed",
-    );
+    const instance = findResourceInstance(state, "coder_script");
+    const id = await runContainer("alpine:latest");

-    expect(coder_app).not.toBeNull();
-    expect(coder_app?.instances.length).toBe(1);
-    expect(coder_app?.instances[0].attributes.order).toBeNull();
-  });
+    try {
+      const result = await execContainer(id, ["sh", "-c", instance.script]);
+      expect(result.exitCode).toBe(0);
+
+      const catResult = await execContainer(id, [
+        "cat",
+        "/root/.config/zed/settings.json",
+      ]);
+      expect(catResult.exitCode).toBe(0);
+
+      const written = JSON.parse(catResult.stdout.trim());
+      expect(written).toEqual(settings);
+    } finally {
+      await removeContainer(id);
+    }
+  }, 30000);
+
+  it("merges settings with existing file when jq available", async () => {
+    const existingSettings = {
+      theme: "Solarized Dark",
+      vim_mode: true,
+    };
+
+    const newSettings = {
+      theme: "One Dark",
+      buffer_font_size: 14,
+    };

-  it("adds folder", async () => {
    const state = await runTerraformApply(import.meta.dir, {
      agent_id: "foo",
-      folder: "/foo/bar",
+      settings: JSON.stringify(newSettings),
    });
-    expect(state.outputs.zed_url.value).toBe("zed://ssh/default.coder/foo/bar");
-  });

-  it("expect order to be set", async () => {
+    const instance = findResourceInstance(state, "coder_script");
+    const id = await runContainer("alpine:latest");
+
+    try {
+      // Install jq and create existing settings file
+      await execContainer(id, ["apk", "add", "--no-cache", "jq"]);
+      await execContainer(id, ["mkdir", "-p", "/root/.config/zed"]);
+      await execContainer(id, [
+        "sh",
+        "-c",
+        `echo '${JSON.stringify(existingSettings)}' > /root/.config/zed/settings.json`,
+      ]);
+
+      const result = await execContainer(id, ["sh", "-c", instance.script]);
+      expect(result.exitCode).toBe(0);
+
+      const catResult = await execContainer(id, [
+        "cat",
+        "/root/.config/zed/settings.json",
+      ]);
+      expect(catResult.exitCode).toBe(0);
+
+      const merged = JSON.parse(catResult.stdout.trim());
+      expect(merged.theme).toBe("One Dark"); // overwritten
+      expect(merged.buffer_font_size).toBe(14); // added
+      expect(merged.vim_mode).toBe(true); // preserved
+    } finally {
+      await removeContainer(id);
+    }
+  }, 30000);
+
+  it("exits early with empty settings", async () => {
    const state = await runTerraformApply(import.meta.dir, {
      agent_id: "foo",
-      order: "22",
+      settings: "",
    });

-    const coder_app = state.resources.find(
-      (res) => res.type === "coder_app" && res.name === "zed",
-    );
+    const instance = findResourceInstance(state, "coder_script");
+    const id = await runContainer("alpine:latest");

-    expect(coder_app).not.toBeNull();
-    expect(coder_app?.instances.length).toBe(1);
-    expect(coder_app?.instances[0].attributes.order).toBe(22);
-  });
+    try {
+      const result = await execContainer(id, ["sh", "-c", instance.script]);
+      expect(result.exitCode).toBe(0);

-  it("expect display_name to be set", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      display_name: "Custom Zed",
-    });
-
-    const coder_app = state.resources.find(
-      (res) => res.type === "coder_app" && res.name === "zed",
-    );
-
-    expect(coder_app).not.toBeNull();
-    expect(coder_app?.instances.length).toBe(1);
-    expect(coder_app?.instances[0].attributes.display_name).toBe("Custom Zed");
-  });
-
-  it("adds agent_name to hostname", async () => {
-    const state = await runTerraformApply(import.meta.dir, {
-      agent_id: "foo",
-      agent_name: "myagent",
-    });
-    expect(state.outputs.zed_url.value).toBe(
-      "zed://ssh/myagent.default.default.coder",
-    );
-  });
+      // Settings file should not be created
+      const catResult = await execContainer(id, [
+        "cat",
+        "/root/.config/zed/settings.json",
+      ]);
+      expect(catResult.exitCode).not.toBe(0);
+    } finally {
+      await removeContainer(id);
+    }
+  }, 30000);
 });
@@ -65,6 +65,7 @@ locals {
  owner_name     = lower(data.coder_workspace_owner.me.name)
  agent_name     = lower(var.agent_name)
  hostname       = var.agent_name != "" ? "${local.agent_name}.${local.workspace_name}.${local.owner_name}.coder" : "${local.workspace_name}.coder"
+  settings_b64   = var.settings != "" ? base64encode(var.settings) : ""
 }

 resource "coder_script" "zed_settings" {
@@ -73,9 +74,13 @@ resource "coder_script" "zed_settings" {
  icon         = "/icon/zed.svg"
  run_on_start = true
  script       = <<-EOT
-    #!/bin/sh
+    #!/usr/bin/env bash
    set -eu
-    SETTINGS_JSON='${replace(var.settings, "\"", "\\\"")}'
+    SETTINGS_B64='${local.settings_b64}'
+    if [ -z "$${SETTINGS_B64}" ]; then
+      exit 0
+    fi
+    SETTINGS_JSON="$(echo -n "$${SETTINGS_B64}" | base64 -d)"
    if [ -z "$${SETTINGS_JSON}" ] || [ "$${SETTINGS_JSON}" = "{}" ]; then
      exit 0
    fi
--- a/Show More
+++ b/Show More