Merge branch 'main' into aws-cli-module

## Description

Claude-Code auto-updates itself unless the `DISABLE_AUTOUPDATER` env is
set. This PR adds a `disable_autoupdater` variable which allows the user
to disable claude-code's auto updating feature. This should resolve the
issue where claude-code updates itself when a user defines a specific
claude-code version to be installed which was confusing for the end
user.

<!-- Briefly describe what this PR does and why -->

## Type of Change

- [ ] New module
- [ ] New template
- [X] Bug fix
- [ ] Feature/enhancement
- [ ] Documentation
- [ ] Other

## Module Information

<!-- Delete this section if not applicable -->

**Path:** `registry/coder/modules/claude-code`  
**New version:** `v4.2.0`  
**Breaking change:** [ ] Yes [X] No

## Testing & Validation

- [X] Tests pass (`bun test`)
- [X] Code formatted (`bun fmt`)
- [X] Changes tested locally

## Related Issues

<!-- Link related issues or write "None" if not applicable -->

bun.lock

@@ -1,5 +1,6 @@
 {
   "lockfileVersion": 1,
+  "configVersion": 0,
   "workspaces": {
     "": {
       "name": "registry",

registry/ausbru87/README.md

@@ -0,0 +1,32 @@
+---
+display_name: Austen Bruhn
+bio: Solution Engineer at Coder, OSS enthusiast
+github: ausbru87
+avatar: ./.images/avatar.png
+linkedin: https://www.linkedin.com/in/austen-bruhn-b0a646a1/
+status: community
+---
+
+# ausbru87
+
+Brief description of what this namespace provides. Include information about:
+
+- What types of templates/modules you offer
+- Your focus areas (e.g., specific cloud providers, technologies)
+- Any special features or configurations
+
+## Templates
+
+List your available templates here:
+
+- **template-name**: Brief description
+
+## Modules
+
+List your available modules here:
+
+- **module-name**: Brief description
+
+## Contributing
+
+If you'd like to contribute to this namespace, please [open an issue](https://github.com/coder/registry/issues) or submit a pull request.

registry/ausbru87/modules/aws-cli/README.md

@@ -0,0 +1,78 @@
+---
+display_name: AWS CLI
+description: Install AWS CLI v2 in your workspace
+icon: ../../../../.icons/aws.svg
+verified: false
+tags: [helper, aws, cli]
+---
+
+# AWS CLI
+
+Automatically install the [AWS CLI v2](https://aws.amazon.com/cli/) in your Coder workspace with command autocomplete support for bash, zsh, and fish shells.
+
+```tf
+module "aws-cli" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/ausbru87/aws-cli/coder"
+  version  = "1.0.0"
+  agent_id = coder_agent.example.id
+}
+```
+
+## Features
+
+- Installs AWS CLI v2 for Linux and macOS
+- Supports x86_64 and ARM64 architectures
+- Optional version pinning
+- **Auto-configures command autocomplete** for bash, zsh, and fish shells
+
+## Examples
+
+### Basic Installation
+
+```tf
+module "aws-cli" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/ausbru87/aws-cli/coder"
+  version  = "1.0.0"
+  agent_id = coder_agent.example.id
+}
+```
+
+### Pin to Specific Version
+
+```tf
+module "aws-cli" {
+  count           = data.coder_workspace.me.start_count
+  source          = "registry.coder.com/ausbru87/aws-cli/coder"
+  version         = "1.0.0"
+  agent_id        = coder_agent.example.id
+  install_version = "2.15.0"
+}
+```
+
+### Custom Log Path
+
+```tf
+module "aws-cli" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/ausbru87/aws-cli/coder"
+  version  = "1.0.0"
+  agent_id = coder_agent.example.id
+  log_path = "/var/log/aws-cli.log"
+}
+```
+
+### Airgapped Environment
+
+Use a custom download URL for environments without internet access to AWS:
+
+```tf
+module "aws-cli" {
+  count        = data.coder_workspace.me.start_count
+  source       = "registry.coder.com/ausbru87/aws-cli/coder"
+  version      = "1.0.0"
+  agent_id     = coder_agent.example.id
+  download_url = "https://internal-mirror.company.com/awscli-exe-linux-x86_64.zip"
+}
+```

registry/ausbru87/modules/aws-cli/aws-cli.tftest.hcl

@@ -0,0 +1,34 @@
+run "required_vars" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent-id"
+  }
+}
+
+run "with_custom_version" {
+  command = plan
+
+  variables {
+    agent_id        = "test-agent-id"
+    install_version = "2.15.0"
+  }
+}
+
+run "with_custom_log_path" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent-id"
+    log_path = "/var/log/aws-cli.log"
+  }
+}
+
+run "with_custom_download_url" {
+  command = plan
+
+  variables {
+    agent_id     = "test-agent-id"
+    download_url = "https://internal-mirror.company.com/awscli-exe-linux-x86_64.zip"
+  }
+}

registry/ausbru87/modules/aws-cli/main.tf

@@ -0,0 +1,46 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 2.5"
+    }
+  }
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+variable "install_version" {
+  type        = string
+  description = "The version of AWS CLI to install."
+  default     = ""
+}
+
+variable "download_url" {
+  type        = string
+  description = "Custom download URL for AWS CLI. Useful for airgapped environments. If not set, uses the official AWS download URL."
+  default     = ""
+}
+
+variable "log_path" {
+  type        = string
+  description = "The path to the AWS CLI installation log file."
+  default     = "/tmp/aws-cli-install.log"
+}
+
+resource "coder_script" "aws-cli" {
+  agent_id     = var.agent_id
+  display_name = "AWS CLI"
+  icon         = "/icon/aws.svg"
+  script = templatefile("${path.module}/run.sh", {
+    LOG_PATH : var.log_path,
+    VERSION : var.install_version,
+    DOWNLOAD_URL : var.download_url,
+  })
+  run_on_start = true
+  run_on_stop  = false
+}

registry/ausbru87/modules/aws-cli/run.sh

@@ -0,0 +1,129 @@
+#!/usr/bin/env sh
+
+set -e
+
+LOG_PATH=${LOG_PATH}
+VERSION=${VERSION}
+DOWNLOAD_URL=${DOWNLOAD_URL}
+
+BOLD='\\033[0;1m'
+RESET='\\033[0m'
+
+printf "${BOLD}Installing AWS CLI...\\n${RESET}"
+
+# Check if AWS CLI is already installed
+if command -v aws > /dev/null 2>&1; then
+  INSTALLED_VERSION=$(aws --version 2>&1 | cut -d' ' -f1 | cut -d'/' -f2)
+  if [ -n "$VERSION" ] && [ "$INSTALLED_VERSION" != "$VERSION" ]; then
+    printf "❌ AWS CLI $INSTALLED_VERSION is installed, but version $VERSION was requested.\\n"
+    printf "Note: AWS CLI installer does not support version-specific installation.\\n"
+    exit 1
+  else
+    printf "AWS CLI is already installed ($INSTALLED_VERSION). Skipping installation.\\n"
+    exit 0
+  fi
+fi
+
+# Determine OS and architecture
+OS=$(uname -s | tr '[:upper:]' '[:lower:]')
+ARCH=$(uname -m)
+
+case "$ARCH" in
+  x86_64) ARCH="x86_64" ;;
+  aarch64 | arm64) ARCH="aarch64" ;;
+  *)
+    printf "Unsupported architecture: $ARCH\\n" >> "${LOG_PATH}" 2>&1
+    exit 1
+    ;;
+esac
+
+# Install AWS CLI
+if [ "$OS" = "linux" ]; then
+  # Use custom download URL if provided, otherwise use default AWS URL
+  if [ -z "$DOWNLOAD_URL" ]; then
+    DOWNLOAD_URL="https://awscli.amazonaws.com/awscli-exe-linux-${ARCH}.zip"
+  fi
+
+  printf "Downloading AWS CLI from $DOWNLOAD_URL...\\n"
+  curl -fsSL "$DOWNLOAD_URL" -o /tmp/awscliv2.zip >> "${LOG_PATH}" 2>&1 || exit 1
+
+  unzip -q /tmp/awscliv2.zip -d /tmp >> "${LOG_PATH}" 2>&1 || exit 1
+  sudo /tmp/aws/install >> "${LOG_PATH}" 2>&1 || exit 1
+
+  rm -rf /tmp/awscliv2.zip /tmp/aws
+
+elif [ "$OS" = "darwin" ]; then
+  # Use custom download URL if provided, otherwise use architecture-specific AWS URL
+  if [ -z "$DOWNLOAD_URL" ]; then
+    case "$ARCH" in
+      x86_64)
+        DOWNLOAD_URL="https://awscli.amazonaws.com/AWSCLIV2-x86_64.pkg"
+        ;;
+      aarch64)
+        DOWNLOAD_URL="https://awscli.amazonaws.com/AWSCLIV2-arm64.pkg"
+        ;;
+      *)
+        DOWNLOAD_URL="https://awscli.amazonaws.com/AWSCLIV2.pkg"
+        ;;
+    esac
+  fi
+
+  printf "Downloading AWS CLI from $DOWNLOAD_URL...\\n"
+  curl -fsSL "$DOWNLOAD_URL" -o /tmp/AWSCLIV2.pkg >> "${LOG_PATH}" 2>&1 || exit 1
+
+  sudo installer -pkg /tmp/AWSCLIV2.pkg -target / >> "${LOG_PATH}" 2>&1 || exit 1
+
+  rm -f /tmp/AWSCLIV2.pkg
+
+else
+  printf "Unsupported OS: $OS\\n" >> "${LOG_PATH}" 2>&1
+  exit 1
+fi
+
+# Verify installation was successful
+if command -v aws > /dev/null 2>&1; then
+  printf "🥳 AWS CLI installed successfully!\\n"
+  aws --version
+
+  # Configure autocomplete for common shells
+  if command -v aws_completer > /dev/null 2>&1; then
+    AWS_COMPLETER_PATH=$(which aws_completer)
+
+    # Bash autocomplete
+    if [ -f ~/.bashrc ]; then
+      if ! grep -q "aws_completer.*aws" ~/.bashrc; then
+        echo "complete -C '$AWS_COMPLETER_PATH' aws" >> ~/.bashrc
+        printf "✓ Configured AWS CLI autocomplete for bash\\n"
+      fi
+    fi
+
+    # Zsh autocomplete
+    if [ -f ~/.zshrc ] || [ -d ~/.oh-my-zsh ]; then
+      if ! grep -q "aws_completer.*aws" ~/.zshrc 2> /dev/null; then
+        cat >> ~/.zshrc << ZSHEOF
+
+# AWS CLI autocomplete
+autoload bashcompinit && bashcompinit
+autoload -Uz compinit && compinit
+complete -C '$AWS_COMPLETER_PATH' aws
+ZSHEOF
+        printf "✓ Configured AWS CLI autocomplete for zsh\\n"
+      fi
+    fi
+
+    # Fish autocomplete
+    if [ -d ~/.config/fish ] || command -v fish > /dev/null 2>&1; then
+      mkdir -p ~/.config/fish/completions
+      FISH_COMPLETION=~/.config/fish/completions/aws.fish
+      if [ ! -f "$FISH_COMPLETION" ]; then
+        cat > "$FISH_COMPLETION" << 'FISHEOF'
+complete --command aws --no-files --arguments '(begin; set --local --export COMP_SHELL fish; set --local --export COMP_LINE (commandline); aws_completer | sed '"'"'s/ $//'"'"'; end)'
+FISHEOF
+        printf "✓ Configured AWS CLI autocomplete for fish\\n"
+      fi
+    fi
+  fi
+else
+  printf "❌ AWS CLI installation failed. Check logs at ${LOG_PATH}\\n"
+  exit 1
+fi

registry/coder/modules/claude-code/README.md

@@ -13,7 +13,7 @@ Run the [Claude Code](https://docs.anthropic.com/en/docs/agents-and-tools/claude
 ```tf
 module "claude-code" {
   source         = "registry.coder.com/coder/claude-code/coder"
-  version        = "4.0.1"
+  version        = "4.2.0"
   agent_id       = coder_agent.example.id
   workdir        = "/home/coder/project"
   claude_api_key = "xxxx-xxxxx-xxxx"
@@ -70,7 +70,7 @@ data "coder_parameter" "ai_prompt" {
 
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.0.1"
+  version  = "4.2.0"
   agent_id = coder_agent.example.id
   workdir  = "/home/coder/project"
 
@@ -106,7 +106,7 @@ Run and configure Claude Code as a standalone CLI in your workspace.
 ```tf
 module "claude-code" {
   source              = "registry.coder.com/coder/claude-code/coder"
-  version             = "4.0.1"
+  version             = "4.2.0"
   agent_id            = coder_agent.example.id
   workdir             = "/home/coder"
   install_claude_code = true
@@ -129,7 +129,7 @@ variable "claude_code_oauth_token" {
 
 module "claude-code" {
   source                  = "registry.coder.com/coder/claude-code/coder"
-  version                 = "4.0.1"
+  version                 = "4.2.0"
   agent_id                = coder_agent.example.id
   workdir                 = "/home/coder/project"
   claude_code_oauth_token = var.claude_code_oauth_token
@@ -202,7 +202,7 @@ resource "coder_env" "bedrock_api_key" {
 
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.0.1"
+  version  = "4.2.0"
   agent_id = coder_agent.example.id
   workdir  = "/home/coder/project"
   model    = "global.anthropic.claude-sonnet-4-5-20250929-v1:0"
@@ -259,7 +259,7 @@ resource "coder_env" "google_application_credentials" {
 
 module "claude-code" {
   source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "4.0.1"
+  version  = "4.2.0"
   agent_id = coder_agent.example.id
   workdir  = "/home/coder/project"
   model    = "claude-sonnet-4@20250514"

registry/coder/modules/claude-code/main.tf

@@ -114,6 +114,12 @@ variable "claude_code_version" {
   default     = "latest"
 }
 
+variable "disable_autoupdater" {
+  type        = bool
+  description = "Disable Claude Code automatic updates. When true, Claude Code will stay on the installed version."
+  default     = false
+}
+
 variable "claude_api_key" {
   type        = string
   description = "The API key to use for the Claude Code server."
@@ -240,6 +246,12 @@ variable "boundary_pprof_port" {
   default     = "6067"
 }
 
+variable "compile_boundary_from_source" {
+  type        = bool
+  description = "Whether to compile boundary from source instead of using the official install script"
+  default     = false
+}
+
 resource "coder_env" "claude_code_md_path" {
   count = var.claude_md_path == "" ? 0 : 1
 
@@ -268,6 +280,14 @@ resource "coder_env" "claude_api_key" {
   value    = var.claude_api_key
 }
 
+resource "coder_env" "disable_autoupdater" {
+  count = var.disable_autoupdater ? 1 : 0
+
+  agent_id = var.agent_id
+  name     = "DISABLE_AUTOUPDATER"
+  value    = "1"
+}
+
 locals {
   # we have to trim the slash because otherwise coder exp mcp will
   # set up an invalid claude config
@@ -357,6 +377,7 @@ module "agentapi" {
      ARG_BOUNDARY_PROXY_PORT='${var.boundary_proxy_port}' \
      ARG_ENABLE_BOUNDARY_PPROF='${var.enable_boundary_pprof}' \
      ARG_BOUNDARY_PPROF_PORT='${var.boundary_pprof_port}' \
+     ARG_COMPILE_FROM_SOURCE='${var.compile_boundary_from_source}' \
      ARG_CODER_HOST='${local.coder_host}' \
      /tmp/start.sh
    EOT

registry/coder/modules/claude-code/scripts/start.sh

@@ -28,6 +28,7 @@ ARG_BOUNDARY_LOG_LEVEL=${ARG_BOUNDARY_LOG_LEVEL:-"WARN"}
 ARG_BOUNDARY_PROXY_PORT=${ARG_BOUNDARY_PROXY_PORT:-"8087"}
 ARG_ENABLE_BOUNDARY_PPROF=${ARG_ENABLE_BOUNDARY_PPROF:-false}
 ARG_BOUNDARY_PPROF_PORT=${ARG_BOUNDARY_PPROF_PORT:-"6067"}
+ARG_COMPILE_FROM_SOURCE=${ARG_COMPILE_FROM_SOURCE:-false}
 ARG_CODER_HOST=${ARG_CODER_HOST:-}
 
 echo "--------------------------------"
@@ -45,6 +46,7 @@ printf "ARG_BOUNDARY_VERSION: %s\n" "$ARG_BOUNDARY_VERSION"
 printf "ARG_BOUNDARY_LOG_DIR: %s\n" "$ARG_BOUNDARY_LOG_DIR"
 printf "ARG_BOUNDARY_LOG_LEVEL: %s\n" "$ARG_BOUNDARY_LOG_LEVEL"
 printf "ARG_BOUNDARY_PROXY_PORT: %s\n" "$ARG_BOUNDARY_PROXY_PORT"
+printf "ARG_COMPILE_FROM_SOURCE: %s\n" "$ARG_COMPILE_FROM_SOURCE"
 printf "ARG_CODER_HOST: %s\n" "$ARG_CODER_HOST"
 
 echo "--------------------------------"
@@ -63,11 +65,25 @@ case $session_cleanup_exit_code in
 esac
 
 function install_boundary() {
-  # Install boundary from public github repo
-  git clone https://github.com/coder/boundary
-  cd boundary
-  git checkout $ARG_BOUNDARY_VERSION
-  go install ./cmd/...
+  if [ "${ARG_COMPILE_FROM_SOURCE:-false}" = "true" ]; then
+    # Install boundary by compiling from source
+    echo "Compiling boundary from source (version: $ARG_BOUNDARY_VERSION)"
+    git clone https://github.com/coder/boundary.git
+    cd boundary
+    git checkout "$ARG_BOUNDARY_VERSION"
+
+    # Build the binary
+    make build
+
+    # Install binary and wrapper script (optional)
+    sudo cp boundary /usr/local/bin/
+    sudo cp scripts/boundary-wrapper.sh /usr/local/bin/boundary-run
+    sudo chmod +x /usr/local/bin/boundary-run
+  else
+    # Install boundary using official install script
+    echo "Installing boundary using official install script (version: $ARG_BOUNDARY_VERSION)"
+    curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | bash -s -- --version "$ARG_BOUNDARY_VERSION"
+  fi
 }
 
 function validate_claude_installation() {
@@ -209,9 +225,8 @@ function start_agentapi() {
       BOUNDARY_ARGS+=(--pprof-port ${ARG_BOUNDARY_PPROF_PORT})
     fi
 
-    agentapi server --allowed-hosts="*" --type claude --term-width 67 --term-height 1190 -- \
-      sudo -E env PATH=$PATH setpriv --reuid=$(id -u) --regid=$(id -g) --clear-groups \
-      --inh-caps=+net_admin --ambient-caps=+net_admin --bounding-set=+net_admin boundary "${BOUNDARY_ARGS[@]}" -- \
+    agentapi server --type claude --term-width 67 --term-height 1190 -- \
+      boundary-run "${BOUNDARY_ARGS[@]}" -- \
       claude "${ARGS[@]}"
   else
     agentapi server --type claude --term-width 67 --term-height 1190 -- claude "${ARGS[@]}"

registry/coder/modules/jfrog-oauth/README.md

@@ -16,7 +16,7 @@ Install the JF CLI and authenticate package managers with Artifactory using OAut
 module "jfrog" {
   count          = data.coder_workspace.me.start_count
   source         = "registry.coder.com/coder/jfrog-oauth/coder"
-  version        = "1.2.1"
+  version        = "1.2.2"
   agent_id       = coder_agent.example.id
   jfrog_url      = "https://example.jfrog.io"
   username_field = "username" # If you are using GitHub to login to both Coder and Artifactory, use username_field = "username"
@@ -39,6 +39,15 @@ module "jfrog" {
 
 This module is usable by JFrog self-hosted (on-premises) Artifactory as it requires configuring a custom integration. This integration benefits from Coder's [external-auth](https://coder.com/docs/v2/latest/admin/external-auth) feature and allows each user to authenticate with Artifactory using an OAuth flow and issues user-scoped tokens to each user. For configuration instructions, see this [guide](https://coder.com/docs/v2/latest/guides/artifactory-integration#jfrog-oauth) on the Coder documentation.
 
+## Username Handling
+
+The module automatically extracts your JFrog username directly from the OAuth token's JWT payload. This preserves special characters like dots (`.`), hyphens (`-`), and accented characters that Coder normalizes in usernames.
+
+**Priority order:**
+
+1. **JWT extraction** (default) - Extracts username from OAuth token, preserving special characters
+2. **Fallback to `username_field`** - If JWT extraction fails, uses Coder username or email
+
 ## Examples
 
 Configure the Python pip package manager to fetch packages from Artifactory while mapping the Coder email to the Artifactory username.
@@ -47,7 +56,7 @@ Configure the Python pip package manager to fetch packages from Artifactory whil
 module "jfrog" {
   count          = data.coder_workspace.me.start_count
   source         = "registry.coder.com/coder/jfrog-oauth/coder"
-  version        = "1.2.1"
+  version        = "1.2.2"
   agent_id       = coder_agent.example.id
   jfrog_url      = "https://example.jfrog.io"
   username_field = "email"
@@ -76,7 +85,7 @@ The [JFrog extension](https://open-vsx.org/extension/JFrog/jfrog-vscode-extensio
 module "jfrog" {
   count                 = data.coder_workspace.me.start_count
   source                = "registry.coder.com/coder/jfrog-oauth/coder"
-  version               = "1.2.1"
+  version               = "1.2.2"
   agent_id              = coder_agent.example.id
   jfrog_url             = "https://example.jfrog.io"
   username_field        = "username" # If you are using GitHub to login to both Coder and Artifactory, use username_field = "username"

registry/coder/modules/jfrog-oauth/main.tf

@@ -76,8 +76,27 @@ variable "package_managers" {
 }
 
 locals {
-  # The username field to use for artifactory
-  username   = var.username_field == "email" ? data.coder_workspace_owner.me.email : data.coder_workspace_owner.me.name
+  jwt_parts   = try(split(".", data.coder_external_auth.jfrog.access_token), [])
+  jwt_payload = try(local.jwt_parts[1], "")
+  payload_padding = local.jwt_payload == "" ? "" : (
+    length(local.jwt_payload) % 4 == 0 ? "" :
+    length(local.jwt_payload) % 4 == 2 ? "==" :
+    length(local.jwt_payload) % 4 == 3 ? "=" :
+    ""
+  )
+
+  jwt_username = try(
+    regex(
+      "/users/([^/]+)",
+      jsondecode(base64decode("${local.jwt_payload}${local.payload_padding}"))["sub"]
+    )[0],
+    ""
+  )
+
+  username = coalesce(
+    local.jwt_username != "" ? local.jwt_username : null,
+    var.username_field == "email" ? data.coder_workspace_owner.me.email : data.coder_workspace_owner.me.name
+  )
   jfrog_host = split("://", var.jfrog_url)[1]
   common_values = {
     JFROG_URL                = var.jfrog_url