### Summary
Temporary workaround for non-deterministic PATH handling when using
`coder_env` across multiple modules
([coder/coder#21885](https://github.com/coder/coder/issues/21885)).
### Problem
When multiple modules define `coder_env` with the same `name` (e.g.,
`PATH`), the final value is non-deterministic due to Go map iteration
order. This caused PATH overwrites instead of appending, breaking Claude
Code discovery in workspaces using multiple modules.
### Solution
Replace `coder_env` PATH manipulation with script-based PATH handling:
- **Install script**: Exports PATH and adds claude binary directory to
shell profiles (`.profile`, `.bashrc`, `.zshrc`, fish) for interactive
shell access
- **Start script**: Exports PATH at script execution time
- **Symlink**: Creates symlink in `CODER_SCRIPT_BIN_DIR` as additional
fallback
- **Validation**: Prevents invalid configuration where
`claude_binary_path` is customized but `install_claude_code=true`
(official installer doesn't support custom paths)
### Changes
- Removed `coder_env` resource for PATH
- Added PATH export to `install.sh` and `start.sh`
- Added shell profile modifications for cross-shell compatibility (bash,
zsh, fish)
- Added variable validation for `claude_binary_path`
### Note
This is a temporary fix until
[coder/coder#21885](https://github.com/coder/coder/issues/21885) is
resolved with a proper `merge_strategy` attribute for `coder_env`.
## Type of Change
- [ ] New module
- [ ] New template
- [X] Bug fix
- [ ] Feature/enhancement
- [ ] Documentation
- [ ] Other
## Module Information
<!-- Delete this section if not applicable -->
**Path:** `registry/coder/modules/claude-code`
**New version:** `v4.7.5`
**Breaking change:** [ ] Yes [X] No
## Testing & Validation
- [X] Tests pass (`bun test`)
- [X] Code formatted (`bun fmt`)
- [X] Changes tested locally
## Related Issues
([coder/coder#21885](https://github.com/coder/coder/issues/21885))
## Description
At the moment, the `CLAUDE_API_KEY` coder_env will always be created,
even if the variable itself is not. This can lead to the environment
variable being unset if it has been set outside of Terraform.
With this PR, we make the `claude_api_key` coder_env conditional, so it
will only be created if an API key has been set.
## Type of Change
- [ ] New module
- [ ] New template
- [x] Bug fix
- [ ] Feature/enhancement
- [ ] Documentation
- [ ] Other
## Module Information
<!-- Delete this section if not applicable -->
**Path:** `registry/coder/modules/claude-code/main.tf`
**New version:** `v4.7.4`
**Breaking change:** [ ] Yes [x] No
## Testing & Validation
- [x] Tests pass (`bun test`)
- [x] Code formatted (`bun fmt`)
- [x] Changes tested locally
## Related Issues
None
---------
Co-authored-by: 35C4n0r <70096901+35C4n0r@users.noreply.github.com>
Captures the last 10 messages from AgentAPI when task workspaces stop,
allowing users to view conversation history while the task is paused.
The shutdown script fetches messages, builds a payload with last 10
messages, truncates to 64KB if needed (removes old messages first, then
truncates content of the last message), and posts to the log snapshot
endpoint.
Gracefully handles non-task workspaces (skips), older Coder versions
without the endpoint (logs and continues), and empty message sets.
Enabled by default via task_log_snapshot variable. Task ID is
automatically resolved from data.coder_task when available.
Updates coder/internal#1257
## Description
- Update claude-code module to use binary installation incase of
specific version pinning unless use npm is specified.
- Add a deprecation warning in the install script and readme for npm.
## Type of Change
- [ ] New module
- [ ] New template
- [x] Bug fix
- [ ] Feature/enhancement
- [ ] Documentation
- [ ] Other
## Module Information
<!-- Delete this section if not applicable -->
**Path:** `registry/coder/modules/claude-code`
**New version:** `v4.7.1`
**Breaking change:** [ ] Yes [x] No
## Testing & Validation
- [x] Tests pass (`bun test`)
- [x] Code formatted (`bun fmt`)
- [x] Changes tested locally
## Related Issues
<!-- Link related issues or write "None" if not applicable -->
## Description
<!-- Briefly describe what this PR does and why -->
A draft that allow user connect existing linux system though coder by
ssh
## Type of Change
- [ ] New module
- [x] New template
- [ ] Bug fix
- [ ] Feature/enhancement
- [x] Documentation
- [ ] Other
## Template Information
<!-- Delete this section if not applicable -->
**Path:** `registry/IamTaoChen/templates/ssh-linux`
## Testing & Validation
- [ ] Tests pass (`bun test`)
- [x] Code formatted (`bun fmt`)
- [x] Changes tested locally
## Related Issues
<!-- Link related issues or write "None" if not applicable -->
---------
Co-authored-by: DevCats <christofer@coder.com>
## Summary
- Default `subdomain` to `true` so Mux uses subdomain routing by
default.
- Default `display_name` to `Mux`.
- Make `add-project` optional (`null` by default) and pass
`--add-project` to `mux server` when set.
- Bump mux module README example version to `1.0.8`.
## Notes
Changing the `subdomain` default may affect workspaces without wildcard
subdomain support configured (they can explicitly set `subdomain =
false`).
## Testing
- `terraform validate` (registry/coder/modules/mux)
- `terraform test -verbose` (registry/coder/modules/mux)
---
Generated with Mux (AI coding agent).
## Description
This PR adds a zizmor security scan to the CI pipeline to analyze new
and existing GitHub Actions workflows under .github/workflows/.
- Runs zizmor on PRs and fails the check when HIGH severity (or above)
issues are found, so they can block merges.
- Runs zizmor on main to produce security reporting (where applicable),
keeping visibility into findings over time.
- Intended to be added as a required status check so workflow-security
regressions can’t land unnoticed.
Reference: coder/registry#642 (comment) / zizmor-action
## Type of Change
- [ ] New module
- [ ] New template
- [ ] Bug fix
- [ ] Feature/enhancement
- [ ] Documentation
- [x] Other - CI / security tooling
## Testing & Validation
- Validation via PR check - opened a test PR with a deliberately risky
workflow and confirmed zizmor reports and blocks on HIGH findings
## Related Issues
coder/registry#642 (comment) / zizmor-action
## Description
Updates AGENTS.md to be more concise (~36 lines) while adding missing
commands and a PR review checklist based on recent PR feedback.
## Changes
- **Commands section**: Added `bun run tftest`, `bun run tstest`, single
test commands, and version-bump script
- **Structure section**: Added note that URLs must be relative (from
#639)
- **Code Style section**: Added `tf` vs `hcl` guidance and relative icon
paths
- **New PR Review Checklist**: Based on patterns from recent PRs
including:
- Version bumping requirements (#661, #617)
- Breaking changes documentation (#636)
- Graceful error handling in scripts (#658)
- Diagnostic logging for tests (#643)
- **AI attribution requirement**: PRs should note model/tool used
## Type of Change
- [ ] New module
- [ ] New template
- [ ] Bug fix
- [ ] Feature/enhancement
- [x] Documentation
- [ ] Other
---
Generated with
[Amp](https://ampcode.com/threads/T-019bcb7e-2e92-76f2-a1aa-2023ecdb0763)
using Claude Sonnet 4
## Description
Adds a `claude_path` variable to override the path that the `coder_env`
sets for claude-code.
Adds a `install_via_npm` variable to override the official installation
and use npm to install claude-code ( this doesn't change any behaviour,
simply just the options available to the user )
Model now uses `coder_env` to set the `ANTHROPIC_MODEL` env instead of
using the `--model` cli flag which did not set the anthropic model
globally in the workspace.
Normal Usage -> Official Installer
Specific Version Set -> NPM Install
Install Via NPM -> NPM Install
The idea with `claude_path` is that someone who wants to source claude
another way can install it and utilize that install in the module. If
install is true and a custom path is provided there is a tf precondition
that will disallow this.
<!-- Briefly describe what this PR does and why -->
## Type of Change
- [ ] New module
- [ ] New template
- [ ] Bug fix
- [X] Feature/enhancement
- [ ] Documentation
- [ ] Other
## Module Information
<!-- Delete this section if not applicable -->
**Path:** `registry/coder/modules/claude-code`
**New version:** `v4.4.0`
**Breaking change:** [ ] Yes [X] No
## Testing & Validation
- [X] Tests pass (`bun test`)
- [X] Code formatted (`bun fmt`)
- [X] Changes tested locally
## Related Issues
<!-- Link related issues or write "None" if not applicable -->
## Description
Adds e2e test for code-server that actually installs and health checks
code-server
<!-- Briefly describe what this PR does and why -->
## Type of Change
- [ ] New module
- [ ] New template
- [ ] Bug fix
- [ ] Feature/enhancement
- [ ] Documentation
- [X] Other
## Testing & Validation
- [X] Tests pass (`bun test`)
- [X] Code formatted (`bun fmt`)
- [X] Changes tested locally
## Related Issues
<!-- Link related issues or write "None" if not applicable -->
## Summary
Adds a `CODEOWNERS` file to enforce code review requirements for GitHub
Actions workflow changes.
- Creates `CODEOWNERS` file designating `@jdomeracki-coder` as owner of
`.github/` directory
- All changes to GitHub Actions workflows (`.github/` directory) now
require approval from the designated code owner
- Improves security posture by preventing unauthorized modifications to
CI/CD pipelines
## Why this change?
GitHub Actions workflows have elevated privileges and can access
repository secrets. Requiring explicit approval for workflow changes
helps prevent:
- Accidental or malicious modifications to CI/CD pipelines
- Unauthorized access to secrets
- Supply chain security vulnerabilities
## Test plan
- [x] Verify CODEOWNERS file is properly formatted
- [ ] Test that PRs modifying `.github/` directory require approval from
`@jdomeracki-coder`
- [ ] Confirm existing PRs not touching `.github/` continue to work
normally
## Description
- Minor maintenance and update codex to use coder_ai_task.
## Type of Change
- [ ] New module
- [ ] New template
- [ ] Bug fix
- [x] Feature/enhancement
- [ ] Documentation
- [ ] Other
## Module Information
<!-- Delete this section if not applicable -->
**Path:** `registry/coder-labs/modules/codex`
**New version:** `v4.0.0`
**Breaking change:** [x] Yes [ ] No
## Testing & Validation
- [x] Tests pass (`bun test`)
- [x] Code formatted (`bun fmt`)
- [x] Changes tested locally
## Related Issues
<!-- Link related issues or write "None" if not applicable -->
---------
Co-authored-by: Atif Ali <atif@coder.com>
This pull request updates the `claude-code` module to version 4.3.0 and
significantly simplifies the configuration and startup logic for the
Boundary integration. The changes remove several Boundary-related
configuration variables and options, streamlining both Terraform and
shell script code. The documentation is updated to reflect these changes
and the new version.
**Boundary integration simplification:**
* Removed multiple Boundary-related variables from `main.tf`, including
log directory, log level, additional allowed URLs, proxy port, and pprof
options, as well as their usage in the module and test files.
(`registry/coder/modules/claude-code/main.tf`
[[1]](diffhunk://#diff-e7adc2da34facfd5d16deb23876fca7ae4cb11c8a68a0cfbe37a044bb69932f0L213-L248)
[[2]](diffhunk://#diff-e7adc2da34facfd5d16deb23876fca7ae4cb11c8a68a0cfbe37a044bb69932f0L377-L382);
`registry/coder/modules/claude-code/main.tftest.hcl`
[[3]](diffhunk://#diff-46ca9cfb5cdd077a9c42f7f62ab3f45583196a05edc29838eda0c6bd0ea63edcL198-L210)
* Updated the Boundary startup logic in `start.sh` to remove handling
and passing of the eliminated variables, resulting in a simpler and more
maintainable script.
(`registry/coder/modules/claude-code/scripts/start.sh`
[[1]](diffhunk://#diff-decfa0cea699ba8bf5e89b60ee677c361d2e9cc8b4792ed54ac1da66b4bd9315L19-L23)
[[2]](diffhunk://#diff-decfa0cea699ba8bf5e89b60ee677c361d2e9cc8b4792ed54ac1da66b4bd9315L39-L41)
[[3]](diffhunk://#diff-decfa0cea699ba8bf5e89b60ee677c361d2e9cc8b4792ed54ac1da66b4bd9315L232-L260)
**Documentation updates:**
* Updated all usage examples in `README.md` to reference version 4.3.0
and reflect the new, simplified Boundary configuration.
(`registry/coder/modules/claude-code/README.md`
[[1]](diffhunk://#diff-3f433388cb775dcc77c38911e23acbd2eb64e26e26c25d46b045724dfe5136bbL16-R16)
[[2]](diffhunk://#diff-3f433388cb775dcc77c38911e23acbd2eb64e26e26c25d46b045724dfe5136bbL48-R52)
[[3]](diffhunk://#diff-3f433388cb775dcc77c38911e23acbd2eb64e26e26c25d46b045724dfe5136bbL75-R71)
[[4]](diffhunk://#diff-3f433388cb775dcc77c38911e23acbd2eb64e26e26c25d46b045724dfe5136bbL111-R107)
[[5]](diffhunk://#diff-3f433388cb775dcc77c38911e23acbd2eb64e26e26c25d46b045724dfe5136bbL133-R129)
[[6]](diffhunk://#diff-3f433388cb775dcc77c38911e23acbd2eb64e26e26c25d46b045724dfe5136bbL206-R202)
[[7]](diffhunk://#diff-3f433388cb775dcc77c38911e23acbd2eb64e26e26c25d46b045724dfe5136bbL263-R259)
**Version bump:**
* Bumped the module version from 4.2.9 to 4.3.0 throughout all
documentation and configuration examples.
(`registry/coder/modules/claude-code/README.md`
[[1]](diffhunk://#diff-3f433388cb775dcc77c38911e23acbd2eb64e26e26c25d46b045724dfe5136bbL16-R16)
[[2]](diffhunk://#diff-3f433388cb775dcc77c38911e23acbd2eb64e26e26c25d46b045724dfe5136bbL48-R52)
[[3]](diffhunk://#diff-3f433388cb775dcc77c38911e23acbd2eb64e26e26c25d46b045724dfe5136bbL75-R71)
[[4]](diffhunk://#diff-3f433388cb775dcc77c38911e23acbd2eb64e26e26c25d46b045724dfe5136bbL111-R107)
[[5]](diffhunk://#diff-3f433388cb775dcc77c38911e23acbd2eb64e26e26c25d46b045724dfe5136bbL133-R129)
[[6]](diffhunk://#diff-3f433388cb775dcc77c38911e23acbd2eb64e26e26c25d46b045724dfe5136bbL206-R202)
[[7]](diffhunk://#diff-3f433388cb775dcc77c38911e23acbd2eb64e26e26c25d46b045724dfe5136bbL263-R259)
---------
Co-authored-by: DevCats <christofer@coder.com>
## Description
Remove test from `cloud-dev` template since templates generally have no
tests.
<!-- Briefly describe what this PR does and why -->
## Type of Change
- [ ] New module
- [ ] New template
- [X] Bug fix
- [ ] Feature/enhancement
- [ ] Documentation
- [ ] Other
## Template Information
<!-- Delete this section if not applicable -->
**Path:** `registry/nboyers/templates/cloud-dev`
## Testing & Validation
- [X] Tests pass (`bun test`)
- [X] Code formatted (`bun fmt`)
- [X] Changes tested locally
## Related Issues
<!-- Link related issues or write "None" if not applicable -->
## Description
Better test cleanup, and resolve flakiness.
<!-- Briefly describe what this PR does and why -->
## Type of Change
- [ ] New module
- [ ] New template
- [X] Bug fix
- [ ] Feature/enhancement
- [ ] Documentation
- [ ] Other
## Module Information
<!-- Delete this section if not applicable -->
**Path:** `registry/coder/modules/github-upload-public-key`
**New version:** `v1.0.32`
**Breaking change:** [ ] Yes [ ] No
## Testing & Validation
- [X] Tests pass (`bun test`)
- [X] Code formatted (`bun fmt`)
- [X] Changes tested locally
## Related Issues
<!-- Link related issues or write "None" if not applicable -->
## Description
bump agentapi version to 0.11.6.
This version of agentapi introduces tool_call logging and improved
tool_call parsing
## Type of Change
- [ ] New module
- [ ] New template
- [ ] Bug fix
- [x] Feature/enhancement
- [ ] Documentation
- [ ] Other
## Module Information
<!-- Delete this section if not applicable -->
**Path:** `registry/coder/modules/claude-code`
**New version:** `v4.2.8`
**Breaking change:** [ ] Yes [x] No
## Testing & Validation
- [x] Tests pass (`bun test`)
- [x] Code formatted (`bun fmt`)
- [x] Changes tested locally
## Related Issues
<!-- Link related issues or write "None" if not applicable -->
## Description
As part of
https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/guides/v3-upgrade-guide
various resources change from non versioned to versioned. This PR
changes the Coder authored templates to versioned resources.
- Updated kubernetes_persistent_volume_claim to
kubernetes_persistent_volume_claim_v1
- Updated kubernetes_deployment to kubernetes_deployment_v1
- Updated kubernetes_pod to kubernetes_pod_v1
- Updated kubernetes_secret to kubernetes_secret_v1
- Updated all resource references and dependencies
I also had to fix up a couple of templates, i.e. remove `agent_name` as
it wasn't valid usage, `agent_id` remains. The `source` parameter for
jetbrains module in
[registry/coder/templates/kubernetes-envbox/main.tf](https://github.com/coder/registry/pull/616/changes#diff-83996ad9def3fae3b69981faee7d682964acc8716a4d04edfd7c4374f0a1d15c)
also had to be fixed.
## Type of Change
- [ ] New module
- [ ] New template
- [ ] Bug fix
- [x] Feature/enhancement
- [ ] Documentation
- [ ] Other
## Template Information
**Path:**
- registry/coder/templates/kubernetes
- registry/coder/templates/kubernetes-devcontainer
- registry/coder/templates/kubernetes-envbox
## Testing & Validation
- [ ] Tests pass (`bun test`)
- [ ] Code formatted (`bun fmt`)
- [x] Changes tested locally
## Related Issues
## Problem
The Zed module's settings parsing was broken. The previous
implementation used quote escaping:
```hcl
SETTINGS_JSON='${replace(var.settings, "\"", "\\\"")}'
```
This produced invalid JSON like `{\"theme\":\"dark\"}` which **jq could
not parse** because the backslash-escaped quotes are not valid JSON
syntax.
## Solution
Changed to use base64 encoding internally:
```hcl
locals {
settings_b64 = var.settings != "" ? base64encode(var.settings) : ""
}
# In the script:
SETTINGS_B64='${local.settings_b64}'
SETTINGS_JSON="$(echo -n "${SETTINGS_B64}" | base64 -d)"
```
**User interface remains the same** - users still provide plain JSON via
`jsonencode()` or heredoc:
```hcl
module "zed" {
source = "..."
agent_id = coder_agent.main.id
settings = jsonencode({
theme = "dark"
fontSize = 14
})
}
```
## Testing
Added comprehensive tests:
**Terraform tests (5):**
- URL generation (default, folder, agent_name)
- Settings base64 encoding verification
- Empty settings edge case
**Container e2e tests (3):**
- Creates settings file with correct JSON (including special chars:
quotes, backslashes, URLs)
- Merges with existing settings via jq
- Exits early with empty settings
Also fixed existing tests to use `override_data` for proper workspace
mocking.
---------
Signed-off-by: Muhammad Atif Ali <me@matifali.dev>
Co-authored-by: DevCats <christofer@coder.com>
