Changelog
Note: This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.
BREAKING CHANGES
- feat!: Cached Terraform Modules speed up workspace startup (#21398, 60b3fd0) (@Emyrk)
Terraform modules are now downloaded once per template version and reused on every workspace start. Modules are fetched and pinned when the template version is created, then cached and reused across all workspace starts. This prevents upstream module changes from breaking workspace restarts and reduces repeated downloads and startup time.
- feat!: implement AI Bridge heading to /deployment/observability (#20791, ab4366f) (@jakehwll)
The experimental AI Bridge API endpoints /api/experimental/aibridge/* have been removed. AI Bridge API was promoted to stable in v2.29.0, and all clients, scripts, or integrations must now use the stable /api/v2/aibridge/* routes instead. This follows standard deprecation practice: experimental endpoints are removed once the feature reaches general availability.
- feat!: support PKCE in the oauth2 client's auth/exchange flow (#21215, 8fefd91) (@Emyrk)
This PR adds PKCE (Proof Key for Code Exchange) support to Coder's OAuth2 client flow when authenticating with external identity providers. Unknown external OAuth providers now default to using PKCE, which will cause authentication failures if the provider doesn't actually support it. To resolve this, set CODER_EXTERNAL_AUTH__PKCE_METHODS=none in your environment configuration to disable PKCE for incompatible providers.
- fix(agent/agentssh)!: use configured directory for SFTP connections (#21194, 6bea82b) (@mafredri)
If your workspace agent has a custom dir configured in Terraform, SFTP and SCP connections will now land there instead of $HOME. Previously, only SSH and rsync respected this setting, which caused confusing behavior where scp file.txt coder:. and rsync file.txt coder:. would put files in different places. If you have scripts that relied on SFTP/SCP always using $HOME regardless of agent configuration, you may need to use explicit paths instead.
Other Major Callouts
This release includes the GA of Coder AI Bridge and Agent Boundaries through Coder's AI Governance Add-On. A future release of Coder will require the add-on license in order to continue using these features.
- Agent Boundaries goes GA:
  - Observability and monitoring: You can now analyze AI agent HTTP requests with centralized machine-parsable logs
  - New mode (landjail): This form of Agent Boundaries requires no permission changes in order to be used and supports a wider range of environments
  - Rules engine documentation: Admins can self-serve on writing granular network policies without guesswork
- AI Bridge goes GA:
  - Responses API: AI Bridge can now intercept requests to OpenAI's Responses API, supported by most popular tools
  - Proxy Mode: For tools which don't support Base URL overrides, we have now introduced a new AI Bridge Proxy which can intercept HTTP traffic and pass it through to AI Bridge transparently
  - Expanded client support: With the introduction of Proxy Mode, AI Bridge can now intercept GitHub Copilot requests from both the CLI and VS Code / JetBrains plugins
  - Structured Logging: AI Bridge's observability data can now be logged & exported to external SIEM services
  - Detailed Client Config Docs: We now publish detailed client config docs for AI Bridge.
- Shared Workspaces is Early Access:
  - You can now allow a workspace owner to securely share access to an existing Coder workspace with another trusted user or group
  - Shared users authenticate with their existing Coder account
  - Access is role-based and auditable; ownership does not transfer
- Starting in v2.30, the default PostgreSQL connection pool settings have increased from 10 max open connections to 30, and from 3 idle connections to 15 per Coder replica. Operators with multi-replica deployments should verify their PostgreSQL max_connections setting can accommodate this increase before upgrading; the default PostgreSQL limit of 100 connections may be insufficient for larger installations. See Scale Coder for additional guidance.
Features
AI Bridge
- Add tracing to aibridge (#21106, e24cc5e) (@pawbana)
- Add core AI MITM proxy daemon (#21296, b975722) (@ssncferreira)
- Add proxy authorization to aibridgeproxyd (#21342, 3517772) (@ssncferreira)
- Add certificate caching for AI Bridge Proxy (#21344, b522c94) (@ssncferreira)
- Implement selective MITM with configurable domain allowlist in aibridgeproxyd (#21473, 74b6d12) (@ssncferreira)
- Add upstream proxy support to aiproxy for passthrough requests (#21512, a406ed7) (@ssncferreira)
- Validate aiproxy allowlisted domains have aibridge provider mappings at startup (#21577, 09f5004) (@ssncferreira)
- Support custom bedrock base url (#21582, a14a22e) (@dannykopping)
- Use coder specific header for aibridge authentication from AI proxy (#21590, 47b3846) (@ssncferreira)
- SDK: Add circuit breaker configuration support for aibridge (#21546, ed679bb) (@kacpersaw)
Boundary
- Add boundary log forwarding from agent to coderd (#21345, 0792403) (@zedkipp)
- Include template ID in re-emitted boundary logs (#21618, 6d8e6d4) (@zedkipp)
- Implement boundary usage tracker and telemetry collection (#21716, 2204731) (@zedkipp)
CLI
- Implement agent socket api, client and cli (#20758, ce627bf) (@SasSwart)
- CLI: Add logs cmd (#21430, 0f446f9) (@johnstcn)
- CLI: Enrich user-agent header for client requests (#21483, 2b448c7) (@johnstcn)
- Add --max-failures to coder exp scaletest create-workspaces (#21315, cac6d4c) (@spikecurtis)
- Add --use-parameter-defaults flag (#21119, 4d414a0) (@code-asher)
Dashboard
- Show sharing info at bottom of AppLink's tooltip (#21197, a87a444) (@aqandrew)
- Add workspace sharing page (#20931, b9f8295) (@jaaydenh)
- Add workspace share button and dialog (#21299, e4a06f8) (@jaaydenh)
- Add workspace filter for shared workspaces (#21310, 2de2cd5) (@jaaydenh)
- Add workspace sharing toggle on organization settings page (#21456, d25d952) (@jaaydenh)
- Add flag to disable template insights (#20940, 27f0413) (@code-asher)
- Dashboard: Add bulk delete for tasks (#20905, ee58f40) (@mafredri)
- Dashboard: Add tab to invalidate prebuilds (#20864, a8862be) (@mtojek)
- Dashboard: Add cmd+enter to submit tasks immediately (#21182, 8e460ca) (@bpmct)
- Dashboard: Allow modifying task prompts for starting tasks (#20812, e7bbfe2) (@DanielleMaywood)
Database
- Database: Add schema for task pause/resume lifecycle (#21557, 2132c53) (@mafredri)
- Database: Add retention for connection logs (#21022, 9ebcca5) (@mafredri)
- Database: Add retention for audit logs (#21025, c85d79b) (@mafredri)
- Database: Make API keys retention configurable (#21037, 9ec90cf) (@mafredri)
- Add retention config for workspace_agent_logs (#21039, ff46917) (@mafredri)
- Make database connection pool size configurable (#21403, 49a42ef) (@dannykopping)
Enterprise
- Add deployment-wide option to disable workspace sharing (#21172, 4379230) (@geokat)
- Add sharing info to /workspaces endpoint (#21049, 103967e) (@geokat)
- Enterprise: Implement organization "disable workspace sharing" option (#21376, 0712fae) (@geokat)
Server
- Server: Add retention policy configuration (#21021, 56e7858) (@mafredri)
- Server: Add overload protection with rate limiting and concurrency control (#21161, 6f86f67) (@kacpersaw)
- Server: Support deleting dev containers (#21248, 0552913) (@DanielleMaywood)
- Server: Bump workspace deadline on AI agent activity (#21584, 4c7844a) (@mafredri)
- Server: Add task log snapshot storage endpoint (#21644, 25d7f27) (@mafredri)
- Server: Make organization-member a per-org system custom role (#21359, cc2efe9) (@geokat)
- Add prometheus observability metrics for dbpurge (#21074, 00793cc) (@jakehwll)
- Add rbac specificity for dbpurge (#21088, ea00e72) (@jakehwll)
- Extend biome.jsonc with "useConsistentCurlyBraces": "error" (#21379, df6b316) (@jakehwll)
- Add user_agent to loggermw (#21485, 64e7a77) (@johnstcn)
- Support bundle updates to enable pprof and telemetry collection (#21486, b163b4c) (@rowansmithau)
Tasks
- Agent: Support deleting dev containers (#21247, 44a46db) (@DanielleMaywood)
Bug fixes
- Pass context with authorization to agentapi (#20959, d22d34e) (@cstyan)
- Ensure we check if the user can actually see ai bridge (#20942, caf711d) (@jakehwll)
- Do not log CSRF error in Electron environments (#21054, 5224355) (@EhabY)
- Export site public API to be used in the VS Code extension (#21165, ac1d51a) (@EhabY)
- Allow stops and deletes after breaching AI limit (#21186, b199eb1) (@deansheather)
- Improve task naming prompt to avoid URL content guessing (#21151, 4844c97) (@app/blinkagent)
- Use task display_name in browser tab title (#21147, 67024b8) (@bpmct)
- Handle scenario where provisionerdserver deletes task before coderd (#21220, c3224b7) (@DanielleMaywood)
- Add id-token permission to classify-issue-severity workflow (#21234, 614e72a) (@david-fraley)
- Stop disconnecting from coderd early and record disconnect correctly (#21250, 71c6dc4) (@spikecurtis)
- Isolate keyring usage by parallel test processes (#21256, 7ecfd1a) (@zedkipp)
- Mark users seen when activating on login (#21305, bd753d9) (@spikecurtis)
- Report correct request paths from workspace proxy metrics (#21302, c5fc6de) (@spikecurtis)
- Show exclamation mark on negated permissions in org custom roles page (#21314, b187d33) (@deansheather)
- Improve AI Bridge request logs UI/UX (#21252, ca971dd) (@jakehwll)
- Increase workspace <Avatar /> size props (#21321, 7fb9d51) (@jakehwll)
- Use separate HTTP clients in scale test load generators (#21288, 73253df) (@spikecurtis)
- Remove state information from apply (#21373, 61d7d29) (@Emyrk)
- Sort latest key by sequence correctly (#21425, 41a966c) (@spikecurtis)
- Prevent notification for dormant delete on dormant-removal (#21427, 467c8bb) (@DanielleMaywood)
- Reuse reconciliation lock transaction for read operations in prebuilds (#21408, 000bc33) (@ssncferreira)
- Fix navigation when clicking on share workspace from the task overview page (#21523, 3db5558) (@jaaydenh)
- Remove unreachable exit after error call in check_pg_schema.sh (#21530, 3b07f7b) (@app/blinkagent)
- Support open_in for external apps with HTTP URLs (#21558, 12a6a9b) (@app/blinkagent)
- Limit concurrent database connections in prebuild reconciliation (#20908, 6ef9670) (@ssncferreira)
- Unregister metrics on reconciler stop to prevent panic on restart (#21647, f5858c8) (@ssncferreira)
- Resolve organization member visibility issue during owned work sharing (#21657, f2e9988) (@zenithwolf1000)
- Return proxy auth challenge on missing/invalid credentials (#21677, c3f41ce) (@ssncferreira)
- Do not enforce managed agent limit for non-task workspaces (#21689, 799b190) (@Emyrk)
- Agent: Ignore EOF errors during shutdown (#21187, ce9e7ad) (@spikecurtis)
- Agent: Allow lifecycle script error on devcontainer up (#21020, 74d0c39) (@mafredri)
- Agent: Broadcast devcontainer dirty status over websocket (#21100, d915910) (@mafredri)
- CLI: Close prebuild runner prometheus server last (#21053, bf40d67) (@ethanndickson)
- CLI: Allow coder ssh --stdio to exit when parent process dies (#21583, f799cba) (@johnstcn)
- Server: Exclude sub-agents from workspace health calculation (#21098, 532a1f3) (@mafredri)
- Server: Wake dormant workspace when attempting to start it (#21306, 8248fa3) (@johnstcn)
- Server: Allow agent auth during workspace shutdown (#21538, 97e8a5b) (@mafredri)
- Server: Handle rbac.NotAuthorizedError when deleting template (#21645, fa7baeb) (@johnstcn)
- Server: Authorize workspace start/stop/delete by transition action (#21691, c352a51) (@geokat)
- Database: Allow same custom role name for different orgs (#21312, e10fceb) (@geokat)
- Database: Remove hardcoded public schema from migration 000401 (#21493, b3a81be) (@app/blinkagent)
- Database: Fix incorrect query label in GetWorkspaceAgentAndWorkspaceByID (#21576, 9776dc1) (@johnstcn)
- Database: Allow disabling AI Bridge retention with 0 (#21062, ad93262) (@mafredri)
- Server: Correct managed agent tracking (#21696, 7b44976) (@johnstcn)
- Server: Reinstate deployment-wide workspace.share permission for owner role (#21620, d29a168) (@geokat)
- Dashboard: Only show active tasks in waiting for input tab (#20933, b7d8918) (@mafredri)
- Dashboard: Simplify bulk task delete confirmation UI (#20979, 2f82928) (@mafredri)
- Dashboard: Show command apps in Tasks view (#21185, f6b025e) (@bpmct)
- Dashboard: Allow updating workspace in TaskPage (#21316, 1de952b) (@johnstcn)
- Dashboard: Show apps with disabled health status on workspaces list (#21428, a581431) (@EhabY)
- Fix reaper process to propagate child exit codes correctly (#21864, 017f676) (@sreya)
- Support authentication for upstream proxy (#21849, 5e2f845) (@ssncferreira)
- Allow overriding CODER_PPROF_ADDRESS and CODER_PROMETHEUS_ADDRESS (#21871, 6e1fe14) (@rowansmithau)
- Use existing transaction to claim prebuild (#21868, c0b939f) (@sreya)
Documentation
- Add data retention and export documentation for AI Bridge (#21055, f1b2715) (@mafredri)
- Update AI Bridge description for H2 2025 (#21126, 82bb833) (@aqandrew)
- Update Codex CLI compatibility in AI Bridge docs (#21292, 55f4efd) (@app/blinkagent)
- Update boundary docs (#20958, a6a8a06) (@evgeniy-scherbina)
- Introduce landjail for boundary (#21420, f792f0b) (@evgeniy-scherbina)
- Fix boundary log proto docs (#21451, 1081d42) (@zedkipp)
- Update boundary docs (#21458, 1e8c292) (@evgeniy-scherbina)
- Add docs for boundary rules engine (#21471, 1bfd776) (@evgeniy-scherbina)
- Update boundary docs (#21524, 61961db) (@evgeniy-scherbina)
- Add documentation for boundary audit logs (#21529, ea465d4) (@zedkipp)
- Clarify boundary logs are independent from app logs (#21578, d2e5481) (@zedkipp)
- Add GitHub to Coder Task Workflow Guide (#20928, afbe9ea) (@david-fraley)
- Mention AI Governance add-on (#21592, 6346eb7) (@bpmct)
- Update AI Governance nav label to AI Governance Add-On (#21616, e78d896) (@mattvollmer)
- Add data retention documentation (#21038, d9888ce) (@mafredri)
- Regenerate feature-stages experiments table (#21024, 0873d9a) (@app/blinkagent)
- Add documentation for preset invalidation (#21018, 65ef6df) (@mtojek)
- Delete references to adding database replicas (#21077, d5bb136) (@spikecurtis)
- Add ESR to Release Channels (#21060, c4bf5a2) (@david-fraley)
- Document coder_script resource (#21409, 989def7) (@matifali)
- Add documentation for coder script ordering (#21090, ffa83a4) (@SasSwart)
- Clarify max_connections implications (#21596, 1dd0519) (@dannykopping)
- Update metrics docs to include metadata batcher metrics (#21665, 806d7e4) (@cstyan)
- Rewrite dev containers documentation for GA (#21080, 61beb7b) (@mafredri)
- Restructure dev container documentation (#21157, 97bc7eb) (@mafredri)
- Add guidance on when to use Project Discovery for Dev Containers (#21190, f3e26ca) (@mafredri)
- Clarify dev containers entry point and reduce callouts (#21188, ea9f003) (@mafredri)
- Add dev container screenshots (#21191, 8f15caa) (@mafredri)
- Simplify 1k scale architecture and change db recommendation (#21362, ed6d41a) (@spikecurtis)
- Update scale architecture and add 10k user doc (#21454, 4bc49ed) (@spikecurtis)
- Fix 10k docs to include 600 provisioners (#21597, f0152e2) (@spikecurtis)
- Add link to new ROS2 community template (#20902, 9d7509a) (@brtmax)
- Add deprecation warning to gateway docs and direct to toolbox (#21210, 05b02cf) (@jcjiang)
- Document multiple agents for port-forwarding (#21221, 5b3c24c) (@bjornrobertsson)
- Provide guidance on shared workspaces (#21214, a09d85c) (@jcjiang)
- Add administrator configuration for disabling Coder Desktop auto-updates (#21641, 1375fd9) (@app/blinkagent)
- Group enumerated values by property in API docs (#21372, 0af038b) (@mtojek)
- Update VS Code Web subpath comment to reflect current support (#21375, 874f399) (@app/blinkagent)
- Document 200 OK response for upload file API when file exists (#21071, 50d42ab) (@app/blinkagent)
- Mention usage data reporting in AI Gov docs (#21664, ece531a) (@bpmct)
- Update example URL format in AI Bridge docs (#21435, ef45ce4) (@matifali)
Performance improvements
- Optimize GetDeploymentWorkspaceAgentStats by eliminating 2nd select (#21112, 6abb889) (@cstyan)
- Optimize GetTemplateAppInsightsByTemplate by pre-filtering on start/end times (#20669, a59a84b) (@cstyan)
- Support fastpath in dbauthz GetLatestWorkspaceBuildByWorkspaceID (#21047, 27c3ec0) (@cstyan)
- Reduce calls to GetWorkspaceByAgentID in GetWorkspaceAgentByID (#21046, 8ed1c1d) (@cstyan)
- Increase bridge pool cache size limit (#21399, 39bf9ed) (@dannykopping)
- Reduce number of queries made by /api/v2/workspaceagents/{id} (#21522, 08343a7) (@johnstcn)
- Reduce pg_notify call volume by batching together agent metadata updates (#21330, e195856) (@cstyan)
- Use the more efficient dannykopping/anthropic-sdk-go for AI Bridge (#21695, 59b2afa) (@SasSwart)
- Database: Add index on workspace_app_statuses.app_id (#21099, cfdd4a9) (@mafredri)
- Update AIBridge for improved memory use at scale (#21896, 43e67d1) (@SasSwart)
Chores
- Document bedrock setup process for aibridge (#20956, ebbdfa0) (@dannykopping)
- Enforce cooldown period (#21079, 0f05409) (@jdomeracki-coder)
- Update react to apply patch for CVE-2025-55182 (#21084, 770fdb3) (@jdomeracki-coder)
- Add support for antigravity external app protocol (#20873, 8e0516a) (@DevelopmentCats)
- Display the starting date when the license becomes active (#21162, 731683a) (@jaaydenh)
- Update slog to pull in entry human perf. improvements (#21128, aba0e36) (@cstyan)
- Fix race condition on aggregating terraform logs (#21067, b073357) (@Emyrk)
- Distinct operations for provisioner's 'parse', 'init', 'plan', 'apply', 'graph' (#21064, 3194bcf) (@Emyrk)
- Create Workspace sharing form component using workspace sharing hook (#21276, 9f34a1d) (@jaaydenh)
- Update organizations.md for Terraform provider support (#21300, 0ba3f7e) (@rowansmithau)
- Add tracing to prebuilds (#21443, 9a0024c) (@SasSwart)
- Update protobuf to reuse file request (#21447, d2044c2) (@Emyrk)
- Clean up coder build directory on shutdown (#21490, 8dd7d8b) (@johnstcn)
- Add scaletesting tools for aibridge (#21279, 0ebe8e5) (@SasSwart)
- Add script to calculate workspace 'on' hours in a given time window (#21505, 1b03202) (@Emyrk)
- Reword unhealthy agents on workspace page depending on the failure (#21622, e1282b6) (@Emyrk)
- Fix failing agent tests with non-default shell (#21671, 0d21365) (@johnstcn)
- Remove unused tailnet v1 tables and queries (#21646, f47f89d) (@spikecurtis)
- Replace httpapi.Heartbeat with httpapi.HeartbeatClose (#21676, 612aae2) (@johnstcn)
- Convert tailnet tables to UNLOGGED for improved write performance (#21607, f358a6d) (@spikecurtis)
- Renumber duplicate migration 000411 (#21720, 7090a1e) (@spikecurtis)
- Server: Extract HTTPRoute middleware (#21498, 3235426) (@johnstcn)
- Dashboard: Mark MUI components and Stack as deprecated (#20973, a6285dd) (@jaaydenh)
- Dashboard: Align AI Bridge Request logs page wording with docs (#21203, 3641404) (@matifali)
Compare: v2.29.4...v2.30.0
Container image
docker pull ghcr.io/coder/coder:v2.30.0
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.