coder

v2.33.0 Security

This release includes 3 security fixes relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 3 known CVEs

Topics

agents dev-tools development-environment go ide jetbrains remote-development terraform vscode

Summary

AI summary

The dashboard now requires confirmation before executing a terminal command from a URL, and unnecessary api.ts calls have been removed.

Changelog

BREAKING CHANGES

  • chore!: remove api.ts unnecessary calls (#22168, 4caa52844d) (@jakehwll)
  • Dashboard: Require confirmation before executing terminal command from URL (#24650, 66abd8a271) (@Shelnutt2)

SECURITY

  • Bump Go toolchain to 1.25.9 (#24293, 03d662a06c) (@CommanderK5)
  • Replace trivy with osv-scanner (#24311, 75f712feb7) (@CommanderK5)
  • Bump gomarkdown to patched revision (#24567, 869168b316) (@CommanderK5)
  • Keep OSV findings from failing security job (#24378, 9e771c4fc1) (@CommanderK5)
  • Widen engines.node to include Node.js 24 LTS (#24419, 1f194dcdff) (@jdomeracki-coder)

Features

  • Add chat and chat_files cleanup to dbpurge (#23833, 233343c010) (@johnstcn)
  • Dashboard: Take/release control agents desktop buttons (#24009, da5395a8ae) (@hugodutka)
  • Server: Add telemetry for agents chats and messages (#24068, c5d720f73d) (@kylecarbs)
  • Support disabling reverse/local port forwarding in agent SSH server (#24026, 7b7baea851) (@f0ssel)
  • Add dynamic tools support for chat API (#24036, b969d66978) (@kylecarbs)
  • Add CreatedAt to tool-call and tool-result ChatMessageParts (#24101, 35c26ce22a) (@kylecarbs)
  • Byok-observability for aibridge (#23808, 7f496c2f18) (@evgeniy-scherbina)
  • Add httproute for K8s Gateway API (#23501, e3a0dcd6fc) (@cfi2017)
  • Dashboard: Add under-construction navbar stripes for pre-release builds (#24157, 461a31e5d8) (@johnstcn)
  • Add user secrets SDK types and db2sdk converters (#24102, 9b91af8ab7) (@zedkipp)
  • Add input validation for user secret env names and file paths (#24103, 7caef4987f) (@zedkipp)
  • Dashboard: Hide agents desktop tab when workspace is stopped (#24191, 33d9d0d875) (@hugodutka)
  • Agents desktop recording thumbnail backend (#24022, efb19eb748) (@hugodutka)
  • Dashboard: Agents desktop recording thumbnail frontend (#24023, 128a7c23e6) (@hugodutka)
  • Merge Limits + Usage into unified Spend page (#24093, 29ad2c6201) (@DanielleMaywood)
  • Add CLI commands for managing chat context from workspaces (#24105, 391b22aef7) (@kylecarbs)
  • Byok observability api (#24207, 8237822441) (@evgeniy-scherbina)
  • Warn in CLI when server runs dev or RC builds (#24158, 1e40cea199) (@johnstcn)
  • Add REST API handlers and client methods for user secrets (#24107, 95cff8c5fb) (@zedkipp)
  • Resolve useTime() thunk() error (#24234, 82456ff62e) (@jakehwll)
  • Stack insights tables vertically and paginate Pull requests table (#24198, 36141fafad) (@mattvollmer)
  • Add workspace build transition to provisioner job list (#24131, 7bde763b66) (@jscottmiller)
  • Comment on original PR after cherry-pick PR is created (#24243, e0fbb0e4ec) (@f0ssel)
  • User secret database encryption (#24218, 508114d484) (@zedkipp)
  • Agent: Add user secrets to agent manifest (#24252, 2f52de7cfc) (@zedkipp)
  • Refactor <AgentLogs /> error state (#24233, 7b02a51841) (@jakehwll)
  • Add a debounce to menu filtering (#24048, 982739f3bf) (@jakehwll)
  • Show build logs in chat for start_workspace and create_workspace tools (#24194, cb0b84a2d3) (@DanielleMaywood)
  • Add organization scoping to chats (#23827, 22062ec52e) (@johnstcn)
  • De-mui <Skeleton /> component (#24278, 58c6855c59) (@jakehwll)
  • Add chat debug log tables, queries, and SDK types (#23913, 6ab30123bf) (@ThomasK33)
  • Add secret value and file path validation (#24269, 4854f33678) (@zedkipp)
  • Make sure creds are always masked (#24241, b78eba9f9d) (@evgeniy-scherbina)
  • Demui the <LinearProgress /> dependency (#24275, e0902e3c27) (@jakehwll)
  • Dashboard: Add full-width chat layout toggle (#24307, a414d37165) (@kylecarbs)
  • Add types, context, and model normalization (#23914, 8382e96a81) (@ThomasK33)
  • Add texlive.svg icon (#24312, 3d8d89e56c) (@DevelopmentCats)
  • De-mui the <UserGroupsCell /> component (#24277, 60aed55eaa) (@jakehwll)
  • Graduate web-push from experiment to always-on (#24310, 116323d3cf) (@johnstcn)
  • Add Prometheus metric for agent first connection duration (#24179, 20b953a99d) (@jscottmiller)
  • Link group names to group page in agents limit settings (#24212, 214351ebe1) (@aslilac)
  • Configure multiple AI Bridge providers of the same type (#23948, 08045c2aac) (@dannykopping)
  • Dashboard: Expose workspace apps in chat workspace pill (#24295, e317f3b239) (@DanielleMaywood)
  • Add coder_build_info metric (#24365, 48b90f8cc8) (@dannykopping)
  • Server: Add recorder, transport, and redaction (#23915, 4651ca5a9a) (@ThomasK33)
  • Dashboard: Make org selector compact (#24318, 93a1a5145a) (@DanielleMaywood)
  • Add allow-byok option for ai-gateway (#24274, dd73ea54bd) (@evgeniy-scherbina)
  • Add Prometheus metrics for chatd subsystem (#24371, d7439a9de0) (@johnstcn)
  • Add plan mode with restricted tool boundary (#24236, 1cf0354f72) (@ibetitsmike)
  • Support multiple agents with shared instance-identity auth (#24325, e5707a13d6) (@ibetitsmike)
  • Add internal subagent model override wiring (#24399, 1092093e98) (@ibetitsmike)
  • Accept xhigh effort for Anthropic (#24439, 15d8e4ff9f) (@DanielleMaywood)
  • Add CLI support for user secrets (#24270, 7270e01390) (@dylanhuff-at-coder)
  • Wire DERPTLSConfig through CLI, SDK, tailnet, VPN, agent, and health checks (#24435, 4c1a32cd7c) (@spikecurtis)
  • CLI: Add experimental agents TUI (#24150, de30488b20) (@ibetitsmike)
  • Add Explore mode as subagent-only modality (#24448, 73b5058923) (@ibetitsmike)
  • Server: Add PR status summary to telemetry snapshots (#24379, 4ba74dcdc8) (@deansheather)
  • feat(scripts/develop): enable prometheus metrics by default (#24389, a23a38c1f3) (@johnstcn)
  • Server: Add chat debug service and summary aggregation (#23916, 91f9de27a1) (@ThomasK33)
  • Label chatd metrics by model, add stream-state diagnostics (#24475, 4b585465b8) (@johnstcn)
  • Runtime user secrets injection into workspaces (#24313, 72f35e1cd3) (@zedkipp)
  • Server: Agent-created file attachments in chat (#24280, ef6969dd70) (@ethanndickson)
  • Support AWS SDK default credential chain for Bedrock authentication (#24346, 522118ab20) (@ssncferreira)
  • Server: Wire debug logging into chat lifecycle (#23917, df7e838c21) (@ThomasK33)
  • Add chat debug HTTP handlers and API docs (#23918, 18a30a7a10) (@ThomasK33)
  • Allow renaming of agent chat title (#24489, 410f9a5e19) (@jaaydenh)
  • feat(scripts/develop): add --prometheus-server flag to run Prometheus UI (#24408, d99949df43) (@johnstcn)
  • Server: Accept parameters in start_workspace tool (#24434, 1203f625b7) (@ethanndickson)
  • Make database.Chat auditable (#24485, c968a1f3a3) (@johnstcn)
  • Allow approved external MCP tools in root plan mode (#24509, 9d0469fc4c) (@ibetitsmike)
  • Surface upstream provider error details in chat callout (#24546, 2295e9d5be) (@ethanndickson)
  • Dashboard: Show MCP settings and hide insights in sidebar (#24428, 7f4127bc61) (@DanielleMaywood)
  • Server: Add description tags to tool parameter structs (#24394, 79a9f437d7) (@app/blinkagent)
  • Rebucket "Number of developers" onboarding options (#24573, f77827e84a) (@david-fraley)
  • Dashboard: Display file attachments in chat UI (#24281, cc4e04afde) (@ethanndickson)
  • Dashboard: Add chat debug API layer and panel utilities (#23919, 8c0fe6d5f2) (@ThomasK33)
  • Dashboard: Add Debug panel components and settings (#23920, 249b71b96a) (@ThomasK33)
  • Sort AI sessions by last prompt time (#24440, c23abc691f) (@jeremyruppel)
  • Add chatd tool call error metrics and logging (#24559, 72e3ae9c5f) (@johnstcn)
  • Add dependabot security backport labels (#24484, 06d7fc5200) (@CommanderK5)
  • Add lima incus example (#24640, f5ccf68e53) (@johnstcn)
  • Dashboard: Allow disengaging plan mode from Planning badge (#24651, 50dbb3d2cb) (@david-fraley)
  • Migrate agents-access to org-scoped system role for proper chat RBAC (#24438, b5a625549e) (@johnstcn)
  • Snapshot explore subagent tool entitlements (#24638, dbcc654d28) (@ibetitsmike)
  • Add general subagent model override (#24610, 3d90546aae) (@ibetitsmike)
  • Add collapsible thinking blocks with configurable display mode (#24635, 3a9a60dff8) (@DanielleMaywood)
  • Dashboard: Add Charm Crush client icon to AI Bridge UI (#24662, 346b46228f) (@dannykopping)
  • Auto-archive inactive chats with audit trail (#24642, a876287d36) (@johnstcn)
  • Add alert with link to template agent skill on page after template creation (#24588, c488658fd2) (@DevelopmentCats)
  • Dashboard: Opt AI Gateway pages into React Compiler (#24713, 780aa6ce94) (@jeremyruppel)
  • Add admin UI control for chat auto-archive days (#24704, 2f26903af9) (@johnstcn)
  • Plumb user secrets through provisioner chain to terraform (#24542, 79735f2d45) (@zedkipp)
  • Dashboard: Add duplicate model action (#24728, ebed01ac55) (@ibetitsmike)
  • Chat auto-archive owner digest notifications (#24643, 70d6efa311) (@johnstcn)
  • Add after_id pagination for chat messages (#24531, 5222db86c7) (@david-fraley)
  • Reload MCP config on change via lazy stat-on-request (#24700, 881df9a5b0) (@mafredri)
  • Add --skip-setup flag to develop script (#24794, dcb32165fa) (@aslilac)
  • Add hostAliases support to Coder helm chart (#24729, 76242f8202) (@rowansmithau)
  • Audit user secret create, update, and delete (#24756, df1bfe6479) (@zedkipp)
  • Dashboard: Remove visible text from copy/download logs buttons (#24852, 75fc13d889) (@jeremyruppel)

Bug fixes

  • Dashboard: Inline dl/dt/dd classNames and use justify-between layout in session tables (#24118, 7d3c5ac78c) (@jeremyruppel)
  • fix(scripts/githooks): clear all repo-local Git env vars in hooks (#24138, be686a8d0d) (@ethanndickson)
  • Dashboard: Standardize scrollbar styling with global baseline (#24019, 1f808cdc62) (@jaaydenh)
  • Pin fixed anthropic/fantasy forks for streaming token accounting (#24077, 590235138f) (@ibetitsmike)
  • Dashboard: Scroll when request logs tool call is huge (#24162, de61ac529d) (@jeremyruppel)
  • Dashboard: Fix agents right panel layout on small landscape viewports (#24161, 477d6d0cde) (@hugodutka)
  • Revert auto-assign agents-access role enabled (#24170, 7b0421d8c6) (@johnstcn)
  • Dashboard: Move pagination test from vitest to storybook story (#24165, 12ada0115f) (@DanielleMaywood)
  • Sanitize workspace agent logs before insert (#24028, f4240bb8c1) (@dylanhuff-at-coder)
  • Dashboard: Replace Tooltip with HelpPop… (#24057, f95a5202bf) (@code-qtzl)
  • Mark connecting agents as unhealthy instead of healthy (#24044, 584c61acb5) (@matifali)
  • Dashboard: Add padding below thinking-only assistant messages (#24140, f957981c8b) (@jaaydenh)
  • Resolve <Badge /> incorrect sizes (#22539, 2e6fdf2344) (@jakehwll)
  • Dashboard: Request logs and sessions page UI consistency (#24163, 2505f6245f) (@jeremyruppel)
  • Dashboard: Use locale string for token usage tooltip (#24177, 3f519744aa) (@jeremyruppel)
  • Dashboard: Replace expandable agentic loop section with cool design (#24171, fb0ed1162b) (@jeremyruppel)
  • Server: Stabilize startup-timeout tests with quartz (#24193, 65bf7c3b18) (@ethanndickson)
  • Bump coder/tailscale to pick up RTM_MISS fix (#24187, ad2415ede7) (@ethanndickson)
  • CLI: Retry dial timeouts in SSH connection setup (#24199, 1d0653cdab) (@EhabY)
  • OAuth2 cancel button in the authorization page not working (#24058, 83fd4cf5c2) (@fioan89)
  • Resolve <WorkspaceTimings /> size (#24235, 4018320614) (@jakehwll)
  • Fix 4px layout shift on streaming commit in chat (#24203, 1a3a92bd1b) (@jaaydenh)
  • Dashboard: Add bottom spacing for sources-only assistant messages (#24202, 76d89f59af) (@jaaydenh)
  • Remove double bottom border on build logs table (#24000, 2c32d84f12) (@DanielleMaywood)
  • Update directory for terraform-managed subagents (#24220, 3462c31f43) (@f0ssel)
  • Server: Sort pinned chats first in GetChats pagination (#24222, a62ead8588) (@mafredri)
  • Resolve idle timeout recording test flake on macOS (#24240, 8dff1cbc57) (@kylecarbs)
  • Dashboard: Show "Preparing" in workspace pill during agent startup scripts (#24286, 39ceb8cfe3) (@DanielleMaywood)
  • Resolve flaky TestWatchChats/DiffStatusChangeIncludesDiffStatus (#24298, 69917b4516) (@kylecarbs)
  • Dashboard: Use readonly Organization[] and explicit is_default lookups (#24288, 11fe4972b6) (@johnstcn)
  • Validate individual edit entries in parseEditFilesArgs (#24301, 1458861fd2) (@DanielleMaywood)
  • Use per-chat plan file paths (#24268, a554de372a) (@ibetitsmike)
  • Prevent site storybook tests from hanging after completion (#23936, a1ef3043bb) (@mafredri)
  • Dashboard: Hide bottom spacer on last session thread (#24248, 4d4266a4ad) (@jeremyruppel)
  • Stop group spend limits from leaking across org boundaries (#24294, c552f9f281) (@johnstcn)
  • Remove OIDC_TOKEN from secrets deny list (#24337, 6fb27c980d) (@zedkipp)
  • fix(.github/workflows/contrib): use @actions/github instead of @octokit/rest in community-label job (#24343, 7e68d18e04) (@f0ssel)
  • Relax secrets env var denylist for model providers (#24344, 0832033a73) (@zedkipp)
  • fix(Makefile): rebuild clidocgen when Go sources or template change (#24302, 0080bcbf33) (@ethanndickson)
  • Fix false positive disconnected agent metric reporting (#24225, 730edba87a) (@cstyan)
  • Resolve double border on <WorkspaceTimings /> (#24358, 44f361d1a5) (@jakehwll)
  • Server: Validate webpush subscription endpoints (#24347, 5812f84e1c) (@ThomasK33)
  • Address post-merge review findings for chat org scoping (#24297, 6194bd6f57) (@johnstcn)
  • Use findByRole in ProviderWithUserKeysOnly storybook to avoid race condition (#24367, 70840441e4) (@DanielleMaywood)
  • Use VSCode icons instead of ExternalLinkIcon on agent page workspace selector (#24370, 49d8c9e018) (@DanielleMaywood)
  • Dashboard: Remove double border at top of RightPanel (#24364, 0360bc33f8) (@DanielleMaywood)
  • Dashboard: Style navbar version badge as a notch (#24372, f8d521d527) (@johnstcn)
  • Server: Hoist system prompt fetch out of chat creation transactions (#24369, e7883d4573) (@ethanndickson)
  • Prevent 'See all templates' from overlapping template list in New Workspace dropdown (#24356, 517bb1f9f7) (@35C4n0r)
  • Dashboard: Prevent empty organization_id when permittedOrgs resolves to empty (#24393, 91446ac7ca) (@DanielleMaywood)
  • CLI: Prevent false deprecation warnings for renamed options (#23931, e3f2398343) (@stirby)
  • Re-fetch context files and skills from workspace on each turn (#24360, d11849d94a) (@kylecarbs)
  • Don't skip tag naming when building nix image (#24403, 280735db0f) (@aslilac)
  • Fix dogfood template presets (#24406, fda05938bb) (@aslilac)
  • Move OnChatUpdated call after agent is ready in create/start workspace (#24410, 9c74c8c674) (@kylecarbs)
  • Fix image_type options (#24411, fded2cb5c9) (@aslilac)
  • Dashboard: Truncate long workspace name in chat input toolbar (#24412, 8bc91d982f) (@kylecarbs)
  • Remove mui dependency on useClickableTableRow() (#24373, 51ac35cc64) (@jakehwll)
  • Restore kebab menu flex (#24359, 074ff79af7) (@jakehwll)
  • Server: Auto-update workspace to active template version on chat start (#24424, 91b35a25ee) (@ethanndickson)
  • Add missing ClientType to InsertChat test params (#24436, eae9444dbe) (@ethanndickson)
  • Dashboard: Allow search by label in MultiSelectComboBox (#24421, 383b10f71e) (@johnstcn)
  • Associate computer use recordings with chats (#24471, db8191277b) (@hugodutka)
  • fix(.github/workflows): upgrade github-script to v9 in community-label job (#24479, d8d63ad9a0) (@jdomeracki-coder)
  • fix(dogfood): fix capitalization typo and extra blank line (#24481, a41c8d73b1) (@EhabY)
  • fix(dogfood): update display name and add README (#24487, ee563636ed) (@EhabY)
  • Reap idle chatd stream states on a timer (#24476, 3f6b40a833) (@johnstcn)
  • Dashboard: Insert newline on mobile Enter (#24498, c40f45b986) (@david-fraley)
  • Dashboard: Use hard reload after login to reload metadata (#24239, a2b9b74f4a) (@jeremyruppel)
  • Dashboard: Fix flaky CreateWorkspacePage tests (#24480, a53f52ee38) (@DanielleMaywood)
  • Server: Save refreshed token before validation (#24332, 2a1984f0e8) (@mafredri)
  • Server-side diffs and stricter fuzzy splicing for edit_files (#24454, 6b0bb02e5d) (@mafredri)
  • Resolve <ChatTopBar /> fmt issue (#24515, 5f6c74adfa) (@jakehwll)
  • Server: Reduce relay reconnect spam (#24495, 12e49c18a5) (@johnstcn)
  • Dashboard: Prevent workspace icon from shrinking in chat pill (#24521, f688e85898) (@DanielleMaywood)
  • Classify HTTP/2 transport failures as retryable timeouts (#24502, df429b7f60) (@johnstcn)
  • Exclude subagent chats from sidebar pagination (#24404, fc2493780f) (@mafredri)
  • Sort child chats newest-first and prepend on creation (#24524, 467430d8fa) (@mafredri)
  • Server: Add frame-ancestors CSP directive to prevent clickjacking (#24474, 615be176b8) (@jdomeracki-coder)
  • Server: Enforce workspace authz on watchChatGit (#24477, ea00d2d396) (@deansheather)
  • Server: Omit frame-ancestors CSP for embed routes (#24529, 411ed21059) (@jdomeracki-coder)
  • Dashboard: Stabilize app.spec.ts e2e test (#24400, 4b755e514a) (@jeremyruppel)
  • Dashboard: Stabilize agent form stories (#24532, 2f0d715e9f) (@johnstcn)
  • Dashboard: Simplify prerelease css (#24514, 3b561dcea9) (@jakehwll)
  • Dashboard: Replace misused useEffectEvent with correct patterns (#24525, bf885ccc71) (@DanielleMaywood)
  • Dashboard: Polish table alignment for workspace proxies (#24538, 3b0cd5bb12) (@tracyjohnsonux)
  • Reuse shared tailnet for coderd-hosted MCP workspace tools (#24460, 181e103201) (@ethanndickson)
  • Dashboard: Implement agent logs improvements (#24455, 3466806a66) (@jakehwll)
  • Server: Add chattest.OpenAI() default fake server (#24540, 5f3effd839) (@johnstcn)
  • Database: Renumber duplicate MCP migration (#24552, cb67e71835) (@ibetitsmike)
  • Server: Deflake TestSubscribeRelayDrainWithinGraceLeavesBufferRetained (#24549, f56adf5731) (@johnstcn)
  • Dashboard: Fix flaky TemplateVariablesPage submit test (#24459, a62c0c1afc) (@jakehwll)
  • Stop tracking chat title in audit logs (#24564, 4d45b69b03) (@johnstcn)
  • Dashboard: Wait for file upload before submitting create template form (#24548, 2b8a2c9c5d) (@jakehwll)
  • Rebuild modeloptionsgen when codersdk changes (#24543, ef2b3a7263) (@ethanndickson)
  • Dashboard: Show startup script failure message without restart suggestion (#24449, b4eb0e20e5) (@jeremyruppel)
  • Server: Fix TestPatchChat/Title flake by waiting for chat to settle (#24572, 148e56b5d9) (@jaaydenh)
  • Handle expired chat file attachments in replay and UI (#24518, 353e522614) (@ethanndickson)
  • Dashboard: Add bottom spacing for no-renderable assistant fallback messages (#24551, b62881eb85) (@jaaydenh)
  • Server: Use waitChatSettled in remaining title tests (#24585, 360e119b43) (@johnstcn)
  • Server: Allow deleting chat providers used in historical chats (#24568, ad1906589d) (@ethanndickson)
  • Server: Enforce ActionSSH in MCP HTTP agent connection path (#24607, 86b2db60b2) (@jdomeracki-coder)
  • Server: Detect disconnected agents in getWorkspaceConn (#24336, 78d9a220cf) (@mafredri)
  • Support Bedrock ambient AWS credentials for Agents providers (#24397, 9634739aed) (@ibetitsmike)
  • Server: Record SSE attempts on EOF (#24565, 26b64fa523) (@ThomasK33)
  • Server: Allow Anthropic per-modality ratelimit headers (#24592, b7c2c59931) (@ThomasK33)
  • Infer workspace from env in coder support bundle (#24617, 3362b5ae7e) (@EhabY)
  • Grant AsAIBridged ResourceSystem.ActionCreate for UpsertAISeatState (#24603, ec91ac5427) (@mtojek)
  • Fall back to local git watcher for chat diff drawer (#24512, 7904bed947) (@ibetitsmike)
  • fix(aibridge): track Charm Crush client and session ID (#24630, 8aa3294f06) (@dannykopping)
  • Dashboard: Make workspace notification pills keyboard accessible (#24536, 075face3cb) (@code-qtzl)
  • Dashboard: Fix workspace unhealthy dialog stories (#24637, 514b4994c6) (@jeremyruppel)
  • Server: Remove cache-miss check blocking agent recovery (#24634, 1ace519c6e) (@mafredri)
  • Server: Fix TestListChats/PinnedOnFirstPage race timeout (#24641, be1256c418) (@johnstcn)
  • Scale Testing: Make measureDeletion more reliable/less brittle (#23614, b714fe8e71) (@cstyan)
  • Scale Testing: Fix Runner.Cleanup() to delete workspaces (#23627, 7d044fa598) (@cstyan)
  • Dashboard: Remove agent settings insights menu link (#24644, 73857222ab) (@ibetitsmike)
  • Server: Deflake relay drain test for multiple timers (#24609, d9e3e206cc) (@johnstcn)
  • CLI: Fix flaky TestExpAgentsE2E/ExistingChatHistory (#24661, be011b210b) (@johnstcn)
  • Dashboard: Prevent sticky message cycling when submitting edited message (#24292, 6edb49dcfa) (@DanielleMaywood)
  • Server: Fix flaky TestSpawnComputerUseAgentInheritsContext (#24666, 2e5c7d99c2) (@johnstcn)
  • Dashboard: Improve agents page mobile view (#24508, 95386f526a) (@tracyjohnsonux)
  • Agent: Flaky TestPortableDesktop_StopRecording_WithThumbnail (#24671, 397c9fb76a) (@hugodutka)
  • Stabilize git tab during edit_files (#24648, ca14aa37c4) (@johnstcn)
  • Dashboard: Fix action bar hidden after null-returning assistant messages (#24566, e17da2f648) (@jaaydenh)
  • Promote MCP server display name to a required form field (#24652, f96f7b992f) (@david-fraley)
  • Dashboard: Use highlight-orange for warning badge text and border (#24674, e56b409873) (@tracyjohnsonux)
  • Dashboard: Remove last-checked label from git diff panel (#24675, a13f7f18e5) (@johnstcn)
  • Server: Reject API operations on archived chats (#24633, f8fe5d680b) (@mafredri)
  • Dashboard: Focus agents terminal on tab switch (#24677, c56061a09d) (@hugodutka)
  • Dashboard: Fix OpensAdminSubPanelOnMobile story on mobile viewport (#24678, 7efccfa996) (@johnstcn)
  • Server: Reject pinning child chats in patchChat handler (#24669, c602a31856) (@johnstcn)
  • Server: Prevent invalid tool results from poisoning chat history (#24663, a02339c66a) (@johnstcn)
  • fix(Makefile): run storybook tests after Go tests in pre-push (#24703, ce125831d3) (@mafredri)
  • Persist per-turn model on chats and queued messages (#24688, c7cac9debe) (@ibetitsmike)
  • Database: Rename duplicate migration 477 (#24707, 0ccfd575d0) (@johnstcn)
  • Fixes aibridge integration tests failing on windows (#24665, b8906c84a1) (@pawbana)
  • Dashboard: Add copy buttons to raw attempts (#24705, 88b62a3359) (@ThomasK33)
  • Do not clobber dynamic parameters (#24645, d958d89b6f) (@code-asher)
  • Reduce re-registration interval to 5s to prevent replica staleness flapping (#24597, 6ac25c9ece) (@sreya)
  • Honor parameter defaults in --use-parameter-defaults and SSH auto-start (#24591, 02b123518c) (@jeremyruppel)
  • Server: Sanitize Anthropic provider tool history (#24706, 0211448d09) (@ibetitsmike)
  • Resolve outsideBox style for tabs (#24561, 056203f8fc) (@jakehwll)
  • Dashboard: Persist chat draft attachments (#24709, aee85040f0) (@ibetitsmike)
  • Server: Wake after auto-promoting queued message (#24714, ed33e28b13) (@ibetitsmike)
  • Prevent malformed OpenAI Responses continuations (#24725, 62e9752acd) (@ibetitsmike)
  • Clean Bedrock headers (#24718, 99a83a2702) (@ibetitsmike)
  • Recover web push subscriptions after PWA reinstall (#24720, 069223ae26) (@kylecarbs)
  • Restore osv scanner workflow (#24702, 2446be44b8) (@CommanderK5)
  • Remember last active sidebar tab per agent session (#24631, 23b30b7285) (@jaaydenh)
  • Fall back to name lookup for UUID-shaped workspace names (#24340, d5a5be116d) (@johnstcn)
  • Dashboard: Use theme-aware color for agent row tab bottom border (#24737, 33ffedf411) (@jeremyruppel)
  • Dashboard: Align thinking disclosure (#24743, ad3095106d) (@kylecarbs)
  • Redirect OAuth2 authorization page to dashboard (#24499, a8e7f329ac) (@fioan89)
  • Dashboard: Close terminal window on command confirmation cancel (#24765, 06ebde3894) (@jdomeracki-coder)
  • Dashboard: Support archived URL query (#24742, 68c8499c9a) (@johnstcn)
  • Server: Repair Anthropic provider tool history (#24744, 99eb46dac1) (@ibetitsmike)
  • Set Bedrock streaming accept headers (#24776, dec3e98e54) (@ibetitsmike)
  • Match Bedrock streaming accept headers (#24781, 8fe11e9b14) (@ibetitsmike)
  • Server: Block chain mode when provider missing tool results (#24782, 1666bff1f9) (@johnstcn)
  • Pass agent context config explicitly instead of reading env (#24759, 3c450899ea) (@mafredri)
  • Server: Detect rate-limit 403/429 and narrow isFailedRefresh (#24334, 1926b7e658) (@mafredri)
  • Allow coderd to start with an empty DERP map when built-in DERP is disabled (#24544, 3f0e015fe5) (@geokat)
  • Server: Restore request body after capture (#24784, 1d8e29815e) (@ibetitsmike)
  • Server: Avoid data races in DERP report (#24795, 9538390107) (@geokat)
  • Dashboard: Remove Request Logs from admin menu, redirect /aibridge to sessions (#24840, feca4c25d8) (@dannykopping)
  • Add preset support to MCP tools (#24694, eabb68d89e) (@johnstcn)
  • Server: Detect concurrent refresh race to prevent cache poisoning (#24228, e67d027786) (@jasonwbarnett)
  • Server: Cut DB fan-out on agent instance-identity auth (backport #24973) (#24982, f009c17217)

Documentation

  • Replace dockerd with service docker start in Sysbox examples (#24004, 983819860f) (@matifali)
  • Add AI Bridge structured log record types and monitoring cross-link (#23979, c2592c9f12) (@jcjiang)
  • Update release calendar to reflect 2.31 as stable (#24159, 543c448b72) (@app/blinkagent)
  • Add BYOK docs, fix tool tables, add platform controls (#24178, 506fba9ebf) (@mattvollmer)
  • Rename "Security implications" to "Security posture" (#24181, d954460380) (@mattvollmer)
  • Rename AI Bridge to AI Gateway and Agent Boundaries to Agent Firewall (#24094, 7a94a683c4) (@dannykopping)
  • Documentation: Document AI Gateway Proxy private IP restrictions (#24209, d9700baa8d) (@ssncferreira)
  • Byok docs (#24032, ff6f5893df) (@evgeniy-scherbina)
  • Use coder-api-token instead of coder-session-token (#24316, 95fd3e5e23) (@evgeniy-scherbina)
  • Add BYOK compatibility table (#24315, 574979a5f3) (@evgeniy-scherbina)
  • Move copilot provider config from clients to setup (#24382, ba6bef1ac7) (@matifali)
  • Clarify copilot plans in provider config (#24433, f07a33225e) (@matifali)
  • Add coder-templates skill references to quickstart and template contribution guides (#24383, b89ddb593d) (@DevelopmentCats)
  • Add git providers and PR Insights pages for Coder Agents (#24447, cc4eaff248) (@mattvollmer)
  • Remove unused paused and completed chat statuses, add requires_action (#24264, 1feb183a87) (@david-fraley)
  • Update MCP Server description for clarity (#24655, ff1308c0b1) (@matifali)
  • Documentation: Add Governance Layer section to architecture page (#24587, fb26b39780) (@jcjiang)
  • Add v2.32 to release calendar (#24589, 135ab29aa8) (@dannykopping)
  • Documentation: Clarify MCP tools injection deprecation timeline (#24750, adea1fa28f) (@jcjiang)
  • Add deprecation warning for login-type none (#24594, 4820f13eb4) (@zenithwolf1000)
  • Clarify PR body wrapping (#24764, bf66f63ac5) (@ibetitsmike)
  • Document terminal command confirmation dialog (#24771, 1c70c9638d) (@jdomeracki-coder)
  • Add early access user secrets guide (#24735, 55ed6cfa06) (@matifali)

Code refactoring

  • Dashboard: Extract BackButton and AdminBadge (#24130, 17a71aea72) (@DanielleMaywood)
  • Dashboard: Extract ConfirmDeleteDialog component (#24128, 3a612898c6) (@DanielleMaywood)
  • Replace useEffectEvent polyfill with native React 19.2 hook (#24060, 86b919e4f7) (@DanielleMaywood)
  • Decompose AgentSettingsBehaviorPageView + remove kyleosophy (#24141, f820945d9f) (@johnstcn)
  • Dashboard: Replace !! with Boolean() for boolean coercion (#24180, 3d139c1a24) (@DanielleMaywood)
  • Dashboard: Remove mui from a few components (#24125, 224db483d7) (@aslilac)
  • Dashboard: Migrate some components from emotion to tailwind (#24182, 9d6557d173) (@aslilac)
  • Send raw typed payloads over chat WebSockets (#24148, 38d4da82b9) (@DanielleMaywood)
  • Dashboard: Convert OrganizationAutocomplete to fully controlled component (#24211, 0a14bb529e) (@johnstcn)
  • Dashboard: Address plan-mode frontend review feedback (#24426, 6bb44447d4) (@ibetitsmike)
  • Replace @mui/x-tree-view with simple tree components (#24266, 72c3563257) (@aslilac)
  • Dashboard: Replace shadcn color aliases with semantic design tokens (#24284, 23f9e26796) (@chrifro)
  • Unify subagent spawn behind spawn_subagent (#24535, f073323c89) (@ibetitsmike)
  • Dashboard: Rename border-hover token to border-secondary (#24553, 5cce3ee5f4) (@chrifro)
  • Dashboard: Split Agent Settings Behavior into focused destinations (#24574, 60186b2489) (@ibetitsmike)
  • Dashboard: Replace custom scroll implementation with react-infinite-scroll-component (#24687, 4505278a9f) (@DanielleMaywood)
  • Dashboard: Drop redundant window. prefix on browser globals (#24500, d78a78ffa1) (@aslilac)
  • Dashboard: Align tool-call and message styling (#24790, 4a91656fe5) (@kylecarbs)
  • Dashboard: Remove Stack component (#24503, 5afb297042) (@aslilac)

Performance improvements

  • Reorder declarations to fix React Compiler scope pruning (#24098, 3f7a3e3354) (@DanielleMaywood)
  • Dashboard: Add reconnect jitter to reconnectingWebsocket (#24096, f219834f5c) (@ethanndickson)
  • Dashboard: Split InlineMarkdown out of Markdown to avoid loading PrismJS in initial bundle (#24192, 19e0e0e8e6) (@jaaydenh)
  • Dashboard: Optimistically edit chat messages (#23976, a0ea71b74c) (@ethanndickson)
  • Server: Cheaper chatd org membership checks (#24361, 227f20df6a) (@ethanndickson)
  • Fix DiffViewer scroll performance (#24300, e421c2f747) (@jaaydenh)

Tests

  • Skip TestSubscribeRelayEstablishedMidStream (#24431, b9bc0ad6df) (@ethanndickson)
  • Pin DateRangePicker calendar today to caller-supplied clock (#24517, 596e55b136) (@ethanndickson)
  • Server: Deflake stale control notification test (#24545, c1421b4ead) (@ethanndickson)
  • Add regression guard for chat title masking (#24584, 38f5d3f0b2) (@johnstcn)
  • Dashboard: Add Debug panel Storybook stories (#23921, 5c316d4252) (@ThomasK33)
  • Server: Seed anthropic provider for computer_use tests (#24611, 9b5d09ebdc) (@ibetitsmike)

Continuous integration

  • Add cherry-pick to latest release workflow (#24051, ab77154975) (@f0ssel)
  • Add automatic backport workflow (#24025, a3de0fc78d) (@f0ssel)
  • Attribute cherry-pick/backport PRs to the requesting user (#24195, 2c499484b7) (@f0ssel)
  • Add cherry-pick PR check for release branches (#24121, 76cbc580f0) (@f0ssel)
  • Use GitHub App for community label org membership check (#24149, 079dc48ba0) (@f0ssel)
  • Fix texlive.svg viewBox and add icon paths to CI go filter (#24322, 47a12d26bc) (@ethanndickson)
  • Broaden workflow path filter and fix zizmor lint findings (#24323, 155e98914d) (@ethanndickson)
  • Add build provenance attestation for release binaries (#24345, d0c9571f62) (@matifali)
  • Migrate doc-check workflow from Coder Tasks to Coder Agents (#24388, 630de40160) (@stirby)
  • Add InTx linter replacing ruleguard rule (#24422, 55e525fc28) (@ethanndickson)
  • Post docs preview link on PRs that change docs (#24283, d3cc23d8ba) (@dannykopping)
  • Pass github.repository through env var (#24605, e3a1fb0c89) (@jdomeracki-coder)
  • ci(.github/workflows/contrib): skip community label for dependabot (#24660, 9f02fec3a9) (@jdomeracki-coder)
  • Add permissions section to backport.yaml (#24654, 1e21b288b9) (@matifali)

Chores

  • Revert force deploying main (#23290, 497f637f58) (@johnstcn)
  • Update to our fork of charm.land/fantasy with appendCompact perf improvement (#24142, 27e5ff0a8e) (@johnstcn)
  • chore(Makefile): use go build -o for helper binaries to reduce GOCACHE growth (#24197, f8e8f979a2) (@ibetitsmike)
  • Complete jest to vitest migration (#24216, b149433138) (@aslilac)
  • Fix typescript skill table (#24217, c67c93982b) (@aslilac)
  • Update EA text and docs link in Coder Agents UI (#24255, bd467ce443) (@david-fraley)
  • Bump aibridge version (#24368, 34f3d4a92a) (@pawbana)
  • Documentation: Remove misleading chat forking reference (#24396, dd7397b42e) (@mattvollmer)
  • Update our fork of fantasy/anthropic-sdk-go to fix MarshalJSON over-allocations (#24390, 2b68a1f4bd) (@johnstcn)
  • Upgrade to ubuntu 26.04 (#24267, d23a6959fc) (@aslilac)
  • Increase coderd_chatd_message_count histogram max bucket to 1024 (#24409, e996f6d44b) (@app/blinkagent)
  • Follow-ups from #23948 (#24377, 914a0f7830) (@dannykopping)
  • Improve design of agents behavior settings page (#24324, 509784a2a3) (@jaaydenh)
  • Update design of add users dialog (#24287, 4064b602de) (@jaaydenh)
  • Add client_type field to chats and telemetry (#24342, 3452ab3166) (@deansheather)
  • Add dogfood template for coder/vscode-coder development (#24306, 890c610e08) (@EhabY)
  • Add import block for vscode-coder template in dogfood (#24472, c0abf8f7e3) (@deansheather)
  • Add GetLatestWorkspaceBuildWithStatusByWorkspaceID query (#24441, e19b21b7d5) (@spikecurtis)
  • Split Pubsub interface into Publisher and Subscriber (#24442, 2ea27e897b) (@spikecurtis)
  • Use coder/hc-install fork to fix expired PGP key verification (#24516, 7e89534d32) (@ethanndickson)
  • Add devcontainers icon (#24478, 81bd78d1c0) (@matifali)
  • Dashboard: Demui <Avatar /> and <AvatarCard /> (#24527, 7f1b9cb648) (@jakehwll)
  • Dashboard: Demui <CodeExample /> (#24528, 9324c16c97) (@jakehwll)
  • Dashboard: Replace inline add member form with dialog on <OrganizationMembersPage /> (#24429, e186dc3222) (@jakehwll)
  • Tighten .vscode IDE and typescript configuration (#24537, 67c57abb63) (@jakehwll)
  • Dashboard: Decss the <WorkspaceBuild* /> pages (#24530, ac6c9452c0) (@jakehwll)
  • Bump hashicorp/hc-install to v0.9.4 and drop coder fork replace (#24547, bd3ed18fb1) (@ethanndickson)
  • Add no-emdash/endash rule to agent instructions and CI lint (#24375, 623e72d72d) (@mafredri)
  • Move aibridge library code into coder repo (#24190, e00e85765b) (@pawbana)
  • Examples: Update incus template (#24616, 68508e1fd3) (@johnstcn)
  • chore(dogfood): add CODER_AGENT_EXP_MCP_CONFIG_FILES env var (#24664, 7e29a67b50) (@mafredri)
  • De-css <UserSettingsPage /> children (#24647, 537e35dd94) (@jakehwll)
  • Deprecate /api/v2/aibridge/interceptions endpoint (#24670, a8613b2209) (@dannykopping)
  • Bump coder/fantasy to include gpt-5.5 Responses API support (#24712, a497d934db) (@app/blinkagent)
  • Uprev coder/terraform-provider-coder to v2.16.0 (#24719, ef6e452825) (@zedkipp)
  • Upgrade to pnpm 10.33 (#24746, 12e9f5bb61) (@aslilac)
  • Include pgcoordinator schema changes in 2.33 (#24931, 17635dde5c)

Compare: v2.32.1...v2.33.0

Container image

  • docker pull ghcr.io/coder/coder:2.33.0

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

Breaking Changes

  • Removed `api.ts` file – any imports or calls to it will fail.
  • Dashboard: Executing a terminal command from a URL now requires an explicit confirmation dialog before execution.

Security Fixes

  • Bump Go toolchain to 1.25.9 (addresses upstream security updates).
  • Replace trivy with osv-scanner (security scanning improvement).
  • Bump gomarkdown to patched revision (includes CVE fixes).

About coder

Secure environments for developers and their agents
