coder
diff --git a/‎.github/workflows/ci.yaml
+46-11 b/‎.github/workflows/ci.yaml
+46-11
diff --git a/‎.github/workflows/contrib.yaml
+2-1 b/‎.github/workflows/contrib.yaml
+2-1
diff --git a/‎.prettierrc.yaml
+5-5 b/‎.prettierrc.yaml
+5-5
diff --git a/‎Makefile
+9-5 b/‎Makefile
+9-5
diff --git a/‎README.md
+1-1 b/‎README.md
+1-1
diff --git a/‎SECURITY.md
+47-39 b/‎SECURITY.md
+47-39
diff --git a/‎agent/agent.go
+12-9 b/‎agent/agent.go
+12-9
diff --git a/‎cli/agent_test.go
+9-9 b/‎cli/agent_test.go
+9-9
@@ -137,7 +137,7 @@ jobs:
 
       # Check for any typos
       - name: Check for typos
-        uses: crate-ci/typos@v1.16.4
+        uses: crate-ci/typos@v1.16.6
         with:
           config: .github/workflows/typos.toml
 
@@ -169,14 +169,35 @@ jobs:
         with:
           fetch-depth: 1
 
-      - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@v4
+      - name: Setup Node
+        uses: ./.github/actions/setup-node
+
+      - name: Setup Go
+        uses: ./.github/actions/setup-go
 
-      - name: Run the Magic Nix Cache
-        uses: DeterminateSystems/magic-nix-cache-action@v2
+      - name: Setup sqlc
+        uses: ./.github/actions/setup-sqlc
+
+      - name: go install tools
+        run: |
+          go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30
+          go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.33
+          go install golang.org/x/tools/cmd/goimports@latest
+          go install github.com/mikefarah/yq/v4@v4.30.6
+          go install github.com/golang/mock/mockgen@v1.6.0
+
+      - name: Install Protoc
+        run: |
+          mkdir -p /tmp/proto
+          pushd /tmp/proto
+          curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.3/protoc-23.3-linux-x86_64.zip
+          unzip protoc.zip
+          cp -r ./bin/* /usr/local/bin
+          cp -r ./include /usr/local/bin/include
+          popd
 
       - name: make gen
-        run: "nix-shell --command 'make --output-sync -j -B gen'"
+        run: "make --output-sync -j -B gen"
 
       - name: Check for unstaged files
         run: ./scripts/check_unstaged.sh
@@ -508,15 +529,27 @@ jobs:
       - name: Setup Terraform
         uses: ./.github/actions/setup-tf
 
-      - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@v4
+      - name: go install tools
+        run: |
+          go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30
+          go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.33
+          go install golang.org/x/tools/cmd/goimports@latest
+          go install github.com/mikefarah/yq/v4@v4.30.6
+          go install github.com/golang/mock/mockgen@v1.6.0
 
-      - name: Run the Magic Nix Cache
-        uses: DeterminateSystems/magic-nix-cache-action@v2
+      - name: Install Protoc
+        run: |
+          mkdir -p /tmp/proto
+          pushd /tmp/proto
+          curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.3/protoc-23.3-linux-x86_64.zip
+          unzip protoc.zip
+          cp -r ./bin/* /usr/local/bin
+          cp -r ./include /usr/local/bin/include
+          popd
 
       - name: Build
         run: |
-          nix-shell --command 'make -B site/out/index.html'
+          make -B site/out/index.html
 
       - run: pnpm playwright:install
         working-directory: site
@@ -568,6 +601,7 @@ jobs:
           # https://www.chromatic.com/docs/github-actions#forked-repositories
           projectToken: 695c25b6cb65
           workingDir: "./site"
+          storybookBaseDir: "./site"
           # Prevent excessive build runs on minor version changes
           skip: "@(renovate/**|dependabot/**)"
           # Run TurboSnap to trace file dependencies to related stories
@@ -593,6 +627,7 @@ jobs:
           buildScriptName: "storybook:build"
           projectToken: 695c25b6cb65
           workingDir: "./site"
+          storybookBaseDir: "./site"
           # Run TurboSnap to trace file dependencies to related stories
           # and tell chromatic to only take snapshots of relevent stories
           onlyChanged: true
 
@@ -46,7 +46,8 @@ jobs:
           path-to-document: "https://github.com/coder/cla/blob/main/README.md"
           # branch should not be protected
           branch: "main"
-          allowlist: dependabot*
+          # Some users have signed a corporate CLA with Coder so are exempt from signing our community one.
+          allowlist: "coryb,aaronlehmann,dependabot*"
 
   release-labels:
     runs-on: ubuntu-latest
 
@@ -2,17 +2,17 @@
 # formatting for prettier-supported files. See `.editorconfig` and
 # `site/.editorconfig`for whitespace formatting options.
 printWidth: 80
+proseWrap: always
 semi: false
 trailingComma: all
 useTabs: false
 tabWidth: 2
 overrides:
   - files:
       - README.md
+      - docs/api/**/*.md
+      - docs/cli/**/*.md
+      - .github/**/*.{yaml,yml,toml}
+      - scripts/**/*.{yaml,yml,toml}
     options:
       proseWrap: preserve
-  - files:
-      - "site/**/*.yaml"
-      - "site/**/*.yml"
-    options:
-      proseWrap: always
@@ -456,10 +456,10 @@ DB_GEN_FILES := \
 
 # all gen targets should be added here and to gen/mark-fresh
 gen: \
-	coderd/database/dump.sql \
-	$(DB_GEN_FILES) \
 	provisionersdk/proto/provisioner.pb.go \
 	provisionerd/proto/provisionerd.pb.go \
+	coderd/database/dump.sql \
+	$(DB_GEN_FILES) \
 	site/src/api/typesGenerated.ts \
 	coderd/rbac/object_gen.go \
 	docs/admin/prometheus.md \
@@ -478,10 +478,10 @@ gen: \
 # used during releases so we don't run generation scripts.
 gen/mark-fresh:
 	files="\
-		coderd/database/dump.sql \
-		$(DB_GEN_FILES) \
 		provisionersdk/proto/provisioner.pb.go \
 		provisionerd/proto/provisionerd.pb.go \
+		coderd/database/dump.sql \
+		$(DB_GEN_FILES) \
 		site/src/api/typesGenerated.ts \
 		coderd/rbac/object_gen.go \
 		docs/admin/prometheus.md \
@@ -564,7 +564,7 @@ coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen $(FIND_EXCLUSIONS)
 	./scripts/apidocgen/generate.sh
 	pnpm run format:write:only ./docs/api ./docs/manifest.json ./coderd/apidoc/swagger.json
 
-update-golden-files: cli/testdata/.gen-golden helm/coder/tests/testdata/.gen-golden helm/provisioner/tests/testdata/.gen-golden scripts/ci-report/testdata/.gen-golden enterprise/cli/testdata/.gen-golden
+update-golden-files: cli/testdata/.gen-golden helm/coder/tests/testdata/.gen-golden helm/provisioner/tests/testdata/.gen-golden scripts/ci-report/testdata/.gen-golden enterprise/cli/testdata/.gen-golden coderd/.gen-golden
 .PHONY: update-golden-files
 
 cli/testdata/.gen-golden: $(wildcard cli/testdata/*.golden) $(wildcard cli/*.tpl) $(GO_SRC_FILES) $(wildcard cli/*_test.go)
@@ -583,6 +583,10 @@ helm/provisioner/tests/testdata/.gen-golden: $(wildcard helm/provisioner/tests/t
 	go test ./helm/provisioner/tests -run=TestUpdateGoldenFiles -update
 	touch "$@"
 
+coderd/.gen-golden: $(wildcard coderd/testdata/*/*.golden) $(GO_SRC_FILES) $(wildcard coderd/*_test.go)
+	go test ./coderd -run="Test.*Golden$$" -update
+	touch "$@"
+
 scripts/ci-report/testdata/.gen-golden: $(wildcard scripts/ci-report/testdata/*) $(wildcard scripts/ci-report/*.go)
 	go test ./scripts/ci-report -run=TestOutputMatchesGoldenFile -update
 	touch "$@"
 
@@ -74,7 +74,7 @@ You can run the install script with `--dry-run` to see the commands that will be
 
 Once installed, you can start a production deployment<sup>1</sup> with a single command:
 
-```console
+```shell
 # Automatically sets up an external access URL on *.try.coder.app
 coder server
 
 
@@ -1,7 +1,7 @@
 # Coder Security
 
-Coder welcomes feedback from security researchers and the general public
-to help improve our security. If you believe you have discovered a vulnerability,
+Coder welcomes feedback from security researchers and the general public to help
+improve our security. If you believe you have discovered a vulnerability,
 privacy issue, exposed data, or other security issues in any of our assets, we
 want to hear from you. This policy outlines steps for reporting vulnerabilities
 to us, what we expect, what you can expect from us.
@@ -10,64 +10,72 @@ You can see the pretty version [here](https://coder.com/security/policy)
 
 # Why Coder's security matters
 
-If an attacker could fully compromise a Coder installation, they could spin
-up expensive workstations, steal valuable credentials, or steal proprietary
-source code. We take this risk very seriously and employ routine pen testing,
-vulnerability scanning, and code reviews. We also welcome the contributions
-from the community that helped make this product possible.
+If an attacker could fully compromise a Coder installation, they could spin up
+expensive workstations, steal valuable credentials, or steal proprietary source
+code. We take this risk very seriously and employ routine pen testing,
+vulnerability scanning, and code reviews. We also welcome the contributions from
+the community that helped make this product possible.
 
 # Where should I report security issues?
 
-Please report security issues to security@coder.com, providing
-all relevant information. The more details you provide, the easier it will be
-for us to triage and fix the issue.
+Please report security issues to security@coder.com, providing all relevant
+information. The more details you provide, the easier it will be for us to
+triage and fix the issue.
 
 # Out of Scope
 
-Our primary concern is around an abuse of the Coder application that allows
-an attacker to gain access to another users workspace, or spin up unwanted
+Our primary concern is around an abuse of the Coder application that allows an
+attacker to gain access to another users workspace, or spin up unwanted
 workspaces.
 
 - DOS/DDOS attacks affecting availability --> While we do support rate limiting
-  of requests, we primarily leave this to the owner of the Coder installation. Our
-  rationale is that a DOS attack only affecting availability is not a valuable
-  target for attackers.
+  of requests, we primarily leave this to the owner of the Coder installation.
+  Our rationale is that a DOS attack only affecting availability is not a
+  valuable target for attackers.
 - Abuse of a compromised user credential --> If a user credential is compromised
-  outside of the Coder ecosystem, then we consider it beyond the scope of our application.
-  However, if an unprivileged user could escalate their permissions or gain access
-  to another workspace, that is a cause for concern.
+  outside of the Coder ecosystem, then we consider it beyond the scope of our
+  application. However, if an unprivileged user could escalate their permissions
+  or gain access to another workspace, that is a cause for concern.
 - Vulnerabilities in third party systems --> Vulnerabilities discovered in
-  out-of-scope systems should be reported to the appropriate vendor or applicable authority.
+  out-of-scope systems should be reported to the appropriate vendor or
+  applicable authority.
 
 # Our Commitments
 
 When working with us, according to this policy, you can expect us to:
 
-- Respond to your report promptly, and work with you to understand and validate your report;
-- Strive to keep you informed about the progress of a vulnerability as it is processed;
-- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
-- Extend Safe Harbor for your vulnerability research that is related to this policy.
+- Respond to your report promptly, and work with you to understand and validate
+  your report;
+- Strive to keep you informed about the progress of a vulnerability as it is
+  processed;
+- Work to remediate discovered vulnerabilities in a timely manner, within our
+  operational constraints; and
+- Extend Safe Harbor for your vulnerability research that is related to this
+  policy.
 
 # Our Expectations
 
-In participating in our vulnerability disclosure program in good faith, we ask that you:
+In participating in our vulnerability disclosure program in good faith, we ask
+that you:
 
-- Play by the rules, including following this policy and any other relevant agreements.
-  If there is any inconsistency between this policy and any other applicable terms, the
-  terms of this policy will prevail;
+- Play by the rules, including following this policy and any other relevant
+  agreements. If there is any inconsistency between this policy and any other
+  applicable terms, the terms of this policy will prevail;
 - Report any vulnerability you’ve discovered promptly;
-- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or
-  harming user experience;
+- Avoid violating the privacy of others, disrupting our systems, destroying
+  data, and/or harming user experience;
 - Use only the Official Channels to discuss vulnerability information with us;
-- Provide us a reasonable amount of time (at least 90 days from the initial report) to
-  resolve the issue before you disclose it publicly;
-- Perform testing only on in-scope systems, and respect systems and activities which
-  are out-of-scope;
-- If a vulnerability provides unintended access to data: Limit the amount of data you
-  access to the minimum required for effectively demonstrating a Proof of Concept; and
-  cease testing and submit a report immediately if you encounter any user data during testing,
-  such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI),
-  credit card data, or proprietary information;
-- You should only interact with test accounts you own or with explicit permission from
+- Provide us a reasonable amount of time (at least 90 days from the initial
+  report) to resolve the issue before you disclose it publicly;
+- Perform testing only on in-scope systems, and respect systems and activities
+  which are out-of-scope;
+- If a vulnerability provides unintended access to data: Limit the amount of
+  data you access to the minimum required for effectively demonstrating a Proof
+  of Concept; and cease testing and submit a report immediately if you encounter
+  any user data during testing, such as Personally Identifiable Information
+  (PII), Personal Healthcare Information (PHI), credit card data, or proprietary
+  information;
+- You should only interact with test accounts you own or with explicit
+  permission from
 - the account holder; and
 - Do not engage in extortion.
@@ -678,7 +678,7 @@ func (a *agent) run(ctx context.Context) error {
 	network := a.network
 	a.closeMutex.Unlock()
 	if network == nil {
-		network, err = a.createTailnet(ctx, manifest.AgentID, manifest.DERPMap, manifest.DisableDirectConnections)
+		network, err = a.createTailnet(ctx, manifest.AgentID, manifest.DERPMap, manifest.DERPForceWebSockets, manifest.DisableDirectConnections)
 		if err != nil {
 			return xerrors.Errorf("create tailnet: %w", err)
 		}
@@ -701,8 +701,10 @@ func (a *agent) run(ctx context.Context) error {
 		if err != nil {
 			a.logger.Error(ctx, "update tailnet addresses", slog.Error(err))
 		}
-		// Update the DERP map and allow/disallow direct connections.
+		// Update the DERP map, force WebSocket setting and allow/disallow
+		// direct connections.
 		network.SetDERPMap(manifest.DERPMap)
+		network.SetDERPForceWebSockets(manifest.DERPForceWebSockets)
 		network.SetBlockEndpoints(manifest.DisableDirectConnections)
 	}
 
@@ -756,14 +758,15 @@ func (a *agent) trackConnGoroutine(fn func()) error {
 	return nil
 }
 
-func (a *agent) createTailnet(ctx context.Context, agentID uuid.UUID, derpMap *tailcfg.DERPMap, disableDirectConnections bool) (_ *tailnet.Conn, err error) {
+func (a *agent) createTailnet(ctx context.Context, agentID uuid.UUID, derpMap *tailcfg.DERPMap, derpForceWebSockets, disableDirectConnections bool) (_ *tailnet.Conn, err error) {
 	network, err := tailnet.NewConn(&tailnet.Options{
-		ID:             agentID,
-		Addresses:      a.wireguardAddresses(agentID),
-		DERPMap:        derpMap,
-		Logger:         a.logger.Named("net.tailnet"),
-		ListenPort:     a.tailnetListenPort,
-		BlockEndpoints: disableDirectConnections,
+		ID:                  agentID,
+		Addresses:           a.wireguardAddresses(agentID),
+		DERPMap:             derpMap,
+		DERPForceWebSockets: derpForceWebSockets,
+		Logger:              a.logger.Named("net.tailnet"),
+		ListenPort:          a.tailnetListenPort,
+		BlockEndpoints:      disableDirectConnections,
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("create tailnet: %w", err)
 
@@ -75,9 +75,9 @@ func TestWorkspaceAgent(t *testing.T) {
 		user := coderdtest.CreateFirstUser(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 			Parse: echo.ParseComplete,
-			ProvisionApply: []*proto.Provision_Response{{
-				Type: &proto.Provision_Response_Complete{
-					Complete: &proto.Provision_Complete{
+			ProvisionApply: []*proto.Response{{
+				Type: &proto.Response_Apply{
+					Apply: &proto.ApplyComplete{
 						Resources: []*proto.Resource{{
 							Name: "somename",
 							Type: "someinstance",
@@ -127,9 +127,9 @@ func TestWorkspaceAgent(t *testing.T) {
 		user := coderdtest.CreateFirstUser(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 			Parse: echo.ParseComplete,
-			ProvisionApply: []*proto.Provision_Response{{
-				Type: &proto.Provision_Response_Complete{
-					Complete: &proto.Provision_Complete{
+			ProvisionApply: []*proto.Response{{
+				Type: &proto.Response_Apply{
+					Apply: &proto.ApplyComplete{
 						Resources: []*proto.Resource{{
 							Name: "somename",
 							Type: "someinstance",
@@ -179,9 +179,9 @@ func TestWorkspaceAgent(t *testing.T) {
 		user := coderdtest.CreateFirstUser(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 			Parse: echo.ParseComplete,
-			ProvisionApply: []*proto.Provision_Response{{
-				Type: &proto.Provision_Response_Complete{
-					Complete: &proto.Provision_Complete{
+			ProvisionApply: []*proto.Response{{
+				Type: &proto.Response_Apply{
+					Apply: &proto.ApplyComplete{
 						Resources: []*proto.Resource{{
 							Name: "somename",
 							Type: "someinstance",