coder
diff --git a/‎.github/actions/setup-go/action.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/actions/setup-go/action.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/dependabot.yaml
Lines changed: 36 additions & 0 deletions b/‎.github/dependabot.yaml
Lines changed: 36 additions & 0 deletions
diff --git a/‎.golangci.yaml
Lines changed: 5 additions & 0 deletions b/‎.golangci.yaml
Lines changed: 5 additions & 0 deletions
diff --git a/‎cli/configssh.go
Lines changed: 26 additions & 32 deletions b/‎cli/configssh.go
Lines changed: 26 additions & 32 deletions
diff --git a/‎cli/configssh_internal_test.go
Lines changed: 4 additions & 4 deletions b/‎cli/configssh_internal_test.go
Lines changed: 4 additions & 4 deletions
diff --git a/‎cli/configssh_test.go
Lines changed: 14 additions & 1 deletion b/‎cli/configssh_test.go
Lines changed: 14 additions & 1 deletion
diff --git a/‎cli/server.go
Lines changed: 64 additions & 6 deletions b/‎cli/server.go
Lines changed: 64 additions & 6 deletions
@@ -4,7 +4,7 @@ description: |
 inputs:
   version:
     description: "The Go version to use."
-    default: "1.22.4"
+    default: "1.22.5"
 runs:
   using: "composite"
   steps:
 
@@ -39,6 +39,10 @@ updates:
       prefix: "chore"
     labels: []
     open-pull-requests-limit: 15
+    groups:
+      x:
+        patterns:
+          - "golang.org/x/*"
     ignore:
       # Ignore patch updates for all dependencies
       - dependency-name: "*"
@@ -73,6 +77,32 @@ updates:
     commit-message:
       prefix: "chore"
     labels: []
+    groups:
+      xterm:
+        patterns:
+          - "@xterm*"
+      mui:
+        patterns:
+          - "@mui*"
+      react:
+        patterns:
+          - "react*"
+          - "@types/react*"
+      emotion:
+        patterns:
+          - "@emotion*"
+      eslint:
+        patterns:
+          - "eslint*"
+          - "@typescript-eslint*"
+      jest:
+        patterns:
+          - "jest*"
+          - "@types/jest"
+      vite:
+        patterns:
+          - "vite*"
+          - "@vitejs/plugin-react"
     ignore:
       # Ignore patch updates for all dependencies
       - dependency-name: "*"
@@ -83,4 +113,10 @@ updates:
       - dependency-name: "@types/node"
         update-types:
           - version-update:semver-major
+      # Ignore @storybook updates, run `pnpm dlx storybook@latest upgrade` to upgrade manually
+      - dependency-name: "*storybook*" # matches @storybook/* and storybook*
+        update-types:
+          - version-update:semver-major
+          - version-update:semver-minor
+          - version-update:semver-patch
     open-pull-requests-limit: 15
@@ -195,6 +195,11 @@ linters-settings:
       - name: var-naming
       - name: waitgroup-by-value
 
+  # irrelevant as of Go v1.22: https://go.dev/blog/loopvar-preview
+  govet:
+    disable:
+      - loopclosure
+
 issues:
   # Rules listed here: https://github.com/securego/gosec#available-rules
   exclude-rules:
 
@@ -54,6 +54,7 @@ type sshConfigOptions struct {
 	disableAutostart bool
 	header           []string
 	headerCommand    string
+	removedKeys      map[string]bool
 }
 
 // addOptions expects options in the form of "option=value" or "option value".
@@ -74,30 +75,20 @@ func (o *sshConfigOptions) addOption(option string) error {
 	if err != nil {
 		return err
 	}
-	for i, existing := range o.sshOptions {
-		// Override existing option if they share the same key.
-		// This is case-insensitive. Parsing each time might be a little slow,
-		// but it is ok.
-		existingKey, _, err := codersdk.ParseSSHConfigOption(existing)
-		if err != nil {
-			// Don't mess with original values if there is an error.
-			// This could have come from the user's manual edits.
-			continue
-		}
-		if strings.EqualFold(existingKey, key) {
-			if value == "" {
-				// Delete existing option.
-				o.sshOptions = append(o.sshOptions[:i], o.sshOptions[i+1:]...)
-			} else {
-				// Override existing option.
-				o.sshOptions[i] = option
-			}
-			return nil
-		}
+	lowerKey := strings.ToLower(key)
+	if o.removedKeys != nil && o.removedKeys[lowerKey] {
+		// Key marked as removed, skip.
+		return nil
 	}
-	// Only append the option if it is not empty.
+	// Only append the option if it is not empty
+	// (we interpret empty as removal).
 	if value != "" {
 		o.sshOptions = append(o.sshOptions, option)
+	} else {
+		if o.removedKeys == nil {
+			o.removedKeys = make(map[string]bool)
+		}
+		o.removedKeys[lowerKey] = true
 	}
 	return nil
 }
@@ -440,26 +431,29 @@ func (r *RootCmd) configSSH() *serpent.Command {
 					configOptions := sshConfigOpts
 					configOptions.sshOptions = nil
 
-					// Add standard options.
-					err := configOptions.addOptions(defaultOptions...)
-					if err != nil {
-						return err
+					// User options first (SSH only uses the first
+					// option unless it can be given multiple times)
+					for _, opt := range sshConfigOpts.sshOptions {
+						err := configOptions.addOptions(opt)
+						if err != nil {
+							return xerrors.Errorf("add flag config option %q: %w", opt, err)
+						}
 					}
 
-					// Override with deployment options
+					// Deployment options second, allow them to
+					// override standard options.
 					for k, v := range coderdConfig.SSHConfigOptions {
 						opt := fmt.Sprintf("%s %s", k, v)
 						err := configOptions.addOptions(opt)
 						if err != nil {
 							return xerrors.Errorf("add coderd config option %q: %w", opt, err)
 						}
 					}
-					// Override with flag options
-					for _, opt := range sshConfigOpts.sshOptions {
-						err := configOptions.addOptions(opt)
-						if err != nil {
-							return xerrors.Errorf("add flag config option %q: %w", opt, err)
-						}
+
+					// Finally, add the standard options.
+					err := configOptions.addOptions(defaultOptions...)
+					if err != nil {
+						return err
 					}
 
 					hostBlock := []string{
 
@@ -272,32 +272,32 @@ func Test_sshConfigOptions_addOption(t *testing.T) {
 			},
 		},
 		{
-			Name: "Replace",
+			Name: "AddTwo",
 			Start: []string{
 				"foo bar",
 			},
 			Add: []string{"Foo baz"},
 			Expect: []string{
+				"foo bar",
 				"Foo baz",
 			},
 		},
 		{
-			Name: "AddAndReplace",
+			Name: "AddAndRemove",
 			Start: []string{
-				"a b",
 				"foo bar",
 				"buzz bazz",
 			},
 			Add: []string{
 				"b c",
+				"a ", // Empty value, means remove all following entries that start with "a", i.e. next line.
 				"A hello",
 				"hello world",
 			},
 			Expect: []string{
 				"foo bar",
 				"buzz bazz",
 				"b c",
-				"A hello",
 				"hello world",
 			},
 		},
 
@@ -65,7 +65,7 @@ func TestConfigSSH(t *testing.T) {
 
 	const hostname = "test-coder."
 	const expectedKey = "ConnectionAttempts"
-	const removeKey = "ConnectionTimeout"
+	const removeKey = "ConnectTimeout"
 	client, db := coderdtest.NewWithDatabase(t, &coderdtest.Options{
 		ConfigSSH: codersdk.SSHConfigResponse{
 			HostnamePrefix: hostname,
@@ -620,6 +620,19 @@ func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
 				regexMatch: `ProxyCommand .* --header-command "printf h1=v1 h2='v2'" ssh`,
 			},
 		},
+		{
+			name: "Multiple remote forwards",
+			args: []string{
+				"--yes",
+				"--ssh-option", "RemoteForward 2222 192.168.11.1:2222",
+				"--ssh-option", "RemoteForward 2223 192.168.11.1:2223",
+			},
+			wantErr:  false,
+			hasAgent: true,
+			wantConfig: wantConfig{
+				regexMatch: "RemoteForward 2222 192.168.11.1:2222.*\n.*RemoteForward 2223 192.168.11.1:2223",
+			},
+		},
 	}
 	for _, tt := range tests {
 		tt := tt
 
@@ -55,6 +55,11 @@ import (
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/sloghuman"
+	"github.com/coder/pretty"
+	"github.com/coder/retry"
+	"github.com/coder/serpent"
+	"github.com/coder/wgtunnel/tunnelsdk"
+
 	"github.com/coder/coder/v2/buildinfo"
 	"github.com/coder/coder/v2/cli/clilog"
 	"github.com/coder/coder/v2/cli/cliui"
@@ -64,6 +69,7 @@ import (
 	"github.com/coder/coder/v2/coderd/autobuild"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/awsiamrds"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbmem"
 	"github.com/coder/coder/v2/coderd/database/dbmetrics"
 	"github.com/coder/coder/v2/coderd/database/dbpurge"
@@ -73,6 +79,7 @@ import (
 	"github.com/coder/coder/v2/coderd/externalauth"
 	"github.com/coder/coder/v2/coderd/gitsshkey"
 	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/coderd/notifications"
 	"github.com/coder/coder/v2/coderd/oauthpki"
 	"github.com/coder/coder/v2/coderd/prometheusmetrics"
 	"github.com/coder/coder/v2/coderd/prometheusmetrics/insights"
@@ -97,10 +104,6 @@ import (
 	"github.com/coder/coder/v2/provisionersdk"
 	sdkproto "github.com/coder/coder/v2/provisionersdk/proto"
 	"github.com/coder/coder/v2/tailnet"
-	"github.com/coder/pretty"
-	"github.com/coder/retry"
-	"github.com/coder/serpent"
-	"github.com/coder/wgtunnel/tunnelsdk"
 )
 
 func createOIDCConfig(ctx context.Context, vals *codersdk.DeploymentValues) (*coderd.OIDCConfig, error) {
@@ -592,6 +595,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 					SSHConfigOptions: configSSHOptions,
 				},
 				AllowWorkspaceRenames: vals.AllowWorkspaceRenames.Value(),
+				NotificationsEnqueuer: notifications.NewNoopEnqueuer(), // Changed further down if notifications enabled.
 			}
 			if httpServers.TLSConfig != nil {
 				options.TLSCertificates = httpServers.TLSConfig.Certificates
@@ -660,6 +664,10 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				options.OIDCConfig = oc
 			}
 
+			experiments := coderd.ReadExperiments(
+				options.Logger, options.DeploymentValues.Experiments.Value(),
+			)
+
 			// We'll read from this channel in the select below that tracks shutdown.  If it remains
 			// nil, that case of the select will just never fire, but it's important not to have a
 			// "bare" read on this channel.
@@ -969,6 +977,32 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			options.WorkspaceUsageTracker = tracker
 			defer tracker.Close()
 
+			// Manage notifications.
+			var (
+				notificationsManager *notifications.Manager
+			)
+			if experiments.Enabled(codersdk.ExperimentNotifications) {
+				cfg := options.DeploymentValues.Notifications
+
+				// The enqueuer is responsible for enqueueing notifications to the given store.
+				enqueuer, err := notifications.NewStoreEnqueuer(cfg, options.Database, templateHelpers(options), logger.Named("notifications.enqueuer"))
+				if err != nil {
+					return xerrors.Errorf("failed to instantiate notification store enqueuer: %w", err)
+				}
+				options.NotificationsEnqueuer = enqueuer
+
+				// The notification manager is responsible for:
+				//   - creating notifiers and managing their lifecycles (notifiers are responsible for dequeueing/sending notifications)
+				//   - keeping the store updated with status updates
+				notificationsManager, err = notifications.NewManager(cfg, options.Database, logger.Named("notifications.manager"))
+				if err != nil {
+					return xerrors.Errorf("failed to instantiate notification manager: %w", err)
+				}
+
+				// nolint:gocritic // TODO: create own role.
+				notificationsManager.Run(dbauthz.AsSystemRestricted(ctx))
+			}
+
 			// Wrap the server in middleware that redirects to the access URL if
 			// the request is not to a local IP.
 			var handler http.Handler = coderAPI.RootHandler
@@ -1049,10 +1083,10 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			case <-stopCtx.Done():
 				exitErr = stopCtx.Err()
 				waitForProvisionerJobs = true
-				_, _ = io.WriteString(inv.Stdout, cliui.Bold("Stop caught, waiting for provisioner jobs to complete and gracefully exiting. Use ctrl+\\ to force quit"))
+				_, _ = io.WriteString(inv.Stdout, cliui.Bold("Stop caught, waiting for provisioner jobs to complete and gracefully exiting. Use ctrl+\\ to force quit\n"))
 			case <-interruptCtx.Done():
 				exitErr = interruptCtx.Err()
-				_, _ = io.WriteString(inv.Stdout, cliui.Bold("Interrupt caught, gracefully exiting. Use ctrl+\\ to force quit"))
+				_, _ = io.WriteString(inv.Stdout, cliui.Bold("Interrupt caught, gracefully exiting. Use ctrl+\\ to force quit\n"))
 			case <-tunnelDone:
 				exitErr = xerrors.New("dev tunnel closed unexpectedly")
 			case <-pubsubWatchdogTimeout:
@@ -1088,6 +1122,21 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			// Cancel any remaining in-flight requests.
 			shutdownConns()
 
+			if notificationsManager != nil {
+				// Stop the notification manager, which will cause any buffered updates to the store to be flushed.
+				// If the Stop() call times out, messages that were sent but not reflected as such in the store will have
+				// their leases expire after a period of time and will be re-queued for sending.
+				// See CODER_NOTIFICATIONS_LEASE_PERIOD.
+				cliui.Info(inv.Stdout, "Shutting down notifications manager..."+"\n")
+				err = shutdownWithTimeout(notificationsManager.Stop, 5*time.Second)
+				if err != nil {
+					cliui.Warnf(inv.Stderr, "Notifications manager shutdown took longer than 5s, "+
+						"this may result in duplicate notifications being sent: %s\n", err)
+				} else {
+					cliui.Info(inv.Stdout, "Gracefully shut down notifications manager\n")
+				}
+			}
+
 			// Shut down provisioners before waiting for WebSockets
 			// connections to close.
 			var wg sync.WaitGroup
@@ -1227,6 +1276,15 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 	return serverCmd
 }
 
+// templateHelpers builds a set of functions which can be called in templates.
+// We build them here to avoid an import cycle by using coderd.Options in notifications.Manager.
+// We can later use this to inject whitelabel fields when app name / logo URL are overridden.
+func templateHelpers(options *coderd.Options) map[string]any {
+	return map[string]any{
+		"base_url": func() string { return options.AccessURL.String() },
+	}
+}
+
 // printDeprecatedOptions loops through all command options, and prints
 // a warning for usage of deprecated options.
 func PrintDeprecatedOptions() serpent.MiddlewareFunc {