Comparing v2.34.3...v2.34.4 · coder/coder · GitHub

base repository: coder/coder
base: v2.34.3
head repository: coder/coder
compare: v2.34.4
  • 9 commits
  • 29 files changed
  • 12 contributors

Commits on Jun 23, 2026

  1. chore: skip failing azureidentity test while under investigation (#26545) (#26620)
    
    Backport of #26545
    
    Original PR: #26545 — chore: skip failing azureidentity test while under
    investigation
    Merge commit: a12b051
    Requested by: @ethanndickson
    
    Co-authored-by: Cian Johnston <cian@coder.com>
    github-actions[bot] and johnstcn authored Jun 23, 2026
    Commit d607e1f

Commits on Jun 27, 2026

  1. fix: pin workspace agent API client to intended agent (#26600) (#26611)

    Backport of #26600 to `release/2.34`.
    
    Original PR: #26600 - fix: pin workspace agent API client to intended
    agent
    Merge commit: eeb2624
    Requested by: @ethanndickson
    
    ## What this fixes
    
    The workspace agent API client followed HTTP redirects and trusted the
    redirected host, letting a malicious agent bounce a coderd request onto
    a different agent's unauthenticated port-4 API (cross-tenant file
    read/write and RCE, Cure53 CODAGT-668). `apiClient` now refuses
    redirects and pins every dial to the intended agent address, and the
    task-app / scaletest clients share `AppHTTPClient`, which blocks
    redirects too.
    
    ## Conflict resolution
    
    The automatic cherry-pick conflicted because #26600 was built on a
    separate request-context refactor of `apiClient` that is not present on
    this release branch. The redirect block and agent-address pinning are
    applied to the existing `apiClient()` here, and the
    request-context-bounded dial test (which depends on that refactor) is
    omitted. This branch had no `agentconn_test.go`, so the redirect tests
    are added as a new `agentconn_test.go`. The two redirect regression
    tests added by #26600 are included.
    
    Co-authored-by: Ethan Dickson <ethan@coder.com>
    github-actions[bot] and ethanndickson authored Jun 27, 2026
    Commit ec3ba84
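
The hardening this commit message describes (refuse redirects, pin every dial to the intended agent address), as an added Go example that is not code from coder/coder. `newPinnedClient`, `newDefaultClient` and `probe` are hypothetical names, and the two `httptest` servers are constructed stand-ins for a redirecting agent and a second agent.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// newPinnedClient (hypothetical helper, not coder's apiClient) never follows
// redirects and dials pinnedAddr whatever host the request URL names.
func newPinnedClient(pinnedAddr string) *http.Client {
	dial := func(ctx context.Context, network, _ string) (net.Conn, error) {
		return (&net.Dialer{}).DialContext(ctx, network, pinnedAddr)
	}
	noRedirect := func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	return &http.Client{CheckRedirect: noRedirect, Transport: &http.Transport{DialContext: dial}}
}

// newDefaultClient is the baseline: follows redirects, dials the URL's host.
func newDefaultClient(string) *http.Client { return &http.Client{} }

// probe sends one GET to a constructed "agent A" that redirects everything to
// "agent B"; it returns the status the caller saw and the requests B received.
func probe(mk func(agentAddr string) *http.Client) (int, int64, error) {
	var hitsB atomic.Int64
	agentB := httptest.NewServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
		hitsB.Add(1)
	}))
	defer agentB.Close()
	agentA := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, agentB.URL+r.URL.Path, http.StatusTemporaryRedirect)
	}))
	defer agentA.Close()
	resp, err := mk(agentA.Listener.Addr().String()).Get(agentA.URL + "/constructed")
	if err != nil {
		return 0, hitsB.Load(), err
	}
	resp.Body.Close()
	return resp.StatusCode, hitsB.Load(), nil
}

func main() {
	fmt.Println(probe(newDefaultClient)) // baseline reaches agent B
	fmt.Println(probe(newPinnedClient))  // pinned client stops at the 307
}
```

A caller of the pinned client has to treat the returned 3xx as a failure rather than a success, since `http.ErrUseLastResponse` hands the redirect response back with a nil error.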
  2. fix(site): set external auth provider polling status individually (#26313) (#26603)
    
    Cherry-pick of #26313
    
    Original PR: #26313 — fix(site): set external auth provider polling
    status individually
    Merge commit: 61fa2ab
    Requested by: @matifali
    
    Co-authored-by: Andrew Aquino <dawneraq@gmail.com>
    github-actions[bot] and aqandrew authored Jun 27, 2026
    Commit c1d261c
  3. fix(coderd): only send prebuild claim reinit for the claim build (#26644)
    
    backport of #26548 for 2.34
    
    ## Problem
    
    #23108 made prebuild claim delivery durable: when an agent connects to
    `/api/v2/workspaceagents/me/reinit?wait=true`, the handler checks
    whether the workspace's first build was created by the prebuilds system
    user and whether its latest build succeeded, and if so pre-seeds a
    `prebuild_claimed` reinitialization event in case the original pubsub
    event was missed.
    
    The check does not verify that the latest build is the claim build, so
    it keeps firing for the rest of the workspace's life. Any workspace that
    was claimed from a prebuild receives a spurious "prebuild claimed"
    reinit every time its agent (re)opens the `/reinit` connection: after
    every agent restart, every coderd deploy or replica restart, and every
    dropped SSE connection. Each one shuts the agent down and reinitializes
    it, killing SSH/IDE sessions and re-running startup scripts. In our
    deployment, where most workspaces are claimed from prebuilds, this
    caused fleet-wide "agent disconnected" blips whenever a coderd replica
    restarted, and a few workspaces whose container exits when the agent
    restarts went into a restart loop every 15-60 minutes. The agent-side
    dedup (`lastOwnerID` in `cli/agent.go`) only suppresses the second event
    within one agent process, so every new agent process takes at least one
    spurious restart.
    
    ## Fix
    
    Only seed the reinitialization event while the latest build is the claim
    build itself, determined from the build job's input
    (`prebuilt_workspace_stage`), the same signal `provisionerdserver` uses
    when publishing the claim event:
    
    - Latest build is the claim build: behavior unchanged (seed when the job
    succeeded, 409 when it failed permanently, wait on pubsub while it is in
    progress).
    - Latest build is still a prebuilds-initiated build (claim build not
    created yet): fall through to the pubsub subscription, which delivers
    the claim event when the claim build completes.
    - Latest build is any later user-initiated build: the claim was already
    handled, so return 409 and the agent stops polling, the same as a
    regular workspace.
    
    `dbfake` gains a `MarkPrebuiltWorkspaceClaim()` builder option so tests
    can model claim builds' job input, and the existing `TestReinit` claim
    subtests now use it. A new subtest covers the long-claimed workspace
    case.
    
    One deliberate behavior change worth calling out: if a claim build fails
    and the owner retries with another start build, the handler now returns
    409 for that retry build rather than seeding a reinit. This matches the
    existing treatment of failed claim builds as terminal for the reinit
    poller.
    
    ## Verification
    
    - `go test ./coderd/ -run TestReinit` against Postgres 17: all subtests
    pass, including the new `workspace claimed in the past gets 409` case.
    - `gofmt`, `go vet`, and `golangci-lint` (v1.64.8) are clean on the
    touched packages.
    - The fix mirrors behavior validated by hand against an affected
    deployment: for a long-claimed workspace, `/reinit?wait=true` returned
    the seeded `prebuild_claimed` event on every connection before the
    change and a 409 afterwards.
    
    Note: this branch was prepared in an environment without the full local
    toolchain, so the repo's pre-commit hook (`make pre-commit`) was not run
    locally; relying on CI for the full gen/fmt/lint suite. Opening as a
    draft mainly to report the issue and propose a fix; happy to rework it
    to the maintainers' preferred approach.
    
    Co-authored-by: Leon Zhang <leonzh@anthropic.com>
    Co-authored-by: Sas Swart <sas.swart.cdk@gmail.com>
    3 people authored Jun 27, 2026
    Commit ea21e3b
  4. fix(coderd): let admins change their own workspace sharing role (#26559) (#26722)
    
    Backport of #26559 to `release/2.34`.
    
    - Original PR: #26559
    - Merge commit: `116a220ff67c7acd745ffd96765357d9f1eb42b7`
    
    ---
    This backport PR was created by Coder Agents on behalf of @aslilac.
    aslilac authored Jun 27, 2026
    Commit 7fdfc7e
  5. fix(site): add bottom padding to create workspace page (#26431) (#26721)

    Backport of #26431 to `release/2.34`.
    
    - Original PR: #26431
    - Merge commit: `4c8c4969793475994d873f62288790a3f5297b29`
    
    ---
    This backport PR was created by Coder Agents on behalf of @aslilac.
    aslilac authored Jun 27, 2026
    Commit f770406
  6. fix(aibridge): support Bedrock Opus 4.8 adaptive thinking (#26691) (#26708)
    
    Bedrock rejects legacy `thinking.type=enabled` requests for Claude Opus
    4.8 because the model requires adaptive thinking. The AI Bridge Bedrock
    shim only recognized Opus 4.7 as adaptive-only, so Opus 4.8 requests
    could fall through and produce Bedrock 400 responses.
    
    Add Opus 4.8 to the adaptive-only model detection and cover the regional
    Bedrock model ID form with a regression test.
    
    Coder Agents disclosure: This PR was generated by Coder Agents on behalf of @ericpaulsen.
    
    (cherry picked from commit 96aecd8)
    
    Co-authored-by: Eric Paulsen <ericpaulsen@coder.com>
    pawbana and ericpaulsen authored Jun 27, 2026
    Commit 1c08896
  7. fix(enterprise/aibridgeproxyd): stop injecting default port into forwarded Host header (#26656) (#26663)
    
    Backport of #26656
    
    Original PR: #26656 — fix(enterprise/aibridgeproxyd): stop injecting
    default port into forwarded Host header
    Merge commit: c41d219
    Requested by: @ssncferreira
    
    Co-authored-by: Susana Ferreira <susana@coder.com>
    Co-authored-by: Garrett Delfosse <delfossegarrett@gmail.com>
    3 people authored Jun 27, 2026
    Commit e436efc
  8. fix(site): keep TemplateVersionEditor file tree in sync (#25068) (#26770)
    
    Backport of #25068
    
    Original PR: #25068 — fix(site): keep TemplateVersionEditor file tree in
    sync
    Merge commit: 7481e1a
    Requested by: @aslilac
    
    Co-authored-by: McKayla はな <mckayla@hey.com>
    Co-authored-by: Garrett Delfosse <delfossegarrett@gmail.com>
    3 people authored Jun 27, 2026
    Commit 19d9274