coder
diff --git a/‎.github/.linkspector.yml
Lines changed: 1 addition & 0 deletions b/‎.github/.linkspector.yml
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/ci.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/docker-base.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/docker-base.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/docs-ci.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/docs-ci.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/dogfood.yaml
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/dogfood.yaml
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/release.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/release.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎CLAUDE.md
Lines changed: 0 additions & 1 deletion b/‎CLAUDE.md
Lines changed: 0 additions & 1 deletion
diff --git a/‎agent/agentcontainers/api.go
Lines changed: 33 additions & 1 deletion b/‎agent/agentcontainers/api.go
Lines changed: 33 additions & 1 deletion
diff --git a/‎agent/agentcontainers/api_test.go
Lines changed: 86 additions & 0 deletions b/‎agent/agentcontainers/api_test.go
Lines changed: 86 additions & 0 deletions
diff --git a/‎agent/agentcontainers/devcontainercli.go
Lines changed: 0 additions & 2 deletions b/‎agent/agentcontainers/devcontainercli.go
Lines changed: 0 additions & 2 deletions
diff --git a/‎agent/agentcontainers/execer.go
Lines changed: 77 additions & 0 deletions b/‎agent/agentcontainers/execer.go
Lines changed: 77 additions & 0 deletions
@@ -24,5 +24,6 @@ ignorePatterns:
   - pattern: "mutagen.io"
   - pattern: "docs.github.com"
   - pattern: "claude.ai"
+  - pattern: "splunk.com"
 aliveStatusCodes:
   - 200
@@ -902,7 +902,7 @@ jobs:
       # the check to pass. This is desired in PRs, but not in mainline.
       - name: Publish to Chromatic (non-mainline)
         if: github.ref != 'refs/heads/main' && github.repository_owner == 'coder'
-        uses: chromaui/action@c50adf8eaa8c2878af3263499a73077854de39d4 # v12.2.0
+        uses: chromaui/action@b5848056bb67ce5f1cccca8e62a37cbd9dd42871 # v13.0.1
         env:
           NODE_OPTIONS: "--max_old_space_size=4096"
           STORYBOOK: true
@@ -934,7 +934,7 @@ jobs:
       # infinitely "in progress" in mainline unless we re-review each build.
       - name: Publish to Chromatic (mainline)
         if: github.ref == 'refs/heads/main' && github.repository_owner == 'coder'
-        uses: chromaui/action@c50adf8eaa8c2878af3263499a73077854de39d4 # v12.2.0
+        uses: chromaui/action@b5848056bb67ce5f1cccca8e62a37cbd9dd42871 # v13.0.1
         env:
           NODE_OPTIONS: "--max_old_space_size=4096"
           STORYBOOK: true
 
@@ -60,7 +60,7 @@ jobs:
 
       # This uses OIDC authentication, so no auth variables are required.
       - name: Build base Docker image via depot.dev
-        uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0
+        uses: depot/build-push-action@2583627a84956d07561420dcc1d0eb1f2af3fac0 # v1.15.0
         with:
           project: wl5hnrrkns
           context: base-build-context
 
@@ -28,7 +28,7 @@ jobs:
       - name: Setup Node
         uses: ./.github/actions/setup-node
 
-      - uses: tj-actions/changed-files@d52d20fa3f981cb852b861fd8f55308b5fe29637 # v45.0.7
+      - uses: tj-actions/changed-files@666c9d29007687c52e3c7aa2aac6c0ffcadeadc3 # v45.0.7
         id: changed-files
         with:
           files: |
 
@@ -35,7 +35,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Nix
-        uses: nixbuild/nix-quick-install-action@5bb6a3b3abe66fd09bbf250dce8ada94f856a703 # v30
+        uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
 
       - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
         with:
@@ -72,7 +72,7 @@ jobs:
         uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Login to DockerHub
         if: github.ref == 'refs/heads/main'
@@ -82,7 +82,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Build and push Non-Nix image
-        uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0
+        uses: depot/build-push-action@2583627a84956d07561420dcc1d0eb1f2af3fac0 # v1.15.0
         with:
           project: b4q6ltmpzh
           token: ${{ secrets.DEPOT_TOKEN }}
 
@@ -364,7 +364,7 @@ jobs:
       # This uses OIDC authentication, so no auth variables are required.
       - name: Build base Docker image via depot.dev
         if: steps.image-base-tag.outputs.tag != ''
-        uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0
+        uses: depot/build-push-action@2583627a84956d07561420dcc1d0eb1f2af3fac0 # v1.15.0
         with:
           project: wl5hnrrkns
           context: base-build-context
 
@@ -103,5 +103,4 @@ Read [cursor rules](.cursorrules).
 
 The frontend is contained in the site folder.
 
-For building Frontend refer to [this document](docs/contributing/frontend.md)
 For building Frontend refer to [this document](docs/about/contributing/frontend.md)
@@ -24,6 +24,7 @@ import (
 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/agent/agentcontainers/watcher"
 	"github.com/coder/coder/v2/agent/agentexec"
+	"github.com/coder/coder/v2/agent/usershell"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/agentsdk"
@@ -58,6 +59,7 @@ type API struct {
 	logger                      slog.Logger
 	watcher                     watcher.Watcher
 	execer                      agentexec.Execer
+	commandEnv                  CommandEnv
 	ccli                        ContainerCLI
 	containerLabelIncludeFilter map[string]string // Labels to filter containers by.
 	dccli                       DevcontainerCLI
@@ -111,6 +113,29 @@ func WithExecer(execer agentexec.Execer) Option {
 	}
 }
 
+// WithCommandEnv sets the CommandEnv implementation to use.
+func WithCommandEnv(ce CommandEnv) Option {
+	return func(api *API) {
+		api.commandEnv = func(ei usershell.EnvInfoer, preEnv []string) (string, string, []string, error) {
+			shell, dir, env, err := ce(ei, preEnv)
+			if err != nil {
+				return shell, dir, env, err
+			}
+			env = slices.DeleteFunc(env, func(s string) bool {
+				// Ensure we filter out environment variables that come
+				// from the parent agent and are incorrect or not
+				// relevant for the devcontainer.
+				return strings.HasPrefix(s, "CODER_WORKSPACE_AGENT_NAME=") ||
+					strings.HasPrefix(s, "CODER_WORKSPACE_AGENT_URL=") ||
+					strings.HasPrefix(s, "CODER_AGENT_TOKEN=") ||
+					strings.HasPrefix(s, "CODER_AGENT_AUTH=") ||
+					strings.HasPrefix(s, "CODER_AGENT_DEVCONTAINERS_ENABLE=")
+			})
+			return shell, dir, env, nil
+		}
+	}
+}
+
 // WithContainerCLI sets the agentcontainers.ContainerCLI implementation
 // to use. The default implementation uses the Docker CLI.
 func WithContainerCLI(ccli ContainerCLI) Option {
@@ -153,7 +178,7 @@ func WithSubAgentURL(url string) Option {
 	}
 }
 
-// WithSubAgent sets the environment variables for the sub-agent.
+// WithSubAgentEnv sets the environment variables for the sub-agent.
 func WithSubAgentEnv(env ...string) Option {
 	return func(api *API) {
 		api.subAgentEnv = env
@@ -262,6 +287,13 @@ func NewAPI(logger slog.Logger, options ...Option) *API {
 	for _, opt := range options {
 		opt(api)
 	}
+	if api.commandEnv != nil {
+		api.execer = newCommandEnvExecer(
+			api.logger,
+			api.commandEnv,
+			api.execer,
+		)
+	}
 	if api.ccli == nil {
 		api.ccli = NewDockerCLI(api.execer)
 	}
 
@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"os"
+	"os/exec"
 	"runtime"
 	"slices"
 	"strings"
@@ -30,7 +31,9 @@ import (
 	"github.com/coder/coder/v2/agent/agentcontainers/acmock"
 	"github.com/coder/coder/v2/agent/agentcontainers/watcher"
 	"github.com/coder/coder/v2/agent/agentexec"
+	"github.com/coder/coder/v2/agent/usershell"
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/pty"
 	"github.com/coder/coder/v2/testutil"
 	"github.com/coder/quartz"
 )
@@ -305,6 +308,38 @@ func (m *fakeSubAgentClient) Delete(ctx context.Context, id uuid.UUID) error {
 	return nil
 }
 
+// fakeExecer implements agentexec.Execer for testing and tracks execution details.
+type fakeExecer struct {
+	commands        [][]string
+	createdCommands []*exec.Cmd
+}
+
+func (f *fakeExecer) CommandContext(ctx context.Context, cmd string, args ...string) *exec.Cmd {
+	f.commands = append(f.commands, append([]string{cmd}, args...))
+	// Create a command that returns empty JSON for docker commands.
+	c := exec.CommandContext(ctx, "echo", "[]")
+	f.createdCommands = append(f.createdCommands, c)
+	return c
+}
+
+func (f *fakeExecer) PTYCommandContext(ctx context.Context, cmd string, args ...string) *pty.Cmd {
+	f.commands = append(f.commands, append([]string{cmd}, args...))
+	return &pty.Cmd{
+		Context: ctx,
+		Path:    cmd,
+		Args:    append([]string{cmd}, args...),
+		Env:     []string{},
+		Dir:     "",
+	}
+}
+
+func (f *fakeExecer) getLastCommand() *exec.Cmd {
+	if len(f.createdCommands) == 0 {
+		return nil
+	}
+	return f.createdCommands[len(f.createdCommands)-1]
+}
+
 func TestAPI(t *testing.T) {
 	t.Parallel()
 
@@ -1984,6 +2019,57 @@ func TestAPI(t *testing.T) {
 		// Then: We expected it to succeed
 		require.Len(t, fSAC.created, 1)
 	})
+
+	t.Run("CommandEnv", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).Leveled(slog.LevelDebug)
+
+		// Create fake execer to track execution details.
+		fakeExec := &fakeExecer{}
+
+		// Custom CommandEnv that returns specific values.
+		testShell := "/bin/custom-shell"
+		testDir := t.TempDir()
+		testEnv := []string{"CUSTOM_VAR=test_value", "PATH=/custom/path"}
+
+		commandEnv := func(ei usershell.EnvInfoer, addEnv []string) (shell, dir string, env []string, err error) {
+			return testShell, testDir, testEnv, nil
+		}
+
+		mClock := quartz.NewMock(t) // Stop time.
+
+		// Create API with CommandEnv.
+		api := agentcontainers.NewAPI(logger,
+			agentcontainers.WithClock(mClock),
+			agentcontainers.WithExecer(fakeExec),
+			agentcontainers.WithCommandEnv(commandEnv),
+		)
+		defer api.Close()
+
+		// Call RefreshContainers directly to trigger CommandEnv usage.
+		_ = api.RefreshContainers(ctx) // Ignore error since docker commands will fail.
+
+		// Verify commands were executed through the custom shell and environment.
+		require.NotEmpty(t, fakeExec.commands, "commands should be executed")
+
+		// Want: /bin/custom-shell -c "docker ps --all --quiet --no-trunc"
+		require.Equal(t, testShell, fakeExec.commands[0][0], "custom shell should be used")
+		if runtime.GOOS == "windows" {
+			require.Equal(t, "/c", fakeExec.commands[0][1], "shell should be called with /c on Windows")
+		} else {
+			require.Equal(t, "-c", fakeExec.commands[0][1], "shell should be called with -c")
+		}
+		require.Len(t, fakeExec.commands[0], 3, "command should have 3 arguments")
+		require.GreaterOrEqual(t, strings.Count(fakeExec.commands[0][2], " "), 2, "command/script should have multiple arguments")
+
+		// Verify the environment was set on the command.
+		lastCmd := fakeExec.getLastCommand()
+		require.NotNil(t, lastCmd, "command should be created")
+		require.Equal(t, testDir, lastCmd.Dir, "custom directory should be used")
+		require.Equal(t, testEnv, lastCmd.Env, "custom environment should be used")
+	})
 }
 
 // mustFindDevcontainerByPath returns the devcontainer with the given workspace
 
@@ -7,7 +7,6 @@ import (
 	"encoding/json"
 	"errors"
 	"io"
-	"os"
 
 	"golang.org/x/xerrors"
 
@@ -280,7 +279,6 @@ func (d *devcontainerCLI) ReadConfig(ctx context.Context, workspaceFolder, confi
 	}
 
 	c := d.execer.CommandContext(ctx, "devcontainer", args...)
-	c.Env = append(c.Env, "PATH="+os.Getenv("PATH"))
 	c.Env = append(c.Env, env...)
 
 	var stdoutBuf bytes.Buffer
 
@@ -0,0 +1,77 @@
+package agentcontainers
+
+import (
+	"context"
+	"os/exec"
+	"runtime"
+
+	"github.com/kballard/go-shellquote"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/v2/agent/agentexec"
+	"github.com/coder/coder/v2/agent/usershell"
+	"github.com/coder/coder/v2/pty"
+)
+
+// CommandEnv is a function that returns the shell, working directory,
+// and environment variables to use when executing a command. It takes
+// an EnvInfoer and a pre-existing environment slice as arguments.
+// This signature matches agentssh.Server.CommandEnv.
+type CommandEnv func(ei usershell.EnvInfoer, addEnv []string) (shell, dir string, env []string, err error)
+
+// commandEnvExecer is an agentexec.Execer that uses a CommandEnv to
+// determine the shell, working directory, and environment variables
+// for commands. It wraps another agentexec.Execer to provide the
+// necessary context.
+type commandEnvExecer struct {
+	logger     slog.Logger
+	commandEnv CommandEnv
+	execer     agentexec.Execer
+}
+
+func newCommandEnvExecer(
+	logger slog.Logger,
+	commandEnv CommandEnv,
+	execer agentexec.Execer,
+) *commandEnvExecer {
+	return &commandEnvExecer{
+		logger:     logger,
+		commandEnv: commandEnv,
+		execer:     execer,
+	}
+}
+
+// Ensure commandEnvExecer implements agentexec.Execer.
+var _ agentexec.Execer = (*commandEnvExecer)(nil)
+
+func (e *commandEnvExecer) prepare(ctx context.Context, inName string, inArgs ...string) (name string, args []string, dir string, env []string) {
+	shell, dir, env, err := e.commandEnv(nil, nil)
+	if err != nil {
+		e.logger.Error(ctx, "get command environment failed", slog.Error(err))
+		return inName, inArgs, "", nil
+	}
+
+	caller := "-c"
+	if runtime.GOOS == "windows" {
+		caller = "/c"
+	}
+	name = shell
+	args = []string{caller, shellquote.Join(append([]string{inName}, inArgs...)...)}
+	return name, args, dir, env
+}
+
+func (e *commandEnvExecer) CommandContext(ctx context.Context, cmd string, args ...string) *exec.Cmd {
+	name, args, dir, env := e.prepare(ctx, cmd, args...)
+	c := e.execer.CommandContext(ctx, name, args...)
+	c.Dir = dir
+	c.Env = env
+	return c
+}
+
+func (e *commandEnvExecer) PTYCommandContext(ctx context.Context, cmd string, args ...string) *pty.Cmd {
+	name, args, dir, env := e.prepare(ctx, cmd, args...)
+	c := e.execer.PTYCommandContext(ctx, name, args...)
+	c.Dir = dir
+	c.Env = env
+	return c
+}
Original file line number	Diff line number	Diff line change
`@@ -103,5 +103,4 @@ Read [cursor rules](.cursorrules).`
`103`	`103`
`104`	`104`	`The frontend is contained in the site folder.`
`105`	`105`
`106`		`-For building Frontend refer to [this document](docs/contributing/frontend.md)`
`107`	`106`	`For building Frontend refer to [this document](docs/about/contributing/frontend.md)`