Coder

INFRA · APIS
Velocity: 7.5

Self-hosted cloud development environments on your infrastructure.

Coder hardens its core and quietly builds aibridge into a governed AI-agent gateway.

Tags: devtools, security, ai-gateway, self-hosted, oidc-auth, enterprise
Current state
Coder's recent releases split between security maturation and AI infrastructure. A coordinated multi-advisory hardening pass—disclosed via Anthropic's Project Glasswing—tightened OIDC auth, workspace isolation, and agent command handling, with breaking changes, while parallel patches land across four supported release branches (2.29 through 2.34). Underneath, 'aibridge' is emerging as a governed AI gateway.
Where it's heading
The throughline is Coder positioning its self-hosted workspaces to host AI coding agents safely: aibridge now tracks new models (Bedrock Opus 4.8, Gemini), enforces auth and request-size limits, and ships under an AI Governance license tier. Security hardening and AI-gateway buildout are advancing in tandem.
Prediction
Expect aibridge to keep absorbing model support and governance controls; the breaking OIDC changes suggest more auth-surface tightening ahead as enterprise deployments consolidate onto the 2.33/2.34 lines.

Recent moves

  1. 3d ago

    Enforce external auth on workspace create; add OIDC broker flag

    A small hardening patch on the stable line: workspace creation now enforces required external auth, plus an opt-in (and explicitly INSECURE) OIDC email-fallback flag for IdP brokers. Continues the post-disclosure auth-tightening arc.

  2. 3d ago

    Backport OIDC broker fallback flag to the 2.32 branch

    Backports the INSECURE OIDC broker fallback flag and a workspaces-table dashboard fix to the 2.32 branch. Parallel-branch maintenance rather than new capability.

  3. 5d ago

    Pin agent API client; skip flaky Azure identity test (2.29)

    Bug-fix-only patch on the oldest supported branch: pins the workspace agent API client to its intended agent and skips a flaky Azure identity test. Routine stability upkeep.

  4. 5d ago

    aibridge adds Bedrock Opus 4.8 adaptive thinking; bug fixes

    A mixed bug-fix release whose notable item is aibridge gaining support for Bedrock Opus 4.8 adaptive thinking, alongside prebuild-claim and enterprise proxy-header fixes. Small but on-trend for the AI-gateway buildout.

  5. 15d ago

    Backport OIDC repair; enforce CLI token lifetime (2.29)

    Maintenance backport to 2.29: restores OIDC auth-link repair, honors fixed lifetimes for CLI API tokens, and checks user-active status in aibridge auth. Keeps the older branch aligned with mainline security fixes.

  6. 21d ago

    Coordinated security hardening: 15+ advisories, breaking OIDC changes

    ⚡ SPARK

    The anchor of this window: a coordinated security-hardening release fixing 15+ advisories with breaking OIDC and proxy-trust changes. It marks the point where Coder's security posture—aibridge's in particular—got a systematic overhaul.
