Documentation Check

Updates Needed

• docs/admin/templates/open-in-coder.md - Update section 4 (line 100-108, "Optional: pre-fill parameter values") to mention the new consent dialog that appears when using mode=auto with prefilled parameters. Users will see a warning dialog showing all param.* values and must click "Confirm and Create" before the workspace is created.

  ⚠️ No documentation changes found in this PR - still needs to be addressed

• docs/admin/templates/extending-templates/parameters.md - Update "Create Autofill" section (lines 408-428) to document the security consent dialog that appears when URL param.* parameters are used with automatic workspace creation. The dialog warns users about running scripts from untrusted sources and displays all prefilled parameter values for review.

  ⚠️ No documentation changes found in this PR - still needs to be addressed

Context

This PR adds an important security feature: when a workspace creation link uses mode=auto with prefilled parameters, users now see a consent dialog before the workspace is automatically created. The dialog:

• Shows a warning icon and "Warning: Automatic Workspace Creation" title
• Warns that "Running scripts from untrusted sources can be dangerous"
• Lists all prefilled parameter names and values in a scrollable code block
• Requires explicit "Confirm and Create" action (or "Cancel" to fall back to form view)

This protects users from malicious workspace creation links that could execute arbitrary code via template parameters like dotfiles_uri or startup_script.

Latest update (2026-02-11): Added Storybook stories for the dialog component (including scenarios with many parameters and long values), updated E2E tests to handle the consent dialog flow, and addressed PR review feedback. The implementation is complete and tested, but documentation still needs to be updated.

Automated review via Coder Tasks

Size of the dialog box should be set dynamically - currently it doesn't fit longer than usual params

Documentation Check

Updates Needed

• docs/admin/templates/open-in-coder.md - Document the new security consent dialog that appears when using mode=auto with prefilled parameters
  • Explain that users must explicitly confirm workspace creation when parameters are prefilled via URL
  • Show what information is displayed (all param.* values from the URL)
  • Explain the security rationale (protecting against malicious URLs with untrusted configurations like dotfiles or startup scripts)
  • Consider adding a screenshot of the consent dialog

Automated review via Coder Tasks

Documentation Check

Updates Needed

• docs/admin/templates/open-in-coder.md - Document the new security consent dialog that appears when using mode=auto with prefilled parameters
  • ✅ Added comprehensive "Security: consent dialog for automatic creation" section
  • ✅ Explains user must explicitly confirm workspace creation
  • ✅ Lists what information is displayed in the dialog
  • ✅ Provides security rationale (protection against malicious links)
  • ✅ Includes screenshot of the consent dialog

All documentation requirements have been addressed in the latest commits.

Automated review via Coder Tasks

Another minor nit on the color of the button. Do we have another option, as red is usually used for destructive operations?
cc: @chrifro

Another minor nit on the color of the button. Do we have another option, as red is usually used for destructive operations? cc: @chrifro

@matifali
We can use our default variant for a button. WDYT?

@kacpersaw, yes, this looks better to me.

@kacpersaw, yes, this looks better to me.

@matifali done! 👍