feat(provider): add Coder SSH-lease provider

README.md

@@ -192,6 +192,7 @@ from the CLI.
 | [Semaphore](docs/providers/semaphore.md) — `semaphore` (`sem`) | Linux · direct | A Semaphore CI job leased as a testbox. |
 | [Sprites](docs/providers/sprites.md) — `sprites` | Linux · direct | Sprites microVMs through `sprite proxy`. |
 | [Tenki](docs/providers/tenki.md) — `tenki` | Linux · direct | Tenki sandbox VMs through `tenki sandbox ssh-proxy`. |
+| [Coder](docs/providers/coder.md) — `coder` | Linux · direct | Coder workspaces through `coder ssh --stdio`; stops by default, deletes only by opt-in. |
 | [Daytona](docs/providers/daytona.md) — `daytona` | Linux · direct | Daytona-managed dev sandbox over SSH. |
 | [Morph](docs/providers/morph.md) — `morph` | Linux · direct | Morph Cloud snapshot-backed instances over the shared SSH gateway. |
 | [RunPod](docs/providers/runpod.md) — `runpod` (`run-pod`, `runpodio`) | Linux · direct | RunPod GPU pods with public SSH. |

docs/README.md

@@ -157,6 +157,7 @@ Pick whichever matches your intent:
   [Namespace Compute Instance](providers/namespace-instance.md),
   [Semaphore](providers/semaphore.md), [Sprites](providers/sprites.md),
   [Tenki](providers/tenki.md),
+  [Coder](providers/coder.md),
   [Daytona](providers/daytona.md), [Islo](providers/islo.md),
   [E2B](providers/e2b.md), [Modal](providers/modal.md),
   [Agent Sandbox](providers/agent-sandbox.md),

docs/commands/cleanup.md

@@ -10,6 +10,7 @@ crabbox cleanup
 crabbox cleanup --provider namespace-devbox --dry-run
 crabbox cleanup --provider namespace-devbox
 crabbox cleanup --provider hostinger --dry-run
+crabbox cleanup --provider coder --dry-run
 ```
 
 `crabbox machine cleanup` is preserved as a compatibility alias and behaves
@@ -55,6 +56,12 @@ What cleanup does depends on the selected provider:
   provider scope. It deletes idle-expired Crabbox-owned sandboxes and keeps
   missing-or-inaccessible claims unless
   `--cloudflare-sandbox-forget-missing` is explicit.
+- **`coder`** lists workspaces with Crabbox ownership evidence, such as the
+  configured workspace prefix or Crabbox labels in Coder JSON, but mutates only
+  workspaces that also have a local Crabbox claim with cleanup metadata. It
+  uses the release action persisted in each local claim: new delete-on-release
+  claims delete, stop-on-release claims stop, and older claims without that
+  metadata default to stop.
 - Providers that have nothing to sweep return an error rather than acting. For
   example `provider=ssh` (static / bring-your-own hosts) reports:
 
@@ -123,10 +130,16 @@ When no matching files exist:
 namespace ssh cleanup no crabbox files found
 ```
 
+Coder cleanup prints one line per cleanup-eligible claimed workspace:
+
+```text
+coder cleanup stop workspace=crabbox-blue dry_run=true
+```
+
 ## Flags
 
 ```text
---provider hetzner|aws|azure|gcp|proxmox|xcp-ng|hostinger|namespace-devbox|cloudflare|cloudflare-dynamic-workers|cloudflare-sandbox|blaxel|multipass|vercel-sandbox
+--provider hetzner|aws|azure|gcp|proxmox|xcp-ng|hostinger|namespace-devbox|namespace-instance|coder|cloudflare|cloudflare-dynamic-workers|cloudflare-sandbox|blaxel|multipass|vercel-sandbox
                                                                        provider to sweep (default from config)
 --dry-run                                                              print decisions without making provider calls
 ```

docs/commands/doctor.md

@@ -91,6 +91,10 @@ Provider readiness validates the selected provider without creating a lease.
   auth/inventory access, project scoping readiness, and local `vsbx_...`
   inventory without creating resources. Blacksmith Testbox reports runtime as
   provider-hydrated because GitHub Actions hydration is owned by Testbox.
+- `provider=coder` runs only non-mutating Coder CLI checks: `coder version`,
+  `coder whoami -o json`, and workspace inventory. Missing login is reported as
+  `auth=missing_login` with `mutation=false`; doctor does not create, start,
+  stop, or delete Coder workspaces.
 - Providers with no direct doctor print `skip provider ... direct_doctor=unsupported`.
 
 The provider check is bounded to a 10s timeout. A failure adds a `class`

docs/commands/providers.md

@@ -363,6 +363,9 @@ Direct self-hosted SSH-lease providers such as `firecracker`, `proxmox`, and
 ]
 ```
 
+`coder` appears as an SSH-lease provider with Linux target, `ssh`,
+`crabbox-sync`, and `cleanup` features, and `coordinator: never`.
+
 ## Fields
 
 - `provider`: canonical provider name (the value you pass to `--provider`).

docs/commands/run.md

@@ -126,6 +126,12 @@ Crabbox prints the exact `crabbox stop --provider docker-sandbox <slug>`
 command for manual cleanup. Reused `--id` Docker Sandbox runs keep their
 existing lifecycle behavior.
 
+`--provider coder` remains on the normal SSH-run path. Crabbox asks the local
+`coder` CLI to create or start a Linux workspace, syncs into
+`coder.workRoot`, runs the command over `coder ssh --stdio`, and then stops the
+workspace by default for one-shot cleanup. Set `--coder-delete-on-release` only
+for disposable workspaces that should be deleted instead of stopped.
+
 ## Sync
 
 Sync builds a file manifest with `git ls-files --cached --others

docs/commands/ssh.md

@@ -56,6 +56,9 @@ providers resolve access lazily or wrap the connection:
 - **`provider=xcp-ng`** resolves the VM IPv4 address from XCP-ng guest metrics
   during provisioning, then prints the normal per-lease SSH command for the
   cloud-init user.
+- **`provider=coder`** prints a proxy-backed SSH command that uses
+  `coder ssh --stdio --wait <mode> <workspace>`. Coder owns authentication and
+  tunneling; Crabbox does not print or pass Coder tokens on argv.
 - **Provider-routed direct providers** accept the same provider-specific routing
   flags here as `status` and `stop`; for example `--kubevirt-context` or
   `--external-routing-file` can select the exact lease backend when config

docs/commands/status.md

@@ -39,6 +39,9 @@ addition to the Crabbox lease ID and local slug:
 - `sprites` — resolves local claims, Sprites labels, and SSH readiness through
   `sprite proxy`.
 - `daytona` — resolves Crabbox labels and sandbox state through the Daytona API.
+- `coder` — accepts a Crabbox lease ID, local slug, Coder workspace name, or
+  `owner/workspace`; plain status reads Coder inventory without starting stopped
+  workspaces.
 - `islo` — accepts an `isb_...` ID, a Crabbox-created sandbox name, or a local
   slug.
 - `e2b` — accepts a lease ID, local slug, or a Crabbox-owned E2B sandbox ID in
@@ -64,7 +67,7 @@ from idling out.
 
 ```text
 --id <lease-id-or-slug>
---provider hetzner|aws|azure|azure-dynamic-sessions|gcp|proxmox|ssh|exe-dev|blacksmith-testbox|blaxel|namespace-devbox|semaphore|sprites|daytona|islo|e2b|vercel-sandbox
+--provider hetzner|aws|azure|azure-dynamic-sessions|gcp|proxmox|ssh|exe-dev|blacksmith-testbox|blaxel|namespace-devbox|semaphore|sprites|tenki|coder|daytona|islo|e2b|vercel-sandbox
 --target linux|macos|windows
 --windows-mode normal|wsl2
 --static-host <host>

docs/commands/stop.md

@@ -46,6 +46,9 @@ Crabbox lease ID and local slug:
 - `semaphore` — stops the Semaphore CI job and removes the local claim.
 - `sprites` — deletes the Sprites sprite and removes the local claim.
 - `daytona` — deletes the Daytona sandbox.
+- `coder` — stops the Coder workspace by default and removes the local claim.
+  Set `coder.deleteOnRelease` or pass `--coder-delete-on-release` to delete the
+  workspace instead.
 - `islo` — accepts an `isb_...` ID, a Crabbox-created sandbox name, or a local
   slug and deletes the Islo sandbox.
 - `e2b` — accepts a Crabbox lease ID, a local slug, or a Crabbox-owned E2B
@@ -126,6 +129,7 @@ Each provider also registers its own flags; the ones relevant to `stop` include:
 
 ```text
 --namespace-delete-on-release            delete the Namespace Devbox instead of shutting it down
+--coder-delete-on-release                delete the Coder workspace instead of stopping it
 --exe-dev-control-host <host>            exe.dev SSH API host
 --sprites-api-url <url>                  Sprites API URL
 --e2b-api-url <url>                      E2B API URL

docs/commands/warmup.md

@@ -151,6 +151,15 @@ username, and password must come from config or environment before warmup can
 create a lease. Keep the XAPI endpoint on a management network or VPN, prefer
 trusted certificates, and treat `--xcp-ng-insecure-tls` as private-lab only.
 
+### coder
+
+`--provider coder` creates or reuses a Linux Coder workspace through the local
+`coder` CLI. New workspaces require `--coder-template` or `coder.template`.
+Crabbox connects through `coder ssh --stdio`, so no raw public host or provider
+SSH key is needed. Run `crabbox doctor --provider coder` first; if the local
+Coder CLI is not logged in, doctor reports `auth=missing_login` without
+mutating workspaces.
+
 ### aws — Windows
 
 `--provider aws --target windows --windows-mode normal --desktop` creates a real

docs/features/provider-landscape.md

@@ -37,7 +37,7 @@ That means:
 | --- | --- | --- | --- |
 | CI proof runners | Blacksmith Testbox, Semaphore, GitHub Actions-style runners | Strong fit. Crabbox already separates proof-runner semantics from generic VM semantics through `ci-proof-runner` providers and `providers recommend ci-proof`. | Keep run proof, artifacts, downloads, and status records normalized across providers. |
 | Hosted agent sandboxes | E2B, Vercel Sandbox, Modal Sandboxes, Cloudflare Sandbox SDK, OpenSandbox, smolvm, Upstash Box | Good fit when the provider owns process execution and files. These map to `delegated-run` better than SSH leases. | Improve artifact/download parity, preview URL reporting, timeout/error taxonomy, and optional MCP attachment routing. |
-| Remote developer environments | Daytona, Namespace Devbox, CodeSandbox, Morph, OpenComputer, Codespaces-like tools | Good fit when Crabbox can either SSH into the workspace or delegate a command with archive sync. `providers recommend remote-dev` is the routing surface. | Add clearer live smoke docs per provider, surface pause/resume support, and keep local-editor, remote-compute flows distinct from CI proof. |
+| Remote developer environments | Coder, Daytona, Namespace Devbox, CodeSandbox, Morph, OpenComputer, Codespaces-like tools | Good fit when Crabbox can either SSH into the workspace or delegate a command with archive sync. `providers recommend remote-dev` is the routing surface. | Add clearer live smoke docs per provider, surface pause/resume support, and keep local-editor, remote-compute flows distinct from CI proof. |
 | Forkable/versioned workspaces | Mitos, Firecracker snapshot systems, local-container, Parallels | Partial fit. Crabbox already has provider-neutral checkpoint/fork/restore capability names and checkpoint fan-out via `checkpoint fork --count`, but only local providers advertise the fast path today. | Harden `versioned-workspace` behavior before adding any runtime-specific fork API. Do not add Mitos-only flags. |
 | Worker and module runtimes | Cloudflare Dynamic Workers, Cloudflare Sandbox SDK, Vercel/edge-adjacent runtimes | Narrow fit. `cloudflare-dynamic-workers` is a module-run provider; generic container sandboxes need a separate lifecycle and file/process contract. | Keep worker-runtime separate from Linux sandbox execution unless the provider can expose files, process status, logs, preview URLs, and cleanup. |
 | Self-hosted virtualization | Proxmox, XCP-ng, Incus, KubeVirt, local VMs | Strong fit when Crabbox gets a normal SSH lease and lifecycle hooks. | Keep provider-specific reconciliation behind adapters; no provider-specific branching in core. |
@@ -97,7 +97,7 @@ an opt-in live smoke. Until then, document it as an observed adjacent system.
 | Morph | Supported as `morph`. | Managed SSH lease fits local-editor, remote-compute workflows. |
 | OpenComputer | Supported as `opencomputer`. | Delegated Linux execution fits remote-dev and sandbox routing, but evidence parity should improve. |
 | DevPod | Do not support directly. | It is already a provider-agnostic dev environment layer. Use the resulting SSH/container target through `ssh`, `local-container`, or `external`. |
-| Coder | Do not support directly by default. | A Coder workspace should enter Crabbox as a stable host or external provider unless there is a narrow lifecycle contract to own. |
+| Coder | Supported as `coder`. | The built-in contract is intentionally narrow: local Coder CLI auth, Linux SSH proxy execution, stop-by-default release, delete only by opt-in, and cleanup only for locally claimed workspaces. Use `ssh` or `external` for existing workspaces that Crabbox should not manage. |
 | Kubernetes Agent Sandbox | Supported as `agent-sandbox`. | SandboxClaim-style delegated execution belongs behind the existing Kubernetes-native adapter. |
 | OpenSandbox, Microsandbox, Moru-like runtimes | Candidate only. | Add only when one has a stable lifecycle and evidence contract that is meaningfully different from existing delegated sandboxes. |
 

docs/features/provider-selection.md

@@ -105,7 +105,7 @@ first-class providers just because they are adjacent.
 | [Modal](../providers/modal.md) | Already supported as delegated run. Use it for provider-owned container execution, especially Python/GPU-shaped jobs. |
 | [Morph](../providers/morph.md) | Already supported as an SSH lease. Use it when a managed Linux VM with provider-side state reuse fits better than a pure delegated sandbox. |
 | [Kubernetes Agent Sandbox](../providers/agent-sandbox.md) | Already supported as delegated run. Use it for Kubernetes-hosted SandboxClaim workflows. |
-| [Coder](https://github.com/coder/coder) | Do not mirror as a first-class provider unless there is a narrow lifecycle contract. For now, connect through `ssh` or an `external` provider when a Coder workspace exposes a stable host contract. |
+| [Coder](../providers/coder.md) | Supported as a narrow direct SSH-lease provider. Crabbox uses the local `coder` CLI, stops claimed workspaces by default, deletes only by opt-in, and mutates cleanup-eligible workspaces only when a local Crabbox claim exists. Use `ssh` or `external` instead when you want to target an existing Coder workspace without Crabbox lifecycle ownership. |
 | [DevPod](https://github.com/loft-sh/devpod) | Do not mirror as a first-class provider. It is already a provider-agnostic dev environment layer; use its resulting SSH/container target through `ssh`, `local-container`, or `external` when needed. |
 | [Cloudflare Sandbox SDK](https://developers.cloudflare.com/sandbox/) | Keep separate from the existing Cloudflare providers until the runtime contract maps cleanly to a Crabbox backend. Prefer the current Cloudflare providers for built-in Worker/container flows. |
 

docs/operations.md

@@ -52,6 +52,7 @@ CRABBOX_LIVE=1 CRABBOX_LIVE_PROVIDERS=hetzner           CRABBOX_LIVE_REPO=/path/
 CRABBOX_LIVE=1 CRABBOX_LIVE_PROVIDERS=blacksmith-testbox CRABBOX_LIVE_REPO=/path/to/my-app scripts/live-smoke.sh
 CRABBOX_LIVE=1 CRABBOX_LIVE_PROVIDERS=e2b               CRABBOX_LIVE_REPO=/path/to/my-app scripts/live-smoke.sh
 CRABBOX_LIVE=1 CRABBOX_LIVE_PROVIDERS=modal             CRABBOX_LIVE_REPO=/path/to/my-app scripts/live-smoke.sh
+CRABBOX_LIVE=1 CRABBOX_LIVE_PROVIDERS=coder CRABBOX_LIVE_COORDINATOR=0 CRABBOX_LIVE_CODER_TEMPLATE=go-dev CRABBOX_LIVE_REPO=/path/to/my-app scripts/live-smoke.sh
 CRABBOX_LIVE=1 CRABBOX_LIVE_PROVIDERS=daytona           CRABBOX_LIVE_REPO=/path/to/my-app scripts/live-smoke.sh
 CRABBOX_LIVE=1 CRABBOX_LIVE_PROVIDERS=namespace-devbox  CRABBOX_LIVE_REPO=/path/to/my-app scripts/live-smoke.sh
 CRABBOX_LIVE=1 CRABBOX_LIVE_PROVIDERS=namespace-instance CRABBOX_LIVE_COORDINATOR=0 CRABBOX_LIVE_REPO=/path/to/my-app scripts/live-smoke.sh
@@ -103,6 +104,12 @@ Per-provider smoke prerequisites:
   the configured Python binary can import the Modal client, then creates one
   sandbox, waits for status, runs one no-sync command, lists normalized
   inventory, and stops the lease.
+- **Coder** — authenticated `coder` CLI on `PATH` plus an explicit disposable
+  template from `CRABBOX_LIVE_CODER_TEMPLATE`, `CRABBOX_CODER_TEMPLATE`, or
+  `coder.template`. `scripts/live-smoke.sh` refuses to mutate Coder until a
+  template is selected, then proves doctor, dry-run cleanup, stop-by-default
+  warmup/run/stop/status, delete-on-release warmup/run/stop, list, and final
+  dry-run cleanup.
 - **Semaphore** — `CRABBOX_SEMAPHORE_HOST`, `CRABBOX_SEMAPHORE_PROJECT`,
   and `CRABBOX_SEMAPHORE_TOKEN`, or the equivalent user config.
   `scripts/live-smoke.sh` refuses to call Semaphore until those values are

docs/providers/README.md

@@ -61,7 +61,7 @@ selection metadata. Regenerate it with `node scripts/generate-provider-matrix.mj
 `scripts/check-docs.sh` fails when provider registration, metadata, docs paths, or
 this generated table drift.
 
-Current built-in surface: 66 providers (38 SSH lease, 26 delegated run, 2 service control).
+Current built-in surface: 67 providers (39 SSH lease, 26 delegated run, 2 service control).
 
 Access terms:
 
@@ -86,6 +86,7 @@ Access terms:
 | [cloudflare](cloudflare.md) (`cf`) | built-in; `delegated-run` · delegated-sandbox | No SSH; `archive-sync` · direct only; features: `archive-sync`, `cleanup`, `run-session` | `linux`; Cloudflare Container | `cloud`; GPU: no | Cloudflare Worker; container delete | Fast delegated Linux container execution | Requires Worker deployment and container availability |
 | [cloudflare-dynamic-workers](cloudflare-dynamic-workers.md) (`cf-dynamic`, `cfdw`) | built-in; `delegated-run` · delegated-sandbox | No SSH; `provider-owned` · direct only; features: `cleanup`, `module-run`, `run-session` | `worker-runtime`; Cloudflare Dynamic Worker | `cloud`; GPU: no | Cloudflare loader Worker; terminal metadata and local claim removal | Hosted Worker module execution | No shell, SSH, or filesystem sync; Dynamic Workers must be enabled |
 | [cloudflare-sandbox](cloudflare-sandbox.md) | built-in; `delegated-run` · delegated-sandbox | No SSH; `archive-sync` · direct only; features: `archive-sync`, `cleanup` | `linux`; Cloudflare Sandbox bridge | `cloud`; GPU: no | Cloudflare Sandbox bridge; sandbox delete | Cloudflare Sandbox Linux command execution through a bridge | Requires a configured bridge URL; no SSH, browser, Tailscale, URL sessions, mounts, or checkpoints |
+| [coder](coder.md) | built-in; `ssh-lease` · direct-cloud | Crabbox-managed SSH; `crabbox-sync` · direct only; features: `ssh`, `crabbox-sync`, `cleanup` | `linux`; Coder workspace | `provider-managed`; GPU: unknown | Coder CLI; workspace stop or delete | Coder-backed Linux workspace over SSH proxy | Requires the coder CLI, login, template access, and workspace quota |
 | [codesandbox](codesandbox.md) (`csb`, `code-sandbox`) | built-in; `delegated-run` · delegated-sandbox | No SSH; `archive-sync` · direct only; features: `archive-sync`, `cleanup`, `pause-resume`, `run-session` | `linux`; CodeSandbox SDK sandbox | `provider-managed`; GPU: no | CodeSandbox; sandbox delete | Managed CodeSandbox Linux development environments | Requires env-only SDK auth and a local Node bridge |
 | [daytona](daytona.md) | built-in; `ssh-lease` · direct-cloud | Crabbox-managed SSH; `archive-sync` · direct only; features: `ssh`, `crabbox-sync` | `linux`; Daytona sandbox | `provider-managed`; GPU: unknown | Daytona; sandbox delete | Managed development sandbox with delegated archive sync and execution | SSH access is short-lived; run and sync use Daytona toolbox APIs |
 | [digitalocean](digitalocean.md) | built-in; `ssh-lease` · direct-cloud | Crabbox-managed SSH; `crabbox-sync` · direct only; features: `ssh`, `crabbox-sync`, `cleanup`, `tailscale` | `linux`; DigitalOcean Droplet | `cloud`; GPU: optional | Crabbox; Droplet and key delete | Simple direct Linux VM | Direct-only; no coordinator scheduling |