…ools

address review comments

- Use map[uuid.UUID]bool for allowlist type (comment 1)
- Return generic 'template not found' for blocked templates (comments 2, 4)
- Consolidate tool tests to single DB (comment 3)
- Use AsChatd ctx instead of AsSystemRestricted (comment 5)
- Require ActionRead on ResourceDeploymentConfig for GET (comment 6)
- Consolidate API tests to single coderdtest instance (comment 7)

… chat tools

address self-review findings

- Log error and fail-open when allowlist DB read fails (P1)
- Add isDirty guard to prevent spurious saves on Enter (P1)
- Add error state with retry for failed data fetch (P1)
- Deduplicate template IDs in PUT handler (P2)
- Add role=alert to save error message (P2)
- Add aria-live to selection count (P2)
- Disable checkboxes during save (P3)
- Differentiate empty state messages (P3)
- Add CreateWorkspace allowlist test (P3)
- Document StartWorkspace intentionally not gated (P4)

…ist for chat tools

fixup! fixup! fixup! feat(chatd): add deployment-wide template allowlist for chat tools

Review round 2 fixes:
- chatd: log JSON parse errors and invalid UUIDs in allowlist (P2 correctness)
- PUT handler: canonicalize UUIDs to lowercase for case-insensitive dedup (P3 correctness)
- Sidebar: fix indentation corruption, remove stray 'replace' prop (P3 UX)
- Settings: always render aria-live region for screen readers (P2 a11y)
- Settings: add role=group + aria-label to checkbox list (P2 a11y)
- Settings: rename 'Clear' to 'Deselect All' for clarity (P2 UX)

… allowlist

Swap the custom checkbox list + SearchField for the design system's
MultiSelectCombobox component. This gives us consistent styling,
built-in search/filter, badge display for selections, keyboard
navigation, and proper focus management — all for free.

Removes ~50 lines of bespoke UI code.

…d allowlist

Review round 3 fixes:
- Add aria-label to MultiSelectCombobox input for screen readers (P1 a11y)
- Log at ERROR when all UUIDs in allowlist are invalid, producing a
  silent fail-open (P2 correctness)
- Fix indentation in chatd allowlist parsing block

…templates chosen

The component initializes its internal 'selected' state from
defaultOptions on mount, but our data loads asynchronously after
mount. Pass both defaultOptions and value, and add a key derived
from the server selection so the component remounts when server
data arrives — ensuring badges render from the start.

Combines TemplatesSection and TemplatesManySelected into one
TemplateAllowlist story with a play function that exercises the
full admin workflow:
1. Starts empty — verifies 'no templates selected' and Save disabled
2. Selects one template, verifies badge + status, saves
3. Adds remaining seven, verifies '8 templates selected', saves

Uses stateful mocks so getChatTemplateAllowlist returns the
updated value after each save.

Addresses Copilot review comment: the custom queryKey ["templates"]
creates a separate cache entry from the shared helper in
api/queries/templates.ts. Switch to templates() for consistent
caching and invalidation.

- parseChatTemplateAllowlist now returns error instead of silently
  swallowing corrupt JSON; GET handler returns 500 for corrupt data
- PUT handler validates template IDs exist in the DB (400 on unknown)
- Add doc comment on GetChatTemplateAllowlist explaining stricter
  auth policy vs peer getters
- Add descriptive SQL comment on GetChatTemplateAllowlist query
- Use slices.Collect(maps.Keys(...)) instead of manual loop
- Restructure TestListTemplates into t.Run subtests grouped by tool,
  rename to TestTemplateAllowlistEnforcement
- Add happy-path CreateWorkspace test with allowed template
- Remove redundant useMemo wrappers (React Compiler handles it)
- Remove unnecessary type predicate (TS 5.5+ infers it)

The PUT handler now validates template existence via GetTemplateByID,
so tests using uuid.NewString() get 400 instead of succeeding.

- Switch to a single shared coderdtest instance with two real
  templates created via dbgen.Template
- Use real template IDs in AdminCanSet, AdminCanClear, DeduplicatesIDs
- Keep random UUIDs for NonAdminWriteFails and UnauthenticatedFails
  (they fail on authz before reaching validation)
- Add NonexistentTemplateRejected subtest for the new 400 path
- Add chatd comment noting API-vs-runtime fail-open asymmetry

- Add doc comments to generated querier.go and queries.sql.go to
  match the SQL comment added in the previous commit
- Add nolint:tparallel,paralleltest to test functions with
  sequential subtests sharing state
- Fix CreateWorkspace/Allowed test: don't assert resp.IsError since
  the tool does additional work (asOwner, workspace lookup) beyond
  the allowlist gate

…cess

Non-admin users shouldn't learn the endpoint exists. Return
ResourceNotFound (404) instead of Forbidden (403) on both GET
and PUT handlers, consistent with the 'don't leak information'
principle.

Three improvements to the template allowlist:

1. Chat tools now accept a function (func() map[uuid.UUID]bool)
   instead of a static map. The chatd runtime builds a closure
   that re-reads the allowlist from the DB on each tool call,
   so admin changes take effect without restarting the chat.
   A nil function fails open (all templates allowed).

2. PUT handler validates templates in a single GetTemplatesWithFilter
   call that also filters out deprecated templates, wrapped in
   a transaction with the upsert. Reports which specific IDs
   are missing or deprecated in the 400 response.

3. Added DeprecatedTemplateRejected test case.