Backport of #25314

Original PR: #25314 — docs: update screenshot to point to generic URL
Merge commit: 7aaa848
Requested by: @nickvigilante

Co-authored-by: Nick Vigilante <[email protected]>

…) (#25348)

Backport of #25243

Original PR: #25243 — fix(coderd/azureidentity): add Azure IMDS G2 chain
certificates
Merge commit: 49c6191
Requested by: @geokat

Co-authored-by: George K <[email protected]>

## Summary
Backports #25089 to `release/2.32` so `coder exp sync want` and `coder
exp sync start` print the dependency units involved in startup
coordination instead of generic success messages.

## Validation
- `git diff --check origin/release/2.32..HEAD`
- `go test ./cli -run TestSyncCommands -count=1`

> [!NOTE]
> `make test RUN=TestSyncCommands` hit an unrelated `codersdk/toolsdk`
filtered-test failure because that package expects all tools to be
tested. The affected CLI test passed with the package-scoped command
above.

> 🤖 This PR was created with the help of Coder Agents, and needs a human
review. 🧑💻

Co-authored-by: Max Schwenk <[email protected]>

#25343)

Backport of #25341

Original PR: #25341 — docs: Fix the display of the tab block in External
Workspaces
Merge commit: 507ece3
Requested by: @nickvigilante

Co-authored-by: Nick Vigilante <[email protected]>

#25300)

Anthropic task name responses can include valid JSON followed by a
closing fence or extra text, which made `json.Unmarshal` fail with
trailing-character errors and forced fallback naming.

This updates task name JSON extraction to accept the first JSON value
after optional fences and adds regression coverage for fenced and bare
JSON with trailing content.

(cherry picked from commit 87d580d)

<!--

If you have used AI to produce some or all of this PR, please ensure you
have read our [AI Contribution
guidelines](https://coder.com/docs/about/contributing/AI_CONTRIBUTING)
before submitting.

-->

Co-authored-by: Max Schwenk <[email protected]>

…25259)

## Summary

Fixes the bundled Terraform binary in IronBank images being compiled
with an older Go toolchain that exposes 9 CVEs (1 Critical, 5 High, 3
Medium) fixed in Go 1.25.9.

## Problem

No upstream Terraform release is yet compiled with Go 1.25.9+:
- Terraform 1.14.5 (used by provisioner): compiled with **Go 1.25.6**
- Terraform 1.15.2 (latest stable): compiled with **Go 1.25.8**
- The previous IronBank manifest referenced Terraform 1.3.7, compiled
with Go ~1.19

## Fix

The IronBank build script now compiles Terraform **from source** using
the same Go toolchain as Coder (>= 1.25.9), ensuring all CVEs in the Go
stdlib are addressed.

### Changes

**`scripts/ironbank/build_ironbank.sh`**:
- Builds Terraform 1.14.5 from source instead of downloading a
precompiled binary
- Adds `go`, `zip`, and `git` as build dependencies
- Reads `TERRAFORM_VERSION` from `hardening_manifest.yaml`

**`scripts/ironbank/hardening_manifest.yaml`**:
- Updated all versions to match release/2.32 (was severely outdated):
  - Coder: 0.15.3 -> 2.32.1
  - Terraform: 1.3.7 -> 1.14.5 (built from source)
  - Provider: 0.6.10 -> 2.15.0
- Replaced precompiled Terraform binary URL with source tarball
reference
- Added `TERRAFORM_VERSION` build arg for the build script

<details>
<summary>Decision log</summary>

- **Why build from source?** Neither the latest Terraform 1.14.5 (Go
1.25.6) nor 1.15.2 (Go 1.25.8) is compiled with Go 1.25.9+. Building
from source with our Go toolchain is the only way to address the CVEs
without waiting for an upstream release.
- **Why not bump to Terraform 1.15.x?** The provisioner on release/2.32
has `maxTerraformVersion = 1.14.9`. Bumping to 1.15.x would require
provisioner changes, which is risky on a release branch.
- **Why update the entire manifest?** The manifest was pinned to Coder
0.15.3, Terraform 1.3.7, and provider 0.6.10, all severely outdated and
inconsistent with the release/2.32 branch.

</details>

> Generated by Coder Agents. [Issue
ENT-23](https://linear.app/codercom/issue/ENT-23)