From 245aff98e4028eb4f4741f0e6b999652dba59e3c Mon Sep 17 00:00:00 2001
From: Chad Woolley <cwoolley@gitlab.com>
Date: Fri, 13 Sep 2024 20:25:16 -0700
Subject: [PATCH 1/2] Support workspace suspension

- See https://gitlab.com/groups/gitlab-org/-/work_items/14910

Changelog: added
---
 ...dd_workspace_delayed_termination_fields.rb |  25 +
 ...rkspace_delayed_termination_constraints.rb |  34 +
 db/schema_migrations/20240913000001           |   1 +
 db/schema_migrations/20240913000002           |   1 +
 db/structure.sql                              |   5 +
 .../workspace/gitlab_agent_configuration.md   |  60 ++
 doc/user/workspace/index.md                   |   7 +
 .../workspaces_list/workspaces_table.vue      |  18 -
 .../workspaces/user/pages/create.vue          |  21 -
 .../remote_development_agent_config.rb        |   8 +-
 ee/app/models/remote_development/workspace.rb |   2 +-
 .../workspaces_agent_config.rb                |  34 +-
 .../agent_config_operations/updater.rb        | 120 ++--
 .../settings/default_settings.rb              |  34 +-
 .../create/personal_access_token_creator.rb   |  13 +-
 .../max_hours_before_termination.rb           |  13 +
 .../workspace_operations/reconcile/main.rb    |   1 +
 .../output/response_payload_builder.rb        |   2 +-
 .../workspaces_from_agent_infos_updater.rb    |   8 -
 .../workspaces_lifecycle_manager.rb           |  81 +++
 .../remote_development/workspaces_spec.rb     | 257 +++++---
 .../workspaces_list/workspaces_table_spec.js  |   2 -
 .../workspaces/user/pages/create_spec.js      |  40 +-
 .../agent_config_operations/updater_spec.rb   | 172 ++---
 .../settings/settings_initializer_spec.rb     | 105 +--
 .../personal_access_token_creator_spec.rb     |  10 +-
 .../reconcile/main_integration_spec.rb        |  60 +-
 .../reconcile/main_spec.rb                    |   1 +
 .../output/desired_config_generator_spec.rb   |  10 +-
 .../reconcile/output/devfile_parser_spec.rb   |   5 +-
 ...orkspaces_from_agent_infos_updater_spec.rb |  11 -
 .../workspaces_lifecycle_manager_spec.rb      | 112 ++++
 .../workspaces_agent_config_spec.rb           |  68 +-
 .../remote_development/integration_spec.rb    | 348 +++++-----
 .../integration_spec_helpers.rb               | 596 ++++++++++++++----
 .../remote_development_shared_contexts.rb     |   6 +-
 locale/gitlab.pot                             |   3 -
 spec/fast_spec_helper.rb                      |   2 +
 38 files changed, 1564 insertions(+), 732 deletions(-)
 create mode 100644 db/migrate/20240913000001_add_workspace_delayed_termination_fields.rb
 create mode 100644 db/migrate/20240913000002_add_workspace_delayed_termination_constraints.rb
 create mode 100644 db/schema_migrations/20240913000001
 create mode 100644 db/schema_migrations/20240913000002
 create mode 100644 ee/lib/remote_development/workspace_operations/max_hours_before_termination.rb
 create mode 100644 ee/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_lifecycle_manager.rb
 create mode 100644 ee/spec/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_lifecycle_manager_spec.rb

diff --git a/db/migrate/20240913000001_add_workspace_delayed_termination_fields.rb b/db/migrate/20240913000001_add_workspace_delayed_termination_fields.rb
new file mode 100644
index 00000000000000..2cee117bbe894a
--- /dev/null
+++ b/db/migrate/20240913000001_add_workspace_delayed_termination_fields.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class AddWorkspaceDelayedTerminationFields < Gitlab::Database::Migration[2.2]
+  milestone '17.5'
+  disable_ddl_transaction!
+
+  def up
+    with_lock_retries do
+      # Default max_active_hours_before_stop to 1.5 days, so that workspace should usually
+      # stop outside of working hours, assuming it was last restarted during working hours.
+      add_column :workspaces_agent_configs, :max_active_hours_before_stop, :smallint, default: 36, null: false,
+        if_not_exists: true
+      # Default max_stopped_hours_before_termination to 1 month (31 days)
+      add_column :workspaces_agent_configs, :max_stopped_hours_before_termination, :smallint, default: 744, null: false,
+        if_not_exists: true
+    end
+  end
+
+  def down
+    with_lock_retries do
+      remove_column :workspaces_agent_configs, :max_active_hours_before_stop, if_exists: true
+      remove_column :workspaces_agent_configs, :max_stopped_hours_before_termination, if_exists: true
+    end
+  end
+end
diff --git a/db/migrate/20240913000002_add_workspace_delayed_termination_constraints.rb b/db/migrate/20240913000002_add_workspace_delayed_termination_constraints.rb
new file mode 100644
index 00000000000000..0e5cab703c6860
--- /dev/null
+++ b/db/migrate/20240913000002_add_workspace_delayed_termination_constraints.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+class AddWorkspaceDelayedTerminationConstraints < Gitlab::Database::Migration[2.2]
+  milestone "17.5"
+  disable_ddl_transaction!
+
+  TABLE_NAME = :workspaces_agent_configs
+
+  def constraint_1_name
+    check_constraint_name TABLE_NAME,
+      "max_active_hours_before_stop and max_stopped_hours_before_termination", "max_total_size_1_year"
+  end
+
+  def constraint_2_name
+    check_constraint_name TABLE_NAME, :max_active_hours_before_stop, "min_size_0"
+  end
+
+  def constraint_3_name
+    check_constraint_name TABLE_NAME, :max_stopped_hours_before_termination, "min_size_0"
+  end
+
+  def up
+    add_check_constraint TABLE_NAME,
+      "(max_active_hours_before_stop + max_stopped_hours_before_termination) <= 8760", constraint_1_name
+    add_check_constraint TABLE_NAME, "max_active_hours_before_stop > 0", constraint_2_name
+    add_check_constraint TABLE_NAME, "max_stopped_hours_before_termination > 0", constraint_3_name
+  end
+
+  def down
+    remove_check_constraint TABLE_NAME, constraint_1_name
+    remove_check_constraint TABLE_NAME, constraint_2_name
+    remove_check_constraint TABLE_NAME, constraint_3_name
+  end
+end
diff --git a/db/schema_migrations/20240913000001 b/db/schema_migrations/20240913000001
new file mode 100644
index 00000000000000..c4d464a12c1232
--- /dev/null
+++ b/db/schema_migrations/20240913000001
@@ -0,0 +1 @@
+2fd7e382f30772901fecd8ef1e38cd1a2610673912813432654a6e088f8ce553
\ No newline at end of file
diff --git a/db/schema_migrations/20240913000002 b/db/schema_migrations/20240913000002
new file mode 100644
index 00000000000000..91a8a944fed2e2
--- /dev/null
+++ b/db/schema_migrations/20240913000002
@@ -0,0 +1 @@
+a923994ddf6244057a357ec96fe04900dba401e4c3fa0b6a3dafb663935b7a91
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index aec532237c3749..6fe99675759671 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -21986,9 +21986,14 @@ CREATE TABLE workspaces_agent_configs (
     annotations jsonb DEFAULT '{}'::jsonb NOT NULL,
     labels jsonb DEFAULT '{}'::jsonb NOT NULL,
     image_pull_secrets jsonb DEFAULT '[]'::jsonb NOT NULL,
+    max_active_hours_before_stop smallint DEFAULT 36 NOT NULL,
+    max_stopped_hours_before_termination smallint DEFAULT 744 NOT NULL,
+    CONSTRAINT check_557e75a230 CHECK ((max_stopped_hours_before_termination > 0)),
     CONSTRAINT check_58759a890a CHECK ((char_length(dns_zone) <= 256)),
+    CONSTRAINT check_6d7baef494 CHECK (((max_active_hours_before_stop + max_stopped_hours_before_termination) <= 8760)),
     CONSTRAINT check_720388a28c CHECK ((char_length(default_runtime_class) <= 253)),
     CONSTRAINT check_dca877fba1 CHECK ((default_max_hours_before_termination <= 8760)),
+    CONSTRAINT check_df26c047a9 CHECK ((max_active_hours_before_stop > 0)),
     CONSTRAINT check_eab6e375ad CHECK ((max_hours_before_termination_limit <= 8760)),
     CONSTRAINT check_ee2464835c CHECK ((char_length(gitlab_workspaces_proxy_namespace) <= 63))
 );
diff --git a/doc/user/workspace/gitlab_agent_configuration.md b/doc/user/workspace/gitlab_agent_configuration.md
index 8c21ab5d968806..e3530cd6ce19e0 100644
--- a/doc/user/workspace/gitlab_agent_configuration.md
+++ b/doc/user/workspace/gitlab_agent_configuration.md
@@ -112,6 +112,8 @@ you can use any configured agent in `top-level-group` and in any of its subgroup
 | [`allow_privilege_escalation`](#allow_privilege_escalation)                               | No       | `false`                                 | Allow privilege escalation. |
 | [`annotations`](#annotations)                                                             | No       | `{}`                                    | Annotations to apply to Kubernetes objects. |
 | [`labels`](#labels)                                                                       | No       | `{}`                                    | Labels to apply to Kubernetes objects. |
+| [`max_active_hours_before_stop`](#max_active_hours_before_stop) | No | `36` | Maximum number of hours a workspace can be active before it is stopped. |
+| [`max_stopped_hours_before_termination`](#max_stopped_hours_before_termination) | No | `744` | Maximum number of hours a workspace can be stopped before it is terminated. |
 
 NOTE:
 If a setting has an invalid value, it's not possible to update any setting until you fix that value.
@@ -464,6 +466,64 @@ A valid label value:
 For more information about `labels`, see
 [Labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/).
 
+### `max_active_hours_before_stop`
+
+> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/14910) in GitLab 17.6.
+
+Use this setting to automatically stop the agent's workspaces after the specified number of hours
+have passed since the workspace last transitioned to an active state.
+An "active state" is defined as any non-stopped or non-terminated state.
+
+The timer for this setting starts when the workspace is created, and is reset every time the
+workspace is restarted.
+It also applies even if the workspace is in an error or failure state.
+
+The default value is `36`, or one and a half days. This avoids stopping the workspace during
+the user's normal working hours.
+
+**Example configuration:**
+
+```yaml
+remote_development:
+  max_active_hours_before_stop: 60
+```
+
+A valid value:
+
+- Is an integer.
+- Is greater than or equal to `1`.
+- Is less than or equal to `8760` (one year).
+- `max_active_hours_before_stop` + `max_stopped_hours_before_termination` must be less than or equal to `8760`.
+
+The automatic stop is only triggered on a full reconciliation, which happens every hour.
+This means that the workspace might be active for up to one hour longer than the configured value.
+
+### `max_stopped_hours_before_termination`
+
+> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/14910) in GitLab 17.6.
+
+Use this setting to automatically terminate the agent's workspaces after they have been in the stopped
+state for the specified number of hours.
+
+The default value is `722`, or approximately one month.
+
+**Example configuration:**
+
+```yaml
+remote_development:
+  max_stopped_hours_before_termination: 4332
+```
+
+A valid value:
+
+- Is an integer.
+- Is greater than or equal to `1`.
+- Is less than or equal to `8760` (one year).
+- `max_active_hours_before_stop` + `max_stopped_hours_before_termination` must be less than or equal to `8760`.
+
+The automatic termination is only triggered on a full reconciliation, which happens every hour.
+This means that the workspace might be stopped for up to one hour longer than the configured value.
+
 ## Configuring user access with remote development
 
 You can configure the `user_access` module to access the connected Kubernetes cluster with your GitLab credentials.
diff --git a/doc/user/workspace/index.md b/doc/user/workspace/index.md
index ee7303d1ff6fd6..0dc53a969a1e55 100644
--- a/doc/user/workspace/index.md
+++ b/doc/user/workspace/index.md
@@ -247,6 +247,13 @@ However, the volume provisioned for the workspace still exists.
 
 To delete the provisioned volume, you must terminate the workspace.
 
+## Automatic workspace stop and termination
+
+1. A workspace will automatically stop 36 hours after it was last started or restarted.
+   For more details, see [the agent configuration setting documentation for `max_active_hours_before_stop`](gitlab_agent_configuration.md#max_active_hours_before_stop).
+1. A workspace will automatically terminate 722 hours after it was last stopped.
+   For more details, see [the agent configuration setting documentation for `max_stopped_hours_before_termination`](gitlab_agent_configuration.md#max_stopped_hours_before_termination).
+
 ## Arbitrary user IDs
 
 You can provide your own container image, which can run as any Linux user ID.
diff --git a/ee/app/assets/javascripts/workspaces/common/components/workspaces_list/workspaces_table.vue b/ee/app/assets/javascripts/workspaces/common/components/workspaces_list/workspaces_table.vue
index a4ead1ee31b78c..f373be423abd77 100644
--- a/ee/app/assets/javascripts/workspaces/common/components/workspaces_list/workspaces_table.vue
+++ b/ee/app/assets/javascripts/workspaces/common/components/workspaces_list/workspaces_table.vue
@@ -1,5 +1,4 @@
 <script>
-import { getTimeago, nSecondsAfter } from '~/lib/utils/datetime_utility';
 import { __, sprintf } from '~/locale';
 import TimeAgoTooltip from '~/vue_shared/components/time_ago_tooltip.vue';
 import { WORKSPACE_STATES, WORKSPACE_DESIRED_STATES } from '../../constants';
@@ -11,7 +10,6 @@ import { calculateDisplayState } from '../../services/calculate_display_state';
 
 export const i18n = {
   created: __('Created'),
-  terminates: __('Terminates'),
 };
 
 export default {
@@ -45,15 +43,6 @@ export default {
       }
       return sprintf(__(`%{path} on %{ref}`), { ref, path });
     },
-    terminatesIn(workspace) {
-      const createdAt = new Date(workspace.createdAt);
-      const terminationDate = nSecondsAfter(
-        createdAt,
-        workspace.maxHoursBeforeTermination * 60 * 60,
-      );
-
-      return getTimeago().format(terminationDate, { relativeDate: createdAt });
-    },
     isTerminated(workspace) {
       return workspace.actualState === WORKSPACE_STATES.terminated;
     },
@@ -97,13 +86,6 @@ export default {
                   class="gl-font-sm-600 gl-whitespace-nowrap gl-text-secondary"
                   :time="item.createdAt"
                 />
-                <span v-if="!isTerminated(item)">
-                  &middot;
-                  {{ $options.i18n.terminates }}
-                  <span data-testid="workspace-termination">
-                    {{ terminatesIn(item) }}
-                  </span>
-                </span>
               </div>
             </div>
             <div class="gl-flex gl-w-full gl-gap-3 sm:gl-w-auto">
diff --git a/ee/app/assets/javascripts/workspaces/user/pages/create.vue b/ee/app/assets/javascripts/workspaces/user/pages/create.vue
index 4f569125d62971..a5243368730925 100644
--- a/ee/app/assets/javascripts/workspaces/user/pages/create.vue
+++ b/ee/app/assets/javascripts/workspaces/user/pages/create.vue
@@ -392,27 +392,6 @@ export default {
               />
             </gl-form-input-group>
           </gl-form-group>
-          <gl-form-group
-            data-testid="max-hours-before-termination"
-            :label="$options.i18n.form.maxHoursBeforeTermination"
-            label-for="workspace-max-hours-before-termination"
-          >
-            <gl-form-input-group>
-              <gl-form-input
-                id="workspace-max-hours-before-termination"
-                v-model="maxHoursBeforeTermination"
-                type="number"
-                required
-                autocomplete="off"
-                width="xs"
-              />
-              <template #append>
-                <div class="input-group-text">
-                  {{ $options.i18n.form.maxHoursSuffix }}
-                </div>
-              </template>
-            </gl-form-input-group>
-          </gl-form-group>
           <workspace-variables
             v-model="workspaceVariables"
             class="mb-3"
diff --git a/ee/app/models/remote_development/remote_development_agent_config.rb b/ee/app/models/remote_development/remote_development_agent_config.rb
index 46a843136c3a3d..b820fdf7a9ed58 100644
--- a/ee/app/models/remote_development/remote_development_agent_config.rb
+++ b/ee/app/models/remote_development/remote_development_agent_config.rb
@@ -11,10 +11,10 @@ class RemoteDevelopmentAgentConfig < ApplicationRecord
     include Sortable
 
     UNLIMITED_QUOTA = -1
-    MINIMUM_HOURS_BEFORE_TERMINATION = 1
+    MIN_HOURS_BEFORE_TERMINATION = 1
     # NOTE: see the following issue for the reasoning behind this value being the hard maximum termination limit:
     #      https://gitlab.com/gitlab-org/gitlab/-/issues/471994
-    MAXIMUM_HOURS_BEFORE_TERMINATION = 8760
+    MAX_HOURS_BEFORE_TERMINATION = 8760
 
     belongs_to :agent,
       class_name: 'Clusters::Agent', foreign_key: 'cluster_agent_id', inverse_of: :remote_development_agent_config
@@ -41,11 +41,11 @@ class RemoteDevelopmentAgentConfig < ApplicationRecord
     validates :max_hours_before_termination_limit,
       numericality: {
         only_integer: true, greater_than_or_equal_to: :default_max_hours_before_termination,
-        less_than_or_equal_to: MAXIMUM_HOURS_BEFORE_TERMINATION
+        less_than_or_equal_to: MAX_HOURS_BEFORE_TERMINATION
       }
     validates :default_max_hours_before_termination,
       numericality: {
-        only_integer: true, greater_than_or_equal_to: MINIMUM_HOURS_BEFORE_TERMINATION,
+        only_integer: true, greater_than_or_equal_to: MIN_HOURS_BEFORE_TERMINATION,
         less_than_or_equal_to: :max_hours_before_termination_limit
       }
     validates :allow_privilege_escalation, inclusion: { in: [true, false] }
diff --git a/ee/app/models/remote_development/workspace.rb b/ee/app/models/remote_development/workspace.rb
index 3fe7d762d0789d..48101db5a1c521 100644
--- a/ee/app/models/remote_development/workspace.rb
+++ b/ee/app/models/remote_development/workspace.rb
@@ -103,7 +103,7 @@ def workspaces_agent_config
     def desired_state_updated_more_recently_than_last_response_to_agent?
       return true if responded_to_agent_at.nil?
 
-      desired_state_updated_at >= responded_to_agent_at
+      desired_state_updated_at > responded_to_agent_at
     end
 
     def workspaces_count_for_current_user_and_agent
diff --git a/ee/app/models/remote_development/workspaces_agent_config.rb b/ee/app/models/remote_development/workspaces_agent_config.rb
index 278c2fc58748df..0a046020d6aa4a 100644
--- a/ee/app/models/remote_development/workspaces_agent_config.rb
+++ b/ee/app/models/remote_development/workspaces_agent_config.rb
@@ -8,10 +8,7 @@ class WorkspacesAgentConfig < ApplicationRecord
     include Sortable
 
     UNLIMITED_QUOTA = -1
-    MINIMUM_HOURS_BEFORE_TERMINATION = 1
-    # NOTE: see the following issue for the reasoning behind this value being the hard maximum termination limit:
-    #      https://gitlab.com/gitlab-org/gitlab/-/issues/471994
-    MAXIMUM_HOURS_BEFORE_TERMINATION = 8760
+    MIN_HOURS_BEFORE_TERMINATION = 1
 
     has_paper_trail versions: {
       class_name: 'RemoteDevelopment::WorkspacesAgentConfigVersion'
@@ -43,11 +40,11 @@ class WorkspacesAgentConfig < ApplicationRecord
     validates :max_hours_before_termination_limit,
       numericality: {
         only_integer: true, greater_than_or_equal_to: :default_max_hours_before_termination,
-        less_than_or_equal_to: MAXIMUM_HOURS_BEFORE_TERMINATION
+        less_than_or_equal_to: WorkspaceOperations::MaxHoursBeforeTermination::MAX_HOURS_BEFORE_TERMINATION
       }
     validates :default_max_hours_before_termination,
       numericality: {
-        only_integer: true, greater_than_or_equal_to: MINIMUM_HOURS_BEFORE_TERMINATION,
+        only_integer: true, greater_than_or_equal_to: MIN_HOURS_BEFORE_TERMINATION,
         less_than_or_equal_to: :max_hours_before_termination_limit
       }
     validates :allow_privilege_escalation, inclusion: { in: [true, false] }
@@ -60,12 +57,37 @@ class WorkspacesAgentConfig < ApplicationRecord
       json_schema: { filename: 'workspaces_agent_configs_image_pull_secrets', detail_errors: true }
     validates :image_pull_secrets, 'remote_development/image_pull_secrets': true
 
+    validates :max_active_hours_before_stop,
+      numericality: {
+        only_integer: true, greater_than_or_equal_to: 1,
+        less_than_or_equal_to: WorkspaceOperations::MaxHoursBeforeTermination::MAX_HOURS_BEFORE_TERMINATION
+      }
+    validates :max_stopped_hours_before_termination,
+      numericality: {
+        only_integer: true, greater_than_or_equal_to: 1,
+        less_than_or_equal_to: WorkspaceOperations::MaxHoursBeforeTermination::MAX_HOURS_BEFORE_TERMINATION
+      }
+
+    validate :validate_sum_of_delayed_termination_fields_does_not_exceed_max_hours_before_termination_limit
+
     validate :validate_allow_privilege_escalation
 
     scope :by_cluster_agent_ids, ->(ids) { where(cluster_agent_id: ids) }
 
     private
 
+    def validate_sum_of_delayed_termination_fields_does_not_exceed_max_hours_before_termination_limit
+      max_hours_before_termination = WorkspaceOperations::MaxHoursBeforeTermination::MAX_HOURS_BEFORE_TERMINATION
+
+      return if max_active_hours_before_stop + max_stopped_hours_before_termination <= max_hours_before_termination
+
+      msg = "Sum of max_active_hours_before_stop and max_stopped_hours_before_termination must not exceed " \
+        "%{maximum_hours_before_termination} hours"
+
+      errors.add(:base, format(_(msg), maximum_hours_before_termination: max_hours_before_termination))
+      false
+    end
+
     # allow_privilege_escalation is allowed to be set to true only if
     # - either use_kubernetes_user_namespaces is true
     # - or default_runtime_class is set to a non-empty value
diff --git a/ee/lib/remote_development/agent_config_operations/updater.rb b/ee/lib/remote_development/agent_config_operations/updater.rb
index 2ec74dce9aff24..4747f9b155d207 100644
--- a/ee/lib/remote_development/agent_config_operations/updater.rb
+++ b/ee/lib/remote_development/agent_config_operations/updater.rb
@@ -17,7 +17,7 @@ def self.update(context)
           )
         end
 
-        workspaces_agent_config = find_or_initialize_workspaces_agent_config(
+        workspaces_agent_config = update_or_initialize_workspaces_agent_config(
           agent: agent,
           config_from_agent_config_file: config_from_agent_config_file
         )
@@ -34,9 +34,8 @@ def self.update(context)
       # @param [Clusters::Agent] agent
       # @param [Hash] config_from_agent_config_file
       # @return [RemoteDevelopment::WorkspacesAgentConfig]
-      # rubocop:disable Metrics/AbcSize -- This is being resolved by refactoring in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166065
-      def self.find_or_initialize_workspaces_agent_config(agent:, config_from_agent_config_file:)
-        model_instance = WorkspacesAgentConfig.find_or_initialize_by(agent: agent) # rubocop:disable CodeReuse/ActiveRecord -- We don't want to use a finder, we want to use find_or_initialize_by because it's more concise
+      def self.update_or_initialize_workspaces_agent_config(agent:, config_from_agent_config_file:)
+        agent_config_model_instance = WorkspacesAgentConfig.find_or_initialize_by(agent: agent) # rubocop:disable CodeReuse/ActiveRecord -- We don't want to use a finder, we want to use find_or_initialize_by because it's more concise
 
         normalized_config_from_file = config_from_agent_config_file.dup.to_h.transform_keys(&:to_sym)
 
@@ -49,65 +48,104 @@ def self.find_or_initialize_workspaces_agent_config(agent:, config_from_agent_co
         #       Same for `network_policy_enabled` and `network_policy_egress` db fields - rename them from the
         #       network_policy field in the config_from_agent_config_file spec
         network_policy_enabled = normalized_config_from_file.dig(:network_policy, :enabled)
-        normalized_config_from_file[:network_policy_enabled] = network_policy_enabled if network_policy_enabled
+        normalized_config_from_file[:network_policy_enabled] = network_policy_enabled unless network_policy_enabled.nil?
         network_policy_egress = normalized_config_from_file.dig(:network_policy, :egress)
         normalized_config_from_file[:network_policy_egress] = network_policy_egress if network_policy_egress
 
+        # NOTE: `enabled` is the one field we can't easily move into the Settings module, so its default
+        #       remains hardcoded here. It may also be a string or a boolean.
+        normalized_config_from_file[:enabled] = ["true", true].include?(normalized_config_from_file[:enabled])
+
         # NOTE: We rely on the settings module to fetch the defaults of all values except `enabled` in the
         #       agent config file. This is temporary pending completion of the settings module/UI which will
         #       remove the dependence on the agent config file for these values.
 
         agent_config_settings = Settings.get(
           [
+            :allow_privilege_escalation,
+            :annotations,
             :default_max_hours_before_termination,
             :default_resources_per_workspace_container,
+            :default_runtime_class,
             :gitlab_workspaces_proxy_namespace,
+            :image_pull_secrets,
+            :labels,
+            :max_active_hours_before_stop,
             :max_hours_before_termination_limit,
             :max_resources_per_workspace,
+            :max_stopped_hours_before_termination,
             :network_policy_egress,
             :network_policy_enabled,
-            :workspaces_per_user_quota,
-            :workspaces_quota,
-            :allow_privilege_escalation,
             :use_kubernetes_user_namespaces,
-            :default_runtime_class,
-            :annotations,
-            :labels,
-            :image_pull_secrets
+            :workspaces_per_user_quota,
+            :workspaces_quota
           ]
         )
-        agent_config_values = agent_config_settings.merge(normalized_config_from_file)
+        values = agent_config_settings.merge(normalized_config_from_file)
 
-        # NOTE: `enabled` is the one field we can't easily move into the Settings module, so its default
-        #       remains hardcoded here.
-        model_instance.enabled = agent_config_values.fetch(:enabled, false)
-
-        model_instance.project_id = agent.project_id
-        model_instance.workspaces_quota = agent_config_values.fetch(:workspaces_quota)
-        model_instance.workspaces_per_user_quota = agent_config_values.fetch(:workspaces_per_user_quota)
-        model_instance.dns_zone = agent_config_values[:dns_zone]
-        model_instance.network_policy_enabled = agent_config_values.fetch(:network_policy_enabled)
-        model_instance.network_policy_egress = agent_config_values.fetch(:network_policy_egress)
-        model_instance.gitlab_workspaces_proxy_namespace = agent_config_values.fetch(:gitlab_workspaces_proxy_namespace)
-        model_instance.default_resources_per_workspace_container =
-          agent_config_values.fetch(:default_resources_per_workspace_container)
-        model_instance.max_resources_per_workspace = agent_config_values.fetch(:max_resources_per_workspace)
-        model_instance.default_max_hours_before_termination =
-          agent_config_values.fetch(:default_max_hours_before_termination)
-        model_instance.max_hours_before_termination_limit =
-          agent_config_values.fetch(:max_hours_before_termination_limit)
-        model_instance.allow_privilege_escalation = agent_config_values.fetch(:allow_privilege_escalation)
-        model_instance.use_kubernetes_user_namespaces = agent_config_values.fetch(:use_kubernetes_user_namespaces)
-        model_instance.default_runtime_class = agent_config_values.fetch(:default_runtime_class)
-        model_instance.annotations = agent_config_values.fetch(:annotations)
-        model_instance.labels = agent_config_values.fetch(:labels)
-        model_instance.image_pull_secrets = agent_config_values.fetch(:image_pull_secrets)
-
-        model_instance
+        set_attributes_on_agent_config_model_instance(
+          agent_config_model: agent_config_model_instance,
+          values: values,
+          agent_model: agent
+        )
+
+        agent_config_model_instance
+      end
+
+      # @param [WorkspacesAgentConfig] agent_config_model
+      # @param [Hash] values
+      # @param [Clusters::Agent] agent_model
+      # @return [RemoteDevelopment::WorkspacesAgentConfig]
+      # noinspection RubyResolve -- https://handbook.gitlab.com/handbook/tools-and-tips/editors-and-ides/jetbrains-ides/tracked-jetbrains-issues/#ruby-32301
+      def self.set_attributes_on_agent_config_model_instance(agent_config_model:, values:, agent_model:)
+        # Type check all the values via rightward assignment destructuring
+        values => {
+          allow_privilege_escalation: (TrueClass | FalseClass) => allow_privilege_escalation,
+          annotations: Hash => annotations,
+          default_max_hours_before_termination: Integer => default_max_hours_before_termination,
+          default_resources_per_workspace_container: Hash => default_resources_per_workspace_container,
+          default_runtime_class: String => default_runtime_class,
+          dns_zone: String => dns_zone,
+          enabled: (TrueClass | FalseClass) => enabled,
+          gitlab_workspaces_proxy_namespace: String => gitlab_workspaces_proxy_namespace,
+          image_pull_secrets: Array => image_pull_secrets,
+          labels: Hash => labels,
+          max_active_hours_before_stop: Integer => max_active_hours_before_stop,
+          max_hours_before_termination_limit: Integer => max_hours_before_termination_limit,
+          max_resources_per_workspace: Hash => max_resources_per_workspace,
+          max_stopped_hours_before_termination: Integer => max_stopped_hours_before_termination,
+          network_policy_egress: Array => network_policy_egress,
+          network_policy_enabled: (TrueClass | FalseClass) => network_policy_enabled,
+          use_kubernetes_user_namespaces: (TrueClass | FalseClass) => use_kubernetes_user_namespaces,
+          workspaces_per_user_quota: Integer => workspaces_per_user_quota,
+          workspaces_quota: Integer => workspaces_quota
+        }
+
+        agent_config_model.assign_attributes({
+          allow_privilege_escalation: allow_privilege_escalation,
+          annotations: annotations,
+          default_max_hours_before_termination: default_max_hours_before_termination,
+          default_resources_per_workspace_container: default_resources_per_workspace_container,
+          default_runtime_class: default_runtime_class,
+          dns_zone: dns_zone,
+          enabled: enabled,
+          gitlab_workspaces_proxy_namespace: gitlab_workspaces_proxy_namespace,
+          image_pull_secrets: image_pull_secrets,
+          labels: labels,
+          max_active_hours_before_stop: max_active_hours_before_stop,
+          max_hours_before_termination_limit: max_hours_before_termination_limit,
+          max_resources_per_workspace: max_resources_per_workspace,
+          max_stopped_hours_before_termination: max_stopped_hours_before_termination,
+          network_policy_egress: network_policy_egress,
+          network_policy_enabled: network_policy_enabled,
+          project_id: agent_model.project_id,
+          use_kubernetes_user_namespaces: use_kubernetes_user_namespaces,
+          workspaces_per_user_quota: workspaces_per_user_quota,
+          workspaces_quota: workspaces_quota
+        })
       end
-      # rubocop:enable Metrics/AbcSize
 
-      private_class_method :find_or_initialize_workspaces_agent_config
+      private_class_method :update_or_initialize_workspaces_agent_config, :set_attributes_on_agent_config_model_instance
     end
   end
 end
diff --git a/ee/lib/remote_development/settings/default_settings.rb b/ee/lib/remote_development/settings/default_settings.rb
index 181552af196b7c..3adf0f976d7565 100644
--- a/ee/lib/remote_development/settings/default_settings.rb
+++ b/ee/lib/remote_development/settings/default_settings.rb
@@ -10,34 +10,36 @@ class DefaultSettings
       # @return [Hash]
       def self.default_settings
         {
+          allow_privilege_escalation: [false, :Boolean],
+          annotations: [{}, Hash],
           # NOTE: default_branch_name is not actually used by Remote Development, it is simply a placeholder to drive
           #       the logic for reading settings from ::Gitlab::CurrentSettings. It can be replaced when there is an
           #       actual Remote Development entry in ::Gitlab::CurrentSettings.
           default_branch_name: [UNDEFINED, String],
           default_max_hours_before_termination: [24, Integer],
-          max_hours_before_termination_limit: [120, Integer],
-          project_cloner_image: ["alpine/git:2.45.2", String],
-          tools_injector_image: [
-            "registry.gitlab.com/gitlab-org/remote-development/gitlab-workspaces-tools:2.0.0", String
-          ],
+          default_resources_per_workspace_container: [{}, Hash],
+          default_runtime_class: ["", String],
           full_reconciliation_interval_seconds: [3600, Integer],
-          partial_reconciliation_interval_seconds: [10, Integer],
-          workspaces_quota: [-1, Integer],
-          workspaces_per_user_quota: [-1, Integer],
+          gitlab_workspaces_proxy_namespace: ["gitlab-workspaces", String],
+          image_pull_secrets: [[], Array],
+          labels: [{}, Hash],
+          max_active_hours_before_stop: [36, Integer],
+          max_hours_before_termination_limit: [120, Integer],
+          max_resources_per_workspace: [{}, Hash],
+          max_stopped_hours_before_termination: [744, Integer],
           network_policy_egress: [[{
             allow: "0.0.0.0/0",
             except: %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
           }], Array],
-          default_resources_per_workspace_container: [{}, Hash],
-          max_resources_per_workspace: [{}, Hash],
-          gitlab_workspaces_proxy_namespace: [{}, Hash],
           network_policy_enabled: [true, :Boolean],
-          allow_privilege_escalation: [false, :Boolean],
+          partial_reconciliation_interval_seconds: [10, Integer],
+          project_cloner_image: ["alpine/git:2.45.2", String],
+          tools_injector_image: [
+            "registry.gitlab.com/gitlab-org/remote-development/gitlab-workspaces-tools:2.0.0", String
+          ],
           use_kubernetes_user_namespaces: [false, :Boolean],
-          default_runtime_class: ["", String],
-          annotations: [{}, Hash],
-          labels: [{}, Hash],
-          image_pull_secrets: [[], Array]
+          workspaces_per_user_quota: [-1, Integer],
+          workspaces_quota: [-1, Integer]
         }
       end
     end
diff --git a/ee/lib/remote_development/workspace_operations/create/personal_access_token_creator.rb b/ee/lib/remote_development/workspace_operations/create/personal_access_token_creator.rb
index 7b7508cc3f64d9..e8f18608a0e5ed 100644
--- a/ee/lib/remote_development/workspace_operations/create/personal_access_token_creator.rb
+++ b/ee/lib/remote_development/workspace_operations/create/personal_access_token_creator.rb
@@ -15,7 +15,6 @@ def self.create(context)
             params: Hash => params
           }
           params => {
-            max_hours_before_termination: Integer => max_hours_before_termination,
             project: Project => project
           }
 
@@ -25,11 +24,7 @@ def self.create(context)
             impersonation: false,
             scopes: [:write_repository, :api],
             organization: project.organization,
-            # Since expires_at is a date, we need to set it to the round it off to the next day.
-            # e.g. If the max_hours_before_termination of the workspace is 1 hour
-            # and the workspace is created at 2023-08-20 05:30:00,
-            # then the expires_at of the PAT would be 2023-08-21.
-            expires_at: max_hours_before_termination.hours.from_now.to_date.next_day
+            expires_at: max_allowed_personal_access_token_expires_at
           )
           personal_access_token.save
 
@@ -45,6 +40,12 @@ def self.create(context)
             })
           )
         end
+
+        # @return [ActiveSupport::TimeWithZone]
+        def self.max_allowed_personal_access_token_expires_at
+          MaxHoursBeforeTermination::MAX_HOURS_BEFORE_TERMINATION.hours.from_now.to_date.next_day - 1.second
+        end
+        private_class_method :max_allowed_personal_access_token_expires_at
       end
     end
   end
diff --git a/ee/lib/remote_development/workspace_operations/max_hours_before_termination.rb b/ee/lib/remote_development/workspace_operations/max_hours_before_termination.rb
new file mode 100644
index 00000000000000..ecd548f3dbe55c
--- /dev/null
+++ b/ee/lib/remote_development/workspace_operations/max_hours_before_termination.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module RemoteDevelopment
+  module WorkspaceOperations
+    class MaxHoursBeforeTermination
+      # NOTE: see the following issue for the reasoning behind this value being the hard maximum termination limit:
+      #      https://gitlab.com/gitlab-org/gitlab/-/issues/471994
+      # This may be configurable again in the future if we move away from Personal Access Tokens, but for now
+      # it's a hardcoded constant.
+      MAX_HOURS_BEFORE_TERMINATION = 8760
+    end
+  end
+end
diff --git a/ee/lib/remote_development/workspace_operations/reconcile/main.rb b/ee/lib/remote_development/workspace_operations/reconcile/main.rb
index c5e7a127abccfe..ce2bae1c4915d8 100644
--- a/ee/lib/remote_development/workspace_operations/reconcile/main.rb
+++ b/ee/lib/remote_development/workspace_operations/reconcile/main.rb
@@ -21,6 +21,7 @@ def self.main(context)
               .map(Input::AgentInfosObserver.method(:observe))
               .map(Persistence::WorkspacesFromAgentInfosUpdater.method(:update))
               .map(Persistence::OrphanedWorkspacesObserver.method(:observe))
+              .map(Persistence::WorkspacesLifecycleManager.method(:manage))
               .map(Persistence::WorkspacesToBeReturnedFinder.method(:find))
               .map(Output::ResponsePayloadBuilder.method(:build))
               .map(Persistence::WorkspacesToBeReturnedUpdater.method(:update))
diff --git a/ee/lib/remote_development/workspace_operations/reconcile/output/response_payload_builder.rb b/ee/lib/remote_development/workspace_operations/reconcile/output/response_payload_builder.rb
index 7acb5f1e0a5b10..bb6858b81ebfac 100644
--- a/ee/lib/remote_development/workspace_operations/reconcile/output/response_payload_builder.rb
+++ b/ee/lib/remote_development/workspace_operations/reconcile/output/response_payload_builder.rb
@@ -44,7 +44,7 @@ def self.build(context)
                 deployment_resource_version: workspace.deployment_resource_version,
                 # NOTE: config_to_apply should be returned as null if config_to_apply returned nil
                 config_to_apply: config_to_apply,
-                image_pull_secrets: workspace.workspaces_agent_config.image_pull_secrets
+                image_pull_secrets: workspace.workspaces_agent_config.image_pull_secrets.map(&:symbolize_keys)
               }
             end
 
diff --git a/ee/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_from_agent_infos_updater.rb b/ee/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_from_agent_infos_updater.rb
index 9c1c77a490755e..e11ae03e15a2a3 100644
--- a/ee/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_from_agent_infos_updater.rb
+++ b/ee/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_from_agent_infos_updater.rb
@@ -48,14 +48,6 @@ def self.update_persisted_workspace_with_latest_info(
               persisted_workspace.desired_state = States::RUNNING
             end
 
-            # Ensure workspaces are terminated after max time-to-live. This is a temporary approach, we eventually want
-            # to replace this with some mechanism to detect workspace activity and only shut down inactive workspaces.
-            # Until then, this is the workaround to ensure workspaces don't live indefinitely.
-            # See https://gitlab.com/gitlab-org/gitlab/-/issues/390597
-            if (persisted_workspace.created_at + persisted_workspace.max_hours_before_termination.hours).past?
-              persisted_workspace.desired_state = States::TERMINATED
-            end
-
             persisted_workspace.actual_state = actual_state
 
             # In some cases a deployment resource version may not be present, e.g. if the initial creation request for
diff --git a/ee/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_lifecycle_manager.rb b/ee/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_lifecycle_manager.rb
new file mode 100644
index 00000000000000..a125c2aa1f23fd
--- /dev/null
+++ b/ee/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_lifecycle_manager.rb
@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+module RemoteDevelopment
+  module WorkspaceOperations
+    module Reconcile
+      module Persistence
+        class WorkspacesLifecycleManager
+          # @param [Hash] context
+          # @return [Hash]
+          def self.manage(context)
+            context => {
+              workspaces_from_agent_infos: Array => workspaces_from_agent_infos,
+            }
+
+            # Ensure workspaces do not exist indefinitely. This is a temporary approach, we eventually want
+            # to replace this with some mechanism to detect workspace activity and only shut down inactive workspaces.
+            # Until then, this is the workaround to ensure workspaces don't live indefinitely.
+            # See https://gitlab.com/gitlab-org/gitlab/-/issues/390597
+            workspaces_from_agent_infos.each do |workspace|
+              # We don't care about workspaces that are already in desired_state of Terminated
+              next if [States::TERMINATED].include?(workspace.desired_state)
+
+              terminate_if_exceeded_max_hours_before_termination(workspace: workspace) ||
+                stop_if_exceeded_max_active_hours_before_stop(workspace: workspace) ||
+                terminate_if_exceeded_max_stopped_hours_before_termination(workspace: workspace)
+            end
+
+            context
+          end
+
+          # @param [RemoteDevelopment::Workspace] workspace
+          # @return [Boolean] true if the condition matched and the workspace was updated, false if it was not
+          def self.terminate_if_exceeded_max_hours_before_termination(workspace:)
+            max_hours_before_termination = MaxHoursBeforeTermination::MAX_HOURS_BEFORE_TERMINATION
+
+            return false unless (workspace.created_at + max_hours_before_termination.hours).past?
+
+            workspace.update!(desired_state: States::TERMINATED)
+
+            true
+          end
+
+          # @param [RemoteDevelopment::Workspace] workspace
+          # @return [Boolean] true if the condition matched and the workspace was updated, false if it was not
+          def self.stop_if_exceeded_max_active_hours_before_stop(workspace:)
+            # We only want to stop "active" workspaces, which means in desired_state of RestartRequested or Running
+            return false if workspace.desired_state == States::STOPPED
+
+            time_to_stop = workspace.desired_state_updated_at +
+              workspace.workspaces_agent_config.max_active_hours_before_stop.hours
+            return false unless time_to_stop.past?
+
+            workspace.update!(desired_state: States::STOPPED)
+
+            true
+          end
+
+          # @param [RemoteDevelopment::Workspace] workspace
+          # @return [Boolean] true if the condition matched and the workspace was updated, false if it was not
+          def self.terminate_if_exceeded_max_stopped_hours_before_termination(workspace:)
+            # We only want to terminate stopped workspaces
+            return false unless workspace.desired_state == States::STOPPED
+
+            hours_since_stop = (Time.zone.now - workspace.desired_state_updated_at) / 1.hour
+            unless hours_since_stop > workspace.workspaces_agent_config.max_stopped_hours_before_termination
+              return false
+            end
+
+            workspace.update!(desired_state: States::TERMINATED)
+
+            true
+          end
+
+          private_class_method :terminate_if_exceeded_max_hours_before_termination,
+            :stop_if_exceeded_max_active_hours_before_stop,
+            :terminate_if_exceeded_max_stopped_hours_before_termination
+        end
+      end
+    end
+  end
+end
diff --git a/ee/spec/features/remote_development/workspaces_spec.rb b/ee/spec/features/remote_development/workspaces_spec.rb
index f42a54eceb7b09..39b94dbb45cd2c 100644
--- a/ee/spec/features/remote_development/workspaces_spec.rb
+++ b/ee/spec/features/remote_development/workspaces_spec.rb
@@ -3,12 +3,13 @@
 require 'spec_helper'
 require_relative "../../support/helpers/remote_development/integration_spec_helpers"
 
-RSpec.describe 'Remote Development workspaces', :api, :js, feature_category: :workspaces do
+RSpec.describe 'Remote Development workspaces', :freeze_time, :api, :js, feature_category: :workspaces do
   include RemoteDevelopment::IntegrationSpecHelpers
 
   include_context 'with remote development shared fixtures'
   include_context 'file upload requests helpers'
 
+  let(:states) { RemoteDevelopment::WorkspaceOperations::States }
   let_it_be(:user) { create(:user) }
   let_it_be(:group) { create(:group, name: 'test-group', developers: user, owners: user) }
   let_it_be(:devfile_path) { '.devfile.yaml' }
@@ -18,8 +19,11 @@
     create(:project, :public, :in_group, :custom_repo, path: 'test-project', files: files, namespace: group)
   end
 
-  let_it_be(:agent) do
-    create(:ee_cluster_agent, :with_existing_workspaces_agent_config, project: project, created_by_user: user)
+  let_it_be(:image_pull_secrets) { [{ name: 'secret-name', namespace: 'secret-namespace' }] }
+
+  let_it_be(:agent, refind: true) { create(:cluster_agent, project: project, created_by_user: user) }
+  let_it_be(:workspaces_agent_config, refind: true) do
+    create(:workspaces_agent_config, agent: agent, image_pull_secrets: image_pull_secrets)
   end
 
   let_it_be(:agent_token) { create(:cluster_agent_token, agent: agent, created_by_user: user) }
@@ -28,32 +32,85 @@
   let(:variable_value) { "value 1" }
   let(:workspaces_group_settings_path) { "/groups/#{group.name}/-/settings/workspaces" }
 
-  before do
-    stub_licensed_features(remote_development: true)
-    allow(Gitlab::Kas).to receive(:verify_api_request).and_return(true)
+  # @param [String] state
+  def expect_workspace_state_indicator(state)
+    indicator = find_by_testid('workspace-state-indicator')
 
-    # rubocop:disable RSpec/AnyInstanceOf -- It's NOT the next instance...
-    allow_any_instance_of(Gitlab::Auth::AuthFinders)
-      .to receive(:cluster_agent_token_from_authorization_token) { agent_token }
-    # rubocop:enable RSpec/AnyInstanceOf
+    expect(indicator).to have_text(state)
+  end
 
-    sign_in(user)
+  # @param [String] agent_name
+  # @param [String] group_name
+  def do_create_mapping(agent_name:, group_name:)
+    workspaces_group_settings_path = "/groups/#{group_name}/-/settings/workspaces"
+    gitlab_badge_selector = '.gl-badge-content'
+    visit workspaces_group_settings_path
     wait_for_requests
+
+    # enable agent for group
+    click_link 'All agents'
+    expect(page).to have_content agent_name
+    first_agent_row_selector = 'tbody tr:first-child'
+    expect(page).not_to have_selector(gitlab_badge_selector, text: 'Allowed')
+    within first_agent_row_selector do
+      click_button 'Allow'
+      wait_for_requests
+    end
+    click_button 'Allow agent'
+    expect(page).to have_selector(gitlab_badge_selector, text: 'Allowed')
   end
 
-  shared_examples 'creates a workspace' do
-    it 'creates a workspace' do
+  # @param [Hash] params
+  # @param [QA::Resource::Clusters::AgentToken] agent_token
+  # @return [Hash] response_json with deep symbolized keys
+  def do_reconcile_post(params:, agent_token:)
+    # Custom logic to perform the reconcile post for a _FEATURE_ (Capybara) spec
+
+    agent_token_headers = { 'Content-Type' => 'application/json' }
+    reconcile_url = capybara_url(
+      api('/internal/kubernetes/modules/remote_development/reconcile', personal_access_token: agent_token)
+    )
+
+    # Note: HTTParty doesn't handle empty arrays right, so we have to be explicit with content type and send JSON.
+    #       See https://github.com/jnunemaker/httparty/issues/494
+    reconcile_post_response = HTTParty.post(
+      reconcile_url,
+      headers: agent_token_headers,
+      body: params.compact.to_json
+    )
+
+    expect(reconcile_post_response.code).to eq(HTTP::Status::CREATED)
+
+    json_response = Gitlab::Json.parse(reconcile_post_response.body)
+
+    # noinspection RubyMismatchedReturnType -- Typing is wrong, RubyMine doesn't think this returns a Hash
+    json_response.deep_symbolize_keys
+  end
+
+  shared_examples 'workspace lifecycle' do
+    before do
+      stub_licensed_features(remote_development: true)
+      allow(Gitlab::Kas).to receive(:verify_api_request).and_return(true)
+
+      # rubocop:disable RSpec/AnyInstanceOf -- It's NOT the next instance...
+      allow_any_instance_of(Gitlab::Auth::AuthFinders)
+        .to receive(:cluster_agent_token_from_authorization_token) { agent_token }
+      # rubocop:enable RSpec/AnyInstanceOf
+
+      sign_in(user)
+      wait_for_requests
+    end
+
+    it "successfully exercises the full lifecycle of a workspace", :unlimited_max_formatted_output_length do
       # Tips:
       # use live_debug to pause when WEBDRIVER_HEADLESS=0
       # live_debug
 
-      # noinspection RubyResolve - https://handbook.gitlab.com/handbook/tools-and-tips/editors-and-ides/jetbrains-ides/tracked-jetbrains-issues/#ruby-31542
-
-      # ENABLE AGENT FOR GROUP
-      enable_agent_for_group(agent_name: agent.name, group_name: group.name)
+      # CREATE THE MAPPING, SO WE HAVE PROPER AUTHORIZATION
+      do_create_mapping(agent_name: agent.name, group_name: group.name)
 
       # NAVIGATE TO WORKSPACES PAGE
-      # noinspection RubyResolve -- https://handbook.gitlab.com/handbook/tools-and-tips/editors-and-ides/jetbrains-ides/tracked-jetbrains-issues/#ruby-32301
+      # noinspection RubyResolve -- https://handbook.gitlab.com/handbook/tools-and-tips/editors-and-ides/jetbrains-ides/tracked-jetbrains-issues/#ruby-31542
       visit remote_development_workspaces_path
       wait_for_requests
 
@@ -66,11 +123,6 @@
       # noinspection RubyMismatchedArgumentType -- Rubymine is finding the wrong `select`
       select agent.name, from: 'Cluster agent'
       # this field should be auto-fill when selecting agent
-      expect(page).to have_field(
-        'Workspace automatically terminates after',
-        with: agent.unversioned_latest_workspaces_agent_config.default_max_hours_before_termination
-      )
-      fill_in 'Workspace automatically terminates after', with: '20'
       click_button 'Add variable'
       fill_in 'Variable Key', with: variable_key
       fill_in 'Variable Value', with: variable_value
@@ -102,34 +154,24 @@
       additional_args_for_expected_config_to_apply =
         build_additional_args_for_expected_config_to_apply(
           network_policy_enabled: true,
-          dns_zone: agent.unversioned_latest_workspaces_agent_config.dns_zone,
+          dns_zone: workspaces_agent_config.dns_zone,
           namespace_path: group.path,
-          project_name: project.path
+          project_name: project.path,
+          image_pull_secrets: image_pull_secrets
         )
 
-      # SIMULATE FIRST POLL FROM AGENTK TO PICK UP NEW WORKSPACE
+      # SIMULATE RECONCILE RESPONSE TO AGENTK SENDING NEW WORKSPACE
       simulate_first_poll(
         workspace: workspace.reload,
+        agent_token: agent_token,
         **additional_args_for_expected_config_to_apply
-      ) do |workspace_agent_infos:, update_type:|
-        simulate_agentk_reconcile_post(
-          agent_token: agent_token,
-          workspace_agent_infos: workspace_agent_infos,
-          update_type: update_type
-        )
-      end
-
-      # SIMULATE SECOND POLL FROM AGENTK TO UPDATE WORKSPACE TO RUNNING STATE
-      simulate_second_poll(workspace: workspace.reload) do |workspace_agent_infos:, update_type:|
-        simulate_agentk_reconcile_post(
-          agent_token: agent_token,
-          workspace_agent_infos: workspace_agent_infos,
-          update_type: update_type
-        )
-      end
+      )
+
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO RUNNING ACTUAL_STATE
+      simulate_second_poll(workspace: workspace.reload, agent_token: agent_token)
 
       # ASSERT WORKSPACE SHOWS RUNNING STATE IN UI AND UPDATES URL
-      expect_workspace_state_indicator(RemoteDevelopment::WorkspaceOperations::States::RUNNING)
+      expect_workspace_state_indicator(states::RUNNING)
       expect(find_open_workspace_button).to have_text('Open workspace')
       expect(find_open_workspace_button[:href]).to eq(workspace.url)
 
@@ -138,92 +180,105 @@
       expect(page).to have_button('Stop')
       expect(page).to have_button('Terminate')
 
+      # UPDATE WORKSPACE DESIRED_STATE TO STOPPED
       click_button 'Stop'
 
-      # SIMULATE THIRD POLL FROM AGENTK TO UPDATE WORKSPACE TO STOPPING STATE
+      # SIMULATE RECONCILE RESPONSE TO AGENTK UPDATING WORKSPACE TO STOPPED DESIRED_STATE
       simulate_third_poll(
         workspace: workspace.reload,
+        agent_token: agent_token,
         **additional_args_for_expected_config_to_apply
-      ) do |workspace_agent_infos:, update_type:|
-        simulate_agentk_reconcile_post(
-          agent_token: agent_token,
-          workspace_agent_infos: workspace_agent_infos,
-          update_type: update_type
-        )
-      end
+      )
+
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO STOPPING ACTUAL_STATE
+      simulate_fourth_poll(workspace: workspace.reload, agent_token: agent_token)
 
       # ASSERT WORKSPACE SHOWS STOPPING STATE IN UI
-      expect_workspace_state_indicator(RemoteDevelopment::WorkspaceOperations::States::STOPPING)
+      expect_workspace_state_indicator(states::STOPPING)
 
       # ASSERT ACTION BUTTONS ARE CORRECT FOR STOPPING STATE
       click_button 'Actions'
       expect(page).to have_button('Terminate')
 
-      # SIMULATE FOURTH POLL FROM AGENTK TO UPDATE WORKSPACE TO STOPPED STATE
-      simulate_fourth_poll(workspace: workspace.reload) do |workspace_agent_infos:, update_type:|
-        simulate_agentk_reconcile_post(
-          agent_token: agent_token,
-          workspace_agent_infos: workspace_agent_infos,
-          update_type: update_type
-        )
-      end
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO STOPPED ACTUAL_STATE
+      simulate_fifth_poll(workspace: workspace.reload, agent_token: agent_token)
 
       # ASSERT WORKSPACE SHOWS STOPPED STATE IN UI
-      expect_workspace_state_indicator(RemoteDevelopment::WorkspaceOperations::States::STOPPED)
+      expect_workspace_state_indicator(states::STOPPED)
 
       # ASSERT ACTION BUTTONS ARE CORRECT FOR STOPPED STATE
       expect(page).to have_button('Start')
       expect(page).to have_button('Terminate')
 
-      # SIMULATE FIFTH POLL FROM AGENTK FOR PARTIAL RECONCILE TO SHOW NO RAILS_INFOS ARE SENT
-      simulate_fifth_poll do |workspace_agent_infos:, update_type:|
-        simulate_agentk_reconcile_post(
-          agent_token: agent_token,
-          workspace_agent_infos: workspace_agent_infos,
-          update_type: update_type
-        )
-      end
+      # SIMULATE RECONCILE RESPONSE TO AGENTK FOR PARTIAL RECONCILE TO SHOW NO RAILS_INFOS ARE SENT
+      simulate_sixth_poll(agent_token: agent_token)
 
-      # SIMULATE SIXTH POLL FROM AGENTK FOR FULL RECONCILE TO SHOW ALL WORKSPACES ARE SENT IN RAILS_INFOS
-      simulate_sixth_poll(
+      # SIMULATE RECONCILE RESPONSE TO AGENTK FOR FULL RECONCILE TO SHOW ALL WORKSPACES ARE SENT IN RAILS_INFOS
+      simulate_seventh_poll(
         workspace: workspace.reload,
+        agent_token: agent_token,
         **additional_args_for_expected_config_to_apply
-      ) do |workspace_agent_infos:, update_type:|
-        simulate_agentk_reconcile_post(
-          agent_token: agent_token,
-          workspace_agent_infos: workspace_agent_infos,
-          update_type: update_type
-        )
-      end
-    end
+      )
 
-    def expect_workspace_state_indicator(state)
-      indicator = find_by_testid('workspace-state-indicator')
+      # UPDATE WORKSPACE DESIRED_STATE BACK TO RUNNING
+      click_button 'Start'
 
-      expect(indicator).to have_text(state)
-    end
+      # SIMULATE RECONCILE RESPONSE TO AGENTK UPDATING WORKSPACE TO RUNNING DESIRED_STATE
+      simulate_eighth_poll(
+        workspace: workspace.reload,
+        agent_token: agent_token,
+        **additional_args_for_expected_config_to_apply
+      )
+
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO RUNNING ACTUAL_STATE
+      simulate_ninth_poll(
+        workspace: workspace.reload,
+        agent_token: agent_token,
+        # TRAVEL FORWARD IN TIME MAX_ACTIVE_HOURS_BEFORE_STOP HOURS
+        time_to_travel_after_poll: workspace.workspaces_agent_config.max_active_hours_before_stop.hours
+      )
+
+      # ASSERT WORKSPACE SHOWS RUNNING STATE IN UI AND UPDATES URL
+      expect_workspace_state_indicator(states::RUNNING)
 
-    def simulate_agentk_reconcile_post(agent_token:, workspace_agent_infos:, update_type:)
-      post_params = {
-        workspace_agent_infos: workspace_agent_infos,
-        update_type: update_type
-      }
+      # SIMULATE RECONCILE RESPONSE TO AGENTK UPDATING WORKSPACE TO STOPPED DESIRED_STATE
+      simulate_tenth_poll(
+        workspace: workspace.reload,
+        agent_token: agent_token,
+        **additional_args_for_expected_config_to_apply
+      )
+
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO STOPPING ACTUAL_STATE
+      simulate_eleventh_poll(workspace: workspace.reload, agent_token: agent_token)
+
+      # ASSERT WORKSPACE SHOWS STOPPING STATE IN UI
+      expect_workspace_state_indicator(states::STOPPING)
 
-      reconcile_url = capybara_url(
-        api('/internal/kubernetes/modules/remote_development/reconcile', personal_access_token: agent_token)
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO STOPPED ACTUAL_STATE
+      simulate_twelfth_poll(
+        workspace: workspace.reload,
+        agent_token: agent_token,
+        # TRAVEL FORWARD IN TIME MAX_STOPPED_HOURS_BEFORE_TERMINATION HOURS
+        time_to_travel_after_poll: workspace.workspaces_agent_config.max_stopped_hours_before_termination.hours
       )
 
-      # Note: HTTParty doesn't handle empty arrays right, so we have to be explicit with content type and send JSON.
-      #       See https://github.com/jnunemaker/httparty/issues/494
-      reconcile_post_response = HTTParty.post(
-        reconcile_url,
-        headers: { 'Content-Type' => 'application/json' },
-        body: post_params.compact.to_json
+      # ASSERT WORKSPACE SHOWS STOPPED STATE IN UI
+      expect_workspace_state_indicator(states::STOPPED)
+
+      # SIMULATE RECONCILE RESPONSE TO AGENTK UPDATING WORKSPACE TO TERMINATED DESIRED_STATE
+      simulate_thirteenth_poll(
+        workspace: workspace.reload,
+        agent_token: agent_token,
+        **additional_args_for_expected_config_to_apply
       )
 
-      expect(reconcile_post_response.code).to eq(HTTP::Status::CREATED)
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO TERMINATING ACTUAL_STATE
+      simulate_fourteenth_poll(workspace: workspace.reload,
+        agent_token: agent_token
+      )
 
-      Gitlab::Json.parse(reconcile_post_response.body).deep_symbolize_keys
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO TERMINATED ACTUAL_STATE
+      simulate_fifteenth_poll(workspace: workspace.reload, agent_token: agent_token)
     end
   end
 
@@ -231,7 +286,9 @@ def find_open_workspace_button
     page.first('[data-testid="workspace-open-button"]', minimum: 0)
   end
 
-  context 'when creating a workspace' do
-    it_behaves_like 'creates a workspace'
+  describe "a happy path workspace lifecycle" do
+    # NOTE: Even though this is only called once, we leave it as a shared example, so that we can easily
+    #       introduce additional contexts with different behavior for temporary feature flag testing.
+    it_behaves_like 'workspace lifecycle'
   end
 end
diff --git a/ee/spec/frontend/workspaces/common/components/workspaces_list/workspaces_table_spec.js b/ee/spec/frontend/workspaces/common/components/workspaces_list/workspaces_table_spec.js
index 8f38bc839d7618..3ee6d762ecc387 100644
--- a/ee/spec/frontend/workspaces/common/components/workspaces_list/workspaces_table_spec.js
+++ b/ee/spec/frontend/workspaces/common/components/workspaces_list/workspaces_table_spec.js
@@ -37,7 +37,6 @@ const findTableRowsAsData = (wrapper) =>
       },
       nameText: x.find('[data-testid="workspace-name"]').text(),
       createdAt: x.findComponent(TimeAgoTooltip).props().time,
-      terminates: x.find('[data-testid="workspace-termination"]').text(),
     };
 
     return rowData;
@@ -102,7 +101,6 @@ describe('workspaces/common/components/workspaces_list/workspaces_table.vue', ()
           return {
             nameText: workspace.name,
             createdAt: workspace.createdAt,
-            terminates: workspace.name === 'workspace-1-1-idmi02' ? 'in 54 minutes' : 'in 2 days',
             workspaceActionsProps: {
               workspaceDisplayState,
             },
diff --git a/ee/spec/frontend/workspaces/user/pages/create_spec.js b/ee/spec/frontend/workspaces/user/pages/create_spec.js
index c4a1a973cda328..83a01c7f657c40 100644
--- a/ee/spec/frontend/workspaces/user/pages/create_spec.js
+++ b/ee/spec/frontend/workspaces/user/pages/create_spec.js
@@ -185,21 +185,6 @@ describe('workspaces/user/pages/create.vue', () => {
 
   const findMaxHoursBeforeTerminationField = () =>
     wrapper.findByTestId('max-hours-before-termination');
-  const findMaxHoursBeforeTerminationInputGroup = () =>
-    findMaxHoursBeforeTerminationField().findComponent(GlFormInputGroup);
-  const findMaxHoursBeforeTerminationInput = () =>
-    findMaxHoursBeforeTerminationInputGroup().findComponent(GlFormInput);
-  const findMaxHoursBeforeTerminationFieldParts = () => {
-    const field = findMaxHoursBeforeTerminationField();
-    const inputAppendText = findMaxHoursBeforeTerminationInputGroup().text();
-    const inputValue = findMaxHoursBeforeTerminationInput();
-
-    return {
-      label: field.attributes('label'),
-      inputAppendText,
-      inputValue: parseInt(inputValue.attributes('value'), 10),
-    };
-  };
 
   const emitGetProjectDetailsQueryResult = ({
     clusterAgents = [],
@@ -347,29 +332,11 @@ describe('workspaces/user/pages/create.vue', () => {
       });
     });
 
-    describe('max hours before termination field', () => {
-      it('renders parts', () => {
-        expect(findMaxHoursBeforeTerminationFieldParts()).toEqual({
-          label: 'Workspace automatically terminates after',
-          inputAppendText: 'hours',
-          inputValue: clusterAgentOneDefaultMaxHours,
-        });
-      });
-    });
-
     describe('when selecting a different cluster agent', () => {
       beforeEach(async () => {
         await selectClusterAgent(selectedClusterAgentTwoIDFixture);
       });
 
-      it('auto-populates max hours before termination field value to new agent value', () => {
-        expect(findMaxHoursBeforeTerminationFieldParts()).toEqual({
-          label: 'Workspace automatically terminates after',
-          inputAppendText: 'hours',
-          inputValue: clusterAgentTwoDefaultMaxHours,
-        });
-      });
-
       it('submits workspaceCreate mutation with correct data', async () => {
         const devfileRef = 'mybranch';
         findDevfileRefRefSelector().vm.$emit('input', devfileRef);
@@ -408,12 +375,7 @@ describe('workspaces/user/pages/create.vue', () => {
 
     describe('when clicking Create Workspace button', () => {
       it('submits workspaceCreate mutation', async () => {
-        const maxHoursBeforeTermination = 10;
-        findMaxHoursBeforeTerminationInput().vm.$emit(
-          'input',
-          maxHoursBeforeTermination.toString(),
-        );
-
+        const maxHoursBeforeTermination = 100;
         const devfileRef = 'mybranch';
         findDevfileRefRefSelector().vm.$emit('input', devfileRef);
 
diff --git a/ee/spec/lib/remote_development/agent_config_operations/updater_spec.rb b/ee/spec/lib/remote_development/agent_config_operations/updater_spec.rb
index 031374e3256f21..0f2d95b6b5853a 100644
--- a/ee/spec/lib/remote_development/agent_config_operations/updater_spec.rb
+++ b/ee/spec/lib/remote_development/agent_config_operations/updater_spec.rb
@@ -7,20 +7,20 @@
   include ResultMatchers
 
   let(:enabled) { true }
+  let(:enabled_present) { true }
   let_it_be(:dns_zone) { 'my-awesome-domain.me' }
-  let(:termination_limits_sets) { false }
-  let(:default_unlimited_quota) { -1 }
+  let(:unlimited_quota) { -1 }
   let(:saved_quota) { 5 }
   let(:quota) { 5 }
+
   let(:network_policy_present) { false }
-  let(:default_network_policy_egress) do
+  let(:network_policy_egress) do
     [{
       allow: "0.0.0.0/0",
       except: %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
     }]
   end
 
-  let(:network_policy_egress) { default_network_policy_egress }
   let(:network_policy_enabled) { true }
   let(:network_policy_without_egress) do
     { enabled: network_policy_enabled }
@@ -36,16 +36,22 @@
   let(:network_policy) { network_policy_without_egress }
   let(:gitlab_workspaces_proxy_present) { false }
   let(:gitlab_workspaces_proxy_namespace) { 'gitlab-workspaces' }
-  let(:gitlab_workspaces_proxy) do
-    { namespace: gitlab_workspaces_proxy_namespace }
-  end
+  let(:gitlab_workspaces_proxy) { { namespace: gitlab_workspaces_proxy_namespace } }
+  let(:gitlab_workspaces_proxy_namespace_present) { true }
+
+  let(:default_resources_per_workspace_container) { {} }
+  let(:max_resources_per_workspace) { {} }
 
-  let(:default_default_resources_per_workspace_container) { {} }
-  let(:default_resources_per_workspace_container) { default_default_resources_per_workspace_container }
-  let(:default_max_resources_per_workspace) { {} }
-  let(:max_resources_per_workspace) { default_max_resources_per_workspace }
   let(:default_max_hours_before_termination) { 24 }
+  let(:default_max_hours_before_termination_present) { false }
   let(:max_hours_before_termination_limit) { 120 }
+  let(:max_hours_before_termination_limit_present) { false }
+
+  let(:max_active_hours_before_stop) { 36 }
+  let(:max_active_hours_before_stop_present) { false }
+  let(:max_stopped_hours_before_termination) { 744 }
+  let(:max_stopped_hours_before_termination_present) { false }
+
   let(:allow_privilege_escalation) { false }
   let(:use_kubernetes_user_namespaces) { false }
   let(:default_runtime_class) { "" }
@@ -59,19 +65,37 @@
 
   let(:config) do
     remote_development_config = {
-      'enabled' => enabled,
       'dns_zone' => dns_zone_in_config
     }
+    remote_development_config['enabled'] = enabled if enabled_present
     remote_development_config['network_policy'] = network_policy if network_policy_present
-    remote_development_config['gitlab_workspaces_proxy'] = gitlab_workspaces_proxy if gitlab_workspaces_proxy_present
+
+    remote_development_config['gitlab_workspaces_proxy'] =
+      if gitlab_workspaces_proxy_present && gitlab_workspaces_proxy_namespace_present
+        gitlab_workspaces_proxy
+      elsif gitlab_workspaces_proxy_present
+        {}
+      end
+
     remote_development_config['default_resources_per_workspace_container'] = default_resources_per_workspace_container
     remote_development_config['max_resources_per_workspace'] = max_resources_per_workspace
 
-    if termination_limits_sets
+    if default_max_hours_before_termination_present
       remote_development_config['default_max_hours_before_termination'] = default_max_hours_before_termination
+    end
+
+    if max_hours_before_termination_limit_present
       remote_development_config['max_hours_before_termination_limit'] = max_hours_before_termination_limit
     end
 
+    if max_active_hours_before_stop_present
+      remote_development_config['max_active_hours_before_stop'] = max_active_hours_before_stop
+    end
+
+    if max_stopped_hours_before_termination_present
+      remote_development_config['max_stopped_hours_before_termination'] = max_stopped_hours_before_termination
+    end
+
     if quota
       remote_development_config['workspaces_quota'] = quota
       remote_development_config['workspaces_per_user_quota'] = quota
@@ -89,51 +113,6 @@
     }
   end
 
-  let(:agent_config_setting_names) do
-    [
-      :default_max_hours_before_termination,
-      :default_resources_per_workspace_container,
-      :gitlab_workspaces_proxy_namespace,
-      :max_hours_before_termination_limit,
-      :max_resources_per_workspace,
-      :network_policy_egress,
-      :network_policy_enabled,
-      :workspaces_per_user_quota,
-      :workspaces_quota,
-      :allow_privilege_escalation,
-      :use_kubernetes_user_namespaces,
-      :default_runtime_class,
-      :annotations,
-      :labels,
-      :image_pull_secrets
-    ]
-  end
-
-  let(:agent_config_setting_values) do
-    {
-      default_max_hours_before_termination: default_max_hours_before_termination,
-      default_resources_per_workspace_container: default_default_resources_per_workspace_container,
-      gitlab_workspaces_proxy_namespace: "gitlab-workspaces",
-      max_hours_before_termination_limit: max_hours_before_termination_limit,
-      max_resources_per_workspace: default_max_resources_per_workspace,
-      network_policy_egress: default_network_policy_egress,
-      network_policy_enabled: network_policy_enabled,
-      workspaces_per_user_quota: default_unlimited_quota,
-      workspaces_quota: default_unlimited_quota,
-      allow_privilege_escalation: allow_privilege_escalation,
-      use_kubernetes_user_namespaces: use_kubernetes_user_namespaces,
-      default_runtime_class: default_runtime_class,
-      annotations: annotations,
-      labels: labels,
-      image_pull_secrets: image_pull_secrets
-    }
-  end
-
-  before do
-    allow(RemoteDevelopment::Settings)
-      .to receive(:get).with(agent_config_setting_names).and_return(agent_config_setting_values)
-  end
-
   subject(:result) do
     described_class.update(agent: agent, config: config) # rubocop:disable Rails/SaveBang -- this isn't ActiveRecord
   end
@@ -157,27 +136,26 @@
         expect { result }.to change { RemoteDevelopment::WorkspacesAgentConfig.count }.by(expected_configs_created)
 
         config_instance = agent.reload.unversioned_latest_workspaces_agent_config
-        expect(config_instance.enabled).to eq(enabled)
-        expect(config_instance.project_id).to eq(agent.project_id)
-        expect(config_instance.dns_zone).to eq(expected_dns_zone)
-        expect(config_instance.network_policy_enabled).to eq(network_policy_enabled)
-        expect(config_instance.network_policy_egress.map(&:deep_symbolize_keys)).to eq(network_policy_egress)
-        expect(config_instance.gitlab_workspaces_proxy_namespace).to eq(gitlab_workspaces_proxy_namespace)
+        expect(config_instance.allow_privilege_escalation).to eq(allow_privilege_escalation)
+        expect(config_instance.annotations.deep_symbolize_keys).to eq(annotations)
+        expect(config_instance.default_max_hours_before_termination).to eq(default_max_hours_before_termination)
         expect(config_instance.default_resources_per_workspace_container.deep_symbolize_keys)
           .to eq(default_resources_per_workspace_container)
-        expect(config_instance.max_resources_per_workspace.deep_symbolize_keys)
-          .to eq(max_resources_per_workspace)
-        # noinspection RubyResolve - https://handbook.gitlab.com/handbook/tools-and-tips/editors-and-ides/jetbrains-ides/tracked-jetbrains-issues/#ruby-31542
-        expect(config_instance.workspaces_quota).to eq(saved_quota)
-        # noinspection RubyResolve - https://handbook.gitlab.com/handbook/tools-and-tips/editors-and-ides/jetbrains-ides/tracked-jetbrains-issues/#ruby-31542
-        expect(config_instance.workspaces_per_user_quota).to eq(saved_quota)
-        expect(config_instance.default_max_hours_before_termination).to eq(default_max_hours_before_termination)
-        expect(config_instance.max_hours_before_termination_limit).to eq(max_hours_before_termination_limit)
-        expect(config_instance.allow_privilege_escalation).to eq(allow_privilege_escalation)
-        expect(config_instance.use_kubernetes_user_namespaces).to eq(use_kubernetes_user_namespaces)
         expect(config_instance.default_runtime_class).to eq(default_runtime_class)
-        expect(config_instance.annotations.deep_symbolize_keys).to eq(annotations)
+        expect(config_instance.dns_zone).to eq(expected_dns_zone)
+        expect(config_instance.enabled).to eq(expected_enabled)
+        expect(config_instance.gitlab_workspaces_proxy_namespace).to eq(gitlab_workspaces_proxy_namespace)
         expect(config_instance.labels.deep_symbolize_keys).to eq(labels)
+        expect(config_instance.max_active_hours_before_stop).to eq(max_active_hours_before_stop)
+        expect(config_instance.max_hours_before_termination_limit).to eq(max_hours_before_termination_limit)
+        expect(config_instance.max_resources_per_workspace.deep_symbolize_keys).to eq(max_resources_per_workspace)
+        expect(config_instance.max_stopped_hours_before_termination).to eq(max_stopped_hours_before_termination)
+        expect(config_instance.network_policy_egress.map(&:deep_symbolize_keys)).to eq(network_policy_egress)
+        expect(config_instance.network_policy_enabled).to eq(network_policy_enabled)
+        expect(config_instance.project_id).to eq(agent.project_id)
+        expect(config_instance.use_kubernetes_user_namespaces).to eq(use_kubernetes_user_namespaces)
+        expect(config_instance.workspaces_per_user_quota).to eq(saved_quota)
+        expect(config_instance.workspaces_quota).to eq(saved_quota)
         expect(config_instance.image_pull_secrets).to eq(image_pull_secrets)
 
         expect(result)
@@ -191,6 +169,7 @@
     end
 
     context 'when a config file is valid' do
+      let(:expected_enabled) { true }
       let(:expected_dns_zone) { dns_zone }
       let(:expected_configs_created) { 1 }
 
@@ -238,12 +217,22 @@
           end
 
           context 'when default and max_hours_before_termination are explicitly specified in the config passed' do
-            let(:termination_limits_sets) { true }
+            let(:default_max_hours_before_termination_present) { true }
+            let(:max_hours_before_termination_limit_present) { true }
             let(:default_max_hours_before_termination) { 20 }
             let(:max_hours_before_termination_limit) { 220 }
 
             it_behaves_like 'successful update'
           end
+
+          context 'when delayed termination fields are explicitly specified in the config passed' do
+            let(:max_active_hours_before_stop_present) { true }
+            let(:max_stopped_hours_before_termination_present) { true }
+            let(:max_active_hours_before_stop) { 24 }
+            let(:max_stopped_hours_before_termination) { 168 }
+
+            it_behaves_like 'successful update'
+          end
         end
 
         context 'when gitlab_workspaces_proxy is present in the config passed' do
@@ -354,6 +343,35 @@
 
         it_behaves_like 'successful update'
       end
+
+      context "when enabled is a string" do
+        context "and is 'true'" do
+          let(:enabled) { "true" }
+
+          it_behaves_like 'successful update'
+        end
+
+        context "and is 'false'" do
+          let(:enabled) { "false" }
+          let(:expected_enabled) { false }
+
+          it_behaves_like 'successful update'
+        end
+      end
+
+      context "when enabled is false" do
+        let(:enabled) { false }
+        let(:expected_enabled) { false }
+
+        it_behaves_like 'successful update'
+      end
+
+      context "when enabled is not present" do
+        let(:enabled_present) { false }
+        let(:expected_enabled) { false }
+
+        it_behaves_like 'successful update'
+      end
     end
 
     context 'when config file is invalid' do
diff --git a/ee/spec/lib/remote_development/settings/settings_initializer_spec.rb b/ee/spec/lib/remote_development/settings/settings_initializer_spec.rb
index bfde5b84baf78a..056c1a99afb69e 100644
--- a/ee/spec/lib/remote_development/settings/settings_initializer_spec.rb
+++ b/ee/spec/lib/remote_development/settings/settings_initializer_spec.rb
@@ -17,74 +17,83 @@
   it "invokes DefaultSettingsParser and sets up necessary values in context for subsequent steps" do
     expect(returned_value).to match(
       {
-        requested_setting_names: [
-          :default_branch_name,
-          :default_max_hours_before_termination,
-          :max_hours_before_termination_limit,
-          :project_cloner_image,
-          :tools_injector_image,
-          :full_reconciliation_interval_seconds,
-          :partial_reconciliation_interval_seconds,
-          :workspaces_quota,
-          :workspaces_per_user_quota,
-          :network_policy_egress,
-          :default_resources_per_workspace_container,
-          :max_resources_per_workspace,
-          :gitlab_workspaces_proxy_namespace,
-          :network_policy_enabled,
-          :allow_privilege_escalation,
-          :use_kubernetes_user_namespaces,
-          :default_runtime_class,
-          :annotations,
-          :labels,
-          :image_pull_secrets
-        ],
+        requested_setting_names:
+          # NOTE: This fixture array is sorted to enforce that the actual order of the keys
+          #       in default_settings is kept in alphabetical order.
+          [
+            :allow_privilege_escalation,
+            :annotations,
+            :default_branch_name,
+            :default_max_hours_before_termination,
+            :default_resources_per_workspace_container,
+            :default_runtime_class,
+            :full_reconciliation_interval_seconds,
+            :gitlab_workspaces_proxy_namespace,
+            :image_pull_secrets,
+            :labels,
+            :max_active_hours_before_stop,
+            :max_hours_before_termination_limit,
+            :max_resources_per_workspace,
+            :max_stopped_hours_before_termination,
+            :network_policy_egress,
+            :network_policy_enabled,
+            :partial_reconciliation_interval_seconds,
+            :project_cloner_image,
+            :tools_injector_image,
+            :use_kubernetes_user_namespaces,
+            :workspaces_per_user_quota,
+            :workspaces_quota
+          ].sort,
         settings: {
+          allow_privilege_escalation: false,
+          annotations: {},
           default_branch_name: nil,
           default_max_hours_before_termination: 24,
-          max_hours_before_termination_limit: 120,
-          project_cloner_image: "alpine/git:2.45.2",
-          tools_injector_image: "registry.gitlab.com/gitlab-org/remote-development/gitlab-workspaces-tools:2.0.0",
+          default_resources_per_workspace_container: {},
+          default_runtime_class: "",
           full_reconciliation_interval_seconds: 3600,
-          partial_reconciliation_interval_seconds: 10,
-          workspaces_quota: -1,
-          workspaces_per_user_quota: -1,
+          gitlab_workspaces_proxy_namespace: "gitlab-workspaces",
+          image_pull_secrets: [],
+          labels: {},
+          max_active_hours_before_stop: 36,
+          max_hours_before_termination_limit: 120,
+          max_resources_per_workspace: {},
+          max_stopped_hours_before_termination: 744,
           network_policy_egress: [{
             allow: "0.0.0.0/0",
             except: %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
           }],
-          default_resources_per_workspace_container: {},
-          max_resources_per_workspace: {},
-          gitlab_workspaces_proxy_namespace: {},
           network_policy_enabled: true,
-          allow_privilege_escalation: false,
+          partial_reconciliation_interval_seconds: 10,
+          project_cloner_image: "alpine/git:2.45.2",
+          tools_injector_image: "registry.gitlab.com/gitlab-org/remote-development/gitlab-workspaces-tools:2.0.0",
           use_kubernetes_user_namespaces: false,
-          default_runtime_class: "",
-          annotations: {},
-          labels: {},
-          image_pull_secrets: []
+          workspaces_per_user_quota: -1,
+          workspaces_quota: -1
         },
         setting_types: {
+          allow_privilege_escalation: :Boolean,
+          annotations: Hash,
           default_branch_name: String,
           default_max_hours_before_termination: Integer,
+          default_resources_per_workspace_container: Hash,
+          default_runtime_class: String,
           full_reconciliation_interval_seconds: Integer,
+          gitlab_workspaces_proxy_namespace: String,
+          image_pull_secrets: Array,
+          labels: Hash,
+          max_active_hours_before_stop: Integer,
           max_hours_before_termination_limit: Integer,
+          max_resources_per_workspace: Hash,
+          max_stopped_hours_before_termination: Integer,
+          network_policy_egress: Array,
+          network_policy_enabled: Object,
           partial_reconciliation_interval_seconds: Integer,
           project_cloner_image: String,
           tools_injector_image: String,
-          workspaces_quota: Integer,
-          workspaces_per_user_quota: Integer,
-          network_policy_egress: Array,
-          default_resources_per_workspace_container: Hash,
-          max_resources_per_workspace: Hash,
-          gitlab_workspaces_proxy_namespace: Hash,
-          network_policy_enabled: Object,
-          allow_privilege_escalation: :Boolean,
           use_kubernetes_user_namespaces: :Boolean,
-          default_runtime_class: String,
-          annotations: Hash,
-          labels: Hash,
-          image_pull_secrets: Array
+          workspaces_per_user_quota: Integer,
+          workspaces_quota: Integer
         },
         env_var_prefix: "GITLAB_REMOTE_DEVELOPMENT",
         env_var_failed_message_class: RemoteDevelopment::Settings::Messages::SettingsEnvironmentVariableOverrideFailed
diff --git a/ee/spec/lib/remote_development/workspace_operations/create/personal_access_token_creator_spec.rb b/ee/spec/lib/remote_development/workspace_operations/create/personal_access_token_creator_spec.rb
index 03ca27e0aadf7e..07107f3c30ed3e 100644
--- a/ee/spec/lib/remote_development/workspace_operations/create/personal_access_token_creator_spec.rb
+++ b/ee/spec/lib/remote_development/workspace_operations/create/personal_access_token_creator_spec.rb
@@ -10,10 +10,8 @@
   let_it_be(:user) { create(:user) }
   let_it_be(:project) { create(:project, :in_group, :repository) }
   let(:workspace_name) { "workspace-example_agent_id-example_user_id-example_random_string" }
-  let(:max_hours_before_termination) { 24 }
   let(:params) do
     {
-      max_hours_before_termination: max_hours_before_termination,
       project: project
     }
   end
@@ -42,7 +40,13 @@
   end
 
   context 'when personal access token creation fails' do
-    let(:max_hours_before_termination) { 999999999999 }
+    before do
+      invalid_token_expiration_lifetime_in_hours =
+        ((PersonalAccessToken.new.send(:max_expiration_lifetime_in_days) + 1) * 24).hours
+      allow(described_class)
+        .to receive(:max_allowed_personal_access_token_expires_at)
+              .and_return(invalid_token_expiration_lifetime_in_hours.from_now.to_date)
+    end
 
     it 'returns an error result containing a failed message with model errors' do
       expect { result }.not_to change { user.personal_access_tokens.count }
diff --git a/ee/spec/lib/remote_development/workspace_operations/reconcile/main_integration_spec.rb b/ee/spec/lib/remote_development/workspace_operations/reconcile/main_integration_spec.rb
index ddd0ad6f026854..b6dac6677909ef 100644
--- a/ee/spec/lib/remote_development/workspace_operations/reconcile/main_integration_spec.rb
+++ b/ee/spec/lib/remote_development/workspace_operations/reconcile/main_integration_spec.rb
@@ -6,13 +6,13 @@
 RSpec.describe RemoteDevelopment::WorkspaceOperations::Reconcile::Main, "Integration", :freeze_time, feature_category: :workspaces do
   include_context 'with remote development shared fixtures'
 
-  shared_examples 'max_hours_before_termination handling' do
-    it 'sets desired_state to Terminated' do
+  shared_examples 'workspace lifecycle management expectations' do |expected_desired_state:|
+    it "sets desired_state to #{expected_desired_state}" do
       response = subject
       expect(response[:message]).to be_nil
       expect(response.dig(:payload, :workspace_rails_infos)).not_to be_nil
 
-      expect(workspace.reload.desired_state).to eq(RemoteDevelopment::WorkspaceOperations::States::TERMINATED)
+      expect(workspace.reload.desired_state).to eq(expected_desired_state)
     end
   end
 
@@ -45,7 +45,7 @@
     end
   end
 
-  let_it_be(:image_pull_secrets) { [{ "name" => "secret-name", "namespace" => "secret-namespace" }] }
+  let_it_be(:image_pull_secrets) { [{ name: "secret-name", namespace: "secret-namespace" }] }
   let_it_be(:dns_zone) { 'workspaces.localdev.me' }
   let_it_be(:user) { create(:user) }
   let_it_be(:agent, refind: true) { create(:cluster_agent) }
@@ -53,10 +53,11 @@
     create(:workspaces_agent_config, dns_zone: dns_zone, agent: agent, image_pull_secrets: image_pull_secrets)
   end
 
-  let(:egress_ip_rules) { agent.unversioned_latest_workspaces_agent_config.network_policy_egress }
-  let(:max_resources_per_workspace) { agent.unversioned_latest_workspaces_agent_config.max_resources_per_workspace }
+  let(:unversioned_latest_workspaces_agent_config) { agent.unversioned_latest_workspaces_agent_config }
+  let(:egress_ip_rules) { unversioned_latest_workspaces_agent_config.network_policy_egress }
+  let(:max_resources_per_workspace) { unversioned_latest_workspaces_agent_config.max_resources_per_workspace }
   let(:default_resources_per_workspace_container) do
-    agent.unversioned_latest_workspaces_agent_config.default_resources_per_workspace_container
+    unversioned_latest_workspaces_agent_config.default_resources_per_workspace_container
   end
 
   let(:full_reconciliation_interval_seconds) { 3600 }
@@ -68,7 +69,7 @@
 
   subject(:response) do
     described_class.main(
-      agent: agent,
+      agent: agent.reload,
       logger: logger,
       original_params: {
         workspace_agent_infos: workspace_agent_infos,
@@ -135,7 +136,7 @@
 
       let(:workspace_agent_info) do
         create_workspace_agent_info_hash(
-          workspace: workspace,
+          workspace: workspace.reload,
           previous_actual_state: previous_actual_state,
           current_actual_state: current_actual_state,
           workspace_exists: workspace_exists,
@@ -171,33 +172,46 @@
         )
       end
 
-      context 'with max_hours_before_termination expired' do
+      describe 'workspace lifecycle management' do
+        let(:max_hours_before_termination) do
+          RemoteDevelopment::WorkspaceOperations::MaxHoursBeforeTermination::MAX_HOURS_BEFORE_TERMINATION
+        end
+
         let(:workspace) do
-          create(
+          workspace = create(
             :workspace,
             :without_realistic_after_create_timestamp_updates,
-            agent: agent,
+            agent: agent.reload,
             user: user,
             desired_state: desired_state,
             actual_state: actual_state,
-            max_hours_before_termination: 24,
-            created_at: 25.hours.ago,
+            created_at: created_at,
             force_include_all_resources: false
           )
+          workspace.update!(desired_state_updated_at: desired_state_updated_at)
+          workspace
         end
 
-        context 'when state would otherwise be sent' do
-          let(:desired_state) { RemoteDevelopment::WorkspaceOperations::States::STOPPED }
+        context 'when max_active_hours_before_stop has passed' do
+          let(:desired_state) { RemoteDevelopment::WorkspaceOperations::States::RUNNING }
           let(:actual_state) { RemoteDevelopment::WorkspaceOperations::States::RUNNING }
+          let(:created_at) { max_hours_before_termination.hours.ago + 1.minute }
+          let(:desired_state_updated_at) { workspaces_agent_config.max_active_hours_before_stop.hours.ago - 1.minute }
 
-          it_behaves_like 'max_hours_before_termination handling'
+          it_behaves_like 'workspace lifecycle management expectations',
+            expected_desired_state: RemoteDevelopment::WorkspaceOperations::States::STOPPED
         end
 
-        context 'when desired_state is RestartRequested and actual_state is Stopped' do
-          let(:desired_state) { RemoteDevelopment::WorkspaceOperations::States::RESTART_REQUESTED }
+        context 'when max_stopped_hours_before_termination has passed' do
+          let(:desired_state) { RemoteDevelopment::WorkspaceOperations::States::STOPPED }
           let(:actual_state) { RemoteDevelopment::WorkspaceOperations::States::STOPPED }
+          let(:created_at) { max_hours_before_termination.hours.ago + 1.minute }
+          let(:desired_state_updated_at) do
+            workspaces_agent_config.max_stopped_hours_before_termination.hours.ago - 1.minute
+          end
 
-          it_behaves_like 'max_hours_before_termination handling'
+          it_behaves_like 'workspace lifecycle management expectations',
+            expected_desired_state: RemoteDevelopment::WorkspaceOperations::States::TERMINATED
         end
       end
 
@@ -403,7 +417,7 @@
               egress_ip_rules: egress_ip_rules,
               max_resources_per_workspace: max_resources_per_workspace,
               default_resources_per_workspace_container: default_resources_per_workspace_container,
-              workspace_image_pull_secrets: workspace.workspaces_agent_config.image_pull_secrets
+              image_pull_secrets: image_pull_secrets
             )
           end
 
@@ -513,7 +527,7 @@
                 egress_ip_rules: egress_ip_rules,
                 max_resources_per_workspace: max_resources_per_workspace,
                 default_resources_per_workspace_container: default_resources_per_workspace_container,
-                workspace_image_pull_secrets: workspace.workspaces_agent_config.image_pull_secrets
+                image_pull_secrets: image_pull_secrets
               )
             end
 
@@ -594,7 +608,7 @@
           egress_ip_rules: egress_ip_rules,
           max_resources_per_workspace: max_resources_per_workspace,
           default_resources_per_workspace_container: default_resources_per_workspace_container,
-          workspace_image_pull_secrets: unprovisioned_workspace.workspaces_agent_config.image_pull_secrets
+          image_pull_secrets: unprovisioned_workspace.workspaces_agent_config.image_pull_secrets
         )
       end
 
diff --git a/ee/spec/lib/remote_development/workspace_operations/reconcile/main_spec.rb b/ee/spec/lib/remote_development/workspace_operations/reconcile/main_spec.rb
index e805807ec7f309..0464b71f2019ee 100644
--- a/ee/spec/lib/remote_development/workspace_operations/reconcile/main_spec.rb
+++ b/ee/spec/lib/remote_development/workspace_operations/reconcile/main_spec.rb
@@ -19,6 +19,7 @@
       [RemoteDevelopment::WorkspaceOperations::Reconcile::Input::AgentInfosObserver, :map],
       [RemoteDevelopment::WorkspaceOperations::Reconcile::Persistence::WorkspacesFromAgentInfosUpdater, :map],
       [RemoteDevelopment::WorkspaceOperations::Reconcile::Persistence::OrphanedWorkspacesObserver, :map],
+      [RemoteDevelopment::WorkspaceOperations::Reconcile::Persistence::WorkspacesLifecycleManager, :map],
       [RemoteDevelopment::WorkspaceOperations::Reconcile::Persistence::WorkspacesToBeReturnedFinder, :map],
       [RemoteDevelopment::WorkspaceOperations::Reconcile::Output::ResponsePayloadBuilder, :map],
       [RemoteDevelopment::WorkspaceOperations::Reconcile::Persistence::WorkspacesToBeReturnedUpdater, :map],
diff --git a/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_spec.rb b/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_spec.rb
index 5e1e3114fb14a2..f20f94b6589c83 100644
--- a/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_spec.rb
+++ b/ee/spec/lib/remote_development/workspace_operations/reconcile/output/desired_config_generator_spec.rb
@@ -58,7 +58,7 @@
           default_runtime_class: workspace.workspaces_agent_config.default_runtime_class,
           agent_labels: workspace.workspaces_agent_config.labels,
           agent_annotations: workspace.workspaces_agent_config.annotations,
-          workspace_image_pull_secrets: workspace.workspaces_agent_config.image_pull_secrets
+          image_pull_secrets: image_pull_secrets
         )
       )
     end
@@ -118,15 +118,13 @@
     end
 
     context 'when there are image-pull-secrets' do
-      let(:image_pull_secrets) { [{ 'name' => 'secret-name', 'namespace' => 'secret-namespace' }] }
-      let(:image_pull_secrets_names) do
-        image_pull_secrets.map { |secret| { 'name' => secret.fetch('name') } }
-      end
+      let(:image_pull_secrets) { [{ name: 'secret-name', namespace: 'secret-namespace' }] }
+      let(:expected_image_pull_secrets_names) { [{ 'name' => 'secret-name' }] }
 
       it 'returns expected config with a service account resource configured' do
         expect(workspace_resources).to eq(expected_config)
         service_account_resource = workspace_resources.find { |resource| resource.fetch('kind') == 'ServiceAccount' }
-        expect(service_account_resource.fetch('imagePullSecrets')).to eq(image_pull_secrets_names)
+        expect(service_account_resource.fetch('imagePullSecrets')).to eq(expected_image_pull_secrets_names)
       end
     end
 
diff --git a/ee/spec/lib/remote_development/workspace_operations/reconcile/output/devfile_parser_spec.rb b/ee/spec/lib/remote_development/workspace_operations/reconcile/output/devfile_parser_spec.rb
index 933205a16ad08c..034342a9771419 100644
--- a/ee/spec/lib/remote_development/workspace_operations/reconcile/output/devfile_parser_spec.rb
+++ b/ee/spec/lib/remote_development/workspace_operations/reconcile/output/devfile_parser_spec.rb
@@ -10,8 +10,9 @@
   # rubocop:disable RSpec/VerifiedDoubleReference -- We're using the quoted version of these models, so we can use fast_spec_helper.
   let(:user) { instance_double("User", name: "name", email: "name@example.com") }
   let(:agent) { instance_double("Clusters::Agent", id: 1) }
+  let(:image_pull_secrets) { [{ name: 'secret-name', namespace: 'secret-namespace' }] }
   let(:workspaces_agent_config) do
-    instance_double("RemoteDevelopment::WorkspacesAgentConfig", image_pull_secrets: [])
+    instance_double("RemoteDevelopment::WorkspacesAgentConfig", image_pull_secrets: image_pull_secrets)
   end
 
   let(:workspace) do
@@ -89,7 +90,7 @@
         default_runtime_class: default_runtime_class,
         agent_labels: agent_labels,
         agent_annotations: agent_annotations,
-        workspace_image_pull_secrets: workspace.workspaces_agent_config.image_pull_secrets,
+        image_pull_secrets: image_pull_secrets,
         core_resources_only: true
       )
     )
diff --git a/ee/spec/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_from_agent_infos_updater_spec.rb b/ee/spec/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_from_agent_infos_updater_spec.rb
index 33d88e7df861f4..9266eb39bde8d7 100644
--- a/ee/spec/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_from_agent_infos_updater_spec.rb
+++ b/ee/spec/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_from_agent_infos_updater_spec.rb
@@ -60,15 +60,4 @@
       expect(workspace.reload.desired_state).to eq(RemoteDevelopment::WorkspaceOperations::States::RUNNING)
     end
   end
-
-  context "when persisted workspace created_at + max_hours_before_termination.hours is in the past" do
-    before do
-      workspace.update!(created_at: 2.days.ago, max_hours_before_termination: 1)
-    end
-
-    it "sets persisted workspace desired state to TERMINATED" do
-      expect(returned_value).to eq(context.merge(workspaces_from_agent_infos: [workspace]))
-      expect(workspace.reload.desired_state).to eq(RemoteDevelopment::WorkspaceOperations::States::TERMINATED)
-    end
-  end
 end
diff --git a/ee/spec/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_lifecycle_manager_spec.rb b/ee/spec/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_lifecycle_manager_spec.rb
new file mode 100644
index 00000000000000..0a72041a4a8fcf
--- /dev/null
+++ b/ee/spec/lib/remote_development/workspace_operations/reconcile/persistence/workspaces_lifecycle_manager_spec.rb
@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+require "fast_spec_helper"
+
+RSpec.describe RemoteDevelopment::WorkspaceOperations::Reconcile::Persistence::WorkspacesLifecycleManager, feature_category: :workspaces do
+  let!(:now) do
+    # NOTE: There's a few necessary things going on here in this `let!(:now) declaration:
+    #       1. We can't use :freeze_time RSpec annotation, because that happens in an "around" block
+    #          after the `let` block for `now` is evaluated
+    #       2. Furthermore, we can't freeze time in ANY before/after/around block, because these all happen
+    #          after the various `let` blocks have already been evaluted. This is because many of the
+    #          `let` blocks, including this one for `now`, are triggered by the processing of the
+    #          `where` block scenario declarations for RSpec::Parameterized
+    #       3. Thus, to ensure that `now` is frozen early enough - before ANY other references to it
+    #          or Time.zone.now, we we need to freeze time _WITHIN_ this `let!` block, then manually
+    #          travel back to the original time in an `after` block.
+    #       4. This has to be a `let!` block, not a `let` block, because we need to ensure that
+    #          it is eagerly evaluated, not lazily when it is first referenced.
+    #       5. We also use a hardcoded time to freeze to, instead of Time.zone.now, so that we can
+    #          do a fixture sanity check inside the actual test block context, to ensure that
+    #          `now` has been properly frozen.
+    #       6. Finally, note this will _NOT_ always cause problems when used via `fast_spec_helper`,
+    #          it will only cause problems if this spec file happens to be run in when
+    #          the regular `spec_helper` has already been initialized and is in effect.
+    time = Time.utc(2021, 1, 1)
+    travel_to(time)
+    time
+  end
+
+  let(:max_hours_before_termination) do
+    RemoteDevelopment::WorkspaceOperations::MaxHoursBeforeTermination::MAX_HOURS_BEFORE_TERMINATION
+  end
+
+  let(:max_active_hours_before_stop) { RemoteDevelopment::Settings.get_single_setting(:max_active_hours_before_stop) }
+  let(:max_stopped_hours_before_termination) do
+    RemoteDevelopment::Settings.get_single_setting(:max_stopped_hours_before_termination)
+  end
+
+  let(:max_allowable_workspace_age) { now - max_hours_before_termination.hours }
+
+  let(:running) { RemoteDevelopment::WorkspaceOperations::States::RUNNING }
+  let(:stopped) { RemoteDevelopment::WorkspaceOperations::States::STOPPED }
+  let(:terminated) { RemoteDevelopment::WorkspaceOperations::States::TERMINATED }
+
+  let(:workspaces_from_agent_infos) { [workspace] }
+
+  let(:context) do
+    {
+      workspaces_from_agent_infos: workspaces_from_agent_infos
+    }
+  end
+
+  subject(:returned_value) do
+    described_class.manage(context)
+  end
+
+  after do
+    travel_back
+  end
+
+  context 'with various workspace states and conditions' do
+    using RSpec::Parameterized::TableSyntax
+
+    # rubocop:disable Layout/LineLength -- We don't want to wrap RSpec::Parameterized::TableSyntax, it hurts readability
+    where(:scenario, :created_at, :desired_state_updated_at, :initial_desired_state, :expected_desired_state) do
+      "No limits exceeded, workspace just created, expect no state change" | now | now | running | running
+      "No limits exceeded, workspace is at max allowable active hours, no state change" | (now - max_active_hours_before_stop.hours + 1) | (now - max_active_hours_before_stop.hours + 1) | running | running
+      "No limits exceeded, workspace is at max allowable age, desired_state just updated, expect no state change" | max_allowable_workspace_age | now | running | running
+      "max_hours_before_termination limit exceeded, not already terminated, expect state to change to terminated" | (max_allowable_workspace_age - 1) | now | running | terminated
+      "max_hours_before_termination limit exceeded, already terminated, expect no state change" | (max_allowable_workspace_age - 1) | now | terminated | terminated
+      "max_active_hours_before_stop limit exceeded, not already stopped, expect state to change to stopped" | max_allowable_workspace_age | (now - max_active_hours_before_stop.hours - 1) | running | stopped
+      "max_active_hours_before_stop limit exceeded, already stopped, expect no state change" | max_allowable_workspace_age | (now - max_active_hours_before_stop.hours - 1) | stopped | stopped
+      "max_active_hours_before_stop limit exceeded, already terminated, expect no state change" | max_allowable_workspace_age | (now - max_active_hours_before_stop.hours - 1) | terminated | terminated
+      "max_stopped_hours_before_termination limit exceeded, not already terminated, expect state to change to terminated" | max_allowable_workspace_age | (now - max_stopped_hours_before_termination.hours - 1) | stopped | terminated
+      "max_stopped_hours_before_termination limit exceeded, already terminated, expect no state change" | max_allowable_workspace_age | (now - max_stopped_hours_before_termination.hours - 1) | terminated | terminated
+    end
+    # rubocop:enable Layout/LineLength -- We don't want to wrap RSpec::Parameterized::TableSyntax, it hurts readability
+
+    with_them do
+      let(:workspaces_agent_config) do
+        instance_double(
+          "RemoteDevelopment::WorkspacesAgentConfig", # rubocop:disable RSpec/VerifiedDoubleReference -- We're using the quoted version so we can use fast_spec_helper
+          max_active_hours_before_stop: max_active_hours_before_stop,
+          max_stopped_hours_before_termination: max_stopped_hours_before_termination
+        )
+      end
+
+      let(:workspace) do
+        instance_double(
+          "RemoteDevelopment::Workspace", # rubocop:disable RSpec/VerifiedDoubleReference -- We're using the quoted version so we can use fast_spec_helper
+          created_at: created_at,
+          desired_state_updated_at: desired_state_updated_at,
+          desired_state: initial_desired_state,
+          workspaces_agent_config: workspaces_agent_config
+        )
+      end
+
+      it "correctly updates (or not) desired_state" do
+        # "now" time fixture sanity check - ensure that time is properly frozen
+        expect(Time.zone.now.to_i).to eq(Time.utc(2021, 1, 1).to_i)
+
+        if expected_desired_state == initial_desired_state
+          expect(workspace).not_to receive(:update!)
+        else
+          expect(workspace).to receive(:update!).with(desired_state: expected_desired_state).once
+        end
+
+        expect(returned_value).to eq(context)
+      end
+    end
+  end
+end
diff --git a/ee/spec/models/remote_development/workspaces_agent_config_spec.rb b/ee/spec/models/remote_development/workspaces_agent_config_spec.rb
index c04bdeb5017270..21b2eb8bcd57cb 100644
--- a/ee/spec/models/remote_development/workspaces_agent_config_spec.rb
+++ b/ee/spec/models/remote_development/workspaces_agent_config_spec.rb
@@ -11,9 +11,9 @@
       {
         allow: "0.0.0.0/0",
         except: [
-          - "10.0.0.0/8",
-          - "172.16.0.0/12",
-          - "192.168.0.0/16"
+          -"10.0.0.0/8",
+          -"172.16.0.0/12",
+          -"192.168.0.0/16"
         ]
       }.deep_stringify_keys
     ]
@@ -27,6 +27,37 @@
 
   subject(:config) { agent.unversioned_latest_workspaces_agent_config }
 
+  describe "database defaults" do
+    let_it_be(:agent_config_with_defaults) { described_class.new }
+
+    where(:field) do
+      %i[
+        allow_privilege_escalation
+        annotations
+        default_resources_per_workspace_container
+        default_runtime_class
+        gitlab_workspaces_proxy_namespace
+        labels
+        max_active_hours_before_stop
+        max_resources_per_workspace
+        max_stopped_hours_before_termination
+        network_policy_egress
+        network_policy_enabled
+        use_kubernetes_user_namespaces
+        workspaces_per_user_quota
+        workspaces_quota
+      ].map { |field| [field] }
+    end
+
+    with_them do
+      it "have same defaults as the Settings defaults" do
+        default_value_from_db = agent_config_with_defaults.send(field)
+        default_value_from_db.each(&:deep_symbolize_keys!) if [:network_policy_egress].include?(field)
+        expect(default_value_from_db).to eq(RemoteDevelopment::Settings.get_single_setting(field))
+      end
+    end
+  end
+
   describe 'associations' do
     it { is_expected.to belong_to(:agent) }
     it { is_expected.to have_many(:workspaces) }
@@ -198,16 +229,37 @@
     it 'allows numerical values for max_hours_before_termination_limit greater or equal to' \
       'default_max_hours_before_termination and less than or equal to 8760' do
       is_expected.to validate_numericality_of(:max_hours_before_termination_limit)
-        .only_integer
-        .is_less_than_or_equal_to(8760)
-        .is_greater_than_or_equal_to(default_max_hours_before_termination_default_value)
+                       .only_integer
+                       .is_less_than_or_equal_to(8760)
+                       .is_greater_than_or_equal_to(default_max_hours_before_termination_default_value)
     end
 
     it 'allows numerical values for default_max_hours_before_termination greater or equal to 1' \
       'and less than or equal to max_hours_before_termination_limit' do
       is_expected.to validate_numericality_of(:default_max_hours_before_termination)
-        .only_integer.is_less_than_or_equal_to(max_hours_before_termination_limit_default_value)
-        .is_greater_than_or_equal_to(1)
+                       .only_integer.is_less_than_or_equal_to(max_hours_before_termination_limit_default_value)
+                       .is_greater_than_or_equal_to(1)
+    end
+
+    it 'allows numerical values for max_active_hours_before_stop greater or equal to 1' do
+      is_expected.to validate_numericality_of(:max_active_hours_before_stop)
+                       .only_integer.is_greater_than_or_equal_to(1)
+    end
+
+    it 'allows numerical values for max_stopped_hours_before_termination greater or equal to 1' do
+      is_expected.to validate_numericality_of(:max_stopped_hours_before_termination)
+                       .only_integer.is_greater_than_or_equal_to(1)
+    end
+
+    it 'prevents max_active_hours_before_stop + max_stopped_hours_before_termination > 1 year' do
+      # noinspection RubyResolve - https://handbook.gitlab.com/handbook/tools-and-tips/editors-and-ides/jetbrains-ides/tracked-jetbrains-issues/#ruby-31542
+      config.max_active_hours_before_stop = 8760
+      # noinspection RubyResolve - https://handbook.gitlab.com/handbook/tools-and-tips/editors-and-ides/jetbrains-ides/tracked-jetbrains-issues/#ruby-31542
+      config.max_stopped_hours_before_termination = 1
+      expect(config).not_to be_valid
+      expect(config.errors[:base]).to include(
+        "Sum of max_active_hours_before_stop and max_stopped_hours_before_termination must not exceed 8760 hours"
+      )
     end
   end
 
diff --git a/ee/spec/requests/remote_development/integration_spec.rb b/ee/spec/requests/remote_development/integration_spec.rb
index 7df93643a22d64..d86a50c7300847 100644
--- a/ee/spec/requests/remote_development/integration_spec.rb
+++ b/ee/spec/requests/remote_development/integration_spec.rb
@@ -9,11 +9,12 @@
   include RemoteDevelopment::IntegrationSpecHelpers
   include_context "with remote development shared fixtures"
 
+  let(:states) { ::RemoteDevelopment::WorkspaceOperations::States }
   let(:agent_admin_user) { create(:user, name: "Agent Admin User") }
   # Agent setup
   let(:jwt_secret) { SecureRandom.random_bytes(Gitlab::Kas::SECRET_LENGTH) }
   let(:agent_token) { create(:cluster_agent_token, agent: agent) }
-  let(:cluster_agents_query) do
+  let(:workspaces_agents_config_query) do
     <<~GRAPHQL
       query {
           namespace(fullPath: "#{common_parent_namespace.full_path}") {
@@ -41,27 +42,8 @@
 
   let(:gitlab_workspaces_proxy_namespace) { "gitlab-workspaces" }
   let(:dns_zone) { "integration-spec-workspaces.localdev.me" }
-  let(:network_policy_enabled) { true }
   let(:workspaces_per_user_quota) { 20 }
   let(:workspaces_quota) { 100 }
-  let(:default_max_hours_before_termination) { 48 }
-  let(:max_hours_before_termination_limit) { 240 }
-
-  let(:expected_agent_config) do
-    {
-      "id" => "gid://gitlab/RemoteDevelopment::WorkspacesAgentConfig/#{workspaces_agent_config.id}",
-      "projectId" => agent_project.id.to_s,
-      "enabled" => true,
-      "gitlabWorkspacesProxyNamespace" => "gitlab-workspaces",
-      "networkPolicyEnabled" => network_policy_enabled,
-      "dnsZone" => dns_zone,
-      "workspacesPerUserQuota" => workspaces_per_user_quota,
-      "workspacesQuota" => workspaces_quota,
-      "defaultMaxHoursBeforeTermination" => default_max_hours_before_termination,
-      "maxHoursBeforeTerminationLimit" => max_hours_before_termination_limit
-    }
-  end
-
   let(:user) { create(:user, name: "Workspaces User", email: "workspaces-user@example.org") }
   let(:current_user) { user }
   let(:common_parent_namespace_name) { "common-parent-group" }
@@ -135,52 +117,82 @@
       namespace: workspace_project_namespace, developers: user)
   end
 
+  let(:image_pull_secrets) { [{ name: 'secret-name', namespace: 'secret-namespace' }] }
+
+  let(:agent_config_file_hash) do
+    {
+      remote_development: {
+        enabled: true,
+        dns_zone: dns_zone,
+        workspaces_per_user_quota: workspaces_per_user_quota,
+        workspaces_quota: workspaces_quota,
+        image_pull_secrets: image_pull_secrets
+      }
+    }
+  end
+
   let(:agent_project) do
-    create(:project, path: "agent-project", developers: user, namespace: agent_project_namespace)
+    create(:project, :in_group, path: "agent-project", namespace: agent_project_namespace, developers: user)
   end
 
   let(:agent) do
     create(:ee_cluster_agent, project: agent_project, created_by_user: agent_admin_user, project_id: agent_project.id)
   end
 
-  let(:image_pull_secrets) { [{ name: 'secret-name', namespace: 'secret-namespace' }] }
-
-  # TODO: We should create the workspaces_agent_config via an API call to update the agent config
-  #       with the relevant fixture values in its config file to represent a remote_development enabled agent.
-  #       And, as we migrate the settings from the agent config file to the settings UI, we should add
-  #       simulated API calls for setting the values that way too.
-  let!(:workspaces_agent_config) do
-    create(
-      :workspaces_agent_config,
-      agent: agent,
-      gitlab_workspaces_proxy_namespace: gitlab_workspaces_proxy_namespace,
-      dns_zone: dns_zone,
-      network_policy_enabled: network_policy_enabled,
-      workspaces_per_user_quota: workspaces_per_user_quota,
-      workspaces_quota: workspaces_quota,
-      default_max_hours_before_termination: default_max_hours_before_termination,
-      max_hours_before_termination_limit: max_hours_before_termination_limit,
-      image_pull_secrets: image_pull_secrets
-    )
-  end
+  def do_create_workspaces_agent_config
+    # Perform an agent update post which will cause a workspaces_agent_config record to be created
+    # based on the cluster agent's config file.
 
-  let(:namespace_create_remote_development_cluster_agent_mapping_create_mutation_args) do
-    {
-      namespace_id: common_parent_namespace.to_global_id.to_s,
-      cluster_agent_id: agent.to_global_id.to_s
+    params = {
+      agent_id: agent.id,
+      agent_config: agent_config_file_hash
     }
-  end
-
-  before do
-    stub_licensed_features(remote_development: true)
-    allow(SecureRandom).to receive(:alphanumeric) { random_string }
-
-    allow(Gitlab::Kas).to receive(:secret).and_return(jwt_secret)
 
-    allow(workspace_project.repository).to receive_message_chain(:blob_at_branch, :data) { devfile_yaml }
+    jwt_token = JWT.encode(
+      { "iss" => Gitlab::Kas::JWT_ISSUER, 'aud' => Gitlab::Kas::JWT_AUDIENCE },
+      Gitlab::Kas.secret,
+      "HS256"
+    )
+    agent_token_headers = {
+      "Authorization" => "Bearer #{agent_token.token}",
+      Gitlab::Kas::INTERNAL_API_KAS_REQUEST_HEADER => jwt_token
+    }
+    agent_configuration_url = api("/internal/kubernetes/agent_configuration", personal_access_token: agent_token)
+
+    post agent_configuration_url, params: params, headers: agent_token_headers, as: :json
+
+    # The internal kubernetes agent_configuration API endpoint does not return any response,
+    # it only returns 204 No Content.
+    expect(response).to have_gitlab_http_status(:no_content)
+
+    workspaces_agent_config = RemoteDevelopment::WorkspacesAgentConfig.find_by_cluster_agent_id(agent.id)
+
+    # Get the agent config via the GraphQL API to verify it was created correctly
+    get_graphql(workspaces_agents_config_query, current_user: agent_admin_user)
+    expected_agent_config =
+      {
+        "id" => "gid://gitlab/RemoteDevelopment::WorkspacesAgentConfig/#{workspaces_agent_config.id}",
+        "projectId" => agent_project.id.to_s,
+        "enabled" => true,
+        "gitlabWorkspacesProxyNamespace" => "gitlab-workspaces",
+        "networkPolicyEnabled" => true,
+        "dnsZone" => dns_zone,
+        "workspacesPerUserQuota" => workspaces_per_user_quota,
+        "workspacesQuota" => workspaces_quota,
+        "defaultMaxHoursBeforeTermination" => 24,
+        "maxHoursBeforeTerminationLimit" => 120
+      }
+    expect(
+      graphql_data_at(:namespace, :remoteDevelopmentClusterAgents, :nodes, 0, :workspacesAgentConfig)
+    ).to eq(expected_agent_config)
   end
 
   def do_create_mapping
+    namespace_create_remote_development_cluster_agent_mapping_create_mutation_args =
+      {
+        namespace_id: common_parent_namespace.to_global_id.to_s,
+        cluster_agent_id: agent.to_global_id.to_s
+      }
     do_graphql_mutation_post(
       name: :namespace_create_remote_development_cluster_agent_mapping,
       input: namespace_create_remote_development_cluster_agent_mapping_create_mutation_args,
@@ -188,21 +200,14 @@ def do_create_mapping
     )
   end
 
-  def fetch_agent_config
-    get_graphql(cluster_agents_query, current_user: agent_admin_user)
-
-    expect(
-      graphql_data_at(:namespace, :remoteDevelopmentClusterAgents, :nodes, 0, :workspacesAgentConfig)
-    ).to eq(expected_agent_config)
-
-    graphql_data_at(:namespace, :remoteDevelopmentClusterAgents, :nodes, 0, :id)
-  end
-
   # rubocop:disable Metrics/AbcSize -- We want this to stay a single method
-  def do_create_workspace(cluster_agent_id)
+  def do_create_workspace
+    # FETCH THE AGENT CONFIG VIA THE GRAPHQL API, SO WE CAN USE ITS VALUES WHEN CREATING WORKSPACE
+    cluster_agent_gid = "gid://gitlab/Clusters::Agent/#{agent.id}"
+
     create_mutation_response = do_graphql_mutation_post(
       name: :workspace_create,
-      input: workspace_create_mutation_args(cluster_agent_id),
+      input: workspace_create_mutation_args(cluster_agent_gid),
       user: user
     )
 
@@ -259,12 +264,13 @@ def do_create_workspace(cluster_agent_id)
 
   # rubocop:enable Metrics/AbcSize
 
-  def workspace_create_mutation_args(cluster_agent_id)
+  # @param [String] cluster_agent_gid
+  def workspace_create_mutation_args(cluster_agent_gid)
     {
-      desired_state: RemoteDevelopment::WorkspaceOperations::States::RUNNING,
+      desired_state: states::RUNNING,
       editor: "webide",
       max_hours_before_termination: 24,
-      cluster_agent_id: cluster_agent_id,
+      cluster_agent_id: cluster_agent_gid,
       project_id: workspace_project.to_global_id.to_s,
       devfile_ref: devfile_ref,
       devfile_path: devfile_path,
@@ -274,10 +280,22 @@ def workspace_create_mutation_args(cluster_agent_id)
     }
   end
 
+  # @param [RemoteDevelopment::Workspace] workspace
+  def do_start_workspace(workspace)
+    do_change_workspace_state(workspace: workspace, desired_state: states::RUNNING)
+  end
+
+  # @param [RemoteDevelopment::Workspace] workspace
   def do_stop_workspace(workspace)
+    do_change_workspace_state(workspace: workspace, desired_state: states::STOPPED)
+  end
+
+  # @param [RemoteDevelopment::Workspace] workspace
+  # @param [String] desired_state
+  def do_change_workspace_state(workspace:, desired_state:)
     workspace_update_mutation_args = {
       id: global_id_of(workspace),
-      desired_state: RemoteDevelopment::WorkspaceOperations::States::STOPPED
+      desired_state: desired_state
     }
 
     do_graphql_mutation_post(
@@ -293,6 +311,9 @@ def do_stop_workspace(workspace)
     expect(workspace.reload.desired_state_updated_at).to eq(Time.current)
   end
 
+  # @param [Symbol] name
+  # @param [Hash] input
+  # @param [User] user
   def do_graphql_mutation_post(name:, input:, user:)
     mutation = graphql_mutation(name, input)
     post_graphql_mutation(mutation, current_user: user)
@@ -302,14 +323,11 @@ def do_graphql_mutation_post(name:, input:, user:)
     mutation_response
   end
 
-  def simulate_agentk_reconcile_post(workspace_agent_infos:, update_type:, agent_token:)
-    # Add `travel(...)` based on full or partial reconciliation interval in response body
-    partial_reconciliation_interval_seconds =
-      RemoteDevelopment::Settings
-        .get([:full_reconciliation_interval_seconds, :partial_reconciliation_interval_seconds])
-        .fetch(:partial_reconciliation_interval_seconds)
-        .to_i
-    travel(partial_reconciliation_interval_seconds)
+  # @param [Hash] params
+  # @param [QA::Resource::Clusters::AgentToken] agent_token
+  # @return [Hash] response_json with deep symbolized keys
+  def do_reconcile_post(params:, agent_token:)
+    # Custom logic to perform the reconcile post for a _REQUEST_ spec
 
     jwt_token = JWT.encode(
       { "iss" => Gitlab::Kas::JWT_ISSUER, 'aud' => Gitlab::Kas::JWT_AUDIENCE },
@@ -320,110 +338,134 @@ def simulate_agentk_reconcile_post(workspace_agent_infos:, update_type:, agent_t
       "Authorization" => "Bearer #{agent_token.token}",
       Gitlab::Kas::INTERNAL_API_KAS_REQUEST_HEADER => jwt_token
     }
-
-    post_params = {
-      update_type: update_type,
-      workspace_agent_infos: workspace_agent_infos
-    }
     reconcile_url = api("/internal/kubernetes/modules/remote_development/reconcile", personal_access_token: agent_token)
-    post reconcile_url, params: post_params, headers: agent_token_headers, as: :json
+
+    post reconcile_url, params: params, headers: agent_token_headers, as: :json
 
     expect(response).to have_gitlab_http_status(:created)
-    response_json = json_response.deep_symbolize_keys
+    json_response.deep_symbolize_keys
+  end
 
-    reconciliation_interval_from_response =
-      response_json.fetch(:settings).fetch(:partial_reconciliation_interval_seconds).to_i
-    expect(reconciliation_interval_from_response).to eq(partial_reconciliation_interval_seconds)
+  shared_examples 'workspace lifecycle' do
+    before do
+      stub_licensed_features(remote_development: true)
+      allow(SecureRandom).to receive(:alphanumeric) { random_string }
 
-    response_json
-  end
+      allow(Gitlab::Kas).to receive(:secret).and_return(jwt_secret)
 
-  it "successfully exercises the full lifecycle of a workspace", :unlimited_max_formatted_output_length do
-    # CREATE THE MAPPING VIA GRAPHQL API, SO WE HAVE PROPER AUTHORIZATION
-    do_create_mapping
+      allow(workspace_project.repository).to receive_message_chain(:blob_at_branch, :data) { devfile_yaml }
+    end
 
-    # FETCH THE AGENT CONFIG VIA THE GRAPHQL API, SO WE CAN USE ITS VALUES WHEN CREATING WORKSPACE
-    cluster_agent_id = fetch_agent_config
+    it "successfully exercises the full lifecycle of a workspace", :unlimited_max_formatted_output_length do # rubocop:disable RSpec/NoExpectationExample -- the expectations are in the called methods
+      # CREATE THE MAPPING VIA GRAPHQL API, SO WE HAVE PROPER AUTHORIZATION
+      do_create_mapping
 
-    # DO THE INITAL WORKSPACE CREATION VIA GRAPHQL API
-    workspace = do_create_workspace(cluster_agent_id)
+      # CREATE THE WorkspacesAgentConfig VIA GRAPHQL API
+      do_create_workspaces_agent_config
 
-    additional_args_for_expected_config_to_apply =
-      build_additional_args_for_expected_config_to_apply(
-        network_policy_enabled: network_policy_enabled,
-        dns_zone: dns_zone,
-        namespace_path: workspace_project_namespace.full_path,
-        project_name: workspace_project_name
+      # CREATE WORKSPACE VIA GRAPHQL API
+      workspace = do_create_workspace
+
+      additional_args_for_expected_config_to_apply =
+        build_additional_args_for_expected_config_to_apply(
+          network_policy_enabled: true,
+          dns_zone: dns_zone,
+          namespace_path: workspace_project_namespace.full_path,
+          project_name: workspace_project_name,
+          image_pull_secrets: image_pull_secrets
+        )
+
+      # SIMULATE RECONCILE RESPONSE TO AGENTK SENDING NEW WORKSPACE
+      simulate_first_poll(
+        workspace: workspace.reload,
+        agent_token: agent_token,
+        **additional_args_for_expected_config_to_apply
       )
 
-    # SIMULATE FIRST POLL FROM AGENTK TO PICK UP NEW WORKSPACE
-    simulate_first_poll(
-      workspace: workspace.reload,
-      **additional_args_for_expected_config_to_apply
-    ) do |workspace_agent_infos:, update_type:|
-      simulate_agentk_reconcile_post(
-        workspace_agent_infos: workspace_agent_infos,
-        update_type: update_type,
-        agent_token: agent_token
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO RUNNING ACTUAL_STATE
+      simulate_second_poll(workspace: workspace.reload, agent_token: agent_token)
+
+      # UPDATE WORKSPACE DESIRED_STATE TO STOPPED VIA GRAPHQL API
+      do_stop_workspace(workspace)
+
+      # SIMULATE RECONCILE RESPONSE TO AGENTK UPDATING WORKSPACE TO STOPPED DESIRED_STATE
+      simulate_third_poll(
+        workspace: workspace.reload,
+        agent_token: agent_token,
+        **additional_args_for_expected_config_to_apply
       )
-    end
 
-    # noinspection RubyResolve
-    expect(workspace.reload.responded_to_agent_at).to eq(Time.current)
-
-    # SIMULATE SECOND POLL FROM AGENTK TO UPDATE WORKSPACE TO RUNNING STATE
-    simulate_second_poll(workspace: workspace.reload) do |workspace_agent_infos:, update_type:|
-      simulate_agentk_reconcile_post(
-        workspace_agent_infos: workspace_agent_infos,
-        update_type: update_type,
-        agent_token: agent_token
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO STOPPING ACTUAL_STATE
+      simulate_fourth_poll(workspace: workspace.reload, agent_token: agent_token)
+
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO STOPPED ACTUAL_STATE
+      simulate_fifth_poll(workspace: workspace.reload, agent_token: agent_token)
+
+      # SIMULATE RECONCILE RESPONSE TO AGENTK FOR PARTIAL RECONCILE TO SHOW NO RAILS_INFOS ARE SENT
+      simulate_sixth_poll(agent_token: agent_token)
+
+      # SIMULATE RECONCILE RESPONSE TO AGENTK FOR FULL RECONCILE TO SHOW ALL WORKSPACES ARE SENT IN RAILS_INFOS
+      simulate_seventh_poll(
+        workspace: workspace.reload,
+        agent_token: agent_token,
+        **additional_args_for_expected_config_to_apply
       )
-    end
 
-    # UPDATE WORKSPACE DESIRED_STATE TO STOPPED VIA GRAPHQL API
-    do_stop_workspace(workspace)
+      # UPDATE WORKSPACE DESIRED_STATE BACK TO RUNNING VIA GRAPHQL API
+      do_start_workspace(workspace)
 
-    # SIMULATE THIRD POLL FROM AGENTK TO UPDATE WORKSPACE TO STOPPING STATE
-    simulate_third_poll(
-      workspace: workspace.reload,
-      **additional_args_for_expected_config_to_apply
-    ) do |workspace_agent_infos:, update_type:|
-      simulate_agentk_reconcile_post(
+      # SIMULATE RECONCILE RESPONSE TO AGENTK UPDATING WORKSPACE TO RUNNING DESIRED_STATE
+      simulate_eighth_poll(
+        workspace: workspace.reload,
         agent_token: agent_token,
-        workspace_agent_infos: workspace_agent_infos,
-        update_type: update_type
+        **additional_args_for_expected_config_to_apply
       )
-    end
 
-    # SIMULATE FOURTH POLL FROM AGENTK TO UPDATE WORKSPACE TO STOPPED STATE
-    simulate_fourth_poll(workspace: workspace.reload) do |workspace_agent_infos:, update_type:|
-      simulate_agentk_reconcile_post(
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO RUNNING ACTUAL_STATE
+      simulate_ninth_poll(
+        workspace: workspace.reload,
         agent_token: agent_token,
-        workspace_agent_infos: workspace_agent_infos,
-        update_type: update_type
+        # TRAVEL FORWARD IN TIME MAX_ACTIVE_HOURS_BEFORE_STOP HOURS
+        time_to_travel_after_poll: workspace.workspaces_agent_config.max_active_hours_before_stop.hours
       )
-    end
 
-    # SIMULATE FIFTH POLL FROM AGENTK FOR PARTIAL RECONCILE TO SHOW NO RAILS_INFOS ARE SENT
-    simulate_fifth_poll do |workspace_agent_infos:, update_type:|
-      simulate_agentk_reconcile_post(
+      # SIMULATE RECONCILE RESPONSE TO AGENTK UPDATING WORKSPACE TO STOPPED DESIRED_STATE
+      simulate_tenth_poll(
+        workspace: workspace.reload,
         agent_token: agent_token,
-        workspace_agent_infos: workspace_agent_infos,
-        update_type: update_type
+        **additional_args_for_expected_config_to_apply
+      )
+
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO STOPPING ACTUAL_STATE
+      simulate_eleventh_poll(workspace: workspace.reload, agent_token: agent_token)
+
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO STOPPED ACTUAL_STATE
+      simulate_twelfth_poll(
+        workspace: workspace.reload,
+        agent_token: agent_token,
+        # TRAVEL FORWARD IN TIME MAX_STOPPED_HOURS_BEFORE_TERMINATION HOURS
+        time_to_travel_after_poll: workspace.workspaces_agent_config.max_stopped_hours_before_termination.hours
       )
-    end
 
-    # SIMULATE SIXTH POLL FROM AGENTK FOR FULL RECONCILE TO SHOW ALL WORKSPACES ARE SENT IN RAILS_INFOS
-    simulate_sixth_poll(
-      workspace: workspace.reload,
-      **additional_args_for_expected_config_to_apply
-    ) do |workspace_agent_infos:, update_type:|
-      simulate_agentk_reconcile_post(
+      # SIMULATE RECONCILE RESPONSE TO AGENTK UPDATING WORKSPACE TO TERMINATED DESIRED_STATE
+      simulate_thirteenth_poll(
+        workspace: workspace.reload,
         agent_token: agent_token,
-        workspace_agent_infos: workspace_agent_infos,
-        update_type: update_type
+        **additional_args_for_expected_config_to_apply
       )
+
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO TERMINATING ACTUAL_STATE
+      simulate_fourteenth_poll(workspace: workspace.reload, agent_token: agent_token)
+
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO TERMINATED ACTUAL_STATE
+      simulate_fifteenth_poll(workspace: workspace.reload, agent_token: agent_token)
     end
   end
+
+  describe "a happy path workspace lifecycle" do
+    # NOTE: Even though this is only called once, we leave it as a shared example, so that we can easily
+    #       introduce additional contexts with different behavior for temporary feature flag testing.
+    it_behaves_like 'workspace lifecycle'
+  end
 end
 # rubocop:enable RSpec/MultipleMemoizedHelpers
diff --git a/ee/spec/support/helpers/remote_development/integration_spec_helpers.rb b/ee/spec/support/helpers/remote_development/integration_spec_helpers.rb
index bd6ce5b709c26a..67a18a0c0fe2c2 100644
--- a/ee/spec/support/helpers/remote_development/integration_spec_helpers.rb
+++ b/ee/spec/support/helpers/remote_development/integration_spec_helpers.rb
@@ -2,247 +2,579 @@
 
 module RemoteDevelopment
   module IntegrationSpecHelpers
-    def enable_agent_for_group(agent_name:, group_name:)
-      workspaces_group_settings_path = "/groups/#{group_name}/-/settings/workspaces"
-      gitlab_badge_selector = '.gl-badge-content'
-      visit workspaces_group_settings_path
-      wait_for_requests
-
-      # enable agent for group
-      click_link 'All agents'
-      expect(page).to have_content agent_name
-      first_agent_row_selector = 'tbody tr:first-child'
-      expect(page).not_to have_selector(gitlab_badge_selector, text: 'Allowed')
-      within first_agent_row_selector do
-        click_button 'Allow'
-        wait_for_requests
-      end
-      click_button 'Allow agent'
-      expect(page).to have_selector(gitlab_badge_selector, text: 'Allowed')
-    end
+    include ::RemoteDevelopment::WorkspaceOperations::States
 
+    # @param [Boolean] network_policy_enabled
+    # @param [String] dns_zone
+    # @param [String] namespace_path
+    # @param [String] project_name
     def build_additional_args_for_expected_config_to_apply(
       network_policy_enabled:,
       dns_zone:,
-      namespace_path: workspace_project_namespace.full_path,
-      project_name: workspace_project_name
+      namespace_path:,
+      project_name:,
+      image_pull_secrets:
     )
       {
         dns_zone: dns_zone,
         namespace_path: namespace_path,
         project_name: project_name,
-        include_network_policy: network_policy_enabled
+        include_network_policy: network_policy_enabled,
+        image_pull_secrets: image_pull_secrets
+      }
+    end
+
+    # @param [Array] workspace_agent_infos
+    # @param [String] update_type
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    # @param [settingd] Hash
+    def simulate_agentk_reconcile_post(workspace_agent_infos:, update_type:, agent_token:, settings:)
+      post_params = {
+        update_type: update_type,
+        workspace_agent_infos: workspace_agent_infos
       }
+
+      # do_reconcile_post contains custom logic for either the request spec or the feature spec.
+      response_json = do_reconcile_post(params: post_params, agent_token: agent_token)
+
+      # Assert on settings returned in reconcilation response payload
+      expect(response_json.fetch(:settings)).to eq(settings)
+
+      response_json
     end
 
-    def simulate_first_poll(
+    # @param [Workspace] workspace
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    # @param [String] update_type
+    # @param [Array] workspace_agent_infos
+    # @param [String] expected_desired_state
+    # @param [String] expected_actual_state
+    # @param [String] expected_resource_version
+    # @param [Hash] expected_config_to_apply
+    # @param [Integer] expected_rails_infos_count
+    # rubocop:disable Metrics/ParameterLists -- This is a test helper, not worth introducing a parameters object, at least for now.
+    def simulate_poll(
       workspace:,
-      **additional_args_for_create_config_to_apply,
-      &simulate_agentk_reconcile_post_block
+      agent_token:,
+      update_type:,
+      workspace_agent_infos:,
+      expected_desired_state:,
+      expected_actual_state:,
+      expected_resource_version:,
+      expected_config_to_apply:,
+      expected_rails_infos_count: 1,
+      time_to_travel_after_poll: nil
     )
-      # SIMULATE FIRST POLL REQUEST FROM AGENTK TO GET NEW WORKSPACE
+      settings = RemoteDevelopment::Settings.get(
+        [
+          :partial_reconciliation_interval_seconds,
+          :full_reconciliation_interval_seconds
+        ]
+      )
 
-      update_type = "partial"
-      response_json = simulate_agentk_reconcile_post_block.yield(
-        workspace_agent_infos: [],
-        update_type: update_type
+      # rubocop:enable Metrics/ParameterLists
+      response_json = simulate_agentk_reconcile_post(
+        workspace_agent_infos: workspace_agent_infos,
+        update_type: update_type,
+        agent_token: agent_token,
+        settings: settings
+      )
+
+      assert_response(
+        response_json,
+        workspace: workspace,
+        expected_desired_state: expected_desired_state,
+        expected_actual_state: expected_actual_state,
+        expected_resource_version: expected_resource_version,
+        expected_config_to_apply: expected_config_to_apply,
+        expected_rails_infos_count: expected_rails_infos_count
       )
 
-      # ASSERT ON RESPONSE TO FIRST POLL REQUEST CONTAINING NEW WORKSPACE
+      # TRAVEL FORWARD IN TIME TO SIMULATE PASSING TIME BETWEEN RECONCILE REQUESTS
+      if time_to_travel_after_poll
+        travel(time_to_travel_after_poll)
+      else
+        reconciliation_interval_seconds = settings.fetch(:"#{update_type}_reconciliation_interval_seconds")
+
+        # Add `travel(...)` based on full or partial reconciliation interval, to control realistic
+        # behavior of the `with_desired_state_updated_more_recently_than_last_response_to_agent` scope in
+        # `.../workspace_operations/reconcile/persistence/workspaces_to_be_returned_finder.rb`
+        travel(reconciliation_interval_seconds)
+      end
+    end
 
+    # @param [Hash] response_json
+    # @param [Workspace] workspace
+    # @param [String] expected_desired_state
+    # @param [String] expected_actual_state
+    # @param [String] expected_resource_version
+    # @param [Hash] expected_config_to_apply
+    # @param [Integer] expected_rails_infos_count
+    def assert_response(
+      response_json,
+      workspace:,
+      expected_desired_state:,
+      expected_actual_state:,
+      expected_resource_version:,
+      expected_config_to_apply:,
+      expected_rails_infos_count:
+    )
       infos = response_json.fetch(:workspace_rails_infos)
-      expect(infos.length).to eq(1)
+      expect(infos.length).to eq(expected_rails_infos_count)
+
+      return unless expected_rails_infos_count > 0
+
+      workspace.reload
+
+      expect(workspace.responded_to_agent_at).to eq(Time.current)
+
       info = infos.first
 
       expect(info.fetch(:name)).to eq(workspace.name)
       expect(info.fetch(:namespace)).to eq(workspace.namespace)
-      expect(info.fetch(:desired_state)).to eq(RemoteDevelopment::WorkspaceOperations::States::RUNNING)
-      expect(info.fetch(:actual_state)).to eq(RemoteDevelopment::WorkspaceOperations::States::CREATION_REQUESTED)
-      expect(info.fetch(:deployment_resource_version)).to be_nil
+      expect(info.fetch(:desired_state)).to eq(expected_desired_state)
+      expect(info.fetch(:actual_state)).to eq(expected_actual_state)
+      expect(info.fetch(:deployment_resource_version)).to eq(expected_resource_version)
+
+      config_to_apply = info.fetch(:config_to_apply)
+      expect(config_to_apply).to eq(expected_config_to_apply)
+    end
+
+    # @param [Workspace] workspace
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    # @param [Hash] additional_args_for_create_config_to_apply
+    def simulate_first_poll(workspace:, agent_token:, **additional_args_for_create_config_to_apply)
+      # SIMULATE RECONCILE RESPONSE TO AGENTK SENDING NEW WORKSPACE
 
       expected_config_to_apply = create_config_to_apply(
         workspace: workspace,
         started: true,
         include_all_resources: true,
-        workspace_image_pull_secrets: workspace.workspaces_agent_config.image_pull_secrets,
         **additional_args_for_create_config_to_apply
       )
 
-      config_to_apply = info.fetch(:config_to_apply)
-      expect(config_to_apply).to eq(expected_config_to_apply)
+      simulate_poll(
+        workspace: workspace,
+        agent_token: agent_token,
+        update_type: "partial",
+        workspace_agent_infos: [],
+        expected_resource_version: nil,
+        expected_desired_state: RUNNING,
+        expected_actual_state: CREATION_REQUESTED,
+        expected_config_to_apply: expected_config_to_apply
+      )
     end
 
-    def simulate_second_poll(
-      workspace:,
-      &simulate_agentk_reconcile_post_block
-    )
-      # SIMULATE SECOND POLL REQUEST FROM AGENTK TO UPDATE WORKSPACE TO RUNNING STATE
+    # @param [Workspace] workspace
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    def simulate_second_poll(workspace:, agent_token:)
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO RUNNING ACTUAL_STATE
 
       resource_version = '1'
       workspace_agent_info = create_workspace_agent_info_hash(
         workspace: workspace,
-        previous_actual_state: RemoteDevelopment::WorkspaceOperations::States::STARTING,
-        current_actual_state: RemoteDevelopment::WorkspaceOperations::States::RUNNING,
-        workspace_exists: false,
+        previous_actual_state: STARTING,
+        current_actual_state: RUNNING,
+        workspace_exists: true,
         resource_version: resource_version
       )
 
-      update_type = "partial"
-      response_json = simulate_agentk_reconcile_post_block.yield(
+      simulate_poll(
+        workspace: workspace,
+        agent_token: agent_token,
+        update_type: "partial",
         workspace_agent_infos: [workspace_agent_info],
-        update_type: update_type
+        expected_desired_state: RUNNING,
+        expected_actual_state: RUNNING,
+        expected_resource_version: resource_version,
+        expected_config_to_apply: nil
       )
-
-      # ASSERT ON RESPONSE TO SECOND POLL REQUEST
-
-      infos = response_json.fetch(:workspace_rails_infos)
-      expect(infos.length).to eq(1)
-      info = infos.first
-
-      expect(info.fetch(:name)).to eq(workspace.name)
-      expect(info.fetch(:namespace)).to eq(workspace.namespace)
-      expect(info.fetch(:desired_state)).to eq(RemoteDevelopment::WorkspaceOperations::States::RUNNING)
-      expect(info.fetch(:actual_state)).to eq(RemoteDevelopment::WorkspaceOperations::States::RUNNING)
-      expect(info.fetch(:deployment_resource_version)).to eq(resource_version)
-      expect(info.fetch(:config_to_apply)).to be_nil
     end
 
+    # @param [Workspace] workspace
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    # @param [Hash] additional_args_for_create_config_to_apply
     def simulate_third_poll(
       workspace:,
-      **additional_args_for_create_config_to_apply,
-      &simulate_agentk_reconcile_post_block
+      agent_token:,
+      **additional_args_for_create_config_to_apply
     )
-      # SIMULATE THIRD POLL REQUEST FROM AGENTK TO UPDATE WORKSPACE TO STOPPING STATE
+      # SIMULATE RECONCILE RESPONSE TO AGENTK UPDATING WORKSPACE TO STOPPED DESIRED_STATE
 
       resource_version = '1'
       workspace_agent_info = create_workspace_agent_info_hash(
         workspace: workspace,
-        previous_actual_state: RemoteDevelopment::WorkspaceOperations::States::RUNNING,
-        current_actual_state: RemoteDevelopment::WorkspaceOperations::States::STOPPING,
+        previous_actual_state: STARTING,
+        current_actual_state: RUNNING,
+        workspace_exists: true,
+        resource_version: resource_version
+      )
+
+      expected_config_to_apply = create_config_to_apply(
+        workspace: workspace,
+        started: false,
+        **additional_args_for_create_config_to_apply
+      )
+
+      simulate_poll(
+        workspace: workspace,
+        agent_token: agent_token,
+        update_type: "partial",
+        workspace_agent_infos: [workspace_agent_info],
+        expected_desired_state: STOPPED,
+        expected_actual_state: RUNNING,
+        expected_resource_version: resource_version,
+        expected_config_to_apply: expected_config_to_apply
+      )
+    end
+
+    # @param [Workspace] workspace
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    def simulate_fourth_poll(workspace:, agent_token:)
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO STOPPING ACTUAL_STATE
+
+      resource_version = '2'
+      workspace_agent_info = create_workspace_agent_info_hash(
+        workspace: workspace,
+        previous_actual_state: RUNNING,
+        current_actual_state: STOPPING,
         workspace_exists: true,
         resource_version: resource_version
       )
 
-      update_type = "partial"
-      response_json = simulate_agentk_reconcile_post_block.yield(
+      simulate_poll(
+        workspace: workspace,
+        agent_token: agent_token,
+        update_type: "partial",
         workspace_agent_infos: [workspace_agent_info],
-        update_type: update_type
+        expected_desired_state: STOPPED,
+        expected_actual_state: STOPPING,
+        expected_resource_version: resource_version,
+        expected_config_to_apply: nil
       )
+    end
 
-      # ASSERT ON RESPONSE TO THIRD POLL REQUEST
+    # @param [Workspace] workspace
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    def simulate_fifth_poll(workspace:, agent_token:)
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO STOPPED ACTUAL_STATE
 
-      infos = response_json.fetch(:workspace_rails_infos)
-      expect(infos.length).to eq(1)
-      info = infos.first
+      resource_version = '3'
+      workspace_agent_info = create_workspace_agent_info_hash(
+        workspace: workspace,
+        previous_actual_state: STOPPING,
+        current_actual_state: STOPPED,
+        workspace_exists: false,
+        resource_version: resource_version
+      )
 
-      expect(info.fetch(:name)).to eq(workspace.name)
-      expect(info.fetch(:namespace)).to eq(workspace.namespace)
-      expect(info.fetch(:desired_state)).to eq(RemoteDevelopment::WorkspaceOperations::States::STOPPED)
-      expect(info.fetch(:actual_state)).to eq(RemoteDevelopment::WorkspaceOperations::States::STOPPING)
-      expect(info.fetch(:deployment_resource_version)).to eq(resource_version)
+      simulate_poll(
+        workspace: workspace,
+        agent_token: agent_token,
+        update_type: "partial",
+        workspace_agent_infos: [workspace_agent_info],
+        expected_desired_state: STOPPED,
+        expected_actual_state: STOPPED,
+        expected_resource_version: resource_version,
+        expected_config_to_apply: nil
+      )
+    end
+
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    def simulate_sixth_poll(agent_token:)
+      # SIMULATE RECONCILE RESPONSE TO AGENTK FOR PARTIAL RECONCILE TO SHOW NO RAILS_INFOS ARE SENT
+
+      resource_version = '3'
+      simulate_poll(
+        workspace: nil,
+        agent_token: agent_token,
+        update_type: "partial",
+        workspace_agent_infos: [],
+        expected_desired_state: STOPPING,
+        expected_actual_state: STOPPED,
+        expected_resource_version: resource_version,
+        expected_config_to_apply: nil,
+        expected_rails_infos_count: 0
+      )
+    end
+
+    # @param [Workspace] workspace
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    # @param [Hash] additional_args_for_create_config_to_apply
+    def simulate_seventh_poll(
+      workspace:,
+      agent_token:,
+      **additional_args_for_create_config_to_apply
+    )
+      # SIMULATE RECONCILE RESPONSE TO AGENTK FOR FULL RECONCILE TO SHOW ALL WORKSPACES ARE SENT IN RAILS_INFOS
+
+      resource_version = '3'
+      workspace_agent_info = create_workspace_agent_info_hash(
+        workspace: workspace,
+        previous_actual_state: STOPPING,
+        current_actual_state: STOPPED,
+        workspace_exists: false,
+        resource_version: resource_version
+      )
 
       expected_config_to_apply = create_config_to_apply(
         workspace: workspace,
         started: false,
-        workspace_image_pull_secrets: workspace.workspaces_agent_config.image_pull_secrets,
+        include_all_resources: true,
         **additional_args_for_create_config_to_apply
       )
 
-      config_to_apply = info.fetch(:config_to_apply)
-      expect(config_to_apply).to eq(expected_config_to_apply)
+      simulate_poll(
+        workspace: workspace,
+        agent_token: agent_token,
+        update_type: "full",
+        workspace_agent_infos: [workspace_agent_info],
+        expected_desired_state: STOPPED,
+        expected_actual_state: STOPPED,
+        expected_resource_version: resource_version,
+        expected_config_to_apply: expected_config_to_apply
+      )
     end
 
-    def simulate_fourth_poll(
+    # @param [Workspace] workspace
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    # @param [Hash] additional_args_for_create_config_to_apply
+    def simulate_eighth_poll(
       workspace:,
-      &simulate_agentk_reconcile_post_block
+      agent_token:,
+      **additional_args_for_create_config_to_apply
     )
-      # SIMULATE FOURTH POLL REQUEST FROM AGENTK TO UPDATE WORKSPACE TO STOPPED STATE
+      # SIMULATE RECONCILE RESPONSE TO AGENTK UPDATING WORKSPACE TO RUNNING DESIRED_STATE
 
-      resource_version = '2'
+      resource_version = '3'
       workspace_agent_info = create_workspace_agent_info_hash(
         workspace: workspace,
-        previous_actual_state: RemoteDevelopment::WorkspaceOperations::States::STOPPING,
-        current_actual_state: RemoteDevelopment::WorkspaceOperations::States::STOPPED,
-        workspace_exists: true,
+        previous_actual_state: STOPPING,
+        current_actual_state: STOPPED,
+        workspace_exists: false,
         resource_version: resource_version
       )
 
-      update_type = "partial"
-      response_json = simulate_agentk_reconcile_post_block.yield(
+      expected_config_to_apply = create_config_to_apply(
+        workspace: workspace,
+        started: true,
+        **additional_args_for_create_config_to_apply
+      )
+
+      simulate_poll(
+        workspace: workspace,
+        agent_token: agent_token,
+        update_type: "partial",
         workspace_agent_infos: [workspace_agent_info],
-        update_type: update_type
+        expected_desired_state: RUNNING,
+        expected_actual_state: STOPPED,
+        expected_resource_version: resource_version,
+        expected_config_to_apply: expected_config_to_apply
       )
+    end
 
-      # ASSERT ON RESPONSE TO FOURTH POLL REQUEST
+    # @param [Workspace] workspace
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    def simulate_ninth_poll(workspace:, agent_token:, time_to_travel_after_poll:)
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO RUNNING ACTUAL_STATE
 
-      infos = response_json.fetch(:workspace_rails_infos)
-      expect(infos.length).to eq(1)
-      info = infos.first
+      resource_version = '4'
+      workspace_agent_info = create_workspace_agent_info_hash(
+        workspace: workspace,
+        previous_actual_state: STARTING,
+        current_actual_state: RUNNING,
+        workspace_exists: true,
+        resource_version: resource_version
+      )
 
-      expect(info.fetch(:name)).to eq(workspace.name)
-      expect(info.fetch(:namespace)).to eq(workspace.namespace)
-      expect(info.fetch(:desired_state)).to eq(RemoteDevelopment::WorkspaceOperations::States::STOPPED)
-      expect(info.fetch(:actual_state)).to eq(RemoteDevelopment::WorkspaceOperations::States::STOPPED)
-      expect(info.fetch(:deployment_resource_version)).to eq(resource_version)
-      expect(info.fetch(:config_to_apply)).to be_nil
+      simulate_poll(
+        workspace: workspace,
+        agent_token: agent_token,
+        update_type: "partial",
+        workspace_agent_infos: [workspace_agent_info],
+        expected_desired_state: RUNNING,
+        expected_actual_state: RUNNING,
+        expected_resource_version: resource_version,
+        expected_config_to_apply: nil,
+        time_to_travel_after_poll: time_to_travel_after_poll
+      )
     end
 
-    def simulate_fifth_poll(&simulate_agentk_reconcile_post_block)
-      # SIMULATE FIFTH POLL FROM AGENTK FOR PARTIAL RECONCILE TO SHOW NO RAILS_INFOS ARE SENT
+    # @param [Workspace] workspace
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    # @param [Hash] additional_args_for_create_config_to_apply
+    def simulate_tenth_poll(
+      workspace:,
+      agent_token:,
+      **additional_args_for_create_config_to_apply
+    )
+      # SIMULATE RECONCILE RESPONSE TO AGENTK UPDATING WORKSPACE TO STOPPED DESIRED_STATE
 
-      update_type = "partial"
-      response_json = simulate_agentk_reconcile_post_block.yield(
-        workspace_agent_infos: [],
-        update_type: update_type
+      resource_version = '4'
+      workspace_agent_info = create_workspace_agent_info_hash(
+        workspace: workspace,
+        previous_actual_state: STARTING,
+        current_actual_state: RUNNING,
+        workspace_exists: false,
+        resource_version: resource_version
       )
 
-      # ASSERT ON RESPONSE TO FIFTH POLL REQUEST
+      expected_config_to_apply = create_config_to_apply(
+        workspace: workspace,
+        started: false,
+        **additional_args_for_create_config_to_apply
+      )
 
-      infos = response_json.fetch(:workspace_rails_infos)
-      expect(infos.length).to eq(0)
+      simulate_poll(
+        workspace: workspace,
+        agent_token: agent_token,
+        update_type: "partial",
+        workspace_agent_infos: [workspace_agent_info],
+        expected_desired_state: STOPPED,
+        expected_actual_state: RUNNING,
+        expected_resource_version: resource_version,
+        expected_config_to_apply: expected_config_to_apply
+      )
     end
 
-    def simulate_sixth_poll(
-      workspace:,
-      **additional_args_for_create_config_to_apply,
-      &simulate_agentk_reconcile_post_block
-    )
-      # SIMULATE FIFTH POLL FROM AGENTK FOR FULL RECONCILE TO SHOW ALL WORKSPACES ARE SENT IN RAILS_INFOS
+    # @param [Workspace] workspace
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    def simulate_eleventh_poll(workspace:, agent_token:)
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO STOPPING ACTUAL_STATE
 
-      resource_version = '2'
+      resource_version = '5'
       workspace_agent_info = create_workspace_agent_info_hash(
         workspace: workspace,
-        previous_actual_state: RemoteDevelopment::WorkspaceOperations::States::STOPPED,
-        current_actual_state: RemoteDevelopment::WorkspaceOperations::States::STOPPED,
+        previous_actual_state: RUNNING,
+        current_actual_state: STOPPING,
         workspace_exists: true,
         resource_version: resource_version
       )
 
-      update_type = "full"
-      response_json = simulate_agentk_reconcile_post_block.yield(
+      simulate_poll(
+        workspace: workspace,
+        agent_token: agent_token,
+        update_type: "partial",
         workspace_agent_infos: [workspace_agent_info],
-        update_type: update_type
+        expected_desired_state: STOPPED,
+        expected_actual_state: STOPPING,
+        expected_resource_version: resource_version,
+        expected_config_to_apply: nil
       )
+    end
 
-      # ASSERT ON RESPONSE TO SIXTH POLL REQUEST CONTAINING NEW WORKSPACE
+    # @param [Workspace] workspace
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    def simulate_twelfth_poll(workspace:, agent_token:, time_to_travel_after_poll:)
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO STOPPED ACTUAL_STATE
 
-      infos = response_json.fetch(:workspace_rails_infos)
-      expect(infos.length).to eq(1)
-      info = infos.first
+      resource_version = '6'
+      workspace_agent_info = create_workspace_agent_info_hash(
+        workspace: workspace,
+        previous_actual_state: STOPPING,
+        current_actual_state: STOPPED,
+        workspace_exists: false,
+        resource_version: resource_version
+      )
 
-      expect(info.fetch(:name)).to eq(workspace.name)
-      expect(info.fetch(:deployment_resource_version)).to eq(resource_version)
+      simulate_poll(
+        workspace: workspace,
+        agent_token: agent_token,
+        update_type: "partial",
+        workspace_agent_infos: [workspace_agent_info],
+        expected_desired_state: STOPPED,
+        expected_actual_state: STOPPED,
+        expected_resource_version: resource_version,
+        expected_config_to_apply: nil,
+        time_to_travel_after_poll: time_to_travel_after_poll
+      )
+    end
+
+    # @param [Workspace] workspace
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    # @param [Hash] additional_args_for_create_config_to_apply
+    def simulate_thirteenth_poll(
+      workspace:,
+      agent_token:,
+      **additional_args_for_create_config_to_apply
+    )
+      # SIMULATE RECONCILE RESPONSE TO AGENTK UPDATING WORKSPACE TO TERMINATED DESIRED_STATE
+
+      resource_version = '6'
+      workspace_agent_info = create_workspace_agent_info_hash(
+        workspace: workspace,
+        previous_actual_state: STOPPING,
+        current_actual_state: STOPPED,
+        workspace_exists: false,
+        resource_version: resource_version
+      )
 
       expected_config_to_apply = create_config_to_apply(
         workspace: workspace,
         started: false,
-        include_all_resources: true,
-        workspace_image_pull_secrets: workspace.workspaces_agent_config.image_pull_secrets,
         **additional_args_for_create_config_to_apply
       )
 
-      config_to_apply = info.fetch(:config_to_apply)
-      expect(config_to_apply).to eq(expected_config_to_apply)
+      simulate_poll(
+        workspace: workspace,
+        agent_token: agent_token,
+        update_type: "partial",
+        workspace_agent_infos: [workspace_agent_info],
+        expected_desired_state: TERMINATED,
+        expected_actual_state: STOPPED,
+        expected_resource_version: resource_version,
+        expected_config_to_apply: expected_config_to_apply
+      )
+    end
+
+    # @param [Workspace] workspace
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    def simulate_fourteenth_poll(workspace:, agent_token:)
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO STOPPING ACTUAL_STATE
+
+      workspace_agent_info = create_workspace_agent_info_hash(
+        workspace: workspace,
+        previous_actual_state: STOPPED,
+        current_actual_state: TERMINATING,
+        workspace_exists: true,
+        resource_version: nil # NOTE: Resource version returned in agent_infos is null in actual_state=Terminating case
+      )
+
+      simulate_poll(
+        workspace: workspace,
+        agent_token: agent_token,
+        update_type: "partial",
+        workspace_agent_infos: [workspace_agent_info],
+        expected_desired_state: TERMINATED,
+        expected_actual_state: TERMINATING,
+        expected_resource_version: '6',
+        expected_config_to_apply: nil
+      )
+    end
+
+    # @param [Workspace] workspace
+    # @param [QA::Resource::Clusters::AgentToken] agent_token
+    def simulate_fifteenth_poll(workspace:, agent_token:)
+      # SIMULATE RECONCILE REQUEST FROM AGENTK UPDATING WORKSPACE TO TERMINATED ACTUAL_STATE
+
+      workspace_agent_info = create_workspace_agent_info_hash(
+        workspace: workspace,
+        previous_actual_state: TERMINATING,
+        current_actual_state: TERMINATED,
+        workspace_exists: false,
+        resource_version: nil
+      )
+
+      simulate_poll(
+        workspace: workspace,
+        agent_token: agent_token,
+        update_type: "partial",
+        workspace_agent_infos: [workspace_agent_info],
+        expected_desired_state: TERMINATED,
+        expected_actual_state: TERMINATED,
+        expected_resource_version: '6',
+        expected_config_to_apply: nil
+      )
     end
   end
 end
diff --git a/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb b/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb
index 3148b7acc65b76..86acda26bf142a 100644
--- a/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb
+++ b/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb
@@ -346,7 +346,7 @@ def create_config_to_apply_v3(
     agent_annotations: {},
     project_name: "test-project",
     namespace_path: "test-group",
-    workspace_image_pull_secrets: [],
+    image_pull_secrets: [],
     core_resources_only: false
   )
     desired_config_generator_version = RemoteDevelopment::WorkspaceOperations::DesiredConfigGeneratorVersion::VERSION_3
@@ -456,7 +456,7 @@ def create_config_to_apply_v3(
     workspace_service_account = workspace_service_account(
       name: workspace.name,
       namespace: workspace.namespace,
-      image_pull_secrets: workspace_image_pull_secrets,
+      image_pull_secrets: image_pull_secrets,
       labels: labels,
       annotations: annotations
     )
@@ -1133,7 +1133,7 @@ def workspace_service_account(
     annotations:
   )
 
-    image_pull_secrets_names = image_pull_secrets.map { |secret| { name: secret.fetch('name') } }
+    image_pull_secrets_names = image_pull_secrets.map { |secret| { name: secret.symbolize_keys.fetch(:name) } }
     {
       kind: 'ServiceAccount',
       apiVersion: 'v1',
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 466485608c80f2..dcc6c77541f63b 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -54737,9 +54737,6 @@ msgstr ""
 msgid "Terminal sync service is running"
 msgstr ""
 
-msgid "Terminates"
-msgstr ""
-
 msgid "Terms"
 msgstr ""
 
diff --git a/spec/fast_spec_helper.rb b/spec/fast_spec_helper.rb
index 8c425e7133b419..b3004fb40e2323 100644
--- a/spec/fast_spec_helper.rb
+++ b/spec/fast_spec_helper.rb
@@ -44,6 +44,8 @@ def self.spec_requires_and_configuration
         mocks.verify_doubled_constant_names = false # Allow mocking of non-lib module/class names from Rails
       end
     end
+
+    Time.zone = 'UTC' # rubocop:disable Gitlab/ChangeTimezone -- allow Time.zone to not be nil in fast_spec_helper, so Time.zone.now works
   end
 
   def self.domain_specific_spec_helper_support
-- 
GitLab


From f218591d1bad79790e7b3192b26b7df3163faa56 Mon Sep 17 00:00:00 2001
From: Chad Woolley <cwoolley@gitlab.com>
Date: Sat, 9 Nov 2024 21:38:42 -0800
Subject: [PATCH 2/2] Update migration timestamps and releases

---
 ... 20241009000001_add_workspace_delayed_termination_fields.rb} | 2 +-
 ...1009000002_add_workspace_delayed_termination_constraints.rb} | 2 +-
 db/schema_migrations/20240913000001                             | 1 -
 db/schema_migrations/20240913000002                             | 1 -
 db/schema_migrations/20241009000001                             | 1 +
 db/schema_migrations/20241009000002                             | 1 +
 6 files changed, 4 insertions(+), 4 deletions(-)
 rename db/migrate/{20240913000001_add_workspace_delayed_termination_fields.rb => 20241009000001_add_workspace_delayed_termination_fields.rb} (98%)
 rename db/migrate/{20240913000002_add_workspace_delayed_termination_constraints.rb => 20241009000002_add_workspace_delayed_termination_constraints.rb} (98%)
 delete mode 100644 db/schema_migrations/20240913000001
 delete mode 100644 db/schema_migrations/20240913000002
 create mode 100644 db/schema_migrations/20241009000001
 create mode 100644 db/schema_migrations/20241009000002

diff --git a/db/migrate/20240913000001_add_workspace_delayed_termination_fields.rb b/db/migrate/20241009000001_add_workspace_delayed_termination_fields.rb
similarity index 98%
rename from db/migrate/20240913000001_add_workspace_delayed_termination_fields.rb
rename to db/migrate/20241009000001_add_workspace_delayed_termination_fields.rb
index 2cee117bbe894a..0e0b0bf2e847b5 100644
--- a/db/migrate/20240913000001_add_workspace_delayed_termination_fields.rb
+++ b/db/migrate/20241009000001_add_workspace_delayed_termination_fields.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 class AddWorkspaceDelayedTerminationFields < Gitlab::Database::Migration[2.2]
-  milestone '17.5'
+  milestone '17.6'
   disable_ddl_transaction!
 
   def up
diff --git a/db/migrate/20240913000002_add_workspace_delayed_termination_constraints.rb b/db/migrate/20241009000002_add_workspace_delayed_termination_constraints.rb
similarity index 98%
rename from db/migrate/20240913000002_add_workspace_delayed_termination_constraints.rb
rename to db/migrate/20241009000002_add_workspace_delayed_termination_constraints.rb
index 0e5cab703c6860..9f0cb8fd4f8f58 100644
--- a/db/migrate/20240913000002_add_workspace_delayed_termination_constraints.rb
+++ b/db/migrate/20241009000002_add_workspace_delayed_termination_constraints.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 class AddWorkspaceDelayedTerminationConstraints < Gitlab::Database::Migration[2.2]
-  milestone "17.5"
+  milestone "17.6"
   disable_ddl_transaction!
 
   TABLE_NAME = :workspaces_agent_configs
diff --git a/db/schema_migrations/20240913000001 b/db/schema_migrations/20240913000001
deleted file mode 100644
index c4d464a12c1232..00000000000000
--- a/db/schema_migrations/20240913000001
+++ /dev/null
@@ -1 +0,0 @@
-2fd7e382f30772901fecd8ef1e38cd1a2610673912813432654a6e088f8ce553
\ No newline at end of file
diff --git a/db/schema_migrations/20240913000002 b/db/schema_migrations/20240913000002
deleted file mode 100644
index 91a8a944fed2e2..00000000000000
--- a/db/schema_migrations/20240913000002
+++ /dev/null
@@ -1 +0,0 @@
-a923994ddf6244057a357ec96fe04900dba401e4c3fa0b6a3dafb663935b7a91
\ No newline at end of file
diff --git a/db/schema_migrations/20241009000001 b/db/schema_migrations/20241009000001
new file mode 100644
index 00000000000000..af64f2d823cfd6
--- /dev/null
+++ b/db/schema_migrations/20241009000001
@@ -0,0 +1 @@
+c1f9b34f09c731c413ddd313e1b37dbc4fb23075f992b3872be421f07ec4ca27
\ No newline at end of file
diff --git a/db/schema_migrations/20241009000002 b/db/schema_migrations/20241009000002
new file mode 100644
index 00000000000000..193900d599f6e6
--- /dev/null
+++ b/db/schema_migrations/20241009000002
@@ -0,0 +1 @@
+ef1526d594ef3f8e867fdcabcf14f407e682f6b7e04f2a4fd89ca2fc007f6d8c
\ No newline at end of file
-- 
GitLab