Pass CLI login tokens via CODER_SESSION_TOKEN instead of --token

Switch the CLI manager to provide session tokens through the
CODER_SESSION_TOKEN environment variable when running `coder login`
instead of appending `--token <value>` to the process arguments.

We’re making this change for security reasons. Command-line arguments are
more likely to be exposed through process listings, shell history, CI/job
logs, and command auditing, while environment variables have a smaller
exposure surface on typical systems. This aligns the plugin with the Coder
CLI guidance that prefers CODER_SESSION_TOKEN over `--token`.

Author: fioan89

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+### Changed
+
+- reduce token exposure in process arguments and command logs
+
 ## 0.9.0 - 2026-05-14
 
 ### Added

README.md

@@ -539,6 +539,10 @@ support, may trigger regeneration of SSH configurations.
 > [!IMPORTANT]
 > Token authentication is required when TLS certificates are not configured.
 
+When the plugin logs the Coder CLI in with a session token, it passes that token through the
+`CODER_SESSION_TOKEN` environment variable instead of `--token`. This reduces the chances of the token showing up in
+process listings, shell history, or command-line audit logs.
+
 ## Releasing
 
 1. Check that the changelog lists all the important changes.

src/main/kotlin/com/coder/toolbox/cli/CoderCLIManager.kt

@@ -265,10 +265,9 @@ class CoderCLIManager(
     fun login(token: String): String {
         context.logger.info("Storing CLI credentials in $coderConfigPath")
         return exec(
+            env = mapOf(CODER_SESSION_TOKEN_ENV_VAR to token),
             "login",
             deploymentURL.toString(),
-            "--token",
-            token,
             "--global-config",
             coderConfigPath.toString(),
         )
@@ -534,17 +533,23 @@ class CoderCLIManager(
         return matches
     }
 
-    private fun exec(vararg args: String): String {
-        val stdout =
-            ProcessExecutor()
-                .command(localBinaryPath.toString(), *args)
-                .environment("CODER_HEADER_COMMAND", context.settingsStore.headerCommand)
-                .exitValues(0)
-                .readOutput(true)
-                .execute()
-                .outputUTF8()
-        val redactedArgs = listOf(*args).joinToString(" ").replace(tokenRegex, "--token <redacted>")
-        context.logger.info("`$localBinaryPath $redactedArgs`: $stdout")
+    private fun exec(vararg args: String): String = exec(env = emptyMap(), *args)
+
+    private fun exec(env: Map<String, String>, vararg args: String): String {
+        val executor = ProcessExecutor()
+            .command(localBinaryPath.toString(), *args)
+            .exitValues(0)
+            .readOutput(true)
+
+        context.settingsStore.headerCommand?.let {
+            executor.environment("CODER_HEADER_COMMAND", it)
+        }
+        env.forEach { (key, value) ->
+            executor.environment(key, value)
+        }
+
+        val stdout = executor.execute().outputUTF8()
+        context.logger.info("`$localBinaryPath ${listOf(*args).joinToString(" ")}`: $stdout")
         return stdout
     }
 
@@ -572,7 +577,7 @@ class CoderCLIManager(
     }
 
     companion object {
-        private val tokenRegex = "--token [^ ]+".toRegex()
+        private const val CODER_SESSION_TOKEN_ENV_VAR = "CODER_SESSION_TOKEN"
 
         private fun getHostnamePrefix(url: URL): String = "coder-jetbrains-toolbox-${url.safeHost()}"