feat: store session tokens in the OS keyring

On macOS and Windows with CLI >= 2.29.0, write session tokens to the OS
keyring (Keychain / Credential Manager) instead of plaintext files.
The CLI reads from the keyring when invoked with --url instead of
--global-config. Falls back to file storage on Linux, older CLIs,
or if the keyring write fails.

Key changes:
- Add KeyringStore wrapping @napi-rs/keyring with the CLI's credential
  format (JSON map keyed by host, base64 on macOS, raw bytes on Windows)
- Add CliAuth discriminated union ("global-config" | "url") threaded
  through proxy command building and workspace state machine
- Add shouldUseKeyring() as single source of truth gating on CLI version,
  platform, and coder.useKeyring setting
- Restructure remote.ts setup() to call configure() after featureSet is
  known, so the keyring decision can be made
- Add keyring read fallback in LoginCoordinator for tokens written by
  `coder login` from the terminal
- Add vendor-keyring.mjs build script to copy native binaries into
  dist/node_modules/ for VSIX packaging (vsce can't follow pnpm symlinks)
- Harden file fallback with mode 0o600

Author: EhabY

esbuild.mjs

@@ -32,7 +32,7 @@ const buildOptions = {
 		// undefined when bundled to CJS, causing runtime errors.
 		openpgp: "./node_modules/openpgp/dist/node/openpgp.min.cjs",
 	},
-	external: ["vscode"],
+	external: ["vscode", "@napi-rs/keyring"],
 	sourcemap: production ? "external" : true,
 	minify: production,
 	plugins: watch ? [logRebuildPlugin] : [],

eslint.config.mjs

@@ -154,7 +154,7 @@ export default defineConfig(
 
 	// Build config - ESM with Node globals
 	{
-		files: ["esbuild.mjs"],
+		files: ["esbuild.mjs", "scripts/*.mjs"],
 		languageOptions: {
 			globals: {
 				...globals.node,

package.json

@@ -32,7 +32,7 @@
 		"test:integration": "tsc -p test --outDir out --noCheck && node esbuild.mjs && vscode-test",
 		"test:webview": "vitest --project webview",
 		"typecheck": "concurrently -g \"tsc --noEmit\" \"tsc --noEmit -p test\"",
-		"vscode:prepublish": "pnpm build:production",
+		"vscode:prepublish": "pnpm build:production && node scripts/vendor-keyring.mjs",
 		"watch": "concurrently -n extension,webviews \"pnpm watch:extension\" \"pnpm watch:webviews\"",
 		"watch:extension": "node esbuild.mjs --watch",
 		"watch:webviews": "pnpm -r --filter \"./packages/*\" --parallel dev"
@@ -156,6 +156,11 @@
 						"type": "string"
 					}
 				},
+				"coder.useKeyring": {
+					"markdownDescription": "Store session tokens in the OS keyring (macOS Keychain, Windows Credential Manager) instead of plaintext files. Requires CLI >= 2.29.0. Has no effect on Linux.",
+					"type": "boolean",
+					"default": true
+				},
 				"coder.httpClientLogLevel": {
 					"markdownDescription": "Controls the verbosity of HTTP client logging. This affects what details are logged for each HTTP request and response.",
 					"type": "string",
@@ -463,6 +468,7 @@
 		"word-wrap": "1.2.5"
 	},
 	"dependencies": {
+		"@napi-rs/keyring": "^1.2.0",
 		"@peculiar/x509": "^1.14.3",
 		"@repo/shared": "workspace:*",
 		"axios": "1.13.6",

pnpm-lock.yaml

@@ -27,3 +27,16 @@ onlyBuiltDependencies:
   - keytar
   - unrs-resolver
   - utf-8-validate
+
+# Install @napi-rs/keyring native binaries for macOS and Windows so they're
+# available when building the universal VSIX (even on Linux CI).
+# Only macOS and Windows use the keyring; Linux falls back to file storage.
+supportedArchitectures:
+  os:
+    - current
+    - darwin
+    - win32
+  cpu:
+    - current
+    - x64
+    - arm64

pnpm-workspace.yaml

@@ -0,0 +1,52 @@
+/**
+ * Vendor @napi-rs/keyring into dist/node_modules/ for VSIX packaging.
+ *
+ * pnpm uses symlinks that vsce can't follow.  This script resolves them and
+ * copies the JS wrapper plus macOS/Windows .node binaries into dist/, where
+ * Node's require() resolution finds them from dist/extension.js.
+ */
+import { cpSync, existsSync, mkdirSync, realpathSync, rmSync } from "node:fs";
+import { join, resolve, basename } from "node:path";
+
+const outputDir = resolve("dist/node_modules/@napi-rs/keyring");
+const keyringPkg = resolve("node_modules/@napi-rs/keyring");
+
+if (!existsSync(keyringPkg)) {
+	console.log("@napi-rs/keyring not found, skipping");
+	process.exit(0);
+}
+
+const resolvedPkg = realpathSync(keyringPkg);
+
+rmSync(outputDir, { recursive: true, force: true });
+mkdirSync(outputDir, { recursive: true });
+cpSync(resolvedPkg, outputDir, { recursive: true });
+
+// Platform packages are siblings of the resolved keyring package in pnpm's layout.
+// Exact file names so the build fails loudly if the native module renames anything.
+const siblingsDir = resolve(resolvedPkg, "..");
+const binaries = [
+	"keyring-darwin-arm64/keyring.darwin-arm64.node",
+	"keyring-darwin-x64/keyring.darwin-x64.node",
+	"keyring-win32-arm64-msvc/keyring.win32-arm64-msvc.node",
+	"keyring-win32-x64-msvc/keyring.win32-x64-msvc.node",
+];
+
+for (const binary of binaries) {
+	const symlink = join(siblingsDir, binary);
+	if (!existsSync(symlink)) {
+		console.error(
+			`Missing native binary: ${binary}\n` +
+				"Ensure .npmrc includes supportedArchitectures for all target OS/CPU combinations.",
+		);
+		process.exit(1);
+	}
+	const src = realpathSync(symlink);
+	const filename = basename(binary);
+	const dest = join(outputDir, filename);
+	cpSync(src, dest);
+}
+
+console.log(
+	`Vendored @napi-rs/keyring with ${binaries.length} platform binaries into dist/`,
+);

scripts/vendor-keyring.mjs

@@ -7,7 +7,7 @@ import {
 import { spawn } from "node:child_process";
 import * as vscode from "vscode";
 
-import { getGlobalFlags } from "../cliConfig";
+import { type CliAuth, getGlobalFlags } from "../cliConfig";
 import { type FeatureSet } from "../featureSet";
 import { escapeCommandArg } from "../util";
 import { type UnidirectionalStream } from "../websocket/eventStreamConnection";
@@ -50,7 +50,7 @@ export class LazyStream<T> {
  */
 export async function startWorkspaceIfStoppedOrFailed(
 	restClient: Api,
-	globalConfigDir: string,
+	auth: CliAuth,
 	binPath: string,
 	workspace: Workspace,
 	writeEmitter: vscode.EventEmitter<string>,
@@ -65,7 +65,7 @@ export async function startWorkspaceIfStoppedOrFailed(
 
 	return new Promise((resolve, reject) => {
 		const startArgs = [
-			...getGlobalFlags(vscode.workspace.getConfiguration(), globalConfigDir),
+			...getGlobalFlags(vscode.workspace.getConfiguration(), auth),
 			"start",
 			"--yes",
 			createWorkspaceIdentifier(workspace),

src/api/workspace.ts

@@ -1,39 +1,76 @@
-import { type WorkspaceConfiguration } from "vscode";
+import * as vscode from "vscode";
 
+import { type FeatureSet } from "./featureSet";
 import { getHeaderArgs } from "./headers";
+import { isKeyringSupported } from "./keyringStore";
 import { escapeCommandArg } from "./util";
 
+export type CliAuth =
+	| { mode: "global-config"; configDir: string }
+	| { mode: "url"; url: string };
+
 /**
  * Returns the raw global flags from user configuration.
  */
 export function getGlobalFlagsRaw(
-	configs: Pick<WorkspaceConfiguration, "get">,
+	configs: Pick<vscode.WorkspaceConfiguration, "get">,
 ): string[] {
 	return configs.get<string[]>("coder.globalFlags", []);
 }
 
 /**
  * Returns global configuration flags for Coder CLI commands.
- * Always includes the `--global-config` argument with the specified config directory.
+ * Includes either `--global-config` or `--url` depending on the auth mode.
  */
 export function getGlobalFlags(
-	configs: Pick<WorkspaceConfiguration, "get">,
-	configDir: string,
+	configs: Pick<vscode.WorkspaceConfiguration, "get">,
+	auth: CliAuth,
 ): string[] {
+	const authFlags =
+		auth.mode === "url"
+			? ["--url", escapeCommandArg(auth.url)]
+			: ["--global-config", escapeCommandArg(auth.configDir)];
+
 	// Last takes precedence/overrides previous ones
 	return [
 		...getGlobalFlagsRaw(configs),
-		"--global-config",
-		escapeCommandArg(configDir),
+		...authFlags,
 		...getHeaderArgs(configs),
 	];
 }
 
+/**
+ * Single source of truth: should the extension use the OS keyring for this session?
+ * Requires CLI >= 2.29.0, macOS or Windows, and the coder.useKeyring setting enabled.
+ */
+export function shouldUseKeyring(featureSet: FeatureSet): boolean {
+	return (
+		featureSet.keyringAuth &&
+		isKeyringSupported() &&
+		vscode.workspace.getConfiguration().get<boolean>("coder.useKeyring", true)
+	);
+}
+
+/**
+ * Resolves how the CLI should authenticate: via the keyring (`--url`) or via
+ * the global config directory (`--global-config`).
+ */
+export function resolveCliAuth(
+	featureSet: FeatureSet,
+	deploymentUrl: string | undefined,
+	configDir: string,
+): CliAuth {
+	if (shouldUseKeyring(featureSet) && deploymentUrl) {
+		return { mode: "url", url: deploymentUrl };
+	}
+	return { mode: "global-config", configDir };
+}
+
 /**
  * Returns SSH flags for the `coder ssh` command from user configuration.
  */
 export function getSshFlags(
-	configs: Pick<WorkspaceConfiguration, "get">,
+	configs: Pick<vscode.WorkspaceConfiguration, "get">,
 ): string[] {
 	// Make sure to match this default with the one in the package.json
 	return configs.get<string[]>("coder.sshFlags", ["--disable-autostart"]);