feat: store session tokens in the OS keyring (#808)

On macOS and Windows with CLI >= 2.29.0, write session tokens to the OS
keyring (Keychain / Credential Manager) instead of plaintext files.
The CLI reads from the keyring when invoked with --url instead of
--global-config. Falls back to file storage on Linux, or older CLIs.

Key changes:

- Harden file fallback with mode 0o600
- Add shouldUseKeyring() as single source of truth gating on CLI version,
  platform, and coder.useKeyring setting
- Restructure remote.ts setup() to call configure() after featureSet is
  known, so the keyring decision can be made
- Add keyring read fallback in LoginCoordinator for tokens written by
  `coder login` from the terminal
- Add vendor-keyring.mjs build script to copy native binaries into
  dist/node_modules/ for VSIX packaging (vsce can't follow pnpm symlinks)
- Add KeyringStore wrapping @napi-rs/keyring with the CLI's credential
  format (JSON map keyed by host, base64 on macOS, raw bytes on Windows)

Author: EhabY

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 ## Unreleased
 
+### Added
+
+- Session tokens are now stored in the OS keyring (Keychain on macOS, Credential Manager on
+  Windows) instead of plaintext files, when using CLI >= 2.29.0. Falls back to file storage on
+  Linux, older CLIs, or if the keyring write fails. Controlled via the `coder.useKeyring` setting.
+
 ## [v1.13.0](https://github.com/coder/vscode-coder/releases/tag/v1.13.0) 2026-03-03
 
 ### Added

esbuild.mjs

@@ -32,7 +32,7 @@ const buildOptions = {
 		// undefined when bundled to CJS, causing runtime errors.
 		openpgp: "./node_modules/openpgp/dist/node/openpgp.min.cjs",
 	},
-	external: ["vscode"],
+	external: ["vscode", "@napi-rs/keyring"],
 	sourcemap: production ? "external" : true,
 	minify: production,
 	plugins: watch ? [logRebuildPlugin] : [],

eslint.config.mjs

@@ -154,7 +154,7 @@ export default defineConfig(
 
 	// Build config - ESM with Node globals
 	{
-		files: ["esbuild.mjs"],
+		files: ["esbuild.mjs", "scripts/*.mjs"],
 		languageOptions: {
 			globals: {
 				...globals.node,

package.json

@@ -32,7 +32,7 @@
 		"test:integration": "tsc -p test --outDir out --noCheck && node esbuild.mjs && vscode-test",
 		"test:webview": "vitest --project webview",
 		"typecheck": "concurrently -g \"tsc --noEmit\" \"tsc --noEmit -p test\"",
-		"vscode:prepublish": "pnpm build:production",
+		"vscode:prepublish": "pnpm build:production && node scripts/vendor-keyring.mjs",
 		"watch": "concurrently -n extension,webviews \"pnpm watch:extension\" \"pnpm watch:webviews\"",
 		"watch:extension": "node esbuild.mjs --watch",
 		"watch:webviews": "pnpm -r --filter \"./packages/*\" --parallel dev"
@@ -156,6 +156,11 @@
 						"type": "string"
 					}
 				},
+				"coder.useKeyring": {
+					"markdownDescription": "Store session tokens in the OS keyring (macOS Keychain, Windows Credential Manager) instead of plaintext files. Requires CLI >= 2.29.0. Has no effect on Linux.",
+					"type": "boolean",
+					"default": true
+				},
 				"coder.httpClientLogLevel": {
 					"markdownDescription": "Controls the verbosity of HTTP client logging. This affects what details are logged for each HTTP request and response.",
 					"type": "string",
@@ -463,6 +468,7 @@
 		"word-wrap": "1.2.5"
 	},
 	"dependencies": {
+		"@napi-rs/keyring": "^1.2.0",
 		"@peculiar/x509": "^1.14.3",
 		"@repo/shared": "workspace:*",
 		"axios": "1.13.6",

pnpm-lock.yaml

@@ -27,3 +27,16 @@ onlyBuiltDependencies:
   - keytar
   - unrs-resolver
   - utf-8-validate
+
+# Install @napi-rs/keyring native binaries for macOS and Windows so they're
+# available when building the universal VSIX (even on Linux CI).
+# Only macOS and Windows use the keyring; Linux falls back to file storage.
+supportedArchitectures:
+  os:
+    - current
+    - darwin
+    - win32
+  cpu:
+    - current
+    - x64
+    - arm64

pnpm-workspace.yaml

@@ -0,0 +1,61 @@
+/**
+ * Vendor @napi-rs/keyring into dist/node_modules/ for VSIX packaging.
+ *
+ * pnpm uses symlinks that vsce can't follow. This script resolves them and
+ * copies the JS wrapper plus macOS/Windows .node binaries into dist/, where
+ * Node's require() resolution finds them from dist/extension.js.
+ */
+import {
+	cpSync,
+	existsSync,
+	mkdirSync,
+	readdirSync,
+	realpathSync,
+	rmSync,
+} from "node:fs";
+import { join, resolve } from "node:path";
+
+const keyringPkg = resolve("node_modules/@napi-rs/keyring");
+const outputDir = resolve("dist/node_modules/@napi-rs/keyring");
+
+if (!existsSync(keyringPkg)) {
+	console.error("@napi-rs/keyring not found — run pnpm install first");
+	process.exit(1);
+}
+
+// Copy the JS wrapper package (resolving pnpm symlinks)
+const resolvedPkg = realpathSync(keyringPkg);
+rmSync(outputDir, { recursive: true, force: true });
+mkdirSync(outputDir, { recursive: true });
+cpSync(resolvedPkg, outputDir, { recursive: true });
+
+// Native binary packages live as siblings of the resolved keyring package in
+// pnpm's content-addressable store (they aren't hoisted to node_modules).
+const siblingsDir = resolve(resolvedPkg, "..");
+const nativePackages = [
+	"keyring-darwin-arm64",
+	"keyring-darwin-x64",
+	"keyring-win32-arm64-msvc",
+	"keyring-win32-x64-msvc",
+];
+
+for (const pkg of nativePackages) {
+	const pkgDir = join(siblingsDir, pkg);
+	if (!existsSync(pkgDir)) {
+		console.error(
+			`Missing native package: ${pkg}\n` +
+				"Ensure supportedArchitectures in pnpm-workspace.yaml includes all target platforms.",
+		);
+		process.exit(1);
+	}
+	const nodeFile = readdirSync(pkgDir).find((f) => f.endsWith(".node"));
+	if (!nodeFile) {
+		console.error(`No .node binary found in ${pkg}`);
+		process.exit(1);
+	}
+	cpSync(join(pkgDir, nodeFile), join(outputDir, nodeFile));
+}
+
+console.log(
+	`Vendored @napi-rs/keyring with ${nativePackages.length} platform binaries into dist/`,
+);

scripts/vendor-keyring.mjs

@@ -7,7 +7,7 @@ import {
 import { spawn } from "node:child_process";
 import * as vscode from "vscode";
 
-import { getGlobalFlags } from "../cliConfig";
+import { type CliAuth, getGlobalFlags } from "../cliConfig";
 import { type FeatureSet } from "../featureSet";
 import { escapeCommandArg } from "../util";
 import { type UnidirectionalStream } from "../websocket/eventStreamConnection";
@@ -50,7 +50,7 @@ export class LazyStream<T> {
  */
 export async function startWorkspaceIfStoppedOrFailed(
 	restClient: Api,
-	globalConfigDir: string,
+	auth: CliAuth,
 	binPath: string,
 	workspace: Workspace,
 	writeEmitter: vscode.EventEmitter<string>,
@@ -65,7 +65,7 @@ export async function startWorkspaceIfStoppedOrFailed(
 
 	return new Promise((resolve, reject) => {
 		const startArgs = [
-			...getGlobalFlags(vscode.workspace.getConfiguration(), globalConfigDir),
+			...getGlobalFlags(vscode.workspace.getConfiguration(), auth),
 			"start",
 			"--yes",
 			createWorkspaceIdentifier(workspace),