feat: delegate keyring operations to CLI instead of native binaries

Replace @napi-rs/keyring (4 native .node binaries) with CLI subprocess
calls. The extension now runs `coder login --use-token-as-session` to
store tokens and `coder login token --url` to read them, keeping the
credential format in sync with the CLI automatically.

- Add CliCredentialManager that shells out to the Coder CLI
- Update CliManager.configure() to accept binPath and delegate to CLI
- Update LoginCoordinator to fetch CLI binary for keyring reads
- Remove clearCredentials keyring cleanup (stale entries are harmless)
- Remove @napi-rs/keyring dep, vendor script, supportedArchitectures
- Delete KeyringStore and its tests

Author: EhabY

esbuild.mjs

@@ -32,7 +32,7 @@ const buildOptions = {
 		// undefined when bundled to CJS, causing runtime errors.
 		openpgp: "./node_modules/openpgp/dist/node/openpgp.min.cjs",
 	},
-	external: ["vscode", "@napi-rs/keyring"],
+	external: ["vscode"],
 	sourcemap: production ? "external" : true,
 	minify: production,
 	plugins: watch ? [logRebuildPlugin] : [],

package.json

@@ -32,7 +32,7 @@
 		"test:integration": "tsc -p test --outDir out --noCheck && node esbuild.mjs && vscode-test",
 		"test:webview": "vitest --project webview",
 		"typecheck": "concurrently -g \"tsc --noEmit\" \"tsc --noEmit -p test\"",
-		"vscode:prepublish": "pnpm build:production && node scripts/vendor-keyring.mjs",
+		"vscode:prepublish": "pnpm build:production",
 		"watch": "concurrently -n extension,webviews \"pnpm watch:extension\" \"pnpm watch:webviews\"",
 		"watch:extension": "node esbuild.mjs --watch",
 		"watch:webviews": "pnpm -r --filter \"./packages/*\" --parallel dev"
@@ -468,7 +468,6 @@
 		"word-wrap": "1.2.5"
 	},
 	"dependencies": {
-		"@napi-rs/keyring": "^1.2.0",
 		"@peculiar/x509": "^1.14.3",
 		"@repo/shared": "workspace:*",
 		"axios": "1.13.6",

pnpm-lock.yaml

@@ -27,16 +27,3 @@ onlyBuiltDependencies:
   - keytar
   - unrs-resolver
   - utf-8-validate
-
-# Install @napi-rs/keyring native binaries for macOS and Windows so they're
-# available when building the universal VSIX (even on Linux CI).
-# Only macOS and Windows use the keyring; Linux falls back to file storage.
-supportedArchitectures:
-  os:
-    - current
-    - darwin
-    - win32
-  cpu:
-    - current
-    - x64
-    - arm64

pnpm-workspace.yaml

@@ -1,5 +1,5 @@
+import { isKeyringSupported } from "./core/cliCredentialManager";
 import { getHeaderArgs } from "./headers";
-import { isKeyringSupported } from "./keyringStore";
 import { escapeCommandArg } from "./util";
 
 import type { WorkspaceConfiguration } from "vscode";

scripts/vendor-keyring.mjs

@@ -0,0 +1,76 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+
+import { getHeaderArgs } from "../headers";
+
+import type { WorkspaceConfiguration } from "vscode";
+
+import type { Logger } from "../logging/logger";
+
+const execFileAsync = promisify(execFile);
+
+/**
+ * Returns true on platforms where the OS keyring is supported (macOS, Windows).
+ */
+export function isKeyringSupported(): boolean {
+	return process.platform === "darwin" || process.platform === "win32";
+}
+
+/**
+ * Delegates credential storage to the Coder CLI to keep the credentials in sync.
+ */
+export class CliCredentialManager {
+	constructor(private readonly logger: Logger) {}
+
+	/**
+	 * Store a token by running:
+	 *   CODER_SESSION_TOKEN=<token> <bin> login --use-token-as-session <url>
+	 *
+	 * The token is passed via environment variable so it never appears in
+	 * process argument lists.
+	 */
+	async storeToken(
+		binPath: string,
+		url: string,
+		token: string,
+		configs: Pick<WorkspaceConfiguration, "get">,
+	): Promise<void> {
+		const args = [
+			...getHeaderArgs(configs),
+			"login",
+			"--use-token-as-session",
+			url,
+		];
+		try {
+			await execFileAsync(binPath, args, {
+				env: { ...process.env, CODER_SESSION_TOKEN: token },
+			});
+			this.logger.info("Stored token via CLI for", url);
+		} catch (error) {
+			this.logger.error("Failed to store token via CLI:", error);
+			throw error;
+		}
+	}
+
+	/**
+	 * Read a token by running:
+	 *   <bin> login token --url <url>
+	 *
+	 * Returns trimmed stdout, or undefined on any failure.
+	 */
+	async readToken(
+		binPath: string,
+		url: string,
+		configs: Pick<WorkspaceConfiguration, "get">,
+	): Promise<string | undefined> {
+		const args = [...getHeaderArgs(configs), "login", "token", "--url", url];
+		try {
+			const { stdout } = await execFileAsync(binPath, args);
+			const token = stdout.trim();
+			return token || undefined;
+		} catch (error) {
+			this.logger.warn("Failed to read token via CLI:", error);
+			return undefined;
+		}
+	}
+}