feat: store session tokens in the OS keyring

On macOS and Windows with CLI >= 2.29.0, write session tokens to the OS
keyring (Keychain / Credential Manager) instead of plaintext files.
The CLI reads from the keyring when invoked with --url instead of
--global-config. Falls back to file storage on Linux, older CLIs,
or if the keyring write fails.

Key changes:
- Add KeyringStore wrapping @napi-rs/keyring with the CLI's credential
  format (JSON map keyed by host, base64 on macOS, raw bytes on Windows)
- Add CliAuth discriminated union ("global-config" | "url") threaded
  through proxy command building and workspace state machine
- Add shouldUseKeyring() as single source of truth gating on CLI version,
  platform, and coder.useKeyring setting
- Restructure remote.ts setup() to call configure() after featureSet is
  known, so the keyring decision can be made
- Add keyring read fallback in LoginCoordinator for tokens written by
  `coder login` from the terminal
- Add vendor-keyring.mjs build script to copy native binaries into
  dist/node_modules/ for VSIX packaging (vsce can't follow pnpm symlinks)
- Harden file fallback with mode 0o600

Author: EhabY

.npmrc

@@ -0,0 +1,9 @@
+# Install @napi-rs/keyring native binaries for macOS and Windows so they're
+# available when building the universal VSIX (even on Linux CI).
+# Only macOS and Windows use the keyring; Linux falls back to file storage.
+supportedArchitectures.os[]=current
+supportedArchitectures.os[]=darwin
+supportedArchitectures.os[]=win32
+supportedArchitectures.cpu[]=current
+supportedArchitectures.cpu[]=x64
+supportedArchitectures.cpu[]=arm64

esbuild.mjs

@@ -32,7 +32,7 @@ const buildOptions = {
 		// undefined when bundled to CJS, causing runtime errors.
 		openpgp: "./node_modules/openpgp/dist/node/openpgp.min.cjs",
 	},
-	external: ["vscode"],
+	external: ["vscode", "@napi-rs/keyring"],
 	sourcemap: production ? "external" : true,
 	minify: production,
 	plugins: watch ? [logRebuildPlugin] : [],

eslint.config.mjs

@@ -158,7 +158,7 @@ export default defineConfig(
 
 	// Build config - ESM with Node globals
 	{
-		files: ["esbuild.mjs"],
+		files: ["esbuild.mjs", "scripts/*.mjs"],
 		languageOptions: {
 			globals: {
 				...globals.node,

package.json

@@ -32,7 +32,7 @@
 		"test:integration": "tsc -p test --outDir out --noCheck && node esbuild.mjs && vscode-test",
 		"test:webview": "vitest --project webview",
 		"typecheck": "concurrently -g \"tsc --noEmit\" \"tsc --noEmit -p test\"",
-		"vscode:prepublish": "pnpm build:production",
+		"vscode:prepublish": "pnpm build:production && node scripts/vendor-keyring.mjs",
 		"watch": "concurrently -n extension,webviews \"pnpm watch:extension\" \"pnpm watch:webviews\"",
 		"watch:extension": "node esbuild.mjs --watch",
 		"watch:webviews": "pnpm -r --filter \"./packages/*\" --parallel dev"
@@ -164,6 +164,11 @@
 						"type": "string"
 					}
 				},
+				"coder.useKeyring": {
+					"markdownDescription": "Store session tokens in the OS keyring (macOS Keychain, Windows Credential Manager) instead of plaintext files. Requires CLI >= 2.29.0. Has no effect on Linux.",
+					"type": "boolean",
+					"default": true
+				},
 				"coder.httpClientLogLevel": {
 					"markdownDescription": "Controls the verbosity of HTTP client logging. This affects what details are logged for each HTTP request and response.",
 					"type": "string",
@@ -471,6 +476,7 @@
 		"word-wrap": "1.2.5"
 	},
 	"dependencies": {
+		"@napi-rs/keyring": "^1.2.0",
 		"@peculiar/x509": "^1.14.3",
 		"@repo/shared": "workspace:*",
 		"axios": "1.13.5",

pnpm-lock.yaml

@@ -0,0 +1,52 @@
+/**
+ * Vendor @napi-rs/keyring into dist/node_modules/ for VSIX packaging.
+ *
+ * pnpm uses symlinks that vsce can't follow.  This script resolves them and
+ * copies the JS wrapper plus macOS/Windows .node binaries into dist/, where
+ * Node's require() resolution finds them from dist/extension.js.
+ */
+import { cpSync, existsSync, mkdirSync, realpathSync, rmSync } from "node:fs";
+import { join, resolve, basename } from "node:path";
+
+const outputDir = resolve("dist/node_modules/@napi-rs/keyring");
+const keyringPkg = resolve("node_modules/@napi-rs/keyring");
+
+if (!existsSync(keyringPkg)) {
+	console.log("@napi-rs/keyring not found, skipping");
+	process.exit(0);
+}
+
+const resolvedPkg = realpathSync(keyringPkg);
+
+rmSync(outputDir, { recursive: true, force: true });
+mkdirSync(outputDir, { recursive: true });
+cpSync(resolvedPkg, outputDir, { recursive: true });
+
+// Platform packages are siblings of the resolved keyring package in pnpm's layout.
+// Exact file names so the build fails loudly if the native module renames anything.
+const siblingsDir = resolve(resolvedPkg, "..");
+const binaries = [
+	"keyring-darwin-arm64/keyring.darwin-arm64.node",
+	"keyring-darwin-x64/keyring.darwin-x64.node",
+	"keyring-win32-arm64-msvc/keyring.win32-arm64-msvc.node",
+	"keyring-win32-x64-msvc/keyring.win32-x64-msvc.node",
+];
+
+for (const binary of binaries) {
+	const symlink = join(siblingsDir, binary);
+	if (!existsSync(symlink)) {
+		console.error(
+			`Missing native binary: ${binary}\n` +
+				"Ensure .npmrc includes supportedArchitectures for all target OS/CPU combinations.",
+		);
+		process.exit(1);
+	}
+	const src = realpathSync(symlink);
+	const filename = basename(binary);
+	const dest = join(outputDir, filename);
+	cpSync(src, dest);
+}
+
+console.log(
+	`Vendored @napi-rs/keyring with ${binaries.length} platform binaries into dist/`,
+);

scripts/vendor-keyring.mjs

@@ -7,7 +7,7 @@ import {
 import { spawn } from "node:child_process";
 import * as vscode from "vscode";
 
-import { getGlobalFlags } from "../cliConfig";
+import { type CliAuth, getGlobalFlags } from "../cliConfig";
 import { type FeatureSet } from "../featureSet";
 import { escapeCommandArg } from "../util";
 import { type UnidirectionalStream } from "../websocket/eventStreamConnection";
@@ -50,7 +50,7 @@ export class LazyStream<T> {
  */
 export async function startWorkspaceIfStoppedOrFailed(
 	restClient: Api,
-	globalConfigDir: string,
+	auth: CliAuth,
 	binPath: string,
 	workspace: Workspace,
 	writeEmitter: vscode.EventEmitter<string>,
@@ -65,7 +65,7 @@ export async function startWorkspaceIfStoppedOrFailed(
 
 	return new Promise((resolve, reject) => {
 		const startArgs = [
-			...getGlobalFlags(vscode.workspace.getConfiguration(), globalConfigDir),
+			...getGlobalFlags(vscode.workspace.getConfiguration(), auth),
 			"start",
 			"--yes",
 			createWorkspaceIdentifier(workspace),