Conversation
EhabY
force-pushed
the
add-keyring-support
branch
3 times, most recently
from
bbe05fe to
f5ec9a3
Compare
EhabY
force-pushed
the
add-keyring-support
branch
from
f5ec9a3 to
45383e8
Compare
EhabY
commented
Feb 26, 2026
zedkipp
reviewed
Feb 27, 2026
ethanndickson
approved these changes
Mar 2, 2026
Member
ethanndickson
left a comment
ethanndickson
left a comment
There was a problem hiding this comment.
I gave this a quick sanity check on macOS since IIRC you don't have a mac and it worked great. The CLI was able to pickup the VS Code created credentials and vice-versa.
No blocking comments from me.
EhabY
force-pushed
the
add-keyring-support
branch
from
21481f3 to
60892cb
Compare
jdomeracki-coder
approved these changes
Mar 2, 2026
zedkipp
reviewed
Mar 2, 2026
zedkipp
approved these changes
Mar 2, 2026
EhabY
force-pushed
the
add-keyring-support
branch
2 times, most recently
from
73b126c to
2c03884
Compare
On macOS and Windows with CLI >= 2.29.0, write session tokens to the OS
keyring (Keychain / Credential Manager) instead of plaintext files.
The CLI reads from the keyring when invoked with --url instead of
--global-config. Falls back to file storage on Linux, older CLIs,
or if the keyring write fails.
Key changes:
- Add KeyringStore wrapping @napi-rs/keyring with the CLI's credential
format (JSON map keyed by host, base64 on macOS, raw bytes on Windows)
- Add CliAuth discriminated union ("global-config" | "url") threaded
through proxy command building and workspace state machine
- Add shouldUseKeyring() as single source of truth gating on CLI version,
platform, and coder.useKeyring setting
- Restructure remote.ts setup() to call configure() after featureSet is
known, so the keyring decision can be made
- Add keyring read fallback in LoginCoordinator for tokens written by
`coder login` from the terminal
- Add vendor-keyring.mjs build script to copy native binaries into
dist/node_modules/ for VSIX packaging (vsce can't follow pnpm symlinks)
- Harden file fallback with mode 0o600
EhabY
force-pushed
the
add-keyring-support
branch
from
2c03884 to
eb46d87
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--urlinstead of--global-configso the CLI reads tokens from the keyring0o600permissions) on Linux, older CLIs, or if the keyring write failscoder loginin the terminal are picked up automaticallyHow it works
KeyringStorewraps@napi-rs/keyringusing the exact credential format the CLI expects (JSON map keyed by host, base64 on macOS, raw UTF-8 bytes on Windows)CliAuthdiscriminated union ("global-config"|"url") is threaded through proxy command building and the workspace state machineshouldUseKeyring()gates on CLI version, platform, andcoder.useKeyringsettingremote.tssetup()is restructured soconfigure()runs after the CLI feature set is knownvendor-keyring.mjscopies native binaries intodist/node_modules/at build time for VSIX packaging (vsce can't follow pnpm symlinks)