Open
Conversation
EhabY
force-pushed
the
add-keyring-support
branch
3 times, most recently
from
bbe05fe to
f5ec9a3
Compare
On macOS and Windows with CLI >= 2.29.0, write session tokens to the OS
keyring (Keychain / Credential Manager) instead of plaintext files.
The CLI reads from the keyring when invoked with --url instead of
--global-config. Falls back to file storage on Linux, older CLIs,
or if the keyring write fails.
Key changes:
- Add KeyringStore wrapping @napi-rs/keyring with the CLI's credential
format (JSON map keyed by host, base64 on macOS, raw bytes on Windows)
- Add CliAuth discriminated union ("global-config" | "url") threaded
through proxy command building and workspace state machine
- Add shouldUseKeyring() as single source of truth gating on CLI version,
platform, and coder.useKeyring setting
- Restructure remote.ts setup() to call configure() after featureSet is
known, so the keyring decision can be made
- Add keyring read fallback in LoginCoordinator for tokens written by
`coder login` from the terminal
- Add vendor-keyring.mjs build script to copy native binaries into
dist/node_modules/ for VSIX packaging (vsce can't follow pnpm symlinks)
- Harden file fallback with mode 0o600
EhabY
force-pushed
the
add-keyring-support
branch
from
f5ec9a3 to
45383e8
Compare
EhabY
commented
Feb 26, 2026
Comment on lines
+35
to
+40
| const nativePackages = [ | ||
| "keyring-darwin-arm64", | ||
| "keyring-darwin-x64", | ||
| "keyring-win32-arm64-msvc", | ||
| "keyring-win32-x64-msvc", | ||
| ]; |
Collaborator
Author
There was a problem hiding this comment.
To make a universal VSIX, we have to package all of these (x64 and arm64 for macOS and Windows). Potentially we can split this into separate VSIXs (esp. when we have linux which has even more).
The universal VSIX went from 1.02MB to 1.80MB. Almost doubled but still acceptable IMO
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--urlinstead of--global-configso the CLI reads tokens from the keyring0o600permissions) on Linux, older CLIs, or if the keyring write failscoder loginin the terminal are picked up automaticallyHow it works
KeyringStorewraps@napi-rs/keyringusing the exact credential format the CLI expects (JSON map keyed by host, base64 on macOS, raw UTF-8 bytes on Windows)CliAuthdiscriminated union ("global-config"|"url") is threaded through proxy command building and the workspace state machineshouldUseKeyring()gates on CLI version, platform, andcoder.useKeyringsettingremote.tssetup()is restructured soconfigure()runs after the CLI feature set is knownvendor-keyring.mjscopies native binaries intodist/node_modules/at build time for VSIX packaging (vsce can't follow pnpm symlinks)