Store session tokens in the OS keyring

esbuild.mjs

@@ -32,7 +32,7 @@ const buildOptions = {
 		// undefined when bundled to CJS, causing runtime errors.
 		openpgp: "./node_modules/openpgp/dist/node/openpgp.min.cjs",
 	},
-	external: ["vscode"],
+	external: ["vscode", "@napi-rs/keyring"],
 	sourcemap: production ? "external" : true,
 	minify: production,
 	plugins: watch ? [logRebuildPlugin] : [],

eslint.config.mjs

@@ -158,7 +158,7 @@ export default defineConfig(
 
 	// Build config - ESM with Node globals
 	{
-		files: ["esbuild.mjs"],
+		files: ["esbuild.mjs", "scripts/*.mjs"],
 		languageOptions: {
 			globals: {
 				...globals.node,

package.json

@@ -32,7 +32,7 @@
 		"test:integration": "tsc -p test --outDir out --noCheck && node esbuild.mjs && vscode-test",
 		"test:webview": "vitest --project webview",
 		"typecheck": "concurrently -g \"tsc --noEmit\" \"tsc --noEmit -p test\"",
-		"vscode:prepublish": "pnpm build:production",
+		"vscode:prepublish": "pnpm build:production && node scripts/vendor-keyring.mjs",
 		"watch": "concurrently -n extension,webviews \"pnpm watch:extension\" \"pnpm watch:webviews\"",
 		"watch:extension": "node esbuild.mjs --watch",
 		"watch:webviews": "pnpm -r --filter \"./packages/*\" --parallel dev"
@@ -164,6 +164,11 @@
 						"type": "string"
 					}
 				},
+				"coder.useKeyring": {
+					"markdownDescription": "Store session tokens in the OS keyring (macOS Keychain, Windows Credential Manager) instead of plaintext files. Requires CLI >= 2.29.0. Has no effect on Linux.",
+					"type": "boolean",
+					"default": true
+				},
 				"coder.httpClientLogLevel": {
 					"markdownDescription": "Controls the verbosity of HTTP client logging. This affects what details are logged for each HTTP request and response.",
 					"type": "string",
@@ -471,6 +476,7 @@
 		"word-wrap": "1.2.5"
 	},
 	"dependencies": {
+		"@napi-rs/keyring": "^1.2.0",
 		"@peculiar/x509": "^1.14.3",
 		"@repo/shared": "workspace:*",
 		"axios": "1.13.5",

pnpm-workspace.yaml

@@ -26,3 +26,16 @@ onlyBuiltDependencies:
   - keytar
   - unrs-resolver
   - utf-8-validate
+
+# Install @napi-rs/keyring native binaries for macOS and Windows so they're
+# available when building the universal VSIX (even on Linux CI).
+# Only macOS and Windows use the keyring; Linux falls back to file storage.
+supportedArchitectures:
+  os:
+    - current
+    - darwin
+    - win32
+  cpu:
+    - current
+    - x64
+    - arm64

scripts/vendor-keyring.mjs

@@ -0,0 +1,61 @@
+/**
+ * Vendor @napi-rs/keyring into dist/node_modules/ for VSIX packaging.
+ *
+ * pnpm uses symlinks that vsce can't follow. This script resolves them and
+ * copies the JS wrapper plus macOS/Windows .node binaries into dist/, where
+ * Node's require() resolution finds them from dist/extension.js.
+ */
+import {
+	cpSync,
+	existsSync,
+	mkdirSync,
+	readdirSync,
+	realpathSync,
+	rmSync,
+} from "node:fs";
+import { join, resolve } from "node:path";
+
+const keyringPkg = resolve("node_modules/@napi-rs/keyring");
+const outputDir = resolve("dist/node_modules/@napi-rs/keyring");
+
+if (!existsSync(keyringPkg)) {
+	console.error("@napi-rs/keyring not found — run pnpm install first");
+	process.exit(1);
+}
+
+// Copy the JS wrapper package (resolving pnpm symlinks)
+const resolvedPkg = realpathSync(keyringPkg);
+rmSync(outputDir, { recursive: true, force: true });
+mkdirSync(outputDir, { recursive: true });
+cpSync(resolvedPkg, outputDir, { recursive: true });
+
+// Native binary packages live as siblings of the resolved keyring package in
+// pnpm's content-addressable store (they aren't hoisted to node_modules).
+const siblingsDir = resolve(resolvedPkg, "..");
+const nativePackages = [
+	"keyring-darwin-arm64",
+	"keyring-darwin-x64",
+	"keyring-win32-arm64-msvc",
+	"keyring-win32-x64-msvc",
+];
+
+for (const pkg of nativePackages) {
+	const pkgDir = join(siblingsDir, pkg);
+	if (!existsSync(pkgDir)) {
+		console.error(
+			`Missing native package: ${pkg}\n` +
+				"Ensure supportedArchitectures in pnpm-workspace.yaml includes all target platforms.",
+		);
+		process.exit(1);
+	}
+	const nodeFile = readdirSync(pkgDir).find((f) => f.endsWith(".node"));
+	if (!nodeFile) {
+		console.error(`No .node binary found in ${pkg}`);
+		process.exit(1);
+	}
+	cpSync(join(pkgDir, nodeFile), join(outputDir, nodeFile));
+}
+
+console.log(
+	`Vendored @napi-rs/keyring with ${nativePackages.length} platform binaries into dist/`,
+);

src/api/workspace.ts

@@ -7,7 +7,7 @@ import {
 import { spawn } from "node:child_process";
 import * as vscode from "vscode";
 
-import { getGlobalFlags } from "../cliConfig";
+import { type CliAuth, getGlobalFlags } from "../cliConfig";
 import { type FeatureSet } from "../featureSet";
 import { escapeCommandArg } from "../util";
 import { type UnidirectionalStream } from "../websocket/eventStreamConnection";
@@ -50,7 +50,7 @@ export class LazyStream<T> {
  */
 export async function startWorkspaceIfStoppedOrFailed(
 	restClient: Api,
-	globalConfigDir: string,
+	auth: CliAuth,
 	binPath: string,
 	workspace: Workspace,
 	writeEmitter: vscode.EventEmitter<string>,
@@ -65,7 +65,7 @@ export async function startWorkspaceIfStoppedOrFailed(
 
 	return new Promise((resolve, reject) => {
 		const startArgs = [
-			...getGlobalFlags(vscode.workspace.getConfiguration(), globalConfigDir),
+			...getGlobalFlags(vscode.workspace.getConfiguration(), auth),
 			"start",
 			"--yes",
 			createWorkspaceIdentifier(workspace),