feat: add cancellable progress monitors for credential operations

Show VS Code progress notifications with Cancel support during
storeToken/deleteToken CLI calls. Thread AbortSignal through the
credential manager and add a reusable withCancellableProgress util.

Author: EhabY

src/cliConfig.ts

@@ -33,22 +33,27 @@ export function getGlobalFlags(
 			: ["--global-config", escapeCommandArg(auth.configDir)];
 
 	const raw = getGlobalFlagsRaw(configs);
+	const filtered = stripManagedFlags(raw);
+
+	return [...filtered, ...authFlags, ...getHeaderArgs(configs)];
+}
+
+function stripManagedFlags(rawFlags: string[]): string[] {
 	const filtered: string[] = [];
-	for (let i = 0; i < raw.length; i++) {
-		if (isFlag(raw[i], "--use-keyring")) {
+	for (let i = 0; i < rawFlags.length; i++) {
+		if (isFlag(rawFlags[i], "--use-keyring")) {
 			continue;
 		}
-		if (isFlag(raw[i], "--global-config")) {
+		if (isFlag(rawFlags[i], "--global-config")) {
 			// Skip the next item too when the value is a separate entry.
-			if (raw[i] === "--global-config") {
+			if (rawFlags[i] === "--global-config") {
 				i++;
 			}
 			continue;
 		}
-		filtered.push(raw[i]);
+		filtered.push(rawFlags[i]);
 	}
-
-	return [...filtered, ...authFlags, ...getHeaderArgs(configs)];
+	return filtered;
 }
 
 function isFlag(item: string, name: string): boolean {
@@ -66,17 +71,6 @@ export function isKeyringEnabled(
 	return isKeyringSupported() && configs.get<boolean>("coder.useKeyring", true);
 }
 
-/**
- * Single source of truth: should the extension use the OS keyring for this session?
- * Requires CLI >= 2.29.0, macOS or Windows, and the coder.useKeyring setting enabled.
- */
-export function shouldUseKeyring(
-	configs: Pick<WorkspaceConfiguration, "get">,
-	featureSet: FeatureSet,
-): boolean {
-	return isKeyringEnabled(configs) && featureSet.keyringAuth;
-}
-
 /**
  * Resolves how the CLI should authenticate: via the keyring (`--url`) or via
  * the global config directory (`--global-config`).
@@ -87,7 +81,7 @@ export function resolveCliAuth(
 	deploymentUrl: string,
 	configDir: string,
 ): CliAuth {
-	if (shouldUseKeyring(configs, featureSet)) {
+	if (isKeyringEnabled(configs) && featureSet.keyringAuth) {
 		return { mode: "url", url: deploymentUrl };
 	}
 	return { mode: "global-config", configDir };

src/core/cliCredentialManager.ts

@@ -1,20 +1,32 @@
 import { execFile } from "node:child_process";
+import fs from "node:fs/promises";
+import path from "node:path";
 import { promisify } from "node:util";
+import * as semver from "semver";
 
 import { isKeyringEnabled } from "../cliConfig";
+import { featureSetForVersion } from "../featureSet";
 import { getHeaderArgs } from "../headers";
+import { toSafeHost } from "../util";
+
+import * as cliUtils from "./cliUtils";
 
 import type { WorkspaceConfiguration } from "vscode";
 
 import type { Logger } from "../logging/logger";
 
+import type { PathResolver } from "./pathResolver";
+
 const execFileAsync = promisify(execFile);
 
+const EXEC_TIMEOUT_MS = 60_000;
+const EXEC_LOG_INTERVAL_MS = 5_000;
+
 /**
  * Resolves a CLI binary path for a given deployment URL, fetching/downloading
  * if needed. Returns the path or throws if unavailable.
  */
-export type BinaryResolver = (url: string) => Promise<string>;
+export type BinaryResolver = (deploymentUrl: string) => Promise<string>;
 
 /**
  * Returns true on platforms where the OS keyring is supported (macOS, Windows).
@@ -24,30 +36,33 @@ export function isKeyringSupported(): boolean {
 }
 
 /**
- * Delegates credential storage to the Coder CLI. All operations resolve the
- * binary via the injected BinaryResolver before invoking it.
+ * Delegates credential storage to the Coder CLI. Owns all credential
+ * persistence: keyring-backed (via CLI) and file-based (plaintext).
  */
 export class CliCredentialManager {
 	constructor(
 		private readonly logger: Logger,
 		private readonly resolveBinary: BinaryResolver,
+		private readonly pathResolver: PathResolver,
 	) {}
 
 	/**
-	 * Store a token via `coder login --use-token-as-session`.
-	 * Token is passed via CODER_SESSION_TOKEN env var, never in args.
+	 * Store credentials for a deployment URL. Uses the OS keyring when the
+	 * setting is enabled and the CLI supports it; otherwise writes plaintext
+	 * files under --global-config.
+	 *
+	 * Keyring and files are mutually exclusive — never both.
 	 */
 	public async storeToken(
 		url: string,
 		token: string,
 		configs: Pick<WorkspaceConfiguration, "get">,
+		signal?: AbortSignal,
 	): Promise<void> {
-		let binPath: string;
-		try {
-			binPath = await this.resolveBinary(url);
-		} catch (error) {
-			this.logger.debug("Could not resolve CLI binary for token store:", error);
-			throw error;
+		const binPath = await this.resolveKeyringBinary(url, configs);
+		if (!binPath) {
+			await this.writeCredentialFiles(url, token);
+			return;
 		}
 
 		const args = [
@@ -57,12 +72,13 @@ export class CliCredentialManager {
 			url,
 		];
 		try {
-			await execFileAsync(binPath, args, {
+			await this.execWithTimeout(binPath, args, {
 				env: { ...process.env, CODER_SESSION_TOKEN: token },
+				signal,
 			});
 			this.logger.info("Stored token via CLI for", url);
 		} catch (error) {
-			this.logger.debug("Failed to store token via CLI:", error);
+			this.logger.warn("Failed to store token via CLI:", error);
 			throw error;
 		}
 	}
@@ -83,49 +99,160 @@ export class CliCredentialManager {
 		try {
 			binPath = await this.resolveBinary(url);
 		} catch (error) {
-			this.logger.debug("Could not resolve CLI binary for token read:", error);
+			this.logger.warn("Could not resolve CLI binary for token read:", error);
 			return undefined;
 		}
 
 		const args = [...getHeaderArgs(configs), "login", "token", "--url", url];
 		try {
-			const { stdout } = await execFileAsync(binPath, args);
+			const { stdout } = await this.execWithTimeout(binPath, args);
 			const token = stdout.trim();
 			return token || undefined;
 		} catch (error) {
-			this.logger.debug("Failed to read token via CLI:", error);
+			this.logger.warn("Failed to read token via CLI:", error);
 			return undefined;
 		}
 	}
 
 	/**
-	 * Delete a token via `coder logout --url`. Best-effort: never throws.
+	 * Delete credentials for a deployment. Runs file deletion and keyring
+	 * deletion in parallel, both best-effort (never throws).
 	 */
 	public async deleteToken(
 		url: string,
 		configs: Pick<WorkspaceConfiguration, "get">,
+		signal?: AbortSignal,
 	): Promise<void> {
+		await Promise.all([
+			this.deleteCredentialFiles(url),
+			this.deleteKeyringToken(url, configs, signal),
+		]);
+	}
+
+	/**
+	 * Resolve a CLI binary for keyring operations. Returns the binary path
+	 * when keyring is enabled in settings and the CLI version supports it,
+	 * or undefined to fall back to file-based storage.
+	 *
+	 * Throws on binary resolution or version-check failure (caller decides
+	 * whether to catch or propagate).
+	 */
+	private async resolveKeyringBinary(
+		url: string,
+		configs: Pick<WorkspaceConfiguration, "get">,
+	): Promise<string | undefined> {
 		if (!isKeyringEnabled(configs)) {
-			return;
+			return undefined;
 		}
+		const binPath = await this.resolveBinary(url);
+		const version = semver.parse(await cliUtils.version(binPath));
+		return featureSetForVersion(version).keyringAuth ? binPath : undefined;
+	}
 
-		let binPath: string;
+	/**
+	 * Wrap execFileAsync with a 60s timeout and periodic debug logging.
+	 */
+	private async execWithTimeout(
+		binPath: string,
+		args: string[],
+		options: { env?: NodeJS.ProcessEnv; signal?: AbortSignal } = {},
+	): Promise<{ stdout: string; stderr: string }> {
+		const { signal, ...execOptions } = options;
+		const timer = setInterval(() => {
+			this.logger.debug(`CLI command still running: coder ${args[0]} ...`);
+		}, EXEC_LOG_INTERVAL_MS);
 		try {
-			binPath = await this.resolveBinary(url);
+			return await execFileAsync(binPath, args, {
+				...execOptions,
+				timeout: EXEC_TIMEOUT_MS,
+				signal,
+			});
+		} finally {
+			clearInterval(timer);
+		}
+	}
+
+	/**
+	 * Write URL and token files under --global-config.
+	 */
+	private async writeCredentialFiles(
+		url: string,
+		token: string,
+	): Promise<void> {
+		const safeHostname = toSafeHost(url);
+		await Promise.all([
+			this.atomicWriteFile(this.pathResolver.getUrlPath(safeHostname), url),
+			this.atomicWriteFile(
+				this.pathResolver.getSessionTokenPath(safeHostname),
+				token,
+			),
+		]);
+	}
+
+	/**
+	 * Delete URL and token files. Best-effort: never throws.
+	 */
+	private async deleteCredentialFiles(url: string): Promise<void> {
+		const safeHostname = toSafeHost(url);
+		const paths = [
+			this.pathResolver.getSessionTokenPath(safeHostname),
+			this.pathResolver.getUrlPath(safeHostname),
+		];
+		await Promise.all(
+			paths.map((p) =>
+				fs.rm(p, { force: true }).catch((error) => {
+					this.logger.warn("Failed to remove credential file", p, error);
+				}),
+			),
+		);
+	}
+
+	/**
+	 * Delete keyring token via `coder logout`. Best-effort: never throws.
+	 */
+	private async deleteKeyringToken(
+		url: string,
+		configs: Pick<WorkspaceConfiguration, "get">,
+		signal?: AbortSignal,
+	): Promise<void> {
+		let binPath: string | undefined;
+		try {
+			binPath = await this.resolveKeyringBinary(url, configs);
 		} catch (error) {
-			this.logger.debug(
-				"Could not resolve CLI binary for token delete:",
-				error,
-			);
+			this.logger.warn("Could not resolve keyring binary for delete:", error);
+			return;
+		}
+		if (!binPath) {
 			return;
 		}
 
 		const args = [...getHeaderArgs(configs), "logout", "--url", url, "--yes"];
 		try {
-			await execFileAsync(binPath, args);
+			await this.execWithTimeout(binPath, args, { signal });
 			this.logger.info("Deleted token via CLI for", url);
 		} catch (error) {
-			this.logger.debug("Failed to delete token via CLI:", error);
+			this.logger.warn("Failed to delete token via CLI:", error);
+		}
+	}
+
+	/**
+	 * Atomically write content to a file via temp-file + rename.
+	 */
+	private async atomicWriteFile(
+		filePath: string,
+		content: string,
+	): Promise<void> {
+		await fs.mkdir(path.dirname(filePath), { recursive: true });
+		const tempPath =
+			filePath + ".temp-" + Math.random().toString(36).substring(8);
+		try {
+			await fs.writeFile(tempPath, content, { mode: 0o600 });
+			await fs.rename(tempPath, filePath);
+		} catch (err) {
+			await fs.rm(tempPath, { force: true }).catch((rmErr) => {
+				this.logger.warn("Failed to delete temp file", tempPath, rmErr);
+			});
+			throw err;
 		}
 	}
 }