Add support to coder.sshFlags array for user configurable SSH options

Author: EhabY

package.json

@@ -130,11 +130,18 @@
 					],
 					"markdownEnumDescriptions": [
 						"Disables autostart on macOS only (recommended to avoid sleep/wake issues)",
-						"Disables on all platforms",
+						"Disables autostart on all platforms",
 						"Keeps autostart enabled on all platforms"
 					],
 					"default": "auto"
 				},
+				"coder.sshFlags": {
+					"markdownDescription": "Additional flags to pass to the `coder ssh` command when establishing SSH connections. Enter each flag as a separate array item; values are passed verbatim and in order. See the [CLI ssh reference](https://coder.com/docs/reference/cli/ssh) for available flags.\n\nNote that the following flags are ignored because they are managed internally by the extension: `--network-info-dir`, `--log-dir`, `--ssh-host-prefix`. To manage the `--disable-autostart` flag, use the `coder.disableAutostart` setting.",
+					"type": "array",
+					"items": {
+						"type": "string"
+					}
+				},
 				"coder.globalFlags": {
 					"markdownDescription": "Global flags to pass to every Coder CLI invocation. Enter each flag as a separate array item; values are passed verbatim and in order. Do **not** include the `coder` command itself. See the [CLI reference](https://coder.com/docs/reference/cli) for available global flags.\n\nNote that for `--header-command`, precedence is: `#coder.headerCommand#` setting, then `CODER_HEADER_COMMAND` environment variable, then the value specified here. The `--global-config` flag is explicitly ignored.",
 					"type": "array",

src/cliConfig.ts

@@ -38,3 +38,10 @@ export function shouldDisableAutostart(
 	);
 	return setting === "always" || (setting === "auto" && platform === "darwin");
 }
+
+/**
+ * Returns SSH flags for the `coder ssh` command from user configuration.
+ */
+export function getSshFlags(configs: WorkspaceConfiguration): string[] {
+	return configs.get<string[]>("coder.sshFlags") || [];
+}

src/remote/remote.ts

@@ -20,7 +20,11 @@ import {
 import { extractAgents } from "../api/api-helper";
 import { CoderApi } from "../api/coderApi";
 import { needToken } from "../api/utils";
-import { getGlobalFlags, shouldDisableAutostart } from "../cliConfig";
+import {
+	getGlobalFlags,
+	getSshFlags,
+	shouldDisableAutostart,
+} from "../cliConfig";
 import { type Commands } from "../commands";
 import { type CliManager } from "../core/cliManager";
 import * as cliUtils from "../core/cliUtils";
@@ -571,16 +575,85 @@ export class Remote {
 	}
 
 	/**
-	 * Formats the --log-dir argument for the ProxyCommand after making sure it
+	 * Builds the ProxyCommand for SSH connections to Coder workspaces.
+	 * Uses `coder ssh` for modern deployments with wildcard support,
+	 * or falls back to `coder vscodessh` for older deployments.
+	 */
+	private async buildProxyCommand(
+		binaryPath: string,
+		label: string,
+		hostPrefix: string,
+		logDir: string,
+		useWildcardSSH: boolean,
+	): Promise<string> {
+		const vscodeConfig = vscode.workspace.getConfiguration();
+
+		const escapedBinaryPath = escapeCommandArg(binaryPath);
+		const globalConfig = getGlobalFlags(
+			vscodeConfig,
+			this.pathResolver.getGlobalConfigDir(label),
+		);
+		const logArgs = await this.getLogArgs(logDir);
+
+		if (useWildcardSSH) {
+			// User SSH flags are included first; internally-managed flags
+			// are appended last so they take precedence.
+			const userSSHFlags = getSshFlags(vscodeConfig);
+			const disableAutostart = shouldDisableAutostart(
+				vscodeConfig,
+				process.platform,
+			)
+				? ["--disable-autostart"]
+				: [];
+			const internalFlags = [
+				"--stdio",
+				"--usage-app=vscode",
+				"--network-info-dir",
+				escapeCommandArg(this.pathResolver.getNetworkInfoPath()),
+				...logArgs,
+				...disableAutostart,
+				"--ssh-host-prefix",
+				hostPrefix,
+				"%h",
+			];
+
+			const allFlags = [...userSSHFlags, ...internalFlags];
+			return `${escapedBinaryPath} ${globalConfig.join(" ")} ssh ${allFlags.join(" ")}`;
+		} else {
+			const networkInfoDir = escapeCommandArg(
+				this.pathResolver.getNetworkInfoPath(),
+			);
+			const sessionTokenFile = escapeCommandArg(
+				this.pathResolver.getSessionTokenPath(label),
+			);
+			const urlFile = escapeCommandArg(this.pathResolver.getUrlPath(label));
+
+			const sshFlags = [
+				"--network-info-dir",
+				networkInfoDir,
+				...logArgs,
+				"--session-token-file",
+				sessionTokenFile,
+				"--url-file",
+				urlFile,
+				"%h",
+			];
+
+			return `${escapedBinaryPath} ${globalConfig.join(" ")} vscodessh ${sshFlags.join(" ")}`;
+		}
+	}
+
+	/**
+	 * Returns the --log-dir argument for the ProxyCommand after making sure it
 	 * has been created.
 	 */
-	private async formatLogArg(logDir: string): Promise<string> {
+	private async getLogArgs(logDir: string): Promise<string[]> {
 		if (!logDir) {
-			return "";
+			return [];
 		}
 		await fs.mkdir(logDir, { recursive: true });
 		this.logger.info("SSH proxy diagnostics are being written to", logDir);
-		return ` --log-dir ${escapeCommandArg(logDir)} -v`;
+		return ["--log-dir", escapeCommandArg(logDir), "-v"];
 	}
 
 	// updateSSHConfig updates the SSH configuration with a wildcard that handles
@@ -666,15 +739,13 @@ export class Remote {
 			? `${AuthorityPrefix}.${label}--`
 			: `${AuthorityPrefix}--`;
 
-		const globalConfigs = this.globalConfigs(label);
-
-		const proxyCommand = featureSet.wildcardSSH
-			? `${escapeCommandArg(binaryPath)}${globalConfigs} ssh --stdio --usage-app=vscode${this.disableAutostartConfig()} --network-info-dir ${escapeCommandArg(this.pathResolver.getNetworkInfoPath())}${await this.formatLogArg(logDir)} --ssh-host-prefix ${hostPrefix} %h`
-			: `${escapeCommandArg(binaryPath)}${globalConfigs} vscodessh --network-info-dir ${escapeCommandArg(
-					this.pathResolver.getNetworkInfoPath(),
-				)}${await this.formatLogArg(logDir)} --session-token-file ${escapeCommandArg(this.pathResolver.getSessionTokenPath(label))} --url-file ${escapeCommandArg(
-					this.pathResolver.getUrlPath(label),
-				)} %h`;
+		const proxyCommand = await this.buildProxyCommand(
+			binaryPath,
+			label,
+			hostPrefix,
+			logDir,
+			featureSet.wildcardSSH,
+		);
 
 		const sshValues: SSHValues = {
 			Host: hostPrefix + `*`,
@@ -727,15 +798,6 @@ export class Remote {
 		return sshConfig.getRaw();
 	}
 
-	private globalConfigs(label: string): string {
-		const vscodeConfig = vscode.workspace.getConfiguration();
-		const args = getGlobalFlags(
-			vscodeConfig,
-			this.pathResolver.getGlobalConfigDir(label),
-		);
-		return ` ${args.join(" ")}`;
-	}
-
 	private watchLogDirSetting(
 		currentLogDir: string,
 		featureSet: FeatureSet,
@@ -812,13 +874,6 @@ export class Remote {
 		return [statusBarItem, agentWatcher, onChangeDisposable];
 	}
 
-	private disableAutostartConfig(): string {
-		const configs = vscode.workspace.getConfiguration();
-		return shouldDisableAutostart(configs, process.platform)
-			? " --disable-autostart"
-			: "";
-	}
-
 	// closeRemote ends the current remote session.
 	public async closeRemote() {
 		await vscode.commands.executeCommand("workbench.action.remote.close");

test/unit/cliConfig.test.ts

@@ -1,7 +1,11 @@
 import { it, expect, describe } from "vitest";
 import { type WorkspaceConfiguration } from "vscode";
 
-import { getGlobalFlags, shouldDisableAutostart } from "@/cliConfig";
+import {
+	getGlobalFlags,
+	getSshFlags,
+	shouldDisableAutostart,
+} from "@/cliConfig";
 
 import { isWindows } from "../utils/platform";
 
@@ -123,6 +127,32 @@ describe("cliConfig", () => {
 			expect(shouldDisableAutostart(config, "linux")).toBe(false);
 		});
 	});
+
+	describe("getSshFlags", () => {
+		it("returns empty array when no SSH flags configured", () => {
+			const config = {
+				get: () => undefined,
+			} as unknown as WorkspaceConfiguration;
+
+			expect(getSshFlags(config)).toStrictEqual([]);
+		});
+
+		it("returns SSH flags from config", () => {
+			const config = {
+				get: (key: string) =>
+					key === "coder.sshFlags"
+						? ["--disable-autostart", "--wait=yes", "--ssh-host-prefix=custom"]
+						: undefined,
+			} as unknown as WorkspaceConfiguration;
+
+			expect(getSshFlags(config)).toStrictEqual([
+				"--disable-autostart",
+				"--wait=yes",
+				// No filtering and returned as-is (even though it'll be overridden later)
+				"--ssh-host-prefix=custom",
+			]);
+		});
+	});
 });
 
 function quoteCommand(value: string): string {