feat: host-browser passthrough, xdg-open shim, and code bridge for idc shell/copilot#15
Merged
Merged
Conversation
…e bridge from connected VS Code Discover a connected VS Code's IPC socket and browser helper and inject BROWSER + VSCODE_IPC_HOOK_CLI on docker exec, so browser logins (az, gh, glab, snowflake) reach the host. Also drop an xdg-open shim (+ aliases) that forwards to the helper, fixing tools that ignore $BROWSER (e.g. Atlassian acli) which VS Code itself can't forward. idc shell additionally prepends VS Code's remote-cli dir so `code` opens in the connected window. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Piggyback on a connected VS Code session so
idc shellandidc copilotreproduce VS Code's terminal host-bridges — without VS Code having to be the thing you launched. Same parasitic trick already used forSSH_AUTH_SOCK.When a VS Code window is attached to the devcontainer,
idcdiscovers its CLI IPC socket and browser helper inside the container (find_vscode_bridges, mirroringfind_ssh_socket) and injects them ondocker exec:BROWSER+VSCODE_IPC_HOOK_CLI, so browser logins (az login,gh auth login,glab auth login,snowflake, …) open your host browser, and the OAuthlocalhostcallback completes via VS Code's automatic port forwarding. Applies to bothidc shellandidc copilot.xdg-openshim — materializes anxdg-open(plusx-www-browser/gnome-open/gnome-www-browser/sensible-browser/www-browseraliases) ahead ofPATHthatexecs the VS Code browser helper. This fixes tools that callxdg-opendirectly and ignore$BROWSER— which neither VS Code nor a plain$BROWSERexport can forward. Applies to both subcommands.codebridge —idc shellprepends VS Code'sremote-clidir toPATHsocode <file>opens in the connected window.All of this needs VS Code connected; otherwise
idcprints a one-line hint and continues unchanged (no behavior change, argv identical to today).Why the
xdg-openshim (the Atlassianaclicase)Verified by inspecting both the macOS and
acli_linux_amd64binaries:acli(Go) opens the browser via its ownOpenBrowserutil —openon macOS, barexdg-openon Linux — with zero$BROWSERreferences and no fallback chain. VS Code only sets$BROWSERand never shimsxdg-open, soacliworks on a Mac host but silently no-ops in a VS Code dev container. Because it calls barexdg-open(PATH-resolved), the shim intercepts it → host browser. This makesidcstrictly better than a plain VS Code terminal here.How it works (mechanism, verified against
microsoft/vscode)BROWSER=<server>/bin/helpers/browser-linux.shjust runsnode out/server-cli.js --openExternal <url>, which talks overVSCODE_IPC_HOOK_CLIto the connected VS Code, which opens the host browser. Discovery is one combineddocker exec sh -cprobe returning the IPC socket, browser helper, and remote-cli dir (eachtest-validated).Testing
TestFindVscodeBridges(mirrorsTestFindSshSocket) + env/PATH-wrapper injection assertions for both subcommands.xdg-openand an alias both forward to the helper.uv run ruff checkclean;uv run pytest— 366 passed.Out of scope / notes
host.docker.internal+ callback-port proxy) is documented as deferred inproject/plans/2026-06-30-browser-passthrough/./copy: investigated separately. It uses an in-process native X11/Wayland clipboard (no shell-out, no$BROWSER), printing a scaryFailed to create clipboard context: $DISPLAY variable not setin containers — but it falls back to OSC 52, which rides the-itPTY straight throughdocker execand reaches the host clipboard. Confirmed working; it's an upstream cosmetic-error issue (/copy shows clipboard error but still copies successfully github/copilot-cli#3521), nothing foridcto change.Docs:
README.mdupdated; research + plan underproject/plans/2026-06-30-browser-passthrough/.