Skip to content

feat(ssh): add ssh/scp/sftp builtins with russh transport#945

Open
chaliy wants to merge 1 commit intomainfrom
claude/ssh-supabase-bashkit-9YgaZ
Open

feat(ssh): add ssh/scp/sftp builtins with russh transport#945
chaliy wants to merge 1 commit intomainfrom
claude/ssh-supabase-bashkit-9YgaZ

Conversation

@chaliy
Copy link
Copy Markdown
Contributor

@chaliy chaliy commented Apr 1, 2026

Summary

  • Add SSH support as opt-in feature (ssh), following the same pattern as git and http_client
  • SshHandler trait for pluggable transport, default RusshHandler backed by russh 0.52
  • SshAllowlist with glob patterns (*.supabase.co) and port restrictions (default-deny)
  • SshConfig builder: timeouts, response limits, session limits, default user/key/password
  • ssh builtin: remote command exec, heredoc, shell sessions (ssh supabase.sh)
  • scp builtin: upload/download between VFS and remote hosts
  • sftp builtin: non-interactive put/get/ls via heredoc/pipe
  • Auth: none (public services), pubkey, or password — tried in that order
  • Example: ssh supabase.sh — no credentials needed
  • 33 integration tests via mock handler + 2 real connection tests
  • Shell injection fix (TM-SSH-008): all remote paths are shell-escaped

Test plan

  • 33 builtin integration tests (ssh_builtin_tests.rs) covering: basic exec, user@host, shell sessions, heredoc, blocked hosts, wildcards, port flags, identity flags, pipe output, variable capture, SCP upload/download/errors, SFTP put/get/ls/errors, not-configured errors
  • 2 real connection tests (ssh_supabase_tests.rs): ssh supabase.sh connect + allowlist rejection
  • 13 allowlist unit tests, 3 config tests, 6 client tests
  • All 1979+ existing lib tests pass with --features ssh
  • cargo fmt --check clean
  • cargo clippy --features ssh -- -D warnings clean
  • CI: example + integration tests run in Examples job

@chaliy chaliy force-pushed the claude/ssh-supabase-bashkit-9YgaZ branch 9 times, most recently from e1169ff to 2c5af74 Compare April 3, 2026 10:10
@chaliy chaliy closed this Apr 3, 2026
@chaliy chaliy reopened this Apr 3, 2026
@chaliy chaliy force-pushed the claude/ssh-supabase-bashkit-9YgaZ branch 3 times, most recently from 271ee72 to 403d10b Compare April 4, 2026 14:30
@chaliy
feat(ssh): add ssh/scp/sftp builtins with russh transport
aef40de 
- SSH support as opt-in feature (ssh), following git/http_client pattern
- SshHandler trait for pluggable transport, default RusshHandler (russh 0.52)
- SshAllowlist with glob patterns and port restrictions (default-deny)
- SshConfig builder: timeouts, response limits, session limits, auth
- ssh builtin: remote exec, heredoc, shell sessions (ssh supabase.sh)
- scp builtin: upload/download between VFS and remote hosts
- sftp builtin: non-interactive put/get/ls via heredoc/pipe
- Auth: none (public services), pubkey, or password
- Shell injection fix (TM-SSH-008): remote paths are shell-escaped
- Example: ssh supabase.sh — no credentials needed
- 24 mock integration tests + 2 real connection tests
- Spec 015, SSH rustdoc guide, cargo-vet exemptions, cargo-audit ignore
@chaliy chaliy force-pushed the claude/ssh-supabase-bashkit-9YgaZ branch from 403d10b to aef40de Compare April 4, 2026 14:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@chaliy