fix: address all PR review comments

Author: datlechin

TablePro/Core/SSH/Auth/AgentAuthenticator.swift

@@ -3,11 +3,12 @@
 //  TablePro
 //
 
-import CLibSSH2
 import Foundation
 import os
 
-struct AgentAuthenticator: SSHAuthenticator {
+import CLibSSH2
+
+internal struct AgentAuthenticator: SSHAuthenticator {
     private static let logger = Logger(subsystem: "com.TablePro", category: "AgentAuthenticator")
 
     /// Protects setenv/unsetenv of SSH_AUTH_SOCK across concurrent tunnel setups

TablePro/Core/SSH/Auth/CompositeAuthenticator.swift

@@ -3,24 +3,28 @@
 //  TablePro
 //
 
-import CLibSSH2
 import Foundation
 import os
 
+import CLibSSH2
+
 /// Authenticator that tries multiple auth methods in sequence.
 /// Used for servers requiring e.g. password + keyboard-interactive (TOTP).
-struct CompositeAuthenticator: SSHAuthenticator {
+internal struct CompositeAuthenticator: SSHAuthenticator {
     private static let logger = Logger(subsystem: "com.TablePro", category: "CompositeAuthenticator")
 
     let authenticators: [any SSHAuthenticator]
 
     func authenticate(session: OpaquePointer, username: String) throws {
+        var lastError: Error?
         for (index, authenticator) in authenticators.enumerated() {
-            Self.logger.debug(
-                "Trying authenticator \(index + 1)/\(authenticators.count): \(String(describing: type(of: authenticator)))"
-            )
-
-            try authenticator.authenticate(session: session, username: username)
+            Self.logger.debug("Trying authenticator \(index + 1)/\(authenticators.count)")
+            do {
+                try authenticator.authenticate(session: session, username: username)
+            } catch {
+                Self.logger.debug("Authenticator \(index + 1) failed: \(error)")
+                lastError = error
+            }
 
             if libssh2_userauth_authenticated(session) != 0 {
                 Self.logger.info("Authentication succeeded after \(index + 1) step(s)")
@@ -29,7 +33,7 @@ struct CompositeAuthenticator: SSHAuthenticator {
         }
 
         if libssh2_userauth_authenticated(session) == 0 {
-            throw SSHTunnelError.authenticationFailed
+            throw lastError ?? SSHTunnelError.authenticationFailed
         }
     }
 }

TablePro/Core/SSH/Auth/KeyboardInteractiveAuthenticator.swift

@@ -3,19 +3,20 @@
 //  TablePro
 //
 
-import CLibSSH2
 import Foundation
 import os
 
+import CLibSSH2
+
 /// Prompt type classification for keyboard-interactive authentication
-enum KBDINTPromptType {
+internal enum KBDINTPromptType {
     case password
     case totp
     case unknown
 }
 
 /// Context passed through the libssh2 session abstract pointer to the C callback
-final class KeyboardInteractiveContext {
+internal final class KeyboardInteractiveContext {
     var password: String?
     var totpCode: String?
 
@@ -82,7 +83,7 @@ private let kbdintCallback: @convention(c) (
     }
 }
 
-struct KeyboardInteractiveAuthenticator: SSHAuthenticator {
+internal struct KeyboardInteractiveAuthenticator: SSHAuthenticator {
     private static let logger = Logger(
         subsystem: "com.TablePro",
         category: "KeyboardInteractiveAuthenticator"

TablePro/Core/SSH/Auth/PasswordAuthenticator.swift

@@ -3,10 +3,11 @@
 //  TablePro
 //
 
-import CLibSSH2
 import Foundation
 
-struct PasswordAuthenticator: SSHAuthenticator {
+import CLibSSH2
+
+internal struct PasswordAuthenticator: SSHAuthenticator {
     let password: String
 
     func authenticate(session: OpaquePointer, username: String) throws {

TablePro/Core/SSH/Auth/PromptTOTPProvider.swift

@@ -10,39 +10,48 @@ import Foundation
 ///
 /// This provider blocks the calling thread while the alert is displayed on the main thread.
 /// It is intended for interactive SSH sessions where no TOTP secret is configured.
-final class PromptTOTPProvider: TOTPProvider, @unchecked Sendable {
+internal final class PromptTOTPProvider: TOTPProvider, @unchecked Sendable {
     func provideCode() throws -> String {
+        if Thread.isMainThread {
+            return try handleResult(showAlert())
+        }
+
         let semaphore = DispatchSemaphore(value: 0)
         var code: String?
-
         DispatchQueue.main.async {
-            let alert = NSAlert()
-            alert.messageText = String(localized: "Verification Code Required")
-            alert.informativeText = String(
-                localized: "Enter the TOTP verification code for SSH authentication."
-            )
-            alert.alertStyle = .informational
-            alert.addButton(withTitle: String(localized: "Connect"))
-            alert.addButton(withTitle: String(localized: "Cancel"))
-
-            let textField = NSTextField(frame: NSRect(x: 0, y: 0, width: 200, height: 24))
-            textField.placeholderString = "000000"
-            alert.accessoryView = textField
-            alert.window.initialFirstResponder = textField
-
-            let response = alert.runModal()
-            if response == .alertFirstButtonReturn {
-                code = textField.stringValue
-            }
+            code = self.showAlert()
             semaphore.signal()
         }
-
         let result = semaphore.wait(timeout: .now() + 120)
-
         guard result == .success else {
             throw SSHTunnelError.connectionTimeout
         }
+        return try handleResult(code)
+    }
+
+    private func showAlert() -> String? {
+        let alert = NSAlert()
+        alert.messageText = String(localized: "Verification Code Required")
+        alert.informativeText = String(
+            localized: "Enter the TOTP verification code for SSH authentication."
+        )
+        alert.alertStyle = .informational
+        alert.addButton(withTitle: String(localized: "Connect"))
+        alert.addButton(withTitle: String(localized: "Cancel"))
+
+        let textField = NSTextField(frame: NSRect(x: 0, y: 0, width: 200, height: 24))
+        textField.placeholderString = "000000"
+        alert.accessoryView = textField
+        alert.window.initialFirstResponder = textField
+
+        let response = alert.runModal()
+        if response == .alertFirstButtonReturn {
+            return textField.stringValue
+        }
+        return nil
+    }
 
+    private func handleResult(_ code: String?) throws -> String {
         guard let totpCode = code, !totpCode.isEmpty else {
             throw SSHTunnelError.authenticationFailed
         }

TablePro/Core/SSH/Auth/PublicKeyAuthenticator.swift

@@ -3,10 +3,11 @@
 //  TablePro
 //
 
-import CLibSSH2
 import Foundation
 
-struct PublicKeyAuthenticator: SSHAuthenticator {
+import CLibSSH2
+
+internal struct PublicKeyAuthenticator: SSHAuthenticator {
     let privateKeyPath: String
     let passphrase: String?
 

TablePro/Core/SSH/Auth/SSHAuthenticator.swift

@@ -3,11 +3,12 @@
 //  TablePro
 //
 
-import CLibSSH2
 import Foundation
 
+import CLibSSH2
+
 /// Protocol for SSH authentication methods
-protocol SSHAuthenticator: Sendable {
+internal protocol SSHAuthenticator: Sendable {
     /// Authenticate the SSH session
     /// - Parameters:
     ///   - session: libssh2 session pointer

TablePro/Core/SSH/Auth/TOTPProvider.swift

@@ -6,7 +6,7 @@
 import Foundation
 
 /// Protocol for providing TOTP verification codes
-protocol TOTPProvider: Sendable {
+internal protocol TOTPProvider: Sendable {
     /// Generate or obtain a TOTP code
     /// - Returns: The TOTP code string
     /// - Throws: SSHTunnelError if the code cannot be obtained
@@ -18,7 +18,7 @@ protocol TOTPProvider: Sendable {
 /// If the current code expires in less than 5 seconds, waits for the next
 /// period to avoid submitting a code that expires during the authentication handshake.
 /// The maximum wait is ~6 seconds (bounded).
-struct AutoTOTPProvider: TOTPProvider {
+internal struct AutoTOTPProvider: TOTPProvider {
     let generator: TOTPGenerator
 
     func provideCode() throws -> String {

TablePro/Core/SSH/HostKeyStore.swift

@@ -12,7 +12,7 @@ import Foundation
 import os
 
 /// Manages SSH host key verification for known hosts
-final class HostKeyStore: @unchecked Sendable {
+internal final class HostKeyStore: @unchecked Sendable {
     static let shared = HostKeyStore()
 
     private static let logger = Logger(subsystem: "com.TablePro", category: "HostKeyStore")
@@ -27,11 +27,14 @@ final class HostKeyStore: @unchecked Sendable {
     private let lock = NSLock()
 
     private init() {
-        let appSupport = FileManager.default.urls(for: .applicationSupportDirectory, in: .userDomainMask).first!
+        guard let appSupport = FileManager.default.urls(
+            for: .applicationSupportDirectory, in: .userDomainMask
+        ).first else {
+            self.filePath = NSTemporaryDirectory() + "TablePro_known_hosts"
+            return
+        }
         let tableProDir = appSupport.appendingPathComponent("TablePro")
-
         try? FileManager.default.createDirectory(at: tableProDir, withIntermediateDirectories: true)
-
         self.filePath = tableProDir.appendingPathComponent("known_hosts").path
     }
 
@@ -57,7 +60,7 @@ final class HostKeyStore: @unchecked Sendable {
         let currentFingerprint = Self.fingerprint(of: keyData)
         let entries = loadEntries()
 
-        guard let existing = entries.first(where: { $0.host == hostKey }) else {
+        guard let existing = entries.first(where: { $0.host == hostKey && $0.keyType == keyType }) else {
             Self.logger.info("Unknown host key for \(hostKey)")
             return .unknown(fingerprint: currentFingerprint, keyType: keyType)
         }
@@ -85,8 +88,8 @@ final class HostKeyStore: @unchecked Sendable {
         let hostKey = hostIdentifier(hostname, port)
         var entries = loadEntries()
 
-        // Remove existing entry for this host if present
-        entries.removeAll { $0.host == hostKey }
+        // Remove existing entry for this host and key type if present
+        entries.removeAll { $0.host == hostKey && $0.keyType == keyType }
 
         entries.append((host: hostKey, keyType: keyType, keyData: key))
         saveEntries(entries)

TablePro/Core/SSH/HostKeyVerifier.swift

@@ -11,7 +11,7 @@ import Foundation
 import os
 
 /// Handles host key verification with UI prompts
-enum HostKeyVerifier {
+internal enum HostKeyVerifier {
     private static let logger = Logger(subsystem: "com.TablePro", category: "HostKeyVerifier")
 
     /// Verify the host key, prompting the user if needed.