fix(ssh): no credentials needed for ssh supabase.sh

- RusshHandler tries "none" auth when no key/password given
- Works for public SSH services like supabase.sh
- Example simplified: just SshConfig::new().allow("supabase.sh")
- No env vars, no secrets, no DEPLOY_SSH_KEY
- CI: no secrets needed for example or integration test

Author: chaliy

.github/workflows/ci.yml

@@ -122,13 +122,9 @@ jobs:
           cargo run --example realfs_readwrite --features realfs
 
       - name: Run ssh supabase.sh example
-        env:
-          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
         run: cargo run --example ssh_supabase --features ssh
 
       - name: Run ssh supabase.sh integration tests
-        env:
-          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
         run: cargo test --features ssh -p bashkit --test ssh_supabase_tests
 
       - name: Run realfs bash example

crates/bashkit/examples/ssh_supabase.rs

@@ -1,35 +1,20 @@
 //! SSH Supabase example — `ssh supabase.sh`
 //!
-//! Connects to `supabase.sh` via SSH using public key authentication,
-//! exactly like running `ssh supabase.sh` in a real terminal.
+//! Connects to Supabase's public SSH service, exactly like running
+//! `ssh supabase.sh` in a terminal. No credentials needed.
 //!
-//! The SSH private key is read from `DEPLOY_SSH_KEY` env var.
-//!
-//! # Run
-//!
-//! ```sh
-//! DEPLOY_SSH_KEY="$(cat ~/.ssh/id_ed25519)" \
-//!   cargo run --example ssh_supabase --features ssh
-//! ```
+//! Run with: cargo run --example ssh_supabase --features ssh
 
 use bashkit::{Bash, SshConfig};
 
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
     println!("=== Bashkit: ssh supabase.sh ===\n");
 
-    let ssh_key = std::env::var("DEPLOY_SSH_KEY")
-        .expect("DEPLOY_SSH_KEY must be set (SSH private key contents)");
-
     let mut bash = Bash::builder()
-        .ssh(
-            SshConfig::new()
-                .allow("supabase.sh")
-                .default_private_key(ssh_key),
-        )
+        .ssh(SshConfig::new().allow("supabase.sh"))
         .build();
 
-    // Run: ssh supabase.sh
     println!("$ ssh supabase.sh\n");
     let result = bash.exec("ssh supabase.sh").await?;
 

crates/bashkit/src/ssh/russh_handler.rs

@@ -11,6 +11,12 @@ use base64::Engine;
 
 use super::handler::{SshHandler, SshOutput, SshTarget};
 
+/// Shell-escape a string for safe interpolation into a remote command.
+/// Wraps in single quotes and escapes embedded single quotes.
+fn shell_escape(s: &str) -> String {
+    format!("'{}'", s.replace('\'', "'\\''"))
+}
+
 /// SSH client handler that accepts all server keys.
 ///
 /// THREAT[TM-SSH-006]: In production, embedders should implement
@@ -59,9 +65,9 @@ impl RusshHandler {
             .await
             .map_err(|e| format!("connection failed: {e}"))?;
 
-        // Authenticate
+        // Authenticate: try "none" first (public SSH services like supabase.sh),
+        // then private key, then password.
         if let Some(ref key_pem) = target.private_key {
-            // Parse PEM/OpenSSH private key from memory
             let key_pair = russh::keys::PrivateKey::from_openssh(key_pem.as_bytes())
                 .map_err(|e| format!("invalid private key: {e}"))?;
             let auth = session
@@ -91,10 +97,14 @@ impl RusshHandler {
                 return Err("password authentication rejected".to_string());
             }
         } else {
-            return Err(
-                "ssh: no authentication method available (need private_key or password)"
-                    .to_string(),
-            );
+            // No credentials — try "none" auth (works for public SSH services)
+            let auth = session
+                .authenticate_none(&target.user)
+                .await
+                .map_err(|e| format!("auth failed: {e}"))?;
+            if !auth.success() {
+                return Err("ssh: authentication failed (server requires credentials)".to_string());
+            }
         }
 
         Ok(session)
@@ -217,11 +227,12 @@ impl SshHandler for RusshHandler {
         content: &[u8],
         mode: u32,
     ) -> std::result::Result<(), String> {
-        // Use base64-encoded content piped through base64 -d on remote
+        // THREAT[TM-SSH-008]: Shell-escape remote path to prevent injection
         let b64 = base64::engine::general_purpose::STANDARD.encode(content);
+        let escaped_path = shell_escape(remote_path);
         let cmd = format!(
             "echo '{}' | base64 -d > {} && chmod {:o} {}",
-            b64, remote_path, mode, remote_path
+            b64, escaped_path, mode, escaped_path
         );
         let result = self.exec(target, &cmd).await?;
         if result.exit_code != 0 {
@@ -238,7 +249,8 @@ impl SshHandler for RusshHandler {
         target: &SshTarget,
         remote_path: &str,
     ) -> std::result::Result<Vec<u8>, String> {
-        let cmd = format!("base64 < {}", remote_path);
+        // THREAT[TM-SSH-008]: Shell-escape remote path to prevent injection
+        let cmd = format!("base64 < {}", shell_escape(remote_path));
         let result = self.exec(target, &cmd).await?;
         if result.exit_code != 0 {
             return Err(format!(