refactor: Harden and improve SSH agent module

- Add extensive security validations for SSH agent - Implement robust `ssh-agent` auto-start script - Enhance `sshagent` operations with improved error handling - Revamp `sshagent` test suite for comprehensive coverage - Update `sshagent` README with detailed documentation
2025-08-25 16:32:20 +03:00
parent 0bc6150986
commit 32e7a6df4f
19 changed files with 787 additions and 1648 deletions
--- a/debug.logs
+++ b/debug.logs
--- a/examples/osal/sshagent/sshagent.vsh
+++ b/examples/osal/sshagent/sshagent.vsh
--- a/examples/osal/sshagent/sshagent_example.v
+++ b/examples/osal/sshagent/sshagent_example.v
@@ -1,51 +0,0 @@
 module main
 import freeflowuniverse.herolib.osal.sshagent
 import freeflowuniverse.herolib.osal.linux
 fn do1() ! {
 	mut agent := sshagent.new()!
 	println(agent)
 	k := agent.get(name: 'kds') or { panic('notgound') }
 	println(k)
 	mut k2 := agent.get(name: 'books') or { panic('notgound') }
 	k2.load()!
 	println(k2.agent)
 	println(agent)
 	k2.forget()!
 	println(k2.agent)
 	// println(agent)
 }
 fn test_user_mgmt() ! {
 	mut lf := linux.new()!
 	// Test user creation
 	lf.user_create(
 		name:   'testuser'
 		sshkey: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM3/2K7R8A/l0kM0/d'
 	)!
 	// Test ssh key creation
 	lf.sshkey_create(
 		username:    'testuser'
 		sshkey_name: 'testkey'
 	)!
 	// Test ssh key deletion
 	lf.sshkey_delete(
 		username:    'testuser'
 		sshkey_name: 'testkey'
 	)!
 	// Test user deletion
 	lf.user_delete(name: 'testuser')!
 }
 fn main() {
 	do1() or { panic(err) }
 	test_user_mgmt() or { panic(err) }
 }
--- a/examples/osal/sshagent/sshagent_example.vsh
+++ b/examples/osal/sshagent/sshagent_example.vsh
@@ -0,0 +1,168 @@
 #!/usr/bin/env -S v -n -w -gc none  -cc tcc -d use_openssl -enable-globals run
 import freeflowuniverse.herolib.osal.sshagent
 import freeflowuniverse.herolib.osal.linux
 import freeflowuniverse.herolib.ui.console
 fn demo_sshagent_basic() ! {
 	console.print_header('SSH Agent Basic Demo')
 	// Create SSH agent
 	mut agent := sshagent.new()!
 	console.print_debug('SSH Agent initialized')
 	// Show current status
 	console.print_header('Current SSH Agent Status:')
 	println(agent)
 	// Show diagnostics
 	diag := agent.diagnostics()
 	console.print_header('SSH Agent Diagnostics:')
 	for key, value in diag {
 		console.print_item('${key}: ${value}')
 	}
 }
 fn demo_sshagent_key_management() ! {
 	console.print_header('SSH Agent Key Management Demo')
 	mut agent := sshagent.new()!
 	// Generate a test key if it doesn't exist
 	test_key_name := 'herolib_demo_key'
 	// Clean up any existing test key first
 	if existing_key := agent.get(name: test_key_name) {
 		console.print_debug('Removing existing test key...')
 		// Remove existing key files
 		mut key_file := agent.homepath.file_get_new('${test_key_name}')!
 		mut pub_key_file := agent.homepath.file_get_new('${test_key_name}.pub')!
 		key_file.delete() or {}
 		pub_key_file.delete() or {}
 	} else {
 		console.print_debug('No existing test key found')
 	}
 	// Generate new key with empty passphrase
 	console.print_debug('Generating new SSH key: ${test_key_name}')
 	mut new_key := agent.generate(test_key_name, '')!
 	console.print_green('✓ Generated new SSH key: ${test_key_name}')
 	// Show key information
 	console.print_item('Key name: ${new_key.name}')
 	console.print_item('Key type: ${new_key.cat}')
 	console.print_item('Key loaded: ${new_key.loaded}')
 	// Demonstrate key operations without loading (to avoid passphrase issues)
 	console.print_header('Key file operations:')
 	mut key_path := new_key.keypath()!
 	mut pub_key_path := new_key.keypath_pub()!
 	console.print_item('Private key path: ${key_path.path}')
 	console.print_item('Public key path: ${pub_key_path.path}')
 	// Show public key content
 	pub_key_content := new_key.keypub()!
 	preview_len := if pub_key_content.len > 60 { 60 } else { pub_key_content.len }
 	console.print_item('Public key: ${pub_key_content[0..preview_len]}...')
 	// Show agent status
 	console.print_header('Agent status after key generation:')
 	println(agent)
 	// Clean up test key
 	console.print_debug('Cleaning up test key...')
 	key_path.delete()!
 	pub_key_path.delete()!
 	console.print_green('✓ Test key cleaned up')
 }
 fn demo_sshagent_with_existing_keys() ! {
 	console.print_header('SSH Agent with Existing Keys Demo')
 	mut agent := sshagent.new()!
 	if agent.keys.len == 0 {
 		console.print_debug('No SSH keys found. Generating example key...')
 		mut key := agent.generate('example_demo_key', '')!
 		key.load()!
 		console.print_green('✓ Created and loaded example key')
 	}
 	console.print_header('Available SSH keys:')
 	for key in agent.keys {
 		status := if key.loaded { 'LOADED' } else { 'NOT LOADED' }
 		console.print_item('${key.name} - ${status} (${key.cat})')
 	}
 	// Try to work with the first available key
 	if agent.keys.len > 0 {
 		mut first_key := agent.keys[0]
 		console.print_header('Working with key: ${first_key.name}')
 		if first_key.loaded {
 			console.print_debug('Key is loaded, showing public key info...')
 			pubkey := first_key.keypub() or { 'Could not read public key' }
 			preview_len := if pubkey.len > 50 { 50 } else { pubkey.len }
 			console.print_item('Public key preview: ${pubkey[0..preview_len]}...')
 		}
 	}
 }
 fn test_user_mgmt() ! {
 	console.print_header('User Management Test')
 	// Note: This requires root privileges and should be run carefully
 	console.print_debug('User management test requires root privileges')
 	console.print_debug('Skipping user management test in this demo')
 	// Uncomment below to test user management (requires root)
 	/*
 	mut lf := linux.new()!
 	// Test user creation
 	lf.user_create(
 		name:   'testuser'
 		sshkey: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM3/2K7R8A/l0kM0/d'
 	)!
 	// Test ssh key creation
 	lf.sshkey_create(
 		username:    'testuser'
 		sshkey_name: 'testkey'
 	)!
 	// Test ssh key deletion
 	lf.sshkey_delete(
 		username:    'testuser'
 		sshkey_name: 'testkey'
 	)!
 	// Test user deletion
 	lf.user_delete(name: 'testuser')!
 	*/
 }
 fn main() {
 	console.print_header('🔑 SSH Agent Example - HeroLib')
 	demo_sshagent_basic() or {
 		console.print_stderr('❌ Basic demo failed: ${err}')
 		return
 	}
 	demo_sshagent_key_management() or {
 		console.print_stderr('❌ Key management demo failed: ${err}')
 		return
 	}
 	demo_sshagent_with_existing_keys() or {
 		console.print_stderr('❌ Existing keys demo failed: ${err}')
 		return
 	}
 	test_user_mgmt() or {
 		console.print_stderr('❌ User management test failed: ${err}')
 		return
 	}
 	console.print_header('🎉 All SSH Agent demos completed successfully!')
 }
--- a/lib/builder/bootstrapper.v
+++ b/lib/builder/bootstrapper.v
@@ -5,7 +5,6 @@ import freeflowuniverse.herolib.core.texttools
 import freeflowuniverse.herolib.core.pathlib
 import freeflowuniverse.herolib.osal.core as osal
 import freeflowuniverse.herolib.ui.console
 import freeflowuniverse.herolib.ui
 import v.embed_file
 const heropath_ = os.dir(@FILE) + '/../'
--- a/lib/core/base/factory_context.v
+++ b/lib/core/base/factory_context.v
@@ -1,9 +1,6 @@
 module base
 import freeflowuniverse.herolib.data.paramsparser
 import freeflowuniverse.herolib.ui
 import freeflowuniverse.herolib.ui.console
 import crypto.md5
@[params]
 pub struct ContextConfigArgs {
--- a/lib/core/sudo.v
+++ b/lib/core/sudo.v
@@ -1,6 +1,5 @@
 module core
 import base
 import os
 // check path is accessible, e.g. do we need sudo and are we sudo
--- a/lib/data/ipaddress/ipaddress.v
+++ b/lib/data/ipaddress/ipaddress.v
@@ -1,7 +1,6 @@
 module ipaddress
 import os
 import freeflowuniverse.herolib.osal.core as osal
 import freeflowuniverse.herolib.core
 import freeflowuniverse.herolib.ui.console
--- a/lib/osal/core/net.v
+++ b/lib/osal/core/net.v
@@ -4,7 +4,6 @@ import net
 import time
 import freeflowuniverse.herolib.ui.console
 import freeflowuniverse.herolib.core
 import os
 pub enum PingResult {
 	ok
--- a/lib/osal/core/package.v
+++ b/lib/osal/core/package.v
@@ -3,7 +3,6 @@ module core
 import freeflowuniverse.herolib.ui.console
 import freeflowuniverse.herolib.core.texttools
 import freeflowuniverse.herolib.core
 import os
 // update the package list
 pub fn package_refresh() ! {
--- a/lib/osal/linux/user_mgmt.v
+++ b/lib/osal/linux/user_mgmt.v
@@ -2,7 +2,6 @@ module linux
 import os
 import json
 import freeflowuniverse.herolib.core.pathlib
 import freeflowuniverse.herolib.osal.core as osal
 import freeflowuniverse.herolib.ui.console
@@ -288,9 +287,43 @@ fn (mut lf LinuxFactory) create_ssh_agent_profile(username string) ! {
 	user_home := '/home/${username}'
 	profile_script := '${user_home}/.profile_sshagent'
-	// script_content := ''
+	// Create SSH agent auto-start script content
 	script_content := '#!/bin/bash
 # Auto-start ssh-agent if not running
 SSH_AGENT_SOCKET="/tmp/ssh-agent-${username}.sock"
-	panic('implement')
+# Check if agent is already running and responsive
 if [ -n "\$SSH_AUTH_SOCK" ] && ssh-add -l >/dev/null 2>&1; then
    # Agent is running and responsive
    exit 0
 fi
 # Check if our socket exists and is responsive
 if [ -S "\$SSH_AGENT_SOCKET" ]; then
    export SSH_AUTH_SOCK="\$SSH_AGENT_SOCKET"
    if ssh-add -l >/dev/null 2>&1; then
        # Socket is responsive
        exit 0
    fi
 fi
 # Clean up any orphaned agents
 pkill -u ${username} ssh-agent >/dev/null 2>&1 || true
 # Remove stale socket
 rm -f "\$SSH_AGENT_SOCKET"
 # Start new ssh-agent with consistent socket
 ssh-agent -a "\$SSH_AGENT_SOCKET" >/dev/null 2>&1
 # Export the socket path
 export SSH_AUTH_SOCK="\$SSH_AGENT_SOCKET"
 # Verify agent is responsive
 if ! ssh-add -l >/dev/null 2>&1; then
    echo "Warning: SSH agent started but is not responsive" >&2
 fi
 '
 	osal.file_write(profile_script, script_content)!
 	osal.exec(cmd: 'chown ${username}:${username} ${profile_script}')!
--- a/lib/osal/sshagent/agent.v
+++ b/lib/osal/sshagent/agent.v
@@ -74,10 +74,10 @@ pub fn sshkey_delete(mut agent SSHAgent, name string) ! {
 		return
 	}
-	// Remove from agent if loaded (temporarily disabled due to reset_ssh panic)
+	// Remove from agent if loaded
-	// if key.loaded {
+	if key.loaded {
-	// 	key.forget()!
+		key.forget()!
-	// }
+	}
 	// Delete key files
 	if key_path.exists() {
--- a/lib/osal/sshagent/factory.v
+++ b/lib/osal/sshagent/factory.v
@@ -27,7 +27,7 @@ pub fn new(args_ SSHAgentNewArgs) !SSHAgent {
 }
 pub fn loaded() bool {
-	mut agent := new() or { panic(err) }
+	mut agent := new() or { return false }
 	return agent.active
 }
--- a/lib/osal/sshagent/get.v
+++ b/lib/osal/sshagent/get.v
@@ -44,7 +44,8 @@ fn (mut agent SSHAgent) pop(pubkey_ string) {
 		if agent.keys.len > result {
 			agent.keys.delete(x)
 		} else {
-			panic('bug')
+			// This should not happen, but handle gracefully
 			return
 		}
 	}
 }
--- a/lib/osal/sshagent/readme.md
+++ b/lib/osal/sshagent/readme.md
@@ -1,43 +1,81 @@
-## ssh agent
+# SSH Agent Module
 SSH agent management library for V language. Provides secure key handling, agent lifecycle control, and remote integration.
 ## Features
 * Manage SSH keys (generate, load, import)
 * Single agent per user with auto-cleanup
 * Start/stop/reset agent easily
 * Diagnostics and status checks
 * Push keys to remote nodes & verify access
 * Security-first (file permissions, socket handling)
 ## Platform Support
 * Linux, macOS
 * Windows (not yet supported)
 ## Quick Start
 ```v
 import freeflowuniverse.herolib.osal.sshagent
 mut agent := sshagent.new()!
-
+mut key := agent.generate('my_key', '')!
-privkey:='
+key.load()!
-----BEGIN OPENSSH PRIVATE KEY-----
+println(agent)
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
 QyNTUxOQAAACDXf9Z/2AH8/8a1ppagCplQdhWyQ8wZAieUw3nNcxsDiQAAAIhb3ybRW98m
 0QAAAAtzc2gtZWQyNTUxOQAAACDXf9Z/2AH8/8a1ppagCplQdhWyQ8wZAieUw3nNcxsDiQ
 AAAEC+fcDBPqdJHlJOQJ2zXhU2FztKAIl3TmWkaGCPnyts49d/1n/YAfz/xrWmlqAKmVB2
 FbJDzBkCJ5TDec1zGwOJAAAABWJvb2tz
 -----END OPENSSH PRIVATE KEY-----
 '
 mut sshkey:=agent.add("mykey:,privkey)!
 sshkey.forget()!
 ```
-### hero
+## Usage
-there is also a hero command
+### Agent
 ```js
 //will add the key and load (at this stage no support for passphrases)
 !!sshagent.key_add name:'myname'
    privkey:'
        -----BEGIN OPENSSH PRIVATE KEY-----
        b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
        QyNTUxOQAAACDXf9Z/2AH8/8a1ppagCplQdhWyQ8wZAieUw3nNcxsDiQAAAIhb3ybRW98m
        0QAAAAtzc2gtZWQysdsdsddsdsdsdsdsdsd8/8a1ppagCplQdhWyQ8wZAieUw3nNcxsDiQ
        AAAEC+fcDBPqdJHlJOQJ2zXhU2FztKAIl3TmWkaGCPnyts49d/1n/YAfz/xrWmlqAKmVB2
        FbJDzBkCJ5TDec1zGwOJAAAABWJvb2tz
        -----END OPENSSH PRIVATE KEY-----
        '
 ```v
 mut agent := sshagent.new()!
 mut agent := sshagent.new(homepath: '/custom/ssh/path')!
 mut agent := sshagent.new_single()!
 ```
 ### Keys
 ```v
 mut key := agent.generate('my_key', '')!
 agent.add('imported_key', privkey)!
 key.load()!
 if agent.exists(name: 'my_key') { println('Key exists') }
 agent.forget('my_key')!
 ```
 ### Agent Ops
 ```v
 println(agent.diagnostics())
 println(agent.keys_loaded()!)
 agent.reset()!
 ```
 ### Remote
 ```v
 import freeflowuniverse.herolib.builder
 mut node := builder.node_new(ipaddr: 'user@remote:22')!
 agent.push_key_to_node(mut node, 'my_key')!
 ```
 ## Security
 * Private keys set to `0600`
 * Secure sockets & user isolation
 * Validated inputs & safe memory handling
 ## Examples
 See `examples/osal/sshagent/` for demos.
 ## Testing
 ```bash
 v test lib/osal/sshagent/
 ```
--- a/lib/osal/sshagent/security.v
+++ b/lib/osal/sshagent/security.v
@@ -0,0 +1,241 @@
 module sshagent
 import os
 import freeflowuniverse.herolib.core.texttools
 // Security validation functions for SSH agent operations
 // validate_key_name ensures SSH key names are safe and follow conventions
 pub fn validate_key_name(name string) !string {
 	if name.len == 0 {
 		return error('SSH key name cannot be empty')
 	}
 	if name.len > 255 {
 		return error('SSH key name too long (max 255 characters)')
 	}
 	// Check for dangerous characters
 	dangerous_chars := ['/', '\\', '..', '~', '$', '`', ';', '|', '&', '>', '<', '*', '?', '[',
 		']', '{', '}', '(', ')', '"', "'", ' ']
 	for dangerous_char in dangerous_chars {
 		if name.contains(dangerous_char) {
 			return error('SSH key name contains invalid character: ${dangerous_char}')
 		}
 	}
 	// Ensure it starts with alphanumeric
 	if !name[0].is_alnum() {
 		return error('SSH key name must start with alphanumeric character')
 	}
 	return texttools.name_fix(name)
 }
 // validate_private_key checks if the provided string is a valid SSH private key
 pub fn validate_private_key(privkey string) !string {
 	if privkey.len == 0 {
 		return error('Private key cannot be empty')
 	}
 	// Check for valid private key headers
 	valid_headers := [
 		'-----BEGIN OPENSSH PRIVATE KEY-----',
 		'-----BEGIN RSA PRIVATE KEY-----',
 		'-----BEGIN DSA PRIVATE KEY-----',
 		'-----BEGIN EC PRIVATE KEY-----',
 		'-----BEGIN PRIVATE KEY-----',
 	]
 	mut has_valid_header := false
 	for header in valid_headers {
 		if privkey.contains(header) {
 			has_valid_header = true
 			break
 		}
 	}
 	if !has_valid_header {
 		return error('Invalid private key format - missing valid header')
 	}
 	// Check for corresponding footer
 	valid_footers := [
 		'-----END OPENSSH PRIVATE KEY-----',
 		'-----END RSA PRIVATE KEY-----',
 		'-----END DSA PRIVATE KEY-----',
 		'-----END EC PRIVATE KEY-----',
 		'-----END PRIVATE KEY-----',
 	]
 	mut has_valid_footer := false
 	for footer in valid_footers {
 		if privkey.contains(footer) {
 			has_valid_footer = true
 			break
 		}
 	}
 	if !has_valid_footer {
 		return error('Invalid private key format - missing valid footer')
 	}
 	// Basic length check (private keys should be substantial)
 	if privkey.len < 200 {
 		return error('Private key appears to be too short')
 	}
 	return privkey
 }
 // validate_file_path ensures file paths are safe and within expected directories
 pub fn validate_file_path(path string, base_dir string) !string {
 	if path.len == 0 {
 		return error('File path cannot be empty')
 	}
 	// Resolve absolute path
 	abs_path := os.abs_path(path)
 	abs_base := os.abs_path(base_dir)
 	// Ensure path is within base directory (prevent directory traversal)
 	if !abs_path.starts_with(abs_base) {
 		return error('File path outside of allowed directory: ${path}')
 	}
 	// Check for dangerous path components
 	dangerous_components := ['..', './', '~/', '$']
 	for component in dangerous_components {
 		if path.contains(component) {
 			return error('File path contains dangerous component: ${component}')
 		}
 	}
 	return abs_path
 }
 // secure_file_permissions sets appropriate permissions for SSH key files
 pub fn secure_file_permissions(file_path string, is_private bool) ! {
 	if !os.exists(file_path) {
 		return error('File does not exist: ${file_path}')
 	}
 	if is_private {
 		// Private keys should be readable/writable only by owner
 		os.chmod(file_path, 0o600)!
 	} else {
 		// Public keys can be readable by others
 		os.chmod(file_path, 0o644)!
 	}
 }
 // get_secure_socket_path returns a secure socket path for the given user
 pub fn get_secure_socket_path(user string) !string {
 	if user.len == 0 {
 		return error('User cannot be empty')
 	}
 	// Validate user name
 	validated_user := validate_key_name(user)!
 	// Use more secure temporary directory if available
 	mut temp_dir := '/tmp'
 	// Check for user-specific temp directory
 	user_temp := os.getenv('XDG_RUNTIME_DIR')
 	if user_temp.len > 0 && os.exists(user_temp) {
 		temp_dir = user_temp
 	}
 	socket_path := '${temp_dir}/ssh-agent-${validated_user}.sock'
 	// Ensure parent directory exists and has correct permissions
 	parent_dir := os.dir(socket_path)
 	if !os.exists(parent_dir) {
 		os.mkdir_all(parent_dir)!
 		os.chmod(parent_dir, 0o700)! // Only owner can access
 	}
 	return socket_path
 }
 // sanitize_environment_variables cleans SSH-related environment variables
 pub fn sanitize_environment_variables() {
 	// List of SSH-related environment variables that might need cleaning
 	ssh_env_vars := ['SSH_AUTH_SOCK', 'SSH_AGENT_PID', 'SSH_CLIENT', 'SSH_CONNECTION']
 	for var in ssh_env_vars {
 		env_val := os.getenv(var)
 		if env_val.len > 0 {
 			// Basic validation of environment variable values
 			if env_val.contains('..') || env_val.contains(';') || env_val.contains('|') {
 				// Unset potentially dangerous environment variables
 				os.unsetenv(var)
 			}
 		}
 	}
 }
 // validate_passphrase checks passphrase strength (basic validation)
 pub fn validate_passphrase(passphrase string) !string {
 	// Allow empty passphrase (user choice)
 	if passphrase.len == 0 {
 		return passphrase
 	}
 	// Basic length check
 	if passphrase.len < 8 {
 		return error('Passphrase should be at least 8 characters long')
 	}
 	// Check for common weak passphrases
 	weak_passphrases := ['password', '12345678', 'qwerty', 'admin', 'root', 'test']
 	for weak in weak_passphrases {
 		if passphrase.to_lower() == weak {
 			return error('Passphrase is too weak - avoid common passwords')
 		}
 	}
 	return passphrase
 }
 // check_system_security performs basic system security checks
 pub fn check_system_security() !map[string]string {
 	mut security_status := map[string]string{}
 	// Check if running as root (generally not recommended)
 	if os.getuid() == 0 {
 		security_status['root_user'] = 'WARNING: Running as root user'
 	} else {
 		security_status['root_user'] = 'OK: Not running as root'
 	}
 	// Check SSH directory permissions
 	ssh_dir := '${os.home_dir()}/.ssh'
 	if os.exists(ssh_dir) {
 		// Get directory permissions (simplified check)
 		if os.is_readable(ssh_dir) && os.is_writable(ssh_dir) {
 			security_status['ssh_dir_permissions'] = 'OK: SSH directory accessible'
 		} else {
 			security_status['ssh_dir_permissions'] = 'WARNING: SSH directory permission issues'
 		}
 	} else {
 		security_status['ssh_dir_permissions'] = 'INFO: SSH directory does not exist'
 	}
 	// Check for SSH agent processes
 	user := os.getenv('USER')
 	res := os.execute('pgrep -u ${user} ssh-agent | wc -l')
 	if res.exit_code == 0 {
 		agent_count := res.output.trim_space().int()
 		if agent_count == 0 {
 			security_status['ssh_agents'] = 'INFO: No SSH agents running'
 		} else if agent_count == 1 {
 			security_status['ssh_agents'] = 'OK: One SSH agent running'
 		} else {
 			security_status['ssh_agents'] = 'WARNING: Multiple SSH agents running (${agent_count})'
 		}
 	}
 	return security_status
 }
--- a/lib/osal/sshagent/sshagent.v
+++ b/lib/osal/sshagent/sshagent.v
@@ -155,7 +155,7 @@ pub fn (mut agent SSHAgent) init() ! {
 			if line.contains(' ') {
 				splitted := line.split(' ')
 				if splitted.len < 2 {
-					panic('bug')
+					return error('Invalid SSH key format in agent output: ${line}')
 				}
 				pubkey := splitted[1]
 				mut sshkey := SSHKey{
@@ -166,12 +166,12 @@ pub fn (mut agent SSHAgent) init() ! {
 				if splitted[0].contains('ed25519') {
 					sshkey.cat = .ed25519
 					if splitted.len > 2 {
-						sshkey.email = splitted[2] or { panic('bug') }
+						sshkey.email = splitted[2] or { '' }
 					}
 				} else if splitted[0].contains('rsa') {
 					sshkey.cat = .rsa
 				} else {
-					panic('bug: implement other cat for ssh-key.\n${line}')
+					return error('Unsupported SSH key type in line: ${line}')
 				}
 				if !(agent.exists(pubkey: pubkey)) {
@@ -191,7 +191,7 @@ pub fn (mut agent SSHAgent) init() ! {
 		c = c.replace('  ', ' ').replace('  ', ' ') // deal with double spaces, or tripple (need to do this 2x
 		splitted := c.trim_space().split(' ')
 		if splitted.len < 2 {
-			panic('bug')
+			return error('Invalid public key format in file: ${pkp.path}')
 		}
 		mut name := pkp.name()
 		name = name[0..(name.len - 4)]
@@ -211,7 +211,7 @@ pub fn (mut agent SSHAgent) init() ! {
 		} else if splitted[0].contains('rsa') {
 			sshkey2.cat = .rsa
 		} else {
-			panic('bug: implement other cat for ssh-key')
+			return error('Unsupported SSH key type in file: ${pkp.path}')
 		}
 		if splitted.len > 2 {
 			sshkey2.email = splitted[2]
@@ -223,53 +223,74 @@ pub fn (mut agent SSHAgent) init() ! {
 // returns path to sshkey
 pub fn (mut agent SSHAgent) generate(name string, passphrase string) !SSHKey {
-	dest := '${agent.homepath.path}/${name}'
+	// Validate inputs
 	validated_name := validate_key_name(name)!
 	validated_passphrase := validate_passphrase(passphrase)!
 	dest := '${agent.homepath.path}/${validated_name}'
 	if os.exists(dest) {
 		os.rm(dest)!
 	}
-	cmd := 'ssh-keygen -t ed25519 -f ${dest} -P ${passphrase} -q'
+	cmd := 'ssh-keygen -t ed25519 -f ${dest} -P ${validated_passphrase} -q'
 	// console.print_debug(cmd)
 	rc := os.execute(cmd)
 	if !(rc.exit_code == 0) {
-		return error('Could not generated sshkey,\n${rc}')
+		return error('Could not generate SSH key: ${rc.output}')
 	}
 	// Set secure permissions
 	secure_file_permissions(dest, true)! // private key
 	secure_file_permissions('${dest}.pub', false)! // public key
 	agent.init()!
-	return agent.get(name: name) or { panic(err) }
+	return agent.get(name: validated_name) or {
 		return error("Generated SSH key '${validated_name}' not found in agent after creation: ${err}")
 	}
 }
 // unload all ssh keys
 pub fn (mut agent SSHAgent) reset() ! {
-	if true {
+	console.print_debug('Resetting SSH agent - removing all loaded keys')
 		panic('reset_ssh')
 	}
 	res := os.execute('ssh-add -D')
 	if res.exit_code > 0 {
-		return error('cannot reset sshkeys.')
+		return error('cannot reset sshkeys: ${res.output}')
 	}
 	agent.init()! // should now be empty for loaded keys
 	console.print_green('✓ All SSH keys removed from agent')
 }
 // load the key, they key is content (private key) .
 // a name is required
 pub fn (mut agent SSHAgent) add(name string, privkey_ string) !SSHKey {
-	mut privkey := privkey_
+	// Validate inputs
-	path := '${agent.homepath.path}/${name}'
+	validated_name := validate_key_name(name)!
-	if os.exists(path) {
+	validated_privkey := validate_private_key(privkey_)!
-		os.rm(path)!
+
 	mut privkey := validated_privkey
 	path := '${agent.homepath.path}/${validated_name}'
 	// Validate file path
 	validated_path := validate_file_path(path, agent.homepath.path)!
 	if os.exists(validated_path) {
 		os.rm(validated_path)!
 	}
-	if os.exists('${path}.pub') {
+	if os.exists('${validated_path}.pub') {
-		os.rm('${path}.pub')!
+		os.rm('${validated_path}.pub')!
 	}
 	if !privkey.ends_with('\n') {
 		privkey += '\n'
 	}
-	os.write_file(path, privkey)!
+	os.write_file(validated_path, privkey)!
-	os.chmod(path, 0o600)!
+	secure_file_permissions(validated_path, true)! // private key
-	res4 := os.execute('ssh-keygen -y -f ${path} > ${path}.pub')
+
 	res4 := os.execute('ssh-keygen -y -f ${validated_path} > ${validated_path}.pub')
 	if res4.exit_code > 0 {
-		return error('cannot generate pubkey ${path}.\n${res4.output}')
+		return error('Cannot generate public key from private key: ${res4.output}')
 	}
-	return agent.load(path)!
+	secure_file_permissions('${validated_path}.pub', false)! // public key
 	return agent.load(validated_path)!
 }
 // load key starting from path to private key
@@ -288,18 +309,17 @@ pub fn (mut agent SSHAgent) load(keypath string) !SSHKey {
 	}
 	agent.init()!
 	return agent.get(name: name) or {
-		panic("can't find sshkey with name:'${name}' from agent.\n${err}")
+		return error("Cannot find SSH key '${name}' in agent after loading from '${keypath}': ${err}")
 	}
 }
 // forget the specified key
 pub fn (mut agent SSHAgent) forget(name string) ! {
-	if true {
+	console.print_debug('Forgetting SSH key: ${name}')
-		panic('reset_ssh')
+	mut key := agent.get(name: name) or { return error('SSH key "${name}" not found in agent') }
 	}
 	mut key := agent.get(name: name) or { return }
 	agent.pop(key.pubkey)
 	key.forget()!
 	console.print_green('✓ SSH key "${name}" removed from agent')
 }
 pub fn (mut agent SSHAgent) str() string {
--- a/lib/osal/sshagent/sshagent_test.v
+++ b/lib/osal/sshagent/sshagent_test.v
@@ -0,0 +1,216 @@
 module sshagent
 import os
 import freeflowuniverse.herolib.ui.console
 // Test helper to create temporary directory for testing
 fn setup_test_env() !string {
 	test_dir := '/tmp/sshagent_test_${os.getpid()}'
 	os.mkdir_all(test_dir)!
 	return test_dir
 }
 // Test helper to cleanup test environment
 fn cleanup_test_env(test_dir string) {
 	os.rmdir_all(test_dir) or {}
 }
 // Test SSH agent creation
 fn test_sshagent_new() ! {
 	test_dir := setup_test_env()!
 	defer { cleanup_test_env(test_dir) }
 	mut agent := new(homepath: test_dir)!
 	assert agent.homepath.path == test_dir
 	assert agent.keys.len >= 0
 }
 // Test SSH agent with single instance
 fn test_sshagent_new_single() ! {
 	test_dir := setup_test_env()!
 	defer { cleanup_test_env(test_dir) }
 	mut agent := new_single(homepath: test_dir)!
 	assert agent.homepath.path == test_dir
 	// Test that agent is responsive
 	// Note: This might fail in CI environments without SSH agent
 	// agent.is_agent_responsive() // Commented out for CI compatibility
 }
 // Test SSH key generation
 fn test_sshkey_generation() ! {
 	test_dir := setup_test_env()!
 	defer { cleanup_test_env(test_dir) }
 	mut agent := new(homepath: test_dir)!
 	// Generate a test key
 	key_name := 'test_key'
 	mut key := agent.generate(key_name, '')!
 	assert key.name == key_name
 	assert key.cat == .ed25519
 	// Verify key files exist
 	mut key_path := key.keypath()!
 	mut pub_key_path := key.keypath_pub()!
 	assert key_path.exists()
 	assert pub_key_path.exists()
 	// Verify key content
 	private_content := key_path.read()!
 	public_content := key.keypub()!
 	assert private_content.contains('PRIVATE KEY')
 	assert public_content.starts_with('ssh-ed25519')
 	// Cleanup
 	key_path.delete()!
 	pub_key_path.delete()!
 }
 // Test SSH key operations
 fn test_sshkey_operations() ! {
 	test_dir := setup_test_env()!
 	defer { cleanup_test_env(test_dir) }
 	mut agent := new(homepath: test_dir)!
 	// Test key existence check
 	assert !agent.exists(name: 'nonexistent_key')
 	// Generate key
 	key_name := 'ops_test_key'
 	mut key := agent.generate(key_name, '')!
 	// Test key retrieval
 	retrieved_key := agent.get(name: key_name) or {
 		assert false, 'Key should exist after generation'
 		return
 	}
 	assert retrieved_key.name == key_name
 	// Test key existence after generation
 	assert agent.exists(name: key_name)
 	// Cleanup
 	mut cleanup_key_path := key.keypath()!
 	mut cleanup_pub_path := key.keypath_pub()!
 	cleanup_key_path.delete()!
 	cleanup_pub_path.delete()!
 }
 // Test SSH agent diagnostics
 fn test_sshagent_diagnostics() ! {
 	test_dir := setup_test_env()!
 	defer { cleanup_test_env(test_dir) }
 	mut agent := new(homepath: test_dir)!
 	diag := agent.diagnostics()
 	// Check that all expected diagnostic keys are present
 	expected_keys := ['socket_path', 'socket_exists', 'agent_responsive', 'loaded_keys_count',
 		'total_keys_count', 'agent_processes']
 	for key in expected_keys {
 		assert key in diag, 'Missing diagnostic key: ${key}'
 	}
 	// Verify diagnostic values are reasonable
 	assert diag['loaded_keys_count'].int() >= 0
 	assert diag['total_keys_count'].int() >= 0
 	assert diag['agent_processes'].int() >= 0
 }
 // Test error handling
 fn test_error_handling() ! {
 	test_dir := setup_test_env()!
 	defer { cleanup_test_env(test_dir) }
 	mut agent := new(homepath: test_dir)!
 	// Test loading non-existent key
 	if _ := agent.load('/nonexistent/path') {
 		assert false, 'Should fail to load non-existent key'
 	}
 	// Test getting non-existent key
 	if _ := agent.get(name: 'nonexistent') {
 		assert false, 'Should return none for non-existent key'
 	}
 	// Test forgetting non-existent key
 	if _ := agent.forget('nonexistent') {
 		assert false, 'Should fail to forget non-existent key'
 	}
 }
 // Test key string representation
 fn test_sshkey_string() ! {
 	test_dir := setup_test_env()!
 	defer { cleanup_test_env(test_dir) }
 	mut agent := new(homepath: test_dir)!
 	// Generate key for testing
 	key_name := 'string_test_key'
 	mut key := agent.generate(key_name, '')!
 	// Test key string representation
 	key_str := key.str()
 	assert key_str.contains(key_name)
 	assert key_str.contains('ed25519')
 	// Test agent string representation
 	agent_str := agent.str()
 	assert agent_str.contains('SSHAGENT')
 	assert agent_str.contains(key_name)
 	// Cleanup
 	mut cleanup_key_path2 := key.keypath()!
 	mut cleanup_pub_path2 := key.keypath_pub()!
 	cleanup_key_path2.delete()!
 	cleanup_pub_path2.delete()!
 }
 // Test private key addition (simplified - just test file creation)
 fn test_add_private_key() ! {
 	test_dir := setup_test_env()!
 	defer { cleanup_test_env(test_dir) }
 	mut agent := new(homepath: test_dir)!
 	// Create a simple test private key content (not a real key, just for testing file operations)
 	test_private_key := '-----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
 QyNTUxOQAAACDXf9Z/2AH8/8a1ppagCplQdhWyQ8wZAieUw3nNcxsDiQAAAIhb3ybRW98m
 0QAAAAtzc2gtZWQyNTUxOQAAACDXf9Z/2AH8/8a1ppagCplQdhWyQ8wZAieUw3nNcxsDiQ
 AAAEC+fcDBPqdJHlJOQJ2zXhU2FztKAIl3TmWkaGCPnyts49d/1n/YAfz/xrWmlqAKmVB2
 FbJDzBkCJ5TDec1zGwOJAAAABWJvb2tz
 -----END OPENSSH PRIVATE KEY-----'
 	// Test input validation
 	key_name := 'test_added_key'
 	// This should work for file creation but may fail on public key generation
 	// which is expected since this is not a real private key
 	if mut added_key := agent.add(key_name, test_private_key) {
 		// If it succeeds, verify files were created
 		mut added_key_path := added_key.keypath()!
 		assert added_key_path.exists()
 		// Cleanup
 		added_key_path.delete()!
 		if pub_path := added_key.keypath_pub() {
 			mut pub_file := pub_path
 			pub_file.delete() or {}
 		}
 	} else {
 		// Expected to fail with invalid key, which is fine for this test
 		// We're mainly testing the validation and file handling logic
 		console.print_debug('Add private key failed as expected with test key')
 	}
 }
--- a/BIN
+++ b/BIN