centaurus-cli 2.9.5 → 2.9.6

package/dist/context/handlers/ssh-handler.js

@@ -4,6 +4,10 @@
 import { Client } from 'ssh2';
 import { SubshellConnectionError, SubshellExecutionError } from '../types.js';
 import { randomBytes } from 'crypto';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import { quickLog } from '../../utils/conversation-logger.js';
 /**
  * SSH Handler implementation
  */
@@ -101,16 +105,6 @@ export class SSHHandler {
         try {
             // Parse SSH command
             this.config = this.parseSSHCommand(command);
-            // Prompt for password if no other auth method is available
-            if (!this.config.password && !this.config.privateKey && this.onPasswordRequest) {
-                try {
-                    const password = await this.onPasswordRequest(`Password for ${this.config.username}@${this.config.host}:`);
-                    this.config.password = password;
-                }
-                catch (error) {
-                    throw new Error('Password input cancelled');
-                }
-            }
             // Establish SSH connection
             await this.establishConnection(this.config);
             // Initialize SFTP (non-fatal)
@@ -155,31 +149,19 @@ export class SSHHandler {
         try {
             // Parse SSH command
             this.config = this.parseSSHCommand(command);
-            // Prompt for password if no other auth method is available
-            if (!this.config.password && !this.config.privateKey && this.onPasswordRequest) {
-                try {
-                    const password = await this.onPasswordRequest(`Password for ${this.config.username}@${this.config.host}:`);
-                    this.config.password = password;
-                }
-                catch (error) {
-                    throw new Error('Password input cancelled');
-                }
-            }
+            // Mark as nested session to disable implicit local authentication
+            this.config.isNested = true;
+            // Check if parent supports streaming
             // Check if parent supports streaming
-            let stream;
+            let streamFactory;
             if (parentContext.handler && typeof parentContext.handler.createStream === 'function') {
-                try {
-                    stream = await parentContext.handler.createStream(this.config.host, this.config.port);
-                }
-                catch (err) {
-                    throw new SubshellConnectionError('ssh', `Values to create tunnel: ${err.message}`, false);
-                }
+                streamFactory = () => parentContext.handler.createStream(this.config.host, this.config.port);
             }
             else {
                 throw new SubshellConnectionError('ssh', `Parent context (${parentContext.type}) does not support nested connections via tunneling.`, false);
             }
-            // Establish SSH connection using the tunnel stream
-            await this.establishConnection(this.config, stream);
+            // Establish SSH connection using the tunnel stream factory
+            await this.establishConnection(this.config, undefined, streamFactory);
             // Initialize SFTP (non-fatal)
             try {
                 await this.initializeSFTP();
@@ -255,11 +237,12 @@ export class SSHHandler {
         if (!this._client || !this._isConnected) {
             throw new SubshellExecutionError(command, 'Not connected to SSH server');
         }
+        const pwdTag = `__CENTAURUS_PWD_${this.sessionId}__`;
         return new Promise((resolve, reject) => {
             const timeout = setTimeout(() => {
                 reject(new SubshellExecutionError(command, 'Command timed out after 30 seconds'));
             }, 30000);
-            this._client.exec(`cd "${this.currentWorkingDirectory}" && ${command}; echo "__CENTAURUS_PWD__:$(pwd)"`, (err, stream) => {
+            this._client.exec(`cd "${this.currentWorkingDirectory}" && ${command}; echo "${pwdTag}:$(pwd)"`, (err, stream) => {
                 if (err) {
                     clearTimeout(timeout);
                     reject(new SubshellExecutionError(command, err.message));
@@ -269,11 +252,15 @@ export class SSHHandler {
                 let stderr = '';
                 stream.on('close', (code) => {
                     clearTimeout(timeout);
-                    // Extract working directory from output
-                    const pwdMatch = stdout.match(/__CENTAURUS_PWD__:(.+)$/m);
+                    // Extract working directory from output using unique tag
+                    // We use a constructed regex to match the specific tag for this session
+                    const pwdRegex = new RegExp(`${pwdTag}:(.+)$`, 'm');
+                    const pwdMatch = stdout.match(pwdRegex);
                     if (pwdMatch) {
                         this.currentWorkingDirectory = pwdMatch[1].trim();
-                        stdout = stdout.replace(/__CENTAURUS_PWD__:.+$/m, '').trim();
+                        // Remove the tag line from stdout
+                        const removeRegex = new RegExp(`${pwdTag}:.+$`, 'm');
+                        stdout = stdout.replace(removeRegex, '').trim();
                     }
                     resolve({
                         stdout,
@@ -326,7 +313,10 @@ export class SSHHandler {
         // Prefer SFTP when available
         if (this.sftpClient) {
             return new Promise((resolve, reject) => {
-                this.sftpClient.writeFile(absolutePath, content, 'utf8', (err) => {
+                // ssh2 sftp writeFile supports Buffer or string
+                // If buffer, encoding is ignored/not needed
+                const options = Buffer.isBuffer(content) ? undefined : 'utf8';
+                this.sftpClient.writeFile(absolutePath, content, options, (err) => {
                     if (err) {
                         reject(new Error(`Failed to write file ${path}: ${err.message}`));
                     }
@@ -337,7 +327,8 @@ export class SSHHandler {
             });
         }
         // Fallback: base64 via exec (robust against special chars), chunked
-        const base64Content = Buffer.from(content, 'utf8').toString('base64');
+        const inputBuffer = Buffer.isBuffer(content) ? content : Buffer.from(content, 'utf8');
+        const base64Content = inputBuffer.toString('base64');
         const CHUNK_SIZE = 32000;
         // Truncate file first
         let result = await this.executeCommand(`: > "${absolutePath}"`);
@@ -447,26 +438,81 @@ export class SSHHandler {
      * Parse SSH command to extract connection details
      */
     parseSSHCommand(command) {
-        const parts = command.trim().split(/\s+/);
+        const parts = this.tokenizeSSHCommand(command);
         let host = '';
         let port = 22;
         let username = '';
+        let identityFilePath;
+        // SSH options that consume the next token as a value.
+        // We skip those values so they are not mistaken as the host.
+        const optionsWithValue = new Set([
+            '-b', '-c', '-D', '-E', '-F', '-I', '-J', '-L', '-l', '-m', '-O', '-o', '-p', '-Q', '-R', '-S', '-W', '-w'
+        ]);
         // Parse command line arguments
         for (let i = 1; i < parts.length; i++) {
             const part = parts[i];
+            if (part === '--') {
+                // End of options; next token is the host
+                if (!host && i + 1 < parts.length) {
+                    host = parts[i + 1];
+                }
+                break;
+            }
             if (part === '-p' && i + 1 < parts.length) {
-                port = parseInt(parts[i + 1], 10);
+                port = this.parsePort(parts[i + 1], port);
+                i++;
+            }
+            else if (part.startsWith('-p') && part.length > 2) {
+                port = this.parsePort(part.slice(2), port);
+            }
+            else if (part === '-l' && i + 1 < parts.length) {
+                username = parts[i + 1];
+                i++;
+            }
+            else if (part.startsWith('-l') && part.length > 2) {
+                username = part.slice(2);
+            }
+            else if (part === '-i' && i + 1 < parts.length) {
+                identityFilePath = parts[i + 1];
                 i++;
             }
+            else if (part.startsWith('-i') && part.length > 2) {
+                identityFilePath = part.slice(2);
+            }
+            else if (part === '-o' && i + 1 < parts.length) {
+                // Support both "-o Key=Value" and "-o Key Value" styles.
+                const optionToken = parts[i + 1];
+                if (optionToken.includes('=')) {
+                    this.applySSHOption(optionToken, (value) => { port = value; }, (value) => { username = value; }, (value) => { identityFilePath = value; }, port);
+                    i++;
+                }
+                else if (i + 2 < parts.length) {
+                    this.applySSHOption(`${optionToken}=${parts[i + 2]}`, (value) => { port = value; }, (value) => { username = value; }, (value) => { identityFilePath = value; }, port);
+                    i += 2;
+                }
+                else {
+                    i++;
+                }
+            }
+            else if (part.startsWith('-o') && part.length > 2) {
+                this.applySSHOption(part.slice(2), (value) => { port = value; }, (value) => { username = value; }, (value) => { identityFilePath = value; }, port);
+            }
             else if (part.startsWith('-') && part !== '-p') {
-                // Skip other flags
+                // Skip flags and their value, if any
+                if (optionsWithValue.has(part) && i + 1 < parts.length) {
+                    i++;
+                }
                 continue;
             }
             else if (!host) {
                 // This should be the host (possibly with username)
                 if (part.includes('@')) {
-                    const [user, hostname] = part.split('@');
-                    username = user;
+                    const atIndex = part.indexOf('@');
+                    const user = part.slice(0, atIndex);
+                    const hostname = part.slice(atIndex + 1);
+                    if (user) {
+                        username = user;
+                    }
                     host = hostname;
                 }
                 else {
@@ -481,50 +527,170 @@ export class SSHHandler {
         if (!host) {
             throw new Error('Could not parse SSH host from command');
         }
-        return {
+        const parsedConfig = {
             host,
             port,
             username,
         };
+        if (identityFilePath) {
+            parsedConfig.privateKey = this.loadIdentityFile(identityFilePath);
+        }
+        return parsedConfig;
     }
     /**
      * Establish SSH connection
      */
-    async establishConnection(config, stream) {
-        return new Promise((resolve, reject) => {
-            this._client = new Client();
-            const connectConfig = {
-                host: config.host,
-                port: config.port,
-                username: config.username,
-            };
-            if (stream) {
-                connectConfig.sock = stream;
-            }
-            // Add authentication method
-            if (config.password) {
-                connectConfig.password = config.password;
+    /**
+     * Establish SSH connection.
+     * Handles authentication retries (agent -> keys -> password).
+     * For nested connections, uses streamFactory to get a fresh stream for each attempt.
+     */
+    async establishConnection(config, stream, streamFactory) {
+        let promptedForPassword = false;
+        let firstError;
+        quickLog(`[SSH Auth] Starting auth for ${config.username}@${config.host}:${config.port}\n`);
+        quickLog(`[SSH Auth] Has privateKey: ${!!config.privateKey}, Has password: ${!!config.password}\n`);
+        try {
+            quickLog(`[SSH Auth] Attempt 1: agent/none (tryKeyboard=false)\n`);
+            // Get fresh stream if factory provided
+            const currentStream = streamFactory ? await streamFactory() : stream;
+            await this.establishConnectionOnce(config, currentStream, false, () => {
+                promptedForPassword = true;
+            });
+            quickLog(`[SSH Auth] Attempt 1 succeeded (agent or none auth)\n`);
+            return;
+        }
+        catch (error) {
+            const errMsg = error instanceof Error ? error.message : String(error);
+            quickLog(`[SSH Auth] Attempt 1 failed: ${errMsg}, promptedForPassword=${promptedForPassword}\n`);
+            firstError = error;
+            // Stop early for non-auth failures or if user was already prompted.
+            if (!this.isAuthenticationFailure(error) || promptedForPassword) {
+                quickLog(`[SSH Auth] Stopping early: isAuthFailure=${this.isAuthenticationFailure(error)}, prompted=${promptedForPassword}\n`);
+                throw error;
             }
-            else if (config.privateKey) {
-                connectConfig.privateKey = config.privateKey;
-                if (config.passphrase) {
-                    connectConfig.passphrase = config.passphrase;
+        }
+        // If no explicit key was provided, try default identity files before prompting for password.
+        // Skip this for nested sessions to avoid using local keys where remote ones are expected.
+        if (!config.privateKey && !config.isNested) {
+            const defaultKeys = this.loadDefaultIdentityFiles(config.host);
+            quickLog(`[SSH Auth] Found ${defaultKeys.length} default identity file(s)\n`);
+            for (let ki = 0; ki < defaultKeys.length; ki++) {
+                const key = defaultKeys[ki];
+                try {
+                    quickLog(`[SSH Auth] Trying key file ${ki + 1}/${defaultKeys.length} (${key.length} bytes)\n`);
+                    // Get fresh stream if factory provided
+                    const keyStream = streamFactory ? await streamFactory() : stream;
+                    const keyConfig = {
+                        ...config,
+                        privateKey: key,
+                        password: undefined,
+                    };
+                    await this.establishConnectionOnce(keyConfig, keyStream, false, () => {
+                        promptedForPassword = true;
+                    });
+                    quickLog(`[SSH Auth] Key file ${ki + 1} succeeded!\n`);
+                    config.privateKey = key;
+                    return;
+                }
+                catch (keyError) {
+                    const keyErrMsg = keyError instanceof Error ? keyError.message : String(keyError);
+                    quickLog(`[SSH Auth] Key file ${ki + 1} failed: ${keyErrMsg}\n`);
+                    if (promptedForPassword) {
+                        // User already provided a secret once for this connection attempt.
+                        throw keyError;
+                    }
+                    // Continue trying other keys for expected auth/key-format failures.
+                    if (this.isAuthenticationFailure(keyError) || this.isKeyParseFailure(keyError)) {
+                        continue;
+                    }
+                    throw keyError;
                 }
             }
-            else {
-                // Try SSH agent or default keys
-                connectConfig.tryKeyboard = true;
-            }
-            this._client.on('ready', () => {
+        }
+        else {
+            quickLog(`[SSH Auth] Explicit key provided, skipping default key search\n`);
+        }
+        // Password retry (only if callback exists).
+        quickLog(`[SSH Auth] All key-based auth methods exhausted, falling back to password\n`);
+        if (!this.onPasswordRequest) {
+            throw (firstError instanceof Error ? firstError : new Error('SSH authentication failed'));
+        }
+        const password = await this.requestPassword(config);
+        config.password = password;
+        config.privateKey = undefined;
+        // Get fresh stream for password attempt
+        const passwordStream = streamFactory ? await streamFactory() : stream;
+        await this.establishConnectionOnce(config, passwordStream, true, () => {
+            promptedForPassword = true;
+        });
+    }
+    /**
+     * Single SSH connection attempt.
+     * Password retry logic is handled by establishConnection().
+     * @param enableKeyboard - Whether to enable keyboard-interactive auth.
+     *   Set to false for key-based attempts so the server doesn't prompt for password prematurely.
+     *   Set to true only for the final password-retry attempt.
+     */
+    async establishConnectionOnce(config, stream, enableKeyboard, onPasswordPrompt) {
+        return new Promise((resolve, reject) => {
+            const client = new Client();
+            this._client = client;
+            let settled = false;
+            const settleResolve = () => {
+                if (settled) {
+                    return;
+                }
+                settled = true;
                 this._isConnected = true;
                 resolve();
-            });
-            this._client.on('error', (err) => {
+            };
+            const settleReject = (error) => {
+                if (settled) {
+                    return;
+                }
+                settled = true;
                 this._isConnected = false;
-                reject(new Error(`ssh connection failed: ${err.message}`));
+                this._client = null;
+                try {
+                    client.end();
+                }
+                catch {
+                    // Ignore cleanup errors
+                }
+                reject(error);
+            };
+            client.on('ready', () => {
+                settleResolve();
+            });
+            client.on('error', (err) => {
+                settleReject(new Error(`ssh connection failed: ${err.message}`));
+            });
+            client.on('keyboard-interactive', async (_name, _instructions, _lang, prompts, finish) => {
+                if (!prompts || prompts.length === 0 || !this.onPasswordRequest) {
+                    finish([]);
+                    return;
+                }
+                try {
+                    const responses = [];
+                    for (const prompt of prompts) {
+                        onPasswordPrompt();
+                        const message = this.buildPasswordPromptMessage(config, prompt.prompt);
+                        const response = await this.requestPassword(config, message);
+                        responses.push(response);
+                        if (!prompt.echo) {
+                            config.password = response;
+                        }
+                    }
+                    finish(responses);
+                }
+                catch (error) {
+                    finish([]);
+                    settleReject(error instanceof Error ? error : new Error('Password input cancelled'));
+                }
             });
             // Listen for unexpected disconnections
-            this._client.on('close', () => {
+            client.on('close', () => {
                 if (this._isConnected) {
                     // Unexpected disconnect (not initiated by us calling disconnect())
                     this._isConnected = false;
@@ -534,7 +700,7 @@ export class SSHHandler {
                     }
                 }
             });
-            this._client.on('end', () => {
+            client.on('end', () => {
                 if (this._isConnected) {
                     // Unexpected disconnect
                     this._isConnected = false;
@@ -544,9 +710,303 @@ export class SSHHandler {
                     }
                 }
             });
-            this._client.connect(connectConfig);
+            client.connect(this.buildConnectConfig(config, stream, enableKeyboard));
         });
     }
+    /**
+     * Build ssh2 connection config.
+     * @param enableKeyboard - When true, enables keyboard-interactive auth.
+     *   This should only be true for the final password-retry attempt;
+     *   otherwise the server's keyboard-interactive challenge fires before
+     *   key-based auth methods (agent, key files) have been tried.
+     */
+    buildConnectConfig(config, stream, enableKeyboard = false) {
+        const connectConfig = {
+            host: config.host,
+            port: config.port,
+            username: config.username,
+            tryKeyboard: enableKeyboard,
+        };
+        if (stream) {
+            connectConfig.sock = stream;
+        }
+        // Skip local SSH agent for nested sessions
+        if (!config.isNested) {
+            if (process.env.SSH_AUTH_SOCK) {
+                connectConfig.agent = process.env.SSH_AUTH_SOCK;
+                quickLog(`[SSH Auth] Using SSH_AUTH_SOCK agent: ${process.env.SSH_AUTH_SOCK}\n`);
+            }
+            else if (os.platform() === 'win32') {
+                // Windows OpenSSH agent uses a named pipe, not SSH_AUTH_SOCK.
+                // The ssh2 library supports this via the agent option.
+                // Pipe path: \\.\pipe\openssh-ssh-agent
+                const winPipe = ['', '', '.', 'pipe', 'openssh-ssh-agent'].join('\\');
+                quickLog(`[SSH Auth] Windows detected, checking agent pipe: ${winPipe}\n`);
+                try {
+                    // Did not stat the pipe as it returns EBUSY on Windows sometimes
+                    // Just try to use it
+                    connectConfig.agent = winPipe;
+                    quickLog(`[SSH Auth] Using Windows agent pipe (blind trust)\n`);
+                }
+                catch (e) {
+                    // Named pipe not available (agent service not running).
+                    // Fall through to key file / password auth.
+                    quickLog(`[SSH Auth] Windows agent pipe error: ${e.message}\n`);
+                }
+            }
+            else {
+                quickLog(`[SSH Auth] No SSH agent available (no SSH_AUTH_SOCK, not Windows)\n`);
+            }
+        }
+        if (config.password) {
+            connectConfig.password = config.password;
+        }
+        if (config.privateKey) {
+            connectConfig.privateKey = config.privateKey;
+            if (config.passphrase) {
+                connectConfig.passphrase = config.passphrase;
+            }
+        }
+        return connectConfig;
+    }
+    async requestPassword(config, promptMessage) {
+        if (!this.onPasswordRequest) {
+            throw new Error('Password authentication required but no password prompt handler is configured');
+        }
+        try {
+            return await this.onPasswordRequest(promptMessage || `Password for ${config.username}@${config.host}:`);
+        }
+        catch {
+            throw new Error('Password input cancelled');
+        }
+    }
+    buildPasswordPromptMessage(config, rawPrompt) {
+        const trimmedPrompt = rawPrompt?.trim();
+        if (trimmedPrompt) {
+            return trimmedPrompt;
+        }
+        return `Password for ${config.username}@${config.host}:`;
+    }
+    isAuthenticationFailure(error) {
+        const message = error instanceof Error ? error.message.toLowerCase() : String(error).toLowerCase();
+        return (message.includes('all configured authentication methods failed') ||
+            message.includes('authentication failed') ||
+            message.includes('permission denied'));
+    }
+    isKeyParseFailure(error) {
+        const message = error instanceof Error ? error.message.toLowerCase() : String(error).toLowerCase();
+        return (message.includes('cannot parse privatekey') ||
+            message.includes('bad passphrase') ||
+            message.includes('no passphrase given') ||
+            message.includes('invalid private key'));
+    }
+    parsePort(value, fallbackPort) {
+        const parsed = Number.parseInt(value, 10);
+        return Number.isFinite(parsed) && parsed > 0 ? parsed : fallbackPort;
+    }
+    applySSHOption(option, setPort, setUsername, setIdentityFile, fallbackPort) {
+        const trimmed = option.trim();
+        if (!trimmed) {
+            return;
+        }
+        const equalsIndex = trimmed.indexOf('=');
+        const key = (equalsIndex >= 0 ? trimmed.slice(0, equalsIndex) : trimmed).trim().toLowerCase();
+        const value = (equalsIndex >= 0 ? trimmed.slice(equalsIndex + 1) : '').trim();
+        if (!value) {
+            return;
+        }
+        if (key === 'identityfile') {
+            setIdentityFile(value);
+            return;
+        }
+        if (key === 'user') {
+            setUsername(value);
+            return;
+        }
+        if (key === 'port') {
+            setPort(this.parsePort(value, fallbackPort));
+        }
+    }
+    tokenizeSSHCommand(command) {
+        const tokens = [];
+        let current = '';
+        let quote = null;
+        let escaped = false;
+        for (const char of command.trim()) {
+            if (escaped) {
+                current += char;
+                escaped = false;
+                continue;
+            }
+            if (char === '\\' && quote !== '\'') {
+                escaped = true;
+                continue;
+            }
+            if (quote) {
+                if (char === quote) {
+                    quote = null;
+                }
+                else {
+                    current += char;
+                }
+                continue;
+            }
+            if (char === '"' || char === '\'') {
+                quote = char;
+                continue;
+            }
+            if (/\s/.test(char)) {
+                if (current) {
+                    tokens.push(current);
+                    current = '';
+                }
+                continue;
+            }
+            current += char;
+        }
+        if (current) {
+            tokens.push(current);
+        }
+        return tokens;
+    }
+    loadIdentityFile(identityPath) {
+        const resolvedPath = this.resolveIdentityPath(identityPath);
+        try {
+            return fs.readFileSync(resolvedPath);
+        }
+        catch (error) {
+            if (error?.code === 'ENOENT') {
+                throw new Error(`SSH identity file not found: ${resolvedPath}`);
+            }
+            throw new Error(`Failed to read SSH identity file "${resolvedPath}": ${error?.message || 'Unknown error'}`);
+        }
+    }
+    resolveIdentityPath(identityPath) {
+        const trimmed = identityPath.trim();
+        if (!trimmed) {
+            return trimmed;
+        }
+        if (trimmed.startsWith('~')) {
+            const homeDir = os.homedir();
+            return path.resolve(homeDir, trimmed.slice(1));
+        }
+        return path.isAbsolute(trimmed) ? trimmed : path.resolve(process.cwd(), trimmed);
+    }
+    loadDefaultIdentityFiles(host) {
+        const homeDir = os.homedir();
+        const candidatePaths = [
+            path.join(homeDir, '.ssh', 'id_ed25519'),
+            path.join(homeDir, '.ssh', 'id_rsa'),
+            path.join(homeDir, '.ssh', 'id_ecdsa'),
+            path.join(homeDir, '.ssh', 'id_dsa'),
+        ];
+        // Add keys from ~/.ssh/config if host is provided
+        if (host) {
+            const configKeys = this.getIdentityFilesFromConfig(host);
+            quickLog(`[SSH Config] Found ${configKeys.length} keys in config for host ${host}\n`);
+            for (const keyPath of configKeys) {
+                // Resolving relative paths in config (relative to ~/.ssh)
+                let resolvedKeyPath = keyPath;
+                if (!path.isAbsolute(keyPath)) {
+                    if (keyPath.startsWith('~')) {
+                        resolvedKeyPath = keyPath.replace(/^~/, homeDir);
+                    }
+                    else {
+                        resolvedKeyPath = path.join(homeDir, '.ssh', keyPath);
+                    }
+                }
+                // Avoid duplicates if user config points to standard keys
+                if (!candidatePaths.includes(resolvedKeyPath)) {
+                    candidatePaths.unshift(resolvedKeyPath); // Priority to config keys
+                }
+            }
+        }
+        const keys = [];
+        for (const candidate of candidatePaths) {
+            try {
+                if (fs.existsSync(candidate)) {
+                    quickLog(`[SSH Auth] Loading key from: ${candidate}\n`);
+                    keys.push(fs.readFileSync(candidate));
+                }
+            }
+            catch {
+                // Ignore unreadable key files and keep trying.
+            }
+        }
+        return keys;
+    }
+    /**
+     * Parse ~/.ssh/config to find IdentityFile entries for the given host.
+     * Supports standard SSH config patterns including wildcards (*, ?) and quoted paths.
+     */
+    getIdentityFilesFromConfig(targetHost) {
+        const homeDir = os.homedir();
+        const configPath = path.join(homeDir, '.ssh', 'config');
+        const identityFiles = [];
+        if (!fs.existsSync(configPath)) {
+            return identityFiles;
+        }
+        try {
+            const content = fs.readFileSync(configPath, 'utf8');
+            const lines = content.split('\n');
+            let inMatchingHost = false;
+            for (const line of lines) {
+                const trimmed = line.trim();
+                if (!trimmed || trimmed.startsWith('#'))
+                    continue;
+                // Split by whitespace to get key and arguments
+                const parts = trimmed.split(/\s+/);
+                const key = parts[0].toLowerCase();
+                if (key === 'host') {
+                    // Check if this Host block matches our target
+                    // Patterns can be separated by whitespace
+                    const patterns = parts.slice(1);
+                    inMatchingHost = patterns.some(pattern => {
+                        // Convert SSH glob pattern to regex
+                        try {
+                            const regex = this.convertGlobToRegex(pattern);
+                            return regex.test(targetHost);
+                        }
+                        catch {
+                            return false;
+                        }
+                    });
+                }
+                else if (inMatchingHost && key === 'identityfile') {
+                    // Found an IdentityFile for a matching host.
+                    // Extract the value robustly (handling potential quotes and spaces)
+                    // Find where the key ends and value begins in the original line
+                    const keyMatch = trimmed.match(/^\S+/);
+                    if (keyMatch) {
+                        let fileValue = trimmed.substring(keyMatch[0].length).trim();
+                        // Remove surrounding quotes if present
+                        if ((fileValue.startsWith('"') && fileValue.endsWith('"')) ||
+                            (fileValue.startsWith("'") && fileValue.endsWith("'"))) {
+                            fileValue = fileValue.slice(1, -1);
+                        }
+                        if (fileValue) {
+                            identityFiles.push(fileValue);
+                        }
+                    }
+                }
+            }
+        }
+        catch (e) {
+            quickLog(`[SSH Config] Failed to parse config file: ${e}\n`);
+        }
+        return identityFiles;
+    }
+    /**
+     * Convert standard SSH config glob pattern to RegExp.
+     * Supports * (wildcard) and ? (single char).
+     */
+    convertGlobToRegex(pattern) {
+        // Escape special regex characters
+        const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
+        // Convert * to .* and ? to .
+        const regexString = '^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$';
+        return new RegExp(regexString);
+    }
     /**
      * Initialize SFTP session
      */
@@ -625,7 +1085,7 @@ export class SSHHandler {
 export CENTAURUS_SUBSHELL=1
 export CENTAURUS_SESSION_ID="${sessionId}"
 _centaurus_pwd_hook() {
-  echo "__CENTAURUS_PWD__:$(pwd)"
+  echo "__CENTAURUS_PWD_${sessionId}__:$(pwd)"
 }
 export PROMPT_COMMAND="_centaurus_pwd_hook; \${PROMPT_COMMAND}"
       `.trim();
@@ -635,7 +1095,7 @@ export PROMPT_COMMAND="_centaurus_pwd_hook; \${PROMPT_COMMAND}"
 export CENTAURUS_SUBSHELL=1
 export CENTAURUS_SESSION_ID="${sessionId}"
 _centaurus_pwd_hook() {
-  echo "__CENTAURUS_PWD__:$(pwd)"
+  echo "__CENTAURUS_PWD_${sessionId}__:$(pwd)"
 }
 precmd_functions+=(_centaurus_pwd_hook)
       `.trim();
@@ -645,7 +1105,7 @@ precmd_functions+=(_centaurus_pwd_hook)
 set -x CENTAURUS_SUBSHELL 1
 set -x CENTAURUS_SESSION_ID "${sessionId}"
 function _centaurus_pwd_hook --on-event fish_prompt
-  echo "__CENTAURUS_PWD__:"(pwd)
+  echo "__CENTAURUS_PWD_${sessionId}__:"(pwd)
 end
       `.trim();
         }
@@ -692,5 +1152,18 @@ export CENTAURUS_SESSION_ID="${sessionId}"
         }
         return entries;
     }
+    /**
+     * Create a new instance of this handler
+     */
+    createNew() {
+        const newHandler = new SSHHandler();
+        if (this.onPasswordRequest) {
+            newHandler.setPasswordRequestCallback(this.onPasswordRequest);
+        }
+        if (this.onDisconnectCallback) {
+            newHandler.setDisconnectCallback(this.onDisconnectCallback);
+        }
+        return newHandler;
+    }
 }
 //# sourceMappingURL=ssh-handler.js.map