Skip to content

Improve group SSH and Telnet defaults#2124

Merged
binaricat merged 10 commits into
mainfrom
codex/issue-2114-group-credentials-encoding
Jul 12, 2026
Merged

Improve group SSH and Telnet defaults#2124
binaricat merged 10 commits into
mainfrom
codex/issue-2114-group-credentials-encoding

Conversation

@binaricat

Copy link
Copy Markdown
Owner

Closes #2114

What changed

  • let group SSH and Telnet settings reuse saved identities
  • keep manual host and child-group credentials from being replaced by inherited identities
  • replace free-form terminal encoding fields with a shared selector that supports inheritance and existing custom values
  • add regression coverage for selection, inheritance, manual overrides, and encoding compatibility

Why

Group connection settings received saved identities but did not expose them, and the free-form encoding field did not show supported choices. Nested groups also needed an explicit way to stop inheriting a parent identity.

Checks

  • npm run lint
  • targeted group and encoding tests
  • npm run build
  • browser preview smoke check; preview-only local storage reset was not treated as a product failure

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8aa08e2464

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread domain/groupConfig.ts Outdated
const hostHasManualSshCredentials = !host.identityId && Boolean(
host.username?.trim() ||
host.password !== undefined ||
host.authMethod !== undefined ||

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Don't let default authMethod block group identities

When a host has no host-specific credential but still carries the default authMethod field, this marks it as having manual SSH credentials and causes the loop below to skip inheriting groupDefaults.identityId. HostDetailsPanel initializes new hosts with authMethod: "password", so newly-created hosts in a group with a reusable SSH identity won't inherit that identity unless the field is somehow removed, and existing hosts with only a default auth method are affected the same way.

Useful? React with 👍 / 👎.

@binaricat

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ceb114b840

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread domain/groupConfig.ts Outdated
Comment on lines +168 to +171
host.username?.trim() ||
host.password !== undefined ||
host.identityFileId ||
host.identityFilePaths?.length,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Allow group identities when hosts only have a username

When an existing vault host has only a username (for example the default root) and its group is later assigned a reusable identity, resolveEffectiveTerminalHost reaches this check and treats that username alone as manual SSH credentials. That skips inheriting identityId, so the effective host no longer has access to the group's identity password/key and connecting or copying credentials won't use the new group identity unless every host username is manually cleared. Only actual host auth material (password/key/explicit auth override) should block the inherited identity.

Useful? React with 👍 / 👎.

@binaricat

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 67a68c04df

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread domain/groupConfig.ts Outdated
);

for (const key of INHERITABLE_KEYS) {
if (key === 'identityId' && hostHasManualSshCredentials) continue;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Drop the whole inherited SSH identity bundle

When a host has its own password/key but no identityId, this guard skips only the inherited identityId. INHERITABLE_KEYS applies authMethod/savePassword before this line, so a group default created from a reusable key identity can still stamp authMethod: "key" onto an older/imported manual-password host; downstream resolveHostAuth then sees key auth even though the group identity was intentionally ignored. Skip or clear the full identity credential bundle when hostHasManualSshCredentials is true.

Useful? React with 👍 / 👎.

if (!identityId) {
return {
...form,
identityId: inheritedIdentityId ? "" : undefined,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve empty SSH identity opt-outs on reopen

This introduces identityId: "" as the marker for clearing an inherited SSH identity, but the panel still initializes sshEnabled via hasSshFields, which checks !!c.identityId. A group whose only SSH setting is this opt-out reopens with the SSH section disabled, and the next save omits identityId, causing hosts in that group to inherit the parent identity again; treat identityId !== undefined as an SSH field like Telnet now does.

Useful? React with 👍 / 👎.

@binaricat

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8bc11cb8e5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread domain/groupConfig.ts
Comment on lines +177 to +181
const hostHasManualSshCredentials = !host.identityId && Boolean(
host.password !== undefined ||
host.savePassword === false ||
host.identityFileId ||
host.identityFilePaths?.length,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve username-only host credentials

When a host has only a custom username (for example ubuntu) and relies on prompting or agent auth, this predicate stays false because it only treats passwords/save flags/keys as manual credentials. A group identityId is then inherited by the later shouldSkipGroupSshCredentialBundle check, and resolveHostAuth prefers the identity's username/password over host.username, so enabling a group identity can silently change existing hosts that had manual usernames but no saved password/key. Please count an explicit username as a host credential, or otherwise distinguish default usernames before inheriting the identity bundle.

Useful? React with 👍 / 👎.

@binaricat

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. You're on a roll.

Reviewed commit: 6aa6c85cf5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@binaricat binaricat merged commit 8abbd36 into main Jul 12, 2026
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Feature] 考虑优化下分组配置

1 participant