- replace standalone sandbox keys with "sandbox/root" vault entry
- update inspector config to use vault targets (no passwords/keys)
- make sandbox default active environment
- add vault helpers and tests for remotessh
- add WithNoHostKeyCheck option for ephemeral server IPs
- upload binary to genesis then distribute to other nodes (faster)
- improve provisioning error handling for cleanup on partial failure

Replaces plaintext password-based SSH authentication (sshpass) across the entire Go CLI with wallet-derived ed25519 keys via RootWallet.

- Add `rw vault ssh agent-load` command to RootWallet CLI for SSH agent forwarding in push fanout
- Create wallet.go bridge: PrepareNodeKeys resolves keys from `rw vault ssh get --priv`, writes temp PEMs (0600), zero-overwrites on cleanup
- Remove Password field from Node struct, update config parser to new 3-field format (env|user@host|role)
- Remove all sshpass branches from inspector/ssh.go and remotessh/ssh.go, require SSHKey on all SSH paths
- Add WithAgentForward() option to RunSSHStreaming for hub fanout
- Add PrepareNodeKeys + defer cleanup to all 7 entry points: inspect, monitor, push, upgrade, clean, recover, install
- Update push fanout to use SSH agent forwarding instead of sshpass on hub
- Delete install/ssh.go duplicate, replace with remotessh calls
- Create nodes.conf from remote-nodes.conf (topology only, no secrets)
- Update all config defaults and help text from remote-nodes.conf to nodes.conf
- Use StrictHostKeyChecking=accept-new consistently everywhere

- Deleted redeploy.sh, which handled redeployment to nodes in devnet/testnet environments.
- Removed upgrade-nodes.sh, responsible for rolling upgrades of nodes.
- Eliminated upload-source-fanout.sh, which uploaded source archives to nodes in parallel.
- Removed upload-source.sh, used for uploading and extracting source archives to VPS nodes.
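
The PrepareNodeKeys item above describes writing temporary PEM files with mode 0600 and zero-overwriting them on cleanup. The following Go sketch of that pattern is an added example, not the project's wallet.go: `writeTempKey` and `zeroFile` are hypothetical names, and the key bytes in `main` are a constructed placeholder.

```go
package main

import "os"

// zeroFile overwrites the first n bytes of the file in place and syncs to disk.
// Best effort only: SSDs and copy-on-write filesystems may keep old blocks.
func zeroFile(path string, n int) error {
	f, err := os.OpenFile(path, os.O_WRONLY, 0) // no O_TRUNC: rewrite the same blocks
	if err != nil {
		return err
	}
	defer f.Close()
	if _, err := f.Write(make([]byte, n)); err != nil {
		return err
	}
	return f.Sync()
}

// writeTempKey (hypothetical helper) stores key bytes in a private temp file and
// returns its path plus a cleanup func that zeroes and then removes the file.
func writeTempKey(pem []byte) (string, func() error, error) {
	f, err := os.CreateTemp("", "nodekey-*.pem") // opened with O_EXCL and mode 0600
	if err != nil {
		return "", nil, err
	}
	path := f.Name()
	cleanup := func() error {
		defer os.Remove(path) // unlink even if the overwrite failed
		return zeroFile(path, len(pem))
	}
	_, werr := f.Write(pem)
	if cerr := f.Close(); werr == nil {
		werr = cerr
	}
	if werr != nil {
		cleanup() // partial write: still wipe what reached disk
		return "", nil, werr
	}
	return path, cleanup, nil
}

func main() {
	path, cleanup, err := writeTempKey([]byte("constructed placeholder, not a key\n"))
	if err != nil {
		panic(err)
	}
	defer cleanup() // same shape as "PrepareNodeKeys + defer cleanup" at an entry point
	os.Stdout.WriteString("temp key written to " + path + "\n")
}
```

A deferred cleanup does not run if the process is killed or calls `os.Exit`, so a key file can outlive the command in those cases.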