Add session recall, managed SSH runtime UX, and skill portability #503

Merged: penso merged 30 commits into main from plant-diagram on Mar 30, 2026

Conversation


@penso penso commented Mar 28, 2026

Summary

  • add cross-session recall and automatic checkpoints, plus the Hermes comparison roadmap/docs work that shaped the follow-on features
  • harden project context ingestion with Cursor compatibility and visible warnings for suspicious context files
  • add portable skill bundle export/import with provenance, quarantine, and web UI controls
  • add SSH remote execution routing with managed deploy keys, vault-backed storage, host pinning, web/CLI doctor flows, and actionable runtime failure hints
  • tighten the product/docs positioning around the persistent secure personal agent story and add a Beads worktree attach helper

Validation

Completed

  • just format
  • cargo test -p moltis-tools sessions_search -- --nocapture
  • cargo test -p moltis-tools checkpoint -- --nocapture
  • cargo test -p moltis-projects types -- --nocapture
  • cargo test -p moltis-projects context -- --nocapture
  • cargo test -p moltis-skills portability -- --nocapture
  • cargo test -p moltis-config ssh_exec -- --nocapture
  • cargo test -p moltis-gateway node_exec -- --nocapture
  • cargo test -p moltis-auth test_credential_store_ssh_keys_and_targets -- --nocapture
  • cargo test -p moltis-auth test_first_ssh_target_becomes_default_and_delete_promotes_replacement -- --nocapture
  • cargo test -p moltis-auth test_reset_all_removes_managed_ssh_material -- --nocapture
  • cargo test -p moltis-vault migration -- --nocapture
  • cargo test -p moltis-httpd ssh_routes -- --nocapture
  • cargo test -p moltis check_remote_exec_warns_for_unpinned_active_target -- --nocapture
  • cargo test -p moltis read_remote_exec_inventory_reports_pinned_defaults -- --nocapture
  • cargo check -p moltis-gateway
  • cargo check -p moltis-gateway -p moltis -p moltis-skills -p moltis-projects -p moltis-config
  • cargo check -p moltis-web -p moltis-gateway
  • cargo check -p moltis-auth -p moltis-gateway -p moltis-httpd -p moltis-web -p moltis-tools -p moltis-vault
  • cargo check -p moltis-auth -p moltis-gateway -p moltis-httpd -p moltis-web -p moltis
  • cargo check -p moltis-graphql --tests
  • biome check --write crates/web/src/assets/js/page-skills.js crates/web/ui/e2e/specs/skills.spec.js
  • biome check --write crates/web/src/assets/js/page-nodes.js crates/web/src/assets/js/nodes-selector.js crates/web/src/assets/js/components/session-header.js crates/web/ui/e2e/specs/node-selector.spec.js
  • biome check --write crates/web/src/assets/js/page-settings.js crates/web/ui/e2e/specs/ssh-settings.spec.js
  • biome check --write crates/web/src/assets/js/page-nodes.js crates/web/ui/e2e/specs/settings-nav.spec.js
  • cd crates/web/ui && npx playwright test e2e/specs/skills.spec.js
  • cd crates/web/ui && npx playwright test e2e/specs/node-selector.spec.js
  • cd crates/web/ui && npx playwright test e2e/specs/ssh-settings.spec.js e2e/specs/settings-nav.spec.js
  • cd crates/web/ui && npx playwright test e2e/specs/ssh-settings.spec.js
  • cd crates/web/ui && npx playwright test e2e/specs/settings-nav.spec.js -g "nodes doctor can repair and clear the active SSH host pin"
  • cd crates/web/ui && npx playwright test e2e/specs/settings-nav.spec.js -g "nodes doctor shows actionable hint for active SSH route failures"

Remaining

  • just lint still fails locally because of the existing llama-cpp-sys-2 / CMake environment issue (make: Makefile: No such file or directory)
  • just test was not rerun across the entire workspace for this stacked branch

Manual QA

  • Settings → SSH: generate or import a managed key, create a target, scan/pin/refresh/clear host keys, and test connectivity
  • Settings → Nodes: inspect remote exec doctor state, test the active SSH route, and repair or clear the active host pin
  • Settings → Skills: export a bundle, import it, and clear quarantine on the imported bundle
  • Projects: verify context-file warnings and Cursor compatibility against .cursorrules / .cursor/rules


codspeed-hq bot commented Mar 28, 2026

Merging this PR will improve performance by 15.18%

⚡ 1 improved benchmark
✅ 38 untouched benchmarks
⏩ 5 skipped benchmarks [1]

Performance Changes

Benchmark: env_substitution
BASE: 11.6 µs
HEAD: 10.1 µs
Efficiency: +15.18%

Comparing plant-diagram (5e221b5) with main (b1a68d0)

Footnotes

  1. 5 benchmarks were skipped, so the baseline results were used instead.

greptile-apps bot commented Mar 28, 2026

Greptile Summary

This PR lands four major capability areas: cross-session recall with automatic checkpoints, Cursor-compatible project context ingestion, portable skill bundle export/import, and a full managed SSH remote execution runtime with web/CLI UX.

All security concerns from the previous review round are resolved — the checkpoint path-traversal fix, tightened context-warning heuristics, robust passphrase detection, clean RepoProvenance construction, explicit plaintext-key comment, POSIX env-key validation, and "--"-guarded SSH destinations are all present and backed by regression tests.

Key changes:

  • crates/tools/src/checkpoints.rs — new checkpoint create/list/restore with UUID ID validation and symlink rejection.
  • crates/httpd/src/ssh_routes.rs — full SSH key/target CRUD, host-key scan/pin, connectivity test, and doctor endpoint; option-injection and passphrase-detection issues from prior review addressed.
  • crates/auth/src/credential_store.rs — managed SSH key and target storage with vault-encryption path and documented transient-plaintext window.
  • crates/skills/src/portability.rs — bundle export/import with robust zip-slip protection and quarantine-on-import policy.
  • crates/projects/src/context.rs — Cursor compatibility, HTML-comment stripping, and tightened suspicious-pattern scanner.

Two minor P2 findings remain: the known-hosts option value is assembled without path quoting (a space in the temp-dir path truncates it, causing a connection failure rather than a security bypass), and scan_context_warnings runs on post-sanitization content so patterns embedded in stripped HTML comments are not surfaced as warnings (though the content itself is not injected into the agent's prompt).

Confidence Score: 5/5

Safe to merge; all prior P0/P1 security concerns are resolved and the remaining findings are P2 style/quality suggestions.

Every finding from the previous review round has a corresponding fix with regression tests. The two new findings are P2: an edge-case path-quoting issue that causes a connection failure rather than a bypass, and a coverage gap in the warning scanner for content in stripped HTML comments. Neither blocks merge.

crates/projects/src/context.rs (scan_context_warnings runs on post-sanitized content), crates/gateway/src/node_exec.rs (known-hosts option path quoting in exec_over_ssh)

Important Files Changed

  • crates/httpd/src/ssh_routes.rs: New file (1424 lines): full CRUD for managed SSH keys/targets, host-key scan/pin/clear, connectivity test, and doctor endpoint. Validation is well-structured; one P2 concern around the known-hosts option path not being quoted.
  • crates/gateway/src/node_exec.rs: Adds SSH execution routing. Shell-injection fix for env-key names is present, ssh_destination_args inserts -- before the target, and filter_env now requires both is_safe_env and is_valid_env_key.
  • crates/auth/src/credential_store.rs: Adds SshKeyEntry, SshTargetEntry, SshResolvedTarget, and full CRUD for managed SSH keys and targets. Vault encryption path, transient-plaintext comment, and referential-integrity guard on delete are all correct.
  • crates/tools/src/checkpoints.rs: New file: checkpoint create/list/restore with UUID ID validation, symlink rejection, and a regression test for path-traversal IDs.
  • crates/skills/src/portability.rs: New file: tar.gz bundle export/import with robust zip-slip protection, symlink/hard-link rejection, and quarantine-on-import policy. RepoProvenance constructed once from pre-captured originals.
  • crates/projects/src/context.rs: Adds Cursor compatibility, HTML-comment stripping, and tightened suspicious-pattern scanner. P2 gap: scan_context_warnings runs on post-sanitized content, missing patterns in stripped HTML comments.
  • crates/vault/src/migration.rs: Adds migrate_ssh_keys to retroactively encrypt plaintext SSH private keys on vault unseal. AAD derivation matches create_ssh_key.
  • crates/tools/src/sessions_communicate.rs: Adds SessionsSearchTool for cross-session recall with optional access-policy filtering and current-session exclusion. Well-tested.
  • crates/cli/src/doctor_commands.rs: Adds Remote Execution section to doctor with read-only DB inventory, runtime schema detection, and actionable warnings for unpinned/missing targets.
  • crates/web/src/assets/js/page-settings.js: Large addition: SSH key/target management UI with scan/pin/clear, connectivity test with failure-code hints, and doctor view. Covered by Playwright e2e tests.

Reviews (9): Last reviewed commit: "refactor(ssh): use secrecy for imported ..."

penso commented Mar 28, 2026

Addressed the remaining Greptile P2s in 2d0ff500:

  • SSH timeout handling now explicitly kills and reaps the child process instead of relying on pipe closure side effects.
  • Context safety_bypass warnings no longer flag normal setup snippets just because they contain | sh or git push --force-style text.

Validation:

  • just format
  • cargo test -p moltis-projects context -- --nocapture
  • cargo test -p moltis-gateway node_exec -- --nocapture
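
As an added illustration of the kill-and-reap pattern this comment describes (example code, not the project's own): a std-only runner that polls the child and, when the deadline passes, kills it and then waits for it so the exit status is collected and no zombie is left behind. Names are mine, and stdout is read only after exit, so it assumes the output fits in the pipe buffer.

```rust
// Added example (not the project's code): run a command with a wall-clock
// timeout; on expiry, explicitly kill() and wait() the child instead of
// relying on dropped pipes to make it go away.
use std::io::Read;
use std::process::{Child, Command, Stdio};
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Exited { code: Option<i32>, stdout: String },
    TimedOut,
}

/// kill() may fail if the child already exited; wait() is what actually
/// collects the exit status and frees the pid, so it always runs.
fn kill_and_reap(child: &mut Child) {
    let _ = child.kill();
    let _ = child.wait();
}

pub fn run_with_timeout(program: &str, args: &[&str], timeout: Duration) -> std::io::Result<Outcome> {
    let mut child = Command::new(program)
        .args(args)
        .stdin(Stdio::null())
        .stdout(Stdio::piped())
        .stderr(Stdio::null())
        .spawn()?;
    let deadline = Instant::now() + timeout;
    loop {
        match child.try_wait()? {
            Some(status) => {
                // Child is gone; drain whatever it wrote (assumes it fits the pipe buffer).
                let mut out = String::new();
                if let Some(mut pipe) = child.stdout.take() {
                    pipe.read_to_string(&mut out)?;
                }
                return Ok(Outcome::Exited { code: status.code(), stdout: out });
            }
            None if Instant::now() >= deadline => {
                kill_and_reap(&mut child);
                return Ok(Outcome::TimedOut);
            }
            None => std::thread::sleep(Duration::from_millis(20)),
        }
    }
}
```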

penso commented Mar 28, 2026

Addressed the two latest Greptile follow-ups in 39f87982:

  • CredentialStore::create_ssh_target now reads the existing default-target count inside the same transaction used for the insert/update path, so the default-selection decision is transactionally consistent.
  • inspect_imported_private_key now runs the ssh-keygen inspection/decrypt commands with stdin set to /dev/null, keeping the import path explicitly non-interactive.

Validation:

  • just format
  • cargo test -p moltis-auth test_credential_store_ssh_keys_and_targets -- --nocapture
  • cargo test -p moltis-httpd ssh_routes -- --nocapture

cloudflare-workers-and-pages bot commented Mar 29, 2026

Deploying with Cloudflare Workers

Status: Deployment successful
Name: withered-breeze-e956
Latest commit: 1c14460
Updated (UTC): Mar 29 2026, 12:09 PM

penso commented Mar 29, 2026

Followed up on the latest review feedback in three small commits:

  • d91b52c8 guards CredentialStore::delete_ssh_key with a single conditional delete and adds a regression test for deleting an in-use key.
  • 7adadfba cleans up the SSH probe helpers in ssh_routes.rs so the new probe path stays clippy-clean.
  • 0266e0a5 removes the remaining expect() calls from the SSH route tests so the workspace lint pass is happy.

Validation run on the updated PR head:

  • just format
  • cargo test -p moltis-auth test_delete_ssh_key_rejects_in_use_key -- --nocapture
  • cargo test -p moltis-httpd ssh_routes -- --nocapture
  • ./scripts/local-validate.sh 503 reached and passed [local/lint] on 0266e0a5; I stopped it after the five-minute mark while it was still grinding through the broader build matrix, per repo instructions.

I also re-checked review thread state after the push. There are still no unresolved inline review conversations on this PR.

penso commented Mar 29, 2026

Followed up on the latest Greptile note in a088581c.

inspect_imported_private_key no longer passes the supplied SSH key passphrase through ssh-keygen -P ..., which exposed it in process argv. The import path now uses a temporary SSH_ASKPASS helper backed by a 0600 passphrase file in a temp dir, so the passphrase stays out of the command line while the flow remains non-interactive.

Validation:

  • just format
  • cargo test -p moltis-httpd ssh_routes -- --nocapture

I also re-checked PR thread state after the push. There are no unresolved inline review conversations on this PR.
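
The askpass flow described above, as an added example that is not the project's code: a 0600 passphrase file and a 0700 helper script in a private temp dir, plus an ssh-keygen invocation that takes the passphrase through SSH_ASKPASS with stdin from /dev/null, so the secret never appears in argv. The script contents, the env variables set, and all names are my assumptions; it relies on OpenSSH's documented askpass behaviour (SSH_ASKPASS_REQUIRE=force on 8.4+, DISPLAY on older releases).

```rust
// Added example (not the project's code): feed an SSH key passphrase to
// ssh-keygen via a temporary SSH_ASKPASS helper instead of `-P <passphrase>`.
use std::fs;
use std::io::Write;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};
use std::process::{Command, Stdio};

pub struct AskpassHelper {
    dir: PathBuf,
    script: PathBuf,
}

/// Create a file with `mode` applied at creation time (never briefly world-readable).
fn write_private(path: &Path, contents: &str, mode: u32) -> std::io::Result<()> {
    let mut f = fs::OpenOptions::new().write(true).create_new(true).mode(mode).open(path)?;
    f.write_all(contents.as_bytes())
}

impl AskpassHelper {
    pub fn new(passphrase: &str) -> std::io::Result<Self> {
        let stamp = std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH).map(|d| d.as_nanos()).unwrap_or(0);
        // Private temp dir (0700) holding a 0600 secret and a 0700 helper script.
        let dir = std::env::temp_dir().join(format!("askpass-{}-{stamp}", std::process::id()));
        fs::create_dir(&dir)?;
        fs::set_permissions(&dir, fs::Permissions::from_mode(0o700))?;
        write_private(&dir.join("passphrase"), passphrase, 0o600)?;
        let script = dir.join("askpass.sh");
        // The helper prints the secret on stdout; ssh-keygen reads it from there, so
        // the passphrase never appears in argv or in `ps` output.
        write_private(&script, "#!/bin/sh\nexec cat \"$(dirname \"$0\")/passphrase\"\n", 0o700)?;
        Ok(AskpassHelper { dir, script })
    }

    /// `ssh-keygen -y -f <key>` set up to take its passphrase from the helper only.
    pub fn keygen_command(&self, key: &Path) -> Command {
        let mut cmd = Command::new("ssh-keygen");
        cmd.args(["-y", "-f"]).arg(key)
            .env("SSH_ASKPASS", &self.script)
            .env("SSH_ASKPASS_REQUIRE", "force") // OpenSSH >= 8.4: always use the helper
            .env("DISPLAY", "none")              // older OpenSSH checks DISPLAY before askpass
            .stdin(Stdio::null());               // never fall back to an interactive prompt
        cmd
    }
}

/// Remove the secret material as soon as the helper goes out of scope.
impl Drop for AskpassHelper { fn drop(&mut self) { let _ = fs::remove_dir_all(&self.dir); } }
```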

penso commented Mar 29, 2026

Followed up on the latest Greptile summary in 5e221b5e.

  • exec_over_ssh now quotes the temp known-hosts path when building UserKnownHostsFile=..., so paths with spaces keep working instead of being truncated by ssh config parsing. I added a small unit test around the quoting helper.
  • Context warning scanning now runs on the raw file contents before sanitization, with deduping on the warning list. That means suspicious text hidden in stripped leading HTML comments is still surfaced as a warning even though the comment body itself is removed before prompt injection. I added a regression test for that case.

Validation:

  • just format
  • cargo test -p moltis-gateway node_exec -- --nocapture
  • cargo test -p moltis-projects context -- --nocapture

I also re-checked PR thread state after the push. There are still no unresolved inline review conversations on this PR.
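
One argv builder covering the points raised in the Greptile summary (POSIX env-key validation, "--" before the destination) and in this comment (quoting the UserKnownHostsFile path so spaces survive ssh's option parsing), as an added example rather than the project's node_exec code. Function names, the option set, and forwarding env through a remote "env KEY=VALUE" prefix are my assumptions.

```rust
// Added example (not the project's code): hardened ssh argv construction.
/// POSIX portable environment name: [A-Za-z_][A-Za-z0-9_]*
pub fn is_valid_env_key(key: &str) -> bool {
    let mut chars = key.chars();
    matches!(chars.next(), Some(c) if c == '_' || c.is_ascii_alphabetic())
        && chars.all(|c| c == '_' || c.is_ascii_alphanumeric())
}

/// ssh_config values may be double-quoted to carry spaces; embedded quotes and
/// newlines have no portable escape, so they are rejected outright.
pub fn quote_ssh_option_value(value: &str) -> Result<String, String> {
    if value.contains(|c: char| c == '"' || c == '\n' || c == '\r') {
        return Err(format!("unsupported character in ssh option value: {value:?}"));
    }
    Ok(format!("\"{value}\""))
}

/// Single-quote a value for the remote POSIX shell.
fn shell_single_quote(s: &str) -> String {
    format!("'{}'", s.replace('\'', "'\\''"))
}

/// Build the ssh argv for `remote_cmd` on user@host with a pinned known-hosts file.
pub fn build_ssh_args(
    known_hosts: &str, user: &str, host: &str, port: u16,
    env: &[(&str, &str)], remote_cmd: &str,
) -> Result<Vec<String>, String> {
    let known_hosts_opt = format!("UserKnownHostsFile={}", quote_ssh_option_value(known_hosts)?);
    let mut args: Vec<String> = ["-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=yes", "-o"]
        .iter().map(|s| s.to_string()).collect();
    args.push(known_hosts_opt);
    args.extend(["-p".to_string(), port.to_string()]);
    // "--" ends option parsing: a destination starting with '-' is a host name,
    // not an extra ssh option.
    args.push("--".to_string());
    args.push(format!("{user}@{host}"));
    // Keys that fail validation are dropped, never interpolated; values are
    // single-quoted so they cannot break out of their shell word.
    let mut remote = String::from("env");
    for (key, value) in env {
        if is_valid_env_key(key) {
            remote.push_str(&format!(" {key}={}", shell_single_quote(value)));
        }
    }
    remote.push_str(&format!(" {remote_cmd}"));
    args.push(remote);
    Ok(args)
}
```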

@penso penso merged commit 7a2c577 into main Mar 30, 2026
25 of 31 checks passed
@penso penso deleted the plant-diagram branch March 30, 2026 09:09