feat: add SSH settings for device and namespace

[henrybarreto]

Add allow-based SSH settings for both namespace and device configuration, update the backend migrations and auth flow, and wire the React console to edit the new settings consistently.

Closes #6136

---

Namespace's settings:

Device's settings:

[github-actions]

Claude finished @henrybarreto's task in 7m 11s —— View job

---

Code Review Complete

Reviewed 28 files. 6 inline issues posted (2 critical, 2 high, 2 medium).

Critical: Cloud compilation breakage (non-inlinable)

DeviceIsOnline and DeviceOnlineThreshold were removed from api/store/pg/device.go, but cloud/pkg/store/pg/session.go still references both symbols via the shpg import alias (lines 220, 258, 262). This will cause a compilation failure in the cloud repo. These removals appear unrelated to the disable password/public key feature — either restore them or submit a companion cloud PR first.

Additional notes

• This PR includes several unrelated changes mixed into the same commit: removal of DeviceIsOnline/DeviceOnlineThreshold, removal of fromLt filter, session online check removals, CLI refactoring, and UUID mock changes. Consider splitting these into separate commits or PRs.
• Missing migration test: migration_121_test.go does not exist, while virtually every other migration (1–120) has one. Consider adding it following the existing pattern.

---

If you've addressed the feedback and want a new review, tag @shellhub-io/admin and a team member can trigger it.

[gustavosbarreto]

/review

[github-actions]

Claude finished @gustavosbarreto's task in 7m 6s —— View job

---

Code Review Complete

Reviewed 32 files. 2 inline issues posted (1 critical, 1 high).

Critical: Auth method restriction bypass via SSH fallback

The DisablePassword/DisablePublicKey checks in Evaluate() are only called when the session state is StateEvaluated (session.go:650). When an SSH client's first auth method passes Evaluate() and register() but fails at connect(), the state is already saved as StateRegistered. On fallback to a second auth method, Auth() enters the StateRegistered case directly, skipping Evaluate() entirely. This allows bypassing disable_password by first attempting (and failing) public key auth, then falling back to password — the DisablePassword check never runs. See inline comment for details and fix.

Additional notes

• Cloud admin NamespaceUpdate silently drops new settings: cloud/internal/admin/services/namespace.go:68-71 copies settings fields individually (SessionRecord, ConnectionAnnouncement) but does not copy the new DisablePassword/DisablePublicKey fields. When an admin updates a namespace through the cloud admin service, these settings will be silently reset to false. A companion cloud change is needed.

• Previous review findings still open: The critical bson:"omitempty" bug on boolean fields (pkg/models/namespace.go:54-55) and the disable_public_key not being handled in the terminal login form (ui/src/components/Terminal/TerminalLoginForm.vue) from the prior review remain unaddressed.

---

If you've addressed the feedback and want a new review, tag @shellhub-io/admin and a team member can trigger it.

[github-actions]

Claude encountered an error —— View job

---

Code Review Complete

Reviewed 69 files. 2 inline issues posted (2 high).

Additional notes

• Previous review findings still open: The critical bson:"omitempty" bug on boolean fields (pkg/models/namespace.go:54-62, pkg/models/device.go:104-112), the auth method bypass via SSH fallback (ssh/session/session.go Auth() method), and the required constraints removal from namespaceSettings.yaml from prior reviews remain unaddressed.
• Dead code: SettingDisablePassword.vue and SettingDisablePublicKey.vue are not imported anywhere and reference the removed disable_password/disable_public_key API fields — they should be deleted.
• Stale interface fields: INamespaceSettings in ui/src/interfaces/INamespace.ts still has disable_password? and disable_public_key? optional fields that no longer exist in the API — these should be removed to prevent future confusion.

---

If you've addressed the feedback and want a new review, tag @shellhub-io/admin and a team member can trigger it.

[gustavosbarreto]

/review

[github-actions]

Claude finished @gustavosbarreto's task in 3m 17s —— View job

---

Code Review Complete

Reviewed 69 files. 5 inline issues posted (2 critical, 3 high).

Additional notes

• Previous review findings still open: The critical bson:"omitempty" bug on boolean fields (pkg/models/namespace.go:54-62, pkg/models/device.go:104-112), the auth method bypass via SSH fallback (ssh/session/session.go Auth() method), and the TerminalLoginForm.vue not filtering public key auth when allow_public_key=false from prior reviews remain unaddressed.

• Cloud test helpers need updating: cloud/pkg/store/storetest/helpers.go and cloud/internal/admin/services/namespace_test.go construct NamespaceSettings with only SessionRecord and ConnectionAnnouncement. The new Allow* fields default to Go's false, so cloud tests will create namespaces with all SSH features disabled — breaking any test that exercises SSH connections.

• Cloud admin NamespaceUpdate still missing new fields: cloud/internal/admin/services/namespace.go copies settings fields individually but does not copy the new Allow* fields, silently resetting them to false on admin updates.

---

If you've addressed the feedback and want a new review, tag @shellhub-io/admin and a team member can trigger it.

[gustavosbarreto]

/review

[github-actions]

Claude finished @gustavosbarreto's task in 1m 33s —— View job

---

Code Review Complete

Reviewed 69 files. 4 inline issues posted (2 high, 1 high, 1 medium).

Additional notes

• Previous review findings still open: The critical bson:"omitempty" bug on boolean fields (pkg/models/namespace.go:54-62, pkg/models/device.go:104-112), the auth method restriction bypass via SSH fallback (ssh/session/session.go Auth() method), the upsert overwriting created_at and PK id columns (api/store/pg/device.go:165, api/store/pg/namespace.go:168), and the shallow copy sharing the Settings pointer in namespace tests (api/services/namespace_test.go) from prior reviews remain unaddressed.

• Cloud admin NamespaceUpdate still drops new settings: cloud/internal/admin/services/namespace.go:69-70 copies only SessionRecord and ConnectionAnnouncement but not the 9 new Allow* fields. Admin namespace updates will silently reset these settings to false. A companion cloud change is still needed.

---

If you've addressed the feedback and want a new review, tag @shellhub-io/admin and a team member can trigger it.

[gustavosbarreto]

/review

[github-actions]

Claude finished @gustavosbarreto's task in 39s —— View job

---

Code Review Complete

Reviewed 69 files. 1 inline issue posted (1 high).

Additional notes

• Previous review findings still open: The critical bson:"omitempty" bug on boolean fields (pkg/models/namespace.go:54-62, pkg/models/device.go:104-112), the auth method restriction bypass via SSH fallback (ssh/session/session.go Auth() method), the upsert overwriting created_at and PK id columns (api/store/pg/device.go:184, api/store/pg/namespace.go:187), the shallow copy sharing the Settings pointer in namespace tests (api/services/namespace_test.go:1223), the allow_password and allow_public_key added to required in namespaceSettings.yaml:51-55 (breaking API change), and the dead code SettingAllowPassword.vue/SettingAllowPublicKey.vue from prior reviews remain unaddressed.

• Cloud admin NamespaceUpdate still drops new settings: cloud/internal/admin/services/namespace.go:69-70 copies only SessionRecord and ConnectionAnnouncement but not the 9 new Allow* fields. Admin namespace updates will silently reset these settings to false. A companion cloud change is still needed.

---

If you've addressed the feedback and want a new review, tag @shellhub-io/admin and a team member can trigger it.

[github-actions]

severity: high — Stale permission entries from the old disable_* naming convention.

namespace:updateDisablePassword and namespace:updateDisablePublicKey are defined but never referenced anywhere in the codebase — the PR renamed these to namespace:updateAllowPassword and namespace:updateAllowPublicKey (lines 46–47). These two entries are dead code that pollute the Action type.

Suggested change

	"namespace:updateDisablePassword": Roles.ADMINISTRATOR,
	"namespace:updateDisablePublicKey": Roles.ADMINISTRATOR,
	"namespace:updateAllowPassword": Roles.ADMINISTRATOR,
	"namespace:updateAllowPublicKey": Roles.ADMINISTRATOR,