Fix SSH host aliases for libgit2 remotes

- Resolve HostName/User/Port from ~/.ssh/config for fetch/push

- Keep host alias for IdentityFile selection

- Use git CLI for SSH clone to respect ssh config

Author: wiedymi

aizen/Services/Git/Domain/GitRemoteService.swift

@@ -9,6 +9,19 @@ import Foundation
 
 actor GitRemoteService {
 
+    private func isSSHRemoteURL(_ url: String) -> Bool {
+        if url.hasPrefix("ssh://") { return true }
+        if url.contains("://") { return false }
+        // SCP-like: [user@]host:path
+        if let colon = url.firstIndex(of: ":") {
+            let before = url[..<colon]
+            if !before.isEmpty, !before.contains("/") {
+                return true
+            }
+        }
+        return false
+    }
+
     func fetch(at path: String) async throws {
         try await Task.detached {
             let repo = try Libgit2Repository(path: path)
@@ -40,6 +53,21 @@ actor GitRemoteService {
     }
 
     func clone(url: String, to path: String) async throws {
+        // Prefer git CLI for SSH clones to respect ~/.ssh/config host aliases and advanced ssh options.
+        if isSSHRemoteURL(url) {
+            let environment = ShellEnvironment.loadUserShellEnvironment()
+            let result = try await ProcessExecutor.shared.executeWithOutput(
+                executable: "/usr/bin/git",
+                arguments: ["clone", url, path],
+                environment: environment,
+                workingDirectory: nil
+            )
+            guard result.succeeded else {
+                throw Libgit2Error.networkError(result.stderr.isEmpty ? result.stdout : result.stderr)
+            }
+            return
+        }
+
         try await Task.detached {
             _ = try Libgit2Repository(cloneFrom: url, to: path)
         }.value

aizen/Services/Git/Libgit2/Libgit2Remote.swift

@@ -33,6 +33,114 @@ struct Libgit2TransferProgress: Sendable {
 /// Remote operations extension for Libgit2Repository
 extension Libgit2Repository {
 
+    private struct SSHRemoteURLParts: Sendable {
+        let isSSH: Bool
+        let isSCP: Bool
+        let user: String?
+        let host: String
+        let path: String
+        let port: Int?
+    }
+
+    private func parseSSHRemoteURL(_ url: String) -> SSHRemoteURLParts? {
+        if url.hasPrefix("ssh://"), let u = URL(string: url), let host = u.host {
+            let user = u.user
+            let port = u.port
+            // URL.path includes leading /
+            let path = u.path
+            return SSHRemoteURLParts(isSSH: true, isSCP: false, user: user, host: host, path: path, port: port)
+        }
+
+        // SCP-like: [user@]host:path
+        if !url.contains("://"), let colonIndex = url.firstIndex(of: ":") {
+            let before = String(url[..<colonIndex])
+            let after = String(url[url.index(after: colonIndex)...])
+            guard !before.contains("/"), !after.isEmpty else { return nil }
+
+            let user: String?
+            let host: String
+            if let at = before.firstIndex(of: "@") {
+                user = String(before[..<at])
+                host = String(before[before.index(after: at)...])
+            } else {
+                user = nil
+                host = before
+            }
+
+            guard !host.isEmpty else { return nil }
+            return SSHRemoteURLParts(isSSH: true, isSCP: true, user: user, host: host, path: after, port: nil)
+        }
+
+        return nil
+    }
+
+    private func buildResolvedSSHURL(from parts: SSHRemoteURLParts, resolution: SSHConfigResolution?) -> String? {
+        guard parts.isSSH else { return nil }
+
+        let connectHost = resolution?.hostName?.isEmpty == false ? resolution!.hostName! : parts.host
+        let user = parts.user ?? resolution?.user
+        let port = resolution?.port ?? parts.port
+
+        if parts.isSCP, (port == nil || port == 22) {
+            // Preserve SCP-like semantics when possible.
+            let userPrefix = (user?.isEmpty == false) ? "\(user!)@" : ""
+            return "\(userPrefix)\(connectHost):\(parts.path)"
+        }
+
+        // Fall back to ssh:// format (supports port)
+        var components = URLComponents()
+        components.scheme = "ssh"
+        components.host = connectHost
+        components.user = user
+        components.port = port
+
+        // Ensure leading slash for ssh:// URLs
+        let path = parts.isSCP ? "/\(parts.path)" : (parts.path.hasPrefix("/") ? parts.path : "/\(parts.path)")
+        components.path = path
+
+        return components.url?.absoluteString
+    }
+
+    private func prepareSSHCallbacksPayload(originalHost: String) -> UnsafeMutablePointer<SSHCredentialPayload> {
+        let payload = UnsafeMutablePointer<SSHCredentialPayload>.allocate(capacity: 1)
+        let hostDup = strdup(originalHost)
+        payload.initialize(to: SSHCredentialPayload(keyHost: hostDup))
+        return payload
+    }
+
+    private func freeSSHCallbacksPayload(_ payload: UnsafeMutablePointer<SSHCredentialPayload>?) {
+        guard let payload else { return }
+        if let host = payload.pointee.keyHost {
+            free(host)
+        }
+        payload.deinitialize(count: 1)
+        payload.deallocate()
+    }
+
+    private func configureRemoteInstanceURLIfNeeded(remote: OpaquePointer, forPush: Bool) -> UnsafeMutablePointer<SSHCredentialPayload>? {
+        let rawURLPtr = forPush ? git_remote_pushurl(remote) : git_remote_url(remote)
+        guard let rawURLPtr else { return nil }
+        let rawURL = String(cString: rawURLPtr)
+
+        guard let parts = parseSSHRemoteURL(rawURL) else { return nil }
+
+        let resolution = resolveSSHConfig(forHost: parts.host)
+        let resolvedURL = buildResolvedSSHURL(from: parts, resolution: resolution)
+
+        if let resolvedURL, resolvedURL != rawURL {
+            resolvedURL.withCString { cStr in
+                if forPush {
+                    _ = git_remote_set_instance_pushurl(remote, cStr)
+                } else {
+                    _ = git_remote_set_instance_url(remote, cStr)
+                }
+            }
+        }
+
+        // Preserve the original host (alias) for SSH key selection, even if we changed the connect host.
+        return prepareSSHCallbacksPayload(originalHost: parts.host)
+    }
+
     /// List all remotes
     func listRemotes() throws -> [Libgit2RemoteInfo] {
         guard let ptr = pointer else {
@@ -100,8 +208,11 @@ extension Libgit2Repository {
 
         // Setup callbacks for credential handling
         opts.callbacks.credentials = sshCredentialCallback
+        let payload = configureRemoteInstanceURLIfNeeded(remote: r, forPush: false)
+        opts.callbacks.payload = payload.map { UnsafeMutableRawPointer($0) }
 
         let fetchError = git_remote_fetch(r, nil, &opts, nil)
+        freeSSHCallbacksPayload(payload)
         guard fetchError == 0 else {
             if fetchError == Int32(GIT_EAUTH.rawValue) {
                 throw Libgit2Error.authenticationFailed(remoteName)
@@ -128,6 +239,8 @@ extension Libgit2Repository {
 
         // Setup callbacks for credential handling
         opts.callbacks.credentials = sshCredentialCallback
+        let payload = configureRemoteInstanceURLIfNeeded(remote: r, forPush: true)
+        opts.callbacks.payload = payload.map { UnsafeMutableRawPointer($0) }
 
         // Build refspecs
         var refs: [String]
@@ -154,6 +267,7 @@ extension Libgit2Repository {
         }
 
         let pushError = git_remote_push(r, &strarray, &opts)
+        freeSSHCallbacksPayload(payload)
         guard pushError == 0 else {
             if pushError == Int32(GIT_EAUTH.rawValue) {
                 throw Libgit2Error.authenticationFailed(remoteName)

aizen/Services/Git/Libgit2/SSHConfigParser.swift

@@ -2,17 +2,46 @@ import Foundation
 import Clibgit2
 
 /// Parses ~/.ssh/config to find the IdentityFile for a given host
-func findSSHKeyForHost(_ host: String) -> String? {
+struct SSHConfigResolution: Sendable {
+    let hostName: String?
+    let user: String?
+    let port: Int?
+    let identityFiles: [String]
+}
+
+func resolveSSHConfig(forHost host: String) -> SSHConfigResolution? {
     let homeDir = FileManager.default.homeDirectoryForCurrentUser.path
     let configPath = "\(homeDir)/.ssh/config"
 
     guard let content = try? String(contentsOfFile: configPath, encoding: .utf8) else {
         return nil
     }
 
-    var currentHost: String?
-    var currentIdentityFile: String?
-    var wildcardIdentityFile: String?
+    struct Entry {
+        let patterns: [String]
+        var hostName: String?
+        var user: String?
+        var port: Int?
+        var identityFiles: [String]
+    }
+
+    var entries: [Entry] = []
+    var currentPatterns: [String] = []
+    var currentHostName: String?
+    var currentUser: String?
+    var currentPort: Int?
+    var currentIdentityFiles: [String] = []
+
+    func flushCurrentEntry() {
+        guard !currentPatterns.isEmpty else { return }
+        entries.append(Entry(
+            patterns: currentPatterns,
+            hostName: currentHostName,
+            user: currentUser,
+            port: currentPort,
+            identityFiles: currentIdentityFiles
+        ))
+    }
 
     for line in content.components(separatedBy: .newlines) {
         let trimmed = line.trimmingCharacters(in: .whitespaces)
@@ -21,35 +50,71 @@ func findSSHKeyForHost(_ host: String) -> String? {
             continue
         }
 
-        if trimmed.lowercased().hasPrefix("host ") {
-            if let h = currentHost, let key = currentIdentityFile {
-                if matchesHost(host, pattern: h) {
-                    return expandPath(key)
-                }
-            }
+        let lower = trimmed.lowercased()
 
-            currentHost = String(trimmed.dropFirst(5)).trimmingCharacters(in: .whitespaces)
-            currentIdentityFile = nil
-        } else if trimmed.lowercased().hasPrefix("identityfile ") {
-            currentIdentityFile = String(trimmed.dropFirst(13)).trimmingCharacters(in: .whitespaces)
+        if lower.hasPrefix("host ") {
+            flushCurrentEntry()
 
-            if currentHost == "*" {
-                wildcardIdentityFile = currentIdentityFile
-            }
+            let remainder = String(trimmed.dropFirst(5)).trimmingCharacters(in: .whitespaces)
+            currentPatterns = remainder.split(whereSeparator: { $0 == " " || $0 == "\t" }).map(String.init)
+            currentHostName = nil
+            currentUser = nil
+            currentPort = nil
+            currentIdentityFiles = []
+            continue
         }
-    }
 
-    if let h = currentHost, let key = currentIdentityFile {
-        if matchesHost(host, pattern: h) {
-            return expandPath(key)
+        if lower.hasPrefix("hostname ") {
+            currentHostName = String(trimmed.dropFirst(9)).trimmingCharacters(in: .whitespaces)
+            continue
+        }
+
+        if lower.hasPrefix("user ") {
+            currentUser = String(trimmed.dropFirst(5)).trimmingCharacters(in: .whitespaces)
+            continue
+        }
+
+        if lower.hasPrefix("port ") {
+            let value = String(trimmed.dropFirst(5)).trimmingCharacters(in: .whitespaces)
+            currentPort = Int(value)
+            continue
+        }
+
+        if lower.hasPrefix("identityfile ") {
+            let value = String(trimmed.dropFirst(13)).trimmingCharacters(in: .whitespaces)
+            currentIdentityFiles.append(expandPath(value))
+            continue
         }
     }
 
-    if let wildcard = wildcardIdentityFile {
-        return expandPath(wildcard)
+    flushCurrentEntry()
+
+    guard !entries.isEmpty else { return nil }
+
+    // Apply matching entries in order; later matches override earlier ones.
+    var resolvedHostName: String?
+    var resolvedUser: String?
+    var resolvedPort: Int?
+    var resolvedIdentityFiles: [String] = []
+
+    for entry in entries {
+        guard entry.patterns.contains(where: { matchesHost(host, pattern: $0) }) else { continue }
+        if let hn = entry.hostName { resolvedHostName = hn }
+        if let u = entry.user { resolvedUser = u }
+        if let p = entry.port { resolvedPort = p }
+        if !entry.identityFiles.isEmpty { resolvedIdentityFiles = entry.identityFiles }
     }
 
-    return nil
+    return SSHConfigResolution(
+        hostName: resolvedHostName,
+        user: resolvedUser,
+        port: resolvedPort,
+        identityFiles: resolvedIdentityFiles
+    )
+}
+
+func findSSHKeyForHost(_ host: String) -> String? {
+    resolveSSHConfig(forHost: host)?.identityFiles.first
 }
 
 /// Check if host matches pattern (supports * wildcard)
@@ -84,12 +149,30 @@ func extractHostFromURL(_ urlString: String) -> String? {
             }
         }
     }
+
+    // SCP-like without username: host:path
+    if !urlString.contains("://"), let colonIndex = urlString.firstIndex(of: ":") {
+        let beforeColon = String(urlString[..<colonIndex])
+        if !beforeColon.isEmpty, !beforeColon.contains("/") {
+            if let atIndex = beforeColon.firstIndex(of: "@") {
+                let host = String(beforeColon[beforeColon.index(after: atIndex)...])
+                return host.isEmpty ? nil : host
+            }
+            return beforeColon
+        }
+    }
+
     if let url = URL(string: urlString) {
         return url.host
     }
     return nil
 }
 
+/// Payload for libgit2 SSH credential callback to preserve host alias for key selection
+struct SSHCredentialPayload {
+    let keyHost: UnsafeMutablePointer<CChar>?
+}
+
 /// SSH credential callback for libgit2 - reads SSH config for the correct key
 let sshCredentialCallback: git_credential_acquire_cb = { (cred, url, username_from_url, allowed_types, payload) -> Int32 in
     if allowed_types & UInt32(GIT_CREDENTIAL_SSH_KEY.rawValue) != 0 {
@@ -98,10 +181,18 @@ let sshCredentialCallback: git_credential_acquire_cb = { (cred, url, username_fr
 
         var keysToTry: [String] = []
 
+        let hostForKeySelection: String? = {
+            guard let payload else { return nil }
+            let p = payload.assumingMemoryBound(to: SSHCredentialPayload.self).pointee
+            guard let keyHost = p.keyHost else { return nil }
+            return String(cString: keyHost)
+        }()
+
         if let urlStr = url.map({ String(cString: $0) }),
-           let host = extractHostFromURL(urlStr),
-           let configKey = findSSHKeyForHost(host) {
-            keysToTry.append(configKey)
+           let host = hostForKeySelection ?? extractHostFromURL(urlStr) {
+            if let resolved = resolveSSHConfig(forHost: host), !resolved.identityFiles.isEmpty {
+                keysToTry.append(contentsOf: resolved.identityFiles)
+            }
         }
 
         keysToTry.append(contentsOf: [