Add native SSH theme clones and selectable key directories

Cargo.toml

@@ -12,21 +12,25 @@ anyhow = "1.0.102"
 askama = "0.15.4"
 askama_web = { version = "0.15.2", features = ["axum-0.8", "tracing-0.1"] }
 async-trait = "0.1.89"
-aws-config = "1.8.15"
+aws-config = "1.8.16"
 aws-credential-types = "1.2.14"
-aws-sdk-s3 = "1.129.0"
-aws-types = "1.3.14"
+aws-sdk-s3 = "1.131.0"
+aws-types = "1.3.15"
 axum = { version = "0.8.8", features = ["multipart", "macros"] }
 axum-server = { version = "0.8.0", features = ["tokio-rustls", "tls-rustls"] }
 chrono = "0.4.44"
 clap = { version = "4.6.1", features = ["derive", "env"] }
 compact_jwt = "0.5.6"
-gix = { version = "0.81.0", default-features = false, features = [
+gix = { version = "0.83.0", default-features = false, features = [
     "blocking-http-transport-reqwest",
     "blocking-http-transport-reqwest-rust-tls",
     "blocking-network-client",
     "sha1",
     "worktree-mutation",
+    "worktree-stream",
+] }
+gix-transport = { version = "0.57.0", default-features = false, features = [
+    "blocking-client",
 ] }
 glob = "0.3.3"
 html-escape = "0.2.13"
@@ -37,8 +41,16 @@ openidconnect = { version = "4.0.1", features = ["reqwest"] }
 quick-xml = "0.39.2"
 rand = "0.10.1"
 regex = "1.12.3"
-reqwest = { version = "0.12", default-features = false, features = ["rustls-tls", "json", "multipart"] }
-rustls = "0.23.39"
+reqwest = { version = "0.12", default-features = false, features = [
+    "rustls-tls",
+    "json",
+    "multipart",
+] }
+russh = { version = "0.54.5", default-features = false, features = [
+    "aws-lc-rs",
+    "flate2",
+] }
+rustls = "0.23.40"
 sea-orm = { version = "1.1.20", features = [
     "runtime-tokio-rustls",
     "sqlx-sqlite",
@@ -56,15 +68,26 @@ similar = "3.1.0"
 sqlx = { version = "0.8.6", features = ["runtime-tokio-rustls", "sqlite"] }
 tempfile = "3.27.0"
 tera = "1.20.1"
-tokio = { version = "1.52.1", features = [
+thiserror = "2.0.18"
+tokio = { version = "1.51.1", features = [
     "rt-multi-thread",
     "macros",
     "signal",
+    "sync",
+    "io-util",
+    "net",
+    "fs",
+], default-features = false }
+tokio-util = { version = "0.7.18", default-features = false, features = [
+    "io",
+    "io-util",
 ] }
 tower-http = { version = "0.6.8", features = ["fs"] }
 tower-sessions = "0.15.0"
 # TODO: remove this vendored tower-sessions-sqlx-store dependency once the upstream dependencies are updated.
-tower-sessions-sqlx-store = { path = "vendor/tower-sessions-sqlx-store", features = ["sqlite"] }
+tower-sessions-sqlx-store = { path = "vendor/tower-sessions-sqlx-store", features = [
+    "sqlite",
+] }
 tracing = { version = "0.1.44", features = ["log"] }
 tracing-appender = "0.2.4"
 tracing-subscriber = { version = "0.3.23", features = [

Dockerfile

@@ -75,6 +75,8 @@ ENV WEBSITES_DB_PATH="/data/websites.sqlite"
 ENV WEBSITES_UPLOAD_ROOT="/data/uploads"
 ENV WEBSITES_RENDERED_DIR="/data/rendered"
 ENV WEBSITES_SITE_TEMPLATES_DIR="/data/site_templates"
+ENV WEBSITES_THEME_SSH_KEY_DIR="/data/theme_ssh_keys"
+ENV WEBSITES_THEME_SSH_KNOWN_HOSTS_PATH="/data/theme_ssh_known_hosts"
 ENV WEBSITES_TLS_CERT_PATH="/certs/tls.crt"
 ENV WEBSITES_TLS_KEY_PATH="/certs/tls.key"
 ENV WEBSITES_ADMIN_ASSETS_DIR="/admin-ui-assets"

docs/src/System-Design-Updates.md

@@ -43,3 +43,4 @@
 - 2026-04-05: The admin content editor now supports Markdown pipe tables in rich-text mode through TipTap table controls. Stored table syntax round-trips through the Markdown source view, and site preview/publish render those tables with GFM table parsing enabled on the Rust markdown path.
 - 2026-04-03: Admin asset browsing now supports explicit sort controls for upload date, file size, and original filename on the site assets page, the upload page asset browser, and both asset picker modals. The shared `/api/site/<site_id>/assets/library` query contract accepts `sort_by` and `sort_dir`, and picker responses now include `byte_length` so the UI can display the active sort context.
 - 2026-04-19: The new content form now exposes a browser date/time picker for `created_at` on both posts and pages. New content creation can persist an author-selected creation timestamp, and newly created published content now defaults `published_at` to that same chosen timestamp so route dates and initial publish time stay aligned.
+- 2026-04-27: Theme install and update keep SSH repository URLs unchanged and use native `russh` transport for SSH clones instead of allowing `gix` to invoke an external `ssh` program. Admins can configure `WEBSITES_THEME_SSH_KEY_DIR` or `--theme-ssh-key-dir` (Docker default `/data/theme_ssh_keys`), and theme install/edit forms enumerate selectable private key filenames from that directory. Themes store only `theme_registry.ssh_key_name`; clone/update resolves that filename under the configured key directory, rejects traversal, and requires a selected key for SSH URLs while HTTPS and local paths can leave it blank. First-seen SSH host keys are stored in the runtime TOFU file configured by `WEBSITES_THEME_SSH_KNOWN_HOSTS_PATH`, and changed host keys are rejected.

mise.toml

@@ -1,6 +1,6 @@
 [tools]
 "github:xd009642/tarpaulin" = "latest"
-pnpm = "10.30.3"
+pnpm = "latest"
 python = "3.13"
 semgrep = "latest"
 

python_api_client/pyproject.toml

@@ -21,10 +21,10 @@ build-backend = "uv_build"
 
 [dependency-groups]
 dev = [
-    "cryptography>=46.0.7",
+    "cryptography>=47.0.0",
     "pytest>=9.0.3",
-    "ruff>=0.15.10",
-    "ty>=0.0.29",
+    "ruff>=0.15.12",
+    "ty>=0.0.32",
 ]
 
 [tool.ruff]