wraith/tasks/auth/client-auth-handler.md

id, name, status, depends_on, scope, risk, impact, level

id	name	status	depends_on	scope	risk	impact	level
auth/client-auth-handler	Implement client-side SSH authentication with Ed25519 key pairs	pending	auth/key-loading auth/error-types	narrow	low	component	implementation

Description

Implement the client-side SSH authentication. The client presents an Ed25519 private key during SSH handshake. This creates the russh::client::Handler implementation and the russh::client::ConnectStreamConfig that uses the loaded key.

No password auth. The client handler is simpler than the server — it just needs to provide the private key and handle the auth callback from russh.

Acceptance Criteria

• crates/wraith-core/src/auth/client_auth.rs exports ClientAuthConfig and client handler
• ClientAuthConfig holds: private_key: KeyPair, optional public_key: PublicKey
• ClientAuthConfig::from_key_source(source: KeySource) -> Result<Self> — loads key via key-loading module
• Implements russh::client::Handler with auth_publickey() returning the public key
• Client handler returns russh::client::AuthResult::Accept or appropriate auth state
• Unit tests: valid key creates handler, auth flow succeeds with mock SSH session

References

• docs/architecture/client.md — "Authentication is Ed25519 public key or OpenSSH certificate (ADR-012)"
• docs/architecture/decisions/012-auth-ed25519-and-cert-authority.md — key-based auth only

Notes

To be filled by implementation agent

Summary

To be filled on completion