feat: Support per-jump-host SSH private key configuration

[inureyes]

Summary

Implements #167: Support per-jump-host SSH private key configuration in config.yaml

This PR adds the ability to configure separate SSH keys for jump hosts, independent of destination node keys. Users can now specify different keys for bastion hosts versus internal nodes, addressing environments where:

• Jump/bastion hosts use different keys than internal destination nodes
• Security policies require separate keys for gateway and target access
• Multi-hop chains require different keys at each hop

Changes

Core Implementation

• JumpHost struct: Added ssh_key: Option<String> field
• JumpHostConfig enum: Created #[serde(untagged)] enum supporting both:
  • Simple(String): Legacy format "user@host:port"
  • Detailed: Structured format with host, user, port, ssh_key fields
• Config resolver: Added get_jump_host_with_key() methods to return both connection string and ssh_key
• Auth priority: Updated determine_auth_method() to prioritize jump host's own ssh_key over cluster key

Configuration Format

Legacy string format (backward compatible):

jump_host: jumpuser@bastion.example.com

New structured format with dedicated key:

jump_host:
  host: bastion.example.com
  user: jumpuser
  port: 22
  ssh_key: ~/.ssh/jump_host_key

SSH Key Priority Order

1. Jump host's own ssh_key field (from structured config)
2. Cluster/defaults ssh_key (fallback)
3. SSH agent (if enabled and available)
4. Default key files (~/.ssh/id_*)

Testing

New Tests

• tests/jump_host_config_test.rs: 13 new tests for config parsing
  • Simple vs detailed format deserialization
  • Per-node jump host override with keys
  • Environment variable expansion
  • Backward compatibility verification
• src/jump/chain/auth.rs: 2 new auth priority tests
  • Jump host key takes priority over cluster key
  • Falls back to cluster key when jump host has no key

Test Results

• All 346 tests passing (20 new tests added)
• Zero compilation warnings
• Full backward compatibility maintained

Documentation

• Updated example-config.yaml with both legacy and structured format examples
• Updated docs/architecture/ssh-jump-hosts.md with implementation details
• Added comprehensive inline documentation

Backward Compatibility

✅ All existing configurations continue to work without changes
✅ String format jump_host: "user@host:port" fully supported
✅ Multi-hop chains work with mixed formats
✅ No breaking changes to API or behavior

Example Use Case

clusters:
  secure:
    nodes:
      - host: db.internal
    user: dbadmin
    ssh_key: ~/.ssh/db_admin_key  # For database access
    jump_host:
      host: bastion.example.com
      user: bastion_user
      ssh_key: ~/.ssh/bastion_key  # Separate key for bastion

Checklist

• JumpHost struct has ssh_key field
• Config supports structured jump_host with host, user, port, ssh_key
• Config supports legacy string format
• Serde untagged enum correctly deserializes both formats
• determine_auth_method uses jump host's ssh_key when provided
• Per-node jump_host structured format works
• Global defaults jump_host structured format works
• Cluster-level jump_host structured format works
• Environment variable expansion works in jump host ssh_key paths
• example-config.yaml includes examples of new syntax
• Existing tests continue to pass
• New unit tests cover structured jump_host deserialization
• New unit tests cover per-jump-host key path resolution

Related Issues

Closes #167