Support OpenSSH certificate-based authentication (-cert.pub files) in
the Credentials manager. When a CA-signed certificate is stored alongside
a private key, Termix uses it during SSH connection establishment so that
servers relying on certificate-based authorization work out of the box.
Changes:
- db/schema.ts: add cert_public_key column to ssh_credentials table
- db/index.ts: auto-migration via addColumnIfNotExists
- routes/credentials.ts: expose certPublicKey in create/update/get endpoints
- ssh/auth-manager.ts: include certPublicKey in ResolvedCredentials
- ssh/host-resolver.ts: propagate certPublicKey when resolving credentials
- ssh/opkssh-cert-auth.ts: refactor shared logic into _applyCertToConnection;
export new setupCACertAuth() with optional passphrase support
- ssh/terminal.ts: call setupCACertAuth() when a certificate is present
- utils/ssh-key-utils.ts: detect all OpenSSH cert types in public key parser
- types/index.ts: add certPublicKey to Credential, CredentialBackend,
CredentialData interfaces
- CredentialAuthenticationTab.tsx: new CA Certificate section with file
upload, paste editor and automatic cert-type badge
- CredentialEditor.tsx: certPublicKey wired into form schema and submit
- CredentialViewer.tsx: show certificate status in security tab
- locales/en.json: add i18n strings for new UI elements
Allows OIDC-authenticated users to be auto-provisioned even when
"Allow new account registration" is disabled. Adds an admin UI toggle
and corresponding API endpoints (GET/PATCH /users/oidc-auto-provision).
Falls back to OIDC_ALLOW_REGISTRATION env var if the setting is unset.
Adds a "3-Way (H)" layout option (2 top + 1 bottom) alongside the
existing "3-Way (V)" (1 left + 2 right).
Fixes file manager content overflowing its split pane by adding
min-h-0 to nested flex containers that were missing it.
The default terminal font was configured but never loaded via CSS,
causing browsers to fall back to generic monospace. This broke column
alignment and TUI rendering (ncurses menus, box-drawing chars).
SIGTERM/SIGINT handlers previously called process.exit(0) immediately
without persisting the in-memory SQLite database. This caused session
data loss on container restart, forcing users to re-authenticate.