refactor: harden ssh_config handling, mount path, and CLI UX from audit findings

Three rounds of audit-driven hardening, fully documented in DECISIONS.md:

- argv hardening: validate HostName/User/IdentityFile via allowlist regexes,
  parse Port via strconv.Atoi, surface ssh_config parse errors instead of
  silently swallowing them. Switch -o kernel_cache to auto_cache for network-
  FS correctness, pin StrictHostKeyChecking=accept-new.
- LOW-severity cleanup: -v verbose flag (default output is just the mount
  path), run_editor returns errors and main exits 7 on failure, ABOUTME
  headers, golang.org/x/sys v0.43.0 (go 1.25.0).
- Defense-in-depth + UX: rxIdentityFile first-character anchor rejects
  leading "-"/"."/":"/etc., verify_mount_dir resolves base via EvalSymlinks
  and refuses pre-existing symlinks at the mount path, flag.Usage shows the
  positional <Host> argument, run_editor uses cmd.Start() so cold-start
  Sublime does not block the terminal.
- CI: empty-PKGVER guard in update-pkgver workflow.
- Tests: verify_mount_dir path-traversal + symlink-reject coverage,
  rxHostUser/rxIdentityFile boundary cases.

.gitea/workflows/update-pkgver.yaml

@@ -13,7 +13,9 @@ jobs:
     runs-on: moonarch
     steps:
       - name: Checkout source repo
+        shell: bash
         run: |
+          set -euo pipefail
           git clone --bare http://gitea:3000/nevaforget/sshfs_connect.git source.git
           cd source.git
           PKGVER=$(git describe --long --tags | sed 's/^v//;s/-/.r/;s/-/./')
@@ -21,8 +23,23 @@ jobs:
           echo "$PKGVER" > /tmp/pkgver
 
       - name: Update PKGBUILD
+        shell: bash
+        env:
+          PKGBUILD_TOKEN: ${{ secrets.PKGBUILD_TOKEN }}
         run: |
+          set -euo pipefail
+
+          if [ -z "${PKGBUILD_TOKEN:-}" ]; then
+            echo "ERROR: PKGBUILD_TOKEN secret is empty or unset."
+            echo "Set it under Repo Settings -> Actions -> Secrets."
+            exit 1
+          fi
+
           PKGVER=$(cat /tmp/pkgver)
+          if [ -z "$PKGVER" ]; then
+            echo "ERROR: PKGVER from previous step is empty."
+            exit 1
+          fi
           git clone http://gitea:3000/nevaforget/moonarch-pkgbuilds.git pkgbuilds
           cd pkgbuilds
 
@@ -34,10 +51,13 @@ jobs:
 
           sed -i "s/^pkgver=.*/pkgver=$PKGVER/" sshfsc-git/PKGBUILD
           sed -i "s/^\tpkgver = .*/\tpkgver = $PKGVER/" sshfsc-git/.SRCINFO
-          echo "Updated pkgver: $OLD_VER → $PKGVER"
+          echo "Updated pkgver: $OLD_VER -> $PKGVER"
 
           git config user.name "pkgver-bot"
           git config user.email "gitea@moonarch.de"
           git add sshfsc-git/PKGBUILD sshfsc-git/.SRCINFO
           git commit -m "chore(sshfsc-git): bump pkgver to $PKGVER"
-          git -c http.extraHeader="Authorization: token ${{ secrets.PKGBUILD_TOKEN }}" push
+
+          echo "--- pushing ---"
+          git -c http.extraHeader="Authorization: token ${PKGBUILD_TOKEN}" push --verbose origin HEAD:main
+          echo "--- push done ---"

.gitignore

@@ -1 +1,2 @@
-sshfs_connect
+sshfs_connect
+sshfsc

DECISIONS.md

@@ -0,0 +1,78 @@
+# Decisions
+
+## 2026-04-26 – Audit remediation: cache flag, host-key policy, argv hardening
+- **Who**: Dom, ClaudeCode
+- **Why**: Audit found `kernel_cache` causes stale reads on a network FS;
+  `StrictHostKeyChecking` was implicit (depended on system default);
+  `ssh_config`-sourced strings flowed into the sshfs argv without validation,
+  allowing comma- or leading-dash injection if `~/.ssh/config` is attacker-influenced.
+- **Tradeoffs**:
+  - `auto_cache` invalidates the page cache on `open(2)` when mtime/size
+    differ → marginal perf hit vs. correctness on a network FS.
+  - `accept-new` for `StrictHostKeyChecking` preserves first-connection UX
+    (TOFU) but locks subsequent reconnects to the recorded key.
+  - Allowlist regexes for HostName/User/IdentityFile are restrictive but match
+    real-world SSH naming. Rejected inputs surface a clear error.
+- **How**:
+  - Replaced `-o kernel_cache` with `-o auto_cache` in `mount_sshfs`.
+  - Added explicit `-o StrictHostKeyChecking=accept-new`.
+  - Added `lookup_ssh_field` (uses `GetStrict`, surfaces parse errors) and
+    `validate_ssh_field` with per-field allowlists; Port parsed via `strconv.Atoi`.
+  - Added `main_test.go` covering `verify_mount_dir` and the allowlist regexes.
+  - Hardened `.gitea/workflows/update-pkgver.yaml` with an empty-PKGVER guard.
+
+## 2026-04-26 – LOW-severity audit findings: cleanup pass + one Won't-Fix
+- **Who**: Dom, ClaudeCode
+- **Why**: Followup on the LOW-severity findings from the same audit.
+- **How**:
+  - Q-L1: dead `if len(port) == 0 { port = "22" }` block already removed by Q-M1
+    refactor (port now flows through `lookup_ssh_field` → `strconv.Atoi`).
+  - Q-L2: `run_editor` returns `error` and `main` exits 7 on editor failure
+    instead of swallowing it.
+  - Q-L3: ABOUTME header added to `main.go` per global CLAUDE.md convention.
+  - P-L1: `golang.org/x/sys` bumped `v0.1.0 → v0.43.0` via `go get … && go mod tidy`.
+    `go` directive moved from 1.23.4 to 1.25.0 (required by the new dep).
+  - S-L2: added `-v` flag; default output now prints only the mount path.
+    `-v` restores the previous full HostName/User/Port/IdentityFile/Mount block.
+- **Won't-Fix**:
+  - **S-L1** — `.gitea/workflows/update-pkgver.yaml` clones over
+    `http://gitea:3000/...`. This URL only resolves inside the Docker network
+    between the Gitea-act-runner container and the Gitea container. External
+    traffic still terminates TLS at the reverse proxy. An attacker on the
+    internal Docker bridge has already compromised the host; TLS between
+    containers does not help in that scenario. Documenting as accepted risk.
+
+## 2026-04-26 – Second-round audit: defense-in-depth + UX
+- **Who**: Dom, ClaudeCode
+- **Why**: Re-audit (Quality + Performance + Security in parallel) surfaced five
+  remaining LOW findings after agent-output gegencheck. Two MEDIUM claims were
+  filtered out as false positives: missing `Port` already defaults to `"22"` via
+  `ssh_config.Default()` (verified in library source), and `lookup_ssh_field`
+  does not parse `~/.ssh/config` four times — `kevinburke/ssh_config` caches via
+  `sync.Once`, so four `GetStrict` calls = one parse + three in-memory walks.
+  An additional MEDIUM claim about a regex range bug (`%-` interpreted as range)
+  was empirically refuted (only `-` matched, not the implied range), but a
+  legitimate defense-in-depth gap remained: the regex still allowed leading `-`
+  in IdentityFile values.
+- **Tradeoffs**:
+  - `run_editor` switched to `cmd.Start()` — drops editor exit-status
+    propagation in exchange for non-blocking UX on Sublime cold-start. Errors
+    from missing binary or fork failure are still returned.
+  - `verify_mount_dir` now `MkdirAll`s the base separately before
+    `EvalSymlinks`. `EvalSymlinks` requires the path to exist; without the
+    upfront `MkdirAll`, first run on a fresh system would fail.
+  - `rxIdentityFile` first-character class restricted to `[A-Za-z0-9/~]`. Plain
+    relative paths like `.ssh/id` are rejected — unusual but technically valid
+    in `ssh_config`. If a real config uses relative IdentityFile values, the
+    user gets a clear error and can switch to absolute or `~`-prefixed.
+- **How**:
+  - **S-L1**: anchored `rxIdentityFile` to `^[A-Za-z0-9/~][A-Za-z0-9._@/:+=~%-]*$`.
+  - **S-L2**: `verify_mount_dir` resolves base via `filepath.EvalSymlinks` and
+    rejects existing mount paths that are symlinks (`os.Lstat`).
+  - **Q-L1**: `flag.Usage` override now prints the positional `<Host>` argument
+    in the help output.
+  - **Q-L2**: inline comment at the `run_editor` call site documents the
+    deliberate fall-through on already-mounted hosts.
+  - **P-L2**: `run_editor` uses `cmd.Start()` instead of `cmd.Run()`.
+  - Tests extended: rxIdentityFile boundary cases, `TestVerifyMountDirRejectsSymlink`,
+    existing `TestVerifyMountDir` paths now compared against `EvalSymlinks(base)`.

README.md

@@ -22,7 +22,7 @@ install -Dm755 sshfsc /usr/local/bin/sshfsc
 # Dependencies
 
 - [SSHFS](https://wiki.archlinux.org/title/SSHFS)
-- [Go](https://wiki.archlinux.org/title/Go) (build-time)
+- [Go](https://wiki.archlinux.org/title/Go) >= 1.25 (build-time)
 
 # Usage
 
@@ -32,11 +32,15 @@ sshfsc <Host>
 
 ## Arguments
 
-| Flag          | Description   |
-| ------------- | ------------- |
-| -e            | open mountpoint in your editor |
+| Flag | Description |
+| ---- | ----------- |
+| `-e` | open mountpoint in your editor |
+| `-v` | verbose: print resolved ssh_config fields (HostName, User, Port, IdentityFile) |
 
-Editor Sublime-Text (subl) is currently hardcoded. [See](https://gitea.moonarch.de/nevaforget/sshfs_connect/issues/1)
+By default only the resolved mount path is printed. Use `-v` for the full
+ssh_config dump.
+
+Editor Sublime-Text (`subl`) is currently hardcoded. [See](https://gitea.moonarch.de/nevaforget/sshfs_connect/issues/1)
 
 # Example ssh config
 

go.mod

@@ -1,10 +1,10 @@
 module sshfsc
 
-go 1.23.4
-
-require github.com/kevinburke/ssh_config v1.2.0
+go 1.25.0
 
 require (
-	github.com/moby/sys/mountinfo v0.7.2 // indirect
-	golang.org/x/sys v0.1.0 // indirect
+	github.com/kevinburke/ssh_config v1.2.0
+	github.com/moby/sys/mountinfo v0.7.2
 )
+
+require golang.org/x/sys v0.43.0 // indirect

go.sum

@@ -2,5 +2,5 @@ github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
 github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=

main.go

@@ -1,98 +1,208 @@
+// ABOUTME: CLI tool that mounts remote filesystems via sshfs based on
+// ABOUTME: ~/.ssh/config entries, with optional editor launch on the mountpoint.
+
 package main
 
 import (
+	"flag"
 	"fmt"
 	"os"
 	"os/exec"
-	"github.com/moby/sys/mountinfo"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+
 	"github.com/kevinburke/ssh_config"
-	"flag"
+	"github.com/moby/sys/mountinfo"
 )
 
-var eFlag = flag.Bool("e", false, "open mountpoint in your editor")
+var (
+	rxHostUser     = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9._-]*$`)
+	rxIdentityFile = regexp.MustCompile(`^[A-Za-z0-9/~][A-Za-z0-9._@/:+=~%-]*$`)
+)
+
+var (
+	eFlag = flag.Bool("e", false, "open mountpoint in your editor")
+	vFlag = flag.Bool("v", false, "verbose: print resolved ssh_config fields")
+)
 
 func main() {
+	flag.Usage = func() {
+		fmt.Fprintf(os.Stderr,
+			"usage: sshfsc [flags] <Host>\n\n"+
+				"Mount a remote home directory via sshfs based on ~/.ssh/config entries.\n\n"+
+				"Flags:\n")
+		flag.PrintDefaults()
+	}
 	flag.Parse()
 	args := flag.Args()
 
 	if len(args) == 0 {
-		fmt.Println("No hostname specified.")
-		os.Exit(80)
+		fmt.Fprintln(os.Stderr, "No hostname specified.")
+		os.Exit(2)
+	}
+
+	hostname, err := lookup_ssh_field(args[0], "HostName")
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(3)
+	}
+	user, err := lookup_ssh_field(args[0], "User")
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(3)
+	}
+	port, err := lookup_ssh_field(args[0], "Port")
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(3)
+	}
+	ifile, err := lookup_ssh_field(args[0], "IdentityFile")
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(3)
+	}
+
+	if hostname == "" || user == "" || ifile == "" {
+		var missing []string
+		if hostname == "" {
+			missing = append(missing, "HostName")
+		}
+		if user == "" {
+			missing = append(missing, "User")
+		}
+		if ifile == "" {
+			missing = append(missing, "IdentityFile")
+		}
+		fmt.Fprintf(os.Stderr, "ssh config %q missing required field(s): %s\n",
+			args[0], strings.Join(missing, ", "))
+		os.Exit(3)
+	}
+
+	if err := validate_ssh_field("HostName", hostname, rxHostUser); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(3)
+	}
+	if err := validate_ssh_field("User", user, rxHostUser); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(3)
+	}
+	if err := validate_ssh_field("IdentityFile", ifile, rxIdentityFile); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(3)
+	}
+	if p, perr := strconv.Atoi(port); perr != nil || p < 1 || p > 65535 {
+		fmt.Fprintf(os.Stderr, "ssh config Port %q is not a valid port number\n", port)
+		os.Exit(3)
+	}
+
+	mount, err := verify_mount_dir(hostname)
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "verify_mount_dir() failed:", err)
+		os.Exit(4)
+	}
+
+	if *vFlag {
+		fmt.Println("Hostname:	", hostname)
+		fmt.Println("User:		", user)
+		fmt.Println("Port:		", port)
+		fmt.Println("Ifile:		", ifile)
+		fmt.Println("Mount:		", mount)
+		fmt.Println("---")
 	} else {
-		hostname := ssh_config.Get(args[0], "HostName")
-		user := ssh_config.Get(args[0], "User")
-		port := ssh_config.Get(args[0], "Port")
-		ifile := ssh_config.Get(args[0], "IdentityFile")
+		fmt.Println("Mount:	", mount)
+	}
 
-		if len(hostname) == 0 || len(user) == 0 || len(ifile) == 0 {
-			fmt.Println("Hostname not found in ~/.ssh_config")
-			os.Exit(3)
-		} else {
-			mount := verify_mount_dir(hostname)
-
-			fmt.Println("Hostname:	",hostname)
-			fmt.Println("User:		", user)
-			fmt.Println("Port:		", port)
-			fmt.Println("Ifile:		", ifile)
-			fmt.Println("Mount:		", mount)
-			fmt.Println("---")
-			
-			chkmount, chkmount_err := mountinfo.Mounted(mount)
-			if chkmount_err != nil {
-				fmt.Println("mountinfo.Mounted() failed with %s\n", chkmount_err)
-			}
-			if chkmount == false {
-				mount_sshfs(hostname, user, ifile, port, mount)
-			} else {
-				fmt.Println("!!! Already mounted")
-			}
-			run_editor(mount)
+	chkmount, chkmount_err := mountinfo.Mounted(mount)
+	if chkmount_err != nil {
+		fmt.Fprintf(os.Stderr, "mountinfo.Mounted() failed with %s\n", chkmount_err)
+		os.Exit(5)
+	}
+	if !chkmount {
+		if err := mount_sshfs(hostname, user, ifile, port, mount); err != nil {
+			fmt.Fprintln(os.Stderr, "mount_sshfs() failed:", err)
+			os.Exit(6)
 		}
+	} else {
+		fmt.Println("!!! Already mounted")
+	}
+	// run_editor fires on -e regardless of mount state: re-invoking with -e
+	// re-opens the editor on an already-mounted server.
+	if err := run_editor(mount); err != nil {
+		fmt.Fprintln(os.Stderr, "run_editor() failed:", err)
+		os.Exit(7)
 	}
 }
 
-func run_editor(mount string) {
-	if(*eFlag == true) {
-		cmd := exec.Command("subl", mount)
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		err := cmd.Run()
-		if err != nil {
-			fmt.Println("run_editor() failed with\n",err)
-		}
+func lookup_ssh_field(alias, field string) (string, error) {
+	v, err := ssh_config.GetStrict(alias, field)
+	if err != nil {
+		return "", fmt.Errorf("parse ~/.ssh/config: %w", err)
 	}
+	return v, nil
 }
 
-func verify_mount_dir(hostname string)(mount string) {
-	homedir, homedirerr := os.UserHomeDir()
-	if homedirerr != nil {
-		fmt.Println( homedirerr )
+func validate_ssh_field(name, value string, allow *regexp.Regexp) error {
+	if !allow.MatchString(value) {
+		return fmt.Errorf("ssh config %s %q contains disallowed characters", name, value)
 	}
-	mount = homedir+"/Servers/"+hostname
-	os.MkdirAll(mount, os.ModePerm)
-
-	return
+	return nil
 }
 
-func mount_sshfs(hostname string, user string, ifile string, port string, mount string) {
+func run_editor(mount string) error {
+	if !*eFlag {
+		return nil
+	}
+	cmd := exec.Command("subl", mount)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Start()
+}
+
+func verify_mount_dir(hostname string) (string, error) {
+	homedir, err := os.UserHomeDir()
+	if err != nil {
+		return "", fmt.Errorf("resolve home dir: %w", err)
+	}
+	base := filepath.Join(homedir, "Servers")
+	if err := os.MkdirAll(base, 0700); err != nil {
+		return "", fmt.Errorf("create base %q: %w", base, err)
+	}
+	realBase, err := filepath.EvalSymlinks(base)
+	if err != nil {
+		return "", fmt.Errorf("resolve base %q: %w", base, err)
+	}
+	mount := filepath.Clean(filepath.Join(realBase, hostname))
+	if !strings.HasPrefix(mount, realBase+string(os.PathSeparator)) {
+		return "", fmt.Errorf("hostname %q escapes mount base %q", hostname, realBase)
+	}
+	if info, err := os.Lstat(mount); err == nil && info.Mode()&os.ModeSymlink != 0 {
+		return "", fmt.Errorf("mount path %q is a symlink", mount)
+	}
+	if err := os.MkdirAll(mount, 0700); err != nil {
+		return "", fmt.Errorf("create mount dir %q: %w", mount, err)
+	}
+	return mount, nil
+}
+
+func mount_sshfs(hostname string, user string, ifile string, port string, mount string) error {
 	cmd := exec.Command("sshfs", "-p", port,
 		"-o", "IdentityFile="+ifile,
 		"-o", "idmap=user",
 		"-o", "cache=yes",
-		"-o", "kernel_cache",
+		"-o", "auto_cache",
 		"-o", "attr_timeout=60",
 		"-o", "entry_timeout=60",
 		"-o", "negative_timeout=20",
 		"-o", "Ciphers=aes128-gcm@openssh.com",
 		"-o", "Compression=no",
 		"-o", "reconnect",
+		"-o", "StrictHostKeyChecking=accept-new",
 		"-o", "ServerAliveInterval=15",
 		"-o", "ServerAliveCountMax=3",
-		user+"@"+hostname+":/", mount)
+		user+"@"+hostname+":", mount)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
-	err := cmd.Run()
-	if err != nil {
-		fmt.Println("mount_sshfs() failed with\n",err)
-	}
+	return cmd.Run()
 }

main_test.go

@@ -0,0 +1,128 @@
+// ABOUTME: Unit tests for sshfsc helpers, primarily the path-traversal guard
+// ABOUTME: in verify_mount_dir and the ssh_config field allowlist regexes.
+
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func TestVerifyMountDir(t *testing.T) {
+	home := t.TempDir()
+	t.Setenv("HOME", home)
+	base := filepath.Join(home, "Servers")
+	if err := os.MkdirAll(base, 0700); err != nil {
+		t.Fatalf("setup base: %v", err)
+	}
+	realBase, err := filepath.EvalSymlinks(base)
+	if err != nil {
+		t.Fatalf("resolve base: %v", err)
+	}
+
+	cases := []struct {
+		name     string
+		hostname string
+		wantErr  string // substring; "" means no error
+		wantPath string // only checked when wantErr == ""
+	}{
+		{"normal alias", "server1", "", filepath.Join(realBase, "server1")},
+		{"trailing slash", "server1/", "", filepath.Join(realBase, "server1")},
+		{"dot in name", "db.prod", "", filepath.Join(realBase, "db.prod")},
+		{"parent traversal", "../etc", "escapes mount base", ""},
+		{"deep traversal", "../../tmp/x", "escapes mount base", ""},
+		{"empty string", "", "escapes mount base", ""},
+		{"single dot", ".", "escapes mount base", ""},
+		// nested path lands under base — accepted by guard. The hostname allowlist
+		// (rxHostUser) rejects slashes upstream; this test pins guard behaviour.
+		{"nested path stays under base", "sub/dir", "", filepath.Join(realBase, "sub/dir")},
+		// absolute-looking input does not escape because filepath.Join keeps it
+		// under base. Same upstream allowlist applies.
+		{"absolute-looking input", "/etc/passwd", "", filepath.Join(realBase, "etc/passwd")},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			got, err := verify_mount_dir(tc.hostname)
+			if tc.wantErr != "" {
+				if err == nil {
+					t.Fatalf("want error containing %q, got nil (path=%q)", tc.wantErr, got)
+				}
+				if !strings.Contains(err.Error(), tc.wantErr) {
+					t.Fatalf("error %q does not contain %q", err.Error(), tc.wantErr)
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if got != tc.wantPath {
+				t.Fatalf("path = %q, want %q", got, tc.wantPath)
+			}
+		})
+	}
+}
+
+func TestValidateSSHFieldRegexes(t *testing.T) {
+	cases := []struct {
+		name  string
+		value string
+		rx    string
+		ok    bool
+	}{
+		{"plain host", "myserver", "host", true},
+		{"host with dots", "db.prod.example.com", "host", true},
+		{"host with hyphen", "edge-01", "host", true},
+		{"host leading dash rejected", "-rogue", "host", false},
+		{"host with comma rejected", "a,b", "host", false},
+		{"host with space rejected", "a b", "host", false},
+		{"host with slash rejected", "a/b", "host", false},
+		{"host empty rejected", "", "host", false},
+
+		{"identityfile tilde", "~/.ssh/id_ed25519", "ifile", true},
+		{"identityfile absolute", "/home/dom/.ssh/id_rsa", "ifile", true},
+		{"identityfile letter start", "id_rsa", "ifile", true},
+		{"identityfile digit start", "0key", "ifile", true},
+		{"identityfile dash mid accepted", "~/.ssh/id-host", "ifile", true},
+		{"identityfile with comma rejected", "~/.ssh/id,allow_other", "ifile", false},
+		{"identityfile with space rejected", "~/.ssh/id rsa", "ifile", false},
+		{"identityfile leading dash rejected", "-Ffoo", "ifile", false},
+		{"identityfile leading dot rejected", ".ssh/id", "ifile", false},
+		{"identityfile leading colon rejected", ":weird", "ifile", false},
+		{"identityfile empty rejected", "", "ifile", false},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			var rx = rxHostUser
+			if tc.rx == "ifile" {
+				rx = rxIdentityFile
+			}
+			err := validate_ssh_field("X", tc.value, rx)
+			if tc.ok && err != nil {
+				t.Fatalf("want accept, got error: %v", err)
+			}
+			if !tc.ok && err == nil {
+				t.Fatalf("want reject, got accept")
+			}
+		})
+	}
+}
+
+func TestVerifyMountDirRejectsSymlink(t *testing.T) {
+	home := t.TempDir()
+	t.Setenv("HOME", home)
+	base := filepath.Join(home, "Servers")
+	if err := os.MkdirAll(base, 0700); err != nil {
+		t.Fatalf("setup base: %v", err)
+	}
+	target := t.TempDir()
+	if err := os.Symlink(target, filepath.Join(base, "evil")); err != nil {
+		t.Fatalf("create symlink: %v", err)
+	}
+	_, err := verify_mount_dir("evil")
+	if err == nil || !strings.Contains(err.Error(), "is a symlink") {
+		t.Fatalf("want symlink rejection, got %v", err)
+	}
+}