Reintegrate upstream 0.6: reset main to wiktor-k/ssh-agent-lib and re-apply the QueryResponse wire-format fix (ad23a6d)

[friedenberg]

Goal

amarbel-llc/ssh-agent-lib main has diverged from upstream wiktor-k/ssh-agent-lib main: 11 ahead / 26 behind (status: diverged).

Of the 11 "ahead" commits, 10 are upstream's own cert-support/rename lineage (Add CertKeyData, Rename CertKeyData -> PublicCredential, Rename Credential -> PrivateCredential, Move PrivateCredential to credential module, etc.) — upstream has since merged that work (PR wiktor-k#101) and shipped it in 0.6, so those commits are now redundant on our fork. The only fork-unique commit is ad23a6d ("Fix QueryResponse wire format to match IETF spec and OpenSSH").

Bring the fork current with upstream 0.6 while preserving that one fix.

Plan

1. Reset main to wiktor-k/ssh-agent-lib main (currently the 0.6 release line, tip 59707d1 "release version 0.6"). This is a history reset / force-push of our main.
2. Cherry-pick / re-apply ad23a6d on top.

Feasibility (verified against upstream main)

• ad23a6d is a single-file, self-contained change: src/proto/extension/message.rs (+63/-4) — replaces QueryResponse's Vec<String> Encode/Decode (which adds/reads an outer u32 byte-count prefix the SSH agent protocol does not use for extension query responses) with flat per-string encode/decode, plus compliance tests asserting byte-identical output to OpenSSH process_ext_query.
• That file exists at the same path on 0.6 and still carries the buggy encoding (self.extensions.encode(writer) / Vec::<String>::decode), so the fix is still required.
• The QueryResponse impl block and the test module's insertion point (after the round_trip helper, before parse_bind) on 0.6 match ad23a6d's patch context, so the cherry-pick should apply cleanly — at most a trivial context nudge for the added use in the test module.

Downstream impact (ssh-agent-mux)

• ssh-agent-mux pins this fork at branch=main (its Cargo.lock is currently ad23a6d). After reintegration, bump ssh-agent-mux's Cargo.lock to the new tip and confirm it builds + passes just (cargo + bats). The 26 upstream commits include 0.6 dependency updates and the cert renames; ssh-agent-mux/src/lib.rs already imports PrivateCredential, so it is partly aligned, but the full build/tests must be re-verified.
• Relates to ssh-agent-mux#10 (aggregated query drops upstream ecdh@joyent.com): the wrapped-output half (hypothesis b) is exactly this ad23a6d fix; the code-6 SSH_AGENT_SUCCESS handling half (hypothesis a) is a separate change in ssh-agent-mux, not this repo.

Reported by Clown :clown:

[friedenberg]

Reintegration done. master is now the default branch and holds upstream 0.6 + the one fork-unique fix:

• 59707d1 — upstream 0.6 (wiktor-k/ssh-agent-lib tip), reset onto.
• d16b3e8 — cherry-pick of ad23a6d (QueryResponse wire-format fix). Applied cleanly, single file src/proto/extension/message.rs (+63/-4), as predicted — the buggy Vec::<String> encode/decode still existed on 0.6.
• f0d9935 — added a flake.nix devshell (stable Rust + clippy/rustfmt/rust-src, cargo-deny, codespell, just) so the justfile lanes run via nix develop/use flake, matching the sibling ssh-agent-mux.

Verification: just tests (cargo test --all) is green inside the devshell — 38 tests, 0 failed, including the 3 new compliance tests (query_response_matches_openssh_wire_format, query_response_roundtrip, query_response_empty_roundtrip). Crate builds as ssh-agent-lib v0.6.0.

Branch changes (per request): default branch switched main → master; main deleted. The 10 redundant cert/rename commits from the old fork lineage are dropped (they're in upstream 0.6).

Downstream follow-up (not done here — separate repo): ssh-agent-mux pins this fork at branch=main, which no longer exists. It must be repointed to branch=master and its Cargo.lock bumped to f0d9935, then re-verified (just). Tracking that separately.

Leaving this open for you to verify and close.

🤡 Clown: https://github.com/amarbel-llc/clown