Add 1Password integration, SFTP folder download, and UI fixes

- 1Password CLI integration: vault browser, op:// credential resolution, biometric auth
- SFTP: 1Password credential support, recursive folder download
- Fix tags persistence on host creation
- Fix long hostnames pushing action buttons off-screen
- Dynamic version display on startup screen
- Add /bump command for release workflow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Tomer Vaknin

src/SshManager.App/Infrastructure/DbMigrator.cs

@@ -229,7 +229,37 @@ await db.Database.ExecuteSqlRawAsync(
         logger.Information("Schema version updated to 1");
         } // end if (currentVersion < 1)
 
-        // Future migrations go here as: if (currentVersion < 2) { ... }
+        if (currentVersion < 2)
+        {
+            // 1Password integration columns on Hosts table
+            var hostsColumns2 = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+            await using (var cmd = connection.CreateCommand())
+            {
+                cmd.CommandText = "PRAGMA table_info(Hosts)";
+                await using var reader = await cmd.ExecuteReaderAsync();
+                while (await reader.ReadAsync())
+                {
+                    hostsColumns2.Add(reader.GetString(1));
+                }
+            }
+
+            if (!hostsColumns2.Contains("OnePasswordReference"))
+            {
+                await db.Database.ExecuteSqlRawAsync(
+                    "ALTER TABLE Hosts ADD COLUMN OnePasswordReference TEXT DEFAULT NULL");
+                logger.Information("Added missing column OnePasswordReference to Hosts table");
+            }
+
+            if (!hostsColumns2.Contains("OnePasswordKeyReference"))
+            {
+                await db.Database.ExecuteSqlRawAsync(
+                    "ALTER TABLE Hosts ADD COLUMN OnePasswordKeyReference TEXT DEFAULT NULL");
+                logger.Information("Added missing column OnePasswordKeyReference to Hosts table");
+            }
+
+            await UpdateSchemaVersionAsync(connection, 2);
+            logger.Information("Schema version updated to 2");
+        }
     }
 
     /// <summary>

src/SshManager.App/Infrastructure/SecurityServiceExtensions.cs

@@ -1,5 +1,6 @@
 using Microsoft.Extensions.DependencyInjection;
 using SshManager.Security;
+using SshManager.Security.OnePassword;
 
 namespace SshManager.App.Infrastructure;
 
@@ -16,6 +17,7 @@ public static IServiceCollection AddSecurityServices(this IServiceCollection ser
         services.AddSingleton<IPpkConverter, PpkConverter>();
         services.AddSingleton<IPassphraseEncryptionService, PassphraseEncryptionService>();
         services.AddSingleton<IKeyEncryptionService, KeyEncryptionService>();
+        services.AddSingleton<IOnePasswordService, OnePasswordService>();
 
         return services;
     }

src/SshManager.App/ViewModels/HostDialogViewModel.cs

@@ -7,6 +7,7 @@
 using SshManager.Core.Models;
 using SshManager.Data.Repositories;
 using SshManager.Security;
+using SshManager.Security.OnePassword;
 using SshManager.Terminal.Services;
 
 namespace SshManager.App.ViewModels;
@@ -138,6 +139,7 @@ public HostDialogViewModel(
         ISerialConnectionService serialConnectionService,
         IAgentDiagnosticsService? agentDiagnosticsService = null,
         IKerberosAuthService? kerberosAuthService = null,
+        IOnePasswordService? onePasswordService = null,
         IHostProfileRepository? hostProfileRepo = null,
         IProxyJumpProfileRepository? proxyJumpRepo = null,
         IPortForwardingProfileRepository? portForwardingRepo = null,
@@ -161,6 +163,7 @@ public HostDialogViewModel(
             secretProtector,
             agentDiagnosticsService,
             kerberosAuthService,
+            onePasswordService,
             hostProfileRepo,
             proxyJumpRepo,
             portForwardingRepo,

src/SshManager.App/ViewModels/HostEdit/SshConnectionSettingsViewModel.cs

@@ -7,6 +7,7 @@
 using SshManager.Core.Models;
 using SshManager.Data.Repositories;
 using SshManager.Security;
+using SshManager.Security.OnePassword;
 using SshManager.Terminal.Services;
 
 namespace SshManager.App.ViewModels.HostEdit;
@@ -22,6 +23,7 @@ public partial class SshConnectionSettingsViewModel : ObservableObject
     private readonly ISecretProtector _secretProtector;
     private readonly IAgentDiagnosticsService? _agentDiagnosticsService;
     private readonly IKerberosAuthService? _kerberosAuthService;
+    private readonly IOnePasswordService? _onePasswordService;
     private readonly IHostProfileRepository? _hostProfileRepo;
     private readonly IProxyJumpProfileRepository? _proxyJumpRepo;
     private readonly IPortForwardingProfileRepository? _portForwardingRepo;
@@ -110,6 +112,25 @@ public partial class SshConnectionSettingsViewModel : ObservableObject
 
     #endregion
 
+    #region 1Password Properties
+
+    [ObservableProperty]
+    private string _onePasswordReference = "";
+
+    [ObservableProperty]
+    private string _onePasswordKeyReference = "";
+
+    [ObservableProperty]
+    private bool _isOnePasswordAvailable;
+
+    [ObservableProperty]
+    private string _onePasswordStatusText = "Checking...";
+
+    [ObservableProperty]
+    private bool _isCheckingOnePassword;
+
+    #endregion
+
     #region Kerberos Properties
 
     [ObservableProperty]
@@ -151,6 +172,11 @@ public partial class SshConnectionSettingsViewModel : ObservableObject
     /// </summary>
     public bool ShowKerberosSettings => AuthType == AuthType.Kerberos;
 
+    /// <summary>
+    /// Gets whether to show 1Password settings.
+    /// </summary>
+    public bool ShowOnePasswordSettings => AuthType == AuthType.OnePassword;
+
     /// <summary>
     /// Gets the display text for port forwarding status.
     /// </summary>
@@ -206,6 +232,7 @@ public SshConnectionSettingsViewModel(
         ISecretProtector secretProtector,
         IAgentDiagnosticsService? agentDiagnosticsService = null,
         IKerberosAuthService? kerberosAuthService = null,
+        IOnePasswordService? onePasswordService = null,
         IHostProfileRepository? hostProfileRepo = null,
         IProxyJumpProfileRepository? proxyJumpRepo = null,
         IPortForwardingProfileRepository? portForwardingRepo = null,
@@ -215,6 +242,7 @@ public SshConnectionSettingsViewModel(
         _secretProtector = secretProtector;
         _agentDiagnosticsService = agentDiagnosticsService;
         _kerberosAuthService = kerberosAuthService;
+        _onePasswordService = onePasswordService;
         _hostProfileRepo = hostProfileRepo;
         _proxyJumpRepo = proxyJumpRepo;
         _portForwardingRepo = portForwardingRepo;
@@ -259,6 +287,10 @@ public void LoadFromHost(HostEntry host)
         KerberosServicePrincipal = host.KerberosServicePrincipal;
         KerberosDelegateCredentials = host.KerberosDelegateCredentials;
 
+        // 1Password settings
+        OnePasswordReference = host.OnePasswordReference ?? "";
+        OnePasswordKeyReference = host.OnePasswordKeyReference ?? "";
+
         // Keep-alive settings
         if (host.KeepAliveIntervalSeconds.HasValue)
         {
@@ -320,6 +352,22 @@ public void PopulateHost(HostEntry host)
             host.KerberosDelegateCredentials = false;
         }
 
+        // 1Password settings
+        if (AuthType == AuthType.OnePassword)
+        {
+            host.OnePasswordReference = string.IsNullOrWhiteSpace(OnePasswordReference)
+                ? null
+                : OnePasswordReference.Trim();
+            host.OnePasswordKeyReference = string.IsNullOrWhiteSpace(OnePasswordKeyReference)
+                ? null
+                : OnePasswordKeyReference.Trim();
+        }
+        else
+        {
+            host.OnePasswordReference = null;
+            host.OnePasswordKeyReference = null;
+        }
+
         // Host/Proxy profiles
         host.HostProfileId = SelectedHostProfile?.Id;
         host.HostProfile = SelectedHostProfile;
@@ -375,6 +423,11 @@ public async Task LoadAsync(CancellationToken ct = default)
         {
             _ = RefreshKerberosStatusAsync();
         }
+
+        if (AuthType == AuthType.OnePassword)
+        {
+            _ = RefreshOnePasswordStatusAsync();
+        }
     }
 
     /// <summary>
@@ -615,6 +668,58 @@ private async Task RefreshKerberosStatusAsync()
         }
     }
 
+    /// <summary>
+    /// Refreshes 1Password CLI status information.
+    /// </summary>
+    [RelayCommand]
+    private async Task RefreshOnePasswordStatusAsync()
+    {
+        if (_onePasswordService == null)
+        {
+            OnePasswordStatusText = "1Password service not available";
+            IsOnePasswordAvailable = false;
+            return;
+        }
+
+        IsCheckingOnePassword = true;
+
+        try
+        {
+            var status = await _onePasswordService.GetStatusAsync();
+
+            IsOnePasswordAvailable = status.IsInstalled && status.IsAuthenticated;
+
+            if (status.IsAuthenticated)
+            {
+                OnePasswordStatusText = !string.IsNullOrEmpty(status.AccountEmail)
+                    ? $"Connected as {status.AccountEmail}"
+                    : "Authenticated";
+            }
+            else if (status.IsInstalled)
+            {
+                var hint = !string.IsNullOrEmpty(status.ErrorMessage) ? status.ErrorMessage
+                    : "Enable CLI integration in 1Password: Settings > Developer";
+                OnePasswordStatusText = $"Not authenticated — {hint}";
+            }
+            else
+            {
+                OnePasswordStatusText = "1Password CLI not installed";
+            }
+
+            _logger.LogDebug("1Password status refreshed: {StatusText}", OnePasswordStatusText);
+        }
+        catch (Exception ex)
+        {
+            OnePasswordStatusText = "Error checking 1Password status";
+            IsOnePasswordAvailable = false;
+            _logger.LogWarning(ex, "Failed to refresh 1Password status");
+        }
+        finally
+        {
+            IsCheckingOnePassword = false;
+        }
+    }
+
     #endregion
 
     #region Property Changed Handlers
@@ -625,6 +730,7 @@ partial void OnAuthTypeChanged(AuthType value)
         OnPropertyChanged(nameof(ShowPassword));
         OnPropertyChanged(nameof(ShowAgentStatus));
         OnPropertyChanged(nameof(ShowKerberosSettings));
+        OnPropertyChanged(nameof(ShowOnePasswordSettings));
 
         // Refresh agent status when switching to SSH Agent auth
         if (value == AuthType.SshAgent)
@@ -637,6 +743,12 @@ partial void OnAuthTypeChanged(AuthType value)
         {
             _ = RefreshKerberosStatusAsync();
         }
+
+        // Refresh 1Password status when switching to OnePassword auth
+        if (value == AuthType.OnePassword)
+        {
+            _ = RefreshOnePasswordStatusAsync();
+        }
     }
 
     partial void OnPortForwardingProfileCountChanged(int value)
@@ -709,6 +821,23 @@ public List<string> Validate()
                     errors.Add($"Private key file not found: {keyPath}");
                 }
                 break;
+
+            case AuthType.OnePassword:
+                var pwdRef = OnePasswordReference?.Trim() ?? "";
+                var keyRef = OnePasswordKeyReference?.Trim() ?? "";
+                if (string.IsNullOrWhiteSpace(pwdRef) && string.IsNullOrWhiteSpace(keyRef))
+                {
+                    errors.Add("At least one 1Password reference (password or SSH key) is required");
+                }
+                if (!string.IsNullOrWhiteSpace(pwdRef) && !pwdRef.StartsWith("op://", StringComparison.OrdinalIgnoreCase))
+                {
+                    errors.Add("Password reference must start with 'op://'");
+                }
+                if (!string.IsNullOrWhiteSpace(keyRef) && !keyRef.StartsWith("op://", StringComparison.OrdinalIgnoreCase))
+                {
+                    errors.Add("SSH key reference must start with 'op://'");
+                }
+                break;
         }
 
         return errors;

src/SshManager.App/ViewModels/HostManagementViewModel.cs

@@ -12,6 +12,7 @@
 using SshManager.Data.Repositories;
 using SshManager.Data.Services;
 using SshManager.Security;
+using SshManager.Security.OnePassword;
 using SshManager.Terminal.Services;
 using SshManager.App.Views.Dialogs;
 using SshManager.App.Behaviors;
@@ -36,6 +37,7 @@ public partial class HostManagementViewModel : ObservableObject, IDisposable
     private readonly ISerialConnectionService _serialConnectionService;
     private readonly IAgentDiagnosticsService? _agentDiagnosticsService;
     private readonly IKerberosAuthService? _kerberosAuthService;
+    private readonly IOnePasswordService? _onePasswordService;
     private readonly IHostValidationService _validationService;
     private readonly IHostCacheService _hostCacheService;
     private readonly ILogger<HostManagementViewModel> _logger;
@@ -90,6 +92,7 @@ public HostManagementViewModel(
         IHostCacheService hostCacheService,
         IAgentDiagnosticsService? agentDiagnosticsService = null,
         IKerberosAuthService? kerberosAuthService = null,
+        IOnePasswordService? onePasswordService = null,
         ILogger<HostManagementViewModel>? logger = null)
     {
         _hostRepo = hostRepo;
@@ -105,6 +108,7 @@ public HostManagementViewModel(
         _hostCacheService = hostCacheService;
         _agentDiagnosticsService = agentDiagnosticsService;
         _kerberosAuthService = kerberosAuthService;
+        _onePasswordService = onePasswordService;
         _logger = logger ?? NullLogger<HostManagementViewModel>.Instance;
 
         // Subscribe to initial collection changes
@@ -328,6 +332,7 @@ private async Task AddHostAsync()
                 _serialConnectionService,
                 _agentDiagnosticsService,
                 _kerberosAuthService,
+                _onePasswordService,
                 _hostProfileRepo,
                 _proxyJumpRepo,
                 _portForwardingRepo,
@@ -362,6 +367,10 @@ private async Task AddHostAsync()
                 var host = viewModel.GetHost();
                 await _hostRepo.AddAsync(host);
 
+                // Save tags via the proper many-to-many method
+                var tagIds = viewModel.Metadata.GetSelectedTagIds().ToList();
+                await _hostRepo.SetHostTagsAsync(host.Id, tagIds);
+
                 // Save environment variables
                 var envVars = viewModel.GetEnvironmentVariables().ToList();
                 if (envVars.Count > 0)
@@ -422,6 +431,7 @@ private async Task EditHostAsync(HostEntry? host)
             _serialConnectionService,
             _agentDiagnosticsService,
             _kerberosAuthService,
+            _onePasswordService,
             _hostProfileRepo,
             _proxyJumpRepo,
             _portForwardingRepo,
@@ -446,6 +456,10 @@ private async Task EditHostAsync(HostEntry? host)
             var updatedHost = viewModel.GetHost();
             await _hostRepo.UpdateAsync(updatedHost);
 
+            // Save tags via the proper many-to-many method
+            var tagIds = viewModel.Metadata.GetSelectedTagIds().ToList();
+            await _hostRepo.SetHostTagsAsync(updatedHost.Id, tagIds);
+
             // Save environment variables
             var envVars = viewModel.GetEnvironmentVariables().ToList();
             await _envVarRepo.SetForHostAsync(updatedHost.Id, envVars);