Slice 11 — SSH transport: SSH keys and 'git' over SSH work alongside HTTPS #11

@safayavatsal

What to build

git over SSH for users who prefer key-based auth.

  • Web UI: profile section to add, list, and revoke SSH public keys.
  • platform-api: SSH server fronted by an NLB on port 22 (per ADR-0009). Authenticates incoming connections by matching the offered key against platform.ssh_keys, then execs git-upload-pack / git-receive-pack against the on-disk Git repo via GitRepository.
  • Permission checks reuse PermissionChecker (same allow/deny logic as HTTPS path).
  • Host key generated once per environment and persisted; user gets a clear "Are you sure you want to continue connecting?" host-key fingerprint in the welcome message after first auth.

Acceptance criteria

  • A user can add an SSH key, then git clone git@forge.../<owner>/<repo>.git from a machine with that key.
  • git push and git pull over SSH respect the same permission model as HTTPS.
  • Revoking an SSH key immediately terminates new connections that present it.
  • An unknown key produces a clean "Permission denied (publickey)" error, not a hang.
  • The host key is stable across deploys (not regenerated on every container restart).
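
A sketch of the key-matching step described above, added here as an illustration and not code from this repository. It assumes platform.ssh_keys is indexed by the key's SHA256 fingerprint and carries a revocation timestamp; `SshKeyStore`, `revoked_at`, and `make_constructed_key` are hypothetical names, and the sample key is constructed.

```python
import base64, hashlib, struct
from datetime import datetime, timezone

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def parse_public_key(line):
    """Return (key_type, blob) from an OpenSSH 'type base64 [comment]' line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        raise ValueError("unsupported or malformed key line")
    blob = base64.b64decode(parts[1], validate=True)  # raises ValueError on bad base64
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the type; it must match the label.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("declared type does not match key blob")
    return parts[0], blob

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of the blob digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class SshKeyStore:
    """In-memory stand-in for platform.ssh_keys (assumed schema)."""
    def __init__(self):
        self._rows = {}

    def add(self, user, line):
        _, blob = parse_public_key(line)
        fp = fingerprint(blob)
        if fp in self._rows:  # assumption: one key maps to exactly one user
            raise ValueError("key already registered")
        self._rows[fp] = {"user": user, "revoked_at": None}
        return fp

    def revoke(self, fp):
        self._rows[fp]["revoked_at"] = datetime.now(timezone.utc)

    def authenticate(self, offered_blob):
        """Decide whether an offered key is acceptable. The SSH server must
        still verify the client's signature before treating it as proven."""
        row = self._rows.get(fingerprint(offered_blob))
        if row is None or row["revoked_at"] is not None:
            return None  # caller answers "Permission denied (publickey)"
        return row["user"]

def make_constructed_key(seed):
    """Build a syntactically valid, constructed ssh-ed25519 line for testing."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(raw).decode() + " constructed@example"
```

Checking `revoked_at` on every lookup, rather than caching accepted keys, is what lets a revocation take effect on the next connection attempt.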

Labels: afk (Implementable without architectural decisions), ready-for-agent (Triaged and ready for an AFK agent to pick up), tracer-bullet (Vertical slice through all integration layers)
