fix: emit SSH certificate warnings for command execution

Certificate authentication warnings were being emitted for PTY sessions
but not for command execution (exec). This caused an inconsistency where
users running commands wouldn't see certificate warnings, but interactive
shell users would.

Changes:
- Added warnings_tx channel to Exec message in ssh_pool.rs
- Modified Exec handler to capture and send auth_result.warnings
- Updated script.rs to receive and emit warnings as GC events
- Warnings now flow consistently for both PTY and exec operations

Fixes issue identified in code review where auth_result was discarded
on line 618 during exec connection.

Co-authored-by: Ellie Huxtable <ellie@users.noreply.github.com>

Author: github-actions[bot]

crates/atuin-desktop-runtime/src/blocks/script.rs

@@ -13,10 +13,11 @@ use uuid::Uuid;
 
 use crate::blocks::{Block, BlockBehavior};
 use crate::context::{fs_var, BlockExecutionOutput, BlockVars};
+use crate::events::GCEvent;
 use crate::execution::{
     CancellationToken, ExecutionContext, ExecutionHandle, ExecutionStatus, StreamingBlockOutput,
 };
-use crate::ssh::OutputLine as SessionOutputLine;
+use crate::ssh::{OutputLine as SessionOutputLine, SshWarning};
 
 use super::FromDocument;
 
@@ -705,6 +706,7 @@ impl Script {
         let channel_id = self.id.to_string();
         let (output_sender, mut output_receiver) = mpsc::channel::<SessionOutputLine>(100);
         let (result_tx, result_rx) = oneshot::channel::<()>();
+        let (warnings_tx, warnings_rx) = oneshot::channel::<Vec<SshWarning>>();
 
         let captured_output = Arc::new(RwLock::new(Vec::new()));
         let captured_output_clone = captured_output.clone();
@@ -733,6 +735,7 @@ impl Script {
                 output_sender,
                 result_tx,
                 ssh_config,
+                Some(warnings_tx),
             ) => {
                 result
             }
@@ -757,6 +760,54 @@ impl Script {
             }
             return (Err(error_msg.into()), Vec::new(), None);
         }
+
+        // Receive and emit SSH authentication warnings (certificate issues, etc.)
+        if let Ok(warnings) = warnings_rx.await {
+            for warning in warnings {
+                match warning {
+                    SshWarning::CertificateLoadFailed {
+                        host,
+                        cert_path,
+                        error,
+                    } => {
+                        let _ = context
+                            .emit_gc_event(GCEvent::SshCertificateLoadFailed {
+                                host,
+                                cert_path,
+                                error,
+                            })
+                            .await;
+                    }
+                    SshWarning::CertificateExpired {
+                        host,
+                        cert_path,
+                        valid_until,
+                    } => {
+                        let _ = context
+                            .emit_gc_event(GCEvent::SshCertificateExpired {
+                                host,
+                                cert_path,
+                                valid_until,
+                            })
+                            .await;
+                    }
+                    SshWarning::CertificateNotYetValid {
+                        host,
+                        cert_path,
+                        valid_from,
+                    } => {
+                        let _ = context
+                            .emit_gc_event(GCEvent::SshCertificateNotYetValid {
+                                host,
+                                cert_path,
+                                valid_from,
+                            })
+                            .await;
+                    }
+                }
+            }
+        }
+
         let context_clone = context.clone();
         let block_id = self.id;
         let ssh_pool_clone = ssh_pool.clone();

crates/atuin-desktop-runtime/src/ssh/ssh_pool.rs

@@ -94,6 +94,9 @@ pub enum SshPoolMessage {
 
         // Optional SSH config overrides from block settings
         ssh_config: Option<DocumentSshConfig>,
+
+        // Channel to send authentication warnings (certificate issues, etc.)
+        warnings_tx: Option<oneshot::Sender<Vec<SshWarning>>>,
     },
     ExecFinished {
         channel: String,
@@ -264,6 +267,7 @@ impl SshPoolHandle {
             output_stream,
             result_tx,
             None,
+            None,
         )
         .await
     }
@@ -279,6 +283,7 @@ impl SshPoolHandle {
         output_stream: mpsc::Sender<OutputLine>,
         result_tx: oneshot::Sender<()>,
         ssh_config: Option<DocumentSshConfig>,
+        warnings_tx: Option<oneshot::Sender<Vec<SshWarning>>>,
     ) -> Result<()> {
         let (sender, receiver) = oneshot::channel();
         let msg = SshPoolMessage::Exec {
@@ -291,6 +296,7 @@ impl SshPoolHandle {
             reply_to: sender,
             result_tx,
             ssh_config,
+            warnings_tx,
         };
 
         let _ = self.sender.send(msg).await;
@@ -579,6 +585,7 @@ impl SshPool {
                 reply_to,
                 result_tx,
                 ssh_config,
+                warnings_tx,
             } => {
                 tracing::trace!(
                     "Executing command on {host} with {interpreter} with username {username:?}"
@@ -612,20 +619,28 @@ impl SshPool {
                 tokio::spawn(async move {
                     tracing::trace!("Connecting to SSH host {host} with username {username}");
                     let mut pool_guard = pool.write().await;
-                    let session: Result<Arc<Session>, SshPoolConnectionError> = tokio::select! {
+                    let (session, warnings): (Result<Arc<Session>, SshPoolConnectionError>, Vec<SshWarning>) = tokio::select! {
                         result = pool_guard.connect_with_config(&host, Some(username.as_str()), None, Some(connect_cancel_rx), ssh_config.as_ref()) => {
                             tracing::trace!("SSH connection to {host} with username {username} successful");
-                            result.map(|(session, _auth_result)| session).map_err(SshPoolConnectionError::from)
+                            match result {
+                                Ok((session, auth_result)) => (Ok(session), auth_result.warnings),
+                                Err(e) => (Err(SshPoolConnectionError::from(e)), Vec::new()),
+                            }
                         }
                         _ = &mut cancel_rx => {
                             tracing::trace!("SSH connection to {host} with username {username} cancelled");
                             let _ = connect_cancel_tx.send(());
                             let _ = pool_guard.disconnect(&host, &username).await;
-                            Err(SshPoolConnectionError::Cancelled)
+                            (Err(SshPoolConnectionError::Cancelled), Vec::new())
                         }
                     };
                     drop(pool_guard);
 
+                    // Send warnings to caller if they requested them
+                    if let Some(tx) = warnings_tx {
+                        let _ = tx.send(warnings);
+                    }
+
                     let session = match session {
                         Ok(session) => session,
                         Err(e) => {