Release v1.0.51 with robust SSH port apply behavior.

Ensure sshd drop-in configs are actually included before writing FastCP SSH settings, and add full rollback coverage so SSH port updates apply reliably without leaving partial state on failure.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: rehmatworks

internal/agent/handlers.go

@@ -3407,6 +3407,33 @@ func restoreSSHFiles(backups map[string][]byte) {
 	}
 }
 
+func ensureSSHDropInInclude() ([]byte, bool, error) {
+	data, err := os.ReadFile(sshdMainConfig)
+	if err != nil {
+		return nil, false, fmt.Errorf("failed to read %s: %w", sshdMainConfig, err)
+	}
+
+	for _, line := range strings.Split(string(data), "\n") {
+		trimmed := strings.TrimSpace(line)
+		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
+			continue
+		}
+		fields := strings.Fields(trimmed)
+		if len(fields) < 2 || !strings.EqualFold(fields[0], "Include") {
+			continue
+		}
+		if strings.Contains(fields[1], "/etc/ssh/sshd_config.d/") {
+			return nil, false, nil
+		}
+	}
+
+	newContent := "Include /etc/ssh/sshd_config.d/*.conf\n" + string(data)
+	if err := os.WriteFile(sshdMainConfig, []byte(newContent), 0644); err != nil {
+		return nil, false, fmt.Errorf("failed to update %s include directives: %w", sshdMainConfig, err)
+	}
+	return data, true, nil
+}
+
 func disableConflictingSSHPortDirectives(targetPort int) (map[string][]byte, error) {
 	files := []string{sshdMainConfig}
 	if includeFiles, err := filepath.Glob("/etc/ssh/sshd_config.d/*.conf"); err == nil {
@@ -3482,12 +3509,22 @@ KbdInteractiveAuthentication %s
 	_ = os.MkdirAll(filepath.Dir(sshdFastcpConf), 0755)
 
 	previousContent, _ := os.ReadFile(sshdFastcpConf)
+	mainConfigBackup, mainConfigChanged, err := ensureSSHDropInInclude()
+	if err != nil {
+		return nil, err
+	}
 	if err := os.WriteFile(sshdFastcpConf, []byte(content), 0644); err != nil {
+		if mainConfigChanged {
+			_ = os.WriteFile(sshdMainConfig, mainConfigBackup, 0644)
+		}
 		return nil, fmt.Errorf("failed to write ssh config: %w", err)
 	}
 
 	updatedFilesBackup, err := disableConflictingSSHPortDirectives(cfg.Port)
 	if err != nil {
+		if mainConfigChanged {
+			_ = os.WriteFile(sshdMainConfig, mainConfigBackup, 0644)
+		}
 		if len(previousContent) > 0 {
 			_ = os.WriteFile(sshdFastcpConf, previousContent, 0644)
 		} else {
@@ -3499,6 +3536,9 @@ KbdInteractiveAuthentication %s
 	sshdPath, err := resolveSSHDBinary()
 	if err != nil {
 		restoreSSHFiles(updatedFilesBackup)
+		if mainConfigChanged {
+			_ = os.WriteFile(sshdMainConfig, mainConfigBackup, 0644)
+		}
 		if len(previousContent) > 0 {
 			_ = os.WriteFile(sshdFastcpConf, previousContent, 0644)
 		} else {
@@ -3508,6 +3548,9 @@ KbdInteractiveAuthentication %s
 	}
 	if err := ensureSSHRuntimeDir(); err != nil {
 		restoreSSHFiles(updatedFilesBackup)
+		if mainConfigChanged {
+			_ = os.WriteFile(sshdMainConfig, mainConfigBackup, 0644)
+		}
 		if len(previousContent) > 0 {
 			_ = os.WriteFile(sshdFastcpConf, previousContent, 0644)
 		} else {
@@ -3518,6 +3561,9 @@ KbdInteractiveAuthentication %s
 
 	if output, err := exec.Command(sshdPath, "-t", "-f", sshdMainConfig).CombinedOutput(); err != nil {
 		restoreSSHFiles(updatedFilesBackup)
+		if mainConfigChanged {
+			_ = os.WriteFile(sshdMainConfig, mainConfigBackup, 0644)
+		}
 		if len(previousContent) > 0 {
 			_ = os.WriteFile(sshdFastcpConf, previousContent, 0644)
 		} else {
@@ -3528,6 +3574,14 @@ KbdInteractiveAuthentication %s
 
 	if err := s.restartSSHService(); err != nil {
 		restoreSSHFiles(updatedFilesBackup)
+		if mainConfigChanged {
+			_ = os.WriteFile(sshdMainConfig, mainConfigBackup, 0644)
+		}
+		if len(previousContent) > 0 {
+			_ = os.WriteFile(sshdFastcpConf, previousContent, 0644)
+		} else {
+			_ = os.Remove(sshdFastcpConf)
+		}
 		return nil, fmt.Errorf("failed to apply SSH settings: %w", err)
 	}