From 25a277ab275bb82c71a3c9848fa439118ffb29c3 Mon Sep 17 00:00:00 2001
From: m1ngsama
Date: Sun, 8 Feb 2026 11:54:27 +0800
Subject: [PATCH] feat: add SSH keepalive and CI/CD auto-deploy

Send keepalive every 30s to prevent NAT/firewall from silently dropping idle SSH connections. Add deploy workflow that auto-deploys to production server after CI passes on main.
---
 .github/workflows/deploy.yml | 45 ++++++++++++++++++++++++++++++++++++
 src/ssh_server.c | 5 ++--
 2 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/deploy.yml

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..8e941b1
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,45 @@
+name: Deploy
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install dependencies
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y libssh-dev
+
+ - name: Build
+ run: make
+
+ - name: Build with AddressSanitizer
+ run: make asan
+
+ - name: Run tests
+ run: |
+ make test
+ cd tests
+ ./test_security_features.sh
+
+ deploy:
+ needs: test
+ runs-on: ubuntu-latest
+ steps:
+ - name: Deploy to production
+ uses: appleboy/ssh-action@v1
+ with:
+ host: ${{ secrets.SERVER_HOST }}
+ username: ${{ secrets.SERVER_USER }}
+ key: ${{ secrets.SERVER_SSH_KEY }}
+ script: |
+ cd /home/admin/repo/tnt
+ git pull origin main
+ make clean && make release
+ cp tnt /home/admin/tnt/tnt
+ sudo systemctl restart tnt
diff --git a/src/ssh_server.c b/src/ssh_server.c
index 970ed18..15c0c40 100644
--- a/src/ssh_server.c
+++ b/src/ssh_server.c
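Review bot: The `deploy` job in `.github/workflows/deploy.yml` hands the production SSH key to a third-party action referenced by the mutable tag `appleboy/ssh-action@v1` and sets no `fingerprint:` input, so neither the action's code nor the server's host key is pinned. Pin the action to a full commit SHA and supply the host key fingerprint. The script also builds whatever `git pull origin main` returns at deploy time, which may not be the commit the `test` job validated, and unless the action is configured to stop on the first error, a failed pull or build still reaches `sudo systemctl restart tnt`. The workflow declares no `permissions:` block; a top-level `permissions:` with `contents: read` is enough for both jobs. A sketch of the step with these changes follows; the SHA and the fingerprint secret name are placeholders.

```yaml
      - name: Deploy to production
        uses: appleboy/ssh-action@<FULL_COMMIT_SHA>  # placeholder: SHA of a reviewed release
        with:
          # … unchanged: host, username, key …
          fingerprint: ${{ secrets.SERVER_HOST_FINGERPRINT }}  # placeholder secret name
          script: |
            set -e
            cd /home/admin/repo/tnt
            git fetch origin main
            git checkout --detach ${{ github.sha }}
            # … unchanged: make clean && make release, cp, systemctl restart …
```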
@@ -805,8 +805,9 @@ void* client_handle_session(void *arg) {
 int n = ssh_channel_read_timeout(client->channel, buf, 1, 0, 30000); /* 30 sec timeout */
 if (n == SSH_AGAIN) {
- /* Timeout - check if channel is still alive */
- if (!ssh_channel_is_open(client->channel)) {
+ /* Timeout - send keepalive to prevent NAT/firewall timeout */
+ if (!ssh_channel_is_open(client->channel) ||
+ ssh_send_keepalive(client->session) != SSH_OK) {
 break;
 }
 continue;
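Review bot: The new `ssh_send_keepalive()` call keeps idle connections alive, but nothing in this hunk bounds how long a silent client may hold the handler: each 30-second timeout now sends a keepalive and `continue`s, and the send presumably fails only once the transport itself has given up. If no idle limit exists elsewhere in `client_handle_session` (its body starts and ends outside the hunk), consider counting consecutive timeouts and closing after a cap, e.g. `if (++idle_timeouts > MAX_IDLE_TIMEOUTS) break;`, where both names are constructed for illustration and the counter is reset on a successful read. The comment could also state that the keepalive interval is tied to the 30000 ms read timeout, e.g. `/* Read timed out: keepalive interval == read timeout (30 s) */`.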