feat: add SSH keepalive and CI/CD auto-deploy

Send keepalive every 30s to prevent NAT/firewall from silently
dropping idle SSH connections. Add deploy workflow that auto-deploys
to production server after CI passes on main.

.github/workflows/deploy.yml

@@ -0,0 +1,45 @@
+name: Deploy
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y libssh-dev
+
+    - name: Build
+      run: make
+
+    - name: Build with AddressSanitizer
+      run: make asan
+
+    - name: Run tests
+      run: |
+        make test
+        cd tests
+        ./test_security_features.sh
+
+  deploy:
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Deploy to production
+        uses: appleboy/ssh-action@v1
+        with:
+          host: ${{ secrets.SERVER_HOST }}
+          username: ${{ secrets.SERVER_USER }}
+          key: ${{ secrets.SERVER_SSH_KEY }}
+          script: |
+            cd /home/admin/repo/tnt
+            git pull origin main
+            make clean && make release
+            cp tnt /home/admin/tnt/tnt
+            sudo systemctl restart tnt

src/ssh_server.c

@@ -805,8 +805,9 @@ void* client_handle_session(void *arg) {
         int n = ssh_channel_read_timeout(client->channel, buf, 1, 0, 30000); /* 30 sec timeout */
 
         if (n == SSH_AGAIN) {
-            /* Timeout - check if channel is still alive */
+            /* Timeout - send keepalive to prevent NAT/firewall timeout */
-            if (!ssh_channel_is_open(client->channel)) {
+            if (!ssh_channel_is_open(client->channel) ||
+                ssh_send_keepalive(client->session) != SSH_OK) {
                 break;
             }
             continue;