fix: collect --password once up-front and honor -S consistently across subcommands

[inureyes]

Fixes #200.

Problem

Two distinct defects in credential collection both surface in:

bssh -C orin -l lablup --password -S ping

Defect 1 — --password was collected lazily, per-connection

ssh/auth.rs::password_auth() called rpassword::prompt_password() inside each per-node authentication task. The executor fans out N parallel connection attempts, so multiple tasks raced for stdin: the prompt could be missed (drowned by the indicatif progress UI), repeated per node, or interleaved with the progress bar rendering.

The -S (sudo-password) path already did this correctly — it collected once in the dispatcher, wrapped the value in Arc<SudoPassword>, and shared it across tasks. --password now follows the same pattern.

Defect 2 — -S was silently dropped by ping, upload, download

The dispatcher only read cli.sudo_password in the exec and interactive branches. Users could pass -S to ping/upload/download without any error, but the flag had no effect.

Changes

New Password wrapper — src/security/password.rs

Mirrors the existing SudoPassword design:

• Backed by secrecy::SecretString (auto-zeroized on drop via the secrecy crate's SecretString machinery).
• prompt_password() uses a non-host-specific prompt: "Enter SSH password (used for all hosts): ".
• get_password_from_env() reads BSSH_PASSWORD (discouraged for production but useful for automation).
• get_password(warn_env) combines env + interactive prompt.
• Designed to be wrapped in Arc<Password> and shared across parallel tasks without copying the secret.

Dispatcher hoists --password collection — src/app/dispatcher.rs

The prompt now runs once at the top of dispatch_command, before any ParallelExecutor is built and before any indicatif MultiProgress is initialized. This avoids the terminal-state pitfall where indicatif corrupts the prompt rendering. The resulting Arc<Password> is threaded through:

• ping_nodes(...) — new parameter
• FileTransferParams (upload + download) — new field
• ExecuteCommandParams — new field
• InteractiveCommand — new field
• SSH-mode interactive path

-S semantics for non-applicable subcommands

The dispatcher now emits tracing::warn!("--sudo-password (-S) has no effect for the {subcommand} subcommand and will be ignored") when -S is passed to ping, upload, download, list, or cache-stats. Picked a warning over a hard reject because:

• Matches typical CLI UX (ssh, git, etc. tend to warn rather than fail on flags that are harmless-but-inapplicable).
• Existing scripts that happen to pass -S to non-applicable subcommands continue to work — they just see a visible warning instead of silent no-op.
• exec and interactive paths continue to honor -S exactly as before.

Threading through the auth machinery

• AuthContext (src/ssh/auth.rs) gains a password: Option<Arc<Password>> field and with_pre_collected_password() builder.
• password_auth() now consumes the pre-collected value when available. The in-task rpassword::prompt_password() call is retained only as the fallback for the OpenSSH-style "all key methods failed → prompt for password" path (which is opportunistic and has no dispatcher-side collection point).
• ParallelExecutor::with_ssh_password(), ExecutionConfig::ssh_password, ConnectionConfig::ssh_password, and the SFTP *_with_jump_hosts helpers all carry the Option<Arc<Password>> through to the auth layer.
• Every per-node task clones the Arc so all tasks observe the same secret without duplicating the underlying string.

Tests

New: src/security/password.rs — 9 unit tests

Mirror src/security/sudo.rs test structure:

• test_password_creation, test_password_empty_rejection, test_password_debug_redaction
• test_clone_independence, test_arc_sharing
• Env var tests: _empty, _valid, _not_set
• test_get_password_dispatcher_collection_pattern — explicitly models the dispatcher-level collection pattern: one get_password() call, wrapped in Arc<Password>, observably shared across three simulated per-node tasks. Asserts all three see the same password and Arc::strong_count == 4.

New: src/ssh/auth.rs — 2 unit tests

• test_auth_context_with_pre_collected_password — verifies the builder and Arc sharing semantics.
• test_password_auth_uses_pre_collected_password — critically, verifies password_auth() returns immediately without prompting when the pre-collected value is set (which means it never blocks on stdin in non-interactive test environments).

Existing tests

All 1233 library unit tests and the integration test suites continue to pass. Pre-existing failing doctest in src/server/filter/mod.rs is unrelated to this PR (verified by running cargo test --doc on main).

Verification

cargo build --release      # passes
cargo test --lib           # 1233 lib tests pass
cargo clippy --all-targets --all-features -- -D warnings  # passes
cargo fmt --check          # passes

Behavior comparison

Scenario	Before	After
bssh -C cluster --password exec "uptime"	Multiple prompts race for stdin or interleave with progress bars; possibly missed entirely	One clean prompt up-front, value reused for all N nodes
bssh -C cluster --password ping	Same broken behavior	One clean prompt up-front
bssh -C cluster --password upload f.txt /tmp/	Same broken behavior	One clean prompt up-front
bssh -S ping	Flag silently ignored	WARN: --sudo-password (-S) has no effect for the 'ping' subcommand and will be ignored
bssh -S exec "sudo apt update"	Worked correctly	Unchanged — still works
BSSH_PASSWORD=secret bssh -C cluster --password ping	Not supported	Reads from env (with warning), still single value shared across nodes

Acceptance criteria

• Running bssh -C <cluster> --password <subcommand> prompts exactly once, before any connection attempt or progress UI output.
• The same password is used for every node in the cluster.
• Password memory is zeroized after use (via secrecy::SecretString in Password).
• -S either applies to applicable subcommands or warns when passed to subcommands where it has no effect.
• Existing tests pass.
• A unit test covers the dispatcher-level password collection (test_get_password_dispatcher_collection_pattern).

[inureyes]

PR Finalization Complete

Tests

All targeted tests pass. The existing test_get_password_dispatcher_collection_pattern test in src/security/password.rs already covers the M2 gap flagged by the pr-reviewer: it models the exact dispatcher pattern (collect once via get_password(), wrap in Arc, clone to three simulated per-node tasks, verify identical password observed). No additional dispatcher-branch tests were needed.

Final test counts:

• cargo test --lib security: 76 passed, 0 failed
• cargo test --lib ssh::auth: 13 passed, 0 failed
• cargo test --lib jump::chain: 15 passed, 0 failed

Documentation

Added in commit aeca1f4:

• CHANGELOG.md — [2.1.5] - Unreleased section with Fixed entries for the single-prompt --password behavior and the -S stderr warning routing.
• README.md — Updated "Password Authentication" section to describe the once-up-front collection and added a new "SSH Password Variable" subsection documenting BSSH_PASSWORD with security warning, parallel to the existing BSSH_SUDO_PASSWORD subsection.
• docs/man/bssh.1 — Updated --password flag description to describe the single-prompt / Arc-shared behavior; added BSSH_PASSWORD entry to the ENVIRONMENT section.

Lint / Format

• cargo fmt --all -- --check: clean
• cargo clippy --lib --tests -- -D warnings: clean
• cargo check --lib --tests: clean

Labels

• Issue fix: collect --password once up-front instead of per-connection; honor -S consistently across subcommands #200: status:done confirmed
• PR fix: collect --password once up-front and honor -S consistently across subcommands #201: status:done confirmed

The PR was not merged. Ready for merge review.