Summary
internal/securecomms.NewSSHClientConfigWithTimeout currently writes known_hosts input to a temp file and reparses it on each call. This is correct and safe, but repeated calls can add avoidable filesystem and parsing overhead in batch/high-throughput callers.
Why this matters
As usage scales (many short-lived SSH config constructions per process), repeated file write/parse/cleanup work becomes a bottleneck and increases I/O churn.
Proposed direction
Add an advanced API that preserves current behavior while allowing reuse of parsed host-key validation state:
- Keep existing NewSSHClientConfig* APIs unchanged for compatibility.
- Add a new constructor path that accepts a prebuilt ssh.HostKeyCallback.
- Optionally add helper parser(s) to build callbacks once from known_hosts data.
Acceptance criteria
- Existing NewSSHClientConfig and NewSSHClientConfigWithTimeout semantics remain unchanged.
- New API allows repeated config creation without re-writing/re-parsing known_hosts per call.
- Unit tests cover both legacy and new paths.
- Docs describe when to use each API path.
Risk notes
- Must preserve strict host key verification behavior.
- Avoid introducing callback behavior drift between old/new paths.
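An added sketch of the parse-once direction proposed above; it is not code from this issue or from the project. To run with the standard library only, it uses a hypothetical HostKeyCheck type as a stand-in for ssh.HostKeyCallback and a hypothetical ParseKnownHosts helper, and it handles plain host entries only, rejecting everything else.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

type HostKeyCheck func(host, keyType string, keyBlob []byte) error // hypothetical stand-in for ssh.HostKeyCallback
var ErrUnknownHost, ErrKeyMismatch = errors.New("unknown host"), errors.New("host key mismatch")

// ParseKnownHosts (hypothetical helper) parses known_hosts data in memory, once, into a shareable check.
func ParseKnownHosts(data []byte) (HostKeyCheck, error) {
	hosts, keys := map[string]bool{}, map[string]bool{} // keys: "host type base64"
	for i, line := range strings.Split(string(data), "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue
		}
		// Fail closed on what this sketch omits: @markers, hashed hosts, patterns.
		if len(f) < 3 || strings.ContainsAny(f[0], "@|*?!") {
			return nil, fmt.Errorf("line %d: malformed or unsupported entry", i+1)
		}
		blob, err := base64.StdEncoding.DecodeString(f[2])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad key encoding: %w", i+1, err)
		}
		for _, h := range strings.Split(f[0], ",") {
			hosts[h] = true
			keys[h+" "+f[1]+" "+base64.StdEncoding.EncodeToString(blob)] = true
		}
	}
	return func(host, keyType string, keyBlob []byte) error {
		if !hosts[host] {
			return ErrUnknownHost // strict: no trust on first use
		}
		if !keys[host+" "+keyType+" "+base64.StdEncoding.EncodeToString(keyBlob)] {
			return ErrKeyMismatch
		}
		return nil
	}, nil
}

func main() {
	key := []byte("constructed-key") // constructed sample, not a real host key
	check, err := ParseKnownHosts([]byte("batch1.example,10.0.0.5 ssh-ed25519 " + base64.StdEncoding.EncodeToString(key)))
	fmt.Println(err, check("10.0.0.5", "ssh-ed25519", key), check("other.example", "ssh-ed25519", key))
}
```

The returned check closes over the parsed maps, so a batch caller builds it once and passes the same value to every config it constructs; unknown hosts and mismatched keys stay hard errors.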