steps:
  ssh-test:
    image: google/cloud-sdk:latest
    commands:
      - 'set -eu'
      - 'mkdir -p ~/.ssh'
      - 'gcloud secrets versions access latest --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev | base64 -d > ~/.ssh/known_hosts'
      - 'chmod 644 ~/.ssh/known_hosts'
      - 'gcloud secrets versions access latest --secret=STAGING_SSH_KEY --project=aptivaai-dev > ~/.ssh/id_ed25519'
      - 'chmod 600 ~/.ssh/id_ed25519'
      - 'echo Key size: $(wc -c < ~/.ssh/id_ed25519) bytes'
      - 'file ~/.ssh/id_ed25519 || echo file not found'
      - 'head -n 5 ~/.ssh/id_ed25519'
      - 'ssh -vvv -i ~/.ssh/id_ed25519 -o StrictHostKeyChecking=yes jcoakley@10.128.0.12 hostname'

      # Decode known hosts
      - gcloud secrets versions access latest --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev | base64 -d > ~/.ssh/known_hosts
      - chmod 644 ~/.ssh/known_hosts

      # Inject SSH key
      - gcloud secrets versions access latest --secret=STAGING_SSH_KEY --project=aptivaai-dev > ~/.ssh/id_ed25519
      - chmod 600 ~/.ssh/id_ed25519

      # Verify key integrity before SSH
      - echo Key size: $(wc -c < ~/.ssh/id_ed25519) bytes
      - file ~/.ssh/id_ed25519 || echo file not found
      - head -n 5 ~/.ssh/id_ed25519

      # Attempt SSH
      - ssh -vvv -i ~/.ssh/id_ed25519 -o StrictHostKeyChecking=yes jcoakley@10.128.0.12 hostname