feat: improve copy-bfb-to-dpu-rshim flow

[krish-nvidia]

Description

This PR improves the carbide-admin-cli site-explorer copy-bfb-to-dpu-rshim flow in preingestion by:

• Switching BFB copy from russh SFTP to the system scp binary with SSH_ASKPASS-based password auth. No combination of buffer size or timeout worked reliably with BF2 DPUs over russh's SFTP channel.
• Making host_bmc_ip required to issue a platform powercycle after the BFB is successfully installed.
• Adding --pre-copy-powercycle to optionally power-cycle the host before the copy to release rshim control to the DPU BMC.
• Detects BFB installation completion by SSHing into the DPU BMC and checking the serial console output for markers (login:, Running bfb_post_install from bf.cfg, total 100% complete). Once detected, the post-install host power-cycle is triggered automatically.

Type of Change

• Add - New feature or capability
• Change - Changes in existing functionality
• Fix - Bug fixes
• Remove - Removed features or deprecated functionality
• Internal - Internal changes (refactoring, tests, docs, etc.)

Related Issues (Optional)

Breaking Changes

• This PR contains breaking changes

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• No testing required (docs, internal refactor, etc.)

Additional Notes

[github-actions]

🔐 TruffleHog Secret Scan

✅ No secrets or credentials found!

Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉

🔗 View scan details

_{🕐 Last updated: 2026-04-13 18:21:33 UTC | Commit: e5ff17c}

[wminckler]

I don't think I've seen this in rust before.

[krish-nvidia]

It's just a way of creating a new scope so that all the variables inside it are freed after the block ends. Pretty much just a helper function for the host endpoint validation logic.

[wminckler]

yea, I know what it does, I've just never seen it used in rust ;)

[wminckler]

I don't know if writing a pw to a file is such a good idea. how does ssh console do it?

[krish-nvidia]

The SSH console uses the russh library directly to create a client, so the password stays in memory. I need to supply the password somehow to the system scp call so I went with the SSH_ASKPASS tempfile as the simplest approach without changing the container build. Another way would be to install sshpass in the carbide-api container, but I didn't want to add that dependency.

preingestion.bfb already lives in the container with bf.cfg appended, which contains the BMC user/password and never gets cleaned up unlike the tempfile :(