fix(security): use StrictHostKeyChecking=accept-new in all SSH connections (#3037)

Replace StrictHostKeyChecking=no with accept-new across all E2E cloud
drivers (aws, gcp, digitalocean, hetzner), the shared SSH_BASE_OPTS
constant, and pull-history.ts. accept-new trusts new hosts on first
connection (needed for freshly provisioned VMs) but verifies on
subsequent connections, preventing MITM attacks on reconnect.

Fixes #3031

Agent: style-reviewer

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: 3 people

packages/cli/src/__tests__/ssh-cov.test.ts

@@ -39,7 +39,7 @@ afterEach(() => {
 
 describe("SSH constants", () => {
   it("SSH_BASE_OPTS has required non-interactive options", () => {
-    expect(SSH_BASE_OPTS).toContain("StrictHostKeyChecking=no");
+    expect(SSH_BASE_OPTS).toContain("StrictHostKeyChecking=accept-new");
     expect(SSH_BASE_OPTS).toContain("BatchMode=yes");
   });
 

packages/cli/src/commands/pull-history.ts

@@ -117,7 +117,7 @@ async function pullFromChild(ip: string, user: string, parentSpawnId: string, ss
     const sshBase = [
       "ssh",
       "-o",
-      "StrictHostKeyChecking=no",
+      "StrictHostKeyChecking=accept-new",
       "-o",
       "ConnectTimeout=10",
       "-o",

packages/cli/src/shared/ssh.ts

@@ -11,7 +11,7 @@ import { logError, logInfo, logStep, logStepDone, logStepInline } from "./ui.js"
 /** Base SSH options shared across all clouds (array form for Bun.spawn). */
 export const SSH_BASE_OPTS: string[] = [
   "-o",
-  "StrictHostKeyChecking=no",
+  "StrictHostKeyChecking=accept-new",
   "-o",
   "UserKnownHostsFile=/dev/null",
   "-o",

sh/e2e/lib/clouds/aws.sh

@@ -161,7 +161,7 @@ _aws_exec() {
   # Pass encoded command via stdin instead of shell interpolation.
   # This completely avoids command injection — the remote side only sees
   # stdin data, never an interpolated shell string.
-  printf '%s' "${encoded_cmd}" | ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
+  printf '%s' "${encoded_cmd}" | ssh -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=/dev/null \
       -o ConnectTimeout=10 -o LogLevel=ERROR -o BatchMode=yes \
       "ubuntu@${_AWS_INSTANCE_IP}" "base64 -d | bash"
 }

sh/e2e/lib/clouds/digitalocean.sh

@@ -186,7 +186,7 @@ _digitalocean_exec() {
     return 1
   fi
 
-  ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
+  ssh -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=/dev/null \
       -o ConnectTimeout=10 -o LogLevel=ERROR -o BatchMode=yes \
       "root@${ip}" "printf '%s' '${encoded_cmd}' | base64 -d | bash"
 }

sh/e2e/lib/clouds/gcp.sh

@@ -211,7 +211,7 @@ _gcp_exec() {
   # Pass encoded command via stdin instead of shell interpolation.
   # This completely avoids command injection — the remote side only sees
   # stdin data, never an interpolated shell string.
-  printf '%s' "${encoded_cmd}" | ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
+  printf '%s' "${encoded_cmd}" | ssh -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=/dev/null \
       -o ConnectTimeout=10 -o LogLevel=ERROR -o BatchMode=yes \
       "${ssh_user}@${_GCP_INSTANCE_IP}" "base64 -d | bash"
 }

sh/e2e/lib/clouds/hetzner.sh

@@ -167,7 +167,7 @@ _hetzner_exec() {
   # Pipe the base64 payload via stdin to the remote host. The remote bash
   # reads stdin, base64-decodes it, and executes the result. No user-controlled
   # data is interpolated into the SSH command string.
-  printf '%s' "${encoded_cmd}" | ssh -o StrictHostKeyChecking=no \
+  printf '%s' "${encoded_cmd}" | ssh -o StrictHostKeyChecking=accept-new \
       -o UserKnownHostsFile=/dev/null \
       -o LogLevel=ERROR \
       -o BatchMode=yes \