# SSH Key Architecture (Forge + Mesh)

**Summary:** VaultMesh uses a strict per-node ed25519 SSH key model with `IdentitiesOnly` isolation, `ControlMaster` multiplexing, and mesh-wide access via Tailscale. nexus-0 serves as the primary forge node; brick, v1-nl-gate, gate-vm, and shield-vm are first-class SSH targets with dedicated keys.

## Key Findings

- One keypair per destination node (`id_gamma`, `id_brick`, `id_v1-nl-gate`, `id_gate-vm`, `id_shield-vm`, etc.).
- `IdentitiesOnly` enforces key isolation and prevents cross-host key probing (a key meant for one node is never offered to another).
- `ControlMaster`/`ControlPath` provide fast multiplexed SSH sessions over one authenticated connection.
- Tailscale hostnames (`story-ule.ts.net`) give stable addressing; LAN IPs are the fallback.
- External service keys (GitHub/GitLab) are separate from infra keys.

## Components

- Per-node private keys (`~/.ssh/id_{node}`).
- Public keys (`~/.ssh/id_{node}.pub`).
- SSH config with host-specific `IdentityFile` blocks.
- Control sockets (`~/.ssh/cm-%r@%h:%p`).

## Key Inventory (Infra Nodes)

| Key File         | Target Node    | Algorithm |
|------------------|----------------|-----------|
| id_gamma         | gamma          | ed25519   |
| id_beta          | beta           | ed25519   |
| id_brick         | brick          | ed25519   |
| id_w3            | w3             | ed25519   |
| id_v1-nl-gate    | v1-nl-gate     | ed25519   |
| id_gate-vm       | gate-vm        | ed25519   |
| id_debian-golden | debian-golden  | ed25519   |
| id_shield-vm     | shield-vm      | ed25519   |

## Forge + Mobile

| Key File         | Target       | Algorithm |
|------------------|--------------|-----------|
| id_nexus-0       | nexus-0      | ed25519   |
| id_kali-forge    | kali-forge   | ed25519   |
| id_shield        | shield       | ed25519   |
| id_bank-mobile   | bank-mobile  | ed25519   |

## External Service Keys

| Key File             | Service    |
|----------------------|------------|
| id_ed25519_github    | GitHub     |
| id_ed25519_gitlab    | GitLab     |

## SSH Config Structure

Note that ssh_config resolves each option to the *first* value obtained, so the `Host *` defaults at the top cannot be overridden by a later host block; that is intended here, since the per-host blocks only add `HostName`, `User` and `IdentityFile`.

```sshconfig
Host *
    ServerAliveInterval 30
    ServerAliveCountMax 3
    TCPKeepAlive yes
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m
    IdentitiesOnly yes
    HashKnownHosts no
    StrictHostKeyChecking accept-new
    AddKeysToAgent yes
    # UseKeychain exists only on macOS OpenSSH; IgnoreUnknown keeps the
    # same config loadable on Linux/Android clients.
    IgnoreUnknown UseKeychain
    UseKeychain yes
    Compression yes

Host nexus-0
    HostName 100.67.39.1
    User root
    IdentityFile ~/.ssh/id_nexus-0

Host brick
    HostName brick.story-ule.ts.net
    User sovereign
    IdentityFile ~/.ssh/id_brick

Host gate-vm
    HostName gate-vm.story-ule.ts.net
    User debian
    IdentityFile ~/.ssh/id_gate-vm

Host shield-vm
    HostName shield-vm.story-ule.ts.net
    User debian
    IdentityFile ~/.ssh/id_shield-vm
```

## Security Notes

- ed25519 keys provide strong security with small keys and signatures.
- `IdentitiesOnly` ensures ssh never offers the wrong key to the wrong host, even when ssh-agent holds more identities.
- `StrictHostKeyChecking accept-new` uses trust-on-first-use (TOFU) for unknown hosts while still refusing to connect when a known host's key changes.
- No password authentication; all critical nodes are key-only.

## Key Generation

```bash
# One ed25519 keypair per destination node; the comment records the source -> target pairing.
ssh-keygen -t ed25519 -f ~/.ssh/id_{node} -C "aurion-to-{node}"
```

## Key Deployment

```bash
ssh-copy-id -i ~/.ssh/id_{node}.pub debian@{node}

# Or manually (also ensures ~/.ssh and authorized_keys have permissions sshd accepts)
cat ~/.ssh/id_{node}.pub | ssh debian@{node} \
  "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
```

## Dependencies

- OpenSSH client (macOS/Linux/Android).
- ssh-agent and (on macOS) Keychain integration.
- Tailscale for stable hostnames and reachability.
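The per-node key model above only holds if every concrete `Host` block actually resolves to its own `IdentityFile` with `IdentitiesOnly yes` and a `ControlPath`. The following audit script is an added example, not part of the VaultMesh page or tooling: it parses ssh_config text with ssh's first-obtained-value-wins rule (and the accumulating behaviour of `IdentityFile`), resolves the effective options for each single-node host alias, and reports deviations from the model. The embedded config is a constructed sample in the same shape as the one above, with an extra host `legacy-box` that deliberately lacks an `IdentityFile` so the audit has something to flag; the `check_files` permission check is an added assumption about where the keys live and is skipped when the keys are not present.

```python
"""Audit an ssh_config for the one-key-per-node model (added example, not VaultMesh code)."""
import fnmatch
import os
import re
import stat

# Constructed sample config (same shape as the page's config; "legacy-box" is
# intentionally missing its IdentityFile to show what the audit reports).
SAMPLE_CONFIG = """
Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    IdentitiesOnly yes
    StrictHostKeyChecking accept-new

Host nexus-0
    HostName 100.67.39.1
    User root
    IdentityFile ~/.ssh/id_nexus-0

Host brick
    HostName brick.story-ule.ts.net
    User sovereign
    IdentityFile ~/.ssh/id_brick

Host legacy-box
    HostName legacy.example.internal
    User debian
"""

MULTI_VALUED = {"identityfile", "certificatefile"}  # these accumulate rather than override
WILDCARDS = "*?!"


def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, [(key, value), ...]) blocks.

    Directives that appear before the first Host line apply to every host.
    """
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def block_matches(patterns, host):
    """Host-line semantics: a matching negated pattern excludes the block,
    otherwise the block applies if any positive pattern matches."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def effective_options(blocks, host):
    """Resolve options for host: the first value obtained wins, except for
    multi-valued directives such as IdentityFile, which are collected in order."""
    resolved = {}
    for patterns, options in blocks:
        if not block_matches(patterns, host):
            continue
        for key, value in options:
            if key in MULTI_VALUED:
                resolved.setdefault(key, []).append(value)
            elif key not in resolved:
                resolved[key] = value
    return resolved


def concrete_hosts(blocks):
    """Host aliases naming a single node (no glob or negation characters)."""
    return [p for patterns, _ in blocks for p in patterns
            if not any(c in p for c in WILDCARDS)]


def audit(text, check_files=True):
    """Return a list of findings; an empty list means every node follows the model."""
    blocks = parse_ssh_config(text)
    findings = []
    for host in concrete_hosts(blocks):
        opts = effective_options(blocks, host)
        keys = opts.get("identityfile", [])
        if not keys:
            findings.append(f"{host}: no IdentityFile, so only default key names are tried")
        if opts.get("identitiesonly", "no").lower() != "yes":
            findings.append(f"{host}: IdentitiesOnly is not yes; agent keys may be offered")
        if "controlpath" not in opts:
            findings.append(f"{host}: no ControlPath, multiplexing disabled")
        if check_files:  # assumed key location: the path given in the config
            for key in keys:
                path = os.path.expanduser(key)
                if not os.path.exists(path):
                    findings.append(f"{host}: private key {key} not found")
                elif os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                    findings.append(f"{host}: {key} is readable by group/other")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, check_files=False) or ["no findings"]:
        print(line)
```

Run it against the real file with `audit(open(os.path.expanduser("~/.ssh/config")).read())`; with `check_files=True` it also flags private keys whose mode allows group or other access, which ssh itself refuses to load. The first-match rule is the part most often misread: a `User` or `IdentitiesOnly` set under `Host *` at the top of the file cannot be changed by a later `Host brick` block, so defaults that some hosts need to override belong at the bottom of the file.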