Execute a shell command string on a remote host. Returns {:ok, output} or {:error, reason}.

Execute a command list (as built by Commands modules) on a host. Joins the command parts into a single shell string.

Run a command interactively with a PTY (for IEx remote, bash, etc.). Connects local stdin/stdout to the remote session.

Resolve the first existing on-disk private key from ssh.keys.

Returns {:ok, expanded_path} when a configured key exists on disk, or :none for key_data/agent flows (no usable file). This selection is what decides whether upload/4 uses scp or falls back to the in-VM SFTP channel.

Execute a function on each host in parallel. Returns list of {host, result} tuples.

Execute on hosts grouped by role, with configurable parallelism.

Build the argument list passed to the scp binary.

Uses an arg list (not a shell string) to avoid the shell, and carries the non-interactive deploy flags BatchMode=yes and StrictHostKeyChecking=accept-new.

Stream command output to stdout (for logs -f, etc.). Runs until the remote command exits or the process is interrupted.

Upload a file to a remote host.

When an on-disk private key is configured (ssh.keys), this shells out to the system scp binary, which transfers at full link speed. Erlang's built-in :ssh_sftp writes the whole file through a small SFTP window (~100-200 KB/s in practice), which is pathologically slow for release tarballs (hundreds of MB) — a multi-minute upload becomes seconds over scp. When no key file is available (e.g. key_data from a secrets manager, or an agent), it falls back to the in-VM SFTP channel so those flows keep working.