fix: SSH Keys UI - remove migration banner and compute unmanaged key fingerprints

- Remove useless "Migration Status" section from ssh_keys.html template
- Add fingerprint computation to KeyDiscoveryService using ssh-keygen -lf
- Unmanaged keys now show SHA256 fingerprints instead of "unknown"
- Graceful error handling if ssh-keygen fails for any key

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: jsbattig

src/code_indexer/server/services/key_discovery_service.py

@@ -4,6 +4,7 @@
 Discovers existing SSH keys and parses config file mappings.
 """
 
+import subprocess
 from dataclasses import dataclass
 from pathlib import Path
 from typing import Dict, List, Optional
@@ -44,6 +45,33 @@ def __init__(self, ssh_dir: Optional[Path] = None):
             ssh_dir = Path.home() / ".ssh"
         self.ssh_dir = ssh_dir
 
+    def _compute_fingerprint(self, public_key_path: Path) -> Optional[str]:
+        """
+        Compute fingerprint of an SSH public key using ssh-keygen.
+
+        Args:
+            public_key_path: Path to the public key file
+
+        Returns:
+            Fingerprint string (e.g., "SHA256:xxxx...") or None if computation fails
+        """
+        try:
+            result = subprocess.run(
+                ["ssh-keygen", "-lf", str(public_key_path)],
+                capture_output=True,
+                text=True,
+                timeout=5,
+            )
+            if result.returncode == 0 and result.stdout:
+                # Output format: "256 SHA256:xxxx... user@host (ED25519)"
+                # Extract the SHA256:xxxx... part (second field)
+                parts = result.stdout.strip().split()
+                if len(parts) >= 2:
+                    return parts[1]
+            return None
+        except (subprocess.CalledProcessError, subprocess.TimeoutExpired, OSError):
+            return None
+
     def discover_existing_keys(self) -> List[KeyInfo]:
         """
         Discover existing SSH key pairs in the SSH directory.
@@ -73,11 +101,13 @@ def discover_existing_keys(self) -> List[KeyInfo]:
             # Check if corresponding .pub file exists
             pub_path = file_path.parent / f"{file_path.name}.pub"
             if pub_path.exists():
+                fingerprint = self._compute_fingerprint(pub_path)
                 discovered_keys.append(
                     KeyInfo(
                         name=file_path.name,
                         private_path=file_path,
                         public_path=pub_path,
+                        fingerprint=fingerprint,
                         is_cidx_managed=False,
                     )
                 )

src/code_indexer/server/web/templates/ssh_keys.html

@@ -91,34 +91,6 @@ <h2>Create New SSH Key</h2>
     </article>
 </section>
 
-<!-- Migration Status Section -->
-{% if migration_result %}
-<article>
-    <header>
-        <h2>Migration Status</h2>
-    </header>
-    {% if migration_result.skipped %}
-    <p><mark>Migration already completed</mark></p>
-    {% else %}
-    <p>
-        <strong>{{ migration_result.keys_discovered }}</strong> keys discovered,
-        <strong>{{ migration_result.keys_imported }}</strong> imported,
-        <strong>{{ migration_result.mappings_imported }}</strong> existing mappings imported
-    </p>
-    {% if migration_result.failed_hosts %}
-    <details>
-        <summary>Failed Hosts ({{ migration_result.failed_hosts|length }})</summary>
-        <ul>
-            {% for key_name, hostname, reason in migration_result.failed_hosts %}
-            <li>{{ key_name }} -> {{ hostname }}: {{ reason }}</li>
-            {% endfor %}
-        </ul>
-    </details>
-    {% endif %}
-    {% endif %}
-</article>
-{% endif %}
-
 <!-- Managed Keys Section -->
 <article>
     <header>

tests/server/services/test_key_discovery_service.py

@@ -1,6 +1,8 @@
 """Unit tests for KeyDiscoveryService."""
 
+import subprocess
 from pathlib import Path
+from unittest.mock import patch, MagicMock
 
 from code_indexer.server.services.key_discovery_service import (
     KeyDiscoveryService,
@@ -123,3 +125,73 @@ def test_parse_mappings_extracts_identity_files(self, tmp_path):
 
         assert work_key_path in mappings
         assert "gitlab.com" in mappings[work_key_path]
+
+
+class TestKeyDiscoveryServiceFingerprint:
+    """Tests for fingerprint computation in discover_existing_keys()."""
+
+    def test_discover_keys_computes_fingerprint(self, tmp_path):
+        """Should compute fingerprint for discovered keys."""
+        ssh_dir = tmp_path / ".ssh"
+        ssh_dir.mkdir()
+
+        # Create a key pair
+        (ssh_dir / "id_ed25519").write_text("PRIVATE KEY CONTENT")
+        (ssh_dir / "id_ed25519.pub").write_text("ssh-ed25519 AAAA... test@example.com")
+
+        service = KeyDiscoveryService(ssh_dir=ssh_dir)
+
+        # Mock _compute_fingerprint to return a known fingerprint
+        with patch.object(
+            service, "_compute_fingerprint", return_value="SHA256:abcdef123456"
+        ) as mock_compute:
+            keys = service.discover_existing_keys()
+
+            # Verify _compute_fingerprint was called with the public key path
+            mock_compute.assert_called_once()
+            call_args = mock_compute.call_args
+            assert call_args[0][0] == ssh_dir / "id_ed25519.pub"
+
+            assert len(keys) == 1
+            assert keys[0].fingerprint == "SHA256:abcdef123456"
+
+    def test_discover_keys_handles_fingerprint_failure_gracefully(self, tmp_path):
+        """Should leave fingerprint as None if computation fails."""
+        ssh_dir = tmp_path / ".ssh"
+        ssh_dir.mkdir()
+
+        # Create a key pair
+        (ssh_dir / "id_rsa").write_text("PRIVATE KEY CONTENT")
+        (ssh_dir / "id_rsa.pub").write_text("ssh-rsa AAAA... test@example.com")
+
+        service = KeyDiscoveryService(ssh_dir=ssh_dir)
+
+        # Mock _compute_fingerprint to return None (failure case)
+        with patch.object(service, "_compute_fingerprint", return_value=None):
+            keys = service.discover_existing_keys()
+
+        assert len(keys) == 1
+        assert keys[0].fingerprint is None
+
+    def test_compute_fingerprint_parses_ssh_keygen_output(self, tmp_path):
+        """Should correctly parse fingerprint from ssh-keygen output."""
+        import code_indexer.server.services.key_discovery_service as kds_module
+
+        ssh_dir = tmp_path / ".ssh"
+        ssh_dir.mkdir()
+
+        # Create a valid public key file
+        pub_key_path = ssh_dir / "id_ed25519.pub"
+        pub_key_path.write_text("ssh-ed25519 AAAA...")
+
+        service = KeyDiscoveryService(ssh_dir=ssh_dir)
+
+        # Mock subprocess.run at the module level where it's imported
+        mock_result = MagicMock()
+        mock_result.stdout = "3072 SHA256:xyzPQR789abc user@host (RSA)\n"
+        mock_result.returncode = 0
+
+        with patch.object(kds_module.subprocess, "run", return_value=mock_result):
+            fingerprint = service._compute_fingerprint(pub_key_path)
+
+        assert fingerprint == "SHA256:xyzPQR789abc"

tests/server/web/test_ssh_keys_web_ui.py

@@ -19,8 +19,8 @@ def test_ssh_keys_template_exists(self):
         )
         assert template_path.exists(), f"Template not found at {template_path}"
 
-    def test_ssh_keys_template_contains_migration_status(self):
-        """Template should contain migration status display elements."""
+    def test_ssh_keys_template_no_migration_status_section(self):
+        """Template should NOT contain migration status section (removed as useless)."""
         template_path = (
             Path(__file__).parent.parent.parent.parent
             / "src"
@@ -33,11 +33,13 @@ def test_ssh_keys_template_contains_migration_status(self):
 
         content = template_path.read_text()
 
-        # Should have migration summary section
-        assert "migration" in content.lower()
+        # Migration status section should be removed
+        assert "migration_result" not in content
+        assert "Migration Status" not in content
 
-        # Should have key listing
+        # Should still have key listing
         assert "key" in content.lower()
+        assert "managed" in content.lower()
 
     def test_ssh_keys_template_has_copy_button(self):
         """Template should have copy public key functionality."""