TableProApp
diff --git a/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎TablePro/Core/Database/DatabaseManager+Queries.swift‎
Lines changed: 6 additions & 2 deletions b/‎TablePro/Core/Database/DatabaseManager+Queries.swift‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎TablePro/Core/Database/DatabaseManager+SSH.swift‎
Lines changed: 14 additions & 17 deletions b/‎TablePro/Core/Database/DatabaseManager+SSH.swift‎
Lines changed: 14 additions & 17 deletions
diff --git a/‎TablePro/Core/Database/DatabaseManager+Sessions.swift‎
Lines changed: 3 additions & 3 deletions b/‎TablePro/Core/Database/DatabaseManager+Sessions.swift‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎TablePro/Core/SSH/LibSSH2TunnelFactory.swift‎
Lines changed: 5 additions & 1 deletion b/‎TablePro/Core/SSH/LibSSH2TunnelFactory.swift‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎TablePro/Core/SSH/SSHConfigParser.swift‎
Lines changed: 133 additions & 51 deletions b/‎TablePro/Core/SSH/SSHConfigParser.swift‎
Lines changed: 133 additions & 51 deletions
@@ -15,6 +15,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Handoff support for cross-device continuity between iOS and macOS
 - State restoration across app lifecycle on iOS (selected connection, active tab, query text, database/schema selection)
 
+### Fixed
+
+- SSH Tunnel not working with `~/.ssh/config` profiles (#672): added `Include` directive support, SSH token expansion (`%d`, `%h`, `%u`, `%r`), multi-word `Host` filtering, and detailed handshake error messages
+
 ## [0.30.1] - 2026-04-10
 
 ### Added
 
@@ -78,6 +78,10 @@ extension DatabaseManager {
             sshPasswordOverride: sshPassword
         )
 
+        // Detect whether buildEffectiveConnection created a tunnel by checking
+        // if the returned connection was redirected to localhost (tunnel endpoint)
+        let tunnelWasCreated = testConnection.host == "127.0.0.1" && testConnection.port != connection.port
+
         let result: Bool
         do {
             let driver = try DatabaseDriverFactory.createDriver(
@@ -86,7 +90,7 @@ extension DatabaseManager {
             )
             result = try await driver.testConnection()
         } catch {
-            if connection.sshConfig.enabled {
+            if tunnelWasCreated {
                 do {
                     try await SSHTunnelManager.shared.closeTunnel(connectionId: connection.id)
                 } catch {
@@ -96,7 +100,7 @@ extension DatabaseManager {
             throw error
         }
 
-        if connection.sshConfig.enabled {
+        if tunnelWasCreated {
             do {
                 try await SSHTunnelManager.shared.closeTunnel(connectionId: connection.id)
             } catch {
 
@@ -24,27 +24,24 @@ extension DatabaseManager {
         for connection: DatabaseConnection,
         sshPasswordOverride: String? = nil
     ) async throws -> DatabaseConnection {
-        // Resolve SSH configuration: profile takes priority over inline
-        let profile = connection.sshProfileId.flatMap { SSHProfileStorage.shared.profile(for: $0) }
-        let sshConfig = connection.effectiveSSHConfig(profile: profile)
-        let isProfile = connection.sshProfileId != nil && profile != nil
-        let secretOwnerId = (isProfile ? connection.sshProfileId : nil) ?? connection.id
-
-        guard sshConfig.enabled else {
-            return connection
-        }
+        let sshConfig = connection.resolvedSSHConfig
+        guard sshConfig.enabled else { return connection }
 
         let storedSshPassword: String?
         let keyPassphrase: String?
         let totpSecret: String?
-        if isProfile {
-            storedSshPassword = SSHProfileStorage.shared.loadSSHPassword(for: secretOwnerId)
-            keyPassphrase = SSHProfileStorage.shared.loadKeyPassphrase(for: secretOwnerId)
-            totpSecret = SSHProfileStorage.shared.loadTOTPSecret(for: secretOwnerId)
-        } else {
-            storedSshPassword = ConnectionStorage.shared.loadSSHPassword(for: secretOwnerId)
-            keyPassphrase = ConnectionStorage.shared.loadKeyPassphrase(for: secretOwnerId)
-            totpSecret = ConnectionStorage.shared.loadTOTPSecret(for: secretOwnerId)
+
+        switch connection.sshTunnelMode {
+        case .disabled:
+            return connection
+        case .profile(let profileId, _):
+            storedSshPassword = SSHProfileStorage.shared.loadSSHPassword(for: profileId)
+            keyPassphrase = SSHProfileStorage.shared.loadKeyPassphrase(for: profileId)
+            totpSecret = SSHProfileStorage.shared.loadTOTPSecret(for: profileId)
+        case .inline:
+            storedSshPassword = ConnectionStorage.shared.loadSSHPassword(for: connection.id)
+            keyPassphrase = ConnectionStorage.shared.loadKeyPassphrase(for: connection.id)
+            totpSecret = ConnectionStorage.shared.loadTOTPSecret(for: connection.id)
         }
 
         let sshPassword = sshPasswordOverride ?? storedSshPassword
 
@@ -92,7 +92,7 @@ extension DatabaseManager {
             )
         } catch {
             // Close tunnel if SSH was established
-            if connection.sshConfig.enabled {
+            if connection.resolvedSSHConfig.enabled {
                 Task {
                     do {
                         try await SSHTunnelManager.shared.closeTunnel(connectionId: connection.id)
@@ -157,7 +157,7 @@ extension DatabaseManager {
             }
         } catch {
             // Close tunnel if connection failed
-            if connection.sshConfig.enabled {
+            if connection.resolvedSSHConfig.enabled {
                 Task {
                     do {
                         try await SSHTunnelManager.shared.closeTunnel(connectionId: connection.id)
@@ -243,7 +243,7 @@ extension DatabaseManager {
         guard let session = activeSessions[sessionId] else { return }
 
         // Close SSH tunnel if exists
-        if session.connection.sshConfig.enabled {
+        if session.connection.resolvedSSHConfig.enabled {
             do {
                 try await SSHTunnelManager.shared.closeTunnel(connectionId: session.connection.id)
             } catch {
 
@@ -403,8 +403,12 @@ internal enum LibSSH2TunnelFactory {
 
         let rc = libssh2_session_handshake(session, socketFD)
         if rc != 0 {
+            var msgPtr: UnsafeMutablePointer<CChar>?
+            var msgLen: Int32 = 0
+            libssh2_session_last_error(session, &msgPtr, &msgLen, 0)
+            let detail = msgPtr.map { String(cString: $0) } ?? "Unknown error"
             libssh2_session_free(session)
-            throw SSHTunnelError.tunnelCreationFailed("SSH handshake failed (error \(rc))")
+            throw SSHTunnelError.tunnelCreationFailed("SSH handshake failed: \(detail)")
         }
 
         return session
 
@@ -6,6 +6,7 @@
 //
 
 import Foundation
+import os
 
 /// Represents a parsed entry from ~/.ssh/config
 struct SSHConfigEntry: Identifiable, Hashable {
@@ -29,6 +30,9 @@ struct SSHConfigEntry: Identifiable, Hashable {
 
 /// Parser for SSH config file (~/.ssh/config)
 final class SSHConfigParser {
+    private static let logger = Logger(subsystem: "com.TablePro", category: "SSHConfigParser")
+    private static let maxIncludeDepth = 10
+
     /// Default SSH config file path
     static let defaultConfigPath = FileManager.default.homeDirectoryForCurrentUser
         .appendingPathComponent(".ssh/config").path(percentEncoded: false)
@@ -37,25 +41,52 @@ final class SSHConfigParser {
     /// - Parameter path: Path to the SSH config file (defaults to ~/.ssh/config)
     /// - Returns: Array of SSHConfigEntry
     static func parse(path: String = defaultConfigPath) -> [SSHConfigEntry] {
-        guard let content = try? String(contentsOfFile: path, encoding: .utf8) else {
-            return []
-        }
-
-        return parseContent(content)
+        var visitedPaths = Set<String>()
+        return parseFile(path: path, visitedPaths: &visitedPaths, depth: 0)
     }
 
     /// Parse SSH config content string
     /// - Parameter content: The content of the SSH config file
     /// - Returns: Array of SSHConfigEntry
     static func parseContent(_ content: String) -> [SSHConfigEntry] {
+        var visited = Set<String>()
+        return parseContent(content, visitedPaths: &visited, depth: 0)
+    }
+
+    /// Parse SSH config file with Include support.
+    private static func parseFile(
+        path: String,
+        visitedPaths: inout Set<String>,
+        depth: Int
+    ) -> [SSHConfigEntry] {
+        guard depth <= maxIncludeDepth else {
+            logger.warning("SSH config Include depth exceeded at: \(path)")
+            return []
+        }
+
+        let canonicalPath = (path as NSString).standardizingPath
+
+        guard !visitedPaths.contains(canonicalPath) else {
+            logger.warning("SSH config circular Include detected: \(path)")
+            return []
+        }
+
+        guard let content = try? String(contentsOfFile: path, encoding: .utf8) else {
+            return []
+        }
+
+        visitedPaths.insert(canonicalPath)
+
+        return parseContent(content, visitedPaths: &visitedPaths, depth: depth)
+    }
+
+    private static func parseContent(
+        _ content: String,
+        visitedPaths: inout Set<String>,
+        depth: Int
+    ) -> [SSHConfigEntry] {
         var entries: [SSHConfigEntry] = []
-        var currentHost: String?
-        var currentHostname: String?
-        var currentPort: Int?
-        var currentUser: String?
-        var currentIdentityFile: String?
-        var currentIdentityAgent: String?
-        var currentProxyJump: String?
+        var pending = PendingEntry()
 
         let lines = content.components(separatedBy: .newlines)
 
@@ -76,70 +107,121 @@ final class SSHConfigParser {
 
             switch key {
             case "host":
-                // Save previous entry if exists
-                if let host = currentHost {
-                    // Skip wildcard patterns like "*"
-                    if !host.contains("*") && !host.contains("?") {
-                        entries.append(
-                            SSHConfigEntry(
-                                host: host,
-                                hostname: currentHostname,
-                                port: currentPort,
-                                user: currentUser,
-                                identityFile: currentIdentityFile.map(SSHPathUtilities.expandTilde),
-                                identityAgent: currentIdentityAgent.map(SSHPathUtilities.expandTilde),
-                                proxyJump: currentProxyJump
-                            ))
-                    }
-                }
-
-                // Start new entry
-                currentHost = value
-                currentHostname = nil
-                currentPort = nil
-                currentUser = nil
-                currentIdentityFile = nil
-                currentIdentityAgent = nil
-                currentProxyJump = nil
+                pending.flush(into: &entries)
+                pending.host = value
 
             case "hostname":
-                currentHostname = value
+                pending.hostname = value
 
             case "port":
-                currentPort = Int(value)
+                pending.port = Int(value)
 
             case "user":
-                currentUser = value
+                pending.user = value
 
             case "identityfile":
-                currentIdentityFile = value
+                pending.identityFile = value
 
             case "identityagent":
-                currentIdentityAgent = value
+                pending.identityAgent = value
 
             case "proxyjump":
-                currentProxyJump = value
+                pending.proxyJump = value
+
+            case "include":
+                pending.flush(into: &entries)
+                for includePath in resolveIncludePaths(value) {
+                    let includedEntries = parseFile(
+                        path: includePath,
+                        visitedPaths: &visitedPaths,
+                        depth: depth + 1
+                    )
+                    entries.append(contentsOf: includedEntries)
+                }
 
             default:
                 break  // Ignore other directives
             }
         }
 
         // Don't forget the last entry
-        if let host = currentHost, !host.contains("*"), !host.contains("?") {
+        pending.flush(into: &entries)
+
+        return entries
+    }
+
+    // MARK: - Pending Entry State
+
+    /// Accumulates directives for the current Host stanza during parsing.
+    private struct PendingEntry {
+        var host: String?
+        var hostname: String?
+        var port: Int?
+        var user: String?
+        var identityFile: String?
+        var identityAgent: String?
+        var proxyJump: String?
+
+        /// Flush the pending entry into the entries array and reset state.
+        /// Skips wildcard patterns (`*`, `?`) and multi-word hosts.
+        mutating func flush(into entries: inout [SSHConfigEntry]) {
+            defer { self = PendingEntry() }
+
+            guard let host, !host.contains("*"), !host.contains("?"), !host.contains(" ") else {
+                return
+            }
+
             entries.append(
                 SSHConfigEntry(
                     host: host,
-                    hostname: currentHostname,
-                    port: currentPort,
-                    user: currentUser,
-                    identityFile: currentIdentityFile.map(SSHPathUtilities.expandTilde),
-                    identityAgent: currentIdentityAgent.map(SSHPathUtilities.expandTilde),
-                    proxyJump: currentProxyJump
+                    hostname: hostname,
+                    port: port,
+                    user: user,
+                    identityFile: identityFile.map {
+                        SSHPathUtilities.expandSSHTokens($0, hostname: hostname, remoteUser: user)
+                    },
+                    identityAgent: identityAgent.map {
+                        SSHPathUtilities.expandSSHTokens($0, hostname: hostname, remoteUser: user)
+                    },
+                    proxyJump: proxyJump
                 ))
         }
+    }
 
-        return entries
+    /// Expand a glob pattern to matching file paths using POSIX glob(3).
+    private static func globPaths(_ pattern: String) -> [String] {
+        var gt = glob_t()
+        defer { globfree(&gt) }
+
+        guard glob(pattern, GLOB_TILDE | GLOB_BRACE, nil, &gt) == 0 else {
+            return []
+        }
+
+        var paths: [String] = []
+        for i in 0..<Int(gt.gl_matchc) {
+            if let cStr = gt.gl_pathv[i] {
+                paths.append(String(cString: cStr))
+            }
+        }
+        return paths.sorted()
+    }
+
+    /// Resolve an Include directive value to actual file paths.
+    /// Relative paths are resolved against ~/.ssh/ per OpenSSH convention.
+    private static func resolveIncludePaths(_ value: String) -> [String] {
+        let expanded = SSHPathUtilities.expandTilde(value)
+
+        // Relative paths resolve against ~/.ssh/ per OpenSSH convention
+        let resolved: String
+        if expanded.hasPrefix("/") {
+            resolved = expanded
+        } else {
+            let sshDir = FileManager.default.homeDirectoryForCurrentUser
+                .appendingPathComponent(".ssh").path(percentEncoded: false)
+            resolved = (sshDir as NSString).appendingPathComponent(expanded)
+        }
+
+        return globPaths(resolved)
     }
 
     /// Find a specific entry by host name