feat(ssh): add -o json support for --setup-only (#106)

## Summary

- Adds `-o json` flag to `kernel browsers ssh --setup-only` for
machine-readable output
- When set, suppresses all pterm progress messages and emits a JSON
object to stdout with `vm_domain`, `session_id`, `ssh_key_file`,
`proxy_command`, and `ssh_command`
- Skips ephemeral key cleanup when JSON output is used so the key file
remains available for the caller

## Motivation

Scripting around `--setup-only` currently requires fragile `grep`/`awk`
parsing of human-readable output:

```bash
OUTPUT=$(kernel browsers ssh "$SESSION_ID" -i /tmp/kernel-scp-key --setup-only 2>&1)
VM_DOMAIN=$(echo "$OUTPUT" | grep "VM domain:" | awk '{print $NF}')
```

With `-o json`, this becomes:

```bash
SETUP=$(kernel browsers ssh "$SESSION_ID" -i /tmp/kernel-scp-key --setup-only -o json)
VM_DOMAIN=$(echo "$SETUP" | jq -r '.vm_domain')
```

## Example output

```json
{
  "vm_domain": "actual-vm-domain.onkernel.app",
  "session_id": "abc123",
  "ssh_key_file": "/tmp/kernel-scp-key",
  "proxy_command": "websocat --binary wss://actual-vm-domain.onkernel.app:2222",
  "ssh_command": "ssh -o 'ProxyCommand=websocat --binary wss://...:2222' -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /tmp/kernel-scp-key root@localhost"
}
```

## Test plan

- [ ] Run `kernel browsers ssh <id> -i <key> --setup-only -o json` and
verify clean JSON on stdout
- [ ] Run `kernel browsers ssh <id> --setup-only -o json` (ephemeral
key) and verify key file is not cleaned up
- [ ] Run `kernel browsers ssh <id> --setup-only` without `-o` and
verify existing behavior is unchanged
- [ ] Run `kernel browsers ssh <id> -o json` without `--setup-only` and
verify it errors
- [ ] Run `kernel browsers ssh <id> -o yaml` and verify it errors

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> CLI-only behavior changes gated behind `--setup-only -o json`, with
limited impact on the default interactive SSH path; main risk is leaving
temporary key files behind when JSON output is used.
> 
> **Overview**
> Adds `-o/--output json` support to `kernel browsers ssh` when used
with `--setup-only`, emitting a single JSON object (vm domain, session
id, key path, and ready-to-run proxy/ssh commands) for scripting.
> 
> When JSON output is enabled, progress/log messaging is suppressed,
`setupVMSSH` gains a quiet mode for key-injection/setup messaging, and
ephemeral key cleanup is skipped so callers can reuse the generated key
file; invalid output formats and `-o json` without `--setup-only` now
error.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
405d824. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: rgarcia

cmd/ssh.go

@@ -3,6 +3,7 @@ package cmd
 import (
 	"context"
 	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"os"
 	"os/exec"
@@ -16,6 +17,15 @@ import (
 	"github.com/spf13/cobra"
 )
 
+// sshSetupResult is the JSON output structure for --setup-only -o json.
+type sshSetupResult struct {
+	VMDomain     string `json:"vm_domain"`
+	SessionID    string `json:"session_id"`
+	SSHKeyFile   string `json:"ssh_key_file"`
+	ProxyCommand string `json:"proxy_command"`
+	SSHCommand   string `json:"ssh_command"`
+}
+
 var sshCmd = &cobra.Command{
 	Use:   "ssh <id>",
 	Short: "Open an interactive SSH session to a browser VM",
@@ -49,6 +59,7 @@ func init() {
 	sshCmd.Flags().StringP("local-forward", "L", "", "Local port forwarding (localport:host:remoteport)")
 	sshCmd.Flags().StringP("remote-forward", "R", "", "Remote port forwarding (remoteport:host:localport)")
 	sshCmd.Flags().Bool("setup-only", false, "Setup SSH on VM without connecting")
+	sshCmd.Flags().StringP("output", "o", "", "Output format: json for machine-readable output (only with --setup-only)")
 }
 
 func runSSH(cmd *cobra.Command, args []string) error {
@@ -60,26 +71,39 @@ func runSSH(cmd *cobra.Command, args []string) error {
 	localForward, _ := cmd.Flags().GetString("local-forward")
 	remoteForward, _ := cmd.Flags().GetString("remote-forward")
 	setupOnly, _ := cmd.Flags().GetBool("setup-only")
+	output, _ := cmd.Flags().GetString("output")
+
+	if output != "" && output != "json" {
+		return fmt.Errorf("unsupported --output value: use 'json'")
+	}
+	if output == "json" && !setupOnly {
+		return fmt.Errorf("--output json is only supported with --setup-only")
+	}
 
 	cfg := ssh.Config{
 		BrowserID:     browserID,
 		IdentityFile:  identityFile,
 		LocalForward:  localForward,
 		RemoteForward: remoteForward,
 		SetupOnly:     setupOnly,
+		Output:        output,
 	}
 
 	return connectSSH(ctx, client, cfg)
 }
 
 func connectSSH(ctx context.Context, client kernel.Client, cfg ssh.Config) error {
+	jsonOutput := cfg.Output == "json"
+
 	// Check websocat is installed locally
 	if err := ssh.CheckWebsocatInstalled(); err != nil {
 		return err
 	}
 
 	// Get browser info
-	pterm.Info.Printf("Getting browser %s info...\n", cfg.BrowserID)
+	if !jsonOutput {
+		pterm.Info.Printf("Getting browser %s info...\n", cfg.BrowserID)
+	}
 	browser, err := client.Browsers.Get(ctx, cfg.BrowserID, kernel.BrowserGetParams{})
 	if err != nil {
 		return fmt.Errorf("failed to get browser: %w", err)
@@ -95,7 +119,9 @@ func connectSSH(ctx context.Context, client kernel.Client, cfg ssh.Config) error
 	if err != nil {
 		return fmt.Errorf("failed to extract VM domain: %w", err)
 	}
-	pterm.Info.Printf("VM domain: %s\n", vmDomain)
+	if !jsonOutput {
+		pterm.Info.Printf("VM domain: %s\n", vmDomain)
+	}
 
 	// Generate or load SSH keypair
 	var privateKeyPEM, publicKey string
@@ -104,7 +130,9 @@ func connectSSH(ctx context.Context, client kernel.Client, cfg ssh.Config) error
 
 	if cfg.IdentityFile != "" {
 		// Use provided key
-		pterm.Info.Printf("Using SSH key: %s\n", cfg.IdentityFile)
+		if !jsonOutput {
+			pterm.Info.Printf("Using SSH key: %s\n", cfg.IdentityFile)
+		}
 		keyFile = cfg.IdentityFile
 
 		// Read public key to inject into VM
@@ -117,7 +145,9 @@ func connectSSH(ctx context.Context, client kernel.Client, cfg ssh.Config) error
 		publicKey = strings.TrimSpace(string(pubKeyData))
 	} else {
 		// Generate ephemeral keypair
-		pterm.Info.Println("Generating ephemeral SSH keypair...")
+		if !jsonOutput {
+			pterm.Info.Println("Generating ephemeral SSH keypair...")
+		}
 		keyPair, err := ssh.GenerateKeyPair()
 		if err != nil {
 			return fmt.Errorf("failed to generate SSH keypair: %w", err)
@@ -134,22 +164,40 @@ func connectSSH(ctx context.Context, client kernel.Client, cfg ssh.Config) error
 		pterm.Debug.Printf("Temp key file: %s\n", keyFile)
 	}
 
-	// Cleanup temp key on exit
-	if cleanupKey {
+	// Cleanup temp key on exit (skip if JSON setup-only, since the caller needs the key)
+	if cleanupKey && !(cfg.SetupOnly && jsonOutput) {
 		defer func() {
 			pterm.Debug.Printf("Cleaning up temp key: %s\n", keyFile)
 			os.Remove(keyFile)
 		}()
 	}
 
 	// Setup SSH services on VM
-	pterm.Info.Println("Setting up SSH services on VM...")
-	if err := setupVMSSH(ctx, client, browser.SessionID, publicKey); err != nil {
+	if !jsonOutput {
+		pterm.Info.Println("Setting up SSH services on VM...")
+	}
+	if err := setupVMSSH(ctx, client, browser.SessionID, publicKey, jsonOutput); err != nil {
 		return fmt.Errorf("failed to setup SSH on VM: %w", err)
 	}
-	pterm.Success.Println("SSH services running on VM")
+	if !jsonOutput {
+		pterm.Success.Println("SSH services running on VM")
+	}
 
 	if cfg.SetupOnly {
+		if jsonOutput {
+			proxyCmd := fmt.Sprintf("websocat --binary wss://%s:2222", vmDomain)
+			sshCommand := fmt.Sprintf("ssh -o 'ProxyCommand=%s' -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -i %s root@localhost", proxyCmd, keyFile)
+			result := sshSetupResult{
+				VMDomain:     vmDomain,
+				SessionID:    browser.SessionID,
+				SSHKeyFile:   keyFile,
+				ProxyCommand: proxyCmd,
+				SSHCommand:   sshCommand,
+			}
+			enc := json.NewEncoder(os.Stdout)
+			enc.SetIndent("", "  ")
+			return enc.Encode(result)
+		}
 		pterm.Info.Println("\n--setup-only specified, not connecting.")
 		pterm.Info.Printf("To connect manually:\n")
 		pterm.Info.Printf("  ssh -o 'ProxyCommand=websocat --binary wss://%s:2222' -i %s root@localhost\n", vmDomain, keyFile)
@@ -192,7 +240,7 @@ func connectSSH(ctx context.Context, client kernel.Client, cfg ssh.Config) error
 }
 
 // setupVMSSH installs and configures sshd + websocat on the VM using process.exec
-func setupVMSSH(ctx context.Context, client kernel.Client, sessionID, publicKey string) error {
+func setupVMSSH(ctx context.Context, client kernel.Client, sessionID, publicKey string, quiet bool) error {
 	// First check if services are already running
 	checkScript := ssh.CheckServicesScript()
 	checkResp, err := client.Browsers.Process.Exec(ctx, sessionID, kernel.BrowserProcessExecParams{
@@ -205,7 +253,9 @@ func setupVMSSH(ctx context.Context, client kernel.Client, sessionID, publicKey
 	} else if checkResp != nil && checkResp.StdoutB64 != "" {
 		stdout, _ := base64.StdEncoding.DecodeString(checkResp.StdoutB64)
 		if strings.TrimSpace(string(stdout)) == "RUNNING" {
-			pterm.Info.Println("SSH services already running, injecting key...")
+			if !quiet {
+				pterm.Info.Println("SSH services already running, injecting key...")
+			}
 			// Just inject the key
 			return injectSSHKey(ctx, client, sessionID, publicKey)
 		}

pkg/ssh/ssh.go

@@ -23,6 +23,7 @@ type Config struct {
 	LocalForward  string // -L flag value
 	RemoteForward string // -R flag value
 	SetupOnly     bool
+	Output        string // "json" for machine-readable output
 }
 
 // KeyPair holds an SSH keypair