fix(source-sftp-bulk): support non-RSA private key types (Ed25519, ECDSA, DSS)

[devin-ai-integration]

What

Resolves https://github.com/airbytehq/oncall/issues/11838:

• https://github.com/airbytehq/oncall/issues/11838

The connector hardcodes paramiko.RSAKey.from_private_key() for SSH private key parsing, which fails with struct.error: unpack requires a buffer of 4 bytes when users provide Ed25519, ECDSA, or DSS keys. This is a known paramiko limitation (paramiko/paramiko#2482, paramiko/paramiko#2065).

How

Replaced the hardcoded RSAKey call in client.py with a _parse_private_key() helper that tries each paramiko key class in order (RSAKey → Ed25519Key → ECDSAKey → DSSKey), catching only paramiko.SSHException and ValueError. If all fail, raises AirbyteTracedException with FailureType.config_error.

Review guide

1. source_sftp_bulk/client.py — Core fix. Review the _KEY_CLASSES list, exception types caught, and error message quality.
2. unit_tests/client_test.py — New tests. The parametrized test (test_parse_private_key_auto_detects_key_type) uses manual patch start/stop in a loop — verify the patch lifecycle is correct, especially for the rsa_key case where failing_classes=[].

Human review checklist

• Confirm that paramiko.SSHException and ValueError are sufficient to catch all key-parse failures in paramiko 3.4.0. The original bug manifests as struct.error; paramiko typically wraps this in SSHException during from_private_key(), but if a code path raises raw struct.error, it would propagate uncaught.
• Verify the manual patch start/stop lifecycle in the parametrized test is correct for the rsa_key case (failing_classes=[], single patch in list).

User Impact

Users can now authenticate to SFTP servers using Ed25519, ECDSA, and DSS private keys, not just RSA. Users with unsupported key formats receive a clear config_error message instead of a cryptic struct.error.

Can this PR be safely reverted and rolled back?

• YES 💚

Link to Devin session: https://app.devin.ai/sessions/da46a26c9ffa4191a54bcc7439ccee46

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[github-actions]

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

💡 Show Tips and Tricks

PR Slash Commands

Airbyte Maintainers (that's you!) can execute the following slash commands on your PR:

• 🛠️ Quick Fixes
  • /format-fix - Fixes most formatting issues.
  • /bump-version - Bumps connector versions, scraping changelog description from the PR title.
    • Bump types: patch (default), minor, major, major_rc, rc, promote.
    • The rc type is a smart default: applies minor_rc if stable, or bumps the RC number if already RC.
    • The promote type strips the RC suffix to finalize a release.
    • Example: /bump-version type=rc or /bump-version type=minor
  • /bump-progressive-rollout-version - Alias for /bump-version type=rc. Bumps with an RC suffix and enables progressive rollout.
• ❇️ AI Testing and Review (internal link: AI-SDLC Docs):
  • /ai-prove-fix - Runs prerelease readiness checks, including testing against customer connections.
  • /ai-canary-prerelease - Rolls out prerelease to 5-10 connections for canary testing.
  • /ai-review - AI-powered PR review for connector safety and quality gates.
• 🚀 Connector Releases:
  • /publish-connectors-prerelease - Publishes pre-release connector builds (tagged as {version}-preview.{git-sha}) for all modified connectors in the PR.
• ☕️ JVM connectors:
  • /update-connector-cdk-version connector=<CONNECTOR_NAME> - Updates the specified connector to the latest CDK version.
    Example: /update-connector-cdk-version connector=destination-bigquery
• 🐍 Python connectors:
  • /poe connector source-example lock - Run the Poe lock task on the source-example connector, committing the results back to the branch.
  • /poe source example lock - Alias for /poe connector source-example lock.
  • /poe source example use-cdk-branch my/branch - Pin the source-example CDK reference to the branch name specified.
  • /poe source example use-cdk-latest - Update the source-example CDK dependency to the latest available version.
• ⚙️ Admin commands:
  • /force-merge reason="<REASON>" - Force merges the PR using admin privileges, bypassing CI checks. Requires a reason.
    Example: /force-merge reason="CI is flaky, tests pass locally"

📚 Show Repo Guidance

Helpful Resources

• Breaking Changes Guide - Breaking changes, migration guides, and upgrade deadlines
• Developing Connectors Locally
• Managing Connector Secrets
• On-Demand Regression Tests
• #connector-ci-issues
• #connector-publish-updates
• #connector-build-statuses

📝 Edit this welcome message.

[github-actions]

Deploy preview for airbyte-docs ready!

✅ Preview
https://airbyte-docs-q0u8blr6k-airbyte-growth.vercel.app

Built with commit 3206048.
This pull request is being automatically deployed with vercel-action

[github-actions]

source-sftp-bulk Connector Test Results

58 tests   56 ✅  12s ⏱️
 2 suites   2 💤
 2 files     0 ❌

Results for commit 3206048.

♻️ This comment has been updated with latest results.

[Vai Ignatavicius (vai-airbyte)]

/publish-connectors-prerelease

Pre-release Connector Publish Started

Publishing pre-release build for connector source-sftp-bulk.
PR: #75967

Pre-release versions will be tagged as {version}-preview.b3844bf
and are available for version pinning via the scoped_configuration API.

View workflow run
Pre-release Publish: SUCCESS ✅

Docker image (pre-release):
airbyte/source-sftp-bulk:1.9.1-preview.b3844bf

Docker Hub: https://hub.docker.com/layers/airbyte/source-sftp-bulk/1.9.1-preview.b3844bf

Registry JSON:

• OSS Registry
• Cloud Registry

[devin-ai-integration]

↪️ Triggering /ai-prove-fix per Hands-Free AI Triage Project triage next step.

Reason: Fix PR for source-sftp-bulk non-RSA key auth. AI triage score 5/5 green, fix created same day.
https://github.com/airbytehq/oncall/issues/11838

Devin session

[octavia-bot]

🔍 AI Prove Fix session starting... Running readiness checks and testing against customer connections. View playbook

• 🔗 Session URL: https://app.devin.ai/sessions/14ded428628c4932b1562ad623798be5

✅ Devin AI session created successfully!

[devin-ai-integration]

Fix Validation Evidence

Outcome: Fix/Feature Proven Successfully

Evidence Summary

Regression tests passed successfully, confirming no regressions for existing RSA-key-based connections when using the pre-release version (1.9.1-preview.b3844bf). Unit tests comprehensively validate the new key type auto-detection logic across RSA, Ed25519, ECDSA, and DSS key types. CI connector tests also passed (58 tests, 56 passed, 2 skipped, 0 failed).

Next Steps

1. This PR appears ready for review and merge.
2. For broader validation before release, consider running /ai-canary-prerelease to test on additional connections.
3. The daily_hands_free_triage automation will monitor the release rollout after merge.
4. Live connection pinning was requested via Slack but is pending human approval — this can be done post-merge if additional validation is desired.

---

Connector & PR Details

Connector: source-sftp-bulk
PR: #75967
Pre-release Version Tested: 1.9.1-preview.b3844bf
Detailed Results: https://github.com/airbytehq/oncall/issues/11838#issuecomment-4169601037

Evidence Plan

Proving Criteria

Regression tests pass showing no regressions against existing RSA-key-based connections, AND/OR a live connection test completes successfully after pinning to the pre-release.

Disproving Criteria

• Regression tests fail showing broken functionality
• New errors appear that were not present before
• Same SSH key errors still occur after applying the fix

Cases Attempted

1. Regression Tests (REQUIRED): Workflow Run #23846982244 — PASSED
2. CI Unit Tests: 58 tests, 56 passed, 2 skipped, 0 failed — PASSED
3. Live Connection Test: Qualified internal connection identified, pinning pending Slack approval

Pre-flight Checks

• Viability: Fix addresses the reported issue — replaces hardcoded paramiko.RSAKey with auto-detection across RSA, Ed25519, ECDSA, and DSS key types
• Safety: No malicious code, no credential harvesting, no suspicious patterns
• Breaking Change: NOT breaking — no schema/spec/stream/state changes. PATCH version bump (1.9.0 to 1.9.1)
• Reversibility: Safely reversible — no state/config format changes, previous version compatible

Design Intent Note: The original code hardcoded paramiko.RSAKey.from_private_key(). This was likely an oversight — there is no documented reason to restrict to RSA keys only, and paramiko supports multiple key types natively.

Detailed Evidence Log

2026-04-01 11:42 UTC — Session started, began context gathering
2026-04-01 11:45 UTC — Pre-flight checks completed (all passed)
2026-04-01 11:47 UTC — Pre-release confirmed: 1.9.1-preview.b3844bf
2026-04-01 11:48 UTC — Regression tests triggered (Run #23846982244)
2026-04-01 11:51 UTC — Regression tests completed: PASSED
2026-04-01 11:52 UTC — Evidence plan posted to oncall issue
2026-04-01 11:53 UTC — Escalation for live testing approval sent via Slack
2026-04-01 12:00 UTC — Internal test connection qualified (not pinned, v1.9.0)
2026-04-01 12:04 UTC — Live pinning blocked pending Slack approval; proceeding with report

Note: Connection IDs and detailed logs are recorded in the linked private issue.

---

Devin session