- add circular-import justification comment on the deferred get_default_port import
- drop no-op continue in the per-type loop
- add NOTE clarifying last_exc reflects the final (RSAKey) attempt
- clarify docstring re paramiko 3.2+ PKey.from_path() and why it's unsafe here
- strengthen ed25519/RSA tests with isinstance assertions on the parsed key type
- add test for passphrase-protected key without password (PasswordRequiredException)
- add test for an unparseable key (SSHException listing all attempted types)
- de-duplicate test setup via _make_manager / _make_ssh_tunnel helpers
- consistent assertion messages across key-type tests
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Re-raise PasswordRequiredException immediately instead of absorbing it
into the try-next-type loop, so callers see an actionable "key requires
passphrase" error rather than "Unable to parse"
- Add `from last_exc` to the final raise to preserve the exception chain
for traceback tools (Sentry et al.)
- Narrow last_exc type annotation to SSHException | None
- Add test_create_tunnel_accepts_ecdsa_private_key (NIST P-256) to cover
the third entry in _SSH_KEY_TYPES
- Move RSA and ECDSA crypto imports to module level (rm inline import)