digraph {
    node[shape=record;style=rounded;fontname="helvetica-bold"];
    graph[layout=dot;rankdir=LR;overlap=prism;splines=true;fontname="helvetica-bold"];
    edge[arrowhead=none;fontname="helvetica"];

    start[label="\$\> ssh sshportal";color=blue;fontcolor=blue;fontsize=18];

    subgraph cluster_sshportal {
        graph[fontsize=18;color=gray;fontcolor=black];
        label="sshportal";
        {
            node[color=darkorange;fontcolor=darkorange];
            known_user_key[label="known user key"];
            unknown_user_key[label="unknown user key"];
            invite_manager[label="invite manager"];
            acl_manager[label="ACL manager"];
        }
        {
            node[color=darkgreen;fontcolor=darkgreen];
            builtin_shell[label="built-in\nconfig shell"];
            ssh_proxy[label="SSH proxy\nJump-Host"];
            learn_key[label="learn the\npub key"];
        }
        err_and_exit[label="\nerror\nand exit\n\n";color=red;fontcolor=red];
        { rank=same; ssh_proxy; builtin_shell; learn_key; err_and_exit; }
        { rank=same; known_user_key; unknown_user_key; }
    }

    subgraph cluster_hosts {
        label="your hosts";
        graph[fontsize=18;color=gray;fontcolor=black];
        node[color=blue;fontcolor=blue];

        host_1[label="root@host1"];
        host_2[label="user@host2:2222"];
        host_3[label="root@host3:1234"];
    }

    {
        edge[color=blue];
        start -> known_user_key;
        start -> unknown_user_key;
        ssh_proxy -> host_1;
        ssh_proxy -> host_2;
        ssh_proxy -> host_3;
    }
    {
        edge[color=darkgreen;fontcolor=darkgreen];
        known_user_key -> builtin_shell[label="user=admin"];
        acl_manager -> ssh_proxy[label="authorized"];
        invite_manager -> learn_key[label="valid token"];
    }
    {
        edge[color=darkorange;fontcolor=darkorange];
        known_user_key -> acl_manager[label="user matches an existing host"];
        unknown_user_key -> invite_manager[label="user=invite:<token>";labelloc=b];
    }
    {
        edge[color=red;fontcolor=red];
        known_user_key -> err_and_exit[label="invalid user"];
        acl_manager -> err_and_exit[label="unauthorized"];
        unknown_user_key -> err_and_exit[label="any other user";constraint=false];
        invite_manager -> err_and_exit[label="invalid token";constraint=false];
    }
}