diff --git a/README.md b/README.md
index e00952e..29d0bfb 100644
--- a/README.md
+++ b/README.md
@@ -78,8 +78,9 @@ sandcage codex -p ~/project # run Codex instead
sandcage shell # interactive shell, same environment
sandcage claude --shell # shell in the Claude image (debugging)
sandcage init # detect ecosystem, generate .sandcage.yml
-sandcage setup ssh # configure SSH key mounting
-sandcage setup ssh --global # configure SSH globally
+sandcage setup ssh # select and copy SSH keys for containers
+sandcage setup ssh --global # store SSH config globally
+sandcage setup ssh --refresh # re-sync keys after changes
```
## Configuration
@@ -107,14 +108,14 @@ toolchains:
node: "20"
env:
DATABASE_URL: "postgres://localhost:5432/dev"
-mounts:
- - ~/.ssh:/home/agent/.ssh:ro
agent_args:
claude:
- --dangerously-skip-permissions
shell: zsh
```
+SSH key access is configured separately via `sandcage setup ssh`, which selects only the keys needed for git and copies them into a dedicated Docker volume.
+
Run `sandcage init` to generate a starter config — it detects your project ecosystem (Rust, Node, Python, Go) and suggests appropriate toolchains and packages.
## Docker Image
diff --git a/topology.svg b/topology.svg
index dca793f..3bb385f 100644
--- a/topology.svg
+++ b/topology.svg
@@ -49,8 +49,8 @@
- SSH Keys
- ~/.ssh/
+ SSH Keys (selected)
+ sandcage-ssh volume
@@ -80,7 +80,7 @@
- /home/agent/.ssh (read-only)
+ /home/agent/.ssh (from sandcage-ssh volume)
@@ -90,7 +90,7 @@
persist
- ro mount
+ volume
@@ -108,6 +108,6 @@
1 CLI orchestrates Docker
- 2 Volumes mount project, home, and SSH into container
+ 2 Project and home are bind-mounted; SSH keys via named volume
3 Agent works in mounted workspace — changes visible on host
\ No newline at end of file