From af520ab8363ef3175fa49b4f1e641d7512f626f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gabor=20K=C3=B6rber?= <gab@g4b.org>
Date: Sun, 24 May 2026 02:00:36 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=A5=87=20export=20from=20upstream=20(0ae8?=
 =?UTF-8?q?b80)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md    |  9 +++++----
 topology.svg | 10 +++++-----
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index e00952e..29d0bfb 100644
--- a/README.md
+++ b/README.md
@@ -78,8 +78,9 @@ sandcage codex -p ~/project          # run Codex instead
 sandcage shell                        # interactive shell, same environment
 sandcage claude --shell              # shell in the Claude image (debugging)
 sandcage init                         # detect ecosystem, generate .sandcage.yml
-sandcage setup ssh                    # configure SSH key mounting
-sandcage setup ssh --global          # configure SSH globally
+sandcage setup ssh                    # select and copy SSH keys for containers
+sandcage setup ssh --global          # store SSH config globally
+sandcage setup ssh --refresh         # re-sync keys after changes
 ```
 
 ## Configuration
@@ -107,14 +108,14 @@ toolchains:
   node: "20"
 env:
   DATABASE_URL: "postgres://localhost:5432/dev"
-mounts:
-  - ~/.ssh:/home/agent/.ssh:ro
 agent_args:
   claude:
     - --dangerously-skip-permissions
 shell: zsh
 ```
 
+SSH key access is configured separately via `sandcage setup ssh`, which selects only the keys needed for git and copies them into a dedicated Docker volume.
+
 Run `sandcage init` to generate a starter config — it detects your project ecosystem (Rust, Node, Python, Go) and suggests appropriate toolchains and packages.
 
 ## Docker Image
diff --git a/topology.svg b/topology.svg
index dca793f..3bb385f 100644
--- a/topology.svg
+++ b/topology.svg
@@ -49,8 +49,8 @@
 
   <!-- SSH Keys -->
   <rect class="box-component comp-ssh" x="50" y="350" width="180" height="50"/>
-  <text class="label" x="140" y="376" text-anchor="middle">SSH Keys</text>
-  <text class="sublabel" x="140" y="392" text-anchor="middle">~/.ssh/</text>
+  <text class="label" x="140" y="376" text-anchor="middle">SSH Keys (selected)</text>
+  <text class="sublabel" x="140" y="392" text-anchor="middle">sandcage-ssh volume</text>
 
   <!-- Arrow from CLI down -->
   <line class="arrow" x1="230" y1="100" x2="320" y2="100"/>
@@ -80,7 +80,7 @@
 
   <!-- Mounted SSH -->
   <rect class="box-component comp-ssh" x="370" y="395" width="330" height="45"/>
-  <text class="label" x="535" y="417" text-anchor="middle">/home/agent/.ssh (read-only)</text>
+  <text class="label" x="535" y="417" text-anchor="middle">/home/agent/.ssh (from sandcage-ssh volume)</text>
 
   <!-- Volume mount arrows -->
   <line class="arrow-mount" x1="230" y1="195" x2="368" y2="260"/>
@@ -90,7 +90,7 @@
   <text class="arrow-label" x="272" y="305">persist</text>
 
   <line class="arrow-mount" x1="230" y1="375" x2="368" y2="415"/>
-  <text class="arrow-label" x="275" y="392">ro mount</text>
+  <text class="arrow-label" x="275" y="392">volume</text>
 
   <!-- Arrow from agent to workspace -->
   <line class="arrow" x1="535" y1="210" x2="535" y2="233"/>
@@ -108,6 +108,6 @@
 
   <!-- Legend -->
   <text class="sublabel" x="50" y="460">1 CLI orchestrates Docker</text>
-  <text class="sublabel" x="50" y="476">2 Volumes mount project, home, and SSH into container</text>
+  <text class="sublabel" x="50" y="476">2 Project and home are bind-mounted; SSH keys via named volume</text>
   <text class="sublabel" x="50" y="492">3 Agent works in mounted workspace — changes visible on host</text>
 </svg>
\ No newline at end of file