Рабочий вариант

docker/ssh/.gitignore

@@ -0,0 +1,4 @@
+# Deploy key and known_hosts — add locally, do not commit
+id_*
+id_*.pub
+known_hosts

docker/ssh/README.md

@@ -0,0 +1,19 @@
+# SSH for webhook (git fetch in container)
+
+When the app runs in Docker and the webhook does `git fetch origin <branch>`, git uses SSH. The container has no keys by default, so you get "Host key verification failed" or "Permission denied".
+
+## Setup
+
+1. **Deploy key** (read-only key for the repo you index):
+   - Generate: `ssh-keygen -t ed25519 -f docker/ssh/id_ed25519 -N "" -C "rag-agent-deploy"`
+   - Add the **public** key (`docker/ssh/id_ed25519.pub`) to your Git server (GitHub/GitLab/… → repo → Deploy keys).
+
+2. **Known hosts** (optional; `GIT_SSH_COMMAND` in compose accepts new host keys on first connect):
+   - To pin the host key: `ssh-keyscan -t ed25519 git.example.com >> docker/ssh/known_hosts`
+   - Replace `git.example.com` with your Git host (e.g. `github.com`, `git.lesha.spb.ru`).
+
+3. **Permissions**: key file must be readable only by you, e.g. `chmod 600 docker/ssh/id_ed25519`.
+
+4. **Compose**: by default this directory is mounted into the app container as `/root/.ssh`. Override with `RAG_SSH_DIR` in `.env` if you use another path (e.g. `RAG_SSH_DIR=/Users/you/.ssh` to use your main SSH dir).
+
+After that, restart the app: `docker compose up -d`.