# SSH for webhook (git fetch in container)

When the app runs in Docker and the webhook does `git fetch origin`, git uses SSH. The container has no keys by default, so you get "Host key verification failed" or "Permission denied".

## Setup

1. **Deploy key** (read-only key for the repo you index):
   - Generate: `ssh-keygen -t ed25519 -f docker/ssh/id_ed25519 -N "" -C "rag-agent-deploy"`
   - Add the **public** key (`docker/ssh/id_ed25519.pub`) to your Git server (GitHub/GitLab/… → repo → Deploy keys).

2. **Known hosts** (optional; `GIT_SSH_COMMAND` in compose accepts new host keys on first connect):
   - To pin the host key: `ssh-keyscan -t ed25519 git.example.com >> docker/ssh/known_hosts`
   - Replace `git.example.com` with your Git host (e.g. `github.com`, `git.lesha.spb.ru`).

3. **Permissions**: key file must be readable only by you, e.g. `chmod 600 docker/ssh/id_ed25519`.

4. **Compose**: by default this directory is mounted into the app container as `/root/.ssh`. Override with `RAG_SSH_DIR` in `.env` if you use another path (e.g. `RAG_SSH_DIR=/Users/you/.ssh` to use your main SSH dir).

After that, restart the app: `docker compose up -d`.
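
A preflight check for the setup steps above, added here as an example (it is not part of the project): it verifies that the deploy key from step 1 exists with the mode from step 3 and that `known_hosts` pins the Git host from step 2. The function names are hypothetical; the script treats an unpinned host as a problem, which is stricter than the optional step 2, and it cannot match hashed `known_hosts` entries.

```shell
#!/bin/sh
# Added example: preflight check for the directory mounted as /root/.ssh.
# Usage: sh check_ssh_dir.sh docker/ssh git.example.com

# Succeeds if HOST ($2) appears as a plain (unhashed) name in known_hosts FILE ($1).
host_is_pinned() {
    awk -v h="$2" '
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        { f = ($1 ~ /^@/) ? $2 : $1         # step over @cert-authority/@revoked markers
          n = split(f, names, ",")          # one entry may list several names
          for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Prints one line per finding; returns the number of problems (0 = ready).
check_ssh_dir() {
    csd_dir=$1; csd_host=$2; csd_bad=0
    csd_key="$csd_dir/id_ed25519"
    if [ ! -f "$csd_key" ]; then
        echo "FAIL: $csd_key not found"
        csd_bad=$((csd_bad + 1))
    else
        # Characters 5-10 of the ls mode string are the group/other bits.
        csd_bits=$(ls -ld "$csd_key" | cut -c5-10)
        if [ "$csd_bits" != "------" ]; then
            echo "FAIL: $csd_key is accessible to group/other; run chmod 600"
            csd_bad=$((csd_bad + 1))
        fi
    fi
    if [ ! -f "$csd_dir/known_hosts" ] ||
       ! host_is_pinned "$csd_dir/known_hosts" "$csd_host"; then
        echo "FAIL: no known_hosts entry for $csd_host; host key is not pinned"
        csd_bad=$((csd_bad + 1))
    fi
    [ "$csd_bad" -eq 0 ] && echo "OK: $csd_dir is ready for $csd_host"
    return "$csd_bad"
}

# Run the check when called with a directory and a host.
if [ $# -eq 2 ]; then
    check_ssh_dir "$1" "$2"
fi
```

The check confirms that an entry exists, not that it is the right key: `ssh-keyscan` records whatever key the network presents, so compare the output of `ssh-keygen -lf docker/ssh/known_hosts` with the fingerprint your Git host publishes.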