# SSH Access

Chaser provides a native SSH gateway for direct shell access to sandbox workspaces.

## How it works

1. Register your SSH public key with Chaser
2. Connect using your workspace name as the SSH username
3. Chaser resolves the workspace, ensures a sandbox session exists, and connects your PTY

## Register SSH keys

### CLI

```bash
# Keys are registered under the active account
chaser keys ssh add ~/.ssh/id_ed25519.pub
```

### REST API

```bash
curl -sS "$CHASER_API_URL/v1/ssh-keys" \
  -H "Authorization: Bearer $CHASER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"public_key": "ssh-ed25519 AAAA... user@host"}' | jq
```

Keys must be in OpenSSH format (`<type> <base64> [comment]`).

### Account scoping

SSH keys are bound to the active account. Register a key on your personal account for personal workspaces, or on an organization account for team workspaces:

```bash
# Personal workspace access
chaser --account personal keys ssh add ~/.ssh/id_ed25519.pub

# Organization workspace access
chaser --account "Acme Engineering" keys ssh add ~/.ssh/id_ed25519.pub
```

The same public key can be registered on multiple accounts.

## Connect

```bash
ssh <workspace-name>@ssh.chaser.sh
```

The SSH gateway:
- Resolves the workspace name within the key's account boundary
- Ensures a sandbox session is running for that workspace
- Connects you to an interactive PTY shell

## Manage keys

```bash
# List SSH keys
curl -sS "$CHASER_API_URL/v1/ssh-keys" \
  -H "Authorization: Bearer $CHASER_API_KEY" | jq

# Delete a key
curl -sS -X DELETE "$CHASER_API_URL/v1/ssh-keys/<key_id>" \
  -H "Authorization: Bearer $CHASER_API_KEY"
```

## Constraints

- SSH access is only available for sandbox workspaces
- Workspace name ambiguity is rejected -- use unique names
- Authorization is based on key ownership and workspace account membership