@alanbem/dclaude 0.0.12 → 0.0.14

package/README.md

@@ -132,12 +132,15 @@ dclaude gh                        # Interactive GitHub login
 dclaude exec gh pr list           # Use gh commands
 ```
 
-### SSH Server for IDEs
+### SSH Key and Server Management
 
-Connect JetBrains Gateway, VS Code Remote, or any SSH client:
+Load SSH keys and start SSH server for JetBrains Gateway, VS Code Remote, or any SSH client:
 
 ```bash
-dclaude ssh                       # Start SSH server, shows port
+dclaude ssh                       # Load keys + start SSH server
+dclaude ssh keys                  # Load SSH keys into agent
+dclaude ssh server                # Start SSH server, shows port
+dclaude ssh server --stop         # Stop SSH server
 # Connect: ssh claude@localhost -p <port>
 # Password: claude
 ```
@@ -151,6 +154,32 @@ dclaude chrome                    # Launch Chrome with DevTools
 dclaude                           # Claude can now interact with the browser
 ```
 
+### AWS CLI Integration
+
+AWS CLI v2 is pre-installed in the container. Configure how AWS credentials are provided:
+
+```bash
+# Auto (default): mounts ~/.aws from host if it exists, otherwise no config
+dclaude
+
+# Mount host's ~/.aws directory (read-write, shared with host)
+DCLAUDE_AWS_CLI=mount dclaude
+
+# Use isolated Docker volume (persists across container recreations)
+DCLAUDE_AWS_CLI=volume dclaude
+
+# No AWS config mounting
+DCLAUDE_AWS_CLI=none dclaude
+```
+
+**Volume mode** provides isolated AWS config per namespace:
+
+```bash
+dclaude aws configure                  # Copy ~/.aws/config (profiles, regions) into container
+dclaude aws login                      # Run 'aws login' in container
+dclaude aws login --profile staging    # Login with specific profile
+```
+
 ### iTerm2 Shell Integration
 
 If you use iTerm2 on macOS, dclaude automatically enables [iTerm2 Shell Integration](https://iterm2.com/documentation-shell-integration.html):
@@ -173,6 +202,7 @@ dclaude automatically tells Claude about its container environment so it can giv
 - **Network mode** - Whether `localhost` works or needs `host.docker.internal`
 - **Docker access** - Whether Docker commands are available
 - **SSH auth method** - How git authentication is configured
+- **AWS CLI** - Whether and how AWS credentials are configured
 - **Path mirroring** - That file paths match the host
 
 This helps Claude understand its environment without you explaining it. Disable if needed:
@@ -195,6 +225,7 @@ DCLAUDE_SYSTEM_CONTEXT=false dclaude
 | `DCLAUDE_QUIET` | `false` | Suppress info messages |
 | `DCLAUDE_NO_UPDATE` | `false` | Skip image update check |
 | `DCLAUDE_SYSTEM_CONTEXT` | `true` | Inform Claude about container environment |
+| `DCLAUDE_AWS_CLI` | `auto` | AWS config: `auto`, `mount`, `volume`, `none` |
 | `DCLAUDE_ITERM2` | `true` | Enable iTerm2 shell integration (only affects iTerm2) |
 
 ## Configuration File
@@ -220,6 +251,7 @@ dclaude walks up the directory tree to find `.dclaude` files. Any dclaude sessio
 | `MOUNT_ROOT` | Mount directory (relative to config file, or absolute path) |
 | `DEBUG` | Enable debug output (`true`, `false`) |
 | `CHROME_PORT` | Chrome DevTools port |
+| `AWS_CLI` | AWS config mode (`mount`, `volume`, `none`) |
 
 **Precedence:** Environment variables override `.dclaude` file settings.
 
@@ -327,6 +359,7 @@ The container includes:
 - **Docker CLI** and **Docker Compose**
 - **Git**, **GitHub CLI** (`gh`), common dev tools
 - **tmux** for session management
+- **AWS CLI v2** for cloud operations
 - **SSH server** for IDE integration
 
 ## Troubleshooting

package/dclaude

@@ -135,6 +135,9 @@ load_config_file() {
                         fi
                     fi
                     ;;
+                AWS_CLI)
+                    [[ -z "${DCLAUDE_AWS_CLI:-}" ]] && DCLAUDE_AWS_CLI="$value"
+                    ;;
             esac
         fi
     done < "$config_file"
@@ -151,6 +154,7 @@ readonly DEBUG="${DCLAUDE_DEBUG:-false}"
 readonly GIT_AUTH_MODE="${DCLAUDE_GIT_AUTH:-auto}"  # auto, agent-forwarding, key-mount, none
 readonly NAMESPACE="${DCLAUDE_NAMESPACE:-}"
 CHROME_PORT="${DCLAUDE_CHROME_PORT:-9222}"
+readonly AWS_CLI_MODE="${DCLAUDE_AWS_CLI:-auto}"  # auto, mount, volume, none
 
 # Show config file if loaded (always at info level, details at debug)
 if [[ -n "$DCLAUDE_CONFIG_FILE" ]]; then
@@ -161,6 +165,7 @@ if [[ -n "$DCLAUDE_CONFIG_FILE" ]]; then
         [[ -n "${DCLAUDE_GIT_AUTH:-}" ]] && debug "  GIT_AUTH=$DCLAUDE_GIT_AUTH"
         [[ -n "${DCLAUDE_CHROME_PORT:-}" ]] && debug "  CHROME_PORT=$DCLAUDE_CHROME_PORT"
         [[ -n "${DCLAUDE_MOUNT_ROOT:-}" ]] && debug "  MOUNT_ROOT=$DCLAUDE_MOUNT_ROOT"
+        [[ -n "${DCLAUDE_AWS_CLI:-}" ]] && debug "  AWS_CLI=$DCLAUDE_AWS_CLI"
     fi
 fi
 
@@ -510,6 +515,36 @@ get_volume_name() {
     fi
 }
 
+# Get AWS volume name (includes namespace if set)
+get_aws_volume_name() {
+    if [[ -n "$NAMESPACE" ]]; then
+        echo "${VOLUME_PREFIX}-${NAMESPACE}-aws"
+    else
+        echo "${VOLUME_PREFIX}-aws"
+    fi
+}
+
+# Resolve AWS CLI mode from configured value
+# auto → mount (if ~/.aws exists) or none
+resolve_aws_cli_mode() {
+    case "$AWS_CLI_MODE" in
+        mount|volume|none)
+            echo "$AWS_CLI_MODE"
+            ;;
+        auto)
+            if [[ -d "${HOME}/.aws" ]]; then
+                echo "mount"
+            else
+                echo "none"
+            fi
+            ;;
+        *)
+            warning "Unknown AWS_CLI mode: $AWS_CLI_MODE (using none)"
+            echo "none"
+            ;;
+    esac
+}
+
 # Create Docker volumes if they don't exist
 create_volumes() {
     # Create essential volume for Claude CLI persistence
@@ -526,6 +561,24 @@ create_volumes() {
     else
         debug "Volume exists: $volume"
     fi
+
+    # Create AWS volume if volume mode is active
+    local aws_mode
+    aws_mode=$(resolve_aws_cli_mode)
+    if [[ "$aws_mode" == "volume" ]]; then
+        local aws_volume
+        aws_volume=$(get_aws_volume_name)
+        if ! docker volume inspect "$aws_volume" &> /dev/null; then
+            info "Creating AWS volume: $aws_volume"
+            if ! docker volume create "$aws_volume" > /dev/null; then
+                error "Failed to create volume: $aws_volume"
+                exit 1
+            fi
+            debug "Volume created successfully: $aws_volume"
+        else
+            debug "Volume exists: $aws_volume"
+        fi
+    fi
 }
 
 # Pull or update the Docker image
@@ -660,6 +713,7 @@ generate_system_context() {
     local has_docker="${3:-false}"
     local platform="${4:-unknown}"
     local docker_socket="${5:-}"
+    local aws_cli_mode="${6:-none}"
 
     cat <<'EOF'
 
@@ -806,8 +860,36 @@ EOF
 ## Development Tools Available
 - **Languages**: Node.js 20+, Python 3
 - **Package Managers**: npm, pip, Homebrew/Linuxbrew
-- **Tools**: git, gh (GitHub CLI), docker, docker-compose, curl, tmux, nano
+- **Tools**: git, gh (GitHub CLI), docker, docker-compose, aws (AWS CLI v2), curl, tmux, nano
 - **Shell**: bash (your commands execute in bash shell)
+EOF
+
+    # AWS CLI context
+    case "$aws_cli_mode" in
+        mount)
+            cat <<'EOF'
+- **AWS CLI**: Configured — credentials mounted from host's `~/.aws` directory
+  - All host AWS profiles, SSO config, and credentials are available
+  - Changes to AWS config (e.g., `aws sso login`) are shared with host
+EOF
+            ;;
+        volume)
+            cat <<'EOF'
+- **AWS CLI**: Configured — credentials stored in persistent Docker volume
+  - AWS config is isolated from host and persists across container recreations
+  - Run `aws configure` or `aws configure sso` to set up credentials
+EOF
+            ;;
+        *)
+            cat <<'EOF'
+- **AWS CLI**: Installed but no credentials configured
+  - User can set `DCLAUDE_AWS_CLI=mount` when launching dclaude to use host's `~/.aws` config
+  - User can set `DCLAUDE_AWS_CLI=volume` when launching dclaude for isolated persistent config
+EOF
+            ;;
+    esac
+
+    cat <<'EOF'
 
 ## Git Configuration Requirements
 **IMPORTANT**: Before performing any git operations (commit, push, etc.), you MUST:
@@ -987,6 +1069,423 @@ handle_git_auth() {
     fi
 }
 
+# ============================================================================
+# Agent Teams Tmux Passthrough — Relay Functions
+# ============================================================================
+# When the user runs dclaude from inside a host tmux session, these functions
+# set up a TCP relay that forwards Claude Code's tmux commands to the host.
+# This makes Agent Teams sub-agent panes visible in the host's tmux session.
+
+# Check if user is in a host tmux session
+detect_host_tmux() {
+    [[ -n "${TMUX:-}" ]]
+}
+
+# Check if host has required tools for relay (jq + socat or ncat)
+check_relay_deps() {
+    if ! command -v jq &>/dev/null; then
+        debug "Relay dep missing: jq"
+        return 1
+    fi
+    if command -v socat &>/dev/null; then
+        debug "Relay listener: socat"
+        return 0
+    fi
+    if command -v ncat &>/dev/null; then
+        debug "Relay listener: ncat"
+        return 0
+    fi
+    debug "Relay dep missing: socat or ncat"
+    return 1
+}
+
+# Get the address the container uses to reach the host relay
+get_relay_host() {
+    local platform="$1"
+    local network_mode="$2"
+    # Linux host mode: container shares host network, use loopback
+    if [[ "$platform" == "linux" && "$network_mode" == "host" ]]; then
+        echo "127.0.0.1"
+    else
+        # macOS (any mode) or Linux bridge: use Docker's host gateway
+        echo "host.docker.internal"
+    fi
+}
+
+# Get the address the relay binds to on the host
+get_relay_bind_addr() {
+    local platform="$1"
+    local network_mode="$2"
+    # Linux bridge: container reaches host via bridge gateway, not loopback
+    if [[ "$platform" == "linux" && "$network_mode" == "bridge" ]]; then
+        echo "0.0.0.0"
+    else
+        echo "127.0.0.1"
+    fi
+}
+
+# Get or create relay nonce for a container (reused across reattachments)
+get_or_create_relay_nonce() {
+    local container_name="$1"
+    local nonce_file="$HOME/.dclaude/tmux-relay-nonce-${container_name}"
+
+    mkdir -p "$HOME/.dclaude"
+
+    if [[ -f "$nonce_file" ]]; then
+        cat "$nonce_file"
+        return 0
+    fi
+
+    local nonce
+    nonce=$(head -c 32 /dev/urandom | base64 | tr -d '=/+' | head -c 32)
+    echo "$nonce" > "$nonce_file"
+    echo "$nonce"
+}
+
+# Generate the relay handler script (executed by socat/ncat for each connection)
+# Uses a non-quoted heredoc for baked-in values, then a single-quoted heredoc for logic
+generate_relay_handler() {
+    local container_name="$1"
+    local relay_port="$2"
+    local nonce="$3"
+    local handler_path="$4"
+    local tracking_file="$5"
+    local relay_host="$6"
+
+    # Header with baked-in values (variable expansion)
+    cat > "$handler_path" <<HANDLER_HEADER
+#!/bin/bash
+CONTAINER="$container_name"
+NONCE="$nonce"
+RELAY_PORT="$relay_port"
+RELAY_HOST="$relay_host"
+TRACKING_FILE="$tracking_file"
+HANDLER_HEADER
+
+    # Logic body (single-quoted heredoc — no escaping needed)
+    cat >> "$handler_path" <<'HANDLER_BODY'
+
+# Read one JSON line (max 65536 bytes to prevent memory exhaustion)
+read -r -n 65536 request
+if [[ -z "$request" ]]; then
+    printf '{"code":1,"stdout":"","stderr":"empty request"}\n'
+    exit 1
+fi
+
+# Validate nonce
+req_nonce=$(printf '%s' "$request" | jq -r '.nonce // empty')
+if [[ "$req_nonce" != "$NONCE" ]]; then
+    printf '{"code":1,"stdout":"","stderr":"authentication failed"}\n'
+    exit 1
+fi
+
+# Extract command array (bash 3.2 compatible — no mapfile)
+cmd=()
+while IFS= read -r line; do
+    cmd+=("$line")
+done < <(printf '%s' "$request" | jq -r '.cmd[]')
+subcmd="${cmd[0]}"
+cwd=$(printf '%s' "$request" | jq -r '.cwd // empty')
+req_pane=$(printf '%s' "$request" | jq -r '.pane // empty')
+
+# Allowlist tmux subcommands
+case "$subcmd" in
+    split-window|send-keys|list-panes|select-layout|resize-pane|\
+    select-pane|kill-pane|has-session|list-windows|display-message|list-sessions)
+        ;;
+    *)
+        printf '{"code":1,"stdout":"","stderr":"disallowed: %s"}\n' "$subcmd"
+        exit 1
+        ;;
+esac
+
+# Build tmux args based on subcommand
+args=()
+
+if [[ "$subcmd" == "split-window" ]]; then
+    args+=("split-window")
+
+    # Parse split-window flags, strip -c (handled by docker exec -w)
+    # and strip trailing shell command (replaced by docker exec)
+    i=1
+    while (( i < ${#cmd[@]} )); do
+        case "${cmd[$i]}" in
+            -b|-d|-f|-h|-I|-v|-P|-Z)
+                args+=("${cmd[$i]}")
+                ;;
+            -c)
+                # Capture directory, use for docker exec -w
+                (( i++ ))
+                cwd="${cmd[$i]}"
+                ;;
+            -e|-l|-t|-F)
+                # Flags with a value argument
+                args+=("${cmd[$i]}")
+                (( i++ ))
+                args+=("${cmd[$i]}")
+                ;;
+            -*)
+                # Unknown flag, pass through
+                args+=("${cmd[$i]}")
+                ;;
+            *)
+                # Shell command — skip (replaced by docker exec)
+                break
+                ;;
+        esac
+        (( i++ ))
+    done
+
+    # Validate cwd: absolute path, safe characters only
+    if [[ -n "$cwd" && ! "$cwd" =~ ^[a-zA-Z0-9/._-]+$ ]]; then
+        printf '{"code":1,"stdout":"","stderr":"invalid cwd"}\n'
+        exit 1
+    fi
+
+    # Append docker exec as the pane command (no sh -c, args as array)
+    args+=(
+        "--"
+        "docker" "exec" "-it"
+        "-e" "DCLAUDE_TMUX_RELAY_PORT=$RELAY_PORT"
+        "-e" "DCLAUDE_TMUX_RELAY_HOST=$RELAY_HOST"
+        "-e" "DCLAUDE_TMUX_RELAY_NONCE=$NONCE"
+        "-e" "DCLAUDE_CONTAINER=$CONTAINER"
+        "-u" "claude"
+        "-w" "${cwd:-/home/claude}"
+        "$CONTAINER"
+        "bash"
+    )
+
+elif [[ "$subcmd" == "send-keys" ]]; then
+    args+=("send-keys")
+
+    # Validate target pane is one we created
+    for (( i=1; i < ${#cmd[@]}; i++ )); do
+        if [[ "${cmd[$i]}" == "-t" && $(( i + 1 )) -lt ${#cmd[@]} ]]; then
+            target="${cmd[$(( i + 1 ))]}"
+            if [[ -f "$TRACKING_FILE" ]] && ! grep -qxF "$target" "$TRACKING_FILE"; then
+                printf '{"code":1,"stdout":"","stderr":"pane not tracked: %s"}\n' "$target"
+                exit 1
+            fi
+            break
+        fi
+    done
+
+    # Pass through all args
+    for (( i=1; i < ${#cmd[@]}; i++ )); do
+        args+=("${cmd[$i]}")
+    done
+
+elif [[ "$subcmd" == "kill-pane" ]]; then
+    args+=("kill-pane")
+    for (( i=1; i < ${#cmd[@]}; i++ )); do
+        args+=("${cmd[$i]}")
+    done
+else
+    # All other allowed commands: pass through args
+    # Inject -t $req_pane for commands that need pane context
+    # (relay runs outside tmux pane context, so tmux needs explicit targeting)
+    args+=("$subcmd")
+    has_target=false
+    for (( i=1; i < ${#cmd[@]}; i++ )); do
+        [[ "${cmd[$i]}" == "-t" ]] && has_target=true
+        [[ "${cmd[$i]}" =~ ^-t.+ ]] && has_target=true
+    done
+    # Only inject -t for commands that accept it (not list-sessions, has-session)
+    case "$subcmd" in
+        display-message|list-panes|list-windows|select-layout|resize-pane|select-pane)
+            if [[ "$has_target" == "false" && -n "$req_pane" ]]; then
+                args+=("-t" "$req_pane")
+            fi
+            ;;
+    esac
+    for (( i=1; i < ${#cmd[@]}; i++ )); do
+        args+=("${cmd[$i]}")
+    done
+fi
+
+# Execute tmux command, capture output
+stdout_file=$(mktemp)
+stderr_file=$(mktemp)
+tmux "${args[@]}" >"$stdout_file" 2>"$stderr_file"
+code=$?
+stdout=$(cat "$stdout_file")
+stderr=$(cat "$stderr_file")
+rm -f "$stdout_file" "$stderr_file"
+
+# Post-processing for split-window: track new pane ID
+if [[ "$subcmd" == "split-window" && $code -eq 0 ]]; then
+    pane_id=$(echo "$stdout" | head -1 | tr -d '[:space:]')
+    if [[ "$pane_id" =~ ^%[0-9]+$ ]]; then
+        echo "$pane_id" >> "$TRACKING_FILE"
+    fi
+fi
+
+# Post-processing for kill-pane: clean up orphaned processes after delay
+if [[ "$subcmd" == "kill-pane" && $code -eq 0 ]]; then
+    (
+        sleep 2
+        docker exec "$CONTAINER" bash -c '
+            ps -eo pid,ppid,tty,comm --no-headers 2>/dev/null | while read pid ppid tty comm; do
+                [[ "$ppid" == "0" && "$comm" == "bash" ]] || continue
+                [[ "$tty" =~ ^pts/([0-9]+)$ ]] || continue
+                (( ${BASH_REMATCH[1]} >= 2 )) || continue
+                children=$(ps --ppid "$pid" --no-headers 2>/dev/null | wc -l)
+                if [[ "$children" -eq 0 ]]; then
+                    kill -9 "$pid" 2>/dev/null
+                fi
+            done
+        '
+    ) &>/dev/null &
+fi
+
+# Return JSON response
+jq -nc --arg code "$code" --arg stdout "$stdout" --arg stderr "$stderr" \
+    '{code: ($code | tonumber), stdout: $stdout, stderr: $stderr}'
+HANDLER_BODY
+}
+
+# Start the relay listener on the host
+start_relay() {
+    local container_name="$1"
+    local relay_port="$2"
+    local nonce="$3"
+    local bind_addr="$4"
+    local relay_host="$5"
+
+    local handler_path="$HOME/.dclaude/tmux-relay-handler-${container_name}.sh"
+    local pid_file="$HOME/.dclaude/tmux-relay-pid-${container_name}"
+    local tracking_file="$HOME/.dclaude/tmux-relay-panes-${container_name}"
+
+    mkdir -p "$HOME/.dclaude"
+
+    # Generate handler script
+    generate_relay_handler "$container_name" "$relay_port" "$nonce" \
+        "$handler_path" "$tracking_file" "$relay_host"
+    chmod +x "$handler_path"
+
+    # Clear pane tracking
+    > "$tracking_file"
+
+    # Start listener
+    if command -v socat &>/dev/null; then
+        debug "Starting socat relay on $bind_addr:$relay_port"
+        socat "TCP-LISTEN:$relay_port,bind=$bind_addr,reuseaddr,fork,max-children=10" \
+            "EXEC:bash $handler_path" 2>/dev/null &
+    elif command -v ncat &>/dev/null; then
+        debug "Starting ncat relay on $bind_addr:$relay_port"
+        ncat -l -k "$bind_addr" "$relay_port" --sh-exec "$handler_path" &
+    else
+        error "No relay listener available (need socat or ncat)"
+        return 1
+    fi
+
+    echo $! > "$pid_file"
+    debug "Relay PID: $(cat "$pid_file")"
+}
+
+# Stop the relay and clean up
+stop_relay() {
+    local container_name="$1"
+
+    local pid_file="$HOME/.dclaude/tmux-relay-pid-${container_name}"
+    local handler_path="$HOME/.dclaude/tmux-relay-handler-${container_name}.sh"
+    local tracking_file="$HOME/.dclaude/tmux-relay-panes-${container_name}"
+
+    if [[ -f "$pid_file" ]]; then
+        local pid
+        pid=$(cat "$pid_file")
+        if [[ -n "$pid" ]]; then
+            # Kill forked handler processes first
+            pkill -P "$pid" 2>/dev/null || true
+            # Verify process identity before killing (guard against PID recycling)
+            local comm
+            comm=$(ps -p "$pid" -o comm= 2>/dev/null || true)
+            if [[ "$comm" =~ (socat|ncat) ]]; then
+                kill "$pid" 2>/dev/null || true
+            fi
+        fi
+    fi
+
+    # Clean up orphaned bash processes in container
+    cleanup_container_orphans "$container_name"
+
+    # Remove relay files (but keep nonce for reattachment)
+    rm -f "$pid_file" "$handler_path" "$tracking_file"
+}
+
+# Kill orphaned bash sessions in container (from dead docker exec panes)
+cleanup_container_orphans() {
+    local container_name="$1"
+
+    # Check container is running before trying
+    if ! docker ps -q -f name="^${container_name}$" 2>/dev/null | grep -q .; then
+        return 0
+    fi
+
+    docker exec "$container_name" bash -c '
+        ps -eo pid,ppid,tty,comm --no-headers 2>/dev/null | while read pid ppid tty comm; do
+            [[ "$ppid" == "0" && "$comm" == "bash" ]] || continue
+            [[ "$tty" =~ ^pts/([0-9]+)$ ]] || continue
+            (( ${BASH_REMATCH[1]} >= 2 )) || continue
+            children=$(ps --ppid "$pid" --no-headers 2>/dev/null | wc -l)
+            if [[ "$children" -eq 0 ]]; then
+                kill -9 "$pid" 2>/dev/null
+            fi
+        done
+    ' 2>/dev/null || true
+}
+
+# Set up Agent Teams relay if conditions are met
+# Sets globals: RELAY_STARTED, TMUX_SESSION_ENV_ARGS
+setup_agent_teams_relay() {
+    local container_name="$1"
+    local relay_port="$2"
+    local platform="$3"
+    local network_mode="$4"
+
+    RELAY_STARTED=false
+    TMUX_SESSION_ENV_ARGS=()
+
+    if [[ -z "$relay_port" ]]; then
+        debug "No relay port configured for this container"
+        TMUX_SESSION_ENV_ARGS=(-e "DCLAUDE_HIDE_TMUX=1")
+        return
+    fi
+
+    if ! detect_host_tmux; then
+        debug "Not in host tmux - Agent Teams will use in-process mode"
+        TMUX_SESSION_ENV_ARGS=(-e "DCLAUDE_HIDE_TMUX=1")
+        return
+    fi
+
+    if ! check_relay_deps; then
+        info "Tip: Install jq + socat (or ncat) for Agent Teams pane mode in tmux"
+        TMUX_SESSION_ENV_ARGS=(-e "DCLAUDE_HIDE_TMUX=1")
+        return
+    fi
+
+    local bind_addr relay_host relay_nonce host_pane
+    bind_addr=$(get_relay_bind_addr "$platform" "$network_mode")
+    relay_host=$(get_relay_host "$platform" "$network_mode")
+    relay_nonce=$(get_or_create_relay_nonce "$container_name")
+    host_pane=$(tmux display-message -p '#{pane_id}')
+
+    start_relay "$container_name" "$relay_port" "$relay_nonce" "$bind_addr" "$relay_host"
+    RELAY_STARTED=true
+
+    TMUX_SESSION_ENV_ARGS=(
+        -e "DCLAUDE_TMUX_RELAY_PORT=$relay_port"
+        -e "DCLAUDE_TMUX_RELAY_HOST=$relay_host"
+        -e "DCLAUDE_TMUX_RELAY_NONCE=$relay_nonce"
+        -e "DCLAUDE_HOST_PANE=$host_pane"
+        -e "DCLAUDE_CONTAINER=$container_name"
+    )
+
+    debug "Agent Teams relay: $bind_addr:$relay_port -> $container_name (pane $host_pane)"
+}
+# ============================================================================
+
 # Detect TTY availability and return appropriate Docker flags
 # Detect TTY status early (before any subshells)
 # Must be done at script top-level since $() subshells don't inherit TTY
@@ -1031,6 +1530,17 @@ should_skip_tmux() {
     return 1
 }
 
+# Debug countdown before launching Claude (gives time to read debug output)
+# Press Enter to skip the countdown and launch immediately
+debug_countdown() {
+    if [[ "$DEBUG" == "true" ]]; then
+        for i in 5 4 3 2 1; do
+            printf '\r%b' "${CYAN}Debug: Launching in ${i}... (press Enter to skip)${NC}" >&2
+            read -t 1 -s 2>/dev/null && break
+        done
+        printf '\r%b\n' "${CYAN}Debug: Launching...                               ${NC}" >&2
+    fi
+}
 
 # Main execution
 main() {
@@ -1145,14 +1655,27 @@ main() {
         debug "Git auth: $resolved_git_auth (user-specified)"
     fi
 
+    # Warn if agent-forwarding is active but no keys are loaded
+    if [[ "$resolved_git_auth" == "agent-forwarding" ]]; then
+        local ssh_add_rc=0
+        ssh-add -l >/dev/null 2>&1 || ssh_add_rc=$?
+        if [[ $ssh_add_rc -eq 1 ]]; then
+            warning "SSH agent has no keys loaded — SSH won't work inside container."
+            warning "Run 'dclaude ssh keys' to load your keys."
+        fi
+    fi
+
     # Generate system context for Claude (if enabled) - must be done early for all code paths
     local claude_args=()
     if [[ "$ENABLE_SYSTEM_CONTEXT" == "true" ]]; then
         local has_docker="false"
         [[ -n "$DOCKER_SOCKET" ]] && [[ -S "$DOCKER_SOCKET" ]] && has_docker="true"
 
+        local resolved_aws_cli_mode
+        resolved_aws_cli_mode=$(resolve_aws_cli_mode)
+
         local system_context
-        system_context=$(generate_system_context "$network_mode" "$resolved_git_auth" "$has_docker" "$platform" "$DOCKER_SOCKET")
+        system_context=$(generate_system_context "$network_mode" "$resolved_git_auth" "$has_docker" "$platform" "$DOCKER_SOCKET" "$resolved_aws_cli_mode")
 
         claude_args+=("--append-system-prompt" "$system_context")
         debug "System context enabled (${#system_context} chars, has_docker=$has_docker, git_auth=$resolved_git_auth, platform=$platform)"
@@ -1244,10 +1767,23 @@ main() {
                 [[ -n "${COLORTERM:-}" ]] && exec_env_args+=(-e "COLORTERM=${COLORTERM}")
                 [[ -n "${DCLAUDE_ITERM2:-}" ]] && exec_env_args+=(-e "DCLAUDE_ITERM2=${DCLAUDE_ITERM2}")
 
+                # Set up Agent Teams relay (or hide $TMUX for in-process mode)
+                local relay_port
+                relay_port=$(docker inspect --format='{{index .Config.Labels "dclaude.relay.port"}}' "$container_name" 2>/dev/null || true)
+                setup_agent_teams_relay "$container_name" "$relay_port" "$platform" "$network_mode"
+                if [[ "$RELAY_STARTED" == "true" ]]; then
+                    trap "stop_relay '$container_name'" EXIT
+                fi
+
                 debug "Creating new tmux session running Claude"
                 debug "Claude args count: ${#claude_args[@]}, user args: $*"
                 info "Starting new Claude session..."
-                docker exec -it -u claude "${exec_env_args[@]}" "$container_name" tmux -f /home/claude/.tmux.conf new-session -s "$tmux_session" claude "${claude_args[@]}" "$@"
+                debug_countdown
+                docker exec -it -u claude "${exec_env_args[@]}" "$container_name" \
+                    /usr/bin/tmux -L dclaude-inner -f /home/claude/.tmux.conf \
+                    new-session -s "$tmux_session" \
+                    "${TMUX_SESSION_ENV_ARGS[@]}" \
+                    claude-launcher.sh "${claude_args[@]}" "$@"
                 exit $?
             else
                 # Non-interactive or print mode - run claude directly without tmux
@@ -1298,6 +1834,17 @@ main() {
     debug "SSH port reserved: $ssh_port"
     DOCKER_ARGS+=(--label "dclaude.ssh.port=${ssh_port}")
 
+    # Reserve relay port for Agent Teams tmux passthrough
+    local relay_port
+    relay_port=$(find_available_port 30000 60000)
+    debug "Relay port reserved: $relay_port"
+    DOCKER_ARGS+=(--label "dclaude.relay.port=${relay_port}")
+
+    # Add host.docker.internal for Linux bridge mode (needed for relay connectivity)
+    if [[ "$platform" == "linux" && "$network_mode" == "bridge" ]]; then
+        DOCKER_ARGS+=(--add-host "host.docker.internal:host-gateway")
+    fi
+
     # Port mapping only needed for bridge mode (host mode shares network stack)
     if [[ "$network_mode" != "host" ]]; then
         DOCKER_ARGS+=(-p "${ssh_port}:${ssh_port}")
@@ -1341,6 +1888,32 @@ main() {
         [[ -n "$ssh_arg" ]] && DOCKER_ARGS+=("$ssh_arg")
     done < <(handle_git_auth)
 
+    # Handle AWS CLI configuration mounting
+    local resolved_aws_mode
+    resolved_aws_mode=$(resolve_aws_cli_mode)
+    # Pass mode to entrypoint so it knows whether to chown .aws (volume only)
+    DOCKER_ARGS+=(-e "DCLAUDE_AWS_CLI_MODE=${resolved_aws_mode}")
+    case "$resolved_aws_mode" in
+        mount)
+            if [[ -d "${HOME}/.aws" ]]; then
+                DOCKER_ARGS+=(-v "${HOME}/.aws:/home/claude/.aws")
+                info "AWS CLI: mounting host ~/.aws"
+                debug "AWS config mounted from host: ${HOME}/.aws"
+            else
+                warning "AWS_CLI=mount but ~/.aws not found, skipping"
+            fi
+            ;;
+        volume)
+            local aws_volume
+            aws_volume=$(get_aws_volume_name)
+            DOCKER_ARGS+=(-v "${aws_volume}:/home/claude/.aws")
+            debug "AWS config using volume: $aws_volume"
+            ;;
+        none)
+            debug "AWS CLI config mounting disabled"
+            ;;
+    esac
+
     # Add any additional environment variables
     if [[ -n "${CLAUDE_MODEL:-}" ]]; then
         DOCKER_ARGS+=(-e "CLAUDE_MODEL=${CLAUDE_MODEL}")
@@ -1397,10 +1970,21 @@ main() {
             [[ -n "${COLORTERM:-}" ]] && exec_env_args+=(-e "COLORTERM=${COLORTERM}")
             [[ -n "${DCLAUDE_ITERM2:-}" ]] && exec_env_args+=(-e "DCLAUDE_ITERM2=${DCLAUDE_ITERM2}")
 
+            # Set up Agent Teams relay (or hide $TMUX for in-process mode)
+            setup_agent_teams_relay "$container_name" "$relay_port" "$platform" "$network_mode"
+            if [[ "$RELAY_STARTED" == "true" ]]; then
+                trap "stop_relay '$container_name'" EXIT
+            fi
+
             debug "Creating new tmux session running Claude"
             debug "Claude args count: ${#claude_args[@]}, user args: $*"
             info "Starting new Claude session..."
-            docker exec -it -u claude "${exec_env_args[@]}" "$container_name" tmux -f /home/claude/.tmux.conf new-session -s "$tmux_session" claude "${claude_args[@]}" "$@"
+            debug_countdown
+            docker exec -it -u claude "${exec_env_args[@]}" "$container_name" \
+                /usr/bin/tmux -L dclaude-inner -f /home/claude/.tmux.conf \
+                new-session -s "$tmux_session" \
+                "${TMUX_SESSION_ENV_ARGS[@]}" \
+                claude-launcher.sh "${claude_args[@]}" "$@"
             exit $?
         else
             # Non-interactive or print mode - run claude directly without tmux
@@ -1530,11 +2114,11 @@ cmd_attach() {
         fi
     fi
 
-    # Check if session exists
-    if ! docker exec -u claude "$container_name" tmux has-session -t "$session_name" 2>/dev/null; then
+    # Check if session exists (use -L dclaude-inner for namespaced socket)
+    if ! docker exec -u claude "$container_name" /usr/bin/tmux -L dclaude-inner has-session -t "$session_name" 2>/dev/null; then
         error "Session '$session_name' not found in container"
         info "Available sessions:"
-        docker exec -u claude "$container_name" tmux list-sessions 2>/dev/null || echo "  (no sessions running)"
+        docker exec -u claude "$container_name" /usr/bin/tmux -L dclaude-inner list-sessions 2>/dev/null || echo "  (no sessions running)"
         exit 1
     fi
 
@@ -1546,9 +2130,22 @@ cmd_attach() {
     [[ -n "${COLORTERM:-}" ]] && exec_env_args+=(-e "COLORTERM=${COLORTERM}")
     [[ -n "${DCLAUDE_ITERM2:-}" ]] && exec_env_args+=(-e "DCLAUDE_ITERM2=${DCLAUDE_ITERM2}")
 
+    # Restart relay if the session uses it (relay was stopped when previous dclaude exited)
+    local relay_port
+    relay_port=$(docker inspect --format='{{index .Config.Labels "dclaude.relay.port"}}' "$container_name" 2>/dev/null || true)
+    local platform
+    platform=$(detect_platform)
+    local network_mode
+    network_mode=$(docker inspect --format='{{.HostConfig.NetworkMode}}' "$container_name" 2>/dev/null || echo "bridge")
+    setup_agent_teams_relay "$container_name" "$relay_port" "$platform" "$network_mode"
+    if [[ "$RELAY_STARTED" == "true" ]]; then
+        trap "stop_relay '$container_name'" EXIT
+    fi
+
     # Attach to existing session
     info "Attaching to session: $session_name"
-    docker exec -it -u claude "${exec_env_args[@]}" "$container_name" tmux -f /home/claude/.tmux.conf attach-session -t "$session_name"
+    docker exec -it -u claude "${exec_env_args[@]}" "$container_name" \
+        /usr/bin/tmux -L dclaude-inner -f /home/claude/.tmux.conf attach-session -t "$session_name"
     exit $?
 }
 
@@ -1770,7 +2367,7 @@ cmd_stop() {
     if [[ "$container_status" == "running" ]]; then
         # Count active tmux sessions
         local session_count
-        session_count=$(docker exec -u claude "$container_name" tmux list-sessions 2>/dev/null | wc -l | tr -d '[:space:]') || session_count=0
+        session_count=$(docker exec -u claude "$container_name" /usr/bin/tmux -L dclaude-inner list-sessions 2>/dev/null | wc -l | tr -d '[:space:]') || session_count=0
 
         if [[ "$session_count" =~ ^[0-9]+$ ]] && [[ "$session_count" -gt 0 ]]; then
             info "Stopping container $container_name ($session_count active session(s))..."
@@ -1778,6 +2375,9 @@ cmd_stop() {
             info "Stopping container $container_name..."
         fi
 
+        # Stop relay if running
+        stop_relay "$container_name"
+
         if docker stop "$container_name" >/dev/null; then
             success "Container stopped"
         else
@@ -1790,8 +2390,117 @@ cmd_stop() {
     exit 0
 }
 
-# Subcommand: SSH server for remote access (JetBrains Gateway, debugging, etc.)
+# Subcommand: SSH — dispatches to 'keys', 'server', or both
 cmd_ssh() {
+    local rc=0
+    case "${1:-}" in
+        keys)
+            shift
+            cmd_ssh_keys "$@" || rc=$?
+            ;;
+        server)
+            shift
+            cmd_ssh_server "$@" || rc=$?
+            ;;
+        --help|-h)
+            cat << 'SSH_HELP'
+dclaude ssh - SSH Key and Server Management
+
+Usage:
+  dclaude ssh              Load SSH keys into agent and start SSH server
+  dclaude ssh keys         Load SSH keys into agent
+  dclaude ssh server       Start SSH server and show connection info
+  dclaude ssh server --stop  Stop SSH server
+
+SSH_HELP
+            exit 0
+            ;;
+        "")
+            # Bare 'dclaude ssh': load keys (non-fatal), then start server
+            cmd_ssh_keys "$@" || true
+            echo ""
+            cmd_ssh_server "$@" || rc=$?
+            ;;
+        *)
+            error "Unknown subcommand: $1"
+            info "Usage: dclaude ssh [keys | server]"
+            exit 1
+            ;;
+    esac
+    exit "$rc"
+}
+
+# Subcommand: SSH key loading
+cmd_ssh_keys() {
+    # Parse flags
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            --help|-h)
+                cat << 'SSH_KEYS_HELP'
+dclaude ssh keys - Load SSH Keys into Agent
+
+Usage:
+  dclaude ssh keys         Detect and load SSH keys from ~/.ssh/
+
+Detects private keys (id_rsa, id_ed25519, etc.) in ~/.ssh/ and loads
+them into the SSH agent via ssh-add. May prompt for passphrases.
+
+SSH_KEYS_HELP
+                return 0
+                ;;
+            *)
+                error "Unknown option: $1"
+                info "Usage: dclaude ssh keys"
+                return 1
+                ;;
+        esac
+    done
+
+    local ssh_dir="${HOME}/.ssh"
+    if [[ ! -d "$ssh_dir" ]]; then
+        error "No ~/.ssh directory found"
+        return 1
+    fi
+
+    # Detect private key files
+    local keys=()
+    for key_file in "$ssh_dir"/id_*; do
+        [[ -f "$key_file" ]] || continue
+        # Skip public keys and certificates
+        [[ "$key_file" == *.pub ]] && continue
+        [[ "$key_file" == *-cert.pub ]] && continue
+        keys+=("$key_file")
+    done
+
+    if [[ ${#keys[@]} -eq 0 ]]; then
+        warning "No SSH keys found in ~/.ssh/"
+        info "Generate a key with: ssh-keygen -t ed25519"
+        return 1
+    fi
+
+    info "Loading SSH keys..."
+    local loaded=0
+    for key_file in "${keys[@]}"; do
+        local display_path="~/.ssh/$(basename "$key_file")"
+        if ssh-add "$key_file" 2>/dev/null; then
+            success "  $display_path"
+            loaded=$((loaded + 1))
+        else
+            warning "  $display_path (failed — wrong passphrase or unsupported key)"
+        fi
+    done
+
+    echo ""
+    if [[ $loaded -gt 0 ]]; then
+        success "$loaded key(s) loaded into SSH agent."
+    else
+        error "No keys were loaded"
+        return 1
+    fi
+}
+
+# Subcommand: SSH server for remote access (JetBrains Gateway, debugging, etc.)
+cmd_ssh_server() {
     local action=""
 
     # Parse flags
@@ -1802,12 +2511,12 @@ cmd_ssh() {
                 shift
                 ;;
             --help|-h)
-                cat << 'SSH_HELP'
-dclaude ssh - SSH Server for Remote Access
+                cat << 'SSH_SERVER_HELP'
+dclaude ssh server - SSH Server for Remote Access
 
 Usage:
-  dclaude ssh              Start SSH server and show connection info
-  dclaude ssh --stop       Stop SSH server
+  dclaude ssh server         Start SSH server and show connection info
+  dclaude ssh server --stop  Stop SSH server
 
 Connection:
   ssh claude@localhost -p <port>
@@ -1822,20 +2531,20 @@ Use Cases:
 
 JetBrains Gateway Setup:
   1. Start container: dclaude
-  2. Start SSH: dclaude ssh
+  2. Start SSH: dclaude ssh server
   3. Open JetBrains Gateway
   4. New Connection → SSH → localhost:<port shown above>
   5. Username: claude, Password: claude
   6. Gateway will download and install IDE backend automatically
   7. Select your project directory
 
-SSH_HELP
-                exit 0
+SSH_SERVER_HELP
+                return 0
                 ;;
             *)
                 error "Unknown option: $1"
-                info "Usage: dclaude ssh [--stop]"
-                exit 1
+                info "Usage: dclaude ssh server [--stop]"
+                return 1
                 ;;
         esac
     done
@@ -1846,7 +2555,7 @@ SSH_HELP
     if ! docker ps -a --format '{{.Names}}' | grep -q "^${container_name}$"; then
         error "No container found for this directory"
         info "Run 'dclaude' first to create a persistent container"
-        exit 1
+        return 1
     fi
 
     local container_status=$(docker inspect --format='{{.State.Status}}' "$container_name" 2>/dev/null)
@@ -1858,7 +2567,7 @@ SSH_HELP
             sleep 1
         else
             error "Container $container_name is in unexpected state: $container_status"
-            exit 1
+            return 1
         fi
     fi
 
@@ -1874,9 +2583,9 @@ SSH_HELP
         echo ""
         echo "  dclaude rm -f"
         echo "  dclaude"
-        echo "  dclaude ssh"
+        echo "  dclaude ssh server"
         echo ""
-        exit 1
+        return 1
     fi
 
     case "$action" in
@@ -1918,8 +2627,6 @@ SSH_HELP
             echo ""
             ;;
     esac
-
-    exit 0
 }
 
 # Subcommand: remove container for current directory
@@ -1956,7 +2663,7 @@ cmd_rm() {
         if [[ "$force" == "true" ]]; then
             # Count active tmux sessions
             local session_count
-            session_count=$(docker exec -u claude "$container_name" tmux list-sessions 2>/dev/null | wc -l | tr -d '[:space:]') || session_count=0
+            session_count=$(docker exec -u claude "$container_name" /usr/bin/tmux -L dclaude-inner list-sessions 2>/dev/null | wc -l | tr -d '[:space:]') || session_count=0
 
             if [[ "$session_count" =~ ^[0-9]+$ ]] && [[ "$session_count" -gt 0 ]]; then
                 info "Removing running container $container_name ($session_count active session(s))..."
@@ -1964,6 +2671,10 @@ cmd_rm() {
                 info "Removing running container $container_name..."
             fi
 
+            # Clean up relay (including nonce file since container is being removed)
+            stop_relay "$container_name"
+            rm -f "$HOME/.dclaude/tmux-relay-nonce-${container_name}"
+
             if docker rm -f "$container_name" >/dev/null; then
                 success "Container removed"
             else
@@ -1978,6 +2689,11 @@ cmd_rm() {
         fi
     else
         info "Removing container $container_name..."
+
+        # Clean up relay files (including nonce since container is being removed)
+        stop_relay "$container_name"
+        rm -f "$HOME/.dclaude/tmux-relay-nonce-${container_name}"
+
         if docker rm "$container_name" >/dev/null; then
             success "Container removed"
         else
@@ -1989,6 +2705,133 @@ cmd_rm() {
 }
 
 # Subcommand: configure git identity
+cmd_aws_configure() {
+    local container_name="$1"
+
+    # This subcommand only makes sense for volume mode
+    local resolved_mode
+    resolved_mode=$(resolve_aws_cli_mode)
+    if [[ "$resolved_mode" != "volume" ]]; then
+        error "dclaude aws configure is only for AWS_CLI=volume mode"
+        if [[ "$resolved_mode" == "mount" ]]; then
+            info "Current mode is 'mount' — host's ~/.aws is already available in the container"
+        else
+            info "Set DCLAUDE_AWS_CLI=volume to use persistent AWS volume"
+        fi
+        exit 1
+    fi
+
+    echo ""
+    echo "AWS CLI Configuration"
+    echo "─────────────────────"
+
+    # Check existing config in container
+    local existing_config
+    existing_config=$(docker exec -u claude "$container_name" cat /home/claude/.aws/config 2>/dev/null || echo "")
+
+    if [[ -n "$existing_config" ]]; then
+        echo "Current config in container:"
+        echo "$existing_config" | sed 's/^/  /'
+        echo ""
+        read -p "Overwrite with host config? [y/N]: " overwrite
+        if [[ "$overwrite" != "y" && "$overwrite" != "Y" ]]; then
+            exit 0
+        fi
+    fi
+
+    # Check host config
+    if [[ ! -f "${HOME}/.aws/config" ]]; then
+        error "No ~/.aws/config found on host"
+        info "Run 'aws configure sso' on your host first, then re-run this command"
+        exit 1
+    fi
+
+    echo "Found on host:"
+    sed 's/^/  /' "${HOME}/.aws/config"
+    echo ""
+    info "Only config (profiles, regions, SSO URLs) will be copied — no credentials or tokens"
+    echo ""
+    read -p "Copy to container? [Y/n]: " copy
+    if [[ "$copy" == "n" || "$copy" == "N" ]]; then
+        exit 0
+    fi
+
+    # Copy config file into container (docker cp copies as root, fix ownership after)
+    docker exec -u claude "$container_name" mkdir -p /home/claude/.aws
+    docker cp "${HOME}/.aws/config" "${container_name}:/home/claude/.aws/config"
+    docker exec "$container_name" chown claude:claude /home/claude/.aws /home/claude/.aws/config
+    docker exec "$container_name" chmod 600 /home/claude/.aws/config
+
+    echo ""
+    success "AWS config copied to container"
+    info "Run 'dclaude aws login' or 'aws login' inside dclaude to authenticate"
+    exit 0
+}
+
+cmd_aws_login() {
+    local container_name="$1"
+    shift
+
+    local tty_flags
+    tty_flags=$(detect_tty_flags)
+
+    info "Starting AWS login..."
+    # shellcheck disable=SC2086
+    exec docker exec $tty_flags -u claude "$container_name" aws login "$@"
+}
+
+cmd_aws() {
+    local container_name=$(get_container_name "$HOST_PATH")
+
+    # Check if container exists
+    if ! docker ps -a --format '{{.Names}}' | grep -q "^${container_name}$"; then
+        error "No container found for this directory"
+        info "Run 'dclaude' first to create a container"
+        exit 1
+    fi
+
+    # Check if container is running
+    local container_status=$(docker inspect --format='{{.State.Status}}' "$container_name" 2>/dev/null)
+    if [[ "$container_status" != "running" ]]; then
+        if [[ "$container_status" == "exited" ]]; then
+            info "Starting container: $container_name"
+            docker start "$container_name" >/dev/null
+            sleep 1
+        else
+            error "Container $container_name is in unexpected state: $container_status"
+            exit 1
+        fi
+    fi
+
+    # Dispatch subcommands
+    local subcmd="${1:-}"
+    case "$subcmd" in
+        configure)
+            shift
+            cmd_aws_configure "$container_name" "$@"
+            ;;
+        login)
+            shift
+            cmd_aws_login "$container_name" "$@"
+            ;;
+        --help|-h|"")
+            echo "Usage:"
+            echo "  dclaude aws configure    Copy AWS config from host (volume mode)"
+            echo "  dclaude aws login        Run AWS login in container"
+            echo "  dclaude aws login --profile <name>  Login with specific profile"
+            exit 0
+            ;;
+        *)
+            error "Unknown subcommand: $subcmd"
+            echo "Usage:"
+            echo "  dclaude aws configure    Copy AWS config from host (volume mode)"
+            echo "  dclaude aws login        Run AWS login in container"
+            echo "  dclaude aws login --profile <name>  Login with specific profile"
+            exit 1
+            ;;
+    esac
+}
+
 cmd_git() {
     local container_name=$(get_container_name "$HOST_PATH")
 
@@ -2128,6 +2971,10 @@ if [[ $# -gt 0 ]]; then
             shift
             cmd_git "$@"
             ;;
+        aws)
+            shift
+            cmd_aws "$@"
+            ;;
         --help|-h|help)
             cat << 'EOF'
 dclaude - Dockerized Claude Code Launcher
@@ -2140,8 +2987,12 @@ Usage:
   dclaude update              Update Claude CLI inside container
   dclaude stop                Stop container for current directory
   dclaude rm [-f]             Remove container for current directory
-  dclaude ssh                 Start SSH server for remote access
+  dclaude ssh                 Load SSH keys and start SSH server
+  dclaude ssh keys            Load SSH keys into agent
+  dclaude ssh server          Start SSH server for remote access
   dclaude git                 Configure git identity (name/email)
+  dclaude aws configure       Copy AWS config from host to container (volume mode)
+  dclaude aws login           Run AWS login in container
   dclaude chrome [options]    Launch Chrome with DevTools and MCP integration
   dclaude gh                  Authenticate GitHub CLI (runs gh auth login)
   dclaude exec [command]      Execute command in container (default: bash)
@@ -2156,6 +3007,7 @@ Environment Variables:
   DCLAUDE_GIT_AUTH           SSH auth for Git: auto, agent-forwarding, key-mount, none
   DCLAUDE_NETWORK            Network mode: auto, host, bridge
   DCLAUDE_MOUNT_ROOT         Mount parent directory (absolute or relative path)
+  DCLAUDE_AWS_CLI            AWS config mode: auto, mount, volume, none
   DCLAUDE_DOCKER_SOCKET      Override Docker socket path
   DCLAUDE_TMUX_SESSION       Custom tmux session name (default: claude-TIMESTAMP)
   DCLAUDE_CHROME_BIN         Chrome executable path (auto-detected if not set)
@@ -2167,6 +3019,7 @@ Configuration File (.dclaude):
   Create a .dclaude file at project root to configure dclaude for that tree:
     NAMESPACE=mycompany
     NETWORK=host
+    AWS_CLI=mount
     DEBUG=true
     MOUNT_ROOT=.           # Mount config file's directory
     MOUNT_ROOT=..          # Mount parent of config file's directory
@@ -2205,9 +3058,11 @@ Examples:
   dclaude rm                                     # Remove stopped container
   dclaude rm -f                                  # Force remove running container
 
-  # SSH server for remote access (JetBrains Gateway, VS Code Remote, etc.)
-  dclaude ssh                                  # Start SSH server, show connection info
-  dclaude ssh --stop                           # Stop SSH server
+  # SSH key and server management
+  dclaude ssh                                  # Load keys + start SSH server
+  dclaude ssh keys                             # Load SSH keys into agent
+  dclaude ssh server                           # Start SSH server, show connection info
+  dclaude ssh server --stop                    # Stop SSH server
 
   # Launch Chrome with DevTools for MCP integration
   dclaude chrome

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@alanbem/dclaude",
-  "version": "0.0.12",
+  "version": "0.0.14",
   "description": "Dockerized Claude Code CLI launcher with MCP support",
   "main": "dclaude",
   "bin": {