diff --git a/Dockerfile.service b/Dockerfile.service
index 08fd21f..3960769 100644
--- a/Dockerfile.service
+++ b/Dockerfile.service
@@ -39,8 +39,8 @@ RUN pnpm turbo build --filter='./packages/shared/*' --filter=@it0/${SERVICE_NAME
 # ===== Production Stage =====
 FROM node:18-alpine
-# Install bash (required by Claude Agent SDK Bash tool)
-RUN apk add --no-cache bash
+# Install bash (required by Claude Agent SDK Bash tool) + openssh-client (for SSH to managed servers)
+RUN apk add --no-cache bash openssh-client
 RUN corepack enable
@@ -82,7 +82,8 @@ WORKDIR /app/packages/services/${SERVICE_NAME}
 # Run as non-root user (required for SDK bypassPermissions mode)
 RUN adduser -D -h /home/appuser appuser && \
 mkdir -p /data/claude-tenants && \
- chown -R appuser:appuser /app /data/claude-tenants
+ mkdir -p /home/appuser/.ssh && chmod 700 /home/appuser/.ssh && \
+ chown -R appuser:appuser /app /data/claude-tenants /home/appuser/.ssh
 USER appuser
 ARG SERVICE_PORT=3000
diff --git a/deploy/docker/docker-compose.yml b/deploy/docker/docker-compose.yml
index 5069376..1ee226e 100644
--- a/deploy/docker/docker-compose.yml
+++ b/deploy/docker/docker-compose.yml
@@ -122,6 +122,7 @@ services:
 - ${HOME}/.claude:/home/appuser/.claude
 - ${HOME}/.claude.json:/home/appuser/.claude.json
 - claude_tenants:/data/claude-tenants
+ - ${HOME}/.ssh/id_ed25519:/home/appuser/.ssh/id_ed25519:ro
 environment:
 - DB_HOST=postgres
 - DB_PORT=5432
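Review bot: `openssh-client` is installed in the shared production stage, so every image built from Dockerfile.service (it is parameterised by `SERVICE_NAME`) ships an SSH client, although presumably only the service that connects to managed servers needs one. Consider gating it behind a build argument, for example `ARG EXTRA_APK_PACKAGES=""` followed by `RUN apk add --no-cache bash ${EXTRA_APK_PACKAGES}`, and passing `openssh-client` only for that service's build. The packages are also unpinned, so the OpenSSH version follows whatever the `node:18-alpine` tag resolves to at build time; pinning it or stating that in the comment would make rebuilds easier to audit.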
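Review bot: The new `/home/appuser/.ssh` directory is created empty, so nothing in the image pins the host keys of the managed servers; there is no `known_hosts` and no `config`. A non-interactive `ssh` from the service will then either stop at the host-key prompt or be run with host-key checking turned off, and the diff does not show which; the second outcome lets anyone on the network path impersonate a managed server. I would provision a `known_hosts` file (baked in or mounted read-only) and add `printf 'Host *\n  StrictHostKeyChecking yes\n' > /home/appuser/.ssh/config && chmod 600 /home/appuser/.ssh/config && \` to this RUN before the `chown`.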
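Review bot: The added volume line mounts the operator's default private key, `${HOME}/.ssh/id_ed25519`, into a container that (per the Dockerfile comments) runs the agent SDK in bypassPermissions mode with a Bash tool; `:ro` prevents the file from being modified but not from being read, so any command the agent runs can read the key. That key is likely authorised on more hosts than the managed servers. Prefer a dedicated key for this service, restricted on the server side, with an explicit path such as `- ${IT0_SSH_KEY:?path to dedicated deploy key}:/home/appuser/.ssh/id_ed25519:ro` (the variable name is only a suggestion). A bind mount also keeps the host's owner and mode, so `appuser` can use the key only if its UID matches the host user's, and Docker creates a directory at the source path if the file is missing. The service entry this line belongs to starts outside the hunk.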