feat: seed SSH agent config in firstboot (Sam & Hermes)

shell-ssh.sh now seeds ~/.ssh/config (AddKeysToAgent yes) and
~/.tmux.conf (SSH_AUTH_SOCK persistence) after SSH key install.
Idempotent — appends to existing configs if already present.
Fixes agent-dead-after-tmux-restart for every fresh Clawdie install.

.graphifyignore

@@ -0,0 +1,20 @@
+.git/
+tmp/
+node_modules/
+dist/
+build/
+.cache/
+.env
+*.key
+*.pem
+*.sqlite
+*.db
+*.img
+*.img.gz
+*.iso
+*.sha256
+packages/
+downloads/
+html/
+webroot/
+graphify-out/cache/

firstboot/shell-ssh.sh

@@ -25,6 +25,7 @@ clawdie_shell_ssh_setup() {
   # 1. Configure SSH keys (if provided)
   # 2. Set system passwords (if provided or auto-generate)
   # 3. Configure SSH auth methods (key-only or key+password)
+  # 4. Seed SSH agent persistence (~/.ssh/config + ~/.tmux.conf)
 
   log_msg "[ssh] Starting SSH and password setup"
 
@@ -42,7 +43,8 @@ clawdie_shell_ssh_setup() {
   if [ -n "${SSH_PUBLIC_KEY:-}" ]; then
     clawdie_shell_ssh_install_pubkey
     clawdie_shell_ssh_disable_password_auth
-    log_msg "[ssh] SSH public key installed, password auth disabled"
+    clawdie_shell_ssh_seed_agent_config
+    log_msg "[ssh] SSH public key installed, password auth disabled, agent config seeded"
   else
     clawdie_shell_ssh_enable_password_auth
     log_msg "[ssh] No SSH key provided, password auth enabled (less secure)"
@@ -102,6 +104,56 @@ clawdie_shell_ssh_install_pubkey() {
   return 0
 }
 
+# ============================================================================
+# SSH AGENT PERSISTENCE (seed ~/.ssh/config + ~/.tmux.conf)
+# ============================================================================
+
+clawdie_shell_ssh_seed_agent_config() {
+  # Seed SSH agent auto-load and tmux persistence for the clawdie user.
+  # Run after clawdie_shell_ssh_install_pubkey (requires user to exist).
+
+  local ssh_config="/home/clawdie/.ssh/config"
+  local tmux_conf="/home/clawdie/.tmux.conf"
+
+  # --- ~/.ssh/config: AddKeysToAgent yes, no agent forwarding ---
+  if [ ! -f "$ssh_config" ]; then
+    cat > "$ssh_config" <<'SSHEOF'
+Host *
+    AddKeysToAgent yes
+    ForwardAgent no
+SSHEOF
+    chmod 600 "$ssh_config"
+    chown clawdie:clawdie "$ssh_config" 2>/dev/null || true
+    log_msg "[ssh] Seeded ~/.ssh/config with AddKeysToAgent yes"
+  else
+    # Append only if not already present (idempotent)
+    if ! grep -q 'AddKeysToAgent' "$ssh_config" 2>/dev/null; then
+      printf '\nHost *\n    AddKeysToAgent yes\n    ForwardAgent no\n' >> "$ssh_config"
+      log_msg "[ssh] Appended AddKeysToAgent to existing ~/.ssh/config"
+    fi
+  fi
+
+  # --- ~/.tmux.conf: persist agent socket across windows ---
+  if [ ! -f "$tmux_conf" ]; then
+    cat > "$tmux_conf" <<'TMUXEOF'
+set -g base-index 1
+setw -g pane-base-index 1
+set -g mouse on
+set-option -g update-environment "SSH_AUTH_SOCK SSH_AGENT_PID"
+TMUXEOF
+    chmod 644 "$tmux_conf"
+    chown clawdie:clawdie "$tmux_conf" 2>/dev/null || true
+    log_msg "[ssh] Seeded ~/.tmux.conf with agent persistence"
+  else
+    if ! grep -q 'SSH_AUTH_SOCK' "$tmux_conf" 2>/dev/null; then
+      printf '\nset-option -g update-environment "SSH_AUTH_SOCK SSH_AGENT_PID"\n' >> "$tmux_conf"
+      log_msg "[ssh] Appended agent persistence to existing ~/.tmux.conf"
+    fi
+  fi
+
+  return 0
+}
+
 # ============================================================================
 # SSH AUTH METHOD CONFIGURATION
 # ============================================================================