docs: rewrite user docs, fix modal scroll, webhook URL, and sccache

Rewrite all public documentation to be user-facing only:
- Remove deployment, configuration, and self-hosting sections
- Add guide pages for SBOM, issues, webhooks & PR reviews
- Add reference pages for glossary and tools/scanners
- Add 12 screenshots from live dashboard
- Explain MCP, LLM triage, false positives, human-in-the-loop

Fix edit repository modal not scrollable (max-height + overflow-y).
Show full webhook URL using window.location.origin instead of path.
Unset RUSTC_WRAPPER in agent cargo commands to avoid sccache errors.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/guide/repositories.md

@@ -1,26 +1,78 @@
 # Adding Repositories
 
-Repositories are the core resource in Compliance Scanner. Each tracked repository is scanned on a schedule and its results are available across all features.
+Repositories are the core resource in Certifai. Each tracked repository is scanned on a schedule, and its results are available across all features -- findings, SBOM, code graph, AI chat, and issue tracking.
 
 ## Adding a Repository
 
 1. Navigate to **Repositories** in the sidebar
-2. Click **Add Repository** at the top of the page
+2. Click **Add Repository**
 3. Fill in the form:
-   - **Name** — A display name for the repository
-   - **Git URL** — The clone URL (HTTPS or SSH), e.g. `https://github.com/org/repo.git`
-   - **Default Branch** — The branch to scan, e.g. `main` or `master`
+   - **Name** -- a display name for the repository
+   - **Git URL** -- the clone URL (HTTPS or SSH), e.g. `https://github.com/org/repo.git` or `git@github.com:org/repo.git`
+   - **Default Branch** -- the branch to scan, e.g. `main` or `master`
 4. Click **Add**
 
+![Add repository dialog](/screenshots/add-repository.png)
+
 The repository appears in the list immediately. It will not be scanned until you trigger a scan manually or the next scheduled scan runs.
 
+## Public vs Private Repositories
+
+**Public repositories** can be cloned using an HTTPS URL with no additional setup.
+
+**Private repositories** require SSH access. When you add a repository with an SSH URL (e.g. `git@github.com:org/repo.git`), Certifai uses an SSH deploy key to authenticate.
+
+### Getting the SSH Public Key
+
+To grant Certifai access to a private repository:
+
+1. Go to the **Repositories** page
+2. The platform's SSH public key is available for copying
+3. Add this key as a **deploy key** in your Git hosting provider:
+   - **GitHub**: Repository Settings > Deploy keys > Add deploy key
+   - **GitLab**: Repository Settings > Repository > Deploy keys
+   - **Gitea**: Repository Settings > Deploy Keys > Add Deploy Key
+
 ::: tip
-For private repositories, configure a GitHub token (`GITHUB_TOKEN`) or GitLab token (`GITLAB_TOKEN`) in your environment. The agent uses these tokens when cloning.
+Deploy keys are scoped to a single repository and are read-only by default. This is the recommended approach for granting Certifai access to private code.
 :::
 
+## Configuring an Issue Tracker
+
+You can connect an issue tracker so that new findings are automatically created as issues in your existing workflow.
+
+When adding or editing a repository, expand the **Issue Tracker** section to configure:
+
+![Add repository dialog with issue tracker options](/screenshots/add-repository-tracker.png)
+
+### Supported Trackers
+
+| Tracker | Required Fields |
+|---------|----------------|
+| **GitHub Issues** | Repository owner, repository name, API token |
+| **GitLab Issues** | Project ID, GitLab URL, API token |
+| **Gitea Issues** | Repository owner, repository name, Gitea URL, API token |
+| **Jira** | Project key, Jira URL, email, API token |
+
+Each tracker is configured per-repository, so different repositories can use different trackers.
+
+## Editing Repository Settings
+
+Click the **Edit** button on any repository row to modify its settings, including the issue tracker configuration.
+
+![Edit repository modal with tracker configuration](/screenshots/edit-repository.png)
+
+From the edit modal you can:
+
+- Change the repository name, Git URL, or default branch
+- Add, modify, or remove issue tracker configuration
+- View the webhook URL and secret for this repository (see [Webhooks & PR Reviews](/guide/webhooks))
+
 ## Repository List
 
-The repositories page shows all tracked repositories with:
+The repositories page shows all tracked repositories in a table.
+
+![Repository list table](/screenshots/repositories-list.png)
 
 | Column | Description |
 |--------|-------------|
@@ -32,7 +84,7 @@ The repositories page shows all tracked repositories with:
 
 ## Triggering a Scan
 
-Click the **Scan** button on any repository row to trigger an immediate scan. The scan runs in the background through all phases (clone, SAST, SBOM, CVE, graph). You can monitor progress on the Overview page under recent scan runs.
+Click the **Scan** button on any repository row to trigger an immediate scan. The scan runs in the background through all phases (clone, SAST, SBOM, CVE, graph, issue sync). You can monitor progress on the Overview page under recent scan runs.
 
 ## Deleting a Repository
 
@@ -44,19 +96,6 @@ Click the **Delete** button on a repository row. A confirmation dialog appears w
 - Code graph data
 - Embedding vectors (for AI chat)
 - CVE alerts
+- Tracker issues
 
 This action cannot be undone.
-
-## Automatic Scanning
-
-Repositories are scanned automatically on a schedule configured by the `SCAN_SCHEDULE` environment variable (cron format). The default is every 6 hours:
-
-```
-SCAN_SCHEDULE=0 0 */6 * * *
-```
-
-CVE monitoring runs on a separate schedule (default: daily at midnight):
-
-```
-CVE_MONITOR_SCHEDULE=0 0 0 * * *
-```