Add 1Password SSH + Touch ID security docs

Add SSH security section to README explaining 1Password SSH Agent
setup with Touch ID for biometric git push approval. Add detailed
setup guide and recommended settings to QUICK_REFERENCE.md.

Clearly documents that approval is per-session (not per-push) and
recommends short auto-lock timeout for frequent re-authentication.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: AnjanJ

QUICK_REFERENCE.md

@@ -184,6 +184,41 @@ git remote set-url origin git@github.com-work:company/repo.git
 
 **Restore old SSH keys:** `cp -r ~/.dotfiles_backup_*/ssh/ ~/.ssh/`
 
+### 1Password SSH Agent — Touch ID for Git
+
+If you chose 1Password during install, every new terminal session requires Touch ID before SSH operations (push, pull, clone).
+
+**Recommended settings** (1Password → Settings → Developer → SSH Agent → Advanced):
+
+| Setting | Recommended | Effect |
+|---------|------------|--------|
+| Ask approval for each new | `application and terminal session` | Per-tab, not global |
+| Remember key approval | `until 1Password locks` | Expires on lock |
+
+**Recommended** (1Password → Settings → Security):
+
+| Setting | Recommended | Effect |
+|---------|------------|--------|
+| Lock when device locks or sleeps | ✅ enabled | Locks with your Mac |
+| Lock after device is idle for | `1 minute` | Short timeout = frequent re-auth |
+
+**Important:** approval is per-session, not per-push. Once approved in a terminal tab, subsequent pushes go through until 1Password locks. A shorter auto-lock timeout means more frequent biometric prompts.
+
+**Manual setup** (if you didn't choose 1Password during install):
+```bash
+# 1. Enable SSH Agent in 1Password → Settings → Developer
+# 2. Create the socket symlink:
+mkdir -p ~/.1password
+ln -sf ~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ~/.1password/agent.sock
+
+# 3. Add to ~/.ssh/config:
+# Host *
+#     IdentityAgent ~/.1password/agent.sock
+
+# 4. Test:
+ssh -T git@github.com
+```
+
 ## 💼 Work Identity Management
 
 | Command | What it does |

README.md

@@ -537,6 +537,32 @@ brew bundle install
 - **tmux**: `.tmux.conf`
 - **Neovim**: `.config/nvim/lua/plugins/*.lua`
 
+## 🔒 SSH & Security
+
+### 1Password SSH Agent (Recommended)
+
+During install, you can choose **1Password SSH Agent** for SSH key management. This gives you:
+
+- **Touch ID for git push** — each new terminal session requires biometric approval before SSH operations
+- **No key files on disk** — keys live in your 1Password vault, encrypted and synced
+- **Works everywhere** — GitHub, GitLab, Bitbucket, Codeberg, self-hosted Git
+
+**How it works:**
+1. Install sets up `~/.ssh/config` to use the 1Password agent socket
+2. When you `git push` in a new terminal session, 1Password prompts for Touch ID
+3. Approval lasts until 1Password locks (configurable timeout)
+
+**Recommended 1Password settings for maximum security:**
+| Setting | Value | Why |
+|---------|-------|-----|
+| Ask approval for each new | `application and terminal session` | Per-tab approval, not global |
+| Remember key approval | `until 1Password locks` | Approval expires on lock |
+| Auto-lock after idle | `1 minute` (or shortest you're comfortable with) | Frequent re-authentication |
+
+> **Note:** This is per-session, not per-push. Once you approve in a terminal tab, subsequent pushes in that tab go through until 1Password locks. For additional protection, consider a short auto-lock timeout.
+
+See [QUICK_REFERENCE.md](QUICK_REFERENCE.md#ssh-setup) for SSH troubleshooting and testing commands.
+
 ## 🆘 Troubleshooting
 
 ### Homebrew Not Found