Use entrypoint-based UID remapping instead of --user flag so the container's pentest user matches the host UID/GID, keeping bind-mounted volumes writable. Git config moved to --system level to survive remapping.
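The entrypoint-based remapping the commit describes, as an added example that is not the project's own script: at container start it changes the `pentest` user's UID/GID to match the host user so that files written to a bind mount are owned by the host user, then drops root before running the command. The environment variable names `HOST_UID`/`HOST_GID`, the `/home/pentest` home path and the use of `gosu` to drop privileges are assumptions for this example; the real entrypoint may use different names or `su-exec`.

```shell
#!/bin/sh
# Hypothetical entrypoint.sh (example, not the project's own file).
# Remaps the in-container user to the host's UID/GID so bind-mounted
# volumes stay writable, then drops root and execs the requested command.
set -eu

APP_USER="${APP_USER:-pentest}"     # assumed: user name baked into the image
HOST_UID="${HOST_UID:-1000}"        # assumed: passed in with -e HOST_UID="$(id -u)"
HOST_GID="${HOST_GID:-1000}"        # assumed: passed in with -e HOST_GID="$(id -g)"

# Accept only plain non-negative integers; anything else is rejected before it
# reaches usermod/groupmod (the values come from the caller's environment).
validate_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Return 0 (true) when user $1 does not already have uid $2 and gid $3.
needs_remap() {
  cur_uid=$(id -u "$1" 2>/dev/null || echo "")
  cur_gid=$(id -g "$1" 2>/dev/null || echo "")
  [ "$cur_uid" != "$2" ] || [ "$cur_gid" != "$3" ]
}

main() {
  if ! validate_id "$HOST_UID" || ! validate_id "$HOST_GID"; then
    echo "entrypoint: HOST_UID/HOST_GID must be numeric" >&2
    exit 1
  fi

  if needs_remap "$APP_USER" "$HOST_UID" "$HOST_GID"; then
    # -o allows a non-unique id in case the host id collides with an existing one.
    groupmod -o -g "$HOST_GID" "$APP_USER"
    usermod  -o -u "$HOST_UID" -g "$HOST_GID" "$APP_USER"
    # Only the home directory needs re-owning; bind mounts already belong to
    # the host user, which is the whole point of the remap.
    chown -R "$HOST_UID:$HOST_GID" "/home/$APP_USER"
  fi

  # Per-user git config would live in the re-owned home; system-level config
  # (/etc/gitconfig) is unaffected by the remap, which is why the commit moved it there.
  exec gosu "$APP_USER" "$@"   # assumed: gosu installed in the image
}

# Only act when started as root with a command to run (the normal ENTRYPOINT case);
# sourcing or running without arguments leaves the helpers callable for inspection.
if [ "$(id -u)" -eq 0 ] && [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it as `docker run -e HOST_UID="$(id -u)" -e HOST_GID="$(id -g)" -v "$PWD:/work" image cmd`; because the remap happens inside the container rather than via `--user`, the user still has a valid passwd entry, home directory and shell, which `--user 1000:1000` alone does not give it.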