feat(teamstore): add league/conference sub-sub-category pill filter (hi-five-franchise-store only)

SSH_KEYS_SETUP.md

@@ -107,6 +107,63 @@ Then update `filesystems.php`:
 'privateKey' => '/var/keys/root.pem',
 ```
 
+---
+
+## Local Development — Remote DB via SSH Tunnel
+
+Use the `ssh-db` profile to connect the local app to a **remote database** through an SSH tunnel, authenticated with a private key.
+
+### 1. Configure `.env.local`
+
+```dotenv
+# SSH jump host
+SSH_HOST=your.server.ip.or.hostname
+SSH_PORT=22
+SSH_USER=root
+SSH_KEY_PATH=~/.ssh/id_rsa        # path to your private key on the Mac host
+
+# DB endpoint as seen from the SSH server
+SSH_DB_REMOTE_HOST=127.0.0.1
+SSH_DB_REMOTE_PORT=3306
+
+# Tell the app to route through the tunnel container
+DB_HOST=db-tunnel
+DB_PORT=3306
+DB_DATABASE=your_remote_db_name
+DB_USERNAME=your_remote_db_user
+DB_PASSWORD=your_remote_db_password
+```
+
+### 2. Start the stack with the tunnel profile
+
+```bash
+docker compose -f docker-compose.local.yml --profile ssh-db up --build
+```
+
+This starts a `db-tunnel` sidecar container (Alpine + openssh-client) that creates:
+
+```
+Mac host → [SSH tunnel] → SSH_HOST → DB (SSH_DB_REMOTE_HOST:SSH_DB_REMOTE_PORT)
+```
+
+The app container connects to `db-tunnel:3306`, which forwards all traffic through the encrypted tunnel.
+
+### 3. Key requirements
+
+| Requirement | Detail |
+|---|---|
+| Key format | OpenSSH (`id_rsa`, `id_ed25519`) — **not** `.ppk` |
+| Key permissions | `chmod 600 ~/.ssh/id_rsa` |
+| SSH server | Authorised key must be in `~/.ssh/authorized_keys` on `SSH_HOST` |
+
+> **Tip:** If your key is in PuTTY (`.ppk`) format, convert it first:
+> ```bash
+> puttygen root.ppk -O private-openssh -o ~/.ssh/id_rsa
+> chmod 600 ~/.ssh/id_rsa
+> ```
+
+---
+
 ## Security Best Practices
 
 ✅ **DO:**