first round of changes: dedicated cache folder, cleaner base image, version management

README.md

@@ -42,20 +42,26 @@ so you can launch from a subdirectory and it'll still find the right one.
 .safeclaude/
   Dockerfile   # which system packages / language versions this project needs
   hooks/       # setup scripts that run each time the container starts
+  cache/       # scratch space on the host, gitignored (dependencies, downloads…)
   .env         # secrets, kept out of git (.env.example shows the format)
+  version      # the safeclaude version this config was created with
 ```
 
 A few things worth knowing:
 
 - **Two places setup can live, and the difference matters.** Slow, one-time
-  installs (system packages, a language toolchain) go in the `Dockerfile` —
+  installs (system packages, a pinned language version) go in the `Dockerfile` —
   these get cached, so they don't repeat. Anything that needs your actual code
   present, or that should persist between runs (installing dependencies,
   starting a database proxy), goes in a `hooks/` script that runs at launch.
 - **It only rebuilds when something changed.** safeclaude remembers what it
   already built, so a normal launch starts right up with no waiting.
-- **Hooks are safe to run every time.** They check before doing work — e.g. the
-  starter dependency hook only reinstalls when your lockfile actually changed.
+- **Hooks are safe to run every time.** They check before doing work, so a
+  launch with nothing to do is near-instant.
+- **`cache/` is your scratch space.** It lives on the host and is gitignored, so
+  it survives rebuilds and `docker volume` resets without ending up in your repo
+  — a good home for installed dependencies, downloads, or "already did this"
+  markers.
 
 See [`example/`](example/) for a real, filled-in Ruby + Postgres setup you can
 copy from.