diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index 7b42bf3..d253b9d 100755
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -53,6 +53,17 @@ fi
 GIT_URL=$(git config --get "remote.${GIT_REMOTE}.url") \
   || fail "no remote '${GIT_REMOTE}' configured locally"
 
+# Parse the git URL to pull out the SSH host + port so the prod box can
+# pre-trust the Gitea host key before its first clone. Supports both
+#   ssh://user@host:port/path  and  user@host:path
+GIT_HOST=""; GIT_PORT="22"
+if [[ "$GIT_URL" =~ ^ssh://[^@]+@([^:/]+)(:([0-9]+))?/ ]]; then
+  GIT_HOST="${BASH_REMATCH[1]}"
+  [[ -n "${BASH_REMATCH[3]:-}" ]] && GIT_PORT="${BASH_REMATCH[3]}"
+elif [[ "$GIT_URL" =~ ^[^@]+@([^:]+): ]]; then
+  GIT_HOST="${BASH_REMATCH[1]}"
+fi
+
 # ── 1. local push ───────────────────────────────────────────────────────
 say "pushing ${B}${BRANCH}${Z} to ${B}${GIT_REMOTE}${Z}…"
 git push "${GIT_REMOTE}" "${BRANCH}" || fail "git push failed — fix and retry"
@@ -72,15 +83,41 @@ set -euo pipefail
 HOST_PATH="${REMOTE_PATH}"
 BRANCH="${BRANCH}"
 GIT_URL="${GIT_URL}"
+GIT_HOST="${GIT_HOST}"
+GIT_PORT="${GIT_PORT}"
 COMPOSE_PROFILES="${COMPOSE_PROFILES}"
 
 prn()  { printf '  · %s\n' "\$*"; }
 
-# 2a. ensure dir + working tree
+# 2a. pre-trust the Gitea SSH host key so the first clone doesn't fail with
+#     'Host key verification failed'. This is TOFU — we accept whatever the
+#     server currently presents. If you want to verify the fingerprint
+#     manually, do so once and place it in ~/.ssh/known_hosts yourself.
+if [[ -n "\$GIT_HOST" ]]; then
+  mkdir -p ~/.ssh && chmod 700 ~/.ssh
+  KH_ENTRY="[\$GIT_HOST]:\$GIT_PORT"
+  if ! ssh-keygen -F "\$KH_ENTRY" -f ~/.ssh/known_hosts >/dev/null 2>&1; then
+    prn "adding \$KH_ENTRY to ~/.ssh/known_hosts (first time on this prod box)"
+    ssh-keyscan -T 5 -p "\$GIT_PORT" "\$GIT_HOST" 2>/dev/null >> ~/.ssh/known_hosts \
+      || { echo "[deploy] could not reach \$GIT_HOST:\$GIT_PORT from this box" >&2; exit 1; }
+    chmod 600 ~/.ssh/known_hosts
+  fi
+fi
+
+# 2b. ensure dir + working tree
 if [[ ! -d "\$HOST_PATH/.git" ]]; then
-  prn "no working tree at \$HOST_PATH — cloning"
+  prn "no working tree at \$HOST_PATH — cloning \$GIT_URL"
   mkdir -p "\$(dirname "\$HOST_PATH")"
-  git clone "\$GIT_URL" "\$HOST_PATH"
+  if ! git clone "\$GIT_URL" "\$HOST_PATH"; then
+    cat >&2 <<HINT
+[deploy] git clone failed. Two likely causes:
+  • This prod box has no SSH key registered in Gitea for this user.
+    Run on prod:    cat ~/.ssh/id_*.pub        (or ssh-keygen -t ed25519 if none)
+    Then in Gitea:  Settings → SSH Keys → add it.
+  • The repo URL is wrong / private and you're not a collaborator.
+HINT
+    exit 1
+  fi
 fi
 cd "\$HOST_PATH"