diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index bc88700..a2b8f05 100755
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -89,24 +89,22 @@ COMPOSE_PROFILES="${COMPOSE_PROFILES}"
 prn() { printf ' · %s\n' "\$*"; }
-# 2a. preflight: check the Gitea SSH host is trusted (read-only check; we
-# do NOT modify your ~/.ssh contents — handle host trust yourself once).
-if [[ -n "\$GIT_HOST" ]]; then
+# 2a. trust the Gitea SSH host on first deploy.
+#
+# Boundary, intentional and narrow:
+# • host trust (~/.ssh/known_hosts entry) → AUTO on first run. This is TOFU,
+# same as what 'ssh -o StrictHostKeyChecking=accept-new' would do.
+# • identity keys (~/.ssh/id_*) → NEVER touched. We won't
+# generate, copy, or modify your private/public keypairs.
+# Skip the auto-trust by setting PSYC_SKIP_HOST_TRUST=1 on your laptop.
+if [[ -n "\$GIT_HOST" && -z "${PSYC_SKIP_HOST_TRUST:-}" ]]; then
+ mkdir -p ~/.ssh && chmod 700 ~/.ssh
 KH_ENTRY="[\$GIT_HOST]:\$GIT_PORT"
 if ! ssh-keygen -F "\$KH_ENTRY" -f ~/.ssh/known_hosts >/dev/null 2>&1; then
- cat >&2 </dev/null >> ~/.ssh/known_hosts \
+ || { echo "[deploy] couldn't reach \$GIT_HOST:\$GIT_PORT to fetch host key" >&2; exit 1; }
+ chmod 600 ~/.ssh/known_hosts
 fi
 fi
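Review bot: The fetched host key is redirected straight into ~/.ssh/known_hosts with the scanner's stderr discarded, so a scan that exits 0 but produces no (or a truncated) key line is silently recorded as trusted, and the `|| { echo … exit 1; }` branch only covers a non-zero exit; the command in front of `/dev/null >> ~/.ssh/known_hosts` is garbled in this view and presumably ssh-keyscan. Capture the output first, refuse an empty result, append only then, and print the fingerprint of what was just accepted so the operator can compare it against the fingerprint the Gitea instance publishes — TOFU with nothing shown is not checkable. A second, hedged point: ssh-keyscan writes `[host]:port` entries only for non-default ports, so when GIT_PORT is 22 the `ssh-keygen -F "[\$GIT_HOST]:22"` lookup may never match the plain-hostname entry that was added and a copy would be appended on every deploy, unless -F normalizes the port. The comment block above is good; consider adding one line noting that the accepted fingerprint is printed for out-of-band verification.
```shell
    # … unchanged: ssh-keygen -F "\$KH_ENTRY" check …
    scanned=\$(ssh-keyscan -p "\$GIT_PORT" "\$GIT_HOST" 2>/dev/null) \
      || { echo "[deploy] couldn't reach \$GIT_HOST:\$GIT_PORT to fetch host key" >&2; exit 1; }
    [[ -n "\$scanned" ]] || { echo "[deploy] no host key returned by \$GIT_HOST:\$GIT_PORT" >&2; exit 1; }
    printf '%s\n' "\$scanned" >> ~/.ssh/known_hosts
    chmod 600 ~/.ssh/known_hosts
    # show what was just trusted; compare with the fingerprint published by the Gitea server
    printf '%s\n' "\$scanned" | ssh-keygen -lf /dev/stdin >&2
```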