diff --git a/k8s/awoooi-prod/02-network-policy.yaml b/k8s/awoooi-prod/02-network-policy.yaml
index 3a2c2071..d2f85a8c 100644
--- a/k8s/awoooi-prod/02-network-policy.yaml
+++ b/k8s/awoooi-prod/02-network-policy.yaml
@@ -121,9 +121,10 @@ spec:
         - protocol: TCP
           port: 11434
-      # 允許訪問 192.168.0.110 DevOps 金庫 (Harbor + Sentry + Langfuse)
+      # 允許訪問 192.168.0.110 DevOps 金庫 (Harbor + Sentry + Langfuse + SSH Repair)
       # 2026-03-24 新增: Sentry Self-Hosted
       # 2026-03-26 新增: Langfuse LLMOps (Phase 15.1)
+      # 2026-04-09 新增: SSH port 22 — repair-bot-110.sh 自動修復 (Bug #11 修正)
     - to:
         - ipBlock:
             cidr: 192.168.0.110/32
@@ -137,6 +138,10 @@ spec:
         # Langfuse LLMOps (Phase 15.1)
         - protocol: TCP
           port: 3100
+        # SSH — repair-bot-110.sh 自動修復執行路徑
+        # ADR-062: SSH_COMMAND Playbook 需要 K8s Pod → 110:22 的 egress
+        - protocol: TCP
+          port: 22
 
       # 允許訪問 192.168.0.112 安全掃描服務
     - to:
diff --git a/k8s/awoooi-prod/06-deployment-api.yaml b/k8s/awoooi-prod/06-deployment-api.yaml
index 4a2fae5b..b7c1b3ef 100644
--- a/k8s/awoooi-prod/06-deployment-api.yaml
+++ b/k8s/awoooi-prod/06-deployment-api.yaml
@@ -36,6 +36,11 @@ spec:
       # Phase 7: 使用 RBAC ServiceAccount (最小權限)
       serviceAccountName: awoooi-executor
       automountServiceAccountToken: true
+      # 2026-04-09 Claude Sonnet 4.6 Asia/Taipei: Bug #12 修正
+      # fsGroup=1000 讓 appuser(1000) 可讀取 defaultMode=0400 的 repair-ssh-key Secret
+      # SSH 要求 key 必須是 owner-only (0400/0600),0444 會被拒絕
+      securityContext:
+        fsGroup: 1000
       containers:
         - name: api
           # 映像標籤由 CI/CD 動態注入 (格式: {sha}-{run_id})
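Review bot: The new `- protocol: TCP` / `port: 22` entry in the second hunk of 02-network-policy.yaml is added to the same egress rule that already carries Harbor, Sentry and Langfuse, so SSH to 192.168.0.110 is granted to every pod the policy's podSelector matches (the selector and the start of this egress entry are outside the hunk), not only to whatever actually runs repair-bot-110.sh. That widens the blast radius of any compromised container selected by this policy from "can reach a few HTTP services" to "can open a shell path to the DevOps host". Consider carving the port-22 rule out into a separate NetworkPolicy whose podSelector matches only the repair executor, and pairing it with a dedicated, forced-command key principal on the host's sshd so the allowed path is both narrow and auditable. A short comment naming the intended client workload next to the rule would also help the next reviewer, e.g. `# only the repair executor pod should need this; see ADR-062`.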
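Review bot: `securityContext.fsGroup: 1000` in 06-deployment-api.yaml is set at pod level, so group ownership 1000 is applied to every volume mounted by any container in this pod, not just the repair-ssh-key Secret; any sidecar or future container in the pod can then read the private key. The accompanying comment also appears to describe the wrong result: when fsGroup is applied to a read-only Secret volume the kubelet typically adds the group-read bit, so a `defaultMode=0400` file ends up as 0440 owned by root:1000 rather than the "owner-only" mode the comment claims, and whether ssh accepts it depends on ownership rather than on the 0400 value — verify with `ls -l` on the mounted path inside the running pod before relying on this. If the key must stay narrowly readable, prefer projecting it only into the container that runs the repair job (or copying it in an initContainer to an emptyDir as 0400 owned by appuser) over relaxing group ownership pod-wide. The authorship tag `Claude Sonnet 4.6 Asia/Taipei` belongs in the commit message rather than the manifest; the pod spec continues outside the hunk.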