diff --git a/k8s/awoooi-prod/04-configmap.yaml b/k8s/awoooi-prod/04-configmap.yaml
index 2153728e..4b251ec4 100644
--- a/k8s/awoooi-prod/04-configmap.yaml
+++ b/k8s/awoooi-prod/04-configmap.yaml
@@ -102,3 +102,13 @@ data:
   # in-cluster config 讀到 10.43.0.1，但 iptables/kube-proxy 沒把流量導到實際 API server
   # 用此 URL 覆蓋 host，讓 executor 直接打 K3s API server node IP
   K8S_API_SERVER_URL: "https://192.168.0.120:6443"
+
+  # MCP Phase 2a (2026-04-11 Claude Sonnet 4.6): SSH MCP 啟用
+  # SSH_MCP_ENABLED=true 需確認 ssh-mcp-key Secret 已建立且 188 已加 authorized_keys
+  SSH_MCP_ENABLED: "true"
+  SSH_MCP_KNOWN_HOSTS_FILE: "/etc/ssh-mcp/known_hosts"
+  # MCP Phase 3 (2026-04-11 Claude Sonnet 4.6): ArgoCD + Sentry MCP 啟用
+  # ARGOCD_API_TOKEN 在 Secrets 中配置
+  ARGOCD_MCP_ENABLED: "true"
+  ARGOCD_URL: "https://192.168.0.125:30443"
+  SENTRY_MCP_ENABLED: "true"
diff --git a/k8s/awoooi-prod/06-deployment-api.yaml b/k8s/awoooi-prod/06-deployment-api.yaml
index b7c1b3ef..e9a22c0c 100644
--- a/k8s/awoooi-prod/06-deployment-api.yaml
+++ b/k8s/awoooi-prod/06-deployment-api.yaml
@@ -71,6 +71,10 @@ spec:
               mountPath: /app/ops/config/service-registry.yaml
               subPath: service-registry.yaml
               readOnly: true
+            # MCP Phase 2a (2026-04-11 Claude Sonnet 4.6): SSH MCP key
+            - name: ssh-mcp-key
+              mountPath: /etc/ssh-mcp
+              readOnly: true
           resources:
             requests:
               cpu: "200m"
@@ -129,6 +133,13 @@ spec:
         - name: service-registry
           configMap:
             name: service-registry
+        # MCP Phase 2a (2026-04-11 Claude Sonnet 4.6): SSH MCP key
+        # optional: true — SSH MCP 預設關閉，Secret 不存在時 Pod 不阻塞
+        - name: ssh-mcp-key
+          secret:
+            secretName: ssh-mcp-key
+            defaultMode: 0400
+            optional: true
 
 ---
 apiVersion: v1