ci(cd): CD 自動建立 awoooi-repair-known-hosts Secret (Sprint 3 T2 閉環)

每次部署時 ssh-keyscan .110/.188 並 kubectl apply secret
替換 StrictHostKeyChecking=no — Security Fix A1

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/cd.yaml

@@ -261,6 +261,22 @@ jobs:
             echo "⚠️ GITEA_WEBHOOK_SECRET 未設定，Gitea Webhook 簽章驗證將在 prod 失效"
           fi
 
+          # 2026-04-06 Claude Code: Sprint 3 T2 — known_hosts Secret (Security Fix A1)
+          # 替換 StrictHostKeyChecking=no，讓 SSH 修復路徑使用已知主機指紋
+          ssh-keyscan -H 192.168.0.110 > /tmp/known_hosts_repair 2>/dev/null
+          ssh-keyscan -H 192.168.0.188 >> /tmp/known_hosts_repair 2>/dev/null
+          if [ -s /tmp/known_hosts_repair ]; then
+            sudo kubectl create secret generic awoooi-repair-known-hosts \
+              -n awoooi-prod \
+              --from-file=known_hosts=/tmp/known_hosts_repair \
+              --dry-run=client -o yaml | sudo kubectl apply -f - \
+              && echo "✅ awoooi-repair-known-hosts Secret 已建立/更新" \
+              || echo "⚠️ awoooi-repair-known-hosts Secret 建立失敗 (非致命)"
+            rm -f /tmp/known_hosts_repair
+          else
+            echo "⚠️ ssh-keyscan 掃描失敗，跳過 known_hosts Secret"
+          fi
+
           echo "✅ 所有 Secrets 注入完成"
           SECRETS