diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index 7b3315b9..fb10c118 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -261,6 +261,22 @@ jobs:
 echo "⚠️ GITEA_WEBHOOK_SECRET 未設定,Gitea Webhook 簽章驗證將在 prod 失效"
 fi
+ # 2026-04-06 Claude Code: Sprint 3 T2 — known_hosts Secret (Security Fix A1)
+ # 替換 StrictHostKeyChecking=no,讓 SSH 修復路徑使用已知主機指紋
+ ssh-keyscan -H 192.168.0.110 > /tmp/known_hosts_repair 2>/dev/null
+ ssh-keyscan -H 192.168.0.188 >> /tmp/known_hosts_repair 2>/dev/null
+ if [ -s /tmp/known_hosts_repair ]; then
+ sudo kubectl create secret generic awoooi-repair-known-hosts \
+ -n awoooi-prod \
+ --from-file=known_hosts=/tmp/known_hosts_repair \
+ --dry-run=client -o yaml | sudo kubectl apply -f - \
+ && echo "✅ awoooi-repair-known-hosts Secret 已建立/更新" \
+ || echo "⚠️ awoooi-repair-known-hosts Secret 建立失敗 (非致命)"
+ rm -f /tmp/known_hosts_repair
+ else
+ echo "⚠️ ssh-keyscan 掃描失敗,跳過 known_hosts Secret"
+ fi
+
 echo "✅ 所有 Secrets 注入完成"
 SECRETS
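Review bot: The `awoooi-repair-known-hosts` Secret is seeded from whatever key `ssh-keyscan` returns at deploy time, so the new lines are trust-on-first-use on every run rather than a pinned fingerprint — anyone who can answer for 192.168.0.110/.188 on the runner's network (the same position the removed `StrictHostKeyChecking=no` exposed) gets their key installed as the trusted host, which is weaker than the "Security Fix A1" comment suggests. Pin the expected fingerprints out-of-band (for example as one more CI secret next to the others in this heredoc) and only publish the scanned keys when `ssh-keygen -lf` agrees with them, failing loudly on a mismatch instead of taking the "非致命" path; note `ssh-keyscan` returns one line per key type, so either pin every type the hosts offer or restrict the scan with `-t`. Two smaller points on the same lines: `2>/dev/null` plus the `-s` test accepts a file where only one of the two hosts answered, so the Secret silently lacks that host while the log reports success, and `/tmp/known_hosts_repair` is a fixed path on a possibly shared runner — `mktemp` avoids a pre-planted file being merged into the Secret. The `SECRETS` heredoc and the step that runs it start before this hunk, so whether `$VAR` and `$(...)` expand inside it depends on how that heredoc is quoted; the sketch below assumes they do.
```shell
known_hosts_tmp=$(mktemp) || exit 1
ssh-keyscan -H 192.168.0.110 192.168.0.188 > "$known_hosts_tmp" 2>/dev/null
# REPAIR_HOST_FPS: expected SHA256 host-key fingerprints, pinned out-of-band (CI secret),
# space-separated. Reject the scan when a scanned key is not pinned (possible MITM on the scan).
if [ ! -s "$known_hosts_tmp" ]; then
  echo "⚠️ ssh-keyscan 掃描失敗,跳過 known_hosts Secret"; rm -f "$known_hosts_tmp"
else
  for fp in $(ssh-keygen -lf "$known_hosts_tmp" | awk '{print $2}'); do
    case " ${REPAIR_HOST_FPS:?REPAIR_HOST_FPS 未設定} " in
      *" $fp "*) ;;
      *) echo "❌ 主機指紋 $fp 不在固定清單中,中止"; rm -f "$known_hosts_tmp"; exit 1 ;;
    esac
  done
  # … unchanged: sudo kubectl create secret … --from-file=known_hosts="$known_hosts_tmp" … | sudo kubectl apply -f - …
  rm -f "$known_hosts_tmp"
fi
```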