diff --git a/.woodpecker.yml b/.woodpecker.yml
index 8cace5d..59a03d4 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -6,14 +6,18 @@ steps:
       - |
         set -eu
         mkdir -p ~/.ssh
-        gcloud secrets versions access latest --secret="KNOWN_HOSTS_B64" --project="aptivaai-dev" | base64 -d > ~/.ssh/known_hosts
+
+        # 🔐 Pull and decode known_hosts (raw in Secret Manager)
+        gcloud secrets versions access latest \
+          --secret="STAGING_KNOWN_HOSTS" \
+          --project="aptivaai-dev" | base64 -d > ~/.ssh/known_hosts
         chmod 644 ~/.ssh/known_hosts
-        gcloud secrets versions access latest --secret="STAGING_SSH_KEY_B64" --project="aptivaai-dev" | base64 -d > ~/.ssh/id_ed25519
+
+        # 🔐 Pull and decode SSH key (also raw in Secret Manager)
+        gcloud secrets versions access latest \
+          --secret="STAGING_SSH_KEY" \
+          --project="aptivaai-dev" | base64 -d > ~/.ssh/id_ed25519
         chmod 600 ~/.ssh/id_ed25519
-        ssh -i ~/.ssh/id_ed25519 -o StrictHostKeyChecking=yes jcoakley@10.128.0.12 <<EOF
-          set -eu
-          cd /opt/aptiva-staging-app
-          IMG_TAG=$(echo "$CI_COMMIT_SHA" | head -c 8)
-          IMG_TAG=$IMG_TAG docker compose pull
-          IMG_TAG=$IMG_TAG docker compose up -d --force-recreate --remove-orphans
-        EOF
+
+        # ✅ Sanity check: SSH handshake only
+        ssh -i ~/.ssh/id_ed25519 -o StrictHostKeyChecking=yes jcoakley@10.128.0.12 hostname