diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 2ebb52b..0ead5d4 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -1,22 +1,11 @@
-name: Deploy (stellaamor)
-
-on:
-  push:
-    branches: [ "main" ]
-
 jobs:
   deploy:
-    runs-on: [ mainhost, docker ]
-    concurrency:
-      group: deploy-stellaamor
-      cancel-in-progress: false
-
+    runs-on: [ mainhost ] # keep your labels as-is
     env:
       SSH_HOST: ${{ secrets.SSH_HOST }}
       SSH_USER: ${{ secrets.SSH_USER }}
-      SSH_KEY: ${{ secrets.SSH_KEY }}
-      SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
-
+      SSH_KEY_PATH: /home/gitea-runner/.ssh/deploy_stellaamor
+      SSH_OPTS: "-o ServerAliveInterval=15 -o ServerAliveCountMax=3 -o ConnectTimeout=20 -o StrictHostKeyChecking=no"
       APP_ROOT: /var/www/stellaamor
       UPLOADS_DIR: uploads
       KEEP_N: "5"
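Review bot: `SSH_OPTS` hardcodes `-o StrictHostKeyChecking=no`, which turns off host-key verification for every ssh/scp in this job, so anything that can answer for `SSH_HOST` on the network path receives the deploy tarball and the sudo commands the runner sends as `${SSH_USER}`; the removed step at least pinned the host whenever `SSH_KNOWN_HOSTS` was provided. Since the private key now lives on the runner at `SSH_KEY_PATH`, the matching host key can be provisioned there as well: `SSH_OPTS: "-o ServerAliveInterval=15 -o ServerAliveCountMax=3 -o ConnectTimeout=20 -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/home/gitea-runner/.ssh/known_hosts"` (or `accept-new` if trust-on-first-use is acceptable). The hunk also drops `name:`, the `on: push` trigger and the `concurrency` group, so unless the trigger is defined elsewhere the workflow no longer runs on push, and two overlapping runs can race on the `current` symlink; restoring `on:` and `concurrency: { group: deploy-stellaamor, cancel-in-progress: false }` looks intended.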
@@ -31,92 +20,44 @@ jobs:
           git fetch --depth=1 origin "$GITHUB_SHA"
           git checkout -q "$GITHUB_SHA"
-      # Build only if package.json exists — run Node inside a throwaway container
-      - name: Build frontend (if present)
-        if: hashFiles('package.json') != ''
-        run: |
-          docker run --rm -v "$PWD:/app" -w /app node:20 bash -lc "
-            npm ci
-            npm run build
-          "
-
-      - name: Prepare release tarball
-        run: |
-          set -euo pipefail
-          REL="$(date -u +%Y%m%d-%H%M%SZ)-${{ github.sha }}"
-          echo "REL=$REL" >> $GITHUB_ENV
-
-          UPLOADS="${{ env.UPLOADS_DIR }}"
-          OUT="/tmp/${REL}.tar.gz"
-
-          # create tar OUTSIDE the repo dir, then move it into ./release
-          tar -czf "$OUT" \
-            --exclude-vcs \
-            --exclude='./node_modules' \
-            --exclude="./${UPLOADS}" \
-            --exclude='./release' \
-            .
-
-          mkdir -p release
-          mv "$OUT" "release/${REL}.tar.gz"
-
-      - name: Write SSH key
-        run: |
-          set -eu
-          install -d -m 700 ~/.ssh
-          printf '%s\n' "${SSH_KEY}" > ~/.ssh/id_ed25519
-          sed -i 's/\r$//' ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-          if [ -n "${SSH_KNOWN_HOSTS}" ]; then
-            printf '%s\n' "${SSH_KNOWN_HOSTS}" > ~/.ssh/known_hosts
-            chmod 644 ~/.ssh/known_hosts
-          else
-            printf 'StrictHostKeyChecking no\n' >> ~/.ssh/config
-          fi
+      # (no Write SSH key step — removed)
       - name: Upload & activate atomically
         run: |
           set -euo pipefail
-          REL="${{ env.REL }}"
-          TAR="release/${REL}.tar.gz"
+          REL="$(date -u +%Y%m%d-%H%M%SZ)-${{ github.sha }}"
+          echo "REL=$REL" >> $GITHUB_ENV
+          TAR="/tmp/${REL}.tar.gz"
           APP="${{ env.APP_ROOT }}"
           SHARED="${APP}/shared"
           RELEASES="${APP}/releases"
           CUR="${APP}/current"
           UPLOADS="${{ env.UPLOADS_DIR }}"
-          # ensure layout exists
-          ssh -i ~/.ssh/id_ed25519 ${SSH_USER}@${SSH_HOST} "
-            set -e
-            sudo install -d -o ${SSH_USER} -g ${SSH_USER} -m 755 ${RELEASES} ${SHARED} ${SHARED}/${UPLOADS}
-          "
+          # build tar outside repo dir then move (avoid tar reading its own output)
+          tar -czf "$TAR" --exclude-vcs --exclude='./node_modules' --exclude="./${UPLOADS}" --exclude='./release' .
+          mkdir -p release && mv "$TAR" "release/${REL}.tar.gz"
-          # upload tar
-          scp -i ~/.ssh/id_ed25519 ${TAR} ${SSH_USER}@${SSH_HOST}:/tmp/${REL}.tar.gz
+          # ensure layout
+          ssh $SSH_OPTS -i "$SSH_KEY_PATH" ${SSH_USER}@${SSH_HOST} \
+            "set -e; sudo install -d -o ${SSH_USER} -g ${SSH_USER} -m 755 ${RELEASES} ${SHARED} ${SHARED}/${UPLOADS}"
-          # unpack, link shared, flip symlink, reload, health check, prune
-          ssh -i ~/.ssh/id_ed25519 ${SSH_USER}@${SSH_HOST} '
+          # upload (verbose)
+          scp $SSH_OPTS -vvv -i "$SSH_KEY_PATH" "release/${REL}.tar.gz" ${SSH_USER}@${SSH_HOST}:/tmp/${REL}.tar.gz
+
+          # unpack/switch/reload/health/prune
+          ssh $SSH_OPTS -i "$SSH_KEY_PATH" ${SSH_USER}@${SSH_HOST} '
             set -euo pipefail
             REL="'${REL}'"; APP="'${APP}'"; SHARED="'${SHARED}'"; RELEASES="'${RELEASES}'"; CUR="'${CUR}'"; UPLOADS="'${UPLOADS}'";
-
             NEW="${RELEASES}/${REL}"
             mkdir -p "${NEW}"
-            tar -xzf "/tmp/${REL}.tar.gz" -C "${NEW}"
-            rm -f "/tmp/${REL}.tar.gz"
-
-            rm -rf "${NEW}/${UPLOADS}"
-            ln -s "${SHARED}/${UPLOADS}" "${NEW}/${UPLOADS}"
-
-            if [ -f "${SHARED}/.env" ]; then ln -sf "${SHARED}/.env" "${NEW}/.env"; fi
-
+            tar -xzf "/tmp/${REL}.tar.gz" -C "${NEW}" && rm -f "/tmp/${REL}.tar.gz"
+            rm -rf "${NEW}/${UPLOADS}" && ln -s "${SHARED}/${UPLOADS}" "${NEW}/${UPLOADS}"
+            [ -f "${SHARED}/.env" ] && ln -sf "${SHARED}/.env" "${NEW}/.env" || true
             printf "sha=%s\nbuilt_at=%s\n" "'${{ github.sha }}'" "$(date -u +%FT%TZ)" > "${NEW}/RELEASE"
-
             PREV="$(readlink -f "${CUR}" || true)"
             ln -sfn "${NEW}" "${CUR}"
-
             '"${{ env.SERVICE_RELOAD }}"' >/dev/null 2>&1 || true
-
             if command -v curl >/dev/null 2>&1; then
               curl -fsS --max-time 5 "'"${{ env.HEALTH_URL }}"'" >/dev/null || {
                 echo "Health check failed, rolling back..."
@@ -124,7 +65,5 @@ jobs:
                 exit 1
               }
             fi
-
-            cd "${RELEASES}"
-            ls -1tr | head -n -'${{ env.KEEP_N }}' | xargs -r -I{} rm -rf "{}"
+            cd "${RELEASES}" && ls -1tr | head -n -'${{ env.KEEP_N }}' | xargs -r -I{} rm -rf "{}"
             '
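Review bot: The new `scp $SSH_OPTS -vvv …` line writes debug-level SSH output (identity file path, host-key fingerprints, cipher and auth negotiation, the remote command) into the job log on every deploy, where Gitea retains it for anyone who can read runs; drop `-vvv`, or gate it behind an explicit debug flag rather than committing it. The tarball is also now created at the predictable `/tmp/${REL}.tar.gz` on the self-hosted runner (UTC timestamp plus commit SHA) and only then moved, so on a shared host another local user can pre-create that path, or a symlink there, before `tar -czf` truncates it; `TAR="$(mktemp -d)/${REL}.tar.gz"` keeps the write inside a private directory. The `Upload & activate atomically` step continues past the end of this hunk.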