feat(e2e): add custodian-key-deploy target (SSH fallback, no Ansible)

For environments where ansible-playbook is unavailable (e.g. WSL2 TLS
issue blocks install). Deploys id_custodian_agent.pub via direct SSH
using any existing admin key.

Usage: make custodian-key-deploy ADMIN_KEY=~/.ssh/id_ops

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Makefile

@@ -44,6 +44,27 @@ custodian-key-show: ## Print the custodian agent public key
 	@test -f "$(CUSTODIAN_KEY).pub" || (echo "No key found at $(CUSTODIAN_KEY). Run: make custodian-keygen"; exit 1)
 	@cat "$(CUSTODIAN_KEY).pub"
 
+## Deploy the custodian agent key directly via SSH (no Ansible required).
+## Use when ansible is unavailable. Requires an existing admin key with SSH access.
+## Usage: make custodian-key-deploy ADMIN_KEY=~/.ssh/id_ops
+##        make custodian-key-deploy ADMIN_KEY=~/.ssh/id_ops HOST=192.168.1.50 SSHUSER=admin
+
+.PHONY: custodian-key-deploy
+custodian-key-deploy:
+	@test -n "$(ADMIN_KEY)" || (echo "ERROR: ADMIN_KEY is required. Usage: make custodian-key-deploy ADMIN_KEY=~/.ssh/id_ops"; exit 1)
+	@test -f "$(CUSTODIAN_KEY).pub" || (echo "ERROR: No custodian key found. Run: make custodian-keygen"; exit 1)
+	$(eval PUBKEY := $(shell cat $(CUSTODIAN_KEY).pub))
+	@echo "Deploying custodian agent key to $(RAILIANCE_USER)@$(RAILIANCE_HOST)..."
+	@ssh -i "$(ADMIN_KEY)" -o StrictHostKeyChecking=no \
+	  $(RAILIANCE_USER)@$(RAILIANCE_HOST) \
+	  "mkdir -p ~/.ssh && chmod 700 ~/.ssh && \
+	   echo '$(PUBKEY)' | grep -qF - ~/.ssh/authorized_keys 2>/dev/null || \
+	   echo '$(PUBKEY)' >> ~/.ssh/authorized_keys && \
+	   chmod 600 ~/.ssh/authorized_keys && \
+	   echo 'Key deployed. Verifying...' && \
+	   grep -c 'custodian-agent' ~/.ssh/authorized_keys | xargs -I{} echo '{} custodian-agent key(s) in authorized_keys'"
+	@echo "Done. Test with: make e2e-cron-list"
+
 ## Run e2e tests for a repo in a remote sandbox
 ## Usage: make e2e REPO=activity-core
 ## Requires: RAILIANCE01_HOST env var (or pass HOST=<ip>)