diff --git a/Makefile b/Makefile
index 8401cfb..cba90b9 100644
--- a/Makefile
+++ b/Makefile
@@ -44,6 +44,27 @@ custodian-key-show: ## Print the custodian agent public key
 	@test -f "$(CUSTODIAN_KEY).pub" || (echo "No key found at $(CUSTODIAN_KEY). Run: make custodian-keygen"; exit 1)
 	@cat "$(CUSTODIAN_KEY).pub"
 
+## Deploy the custodian agent key directly via SSH (no Ansible required).
+## Use when ansible is unavailable. Requires an existing admin key with SSH access.
+## Usage: make custodian-key-deploy ADMIN_KEY=~/.ssh/id_ops
+##        make custodian-key-deploy ADMIN_KEY=~/.ssh/id_ops HOST=192.168.1.50 SSHUSER=admin
+
+.PHONY: custodian-key-deploy
+custodian-key-deploy:
+	@test -n "$(ADMIN_KEY)" || (echo "ERROR: ADMIN_KEY is required. Usage: make custodian-key-deploy ADMIN_KEY=~/.ssh/id_ops"; exit 1)
+	@test -f "$(CUSTODIAN_KEY).pub" || (echo "ERROR: No custodian key found. Run: make custodian-keygen"; exit 1)
+	$(eval PUBKEY := $(shell cat $(CUSTODIAN_KEY).pub))
+	@echo "Deploying custodian agent key to $(RAILIANCE_USER)@$(RAILIANCE_HOST)..."
+	@ssh -i "$(ADMIN_KEY)" -o StrictHostKeyChecking=no \
+	  $(RAILIANCE_USER)@$(RAILIANCE_HOST) \
+	  "mkdir -p ~/.ssh && chmod 700 ~/.ssh && \
+	   echo '$(PUBKEY)' | grep -qF - ~/.ssh/authorized_keys 2>/dev/null || \
+	   echo '$(PUBKEY)' >> ~/.ssh/authorized_keys && \
+	   chmod 600 ~/.ssh/authorized_keys && \
+	   echo 'Key deployed. Verifying...' && \
+	   grep -c 'custodian-agent' ~/.ssh/authorized_keys | xargs -I{} echo '{} custodian-agent key(s) in authorized_keys'"
+	@echo "Done. Test with: make e2e-cron-list"
+
 ## Run e2e tests for a repo in a remote sandbox
 ## Usage: make e2e REPO=activity-core
 ## Requires: RAILIANCE01_HOST env var (or pass HOST=<ip>)