diff --git a/Makefile b/Makefile
index 97ca4c5..8401cfb 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,48 @@
 # the-custodian top-level Makefile
+#
+# Custodian agent SSH identity
+# ----------------------------
+# make custodian-keygen — generate ~/.ssh/id_custodian_agent (one-time)
+# and write the public key into railiance-infra
+# ansible/inventory/group_vars/all.yaml
+# make custodian-key-show — print the current public key (for manual ops)
+#
+# After keygen, run in railiance-infra:
+# make provision-custodian-agent (deploys the key to all managed hosts)
+#
+# The private key is NEVER committed. The public key is committed via railiance-infra.
+
+CUSTODIAN_KEY := $(HOME)/.ssh/id_custodian_agent
+RAILIANCE_INFRA := $(HOME)/railiance-infra
+AGENT_VARS_FILE := $(RAILIANCE_INFRA)/ansible/inventory/group_vars/all.yaml
+
+.PHONY: custodian-keygen
+custodian-keygen: ## Generate custodian agent SSH keypair (one-time setup)
+ @if [ -f "$(CUSTODIAN_KEY)" ]; then \
+ echo "Key already exists at $(CUSTODIAN_KEY). Remove it first to regenerate."; \
+ exit 1; \
+ fi
+ ssh-keygen -t ed25519 -f "$(CUSTODIAN_KEY)" -C "custodian-agent" -N ""
+ @echo ""
+ @echo "Public key:"
+ @cat "$(CUSTODIAN_KEY).pub"
+ @echo ""
+ @PUBKEY=$$(cat "$(CUSTODIAN_KEY).pub") && \
+ python3 -c "\
+import sys, re; \
+content = open('$(AGENT_VARS_FILE)').read(); \
+updated = re.sub(r'custodian_agent_pubkey:.*', 'custodian_agent_pubkey: \"' + sys.argv[1] + '\"', content); \
+open('$(AGENT_VARS_FILE)', 'w').write(updated); \
+print('Public key written to $(AGENT_VARS_FILE)')" "$$PUBKEY"
+ @echo ""
+ @echo "Next steps:"
+ @echo " 1. cd $(RAILIANCE_INFRA) && git add ansible/inventory/group_vars/all.yaml && git commit -m 'feat: add custodian agent public key'"
+ @echo " 2. cd $(RAILIANCE_INFRA) && make provision-custodian-agent"
+
+.PHONY: custodian-key-show
+custodian-key-show: ## Print the custodian agent public key
+ @test -f "$(CUSTODIAN_KEY).pub" || (echo "No key found at $(CUSTODIAN_KEY). 
Run: make custodian-keygen"; exit 1)
+ @cat "$(CUSTODIAN_KEY).pub"
 ## Run e2e tests for a repo in a remote sandbox
 ## Usage: make e2e REPO=activity-core
@@ -28,6 +72,8 @@ endif
 ifdef KEY
 E2E_KEY_FLAG := --key $(KEY)
+else ifneq ($(wildcard $(CUSTODIAN_KEY)),)
+ E2E_KEY_FLAG := --key $(CUSTODIAN_KEY)
 else
 E2E_KEY_FLAG :=
 endif
@@ -52,7 +98,10 @@ endif
 RAILIANCE_HOST := $(or $(HOST),$(RAILIANCE01_HOST),92.205.62.239)
 RAILIANCE_USER := $(or $(SSHUSER),$(RAILIANCE01_USER),tegwick)
-RAILIANCE_SSH := ssh -o StrictHostKeyChecking=no $(RAILIANCE_USER)@$(RAILIANCE_HOST)
+# Default SSH key: custodian agent identity (generated via make custodian-keygen)
+# Override with KEY=~/.ssh/other_key if needed
+RAILIANCE_KEY := $(or $(KEY),$(CUSTODIAN_KEY))
+RAILIANCE_SSH := ssh -i "$(RAILIANCE_KEY)" -o StrictHostKeyChecking=no $(RAILIANCE_USER)@$(RAILIANCE_HOST)
 .PHONY: e2e-cron-install
 e2e-cron-install:
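Review bot: The YAML update in custodian-keygen reports success even when `custodian_agent_pubkey:` is absent from all.yaml — `re.sub` returns the content unchanged, the file is rewritten anyway, and "Public key written to …" still prints, so a missing or renamed key would leave provision-custodian-agent with nothing to deploy. Use `re.subn` and fail on any count other than one, e.g. `updated, n = re.subn(r'custodian_agent_pubkey:.*', lambda m: 'custodian_agent_pubkey: \"' + sys.argv[1] + '\"', content); \` followed by `sys.exit('custodian_agent_pubkey not found in $(AGENT_VARS_FILE)') if n != 1 else None; \`; the lambda also stops `re.sub` from interpreting backslash escapes in the replacement, which an `ssh-ed25519 <base64> custodian-agent` line does not contain today but a different key comment could. Separately, `ssh-keygen … -N ""` produces a passphrase-less private key on the operator's disk; that is presumably deliberate for an unattended agent, but the header comment that promises the key is never committed should also state it, e.g. `# The private key is passphrase-less (unattended use) and protected only by ~/.ssh file modes; keep it off shared machines.`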
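Review bot: The rebuilt RAILIANCE_SSH line keeps `-o StrictHostKeyChecking=no` while now presenting the dedicated custodian key to whatever answers at the default IP literal, so an impersonating host cannot obtain the key but can accept the session, receive whatever the e2e and cron recipes send, and hand back attacker-chosen output for later targets to consume. Prefer `-o StrictHostKeyChecking=accept-new` (OpenSSH 7.6+), which records the host key on first contact and refuses a changed one afterwards, and add `-o IdentitiesOnly=yes` so only `$(RAILIANCE_KEY)` is offered rather than every key loaded in the agent: `RAILIANCE_SSH := ssh -i "$(RAILIANCE_KEY)" -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new $(RAILIANCE_USER)@$(RAILIANCE_HOST)`. Unlike E2E_KEY_FLAG in the hunk above, `-i` is passed unconditionally here, so before custodian-keygen has run ssh will warn about the missing identity file and fall back to other keys — presumably acceptable, but worth a one-line comment. The e2e-cron-install rule that uses this variable starts at the hunk's last line and its recipe is outside the hunk.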