Auto-clean stale SSH known_hosts entries in VPS bootstrap flow

- Remove existing host and host:port fingerprints before first password login test
- Prevent host key mismatch failures when reprovisioned VPS reuses the same IP or alias

bootstrap-vps-ssh.sh

@@ -15,6 +15,7 @@ set -euo pipefail
 
 SSH_CONFIG="${HOME}/.ssh/config"
 SSH_DIR="${HOME}/.ssh"
+KNOWN_HOSTS_FILE="${HOME}/.ssh/known_hosts"
 MARKER_BEGIN="# --- RUBIX-VPS-BEGIN"
 MARKER_END="# --- RUBIX-VPS-END"
 
@@ -161,6 +162,16 @@ test_key_login() {
   ssh_key "${user}" "echo ok" >/dev/null 2>&1
 }
 
+cleanup_known_host_entries() {
+  local host="$1"
+  local port="$2"
+  [[ -f "${KNOWN_HOSTS_FILE}" ]] || return 0
+
+  # Remove stale host keys so reinstalled/reprovisioned VPS can be reached without manual known_hosts edits.
+  ssh-keygen -f "${KNOWN_HOSTS_FILE}" -R "${host}" >/dev/null 2>&1 || true
+  ssh-keygen -f "${KNOWN_HOSTS_FILE}" -R "[${host}]:${port}" >/dev/null 2>&1 || true
+}
+
 remote_env() {
   printf 'DEPLOY_USER=%q KEEP_ROOT=%q INSTALL_ROOT_KEY=%q' \
     "${DEPLOY_USER}" "${KEEP_ROOT}" "${INSTALL_ROOT_KEY}"
@@ -437,6 +448,9 @@ main() {
     exit 1
   fi
 
+  echo "[rubix-vps] Cleaning stale known_hosts entries for ${VPS_HOST}:${VPS_PORT} ..."
+  cleanup_known_host_entries "${VPS_HOST}" "${VPS_PORT}"
+
   echo ""
   echo "[rubix-vps] Testing password login ..."
   ssh_password "${INITIAL_USER}@${VPS_HOST}" "echo connected && uname -a"