When ssh-keyscan partially fails (e.g. one host is unreachable for a moment) the previous logic still considered the file non-empty, so it patched ssh-mcp-key/known_hosts with an incomplete set. asyncssh then rejected any SSH to the missing host with "Host key is not trusted", which routed every host disk-full / docker alert into the emergency escalation channel and spammed Telegram (today's regression for 110). Now we explicitly verify all four target IPs (110/120/121/188) appear in the scan output before patching. Missing any of them aborts the patch and keeps the previously-good secret untouched, plus logs the ssh-keyscan stderr to help debug intermittent network issues. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>