When ssh-keyscan partially fails (e.g. one host is unreachable for a
moment) the previous logic still considered the file non-empty, so it
patched ssh-mcp-key/known_hosts with an incomplete set. asyncssh then
rejected any SSH to the missing host with "Host key is not trusted",
which routed every host disk-full / docker alert into the emergency
escalation channel and spammed Telegram (today's regression for 110).
Now we explicitly verify all four target IPs (110/120/121/188) appear
in the scan output before patching. Missing any of them aborts the
patch and keeps the previously-good secret untouched, plus logs the
ssh-keyscan stderr to help debug intermittent network issues.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>