From 6fa6cf1dc856c449c851a2daf76fc46b93c45c73 Mon Sep 17 00:00:00 2001
From: Paul Buetow <paul@buetow.org>
Date: Fri, 20 Mar 2026 12:31:01 +0200
Subject: task 298: pin SSH host keys per VM state

---
 snippets/hyperstack/README.md | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'snippets/hyperstack/README.md')

diff --git a/snippets/hyperstack/README.md b/snippets/hyperstack/README.md
index 6175d61..d2fdcca 100644
--- a/snippets/hyperstack/README.md
+++ b/snippets/hyperstack/README.md
@@ -131,6 +131,9 @@ Edit `hyperstack-vm.toml` to change defaults. Key sections:
 `["203.0.113.4/32"]` or `["auto"]`. `auto` resolves the current public operator IP at runtime;
 set `HYPERSTACK_OPERATOR_CIDR` to override that detection when needed.
 
+SSH host keys are pinned per state file in `<state>.known_hosts`. `delete` and `--replace`
+clear that trust file for intentional reprovisioning; unexpected host key changes now fail closed.
+
 ## Monitoring vLLM
 
 ```bash
-- 
cgit v1.2.3