diff --git a/build.sh b/build.sh
index 62e107f..3252e6b 100755
--- a/build.sh
+++ b/build.sh
@@ -512,6 +512,14 @@ check_release_gate() {
 _release_errors=$(( _release_errors + 1 ))
 fi
 
+ # A baked mother SSH private key must never reach a publicly hosted release
+ # image. Fail fast here so a release build aborts in seconds; the image
+ # assembly step also refuses to copy it, as defense in depth.
+ if [ -f "/home/clawdie/.ssh/osa-mother-2026" ]; then
+ echo "ERROR: mother SSH key present on build host (/home/clawdie/.ssh/osa-mother-2026) — refuse to bake it into a release image. Remove it, or build with BUILD_CHANNEL=dev."
+ _release_errors=$(( _release_errors + 1 ))
+ fi
+
 if [ "${_release_errors}" -gt 0 ]; then
 echo "ERROR: release build aborted — ${_release_errors} modified repo(s). Use BUILD_CHANNEL=dev for iteration builds."
 exit 1
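Review bot: The added gate in check_release_gate tests a single literal path, `/home/clawdie/.ssh/osa-mother-2026`, so a key that is rotated or renamed (the file name embeds a year) or that sits under a different build user's home would pass the gate without any message. If the image assembly step takes the key location from a variable, the gate should test that same value, for example `if [ -f "${MOTHER_KEY_PATH}" ]; then`, where `MOTHER_KEY_PATH` is a placeholder for whatever name the assembly step really uses; that step is not visible here, so this needs confirming against it. The context line after the new block still prints `${_release_errors} modified repo(s)`, which misdescribes an abort caused only by the key, so the summary wording should become neutral, e.g. `${_release_errors} release gate error(s)`. The function starts and ends outside this hunk.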