diff --git a/scripts/deploy-k8s.sh b/scripts/deploy-k8s.sh
index 40da9d4..e41efad 100755
--- a/scripts/deploy-k8s.sh
+++ b/scripts/deploy-k8s.sh
@@ -44,6 +44,11 @@ REG_PUBLIC="mysources.co.uk"          # what k8s pulls from (same backend)
 # Deployments avoids that provider entirely.
 MCPD_URN='urn:pulumi:homelab::k8s-deployments::kubernetes:core/v1:Namespace$kubernetes:apps/v1:Deployment::mcpd'
 MCPLOCAL_URN='urn:pulumi:homelab::k8s-deployments::kubernetes:core/v1:Namespace$kubernetes:apps/v1:Deployment::mcplocal'
+# Prior kubectl-based deploys (old fulldeploy.sh) took server-side-apply
+# ownership of the Deployment .image field under the `kubectl-set` field
+# manager, which makes a plain pulumi apply conflict. Force-apply lets Pulumi
+# reclaim the field and become the single source of truth going forward.
+export PULUMI_K8S_ENABLE_PATCH_FORCE=true
 BACKUP_DIR="$HOME/tmp/mcpctl-backup"
 DATE="$(date +%Y%m%d-%H%M%S)"
 
diff --git a/src/mcplocal/tests/smoke/passwd.smoke.test.ts b/src/mcplocal/tests/smoke/passwd.smoke.test.ts
index f6ce344..dab1a5d 100644
--- a/src/mcplocal/tests/smoke/passwd.smoke.test.ts
+++ b/src/mcplocal/tests/smoke/passwd.smoke.test.ts
@@ -62,10 +62,14 @@ async function healthz(): Promise<boolean> {
 }
 
 function adminToken(): string | undefined {
-  try {
-    const raw = readFileSync(join(homedir(), '.config', 'mcpctl', 'credentials'), 'utf-8');
-    return (JSON.parse(raw) as { token?: string }).token;
-  } catch { return undefined; }
+  // The CLI stores credentials at ~/.mcpctl/credentials (see config/loader.ts).
+  for (const p of [join(homedir(), '.mcpctl', 'credentials'), join(homedir(), '.config', 'mcpctl', 'credentials')]) {
+    try {
+      const tok = (JSON.parse(readFileSync(p, 'utf-8')) as { token?: string }).token;
+      if (tok) return tok;
+    } catch { /* try next */ }
+  }
+  return undefined;
 }
 
 async function login(email: string, password: string): Promise<Resp> {