diff --git a/deploy/tests/test_deploy_artifacts.py b/deploy/tests/test_deploy_artifacts.py
index 38c3e9e..d870893 100644
--- a/deploy/tests/test_deploy_artifacts.py
+++ b/deploy/tests/test_deploy_artifacts.py
@@ -423,8 +423,14 @@ def test_deploy_script_has_safe_defaults_and_preserves_state() -> None:
     assert "for attempt in" in script
     assert "/opt/left4me/.venv" in script
     assert "visudo -cf /etc/sudoers.d/left4me" in script
-    assert "if [ ! -f /etc/left4me/web.env ]" in script
-    assert ". /etc/left4me/web.env\n" not in script
+    # Note: assertions about web.env's lifecycle (create-only-if-missing /
+    # never-sourced-from-deploy) used to live here. They became stale in
+    # commit caa8b83, which switched to "rewrite web.env every deploy with a
+    # machine-id-derived SECRET_KEY" and started sourcing web.env in the
+    # alembic + seed helper subprocesses. Removed entirely; current behavior
+    # is covered by `install -m 0640 ... /etc/left4me/web.env` which is
+    # checked indirectly via the SECRET_KEY rewrite + run_left4me_with_env
+    # plumbing below.
     assert "run_left4me_with_env" in script
     assert "LEFT4ME_ADMIN_USERNAME" in script
     assert "LEFT4ME_ADMIN_PASSWORD" in script