diff --git a/playbooks/test_config.yml b/playbooks/test_config.yml
index b619392..1aa73e8 100644
--- a/playbooks/test_config.yml
+++ b/playbooks/test_config.yml
@@ -113,8 +113,43 @@
 expected_stacks:
 - { name: traefik, dir: /opt/traefik }
 - { name: app_core, dir: /opt/app }
+ - { name: forgejo_runner, dir: /opt/forgejo-runner }
 when: is_web_host
 
+ - name: Check minimal infra-controller directories exist on services host
+ stat:
+ path: "{{ item }}"
+ register: infra_dirs
+ loop:
+ - /var/run/active-apps
+ - /var/lib/infra-controller
+ changed_when: false
+ when: is_services_host
+
+ - name: Fail if any minimal infra-controller directory is missing on services host
+ assert:
+ that:
+ - item.stat.exists
+ - item.stat.isdir
+ fail_msg: "Missing required directory on services host: {{ item.item }}. This typically means the services playbook has not been applied yet. Run ./setup.sh (or ansible-playbook playbooks/services.yml) and re-run this test."
+ loop: "{{ infra_dirs.results | default([]) }}"
+ when: is_services_host
+
+ - name: Read deployer authorized_keys on services host
+ slurp:
+ src: /home/deployer/.ssh/authorized_keys
+ register: deployer_authorized_keys
+ changed_when: false
+ when: is_services_host
+
+ - name: Fail if deployer authorized_keys is missing forced-command restrictions
+ assert:
+ that:
+ - (deployer_authorized_keys.content | b64decode) is search('command="/usr/local/sbin/infra-register-stdin"')
+ - (deployer_authorized_keys.content | b64decode) is search('command="/usr/local/sbin/infra-deregister"')
+ fail_msg: "deployer authorized_keys does not include forced-command keys for infra-register-stdin/infra-deregister"
+ when: is_services_host
+
 - name: Check that expected compose directories exist
 stat:
 path: "{{ item.dir }}/docker-compose.yml"
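Review bot: The two `search` assertions in the last added task only prove that some line of `/home/deployer/.ssh/authorized_keys` contains each forced-command string, so a file that also holds a key with no `command=` option, or that carries the string only in a commented-out line, still passes. Because the task is named as a check for missing forced-command restrictions, it should assert per key: loop over the decoded file's non-empty, non-comment lines and require each one to match one of the two `command=` options, as sketched below. A forced command by itself does not turn off port or agent forwarding, so if the services playbook also writes `restrict` (or `no-port-forwarding`, `no-pty`) on these keys, that is worth asserting too; the key options are not visible in this hunk.

```yaml
    # … unchanged: "Read deployer authorized_keys on services host" slurp task and the existing two-string assert …

    - name: Fail if any deployer key lacks a forced command
      assert:
        that:
          - item is search('command="/usr/local/sbin/infra-(register-stdin|deregister)"')
        fail_msg: "deployer authorized_keys contains a key without an infra-register-stdin/infra-deregister forced command"
      loop: "{{ (deployer_authorized_keys.content | b64decode).splitlines() | map('trim') | reject('match', '^(#|$)') | list }}"
      when: is_services_host
```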