fix: Address review feedback on SOPS integration (#613)

- Warn on stderr when .env.enc decryption fails instead of silent || true
- Guard ensure_age_key() against empty age-keygen -y output
- Fix stale comment on write_secrets_encrypted()

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

bin/disinto

@@ -72,6 +72,7 @@ ensure_age_key() {
 
   if [ -f "$key_file" ]; then
     AGE_PUBLIC_KEY="$(age-keygen -y "$key_file" 2>/dev/null)"
+    [ -n "$AGE_PUBLIC_KEY" ] || return 1
     export AGE_PUBLIC_KEY
     return 0
   fi
@@ -84,6 +85,7 @@ ensure_age_key() {
   age-keygen -o "$key_file" 2>/dev/null
   chmod 600 "$key_file"
   AGE_PUBLIC_KEY="$(age-keygen -y "$key_file" 2>/dev/null)"
+  [ -n "$AGE_PUBLIC_KEY" ] || return 1
   export AGE_PUBLIC_KEY
   echo "Generated age key: ${key_file}"
 }
@@ -106,7 +108,6 @@ encrypt_env_file() {
 }
 
 # Store secrets into .env.enc (encrypted) if SOPS + age available, else .env (plaintext).
-# Reads existing .env, updates/adds vars, writes back.
 write_secrets_encrypted() {
   local env_file="${FACTORY_ROOT}/.env"
   local enc_file="${FACTORY_ROOT}/.env.enc"

lib/env.sh

@@ -10,7 +10,8 @@ FACTORY_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 # Load secrets: prefer .env.enc (SOPS-encrypted), fall back to plaintext .env
 if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
   set -a
-  eval "$(sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" 2>/dev/null)" || true
+  eval "$(sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" 2>/dev/null)" \
+    || echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2
   set +a
 elif [ -f "$FACTORY_ROOT/.env" ]; then
   set -a