diff --git a/lib/env.sh b/lib/env.sh
index 29eb14c..d94c146 100755
--- a/lib/env.sh
+++ b/lib/env.sh
@@ -15,17 +15,22 @@ if [ "${DISINTO_CONTAINER:-}" = "1" ]; then
 mkdir -p "${DISINTO_DATA_DIR}"
 fi
-# Load secrets: prefer .env.enc (SOPS-encrypted), fall back to plaintext .env
-if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
- set -a
- eval "$(sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" 2>/dev/null)" \
- || echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2
- set +a
-elif [ -f "$FACTORY_ROOT/.env" ]; then
- set -a
- # shellcheck source=/dev/null
- source "$FACTORY_ROOT/.env"
- set +a
+# Load secrets: prefer .env.enc (SOPS-encrypted), fall back to plaintext .env.
+# Inside the container, compose already injects env vars via env_file + environment
+# overrides (e.g. FORGE_URL=http://forgejo:3000). Re-sourcing .env would clobber
+# those compose-level values, so we skip it when DISINTO_CONTAINER=1.
+if [ "${DISINTO_CONTAINER:-}" != "1" ]; then
+ if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
+ set -a
+ eval "$(sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" 2>/dev/null)" \
+ || echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2
+ set +a
+ elif [ -f "$FACTORY_ROOT/.env" ]; then
+ set -a
+ # shellcheck source=/dev/null
+ source "$FACTORY_ROOT/.env"
+ set +a
+ fi
 fi
 # PATH: foundry, node, system
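Review bot: The `|| echo "Warning: failed to decrypt .env.enc …"` fallback on the re-indented `eval` line cannot fire when `sops` fails. The command substitution then expands to an empty string, `eval ""` returns 0, and `2>/dev/null` hides the sops error, so a failed decryption leaves the secrets unset with no message. Test the decryption itself, and do it before `set -a` so the temporary is not exported: `dotenv="$(sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc")" || echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2`, then `eval "$dotenv"` between `set -a` and `set +a`. The new `DISINTO_CONTAINER` guard also skips the `.env.enc` branch, although the comment only argues against re-sourcing `.env`. The comment should state that compose is the only secrets source inside the container, which presumably means the values reach compose in plaintext through `env_file`.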