diff --git a/lib/env.sh b/lib/env.sh
index 97483bc..fb479ec 100755
--- a/lib/env.sh
+++ b/lib/env.sh
@@ -30,14 +30,8 @@ if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
  _saved_forge_url="${FORGE_URL:-}"
  _saved_forge_token="${FORGE_TOKEN:-}"
  # Use temp file + validate dotenv format before sourcing (avoids eval injection)
+ # SOPS -d automatically verifies MAC/GCM authentication tag during decryption
  _tmpenv=$(mktemp) || { echo "Error: failed to create temp file for .env.enc" >&2; exit 1; }
- # Verify SOPS metadata GCM ciphertext tag before decryption (integrity check)
- if ! sops verify "$FACTORY_ROOT/.env.enc" &>/dev/null; then
- echo "Error: SOPS verification failed — .env.enc integrity check failed, possible tampering" >&2
- rm -f "$_tmpenv"
- exit 1
- fi
- # Decrypt to temp file
  if ! sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" > "$_tmpenv" 2>/dev/null; then
  echo "Error: failed to decrypt .env.enc — decryption failed, possible corruption" >&2
  rm -f "$_tmpenv"
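Review bot: With the separate `sops verify` step gone, a MAC mismatch now surfaces only through the `sops -d` failure branch, whose stderr is discarded by `2>/dev/null` and whose message says "possible corruption", so the tampering case the removed code reported explicitly is no longer distinguishable from a missing key or a KMS/age access error. Capturing sops's diagnostics instead of dropping them keeps that signal without reintroducing the extra pass: `if ! _sops_err=$(sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" 2>&1 >"$_tmpenv"); then` followed by `echo "Error: failed to decrypt .env.enc — ${_sops_err}" >&2`. The new comment could also state the precondition it relies on, e.g. `# SOPS -d verifies the file MAC and each value's GCM tag; this holds only if --ignore-mac is never passed`, since the guarantee is conditional on how sops is invoked. The enclosing `if` block continues past the end of the hunk.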