diff --git a/lib/env.sh b/lib/env.sh
index a19939d..97483bc 100755
--- a/lib/env.sh
+++ b/lib/env.sh
@@ -32,7 +32,7 @@ if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
   # Use temp file + validate dotenv format before sourcing (avoids eval injection)
   _tmpenv=$(mktemp) || { echo "Error: failed to create temp file for .env.enc" >&2; exit 1; }
   # Verify SOPS metadata GCM ciphertext tag before decryption (integrity check)
-  if ! sops --verify "$FACTORY_ROOT/.env.enc" &>/dev/null; then
+  if ! sops verify "$FACTORY_ROOT/.env.enc" &>/dev/null; then
     echo "Error: SOPS verification failed — .env.enc integrity check failed, possible tampering" >&2
     rm -f "$_tmpenv"
     exit 1