diff --git a/bin/disinto b/bin/disinto
index d6b8c6e..5da58e1 100755
--- a/bin/disinto
+++ b/bin/disinto
@@ -2150,6 +2150,12 @@ disinto_secrets() {
 fi
 _secrets_ensure_sops
 encrypt_env_file "$vault_env_file" "$vault_enc_file"
+ # Verify decryption works before removing plaintext
+ if ! sops -d "$vault_enc_file" >/dev/null 2>&1; then
+ echo "Error: failed to verify .env.vault.enc decryption" >&2
+ rm -f "$vault_enc_file"
+ exit 1
+ fi
 rm -f "$vault_env_file"
 echo "Migrated: .env.vault -> .env.vault.enc (plaintext removed)"
 ;;
diff --git a/dev/dev-agent.sh b/dev/dev-agent.sh
index 21b913e..f4d06a6 100755
--- a/dev/dev-agent.sh
+++ b/dev/dev-agent.sh
@@ -455,9 +455,9 @@ Closing as already implemented."
 log "ERROR: no branch pushed after agent_run"
 # Dump diagnostics
- local diag_file="${DISINTO_LOG_DIR:-/tmp}/dev/agent-run-last.json"
+ diag_file="${DISINTO_LOG_DIR:-/tmp}/dev/agent-run-last.json"
 if [ -f "$diag_file" ]; then
- local result_text cost_usd num_turns
+ result_text=""; cost_usd=""; num_turns=""
 result_text=$(jq -r '.result // "no result field"' "$diag_file" 2>/dev/null | head -50) || result_text="(parse error)"
 cost_usd=$(jq -r '.cost_usd // "?"' "$diag_file" 2>/dev/null) || cost_usd="?"
 num_turns=$(jq -r '.num_turns // "?"' "$diag_file" 2>/dev/null) || num_turns="?"
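Review bot: In bin/disinto, the added check before `rm -f "$vault_env_file"` proves only that `sops -d` exits zero, not that the ciphertext decrypts to the plaintext about to be deleted, and `2>&1` discards the reason when it fails. Tying the removal to content would be stronger, for example `sops -d "$vault_enc_file" | cmp -s - "$vault_env_file"`, provided the format used by encrypt_env_file round-trips byte-for-byte, which is not visible in this hunk. Letting sops' stderr through (keep `>/dev/null`, drop `2>&1`) and stating in the error message that `.env.vault` was kept would make a failed migration diagnosable. The body of disinto_secrets starts and ends outside the hunk.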
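Review bot: In dev/dev-agent.sh, `diag_file` still falls back to `/tmp/dev/agent-run-last.json` when DISINTO_LOG_DIR is unset, a predictable path under a world-writable directory that another local user could pre-create, and its `.result` text is then read into `result_text` (presumably for logging; the use is outside the hunk). Requiring the file to belong to the running user, `if [ -f "$diag_file" ] && [ -O "$diag_file" ]; then`, or skipping the dump when DISINTO_LOG_DIR is unset, would avoid trusting that content. With `local` dropped the three names become script-wide globals, and the `result_text=""; cost_usd=""; num_turns=""` line is redundant because each variable is assigned with its own fallback on the following three lines. The `if` block closes outside the hunk.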