diff --git a/lib/env.sh b/lib/env.sh
index fb479ec..0c7a71b 100755
--- a/lib/env.sh
+++ b/lib/env.sh
@@ -30,27 +30,23 @@ if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
   _saved_forge_url="${FORGE_URL:-}"
   _saved_forge_token="${FORGE_TOKEN:-}"
   # Use temp file + validate dotenv format before sourcing (avoids eval injection)
-  # SOPS -d automatically verifies MAC/GCM authentication tag during decryption
-  _tmpenv=$(mktemp) || { echo "Error: failed to create temp file for .env.enc" >&2; exit 1; }
-  if ! sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" > "$_tmpenv" 2>/dev/null; then
-    echo "Error: failed to decrypt .env.enc — decryption failed, possible corruption" >&2
-    rm -f "$_tmpenv"
-    exit 1
-  fi
-  # Validate: non-empty, non-comment lines must match KEY=value pattern
-  # Filter out blank lines and comments before validation
-  _validated=$(grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$_tmpenv" 2>/dev/null || true)
-  if [ -n "$_validated" ]; then
-    # Write validated content to a second temp file and source it
-    _validated_env=$(mktemp)
-    printf '%s\n' "$_validated" > "$_validated_env"
-    # shellcheck source=/dev/null
-    source "$_validated_env"
-    rm -f "$_validated_env"
+  _tmpenv=$(mktemp) || { echo "Warning: failed to create temp file for .env.enc" >&2; exit 1; }
+  if sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" > "$_tmpenv" 2>/dev/null; then
+    # Validate: non-empty, non-comment lines must match KEY=value pattern
+    # Filter out blank lines and comments before validation
+    _validated=$(grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$_tmpenv" 2>/dev/null || true)
+    if [ -n "$_validated" ]; then
+      # Write validated content to a second temp file and source it
+      _validated_env=$(mktemp)
+      printf '%s\n' "$_validated" > "$_validated_env"
+      # shellcheck source=/dev/null
+      source "$_validated_env"
+      rm -f "$_validated_env"
+    else
+      echo "Warning: .env.enc decryption output failed format validation" >&2
+    fi
   else
-    echo "Error: .env.enc decryption output failed format validation" >&2
-    rm -f "$_tmpenv"
-    exit 1
+    echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2
   fi
   rm -f "$_tmpenv"
   set +a