lib/env.sh

@@ -30,8 +30,13 @@ if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
   _saved_forge_url="${FORGE_URL:-}"
   _saved_forge_token="${FORGE_TOKEN:-}"
   # Use temp file + validate dotenv format before sourcing (avoids eval injection)
-  _tmpenv=$(mktemp) || { echo "Warning: failed to create temp file for .env.enc" >&2; exit 1; }
-  if sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" > "$_tmpenv" 2>/dev/null; then
+  # SOPS -d automatically verifies MAC/GCM authentication tag during decryption
+  _tmpenv=$(mktemp) || { echo "Error: failed to create temp file for .env.enc" >&2; exit 1; }
+  if ! sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" > "$_tmpenv" 2>/dev/null; then
+    echo "Error: failed to decrypt .env.enc — decryption failed, possible corruption" >&2
+    rm -f "$_tmpenv"
+    exit 1
+  fi
   # Validate: non-empty, non-comment lines must match KEY=value pattern
   # Filter out blank lines and comments before validation
   _validated=$(grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$_tmpenv" 2>/dev/null || true)
@@ -43,10 +48,9 @@ if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
     source "$_validated_env"
     rm -f "$_validated_env"
   else
-      echo "Warning: .env.enc decryption output failed format validation" >&2
-    fi
-  else
-    echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2
+    echo "Error: .env.enc decryption output failed format validation" >&2
+    rm -f "$_tmpenv"
+    exit 1
   fi
   rm -f "$_tmpenv"
   set +a