diff --git a/.github/workflows/opentofu.yml b/.github/workflows/opentofu.yml
index 4328160..e7df3c8 100644
--- a/.github/workflows/opentofu.yml
+++ b/.github/workflows/opentofu.yml
@@ -24,8 +24,6 @@ on:
 type: string
 default: arn:aws:iam::332355796717:role/github-actions-sops-kms
 secrets:
- SOPS_AGE_KEY:
- required: false
 SSH_PRIVATE_KEY:
 required: false
 SSH_KNOWN_HOSTS:
@@ -39,8 +37,6 @@ permissions:
 jobs:
 test:
 runs-on: ${{ inputs.runs-on }}
- env:
- SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -75,8 +71,6 @@ jobs:
 runs-on: ${{ inputs.runs-on }}
 if: github.event_name == 'pull_request'
 needs: [test]
- env:
- SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -130,8 +124,6 @@ jobs:
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 needs: [test]
 environment: ${{ inputs.environment }}
- env:
- SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
 steps:
 - name: Checkout
 uses: actions/checkout@v4
diff --git a/AGENTS.md b/AGENTS.md
index d72ca41..d176db4 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -32,7 +32,7 @@ Reusable workflow for OpenTofu/Terraform root module repositories (`tfroot-*`).
 | `aws-region` | `us-west-2` | AWS region for SOPS KMS access |
 | `aws-role-to-assume` | `arn:aws:iam::332355796717:role/github-actions-sops-kms` | IAM role assumed via GitHub OIDC for SOPS KMS decrypt/encrypt |
-Caller workflows must grant `id-token: write` permissions for OIDC. `SOPS_AGE_KEY` is optional while SOPS files retain age recipients, but the preferred path is AWS KMS via OIDC.
+Caller workflows must grant `id-token: write` permissions for OIDC. SOPS decryption for `tfroot-*` repos uses AWS KMS via OIDC; do not pass `SOPS_AGE_KEY` to this workflow.
 There is no `container` input. The `arc-tf` runner pod IS the image, so adding `container:` on top would nest a container inside a container — don't do it.
diff --git a/README.md b/README.md
index 292ee95..ba8fac5 100644
--- a/README.md
+++ b/README.md
@@ -25,8 +25,6 @@ permissions:
 jobs:
 opentofu:
 uses: makeitworkcloud/shared-workflows/.github/workflows/opentofu.yml@main
- secrets:
- SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
 ```
 ## Available Workflows
@@ -44,7 +42,6 @@ See [images](https://github.com/makeitworkcloud/images) for container source and
 ## Repository Setup
 1. Grant `id-token: write` in the caller workflow so GitHub OIDC can assume the SOPS KMS role.
-2. Optionally add `SOPS_AGE_KEY` secret as an age fallback while SOPS files retain age recipients.
-3. Ensure the default `aws-role-to-assume` exists (`arn:aws:iam::332355796717:role/github-actions-sops-kms`) or pass another role ARN.
-4. Create caller workflow in `.github/workflows/`.
-5. Ensure repository has required files (e.g., `Makefile` with expected targets).
+2. Ensure the default `aws-role-to-assume` exists (`arn:aws:iam::332355796717:role/github-actions-sops-kms`) or pass another role ARN.
+3. Create caller workflow in `.github/workflows/`.
+4. Ensure repository has required files (e.g., `Makefile` with expected targets).