diff --git a/.woodpecker/prod.yml b/.woodpecker/prod.yml
index 084a4db..96cca23 100644
--- a/.woodpecker/prod.yml
+++ b/.woodpecker/prod.yml
@@ -103,10 +103,6 @@ steps:
 
         PROD_SSH_TARGET="$(gcloud secrets versions access latest --secret=PROD_SSH_TARGET --project=aptivaai-dev)"
 
-        # single source of truth for deploy as well
-        IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
- 
-
         echo "🔑 SSH prerequisites installed"
 
         # ── SSH into PROD and deploy (NO DEK SYNC) ────────────────────────
@@ -118,11 +114,7 @@ steps:
           'set -euo pipefail; \
             PROJECT=aptivaai-prod; \
             ENV=prod; \
-            export IMG_TAG='"$IMG_TAG"'; \
-            # sanity: ensure prod SM matches the single source (dev) before pull
-            prod_val=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT); \
-            [ "$prod_val" = "$IMG_TAG" ] || { echo "❌ Prod SM IMG_TAG ($prod_val) != dev IMG_TAG ($IMG_TAG)"; exit 1; }; \
-            \
+            IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"; export IMG_TAG; \
             # Pull all runtime secrets from aptivaai-prod
             JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); export JWT_SECRET; \
             OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project=$PROJECT); export OPENAI_API_KEY; \