diff --git a/test/.env.example b/test/.env.example
index ec7e5ad..a4364e5 100644
--- a/test/.env.example
+++ b/test/.env.example
@@ -1,19 +1,27 @@
-# --- Production / default target (main.ts) ---
+# Copy this template to one of:
+# .env — production target, loaded by main.ts
+# .env.sandbox — sandbox target, loaded by provisionSandbox.ts
+# Both are gitignored. Never commit real secret values.
+
+# --- Target ---
+# prod: https://erp.arcodange.lab (.env)
+# sandbox: https://erp-sandbox.arcodange.lab (.env.sandbox)
 DOLIBARR_ADDRESS=https://erp.arcodange.lab
-DOLI_DB_PASSWORD=
+
 DOLI_ADMIN_LOGIN=admin
 DOLI_ADMIN_PASSWORD=""
+DOLI_DB_PASSWORD=""
 ROOT_FOLDER=$HOME/erp
-# --- Sandbox provisioning (provisionSandbox.ts) ---
-# Point at the sandbox and reuse the DOLI_ADMIN_* vars above for the admin login.
-# Populate from the erp-sandbox namespace secrets (see "Provision the sandbox" in
-# README.md):
-# DOLI_ADMIN_PASSWORD <- secret `secretkv` (-n erp-sandbox)
-# DOLI_DB_PASSWORD <- secret `vso-db-credentials` (-n erp-sandbox)
-# Override DOLIBARR_ADDRESS to the sandbox when running provisionSandbox.ts:
-# DOLIBARR_ADDRESS=https://erp-sandbox.arcodange.lab
+# Populate the passwords from the cluster secrets, e.g. (prod shown):
+# DOLI_ADMIN_PASSWORD <- kubectl get secret secretkv -n erp -o jsonpath='{.data.DOLI_ADMIN_PASSWORD}' | base64 -d
+# DOLI_DB_PASSWORD <- kubectl get secret vso-db-credentials -n erp -o jsonpath='{.data.password}' | base64 -d
 #
-# Optional: fix the new user's password (otherwise one is generated and only the
-# API key is emitted). Never commit a real value here.
+# NOTE for a sandbox SEEDED from prod (ops/sandbox/sandbox-lifecycle.sh): the seed
+# clones prod's admin password into the sandbox, so .env.sandbox's
+# DOLI_ADMIN_PASSWORD must be PROD's admin password (-n erp), not the sandbox
+# secretkv. The DB password is the sandbox's own (-n erp-sandbox).
+
+# Optional: fix the provisioned user's password (else one is generated and only
+# the API key is emitted to .ai_agent_sandbox.key).
 # AI_AGENT_SANDBOX_PASSWORD=""
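Review bot: The NOTE for a seeded sandbox means `.env.sandbox` then holds prod's admin password, yet the template never says that this file must be handled as a production secret or that the admin password should be changed in the sandbox once seeding is done. I would add a line directly under the NOTE, for example `# .env.sandbox then contains a PROD credential: protect it like .env, or rotate the sandbox admin password after seeding.` The `kubectl ... | base64 -d` examples also print the decoded secret to the terminal, so a short hint to write it straight into the env file rather than leave it in scrollback or session logs would help.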
diff --git a/test/.gitignore b/test/.gitignore
index 6b33d05..3443b4e 100644
--- a/test/.gitignore
+++ b/test/.gitignore
@@ -1,5 +1,6 @@
-# Secrets — never commit. The root .gitignore already covers .env and *.key;
-# this is defense-in-depth for the provisioning POC.
-.env
+# Secrets — never commit. Covers .env (prod, main.ts) and .env.sandbox
+# (sandbox, provisionSandbox.ts), plus any generated *.key.
+.env*
+!.env.example
 .ai_agent_sandbox.key
 *.key
diff --git a/test/provisionSandbox.ts b/test/provisionSandbox.ts
index ef24327..7fd0261 100644
--- a/test/provisionSandbox.ts
+++ b/test/provisionSandbox.ts
@@ -1,4 +1,6 @@
-import "load_dotenv";
+import { loadSync } from "jsr:@std/dotenv";
+// Sandbox provisioning loads its OWN .env.sandbox; prod config stays in .env (main.ts).
+loadSync({ envPath: ".env.sandbox", export: true });
 import { chromium } from "playwright";
 import path from "node:path";
 import login from "./scripts/login.ts";
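Review bot: Nothing after the new `loadSync({ envPath: ".env.sandbox", export: true })` call in test/provisionSandbox.ts confirms that the sandbox settings are the ones actually in effect. The path is resolved against the working directory, and as far as I know `@std/dotenv` treats a missing file as empty and does not overwrite variables already set in the process, so a shell with the prod `DOLIBARR_ADDRESS` exported could make this script provision against prod. A guard right after the call would close that: `const target = Deno.env.get("DOLIBARR_ADDRESS");` followed by `if (!target || new URL(target).hostname !== "erp-sandbox.arcodange.lab") throw new Error("refusing to provision: DOLIBARR_ADDRESS is not the sandbox");`. Static imports are hoisted, so unlike the old side-effect `import "load_dotenv"` this call runs only after `./scripts/login.ts` has been evaluated; whether that module reads the environment at load time is not visible in this hunk, and if it does the load belongs in a small side-effect module imported first. The `jsr:@std/dotenv` specifier carries no version, so it should be pinned unless the lock file or import map already does that.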