diff --git a/CHANGELOG.md b/CHANGELOG.md
index 40bdede..898c179 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.9.1] - 2025-01-25
+
+### Fixed
+- Add error checking for base64 decode operations in VM provisioning
+- Add `set -e` to VM bootstrap script for early failure detection
+
 ## [0.9.0] - 2025-01-25
 
 ### Security
diff --git a/setup_env.sh b/setup_env.sh
index 72f9479..74101c1 100755
--- a/setup_env.sh
+++ b/setup_env.sh
@@ -479,9 +479,10 @@ if [[ "$(uname -s)" == "Darwin" ]]; then
     # Security: All user-controlled values are base64-encoded before passing to VM
     # The decode script sets SKIP_* env vars from the safe SKIP_LIST
     orb run -m "$VM_NAME" bash -c "
-        export GIT_NAME=\$(echo '$GIT_NAME_B64' | base64 -d)
-        export GIT_EMAIL=\$(echo '$GIT_EMAIL_B64' | base64 -d)
-        export VNC_PASSWORD=\$(echo '$VNC_PASSWORD_B64' | base64 -d)
+        set -e
+        export GIT_NAME=\$(echo '$GIT_NAME_B64' | base64 -d) || { echo 'Failed to decode GIT_NAME'; exit 1; }
+        export GIT_EMAIL=\$(echo '$GIT_EMAIL_B64' | base64 -d) || { echo 'Failed to decode GIT_EMAIL'; exit 1; }
+        export VNC_PASSWORD=\$(echo '$VNC_PASSWORD_B64' | base64 -d) || { echo 'Failed to decode VNC_PASSWORD'; exit 1; }
         for comp in \$(echo '$SKIP_LIST_B64' | base64 -d); do
             upper=\$(echo \"\$comp\" | tr '[:lower:]' '[:upper:]')
             export \"SKIP_\${upper}=1\"