From d24dbb083bb13e3103c960a1fed06fff77126f37 Mon Sep 17 00:00:00 2001 From: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com> Date: Wed, 3 Dec 2025 09:34:11 -0500 Subject: [PATCH] chore(docs): Add secrets scrubbing info Adds a note about how windsor scrubs secrets from outputs. Signed-off-by: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com> --- docs/security/secrets.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/security/secrets.md b/docs/security/secrets.md index 51af060ef..914f186e5 100644 --- a/docs/security/secrets.md +++ b/docs/security/secrets.md @@ -25,6 +25,24 @@ Windsor supports the `windsor env --decrypt` option, allowing you to decrypt sec MY_SECRET=******** ``` +### Automatic Secret Scrubbing + +Windsor automatically scrubs secrets from all command output to prevent accidental exposure. When secrets are retrieved from SOPS-encrypted files or 1Password vaults, they are automatically registered for scrubbing. Any command executed internally by Windsor (such as Terraform operations) will have its output automatically sanitized before being displayed. + +**What gets scrubbed:** + +- All commands executed internally by Windsor +- Standard output and error streams +- Returned command results +- Error messages that may contain secret values + +Any registered secret values appearing in command output are automatically replaced with `********` before being displayed. This helps prevent secrets from being accidentally exposed when: + +- Terraform commands output values or error messages containing secrets +- Commands pass secrets as arguments and those values appear in error output +- Debug or verbose output includes secret values +- Command output is logged or captured + ## Best Practices ### Limit Environment Injection
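Review bot: The new "Automatic Secret Scrubbing" section in the `docs/security/secrets.md` hunk should state the limits of the mechanism as plainly as it states the coverage, since the text itself makes scrubbing conditional on registration ("When secrets are retrieved from SOPS-encrypted files or 1Password vaults, they are automatically registered for scrubbing") while the opening sentence promises scrubbing of "all command output". A reader can take the first sentence as a guarantee. Suggest adding a short paragraph after the second list along the lines of: "Only values that Windsor itself loaded from SOPS or 1Password are registered; secrets that enter the environment by other means are not scrubbed, and a registered value is only replaced where it appears verbatim in the output." Also, the bullets under "What gets scrubbed" mix the places scrubbing applies ("All commands executed internally by Windsor", "Standard output and error streams") with content that is scrubbed; renaming that list "Where scrubbing applies" would make the two lists read consistently.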