diff --git a/src/docker-manager.ts b/src/docker-manager.ts
index 22f517ea..c37f0297 100644
--- a/src/docker-manager.ts
+++ b/src/docker-manager.ts
@@ -718,17 +718,22 @@ export function generateDockerCompose(
 dns_search: [], // Disable DNS search domains to prevent embedded DNS fallback
 volumes: agentVolumes,
 environment,
- // Hide /tmp/gh-aw/mcp-logs directory using tmpfs (empty in-memory filesystem)
- // This prevents the agent from accessing MCP server logs while still allowing
- // the host to write logs to /tmp/gh-aw/mcp-logs/ (e.g., /tmp/gh-aw/mcp-logs/safeoutputs/)
- // For normal mode: hide /tmp/gh-aw/mcp-logs
- // For chroot mode: hide both /tmp/gh-aw/mcp-logs and /host/tmp/gh-aw/mcp-logs
+ // Hide /tmp/gh-aw/mcp-logs and /tmp/gh-aw/mcp-config directories using tmpfs
+ // (empty in-memory filesystems) to prevent the agent from accessing MCP server
+ // logs and configuration (which may contain tokens/credentials).
+ // For normal mode: hide /tmp/gh-aw/mcp-logs and /tmp/gh-aw/mcp-config
+ // For chroot mode: hide both paths and their /host/ equivalents
 tmpfs: config.enableChroot
 ? [
 '/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m',
 '/host/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m',
+ '/tmp/gh-aw/mcp-config:rw,noexec,nosuid,size=1m',
+ '/host/tmp/gh-aw/mcp-config:rw,noexec,nosuid,size=1m',
 ]
- : ['/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m'],
+ : [
+ '/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m',
+ '/tmp/gh-aw/mcp-config:rw,noexec,nosuid,size=1m',
+ ],
 depends_on: {
 'squid-proxy': {
 condition: 'service_healthy',
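Review bot: The tmpfs overlay on `/tmp/gh-aw/mcp-config` (and its `/host` twin in chroot mode) hides that one mount point only, so the new comment's claim that this keeps tokens/credentials away from the agent holds only if the same data is not reachable by another route — a second bind mount of the same host directory in `agentVolumes`, or the credentials also being handed to the container through `environment`; both are defined outside this hunk, so I cannot confirm either way, but the comment should state that assumption rather than imply the overlay is sufficient on its own, e.g. `// NOTE: this hides the path, not the data — mcp-config must not be reachable via any other mount or via the environment`. The overlays are also `rw`, so the agent can write into them, and any process inside the container that expects to read its MCP configuration from `/tmp/gh-aw/mcp-config` will now see an empty directory — worth a test that the agent container still starts and its MCP servers still connect in both modes. Separately, the four hard-coded entries now repeat the mount options and the `/host` prefix in two branches, which is how the two modes drift apart; deriving both from one list of hidden directories, as below, keeps them in lockstep. `generateDockerCompose` starts and ends outside this hunk.
```typescript
      environment,
      // Hide MCP logs and config from the agent with empty tmpfs overlays; in
      // chroot mode the same paths are hidden under /host as well. This hides
      // the mount point only — the same data must not be reachable through any
      // other mount or through the environment.
      tmpfs: ['/tmp/gh-aw/mcp-logs', '/tmp/gh-aw/mcp-config'].flatMap((dir) => {
        const mount = `${dir}:rw,noexec,nosuid,size=1m`;
        return config.enableChroot ? [mount, `/host${mount}`] : [mount];
      }),
      // … unchanged: depends_on …
```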