diff --git a/AGENTS.md b/AGENTS.md index 2e74e23e..ed40b6f2 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -217,7 +217,8 @@ The codebase follows a modular architecture with clear separation of concerns: **Agent Execution Container** (`containers/agent/`) - Based on `ubuntu:22.04` with iptables, curl, git, nodejs, npm -- Mounts entire host filesystem at `/host` and user home directory for full access +- **Default (Selective Mounting):** Mounts only user home directory and essential directories. Credentials are explicitly hidden via `/dev/null` mounts (see `docs/selective-mounting.md`) +- **With `--allow-full-filesystem-access`:** Mounts entire host filesystem at `/host` with read-write access (disables credential protection) - `NET_ADMIN` capability required for iptables setup during initialization - **Security:** `NET_ADMIN` is dropped via `capsh --drop=cap_net_admin` before executing user commands, preventing malicious code from modifying iptables rules - Two-stage entrypoint: diff --git a/README.md b/README.md index f3d29b37..7049b2a5 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,7 @@ The `--` separator divides firewall options from the command to run. - [Environment variables](docs/environment.md) — passing environment variables to containers - [Logging quick reference](docs/logging_quickref.md) and [Squid log filtering](docs/squid_log_filtering.md) — view and filter traffic - [Security model](docs/security.md) — what the firewall protects and how +- [Selective mounting](docs/selective-mounting.md) — credential protection and filesystem access control - [Architecture](docs/architecture.md) — how Squid, Docker, and iptables fit together - [Compatibility](docs/compatibility.md) — supported Node.js, OS, and Docker versions - [Troubleshooting](docs/troubleshooting.md) — common issues and fixes diff --git a/docs/architecture.md b/docs/architecture.md index f04a869e..84a3dd60 100644 --- a/docs/architecture.md +++ b/docs/architecture.md 
@@ -2,7 +2,7 @@ ## Overview -The firewall uses a containerized architecture with Squid proxy for L7 (HTTP/HTTPS) egress control. The system provides domain-based whitelisting while maintaining full filesystem access for the Copilot CLI and its MCP servers. +The firewall uses a containerized architecture with Squid proxy for L7 (HTTP/HTTPS) egress control. The system provides domain-based whitelisting with **selective filesystem mounting** to protect credentials from exfiltration attacks. ## High-Level Architecture 
@@ -76,10 +76,16 @@ The firewall uses a containerized architecture with Squid proxy for L7 (HTTP/HTT ### Agent Execution Container (`containers/agent/`) - Based on `ubuntu:22.04` with iptables, curl, git, nodejs, npm -- Mounts entire host filesystem at `/host` and user home directory for full access +- **Selective Mounting (Default):** + - Mounts only user home directory and essential paths + - Hides credentials via `/dev/null` mounts (Docker config, GitHub CLI, npm, Cargo, cloud providers) + - See [Selective Mounting](./selective-mounting.md) for complete list and threat model +- **Full Filesystem Access:** With `--allow-full-filesystem-access`, mounts entire host filesystem at `/host` (disables credential protection) - `NET_ADMIN` capability required for iptables setup during initialization - **Security:** `NET_ADMIN` is dropped via `capsh --drop=cap_net_admin` before executing user commands, preventing malicious code from modifying iptables rules - **Chroot Mode:** With `--enable-chroot`, user commands run inside `chroot /host` for transparent host binary access. See [Chroot Mode](./chroot-mode.md) for details. +- **Token Protection:** One-shot token library (LD_PRELOAD) caches environment variables on first access, then clears them from `/proc/self/environ` to prevent exfiltration +- **MCP Logs Protection:** `/tmp/gh-aw/mcp-logs/` directory is hidden from container via tmpfs mount to prevent workflow data leakage - Two-stage entrypoint: 1. `setup-iptables.sh`: Configures iptables NAT rules to redirect HTTP/HTTPS traffic to Squid (agent container only) 2. `entrypoint.sh`: Drops NET_ADMIN capability, then executes user command as non-root user diff --git a/docs/usage.md b/docs/usage.md index a9ad7047..14afc67c 100644 --- a/docs/usage.md +++ b/docs/usage.md 
@@ -31,6 +31,10 @@ Options: -e, --env Additional environment variables (can repeat) --env-all Pass all host environment variables to container -v, --mount Volume mount (host_path:container_path[:ro|rw]) + --allow-full-filesystem-access ⚠️ SECURITY WARNING: Mount entire host filesystem with + read-write access. By default, AWF uses selective mounting + to hide credentials and sensitive files. This flag disables + that protection. See docs/selective-mounting.md --tty Allocate a pseudo-TTY for interactive tools --build-local Build containers locally instead of using GHCR images --agent-image Agent container image (default: "default")
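Review bot: In the AGENTS.md hunk (`@@ -217,7 +217,8 @@`), "Mounts only user home directory and essential directories" leaves "essential" undefined and does not say whether those extra directories are mounted read-only; since this file is the reference the agent itself reads, name the directories (or at least their mount mode) inline, or state plainly that the authoritative list lives in `docs/selective-mounting.md`. The `--allow-full-filesystem-access` bullet says it "disables credential protection", but it should also say whether the `/dev/null` masks over the credential paths are still applied on top of the `/host` mount or dropped entirely, so a reader knows what "disables" covers.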
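Review bot: The new Overview sentence in `docs/architecture.md` (`@@ -2,7 +2,7 @@`) claims selective mounting protects "credentials" in general, but the component hunk later in the same file describes a fixed list of masked locations (Docker config, GitHub CLI, npm, Cargo, cloud providers) while the whole user home directory is still mounted; soften this to "known credential locations" or "a list of credential paths" so the overview does not promise more than the mechanism delivers. The removed clause also stated that the Copilot CLI and its MCP servers kept full filesystem access; the replacement says nothing about what those components can still reach under selective mounting, and that should be spelled out here or in the linked doc.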
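Review bot: In the Agent Execution Container hunk of `docs/architecture.md` (`@@ -76,10 +76,16 @@`), the unchanged **Chroot Mode** bullet still says commands run inside `chroot /host`, yet the new default no longer mounts the host filesystem at `/host`; the hunk should state whether `--enable-chroot` requires or implies `--allow-full-filesystem-access`, or how chroot mode behaves under selective mounting. The **Token Protection** bullet should also document the boundaries of the `LD_PRELOAD` approach, since it only takes effect in dynamically linked processes that honour the preload and the hunk does not say what happens for processes outside that scope, and "one-shot" should be defined (whether the same process can re-read the cached value, and whether children spawned before the clear inherit the original environment). Suggest adding one sentence per bullet pointing to the threat model in `selective-mounting.md` for these limits.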
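Review bot: The new help text in `docs/usage.md` (`@@ -31,6 +31,10 @@`) sits directly under `-v, --mount`, but neither entry says how user-supplied mounts interact with the credential masks: whether a `-v` of a masked path re-exposes it or the `/dev/null` mount wins. That precedence decides whether selective mounting can be silently undone, so add a sentence to either option stating it. Minor style point: the warning emoji in CLI help may not render in plain terminals, so consider spelling out `SECURITY WARNING` alone.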