up

ops/devops/secrets/surface-secrets-provisioning.md

@@ -54,7 +54,7 @@ SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
 ZASTAVA_SURFACE_SECRETS_PROVIDER=${SCANNER_SURFACE_SECRETS_PROVIDER}
 ZASTAVA_SURFACE_SECRETS_ROOT=${SCANNER_SURFACE_SECRETS_ROOT}
 ```
-4) Ensure docker-compose mounts the secrets path read-only to the services that need it.
+4) Ensure docker-compose mounts the secrets path read-only to the services that need it. Use `SURFACE_SECRETS_HOST_PATH` to point at the decrypted bundle on the host (defaults to `./offline/surface-secrets` in the Compose profiles).
 
 ## Offline Kit workflow
 - The offline kit already ships encrypted `surface-secrets` bundles (see `docs/24_OFFLINE_KIT.md`).