Local Secrets Store secrets are persisted in plaintext on disk

[orelbn]

What versions & operating system are you using?

Wrangler: 4.70.0
Operating system: macOS

Please provide a link to a minimal reproduction

https://github.com/orelbn/cloudflare-local-secrets-store-plaintext-repro

Describe the Bug

Local-only Secrets Store secrets created without --remote are persisted in plaintext on disk.

I expected local Secrets Store secrets to either:

1. be encrypted at rest locally, or
2. be clearly documented as plaintext-accessible local development state

Right now, the local persistence behavior appears to store secret values in plaintext under .wrangler/state.

Reproduction

Minimal reproduction repo:
https://github.com/orelbn/cloudflare-local-secrets-store-plaintext-repro

From the repo root, run:

wrangler secrets-store secret create test-store \
  --name TEST_SECRET \
  --value 'UNIQUE_CF_SECRET_9d3f4b6e' \
  --scopes workers

rg -n 'UNIQUE_CF_SECRET_9d3f4b6e' .wrangler/state

Actual behavior
The plaintext secret value is found in the local persisted files under .wrangler/state.

Expected behavior

Either:

• local-only Secrets Store secrets should be encrypted at rest locally, or
• the docs should explicitly state that local-only Secrets Store persistence is not encrypted and should not be treated as a secure local vault

Relevant documentation:

Manage account secrets

Please provide any relevant error logs

No response

[edmundhung]

Hey @orelbn, thanks for reporting this!

This is indeed expected for local Secrets Store secrets. We'll update the docs to make this more explicit. 👍🏼