docs: add TODO for ARM token exposure on azcmagent command line

azcmagent only supports --access-token via argv, which exposes the token
through /proc/<pid>/cmdline to all local users. The token is short-lived
(~60 minutes) which limits the window, but it is still observable during
registration. Document this as a known limitation with a pointer to
alternative auth methods (service principal certificate, Azure CLI).

Author: bcho

components/arc/v20260301/arc_registration.go

@@ -164,7 +164,13 @@ func (a *installArcAction) addAuthenticationArgs(ctx context.Context, args *[]st
 		return fmt.Errorf("failed to get access token: %w", err)
 	}
 
-	// Add access token to azcmagent arguments
+	// TODO(security): The access token is passed on the command line and is therefore visible
+	// to all local users via /proc/<pid>/cmdline for the lifetime of the azcmagent process.
+	// The token is short-lived (~60 minutes) which limits the exposure window, but it is
+	// still observable during the registration process. azcmagent does not currently support
+	// reading the token from stdin or an environment variable.
+	// Consider switching to --service-principal-cert or --use-azcli when feasible.
+	// See: https://learn.microsoft.com/en-us/azure/azure-arc/servers/azcmagent-connect
 	*args = append(*args, "--access-token", accessToken)
 
 	a.logger.Debug("Authentication arguments added to Arc agent command")