# Security

## Access model
- Use least-privilege tokens; only grant org scopes when required
- Restrict runner machine access to trusted administrators
- Store secrets in GitHub Secrets, not on disk

## Token scopes
- Minimum for runner admin operations: `repo`, `workflow`, `read:org`
- `admin:org` may be required depending on org policies
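
A way to check a token against this minimum before using it, as an added example that is not part of this project's code. It assumes a classic personal access token, for which the GitHub API returns the granted scopes in the `X-OAuth-Scopes` response header; the function names and the `ALLOW_ADMIN_ORG` switch are hypothetical.

```shell
#!/bin/sh
# Added example: compare a classic token's granted scopes with the minimum above.
# Input: the X-OAuth-Scopes response header value, e.g. taken from
#   curl -sI -H "Authorization: Bearer $TOKEN" https://api.github.com/user
REQUIRED_SCOPES="repo workflow read:org"

# Turn "repo, workflow ,read:org" into one trimmed scope per line.
split_scopes() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# has_scope <scope> <newline-separated list>: exact, whole-line match.
has_scope() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Prints MISSING/EXCESS findings; returns 0 only when there are none.
# ALLOW_ADMIN_ORG=1 (hypothetical switch) accepts admin:org where org policy needs it.
audit_scopes() {
    granted=$(split_scopes "$1")
    findings=""
    for need in $REQUIRED_SCOPES; do
        if has_scope "$need" "$granted"; then continue; fi
        # admin:org includes read:org, so it satisfies that requirement.
        if [ "$need" = "read:org" ] && has_scope "admin:org" "$granted"; then
            continue
        fi
        findings="${findings}MISSING ${need}
"
    done
    for have in $granted; do
        case " $REQUIRED_SCOPES " in *" $have "*) continue ;; esac
        if [ "$have" = "admin:org" ] && [ "${ALLOW_ADMIN_ORG:-0}" = "1" ]; then
            continue
        fi
        findings="${findings}EXCESS ${have}
"
    done
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample header value, not taken from a real token.
audit_scopes "repo, workflow, admin:org, delete_repo" || true
```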

## Auditing
- Prefer GitHub Actions logs as the authoritative audit trail
- Keep local host logs for forensic debugging only

## Rotation
- Remove and re-register runners on a cadence or after incident response
