# Security notes

## OAuth token handling

The orchestrator uses Gradio + Hugging Face OAuth. The OAuth token is used in two places:

1. `token=token` when launching/managing the Job.
2. `secrets={"HF_TOKEN": token}` so the Job can act on behalf of the user.

Workers must never print or persist the token.

## Scope notes

The Space metadata requests:

- `read-repos`
- `write-repos`
- `manage-repos`
- `gated-repos`
- `inference-api`
- `jobs`

`jobs` is required for launching HF Jobs. `manage-repos` is currently used for private Space creation. A later hardening pass should test whether a narrower scope can replace it.

## Private by default

- Bucket remains private.
- Target Spaces are created private.
- Existing target Spaces are not overwritten.
- Publishing must be added later as an explicit user action only.

## Trace privacy

Future Pi traces must be stored as raw/private first. A redacted copy may be generated later, but public sharing should require explicit user confirmation.

## Current limitations

The redaction helper is a basic first-pass scanner. It is not a full data-loss prevention system.

## Pi-specific security

Phase 3 runs Pi inside an ephemeral HF Job. The worker constrains Pi to a local workspace and asks it not to inspect secrets or create Hub resources. The wrapper, not Pi, creates/uploads the target Space after checking that Pi made only the expected safe modification.

Saved Pi output and traces are redacted on a best-effort basis. Raw traces should remain private.
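The following is an added example, not the project's own redaction helper, showing the shape of a best-effort trace scanner that also enforces the "never persist the token" rule from the OAuth section: the live token is scrubbed by exact value before any pattern matching, and the worker refuses to emit a copy in which it survives. The `hf_` prefix pattern, the function names and the sample trace are assumptions constructed for the demo.

```python
import re

REDACTED = "[REDACTED]"

# Assumed patterns: HF user tokens are taken to start with "hf_" followed by
# a long alphanumeric run; bearer headers keep their prefix and lose the value.
TOKEN_PATTERNS = [
    re.compile(r"hf_[A-Za-z0-9]{20,}"),
    re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"),
]


def redact_text(text: str, known_secrets: tuple = ()) -> tuple:
    """Best-effort redaction. Exact known values (e.g. the live OAuth token)
    are removed first so they are caught even if they do not fit a pattern.
    Returns (redacted_text, number_of_hits)."""
    hits = 0
    for secret in known_secrets:
        if secret:
            n = text.count(secret)
            if n:
                text = text.replace(secret, REDACTED)
                hits += n
    for pat in TOKEN_PATTERNS:
        # Keep a captured prefix (e.g. "Authorization: Bearer ") if the pattern has one.
        text, n = pat.subn(lambda m: (m.group(1) if m.lastindex else "") + REDACTED, text)
        hits += n
    return text, hits


def prepare_trace_for_storage(raw_trace: str, live_token: str) -> str:
    """Produce the redacted copy of a raw (private) trace. The raw trace is
    never modified; if the live token is still present after redaction the
    worker refuses to return anything rather than persist it."""
    redacted, _ = redact_text(raw_trace, (live_token,))
    if live_token and live_token in redacted:
        raise RuntimeError("live token survived redaction; refusing to persist")
    return redacted


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    live = "hf_" + "A" * 30
    sample = (
        f"launching job with token {live}\n"
        "Authorization: Bearer abc.def\n"
        "note: hf_abcdefghijklmnopqrstuvwxyz1234 appeared in worker log\n"
    )
    print(prepare_trace_for_storage(sample, live))
```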