# Security

BenchCI is designed so teams can automate hardware safely.

## Authentication

BenchCI currently supports:

- user sessions for CLI access
- agent tokens for machine authentication
- optional protected Agent endpoints

## Cloud Agent Connectivity

Cloud-connected agents initiate outbound connections to the backend. This reduces the need to expose hardware machines to inbound public access.

## Resource Isolation

BenchCI supports workspace-oriented ownership models for:

- runs
- benches
- agents

This enables separation between customer environments.

## Artifacts

Run outputs such as logs and results are scoped to the owning workspace/session path.

## Recommended Best Practices

- rotate tokens periodically
- run agents on dedicated lab machines
- restrict unnecessary inbound ports
- physically secure lab hardware
- review artifact retention policies

## Workspace Access

BenchCI uses workspaces to scope:

- users
- benches
- runs
- agents
- artifacts
- plan limits

A user only sees benches and runs available to the active workspace.

## Dashboard Sessions

The dashboard uses the same account/workspace model as the CLI. Keep browser sessions on trusted machines and rotate credentials if access is no longer needed.

## Manual Activation

Early access and paid workspace activation are handled manually by the BenchCI owner/admin process. This avoids exposing payment automation before the product requires self-serve billing.