- who is allowed access to secrets like bot tokens
- what permissions we grant to bots before we hand that out
- how do we ensure bots are only granted the minimal necessary permissions (to mitigate damage for leaked keys)
- how do we ensure that unused bots are decommissioned?
I personally think maybe treating each bot as a "project" and ensuring we have thorough docs on its specific purpose/owner/decommission plan (similar to what im trying to do for the website in #11) would be a good way to do this (in addition to having general policy rules)
I personally think maybe treating each bot as a "project" and ensuring we have thorough docs on its specific purpose/owner/decommission plan (similar to what im trying to do for the website in #11) would be a good way to do this (in addition to having general policy rules)