# Role: witness

## Purpose

Observe and confirm (alerts, read-only checks, second-factor confirmations).

## Scope

- Allowed: read-only verification and confirmations.
- Forbidden: provisioning and configuration changes.

## Allowed origins

- `op-witness-phone` only.

## Rotation / revocation

- Revoke: remove device access and rotate any linked factors.
- Prove: record the action in `70-audits/reports/`.