diff --git a/.gitea/scripts/audit-force-merge.sh b/.gitea/scripts/audit-force-merge.sh
index 10ee9e6bf..e07ddff84 100755
--- a/.gitea/scripts/audit-force-merge.sh
+++ b/.gitea/scripts/audit-force-merge.sh
@@ -30,7 +30,10 @@ set -euo pipefail
-: "${GITEA_TOKEN:?required}"
+# Fail-fast on missing token — internal#316: drop the || GITHUB_TOKEN
+# fallback from audit-force-merge.yml; the guard here makes the missing-
+# secret failure obvious.
+: "${GITEA_TOKEN:?GITEA_TOKEN env var required — set SOP_TIER_CHECK_TOKEN in repo secrets}"
 : "${GITEA_HOST:?required}"
 : "${REPO:?required}"
 : "${PR_NUMBER:?required}"
diff --git a/.gitea/scripts/sop-tier-check.sh b/.gitea/scripts/sop-tier-check.sh
index afd13e48b..5b19b2419 100755
--- a/.gitea/scripts/sop-tier-check.sh
+++ b/.gitea/scripts/sop-tier-check.sh
@@ -44,6 +44,12 @@ set -euo pipefail
+# Fail-fast on missing token — produces a clear error at line 1 rather
+# than a confusing 403 mid-script when GITHUB_TOKEN lacks read:org scope.
+# internal#316: drop the || GITHUB_TOKEN fallback in sop-tier-check.yml;
+# the guard here makes the missing-secret failure obvious.
+: "${GITEA_TOKEN:?GITEA_TOKEN env var required — set SOP_TIER_CHECK_TOKEN in repo secrets}"
+
 # Ensure jq is available. Runners may not have it pre-installed, and the
 # workflow-level jq install can fail on runners with network restrictions
 # (GitHub releases not reachable from some runner networks — infra#241
diff --git a/.gitea/workflows/audit-force-merge.yml b/.gitea/workflows/audit-force-merge.yml
index b3441bcaa..9e754cb53 100644
--- a/.gitea/workflows/audit-force-merge.yml
+++ b/.gitea/workflows/audit-force-merge.yml
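Review bot: The new `:?` message tells the operator to set SOP_TIER_CHECK_TOKEN "in repo secrets", while the comment kept in audit-force-merge.yml later in this diff calls the same value an org-level secret; the identical message is added to sop-tier-check.sh in the next hunk, so both should name the scope the secret actually lives in, since this string is what an operator sees when the job fails. The header comment is also written as a to-do ("drop the || GITHUB_TOKEN fallback from audit-force-merge.yml") although this commit already does that; a statement of the resulting invariant ages better, e.g. `# Fail-fast on missing token (internal#316): the workflow has no GITHUB_TOKEN fallback, so a missing secret must fail here, not as a 403 later.` Note that `:?` only proves the variable is non-empty; a token that is set but under-scoped still fails later with a 403.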
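Review bot: The comment says the guard produces an error "at line 1", but the hunk places it around line 50, after the shebang, `set -euo pipefail` and whatever precedes them; "at script entry" is the accurate claim. The guard also only catches a missing or empty token: the case the second sentence names — a token that lacks read:org scope — is not detected here and still surfaces as the 403 from the team membership probe, so the comment should not promise otherwise. Suggested wording: `# Fail-fast on a missing/empty token at script entry (internal#316). A token that is set but lacks read:org scope is NOT caught here and still fails with a 403 at the team membership probe.` The sentence about dropping the `|| GITHUB_TOKEN` fallback describes work this commit already did and can become a statement of the current state.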
@@ -42,7 +42,11 @@ jobs:
 - name: Detect force-merge + emit audit event
 env:
 # Same org-level secret the sop-tier-check workflow uses.
- GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+ # No fallback to GITHUB_TOKEN — that token lacks read:org scope needed
+ # for team membership probes. A missing SOP_TIER_CHECK_TOKEN produces a
+ # clear failure at script entry (via :? guard in audit-force-merge.sh),
+ # not a confusing 403 mid-script. See internal#316.
+ GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN }}
 GITEA_HOST: git.moleculesai.app
 REPO: ${{ github.repository }}
 PR_NUMBER: ${{ github.event.pull_request.number }}
diff --git a/.gitea/workflows/sop-tier-check.yml b/.gitea/workflows/sop-tier-check.yml
index 235ed6334..df6f5179c 100644
--- a/.gitea/workflows/sop-tier-check.yml
+++ b/.gitea/workflows/sop-tier-check.yml
@@ -55,6 +55,13 @@ name: sop-tier-check
 # Gitea API. If a future change adds a checkout step, it MUST pin to
 # `${{ github.event.pull_request.base.sha }}` (NOT `head.sha`) to keep
 # the trust boundary.
+# Cancel in-progress runs for the same PR to prevent stale status overwrites.
+# Only fires on pull_request_target (not issue_comment) — sop-tier-check
+# subscribes to PR events only.
+concurrency:
+ group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number }}
+ cancel-in-progress: true
+
 on:
 pull_request_target:
 types: [opened, edited, synchronize, reopened, labeled, unlabeled]
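Review bot: With the fallback removed, a missing or rotated SOP_TIER_CHECK_TOKEN now aborts this step at the script's `:?` guard, and since this is the step that emits the force-merge audit event, the consequence is that no audit event is recorded at all — before, the run at least attempted the emit with GITHUB_TOKEN. Failing closed is the right choice for an audit control only if a red run is actually noticed; it is not visible from this hunk whether the job is a required check or alerts anyone. That expectation belongs next to the new comment, e.g. `# A failed run here means NO audit event was written for this merge — monitor this job; do not treat a red audit-force-merge run as noise.`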
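Review bot: The new `concurrency` group is keyed on `github.event.pull_request.number`, which fits the `pull_request_target` trigger shown, but the stale-status problem the comment cites is only solved if the Gitea instance honours the workflow-level `concurrency` key; on a version that does not, the key is presumably a silent no-op and the comment overstates the guarantee. Worth confirming against the deployed Gitea version and recording the requirement in the comment, e.g. `# Requires a Gitea version that honours workflow-level concurrency (<minimum version — confirm>); otherwise this is a no-op and stale statuses can still overwrite.` Cancelling a superseded run also means the previous head's status stays visible until the new run finishes, which is expected but worth a word in the comment.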
@@ -111,7 +118,11 @@ jobs:
 # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
 continue-on-error: true
 env:
- GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+ # No fallback to GITHUB_TOKEN — that token lacks read:org scope needed
+ # for team membership probes. A missing SOP_TIER_CHECK_TOKEN produces a
+ # clear failure at script entry (via :? guard in sop-tier-check.sh),
+ # not a confusing 403 mid-script. See internal#316.
+ GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN }}
 GITEA_HOST: git.moleculesai.app
 REPO: ${{ github.repository }}
 PR_NUMBER: ${{ github.event.pull_request.number }}
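Review bot: The new comment promises "a clear failure at script entry", but the context line `continue-on-error: true` two lines above (the mc#774 mask) means a failed `:?` guard fails only the step — the job still completes successfully, so a missing SOP_TIER_CHECK_TOKEN is hidden at job level exactly as the 403 was. Until mc#774 is root-fixed, the guard does not make the missing-secret case visible where a required check would see it, and the comment should say so rather than imply otherwise, e.g. `# NOTE: continue-on-error above masks this step's status — a missing token fails the step but not the job (mc#774).` The same four-line comment is added in audit-force-merge.yml earlier in this diff; whether that step carries the same mask is not visible here.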