diff --git a/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx b/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx index 3f112fdf..7163fc8e 100644 --- a/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx +++ b/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx @@ -63,6 +63,36 @@ Because PRs are created as _you_, this makes code review, auditing, and team col --- +### Permissions and data access + +Oz installs into Linear as an [app actor](https://linear.app/developers/agents) (using Linear's `actor=app` OAuth mode), which means it appears as its own user in your workspace rather than acting on behalf of the installer. A Linear workspace admin must complete the installation. + +#### Workspace and team access + +Linear apps installed with `actor=app` are installed at the workspace level — that's why workspace admin approval is required. However, **workspace admins can restrict which Linear teams within the workspace the Oz app has access to**, and can change or revoke team access at any time from the Oz app details page in Linear. Until the app is granted access to a team, it cannot read or act on issues in that team. + +In practice, what Oz reads is narrower than what its team access permits: + +* Oz only acts on issues where it has been explicitly mentioned or assigned as the delegate. +* Oz does not scan or ingest issues, projects, or comments that it has not been tagged on. + +#### OAuth scopes + +The Oz Linear app installs with the following [Linear OAuth scopes](https://linear.app/developers/oauth-2-0-authentication): + +* `read` — Read access to issues, comments, projects, and other workspace data Oz needs to understand the task it has been given. +* `write` — Write access to create comments, post agent activities (status updates, plans, results), and attach GitHub pull requests to issues. +* `app:assignable` — Allow Oz to be assigned as the delegate on an issue. Assigning an issue to Oz sets it as the delegate, not the assignee, so the human assignee retains ownership while Oz acts on their behalf. +* `app:mentionable` — Allow Oz to be mentioned in issues, comments, and other editor surfaces so users can trigger it with `@Oz`. + +The authoritative list of scopes is shown on Linear's install consent screen when a workspace admin installs the Oz app. + +:::caution +Be intentional about which Linear teams the Oz app has access to, especially teams whose issues may contain customer data or other sensitive information. Workspace admins can change team access at any time through the app details page. +::: + +--- + ### Requirements * **Team membership** - The Linear integration requires you to be part of a [Warp team](/knowledge-and-collaboration/teams/). Teams can be created on any plan, including Free. diff --git a/src/content/docs/agent-platform/cloud-agents/integrations/slack.mdx b/src/content/docs/agent-platform/cloud-agents/integrations/slack.mdx index b37d510b..32eef164 100644 --- a/src/content/docs/agent-platform/cloud-agents/integrations/slack.mdx +++ b/src/content/docs/agent-platform/cloud-agents/integrations/slack.mdx @@ -79,6 +79,27 @@ Because PRs are created as you, the workflow slots seamlessly into your team’s --- +### Permissions and data access + +When a workspace admin installs the Oz app, Slack prompts them to approve the scopes Oz needs to operate. At a high level, the Oz Slack app requests permission to: + +* View messages in public channels, private channels, group DMs, and direct messages that Oz has been added to +* Send messages as Oz +* View and upload files in channels Oz has been added to +* View, add, and edit emoji reactions +* View email addresses of people in the workspace (used to map Slack users to their Warp accounts) + +What Oz actually reads is narrower than what Slack's permission model can express: + +* Oz only reads from — and only posts to — threads that it has been explicitly tagged in or messaged directly. +* Oz does not read the overall contents of channels it is added to, and does not ingest channel history outside of the threads it is participating in. + +:::caution +Because Oz can read the threads it's tagged in, treat its access the same as you would any other workspace integration that handles message content. Be intentional about which channels you add Oz to, especially channels that may contain customer data, billing information, or other sensitive content. +::: + +--- + ### Requirements * **Team membership** - The Slack integration requires you to be part of a [Warp team](/knowledge-and-collaboration/teams/). Teams can be created on any plan, including Free.