From 0dcb54d22c516332140cbe83966ce6133f979009 Mon Sep 17 00:00:00 2001 From: hongyi-chen Date: Tue, 26 May 2026 19:15:43 +0000 Subject: [PATCH 1/3] Document Slack and Linear integration permissions Adds a 'Permissions and data access' section to both the Slack and Linear integration pages so security and procurement teams can find what scopes Oz requests without asking support. For Slack, lists the scope categories the Oz app installs with and clarifies that Oz only reads from and posts to threads it has been explicitly tagged in (not channel history). For Linear, documents Oz's actor=app installation model and the four scopes it uses (read, write, app:assignable, app:mentionable), with links to Linear's agent developer docs. Co-Authored-By: Oz --- .../cloud-agents/integrations/linear.mdx | 23 +++++++++++++++++++ .../cloud-agents/integrations/slack.mdx | 21 +++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx b/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx index 3f112fdf..c8246ad1 100644 --- a/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx +++ b/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx 
@@ -63,6 +63,29 @@ Because PRs are created as _you_, this makes code review, auditing, and team col --- +### Permissions and data access + +Oz installs into Linear as an [app actor](https://linear.app/developers/agents) (using Linear's `actor=app` OAuth mode), which means it appears as its own user in your workspace rather than acting on behalf of the installer. A Linear workspace admin must complete the installation, and the resulting access is scoped to the workspace. + +The Oz Linear app requests the following Linear OAuth scopes: + +* `read` — Read access to issues, comments, projects, and other workspace data Oz needs to understand the task it has been given. +* `write` — Write access to create comments, post agent activities (status updates, plans, results), and attach GitHub pull requests to issues. +* `app:assignable` — Allow Oz to be assigned as the [delegate](https://linear.app/developers/agents) on an issue. Assigning an issue to Oz sets it as the delegate, not the assignee, so the human assignee retains ownership while Oz acts on their behalf. +* `app:mentionable` — Allow Oz to be mentioned in issues, comments, and other editor surfaces so users can trigger it with `@Oz`. + +What Oz actually reads is narrower than what these scopes can express: + +* Oz only acts on issues where it has been explicitly mentioned or assigned as the delegate. +* Oz does not scan or ingest issues, projects, or comments that it has not been tagged on. +* Team access for the app can be adjusted or revoked by workspace admins at any time from the Oz app details page in Linear. + +:::caution +Be intentional about which Linear teams the Oz app has access to, especially teams whose issues may contain customer data or other sensitive information. Workspace admins can change team access at any time through the app details page. +::: + +--- + ### Requirements * **Team membership** - The Linear integration requires you to be part of a [Warp team](/knowledge-and-collaboration/teams/). 
Teams can be created on any plan, including Free. diff --git a/src/content/docs/agent-platform/cloud-agents/integrations/slack.mdx b/src/content/docs/agent-platform/cloud-agents/integrations/slack.mdx index b37d510b..32eef164 100644 --- a/src/content/docs/agent-platform/cloud-agents/integrations/slack.mdx +++ b/src/content/docs/agent-platform/cloud-agents/integrations/slack.mdx @@ -79,6 +79,27 @@ Because PRs are created as you, the workflow slots seamlessly into your team’s --- +### Permissions and data access + +When a workspace admin installs the Oz app, Slack prompts them to approve the scopes Oz needs to operate. At a high level, the Oz Slack app requests permission to: + +* View messages in public channels, private channels, group DMs, and direct messages that Oz has been added to +* Send messages as Oz +* View and upload files in channels Oz has been added to +* View, add, and edit emoji reactions +* View email addresses of people in the workspace (used to map Slack users to their Warp accounts) + +What Oz actually reads is narrower than what Slack's permission model can express: + +* Oz only reads from — and only posts to — threads that it has been explicitly tagged in or messaged directly. +* Oz does not read the overall contents of channels it is added to, and does not ingest channel history outside of the threads it is participating in. + +:::caution +Because Oz can read the threads it's tagged in, treat its access the same as you would any other workspace integration that handles message content. Be intentional about which channels you add Oz to, especially channels that may contain customer data, billing information, or other sensitive content. +::: + +--- + ### Requirements * **Team membership** - The Slack integration requires you to be part of a [Warp team](/knowledge-and-collaboration/teams/). Teams can be created on any plan, including Free. From eec639f858fd866c50abb7f27b1f184f358f7882 Mon Sep 17 00:00:00 2001 
From: hongyi-chen Date: Tue, 26 May 2026 19:37:57 +0000 Subject: [PATCH 2/3] Linear docs: drop duplicate link on 'delegate' The same URL is already linked from 'app actor' a few lines above; the second link adds no new context since 'delegate' is explained inline right after. Co-Authored-By: Oz --- .../docs/agent-platform/cloud-agents/integrations/linear.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx b/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx index c8246ad1..8f6e2fbd 100644 --- a/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx +++ b/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx @@ -71,7 +71,7 @@ The Oz Linear app requests the following Linear OAuth scopes: * `read` — Read access to issues, comments, projects, and other workspace data Oz needs to understand the task it has been given. * `write` — Write access to create comments, post agent activities (status updates, plans, results), and attach GitHub pull requests to issues. -* `app:assignable` — Allow Oz to be assigned as the [delegate](https://linear.app/developers/agents) on an issue. Assigning an issue to Oz sets it as the delegate, not the assignee, so the human assignee retains ownership while Oz acts on their behalf. +* `app:assignable` — Allow Oz to be assigned as the delegate on an issue. Assigning an issue to Oz sets it as the delegate, not the assignee, so the human assignee retains ownership while Oz acts on their behalf. * `app:mentionable` — Allow Oz to be mentioned in issues, comments, and other editor surfaces so users can trigger it with `@Oz`. What Oz actually reads is narrower than what these scopes can express: From 78bcc025046678c5ab6bde02f8351fea0ebb0630 Mon Sep 17 00:00:00 2001 
From: hongyi-chen Date: Tue, 26 May 2026 21:43:47 +0000 Subject: [PATCH 3/3] Linear docs: clarify workspace vs. team access, soften scope claim Restructures the 'Permissions and data access' section into two sub-sections: 'Workspace and team access' and 'OAuth scopes'. The workspace-vs-team distinction is the more important answer for security reviewers: Linear apps install at the workspace level, but workspace admins can restrict which teams within the workspace the app actually has access to. Lifted that out of a buried bullet into its own subsection. The scope list now points to Linear's OAuth docs and notes that the authoritative list is what shows on the install consent screen, since the live scopes are stored in our admin OAuth provider config rather than hardcoded in the source. Co-Authored-By: Oz --- .../cloud-agents/integrations/linear.mdx | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx b/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx index 8f6e2fbd..7163fc8e 100644 --- a/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx +++ b/src/content/docs/agent-platform/cloud-agents/integrations/linear.mdx 
@@ -65,20 +65,27 @@ Because PRs are created as _you_, this makes code review, auditing, and team col ### Permissions and data access -Oz installs into Linear as an [app actor](https://linear.app/developers/agents) (using Linear's `actor=app` OAuth mode), which means it appears as its own user in your workspace rather than acting on behalf of the installer. A Linear workspace admin must complete the installation, and the resulting access is scoped to the workspace. +Oz installs into Linear as an [app actor](https://linear.app/developers/agents) (using Linear's `actor=app` OAuth mode), which means it appears as its own user in your workspace rather than acting on behalf of the installer. A Linear workspace admin must complete the installation. -The Oz Linear app requests the following Linear OAuth scopes: +#### Workspace and team access + +Linear apps installed with `actor=app` are installed at the workspace level — that's why workspace admin approval is required. However, **workspace admins can restrict which Linear teams within the workspace the Oz app has access to**, and can change or revoke team access at any time from the Oz app details page in Linear. Until the app is granted access to a team, it cannot read or act on issues in that team. + +In practice, what Oz reads is narrower than what its team access permits: + +* Oz only acts on issues where it has been explicitly mentioned or assigned as the delegate. +* Oz does not scan or ingest issues, projects, or comments that it has not been tagged on. + +#### OAuth scopes + +The Oz Linear app installs with the following [Linear OAuth scopes](https://linear.app/developers/oauth-2-0-authentication): * `read` — Read access to issues, comments, projects, and other workspace data Oz needs to understand the task it has been given. * `write` — Write access to create comments, post agent activities (status updates, plans, results), and attach GitHub pull requests to issues. 
* `app:assignable` — Allow Oz to be assigned as the delegate on an issue. Assigning an issue to Oz sets it as the delegate, not the assignee, so the human assignee retains ownership while Oz acts on their behalf. * `app:mentionable` — Allow Oz to be mentioned in issues, comments, and other editor surfaces so users can trigger it with `@Oz`. -What Oz actually reads is narrower than what these scopes can express: - -* Oz only acts on issues where it has been explicitly mentioned or assigned as the delegate. -* Oz does not scan or ingest issues, projects, or comments that it has not been tagged on. -* Team access for the app can be adjusted or revoked by workspace admins at any time from the Oz app details page in Linear. +The authoritative list of scopes is shown on Linear's install consent screen when a workspace admin installs the Oz app. :::caution Be intentional about which Linear teams the Oz app has access to, especially teams whose issues may contain customer data or other sensitive information. Workspace admins can change team access at any time through the app details page.
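Review bot: In the linear.mdx hunk of PATCH 1/3 (@@ -63,6 +63,29 @@), the sentence "What Oz actually reads is narrower than what these scopes can express" speaks only of reads, while the first bullet under it says Oz "only acts on issues where it has been explicitly mentioned or assigned as the delegate". With `write` listed just above, a security reviewer needs to know whether that limit also applies to writes. Reword the lead-in so it covers both reading and writing, and state that this narrowing is Oz's own behaviour rather than a boundary the listed scopes enforce, since the page itself says the scopes can express more.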
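Review bot: In the slack.mdx hunk of PATCH 1/3 (@@ -79,6 +79,27 @@), the list under "the Oz Slack app requests permission to:" gives high-level descriptions only, while the Linear page in the same patch lists literal scope strings and the commit message says the goal is for security and procurement teams to find what scopes Oz requests. Either add the scope names exactly as they appear on Slack's consent screen next to each bullet, or say that the consent screen is the authoritative list. Separately, the email address bullet applies to "people in the workspace", not to channels Oz has been added to, so the caution, which talks only about choosing channels, does not cover it; one sentence noting that this access is workspace-wide would close the gap.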
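Review bot: In the "Workspace and team access" subsection added by PATCH 3/3 (@@ -65,20 +65,27 @@), the default team access after install is ambiguous. "workspace admins can restrict which Linear teams ... the Oz app has access to" reads as if the app starts with access to every team, while "Until the app is granted access to a team, it cannot read or act on issues in that team" reads as if it starts with none. State which one holds immediately after installation, because that decides whether an admin has to act to limit exposure. Also, the commit message says the live scopes are kept in the OAuth provider config rather than in source, yet the text still says the app "installs with the following" scopes; wording the list as current at the time of writing, next to the new consent screen sentence, would match the softening the subject line describes.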