Scope policies to resources

Tool-level policies answer “may this agent merge PRs?”. Resource scoping answers the sharper question: “may it merge PRs in this repo?” These recipes combine repo/channel restrictions and resource conditions; pickers are populated from your harvested entities.

GitHub

Confine an agent to one org (future repos included)

Field	Value
Effect	Permit
Tools	the tools you allow
Repo restrictions	owner: my-org (leave repo empty)

Owner-level restrictions are structural — repos created in the org tomorrow are covered without re-editing the policy.

Public repositories only

Field	Value
Effect	Permit
Tools	read tier
Resource conditions	visibility: public

Add archived: false to also exclude archived repos. With multiple conditions, set match = all (AND) — the default.

Protect default and protected branches

Field	Value
Effect	Forbid
Tools	push_files, create_or_update_file
GitHub resource scope	branch
Resource conditions	isDefaultBranch: true, isProtected: true — match = any (OR)

match = any makes the forbid fire if either attribute holds. The resource scope guard keeps the policy from accidentally matching non-branch resources.

Keep agents out of draft PRs

Field	Value
Effect	Forbid
Tools	merge_pull_request, pull_request_review_write
GitHub resource scope	pull_request
Resource conditions	isDraft: true

Pin a policy to specific PRs or issues

Use the entity pickers — conditions of type pullRequest / issueRef with values like my-org/api#142. Multiple picked entities OR together. Useful for tightly-scoped incident or release agents.

Slack

Public channels only

Field	Value
Effect	Permit
Tools	slack_send_message, slack_reply_to_thread
Resource conditions	isPrivate: false

Allow posting only in approved channels

Field	Value
Effect	Permit
Tools	message-sending tools
Channel restrictions	pick the channels

Linear

One team, nothing else

Field	Value
Effect	Permit
Tools	issue read/write tools
Resource conditions	issueTeamId via the team picker (multiple teams OR together)

Hands off completed work

Field	Value
Effect	Forbid
Tools	save_issue
Resource conditions	issueStateType: completed

Label-gated automation

Permit save_issue only where issueHasLabelId matches your ai-allowed label (picked, stable across renames). Manual issueHasLabel matches by name — handy for ad-hoc labels, but renames break it.

Vercel

Production is read-only

Field	Value
Effect	Forbid
Tools	anything mutating
Resource conditions	vercelTarget: production

Preview and staging stay workable; production deployments are untouchable.

Note

AND vs OR: within one policy, conditions of the same type OR together (three picked teams = any of them); different types combine per resourceConditionMatch — all (default) or any. Principal, time, and session conditions always AND with the resource clause.

Verify before enforcing

Resource-scoped policies are exactly where simulation pays off — replay last week’s traffic and check the flipped rows are the ones you expect: Preview and simulate.