PR Custody

docs: Resource Rules Engine design spec

@alanbraulio-plankchecks n/achecks…feat/resource-rules → main1 files · +1351 −0updated 19h ago

▸Description · 2 noise

Summary

Design spec for a new Resource Rules Engine — a parameter-level policy system that allows IT admins to restrict which resources (Notion pages, GitHub repos, Slack channels, etc.) agents can access via YAML-based policies.

Key decisions

IAM/OPA-inspired syntax: named rules with explicit effect (allow/deny) and typed conditions
Conflict resolution: Explicit Deny > Explicit Allow > Implicit Deny
Operators typed by JSON Schema type: string, number, boolean, array — each with their valid operators
Separate entity from existing OrgToolkitPolicy (orthogonal concern)
Proxy enforcement: evaluated pre-upstream in CallToolRequestSchema handler, fail-closed
Admin UX: Visual Builder (primary) + YAML view toggle for power users
Audit: failureStage: "resource_rule" with sensitive value redaction

Spec covers

Data model (ResourceRule, ResourceRuleAssignment with targetType/targetId)
Evaluation engine algorithm (denylist mode, allowlist mode, mixed mode)
Proxy integration (where and how rules are loaded, cached, and evaluated)
Audit trail (block types, redaction, ClickHouse dual-write)
Admin UI pages and components
tRPC procedures
Zod schemas
File structure
Testing strategy

No code changes

This PR contains only the design document. Implementation will follow in subsequent PRs.

▸ 2 bot/status comments hidden

@vercel[bot]1d ago

@alanbraulio-plank must be a member of the Composio team on Vercel to deploy. - Click here to add @alanbraulio-plank to the team. - If you initiated this build, request access.

Learn more about collaboration on Vercel and other options here.

@vercel[bot]1d ago

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
composio-enterprise-internal	Error		Jun 12, 2026 1:19pm

loading diff…