A boot-time resource-provider registry plus path-scoped, wildcard-composable role resolution that lets independently-developed AI-agent domains contribute their own permission vocabulary without ever touching the authorization resolver.
This repository is a defensive publication. It is published to establish dated, citable prior art so that the techniques described herein remain free to practice by anyone and cannot be monopolized by a later patent.
- Publication date: 2026-06-25
- Publisher: Gus IT LLC (Florida, USA)
- Author: Gustavo Assuncao, PhD
- Version: 1.0
- Document type: Technical Defensive Publication (public prior art)
- Classification: Public
- License: AGPL-3.0-or-later (copyleft) + a commercial license available from Gus IT LLC
Flat role-based access control — the familiar admin / user / viewer triad —
collapses on a platform that hosts many independently-developed domains (CRM,
communications, finance, documents, AI personas) which continuously appear,
disappear, and share resources across domain boundaries. The usual fixes either
hardcode a capability map (a code deploy for every new permission) or scatter
per-domain access-control lists (duplicated, drifting, unauditable). This
publication describes a resource-provider RBAC model adapted to multi-domain
AI-agent platforms. Each domain module registers its own resource catalogue at
boot — a set of resource types, each carrying a set of permitted actions and a
schema. Every permission is a three-part tuple `domain:resourceType:action`.
Roles are sets of permission patterns with `*` wildcards
(`crm:*:*`, `*:*:read`), so a role can be authored once and apply to resource
types that did not exist when the role was written. Role assignments bind a
principal (user, group, API token, or AI persona) to a role at a scope path
in a resource hierarchy (`/`, `/crm`, `/crm/leads`), and an authorization decision
is resolved by walking the scope path from the queried node toward the root,
unioning the permission patterns of every assignment encountered, and testing
the requested tuple against them. The defining property — the resolver-invariant
registration contract — is that adding a new domain, a new resource type, or a
new action never requires modifying the permission resolver, the database schema,
or any role. The publication includes architecture and data-flow diagrams, a full
data model, a worked cross-domain example, a STRIDE-style threat table, framework
mappings (NIST RBAC, XACML, Zanzibar, Azure RM), a clean-room reference
implementation, and an enumerated independent claim with sixteen dependent claims.
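As an added illustration of the registry, wildcard patterns and scope-walking resolution described above, the following is example code written for this page, not the repository's `src/` reference implementation. The class and function names (`Registry`, `Resolver`, `ancestorsOf`, `patternMatches`), the sample domains (`crm`, `finance`) and the principals are this example's own assumptions; the scenario is constructed.

```javascript
// Minimal resource-provider RBAC: boot-time registry + scope-walking resolver.
// Added example for this page; names and sample data are assumptions, not the repo's API.

class Registry {
  constructor() { this.domains = new Map(); } // domain -> Map(resourceType -> Set(action))
  // Each domain module calls this at boot. Adding a domain never touches Resolver.
  register(domain, catalogue) {
    if (this.domains.has(domain)) throw new Error(`domain ${domain} already registered`);
    const types = new Map();
    for (const [type, { actions }] of Object.entries(catalogue)) types.set(type, new Set(actions));
    this.domains.set(domain, types);
  }
  // A concrete tuple is only meaningful if some provider registered it.
  knows(domain, type, action) {
    return this.domains.get(domain)?.get(type)?.has(action) ?? false;
  }
}

// '*' matches exactly one whole segment of a domain:resourceType:action tuple.
function patternMatches(pattern, tuple) {
  const p = pattern.split(':'), t = tuple.split(':');
  if (p.length !== 3 || t.length !== 3) return false;
  return p.every((seg, i) => seg === '*' || seg === t[i]);
}

// The queried scope followed by every ancestor up to the root '/'.
function ancestorsOf(scope) {
  const parts = scope.split('/').filter(Boolean);
  const chain = ['/'];
  for (let i = 0; i < parts.length; i++) chain.push('/' + parts.slice(0, i + 1).join('/'));
  return chain.reverse();
}

class Resolver {
  constructor(registry) {
    this.registry = registry;
    this.roles = new Map();   // roleName -> Set(pattern)
    this.assignments = [];    // { principal, role, scope }
  }
  defineRole(name, patterns) { this.roles.set(name, new Set(patterns)); }
  assign(principal, role, scope) {
    if (!this.roles.has(role)) throw new Error(`unknown role ${role}`);
    this.assignments.push({ principal, role, scope });
  }
  // Union of the patterns from every assignment on the path scope -> '/'.
  effectivePatterns(principal, scope) {
    const chain = new Set(ancestorsOf(scope));
    const out = new Set();
    for (const a of this.assignments) {
      if (a.principal !== principal || !chain.has(a.scope)) continue;
      for (const p of this.roles.get(a.role)) out.add(p);
    }
    return out;
  }
  // Deny by default: grant only if the tuple is registered and some pattern matches.
  can(principal, scope, domain, type, action) {
    if (!this.registry.knows(domain, type, action)) return false;
    const tuple = `${domain}:${type}:${action}`;
    for (const p of this.effectivePatterns(principal, scope)) {
      if (patternMatches(p, tuple)) return true;
    }
    return false;
  }
}

// Constructed scenario: roles are written while only 'crm' exists, then 'finance' registers.
function demo() {
  const registry = new Registry();
  registry.register('crm', { lead: { actions: ['read', 'write', 'export'] } });
  const rbac = new Resolver(registry);
  rbac.defineRole('crm-admin', ['crm:*:*']);
  rbac.defineRole('global-reader', ['*:*:read']);
  rbac.assign('persona:sales-agent', 'crm-admin', '/crm/leads');
  rbac.assign('user:alice', 'global-reader', '/');

  registry.register('finance', { invoice: { actions: ['read', 'approve'] } }); // no resolver/role change
  return {
    agentWritesLead:   rbac.can('persona:sales-agent', '/crm/leads/42', 'crm', 'lead', 'write'),     // true
    agentReadsInvoice: rbac.can('persona:sales-agent', '/crm/leads/42', 'finance', 'invoice', 'read'), // false: crm:*:* is domain-bound
    aliceReadsInvoice: rbac.can('user:alice', '/finance/q3', 'finance', 'invoice', 'read'),            // true: *:*:read covers the new domain
    aliceApproves:     rbac.can('user:alice', '/finance/q3', 'finance', 'invoice', 'approve'),         // false
    unknownAction:     rbac.can('persona:sales-agent', '/crm/leads', 'crm', 'lead', 'delete'),          // false: not in catalogue
    scopeTooNarrow:    rbac.can('persona:sales-agent', '/crm', 'crm', 'lead', 'read'),                  // false: assignment is below /crm
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two properties worth checking in any implementation of this pattern: patterns only ever grant, so the union over the scope path is monotonic and the result cannot depend on assignment order; and a wildcard in the domain position (`*:*:read`) silently widens every time a new provider registers. That widening is the intended feature, but it is also the line an auditor should review when a domain is added, and it is why the resolver refuses tuples the registry does not know rather than letting an unregistered action fall through to a wildcard.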
We are publishing this as a defensive disclosure, not as a patent application. The resource-provider authorization pattern, when adapted to the lifecycle of an AI-agent platform (boot-time provider registration, AI personas as first-class principals, agent-tool calls passing through the same resolver), is broadly useful infrastructure whose technique should remain a freely practicable building block. Publishing a complete, enabling, timestamped description as prior art makes the technique unavailable as novel subject matter to any later filer; that defensive-publication effect is independent of the code license. The accompanying source code is offered open by default under the AGPL-3.0 copyleft (so downstream users who modify it and offer it as a network service must release their corresponding source), with a commercial license available from Gus IT LLC for proprietary or closed-source use. AGPL-3.0 section 11 (the same patent clause as GPLv3 section 11) also carries an express patent license. Together we (a) establish prior art that defeats later patenting of the technique, (b) give implementers a citable reference and a working starting point under reciprocal copyleft, and (c) seed an eventual open-source reference application (see docs/OPEN-SOURCE-APP.md).
| Document | What it contains |
|---|---|
| DEFENSIVE-PUBLICATION.md | The full technical whitepaper: motivation, architecture, mechanics, data model, worked example, threat model, framework mapping, evaluation methodology, and the enumerated claims. |
| docs/PRIOR-ART.md | Prior-art landscape, delta table, and honesty attestation. |
| docs/FIGURES.md | All Mermaid figures with captions (Figure 1..N). |
| docs/OPEN-SOURCE-APP.md | The planned open-source reference app and its deployment sketch. |
| src/ | Clean-room, illustrative reference implementation (Node.js). |
| src/README.md | How to run the reference implementation and self-check. |
This repository is intended to grow into one open-source reference application per article. The planned app — a self-contained "Resource-Provider RBAC Sandbox" with a registry, a resolver, an admin UI, and a deployable container — is described in docs/OPEN-SOURCE-APP.md.
Dual-licensed: open by default under the GNU Affero General Public License v3.0 (AGPL-3.0-or-later), a copyleft license that requires anyone who modifies this software and offers it as a network service to release their corresponding source, with a commercial license available from Gus IT LLC for proprietary or closed-source use. See LICENSE, COMMERCIAL-LICENSE.md, and NOTICE. AGPL-3.0 section 11 (the same patent clause as GPLv3 section 11) also includes an express patent license, consistent with a defensive open-source release.
To cite this disclosure, see CITATION.cff. Suggested form:
Assuncao, Gustavo. Resource-Provider RBAC for Multi-Domain AI Platforms. Technical Defensive Publication, Version 1.0. Gus IT LLC, 2026-06-25.
Gus IT LLC, Florida, USA — Technical Defensive Publication — 2026-06-25.