
gusitllc/resource-provider-rbac


Resource-Provider RBAC for Multi-Domain AI Platforms

A boot-time resource-provider registry plus path-scoped, wildcard-composable role resolution that lets independently-developed AI-agent domains contribute their own permission vocabulary without ever touching the authorization resolver.


📌 Defensive Publication / Prior Art Notice

This repository is a defensive publication. It is published to establish dated, citable prior art so that the techniques described herein remain free to practice by anyone and cannot be monopolized by a later patent.

  • Publication date: 2026-06-25
  • Publisher: Gus IT LLC (Florida, USA)
  • Author: Gustavo Assuncao, PhD
  • Version: 1.0
  • Document type: Technical Defensive Publication (public prior art)
  • Classification: Public
  • License: AGPL-3.0-or-later (copyleft) + a commercial license available from Gus IT LLC



Abstract

Flat role-based access control — the familiar admin / user / viewer triad — collapses on a platform that hosts many independently-developed domains (CRM, communications, finance, documents, AI personas) which continuously appear, disappear, and share resources across domain boundaries. The usual fixes either hardcode a capability map (a code deploy for every new permission) or scatter per-domain access-control lists (duplicated, drifting, unauditable). This publication describes a resource-provider RBAC model adapted to multi-domain AI-agent platforms. Each domain module registers its own resource catalogue at boot — a set of resource types, each carrying a set of permitted actions and a schema. Every permission is a three-part tuple domain:resourceType:action. Roles are sets of permission patterns with * wildcards (crm:*:*, *:*:read), so a role can be authored once and apply to resource types that did not exist when the role was written. Role assignments bind a principal (user, group, API token, or AI persona) to a role at a scope path in a resource hierarchy (/, /crm, /crm/leads), and an authorization decision is resolved by walking the scope path from the queried node toward the root, unioning the permission patterns of every assignment encountered, and testing the requested tuple against them. The defining property — the resolver-invariant registration contract — is that adding a new domain, a new resource type, or a new action never requires modifying the permission resolver, the database schema, or any role. The publication includes architecture and data-flow diagrams, a full data model, a worked cross-domain example, a STRIDE-style threat table, framework mappings (NIST RBAC, XACML, Zanzibar, Azure RM), a clean-room reference implementation, and an enumerated independent claim with sixteen dependent claims.
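The resolution walk described in the abstract, as an added illustration rather than the repository's own reference implementation: a boot-time provider registry, roles as wildcard patterns, assignments at scope paths, and a resolver that walks from the queried node to the root, unions the patterns it finds, and fails closed on tuples no provider declared. Function names, the in-memory data structures and the sample domains are assumptions of this example.

```javascript
// Added example (not the repository's src/ code): minimal domain:resourceType:action resolver.
// Provider registry, filled at boot: domain -> Map(resourceType -> Set(actions)).
const registry = new Map();

// Each domain module contributes its own vocabulary; re-registering a domain replaces its catalogue.
function registerProvider(domain, resources) {
  const types = new Map(Object.entries(resources).map(([t, acts]) => [t, new Set(acts)]));
  registry.set(domain, types);
}

// Roles: name -> list of permission patterns; '*' matches exactly one whole segment.
const roles = new Map();
function defineRole(name, patterns) { roles.set(name, patterns); }

// Assignments bind a principal (user, group, token or AI persona) to a role at a scope path.
// Scope paths are assumed canonical ('/', '/crm', '/crm/leads'): no trailing slash, no '..'.
const assignments = [];
function assign(principal, role, scope) { assignments.push({ principal, role, scope }); }

function patternMatches(pattern, permission) {
  const p = pattern.split(':'), q = permission.split(':');
  return p.length === 3 && q.length === 3 && p.every((seg, i) => seg === '*' || seg === q[i]);
}

// Every node from the queried scope up to the root, e.g. '/crm/leads' -> ['/crm/leads', '/crm', '/'].
function ancestorsOf(scope) {
  const parts = scope.split('/').filter(Boolean);
  const out = [];
  for (let i = parts.length; i >= 0; i--) out.push('/' + parts.slice(0, i).join('/'));
  return out;
}

function isAuthorized(principal, scope, permission) {
  const [domain, type, action] = permission.split(':');
  // Fail closed: a tuple no registered provider declared can never be granted,
  // even when a wildcard role such as crm:*:* would otherwise match it.
  const declared = registry.get(domain)?.get(type)?.has(action) === true;
  if (!declared) return false;
  const onPath = new Set(ancestorsOf(scope));
  // Union of the patterns of every assignment for this principal along the path.
  const patterns = assignments
    .filter(a => a.principal === principal && onPath.has(a.scope))
    .flatMap(a => roles.get(a.role) ?? []);
  return patterns.some(p => patternMatches(p, permission));
}
```

Registering a new domain or resource type later only touches the registry; the resolver, the roles and the assignments above stay unchanged, which is the resolver-invariant property the abstract describes.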

Why this is published

We are publishing this as a defensive disclosure, not as a patent application. The resource-provider authorization pattern, when adapted to the lifecycle of an AI-agent platform (boot-time provider registration, AI personas as first-class principals, agent-tool calls passing through the same resolver), is broadly useful infrastructure whose technique should remain a freely practicable building block. Publishing a complete, enabling, timestamped description as prior art makes the technique unavailable as novel subject matter to any later filer; that defensive-publication effect is independent of the code license. The accompanying source code is offered open by default under the AGPL-3.0 copyleft (so downstream users who modify it and offer it as a network service must release their corresponding source), with a commercial license available from Gus IT LLC for proprietary or closed-source use. AGPL-3.0 (via GPLv3 section 11) also carries an express patent license. Together we (a) bar later patenting of the technique, (b) give implementers a citable reference and a working starting point under reciprocal copyleft, and (c) seed an eventual open-source reference application (see docs/OPEN-SOURCE-APP.md).

Table of Contents

  • DEFENSIVE-PUBLICATION.md: The full technical whitepaper: motivation, architecture, mechanics, data model, worked example, threat model, framework mapping, evaluation methodology, and the enumerated claims.
  • docs/PRIOR-ART.md: Prior-art landscape, delta table, and honesty attestation.
  • docs/FIGURES.md: All Mermaid figures with captions (Figure 1..N).
  • docs/OPEN-SOURCE-APP.md: The planned open-source reference app and its deployment sketch.
  • src/: Clean-room, illustrative reference implementation (Node.js).
  • src/README.md: How to run the reference implementation and self-check.

Planned open-source app

This repository is intended to grow into one open-source reference application per article. The planned app — a self-contained "Resource-Provider RBAC Sandbox" with a registry, a resolver, an admin UI, and a deployable container — is described in docs/OPEN-SOURCE-APP.md.

License & Citation

Dual-licensed: open by default under the GNU Affero General Public License v3.0 (AGPL-3.0-or-later) — a copyleft license that requires anyone who modifies this software and offers it as a network service to release their corresponding source — with a commercial license available from Gus IT LLC for proprietary or closed-source use. See LICENSE, COMMERCIAL-LICENSE.md, and NOTICE. AGPL-3.0 (via GPLv3 section 11) also includes an express patent license, consistent with a defensive open-source release.

To cite this disclosure, see CITATION.cff. Suggested form:

Assuncao, Gustavo. Resource-Provider RBAC for Multi-Domain AI Platforms. Technical Defensive Publication, Version 1.0. Gus IT LLC, 2026-06-25.


Gus IT LLC, Florida, USA — Technical Defensive Publication — 2026-06-25.

About

Defensive publication: boot-time resource-provider RBAC with path-scoped, wildcard role resolution for AI platforms
