5.8 KiB
Roles and Access (RBAC / ABAC) — Guardrails and Fix Pattern
🧭 Quick Return to Map
You are in a sub-page of Governance.
To reorient, go back here:
- Governance — policy enforcement and compliance controls
- WFGY Global Fix Map — main Emergency Room, 300+ structured fixes
- WFGY Problem Map 1.0 — 16 reproducible failure modes
Think of this page as a desk within a ward.
If you need the full triage and all prescriptions, return to the Emergency Room lobby.
This page defines role-based access control (RBAC) and attribute-based access control (ABAC) guardrails for AI pipelines.
Without explicit access boundaries, LLMs may read from unintended sources, leak sensitive data, or bypass audit policy.
When to use this page
- Your RAG or agent stack integrates multiple data stores with different sensitivity levels.
- You cannot trace who accessed what across prompts, embeddings, or tool calls.
- Evaluation runs fail because different users see different knowledge bases.
- Compliance requires proof of least privilege but no policy schema exists.
Acceptance targets
- 100% of RAG data calls tagged with
roleorattributecontext. - Coverage ≥ 0.95 of sensitive datasets behind access boundaries.
- Audit trails record
who,what,when,ΔS,λ_state. - Role drift probes show λ remains convergent across 3 paraphrases.
- Exceptions logged with owner and expiry date.
Common failures → exact fixes
| Symptom | Likely cause | Open this |
|---|---|---|
| Agents fetch data beyond allowed scope | missing RBAC fences | policy_baseline.md |
| Two users get different citations | inconsistent ABAC checks | retrieval-traceability.md |
| Logs don’t show who triggered retrieval | no role injection | data-contracts.md |
| Role drift causes schema injection | misplaced role attributes | prompt-injection.md |
| Sensitive snippets leak in chains | missing attribute check | pii_handling_and_minimization.md |
Fix in 60 seconds
-
Attach context
Every retrieval call carries{role, attribute_set, index_hash, ΔS, λ_state}. -
Enforce least privilege
Roles map to dataset groups. Attributes refine down (e.g. geography, project). -
Log every decision
Audit trail logs query, ΔS, λ state, role, attributes, and snippet ids. -
Probe role drift
Run 3 paraphrases per role. If λ flips, enforce schema lock.
Minimal copy-paste checklist
- Define roles (admin, annotator, auditor, agent).
- Define attributes (region, dataset sensitivity, project scope).
- Attach
{role, attr}to all tool and retrieval calls. - Enforce least privilege at ingestion and retrieval.
- Log ΔS and λ_state by role.
- Review and expire waivers.
🔗 Quick-Start Downloads (60 sec)
| Tool | Link | 3-Step Setup |
|---|---|---|
| WFGY 1.0 PDF | Engine Paper | 1️⃣ Download · 2️⃣ Upload to your LLM · 3️⃣ Ask “Answer using WFGY + <your question>” |
| TXT OS (plain-text OS) | TXTOS.txt | 1️⃣ Download · 2️⃣ Paste into any LLM chat · 3️⃣ Type “hello world” — OS boots instantly |
Explore More
| Layer | Page | What it’s for |
|---|---|---|
| Proof | WFGY Recognition Map | External citations, integrations, and ecosystem proof |
| Engine | WFGY 1.0 | Original PDF based tension engine |
| Engine | WFGY 2.0 | Production tension kernel and math engine for RAG and agents |
| Engine | WFGY 3.0 | TXT based Singularity tension engine, 131 S class set |
| Map | Problem Map 1.0 | Flagship 16 problem RAG failure checklist and fix map |
| Map | Problem Map 2.0 | RAG focused recovery pipeline |
| Map | Problem Map 3.0 | Global Debug Card, image as a debug protocol layer |
| Map | Semantic Clinic | Symptom to family to exact fix |
| Map | Grandma’s Clinic | Plain language stories mapped to Problem Map 1.0 |
| Onboarding | Starter Village | Guided tour for newcomers |
| App | TXT OS | TXT semantic OS, fast boot |
| App | Blah Blah Blah | Abstract and paradox Q and A built on TXT OS |
| App | Blur Blur Blur | Text to image with semantic control |
| App | Blow Blow Blow | Reasoning game engine and memory demo |
If this repository helped, starring it improves discovery so more builders can find the docs and tools.
要我直接繼續幫你生出來嗎?