Field-Based Role Typing: Agent Roles Derived From Structural Composition

Mechanism

The role-typing mechanism rests on three canonical fields whose semantics are fixed by the schema language itself. The duty field declares the obligations the role accepts: the operations it must perform, the responses it must produce, and the invariants it must preserve. The authority field declares the powers the role holds: the operations it is permitted to invoke, the resources it may consume, and the decisions it may make on behalf of the system. The scope field declares the domain over which duty and authority apply: the set of objects, regions, or contexts in which the role is active. A role is defined exactly by the cross-product of these three fields, and two roles are equivalent if and only if their duty, authority, and scope fields are structurally identical.

When a composite agent is constructed, its role is the union of its constituent roles under a structural composition operator. The composition operator is not a free union; it imposes three checks that any candidate role configuration must pass. First, the duty fields of constituent roles must be jointly satisfiable: no duty may contradict another, and the conjunction of all duties must be discharge-able under the available authority. Second, the authority fields must be cycle-free with respect to delegation: if role A delegates authority to role B and role B delegates authority to role A, the configuration is rejected unless the delegation is structurally bounded. Third, the scope fields must partition cleanly: where two roles claim authority over the same scope, the resulting authority must be either identical or strictly hierarchical, with one role's authority subsuming the other's.

Conflict detection is performed by static analysis of the schema graph. Each role definition contributes a node, and each delegation, sub-scope relation, or duty obligation contributes a directed edge. The composition operator traverses the resulting graph and rejects any configuration whose graph contains a cycle of unbounded length, a duty conjunction that the authority cannot discharge, or a scope overlap with non-hierarchical authority. The traversal is deterministic and terminates in time bounded by the size of the schema; the result is a fixed verdict on whether the composition is admissible. No runtime evaluation is required, and no external policy engine participates in the decision.

Because the verdict is reached at composition time, the runtime behavior of a composed agent is constrained to the role configuration that passed the structural check. The agent cannot acquire authority it was not composed to hold, cannot accept duties it was not composed to discharge, and cannot extend its scope beyond the structurally validated boundary. Any attempt to do so is a schema violation, detectable by the same static analysis that admitted the original composition. The role-type is therefore a load-bearing structural property of the agent, not an advisory annotation.

Operating Parameters

The role-typing system exposes a small number of parameters that govern the strictness of conflict detection and the expressiveness of the role vocabulary. The first is the duty-satisfiability discipline, which determines how aggressively the composition operator analyzes duty conjunctions. Under strict discipline, every duty must be discharged by an authority claim within the same composition, and any duty without a matching authority causes rejection. Under relaxed discipline, duties without matching authority are admitted but flagged as unsatisfied, allowing the configuration to proceed under operator acknowledgment that some obligations are externally guaranteed.

The second parameter is the delegation-cycle bound. Authority delegation may, in some configurations, form short cycles that are nevertheless safe because each delegation reduces the bounded scope by a structural quantity. The cycle-bound parameter declares the maximum delegation depth admitted, and compositions that would exceed it are rejected. The default bound is zero (no cycles), which is appropriate for agent populations where delegation is intended to be a tree. Larger bounds admit graph-shaped delegation structures whose termination is guaranteed by structural decrement.

The third parameter is the scope-overlap policy. Where two roles claim authority over the same scope, the policy determines how the overlap is resolved. The hierarchical policy admits overlap only when one role's authority strictly subsumes the other's; the partition policy admits overlap only when the two scopes can be split into disjoint sub-scopes; the rejection policy admits no overlap and forces the schema author to refactor either the roles or the scope definitions. The choice of policy is a property of the schema, not of the individual composition, so all compositions over a given schema reason under identical rules.

A fourth parameter governs the visibility of role types across schema boundaries. Role definitions may be declared local to a single schema, exported for use by composing schemas, or canonicalized as part of a shared role vocabulary. The visibility setting affects how conflicts are detected when an agent composed under one schema interacts with an agent composed under another: locally typed roles must be lifted into a common vocabulary before cross-schema composition, while canonicalized roles may compose directly. The system rejects cross-schema compositions whose role types cannot be reconciled into a common vocabulary.

Alternative Embodiments

The role-typing mechanism admits several embodiments distinguished by the granularity of the canonical fields and the strictness of the composition operator. In the simplest embodiment, duty, authority, and scope are flat enumerations drawn from a fixed vocabulary, and the composition operator reasons over set membership. This embodiment is appropriate for small agent populations with well-known role catalogs and produces fast composition checks at the cost of expressive limits.

In a richer embodiment, duty and authority are themselves typed records with sub-fields, and the composition operator reasons over structural unification of those sub-fields. A duty may declare not only an operation but also a precondition, a postcondition, and a temporal bound; an authority may declare not only a permission but also a quota, a delegation policy, and a revocation rule. The composition operator unifies these sub-fields under the same structural rules that govern field-level conflict detection elsewhere in the agent schema. This embodiment is appropriate for heterogeneous agent populations where roles must compose across diverse capability profiles.

In a hierarchical embodiment, scope is expressed as a tree of nested domains, and authority is interpreted relative to the domain at which it is declared. A role declared at a parent scope holds authority over all descendant scopes unless explicitly restricted; a role declared at a child scope holds authority only within that scope. The composition operator reasons over scope-tree containment when checking overlap, admitting compositions whose authority claims are consistent with the scope hierarchy and rejecting those that are not.

In a lineage-aware embodiment, role types are bound to lineage commitments analogous to those used elsewhere in the architecture. A composed agent's role type is appended to a lineage chain rooted at the schema definition, and any subsequent modification of the role configuration produces a new lineage entry that references the prior. This embodiment supports auditability of role evolution and admits time-bounded role grants that expire automatically when the lineage is extended past a structural deadline.

A specialized embodiment supports anonymous or pseudonymous role bearers, where the agent identity is not bound to a real-world participant but the role type still constrains the agent's behavior. The role-typing mechanism operates identically; only the binding between role and bearer differs. This embodiment is appropriate for agent populations that must operate under privacy constraints while still participating in role-typed protocols.

Composition

Field-based role typing composes with the broader agent schema architecture along three principal axes. First, it composes with the canonical-field vocabulary that governs all agent properties: duty, authority, and scope are themselves fields, and they obey the same structural rules that govern any other field in the schema. There is therefore no separate role-typing language to learn or maintain; the role mechanism is a use of the schema's general structural type system. Second, it composes with the structural validation pipeline: the composition operator that checks role conflicts is the same operator that checks field-level invariants elsewhere in the schema, applied to the specific fields that constitute roles. Third, it composes with the lineage commitment substrate: every composed role configuration is itself a structural object, and its commitment to the lineage chain follows the same rules as any other structural commitment.

Because the role mechanism reuses the schema's general infrastructure, it inherits the same guarantees that apply to other structural properties: deterministic evaluation, cross-substrate consistency, and tamper-evident commitment. Replacement of any of these substrates with a runtime equivalent would forfeit the guarantee that role types are uniformly enforced across all participants in the agent population.

Prior-Art Distinction

Role-based access control (RBAC) systems assign roles to subjects through external policy stores, and role conflicts are typically detected by runtime policy evaluation or by ad hoc administrative review. The role-typing mechanism described here detects conflicts at schema composition time, before any subject is bound to a role and before any operation is invoked. The detection is structural rather than policy-driven, and its verdict is determined by the schema rather than by an external store.

Capability-based security systems express authority as unforgeable tokens that subjects hold and present at the point of use. The role-typing mechanism is compatible with capability semantics but adds a structural layer above them: the authority field of a role declares the capabilities the role may hold, and the composition operator checks that the declared capabilities are consistent with the role's duty and scope before any token is issued. Capabilities answer the question "may this subject perform this operation?"; role types answer the prior question "may this combination of duties, authorities, and scopes coexist in a single agent at all?"

Object-oriented type systems express roles as interfaces or mixins, with role conflicts surfacing as method-resolution ambiguities at compile time. The role-typing mechanism described here goes further by reasoning about delegation cycles and scope overlap, neither of which is expressible in conventional interface composition. It also operates over schema-defined fields rather than language-defined methods, allowing roles to be composed across language and substrate boundaries.

Disclosure Scope

The disclosure of field-based role typing covers the structural composition of agent roles from the canonical fields of duty, authority, and scope, together with the composition operator that detects duty unsatisfiability, delegation cycles, and scope-overlap conflicts at schema composition time. It covers the duty-satisfiability, cycle-bound, scope-overlap, and visibility parameters in any combination that preserves the deterministic composition discipline. It covers the flat-vocabulary, structured-record, hierarchical-scope, lineage-aware, and pseudonymous embodiments, and any embodiment that combines elements of these. It covers the composition with the canonical-field vocabulary, the structural validation pipeline, and the lineage commitment substrate.

The disclosure does not depend on any particular schema language, capability format, or runtime environment. The composition operator may be implemented in any analyzer that admits structural traversal of typed fields; the role definitions may be expressed in any vocabulary that supports duty, authority, and scope as distinguishable properties; the agent population may be hosted on any execution substrate that respects the schema's verdict on admissible compositions. Substitution of these implementation details does not exit the disclosure.