Donna.ai - AI Agent for Donut Naturales 🍩

This is a submission for the Permit.io Authorization Challenge: AI Access Control

The Inspiration

I wanted to start the challenge with a solid use case. So for the context of this hack, let's follow along the story of Donut Naturales, a fictional donut-based enterprise company that specializes in donuts with natural flavors. Their CEO Sofia is an AI visionary and has incorporated an AI Agent Donna.ai to help with various levels of tasks in the organization.

The tech team is currently small, with a few developers, a PM and testers working on the Donut Naturales Website (https://donut-naturales.vercel.app/).

How could Sofia build a multipurpose AI Agent that could simplify the lives of her employees?

What Is Donna.ai?

Donna.ai could do a lot of things. It was not meant to be a traditional chatbot - it was very company specific. You see, there were new developers that needed to know their company codebase, newly hired employees that needed help with their queries about onboarding, testers who needed to quickly report issues when they found them, and the PM who needed inspiration to think and formulate the next big multimillion-dollar donut.

Donna.ai took this head first. Modeled after Donna from the famous TV show Suits, this AI Agent could do exactly that.

It could:

  • Help newbie Donuts with onboarding
  • Help the PM to ideate on Donuts
  • Help the devs to learn more about the codebase
  • Help the QA team to create issue tickets directly

But Sofia wanted to be able to control who does what. This is where Permit.io came in. It allowed an API-first way where she could give permissions and roles to individual users in her company. Currently she only let the PM create donut images, the QA create tickets, and the Developer query the codebase. All users were able to ask any Onboarding related queries.

She also had a dashboard that let her control when she wanted to change these privileges, and it was as easy as ticking a checkbox and saving the changes. She could see who logged in and who changed the permissions as well with the audit trail.

This helped her and the team have a centralized, secure, controlled access to their AI Agent - Donna.

Core Features

  1. Intelligent Query Processing

    • Dynamic action classification using GPT-4 and langchain Agents
    • Multi-modal output support (text and images)
    • Function calling Support

  2. Role-Specific Capabilities

    • Onboarding assistance for new employees
    • Technical documentation access for developers
    • Issue tracking for quality assurance
    • Visual content generation for designers and product managers

  3. Security & Access Control

    • Fine-grained RBAC using Permit.io API's.
    • Real-time permission validation
    • Role-based feature access

AI Stack

  • OpenAI GPT-4 for natural language understanding
  • DALL-E 3 for donut visualization
  • Pinecone for vector search in documentation
  • GitHub API for code repository interaction

How Permit.io Enhanced Our AI Agent

1. Role-Based Access Control

  • Developer Role: Access to codebase queries and GitHub issue creation
  • Designer Role: Access to image generation and brand guidelines
  • PM Role: Access to project management and documentation features
  • Admin Role: Full system access and user management

2. Fine-Grained Permissions 

PERMISSION_TYPES = {
    "onboarding_query": {"action": "read", "resource": "onboarding"},
    "github_issues": {"action": "create", "resource": "issues"},
    "code_query": {"action": "read", "resource": "codebase"},
    "create_image": {"action": "generate", "resource": "images"}
}

3. Security Benefits

  • Centralized permission management
  • Real-time access control
  • Audit trails for AI interactions
  • Role-based feature isolation

Get Started

  1. Clone the repositories.
  2. Set up environment variables.
  3. Configure Permit.io roles and permissions in the dashboard.
  4. Run the application

Note: All instructions are also present in the backend/frontend README.md files as well.

Built With

  • Python/Flask (Backend)
  • React (Frontend)
  • OpenAI GPT-4 & DALL-E 3
  • Permit.io (Authorization)
  • Pinecone (Vector Search)
  • GitHub API (Repository Integration)

Demo

https://permit-hack-frontend.vercel.app/

The password for all users is 2025DEVChallenge.
The usernames are

  • admin
  • newuser (For the dev account)
  • pm (for the project manager)
  • test1 (for the QA)

Features to Test

User Role Testing

  1. Admin User

    • Can assign permissions in Admin Dashboard
    • Has access to all 4 features
    • Try: "What is our Leave Policy?"

  2. Developer User

    • Has codebase query access
    • Try: "Explain what is our Codebase Tech Stack"

  3. QA/Tester User

    • Has issue creation access
    • Try: "Create an issue for the broken login button"

  4. Product Manager

    • Has image generation access
    • Try: "Generate an image of a galaxy-themed donut"

Permission Testing

  • Verify permission management in Admin Dashboard works correctly
  • Confirm users receive "Permission Denied" message when accessing unauthorized features
  • Test that permission changes take effect immediately

Project Repo

https://github.com/wargod100/permit-hack-frontend
https://github.com/wargod100/permit-hack-backend

https://github.com/wargod100/Donut-Naturales (The website where issues are created)

My Journey

This was a very fun challenge to take part in. The idea emerged slowly, with a focus on how we could make a lasting AI Agent that required controls, as well as how we can use Permit.io to its fullest capacity.

The journey was not smooth, but it helped to learn a ton:

Initial Challenges

  • Started with OpenAI Agents SDK but hit scaling issues with tool usage (4 Agents + 1 Runner)
  • Switched to Langchain-based approach
  • Had to pivot from new Image API due to Company Verification requirement to Gemini
  • Moved from Gemini back to DALL-E for better results

Implementation Progress

  1. RAG Implementation

    • Created and indexed onboarding documentation to Pinecone
    • Fixed oversight of missing LLM call after RAG implementation

  2. GitHub Integration

    • Successfully implemented GitHub API for issue creation
    • Deployed Donut Naturale's website using Vercel and Claude

  3. Codebase Indexing

    • Initial success with gitingest locally
    • Azure deployment issues required rewrite of repository logic
    • Successfully pivoted to README-based approach using Github API's

Permit.io Integration Journey

  • Explored UI-based implementation initially
  • Encountered PDP permission check issues due to default ReBAC
  • Evaluated Permit.io + Langchain integration due to the AI Access Control Guides
  • Finally settled on direct API usage for clearer implementation

This journey allowed me to explore multiple approaches and pivot when needed. I hope this implementation can inspire others to create their own authorization-locked AI Agent solutions.

Authorization for AI Applications with Permit.io

Permit.io offers comprehensive access control options:

  • Policy-based controls
  • Role-Based Access Control (RBAC)
  • Attribute-Based Access Control (ABAC)
  • Relationship-Based Access Control (ReBAC)

For this proof of concept, we implemented RBAC with distinct roles:

  • PM (Product Manager)
  • Tester
  • Developer
  • Admin

Future Scalability

Permit.io enables sophisticated access control scenarios:

  • C-Suite level meeting booking and email permissions
  • Selective access to sensitive documentation
  • Complex relationship-based access patterns

Example Use Case:

In a multi-team environment (Supply Chain, Operations, Transport), Permit.io could enable location-based access control. A transport team member in location X could access specific supply chain documentation from that location in the Pinecone database.

Images

Image creation
No Permissions
Permission management page

Tech Stack Query

Issue Creation

Github Issue

Leave Policy

Team Members

@paulmkallarackal (Me)