...
I'm pretty sure there are other possibilities if none of these seems to fit your use case.
Glenn Golden adds:
Steve - if your tool is making calls to the content hosting API to manage the content, then you need to use a security advisor around your content hosting calls. This lets you re-define the security of the content hosting api calls to whatever you desire for that call. You can do your own security, then just let content hosting do the work of managing your content without its security.
If you are letting users put content into content hosing via the resources tool directly, this won't work. Then the access is completely under content hosting's security.