# Prompt-Derived Role Policy Design Brief

## Background
WHOOSH currently loads a curated library of role prompts at startup. These prompts already capture the intended responsibilities, guardrails, and collaboration patterns for each role. SLURP and SHHH need a consistent access-control baseline so that temporal records, UCXL snapshots, and DHT envelopes stay enforceable without depending on ad-hoc UI configuration. Today the access policies are loosely defined, leading to drift between runtime behaviour and storage enforcement.

## Goals
- Use the existing prompt catalog as the authoritative source of role definitions and minimum privileges.
- Generate deterministic ACL templates that SLURP, SHHH, and distribution workers can rely on without manual setup.
- Allow optional administrator overrides via WHOOSH UI while keeping the default hierarchy intact and auditable.
- Provide a migration path so temporal/DHT writers can seal envelopes with correct permissions immediately.

## Proposed Architecture

### 1. Prompt → Policy Mapper
- Build a WHOOSH service that parses the runtime prompt bundle and emits structured policy descriptors (per role, per project scope).
- Each descriptor should include: capability tags (read scope, write scope, pin, prune, audit), allowed UCXL address patterns, and SHHH classification levels.
- Output format: versioned JSON or YAML stored under UCXL (e.g., `ucxl://whoosh:policy@global:roles/#/policy/v1`).

### 2. Override Layer (Optional)
- WHOOSH UI can expose an editor that writes delta documents back to UCXL (`…/policy-overrides/v1`).
- Overrides apply as additive or subtractive modifiers; the base policy always comes from the prompt-derived descriptor.
- Store change history in UCXL so BUBBLE can audit adjustments.

### 3. Consumer Integrations
- **SLURP**: when sealing temporal/DHT envelopes, reference the policy descriptors to choose ACLs and derive role-based encryption keys.
- **SHHH**: load the same descriptors to provision/rotate keys per capability tier; reject envelopes that lack matching policy entries.
- **WHOOSH runtime**: cache the generated descriptors and refresh if prompts or overrides change; surface errors if a prompt lacks policy metadata.

## Deliverables
1. Policy mapper module with tests (likely Go for WHOOSH backend; consider reusing ucxl-validator helpers).
2. Schema definition for policy documents (include example for engineer, curator, archivist roles).
3. SLURP + SHHH integration patches that read the policy documents during startup.
4. Migration script that seeds the initial policy document from the current prompt set.

## Implementation Notes
- Keep everything ASCII and version the schema so future role prompts can introduce new capability tags safely.
- For MVP, focus on read/write/pin/prune/audit capabilities; expand later for fine-grained scopes (e.g., project-only roles).
- Ensure policy documents are sealed/encrypted with SHHH before storing in DHT/UCXL.
- Expose metrics/logging when mismatches occur (e.g., temporal writer cannot find a policy entry for a role).

## Risks & Mitigations
- **Prompt drift**: If prompts change without regenerating policies, enforcement lags. Mitigate with a checksum check when WHOOSH loads prompts; regenerate automatically on change.
- **Override misuse**: Admins could over-provision. Mitigate with BUBBLE alerts when overrides expand scope beyond approved ranges.
- **Performance**: Policy lookups must be fast. Cache descriptors in memory and invalidate on UCXL changes.

## Open Questions
- Do we need per-project or per-tenant policy branches, or is a global default sufficient initially?
- Should BACKBEAT or other automation agents be treated as roles in this hierarchy or as workflow triggers referencing existing roles?
- How will we bootstrap SHHH keys for new roles created solely via overrides?

## References
- Existing prompt catalog: `project-queues/active/WHOOSH/prompts/`
- Temporal wiring roadmap: `project-queues/active/CHORUS/docs/development/sec-slurp-ucxl-beacon-pin-steward.md`
- Prior policy discussions (for context): `project-queues/active/CHORUS/docs/progress/report-SEC-SLURP-1.1.md`