Professional Workroom WallGuard product surface #511

@mdheller

Parent: SocioProphet/sociosphere#392
Depends on: SocioProphet/policy-fabric#86

Purpose

Add the product/runtime plan for Professional Workroom WallGuard: wall-scoped professional workrooms where humans, agents, documents, memories, tools, connectors, and generated artifacts operate under enforceable confidentiality topology.

This must be clean-room work. Do not depend on cascade, presidio, or OrchestraOS.

Product capabilities

  • create wall-scoped workroom
  • bind client/matter/confidentiality labels
  • add/remove human and agent subjects
  • show wall state and active policy version
  • require acknowledgment where needed
  • show blocked access/collaboration attempts
  • route clean-room release requests
  • display receipt/audit references for sensitive actions

First vertical slice

  • Create Client A / Matter X workroom.
  • Bind one human and one agent.
  • Ingest restricted and public resources through canonical ingest/catalog paths.
  • Deny unauthorized retrieval.
  • Deny cross-wall agent collaboration.
  • Allow same-wall collaboration.
  • Permit clean-room release with receipt.
  • Deny restricted global-memory write.
  • Surface WallDecisionReceipt references in UI/API state.

Acceptance criteria

  • Product plan identifies all enforcement points and does not implement policy logic locally.
  • UI/API consumes canonical WallGuard decisions from policy/contracts layer.
  • Failure mode is fail-closed for missing wall context.
  • No code or schema imported from noncanonical/unlicensed repos.
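
The fail-closed and "no local policy logic" criteria above, sketched as an added example that is not part of the issue or the project's code. Every name in it (`WallContext`, `Decision`, `Outcome`, `enforce`, `stub_policy_layer`, the `wdr-` receipt references) is hypothetical, and the canned decisions are constructed stand-ins for the policy/contracts layer:

```python
from dataclasses import dataclass
from typing import Callable, Optional

# All names below are hypothetical; the issue defines no API.
@dataclass(frozen=True)
class WallContext:
    wall_id: str
    policy_version: str

@dataclass(frozen=True)
class Decision:                      # assumed shape of a canonical decision
    allow: bool
    receipt_ref: Optional[str]       # assumed WallDecisionReceipt reference

@dataclass(frozen=True)
class Outcome:
    allowed: bool
    reason: str
    receipt_ref: Optional[str] = None

def enforce(subject: str, action: str, resource: str,
            ctx: Optional[WallContext], decide: Callable) -> Outcome:
    """Relay the policy layer's decision; every other path denies."""
    if ctx is None or not ctx.wall_id or not ctx.policy_version:
        return Outcome(False, "missing wall context")
    try:
        d = decide(subject, action, resource, ctx)
    except Exception:
        return Outcome(False, "policy layer unavailable")
    if not isinstance(d, Decision):
        return Outcome(False, "malformed decision")
    if d.allow is not True:
        return Outcome(False, "denied by policy", d.receipt_ref)
    if not d.receipt_ref:
        return Outcome(False, "allow without receipt")
    return Outcome(True, "allowed", d.receipt_ref)

# Constructed stand-in for the policy/contracts layer: canned decisions only.
CANNED = {
    ("agent-1", "retrieve", "doc-restricted"): Decision(True, "wdr-0001"),
    ("agent-2", "retrieve", "doc-restricted"): Decision(False, "wdr-0002"),
    ("agent-1", "release", "summary"): Decision(True, None),  # malformed allow
}

def stub_policy_layer(subject, action, resource, ctx):
    # An unknown request raises KeyError, which models an unreachable layer.
    return CANNED[(subject, action, resource)]
```

The enforcement point never inspects labels or wall membership itself, so the only way to reach an allow is a well-formed decision from the policy layer that carries a receipt reference.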
