Vol. I · No. 05
The Editor's Desk
The pioneer's review room
Solar Voice
Governance Console · judge · run · imprimatur
Reading the proof — validation lens² · 🟦 Graph · real node/edge · 🟪 Hybrid · grounded + rendered · 🟨 LLM · voice, no fabrication · 🟩 Data · own, not inflated · ⬜ Fixed · static · 🟥 Care · two-tier holds. The Desk inherits the Bench's ink key — same house.
Pioneer credentials required
This whole console is gated to pioneer.
Compositors set the type at the Bench; only the editor-in-chief sits at the Desk. Access is decided by roleOf(email) reading config/roles — a narrow allowlist, in practice just Antano & Harini.¹ Everyone else is routed back to /optimize, sandboxed to their own optimization/{uid}.
A

The Masthead Credentials

config/roles · who may sit where
THE ALLOWLIST
Four roles. One sits at the Desk.
The role map is a single Firestore doc — config/roles { email → role }. Read on every request by the shared roleOf(email) guard. Admin maintains it; the pioneer reads it.
Per-role counts (Pioneer · the Desk, Operator, Optimizer, Admin, Total credentialed) and the credential table — Email · Role · Rank · Sits at · Source — are rendered live from config/roles.
Gate · not a ranker
The role map governs access only — it never judges proofs. Judgment happens at the Proof Spike and Readership, on telemetry; the floor flags ineligibility. Credentials decide who is in the room, nothing about which edition goes to press.
B

Standing & Sandbox

— what each credential may do, and where it is bounded
Editor-in-Chief (Pioneer) · role · pioneer · rank 3 — credentialed
May
  • Cross-operator view — see every operator's nominated proofs, prompt & corpus
  • Judge by telemetry — outcome first, sim second; the score is a lens
  • Order a print run — A/B a pair on a definable % of users
  • Grant the imprimatur — lock the winner to config/live
Bounded by · a narrow allowlist — Antano & Harini (the bootstrap floor). The only role that may write config/live and experiments/{id}. Every lock is audit-logged and git-mirrored.
Compositor (Operator) · role · operator · rank 1 — credentialed
May
  • Set the type — tune the prompt & the corpus stock
  • Run sims on the zero-variation engine over shared personas
  • Nominate a proof — flip nominated:true for the Desk
  • Replay their own past editions
Sandbox · scoped to optimization/{uid} — own iterations only. Cannot see other operators, cannot A/B, cannot lock. Nominating is a request, not a release.
Compositor · press side (Optimizer) · role · optimizer · rank 2 — credentialed
May
  • Tune prompt + corpus — same Bench as the operator
  • Run sims + read the advisory sim-score
  • Nominate proofs to the Desk
  • Same Editions / replay history
Sandbox · the same optimization/{uid} sandbox as the operator — a parallel Bench credential. No cross-operator view, A/B, or lock. (Distinct seat name, identical bounds — the studio may split duties later.)
The Registrar (Admin) · role · admin · rank 4 — credentialed
May
  • Maintain the allowlist — assign / change a role per email
  • Write config/roles { email → role }
  • Bootstrap is fixed in code — the floor can only elevate
Sandbox · the role map only. No Desk, no Bench — manages who may enter, never the editions themselves. The separation of the keymaker from the keyholders. (Highest rank: 4.)
C

The Guard

roleOf(email) over the OPERATOR_EMAILS floor
index.js · the access rewire
functions/index.js · today → governed
// TODAY — a hard-coded constant; flat "operator or not"
const OPERATOR_EMAILS = [
  'antano@antanoharini.com',
  'solar345@gmail.com',
  'solar345@yahoo.com',
  'harini@antanoharini.com',
];

// every operator endpoint repeats this gate:
if (!OPERATOR_EMAILS.includes(user.email))
  return res.status(403)...

// GOVERNED — config/roles AUGMENTS the floor
const role = await roleOf(db, email); // config/roles ∪ floor
canOperate(role)  // Bench: operator|optimizer|pioneer|admin
canGovern(role)   // Desk : pioneer|admin → else 403
canAdmin(role)    // the allowlist write only
config/roles · live Firestore doc — rendered from the live document

Today, access is a flat constant — OPERATOR_EMAILS in index.js — and the gate (OPERATOR_EMAILS.includes(user.email)) is copy-pasted across optimize, optimizeRuns, personas, cost, and metrics. It answers only a yes/no question: operator, or not?

roleOf(db, email) augments that constant: it reads config/roles, returns the role string, and is floored so that the legacy emails always keep Bench access — the floor can elevate, never demote.⁷ Bench endpoints accept operator · optimizer · pioneer · admin; the Desk endpoints — the cross-operator board, A/B, and the lock — require pioneer (canGovern); writing the allowlist itself requires admin (canAdmin).

request · user.email → roleOf() → config/roles ∪ floor → pioneer · operator · optimizer · admin · ∅

The migration is faithful: the four emails in today's OPERATOR_EMAILS all keep Bench access (the operator floor). Two of them — Antano & Harini — are the bootstrap pioneers, which is what unlocks this console. Nothing that worked stops working; the map just gains a vocabulary.

Zero-variation
The same roleOf() is the one guard the engine, the optimizer, and this console all call — one code path, never re-implemented. A role change takes effect within the config cache TTL (~30s), with no deploy.⁵
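The guard described in this section, as an added example rather than code from the page or from the project's functions/index.js: a rank table, the bootstrap floor pinned in code, roleOf as max(floor, configured), a ~30s cache, the three predicates, and one reusable wrapper that replaces the per-endpoint copy of the gate. The names resolveRole, createRoleGuard, requireRole, fakeRolesDb and the clock option are assumptions made for the example; canGovern admits pioneer or admin as the index.js sketch above states; the Firestore client is a constructed in-memory stub whose call shape (collection().doc().get(), snapshot.exists / data()) mirrors the Node SDK.

```javascript
// Added example, not the project's index.js. Role names, ranks, the four
// floor emails and the ~30s TTL come from the page; everything else is assumed.

const RANK = { operator: 1, optimizer: 2, pioneer: 3, admin: 4 };

// Bootstrap floor pinned in code: the legacy OPERATOR_EMAILS keep Bench access,
// and the two founders are floored to pioneer.
const FLOOR = {
  'antano@antanoharini.com': 'pioneer',
  'harini@antanoharini.com': 'pioneer',
  'solar345@gmail.com': 'operator',
  'solar345@yahoo.com': 'operator',
};

const ROLES_TTL_MS = 30_000; // the page's ~30s config cache

// A role string outside the vocabulary ranks as nothing, so a typo in
// config/roles can never grant anything.
const known = (r) => (typeof r === 'string' && Object.prototype.hasOwnProperty.call(RANK, r) ? r : null);
const rank = (r) => (known(r) ? RANK[r] : 0);

// Pure core of roleOf: max(floor, configured). The floor can elevate, never demote.
function resolveRole(email, roleMap) {
  const key = String(email || '').trim().toLowerCase();
  const floored = known(FLOOR[key]);
  const configured = known((roleMap || {})[key]);
  return rank(floored) >= rank(configured) ? floored : configured;
}

const canOperate = (role) => rank(role) >= RANK.operator;           // Bench: any credentialed role
const canGovern = (role) => role === 'pioneer' || role === 'admin';  // Desk, as in the index.js sketch
const canAdmin = (role) => role === 'admin';                          // the allowlist write only

// One guard instance per process: config/roles ∪ floor, cached for ttlMs.
// `clock` is injectable so the TTL behaviour can be exercised deterministically.
function createRoleGuard(db, { ttlMs = ROLES_TTL_MS, clock = Date.now } = {}) {
  let cache = { map: null, fetchedAt: -Infinity };

  async function roleMap() {
    const now = clock();
    if (cache.map && now - cache.fetchedAt < ttlMs) return cache.map;
    const snap = await db.collection('config').doc('roles').get();
    cache = { map: (snap.exists && snap.data()) || {}, fetchedAt: now };
    return cache.map;
  }

  async function roleOf(email) { return resolveRole(email, await roleMap()); }

  // Express-style wrapper: the check lives here once instead of in every endpoint.
  function requireRole(predicate, handler) {
    return async (req, res) => {
      const role = await roleOf(req.user && req.user.email);
      if (!predicate(role)) return res.status(403).json({ error: 'forbidden', role });
      req.role = role;
      return handler(req, res);
    };
  }

  return { roleOf, requireRole };
}

// Constructed Firestore stand-in holding a single document, config/roles.
function fakeRolesDb(rolesDoc) {
  const store = { 'config/roles': rolesDoc };
  return {
    collection: (c) => ({
      doc: (d) => ({
        get: async () => ({ exists: store[`${c}/${d}`] !== undefined, data: () => store[`${c}/${d}`] }),
      }),
    }),
    write: (path, data) => { store[path] = data; }, // test hook, not a Firestore method
  };
}

// Stand-alone demo of the floor, elevation through config, and the cache TTL.
async function demo() {
  const db = fakeRolesDb({ 'antano@antanoharini.com': 'operator', 'newhire@example.com': 'optimizer' });
  let t = 0;
  const guard = createRoleGuard(db, { clock: () => t });
  const before = await guard.roleOf('newhire@example.com');                 // 'optimizer'
  db.write('config/roles', { 'antano@antanoharini.com': 'operator', 'newhire@example.com': 'pioneer' });
  t = 10_000;
  const cached = await guard.roleOf('newhire@example.com');                 // still 'optimizer' (cached)
  t = 31_000;
  const after = await guard.roleOf('newhire@example.com');                  // 'pioneer' (refreshed)
  const founder = await guard.roleOf('antano@antanoharini.com');            // 'pioneer' (floor wins)
  const stranger = await guard.roleOf('nobody@example.com');                // null
  return { before, cached, after, founder, stranger };
}

if (typeof require !== 'undefined' && require.main === module) demo().then(console.log);
```

The guard is instantiated once with the db handle and every surface calls the same instance; a role written to config/roles becomes visible after the TTL with no deploy, while the floor entries are unreachable from the database and can therefore only be raised, never lowered.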
D

Assign / Change a Credential

— admin-only · writes config/roles
THE REGISTRAR'S FORM
● Admin only
Only the admin credential may write config/roles. A pioneer judges and presses editions but does not mint credentials — the keymaker is kept separate from the keyholders.
writes one { email → role } entry · audit-logged
WHY IT'S SPLIT THIS WAY
Separation of powers
i. Admin mints, pioneer presses. The role that grants access can't grant the imprimatur, and the role that grants the imprimatur can't grant access — so no single seat both writes the allowlist and ships an edition.
ii. Bench is sandboxed. Operator & optimizer never escape optimization/{uid}; nominating is the only signal they send upward, and it's a request, never a release.
iii. The allowlist is narrow on purpose. The bootstrap floor pins two pioneers in code; roleOf can elevate but never demote them — we can't lock ourselves out. Lock-to-production stays with the founders.
iv. Every change is logged. Role writes append set_role to governance_audit (who · when · email · role) — the same provenance discipline the Imprimatur log applies to editions.
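The Registrar's write path from sections D and the principles above, as an added example that is not the project's own code: only a caller whose resolved role is admin may mint, the role is checked against the vocabulary before anything is written, and the config/roles entry and its governance_audit line (who · when · email · role, per point iv) are committed in one Firestore batch so neither can land without the other. The names validateSetRole, setRole, SetRoleError and fakeRegistrarDb are assumptions made for the example; the caller's role is assumed to have been resolved already by roleOf(); Firestore is replaced by a constructed in-memory stub with the same call shape (collection().doc(), db.batch().set()/commit()).

```javascript
// Added example, not the project's code. Role vocabulary, collection names and
// the audit fields come from the page; the helpers and the stub are assumed.

const ROLE_VOCAB = ['operator', 'optimizer', 'pioneer', 'admin'];

class SetRoleError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Synchronous checks, run before anything touches the database. Returns the
// normalised target email or throws with the HTTP status the route should send.
// `caller` is { email, role } with role already resolved by roleOf().
function validateSetRole(caller, targetEmail, newRole) {
  if (!caller || caller.role !== 'admin') {
    throw new SetRoleError(403, 'only the admin credential may write config/roles');
  }
  if (!ROLE_VOCAB.includes(newRole)) throw new SetRoleError(400, `unknown role: ${newRole}`);
  const email = String(targetEmail || '').trim().toLowerCase();
  if (!EMAIL_RE.test(email)) throw new SetRoleError(400, 'target is not an email address');
  return email;
}

// The write: one { email → role } entry plus one audit line, committed together.
async function setRole(db, caller, targetEmail, newRole, now = new Date()) {
  const email = validateSetRole(caller, targetEmail, newRole);
  const entry = { action: 'set_role', who: caller.email, when: now.toISOString(), email, role: newRole };
  const batch = db.batch();
  // set(..., { merge: true }) rather than update(): update() would read the dots
  // in an email key as a nested field path instead of one literal map key.
  batch.set(db.collection('config').doc('roles'), { [email]: newRole }, { merge: true });
  batch.set(db.collection('governance_audit').doc(), entry); // doc() with no id = auto id
  await batch.commit();
  return entry;
}

// Constructed Firestore stand-in: documents keyed by path, plus a minimal batch.
function fakeRegistrarDb() {
  const store = new Map();
  let autoId = 0;
  const ref = (path) => ({ path });
  return {
    collection: (name) => ({ doc: (id = `auto-${++autoId}`) => ref(`${name}/${id}`) }),
    batch() {
      const ops = [];
      const b = {
        set(r, data, opts = {}) {
          ops.push(() => store.set(r.path, opts.merge ? { ...(store.get(r.path) || {}), ...data } : data));
          return b;
        },
        async commit() { ops.forEach((op) => op()); },
      };
      return b;
    },
    // inspection hooks for the demo and tests, not Firestore methods
    read: (path) => store.get(path),
    list: (prefix) => [...store.entries()].filter(([p]) => p.startsWith(prefix + '/')).map(([, d]) => d),
  };
}

// Stand-alone demo: a pioneer is refused (403, nothing written), an admin's write is audited.
async function demo() {
  const db = fakeRegistrarDb();
  const admin = { email: 'registrar@example.com', role: 'admin' };
  const pioneer = { email: 'antano@antanoharini.com', role: 'pioneer' };
  let refused = null;
  try { await setRole(db, pioneer, 'newhire@example.com', 'optimizer'); } catch (e) { refused = e.status; }
  await setRole(db, admin, 'NewHire@Example.com', 'optimizer', new Date('2024-01-01T00:00:00Z'));
  return { refused, roles: db.read('config/roles'), audit: db.list('governance_audit') };
}

if (typeof require !== 'undefined' && require.main === module) demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Because the audit record and the role entry share one batch, an audit line can never describe a write that did not happen, and a role can never appear in the map without its line in governance_audit.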
Marginal Apparatus · Operational Anchors
¹ The gate. Access to the Editor's Desk is decided by roleOf(db, email) reading the Firestore doc config/roles. Desk routes (cross-operator board, A/B, lock) require role pioneer (canGovern — pioneer or admin), a narrow allowlist, in practice Antano & Harini. Operator / optimizer are routed to the Bench (/optimize); admin manages the map. This is build-order step 1 — the gate for the whole console.
² Validation lens. Each surfaced component is coloured by what proves it true: 🟦 graph (a real node/edge), 🟪 hybrid (grounded + on-voice), 🟨 LLM (rendered language, no fabrication), 🟩 data (the user's own, never inflated), ⬜ fixed (static), 🟥 care (two-tier). The same ink key the Compositor's Bench uses — the Desk reads the proofs in the same colours.
⁵ Zero-variation. The engine chat path, the optimizer, and this console all call the same roleOf() — one guard, never re-implemented. Roles live in config/roles, app-cached (~30s TTL) like config/live; a change is picked up within the cache TTL, no deploy. If the guard could diverge between surfaces, access would be undefined.
⁷ roleOf(db, email) over OPERATOR_EMAILS. index.js still ships a four-email OPERATOR_EMAILS floor; roleOf() reads config/roles and returns max(floor, configured) — the floor can only ELEVATE. So the four legacy emails always keep Bench access (canOperate); Antano & Harini are floored to pioneer (canGovern). A new email becomes grantable purely via config/roles, no code change.