Document the runnable Docker workflow, expected one-shot container exits, server-controlled Bailian namespace switch, current earned progress, and the security and evaluation work that still blocks private-data or graduation release claims.
Constraint: Current local Bailian credentials are rejected by the configured workspace
Rejected: Mark the project complete from synthetic metrics | would overstate provider, OCR, authorization, and blind-evaluation readiness
Confidence: high
Scope-risk: narrow
Directive: Keep progress evidence task-based and distinguish synthetic engineering validation from real geological efficacy
Tested: make verify-design; Markdown links; secret scan; diff checks
Not-tested: Final thesis review and live provider authorization
The project begins with architecture, data governance, reproducible evaluation, deployment boundaries, and secret-handling contracts so later code has measurable acceptance criteria.
Constraint: Real provider credentials, workspace identities, and restricted geological data must never enter Git
Rejected: Add placeholder runnable services in the design commit | would imply unverified implementation readiness
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Run make verify before every commit and update ADRs when architecture boundaries change
Tested: Secret scan, Markdown links, YAML parse, shell syntax, and staged diff validation
Not-tested: Application runtime is intentionally deferred to the implementation stage