Three students. Two roles each. One firewall.
Every Founding Case wears two hats: they are also internal contributors. That means we have to enforce — by schema, not by promise — that the two records never cross-pollute.
Case #001 · Xiayutong
Track: CS Career Proof. Status: onboarded, sprint 0 underway, consent_status pending written confirmation.
Xiayutong is an international CS student. Her sprint is anchored in the m590 knowledge graph: she is extending the advisor-identity anchor methodology (originally cancer-focused via m554) into broader academic CS domains. The work product is a set of ORCID/PubMed/LinkedIn cross-verified advisor cards, each at L3 the moment they are committed.
On the case side, her record stays in the _cases/case_001_xiayutong/ RLS-isolated namespace and is not visible to reviewers of her contributor work.
Case #002 · Hanhe Fang
Track: Bio PhD Research Proof. Status: onboarded, sprint 0 underway, consent_status pending written confirmation.
Hanhe Fang is an international biology student. Her sprint annotates EGFR / BRCA / CAR-T literature inside m610-612 and extends a subset of m516's aging-card schema. Each merged annotation is L3 at minimum, with the option to move to L4 when consumed by a published m612 cohort.
Same dual-identity firewall as Case #001: case data sits in _cases/case_002_hanhefang/, contributor data sits in normal git history, and there is no JOIN between them.
Case #003 · TBD
Track: reserved · non-Chinese international student. Status: open seat held under Charter §3.14.
Per Charter §3.14, the founding cohort cannot be sole-nationality. Case #003 is a hard seat for a non-Chinese international student. We will not backfill with a second Chinese student to round out the cohort — that would compromise the redline.
Tracks under consideration for Case #003: economics / statistics with a research-readiness orientation, or a return-track candidate (US-trained intending to return to home country). Outreach is paused until the cohort selection process is documented and the consent template is finalized.
The dual-identity firewall
Each founding case is also paid as an internal contributor. The system must guarantee that the two roles do not contaminate each other:
- Reviewer blind. When a reviewer evaluates a student's contribution work for m590, m610-612, m624, or m516, the reviewer does not know that the contributor is also Case #00X.
- Case data is RLS-isolated. _cases/case_NNN_<name>/ namespaces are reachable only by named principals (case owner + outcome tracker), enforced by row-level security.
- Contributor commits are normal. Pull requests, code review, payroll go through the same path any other contributor uses.
- No JOIN. Salary tables and case-access-fee tables do not share a foreign key. CI verifies on every migration that no such JOIN exists.
- Public case use is separately consented. Being a paid contributor does not constitute consent to be in the public case library. Public-use consent is a separate written record.
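One way to implement the CI check from the "No JOIN" item, as an added example (not the project's own code): apply the migrations to a scratch SQLite database and report any chain of declared foreign keys that links a salary table to a case-access-fee table. It goes beyond a direct shared key by also following indirect chains through intermediate tables; the table names, prefixes and sample migrations are constructed assumptions.

```python
import sqlite3
from collections import defaultdict

# Hypothetical table-name prefixes for the two sides of the firewall.
SALARY_PREFIX = "salary_"
CASE_FEE_PREFIX = "case_access_fee_"

# Constructed sample migrations: CLEAN keeps the sides apart, BAD links them.
CLEAN = """
CREATE TABLE contributors (id INTEGER PRIMARY KEY, handle TEXT);
CREATE TABLE salary_payments (id INTEGER PRIMARY KEY,
    contributor_id INTEGER REFERENCES contributors(id), amount_cents INTEGER);
CREATE TABLE case_access_fee_shares (id INTEGER PRIMARY KEY, case_ref TEXT);
"""
BAD = ("ALTER TABLE case_access_fee_shares "
       "ADD COLUMN contributor_id INTEGER REFERENCES contributors(id);")

def fk_graph(conn):
    """Undirected graph of declared foreign keys: table -> linked tables."""
    graph = defaultdict(set)
    names = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    for (table,) in names.fetchall():
        graph[table]  # register tables that have no foreign keys at all
        for row in conn.execute(f'PRAGMA foreign_key_list("{table}")'):
            parent = row[2]  # third column is the referenced table
            graph[table].add(parent)
            graph[parent].add(table)
    return graph

def firewall_violations(migrations):
    """Apply migrations in order; return FK paths from salary to case-fee tables."""
    conn = sqlite3.connect(":memory:")
    for sql in migrations:
        conn.executescript(sql)
    graph = fk_graph(conn)
    violations = []
    for start in sorted(t for t in graph if t.startswith(SALARY_PREFIX)):
        paths, seen = [[start]], {start}
        while paths:  # breadth-first search over FK edges in either direction
            path = paths.pop(0)
            for nxt in sorted(graph[path[-1]]):
                if nxt in seen:
                    continue
                seen.add(nxt)
                if nxt.startswith(CASE_FEE_PREFIX):
                    violations.append(path + [nxt])  # a JOIN path exists
                else:
                    paths.append(path + [nxt])
    return violations

if __name__ == "__main__":
    print(firewall_violations([CLEAN, BAD]))
```

The check sees declared foreign keys only: two tables that store the same identifier in unconstrained columns can still be joined by value, so it complements the row-level security on the case namespace and does not replace it.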
Case consent
Charter §5 in plain prose: before a Founding Case enters the case library at any visibility, the record must contain a written, revocable consent with named redaction targets (school, visa status, employer, family finance, health, immigration timeline).
Compensation for outcome tracking is $50–200 per follow-up, capped at 36 months. Founding cases share in case-access fees up to 5× their own paid contribution.
Exit clause
A founding case can revoke public-use consent at any time. Revocation immediately removes the case from public surfaces but does not affect the internship relationship. Internal methodology can keep a redacted version of the case for future audit consistency, with PII removed.
Privacy right always wins over methodology continuity. We will publicly note that a case was revoked without naming the case.