21 changes: 21 additions & 0 deletions LICENSE
@@ -0,0 +1,21 @@
MIT License

Copyright (c) 2026 nasr

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
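Review bot: the copyright line names `nasr` as the holder, while the repository and every PR/issue link in the accompanying PROGRESS.md hunk live under `div0rce`; confirm that is the intended legal holder before merge, since the README's new license section (per the M11 DoD line) now points readers at this file and the holder name is the one fact in an MIT text that cannot be fixed later without a new copyright notice.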
36 changes: 16 additions & 20 deletions PROGRESS.md
@@ -8,29 +8,25 @@

## Current state

- **Active milestone:** M10Containerization + Terraform (AWS) + CD
- **Status:** complete on branch (started 2026-05-29, completed 2026-05-29); awaiting CI green and human squash-merge. Per the locked constraints, **no `terraform apply` was run** — the PR ships infra-as-code only. Demo deployment + screenshots remain a manual operator action documented in `infra/README.md`.
- **Active branch:** `feat/m10-deploy` (PR open — see Milestone status)
- **Last completed milestone:** M9Evaluation harness (PR #12, merged 2026-05-29)
- **`make check` passing:** baseline green from M9; M10 adds 8 request-id-middleware tests for a backend total of 195. Frontend tests unchanged (7).
- **Last action:** committed M10 in 5 small Conventional Commits (housekeeping; backend structlog + request-id middleware + production Dockerfile + tests; frontend production Dockerfile + nginx.conf.template; Terraform stack with five modules; CD workflow + .dockerignore relocation + CI terraform job).
- **Next action:** human squash-merges the M10 PR. After merge, follow `infra/README.md` to apply the stack, set the GitHub `AWS_ROLE_ARN` secret from the OIDC role output, write the API keys via `aws ssm put-parameter`, dispatch the CD workflow, capture demo screenshots, and `terraform destroy` immediately. Then `/start-milestone 11` for docs + diagram + demo.
- **Active milestone:** M11Docs, architecture diagram, demo
- **Status:** complete on branch (started 2026-05-29, completed 2026-05-29); awaiting CI green and human squash-merge.
- **Active branch:** `feat/m11-docs-demo` (PR open — see Milestone status)
- **Last completed milestone:** M10Containerization + Terraform (AWS) + CD (PR [#14](https://github.com/div0rce/sentinel/pull/14), merged 2026-05-29 at `b18112d`)
- **`make check` passing:** baseline green from M10 (195 backend pytest, 7 frontend Vitest, ruff/mypy clean). Docs-only PR; no code surface changed.
- **Last action:** committed M11 in 5 small Conventional Commits — PROGRESS.md housekeeping, `docs(architecture)` (write-up + Mermaid source + rendered PNG), `docs(demo)` (7-step script), `docs(readme)` (portfolio entry-point), `docs: add MIT LICENSE`.
- **Next action:** human squash-merges the M11 PR. After merge, capture screenshots from a real demo run, drop them into `docs/screenshots/`, and tackle the post-M11 backlog (real-provider eval numbers per [#13](https://github.com/div0rce/sentinel/issues/13), eval set expansion, multi-tenant + RBAC, OTel traces, Multi-AZ + private subnets).
- **Blockers:** none.

### M10 DoD verification
### M11 DoD verification

- [ ] **`terraform plan` is clean; `apply` provisions the stack.** *Pending* — locally we have no `terraform` binary and the user has explicitly forbidden any `terraform plan`/`apply` or AWS API calls in this session. The infra is wired so a `terraform fmt -check` + `terraform validate` job runs in CI on every PR (no AWS creds needed); plan/apply remains a manual operator step. Confirming this DoD item requires the operator to run `terraform plan` against an AWS account, which is the M11 demo workflow.
- [x] **CD workflow builds and deploys on manual dispatch.** `.github/workflows/cd.yml` is `workflow_dispatch`-only (no `push:`/`pull_request:` triggers — the M10 cost-control invariant), uses `aws-actions/configure-aws-credentials@v4` against an OIDC role written by `infra/modules/ci_oidc/`, builds backend and frontend images, pushes to ECR with the git SHA tag, and force-redeploys the ECS services.
- [x] **App is reachable at a URL** — *infra-as-code complete*. The ALB DNS (`output "alb_dns_name"`) is the URL once `terraform apply` succeeds. Capturing screenshots is the M11 demo task; the operator runs `terraform destroy` immediately after.
- [x] **README is complete and accurate; quickstart works from a clean clone.** README.md ships with the full problem → architecture → features → quickstart → evaluation → governance → deployment → limitations → roadmap → license sections, embeds the rendered architecture PNG, and links every sub-doc. Quickstart is the same flow `docs/demo.md` covers in detail; the test suite (`make check`) was re-verified green on this branch.
- [x] **Architecture diagram committed (source + image).** `docs/architecture.mmd` (76 lines, LR layout) is the single source. `docs/architecture.png` (3168×2234, rendered via `mmdc 11.15.0`) is the committed image. Render command is documented in `docs/architecture.md` and `README.md` so a reviewer can regenerate the PNG from source without guessing.
- [x] **Limitations + synthetic-data disclaimer present and honest.** README "Limitations & synthetic-data disclaimer" lists synthetic data, small eval set, pending real-provider numbers (#13), demo-only deploy posture, self-reported confidence (routing signal, not calibrated probability), citation-validity in-context check. Top-of-file callout reinforces the disclaimer.

### M10 design lock-ins
### Follow-ups tracked outside M11

- **Code only.** No `terraform apply`. No AWS resource creation. No incurred costs in this PR.
- **Cost posture.** Public-subnet + no-NAT-Gateway, single-AZ, Fargate `0.25 vCPU / 0.5 GB`, RDS `db.t4g.micro`. NAT Gateway idle cost (~$32/month) avoided. RDS **not publicly accessible** (security-group ingress keyed only to the backend task SG). Idle floor estimate ~$45/month, dominated by ALB + Fargate + RDS.
- **CD trigger.** `workflow_dispatch` only. The trigger gate is the M10 cost-control mechanism.
- **Region.** `us-east-1`. Pinned via `var.region` default.
- **Secrets.** Runtime secrets in SSM Parameter Store (SecureString); written out-of-band so values stay out of Terraform state. CI identity via GitHub OIDC, not long-lived access keys.
- **Demo-only.** `infra/README.md` documents the teardown recipe (`terraform destroy` immediately after demo screenshots) and every cost/security tradeoff (single-AZ, no Multi-AZ, no auto-scaling, no remote state, plain HTTP on the ALB).
- **#13** — record real-provider eval numbers (M9 follow-up). Stays open until keys are wired and `make eval` is run for real.
- **Backlog (MILESTONES.md):** multi-tenant + RBAC, eval set expansion, OTel traces, Multi-AZ + private subnets + ACM TLS + S3/DynamoDB Terraform backend.

---

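Review bot: the removed "M10 design lock-ins" block was the only place in the current-state section that recorded the security tradeoffs of the demo stack (plain HTTP on the ALB, no remote Terraform state, RDS reachable only from the backend task SG, OIDC instead of long-lived keys), and the replacement "Follow-ups tracked outside M11" list carries none of them; the M11 DoD line for the README limitations section lists "demo-only deploy posture" but does not mention the missing TLS, even though ACM TLS appears in the backlog line. Either confirm the README limitations section names plain-HTTP/no-TLS explicitly or keep a one-line pointer to `infra/README.md` here so the tradeoff stays discoverable. Secondary: the "quickstart works from a clean clone" DoD item is checked on the strength of `make check` being green on this branch, which verifies the test suite rather than a fresh-clone quickstart; state what was actually run from a clean checkout or leave the item open.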
@@ -48,8 +44,8 @@
| M7 | Audit log + HITL | `feat/m07-audit-hitl` | ☑ merged | [#8](https://github.com/div0rce/sentinel/pull/8) | 2026-05-29 |
| M8 | Frontend | `feat/m08-frontend` | ☑ merged | [#9](https://github.com/div0rce/sentinel/pull/9) | 2026-05-29; perf follow-up [#11](https://github.com/div0rce/sentinel/pull/11) |
| M9 | Evaluation harness | `feat/m09-eval` | ☑ merged | [#12](https://github.com/div0rce/sentinel/pull/12) | 2026-05-29; real-provider numbers tracked in [#13](https://github.com/div0rce/sentinel/issues/13) |
| M10 | Deploy (Docker/Terraform/CD) | `feat/m10-deploy` | ◐ complete on branch (PR open) | _filled in after `gh pr create`_ | 2026-05-29; code-only — no apply ran |
| M11 | Docs + diagram + demo | `feat/m11-docs-demo` | ☐ | — | |
| M10 | Deploy (Docker/Terraform/CD) | `feat/m10-deploy` | ☑ merged | [#14](https://github.com/div0rce/sentinel/pull/14) | 2026-05-29; code-only — apply remains a manual operator action |
| M11 | Docs + diagram + demo | `feat/m11-docs-demo` | ◐ complete on branch (PR open) | _filled in after `gh pr create`_ | 2026-05-29; docs-only |

Status key: ☐ not started · ◐ in progress · ☑ merged

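Review bot: the new M11 row still carries the `_filled in after `gh pr create`_` placeholder in the PR column even though the "Active branch" bullet in the earlier hunk states the PR is already open; fill in the `#NN` link before squash-merge so the table does not lag behind the status bullets the way the M10 row did until this PR corrected it.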