Authentication & Access Control
Every request is authenticated through Supabase Auth with row-level security policies enforced at the database layer.
- Email + OTP-based authentication with verified sign-up flow
- Row-level security (RLS) on every table — students only access their own data
- Teacher-scoped class management with enrollment verification
- Session tokens with automatic expiry and refresh
Isolated Code Execution
Student code runs in a sandboxed FastAPI runtime on Fly.io, fully isolated from the application database and other students.
- Server-side execution in isolated containers — no browser-based eval
- Configurable timeouts to prevent infinite loops and resource abuse
- Memory limits enforced per execution to prevent denial-of-service
- No network access from student code runtime environment
Grading Integrity
All grading is server-authoritative. Hidden test cases, scoring weights, and solution logic never reach the browser.
- Hidden tests stored server-side and never exposed in API responses
- Scoring computed on the server with results written to the database
- Submission lock controls prevent late or unauthorized submissions
- Teacher overrides logged with timestamp and user attribution
Data Visibility Controls
Assignment visibility windows, submission states, and grade access are all controlled by the teacher at the class and assignment level.
- Assignment publish/unpublish with scheduled visibility windows
- Student view limited to their own submissions and grades
- Gradebook access restricted to class owner (teacher)
- API endpoints enforce role checks before returning data
Audit & Compliance
All state changes — submissions, grade overrides, exemptions — are tracked in the database with timestamps and user references.
- Submission history with created_at timestamps for every attempt
- Grade override fields with clear attribution to teacher actions
- Class enrollment records tied to user accounts and invite codes
- School and District plans include dedicated compliance and review support