Skip to content

Commit 93d004a

Browse files
committed
Make Lantern Cloudflare D1 native
1 parent 7996111 commit 93d004a

143 files changed

Lines changed: 8995 additions & 12303 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

AGENTS.md

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -66,11 +66,12 @@ Default stack:
6666

6767
- Deno
6868
- Hono
69-
- Postgres
69+
- Cloudflare D1 for persistence
70+
- Cloudflare R2 for reviewed artifacts and evidence
71+
- Cloudflare Worker Loader / Dynamic Workers for reviewed runtime delivery
7072
- hand-written SQL
7173
- server-rendered HTML
7274
- plain CSS tokens
73-
- HTMX only where it clearly helps
7475

7576
Avoid by default:
7677

@@ -132,7 +133,7 @@ The platform is the trusted boundary.
132133
Generated apps should not get:
133134

134135
- raw LMS tokens
135-
- direct database access
136+
- direct D1 database access
136137
- arbitrary outbound HTTP
137138
- direct grade writes
138139

APP_PACKAGE_SPEC.md

Lines changed: 10 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ This spec does not support:
3535

3636
- arbitrary backend code
3737
- direct LMS API access
38-
- direct database access
38+
- direct D1 database access
3939
- arbitrary outbound HTTP
4040
- direct grade writes
4141

@@ -372,29 +372,26 @@ If we add those, we have broken the trust boundary.
372372

373373
## Runtime Backend Note
374374

375-
This spec defines the app-facing capability contract, not one required hosting
376-
vendor or transport.
375+
This spec defines the app-facing capability contract. Lantern's checked-in
376+
runtime implementation is Cloudflare-native: Workers, D1, R2, and Worker
377+
Loader / Dynamic Workers.
377378

378-
Lantern may realize this contract through different runtime backends as long as
379-
the app sees the same narrow SDK surface and the same trust boundary.
380-
381-
For example, a managed Lantern deployment may choose a capability-based sandbox
382-
such as Cloudflare Dynamic Workers to:
379+
Lantern realizes this contract through a capability-based Dynamic Worker
380+
sandbox that:
383381

384382
- block arbitrary outbound Internet access
385383
- inject only explicit typed bindings that match Lantern capabilities
386384
- keep LMS credentials and other privileged secrets outside the app sandbox
387385

388-
That does not change the public package contract.
386+
That does not change the public package contract: app packages remain
387+
browser-first artifacts and do not receive Cloudflare bindings directly.
389388

390389
Rules:
391390

392391
- app packages must not depend on Cloudflare-specific APIs, bindings, or worker
393392
internals
394-
- self-hosted Lantern deployments must be able to honor the same contract
395-
through a different backend
396-
- Dynamic Workers or any similar sandbox may tighten the implementation, but
397-
they do not add new app capabilities by themselves
393+
- Dynamic Workers may tighten the implementation, but they do not add new app
394+
capabilities by themselves
398395

399396
## Scoring Contract
400397

AUTHORING.md

Lines changed: 3 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -55,15 +55,11 @@ run:
5555

5656
```sh
5757
deno task local:init
58-
createdb lantern
5958
deno task local:bootstrap
6059
deno task local:start
6160
```
6261

63-
Then open `http://localhost:8417/admin/packages`.
64-
65-
If `createdb` is not installed, create the `lantern` database through your
66-
normal Postgres tooling before `deno task local:bootstrap`.
62+
Then open the localhost URL printed by Wrangler.
6763

6864
## Package Shape
6965

@@ -206,7 +202,7 @@ Do not add:
206202

207203
- backend code
208204
- direct LMS calls
209-
- direct database calls
205+
- direct D1 database calls
210206
- arbitrary outbound HTTP
211207
- direct grade writes
212208
- fallback-heavy runtime branches
@@ -233,7 +229,7 @@ and admin import.
233229
When you want to move a reviewed package into Lantern's governed inventory:
234230

235231
1. Start Lantern locally.
236-
2. Open `http://localhost:8417/admin/packages/import`.
232+
2. Open `/admin/packages/import` on the localhost URL printed by Wrangler.
237233
3. Choose the exact package directory you scaffolded and validated locally.
238234

239235
Lantern validates the manifest and referenced files, stores an immutable

AUTHORING_FOR_LLMS.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -111,7 +111,7 @@ The app must not expect:
111111

112112
- raw LMS tokens
113113
- arbitrary network access
114-
- database access
114+
- D1 database access
115115
- server-side execution inside the package
116116

117117
## Preview Files

BROWSER_AUTOGRADER_COOKBOOK.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -150,9 +150,9 @@ checks instead of one starter file.
150150

151151
When the package is ready for governed review:
152152

153-
1. Start Lantern locally with `deno task local:init`, `createdb lantern`,
153+
1. Start Lantern locally with `deno task local:init`,
154154
`deno task local:bootstrap`, and `deno task local:start`.
155-
2. Open `http://localhost:8417/admin/packages/import`.
155+
2. Open `/admin/packages/import` on the localhost URL printed by Wrangler.
156156
3. Import the exact package directory you validated locally.
157157

158158
Lantern stores an immutable reviewed snapshot, signs the reviewed runtime

DESIGN.md

Lines changed: 137 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,137 @@
1+
# Lantern Design Principles
2+
3+
Lantern is a governed app platform for institution-built and AI-built learning
4+
apps. Its interface should make review, approval, launch, grading, and audit
5+
work feel clear and dependable.
6+
7+
This is the public UI design contract for the repo. It should stay focused on
8+
implementation-facing principles and reusable interface rules. Private product
9+
strategy, research, internal operations, and Cloudflare setup details do not
10+
belong here.
11+
12+
## Product Feel
13+
14+
Lantern should feel:
15+
16+
- institutional
17+
- clear
18+
- calm
19+
- trustworthy
20+
- more modern than Canvas, but compatible with that world
21+
22+
Lantern should not feel like:
23+
24+
- a flashy startup dashboard
25+
- a generic app marketplace
26+
- an LMS replacement
27+
- a pile of one-off admin screens
28+
29+
The UI exists to make governed learning-app operations legible. It should help
30+
reviewers and operators understand what is approved, what is live, what changed,
31+
what failed, and what evidence exists.
32+
33+
## Interface Model
34+
35+
Prefer:
36+
37+
- server-rendered HTML
38+
- plain CSS tokens
39+
- strong information hierarchy
40+
- accessible defaults
41+
- reusable page and component patterns
42+
- explicit status, evidence, and next action language
43+
- dense but readable operational pages
44+
45+
Avoid:
46+
47+
- React-heavy front ends by reflex
48+
- Tailwind or utility-heavy styling
49+
- highly custom one-off UI patterns
50+
- decorative effects that compete with operational facts
51+
- marketing-page composition inside the admin product
52+
- hidden fallback flows or ambiguous recovery states
53+
54+
When a page is about governance, the primary facts should be visible before
55+
secondary decoration or explanation.
56+
57+
## Visual Language
58+
59+
Use a quiet institutional palette:
60+
61+
- navy and blue-gray for structure and primary actions
62+
- warm amber only as a restrained brand accent
63+
- green, amber, and red for semantic success, warning, and danger states
64+
- light surfaces with clear borders and enough spacing to scan
65+
66+
The current admin tokens live in
67+
[`src/admin/layout_style_tokens.ts`](src/admin/layout_style_tokens.ts). New
68+
admin UI should use those tokens before introducing new colors, radii, shadows,
69+
or spacing systems.
70+
71+
Default shape:
72+
73+
- cards and controls use small radii
74+
- borders are preferred over heavy shadows
75+
- status badges should be semantic, compact, and readable
76+
- tables and fact grids should optimize for scanning and comparison
77+
78+
## Content Rules
79+
80+
Use plain operational language.
81+
82+
Good Lantern copy:
83+
84+
- names the object being acted on
85+
- states the exact status or blocker
86+
- names the trusted boundary when relevant
87+
- explains failures clearly without exposing secrets
88+
- gives one obvious next step when a next step exists
89+
90+
Avoid copy that:
91+
92+
- implies generated apps have raw LMS, D1 database, or grading access
93+
- hides governance behind vague success states
94+
- invents compatibility promises the system does not actually provide
95+
- exposes private tenant, infrastructure, pricing, or strategy details
96+
97+
## Workflow Rules
98+
99+
Every admin workflow should make these questions easy to answer:
100+
101+
1. What app, version, deployment, LMS slot, attempt, or placement am I looking at?
102+
2. Is it reviewed, approved, live, blocked, or failed?
103+
3. What exact boundary produced this state?
104+
4. What durable evidence exists?
105+
5. What is the one safe next action?
106+
107+
Prefer one correct path over several similar actions. If a task is unavailable,
108+
fail clearly and keep the user inside a Lantern-owned page.
109+
110+
## Accessibility
111+
112+
Accessibility is part of the governance model, not polish.
113+
114+
Design and implementation should preserve:
115+
116+
- semantic headings and landmarks
117+
- keyboard-reachable controls
118+
- visible focus states
119+
- readable contrast
120+
- labels for form controls
121+
- stable layout at narrow and wide viewport sizes
122+
- clear error text near the relevant action
123+
124+
When a reviewed package has accessibility evidence or exceptions, surface that
125+
state before it goes live.
126+
127+
## Review Checklist
128+
129+
Before shipping UI changes, check:
130+
131+
- The page still feels institutional, clear, and calm.
132+
- Primary governance facts are visible without hunting.
133+
- New styles reuse existing tokens and patterns.
134+
- Buttons and links have clear action language.
135+
- Failure states are explicit and do not silently degrade.
136+
- No private strategy, secrets, account details, or infra values appear.
137+
- The change keeps the trusted LMS/runtime/grading boundary legible.

Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,4 +21,4 @@ USER deno
2121

2222
EXPOSE 8417
2323

24-
CMD ["deno", "run", "--cached-only", "--no-prompt", "--allow-read=examples,var", "--allow-write=var", "--allow-env=PORT,DATABASE_URL,DATABASE_CA_CERT,LTI_TOOL_PRIVATE_JWK,APP_ORIGIN,APP_RUNTIME_ORIGIN,LANTERN_OPERATOR_NAME,USER,LOGNAME", "--allow-net", "main.ts"]
24+
CMD ["deno", "run", "--cached-only", "--no-prompt", "--allow-read=examples,var", "--allow-write=var", "--allow-env=PORT,LTI_TOOL_PRIVATE_JWK,APP_ORIGIN,APP_RUNTIME_ORIGIN,LANTERN_OPERATOR_NAME,USER,LOGNAME", "--allow-net", "main.ts"]

0 commit comments

Comments
 (0)