Security-first learning app runtime

Run untrusted learning tools without handing them the LMS

Lantern turns institution-built and AI-built activities into reviewed app packages that launch through one trusted boundary. App code gets only the signed context and capabilities Lantern exposes, while Cloudflare Workers, D1, R2, and read-only Dynamic Workers keep delivery, grading, evidence, and audit under platform control.

Least privilege by default

  • No raw LMS tokens, direct D1 access, arbitrary outbound HTTP, or direct grade writes for app code.
  • Every launch is tied to a reviewed package version and signed runtime contract.
  • Capability requests pass through Lantern's gateway instead of private integration credentials.

Cloudflare containment

  • Workers own launch validation, runtime sessions, gateway calls, and audit events.
  • D1 stores trusted product state; R2 stores reviewed artifacts and evidence bytes.
  • Dynamic Workers serve immutable reviewed browser assets without LMS, D1, or generic outbound capability.

Review before runtime

  1. Import a package and review the exact artifact digest.
  2. Approve one version before it can launch from an LMS placement.
  3. Inspect runtime, grading, and evidence records from Lantern's operator pages.
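The review-then-launch flow above, sketched as an added example for Node.js (this is not Lantern's code). Every function name, capability string, and the HMAC-signed contract format is a hypothetical assumption, and the sample artifact bytes are constructed.

```javascript
// Added illustration only: all names here are hypothetical, not Lantern's API.
const crypto = require("node:crypto");

const sha256 = (bytes) => crypto.createHash("sha256").update(bytes).digest("hex");
const sign = (key, body) => crypto.createHmac("sha256", key).update(body).digest("hex");

// Steps 1-2: the reviewer approves exactly one version, pinned to the
// digest of the bytes that were actually reviewed.
function approve(registry, pkg, version, artifactBytes) {
  registry.set(pkg, { version, digest: sha256(artifactBytes) });
}

// Launch gate: refuse unless the version is the approved one, the artifact is
// byte-identical to what was reviewed, and every requested capability is
// allowed. On success, issue a signed contract naming the granted capabilities.
function launch(registry, key, pkg, version, artifactBytes, requested, allowed) {
  const approved = registry.get(pkg);
  if (!approved || approved.version !== version) {
    return { ok: false, reason: "version-not-approved" };
  }
  if (sha256(artifactBytes) !== approved.digest) {
    return { ok: false, reason: "digest-mismatch" };
  }
  if (requested.some((cap) => !allowed.includes(cap))) {
    return { ok: false, reason: "capability-denied" };
  }
  const body = JSON.stringify({ pkg, version, digest: approved.digest, caps: requested });
  return { ok: true, contract: { body, sig: sign(key, body) } };
}

// Gateway check: the signature is verified in constant time before the body
// is parsed, so app code cannot widen its own grant by editing the contract.
function verifyContract(key, contract, cap) {
  const expected = Buffer.from(sign(key, contract.body), "hex");
  const given = Buffer.from(String(contract.sig), "hex");
  if (expected.length !== given.length || !crypto.timingSafeEqual(expected, given)) {
    return false;
  }
  return JSON.parse(contract.body).caps.includes(cap);
}
```

The signing key stays on the platform side of the boundary; app code only ever holds the contract, never the key.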

Evaluator next step

Open the governed control surface to inspect how approvals, placements, runtime sessions, and evidence stay behind the control plane.