Why IT can say yes

Approve one governed boundary. Keep generated apps out of the LMS trust core.

The security question is not whether instructors should build better course activities. The question is whether every new activity should become a new LMS integration. App Boundary keeps one approved tool, then runs each learning app as a limited, reviewed, versioned artifact behind that boundary.

The approval answer

IT approves App Boundary, not a stream of unknown classroom apps.

A generated app can render the learner experience, read reviewed content, save progress, emit attempt events, and finish an attempt only through the runtime capabilities App Boundary exposes. It cannot hold LMS credentials, connect to the LMS directly, write grades on its own, or reach arbitrary services.

One LTI boundary The LMS launches the approved runtime. Apps do not become separate privileged tools.
Limited runtime capabilities Each package declares the exact actions it needs before review.
Reviewed versions Only approved immutable package snapshots can be pinned for use.
Durable evidence Reviews, launches, capability calls, scoring, and runtime events leave records.

What IT is not being asked to accept

No arbitrary LMS access. No invisible production push.

  • Generated app code does not receive raw LMS tokens.
  • Generated app code does not receive database, storage, Worker, Durable Object, or service bindings.
  • Generated app code does not write grades directly to the LMS.
  • Generated app code does not make arbitrary outbound network calls.
  • Generated app changes do not reach students until a reviewed version is approved and pinned.

Risks mapped to controls

The risks are direct. The controls should be too.

Risk

A generated activity becomes a broad LMS integration.

Generated apps do not receive LMS credentials. They run as browser packages behind App Boundary and call only the reviewed runtime surface.

Control

Capability checks, signed runtime contracts, and blocked direct grade-write paths.

Risk

A course tool writes grades without a governed path.

App Boundary owns scoring and grade publication. Apps can propose or finalize only through reviewed package settings and server-owned LMS service calls.

Control

Attempt records, grade publication records, retry evidence, and audit events.

Risk

Student work is stored in an unclear vendor path.

App Boundary separates normal progress from sensitive evidence. Progress, submitted artifacts, and preview activity are scoped to a reviewed app version and attempt.

Control

Purpose, data scope, retention, and sensitivity labels on the review surface.

Risk

AI-written code can call unknown services.

Generated packages are browser-first reviewed artifacts. Validation rejects arbitrary outbound network, Worker-shaped code, direct storage, and platform bindings.

Control

Package validation, TypeScript checks, preview assertions, and immutable snapshots.

Risk

No one can reconstruct what happened.

App Boundary keeps durable logs for generation, review, launch, runtime capability calls, evidence, and grade publication.

Control

Admin activity logs, runtime logs, preview evidence, and audit records.

Risk

A new classroom app creates a new procurement burden.

IT reviews the governed boundary. Instructors can create or revise apps inside that boundary without turning every activity into a new LMS integration.

Control

One LTI tool, reviewed versions, controlled placements, and explicit approval gates.

What reviewers can verify

The approval page shows the facts before students see the app.

Review is operational: what changed, what the app can do, how it behaves in a test launch, and why the package stays inside the boundary.

What changed Compare the pending version against the previous approved package.
What it can do Separate ordinary progress features from sensitive evidence or grading actions.
Review test launch Run the pending version in preview mode before approval.
Runtime log Inspect runtime activity, blocked calls, progress events, and finalize behavior.
Admin view showing managed app packages with approval status, capabilities, and metadata
Review surfaces show package status, capabilities, and operational evidence in one place.

Approval path

What happens before an app reaches students.

  1. Generate or import The app becomes a package candidate, not a live LMS tool.
  2. Validate App Boundary checks package shape, TypeScript, capabilities, policy, and preview behavior.
  3. Review Reviewers inspect capabilities, accessibility evidence, runtime behavior, and sensitive actions.
  4. Approve one version Only an approved immutable version can be pinned to an LMS placement.
  5. Run behind the boundary Launches, progress, scoring, storage, evidence, and audit stay inside the governed runtime.

Bottom line

App Boundary is not asking IT to trust AI-generated code with the LMS.

It asks IT to approve one governed boundary where classroom apps are limited, reviewed, versioned, logged, and blocked from direct platform access.