Guided Scholar · IT Readiness

Technical answers for IT coordinators.

Authentication architecture, SSO status, data storage, network requirements, and current open items for schools evaluating a pilot deployment.

Authentication and access

How login and access control work.

Does Guided Scholar allow students to create their own accounts?

No. Guided Scholar does not use open student self-registration. All student and teacher access is tied to provisioned accounts and internal roster, role, class, teacher, grade-level, school, and district records. There is no path for a student to create an account independently.

How does the current login system work?

Guided Scholar supports Google SSO and Microsoft SSO as the primary login paths, both live in the deployed application. SSO is account-linked — a user authenticates successfully with Google or Microsoft, but Guided Scholar grants application access only if that external identity is linked to an approved Guided Scholar account. Authentication alone does not grant access to student work, teacher records, or Pilot Setup.

Pilot and local credentials remain available as a fallback for deployments that require it. A successful login by any path establishes who the user is. Guided Scholar then determines what they can access based on internal role and roster context.

Role routing is as follows: students access the Student Workspace only; teachers access the Student Workspace and Teacher Dashboard; internal operators access Pilot Setup. Future School Admin and District Admin roles are planned and are not currently live.

What governance guardrails apply to all login paths?

The following controls apply regardless of login path — Google SSO, Microsoft SSO, or pilot credentials:

  • No open student self-registration.
  • No automatic account creation from SSO identity — external authentication must be linked to an approved Guided Scholar account.
  • No unlinked student activity — all school-account work is class-linked.
  • No bypassing class or teacher linkage.
  • No bypassing grade-level feedback behavior.
  • No bypassing Teacher Dashboard scoping.
  • Pilot Setup remains founder and internal-operator access only.
  • Pilot and local credentials remain available as a fallback.

SSO proves who the user is. Guided Scholar determines what the user can access.
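
The account-linking rule above, sketched as an added example (not Guided Scholar's code). It assumes the ID token's signature, audience and expiry were already verified by an OIDC library; the link table, account fields, identifiers, the issuer-plus-subject link key and the rule that a student without a class link is denied are all constructed for illustration.

```python
from dataclasses import dataclass

GOOGLE = "https://accounts.google.com"
# Microsoft issuer format; the tenant ID is a placeholder.
MICROSOFT = "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0"

@dataclass(frozen=True)
class Account:
    account_id: str
    role: str            # "student", "teacher" or "operator" (assumed names)
    class_ids: tuple     # roster linkage; empty means no class link
    active: bool = True

# Constructed link table: (issuer, subject) -> provisioned account.
# Keyed on iss + sub, not email, because an email address can be reassigned.
LINKS = {
    (GOOGLE, "sub-1001"): Account("stu-1", "student", ("class-7a",)),
    (GOOGLE, "sub-2001"): Account("tch-1", "teacher", ("class-7a", "class-7b")),
    (MICROSOFT, "sub-3001"): Account("stu-2", "student", ()),
}

# Role routing as described on this page.
ROUTES = {
    "student": ("Student Workspace",),
    "teacher": ("Student Workspace", "Teacher Dashboard"),
    "operator": ("Pilot Setup",),
}

class AccessDenied(Exception):
    pass

def authorize(claims: dict) -> tuple:
    """Map already-verified ID-token claims to allowed areas, or fail closed."""
    account = LINKS.get((claims.get("iss"), claims.get("sub")))
    if account is None:
        # Lookup only: a miss never creates an account, class or profile.
        raise AccessDenied("identity is not linked to a provisioned account")
    if not account.active:
        raise AccessDenied("account is disabled")
    if account.role not in ROUTES:
        raise AccessDenied("unknown role")
    if account.role == "student" and not account.class_ids:
        raise AccessDenied("student has no class linkage")
    return ROUTES[account.role]
```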

Is Google SSO live?

Yes. Google SSO is live in the deployed application. Users authenticate with their Google account, and Guided Scholar grants access only if that Google identity is linked to an approved Guided Scholar account. A successful Google authentication that is not account-linked fails closed — no new account, class, assignment, submission, or profile is created automatically.

Google SSO uses minimal scopes only (openid email profile). Google Drive, Gmail, Google Classroom, and broad Google API scopes are not requested and not required.

For school network configuration: allow access to accounts.google.com and Google OAuth and OIDC endpoints used by the school's Google Workspace configuration. Pilot and local credentials remain available as a fallback.

Is Microsoft SSO live?

Yes. Microsoft SSO is live in the deployed application. Users authenticate with their Microsoft work or school account, and Guided Scholar grants access only if that Microsoft identity is linked to an approved Guided Scholar account. A successful Microsoft authentication that is not account-linked fails closed — no new account, class, assignment, submission, or profile is created automatically.

Microsoft SSO uses minimal scopes only (openid email profile). Guided Scholar does not require and will not request OneDrive, Outlook, Teams, or broad Microsoft Graph permissions for login.

For school network configuration: allow access to login.microsoftonline.com and Microsoft Entra authentication endpoints. Pilot and local credentials remain available as a fallback.

Data and infrastructure

Where data lives and how it is handled.

Where is the application hosted and where is data stored?

The current pilot application uses Streamlit Community Cloud for application hosting, Supabase for database persistence, and the OpenAI API for feedback generation. Source control and deployment origin is GitHub.

Supabase stores governed pilot data. Row-level security is enabled on public tables, with explicit restrictive deny policies in place for direct anonymous and authenticated role access. The application performs governed database reads and writes from the server process using a service-role key that is never exposed to the browser.

What data does Guided Scholar store?

Guided Scholar stores the data required to support school-linked feedback and revision workflows. That includes: login username and provisioned identity context, role, student and teacher ID, student and teacher display name, grade level, class ID and name, school ID and district ID, assignment metadata, student submissions and drafts, feedback returned by Guided Scholar, revision history, teacher review status, and ACT scores and domain feedback where applicable.

Guided Scholar does not request or store access to Google Drive, Gmail, Google Classroom, OneDrive, Outlook, or Teams. Those permissions are not required for v1 login or feedback functionality.

Can students see other students' work?

Guided Scholar uses class-linked and role-aware access controls. A recent application-level scope and session-state audit did not confirm an active data spill path. Same-browser user switching was tested: the second student did not see the first student's draft, feedback, export options, Continue Work selection, or assignment context.

Role scoping enforces that students see only their own work, teachers see only work within their assigned classes, and no cross-class or cross-teacher data access is available through normal application paths.

How does Guided Scholar transmit data to the AI provider?

The Streamlit server calls the OpenAI API using the OpenAI Python client and a server-side API key that is never exposed to the browser. Student drafts and submissions are sent to OpenAI only when the student submits work for feedback. The AI response is parsed into structured Guided Scholar feedback and stored with the submission and revision history.

No active data spill path was confirmed in the recent application-level scope and session-state audit. The browser does not receive the Supabase service-role key or the OpenAI API key.

Does OpenAI train on student data?

Guided Scholar uses the OpenAI API as a subprocessed AI service for feedback generation. OpenAI states that API and business customer inputs and outputs are not used to train OpenAI models by default unless the customer explicitly opts in. OpenAI's Data Processing Addendum states that OpenAI acts as a data processor for Customer Data when providing services to the customer.

Guided Scholar does not opt in to any OpenAI model training program. Student submission text is transmitted to generate a feedback response and is not retained or used by OpenAI for training purposes under the current API terms.

Network and access requirements

What school networks need to allow.

What network access is required for Guided Scholar to function?

Schools should allow the following for normal Guided Scholar operation:

  • Outbound HTTPS traffic on TCP 443 to the deployed Guided Scholar app domain.
  • Secure WebSocket traffic to the deployed Streamlit app domain. Streamlit requires WebSocket support for the application to load and remain connected. Proxy rules or SSL inspection policies that block WebSockets will cause the app to fail to load, freeze, or disconnect.
  • Normal browser access to guidedscholar.ai for the public website.
  • Access to accounts.google.com and Google OAuth and OIDC endpoints — required for Google SSO.
  • Access to login.microsoftonline.com and Microsoft Entra authentication endpoints — required for Microsoft SSO.

What network access is NOT required?

The following do not need to be allowlisted for Guided Scholar v1 login and feedback functionality:

  • Google Drive API
  • Gmail API
  • Google Classroom API
  • Microsoft Graph broad access
  • OneDrive API
  • Teams API
  • Outlook API

Our school uses a restrictive proxy. What should we test before the pilot?

SSL inspection, strict content filters, or proxy rules that block WebSockets or long-lived HTTPS sessions may interfere with Streamlit application behavior. Before pilot launch, run through the following test sequence from a student device on the school network:

  • Student login and landing in the Student Workspace.
  • Teacher login and landing in the Teacher Dashboard.
  • Student submission of a draft for feedback.
  • Feedback generation and display.
  • Continue Work on a prior submission.
  • Export download in each available format.

Guided Scholar supports three export formats: plain text (.txt), Word document (.docx), and Google Docs-Compatible HTML (.html). School download policies should allow all three file types.

Current status

Open items before broader deployment.

What is the current deployment readiness status?

Guided Scholar is prepared for controlled school pilot use. Google SSO and Microsoft SSO are live as the primary login paths, with pilot and local credentials available as a fallback. No security blocker remains from the most recent application-level audit. The desktop and mobile repair pass is complete. ACT Domain Coaching, template expansion, and UX polish are complete.

A final post-enhancement pilot smoke test should be run after the most recent ACT and template changes before a new pilot cohort goes live.

What IT items are still open?

The following items are open and tracked. None block the current controlled pilot login model from being used, but they should be resolved before broader deployment language is finalized:

  • Legal review of Privacy Policy, Terms of Use, and Student Data Policy — pending, in progress.
  • Final IT Readiness Checklist and Technical FAQ documentation — in progress.
  • Final post-enhancement pilot smoke test — should be run after latest ACT and template changes.
  • Google SSO — live. ✓
  • Microsoft SSO — live. ✓
  • School Admin and District Admin dashboard — future scope, not live.
  • Compliance-to-Code and Wording Audit — waiting on legal review return.

Is there a formal IT Readiness Checklist available?

A formal IT Readiness Checklist is in development and will be included in pilot setup materials. Schools with specific network, proxy, or data handling requirements that need documentation before beginning a pilot should contact us directly. We will work through district-specific requirements before any student data is transmitted.

Technical questions not covered here? Reach out directly.

peter@guidedscholar.ai