← All modules

REALIGN SecureAssess

Electron-based lockdown testing client with continuous biometric anchoring + tamper telemetry. Teachers upload DOCX/PDF assessments; AI auto-grades; results flow to the gradebook.

In-progress
0
Completed
0
Flagged for review
0

Upload an assessment (DOCX · PDF · TXT)

The teacher uploads the canonical assessment file; the lockdown client serves it to students; AI grades each submission against an extracted answer key + rubric; scores write straight to the gradebook.

Storage: S3 if S3_BUCKET_CONTENT is set, else local /var/realign/uploads.

AI grading pipeline

Every assessment runs through the same 5-stage pipeline. Teacher has final authority at stages 4 and 5.

  1. 1Parse

    Apache Tika extracts text + structure from DOCX/PDF/HTML.

  2. 2Extract

    Claude identifies question stems, options, point values, and rubric clues.

  3. 3Grade

    Per-submission scoring: objective items deterministic; essays via rubric prompt.

  4. 4Review

    Teacher sees AI score + confidence + reasoning; can override per item.

  5. 5Publish

    Final score written to grade_entries with ai_scored=true and graded_by=teacher.

Continuous biometric anchoring (in the desktop client)

Baseline captured at session start; rolling verification every ~5s. Privacy-by-design: zero frames leave the device.

Face presence + identity drift

Baseline at start; rolling vector distance check. If the face on camera diverges from baseline beyond threshold, the session pauses + flags the proctor — without telling the student which biometric tripped.

Second-person detection

Counts distinct faces in frame. >1 face → flag. <1 face for >Ns → flag. All counts; no images persisted.

Gaze direction (optional)

On supported webcams, off-screen gaze for >Xs flags a warn-event. Disabled by default for districts that ban gaze tracking on minors.

Audio environment fingerprint

Vosk on-device runs human-voice classification. Multiple voices flag warn-event. No transcript persisted, only the class label + timestamp.

On-device only

No frames, no audio, no transcripts leave the device. Only signed proctor-event records (timestamp + severity + class) reach this dashboard.

Tamper detection

Process list snapshot every 30s. Executable hash check against signed manifest. Kernel-driver list (Windows). Multi-monitor detection.

Download the desktop lockdown client

One installer per platform. Deploy via MDM (Jamf / Intune / Google Admin) or hand-install for BYOD.

Windows 10/11
NSIS · admin install · ~120 MB
Download →
macOS 13+
Signed DMG · Apple Silicon + Intel · ~140 MB
Download →
Linux
AppImage · ~110 MB · runs on Chrome OS via Flex
Download →

Build locally: pnpm --filter @realign/secure-assess package. Outputs land in apps/secure-assess/out/; the deploy step copies them to /var/www/downloads/ behind Caddy.

Uploaded assessments (0)

    Could not load SecureAssess data
    column s.started_at does not exist

    If the database hasn't been migrated yet, run pnpm db:migrate.

    Recent test sessions (0)

    AssessmentStudentStatusStartedDurationFlags

    What the lockdown layer prevents

    • Window/app switching — Electron kiosk + OS-level focus-stealing prevention.
    • Screenshots + screen recording — PrintScreen disabled; magnification APIs blocked on Windows; CGDisplayCaptureRefusal set on macOS.
    • External monitors — second display = blocked session start (per-district configurable).
    • Dev tools / right-click — Electron webPreferences.devTools = false + context menu disabled in production builds.
    • Network egress — only AI gateway + content CDN allowed; all other DNS blocked at the OS level during the session.
    • Clipboard — paste-in + copy-out disabled. Optional whitelist for graphing-calculator widgets.