Everything in CurioPilot.
Indexed by what it does for whom.

The audit spine. Every AI call writes a five-gate decision row to ai_decision_logs — consent, redaction, model, review, signed hash. 90-day default; up to 7 years on Campus.

Per-child, per-feature consent states checked before any prompt is assembled. GDPR Art. 6 / 9, COPPA verifiable consent, UAE PDPL alignment — all enforced at the gate.

GDPR Art. 15 (access), Art. 17 (erasure) and Art. 20 (portability — 37-collection tenant data export with SHA-256 manifest). Erasure produces an audit-hash receipt.

School-official-with-legitimate-educational-interest attribution on every record. Verifiable parental consent state, source, and verified-ts on every under-13 decision.

Deterministic, pattern-only. ~36 English + ~13 Arabic patterns scan student-authored prose under 1ms. No LLM on this path — child-safety triage must be deterministic.

Fail-closed on AI-generation paths; fail-open on student-upload (so a child's submission isn't blocked by a moderation timeout). Both pinned by image-moderation-required.test.ts.

AI-prompt rejection rows land in safety_blocks for super-admin triage at /super-admin/safety/blocks. The queue UI is the authorised reveal surface.

Five-template FSM with a regulator-notification clock. From triage through Article 33 reporting in one workspace, with TraceLayer evidence pinned to every step.

TypeScript brand type plus a build-time scan that fails CI if any AI route skips redaction. The DPA is enforced before the code can compile.

SIS credentials, LTI client secrets, and SAML SP signing material encrypted at the field level. Plaintext never persists.

Security-class events retained 7 years — long enough to satisfy any regulator who comes asking. AI-decision logs follow their own configurable retention.

Per-child, per-subject mastery model. Bloom's-level progression bars per topic, misconception categories, Lexile band, accommodation context. Updated after every submission.

Bloom's classifier plus a misconception detector return categories — procedural, conceptual, representational — not raw text. ZPD-pinned next-three recommendations follow.

Nightly division-level standardDeviationVsGrade as a soft bias on activity generation. Signals nullify when studentCount < 3. Sigma never reaches prompts or UI.

Forgetting curve scheduling layered with weekly spiral review of past topics. Practice surfaces what's about to slip — not what was hardest yesterday.

Per-student risk score across mastery, engagement, and behaviour signals. Accommodation profiles (IEP, 504, EAL) flow through every AI surface as first-class context.

MCQ, MCQ-Multi, True/False, Fill-in-blanks, Short Answer, Long Answer, Matching, Ordering, DataTable, WordBank, Classify, HotSpot, Discussion, Multi-Step with partial credit.

Every quality-score ≥ 80 item spawns 3–5 AI paraphrases — same answer key, structurally validated. Deterministic per-student assignment via variantIndexFor(); sibling de-dup is real.

STEM scenes generated as images for circuits, apparatus, geometric figures. Fail-closed moderation before storage; per-slot failure falls back to text-only.

Seven deterministic generators — number-line, coordinate-plane, fraction-bar, function-graph, pie-chart, bar-chart, molecule. Screen-reader-friendly; shunting-yard parser; no eval.

Snap a photo of a notebook; OCR + rubric review surface partial credit on multi-step problems. Teacher confirms or overrides before the grade lands.

Drafted at the student's Lexile band, then a calibration pass checks sentence length and vocabulary against MetaMetrics's published thresholds before publish.

When a student stalls on a topic, the Twin walks the prerequisite chain to find the upstream gap. Surfaces a band-only signal — never a numeric mastery score.

chooseModel() picks cheap or premium per feature based on tolerance for variance and the empirical record in ai_model_performance. Auto-promotion at ≥ 0.95×; demotion at < 0.80×.

Twelve traits like Phoenix Spark, Wayfinder, Mosaic Mind — inferred passively from how a student plays. Bands never numbers. Student Skill Constellation, parent Curiosity Report, teacher Class Skill Map.

Rubric breakdown drafted by AI; teacher confirms or overrides with one click. Override path is never buried. Misconceptions surface alongside the score.

Phone shot of handwritten work → OCR → rubric review → partial credit on multi-step problems → teacher approval. License-gated under photo-grading (Standard + Campus).

Author by Bloom's percentage; a Hamilton-rounding allocator fans the right counts into the right buckets. Auto-publish OFF — half-built blueprints never leak live.

Pre-board pacing across a grade. Audiences resolve server-side from divisionIds — never trusted from the client. Practice tracks the calendar to the exam.

Three Bloom's-anchored tiers auto-assigned by mastery. Teachers rebalance any student. Foundation / Core / Stretch — same topic, different cognitive load.

Triaged surface of risk-scored students with recommended next steps. Routes to the right person (subject teacher, head of year, counsellor) with context.

Structured peer-feedback rubrics. AI-drafted cover lessons matched to the absent teacher's plan and the class's current Bloom's profile.

One-click conference brief: strengths, gaps, recent misconceptions, recommended next steps. Print-ready. Audit-logged.

Drafted from twelve grounded data points per student, edited by the teacher. ~5 minutes per student instead of ~25, with the teacher's voice intact.

Six Action Cards ranked by impact, routed to the right teacher. Reteach lessons drafted, conference briefs ready, parent invites in queue.

Where the room is across twelve traits. Bands never numbers. No leaderboard, no per-student ranking. Aggregate participation from Boss Arena and Party Hub flows in.

Weekly per-child digest on Premium Family + B2B Standard+. Generated server-side from a fixed template; pinned to opt out of the smart router for voice consistency.

Cross-classroom library of vetted activities; Smart Compose stitches a fresh activity from a topic + Bloom's level + tier in seconds.

Super-admin TraceLayer, school-admin dashboard, teacher gradebook, parent dashboard, student experience — every view derives from the same canonical record. Tenant isolation at the Firestore-rule level.

Spark is the student hint-giver — hints, not answers, with a hard cap on the final answer. Curio is the Fun-Zone-side AI companion who remembers what they were stuck on.

School-wide channels, per-class inboxes, async messaging built on the Async Learning Exchange. Crisis-detector pre-screens every message that reaches an adult.

Plain-English parent copilot answers "why was this recommended?" The Co-Teacher digest packages a teacher's week in six action cards.

In-app + push + email + SMS + WhatsApp with per-school AED budget caps. Channel choice routes by tenant policy; every message is audit-logged.

Capacitor 8 build, code-complete on develop, awaiting store-account enrolment. Same audit spine; same consent gates; same offline guarantees as the PWA.

Daily delta from PowerSchool, Infinite Campus, Skyward — anything that speaks OneRoster v1.2. SIS credentials field-level-encrypted; sync events audit-logged.

Embed inside Canvas, Moodle, Blackboard. Grade passback runs on a durable queue with a nightly worker — retries are crash-safe, missing grades don't happen.

Entra, Okta, Google Workspace, any SAML IdP. Standard+ tier. SP signing material lives in field-level encryption alongside SIS credentials and LTI client secrets.

Parent subscriptions and school billing on Stripe. Token-bundle top-ups for schools that need more AI usage mid-term. Idempotent webhooks; every charge audit-logged.

Schools bring their own SMTP relay so transactional mail leaves their domain. Default to MoizLabs's relay for self-serve.

Tenant isolation at the rule layer, plan + token bundle entitlements, and an in-house A/B testing harness — so we can ship a flag, measure, and roll forward.

English, Spanish, Arabic (with full RTL), French, German, Portuguese, Hindi, Chinese. Translation-aware activity generation — English is the source-of-truth.