Trust — earned, not claimed

For a tool that uses AI on student work, trust is the product. So we won't ask you to take our word for it. Here is exactly what we test, with what, and how you can verify it yourself — including the limits we're honest about.

Our rule: every claim on this page is backed by something you can open and check — a test that runs in CI, a scan in the GitHub Security tab, or a document in the repository. We deliberately avoid "✓ Secure" badges and static metrics that drift stale.

How we test — and how you can verify

1. An executable security test suite

The security guarantees are written as real tests that run on every CI build (phpunit --group security): a student only ever sees a neutral "reviewed" signal, never the internal flags, quotes, or another student's data; grader capabilities are never granted to the student role; and the plugin exposes no web-service attack surface. A change that broke any of these guarantees would fail the build. Verify: the CI runs in each repository.
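What a test in that group can look like, as an added example written for this page rather than the project's own suite. Everything named "examplereview" is a hypothetical plugin component; the capability names, the plugin data generator, and the two plugin functions examplereview_store_review() and examplereview_student_view() are assumptions standing in for whatever the real plugin provides. The Moodle test APIs (advanced_testcase, getDataGenerator(), has_capability(), the external_functions and external_services tables) are core Moodle.

```php
<?php
// Added example, not the project's own code. "examplereview" is a hypothetical
// component; the capability names and the two examplereview_* functions are
// assumptions. Assumed location: mod/examplereview/tests/security_test.php,
// run with: vendor/bin/phpunit --group security
namespace mod_examplereview;

defined('MOODLE_INTERNAL') || die();

/**
 * Security guarantees expressed as executable tests.
 *
 * @group security
 */
final class security_test extends \advanced_testcase {

    /** The student role must never hold grader-side capabilities. */
    public function test_student_role_never_holds_grader_capabilities(): void {
        global $DB;
        $this->resetAfterTest();

        $gen = $this->getDataGenerator();
        $course = $gen->create_course();
        $student = $gen->create_user();
        $gen->enrol_user($student->id, $course->id, 'student');
        $context = \context_course::instance($course->id);

        // Hypothetical capability names; substitute the plugin's real ones.
        foreach (['mod/examplereview:grade', 'mod/examplereview:viewinternalreview'] as $cap) {
            $this->assertFalse(has_capability($cap, $context, $student->id),
                "student role must not hold $cap");
        }

        // Also check the role definition itself, so a wrong archetype in
        // db/access.php is caught even before anyone is enrolled.
        $studentrole = $DB->get_record('role', ['shortname' => 'student'], '*', MUST_EXIST);
        $allowed = $DB->get_records_select('role_capabilities',
            'roleid = :roleid AND ' . $DB->sql_like('capability', ':cap') . ' AND permission = :allow',
            ['roleid' => $studentrole->id, 'cap' => 'mod/examplereview:%', 'allow' => CAP_ALLOW]);
        // Allow-list of plugin capabilities a student may legitimately hold (assumed).
        $studentallowed = ['mod/examplereview:view'];
        foreach ($allowed as $rc) {
            $this->assertContains($rc->capability, $studentallowed,
                "unexpected student capability {$rc->capability}");
        }
    }

    /** Students see a neutral "reviewed" signal and nothing internal. */
    public function test_student_view_exposes_only_neutral_signal(): void {
        $this->resetAfterTest();
        $gen = $this->getDataGenerator();
        $course = $gen->create_course();
        $module = $gen->create_module('examplereview', ['course' => $course->id]);
        $alice = $gen->create_user(['firstname' => 'Alice']);
        $bob = $gen->create_user(['firstname' => 'Bob']);
        $gen->enrol_user($alice->id, $course->id, 'student');
        $gen->enrol_user($bob->id, $course->id, 'student');

        // Hypothetical plugin API: persist an internal review per student.
        // Marker strings are constructed so that any leak is unambiguous.
        examplereview_store_review($module->id, $alice->id,
            ['flags' => ['FLAG_INTERNAL_A'], 'quotes' => ['QUOTE_INTERNAL_A']]);
        examplereview_store_review($module->id, $bob->id,
            ['flags' => ['FLAG_INTERNAL_B'], 'quotes' => ['QUOTE_INTERNAL_B']]);

        $this->setUser($alice);
        $html = examplereview_student_view($module->id, $alice->id); // hypothetical

        $this->assertStringContainsString(get_string('reviewed', 'mod_examplereview'), $html);
        foreach (['FLAG_INTERNAL_A', 'QUOTE_INTERNAL_A',
                  'FLAG_INTERNAL_B', 'QUOTE_INTERNAL_B', 'Bob'] as $leak) {
            $this->assertStringNotContainsString($leak, $html, "student view leaked $leak");
        }
    }

    /** No external functions or services: nothing reachable over web services. */
    public function test_no_web_service_surface(): void {
        global $DB;
        $this->assertEmpty($DB->get_records('external_functions', ['component' => 'mod_examplereview']));
        $this->assertEmpty($DB->get_records('external_services', ['component' => 'mod_examplereview']));
        $this->assertFileDoesNotExist(__DIR__ . '/../db/services.php');
    }
}
```

The first test checks both the effective permission of an enrolled student and the role definition in the database, so a capability accidentally given the student archetype fails the build before any enrolment happens. The second stores a review for two students and renders the view as one of them, asserting that neither student's internal markers appear; the constructed marker strings make a false negative unlikely. The third asserts, against the installed component, that no web-service functions or services exist, which is what "no web-service attack surface" means in a Moodle plugin.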

2. Independent Semgrep security scans

Semgrep, a third-party static analyser with PHP support that we did not write, runs on every push and on a weekly schedule and reports into each repository's Security tab, with every run dated. (CodeQL, GitHub's own analyser, does not support PHP, so we use Semgrep, and we would rather say so than imply a tool we don't actually run.) Verify: each repository's Security tab.

3. A threat-focused manual security review

Beyond automated tools, a structured review looks for the harms that matter: data theft, privilege escalation, abuse. The latest review found no critical or high issues. Verify: SECURITY.md (also: how to report a vulnerability).

4. Zero third-party runtime dependencies

By design, the plugins bundle no third-party runtime libraries. That is a deliberately tiny supply-chain surface: there is essentially nothing for a dependency scanner to flag. We think the honest signal is the absence of dependencies, not a green badge from a tool scanning an empty set. What the plugins do still rely on is Moodle core itself and the AI provider endpoint a site configures; those sit outside this dependency count and remain part of your own trust assessment.

5. The wider quality net

A full functional and Behat test suite, a periodic mutation audit (does the suite actually catch injected bugs?), and real-call calibration and fairness checks (human agreement and ESL invariance) all run in, or are linked from, CI. Data governance is backed by a complete Moodle privacy provider (export and delete) and an EU AI Act readiness pack.

What each role needs to see

Role: what you get

Moodle admin: Open source you can read; a live Trust & transparency page in your admin showing this site's actual config; CI runs and Semgrep scans you can inspect; zero runtime dependencies.

Buyer / leadership: A defensible audit trail, a security review summary, EU AI Act readiness, and a clear statement of what is and isn't certified.

Teacher: You stay in control; students never see the internal review; it doesn't track or score teachers; evidence quotes are verified, never invented.

The honest limits

It's an alpha, maintained best-effort, released to learn whether it's genuinely useful.

It is not certified. The EU AI Act materials are readiness templates to support your own assessment — not a conformity declaration. A formal assessment (~€30k–€80k) has not been done, and you remain responsible for your own compliance.

No security process is a guarantee. We test hard, scan continuously, and disclose honestly — and we ask you to report anything we missed.

Verify it yourself

Pilot it with your team: Installation guide