Unblocked — Classroom 12x

| Sprint | Deliverable | Owner | |--------|-------------|-------| | | CDN CNAME pool, domain‑fronting config, basic service‑worker scaffolding. | Front‑end / DevOps | | Sprint 2 | OAuth 2.0 PKCE flow through CDN, JWT validation in gateway. | Auth Team | | Sprint 3 | Fallback transport layer (QUIC + WebSocket) + automatic selection logic. | Networking | | Sprint 4 | Cache‑first Service Worker, offline support for static assets. | Front‑end | | Sprint 5 | Admin UI for URL whitelisting + telemetry dashboard. | Product UI | | Sprint 6 | Full security hardening (CSP, HSTS, rate‑limit), compliance logging. | Security | | Sprint 7 | End‑to‑end QA (blocked‑network simulation), performance testing, documentation. | QA | | Sprint 8 | Pilot rollout to 5 schools, collect metrics, iterate. | Release Engineering |

| Risk | Likelihood | Impact | Mitigation | |------|------------|--------|------------| | | Medium | High (core feature loss) | Contract with multiple CDN vendors; implement rapid DNS‑failover. | | Network admins detect and block the CDN CNAMEs | Low‑Medium | Medium | Rotate CNAME pool weekly; provide a “self‑serve” custom CNAME option for districts. | | Legal concerns about bypassing institutional filters | Low | High | Position the feature as “access for legitimate educational use,” include explicit opt‑out for institutions, and require admin‑level consent. | | Performance degradation on fallback protocols | Medium | Medium | Pre‑warm QUIC connections, use CDN edge caching to keep latency low. | | Token leakage via Service Worker | Low | High | Store tokens in IndexedDB with httpOnly ‑like restrictions, and never expose them to page scripts. | classroom 12x unblocked