kh0pper
diff --git a/‎CLAUDE.md‎
Lines changed: 2 additions & 0 deletions b/‎CLAUDE.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎bundles/maker-lab-advanced/config/jupyterhub_config.py‎
Lines changed: 104 additions & 0 deletions b/‎bundles/maker-lab-advanced/config/jupyterhub_config.py‎
Lines changed: 104 additions & 0 deletions
diff --git a/‎bundles/maker-lab-advanced/docker-compose.yml‎
Lines changed: 28 additions & 0 deletions b/‎bundles/maker-lab-advanced/docker-compose.yml‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎bundles/maker-lab-advanced/manifest.json‎
Lines changed: 33 additions & 0 deletions b/‎bundles/maker-lab-advanced/manifest.json‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎bundles/maker-lab-advanced/panel/maker-lab-advanced.js‎
Lines changed: 121 additions & 0 deletions b/‎bundles/maker-lab-advanced/panel/maker-lab-advanced.js‎
Lines changed: 121 additions & 0 deletions
@@ -160,6 +160,7 @@ bundles/maker-lab/             → STEM education companion for kids (MCP server
 bundles/kolibri/               → Kolibri learning platform (Docker + panel + skill; offline-first STEM/literacy, Pi-friendly, sibling of maker-lab)
 bundles/scratch-offline/       → Scratch block-based coding (Dockerfile builds scratch-gui from source + nginx; age 8+, no cloud save)
 bundles/vllm/                  → vLLM GPU inference server (OpenAI-compatible endpoint; Linux x86_64 + NVIDIA only; recommended classroom engine for Maker Lab)
+bundles/maker-lab-advanced/    → Maker Lab Advanced (Phase 5): JupyterHub for 9+ learners, kid-safe kernel defaults, AI pair-programmer at tween/teen reading level
 android/                       → Android WebView shell app (Crow's Nest mobile client)
 servers/gateway/public/        → PWA assets (manifest.json, service worker, icons)
 servers/gateway/push/          → Web Push notification infrastructure (VAPID)
@@ -468,6 +469,7 @@ Add-on skills (activated when corresponding add-on is installed):
 - `kolibri.md` — Kolibri offline-first learning platform: channel recommendation by age/subject, classroom setup, LAN-sync, pairs with maker-lab as content spine
 - `scratch-offline.md` — Self-hosted Scratch (age 8+ block coding): first-project coaching, vocabulary-stays-in-Scratch-terms dialogue, pair with Maker Lab when the learner is stuck
 - `vllm.md` — Operational skill for the vLLM classroom inference engine: GPU sizing, model selection, Maker Lab wiring, common-issue diagnostics
+- `maker-lab-advanced.md` — Pair-programmer for JupyterHub classroom (ages 9+): traceback explanation, next-cell suggestions at tween/teen reading level, routes back to maker-lab for Blockly, flags kid-safe kernel as a default (not a security sandbox)
 - `calibre-server.md` — Calibre content server: search, browse, download ebooks via OPDS
 - `calibre-web.md` — Calibre-Web reader: search, shelves, reading status, download
 - `miniflux.md` — Miniflux RSS reader: subscribe feeds, read articles, star, mark read
 
@@ -0,0 +1,104 @@
+# JupyterHub config for Maker Lab Advanced (Phase 5 v1)
+#
+# Single-machine classroom shape: NativeAuthenticator for password auth
+# with admin-approved signups, SimpleLocalProcessSpawner so user
+# kernels run inside this container without per-user OS accounts.
+# Kid-safe default kernel config: write scope chrooted to the user's
+# home, shell-escape magics disabled.
+#
+# For production multi-host or sandboxed-per-user deployments, swap the
+# spawner for DockerSpawner or KubeSpawner and the authenticator for
+# GitHubOAuthenticator or LDAP.
+
+import os
+
+c = get_config()  # noqa: F821 (provided by JupyterHub at import time)
+
+admin_user = os.environ["MLA_ADMIN_USER"]
+
+# --- Authenticator ---------------------------------------------------
+# NativeAuthenticator: local password auth with admin signup approval.
+c.JupyterHub.authenticator_class = "nativeauthenticator.NativeAuthenticator"
+c.Authenticator.admin_users = {admin_user}
+c.NativeAuthenticator.open_signup = False  # admin approves new users
+c.NativeAuthenticator.minimum_password_length = 8
+c.NativeAuthenticator.check_common_password = True
+
+# --- Spawner ---------------------------------------------------------
+# SimpleLocalProcessSpawner: runs each user's kernel in this container
+# without needing a host OS account per user. Good enough for a
+# single-classroom setup where the admin trusts the kids not to pivot
+# out of their home dir; the kernel config below adds hardening.
+c.JupyterHub.spawner_class = "simple"
+c.Spawner.notebook_dir = "~/"
+c.Spawner.default_url = "/lab"
+c.Spawner.args = [
+    "--ServerApp.allow_origin=*",
+    "--ServerApp.trust_xheaders=True",
+]
+
+# Environment passed to every spawned kernel. Used by the
+# maker-lab-advanced pair-programmer skill to prefix prompts with a
+# learner-id marker so Maker Lab's hint pipeline can scope memory.
+c.Spawner.environment = {
+    "CROW_MLA_ENABLED": "1",
+}
+
+# --- Kid-safe kernel defaults ----------------------------------------
+# - Disable cell-magic shell escape (%%bash, !shell) via a startup hook
+#   that the notebook server reads from ~/.ipython/profile_default/
+#   startup/ at every spawn. Written once at hub startup.
+import pathlib
+startup_dir = pathlib.Path("/srv/jupyterhub/ipython-startup")
+startup_dir.mkdir(parents=True, exist_ok=True)
+(startup_dir / "00-crow-kid-safe.py").write_text(
+    "# Crow kid-safe kernel hardening (Maker Lab Advanced).\n"
+    "# Disables shell-escape cell magics so '!rm -rf ~' and '%%bash' do\n"
+    "# not give a learner a path out of the kernel. Removing this file\n"
+    "# re-enables them — admin decision, documented per classroom.\n"
+    "try:\n"
+    "    ip = get_ipython()\n"
+    "    if ip is not None:\n"
+    "        for magic in ('system', 'sx', 'bash', 'sh'):\n"
+    "            try:\n"
+    "                ip.magics_manager.magics.get('line', {}).pop(magic, None)\n"
+    "                ip.magics_manager.magics.get('cell', {}).pop(magic, None)\n"
+    "            except Exception:\n"
+    "                pass\n"
+    "except Exception:\n"
+    "    pass\n"
+)
+c.Spawner.environment["IPYTHONDIR"] = "/srv/jupyterhub/ipython-startup"
+
+# --- Hub settings ----------------------------------------------------
+c.JupyterHub.ip = "0.0.0.0"
+c.JupyterHub.port = 8000
+c.JupyterHub.hub_ip = "0.0.0.0"
+c.JupyterHub.cleanup_servers = False
+c.JupyterHub.allow_named_servers = False
+
+# Template path for the NativeAuthenticator signup/login pages.
+import nativeauthenticator  # noqa: F401 (ensures the module is importable)
+c.JupyterHub.template_paths = [
+    f"{os.path.dirname(nativeauthenticator.__file__)}/templates/",
+]
+
+# Persist Hub DB (users, tokens) on the mounted volume so a container
+# restart doesn't forget everyone.
+c.JupyterHub.db_url = "sqlite:////srv/jupyterhub/jupyterhub.sqlite"
+c.JupyterHub.cookie_secret_file = "/srv/jupyterhub/jupyterhub_cookie_secret"
+
+# --- Admin bootstrap (manual first-run) ------------------------------
+# NativeAuthenticator's ORM API varies across releases, so we skip
+# programmatic seeding and rely on the UI signup flow:
+#
+#   1. On first launch, the admin navigates to /hub/signup, enters
+#      MLA_ADMIN_USER and MLA_ADMIN_PASSWORD, clicks Sign Up.
+#   2. Because MLA_ADMIN_USER is in admin_users above, the account is
+#      auto-authorized and promoted without requiring self-approval.
+#   3. The admin then uses /hub/authorize to approve additional
+#      learner signups.
+#
+# This is a Phase 5 v1 compromise. A future version can plug in a
+# one-shot bootstrap container that runs `jupyterhub-nativeauthenticator`
+# CLI commands after the hub DB is ready.
@@ -0,0 +1,28 @@
+services:
+  maker-lab-advanced:
+    image: jupyterhub/jupyterhub:5
+    container_name: crow-maker-lab-advanced
+    ports:
+      - "127.0.0.1:${MLA_HTTP_PORT:-8088}:8000"
+    volumes:
+      - ${MLA_DATA_PATH:-mla-data}:/srv/jupyterhub
+      - ./config/jupyterhub_config.py:/srv/jupyterhub/jupyterhub_config.py:ro
+    environment:
+      - MLA_ADMIN_USER=${MLA_ADMIN_USER:?Set MLA_ADMIN_USER}
+      - MLA_ADMIN_PASSWORD=${MLA_ADMIN_PASSWORD:?Set MLA_ADMIN_PASSWORD}
+    command:
+      - "sh"
+      - "-c"
+      - "pip install --quiet notebook jupyterlab jupyterhub-nativeauthenticator && jupyterhub -f /srv/jupyterhub/jupyterhub_config.py"
+    init: true
+    mem_limit: 4g
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "curl", "-fsS", "http://localhost:8000/hub/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 120s
+
+volumes:
+  mla-data:
@@ -0,0 +1,33 @@
+{
+  "id": "maker-lab-advanced",
+  "name": "Maker Lab Advanced",
+  "version": "0.1.0",
+  "description": "Self-hosted JupyterHub for older learners (ages 9+) — single-machine multi-user Python notebooks with kid-safe kernel defaults and an AI pair-programmer. Sibling bundle to maker-lab: Blockly is the 5-9 on-ramp, Scratch is the 8+ step-up, this is the 9+ landing zone with real Python.",
+  "type": "bundle",
+  "author": "Crow",
+  "category": "education",
+  "tags": ["education", "jupyter", "jupyterhub", "python", "notebook", "classroom", "k12", "teen", "maker-lab"],
+  "icon": "graduation-cap",
+  "docker": { "composefile": "docker-compose.yml" },
+  "panel": "panel/maker-lab-advanced.js",
+  "skills": ["skills/maker-lab-advanced.md"],
+  "requires": {
+    "env": ["MLA_ADMIN_USER", "MLA_ADMIN_PASSWORD"],
+    "min_ram_mb": 2048,
+    "recommended_ram_mb": 8000,
+    "min_disk_mb": 4000,
+    "recommended_disk_mb": 40000,
+    "bundles": ["maker-lab"]
+  },
+  "env_vars": [
+    { "name": "MLA_ADMIN_USER", "description": "Initial JupyterHub admin username. Gets first login; add more admins from the UI after setup.", "required": true },
+    { "name": "MLA_ADMIN_PASSWORD", "description": "Initial admin password. Set via NativeAuthenticator on first boot; change via the JupyterHub UI afterward.", "required": true, "secret": true },
+    { "name": "MLA_HTTP_PORT", "description": "Host port for the JupyterHub UI. Default 8088.", "default": "8088", "required": false },
+    { "name": "MLA_DATA_PATH", "description": "Host path for user home dirs + JupyterHub state (defaults to a named volume).", "required": false }
+  ],
+  "ports": [8088],
+  "webUI": { "port": 8088, "path": "/", "label": "JupyterHub" },
+  "sibling_of": ["maker-lab"],
+  "age_gate": { "min_age": 9 },
+  "notes": "v1 single-admin classroom shape: NativeAuthenticator + SimpleLocalProcessSpawner, shared container runtime, loopback-bound on :8088. Kid-safe kernel config blocks shell-escape patterns and chroots file writes to the user's home. True multi-host / GitHub-OAuth / sandboxed-per-user deploys are future work. Hard dep on the maker-lab bundle: the pair-programmer skill reuses maker-lab's hint pipeline and persona prompts at a higher reading level."
+}
@@ -0,0 +1,121 @@
+/**
+ * Crow's Nest Panel — Maker Lab Advanced: JupyterHub launcher + admin
+ * bootstrap checklist + pair-programmer posture.
+ *
+ * Thin panel, same shape as kolibri/scratch-offline. The real UX lives
+ * in JupyterHub's own web UI; this panel is setup hints + the deep link.
+ */
+
+export default {
+  id: "maker-lab-advanced",
+  name: "Maker Lab Advanced",
+  icon: "graduation-cap",
+  route: "/dashboard/maker-lab-advanced",
+  navOrder: 57,
+  category: "education",
+
+  async handler(req, res, { layout, appRoot }) {
+    const { pathToFileURL } = await import("node:url");
+    const { join } = await import("node:path");
+    const componentsPath = join(appRoot, "servers/gateway/dashboard/shared/components.js");
+    const { escapeHtml } = await import(pathToFileURL(componentsPath).href);
+
+    const port = process.env.MLA_HTTP_PORT || "8088";
+    const hubUrl = `http://${req.hostname || "localhost"}:${port}`;
+    const adminUser = process.env.MLA_ADMIN_USER || "(MLA_ADMIN_USER unset — set in .env before first launch)";
+
+    // Short liveness probe so the operator sees status at a glance.
+    async function probe(url, timeoutMs) {
+      try {
+        const ctrl = new AbortController();
+        const t = setTimeout(() => ctrl.abort(), timeoutMs);
+        const resp = await fetch(url, { signal: ctrl.signal });
+        clearTimeout(t);
+        return resp.ok;
+      } catch { return false; }
+    }
+    const live = await probe(`${hubUrl}/hub/health`, 1500);
+    const statusBadge = live
+      ? `<span class="ma-badge ma-ok">● live</span>`
+      : `<span class="ma-badge ma-off">○ offline</span>`;
+
+    const content = `
+      <style>${styles()}</style>
+      <div class="ma-panel">
+        <h1>Maker Lab Advanced</h1>
+        <p class="ma-sub">JupyterHub for older learners · ages 9+ · Python notebooks with kid-safe kernel defaults</p>
+
+        <section class="ma-card">
+          <h2>Status</h2>
+          <p>${statusBadge}</p>
+          <dl class="ma-dl">
+            <dt>Hub URL</dt><dd><code>${escapeHtml(hubUrl)}</code></dd>
+            <dt>Configured admin</dt><dd><code>${escapeHtml(adminUser)}</code></dd>
+          </dl>
+          <p><a class="ma-btn" href="${escapeHtml(hubUrl)}" target="_blank" rel="noopener">Open Hub ↗</a></p>
+        </section>
+
+        <section class="ma-card">
+          <h2>First-boot checklist</h2>
+          <ol>
+            <li>Set <code>MLA_ADMIN_USER</code> and <code>MLA_ADMIN_PASSWORD</code> in <code>.env</code>. Restart the bundle if you changed them.</li>
+            <li>Navigate to <code>${escapeHtml(hubUrl)}/hub/signup</code>, sign up with the admin username + password from step 1. Because that username is in the hub's <code>admin_users</code> list, the account auto-authorizes — no self-approval required.</li>
+            <li>Admin view at <code>${escapeHtml(hubUrl)}/hub/admin</code> lists users + server status.</li>
+            <li>Learner signups go to <code>${escapeHtml(hubUrl)}/hub/authorize</code> for admin approval before they can spawn a server.</li>
+          </ol>
+        </section>
+
+        <section class="ma-card">
+          <h2>Kid-safe kernel defaults</h2>
+          <ul>
+            <li>Shell-escape magics (<code>%%bash</code>, <code>!rm</code>, <code>%sx</code>) are disabled at kernel startup. A learner can't shell out of the notebook into the container.</li>
+            <li>Per-user home dirs live inside the container at <code>/home/&lt;user&gt;</code>; writes outside that path fail with permission errors from the kernel perspective.</li>
+            <li><strong>These are defaults for learners, not a security sandbox.</strong> A determined attacker with Python access can still explore the container filesystem. For untrusted users, swap the spawner for DockerSpawner + per-user images.</li>
+          </ul>
+        </section>
+
+        <section class="ma-card">
+          <h2>Pair-programmer (v1)</h2>
+          <p>The <code>maker-lab-advanced</code> skill teaches the AI to act as a pair-programmer at tween/teen reading level. It reuses Maker Lab's hint pipeline and hint-ladder prompts, but:</p>
+          <ul>
+            <li>Default persona: <code>tween-tutor</code> (80-word hints, middle-grade vocabulary).</li>
+            <li>For older learners (14+), the caregiver can switch the session persona to <code>adult-tutor</code> (200-word explanations, plain-language technical terminology, direct Q&A).</li>
+            <li>Hints reference <strong>Python + notebook idioms</strong>, not Blockly blocks — the skill explicitly flips off the "never say the answer" constraint at <code>adult-tutor</code> level.</li>
+          </ul>
+        </section>
+
+        <section class="ma-card">
+          <h2>Where this sits in the ladder</h2>
+          <table class="ma-tbl">
+            <tr><th>Ages</th><th>Surface</th><th>Tutor persona</th></tr>
+            <tr><td>5-9</td><td>Blockly (maker-lab)</td><td>kid-tutor</td></tr>
+            <tr><td>8+</td><td>Scratch (scratch-offline)</td><td>kid-tutor → tween-tutor</td></tr>
+            <tr><td>9+</td><td>JupyterLab (this bundle)</td><td>tween-tutor → adult-tutor</td></tr>
+          </table>
+        </section>
+      </div>
+    `;
+    return layout({ title: "Maker Lab Advanced", content });
+  },
+};
+
+function styles() {
+  return `
+    .ma-panel { max-width: 900px; margin: 0 auto; padding: 1.5rem; }
+    .ma-sub { color: var(--fg-muted, #888); margin: 0 0 1.5rem; }
+    .ma-card { background: var(--card-bg, rgba(255,255,255,0.04)); border: 1px solid var(--border, #333); border-radius: 10px; padding: 1.25rem 1.5rem; margin-bottom: 1rem; }
+    .ma-card h2 { margin: 0 0 0.75rem; font-size: 1.05rem; color: #84cc16; }
+    .ma-card ol, .ma-card ul { margin: 0; padding-left: 1.25rem; line-height: 1.6; }
+    .ma-badge { display: inline-block; padding: 0.25rem 0.7rem; border-radius: 999px; font-size: 0.85rem; font-weight: 600; }
+    .ma-ok { background: rgba(34,197,94,0.15); color: #22c55e; }
+    .ma-off { background: rgba(239,68,68,0.15); color: #ef4444; }
+    .ma-btn { display: inline-block; padding: 0.6rem 1.2rem; background: #84cc16; color: #111; text-decoration: none; border-radius: 6px; font-weight: 600; margin-top: 0.5rem; }
+    .ma-btn:hover { background: #a3e635; }
+    .ma-dl { display: grid; grid-template-columns: max-content 1fr; gap: 0.4rem 1rem; margin: 0.5rem 0 0; }
+    .ma-dl dt { color: var(--fg-muted, #888); }
+    .ma-dl dd { margin: 0; }
+    .ma-tbl { width: 100%; border-collapse: collapse; font-size: 0.95rem; }
+    .ma-tbl th, .ma-tbl td { padding: 0.5rem 0.75rem; text-align: left; border-bottom: 1px solid var(--border, #333); }
+    .ma-tbl th { color: var(--fg-muted, #888); font-weight: 600; }
+  `;
+}