U
/u/Civil_Organization65
Guest
Quick recap for context: I teach coding to kids 7-16 in Brussels and I’m rebuilding my entire classroom setup as a Minecraft server with CC:Tweaked. Currently running with one class of 18 students across 6 districts. Last two weeks have been heavy on backend work, so dropping a combined update here.
Week 1 — Pipeline shipped:
Students write code in a Blockly editor on a website (custom toolboxes per device type: turtle gets movement/dig/place, computer gets terminal I/O). The editor generates Lua, the backend stores it under a 6-character short code, and a loader on the CC:T machine fetches it and runs it in a sandboxed env (fs wrapped to block protected files, load(code, name, "t", sandbox) to disable bytecode injection, pcall for error isolation, restricted set of exposed globals).
Week 2 — Trust moved from client to server:
Added a UUID-based identification system. The current architecture uses a small FastAPI agent on the VPS that translates HTTP requests into local RCON queries (data get entity @a[name=X,limit=1] UUID) and returns the immutable UUID. Backend on Railway calls the agent over a private route, never touches RCON directly. Player has to be online to be identified, zero impersonation by design. All mission progression now lives in PostgreSQL keyed on UUID (roughly 20 missions tracked per student across 6 districts), short codes are bound to UUIDs at first use to prevent cross-student code sharing.
Real questions I haven’t fully solved:
1. The agent works well, but I’m wondering if there’s a more standard approach people use for cross-network RCON access. Tunnels, message queues, something I haven’t considered?
2. My goal is to encourage code reuse as a learning tool while preventing students from claiming another student’s work. Currently the short code is bound to UUID at first use, so reusing requires a manual regen on my side. Curious how others solved that balance.
3. CC:T loader sandbox: I’m wrapping fs, using "t" mode, pcall, and restricting the exposed globals to a defined whitelist. I’d love a sanity check from people who’ve thought harder about Lua sandbox escape vectors, anything obvious I might be missing?
Full devlogs with code samples:
• Devlog #1
• Devlog #2
submitted by /u/Civil_Organization65
[link] [comments]
Continue reading...
Week 1 — Pipeline shipped:
Students write code in a Blockly editor on a website (custom toolboxes per device type: turtle gets movement/dig/place, computer gets terminal I/O). The editor generates Lua, the backend stores it under a 6-character short code, and a loader on the CC:T machine fetches it and runs it in a sandboxed env (fs wrapped to block protected files, load(code, name, "t", sandbox) to disable bytecode injection, pcall for error isolation, restricted set of exposed globals).
Week 2 — Trust moved from client to server:
Added a UUID-based identification system. The current architecture uses a small FastAPI agent on the VPS that translates HTTP requests into local RCON queries (data get entity @a[name=X,limit=1] UUID) and returns the immutable UUID. Backend on Railway calls the agent over a private route, never touches RCON directly. Player has to be online to be identified, zero impersonation by design. All mission progression now lives in PostgreSQL keyed on UUID (roughly 20 missions tracked per student across 6 districts), short codes are bound to UUIDs at first use to prevent cross-student code sharing.
Real questions I haven’t fully solved:
1. The agent works well, but I’m wondering if there’s a more standard approach people use for cross-network RCON access. Tunnels, message queues, something I haven’t considered?
2. My goal is to encourage code reuse as a learning tool while preventing students from claiming another student’s work. Currently the short code is bound to UUID at first use, so reusing requires a manual regen on my side. Curious how others solved that balance.
3. CC:T loader sandbox: I’m wrapping fs, using "t" mode, pcall, and restricting the exposed globals to a defined whitelist. I’d love a sanity check from people who’ve thought harder about Lua sandbox escape vectors, anything obvious I might be missing?
Full devlogs with code samples:
• Devlog #1
• Devlog #2
submitted by /u/Civil_Organization65
[link] [comments]
Continue reading...