Canvascope added Cross-Account Protection through Google's RISC security event stream. When Google reports a high-risk account event, Canvascope can validate the signed event, dedupe it, map it to the matching Supabase user, and revoke active sessions.
Account-disabled events also set a sign-in block that the Supabase custom access token hook enforces on both sign-in and token refresh. If the account is later re-enabled, the block can be cleared. The hook is intentionally fail-open so an internal error cannot lock out the whole user base.
This is not flashy UI, but it is the kind of infrastructure a student workspace needs before it handles more files, identity, and device-to-device workflow.