projectadg last reviewed 2026-05-20

Aspire Hub — internal staff launchpad + SSO IdP

Context

Aspire staff need a single entry point to access ~20 internal apps (Coolify, GitLab, smart-dashboard, secrets vault, MCP registry, audit log viewer, brand-specific dashboards). Previously they'd bookmark each one. Aspire Hub is the launchpad + SSO identity provider that all internal apps now federate to.

Architecture

graph TD S["Staff"] --> HUB["Aspire Hub<br/>hub.aspiredigital.group"] HUB --> LP["Tile launchpad"] HUB --> SSO["OIDC IdP"] HUB --> SV["Secrets vault"] SSO --> SD["smart-dashboard"] SSO --> OTHER["other internal apps"] HUB --> ODOO[("Odoo res.users<br/>via XML-RPC")] classDef hub fill:#715EE3,color:#fff,stroke:#291F50; class HUB hub;

Detail

Goal

One URL (hub.aspiredigital.group) lists every Aspire internal tool the staff member has access to, with one-click SSO into each.

Stack

Repo path: apps/aspire-staff-portal inside the aspire-digital-group Turborepo monorepo
Rebranded: 2026-05-02 from "Staff Portal" → "Aspire Hub" (commit 1170caf)
Domains: canonical hub.aspiredigital.group; legacy staff.aspiredigitalgroup.com.au + bare aspiredigital.group 308-redirect to canonical
SSO mechanism: OIDC (NextAuth.js v5)
Identity backend: Odoo res.users via XML-RPC

Features shipped

Feature	Status
Tile launchpad (icons for each app, scoped by user role)	✅
OIDC IdP at `/.well-known/openid-configuration`	✅
Secrets vault (`SecretVault` model + `/secrets` UI + reveal API)	✅
MCP registry + audit log	✅
First-app SSO pilot — smart-dashboard	✅ LIVE 2026-05-12
Per-app `signIn()` client helper pattern	✅

Per-app SSO enablement pattern

Add signIn() client helper in the target app
Set AUTH_TRUST_HOST=true in target app env
Set HUB_* env trio (URL, client ID, client secret) from Hub /apps UI
Click Enable SSO in Hub /apps
Discovery doc lives at <hub>/.well-known/openid-configuration

Known issue: XML-RPC decoder for nested tags

packages/auth/odoo-client.ts had two regex bugs (non-greedy <value> match + backreference closing tag) that broke nested XML decoding silently for ~5 days
Hub Odoo SSO returned CredentialsSignin with no useful error
Fix shipped commit 5d0c001 — depth-aware scanning replaces both regex patterns
Long-term TODO: replace hand-rolled XML-RPC decoder with fast-xml-parser

Open questions

Next 2-3 apps to onboard to SSO (Coolify wrapper? GitLab via SAML proxy?)
Off-boarding flow when staff leave Aspire — currently manual

Provenance

Source: apps/aspire-staff-portal/ in aspire-digital-group monorepo. Deploy: Coolify (rolling).

🔗 Relationships

graph LR aspire_hub["aspire-hub"]:::self aspire_hub --> gitlab_self_hosted_not_github["gitlab-self-hosted-not-github"] aspire_hub --> aspire_llm_gateway["aspire-llm-gateway"] classDef self fill:#715EE3,color:#fff,stroke:#291F50;

Generated from the Knowledge OS markdown vault · diagrams via Mermaid · source of truth = .md