SureNetwork for SureCentric
This page documents a platform that is actively under development. Architecture, container names, and component responsibilities are subject to change. See Platform Roadmap for future direction.
Overview
SureNetwork for SureCentric is the integration layer that connects the SureNetwork research network microservice, Nuxeo LTS 2025 content platform, and the SureCentric Client (Angular 16) into a unified platform experience.
Users access the platform through the SureCentric Desktop (Electron) or SureCentric Web (browser), both powered by the same SureNetwork Global UI Angular 16 codebase.
Tech Stack
| Layer | Technology | Status |
|---|---|---|
| Content Platform | Nuxeo LTS 2025 — nuxeo-sc-2025:local, pinned to 2025.12 | ✅ Running |
| Content Extensions | SureDMS Nuxeo extensions — porting from Nuxeo 5.6 to 2025 | 🔄 In Progress |
| SureDrive (legacy) | SureDMS AngularJS dashboard WAR — embedded via iframe | ✅ Available |
| SureArchive | SureNetwork Global / SureCentric Angular 16 — future doc navigator | 🔄 Planned |
| Nuxeo Web UI | nuxeo-web-ui:3.1.29-local — iframe-embedded File Explorer | ✅ Running |
| API Gateway | Apache APISIX 3.11.0 on port 25080 | ✅ Running |
| Identity Provider | Logto (svhd/logto:latest) — dev-only OIDC | ✅ Running |
| SureNetwork Service | sn-nuxeo-lts-2023:latest — Spring Boot, Java 20 | ✅ Running |
| SureNetwork DB | PostgreSQL 15-alpine | ✅ Running |
| SureNetwork Search | Elasticsearch | ✅ Running |
| SureCentric Client | SureNetwork Global UI — Angular 16, Electron + Web | ✅ Active dev |
| SureCentric Desktop | Electron wrapper for SureCentric Client | ✅ Active dev |
| SureCentric Analytics | Apache Superset 4.0.0 + Redis + PostgreSQL 17 | 🔄 Dev (not started) |
| Card API | Node 20-alpine on port 3099 | 🔄 Dev (not started) |
| Nuxeo DB | PostgreSQL 16 on port 25432 | ✅ Running |
SureCentric Client — Angular 16
The SureCentric Client is the unified Angular 16 application that serves as the UI for:
- SureCentric Desktop — Electron app (SureClinical/Desktop project)
- SureCentric Web — Browser-hosted version
The Angular 16 client is the existing SureNetwork Global UI (surenetwork-global/network-global-ui). These are the same codebase. SureArchive and future platform features are added as modules inside SureNetwork Global UI.
All client applications communicate with backend services through the APISIX gateway at port 25080.
Project Desktop
The Project Desktop is the hub- or project-scoped launcher page inside SureNetwork Global. It launches tools from cards.
Navigation path
Login → Projects / Hubs → Select a Project or Hub → Project Desktop → Launch a card
Card Inventory (MVP)
| Card | Tech | Embedded via | Purpose |
|---|---|---|---|
| File Explorer | Nuxeo Web UI | iframe | Generic folder and file browsing in the Nuxeo repository |
| SureDrive | SureDMS AngularJS | iframe | SC-specific document workflows, study navigator, SureDrive browsing |
| SureArchive | Angular 16 (SN Global) | Direct route | Future home for ported SureDMS doc navigator; currently in planning |
| Project Explorer | Angular 16 (SN Global) | Direct route | Shortcut to SN Global project browsing |
| Hub Explorer | Angular 16 (SN Global) | Direct route | Shortcut to SN Global hub browsing |
SureDrive vs SureArchive
SureDrive is the current legacy path. It embeds the existing SureDMS AngularJS document navigator in an iframe. It covers SC-specific document workflows that are not yet available in Angular 16.
SureArchive is the future Angular 16 replacement. The SureDMS AngularJS document navigator code will be progressively ported into SureArchive inside SureNetwork Global UI. Until porting is complete, SureDrive remains the active card for document-centric work.
Both cards coexist on the Project Desktop. SureDrive handles today's workflows. SureArchive evolves alongside the porting effort and eventually replaces SureDrive.
Docker Stack Topology
The platform currently runs as four separate Docker Compose stacks. A unified single compose is planned — see Platform Roadmap.
| Stack | Purpose | Detail page |
|---|---|---|
| nuxeo-webui-2025-local | Nuxeo LTS 2025 + Web UI + APISIX + Logto | Nuxeo LTS 2025 Stack |
| surenet | SureNetwork microservice + DB + Elasticsearch | SureNetwork Stack |
| surecentric | Superset analytics + Card API + DuckDB | SureCentric Analytics Stack |
| sc | SC Legacy Nuxeo 5.6 + SureDMS app (being replaced) | SC Legacy Stack |
Database inventory (current)
| Database | Stack | Engine | Port |
|---|---|---|---|
| Nuxeo 2025 DB | nuxeo-webui-2025-local | PostgreSQL 16 | 25432 |
| Logto DB | nuxeo-webui-2025-local | PostgreSQL 17-alpine | 26434 |
| SureNetwork DB | surenet | PostgreSQL 15-alpine | 5433 |
| Superset DB | surecentric | PostgreSQL 17 | 5432 |
| SC Legacy DB | sc | PostgreSQL (internal) | 5432 |
Target: ≤ 2 PostgreSQL databases after full platform consolidation. See Platform Roadmap.
APISIX Gateway
APISIX is the single entry point for all browser traffic to the Nuxeo 2025 stack.
| Route | Target | Notes |
|---|---|---|
| /nuxeo/* | Nuxeo server at 28080 | Rewrites Host and X-Forwarded-* headers |
| /* (default) | Nuxeo Web UI container | Serves the generic repository explorer |
| /logto/* | Logto identity server | Scaffold — requires hostname-based routing for production |
Required Nuxeo configuration for APISIX proxy
```
# Tell Nuxeo its public URL is the APISIX address
nuxeo.url=http://localhost:25080/nuxeo
# Trust the APISIX proxy for CSRF origin validation
nuxeo.security.csrf.trustProxies=apisix
# Allow CORS from the APISIX origin
nuxeo.cors.urls=http://localhost:25080
# Dev-only: do not require Secure attribute on cookies over plain HTTP
nuxeo.bind.secure=false
```
Without nuxeo.security.csrf.trustProxies, proxied browser login returns 403 NuxeoException.
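A preflight check for the four properties above, as an added example that is not part of the original page or the platform's code. The function names, the `production` option and the comma- or space-separated reading of `nuxeo.cors.urls` are assumptions.

```javascript
// Constructed sample: the dev configuration from this page with trustProxies left out.
const SAMPLE_CONF = `
# Tell Nuxeo its public URL is the APISIX address
nuxeo.url=http://localhost:25080/nuxeo
nuxeo.cors.urls=http://localhost:25080
nuxeo.bind.secure=false
`;

// Minimal key=value parser; blank lines and # comments are skipped.
function parseProps(text) {
  const props = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq > 0) props[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return props;
}

// Hypothetical linter: returns a list of findings, empty when the config is consistent.
function lintNuxeoProxyConf(text, { production = false } = {}) {
  const p = parseProps(text);
  const findings = [];
  if (!p['nuxeo.security.csrf.trustProxies'])
    findings.push('missing nuxeo.security.csrf.trustProxies: proxied browser login returns 403');
  let origin = null;
  try { origin = new URL(p['nuxeo.url']).origin; }
  catch { findings.push('nuxeo.url is missing or not an absolute URL'); }
  // The CORS allow-list must contain the origin browsers actually use (the gateway).
  const cors = (p['nuxeo.cors.urls'] || '').split(/[\s,]+/).filter(Boolean);
  if (origin && !cors.includes(origin))
    findings.push(`nuxeo.cors.urls does not include the gateway origin ${origin}`);
  if (production) {
    // Settings the page marks as dev-only must not reach a production build.
    if (p['nuxeo.bind.secure'] === 'false')
      findings.push('nuxeo.bind.secure=false is a dev-only setting');
    if (origin && !origin.startsWith('https://'))
      findings.push('nuxeo.url uses plain HTTP');
  }
  return findings;
}
```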
Logto Identity Provider
Logto provides dev-only OIDC/OAuth2 login for SureNetwork Global and the SureCentric Client.
Logto in this stack is for local development only. It is not a production identity provider. The tunnel token and admin credentials are in .env (not committed to git).
- Logto admin: http://localhost:25080/logto-admin/
- Dev user seeding: match the username/email expected by the SureNetwork database (admin, user, external)
- Token validation: SureNetwork service and SN Global validate Logto-issued tokens against the Logto JWKS endpoint
Cloudflare Tunnel
The nuxeo-webui-cloudflared container provides dev-only external access to the local stack without a VPN.
The Cloudflare tunnel is not a production path. The tunnel token is loaded from .env (CLOUDFLARED_TUNNEL_TOKEN) which is excluded from git. Do not commit the tunnel token.
The tunnel joins the same Docker network as APISIX. External hostnames route through APISIX to the appropriate service.