A self-hosted, AI-native operating system for a managed service provider. Sixteen independently deployable microservices, a local LLM intelligence layer, a multi-tenant XDR security engine, and a unified single-pane UI — designed, written, and operated end to end.
Walk through the platform's key screens — from the unified dashboard to AI ticket intelligence, the 3D facility viewer, and the security command center.
The PHP core serves the unified experience and orchestrates everything over internal HTTP. Authentication is centralized in an identity service (JWT RS256 + OIDC + MFA), each domain owns its own data, and cross-module lookups are resolved by HTTP hydration — never by reaching into another service's tables.
core, rmm, security, all Compose profiles.// Ticket created → AI pipeline POST /api/v2/tickets │ ├─▶ glass-tickets // persist + state machine │ │ │ ├─▶ ai-worker // Dual-LLM screen │ │ sandbox → privileged │ │ ↳ intent, urgency, entities │ │ │ └─▶ pgvector // top-3 similar (RAG) │ └─▶ redis pub/sub // glass.tickets.created ↳ sla-monitor · webhooks · chat
Each is independently deployable, versioned, and owns its schema. Hover any card.
Core monolith — 11 dashboards, ticket UI, admin, AI report builder, 3D facility viewer.
Auth & identity — JWT RS256, SSO/OIDC, MFA, 7-tier RBAC, settings manager.
PSA/ITSM — lifecycle state machine, SLA sidecar, rules engine, time tracking.
CMDB — asset lifecycle, dynamic 0–100 health scoring, warranties, RMA claims.
Security posture — Wazuh ingestion, sandboxed remediation via bubblewrap.
RMM — MeshCentral wrapper, remote shell, patch management, hybrid deploy scripts.
Email — Exchange ingestion, AI triage & noise scoring, push notifications.
Telephony — UniFi Talk events, voicemail → text via local Whisper transcription.
Real-time messaging — WebSocket, WebRTC voice/video, call transcription.
Billing — QuickBooks OAuth2 PKCE, AES-256 tokens, invoicing, recurring automation.
PSA sync — bidirectional SuperOps.ai integration with HMAC-validated webhooks.
Procurement — purchase-order lifecycle, supplier catalog, computed totals.
CRM — campaigns, .docx merge, queue dispatch with SKIP LOCKED, Redis Streams.
Bug tracking — AI developer-prompt generation, threaded clarification notes.
XDR engine — Wazuh/Rspamd/ClamAV, cryptographic multi-tenant isolation, Redis blocklists.
AI worker — Dual-LLM sandbox, pgvector RAG, Pydantic-enforced LLM outputs.
A few pieces of Glass that go beyond what off-the-shelf platforms attempt.
Untrusted text is screened by a sandbox model (gemma) for prompt injection before the privileged automation model (qwen) ever processes it — a security boundary borrowed from OS design and applied to AI.
A plain-English prompt becomes a validated SQL query against 70+ tables, executed safely and rendered as a report — no query language required from the user.
glass-sentinel ingests high-volume security telemetry with cryptographically verified tenant isolation on every query and sub-millisecond Redis-cached blocklists.
A Three.js floor-plan visualizer maps physical assets to their live health and alert state — bridging the CMDB with the real world in the browser.
The CRM was re-implemented from PHP into idiomatic Go 1.25 with a React SPA — a deliberate reference build for performance-critical services.
SSO/OIDC + mandatory admin MFA, CRU CA mutual TLS on the agent/edge layers, hardened Docker networking, CSP, and a Loki/Grafana + Wazuh observability pipeline with a daily security digest.