Day 022: Shared login stopped pretending to be app activation
The hub now owns a real app directory and a real RankWar activation gate, so shared auth no longer masquerades as product authorization.
The monolith already had shared identity.
That was not enough.
A user could log into the hub, hit the RankWar console, and slide into product behavior without any explicit activation step.
That is weak platform design.
Shared login is not the same thing as shared product access.
What shipped
The hub now owns a real app directory.
From there, the operator can:
- see what the portfolio already exposes
- activate first-party apps explicitly
- launch public surfaces without guessing
- understand which apps are public, which ones are gated, and which ones are already live for the current identity
RankWar is the first app using that contract.
If the account does not have active RankWar access yet, the creator console now redirects back to the hub directory instead of pretending the app is already authorized.
Why this matters
Most “multi-app” products never build this layer.
They reuse login, call that convergence, and quietly let authorization rules live as side effects in random controllers.
That fails the moment the portfolio grows.
The product starts leaking inconsistent access rules:
- some apps activate automatically
- some apps do not
- some apps expose hub links that do not map to real access state
- support and billing logic eventually inherit the same ambiguity
The hub directory fixes that before the portfolio gets larger.
The stronger contract
The shared identity spine is still the foundation.
Now it has a real second layer:
- identity says who the user is
- app activation says what the user has explicitly unlocked
- the app console decides what the user can operate next
That is the right shape for a monolith that wants many domains and many first-party apps without fragmented auth logic.
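The three layers above as a deny-by-default gate, next to the login-only check the post calls weak. This is an added sketch, not the project's code. The `Hub` class, the paths, the app slugs and the user ids are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

HUB_DIRECTORY = "/hub/apps"  # assumed path, not taken from the post
LOGIN = "/login"             # assumed path


@dataclass
class Hub:
    # slug -> True if the app needs explicit activation (gated), False if public
    apps: dict
    # (user_id, slug) pairs the user has explicitly unlocked
    activations: set = field(default_factory=set)

    def activate(self, user_id, slug):
        if slug not in self.apps:
            raise KeyError(f"unknown app: {slug}")
        self.activations.add((user_id, slug))

    def directory(self, user_id):
        """Per-app state for this identity: 'live', 'gated' or 'public'."""
        return {
            slug: "live" if (user_id, slug) in self.activations
            else ("gated" if gated else "public")
            for slug, gated in self.apps.items()
        }

    def console_gate(self, user_id, slug):
        """Deny by default: (status, location) for a console request."""
        if user_id is None:
            return 302, LOGIN               # layer 1: identity
        if slug not in self.apps:
            return 404, None                # unknown app, nothing to launch
        if (user_id, slug) not in self.activations:
            return 302, HUB_DIRECTORY       # layer 2: activation
        return 200, f"/{slug}/console"      # layer 3: console decides what is next


def login_only_gate(user_id, slug):
    """The weak pattern: a valid session is treated as product access."""
    if user_id is None:
        return 302, LOGIN
    return 200, f"/{slug}/console"
```

Because the directory and the gate read the same activation set, a hub link cannot show an access state the console then contradicts.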
What is next
The next dominant move is not another static hub card.
It is first-party app authorization that can survive more products:
- Passport-backed app clients
- stronger activation metadata
- entitlement-aware launches
- shared feedback and launch primitives on top of the same access spine