Altien/mikeOssAzure

Maintained by Allen Morgan · verified on MikeWatch

A systematic Azure-target port of willchen96/mike: swap Supabase auth for Entra ID, replace R2 with Azure Blob, add OpenAI/AOAI providers, and ship a self-contained local dev stack.

Active development with a clear Azure deployment target. The fork has completed its core portability layer - auth abstraction, provider-neutral migrations, storage interface, and multi-provider LLM adapters are all in place. Documentation covers README, runbooks, and CONTRIBUTING. The feature work appears to be building on that foundation toward an Azure Marketplace deployment story.

View on GitHub →

Altien's fork takes the upstream legal-AI codebase and makes it deployable on Azure without Supabase. The work covers three main axes.

Auth abstraction. An AUTH_PROVIDER env var switches between three modes: supabase (upstream behavior), local (HS256 JWTs against a PostgREST/Postgres stack from docker-compose.dev.yml), and entra (Azure AD OIDC with Managed Identity for downstream services). The PostgREST client in lib/supabase.ts selects the right fetch wrapper and header behavior for each mode at startup.

Database portability. The upstream Supabase one-shot schema is replaced with six node-pg-migrate files that run against any Postgres 16+. Supabase-specific items - the auth.users FK, RLS policies, and the handle_new_user trigger - are removed and annotated. A migration runner handles both direct connection and Azure Postgres Flexible Server Managed Identity auth.

Provider extensions. OpenAI and Azure OpenAI join Claude and Gemini as LLM adapters, with tool-call streaming and a fast-model fallback chain. Storage gets a StorageProvider interface wrapping R2/S3 and Azure Blob (with DefaultAzureCredential for container-deployed instances). The user profile REST surface gains proper GET/PATCH/DELETE endpoints and a global_api_keys advertisement for shared server-side keys.

Supporting work includes a /config endpoint for one-image-many-tenant deployment, bundled static frontend serving in Express, an Azure Key Vault config reader, and a full .env.example documenting the entire env surface.

What's in it

Direction

infrastructuremulti-tenantintegration

Activity

Themed changes and pull requests touching this fork, newest first. Themed changes that haven't been turned into a public post yet still appear — they're real work even without a published writeup.

Threads of work (detailed view)

25 threads have been distilled into posts.

Single-image multistage Dockerfile: bundled frontend + backend, tenant-portable

Altien replaces the upstream backend-only Dockerfile with a three-stage build that produces one image serving both the compiled Express API and the Next.js static export. The `NEXT_PUBLIC_API_BASE_URL` build arg handles same-origin vs split-origin deployments from a single Dockerfile.

Local docker-compose dev stack with PostgREST, Postgres, and Azurite

Commit `56cadfe6` adds a self-contained local dev environment: Postgres 16, PostgREST v12.2.3, and Azurite wired together in `docker-compose.dev.yml`, with helper scripts for role setup, JWT minting, and a smoke check. No hosted dependency required to run the backend locally.

Express wired up: /api prefix, /config endpoint, bundled static frontend

Commit `acbb6cc7` ties the fork's backend together. Every router gets mounted under `/api/*`, two roots (`/install` and `/config`) stay at the top level, and a static frontend block lets a Next.js static export be served from the same process. A second commit (`6697186c`) adds the full `.env.example` and supporting chore files.

In-app /install configurator and /admin/diagnostics for Azure/Entra deployments

Altien adds a backend-side install wizard that walks an operator through Azure Key Vault secrets, Entra app registration, and readiness checks - all served from the running container. The manifest in `lib/install/manifest.ts` doubles as a live inventory of every config item the app expects.

PostgREST client picks transport by AUTH_PROVIDER; two small resilience fixes

Commit `5d6f529c` makes `lib/supabase.ts` branch on `AUTH_PROVIDER` at startup to select one of three request behaviors: standard supabase-js for hosted Supabase, a fetch wrapper that strips the `/rest/v1` prefix for local and entra modes, and header stripping in entra mode where PostgREST runs without a JWT secret and rejects `Authorization` headers.

Fix: supabase-js JSONB containment bug breaks shared-project queries

Passing a JS array to supabase-js `.contains()` on a JSONB column sends Postgres array-literal syntax (`cs.{x,y}`), which Postgres rejects. The fix is one line: wrap the array in `JSON.stringify()` so supabase-js emits `cs.<jsonarray>` instead.

OpenAI and Azure OpenAI adapters added alongside existing Claude and Gemini

Commit `16a0799f` adds plain OpenAI and Azure OpenAI to the LLM adapter layer. New files cover streaming, tool-call assembly, deployment discovery, and a fast-model fallback chain that tries the user's pick first, then Gemini Flash Lite, then OpenAI nano, then Claude Haiku, then an AOAI default.

Full REST surface for /user/profile replaces upstream stub

Altien replaces upstream's single-method POST stub with four properly scoped endpoints: GET, PATCH, a credits increment, and DELETE /user/account with cascade. The whitelist-based PATCH and cascading account deletion are cleaner than anything upstream ships, regardless of whether you care about the Azure-specific pieces.

Auth provider abstraction: Supabase, Entra ID, and local HS256

Three commits convert Mike's hardwired Supabase auth check into a dispatching boundary. You set `AUTH_PROVIDER` to `supabase`, `entra`, or `local` and the middleware routes to the corresponding validator - no code change needed per deployment.

Altien tears out the database's built-in safety net

Altien moved this fork off a hosted database platform and onto its own Postgres, and in doing so handed every access decision to the application layer.

Supabase one-shot schema replaced with six node-pg-migrate files

Commit `b9f5f60a` is the portability change that makes this fork runnable on plain Postgres 16. The upstream one-shot schema - with its `auth.users` FK, RLS policies, and `handle_new_user` trigger - is broken into six sequential migration files runnable against any Postgres instance, plus a migration runner with Managed Identity support for Azure.

Storage abstracted behind a provider interface; Azure Blob added

Two commits refactor `backend/src/lib/storage.ts`. The first (`45310480`) extracts a `StorageProvider` interface and wraps R2/S3 in an `R2Provider` class with no behavior change. The second (`c3daf8fa`) adds an `AzureBlobProvider` against that interface, supporting both connection-string auth (local/Azurite) and `DefaultAzureCredential` (Managed Identity in Container Apps).