Altien/mikeOssAzure
A systematic Azure-target port of willchen96/mike: swap Supabase auth for Entra ID, replace R2 with Azure Blob, add OpenAI/AOAI providers, and ship a self-contained local dev stack.
Altien's fork takes the upstream legal-AI codebase and makes it deployable on Azure without Supabase. The work covers three main axes.
Auth abstraction. An AUTH_PROVIDER env var switches between three modes: supabase (upstream behavior), local (HS256 JWTs against a PostgREST/Postgres stack from docker-compose.dev.yml), and entra (Azure AD OIDC with Managed Identity for downstream services). The PostgREST client in lib/supabase.ts selects the right fetch wrapper and header behavior for each mode at startup.
Database portability. The upstream Supabase one-shot schema is replaced with six node-pg-migrate files that run against any Postgres 16+. Supabase-specific items - the auth.users FK, RLS policies, and the handle_new_user trigger - are removed and annotated. A migration runner handles both direct connection and Azure Postgres Flexible Server Managed Identity auth.
Provider extensions. OpenAI and Azure OpenAI join Claude and Gemini as LLM adapters, with tool-call streaming and a fast-model fallback chain. Storage gets a StorageProvider interface wrapping R2/S3 and Azure Blob (with DefaultAzureCredential for container-deployed instances). The user profile REST surface gains proper GET/PATCH/DELETE endpoints and a global_api_keys advertisement for shared server-side keys.
Supporting work includes a /config endpoint for one-image-many-tenant deployment, bundled static frontend serving in Express, an Azure Key Vault config reader, and a full .env.example documenting the entire env surface.
What's in it
- Azure-first deployment story Reworked to run on Azure with Entra sign-in, Key Vault for secrets, and Blob storage - without losing the option to point at other backends.
- Pluggable auth, storage, and LLM providers Auth, file storage, and model providers all sit behind interfaces, so you pick what fits the tenant rather than inheriting one vendor's stack.
- Run-it-on-your-laptop dev stack A local development setup with Postgres, PostgREST, and a blob emulator - no hosted dependency required to try the fork.
- OpenAI and Azure OpenAI support Both providers are wired in alongside Claude and Gemini, with a fallback chain so a slow or failing model degrades gracefully.
- In-app installer and diagnostics An admin-facing configuration UI declares the secrets and settings the app expects, with readiness checks rather than a hand-edited env file.
- Single image, many tenants The same built image ships to different deployments and reads its tenant config at runtime, so you're not rebuilding per customer.
- Provider-neutral database migrations Schema migrations run against any modern Postgres, replacing the original Supabase-only setup script.
Direction
infrastructuremulti-tenantintegration
Activity
Threads of work (detailed view)
Altien turns Mike into one tenant-portable image
One packaged build now runs the whole app and can serve any client without a rebuild.
Single-image multistage Dockerfile: bundled frontend + backend, tenant-portable
Altien replaces the upstream backend-only Dockerfile with a three-stage build that produces one image serving both the compiled Express API and the Next.js static export. The `NEXT_PUBLIC_API_BASE_URL` build arg handles same-origin vs split-origin deployments from a single Dockerfile.
Altien writes down the rules for its Azure fork of Mike
The interesting part of this documentation drop isn't the README - it's the governance that sits behind it.
Local docker-compose dev stack with PostgREST, Postgres, and Azurite
Commit `56cadfe6` adds a self-contained local dev environment: Postgres 16, PostgREST v12.2.3, and Azurite wired together in `docker-compose.dev.yml`, with helper scripts for role setup, JWT minting, and a smoke check. No hosted dependency required to run the backend locally.
Altien is making Mike at home inside Microsoft's cloud
The same build can now sign users in through Microsoft's corporate identity and run on Azure's hosted AI models - chosen per deployment, not baked in.
Frontend: runtime ConfigContext, provider-aware AuthContext, OpenAI/AOAI model components
The browser bundle is now tenant-portable. Auth provider, Entra IDs, and feature flags come from `GET /config` at startup rather than being baked into the build - so one image can serve Supabase, local, and Entra deployments without a rebuild per customer.
Altien is making Mike enterprise-ready for the Microsoft stack
A round of plumbing turns Mike from a local prototype into something that can actually run behind Microsoft's cloud and sign-in.
Express wired up: /api prefix, /config endpoint, bundled static frontend
Commit `acbb6cc7` ties the fork's backend together. Every router gets mounted under `/api/*`, two roots (`/install` and `/config`) stay at the top level, and a static frontend block lets a Next.js static export be served from the same process. A second commit (`6697186c`) adds the full `.env.example` and supporting chore files.
Altien builds an installer that locks the door behind itself
A new in-app setup flow lets operators configure an Azure deployment from the browser - and then checks that the installer's own admin rights were actually taken away afterward.
In-app /install configurator and /admin/diagnostics for Azure/Entra deployments
Altien adds a backend-side install wizard that walks an operator through Azure Key Vault secrets, Entra app registration, and readiness checks - all served from the running container. The manifest in `lib/install/manifest.ts` doubles as a live inventory of every config item the app expects.
Altien teaches Mike to run inside Microsoft's cloud
One fork now bends to three different hosting setups, including a locked-down Azure deployment that leans on Microsoft's own identity layer.
PostgREST client picks transport by AUTH_PROVIDER; two small resilience fixes
Commit `5d6f529c` makes `lib/supabase.ts` branch on `AUTH_PROVIDER` at startup to select one of three request behaviors: standard supabase-js for hosted Supabase, a fetch wrapper that strips the `/rest/v1` prefix for local and entra modes, and header stripping in entra mode where PostgREST runs without a JWT secret and rejects `Authorization` headers.
Altien stops shared projects from failing in silence
A quiet database mismatch was breaking shared-project lookups in production - and leaking raw server errors back to users while it did.
Fix: supabase-js JSONB containment bug breaks shared-project queries
Passing a JS array to supabase-js `.contains()` on a JSONB column sends Postgres array-literal syntax (`cs.{x,y}`), which Postgres rejects. The fix is one line: wrap the array in `JSON.stringify()` so supabase-js emits `cs.<jsonarray>` instead.
Altien gives Mike its pick of AI engines, with Azure OpenAI now in the mix
Two new model providers plug into the same socket the existing ones use, so Mike can run on whichever AI vendor a firm already trusts.
OpenAI and Azure OpenAI adapters added alongside existing Claude and Gemini
Commit `16a0799f` adds plain OpenAI and Azure OpenAI to the LLM adapter layer. New files cover streaming, tool-call assembly, deployment discovery, and a fast-model fallback chain that tries the user's pick first, then Gemini Flash Lite, then OpenAI nano, then Claude Haiku, then an AOAI default.
Altien turns a login stub into real account management
What was a one-line bookkeeping endpoint is now a full surface for reading profiles, tracking usage, and deleting accounts cleanly.
Full REST surface for /user/profile replaces upstream stub
Altien replaces upstream's single-method POST stub with four properly scoped endpoints: GET, PATCH, a credits increment, and DELETE /user/account with cascade. The whitelist-based PATCH and cascading account deletion are cleaner than anything upstream ships, regardless of whether you care about the Azure-specific pieces.
Altien wires Mike into corporate Microsoft logins
The fork swaps a single hardcoded login system for a switchable one, with Microsoft's enterprise identity service now a first-class option.
Auth provider abstraction: Supabase, Entra ID, and local HS256
Three commits convert Mike's hardwired Supabase auth check into a dispatching boundary. You set `AUTH_PROVIDER` to `supabase`, `entra`, or `local` and the middleware routes to the corresponding validator - no code change needed per deployment.
Altien tears out the database's built-in safety net
Altien moved this fork off a hosted database platform and onto its own Postgres, and in doing so handed every access decision to the application layer.
Supabase one-shot schema replaced with six node-pg-migrate files
Commit `b9f5f60a` is the portability change that makes this fork runnable on plain Postgres 16. The upstream one-shot schema - with its `auth.users` FK, RLS policies, and `handle_new_user` trigger - is broken into six sequential migration files runnable against any Postgres instance, plus a migration runner with Managed Identity support for Azure.
Altien makes Mike right at home on Microsoft's cloud
Storage is no longer hard-wired to one vendor - Mike can now keep documents in Azure, with the door open for others.
Storage abstracted behind a provider interface; Azure Blob added
Two commits refactor `backend/src/lib/storage.ts`. The first (`45310480`) extracts a `StorageProvider` interface and wraps R2/S3 in an `R2Provider` class with no behavior change. The second (`c3daf8fa`) adds an `AzureBlobProvider` against that interface, supporting both connection-string auth (local/Azurite) and `DefaultAzureCredential` (Managed Identity in Container Apps).
Altien teaches Mike to keep its secrets in Azure's vault
A new configuration layer lets Mike pull its sensitive settings from Microsoft's managed secrets store instead of leaving them in plain config.