Altien teaches Mike to run inside Microsoft's cloud

One fork now bends to three different hosting setups, including a locked-down Azure deployment that leans on Microsoft's own identity layer.

infrastructuresecurity

Maintained by Allen Morgan · verified on MikeWatch

Most installs of Mike assume a single hosted database service. Altien has rewired the plumbing so the same code runs three ways: the standard hosted setup, a bare local database for development, and a hardened Azure deployment that authenticates users through Entra, Microsoft's corporate identity system. In the Azure mode, the fork trusts the network boundary rather than passing around login tokens - the kind of arrangement a security team running inside Microsoft's ecosystem will recognise and want.

Two smaller bits of housekeeping ride along. The server now refuses to start in production if its file-signing secret is missing or too weak, instead of quietly falling back to a default. And if the AI ever fails to name a new chat, the sidebar shows "New Chat" rather than a blank line.

So what If you're a legal team that lives in Microsoft and Azure, this is the fork that knows how to deploy on your turf.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

1 commit from Altien/mikeOssAzure, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
5d6f529c feat(supabase): provider-aware PostgREST client + chat title fallback Allen Morgan 2026-05-08 ↗ GitHub
commit body
  * lib/supabase.ts now picks one of three transports based on
    AUTH_PROVIDER:

      supabase  - default supabase-js, hits hosted Supabase /rest/v1
      local     - supabase-js with a fetch wrapper that strips the
                  /rest/v1 prefix so SUPABASE_URL can point at PostgREST
                  directly (no Caddy required for the local docker stack)
      entra     - same prefix-strip plus Authorization/apikey header
                  removal, since the deployed PostgREST runs without
                  jwt-secret and refuses requests carrying Authorization.
                  Trust comes from network isolation: only the
                  Container Apps internal ingress can reach PostgREST.

    The "supabase" function name is now historical - for everything but
    the supabase branch this is a generic PostgREST client.

  * routes/chat.ts: title generation is cosmetic, so an LLM failure (no
    provider configured, AOAI deployment unreachable, etc.) now falls
    back to the first ~60 chars of the user message instead of failing
    the entire request.  Errors still log with context.

  * lib/downloadTokens.ts: hard-fail on missing DOWNLOAD_SIGNING_SECRET
    in production mode.  Same dev-mode fallback as before.

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-197.md from inside the repo you want the changes in.

⬇ Download capture-thread-197.md