Altien writes down the rules for its Azure fork of Mike

The interesting part of this documentation drop isn't the README - it's the governance that sits behind it.

securityinfrastructure

Maintained by Allen Morgan · verified on MikeWatch

Altien published the operating manual for its Azure-flavoured fork of Mike, and the part worth reading is how the team keeps the project honest. The work is split across three repositories so that deployment plumbing and cloud secrets never sit alongside the application code anyone can read, and every change has to declare which tier it belongs to so that boundary can't quietly erode over time.

The security policy is written for legal work, not generic software. It treats unauthorised document access, broken logins, and one client's matters leaking into another's as the real threats - and counts a wrong or hallucinated answer as a security issue only when it actually breaches confidentiality. There's also an upstream-first rule: anything not tied to Azure goes back to the original Mike project before it lands here.

So what If you're weighing a legal-AI fork for real client work, how seriously its owner treats tenant separation and disclosure matters - and Altien just put theirs in writing.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

3 commits from Altien/mikeOssAzure, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
0bf51f73 docs: README rewrite, fork delta, runbooks, design notes, AGENTS.md Allen Morgan 2026-05-08 ↗ GitHub
commit body
Fresh README replaces the upstream supabase-only quickstart with the
Azure-fork story: what's added, where to find local-stack docs, where
to find azure-prereqs.md, and the explicit note that one-click
deployment lives in a separate marketplace package.

Adds the runtime config / local-first / Entra runbooks and the
provider-boundary design notes.  fork-delta.md is rewritten for the
OSS audience - drops the internal three-tier publication framing and
just describes what diverges from upstream.

Adds the application-layer subset of the original azure-migration
issue archive (the deployment-specific issues stay in the separate
deploy repo).  Sanitised - concrete tenant identifiers, FQDNs, and
resource names replaced with placeholders.

  * README.md, AGENTS.md
  * docs/azure-prereqs.md             - provision-it-yourself prose
  * docs/fork-delta.md                 - file-by-file divergence list
  * docs/runbook-local-stack.md
  * docs/runbook-entra-local-auth.md
  * docs/auth-provider-selection-flow.md
  * docs/local-first-upstream-strategy.md
  * docs/agent-handoff.md
  * docs/{Postgres,storage,email,entraId}/* - design deep-dives
  * docs/AzureMove/azure-migration-proposal.md
  * docs/issues/azure-migration/{004,006.1,006.2,008,008.0,009,010,
                                 011,012,013,014,017-022,024-028,
                                 030-runtime-config-endpoint,031-supabase-placeholder-removal,
                                 032-retire-env-production}.md
  * routes/install.ts: removed lingering hardcoded KV name from a
    save-confirmation HTML string surfaced via /install.
e2cab300 docs: add SECURITY.md with private vulnerability reporting policy Allen Morgan 2026-05-08 ↗ GitHub
951abb6f docs: add CONTRIBUTING.md with upstream-first guidance and test plan note Allen Morgan 2026-05-08 ↗ GitHub

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-202.md from inside the repo you want the changes in.

⬇ Download capture-thread-202.md