Altien builds an installer that locks the door behind itself

A new in-app setup flow lets operators configure an Azure deployment from the browser - and then checks that the installer's own admin rights were actually taken away afterward.

infrastructuresecurity

Maintained by Allen Morgan · verified on MikeWatch

Until now, standing up this fork on Microsoft's Azure cloud meant working through a command line. Altien has added a guided setup that runs inside the deployed app itself, plus a separate health-check screen for confirming everything came up clean once you're live.

The sharp bit is the security posture. After setup finishes, the system does a live check against Azure to confirm the elevated access used during install has genuinely been revoked - not just assumed gone. And if it can't verify that cleanly, it says so plainly instead of flashing a false green tick. That honesty matters: a setup tool that lies about its own clean-up is worse than one that admits uncertainty.

So what Anyone weighing whether to self-host a legal-AI tool should care - this is the difference between a deployment you can hand to an ops person and one that needs a developer babysitting a terminal.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

1 commit from Altien/mikeOssAzure, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
c94bf9f1 feat(install): /install configurator + /admin/diagnostics routes Allen Morgan 2026-05-08 ↗ GitHub
commit body
Backend half of the in-app install/configuration UI.

  * lib/install/manifest.ts        - declarative manifest of every
                                     config item the app expects (KV
                                     secret names, env-only items,
                                     readiness checks).  Functional
                                     documentation: anyone with this
                                     code can rebuild the configurator,
                                     no proprietary IP.

  * lib/install/installAuth.ts     - bootstrap-token + Entra OIDC auth
                                     for /install.  The bootstrap token
                                     burns on first successful Entra-
                                     admin sign-in.

  * lib/install/sessionTokens.ts   - short-lived HMAC-signed cookies
                                     keyed off the bootstrap or OIDC
                                     identity.

  * lib/install/types.ts           - manifest model types.

  * lib/install/checks/*           - manifest readiness probes for
                                     installer access and Entra
                                     redirect-uri registration.

  * routes/install.ts              - server-rendered HTML configurator
                                     UI.  Reads/writes Key Vault via
                                     getConfig/setConfig.  GET /install/
                                     scripts/:name returns 404 when
                                     scripts/install/ is absent - that
                                     directory ships with the separate
                                     deploy package, not the application
                                     image, so the application-only
                                     deployment degrades cleanly.

  * routes/diagnostics.ts          - /admin/diagnostics health page.
                                     Operator-grade utility that runs
                                     every manifest probe and reports
                                     status; useful in any deployment.

Adds cookie-parser + @types/cookie-parser to support the configurator's
short-lived session cookies.  The routers themselves are not yet
mounted on the Express app - that wiring lands in the bundled-frontend
commit so this one stays focused on the configurator surface.

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-195.md from inside the repo you want the changes in.

⬇ Download capture-thread-195.md