This repository supports two modes:
- Local Mode (fully runnable, no cloud dependency)
- Azure Mode (reference architecture + IaC skeleton)
Local Mode remains the default for development, testing, and demos. Azure Mode is for consulting-grade architecture guidance and deployment planning.
| Capability | Local Mode | Azure Mode (Reference) |
|---|---|---|
| Web UI | Vite dev server | Azure Static Web Apps (preferred) |
| API | Node/Fastify process | Azure App Service (Linux Web App) |
| Worker | Node worker loop | Azure Functions (Linux Function App) |
| Persistence | Local JSON file store | Azure Cosmos DB for NoSQL |
| Secrets | .env placeholders only |
Azure Key Vault + Managed Identity |
| Identity | Dev header context | Managed Identity for service-to-service |
| Observability | Console logs | Application Insights + Log Analytics + OpenTelemetry-compatible traces |
Chosen reference: Azure Static Web Apps for the web tier.
Why:
- Built-in global edge distribution and TLS
- Simple CI/CD integration for front-end deployments
- Cost-effective for static SPA workloads
Tradeoff:
- If you need tightly coupled server-rendered behavior in one host, App Service can simplify topology.
- For this architecture (SPA + separate API), Static Web Apps is typically the cleaner fit.
Primary strategy:
- Partition key for all operational containers:
/tenantId - Every document includes
tenantId - Every query filters by
tenantId
Container-per-collection approach:
notesjobstasksauditmembershipsusers
Benefits:
- Predictable RU usage by tenant
- Reduced cross-partition fan-out
- Clear operational boundaries by entity type
Large tenant strategy (optional):
- Move high-scale tenants to dedicated environment/subscription when needed
- Keep same document shape and partition strategy to minimize migration complexity
Rules:
- No secrets in source control
- No hardcoded keys/connection strings in code or IaC
- Use Key Vault references for runtime secrets when required
Access model:
- API and Worker each use Managed Identity
- Managed Identities receive:
- Key Vault secrets read permissions (
get/listvia RBAC) - Cosmos DB data access role (documented in IaC skeleton)
- Key Vault secrets read permissions (
- App and worker telemetry flow to Application Insights
- Logs and metrics retained in Log Analytics workspace
- Tracing model maps to OpenTelemetry concepts:
- request span (API)
- background job span (worker)
- correlation via request/job identifiers
- CI validates: lint, typecheck, tests
- IaC deploys platform resources (RG, KV, Cosmos, App Service, Functions, identities)
- App deployment publishes API and Worker artifacts
- Runtime configuration resolves secret values from Key Vault
- Smoke checks verify API health and worker job processing
Azure resources are not required for local tests or local demo execution. Local Mode remains unchanged and self-contained.