Contract & lease intelligence platform — Azure-native port of the original Supabase prototype.

| Layer | Service |
|---|---|
| Frontend | Vite + React on Azure Static Web Apps (Free) |
| API | FastAPI on Azure Container Apps (Consumption, scale-to-zero) |
| Database | Azure Database for PostgreSQL Flexible Server (B1ms) with pgvector |
| Storage | Azure Blob Storage (LRS, Hot) |
| AI | Azure OpenAI (gpt-4o-mini + text-embedding-3-small) + Document Intelligence |
| Identity | Microsoft Entra ID — User-Assigned Managed Identity; secrets in Key Vault |
| Observability | Log Analytics + Application Insights |

Region: France Central (OpenAI may fall back to Sweden Central if a model isn't available).

```powershell
azd auth login
azd env new gardia-prod
azd env set AZURE_LOCATION francecentral
azd env set AZURE_OPENAI_LOCATION swedencentral # safer; switch to francecentral if available
azd env set PG_ADMIN_PASSWORD (New-Guid).Guid
azd up
```

`azd up` will:

- Create resource group `rg-gardia` in France Central
- Deploy the 12 resources defined in `infra/main.bicep`
- Build the API container, push it to ACR, and roll the Container App
- Build the Vite SPA and publish it to the Static Web App

```text
apps/
  api/              FastAPI service (single container, all routes)
    app/
      routes/       /health, /api/onboarding, /api/documents
      mcp/          MCP server (Day-3)
  web/              Vite + React SPA
db/migrations/      SQL migrations (Postgres + pgvector)
infra/main.bicep    Single-file infra-as-code (Day-1, ~12 resources)
azure.yaml          azd service mapping
```

$30–80 / month (excluding AOAI traffic). Designed to fit a $700 sponsorship for 8–20 months.

- No admin user on ACR — managed identity `AcrPull` only
- Key Vault in RBAC mode, soft delete + purge protection on
- Storage: shared key disabled, TLS 1.2 min, public blob access off
- Postgres: AAD auth enabled alongside password; password sourced from Key Vault
- All compute uses a single user-assigned managed identity (least-privilege role bindings)
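
One way to keep the settings in this list from drifting is to audit the compiled template in CI. The script below is an added example, not part of this repository: it assumes `infra/main.bicep` has been compiled to ARM JSON (for instance with `az bicep build`), and the resource names in `SAMPLE` are constructed.

```python
# Added example: audit a compiled ARM template against the hardening list above.
# Property names are the ARM resource properties; resource names are constructed.
CHECKS = [  # (resource type, path under "properties", required value)
    ("Microsoft.ContainerRegistry/registries", "adminUserEnabled", False),
    ("Microsoft.KeyVault/vaults", "enableRbacAuthorization", True),
    ("Microsoft.KeyVault/vaults", "enableSoftDelete", True),
    ("Microsoft.KeyVault/vaults", "enablePurgeProtection", True),
    ("Microsoft.Storage/storageAccounts", "allowSharedKeyAccess", False),
    ("Microsoft.Storage/storageAccounts", "minimumTlsVersion", "TLS1_2"),
    ("Microsoft.Storage/storageAccounts", "allowBlobPublicAccess", False),
    ("Microsoft.DBforPostgreSQL/flexibleServers", "authConfig.activeDirectoryAuth", "Enabled"),
]

def lookup(props, dotted):
    """Walk a dotted path; return None when any segment is missing."""
    for key in dotted.split("."):
        if not isinstance(props, dict) or key not in props:
            return None
        props = props[key]
    return props

def audit(template):
    """Return (name, property, actual, required) for every unmet check."""
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # symbolic-name templates use a map
        resources = list(resources.values())
    findings = []
    for res in resources:
        for rtype, path, want in CHECKS:
            if res.get("type", "").lower() != rtype.lower():
                continue
            got = lookup(res.get("properties", {}), path)
            # A missing or parameterised value is reported: the setting must be explicit.
            if got != want or type(got) is not type(want):
                findings.append((res.get("name"), path, got, want))
    return findings

# Constructed sample with two deliberate gaps (Key Vault and storage).
SAMPLE = {"resources": [
    {"type": "Microsoft.ContainerRegistry/registries", "name": "acrexample",
     "properties": {"adminUserEnabled": False}},
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-example",
     "properties": {"enableRbacAuthorization": True, "enableSoftDelete": True}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stexample",
     "properties": {"allowSharedKeyAccess": True, "minimumTlsVersion": "TLS1_2",
                    "allowBlobPublicAccess": False}},
]}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FAIL %s: %s is %r, want %r" % finding)
```

Role assignments (the `AcrPull`-only binding) are not covered here; they are separate `Microsoft.Authorization/roleAssignments` resources and need their own check.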