# Provisioning And Runtime Topology
LeafEnterprise uses an Azure-first backend topology while preserving the current AWS SQL runtime source where it remains authoritative.
## Runtime Components
| Component | Role |
|---|---|
| Cloudflare Access / Tunnel | Internal perimeter and protected hosted API reachability. |
| Azure VM / backend process | Current hosted backend process for `scripts/serve_client_portal.py`. |
| AKS | Target heavy execution lane for persistent agent workspaces and worker pools. |
| Service Bus agent-tasks | Durable dispatch queue for agent and long-running backend work. |
| AWS SQL Server | Current claims/reporting source for live savings/audit runtime. |
| Azure SQL | Targeted curated store for Domo takeover, contract/evidence registries, and promoted backend tables. |
| ADLS Gen2 | Bronze/silver evidence, materialized files, artifacts, and replayable source snapshots. |
| Microsoft Graph / OneDrive | Read-only governed contract-packet retrieval. |
| Azure AI Search / Foundry IQ | Indexed evidence and enterprise retrieval context. |
| APIM | Gateway policy layer for AI and future MCP/tool traffic. |
| Key Vault | Runtime secrets, source credentials, and managed identity boundaries. |
| Azure OpenAI | Module copilot, narrative drafting, and agent model calls behind backend guardrails. |
## Executive Provisioning Summary
| Provision | Business value |
|---|---|
| AKS worker lane | Gives LeafEnterprise a durable execution plane for long-running agent tasks, data refreshes, validation, and controlled automation. |
| ADLS Gen2 | Keeps evidence and artifacts replayable instead of trapped in dashboard state. |
| AWS SQL connection | Preserves current claims/audit runtime authority while replacement layers mature. |
| Azure SQL bronze/silver/curated | Provides migration and reconciliation structure for Domo takeover without making Domo a runtime dependency. |
| Microsoft Graph / OneDrive | Lets contract packet evidence be retrieved and promoted from governed source files. |
| Salesforce integration | Connects business requests and evidence to backend execution and final deliverables. |
| Azure AI Search / Foundry IQ | Gives agents searchable governed context without exposing raw source systems. |
| Agent SDKs and workers | Allow automation while retaining policy, traces, blockers, and artifact ownership. |
## Execution Flow

```mermaid
flowchart LR
    UI[Internal UI / dashboard consumer] --> API[LeafEnterprise API]
    API --> SQL[AWS SQL / Azure SQL curated stores]
    API --> Graph[Graph contract packets]
    API --> ADLS[ADLS evidence and artifacts]
    API --> Search[Azure AI Search / Foundry IQ]
    API --> Bus[Service Bus agent-tasks]
    Bus --> AKS[AKS lane workers]
    AKS --> ADLS
    AKS --> SQL
    API --> AOAI[Azure OpenAI via backend guardrails]
```
## Current Versus Target
| Area | Current posture | Target posture |
|---|---|---|
| Claims runtime | AWS SQL remains active runtime authority. | Promote only deliberate governed tables to Azure SQL when ready. |
| Domo takeover | Dedicated Azure SQL/ADLS evidence lane. | Complete high-volume extracts, flaw gates, golden comparisons, no runtime Domo dependency. |
| Agent execution | API ledger, local runner, Service Bus dispatch scaffold. | AKS persistent lane workspaces with managed identity and artifact replay. |
| Retrieval | Salesforce ITR search-document contract and docs semantic index. | Module-split Azure AI Search / Foundry IQ indexes with source-aware routing. |
| MCP tools | Private backend tools and docs-generated route contracts. | APIM-governed, policy-aware MCP services generated from machine contracts. |
## Provisioning Rule
Provisioning docs must separate:
- what is live now,
- what is scaffolded and validated locally,
- what is target architecture,
- what requires secrets, identity binding, private networking, or operator approval.
This prevents docs from overstating production readiness while still making the intended AKS/ADLS/Azure AI/Search runtime clear to humans and agents.
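One way to enforce that rule mechanically, as an added example that is not LeafEnterprise project code: a small check over a provisioning manifest that flags a component documented as live while it still has unmet gates, or while it depends on something that is only scaffolded or target. The manifest shape (name, status, needs, depends_on) is an assumption for illustration; the component names and postures are taken from the tables above.

```python
"""Validate a provisioning manifest against the four-tier provisioning rule.

Added example; the manifest fields are assumed, not the project's schema.
"""
from dataclasses import dataclass, field

STATUSES = ("live", "scaffolded", "target")
GATES = ("secrets", "identity", "private-network", "operator-approval")


@dataclass
class Component:
    name: str
    status: str                                  # one of STATUSES
    needs: set = field(default_factory=set)      # unmet gates from GATES
    depends_on: list = field(default_factory=list)


def validate(components):
    """Return findings that would make the docs overstate production readiness."""
    by_name = {c.name: c for c in components}
    findings = []
    for c in components:
        if c.status not in STATUSES:
            findings.append(f"{c.name}: unknown status {c.status!r}")
            continue
        bad = c.needs - set(GATES)
        if bad:
            findings.append(f"{c.name}: unknown gate(s) {sorted(bad)}")
        # A live component cannot still be waiting on secrets, identity, etc.
        if c.status == "live" and c.needs:
            findings.append(f"{c.name}: marked live but still needs {sorted(c.needs)}")
        # A live component cannot rely on a scaffolded or target dependency.
        for dep in c.depends_on:
            d = by_name.get(dep)
            if d is None:
                findings.append(f"{c.name}: depends on undeclared {dep!r}")
            elif c.status == "live" and d.status != "live":
                findings.append(f"{c.name}: live but depends on {dep} ({d.status})")
    return findings


# Constructed manifest mirroring the Current Versus Target table.
MANIFEST = [
    Component("AWS SQL Server", "live"),
    Component("Azure VM backend", "live", depends_on=["AWS SQL Server"]),
    Component("Service Bus agent-tasks", "scaffolded", {"identity"}),
    Component("AKS worker lane", "target", {"identity", "private-network"}),
    # Deliberately wrong entry: claims live while its dispatch lane is not.
    Component("Agent execution (AKS)", "live",
              depends_on=["Service Bus agent-tasks", "AKS worker lane"]),
]

if __name__ == "__main__":
    for finding in validate(MANIFEST):
        print("-", finding)
```

Run against the constructed manifest it reports exactly the two dependency findings for the deliberately mislabelled entry and nothing for the correctly tiered components.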