Backend Parity Checklist

The repository supports AWS and Azure backends without forking the application data model. Site features should be implemented once against the shared workspace model, then mapped to local storage, AWS, and Azure through provider configuration and service adapters.

The active provider selection lives in src/config/backend.js. That file is generated by npm run init:backend and should contain only non-secret deployment metadata: provider, environment, region or location, storage resource names, database resource names, identity service label, and notification service label. The coordinating node can still register additional provider connections in .wm-data/connections.json for sync.

Use this checklist after reading the shared Cloud Backend Setup page and the concrete AWS Backend Setup or Azure Backend Setup page. It is not a provisioning runbook; it is the review surface that keeps the provider-specific runbooks, scripts, and shared model aligned.

Current Repository State

At the time this doc was written, src/config/backend.js selects AWS for the dev environment:

provider: "aws"
environment: "dev"
region: "us-east-1"

This does not remove Azure support. AWS and Azure defaults, labels, and service mappings remain in src/lib/workspace-model.js under backendProviderCatalog. Tests verify that provider selection changes labels and storage_provider, while keeping project-owned paths provider-neutral.

The static frontend still has one active deployment context, but the local coordinating-node runtime can register multiple backend connections. That is the sync boundary: local, AWS, and Azure surfaces exchange provider-neutral sync items with stable IDs, versions, checksums, timestamps, deleted markers, and conflict records. This avoids embedding provider-specific dual-write logic in the browser.

Shared Application Contract

Both providers must support the same application contracts:

Feature work should preserve this contract. If a UI feature adds a new field to a project, document, account, team, grant, metadata record, or write event, update the shared model and both backend docs in the same change.

Provider Mapping

Concern AWS Azure
User sign-in and deployment claims Cognito Microsoft Entra External ID
API runtime API Gateway + Lambda Azure Functions or Container Apps behind API Management
Application records DynamoDB Cosmos DB for NoSQL
Raw and processed files S3 Blob Storage
Upload URL S3 presigned URL Blob delegated upload URL or SAS issued by the API
Administrative event bus EventBridge Event Grid
Email SES Azure Communication Services Email
Secrets and runtime configuration Secrets Manager or Parameter Store Key Vault or App Configuration

Backend Selection File

The generated src/config/backend.js file is intentionally safe to commit when it contains only resource identifiers:

export const backendSelection = {
  provider: "aws",
  environment: "dev",
  region: "us-east-1",
  storage: {
    bucket: "workspace-management-dev-documents",
    privatePrefixMode: "workspace-model"
  },
  database: {
    table: "workspace-management-dev",
    itemContainer: "workspace_items"
  },
  identity: {
    service: "Cognito"
  },
  notifications: {
    service: "EventBridge + SES"
  }
};

Azure uses the same shape, but replaces region with location and names Azure resources:

export const backendSelection = {
  provider: "azure",
  environment: "dev",
  location: "eastus",
  storage: {
    account: "workspacemanagedevdocs",
    container: "workspace-documents",
    privatePrefixMode: "workspace-model"
  },
  database: {
    account: "workspace-management-dev-cosmos",
    database: "workspace",
    container: "workspace_items",
    itemContainer: "workspace_items"
  },
  identity: {
    service: "Microsoft Entra External ID"
  },
  notifications: {
    service: "Event Grid + Azure Communication Services Email"
  }
};

Do not put cloud credentials, connection strings, account keys, SAS tokens, Cognito secrets, Entra secrets, or personal login material in this file.

Parallel Maintenance Rules

Keep these layers separate when editing site features:

When adding a feature:

  1. Add provider-neutral fields and helper behavior to src/lib/workspace-model.js.
  2. Add or update tests in tests/workspace-model.test.mjs.
  3. Render the feature from shared helpers in the UI.
  4. Update AWS and Azure docs when storage, identity, database, API, or notification behavior changes.
  5. Keep src/config/backend.js limited to selected provider and resource names.
  6. Avoid provider-specific branching in UI components unless it is presentation-only labeling.

AWS Configuration

AWS backend setup is selected with:

npm run init:backend -- --provider aws --environment dev --prefix workspace-management --region us-east-1

Baseline provisioning uses:

npm run setup:aws

The setup script creates or hardens:

AWS environment variables include:

The private artifact bucket is separate from any public static website bucket used by frontend deployment.

Azure Configuration

Azure backend setup is selected with:

npm run init:backend -- --provider azure --environment dev --prefix workspace-management --location eastus

Baseline provisioning uses:

npm run setup:azure

The setup script creates or hardens:

Azure environment variables include:

The private Blob container is separate from any Azure Storage static website $web container used by frontend deployment.

Data Storage Architecture

Both providers should persist the same logical records.

AWS DynamoDB:

Azure Cosmos DB:

The backend should treat DynamoDB and Cosmos DB as persistence adapters for the same item families. The application should not need different project, file/document artifact, team, or account fields for each provider.

Versioning And Audit Records

Version and history behavior is provider-neutral:

For concurrency in a production backend, add provider-specific conditional writes while preserving the same logical version model:

Those concurrency fields are implementation details. They should not change the user-visible object hierarchy.

Cloud Account Versus Application Account

The word account appears in two places:

Application account records must remain portable across AWS and Azure. Moving the deployment from AWS to Azure should change where records are stored and where files live, not what an application account means.

Parity Checklist

Before merging backend-affecting feature work, verify: