QVANTUM

Handover & maintenance guide

How the sign-in & hosting works

Three Qvantum web tools, one Microsoft sign-in — explained for everyone·with a deep-dive on tap·June 2026

Three of Qvantum's internal web tools — the NPI/CPI dashboard, the AI hub, and the UK Document Builder — now require you to sign in with your Qvantum account before showing anything. Only Qvantum employees get in; everyone else is turned away at the door. This page explains, without code, how the pages are built, how a change goes live, and how the sign-in gate works — so anyone can keep it running.

The connection map

From the tools to you

Follow the flow top to bottom. Everything funnels through one sign-in gate before it reaches an employee.

Your files / edits GitHub Azure hosting Sign-in gate

NPI/CPI dashboard

Weekly project status

home_work/dashboard/site/

AI hub

AI@Qvantum home

home_work/ai/

UK Document Builder

Branded UK documents

home_work/uk_document_builder/

GitHub

Stores & versions the code

QvantumSiteManager · main branch

Azure Static Web Apps

Publishes the pages automatically

Standard tier · auto-deploy on push

Microsoft sign-in gate

Only Qvantum accounts allowed

Microsoft Entra ID · single-tenant

✅

Qvantum accountsigned in → sees the tool

⛔

Everyone elseturned away → blocked

Qvantum employee

Opens the tool, signed in

Tip: click a tool to trace its path · hover any node to focus it

The three tools

What's behind the gate

Tool	What it's for	GitHub repo	Azure app / host	Sign-in
NPI/CPI dashboard	Weekly project-status dashboard for management	QvantumSiteManager/qvantum-dashboard	nice-stone-05b579003.azurestaticapps.net	Config ready
AI hub	The AI@Qvantum home page & tutorials	QvantumSiteManager/qvantum-ai	kind-coast-0b353fb03.azurestaticapps.net	Config ready
UK Document Builder	Builds branded, compliant UK customer documents	QvantumSiteManager/uk_document_builder	uk.documentbuilder.qvantum.com (zealous-pond-0f610f103)	Live

All three are plain static sites (HTML/CSS/JS) — no database, no live server code. That's why they're cheap, safe, and easy to gate.

Flow 1

What happens when you open one

You open the page; Azure sees you're not signed in.

Every route is gated — "/*" with "allowedRoles":["authenticated"]. An unauthenticated request gets a 401.

You're sent to the Microsoft sign-in.

A responseOverrides rule turns the 401 into a 302 redirect to /.auth/login/aad → login.microsoftonline.com.

Microsoft checks who you are (incl. MFA) and that you belong to Qvantum.

The app registration is single-tenant, so only the Qvantum directory passes; other accounts are rejected here.

You're sent back, signed in.

Azure sets a session cookie; /.auth/me returns your identity; /.auth/* is excluded from app routing so the login round-trip isn't swallowed.

The page loads and stays loaded until you sign out.

/login and /logout are convenience routes.

Flow 2

How a change gets published

Edit the files on the work laptop, in that tool's folder.

Under home_work/<tool>/. The dashboard publishes only from its site/ build-output folder — the project root holds .env/secrets that must never be committed.

Push to GitHub. One git push to that tool's repo.

Work identity, github-work SSH alias → QvantumSiteManager/<repo>, main branch only.

Azure publishes it automatically within a minute or two.

A GitHub Actions workflow .github/workflows/azure-static-web-apps-<resource>.yml runs Azure/static-web-apps-deploy@v1 with a deploy-token secret and skip_app_build: true for static sites.

In short: edit → push → it goes live automatically. No build servers to babysit.

Anatomy of the gate · Detailed

One small file per repo

staticwebapp.config.json turns a public site into a gated one. There is no other "auth code."

staticwebapp.config.json

"auth": { "identityProviders": { "azureActiveDirectory": { "registration": {  "openIdIssuer": ".../606f0645-…/v2.0",        // 1 · single-tenant Qvantum issuer  "clientIdSettingName": "AZURE_CLIENT_ID",      //     id/secret are Azure app settings,  "clientSecretSettingName": "AZURE_CLIENT_SECRET" //     NOT in the repo}}}},"routes": [  { "route": "/login",  "redirect": "/.auth/login/aad" },  { "route": "/logout", "redirect": "/.auth/logout" },  { "route": "/*", "allowedRoles": ["authenticated"] }   // 2 · everything is gated],"responseOverrides": { "401": { "statusCode": 302, "redirect": "/.auth/login/aad" } }, // 3 · denied → sign in"navigationFallback": { "exclude": ["/.auth/*","/.swa/*","/assets/*","…"] }            // 4 · don't swallow login

Points sign-in at the Qvantum Entra tenant; the secret stays in Azure.

Every page needs a signed-in user.

Blocked visitors are bounced to Microsoft instead of seeing a bare 401.

The SPA rewrite must exclude /.auth/* and /.swa/* or login breaks.

The Entra app registration · Detailed

The sign-in's settings

Created & owned on the Azure/IT side (Wekudata / Jonathan Hjort), not in any repo.

Account types

Single tenant — "this organizational directory only"

The switch that limits access to Qvantum employees.

Tenant (directory) ID

606f0645-2e97-4efd-9bef-e8e7c04a511b

Not secret — appears in the sign-in URL.

Client (application) ID

55b9d923-da43-4a7a-8600-862c961c3111

Stored as app setting AZURE_CLIENT_ID; not secret.

🔒 Client secret

Never shown — stored only as AZURE_CLIENT_SECRET

Never in repo or chat; expires ≈24 months; rotate on expiry or any leak.

Redirect URI

type Web · https://<host>/.auth/login/aad/callback

One per app.

⚠️

One registration per app. The dashboard and AI hub each need their own. SWA tier must be Standard (custom auth isn't on Free).

Gotchas & lessons · Detailed

Things that bit us

🏷️

Use the exact app-setting names AZURE_CLIENT_ID / AZURE_CLIENT_SECRET (an earlier AAD_* attempt 404'd at /.auth/login/aad).

🚫

Always exclude /.auth/* (and /.swa/*) from navigationFallback.

⚙️

skip_app_build: true for static sites (Oryx assumed Node from a root package.json and failed).

🔁

Sign-in loop after MFA = fix on the Entra registration (enable ID tokens / v2; redirect URI must be Web type …/.auth/login/aad/callback).

💳

Custom auth requires the Standard tier.

🔐

The client secret never leaves Azure; rotate if exposed.

Keeping it running

The only chores

🔁

Rotate the sign-in secret

About every 2 years: new client secret → update AZURE_CLIENT_SECRET → delete the old. Calendar a reminder ~2 months early.

✍️

Publish a change

Edit → push → it goes live automatically. Nothing else to do.

👤

Name an owner

For the three apps + sign-in after handover; record it in uk_document_builder/docs/access-control-runbook.md.

☎️

Who to call

The Azure/Entra side is run with Wekudata / Jonathan Hjort (Qvantum IT).

Current status & remaining work · Detailed

Where each tool stands

✅ UK Document Builder — live / gated (merged to main) ◷ Dashboard + AI hub — gate config on branch feature/access-control

To finish each of the remaining two:

Create its own single-tenant Entra app registration + Web redirect URI.
Set AZURE_CLIENT_ID / AZURE_CLIENT_SECRET app settings and confirm Standard tier.
Merge feature/access-control → main.
Acceptance-test in a private window (redirects to sign-in; Qvantum account loads page + assets; /.auth/me shows identity; non-Qvantum rejected).

Full steps: uk_document_builder/docs/access-control-runbook.md.

Regenerate the diagram · Detailed

Copy as Mermaid

Paste into any Mermaid-aware tool to get an editable picture of the flow.

flow.mmd

flowchart TD  subgraph Tools["3 tools (home_work/)"]    D["NPI/CPI dashboard"]    A["AI hub"]    U["UK Document Builder"]  end  Tools -->|git push to main| GH["GitHub · QvantumSiteManager"]  GH -->|GitHub Actions auto-deploy| AZ["Azure Static Web Apps (Standard)"]  AZ -->|staticwebapp.config.json gate| ENTRA{"Microsoft Entra ID — single-tenant"}  ENTRA -->|Qvantum account| OK["✅ Employee sees the tool"]  ENTRA -->|anyone else| NO["⛔ Blocked"]

One sign-in, three tools, nothing to babysit.

The pages are plain static files; GitHub publishes them to Azure on every push; one small config puts the Microsoft sign-in in front of each — so only Qvantum employees can open them. The only recurring chore is rotating one sign-in secret every couple of years.