Transition & modifications plan prepared for American Crane.
Magpie Todoist is already live: Karen uses it daily, it merges duplicates, recognizes attachments, and surfaced a 47-task week on the last review. The proof of concept is proven. What remains is one security gap that blocks rollout, and one workflow mismatch that makes the daily briefing fight Karen's methodology instead of supporting it.
Track 1 closes the security gap by putting the agent behind your existing Microsoft Entra sign-in — and you choose whether it stays on Supabase or moves into your own Azure tenant. Track 2 retunes the agent to the Maura Thomas methodology your team was trained on, so it reads your projects as the buckets and keeps delegated work out of your overdue list.
Path A keeps the working system in place and adds Microsoft Entra authentication in front of it — closing the impersonation hole fast, in-budget. Path B goes further and lifts the whole system into American Crane's own Azure tenant — Postgres-to-Postgres, so there's no query rewrite. Both end at the same security model; the choice is simply whether the data lives on Supabase or in your infrastructure.
[ Claude Desktop ]   ← the "brain"; the prompt is the harness
        │   connects to a per-user MCP URL
        ▼
[ MCP server ]   Supabase Edge Functions (Deno/TS)
        │
   ┌────┴─────────────────────────┐
   ▼                              NEW — Track 1
   │                              Microsoft Entra sign-in
   ▼                              per-user bearer token
Supabase Postgres                 (replaces user_id)
tasks · mirror · prefs            per-user query scoping
Todoist token (encrypted)
        │
        ▼
[ Todoist ]   per-user OAuth · SSO via Entra

·····························································
OPTION D — lift into YOUR Azure tenant (Path B):
  Supabase → Azure DB for PostgreSQL (pg_dump/restore)
  Edge Fns → Azure Container Apps · secrets in Key Vault
Work packages with honest hour estimates. Tracks 1 + 2 together land at roughly 18 hours — inside the 15–20 hour envelope. Track 3 is the optional deeper move into your own Azure tenant; it replaces Track 1's hosting and adds hours, but the data ends up in your infrastructure.
Replaces Track 1’s hosting — the Entra auth is performed inside your Azure tenant here, so Track 3 stands in for Track 1 rather than adding on top of it.
Tracks 1 + 2 ≈ {{ track1Total + track2Total }} hrs (in budget). Track 3 + 2 ≈ {{ track3Total + track2Total }} hrs (your Azure tenant). Estimates include local testing and a guided cutover with Denny and Karen. Blue Raven sets final pricing — these are engineering hours only.
Pick the scope that fits. Our value pick is Option C — secure and team-ready in one in-budget pass. If American Crane needs the data in your own Azure tenant, Option D delivers the full migration; it costs more hours, and that’s expected.
We provision Postgres on Azure Database for PostgreSQL, move the data with pg_dump / pg_restore (Postgres-to-Postgres, no query rewrite), redeploy the MCP server to Azure Container Apps, and keep secrets in Key Vault with a managed identity. The Entra sign-in runs inside your tenant, and we hold Supabase read-only as a rollback for a few days after cutover.
It adds hours over the in-budget options — that's expected, and priced separately. The decision that points you to Option D is simple: does American Crane policy require the data to live in your own Azure tenant?
The engagement moves fast once these are settled. The IT-side answers unblock Track 1; the workflow-side answers let us tune Track 2 to Karen's exact structure instead of guessing.