Cloud Migration 2026
ALAI cloud migration master plan: 6-phase transition from ANVIL-only to cloud-hosted control plane
- Master Plan — Cloud Migration
- Phase 1 — Bitwarden Cloud Migration
- Phase 2 — MC + HiveMind API
- Current State vs Target State
Master Plan — Cloud Migration
Phase 1 — Bitwarden Cloud Migration
Timeline: Days 1-3
Goal: Eliminate Vaultwarden SPOF as the very first step. Every subsequent phase depends on secrets being available globally, not just when the Azure VM is alive.
MC Task: #8494
Proveo Owner: Angie Jones
Status: PREVIEW — Parisa writing detailed runbook in parallel
Why First
Phase 2 onwards deploys to Azure Container Apps. Those containers need secrets at startup (Anthropic API key, Postgres connection string, Azure SP). If Vaultwarden is down, all containers fail to start. Fix the foundation before building on it.
Deliverables
- Export all current Vaultwarden items to encrypted JSON
- Import to Bitwarden cloud Teams ($4/user/month — 1 seat = $4/month total)
- Update `alai-cli` bootstrap step to use `bw login` against `cloud.bitwarden.com`
- Update all agent bootstrap scripts to use cloud BW endpoint
- Delete the BW CLI config pointing to `vault.basicconsulting.no`
Rollback Plan
Vaultwarden self-hosted remains running in parallel until Phase 6. If Bitwarden cloud import fails, fall back to self-hosted immediately. Keep vault export as encrypted offline backup in ~/system/backups/.
Proveo Validation Criteria
Test Owner: Angie Jones (Proveo)
- Fresh `bw login alembasic@gmail.com` on a machine with NO `vault.basicconsulting.no` access returns all expected items (GitHub token, Azure SP, Anthropic key, SSH key)
- `alai login` (once built in Phase 4) succeeds using cloud BW credentials
- Vaultwarden VM can be stopped for 1 hour with no agent failures on ANVIL
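One way to automate the first criterion, as an added example that is not part of the ALAI tooling: it audits the JSON printed by `bw list items` for missing, duplicated or empty entries and reports item names only. The exact item names in the vault and the sample data are assumptions.

```javascript
// Names follow the validation criterion above; the real vault's item names are an assumption.
const EXPECTED_ITEMS = ['GitHub token', 'Azure SP', 'Anthropic key', 'SSH key'];

// True when the item carries some secret material (login password or notes).
function hasSecret(item) {
  const password = item.login && item.login.password;
  return Boolean(password) || Boolean(item.notes);
}

// Audits `bw list items` JSON. Returns item names only, never secret values.
function auditVaultItems(bwListJson, expected = EXPECTED_ITEMS) {
  const items = JSON.parse(bwListJson);
  if (!Array.isArray(items)) throw new Error('expected a JSON array of items');
  const byName = new Map();
  for (const item of items) {
    if (!item || typeof item.name !== 'string') continue;
    if (!byName.has(item.name)) byName.set(item.name, []);
    byName.get(item.name).push(item);
  }
  const missing = expected.filter((n) => !byName.has(n));
  // Duplicates (e.g. an import run twice) make lookups by name ambiguous.
  const duplicated = expected.filter((n) => (byName.get(n) || []).length > 1);
  // Present but without a password or note: the import dropped the secret.
  const empty = expected.filter((n) => byName.has(n) && !byName.get(n).some(hasSecret));
  const ok = missing.length + duplicated.length + empty.length === 0;
  return { ok, missing, duplicated, empty };
}

// Constructed sample standing in for `bw list items` output after the import.
const SAMPLE = JSON.stringify([
  { name: 'GitHub token', type: 1, login: { password: 'placeholder' } },
  { name: 'Azure SP', type: 2, notes: 'placeholder' },
  { name: 'Azure SP', type: 2, notes: 'placeholder' },
  { name: 'Anthropic key', type: 1, login: { password: null } },
]);

console.log(auditVaultItems(SAMPLE));
```

Run it on the clean machine after `bw login` and `bw unlock`, and treat any non-empty list as a failed import before stopping the Vaultwarden VM.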
Cost
Bitwarden cloud Teams: $4/user/month × 1 user = $4/month
vs Vaultwarden HA (2 VMs + Load Balancer): ~$88/month
Detailed Runbook
Parisa Tabriz (Securion) is writing the full step-by-step runbook in parallel. Once complete, it will be referenced here:
~/system/architecture/phase-1-bitwarden-runbook.md (pending)
Credit: ALAI, 2026
Phase 2 — MC + HiveMind API
Timeline: Weeks 1-2
Goal: Mission Control and HiveMind leave ANVIL and become cloud-hosted APIs. This is the biggest architectural change — SQLite becomes Postgres, local scripts become REST calls.
MC Task: #8495
Proveo Owner: Angie Jones
Status: PREVIEW — Kelsey working in parallel
Why Second
MC and HiveMind are the nervous system. Once they are cloud-hosted, every other phase can run from any machine without touching ANVIL.
Deliverables
- mc-api.js: Express-based REST API wrapping current `mc.js` logic
  - `GET /tasks`, `POST /tasks`, `PATCH /tasks/:id`, `GET /stats`
  - Postgres driver (pg) replacing SQLite
  - Schema migration: 8378 tasks, 127 open — pg-migrate from SQLite dump
- hivemind-api.js: REST + optional WebSocket for pub/sub
  - Postgres backend (hivemind schema)
- Docker images for both, pushed to Azure Container Registry
- Azure Container Apps: deploy mc-api and hivemind-api
  - Consumption plan (serverless, scale-to-zero when no traffic)
  - Min replicas: 1 (so cold start is 2-4s max, not 30s+)
  - Memory: 0.5GB each, vCPU: 0.25 each
- Azure Database for Postgres Flexible Server: Burstable B1ms
  - Region: swedencentral
  - `mission_control` DB + `hivemind` DB on same instance
  - Automated backups (7-day retention, included in cost)
- Update `mc.js` client wrapper: detect `ALAI_MC_URL` env var, proxy to API if set
  - Backward compatible: if no `ALAI_MC_URL`, still uses local SQLite (ANVIL stays working)
Cost Estimate
- Container Apps (2 apps, ~5h/day active, consumption plan): ~$1.50/month per app = $3/month total (Free grant: 180,000 vCPU-s/month covers most light usage)
- Azure Postgres B1ms: ~$22-24/month (swedencentral, Flexible Server)
- Azure Container Registry Basic: $5/month
- Total Phase 2 additions: ~$30-32/month
Rollback Plan
mc.js still reads local SQLite if ALAI_MC_URL is not set. If Postgres or Container Apps fail, unset ALAI_MC_URL on ANVIL and operations continue locally. SQLite is kept in parallel for 30 days post-migration before decommission.
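The `ALAI_MC_URL` switch described above, as an added sketch that is not the project's `mc.js`: an unset variable selects local SQLite, a valid HTTPS URL selects the API, and anything else fails closed instead of silently falling back and splitting writes between the two stores. The function names, the injected `sqliteList`/`httpGetJson` helpers and the example host are assumptions.

```javascript
// Database file name as shown in the architecture diagram; the path is an assumption.
const LOCAL_SQLITE = 'mission-control.db';

// Decide which backend the client wrapper talks to.
function resolveMcBackend(env) {
  const raw = (env.ALAI_MC_URL || '').trim();
  if (raw === '') {
    // Rollback path: variable unset, so operations continue on local SQLite.
    return { mode: 'sqlite', path: LOCAL_SQLITE };
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error('ALAI_MC_URL is set but is not a valid URL');
  }
  // Task data and the bearer token must not travel in clear text.
  if (url.protocol !== 'https:') {
    throw new Error('ALAI_MC_URL must use https');
  }
  // Credentials in the URL leak into process listings and logs.
  if (url.username || url.password) {
    throw new Error('ALAI_MC_URL must not embed credentials');
  }
  const basePath = url.pathname.replace(/\/+$/, '');
  return { mode: 'api', baseUrl: url.origin + basePath };
}

// Thin wrapper: same list() call, different backend. The two helpers are
// injected so the selection logic can be exercised without a DB or network.
function createMcClient(env, { sqliteList, httpGetJson }) {
  const backend = resolveMcBackend(env);
  return {
    backend,
    list: () =>
      backend.mode === 'api'
        ? httpGetJson(`${backend.baseUrl}/tasks`)
        : sqliteList(backend.path),
  };
}
```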
Proveo Validation Criteria
Test Owner: Angie Jones (Proveo)
- From ab-mac (no local SQLite): `alai mc list` returns live tasks
- From ANVIL: `node ~/system/tools/mc.js list` still works (backward compat)
- POST to mc-api: task appears in both `mc.js list` AND cloud Postgres within 2s
- Postgres automated backup: verify restore of 100-row sample matches source
- Container App scales to zero after 10min idle, cold starts under 5s
Detailed Implementation
Kelsey Hightower (FlowForge) is implementing Azure Container Apps + Postgres in parallel. Full runbook will be linked here once ready.
Current State vs Target State
Purpose: Visual comparison of ALAI's architecture today (ANVIL single-point-of-failure) vs the cloud-hosted control plane target state.
Source: ~/system/architecture/cloud-migration-master-plan.md
TODAY — SINGLE SPOF ARCHITECTURE
ANVIL (makinja-sin-mac-studio) Azure swedencentral
100.103.49.98 4.223.110.181
┌─────────────────────────────────┐ ┌──────────────────────────────┐
│ CONTROL PLANE (all-in-one) │ │ Supporting services (1 VM) │
│ │ │ Standard_B2als_v2, 2vCPU │
│ Mission Control (mc.js) │ │ 4GB RAM, 30GB SSD │
│ └─ SQLite mission-control.db │ │ │
│ 8378 tasks │ │ BookStack (docs) │
│ │ │ Vaultwarden (secrets — SPOF)│
│ HiveMind (hivemind.db) │ │ Planka (boards) │
│ Agent runner (pi-orchestrator) │ │ Documenso (signing) │
│ 30 LaunchAgent daemons │ │ Grafana / Prometheus │
│ Rules/skills/agents (git) │ │ Caddy (reverse proxy) │
│ │ │ │
│ LightRAG (Docker :9621) │ │ Cost estimate: $5-53/month │
│ Neo4j (Docker :7474/:7687) │ │ (Azure Founders Hub credit) │
│ Knowledge graph (481MB) │ └──────────────────────────────┘
│ │
│ Ollama :11434 │ Azure Blob (alaibackups0ebb)
│ qwen3.5:27b (17G) │ ┌──────────────────────────────┐
│ orchestrator:latest (23G) │ │ system-db-backups │
│ alaiml-task/tender/email (3G) │ │ system-git-bundles │
│ qwen2.5-coder:32b (23G) │ │ bitwarden-exports │
│ bge-m3 + others (~40G) │ │ Cost: ~$2.40/month │
└─────────────────────────────────┘ └──────────────────────────────┘
│ LAN only (10.0.0.2)
┌────────▼────────────────────────┐
│ FORGE (Mac Mini) │
│ devstral:24b, qwen2.5-coder │
│ NOT on Tailscale — LAN only │
└─────────────────────────────────┘
Tailscale mesh: 4 nodes
makinja-sin-mac-studio 100.103.49.98
ab-mac 100.118.37.71
basicass-mac-mini 100.104.164.86
iphone181 100.93.161.73
NOTE: ANVIL Ollama :11434 NOT reachable from ab-mac (port timeout verified).
NOTE: 306 files in ~/system/ hardcode localhost:11434 — zero portability today.
SPOF inventory (4 critical):
[1] ANVIL dead → mc.js, HiveMind, agents, LightRAG, Ollama ALL stop
[2] FORGE dead → devstral/coder workload stops (Anthropic can substitute)
[3] Azure VM dead → Vaultwarden down, secrets inaccessible, agents cannot bootstrap
[4] Local network → FORGE permanently isolated (LAN-only, no Tailscale)
TARGET — CLOUD-HOSTED CONTROL PLANE + THIN CLIENT
CLIENT (any OS — new laptop, travel machine, etc.)
┌──────────────────────────────────────────────────┐
│ alai-cli (single installable package) │
│ brew install alai | npm install -g @alai/cli │
│ winget install alai | apt install alai-cli │
│ │
│ alai login → OAuth2 PKCE → Azure AD B2C │
│ alai start → connects to cloud APIs │
│ alai mc list → proxies to MC API │
│ alai agent run → dispatches to agent runner │
│ │
│ Claude Code CLI (installed separately) │
│ ~/.claude/ cloned from git on login │
└──────────────────────────────────────────────────┘
│ HTTPS (Azure Front Door or direct)
│ Auth: Azure AD B2C JWT
┌───────────────▼──────────────────────────────────┐
│ CLOUD CONTROL PLANE (Azure Container Apps) │
│ Region: swedencentral (existing subscription) │
│ │
│ ┌─────────────────┐ ┌──────────────────────┐ │
│ │ MC API │ │ Agent Runner API │ │
│ │ REST + WebSocket│ │ POST /run │ │
│ │ → Postgres │ │ → dispatches agents │ │
│ └─────────────────┘ └──────────────────────┘ │
│ │
│ ┌─────────────────┐ ┌──────────────────────┐ │
│ │ HiveMind API │ │ Skills/Rules Proxy │ │
│ │ pub/sub │ │ serves ~/system/ │ │
│ │ → Postgres │ │ content from Git │ │
│ └─────────────────┘ └──────────────────────┘ │
│ │
│ ┌─────────────────┐ ┌──────────────────────┐ │
│ │ Auth API │ │ Secrets Proxy │ │
│ │ Azure AD B2C │ │ → Bitwarden cloud │ │
│ │ JWT issuance │ │ (no self-hosted BW) │ │
│ └─────────────────┘ └──────────────────────┘ │
│ │
│ Azure Database for Postgres (Flexible Server) │
│ Burstable B1ms — mission_control + hivemind │
│ (migrated from local SQLite) │
│ │
│ Azure Container Registry (private) │
│ MC API, HiveMind, Agent Runner images │
└──────────────────────────────────────────────────┘
│ Tailscale (encrypted WireGuard)
│ OR public HTTPS (for Anthropic-only agents)
┌───────────────▼──────────────────────────────────┐
│ DATA PLANE (stays on hardware) │
│ │
│ ANVIL 100.103.49.98 FORGE 10.0.0.2 │
│ Ollama :11434 (primary) devstral:24b │
│ qwen3.5:27b qwen2.5-coder:32b │
│ alaiml-task/tender/email (add to Tailscale) │
│ orchestrator:latest :11434 │
│ LightRAG + Neo4j (Phase 5) │
│ │
│ CLOUD ML FALLBACK (Phase 5) │
│ Together.ai — Llama-3.3-70B $0.88/M tokens │
│ Triggered only when ANVIL:11434 unreachable │
└──────────────────────────────────────────────────┘
SECRETS (Phase 6 — replaces self-hosted Vaultwarden)
┌──────────────────────────────────────────────────┐
│ Bitwarden cloud (Teams plan) │
│ $4/user/month — 1 user = $4/month │
│ HA by default — Bitwarden's infrastructure │
│ alai-cli integrates via BW CLI at login │
└──────────────────────────────────────────────────┘
Key Differences
| Component | Current State (ANVIL SPOF) | Target State (Cloud Control Plane) |
|---|---|---|
| Mission Control | SQLite on ANVIL disk | Postgres + MC API (Azure Container Apps) |
| HiveMind | SQLite on ANVIL disk | Postgres + HiveMind API (Azure Container Apps) |
| Agent Runner | pi-orchestrator on ANVIL only | Cloud agent-runner (Anthropic-powered agents), ANVIL for fine-tuned models |
| Secrets | Vaultwarden on single Azure VM | Bitwarden cloud ($4/month, HA by default) |
| Client Bootstrap | Manual setup, ANVIL-dependent | brew install alai && alai login — under 10 minutes, any OS |
| Ollama | ANVIL only, FORGE LAN-isolated | ANVIL + FORGE (Tailscale) + Together.ai cloud fallback |
| Cost | $27-106/month (mostly hidden by Azure credit) | $108-165/month (transparent, no hidden dependencies) |
| ANVIL Offline Impact | Total system outage | Cloud services continue, fine-tuned models pause gracefully |
SPOF Elimination
4 SPOFs removed:
- ANVIL death — control plane (MC, HiveMind, agent runner) migrates to cloud. ANVIL offline = Ollama workloads pause, everything else continues.
- Vaultwarden VM death — secrets migrate to Bitwarden cloud (HA by default). No more single-VM secret dependency.
- Network isolation — FORGE joins Tailscale. Cloud services can reach FORGE for code tasks even when ANVIL is down.
- Workstation lock-in — `alai-cli` works from any machine. No more "John only works from ANVIL."