Identity
Microsoft Entra ID for authenticated product access
Operators authenticate through Entra, with API audiences and tenant restrictions tied to the deployment they actually use.
Security
Security posture for regulated Microsoft Teams oversight.
The public site exists to explain how the system is operated. It does not expose the signed-in product surface or client content APIs.
Hosting
Azure-hosted app, function, storage, and secrets
The product is built around Azure Static Web Apps, Functions, Table Storage, Blob Storage, Key Vault, and App Insights.
Review controls
Human review remains in the loop
Ambiguous evidence is routed into analyst review instead of being silently treated as trusted final output.
What the public website does not do
The public site at helioslabs.app is a marketing and qualification surface. It does not share the same runtime purpose as the operator console at app.helioslabs.app.
Product access stays separate
The sign-in path routes operators into the authenticated application rather than collapsing public SEO pages and protected product behavior into the same interface.
External partner model
For external rollouts, the intended architecture is a Helios control plane paired with client-owned data planes so content, secrets, and derived outputs can stay inside the client environment.