Some of it pays the bills. Some of it I'd rebuild from scratch tomorrow. Click anything.
more: forge pocs · archive
I'm running a Metro Vancouver pest and wildlife control company end-to-end on an AI-built operating system. Marketing site, admin console, technician PWA, customer portal — all built and operated by one person.
A B2C platform that discovers, scores, tailors, submits, and tracks job applications on behalf of career-changers and immigrants. Built for the people the job market under-serves.
An AI-content compliance pipeline for healthcare and government publishers. Editors paste a draft or describe what they want — the pipeline scans for PHI/PII, medical red flags, hallucinations, and regulatory exposure before anything is safe to publish.
An English + Egyptian-Arabic ecommerce platform with a built-in CRM, built on the same operating-system stack as my pest-control company. One operator. One codebase. Two markets.
A revenue-intelligence platform that connects to a sales team's CRM, surfaces what needs attention today, and runs what-if scenarios — built to replace the spreadsheet pile and fragmented dashboards.
A learning environment that synced your library, notes, and reading progress across web and iPad — designed for the rare reader who treats their books like a working notebook, not a finished archive.
A media transcription service with an AI-powered caption generator — drop in audio or video, get clean timed captions back. Built as a monorepo with separate React frontend and Node API.
How I run 24 autonomous AI agents in production for roughly a third of cloud-only cost. A 4-tier model pyramid with automatic failover — the infrastructure my own businesses run on.
A scoring engine that predicts product-adoption outcomes across 5 weighted dimensions and self-calibrates against real results. Built to decide where to spend the next month of work.
A pipeline that turns video corpora and practitioner interviews into callable Subject Matter Expert agents. The meta-build that produces the tools I use to build everything else.
An autonomous software-creation system that starts with trivial tasks, masters them through repeated build-measure-repair loops, then progressively takes on harder challenges while learning from every failure.
A multi-agent pipeline that takes a one-line product brief and ships a working app — designer, builder, brand-voice, browser-checker, and provisioner agents collaborating with strict contracts between them.
A fleet of autonomous worker agents that run scheduled tasks across my businesses — lead intake, calendar reconciliation, daily ops reports, error triage. The thing I built so I could stop checking on things at 11 PM.
Master-tier subject matter expert on local SEO, built from 49 videos of practitioner content.
Practitioner-voice expert on HubSpot Lead Scoring at the post-Aug-31-2025 sunset moment.
Practitioner-voice expert on negative keywords in Google Ads — match-type asymmetry, n-gram mining, AI-assisted classification.
An exploration of what a physical-retail-meets-AI storefront looks like — checkout-free, inventory-aware, conversational. A working prototype, not a product.
Twelve habits, one per month. Not a tracker — an operating system that schedules the right habit for the right month of the year and quietly retires the ones you've already integrated.
A landing-page generation system tuned for video-ad traffic: messaging that matches the ad's first three seconds, sections that respond to ad-platform context, and a backend that learns from which sections convert.
A premium salad recipe app with seasonal browsing, full recipe pages, a hands-free guided cooking mode, and favorites sync. Designed and built end-to-end in one Pantheon run.
A Bloomberg-Terminal-style command center for the 20-100+ YouTube channels knowledge workers follow. Daily briefs, library, group manager, lightbox player — generated in one Pantheon run.
A modern CRM concept for small sales teams (5-20 reps). Dashboard, contacts, pipeline, deal detail, email composer, settings — designed end-to-end in one Pantheon run.
A landing-page concept for a weekly 2-minute team pulse-survey product. Hero, features, social proof, pricing, footer — full long-form sales page generated in one Pantheon run.
A guided breathing-exercise app for stress, focus, and sleep. Landing page, auth, dashboard, guided sessions, history. Designed and built end-to-end in one Pantheon run.
A community recipe-sharing app. Landing page, browse with search and tag filters, recipe detail, auth, dashboard, recipe editor. Designed and built end-to-end in one Pantheon run.
22 customers × per-tier quota usage (rps + monthly request count + concurrency). Soft-limit (90% warning), hard-limit (100% throttle). Surfaces 4 customers exceeding soft cap + 2 customers paying enterprise rates but using free-tier quotas (sales misalignment) + 1 burst-pattern customer needing different rate-limit shape.
18 active content-moderation appeals under DSA Art 20 internal complaint handling. Per appeal: original decision, appellant statement, statutory clock (90-day reasonable response), out-of-court dispute resolution path. Surfaces 3 appeals approaching deadline + 1 nested retaliation case.
22 platform behaviors checked against US KOSA + COPPA, UK Age Appropriate Design Code (Children's Code), Texas SCOPE Act, EU DSA Art 28, Utah Social Media Regulation Act. Per behavior: applicable jurisdiction, current implementation, gap, mitigation. 21 of 22 compliant; 1 gap on knowledge-of-minor inferred from behavior.
18 CI pipelines × DORA-aligned metrics: test coverage, flake/rerun rate, build duration drift, MTTR-to-green, deploys/day. Surfaces 4 chronic flake pipelines (rerun rate >15%) + 2 with declining coverage + 3 with build duration over 2× baseline.
22 third-party cookie use cases × Chrome 3p-cookie deprecation + Privacy Sandbox APIs (Topics, Protected Audience, Attribution Reporting, Storage Access, FedCM, CHIPS). Per use case: current implementation, replacement API, readiness state, Safari/Firefox fallback (already blocking).
22 customer contracts × residency commitments (EU-only / US-only / no-restriction / China-only / KSA-only / UK-only / FedRAMP) vs actual storage location across our 12 data services. Surfaces 4 customers with data leaking to non-contracted regions + 2 ambiguous contracts (no residency clause negotiated).
22 dependency CVEs from Dependabot + Snyk + GHSA in single queue. Per CVE: severity (CVSS 3.1), exposure path (transitive depth), CISA KEV catalog status, SLA clock, fix-available, applied/auto-merge state. Surfaces 3 critical past SLA + 4 in CISA KEV catalog (actively exploited).
14 NIST CSF 2.0 categories scored across the 6 functions (GOVERN + IDENTIFY + PROTECT + DETECT + RESPOND + RECOVER) with 4-tier maturity model. Per category: trend vs last quarter, top finding, owner, board-action recommendation. The artifact every public-company audit committee asks for under the SEC Cyber Disclosure Rule.
22 image-moderation hits across PhotoDNA hash-match, AI classifier, IWF list, NCMEC list, Apple NeuralHash, user reports. Per hit: source, classifier confidence, NCMEC CyberTipline reporting status (US 18 USC §2258A 24-hour reporting), false-positive triage. Surfaces verified hash-matches + GENAI synthetic-CSAM cases.
22 employees × MFA enrollment status across 8 systems (Okta, GitHub, AWS, Salesforce, GSuite, 1Password, Auth0 admin, Snowflake). Per user × system: factor type (FIDO2 / TOTP / SMS-fallback / none). Surfaces 4 users with SMS-only fallback + tracks FIDO2-coverage % across the org.
22 PSD2 / Open Banking OAuth grants audited. AISP (account info), PISP (payment init), CBPII (card-based payment instrument issuer). Per grant: scope, 90-day reconfirmation status (RTS on SCA), SCA exemptions used, FAPI 2.0 conformance. Surfaces 4 past-90d reconfirmation + 2 with insufficient SCA + 1 deprecated FAPI 1.0.
22 systems classified by PCI-DSS scope: in-CDE, connected-to-CDE (segmented), out-of-scope. Per system: PAN/CHD touchpoints, network segmentation evidence, segmentation test status, control owner. Surfaces 2 scope-leaked systems + 1 missing annual segmentation test (Req 11.4).
8 teams × 4 quarters of phishing-sim results. Per team: click-rate (target <5%), report-rate (target >50%), repeat-clicker count, supplemental training assigned. Surfaces 2 teams with chronic high click-rate (Sales + Marketing) + 1 team with declining report-rate (Marketing Q4).
18 SBOM snapshots (CycloneDX 1.6) over 18 months × 4 production services. Per snapshot: dependency count, license mix, new packages added, removed packages, version bumps, signed-attestation status. The audit-evidence trail EO 14028 + NIST SSDF require.
22 services × Istio/Linkerd sidecar mTLS coverage, zero-trust NetworkPolicy presence, deny-by-default verification, JWT-on-request enforcement, mesh-version. Surfaces 4 services without mTLS in mesh + 2 with permissive NetworkPolicy + 1 with mesh outdated (Istio 1.18 EOL).
22 TLS certificates × SAN coverage, days-to-expire, ACME provider, key algorithm + size, OCSP stapling, Certificate Transparency log status. Surfaces 4 expiring <30 days + 2 with weak crypto (RSA-2048 — should migrate to ECDSA P-256 or RSA-4096) + 1 missing-CT-log entry.
22 outbound webhook subscribers. Per subscriber: success rate, retry attempts, DLQ depth, signature version (HMAC-SHA256 v2 vs deprecated HMAC-MD5 v1), idempotency-key support, exponential-backoff cadence. Surfaces 4 with chronic failures + 2 still on legacy HMAC-MD5.
Interactive model-card generator. Inputs: model name + intended use + out-of-scope use + training data + eval results + bias analysis + mitigations + governance. Live preview + HTML/Markdown export. Conforms to NIST AI RMF + EU AI Act Annex IV (high-risk AI system documentation, mandatory from 2026).
22 active cross-border data transfers with mechanism (SCC 2021/914 / EU-US DPF / adequacy decision / BCR / Art 49 derogation / consent). Per transfer: source jurisdiction, destination, data category, lawful basis, Schrems II TIA, frequency. Surfaces 3 with pending TIA + 1 Art 49 derogation overuse.
6 incident-tabletop scenarios (ransomware encrypts customer DB; region-wide AWS outage; sub-processor breach disclosure; supply-chain compromise via npm; insider threat exfiltration; AI model jailbreak). Walk through 5 phases per scenario (detect → triage → contain → disclose → recover); pick decisions; see canonical answer + framework-grounded rationale.
Interactive WCAG 2.2 AA conformance-statement generator. Inputs: org + URL + conformance target + status + audit date + scope + audit method + auditor + known limitations + contact channel + statement date. Outputs: live-updating EAA + ADA Title III + Section 508 + EN 301 549-aligned conformance statement with HTML and Markdown export. Mandatory disclosure under EAA 2025 (effective 2025-06-28).
28 columns mapped source → transformations → destinations. Each column carries data classification (direct PII / sensitive / cardholder / aggregate / indirect), every transformation that touches it (PII-scrub, hash, anonymize, redact, generalize), every downstream consumer (warehouse, ML training, partner shares). Surfaces 4 columns flowing raw to ML training without redaction + 2 lineage gaps where the source was lost during platform migration.
24 production prompts × owner + version + model + eval link + change log + safety review. Per prompt: system message, allowed inputs, banned outputs, kill-switch flag. Surfaces 4 prompts without current eval + 2 orphan prompts inherited from former employee + 3 prompts with safety review overdue + 1 prompt without a kill-switch.
Interactive blameless post-mortem template with 5 sections × 18 evidence prompts (summary / impact / timeline / root-cause / actions). Per section: prompts that catch missing evidence, anti-blame language linter, action-item owner + due-date validator, learning-extraction prompts. Live readiness score + Markdown export. Drives the postmortem from ad-hoc to consistent without imposing a single template.
28 vendor contracts × actual vs budgeted spend × renewal-window clock. Per vendor: monthly burn, YTD spend ratio, contract end date, auto-renewal flag, lock-in clauses, alternates. Surfaces 4 vendors over budget (AWS +17%, Datadog +17%, Twilio +23%, Atlassian +11%) + 6 with renewal in <60 days + 1 auto-renewing legacy contract that locks us in within 27 days unless we give notice.
22 build artifacts (containers + npm + pip + binaries + SDKs) audited against SLSA v1.0 attestation chain. Per artifact: SLSA level (1-4), Sigstore signature, in-toto provenance, SBOM (CycloneDX 1.6), source provenance, runtime verification. Surfaces 4 SLSA Level 1 artifacts (no provenance) + 2 unsigned releases + 1 vendor sidecar mirrored without verification.
32 platform behaviors checked against EU Digital Markets Act 2022/1925 + Digital Services Act 2022/2065. Per finding: applicable article (DMA Art 5/6/7 or DSA Art 14/15/16/24/25/27/30/34/40), gatekeeper-threshold check, self-preferencing audit, dark-pattern detection. Surfaces 3 self-preferencing patterns + 2 dark-pattern UX choices that face EU consumer-law scrutiny even pre-designation.
24 standing orders that auto-execute every N days for opted-out subjects. Per order: trigger event, scope, cadence, downstream sub-process fan-out, last-execution proof, statutory-hold check. Surfaces 3 standing orders SUSPENDED by legal hold + 1 with sub-processor that needs manual reconfirmation. The artifact that converts one-shot DSARs into reliable ongoing erasure.
28 third-party apps with active OAuth grants on YOUR users. Per app: vendor, granted scopes (with criticality), user count, grant age, last-used, vendor-side breach status, recommended action (allow / step-up / review / dormant / consent-renewal-needed / block). Surfaces 4 dormant grants with sensitive scopes + 2 vendors needing user reconsent + 1 unknown-vendor mail.modify grant.
22 daily payouts reconciled against the internal ledger. Per payout: gross / fee / refunds / disputes / FX-spread / other-adj / Stripe net / ledger expected / variance. Break categories: refund-out-of-period, fee-rate-mismatch, dispute-chargeback, currency-fx-spread, payout-timing-skew, missing-transaction. Surfaces $4,820 in unreconciled breaks + 1 systemic fee-rate misconfiguration.
8 reviewers × 142 employees × 12 systems. Per-grant decision (keep / reduce / revoke), justification, escalation, days-to-deadline. Sort by tier-0-system-first, dormant-first, employee, system. Surfaces 4 reviewers chronically overdue + 18 unattested grants on tier-0 systems + the SOC2 CC6.1 audit-trail.
22 customer contracts × per-customer error-budget consumption. Per customer: tier, MSA SLA target, MRR, observed downtime min, 5xx rate, 429 rate, p99 exceedance, credit owed (% of MRR via standard ladder), notification status. Surfaces 4 customers eligible for SLA credit + 2 contracts with SLA mis-aligned with infrastructure reality.
38 packages (npm + pip + Apache) audited across direct + transitive. Per package: locked version, latest, semver-distance, days-behind, known CVEs, license, services using. Surfaces 4 packages with version drift across services + 6 with major-version skew + 2 phantom dependencies (in node_modules but not in package.json).
14 quarterly DR failover drills logged. Per drill: target service, hypothesis, planned RTO/RPO vs observed, minute-by-minute timeline, deviations from plan, action items shipped vs open, post-mortem cross-references. The actual exercise log SOC2 CC9.1 + ISO 22301 §8.5 demand — including 1 failed drill where the failover path was undocumented.
22 SSO integrations across SAML 2.0, OIDC, SCIM. Per integration: signature algorithm, encryption algorithm, assertion lifetime, signed assertion + signed response + encrypted assertion, NameID format, IdP-init vs SP-init, allowed clock skew, AuthnContextClassRef. Surfaces 4 integrations with weak crypto (SHA-1, RSA-1024) + 2 over-long assertion lifetimes + 1 unsigned-assertion CRITICAL finding.
38 alert rules with 30-day firing count, page count, actionable %, MTTR, alert-fatigue score, recommended action (keep / tune / demote / silence-or-tune / add-runbook / remove). Surfaces 4 noise leaders eating the on-call budget, 1 critical paging alert without a runbook, and 1 alert silenced 90 days for a deprecated service.
20 carbon-credit purchases across 6 registries (Verra VCS, Gold Standard, ACR, CAR, Puro.earth, Climeworks, BioCarbon). Per credit: vintage year, project type, methodology, additionality, permanence, leakage, retirement status, ICVCM CCP screen. Surfaces 3 credits past quality screens (REDD+ avoided-deforestation over-crediting + low-additionality wind farm) + 1 vintage-tournament double-claim risk.
24 engineers × 12-week on-call schedule. Primary + secondary + follow-the-sun coverage. Fairness scored on 4 axes (weekend equity, holiday equity, page-load equity, time-zone alignment). Surfaces 4 engineers carrying disproportionate weekend duty + 1 timezone-coverage gap (no APAC primary 03:00-09:00 UTC).
14 in-flight vendor onboardings × 28-step pipeline. Commercial intake → spend approval → SIG/CAIQ → SOC2/ISO review → pen-test review → DPA + SCC + DPF + TIA → sanctions screening → MSA → RoPA + DPIA + DPADeskbook → IT integration + SSO → egress firewall + audit hooks → offboarding plan + production access. Surfaces 4 stuck mid-pipeline + 2 with production access before security review.
32 WAF rules across OWASP Core Rule Set 4.x + custom rules. Per rule: action (block / log / count / disabled), 7-day fired/blocked stats, false-positive rate, last-tuned date, paranoia level. Surfaces 4 rules with FP rate >15%, 2 stuck in count-mode for >90 days (decide: promote or remove), 1 rule unfired for 18 months.
28 RFCs across normal / standard / emergency. Per RFC: requester, reviewer chain, risk class, blast radius, rollback plan, customer notification, sign-off chain with timestamps, pre-deploy checks. Surfaces 4 RFCs awaiting review >14 days, 4 emergency RFCs (with documented post-hoc CAB ratification), and 1 rolled-back change with lessons-learned.
22 repos audited. Per repo: CODEOWNERS coverage %, bus-factor (unique owner teams), former-employees still listed, files without an owner, branch-protection coverage, signed-commits enforcement. Surfaces 4 repos with bus-factor 1, 4 repos with stale former-employee owners, and 2 repos with no CODEOWNERS file at all.
40 evidence requests across 4 frameworks. Per request: source system, collection method (automated / manual), CMMI maturity (1-5), evidence freshness, gap-list. The Vanta / Drata / Secureframe shape — built directly. Surfaces the controls that look 'covered' but actually have manual workflows masking ad-hoc execution.
28 findings from FY24 annual pen-test. Per finding: CVSS 3.1 base + vector, OWASP / CWE mapping, exploitability rating, evidence, our remediation, retest status. SLA clock per severity (critical 24h, high 7d, medium 30d, low 90d). 4 critical fixed in <2 weeks; 3 past SLA; 2 explicitly accepted as residual risk with documented rationale.
24 pricing variants across 6 SKUs × 8 markets. Detects geographic discrimination (US vs EU vs APAC vs LATAM), cohort skewing (income-proxy KILLED, mobile-vs-desktop FLAGGED, B2B/B2C OK, AI-personalized KILLED), Robinson-Patman concerns, EU Geo-blocking Reg 2018/302 violations, EU Omnibus 2019/2161 sale-claim provenance.
24 deprecated items (APIs, endpoints, fields, OAuth scopes, SDK versions, formats). Per item: announce date, sunset date, replacement, RFC 8594 Sunset header status, customer migration progress, 7-day traffic on the old path. Surfaces 4 items past sunset still receiving traffic, including the v1 PAN-storage endpoint that triggers a PCI-DSS Req 3.5 finding.
Interactive trainer with 22 incident scenarios across 6 categories. Pick a severity (SEV-1 to SEV-4); get the canonical answer + the 5-dimension impact rationale (blast radius, data sensitivity, customer visibility, regulatory implications, time sensitivity). Tracks accuracy + over-paged + under-paged across the session.
38 data classes with retention period, source of the rule (regulation / contract / business / legitimate-interest / consent), legal-hold trigger, deletion mechanism, evidence of execution. Surfaces 2 over-retained classes (Twilio SMS, Mixpanel events), 2 with no automated deletion (legacy mongo, ChinaPartnerCo archive), and 2 active legal holds (DOJ subpoena, SEC TCR).
20 services × availability + latency + freshness SLOs. 30-day error-budget burn rate. Multi-window multi-burn-rate alerts (Google SRE Workbook ch. 5: 1h short window, 6h medium, 3d long). Surfaces 1 service that has fully exhausted its quarterly budget and 4 currently burning fast.
22 trademark-watch hits across USPTO TSDR, EUIPO eSearch, WIPO Madrid, and domain registrars. Per hit: 3-axis confusability scoring (phonetic distance + Nice-class overlap + visual similarity), opposition-window clock, decision matrix (oppose / cease-and-desist / monitor / no-action / settled). Includes one URS domain takedown and one Madrid LATAM multi-country opposition.
32 findings across 18 page templates. Each mapped to a WCAG 2.2 success criterion (including the 9 new SC introduced Oct 2023: 2.4.11 Focus Not Obscured, 2.5.7 Dragging Movements, 2.5.8 Target Size, 3.2.6 Consistent Help, 3.3.7 Redundant Entry, 3.3.8 Accessible Authentication). Per finding: page, element, contrast preview, suggested code fix. EAA + ADA Title III + Section 508 + EN 301 549 alignment.
22 findings across an OpenAPI 3.1 spec, 9 lint classes (missing operationId, untyped 5xx, undocumented 429, RFC 7807 gap, breaking parameter rename, deprecated-no-sunset, response schema drift, semver mismatch, PII in query, unsafe-eval). Maps Spectral-style severity to SemVer impact (MAJOR / MINOR / PATCH).
20 emission sources spanning Scope 1 (gas + fleet + refrigerant leakage), Scope 2 (location-based AND market-based per dual-reporting rule), Scope 3 (purchased goods, business travel, employee commute, use-of-sold-products at 280 tCO₂e, financed-emissions). Per-source: GHG-Protocol-aligned methodology, FY24 actuals vs FY22 baseline, SBTi 1.5°C-aligned 2030 target.
20 experiments scored against Belmont Principles (respect / beneficence / justice) + IRB-lite checklist + GDPR Art 6(1)(f) balancing test. Surfaces 4 blocked/killed experiments (Cambridge Analytica-style emotion contagion, income-inferred pricing, unauthorized $1 charge, pre-checked EU consent), 5 in-review (AI urgency, mood-targeted upsell, GeoIP price discrimination, click-to-cancel dark pattern, per-user dynamic LLM pricing).
28 customer responses across NPS, CSAT, exit surveys, in-app comments. PII-scan + redaction (email, phone, SSN, name, address, DOB, account number). Per-response action: share-ok / share-redacted / cannot-share / crisis-escalate. Lawful basis tagged, retention enforced, employee-name vs third-party-name distinction surfaced.
88 tokens across 7 types (PATs, service accounts, customer-issued, partner, signed-request, cron, legacy). Last-used age, scope, rotation cadence, IP allow-list, abuse signals. Surfaces 5 orphan tokens, 6 over-privileged (admin: *), 2 known-leaked-not-rotated, 1 former-employee token still active.
32 hash-chained consent events. Each entry: subject, purpose, prompt version, exact prompt text shown to subject, affirmative-action evidence, timestamp, source IP-truncated to /16, UA, signed envelope with the hash of the previous entry. Tamper-evident — the artifact that defends GDPR Art 7(1) 'the controller shall be able to demonstrate that the data subject has consented'.
32 processing activities as a real RoPA. Per activity: purpose, Art 6 lawful basis, categories of data subjects, categories of personal data (Art 9 sensitive flagged), recipients, international transfers, retention period, Art 32 security measures. The canonical artifact every supervisory authority asks for first.
22 supplier sites mapped across 4 tiers (finished good → component → sub-assembly → raw material). UFLPA Xinjiang-traceability, Modern Slavery Act 2015 §54 coverage, EU CSDDD 2024/1760 due-diligence, ILO 8 core-conventions risk. Surfaces 2 XUAR-located polysilicon + transformer suppliers (UFLPA rebuttable presumption applies), 1 DRC cobalt site without OECD Annex II audit.
32 sanctions-screening hits across OFAC SDN, EU Consolidated, UK HMT, UN-SC, Non-SDN SSI, BIS Entity List. Per-hit: name-distance score, secondary identifier comparison (DoB, country, address), 50%-rule beneficial-owner cascade, decision (auto-block / hold-and-review / false-positive / released), SAR filing trigger.
16 endpoints × 4 limit tiers (anon-IP, free-tier, paid-tier, enterprise). Real-time burn rate vs limit, abuse signals (single-IP saturation, token reuse across geos, payload-size anomalies), and the actual API-gateway YAML config per endpoint. Maps RFC 6585 + OWASP API4:2023 + SOC2 CC6.6.
38 sub-processors. DPA + SCC 2021/914 module + DPF status + adequacy decision + Schrems II Transfer Impact Assessment. Surfaces 4 vendors with legacy 2010 SCCs (invalid since Dec 2022), 1 with expired DPF self-cert, 3 with transfers to non-adequate jurisdictions (BR, IN, CN), and the Heap.io shadow-IT no-DPA entry.
22 product features classified against US EAR (15 CFR §730-774) + ITAR (22 CFR §120-130) + EU Dual-Use Regulation 2021/821. Per-feature: ECCN (EAR99 / 5A002 / 5D002 / 5E002 / 3A090 / 4D090 / USML), license exception (ENC §740.17 / publicly-available §734.7), country deny list (E:1 + OFAC SDN), deemed-export risk.
28 prompt-injection payloads across 8 classes: direct (DAN, fiction-framing, authority impersonation), indirect via RAG (poisoned docs, hidden HTML, web-search injection), system-prompt exfiltration, training-data extraction, jailbreaks, encoded payloads, multimodal (image-OCR, audio-injection), tool/agent abuse (SSRF, XPIA). Each payload includes 4-layer mitigations.
18 active reports across EU Whistleblower Directive 2019/1937, SOX §806, Dodd-Frank §922, German HinSchG, French Sapin II. Per-report: anonymity tier, channel, retaliation-risk score, 7-day acknowledgment clock + 3-month feedback clock (Art 9), workflow stage, assigned investigator. Includes one nested retaliation case and one SEC TCR Dodd-Frank §922 filing.
22 seeded CSP violations across 5 properties. Classifies each by directive (script-src, img-src, connect-src, frame-ancestors, …), risk class (XSS attempt / shadow IT / 3p drift / browser-noise / clickjacking probe / SRI mismatch / unsafe-eval / mixed-content), and recommended action with the actual directive fix.
12 processing activities scored against the 9 WP29 / Art 35(3) criteria. Risk matrix (likelihood × severity, inherent vs residual), mitigation roadmap with ship-state per item, DPO sign-off. 2 activities flagged for Art 36 prior consultation with the supervisory authority.
18 incidents over 24 months. Per-incident severity (SEV-1 to SEV-4), MTTD, MTTR, NIST 800-61 lifecycle timeline, post-mortem actions (shipped vs open). Includes one Art 12(3)-missed DSAR (Twilio gap), one credential-stuffing wave, one vendor-disclosed breach with the 72-hour Art 33 notification timeline.
36 eval cases × 4 models × 6 risk dimensions: factuality, refusal correctness, jailbreak resistance, PII leakage, instruction following, bias. Cross-model pass-rate matrix with current-vs-baseline regressions (color-coded deltas). Per-case prompt + expected behavior + per-model outcome.
40 employees × 8 training modules (security awareness, phishing simulation, HIPAA, PCI, GDPR, secure coding, AI risk, role-based privilege). Per-employee × per-module completion matrix, annual + 90-day cadences, retake-after-fail tracking. Maps to PCI Req 12.6, HIPAA §164.530(b)(1), SOC2 CC1.4.
12 properties across 4 jurisdictions (EU, US-CA, US-VA, multi-state). Validates IAB TCF v2.2 + GPP MSPS strings, 8 banner checks (reject-all on layer 1, balanced buttons, scroll ≠ consent, cookie-table accuracy, no dark patterns, no non-essential cookies pre-consent). Surfaces the €60M CNIL pattern (reject buried in settings) and the beta domain with NO BANNER firing GA4 + Hotjar.
24 active DSARs across GDPR, CCPA, CPRA, VCDPA, and Quebec Law 25. Per-request statutory clock (GDPR Art 12(3) 30-day, CCPA 45-day, Quebec 30-day), request type, identity-verification status, 6-stage workflow, and the analyst assignment. One request is already OVER deadline (Twilio gap from RtbfFlow) and the response is documented.
28 outbound destinations from 8 production services. Allow-list state, 7-day traffic baseline, 4-dimension anomaly score (request rate, error rate, response size, geographic dispersion). Surfaces shadow IT (api.anthropic.com from a still-unidentified ECS task), denied destinations (Google Fonts loading visitor IPs), and one bare-IP exfil drill.
32 OAuth grants across 14 SaaS apps. For every grant: scopes granted vs scopes actually used in last 90 days, classification (active / dormant / unused), recommended minimum-grant. Flags the dormant 'admin: *', the 'iam:*' that has never been used, and the former-employee Google Workspace token still alive.
64 seeded secrets across 12 systems. Rotation cadence vs policy. Last-rotated age, blast-radius, owner, vault. Surfaces the 'orphan token' (no owner, no last-rotated metadata), the deprecated mongo password 880 days stale, the FCM legacy server key still in env vars, and the still-running IAM access key that should have been migrated to OIDC.
Scores 18 production services across 6 resilience dimensions: RTO actual vs target, RPO actual vs target, last successful failover, runbook freshness, blast-radius isolation, on-call coverage. Composite drives the next chaos test. SOC2 CC7.5 / CC9.1 + ISO 22301 shape.
Walks 38 columns across an e-commerce schema and classifies each as direct identifier, sensitive PI, PHI, cardholder data, or quasi-identifier. Maps to GDPR Art 4(1), HIPAA 45 CFR 164.514, PCI-DSS v4.0 Req 3, CCPA. Proposes minimization: drop, tokenize, pseudonymize, generalize, truncate.
32 seeded controls comparing what the policy says to what the config actually does. CSP headers, IAM trust policies, S3 public-access blocks, GitHub branch protection, KMS key rotation, MFA enforcement, secret-rotation cadence. Drift age in days.
One deletion request, 14 downstream systems. Each system has its own deletion API, retention exception, and SLA. Renders the actual fan-out — Postgres CASCADE, Stripe redaction, Intercom permanent-delete, Segment Regulations API, Sentry tag scrub, Datadog retention wait, S3 versioned delete, Auth0 invalidation, backup rotation, Twilio gap.
The public trust page that sales hands to every enterprise prospect. 8 certifications (SOC 2 Type II, ISO 27001, HIPAA, PCI DSS L1, CCPA, GDPR, NIST CSF 2.0, CSA CAIQ), 8 sub-processors with current attestation status, 4-incident timeline, 8 pre-answered SIG questionnaire items.
52 seeded packages across a realistic Node.js + Python stack. Matches every package against CVE feeds (CVE-2022-23529 jsonwebtoken bypass, CVE-2021-44906 minimist prototype pollution, CVE-2023-23931 cryptography, …), classifies licenses, flags EOL upstream versions. NTIA SBOM compliance shape.
Scores 22 seeded vendors across 4 risk dimensions: security posture (attestation + breach history), financial health, concentration risk (% of workload on this vendor), and data sensitivity. Composite drives review cadence — critical = quarterly, low = annual.
When a breach is detected, every jurisdiction's clock is already running. BreachNotifier shows each one in real time: GDPR 72-hour, NYDFS 72-hour, HIPAA 60-day, California 30-day, plus 6 US states + EU + UK + Canada + Australia + Singapore — with the regulator address, the citation, and the required action.
Automates SOC2 CC6.2 quarterly access review. 38 seeded grants across production DB, AWS root, GitHub admin, Stripe, Vault, Datadog. Flags dormant accounts, over-permissioned users, offboarded employees. Reviewer attests or revokes; the audit trail is the SOC2 evidence.
Audits 14 seeded multi-tenant systems against 7 isolation surfaces: row-level security, schema boundaries, K8s namespace, S3 prefix, cache-key prefix, Kafka topic ACL, search index per tenant. Catches every cross-tenant leak vector a SOC2 reviewer would find.
88 seeded evidence artifacts indexed by control across SOC2, HIPAA, ISO 27001, and PCI DSS. SHA-256 hash, retention period, last-access. Build the packet your auditor asks for by selecting artifacts; export JSON manifest with control coverage. Turns 9-day evidence requests into 90-second downloads.
Computes the dollar exposure per missed compliance control. Models GDPR Art 83 sliding-scale (4% of global revenue), HIPAA tiered fines, FLSA back-wages + 2× liquidated damages, OFAC penalties, PCI scheme fines, EU AI Act sliding-scale, CCPA private right of action. 20 toggleable scenarios.
A rolling 13-month calendar of every compliance deadline. 42 seeded items across SOC2, ERISA, BSA/AML, HIPAA, GDPR, PCI, OSHA, EU AI Act, contract renewals, certifications, and insurance — owner-assigned, status-tracked, framework-filterable.
16 seeded customer applications with sanctions screening (OFAC/EU/UN), PEP check, beneficial-ownership tree at 25% threshold, source-of-funds review, and Enhanced Due Diligence triggers. BSA 31 CFR §1020 evidence shape with realistic high-risk scenarios.
22 seeded privacy rights requests across GDPR Art 15/16/17/20, CCPA right-to-know / delete / opt-out, and LGPD. Per-request SLA clock with regulatory citation, identity verification status, sub-system fanout to Stripe / Snowflake / Sentry, and the workflow steps from intake to delivery.
18 seeded vendor-pushed change attestations: Datadog agent upgrade, Stripe API version sunset, AWS IMDSv1 deprecation, Salesforce IP allowlist default ON, Snowflake function behavior change. Each declares scope, blast radius, rollback, SOC2 mapping — before the change ships.
Tracks 26 seeded regulatory updates from CFR, EU Official Journal, SEC, FDA, HHS, FCA, OCC, CFPB, PCI SSC, and IRS. Each mapped to the internal policies that need review, assigned to an owner, and tracked through to closure. The shape behind regulatory-change-management.
Audits AI-generated marketing copy against FDA, FTC, FINRA, SEC, and HIPAA requirements. Detects unsubstantiated health claims, FINRA-prohibited return guarantees, FTC endorsement violations, missing risk disclosures, and required industry disclaimers. Each finding cites the regulation.
Scans 16 seeded sites for cookies set, classifies each into essential / functional / analytics / marketing, identifies tracker vendors, and flags pre-consent violations under GDPR + ePrivacy. The audit shape behind a cookie banner.
Tracks performance budgets across 12 seeded routes / 4 web properties. Per-route p75 LCP / INP / CLS / total JS / image bytes, week-over-week regression detection, and route-by-route recommendations.
Verifies 16 seeded vendor COIs against contract requirements per risk tier. Checks coverage limits across 6 lines (GL, Auto, WC, Umbrella, E&O, Cyber), endorsements (Additional Insured, Waiver of Subrogation, Primary & Non-Contributory, 30-day Cancellation), A.M. Best rating, and expiry.
Tracks 18 seeded enterprise customers across EU, UK, US, APAC, and Canada. DPA execution dates, DPIA documentation, SCC module + transfer mechanism, sub-processor consent, retention windows, renewal calendar. GDPR Art 28 evidence shape.
Parses DMARC aggregate (rua) reports from Google, Microsoft, Yahoo, Mimecast, Proofpoint. Builds a per-sending-IP rollup with pass/fail rate, SPF + DKIM alignment audit, and classification (legitimate / forwarder / spoof / unknown). 12 seeded sending IPs across 7 days.
Audits 14 seeded commercial-lease CAM (Common Area Maintenance) reconciliations. Per-line allowability check against the lease, gross-up math for under-occupied buildings, admin-fee cap enforcement, capital-repair gating, audit-right window. Flags the dollar amount over-billed.
22 seeded apprentices across electrical (IBEW), plumbing (UA), sheet-metal, ironworking, and HVAC. OJT hours by work process, RTI classroom credits, 8-step wage progression, and journey-worker ratio compliance — DOL 29 CFR §29.5 evidence shape.
Download video and audio from YouTube and 1000+ sites using yt-dlp. No API keys needed.
Audits every recorded meeting for two-party consent, attendee objections, retention-window adherence per classification (PHI, attorney-client, M&A, external), and access-log evidence. 26 seeded meetings across regulated and standard categories.
Edit videos locally using ffmpeg — trim, concat, resize, speed, overlay, extract audio, compress, and convert.
Tracks every contract's auto-renewal window, notice-of-termination deadline, escalation clauses (CPI / fixed % / market reset), and projected price bumps. 22 seeded contracts across SaaS, lease, service, partnership, insurance, with realistic renewal patterns and burn-down timeline visualizations.
Understand video content locally using ffmpeg frame extraction and Whisper transcription. No API keys needed.
Computes FLSA-compliant overtime, tipped-credit math, jurisdictional minimum-wage delta, regular-rate-of-pay corrections (including non-discretionary bonuses + commissions), and meal-period premiums (CA). 18 seeded workers across 6 jurisdictions, every line reasoned with the regulation cited.
Discover and install Claude agent skills when users ask how to do something or extend their capabilities.
Tracks 14 seeded federal research awards across NIH, NSF, DOE, and DARPA. Per-award budget by Uniform Guidance §200 category, indirect-cost rate math, allowability flags (alcohol / first-class travel / spouse travel), no-cost-extension status, burn-rate vs time-elapsed.
Reference guide for building video in React with Remotion — animations, audio, captions, charts, fonts, frame extraction, and more.
A working ERISA fiduciary record-keeping prototype. 6 seeded plans (401(k), health, dental, FSA, HSA, group life), every required §107 document tracked, retention windows enforced, deadline calendar for 5500 / SAR / fidelity bond / SPD restatement.
Generate AI video from text or images using fal.ai models (Kling, Veo, LTX, Wan) — smart router picks the best model by video type.
Tracks calibration status across 30 seeded lab instruments — micropipettes, analytical balances, thermocyclers, autoclaves, pH meters, spectrophotometers. ISO/IEC 17025-aligned. Drift trend per instrument with tolerance band visualization.
Score a UI design screenshot across 10 dimensions using Gemini Vision — structured scores, weaknesses with fixes, average and minimum.
A working observability prototype for AI agents in production. 24 seeded sessions with prompt-injection signatures, jailbreak detection, tool-call audit, runaway-cost flags, and per-session risk score. Modeled on OWASP LLM Top 10.
Search and retrieve stock photos from the Pexels API — structured photo data with multiple resolution URLs, ready to drop into a project.
A working change-management prototype aligned to SOC2 CC8.1. 28 seeded change requests across migrations, infra, feature flags, vendor swaps, key rotations, and emergency hotfixes — each with risk class, rollback plan, role-separated approval, and audit trail.
Create, extract, and apply portable visual design systems via visual-style.md — colors, typography, layout, motion, mood in one file any AI tool can consume.
A working compliance prototype for tracking employee certifications across industrial sites. 24 seeded workers carrying 83 active OSHA / NFPA / DOT / FMCSA / AWS certs. Roster, expiring queue, by-certification coverage, audit CSV.
Generate AI videos from text prompts via the HeyGen API — text-to-video, image-to-video, and provider routing (VEO, Kling, Sora, Runway, Seedance).
A two-sided vendor-compliance prototype. Buyer side: 18 seeded vendors across COI, W-9, SOC2, MSA, HIPAA, PCI, bank-verify, safety packets. Vendor side: 5 customers, request queue, gap list. Buyer view sorts blocked vendors first.
Create AI avatar videos with precise control over avatars, voices, scripts, scenes, and backgrounds via HeyGen v2 API.
A working audit-trail UI for AI-assisted decisions in regulated industries. 32 seeded decisions across underwriting, fraud review, hiring, and clinical triage flows. Filter, drill-down, approve, reject, export to CSV/JSON.
Create videos from a text prompt using HeyGen's Video Agent — explainer, demo, marketing video from a single description.
Drop a HAR file from any browser. Get a real waterfall (DNS / TCP / TLS / wait / receive segments), mime-type breakdown, largest-payload + slowest-request lists, and a per-regression audit (heavy JS, blocking CSS, ad sprawl, failed requests).
Translate and dub existing videos into multiple languages with lip-sync via HeyGen.
Paste sample JSON or NDJSON. Infers types, detects string formats (email, uri, uuid, date-time, ipv4), recognizes enums from repeated literals, and merges multiple samples into one schema that validates them all.
Swap faces in a video using the HeyGen API — replace a face from a source image onto a target video.
Auto-detects 11 timestamp formats (epoch s/ms/μs/ns, ISO 8601, RFC 2822, Windows FILETIME, .NET Ticks, MongoDB ObjectId, Microsoft JSON Date, Excel serial) and renders 14 outputs side by side.
Generate speech audio from text using HeyGen's Starfish TTS model — voice selection, speed, and pitch control.
Paste any JWT and see every claim, every signature, and the security issues an attacker would find first. Brute-forces 12 common weak secrets in-browser via Web Crypto. Nothing leaves the page.
Generates the SPF, DMARC, DKIM, and BIMI DNS records to publish — plus parses your existing records, flags the 10-DNS-lookup SPF limit, weak DMARC policies, missing rua, and unrecognized tags.
Image generation across 10 AI models via a smart router — text overlay, photorealism, design assets, reference-guided, batch editing.
Paste raw HTTP response headers, get a letter grade across 16 modern security headers. Each finding includes the exploit class it opens up and the one-line fix. Nothing leaves the page.
Live regex editor with capture-group highlighting, English-language explainer of every token, a library of 18 hardened patterns (UUID v4, JWT, IPv4, AWS access keys, semver), and a replace mode.
Paste Set-Cookie headers and get a per-cookie security and privacy audit: Secure / HttpOnly / SameSite flags, __Host- prefix conformance, lifetime caps, and tracker classification across 26 known vendors.
Paste a package.json. Get every dependency's license classified, copyleft and proprietary flagged against your chosen distribution profile (SaaS, OSS, on-prem), a per-class obligations breakdown, and an auto-generated NOTICE file.
A daily accountability system that enforces four immutable laws — declare an objective, ship an artifact, hit the health floor, subtract something. Pure Node.js CLI, no dependencies, no skip days.
A rental-discovery engine that scores listings on deal strength first, livability second, fit third. A luxury unit at market price can never reach the top tier — the tier system is deal-gated.
A discovery engine for in-person events scored across three pillars — wealth, health, and happiness. Cuts the firehose of "things happening in Vancouver" down to the handful that move the dial.
A web app that ingests a YouTube URL, splits the video into configurable time-segment chunks, transcribes each chunk through Whisper, and stores the result with presigned-URL access. Built for the people who treat YouTube as a research corpus.