Local-first tools, security evidence and infrastructure systems that stay reviewable.

I am a FOSS maintainer, security researcher and infrastructure-focused engineer. My work sits around the parts of software that need to stay understandable under pressure: HTTP and TLS behaviour, reverse proxy edge cases, release evidence, infrastructure review, vulnerability validation and project history.

I build local-first tools that produce durable artefacts rather than opaque output. The goal is usually the same: make decisions easier to inspect, reproduce and carry forward after the original platform, issue tracker, cloud account or release page is no longer the source of truth.

Local-first infrastructure planning and evidence engine for typed plans, architecture graphs, validation output, risk notes, cost notes, diagrams and release packs.

Local CLI for exporting and managing portable project history for Git repositories.

Post-quantum readiness and cryptographic inventory proof of concept.

Source for my personal website and writing archive.

Caddy is my main upstream maintenance focus. I work on issue triage, code review, security report validation, HTTP/TLS correctness, Caddyfile behaviour, reverse proxy edge cases and release-quality fixes.

I focus on practical vulnerability analysis rather than volume reporting: source review, behaviour reproduction, severity calibration and a fix path that maintainers can actually merge.

Good output should be easy to diff, easy to verify and useful after the run has finished. I prefer tools that make uncertainty visible instead of hiding it behind compatibility claims.