Things I have
quietly built.

01

AI-powered privileged data access governance.

Intercepts and validates privileged data access requests — from humans and AI systems alike — by requiring real-time business justifications before granting access. Sub-200ms validation. Tamper-proof audit logs. Integrates with M365, AWS, GCP, Snowflake, Okta, and the rest of the enterprise stack. Built for regulated industries that can’t afford either false positives or unjustified access.

02

Benchmark AI coding agents on your actual codebase.

A local-first benchmarking tool that mines bugfix commits from your repo’s history, converts them into SWE-bench-style evaluation tasks, and runs coding agents side-by-side with full cost and token tracking. Also trains cost-aware routers to pick the right solver per task. Because “it works on the SWE-bench leaderboard” is not quite “it works on our code”.

03

A shared filesystem for AI agents.

Persistent, POSIX-compliant, object-backed filesystem for AI-agent and multi-client workloads. No external metadata DB required — metadata is log-structured into the same object store as the data. Passes pjdfstest and the xfstests smoke suite. An answer to a question I kept running into: what does the filesystem look like when most of your callers are agents?

04

Every device the request crosses, not just the endpoints.

A path-aware access-control mechanism: rather than checking source and destination, validate every device a request traverses against regional data controls. Published as TDCommons 6837.

05

How Access SRE rolled ASM internally at Google.

Co-authored with Anthony Bushong. The reference account of how Google’s Corp Eng teams adopted Anthos Service Mesh to secure Googler access across trust boundaries, across cloud and on-prem, with minimal operational overhead.