Engineering · Platform Architecture · B2B SaaS Technologist Boston, MA · ~30 years across IBM, CyberArk, Alteryx, Digital.ai, Gryphon.ai

I build the systems that sit between traffic, revenue, and the teams that operate them. Platform engineering, GTM systems, traffic integrity, digital intelligence, AI governance. I also author open specifications for the answer-engine era — and a fifteen-repo implementation stack that consumes them (Suite × Implementations). Polyglot by choice: the language fits the problem, not the resume.

Publication note: many of the repos below were published in a concentrated May 2026 portfolio sprint. The dates reflect public packaging, CI, screenshots, and repo hardening, not the first moment the ideas or workstreams existed.

The current public wave now spans revenue systems, traffic integrity, web-platform reliability, regulated workflow operations, a polyglot language atlas, and multi-cloud identity & platform governance:

• GTM Systems & Growth — demand-gen automation, CRM routing, lifecycle control, offer motion
• Traffic Integrity — bot mitigation, click-fraud reduction, clean analytics inputs
• Digital Intelligence — attribution, telemetry, SEO governance, pipeline clarity
• Platform Engineering — headless CMS, DevOps, core web vitals, resilient delivery
• Regulated Workflow Systems — approval routing, obligation graphs, consent evidence, audit posture
• Operational Command Surfaces — bookings, creator launches, menu sync, store incidents, permits, crop compliance
• Language Atlas — real operator surfaces in Flutter, Julia, Python, Rust, Go, PHP, Kotlin, and more where the language fits the system shape
• Cloud Identity, Platform, FinOps & Threat Detection — operator surfaces for Microsoft (Entra access reviews, Intune device compliance, M365 Purview retention), AWS (IAM Access Analyzer + GuardDuty triage), GCP (IAM policy drift + billing-anomaly routing), and Azure (landing-zone drift). Each is a synthetic-data operator console at production hardness — AGPL-3.0-or-later, dual-Node CI, dependabot, 95%+ coverage, deployed on its own kineticgain.com subdomain.

Early anchors in that lane:

• revops-lead-router — control plane for lead enrichment, CRM routing, speed-to-lead posture, and queue integrity
• fraud-click-filter · cf-bot-shield-tf · honeypot-form-validator · anomaly-log-hunter — traffic-integrity layer for blocking fraudulent sessions before they burn ad spend or poison analytics
• dbt-multi-touch-attr · gtm-datalayer-standards · seo-vital-monitor · pipeline-velocity-dash — digital-intelligence layer for attribution, signal clarity, and route-level performance posture
• offer-ladder-engine — offer-path and conversion-state control for pricing and package motion
• edge-redirect-manager · headless-wp-vue-starter — web-platform layer for headless CMS delivery, route migration, preview-safe rendering, and SEO-conscious frontend architecture
• regulatory-comment-intelligence-hub · contract-clause-obligation-graph · prior-authorization-evidence-router · patient-consent-audit-stream — regulated workflow layer for approvals, obligation mapping, evidence routing, and synthetic audit posture
• creator-partnership-deal-desk · booking-disruption-command-center · menu-availability-sync-engine · store-ops-incident-board — launch and operations layer for creator programs, hospitality disruption handling, menu sync, and store incident response
• flutter-operator-console · capacity-optimizer-jl · regulatory-reporting-mart — language-atlas proof that the portfolio ships real operator systems in Flutter/Dart, Julia, and Python, not just one web stack
• Multi-cloud identity, platform, FinOps & threat-detection lane — eight operator consoles all at v1.0-prod, all running on their own kineticgain.com subdomain:
  • entra-access-review-control-plane → entra.kineticgain.com — Microsoft Entra access reviews & privileged role drift
  • intune-device-compliance-ops → intune.kineticgain.com — Intune device compliance & jailbreak / OS-drift posture
  • m365-retention-case-orchestrator → retention.kineticgain.com — Microsoft 365 Purview retention & eDiscovery
  • aws-iam-access-analyzer-console → aws.kineticgain.com — AWS IAM Access Analyzer & cross-account trust
  • aws-guardduty-triage-board → guardduty.kineticgain.com — AWS GuardDuty detector posture, threat-finding triage & incident response
  • gcp-iam-policy-diff-lab → gcp.kineticgain.com — GCP IAM policy drift & org-policy posture
  • gcp-billing-anomaly-router → billing.kineticgain.com — GCP billing-anomaly routing, budget breaches & FinOps escalation
  • azure-landing-zone-drift-radar → zone.kineticgain.com — Azure landing-zone baseline drift & guardrail risk
• Polyglot Operator Reporting lane — three new operator surfaces in three different runtimes, each picked because the language fits the problem (mobile briefings → Flutter, scientific optimization → Julia, warehouse-style mart → Python). All v1.0-prod, all subdomain-deployed:
  • flutter-operator-console → flutter.kineticgain.com — Flutter web operator console: signal triage, briefings, dispatch posture
  • capacity-optimizer-jl → capacity.kineticgain.com — Julia + JuMP capacity planning, constraint optimization, scenario diffs
  • regulatory-reporting-mart → reporting.kineticgain.com — Python warehouse-style mart: docket readiness, evidence packets, deadline pressure, late-risk

Current public GitHub count: 372 repos. Operator-surface hardening backlog (squad doctrine v1.1): 49 .kineticgain.com subdomains now at v1.0-prod, every Codex-shipped v0.1 caught up — zero gaps remaining at the cutoff. The full grouped index is at kineticgain.com/constellation.

Three sibling repos enforce a buyer's AI Procurement Decision Card → PolicyBundle at request time, one per upstream surface — the v2 strategy's IBM-credibility flagship lane. Same primitive (deny-trumps-allow eval, x-kg-correlation-id propagation, audit-stream emission), three platforms:

• ibm-watsonx-governance-bridge → watsonx.kineticgain.com — IBM watsonx.ai (Python · IBM Cloud IAM · Code Engine deploy manifest · v1.0-prod)
• azure-openai-governance-bridge — Azure OpenAI (Python · Azure Functions v2 · Bicep IaC)
• mcp-permission-broker — Model Context Protocol transport (the MCP-side sibling)

Same buyer-published AI Procurement Decision Card v0.2, a different enforcement axis: instead of gating requests, this family gates field-level PII at the seam. The Decision Card declares data_vault_targets[] — which fields may be tokenized through a Skyyflow-shaped vault, and which roles may detokenize. Four sibling surfaces consume one contract:

• ai-procurement-decision-spec — the JSON Schema (v0.2 adds data_vault_targets)
• kg-skyyflow-klaviyo-bridge — Node lib + CLI · audit · tokenize · detokenize · transform (webhook → Klaviyo) · per-field protection levels (none / masked / tokenized) · v0.2.0 · AGPL-3.0
• skyyflow-klaviyo-bridge-console — React + Vite operator console for the bridge engine: dashboard · live webhook simulator with a 3-stage animated pipeline · field mapper · sync log stream
• rag-sentinel — tokenize-before-index for RAG pipelines (server-side enforcement of the same contract)
• deal-desk-workspace — RBAC-aware reveal for the deal-desk surface (client-side enforcement of the same contract)

One Decision Card, four enforcement points. Same SkyyflowVault interface across server-side (rag-sentinel), client-side (deal-desk-workspace, console), pipeline-side (bridge lib), and CLI.

Fourteen new public repos now sit underneath the portfolio as a reusable developer toolkit layer:

• MCP governance — mcp-registry-risk-scanner · mcp-tool-card-generator · mcp-tools-diff
• GenAI observability — agent-trace-normalizer · llm-cost-span-exporter · rag-evidence-trace-linker
• K8s control planes — governance-disclosure-operator · llm-cost-budget-operator · scheduled-audit-operator
• Agent-runtime adapters — agent-tool-adapters · agent-card-runtime-adapters
• Knowledge graph + evidence — rag-evidence-graph · wellknown-index-aggregator

These are not customer-facing protocol specs. They are the implementation toolkit underneath the protocol layer: manifest scanning, disclosure generation, tool drift detection, runtime adapters, evidence integrity, cost spans, and Kubernetes-native governance publishing.

The next ~10 operator-surface repos are organized as three sub-verticals × four-tier monetization ladder, with SEO and security posture as first-class concerns on every repo. Each lane lands on a real enterprise platform; each repo carries the credible "from someone who lived in this stack" hook — IBM enterprise integration · CyberArk identity · Alteryx analytics.

Three sub-verticals:

Four-tier monetization ladder per repo (honest tier wording):

Default for a tier-1-only repo: list tiers 1 + 2-planned only. No SaaS-looking promises without an OAuth + billing + tenant + support motion behind them.

Cross-cutting (every repo, no exceptions):

• SEO — dark slate/blue theme · descriptive dofollow anchors · /.well-known/ Suite docs · hub-and-spoke interlinking · GH topics + homepage set · sitemap entry
• Security — read-only by default · minimal OAuth scopes · no tenant credentials in repo · synthetic fixtures only · evidence packets signed (ed25519 once pulse-signing.json ships)
• Compliance language (broad) — across HIPAA · FERPA · SOC 2 · GDPR · ISO 27001 · accessibility (WCAG/ADA) · AI governance (NIST AI RMF, EU AI Act, ISO 42001): always frame as readiness · evidence · posture · controls · scaffolding. Never "certified" / "compliant" unless truly audited and currently attested. No "BAA" / "DPA" / "PHI" / "PII" / "audit ready" promises without legal review.
• Anti-overlap discipline — before opening any new repo, document core primitive · target buyer · target platform · monetization tier path · nearest existing repo · why distinct. Blocks the "same surface, different wrapper" drift.
• Pulse universe entry — every deploy adds its CNAME to the AI Procurement Pulse universe, additively · async if possible · non-fatal on failure. Pulse-entry never blocks a publish.

Phase 0 anchors (founder-credibility-ordered):

1. ibm-watsonx-governance-bridge — founder-credibility flagship. IBM is the most credible "lived in this stack" hook in the portfolio; watsonx Governance is the cleanest disclosure-shaped target.
2. genesys-cx-disclosure-board — enterprise workflow/CX flagship. Warmest CISO/VP-CX buyer + highest tier-4 KGE fit.
3. klaviyo-flow-consent-audit — Growth Ops flagship. Cleanest CMO/RevOps narrative; consent-state lineage is a timely angle.

Three anchors prove the four-tier ladder in three distinct buyer contexts before the remaining 7 fill out at tier-1 + tier-2-planned. FirstUp deferred to second-tier priority — good fit, weaker instant recognition than IBM/Genesys/Camunda/UKG/Klaviyo/VWO.

The portfolio runs on two parallel layers that compose:

1. A growing network of productized open-source properties live at kineticgain.com subdomains — front doors, per-spec landings, operator dashboards, vertical command surfaces, vendor directory, and prompt-injection bench. All push-to-deploy via GitHub Actions FTP CI/CD. Front door: suite.kineticgain.com · Quickstart hub: docs.kineticgain.com · Live portfolio constellation across every public repo: portfolio.kineticgain.com.
2. Fifteen-repo Suite Implementation Stack — the software that consumes the Kinetic Gain Protocol Suite specs. Decision Intelligence engines · Platform Reliability primitives · MCP servers · data-contract enforcement · ed25519 attestation · drift detection · streaming validators. All CI-green, all semver-tagged at v0.1.0, all MIT-licensed. Four cross-ecosystem hooks chain them into one composable system. The catalog: Suite × Implementations. The compliance mapping: NIST AI RMF crosswalk (v0.2 includes the implementation-tooling alignment).

flowchart TB
    classDef spec fill:#10b981,stroke:#065f46,color:#fff,stroke-width:2px
    classDef hook fill:#3b82f6,stroke:#1e40af,color:#fff,stroke-width:2px
    classDef sup fill:#f3f4f6,stroke:#6b7280,color:#1f2937
    classDef stream fill:#f59e0b,stroke:#92400e,color:#fff
    classDef mcp fill:#a855f7,stroke:#581c87,color:#fff,stroke-width:2px

    SPECS["📐 11 Kinetic Gain Protocol Suite specs<br/>AEO · Agent · Tool · Tutor · AUP · Disclosure<br/>Evidence · Provenance · Clinical · Incident · Decision"]:::spec

    SPECS -->|"#1 ingest Suite docs"| PDA["procurement-decision-api<br/>drafts Decision Cards"]:::hook
    PDA -->|"#2 conditions → runtime gates"| PAC["policy-as-code-engine<br/>PolicyBundle enforcement"]:::hook
    PDA -->|"#3 extract owners"| DCR["data-contract-registry<br/>schema + SLAs"]:::hook
    DCR -->|"#4 streaming CSV check"| CDQ["csv-data-quality-rs<br/>row-by-row validation"]:::hook

    SPECS -.->|sign + verify| HA["hash-attestation-rs<br/>ed25519 over canonical hash"]:::sup
    SPECS -.->|drift detection| AVS["aeo-validator-service<br/>always-on validation"]:::sup
    AVS -.->|JSONL feed| AGE["aeo-graph-explorer-rs<br/>graph-query layer #5"]:::sup
    SPECS -.->|incident → plan| ICR["incident-correlation-rs<br/>Suite-graph BFS"]:::sup
    ICR -.->|drives| PAC

    PDA --> AS
    PAC --> AS
    DCR --> AS
    AVS --> AS
    ICR --> AS
    HA --> AS
    AS["📋 audit-stream-py<br/>hash-chained tamper-evident spine"]:::stream

    SPECS ==>|spec tools| MCP
    PDA ==>|preview tools| MCP
    AS ==>|event tools| MCP
    HA ==>|verify tools| MCP
    MCP["🤖 mcp-kinetic-gain v0.7.1<br/>63 tools · one Claude Desktop config entry"]:::mcp

Green = spec layer (the foundation). Blue = the four cross-ecosystem hooks that make it a stack rather than a pile. Grey = supporting implementation tools that feed into either side. Amber = the tamper-evident audit spine every governance moment writes to. Purple = the unified MCP surface that exposes the whole thing to Claude through one config entry.

Zoom in on the amber spine: every governance moment in the stack writes to one hash-chained, tamper-evident log via audit-stream-py. Same opt-in env-var contract (AUDIT_STREAM_URL) across all seven producers; same best-effort semantics (a failed POST is logged, never raised). 17 event kinds, seven producers, four FastAPI services + three Rust crates, all feeding one verifiable narrative an auditor can replay end-to-end.

flowchart LR
    classDef pyprod fill:#3b82f6,stroke:#1e40af,color:#fff,stroke-width:2px
    classDef rsprod fill:#dea584,stroke:#92400e,color:#1f2937,stroke-width:2px
    classDef spine fill:#f59e0b,stroke:#92400e,color:#fff,stroke-width:3px
    classDef sink fill:#f3f4f6,stroke:#6b7280,color:#1f2937

    PDA["procurement-decision-api<br/>Python · FastAPI"]:::pyprod
    AVS["aeo-validator-service<br/>Python · FastAPI"]:::pyprod
    PCE["policy-as-code-engine<br/>Python · FastAPI"]:::pyprod
    DCR["data-contract-registry<br/>Python · FastAPI"]:::pyprod
    HA["hash-attestation<br/>Rust · crypto library"]:::rsprod
    ICR["incident-correlation<br/>Rust · graph library"]:::rsprod
    AGE["aeo-graph-explorer<br/>Rust · axum service"]:::rsprod

    PDA -->|"decision_card_drafted"| AS
    AVS -->|"watch_created<br/>watch_drifted<br/>watch_validity_flipped"| AS
    PCE -->|"policy_bundle_registered<br/>request_allowed<br/>request_denied"| AS
    DCR -->|"contract_promoted<br/>contract_deprecated<br/>contract_compatibility_failed"| AS
    HA -->|"attestation_signed<br/>attestation_verified<br/>attestation_failed"| AS
    ICR -->|"incident_correlated<br/>incident_correlation_failed"| AS
    AGE -->|"graph_ingested<br/>graph_ingest_failed"| AS

    AS{{"📋 audit-stream-py<br/>hash-chained · tamper-evident<br/>SSE live tail · REST query · GET /verify"}}:::spine

    AS -->|GET /events/stream| LT["governance dashboards<br/>(live tail)"]:::sink
    AS -->|GET /events| Q["compliance evidence<br/>(REST query)"]:::sink
    AS -->|GET /verify| V["auditor replay<br/>(walk the chain)"]:::sink

Blue = Python FastAPI producers. Tan = Rust producers (two libraries gated behind --features audit-stream so library consumers can strip out the HTTP dep, one axum service with the feature on by default). Amber = the spine itself. Grey = the three downstream surfaces auditors and operators consume.

Across the live property network: mix of AGPL-3.0 and Apache-2.0, CI green, push-to-deploy via FTP Action. The current mix includes React + TypeScript operator apps, hand-written static HTML landings, and newer vertical command surfaces.

Fifteen standalone vertical operator surfaces, each a TypeScript control plane for a regulated/operations workflow — intake → risk & obligation mapping → posture → safe escalation. Codex ships at v0.1-shipped; I (Platform/SRE) harden each to v1.0-prod: CI on Node 20 + 22, ≥60% service-test coverage, AGPL-3.0, Dependabot, npm audit, SECURITY.md, static prerender → GitHub Pages. All live, all CI-green.

HealthTech surfaces (priorauth, consent) are HIPAA-readiness scaffolding only — synthetic data, no PHI; see each repo's SECURITY.md.

Seventeen Action wrappers that turn every Kinetic Gain protocol library into a per-PR governance gate. Composite Node 20 actions with dist/index.js committed for SHA/tag pinning, hermetic tests with injected gitShow, AGPL-3.0-or-later, Dependabot-managed.

Each one retrieves the previous version of a single governance doc via git show <base.sha>:<path>, diffs against HEAD, posts the structured diff as a PR comment, and fails the build on breaking changes.

Each one summarizes a single doc against the rest of a fleet (a directory of peer docs of the same protocol), surfacing the outliers and posting a structured PR summary.

agent-card-fleet-summary-action · mcp-tool-card-fleet-summary-action · prompt-provenance-fleet-summary-action · evidence-bundle-fleet-summary-action · otel-genai-fleet-summary-action

The wiring that ties the per-protocol quintets together across mixed-content repos:

Composition story: kg-protocol-detect-action identifies what protocols live in the repo → the matching per-protocol *-diff-action gates breaking changes → the matching *-fleet-summary-action surfaces outliers across the fleet → kg-suite-conformance-runner-action checks spec conformance → kg-suite-canonicalize-action enforces stable serialization → procurement-pulse-action self-scores the deployed /.well-known/ surface. End-to-end PR governance with zero hand-rolled glue.

Dogfooded on kineticgain.com itself. Weekly procurement-pulse-action run probes the apex and refreshes the badge + the public receipt at kineticgain.com/.well-known/pulse-receipt.json.

A different discipline from the governance suite: a studio-grade, offline-first notepad at sveska.studio. No account, no telemetry, no cloud dependency — every note lives in the browser's IndexedDB and the app works with the network unplugged.

Repo: mizcausevic-dev/sveska · v0.8.0 · MIT

A family of eleven open JSON specifications for the answer-engine and agent era — five core (AEO, Prompt Provenance, Agent Cards, AI Evidence Format, MCP Tool Cards), a three-spec EdTech trio (vendor / district / student), a HealthTech vertical extension (Clinical AI Disclosure — HIPAA / FDA / SaMD posture), a cross-cutting AI Incident Card that ties everything together post-hoc, and an AI Procurement Decision Card that signs off on a vendor's posture across the rest of the Suite. Two regulated verticals covered. NIST AI RMF crosswalk shipped alongside. All AGPL-3.0, all v0.1 draft, all kinetic-gain-protocol-suite tagged. Single landing: kinetic-gain-protocol-suite.

The canonical depth example — every layer needed to consume the spec, across five languages:

hash-attestation-rs — sign + verify Suite docs with ed25519 over the same canonical-hash convention every other Suite repo uses. The missing "this AEO actually came from the vendor" layer. Vendors sign, publish a well-known public key URL, consumers verify. Composes with aeo-validator-service (tamper events surface as structured issues) and procurement-decision-api (Decision Cards can carry a signature).

The spec is only one layer. The newer control-plane layer covers citation readiness, publication safety, visibility monitoring, and release posture:

The unified visualizer + unified MCP server give the Suite a complete read-side (human) and tool-side (agent) entry point. Eleven specs, two front doors, and a growing operator subdomain network.

Reliability primitives. Each independent. All designed to compose:

Identity at the edge → rate limits at the model → canary at deploy → registry as source of truth → SLO budget at the API surface → Rust primitives for hot paths → feature flags for rollout control → shadow traffic for migrations → tamper-evident audit log. Defense-in-depth for the agent era.

Production-shaped backend services in the right language for the problem. 15+ languages across one coherent platform.

Production-shaped governance and observability for AI / LLM workloads:

• mcp-sentinel — MCP server observability + security audit
• rag-sentinel — RAG quality / drift / hallucination signals
• agentobserve — Datadog-shaped operator surface for agent fleets
• agent-codex — governance-as-code: SOC 2 / EU AI Act / ISO 27001 / NIST mappings
• agent-eval-arena — eval harness with regression detection + CI gates
• agent-router — LLM router with provider-aware routing and breakers
• llm-redaction-gateway — PII + secret redaction for LLM API calls
• shadow-ai-detector — unauthorized LLM usage detection
• ai-finops-radar — token-level cost attribution + anomaly detection
• kinetic-flightdeck — unified AI Platform Engineering ops console

Executive dashboards, control planes, decision studios — organized by domain:

Executive & Portfolio executive-briefing-studio · portfolio-command-center · executive_operations_dashboard · scenario-planning-atlas

Revenue & Growth customer-intelligence-graph · growth-systems-control-room · revenue-forecasting-workbench · attribution-intelligence-studio · pricing-experiment-studio · conversion-funnel-intelligence-hub · deal-desk-workspace

AI Governance & Risk ai-governance-review-studio · model-risk-oversight-hub · vendor-risk-operations-center · compliance-workflow-hub · ai-operations-console

Identity & Security identity-command-center · identity-lifecycle-workbench · security-posture-control-room

Workflow & Operations workflow-orchestration-studio · feature-flag-rollout-studio · ab-testing-command-center · customer-journey-control-plane

Spec-first OpenAPI services:

Identity-Access-Audit-API · observability-incident-command-api · customer-health-churn-api · partner-lead-distribution-engine · content-workflow-intelligence-platform · experimentation_insights_kpi · seo-governance-platform · webhook-ingestion-pipeline · kinetic-api-gateway · revenue-ops-ai-assistant

The newer CMS lane is not brochure work. It is governance, preview trust, query discipline, cache freshness, schema safety, and contract protection for headless WordPress estates:

wordpress-block-seo-governance-auditor · wordpress-graphql-governance-gateway · headless-seo-fallback-engine · headless-preview-recovery-kit · wpgraphql-query-cost-inspector · frontend-contract-testing-for-wordpress · headless-editorial-command-center · headless-wp-vue-starter · wpgraphql-schema-diff-gate · wordpress-cache-invalidation-map · wordpress-preview-trust-monitor · wp-kinetic-gain-audit

This cluster now covers answer-surface safety, preview recovery, metadata fallback, query cost, frontend payload contracts, editorial release readiness, schema-drift approval gates, cache invalidation mapping, preview trust monitoring, and — via wp-kinetic-gain-audit — a tamper-evident MySQL hash-chained governance audit log that plugs WordPress straight into the Suite's audit-stream-py spine.

Commercially legible systems work across access review, evidence plumbing, connector testing, workflow infrastructure, and HR-to-identity provisioning:

cyberark-access-review-sync · cyberark-connector-observability-exporter · servicenow-cyberark-evidence-pipeline · ibm-custom-connector-starter · ukg-to-scim-provisioner · camunda-connector-test-harness

Open to Director / Principal-level Platform Engineering, Web Engineering, or AI Platform roles at enterprise B2B SaaS companies. East Coast time zone. Remote-friendly.

"Long-lived credentials are tomorrow's incident reports. Build short-lived. Audit always. Document once."

_{All active repositories · Career one-pager}

Connect: LinkedIn · Kinetic Gain · Medium · Skills