freundcloud

Work

A handful of the things I've built or led. Some are client programmes I can only describe in outline; the open-source ones you can go and read — and most of them you can see below.

SARC — multi-cloud compliance pipeline

Product owner & lead architect

SARC (Synechron ARC) is an orchestration layer that sits on top of Kosli and ServiceNow and turns regulated software delivery into something you can actually audit at a glance. Instead of spreadsheets and manual evidence-gathering, it manages every framework a regulated shop cares about — DORA, PSD2, ISO 27001, SOC 2, SOX, NIST 800-53, PCI-DSS — from one place. I own the architecture and most of the build.

SARC operator dashboard
The operator dashboard — pipelines, change requests and compliance state in one view.

Every change request gets a 5-axis risk score, so a typo fix and a database migration don't get treated the same way — low-risk changes clear themselves and only the ones that matter land on a human's desk, which is what actually shrinks the CAB queue. Auditors get one-click evidence export and time-boxed, magic-link sessions into the same dashboard the change board and the regulators use — no more assembling an "audit binder" by hand. The audit log is hash-chained so the trail is tamper-evident, and a cost-vulnerability correlation view puts a number on what a remediation is actually worth ("fix this, save $X/month") by joining Snyk, Wiz and Trivy findings to spend.

5-axis risk clearance score
5-axis risk clearance per change
Compliance dashboard with framework coverage
Multi-framework coverage
Multi-cluster overview across clouds
Multi-cluster, multi-cloud overview

The engineering trick that makes it demo well: the same repository deploys to AWS (EKS), Azure (AKS), GCP (GKE), OpenShift (ROSA) or a local k3d cluster off a single TARGET_CLOUD switch that drives the Terraform, the kubectl auth, the Helm values and the Kosli environment naming — each cloud using its own native data services and identity federation rather than a lowest-common-denominator fudge. GitLab is the source of truth, mirrored to GitHub and Azure DevOps on every green pipeline; images are built in-house, scanned with trivy, signed with cosign and attested through Kosli. The portal runs to 37 screens, with real-time timeline updates over server-sent events and a pair of Claude MCP servers (Kosli + ServiceNow) so you can ask the compliance state of a commit in plain English. → the full SARC showcase · the live walkthrough

The Factory suite — a governed pipeline for AI software delivery

Creator · open source

What started as AIFactory grew into a four-product suite around one idea: AI can write the code, but someone still has to be accountable for it. 84% of developers use AI coding tools; only 29% trust the output. The Factory suite is the trust and governance layer for that gap, built around the PARR pipelinePrepare · Act · Reflect · Review — with a human gate at every seam rather than one "trust me" big bang.

  • PFactory (Prepare) — plans work grounded in live cloud and Backstage context, runs architecture, security, feasibility and best-practice gates with citations, and only emits governed GitHub epics and issues once a human has signed the plan.
  • AIFactory (Act) — turns those specs into code and QA in isolated git worktrees, model-agnostic across Claude, Gemini, OpenAI and local Ollama, and can delegate sub-tasks to other coding agents.
  • TFactory (Reflect) — autonomously generates and runs tests in ephemeral sandboxes, grades each run on five signals (coverage delta, stability, mutation testing, lint and semantic relevance) and reports back on the pull request.
  • CFactory (Review) — the control-tower cockpit: one pane of glass with a live, animated dependency graph across plan → code → test, an advise-and-confirm copilot, and per-task and per-worker cost and token tracking.
AIFactory kanban board of tasks
AIFactory — issues moving through plan, code and QA.
AIFactory task plan detail
A planner's breakdown of a task
AIFactory live agent console
Live agent console

The spine that makes it cohere is deliberately boring plumbing: a shared correlation key, a normalized completion-event schema and a canonical port map, so every product emits the same audit trail — HMAC-anchored logs and completion records of exactly the kind the EU AI Act is about to ask for. It's model-agnostic through MCP, and you can watch the whole thing run live. → AIFactory · TFactory · the meta-repo

Bifrost — Azure DevOps → GitHub Actions, at portfolio scale

Creator · open source

GitHub's own importer (gh actions-importer) gets you maybe 90% of the way from an Azure DevOps pipeline to a GitHub Actions workflow. Bifrost is the other 10% — the review workflow, the semantic validation, the portfolio-level coordination and the audit trail that a syntactic converter leaves to you. It's the tooling I wish I'd had walking into a migration with hundreds of pipelines instead of one.

The design rule is review-first: nothing is silently rewritten. The importer runs a dry pass, Bifrost parses the logs into typed gaps, and each gap goes to an LLM grounded in the actual source, the importer's output and the failure — so the model fills a specific hole rather than converting from scratch. Risk scoring stays deterministic and explainable: the numbers come from factors you can read, and the LLM explains them rather than being trusted to invent them. Every decision is recorded as a signed, exportable attestation.

It's built to run where regulated shops actually live: air-gap capable against local models (Ollama / llama.cpp) so pipeline definitions and secrets never leave the network, with the same provider trait swapping in Anthropic, Gemini or Copilot when you're allowed to reach out. A React/TypeScript portal — portfolio heatmap, three-pane diff, approvals — sits on a Rust/Axum control plane (jobs, risk model, attestations), with Docker-based ingestion behind a SourceAdapter trait: ADO first, Jenkins, GitLab and Bamboo next. It's early — in active planning, MIT-licensed, and building in the open. → olafkfreund.github.io/bifrost · source

ravn-agents — self-healing for Linux fleets that never decides on its own

Creator · open source · MIT

Ravn detects and fixes problems across Linux infrastructure — standalone hosts, Kubernetes, air-gapped networks — without phoning home to anyone's cloud. The whole design is a reaction to "AIOps" that asks you to trust a black box: detection is deterministic ("rules you can read, not a statistical model you have to trust"), remediation runs from pre-authored, risk-tiered templates that need human or signed-policy approval, and every command is Ed25519-signed, verified and logged to an append-only Postgres trail. The local model only ever explains — it suggests next steps in plain language; it never decides what's wrong or what runs.

Three layers: edge agents (ravnd) detect and execute approved fixes, a control plane (ravn-server) handles ingestion and policy, and a web portal owns inventory, approvals and audit. Default-deny throughout — circuit breakers, fleet kill switches, risk tiers — and because inference runs locally on CPU it works fully offline. Rust backend, React front end, shipped as static binaries, NixOS modules, OCI images and Kubernetes manifests. → source

lxconnect — your Android phone as an MCP tool surface

Creator · open source

lxconnect bridges Android (Waydroid or a real device) to the Linux desktop, and the interesting half is the MCP server it runs on the phone. The Android app stands up a Ktor MCP server on port 8080 and hooks into NotificationListenerService and PackageManager — so an LLM or agent on your laptop can treat the phone as a set of tools: read notifications, open native deep links (mailto:, spotify:), launch and control apps, read system status, even drive the camera, all over a standard MCP transport.

That turns "my phone" into something an agent can actually reach — triage notifications onto the desktop, hand a 2FA push to the right app, let a Claude session check or act on the device without you picking it up. A Python daemon reads a Server-Sent-Events stream from the phone and surfaces it through libnotify; a GTK4/PyGObject app gives you a native UI to test and control it. The whole thing is a declarative Nix flake — nix run github:olafkfreund/lxconnect#gui and you're live. → source

skill-pool — the team layer for Claude Code

Creator · open source

Anthropic solved the single-developer story for Claude Code skills: drop a file in ~/.claude/skills/ and you're done. The team story wasn't solved — everyone hand-rolls their own .claude/ and the knowledge of which prompt actually fixes which problem stays trapped on one laptop. skill-pool is the team layer: a self-hosted, multi-tenant registry (Rust API, Svelte portal, a CLI that knows what to install for the repo you just cd'd into).

skill-pool catalog
The catalog — browse, review and install skills, agents and commands.

The part I'm proudest of is retrospective capture: when Claude finishes a non-trivial fix, a Stop-hook scorer flags the session, a SessionEnd hook queues it, and a Haiku→Sonnet daemon turns the transcript into a draft SKILL.md for human review. The team's .claude/ grows from the work the team actually did, not from somebody's bookmark folder. It also does per-tenant SSO, semantic search over bge-small embeddings, and one-binary deploys (Nix, Compose, Helm, Terraform). → olafkfreund.github.io/skill_pool · source

SkillAi — open-source AI recruiting

Author & lead architect · GPL v3

SkillAi is a self-hosted recruiting platform built on Claude and Gemini that ranks, compares and archives candidates against a role — and keeps every CV, score and note on infrastructure the team controls. A typical open role pulls 50–200 applications; the incumbents (Greenhouse, Workday) nail the workflow, charge tens of thousands a year, store your candidates on someone else's servers, and still leave the actual hard part — ranking people fairly — to a keyword match. SkillAi answers one question in seconds instead: who are the best candidates, and why.

It parses CVs in every format people actually send (PDF, DOCX, ODT, TXT, RTF), scores candidates across four dimensions — technical skills, experience, cultural fit, communication — and uses vector-embedding search so an old candidate can be re-evaluated against a new role. It generates interview packs with rubrics and follow-up questions, does multi-tenant RBAC, and talks to Google and Microsoft calendars. It's in production as the backbone of Synechron's recruitment for HSBC's Kraków technology hub. → github.com/olafkfreund/SkillAi

rolehunter — the candidate's side of the same table

Creator · open source · GPL v3

If SkillAi is the recruiter's side, rolehunter is the candidate's. It's a self-hosted, single-user job-hunt copilot: paste a job (or pull one from JSearch / LinkedIn), score it 0–100 against your master CV with reasoning, then auto-tailor an ATS-friendly CV and a one-click cover-letter PDF for that specific role. Applications and interviews live in a searchable table or Kanban board, with LLM-generated behavioural flashcards and a rejection taxonomy so patterns surface after a couple of entries.

The part I like best is skill-gap aggregation: it clusters the gap strings from every match into canonical skills and pulls curated learning resources from whitelisted docs — so the job hunt quietly turns into a study plan. Next.js 15 / React 19 / TypeScript on Postgres 16 + pgvector, Drizzle for queries and Playwright for the PDFs, running as two localhost-bound Docker containers on randomised ports. Single-user by design — your CV never leaves your box. → source

gog & gogmail — Google Workspace without leaving the terminal

Creator · open source

gog is a CLI that authenticates to Google Workspace; gogmail is the keyboard-driven TUI on top of it. Between them they put Gmail, Calendar, Drive, Docs, Sheets, Slides, Tasks, Contacts, Chat and Meet (plus Zoom) into a single Textual interface — read and write mail, RSVP to events, edit Sheets cells inline, spin up meetings, all without a browser tab. A context-aware Gemini side panel can actually act — fetch data, draft replies, star mail, change tasks from a plain-language request — with optional voice in and spoken replies.

It's also the layer under a couple of my other experiments: waycal, my Wayland/niri calendar, mail and task widgets, is just Quickshell QML driven by the same gog CLI. Python 3.10+, packaged for Nix, .deb, .rpm and zipapp. → gogmail

nixos_config — my whole machine, declared

Open source

My personal NixOS estate, and the reason "infrastructure you can't rebuild from a clean checkout isn't infrastructure" is a thing I actually believe. It's a flake-based, multi-host config built on a single parameterised host template with a feature-flag system (dependencies and conflicts validated), so each machine turns on exactly what it needs from a shared base — an AMD workstation with ROCm for local AI, a headless Xeon media server running k3s microVMs, and a hybrid-graphics laptop with Secure Boot via lanzaboote.

Secrets are age-encrypted with agenix and committed safely; Home Manager is wired in as a flake module; theming is Stylix-driven from a single base16 palette that colours everything from the terminal to the desktop; and the documentation site is generated reproducibly from the live Nix source so it never drifts. It's the testbed where most of what ends up in the knowledge base gets tried first. → olafkfreund.github.io/nixos_config · source

GitHub Enterprise migration — Jefferies

Lead DevOps & migration architect

Leading the move of six business units at a tier-1 US investment bank off Bitbucket Cloud and Bamboo onto GitHub Enterprise Cloud and Actions, for the CTO office. I designed the Phase 1 reference architecture — reusable workflow templates spanning Maven, Gradle, .NET, Python, Node and multi-stage Docker, with NFS-backed caching and JFrog Artifactory over OIDC — and the self-hosted runner estate on AKS via Actions Runner Controller.

The governance is Terraform: org and team structure, repo lifecycle, branch protection, GHAS configuration, signed-commit enforcement — idempotent and reviewable, not ClickOps. Snyk, SonarQube and HashiCorp Vault are baked into the standard pipeline so developers get supply-chain attestation and secret rotation by default. I also wrote a small set of Claude Code plugins the migration team uses daily to scaffold and convert pipelines.

Backstage developer platform — NESO

Lead platform engineer

Leading a team building Spotify Backstage as the internal developer platform for the UK's National Energy System Operator — golden-path templates, self-service service scaffolding, and a single pane of glass for service ownership, on-call and runbooks. As much defining the DevOps operating model — tooling standards, environment promotion, branching, the feedback loops back to engineers — as building the portal.

More open source & the Linux desktop

  • gnome-quick-web-apps — a GTK4/libadwaita manager that turns any site into a native GNOME app: paste a URL and it pulls the name, icon and theme from the web manifest, then runs each app CEF-isolated with its own profile and true URL-scope confinement.
  • COSMIC & the Linux desktop in Rust — a native KDE-Connect app for COSMIC, an RDP server, notification and RSS applets, and r-hyprconfig, a real-time Hyprland config TUI.
  • nixos-template — a batteries-included starting point for a NixOS journey, and the most-used thing I've published.
  • Muninn — a zero-backend, Gruvbox GitHub portal and WebMCP playground for local browser agents.
  • MCP servers for Kosli and ServiceNow, shipped inside SARC — real-world MCP in a CI/compliance context.
  • This knowledge baseDevOps Help for Cloud Platform Engineers: multi-cloud architecture, FinOps, NixOS, AIOps and Service Mesh patterns. Browse it →