Work
A handful of the things I've built or led. Some are client programmes I can only describe in outline; the open-source ones you can go and read — and most of them you can see below.
SARC — multi-cloud compliance pipeline
Product owner & lead architect
SARC (Synechron ARC) is an orchestration layer that sits on top of Kosli and ServiceNow and turns regulated software delivery into something you can actually audit at a glance. Instead of spreadsheets and manual evidence-gathering, it manages every framework a regulated shop cares about — DORA, PSD2, ISO 27001, SOC 2, SOX, NIST 800-53, PCI-DSS — from one place. I own the architecture and most of the build.
Every change request gets a 5-axis risk score, so a typo fix and a database migration don't get treated the same way. Auditors get one-click evidence export; the audit log is hash-chained so the trail is tamper-evident; and there's a cost-vulnerability correlation view that puts a number on what a given remediation is actually worth.
The engineering trick that makes it demo well: the same repository deploys to AWS (EKS), Azure (AKS), GCP (GKE), OpenShift (ROSA) or a local k3d cluster off a single TARGET_CLOUD switch that drives the Terraform, the kubectl auth, the Helm values and the Kosli environment naming — each cloud using its own native data services and identity federation rather than a lowest-common-denominator fudge. GitLab is the source of truth, mirrored to GitHub and Azure DevOps on every green pipeline; images are built in-house, scanned with trivy, signed with cosign and attested through Kosli. The portal runs to 37 screens, with real-time timeline updates over server-sent events and a pair of Claude MCP servers (Kosli + ServiceNow) so you can ask the compliance state of a commit in plain English.
→ see the SARC walkthrough
AIFactory — spec-driven development for AI agents
Creator · open source
AIFactory turns a GitHub issue into shipping code. It runs a planner → coder → QA agent pipeline: a planner breaks the spec down, a coder implements it, a QA agent reviews, and a pull request comes out the other end — with a human approval gate at every step rather than a "trust me" big bang. Models are selectable per agent role, and a web dashboard lets you watch each run live and replay any step.
TFactory — autonomous test generation
Creator · open source
TFactory is AIFactory's sister project. Where AIFactory turns a spec into code, TFactory turns it into tests — it ingests a spec (or any structured feature description), generates a full feature, edge-case and security suite, runs it sandboxed in ephemeral containers with no host access, and reports back on the pull request, committing the passing tests. It drops into GitHub Actions as a reusable workflow, with the same planner → generator → sandbox-runner → reporter shape as AIFactory.
skill-pool — the team layer for Claude Code
Creator · open source
Anthropic solved the single-developer story for Claude Code skills: drop a file in ~/.claude/skills/ and you're done. The team story wasn't solved — everyone hand-rolls their own .claude/ and the knowledge of which prompt actually fixes which problem stays trapped on one laptop. skill-pool is the team layer: a self-hosted, multi-tenant registry (Rust API, Svelte portal, a CLI that knows what to install for the repo you just cd'd into).
The part I'm proudest of is retrospective capture: when Claude finishes a non-trivial fix, a Stop-hook scorer flags the session, a SessionEnd hook queues it, and a Haiku→Sonnet daemon turns the transcript into a draft SKILL.md for human review. The team's .claude/ grows from the work the team actually did, not from somebody's bookmark folder. It also does per-tenant SSO, semantic search over bge-small embeddings, and one-binary deploys (Nix, Compose, Helm, Terraform).
→ olafkfreund.github.io/skill_pool · source
SkillAi — open-source AI recruiting
Author & lead architect · GPL v3
SkillAi is a self-hosted recruiting platform built on Claude and Gemini that ranks, compares and archives candidates against a role — and keeps every CV, score and note on infrastructure the team controls. I built it because the incumbents solve the workflow problem and leave the actual hard part, ranking people fairly, to a keyword match.
It parses CVs in every format people actually send (PDF, DOCX, ODT, TXT, RTF), scores candidates across four dimensions — technical skills, experience, cultural fit, communication — and uses vector-embedding search so an old candidate can be re-evaluated against a new role. It generates interview packs with rubrics and follow-up questions, does multi-tenant RBAC, and talks to Google and Microsoft calendars. It's in production as the backbone of Synechron's recruitment for HSBC's Kraków technology hub. → github.com/olafkfreund/SkillAi
nixos_config — my whole machine, declared
Open source
My personal NixOS estate, and the reason "infrastructure you can't rebuild from a clean checkout isn't infrastructure" is a thing I actually believe. It's a flake-based, multi-host config built on a single parameterised host template with a feature-flag system (dependencies and conflicts validated), so each machine turns on exactly what it needs from a shared base — an AMD workstation with ROCm for local AI, a headless Xeon media server running k3s microVMs, and a hybrid-graphics laptop with Secure Boot via lanzaboote.
Secrets are age-encrypted with agenix and committed safely; Home Manager is wired in as a flake module; theming is Stylix-driven from a single base16 palette that colours everything from the terminal to the desktop; and the documentation site is generated reproducibly from the live Nix source so it never drifts. It's the testbed where most of what ends up in the knowledge base gets tried first. → olafkfreund.github.io/nixos_config · source
GitHub Enterprise migration — Jefferies
Lead DevOps & migration architect
Leading the move of six business units at a tier-1 US investment bank off Bitbucket Cloud and Bamboo onto GitHub Enterprise Cloud and Actions, for the CTO office. I designed the Phase 1 reference architecture — reusable workflow templates spanning Maven, Gradle, .NET, Python, Node and multi-stage Docker, with NFS-backed caching and JFrog Artifactory over OIDC — and the self-hosted runner estate on AKS via Actions Runner Controller.
The governance is Terraform: org and team structure, repo lifecycle, branch protection, GHAS configuration, signed-commit enforcement — idempotent and reviewable, not ClickOps. Snyk, SonarQube and HashiCorp Vault are baked into the standard pipeline so developers get supply-chain attestation and secret rotation by default. I also wrote a small set of Claude Code plugins the migration team uses daily to scaffold and convert pipelines.
Backstage developer platform — NESO
Lead platform engineer
Leading a team building Spotify Backstage as the internal developer platform for the UK's National Energy System Operator — golden-path templates, self-service service scaffolding, and a single pane of glass for service ownership, on-call and runbooks. As much defining the DevOps operating model — tooling standards, environment promotion, branching, the feedback loops back to engineers — as building the portal.
More open source & Claude ecosystem
- MCP servers for Kosli and ServiceNow, shipped inside SARC — real-world MCP in a CI/compliance context.
- COSMIC desktop applets in Rust — KDE Connect protocol integration and a screen-mirroring plugin for the COSMIC ecosystem.
- This knowledge base — DevOps Help for Cloud Platform Engineers: multi-cloud architecture, FinOps, NixOS, AIOps and Service Mesh patterns. Browse it →