Work
A handful of the things I've built or led. Some are client programmes I can only describe in outline; the open-source ones you can go and read — and most of them you can see below.
SARC — multi-cloud compliance pipeline
Product owner & lead architect
SARC (Synechron ARC) is an orchestration layer that sits on top of Kosli and ServiceNow and turns regulated software delivery into something you can actually audit at a glance. Instead of spreadsheets and manual evidence-gathering, it manages every framework a regulated shop cares about — DORA, PSD2, ISO 27001, SOC 2, SOX, NIST 800-53, PCI-DSS — from one place. I own the architecture and most of the build.
Every change request gets a 5-axis risk score, so a typo fix and a database migration don't get treated the same way — low-risk changes clear themselves and only the ones that matter land on a human's desk, which is what actually shrinks the CAB queue. Auditors get one-click evidence export and time-boxed, magic-link sessions into the same dashboard the change board and the regulators use — no more assembling an "audit binder" by hand. The audit log is hash-chained so the trail is tamper-evident, and a cost-vulnerability correlation view puts a number on what a remediation is actually worth ("fix this, save $X/month") by joining Snyk, Wiz and Trivy findings to spend.
The engineering trick that makes it demo well: the same repository deploys to
AWS (EKS), Azure (AKS), GCP (GKE), OpenShift (ROSA) or a local k3d cluster off a
single TARGET_CLOUD switch that drives the Terraform, the kubectl
auth, the Helm values and the Kosli environment naming — each cloud using its
own native data services and identity federation rather than a
lowest-common-denominator fudge. GitLab is the source of truth, mirrored to
GitHub and Azure DevOps on every green pipeline; images are built in-house,
scanned with trivy, signed with cosign and attested through Kosli. The portal
runs to 37 screens, with real-time timeline updates over server-sent events and
a pair of Claude MCP servers (Kosli + ServiceNow) so you can ask the compliance
state of a commit in plain English.
→ the full SARC showcase
· the live walkthrough
The Factory suite — a governed pipeline for AI software delivery
Creator · open source
What started as AIFactory grew into a four-product suite around one idea: AI can write the code, but someone still has to be accountable for it. 84% of developers use AI coding tools; only 29% trust the output. The Factory suite is the trust and governance layer for that gap, built around the PARR pipeline — Prepare · Act · Reflect · Review — with a human gate at every seam rather than one "trust me" big bang.
- PFactory (Prepare) — plans work grounded in live cloud and Backstage context, runs architecture, security, feasibility and best-practice gates with citations, and only emits governed GitHub epics and issues once a human has signed the plan.
- AIFactory (Act) — turns those specs into code and QA in isolated git worktrees, model-agnostic across Claude, Gemini, OpenAI and local Ollama, and can delegate sub-tasks to other coding agents.
- TFactory (Reflect) — autonomously generates and runs tests in ephemeral sandboxes, grades each run on five signals (coverage delta, stability, mutation testing, lint and semantic relevance) and reports back on the pull request.
- CFactory (Review) — the control-tower cockpit: one pane of glass with a live, animated dependency graph across plan → code → test, an advise-and-confirm copilot, and per-task and per-worker cost and token tracking.
The spine that makes it cohere is deliberately boring plumbing: a shared correlation key, a normalized completion-event schema and a canonical port map, so every product emits the same audit trail — HMAC-anchored logs and completion records of exactly the kind the EU AI Act is about to ask for. It's model-agnostic through MCP, and you can watch the whole thing run live. → AIFactory · TFactory · the meta-repo
Bifrost — Azure DevOps → GitHub Actions, at portfolio scale
Creator · open source
GitHub's own importer (gh actions-importer) gets you maybe 90% of
the way from an Azure DevOps pipeline to a GitHub Actions workflow. Bifrost is
the other 10% — the review workflow, the semantic validation, the portfolio-level
coordination and the audit trail that a syntactic converter leaves to you. It's
the tooling I wish I'd had walking into a migration with hundreds of pipelines
instead of one.
The design rule is review-first: nothing is silently rewritten. The importer runs a dry pass, Bifrost parses the logs into typed gaps, and each gap goes to an LLM grounded in the actual source, the importer's output and the failure — so the model fills a specific hole rather than converting from scratch. Risk scoring stays deterministic and explainable: the numbers come from factors you can read, and the LLM explains them rather than being trusted to invent them. Every decision is recorded as a signed, exportable attestation.
It's built to run where regulated shops actually live: air-gap
capable against local models (Ollama / llama.cpp) so pipeline definitions
and secrets never leave the network, with the same provider trait swapping in
Anthropic, Gemini or Copilot when you're allowed to reach out. A React/TypeScript
portal — portfolio heatmap, three-pane diff, approvals — sits on a Rust/Axum
control plane (jobs, risk model, attestations), with Docker-based ingestion behind
a SourceAdapter trait: ADO first, Jenkins, GitLab and Bamboo next.
It's early — in active planning, MIT-licensed, and building in the open.
→ olafkfreund.github.io/bifrost
· source
ravn-agents — self-healing for Linux fleets that never decides on its own
Creator · open source · MIT
Ravn detects and fixes problems across Linux infrastructure — standalone hosts, Kubernetes, air-gapped networks — without phoning home to anyone's cloud. The whole design is a reaction to "AIOps" that asks you to trust a black box: detection is deterministic ("rules you can read, not a statistical model you have to trust"), remediation runs from pre-authored, risk-tiered templates that need human or signed-policy approval, and every command is Ed25519-signed, verified and logged to an append-only Postgres trail. The local model only ever explains — it suggests next steps in plain language; it never decides what's wrong or what runs.
Three layers: edge agents (ravnd) detect and execute approved fixes,
a control plane (ravn-server) handles ingestion and policy, and a web
portal owns inventory, approvals and audit. Default-deny throughout — circuit
breakers, fleet kill switches, risk tiers — and because inference runs locally on
CPU it works fully offline. Rust backend, React front end, shipped as static
binaries, NixOS modules, OCI images and Kubernetes manifests.
→ source
lxconnect — your Android phone as an MCP tool surface
Creator · open source
lxconnect bridges Android (Waydroid or a real device) to the Linux desktop, and
the interesting half is the MCP server it runs on the phone. The
Android app stands up a Ktor MCP server on port 8080 and hooks into
NotificationListenerService and PackageManager — so an LLM
or agent on your laptop can treat the phone as a set of tools: read notifications,
open native deep links (mailto:, spotify:), launch and
control apps, read system status, even drive the camera, all over a standard MCP
transport.
That turns "my phone" into something an agent can actually reach — triage
notifications onto the desktop, hand a 2FA push to the right app, let a Claude
session check or act on the device without you picking it up. A Python daemon reads
a Server-Sent-Events stream from the phone and surfaces it through
libnotify; a GTK4/PyGObject app gives you a native UI to test and
control it. The whole thing is a declarative Nix flake — nix run
github:olafkfreund/lxconnect#gui and you're live.
→ source
skill-pool — the team layer for Claude Code
Creator · open source
Anthropic solved the single-developer story for Claude Code skills: drop a file
in ~/.claude/skills/ and you're done. The team story wasn't
solved — everyone hand-rolls their own .claude/ and the knowledge of
which prompt actually fixes which problem stays trapped on one laptop. skill-pool
is the team layer: a self-hosted, multi-tenant registry (Rust API, Svelte portal,
a CLI that knows what to install for the repo you just cd'd into).
The part I'm proudest of is retrospective capture: when Claude
finishes a non-trivial fix, a Stop-hook scorer flags the session, a SessionEnd
hook queues it, and a Haiku→Sonnet daemon turns the transcript into a draft
SKILL.md for human review. The team's .claude/ grows
from the work the team actually did, not from somebody's bookmark folder. It also
does per-tenant SSO, semantic search over bge-small embeddings, and
one-binary deploys (Nix, Compose, Helm, Terraform).
→ olafkfreund.github.io/skill_pool
· source
SkillAi — open-source AI recruiting
Author & lead architect · GPL v3
SkillAi is a self-hosted recruiting platform built on Claude and Gemini that ranks, compares and archives candidates against a role — and keeps every CV, score and note on infrastructure the team controls. A typical open role pulls 50–200 applications; the incumbents (Greenhouse, Workday) nail the workflow, charge tens of thousands a year, store your candidates on someone else's servers, and still leave the actual hard part — ranking people fairly — to a keyword match. SkillAi answers one question in seconds instead: who are the best candidates, and why.
It parses CVs in every format people actually send (PDF, DOCX, ODT, TXT, RTF), scores candidates across four dimensions — technical skills, experience, cultural fit, communication — and uses vector-embedding search so an old candidate can be re-evaluated against a new role. It generates interview packs with rubrics and follow-up questions, does multi-tenant RBAC, and talks to Google and Microsoft calendars. It's in production as the backbone of Synechron's recruitment for HSBC's Kraków technology hub. → github.com/olafkfreund/SkillAi
rolehunter — the candidate's side of the same table
Creator · open source · GPL v3
If SkillAi is the recruiter's side, rolehunter is the candidate's. It's a self-hosted, single-user job-hunt copilot: paste a job (or pull one from JSearch / LinkedIn), score it 0–100 against your master CV with reasoning, then auto-tailor an ATS-friendly CV and a one-click cover-letter PDF for that specific role. Applications and interviews live in a searchable table or Kanban board, with LLM-generated behavioural flashcards and a rejection taxonomy so patterns surface after a couple of entries.
The part I like best is skill-gap aggregation: it clusters the gap strings from every match into canonical skills and pulls curated learning resources from whitelisted docs — so the job hunt quietly turns into a study plan. Next.js 15 / React 19 / TypeScript on Postgres 16 + pgvector, Drizzle for queries and Playwright for the PDFs, running as two localhost-bound Docker containers on randomised ports. Single-user by design — your CV never leaves your box. → source
gog & gogmail — Google Workspace without leaving the terminal
Creator · open source
gog is a CLI that authenticates to Google Workspace; gogmail is the keyboard-driven TUI on top of it. Between them they put Gmail, Calendar, Drive, Docs, Sheets, Slides, Tasks, Contacts, Chat and Meet (plus Zoom) into a single Textual interface — read and write mail, RSVP to events, edit Sheets cells inline, spin up meetings, all without a browser tab. A context-aware Gemini side panel can actually act — fetch data, draft replies, star mail, change tasks from a plain-language request — with optional voice in and spoken replies.
It's also the layer under a couple of my other experiments:
waycal, my Wayland/niri calendar, mail and task widgets, is just
Quickshell QML driven by the same gog CLI. Python 3.10+, packaged for
Nix, .deb, .rpm and zipapp.
→ gogmail
nixos_config — my whole machine, declared
Open source
My personal NixOS estate, and the reason "infrastructure you can't rebuild from a clean checkout isn't infrastructure" is a thing I actually believe. It's a flake-based, multi-host config built on a single parameterised host template with a feature-flag system (dependencies and conflicts validated), so each machine turns on exactly what it needs from a shared base — an AMD workstation with ROCm for local AI, a headless Xeon media server running k3s microVMs, and a hybrid-graphics laptop with Secure Boot via lanzaboote.
Secrets are age-encrypted with agenix and committed safely; Home Manager is wired in as a flake module; theming is Stylix-driven from a single base16 palette that colours everything from the terminal to the desktop; and the documentation site is generated reproducibly from the live Nix source so it never drifts. It's the testbed where most of what ends up in the knowledge base gets tried first. → olafkfreund.github.io/nixos_config · source
GitHub Enterprise migration — Jefferies
Lead DevOps & migration architect
Leading the move of six business units at a tier-1 US investment bank off Bitbucket Cloud and Bamboo onto GitHub Enterprise Cloud and Actions, for the CTO office. I designed the Phase 1 reference architecture — reusable workflow templates spanning Maven, Gradle, .NET, Python, Node and multi-stage Docker, with NFS-backed caching and JFrog Artifactory over OIDC — and the self-hosted runner estate on AKS via Actions Runner Controller.
The governance is Terraform: org and team structure, repo lifecycle, branch protection, GHAS configuration, signed-commit enforcement — idempotent and reviewable, not ClickOps. Snyk, SonarQube and HashiCorp Vault are baked into the standard pipeline so developers get supply-chain attestation and secret rotation by default. I also wrote a small set of Claude Code plugins the migration team uses daily to scaffold and convert pipelines.
Backstage developer platform — NESO
Lead platform engineer
Leading a team building Spotify Backstage as the internal developer platform for the UK's National Energy System Operator — golden-path templates, self-service service scaffolding, and a single pane of glass for service ownership, on-call and runbooks. As much defining the DevOps operating model — tooling standards, environment promotion, branching, the feedback loops back to engineers — as building the portal.
More open source & the Linux desktop
- gnome-quick-web-apps — a GTK4/libadwaita manager that turns any site into a native GNOME app: paste a URL and it pulls the name, icon and theme from the web manifest, then runs each app CEF-isolated with its own profile and true URL-scope confinement.
- COSMIC & the Linux desktop in Rust — a native KDE-Connect app for COSMIC, an RDP server, notification and RSS applets, and r-hyprconfig, a real-time Hyprland config TUI.
- nixos-template — a batteries-included starting point for a NixOS journey, and the most-used thing I've published.
- Muninn — a zero-backend, Gruvbox GitHub portal and WebMCP playground for local browser agents.
- MCP servers for Kosli and ServiceNow, shipped inside SARC — real-world MCP in a CI/compliance context.
- This knowledge base — DevOps Help for Cloud Platform Engineers: multi-cloud architecture, FinOps, NixOS, AIOps and Service Mesh patterns. Browse it →