Skills
Languages, frameworks, tools, and domains — every line backed by shipped code.
Every skill below is backed by commits, production code, and deployed
systems. Generated from analysis of 2,500+ commit messages across 25+
repositories.
Each skill has an evidence level:
- Production — used in live systems serving real users daily.
- Shipped — built and deployed, not necessarily in active daily use.
- Academic — built for coursework, fully functional.
- Explored — used in side projects or experiments.
3 production Rails applications. 1,695 combined commits. 732 test files
in a single project.
| Skill | Evidence |
|---|---|
| Rails 8.1 native authentication | "Rails 8 native auth, HIPAA-compliant session timeout" |
| Multi-tenancy (acts_as_tenant) | Path-based tenant routing (/t/:tenant_slug/...), agency onboarding flow |
| Row-level tenant isolation | Architecture tests programmatically verify tenant isolation is not broken |
| Hotwire (Turbo + Stimulus) | Turbo Stream partial replacements, 51 Stimulus controllers in production |
| ViewComponent + Lookbook | Design system with previews for UI consistency across the platform |
| Packwerk domain boundaries | Billing, compliance, clinical, and scheduling concerns enforced via Packwerk |
| Pundit authorization | Policies for 20+ resources, unified child-access predicates |
| PaperTrail audit trails | Tamper-evident PHI version logging; 23,447 version entries in production |
| AASM state machines | Clinical workflow: referral → evaluation → IFSP → service → discharge |
| Solid Queue / Cache / Cable | Background jobs, cache, WebSockets — all Rails-native |
| Kamal deployment | 67+ Fly.io releases for one app |
| Devise authentication | Full auth stack across LocalElo |
| ActiveStorage | Attachments, blobs, variant records in production DB |
| Minitest + Capybara + Cuprite | System tests in headless Chrome with axe-core accessibility assertions |
| Brakeman + bundler-audit | Security scanning in CI |
| EDI X12 837P / 835 | Medical claim generation + remittance parsing via stupidedi |
| PostgreSQL full-text search | tsvector indexes powering OmniSearch |
| Tesseract OCR | Digitizing paper documents into searchable records |
| AWS Bedrock (Claude) | AI-powered clinical note quality checks |
| Zeitwerk custom loading | Concept-driven directory structure with collapsing |
| Sharded CI | ~5-minute CI across 2 parallel runners |
| 155+ migrations in a single app | Idempotent, zero errors on re-run |
10+ Next.js applications. 700+ commits across Next.js projects.
| Skill | Evidence |
|---|---|
| Next.js 14–16 (App Router) | tiny-steps-cms, civica, portfolio, bmth-time, TinyToes-Auditor |
| React 19 | Verified via package.json in tiny-steps-cms |
| Server Components + Server Actions | Route groups, server-side rendering, mutations via server actions |
| React-PDF document generation | Clinical summaries and internal report templates |
| AcroForm PDF filling | Standardized government forms with fixed layouts |
| Drizzle ORM | Primary TypeScript ORM — typed schemas, migrations, Neon |
| next-auth v5 | Credentials provider, JWT strategy (tiny-steps-cms) |
| Clerk | Auth + RBAC (LocalElo, VerseCraft) |
| tRPC | End-to-end type-safe APIs, 36 integration tests for tRPC routers |
| Convex real-time backend | Real-time "who is currently on shift" dashboard (bmth-time) |
| Tailwind CSS 4 | Primary styling across all frontend projects |
| Radix UI / shadcn/ui | Component libraries |
| Framer Motion | Page transitions + component animations |
| Three.js / React Three Fiber | 3D insight visualization, WebGL noise orb shader, post-processing |
| GSAP + Lenis | Scroll animations + smooth scrolling on portfolio |
| MDX blog system | 12 published articles |
| Tone.js | Ambient audio + soundscape system |
| Recharts / Chart.js | Rating history charts, per-target SVG graphs |
| WebLLM (on-device AI) | Qwen2.5 (360M/1.5B) + Phi-3.5-mini (3.8B), WebGPU accelerated |
| PWA + service workers | Offline-first, iPad kiosk mode |
| Vitest + Playwright + fast-check | 2,101 unit tests; cross-browser E2E; property-based testing |
| Bundle budget enforcement | CI blocks size regressions |
| Sentry | Error monitoring + release tracking in CI |
Dominant language across 10+ production repos.
| Skill | Evidence |
|---|---|
| Express.js servers | Production email scraper with OAuth2 + cron scheduling |
| NestJS + TypeORM | ai-editor-bot — PostgreSQL + NestJS + TypeORM |
| Microsoft Graph API (OAuth2) | Outlook inbox access via Azure AD MSAL |
| Google Sheets API | Structured data pipeline to 36-column sheets |
| Google Gemini 2.5 Flash | Production email extraction (temp 0.1, 32K max output) |
| node-cron | Background processing every 5 minutes |
| Zod | Runtime type safety across tiny-steps-cms, FairShare, tooling |
| Turborepo | 3 apps + 15 packages monorepo in neo-provider |
| DOMPurify | XSS sanitization for user-generated content |
5+ projects: FastAPI backend, ML pipelines, network security tools, automation.
| Skill | Evidence |
|---|---|
| FastAPI + uvicorn | GLIMPSE backend — JWST spectroscopy API |
| Flask | Spectrum analyzer Heroku deployment |
| Scapy | Port-independent protocol detection in Argus |
| dpkt PCAP parsing | TCP flow analysis: flow detection, throughput, congestion window |
| scikit-learn | Linear Regression (R² = 0.769), KNN, Random Forest (MAE = $31.4M) |
| pandas / numpy / scipy | Across all ML and data analysis projects |
| astropy / astroquery | JWST FITS file processing, spectral analysis |
| matplotlib / seaborn | NYC Airbnb analysis — radar charts, correlation, coordinate mapping |
| Tkinter GUI + Task Scheduler | BIM file automation at Beyer Blinder Belle |
| Socket programming | HTTP web server and caching proxy built from raw sockets |
4 substantial C projects. All Valgrind-verified.
| Skill | Evidence |
|---|---|
| Custom malloc / free / realloc | Segregated free lists, quick lists, coalescing, XOR-obfuscated headers |
| POSIX threads (pthreads) | Concurrent game server: mutex + semaphore synchronization |
| TCP socket programming | Custom binary protocol, concurrent player connections |
| Signal handling | SIGCHLD, SIGSTOP, SIGCONT, SIGTERM, SIGUSR1 for game events |
| fork / pipe / dup2 / execvp | Full process-pipeline construction in print spooler |
| Unix domain sockets | IPC between spooler components |
| Protocol Buffers wire format | Hand-written deserializer (no libprotobuf) — varint, length-delimited, fixed-width |
| zlib decompression | OSM PBF data blocks |
| Reference counting | Player objects in game server — safe concurrent access |
| Valgrind + Criterion | Memory-safety and testing frameworks |
5+ production PostgreSQL databases. 190+ migrations. Live data under management.
| Skill | Evidence |
|---|---|
| PostgreSQL (primary) | Every production system. Neon (us-east-1) + Supabase |
| 190+ migrations | 155 in one app + 45 in another; all idempotent |
| PLpgSQL stored procedures | 142KB in tiny-steps-cms |
| Full-text search (tsvector) | OmniSearch — production feature |
| Row-level tenant isolation | Every query automatically scoped to the correct agency |
| Schema design (27–43 tables) | CMS (28 tables), behavioral health (43 tables) |
| Drizzle ORM | Primary TS ORM — typed schemas + migration generation |
| Prisma | FairShare and earlier projects |
| MongoDB / Mongoose | Reddit-Clone |
| SQLite | Internship data storage |
| Redis (ElastiCache) | Session + cache layer in neo-provider |
| Convex | Real-time document database (bmth-time) |
| Skill | Evidence |
|---|---|
| Google Gemini 2.5 Flash | Production email processing, parallel batch extraction |
| AWS Bedrock (Claude) | Clinical note quality checks |
| WebLLM on-device inference | 3 model tiers: 360M / 1.5B / 3.8B params, WebGPU, zero-cloud HIPAA-safe |
| OpenAI API | AI-powered bill summarization, agent orchestration |
| AI prompt engineering | 600-line extraction prompt with plate-math-style domain rules |
| Skill | Evidence |
|---|---|
| Linear Regression | Movie revenue R² = 0.769; energy RMSE = 10.73 kW |
| K-Nearest Neighbors | Model comparison on box-office prediction |
| Random Forest | MAE = $31.4M (best performer on box-office data) |
| Logistic Regression | Energy demand-response classification, F1 = 0.59 |
| Feature engineering | ~100 engineered features including talent prestige scoring |
| k-fold cross-validation | Robust model evaluation |
| Exploratory data analysis | NYC Airbnb — 48K+ listings, geospatial visualization, correlation matrices |
Terraform-defined AWS infrastructure. Docker containers. 190+ production deployments.
| Skill | Evidence |
|---|---|
| Terraform (AWS IaC) | 72KB of HCL defining full production infrastructure |
| AWS VPC | Public/private subnet topology |
| AWS ECS Fargate | Autoscaling on CPU + memory |
| AWS ALB | Application Load Balancer with health checks |
| AWS S3 | HIPAA-compliant config (versioning, encryption, Glacier lifecycle) |
| AWS ElastiCache Redis | Session/cache |
| AWS ECR | Container registry |
| AWS Secrets Manager | Credential rotation |
| AWS CloudWatch | Alarms + monitoring |
| AWS CodePipeline | CI/CD |
| Docker + Compose | Multi-service development environments |
| Kamal | Rails production deployment |
| Fly.io | 2 production apps, EWR region, 196 + 73 releases |
| Vercel | 10+ production deployments |
| Render / Heroku / Railway | Multi-platform hosting experience |
| GitHub Actions | 3-job pipelines: lint/audit → unit/integration → sharded system |
| SHA-pinned Actions | Supply-chain security |
| Dependabot | Automated dependency updates |
| Snyk | Security scanning in CI |
| Codecov | Coverage reporting |
| Sentry releases | Release creation + Slack notifications in deploy pipeline |
| Automatic rollback | Failure-triggered revert in neo-provider |
5 HIPAA-compliant production systems. Cybersecurity internship. Offensive security coursework.
| Skill | Evidence |
|---|---|
| AES-256-GCM encryption | Authenticated encryption with key versioning for rotation |
| XSalsa20-Poly1305 | SSN encryption via tweetnacl — encrypted at rest, never plaintext |
| HMAC-SHA256 searchable encryption | Search encrypted fields without decryption |
| PHI audit trails | 3,902 + 1,197 audit log entries across two production systems |
| PHI completeness verification | Architecture tests verify coverage |
| Row-level tenant isolation | Programmatic verification via architecture tests |
| Session timeout | 15-minute timeout with 2-minute warning modal + auto-save |
| Circuit breakers | External API calls protected against cascading failures |
| Zero-cloud AI | WebGPU on-device inference — no BAA, no cloud, no PHI egress |
| Skill | Evidence |
|---|---|
| Open redirect prevention | request.fullpath stored instead of request.url |
| Secure session cookies | Secure flag in production |
| RBAC | Pundit (20+ resources), NextAuth roles, Clerk |
| SAML + OIDC SSO | @neo/sso package |
| bcrypt + TOTP 2FA | Email-delivered OTP with 10 backup codes |
| Cloudflare Turnstile | Bot protection (production secret verified) |
| Rate limiting | All API endpoints, Upstash Redis-backed |
| Brakeman + bundler-audit | CI-gated security scans |
| DOMPurify | Client-side HTML sanitization |
| API key management | IP allowlisting in neo-provider |
| Supply-chain security | SHA-pinned GitHub Actions |
| Skill | Evidence |
|---|---|
| Splunk SIEM | NYCHA internship — SPL queries correlating events across log sources |
| CrowdStrike Falcon EDR | Process-tree analysis, malicious binary identification, containment support |
| Incident response | Alert triage, severity classification, escalation workflows |
| Tenable vulnerability scanning | Scan review + remediation coordination |
| MITRE ATT&CK | Mapping TTPs to known threat actors |
| Passive network sniffing | Argus — port-independent HTTP / TLS SNI / DNS detection |
| TLS analysis | ClientHello parsing, IPv4 fallback, TCP payload fallback |
| TCP flow analysis | Flow detection, throughput, congestion window, retransmission |
| PCAP analysis | dpkt-based TCP flow analysis tool |
860+ test files across multiple frameworks.
| Skill | Evidence |
|---|---|
| Vitest | 106 test files, 2,101 tests passed (tiny-steps-cms) |
| Playwright E2E | Cross-browser, mobile/tablet/desktop viewports |
| Minitest | 64 tests, 178 assertions per story |
| Capybara + Cuprite | Headless Chrome system tests |
| fast-check | Property-based testing — random inputs for edge-case discovery |
| axe-core (WCAG 2.1 AA) | Accessibility assertions baked into system tests |
| Architecture tests | Programmatic verification of tenant isolation + PHI coverage |
| convex-test | Serverless function testing |
| Criterion (C) | Dynamic memory allocator validation |
| Valgrind | Memory-safety verification in C projects |
| Sharded CI | ~5-minute CI across parallel runners |
15+ API integrations.
| API | Usage |
|---|---|
| Microsoft Graph | Outlook email access via OAuth2 |
| Google Sheets | Automated data pipeline |
| Google Gemini | AI text extraction |
| AWS Bedrock | Clinical AI quality checks |
| Twilio | SMS notifications |
| Stripe | Subscription billing + webhook lifecycle |
| Clerk | Auth + RBAC |
| Resend | Transactional email |
| Cloudflare Turnstile | Bot protection |
| Congress.gov | Federal legislation tracking |
| Google Civic | Representative lookup |
| Open States | State legislation |
| FEC | Campaign finance |
| Federal Register | Executive orders |
| NASA MAST Archive | JWST exoplanet data |
| Alpaca Trading | Brokerage data |
| SomaFM | Audio streaming |
| Skill | Evidence |
|---|---|
| Design system creation | ViewComponent + Lookbook previews, verification scripts for consistency |
| Tailwind CSS 4 | Primary styling across all frontend projects |
| Radix UI / shadcn/ui | Component libraries in Next.js projects |
| 3D rendering (R3F / Three.js) | Insight visualization, WebGL noise orb shader, post-processing |
| GSAP + Framer Motion | Scroll animations + page/component transitions |
| Responsive mobile-first | Haptics, bottom nav, touch effects |
| PWA | iPad kiosk mode, offline-first, service-worker management |
| WCAG 2.1 AA accessibility | axe-core assertions, explicit label elements, GLIMPSE compliance |
| Multi-theme / dark mode | 8 artistic themes on portfolio; premium light/dark across all apps |
| Data visualization | Recharts, Chart.js, per-target SVG, Plotly.js |
| Typography systems | Instrument Serif + DM Sans, publication-grade blog typography |
| Audio integration | Tone.js ambient, SomaFM streaming, soundscape systems |
| Command palette (⌘K) | Universal search with server-side fuzzy matching |
| Concept | Evidence |
|---|---|
| NY Early Intervention system | 5 production systems for EI agencies, training course platform |
| IFSP management | Clinical workflow state machine |
| Service Coordination Notes | TinyToes-Auditor validates SCNs for state compliance |
| DTS submissions | Circuit breakers for state API calls |
| EDI 837P claims | Production claim generation for insurance billing |
| EDI 835 remittance | Payment reconciliation from insurance |
| Provider credentialing | 1,286 credentials tracked in production, expiration alerts |
| Clinical documentation | Signature capture, carry-forward logic, government-form PDF generation |
| Multi-agency operations | Four home health agencies with row-level data isolation |
| Concept | Evidence |
|---|---|
| ABA terminology | 17 concepts documented, TrialSession → TrialBlock rename |
| Assessment execution | TemplateRunner, DomainTerminationChecker — 291 assessments in production |
| Program management | FromAssessmentGenerator — 270 programs in production |
| Mastery criteria | PromptLevelCalculator — configurable per program type |
| Prompt levels | Configurable prompt sequences per program |
| Regression detection | Consecutive-failure tracking + stepped response workflow |
| Progress visualization | PairProgressCalculator, ProgramCompletionDetector |
| Concept | Evidence |
|---|---|
| Elo rating | Rating calculation on match completion |
| Glicko-2 | Rating deviation and volatility (LocalElo) |
| Match invalidation | Rating reversal with rollback logic |
| Gamification | Daily streaks, weekly XP leagues, achievement badges |
| Concept | Evidence |
|---|---|
| Legislation tracking | All 50 states + federal, with AI summaries |
| Representative lookup | Deep profiles with VoteSmart integration |
| Campaign finance | Lobbying Dashboard, PAC Tracker, Donor Search |
| Executive orders | Federal Register API tracking |
| Concept | Evidence |
|---|---|
| JWST transit spectroscopy | Exoplanet observation catalog + transmission spectra |
| Molecular band overlays | H₂O, CO₂, CH₄ overlay rendering |
| FITS file processing | astropy backend for JWST data |
| Tool / Method | Evidence |
|---|---|
| AI-augmented development | Claude Code co-authored commits across all recent projects |
| BMAD framework | v6.0.1 → v6.0.4 configuration and commands |
| GSD (Get Shit Done) workflow | Milestone-based development — 24 phases completed in one app |
| Linear project management | All task execution tracked in Linear |
| Conventional commits | feat / fix / chore / refactor / perf / style / docs |
| Adversarial code review | "Fix 7 code review findings from adversarial review" |
| PRD-driven development | PRD validation sweeps, implementation readiness artifacts |
| Vertical slice architecture | 59 vertical slices in one rewrite (was 172 horizontal) |
| Metric | Value |
|---|---|
| Commits analyzed | 2,500+ |
| Production systems | 7 (all actively used daily) |
| Production database tables | 64 across 2 databases |
| Production records under management | 7,900+ |
| Production deployments | 190+ |
| Test files | 860+ |
| Database migrations | 190+ |
| API integrations | 15+ |
| GitHub repositories | 100 (80 public + 20 private) |
| GitHub contributions (past year) | 2,748 |
| Live deployed applications | 12+ |
| Production languages | 6 (TypeScript, Ruby, Python, C, SQL/PLpgSQL, HCL) |