--- title: Skills description: Languages, frameworks, tools, and domains — every line backed by shipped code. section: about tags: [resume, skills] genre: reference stability: stable lastUpdated: 2026-04-18 url: https://fardiniqbal.com/docs/about/skills --- Every skill below is backed by commits, production code, and deployed systems. Generated from analysis of 2,500+ commit messages across 25+ repositories. ## How to read this [#how-to-read-this] Each skill has an **evidence level**: * **Production** — used in live systems serving real users daily. * **Shipped** — built and deployed, not necessarily in active daily use. * **Academic** — built for coursework, fully functional. * **Explored** — used in side projects or experiments. ## Ruby on Rails — Production (Expert) [#ruby-on-rails--production-expert] 3 production Rails applications. 1,695 combined commits. 732 test files in a single project. | Skill | Evidence | | -------------------------------- | ---------------------------------------------------------------------------- | | Rails 8.1 native authentication | "Rails 8 native auth, HIPAA-compliant session timeout" | | Multi-tenancy (`acts_as_tenant`) | Path-based tenant routing (`/t/:tenant_slug/...`), agency onboarding flow | | Row-level tenant isolation | Architecture tests programmatically verify tenant isolation is not broken | | Hotwire (Turbo + Stimulus) | Turbo Stream partial replacements, 51 Stimulus controllers in production | | ViewComponent + Lookbook | Design system with previews for UI consistency across the platform | | Packwerk domain boundaries | Billing, compliance, clinical, and scheduling concerns enforced via Packwerk | | Pundit authorization | Policies for 20+ resources, unified child-access predicates | | PaperTrail audit trails | Tamper-evident PHI version logging; 23,447 version entries in production | | AASM state machines | Clinical workflow: referral → evaluation → IFSP → service → discharge | | Solid Queue / Cache / Cable | Background jobs, cache, WebSockets — all Rails-native | | Kamal deployment | 67+ Fly.io releases for one app | | Devise authentication | Full auth stack across LocalElo | | ActiveStorage | Attachments, blobs, variant records in production DB | | Minitest + Capybara + Cuprite | System tests in headless Chrome with axe-core accessibility assertions | | Brakeman + bundler-audit | Security scanning in CI | | EDI X12 837P / 835 | Medical claim generation + remittance parsing via `stupidedi` | | PostgreSQL full-text search | `tsvector` indexes powering OmniSearch | | Tesseract OCR | Digitizing paper documents into searchable records | | AWS Bedrock (Claude) | AI-powered clinical note quality checks | | Zeitwerk custom loading | Concept-driven directory structure with collapsing | | Sharded CI | \~5-minute CI across 2 parallel runners | | 155+ migrations in a single app | Idempotent, zero errors on re-run | ## Next.js / React — Production (Expert) [#nextjs--react--production-expert] 10+ Next.js applications. 700+ commits across Next.js projects. | Skill | Evidence | | ---------------------------------- | ----------------------------------------------------------------- | | Next.js 14–16 (App Router) | tiny-steps-cms, civica, portfolio, bmth-time, TinyToes-Auditor | | React 19 | Verified via `package.json` in tiny-steps-cms | | Server Components + Server Actions | Route groups, server-side rendering, mutations via server actions | | React-PDF document generation | Clinical summaries and internal report templates | | AcroForm PDF filling | Standardized government forms with fixed layouts | | Drizzle ORM | Primary TypeScript ORM — typed schemas, migrations, Neon | | next-auth v5 | Credentials provider, JWT strategy (tiny-steps-cms) | | Clerk | Auth + RBAC (LocalElo, VerseCraft) | | tRPC | End-to-end type-safe APIs, 36 integration tests for tRPC routers | | Convex real-time backend | Real-time "who is currently on shift" dashboard (bmth-time) | | Tailwind CSS 4 | Primary styling across all frontend projects | | Radix UI / shadcn/ui | Component libraries | | Framer Motion | Page transitions + component animations | | Three.js / React Three Fiber | 3D insight visualization, WebGL noise orb shader, post-processing | | GSAP + Lenis | Scroll animations + smooth scrolling on portfolio | | MDX blog system | 12 published articles | | Tone.js | Ambient audio + soundscape system | | Recharts / Chart.js | Rating history charts, per-target SVG graphs | | WebLLM (on-device AI) | Qwen2.5 (360M/1.5B) + Phi-3.5-mini (3.8B), WebGPU accelerated | | PWA + service workers | Offline-first, iPad kiosk mode | | Vitest + Playwright + fast-check | 2,101 unit tests; cross-browser E2E; property-based testing | | Bundle budget enforcement | CI blocks size regressions | | Sentry | Error monitoring + release tracking in CI | ## TypeScript / Node.js — Production (Expert) [#typescript--nodejs--production-expert] Dominant language across 10+ production repos. | Skill | Evidence | | ---------------------------- | ------------------------------------------------------------- | | Express.js servers | Production email scraper with OAuth2 + cron scheduling | | NestJS + TypeORM | `ai-editor-bot` — PostgreSQL + NestJS + TypeORM | | Microsoft Graph API (OAuth2) | Outlook inbox access via Azure AD MSAL | | Google Sheets API | Structured data pipeline to 36-column sheets | | Google Gemini 2.5 Flash | Production email extraction (temp 0.1, 32K max output) | | `node-cron` | Background processing every 5 minutes | | Zod | Runtime type safety across tiny-steps-cms, FairShare, tooling | | Turborepo | 3 apps + 15 packages monorepo in neo-provider | | DOMPurify | XSS sanitization for user-generated content | ## Python — Advanced [#python--advanced] 5+ projects: FastAPI backend, ML pipelines, network security tools, automation. | Skill | Evidence | | ---------------------------- | ------------------------------------------------------------------- | | FastAPI + uvicorn | GLIMPSE backend — JWST spectroscopy API | | Flask | Spectrum analyzer Heroku deployment | | Scapy | Port-independent protocol detection in Argus | | `dpkt` PCAP parsing | TCP flow analysis: flow detection, throughput, congestion window | | scikit-learn | Linear Regression (R² = 0.769), KNN, Random Forest (MAE = $31.4M) | | pandas / numpy / scipy | Across all ML and data analysis projects | | `astropy` / `astroquery` | JWST FITS file processing, spectral analysis | | matplotlib / seaborn | NYC Airbnb analysis — radar charts, correlation, coordinate mapping | | Tkinter GUI + Task Scheduler | BIM file automation at Beyer Blinder Belle | | Socket programming | HTTP web server and caching proxy built from raw sockets | ## C Systems Programming — Academic (Advanced) [#c-systems-programming--academic-advanced] 4 substantial C projects. All Valgrind-verified. | Skill | Evidence | | ------------------------------------ | ------------------------------------------------------------------------------------ | | Custom `malloc` / `free` / `realloc` | Segregated free lists, quick lists, coalescing, XOR-obfuscated headers | | POSIX threads (pthreads) | Concurrent game server: mutex + semaphore synchronization | | TCP socket programming | Custom binary protocol, concurrent player connections | | Signal handling | `SIGCHLD`, `SIGSTOP`, `SIGCONT`, `SIGTERM`, `SIGUSR1` for game events | | `fork` / `pipe` / `dup2` / `execvp` | Full process-pipeline construction in print spooler | | Unix domain sockets | IPC between spooler components | | Protocol Buffers wire format | Hand-written deserializer (no `libprotobuf`) — varint, length-delimited, fixed-width | | `zlib` decompression | OSM PBF data blocks | | Reference counting | Player objects in game server — safe concurrent access | | Valgrind + Criterion | Memory-safety and testing frameworks | ## Databases — Production (Expert) [#databases--production-expert] 5+ production PostgreSQL databases. 190+ migrations. Live data under management. | Skill | Evidence | | ----------------------------- | ------------------------------------------------------ | | PostgreSQL (primary) | Every production system. Neon (us-east-1) + Supabase | | 190+ migrations | 155 in one app + 45 in another; all idempotent | | PLpgSQL stored procedures | 142KB in tiny-steps-cms | | Full-text search (`tsvector`) | OmniSearch — production feature | | Row-level tenant isolation | Every query automatically scoped to the correct agency | | Schema design (27–43 tables) | CMS (28 tables), behavioral health (43 tables) | | Drizzle ORM | Primary TS ORM — typed schemas + migration generation | | Prisma | FairShare and earlier projects | | MongoDB / Mongoose | Reddit-Clone | | SQLite | Internship data storage | | Redis (ElastiCache) | Session + cache layer in neo-provider | | Convex | Real-time document database (bmth-time) | ## AI / Machine Learning — Production + Academic [#ai--machine-learning--production--academic] ### Production AI integrations [#production-ai-integrations] | Skill | Evidence | | -------------------------- | ----------------------------------------------------------------------- | | Google Gemini 2.5 Flash | Production email processing, parallel batch extraction | | AWS Bedrock (Claude) | Clinical note quality checks | | WebLLM on-device inference | 3 model tiers: 360M / 1.5B / 3.8B params, WebGPU, zero-cloud HIPAA-safe | | OpenAI API | AI-powered bill summarization, agent orchestration | | AI prompt engineering | 600-line extraction prompt with plate-math-style domain rules | ### Academic ML [#academic-ml] | Skill | Evidence | | ------------------------- | -------------------------------------------------------------------------- | | Linear Regression | Movie revenue R² = 0.769; energy RMSE = 10.73 kW | | K-Nearest Neighbors | Model comparison on box-office prediction | | Random Forest | MAE = $31.4M (best performer on box-office data) | | Logistic Regression | Energy demand-response classification, F1 = 0.59 | | Feature engineering | \~100 engineered features including talent prestige scoring | | k-fold cross-validation | Robust model evaluation | | Exploratory data analysis | NYC Airbnb — 48K+ listings, geospatial visualization, correlation matrices | ## Infrastructure & DevOps — Production (Advanced) [#infrastructure--devops--production-advanced] Terraform-defined AWS infrastructure. Docker containers. 190+ production deployments. | Skill | Evidence | | ------------------------- | ------------------------------------------------------------------ | | Terraform (AWS IaC) | 72KB of HCL defining full production infrastructure | | AWS VPC | Public/private subnet topology | | AWS ECS Fargate | Autoscaling on CPU + memory | | AWS ALB | Application Load Balancer with health checks | | AWS S3 | HIPAA-compliant config (versioning, encryption, Glacier lifecycle) | | AWS ElastiCache Redis | Session/cache | | AWS ECR | Container registry | | AWS Secrets Manager | Credential rotation | | AWS CloudWatch | Alarms + monitoring | | AWS CodePipeline | CI/CD | | Docker + Compose | Multi-service development environments | | Kamal | Rails production deployment | | Fly.io | 2 production apps, EWR region, 196 + 73 releases | | Vercel | 10+ production deployments | | Render / Heroku / Railway | Multi-platform hosting experience | | GitHub Actions | 3-job pipelines: lint/audit → unit/integration → sharded system | | SHA-pinned Actions | Supply-chain security | | Dependabot | Automated dependency updates | | Snyk | Security scanning in CI | | Codecov | Coverage reporting | | Sentry releases | Release creation + Slack notifications in deploy pipeline | | Automatic rollback | Failure-triggered revert in neo-provider | ## Security & Compliance — Production (Advanced) [#security--compliance--production-advanced] 5 HIPAA-compliant production systems. Cybersecurity internship. Offensive security coursework. ### HIPAA compliance (production) [#hipaa-compliance-production] | Skill | Evidence | | --------------------------------- | ------------------------------------------------------------------- | | AES-256-GCM encryption | Authenticated encryption with key versioning for rotation | | XSalsa20-Poly1305 | SSN encryption via `tweetnacl` — encrypted at rest, never plaintext | | HMAC-SHA256 searchable encryption | Search encrypted fields without decryption | | PHI audit trails | 3,902 + 1,197 audit log entries across two production systems | | PHI completeness verification | Architecture tests verify coverage | | Row-level tenant isolation | Programmatic verification via architecture tests | | Session timeout | 15-minute timeout with 2-minute warning modal + auto-save | | Circuit breakers | External API calls protected against cascading failures | | Zero-cloud AI | WebGPU on-device inference — no BAA, no cloud, no PHI egress | ### Application security [#application-security] | Skill | Evidence | | ------------------------ | -------------------------------------------------- | | Open redirect prevention | `request.fullpath` stored instead of `request.url` | | Secure session cookies | `Secure` flag in production | | RBAC | Pundit (20+ resources), NextAuth roles, Clerk | | SAML + OIDC SSO | `@neo/sso` package | | bcrypt + TOTP 2FA | Email-delivered OTP with 10 backup codes | | Cloudflare Turnstile | Bot protection (production secret verified) | | Rate limiting | All API endpoints, Upstash Redis-backed | | Brakeman + bundler-audit | CI-gated security scans | | DOMPurify | Client-side HTML sanitization | | API key management | IP allowlisting in neo-provider | | Supply-chain security | SHA-pinned GitHub Actions | ### Cybersecurity (internship + academic) [#cybersecurity-internship--academic] | Skill | Evidence | | ------------------------------ | --------------------------------------------------------------------------- | | Splunk SIEM | NYCHA internship — SPL queries correlating events across log sources | | CrowdStrike Falcon EDR | Process-tree analysis, malicious binary identification, containment support | | Incident response | Alert triage, severity classification, escalation workflows | | Tenable vulnerability scanning | Scan review + remediation coordination | | MITRE ATT\&CK | Mapping TTPs to known threat actors | | Passive network sniffing | Argus — port-independent HTTP / TLS SNI / DNS detection | | TLS analysis | ClientHello parsing, IPv4 fallback, TCP payload fallback | | TCP flow analysis | Flow detection, throughput, congestion window, retransmission | | PCAP analysis | `dpkt`-based TCP flow analysis tool | ## Testing — Production (Expert) [#testing--production-expert] 860+ test files across multiple frameworks. | Skill | Evidence | | ---------------------- | -------------------------------------------------------------- | | Vitest | 106 test files, 2,101 tests passed (tiny-steps-cms) | | Playwright E2E | Cross-browser, mobile/tablet/desktop viewports | | Minitest | 64 tests, 178 assertions per story | | Capybara + Cuprite | Headless Chrome system tests | | fast-check | Property-based testing — random inputs for edge-case discovery | | axe-core (WCAG 2.1 AA) | Accessibility assertions baked into system tests | | Architecture tests | Programmatic verification of tenant isolation + PHI coverage | | `convex-test` | Serverless function testing | | Criterion (C) | Dynamic memory allocator validation | | Valgrind | Memory-safety verification in C projects | | Sharded CI | \~5-minute CI across parallel runners | ## Third-Party APIs (Production) [#third-party-apis-production] 15+ API integrations. | API | Usage | | -------------------- | ---------------------------------------- | | Microsoft Graph | Outlook email access via OAuth2 | | Google Sheets | Automated data pipeline | | Google Gemini | AI text extraction | | AWS Bedrock | Clinical AI quality checks | | Twilio | SMS notifications | | Stripe | Subscription billing + webhook lifecycle | | Clerk | Auth + RBAC | | Resend | Transactional email | | Cloudflare Turnstile | Bot protection | | Congress.gov | Federal legislation tracking | | Google Civic | Representative lookup | | Open States | State legislation | | FEC | Campaign finance | | Federal Register | Executive orders | | NASA MAST Archive | JWST exoplanet data | | Alpaca Trading | Brokerage data | | SomaFM | Audio streaming | ## Frontend Design & UX (Production) [#frontend-design--ux-production] | Skill | Evidence | | ----------------------------- | ----------------------------------------------------------------------- | | Design system creation | ViewComponent + Lookbook previews, verification scripts for consistency | | Tailwind CSS 4 | Primary styling across all frontend projects | | Radix UI / shadcn/ui | Component libraries in Next.js projects | | 3D rendering (R3F / Three.js) | Insight visualization, WebGL noise orb shader, post-processing | | GSAP + Framer Motion | Scroll animations + page/component transitions | | Responsive mobile-first | Haptics, bottom nav, touch effects | | PWA | iPad kiosk mode, offline-first, service-worker management | | WCAG 2.1 AA accessibility | axe-core assertions, explicit label elements, GLIMPSE compliance | | Multi-theme / dark mode | 8 artistic themes on portfolio; premium light/dark across all apps | | Data visualization | Recharts, Chart.js, per-target SVG, Plotly.js | | Typography systems | Instrument Serif + DM Sans, publication-grade blog typography | | Audio integration | Tone.js ambient, SomaFM streaming, soundscape systems | | Command palette (⌘K) | Universal search with server-side fuzzy matching | ## Domain Expertise [#domain-expertise] ### Healthcare / Early Intervention (Production) [#healthcare--early-intervention-production] | Concept | Evidence | | ---------------------------- | ---------------------------------------------------------------------- | | NY Early Intervention system | 5 production systems for EI agencies, training course platform | | IFSP management | Clinical workflow state machine | | Service Coordination Notes | TinyToes-Auditor validates SCNs for state compliance | | DTS submissions | Circuit breakers for state API calls | | EDI 837P claims | Production claim generation for insurance billing | | EDI 835 remittance | Payment reconciliation from insurance | | Provider credentialing | 1,286 credentials tracked in production, expiration alerts | | Clinical documentation | Signature capture, carry-forward logic, government-form PDF generation | | Multi-agency operations | Four home health agencies with row-level data isolation | ### Applied Behavior Analysis (Production) [#applied-behavior-analysis-production] | Concept | Evidence | | ---------------------- | ---------------------------------------------------------------------------- | | ABA terminology | 17 concepts documented, `TrialSession → TrialBlock` rename | | Assessment execution | `TemplateRunner`, `DomainTerminationChecker` — 291 assessments in production | | Program management | `FromAssessmentGenerator` — 270 programs in production | | Mastery criteria | `PromptLevelCalculator` — configurable per program type | | Prompt levels | Configurable prompt sequences per program | | Regression detection | Consecutive-failure tracking + stepped response workflow | | Progress visualization | `PairProgressCalculator`, `ProgramCompletionDetector` | ### Competitive Rating Systems (Shipped) [#competitive-rating-systems-shipped] | Concept | Evidence | | ------------------ | ---------------------------------------------------- | | Elo rating | Rating calculation on match completion | | Glicko-2 | Rating deviation and volatility (LocalElo) | | Match invalidation | Rating reversal with rollback logic | | Gamification | Daily streaks, weekly XP leagues, achievement badges | ### Civic Technology (Shipped) [#civic-technology-shipped] | Concept | Evidence | | --------------------- | --------------------------------------------- | | Legislation tracking | All 50 states + federal, with AI summaries | | Representative lookup | Deep profiles with VoteSmart integration | | Campaign finance | Lobbying Dashboard, PAC Tracker, Donor Search | | Executive orders | Federal Register API tracking | ### Scientific Computing (Shipped) [#scientific-computing-shipped] | Concept | Evidence | | ------------------------- | ---------------------------------------------------- | | JWST transit spectroscopy | Exoplanet observation catalog + transmission spectra | | Molecular band overlays | H₂O, CO₂, CH₄ overlay rendering | | FITS file processing | `astropy` backend for JWST data | ## Development Methodology [#development-methodology] | Tool / Method | Evidence | | ---------------------------- | ----------------------------------------------------------------- | | AI-augmented development | Claude Code co-authored commits across all recent projects | | BMAD framework | v6.0.1 → v6.0.4 configuration and commands | | GSD (Get Shit Done) workflow | Milestone-based development — 24 phases completed in one app | | Linear project management | All task execution tracked in Linear | | Conventional commits | `feat` / `fix` / `chore` / `refactor` / `perf` / `style` / `docs` | | Adversarial code review | "Fix 7 code review findings from adversarial review" | | PRD-driven development | PRD validation sweeps, implementation readiness artifacts | | Vertical slice architecture | 59 vertical slices in one rewrite (was 172 horizontal) | ## Aggregate [#aggregate] | Metric | Value | | ----------------------------------- | ------------------------------------------------- | | Commits analyzed | 2,500+ | | Production systems | 7 (all actively used daily) | | Production database tables | 64 across 2 databases | | Production records under management | 7,900+ | | Production deployments | 190+ | | Test files | 860+ | | Database migrations | 190+ | | API integrations | 15+ | | GitHub repositories | 100 (80 public + 20 private) | | GitHub contributions (past year) | 2,748 | | Live deployed applications | 12+ | | Production languages | 6 (TypeScript, Ruby, Python, C, SQL/PLpgSQL, HCL) |