← Index

What I've Built

Hardened Secure-Workspace Endpoint

Type - A locked-down Linux workstation for classified communications. Smartcard login instead of the OS login, isolated workspaces, post-quantum VPN.

My role - Primary owner of the desktop application. This is my current project - I'm redesigning it and removing technical debt with the right architecture.

Stack - Python, Qt, smartcard auth, Linux internals, VPN, pytest, Playwright.

DDD
architecture
~74
test files
PQC
post-quantum VPN

What I worked on

  • The desktop application end to end
  • A domain-driven re-architecture of a UI monolith
  • Smartcard authentication and the lock-screen flow, with its security fail-safes
  • The networking domain and VPN-gated workspaces
  • OS-level integration and boot hardening
  • A testing strategy that made a Qt desktop app testable
  • A full dashboard redesign

The hardest problem

  • A stolen smartcard had to be useless to an attacker, without ever risking the card locking itself.
  • I designed a fail-safe that makes that state impossible to reach.

What I've learned

  • Automated agents can do almost anything. We had agents deploying and testing over SSH on the real laptop. AI is just a skill issue.
  • Security features need a fail-safe bias. When in doubt, shut down early.
  • Hardware is not software. The design has to absorb physical-world failures.
  • DDD made a desktop monolith understandable and testable.
  • Infrastructure needs one source of truth.
  • Never underestimate documentation. Document everything, even the parts you build solo. The next person who needs it is usually you.
← Back to all