I build small, auditable security and developer tooling — command-line tools and libraries that are zero-dependency and offline-first, so every line that runs in your supply chain is one you can read. The work sits at the intersection of software supply-chain security, static analysis, and the new failure modes that AI coding agents introduce.
Projects

- vibecheck: A "safe to ship?" gate for AI-generated code. Real AST parsing and inter-procedural taint analysis for JavaScript/TypeScript, Python, and Go, ranked by confidence. Runs as a CLI and as an MCP tool inside agent loops.
- wormguard: An offline npm, pnpm, yarn, and bun install-script auditor. AST-grade analysis with baseline-diff detection of Shai-Hulud-style supply-chain worms — no network, no account, no CVE database.
- veritrail: Tamper-evident, append-only transparency logs for TypeScript. RFC 6962 / RFC 9162 Merkle trees with inclusion and consistency proofs, Ed25519-signed checkpoints, and a sparse-Merkle verifiable map. Zero dependencies.
- envlint: A zero-dependency CLI that validates .env files against .env.example — missing keys, duplicates, empty values, leaked secrets, and an unsafe .gitignore. Built for CI, with inline GitHub Actions annotations.
- goodfaith: A precision-first Discord automod for tight-knit communities. It treats wrongly muting a regular as the expensive failure and makes that trade-off explicit, tunable, and auditable.
Writing

- Detecting Shai-Hulud npm supply-chain worms offline: What offline, AST-grade install-script auditing can and cannot catch.
- Verifiable transparency logs in TypeScript: RFC 6962 inclusion and consistency proofs, signed checkpoints, and verifiable maps.
- Catching the security bugs AI coding agents introduce: Taint-backed static analysis and confidence ranking for AI-generated code.