~ ls projects/
# Selected Work
Things I have designed, built, and run in production and at home.
Implemented an organisation's entire Microsoft Entra ID estate through Terraform – app registrations, service principals, Conditional Access, MFA and privileged access – so every identity change is a peer-reviewed pull request rather than a console click.
- Self-service provisioning + JML (joiner/mover/leaver) lifecycle: access turnaround cut from days to minutes.
- Least-privilege enforced in code; controls wired into Sentinel and endpoint workflows.
A governed Infrastructure-as-Code delivery pipeline using OIDC-based authentication to AWS – no long-lived credentials – with plan/apply gating, approval workflows, and automated security scanning. Currently evaluating Atlantis vs Terragrunt vs GitHub Actions for the team workflow.
A just-in-time privileged access architecture built around least-privilege defaults, SCPs and RBAC, designed for ISO 27001 audit readiness. Threat-modelled before a line of access control was written.
A hybrid physical/virtual K3s cluster running a self-hosted AI stack: Ollama for local inference, n8n for automation, and a Milvus vector DB with a token-chunking RAG pipeline. See homelab.md for the full architecture.
Cross-machine dotfiles (WSL + macOS) managed via a bare Git repo on a self-hosted Forgejo instance, with an idempotent bootstrap.sh that provisions Neovim (LazyVim), tooling and mounts on a fresh box in one run.
# more on GitHub → github.com/Ssri7774