{"profile":{"name":"Alex Hill","preferredName":"Alex (Hoobi) Hill","pronouns":"he/him","role":"Senior Platform Engineer","location":"Melbourne, Australia","timezone":"Australia/Melbourne","headline":"Senior Platform Engineer building secure-by-default platforms at speed. Azure-focused, Kubernetes-deep, identity-obsessed. AI-native in how I work.","tagline":"Why do work twice? Do it right and automate it.","summary":"Senior Platform Engineer focused on speedy, secure delivery in an AI-native R&D org.\n\nSpeed and security only conflict when the platform makes them conflict. Most of my work is removing that conflict: making the secure path the path of least resistance for hundreds of engineers, then automating the friction out from underneath them.\n\nDay job is shared platform engineering: service mesh, identity modernisation, supply-chain security, regulated-environment resilience, and a GitOps developer platform. Outside the day job I maintain open-source Windows tooling, contribute upstream to vulnerability-management projects, and run a home-lab that doubles as a proving ground for patterns I bring back to work.\n\nHeavy investment in agentic engineering as a force multiplier: multi-agent PR review, MCP servers wired into the dev platform, and a tuned harness of skills that encodes hard-won standards so they survive across sessions.\n","cloudFocus":{"primary":"Azure","primaryDescription":"Microsoft Azure has been the primary cloud for ~8 years: AKS, APIM, Front Door, App Gateway, Entra, Bicep/ARM and Terraform across commercial and regulated tenancies.","secondary":[{"name":"AWS","level":"working","context":"Regulated workloads, identity, hosted-zone automation, and customer-segregated tenancies."},{"name":"GCP","level":"dabble","context":"Small amount of exposure for specific integration 
work."}]},"contact":[{"kind":"email","value":"alex@hoobi.io","display":"alex@hoobi.io","primary":true},{"kind":"github","value":"https://github.com/hoobio","display":"github.com/hoobio","primary":false},{"kind":"linkedin","value":"https://www.linkedin.com/in/alex-h-905a8990/","display":"linkedin.com/in/alex-h-905a8990","primary":false},{"kind":"website","value":"https://hoobi.io","display":"hoobi.io","primary":false}],"availability":{"status":"open-to-conversations","description":"Open to talking platform engineering, agentic workflows, or secure-by-default systems. Not actively job hunting."},"seo":{"description":"Alex Hill, Senior Platform Engineer based in Melbourne, Australia. Specialises in Azure, Kubernetes, OAuth and identity, supply-chain security, FedRAMP resilience, GitOps, and AI-native engineering workflows. Open-source maintainer.","keywords":["Platform Engineering","Senior Platform Engineer","Microsoft Azure","Kubernetes","AKS","Istio","Terraform","Bicep","OAuth","OpenID Connect","OIDC","PIM","Privileged Identity Management","Supply-chain Security","SBOM","CycloneDX","Dependency-Track","FedRAMP","SOC 2","GitOps","ArgoCD","Helm","Service Mesh","APIM","Azure DevOps","GitHub Actions",".NET","WinUI 3","TypeScript","Node.js","PowerShell","Model Context Protocol","MCP","Agentic Engineering","Open Source Maintainer"]}},"principles":[{"id":"secure-by-default","title":"Secure by default","summary":"Security is a property of the platform, not a checklist applied to it. Reusable templates, identity baked into deploy pipelines, supply-chain controls on by default. 
The secure path is the path of least resistance.","evidence":["SBOM generation and Dependency-Track ingestion embedded in reusable pipeline templates","PAT-to-GitHub-App migrations for self-hosted CI agents","OIDC federated credentials replacing static secrets for package feed auth","Privileged Identity Management rolled out across multiple product platforms"]},{"id":"speed-as-a-property-of-quality","title":"Speed is a property of quality","summary":"Teams ship faster when the platform removes the steps where decisions used to be made. GitOps, validated templates, opinionated defaults. You earn the speed by making the right thing the easy thing.","evidence":["GitOps developer platform for self-service deploys with Helm validation and rollback","Reusable composite actions and pipeline templates rolled out across consumer repos","Region-by-region rolling production deploys gated on readiness and metrics"]},{"id":"identity-first","title":"Identity-first","summary":"Most platform problems are identity problems wearing other costumes. Get identity right and the blast radius shrinks, the audit trail clarifies, and the engineers downstream stop needing exceptions.","evidence":["Replacing static credentials with GitHub Apps, OIDC, managed identity, workload identity","Privileged Identity Management programme with IaC-driven config and drift detection","Centralised TLS estate management and rotation across the company's domain footprint"]},{"id":"regulated-environment-fluency","title":"Regulated-environment fluency","summary":"Regulated builds are not a tax. They are a discipline that pays off in every environment if you let them. 
Designing for FedRAMP shapes how you think about commercial too.","evidence":["FedRAMP secondary-region disaster recovery programme: provisioning, traffic management, identity and DNS","Kernel-feature compatibility work across FIPS and commercial kernel pools","Federated credential, private-endpoint, and private-DNS migrations across regulated environments"]},{"id":"ai-native-engineering","title":"AI-native engineering","subtitle":"Agentic workflows I built and tune for my own work, not features turned on from a menu.","summary":"I run multi-agent code review on my own pull requests, drive operational work through tenant-scoped MCP servers, and maintain a layered skill library that captures hard-won conventions across sessions. The agents do the routine work the humans already agreed on so the humans can spend time on the judgement calls.","evidence":["Multi-agent PR review harness orchestrating parallel reviews via MCP","Tenant-partitioned MCP servers for safe cross-tenant operations","MCP service architecture for surfacing organisational APIs to agents","Layered skills + project memory system that carries standards across sessions"]}],"skills":[{"id":"platform-engineering","title":"Platform engineering","level":"deep","skills":["Platform engineering","Kubernetes (AKS)","Service mesh (Istio, ambient mesh)","GitOps (ArgoCD)","Helm","Cert Manager","Secrets Management","Custom Developer Tooling"]},{"id":"cloud-azure","title":"Cloud (Azure primary)","level":"deep","skills":["Azure (AKS, APIM, Front Door, App Gateway, Entra)","Azure Classic (App Services, Cloud Services, Virtual Machines)","Terraform","Bicep","ARM","AWS","GCP (limited exposure)"]},{"id":"identity-and-auth","title":"Identity & auth","level":"deep","skills":["OAuth 2.0","OpenID Connect","OIDC Federated Credentials","Managed & Workload Identity","Privileged Identity Management (PIM)","GitHub App Auth","Entra ID","Custom RBAC & ABAC","Auth0"]},{"id":"supply-chain-security","title":"Supply-chain & 
vulnerability management","level":"deep","skills":["CycloneDX SBOMs","OWASP Dependency-Track (upstream contributor)","Trivy / Snyk","Veracode","Code signing (Authenticode, MSIX)","SBOM attestation & provenance"]},{"id":"networking-and-edge","title":"Networking & edge","level":"deep","skills":["Hub-and-spoke Networking","Private Networking (Private Endpoints & Private DNS)","Cloudflare WAF and Global Load Balancing","Imperva WAF","Azure Front Door","Application Gateway","APIM","nginx","eBPF awareness for service-mesh work"]},{"id":"cicd","title":"CI/CD","level":"deep","skills":["Azure DevOps pipelines (YAML and Classic)","GitHub Actions","Reusable composite actions","release-please","SBOM and provenance attestation gates"]},{"id":"ado-github-administration","title":"ADO & GitHub platform administration","level":"deep","skills":["Azure DevOps org administration (boards, repos, pipelines, artifacts)","GitHub Enterprise org administration","Billing & licensing (seat management)","Scrum, iterations, area paths, custom work item types","Service connections, agent pools, environments","Branch policies, required reviewers, build validation","GitHub Advanced Security (code/secret scanning, Dependabot)","Audit logging & retention","Cross-org admin across R&D, Corporate IT, Security"]},{"id":"data-and-platform-services","title":"Data & platform services","level":"deep","skills":["Cosmos DB (multi-region, automatic failover)","Azure Storage","Azure Service Bus","Azure SQL","MSSQL","PostgreSQL (Managed and Self-Hosted)","MongoDB"]},{"id":"observability-platform","title":"Observability","level":"deep","skills":["Application Insights / Log Analytics (and Kusto)","Grafana","Prometheus","Mimir","Loki","Tempo","Datadog","PagerDuty"]},{"id":"compliance","title":"Compliance","level":"deep","skills":["FedRAMP","SOC 2","GDPR (data residency, claim-based regional routing)","PCI-aware workload patterns"]},{"id":"incident-management","title":"Incident 
management","level":"deep","skills":["Security & availability incident response","Customer-facing status page updates","Cross-functional coordination (legal, security, dev teams)","Out-of-hours response & global coordination","Post-incident reviews & corrective actions","Comms tone for regulated & enterprise customers"]},{"id":"ai-native-tooling","title":"AI-native engineering","level":"deep","skills":["Model Context Protocol (MCP) servers","Multi-agent orchestration","Claude Code & Claude Agent SDK","Agentic PR review","Skill / context engineering","Prompt caching strategies"]},{"id":"languages","title":"Languages","level":"working","skills":["C# / .NET (incl. .NET 10, WinUI 3)","TypeScript / Node.js","PowerShell","Python","Java","SQL"]},{"id":"frontend","title":"Frontend / desktop","level":"working","skills":["React","WinUI 3","Fluent UI","HTML / CSS","ASP.NET (backend)"]},{"id":"cloud-cost-optimisation","title":"Cloud cost optimisation","level":"working","skills":["Azure Reservations (compute + Cosmos throughput)","Azure Compute Savings Plans","AWS Reserved Instances","AWS Compute Savings Plans","Cost analysis + chargeback reporting","Right-sizing + commitment laddering"]}],"experience":[{"id":"senior-platform-engineer-current","title":"Senior Platform Engineer","company":"Nintex","location":"Melbourne, Australia","workType":"hybrid","start":"2024-01","end":"present","current":true,"summary":"On the team that owns the shared developer and service platform. 
Service mesh, regulated-environment DR, hub-and-spoke networking, GitOps developer tooling, identity modernisation, supply-chain security, and the early AI-native platform engineering work.","highlights":["Cross-region service mesh rollout and east-west connectivity across the compute fleet.","Regulated-environment disaster recovery: secondary-region provisioning, traffic management, identity and DNS plumbing.","Network topology refactors separating shared hub resources from product workloads, with the IaC, pipeline and state-migration tooling to make it safe.","GitOps developer platform that lets product teams self-serve deploys, with Helm validation and rollback.","Kernel and runtime upgrades across Kubernetes node pools, including the compatibility work that comes with regulated builds.","Identity modernisation: replacing PATs with GitHub Apps, OIDC federated credentials and managed identity. PIM across product teams.","Supply-chain security: SBOMs, vulnerability ingestion, container scanning, reusable pipeline templates that bake the controls in by default.","AI-native platform engineering: tenant-partitioned MCP servers, multi-agent PR review, MCP service architecture.","Proof-of-concept work on Cloudflare WAF and Global Load Balancing as supplement / alternative to incumbent edge."],"tech":["Azure (AKS, APIM, Front Door, App Gateway, Entra)","Bicep / ARM","Terraform","Helm","ArgoCD","Istio","GitHub Actions","Azure DevOps pipelines",".NET","TypeScript","PowerShell"]},{"id":"senior-devops-engineer","title":"Senior DevOps Engineer","company":"Nintex","location":"Melbourne, Australia","workType":"hybrid","start":"2021-01","end":"2024-01","current":false,"summary":"Cross-cutting platform work: Azure governance, identity programmes, certificate lifecycle, multi-region resilience groundwork, and Reserved-Instance ownership across the Azure footprint.","highlights":["Azure governance for autonomous product teams: management-group model, prod and non-prod isolation, 
PR-time validation that guard rails stay intact.","Privileged Identity Management programme across multiple product platforms, with IaC-based automation driving it.","Multi-region resilience groundwork that fed the current DR cutover.","Certificate lifecycle ownership across the company's TLS estate: rotation, automation, expiry detection.","Cloud cost optimisation: ownership of Azure Reservations, Compute Savings Plans, and Cosmos throughput reservations across the compute and data footprint."],"tech":["Azure","Entra ID / PIM","Bicep","Terraform","Azure DevOps","PowerShell"]},{"id":"devops-engineer","title":"DevOps Engineer","company":"Nintex","location":"Melbourne, Australia","workType":"office","start":"2018-01","end":"2021-01","current":false,"summary":"Productionising the cloud workflow platform. Foundational Kubernetes migration, regional failover work, backup automation, and pipeline hardening with SAST and end-to-end gating.","highlights":["Kubernetes platform rollout for the company's cloud workflow product: foundational migration from VM-based hosting to AKS.","Productionisation of cloud services: regional failover, automatic database failover, backup automation.","Pipeline hardening: SAST integration, end-to-end and API test gating before production."],"tech":["Azure","AKS","C# / .NET","ASP.NET","Cosmos DB","Azure DevOps","Veracode"]},{"id":"associate-devops-engineer","title":"Associate DevOps Engineer","company":"Nintex","location":"Melbourne, Australia","workType":"office","start":"2016-01","end":"2018-01","current":false,"summary":"On-prem and early-cloud era. 
Datacentre refresh, virtualisation automation, disaster recovery for the on-prem estate, and the early container orchestration evaluation that seeded the later AKS direction.","highlights":["Datacentre refresh programme covering hardware, capacity uplift, and the supporting automation.","Virtualisation platform migrations and automated VM delivery.","Disaster recovery for the on-prem estate.","Early evaluation of container orchestration, which seeded the later AKS direction."],"tech":["System Center VMM","PowerShell","Azure (early adoption)","Service Fabric (POC)"]},{"id":"systems-administrator-st-philips","title":"Systems Administrator","company":"St Philips College","location":"Alice Springs, Australia","workType":"office","start":"2012-01","end":"2016-01","current":false,"summary":"Thrust into the IT Manager role at 19 when the rest of the team quit and I was the most senior person left. Owned end-to-end school infrastructure: network, identity, telephony, virtualisation, and the migration to cloud. 
Most of the patterns I bring to platform engineering now came from problems I had to solve here without backup.","highlights":["Network refresh: HP 10G fibre core running BGP, replacing the legacy switching backend.","BYOD WiFi rollout with Windows NPS / RAS for 802.1X authentication across the campus.","Replaced legacy VMware with Hyper-V HA on a NAS backend, orchestrated by SCVMM.","AARNet (Australian research and education network) connection rolled out for the college.","Rebuilt Active Directory from scratch with a live cutover: domain trusts maintained during migration, all services moved (Exchange, SharePoint, Print Services, RAS, DirectAccess).","Native IPv6 rollout across the campus network.","On-prem to O365 Hybrid migration (Exchange + identity).","Replaced the legacy phone system with a Ubiquiti UniFi-based VoIP rollout."],"tech":["Active Directory","Exchange (on-prem + O365 Hybrid)","SharePoint","Hyper-V (SCVMM)","HP Switches (BGP, 10G fibre)","Windows NPS / RAS (802.1X)","IPv6","DirectAccess","VoIP (UniFi)","O365"]}],"projects":[{"id":"command-palette-bitwarden","title":"Command Palette Extension for Bitwarden","kind":"open-source","role":"Author & maintainer","status":"active","start":"2025-01","summary":"Open-source Bitwarden integration for the Windows Command Palette (the PowerToys-based command surface). 
Biometric-gated, signed MSI installer, Microsoft Store release, ongoing issue triage.","highlights":[".NET 10 / WinUI 3 with WiX 5 MSI installer and Authenticode signing.","Microsoft Store release pipeline with release-please reusable workflows.","Biometric auth flow, vault state machine, TOTP enter-key behaviour.","WACK certification on x64 and ARM64.","CycloneDX SBOM published with every release and ingested into Dependency-Track."],"tech":[".NET 10","WinUI 3","WiX 5","GitHub Actions","CycloneDX","Microsoft Store"],"links":[{"kind":"repo","url":"https://github.com/hoobio/command-palette-bitwarden"},{"kind":"store","url":"https://apps.microsoft.com/"}]},{"id":"dependency-track-contribution","title":"OWASP Dependency-Track upstream contribution","kind":"open-source","role":"Contributor","status":"shipped","summary":"Upstream feature work on the OWASP Dependency-Track project.","highlights":[],"tech":["Java","Docker"],"links":[{"kind":"repo","url":"https://github.com/DependencyTrack/dependency-track"},{"kind":"issue","url":"https://github.com/DependencyTrack/dependency-track/issues/4570"}]},{"id":"earmark","title":"Earmark","kind":"open-source","role":"Author & maintainer","status":"active","summary":"Per-application audio output routing for Windows. Rules engine with conditions and actions (device-present, application-name regex), event-driven device and application enumeration, Fluent 2 design, signed MSI installer.","highlights":[],"tech":[".NET 10","WinUI 3","WiX 5","Fluent 2","PowerShell interop"],"links":[]},{"id":"hoobi-pr-reviewer","title":"PR Reviewer","kind":"personal","role":"Author","status":"active","summary":"Multi-agent system that orchestrates pull-request reviews across Azure DevOps and GitHub in parallel via MCP. 
Dispatches subagents per repository class (governance, infrastructure, GitOps, APIM) and consolidates feedback inline.","highlights":[],"tech":["Model Context Protocol","Claude Agent SDK","TypeScript","GitHub MCP","Azure DevOps MCP"],"links":[]},{"id":"personal-assistant","title":"Personal Assistant","kind":"personal","role":"Author","status":"active","summary":"Local LLM-driven personal assistant. Wake-word voice activation with on-device STT and TTS, tool-use bridge into Home Assistant for device and scene control, Jellyfin/Jellyseerr integration for media requests and playback control. Rich structured logging across the agent loop.","highlights":[],"tech":["Local LLM (llama.cpp / Ollama)","Whisper STT","Piper / Coqui TTS","Wake-word detection","Home Assistant","Jellyfin / Jellyseerr","Python","Structured logging"],"links":[]},{"id":"hoobi-automation","title":"Hoobi Automation","kind":"personal","role":"Author","status":"active","summary":"Home Assistant integration as a Windows service. Publishes last-input idle metrics over MQTT, drives audio-device restart automation and motion activated monitors / sleep.","highlights":[],"tech":["TypeScript","Node.js","MQTT","Home Assistant","Windows Services"],"links":[]},{"id":"internal-mcp-service","title":"Internal MCP services (architectural design)","kind":"work","role":"Architect","status":"in-design","summary":"Architectural design for an internal Model Context Protocol service. Regional API routing, OAuth-gated agent access, multi-domain ingress, relationship with the identity provider. Closed-source internal tool.","highlights":[],"tech":["APIM","MCP","OAuth","OIDC","Helm","Bicep"],"links":[]},{"id":"pim-automation","title":"Privileged Identity Management automation (internal tool)","kind":"work","role":"Contributor / designer","status":"shipped","summary":"A closed-source automation solution that drives PIM role assignments via IaC. Audited, repeatable, PR-gated. 
Rolled out across multiple product platforms.","highlights":[],"tech":["Terraform","Azure RBAC","PIM","Azure DevOps pipelines"],"links":[]},{"id":"cloudflare-edge","title":"Cloudflare WAF + Global Load Balancing","kind":"work","role":"Author","status":"shipped","summary":"Cloudflare WAF and global load balancing supplementing the incumbent edge stack. IaC for top-level domains, configuration, user onboarding with differentiated access levels per domain. Global APIs with claim-based regional routing for GDPR-compliant data residency.","highlights":[],"tech":["Cloudflare","Terraform","Global Load Balancing","WAF","GDPR","Claim-based routing"],"links":[]}],"azureResources":[{"id":"compute-and-orchestration","title":"Compute & orchestration","description":"Where workloads actually run, and how they get scheduled, scaled, and rolled.","services":[{"name":"Azure Kubernetes Service (AKS)","usage":"Primary compute platform. Multi-region, multi-tenancy, regulated and commercial pools."},{"name":"Virtual Machine Scale Sets","usage":"Underpin AKS node pools and legacy automation workloads."},{"name":"Azure Container Apps","usage":"Lightweight container hosting. Used here for this portfolio (free consumption tier)."},{"name":"Azure App Service","usage":"Pre-AKS hosting for cloud services and legacy products."},{"name":"Azure Container Instances","usage":"Ephemeral self-hosted runners with GitHub App authentication."},{"name":"Azure Functions","usage":"Event-driven automation."}]},{"id":"identity-and-access","title":"Identity & access","description":"Who can do what, with what credentials, against which resources.","services":[{"name":"Entra ID (Azure AD)","usage":"Tenant identity. 
SSO, MFA, conditional access."},{"name":"Privileged Identity Management (PIM)","usage":"Just-in-time elevation across product platforms, IaC-driven."},{"name":"Managed Identity & Workload Identity","usage":"Replacing static credentials for workloads and CI agents."},{"name":"Federated Credentials","usage":"OIDC trust from GitHub Actions and Azure DevOps into Entra identities that hold Azure RBAC, so pipelines exchange short-lived OIDC tokens instead of storing client secrets."},{"name":"Azure RBAC + ABAC","usage":"Custom roles, attribute conditions, subscription-scoped delegations."}]},{"id":"networking-and-edge","title":"Networking & edge","description":"Where traffic enters, how it's filtered, and how internal services reach each other.","services":[{"name":"Azure Front Door","usage":"Global L7 entry, traffic management, WAF policies."},{"name":"Application Gateway","usage":"Regional ingress for the legacy and regulated estates."},{"name":"API Management (APIM)","usage":"Regional consolidation, OAuth gating, internal/external surface separation."},{"name":"Virtual Network (VNet)","usage":"Hub-and-spoke topology with isolated workload spokes."},{"name":"VNet Peering","usage":"Hub-to-spoke connectivity, cross-region peering."},{"name":"Private Endpoints","usage":"Replacing service-endpoint patterns with PE for narrow exposure."},{"name":"Private DNS Zones","usage":"Centralised zones for the platform, removing per-service DNS sprawl."},{"name":"Traffic Manager","usage":"Active-passive regional failover in regulated environments."},{"name":"Azure Bastion","usage":"Operator access without public IPs on management VMs."},{"name":"ExpressRoute / VPN Gateway","usage":"Hybrid connectivity (legacy on-prem era)."}]},{"id":"data","title":"Data","description":"Stateful workloads, durability, replication, recovery.","services":[{"name":"Cosmos DB","usage":"Multi-region with automatic failover, backup automation, capacity planning."},{"name":"Azure SQL","usage":"Workload-specific, regulated workloads."},{"name":"Azure Storage (Blob, Table, Queue)","usage":"Per-deployment artifact and 
state storage."},{"name":"Service Bus","usage":"Asynchronous messaging between services."},{"name":"Event Grid","usage":"Event-driven automation between platform services."}]},{"id":"observability","title":"Observability","description":"Knowing what the platform is doing, fast enough to act on it.","services":[{"name":"Application Insights","usage":"Workspace-backed (post-migration). Front-of-house APM."},{"name":"Log Analytics","usage":"Central telemetry sink. KQL across the estate."},{"name":"Azure Monitor","usage":"Metrics, alerts, autoscale signals."},{"name":"Managed Grafana","usage":"Operational dashboards."}]},{"id":"governance","title":"Governance & compliance","description":"Guard rails: what cannot be done, what must be tagged, what gets reviewed.","services":[{"name":"Azure Policy","usage":"Subscription-level guard rails. Tagging, region restrictions, resource-type allow-lists."},{"name":"Management Groups","usage":"Top-level governance model for autonomous product teams."},{"name":"Resource Tags","usage":"Standardised: environment, owner, managed-by. Validated in PR."},{"name":"Microsoft Defender for Cloud","usage":"Cloud security posture management across subs."}]},{"id":"edge-and-cdn","title":"External edge (non-Azure)","description":"The bits of the edge that don't live in Azure but are part of the same architecture conversations.","services":[{"name":"Imperva WAF","usage":"Incumbent WAF for the regulated and commercial estates."},{"name":"Cloudflare WAF + Global Load Balancing","usage":"PoC alternative / supplement evaluated for the edge stack."},{"name":"AWS Route 53","usage":"Hosted-zone automation for regulated workloads."}]},{"id":"ci-and-supply-chain","title":"CI & supply-chain","description":"How code becomes a deployable artifact, and what we know about it.","services":[{"name":"Azure DevOps Pipelines","usage":"Primary CI/CD platform. 
YAML pipelines + reusable templates."},{"name":"GitHub Actions","usage":"For workflows that need to live with the public repos."},{"name":"Azure Container Registry (ACR)","usage":"Private container images. Trivy scanning in pipeline."},{"name":"Azure Key Vault","usage":"Secret storage, certificate management."}]},{"id":"iac","title":"Infrastructure as code","description":"How the above gets defined, reviewed, and rolled out.","services":[{"name":"Terraform","usage":"Primary IaC tool. Modules, remote state, lifecycle management."},{"name":"Bicep","usage":"Preferred for new ARM work."},{"name":"ARM Templates","usage":"Maintained for legacy stacks."}]}],"themes":[{"id":"identity-modernisation","title":"Identity modernisation","description":"Replacing static credentials with short-lived, audited, identity-bound alternatives across every system that touches Azure.","receipts":["PAT-to-GitHub-App migrations for self-hosted CI agents","OIDC federated credentials for npm package authentication via a reusable composite action","Workload Identity migration for cluster-internal Azure access","Privileged Identity Management programme across multiple product platforms","Subscription-scoped ABAC with User-Assigned Identities for product integration tenants"]},{"id":"supply-chain-security","title":"Supply-chain security","description":"Every artifact carries an SBOM. Every dependency is tracked. 
Every pipeline can answer \"what's in this build?\" without anyone having to ask.","receipts":["Reusable CycloneDX SBOM pipeline template rolled out across consumer repos","Self-hosted Dependency-Track instance with an opinionated domain/system/component hierarchy","Upstream contribution to OWASP Dependency-Track (issue","Trivy scanning embedded in container build pipelines","SBOM and build provenance attestation on every signed installer release"]},{"id":"regulated-resilience","title":"Regulated-environment resilience","description":"Building secondary-region infrastructure for regulated workloads with the identity, DNS and traffic-management plumbing to fail over cleanly.","receipts":["Secondary-region public IPs, federated credentials, VNets, clusters, WAFs, Traffic Manager","Centralised private DNS zones across regulated environments","Service-endpoint to private-endpoint migration","cert-manager federated-credential automation","User-Assigned Identity to VMSS automation"]},{"id":"platform-routing-and-mesh","title":"Platform routing & service mesh","description":"How services talk to each other, how external traffic reaches them, and how the rules stay consistent across regions and clusters.","receipts":["Istio rollout across the platform compute fleet","East-west connectivity between control and shared clusters across multiple regions","APIM regional consolidation removing legacy multi-hop reverse-proxy paths","Hub-and-spoke VNet decoupling with state-migration tooling","Ingress consolidation onto a shared, opinionated helper chart"]},{"id":"gitops-developer-platform","title":"GitOps developer platform","description":"Self-service deployment paths for product teams, with validation, rollback and observability built into the platform rather than the individual pipelines.","receipts":["Node.js GitOps API service exposing self-serve deploys via the shared platform","Helm chart validation at deploy time","Rollback support and per-deployment blob 
storage","PAT-to-GitHub-App authentication migration for the GitOps API","Rolling region-by-region production deploys gated on readiness and metrics"]},{"id":"ai-native-engineering","title":"AI-native engineering","description":"Agents as part of the team. Multi-agent orchestration for routine reviews, MCP servers for safe access to organisational systems, and a layered skill harness that captures hard-won standards so they survive across sessions.","receipts":["Multi-agent PR review across Azure DevOps and GitHub via MCP","Tenant-partitioned MCP servers for cross-tenant safety","MCP service architecture for the company's Model Context Protocol surface","Skill library encoding code review, security review, change-request drafting, triage, anti-slop prose rules","Project-scoped memory system carrying conventions across sessions"]}],"generatedAt":"2026-05-23T15:21:38.119Z"}