I build the distributed systems and storage behind managed Postgres at fleet scale

Infrastructure engineer: Go Kubernetes operators and distributed storage that run managed Postgres at fleet scale, and the production LLM and agent platforms that run on top.

Earlier career: five years at Symantec/SecurityFocus as Sr. Vulnerability Analyst, then automation tooling for the vulnerability research team, plus a remote-contract stint co-authoring the Internet Security Threat Report. Bugtraq moderation across that period. That lineage shapes how I think about trust boundaries, attack surfaces, and what "correct" actually has to mean under adversarial conditions.

Flagship work

ublkstor (private, access on request)

Replicated NVMe-TCP block storage that started as a TLA+ question: can a block-device protocol stay POSIX-compliant under every failure case while the metadata service stays off the I/O hot path? The design that answers it keeps rich per-block invariants (checksums and generations) in place and non-blocking, with replication and checksums-everywhere as the substrate, and six TLA+ models proving that the metad/storaged/clientd protocol stays coherent.

  • Formal-methods-first: the invariants and failure model were specified and machine-checked in TLA+ before the implementation. Six models covering FLUSH, replication, resilver, snapshots, dispatch, and Raft DR
  • Per-block checksums and generations treated as a dependency, not a passive integrity flag: validated on every read; on a mismatch the read fails over to a coherent replica and the bad copy is resilvered in the background. Maintained in place, no copy-on-write, no I/O stall
  • One uniform primitive: a volume is just a replicated shard set, so snapshots, clones, archival, rebalancing, and merge-forward all fall out of it instead of being engineered separately
  • Zig io_uring zero-copy data path, Go Raft-replicated control plane, CSI driver. Copysets reframed as a per-volume stride constraint on shard assignment; per-volume tunable stride and replica counts; S3 disaster recovery
Tags: AI-augmented, Zig, Go, io_uring, NVMe-TCP, ublk, CSI, Raft, TLA+, SQLite, S3
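The read path described above, as an added example that is not ublkstor's code (its Zig data path and on-disk layout are not shown on this page): a constructed Go model in which every replica carries a generation and a CRC32 bound to that generation, every read verifies each replica it touches, the highest coherent generation is served, and corrupt or stale replicas are queued for in-place repair. The Replica layout, the choice of CRC32, and the rule that the write path acknowledges a generation only once enough replicas hold it are assumptions of this model.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Replica is one stored copy of a block. Constructed model: ublkstor's real
// on-disk layout is not shown on this page.
type Replica struct {
	Data []byte
	Gen  uint64 // generation, bumped by every acknowledged write
	Sum  uint32 // CRC32 over Data and Gen, stored beside the block
}

// blockSum binds the checksum to the generation: a replica cannot present
// old data under a new generation (or new data under an old one) and verify.
func blockSum(data []byte, gen uint64) uint32 {
	h := crc32.New(crc32.IEEETable)
	h.Write(data)
	var g [8]byte
	binary.LittleEndian.PutUint64(g[:], gen)
	h.Write(g[:])
	return h.Sum32()
}

// NewReplica is what a write does to one replica: data, generation, checksum.
func NewReplica(data []byte, gen uint64) Replica {
	return Replica{Data: data, Gen: gen, Sum: blockSum(data, gen)}
}

// Verify runs on every read and is never skipped: the checksum is a
// dependency of the read, not a flag a scrubber looks at later.
func (r Replica) Verify() bool { return r.Sum == blockSum(r.Data, r.Gen) }

// ReadResult says which replica was served and which ones need repair.
type ReadResult struct {
	Data     []byte
	Gen      uint64
	From     int   // index of the replica served
	Resilver []int // replicas that failed verification or lag the served generation
}

var ErrNoCoherentReplica = errors.New("no replica passed checksum verification")

// ReadBlock verifies each replica, serves the highest coherent generation,
// and queues every other replica that is corrupt or stale for resilver.
// Assumption: the write path acknowledges a generation only once enough
// replicas hold it, so the highest verified generation is the durable one;
// a lone corrupt replica carrying a higher generation is treated as an
// unacknowledged write and repaired down to the served generation.
func ReadBlock(rs []Replica) (ReadResult, error) {
	best := -1
	for i, r := range rs {
		if !r.Verify() {
			continue
		}
		if best < 0 || r.Gen > rs[best].Gen {
			best = i
		}
	}
	if best < 0 {
		return ReadResult{}, ErrNoCoherentReplica
	}
	res := ReadResult{Data: rs[best].Data, Gen: rs[best].Gen, From: best}
	for i, r := range rs {
		if i != best && (!r.Verify() || r.Gen != rs[best].Gen) {
			res.Resilver = append(res.Resilver, i)
		}
	}
	return res, nil
}

// Resilver repairs the queued replicas in place from the served copy; in a
// real system this runs in the background while reads keep being served.
func Resilver(rs []Replica, res ReadResult) {
	for _, i := range res.Resilver {
		rs[i] = NewReplica(append([]byte(nil), res.Data...), res.Gen)
	}
}

func main() {
	good := NewReplica([]byte("block-0 payload"), 7)
	stale := NewReplica([]byte("block-0 old"), 6)
	corrupt := NewReplica([]byte("block-0 payload"), 7)
	corrupt.Data = append([]byte(nil), corrupt.Data...)
	corrupt.Data[0] ^= 0x01 // single bit flip: checksum no longer matches
	rs := []Replica{corrupt, stale, good}

	res, err := ReadBlock(rs)
	if err != nil {
		panic(err)
	}
	fmt.Printf("served replica %d at gen %d, resilver %v\n", res.From, res.Gen, res.Resilver)
	Resilver(rs, res)
	for i, r := range rs {
		fmt.Printf("replica %d verify=%v gen=%d\n", i, r.Verify(), r.Gen)
	}
}
```

Folding the generation into the checksum is the part worth copying: with a checksum over data alone, a replica that kept valid old data under a stale header would verify and could be served as current. Whether a read that finds no coherent replica should block on a repair from a remote tier or fail the I/O is a policy decision the model leaves to the caller.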
sentinel (private, access on request)

A personal control plane built around household resilience and figuring out what production LLM integration actually requires, including the safety story. While most agent platforms gate the model with policy (allow-lists, argument parsing, sandboxes), sentinel binds capability structurally: a typed composition substrate where the agent composes freely but the verb catalog grows only through human-reviewed PRs. Capability bound by construction, never by trust at runtime.

  • NATS-based two-node HA via per-subsystem leader locks: no Raft, no quorum
  • Composition substrate: typed Flow pipelines (Unix-pipes lineage), addressable persistent runs, three-tier wrapper economics (Rust crate / compiled binary / sandboxed subprocess), capability bound by construction
  • Multi-provider agent (Claude/Ollama/OpenAI) with voice (wake-word, STT, TTS), unified MCP/plugin tool plane, persistent semantic memory; hosts unmodified Home Assistant integrations alongside the Rust core
Tags: AI-augmented, Rust, Go, Swift, C/ESP-IDF, Python, Svelte, Rhai, NATS, MCP
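The "capability bound by construction" idea above, as an added example that is not sentinel's code, written in Go to match the other example on this page (sentinel's own substrate is Rust): the verb interface is sealed by an unexported method, the catalog is a compile-time map, and the agent's plan is JSON that can only be resolved against that map, with undeclared argument fields rejected before any step runs. Ctx, the three verbs, and the 5..30 C thermostat range are hypothetical.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// Ctx is a constructed stand-in for the runtime the verbs act on.
type Ctx struct {
	Sensors    map[string]float64
	Thermostat float64
	Log        []string
}

// Verb is sealed by its unexported methods: only types in this package can
// satisfy it, so the set of verbs changes only through a code change that
// goes through review, never through anything the agent emits at runtime.
type Verb interface {
	run(c *Ctx) error
	verb()
}

// Catalog verbs (hypothetical). Each carries its own typed arguments and the
// checks that belong to that verb; both are reviewed together with the verb.
type ReadSensor struct {
	Sensor string `json:"sensor"`
}

func (ReadSensor) verb() {}
func (v ReadSensor) run(c *Ctx) error {
	val, ok := c.Sensors[v.Sensor]
	if !ok {
		return fmt.Errorf("unknown sensor %q", v.Sensor)
	}
	c.Log = append(c.Log, fmt.Sprintf("read %s=%.1f", v.Sensor, val))
	return nil
}

type SetThermostat struct {
	TargetC float64 `json:"target_c"`
}

func (SetThermostat) verb() {}
func (v SetThermostat) run(c *Ctx) error {
	if v.TargetC < 5 || v.TargetC > 30 { // hypothetical safe range, part of the verb
		return fmt.Errorf("target %.1f C outside 5..30", v.TargetC)
	}
	c.Thermostat = v.TargetC
	c.Log = append(c.Log, fmt.Sprintf("thermostat=%.1f", v.TargetC))
	return nil
}

type Notify struct {
	Message string `json:"message"`
}

func (Notify) verb() {}
func (v Notify) run(c *Ctx) error { c.Log = append(c.Log, "notify: "+v.Message); return nil }

// catalog is the complete vocabulary a plan may use. Nothing can register
// into it at runtime; adding a verb is a new type plus a new entry here.
var catalog = map[string]func() Verb{
	"read_sensor":    func() Verb { return &ReadSensor{} },
	"set_thermostat": func() Verb { return &SetThermostat{} },
	"notify":         func() Verb { return &Notify{} },
}

// step is the wire shape of one element of the agent's plan.
type step struct {
	Verb string          `json:"verb"`
	Args json.RawMessage `json:"args"`
}

var ErrUnknownVerb = errors.New("verb not in catalog")

// ParsePlan resolves the agent's JSON plan against the catalog. The agent
// composes freely (any order, any count), but an unknown verb or an argument
// field the verb does not declare rejects the whole plan before any step runs.
func ParsePlan(raw []byte) ([]Verb, error) {
	var steps []step
	if err := json.Unmarshal(raw, &steps); err != nil {
		return nil, err
	}
	plan := make([]Verb, 0, len(steps))
	for i, s := range steps {
		mk, ok := catalog[s.Verb]
		if !ok {
			return nil, fmt.Errorf("step %d: %w: %q", i, ErrUnknownVerb, s.Verb)
		}
		v := mk()
		if len(s.Args) == 0 {
			s.Args = json.RawMessage("{}")
		}
		dec := json.NewDecoder(bytes.NewReader(s.Args))
		dec.DisallowUnknownFields()
		if err := dec.Decode(v); err != nil {
			return nil, fmt.Errorf("step %d (%s): %w", i, s.Verb, err)
		}
		plan = append(plan, v)
	}
	return plan, nil
}

// Run executes a parsed plan; by construction it can only call catalog verbs.
func Run(c *Ctx, plan []Verb) error {
	for i, v := range plan {
		if err := v.run(c); err != nil {
			return fmt.Errorf("step %d: %w", i, err)
		}
	}
	return nil
}

func main() {
	c := &Ctx{Sensors: map[string]float64{"kitchen_temp": 21.5}}
	for _, raw := range []string{
		`[{"verb":"read_sensor","args":{"sensor":"kitchen_temp"}},{"verb":"set_thermostat","args":{"target_c":20}}]`,
		`[{"verb":"shell_exec","args":{"cmd":"id"}}]`,
		`[{"verb":"notify","args":{"message":"hi","command":"id"}}]`,
	} {
		plan, err := ParsePlan([]byte(raw))
		if err == nil {
			err = Run(c, plan)
		}
		fmt.Printf("%s -> err=%v\n", raw, err)
	}
	fmt.Println(c.Log)
}
```

The contrast with policy gating is that there is no allow-list to misconfigure and no argument parser sitting in front of a general-purpose executor: the decoder has nowhere to resolve "shell_exec" to, and an extra "command" field on a known verb is a decode error rather than something a sandbox has to catch later. Widening what the agent can do means adding a type to this file, which is exactly the change a reviewer sees in the PR.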
sc (Timescale repo, described, not linkable)

A multi-mode internal admin platform for Tiger Data's managed-Postgres fleet: CLI, node DaemonSet, MCP server, Slack bot, and gRPC control plane in one Go binary.

  • Five deployment shapes from one binary; mTLS and k8s authn/authz end-to-end across CLI, DaemonSet, MCP, Slack
  • Cross-cluster fleet manager (AWS and Azure) with concurrency primitives and rate limiting; 62 gRPC services / 603 RPC methods
  • Sole author from inception: 1,544 commits on main (83%), ~38× the second contributor, over 3 years
Tags: Go, gRPC, protobuf, Kubernetes, Temporal, Hatchet, MCP, mTLS, AWS, Azure
popper (Timescale repo, described, not linkable)

A Go Kubernetes operator that deploys and manages Patroni-managed Postgres replication topologies across AWS and Azure.

  • Custom CRD reconciles a full Patroni HA topology across 8 watched k8s resources
  • Property-based simulation testing (rapid) plus 17+ end-to-end tests on envtest or kind
  • #1 contributor: 367 commits on main, ~1.6× the second author, over 3 years
Tags: Go, Kubernetes, controller-runtime, Patroni, Helm, AWS, Azure
Fluid Storage (Timescale repo, described, not linkable)

A distributed block-storage layer for forkable, ephemeral, durable Postgres at cloud scale, co-founded with Samuel Gichohi, powering Tiger Cloud's free-tier and Ghost databases. The hard problem is tenant isolation and economics at tens of thousands of volumes per cluster, not the single-volume data path.

  • Co-founder (with Samuel Gichohi) of Tiger Data's storage substrate for Agentic Postgres: the production product behind free-tier and Ghost databases
  • Three-tier disaggregated architecture for tenant isolation at cloud economics: zero-copy forks, 110k+ IOPS / 1.4 GB/s per volume, tens of thousands of volumes per cluster
  • Authored the CSI driver: 510 of 585 commits (87%) on main, over 2 years
Tags: Go, Kubernetes, CSI, NVMe, distributed-storage, copy-on-write

More

codescan (private, not yet linkable)

A Postgres-native structural code-search and call-graph engine, exposed as an MCP server, that grew into a multi-version code-archaeology tool: it indexes whole codebases across versions and answers questions git diff can't, like how a symbol evolved, what changed in the call graph, or what an extension would break against.

  • tree-sitter parsing across 7 languages (Go, Rust, C/C++, TypeScript, Zig) into symbols in Postgres; hybrid retrieval via pgvector HNSW + BM25 (pg_textsearch) + Reciprocal Rank Fusion + ltree hierarchy; SCIP cross-repo call graphs (parsed or precomputed via --scip)
  • Multi-version indexing: every supported PostgreSQL major plus HEAD, refreshed daily by a generic external-refs indexer (adding a codebase is a registry entry, not framework code); one version per tree, stale-only re-scans gated by upstream revision
  • Cross-version tools git can't replicate: code_diff (added/removed/changed/moved plus caller/callee edge delta between versions), code_history (a symbol's timeline across every version), and a compatibility matrix for what a consumer references that changed or vanished, derived from resolved call graphs rather than text
  • Rust rmcp server (stdio + HTTP), running on k8s via ArgoCD with embed-failure retry then BM25 fallback then query cache. Started as a weekend build.
Tags: AI-augmented, Rust, Postgres, pgvector, pg_textsearch, tree-sitter, SCIP, MCP, ltree, ArgoCD
pi-controller (GitHub ↗)

A Go daemon that supervises long-lived LLM coding-agent children (pi, claude) under one normalized control/event vocabulary: the routing substrate that lets a frontier agent delegate work to cheaper, different, or local models, with the same observability across kinds.

  • ProtocolProvider abstraction: per-child stateful translators normalize native streams (claude stream-json, pi RPC) into one event vocabulary on the bus; raw frames preserved in the ring for full-fidelity inspection
  • End-to-end metadata round-trip: Kind and ConfigDir threaded through SpawnRequest, Snapshot, Session, resume, so claude children resume by session id alongside pi children with no client changes
  • Test-disciplined: golden transcripts, contract tests for vocabulary translation, integration tests through fake children; the kind=claude support landed in two days with ~11 new test files
Tags: AI-augmented, Go, TypeScript, RPC, Unix-domain-sockets, stream-json
picket — embedded & Zigbee (GitHub ↗)

Custom ESP32-P4 hardware pickets for the sentinel fleet, plus a public ESP32-H2 Zigbee firmware portfolio: vibration, water-leak, and temperature sensors with OTA updates.

  • Custom NATS-native ESP32-P4 pickets (private): env sensing, audio, presence; integrated end-to-end with sentinel
  • Public ESP32-H2 Zigbee firmware (C/ESP-IDF): vibration sensor (incl. battery-operated), water-leak sensor, DS18B20 temperature sensor, temperature+heater-control variant, all with OTA
  • lennox-s30 Rust crate for talking to Lennox HVAC thermostats
Tags: AI-augmented, C, ESP-IDF, ESP32-P4, ESP32-H2, Zigbee, NATS, Rust
Zig systems libraries (GitHub ↗)

Open-source Zig building blocks underpinning ublkstor.

  • rbitz (Roaring bitmaps), dietz (DIET), promz (Prometheus client)
  • pretty-zig (table rendering), a documented io_uring bug reproduction
Tags: Zig, io_uring

Background

  • 2022–present  Timescale / TigerData: Postgres-at-scale cloud infrastructure (k8s operators, CSI, fleet tooling)
  • 2019–2022  Verge Agriculture: Lead Software Architect (Go, GIS, Kubernetes, PostgreSQL/PostGIS, Citus/CockroachDB)
  • 2015–2019  Whipcord: Lead Software Engineer & Sysadmin (Go, IaaS, Triton, IPv6/BGP)
  • 2011–2015  University of Lethbridge: Oracle DBA
  • 2004–2010  Symantec / SecurityFocus: Senior Vulnerability Analyst & Software Engineer
  • 2000–2003  Hyperchip: Sr. Unix Systems Administrator (custom VPN CA, OpenBSD IPSec, network-boot disk imaging)
  • 1998–1999  JRC Canada: Unix Systems Administrator (Solaris/SCO, C database apps for contract manufacturing)
  • 1995–1998  University of Lethbridge: Computer Science (three years, no degree)

Full resume (PDF) →