Compliance-grade AI architecture · RAG · agents · MCP
Most AI stacks fail audit at the same three seams — prompt provenance, retrieval lineage, output attestation.
I architect RAG and agent systems for regulated workloads — banking, tax, legal — where the audit trail is the deliverable. Every figure cites its source. Every decision reconstructs six months later. The cost ceiling holds at peak. Built to LGPD, BCB 4.893, and the EU AI Act’s Article 12 logging mandate.
Selected work
The constraint that made it hard, the decision taken, and the measured outcome — not just the result.
Open-source & demos
- wa: A persistent agent channel that treats the inbound message body as an untrusted audit perimeter. Go, hexagonal, Sigstore-signed. (Go · whatsmeow · modernc.org/sqlite)
- serverless-data-api: Production-grade serverless CRUD in Terraform: IAM least-privilege, API-key usage plans, PITR, and a teardown that leaves zero orphans. (Terraform · Python · AWS Lambda · arm64)
- exec-job-board: Four divergent public APIs normalized behind one Pydantic schema, deduped by content hash, and served as a zero-backend static site — refreshed daily by cron. (Python · httpx · Pydantic v2)
- realestate-price-tracker: Three layers most demo stacks fake one of: filtered + paginated REST, indexed aggregate queries, and a map/charts frontend that stays responsive under every filter combination. (Python · FastAPI · SQLAlchemy async · asyncpg)
- claude-mac-chrome: Drives React/Ember SPAs that reject synthetic events by sending real OS pointer events at computed screen coordinates. (Bash · AppleScript · TypeScript)
- linkedin-chrome-copilot: Materializes and saves per-locale (PT/EN/ES) profile slots behind isTrusted-gated Save buttons, with a two-phase confirm on any send. (Bash · AppleScript · TypeScript)
- kokoro-speakd: Loads the TTS model once and serves synthesis over a unix socket — sub-200ms warm response instead of a 3-5s per-call cold load. (Python · ONNX Runtime · Kokoro 82M)
- claude-classroom-submit: Skips the cross-origin Drive Picker iframe entirely — uploads via rclone, attaches and turns in via the Classroom REST API. (Python · Google Classroom API · rclone)
- fand: Ramps fans on temperature-driven curves before thermal throttling starts, with zero-downtime SIGHUP config reload — Rust + launchd. (Rust · SMC · launchd)
- pedro-portfolio-recipes: Short, copy-pasteable patterns from the stacks I ship — each one is problem, working snippet, tradeoff, anti-pattern. (Bash · SQL · Nix)
Start with a verdict. Scale when the proof holds.
Each offer ships a defined deliverable, scoped and fixed at signature. Most clients open with a diagnostic, then expand into a build once the architecture proves out against their own data.
Regulated-AI Architecture Review
A fixed-week diagnostic of your existing LLM stack — three-plane topology memo, severity-ranked findings, annotated reference repo.
Outcome — A go/no-go verdict and a scoped remediation map before you commit engineering quarters.
MCP Tool-Boundary Security Audit
STRIDE threat model of every exposed tool, LLM-vs-operator input-boundary review, deny-by-default permission matrix, signed-release hardening (Sigstore + SLSA L2 + dual SBOM).
Outcome — A severity-ranked report with concrete patches, and a pipeline where every binary verifies with one command.
RAG Audit-Chain Readiness Sprint
A production retrieval pipeline — pgvector + hybrid retrieval + rerank, forced-citation answers, recall measured on your own holdout set, a decision-trace ledger keyed to (prompt, docs, model, output).
Outcome — Provably-grounded answers, accuracy measured against your data, and behaviour auditable from day one.
Event-Driven Backend Build & Rescue
An authenticated, production-shape backend — typed schema, audit ledger, outbox + idempotency, fitness-function tests, CI gate, observability. Serverless variant ships at $0 idle.
Outcome — A backend that survives load, costs nothing idle, and provisions and tears down reproducibly — owned in your repo.
Embedded AI-Platform Custody
Fractional architecture custody — weekly fitness-function review, monthly audit-chain integrity probe, compliance-plane ownership, participation in the AI hiring loop.
Outcome — An audit-grade AI capability your whole org reuses, with the audit chain kept green between releases.
Every engagement opens with a short discovery call and a written diagnostic. Scope is fixed at signature. Send a brief →
Technical Skills
Grouped by the problem each stack solves, so you can scan for the one that matches yours.
Regulated AI & compliance
RAG with retrieval lineage, hash-chained audit ledgers, and decision provenance — mapped to LGPD, BCB 4.893, and the EU AI Act Art. 12 logging mandate.
AI agents & RAG
Production RAG pipelines, typed-tool agent loops with bounded turns, and Model Context Protocol integrations — grounded retrieval with frozen-eval regression checks.
Backend
Polyglot services that hold under load: Go daemons, TypeScript APIs, Python pipelines, Rust binaries — event-driven with outbox + idempotency.
Cloud
Multi-cloud deployments on AWS, Azure, and GCP — serverless and container workloads sized to a cost ceiling, not left to drift.
Infra-as-Code
Declarative infrastructure across cloud and bare-metal fleets — reproducible, with a teardown story that leaves zero orphans.
Release engineering
Supply-chain hardening as a first-class deliverable: reproducible builds, signed provenance, dual-format SBOMs.
Experience
Shipped systems and the outcomes they moved.
Compliance-Grade AI Architect / Cloud Architect
Jul 2025 — Present · Tier-1 IT services group · LATAM
- Architected compliance-grade RAG on Azure OpenAI — decision provenance, audit-trail logging, and frozen-eval regression checks for regulated workloads
- Shipped a multilingual education assistant serving 100K+ daily active users — +40% knowledge-base precision after rollout
- Stood up multi-cloud Terraform (Azure + GCP) cutting environment provisioning below 10 minutes
- Cut cloud spend 30% via Lambda right-sizing and reserved-capacity planning
Systems Software Engineer
Oct 2024 — Sep 2025 · Telecom carrier · LATAM
- Designed serverless ETL on AWS Lambda + Step Functions for tier-1 telecom billing data
- Published Terraform modules provisioning multi-region infrastructure in under 10 minutes
- Rolled out a CloudWatch observability stack — dashboards, alarms, automated incident response
- Hardened the release pipeline with Sigstore + SLSA provenance for a regulated supply chain
Senior Software Engineer
Jul 2021 — Oct 2024 · Product engineering studio · e-commerce / fintech / logistics
- Delivered 12+ production systems across e-commerce, fintech, and logistics
- Built an event-driven BFF + Broker + Dispatcher clearing 10K+ transactions/day with the outbox pattern and idempotency keys
- Introduced GitHub Actions matrix CI with gitleaks + OSV-Scanner for supply-chain hygiene
- Set the architecture and release-gate standards adopted across multiple squads
Every claim here is auditable
Six public repositories under yolo-labz, each SLSA L2, Sigstore-signed, and gated on live SonarQube quality checks. Read the source, not a screenshot. Client work links to anonymized writeups, never names.
Contact
I build for the engineer who gets paged at 02:00 BRT and needs the audit chain to still hold. The cost ceiling stays put at peak. The writeup still reconstructs six months later. Send a brief on architecture, RAG, compliance, or supply-chain. I'll tell you straight whether it's a fit.