Portfolio

Production systems I've designed and built — from a seven-year GRC SaaS backend and compliance data-viz to weather maps, cloud & AI-cost tooling, and private-blockchain infrastructure.

CISOteria

Security-compliance (GRC) SaaS · backend architect, 2019–present

A multi-tenant CISO / compliance platform offered on the AWS Marketplace. For seven years I've owned the backend — API design, the data model, and overall architecture — leading a small distributed team across Israel and India. Node.js / Express microservices alongside a large legacy PHP codebase I've incrementally modernized; MariaDB, Redis, Docker; NVD / CVE vulnerability data integrated into a management dashboard; SSO / SAML, AWS CloudTrail, and Terraform-managed infrastructure.

CISOteria backoffice analytics dashboard
Backoffice analytics dashboard (demo data).
CISOteria D3 asset-risk graph
A D3.js risk hierarchy — an asset's risk traced to the systems and infrastructure it depends on, colour-coded by risk score.

Israel National Cyber Directorate — GRC portal

grc.cyber.gov.il · built at CISOteria · backend lead

The Israel National Cyber Directorate's governance-risk-compliance (GRC) portal runs on CISOteria's platform ("Powered by CISOteria — Cyber OS"). As part of my CISOteria work I was the backend lead — I led most of the backend and built parts of the front end.

grc.cyber.gov.il login — Israel National Cyber Directorate GRC portal, powered by CISOteria
Public login page — National Cyber Directorate branding, powered by CISOteria.

Israel Meteorological Service — synoptic maps

Front-end / data visualization

Map-overlay work I contributed to the Israel Meteorological Service (ims.gov.il): rendering forecast model data — pressure fields and contours — onto their interactive synoptic maps.

IMS synoptic forecast maps
Screenshot of the live ModelMaps page.

Smallest Business

Cloud & AI-cost engineering consultancy

My own consultancy: cutting cloud bills and controlling AI / LLM spend — request-path cost controls for AI agents (gateways with per-key / per-run budget breakers, caching, model routing) plus cloud reduction (egress, compute commitments, observability). The supporting tooling is built in Astro / Node.js — a research pipeline and a client-side cloud-bill analyzer — alongside a daily learn-in-public series.

ChainVault

Tamper-proof deal room with wire fraud prevention

A full-stack platform for real estate closings and M&A transactions. Documents are encrypted client-side before upload — the server never sees plaintext. Every action is recorded on a private 4-node blockchain with BFT consensus.

Technical Stack

  • Blockchain: 4-node Antelope chain with BFT finality (tolerates 1 node failure)
  • Smart Contracts: 3 C++ contracts (chainvault, auditlog, wirevault) — separated so audit survives upgrades
  • Indexing: Hyperion full-history API + custom sync daemon materializing to PostgreSQL
  • Document Storage: MinIO (S3-compatible) with AES-256-GCM client-side encryption
  • Frontend: Next.js 15, App Router, TypeScript, Tailwind v4
  • Auth: SSO-ready (Google, Microsoft Entra), multi-tenant membership
  • Billing: Stripe integration with usage-based plans

Key Features

  • Wire transfer verification — multi-party on-chain confirmation before funds move
  • Encrypted document vault with blockchain content hash commitments
  • Full audit trail — every action immutably recorded
  • Multi-tenant with role-based access control
  • Blockchain explorer and superadmin panel

Live at: chainvault.amiheines.com

Verarta

Art provenance and authentication on private blockchain

A provenance tracking system for art and collectibles. Each piece gets a verifiable chain of ownership recorded on a private blockchain. Certificates of authenticity are cryptographically signed and permanently linked to the artwork's on-chain record.

What It Demonstrates

  • Provenance tracking with cryptographic proof of ownership transitions
  • Tamper-proof certificates of authenticity
  • Private blockchain running on the same infrastructure pattern as ChainVault
  • The versatility of the same core technology across different domains

Live at: verarta.com

Self-Hosted Infrastructure

Production-grade stack running on bare metal

Every project above runs on infrastructure I built and manage:

  • 4 block producers with BFT consensus — 3/4 needed for finality, tolerates 1 failure
  • State History Plugin (SHIP) node for full blockchain state streaming
  • Hyperion full-history indexer backed by Elasticsearch
  • PostgreSQL as a disposable read cache — can be rebuilt from chain at any time
  • MinIO for S3-compatible encrypted blob storage
  • nginx reverse proxy with rate limiting, SSL via Let's Encrypt
  • systemd services with security hardening (NoNewPrivileges, ProtectSystem)

All ports bind to localhost only — nginx is the sole external entry point. Docker containers use named volumes with JSON logging rotation.

I write more often at smallestbusiness.com

My main blog lives there — near-daily posts on cutting cloud bills and controlling AI / LLM spend. This site keeps the occasional longer piece; the frequent writing is over there.

Read smallestbusiness.com