Portfolio
Production systems I've designed and built — from a seven-year GRC SaaS backend and compliance data-viz to weather maps, cloud & AI-cost tooling, and private-blockchain infrastructure.
CISOteria
Security-compliance (GRC) SaaS · backend architect, 2019–present
A multi-tenant CISO / compliance platform offered on the AWS Marketplace. For seven years I've owned the backend — API design, the data model, and overall architecture — leading a small distributed team across Israel and India. Node.js / Express microservices alongside a large legacy PHP codebase I've incrementally modernized; MariaDB, Redis, Docker; NVD / CVE vulnerability data integrated into a management dashboard; SSO / SAML, AWS CloudTrail, and Terraform-managed infrastructure.
Israel National Cyber Directorate — GRC portal
grc.cyber.gov.il · built at CISOteria · backend lead
The Israel National Cyber Directorate's governance-risk-compliance (GRC) portal runs on CISOteria's platform ("Powered by CISOteria — Cyber OS"). As part of my CISOteria work I was the backend lead — I led most of the backend and built parts of the front end.
Israel Meteorological Service — synoptic maps
Front-end / data visualization
Map-overlay work I contributed to the Israel Meteorological Service (ims.gov.il): rendering forecast model data — pressure fields and contours — onto their interactive synoptic maps.
Smallest Business
Cloud & AI-cost engineering consultancy
My own consultancy: cutting cloud bills and controlling AI / LLM spend — request-path cost controls for AI agents (gateways with per-key / per-run budget breakers, caching, model routing) plus cloud reduction (egress, compute commitments, observability). The supporting tooling is built in Astro / Node.js — a research pipeline and a client-side cloud-bill analyzer — alongside a daily learn-in-public series.
ChainVault
Tamper-proof deal room with wire fraud prevention
A full-stack platform for real estate closings and M&A transactions. Documents are encrypted client-side before upload — the server never sees plaintext. Every action is recorded on a private 4-node blockchain with BFT consensus.
Technical Stack
- Blockchain: 4-node Antelope chain with BFT finality (tolerates 1 node failure)
- Smart Contracts: 3 C++ contracts (chainvault, auditlog, wirevault) — separated so audit survives upgrades
- Indexing: Hyperion full-history API + custom sync daemon materializing to PostgreSQL
- Document Storage: MinIO (S3-compatible) with AES-256-GCM client-side encryption
- Frontend: Next.js 15, App Router, TypeScript, Tailwind v4
- Auth: SSO-ready (Google, Microsoft Entra), multi-tenant membership
- Billing: Stripe integration with usage-based plans
Key Features
- Wire transfer verification — multi-party on-chain confirmation before funds move
- Encrypted document vault with blockchain content hash commitments
- Full audit trail — every action immutably recorded
- Multi-tenant with role-based access control
- Blockchain explorer and superadmin panel
Live at: chainvault.amiheines.com
Verarta
Art provenance and authentication on private blockchain
A provenance tracking system for art and collectibles. Each piece gets a verifiable chain of ownership recorded on a private blockchain. Certificates of authenticity are cryptographically signed and permanently linked to the artwork's on-chain record.
What It Demonstrates
- Provenance tracking with cryptographic proof of ownership transitions
- Tamper-proof certificates of authenticity
- Private blockchain running on the same infrastructure pattern as ChainVault
- The versatility of the same core technology across different domains
Live at: verarta.com
Self-Hosted Infrastructure
Production-grade stack running on bare metal
Every project above runs on infrastructure I built and manage:
- 4 block producers with BFT consensus — 3/4 needed for finality, tolerates 1 failure
- State History Plugin (SHIP) node for full blockchain state streaming
- Hyperion full-history indexer backed by Elasticsearch
- PostgreSQL as a disposable read cache — can be rebuilt from chain at any time
- MinIO for S3-compatible encrypted blob storage
- nginx reverse proxy with rate limiting, SSL via Let's Encrypt
- systemd services with security hardening (NoNewPrivileges, ProtectSystem)
All ports bind to localhost only — nginx is the sole external entry point. Docker containers use named volumes with JSON logging rotation.