Encrypted Credential Vault
AES-GCM encrypted per-client storage for API keys, CMS credentials, and access tokens. Encryption secret in macOS Keychain, never the database.
Custom workspace for client redesign projects
A production client-services workspace I designed, built, and deployed end-to-end. Public portfolio plus a private portal for clients to track work and approve milestones.
// goal
Replace ad-hoc client communication (emails, Slack, Loom) with a single branded surface where clients track their project, leave structured feedback, sign documents, and get an admin layer that automates the tedious parts.
// approach
Built on Next.js 16 with React Server Components, deployed to Cloudflare Workers via OpenNext. D1 with Drizzle for relational data, R2 for file uploads, Resend for email, Better-Auth for magic-link and OTP login. The same Worker also serves a cross-origin embeddable feedback widget for client preview sites.
// features
AES-GCM encrypted per-client storage for API keys, CMS credentials, and access tokens. Encryption secret in macOS Keychain, never the database.
Admin can impersonate any client to QA exactly what they will see, with a banner and clear exit affordance. Server-side session augmentation, not client-side fakery.
Gated preview loader for client sites. Pins activate only inside the portal preview iframe; HMAC bearer tokens authorize cross-origin moderation.
// tech stack