Software developer

Ari Ugwu

One deliberate body of work, held to a single standard: software you can verify, run fully offline, and trust not to phone home. Every project ships with public source and a static trust report, so a clean no-telemetry posture is something you can inspect before you run it — not a claim you take on faith. Built in the open as a standing practice in AI pair-programming.

github.com/ariugwu

About

M.S. in Cyber Security. Full-stack background spanning TypeScript, .NET, SQL Server, and Elastic Search. I gravitate toward security and reliability problems — and toward turning them into things you can read, run locally, and audit yourself.

Portfolio

One body of work in three parts — the apps you run, the libraries they're built from, and the passion projects I tinker with. The trust report each one ships is concrete, not a slogan: an SBOM, a full license inventory, and a documented offline posture, versioned in plain files in the public repo.

What “trust” means here

Three plain promises, the same for every project — and each one you can check for yourself:

Verifiable. The source is public, and every project ships a trust report: a parts list of everything inside it (an SBOM), a full inventory of the licenses, and a note on how it behaves with the network off. You don't have to take my word for any of it — the receipts are right in the repo.

Offline. These run on your own device, in your own browser. Switch the network off and they keep working; your files and notes never have to leave the machine.

No telemetry. Nothing phones home — no tracking, no analytics, no accounts, no quiet uploads. There's simply nowhere for your data to leak to.

Apps

The consumer-facing surfaces built on the libraries below. All in active development — each card shows where it stands.

Dilate In development

The portfolio's one consumer product — an augmented-reality mobile app with a free tier and a paid PRO tier. A Flutter shell around a Unity AR layer.

PIVLIB In development

A FIPS-201 PIV credential and biometric dashboard built on the pivlib toolkit below — inspect and validate PIV cards, X.509 certificates, and biometric containers, entirely client-side.

Stultus In development

A local-first notebook and knowledge graph. Write typed pages — math problems, philosophy papers, recipes, logic, history — and they interlink into a personal graph of nodes and relationships you can query across subjects, theme in a Tufte style, and print in an academic layout. The flagship at stultus.app exercises every page kind. Offline, WASM SQLite, no telemetry.

0x13d::att&ck In development

The enterprise-facing build of the browser EDR — a Manifest V3 extension that matches browser events to MITRE ATT&CK signatures and responds: disable a rogue extension, cancel a malicious download, block a phishing tab, and ship the detection to your SIEM. Built on the open-source attack detection engine below.

Libraries

The reusable cores — published to npm, NuGet, and the VS Code Marketplace. Most are one Rust core compiled to native + WebAssembly and wrapped across several surfaces.

pivlib npm

A pocket toolkit for the people who actually wrangle PIV cards and the PKI files around them. Drop in a mystery X.509 cert in some odd encoding, a PKCS#12 bundle, a CHUID container, a portrait JPEG, or a fingerprint WSQ — pivlib will tell you what it is, classify the PIV key role from the evidence, and hand you a canonical form. One Rust → WASM core, five surfaces.

stultus npm

A local-first notebook engine that turns typed pages into a personal knowledge graph. Each page kind — math word problems, philosophy papers, recipes, logic, history — is its own @stultus/page-* npm package plugged into @stultus/notebook, which stores everything in WASM SQLite and links pages into queryable nodes and relationships. One library family, many page kinds, entirely in the browser.

Elsa NuGet · VS Code · npm

A pair of libraries for Elsa 3 workflows, sharing one home at elsa.0x13d.com. The broker is a durable queueing front end: clients submit typed requests over an mTLS-secured API — the certificate is the identity, never the request body — and each request type is handled by a versioned Elsa workflow, tracked through a full audit trail you can poll. The diagrams surface turns Elsa Workflow JSON (schema v2 or v3) into Mermaid flowcharts — one Rust → WASM core wrapped as a CLI, an npm package, a web demo, and a VS Code extension.

Netjson‑Diagrams VS Code · npm

A converter that turns NetJSON documents — graph, configuration, monitoring, routes, or a collection — into PlantUML deployment diagrams plus an auto-generated Markdown paper for the metadata that doesn't fit cleanly in a diagram. Same Rust → WASM pattern as elsa-to-mermaid: one core, five surfaces (CLI, npm, web, VS Code, library crate).

0x13d::att&ck In development

A browser Endpoint Detection & Response extension — it matches browser events to MITRE ATT&CK signatures and responds, catching what a host agent can't see from outside the browser: rogue extensions, OAuth consent phishing, lookalike logins. The shipped extension is deliberately small and auditable — zero runtime dependencies, a least-privilege manifest, no telemetry — and in practice just ships detection data to your SIEM.

Passion Projects

Just some things I always wanted to make.

Terminal Drift

A space-courier roguelite with a CRT phosphor aesthetic. Persistent Past Lives carry upgrades and dialog memory across loops. Pure TypeScript engine; Vite + React on the web, Tauri for desktop and Steam.

Sound

A portal for four spoken-word and music projects in progress — an open-mic poetry zine, a weekly public-domain audiobook, an album of short hymns, and a zine + podcast chronicling Black history event by event, each told as a story of horror, of endurance, of hope. All proceeds route to Hawks Land Trust.