hlib@portfolio:~$ cat README.md

# hlixli — Hlib Suslov

"Inspired by simplicity, driven by curiosity."


I'm a developer who designs and ships full products end-to-end — usually solo, pairing with AI across the whole stack: database, backend, and frontend.

I combine solid engineering with simple, focused interfaces, and care about turning ideas into reliable software that people actually use.

// open to internships

hlib@portfolio:~$ contact --list

email [email protected]
phone (+47) 405 99 184
github github.com/hlibsuslov
where Moss, Norway

hlib@portfolio:~$ whoami

Hlib Suslov

student & builder @ VGS Kirkeparken — Moss, Norway

AI power user · currently going deep on system administration

hlib@portfolio:~$ cat about.txt

I care about the details most people skip — the small interactions, the wording, the edge cases — because that's what makes software feel human.

I'm part of a generation that grew up with these tools, where an eye for design and a pull toward how things work are the same instinct.

## languages

  • English — Upper-Intermediate
  • Norwegian — A2 · actively learning
  • Russian & Ukrainian — native
  • Italian — read & understand fluently

## skills

frontend/ HTML · CSS · responsive UI · JavaScript (ES6+) · React / Next.js
backend/ Node.js · Express · EJS · REST APIs · PostgreSQL / SQLite · Supabase
ai-llms/ OpenAI · Claude · Gemini · Llama — prompt design, function calling, agentic workflows
automation/ API integration · web & task automation · AI-assisted development
gen-media/ Midjourney · DALL·E · Stable Diffusion · Sora · Runway · Pika
data/ Python · Pandas · Jupyter · ETL basics
ops/ Linux · system administration · Docker & Compose · self-hosting (Cloudflare Tunnel · Tailscale) · cron · CI/CD · Git · deployment (Vercel / VPS)

# SamfunnPrep [solo + AI]

An exam-prep product for Samfunnskunnskapsprøven — Norway's official society-knowledge test for permanent residence and citizenship — built on an AI-powered editorial CMS and a security-hardened Postgres backend. I designed, built and operate the whole system solo.

## the AI editorial suite  // Claude-powered newsroom

  • 15 admin AI endpoints over the Anthropic SDK — alt-text, SEO titles & meta, outlines, FAQ, tone & readability, source verification — on a 3-tier Claude registry (Haiku / Sonnet / Opus) routed per task and per locale, env-overridable for model pinning
  • Schema-constrained translation: forced tool_choice structured output (no JSON-parsing of model prose) translates body, SEO metadata & FAQ across no · en · uk · ar, with markdown-aware chunking and recursive halving when Arabic tokenizes past the output cap — fanned out per-article with per-locale failure isolation and a batch id threaded through DB & logs
  • Cache-aware cost control that fails closed: prices all four token classes (incl. prompt-cache reads), enforces global + per-feature monthly budgets (default $300), and runs a daily cron reconciling the in-house cost estimate against Anthropic's Admin cost_report API, alerting on >5% drift
  • Every call — success or failure — persisted to a dedicated request-trace table (four token counts, stop_reason, latency, estimated cost, 20KB raw excerpt) for replayable diagnostics

## the hardened database  // ~89 migrations, audit-driven

  • ~89 versioned SQL migrations (~8,000 hand-written lines): ~90 SECURITY DEFINER functions (most pinning search_path), 44 RLS-protected tables, a 5-role newsroom RBAC (user / author / editor / lawyer / admin), and admin TOTP recovery codes stored SHA-256-only
  • Defense-in-depth trust boundaries: fixed a classic RLS-on-self recursion bug with an is_admin() definer bypass; blocked role & billing-field tampering with a BEFORE-UPDATE trigger under owner-scoped RLS; made audit ledgers append-only via triggers that hold even against a leaked service_role key
  • Postgres concurrency primitives for real races: optimistic article versioning, a compare-and-swap editing lease, and pg_advisory_xact_lock per user to serialize payment activation against duplicate webhooks
  • GDPR retention at the DB layer — payment-PII minimization in a trigger plus self-scheduling pg_cron purges — behind an edge-runtime middleware doing per-request CSP nonces and HMAC double-submit CSRF on Web Crypto; findings from two written security audits map traceably onto the fixing migrations

## the product

  • Server-authoritative exam engine: category-balanced 38-question selection (60 min, pass ≥ 26/34, 4 unscored pilots) that strips correct answers from the network payload so trial users can't read them client-side
  • 225 bilingual questions (no / en) across 11 categories; a 4-language UI (no · en · uk · ar) with RTL Arabic; a custom remark plugin that auto-links the first glossary mention with Norwegian-aware word boundaries (æøå)
  • Hand-rolled Vipps ePayment (no SDK) with single-use constant-time callback tokens, amount-tamper checks & capture-failure recovery, plus a Stripe webhook reconciling subscriptions and one-time exam packages across 11 event types
  • A separate Telegram ops console (grammy + cron, ~47 TS files) for privileged refunds and role & trial management, with confirmation/undo and audit logging

## stack

Next.js 15 (App Router / RSC) · React 19 · TypeScript · Tailwind + shadcn/ui · @anthropic-ai/sdk (tool use · prompt caching · extended thinking) · Supabase Postgres (RLS · PL/pgSQL · pg_cron) · Stripe · Vipps ePayment · Zod · Zustand · TanStack Query · next-intl · MDX + remark · grammy · Web Crypto · Vercel

→ samfunnprep.no/en [live]

# Penger [hardware + web]

"The final backup for your digital wealth."

A titanium cold-storage plate you encode yourself, fronted by a real web app I designed and built solo: a hand-rolled, zero-dependency BIP39 / BIP32 implementation, a self-custodial on-chain crypto checkout, and a bilingual academy with a hybrid AI tutor — no crypto library, no payment processor, no framework doing the hard parts for me.

## the simulators  // the part I'm most proud of

Browser BIP39 tools that teach the encoding by letting you do it. I implemented the entire BIP39 / BIP32 stack from scratch on the Web Crypto API, with zero third-party crypto libraries, and verified it against the official spec test vectors:

  • Generator — CSPRNG entropy → SHA-256 checksum → 11-bit regrouping for all five BIP39 lengths (12 / 15 / 18 / 21 / 24 words), validated against the canonical abandon…about spec vector, then rendered as the exact dot-matrix you punch into the plate
  • Passphrase sim — real PBKDF2-HMAC-SHA512, 2048 iterations (password = the mnemonic, salt = "mnemonic" + passphrase) reproducing the official BIP39 seed exactly; on top, a hand-built BIP32 hardened path (44'/0'/0'/0) and BigInt Base58Check — with honest in-code notes that the address derivation is a demo (SHA-256 standing in for RIPEMD-160, no secp256k1 point math)
  • Decoder — a clickable / touch-paint binary grid that reverse-maps each column to its BIP39 word live, with per-column index readout and invalid-state marking for any 12-bit value outside the 1–2048 range
  • Defense-in-depth — a hand-written pure-JS SHA-256 fallback for offline file:// use, in-memory entropy zeroing, plus on the simulator page a CSP connect-src 'none' and runtime neutering of all five network APIs (fetch, sendBeacon, WebSocket, EventSource, XHR) so secrets can't leave the page

## the commerce backend & AI academy

  • Trustless on-chain checkout — self-custodial SOL & USDC payments via Solana Pay reference keys; a 5s poller re-derives correctness server-side from RPC balance deltas and SPL token-account ownership, never trusting a client-reported signature
  • Server-authoritative money — a guarded 7-state invoice machine with an append-only event log, BigNumber.js ROUND_CEIL pricing, CoinGecko→Binance FX failover, and server-recomputed totals / promos that treat the client as untrusted
  • Ops automation — an event bus → Telegram bot (9 owner commands over SQLite), a programmatic Google Sheets CRM, and a locale-correct Ukrainian invoice PDF with live National Bank of Ukraine FX
  • Hybrid AI tutor — a loop-safe 80-node decision-tree chat plus a server-side OpenAI proxy with a custom sliding-window budgeter that summarizes dropped turns into a gap note; the key never touches the browser, rate-limited and size-bounded on both ends
  • Bilingual academy — an 80-question two-tier quiz that deep-links wrong answers to the exact guide-section anchor, over a fully parallel en / uk site (/uk prefix routing · per-language schema.org) built with no i18n library

## the plate

  • Each word's index (1–2048) becomes 12 punched bits — filled dot = 1, empty = 0 — the same model the simulators render
  • Fully manual and offline — the encoding is a standard BIP39 seed, restorable in any BIP39 wallet

## stack

Node.js · Express · EJS · vanilla JS · Web Crypto API (BIP39 / BIP32 from scratch) · @solana/web3.js + spl-token · Solana Pay · better-sqlite3 · BigNumber.js · pdfkit · OpenAI (gpt-4o-mini proxy) · node-telegram-bot-api · googleapis · Cloudflare Workers · helmet + per-page meta CSP · terser / lightningcss · bilingual en / uk

→ try the simulators  ·  mypenger.com  ·  about [live]

# homelab [self-hosted infra]

A Raspberry Pi 5 (4 GB) I turned into a production host for ~750 kr — it serves this very portfolio alongside my other sites and Telegram bots: 16 Docker containers, zero inbound ports, designed to run unattended.

## the setup

  • All ingress through a single Cloudflare Tunnel — no open ports (ufw deny incoming), HTTP services bound to 127.0.0.1 only, admin over Tailscale → SSH; cloudflared runs natively under systemd so the tunnel outlives any stack issue
  • 16 containers — 4 web apps + 4 long-poll Telegram bots + Beszel monitoring & a Dockge compose UI behind Cloudflare Access, with autoheal / watchtower / socket-proxy sidecars
  • Network-wide ad-blocking via Pi-hole + AdGuard Home as local DNS
  • Per-service git auto-deploy on staggered cron, images built natively on-device (arm64), orchestrated with Claude Code

## built to run unattended

  • Tuned for 4 GB: zram (zstd) swap, log2ram, tuned vfs_cache_pressure & scheduled docker prune
  • Self-healing watchdogs for memory, temperature & throttling with Telegram alerts; daily backups on a 7-day rotation
  • The deploy script ramps the fan to max before each native build and restores auto-mode via a trap…EXIT — never touching the critical thermal limit
  • ~3,200 lines of living ops docs (7 chapters + per-service runbooks) that explain the why, cite verified-live facts and honest gaps, with copy-paste recovery runbooks & decision trees — enough that a fresh session could cold-start the box from the docs alone

## stack

Raspberry Pi 5 · Debian 13 (arm64) · Docker + Compose · Cloudflare Tunnel + Access · Tailscale · Pi-hole · AdGuard Home · Beszel · Dockge · systemd · cron · bash

// no public URL by design — but you're looking at it: this page is served from the Pi

hlib@portfolio:~$