JH
01 / OverviewEst. 2012 · Toronto
Currently available for hire

I build the software
you need, and secure
the software you have.

I'm a Toronto-based freelance developer. I build new products, clean up the messy ones, and (my specialty) secure the code most teams never audit. Fourteen years of shipping across web, mobile, and hardware. Easy to work with, and I get it done.

Focus
Full-stack + Security
Based in
Toronto, ON
Working since
2012
AI since
the GPT-2 era
Jack Harsfai
Freelance Developer
Jack Harsfai
02 / Approach

The dangerous bugs
are the ones you
never see
coming.

Hardcoded credentials. Passwords in plaintext. Database queries glued together with string concatenation. Auth that trusts whatever the browser sends. This stuff hides inside working software. The UI looks fine, the demo passes, and the hole just sits there.

That's the part I love most: reading a codebase closely, finding what's quietly wrong, and fixing it before it becomes your problem. Whoever wrote it (you, a contractor, or an AI), I don't judge. I clean it up.

patch / before-prod.diff
+18 / −14
01 · Stop committing the keys to the kingdom
// api/openai.ts
const OPENAI_KEY = "sk-proj-9aE...REDACTED";
const OPENAI_KEY = process.env.OPENAI_API_KEY!;
02 · Parameterize. Always.
// db/users.ts
db.query(`SELECT * FROM users WHERE email='${email}'`)
db.query("SELECT * FROM users WHERE email = $1", [email])
03 · The client doesn't get to be the admin
// app/api/admin/route.ts
if (req.headers.get("x-is-admin") === "true") { ... }
const session = await getSession(req);
if (!session?.user.roles.includes("admin")) return new Response("403", { status: 403 });

Every line above I have found in production this year.

What I usually find
SEC-001Hardcoded secrets in repo
SEC-014SQL injection via string template
ARC-007No tenant isolation, single DB
SEC-021Client-trusted authorization
OPS-003No observability, no rate-limit
03 / Operations

Three things,
done properly.

Pick one. Pick all three. Most clients arrive needing all three.

I01 / 03

Build.

Need it built? I'll build it. Properly.

Full-stack development across web, mobile, and embedded. I've shipped iOS apps, self-driving stacks, RAG systems, and games. Give me the goal and the constraints; I'll handle the rest and keep you in the loop the whole way.

  • Web & mobile apps, end-to-end
  • Features that fit your existing code
  • Prototypes & MVPs, fast
  • Architecture that won't box you in
II02 / 03

Clean Up.

Working code and good code aren't the same thing.

Inherited a mess? I'll make it something you can build on. Decompose the 800-line file, delete the dead branches, redraw the boundaries that got lost, add the tests and the honest README. Your repo stops being a liability and starts being an asset.

  • Refactor & untangle
  • Type safety end-to-end
  • Tests where they actually matter
  • A README a human can read
III03 / 03

Secure.

My specialty: the security holes most reviews miss.

OWASP-mapped review, secrets sweep, dependency triage, auth hardening, SQL/NoSQL and prompt-injection surface, supply-chain checks. Then I help you fix everything I find. Sixteen years of watching offensive security up close.

  • Threat model & risk register
  • Secrets, IAM & key rotation
  • Pen-test of your highest-value surface
  • A prioritized, plain-English fix list

Every project starts with a fixed-scope quote and a plan. You know exactly what you're getting before you commit.

Start a project
04 / Work

A decade of shipped systems.
Receipts attached.

01
14yrs
Building shipped systems
since 2012
02
10k
Original OpenAI API Beta seat
GPT-2 era · 2020
03
05+
Active projects
this quarter
Credentials

The paper trail.

I prefer to be judged on the work. These are the markers along the way.

  • 2012 - Present
    14+ Years in Technology
    Cybersecurity, AI, automotive, hardware: built and shipped across all four.
  • 2020
    Original OpenAI API Beta Program
    One of ten thousand people invited to OpenAI's original API beta back in the GPT-2 era. I've been hands-on with generative AI since before there was a hype cycle to speak of.
  • 2021 - 2023
    Engineer · WOCSOR
    Built RetroPilot: reverse-engineered Toyota CAN bus to retrofit semi-autonomous driving onto older vehicles. Modified the DSU for longitudinal control and adapted openpilot to Android. Grew into an active open-source community.
  • 2021 - Present
    YNG · Young Presidents' Organization
    Member, next-generation chapter.
  • 2023 - 2025
    Software Engineer · Incleon
    Engineered an air-gapped 70B Llama3 RAG system for analyzing enterprise codebases on a single GPU. Built ReAct-style reasoning loops and a small-model post-processing layer to cut hallucinations on critical technical questions.
Selected Work

Things I've shipped
myself.

Security is the specialty, but I build, too: mobile, ML, embedded, web, end-to-end.

Project / 01Open ↗

Kestrel

AI-Powered Mobile IDE

An autonomous-agent coding environment for iOS: code generation, real-time AI collaboration, and a streamlined editor built for mobile-first developers.

Project / 02Open ↗

Tapout

Phone management for schools

Software-level app restrictions on the iOS Screen Time API with zone-based geofencing, a centralized admin portal, and per-student exceptions. No pouches, no daily logistics.

Project / 03Open ↗

Phantom

Self-driving on Android · Comma 2

Open-source driver-assistance stack for Comma 2 hardware. ARNE (Always Ready Neural Engagement), vision-based stop detection, and Mapbox navigation built in.

Project / 04Open ↗

Oneiro

AI dream journal · App Store

Automatic tag generation, AI-generated visuals, and personalized dream analysis that surfaces recurring patterns in the subconscious.

Project / 05Open ↗

Guided Meditation Generator

Local-first · Open source

Personalized meditation sessions with local Ollama inference, custom F5-TTS speech, and PaulStretch-processed ambient audio.

Project / 06Open ↗

Vellum

Floor-plan layout studio · Web

Lay out furniture on a true-to-scale one-foot grid. Drag, snap, and measure an apartment before you move in. A browser-based spatial planner for getting the layout right the first time.

Project / 07Open ↗

GlassSDR

Software-defined radio lab · Rust + Tauri

Turns an affordable USB dongle into a full radio lab. 83 built-in apps spanning aircraft tracking, weather satellites, and protocol decoding, with transparent DSP flowgraphs written in readable Rust.

Project / 08Open ↗

Icebreaker

Arctic survival RPG · Web

A 2D arctic survival RPG. Build, fish, and hunt to outlast the long winter, solo or co-op with friends. Browser-based and installable as a mobile web app.

Arsenal

Each one, a concept learned.

Not a list of buzzwords. Every name below is a concept I've spent real time learning about. That's all.

I've attended DEF CON Las Vegas every year since 2010 and counting: sixteen years of watching offensive security evolve up close, always picking up the next concept, the next technique, the next way of thinking.

The list grows.
Core Disciplines
Security & Pen-TestingFull-Stack DevelopmentCode Cleanup & RefactoringMobile & App DevelopmentAI / RAG SystemsEmbedded & Hardware
Technologies
Burp SuiteOWASP ZAPsqlmapNucleiffufgobusterdirsearchNiktoArjunhttpxNmapMasscanWiresharktcpdumpShodanCensysAmasssubfindertheHarvesterdnsreconMetasploitImpacketBloodHoundCrackMapExecMimikatzResponderHashcatJohn the RipperHydraAircrack-ngGarakPromptfooRebuffLakeraLlama GuardMITRE ATLASOWASP LLM Top 10SemgrepCodeQLSnykTruffleHogGitleaksBanditDependabotProwlerScoutSuitePacuTrivyGrypeCheckovkube-benchkube-hunterFalcoFridaObjectionMobSFapktoolDrozerGhidraIDA ProRadare2Binary NinjapwndbgVolatilityAutopsySleuth KitYARAHackRFProxmark3Flipper ZeroJTAGulatorMaltegoSpiderFootRecon-ngMITRE ATT&CKOWASP ASVSNIST CSFKali LinuxParrot OSUbuntu ServerTypeScriptJavaScriptReactNext.jsNode.jsReact NativePostgreSQLRedisGraphQLDockerKubernetesTailwind CSSVitePrismaREST APIsPythonJavaC++DartBashPowerShellGoLangChainLlamaIndexPyTorchTensorFlowOpenCVStable DiffusionAWSGoogle CloudSupabaseFirebaseNFC / RFIDSDRCAN ProtocolMarlin FirmwareFlutterLynx