Roman Mednitzer
Vienna, AT · Senior Linux & Platform Engineer
I run production Linux, virtualization, and Kubernetes infrastructure in regulated, business-critical environments, and build open-source tools and platforms for the same problems. Mostly self-taught. Open source by default.
About
Ten-plus years operating production infrastructure in regulated, business-critical environments, from manufacturing to enterprise hybrid estates. Day to day, that means Linux (Ubuntu, Red Hat), virtualization (KVM, VMware), Kubernetes and GitOps, observability (Zabbix, Grafana, Prometheus, OpenTelemetry), and backup/DR with verified restores, all under change control and audit.
Open-source projects
A few projects I maintain, from the code that runs and hardens my own fleet to governed-agent and edge-AI research.
Infrastructure as code for the fleet with OpenTofu: a KVM/libvirt module for cloud-init Ubuntu VMs and a Talos Linux module that deploys a Kubernetes cluster with hardened machine configs, secret management, and automated bootstrap. Lab and production environments are separated, production state lives in an encrypted, locked remote backend, and CI gates every change with fmt, validate, TFLint, Trivy, and gitleaks. Decisions are documented as ADRs.
Ansible configuration management and hardening for the same fleet: 19 baseline roles (SSH, AppArmor, UFW, auditd, AIDE, fail2ban, and more) plus playbooks for the SRE toolchain, local LLM inference, and out-of-band Redfish management. Every control is mapped to NIS2, CRA, GDPR, and ISO/IEC 27001 in a machine-readable compliance file, with ansible-lint and schema checks enforced in CI. Targets Ubuntu 24.04 and 26.04 LTS.
A code-managed ISMS for ISO/IEC 27001:2022, NIS2/NISG 2026, and GDPR Art. 32: a reusable template layer with per-organization instances, three evidence layers (signed Git history, eIDAS qualified signatures for formal documents, continuous evidence collection), and offline-capable validators and packagers. Early stage by design: the framework tooling is public while instance content stays confidential, and content population is ongoing.
A governed MCP server for shell and SSH work. It adds four authority modes (open, guarded, read-only, and deny), append-only auditing with SHA-256 output hashes instead of raw output storage, automatic secret redaction, and bounded execution through timeouts, output caps, and idle-session reaping. One interface covers local shell, SSH, SFTP, port forwarding, and parallel fleet commands.
A self-contained, security-first AIOps control plane exposed as an MCP server. It combines a bitemporal model of fleet state (hosts, services, packages, networks, identities, alerts), a drift engine comparing observed against desired state, and an audited actuator with tiered execution and human confirmation gates over SSH, Ansible, OpenTofu, and cloud APIs. v0 is stdio-only; limitations are tracked openly in the repo.
A simulation-based digital twin of a man-portable edge-AI appliance for single operators in disconnected or contested environments: per-subsystem physics models (power, thermal, compute, radios, sensors), recursive state estimators, and a mission-posture state machine, queried by an LLM controller over MCP with an append-only audit trail. Interop adapters cover CoT/TAK, STANAG 4774/4778, MISB KLV, NMEA 0183, and SensorThings. Simulation throughout; no fielded hardware.
My other repos are at github.com/rmednitzer.
Homelab
A self-run, all-open-source fleet, mostly Ubuntu. Local LLM inference runs on NVIDIA (llama.cpp, llama-swap) and AMD ROCm (Ollama), feeding PydanticAI agents through a self-built MCP gateway on Hetzner. Underneath is a single-node Talos Kubernetes cluster running VictoriaMetrics, OpenTelemetry, and Wazuh, plus ZFS with Sanoid snapshots and a Tailscale/WireGuard mesh.
Skills
- Linux & Virtualization: Linux, Ubuntu, Red Hat, SLES, KVM, VMware, ZFS
- Resilience / Security: Backup/DR, Veeam, Wazuh, Hardening, ISO 27001, ISMS/BCM, NIS2
- Containers / GitOps: Kubernetes, OpenShift, Talos, Docker, Helm, Argo CD, GitOps
- Automation / IaC: Ansible, Terraform, OpenTofu, GitLab CI/CD
- Observability: Prometheus, Grafana, Zabbix, OpenTelemetry, VictoriaMetrics, Checkmk
- Homelab / Learning: Local LLMs, llama.cpp, Ollama, MCP, PydanticAI, LLMOps