John Belthoff

Selected engagements include long-term, hands-on engineering and architecture work for government, defense-adjacent, and regulated-industry clients; project and client details are redacted due to NDA and security restrictions.

• Designed and implemented complete HashiCorp Vault integration for a .NET API backend (2,650 lines across 10 classes) — dynamic PostgreSQL credential rotation with automatic lease renewal and 30-second drain for zero-downtime swaps, PKI-based TLS trust injection with custom X.509 chain validation, KV v2 secret management for JWT/SMTP/Turnstile credentials, and AppRole authentication with thread-safe token caching. Built deterministic five-phase startup with exponential-backoff retry and health check endpoints exposing Vault lease status.
• Built a RAG (Retrieval-Augmented Generation) system with PostgreSQL/pgvector providing persistent, searchable memory for AI coding assistants across multiple repositories. Developed C# embedding pipeline with hash-based change detection (SHA-256), batched OpenAI text-embedding-3-small integration, HNSW-indexed cosine similarity search, secret file detection, and path-escape prevention. Created custom Model Context Protocol (MCP) server exposing four semantic search tools that Claude Code discovers and calls natively, enabling cross-repository context retrieval.
• Integrated OpenAI's Chat Completions API into a production .NET application (iching.rocks) as a paid premium feature, engineering a multi-section prompt architecture (8–14 concurrent requests per transaction) with domain-specific context injection, parallel async orchestration (Task.WhenAll), AES-encrypted request/response storage, and per-request token usage tracking for cost monitoring.
• Hardened an Angular 21 SSR application with CSP nonce architecture (randomBytes per request, placeholder-based cache strategy for unique nonces on cached responses), SSRF prevention (startup validation of upstream URLs against explicit allowlist), timing-safe token authentication, AsyncLocalStorage for concurrency-safe request isolation, and server-side DOMPurify sanitization with custom security hooks. Conducted OWASP ZAP and WPScan penetration testing with an 8-iteration AI-assisted code review pipeline progressing production readiness from 72 to 91.
• Achieved near-native C++ performance parity in a pure managed C# poker hand evaluator (~180–210M evaluations/sec, ~943 ns/op core). Implemented zero-allocation hot paths using stackalloc/Span, AggressiveInlining/AggressiveOptimization, and Parallel.For with thread-local accumulators. Developed a dedicated cross-language benchmark suite (BenchmarkDotNet) proving C# throughput within sub-microsecond margins of C++ MSVC /O2 AVX2.
• Enforced clean architecture across an 8-project .NET solution (~13,500 lines) using automated architecture tests (NetArchTest) validating dependency flow, domain immutability, and infrastructure isolation. Implemented domain-driven design with deterministic, side-effect-free domain logic, multi-tier caching (in-memory L1 → Redis L2 with automatic warming), BenchmarkDotNet performance profiling, and Syncfusion PDF report generation.
• Built JWT authentication system with ASP.NET Core Identity, HMAC-SHA256 refresh token hashing (raw tokens never stored), HttpOnly cookie-based refresh flow, Cloudflare Turnstile bot verification, rate limiting, and email confirmation — all secrets sourced from HashiCorp Vault at runtime via KV v2 secrets engine.
• Architected a headless WordPress/Angular 21 SSR system with WPGraphQL API, webhook-driven cache invalidation, preview authentication via custom REST endpoint, LRU HTML cache with nonce placeholder substitution, NGINX reverse proxy with per-location CSP policies, TLS 1.2/1.3, rate limiting, and Docker Compose orchestration.

• Led development and architecture of the Depot Tracking System (DTS) — a global logistics application tracking Electronic Warfare (EW) systems entering and leaving repair depots worldwide, built on ASP.NET / SQL Server.
• Designed and maintained a secure platform aligned with the DoD Integrated Defense Acquisition, Technology, & Logistics Life Cycle Management Framework.
• Implemented and enforced Unclassified, Confidential, and Secret data handling protocols across multiple security domains, ensuring full compliance with DoD cybersecurity and data protection standards.
• Administered Windows Server infrastructure, networking, and virtualized environments supporting high-availability deployments and global user access.
• Held and maintained an active U.S. Secret Security Clearance for the duration of the project.
• Consulted with Technical Publications on SGML and Arbortext best practices for multi-output technical documentation pipelines.

• Delivered end-to-end web solutions for multiple clients, integrating business workflows with secure, scalable .NET applications and SQL Server backends.
• Architected multi-user platforms supporting financial, media, and marketing use cases, from transactional systems to high-traffic consumer websites.
• Integrated secure financial data systems for a student loan consolidation client, including direct compliance alignment with Fannie Mae systems.
• Designed and deployed a stock market trading competition platform and a photo contest site, managing real-time submissions, voting logic, and scalable database infrastructure.
• Led development of FastBrowserSearch.com, a globally distributed browser toolbar platform deployed to billions of installations worldwide through large-scale marketing campaigns.

Emmy Award–winning audio engineer with decades of experience designing audio systems for NYC television studios, supporting national television productions, live broadcasts, and post-production sound design. (Full broadcast résumé available upon request.)