Lead Software Engineer / Systems Architect • .NET • Angular • Cloud Infrastructure • AI-Native Systems

John Belthoff

Lead Software Engineer and Systems Architect with 15+ years designing, building, securing, and operating production platforms across enterprise finance, AI-native development, cloud infrastructure, and high-reliability web systems. Delivers complete systems — not features — spanning architecture, implementation, security, and deployment, with a track record of solo and lead-engineer engagements under real business constraints.

Creator of Continuum, an AI-native engineering workflow and commercial methodology, powered by Engram — a secure, OAuth-gated client/server semantic-memory platform that ingests repositories, source code, specifications, commit history, and architectural decisions into a retrievable knowledge layer shared across AI agents and development sessions. Hands-on across .NET, Angular, SQL Server, PostgreSQL/pgvector, OAuth 2.1/OIDC, Keycloak, Docker, Kubernetes, and cloud-native infrastructure.

Background includes Emmy Award–winning broadcast engineering, bringing deep expertise in real-time systems, operational reliability, and production-critical infrastructure.

Fort Lee, NJ U.S. Citizen • Authorized to work in the U.S.
Security
HashiCorp Vault (4 engines)
OWASP ZAP • WPScan • CSP nonce architecture • SSRF prevention
AI & LLM
RAG / pgvector • MCP Server
OpenAI API • Anthropic Claude • Prompt architecture
Performance
Near-C++ throughput in managed C#
BenchmarkDotNet • Zero-allocation hot paths
Infrastructure
Docker • NGINX • Vault • Cloudflare
PostgreSQL • SQL Server • Prior Secret Clearance

Technical skills

Curated for fast scanning
Languages & Frameworks
C# • .NET 10 / ASP.NET Core • Angular 21 • TypeScript
Razor Pages • MVC • JavaScript • HTML5 • CSS / Tailwind CSS • Python • Node.js / Express • PHP • XML • SGML • VB.NET
AI & LLM Integration
RAG • pgvector • MCP server development
Vector embeddings (OpenAI text-embedding-3-small) • OpenAI Chat Completions & Embeddings APIs • Anthropic Claude API • Multi-section prompt architecture • Parallel async LLM orchestration • Token usage tracking • Encrypted AI data persistence • AI-assisted code review pipelines
Security & Penetration Testing
HashiCorp Vault (PKI, Database, KV v2, AppRole)
Dynamic credential rotation • Runtime CA trust injection • OWASP ZAP (frontend + GraphQL active scanning) • WPScan • Offensive Security Penetration Testing with Kali Linux (PWK/PEN-200 training) • CSP nonce architecture • SSRF prevention • DOMPurify (custom security hooks) • TLS hardening (Mozilla Intermediate) • Timing-safe token comparison • AES encryption at rest • HMAC-SHA256 token hashing • X.509 custom trust stores
Databases & Data Access
SQL Server (2000–2024) • T-SQL • PostgreSQL
pgvector extension • HNSW indexing • Cosine similarity search • MariaDB • MySQL • Dapper • Entity Framework Core • Redis • Stored procedures • Multi-schema design
Performance Engineering
BenchmarkDotNet (MemoryDiagnoser) • Cross-language benchmarking
Zero-allocation hot paths (stackalloc, Span<T>, ReadOnlySpan<T>) • AggressiveInlining / AggressiveOptimization • Parallel.For with thread-local accumulators • Multi-tier caching (in-memory L1 → Redis L2)
Architecture & Engineering Practices
Clean architecture enforcement (NetArchTest)
Domain-driven design (DDD) • Deterministic domain logic • Automated architecture testing • Immutability patterns • CQRS-influenced data access (Dapper + EF Core) • Syncfusion PDF report generation • Apollo Client / GraphQL (WPGraphQL) • Headless CMS (WordPress as API)
Authentication & Identity
ASP.NET Core Identity • JWT (access + HttpOnly refresh)
HMAC-SHA256 refresh token hashing • Cloudflare Turnstile bot verification • Stripe payment integration • Rate limiting • Email confirmation flows • 2FA
Infrastructure & DevOps
Docker (multi-stage builds, non-root execution) • Ansible • NGINX
Reverse proxy • Per-location CSP • Rate limiting • TLS termination • Docker Compose • Terraform (IaC, cloud-agnostic provisioning) • RKE2 • kubectl • Cloudflare • Linux (Ubuntu/Debian, RHEL/CentOS) • Windows Server • IIS • Git / GitHub • CI/CD • Proxmox • VMware • vSphere — Cloud Platforms: AWS, Azure, GCP, DigitalOcean, Linode

Selected projects

Continuum / Engram (In Development)

Continuum is an AI-native engineering workflow and commercial methodology — covering design-spec authoring, dual-model cross-review, structured implementation, and documented delivery — offered with implementation, training, and ongoing maintenance. It runs on Engram, a secure client/server semantic-memory platform built on .NET 10, PostgreSQL/pgvector, and OAuth 2.1 (Keycloak). Engram ingests repositories, source code, commit history, architectural decisions, and AI session logs into a shared knowledge layer that any AI agent can query over an authenticated MCP endpoint — enabling genuine engineering continuity across sessions, models, and months of development. Currently serving 16 repositories, 6,200+ documents, and 45,000+ semantic chunks across Claude, Codex, Claude Desktop, and ChatGPT.

AI-Native Cash Application Platform
codematters.johnbelthoff.com →

Production-credible AI-Native accounts receivable platform built as a direct alternative to HighRadius during a client engagement. Angular, .NET 10, SQL Server. Universal remittance ingestion handling any file format — CSV, Excel, PDF, PNG/JPG, MICR encoding — normalized to database tables regardless of source. AI-assisted invoice-to-payment matching with confidence scoring that improves with payment history. Customer aliasing, workflow-guided exception decisioning, NetSuite OAuth2 machine-to-machine integration, BAI2 bank file parsing, sFTP intake, and strict 2FA/passkey security with CSP enforced end-to-end. Built across three coordinated repositories — codebase, fully versioned artifacts and documentation, and smoke-test suite — using my pgvector semantic knowledge system for cross-repo context continuity. AI-Native code reviews ran continuously throughout.

Angular + ASP.NET Core Platform (2026)
angular.johnbelthoff.com →

Full-stack Angular 21 SPA with ASP.NET Core API backend, serving as both an online portfolio and a production reference implementation. Backend integrates HashiCorp Vault across four secrets engines — dynamic PostgreSQL credential rotation (922-line credential manager with lease renewal, zero-downtime drain, and self-healing on auth errors), PKI-based TLS trust injection with custom X.509 chain validation, KV v2 secret management, and AppRole authentication. Implements JWT authentication with HMAC-SHA256 refresh token hashing, HttpOnly cookie refresh flow, ASP.NET Core Identity with email confirmation, Cloudflare Turnstile bot verification, and rate limiting. Health check endpoints expose Vault lease status, credential health, and database identity verification. Deployed behind Cloudflare and NGINX reverse proxy with Docker containerization.

Semantic Knowledge System — RAG + MCP
Blog → Source available upon request

RAG (Retrieval-Augmented Generation) system providing persistent, searchable memory for AI coding assistants across multiple repositories. C# embedding pipeline ingests source files and git commit history, generates OpenAI text-embedding-3-small vectors, and stores in PostgreSQL with pgvector extension and HNSW-indexed cosine similarity search. Hash-based change detection (SHA-256) minimizes API costs (16 repositories, 45,000+ embeddings at minimal monthly API cost). Security-conscious ingestion with secret file detection, path-escape prevention, and database CHECK constraints blocking absolute paths. Custom Model Context Protocol (MCP) server built with the official C# SDK exposes four semantic search tools (search_context, get_activity_log, get_file_summary, list_repos) that Claude Code discovers and calls natively. Enables cross-repository context retrieval — an AI agent working in one repo can pull decisions and code reviews from completely different repos.

CodeMatters Frontend — SSR Security + Pen Testing
codematters.johnbelthoff.com → Source available upon request

Headless WordPress / Angular 21 SSR architecture with production security hardening and penetration testing. Conducted OWASP ZAP (frontend + GraphQL active scans up to 120 minutes) and WPScan (aggressive plugin/theme/user enumeration, ~150K requests) with findings triaged through 8 formal AI-assisted production readiness reviews (72 → 95 production readiness score). SSR server (~1,040 lines) implements CSP nonce architecture with placeholder-based cache strategy, SSRF prevention via startup URL allowlist validation, timing-safe token authentication, AsyncLocalStorage for concurrency-safe renders, SSR concurrency limiting with 503 shed, and stampede protection via in-flight render coalescing. Server-side DOMPurify pool with custom security hooks. NGINX reverse proxy with per-location CSP policies, TLS 1.2/1.3, rate limiting, and request tracing. 532+ tests across 25 spec files (461 Angular unit tests, 71 server integration tests).

Poker Hand Evaluator

High-performance Texas Hold'em evaluator achieving near-native C++ performance parity in pure managed C# (~180–210M evaluations/sec, ~943 ns/op core). Complete reimplementation of Cactus Kev/Suffecool algorithm using bitmask-encoded cards, precomputed lookup tables, and prime-product hashing for O(1) hand classification. Zero-allocation hot paths via stackalloc/Span, AggressiveInlining/AggressiveOptimization, ReadOnlySpan for permutation tables, and Parallel.For with thread-local accumulators. Dedicated cross-language benchmark suite (BenchmarkDotNet with MemoryDiagnoser) proves C# throughput within sub-microsecond margins of C++ MSVC /O2 AVX2. Deployed with Docker, SQL Server backend, and Razor Pages UI.

I Ching Oracle

Production AI interpretation platform delivering comprehensive, multi-section I Ching readings via 18 concurrent OpenAI calls orchestrated under SemaphoreSlim-bounded parallelism. Durable background job pipeline with lease/heartbeat/retry-budget architecture ensures restart-safe, fault-tolerant execution across all 18 interpretation sections — each with its own carefully constructed prompt and injected domain data. Full membership system with Stripe-gated premium features generating recurring revenue, user authentication, email confirmation, SHA-256 key derivation, and per-request token usage tracking for cost monitoring. SQL Server via Dapper, production deployment with caching and SEO automation.

Ballistics.Systems
ballistics.systems →

Enterprise-grade .NET 10 ballistics calculator with enforced clean architecture across a 17-project solution. Automated architecture tests (NetArchTest) validate dependency flow, domain immutability, and infrastructure isolation — violations fail the build. Domain-driven design with deterministic, side-effect-free domain logic (Miller gyroscopic stability model, Satterlee ladder test optimization). Multi-tier caching (in-memory L1 → Redis L2 with automatic warming), runtime-configurable cache TTLs without redeployment, BenchmarkDotNet performance profiling with MemoryDiagnoser. Production infrastructure includes Syncfusion PDF report generation, Stripe payments, MailKit email with HTML/text dual templates, ASP.NET Core Identity with 2FA, HMAC-signed API tokens, Turnstile bot protection, and multi-stage Docker builds on Alpine. Data layer uses Dapper with SQL Server (1,654-line schema, stored procedures, multiple schemas).

Experience

Independent Software Engineer / Architect
2017 – Present

Selected engagements include long-term, sole and lead-architect work across greenfield builds and large-scale legacy modernization for government, defense-adjacent, and regulated-industry clients — project and client details redacted under NDA.

  • Designed and implemented complete HashiCorp Vault integration for a .NET API backend (2,650 lines across 10 classes) — eliminating static credentials from the deployment pipeline. Dynamic PostgreSQL credential rotation with automatic lease renewal and 30-second drain for zero-downtime swaps, PKI-based TLS trust injection with custom X.509 chain validation, KV v2 secret management for JWT/SMTP/Turnstile credentials, and AppRole authentication with thread-safe token caching. Built deterministic five-phase startup with exponential-backoff retry and health check endpoints exposing Vault lease status.
  • Built a RAG (Retrieval-Augmented Generation) system with PostgreSQL/pgvector providing persistent, searchable memory for AI coding assistants across 16 repositories (45,000+ embeddings at minimal monthly API cost). Developed C# embedding pipeline with hash-based change detection (SHA-256), batched OpenAI text-embedding-3-small integration, HNSW-indexed cosine similarity search, secret file detection, and path-escape prevention. Created custom Model Context Protocol (MCP) server exposing four semantic search tools that Claude Code discovers and calls natively, enabling an AI agent in one repo to retrieve decisions and code reviews from entirely different repos.
  • Integrated OpenAI's Chat Completions API into a production .NET application (iching.rocks) as a Stripe-gated premium feature generating recurring revenue, engineering a multi-section prompt architecture (18 concurrent requests per transaction) with domain-specific context injection, parallel async orchestration (Task.WhenAll), AES-encrypted request/response storage, and per-request token usage tracking for cost monitoring.
  • Hardened an Angular 21 SSR application with CSP nonce architecture (randomBytes per request, placeholder-based cache strategy for unique nonces on cached responses), SSRF prevention (startup validation of upstream URLs against explicit allowlist), timing-safe token authentication, AsyncLocalStorage for concurrency-safe request isolation, and server-side DOMPurify sanitization with custom security hooks. Conducted OWASP ZAP and WPScan penetration testing with AI-assisted code reviews across 8 formal production readiness reviews progressing from 72 to 95.
  • Achieved near-native C++ performance parity in a pure managed C# poker hand evaluator (~180–210M evaluations/sec, ~943 ns/op core). Implemented zero-allocation hot paths using stackalloc/Span, AggressiveInlining/AggressiveOptimization, and Parallel.For with thread-local accumulators. Developed a dedicated cross-language benchmark suite (BenchmarkDotNet) proving C# throughput within sub-microsecond margins of C++ MSVC /O2 AVX2.
  • Enforced clean architecture across a 17-project .NET solution using automated architecture tests (NetArchTest) validating dependency flow, domain immutability, and infrastructure isolation. Implemented domain-driven design with deterministic, side-effect-free domain logic, multi-tier caching (in-memory L1 → Redis L2 with automatic warming), BenchmarkDotNet performance profiling, and Syncfusion PDF report generation.
  • Built JWT authentication system with ASP.NET Core Identity, HMAC-SHA256 refresh token hashing (raw tokens never stored), HttpOnly cookie-based refresh flow, Cloudflare Turnstile bot verification, rate limiting, and email confirmation — all secrets sourced from HashiCorp Vault at runtime via KV v2 secrets engine.
  • Architected a headless WordPress/Angular 21 SSR system with WPGraphQL API, webhook-driven cache invalidation, preview authentication via custom REST endpoint, LRU HTML cache with nonce placeholder substitution, NGINX reverse proxy with per-location CSP policies, TLS 1.2/1.3, rate limiting, and Docker Compose orchestration.
Datalis Solutions Corporation
2010 – 2017 • Lead Software Developer, System Administrator, Web Architect
  • Led development and architecture of the Depot Tracking System (DTS) — a global logistics application tracking Electronic Warfare (EW) systems entering and leaving repair depots worldwide, serving users across multiple security domains. Built on ASP.NET / SQL Server.
  • Designed and maintained a secure platform aligned with the DoD Integrated Defense Acquisition, Technology, & Logistics Life Cycle Management Framework.
  • Implemented and enforced Unclassified, Confidential, and Secret data handling protocols across multiple security domains, ensuring full compliance with DoD cybersecurity and data protection standards.
  • Administered Windows Server infrastructure, networking, and virtualized environments supporting high-availability deployments and global user access.
  • Held and maintained an active U.S. Secret Security Clearance for the duration of the project.
  • Consulted with Technical Publications on SGML and Arbortext best practices for multi-output technical documentation pipelines.
Perry Systems, Inc.
2007 – 2010 • Web Architect, Full Stack .NET Developer
  • Delivered end-to-end web solutions for multiple clients, integrating business workflows with secure, scalable .NET applications and SQL Server backends.
  • Architected multi-user platforms supporting financial, media, and marketing use cases, from transactional systems to high-traffic consumer websites.
  • Integrated secure financial data systems for a student loan consolidation client, including direct compliance alignment with Fannie Mae systems.
  • Designed and deployed a stock market trading competition platform and a photo contest site, managing real-time submissions, voting logic, and scalable database infrastructure.
  • Led development of FastBrowserSearch.com, a globally distributed browser toolbar platform deployed to billions of installations worldwide through large-scale marketing campaigns.
Broadcast & Audio Engineering

Emmy Award–winning audio engineer with decades of experience designing audio systems for NYC television studios, supporting national television productions, live broadcasts, and post-production sound design. This background built deep expertise in real-time systems, signal processing, production-critical infrastructure, and operating under zero-downtime constraints — disciplines that directly inform current software architecture work. (Full broadcast résumé available upon request.)

Education & Awards

Education
  • Berklee College of Music — Professional Music, Production & Engineering (1981)
  • The Recording Workshop — Advanced Audio Engineering, 2nd in Class (1984)
  • Offensive Security — Penetration Testing with Kali Linux (PWK/PEN-200)
Awards
  • Emmy Award — Outstanding Audio (1997)
  • Cable ACE Award — Best Talk Show Audio (1997)