London → Atlanta → Houston  ·  Remote  ·  Open to roles

Andrew Bolaji

Engineer. Ten years keeping production systems alive across financial services, EdTech, e‑commerce, and manufacturing. Now building applied AI where the security model is the product. I build for the day it breaks.

Andrew Bolaji
Live now  ·  AI voice agent
515‑608‑4723

I built this. It answers as a receptionist for a home services company. Tell it your AC is leaking and it will work out that it is urgent, ask what a good dispatcher would ask, and walk the booking through end to end. Ask what it is and it will tell you that too.

On this public number the calendar write and the confirmation text are simulated, so nothing lands in a real calendar or on your phone. Wired into a client’s systems, that last step is a real write.

Every other line on this page is something you have to take my word for. This one is not.

Tap to call.

10
Years
engineering
7
Products shipped
end to end
1,700+
Automated tests
across them
2
Live AI systems
you can use now
Selected work Each one ends on the decision that made it work

One argument runs through all seven: the guarantee belongs in the structure, not the interface. A paywall the client can bypass was never enforced, a compliance record you can delete is not a record, and a safety rule written into a prompt is a request. Every “hard part” below is the place where that rule actually lives.

Applied AI · Voice

Porter

Live

A voice agent that answers the phone for a home services business. It holds context through a call, works out urgency, checks real availability, books the slot, and sends an SMS confirmation. Retell AI for the voice layer, Claude and GPT for reasoning, Twilio for telephony.

The hard part

Not the model. The guardrails. It cannot book a slot it has not verified, and it cannot quote a price it was not given. When it is unsure it escalates to a human with a summary, because an agent that confidently invents an appointment is worse than no agent at all.

Retell AIClaudeOpenAITwilioPythonFastAPI
Applied AI · Security

Custos

Live

A private AI assistant that answers questions about a company’s internal documents. The embedding model runs locally and the vector store is self-hosted, so document content never leaves the environment. Answers are scoped to what you are allowed to see, and every one of them cites the source it came from.

The hard part

The gate holds after the model is compromised. In red-team testing a poisoned document convinced the assistant to send an email, and it genuinely tried. The email never went, because tools with real-world effects cannot execute themselves — they return a single-use token that only a human confirmation redeems. Detection eventually fails against an attacker with unlimited attempts. That is the argument for putting the control underneath it rather than in front of it.

PythonFastAPIQdrantClaudeReactDocker
Data · Cloud

Reckon

Deployed

A business intelligence platform. Three data sources into a warehouse, cleaned and modelled with dbt, served through an API to a dashboard, with an AI copilot that answers questions in plain English. Infrastructure provisioned with Terraform and deployed to Kubernetes on AWS.

The hard part

Bad data fails the build, not the dashboard. Data-quality and freshness tests run inline with the transformation, so a failing test stops downstream models from materialising. Stale numbers never reach a screen someone is about to make a decision from. The copilot follows the same rule from the other direction: it refuses to answer on stale data rather than guessing, and its limits live in a read-only database role instead of in the prompt — so even a fully manipulated model cannot reach a raw record.

PythondbtRedshiftFastAPITerraformEKSHelm
Marketplace · Payments

Junta

Launching

A two-sided roofing marketplace. Homeowners post one standardized scope, vetted contractors bid blind, and the money sits in escrow until the work is confirmed. Full job lifecycle through dispute resolution, plus an admin console for verification and audit.

The hard part

Stripe Connect defaults to automatic daily payouts. Build escrow on top without changing that and Stripe quietly pays out on its own schedule, bypassing your hold entirely. Setting the connected account to manual payouts is the single load-bearing config in the whole system. Miss it and the escrow is theater.

React 19TypeScriptSupabasePostgres / RLSStripe ConnectVercel
Web · Compliance

Roster

In production

Operations and compliance software for regulated housing operators, built to a municipal ordinance with mandatory incident reporting and a five-year records retention minimum. Applicant intake, resident records, QR check-in, and a shareable inspector view.

The hard part

Hard DELETE is blocked at the database level. Not discouraged, blocked. A compliance record you can destroy is not a compliance record. Public form IPs are SHA-256 hashed, check-in photos are EXIF-stripped in the browser so GPS never reaches the server, and every anonymous endpoint runs through a function that whitelists the exact fields it can return.

React 19TypeScriptSupabasePostgres / RLSZod
Mobile · iOS

Vouch

In development

One curated Top 10 restaurant list per city, ranked by time-decayed community voting, so an opinion from two years ago weighs less than one from last week. Three-tier membership.

The hard part

The paywall is enforced on the server, not in the UI. A Cloud Function strips premium fields out of the response for non-members, so a modified client cannot unlock paid content. One vote per user is enforced at the database layer for the same reason. Anything you can bypass in DevTools was never really enforced.

FlutterDartFirebaseCloud FunctionsRevenueCat
Mobile · iOS

Chants

App Store submission

Find, learn, and vote on football chants. Built on a sport- and league-agnostic data model, so adding a new sport is data rather than new code. Full moderation stack: report, auto-hide at threshold, ban, audit log.

The hard part

Cloud Functions fire at least once, not exactly once, so I never increment the vote counters. They are recomputed from ground truth and set to an absolute value, which makes every write idempotent under duplicate triggers and out-of-order events. A privilege escalation hole in the security rules was also caught and closed in review.

FlutterDartFirebaseRiverpodApp Check
Experience 2017 → now
Oct 2022 → now
Senior Application Support Engineer
Vestmark · Wakefield, MA (Remote)

Technical liaison between enterprise financial institutions and engineering on the VestmarkONE wealth management platform. Own Tier-2 and Tier-3 escalations end to end: SQL optimization, XML configuration, REST integrations, SAML and SSO. Root-cause and impact analysis across portfolio management and trading workflows, then partner with engineering on the permanent fix rather than the patch.

Feb 2021 → Oct 2022
Senior Software Support Engineer
Veracross · Wakefield, MA (Remote)

Backend support and solutions for 300+ institutional customers across 20+ countries on an EdTech SaaS platform. Custom SQL reporting, Python tooling, API integration troubleshooting. Mentored three junior engineers on debugging, SQL, and client communication.

Mar 2019 → Feb 2021
Software Support Engineer
SSI Schäfer · Atlanta, GA

Java-based warehouse management systems processing millions of daily e-commerce transactions, including Walmart. SQL for migrations, corrections, and production diagnosis. Selected for on-call second-shift coverage of mission-critical systems.

Sep 2017 → Mar 2019
Software Developer
Honda Manufacturing of Indiana · Greensburg, IN

Java on a live assembly-line control application running real manufacturing operations at a target of 1,000 cars per day. Real-time plant signboard systems and business intelligence in Tableau and SAP BusinessObjects.

Stack What I reach for
Applied AI Claude and OpenAI APIs · Voice agents (Retell, VAPI, Twilio) · RAG · Prompt engineering and tool calling · Agent orchestration (custom agent loop, tool registry, execution gating) · Embeddings and vector search (Qdrant, local models) · Prompt-injection defence · PII redaction · Eval harness and red-team design · Guardrail and evaluation design
Cloud & infrastructure AWS (EKS, Redshift, S3, ECR, IAM) · Terraform · Kubernetes · Helm · Docker · Linux server administration · Reverse proxy and automatic TLS · DNS · Prometheus, Grafana, Loki
Data SQL (PostgreSQL, MySQL, SQL Server, Redshift) · dbt · Data modelling (raw, staging, marts) · Data-quality and freshness gating that blocks the build · Warehouse and S3 data lake
Languages Python · SQL · TypeScript / JavaScript · Dart · Java
Backend & product FastAPI · Supabase (Postgres, row-level security, Edge Functions) · Firebase (Firestore, Auth, Cloud Functions) · Stripe Connect · REST · Webhooks · SAML / SSO · React 19 · Next.js · Flutter
Testing Automated testing — unit, integration, security-rules and RLS isolation against live databases — with CI gates that block the build. Adversarial review at every milestone.
Enterprise Tier-2 / Tier-3 escalation · Requirements and functional specs · Root-cause and impact analysis · UAT · SaaS implementation · Agile / Scrum