Dmitrii Mukomel (@dmitrii.mukomel)

Founder, Sirius IT · Full-Stack Engineer with Security-First Architecture

Founder · liracode.dev · Available for new work

Full-stack engineer who works problem-first: identifies real operational friction, designs an architecture against it, and ships solo to production. Security is treated as a primary design constraint, not a bolt-on — threat modeling, Zero Trust, defense-in-depth applied to every system. Three flagship products live in production: Boheme.art (multi-party art-marketplace escrow coordinating Stripe Connect + carrier + insurance APIs), workes.co.il (multilingual Israeli jobs platform with migrant-worker identity verification under Israeli Privacy Law), and liracode.dev (Sirius IT's secure cloud development environment with a PII-safe AI routing pipeline). Native-level English, US-market client experience, specification-and-TDD discipline that turns generative output into auditable systems.

By the numbers

Shipped, measured, in production

  • 5,735 passing tests
  • 335 findings remediated
  • 9-layer defense-in-depth
  • ~100k ₪/yr operational capacity freed
  • ~60% manual workload cut

Experience

Roles built around the real constraint

Founder & Full-Stack Engineer

Sirius IT (חברה בע״מ)

2025 – Present
  • Founded a registered Israeli company delivering secure-by-design AI infrastructure to mid-market businesses and defense-adjacent customers — negotiated with data centers, assembled server configs, ran delivery, networking and operations end-to-end.
  • Problem: regulated teams want cloud-AI productivity gains but cannot send sensitive code or customer data outside their trust boundary. Today they choose between speed and sovereignty.
  • Built liracode.dev — a cloud development environment that runs the choice automatically: a PII-detection-and-masking pipeline routes sensitive prompts to local models and clean prompts to cloud LLMs. Multi-tenant, multi-country: PII detection happens on-site in partner countries; only masked tokens cross borders via mTLS.
  • Architected on Deno + clean architecture (ports & adapters, type-state machines, immutable tenant context). Isolated network segments, mTLS everywhere, zero-BYPASSRLS at the DB, multi-step JWT validation, billing-proxy isolation so the gateway never holds payment secrets.

Founder / CTO

Boheme.art

Nov 2025 – Present
  • Problem: art buyers and sellers don't trust each other — buyers fear losing payment after sending art, sellers fear non-payment after shipping. Designed a multi-party escrow capturing (not charging) funds at purchase, holding them until delivery is verified, then releasing to the artist.
  • Coordinated three trust-critical async paths in one state machine: Stripe Connect capture/release, carrier tracking (EasyPost for <$10k, Arta white-glove for >$10k fine art), and insurance — idempotent webhook processing across all three providers.
  • Killed a P0 double-transfer fraud bug from Stripe's auto-transfer parameter (paying out twice on every sale). Eliminated TOCTOU race conditions in the financial state machine with atomic Postgres stored procedures (FOR UPDATE + SECURITY DEFINER invariant gates). Remediated 335 findings total after fixing a verification-script subshell bug that had been hiding them.
  • 9-layer defense-in-depth where every layer closes a specific attack class. Solo build: 17 modules across 4 bounded domains, Flutter mobile + Next.js web in Turborepo, every architectural decision captured in an ADR before code, 5,735 passing tests.
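The two bullets above describe idempotent webhook handling and a TOCTOU-free state machine gated inside Postgres. The following is an added illustration of that pattern, not code from Boheme.art or the author: a `SECURITY DEFINER` function that records each provider event once, takes a row lock with `SELECT ... FOR UPDATE`, and only then applies a transition from an explicit allow-list. Table names, state names and the `app_role` grantee are assumptions.

```sql
-- Constructed schema (assumed, not the project's own): escrow rows plus a ledger
-- of provider events that have already been applied.
CREATE TABLE escrows (
  id    bigint PRIMARY KEY,
  state text   NOT NULL CHECK (state IN ('captured','delivered','released','refunded'))
);
CREATE TABLE processed_events (
  provider text NOT NULL,            -- 'stripe' | 'carrier' | 'insurer'
  event_id text NOT NULL,            -- the provider's own event id
  PRIMARY KEY (provider, event_id)
);

-- The invariant gate: the only place a transition can happen.
CREATE OR REPLACE FUNCTION escrow_transition(
  p_escrow_id bigint, p_provider text, p_event_id text, p_next text)
RETURNS text
LANGUAGE plpgsql
SECURITY DEFINER                       -- runs as the owner, not the calling role
SET search_path = pg_catalog, public   -- pinned so the definer cannot be hijacked
AS $$
DECLARE
  v_state text;
BEGIN
  -- Idempotency: a replayed webhook collides on the PK and is applied zero times.
  INSERT INTO processed_events (provider, event_id)
  VALUES (p_provider, p_event_id)
  ON CONFLICT DO NOTHING;
  IF NOT FOUND THEN
    RETURN 'duplicate';
  END IF;

  -- Row lock: concurrent handlers for the same escrow serialise here, so no other
  -- writer can slip between the check below and the UPDATE (no TOCTOU window).
  SELECT state INTO v_state FROM escrows WHERE id = p_escrow_id FOR UPDATE;
  IF NOT FOUND THEN
    RAISE EXCEPTION 'unknown escrow %', p_escrow_id;
  END IF;

  -- Allow-list of legal edges; anything else aborts the whole transaction,
  -- which also undoes the processed_events insert so the event is not marked done.
  IF NOT ((v_state, p_next) IN (('captured','delivered'),
                                ('delivered','released'),
                                ('captured','refunded'))) THEN
    RAISE EXCEPTION 'illegal transition % -> %', v_state, p_next;
  END IF;

  UPDATE escrows SET state = p_next WHERE id = p_escrow_id;
  RETURN p_next;
END;
$$;

-- The application role may only call the gate; it gets no direct write path to escrows.
REVOKE ALL ON escrows FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION escrow_transition(bigint, text, text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION escrow_transition(bigint, text, text, text) TO app_role;
```

Calling `escrow_transition(1, 'stripe', 'evt_1', 'delivered')` twice returns `delivered` then `duplicate`; a second concurrent call for the same escrow blocks on the row lock until the first commits, then sees the updated state.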

Business Automation Architect

Bravo

Apr 2025 – Present
  • Problem: logistics team burning two hours daily on paper-based order processing and reconciliation against RIVHIT (Israel's standard accounting platform). Went on-site, identified the binding constraint before writing code, decomposed the workflow, built the integration — operational capacity freed: ~100,000 ₪/year; handoff documentation kept the insight inside the team.

Freelance Researcher & Process Automation Developer

Upwork

Sep 2024 – Present
  • US-market clients, fully remote under NDA. Reduced manual workloads by ~60% through targeted automation; delivered documented solutions, not just functional code — structured output as default.

How the work is framed: problem-first. Each role started by finding the binding constraint the operator felt — then architecting against it before writing code.

Live Products

Three products, in production

Each one leads with the problem it solved, then what I shipped — the structure encodes a problem-first practice.

workes.co.il

Multilingual Israeli Jobs Platform

Problem Solved

Israel's labor market is multilingual (HE/RU/AM/TH/FR/HI/EN) and includes migrant workers who must verify employment eligibility using government identity documents — Teudat Zehut, Darkon, foreign passports. Existing platforms either don't speak their language or can't handle the compliance load.

What I Built

7-language platform with full RTL support, phone-OTP via WhatsApp, and a zero-document-storage identity verification model — documents travel from the user's browser directly to the verification provider via iframe isolation; our servers never see them. Envelope encryption (AES-256-GCM keys wrapped by Vault KEK) for the data we do hold. Admin panel with AAL2 MFA gating and content management. Compliance: Israeli Privacy Protection Law (Amendment 13), ILITA-ready, GDPR (right-to-erasure cascading across 15+ tables).

Stack: Next.js 16, TypeScript, Postgres · RLS, Supabase, GCP me-west1, Didit Identity, AES-256-GCM, Vault

liracode.dev

Sirius IT · Secure Cloud Dev Environment

Problem Solved

Developers in regulated markets — Israeli defense, healthcare, fintech, government suppliers — need cloud-AI productivity gains, but cannot send their code or customer data to third parties. Today they choose between speed and sovereignty.

What I Built

Cloud development environment that runs the choice automatically: a PII-detection pipeline classifies and masks every prompt, routes sensitive code to local models inside the trust boundary, clean prompts to cloud LLMs for speed. Built on Deno + clean architecture (ports & adapters, type-state machines, immutable tenant context). Isolated network segments, mTLS everywhere, zero-BYPASSRLS at the DB, multi-step JWT validation, billing-proxy isolation. Multi-country: PII detection on-site in partner countries, only masked tokens cross borders via mTLS.

Stack: Deno, TypeScript, FastAPI, Postgres · RLS, Zitadel OIDC, Vault, Caddy · mTLS, vLLM · Qwen 3.5 (A100), Falco · SigNoz

Bravo Business Automation

RIVHIT Integration · Logistics Order Processing · Live

Problem Solved

Logistics team burning two hours per day on paper-based order processing and reconciling against RIVHIT, Israel's standard accounting platform. Real business friction, real money on the floor.

What I Built

Went on-site, watched the operators, identified the binding constraint before writing a line of code. Decomposed the workflow, built the RIVHIT integration, eliminated the manual handling. Outcome: ~100,000 ₪/year capacity freed; handoff documentation kept the insight inside the team.

Stack: Node.js, TypeScript, RIVHIT API, n8n

Tech Stack

Tools chosen to fit the problem

Stack-agnostic by discipline — tools chosen to fit the problem, never the reverse.

Daily Stack — current production work

TypeScript, Deno, Node.js, Python, Next.js, React, React Native, Flutter, Tailwind, Framer Motion, FastAPI, PostgreSQL, Supabase, Redis, Stripe Connect, Zitadel, Caddy, Vault, OWASP ZAP, Snyk, Trivy, SonarQube, Docker, GCP, AWS, Vercel, Cloudflare, Vitest, Playwright, Jest

Languages

Shipped production code in: JS, Go, Ruby, C, C++, Dart, R

Backend

Shipped production code in: NestJS, Express, Fastify, Django, Rails, Vue, GraphQL

Data & Storage

Shipped production code in: Mongo, MySQL, SQLite, Neo4j, DynamoDB, Firebase, Elastic

Infra / Ops

Shipped production code in: K8s, Nginx, Prometheus, GH Actions, Git

Data / ML

Shipped production code in: Pandas, PyTorch, Power BI

Tooling

Shipped production code in: Figma, Three.js, Postman, OpenAPI, n8n

Key Skills

Engineering practice & security architecture

Engineering Practice

  • Problem-first design: identify the binding constraint → architect against it → ship
  • Clean architecture: ports & adapters, type-state machines, bounded contexts
  • TDD discipline with ADR coverage of every architectural decision
  • Spec-driven build: PRD → spec pods → tests → implementation
  • Solo end-to-end delivery: web + mobile + infra + ops
  • US-market remote client communication; native-level English

Security Architecture

  • Zero Trust, defense-in-depth, least privilege as design defaults
  • Threat modeling + explicit trust-boundary mapping
  • PII under Israeli Privacy Law + GDPR: zero-document-storage, envelope encryption (AES-256-GCM, Vault KEK)
  • Payment security: Stripe Connect escrow, MFA gates, fraud velocity scoring
  • DevSecOps: OWASP ZAP, Snyk, Trivy, SonarQube; Postgres RLS + SECURITY DEFINER + advisory locks
  • Adversarial: Kali Linux MCP framework for automated pen-testing (HackerOne disclosure)

How I Work

The cognitive model

I start every project by hunting for the real constraint — the friction the operator feels but doesn't always articulate. Then I design backward from it: what's the minimum architecture that resolves it, what trust boundaries does it cross, what fails if a component is compromised. Implementation is the last and easiest step. Security isn't a separate workstream — it's part of the same design pass that produced the data model. Three live products and a registered Israeli company are what came out of that loop.

On security: Security ≠ a phase.

Additional Background

The abstraction muscle

  • Music production 8 yrs + guitar 4 yrs — trained the abstraction muscle: scales as shapes, chords as voicings, architecture as modules. Patterns applied at the right level, not memorised as rules.
  • Art Projection Studio 7 yrs under Nikolai & Tatiana Selivanov (Georgia, France, Germany) — formative-years apprenticeship where the instinct to think in systems took root.
  • MIT/Harvard/Stanford open courses (CS50, Distributed Systems, Neurobiology) + critical thinking & philosophy of mind — masterclass in structured decomposition of complex systems.

Business & Data Analytics — Reichman University, Herzliya

2nd year, in progress · Relevant coursework: Economics, Data-Driven Decision Making, Entrepreneurship

Let's build something secure

Available for new work — security-first full-stack engineering, solo end-to-end delivery from architecture to production.