I ship apps alone and keep them running — six on Google Play under my own name, 15k+ installs between them, the oldest live since 2018. Every one was built outside a day job, most of them while I held one. In the last six months I designed a context-engineering + structured-RAG engine, shipped it in two of those apps, and abstracted it well enough that the second product reused it rather than rebuilt it. It ships behind an LLM-as-Judge quality gate — prompt changes get measured, not eyeballed. I also author two MCP servers on npm, one curated into awesome-mcp-servers. Solo means solo: design, build, deploy, on-call — including responding to a CVSS 10.0 breach on my own production servers. Before that, 6 years of native mobile — Android-primary in Kotlin/Compose, with production iOS features shipped in Swift.
What I build
Six apps on Google Play — my own, not a day job
Published under my own developer account, built on my own time. The two AI ones share one abstracted engine: Sajumung (AI counseling) and Lunaday (women's health) — Flutter, Node/Mongo, Docker on EC2. The others are utilities I've kept alive since 2018 — long before LLMs made solo building fashionable. Mirror Camera passed 10k installs; the lunar calendar, 5k at 4.7★. All six →
15k+ installs · store listing to on-callAI / LLM systems
Structured RAG, context engineering, LLM-as-Judge evaluation with real statistics, MCP servers & agent tooling. OpenAI & AWS Bedrock / Nova. Application layer — not model training.
bedrock · nova · shippedIncident response — CVSS 10.0 on my own production servers
In May 2026 AWS flagged abuse on my EC2 host. Root cause: CVE-2025-66478 (React2Shell, CVSS 10.0) in Next.js — 3 of 9 production containers were compromised, with a ~5-month dwell time (2025-12 → 2026-05). I ran a 16-task response: patched Next.js, deny-by-default middleware, every container rebuilt non-root, all secrets rotated, and 1.2 GB of forensic evidence preserved (docker-save of the compromised containers) before teardown. The AWS Trust & Safety case was closed 2026-05-16.
The part I actually learned from: the fix regressed. The hotfix lived on the server and was never committed to git, so a June rebuild rolled the image back to the unpatched version and the host was re-infected. I back-synced server → git and closed the loop. Infra fixes that only exist on the box are not fixes.
cve-2025-66478 · forensics · non-root · postmortemMobile — Android-primary, production iOS
Kotlin / Jetpack Compose as my primary stack, plus Flutter / Riverpod. I've also shipped production iOS features in SwiftUI/Combine on two live App Store apps (Futuredigm, Petnow) — real iOS work, not a side claim of parity. 7 yrs on apps with real users.
kotlin · compose · swiftui · flutterFull-stack + deploy
Four web services I built and run on Docker/EC2/Nginx (Next.js, TypeScript, Prisma/Mongo): Korea Benefits Finder — 9,654 government benefits ingested from public open data and kept in sync; Seoul Date Course; Salary Calculator; AI Background Remover. From first commit to a running URL.
next.js · docker · ec2 · nginxAutomated video pipeline · side project
A pipeline I wrote and run unattended: LLM script & shot list → keyframe image generation → image-to-video → TTS dubbing → ffmpeg assembly with caption rendering. Output ships to two live YouTube channels — sample.
python · ffmpeg · unattendedHow I build with LLMs
Most of my AI work is at the application layer — turning models into features people actually use. Not model training or on-device inference optimization. Concretely:
Evaluation with actual statistics
I built a 6-dimension LLM-as-Judge harness as a quality gate on prompt and model changes — no prompt ships without passing it:
- Self-bias avoided — GPT-4o judges, GPT-4o-mini generates (never the same model grading itself)
- Judge reliability measured — Cohen's quadratic weighted kappa, so I know the judge is trustworthy before I trust its verdict
- Regressions caught statistically — Welch's t-test with Bonferroni correction, not eyeballing a few samples
- CoT + score calibration + few-shot; judge prompts versioned and hashed
I chose not to use a vector DB — and that was the right call
The default reflex is "RAG = embeddings + vector store." My domain data had a well-defined schema, so key-based lookup in MongoDB was more accurate, faster, and cheaper than embedding search — semantic similarity would have retrieved plausible-but-wrong records. So it's DB-backed structured RAG: multiple context sources (user profile, life context, emotional trend, prior sessions, cross-references) composed into one prompt per request, not top-k chunks glued together.
mongodb · structured ragSafety: the LLM is never the last line of defense
A counseling app receives real distress. Crisis detection is a deterministic keyword tier — regex, not a model, and that's the design choice, not a shortcut: a probabilistic model must never be what stands between a self-harm signal and a response. It grades into two tiers (Level 1 watch / Level 2 urgent); urgent cases are routed out of the generative path to Korea's national hotlines (1393 / 1577-0199). On analytics, a 5-stage filter means only positive, anonymized sessions feed service-level learning — personal data is structurally blocked from reaching another user.
Context window as a budget
Six consultation types, each pulling only the context that type actually needs — cutting API cost without cutting quality. Response params are adapted per question: complexity is classified (simple / moderate / deep) and max_tokens (350–800) and temperature (0.7–0.85) are set accordingly, instead of one fixed config for every call. Facts are extracted from each conversation (also regex, at the boundary) and written back to the user's context immediately — life changes stored as history rather than overwrites, so "what recently changed" stays answerable.
Proof it's an architecture, not a one-off
The same engine runs two unrelated products because it was abstracted, not rebuilt: Sajumung (counseling — real domain theory encoded into structured system prompts, every answer grounded in the user's own chart, not generic advice) and Lunaday — not a reskin: it adds a cycle-prediction algorithm and a full anonymous community (posts, threaded comments, reporting, admin moderation) on top of the shared engine.
2 domains · 1 engineMCP & agent tooling
Two published MCP servers. The hard part isn't the protocol — it's designing tool descriptions and return shapes so a model reaches for the right tool unprompted. API design for a non-human reader. session-continuity-mcp — curated into awesome-mcp-servers · mac-pilot-mcp
mcp · awesome-mcp-serversExperience
- Designed a Context-Engineering + structured-RAG counseling engine — multi-source merging to cut tokens, a self-harm-signal classifier routing to a safe-response path, and a self-built LLM-as-Judge evaluation loop.
- Shipped Sajumung & Lunaday on Google Play; reused one abstracted AI architecture as a web-service pipeline for 4 more services.
- Authored claude-session-continuity-mcp (curated into awesome-mcp-servers) and mac-pilot-mcp on npm.
- Owned incident response for a CVSS 10.0 breach (CVE-2025-66478) across my 9-container EC2 fleet — 16-task remediation, forensic preservation, everything rebuilt non-root; then fixed the process gap that let the patch regress.
- Amazon Nova AI Hackathon — ResumeAI, a multi-stage LLM pipeline on AWS Bedrock (AWS Builder feature).
- Android: stabilized infinite-scroll lists with Paging 3, fixed memory leaks on a live app.
- iOS: replaced synchronous API waits with a Combine-based async ordering flow under a no-redesign constraint — cutting screen-entry latency.
- Built core community screens (Riverpod) for a Flutter renewal; migrated infra NCloud → AWS (EC2/RDS).
- Shipped the biometric pet-ID app from v1.0 through v3.3.1 — identity from a dog's nose print, the way a fingerprint identifies a person.
- Introduced Dynamic Feature modules for global rollout; designed multi-module architecture; integrated Amplitude.
- Built and maintained production iOS features in SwiftUI/Combine MVVM; introduced Firebase & Swift Package Manager.
- Led the app team; designed MQTT + Socket.io real-time order intake for a POS system.
- Mediated an implementation conflict between the server team and iOS over payment-Intent handling — resolved it with sample code and a written sequence spec rather than another meeting. That artifact became the team's standard for communicating with outsourced partners.
- Replaced numeric-index paging with time-based paging stable under dynamic insert/delete.
- A neighborhood community app I took from concept to store entirely solo — before LLMs could write code for me: board, threaded comments, 1:1 chat with read state, in-app purchases.
- Kotlin/Compose client, Node backend on EC2/S3, CI via GitHub Actions.
- Built both the Android app and Node.js backend; designed a text-indexed "overline" DB model.
- Image processing (Sharp/Multer), scheduled jobs, GCP + Docker deploy.
Skills
Certifications
- Anthropic Academy — MCP: Advanced Topics · Subagents · Claude API · Claude Code in Action (2026)
- Engineer Information Processing · B.S. Software Engineering, Korea Polytechnic University
Available: contract now · full-time from Aug 2026 · rate on request · remote only.