
Case study · 2026 · live

Northbridge Horizon

A small IAM sandbox where everything actually works the way it would in production. Real tokens you can't forge, audit logs you can't quietly tamper with, revocation that takes effect in about a second, two-person approval for risky operations, and a page that's honest about what's real vs theatrical.

TypeScript·Express 5·Postgres·Drizzle·JWT·React

01 · Problem

Most IAM portfolio demos fall apart the second you look at them with a senior engineer's eyes. The tokens don't behave like real tokens. The audit logs are append-only labels on a normal table. A hardcoded button click counts as 'authentication.' I wanted to build something honest — a small sandbox where every part actually works the way it would in production, and the parts that aren't real are named out loud.

02 · Approach

  1. Token issuance you can verify. Real RSA signing keys generated at boot, the public side served at a standard JWKS URL, so any client can pull the key and check a signature without trusting the server.

  2. Revocation that actually takes effect. Every token carries an epoch, and joining/moving/leaving bumps it. A separate verifier page proves a stale token flips to STALE_EPOCH within about a second of a Leaver event in another tab.

  3. Audit logs you can't tamper with quietly. Each row carries a hash of itself plus the previous row, so any edit breaks the chain. There's a verifier endpoint that walks the chain and names the first row that doesn't add up.

  4. Two-person approval for risky operations, with step-up auth required. Same-session approval is blocked. Privileged break-glass demands a single-use token from a second person and gets stamped with a higher trust level. Explicit deny still wins — break-glass can't override it.

  5. Non-human identity treated as a first-class object. Every service account has an owner, a stated purpose, a credential type, and a rotation cadence. Two governance views catch the 'owner quit, agent kept its keys' case and the 'rotated 187 days ago' case.

  6. A /redteam page that just lists what's real vs what's theatrical — what the site doesn't have, what it fakes, what would need real work to ship to a customer. Reviewers don't have to guess.
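The chain walk from item 3 above, as an added TypeScript example (not the Northbridge Horizon code; the row fields, the SHA-256-over-canonical-JSON hashing and the sample rows are assumptions):

```typescript
// Added example (not Northbridge Horizon's own code): a hash-chained audit
// log and the verifier that names the first row whose hash no longer adds up.
import { createHash } from "node:crypto";

interface AuditRow {
  seq: number; actor: string; action: string; ts: string;
  prevHash: string; // hash of the previous row, "" for the first row
  hash: string;     // SHA-256 over this row's fields plus prevHash
}

// Fixed field order so the hash is reproducible; the row's own hash field is excluded.
function rowHash(r: Omit<AuditRow, "hash">): string {
  return createHash("sha256")
    .update(JSON.stringify([r.seq, r.actor, r.action, r.ts, r.prevHash]))
    .digest("hex");
}

function appendRow(log: AuditRow[], actor: string, action: string, ts: string): AuditRow {
  const prevHash = log.length ? log[log.length - 1].hash : "";
  const partial = { seq: log.length + 1, actor, action, ts, prevHash };
  const row: AuditRow = { ...partial, hash: rowHash(partial) };
  log.push(row);
  return row;
}

// Walks the chain from the first row. Returns null if every row's hash and
// prevHash link check out, otherwise the seq of the first row that fails.
function verifyChain(log: AuditRow[]): number | null {
  let expectedPrev = "";
  for (const r of log) {
    if (r.prevHash !== expectedPrev || rowHash(r) !== r.hash) return r.seq;
    expectedPrev = r.hash;
  }
  return null;
}

// Constructed sample: a joiner/mover/leaver sequence, then two tampering cases.
function demo(): { intact: number | null; edited: number | null; rehashed: number | null } {
  const log: AuditRow[] = [];
  appendRow(log, "alice", "joiner:bob", "2026-01-05T09:00:00Z");
  appendRow(log, "alice", "mover:bob->finance", "2026-01-06T09:00:00Z");
  appendRow(log, "carol", "leaver:bob", "2026-01-07T09:00:00Z");
  const intact = verifyChain(log);
  log[1].action = "mover:bob->admin";   // quiet edit: row 2's stored hash is now wrong
  const edited = verifyChain(log);
  log[1].hash = rowHash(log[1]);        // recompute row 2's hash to hide the edit...
  const rehashed = verifyChain(log);    // ...but row 3's prevHash still commits to the old one
  return { intact, edited, rehashed };
}
```

The second tampering case is why each row commits to the previous row's hash: recomputing one row's hash only moves the break to the next row, so the verifier still names it.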

03 · Outcome

Live at northbridge.zacgibson.work. Narrow on purpose — but the primitives that are in it (issuance, revocation, audit integrity, two-person elevation, NHI lifecycle) are implemented the way you'd implement them in production, not the way you'd implement them in a demo. The /redteam page makes that promise checkable.
