the control-plane studio · selected work

Two control planes.
Nothing moves unreviewed.

Orb, built for a tier-1 bank's GitHub Enterprise across 2023–2026, files every edit as a reviewed pull request. Meridian, the operations CLI at a media-tech platform, mutates nothing without --execute. Each is shown in the design system it shipped with.

01 — Orb rendered in its own design system · Ledger

Orb · governance control plane / a tier-1 bank · GitHub Enterprise / design system — Ledger
orb · recursive broker · est. 2026
§ 01 · zero-direct-write

A governed console for the whole of GitHub — that cannot change a thing on its own.

Orb is an audit-grade access broker for GitHub Enterprise, built across a tier-1 bank's SDLC (2023–2026). It gives non-CLI users a governed surface for organizations, repositories, rulesets and role-based access inside a regulated bank — permission rendered as weight, not colour.

Its defining trait is zero-direct-write: the interface holds every change as staged state and cannot touch production. To make a change real it files a sync — a pull request under your own identity — reviewed and then reconciled downstream. The tool proposes; the record decides.

  1. Stage
    Held, not written
    Edits accumulate client-side as unsynced state. Nothing has happened yet.
  2. File a sync
    A reviewed pull request
    The staged change is filed as a PR under your identity — never written straight to live state.
  3. Review
    Filed, or returned
    Approved, amended, or returned at a gate. The exact plan is visible before it is real.
  4. Reconcile
    Now it is live
    On merge, a downstream run reconciles the change into state. Only now — and fully audited.
2 unsynced edits → file a sync → filed
crimson is earned by state, never decoration
orb · ledger v0.1 · § 01.A · governed by review, not by access

02 — Meridian rendered in its own design system · v4

Meridian · operations CLI / a media-tech platform / design system — v4
meridian · all lines converge

Run it local. Ship one image. Nothing mutates without --execute.

Meridian is the plan-first operations CLI behind a media-tech company's supply-chain platform. It runs the backend locally and ships a single proven image to AWS — and every command that would touch infrastructure, images or release tags prints the exact plan and stops.

Nothing runs without --execute. The spine is Terraform on AWS with keyless GitHub-OIDC, CalVer release trains (meridian/v2026.06.1), and per-client deploys that can never cross tenants. Pure engine modules return data; a thin CLI is the only thing that touches a process, and it passes commands as argv lists, never through a shell.

meridian — plan, then gate
$ meridian deploy acme --to prd
 plan · deploy acme → prd
  1  build    image   sha-4f2c1ab
  2  publish  ecr     acme/app:sha-4f2c1ab
  3  release  ecs     acme-prd  (rolling)
  4  verify   health  gate
  ───────────────  --execute  ───────────────
  nothing mutated. add --execute to apply.

$ meridian deploy acme --to prd --execute
 build    sha-4f2c1ab
 publish  acme/app:sha-4f2c1ab
 release  acme-prd
 verify   health gate passed
 deployed acme → prd · sha-4f2c1ab · 2m 41s
meridian · v4.0 flagship · 2026.06 · one reference line, from commit to client
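
The plan-then-gate split described above, sketched in Python as an added example; it is not Meridian's code. The tenant registry, the function names and the docker/aws commands in the plan are assumptions made for illustration.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed tenant registry: each client maps only to its own services.
TENANTS = {"acme": {"prd": "acme-prd"}, "globex": {"prd": "globex-prd"}}
SHA_RE = re.compile(r"[0-9a-f]{7,40}")

@dataclass(frozen=True)
class Step:
    name: str
    argv: tuple  # argument vector; never joined into a shell string

def plan_deploy(client, env, sha):
    """Pure engine function: returns the plan as data and touches nothing."""
    if env not in TENANTS.get(client, {}):
        raise ValueError(f"unknown target {client!r} -> {env!r}")
    if not SHA_RE.fullmatch(sha):
        raise ValueError(f"not a commit sha: {sha!r}")
    # Service and image are derived from the client's own registry entry,
    # so a plan cannot name another tenant's resources.
    service = TENANTS[client][env]
    image = f"{client}/app:sha-{sha}"
    return [
        Step("build", ("docker", "build", "-t", image, ".")),
        Step("publish", ("docker", "push", image)),
        Step("release", ("aws", "ecs", "update-service", "--cluster", service,
                         "--service", service, "--force-new-deployment")),
        Step("verify", ("aws", "ecs", "wait", "services-stable",
                        "--cluster", service, "--services", service)),
    ]

def apply(plan, execute=False, runner=subprocess.run):
    """Thin CLI layer: prints the plan; runs it only when execute is True."""
    for i, step in enumerate(plan, 1):
        print(f"  {i}  {step.name:<8} {' '.join(step.argv)}")
    if not execute:
        print("  nothing mutated. add --execute to apply.")
        return 0
    for step in plan:
        # shell=False: each element reaches the program as one argument.
        runner(list(step.argv), shell=False, check=True)
    return len(plan)

if __name__ == "__main__":
    apply(plan_deploy("acme", "prd", "4f2c1ab"))  # dry run only
```

Because the engine returns data and the runner is injectable, the gate can be tested without touching a process.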
the pattern

Two designs.
One gate.

Orb files every change as a pull request; Meridian prints every change as a plan. A bank and a media platform, years apart — and the same gate holds in both: nothing goes live until the full plan is approved. The bad day has nowhere to start.