
Runs on Cloudflare

This resume isn't a PDF on a file server. It's a working edge application: the document lives in a Durable Object, AI restyles run at the edge, a real headless Chrome prints the PDF, and Zero Trust guards the editor.

This page is the system diagram, with live numbers from the app itself. It's also a static asset on the same Worker: only the stats call below does any compute.

$0/mo free plan · 10 Cloudflare services · 3 custom domains · MCP-queryable · maintained by AI agents

The architecture

YOU · Visitors: read, remix, restyle (any browser)
BOT · Agent fleet: maintains the doc (x-edit-key, JSON API)
Custom domains: resume.berglabs.net, resume.seanyoungberg.com (DNS + TLS at the edge)
W · Worker berglabs-resume-lab: routing · auth · exports; static UI (vanilla JS, no build step); wrangler deploy
DO · ResumeDoc (/api/resume): SQLite doc: items + wording variants, 30 revisions, optimistic rev guard (409)
DO · RateLimit (budget check): per-IP hourly + global daily budgets protect the public AI endpoints
AI · Workers AI (/api/reword · /api/speak): llama-3.3-70b restyles a line; aura-1 reads it aloud. Never saved
BR · Browser Rendering (/resume.pdf): headless Chrome prints the saved doc; edge-cached by doc revision
ZT · Access (Zero Trust) (/edit · one-time PIN): email OTP gate; the Worker verifies the JWT itself (aud · iss · RS256)

One Worker fronts everything. Public traffic gets the published view; the owner signs in through Access with an email one-time PIN; agents speak JSON through a keyed API (pull → transform → push, with the revision guard rejecting stale writes). The AI endpoints sit behind the RateLimit object so the free-tier budget survives the internet.

Live from the edge

Self-counted by a Durable Object since . No analytics scripts, no cookies.

Resume views
AI restyles
PDFs printed by Chrome
Voice plays
Podcasts generated
Notes left for Sean

Restyles by voice

The document itself

Revision
Last saved
Revisions retained: last 30
PDF cache key

How it's counted: views come from a tiny beacon in the page (the owner, his agents, and the PDF printer's own page loads are excluded); restyles, prints, and exports are counted server-side where they run. Honest numbers, small numbers.

W

Workers · compute

One Worker is the whole app: routing, Access JWT verification, the reword and stats APIs, markdown export, and the static UI. The client is vanilla JS with no framework and no build step. Deploys are atomic via wrangler, and observability is on.

DO

Durable Objects · state

ResumeDoc, a SQLite-backed object, holds the document: sections hold items, items hold wording variants (the rewording history that used to get lost). It keeps the last 30 revisions and an optimistic-concurrency guard: a stale save gets a 409, not a clobber. RateLimit and Stats objects meter the public AI endpoints and count this page's numbers.

AI

Workers AI · inference

Two models. Restyle runs llama-3.3-70b-instruct-fp8-fast, grounded on a digest of the published resume so it stays inside the facts. Speak runs deepgram/aura-1: the restyle picks the words, the voice matches the flavor (Hillbilly gets the folksiest voice in the catalog). Identical audio is edge-cached, so replays cost nothing. All of it is ephemeral: fun on screen, never written to the doc.

BR

Browser Rendering · pdf

The PDF is printed by a real headless Chrome session driven with puppeteer: it loads the saved document exactly as a reader sees it and prints to letter. The edge caches the result keyed by document revision, so it re-renders only after a save.

ZT

Access · zero trust

The editor and admin API sit behind Cloudflare Access with an email one-time PIN, scoped to one identity. The Worker independently verifies the Access JWT (aud, issuer, expiry, RS256 against team certs), so the API stays locked even when hit directly.
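The checks named above (aud, issuer, expiry, RS256 against the team's published keys), as an added example rather than the site's own Worker code. The key pair, issuer URL, AUD tag and the mint helper are constructed so it runs offline; a deployed Worker would load the JWKS from the team's certs endpoint and pass the current time.

```javascript
// Added example, not the site's Worker code. Keys, issuer and AUD tag are constructed.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle; // require: Node < 19 only
const enc = new TextEncoder();
const RS256 = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };
const toBytes = (s) => Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));
const toB64u = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// jwks: parsed JSON of the signing keys. expected: { aud, iss, now } with now in seconds.
async function verifyAccessJwt(token, jwks, expected) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = String(token).split(".");
  if (parts.length !== 3) return fail("malformed");
  let header, claims, sig;
  try {
    [header, claims] = parts.slice(0, 2).map((p) => JSON.parse(new TextDecoder().decode(toBytes(p))));
    sig = toBytes(parts[2]);
  } catch { return fail("malformed"); }
  if (!header || !claims) return fail("malformed");
  // Pin the algorithm; the token never chooses it (rejects alg=none and HS256 confusion).
  if (header.alg !== "RS256") return fail("alg");
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) return fail("kid");
  const key = await subtle.importKey("jwk", jwk, RS256, false, ["verify"]);
  if (!(await subtle.verify(RS256.name, key, sig, enc.encode(parts[0] + "." + parts[1])))) return fail("signature");
  // Claims are trusted only after the signature checks out.
  if (![].concat(claims.aud ?? []).includes(expected.aud)) return fail("aud");
  if (claims.iss !== expected.iss) return fail("iss");
  if (typeof claims.exp !== "number" || claims.exp <= expected.now) return fail("expired");
  return { ok: true, email: claims.email };
}
// Test helper standing in for Access: signs claims with a locally generated key.
async function mint(privateKey, claims, alg = "RS256") {
  const seg = (o) => toB64u(enc.encode(JSON.stringify(o)));
  const input = seg({ alg, kid: "k1" }) + "." + seg(claims);
  return input + "." + toB64u(await subtle.sign(RS256.name, privateKey, enc.encode(input)));
}
async function demo() {
  const pair = await subtle.generateKey(
    { ...RS256, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) }, true, ["sign", "verify"]);
  const jwks = { keys: [{ ...(await subtle.exportKey("jwk", pair.publicKey)), kid: "k1" }] };
  const want = { aud: "constructed-aud-tag", iss: "https://team.example.invalid", now: 1000 };
  const good = { aud: [want.aud], iss: want.iss, exp: 2000, email: "owner@example.com" };
  const check = async (claims, alg) => verifyAccessJwt(await mint(pair.privateKey, claims, alg), jwks, want);
  const forged = (await mint(pair.privateKey, good)).split(".");
  forged[1] = toB64u(enc.encode(JSON.stringify({ ...good, email: "intruder@example.com" })));
  return { good: await check(good), wrongAud: await check({ ...good, aud: ["other-app"] }),
    expired: await check({ ...good, exp: 999 }), algNone: await check(good, "none"),
    forged: await verifyAccessJwt(forged.join("."), jwks, want) };
}
```

Because the audience check runs inside the Worker, a token issued for a different Access application under the same team is refused even though its signature is valid.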

AIG

AI Gateway · observability

Every Workers AI call (restyle, voice, podcast, moderation) flows through an AI Gateway, so each request is logged with its model, latency, token count, and cache status. It's the govern-the-AI-bill layer: caching, rate limits, spend caps, and provider fallback, measured on real traffic.

D1

D1 · ugc storage

Highlight any line and leave Sean a note, a question, or a genuine roast. It lands in a D1 SQLite database (one row, a crypto UUID, anchored to the section you highlighted). Nothing is shown on the page — the owner reads it through the Access-gated admin API.

🛡

Turnstile + Llama Guard · trust & safety

Before a note is stored, Turnstile (Cloudflare's privacy-first CAPTCHA) keeps bots out, and Llama Guard 3 on Workers AI moderates the content — flagging genuine harm (threats, hate) while letting an honest roast through. Fail-closed: if the moderator errors, the note is held for review.

WAF

Defense in depth · abuse control

The AI endpoints are guarded in layers: a WAF rate-limit rule stops floods at the edge before the Worker even runs, a Durable Object enforces fair per-user AI budgets, and expensive partner models are hard-capped with results edge-cached. Cost stays bounded even under abuse.
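The Durable Object layer of that stack, modeled as an added example (not the site's RateLimit object): a per-IP hourly budget and a global daily budget, both checked before either is charged. The limit values, the fixed-window scheme and the addresses are constructed for illustration.

```javascript
// Added example, not the site's RateLimit object. The limit values are constructed.
const HOUR = 3_600_000, DAY = 24 * HOUR;

class AiBudget {
  constructor({ perIpHourly, globalDaily }) {
    this.limits = { perIpHourly, globalDaily };
    this.perIp = new Map();             // ip -> { win, used } for the current hour window
    this.global = { win: -1, used: 0 }; // counter for the current day window
  }
  // Returns { allowed, reason?, retryAfterMs? }. Budget is consumed only when allowed.
  take(ip, nowMs) {
    const hourWin = Math.floor(nowMs / HOUR), dayWin = Math.floor(nowMs / DAY);
    if (this.global.win !== dayWin) this.global = { win: dayWin, used: 0 };
    for (const [k, v] of this.perIp) if (v.win !== hourWin) this.perIp.delete(k); // drop stale windows
    const slot = this.perIp.get(ip) ?? { win: hourWin, used: 0 };
    // Check both budgets before charging either, so a refused call costs nothing.
    if (this.global.used >= this.limits.globalDaily)
      return { allowed: false, reason: "global-daily", retryAfterMs: (dayWin + 1) * DAY - nowMs };
    if (slot.used >= this.limits.perIpHourly)
      return { allowed: false, reason: "per-ip-hourly", retryAfterMs: (hourWin + 1) * HOUR - nowMs };
    slot.used += 1;
    this.global.used += 1;
    this.perIp.set(ip, slot);
    return { allowed: true };
  }
}

function demo() {
  const budget = new AiBudget({ perIpHourly: 3, globalDaily: 5 });
  const t0 = 10 * DAY + 5 * HOUR; // constructed clock: 05:00 on an arbitrary day
  const a = [0, 1, 2, 3].map((i) => budget.take("203.0.113.7", t0 + i * 1000));
  const b = [0, 1].map((i) => budget.take("198.51.100.9", t0 + 60_000 + i));
  const c = budget.take("192.0.2.44", t0 + 120_000);       // global budget is now spent
  const aNextHour = budget.take("203.0.113.7", t0 + HOUR); // hour reset, day still spent
  const aNextDay = budget.take("203.0.113.7", t0 + DAY);
  return { a, b, c, aNextHour, aNextDay };
}
```

A Durable Object handles one request at a time per instance, which is what lets a plain read-then-increment like this stay correct without locks.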

RAG

Ask about Sean · vectorize + r2

A separate Worker at ask.berglabs.net answers questions about Sean over his résumé and public GitHub repos. The corpus lives in R2, is embedded with Workers AI (bge), indexed in Vectorize, and answered by llama grounded on the retrieved chunks — the edge-native version of an embeddings memory, all through the AI Gateway.

{}

The agent contract · api

This resume is maintained by AI agents. They pull the full document as JSON, transform it, and push it back through the revision guard. Every line is an item with tagged wording variants; the Skill Mix widget reads the same tags the agents write. And it's queryable over MCP: add mcp-resume.berglabs.net/mcp to an MCP client and ask the live document questions (a separate facade Worker; each session is a Durable Object).
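The pull → transform → push loop and the revision guard described here and under Durable Objects, as an added in-memory model (not the site's ResumeDoc code). The item/variant shape, the retry policy and the sample wording are assumptions; only the 409-on-stale-save behavior and the 30-revision retention come from the page.

```javascript
// Added example: in-memory model of the revision guard, not the site's Durable Object code.
// The item/variant shape and the retry policy are assumptions for illustration.
const KEEP = 30; // the page states the last 30 revisions are retained

class DocStore {
  constructor(doc) { this.rev = 1; this.doc = doc; this.history = [{ rev: 1, doc }]; }
  pull() { return { rev: this.rev, doc: structuredClone(this.doc) }; }
  // baseRev is the revision the writer pulled; a mismatch means another save landed first.
  push(baseRev, doc) {
    if (baseRev !== this.rev) return { status: 409, rev: this.rev };
    this.rev += 1;
    this.doc = structuredClone(doc);
    this.history.push({ rev: this.rev, doc: this.doc });
    if (this.history.length > KEEP) this.history.splice(0, this.history.length - KEEP);
    return { status: 200, rev: this.rev };
  }
}

// Agent side: pull -> transform -> push. On 409, re-pull so the transform runs on fresh state.
function agentEdit(store, transform, maxAttempts = 3) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const { rev, doc } = store.pull();
    const res = store.push(rev, transform(doc));
    if (res.status !== 409) return { ...res, attempts: attempt };
  }
  return { status: 409, attempts: maxAttempts };
}

function demo() {
  const store = new DocStore({ items: [{ id: "i1", variants: [{ tag: "plain", text: "Built things." }] }] });
  const addVariant = (tag, text) => (d) => { d.items[0].variants.push({ tag, text }); return d; };
  const stale = store.pull();                                               // writer A pulls rev 1
  const b = agentEdit(store, addVariant("formal", "Delivered systems."));   // writer B saves rev 2
  const a = store.push(stale.rev, addVariant("pirate", "Arr.")(stale.doc)); // A is stale: 409
  let raced = false; // constructed race: another save lands between this agent's pull and push
  const c = agentEdit(store, (d) => {
    if (!raced) { raced = true; agentEdit(store, addVariant("terse", "Shipped.")); }
    return addVariant("pirate", "Arr, built things.")(d);
  });
  for (let i = 0; i < 40; i++) agentEdit(store, (d) => d);
  return { b, a, c, tags: store.doc.items[0].variants.map((v) => v.tag),
    kept: store.history.length, oldest: store.history[0].rev };
}
```

The retry matters as much as the rejection: re-pulling before re-applying the transform is what keeps the racing writer's "terse" variant in the final document instead of clobbering it.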