Runs on Cloudflare
This resume isn't a PDF on a file server. It's a working edge application: the document lives in a Durable Object, AI restyles run at the edge, a real headless Chrome prints the PDF, and Zero Trust guards the editor.
This page is the system diagram, with live numbers from the app itself. It's also a static asset on the same Worker: only the stats call below does any compute.
The architecture
One Worker fronts everything. Public traffic gets the published view;
the owner signs in through Access with an email one-time PIN; agents speak JSON through a
keyed API (pull → transform → push, with the revision guard rejecting stale
writes). The AI endpoints sit behind the RateLimit object so the free-tier budget survives
the internet.
Live from the edge
Self-counted by a Durable Object since —. No analytics scripts, no cookies.
Restyles by voice
The document itself
How it's counted: views come from a tiny beacon in the page (the owner, his agents, and the PDF printer's own page loads are excluded); restyles, prints, and exports are counted server-side where they run. Honest numbers, small numbers.
Workers compute
One Worker is the whole app: routing, Access JWT verification, the reword and stats APIs, markdown export, and the static UI. The client is vanilla JS with no framework and no build step. Deploys are atomic via wrangler, and observability is on.
Durable Objects state
ResumeDoc, a SQLite-backed object, holds the document: sections hold items, items hold wording variants (the rewording history that used to get lost). It keeps the last 30 revisions and an optimistic-concurrency guard: a stale save gets a 409, not a clobber. RateLimit and Stats objects meter the public AI endpoints and count this page's numbers.
Workers AI inference
Two models. Restyle runs llama-3.3-70b-instruct-fp8-fast, grounded on a digest of the published resume so it stays inside the facts. Speak runs deepgram/aura-1: the restyle picks the words, the voice matches the flavor (Hillbilly gets the folksiest voice in the catalog). Identical audio is edge-cached, so replays cost nothing. All of it is ephemeral: fun on screen, never written to the doc.
Browser Rendering pdf
The PDF is printed by a real headless Chrome session driven with puppeteer: it loads the saved document exactly as a reader sees it and prints to letter. The edge caches the result keyed by document revision, so it re-renders only after a save.
Access zero trust
The editor and admin API sit behind Cloudflare Access with an email one-time PIN, scoped to one identity. The Worker independently verifies the Access JWT (aud, issuer, expiry, RS256 against team certs), so the API stays locked even when hit directly.
AI Gateway observability
Every Workers AI call (restyle, voice, podcast, moderation) flows through an AI Gateway, so each request is logged with its model, latency, token count, and cache status. It's the govern-the-AI-bill layer: caching, rate limits, spend caps, and provider fallback, measured on real traffic.
D1 ugc storage
Highlight any line and leave Sean a note, a question, or a genuine roast. It lands in a D1 SQLite database (one row, a crypto UUID, anchored to the section you highlighted). Nothing is shown on the page — the owner reads it through the Access-gated admin API.
Turnstile + Llama Guard trust & safety
Before a note is stored, Turnstile (Cloudflare's privacy-first CAPTCHA) keeps bots out, and Llama Guard 3 on Workers AI moderates the content — flagging genuine harm (threats, hate) while letting an honest roast through. Fail-closed: if the moderator errors, the note is held for review.
Defense in depth abuse control
The AI endpoints are guarded in layers: a WAF rate-limit rule stops floods at the edge before the Worker even runs, a Durable Object enforces fair per-user AI budgets, and expensive partner models are hard-capped with results edge-cached. Cost stays bounded even under abuse.
Ask about Sean vectorize + r2
A separate Worker at ask.berglabs.net answers questions about Sean over his résumé and public GitHub repos. The corpus lives in R2, is embedded with Workers AI (bge), indexed in Vectorize, and answered by llama grounded on the retrieved chunks — the edge-native version of an embeddings memory, all through the AI Gateway.
The agent contract api
This resume is maintained by AI agents. They pull the full document as JSON,
transform it, and push it back through the revision guard. Every line is an item with
tagged wording variants; the Skill Mix widget reads the same tags the agents write.
And it's queryable over MCP: add
mcp-resume.berglabs.net/mcp to an MCP client and ask the live document
questions (a separate facade Worker; each session is a Durable Object).