Abhilaash Velamati

Built JiraBot — a self-learning agent that plans, implements, tests, and submits code reviews for engineering tickets it's confident it can resolve, deferring the rest to human review. Persists confidence-scored lessons to a growing knowledge store with auto-distilled playbooks. Also a significant contributor to the team's sibling OncallBot agent (built on the same shared infrastructure) and packaged the broader internal agent suite as reusable Claude Code skills + an MCP server.

CloudHSM's core orchestration workflows were hardcoded to a single HSM type, blocking next-generation rollout, and the legacy orchestration layer was a recurring source of reliability pain — opaque failures, hard-to-test changes, and operator toil. I led the initial design and shipped the first few of the new workflows, then shared ownership across the team as we re-implemented CreateHsm, CreateBackup, and ReplaceHsm as async, idempotent Lambda orchestrations — simplifying the workflow surface, adding fault isolation, and significantly raising unit-test code coverage. Mentored teammates through the migration. The result: 75% faster execution, dramatically faster development and deployment of bug fixes and improvements, improved fault isolation and operational predictability, and the foundation that unblocked the next-generation HSM platform rollout.

CloudHSM backups can silently become invalid in ways that don't surface until a customer tries to use one — a gap that needed to be closed proactively. I designed and led a multi-region Lambda system that continuously validates the integrity of every backup; the design uses a manager-worker pattern (a manager Lambda fans work out across short-lived worker Lambdas, tracks in-flight items, and re-launches idempotently) to handle the fact that a single backup's validation can exceed Lambda's 15-minute timeout. It's been running across every CloudHSM region since 2022, validating thousands of backups per region per month — millions total — and emits CloudWatch metrics with operator tickets cut on any failure. The result: continuous integrity assurance for the entire backup corpus, guaranteeing restorability before any customer-impacting moment.

Failed workflows used to leave orphaned CloudFormation stacks, EC2 instances, and HSM records behind, and large service events compounded the problem — orphans accumulated, ate into account limits, ran up cost, and required engineering time to clean up by hand once limits were threatened. I designed and shipped a Lambda that continuously detects and cleans up orphans across resource types, replacing the manual ticket-driven process with an autonomous one. Eliminated the recurring oncall toil around stuck resources and recovered engineering time previously spent chasing them down after every workflow failure or outage.

When the client team upgraded OpenSSL, several existing customer certificates that had passed the older permissive validation started failing — driving customer-reported breakage. I tightened the service-side OpenSSL validation to match the new client behavior and, before turning it on, built sweep tooling that scanned every active customer certificate to flag the ones that would break — letting us notify and unblock customers ahead of the upgrade instead of after. Alongside that PKI work I extended InitializeCluster to accept multi-cert X.509 chains for Payments HSM customers, hardened public API operations against a JSON-depth DoS attack class, and added resource-level IAM authorization with fail-closed validation on internal APIs.

Region launches were a manual ticket-driven slog across 30+ packages, with circular pipeline dependencies and brittle initial-infrastructure deploys — some resources came from tools, some from CDK, and out-of-order runs broke things and left orphaned resources behind, forcing cleanup-and-retry cycles. I designed and built a region-build automation framework that templated pipeline configs, ordered initial deploys correctly, and added operator guardrails to catch misconfigurations before they shipped. Used it to lead end-to-end launches into 5 new AWS regions — Europe (Zurich), Europe (Spain), Asia Pacific (Malaysia), Mexico (Central), and Canada West (Calgary). The result: 75% cycle-time reduction (3 months → 1 month), fewer launch-blocking bugs, and a low-enough barrier that other team members can now run a region launch without needing to have done one before.

Both the AWS-wide IPv6 push and specific customer/compliance demand for IPv6 endpoints converged on CloudHSM, requiring the control-plane API to support dualstack — without breaking any existing IPv4-only customer. I designed and deployed IPv4/IPv6 dualstack networking for the control-plane API, including DNS configuration, canary infrastructure, and end-to-end integration tests across 25+ regions and 70+ availability zones. The result: customers requiring IPv6 endpoints can now reach CloudHSM natively, and existing IPv4 customers were unaffected by the rollout.

New compliance requirements mandated that HSM cards ship to data centers in Secure Transport Mode (STM) — ensuring the vendor was the only party that could lock them and the CloudHSM service was the only party that could unlock them, so any tampering in transit would be detectable. I authored the STM unlock key ceremony procedure, now the team's standard runbook, and updated the broader offline claiming ceremony documentation. I've led multiple production HSM key ceremonies in commercial regions, and separately authored and executed the GovCloud-specific ITAR-controlled ceremonies for those partitions.

CloudHSM was developing a new vendor-agnostic Rust SDK to replace SDK 3 (locked to hsm1.medium) and ship across HSM platforms, with a tight deadline. Three other service-side engineers and I were loaned to the client team and had to onboard ourselves to client-side internals and learn Rust at the same time. I shipped RSA-PKCS Sign/Verify Recover, CMAC verify, and multi-part sign/verify across both the provider and PKCS#11 layers — plus DKM/counter-width validation, session-handle matching, initialize/finalize error handling, license deny-list enforcement, and Wrap/Unwrap template tests. The library reached PKCS#11 feature parity with SDK 3, unblocked customers using those ops, and let CloudHSM ship a vendor-agnostic SDK across HSM platforms.