Praxon is a freelance engineering practice. I build B2B software with the discipline most teams skip: row-level security at the database, audit trails on every mutation, and verification gates that catch bugs before production. The credential is Ataraxia, a CMMC compliance platform built and shipped solo over three months.
— Q. Lott
§ 01
Recent work
2026.04 · Praxon: open for engagements. [now]
2026.04 · Ataraxia v1.0 reached feature-completeness and entered wind-down. Codebase remains as a credential. [86 mig · 320 obj]
2026.04 · Migration 086 — byte-exact correction of CMMC AG L1 v2.13 objective text against canonical PDF, validated row-by-row. [audit-logged]
2026.03 · Comprehensive security audit, fail-closed auth rate limiting, audit log enforced at the database layer. [137 routes]
2026.03 · SAML SSO, public REST API with key management, AI copilot with prompt injection protection, RAG via pgvector. [enterprise tier]
2026.02 · Multi-tenant data model. Schema spans 69 tables across 15 functional domains with 244 RLS policies. [244 policies]
2026.01 · First commit on Ataraxia. Next.js 15, Supabase, Postgres, fixed scope: CMMC L2 compliance for defense contractors. [solo]
A multi-tenant SaaS platform for defense contractors with byte-exact NIST regulatory data, real-time SPRS scoring, and audit trails on every mutation. Three months from first commit to feature-complete.
The Problem
Defense contractors handling Controlled Unclassified Information are required to comply with CMMC Level 2: 110 NIST controls assessed against 320 specific objectives, scored on a methodology with strict POA&M eligibility rules [1], attested under False Claims Act exposure.
Existing tools were either compliance theater (template SSPs with blanks) or enterprise products priced out of reach for small contractors. The build target was a platform that compliance practitioners (RPOs, C3PAOs) and contractors could use to track posture, generate SSPs and POA&Ms, and prepare for assessments — without paraphrasing regulatory text or skipping the audit trail.
The Build
Three months solo. Next.js 15, Supabase, Postgres. 86 migrations including the byte-exact correction of 199 of 320 NIST 800-171A assessment objectives to canonical text from the source publication [2]. Multi-tenant data model with 244 RLS policies across 69 tables in 15 functional domains for org-scoped isolation. Real-time SPRS scoring engine implementing the DoD Assessment Methodology v1.2.1 [1]. Audit trail with provenance metadata on every mutation. Stripe for billing, Resend for email, Sentry for error tracking. 137 API routes, 192 components.
The platform includes SAML SSO, a public REST API with key management, an AI copilot with prompt injection protection, retrieval-augmented generation over the regulatory corpus via pgvector, multi-framework mapping across CMMC / ISO 27001 / SOC 2 / HIPAA, a C3PAO assessor portal, subcontractor flow-down tracking, a False Claims Act risk calculator, and a mock C3PAO assessment simulator.
What's hard about it
Regulatory data fidelity. Most platforms paraphrase NIST text into developer-friendly strings; the paraphrasing drifts. A contractor attesting against drifted text is creating False Claims Act exposure. The fix was authoritative regulatory text in Postgres, SHA-256 checksums against source PDFs, citation comments on every compliance fact in code, and a pre-commit check that rejects assertions of compliance facts without citations. Migrations 085 and 086 are this discipline shipping in real time:
-- Source: cmmc-ag-l1-v2.13.pdf, §3.1.1, page 12
-- Verified byte-exact via SHA-256: a3f7c9d2…
BEGIN;
WITH upd AS (
  UPDATE controls
  SET requirement_text = canonical_text
  WHERE level = 1
  RETURNING control_id, old_text, requirement_text
)
INSERT INTO audit_logs (...)
SELECT ... FROM upd;
-- validation: row count == expected, raise on drift
COMMIT;
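The "raise on drift" step above is the part that makes the migration fail closed. The following is an added example of that pattern, not Ataraxia's migration: the table, column and objective identifiers, the source file name and every sample row are constructed for illustration. It loads staged objective text only if the row count matches the expected count and every row still hashes to the SHA-256 digest recorded when the text was extracted from the source PDF; a CHECK constraint keeps the same invariant in force after the migration.

```sql
-- Added example (not Ataraxia's code). All names and sample rows are constructed.
CREATE EXTENSION IF NOT EXISTS pgcrypto;   -- provides digest()

CREATE TABLE IF NOT EXISTS canonical_objectives (
    objective_id    text PRIMARY KEY,
    source_doc      text NOT NULL,
    source_page     int  NOT NULL,
    objective_text  text NOT NULL,
    text_sha256     text NOT NULL,
    -- Stored text must hash to the digest recorded at extraction time.
    -- A later UPDATE that drifts the text without a new digest is rejected.
    CONSTRAINT objective_text_matches_digest
        CHECK (encode(digest(objective_text, 'sha256'), 'hex') = text_sha256)
);

BEGIN;

-- Rows as delivered by the extraction step: digest travels with the text.
-- The third row is deliberately drifted (the word "are" dropped) to show the failure path.
CREATE TEMP TABLE staged (
    objective_id text, source_page int, objective_text text, text_sha256 text
) ON COMMIT DROP;

INSERT INTO staged VALUES
  ('EX.L1-0.0.1[a]', 1, 'Authorized users are identified.',
      encode(digest('Authorized users are identified.', 'sha256'), 'hex')),
  ('EX.L1-0.0.1[b]', 1, 'Processes acting on behalf of authorized users are identified.',
      encode(digest('Processes acting on behalf of authorized users are identified.', 'sha256'), 'hex')),
  ('EX.L1-0.0.1[c]', 1, 'Devices identified.',            -- drifted text
      encode(digest('Devices are identified.', 'sha256'), 'hex'));   -- digest of the canonical text

DO $$
DECLARE
    expected_rows CONSTANT int := 3;   -- known in advance from the source document
    staged_rows   int;
    drifted       text;
BEGIN
    SELECT count(*) INTO staged_rows FROM staged;
    IF staged_rows <> expected_rows THEN
        RAISE EXCEPTION 'staged % rows, expected %', staged_rows, expected_rows;
    END IF;

    -- Report every drifted row at once so the correction is a single pass.
    SELECT string_agg(objective_id, ', ' ORDER BY objective_id) INTO drifted
    FROM staged
    WHERE encode(digest(objective_text, 'sha256'), 'hex') <> text_sha256;
    IF drifted IS NOT NULL THEN
        RAISE EXCEPTION 'objective text drifted from recorded digest: %', drifted;
    END IF;

    -- Only reached when count and every digest check out.
    INSERT INTO canonical_objectives (objective_id, source_doc, source_page, objective_text, text_sha256)
    SELECT objective_id, 'example-source.pdf', source_page, objective_text, text_sha256
    FROM staged;
END $$;

COMMIT;   -- with the sample above the DO block raises, the transaction aborts, nothing lands
```

Two design points. The expected digests must come from the extraction step over the canonical source, independently of the text being loaded; computing them from the staged text itself (as the sample does for rows [a] and [b], to keep the example self-contained) proves nothing. And the DO block and the CHECK constraint overlap on purpose: the block gives one readable error listing every drifted row, while the constraint stays in place so the invariant survives every later migration, not just this one.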
Multi-tenant boundaries. Application-layer tenant filtering breaks the day someone forgets the WHERE clause. The fix was Row-Level Security on every table — org-scoped reads via JWT claim, role-based writes (viewer cannot write, contributor can INSERT and UPDATE, admin can DELETE). The audit_logs table has no UPDATE or DELETE policies, so it's append-only at the database layer. A new query that forgets the org filter fails closed at the database instead of silently leaking.
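The policy shape just described, as an added example that is not Ataraxia's schema: two tables, an `evidence` table with org-scoped reads and role-gated writes, and an append-only `audit_logs` table. The table names, the `org_id` and `app_role` claim names, the `app_user` role and the sample UUIDs are all assumptions. Claims are read from the `request.jwt.claims` setting that PostgREST (and therefore Supabase) populates from the verified JWT on each request; in a psql session `SET LOCAL` stands in for the API layer.

```sql
-- Added example (not Ataraxia's schema). Names, claims and sample values are constructed.

-- NULLIF guards against the empty string a previously-set GUC leaves behind;
-- with no claims at all every comparison below is NULL, which RLS treats as deny.
CREATE OR REPLACE FUNCTION jwt_org_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT (NULLIF(current_setting('request.jwt.claims', true), '')::jsonb ->> 'org_id')::uuid
$$;

CREATE OR REPLACE FUNCTION jwt_app_role() RETURNS text
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('request.jwt.claims', true), '')::jsonb ->> 'app_role'
$$;

CREATE TABLE evidence (
    id     uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id uuid NOT NULL,
    title  text NOT NULL
);

CREATE TABLE audit_logs (
    id         bigserial PRIMARY KEY,
    org_id     uuid NOT NULL,
    actor_role text NOT NULL,
    action     text NOT NULL
);

ALTER TABLE evidence   ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_logs ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policies to the table owner as well (superusers always bypass RLS).
ALTER TABLE evidence   FORCE ROW LEVEL SECURITY;
ALTER TABLE audit_logs FORCE ROW LEVEL SECURITY;

-- Reads: every role sees only its own org. A query with no org filter
-- still returns only this tenant's rows; other tenants are never visible.
CREATE POLICY evidence_read ON evidence FOR SELECT
    USING (org_id = jwt_org_id());

-- Writes: viewer has no write policy (default deny); contributor and admin may
-- INSERT/UPDATE; WITH CHECK stops a write from re-homing a row into another org.
CREATE POLICY evidence_insert ON evidence FOR INSERT
    WITH CHECK (org_id = jwt_org_id() AND jwt_app_role() IN ('contributor', 'admin'));
CREATE POLICY evidence_update ON evidence FOR UPDATE
    USING      (org_id = jwt_org_id() AND jwt_app_role() IN ('contributor', 'admin'))
    WITH CHECK (org_id = jwt_org_id());
CREATE POLICY evidence_delete ON evidence FOR DELETE
    USING (org_id = jwt_org_id() AND jwt_app_role() = 'admin');

-- Audit log: SELECT and INSERT policies only. With no UPDATE or DELETE policy,
-- those statements match zero rows for every non-superuser: append-only.
CREATE POLICY audit_read   ON audit_logs FOR SELECT USING (org_id = jwt_org_id());
CREATE POLICY audit_append ON audit_logs FOR INSERT WITH CHECK (org_id = jwt_org_id());

-- Walkthrough as a non-superuser role (RLS never applies to superusers).
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON evidence, audit_logs TO app_user;
GRANT USAGE, SELECT ON SEQUENCE audit_logs_id_seq TO app_user;

BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL request.jwt.claims = '{"org_id":"11111111-1111-1111-1111-111111111111","app_role":"contributor"}';
INSERT INTO evidence (org_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'SSP v1');      -- INSERT 0 1
INSERT INTO audit_logs (org_id, actor_role, action)
    VALUES (jwt_org_id(), jwt_app_role(), 'evidence.insert');       -- INSERT 0 1
UPDATE audit_logs SET action = 'tampered';                            -- UPDATE 0: no policy, no row is modifiable
DELETE FROM audit_logs;                                               -- DELETE 0
SELECT count(*) FROM evidence;                                        -- 1: only this org's rows
COMMIT;

-- A write aimed at another tenant fails closed with an error rather than leaking.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL request.jwt.claims = '{"org_id":"11111111-1111-1111-1111-111111111111","app_role":"contributor"}';
INSERT INTO evidence (org_id, title)
    VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant');  -- ERROR: new row violates row-level security policy
ROLLBACK;
```

Two caveats a reviewer would check. First, the claim is only as trustworthy as whatever sets `request.jwt.claims`: the API layer sets it from a verified token, so database roles that connect directly (and roles with BYPASSRLS, such as a service role) must be kept out of application paths. Second, "append-only" here means UPDATE and DELETE on the log affect zero rows; they do not raise. If you want tampering attempts to be loud, pair the missing policies with a BEFORE UPDATE OR DELETE trigger that raises, and log the attempt.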
Coordinating fifteen domains in one schema. Compliance platforms aren't single-purpose. The schema has to handle identity, assessment workflow, document generation, evidence collection, remediation, continuous monitoring, an AI copilot, and an audit log that captures every mutation across all of it. The hard part isn't building any single domain. It's making fifteen share one tenant boundary, one audit trail, and one transaction layer without leaks.
Fig. 1 — Tenant boundary inherited by every query
Status
After three months in build, I decided to step away from the platform and apply the same engineering discipline to client work. The codebase shipped past the “sellable” threshold — but distribution as a solo founder against entrenched competitors wasn't the path I wanted.
The codebase remains as a credential and a teaching artifact for the verification discipline I now apply to every Praxon engagement. Currently not in active development; not ruling out a revival.
References
Department of Defense CIO. CMMC Assessment Methodology, version 1.2.1. November 2024.
NIST. Special Publication 800-171A: Assessing Security Requirements for Controlled Unclassified Information. June 2018.
NIST. Special Publication 800-171, Revision 2: Protecting CUI in Nonfederal Systems and Organizations. February 2020.
32 CFR Part 170. Cybersecurity Maturity Model Certification (CMMC) Program. October 2024.
§ 03
Engagements
Three fixed-price packages. Self-qualify on budget before the discovery call. Anything outside these gets a custom quote after scoping.
№ · Package · Fee
01 · Audit & recommendations · $4,500 (fixed)
Senior-level assessment of an existing codebase, schema, or infrastructure. Output: a written report with prioritized findings and a remediation plan.
One week · Async-first
02 · Targeted build · $12,000 (fixed)
A specific deliverable. A migration, a feature, an integration, or a self-contained system. One-time scope, no ongoing maintenance, weekly status updates.
Two to four weeks
03 · Engagement build · From $35,000 (per milestone)
Multi-week or multi-month build. A platform, a major feature set, a significant refactor. Milestone-based delivery with biweekly demos and architecture documentation throughout.
Six weeks and up · Milestone-based
§ 04
Process
Discovery call. Thirty minutes. I qualify the project honestly. If it isn't the right fit, I'll say so on the call.
Proposal within 48 hours. Fixed-price proposal with specific scope, milestones, timeline, and payment terms.
Build under signed SOW. Deposit paid, work starts. Weekly written status, biweekly demos. No surprises.
Handoff with documentation. Final delivery with architecture and runbook documentation. Thirty-day warranty on the code. Retainer option for ongoing work.
§ 05
Stack
If a tool isn't listed, I haven't shipped production code in it.
Languages
TypeScript · Rust · SQL · Python
Frameworks
Next.js · React · Tauri · Node.js
Data
Postgres · Supabase · pgvector · Redis
Infrastructure
Vercel · Cloudflare · AWS · Sentry
AI / ML
Anthropic API · OpenAI API · RAG · Vector search
§ 06
Testimonials
Available after the first engagement closes. If you're considering Praxon and want to talk to a past client, ask on the discovery call.
§ 07
Contact
Tell me about your project. Discovery calls are 30 minutes. I'll send a proposal within 48 hours or tell you why Praxon isn't the right fit.