I design, build, and operate a multi-tenant SaaS end to end — backend, frontend, bot, infrastructure, payments, and security. I care about shipping resilient systems, clean architecture, and interfaces that feel premium. Currently focused on scaling Askar Apps and growing Ruby Verse, the first store running on the platform.
```js
const gabriel = {
  name: "Gabriel Bertolassi Barretta",
  role: "Founder & Full-Stack Engineer",
  company: "Askar Apps",
  focus: ["Distributed Systems", "SaaS Architecture", "Payment Infrastructure", "DX & UI Craft"],
  stack: ["TypeScript", "Node.js", "Next.js", "Discord.js", "MongoDB", "Redis", "BullMQ"],
  currently: "Scaling Askar Apps — dashboard, bot, and Askar Pay for Discord commerce",
  location: "Brazil 🇧🇷",
};
```

SaaS platform for Discord-based Roblox commerce. A multi-tenant dashboard and bot source that lets store owners run, customize, and scale their Discord shop — with real-time sync, a native PIX wallet (Askar Pay), and a full affiliate system.
Architecture
- Backend — Express + TypeScript + Mongoose + Redis + Socket.IO + BullMQ + Zod
- Frontend — Next.js + React + TypeScript + Styled-Components + React Query
- Bot — Discord.js + Mongoose + Express + @napi-rs/canvas
- Infra — SquareCloud, MongoDB (multi-tenant), Redis, Blob storage
- Payments — Askar Pay, the platform's native PIX wallet (balance, KYC, withdrawals, commissions)
Highlights
| Area | Detail |
|---|---|
| Multi-tenant | Central registry + N isolated guild databases with LRU connection pooling |
| RBAC | 16 granular permissions with fail-fast validation |
| Askar Pay | Native PIX wallet — balance, KYC, withdrawals, fee handling, reconciliation |
| Affiliate System | Chain-of-responsibility attribution (coupon → role → invite), GROSS/NET commissions |
| Real-time | Socket.IO presence, access sync, live panel updates via Change Streams |
| Resilience | AsyncLock → CircuitBreaker → Retry with jitter → timeout |
| Tested | 1,500+ automated tests across backend, frontend, and bot |
| Audited | Multiple security audits — all findings resolved |
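The Resilience row names a chain of four patterns without showing how they fit together. The following is an added example, not Askar Apps code: one way to compose them in TypeScript so that a wallet operation is serialised per key, short-circuited while the dependency is failing, retried with full-jitter backoff, and bounded by a timeout. The class names, thresholds, and the `wallet:<id>` lock key are assumptions made for this illustration.

```typescript
// Added example (not Askar Apps code): composing "AsyncLock -> CircuitBreaker ->
// Retry with jitter -> timeout". Names, thresholds and the lock key are assumptions.

type Thunk<T> = () => Promise<T>;

/** Innermost layer: fail the call if the operation exceeds `ms`. */
function withTimeout<T>(op: Thunk<T>, ms: number): Thunk<T> {
  return () =>
    new Promise<T>((resolve, reject) => {
      const timer = setTimeout(() => reject(new Error(`timeout after ${ms}ms`)), ms);
      Promise.resolve().then(op).then(
        (value) => { clearTimeout(timer); resolve(value); },
        (err) => { clearTimeout(timer); reject(err); },
      );
    });
}

/** Full-jitter backoff: uniform delay in [0, min(cap, base * 2^attempt)).
 *  `rand` is injectable so the schedule can be checked deterministically. */
function backoffDelay(attempt: number, baseMs: number, capMs: number, rand: () => number = Math.random): number {
  const ceiling = Math.min(capMs, baseMs * Math.pow(2, attempt));
  return Math.floor(rand() * ceiling);
}

/** Retry layer: re-run `op` up to `maxAttempts` times, sleeping a jittered delay between tries. */
function withRetry<T>(
  op: Thunk<T>, maxAttempts: number, baseMs = 50, capMs = 2000,
  sleep: (ms: number) => Promise<void> = (ms) => new Promise((r) => setTimeout(r, ms)),
): Thunk<T> {
  return async () => {
    let lastError: unknown;
    for (let attempt = 0; attempt < maxAttempts; attempt++) {
      try {
        return await op();
      } catch (err) {
        lastError = err;
        if (attempt < maxAttempts - 1) await sleep(backoffDelay(attempt, baseMs, capMs));
      }
    }
    throw lastError;
  };
}

class CircuitOpenError extends Error {
  constructor() { super("circuit open: dependency is failing, request short-circuited"); }
}

/** Breaker layer: after `threshold` consecutive failures reject fast for `cooldownMs`,
 *  then admit one trial call (half-open) before closing again on success. */
class CircuitBreaker {
  private failures = 0;
  private openedAt: number | null = null;
  constructor(
    private readonly threshold: number,
    private readonly cooldownMs: number,
    private readonly now: () => number = Date.now, // injectable clock for tests
  ) {}
  get state(): "closed" | "open" | "half-open" {
    if (this.openedAt === null) return "closed";
    return this.now() - this.openedAt >= this.cooldownMs ? "half-open" : "open";
  }
  allowRequest(): boolean { return this.state !== "open"; }
  recordSuccess(): void { this.failures = 0; this.openedAt = null; }
  recordFailure(): void {
    this.failures += 1;
    // Trips on reaching the threshold; a failed half-open trial re-opens with a fresh cooldown.
    if (this.failures >= this.threshold) this.openedAt = this.now();
  }
  wrap<T>(op: Thunk<T>): Thunk<T> {
    return async () => {
      if (!this.allowRequest()) throw new CircuitOpenError();
      try { const value = await op(); this.recordSuccess(); return value; }
      catch (err) { this.recordFailure(); throw err; }
    };
  }
}

/** Outermost layer: callers sharing a key (e.g. one wallet) run strictly one at a time. */
class AsyncLock {
  private tails = new Map<string, Promise<void>>();
  async run<T>(key: string, op: Thunk<T>): Promise<T> {
    const prev = this.tails.get(key) ?? Promise.resolve();
    let release: () => void = () => {};
    const mine = new Promise<void>((r) => { release = r; });
    const tail = prev.then(() => mine);
    this.tails.set(key, tail);
    await prev; // wait for every earlier holder of this key
    try {
      return await op();
    } finally {
      release();
      if (this.tails.get(key) === tail) this.tails.delete(key); // nobody queued behind us
    }
  }
}

/** Compose the layers in the order the Highlights table lists them. */
function resilient<T>(
  lock: AsyncLock, lockKey: string, breaker: CircuitBreaker, op: Thunk<T>,
  opts: { attempts: number; timeoutMs: number },
): Promise<T> {
  const guarded = breaker.wrap(withRetry(withTimeout(op, opts.timeoutMs), opts.attempts));
  return lock.run(lockKey, guarded);
}
```

With the breaker outside the retry layer, the breaker counts one failure per exhausted retry sequence rather than per attempt, so a briefly flaky dependency does not trip it while a dependency that is down for the whole sequence does. The injectable clock and random source are what make the open/half-open transitions and the jitter schedule testable without real waits.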
Offensive security work on the side — web apps, REST/GraphQL APIs, .NET reverse engineering, license/auth bypass, and full white-box engagements. Reports follow a wave-based methodology with PoCs, attack chains, and anti-findings.
- Web application pentesting — OWASP Top 10 applied, auth flows, payment/business-logic bypass, IDOR, XSS (stored/reflected/DOM), CSRF, CORS/CSP, rate limiting, WebSocket security
- API security — REST/GraphQL endpoint enumeration, JWT analysis (alg confusion, secret brute, replay), NoSQL/SQL injection, mass assignment, broken access control
- .NET reverse engineering — `dnlib` static analysis, `Harmony` runtime patching, single-file bundle unpack, ConfuserEx/Themida bypass, anti-debug/anti-VM evasion
- License & auth bypass — KeyAuth crack methodology, Ed25519 native-patch, JWT forge, session storage analysis, full NoAuth builds
- Supply chain audit — auto-update mechanism analysis, signature verification gaps, dependency injection vectors
| Target | Type | Outcome |
|---|---|---|
| FPS aim-assist SaaS | White-box web + binary, 4 waves | 171 findings (17 CRIT · 49 HIGH · 52 MED · 33 LOW · 20 INFO) — senior-audit reviewed 9/10 |
| .NET 8 license portal | Web + binary, NoAuth target | Full crack via 13-method IL patch + 34 findings (4 CRIT incl. supply-chain backdoor) |
| Roblox marketplace SaaS | Web black-box launch audit | 2 reproducible findings (DoS via malformed payload + affiliate-fee abuse) |
| Multi-tenant commerce portal | Auth flow + IDOR test | Login enumeration vectors + cross-tenant access PoC |
| Discord-commerce SaaS (Askar) | Internal multi-wave white-box | 10+ waves, ~150 anti-findings, 0 open CRIT/HIGH/MED |
Each engagement follows the same wave-based structure:
- W1 — Recon: stack mapping, endpoint enumeration via `OPTIONS`, source/binary extraction
- W2 — Auth + license: flow audit, token analysis, brute force where viable
- W3 — Business logic: core feature audit (cheat logic, payment, RBAC, etc.)
- W4 — Infra + compliance: backend analysis, LGPD/GDPR audit, supply chain
- Retest + attack chains — end-to-end exploitation PoCs (after fixes shipped)
Deliverable: RELATORIO.pdf with executive summary, full findings catalog (CRIT → INFO), anti-findings (defenses that worked), attack chains, and recommended fixes. Format: a light, professional pentest-report style with severity color coding.

If we've worked together — even a short engagement — a quick public note (LinkedIn comment, Discord testimonial, GitHub issue thank-you, anything) would mean a lot. Reach out on the contacts below if you'd like to leave one or hire for an audit.