// ashutosh vijay

MuleSoft
Engineer.

Integration engineer · Product builder

I write DataWeave, design MuleSoft integration architecture, and build desktop and serverless tools when the existing options aren't good enough.

GitHub LinkedIn Email
scroll
01DataWeave Studio 02Quick Sync 03PincodeDB API 04ContextForge
About

Building integrations that move money, documents, and data for a regulated NBFC.

Ashutosh Vijay

I'm an Integration Engineer at a housing finance NBFC regulated by the RBI, and the primary MuleSoft developer on the team. I own 40+ APIs and 720+ endpoints across a four-server on-prem production environment — system APIs, process APIs, experience APIs — serving 1 lakh+ daily transactions.

My day job is designing integration flows, writing DataWeave, managing Salesforce connectivity, handling VAPT remediation, and keeping production stable while shipping. Outside of work, I build developer tools and open-source projects that solve problems I actually run into.

Payment Processing & Loan Lifecycle
End-to-end MuleSoft flows for payment processing, account aggregator and bank statement ingestion, DSA lead-to-loan lifecycle, and e-sign workflows.
VAPT Remediation — 40+ APIs
Led full security remediation following an external L1 audit. Implemented security headers, rate limiting, injection detection, input validation, and response-level encryption across the entire API surface.
Vendor Migration — ~87% Cost Reduction
Drove a bank statement vendor migration with zero production downtime. Redesigned the integration pattern and cut costs by approximately 87%.
OAuth Deprecation Migration
Led OAuth 2.0 Username-Password to Client Credentials migration on a Salesforce SAPI with 80+ endpoints and 1 lakh+ daily hits. Completed before the deprecation deadline.
40+
Production APIs
720+
Endpoints Managed
1L+
Daily Transactions
4
Production Servers
Stack
MuleSoft Anypoint Platform DataWeave 2.0 RAML REST API Design API-led Connectivity Salesforce Integration OAuth 2.0 / Client Credentials Tauri v2 (Rust) React TypeScript Flutter Dart Python AWS Lambda DynamoDB S3 CloudFormation / SAM Cloudflare Workers Cloudflare Pages Supabase Git GitHub Actions Postman
Recognition
MuleSoft Community & Industry Recognition
Received public recognition from senior leadership at Aavas Financiers in connection with an industry BFSI award (Impact Honour 2026). Active contributor to the MuleSoft developer ecosystem through open-source tooling, community engagement, and technical content.
01DataWeave Studio
v1.1.0 · Live ↗ GitHub ↗ Site
01 / 04  —  Flagship Project  ·  Tauri + React + TypeScript

DataWeave Studio

A local desktop application for writing, testing, and debugging DataWeave 2.0 scripts. No Anypoint Studio. No Eclipse. No 2-minute startup time. Full Mule message context from a UI, in one window.

Tauri v2 (Rust) React TypeScript Vite Monaco Editor DataWeave CLI Tailwind CSS AES-CBC GitHub Actions Cloudflare Pages Cloudflare Workers
DataWeave Studio — main interface
The Problem

Testing a DataWeave script in the standard MuleSoft toolchain is genuinely painful. Anypoint Studio is 2GB, Eclipse-based, takes minutes to start, and forces you to spin up a full Mule application just to test a single transform.

The online playground has no real execution context. No vars, no config properties, no headers. It crashes on large payloads. The VSCode extension requires hand-written JSON files and a specific folder structure for every new input.

None of these tools reflect what actually runs in production — where a script might depend on vars.correlationId, a decrypted secure property, or a specific content-type header to behave correctly.

The Fix

DataWeave Studio bundles the DataWeave CLI, wraps it in a Monaco-powered editor, and exposes the full Mule message context through a UI. You set attributes.method, headers, vars, config properties, and secure values — all without touching a file.

It ships as a native installer for Windows, macOS Intel, macOS ARM, and Linux. GitHub Actions builds every release. Cloudflare Workers proxy the download assets — so the in-app updater works even behind corporate firewalls that block github.com.

Real users. Community traction in the MuleSoft ecosystem. A speaking invite that came directly off the back of the project.

Secure Properties Decryption
cURL Importer — paste and get a transform template
Salesforce SOQL Query Mode
SQL DB Query Mode
Key Capabilities
Security
Secure Property Decryption — Key Never Hits Disk
Paste a production secure-config.yaml containing ![Base64Encrypted...] values, provide the AES-CBC encryption key, and scripts execute with real decrypted values. The key lives only in memory for the duration of the session — never written to disk, never logged. Same algorithm as MuleSoft's secure-properties-tool.jar.
Context
Full Mule Message Context from the UI
Set attributes.method, attributes.headers, queryParams, vars, config properties, and named input streams — all from form fields. No hand-written JSON files.
Import
cURL → Transform Template
Paste any cURL command from Postman or browser devtools. Get a DataWeave transform template with headers and params pre-populated.
Migration
DW 1.0 → 2.0 in One Click
Paste a DataWeave 1.0 script. Review a diff overlay. Replace with one click. No external migration tools needed.
Query Modes
SOQL + SQL Editors
Dedicated Salesforce Query and DB Query modes with :param binding. Renders the exact final query before execution.
Autocomplete
Context-Aware Suggestions
Suggests actual field names from your payload, vars, attributes, and config properties — not generic DataWeave keywords.
Workspace
Save / Load as .dwstudio
Full editor state — scripts, inputs, context, MIME types — persisted in a single .dwstudio file. Open it, pick up where you left off.
Distribution
Bundled CLI + Auto-Updater
DataWeave CLI bundled (~150MB). In-app updater checks update.json on startup and installs in one click. GitHub never touched directly — all traffic through Cloudflare.
Release Pipeline
01 / GitHub Actions
Cross-Platform Signed Builds
Every v* tag triggers a build matrix: Windows, macOS Intel, macOS ARM, Linux. Produces native installers automatically.
02 / Cloudflare Pages
Download Site + Update Feed
Hosts the download landing page and the update.json endpoint that the in-app updater polls on startup.
03 / Pages Functions
Corporate Firewall Bypass
Proxies GitHub release assets through Cloudflare. Downloads work behind enterprise firewalls that block *.github.com.
↗ GitHub ↗ Site
02Quick Sync
Live ↗ GitHub ↗ App ↗ Site
02 / 04  —  Web App  ·  React · Supabase · Web Crypto API

Quick Sync

Real-time, ephemeral text and file transfer between any devices with a browser. No accounts. No persistence beyond the session. End-to-end encrypted when you need it — the server genuinely cannot read your content.

React 18 TypeScript Supabase Realtime Supabase Storage Web Crypto API AES-256-GCM Zustand Framer Motion Tailwind + shadcn/ui Cloudflare Pages
Quick Sync home page — dark mode
E2E encrypted room
Active sync room
How the encryption works
Secure Mode — Key Never Touches the Server
Client A → crypto.getRandomValues(128-bit key)
URL hash → /room/ABCDEF#a1b2c3...key
↑ hash fragment: browser-private, never sent
Text → AES-256-GCM encrypt → Supabase DB
Files → encrypt raw binary → Supabase Storage
Client B → reads key from URL hash
→ decrypts locally — never touches server
Supabase breach → useless ciphertext
How the sync works
Differential Sync, Not Full Replace
Only the diff — insert or delete operation — is broadcast on each keystroke via Supabase broadcast channels. The database syncs every 2 seconds as a fallback for late joiners.
Room Destruct
One button deletes the room row, all content, and every file in storage. A postgres_changes DELETE event fires across all connected clients instantly — ROOM VAPORIZED on every screen.
Zero Infrastructure Cost
Runs entirely on free tiers. Supabase free for realtime + storage. Cloudflare Pages for hosting. Auto-deploys from GitHub main.
File sharing
Room destruct screen
↗ GitHub ↗ Live App ↗ Site
03PincodeDB API
Open Source · Archived ↗ GitHub ↗ Site
03 / 04  —  Serverless AWS Backend  ·  Python · SAM · DynamoDB

PincodeDB API

A serverless, multi-tenant backend that turns any CSV of postal codes into a private, queryable REST API. Upload the CSV. Get a live API back in seconds. No server provisioning, no database setup, nobody else's data mixed with yours.

Python 3.13 AWS Lambda (ARM64) API Gateway DynamoDB S3 CloudFormation / SAM SSM Parameter Store SQS DLQ CloudWatch SNS X-Ray EventBridge RapidAPI pytest + moto GitHub Actions
PincodeDB full AWS serverless architecture diagram
Upload & Ingestion Flow
1
Subscribe on RapidAPI
Get an API key. No registration call to the backend needed — user provisioning happens on the first real request.
2
POST /postal-code/upload
API returns a presigned S3 POST URL and a datasetId. The CSV never passes through API Gateway.
3
Client uploads directly to S3
File goes straight from client to S3, bypassing API Gateway's 10MB limit. Size limits enforced by the presigned policy, tied to the user's tier.
4
S3 event triggers ingestion
S3 fires an ObjectCreated event. The processor Lambda parses the CSV, validates schema, and batch-writes to DynamoDB.
5
Poll status → query
GET /dataset/{"{id}"}/statusSUCCEEDED. Then query GET /postal-code/search?pincode=110001 and get your own data back instantly.
By the Numbers
10
Lambda functions
3
DynamoDB tables
7
GSIs
155K
Public fallback records
~40
Tests (moto, no real AWS)
1
SAM template for everything

Built, deployed live on AWS, listed on the RapidAPI marketplace, and taken down when the free tier expired. The entire production source — infrastructure-as-code, all Lambda handlers, test suite — is open on GitHub.

The interesting parts aren't the domain. Pincodes are just lookup data. The interesting parts are the multi-tenancy design, the JIT provisioning pattern, and building end-to-end operational visibility on a fully serverless stack.

Architecture Decisions
Auth / Provisioning
JIT User Provisioning — No Signup Flow
The Lambda authorizer does everything on every request: validates the RapidAPI proxy secret, looks up the user, creates them if they don't exist, and syncs their tier if they've upgraded or downgraded. No onboarding webhook, no separate registration endpoint, no periodic sync job.
Storage
Presigned S3 Upload — API Gateway Never Sees the File
The upload endpoint returns a presigned S3 POST URL. The client uploads directly to S3 — API Gateway's 10MB limit never applies. S3 fires an event, the processor Lambda wakes up. The API itself never touches the raw CSV data.
Multi-Tenancy
Single-Table Design — Cross-Tenant Leakage Impossible at Query Level
All tenants share one DynamoDB table, partitioned by internalUserId. Three GSIs cover three access patterns. Cross-tenant isolation is enforced structurally at the query — not by application-level filtering that could be bypassed.
Operations
Kill Switch via SSM
One SSM parameter: /pincode-api/enabled. Set it to false and the authorizer denies every request globally, instantly — no deployment, no code change.
Enterprise Tier
Dynamic CSV Schema
Growth/Enterprise tiers accept any CSV. Extra columns are stored as a customData map in DynamoDB and returned as-is. A logistics company uploads pincode,sla,risk,is_serviceable — no schema pre-registration.
Observability
Custom CloudWatch Metrics + X-Ray Traces
Every Lambda emits LatencyMs, RequestsOk, RowsIngested via aws-embedded-metrics. X-Ray distributed tracing on all functions. SQS DLQ depth alarm wired to SNS.
Under the Hood
src/auth/app.py — JIT User Provisioning
def handler(event, context):
    # Every request: validate → lookup → provision/sync
    _validate_proxy_secret(event['authorizationToken'])

    marketplace_id = _extract_marketplace_id(event)
    current_tier   = _get_tier_from_headers(event)

    user = users_table.get_item(
        Key={'marketplaceId': marketplace_id}
    ).get('Item')

    if not user:
        # First request — create user on the spot
        user = _provision_user(marketplace_id, current_tier)
    elif user['tier'] != current_tier:
        # Subscription changed — sync immediately
        user = _sync_tier(user, new_tier=current_tier)

    # Downstream Lambdas receive userId + tier in context
    return _build_allow_policy(
        principal=user['internalUserId'],
        context={
            'userId': user['internalUserId'],
            'tier':   user['tier'],
        }
    )
shared/utils.py — Kill Switch + Tenant Isolation
def is_api_enabled(ssm) -> bool:
    """
    One SSM parameter. Instant global shutoff.
    No deployment. No code change.
    """
    param = ssm.get_parameter(
        Name='/pincode-api/enabled'
    )
    return param['Parameter']['Value'] == 'true'


def query_pincodes(table, user_id: str,
                   pincode: str) -> list:
    """
    Single-table multi-tenancy.
    All tenants share one table — partition key
    is internalUserId. Cross-tenant leakage is
    impossible at the DynamoDB query level.
    """
    return table.query(
        KeyConditionExpression=(
            Key('internalUserId').eq(user_id) &
            Key('pincode_officename').begins_with(
                pincode
            )
        )
    )['Items']
Tier Model
Tier Max File Max Rows Max Datasets Dynamic Schema
FREE 50 KB 250 1 No
BUSINESS 10 MB 1,000,000 50 No
GROWTH 20 MB 5,000,000 200 Yes
ENTERPRISE 50 MB 25,000,000 1,000 Yes
↗ GitHub ↗ Site
04ContextForge
Live ↗ GitHub ↗ Site
04 / 04  —  Windows Desktop App  ·  Flutter · Dart

ContextForge

A Windows desktop app for preparing codebases to paste into an LLM's context window. Drop a folder, configure what to exclude, hit one button — you get a clean structured dump with a file tree, ready for Claude, GPT, or anything else.

Flutter (Windows x64) Dart fluent_ui flutter_acrylic Windows Mica / Acrylic Dart Isolates AES-256 provider desktop_drop
ContextForge main screen — folder opened
Exclusion settings
Settings panel
Utilities panel
Key Capabilities
Performance
Non-Blocking Scans via Dart Isolates
File scanning runs in a separate Dart isolate using compute(). The UI never freezes, even on large codebases. Disk writes use a streaming chunk-by-chunk approach — massive outputs don't blow up RAM.
Exclusion System
GitIgnore-Aware · Per-Project Config That Travels with the Repo
Parses .gitignore and respects it during scans. Exclusion settings are stored in a .exclusion_settings.json file at the project root — not locked to the machine or the app install.
Output
Plain Text · XML (CDATA) · Markdown Code Blocks
Three output formats depending on what your LLM context window handles best. Token estimation with a color-coded budget indicator — green → orange → red as you approach the limit.
Presets
Project Type Profiles — Standard · MuleSoft · Python · React
One click applies the right exclusion profile for the project type. node_modules, build, .git, binaries, and type-specific artifacts excluded by default.
UI
Windows 11 Fluent Design — Mica / Acrylic Glass
Built with fluent_ui and flutter_acrylic. Native Windows Mica and Acrylic glass effects. Dark, light, and pitch-black themes with multiple accent color flavors.
Architecture
Clean Separation: AppState · SettingsService · FileService
AppState (ChangeNotifier) manages UI state. SettingsService handles persistence. FileService does all heavy I/O in isolates. Pages are thin UI shells.
↗ GitHub ↗ Site