Full-Stack + Desktop

WorkSight

Take-home assignment proctoring you can actually trust. A reviewer web app, a Node backend, and an Electron candidate app that captures timestamped screenshots during a timed session — so reviewers score the candidate, not the model.

Three-surface system (backend + reviewer web + Electron desktop) for trustworthy take-home assessments: timed sessions, periodic screenshot evidence via presigned URLs, auto-close, and submission scoring — built with a privacy-first 'what it deliberately does NOT do' charter.

React
TypeScript
Vite
Tailwind
Node.js
Express
MongoDB

Problem Statement

Take-home coding assessments have lost credibility: with GPT-level tools, a reviewer can't tell whether they're scoring the candidate or the model. The usual "fix" is invasive proctoring (webcam, keylogging, browser lockdown) that candidates rightly hate and that produces creepy, low-signal surveillance. WorkSight's framing: "take-homes you can actually trust" — capture just enough evidence (timestamped screenshots of the work) to score the real work, with an explicit charter of what it will never do.

Proposed Solution

WorkSight is a three-surface system. A reviewer creates an assignment and generates a per-candidate access code; the candidate downloads a lightweight Electron desktop app, signs in with the code, and works through a timed session during which the app captures periodic, timestamped screenshots and uploads them via presigned URLs; the reviewer then reviews the evidence and scores the submission. The product is deliberately bounded by a public "what WorkSight does not do" list — no webcam, no keylogging, no detection-guessing on submissions, no data sharing, no persistent surveillance outside an active session, no browser extension/IDE plugin.

Full Solution Details

  • Three-step flow — create the assessment → candidate runs the desktop app → reviewer scrubs the evidence and scores.
  • Timed sessions with expiresAt, auto-close, and a background 30s session-sweeper that closes expired sessions server-side.
  • Evidence — random-interval screenshots captured on the desktop, uploaded directly to a file service via presigned URLs (the backend stores only keys).
  • Submission — link / text / both, with reviewer scoring + feedback.
  • Distribution — an unsigned macOS .app (zip) shipped through three channels, deliberately avoiding the $99/yr Apple Developer Program (documented Gatekeeper workaround).

Technical Documentation

Backend — the single source of truth: Node 20 + Express 4 + TypeScript on MongoDB (Mongoose), Zod request validation, layered controllers → services (returning ServiceResult) → thin models, singletons throughout, and a 30s session-sweeper background job. Dual JWT auth: reviewers authenticate normally; candidates get a JWT signed from a 10-character access code — an elegant way to admit a candidate to exactly one assignment without making them create an account. Screenshot bytes never touch the backend (presigned URLs to a separate file service; only keys stored).

Reviewer web app — React 19 + Vite 8 + React Router 7, Tailwind (intentionally light-mode-only, single green palette), TanStack Query (no global state), Lucide icons proxied through shared/ui/icons for swappability, Feature-Sliced Design. Bundled with the public marketing landing page.

Electron candidate app — desktop app that runs the timed session, captures screenshots in the background, and uploads them; packaged via electron-builder as an unsigned macOS zip with a deliberate, documented distribution strategy.

Tech Stack

React 19, Vite 8, React Router 7, Tailwind, TanStack Query (reviewer web); Electron + electron-builder (candidate desktop); Node 20, Express 4, TypeScript, MongoDB/Mongoose, Zod, JWT, bcryptjs (backend); external file service via presigned URLs.

System Design

Reviewer (web, React 19/Vite 8) ──create assignment──► Backend (Express, single source of truth)
        │  JWT (reviewer)                                  │  Zod · ServiceResult · singletons
        │                                                  │  30s session-sweeper (auto-close)
        ▼                                                  ▼
  generate 10-char access code ───────────────► MongoDB (assignments, sessions, scores)
        │                                                  ▲ stores screenshot KEYS only
        ▼                                                  │
 Candidate (Electron app) ─sign in w/ code→ JWT (from code)│
        │  timed session: periodic screenshots             │
        └──presigned URL──► File service (bytes) ───────────┘

 Charter (enforced as scope): NO webcam · NO keylogging · NO submission-detection
                              NO data sharing · NO out-of-session surveillance

Smart Architectural Decisions

  • JWT signed from a 10-char access code. Candidates authenticate to exactly one assignment with no signup — a clean, low-friction auth model that still yields a normal JWT downstream.
  • Backend never sees screenshot bytes. Presigned-URL uploads (store keys only) keep the API light and the binary path off the critical server — the same stateless-files pattern he reuses across projects.
  • Server-side session truth + sweeper. expiresAt, auto-close, and a 30s sweeper mean the server owns session lifetime, so a candidate can't extend time by tampering with the client.
  • Privacy as a product boundary. Publishing what WorkSight won't do (no webcam/keylogging/etc.) turns restraint into a feature and a trust signal — and constrains scope creep.
  • Pragmatic distribution. A documented unsigned-macOS-app strategy across three channels sidesteps the Apple Developer fee — practical shipping under real constraints.
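As an added illustration of the server-owned session lifetime described in the Technical Documentation and in the decision list above (this is not WorkSight's own code), the TypeScript sketch below keeps sessions in memory with an `expiresAt` that only the server sets, runs the same sweep a 30s background job would, and has the upload/submission guard refuse anything that arrives after expiry no matter what the client claims. The `ServiceResult` shape, the field names and the in-memory `Map` are assumptions.

```typescript
// Illustrative sketch, not WorkSight's code: the server clock decides when a session
// ends; the client never supplies an expiry or a duration in a request body.
type SessionStatus = "active" | "closed";

interface Session {
  id: string;
  assignmentId: string;
  startedAt: number;                       // epoch ms, stamped by the server
  expiresAt: number;                       // epoch ms, startedAt + assignment duration
  status: SessionStatus;
  closedReason?: "submitted" | "expired";
}

// Assumed shape of the page's ServiceResult: services return, controllers map to HTTP.
type ServiceResult<T> = { ok: true; data: T } | { ok: false; error: string };

const sessions = new Map<string, Session>(); // stands in for the Mongo collection

// Duration comes from the assignment record on the server, never from the client.
function startSession(id: string, assignmentId: string, durationMs: number, now: number): Session {
  const s: Session = { id, assignmentId, startedAt: now, expiresAt: now + durationMs, status: "active" };
  sessions.set(id, s);
  return s;
}

// Guard for the screenshot-upload and submission endpoints. Even between sweeper
// runs, a request after expiresAt is refused and the session is closed on the spot.
function requireActiveSession(id: string, now: number): ServiceResult<Session> {
  const s = sessions.get(id);
  if (!s) return { ok: false, error: "session not found" };
  if (s.status === "closed") return { ok: false, error: `session closed (${s.closedReason})` };
  if (now >= s.expiresAt) {
    s.status = "closed";
    s.closedReason = "expired";
    return { ok: false, error: "session expired" };
  }
  return { ok: true, data: s };
}

// The background sweeper body: closes every active session past its expiresAt.
function sweepExpiredSessions(now: number): number {
  let closed = 0;
  for (const s of sessions.values()) {
    if (s.status === "active" && now >= s.expiresAt) {
      s.status = "closed";
      s.closedReason = "expired";
      closed++;
    }
  }
  return closed;
}

function getSession(id: string): Session | undefined { return sessions.get(id); }
```

Wiring it to a 30s job is one line, `setInterval(() => sweepExpiredSessions(Date.now()), 30_000)`, and the guard means a sweep that is late by a few seconds costs nothing in enforcement.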

Impacts

A full three-surface assessment platform that makes take-homes trustworthy in the GPT era with minimal, consent-respecting evidence — backend as single source of truth, signup-free access-code candidate auth, stateless screenshot storage, and a privacy charter that's enforced as scope. Live at worksight.netlify.app.

Demonstrated Skills

Multi-surface product engineering (web + desktop + API); Electron desktop development, packaging, and unsigned distribution; auth design (dual JWT, code-derived tokens); session lifecycle/background jobs (sweeper, auto-close); stateless file handling via presigned URLs; React 19 + Feature-Sliced Design; Zod + ServiceResult backend discipline; privacy-by-design product framing.

Notes

  • Breadth in one product: a Node backend, a React 19 reviewer app, and an Electron desktop app — shipping a cross-platform desktop binary is something most web devs never do.
  • Timely problem, principled answer: "score the candidate, not the model" with a published 'what we will NOT do' charter (no webcam/keylogging) shows product judgment and ethics in a space full of creepy proctoring tools.
  • Elegant auth: deriving a candidate JWT from a 10-char access code (no signup) is a neat, interview-worthy design.
  • Server-owned session truth + sweeper and presigned-URL screenshot uploads are exactly the kind of can't-trust-the-client and keep-bytes-off-the-API decisions that read as senior.
  • Ships under real constraints: the documented unsigned-macOS distribution workaround shows pragmatism, not just architecture-astronautics.