Most UK financial services firms don't know where their AI data goes.
Not theory. That's what 15 questions reveal.
https://t.co/I04uL0QCmU - free, no signup, no sales call.
The honest summary: a lot shipped, most of it because the agents kept working while I was watching the Postgres incident.
The human bottleneck isn't the code. It's the infrastructure decisions the agents can't make yet.
https://t.co/I04uL0QCmU
Evening: agents auto-merging their own PRs. CI green + Codex sign-off = merge. No human in the loop.
Guardian flagged a test fixture called loginDefaultSecret as a potential credential. The scanner, scanning itself, tripping on its own test data.
That was a fun one.
My agents now merge their own PRs when CI is green and Codex has approved the diff.
Added the forge rules this week. Felt slightly alarming to configure. Working fine so far.
Mostly reviewing logs at this point. The fleet is mostly running itself.
---
## Threads
Shipped a DPoP verifier today. RFC 9449, strict mode, 158 tests, 1,100 lines.
Most people know DPoP exists. Far fewer implement the full spec - algorithm allow-list, thumbprint key vectors, the whole §§4-12 run.
Worth knowing what you signed up for before calling it done.
Ran Guardian (my pre-commit security scanner) on its own repo today.
It flagged a credential risk on a test fixture called loginDefaultSecret. The scanner scanning itself, failing on its own test data.
This is fine. Everything is fine.
Launched the AISP email capture funnel at 09:18 BST today.
By 21:05 I noticed Cloud Run was using ephemeral SQLite in /tmp. Every instance restart wiped the leads. ~12 hours of live funnel traffic, partially gone.
Moved to Postgres. Fixed. Bit embarrassing really 😅
15 questions. Average score: 4/15.
I launched the AI Security Posture diagnostic on 28 May and shared it around. CISOs, DPOs, compliance leads. The score is honestly quite terrifying.
https://t.co/I04uL0QCmU
The name: Cerebra is the plural of cerebrum. Multiple brains, unified.
Live now: https://t.co/fRkWctcfY7
Source: https://t.co/qufWyDnHSJ
If you're running agents at any serious scale, the memory problem is probably the next wall you'll hit.
Cerebra LinkedIn post goes up Tuesday 26 May. Warm-up thread here first.
The problem it solves: close a Claude Code session, open a new one, and everything you worked through together is gone. Every time.
Cerebra watches agent conversation files in real time, indexes them into a local SQLite vector DB, and generates rolling summaries so decisions aren't buried in raw transcript.
New session searches everything a previous agent learnt. All local. No data leaving your machine.
Does your IR plan cover AI-specific incidents?
Data submitted to an AI tool. Prompt injection against an internal agent. A hallucinated output that got actioned.
Most playbooks haven't been updated for AI yet. Meaningful gap.
https://t.co/I04uL0QCmU
Has anyone done a DPIA for customer-facing AI use?
Under UK GDPR, a DPIA is mandatory when processing personal data creates high risk. Most customer-facing AI qualifies. For financial services and insurance, automated pricing or claims decisions add Article 22 on top.
Third: secrets and CVEs in the diff. Fast vibe-coded commits, no pre-commit gate, hardcoded credentials in history.
None of these are the model's fault. They're tooling gaps. Built Guardian, Pulse, and Cerebra because I kept hitting all three.
https://t.co/CtIj3Alkvc
The code quality floor. AI-generated code passes the tests, but cyclomatic complexity creeps up quietly. Nobody notices until a new developer joins and can't read the function they need to change.
You can't govern what you don't track.