CVE automation architecture - simple state machine, 1 CVE per commit

January 30, 2026 at 4:42 PM | technical | high

Situation

CVE automation should be built as a simple state machine with clear exit criteria at each step. Each commit addresses exactly one CVE. The orchestrator should be stupid-simple: it only moves a job from one state to the next, while each step does its own work and judges its own pass/fail. Steps: Research -> Rebase -> Build -> Test -> MR -> Final Build -> Integration Test -> Promote to Beta -> Integration Test -> Production.
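The state machine described above, as an added example that is not code from the project or the record's authors. It assumes a linear pipeline in the order the record lists, gives every state a pure exit-criterion predicate over the job's artifacts so a step can be run and judged by hand or by the orchestrator, and enforces "1 CVE per commit" as an exit criterion of the Rebase step. The second Integration Test is named `BETA_INTEGRATION_TEST` to keep states unique; the `demo_actions` stand-ins for git/CI tooling and the CVE identifiers in the usage block are constructed, not real.

```python
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List


class State(Enum):
    """Pipeline states in the order the record lists them (plus two terminal states)."""
    RESEARCH = "Research"
    REBASE = "Rebase"
    BUILD = "Build"
    TEST = "Test"
    MR = "MR"
    FINAL_BUILD = "Final Build"
    INTEGRATION_TEST = "Integration Test"
    PROMOTE_BETA = "Promote to Beta"
    BETA_INTEGRATION_TEST = "Beta Integration Test"  # assumed name for the 2nd Integration Test
    PRODUCTION = "Production"
    DONE = "Done"
    FAILED = "Failed"


# Enum iteration preserves definition order, so this is the linear pipeline.
PIPELINE: List[State] = [s for s in State if s not in (State.DONE, State.FAILED)]
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Job:
    cve_id: str
    state: State = State.RESEARCH
    artifacts: Dict[str, object] = field(default_factory=dict)  # what each step produced
    log: List[str] = field(default_factory=list)


def touches_exactly_one_cve(commit_message: str, cve_id: str) -> bool:
    """'1 CVE per commit': the message names cve_id and no other CVE identifier."""
    return set(CVE_RE.findall(commit_message)) == {cve_id}


# Exit criterion per state: a pure predicate over artifacts, independent of how they were made.
EXIT_CRITERIA: Dict[State, Callable[[Job], bool]] = {
    State.RESEARCH: lambda j: bool(j.artifacts.get("upstream_fix")),
    State.REBASE: lambda j: touches_exactly_one_cve(str(j.artifacts.get("commit_message", "")), j.cve_id),
    State.BUILD: lambda j: j.artifacts.get("build") == "ok",
    State.TEST: lambda j: j.artifacts.get("unit_tests") == "pass",
    State.MR: lambda j: j.artifacts.get("mr_approved") is True,
    State.FINAL_BUILD: lambda j: j.artifacts.get("final_build") == "ok",
    State.INTEGRATION_TEST: lambda j: j.artifacts.get("integration_main") == "pass",
    State.PROMOTE_BETA: lambda j: bool(j.artifacts.get("beta_tag")),
    State.BETA_INTEGRATION_TEST: lambda j: j.artifacts.get("integration_beta") == "pass",
    State.PRODUCTION: lambda j: bool(j.artifacts.get("prod_tag")),
}

Action = Callable[[Job], None]


def run_step(job: Job, actions: Dict[State, Action]) -> bool:
    """Run exactly one step in isolation: do its action, then apply its exit criterion."""
    state = job.state
    actions[state](job)
    ok = EXIT_CRITERIA[state](job)
    job.log.append(f"{state.value}: {'ok' if ok else 'FAILED exit criterion'}")
    return ok


def orchestrate(job: Job, actions: Dict[State, Action]) -> State:
    """The stupid-simple orchestrator: advance along PIPELINE, halt at the first failed step."""
    while job.state in PIPELINE:
        if not run_step(job, actions):
            job.state = State.FAILED
            break
        idx = PIPELINE.index(job.state)
        job.state = PIPELINE[idx + 1] if idx + 1 < len(PIPELINE) else State.DONE
    return job.state


def record(key: str, value: object) -> Action:
    """Build a constructed stand-in action that just records a result artifact."""
    def action(job: Job) -> None:
        job.artifacts[key] = value
    return action


def demo_actions(commit_message: str, unit_tests: str = "pass") -> Dict[State, Action]:
    """Constructed stand-ins for git/CI/registry tooling; real actions would shell out instead."""
    return {
        State.RESEARCH: record("upstream_fix", "deadbeef"),
        State.REBASE: record("commit_message", commit_message),
        State.BUILD: record("build", "ok"),
        State.TEST: record("unit_tests", unit_tests),
        State.MR: record("mr_approved", True),
        State.FINAL_BUILD: record("final_build", "ok"),
        State.INTEGRATION_TEST: record("integration_main", "pass"),
        State.PROMOTE_BETA: record("beta_tag", "v1.2.3-beta"),
        State.BETA_INTEGRATION_TEST: record("integration_beta", "pass"),
        State.PRODUCTION: record("prod_tag", "v1.2.3"),
    }


if __name__ == "__main__":
    # Constructed CVE identifiers, not real advisories.
    good = Job("CVE-2024-0001")
    print(orchestrate(good, demo_actions("Fix CVE-2024-0001: bump libfoo")), good.log)
    bad = Job("CVE-2024-0001")  # two CVEs in one commit violates the invariant, halts at Rebase
    print(orchestrate(bad, demo_actions("Fix CVE-2024-0001 and CVE-2024-0002")), bad.log)
```

Because `run_step` takes the job's current state as its input, a human can construct a `Job` at any state and run that single step to debug it, which is the "runnable manually and automated" requirement; the orchestrator adds nothing but the transition.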

Reasoning

Modular, debuggable automation beats clever solutions. Each step should work independently, be runnable manually or automated, and have clear success criteria. Simple state machines are easier to debug and maintain than complex orchestration.

Additional Context

Nathan drew the workflow on the whiteboard. NARF's initial scope was getting to merge review. Discussion about avoiding the complexity of Jason's previous CVE workflow implementation.

Observed Evidence

Peter: "This orchestrator has to be simple and stupid... All I want here is SWF where S actually is simple" and "I want the vision doc to put all of this as requirements... So they can be run manually and automated" and agreement on 1 CVE per commit approach.

Confidence Breakdown

Evidence: 33/35
Pattern: 27/30
Source: 18/20
Corroboration: 14/15

Reasoning Depth Analysis

Org Signal: Engineering should prioritize simplicity and debuggability over cleverness
Precedent: Sets architectural pattern for all automation going forward

Source

reflection

AI Confidence

92%

Outcome

Closed without detailed outcome

Decision ID: dbf5fc1b-fec6-4fef-a77e-229e8bae7619