v0.8 is the release where we stopped adding features and started making everything bulletproof. Before expanding the protocol’s attack surface, we needed to prove the foundation is solid.
Why Security First
v0.7 gave genes network access, an IDE plugin, and a 4-gene AI pipeline. That’s a lot of new surface area. Before going further — P2P networking, economic systems, public API — we needed to answer one question: can we defend what we’ve already built?
Deep Security Audit
We ran a comprehensive audit across the entire Cloud Binding stack:
- Supabase: 8 new migrations audited. Found 2 CRITICAL issues (anonymous unlimited writes to
mcp_call_log, download tracking without deduplication) + 4 WARNING + 1 SUGGESTION. All fixed and verified with penetration testing. - WASM sandbox: Found 2 CRITICAL issues — memory limits were declared but never enforced by wasmtime, and the epoch interrupt system was never started. Infinite loops had zero protection. Both fixed with a
ResourceLimitertrait implementation and a background epoch incrementer.
Every issue is now covered by regression tests that run in CI.
WASM Sandbox Fortification
We built 22 security tests that actively try to break the sandbox:
- Memory out-of-bounds read/write attacks
- Infinite loops and recursive stack exhaustion
- Unauthorized host function calls
- Malformed IR payloads (bad magic bytes, truncated WASM, oversized sections)
- Resource exhaustion (memory allocation beyond limits, table flooding)
The sandbox now enforces a triple-layer defense: fuel limits, epoch timeouts, and memory/table caps via ResourceLimiter.
P2P Protocol RFC
Instead of rushing into implementation, we designed first. The P2P Protocol RFC is a complete specification — 10 chapters, 3 appendices, 14 architectural decisions — covering:
- Transport: QUIC-first with TCP fallback via libp2p
- Discovery: mDNS for LAN, Kademlia DHT for WAN
- Messaging: GossipSub with 4 topic types and a 6-step validation pipeline
- Security: Sybil protection (Proof-of-Gene), eclipse attack mitigation, flood prevention
- Performance: 0.27 KB/s steady-state bandwidth per node, scales to 100K nodes
The complete Protobuf schema is included. v0.9 developers can start implementing immediately.
Automated Reputation System
The reputation system went from “call these RPCs manually” to fully autonomous:
- Daily: Gene and developer reputation scores recompute automatically at 00:00 UTC
- Monthly: 5% reputation decay keeps scores fresh — inactive genes fade
- Real-time triggers: Publishing a gene, winning an arena match, or receiving a download immediately cascades through the reputation graph
- ContributionMetrics: Every gene invocation is now tracked with caller identity — preparing for anti-manipulation rules in v0.9
LLM-Native Gene Standards
We defined two new gene phenotype standards:
- Prompt Gene (
prompt.*domain): Evaluated on template structure quality across LLM backends, not individual outputs — solving the §29.3 external-call problem - Guard Gene (
guard.*domain): Security filtering with direct V(g) safety score linkage
Both standards were battle-tested through the Development Genome experiment: a Rule Router (2 variants) and Code Review Assistant (6 genome combinations) competing in the Arena.
AI Documentation Assistant
The rotifer.dev documentation site now has a built-in AI assistant powered by a 4-gene pipeline:
doc-retrieval → answer-synthesizer → source-linker → grammar-checkerIt’s not just a chatbot — it’s a dogfooding showcase. Every question runs through real Rotifer genes, and each invocation is recorded in the reputation system. The pipeline details are visible to users who want to see how gene composition works in practice.
Security measures: physically isolated RAG database, IP rate limiting (30/hr), daily cost cap ($5), content filtering, and no user data storage.
Evolution API Level 1.5
A REST API layer for programmatic gene discovery and arena insights:
- Query genes by domain and fidelity level
- Access arena health metrics (Shannon diversity, turnover rate, top gene trends)
- Full OpenAPI specification with API key authentication
What’s Next: v0.9
With the security foundation solid and the P2P RFC complete, v0.9 will focus on:
- P2P Discovery Layer: Implementing the RFC — genes propagate through a decentralized network
- Economy Design: Token-free value exchange mechanisms
- Season System: Time-bounded competitive epochs with anti-manipulation enforcement
The blueprint is ready. Time to build the network.