DEV Community

Cover image for Rotifer v0.5.5: Foundation Hardening — Fixing Four Critical Gaps Before They Become Real Problems
Rotifer Protocol
Rotifer Protocol

Posted on • Originally published at rotifer.dev

Rotifer v0.5.5: Foundation Hardening — Fixing Four Critical Gaps Before They Become Real Problems

#ai #webassembly #security #opensource

We paused feature development to fix foundations. An implementation audit found four critical gaps between our specification and our code. v0.5.5 closes all four.

Gap 1: CLI Bypassed the WASM Sandbox

rotifer test and rotifer agent run called import() directly in Node.js — genes ran with full host access, no fuel metering, no memory isolation. The WasmtimeSandbox existed in Rust but the CLI never called it.

Fix: A new NAPI function executeGene() routes Native genes through the Rust sandbox. The execution report now includes fuel_consumed, memory_peak, and execution_time_ms. Wrapped genes fall back to Node.js with a warning: ⚠ Running without sandbox — run 'rotifer compile' first.

Gap 2: L0 Kernel Had Zero Enforcement

PermissionSet was passed through the execution context but never checked. A gene could declare network_access: false and still make HTTP requests.

Fix: L0Gate::check() runs four pre-execution checks (domain whitelist, resource limits, network permission, filesystem permission). Every execution — pass or block — is logged to .rotifer/audit.jsonl.

Gap 3: AlgebraExecutor Not Integrated

Rust had a complete five-operator algebra executor (Seq/Par/Cond/Try/Transform). The CLI reimplemented a Seq-only loop in TypeScript and ignored the rest.

Fix: executeAlgebra() NAPI bridge connects the CLI to the Rust executor. rotifer agent run --composition Par now works, with rotifer agent create supporting Par/Cond/Try configuration.

Gap 4: Fitness Formula Diverged from Spec

The spec defines a multiplicative model where zero success rate = zero fitness. The implementation used an additive average where a bad score could be compensated by other metrics.

Fix: compute_fitness() now implements the spec formula: F(g) = [S_r · log(1+C_util) · (1+R_rob)] / [L · Resource_Cost]. Historical data coexists via formula_version field.

Compliance Testing

rotifer test --compliance runs 6 structural checks: sandbox execution, fuel consumption, L0Gate pass, phenotype compliance, F(g) computability, and IR segment integrity.

Stats: Rust 224 tests + 1 doc-test · TypeScript 188 tests · All passing

Source: gitlab.com/rotifer-protocol/rotifer-playground

This article was originally published on rotifer.dev. Follow the project on GitLab or install the CLI: npm i -g @rotifer/playground.

Top comments (0)