Two releases in rapid succession — same goal, different angles. v0.7.7 eliminates every feature gap between CLI, MCP Server, and VSCode extension. v0.7.8 adds 67 tests covering security, resilience, and edge cases that didn't exist before. Together, they create the foundation for v0.7.9's Trust Shield — because you can't ship a security scanner built on untested code.
Both @rotifer/playground and @rotifer/mcp-server are updated on npm.
v0.7.7 — Alignment
The Problem: Three Tools, Three Different Feature Sets
After v0.7.6, a cross-layer audit revealed an uncomfortable truth: the CLI had commands the MCP Server didn't expose, the MCP Server had tools with no CLI equivalent, and the VSCode extension was stuck at 5 commands while the other two had 20+.
Developers hitting rotifer info in their terminal couldn't do the same thing from their AI agent (MCP). Agent developers using get_gene_reputation via MCP couldn't check reputation from the CLI. And VSCode users? They could search and publish — that's about it.
The Fix: Full Feature Parity
CLI gained 7 new commands — every capability that was MCP-only is now available in the terminal:
rotifer info <gene-id> # Gene detail (was MCP-only)
rotifer list # Local gene inventory
rotifer run <gene-name> # Execute a gene directly
rotifer versions <owner> <name> # Version history chain
rotifer whoami # Auth status check
rotifer stats <gene-id> # Download analytics
rotifer compare <id1> <id2> # Side-by-side gene comparison
MCP Server gained 3 new tools — reputation and domain suggestion, previously CLI-only:
- get_gene_reputation — Full reputation breakdown for any gene
- get_my_reputation — Developer's own reputation score
- suggest_domain — AI-powered domain name recommendations
VSCode extension jumped from 5 to 26 commands — a complete rewrite:
| Before (v0.1.1) | After (v0.7.7) |
|---|---|
| 5 commands | 26 commands |
| 1 TreeView | 3 TreeViews (Genes, Local, Arena) |
| 15 tests | 27 tests |
| No auth | Full OAuth login/logout |
| No webviews | Stats, Versions, Leaderboard, Compare |
The result: any operation you can do in one tool, you can do in all three.
Test Count: 499 Across All Layers
CLI (275) + MCP Server (197) + VSCode (27) = 499 tests, all green.
v0.7.8 — Test Fortification
Why a Dedicated Testing Release?
With v0.7.9 planning to ship a security scanner (V(g) analysis for the Claw ecosystem), we couldn't build security tooling on top of code that lacked security tests of its own. A quick audit after v0.7.7 showed clear gaps:
| Test Type | CLI | MCP | VSCode |
|---|---|---|---|
| Unit | ✅ | ✅ | ✅ |
| Integration | ⚠️ Partial | ✅ | ❌ Missing |
| Security | ❌ Missing | ✅ | ❌ Missing |
| Resilience | ❌ Missing | ✅ | ❌ Missing |
The CLI — the most user-facing layer — had zero security tests and zero resilience tests.
67 New Tests in Four Categories
Security tests (22 tests) — the stuff that keeps you up at night:
- Path traversal: rotifer init --name ../../../etc/passwd → blocked
- Command injection: Gene names with shell metacharacters (; rm -rf /) → sanitized
- Token safety: API tokens never printed to stdout/stderr
- Malicious input: 10MB JSON payloads, circular references → graceful rejection
- Credential file permissions: credentials.json isn't world-readable
Resilience tests (15 tests) — what happens when things break:
- Network unreachable → clear error message, no crash
- Cloud API returns 500/502/503 → retry logic, eventual graceful failure
- Token expires mid-operation → prompt re-login, don't corrupt state
- Config file externally corrupted → detect and recover
Edge case tests (20 tests) — the weird stuff real users do:
- Gene names with Chinese characters, emoji, spaces
- Concurrent rotifer publish of the same gene
- rotifer compare with two identical IDs
- Version downgrade installation
- Every command in an empty project directory
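The security and edge-case lists above pull in opposite directions: names must accept Chinese characters, emoji and spaces, yet reject traversal sequences and shell metacharacters. The following is an added example, not Rotifer's own code, of an allow-list validator that satisfies both; the function name, the 64-character cap, the reserved-name rule and the reason strings are assumptions made for illustration.

```javascript
// Added example, not Rotifer's code: length cap and character policy are assumptions.
const MAX_NAME_LENGTH = 64;

// Allow-list: letters, digits and combining marks from any script, pictographic
// emoji, and (not in first position) space, dot, underscore, hyphen.
const NAME_PATTERN =
  /^[\p{L}\p{N}\p{Extended_Pictographic}][\p{L}\p{N}\p{M}\p{Extended_Pictographic} ._-]*$/u;

// Ordered deny checks, used only to report a precise reason; the allow-list
// above is what actually decides whether a name is accepted.
const REJECT_REASONS = [
  ['control-char', /[\u0000-\u001f\u007f]/],
  ['dot-segment', /^\.|\.\.|\.$/],
  ['shell-metachar', /[;&|`$<>(){}!*?'"#~]/],
  ['path-separator', /[\/\\]/],
  ['reserved-name', /^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\.|$)/i],
];

function validateGeneName(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not-a-string' };
  // Normalize so visually identical names compare equal downstream.
  const name = raw.normalize('NFC');
  const length = [...name].length; // code points, so one emoji counts once
  if (length === 0 || length > MAX_NAME_LENGTH) return { ok: false, reason: 'length' };
  for (const [reason, pattern] of REJECT_REASONS) {
    if (pattern.test(name)) return { ok: false, reason };
  }
  if (name !== name.trim() || !NAME_PATTERN.test(name)) {
    return { ok: false, reason: 'disallowed-char' };
  }
  return { ok: true, name };
}

// Constructed inputs mirroring the test cases listed above.
const SAMPLE_NAMES = [
  '../../../etc/passwd', 'demo; rm -rf /', '基因 排序',
  'rocket-\u{1F680}', 'a/b', 'my gene_v2',
];

function classifySamples() {
  return SAMPLE_NAMES.map((candidate) => {
    const result = validateGeneName(candidate);
    return result.ok ? 'accepted' : result.reason;
  });
}
```

Validation of this kind complements, rather than replaces, passing the name to child processes as a separate argument instead of interpolating it into a shell string.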
VSCode integration tests (10 tests) — the missing layer:
- TreeView graceful degradation when offline
- Auth expiry → re-login prompt (not silent failure)
- Complete publish flow with mocked Cloud API
Final Test Count: 566
Before v0.7.8: 499. After: 566 tests across 3 layers, all passing. The test pyramid now covers Unit, Integration, E2E, Security, and Resilience for both CLI and MCP Server.
What's Next: v0.7.9 — Trust Shield
v0.7.9 introduces V(g) security scanning for the broader Claw ecosystem — a direct response to the ClawHavoc incident that exposed 1,184 malicious Skills on ClawHub.
The idea: VirusTotal tells you "not a virus." Rotifer tells you "actually good or not."
- V(g) AST scanner: Static analysis that detects eval(), command injection patterns, suspicious network calls, and code obfuscation — 7 rules, graded A through D
- badge.rotifer.dev: A shields.io-compatible badge service. Any ClawHub Skill author can add a trust badge to their README
- Top 50 scan report: We'll scan the most-installed ClawHub Skills and publish the results
v0.7.7 aligned the tools. v0.7.8 hardened the tests. v0.7.9 uses both to build trust infrastructure for the entire ecosystem.
Install / Upgrade
npm install -g @rotifer/playground@0.7.8
For MCP Server users:
npm install -g @rotifer/mcp-server@0.7.8
VSCode extension: search "Rotifer" in the Extensions panel, or install from the .vsix in the latest release.
Top comments (1)
nice! I like your explanation