
RE: 🧬 SteemBiota — A No-Backend Life Simulation Built Entirely on Steem

in Steem Dev · 2 months ago

🔧 SteemBiota — Patch Notes: Code Audit & Fixes

Since the initial release I ran a full code audit across all four source files (blockchain.js, app.js, components.js, index.html). Seventeen issues were found and all have been fixed. Here's what changed and why it matters.


🔴 Bug Fixes — Gameplay Correctness

Mutation detection was broken (app.js, breedGenomes)

This is the most important fix. The breeding function was consuming extra random number generator ticks after the child genome was already finalized, then comparing the child against those unrelated draws. The result: the mutated flag shown after every breeding session was unreliable — sometimes reporting a mutation when the child was actually clean, sometimes the reverse. This affected the 🧬 Mutation badge, XP display, and post body text.

The fix replaces the flawed comparison with a simple, RNG-free check: a gene is considered mutated if its value differs from both parents. No extra draws, no broken sequence.
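The RNG-free check described above, as an added example that is not SteemBiota's own code. It assumes a genome is an array of small integer gene values (0 to 9) and that `rng()` returns a float in [0, 1); the breeding routine is a stand-in that only shows where the check must sit relative to the RNG draws.

```javascript
// Added example (not SteemBiota's code). Assumption: a genome is an array
// of small integer gene values in the range 0..9.

// A gene counts as mutated only if it matches neither parent's allele.
// Nothing here touches the RNG, so the check cannot desynchronise it.
function detectMutations(child, parentA, parentB) {
  const mutated = [];
  for (let i = 0; i < child.length; i++) {
    if (child[i] !== parentA[i] && child[i] !== parentB[i]) mutated.push(i);
  }
  return mutated;
}

// Draw a mutated allele that differs from both parents, so the mutation is
// observable by the check above. Draws come from rng only.
function mutateGene(geneA, geneB, rng) {
  let v;
  do {
    v = Math.floor(rng() * 10);
  } while (v === geneA || v === geneB);
  return v;
}

// Stand-in breeder: one allele per gene from either parent, then an optional
// mutation. Every RNG draw happens before the child is finalised; the
// mutated flag is derived afterwards from the three genomes alone.
function breedGenomes(parentA, parentB, rng, mutationRate = 0.1) {
  const child = parentA.map((geneA, i) => {
    const geneB = parentB[i];
    const pick = rng() < 0.5 ? geneA : geneB;
    return rng() < mutationRate ? mutateGene(geneA, geneB, rng) : pick;
  });
  const mutatedGenes = detectMutations(child, parentA, parentB);
  return { child, mutated: mutatedGenes.length > 0, mutatedGenes };
}
```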

RPC fallback could permanently skip the primary node (blockchain.js, callWithFallback)

The RPC fallback logic stored the current node index in a shared global variable. Under a transient network hiccup, two concurrent requests could race on that variable and advance the index past all available nodes, leaving the app stuck on the last one even after the primary recovered. The fix passes the attempt index as a parameter so each call manages its own fallback independently.
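Added example (not SteemBiota's code) contrasting the shared-index pattern described above with the per-call attempt index. It assumes `nodes` is an ordered list of RPC endpoints, `request(node)` returns a Promise for the RPC result against that node, and the node URLs and the flaky test double are constructed here.

```javascript
// Added example (not SteemBiota's code). Constructed endpoint list.
const NODES = ['https://primary.example', 'https://backup-1.example', 'https://backup-2.example'];

// Fixed shape: each call owns its `attempt` counter. Concurrent calls cannot
// advance each other past the list, and every new call starts at the primary.
async function callWithFallback(request, attempt = 0, nodes = NODES) {
  if (attempt >= nodes.length) {
    throw new Error('all RPC nodes failed');
  }
  try {
    return await request(nodes[attempt]);
  } catch (err) {
    return callWithFallback(request, attempt + 1, nodes);
  }
}

// Approximation of the pre-patch shape: a module-level index every call
// mutates. Two calls failing together advance it twice and nothing resets
// it, so later calls never return to the primary once it recovers.
let sharedIndex = 0;
async function callWithFallbackShared(request, nodes = NODES) {
  while (sharedIndex < nodes.length) {
    try {
      return await request(nodes[sharedIndex]);
    } catch (err) {
      sharedIndex += 1;
    }
  }
  throw new Error('all RPC nodes failed');
}

// Constructed test double: a node fails `downCounts[node]` times, then recovers.
function makeFlakyRequest(downCounts) {
  const remaining = { ...downCounts };
  return async (node) => {
    if ((remaining[node] || 0) > 0) {
      remaining[node] -= 1;
      throw new Error(`${node} unavailable`);
    }
    return `ok from ${node}`;
  };
}
```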

Previous owner could still breed a transferred creature (blockchain.js, isBreedingPermitted)

After an ownership transfer, the original post author is no longer the owner — but the breeding permission check was comparing against post.author (immutable) instead of effectiveOwner (derived from the transfer chain). This meant the previous owner retained breed access indefinitely after giving a creature away. The fix ensures the check always uses the correct effective owner.
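The owner derivation and permission check described above, as an added example that is not SteemBiota's code. It assumes a creature post is `{ author, permlink }` and that its transfer chain is an ordered array of `{ from, to }` records recovered from json_metadata; the account names are constructed.

```javascript
// Added example (not SteemBiota's code). Assumptions: post = { author, permlink },
// transfers = ordered array of { from, to } records from json_metadata.

// Walk the chain from the original author. A record whose `from` is not the
// current owner is not a valid hand-over and is skipped, so a stale record
// left by a previous owner cannot move the creature a second time.
function deriveEffectiveOwner(post, transfers) {
  let owner = post.author;
  for (const t of transfers) {
    if (t.from === owner && typeof t.to === 'string' && t.to.length > 0) {
      owner = t.to;
    }
  }
  return owner;
}

// Pre-patch bug: comparing against the immutable post.author means the
// original author keeps breed access forever after giving the creature away.
function isBreedingPermittedBuggy(post, transfers, user) {
  return user === post.author;
}

// The fix: compare against the owner derived from the transfer chain.
function isBreedingPermitted(post, transfers, user) {
  return user === deriveEffectiveOwner(post, transfers);
}
```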

Uppercase permlinks were silently accepted then failed at the API (app.js, parseSteemUrl)

The URL parser used a case-insensitive regex flag (i), so a URL with a capitalised permlink would parse successfully here and then produce a confusing "Post not found" error from the API. Steem permlinks are always lowercase; the fix removes the i flag so invalid URLs are caught early with a clear message.


🟡 Security & Ownership

Explicit documentation of the localStorage trust model (app.js)

The app restores the logged-in username from localStorage on load. This is safe because no key material is ever stored — every write action requires a fresh Keychain signature. The trust boundary is now clearly documented in code so future contributors don't accidentally weaken it.

Client-side kinship check limitation documented (blockchain.js)

The inbreeding prevention system runs entirely in the browser. A determined user who modifies the JS can bypass it. This was always true by design (fully client-side dApp, no backend), but it's now explicitly noted in the source. The post-hoc detection path — genome fingerprinting and parent-link fields stored in json_metadata — remains intact for community accountability.


🟠 Performance Improvements

Notification scan made ~2× faster (blockchain.js, fetchNotificationsForUser)

The notification scanner was calling fetchPostsByTag('steembiota', 100) twice in the same function — once for incoming transfer offers, once for breed notifications. Both calls fetch the same data. They now share a single fetch result (sharedTagPosts), halving the tag-query RPC cost every time notifications are polled.

Reply fan-out throttled to 5 concurrent requests (blockchain.js)

Both the notification scanner and the owned-creatures loader were firing reply fetches for all matching posts simultaneously via Promise.all. With an active community this could easily trigger 50–100 parallel RPC calls at once, which is abusive to free public nodes. All fan-out operations are now throttled to a maximum of 5 concurrent requests using a lightweight _throttledMap helper.
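One way to build the throttled fan-out described above, as an added example that is not SteemBiota's own _throttledMap. The reply-fetch function is a constructed probe that only records how many calls are in flight; the concurrency limit of 5 matches the figure in the text.

```javascript
// Added example (not SteemBiota's code): map an async function over a list
// with at most `limit` calls in flight at any moment.
async function throttledMap(items, fn, limit = 5) {
  const results = new Array(items.length);
  let next = 0;
  // Each worker pulls the next free index until the list is exhausted, so
  // `limit` workers means at most `limit` outstanding requests.
  async function worker() {
    while (next < items.length) {
      const i = next++;
      results[i] = await fn(items[i], i);
    }
  }
  const workers = Array.from({ length: Math.min(limit, items.length) }, worker);
  await Promise.all(workers);
  return results;
}

// Constructed probe standing in for a reply fetch: tracks peak concurrency.
function makeConcurrencyProbe() {
  const state = { inFlight: 0, peak: 0 };
  const fetchReplies = async (permlink) => {
    state.inFlight += 1;
    state.peak = Math.max(state.peak, state.inFlight);
    await new Promise((resolve) => setTimeout(resolve, 1));
    state.inFlight -= 1;
    return `replies:${permlink}`;
  };
  return { state, fetchReplies };
}
```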

Notification badge polling extended to 15 minutes (app.js)

The badge was polling every 5 minutes. Given that each poll triggers the heavy notification scan above, this was too aggressive for public infrastructure. The interval is now 15 minutes — still responsive enough for typical usage while being much kinder to the RPC nodes the whole community depends on.


🔵 Code Quality

  • buildPermlink — trailing-hyphen strip regex was missing the g flag, so titles that collapsed to ---slug--- would still have leading/trailing hyphens after the strip. Fixed.
  • @keyframes spin — the CSS animation was injected via a <style> tag inside a Vue component template, which is invalid HTML (only allowed in <head>). Moved to the global stylesheet in index.html.
  • parseSteembiotaPosts — date sort changed from string comparison to numeric Date subtraction, making it stable when two posts share the same timestamp.
  • Dead code removed — the void beforeMOR line in breedGenomes (a leftover from an earlier design) is gone.
  • Comments added throughout for generateGenome (intentional non-determinism), mirrorUnicodeLine (grapheme-cluster limitation), and safeUrl (remaining trust boundary).

🚀 How to Update

Replace your local copies of app.js, blockchain.js, components.js, and index.html with the patched versions and redeploy to GitHub Pages. No breaking changes to the on-chain data format — all existing creatures, feeds, permits, and transfers remain fully compatible.


Thanks for the continued support of SteemBiota. Every creature published, fed, and bred makes the fossil record richer. 🌿

@puncakbukit
