Rotifer v0.5.5: Foundation Hardening — Fixing Four Critical Gaps Before They Become Real Problems

Source: DEV Community
We paused feature development to fix foundations. An implementation audit found four critical gaps between our specification and our code. v0.5.5 closes all four.

Gap 1: CLI Bypassed the WASM Sandbox

rotifer test and rotifer agent run called import() directly in Node.js — genes ran with full host access, no fuel metering, no memory isolation. The WasmtimeSandbox existed in Rust but the CLI never called it.

Fix: A new NAPI function executeGene() routes Native genes through the Rust sandbox. The execution report now includes fuel_consumed, memory_peak, and execution_time_ms. Wrapped genes fall back to Node.js with a warning: ⚠ Running without sandbox — run 'rotifer compile' first.

Gap 2: L0 Kernel Had Zero Enforcement

PermissionSet was passed through the execution context but never checked. A gene could declare network_access: false and still make HTTP requests.

Fix: L0Gate::check() runs four pre-execution checks (domain whitelist, resource limits, network permission, filesystem permissi
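
A pre-execution gate of the kind Gap 2 describes, as an added example in Rust that is not Rotifer's own code. Only PermissionSet, network_access and L0Gate::check are names from the post; the other fields, GeneRequest, Denied and the way each check is written are assumptions.

```rust
// Added example, not Rotifer's code. Only PermissionSet, network_access and
// L0Gate::check are names from the post; every other name is hypothetical.
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum Denied { Memory(u64), Network, Domain(String), Filesystem(String) }

pub struct PermissionSet {
    pub network_access: bool,
    pub allowed_domains: HashSet<String>, // hypothetical field
    pub fs_roots: Vec<String>,            // hypothetical field
    pub max_memory_bytes: u64,            // hypothetical field
}

/// What a gene asks for before it runs (hypothetical shape).
pub struct GeneRequest { pub domains: Vec<String>, pub paths: Vec<String>, pub memory_bytes: u64 }

/// True only if `path` is `root` itself or lies below it, with no `..` segment.
fn under(path: &str, root: &str) -> bool {
    let root = root.trim_end_matches('/');
    !path.split('/').any(|seg| seg == "..")
        && (path == root || path.strip_prefix(root).map_or(false, |rest| rest.starts_with('/')))
}

pub struct L0Gate;

impl L0Gate {
    /// Fail closed: the first violated rule aborts before any gene code runs.
    pub fn check(p: &PermissionSet, r: &GeneRequest) -> Result<(), Denied> {
        if r.memory_bytes > p.max_memory_bytes { return Err(Denied::Memory(r.memory_bytes)); }
        // A declaration of network_access: false must reject any requested domain.
        if !p.network_access && !r.domains.is_empty() { return Err(Denied::Network); }
        if let Some(d) = r.domains.iter().find(|d| !p.allowed_domains.contains(*d)) {
            return Err(Denied::Domain(d.clone()));
        }
        if let Some(f) = r.paths.iter().find(|f| !p.fs_roots.iter().any(|root| under(f, root))) {
            return Err(Denied::Filesystem(f.clone()));
        }
        Ok(())
    }
}

fn main() {
    // Constructed sample: the gene declares no network access but requests a domain.
    let p = PermissionSet { network_access: false, allowed_domains: HashSet::new(),
        fs_roots: vec!["/data".into()], max_memory_bytes: 1 << 20 };
    let r = GeneRequest { domains: vec!["api.example.com".into()], paths: vec![], memory_bytes: 4096 };
    println!("{:?}", L0Gate::check(&p, &r)); // rejected before execution
}
```

A gate like this only covers what a gene declares up front; the sandbox still has to enforce the same limits at run time.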