Forge-CRS — Autonomous Cyber Reasoning System

Release Notes — Forge-CRS v1.0.0

First release of Forge-CRS, an autonomous Cyber Reasoning System implementing the full AIxCC-style discover → exploit → patch → verify loop.

Highlights

  • Autonomous, zero-touch loop over a benchmark of five real-world OSS vulnerability classes (CWE-1321, CWE-22, CWE-78, CWE-1333, CWE-125).
  • Coverage-guided fuzzing on real V8 precise block coverage, with dictionary + structure-aware mutation.
  • Multi-signal crash oracle: prototype-pollution canary, path containment, shell-metacharacter detection, sandboxed wall-clock hang (ReDoS), and unhandled out-of-bounds.
  • Crash minimization (delta-debugging / binary search) to tight PoVs, plus independent CWE classification checked against ground truth.
  • Semantic patch synthesis + a strict two-part validator (PoV must be neutralized *and* functional regression must hold).
  • Deterministic: seedable PRNG makes a whole campaign reproducible.
  • Safe by construction: no real exploit executes (injected sinks, killable workers).
  • Zero dependencies; Node ≥ 20; CLI + library API + CI-friendly exit codes.
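
The prototype-pollution canary and the two-part validator from the highlights, as an added example (not Forge-CRS code; the function names, canary key, PoV and regression cases are all constructed for illustration):

```javascript
// Added illustration, not Forge-CRS code; all names and sample inputs are constructed.
const CANARY = '__crs_canary__';
const POV = `{"__proto__":{"${CANARY}":true}}`; // JSON.parse yields an own "__proto__" key
// Deliberately vulnerable deep merge (CWE-1321): recurses through "__proto__".
function mergeVulnerable(target, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val && typeof val === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeVulnerable(target[key], val);
    } else target[key] = val;
  }
  return target;
}
// Candidate patch: skip prototype-reaching keys and only descend into own properties.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function mergePatched(target, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED.has(key)) continue;
    const val = src[key];
    if (val && typeof val === 'object') {
      if (!Object.hasOwn(target, key) || !target[key] || typeof target[key] !== 'object') target[key] = {};
      mergePatched(target[key], val);
    } else target[key] = val;
  }
  return target;
}
// Overfit candidate: drops nested objects, so the PoV dies but deep merge breaks.
function mergeOverfit(target, src) {
  for (const key of Object.keys(src)) if (typeof src[key] !== 'object') target[key] = src[key];
  return target;
}
// Canary oracle: a fresh object sees the canary only if Object.prototype was polluted.
function canaryTripped(merge, povJson) {
  try { merge({}, JSON.parse(povJson)); return CANARY in {}; }
  finally { delete Object.prototype[CANARY]; } // always restore global state
}
const REGRESSION = [ // [target, source, expected]
  [{ a: 1 }, { b: 2 }, { a: 1, b: 2 }],
  [{ a: { x: 1 } }, { a: { y: 2 } }, { a: { x: 1, y: 2 } }],
];
const regressionHolds = (merge) => REGRESSION.every(([t, s, want]) =>
  JSON.stringify(merge(JSON.parse(JSON.stringify(t)), s)) === JSON.stringify(want));
// Two-part validator: the PoV must stop firing AND regression must still hold.
function validatePatch(original, candidate, povJson) {
  const reproduces = canaryTripped(original, povJson); // sanity: PoV fires pre-patch
  const neutralized = !canaryTripped(candidate, povJson);
  const regressionOk = regressionHolds(candidate);
  return { reproduces, neutralized, regressionOk, accepted: reproduces && neutralized && regressionOk };
}
```

mergeOverfit neutralizes the PoV yet fails regression, so validatePatch rejects it; only mergePatched passes both halves.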

Verification

node verify.mjs

37/37 checks pass (100%): 5/5 discovered, 5/5 classified, 5/5 remediated, 11/11 regression cases preserved, deterministic across runs.

Known limitations (see certification-report.md)

  • Live adapter is JavaScript/Node only; C/C++/Java adapters are architectural seams (not executed).

  • Single-file benchmark scale, not whole-repo OSS.
  • Bug-class repair strategies, not free-form program repair.

Roadmap

  • C/C++ adapter via ASan/UBSan + libFuzzer/AFL++.
  • Java adapter via Jazzer.
  • Persistent corpora + parallel workers for repo-scale fuzzing.
  • SARIF output and a scoring harness.