Code Quill

@CodeQuillClaim

CodeQuill is on-chain memory for software — preserving source states, release intent, and lineage claims in a world where code is produced faster than it can be

Blockchain · Joined August 2025
138 Following · 106 Followers
Pinned Tweet
Code Quill@CodeQuillClaim·
When code is generated faster than it can be remembered

We are entering an era where code is produced at a rate never seen before. AI systems can generate repositories, refactor large codebases, and produce entire features in minutes. The bottleneck is no longer typing — it’s understanding, coordination, and accountability.

As the volume of code increases, something subtle happens: it becomes harder to answer simple questions. What exactly existed at a given moment? Who approved this release? What source state was this artifact supposed to correspond to? When did this change become authoritative?

When code is generated rapidly, intent becomes easier to reconstruct after the fact. Facts do not.

This is not an argument against AI. It is an argument for stronger evidence infrastructure. If software is increasingly generated, modified, and assembled at machine speed, then preserving durable, inspectable records of source states and release intent becomes more important — not less.

The future may involve more automation. But automation without memory becomes noise. In an era of abundant code, what matters is not just what can be produced — but what can be preserved.

Software needs memory. CodeQuill is building memory infrastructure for software.
Code Quill retweeted
ETHGlobal@ETHGlobal·
🌟 ETHGlobal New York Spotlight: @CodeQuillClaim CodeQuill is onchain memory for software, preserving source states, release intent, and lineage claims. Catch the team at their booth and see it in action! ethglob.al/oxMQOTu | codequill.xyz
Code Quill@CodeQuillClaim·
We are finally @ETHGlobal NY hackathon with our Spotlight booth! Come say hi and learn more 👀 #BOOELIEVE Special thanks to @Bookof_Eth for their incredible support 🙏📘
ETHGlobal@ETHGlobal·
gm builders ☕️ who’s coming to ETHGlobal New York?
Code Quill retweeted
The Book of Ethereum 📘 booe.eth
ETHGlobal New York Spotlight. 🗽✨ Book Of Ethereum will be featured alongside @CodeQuillClaim during ETHGlobal NYC. 🙏📖 Last year at @ETHGlobal NYC was the moment CodeQuill was born and first revealed. Almost one year later, @dadajuice_crypto kept building through the noise and turned the vision into something real for Ethereum’s future. 👇 CodeQuill is building an onchain memory layer for software: preserving source history, release intent and software lineage in a world where code is evolving faster than ever. This is the type of Ethereum aligned infrastructure and frontier building that deserves attention. We are grateful as BOOElievers to receive recognition from an organization like @ETHGlobal and we will take this opportunity with both hands. And NYC doesn’t stop there… Book Of Ethereum is organizing its own side event together with @strato_net during @ethconf NYC bringing together Ethereum culture, builders, memes, HardFi and community. 🍸⚡ Come meet the BOOElievers, experience the energy of Ethereum culture and be part of what we are building together in NYC. Let’s make this year’s edition Epic🙏🙏🙏📖 Sign up for our event👇 luma.com/of3zm3c5
Code Quill retweeted
ETHGlobal@ETHGlobal·
⭐️ Introducing ETHGlobal New York Spotlight: @CodeQuillClaim An onchain memory for software — preserving source states, release intent, and lineage claims in a world where code is produced faster than it can be. ethglob.al/oxMQOTu | codequill.xyz
Code Quill@CodeQuillClaim·
Nine months. Eight immutable contracts. One thesis. CodeQuill is live on @base. Source code is the most reproduced asset in the world. And the least preserved. Repos vanish. Authorship gets murky. History gets rewritten. CodeQuill writes the receipts as code is built. On-chain, immutable, verifiable by anyone. Memory infrastructure for software. codequill.xyz
The Book of Ethereum 📘 booe.eth
@notfeven When code is abundant, what's scarce is taste, judgment, and maintenance. Fund the humans who curate, the infrastructure that persists, and the communities that maintain context. Importance = what breaks when it disappears.
feven 🦅@notfeven·
some hard questions: If code becomes abundant: What should get funded? How do we measure importance? Who pays for the compute that maintains the commons?
Code Quill@CodeQuillClaim·
@strato_net 🤣🤣🤣 bonus points for the UPPERCASE
STRATO | Community ICO Now Live! | HardFi
STRATO IS THRILLED TO ANNOUNCE A PARTNERSHIP WITH THE US TREASURY DEPARTMENT. ALL FORT KNOX GOLD HAS BEEN TOKENIZED ON STRATO AT A 1:1 RATE, AND IS FULLY AUDITED. SECRETARY SCOTT BESSENT SHARED PLANS TO BORROW, PROVIDE LIQUIDITY, AND EARN FEES IN ORDER TO “DO RIGHT BY AMERICAN TAXPAYERS.” THANK YOU FOR YOUR ATTENTION TO THIS MATTER!
The Book of Ethereum 📘 booe.eth
EIP-712 delegations for relayer-mediated workflows is the right call - repo owners don't need to be online for every tx. Workspace-scoped permissions, Merkle-rooted snapshots, supply-chain attestations all on-chain. This is serious software provenance infra, not a toy. @dadajuice building the real thing 🔥
Code Quill@CodeQuillClaim·
CodeQuill contracts are now public

As we get closer to release, the core CodeQuill smart contracts are open. These contracts implement the on-chain primitives the system is built on: claims of authority, source snapshots, releases, attestations, preservation, and delegation.

They are fully permissionless. Anyone can inspect them, reason about them, and build on top of them.

Their job is narrow but critical: record durable facts. What source code existed. When it existed. Under whose authority. What claims were made about it.

The application layer coordinates, through our CLI and Web interface, the workflows, surfaces evidence, and makes these primitives usable at scale. But the rules that govern the evidence live on-chain, in the open.

If CodeQuill is meant to preserve evidence, the mechanisms that record that evidence must themselves be visible and understandable. Architecture diagrams, a permission matrix, and threat model notes are included to make the design legible, not just executable.

Ethereum works best when infrastructure explains itself.

Repository: github.com/codequill-clai…

If this is interesting to you, starring the repo and following along on GitHub is the best way to stay close to where the work happens. Much more coming soon.
Code Quill@CodeQuillClaim·
Supply chain attacks expose a deeper gap. We rely on dependency trees we don’t control, but we don’t preserve durable records of what source states and releases we actually depended on at a given moment. So after the incident, we reconstruct. We don’t reference. That distinction matters more as code generation accelerates.
Andrej Karpathy@karpathy·
Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords.

LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm.

Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks.

Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages.

Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
Daniel Hnyk@hnykda

LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM pypi release 1.82.8. It has been compromised, it contains litellm_init.pth with base64 encoded instructions to send all the credentials it can find to remote server + self-replicate. link below

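The posts above describe a `.pth` file carrying base64-encoded instructions that ran on install. As an added example (not part of the original posts, and not LiteLLM's or CodeQuill's code), this sketch audits a site-packages directory for `.pth` lines that Python's `site` module would execute at interpreter startup; the token list, severity labels and sample file names are assumptions of the example.

```python
import re
import tempfile
from pathlib import Path

# Heuristic token list (an assumption of this example, not a full signature set):
# none of these belong in a file whose job is to list import paths.
SUSPICIOUS = re.compile(
    r"\b(base64|exec|eval|compile|subprocess|os\.system|urllib|socket|requests)\b"
)

def executable_lines(pth_file):
    """Yield (line_no, text) for the lines site.py would exec() at startup."""
    text = Path(pth_file).read_text(encoding="utf-8", errors="replace")
    for no, line in enumerate(text.splitlines(), 1):
        # site.py executes a .pth line that starts with "import" plus a space
        # or tab; any other non-comment line is only appended to sys.path.
        if line.startswith(("import ", "import\t")):
            yield no, line

def scan(site_dir):
    """Return one finding per executable line in the .pth files of site_dir."""
    findings = []
    # Only .pth files directly inside a site directory are processed by site.py.
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for no, line in executable_lines(pth):
            tokens = sorted(set(SUSPICIOUS.findall(line)))
            severity = "high" if tokens or len(line) > 200 else "review"
            findings.append({"file": pth.name, "line": no,
                             "tokens": tokens, "severity": severity})
    return findings

def demo():
    """Scan a constructed site-packages directory (sample data, not real IoCs)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Plain path entry: added to sys.path, never executed.
        (root / "editable_pkg.pth").write_text("/opt/src/mypkg\n")
        # Executed line without suspicious tokens: flagged for review only.
        (root / "vendor_hook.pth").write_text("import os; marker = 'x'\n")
        # Constructed stand-in for an encoded loader; the payload is a placeholder.
        (root / "example_init.pth").write_text(
            'import base64; exec(base64.b64decode("Q09OU1RSVUNURUQ="))\n')
        return scan(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pointing `scan()` at each directory returned by `site.getsitepackages()` covers a real environment; a `review` finding is common for legitimate tooling, so triage by comparing against a known-good baseline.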
Code Quill@CodeQuillClaim·
Primitive VI - Asserting artifact lineage

Once a release is defined, another question follows: What artifacts are claimed to originate from it?

In CodeQuill, this is handled through attestations. An attestation records a statement made by an authority: that a given artifact claims lineage from a specific release.

It is a claim — not a proof. CodeQuill does not observe how the artifact was built. It does not guarantee build causality. Instead, it preserves the statement itself as evidence: who made the claim, what artifact was referenced, and which release it was associated with.

That distinction matters. Attestations allow lineage claims to be examined later — compared against preserved source states and evaluated in context, even if build systems, logs, or registries are no longer available.

They turn assumptions into explicit records. So trust can be reasoned about — not inferred.
Code Quill@CodeQuillClaim·
@Bookof_Eth We hope the EF will take notice of CodeQuill soon and what we are trying to achieve 🙏 we plan on releasing publicly very soon the whole smart contract architecture underneath CodeQuill and start the beta (free to use) for everyone willing to participate ❤️
The Book of Ethereum 📘 booe.eth
@CodeQuillClaim The EF just published their mandate onchain with a transaction hash you can verify. This is what CodeQuill is building toward - release intent as a verifiable primitive. Code + governance, recorded permanently. The timing couldn't be better.
Code Quill@CodeQuillClaim·
Primitive V — Release Intent

At some point, software moves from source code to release. A specific repository state is selected and declared as the version meant to ship, govern, or be referenced. Yet this moment — the intent to release — is rarely preserved explicitly.

In CodeQuill, this is where Releases come in. A Release is a deterministic, human-readable record linking a repository snapshot to an explicit release intent, recorded at a point in time under a specific authority. It is:
• evidence of selection
• evidence of intent to release
• evidence of coordination

A Release declares: this source state is what we intend to release. That declaration can come directly from the repository authority or through external governance — such as DAO voting or other approval processes.

This makes a release more than a technical event. It becomes a coordination point between code, governance, and infrastructure — a stable reference that other systems can rely on: governance decisions, ENS records, and downstream artifact attestations.

By making release intent explicit and durable, CodeQuill turns what is usually an implicit step into a verifiable record. Releases become the point where source code and governance meet.
Code Quill@CodeQuillClaim·
Primitive IV — Proving a file was included

Once a source state is preserved, a simple question often follows: Did a specific file actually exist in that state? This question appears during audits, after incidents, or when changes are disputed and trust becomes uncertain.

CodeQuill is designed to answer it without ambiguity. From a preserved source state, an authority can produce a proof that a specific file was included — not by assertion, but by reference to preserved evidence.

Producing the proof may require authority, because revealing it can disclose details. But verifying the proof does not. Once shared, anyone can independently verify it through cryptographic checks against the preserved record.

The proof answers a narrow question: Was this file part of the preserved source state at that moment? It does not interpret intent or justify behavior. But that narrow question matters. Because it moves discussions from speculation to verifiable fact.
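The file-inclusion proof described in the Primitive IV post, together with the "Merkle-rooted snapshots" mentioned earlier in the feed, can be illustrated with a generic Merkle tree over a file manifest. This is an added example, not CodeQuill's code or on-chain format: SHA-256, the leaf encoding, the odd-node rule and the sample files are all assumptions.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(path: str, content: bytes) -> bytes:
    # 0x00 prefix for leaves, 0x01 for interior nodes: an interior hash can
    # then never be presented as if it were a file entry.
    return h(b"\x00" + path.encode() + b"\x00" + h(content))

def node(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)

def snapshot(files: dict):
    """Return (sorted paths, tree levels, root) for a {path: bytes} manifest."""
    if not files:
        raise ValueError("empty snapshot")
    paths = sorted(files)  # deterministic leaf order
    levels = [[leaf(p, files[p]) for p in paths]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        # An unpaired last node is promoted unchanged rather than duplicated,
        # so two different manifests cannot share a root via a repeated leaf.
        levels.append([node(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return paths, levels, levels[-1][0]

def prove(paths, levels, path):
    """Producer side: sibling hashes from leaf to root (reveals no contents)."""
    index, proof = paths.index(path), []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append(("L" if sib < index else "R", level[sib]))
        index //= 2
    return proof

def verify(root: bytes, path: str, content: bytes, proof) -> bool:
    """Verifier side: needs only the file, the proof and the recorded root."""
    acc = leaf(path, content)
    for side, sibling in proof:
        acc = node(sibling, acc) if side == "L" else node(acc, sibling)
    return acc == root

# Constructed sample manifest (five files, so the odd-node rule is exercised).
SAMPLE = {"LICENSE": b"MIT", "README.md": b"# demo", "setup.cfg": b"[metadata]",
          "src/main.py": b"print('hi')", "src/util.py": b"X = 1"}

if __name__ == "__main__":
    paths, levels, root = snapshot(SAMPLE)
    proof = prove(paths, levels, "setup.cfg")
    print(root.hex(), verify(root, "setup.cfg", SAMPLE["setup.cfg"], proof))
```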