Security

BoltHash Security Whitepaper

Threat model, security architecture, and cryptographic design for Node.js source protection and software licensing.

Version: BoltHash 3.x
|
Coverage: CLI, Server, Bolt Dev, Bolt Client
|
View full docs →

Overview

BoltHash is a multi-layer protection system for Node.js applications. It combines source obfuscation, cryptographic integrity verification, license enforcement, and hardware-bound access control. This document describes the technical mechanisms behind each layer and their threat coverage.

Scope: This whitepaper covers the CLI (bolt protect, bolt start), the BoltHash server API, and the Bolt Dev / Bolt Client desktop applications.

Security Threat Model

BoltHash is designed to defend Node.js applications against three categories of threats:

Threat 1: Source Code Exfiltration

An attacker obtains your deployed application directory and reads your business logic, API secrets, or proprietary algorithms directly from JavaScript files.

BoltHash response: Multi-pass obfuscation with identifier renaming, control flow flattening, string encryption, and dead code injection makes the extracted code functionally unreadable.

Threat 2: License Bypass

An attacker modifies the license verification code to always return true, or shares one paid key across many deployments.

BoltHash response: License check logic is embedded inside the obfuscated bundle and cryptographically tied to the bundle's hash. Modifying the check changes the hash and fails integrity verification. Key sharing is detected via concurrent heartbeat monitoring.

Threat 3: Unauthorized Redistribution

A customer re-sells your software or deploys it on unapproved machines.

BoltHash response: Hardware fingerprinting binds a license to specific device(s). Deployment counts are enforced server-side. Keys can be revoked instantly.

Security Architecture

The diagram below illustrates the full protection pipeline — from the developer's bolt protect command through the BoltHash server to the customer's bolt start verification flow.

Developer Machine BoltHash Server Customer Machine source.js bolt protect ► Obfuscate source ► Compute SHA-256 hashes ► Embed license verifier ► HMAC-sign manifest ► Send hash to server HTTPS protected_output/ __bolt_manifest.json __bolt_premium_signature Project Ed25519 Key asymmetric signing Sign & Store Hash return signature License Verify API heartbeat + device check bolt start Verification Pipeline 1 Check hash vs manifest 2 Contact license server 3 Verify Ed25519 signature 4 Check HW fingerprint 5 Start heartbeat loop HTTPS verify Run Exit(1) ship / deploy

Cryptographic Design

SHA-256 Integrity Hashing

Every file in the protected output is hashed with SHA-256. The hashes are stored in __bolt_manifest.json. On startup, bolt start recomputes every hash and compares — any modification, even a single byte, fails the check.

HMAC Manifest Signing

The manifest is signed with an auto-generated HMAC secret stored in ~/.bolt/config.json. This prevents an attacker from modifying files AND regenerating the manifest. The secret is created on first bolt protect and reused automatically by bolt start.

Hardware Fingerprint

BoltHash collects a salted combination of: CPU model, MAC address (first NIC, salted), OS platform + architecture, and hostname. These are hashed with SHA-512 and stored server-side against the license key. Only the hash is transmitted — raw hardware data never leaves the machine.

Important: Hardware fingerprinting raises the cost of attack but is not unbreakable. A sophisticated attacker with kernel-level access can spoof hardware identifiers.

What BoltHash Protects — and What It Does Not

Protected against:

  • Casual source reading — obfuscation makes code practically unreadable
  • License key sharing — concurrent heartbeat monitoring detects multiple simultaneous uses
  • Cold redistribution — hardware fingerprint blocks running on unapproved machines
  • Post-deployment tampering — integrity hash fails at startup if any file was modified
  • Expired/revoked key usage — online license check rejects invalid keys in real time

Not protected against:

  • Determined reverse engineers — obfuscation adds cost, not mathematical impossibility
  • Full memory dumps at runtime — all JS code is eventually executed in V8 as plaintext
  • Node.js runtime modifications — a patched Node binary could bypass checks
Bottom line: BoltHash is a strong deterrent for the overwhelming majority of real-world threat scenarios against commercial software. It is not a substitute for contractual protection or for protecting truly sensitive secrets (use server-side APIs for those).
 Full Documentation  Download BoltHash