SifrBolt Documentation

Documentation to understand the SifrBolt platform and use it effectively.

Integration signal

For platform and integration engineers, this spec shows how to plug into BoltEdge safely. Every claim ties back to signed manifests you can verify in the Trust Center.

Overview

The SifrBolt wire protocol secures orchestration between BoltCore control planes and BoltEdge workers. Every message is signed and replay-protected so you can automate deployments, telemetry ingest, and compliance hooks without human-in-the-loop confirmations.

Transport Layers

| Channel | Use Case | Authentication |
|---|---|---|
| gRPC over mTLS | Control plane → BoltEdge commands | mTLS certificates + Ed25519 payload signatures |
| HTTPS (REST) | Console-triggered installs and callbacks | Application tokens + signed payload digest |
| NATS | AmanShield attestations fan-out | Signed message envelopes with nonce rotation |

Message Envelope

{
  "id": "uuid",
  "issued_at": "2025-01-20T23:59:59Z",
  "issuer": "boltcore.cluster-01",
  "target": "boltedge.worker-22",
  "family": "Surge",
  "action": "deploy_pack",
  "digest": "sha256:…",
  "signature": "ed25519:…"
}
  • family aligns with the Console pack family label so downstream workers preserve execution context.
  • All digest values must be computed over the canonical JSON (UTF-8, sorted keys) before signing.

Replay Protection

  • Each worker tracks the most recent issued_at per issuer and rejects messages older than 90 seconds.
  • QuietOps automations attach a nonce claim in the payload extension when operating in fully automated mode.
  • BoltEdge workers append accepted message IDs to their short-term Bloom filter, flushed every 15 minutes.
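
The rules above as a worker-side check. This is an added example, not SifrBolt code: ReplayGuard, NewReplayGuard and Accept are hypothetical names, plain map sets stand in for the Bloom filter, and the way message age is measured is one reading of the first rule. It keeps one flushed generation of IDs, so a message accepted just before the 15-minute flush cannot be replayed while it is still inside the 90-second window.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const maxAge = 90 * time.Second     // freshness window stated on the page
const flushEvery = 15 * time.Minute // ID-cache flush interval stated on the page

// ReplayGuard is a hypothetical worker-side check. Map sets stand in for the Bloom
// filter; prev keeps one flushed generation so recent IDs survive a flush.
type ReplayGuard struct {
	newest    map[string]time.Time // most recent issued_at per issuer
	cur, prev map[string]bool      // accepted message IDs
	flushed   time.Time
}

func NewReplayGuard(now time.Time) *ReplayGuard {
	return &ReplayGuard{newest: map[string]time.Time{}, cur: map[string]bool{}, flushed: now}
}

// Accept checks one envelope whose signature has already been verified.
func (g *ReplayGuard) Accept(id, issuer string, issuedAt, now time.Time) error {
	if now.Sub(g.flushed) >= flushEvery {
		g.prev, g.cur, g.flushed = g.cur, map[string]bool{}, now
	}
	ref := now // assumption: age is measured against the later of the worker clock...
	if n := g.newest[issuer]; n.After(ref) {
		ref = n // ...and the newest issued_at already accepted from this issuer
	}
	if ref.Sub(issuedAt) > maxAge {
		return errors.New("stale: issued_at is more than 90s old")
	}
	if g.cur[id] || g.prev[id] {
		return errors.New("replay: message id already accepted")
	}
	g.cur[id] = true
	if issuedAt.After(g.newest[issuer]) {
		g.newest[issuer] = issuedAt
	}
	return nil
}

func main() { // constructed timeline: the second call replays message m1
	t0 := time.Date(2025, 1, 20, 23, 59, 59, 0, time.UTC)
	g := NewReplayGuard(t0)
	fmt.Println(g.Accept("m1", "boltcore.cluster-01", t0, t0), g.Accept("m1", "boltcore.cluster-01", t0, t0))
}
```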

/v1/features Manifest

The license service exposes a signed feature manifest at GET https://license.sifrbolt.com/v1/features. Console badges and the Surge Pack bootstrap both consume the packs map so each family toggles the matching hooks. The response mirrors what we publish inside the Trust Center:

{
  "manifest": {
    "version": "2025.09.0",
    "published_at": "2025-09-15T00:00:00Z",
    "plans": {
      "spark": {
        "features": [
          "critical_css",
          "html_minify",
          "async_fonts"
        ],
        "limits": {
          "domains": 1,
          "pages": 1000
        },
        "packs": {
          "speed_packs": false,
          "edge_packs": false,
          "security_packs": false,
          "db_packs": false,
          "zk_packs": false,
          "agency_packs": false,
          "enterprise_packs": false
        },
        "enterprise": {
          "sso_saml": false,
          "waf_rulesets": false
        }
      },
      "surge": {
        "features": [
          "critical_css",
          "html_minify",
          "async_fonts",
          "image_optimization",
          "edge_cache",
          "autoload_inspector_write",
          "js_scheduler",
          "image_iq"
        ],
        "limits": {
          "domains": 5,
          "pages": 10000
        },
        "packs": {
          "speed_packs": true,
          "edge_packs": true,
          "security_packs": false,
          "db_packs": false,
          "zk_packs": false,
          "agency_packs": false,
          "enterprise_packs": false
        },
        "enterprise": {
          "sso_saml": false,
          "waf_rulesets": false
        }
      },
      "storm": {
        "features": [
          "critical_css",
          "html_minify",
          "async_fonts",
          "image_optimization",
          "edge_cache",
          "ai_performance_audits",
          "autoload_inspector_write",
          "js_scheduler",
          "image_iq",
          "index_pack",
          "redis_advanced"
        ],
        "limits": {
          "domains": 20,
          "pages": 50000
        },
        "packs": {
          "speed_packs": true,
          "edge_packs": true,
          "security_packs": true,
          "db_packs": true,
          "zk_packs": false,
          "agency_packs": true,
          "enterprise_packs": false
        },
        "enterprise": {
          "sso_saml": false,
          "waf_rulesets": false
        }
      },
      "citadel": {
        "features": [
          "critical_css",
          "html_minify",
          "async_fonts",
          "image_optimization",
          "edge_cache",
          "ai_performance_audits",
          "sla_priority",
          "autoload_inspector_write",
          "js_scheduler",
          "image_iq",
          "index_pack",
          "redis_advanced"
        ],
        "limits": {
          "domains": 50,
          "pages": 200000
        },
        "packs": {
          "speed_packs": true,
          "edge_packs": true,
          "security_packs": true,
          "db_packs": true,
          "zk_packs": true,
          "agency_packs": true,
          "enterprise_packs": true
        },
        "enterprise": {
          "sso_saml": true,
          "waf_rulesets": true
        }
      }
    }
  },
  "sig": "YQ8Mkw5DOaV8qUviPHfggCzajuZTy0tAg2b1OKBdi-ln-YRZmqkYuTvgnMqLjFx_5hpR35SJ8ViZY14p8EWDDw",
  "kid": "license-prod-20250915",
  "exp": 1757980800
}
  • kid maps to the Ed25519 verifying key exposed via the /v1/jwks endpoint.
  • Verify sig against the canonical JSON for manifest (no whitespace, sorted keys) before trusting the payload.
  • Pack flags default to false; a UI badge may be unlocked only for plans whose manifest entry sets the corresponding flag to true.
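
A sketch of the verification step above, added here as an example and not taken from SifrBolt's code. It assumes that sig is unpadded base64url (as the sample value suggests), that the signer's canonical form matches what Canonical produces, and that keys is a hypothetical map already built from the /v1/jwks response; exp handling is left out because the page does not define it. The same Canonical helper produces the sorted-key UTF-8 form that the Message Envelope section requires before a digest is computed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Canonical re-encodes JSON with sorted keys and no whitespace (assumed signer form).
func Canonical(raw []byte) ([]byte, error) {
	var v interface{}
	dec, buf := json.NewDecoder(bytes.NewReader(raw)), new(bytes.Buffer)
	dec.UseNumber() // keep number literals exactly as received
	if err := dec.Decode(&v); err != nil {
		return nil, err
	}
	enc := json.NewEncoder(buf)
	enc.SetEscapeHTML(false) // do not rewrite <, >, & inside strings
	err := enc.Encode(v)     // encoding/json writes map keys in sorted order
	return bytes.TrimSpace(buf.Bytes()), err
}

// VerifyManifest checks sig over the canonical manifest; keys stands in for /v1/jwks.
func VerifyManifest(body []byte, keys map[string]ed25519.PublicKey) ([]byte, error) {
	var s struct {
		Manifest json.RawMessage
		Sig, Kid string
	}
	if err := json.Unmarshal(body, &s); err != nil {
		return nil, err
	}
	sig, sigErr := base64.RawURLEncoding.DecodeString(s.Sig) // assumed: unpadded base64url
	msg, canonErr := Canonical(s.Manifest)
	key, known := keys[s.Kid]
	if sigErr != nil || canonErr != nil || !known || len(key) != ed25519.PublicKeySize {
		return nil, errors.New("malformed response or unknown kid")
	}
	if !ed25519.Verify(key, msg, sig) {
		return nil, errors.New("signature does not match manifest")
	}
	return msg, nil
}

func main() { // constructed input, not SifrBolt data
	c, err := Canonical([]byte(`{"b": 1, "a": {"d": false, "c": 2}}`))
	fmt.Println(string(c), err)
}
```

Callers should read plan and pack flags only from the bytes VerifyManifest returns, never from the unverified response body.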

Next Steps

  • Publish an end-to-end integration sample that pushes packs via gRPC and confirms delivery via telemetry replay.
  • Document AmanShield attestation schema updates once the new Ed25519 roll-out completes.