Documentation

Guides for protecting production JavaScript

Reference guides for release workflows, command-line usage, cross-file protections, and the desktop app.

Build And Release Workflows Download Desktop
Inside The Docs

Practical guides, not placeholder pages.

How-to guides Start with release sequencing and command-line usage, then move into feature-specific references.
Advanced protection Browse cross-file controls like Replace Globals and Protect Members when a build spans multiple scripts.

Scorecard

  • 2026-05-20
  • Procurement, security review, evaluation

A numbers-first summary of the JSO ecosystem and how it's tested. Where claims need verification, every entry links to the source of truth (npm package, CI template, doc page).

9
First-class language clients
Node, Python, Go, .NET, Ruby, PHP, Rust, Java, Kotlin
13
CI templates
GitHub, GitLab, Circle, Jenkins, Azure, Bitbucket, Drone, Buildkite, Woodpecker, Tekton, TeamCity, GoCD, Argo
8
Error-reporter integrations
Sentry, Bugsnag, Rollbar, Datadog, Honeybadger, Raygun, Airbrake, AppSignal
11
Build-tool plugin entrypoints
Vite, Webpack, Rspack, Rollup, esbuild, Next.js, Parcel, Metro/RN, Bun, Turbopack, Browserify/Gulp/Grunt
2
IDE plugin families
VS Code · JetBrains (WebStorm + IDEA Ultimate + 5 others)
4
Kubernetes-native deployment patterns
Standalone Job · Helm chart (Job/CronJob) · Tekton · Argo
240+
Locally-runnable + CI tests
152 Node CLI + 15 symbolicate + 8 Python + 8 .NET + 38 written for Go/Ruby/PHP/Rust/Java/Kotlin awaiting first per-language CI
3
Verify-chain gates
verify:ci (templates) · verify:polyglot (cross-client smoke) · schema cross-check

Supported runtime matrix

LanguageMin runtimeHTTP transportThird-party depsLocally verified
NodeNode 18fetchnone152 tests
PythonPython 3.8urllib (stdlib)none8 tests
GoGo 1.21net/http (stdlib)none8 tests, awaiting Go CI
.NET.NET Standard 2.0HttpClientSystem.Text.Json8 tests
RubyRuby 2.7net/http (stdlib)none8 tests, awaiting Ruby CI
PHPPHP 7.4ext-curl + stream fallbacknone8 tests, awaiting PHP CI
RustRust 1.70ureq (sync, rustls)serde_json, thiserror7 tests, awaiting Rust CI
JavaJDK 11java.net.httpJackson7 tests, awaiting Java CI
KotlinJDK 11java.net.httpkotlinx-serialization, kotlinx-coroutines7 tests, awaiting Kotlin CI

Security posture

  • Password hashing: PBKDF2-SHA256, 120k iterations (OWASP 2026 floor), 16-byte salt, 32-byte hash.
  • API-key passwords: MachineKey AES-CBC-encrypted at rest (auto-upgrades on first verify).
  • Admin password: PBKDF2 hash supported via JSOAdminPasswordHash; constant-time compare; cookie bound to UA+IP+XFF.
  • Recovery codes: HMAC-SHA256 with a per-deployment server secret; constant-time verify.
  • ESLint plugin: catches base-64-shaped JSO API tokens hardcoded in source. Auto-fixes to process.env.
  • pre-commit hooks: jso-release-check + jso-dry-run + jso-credential-leak scan, all run before each git commit.
  • Polymorphism evidence: every API response includes BuildId and PolymorphismFingerprint; two consecutive obfuscations of identical input MUST produce different fingerprints.
  • Symbolication privacy: identifier maps stay on the customer machine; stack traces are demangled locally by jso-symbolicate. No third-party symbolication service.
  • Beacon webhook security: jso-beacon-slack uses constant-time token comparison; opaque 200 on token mismatch denies probe signal.

Verifiability

Every claim on this page links to a source you can inspect without contacting JSO:

Procurement use: this page is designed to fit in a vendor-evaluation spreadsheet. Each tile is a number that maps to a known category and a known source. If your evaluation rubric needs a number we don't show, contact support — recipes get added based on what real evaluations ask for.