duncan n. ndegwa

Posted on • Originally published at devfortress.net

DevFortress Open Core is Live — Free Credential Isolation for Node.js

Last week we launched the DevFortress platform.

The most consistent response from developers: "I want to use this, but I cannot
justify a subscription right now."

That is a fair response. Today we publish the open-core edition.


What is free, permanently

Tier 1 local rule engine
SQLi, XSS, path traversal, rate limiting. Evaluation happens in under 1 millisecond.
Zero network calls. Your application does not need internet access for this to work.

Credential isolation
Real session tokens never leave your application boundary. If you connect to the
DevFortress platform, it receives only non-derivable aliases — never your real tokens.
Even a complete platform breach yields no usable credentials.
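One way such aliasing can work, as an added example that is not DevFortress SDK code: `AliasVault` and `buildPlatformEvent` are hypothetical names, and the design (a random alias held in an in-process map) is an assumption about what "non-derivable" means here.

```javascript
// Added illustration: NOT DevFortress SDK code. AliasVault and
// buildPlatformEvent are hypothetical names; the random-alias design is assumed.
const { randomBytes } = require('node:crypto');

class AliasVault {
  constructor() {
    this.byToken = new Map(); // real token -> alias (stays in this process)
    this.byAlias = new Map(); // alias -> real token (stays in this process)
  }

  // Stable alias per token. It is pure randomness, not a hash or encryption
  // of the token, so nothing outside this process can compute one from the other.
  aliasFor(token) {
    let alias = this.byToken.get(token);
    if (!alias) {
      alias = 'als_' + randomBytes(16).toString('hex');
      this.byToken.set(token, alias);
      this.byAlias.set(alias, token);
    }
    return alias;
  }

  // Only the application that owns the vault can map an alias back.
  resolve(alias) {
    return this.byAlias.get(alias) ?? null;
  }

  // Drop the mapping on logout or expiry; the alias becomes meaningless.
  revoke(alias) {
    const token = this.byAlias.get(alias);
    if (token === undefined) return false;
    this.byAlias.delete(alias);
    this.byToken.delete(token);
    return true;
  }
}

// Build the event that would leave the application boundary. The bearer
// token is read locally and replaced by its alias before serialization.
function buildPlatformEvent(vault, req, decision) {
  const header = req.headers.authorization || '';
  const token = header.replace(/^Bearer\s+/i, '').trim();
  return {
    ts: new Date().toISOString(),
    path: req.path,
    decision,
    sessionAlias: token ? vault.aliasFor(token) : null,
  };
}
```

A hash of the token would not meet the same bar: anyone holding a candidate token could recompute the hash and confirm a match, which a random alias does not allow.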

Agent scope enforcement
Define which tools your AI agents are permitted to call. Unsanctioned tool calls
are blocked before execution. This is the structural answer to prompt injection —
the injection string alone does not cause the damage; the unsanctioned tool
execution does.

Local ML inference (embedded, optional)
In-process threat scoring using an ONNX model. No network call required.
Bring your own model or rely on the built-in heuristic fallback.

Local audit trail
Every security decision is logged: timestamp, source, decision, score. JSON export.
Compliance-ready without sending data to any external service.


What is commercial

Cross-customer threat intelligence (B1), platform ML inference — cloud-scored
cross-customer model (B2), predictive attack trajectory (B12), cloud webhook
delivery, automated response, dashboard.

The dividing line: local security is free. Platform intelligence is commercial.


The license

BUSL-1.1. In plain language:

  • You can use it in your own applications, free.
  • You can read the source code and verify exactly what data it touches.
  • You cannot build a competing API security SaaS using our code.
  • Four years after each release, the code converts to Apache 2.0.

Security tools should be transparent about what they do.
That is why we publish the source.


Install

npm install devfortress-sdk@4.9.0

GitHub: github.com/duncan982/devfortress
Docs: devfortress.net/docs

Core credential isolation and threat response inventions are patent-pending.
KIPI KE/P/2026/005970–005973.
