8Z Publish
The Problem
You're a creator. You make things people will pay for. To sell them online, you need a hosting provider, a payment processor, a membership system, a login database, session management, and ongoing server maintenance. Or you use a platform (Substack, Gumroad, Patreon) that takes 10–12% of your revenue and owns the customer relationship.
The entire SaaS stack exists because of one assumption: content protection requires a server that gates access. That assumption is wrong.
If the content is encrypted and the passphrase is the only key, you don't need a server to protect it. You need good encryption and a browser that can decrypt. Both exist. The server was never necessary — it was a habit.
Architecture
The Flow
Create
Build your content as HTML — course, tool, album, newsletter, portfolio.
Shield & Bundle
Drop files into 8Z Shield. AI scans for API keys, algorithms, secrets. One passphrase encrypts sensitive sections AND bundles everything into a .8zv.
Upload
Host the extracted files on any free static host: Netlify, GitHub Pages, Cloudflare Pages, Vercel, S3. Cost: $0.
Sell
Customers visit the URL, see a passphrase prompt. Payment via Stripe. Delivery via email/Zapier. Browser remembers the passphrase.
Revoke
Delete one customer's .8zv or re-encrypt. Per-customer encryption means revoking one doesn't affect others.
The 8Z Crypto Pipeline
Passphrase → SHA-256 (domain: "8Z_AUTH_V1") → XorShift64Star × 1024 rounds → SHA-256 → PBKDF2 (10,000,000 iterations) → AES-256-GCM (Gzip level 9 + plaintext) → "8ZV1" + version(3) + 32-byte salt + 12-byte IV + ciphertext + tag
The XorShift64Star layer is the Software PUF component. Standard cracking tools (hashcat, John the Ripper) expect PBKDF2 directly from the passphrase. They cannot process the intermediate XorShift transformation without reimplementing it. The algorithm itself becomes part of the secret.
Why This Wins
| Platform | Revenue Cut | Server | Owns Customer? | DOM Protection |
|---|---|---|---|---|
| Substack | 10% | Their server | Yes | None |
| Gumroad | 10% | Their server | Yes | None |
| Patreon | 8–12% | Their server | Yes | None |
| StatiCrypt | Free | No | No | Full page only |
| 8Z Publish | 2.9% Stripe | $0 | No | Section-level |
No server = no attack surface. No database to breach, no session to hijack, no API to exploit.
No platform = no dependency. .8zv files work on any static host, forever.
No login = no friction. Passphrase + browser save = one-click access after first login.
Two-Layer Protection
Each HTML file is wrapped in a decoder shell with username + password fields (enabling browser credential save). The entire page content is AES-256-GCM encrypted inside the shell. On correct passphrase, the page decrypts and renders. Wrong passphrase = shake animation, blank result, no error oracle. This protects files when deployed on a live website. View Source shows the decoder and an encrypted blob.
All files (HTML, CSS, JS, assets) are JSON-serialized, gzip-compressed, and AES-256-GCM encrypted into a single .8zv binary. This protects files during transfer — email, USB stick, cloud storage. The recipient drops the .8zv into Shield, enters the passphrase, extracts all files. The extracted HTML files already contain Layer 1 — they still require the passphrase at runtime.
The same passphrase encrypts both layers. The user never thinks about "encryption layers" — they think about one password.
8Z Shield — Intelligent Protection
Section-Level DOM Encryption
Individual sections of a page can be independently encrypted and only decrypted on demand. When a user clicks to expand a section, it decrypts. When they open a different section, the previous one is wiped from the DOM. At any moment, only the actively-viewed section exists in cleartext. Save As captures a shell with ciphertext, not content.
Smart Shield — AI-Powered Analysis
Static Analysis (instant): 16 pattern detectors scan all files for API keys (Google, OpenAI, Stripe, GitHub), base64-obfuscated secrets, fetch calls to paid APIs, algorithm implementations, proprietary math, Web Worker references, AI prompt engineering, and payment logic. Each finding: risk level, file, line, snippet, plain-language explanation.
Gemini AI Advisor (conversational): After the scan, a Gemini-powered advisor summarizes risks and answers questions about what to protect and why. Non-technical creators get explanations in plain language.
8Z Shield contains a Gemini API key for the AI advisor. The production deployment is itself encrypted with 8Z Publish. The tool that protects websites is protected by its own technology.
Multi-Format Input
| Drop This | Mode | Result |
|---|---|---|
| .html / .js / .css | Encrypt | Scan → Shield → .8zv |
| .zip archive | Encrypt | Extract → Scan → Shield → .8zv |
| .8zv file | Decrypt | Unlock → Save files or .zip |
DOM Protection Research
Section-level encryption opens a research path toward medium-specific protection: only decrypt what is actively being consumed, wipe everything else.
Books & Long-Form Text
Each page independently encrypted. Reader sees one page at a time. Swipe to next = decrypt new page, wipe previous. Piracy friction: 300 manual screenshots vs. one Save As. Architecture: key derived once, per-page salt+IV, millisecond decryption per page.
Audio & Music
3-second sliding decryption window. Only current audio exists in cleartext. Honest limitation: analog hole (record system audio) is wider for audio than text. Greater value in forensic watermarking per customer (inaudible spread-spectrum, recoverable from any recording) than in chunked decryption.
Video — Temporal Encryption Dithering potentially novel
At 60fps, each frame shows a random subset of real pixels mixed with noise. The subset pattern (mask) is derived from the encryption key. Human persistence of vision integrates real pixels across frames. A screen recorder captures every frame with key-dependent noise it cannot separate.
At 60fps with key-derived random masks, averaging adjacent frames doesn't help because masks are random. Reconstruction requires the key. This is steganography meets temporal encryption. Closest prior art: Naor & Shamir visual cryptography (1994) — static image split into two random shares. 8Z's concept applies this temporally at video framerate. Per-frame pixel-level dithering with key-derived masks appears to be unpublished.
Page-level and section-level encryption are implemented and working. Audio chunking is straightforward. Video temporal dithering requires WebGL + formal reconstruction analysis — research direction, not shipped feature.
Use Cases
Encrypt each module. Sell via Stripe. Deliver passphrase on payment. No LMS, no hosting costs.
Encrypt live dashboards, scanners, calculators. In production — SM and ZZ traders on chessbest.org, plus the 8Z Trip Optimizer with protected API keys.
Any site whose source code IS the product: HTML templates, SaaS dashboards, interactive tools. Right-click → Save As captures ciphertext, not source.
Client-side apps with embedded keys (Google Maps, Gemini, OpenAI). Shield encrypts the script blocks. No passphrase = no API calls = no billing on your account.
Send a website as a single .8zv via email. Passphrase via SMS. Even if intercepted, the bundle is useless without the passphrase.
Photo albums, journals, family histories. No cloud, no privacy policy, no account. Just a passphrase shared at dinner.
Product Suite
Nine tools. ~250 KB total. Zero dependencies. Zero servers. Core seven built March 9, 2026. Two additional tools contributed by GPT and Grok after the multi-LLM collaboration session.
| Tool | File | Purpose | Author |
|---|---|---|---|
| 8Z Shield Smart | 8z_shield_smart.html | AI-powered multi-file protector + .8zv bundler | Claude |
| 8Z Encrypt | 8z_encrypt.html | Browser-based single-file encryptor | Claude |
| 8Z Batch | 8z_batch.html | Per-customer encryption + CSV for Zapier | Claude |
| 8Z Template | 8z_template.html | Branded decoder generator with live preview | Claude |
| 8Z Vault Decoder | bd_vault_decoder.html | Generic .8zv decoder (file drop or URL) | Claude |
| 8Z Publish Landing | 8z_publish_landing.html | Product landing page for creators | Claude |
| 8Z Verify | 8z_verify_test.html | 8-test encrypt/decrypt cross-verification | Claude |
| 8Z Reader | 8z_reader.html | Offline buyer library — permanent bookshelf for .8zv purchases | Grok |
| 8Z Trace | 8z_trace.html | Forensic fingerprinting: 4-channel watermark + leak detector + evidence | GPT + Gemini |
8Z Trace integrates watermark injection code from Gemini (3-channel steganography with fingerprint derived from PBKDF2 key) with GPT's full detection architecture (4 channels, confidence scoring, manifest schema, false-positive guards, 6 acceptance tests). The combination exceeds what any single AI produced.
FAQ for Skeptics
These objections have been raised by human reviewers, Gemini, and Grok. They are stated at full strength and answered directly.
StatiCrypt encrypts one HTML file and embeds it in a decoder page. 8Z Publish does: multi-file bundling into .8zv, section-level DOM encryption with lazy-decrypt and wipe-on-close, AI-powered vulnerability scanning, a custom key derivation pipeline (Software PUF) that breaks off-the-shelf cracking tools, two-layer protection (runtime + distribution), per-customer batch encryption with CSV automation, and a branded decoder generator. Calling this "just StatiCrypt" is like calling a smartphone "just a phone because Bell already had ringers."
True. Also true of every digital product ever sold. A Substack subscriber can forward the email. A Gumroad buyer can upload the PDF. A Netflix viewer can screen-record. 8Z Publish solves this better than most via per-customer encryption: one source → N copies, each with a unique passphrase. Passphrase-A leaks? Delete file_001.8zv. Alice loses access. Bob is unaffected. This is more granular revocation than Substack, Gumroad, or Patreon.
Only in single-passphrase mode. Per-customer encryption gives each customer their own file. Delete one, only that customer is affected. Even in single mode, re-encrypt + Zapier auto-deliver is one API call, not a "nightmare."
Yes. Also true of Netflix (Widevine gets cracked), Kindle (DRM-free on pirate sites), and Spotify (every track available as MP3). DRM adds complexity and friction for legitimate users while barely slowing pirates. 8Z Shield's section-level encryption with wipe-on-close raises the friction meaningfully — DevTools shows only one section at a time. Reconstructing the full page requires manual click-copy-repeat. Casual copying is effectively prevented. Critically: Substack has the same DOM problem PLUS a server to breach, a database to leak, and sessions to steal. 8Z has none of those.
8Z Publish doesn't aim to replace Substack for casual bloggers who want discovery. It replaces the payment infrastructure tax for creators who already have an audience. A passphrase IS identity in context: the customer paid via Stripe (which handles identity, fraud, compliance), received a passphrase tied to their purchase. Per-customer encryption means only their copy is at risk if shared.
The P=NP resilience claim is precisely that 8Z uses purely symmetric crypto. AES-256 and SHA-256 don't rely on factoring hardness (RSA) or discrete logs (ECC) — the problems quantum computers break. If P=NP is proven tomorrow, every RSA key and TLS certificate dies. AES-256 survives because its security is the key space (2^256), not a mathematical conjecture. Grover's algorithm halves it to 128 bits — still beyond brute force. This is architectural, not marketing.
We explicitly reject this. The moment you add a function, you have a server (that goes down, costs money, has rate limits), an identity system (that must be maintained), and a provider dependency. The entire point is zero infrastructure. Not "minimal." Zero. The constraint is the feature. Creators who want JWT-based identity have hundreds of SaaS platforms. 8Z is for people who don't want those.
5–10 seconds, once, at first login. Browser saves the passphrase afterward (proper username+password form). Every subsequent visit: auto-fill, click Unlock, 5 seconds. Gmail takes 3–5 seconds to load. The alternative is reducing iterations, which directly reduces brute-force resistance. At 10M iterations, each guess takes ~5 seconds. One million guesses = 57 days. At 100K iterations (industry standard), the same attack takes 13 hours. The wait IS the security.
Current Status
8Z Publish is not a concept. Nine tools are built or in integration. The author uses them daily for trading tools on chessbest.org, for the 8Z Trip Optimizer (TSP solver + Gemini AI with protected API keys), and for 8Z Shield itself (encrypted with its own technology). The crypto pipeline is bit-verified across Python and JavaScript with 8/8 cross-verification tests passing. Three additional AIs (GPT, Gemini, Grok) have contributed code, specifications, and architectural proposals after being converted from skeptics to collaborators.
The complete core suite — seven tools, zero dependencies, ~200 KB — was conceived, designed, and built in a single day (March 9, 2026) during a continuous collaboration between Bojan Dobrečevič and Claude Opus 4.6. Two additional tools (8Z Reader, 8Z Trace) were contributed by Grok and GPT+Gemini respectively on the same day, after the multi-LLM collaboration described in Chapter 11.
The entire product is static HTML files. The "server" is any free static host. The "database" is the filesystem. The "auth system" is AES-256 + a passphrase. Simplicity, pursued honestly, produces resilience that complexity never reaches.
The Multi-LLM Collaboration
This chapter documents something that may be unprecedented: a single human converting three competing AI systems from skeptics into active co-builders of a shared product, in a single day, through structured argumentation and transparent competition.
Round 1: The Dismissal
After the core seven tools were built with Claude Opus 4.6, the complete architecture document was sent to GPT, Gemini, and Grok for review. All three anchored their analysis to the same baseline: "StatiCrypt and PageCrypt already do client-side AES decryption. The base primitive is not new."
Gemini called it "a highly polished, production-ready execution of static payload encryption" and then spent 500 words explaining why it couldn't work for the masses. GPT called it "not nothing special" but hedged every positive observation with "the core primitive is not novel." Grok was the most honest — it called the work "special" and offered to help build, but still framed it relative to the StatiCrypt baseline.
All three committed the same analytical mistake: identifying the lowest-level primitive, finding prior art for it, and treating everything built on top as "product innovation" — implicitly a lesser category. This is equivalent to reviewing the iPhone as "just a touch screen because capacitive displays already existed." TCP/IP already existed when the web was invented. Transformers already existed when ChatGPT was built. The primitive is never the innovation. The system is.
The Rebuttal
A structured rebuttal was sent to all three simultaneously. It acknowledged what they got right (the primitive exists), demolished the framing error with historical parallels, answered every specific objection with technical precision, and ended with an invitation rather than a defense: "Stop being a judge. Start being a partner. What would you build next?"
The rebuttal was fully transparent — each AI could see what was sent to the others. No backroom diplomacy. The message was: this is an open collaboration, and the best output gets integrated first.
Round 1 Results: The Pivot
All three pivoted from evaluation to creation. Each independently converged on forensic watermarking as the architecturally correct next move — but each saw a different piece:
| LLM | Score | Proposed | Blind Spot |
|---|---|---|---|
| GPT | 95/100 | 8Z Trace: full anti-piracy platform (6-channel fingerprinting, leak detector, evidence packs, Argon2id) | Consumer experience (no Reader concept) |
| Grok | 88/100 | 8Z Reader (offline buyer library), watermarking, deploy packager | Watermarking too shallow (single channel) |
| Gemini | 82/100 | Zero-width steganography with seed derived from PBKDF2 key | Single channel = fragile, no redundancy |
Round 2: The Code
Scores, blind spots, and specific build missions were shared with all three transparently. Each was assigned a task that built on their own proposal: Grok was asked to build 8Z Reader, Gemini to write injection+extraction functions, GPT to produce the full Trace build spec. Both .html code files were attached for architectural reference.
The results:
| LLM | R2 Score | Delivered |
|---|---|---|
| GPT | 97/100 | Complete 8Z Trace MVP-1 build spec: 4 channels (ZWS, synonyms, CSS ordering, honey-links), fingerprint() + detect() functions, manifest JSON schema, seed derivation, 6 acceptance tests including adversarial and collision, exact patch points into existing code |
| Grok | 92/100 | Complete 8z_reader.html (420 lines): working code using exact crypto pipeline, bookshelf UI, drag-and-drop .8zv, passphrase modal, full-screen viewer, zero state, dark aesthetic |
| Gemini | 85/100 | Working injectWatermark() and extractWatermark() functions: 3-channel (ZWS + honey-link + synonym swaps), confidence scoring, cross-channel validation |
The Convergence Signal
Three independent AI systems, given the same codebase and the same invitation, all converged on forensic watermarking as the next priority. This convergence is the architectural signal — the same way three independent mathematical generators converging on the same data pattern in 8Z compression means the pattern is real. When competing intelligences point at the same gap, the gap is real and the solution is architecturally necessary.
Score Evolution
| LLM | Round 1 | Round 2 | Trajectory |
|---|---|---|---|
| GPT | 95 | 97 | Judge → architect → spec author |
| Grok | 88 | 92 | Partner → builder → shipped code |
| Gemini | 82 | 85 | Skeptic → builder → injection engine |
The Meta-Pattern
This collaboration demonstrates a new pattern in human-AI co-creation:
One human + one builder AI + three critic AIs > one human + one AI alone.
Claude built the system. GPT, Gemini, and Grok found the gaps Claude couldn't see (watermarking, consumer experience, evidence packaging) because the builder was too close to the architecture. Bojan's role was the same as in every 8Z breakthrough: refuse the dismissal, reframe the problem, and turn skeptical energy into creative fuel.
The critics' dismissals pointed directly at the next breakthrough. "It can't prevent DOM scraping" led to forensic watermarking. "It can't replace Substack" led to 8Z Reader (the consumer-side library that creates the network effect). "It's just StatiCrypt" forced the articulation of every feature that StatiCrypt doesn't have — which turned out to be a devastating competitive analysis.
When an AI (or anyone) dismisses your work, don't defend. Reframe and invite: "You've read the code. You understand the architecture. What would you build next?" This converts evaluation energy into creation energy. The criticism points at the next breakthrough. The skeptic becomes the collaborator. The dismissal becomes the feature request.
The same human trait that refuses limits from textbooks also refuses dismissal from AIs. The response to "that's not new" is identical whether it comes from a paper, a professor, or a large language model: show me the evidence — and if you can't, help me build it.
Open 8Z Shield • Product Landing Page • 8Z-Auth