HBMHBM Rocket
HOW IT WORKS

One agent on your site. One control plane. Five jobs running continuously.

HBM Rocket runs on a hub and spoke model. Your sites stay yours. The control plane signs every request with HMAC and never serves visitor traffic. The agent does the optimization work locally, the cloud does the heavy compute.

01

Install the agent on every site

A small PHP plugin on each WordPress install. Mirrors HBM's existing security connector pattern. Activate, paste a per site secret, the heartbeat begins.

  • About 15 KB compressed
  • PHP 7.4 plus, WordPress 6.0 plus
  • WP-CLI native: wp hbm-rocket sync
02

Heartbeat every five minutes

The agent reports environment, version, and recent stats. The control plane updates the site row, opens or closes alerts, and decides what artifacts the agent needs.

  • HMAC SHA256 signed payload
  • Replay protected (300s window)
  • Auto upgrades flags from the dashboard
03

Workers run heavy compute

Lighthouse audits, Penthouse critical CSS, Coverage based unused CSS. Each job claims a Puppeteer pool, runs against the real site URL, writes artifacts.

  • BullMQ on Redis, retried with backoff
  • Idempotent: same input, same output
  • Concurrency tuned per host
04

Artifacts pushed back to the agent

On the next heartbeat, the agent pulls the active config bundle: critical CSS for each detected template, the JS delay list, preconnect hints, and feature flags.

  • Hash compared, only deltas applied
  • Stored in wp_options, served from PHP
  • Versioned and rollback safe
05

Audited again, alerts on regression

Nightly Lighthouse re run. Self heal kicks in if a metric drops past target. Alerts opened only if self heal fails twice in a row.

  • Audit history charted per site
  • CrUX RUM ingest when available
  • Email or Slack delivery
THE PIPELINE DIAGRAM

From content change to optimized cache, in under a minute.

STEP 1

Save post on origin

WordPress fires save_post.

STEP 2

Event sent to control plane

HMAC signed, queued for purge.

STEP 3

Purge graph executed

Post, taxonomy, home, feed, sitemap.

STEP 4

Cache warmup queued

Top URLs crawled in parallel.

STEP 5

Audit on next cycle

Score and CWV captured.

SECURITY MODEL

HMAC signed agents. No credentials shared. Per site rotation.

Per site HMAC secrets

Each site has its own 64 character hex secret used to sign every request. Rotate from the dashboard with one click. The new secret is propagated on next heartbeat.

Replay protection

Every signed request includes a unix timestamp. We reject anything outside a 300 second window. The signature covers the timestamp so it cannot be reused.

Read only by default

The agent never writes to your filesystem outside its own option keys. It never inspects user data. It never proxies visitor traffic. The control plane never logs in.

TRY IT LOCALLY FIRST

Self host the entire stack.

The Enterprise tier ships the same Node services we run, the same Postgres schema, the same Redis queues, and the same WordPress agent. Run it in your data center, your data never leaves.

Talk to us

Ready to put a Rocket on your stack?

HBM Rocket - Continuous speed optimization for WordPress