Cloudflare R2 Primer
Zero-egress object storage for Nimbus payloads, update manifests, and telemetry artifacts.
Why R2
R2 is Cloudflare's S3-compatible object store with zero egress fees. For a loader that ships signed payloads to thousands of endpoints, eliminating bandwidth cost is transformative. Buckets live on Cloudflare's edge network, so cold-start latency is negligible even for first-byte requests from regions far from your origin.
Bucket Layout
We recommend a single bucket with path-prefix partitioning:
nimbus-cdn/
├── payloads/
│   ├── stable/
│   ├── beta/
│   └── canary/
├── manifests/
│   └── update.json
└── telemetry/
    └── crashdumps/

Each payload variant is a Themida-wrapped PE signed with Ed25519. The manifest maps version → object key + expected hash so the loader can verify integrity before mapping.
Access Model
Public buckets with signed URLs are the simplest path. Generate presigned GET URLs server-side (Next.js API route or edge function) with a short TTL — 60 seconds is plenty for a loader that fetches immediately. Never embed long-lived tokens in the client binary.
For write operations (telemetry uploads), use a separate authenticated bucket with scoped API tokens. The loader never writes directly; it POSTs to your dashboard which proxies to R2 after validating the license session.
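The short-TTL presigned GET described above, as an added example (not code from the original page or the Nimbus project): a dependency-free SigV4 query-string signer for a Node server route. It assumes the object is fetched through R2's S3 API endpoint with region `auto`; the function name `presignGet`, the account ID and the credentials are placeholders.

```javascript
const crypto = require("node:crypto");

const hmac = (key, data) => crypto.createHmac("sha256", key).update(data).digest();
const sha256Hex = (data) => crypto.createHash("sha256").update(data).digest("hex");
// SigV4 wants RFC 3986 encoding; encodeURIComponent leaves !'()* unescaped.
const enc = (s) =>
  encodeURIComponent(s).replace(/[!'()*]/g, (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());

// Returns a presigned GET URL. ttlSeconds defaults to the 60 s the text recommends.
function presignGet({ host, path, region, accessKeyId, secretAccessKey, ttlSeconds = 60, now = new Date() }) {
  if (!Number.isInteger(ttlSeconds) || ttlSeconds < 1 || ttlSeconds > 604800) {
    throw new RangeError("ttlSeconds must be an integer in 1..604800");
  }
  const amzDate = now.toISOString().replace(/[-:]/g, "").replace(/\.\d{3}/, ""); // e.g. 20130524T000000Z
  const day = amzDate.slice(0, 8);
  const scope = `${day}/${region}/s3/aws4_request`;
  // Query parameters must be sorted by name; this literal order already is.
  const query = [
    ["X-Amz-Algorithm", "AWS4-HMAC-SHA256"],
    ["X-Amz-Credential", `${accessKeyId}/${scope}`],
    ["X-Amz-Date", amzDate],
    ["X-Amz-Expires", String(ttlSeconds)],
    ["X-Amz-SignedHeaders", "host"],
  ].map(([k, v]) => `${enc(k)}=${enc(v)}`).join("&");
  const canonicalPath = path.split("/").map(enc).join("/");
  const canonicalRequest =
    ["GET", canonicalPath, query, `host:${host}`, "", "host", "UNSIGNED-PAYLOAD"].join("\n");
  const stringToSign = ["AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest)].join("\n");
  // Derive the signing key: date -> region -> service -> "aws4_request".
  let key = "AWS4" + secretAccessKey;
  for (const part of [day, region, "s3", "aws4_request"]) key = hmac(key, part);
  const signature = hmac(key, stringToSign).toString("hex");
  return `https://${host}${canonicalPath}?${query}&X-Amz-Signature=${signature}`;
}

// Constructed demo values: placeholder account ID and credentials, not real ones.
const demoUrl = presignGet({
  host: "ACCOUNT_ID.r2.cloudflarestorage.com",
  path: "/nimbus-cdn/manifests/update.json",
  region: "auto",
  accessKeyId: "EXAMPLE_ACCESS_KEY_ID",
  secretAccessKey: "EXAMPLE_SECRET",
});
console.log(demoUrl);
```

The secret key stays on the server; only the resulting URL, which expires after `ttlSeconds`, is handed to the client.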
CORS & Custom Domains
Map a custom domain (cdn.getnimbus.net) to your R2 bucket via Cloudflare DNS. Enable CORS for your dashboard origin so the web UI can preview artifacts. A minimal CORS policy:
[
  {
    "AllowedOrigins": ["https://getnimbus.net"],
    "AllowedMethods": ["GET", "HEAD"],
    "AllowedHeaders": ["*"],
    "MaxAgeSeconds": 3600
  }
]

Loader Integration
The C++ loader fetches the manifest first, validates its Ed25519 signature against a baked-in public key, then requests the payload object. Both requests use WinHTTP with a 10-second timeout and exponential backoff on failure. The fetched PE is verified against the manifest hash before manual-map injection proceeds.
Next: Ed25519 signing pipeline — how payloads are signed before landing in R2.