Under pure PHP we can use something like ioncube/else with obfuscation. Under pre-HHVM we can use already compiled code without sources. But under current HHVM can we somehow hide our sources?
@paulbliss:
You could compile a bytecode repository and run that, but it's not something that would be difficult to reverse engineer. ... There isn't any great documentation on building repos. The wrapper script in tools/hhvm_wrapper.php has some useful shortcuts, you can look at the help options. There really isn't a great option for obfuscation, but repo-authoritative is probably your best bet as it will do some optimizations on top of the bytecode.
@see https://github.com/facebook/hhvm/issues/4929#issuecomment-76751039
Ini settings for hhvm and its server: https://github.com/facebook/hhvm/wiki/INI-Settings
Complete shell that compiles, removes sources and runs from optimized repo: https://gist.github.com/garex/b0fa539903746e67ad6c
So as a workaround you can have compiled sources under root user but run hh server under www-data. So even if an attacker breaks in through the web -- they will not see sources there.
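One way to check that the workaround above holds on a deployed tree, as an added example (not code from the linked gist or from HHVM): it walks a directory and reports source files the server account could still read. It assumes plain Unix mode bits (no ACLs), that directories above the audited root are traversable, and that `.php`/`.hh` are the source extensions; the sample tree and the `site.hhbc` name are constructed.

```python
import os
import tempfile

SOURCE_EXTS = (".php", ".hh")  # assumption: what counts as source here

def access_class(st, uid, gids):
    """Return which mode-bit triplet applies to the account, and its bits."""
    if st.st_uid == uid:
        return "owner", (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return "group", (st.st_mode >> 3) & 7
    return "other", st.st_mode & 7

def exposed_sources(root, uid, gids):
    """Source files under root the account could read (mode bits only, no ACLs)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Without search (x) permission on a directory, nothing below it opens.
        if not access_class(os.stat(dirpath), uid, gids)[1] & 1:
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            cls, bits = access_class(os.stat(path), uid, gids)
            if name.endswith(SOURCE_EXTS) and bits & 4:
                found.append((os.path.relpath(path, root), cls))
    return sorted(found)

def build_constructed_tree():
    """Constructed sample deployment; file names and modes are made up."""
    root = tempfile.mkdtemp()
    layout = {"src/index.php": 0o644, "src/secret.php": 0o600,
              "locked/lib.hh": 0o644, "site.hhbc": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed\n")
        os.chmod(path, mode)
    for rel, mode in {"": 0o755, "src": 0o755, "locked": 0o700}.items():
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    import pwd, sys
    acct = pwd.getpwnam("www-data")  # account name taken from the page
    gids = set(os.getgrouplist(acct.pw_name, acct.pw_gid))
    for rel, cls in exposed_sources(sys.argv[1], acct.pw_uid, gids):
        print(f"readable by www-data via {cls} bits: {rel}")
```

Run it as root with the deployment directory as the only argument, so the walk itself is not blocked by the permissions it is auditing; an empty result means no source file is readable by the server account.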