Curious if this is something NuCoder can do or if it's ever been placed on the roadmap.

If you could require that all scripts be encoded, that would shrink the attack surface for *FI vulnerabilities, I would think. For example, if someone were able to get code in an executable directory using some image hack (plus insufficient restriction of exe-able dirs), but the code were not encoded, it would not run.

I don't know where NuCoder hooks the PHP load/token/parsing/etc/ process but I am wondering if this can be done or thought about.

Thanks for this one.