cli/README.md

# hemmelig

CLI and library for creating encrypted, self-destructing secrets via [Hemmelig](https://hemmelig.app).

```
 _   _                               _ _
| | | | ___ _ __ ___  _ __ ___   ___| (_) __ _
| |_| |/ _ \ '_ ` _ \| '_ ` _ \ / _ \ | |/ _` |
|  _  |  __/ | | | | | | | | | |  __/ | | (_| |
|_| |_|\___|_| |_| |_|_| |_| |_|\___|_|_|\__, |
                                         |___/
```

## Features

- **Client-side AES-256-GCM encryption** - Your secrets are encrypted before leaving your machine
- **Zero-knowledge** - The server never sees your plaintext secrets
- **Self-destructing** - Secrets auto-delete after views or expiration
- **Password protection** - Optional additional security layer
- **Works with any Hemmelig instance** - Use hemmelig.app or self-hosted

## Installation

```bash
npm install -g hemmelig
```

Or use with npx:

```bash
npx hemmelig "my secret"
```

## CLI Usage

```bash
# Create a simple secret
hemmelig "my secret message"

# With a title and custom expiration
hemmelig "API key: sk-1234" -t "Production API Key" -e 7d

# Password protected
hemmelig "sensitive data" -p "mypassword"

# Multiple views allowed
hemmelig "shared config" -v 5

# Pipe from stdin
cat config.json | hemmelig -t "Config file"
echo "my secret" | hemmelig

# Use a self-hosted instance
hemmelig "internal secret" -u https://secrets.company.com
```

### Options

| Option                  | Description                                            |
| ----------------------- | ------------------------------------------------------ |
| `-t, --title <title>`   | Set a title for the secret                             |
| `-p, --password <pass>` | Protect with a password                                |
| `-e, --expires <time>`  | Expiration: 5m, 30m, 1h, 4h, 12h, 1d, 3d, 7d, 14d, 28d |
| `-v, --views <number>`  | Max views (1-9999, default: 1)                         |
| `-b, --burnable`        | Burn after first view (default)                        |
| `--no-burnable`         | Don't burn until all views used                        |
| `-u, --url <url>`       | Base URL (default: https://hemmelig.app)               |
| `-h, --help`            | Show help                                              |
| `--version`             | Show version                                           |

## Library Usage

```typescript
import { createSecret } from 'hemmelig';

const result = await createSecret({
    secret: 'my secret message',
    title: 'API Key',
    expiresIn: '1h',
    views: 1,
    burnable: true,
    baseUrl: 'https://hemmelig.app', // optional
});

console.log(result.url); // https://hemmelig.app/secret/abc123#decryptionKey=...
console.log(result.id); // abc123
```

### API

#### `createSecret(options: SecretOptions): Promise<CreateSecretResult>`

Creates an encrypted secret on a Hemmelig server.

**Options:**

| Property    | Type            | Default                  | Description                   |
| ----------- | --------------- | ------------------------ | ----------------------------- |
| `secret`    | `string`        | required                 | The secret content to encrypt |
| `title`     | `string`        | -                        | Optional title                |
| `password`  | `string`        | -                        | Password protection           |
| `expiresIn` | `ExpirationKey` | `'1d'`                   | Expiration time               |
| `views`     | `number`        | `1`                      | Max views (1-9999)            |
| `burnable`  | `boolean`       | `true`                   | Burn on first view            |
| `baseUrl`   | `string`        | `'https://hemmelig.app'` | Server URL                    |

**Returns:**

| Property    | Type     | Description                   |
| ----------- | -------- | ----------------------------- |
| `url`       | `string` | Full URL to access the secret |
| `id`        | `string` | The secret ID                 |
| `expiresIn` | `string` | The expiration time set       |

## CI/CD Integration

### GitHub Actions

```yaml
- name: Share deployment credentials
  run: |
      SECRET_URL=$(npx hemmelig "${{ secrets.DEPLOY_KEY }}" \
        -t "Deployment Key" \
        -e 1h)
      echo "Secret URL: $SECRET_URL"
```

### GitLab CI

```yaml
share-secret:
    script:
        - SECRET_URL=$(npx hemmelig "$DB_PASSWORD" -e 4h)
        - echo "Secret URL: $SECRET_URL"
```

## Security

- All encryption happens locally using AES-256-GCM
- Keys are derived using PBKDF2 with 600,000 iterations
- The decryption key is in the URL fragment (`#decryptionKey=...`), which is never sent to the server
- The server only stores encrypted data

## License

MIT
feat: rebrand Hemmelig to paste.es for cloudhost.es - Set Spanish as default language with ephemeral/encrypted privacy focus - Translate all user-facing strings and legal pages to Spanish - Replace Norwegian flag with Spanish flag in footer - Remove Hemmelig/terces.cloud links, add cloudhost.es sponsorship - Rewrite PrivacyPage: zero data collection, ephemeral design emphasis - Rewrite TermsPage: Spanish law, RGPD, paste.es/CloudHost.es references - Update PWA manifest, HTML meta tags, package.json branding - Rename webhook headers to X-Paste-Event / X-Paste-Signature - Update API docs title and contact to paste.es / cloudhost.es Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-24 09:30:19 +01:00			`# hemmelig`

			`CLI and library for creating encrypted, self-destructing secrets via [Hemmelig](https://hemmelig.app).`

			```
			`_ _ _ _`
			`\| \| \| \| ___ _ __ ___ _ __ ___ ___\| (_) __ _`
			\| \|_\| \|/ _ \ '_ ` _ \\| '_ ` _ \ / _ \ \| \|/ _` \|
			`\| _ \| __/ \| \| \| \| \| \| \| \| \| \| __/ \| \| (_\| \|`
			`\|_\| \|_\|\___\|_\| \|_\| \|_\|_\| \|_\| \|_\|\___\|_\|_\|\__, \|`
			`\|___/`
			```

			`## Features`

			`- Client-side AES-256-GCM encryption - Your secrets are encrypted before leaving your machine`
			`- Zero-knowledge - The server never sees your plaintext secrets`
			`- Self-destructing - Secrets auto-delete after views or expiration`
			`- Password protection - Optional additional security layer`
			`- Works with any Hemmelig instance - Use hemmelig.app or self-hosted`

			`## Installation`

			```bash
			`npm install -g hemmelig`
			```

			`Or use with npx:`

			```bash
			`npx hemmelig "my secret"`
			```

			`## CLI Usage`

			```bash
			`# Create a simple secret`
			`hemmelig "my secret message"`

			`# With a title and custom expiration`
			`hemmelig "API key: sk-1234" -t "Production API Key" -e 7d`

			`# Password protected`
			`hemmelig "sensitive data" -p "mypassword"`

			`# Multiple views allowed`
			`hemmelig "shared config" -v 5`

			`# Pipe from stdin`
			`cat config.json \| hemmelig -t "Config file"`
			`echo "my secret" \| hemmelig`

			`# Use a self-hosted instance`
			`hemmelig "internal secret" -u https://secrets.company.com`
			```

			`### Options`

			`\| Option \| Description \|`
			`\| ----------------------- \| ------------------------------------------------------ \|`
			\| `-t, --title <title>` \| Set a title for the secret \|
			\| `-p, --password <pass>` \| Protect with a password \|
			\| `-e, --expires <time>` \| Expiration: 5m, 30m, 1h, 4h, 12h, 1d, 3d, 7d, 14d, 28d \|
			\| `-v, --views <number>` \| Max views (1-9999, default: 1) \|
			\| `-b, --burnable` \| Burn after first view (default) \|
			\| `--no-burnable` \| Don't burn until all views used \|
			\| `-u, --url <url>` \| Base URL (default: https://hemmelig.app) \|
			\| `-h, --help` \| Show help \|
			\| `--version` \| Show version \|

			`## Library Usage`

			```typescript
			`import { createSecret } from 'hemmelig';`

			`const result = await createSecret({`
			`secret: 'my secret message',`
			`title: 'API Key',`
			`expiresIn: '1h',`
			`views: 1,`
			`burnable: true,`
			`baseUrl: 'https://hemmelig.app', // optional`
			`});`

			`console.log(result.url); // https://hemmelig.app/secret/abc123#decryptionKey=...`
			`console.log(result.id); // abc123`
			```

			`### API`

			#### `createSecret(options: SecretOptions): Promise<CreateSecretResult>`

			`Creates an encrypted secret on a Hemmelig server.`

			`Options:`

			`\| Property \| Type \| Default \| Description \|`
			`\| ----------- \| --------------- \| ------------------------ \| ----------------------------- \|`
			\| `secret` \| `string` \| required \| The secret content to encrypt \|
			\| `title` \| `string` \| - \| Optional title \|
			\| `password` \| `string` \| - \| Password protection \|
			\| `expiresIn` \| `ExpirationKey` \| `'1d'` \| Expiration time \|
			\| `views` \| `number` \| `1` \| Max views (1-9999) \|
			\| `burnable` \| `boolean` \| `true` \| Burn on first view \|
			\| `baseUrl` \| `string` \| `'https://hemmelig.app'` \| Server URL \|

			`Returns:`

			`\| Property \| Type \| Description \|`
			`\| ----------- \| -------- \| ----------------------------- \|`
			\| `url` \| `string` \| Full URL to access the secret \|
			\| `id` \| `string` \| The secret ID \|
			\| `expiresIn` \| `string` \| The expiration time set \|

			`## CI/CD Integration`

			`### GitHub Actions`

			```yaml
			`- name: Share deployment credentials`
			`run: \|`
			`SECRET_URL=$(npx hemmelig "${{ secrets.DEPLOY_KEY }}" \`
			`-t "Deployment Key" \`
			`-e 1h)`
			`echo "Secret URL: $SECRET_URL"`
			```

			`### GitLab CI`

			```yaml
			`share-secret:`
			`script:`
			`- SECRET_URL=$(npx hemmelig "$DB_PASSWORD" -e 4h)`
			`- echo "Secret URL: $SECRET_URL"`
			```

			`## Security`

			`- All encryption happens locally using AES-256-GCM`
			`- Keys are derived using PBKDF2 with 600,000 iterations`
			- The decryption key is in the URL fragment (`#decryptionKey=...`), which is never sent to the server
			`- The server only stores encrypted data`

			`## License`

			`MIT`