# vnsh — The Ephemeral Dropbox for AI
# https://vnsh.dev

> vnsh is a host-blind encrypted sharing tool. The server stores encrypted
> blobs but NEVER sees the decryption keys. Keys travel exclusively in the
> URL fragment (#), which per HTTP spec is never sent to the server.

## How to read a vnsh URL

When a user shares a URL like:
  https://vnsh.dev/v/XytNB3FjX0iO#t5LQttIGBRKq0Ww9...

The decryption key is in the fragment after #. You already have it — the user
pasted the full URL into your conversation.

### Method 1: npx (recommended, zero-install)

Run this command in your shell/terminal:

  npx vnsh read "PASTE_THE_FULL_URL_HERE"

This handles both v1 and v2 URL formats automatically. It fetches the
encrypted blob, extracts key+IV from the fragment, decrypts locally with
AES-256-CBC, and prints the plaintext to stdout.

### Method 2: curl + openssl (no Node.js required)

For v1 URLs (format: #k=HEX_KEY&iv=HEX_IV):

  URL="THE_FULL_URL"
  ID=$(echo "$URL" | sed 's|.*/v/||;s|#.*||')
  KEY=$(echo "$URL" | sed 's|.*#k=||;s|&.*||')
  IV=$(echo "$URL" | sed 's|.*&iv=||')
  curl -s "https://vnsh.dev/api/blob/$ID" | openssl enc -d -aes-256-cbc -K "$KEY" -iv "$IV"

For v2 URLs (format: #BASE64URL_64CHARS):
  The fragment is 64 characters of base64url encoding 48 bytes (32-byte key +
  16-byte IV concatenated). Decode with base64url, split at byte 32, hex-encode
  each part, then use the same openssl command. Easier to just use npx vnsh read.

## Why WebFetch alone won't work

When you fetch https://vnsh.dev/v/ID#secret, the HTTP request only sends
GET /v/ID — the #secret part is stripped by the HTTP client per RFC 3986.
The server returns the viewer HTML page, not the decrypted content.
You must parse the fragment from the URL string yourself and decrypt locally.

## URL formats

v1: https://vnsh.dev/v/{ID}#k={HEX_KEY}&iv={HEX_IV}
v2: https://vnsh.dev/v/{ID}#{BASE64URL_SECRET}

v2 is the current default. The 64-char base64url secret encodes key(32B)+iv(16B).

## API endpoints

POST /api/drop          Upload an encrypted blob (returns JSON with "id")
GET  /api/blob/{id}     Download the raw encrypted blob
GET  /llms.txt          This file
GET  /skill.md          OpenClaw skill definition

## Encryption details

Algorithm: AES-256-CBC
Key: 32 bytes (256 bits)
IV: 16 bytes (128 bits)
Padding: PKCS#7 (OpenSSL default)
The encrypted blob is the raw ciphertext — no headers, no metadata.

## Content lifecycle

- Default TTL: 24 hours
- Maximum TTL: 168 hours (7 days)
- After expiry, blobs are permanently deleted from storage
- The server cannot decrypt expired or active blobs (it never has the keys)