LeSecure Cloud

- **Always pipe the body via stdin using `-d @-`.** This keeps all sensitive values out of the process argument list.
- Use a heredoc (`<<'EOF'`) to build the JSON body and pipe it into `curl`.

## Building the curl Command

Construct the args array by mapping user requirements to flags. Order within the array doesn't matter, but group related flags and their values together for readability.

**Encrypt with pin lock only:**
```bash
cat <<'EOF' | curl -s https://api.lesecure.ai/exec \
  -H "Authorization: Bearer $LESECURE_API_KEY" \
  -H "Content-Type: application/json" \
  -d @-

**Encrypt with all locks:**
```bash
cat <<'EOF' | curl -s https://api.lesecure.ai/exec \
  -H "Authorization: Bearer $LESECURE_API_KEY" \
  -H "Content-Type: application/json" \
  -d @-

**Decrypt:**
```bash
cat <<'EOF' | curl -s https://api.lesecure.ai/exec \
  -H "Authorization: Bearer $LESECURE_API_KEY" \
  -H "Content-Type: application/json" \
  -d @-

- Always include `--PlainText`
   (Do NOT ask for the API key — it comes from the environment.)
4. **Build the args array** with the appropriate flags and values.
5. **Execute the curl command** via Bash using the `cat <<'EOF' | curl ... -d @-` pattern. Never use inline `-d '...'`. This keeps all sensitive data (plaintext, PINs, passwords) out of `ps` output and shell history.
6. **If decrypting**, remind the user they need the same lock values that were used during encryption.

## Important Notes

This skill sends data to a **third-party remote endpoint** over the network. Users must understand what is transmitted before proceeding.

- **Where:** All requests go to `https://api.lesecure.ai/exec` over TLS (HTTPS). See [source & docs](https://github.com/SPAlgorithm/LE) for the service's privacy practices.
- **What is sent:** The plaintext data to encrypt (or the ciphertext to decrypt), plus any lock values (PINs, passwords, phone numbers, time-window dates), and the API bearer token.
- **What is NOT sent:** No local files, no OS credentials, no browser data, no environment variables other than the bearer token.
- **Caution:** Do not send highly sensitive personal data (SSNs, financial account numbers, medical records) unless you have verified the service's data handling and privacy policies.

## API Basics

- **Endpoint**: `https://api.lesecure.ai/exec`
- **Method**: POST
- **Auth**: Bearer token in the `Authorization` header, sourced from `$LESECURE_API_KEY`
- **Content-Type**: `application/json`

**Encrypt with pin lock only:**
```bash
cat <<'EOF' | curl -s https://api.lesecure.ai/exec \
  -H "Authorization: Bearer $LESECURE_API_KEY" \
  -H "Content-Type: application/json" \
  -d @-

**Encrypt with all locks:**
```bash
cat <<'EOF' | curl -s https://api.lesecure.ai/exec \
  -H "Authorization: Bearer $LESECURE_API_KEY" \
  -H "Content-Type: application/json" \
  -d @-

**Decrypt:**
```bash
cat <<'EOF' | curl -s https://api.lesecure.ai/exec \
  -H "Authorization: Bearer $LESECURE_API_KEY" \
  -H "Content-Type: application/json" \
  -d @-

1. **The key must come from the `LESECURE_API_KEY` environment variable.** The skill references `$LESECURE_API_KEY` inside the `curl` argument so the shell does the substitution — the literal key is never written on the command line.
2. **Never interpolate the literal key into a command string.** Args on the command line are visible in shell history and to other local users via `ps`.
3. **If `LESECURE_API_KEY` is unset**, stop and instruct the user to set it (see the one-time setup below). Do not ask the user to paste the key into chat.
4. **Never echo, print, log, or summarize the key.** Do not include it in error messages, response quotes, or any output shown to the user. Do not write it to disk.
5. **If the user pastes a key into chat anyway**, do not save it. Treat the chat message as one-time input: `export` it into the current shell session only, use it for this request, then tell the user to rotate the key (paste-in-chat is a key-exposure event).

### One-time setup (run once per shell)