🔒heresyour.site

/docs

Ship a link in one command.

/install

Run the CLI

Nothing to install — npx fetches and runs the latest version for you. Point it at the folder that holds your index.html. Needs Node 18.17+.

terminal
$ npx heresyour .
 live at  https://heresyour.site/brisk-otter-4f9c
 copied to your clipboard

Prefer it always on hand?

Install it globally and drop the npx:

terminal
$ npm install -g heresyour
$ heresyour .   # same thing, no npx
/commands

Commands

Four commands do everything. The bare command publishes; the rest manage who you are.

heresyour [dir]Publish a folder (defaults to the current directory) and copy the link.
heresyour loginSign in through the browser. Saves a token to ~/.heresyour/config.json.
heresyour logoutForget the saved token on this machine.
heresyour whoamiShow which account you're signed in as.

Flags

--name, --slug <name>Ask for a specific link name, e.g. /q3-report. Pro
--entry <file.html>Choose which HTML file visitors land on — no index.html required. It's served as the landing page and stays reachable at its own name too.
--password <word>Lock the page behind one word. Visitors get a gate before it opens. Pro
--no-passwordRemove the password when updating a link.
--jsonPrint the result as JSON — for scripts and agents to parse.
-h, --helpShow help.
-v, --versionShow the installed version.

Examples

terminal
$ heresyour ./dist --name q3-report              # pick your own link name
$ heresyour . --entry q3_report_FINAL_v3.html    # choose the landing page
$ heresyour report.html --password swordfish     # lock it
$ heresyour . --json                             # machine-readable output

The index.html at the top level of what you upload becomes the page people land on. Got a single oddly-named file? Pass it directly — heresyour report.html — and it becomes the index. Uploading a whole folder where nothing's called index.html? Point at the landing page with --entryheresyour . --entry q3_report_FINAL_v3.html.

/update

Update a link in place

Fixed a typo, refreshed the numbers, got a new draft? Re-publish to the same name and the files swap in place — the link you already sent keeps working. No new URL, nothing to re-share.

terminal
$ heresyour . --name q3-report
 updated  https://heresyour.site/q3-report
 copied to your clipboard

Updating works on every plan — even a free, auto-generated name like /brisk-otter-4f9c. Custom new names are Pro, but re-publishing over a link you already own never is. Grab the name from your last publish (or the dashboard) and pass it with --name.

A password survives updates. Just refreshing the content? Don't re-send --password — the gate stays as-is. Change it by passing a new --password <word>, or take the lock off with --no-password.

Prefer clicking? In the dashboard, hit update on any link and drop the new version — same link, new files.

/auth

Signing in

You publish under your account so you can manage and delete links later. There are two ways in — one for people, one for machines.

Humans

Run heresyour login. Your browser opens, you approve, and the token is saved locally. That's it — every publish after that just works.

CI & agents (Claude Code, Codex)

Browser login can't run headless, so set an API key as an environment variable instead. Create one at the dashboard → API keys.

terminal
$ export HERESYOUR_TOKEN=hyk_your_key_here
$ heresyour . --json
{"slug":"brisk-otter-4f9c","url":"https://heresyour.site/brisk-otter-4f9c","is_protected":false}

Pointing at a different backend (like a local dev server)? Set HERESYOUR_API_BASE to its URL.

/skill

Add the skill to your agent

Install the skill and you never touch the CLI yourself. Say "ship it" or "send me a link" and your agent runs heresyour, reads back the URL, and (if you asked) sets a password. Pick your harness:

  1. 1

    Add the marketplace

    Inside Claude Code, register the heresyour plugin marketplace. One-time.

    claude code
    > /plugin marketplace add dschuler36/heresyour-plugin
  2. 2

    Install the skill

    Pull it in from the marketplace you just added.

    claude code
    > /plugin install heresyour@heresyour-marketplace
  3. 3

    Give it a token

    The agent needs an API key to publish on your behalf. Set HERESYOUR_TOKEN in the environment Claude Code runs in (see Signing in).

  4. 4

    Just ask

    Generate a report, then tell it what to do. The skill handles the rest.

    claude code
    > Ship this dashboard and give me a link — password-protect it.
    Claude runs: npx heresyour ./dashboard --name sales-dashboard --password swordfish --json
     https://heresyour.site/sales-dashboard  (password: swordfish)

Works the same in any agent that reads SKILL.md conventions. No token, no ship — the skill checks for HERESYOUR_TOKEN first and tells you if it's missing rather than failing silently. It's open source — browse or fork it at github.com/dschuler36/heresyour-plugin.

/security

Security, plainly

Here's exactly what happens to your files and how the protections work — no hand-waving. If any of this matters for what you're about to publish, read it first.

links are unlisted, not secretA plain link (like /brisk-otter-4f9c) is a random, unguessable name — but anyone who has the link can open the page. There's no login wall on a plain link. Don't rely on the URL being hard to guess to protect something sensitive; add a password instead.
everything over HTTPSThe CLI uploads over TLS, and every page is served over TLS. Nothing about your files travels in the clear.
passwords are hashed, never stored--password puts a one-word gate in front of a page. We never keep the word itself — only a PBKDF2-HMAC-SHA256 hash with a per-site random salt (100k iterations). The gate is checked at the edge; unlocking sets a short-lived signed cookie (24h) so we don't cache or expose the page. It's a shared-secret gate to keep unintended eyes out — good for a client draft, not a replacement for real per-person accounts on highly sensitive data.
your pages can't touch our sessionHosted pages are your own HTML and JavaScript, served from our domain. Each one is locked into a browser sandbox on its own isolated origin, so a page can't read your login cookie, your account, or any other user's page — even though it runs real scripts. Uploads also carry nosniff so the browser can't be tricked about a file's type.
API keys are hashed at restWe store only a SHA-256 hash of each key — the plaintext is shown once, at creation. The CLI keeps your token locally in ~/.heresyour/config.json. Revoke any key from the dashboard and it stops working immediately.
you can delete anythingDelete a site from the dashboard and its files are removed from storage. Because we host and serve your files, we're technically able to access their contents — so treat a published page like something on the open web, not a private vault.

Rule of thumb: a link is publishing, not private storage. Passwords keep casual viewers out; they don't make a page a secure document. If it's truly sensitive — credentials, PII, anything you'd regret leaking — don't put it in a page you're about to hand out as a link.