Kemforge

Kemforge is a modern, curl-compatible CLI tool for making web requests — built from the ground up with Post-Quantum Cryptography (PQC) support. It is the security-first successor to curl, designed to address the primary threat of the modern era: quantum attacks.

---

Table of Contents

• Why Kemforge?
• TLS Data & PQC Feedback
• Curl Feature Compatibility
• Usage Examples
• Installation
• Testing
• Sponsors
• License

---

Why Kemforge?

Traditional encryption algorithms (RSA, ECDH) that protect today's internet traffic are vulnerable to attacks by quantum computers. Adversaries are already harvesting encrypted data today with the intent to decrypt it once quantum computers become powerful enough — a strategy known as "Harvest Now, Decrypt Later".

Post-Quantum Cryptography (PQC) refers to cryptographic algorithms designed to be secure against both classical and quantum computers. Standards such as ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism, formerly known as CRYSTALS-Kyber) have been standardized by NIST to replace vulnerable key exchange mechanisms.

Kemforge makes PQC accessible and effortless:

• No dependency on system TLS libraries — Unlike curl, which relies on the installed version of Schannel (Windows), OpenSSL (Linux), or Secure Transport (macOS) for PQC support, Kemforge provides PQC out of the box on every platform, regardless of the underlying TLS library version.
• Automatic PQC detection — Every HTTPS request returns TLS metadata indicating whether PQC was used. If PQC is not negotiated, Kemforge warns you that the server is not protected against quantum attacks.
• Drop-in curl replacement — Kemforge supports all common curl features and flags, so you can switch seamlessly.

---

TLS Data & PQC Feedback

Every HTTPS request made with Kemforge outputs TLS Data to stderr, giving you immediate insight into the security of your connection:

* TLS DATA:
* TlsVersion: 1.3
* Cipher:     TLS_AES_128_GCM_SHA256
* KeyExchangeGroup: X25519MLKEM768
* This server supports post quantum cryptography so the server has protection against quantum attacks.

If the server does not support PQC, you will see a warning:

* TLS DATA:
* TlsVersion: 1.3
* Cipher:     TLS_AES_128_GCM_SHA256
* KeyExchangeGroup: X25519
* This server is not protected against quantum attacks as the key exchange group does not contain MLKEM.

Note: If PQC is not used, it is caused by the server's configuration — not Kemforge. Kemforge always negotiates PQC when the server supports it.

---

Curl Feature Compatibility

Kemforge supports all common curl features, including but not limited to:

Feature	Flags
GET / POST / PUT / PATCH / DELETE	-X, -d, --data-raw, --json
Custom headers	-H
File uploads (multipart)	-F
Follow redirects	-L, --max-redirs, --post301, --post302, --post303
Authentication	-u (Basic), --digest
Cookies	-b, -c (cookie jar)
TLS / SSL	-k (insecure), --cacert, --cert, --key, --pinnedpubkey
Proxy support	-x, --noproxy, --proxy-user
Output control	-o, -O, -i, -I, -s, -v, -w, -D
Transfer control	-C (resume), -r (range), --limit-rate, --compressed
Timeouts & retries	-m, --connect-timeout, --retry, --retry-delay
Parallel transfers	-Z
DNS & networking	--resolve, --doh-url, -4, -6, --unix-socket
Config files	-K
HTTP versions	--http1.1, HTTP/2 by default

For a complete specification with input/output examples, see CURL_FEATURES.md.

---

Usage Examples

Simple GET request

kemforge https://example.com

GET request with custom headers

kemforge -H "Authorization: Bearer mytoken" https://api.example.com/data

POST request with JSON data

kemforge --json '{"key": "value"}' https://api.example.com/items

POST request with form data

kemforge -d "user=admin&pass=secret" https://example.com/login

File upload

kemforge -F "file=@document.pdf" https://example.com/upload

Follow redirects with verbose output

kemforge -L -v https://example.com

HEAD request (show headers only)

kemforge -I https://www.google.com

Use a proxy

kemforge -x http://proxy:8080 https://example.com

Insecure mode (skip certificate verification)

kemforge -k https://self-signed.example.com

Save output to file

kemforge -o output.html https://example.com

Parallel transfers

kemforge -Z https://example.com https://example.org

Retry on failure

kemforge --retry 3 --retry-delay 2 https://flaky-api.example.com

---

Installation

Ubuntu / Debian

1. Install Go (if not already installed):

sudo apt update
sudo apt install -y golang-go

2. Ensure the Go bin directory is in your PATH:

echo 'export PATH="$PATH:$(go env GOBIN):$(go env GOPATH)/bin"' >> ~/.bashrc
source ~/.bashrc

3. Install kemforge:

go install github.com/ConnectingApps/kemforge@latest

macOS via go install

1. Install Go (if not already installed) using Homebrew:

brew install go

2. Ensure the Go bin directory is in your PATH:

echo 'export PATH="$PATH:$(go env GOBIN):$(go env GOPATH)/bin"' >> ~/.zshrc
source ~/.zshrc

3. Install kemforge:

go install github.com/ConnectingApps/kemforge@latest

macOS via Homebrew

Kemforge can be installed via Homebrew. Open Terminal and run:

brew tap ConnectingApps/kemforge
brew install kemforge

Kemforge works on both Apple Silicon (M1/M2/M3/M4) and Intel Macs.

Windows via go install

1. Install Go by downloading the installer from https://go.dev/dl/ and running it. The installer adds Go to your PATH automatically.

2. Ensure the Go bin directory is in your PATH. Open PowerShell and run:

$GoBin = go env GOBIN
$GoPath = go env GOPATH
$BinPath = if ($GoBin) { $GoBin } else { "$GoPath\bin" }
[Environment]::SetEnvironmentVariable("Path", $env:Path + ";$BinPath", "User")

Then restart your terminal for the change to take effect.

3. Install kemforge:

go install github.com/ConnectingApps/kemforge@latest

Windows via winget

Kemforge can be installed via winget. Open Terminal and run:

winget install ConnectingApps.Kemforge

After installation

Once installed, kemforge can be used just like curl:

kemforge -I https://www.google.com

Build from source

Requires Go 1.26.

git clone https://github.com/ConnectingApps/kemforge.git
cd kemforge
go build -v .

This produces the kemforge binary (or kemforge.exe on Windows).

---

Testing

Kemforge uses a two-stage testing strategy, as reflected in the CI/CD pipeline:

Stage 1: Verify the test infrastructure against curl

Before testing Kemforge itself, the test script and Python test server are validated against standard curl to ensure the test harness is correct:

# Create a Python virtual environment and install dependencies
python -m venv .venv
.venv/bin/pip install flask cryptography    # Linux/macOS
# .venv\Scripts\pip install flask cryptography  # Windows

# Run tests against curl to verify the test script and server
pwsh -File test_curl.ps1 curl

This step ensures that test_curl.ps1 (the PowerShell test runner) and test_server.py (the local Flask test server) work correctly — any failure here is a problem with the test infrastructure, not Kemforge.

Stage 2: Build and test Kemforge

Once the test infrastructure is verified, Kemforge is built and tested against the same test suite:

# Build
go build -v .

# Run the same test suite against the Kemforge binary
pwsh -File test_curl.ps1 ./kemforge          # Linux/macOS
# pwsh -File test_curl.ps1 ./kemforge.exe    # Windows

The test script starts a local Flask test server (test_server.py) automatically — no external services are required.

CI/CD Pipeline

The GitHub Actions pipeline (.github/workflows/go.yml) runs both stages across Ubuntu, Windows, and macOS to ensure cross-platform compatibility.

---

Sponsors

Kemforge is an open-source project that relies on community support. If you find Kemforge useful, please consider sponsoring us on Open Collective. Your sponsorship helps us maintain and improve the project — and as a sponsor, you can get your company logo featured right here on this README page.

---

License

See LICENSE for details.