ibm-hyper-protect · Sashwat-K · Feb 19, 2026 · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026
diff --git a/cmd/validateContract.go b/cmd/validateContract.go
@@ -36,13 +36,21 @@ var validateContractCmd = &cobra.Command{
 			log.Fatal(err)
 		}
 
-		contractData, err := common.ReadDataFromFile(contractPath)
-		if err != nil {
-			log.Fatal(err)
-		}
-
-		if !common.CheckFileFolderExists(contractPath) {
-			log.Fatal("The path to contract doesn't exist")
+		var contractData string
+		// Handle stdin input
+		if contractPath == "-" {
+			contractData, err = common.ReadDataFromStdin()
+			if err != nil {
+				log.Fatalf("unable to read input from standard input: %v", err)
+			}
+		} else {
+			if !common.CheckFileFolderExists(contractPath) {
+				log.Fatal("The path to contract doesn't exist")
+			}
+			contractData, err = common.ReadDataFromFile(contractPath)
+			if err != nil {
+				log.Fatal(err)
+			}
 		}
 
 		err = contract.HpcrVerifyContract(contractData, version)

diff --git a/cmd/validateEncryptionCertificate.go b/cmd/validateEncryptionCertificate.go
@@ -55,7 +55,7 @@ func init() {
 	requiredFlags := map[string]bool{
 		"in": true,
 	}
-	validateEncryptionCertificateCmd.PersistentFlags().String(validateEncryptionCertificate.InputFlagName, "", validateEncryptionCertificate.CertVersionFlagDescription)
+	validateEncryptionCertificateCmd.PersistentFlags().String(validateEncryptionCertificate.InputFlagName, "", validateEncryptionCertificate.InputFlagDescription)
 	common.SetCustomHelpTemplate(validateEncryptionCertificateCmd, requiredFlags)
 	common.SetCustomErrorTemplate(validateEncryptionCertificateCmd)
 }
diff --git a/cmd/validateNetwork.go b/cmd/validateNetwork.go
@@ -36,13 +36,21 @@ var validateNetworkConfigCmd = &cobra.Command{
 			log.Fatal(err)
 		}
 
-		if !common.CheckFileFolderExists(networkConfigPath) {
-			log.Fatal("The path to network-config doesn't exist")
-		}
+		var networkConfigData string
+		if networkConfigPath == "-" {
+			networkConfigData, err = common.ReadDataFromStdin()
+			if err != nil {
+				log.Fatalf("unable to read input from standard input: %v", err)
+			}
+		} else {
+			if !common.CheckFileFolderExists(networkConfigPath) {
+				log.Fatal("The path to network-config doesn't exist")
+			}
 
-		networkConfigData, err := common.ReadDataFromFile(networkConfigPath)
-		if err != nil {
-			log.Fatal(err)
+			networkConfigData, err = common.ReadDataFromFile(networkConfigPath)
+			if err != nil {
+				log.Fatal(err)
+			}
 		}
 
 		err = network.HpcrVerifyNetworkConfig(networkConfigData)

diff --git a/common/common.go b/common/common.go
@@ -49,6 +49,44 @@ func ReadDataFromFile(filePath string) (string, error) {
 	return string(content), nil
 }
 
+// ReadDataFromStdin - function to read data from stdin
+func ReadDataFromStdin() (string, error) {
+	content, err := io.ReadAll(os.Stdin)
+	if err != nil {
+		return "", fmt.Errorf("unable to read input from standard input: %w", err)
+	}
+	return string(content), nil
+}
+
+// IsStdinAvailable - function to check if stdin has data available (piped or redirected)
+func IsStdinAvailable() bool {
+	stat, err := os.Stdin.Stat()
+	if err != nil {
+		return false
+	}
+	// Check if stdin is a pipe or file (not a character device like terminal)
+	// This returns true when data is piped: echo "data" | command
+	// This returns false when running interactively in terminal
+	mode := stat.Mode()
+	return (mode&os.ModeCharDevice) == 0 && stat.Size() > 0
+}
+
+// ValidateStdinInput - function to validate stdin input conflicts
+// Returns error if there's a conflict between stdin and input parameter
+func ValidateStdinInput(cmd *cobra.Command, inputData string) {
+	// Check if "-" is specified but no stdin is available
+	if inputData == "-" && !IsStdinAvailable() {
+		err := fmt.Errorf("Error: '--in -' specified but no standard input data detected. Pipe data to standard input or use a file path instead")
+		SetMandatoryFlagError(cmd, err)
+	}
+
+	// Check if stdin has data when input data (not "-") is specified
+	if inputData != "-" && IsStdinAvailable() {
+		err := fmt.Errorf("Error: standard input data detected but --in specifies a file path '%s'. Use '--in -' to read from standard input or remove piped input to read from file", inputData)
+		SetMandatoryFlagError(cmd, err)
+	}
+}
+
 // WriteDataToFile - function to write data to file (create file if doesn't exists)
 func WriteDataToFile(filePath, data string) error {
 	DataFile, err := os.OpenFile(filePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)

diff --git a/docs/README.md b/docs/README.md
@@ -126,7 +126,7 @@ contract-cli base64 [flags]
 
 | Flag | Type | Required | Description |
 |------|------|----------|-------------|
-| `--in` | string | Yes | Input data to encode (text or JSON) |
+| `--in` | string | Yes | Input data to encode (text or JSON) (use '-' for standard input) |
 | `--format` | string | No | Input data format (text or json) |
 | `--out` | string | No | Path to save Base64 encoded output |
 | `-h, --help` | - | No | Display help information |
@@ -148,6 +148,11 @@ contract-cli base64 --in '{"type": "workload"}' --format json
 contract-cli base64 --in "Hello World" --format text --out encoded.txt
 ```
 
+**Using standard input (pipe input):**
+```bash
+echo "Hello World" | contract-cli base64 --in - --format text
+```
+
 ---
 
 ### base64-tgz
@@ -164,7 +169,7 @@ contract-cli base64-tgz [flags]
 
 | Flag | Type | Required | Description |
 |------|------|----------|-------------|
-| `--in` | string | Yes | Path to folder containing `docker-compose.yaml` or `pods.yaml` |
+| `--in` | string | Yes | Path to folder containing `docker-compose.yaml` or `pods.yaml` (use '-' for standard input) |
 | `--output` | string | No | Output type: `plain` or `encrypted` (default: `plain`) |
 | `--cert` | string | No | Path to encryption certificate (for encrypted output) |
 | `--os` | string | No | Target Hyper Protect platform: `hpvs`, `hpcr-rhvs`, or `hpcc-peerpod` (default: `hpvs`) |
@@ -212,6 +217,11 @@ contract-cli base64-tgz \
 contract-cli base64-tgz --in ./compose-folder --out archive.txt
 ```
 
+**Using standard input (pipe input):**
+```bash
+echo "pods-folder" | contract-cli base64-tgz --in -
+```
+
 ---
 
 ### decrypt-attestation
@@ -228,7 +238,7 @@ contract-cli decrypt-attestation [flags]
 
 | Flag | Type | Required | Description |
 |------|------|----------|-------------|
-| `--in` | string | Yes | Path to encrypted attestation file |
+| `--in` | string | Yes | Path to encrypted attestation file (use '-' for standard input) |
 | `--priv` | string | Yes | Path to private key used for decryption |
 | `--out` | string | No | Path to save decrypted attestation records |
 | `-h, --help` | - | No | Display help information |
@@ -250,6 +260,13 @@ contract-cli decrypt-attestation \
   --out decrypted-attestation.txt
 ```
 
+**Using standard input:**
+```bash
+cat se-checksums.txt.enc | contract-cli decrypt-attestation \
+  --in - \
+  --priv private.pem
+```
+
 ---
 
 ### download-certificate
@@ -312,7 +329,7 @@ contract-cli encrypt [flags]
 
 | Flag | Type | Required | Description |
 |------|------|----------|-------------|
-| `--in` | string | Yes | Path to unencrypted Hyper Protect contract YAML file |
+| `--in` | string | Yes | Path to unencrypted Hyper Protect contract YAML file (use '-' for standard input) |
 | `--priv` | string | No* | Path to private key for signing |
 | `--cert` | string | No | Path to encryption certificate (uses latest if not specified) |
 | `--os` | string | No | Target Hyper Protect platform: `hpvs`, `hpcr-rhvs`, or `hpcc-peerpod` (default: `hpvs`) |
@@ -379,6 +396,13 @@ contract-cli encrypt \
   --os hpcc-peerpod
 ```
 
+**Using standard input:**
+```bash
+echo "test-string" | contract-cli encrypt \
+  --in - \
+  --priv private.pem
+```
+
 ---
 
 ### encrypt-string
@@ -395,7 +419,7 @@ contract-cli encrypt-string [flags]
 
 | Flag | Type | Required | Description |
 |------|------|----------|-------------|
-| `--in` | string | Yes | String data to encrypt |
+| `--in` | string | Yes | String data to encrypt (use '-' for standard input) |
 | `--format` | string | No | Input data format (text or json) |
 | `--cert` | string | No | Path to encryption certificate (uses latest if not specified) |
 | `--os` | string | No | Target Hyper Protect platform: `hpvs`, `hpcr-rhvs`, or `hpcc-peerpod` (default: `hpvs`) |
@@ -430,6 +454,11 @@ contract-cli encrypt-string \
   --out encrypted-secret.txt
 ```
 
+**Using standard input:**
+```bash
+echo "my-secret-password" | contract-cli encrypt-string --in -
+```
+
 ---
 
 ### get-certificate
@@ -446,7 +475,7 @@ contract-cli get-certificate [flags]
 
 | Flag | Type | Required | Description |
 |------|------|----------|-------------|
-| `--in` | string | Yes | Path to download-certificate JSON output |
+| `--in` | string | Yes | Path to download-certificate JSON output (use '-' for standard input) |
 | `--version` | string | Yes | Certificate version to extract (e.g., 1.0.23) |
 | `--out` | string | No | Path to save extracted encryption certificate |
 | `-h, --help` | - | No | Display help information |
@@ -468,6 +497,11 @@ contract-cli get-certificate \
   --out cert-1.0.23.crt
 ```
 
+**Using standard input:**
+```bash
+cat "cert.json" | contract-cli get-certificate --in - --version 1.0.23
+```
+
 ---
 
 ### image
@@ -484,7 +518,7 @@ contract-cli image [flags]
 
 | Flag | Type | Required | Description |
 |------|------|----------|-------------|
-| `--in` | string | Yes | Path to IBM Cloud images JSON (from API, CLI, or Terraform) |
+| `--in` | string | Yes | Path to IBM Cloud images JSON (from API, CLI, or Terraform) (use '-' for standard input) |
 | `--version` | string | No | Specific HPCR version to retrieve (returns latest if not specified) |
 | `--format` | string | No | Output format for data (json, yaml, or text) |
 | `--out` | string | No | Path to save HPCR image details |
@@ -518,6 +552,12 @@ contract-cli image \
   --out hpcr-image.json
 ```
 
+**Using standard input:**
+```bash
+cat "ibm-cloud-images.json" | contract-cli image --in -
+```
+
+
 ---
 
 ### validate-contract
@@ -534,7 +574,7 @@ contract-cli validate-contract [flags]
 
 | Flag | Type | Required | Description |
 |------|------|----------|-------------|
-| `--in` | string | Yes | Path to unencrypted Hyper Protect contract YAML file |
+| `--in` | string | Yes | Path to unencrypted Hyper Protect contract YAML file (use '-' for standard input) |
 | `--os` | string | No | Target Hyper Protect platform: `hpvs`, `hpcr-rhvs`, or `hpcc-peerpod` (default: `hpvs`) |
 | `-h, --help` | - | No | Display help information |
 
@@ -555,6 +595,11 @@ contract-cli validate-contract --in contract.yaml --os hpcr-rhvs
 contract-cli validate-contract --in contract.yaml --os hpcc-peerpod
 ```
 
+**Using standard input:**
+```bash
+cat contract.yaml | contract-cli validate-contract --in - --os hpvs
+```
+
 ---
 
 ### validate-network
@@ -571,7 +616,7 @@ contract-cli validate-network [flags]
 
 | Flag | Type | Required | Description |
 |------|------|----------|-------------|
-| `--in` | string | Yes | Path to network-config YAML file |
+| `--in` | string | Yes | Path to network-config YAML file (use '-' for standard input) |
 | `-h, --help` | - | No | Display help information |
 
 #### Examples
@@ -581,6 +626,11 @@ contract-cli validate-network [flags]
 contract-cli validate-network --in network-config.yaml
 ```
 
+**Using standard input:**
+```bash
+cat network-config.yaml | contract-cli validate-network --in -
+```
+
 ---
 
 
@@ -598,16 +648,21 @@ contract-cli validate-encryption-certificate [flags]
 
 | Flag | Type | Required | Description |
 |------|------|----------|-------------|
-| `--in` | string | Yes | Path to encryption certificate file |
+| `--in` | string | Yes | Path to encryption certificate file (use '-' for standard input) |
 | `-h, --help` | - | No | Display help information |
 
 #### Examples
 
-**Validate encryption certifacte configuration:**
+**Validate encryption certificate configuration:**
 ```bash
 contract-cli validate-encryption-certificate --in encryption-cert.crt
 ```
 
+**Using standard input:**
+```bash
+cat encryption-cert.crt | contract-cli validate-encryption-certificate --in -
+```
+
 ---
 
 ### initdata
@@ -623,17 +678,22 @@ contract-cli initdata [flags]
 
 | Flag | Type | Required | Description |
 |------|------|----------|-------------|
-| `--in` | string | Yes | Path to signed & encrypted contract YAML file |
+| `--in` | string | Yes | Path to signed & encrypted contract YAML file (use '-' for standard input) |
 | `--out` | string | No | Path to store gzipped & encoded initdata value |
 | `-h, --help` | - | No | Display help information |
 
 #### Examples
 
-**Create Hpcc Initdata from signed & encrypted contract**
+**Create Hpcc Initdata from signed & encrypted contract:**
 ```bash
 contract-cli initdata --in signed_encrypted_contract.yaml
 ```
 
+**Using standard input:**
+```bash
+cat signed_encrypted_contract.yaml | contract-cli initdata --in -
+```
+
 ---
 
 ## Common Workflows