vart-cli
v1.1.0
Published
vart - cli anti-alteration tool for text-based everything.
Maintainers
Readme
vart (cli)

vart (verify article) is a small command-line tool for creating encrypted identities and signing/verifying text articles inside the vart ecosystem. the project uses a hybrid model:
- private data (identities, private metadata) is encrypted with a master secret.
- public fingerprints and optional authority signatures are embedded so others can perform public verification without the master secret.
https://vart.vercel.app/
installation
install from npm (global):
npm install -g vart-cli
# or from source during development:
npm install -g .there's also a provided installer for unix-like systems:
./install-vart.shthe installer bootstraps a persisted master secret at ~/.vart_master_secret if none is provided. do not commit that file.
quick start
- initialize authority keys (optional, creates an authority keypair under
~/.vart/):
vart init- register an identity (interactive):
vart regor non-interactive:
vart reg --name "alice example" --email "[email protected]" --verify "https://example.com/alice.txt"- sign an article:
vart sign article.txt alice.vart- public verification (anyone, no master secret required):
vart verify-public alice.vart- full verification (requires master secret to decrypt identity details):
vart verify alice.vart- export a signed article's plaintext:
vart export article.vart [output.txt]- show info about a .vart file:
vart info file.vart- join an organization (writer + org .vart files):
vart join writer.vart org.vart- check trust via verification URLs embedded in an identity:
vart trust alice.vart- view local configuration status:
vart statusenvironment variables
recommended runtime configuration options:
MASTER_SECRET_HEX— preferred. a 64-char hex string representing the master secret. if provided, this is used instead of generating/persisting a file.MASTER_SECRET_FILE— optional path to persisted secret (default:~/.vart_master_secret).AUTHORITY_PUBLIC_KEY_PEM— optional. authority public key pem text (used for public verification).AUTHORITY_PRIVATE_KEY_PEM— optional. authority private key pem text (used to sign fingerprints at registration).AUTHORITY_NAME— optional friendly name for the authority (default:VART-Authority).
note: it's safer to store secrets in a secret manager (vault, aws secrets manager) and set MASTER_SECRET_HEX in the runtime environment.
file format (brief)
a .vart file is a json wrapper:
{
"type": "identity" | "signed_article",
"version": "1.0",
"data": "<encrypted-hex-string>",
"public": {
"authority": "<authority-name>",
"authorityPublicKey": "<pem or null>",
"fingerprint": "<sha256-hex>",
"authoritySignature": "<base64 or null>",
"signedAt": "<timestamp>"
}
}datais the ciphertext (aes-256-gcm hex format).public.fingerprintis the canonical sha256 fingerprint of the canonicalized identity (stable key ordering).authoritySignatureis present only if the identity was signed by the authority private key.
why authority signature can be null
if you see authoritySignature: null it means the identity was created without the authority private key available (or signing failed). public verification will not be possible until the signature is added.
options to fix:
- run
vart initto generate authority keys and re-register the identity withAUTHORITY_PRIVATE_KEY_PEMpresent; or - sign the existing
.vartfile in-place using your authority private key (there's a helper script in the repo examples, or you can call thesign-vart-file.jsapproach described in docs).
troubleshooting
- "authority signature is null": ensure
AUTHORITY_PRIVATE_KEY_PEMis present in the same shell and valid, or runvart initand re-register/sign the file. - "decryption failed": most likely wrong
MASTER_SECRET_HEXor different persisted secret. confirmMASTER_SECRET_HEXor the persisted file at~/.vart_master_secret. - fetch/trust checks timing out or failing: network fetches have a timeout and max size; ensure URLs are reachable and returning expected content.
contributing & tests
please add unit tests for:
- encrypt/decrypt round trips
- register -> verify-public -> verify (full)
- sign -> verify-article
setup ci to run tests and scan for accidental secrets (git-secrets or similar).
license
see LICENSE.md
