Documentation

Graneth documentation

Zero to a signed, verifiable receipt: the free MCP pre-flight check, the team dashboard, and how your client verifies what you hand them.

Updated 2026-07

Quickstart — add the free pre-flight check

pre_flight_check runs inside your AI coding agent and verifies every dependency it invents against the live npm and PyPI registries — plus a secret and unsafe-pattern scan — before the code reaches a commit. No account, no credit card.

npx -y @graneth/mcp-server
claude_desktop_config.json
{
  "mcpServers": {
    "graneth": { "command": "npx", "args": ["-y", "@graneth/mcp-server"] }
  }
}

Claude Desktop / Claude Code

Add graneth to the mcpServers block of claude_desktop_config.json, then restart the app.

Cursor

Settings → MCP → Add server, using the npx command above.

Windsurf & other MCP hosts

Point your MCP config at the same npx command — any MCP-compatible host works.

What pre_flight_check inspects

Hallucinated & slopsquatted packages

Every import is checked against the live npm/PyPI registry. Names that don't exist — or were registered days ago to catch an AI's guess — are flagged before install.

Hardcoded secrets

Shannon-entropy analysis plus provider formats (AWS, GitHub, Slack, OpenAI) catch embedded keys and tokens.

Unsafe patterns

SQL string-concatenation, eval/exec, shell=True, disabled TLS, unsafe deserialization, and XSS sinks — the shortcuts assistants emit without sanitization.

The team dashboard

Per-PR scanning

Connect a GitHub repo and Graneth scans every pull request — SAST, reachability, and LLM triage — in shadow mode until you promote a policy to enforcement.

Policy as code

Author Rego/regex rules, dry-run them in Rego Studio, then enforce. Every decision is recorded, tamper-evident.

Signed receipts

Each completed scan can mint an Ed25519-signed, public receipt — proof for a client that a specific delivery was checked.

Verifying a receipt

Independent verification

A receipt is canonicalized and Ed25519-signed. Anyone can verify it against Graneth's published public key — no account, no taking our word for it.

What it proves — and doesn't

A receipt proves the code was checked at a moment in time. It is not a warranty the code is safe, and not a CRA/NIS2 compliance certificate.

Credits

pre_flight_check and repository scanning are free and unlimited. Deep Scans (full LLM analysis) and Auto-Fix remediation PRs run on one-time credits that never expire.

Keep reading

Detection benchmark

The 135-package methodology behind the 100% recall / 100% precision claim.

Trust & security

How your code and data are handled — and what never leaves your machine.

CRA & NIS2 guide

What the EU regulations mean for agencies shipping AI-generated code.

Changelog

What shipped recently.