Zero to a signed, verifiable receipt: the free MCP pre-flight check, the team dashboard, and how your client verifies what you hand them.
pre_flight_check runs inside your AI coding agent and verifies every dependency it invents against the live npm and PyPI registries — plus a secret and unsafe-pattern scan — before the code reaches a commit. No account, no credit card.
npx -y @graneth/mcp-server{
"mcpServers": {
"graneth": { "command": "npx", "args": ["-y", "@graneth/mcp-server"] }
}
}Add graneth to the mcpServers block of claude_desktop_config.json, then restart the app.
Settings → MCP → Add server, using the npx command above.
Point your MCP config at the same npx command — any MCP-compatible host works.
Every import is checked against the live npm/PyPI registry. Names that don't exist — or were registered days ago to catch an AI's guess — are flagged before install.
Shannon-entropy analysis plus provider formats (AWS, GitHub, Slack, OpenAI) catch embedded keys and tokens.
SQL string-concatenation, eval/exec, shell=True, disabled TLS, unsafe deserialization, and XSS sinks — the shortcuts assistants emit without sanitization.
Connect a GitHub repo and Graneth scans every pull request — SAST, reachability, and LLM triage — in shadow mode until you promote a policy to enforcement.
Author Rego/regex rules, dry-run them in Rego Studio, then enforce. Every decision is recorded, tamper-evident.
Each completed scan can mint an Ed25519-signed, public receipt — proof for a client that a specific delivery was checked.
A receipt is canonicalized and Ed25519-signed. Anyone can verify it against Graneth's published public key — no account, no taking our word for it.
A receipt proves the code was checked at a moment in time. It is not a warranty the code is safe, and not a CRA/NIS2 compliance certificate.
pre_flight_check and repository scanning are free and unlimited. Deep Scans (full LLM analysis) and Auto-Fix remediation PRs run on one-time credits that never expire.