npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@gera-services/mcp-gera-verify

v1.2.1

Published

Gera Verify MCP server — "Proof-of-Real": let AI agents check if a UK business / food establishment / care provider is real and how trustworthy it is, using real verified FSA food-hygiene, CQC care-registry and Gera verified-provider data. Offline, source

Readme

Gera Verify MCP Server — "Proof-of-Real"

A Gera Systems product

An MCP server that lets any AI agent — Claude Desktop, ChatGPT with tools, Cursor, Windsurf, or any MCP client — answer "is this real / how trustworthy is this?" about a UK business, food establishment, or care provider, grounded in real verified data Gera already owns.

It is seeded with first- and third-party verified datasets that Gera already renders on its products:

| Signal | Source | Records (this snapshot) | |---|---|---| | Food-hygiene ratings | FSA Food Hygiene Rating Scheme (FHRS/FHIS) — as used by GeraEats | 10,266 establishments | | Care-provider registry | CQC (Care Quality Commission) — as used by GeraClinic | 5,411 providers | | Verified providers | Gera's own crawled verified-provider set | 25 providers | | Public doctor listings | Practo public profiles | 406 doctors |

Everything is offline. The data is a committed on-disk snapshot, so the server gives the same verified answer the Gera products give and runs anywhere with no backend, no network, no auth.

Honesty contract. Every signal is source-attributed with an as-of date. When a subject is not in our records, the tools say so plainly (not_in_our_records) — they never invent a rating or status. Signals we do not hold (e.g. CQC's categorical overall rating) are returned as "unknown", never guessed.

Tools

| Tool | What it does | |------|--------------| | check_business_trust | Flagship. Given a business name (+ optional city/postcode/type), returns every real verified signal Gera holds — FSA hygiene rating, CQC registration, Gera verified-provider presence — each source-attributed. Returns overall_verification = verified or not_in_our_records. | | lookup_food_hygiene | Real FSA food-hygiene rating for a UK food business: FHRS 0–5 (England/Wales/NI) or FHIS Pass/Improvement-Required (Scotland), with establishment, business type, local authority, and rating date. | | lookup_care_rating | Confirms a UK care/health provider is in the CQC registry; returns registered name, address, service types, last-inspection date, region, and a link to the live CQC profile. CQC's overall rating is categorical (Outstanding/Good/Requires improvement/Inadequate) and not in this snapshot, so it is honestly returned as unknown with a live link. | | verify_provider | Checks Gera's own crawled verified-provider / Passport set; returns type, specialty, location, website, crawl source + date. | | get_trust_summary | Aggregates the above into a short, citation-ready sentence (plus structured signals) for an agent to quote a grounded "what we can verify about X" answer. | | issue_attestation | Gera Vouch. Runs the same real verification and returns a cryptographically signed (Ed25519) attestation receipt an agent can present to a counterparty (who verifies it with the public key). Verdict is pass (a strong, source-attributed verifying signal exists) or unverified (not in our records — never a guess). A signed proof-of-diligence receipt; indemnity/underwriting is roadmap and is never implied. | | get_vouch_public_key | Returns the Ed25519 public key + key_id + verification recipe so any party can independently verify an issue_attestation receipt without trusting the transport. | | issue_mandate | Gera Agent Mandate. A human/business grants an agent a scoped, revocable, Ed25519-signed spend mandate (cap, currency, merchant allowlist, categories, expiry). Pure authorization — no money moves. | | verify_mandate | Verify a mandate before honouring an action: checks signature, expiry, spend cap, and merchant/category scope against the intended action. Fails closed — forged/expired/over-cap/out-of-scope all return valid:false with reasons. | | issue_receipt | Gera Ledger. After an agent acts, mint a signed receipt of what happened — optionally linking the Vouch attestation + Agent Mandate it acted under. A verifiable proof-of-action (not a settlement). | | verify_receipt | Verify a receipt's Ed25519 signature against the Gera issuer key — confirms Gera recorded the action, unaltered. Fails closed. |

A typical agent flow: check_business_trust (or get_trust_summary) → drill into lookup_food_hygiene / lookup_care_rating / verify_provider for the source-attributed detail behind any signal → issue_attestation to get a signed receipt before the agent acts (book / pay / recommend).

Gera Vouch — signed attestations (the agent trust layer)

issue_attestation is the keystone of Gera Labs' agent-trust spine: AI agents can't be liable, so before an agent takes a real-world action it calls Vouch for a signed verdict it (and the counterparty) can verify. The signature covers the canonical (sorted-key UTF-8) JSON of the attestation object; verify with the key from get_vouch_public_key. Set GERA_VOUCH_SEED (base64, 32+ bytes) in production; without it a deterministic, stable dev key is used so signatures verify out-of-the-box (is_production_key flags which). Vouch only attests a pass on a strong name match (the record name contains the full query), stricter than the read-only lookup tools.

Install & run

# Run directly (no global install) once published to npm:
npx -y @gera-services/mcp-gera-verify

# Or from this repo:
cd packages/mcp-gera-verify
npm run build:data   # extract the real on-disk datasets -> src/data/*.json (committed)
npm run build        # tsc --noCheck -> dist/  + copy datasets to dist/data
node bin/cli.js      # starts on stdio

The datasets are committed (src/data/*.json), so you only need npm run build:data if you want to re-snapshot from the latest apps/*/src/data/*.generated.ts sources.

Client configuration

Claude Desktop / Claude Code (claude_desktop_config.json)

{
  "mcpServers": {
    "gera-verify": {
      "command": "npx",
      "args": ["-y", "@gera-services/mcp-gera-verify"]
    }
  }
}

Local (unpublished) variant — point at the built CLI:

{
  "mcpServers": {
    "gera-verify": {
      "command": "node",
      "args": ["/Users/armen/Gera/packages/mcp-gera-verify/bin/cli.js"]
    }
  }
}

Cursor / Windsurf (.cursor/mcp.json etc.)

{
  "mcpServers": {
    "gera-verify": {
      "command": "npx",
      "args": ["-y", "@gera-services/mcp-gera-verify"]
    }
  }
}

Hosted transport (Streamable HTTP / SSE — for ChatGPT Apps & remote MCP clients)

Live now: https://gera-verify-mcp-production.up.railway.app/mcp (POST JSON-RPC, Accept: application/json, text/event-stream; GET /healthok). All 7 tools — including the signed issue_attestation (Gera Vouch) — are callable over HTTP today, no install. A branded verify-mcp.gera.services domain is next.

The same seven tools are served over the MCP Streamable HTTP transport, so remote MCP clients and ChatGPT Apps can connect to a public URL instead of spawning a local stdio process. The HTTP server reuses the exact same tool handlers — it just swaps the transport.

cd packages/mcp-gera-verify
npm run build           # tsc --noCheck -> dist/ (builds both transports)
npm run start:http      # or: node bin/http.js
# -> listening on http://0.0.0.0:3400/mcp  (POST JSON-RPC; GET /health)

Endpoints:

| Method & path | Purpose | |---|---| | POST /mcp | MCP JSON-RPC (and SSE streaming). This is the MCP endpoint clients connect to. | | GET /health | Plain-text liveness probe (ok) — exempt, never gated. | | GET /mcp | 405 — stateless mode has no server-initiated stream to open. |

It runs stateless (a fresh server per request, no session id) — correct for a read-only, offline lookup service with no cross-call state, and safe to host behind a serverless function or a horizontally-scaled container.

Configure host/port via env vars: PORT (or MCP_HTTP_PORT, default 3400) and HOST (default 0.0.0.0).

Connecting a remote MCP client

{
  "mcpServers": {
    "gera-verify": {
      "type": "streamable-http",
      "url": "https://verify.gera.services/mcp"
    }
  }
}

For ChatGPT Apps / remote-MCP connectors, register the same https://verify.gera.services/mcp URL as the server endpoint. No auth is required — the lookups are read-only and offline.

Quick check once running: curl -s http://localhost:3400/healthok curl -s -X POST http://localhost:3400/mcp -H 'Content-Type: application/json' -H 'Accept: application/json, text/event-stream' -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

Verify it works

npm run build
node scripts/smoke.mjs

The smoke test speaks raw MCP JSON-RPC over stdio (initializetools/list → several tools/call against real records) and asserts the responses, including the honesty checks (a fake business → not_in_our_records; CQC categorical rating → unknown, never invented). Expected output ends with ALL SMOKE CHECKS PASSED.

Example

Ask your agent: "Is Etci Mehmet Steak House in Birmingham a real, hygienic restaurant?"

The agent calls check_business_trust / lookup_food_hygiene and gets back:

{
  "found": true,
  "best_match": {
    "establishment": "Etci Mehmet Steak House",
    "address": "Unit 16, Star City, Watson Road, Birmingham",
    "postcode": "B7 5SA",
    "businessType": "Restaurant/Cafe/Canteen",
    "localAuthority": "Birmingham",
    "scheme": "FHRS",
    "rating": 5,
    "rating_date": "2026-05-29",
    "source": "Source: FSA Food Hygiene Rating Scheme, local authority \"Birmingham\", as of 2026-06-12."
  }
}

Data & attribution

  • FSA FHRS/FHIS — Contains public sector information licensed under the Open Government Licence v3.0. https://ratings.food.gov.uk
  • CQC — Source: Care Quality Commission www.cqc.org.uk. Licensed under the Open Government Licence v3.0.
  • Gera verified-provider set — Gera's own supplier crawler.
  • Doctor listings — public Practo professional profiles.

Snapshots are extracted by scripts/build-data.mjs from the same on-disk *.generated.ts files that GeraEats and GeraClinic render — no data is invented; every record traces to a source row.

License

MIT © Gera Systems Ltd