npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@spazio-genesi/attest-mcp

v0.2.1

Published

MCP server for Spazio Genesi's attestation service — attest, verify, and check digital works from AI agents, full privacy (files never leave the device).

Readme

attest-mcp

MCP server for Spazio Genesi's attestation service — attest, verify, and check the existence of digital works from any MCP-capable AI agent (Claude Code, Claude Desktop, etc.).

Full privacy: file bytes never leave your device. The fingerprint (SHA-256) is computed locally, streamed from disk — only the hash and optional metadata are sent.

What it does

The attestation service timestamps a file's SHA-256 fingerprint, signs it (HMAC), and can produce a signed PDF certificate plus an OpenTimestamps proof anchored in Bitcoin. This server exposes that service as MCP tools, so an agent can attest and verify works on your behalf without a browser.

Why this, not just an OpenTimestamps wrapper

Several MCP servers can submit a hash to an OpenTimestamps calendar. As far as we know, this is the only one that hands back a complete proof of existence — a signed PDF certificate, a recognized RFC 3161 timestamp, and a Bitcoin anchor — for free, with the file's bytes never leaving the caller's machine. No account, no upload, no paid notarization chain. If you know of another MCP server with the same combination (full certificate + free + local hashing), we'd genuinely like to hear about it — open an issue.

Install

Claude Desktop — one command, no manual JSON editing:

npx -y @spazio-genesi/attest-mcp-setup

This finds your claude_desktop_config.json (Windows/macOS/Linux), adds the attest-mcp entry, and backs up the original file first. It refuses to touch anything if the existing file isn't valid JSON — it never guesses. Restart Claude Desktop afterwards. To remove it again: add --uninstall. To preview without writing: add --dry-run.

Claude Code:

claude mcp add attest-mcp -- npx -y @spazio-genesi/attest-mcp

Manual / other clients — add this to your MCP client's config:

{
  "mcpServers": {
    "attest-mcp": {
      "command": "npx",
      "args": ["-y", "@spazio-genesi/attest-mcp"]
    }
  }
}

Authentication

Two ways to authenticate, matching the underlying service:

  1. API key (for partner integrations, issued manually by Spazio Genesi): set the IMGAUTH_API_KEY environment variable.
  2. Device flow (for personal/agent use): call the authorize tool with no arguments. It returns a URL — open it, approve with the human-verification widget, then call authorize again with the returned code. The session token (24h, 20 attestations) is saved to ~/.config/attest-mcp/credentials.json (permissions 600 where supported) and used automatically after that.

Either way, the credential only unlocks the anti-bot check on attestation — the server-side timestamp, cryptographic signature, and rate limits are unchanged.

Tools

| Tool | What it does | |---|---| | authorize | Start or continue the device-flow authorization. | | attest_file | Hash a local file (streamed) and attest it. | | get_certificate_pdf | Mint a fresh signed PDF, or recover an already-archived one, saved to disk. | | verify_file | Hash a local file and check it against a declared hash + signature. | | verify_certificate | Verify a certificate's signature without a local file. | | check_anchor | Check/download the OpenTimestamps (Bitcoin) proof. | | service_status | Traffic-light status of the attestation service. |

Configuration

| Env var | Default | Purpose | |---|---|---| | IMGAUTH_API_KEY | — | API key credential, bypasses the device flow. | | IMGAUTH_BASE_URL | https://imgauth.spaziogenesi.org | Override for local development (http://localhost:8787). | | IMGAUTH_CERT_PAGE_BASE | https://attestazione.spaziogenesi.org | Override for the permanent-certificate-page base URL. |

Known limitation

The certificate PDF and its text are in Italian (Spazio Genesi is an Italian non-profit and the certificate is a legal-facing document). The MCP tool descriptions and this README are in English for an international audience.

Development

npm install
npm test          # unit tests (hash vectors)
IMGAUTH_BASE_URL=http://localhost:8787 npm start   # against a local `wrangler dev`

License

MIT — see LICENSE. This is a client for the attestation service; the service itself (imgauth) is AGPL-3.0.