Installation
Supply Pulse — is anything dangerous in my app?
One command to scan your repo, a live website, or both — leaked secrets, dependency risks, env gaps, and what your users actually download in the browser.
Command reference: All Supply Pulse commands · Terminal CLI · API key setup · Test Pulse
Supply Pulse in one sentence
zephex supply runs security checks on your machine and prints a severity-ranked report — what was scanned, what was found, and what to fix next.
Website URL
Public JavaScript only
Fetches your homepage, downloads linked .js bundles, and scans them for leaked API keys, JWTs, exposed source maps, and outdated frontend libraries.
Local repo
Full supply-chain pass
Secrets in files and git history, dependency CVEs (optional reachability), env audit, GitHub Actions risks, and Supabase RLS checks when relevant.
Combined
Repo + live URL
zephex supply . + https://yoursite.com cross-checks source against what still ships in production bundles.
Not MCP
CLI only
Run from any terminal. No editor MCP tool — use terminal commands or your agent's shell.
What happens when you pass a URL
Supply Pulse does not log into your app or attack your server. It behaves like a visitor loading your public homepage:
- Downloads the HTML of your URL
- Finds external `<script src="…">` tags and common framework chunks (e.g. Next.js static paths)
- Downloads those JavaScript files (up to 40 scripts, 5 MB each)
- Scans bundle contents for secrets and misconfigurations
- Optionally probes for exposed `.js.map` source maps
```bash
npm install -g zephex && mcpcli setup
zephex supply https://app.example.com
zephex supply app.example.com
zephex supply https://app.example.com --json
zephex supply https://app.example.com --severity high
```
What it can find on a URL
| Finding type | Examples |
|---|---|
| Leaked secrets | Stripe sk_live, AWS keys, GitHub tokens, Supabase JWTs, generic apiKey: patterns |
| Client-side keys (contextual) | Algolia search keys, Stripe pk_live — often informational with guidance on restrictions |
| Source maps | Public bundle.js.map files that expose TypeScript paths or source |
| Outdated JS libraries | Known CVEs in frontend deps when retire.js is available on your machine |
What a URL scan does not do
- No login, cookies, or authenticated areas
- No server-side code, databases, or API endpoint probing
- No inline `<script>` blocks — only external `.js` files linked from HTML
- No npm `package.json` / dependency CVE audit (use a repo scan for that)
- No git history, `.env` files, GitHub Actions, or infrastructure scans
- Sites behind bot protection may return zero bundles — check warnings in the report
Zero findings can mean a clean site or no downloadable JS from the first HTML response. The report shows how many bundles were scanned and bytes read.
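The URL-scan steps and limits above, sketched as an added example (not Zephex's own code). The regexes, rule names, and severities are assumptions chosen to match the finding types in the table, and the HTML and bundle are constructed samples so nothing is fetched over the network.

```javascript
// Added illustration, not Zephex source. Caps mirror the page: 40 scripts, 5 MB each.
const MAX_SCRIPTS = 40;
const MAX_BYTES = 5 * 1024 * 1024;

// Assumed patterns for finding types named in the table above.
const RULES = [
  { id: "stripe-live-secret", severity: "critical", re: /sk_live_[0-9A-Za-z]{24,}/g },
  { id: "aws-access-key-id", severity: "critical", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { id: "jwt", severity: "high", re: /\beyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}/g },
  { id: "stripe-publishable", severity: "info", re: /pk_live_[0-9A-Za-z]{24,}/g },
];

// External <script src> only; inline blocks have no src and are skipped.
function externalScripts(html, pageUrl) {
  const urls = [];
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    const u = new URL(m[1], pageUrl).href;
    if (/\.js(\?|$)/.test(u) && !urls.includes(u)) urls.push(u);
  }
  return urls.slice(0, MAX_SCRIPTS);
}

// Never echo a full secret into a report: keep a short prefix only.
const redact = (s) => s.slice(0, 8) + "…[redacted]";

function scanBundle(url, body) {
  const text = body.slice(0, MAX_BYTES); // character cap approximates the byte cap
  const findings = [];
  for (const { id, severity, re } of RULES) {
    for (const m of text.matchAll(re)) findings.push({ url, id, severity, match: redact(m[0]) });
  }
  // A sourceMappingURL comment names the .map URL to check for public exposure.
  const map = text.match(/\/\/[#@]\s*sourceMappingURL=(\S+)/);
  if (map && !map[1].startsWith("data:")) {
    findings.push({ url, id: "source-map-reference", severity: "medium",
      match: new URL(map[1], url).href });
  }
  return findings;
}

// Constructed sample input (no network): one inline script, one external bundle.
const HTML = `<html><head><script>window.cfg={k:"inline, not scanned"}</script>
<script src="/_next/static/chunks/main.js"></script></head></html>`;
const BUNDLE = 'const k="' + "sk_live_" + "A".repeat(24) + '";const p="' +
  "pk_live_" + "B".repeat(24) + '";\n//# sourceMappingURL=main.js.map';

function demo() {
  const [url] = externalScripts(HTML, "https://app.example.com/");
  return scanBundle(url, BUNDLE);
}
```

Calling `demo()` returns three findings for the one external bundle; the inline script never reaches the scanner, which is why a page whose keys live only in inline blocks would report zero findings.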
```bash
cd your-project
zephex supply
zephex supply --only secrets --strict
zephex supply --only deps --reachability
zephex supply github:your-org/your-repo
```
Repo scans cover secrets (files + git when tools are installed), OSV dependency CVEs, optional reachability filtering, env reference audit, GitHub Actions workflow risks, Supabase RLS signals, and IaC hints when scanners are present.
Gitleaks and TruffleHog improve coverage when installed locally; a regex backstop always runs.
Reading the report
Human output includes:
- Severity bar (critical → informational)
- Per-finding headlines, bundle URLs, and redacted context snippets
- Scanner transparency — which phases ran and what was skipped
- Action lines (rotate key, disable source maps, upgrade package)
```bash
zephex supply last
zephex supply --why "are these Algolia keys safe?"
zephex supply --json
```
Recent scans are cached locally (~30 minutes) under your Zephex config directory for last and --why follow-ups.
Save scans to your account
With a Zephex API key configured (setup guide), completed scans can upload a result summary for history — the scan still runs on your machine; Zephex stores the report you send.
```bash
zephex supply https://app.example.com
zephex supply history
```
If upload fails, your local report is always saved. Fix API key or connectivity and run again.
mcpcli is the short install name for the Zephex MCP CLI (npm package zephex). Same binary, same API key, same 10 tools — you can type mcpcli instead of zephex after a one-time install. Official package name on npm remains zephex; command aliases ship inside that package (v2.4.6+).
Node.js required (or alternatives)
Includes best download path and how many MB each option uses — see download sizes.
mcpcli, npx zephex, and npm install -g zephex are Node.js programs. They need Node.js 18+ and npm on your PATH (or Node inside Docker). Zephex in the browser or in an editor over HTTPS does not replace that for terminal Mode 2.
Quick answer: Most people should install Node.js LTS, restart the terminal, then run npm install -g zephex && mcpcli setup. Pick another row in the table only if Node or global install is not possible on your machine.
Recommended if you have nothing installed yet: official Node.js LTS from nodejs.org (one installer), then the Zephex CLI from npm. Total download is not huge — on the order of tens of MB for Node, plus about 2.4 MB for the CLI itself.
```bash
# Best download for most people (small + permanent):
# 1) Node.js LTS installer — ~30 MB (Windows) or ~85 MB (macOS) one-time download
#    https://nodejs.org/en/download
# 2) Then in terminal (Zephex CLI is only ~2–3 MB from npm):
npm install -g zephex
mcpcli setup

# Smallest try-before-install (still needs Node for npx):
npx zephex setup
# First run downloads zephex (~2–3 MB) to npm cache; no huge SDK.
```
| What you download | Approx. download | After install on disk |
|---|---|---|
| Node.js LTS (Windows .msi) — best base for most users | ~30 MB | ~100–250 MB |
| Node.js LTS (macOS .pkg) | ~84 MB | ~100–250 MB |
| zephex CLI only (npm install -g zephex) | ~2.4 MB | ~3–20 MB in npm cache |
| npx zephex setup (no global install) | Same ~2.4 MB CLI on first run | Cached under ~/.npm; no separate “Zephex app” installer |
| Docker node:22-alpine (no local Node) | ~45–60 MB image pull | Docker Desktop ~500+; image ~45–60 MB |
| Editor-only MCP (HTTPS + API key) | 0 MB CLI — config only | No Node required on laptop |
Sizes vary slightly by Node version and OS. You are not downloading a large IDE or a multi-GB SDK — just Node (if needed) and a small npm package. Tools run against https://zephex.dev/mcp; your project code is not uploaded as a full repo by default.
Step 1 — check what you already have:
```bash
node -v
npm -v
which node
which npm
```
- v18.x, v20.x, or v22.x → you are ready; skip to after Node is installed.
- command not found → Node is missing; install below or use Docker / editor-only.
- v16 or lower → upgrade Node; the CLI requires 18+.
Step 2 — pick the best path for you:
| Your situation | Best option | Notes |
|---|---|---|
| New user, can install software | Node.js LTS + npm install -g zephex && mcpcli setup | Recommended. Shortest commands: mcpcli, zepx, zephex. |
| Have Node, try before installing globally | npx zephex setup | ~5s first download; nothing permanent except credentials. |
| Use Bun instead of Node day-to-day | bun install -g zephex | Still a JS runtime; see Bun block below. |
| Use pnpm | pnpm add -g zephex | Same CLI; see pnpm block below. |
| No Node on host; Docker allowed | Docker + npx in container | Mount $HOME so credentials survive. |
| No Node, no Docker; only Cursor / Claude | Editor MCP (HTTP) | Mode 1 in editor — not the same as terminal mcpcli tools. |
| Corporate laptop, no installs | Manual JSON config | Paste MCP config + API key; setup wizard optional on another machine. |
| Only need terminal tools occasionally | npx zephex … per command | Needs Node each time; no global PATH entry. |
Download the LTS installer if you are unsure — it includes npm. After install, close and reopen your terminal (required on Windows so PATH updates).
```bash
# macOS — recommended for most users
# Option A: Homebrew (developers)
brew install node

# Option B: Official LTS installer (everyone)
# Download from https://nodejs.org/en/download
# Run the .pkg, then restart Terminal

# Option C: Version manager (multiple Node versions)
# fnm: https://github.com/Schniz/fnm
# nvm: https://github.com/nvm-sh/nvm
```
```powershell
# Windows — recommended for most users
# Option A: winget (Windows 10/11)
winget install OpenJS.NodeJS.LTS

# Option B: Official LTS installer
# https://nodejs.org/en/download — check "Add to PATH" during install
# Then open a NEW Command Prompt or PowerShell window

# Verify (new window):
node -v
npm -v
```
```bash
# Linux — pick one
# Option A: NodeSource (Debian/Ubuntu)
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt-get install -y nodejs

# Option B: Distro packages (may be older — need v18+)
# sudo apt install nodejs npm   # only if version >= 18

# Option C: nvm (no sudo, per-user)
# curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash
# nvm install --lts
# nvm use --lts
```
Step 3 — after Node works, run Zephex setup:
```bash
npm install -g zephex && mcpcli setup
```
Without global install (still needs Node + npm for npx):
```bash
npx zephex setup
npx -p zephex mcpcli setup
```
These still require a JavaScript runtime on the machine — not a substitute for “no Node at all.”
```bash
bun install -g zephex
mcpcli setup
# or one-shot:
bunx zephex setup
```
```bash
pnpm add -g zephex
mcpcli setup
# or one-shot:
pnpm dlx zephex mcpcli setup
```
No Node on this computer? Use Docker (Node runs inside the image) or editor-only MCP. Docker still requires Docker Desktop / Engine on the host.
```bash
# Docker Desktop or Engine required on the host
docker pull node:22-alpine

# Setup (writes ~/.zephex + editor configs on YOUR machine)
docker run -it --rm \
  -v "$HOME:/root" \
  -w /root \
  node:22-alpine \
  npx -y zephex setup

# Terminal tool in your repo (mount project folder)
cd /path/to/your-app
docker run -it --rm \
  -v "$HOME:/root" \
  -v "$(pwd):/work" \
  -w /work \
  node:22-alpine \
  npx -y zephex get-context
```
Optional alias so daily commands look like local mcpcli:
```bash
# ~/.bashrc or ~/.zshrc — shorter daily commands
# The project folder is bind-mounted with -v and then selected with -w.
alias mcpcli='docker run -it --rm -v "$HOME:/root" -v "$(pwd):/work" -w /work node:22-alpine npx -y zephex'

mcpcli setup
mcpcli get-context
```
Full CLI in Docker guide · Windows paths: use %USERPROFILE% instead of $HOME in -v mounts.
If you only want MCP tools inside Cursor or Claude Code and never run commands in Terminal, you can connect over HTTPS without installing Node on your laptop. Terminal Mode 2 (mcpcli get-context, etc.) still needs Node or Docker somewhere.
```bash
# No local Node needed for Cursor / Claude Code (hosted HTTP)
# 1. Create a key: https://zephex.dev/dashboard/api-keys
# 2. In Cursor: Settings → MCP → add server URL:
#    https://zephex.dev/mcp
#    Header: Authorization: Bearer YOUR_API_KEY
# Or run setup on ANY machine that has Node once, copy the key into the editor.

# Full wizard (needs Node somewhere once):
# mcpcli setup --cursor
```
```bash
# "command not found: node" or "command not found: npx"
# → Node is not installed OR not on your PATH.
# Fix: install LTS from nodejs.org, restart terminal, run node -v again.

# "mcpcli: command not found" after npm install -g
# → Global npm bin not on PATH, or install did not finish.
# Fix: npm install -g zephex
#      npm bin -g   # add this folder to PATH
# Or skip global: npx zephex setup

# EACCES / permission denied on npm install -g (macOS/Linux)
# Fix: mkdir -p ~/.npm-global && npm config set prefix ~/.npm-global
# Add to ~/.zshrc: export PATH="$HOME/.npm-global/bin:$PATH"

# Old Node (v16 or below)
# Fix: upgrade to Node 18+ LTS — zephex CLI will not run on EOL Node.
```
| Question | Answer |
|---|---|
| Do I need Node.js to use Zephex at all? | Only for the terminal CLI (mcpcli / npx zephex). Editor MCP via hosted HTTPS (Cursor, Claude Code) can work without Node on your laptop if you paste an API key or HTTP config. Terminal tools always need Node somewhere — your machine or Docker. |
| What is the best install for a new user? | Install Node.js LTS from nodejs.org (includes npm), restart the terminal, then run: npm install -g zephex && mcpcli setup. That gives the shortest commands forever. |
| I cannot install software on my work laptop. | Use editor-only MCP (manual JSON or dashboard key) — see Install methods → Manual JSON. Or run setup once on a personal machine, copy the API key, paste into work editor config. Terminal CLI on the work machine may be blocked without Docker approval. |
| I have Node for another project — is that enough? | Yes, if node -v shows v18 or higher. You do not need a separate Node install for Zephex. Use the same npm/npx. |
| Does the AI editor install Node for me? | Sometimes. Cursor/VS Code may bundle npx for MCP stdio configs, but that does not put mcpcli on your system PATH for Mode 2 terminal use. For terminal tools, install Node yourself or use Docker. |
| Docker still needs something installed? | Docker Desktop (or docker CLI) on the host — not Node. The container image includes Node and runs npx zephex for you. |
| How many MB will this download? | Node.js LTS installer is roughly 30 MB (Windows) or 85 MB (macOS) — not hundreds of MB. The zephex CLI package from npm is about 2–3 MB. npx zephex setup only adds that CLI download on first run (cached after). Docker pulls a ~50 MB Node Alpine image plus the same small zephex package inside the container. |
| What is the best way to download if I have nothing installed? | Use the official Node.js LTS installer from nodejs.org (includes npm), restart your terminal, then run npm install -g zephex && mcpcli setup. That is the smallest hassle long-term. If you truly cannot install Node, use editor-only MCP (no download) or Docker if your IT allows it. |
More: Install methods (all 6) · Connect MCP · CLI in Docker · npx zephex
First time (any OS, Node already installed)
Pick one path — both work the first time you run setup:
Recommended — global install (shortest commands forever):
```bash
npm install -g zephex && mcpcli setup
```
One-shot without global install (pick one):
```bash
npx zephex setup
npx -p zephex mcpcli setup
```
Plain mcpcli setup only works after npm install -g zephex (or the combined line above). That is expected — there is no separate npm package named mcpcli on the public registry.
After install — daily commands
```bash
mcpcli setup
mcpcli get-context
mcpcli usage
zepx help
zphx doctor
```
All of these run the same CLI: mcpcli, zepx, zphx, mcpz, zepcli, zephx, zephex.
Terminal-only vs editor MCP
MCP CLI (Mode 2) runs in your shell — no AI agent required. When you pick Terminal / CLI only, mcpcli setup does not change Cursor/VS Code MCP config. Use mcpcli setup --cursor (or another flag) if you also want tools inside the editor.
logout vs disconnect: mcpcli logout removes only ~/.zephex terminal credentials — your editor can keep using MCP. mcpcli disconnect removes Zephex from an editor config and revokes the key — not the same as logout. You can use terminal tools and editor MCP together with one API key; you do not run two separate products.
Who can run it?
Anyone in the world can download and run mcpcli / zephex from npm (public CLI). Your hosted MCP tools at https://zephex.dev/mcp require your API key from setup — strangers cannot use your quota without a key. Keys stay in ~/.zephex (or editor config); nothing secret is baked into the npm package.
More
Connect MCP (editors) · Terminal tools · Full command list · Install & package names · Install methods (no Node / Docker / manual) · CLI in Docker
```bash
# Website
zephex supply https://yoursite.com

# Repo (default cwd)
zephex supply

# Repo + production URL
zephex supply . + https://yoursite.com

# CI-friendly
zephex supply --only secrets --strict --json

# Less noise
zephex supply https://yoursite.com --severity high
```
Full flag list: Supply Pulse commands.