CLI Reference
ZeroMCP ships two commands: serve and audit.
zeromcp serve
Start the MCP server. Scans tool directories, connects remote servers, and serves over configured transports.
zeromcp serve [config-path]| Argument | Default | Description |
|---|---|---|
config-path | ./zeromcp.config.json | Path to config file |
Output
$ zeromcp serve
[zeromcp] Loaded: hello
[zeromcp] Loaded: stripe_list_customers
[zeromcp] Loaded: github_list_issues
[zeromcp] 3 local + 0 remote = 3 tool(s)
[zeromcp] stdio transport readyAll output goes to stderr. stdout is reserved for MCP JSON-RPC communication.
zeromcp audit
Run static analysis on tool files. Checks for security violations.
zeromcp audit [tools-path]| Argument | Default | Description |
|---|---|---|
tools-path | ./tools | Directory of tool files to audit |
What it checks
- Permission declarations present
- No direct
process.envaccess (usectx.credentials) - No global
fetchcalls (usectx.fetch) - No undeclared filesystem access
- No hardcoded credentials or API keys
Output
$ zeromcp audit ./tools
✓ stripe/list_customers.js — permissions declared, no raw env access
✓ stripe/create_charge.js — permissions declared, no raw env access
✗ github/issues.js — uses global fetch (should use ctx.fetch)
✗ utils/helper.js — accesses process.env directly
2 passed, 2 failedThe audit CLI gates the community tool registry. Tools with violations cannot be published.