quickstart.

Fizzgig is a catalogue of audit tools your AI editor can call directly through MCP. One install command, one paste, and your editor can scan for secret leaks, RLS misconfigs, dependency CVEs, and more — without you ever leaving the chat.

// built on lovable, bolt, or v0?

Fizzgig audits the code, not the builder — so it works on AI-built apps too. Sync your Lovable / Bolt project to GitHub (or export it), open the repo in Cursor or Claude Code, and run the audit there. It's the fastest way to catch the classics those builders ship by default: Supabase RLS left open, the service-role key leaked to the browser, routes with no auth.

// install in your editor — one command

Run this in your terminal. It detects your editor, asks for a Fizzgig key, writes the right config file, and tells you how to reload — everything below this card is the manual fallback.

$ npx @fizzgig-ai/install

editors: Claude Code, Cursor, Windsurf, VS Code (Copilot Chat), Continue.dev

node 18+ required · source on npm

three steps, ~60 seconds.

1. get an API key

Sign in to Fizzgig and mint a key at fizzgig.ai/dashboard/keys. The plaintext value shows once at creation — copy it now. Lost the key? Revoke and mint a new one; old keys stop working immediately.

▸ no account yet? request beta access →

2. run the installer

In your terminal, from anywhere on your machine:

$ npx @fizzgig-ai/install

The installer detects which editor you have, asks which to install Fizzgig into (multi-select if you have several), prompts for the API key from step 1, then writes the right config file per editor. Your existing MCP servers are preserved — Fizzgig is added alongside, not blasted over.

3. reload your editor + try a tool

The installer prints reload instructions per editor (Cursor: Cmd-Shift-P → Reload Window; Claude Code: full restart; Windsurf: full restart; VS Code: Cmd-Shift-P → Developer: Reload Window). After the reload, first confirm the connection — ask your AI:

“What Fizzgig tools do you have access to?”

It should list your tools. (If it says it has none, the server isn't connected — re-check the Authorization header and that you fully reloaded.) Then run one on something real:

“Use fizzgig__secret_leak_finder on the contents of lib/ and workers/.”

The AI calls Fizzgig, gets back ranked findings, surfaces them with copy-paste fix suggestions. Every run also writes an audit-log row you can view at /dashboard/runs.

what you have access to.

Six tools land in your editor on install. Eighteen more roll out as the catalogue opens (paid tier — see /pricing).

fizzgig__secret_leak_finder
  Scan source code for hardcoded credentials
  input: code: string (concatenated source files)
  when: Before every commit, before publishing any repo, after adding a new SDK.

fizzgig__rls_checker
  Audit Supabase RLS policies for misconfigurations
  input: sql: string (migration SQL or pg_policies output)
  when: Before any production migration, when adding a new table, when rewriting a policy.

fizzgig__dep_audit
  Static dep-config audit (placement, ranges, lockfile drift)
  input: package_json + (optional) lockfile
  when: After every npm install, before every release, on every CI PR.

fizzgig__vuln_scanner
  Known-CVE lookup against OSV.dev (GitHub Advisory + npm)
  input: package_json + (optional) lockfile
  when: After every npm install. Database adds advisories daily — even a static lockfile can become vulnerable overnight.

fizzgig__fetch_url_scanner
  Detect third-party APIs called by URL (no installed SDK)
  input: code: string (concatenated source files)
  when: After every new fetch() / axios call to a new domain.

fizzgig__stack_map
  Live architecture map with platform status pills
  input: tool_run_ids: string[] (audit-log ids from prior tool runs)
  when: After other tools run (the map gets richer with each emit). Before any deploy.
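
A known-CVE lookup against OSV.dev is made by exact installed version, which is why the optional lockfile matters for fizzgig__vuln_scanner. The sketch below is an added example, not Fizzgig's code: it turns a package-lock.json into a request body for OSV's public querybatch endpoint and pairs the results back to packages. The function names, the sample lockfile and the sample response are constructed for illustration.

```javascript
// Added example (not Fizzgig's code): npm lockfile -> OSV.dev querybatch payload.
const OSV_BATCH_URL = 'https://api.osv.dev/v1/querybatch';

// Constructed sample package-lock.json (lockfileVersion 3), embedded so this runs offline.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { lodash: '^4.17.0' } },
    'node_modules/lodash': { version: '4.17.20' },
    'node_modules/@supabase/supabase-js': { version: '2.39.0' },
    'node_modules/foo/node_modules/lodash': { version: '4.17.21' },
    'node_modules/my-lib': { resolved: 'packages/my-lib', link: true },
    'packages/my-lib': { name: 'my-lib', version: '0.1.0' },
  },
});

// Extract exact installed (name, version) pairs; the ranges in package.json are not enough.
function installedPackages(lockText) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) throw new Error('lockfileVersion 2+ with a "packages" map is required');
  const seen = new Map();
  for (const [path, entry] of Object.entries(lock.packages)) {
    const i = path.lastIndexOf('node_modules/');
    if (i === -1 || entry.link || !entry.version) continue; // root, workspaces, symlinks
    const name = entry.name || path.slice(i + 'node_modules/'.length); // entry.name is set for aliases
    seen.set(`${name}@${entry.version}`, { name, version: entry.version });
  }
  return [...seen.values()];
}

// One query per installed version, in the shape OSV's batch endpoint expects.
function buildOsvBatch(pkgs) {
  return { queries: pkgs.map(p => ({ package: { name: p.name, ecosystem: 'npm' }, version: p.version })) };
}

// OSV returns results in query order; pair them back up and keep only the hits.
function vulnerable(pkgs, response) {
  return pkgs
    .map((p, i) => ({ ...p, ids: ((response.results[i] || {}).vulns || []).map(v => v.id) }))
    .filter(p => p.ids.length > 0);
}

// Live lookup (Node 18+ global fetch); not called here so the example stays offline.
async function queryOsv(lockText) {
  const pkgs = installedPackages(lockText);
  const res = await fetch(OSV_BATCH_URL, { method: 'POST', body: JSON.stringify(buildOsvBatch(pkgs)) });
  if (!res.ok) throw new Error(`OSV responded ${res.status}`);
  return vulnerable(pkgs, await res.json());
}
```

Nested copies are reported separately because two versions of the same package can be installed at once and only one of them may be affected.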

common issues.

The installer says “no supported MCP-aware editors detected”
Your editor's config dir isn't where we expect (e.g. you're on Windows or installed it to a non-default path). Use the per-editor JSON snippets at /dashboard/keys instead — open the “manual install” section beneath the CLI card.

My editor doesn't see Fizzgig after the install
The installer prints the reload step per editor. Some editors watch the config file and pick up changes live; others need a full restart. Try a full restart if a window-reload doesn't pick it up.

“Invalid or missing execution secret” / 401
Your API key is wrong or has been revoked. Mint a new one at /dashboard/keys and re-run the installer (it'll ask if you want to overwrite the existing entry — say yes).

The tool returned 56KB and tripped my AI client's output cap
By default Fizzgig responses are LEAN — synthesis_hint, envelope, and per-finding ai_context are stripped because the framing the AI needs lives in each tool's long_description (delivered once per session via tools/list). Pass verbose: true if you need the full envelope back (debugging, dashboard inspection). Otherwise responses sit comfortably under 10KB even for multi-finding scans.

something not working? file an issue at github.com/RascalRebelCreative/fizzgig/issues — every coverage gap or edge case is one we want to close before public launch.