skip to content
fizzgig
sign in
// product
code auditdetect what shippedbrand and reachsoonlift qualityperfect memorysoondecision graph
// build better
sourdough startersproject kicks-off in 1 prompt
// resources
pricingdocsblogabout
sign inrequest access →
// code audit

one mcp tool. 27 checks.

code audit is the first of fizzgig's three legs — it detectswhat's wrong with what your AI shipped. live as a single MCP entry point (fizzgig__audit) that fans out to the right checks based on the inputs you provide. 6 free essentials are pinned to the top regardless of how you sort or filter. these are the 27 checks that live behind that one call — audit shows you the catalogue so you can see exactly what coverage you get.

detect <> lift. these 27 tools find the problem. the matching brand & reach _lift tools fix it (Q3 2026).

sort:
showing 27 of 27
newsecurity
fetch_url_scanner
fizzgig__fetch_url_scanner

detects third-party apis called via fetch() urls (no installed sdk). emits architecture_facts for stack-map.

Freev0.1.0
newux / dx
stack_map
fizzgig__stack_map

live architecture map of your stack — services, connections, status pills.

Freev0.4.0
newsecurity
vuln_scanner
fizzgig__vuln_scanner

known-cve lookup against osv.dev for npm packages. closes the gap dep-audit (structural) leaves open.

Freev0.1.0
security
dep_audit
fizzgig__dep_audit

reviews package.json + lockfile for placement, range, and integrity issues.

Freev0.5.0
security
rls_checker
fizzgig__rls_checker

checks supabase row-level-security policies for the 8 canonical leak shapes.

Freev0.6.0
security
secret_leak_finder
fizzgig__secret_leak_finder

finds hardcoded api keys, tokens, and provider secrets in your source.

Freev0.9.0
newsecurity
auth_flow_trace
fizzgig__auth_flow_trace

traces every protected route back to its auth check + verifies webhooks.

£4 / mov0.3.0
newcompliance
cookie_monster
fizzgig__cookie_monster

checks cookie consent — banner presence, parity, withdrawal, pre-consent script firing.

£3 / mov0.2.1
newcompliance
data_licence_review
fizzgig__data_licence_review

cross-references known data sources against your attribution text + commercial use.

£4 / mov0.3.0
newsecurity
form_validation_audit
fizzgig__form_validation_audit

verifies client + server validation parity — catches the "client validates, server trusts" bug.

£3 / mov0.3.0
newcompliance
gdpr_checker
fizzgig__gdpr_checker

cross-references your privacy policy against the live dependency tree.

£4 / mov0.2.0
newux / dx
legibility_review
fizzgig__legibility_review

WCAG contrast + font-size + line-height. resolves your design tokens, composites translucent backgrounds, computes the real ratio.

Paidv0.1.0
newcompliance
regulatory_compliance
fizzgig__regulatory_compliance

industry-aware regulatory check — auto-detects relevant regulators from your code + claims.

£4 / mov0.3.0
ux / dx
a11y_audit
fizzgig__a11y_audit

static WCAG check — alts, labels, semantic structure, keyboard nav.

£3 / mov0.2.0
discoverability
ai_search_audit
fizzgig__ai_search_audit

checks the signals AI search engines use — FAQPage, /llms.txt, E-E-A-T, server-rendered.

£5 / mov0.2.0
ux / dx
brand_completeness
fizzgig__brand_completeness

checks the cross-surface brand metadata (favicons, og, theme-color, manifest).

£3 / mov0.2.1
ux / dx
brand_consistency
fizzgig__brand_consistency

reviews component code against your design tokens + universal sourdough principles.

£4 / mov0.2.0
ux / dx
broken_link_finder
fizzgig__broken_link_finder

flags empty hrefs, broken internal routes, anchor-id mismatches, mailto/tel issues.

£3 / mov0.2.0
ux / dx
content_quality
fizzgig__content_quality

reviews writing quality + structural quality from a human-reader perspective.

£4 / mov0.2.0
ux / dx
copy_tone_check
fizzgig__copy_tone_check

flags AI-generated tells, buzzwords, and prose-rhythm issues in marketing copy.

£3 / mov0.2.0
security
cors_audit
fizzgig__cors_audit

inspects api routes for permissive cors configs.

£3 / mov0.2.1
ux / dx
empty_state_finder
fizzgig__empty_state_finder

flags `.map()` over a list with no empty-state guard rendered.

£3 / mov0.2.0
security
env_auditor
fizzgig__env_auditor

checks your .env file for credible secrets behind public prefixes.

£3 / mov0.4.0
combo
launch_checklist
fizzgig__launch_checklist

pre-launch ritual — fan-out to every other fizzgig tool, single ship/dont-ship verdict.

£5 / mov0.6.0
security
prompt_injection_scan
fizzgig__prompt_injection_scan

flags prompt content for injection-vector smells.

£3 / mov0.2.0
discoverability
seo_audit
fizzgig__seo_audit

comprehensive traditional SEO review — URL, head, schema, body, security headers.

£5 / mov0.2.1
security
sql_injection_sniff
fizzgig__sql_injection_sniff

flags SQL built via interpolation, concatenation, or ORM raw escape hatches.

£3 / mov0.2.0
one MCP tool. one pre-deploy ritual.
all 27 checks live behind fizzgig__audit (general detection) and fizzgig__launch_checklist (pre-deploy ritual with ship/dont-ship verdict). one install, every check.
what's the audit suite? →
request beta access →
// detect <> lift
audit finds the problem. lift fixes it.
every audit tool here has a planned _lift partner on the brand & reach leg — context-aware rewrites that take the audit findings AND your project and ship the actual fix. nine planned. Q3 2026.
see the lift catalogue →
fizzgig

the fluffy guardian of vibe-coded apps. growls at insecure code so you don't have to.

all systems operational

product

code auditbrand and reach (soon)perfect memory (soon)pricingdocschangelog

community

sourdough startersdiscord (soon)github (soon)x / twitter (soon)rss (soon)

company

aboutcontactterms (soon)privacy
© 2026 fizzgig labs.
v1.4.2 · 2026-05-01