fizzgig__form_validation_audit
verifies client + server validation parity — catches the "client validates, server trusts" bug.
the AI adds zod on the client and forgets to validate on the server. the form looks right, behaves right, then someone curls your endpoint with garbage and the database accepts it.
4 checks: client forms with no validation library imported, server routes accessing request body without a parse/validate call (the canonical 'client validates, server trusts' bug), validation library mismatch between client + server (drift risk), <input required> as the only validation signal (browser-native only). Inline-aware — distinguishes manual typeof/length/regex guards (medium, not false-critical) from genuinely-unvalidated input. Recognises zod, yup, joi, superstruct, valibot, arktype, react-hook-form, formik.
make the server validation match the client validation. the client check is UX; the server check is security — never mistake one for the other.
caught a policy that would have leaked every user's comments. shipped a fix in 4 minutes.
first tool i installed. it's the one that pays for itself.
works great. one false positive on a join table — easy to ignore.
{
"fizzgig": {
"url": "https://mcp.fizzgig.ai",
"tools": ["form_validation_audit"]
}
}