skip to content
fizzgig
sign in
// product
code auditdetect what shippedbrand and reachsoonlift qualityperfect memorysoondecision graph
// build better
sourdough startersproject kicks-off in 1 prompt
// resources
pricingdocsblogabout
sign inrequest access →
audit suite/security/form_validation_audit
newsecurityv0.3.0pro · $0.002/call

fizzgig__form_validation_audit

verifies client + server validation parity — catches the "client validates, server trusts" bug.

// ai does this over time

the AI adds zod on the client and forgets to validate on the server. the form looks right, behaves right, then someone curls your endpoint with garbage and the database accepts it.

// the tool does

4 checks: client forms with no validation library imported, server routes accessing request body without a parse/validate call (the canonical 'client validates, server trusts' bug), validation library mismatch between client + server (drift risk), <input required> as the only validation signal (browser-native only). Inline-aware — distinguishes manual typeof/length/regex guards (medium, not false-critical) from genuinely-unvalidated input. Recognises zod, yup, joi, superstruct, valibot, arktype, react-hook-form, formik.

// so you can

make the server validation match the client validation. the client check is UX; the server check is security — never mistake one for the other.

● new● v0.3.0● pro
// input schema
schema · application/json
{
"type": "object"
"required": [
"project"
]
"properties": {
"project": {
"type": "string"
"description": "the project slug or path"
}
"strict": {
"type": "boolean"
"default": false
"description": "fail on warnings, not just errors"
}
}
}
// output schema
schema · application/json
{
"type": "object"
"properties": {
"ok": {
"type": "boolean"
}
"findings": {
"type": "array"
"items": {
"type": "object"
"properties": {
"severity": {
"enum": [
"info"
"warn"
"high"
"critical"
]
}
"message": {
"type": "string"
}
"fix": {
"type": "string"
}
}
}
}
}
}
// example call from cursor
~/myapp — example output
→ fizzgig__form_validation_audit(project="myapp")
{
"ok": false,
"findings": [
{ "severity": "high",
"message": "policy uses user_id without auth.uid()",
"fix": "USING (auth.uid() = user_id)" }
],
"scanned": 3, "duration_ms": 142
}
// reviews
@maya.codes★★★★★
2 days ago

caught a policy that would have leaked every user's comments. shipped a fix in 4 minutes.

@solo_at_3am★★★★★
1 week ago

first tool i installed. it's the one that pays for itself.

@vibebuilder★★★★☆
2 weeks ago

works great. one false positive on a join table — easy to ignore.

// primary action
add to your editor
paste this into your mcp config.
.cursor/mcp.json
{
  "fizzgig": {
    "url": "https://mcp.fizzgig.ai",
    "tools": ["form_validation_audit"]
  }
}
full setup guide →
// pricing
$0.002 / call
included free in pro plan.
// related tools
secret_leak_finder
v0.9.0
→
rls_checker
v0.6.0
→
env_auditor
v0.4.0
→
fizzgig

the fluffy guardian of vibe-coded apps. growls at insecure code so you don't have to.

all systems operational

product

code auditbrand and reach (soon)perfect memory (soon)pricingdocschangelog

community

sourdough startersdiscord (soon)github (soon)x / twitter (soon)rss (soon)

company

aboutcontactterms (soon)privacy
© 2026 fizzgig labs.
v1.4.2 · 2026-05-01