new · security · v0.3.0 · pro · $0.002/call

fizzgig__form_validation_audit

verifies client + server validation parity — catches the "client validates, server trusts" bug.

4 checks: client forms with no validation library imported, server routes accessing request body without a parse/validate call (the canonical "client validates, server trusts" bug), validation library mismatch between client + server (drift risk), and `<input required>` as the only validation signal (browser-native only). Now inline-aware — distinguishes manual typeof/length/regex guards on the server (flagged high, not false-critical) and native HTML5 constraints (type=email / pattern / minlength) on the client (medium, not false-high) from genuinely-unvalidated input. Recognises zod, yup, joi, superstruct, valibot, arktype, react-hook-form, formik.
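
The second check above (a server route that reads the request body with no parse/validate call) and the inline-aware severity split can be sketched as a text heuristic. This is an added example, not fizzgig's implementation; `classifyHandler`, the regexes and the sample handlers are constructed for illustration.

```javascript
// Added illustration: simplified heuristic; null (no finding) is this example's choice.

// Route code that reads the request body (Express-style or fetch-style).
const BODY_ACCESS = /\breq(uest)?\.(body\b|json\s*\(\s*\))/;
// Schema-library entry points (zod/valibot parse and safeParse, yup/joi validate).
// The lookbehind keeps JSON.parse() from counting as validation.
const SCHEMA_CALL = /(?<!JSON)\.(parse|safeParse|validate|validateSync|validateAsync)\s*\(/;
// Inline guards: typeof checks, length comparisons, regex .test() calls.
const MANUAL_GUARD = /\btypeof\s+\w|\.length\s*[<>=!]|\.test\s*\(/;

function classifyHandler(source) {
  if (!BODY_ACCESS.test(source)) return null;      // body never read
  if (SCHEMA_CALL.test(source)) return null;       // parsed against a schema
  if (MANUAL_GUARD.test(source)) return "high";    // hand-written guards only
  return "critical";                               // client validates, server trusts
}

// Constructed sample handlers (not taken from any real project).
const samples = {
  trusts: `app.post("/signup", async (req, res) => {
    await db.users.insert({ email: req.body.email, role: req.body.role });
    res.sendStatus(201);
  });`,
  jsonParseOnly: `app.post("/notes", async (req, res) => {
    const note = JSON.parse(req.body);
    await db.notes.insert(note);
    res.sendStatus(201);
  });`,
  manualGuards: `app.post("/signup", async (req, res) => {
    const { email } = req.body;
    if (typeof email !== "string" || email.length > 254) return res.sendStatus(400);
    await db.users.insert({ email });
    res.sendStatus(201);
  });`,
  schemaParsed: `app.post("/signup", async (req, res) => {
    const input = SignupSchema.safeParse(req.body);
    if (!input.success) return res.sendStatus(400);
    await db.users.insert(input.data);
    res.sendStatus(201);
  });`,
};

function auditSamples() {
  return Object.fromEntries(
    Object.entries(samples).map(([name, src]) => [name, classifyHandler(src)])
  );
}
console.log(auditSamples());
```

A regex pass over source text is approximate; it misses validation done in middleware or in a helper defined in another file.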

// input schema
schema · application/json
{
  "type": "object",
  "required": [
    "project"
  ],
  "properties": {
    "project": {
      "type": "string",
      "description": "the project slug or path"
    },
    "strict": {
      "type": "boolean",
      "default": false,
      "description": "fail on warnings, not just errors"
    }
  }
}
// output schema
schema · application/json
{
  "type": "object",
  "properties": {
    "ok": {
      "type": "boolean"
    },
    "findings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "severity": {
            "enum": [
              "info",
              "warn",
              "high",
              "critical"
            ]
          },
          "message": {
            "type": "string"
          },
          "fix": {
            "type": "string"
          }
        }
      }
    }
  }
}
// example call from cursor
~/myapp — example output
fizzgig__form_validation_audit(project="myapp")
{
"ok": false,
"findings": [
{ "severity": "high",
"message": "policy uses user_id without auth.uid()",
"fix": "USING (auth.uid() = user_id)" }
],
"scanned": 3, "duration_ms": 142
}
// reviews
@maya.codes ★★★★★
2 days ago

caught a policy that would have leaked every user's comments. shipped a fix in 4 minutes.

@solo_at_3am ★★★★★
1 week ago

first tool i installed. it's the one that pays for itself.

@vibebuilder ★★★★
2 weeks ago

works great. one false positive on a join table — easy to ignore.

// primary action
add to your editor
paste this into your mcp config.
.cursor/mcp.json
{
  "fizzgig": {
    "url": "https://mcp.fizzgig.ai",
    "tools": ["form_validation_audit"]
  }
}
full setup guide →
// pricing
$0.002 / call
included free in pro plan.