
Security News
PolinRider: North Korea-Linked Supply Chain Campaign Expands Across Open Source Ecosystems
PolinRider expands across npm, Packagist, Go modules, and Chrome extensions, using hidden loaders to target developer environments.
@keelpin/fuzz-runtime
Advanced tools
MIT-licensed mock toolkit for business-logic fuzzers — the open trust anchor behind the closed Argent AppSec product.
The mock toolkit is open-source so you can audit how Argent manufactures the violation signal. The rest of Argent is commercial. Closed product, open trust anchor.
@keelpin/fuzz-runtime is the MIT-licensed runtime that backs every business-logic
fuzzer the closed Argent AppSec product generates. When Argent reports a
CONFIRMED_VIOLATION — say, a cross-tenant document read — that signal is
manufactured by running a generated fuzzer against the four mocks in this
package: MockDb, MockHttp, MockClock, MockRng, plus the harness glue.
If the mocks are wrong, the violation could be artifactual. So we open-sourced them.
Argent makes a strong claim:
"We found a real authorization bug in your code."
A reasonable customer asks:
"How do I know your fuzzer didn't fake the violation?"
Reading this repo answers that question. You can:
The argument: a CONFIRMED_VIOLATION from Argent should be mechanically
equivalent to a real-world exploit. The mock toolkit is the layer where that
equivalence is defined. So that layer is public.
| Module | Purpose |
|---|---|
MockDb | Schema-driven in-memory store with a Prisma-shape proxy and snapshot/restore. |
MockHttp | Outgoing-fetch interceptor. Un-intercepted egress THROWS — no pass-through. |
MockClock | Controllable Date.now, setTimeout, and performance.now. |
MockRng | Deterministic xoroshiro128++ PRNG patching Math.random and crypto.getRandomValues. |
harness | Test-runner glue: build an Express-shape req / res, capture the result. |
pnpm add -D @keelpin/fuzz-runtime
# or
npm i -D @keelpin/fuzz-runtime
Requires Node.js 20 or newer.
The canonical case: a handler that fetches a document by ID without scoping to
the requesting session's organization. A user in org-B should not be able to
read a document owned by org-A. If they can, that's a CWE-639 cross-tenant
IDOR.
import { describe, expect, test, beforeEach } from 'vitest';
import { MockDb, harness } from '@keelpin/fuzz-runtime';
const schema = {
models: {
Document: {
fields: {
id: { type: 'String', isId: true },
orgId: { type: 'String' },
title: { type: 'String' },
ownerId: { type: 'String' },
},
},
},
} as const;
// The handler under test — a typical Express handler.
async function getDocument(req: any, res: any) {
const { id } = req.params;
const doc = await req.db.Document.findUnique({ where: { id } });
if (doc === null) return res.status(404).end();
return res.status(200).json(doc);
}
describe('cross-tenant document read', () => {
let db: MockDb;
beforeEach(() => {
db = new MockDb({ schema });
db.seed('Document', { id: 'doc-1', orgId: 'org-A', title: 'A-internal', ownerId: 'alice' });
});
test('positive control — same-tenant read works', async () => {
const res = await harness.invoke(getDocument, {
principal: { id: 'alice', orgId: 'org-A' },
params: { id: 'doc-1' },
}, { db });
expect(res.status).toBe(200);
});
test('attack — cross-tenant read should be denied', async () => {
const res = await harness.invoke(getDocument, {
principal: { id: 'bob', orgId: 'org-B' },
params: { id: 'doc-1' },
}, { db });
expect([403, 404]).toContain(res.status); // FAILS: handler returns 200.
});
});
The attack test fails because the handler queries by id only and never checks
document.orgId === session.orgId. That failure is the mechanical definition
of "violation" — and the mocks make it reproducible, deterministic, and
auditable.
These are the contract behaviors the package's CI verifies on every PR:
MockHttp.install() patches globalThis.fetch and any
un-intercepted egress THROWS. There is no pass-through to the real network
in any mode. (node:http/node:https are best-effort blocked too.)MockClock.install() replaces Date.now,
setTimeout, setInterval, and performance.now. setTimeout callbacks
only fire when MockClock.tick(ms) advances past their target.MockRng is xoroshiro128++ with an explicit seed.
Math.random() and crypto.getRandomValues() are patched to draw from the
same stream.MockDb.$queryRaw and MockDb.$executeRaw always reject.
A fuzzer cannot escape the typed model surface to construct a fake
violation through SQL injection of the mock itself.snapshot() / restore() so cross-scenario contamination is impossible.The closed Argent generator emits fuzzer source that imports from this package
under a strict semver range (^1.0.0 for v1). Breaking changes to the public
surface require a major bump and a 1-week public-comment window — the public
comment requirement is itself part of the trust-anchor posture.
The full compatibility contract lives in docs/compatibility.md (planned).
Strict semver. Public surface = src/index.ts. Internals (PRNG state layout,
MockDb storage layout) can change in patch releases.
MIT — © 2026 Titanium Computing, Inc.
Argent AppSec itself is not MIT-licensed. Only this runtime is.
See CONTRIBUTING.md. MIT-only contributions; SPDX scan runs in CI.
FAQs
MIT-licensed mock toolkit for business-logic fuzzers — the open trust anchor behind the closed Argent AppSec product.
We found that @keelpin/fuzz-runtime demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
PolinRider expands across npm, Packagist, Go modules, and Chrome extensions, using hidden loaders to target developer environments.

Security News
Open source attacks are accelerating as AI coding agents pull in dependencies faster, with less human review.

Research
/Security News
Malicious Chrome and Firefox extensions posed as free VPNs while stealing clipboard data through later extension updates.