npx claudepluginhub berrzebb/quorum --plugin quorumHTTP runner that executes FVM rows against a live server. Authenticates as each role, sends requests, compares actual vs expected status codes. - Post-deployment verification — validate that access control works as designed - Security testing — detect AUTH_LEAK (unauthorized access) issues - CI integration — automate FVM validation as part of the test pipeline - Bug detection — find FALSE_DENY ...
Fills Nyquist validation gaps by generating runnable behavioral tests for phase requirements, running them adversarially, debugging failures (max 3 iterations), verifying coverage, and escalating blockers.
Share bugs, ideas, or general feedback.
HTTP runner that executes FVM rows against a live server. Authenticates as each role, sends requests, compares actual vs expected status codes.
fvm_generate)| Param | Required | Default | Description |
|---|---|---|---|
--fvm_path | Yes | — | Path to FVM markdown file |
--base_url | Yes | — | Live server URL (e.g., http://localhost:4200) |
--credentials | Yes | — | JSON: {"role": {"username": "u", "password": "p"}} |
--filter_role | No | — | Only validate rows for this role |
--filter_route | No | — | Only validate rows matching this route |
--timeout_ms | No | 5000 | Per-request timeout in milliseconds |
# Full validation
quorum tool fvm_validate \
--fvm_path docs/fvm.md \
--base_url http://localhost:4200 \
--credentials '{"admin":{"username":"admin","password":"pass"},"viewer":{"username":"viewer","password":"pass"}}'
# Filter by role
quorum tool fvm_validate \
--fvm_path docs/fvm.md \
--base_url http://localhost:4200 \
--credentials '{"admin":{"username":"admin","password":"pass"}}' \
--filter_role admin
# Filter by route
quorum tool fvm_validate \
--fvm_path docs/fvm.md \
--base_url http://localhost:4200 \
--credentials '{"admin":{"username":"admin","password":"pass"}}' \
--filter_route /admin
# JSON output
quorum tool fvm_validate \
--fvm_path docs/fvm.md \
--base_url http://localhost:4200 \
--credentials '{}' \
--json
| Code | Severity | Meaning | Action |
|---|---|---|---|
AUTH_LEAK | 🔴 Critical | Role denied by policy but server returned 2xx | Security fix required |
FALSE_DENY | 🟡 Bug | Role allowed by policy but server returned 401/403 | Fix authorization logic |
ENDPOINT_MISSING | 🟠 Warning | Server returned 404 for defined endpoint | Check routing config |
PARAM_ERROR | 🟢 Info | Server returned 400/422 | May need test data |
TIMEOUT | — | Request timed out | Check server health |
CONNECTION_REFUSED | — | Cannot connect | Server not running |
The validator authenticates via POST /api/auth/login with each role's credentials. The set-cookie header from the response is used for subsequent requests. The unauthenticated role sends requests without any cookie.
## FVM Validation Results
Base URL: http://localhost:4200
Validated: 2026-03-20T10:30:00Z
Total: 150 rows, 142 passed, 8 failed
### Failures
| Route | Feature | Endpoint | Method | Role | Expected | Actual | Verdict |
|-------|---------|----------|--------|------|----------|--------|---------|
### Full Matrix
| Route | Feature | Endpoint | Method | Role | Expected | Actual | Pass |
Requests are sent sequentially with a 100ms delay between each to avoid overwhelming the server. For large FVM matrices (700+ rows), consider using --filter_role or --filter_route to validate in batches.