Workflow Gallery

Current v4 Scenarios

Example operations that match the actual WSHawk v4 workflow model.

Cross-Identity WebSocket AuthZ Diff

AuthZ

Compare the same WebSocket action across two stored identities and review the grouped behavioral differences.

bash
POST /platform/projects/{project}/attacks/authz-diff
{
  "baseline_identity_id": "tenant-admin",
  "candidate_identity_id": "tenant-user",
  "message_family": "invoice.subscribe"
}

# Output
# difference_count: 1
# finding: candidate received cross-tenant invoice metadata

HTTP Replay with Stored Identity

Replay

Replay a captured HTTP request inside the same project record used for WebSocket work.

bash
POST /platform/projects/{project}/attacks/http/replay
{
  "identity_id": "support-user",
  "request_id": "req_42"
}

# Output
# replay_status: complete
# evidence_record: http_replay_completed

Duplicate Action Race Window

Race

Fire parallel requests against a state-changing workflow to spot replay-before-invalidation windows.

bash
POST /platform/projects/{project}/attacks/race
{
  "waves": 3,
  "parallelism": 8,
  "action": "approve_refund"
}

# Output
# suspicious_race_window: true
# accepted_duplicates: 2
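
What a non-zero accepted_duplicates means on the server side, as an added example (not WSHawk code or output): a constructed in-process refund handler with a check-then-invalidate gap, beside one that checks and invalidates in a single critical section, both driven with the waves and parallelism values shown above. The names RefundStore and run_race and the 20 ms processing delay are assumptions made for this illustration.

```python
import threading
import time

class RefundStore:
    """Constructed stand-in for a one-time refund approval; not WSHawk code."""
    def __init__(self, atomic):
        self.atomic = atomic
        self.approved = False          # invalidation flag for the one-time action
        self.payouts = 0               # times the refund was actually paid out
        self._lock = threading.Lock()

    def approve_refund(self):
        if self.atomic:
            # Hardened: check and invalidate inside one critical section.
            with self._lock:
                if self.approved:
                    return False
                self.approved = True
        else:
            # Vulnerable: check, do work, invalidate afterwards.
            if self.approved:
                return False
            time.sleep(0.02)           # assumed processing time inside the window
            self.approved = True
        with self._lock:
            self.payouts += 1
        return True

def run_race(store, waves=3, parallelism=8):
    """Send `waves` bursts of `parallelism` simultaneous approvals to the store."""
    accepted = 0
    count_lock = threading.Lock()
    for _ in range(waves):
        start = threading.Barrier(parallelism)   # release one wave together
        def worker():
            nonlocal accepted
            start.wait()
            if store.approve_refund():
                with count_lock:
                    accepted += 1
        threads = [threading.Thread(target=worker) for _ in range(parallelism)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
    duplicates = max(accepted - 1, 0)            # only one approval is legitimate
    return {"accepted_duplicates": duplicates, "suspicious_race_window": duplicates > 0}

if __name__ == "__main__":
    print("check-then-invalidate:", run_race(RefundStore(atomic=False)))
    print("atomic invalidate:    ", run_race(RefundStore(atomic=True)))
```

In a real service the lock would be a database-level guarantee, such as a conditional update or a unique constraint on the approval record, since an in-process lock does not cover multiple workers.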

Validation Lab Regression Run

Validation

Use the shipped local labs to check that replay, diff, race, and evidence paths still behave as expected.

bash
./venv/bin/python validation/run_validation.py

# Output
# full_stack_realtime_saas: passed
# socketio_saas: passed
# graphql_subscriptions_lab: passed