Add WebSocket generator for real-time LLM security testing

[dyrtyData]

Summary

This PR adds a WebSocket generator to enable garak to test WebSocket-based LLM services for security vulnerabilities. Many modern chat-based LLM services use WebSocket connections for real-time bidirectional communication, and this generator extends garak's testing capabilities to cover these services.

Key Features:

• Full WebSocket protocol support using the professional websockets library
• Multiple authentication methods: Basic Auth, Bearer tokens, and custom headers
• Template-based messaging aligned with REST generator patterns (req_template, req_template_json_object)
• JSON response extraction with JSONPath support
• Typing indicator handling for chat-based LLMs
• Smart detection and graceful skipping of unsupported scenarios (system prompts, multi-turn conversations)
• Configurable timeouts, SSL verification, and connection management

Files Changed

• garak/generators/websocket.py - Main WebSocket generator implementation (~390 lines)
• docs/source/garak.generators.websocket.rst - Comprehensive RST documentation with examples
• docs/source/generators.rst - Added websocket generator to documentation index
• tests/generators/test_websocket.py - Complete test suite with 17+ tests
• pyproject.toml - Added websockets>=13.0 dependency
• requirements.txt - Added websockets>=13.0 dependency

Usage Example

# Basic usage with echo server
garak --model_type websocket.WebSocketGenerator \
      --generator_options '{"websocket": {"WebSocketGenerator": {"uri": "wss://echo.websocket.org"}}}' \
      --probes dan

# With authentication (password via environment variable)
export WEBSOCKET_API_KEY="your_secure_password"
garak --model_type websocket.WebSocketGenerator \
      --generator_options '{"websocket": {"WebSocketGenerator": {"uri": "ws://localhost:3000", "auth_type": "basic", "username": "user"}}}' \
      --probes encoding

Configuration Options

Parameter	Default	Description
uri	wss://echo.websocket.org	WebSocket URL (ws:// or wss://)
auth_type	none	Authentication: none, basic, bearer, custom
username	None	Basic auth username
api_key	None	Bearer token or basic auth password
req_template	$INPUT	String template with $INPUT, $KEY, $CONVERSATION_ID
req_template_json_object	None	JSON object template
response_json	false	Parse responses as JSON
response_json_field	text	JSON field to extract (supports JSONPath: $.data.message)
response_after_typing	true	Wait for typing indicators to complete
typing_indicator	typing	String to detect typing status
request_timeout	20	Seconds to wait for response
connection_timeout	10	Seconds to wait for connection
verify_ssl	true	SSL certificate verification

Verification

• All CI tests pass (Linux, macOS, Windows across Python 3.10, 3.12, 3.13)
• WebSocket-specific tests: 17 passed, 3 skipped
• Generator integration tests pass
• CLI functionality verified working
• DCO signed commits
• Documentation follows garak RST patterns
• Code follows garak generator patterns and conventions

Manual Testing

• Tested against echo.websocket.org public service
• Tested against custom WebSocket LLM service with authentication
• SSH tunnel compatible for secure remote testing

Review History

This PR went through extensive review with maintainers @jmartin-tech and @leondz over 50+ commits:

Key improvements from review feedback:

1. Migrated from custom socket code to professional websockets library
2. Aligned template configuration with REST generator patterns
3. Implemented JSON response extraction with JSONPath support
4. Added DEFAULT_CLASS for module-level plugin discovery
5. Fixed security: removed dangerous URI scheme fallback, sanitized logging
6. Moved environment variable access to _validate_env_var method
7. Standardized on api_key for all authentication (no password in configs)
8. Added smart detection for unsupported scenarios (system prompts, multi-turn)
9. Migrated to use _has_single_turn pattern from base Generator

Known Limitations

• Single-turn only: WebSocket generator gracefully skips multi-turn conversations (logs warning)
• No system prompts: System role messages are detected and skipped with warning
• Session paradigm: WebSocket session management differs from stateless HTTP; complex conversation flows may need future work as real-world WebSocket LLM services emerge

Security Considerations

• No sensitive data logged (prompt content sanitized)
• Credentials stored via environment variables only (WEBSOCKET_API_KEY)
• SSL verification enabled by default
• No dangerous URI scheme fallbacks (HTTP -> WebSocket conversion removed)

garak impacts

Resolves #435

[dyrtyData]

@leondz

Testing Instructions
The WebSocket generator has been tested and validated with a public WebSocket service. Reviewers can easily test the functionality using the following command:

python3 -m garak --model_type websocket.WebSocketGenerator \
  --generator_options '{"websocket": {"WebSocketGenerator": {"endpoint": "wss://echo.websocket.org", "response_after_typing": false}}}' \
  --probes dan --generations 1 --report_prefix websocket_test

Test Results
This command successfully:
✅ Connected to wss://echo.websocket.org (public WebSocket echo server)
✅ Processed 386 security test prompts across multiple DAN probe categories
✅ Generated comprehensive security assessment reports (JSONL + HTML)
✅ Completed without errors in under 45 seconds

Why wss://echo.websocket.org?
This public echo server is ideal for testing because it:
Requires no authentication or setup
Uses secure WebSocket (wss://) protocol
Provides predictable echo responses for validation
Is widely used by developers for WebSocket testing
Remains accessible and reliable

Expected Output
The test will create two report files:
~/.local/share/garak/garak_runs/websocket_test.report.jsonl - Detailed results
~/.local/share/garak/garak_runs/websocket_test.report.html - Summary report

Alternative Test Endpoints
If needed, other public WebSocket test servers can be used:
wss://libwebsockets.org/testserver/ (advanced features)
wss://www.websocket-test.com/ (web interface available)

This demonstrates the WebSocket generator's compatibility with real WebSocket services and its proper integration with garak's testing framework.

[jmartin-tech]

This looks interesting, I see a lot of custom socket communication code that may be better managed by supported libraries.

Also please look at the RestGenerator options, it would be nice to to align template configuration for headers and to support json extraction of the response text from the data received from the socket. We had some examples asks where the response is not just RAW text.

[dyrtyData]

Fixed in commit e220924 @jmartin-tech

• Migrated to websockets library
• Added REST-style templates and JSON extraction
• Created comprehensive RST documentation
• Removed testing code from core generator

[leondz]

@dyrtyData Can this PR be updated to the point where it passes tests?

[dyrtyData]

@leondz Fixed the dependency issue! Added websockets>=13.0 to both pyproject.toml and requirements.txt in commit 012e960.

This should resolve all the ModuleNotFoundError: No module named 'websockets' failures across Python 3.10/3.12/3.13 and all platforms (Ubuntu/macOS/Windows).

Ready for workflow approval when you have a moment. Thanks!

[jmartin-tech]

Sorry for the somewhat opinionated requests, this looks like a very useful implementation.

Many of the comments are for alignment with the existing codebase.

[dyrtyData]

Wasn't able to get this example running:

Instantiation of the plugin fails after the first request

 python -m garak --model_type websocket --model_name WebSocketGenerator   --generator_options '{"websocket": {"WebSocketGenerator": {"endpoint": "ws://echo.websocket.org"}}}'
garak LLM vulnerability scanner v0.13.1.pre1 ( https://github.com/NVIDIA/garak ) at 2025-10-29T08:42:07.455495
📜 logging to /home/lderczynski/.local/share/garak/garak.log
attribute name must be string, not 'type'

Recommend running the tests and running the examples provided, and getting all to pass

Fixed in 0bb5386. Changed line 79 from super().__init__(self.name, config_root) to super().__init__("WebSocket Generator", config_root) to prevent the TypeError.

The name is now properly initialized as a class-level immutable attribute that can still be overridden via config or CLI (per the discussion on name configurability).

Instantiation now works correctly:

python -m garak --model_type websocket --probes test.Test \
  --generator_options '{"websocket": {"WebSocketGenerator": {"uri": "wss://echo.websocket.org"}}}'

All tests passing. Ready for review.

[dyrtyData]

@jmartin-tech or @leondz
Could you please re-run the failed jobs? Both failures are network timeouts to HuggingFace, not code issues:

Linux (ubuntu-24.04-arm, 3.10):
FAILED tests/detectors/test_detectors.py::test_detector_detect[detectors.packagehallucination.JavaScriptNpm]
requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='huggingface.co', port=443): Read timed out

macOS (3.13):
FAILED tests/detectors/test_detectors.py::test_detector_detect[detectors.packagehallucination.PythonPypi]
requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='huggingface.co', port=443): Read timed out

Thanks!

[dyrtyData]

@leondz @jmartin-tech All feedback addressed - merge conflicts resolved, tests passing. Ready for re-review.

[jmartin-tech]

A couple minor revision asks for improved maintainability.

[dyrtyData]

Ah yes, of course 😅 Thanks @jmartin-tech for implementing the _has_single_turn migration! All tests are passing now. Was there anything else?

[leondz]

we've been focusing on our next release and are almost done - will take a look soon after it's out!

[jmartin-tech]

Thanks, this is a great add providing a starting point for more.

Sorry for the additional late requests, looks like the return value expectations are unclear. This generator does not support multiple responses from a single generation call and min() is definitely not the right value to use when 1 is a possible choice.

[leondz]

few updates, mostly streamlining / code style

[leondz]

prefer to use the extra_dependency_names class attribute to specify these (see #1199 ), so they don't have be imported before anything in the module can even be enumerated

[leondz]

why not use jsonpath directly for this? (there's an example in RESTGenerator)

[leondz]

please scope this down to something specific instead of root class Exception

[leondz]

two tiny changes and we're there, from my side. great job - thank you!