// reference investigation

sable-hr-platform-audit — after-hours HCM admin abuse

Sable Meridian audit SHR-2026-0521 on E-78441: after-hours HR Admin role grants and off-network HCM edits from 203.0.113.41 · headcount drift · onboarding background-check skip before provisioning. Fully synthetic.

what this proves

all eight hr platform audit primary engines produce deterministic, fixture-locked output — verified by npm run check:flagship (728/728 fleet · 8 for this scenario).
every output is generated 100% locally in your browser — export hcm audit logs, never upload tenant data.
unauthorized job title changes across workday, successfactors, and oracle hcm, headcount drift against payroll, dual-control bypass on svc-hcm-admin, and onboarding background-check task skips surface without sending evidence to a server.

primary engines locked to this fixture

build the case binder

runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for hr platform audit — no upload.

runs all 8 primary engines locally on the synthetic evidence zip · opens a self-contained html binder · no upload

download the synthetic evidence

MIT-licensed, fully synthetic. includes workday hcm audit csv, successfactors ec export, oracle hcm audit export, consolidated job change export, cross-hcm headcount export, multi-platform timeline export, onboarding task skip events, and case report manifest json.

download evidence zip →download goldens zip →run this kit in your browser →

built deterministically from scripts/fixtures/build-sable-hr-platform-audit.mjs. seed: sable-hr-platform-audit:v1.

methodology

hr platform audit is cross-system sequence, not a single export. anchor workday as system of record, then walk successfactors ec sync → oracle hcm dual-control → unauthorized job change detector → headcount correlator → multi-platform timeline → onboarding skip → case report. svc-hcm-admin from 198.51.100.66 changed E-55102 in all three systems without approval. read the full HR platform audit / HCM integrity guide →

after the playbook

run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across workday job change, successfactors ec sync, oracle hcm drift, headcount mismatch, and onboarding task skip — still zero upload.

methodology article HR platform audit playbook forensics home

what this proves

all eight hr platform audit primary engines produce deterministic, fixture-locked output — verified by npm run check:flagship (728/728 fleet · 8 for this scenario).

every output is generated 100% locally in your browser — export hcm audit logs, never upload tenant data.

unauthorized job title changes across workday, successfactors, and oracle hcm, headcount drift against payroll, dual-control bypass on svc-hcm-admin, and onboarding background-check task skips surface without sending evidence to a server.

build the case binder

runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for hr platform audit — no upload.

runs all 8 primary engines locally on the synthetic evidence zip · opens a self-contained html binder · no upload

download the synthetic evidence

built deterministically from scripts/fixtures/build-sable-hr-platform-audit.mjs. seed: sable-hr-platform-audit:v1.

methodology

hr platform audit is cross-system sequence, not a single export. anchor workday as system of record, then walk successfactors ec sync → oracle hcm dual-control → unauthorized job change detector → headcount correlator → multi-platform timeline → onboarding skip → case report. svc-hcm-admin from 198.51.100.66 changed E-55102 in all three systems without approval. read the full HR platform audit / HCM integrity guide →

after the playbook