Changelog

Hugin is pre-release. No public version has shipped yet.

An early v0.1.0 candidate was prepared but never published — the candidate was withdrawn after surfacing too many issues during pre-release testing. A re-cut of the first stable release is in progress on the dev branch.

The roster below summarises what’s in dev today. It will become the changelog for the first published release once it ships.

🔗Pending First Release

🔗Proxy & Capture

  • MITM proxy: HTTP/1.1, HTTP/2, WebSocket
  • Chrome TLS fingerprint via BoringSSL
  • Per-host certificate cache and per-host client certs (mTLS)
  • Multi-interface listeners (mobile / remote)
  • Upstream proxy chaining (HTTP / HTTPS / SOCKS4 / SOCKS5) with per-host rules
  • Hosted files served through the proxy port (/hosted/*)
  • DNS management — custom upstream resolvers (hickory-dns), per-domain routing, DNS rewrite rules
  • TLS security state captured per flow via CDP, surfaced in the detail pane

🔗Core Tools

  • Repeater, Intruder, Sequencer, Decoder, Comparer, Match & Replace
  • Findings repository with 9-state workflow (open → triaged → confirmed → reported → resolved, plus duplicate / wontfix / false_positive)
  • Intercept Rules and Session Rules
  • WebSocket inspection and frame intercept

🔗Scanning

  • Built-in scanner: 41 active checks + 36 passive checks
  • Synaps WASM scanner (loaded as a dynamic plugin)
  • vurl-offensive plugin (~46 specialised hunting tools, loaded as a dynamic plugin)
  • Authz, CORS, and Upload focused scanners
  • AI-assisted scan optimizer (rule-based scoring + feedback learning)

🔗Intelligence

  • Nerve passive intelligence: 21 categories, 700+ signal patterns
  • Cross-flow intelligence engine (params, routes, reflections, endpoints, rollups, gold)
  • Flow analysis (postMessage handlers, DOM sinks)
  • Technology fingerprinting (10 categories)

🔗Browser Stack

  • Chrome (CDP), Mullvad (Marionette), Servo (IPC child process), Hugin native engine (in-process)
  • Anti-detect script for Chrome (navigator.webdriver, plugins, chrome.app/csi, WebGL, permissions)
  • Mullvad Browser quick-launch with isolated profile + CA import via certutil
  • Browser-routed fetch() for real TLS fingerprint in Repeater / Intruder

🔗AI & Orchestration

  • Three providers (OpenAICompatible / Anthropic / Google)
  • 53-tool orchestration bridge with autonomous agent loops
  • Auto Mode (4-phase: recon / passive / active / deep)
  • 5-tier response cache with on-disk persistence

🔗Automation

  • Workflows (event-driven graph engine, boa_engine JS runtime)
  • Campaigns (persistent multi-mode Intruder attacks: sniper / battering_ram / pitchfork / cluster_bomb)
  • Scheduler (cron / interval scan jobs)
  • Macros (record / replay / auto-extract for session maintenance)

🔗Recon

  • Asset inventory with SubFlow / XMass / vmap ingestion + JARM and favicon clustering
  • Discover (content discovery scanner)
  • Param Discover (batch + verify hidden parameter fuzzer)
  • FFuzzer (FUZZ-keyword fuzzer; HTTP and Mullvad-Browser modes)

🔗Operations

  • Database backup (auto-interval + manual via UI/API, atomic via SQLite VACUUM INTO)
  • Self-update mechanism with Ed25519 signature verification
  • 14-day Pro trial via the licensing server with device-fingerprint binding (max 3 devices per account)
  • Telemetry (opt-in, off by default)

🔗Integration

  • 87 built-in MCP tools + dynamic plugin loading
  • REST + GraphQL APIs
  • Lua extensions (Pro)
  • Real-time hunter collaboration (HTTPS polling through license-server relay, ChaCha20-Poly1305 e2e)
  • HackerOne and YesWeHack platform integrations
  • Mobile testing (APK/IPA static analysis + Frida via objection)

🔗Desktop UI

  • Dioxus desktop app with 50+ views
  • Visual workflow builder
  • UI command socket for scriptable automation
  • Project bundle export/import (.huginproject)

🔗How to Track Real Progress

Until the first release ships, the most accurate “what’s done” view is:

  • git log on dev branch
  • cargo build --release --bin hugin --features dev-bypass for a local build
  • The Discord / IRC / mailing list (when available)

Public releases will be tagged on GitHub at xmaryo/hugin (private source) and HuginSecurity/Hugin (public artifacts) and verified per the Release Signing flow. Until then, treat any “release” claim as informational, not promised.