CLI Reference

Hugin ships as a single binary. Run without arguments to launch the desktop GUI. Run with a subcommand for CLI mode.

hugin              # Launch GUI
hugin <command>    # CLI mode

Global flags (work with any subcommand):

-v, --verbose – Enable verbose (debug-level) tracing
--headless – Force headless mode (no GUI even when run from a desktop session)

🔗Commands

🔗`hugin start`

Start the proxy daemon.

hugin start [OPTIONS]

Options:

-p, --port <PORT> – Proxy listen port (default: 8080)
--api-port <PORT> – API server port (default: 8081)
--bind <ADDRESS> – Bind address (default: 127.0.0.1)
--mcp – Also start the MCP server connected to the API

Example:

hugin start --port 8080 --api-port 8081 --mcp

🔗`hugin status`

Show proxy status including whether it is running, the listen address, and basic statistics.

hugin status

🔗`hugin ca`

Manage the proxy CA certificate. Subcommands: export, trust, untrust.

🔗`hugin ca export`

hugin ca export [OPTIONS]

Options:

-o, --output <PATH> – Output path for the certificate file
--print – Print certificate to stdout (PEM format)

Example:

hugin ca export -o ~/Hugin-CA.pem
hugin ca export --print | sudo tee /usr/local/share/ca-certificates/hugin.crt

🔗`hugin ca trust`

Install the Hugin CA into the system trust store (macOS Keychain, Linux ca-certificates, or Windows Root). Requires sudo.

hugin ca trust

🔗`hugin ca untrust`

Remove the Hugin CA from the system trust store. Requires sudo.

hugin ca untrust

🔗`hugin flows`

List captured HTTP flows.

hugin flows [OPTIONS]

Options:

-m, --method <METHOD> – Filter by HTTP method (GET, POST, etc.)
--host <HOST> – Filter by hostname
--flagged – Show only flagged flows
-l, --limit <N> – Maximum results (default: 20)
-f, --format <FORMAT> – Output format: table or json (default: table)

Example:

hugin flows --host example.com --method POST --format json
hugin flows --flagged --limit 50

🔗`hugin flow`

Show details of a specific flow by ID.

hugin flow <ID>

Example:

hugin flow a3f2e1d0-1234-5678-9abc-def012345678

🔗`hugin mcp`

Start the embedded MCP server on stdio for integration with Claude Code and Claude Desktop. The MCP server starts its own proxy and API internally.

hugin mcp

This is the command specified in MCP client configurations:

{
  "mcpServers": {
    "hugin": {
      "command": "hugin",
      "args": ["mcp"]
    }
  }
}

🔗`hugin init`

Generate a default configuration file at ~/.hugin/config.toml.

hugin init

🔗`hugin setup`

First-run setup wizard. Configures CA certificate installation, browser proxy settings, and basic options.

hugin setup [OPTIONS]

Options:

--headless – Non-interactive mode for CI/headless environments

🔗`hugin serve`

Start a headless server for team collaboration. Binds to 0.0.0.0 by default for remote access. No GUI is launched.

hugin serve [OPTIONS]

Options:

-p, --port <PORT> – Proxy listen port (default: 8080)
--api-port <PORT> – API server port (default: 8081)
--bind <ADDRESS> – Bind address (default: 0.0.0.0)
--no-auth – Disable token authentication (DANGEROUS – only use on trusted networks)

Example:

# Start headless server for team
hugin serve --port 8080 --api-port 8081

# On a trusted local network only
hugin serve --no-auth

🔗`hugin update`

Check for updates or update Hugin in-place.

hugin update [OPTIONS]

Options:

--check – Only check for updates, do not install

🔗`hugin verify`

Verify the Ed25519 signature of a downloaded Hugin release file.

hugin verify <FILE> [OPTIONS]

Options:

-s, --sig <PATH> – Path to the .sig file (defaults to <file>.sig)

Example:

hugin verify hugin-linux-amd64.tar.gz
hugin verify hugin-linux-amd64.tar.gz --sig custom-path.sig

🔗`hugin account`

Manage your Hugin Pro license account.

🔗`hugin account set`

Activate Pro license with your account ID.

hugin account set <ID>

The account ID format is HGN-XXXXXXXX-XXXXXXXX-XXXXXXXX (from your purchase confirmation).

🔗`hugin account show`

Show current account and license status.

hugin account show

🔗`hugin account clear`

Deactivate and remove the stored account ID.

hugin account clear

🔗`hugin bac` (Pro)

Query the Broken Access Control pipeline — findings, passive signals, ID corpus — and export reports. Pro feature: Community tier gets an upsell error. Trial, Pro, and Dev-bypass have full access.

The CLI surface is read-only / export-only — it opens HuginStore directly, no proxy or AppState needed. For the audit side, use the MCP tool or POST /api/bac/audit.

🔗`hugin bac findings`

List scored BAC findings.

hugin bac findings [--kind KIND] [--severity SEVERITY] [--limit N] [--format table|json]

Severities: info | low | medium | high | critical (minimum threshold)

hugin bac findings --severity high --format json
hugin bac findings --kind cross_tenant_access --limit 50

🔗`hugin bac signals`

List passive BAC observations.

hugin bac signals [--kind KIND] [--limit N] [--format table|json]

🔗`hugin bac corpus`

List classified ID corpus entries.

hugin bac corpus [--kind KIND] [--limit N] [--format table|json]

🔗`hugin bac purge`

Purge BAC findings, optionally scoped to a project.

hugin bac purge [--project-id ID]

🔗`hugin bac export`

Render findings in the chosen format. Same renderer the MCP bac_audit export action uses.

hugin bac export [--format markdown|sarif|html|csv|summary|json] [--project-id ID]

hugin bac export --format sarif > findings.sarif
hugin bac export --format markdown --project-id my-project

See the BAC pipeline doc for the full surface.

🔗`hugin scanner`

Manage Synaps WASM scanner modules.

🔗`hugin scanner update`

Sync modules from the community catalog.

hugin scanner update [OPTIONS]

Options:

--catalog-url <URL> – Custom catalog URL (defaults to synaps-community GitHub)
--base-url <URL> – Base URL for downloading WASM binaries
--dry-run – Only check for updates, do not download

🔗`hugin scanner install`

Install a specific module by ID.

hugin scanner install <ID> [OPTIONS]

Options:

--catalog-url <URL> – Custom catalog URL
--base-url <URL> – Base URL for WASM binaries

🔗`hugin scanner remove`

Remove an installed module.

hugin scanner remove <ID>

🔗`hugin scanner list`

List installed modules.

hugin scanner list

🔗`hugin config`

Manage proxy configuration.

🔗`hugin config telemetry`

Enable, disable, or check telemetry status.

hugin config telemetry [ACTION]

Action is on to enable, off to disable, or omit to show current status.

🔗`hugin config show`

Show current configuration summary.

hugin config show

🔗`hugin plugin`

Manage Lua plugins.

🔗`hugin plugin install`

Install a plugin from a Git repository URL.

hugin plugin install <URL>

Example:

hugin plugin install https://github.com/user/hugin-plugin-name

🔗`hugin plugin remove`

Remove an installed plugin by directory name.

hugin plugin remove <NAME>

🔗`hugin plugin list`

List installed plugins.

hugin plugin list

🔗`hugin token`

Manage access tokens for team collaboration.

🔗`hugin token create`

Create a new access token.

hugin token create [OPTIONS]

Options:

-l, --label <LABEL> – Optional label for the token (e.g., team member name)

🔗`hugin token list`

List all access tokens.

hugin token list

🔗`hugin token revoke`

Revoke an access token.

hugin token revoke <TOKEN>

The full hgn_* token string is required.

🔗`hugin doctor`

Run system health and security diagnostics. Verifies CA installation, browser proxy reachability, certificate trust state, port availability, and required OS dependencies (certutil, etc.). Useful first step when interception isn’t working.

hugin doctor

🔗`hugin browse`

Open a URL in Hugin’s Chrome-fingerprinted visual browser (Blitz renderer). Useful for quick PoC capture or analyzing a single page through the proxy without launching the GUI.

hugin browse <URL> [OPTIONS]

Options:

--width <PX> – Window width (default: 1280)
--height <PX> – Window height (default: 800)

🔗`hugin oastify-setup`

Generate a deployment guide for a self-hosted Oastify OOB callback server (DNS / HTTP / SMTP / LDAP / FTP / SMB listeners on a VPS).

hugin oastify-setup --domain <DOMAIN> --ip <IP>

Both flags required.

🔗`hugin plugin mcp`

Manage dynamic MCP tool plugins (.dylib / .so / .dll) loaded at MCP server startup. Subcommands:

hugin plugin mcp list – List loaded MCP plugins and their tools
hugin plugin mcp install <PATH> – Copy a plugin into the plugin directory
hugin plugin mcp remove <NAME> – Remove a plugin by name or filename
hugin plugin mcp dir – Show plugin directory and contents

🔗Commands

🔗hugin start

🔗hugin status

🔗hugin ca

🔗hugin ca export

🔗hugin ca trust

🔗hugin ca untrust

🔗hugin flows

🔗hugin flow

🔗hugin mcp

🔗hugin init

🔗hugin setup

🔗hugin serve

🔗hugin update

🔗hugin verify

🔗hugin account

🔗hugin account set

🔗hugin account show

🔗hugin account clear

🔗hugin bac (Pro)

🔗hugin bac findings

🔗hugin bac signals

🔗hugin bac corpus

🔗hugin bac purge

🔗hugin bac export

🔗hugin scanner

🔗hugin scanner update

🔗hugin scanner install

🔗hugin scanner remove

🔗hugin scanner list

🔗hugin config

🔗hugin config telemetry

🔗hugin config show

🔗hugin plugin

🔗hugin plugin install

🔗hugin plugin remove

🔗hugin plugin list

🔗hugin token

🔗hugin token create

🔗hugin token list

🔗hugin token revoke

🔗hugin doctor

🔗hugin browse

🔗hugin oastify-setup

🔗hugin plugin mcp

🔗`hugin start`

🔗`hugin status`

🔗`hugin ca`

🔗`hugin ca export`

🔗`hugin ca trust`

🔗`hugin ca untrust`

🔗`hugin flows`

🔗`hugin flow`

🔗`hugin mcp`

🔗`hugin init`

🔗`hugin setup`

🔗`hugin serve`

🔗`hugin update`

🔗`hugin verify`

🔗`hugin account`

🔗`hugin account set`

🔗`hugin account show`

🔗`hugin account clear`

🔗`hugin bac` (Pro)

🔗`hugin bac findings`

🔗`hugin bac signals`

🔗`hugin bac corpus`

🔗`hugin bac purge`

🔗`hugin bac export`

🔗`hugin scanner`

🔗`hugin scanner update`

🔗`hugin scanner install`

🔗`hugin scanner remove`

🔗`hugin scanner list`

🔗`hugin config`

🔗`hugin config telemetry`

🔗`hugin config show`

🔗`hugin plugin`

🔗`hugin plugin install`

🔗`hugin plugin remove`

🔗`hugin plugin list`

🔗`hugin token`

🔗`hugin token create`

🔗`hugin token list`

🔗`hugin token revoke`

🔗`hugin doctor`

🔗`hugin browse`

🔗`hugin oastify-setup`

🔗`hugin plugin mcp`