Hugin v0.1.1 — Platform fixes and scanner FP cleanup
v0.1.1 is a platform and polish release. YesWeHack and Synaps feature work,
proxy latency fixes, and 50+ scanner false-positive and bug fixes from live
engagements. The engine features (session re-auth, checkpointing, CSRF
freshness, payload relocation, consolidation) land in v0.1.2.
Scanner bug fixes from live engagements
Three targets since v0.1.0 surfaced real false-positive classes. 25 passive
scanner fixes, 15 active fixes, 11 BAC fixes (PII redaction, WAF
false-positive gates, coverage gaps), 8 passive FP patches from the
white.market engagement, 4 FP patches (Next.js RSC, minified postMessage,
framework dSIH, JS-bundle CC), 6 patches (prototype-pollution extends
Array, nerve enum FPs, BAC no-op, body_offset, screenshot timeout). Fewer
junk findings to triage.
Proxy
pool_idle_timeout 10s + connect_timeout 10s — kills the 60-120s
keep-alive latency inflation. Three startup deadlock fixes. Null-status on
body collection failure. LazyLock poison fallback (never-match replaces
unreachable!()). Per-flow preflight parallelized (baselines + calibration
run concurrently). REST scanner_start handler parallelized (was the last
sequential bottleneck).
Platform features
- YesWeHack: modal login with credential persistence
- Synaps: import
.yamltemplates and.wasmmodules from the UI - Browser:
no_proxyparameter now works withbrowseandnavigateactions (was onlylaunch) - Bug-bounty skills published to docs and as MCP resources (
hugin://skill) - Crawler: 15s navigation timeout cap (was 60s), aborts after 5 consecutive WAF/challenge responses
Full changelog: v0.1.0...v0.1.1