Changelog

What shipped.

Every Huudis release — what’s new, what moved, what the CLI learned. Subscribe to the GitHub releases feed for the RSS.

Apr 19, 2026
v0.7.0

Webhooks — outbound HMAC-signed event delivery

  • New /dashboard/webhooks page — create, pause, rotate-secret, or delete subscriptions. Deliveries tab shows recent attempts per subscription with Replay for failed rows.
  • New /account/webhook-subscriptions REST surface: create/list/show/update/delete/rotate-secret + /:id/deliveries, /deliveries/:id/replay, /events/catalog.
  • Outbox worker fan-out: every OutboxEvent scans active subscriptions, POSTs the JSON envelope with X-Huudis-Signature: t=…,v1=sha256(secret, `${t}.${body}`). Failed deliveries retry on 1m → 5m → 25m → 2h → 12h; 6th failure marks dead (manual replay only).
  • SDK helpers across Node, Python, Go: verifyWebhookSignature / verify_webhook_signature / VerifyWebhookSignature — defaults to a 5-minute replay tolerance, constant-time HMAC compare, tunable clock for tests. Bumps: @forjio/huudis-node 0.2.0, huudis 0.2.0 (PyPI), github.com/hachimi-cat/huudis-go v0.2.0.
  • CLI 0.4.0: huudis webhooks list | create | show | update | delete | rotate-secret | deliveries | replay | catalog.
  • Event catalog seeded with huudis.user.created.v1, huudis.user.disabled.v1, huudis.session.created.v1, huudis.oidc.consent_granted.v1, and the account/IAM lifecycle events. Subscribe to one, many, or the whole thing — no wildcards (keeps the delivery log filterable).
Apr 19, 2026
v0.6.0

Official SDKs — Node, Python, Go

  • New @forjio/huudis-node package on npm — verifyAccessToken reads HUUDIS_ISSUER/HUUDIS_AUDIENCE from env, plus a HuudisClient with the full OIDC code flow, refresh, userinfo, and authz check.
  • New huudis package on PyPI — same surface, works with FastAPI / Flask / Django. Uses PyJWT + httpx under the hood.
  • New Go module github.com/hachimi-cat/huudis-go — JWKS fetch + cache, ES256/RS256 verification, Client for every endpoint. Pass r.Header.Get("Authorization") straight in.
  • Hero sample on huudis.com now references real packages — no more imaginary imports.
  • Docs quickstart Step 2 lists all three install lines side-by-side.
Apr 19, 2026
v0.5.0

End users + impersonation

  • New /dashboard/end-users page — every user who signed into one of this workspace's OIDC apps, scoped strictly to the workspace's own clients.
  • Per-user actions: revoke access, send password reset, force-verify email, impersonate for support (short-lived session with persistent banner + audit trail).
  • Global soft-ban: /ops/end-users/:id/disable revokes every live session + refresh token. Scoped to the Forjio-internal Huudis ops workspace only.
  • user.disabled flag gates /auth/login — generic INVALID_CREDENTIALS error, no enumeration leak.
  • Session table carries impersonatedById + impersonatedAt; dashboard renders an orange 'Acting as X — end impersonation' banner across every page.
  • issueSession() upserts an OidcConsent(user, huudis-dashboard) on every non-impersonation login — the End users query works uniformly across every workspace without a Huudis special case.
  • Sidebar rename: 'Users' → 'Members' (workspace admins) with a new 'End users' entry below it.
  • CLI 0.3.0: 7 new command groups — huudis workspaces, members (+ invites), end-users, oidc-clients, identity-providers, assumed-sessions, connected-apps. iam group grows create/delete for groups/roles/service-accounts/policies plus attach-policy / detach-policy / list-attachments. Every dashboard action now has a CLI mirror.
Apr 19, 2026
v0.4.0

Service opt-in + Forjio products as real accounts

  • Account.enabledServices list — dashboard filters system policies + first-party OIDC clients by what this account has opted into. Huudis is always baseline.
  • New endpoints: GET /account/services, POST /account/services/enable, POST /account/services/disable — the programmatic hook Storlaunch/Plugipay/etc. call when a seller enables a module.
  • POST /auth/signup now takes an optional clientId; if it matches a first-party OIDC client, the new account is auto-opted into that client's service. Registering via storlaunch → ['huudis','storlaunch'].
  • Existing-email signup with clientId + correct password now logs in + opts into the service instead of returning EMAIL_TAKEN — ends the Forjio cross-product sign-up dead end.
  • Forjio services (Huudis, Plugipay, Storlaunch, Fulkruma, Ripllo, Malapos, Suppuo) are now real Huudis accounts, owned by the Forjio team — each with its OIDC client parented correctly. Canned policies stay system-scope (immutable) to keep tenant attachments safe.
  • Account.isForjioInternal flag surfaces a 'forjio' badge in the workspace switcher, workspaces page, and /account/workspaces API response. Ready for billing to skip invoicing later.
  • Middleware fallback: sessions without an explicit activeAccountId resolve to the user's earliest-joined workspace — fixes fresh-login 400s on identity-providers + assumed-sessions.
Apr 18, 2026
v0.3.0

Dashboard buildout

  • Workspaces: switcher in the sidebar, rename, create, switch; session.activeAccountId now carried end-to-end.
  • Members: direct add (auto-generated temp password or bring-your-own) and invite-link flow with 7-day tokens. Change role, remove, admin-triggered password reset.
  • Every IAM row (users, groups, roles, service accounts, policies) grew a 'Details' drawer — type-specific info + attach/detach policies via a searchable combobox (new <SearchableSelect>).
  • Role Details now has a live 'Assume role' block — returns real short-lived STS-style credentials; secret + session token are blur-filtered until hover.
  • Policy Details shows the JSON document + an Edit mode for custom policies; system-scope stays immutable (PATCH/DELETE explicitly reject).
  • New /dashboard/authz/playground — simulate an authorization decision for any principal + action + resource, see Allow/Deny with matched statement SID.
  • New /dashboard/oidc/clients — customers register their apps, rotate secrets, manage redirect URIs + scopes. System clients shown read-only.
  • New /dashboard/account/connected-apps — user's personal 'Third-party apps with access to my account' list, revoke per-app consent.
  • New /dashboard/iam/identity-providers — SAML / external OIDC federation configs.
  • New /dashboard/iam/assumed-sessions — every STS session active in this account; revoke individually.
  • Search + sort + pagination on every list page via a shared useListControls hook. Users table now shows a Groups column.
  • Group membership is now editable inline on the Users Details panel (add/remove with a searchable combobox).
  • Nav hierarchy cleanup: Identity gets Workspaces at the top; Developer gets Policy playground + OIDC clients; Account gets Connected apps.
  • Custom favicon, heading alignment fix, Safari date-grid overflow fix.
Apr 25, 2026
v0.2.0

Social sign-in + dashboard polish

  • Continue with Google — OAuth 2 + OIDC ID-token verification via Google JWKS.
  • Continue with Apple — Sign in with Apple including private-email relay support.
  • Link / unlink providers from /dashboard/account/linked-accounts.
  • New dashboard: /dashboard/account, /dashboard/sessions, /dashboard/audit.
  • Branded HTML email templates — verify, reset, MFA backup codes, new-device alert, welcome, social link added/removed.
  • CLI 0.2.0: huudis account whoami / sessions list / sessions revoke, huudis audit list.
Apr 18, 2026
v0.1.0

M2 — IAM core

  • AWS-IAM-style policies with JSON documents + Action / Resource / Condition / NotAction / NotResource / Effect.
  • 28 canned system policies (Admin / Developer / ReadOnly / Billing × 7 services).
  • Groups, roles, service accounts, access keys (AKIA long-term and ASIA session keys).
  • POST /authz/check authoritative authorization endpoint + POST /authz/assume-role STS analog.
  • HMAC middleware with ±5 min clock skew + constant-time comparison.
  • /dashboard/iam UI and huudis iam CLI commands.
Apr 18, 2026
v0.0.1

M1 — Foundation

  • Email + password signup / login / verification / reset.
  • TOTP MFA with backup codes + step-up auth.
  • Full OIDC identity provider — discovery / JWKS / authorize / token / userinfo / end_session / RFC 8628 device flow.
  • huudis CLI — device-flow login, whoami, logout.
  • CI/CD with lint → test → build → deploy-staging → E2E → deploy-prod → publish-cli.