HyveGuard

Huginn whispers — real-time feedback

Attack blind, learn nothing. Tag your traffic, and Huginn will tell you which sensors you tripped, what tier you've reached, and where the wall above you sits.

Pull-only, rate-limited, 30-second emit delay, 5-minute timestamp buckets. The feed must not become a side channel — if you want clean signal, slow probes are better than fast ones.

How it works

  1. Register a handle on the main page (proof-of-work, ~1 second).
  2. Claim a probe tag. POST to /hyveguard/feedback/claim with your handle and a fresh PoW nonce. You get back a 16-hex-char tag like hgft-a3f29c7e1b4d8201. Valid for 24 hours.
  3. Embed the tag in your traffic. Anywhere it leaks into request detail strings — User-Agent, TLS SNI, DNS QNAME, payload bytes. The cluster's audit log will pick it up.
  4. Pull your feed. GET /hyveguard/feedback/feed?handle=...&tag=... — events get attributed to you with educational narration.

No IP→handle map is ever stored. Your tag is the only attribution mechanism. You can rotate, burn, or claim a fresh one whenever.

Endpoints

Endpoint | Auth | Purpose
POST /hyveguard/feedback/claim | PoW (18 bits) | Bind a probe tag to your handle, 24h TTL
GET /hyveguard/feedback/feed | handle + tag | Your attributed events with narration
GET /hyveguard/feedback/hint | handle + tag | Tier ceiling estimate + suggested next layer
GET /hyveguard/feedback/global | none | Anonymized cluster feed (5-min buckets)
GET /hyveguard/feedback/threat | none | Cluster threat assessment from the SNN

Tag handling

The probe tag is a bearer credential. If it leaks (shared Wi-Fi, ISP-level capture, third-party HTTP log, a screenshot in your write-up), anyone who has it can include it in their own probes and pollute your feed.

What an attacker with your tag cannot do:

What they can do: muddy your /feedback/feed and /feedback/hint. If you suspect leakage, claim a fresh one — same handle gets a new tag and the old one stops binding within 24h.

Proof-of-work spec

nonce such that
  SHA-256("hyveguard-feedback-v1" || 0x00 || lower(handle) || 0x00 || nonce)
has at least 18 leading zero bits.

~250k hashes on average, ~0.3 seconds on a laptop. Cheaper than the identify gate (20 bits) because claims are repeatable — burn a tag any time, claim a fresh one for a fresh nonce.
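An added example, not HyveGuard's own code: a verifier and brute-force solver for the spec above, showing how the leading-zero-bit check and the 0x00 field separators fit together. The page does not say how the handle or nonce are encoded; UTF-8 text and a decimal-counter nonce are assumptions here, and the NUL rejection is an added check.

```python
import hashlib
from itertools import count

PREFIX = b"hyveguard-feedback-v1"   # domain-separation string from the spec
CLAIM_BITS = 18                     # difficulty of the /feedback/claim gate


def leading_zero_bits(digest: bytes) -> int:
    """Count zero bits before the first 1 bit, most significant bit first."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        return bits + (8 - byte.bit_length())
    return bits


def pow_digest(handle: str, nonce: str) -> bytes:
    # Assumption: both fields are hashed as UTF-8 text.
    h, n = handle.lower().encode(), nonce.encode()
    # 0x00 is the field separator. A NUL inside the handle would let two
    # different (handle, nonce) pairs hash the same bytes, so it is refused
    # in both fields (added check, not stated on the page).
    if b"\x00" in h or b"\x00" in n:
        raise ValueError("NUL byte not allowed in handle or nonce")
    return hashlib.sha256(PREFIX + b"\x00" + h + b"\x00" + n).digest()


def verify(handle: str, nonce: str, bits: int = CLAIM_BITS) -> bool:
    """Server-side check: one hash, regardless of how long solving took."""
    return leading_zero_bits(pow_digest(handle, nonce)) >= bits


def solve(handle: str, bits: int = CLAIM_BITS) -> str:
    # Assumption: the nonce is a decimal counter. Expected work: 2**bits hashes.
    for i in count():
        nonce = str(i)
        if verify(handle, nonce, bits):
            return nonce


if __name__ == "__main__":
    nonce = solve("Example-Handle")   # constructed handle
    print(nonce, pow_digest("Example-Handle", nonce).hex())
```

Because the handle is lowercased before hashing, a nonce solved for one casing of a handle verifies for every casing of it.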

Live: anonymized cluster feed

No handles, no detail bytes — just what the cluster has been catching, 5-minute buckets, last 24 hours.


Cluster threat — what the brain thinks


Per-handle feed

Paste your handle and probe tag below. Stored in this browser tab only — never sent anywhere except the cluster's feed endpoints.

What we don't tell you

If you want any of those, find them yourself. That's the trial.

The narration table

What each sensor says when it catches you. Fixed and public — presence here ≠ presence in the cluster.

Sensor | Tier floor | What we tell you
reality_probes | 0 | REALITY auth failed at the perimeter. The challenge gate is the first thing you hit — not the first thing to break.
replay_attempts | 0 | You replayed a valid nonce. We dedupe cluster-wide. Don't capture-and-replay.
honey_hit (passive) | 0 | You hit a decoy port. Empty connect = scanner. Cheap signal.
honey_hit (interactive) | 1 | You spoke protocol to a decoy. Real services don't run on those ports. Quarantine trigger primed.
canary_touched | 1 | A tripwire was touched. There are exactly N of them, all bait.
dns_canary_tripped | 1 | A canary DNS record was queried. We don't publish those names.
consensus_probes | 2 | You hit a consensus endpoint past its budget. Backing off resets it.
quarantines | 2 | A node quarantined. Your activity reached the response layer.
tamper_detected | 3 | Cross-peer state check disagreed. Whatever you swapped didn't propagate.
checkpoint_forgery | 4 | A signed artefact failed verification. The threshold gate held.