HailBytes ASM June 2026 Stability Update: PDF Downloads, Workflow Dispatch, Tool Arsenal & Form Fix
June 10, 2026
The June 5 ASM release added MSSP portfolio metrics, full pt-BR localization, SCIM 2.0 fixes, and supply-chain hardening. In the days that followed, continuous automated testing surfaced five user-facing bugs that were resolved in a patch wave merged June 8–9. None of these require a configuration change; all are included in marketplace images published from June 9 onward. This post describes what broke and what changed.
What’s Fixed (June 8–9, 2026)
- PDF report download — reports now trigger a file download instead of rendering inline; the ?format=html preview path is unchanged
- Superuser control visibility — superusers now see all permission-gated UI controls (delete buttons, admin menus) without requiring an explicit SysAdmin role assignment
- Background workflow dispatch — scans, drift checks, and cloud-discovery jobs now run asynchronously via Hatchet as intended; they were silently falling back to in-process execution
- Tool Arsenal seeded on fresh installs — new deployments now automatically load the 16-tool catalog (nuclei, subfinder, httpx, ffuf, and others) that previously required manual fixture loading
- Add Target form submission — the double-click guard was stripping the submitter button from POST data, causing the form to silently add zero targets; also fixes CSV/IP bulk-import paths that branch on the same field
PDF Report Downloads
HailBytes ASM generates PDF compliance and scan reports via WeasyPrint. After the June 5 release, clicking the download button caused the PDF to open inline in the browser rather than triggering a file download. The underlying cause was a missing Content-Disposition: attachment header in the _render_report_response view function — without it, browsers apply their default inline rendering policy for application/pdf responses.
The fix sets Content-Disposition: attachment; filename="<project>_<scan>.pdf" on all PDF report responses. The ?format=html preview path (which renders the report as styled HTML for layout review before generating the PDF) is not affected and continues to serve inline.
Superuser Control Visibility
HailBytes ASM uses django-role-permissions to gate UI controls (delete buttons, configuration menus, and administrative actions) behind named permissions. Django superusers bypass model-level permissions natively, but not the can-style role permission checks that govern individual UI controls. The result was that a Django superuser account — typically the operator’s administrative credential — would log in and find UI elements like the scheduled-scan delete button missing.
The fix enables ROLEPERMISSIONS_SUPERUSER_SUPERPOWERS, which grants Django superusers all role-permission checks without requiring explicit role assignment. Non-superuser role boundaries (for regular users, auditors, and tenant admins) are unaffected.
Background Workflow Dispatch
HailBytes ASM uses Hatchet as its workflow orchestration layer for long-running jobs: scan execution, subdomain drift detection, cloud-connector asset discovery, vulnerability snapshot generation, and exploitDB refreshes. Following an upgrade to hatchet-sdk v1, the seven dispatch call sites were still using the v0 hatchet.admin.run_workflow() pattern, which was removed in the new major version.
When the v0 API raised an AttributeError, the system silently fell back to running the workflow body in-process (synchronously, within the web request). For most operations this meant the user saw a response, but the work ran in the web worker thread instead of being dispatched to the dedicated background worker — blocking the web process, bypassing the Hatchet retry and observability layer, and preventing the jobs from appearing in the Hatchet UI.
The fix migrates all seven call sites to the supported v1 hatchet_client.runs.create() API. Scans, drift checks, cloud discovery, snapshots, and exploitDB refreshes now run asynchronously as intended.
Impact on running scans
If scans appeared to complete quickly without producing results, or if Hatchet showed no active workflow runs while a scan was in progress, this fix is the likely cause. After the update, scans will appear in the Hatchet dashboard and run with full retry and timeout handling. No previously collected scan data is affected.
Tool Arsenal Seeded on Fresh Installs
HailBytes ASM ships a catalog of 16 security tools available for selection in the scan engine configuration — nuclei, subfinder, httpx, ffuf, amass, naabu, katana, and others. The catalog was defined in a fixture file (web/fixtures/external_tools.yaml) that had been present in the codebase since the initial fork, but no mechanism existed to load it on a fresh deployment: no management command invoked it, no migration loaded it, and the example-scan seed command did not touch it.
On any deployment that had not manually run loaddata external_tools.yaml, the Tool Arsenal page in the scan engine configuration rendered an empty list, with no indication that the catalog should contain anything. A data migration (scanEngine.0031) now loads the catalog when the table is empty, so new deployments and fresh database resets automatically have the full tool set available.
Add Target Form Submission
HailBytes ASM includes a double-click guard on form submit buttons to prevent duplicate requests — a standard UX pattern. The implementation disabled all submit buttons synchronously inside the submit event handler. Browser form-data serialization happens after submit handlers run, and the HTML specification excludes disabled form controls from the submitted data set. The result: the button that the user clicked — which carries the form’s branch identifier (name=add-multiple-targets, name=add-ip-target, etc.) — was stripped from every POST before it reached the server.
In the Add Target view, add_target branches on request.POST.get("add-multiple-targets") to distinguish bulk add from single-add. Without that key, the condition always evaluated false and the form returned to /add without inserting anything, silently. The same pattern affected the CSV import and IP target import paths.
The fix defers the button-disable by one JavaScript event loop tick using setTimeout(0), giving the browser time to serialize form data before the disable fires. If the submit event was explicitly prevented (e.g. by validation), the disable is skipped entirely to avoid leaving the form in a broken state.
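The ordering described above can be reproduced with a small model of the submit sequence. This is an added example, not HailBytes ASM code: it simulates the browser's steps rather than using the DOM, and the helper names, the "targets" field and the button values are assumptions.

```javascript
// Simplified model of the browser's submit sequence (not a DOM implementation):
//   1. submit handlers run  2. the entry list is built  3. timer tasks run.
function submitForm(form, submitter, handlers) {
  const timers = []; // stands in for the setTimeout(fn, 0) task queue
  const event = {
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
  };
  for (const h of handlers) h(form, event, (fn) => timers.push(fn));
  let entries = null; // null: submission was cancelled, nothing is sent
  if (!event.defaultPrevented) {
    entries = {};
    for (const c of form) {
      if (c.disabled) continue; // disabled controls are left out of the data set
      if (c.type === "submit" && c !== submitter) continue; // only the clicked button
      entries[c.name] = c.value;
    }
  }
  for (const fn of timers) fn(); // the next event-loop tick
  return entries;
}

const disableButtons = (form) =>
  form.filter((c) => c.type === "submit").forEach((c) => { c.disabled = true; });

// Before: disable synchronously inside the submit handler.
const eagerGuard = (form) => disableButtons(form);

// After: defer one tick; leave the form usable if the submit was prevented.
const deferredGuard = (form, event, defer) =>
  defer(() => { if (!event.defaultPrevented) disableButtons(form); });

// Constructed sample form; "targets" and the button values are made up.
const makeForm = () => [
  { name: "targets", type: "textarea", value: "example.com\nexample.org", disabled: false },
  { name: "add-multiple-targets", type: "submit", value: "1", disabled: false },
  { name: "add-ip-target", type: "submit", value: "1", disabled: false },
];

// Submit via the bulk-add button and report what the server would receive.
function run(guard, extraHandlers = []) {
  const form = makeForm();
  const post = submitForm(form, form[1], [guard, ...extraHandlers]);
  return {
    post,
    branchKeySent: post !== null && "add-multiple-targets" in post,
    buttonsDisabled: form.filter((c) => c.type === "submit").every((c) => c.disabled),
  };
}
```

run(eagerGuard) produces a POST without the add-multiple-targets key, while run(deferredGuard) keeps the key and still ends with the buttons disabled. Passing a handler that calls preventDefault() shows that only the deferred guard leaves the buttons enabled after a rejected submit.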
Upgrading
All five fixes are included in marketplace images published from June 9, 2026 onward. Existing deployments update by pulling the latest Docker image; no database migration is required beyond scanEngine.0031 (which runs automatically on startup). No configuration changes are needed.
The Tool Arsenal migration is safe to run on existing deployments: it checks whether the table is empty before loading, so platforms that already have tools configured are not affected. The Hatchet dispatch fix, PDF download fix, and form fix are entirely server-side changes that take effect immediately on restart.