# Policies

> Read and update security policies

## Get Policy

Retrieve the current policy configuration for your organization.

```bash
curl -H "X-API-Key: sk_live_your_key_here" \
  https://api.prod.turen.io/api/v1/policy
```

### Response

```json
{
  "version": "v1.4.2",
  "name": "default",
  "updated_at": "2026-02-15T14:00:00Z",
  "rules": {
    "min_scorecard": 5.0,
    "review_scorecard": 8.0,
    "max_known_vulnerabilities": 5,
    "block_on_critical_vuln": true,
    "require_provenance": false,
    "allow_provenance_fallback": true,
    "review_on_new_package_days": 30,
    "allowed_licenses": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
    "typosquat_action": "review",
    "typosquat_threshold": 0.85
  },
  "blocked_packages": [],
  "blocked_maintainers": []
}
```

### Response Fields

| Field                 | Type   | Description                       |
| --------------------- | ------ | --------------------------------- |
| `version`             | string | Policy version identifier         |
| `name`                | string | Policy name (default: "default")  |
| `updated_at`          | string | When the policy was last modified |
| `rules`               | object | Policy threshold values           |
| `blocked_packages`    | array  | Explicitly blocked packages       |
| `blocked_maintainers` | array  | Explicitly blocked maintainers    |

### Rules Fields

| Field                        | Type    | Description                                                 |
| ---------------------------- | ------- | ----------------------------------------------------------- |
| `min_scorecard`              | number  | Minimum OpenSSF Scorecard score (0-10); packages scoring below this are blocked |
| `review_scorecard`           | number  | Score threshold for manual review (0-10)                    |
| `max_known_vulnerabilities`  | number  | Maximum number of known CVEs allowed per package            |
| `block_on_critical_vuln`     | boolean | Block packages with critical CVEs                           |
| `require_provenance`         | boolean | Require SLSA provenance                                     |
| `allow_provenance_fallback`  | boolean | Allow packages whose provenance cannot be verified          |
| `review_on_new_package_days` | number  | Flag packages published within the last N days for review   |
| `allowed_licenses`           | array   | List of allowed SPDX license identifiers                    |
| `typosquat_action`           | string  | Action for typosquat detection (`block` or `review`)        |
| `typosquat_threshold`        | number  | Similarity threshold for typosquat detection (0-1)          |

## Update Policy

Update policy thresholds for your organization.

```bash
curl -X PUT \
  -H "X-API-Key: sk_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "rules": {
      "min_scorecard": 7.0,
      "review_scorecard": 9.0,
      "max_known_vulnerabilities": 0
    },
    "blocked_packages": [],
    "blocked_maintainers": []
  }' \
  https://api.prod.turen.io/api/v1/policy
```

### Request Body

| Field                 | Type   | Description                                                |
| --------------------- | ------ | ---------------------------------------------------------- |
| `rules`               | object | Policy threshold values to update (see Rules Fields above) |
| `blocked_packages`    | array  | Packages to explicitly block                               |
| `blocked_maintainers` | array  | Maintainers to explicitly block                            |

<Note>
  Only include the fields you want to change within the `rules` object. Omitted fields retain their current values.
</Note>
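A typical workflow is to read the current policy, compare it with a hardening baseline, and send only the rules that fall short. The script below is an added example, not Turen's own code: it audits the Get Policy response shown above against a baseline that is an assumed organisational target (not a Turen default) and builds the minimal `PUT` body the note describes.

```python
import json

# Constructed sample: the Get Policy response shown on this page.
SAMPLE_POLICY = json.loads("""{
  "version": "v1.4.2", "name": "default", "updated_at": "2026-02-15T14:00:00Z",
  "rules": {"min_scorecard": 5.0, "review_scorecard": 8.0,
            "max_known_vulnerabilities": 5, "block_on_critical_vuln": true,
            "require_provenance": false, "allow_provenance_fallback": true,
            "review_on_new_package_days": 30, "typosquat_action": "review",
            "typosquat_threshold": 0.85, "allowed_licenses": ["MIT", "Apache-2.0"]},
  "blocked_packages": [], "blocked_maintainers": []}""")

# Assumption: one organisation's hardening target, not a Turen default.
# Score thresholds get stricter as they rise; the vulnerability cap as it falls.
BASELINE = {
    "min_scorecard": 7.0,
    "review_scorecard": 9.0,
    "max_known_vulnerabilities": 0,
    "block_on_critical_vuln": True,
    "require_provenance": True,
    "allow_provenance_fallback": False,  # a fallback lets unverified provenance through
    "typosquat_action": "block",
}

def audit_rules(rules):
    """List (field, current, wanted) for each rule more permissive than BASELINE."""
    findings = []
    for field, wanted in BASELINE.items():
        current = rules.get(field)
        if current is None:            # field absent from the response: skip
            continue
        if isinstance(wanted, (bool, str)):
            weaker = current != wanted
        elif field == "max_known_vulnerabilities":
            weaker = current > wanted  # higher cap tolerates more known CVEs
        else:
            weaker = current < wanted  # lower score threshold is more permissive
        if weaker:
            findings.append((field, current, wanted))
    return findings

def build_update(rules):
    """PUT body with only the rules that must change; omitted fields keep their values."""
    changes = {field: wanted for field, _, wanted in audit_rules(rules)}
    return {"rules": changes} if changes else None

if __name__ == "__main__":
    for field, current, wanted in audit_rules(SAMPLE_POLICY["rules"]):
        print(f"{field}: {current!r} -> {wanted!r}")
    print(json.dumps(build_update(SAMPLE_POLICY["rules"]), indent=2))
```

The printed body can be passed as the `-d` payload of the `curl -X PUT` call above; when the policy already meets the baseline, `build_update` returns `None` and no request is needed.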

### Response

Returns the updated policy (same schema as Get Policy).

<Note>
  Policy updates are distributed to agents at their next policy sync interval (every 15 minutes by default). No agent restart is required.
</Note>
