# Agent Release Notes

> Version history for the Turen Agent

## v0.2.0

| Asset                  | SHA256                                                             |
| ---------------------- | ------------------------------------------------------------------ |
| macOS DMG              | `3810e29d7b030ecd7d95fbacc549c14b1538e028408a0ad8a5f5975911016331` |
| Linux `.deb` (amd64)   | `c4172e66ba8ea25bccaecece5d787e4eddf38cce90446ec6391709cfe195c70b` |
| Linux `.deb` (arm64)   | `2badd9145709d97d9273ca0cac4f0929a5daf7438a6dc0666ae29d27ef04f9de` |
| Linux `.rpm` (x86\_64) | `91ade8f478c642201e25e3d47cbd3d0e2d4a728b8149a109dddb06ccf34543f4` |
| Linux `.rpm` (aarch64) | `310d08d4faa6e9ecad37067808c64af1823aaf0f1cb48d7ee0b770e707110b37` |
| Windows MSI (amd64)    | `f2542d5e88b361fb37877d6edd0cca2d9e5dbce45ebef006b3057e84b2f0a127` |
| Windows MSI (arm64)    | `fe2e41eb83a865bb982c4f1623ee255795f3a1e039aa970241f24b6b2ccab4d4` |

**Windows 11 support**

* Turen now runs on Windows 11 on both amd64 and arm64. Authenticode-signed `.msi` installers are available from the **Downloads** section of the [dashboard](https://dashboard.turen.io). See the new [Windows installation guide](/installation/windows) for details.
* The installer registers `turen-watchdog` as a Windows Service that starts on boot, drops binaries into `%ProgramFiles%\Turen`, and configures Claude Code automatically, giving the same one-shot install experience as macOS and Linux.
* Claude Code hooks fire on both Bash and PowerShell on Windows, so package-install policy and Batou findings work the same way regardless of which shell Claude Code chooses.
* Auto-updates work in place on Windows: the agent updates itself, verifies the new build's signature, and rolls back if the new version fails to start.

## v0.1.45

| Asset                  | SHA256                                                             |
| ---------------------- | ------------------------------------------------------------------ |
| macOS DMG              | `5b61ec5f78df4c43fc14c7d775474c7fd26eb70e3c0cd2de703f6c2360b80f4a` |
| Linux `.deb` (amd64)   | `8f7f4a48aa46f0b67d8e1e207e510ec9a44e739aa2a0883e21ae0e9ce70137d5` |
| Linux `.deb` (arm64)   | `3250a00ba73fd418924ef5e2263db151b2187737106fb5f108d94bf5b763b227` |
| Linux `.rpm` (x86\_64) | `2cedc4197642030c2c330cff7870b4d2c4e7c8248da07e6264f581f5e5ae9715` |
| Linux `.rpm` (aarch64) | `99cf0707f21e166a7b39c4b4bad36dafc825a85261c9a685a5015a5a51e43266` |

**Self-correcting Batou suppressions, fewer false positives, and broader taint coverage**

* AI coding agents can now resolve Batou false positives inline without pausing to ask first, as long as they document their reasoning in a `batou:ignore <RULE> -- reason` comment. Bare directives with no reason still flag `BATOU-SUPPRESS-REVIEW` for human review, so accountability lives in the comment that stays in the file forever. This removes a multi-round-trip loop where agents were stalling on findings they had already correctly judged.
* Fewer false positives from Batou's suppression and CLI-tool handling: `batou:ignore` comments above multi-line Python sinks (e.g. paren-wrapped argument lists) now match the correct line, trailing inline directives no longer extend suppression to an unrelated next line, and Python CLI scripts (`argparse`/`sys.argv` flowing into `pathlib.read_text`) are downgraded from blocking to hint-level since the path is the tool's interface.
* Two Go AST-rule false positives fixed: AST-004 no longer matches non-crypto helper names on a substring of "crypt", and AST-008 now recognises `WaitGroup`-bounded goroutines as safely coordinated instead of flagging them as leaks.
* Batou taint-tracking expansion across 13 languages: new **sinks** for SQL injection (Python `asyncpg`/`aiosqlite`/`databases`/DuckDB/Polars, Swift `SQLite.swift`, Ruby `PG`/`Mysql2`), NoSQL (C `libmongoc`/`libbson`), CQL (Go `gocql`, Kotlin DataStax Cassandra/ScyllaDB), server-side template injection (Groovy across Velocity/FreeMarker/Thymeleaf/Pebble/Handlebars), SSH command exec and SCP path traversal (C++ `libssh2`/`libssh`), Redis script injection (C# StackExchange.Redis), Zip Slip / Tar Slip archive extraction (JavaScript), Neovim plugin command and eval (Lua), absolute-path and env-manipulation sinks (Zig `std.fs`), and weak-crypto sinks (Perl MD2/MD4/Blowfish/IDEA/RC2/CAST5, Swift CryptoSwift and CommonCrypto).
* New **sources**: HTTP-client SSRF (Java JAX-RS/Retrofit/RestTemplate), GraphQL resolver contexts (Java `DataFetchingEnvironment`, Rust `async-graphql`/`juniper`), WordPress `wpdb` read helpers, `wp_mail`, and template loaders plus 8 new WordPress sanitisers (PHP), 7 new servlet/Spring MVC CWE-501 trust-boundary sinks (Java), and task-queue producer trust-boundary flows (Python).
* Hardened the Linux install flow after an internal security review: registration keys are no longer passed on the command line (where any local process could read `/proc/<pid>/cmdline` during the brief install window), install-time state moved off `/tmp` onto a root-owned tmpfs directory to close symlink races, and privileged directory creation now uses `install -d` instead of `mkdir + chown + chmod` so it doesn't follow symlinks.
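
The first of these changes can be reproduced on any Linux host. This added example (not Turen's installer code) starts a stand-in installer process twice, once with the key on the command line and once with the key sent over stdin, and reads back what `/proc/<pid>/cmdline` exposes in each case. The flag name `--registration-key`, the key value and the function names are assumptions made for the illustration.

```python
import subprocess
import sys

# Constructed placeholder, not a real Turen registration key.
SECRET = "constructed-registration-key-0000"

# Stand-in for an installer process: it blocks until its stdin is closed.
CHILD = "import sys; sys.stdin.read()"


def visible_argv(pid):
    """Return the argv that procfs exposes for pid (Linux only)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [arg.decode() for arg in fh.read().split(b"\0") if arg]


def run_installer(key_on_argv):
    """Start the stand-in installer and return what /proc shows for it."""
    argv = [sys.executable, "-c", CHILD]
    if key_on_argv:
        # Weak pattern: the key becomes part of the process's argv.
        # "--registration-key" is a hypothetical flag name.
        argv += ["--registration-key", SECRET]
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE)
    try:
        if not key_on_argv:
            # Hardened pattern: the key travels on a pipe only the child reads.
            proc.stdin.write(SECRET.encode() + b"\n")
            proc.stdin.flush()
        return visible_argv(proc.pid)
    finally:
        proc.stdin.close()
        proc.wait()


def key_exposed(key_on_argv):
    """True if the key can be read back from the process's cmdline entry."""
    return SECRET in run_installer(key_on_argv)


if __name__ == "__main__":
    print("key on argv  ->", "exposed" if key_exposed(True) else "hidden")
    print("key on stdin ->", "exposed" if key_exposed(False) else "hidden")
```
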

## v0.1.44

| Asset                  | SHA256                                                             |
| ---------------------- | ------------------------------------------------------------------ |
| macOS DMG              | `e1fbb3ede5ed27faf1afcfeeb510608e8798f34381202931081d97c7f1424edc` |
| Linux `.deb` (amd64)   | `be8abe7993bbce1a9b994876295810cb50f7385661d7a30981e9af09a43136b9` |
| Linux `.deb` (arm64)   | `c049e6d3feff7fb3645bd7bb9b511bc260064a7ec3b8a4d6524b2ef6854be813` |
| Linux `.rpm` (x86\_64) | `f15cfe1c8f2e760ba2e527e1731f92fb70671e5e221770523928d1baa5a29f44` |
| Linux `.rpm` (aarch64) | `c4d1e8cee0efdeadfc53234b8cf839f797a8be60dcd3241ab286c31c43c7c588` |

**Linux support**

* Turen now runs on Linux. `.deb` packages for Ubuntu/Debian and `.rpm` packages for RHEL/CentOS/Fedora are available from the **Downloads** section of the dashboard, on both x86\_64 and arm64. See the new [Linux installation guide](/installation/linux) for details.
* New one-line installer for Linux (and headless macOS) at `https://downloads.turen.io/install.sh`: downloads the right tarball for your architecture, verifies the checksum, drops binaries into `/usr/local/bin`, and wires up systemd (or launchd on macOS) so the agent starts on boot.
* Auto-updates are fully supported on Linux. The agent updates itself in place without a package-manager reinstall and rolls back to the previous version if the new release fails to start, matching the existing macOS behaviour.

## v0.1.38

**DMG SHA256:** `d3d314bd720bf59d98c6db963893d02facb86978ecaa0d637246d441a56b4377`

**Cleaner installs and uninstalls**

* Reinstalls and uninstalls now fully clean up the `turen-batou` binary and any running batou processes. Previously, the macOS uninstaller could leave the batou binary on disk, and reinstalling over a running agent could leave a stale batou process active until the next restart.

## v0.1.37

**DMG SHA256:** `257c848ce37592699399c726ecc78955d8d9adcfb9e1c8f8c695c01b7f56243b`

**Suppressions honoured on taint flows, broader framework coverage, fewer JS false positives**

* `batou:ignore` comments now correctly suppress findings on raw taint flows. Previously, taint-based findings could keep reappearing in the dashboard even after you'd added a suppress directive: the ignore comment was applied to the regex detector but not to the taint analyzer.
* Reduced JavaScript false positives: the SQL-injection detector no longer flags `Array.find`/`filter`/`forEach` calls that take a callback (they're not database queries), and the SSRF detector now distinguishes the global `fetch()` from `.fetch()` methods on ORMs and other objects.
* Major taint-tracking expansion across 16 languages: **sanitizers** added for C, C#, C++, Go, Groovy, Java, JavaScript, Kotlin, Lua, Perl, Python, Rust. These let Batou recognise validated input and cut false positives across log injection, trust-boundary, eval, deserialization, SSRF, LDAP, XPath, crypto-timing, path-traversal, and XSS detection.
* New **sources** for HTTP frameworks and messaging systems: Gin/Echo/Fiber and net/http (Go), OkHttp/Ktor and NIO Files (Kotlin), PSR-7/Redis/Memcached/AMQP/Kafka/YAML (PHP), stdin/env/httpz/zap (Zig), WebSocket/Redis/CloudKit (Swift), Firebase/Redis (Kotlin), Azure/RabbitMQ/Kafka/AWS SQS (C#), HTTP clients and ORMs (Java, Ruby, Rust). Second-order injection paths through these systems are now tracked.
* New **sinks** for LDAP injection (Java JNDI/Spring LDAP/UnboundID, Lua, Perl), weak crypto (C++ RC4/ECB/Blowfish, Perl), command injection (Lua FFI/POSIX/Penlight/luv), XSS and template injection (Ruby), embedded VM/eval (Go), trust-boundary and redirect/header injection (Go, Perl), and deserialization (C JSON/XML/msgpack).

## v0.1.36

**DMG SHA256:** `53356039255eece7533036b67e5cc5b1db773de998679b0e4923941b5cbefce5`

**Agent trap detection, tool output scanning, and quieter secret detection**

* 16 new detection rules (INJ-21..36) for AI agent trap patterns: content injection, behavioural control, cognitive-state manipulation, and human-in-the-loop attacks. Based on the Franklin et al. (2026) taxonomy.
* Prompt injection, secret detection, and agent trap rules now scan the content returned by `Bash`, `WebFetch`, and `WebSearch`. Previously, tool output was bypassing content scanning and leaving the primary prompt-injection attack surface uncovered.
* Quieter secret scanning: the entropy detector no longer flags file paths, import paths, or dotted identifier chains on shell command output as secrets. Pattern-based detection for AWS keys, Stripe, GitHub PATs, private keys, and other high-confidence formats remains fully active.
* Expanded Batou SAST taint tracking across C, C++, C#, Go, Java, JavaScript, Kotlin, Python, and Zig: new file-read, SSRF, deserialisation, and framework-specific sources and sinks catch path traversal and injection bugs that previously went undetected.
* Batou dashboard now stays in sync with what the agent sees: low-confidence findings no longer appear as "Top Active Risks" when the agent has been told the code is clean.
* New `turen-watchdog checkin` subcommand triggers the running daemon to immediately sync policy, org config, and update availability with the API instead of waiting for the next 5-minute interval. Supports `--json` for scripting.
* Fixed a beta-channel version comparison bug that could cause agents on `beta.10` or higher to silently downgrade to `beta.2`, and improved macOS installer error reporting when registration-key validation fails.
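
The release note does not say what the faulty comparison was. This added sketch (not Turen's code) shows the usual cause of this symptom, ordering pre-release identifiers as strings, beside SemVer 2.0.0 precedence. The version strings and function names are constructed for illustration; only the `beta.N` suffixes come from the note above.

```python
import re

_SEMVER = re.compile(r"^v?([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z.-]+))?$")


def semver_key(version):
    """Sort key for SemVer 2.0.0 precedence (build metadata is not handled)."""
    m = _SEMVER.match(version)
    if m is None:
        raise ValueError(f"not a recognised version: {version!r}")
    core = tuple(int(part) for part in m.group(1, 2, 3))
    pre = m.group(4).split(".") if m.group(4) else []
    # Numeric identifiers compare as integers and rank below alphanumeric ones.
    ids = [(0, int(i), "") if i.isdigit() else (1, 0, i) for i in pre]
    # A plain release outranks every pre-release of the same core version.
    return (core, 0 if pre else 1, ids)


def naive_key(version):
    # Flawed: plain string ordering puts "beta.2" above "beta.10".
    return version


def pick_update(installed, offered, key=semver_key):
    """Return the newest offered version strictly newer than installed, or None."""
    newer = [v for v in offered if key(v) > key(installed)]
    return max(newer, key=key) if newer else None


# Constructed sample data.
INSTALLED = "1.0.0-beta.10"
OFFERED = ["1.0.0-beta.2", "1.0.0-beta.9", "1.0.0-beta.10"]

if __name__ == "__main__":
    print("string compare :", pick_update(INSTALLED, OFFERED, key=naive_key))
    print("semver compare :", pick_update(INSTALLED, OFFERED))
    print("semver, beta.11:", pick_update(INSTALLED, OFFERED + ["1.0.0-beta.11"]))
```

With string ordering, an agent on `beta.10` treats an older beta as an update; with numeric comparison of the identifier it stays put until `beta.11` is offered.
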

## v0.1.35

**DMG SHA256:** `2e4708f7a59bd8192a0ac961a24fb3c79042c002ea038739e91d04935b2baf29`

**Suppress directives no longer blocked by existing findings**

* Fixed a deadlock where pre-existing blocking findings prevented agents from adding `batou:ignore` comments to the same file. Edits that only add suppress directives now go through, so agents can resolve blocked findings without manual intervention.

## v0.1.34

**DMG SHA256:** `6980874224641dcea0996b3cf05f5f0ec9db024cc7bcc4eead11faed4cca2c7b`

**Batou scanning outside git repos**

* Batou now works correctly when scanning files outside a git repository. Previously, findings and suppression data could be written to unexpected locations; they're now stored alongside the scanned file.
* Fixed a bug where `batou:ignore` comments with preprocessor directives (e.g., in JSX or templated files) could fail to match the correct line, causing valid suppressions to be ignored.

## v0.1.33

**DMG SHA256:** `30385bd917c7ab8216d0201ae8bdaf9d6e88acb688507a1d9a846473e67e3f41`

**Smarter suppression handling and ORM taint tracking**

* The agent now prefers fixing a finding over suppressing it. When a `batou:ignore` comment is added, the agent will suggest a code fix first and only suppress if you confirm.
* Category-based suppression (`batou:ignore injection`, `batou:ignore xss`) now works reliably across all 45 rule categories.
* Batou's taint analysis now tracks data flow through 12 popular ORMs (Sequelize, Prisma, SQLAlchemy, GORM, and others), catching SQL injection and query-building vulnerabilities that previously went undetected.
* Suppressed findings no longer reappear as new issues in the dashboard; their lifecycle status is now tracked correctly through rescans.
* Improved risk scoring: blocking decisions now use a single risk score combining severity and detection confidence, reducing noise from low-confidence findings.

## v0.1.32

**DMG SHA256:** `6c45cab6cec226041f9c55d80691c34fda8e8b87d8209e0288d63bbbc2b534f8`

**Improved Batou communication and rule adherence**

* Batou SAST findings now reliably appear in the AI agent's context during coding sessions. Previously, some findings could be silently dropped before reaching the agent; this is now fixed.
* The agent automatically provides Claude with clear instructions on how to handle Batou findings (fix the issue or ask the user before suppressing), improving compliance with your org's security policies.
* Startup recovery: if a previous update failed mid-apply, the agent now detects the incomplete state on next launch and automatically restores from the last known-good version.

## v0.1.31

**DMG SHA256:** `fbdbef9c894e005f77447812a55ec0f83b27ca5a23c8dd3fa3141b419691f8d4`

**Auto-updates with rollback**

* The Turen agent now updates itself automatically. When a new version is available, the agent downloads, verifies, and applies the update, with no manual reinstall required.
* If an update fails or the new version doesn't start correctly, the agent automatically rolls back to the previous working version.
* Admins can control update behavior from the dashboard: choose a release channel (production, beta, or alpha), set a version offset to stay behind the latest release, or pin to a specific version. See [Update Channel Settings](/dashboard/agents#update-channel-settings).

## v0.1.30

**DMG SHA256:** `4b8155bff2ed3f241c6bb71261dccc84325c0717c8016b81b3cb5ef2c437eb8d`

**SAST suppression fix**

* Fixed a bug where findings marked as Fixed or Suppressed via `batou:ignore` comments could still incorrectly trigger a block. Suppressed and fixed findings are now correctly skipped during blocking decisions.

## v0.1.29

**DMG SHA256:** `07d17690eb050f97da47bb98b8311c6b96aed4e4743d30dc2cd73ae8dc5f241e`

**SAST finding lifecycle tracking**

* Batou SAST findings now track their full lifecycle: Active, Fixed, Suppressed, and Blocked statuses are reported to the dashboard, so you can see how findings are resolved over time.
* Fixed and suppressed findings are now visible in the dashboard's Issue Resolution view.

## v0.1.28

**DMG SHA256:** `5e2cc5f6ab5566e0560ee56c9740509aac08844a56aa742e037aa1035a989d3e`

**SAST reliability improvements**

* Improved accuracy of finding lifecycle status (Active, Fixed, Suppressed) so the dashboard correctly reflects the current state of each finding.
* Reduced false positives in scan results.

## v0.1.27

**DMG SHA256:** `1acec9879ab06423f4cdcae263d862b3fa7a2059d466987b57c798461df145de`

**SAST finding resolution tracking**

* Batou SAST findings now carry lifecycle metadata (Active, Fixed, Suppressed), enabling the dashboard to show which findings have been addressed and which are still open.

## v0.1.26

**DMG SHA256:** `da7e7d33cfe556ac092309c4824d006383b9d2193d2cc6193141b5d3c5e99e72`

**Malware detection**

* turen-pkg now detects packages with known malware advisories (MAL-\*) and automatically blocks them at CRITICAL severity. Malware status is visible in the dashboard and package evaluation output.

## v0.1.25

**DMG SHA256:** `29ec862963483ff9720cf60aabba5fe319fcc41a96b2b269f01d0a11bb95b386`

**PostToolUse hooks and timeout increase**

* Batou SAST now runs on both PreToolUse (can block writes) and PostToolUse (provides hints after execution), giving broader coverage for real-time code scanning.
* Hook timeout increased from 10s to 30s to match the open-source Batou engine and prevent premature timeouts on larger scans.
* Uninstaller now cleans up hooks from all Claude Code event types (PreToolUse, PostToolUse, UserPromptSubmit) and removes the managed CLAUDE.md section.

## v0.1.24

**DMG SHA256:** `0f92f1b9f19b22e180afd6e9bdaa761f5236378ebc9f155e984c37a6b502a21f`

**Batou SAST integration**

* The Turen agent now includes Batou, a real-time static analysis engine that scans code as it's written by AI coding agents.
* Findings are evaluated against org-configured thresholds (severity, confidence) and can block or warn inline.
* Individual rules can be disabled per-org from the dashboard.
* Scan results and findings are reported to the Turen platform for dashboard visibility.

## v0.1.22

**DMG SHA256:** `3b13dab4ca2e0a97103b3ac9319031eca16238d9616a53a80cf273bd9a9e263b`

**Watchdog diagnose command and session resync**

* New `turen-watchdog diagnose` command runs 14 self-checks covering the full operational stack (LaunchDaemon, IPC, registration, API, proxy, Claude Code) and prints actionable recommendations for failures.
* Session resync: if the platform detects missing sessions, the agent will re-scan and re-upload them on the next checkin.

## v0.1.21

**DMG SHA256:** `c7d3a76398fecddf2e423b12c39ca5ade78276e51e6a7420f9b0589484f0ac2d`

**Installer improvements**

* Installer now restricts to system-wide (LaunchDaemon) installation only, preventing permission issues with per-user LaunchAgent installs.

## v0.1.20

**DMG SHA256:** `955b883b157c9729c2c6519cf3c0d85a711b973263b1d4a691927aafac70ccac`

**Uninstall app bundle for notarization**

* Wrapped `Uninstall.command` in a proper `.app` bundle so macOS Gatekeeper no longer blocks the uninstaller after notarization.
* Uninstall script now cleans up hooks from all Claude Code event types (PreToolUse, UserPromptSubmit), not just PreToolUse.

## v0.1.18

**DMG SHA256:** `a337bb692bb46ea1f438b6041f73762d9db9cfbcf910826ba1ee28454a69de87`

**Uninstaller and allowlist improvements**

* Fixed uninstaller to properly clean up the root LaunchDaemon, IPC socket, and Claude Code managed settings.
* Allowlisted packages now correctly bypass all downstream policy checks. Previously, a block or review from a later check could override the allowlist.
* Removed leftover classifier integration code from the rules engine and telemetry.

## v0.1.17

**DMG SHA256:** `f2e8cffd34e989f8fc32e74fff8283638c7b281e98127cb4cef76374d93f8580`

**Smarter remediation hints**

* Block and review messages now include targeted remediation guidance based on the specific policy violation: scorecard, vulnerabilities, license, blocklist, provenance, new package, or missing signals.
* Hints include actionable next steps like adding to the allowlist or using `TUREN_ALLOW_REVIEW=1` to override review decisions.

## v0.1.16

**DMG SHA256:** `fe3bb90d518e0a02023cc3bf3e29e7879be614f1d7c9f05182a174bb973774c2`

**Watchdog reliability and richer event data**

* Fixed proxy health recovery so crashed proxies are automatically restarted instead of leaving the agent in a broken state.
* Stuck proxy processes are now detected and killed on startup.
* Bulk installs now emit per-package events with full signal metadata (scorecard, vulnerabilities, licenses), making each blocked or reviewed package individually visible in the dashboard.
* Seamless upgrades: the installer now skips the registration dialog when the agent is already registered.

## v0.1.15

**DMG SHA256:** `ba547207d66a266c95ffebadaab1914aeb9b98613f0af1354c1a13905576c7bd`

**Pre-install auditing for bulk installs**

* Running `npm install` (or `pip install -r requirements.txt`, etc.) now audits all direct dependencies **before** the install runs, matching the behavior of explicit installs. Previously, packages were installed first and audited after.
* Removed the experimental classifier feature. Package security decisions are now fully handled by the policy engine and rules.
