# Release Notes

> What's new in the Turen platform

## April 2026

### Dashboard

* **Unified install flow with Linux beta**: A new shared install component across onboarding, the Getting Started page, and the Agents page. Linux users now get a first-class path with a shell installer plus `.deb`, `.rpm`, and tarball downloads per architecture (labelled **Linux (Beta)**). macOS keeps the `.dmg` as the primary CTA. The shell snippet is pre-filled with `TUREN_REGISTRATION_KEY=…` when a key is available, so it's one paste to install and register. A new "all platforms" disclosure lists every binary format the platform ships.
* **Code Quality Trend replaces Detection Confidence card**: The SAST dashboard's "Detection Confidence" card conflated finding volume with confidence distribution and was easy to misread. It's been replaced with a clearer trend view of blocked vs. warned findings over time.
* **Removed entropy-detection UI**: Entropy detection is no longer a live secret-scanning mode in the agent, so the related toggles and indicators have been removed from the dashboard. Pattern-based detection for AWS keys, Stripe, GitHub PATs, private keys, and other high-confidence formats remains fully active.

### API

* **Slowloris protection**: The API server now enforces `IdleTimeout` and `ReadHeaderTimeout` on incoming requests, closing slow-header and slow-read attack vectors against customer-facing endpoints.
* **Trial auto-cancel when no payment method**: If a free-trial subscription reaches its end date with no payment method on file, the subscription is now cancelled cleanly instead of attempting a failing charge. You retain read-only access and can upgrade at any time.
* **`GET /api/v1/agent-versions` supports `?limit=N`**: The agent-versions list endpoint now accepts an optional `limit` query param (clamped to a max of 100), combinable with the existing `channel` filter. Existing callers without a limit are unaffected.
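
The timeouts in the Slowloris item, shown as an added example that is not Turen's code: `IdleTimeout` and `ReadHeaderTimeout` are fields of Go's `net/http` `http.Server`, and this sketch assumes a server of that kind. The durations, handler, payloads and helper names are illustrative; the probe checks whether a silent client is dropped, both with the timeouts set and with the zero-value defaults.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

const stalledHeader = "GET / HTTP/1.1\r\nHost: example.test\r\n" // constructed: header never terminated
const fullRequest = stalledHeader + "\r\n"                       // constructed: one complete request

// newServer sets the two fields named in the release note; zero means no limit (the default).
func newServer(readHeader, idle time.Duration) *http.Server {
	return &http.Server{
		Handler:           http.NotFoundHandler(),
		ReadHeaderTimeout: readHeader, // time allowed to deliver the whole request header
		IdleTimeout:       idle,       // time a keep-alive connection may wait for its next request
	}
}

// serverDropped reports whether srv closed the connection within wait after
// the client sent payload and then went silent.
func serverDropped(srv *http.Server, payload string, wait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	go srv.Serve(ln)
	defer srv.Close()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	if _, err := io.WriteString(conn, payload); err != nil {
		return false, err
	}
	conn.SetReadDeadline(time.Now().Add(wait))
	_, err = io.Copy(io.Discard, conn) // nil error means the server closed the connection (EOF)
	var ne net.Error
	return !(errors.As(err, &ne) && ne.Timeout()), nil
}

func main() {
	hard, err := serverDropped(newServer(300*time.Millisecond, 300*time.Millisecond), stalledHeader, 2*time.Second)
	fmt.Println("hardened server dropped stalled header:", hard, err)
}
```

With both fields left at zero, the same probe holds its connection open until the client's own deadline, which is the condition the release note closes.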

### Agent

See the full [agent release notes](/get-started/agent-release-notes) for per-version detail. April highlights:

* **Linux support (GA)**: The Turen agent now runs on Ubuntu/Debian and RHEL/CentOS/Fedora on both x86\_64 and arm64, with auto-updates and rollback matching macOS. Shipped in `v0.1.44`.
* **Windows 11 support (GA)**: The Turen agent now runs on Windows 11 on both amd64 and arm64, installed via an Authenticode-signed `.msi` and registered as a Windows Service. Claude Code hooks fire on both Bash and PowerShell, and auto-updates work in place with rollback. Shipped in `v0.2.0`.
* **Self-correcting Batou suppressions**: AI coding agents can resolve Batou false positives inline with a `batou:ignore <RULE> -- <reason>` comment instead of pausing to ask. Bare directives (no reason) still flag for human review. Shipped in `v0.1.45`.
* **Fewer Batou false positives**: Multi-line Python suppressions match the correct line, trailing inline directives no longer extend suppression to unrelated code, and Python CLI scripts are downgraded from blocking to hint-level. Shipped in `v0.1.45`.
* **Broader Batou taint coverage**: New sinks and sources across 13 languages, including HTTP-client SSRF (Java), GraphQL resolver contexts (Java, Rust), async SQL drivers (Python), archive extraction / Zip Slip (JavaScript), SSH command exec (C++), and more.

## March 2026

### Batou SAST

* **Real-time code scanning**: Batou, Turen's static analysis engine, scans code in real time as agents write it. Findings are surfaced inline with confidence scores and CWE classification.
* **Confidence-based blocking**: Blocking presets now use confidence tiers instead of severity, giving you clearer control over what gets blocked vs. warned. Configure presets from the SAST tab in Software Security.
* **Finding lifecycle tracking**: Every finding now tracks its lifecycle status: Active, Fixed, Suppressed, or Blocked. The Issue Resolution view shows how findings are resolved over time.
* **Redesigned SAST dashboard**: Scan Activity (lines scanned, avg scan time), Detection Confidence distribution, Top Active Risks, Vulnerability Categories (CWE breakdown), and Issue Resolution charts.
* **Inline suppression**: Developers can suppress false positives with `// batou:ignore RULE-ID` comments. Suppressed findings are tracked in the dashboard with their reason.
* **Rule management**: Disable individual SAST rules per-org from the dashboard.

### Security

* **Malware detection**: PIA now identifies malware advisories (MAL-\*) and automatically escalates them to CRITICAL severity (CVSS 10.0). Malware status is surfaced in the API response and dashboard.
* **Password reset**: Users can now reset their password via email from the sign-in page. MFA-enabled users are prompted for their TOTP code during the reset flow.
* Multiple security hardening fixes across session replay, skill uploads, policy management, and invitation handling.

### Billing & Subscriptions

* **Free trial at signup**: New organizations automatically start with a 14-day free trial of the Teams plan. No credit card required to get started.
* **Billing enforcement**: Organizations with expired trials or canceled subscriptions are prompted to upgrade. Active trials and paid subscriptions continue uninterrupted.
* **Promo codes**: Promotion codes can now be applied during Stripe checkout.
* **Plan upgrades**: Solo plan users can upgrade to Teams directly from the billing page.
* **Trial fix**: New organizations on the free trial now correctly have SAST and custom skills enabled from the start.

### Dashboard

* **Feature gating by plan**: SAST, custom skills, and custom rules are now gated by billing tier. Teams plan users get full access; Solo plan users see upgrade prompts.
* **Package allowlist & blocklist**: Manage allowed and blocked packages directly from the Events page. Block suspicious packages with one click.
* **Interactive LLM analytics**: The LLM dashboard is now fully interactive with clickable charts and deep-linked filters.
* **Activity heatmap**: Redesigned activity-by-hour heatmap with dynamic labels and a stats summary row.
* **Improved onboarding**: Redesigned onboarding page with trial-aware flow showing days remaining and clear upgrade paths. Onboarding completion is now persisted server-side.
* **Better policy validation**: Scorecard score inputs now validate properly, and the Save button is disabled when values are invalid.
* **Invite flow**: Redesigned authentication pages to support team invitation workflows.
* **GitHub skill import**: Import custom skills directly from a GitHub repository URL.
* **Agent download from dashboard**: The Devices page now shows a download button with the latest agent version, always pointing to the current release.
* **Blocked scan visibility**: Blocked scans now show all findings including any that were later suppressed, so you can see exactly what triggered the block.
* **Documentation links**: Quick links to documentation and help are now available in the sidebar.
* **Cleaner SAST findings**: Removed redundant severity badges from individual findings. Lifecycle labels (Fixed, Suppressed) are still shown.
* **Multi-platform agent downloads**: The agent download button now supports per-platform download links (macOS DMG, Linux tarballs).

### Session Replay

* **Faster session loading**: Session content now streams with parallel chunk fetching, ETag caching, and content tickets for reduced latency on large sessions.
* **Session reconciliation**: Agents now reconcile session upload state on checkin, ensuring no sessions are lost if uploads are interrupted.
* **Time range filter fix**: Dashboard charts and session stats now correctly respect the selected time range. Previously, some views could show all-time data regardless of the filter.
* **Date range filter**: Filter sessions by a specific date range using the new "Between" filter with start and end date pickers.
* **Subagent visibility**: Subagent sessions now appear in the replay list. You can expand a parent session to see its subagents, and hour filters match across both parent and subagent sessions.
* **Heatmap improvements**: Clicking an hour on the activity heatmap now filters in place instead of navigating away, preserving your other active filters.

### Agent & CLI

* **Automatic updates with rollback**: The agent now updates itself automatically when a new version is available. If an update fails, it rolls back to the previous working version: no manual reinstall required.
* **Update channel settings**: Admins can choose a release channel (production, beta, alpha), set a version offset to stay a few versions behind latest, or pin to a specific version. Configure from **Platform Settings > Device Settings**.
* **Curated skills**: Agents now receive curated skill manifests alongside custom skills during sync.
* **Faster event ingestion**: CLI and security events now use batch inserts for improved throughput.
* **Better UTF-8 handling**: Session first-prompt previews are now safely truncated at character boundaries, preventing garbled text.
* **Billing enforcement for agents**: Registration and session uploads now respect organization plan limits.

### Package Intelligence (PIA)

* **Malware detection**: Packages with known malware advisories are flagged with `has_malware: true` and escalated to CRITICAL severity.
* **Version range support**: PIA now resolves version range specifiers (e.g., `^1.2.0`, `>=2.0`) to concrete versions via deps.dev, improving vulnerability and license accuracy.
* **Reduced log noise**: Expected not-found responses from upstream APIs are no longer logged as warnings.
