Guard Packs

POST/v1/orgs/{org_id}/packs/apply

Apply Pack

Apply a guard pack to an organization. If ``target_scope`` is provided the pack policy is written to that scope atomically with the install-count and history record - so nothing is recorded as applied if the policy write fails. Without ``target_scope`` the endpoint returns the pack policy for the caller to persist.

CI or Admin tokenscope: writeoperation_id: packs.apply

Authentication

Requires a CI- or admin-level token. Runtime tokens are rejected for mutations.

SDK install

pip install znyx-sdknpm install @znyx/sdk

Path parameters

Name	Type	Required	Description
org_id#path	string	required	—

Header parameters

Name	Type	Required	Description
X-API-Key#header	string \| null	optional	—
authorization#header	string \| null	optional	—

Request bodyrequired

Field	Type	Required	Description
pack_id	string	required	—
mode	string	optional	—
target_scope	ApplyPackTargetScope \| null	optional	—

Responses

Status	Description
200	Successful Response
422	Validation Error

Response schema

pack_namerequiredstring

moderequiredstring

policyrequiredobject

detectorsrequiredany

applied_toApplyPackAppliedScope | null

Errors & what triggers them

Code	Trigger	Fix
404	pack_id does not exist in the catalog.	—
422	target_scope is malformed (missing app_id, invalid env).	—
500	Policy write failed after the pack was resolved.	The endpoint is transactional — the pack install count is only incremented if the policy write succeeded. Retry is safe.

Notes & examples

What's a Guard Pack

A curated starter policy for a vertical or use case. Each pack ships:

A set of enabled detectors with opinionated thresholds.
Compliance mapping (e.g. HIPAA, SOC 2) — the proof surface.
Benchmark baseline — the pack's authors ran it against a reference dataset and shipped the numbers.

Browse the catalog: GET /v1/hub/packs.

`merge` vs `replace`

merge (default) — overlays the pack's detectors on top of the current policy. Keeps anything you already had.
replace — wipes the scope's current policy and writes the pack fresh. Use only on new agents.

Applying with scope

Pass target_scope to write the policy atomically. Without it, the endpoint returns the merged policy JSON for you to persist yourself — useful when you want to diff before committing.

{
  "pack_id": "...",
  "mode": "merge",
  "target_scope": {
    "tenant_id": "<org-uuid>",
    "app_id": "<project-uuid>",
    "agent_id": "default",
    "env": "prod"
  }
}

Removing a pack

POST /v1/orgs/{org}/packs/remove with the same scope disables every detector the pack enabled and drops any non-detector keys it injected. Use it when a pack no longer fits.

GET /v1/hub/packs — browse the catalog.
GET /v1/hub/packs/{id}/proof — compliance + benchmark evidence for a vertical pack.
GET /v1/orgs/{org}/packs/applications — history of apply/remove per org.

Request

curl -X POST 'https://api.znyx.ai/v1/orgs/00000000-0000-0000-0000-000000000000/packs/apply' \
  -H 'Authorization: Bearer $ZNYX_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
  "pack_id": "string",
  "mode": "merge",
  "target_scope": null
}'

Response

application/json

Successful Response

{
  "pack_name": "string",
  "mode": "string",
  "policy": {},
  "detectors": null,
  "applied_to": null
}

Schema: object