controlzero 1.3.0__tar.gz → 1.4.2__tar.gz

{controlzero-1.3.0 → controlzero-1.4.2}/.gitignore

@@ -1,6 +1,17 @@
 # Worktrees
 .worktrees/
 
+# Transient QA / design captures at repo root.
+# Long-term reference screenshots live under docs-site/static/ or in Obsidian.
+/*.png
+/dashboard-*.md
+/uat-*.png
+/audit-*.png
+/billing-*.png
+/sso-*.png
+/notifications-*.png
+/settings-*.png
+
 # Dependencies
 node_modules/
 vendor/
@@ -30,6 +41,7 @@ __pycache__/
 
 # Environment and secrets (deny-all, allow explicitly)
 .env*
+!.envrc
 production-secrets*
 vault-backup.key
 *.pem
@@ -188,8 +200,6 @@ scripts/fix-ssh-config.sh
 scripts/hetzner-post-install.sh
 docs/knowledge-base/
 docs/superpowers/
-scripts/doppler/doppler-env.values.sh
-
 # Air-gap build artifacts (generated tarballs and package directories)
 cz-air-gap-*/
 cz-air-gap-*.tar.gz
@@ -218,3 +228,12 @@ cz-revamp-live.png
 
 # Agent worktrees (created by Claude Code during parallel work)
 .claude/worktrees/
+
+# direnv + sops secrets. Encrypted files under secrets/ are safe to
+# commit; anything matching *.plain or *.dec is a decryption artifact
+# and must NEVER land in git.
+.envrc.local
+.direnv/
+secrets/*.plain
+secrets/*.dec
+.claude/scheduled_tasks.lock

controlzero-1.4.2/CHANGELOG.md

@@ -0,0 +1,33 @@
+# Changelog
+
+## 1.4.1 -- 2026-04-15
+
+### Added
+
+- `agent_name` arg + `CZ_AGENT_NAME` env var contract on the `Client` constructor (issue #71). Order: explicit arg > env > `default-agent`.
+- `CZ_DEBUG=1` (or `true`/`yes`/`on`) flips the controlzero logger to DEBUG at construction. Cheap escape hatch for support.
+- Optional install extras: `controlzero[google]`, `controlzero[openai]`, `controlzero[anthropic]` (issue #68). Pin the matching upstream SDK so users do not see import errors.
+- Cross-SDK action canonicalization parity test (issue #69). Mirrors the same fixture in the Node and Go SDKs.
+- Smoke + denial + error-propagation tests for the `wrap_google` integration (issue #68).
+
+## 1.4.0 -- 2026-04-15
+
+### Breaking changes
+
+- Integration wrappers now emit simplified action names (`llm:generate`, `embedding:generate`, `tool:call`) instead of provider-prefixed ones (`llm:openai:chat.completions.create`). Policies targeting the old action names must be updated. Provider and model move into `context` tags. See docs/integrations for current patterns.
+- Google integration rewritten against `google-genai` (deprecated `google.generativeai` removed). Install `google-genai`.
+- `integrations.langchain.agent.GovernedAgent` wrapping `AgentExecutor` is deprecated in LangChain v1.x. Use `integrations.langchain.modern.create_governed_agent`.
+
+### New integrations
+
+- `integrations.autogen` - first-party helper for autogen-agentchat v0.7+
+- `integrations.pydantic_ai` - first-party helper for pydantic-ai v1.x
+- `integrations.langchain.modern` - LangGraph create_agent pattern
+
+### New features
+
+- Policy rule `conditions` field is now evaluated in the local enforcer. Conditions are matched against merged context + args with glob patterns. All keys must match.
+
+### Enhancements
+
+- `integrations.litellm` - async + success/failure hooks for streaming audit.

{controlzero-1.3.0 → controlzero-1.4.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: controlzero
-Version: 1.3.0
+Version: 1.4.2
 Summary: AI agent governance: policies, audit, and observability for tool calls. Works locally with no signup.
 Project-URL: Homepage, https://controlzero.ai
 Project-URL: Documentation, https://docs.controlzero.ai
@@ -26,14 +26,25 @@ Requires-Dist: click>=8.1.0
 Requires-Dist: loguru>=0.7.0
 Requires-Dist: pydantic>=2.0.0
 Requires-Dist: pyyaml>=6.0
+Provides-Extra: anthropic
+Requires-Dist: anthropic>=0.25.0; extra == 'anthropic'
 Provides-Extra: dev
+Requires-Dist: cryptography>=41.0.0; extra == 'dev'
+Requires-Dist: httpx>=0.25.0; extra == 'dev'
 Requires-Dist: pytest-asyncio>=0.21.0; extra == 'dev'
 Requires-Dist: pytest-cov>=4.0.0; extra == 'dev'
 Requires-Dist: pytest>=7.0.0; extra == 'dev'
 Requires-Dist: pyyaml>=6.0; extra == 'dev'
+Requires-Dist: respx>=0.20.0; extra == 'dev'
+Requires-Dist: zstandard>=0.22.0; extra == 'dev'
+Provides-Extra: google
+Requires-Dist: google-genai>=0.3.0; extra == 'google'
 Provides-Extra: hosted
 Requires-Dist: cryptography>=41.0.0; extra == 'hosted'
 Requires-Dist: httpx>=0.25.0; extra == 'hosted'
+Requires-Dist: zstandard>=0.22.0; extra == 'hosted'
+Provides-Extra: openai
+Requires-Dist: openai>=1.0.0; extra == 'openai'
 Description-Content-Type: text/markdown
 
 # control-zero
@@ -158,6 +169,46 @@ rules:
 Rules are evaluated top to bottom. The first match wins. If no rule matches,
 the call is denied (fail-closed).
 
+## Tamper detection and quarantine
+
+The policy YAML supports a `settings:` section that controls how the SDK
+responds when it detects that the local policy file has been modified outside
+of normal channels (manual edits, unexpected hash changes, etc.):
+
+```yaml
+version: '1'
+settings:
+  tamper_behavior: warn # Options: warn | deny | deny-all | quarantine
+rules:
+  - deny: 'delete_*'
+  - allow: '*'
+```
+
+| Mode         | Behavior                                                                 |
+| ------------ | ------------------------------------------------------------------------ |
+| `warn`       | Log a warning but continue evaluating rules normally.                    |
+| `deny`       | Deny the current tool call that triggered the tamper check.              |
+| `deny-all`   | Deny all tool calls and place the machine in quarantine until recovered. |
+| `quarantine` | Same as `deny-all`, plus report a tamper alert to the backend dashboard. |
+
+**Quarantine recovery.** When a machine enters quarantine (`deny-all` or
+`quarantine`), every tool call is denied until you re-establish trust with one
+of these commands:
+
+```bash
+controlzero enroll
+controlzero policy-pull
+controlzero sign-policy
+```
+
+**Org-level policy signing.** When a machine is enrolled via `controlzero enroll`,
+it receives the organization's signing public key. Policy bundles pulled from
+the backend are cryptographically signed and verified by the SDK automatically.
+No extra configuration is required.
+
+**Tamper alert reporting.** In `quarantine` mode, the SDK reports a tamper alert
+to the Control Zero backend so your team can see it on the dashboard.
+
 ## Local audit log
 
 When running without an API key, every decision is written to `./controlzero.log`

{controlzero-1.3.0 → controlzero-1.4.2}/README.md

@@ -120,6 +120,46 @@ rules:
 Rules are evaluated top to bottom. The first match wins. If no rule matches,
 the call is denied (fail-closed).
 
+## Tamper detection and quarantine
+
+The policy YAML supports a `settings:` section that controls how the SDK
+responds when it detects that the local policy file has been modified outside
+of normal channels (manual edits, unexpected hash changes, etc.):
+
+```yaml
+version: '1'
+settings:
+  tamper_behavior: warn # Options: warn | deny | deny-all | quarantine
+rules:
+  - deny: 'delete_*'
+  - allow: '*'
+```
+
+| Mode         | Behavior                                                                 |
+| ------------ | ------------------------------------------------------------------------ |
+| `warn`       | Log a warning but continue evaluating rules normally.                    |
+| `deny`       | Deny the current tool call that triggered the tamper check.              |
+| `deny-all`   | Deny all tool calls and place the machine in quarantine until recovered. |
+| `quarantine` | Same as `deny-all`, plus report a tamper alert to the backend dashboard. |
+
+**Quarantine recovery.** When a machine enters quarantine (`deny-all` or
+`quarantine`), every tool call is denied until you re-establish trust with one
+of these commands:
+
+```bash
+controlzero enroll
+controlzero policy-pull
+controlzero sign-policy
+```
+
+**Org-level policy signing.** When a machine is enrolled via `controlzero enroll`,
+it receives the organization's signing public key. Policy bundles pulled from
+the backend are cryptographically signed and verified by the SDK automatically.
+No extra configuration is required.
+
+**Tamper alert reporting.** In `quarantine` mode, the SDK reports a tamper alert
+to the Control Zero backend so your team can see it on the dashboard.
+
 ## Local audit log
 
 When running without an API key, every decision is written to `./controlzero.log`

{controlzero-1.3.0 → controlzero-1.4.2}/controlzero/__init__.py

@@ -28,7 +28,7 @@ from controlzero.errors import (
 )
 from controlzero.policy_loader import load_policy
 
-__version__ = "1.3.0"
+__version__ = "1.4.1"
 
 __all__ = [
     "Client",

controlzero-1.4.2/controlzero/_internal/bundle.py

@@ -0,0 +1,440 @@
+"""Policy bundle parser (`.czpolicy`).
+
+See `docs/designs/policy-bundle-format.md` for the authoritative spec.
+
+This module is a *pure function* parser: given bundle bytes plus the
+project encryption key and the project signing public key, it either
+returns the decrypted policy payload as a dict, or raises a
+:class:`BundleVerificationError` / :class:`BundleFormatError`.
+
+The parser performs **no I/O**. It does not read from disk. It does not
+make network calls. It does not mutate global state. This is
+intentional: the integrity of the policy flow depends on the parser
+being auditable in isolation. All I/O (fetching bundles, caching,
+retries) lives in :mod:`controlzero.hosted_policy`.
+
+Wire format (little-endian throughout):
+
+    offset  size  field
+    0       4     magic           ASCII "CZ01"
+    4       2     schema_version  uint16
+    6       8     created_at      uint64 UNIX seconds
+    14      2     policy_count    uint16 (informational)
+    16      4     sig_offset      uint32 (absolute byte offset of signature)
+    20      4     sig_len         uint32 (must be 64)
+    24      8     reserved        must be zero
+    32      N     payload         authenticated-encryption over zstd(json)
+    32+N    64    signature       signature over header[0:32] || payload
+"""
+
+from __future__ import annotations
+
+import json
+import struct
+from dataclasses import dataclass
+from typing import Optional  # noqa: F401  (used in type annotations below)
+
+# --- Exceptions ------------------------------------------------------------
+
+
+class BundleFormatError(ValueError):
+    """Bundle bytes do not match the expected wire format.
+
+    Raised for structural problems: wrong magic, impossible offsets,
+    truncated data, unknown schema version. Never raised for cryptographic
+    failures -- use :class:`BundleVerificationError` for those.
+    """
+
+
+class BundleVerificationError(ValueError):
+    """Bundle signature or AES-GCM authentication tag failed to verify.
+
+    This is the fail-closed signal. The SDK MUST NOT use any policy data
+    extracted before this exception was raised.
+    """
+
+
+# --- Constants -------------------------------------------------------------
+
+_MAGIC = b"CZ01"
+_HEADER_SIZE = 32
+_SIG_LEN = 64
+_SCHEMA_VERSION_MAX = 1
+
+# AES-GCM constants. Matches the backend's encryptAESGCM helper:
+# nonce(12) || ciphertext || tag(16)
+_GCM_NONCE_SIZE = 12
+_GCM_TAG_SIZE = 16
+
+
+# --- Parsed structures -----------------------------------------------------
+
+
+@dataclass(frozen=True)
+class BundleHeader:
+    schema_version: int
+    created_at: int
+    policy_count: int
+    sig_offset: int
+    sig_len: int
+
+
+@dataclass(frozen=True)
+class ParsedBundle:
+    """The decrypted and authenticated policy bundle."""
+
+    header: BundleHeader
+    payload: dict  # the JSON-decoded policy bundle
+
+
+# --- Public API ------------------------------------------------------------
+
+
+def parse_bundle(
+    blob: bytes,
+    encryption_key: bytes,
+    signing_pubkey: bytes,
+    *,
+    max_bundle_bytes: int = 16 * 1024 * 1024,
+) -> ParsedBundle:
+    """Verify signature, decrypt, and decode a policy bundle.
+
+    Args:
+        blob: The raw bundle bytes as returned by ``/v1/sdk/policies/pull``.
+        encryption_key: 32-byte symmetric key for the project.
+        signing_pubkey: 32-byte signing public key for the project.
+        max_bundle_bytes: Defensive cap on bundle size. Rejects huge blobs
+            before doing any crypto work (default 16 MiB).
+
+    Returns:
+        A :class:`ParsedBundle` with the decoded header and payload dict.
+
+    Raises:
+        BundleFormatError: if the wire format is malformed.
+        BundleVerificationError: if the signature does not verify, or if
+            authenticated-encryption tag validation fails.
+    """
+    if not isinstance(blob, (bytes, bytearray)):
+        raise BundleFormatError(
+            f"bundle must be bytes, got {type(blob).__name__}"
+        )
+    blob = bytes(blob)
+
+    if len(blob) > max_bundle_bytes:
+        raise BundleFormatError(
+            f"bundle size {len(blob)} exceeds max {max_bundle_bytes}"
+        )
+
+    header, encrypted_payload, signature = _split_bundle(blob)
+
+    # Signature covers header[0:32] || encrypted_payload. Verify BEFORE
+    # decrypt so we never touch ciphertext for an unauthenticated blob.
+    if len(signing_pubkey) != 32:
+        raise BundleVerificationError(
+            f"signing public key must be 32 bytes, got {len(signing_pubkey)}"
+        )
+    _verify_ed25519(signing_pubkey, blob[:_HEADER_SIZE] + encrypted_payload, signature)
+
+    # Decrypt the payload.
+    if len(encryption_key) != 32:
+        raise BundleVerificationError(
+            f"encryption key must be 32 bytes, got {len(encryption_key)}"
+        )
+    plaintext_compressed = _decrypt_aes_gcm(encryption_key, encrypted_payload)
+
+    # zstd decompress.
+    plaintext_json = _zstd_decompress(plaintext_compressed)
+
+    # Parse JSON.
+    try:
+        payload = json.loads(plaintext_json.decode("utf-8"))
+    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
+        # We already verified the signature, so this is either a server
+        # bug or a successful decryption of corrupted content. Report as
+        # format error so the caller surfaces a clear message.
+        raise BundleFormatError(f"payload is not valid JSON: {exc}") from exc
+
+    if not isinstance(payload, dict):
+        raise BundleFormatError(
+            f"payload root must be an object, got {type(payload).__name__}"
+        )
+
+    return ParsedBundle(header=header, payload=payload)
+
+
+# --- Header / split --------------------------------------------------------
+
+
+def _split_bundle(blob: bytes) -> tuple[BundleHeader, bytes, bytes]:
+    """Validate the header and split the blob into (header, payload, signature)."""
+    if len(blob) < _HEADER_SIZE + _SIG_LEN:
+        raise BundleFormatError(
+            f"bundle too short: {len(blob)} bytes, need at least "
+            f"{_HEADER_SIZE + _SIG_LEN}"
+        )
+
+    if blob[:4] != _MAGIC:
+        raise BundleFormatError(
+            f"bad magic: expected CZ01, got {blob[:4]!r}"
+        )
+
+    # Parse the fixed-layout header.
+    (
+        schema_version,
+        created_at,
+        policy_count,
+        sig_offset,
+        sig_len,
+    ) = struct.unpack_from("<HQHII", blob, 4)
+
+    # The reserved 8 bytes at offset 24 must be zero. This gives us room
+    # to extend the header in a backwards-compatible way later.
+    reserved = blob[24:32]
+    if reserved != b"\x00" * 8:
+        raise BundleFormatError(f"reserved bytes must be zero, got {reserved!r}")
+
+    if schema_version < 1 or schema_version > _SCHEMA_VERSION_MAX:
+        raise BundleFormatError(
+            f"unsupported schema version {schema_version}, this SDK "
+            f"supports 1..{_SCHEMA_VERSION_MAX}. Upgrade the SDK."
+        )
+
+    if sig_len != _SIG_LEN:
+        raise BundleFormatError(
+            f"unexpected signature length {sig_len}, want {_SIG_LEN}"
+        )
+
+    if sig_offset < _HEADER_SIZE:
+        raise BundleFormatError(
+            f"sig_offset {sig_offset} must be >= header size {_HEADER_SIZE}"
+        )
+
+    if sig_offset + sig_len > len(blob):
+        raise BundleFormatError(
+            f"signature extends past end of bundle: sig_offset={sig_offset} "
+            f"sig_len={sig_len} bundle_len={len(blob)}"
+        )
+
+    if sig_offset + sig_len != len(blob):
+        # Trailing bytes after the signature are not allowed. This prevents
+        # smuggling data past the authenticated region.
+        raise BundleFormatError(
+            f"trailing bytes after signature: "
+            f"sig_offset+sig_len={sig_offset + sig_len} bundle_len={len(blob)}"
+        )
+
+    encrypted_payload = blob[_HEADER_SIZE:sig_offset]
+    signature = blob[sig_offset : sig_offset + sig_len]
+
+    return (
+        BundleHeader(
+            schema_version=schema_version,
+            created_at=created_at,
+            policy_count=policy_count,
+            sig_offset=sig_offset,
+            sig_len=sig_len,
+        ),
+        encrypted_payload,
+        signature,
+    )
+
+
+# --- Crypto primitives -----------------------------------------------------
+
+
+def _verify_ed25519(pubkey: bytes, message: bytes, signature: bytes) -> None:
+    """Verify a detached signature. Raises BundleVerificationError on failure."""
+    try:
+        from cryptography.exceptions import InvalidSignature
+        from cryptography.hazmat.primitives.asymmetric.ed25519 import (
+            Ed25519PublicKey,
+        )
+    except ImportError as exc:
+        # The cryptography package is a hard dependency of the SDK. If it
+        # is missing, we cannot verify a bundle and MUST NOT accept it.
+        raise BundleVerificationError(
+            "cryptography library is not installed; cannot verify bundle"
+        ) from exc
+
+    try:
+        pk = Ed25519PublicKey.from_public_bytes(pubkey)
+        pk.verify(signature, message)
+    except InvalidSignature as exc:
+        raise BundleVerificationError(
+            "signature verification failed: bundle is not authentic"
+        ) from exc
+    except Exception as exc:  # noqa: BLE001
+        raise BundleVerificationError(
+            f"signature verification error: {exc}"
+        ) from exc
+
+
+def _decrypt_aes_gcm(key: bytes, encrypted: bytes) -> bytes:
+    """Authenticated-encryption decrypt. Expects nonce(12) || ciphertext || tag(16)."""
+    try:
+        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+    except ImportError as exc:
+        raise BundleVerificationError(
+            "cryptography library is not installed; cannot decrypt bundle"
+        ) from exc
+
+    if len(encrypted) < _GCM_NONCE_SIZE + _GCM_TAG_SIZE:
+        raise BundleFormatError(
+            f"encrypted payload too short ({len(encrypted)} bytes) to contain "
+            f"nonce and tag"
+        )
+
+    nonce = encrypted[:_GCM_NONCE_SIZE]
+    ciphertext_with_tag = encrypted[_GCM_NONCE_SIZE:]
+
+    try:
+        aesgcm = AESGCM(key)
+        return aesgcm.decrypt(nonce, ciphertext_with_tag, None)
+    except Exception as exc:  # noqa: BLE001
+        # Authenticated-encryption tag check failed or key mismatch.
+        # Either way, the bundle is not trusted.
+        raise BundleVerificationError(
+            f"bundle decryption failed: {exc}"
+        ) from exc
+
+
+def _zstd_decompress(data: bytes) -> bytes:
+    """Zstd decompress. Tries multiple Python bindings for portability.
+
+    Some backend builds produce zstd frames without the frame content
+    size in the header (klauspost/compress EncodeAll variants). In that
+    case `zstd.ZstdDecompressor().decompress(data)` raises:
+
+        zstandard.backend_c.ZstdError:
+            could not determine content size in frame header
+
+    To decompress regardless of whether the size is declared, we fall
+    back to the streaming API with a hard upper bound of 16 MiB --
+    matching MAX_BUNDLE_BYTES enforced one layer up. This is the
+    standard robust-decompression pattern recommended by the zstandard
+    maintainers for untrusted / variable-source input. #113.
+    """
+    # 16 MiB upper bound on decompressed size; matches
+    # hosted_policy.MAX_BUNDLE_BYTES. Kept inline to avoid an import
+    # cycle between _internal and hosted_policy.
+    _MAX_DECOMPRESSED = 16 * 1024 * 1024
+
+    # Preferred: `zstandard` is the de-facto PyPI package.
+    try:
+        import io
+        import zstandard as zstd
+
+        dctx = zstd.ZstdDecompressor()
+        # Streaming read works for frames that lack the declared
+        # content size. Cap the output to prevent a zip-bomb class
+        # of attack on a tampered bundle.
+        with dctx.stream_reader(io.BytesIO(data)) as reader:
+            out = reader.read(_MAX_DECOMPRESSED + 1)
+        if len(out) > _MAX_DECOMPRESSED:
+            raise BundleVerificationError(
+                f"zstd decompressed payload exceeds {_MAX_DECOMPRESSED} byte limit"
+            )
+        return out
+    except ImportError:
+        pass
+
+    # Fallback: `pyzstd`. Its `decompress()` handles missing content
+    # size natively without needing streaming mode.
+    try:
+        import pyzstd
+
+        return pyzstd.decompress(data)
+    except ImportError:
+        pass
+
+    raise BundleVerificationError(
+        "zstd decompression library not installed; "
+        "install with: pip install 'controlzero[hosted]' or pip install zstandard"
+    )
+
+
+# --- Schema translation ----------------------------------------------------
+
+
+def translate_to_local_policy(payload: dict) -> dict:
+    """Translate a decrypted bundle payload to the local policy dict shape.
+
+    The bundle's `policies` list comes from the backend in the shape
+    produced by :func:`BundleHandler.SDKPull` (Go: bundlePolicy). The
+    local :class:`PolicyEvaluator` expects the input format from
+    :func:`controlzero.policy_loader.load_policy`: a dict with
+    ``version: "1"`` and a flat ``rules`` list where each entry is
+    either ``{"deny": "<tool>"}``, ``{"allow": "<tool>"}`` or
+    ``{"effect": "<deny|allow|warn|audit>", "action": "<tool>"}``.
+
+    Policies are sorted by ``priority`` ascending so SDKs in every
+    language produce identical decisions from identical input.
+    """
+    policies = payload.get("policies") or []
+    policies = sorted(
+        [p for p in policies if isinstance(p, dict)],
+        key=lambda p: int(p.get("priority", 100)),
+    )
+
+    flat: list[dict] = []
+    for pol in policies:
+        raw_rules = pol.get("rules")
+        if isinstance(raw_rules, dict):
+            rule_list = list(raw_rules.values())
+        elif isinstance(raw_rules, list):
+            rule_list = raw_rules
+        else:
+            continue
+
+        for r in rule_list:
+            if not isinstance(r, dict):
+                continue
+            translated = _translate_rule(r, pol.get("id", ""))
+            if translated is not None:
+                flat.append(translated)
+
+    if not flat:
+        # Empty policy set: default deny-all. An empty hosted project is
+        # not "everything allowed" -- it's "nothing configured yet."
+        flat.append({
+            "effect": "deny",
+            "action": "*",
+            "reason": (
+                "No active policies. Define one in the Control Zero dashboard."
+            ),
+        })
+
+    return {"version": "1", "rules": flat}
+
+
+def _translate_rule(rule: dict, policy_id: str) -> Optional[dict]:
+    """Translate a single backend rule to the local rule shape."""
+    effect = rule.get("effect") or rule.get("action") or "allow"
+    if effect not in ("allow", "deny", "warn", "audit"):
+        effect = "allow"
+
+    # Find the tool pattern. The backend may put it under several keys
+    # depending on the policy form (LLM, tool-call, etc.).
+    pattern = rule.get("tool")
+    if not pattern:
+        pattern = rule.get("pattern")
+    if not pattern:
+        match = rule.get("match")
+        if isinstance(match, dict):
+            pattern = match.get("tool") or match.get("action")
+    if not pattern:
+        # Final fallback: universal match. Combined with a non-allow
+        # effect, this is still meaningful (e.g. deny-all).
+        pattern = "*"
+
+    translated: dict = {
+        "effect": effect,
+        "action": pattern,
+        "reason": rule.get("reason") or f"policy:{policy_id}",
+    }
+
+    resources = rule.get("resources") or rule.get("resource")
+    if resources:
+        translated["resources"] = resources
+
+    return translated