controlzero 1.4.5__tar.gz → 1.4.6__tar.gz

{controlzero-1.4.5 → controlzero-1.4.6}/CHANGELOG.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## 1.4.6 -- 2026-05-11
+
+### Fixed
+
+- **resources:["*"] no longer requires a caller resource** (T83).
+  Hosted policy bundles emit `resources:["*"]` for any rule that does
+  not scope by resource. The enforcer's resource gate previously
+  required a caller-supplied `context.resource` even when the rule's
+  resources list was the universal wildcard, causing every rule to be
+  silently skipped on calls that didn't pass a resource. Result: every
+  `cz.guard()` returned `deny` with `reason_code=NO_RULE_MATCH` regardless
+  of what the policy said. Now rules with `*` in their resources match
+  universally; non-wildcard resource patterns still require a caller
+  resource (no silent broadening). Three regression tests added in
+  `tests/test_glob_matching.py` including the exact bundle shape from
+  the customer reproduction.
+
 ## 1.4.5 -- 2026-05-05
 
 ### Added

{controlzero-1.4.5 → controlzero-1.4.6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: controlzero
-Version: 1.4.5
+Version: 1.4.6
 Summary: AI agent governance: policies, audit, and observability for tool calls. Works locally with no signup.
 Project-URL: Homepage, https://controlzero.ai
 Project-URL: Documentation, https://docs.controlzero.ai

{controlzero-1.4.5 → controlzero-1.4.6}/controlzero/__init__.py

@@ -28,7 +28,7 @@ from controlzero.errors import (
 )
 from controlzero.policy_loader import load_policy
 
-__version__ = "1.4.5"
+__version__ = "1.4.6"
 
 __all__ = [
     "Client",

{controlzero-1.4.5 → controlzero-1.4.6}/controlzero/_internal/enforcer.py

@@ -253,8 +253,19 @@ class PolicyEvaluator:
             if not any(_glob_any(rule.actions, a) for a in candidate_actions):
                 continue
             if rule.resources:
-                if not resource or not _glob_any(rule.resources, resource):
-                    continue
+                # T83: a rule whose resources list contains "*" matches
+                # universally and must NOT require the caller to supply
+                # context.resource. The dashboard always emits
+                # resources:["*"] for unscoped rules, so prior to this
+                # fix every cz.guard() call without an explicit resource
+                # was skipping every rule and falling through to the
+                # default deny (Bryan deny-deny incident, 2026-05-10).
+                # Logic now: if any pattern in rule.resources is the
+                # universal "*", treat the gate as satisfied; otherwise
+                # require a caller-supplied resource and glob-match it.
+                if "*" not in rule.resources:
+                    if not resource or not _glob_any(rule.resources, resource):
+                        continue
             if not self._conditions_match(rule.conditions, context, args):
                 continue
             # Prefer the rule-declared reason_code (only synthetic

{controlzero-1.4.5 → controlzero-1.4.6}/controlzero/hosted_policy.py

@@ -409,5 +409,13 @@ def _parse_and_translate(
 
 
 def _compute_etag(blob: bytes) -> str:
-    """Fallback ETag when the server doesn't provide one."""
-    return hashlib.sha256(blob).hexdigest()[:32]
+    """Fallback ETag when the server doesn't provide one.
+
+    Returns the full 64-char hex sha256 of the bundle blob. The backend
+    stores and serves the full hex string in its ETag header, so the
+    SDK must hash to the same width for `If-None-Match` to ever match.
+    Truncating to 32 chars (the prior shape) silently broke the 304
+    short-circuit, surfacing as Bryan's investigation finding 1 in
+    docs/investigations/bryan-db-read-only-fail-closed-2026-05-08.md.
+    """
+    return hashlib.sha256(blob).hexdigest()

{controlzero-1.4.5 → controlzero-1.4.6}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "controlzero"
-version = "1.4.5"
+version = "1.4.6"
 description = "AI agent governance: policies, audit, and observability for tool calls. Works locally with no signup."
 readme = "README.md"
 license = {text = "Apache-2.0"}

{controlzero-1.4.5 → controlzero-1.4.6}/tests/test_glob_matching.py

@@ -116,3 +116,86 @@ def test_universal_wildcard(tmp_log):
     assert cz.guard("anything").allowed
     assert cz.guard("anything", method="anything").allowed
     cz.close()
+
+
+# ---------------------------------------------------------------------
+# T83 regression: resources:["*"] must NOT require a caller resource.
+# ---------------------------------------------------------------------
+# Pre-T83 the dashboard's universal-resource shape (every rule emitted
+# resources:["*"]) skipped every rule when callers passed no
+# context.resource, falling through to default deny. Bryan deny-deny
+# incident, 2026-05-10. The exact bundle Bryan ran against is the
+# fixture below.
+
+def test_resources_wildcard_matches_without_context_resource(tmp_log):
+    cz = Client(
+        policy={
+            "rules": [
+                {
+                    "id": "rule-0",
+                    "allow": "database:read",
+                    "resources": ["*"],
+                },
+            ],
+        },
+        log_path=str(tmp_log),
+    )
+    # SELECT classifies as database:read via sql_semantic_class.
+    r = cz.guard("database", method="read", args={"sql": "SELECT id FROM orders"})
+    assert r.decision == "allow", f"resources:['*'] without context.resource should match; got {r.decision} ({r.reason})"
+    cz.close()
+
+
+def test_bryan_db_read_only_full_bundle_shape(tmp_log):
+    """End-to-end against the EXACT rule shape from Bryan's published bundle.
+
+    This is the smoking-gun reproduction:
+      - rule-0 allow database:read    (should fire on SELECT)
+      - rule-1 deny  database:exec    (should fire on DROP via canonical class)
+      - rule-2 deny  database:delete  (separate guard rail)
+    All rules carry resources:["*"]. Pre-T83 every call returned deny.
+    """
+    cz = Client(
+        policy={
+            "rules": [
+                {"id": "rule-0", "allow": "database:read", "resources": ["*"]},
+                {"id": "rule-1", "deny": "database:exec", "resources": ["*"]},
+                {"id": "rule-2", "deny": "database:delete", "resources": ["*"]},
+            ],
+        },
+        log_path=str(tmp_log),
+    )
+    # SELECT must allow.
+    r = cz.guard("database", method="read", args={"sql": "SELECT id FROM orders"})
+    assert r.decision == "allow", f"SELECT should allow, got {r.decision} ({r.reason})"
+
+    # DROP TABLE: caller passes method="exec" so candidate_actions
+    # contains database:exec which matches rule-1 deny.
+    r2 = cz.guard("database", method="exec", args={"sql": "DROP TABLE orders"})
+    assert r2.decision == "deny", f"DROP via method=exec should deny, got {r2.decision} ({r2.reason})"
+    cz.close()
+
+
+def test_specific_resource_pattern_still_requires_caller_resource(tmp_log):
+    """T83 must NOT regress non-wildcard resource scoping. A rule that
+    names a concrete resource pattern should still skip when the caller
+    passes no resource."""
+    cz = Client(
+        policy={
+            "rules": [
+                {"id": "scoped", "allow": "fs:read", "resources": ["/home/*"]},
+                {"deny": "*"},
+            ],
+        },
+        log_path=str(tmp_log),
+    )
+    # No resource in context -- scoped rule must NOT match, fall through to deny.
+    r = cz.guard("fs", method="read")
+    assert r.decision == "deny", f"scoped rule must not match without context.resource, got {r.decision}"
+    # With matching resource, allow.
+    r2 = cz.guard("fs", method="read", context={"resource": "/home/alice/notes.txt"})
+    assert r2.decision == "allow"
+    # With non-matching resource, deny via fall-through.
+    r3 = cz.guard("fs", method="read", context={"resource": "/etc/passwd"})
+    assert r3.decision == "deny"
+    cz.close()

{controlzero-1.4.5 → controlzero-1.4.6}/tests/test_refresh.py

@@ -140,7 +140,12 @@ def mock_backend(tmp_path, monkeypatch):
     import hashlib
 
     def current_etag() -> str:
-        return hashlib.sha256(backend.bundle_bytes).hexdigest()[:32]
+        # Match the SDK's _compute_etag (full 64-char hex). The earlier
+        # [:32] truncation here mirrored the bug in hosted_policy.py
+        # that PR #374 fixed; keeping the truncation here would make
+        # the mock backend's ETag perpetually mismatch the SDK's
+        # If-None-Match and the 304 short-circuit would never fire.
+        return hashlib.sha256(backend.bundle_bytes).hexdigest()
 
     class Handler(BaseHTTPRequestHandler):
         def _bearer_ok(self):