controlzero 1.5.6__tar.gz → 1.5.7__tar.gz

{controlzero-1.5.6 → controlzero-1.5.7}/CHANGELOG.md

@@ -1,5 +1,28 @@
 # Changelog
 
+## v1.5.7 -- 2026-05-16 (PRIVACY)
+
+### Fixed
+
+- **Customer-context comments in the published wheel.** Codex +
+  Gemini outside-voice review surfaced several customer-context
+  strings + private monorepo path references that v1.5.6 missed:
+  - `controlzero/hosted_policy.py` referenced a customer-specific
+    possessive when describing the T104 cache-GC scenario. Rewritten
+    in neutral phrasing that preserves the technical context.
+  - `controlzero/enrollment.py` documented the wire-format contract
+    via a private monorepo path. Replaced with a pointer to the
+    public docs site.
+  - `controlzero/cli/hosts/base.py` and
+    `controlzero/cli/hosts/unknown.py` referenced an internal
+    backend filename in inline comments. Replaced with a generic
+    description of the constraint.
+  - Tests `test_t104_cache_gc.py` and `test_t103_precedence.py`
+    carried a geographic identifier and a customer-derived test
+    name (NOT in the published wheel since tests are excluded, but
+    scrubbed for consistency).
+- **No behavior change.** Comments + docstrings only.
+
 ## v1.5.6 -- 2026-05-15 (PRIVACY)
 
 ### Fixed

{controlzero-1.5.6 → controlzero-1.5.7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: controlzero
-Version: 1.5.6
+Version: 1.5.7
 Summary: AI agent governance: policies, audit, and observability for tool calls. Works locally with no signup.
 Project-URL: Homepage, https://controlzero.ai
 Project-URL: Documentation, https://docs.controlzero.ai

{controlzero-1.5.6 → controlzero-1.5.7}/controlzero/__init__.py

@@ -28,7 +28,7 @@ from controlzero.errors import (
 )
 from controlzero.policy_loader import load_policy
 
-__version__ = "1.5.6"
+__version__ = "1.5.7"
 
 __all__ = [
     "Client",

{controlzero-1.5.6 → controlzero-1.5.7}/controlzero/cli/hosts/__init__.py

@@ -36,9 +36,9 @@ A ``HostAdapter`` owns three responsibilities for one host runtime:
    (Windows Claude Code is the canonical case).
 2. ``render(decision)`` -- translate the canonical ``CZDecision``
    into the JSON shape this host's hook validator accepts.
-3. ``canonical_source`` -- the backend ``audit.NormalizeSource``
-   alias (``claude_code`` / ``gemini_cli`` / ``codex_cli`` / etc.)
-   so the audit row's SOURCE column renders correctly.
+3. ``canonical_source`` -- the backend-side source alias
+   (``claude_code`` / ``gemini_cli`` / ``codex_cli`` / etc.) so the
+   audit row's SOURCE column renders correctly.
 
 Adding a new host (Cursor, Windsurf, OpenClaw, Antigravity, the
 next agent that ships) is a single file in this package: subclass

{controlzero-1.5.6 → controlzero-1.5.7}/controlzero/cli/hosts/base.py

@@ -84,7 +84,7 @@ class HostAdapter:
     A subclass needs three things:
 
     * ``name`` -- short identifier used in logs ("claude_code").
-    * ``canonical_source`` -- backend ``audit.NormalizeSource`` alias
+    * ``canonical_source`` -- backend-side source alias
       ("claude_code" / "gemini_cli" / "codex_cli" / "unknown").
       This is what the audit row's SOURCE column resolves to so
       the dashboard renders the right label.
@@ -109,10 +109,9 @@ class HostAdapter:
     #: Short identifier used in logs / metrics.
     name: str = "base"
 
-    #: Backend ``audit.NormalizeSource`` alias. Must be one of the
-    #: canonical values in ``backend/internal/audit/source.go`` so
-    #: the dashboard renders the right label. Default is
-    #: ``"unknown"`` -- subclasses MUST override.
+    #: Backend audit source alias. Must be one of the canonical
+    #: values the dashboard accepts so the right label renders.
+    #: Default is ``"unknown"`` -- subclasses MUST override.
     canonical_source: str = "unknown"
 
     # -- detection --------------------------------------------------

{controlzero-1.5.6 → controlzero-1.5.7}/controlzero/cli/hosts/unknown.py

@@ -26,9 +26,8 @@ from controlzero.cli.hosts.base import CZDecision, HostAdapter
 
 class UnknownHostAdapter(HostAdapter):
     name = "unknown"
-    # Canonical source value mapped in
-    # ``backend/internal/audit/source.go`` -- renders as ``--`` on
-    # the dashboard. Better than mislabelling.
+    # Canonical source value the dashboard accepts -- renders as
+    # ``--`` on the dashboard. Better than mislabelling.
     canonical_source = "unknown"
 
     def claim(self, payload: dict, env: Mapping[str, str]) -> bool:

{controlzero-1.5.6 → controlzero-1.5.7}/controlzero/enrollment.py

@@ -19,10 +19,9 @@ private key lives in ``~/.controlzero/machine.key`` with mode 0600.
 A follow-up will plug in Keychain/DPAPI/secret-service per platform;
 the file-on-disk fallback stays as the bottom of the chain.
 
-Wire-format: see ``apps/control-zero-platform/backend/internal/api/
-middleware/machine_auth.go`` for the canonical signed string and
-header definitions. This module is the source of truth on the
-client side.
+Wire-format contract: see the public docs and OpenAPI spec for the
+machine-auth endpoint at https://docs.controlzero.ai. This module is
+the source of truth on the client side.
 """
 
 from __future__ import annotations

{controlzero-1.5.6 → controlzero-1.5.7}/controlzero/hosted_policy.py

@@ -138,8 +138,8 @@ def gc_stale_cache(active_api_key: str) -> int:
     T104 (2026-05-12, customer report): on key rotation the old key's cache files
     (``bootstrap-<oldscope>.json``, ``bundle-<oldscope>.bin``,
     ``bundle-<oldscope>.meta``) accumulated forever next to the new key's
-    files. John's machine carried a 25-day-old ``bundle-cz_live_566b.bin``
-    next to a fresh ``bootstrap-cz_live_1af8.json`` because the rotated
+    files. A customer reported a 25-day-old ``bundle-<oldscope>.bin`` left
+    next to a fresh ``bootstrap-<newscope>.json`` because the rotated
     key never invalidated the previous cache. We clean up on every fresh
     bootstrap so the cache directory always reflects exactly one active
     key per machine.

{controlzero-1.5.6 → controlzero-1.5.7}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "controlzero"
-version = "1.5.6"
+version = "1.5.7"
 description = "AI agent governance: policies, audit, and observability for tool calls. Works locally with no signup."
 readme = "README.md"
 license = {text = "Apache-2.0"}

{controlzero-1.5.6 → controlzero-1.5.7}/tests/test_api_key_mask.py

@@ -19,12 +19,12 @@ from controlzero.client import _mask_api_key
 
 
 def test_mask_live_key_emits_only_public_prefix():
-    masked = _mask_api_key("cz_live_7ebef6b600015e3eaeda9149bf6d9c29a")
+    masked = _mask_api_key("cz_live_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
     assert masked == "cz_live_***"
 
 
 def test_mask_test_key_emits_only_public_prefix():
-    masked = _mask_api_key("cz_test_abcdef0123456789abcdef0123456789")
+    masked = _mask_api_key("cz_test_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb")
     assert masked == "cz_test_***"
 
 
@@ -42,10 +42,10 @@ def test_mask_empty_string_returns_triple_star():
 
 
 def test_mask_never_leaks_secret_bytes_brute_force():
-    # The secret portion of a real production key (anonymised:
-    # do not use this value as-is, the customer rotated it after the
+    # Obviously-synthetic placeholder fixture. The 4-char window
+    # scan downstream remains meaningful: the masked output must not
     # 1.5.0 -> 1.5.1 incident on 2026-05-12).
-    secret_tail = "7ebef6b600015e3eaeda9149bf6d9c29a3a2a7a3075209112afde20888280de0"
+    secret_tail = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
     for prefix in ("cz_live_", "cz_test_"):
         key = prefix + secret_tail
         masked = _mask_api_key(key)

{controlzero-1.5.6 → controlzero-1.5.7}/tests/test_env_dump_438.py

@@ -66,7 +66,7 @@ def test_env_dump_outputs_valid_json(monkeypatch):
 def test_env_dump_redacts_api_key_by_default(monkeypatch):
     monkeypatch.setenv(
         "CONTROLZERO_API_KEY",
-        "cz_live_7ebef6b600015e3eaeda9149bf6d9c29a3a2a7a3075209112afde20888280de0",
+        "cz_live_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
     )
     result = _invoke([])
     assert result.exit_code == 0
@@ -74,7 +74,7 @@ def test_env_dump_redacts_api_key_by_default(monkeypatch):
     masked = data["env"]["CONTROLZERO_API_KEY"]
     assert masked == "cz_live_***"
     # Defensive: the secret bytes MUST NOT appear anywhere in the dump.
-    secret_tail = "7ebef6b600015e3eaeda9149bf6d9c29a"
+    secret_tail = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
     assert secret_tail not in result.output
 
 

{controlzero-1.5.6 → controlzero-1.5.7}/tests/test_install_hook_command.py

@@ -30,8 +30,8 @@ from click.testing import CliRunner
 from controlzero.cli.main import cli
 
 
-LIVE_KEY = "cz_live_7ebef6b600015e3eaeda9149bf6d9c29a3a2a7a3075209112afde20888280de0"
-TEST_KEY = "cz_test_abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234567"
+LIVE_KEY = "cz_live_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+TEST_KEY = "cz_test_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
 
 
 def _read_pretooluse_command(settings_path: Path) -> str:

{controlzero-1.5.6 → controlzero-1.5.7}/tests/test_t103_precedence.py

@@ -1,6 +1,6 @@
 """T103 regression tests: hosted-vs-local precedence.
 
-an enterprise customer (Korea) 2026-05-12: a stale ~/.controlzero/policy.yaml
+Customer report 2026-05-12: a stale ~/.controlzero/policy.yaml
 shadowed the dashboard policy with no warning. Local always won over
 hosted when both were present. T103 reverses this so api_key implies
 hosted unless CONTROLZERO_LOCAL_OVERRIDE=1.
@@ -101,10 +101,10 @@ def test_no_api_key_accepts_json_policy(monkeypatch, tmp_path):
     cz.close()
 
 
-def test_john_na_regression_cwd_yaml_bypassed_when_api_key_set(
+def test_customer_2026_05_12_cwd_yaml_bypassed_when_api_key_set(
     monkeypatch, tmp_path
 ):
-    """an enterprise customer (Korea) 2026-05-12 regression.
+    """Customer report 2026-05-12 regression.
 
     Pre-T103: a stale ~/.controlzero/policy.yaml shadowed the hosted
     bundle for 25 days. Post-T103: api_key + cwd policy.yaml + no
@@ -125,7 +125,7 @@ def test_john_na_regression_cwd_yaml_bypassed_when_api_key_set(
         encoding="utf-8",
     )
     monkeypatch.chdir(tmp_path)
-    monkeypatch.setenv("CONTROLZERO_API_KEY", "cz_live_johnnafake")
+    monkeypatch.setenv("CONTROLZERO_API_KEY", "cz_live_synthetictest")
     monkeypatch.delenv("CONTROLZERO_LOCAL_OVERRIDE", raising=False)
 
     hosted_policy = {

{controlzero-1.5.6 → controlzero-1.5.7}/tests/test_t104_cache_gc.py

@@ -1,11 +1,11 @@
 """T104 regression tests: stale cache GC on key rotation.
 
-an enterprise customer (Korea) 2026-05-12: rotated his api_key from
-``cz_live_566b...`` to ``cz_live_1af8...``. The new key bootstrapped
-fresh but ``cache/bundle-cz_live_566b.bin`` lingered for 25 days next to
-the new key's files. T104 GC's any cache files whose key-scope does NOT
-match the currently-active api_key, but only on a fresh bootstrap (not
-on a cache hit, because that means the active key is unchanged).
+Customer report 2026-05-12: rotated their api_key from one value to
+another. The new key bootstrapped fresh but the prior key's
+``cache/bundle-<oldscope>.bin`` lingered for 25 days next to the new
+key's files. T104 GC's any cache files whose key-scope does NOT match
+the currently-active api_key, but only on a fresh bootstrap (not on a
+cache hit, because that means the active key is unchanged).
 """
 
 from __future__ import annotations
@@ -47,19 +47,19 @@ def _write_cache_triplet(cache_dir: Path, scope: str) -> tuple[Path, Path, Path]
 
 
 def test_gc_removes_files_for_rotated_keys(fake_cache_dir):
-    """Stale triplet for cz_live_566b... is removed when 1af8 is active."""
-    _write_cache_triplet(fake_cache_dir, _key_scope("cz_live_566bdeadbeef"))
+    """Stale triplet for the old scope is removed when the new scope is active."""
+    _write_cache_triplet(fake_cache_dir, _key_scope("cz_live_oldscope0000"))
     new_files = _write_cache_triplet(
-        fake_cache_dir, _key_scope("cz_live_1af8fd9bcafe")
+        fake_cache_dir, _key_scope("cz_live_newscope0000")
     )
 
-    removed = gc_stale_cache("cz_live_1af8fd9bcafe")
+    removed = gc_stale_cache("cz_live_newscope0000")
 
-    assert removed == 3  # the 566b triplet
+    assert removed == 3  # the old-scope triplet
     for stale_name in (
-        f"bootstrap-{_key_scope('cz_live_566bdeadbeef')}.json",
-        f"bundle-{_key_scope('cz_live_566bdeadbeef')}.bin",
-        f"bundle-{_key_scope('cz_live_566bdeadbeef')}.meta",
+        f"bootstrap-{_key_scope('cz_live_oldscope0000')}.json",
+        f"bundle-{_key_scope('cz_live_oldscope0000')}.bin",
+        f"bundle-{_key_scope('cz_live_oldscope0000')}.meta",
     ):
         assert not (fake_cache_dir / stale_name).exists()
     for active in new_files:
@@ -68,17 +68,17 @@ def test_gc_removes_files_for_rotated_keys(fake_cache_dir):
 
 def test_gc_is_noop_when_only_active_key_present(fake_cache_dir):
     """No-op when every file already belongs to the active key."""
-    _write_cache_triplet(fake_cache_dir, _key_scope("cz_live_1af8fd9bcafe"))
-    removed = gc_stale_cache("cz_live_1af8fd9bcafe")
+    _write_cache_triplet(fake_cache_dir, _key_scope("cz_live_newscope0000"))
+    removed = gc_stale_cache("cz_live_newscope0000")
     assert removed == 0
 
 
 def test_gc_leaves_unrelated_files_alone(fake_cache_dir):
     """Stray user files in the cache dir are preserved.
 
-    John's machine had `s3_copy.py` in `~/.controlzero/`; we are not
-    going to delete arbitrary user content even if they put it in our
-    cache dir.
+    A customer's machine had `s3_copy.py` in `~/.controlzero/`; we are
+    not going to delete arbitrary user content even if they put it in
+    our cache dir.
     """
     stray = fake_cache_dir / "README.txt"
     stray.write_text("notes", encoding="utf-8")
@@ -114,7 +114,7 @@ def test_get_or_fetch_bootstrap_triggers_gc_on_fresh_fetch(
     fake_cache_dir, monkeypatch
 ):
     """A fresh bootstrap fetch triggers cache GC for rotated keys."""
-    stale_scope = _key_scope("cz_live_566bdeadbeef")
+    stale_scope = _key_scope("cz_live_oldscope0000")
     _write_cache_triplet(fake_cache_dir, stale_scope)
 
     fresh_keys = BootstrapKeys(
@@ -126,16 +126,16 @@ def test_get_or_fetch_bootstrap_triggers_gc_on_fresh_fetch(
     )
 
     def fake_fetch(api_key, api_url=None):
-        assert api_key == "cz_live_1af8fd9bcafe"
+        assert api_key == "cz_live_newscope0000"
         return fresh_keys
 
     monkeypatch.setattr(hosted_policy, "fetch_bootstrap", fake_fetch)
 
-    keys = hosted_policy.get_or_fetch_bootstrap("cz_live_1af8fd9bcafe")
+    keys = hosted_policy.get_or_fetch_bootstrap("cz_live_newscope0000")
     assert keys.project_id == "proj"
 
     # Stale triplet gone, new bootstrap landed.
-    new_scope = _key_scope("cz_live_1af8fd9bcafe")
+    new_scope = _key_scope("cz_live_newscope0000")
     assert not (fake_cache_dir / f"bootstrap-{stale_scope}.json").exists()
     assert not (fake_cache_dir / f"bundle-{stale_scope}.bin").exists()
     assert not (fake_cache_dir / f"bundle-{stale_scope}.meta").exists()