controlzero 1.5.7__tar.gz → 1.5.8__tar.gz

{controlzero-1.5.7 → controlzero-1.5.8}/.gitignore

@@ -239,3 +239,7 @@ secrets/*.dec
 
 # Local documentation, patent assets, and legal research (sensitive, never commit)
 doc_local/
+
+# Go build/module caches (generated by `go build`, `go test`, etc.)
+**/.gocache/
+**/.gomodcache/

{controlzero-1.5.7 → controlzero-1.5.8}/CHANGELOG.md

@@ -1,5 +1,39 @@
 # Changelog
 
+## v1.5.8 -- 2026-05-16 (HITL-5a, gh#538)
+
+Additive minor preparing the SDK for the Human-in-the-Loop approval
+workflow that ships in 1.6.0 (HITL-6a, gh#542). Pure additive: no
+behavior change on existing policies; no new public API surface.
+
+### Added
+
+- **`escalate_on_deny: bool` rule key** is acknowledged. Customers may
+  pre-tag deny rules for HITL eligibility; 1.5.8 persists the field
+  on `PolicyRule` (default `False`). The actual `request_approval()`
+  flow ships in 1.6.0; 1.5.8 ensures a customer pre-tagging rules
+  doesn't crash an old client.
+- **Typo guardrail** on rule keys. Unknown keys within Levenshtein-1
+  of a known key (`escalate_on_dney` -> `escalate_on_deny`) now print
+  a one-line "did you mean?" warning to stderr. Unknown keys far from
+  any known key remain silently accepted (additive contract).
+- **9 new HITL reason codes** registered in `VALID_REASON_CODES`:
+  `HITL_SDK_TIMEOUT`, `HITL_SLA_EXPIRED`, `HITL_BACKEND_UNREACHABLE`,
+  `HITL_POLICY_VERSION_CONFLICT`, `HITL_NO_APPROVER_AVAILABLE`,
+  `HITL_IDENTITY_NOT_IN_ORG`, `HITL_IDENTITY_REQUIRED`,
+  `HITL_IDENTITY_CLAIM_REJECTED`, `HITL_ARGS_HASH_MISMATCH`. 1.5.8
+  itself never emits these; registration ensures a 1.6.0+ client's
+  audit rows pass 1.5.8 ingest validation during a mixed-version
+  rollout.
+
+### Unchanged
+
+- 11-line Hello World still works.
+- All 156 existing SDK hook tests pass.
+- No new methods on `Client` or `PolicyDecision`.
+- Existing 1.5.7 policies parse identically (escalate_on_deny defaults
+  to `False`; legacy keys still in `_KNOWN_RULE_KEYS`).
+
 ## v1.5.7 -- 2026-05-16 (PRIVACY)
 
 ### Fixed

{controlzero-1.5.7 → controlzero-1.5.8}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: controlzero
-Version: 1.5.7
+Version: 1.5.8
 Summary: AI agent governance: policies, audit, and observability for tool calls. Works locally with no signup.
 Project-URL: Homepage, https://controlzero.ai
 Project-URL: Documentation, https://docs.controlzero.ai

{controlzero-1.5.7 → controlzero-1.5.8}/controlzero/__init__.py

@@ -28,7 +28,7 @@ from controlzero.errors import (
 )
 from controlzero.policy_loader import load_policy
 
-__version__ = "1.5.7"
+__version__ = "1.5.8"
 
 __all__ = [
     "Client",

{controlzero-1.5.7 → controlzero-1.5.8}/controlzero/_internal/enforcer.py

@@ -66,6 +66,20 @@ REASON_CODE_DLP_BLOCKED = "DLP_BLOCKED"
 # decision is "audit" and policy_id is "<lifecycle>".
 REASON_CODE_LOCAL_OVERRIDE_ACTIVE = "LOCAL_OVERRIDE_ACTIVE"
 
+# HITL approval-flow reason codes (HITL-5a, gh#538). The actual
+# request-approval flow ships in 1.6.0 (HITL-6a, gh#542); 1.5.8
+# registers the codes so audit rows from a 1.6.0+ client can be
+# accepted by a 1.5.8 ingest path without rejection.
+REASON_CODE_HITL_SDK_TIMEOUT = "HITL_SDK_TIMEOUT"
+REASON_CODE_HITL_SLA_EXPIRED = "HITL_SLA_EXPIRED"
+REASON_CODE_HITL_BACKEND_UNREACHABLE = "HITL_BACKEND_UNREACHABLE"
+REASON_CODE_HITL_POLICY_VERSION_CONFLICT = "HITL_POLICY_VERSION_CONFLICT"
+REASON_CODE_HITL_NO_APPROVER_AVAILABLE = "HITL_NO_APPROVER_AVAILABLE"
+REASON_CODE_HITL_IDENTITY_NOT_IN_ORG = "HITL_IDENTITY_NOT_IN_ORG"
+REASON_CODE_HITL_IDENTITY_REQUIRED = "HITL_IDENTITY_REQUIRED"
+REASON_CODE_HITL_IDENTITY_CLAIM_REJECTED = "HITL_IDENTITY_CLAIM_REJECTED"
+REASON_CODE_HITL_ARGS_HASH_MISMATCH = "HITL_ARGS_HASH_MISMATCH"
+
 VALID_REASON_CODES = frozenset({
     REASON_CODE_RULE_MATCH,
     REASON_CODE_NO_RULE_MATCH,
@@ -76,6 +90,15 @@ VALID_REASON_CODES = frozenset({
     REASON_CODE_NETWORK_ERROR,
     REASON_CODE_DLP_BLOCKED,
     REASON_CODE_LOCAL_OVERRIDE_ACTIVE,
+    REASON_CODE_HITL_SDK_TIMEOUT,
+    REASON_CODE_HITL_SLA_EXPIRED,
+    REASON_CODE_HITL_BACKEND_UNREACHABLE,
+    REASON_CODE_HITL_POLICY_VERSION_CONFLICT,
+    REASON_CODE_HITL_NO_APPROVER_AVAILABLE,
+    REASON_CODE_HITL_IDENTITY_NOT_IN_ORG,
+    REASON_CODE_HITL_IDENTITY_REQUIRED,
+    REASON_CODE_HITL_IDENTITY_CLAIM_REJECTED,
+    REASON_CODE_HITL_ARGS_HASH_MISMATCH,
 })
 
 # Synthetic policy_id sentinels (T79 / the deny-deny postmortem,

{controlzero-1.5.7 → controlzero-1.5.8}/controlzero/_internal/types.py

@@ -23,3 +23,9 @@ class PolicyRule(BaseModel):
     # "NO_ACTIVE_POLICIES"). User-authored rules leave this empty and
     # the evaluator does not promote them to a code.
     reason_code: str = ""
+    # HITL escalation tag (HITL-5a, gh#538): when True and the rule's
+    # effect is `deny`, the SDK marks the resulting PolicyDecision as
+    # `hitl_eligible=True`. The actual approval-request flow ships in
+    # 1.6.0 (HITL-6a, gh#542); 1.5.8 just acknowledges the field so a
+    # customer pre-tagging rules for HITL doesn't crash an old client.
+    escalate_on_deny: bool = False

{controlzero-1.5.7 → controlzero-1.5.8}/controlzero/policy_loader.py

@@ -44,6 +44,63 @@ PolicyInput = Union[dict, str, Path]
 
 VALID_TAMPER_BEHAVIORS = {"warn", "deny", "deny-all", "quarantine"}
 
+# Known rule-level keys. Used by the typo guardrail (HITL-5a, gh#538)
+# to surface "did you mean?" warnings on near-misses. Unknown keys are
+# still silently accepted (additive contract; never break existing YAML)
+# but a Levenshtein-1 match on a known key fires a `_KNOWN_RULE_KEYS`
+# warning in stderr so the customer can self-correct.
+_KNOWN_RULE_KEYS = frozenset({
+    "id",
+    "name",
+    "deny",
+    "allow",
+    "effect",
+    "action",
+    "actions",
+    "resource",
+    "resources",
+    "when",
+    "conditions",
+    "reason",
+    "reason_code",
+    "escalate_on_deny",  # HITL tag (additive in 1.5.8; behavior in 1.6.0)
+})
+
+
+def _levenshtein_le_1(a: str, b: str) -> bool:
+    """Return True iff edit distance between `a` and `b` is exactly 0 or 1.
+
+    Used by the typo guardrail to suggest fixes for unknown rule keys
+    that are one keystroke away from a known one (e.g. `escalate_on_dnen`
+    -> `escalate_on_deny`). Pure-Python; no external dependency.
+    """
+    if a == b:
+        return True
+    la, lb = len(a), len(b)
+    if abs(la - lb) > 1:
+        return False
+    if la > lb:
+        a, b = b, a
+        la, lb = lb, la
+    # la <= lb; check for one substitution (la == lb) or one insertion
+    i = j = diffs = 0
+    while i < la and j < lb:
+        if a[i] != b[j]:
+            diffs += 1
+            if diffs > 1:
+                return False
+            if la == lb:
+                i += 1
+                j += 1
+            else:
+                j += 1  # insertion in b
+        else:
+            i += 1
+            j += 1
+    if j < lb:
+        diffs += lb - j
+    return diffs <= 1
+
 
 @dataclass
 class PolicySettings:
@@ -258,6 +315,21 @@ def _validate_and_translate(data: dict, source_label: str) -> ParsedPolicy:
             errors.append(f"rules[{i}]: must be a mapping, got {type(raw).__name__}")
             continue
 
+        # Typo guardrail (HITL-5a, gh#538): warn on unknown rule keys that
+        # are within Levenshtein-1 of a known key. Unknown keys are still
+        # silently accepted (additive contract); the warning is stderr-only.
+        for k in raw.keys():
+            if k in _KNOWN_RULE_KEYS:
+                continue
+            for known in _KNOWN_RULE_KEYS:
+                if _levenshtein_le_1(k, known):
+                    import sys as _sys
+                    _sys.stderr.write(
+                        f"controlzero: rules[{i}] unknown key {k!r}; "
+                        f"did you mean {known!r}?\n"
+                    )
+                    break
+
         # Determine effect from the keys present
         has_deny = "deny" in raw
         has_allow = "allow" in raw
@@ -339,6 +411,12 @@ def _validate_and_translate(data: dict, source_label: str) -> ParsedPolicy:
                 # emitted by bundle.translate_to_local_policy) set
                 # this today; user-authored rules leave it empty.
                 reason_code=str(raw.get("reason_code", "")),
+                # HITL escalation tag (HITL-5a, gh#538). Coerce truthy
+                # values; non-bool / missing => False. The actual
+                # request-approval flow ships in 1.6.0 (HITL-6a); 1.5.8
+                # just persists the field so old SDKs don't crash on
+                # rules that pre-tag for HITL.
+                escalate_on_deny=bool(raw.get("escalate_on_deny", False)),
             )
         )
 

{controlzero-1.5.7 → controlzero-1.5.8}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "controlzero"
-version = "1.5.7"
+version = "1.5.8"
 description = "AI agent governance: policies, audit, and observability for tool calls. Works locally with no signup."
 readme = "README.md"
 license = {text = "Apache-2.0"}

controlzero-1.5.8/tests/test_hitl_reason_codes.py

@@ -0,0 +1,72 @@
+"""Tests for HITL-5a (gh#538): new HITL reason codes in 1.5.8.
+
+The 9 new codes are registered in VALID_REASON_CODES so a 1.6.0+ client
+emitting them via audit doesn't get rejected by a 1.5.8 ingest path.
+1.5.8 itself never EMITS these codes (no HITL flow yet); it just
+recognizes them.
+"""
+from __future__ import annotations
+
+from controlzero._internal.enforcer import (
+    REASON_CODE_DLP_BLOCKED,  # legacy sanity check
+    REASON_CODE_HITL_ARGS_HASH_MISMATCH,
+    REASON_CODE_HITL_BACKEND_UNREACHABLE,
+    REASON_CODE_HITL_IDENTITY_CLAIM_REJECTED,
+    REASON_CODE_HITL_IDENTITY_NOT_IN_ORG,
+    REASON_CODE_HITL_IDENTITY_REQUIRED,
+    REASON_CODE_HITL_NO_APPROVER_AVAILABLE,
+    REASON_CODE_HITL_POLICY_VERSION_CONFLICT,
+    REASON_CODE_HITL_SDK_TIMEOUT,
+    REASON_CODE_HITL_SLA_EXPIRED,
+    VALID_REASON_CODES,
+)
+
+
+HITL_CODES = (
+    REASON_CODE_HITL_SDK_TIMEOUT,
+    REASON_CODE_HITL_SLA_EXPIRED,
+    REASON_CODE_HITL_BACKEND_UNREACHABLE,
+    REASON_CODE_HITL_POLICY_VERSION_CONFLICT,
+    REASON_CODE_HITL_NO_APPROVER_AVAILABLE,
+    REASON_CODE_HITL_IDENTITY_NOT_IN_ORG,
+    REASON_CODE_HITL_IDENTITY_REQUIRED,
+    REASON_CODE_HITL_IDENTITY_CLAIM_REJECTED,
+    REASON_CODE_HITL_ARGS_HASH_MISMATCH,
+)
+
+
+def test_all_9_hitl_codes_exported():
+    # Module-level constants exist + are non-empty strings.
+    for c in HITL_CODES:
+        assert isinstance(c, str) and c.startswith("HITL_")
+
+
+def test_all_9_hitl_codes_in_valid_set():
+    for c in HITL_CODES:
+        assert c in VALID_REASON_CODES, f"{c!r} missing from VALID_REASON_CODES"
+
+
+def test_legacy_codes_still_in_valid_set():
+    # No regression: existing 1.5.7 codes remain registered.
+    assert REASON_CODE_DLP_BLOCKED in VALID_REASON_CODES
+
+
+def test_hitl_codes_match_design_doc_exactly():
+    # Spelling guard: any rename here breaks cross-SDK parity with the
+    # design doc + Node + Go. Lock them in.
+    assert REASON_CODE_HITL_SDK_TIMEOUT == "HITL_SDK_TIMEOUT"
+    assert REASON_CODE_HITL_SLA_EXPIRED == "HITL_SLA_EXPIRED"
+    assert REASON_CODE_HITL_BACKEND_UNREACHABLE == "HITL_BACKEND_UNREACHABLE"
+    assert REASON_CODE_HITL_POLICY_VERSION_CONFLICT == "HITL_POLICY_VERSION_CONFLICT"
+    assert REASON_CODE_HITL_NO_APPROVER_AVAILABLE == "HITL_NO_APPROVER_AVAILABLE"
+    assert REASON_CODE_HITL_IDENTITY_NOT_IN_ORG == "HITL_IDENTITY_NOT_IN_ORG"
+    assert REASON_CODE_HITL_IDENTITY_REQUIRED == "HITL_IDENTITY_REQUIRED"
+    assert REASON_CODE_HITL_IDENTITY_CLAIM_REJECTED == "HITL_IDENTITY_CLAIM_REJECTED"
+    assert REASON_CODE_HITL_ARGS_HASH_MISMATCH == "HITL_ARGS_HASH_MISMATCH"
+
+
+def test_valid_set_size_grew_by_exactly_9():
+    # 1.5.7 had 9 codes; 1.5.8 adds 9 -> 18. If anyone adds another
+    # code without updating this test, it fires so the addition is
+    # intentional + reviewed.
+    assert len(VALID_REASON_CODES) == 9 + 9

controlzero-1.5.8/tests/test_hitl_validator_keys.py

@@ -0,0 +1,260 @@
+"""Tests for HITL-5a (gh#538): policy validator additive surface in 1.5.8.
+
+Covers every new branch in policy_loader.py:
+- escalate_on_deny is recognized + plumbed into PolicyRule (default False).
+- _levenshtein_le_1 helper: 0/1-edit pairs return True; >=2-edit pairs return False.
+- Typo guardrail: warns on near-miss unknown rule keys (Levenshtein-1).
+- Typo guardrail: silent on unknown keys far from any known one.
+- Existing 1.5.7 policies (no escalate_on_deny field) still parse identically.
+"""
+from __future__ import annotations
+
+from controlzero.policy_loader import (
+    _KNOWN_RULE_KEYS,
+    _levenshtein_le_1,
+    load_policy,
+)
+
+
+class TestLevenshteinHelper:
+    """Pure-function unit tests for _levenshtein_le_1."""
+
+    def test_identical_strings_return_true(self):
+        assert _levenshtein_le_1("escalate_on_deny", "escalate_on_deny") is True
+
+    def test_empty_strings_return_true(self):
+        assert _levenshtein_le_1("", "") is True
+
+    def test_one_substitution(self):
+        # tru -> true is one substitution? No, that's an insertion.
+        # 'eqcalate_on_deny' vs 'escalate_on_deny': 'q'->'s' is one sub.
+        assert _levenshtein_le_1("eqcalate_on_deny", "escalate_on_deny") is True
+
+    def test_one_insertion(self):
+        assert _levenshtein_le_1("escalate_on_dny", "escalate_on_deny") is True
+
+    def test_one_deletion(self):
+        # symmetric to insertion; helper handles both via a swap.
+        assert _levenshtein_le_1("escalate_on_denyx", "escalate_on_deny") is True
+
+    def test_two_substitutions_return_false(self):
+        assert _levenshtein_le_1("escalate_on_dnen", "escalate_on_deny") is False
+
+    def test_length_diff_gt_1_short_circuit(self):
+        # Very different lengths: helper short-circuits without scanning.
+        assert _levenshtein_le_1("a", "abc") is False
+        assert _levenshtein_le_1("escalate", "escalate_on_deny") is False
+
+    def test_completely_different_strings(self):
+        assert _levenshtein_le_1("foo", "bar") is False
+
+    def test_one_char_strings(self):
+        assert _levenshtein_le_1("a", "a") is True
+        assert _levenshtein_le_1("a", "b") is True  # one substitution
+        assert _levenshtein_le_1("a", "") is True   # one deletion
+        assert _levenshtein_le_1("", "a") is True   # one insertion
+
+    def test_swap_branch_when_b_shorter_than_a(self):
+        # Forces the la > lb swap branch.
+        assert _levenshtein_le_1("escalate_on_deny", "escalate_on_den") is True
+
+    def test_substitution_at_end(self):
+        assert _levenshtein_le_1("escalate_on_denz", "escalate_on_deny") is True
+
+    def test_diff_count_via_remaining_tail(self):
+        # When inner loop exhausts a but b has tail; helper adds remaining.
+        assert _levenshtein_le_1("foo", "fooxx") is False
+        assert _levenshtein_le_1("foo", "foox") is True
+
+
+class TestKnownRuleKeysAllowlist:
+    """The _KNOWN_RULE_KEYS set is the typo-guardrail allowlist."""
+
+    def test_escalate_on_deny_is_known(self):
+        assert "escalate_on_deny" in _KNOWN_RULE_KEYS
+
+    def test_legacy_keys_still_known(self):
+        for k in ("id", "name", "deny", "allow", "effect", "action", "actions",
+                  "resource", "resources", "when", "conditions", "reason",
+                  "reason_code"):
+            assert k in _KNOWN_RULE_KEYS, f"legacy key {k!r} missing from _KNOWN_RULE_KEYS"
+
+    def test_no_unexpected_keys(self):
+        # Defensive: if someone adds a new key, this test fails so they
+        # remember to update the typo guardrail intentionally.
+        expected = {
+            "id", "name", "deny", "allow", "effect", "action", "actions",
+            "resource", "resources", "when", "conditions", "reason",
+            "reason_code", "escalate_on_deny",
+        }
+        assert _KNOWN_RULE_KEYS == expected
+
+
+class TestEscalateOnDenyAdditive:
+    """The new escalate_on_deny field flows into PolicyRule."""
+
+    def test_default_false_when_absent(self):
+        result = load_policy({
+            "version": "1",
+            "rules": [{"deny": "Bash:sudo *", "reason": "no sudo"}],
+        })
+        assert result.rules[0].escalate_on_deny is False
+
+    def test_true_when_set(self):
+        result = load_policy({
+            "version": "1",
+            "rules": [{
+                "deny": "Bash:sudo *",
+                "reason": "no sudo",
+                "escalate_on_deny": True,
+            }],
+        })
+        assert result.rules[0].escalate_on_deny is True
+
+    def test_explicit_false_stays_false(self):
+        result = load_policy({
+            "version": "1",
+            "rules": [{
+                "deny": "Bash:sudo *",
+                "escalate_on_deny": False,
+            }],
+        })
+        assert result.rules[0].escalate_on_deny is False
+
+    def test_truthy_non_bool_coerced_to_bool(self):
+        # Defensive: customers may YAML-write `escalate_on_deny: 1` etc.
+        result = load_policy({
+            "version": "1",
+            "rules": [{"deny": "Bash:sudo *", "escalate_on_deny": 1}],
+        })
+        assert result.rules[0].escalate_on_deny is True
+        assert isinstance(result.rules[0].escalate_on_deny, bool)
+
+    def test_falsy_non_bool_coerced_to_false(self):
+        result = load_policy({
+            "version": "1",
+            "rules": [{"deny": "Bash:sudo *", "escalate_on_deny": 0}],
+        })
+        assert result.rules[0].escalate_on_deny is False
+
+    def test_allow_rule_can_also_carry_field(self):
+        # Field is rule-level, not effect-coupled.
+        result = load_policy({
+            "version": "1",
+            "rules": [{
+                "allow": "Bash:make test",
+                "escalate_on_deny": True,
+            }],
+        })
+        assert result.rules[0].escalate_on_deny is True
+        assert result.rules[0].effect == "allow"
+
+
+class TestTypoGuardrailWarnings:
+    """The Levenshtein-1 typo guardrail surfaces 'did you mean?' warnings."""
+
+    def test_warns_on_near_miss_to_escalate_on_deny(self, capsys):
+        # `escalate_on_dny` is one deletion away from `escalate_on_deny`.
+        # Levenshtein-1 catches deletions / insertions / substitutions but
+        # NOT transpositions (those are distance 2 in basic Levenshtein).
+        load_policy({
+            "version": "1",
+            "rules": [{
+                "deny": "Bash:sudo *",
+                "escalate_on_dny": True,  # one-deletion typo
+            }],
+        })
+        captured = capsys.readouterr()
+        assert "escalate_on_dny" in captured.err
+        assert "escalate_on_deny" in captured.err
+        assert "did you mean" in captured.err
+
+    def test_silent_on_transposition_typo(self, capsys):
+        # Transpositions are distance 2 (not 1), so we explicitly do NOT
+        # warn on them. Documented behavior; if the typo guardrail ever
+        # upgrades to Damerau-Levenshtein, this test breaks.
+        load_policy({
+            "version": "1",
+            "rules": [{
+                "deny": "Bash:sudo *",
+                "escalate_on_dney": True,  # transposition (n<->e)
+            }],
+        })
+        captured = capsys.readouterr()
+        assert captured.err == ""
+
+    def test_warns_on_actiom_typo(self, capsys):
+        load_policy({
+            "version": "1",
+            "rules": [{
+                "actiom": "Bash:make",  # near-miss for "action"
+                "deny": "Bash:make",
+            }],
+        })
+        captured = capsys.readouterr()
+        assert "actiom" in captured.err
+        assert "action" in captured.err
+
+    def test_silent_on_far_unknown_keys(self, capsys):
+        # An unknown key with no near-miss to any known key: silent.
+        load_policy({
+            "version": "1",
+            "rules": [{
+                "deny": "Bash:sudo *",
+                "completely_made_up_field_xyz": "some value",
+            }],
+        })
+        captured = capsys.readouterr()
+        assert captured.err == ""
+
+    def test_silent_when_all_keys_known(self, capsys):
+        load_policy({
+            "version": "1",
+            "rules": [{
+                "id": "r1",
+                "name": "no sudo",
+                "deny": "Bash:sudo *",
+                "reason": "policy",
+                "escalate_on_deny": True,
+            }],
+        })
+        captured = capsys.readouterr()
+        assert captured.err == ""
+
+    def test_unknown_key_does_not_break_parsing(self):
+        # Even with the typo warning fired, the rule should still parse.
+        result = load_policy({
+            "version": "1",
+            "rules": [{
+                "deny": "Bash:sudo *",
+                "escalate_on_dney": True,  # typo
+            }],
+        })
+        assert len(result.rules) == 1
+        assert result.rules[0].effect == "deny"
+
+
+class TestExisting157PoliciesStillParse:
+    """Defensive: 1.5.7-shape policies (no escalate_on_deny) still parse identically."""
+
+    def test_minimal_policy_unchanged(self):
+        result = load_policy({
+            "version": "1",
+            "rules": [{"deny": "*"}],
+        })
+        assert result.rules[0].effect == "deny"
+        assert result.rules[0].escalate_on_deny is False  # default
+
+    def test_complex_policy_unchanged(self):
+        result = load_policy({
+            "version": "1",
+            "settings": {"tamper_behavior": "warn"},
+            "rules": [
+                {"id": "r1", "deny": "Bash:sudo *", "reason": "no sudo"},
+                {"id": "r2", "allow": "Bash:make *"},
+                {"id": "r3", "deny": "*", "when": {"model": "claude-opus-*"}},
+            ],
+        })
+        assert len(result.rules) == 3
+        for rule in result.rules:
+            assert rule.escalate_on_deny is False

{controlzero-1.5.7 → controlzero-1.5.8}/tests/test_reason_code.py

@@ -69,7 +69,11 @@ def test_reason_code_enum_has_all_nine_values():
     from controlzero._internal.enforcer import REASON_CODE_LOCAL_OVERRIDE_ACTIVE
     assert REASON_CODE_LOCAL_OVERRIDE_ACTIVE == "LOCAL_OVERRIDE_ACTIVE"
 
-    assert VALID_REASON_CODES == frozenset({
+    # Subset check (not strict equality) so additive code expansions
+    # (e.g. HITL-5a 1.5.8: 9 new HITL_* codes added 2026-05-16) do not
+    # break this rename-guarantee test. The exact total is asserted by
+    # test_hitl_reason_codes.py::test_valid_set_size_grew_by_exactly_9.
+    assert frozenset({
         "RULE_MATCH",
         "NO_RULE_MATCH",
         "NO_ACTIVE_POLICIES",
@@ -79,7 +83,7 @@ def test_reason_code_enum_has_all_nine_values():
         "NETWORK_ERROR",
         "DLP_BLOCKED",
         "LOCAL_OVERRIDE_ACTIVE",
-    })
+    }) <= VALID_REASON_CODES
 
 
 # ---- NO_ACTIVE_POLICIES emission ------------------------------------------