controlzero 1.9.6__tar.gz → 1.9.9__tar.gz

{controlzero-1.9.6 → controlzero-1.9.9}/CHANGELOG.md

@@ -1,5 +1,88 @@
 # Changelog
 
+## 1.9.9 -- 2026-06-17 (Antigravity tool vocab, JSON+YAML config parity, spool reliability)
+
+Follow-ups to the gh#1303 fail-open work plus two correctness fixes.
+
+### Fixed
+
+- **Antigravity enforcement (gh#1303 part 2).** Real Antigravity emits
+  `run_command` (args under `CommandLine`) / `ListDir` / `view_file` /
+  `write_to_file` / `replace_file_content`, but the inbound alias table and the
+  dangerous-shell extractor assumed `run_command`/`read_file` with
+  `args.command`. Two compounding fail-opens against allow-by-default: a
+  canonical `deny: Bash` never matched Antigravity's `run_command`, and
+  `rm -rf` inside `CommandLine` was invisible to the argument-level scanner.
+  Added inbound aliases and made `Bash` read either `command` or `CommandLine`
+  (first non-empty wins, fail-closed fallback). Inbound-only -- the policy
+  vocabulary the four working hosts match is unchanged.
+- **CLI hook path now auto-discovers JSON/YAML policy files (gh#67).** All
+  three SDKs already parse `.yaml`/`.yml`/`.json` and the in-process `Client`
+  auto-discovers all three in the working directory, but the CLI `hook-check`
+  resolver searched only `controlzero.yaml`. A project authored as
+  `controlzero.json` (no `.yaml`) was enforced by the `Client` yet INVISIBLE to
+  the enforcement hook -- it fell through to the global policy / BUNDLE_MISSING.
+  `hook-check` now searches `controlzero.{yaml,yml,json}` in the working
+  directory and `policy.{yaml,yml,json}` globally (first existing,
+  `.yaml` > `.yml` > `.json`), matching the `Client`.
+- **Offline audit spool reliability on Python 3.13 (gh#1315).** The encrypted
+  spool needs `zstandard` and `cryptography`. `zstandard` 0.22.0 has no cp313
+  wheel, so on Python 3.13 the import could fail, the error was swallowed in
+  `BearerAuditSink._init_spool`, and the spool silently never formed -- hosted
+  audit fell back to a non-durable in-memory buffer. The `zstandard` floor is
+  raised to `>=0.23.0` (first cp313 wheels), the import failure is now logged
+  loudly and actionably (naming the missing dependency), and a
+  `_spool_unavailable_reason` is recorded for diagnostics.
+
+## 1.9.8 -- 2026-06-17 (P0 enforcement fail-open: degraded/empty bundle, gh#1303)
+
+Closes a P0 SECURITY fail-open found via a customer report: a hosted-policy
+customer's destructive tool calls (e.g. `rm -rf`) were intermittently ALLOWED
+across agent surfaces.
+
+### Fixed
+
+- **Degraded/partial/stale bundle no longer fails OPEN (gh#1303).** The shared
+  decision core (`translate_to_local_policy`) synthesized an allow-all OBSERVE
+  rule whenever the translated rule set was empty -- but that fired not only for
+  a genuinely-empty project (intended observe, gh#1247) but also for a degraded
+  bundle (policies attached yet zero translatable rules) or a missing/malformed
+  `policies` key (truncated/stale). A customer who HAS a policy could thus get
+  allow-all. The translator now distinguishes a genuinely-empty project (the
+  backend ships an explicit empty list) -- which still OBSERVES (gh#1247
+  preserved) -- from any other zero-rule outcome, which now FAILS CLOSED (deny)
+  via `default_on_missing`. This lives in the shared core, so all five host
+  surfaces (Claude Code, Gemini CLI, Codex CLI, Antigravity, Kiro) inherit it.
+- **Unrecognized rule effect now fails closed.** A validly-signed rule carrying
+  an unknown/future/typo effect was coerced to `allow` (allow-* for its
+  pattern); it now defaults to `deny`.
+
+Residual stale-empty-cache replay window (backend bundle provenance + cache
+freshness) and the Antigravity tool-vocabulary gap are tracked in gh#1303 and
+land in follow-up releases.
+
+## 1.9.7 -- 2026-06-16 (hosted audit delivery for short-lived processes, gh#1292)
+
+Fixes a P0 found via a customer report: hosted-mode audit rows were written to
+the local `~/.controlzero/audit.log` but never reached the dashboard for
+short-lived processes (PreToolUse hooks, CLI one-shots).
+
+### Fixed
+
+- **Remote audit never delivered for short-lived processes (gh#1292).** Since
+  1.9.2 the hosted (`BearerAuditSink`) and enrolled (`RemoteAuditSink`) sinks
+  default to the durable encrypted spool, where `log()` WALs the row and an
+  opportunistic `daemon=True` thread drains it. A short-lived process exits
+  before that thread can finish its HTTPS POST, and `close()` was a fsync-only
+  boundary, so the row stayed on local disk and never shipped. The hosted sink
+  now hands the drain to a **detached `controlzero spool flush` child** that
+  outlives the process (no latency on the agent hot path; the keystore and
+  network work happen in the child, never on the close path). The api key
+  travels via the child's environment, never on its argv. The enrolled sink
+  (opt-in, off the hosted hot path) does a bounded, fail-open in-process drain
+  on close instead. Both paths are fail-open: any error leaves the durable WAL
+  intact for a later drain. The durable WAL guarantee is unchanged.
+
 ## 1.9.6 -- 2026-06-16 (Antigravity GA-blocker hardening, gh#1248 / epic gh#925)
 
 Closes 3 of the prod-readiness GA blockers for the Antigravity (`agy`)

{controlzero-1.9.6 → controlzero-1.9.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: controlzero
-Version: 1.9.6
+Version: 1.9.9
 Summary: AI agent governance: policies, audit, and observability for tool calls. Works locally with no signup.
 Project-URL: Homepage, https://controlzero.ai
 Project-URL: Documentation, https://docs.controlzero.ai
@@ -30,7 +30,7 @@ Requires-Dist: pydantic>=2.0.0
 Requires-Dist: pyyaml>=6.0
 Requires-Dist: rfc8785<0.2,>=0.1.4
 Requires-Dist: rich>=13.0.0
-Requires-Dist: zstandard>=0.22.0
+Requires-Dist: zstandard>=0.23.0
 Provides-Extra: anthropic
 Requires-Dist: anthropic>=0.25.0; extra == 'anthropic'
 Provides-Extra: dev
@@ -41,13 +41,13 @@ Requires-Dist: pytest-cov>=4.0.0; extra == 'dev'
 Requires-Dist: pytest>=7.0.0; extra == 'dev'
 Requires-Dist: pyyaml>=6.0; extra == 'dev'
 Requires-Dist: respx>=0.20.0; extra == 'dev'
-Requires-Dist: zstandard>=0.22.0; extra == 'dev'
+Requires-Dist: zstandard>=0.23.0; extra == 'dev'
 Provides-Extra: google
 Requires-Dist: google-genai>=0.3.0; extra == 'google'
 Provides-Extra: hosted
 Requires-Dist: cryptography>=41.0.0; extra == 'hosted'
 Requires-Dist: httpx>=0.25.0; extra == 'hosted'
-Requires-Dist: zstandard>=0.22.0; extra == 'hosted'
+Requires-Dist: zstandard>=0.23.0; extra == 'hosted'
 Provides-Extra: openai
 Requires-Dist: openai>=1.0.0; extra == 'openai'
 Description-Content-Type: text/markdown
@@ -93,7 +93,7 @@ Your AI agents call tools. Some of those tools should never be called by an
 agent without a human in the loop. `controlzero` is the policy layer between
 the model's output and the tool execution. Decisions are fail-closed by default.
 
-You can use it offline with a local YAML file or Python dict. When you want to
+You can use it offline with a local YAML or JSON file or Python dict. When you want to
 share policies across a team or get a hosted audit dashboard, sign up at
 [controlzero.ai](https://controlzero.ai) and set `CONTROLZERO_API_KEY`.
 
@@ -155,8 +155,10 @@ cz = Client(policy_file="./controlzero.yaml")
 cz = Client()
 ```
 
-If `./controlzero.yaml` exists in the current directory, it is picked up
-automatically. No environment variable needed.
+If a policy file exists in the current directory it is picked up
+automatically -- `controlzero.yaml`, `controlzero.yml`, or `controlzero.json`
+are auto-detected in that order (first existing wins). No environment
+variable needed. The file may be YAML or JSON; both use the identical schema.
 
 ## Policy schema
 

{controlzero-1.9.6 → controlzero-1.9.9}/README.md

@@ -39,7 +39,7 @@ Your AI agents call tools. Some of those tools should never be called by an
 agent without a human in the loop. `controlzero` is the policy layer between
 the model's output and the tool execution. Decisions are fail-closed by default.
 
-You can use it offline with a local YAML file or Python dict. When you want to
+You can use it offline with a local YAML or JSON file or Python dict. When you want to
 share policies across a team or get a hosted audit dashboard, sign up at
 [controlzero.ai](https://controlzero.ai) and set `CONTROLZERO_API_KEY`.
 
@@ -101,8 +101,10 @@ cz = Client(policy_file="./controlzero.yaml")
 cz = Client()
 ```
 
-If `./controlzero.yaml` exists in the current directory, it is picked up
-automatically. No environment variable needed.
+If a policy file exists in the current directory it is picked up
+automatically -- `controlzero.yaml`, `controlzero.yml`, or `controlzero.json`
+are auto-detected in that order (first existing wins). No environment
+variable needed. The file may be YAML or JSON; both use the identical schema.
 
 ## Policy schema
 

{controlzero-1.9.6 → controlzero-1.9.9}/controlzero/__init__.py

@@ -40,7 +40,7 @@ from controlzero.hitl.grant_protocol import (
 )
 from controlzero.policy_loader import load_policy
 
-__version__ = "1.9.6"
+__version__ = "1.9.9"
 
 __all__ = [
     "Client",

{controlzero-1.9.6 → controlzero-1.9.9}/controlzero/_internal/bundle.py

@@ -527,7 +527,13 @@ def translate_to_local_policy(payload: dict) -> dict:
     if default_on_tamper not in VALID_DEFAULT_ON_TAMPER:
         default_on_tamper = DEFAULT_BUNDLE_ON_TAMPER
 
-    policies = payload.get("policies") or []
+    # #1303: keep the RAW policies value to distinguish a genuinely-empty
+    # project (the backend ships an explicit empty list `policies: []`) from a
+    # DEGRADED/partial bundle (policies attached but zero translatable rules, or
+    # a missing/malformed `policies` key). The former is observe (#1247); the
+    # latter must fail CLOSED, never observe-allow.
+    raw_policies = payload.get("policies")
+    policies = raw_policies or []
     policies = sorted(
         [p for p in policies if isinstance(p, dict)],
         key=lambda p: int(p.get("priority", 100)),
@@ -550,6 +556,40 @@ def translate_to_local_policy(payload: dict) -> dict:
             if translated is not None:
                 flat.append(translated)
 
+    if not flat and not (isinstance(raw_policies, list) and len(raw_policies) == 0):
+        # #1303 FAIL-OPEN FIX (the empty-vs-degraded boundary). We have zero
+        # translatable rules, but this is NOT a genuinely-empty project: the
+        # payload carried attached policies that produced no enforceable rules,
+        # OR a missing / non-list `policies` key (truncated / malformed / stale
+        # bundle). Treating that as observe would ALLOW EVERY tool call for a
+        # customer who HAS a policy -- the reproduced rm-rf fail-open. Fail
+        # CLOSED here via default_on_missing (canonical deny), with a distinct
+        # reason_code so it is not confused with a genuine empty project. The
+        # genuinely-empty observe path (#1247) below is reached ONLY when the
+        # backend shipped an explicit empty list (`policies: []`).
+        #
+        # NOTE: a stale CACHED bundle that legitimately held `policies: []` from
+        # when the project WAS empty is NOT caught here (it looks genuinely
+        # empty); that residual replay window is closed by bundle provenance +
+        # freshness (#1303 part 3 / backend active_policy_count).
+        # Reuse the registered BUNDLE_MISSING reason_code / synthetic id (both
+        # already in VALID_REASON_CODES / VALID_SYNTHETIC_POLICY_IDS) so no new
+        # error-catalog entry is introduced; the human-readable reason names the
+        # degraded/partial/stale cause. effect honors default_on_missing (deny).
+        flat.append({
+            "effect": default_on_missing,
+            "action": "*",
+            "id": "synthetic:BUNDLE_MISSING",
+            "reason": (
+                "Your project has attached policies but the resolved bundle "
+                "produced zero enforceable rules (a degraded, partial, or stale "
+                "bundle). Control Zero is failing CLOSED (deny) rather than "
+                "allowing every tool call. Regenerate the policy bundle in the "
+                "Control Zero dashboard; contact support if this persists."
+            ),
+            "reason_code": "BUNDLE_MISSING",
+        })
+
     if not flat:
         # Empty policy set (RESOLVED SUCCESSFULLY, zero translatable
         # rules): synthetic catch-all rule whose posture is driven by
@@ -711,9 +751,12 @@ def _translate_rule(rule: dict, policy_id: str) -> Optional[dict]:
     singular (``tool`` / ``pattern`` / ``action`` / ``match.tool``) forms
     are now supported; plural wins when both are present.
     """
-    # Accept several spellings of "effect". Policy engine has four
-    # canonical effects; anything else is treated as ``allow`` to stay
-    # fail-safe on forward-compat.
+    # Accept several spellings of "effect". Policy engine has four canonical
+    # effects; an UNRECOGNIZED effect on a validly-signed rule (typo, future
+    # effect, corruption) must fail CLOSED. Coercing it to "allow" (the old
+    # behavior) turned an unknown rule into allow-*-for-its-pattern -- a
+    # fail-open for a security gate (#1303). A deny here over-denies that one
+    # pattern at worst, which is the safe direction.
     effect_raw = rule.get("effect")
     if not effect_raw:
         # Only fall back to rule["action"] for effect if it looks like
@@ -722,7 +765,7 @@ def _translate_rule(rule: dict, policy_id: str) -> Optional[dict]:
         fallback = rule.get("action")
         if fallback in ("allow", "deny", "warn", "audit"):
             effect_raw = fallback
-    effect = effect_raw if effect_raw in ("allow", "deny", "warn", "audit") else "allow"
+    effect = effect_raw if effect_raw in ("allow", "deny", "warn", "audit") else "deny"
 
     # Tool pattern resolution order:
     #   1. plural ``actions`` (list, as emitted by the backend)

{controlzero-1.9.6 → controlzero-1.9.9}/controlzero/_internal/hook_extractors.py

@@ -566,7 +566,14 @@ def extract_method(
     2. If the tool is unknown, method = ``"*"``.
     3. Read ``args_path`` from the entry. If non-null, ``raw =
        args[args_path]``; else ``raw = tool_name`` (used by
-       ``file_read`` / ``file_write``).
+       ``file_read`` / ``file_write``). ``args_path`` may be a single
+       key (string) or a list of candidate keys, in which case the
+       first key that resolves to a non-empty string is used. The list
+       form lets one canonical tool read the differently-named command
+       argument each host emits -- e.g. the ``Bash`` shell tool reads
+       ``command`` (Claude Code / Gemini CLI) or ``CommandLine``
+       (Antigravity ``run_command``) so the dangerous-command scanner
+       fires regardless of which host sent the call.
     4. Apply the ``extract`` function. Non-empty result = method.
     5. Empty result -> ``fallback_method``.
 
@@ -593,11 +600,24 @@ def extract_method(
         else:
             if not isinstance(args, dict):
                 return canonical, fallback
-            raw = args.get(args_path)
+            # ``args_path`` is either a single key (string) or a list of
+            # candidate keys. The list form lets one canonical tool read
+            # the differently-named command argument each host emits --
+            # e.g. ``Bash`` reads ``command`` (Claude Code / Gemini CLI)
+            # or ``CommandLine`` (Antigravity ``run_command``). The first
+            # key that resolves to a non-empty string wins; if none do,
+            # fall back so the no-arg path stays fail-closed.
+            candidates = (
+                args_path if isinstance(args_path, list) else [args_path]
+            )
+            raw = None
+            for key in candidates:
+                value = args.get(key)
+                if isinstance(value, str) and value != "":
+                    raw = value
+                    break
             if raw is None:
                 return canonical, fallback
-            if not isinstance(raw, str):
-                return canonical, fallback
 
         func = _EXTRACTORS.get(extract_name)
         if func is None:

{controlzero-1.9.6 → controlzero-1.9.9}/controlzero/_internal/tool_extractors.json

@@ -9,7 +9,7 @@
       "aliases": ["sql", "Database", "PostgreSQL", "MySQL", "postgres", "sqlite"]
     },
     "Bash": {
-      "args_path": "command",
+      "args_path": ["command", "CommandLine"],
       "extract": "most_dangerous_shell_command",
       "fallback_method": "*",
       "aliases": [
@@ -17,6 +17,7 @@
         "shell",
         "ShellTool",
         "run_shell_command",
+        "run_command",
         "PowerShell",
         "powershell",
         "Shell"
@@ -44,19 +45,19 @@
       "args_path": null,
       "extract": "tool_name_as_method",
       "fallback_method": "read",
-      "aliases": ["read_file", "Read", "ReadFile", "read_many_files"]
+      "aliases": ["read_file", "Read", "ReadFile", "read_many_files", "view_file"]
     },
     "file_write": {
       "args_path": null,
       "extract": "tool_name_as_method",
       "fallback_method": "write",
-      "aliases": ["write_file", "Write", "WriteFile", "edit_file", "Edit", "replace", "apply_patch"]
+      "aliases": ["write_file", "Write", "WriteFile", "edit_file", "Edit", "replace", "apply_patch", "write_to_file", "replace_file_content"]
     },
     "file_search": {
       "args_path": null,
       "extract": "tool_name_as_method",
       "fallback_method": "search",
-      "aliases": ["Grep", "grep_search", "Glob", "glob"]
+      "aliases": ["Grep", "grep_search", "Glob", "glob", "ListDir"]
     },
     "task": {
       "args_path": null,

{controlzero-1.9.6 → controlzero-1.9.9}/controlzero/audit_remote.py

@@ -24,6 +24,7 @@ import json
 import logging
 import os
 import platform
+import sys
 import threading
 import uuid
 from datetime import datetime, timezone
@@ -110,6 +111,15 @@ _SPOOL_DEFAULT_DIR = "~/.controlzero/spool"
 # processes.
 _SPOOL_HOOK_BUDGET_S = 2.0
 _SPOOL_TIMER_BUDGET_S = 25.0
+# close() handoff budgets (#1292). A short-lived process (PreToolUse hook /
+# CLI one-shot) exits before the daemon drain ships its spooled rows, and
+# close() was a fsync-only boundary -- so the rows never reached the backend.
+# The hosted (Bearer) sink now hands the drain to a DETACHED uploader child
+# that outlives this process (no latency on the agent hot path, keystore +
+# network work happen off the close path). The enrolled sink -- opt-in, off
+# the hosted hot path -- does a bounded, fail-open in-process drain instead.
+_DETACHED_DRAIN_BUDGET_S = 30.0
+_CLOSE_DRAIN_BUDGET_S = 2.0
 
 
 def _build_wire_entry(
@@ -284,8 +294,18 @@ class _SpoolWiringMixin:
         self._drain_inflight = False
         self._drain_again = False
         self._drain_auth_blocked = False
+        # #1292: whether this process WAL-logged at least one entry (gates the
+        # close-time handoff so a pure-read process never spawns a drainer) and
+        # whether the detached drainer was already spawned (coalesce to one).
+        self._spool_logged = False
+        self._detached_drain_spawned = False
         self._spool = None
         self._spool_mode = "off"
+        # #1315: when the durable spool cannot form (e.g. zstandard/cryptography
+        # missing or binary-incompatible on this interpreter), record WHY so
+        # diagnostics (`controlzero doctor`) can surface it instead of the user
+        # silently running on the ephemeral in-memory buffer. None == healthy.
+        self._spool_unavailable_reason = None
         # Fast path: flag off/unset, NO hosted default, AND no spool
         # directory on disk -- skip the spool import entirely so the
         # legacy default path stays byte-identical. When default_mode is
@@ -327,8 +347,29 @@ class _SpoolWiringMixin:
             if (self._spool is not None
                     and getattr(self._spool, "in_memory_mode", False)):
                 self._spool_init_degraded("memory_mode")
+        except ImportError as exc:
+            # #1315: the durable spool needs `zstandard` (compression) and
+            # `cryptography` (AES-GCM). A missing or binary-incompatible wheel
+            # (classically zstandard 0.22.0 on Python 3.13 -- no cp313 wheel)
+            # raises here BEFORE the spool dir is created. Name the cause loudly
+            # so the operator can fix the dependency instead of unknowingly
+            # running on the non-durable in-memory buffer. The dependency floor
+            # was raised (zstandard>=0.23.0) to prevent the common case.
+            self._spool_init_degraded("import_error")
+            self._spool_unavailable_reason = f"import_error: {exc}"
+            logger.warning(
+                "controlzero: audit spool dependencies unavailable (%s); "
+                "the encrypted offline spool is DISABLED and audit falls back "
+                "to in-memory buffering (durability reduced). Ensure "
+                "'zstandard>=0.23.0' and 'cryptography' are installed for this "
+                "Python (pip install -U controlzero).",
+                exc,
+            )
+            self._spool = None
+            self._spool_mode = "off"
         except Exception as exc:  # noqa: BLE001
             self._spool_init_degraded("exception")
+            self._spool_unavailable_reason = f"exception: {exc}"
             logger.warning(
                 "controlzero: audit spool unavailable (%s); "
                 "falling back to in-memory buffering",
@@ -365,6 +406,10 @@ class _SpoolWiringMixin:
         except Exception as exc:  # noqa: BLE001
             logger.warning("controlzero: spool append failed (%s)", exc)
             return False
+        # This process has durably WAL-logged at least one entry; close() may
+        # need to hand its drain to a detached uploader so a short-lived
+        # process does not strand it (#1292).
+        self._spool_logged = True
         if self._spool_mode == _SPOOL_MODE_DURABLE:
             self._drain_async(budget_s=_SPOOL_HOOK_BUDGET_S)
         return True
@@ -377,6 +422,73 @@ class _SpoolWiringMixin:
     def _spool_drain_orphans(self) -> bool:
         return False
 
+    def _spawn_detached_drain(self) -> None:
+        """Hand the spool drain to a DETACHED child that outlives this
+        process, then return immediately (#1292).
+
+        A short-lived hosted process (PreToolUse hook / CLI one-shot) exits
+        before the in-process daemon drain can finish its HTTPS POST, so
+        durably-spooled rows never reach the backend -- close() was a
+        fsync-only boundary that stranded them. Spawning ``controlzero spool
+        flush`` in a new session lets the upload complete after this process
+        is gone: no latency on the agent hot path, and the keystore + network
+        work happen in the child, never on this close path (the founder
+        non-blocking-hook and no-keystore-on-close constraints).
+
+        Only the Bearer (hosted api-key) sink can be drained this way --
+        ``cz spool flush`` authenticates with the api key, which it reads from
+        the environment (never argv, so the key never lands in ``ps``). The
+        enrolled sink has no such entrypoint and uses an in-process close
+        drain instead.
+
+        Fail-open: any error leaves the durable WAL intact for a later drain
+        (next long-lived process, the timer, or an explicit ``cz spool
+        flush``)."""
+        if getattr(self, "_detached_drain_spawned", False):
+            return
+        if self._spool is None or not getattr(self, "_spool_logged", False):
+            return
+        api_key = getattr(self, "_api_key", None)
+        if not api_key:
+            return
+        try:
+            import subprocess
+
+            env = dict(os.environ)
+            env["CONTROLZERO_API_KEY"] = api_key
+            api_url = getattr(self, "_api_url", None)
+            if api_url:
+                env["CONTROLZERO_API_URL"] = api_url
+            popen_kwargs = dict(
+                stdin=subprocess.DEVNULL,
+                stdout=subprocess.DEVNULL,
+                stderr=subprocess.DEVNULL,
+                env=env,
+                close_fds=True,
+            )
+            if os.name == "nt":  # detach on Windows
+                popen_kwargs["creationflags"] = (
+                    getattr(subprocess, "DETACHED_PROCESS", 0)
+                    | getattr(subprocess, "CREATE_NEW_PROCESS_GROUP", 0)
+                )
+            else:  # POSIX: escape the process group so it outlives the parent
+                popen_kwargs["start_new_session"] = True
+            subprocess.Popen(  # noqa: S603 -- fixed argv, no shell, no user input
+                [
+                    sys.executable, "-m", "controlzero.cli.main",
+                    "spool", "flush",
+                    "--timeout", str(_DETACHED_DRAIN_BUDGET_S),
+                ],
+                **popen_kwargs,
+            )
+            self._detached_drain_spawned = True
+        except Exception as exc:  # noqa: BLE001 -- never block/crash the host
+            logger.warning(
+                "controlzero: detached spool drain spawn failed (%s); audit "
+                "rows remain durable in the spool for a later drain",
+                exc,
+            )
+
     def _drain_async(self, budget_s: float = _SPOOL_HOOK_BUDGET_S) -> None:
         """One opportunistic non-blocking drain in a daemon thread.
         Coalesced: at most one drain in flight per sink instance; an
@@ -506,8 +618,17 @@ class RemoteAuditSink(_SpoolWiringMixin):
         self._closed = True
         self._cancel_flush_timer()
         if self._spool_wal:
-            # Spool mode: every entry is already durable on disk; close
-            # is a final fsync boundary, NEVER a blocking network flush.
+            # DURABLE mode (enrolled, opt-in, off the hosted hot path) ships
+            # synchronously with a bounded, fail-open budget before the final
+            # fsync so a short-lived process does not strand its rows (#1292).
+            # spool_only is replay-only and must NEVER live-send on close.
+            if (self._spool_mode == _SPOOL_MODE_DURABLE
+                    and getattr(self, "_spool_logged", False)):
+                try:
+                    self._drain_once(blocking=True,
+                                     budget_s=_CLOSE_DRAIN_BUDGET_S)
+                except Exception:  # noqa: BLE001 -- fail-open; WAL preserved
+                    pass
             self._spool_close()
             return
         # Synchronous flush -- we are shutting down
@@ -748,8 +869,13 @@ class BearerAuditSink(_SpoolWiringMixin):
         self._closed = True
         self._cancel_flush_timer()
         if self._spool_wal:
-            # Spool mode: entries are already durable; close is a final
-            # fsync boundary, NEVER a blocking network flush.
+            # DURABLE mode hands the drain to a DETACHED child that outlives
+            # this (possibly short-lived) process so its rows are delivered;
+            # close() makes NO in-process network call -- the child does the
+            # keystore + network work off this hot path (#1292). spool_only is
+            # replay-only and must NEVER live-send on close -- only fsync.
+            if self._spool_mode == _SPOOL_MODE_DURABLE:
+                self._spawn_detached_drain()
             self._spool_close()
             return
         self._flush_sync()

{controlzero-1.9.6 → controlzero-1.9.9}/controlzero/cli/main.py

@@ -50,11 +50,47 @@ DEFAULT_TEMPLATES = [
 ]
 
 # Where the global policy lives when controlzero is used as a Claude Code hook.
-# Per-project ./controlzero.yaml takes precedence (the SDK already does this).
+# Per-project ./controlzero.{yaml,yml,json} takes precedence (the SDK already
+# does this).
 GLOBAL_POLICY_DIR = Path.home() / ".controlzero"
 GLOBAL_POLICY_PATH = GLOBAL_POLICY_DIR / "policy.yaml"
 GLOBAL_POLICY_SIG_PATH = GLOBAL_POLICY_DIR / "policy.yaml.sig"
 GLOBAL_TAMPER_KEY_PATH = GLOBAL_POLICY_DIR / "tamper.key"
+
+# Policy-file extensions auto-discovered in the hook resolution order, in
+# precedence order. The local policy loader accepts all three (YAML and JSON
+# -- see ``policy_loader._load_from_file``) and the in-process ``Client``
+# already auto-discovers all three in cwd; the CLI hook path must search the
+# same set so a project authored as ``controlzero.json`` is enforced by the
+# hook exactly like ``controlzero.yaml`` (else it falls through to the global
+# policy / BUNDLE_MISSING -- a JSON-config user would otherwise be invisible
+# to enforcement). Keep this list in sync with ``client._resolve_local_source``.
+_POLICY_FILE_EXTS = (".yaml", ".yml", ".json")
+
+
+def _first_existing_policy(directory: Path, basename: str) -> Optional[Path]:
+    """Return the first existing ``<directory>/<basename><ext>`` for ``ext`` in
+    :data:`_POLICY_FILE_EXTS` (``.yaml`` -> ``.yml`` -> ``.json``), else None."""
+    for ext in _POLICY_FILE_EXTS:
+        candidate = directory / f"{basename}{ext}"
+        if candidate.exists():
+            return candidate
+    return None
+
+
+def _first_existing_variant(base: Path) -> Optional[Path]:
+    """Return the first existing ``base`` with each policy extension swapped in
+    (``.yaml`` -> ``.yml`` -> ``.json``), else None.
+
+    Anchored on ``base`` (not its directory) so the global lookup honors a
+    monkeypatched ``GLOBAL_POLICY_PATH`` -- the established test contract
+    (e.g. ``test_install_hooks`` sets ``GLOBAL_POLICY_PATH`` to a non-existent
+    file to assert the missing-policy path)."""
+    for ext in _POLICY_FILE_EXTS:
+        candidate = base.with_suffix(ext)
+        if candidate.exists():
+            return candidate
+    return None
 GLOBAL_AUDIT_PATH = GLOBAL_POLICY_DIR / "audit.log"
 # Where the hook-check CLI logs surface-level events that don't flow
 # through the policy evaluator -- today just the unenrolled first-run
@@ -1349,20 +1385,17 @@ def sign_policy(policy: Optional[str], verify_only: bool):
 
 
 def _has_resolvable_policy_file() -> bool:
-    """True when a ``./controlzero.yaml`` or ``~/.controlzero/policy.yaml``
-    exists and looks loadable.
+    """True when a ``./controlzero.{yaml,yml,json}`` or
+    ``~/.controlzero/policy.{yaml,yml,json}`` exists and looks loadable.
 
     Scoped to the carve-out logic: "do we already have a policy in
     the standard search paths?" If yes, the user is past first-run
     and the carve-out banner is noise. Mirrors the happy-path search
     order in :func:`_resolve_hook_policy` so the two stay in sync.
     """
-    cwd_policy = Path.cwd() / "controlzero.yaml"
-    if cwd_policy.exists():
-        return True
-    if GLOBAL_POLICY_PATH.exists():
+    if _first_existing_policy(Path.cwd(), "controlzero") is not None:
         return True
-    return False
+    return _first_existing_variant(GLOBAL_POLICY_PATH) is not None
 
 
 def _is_unenrolled_first_run() -> bool:
@@ -1783,19 +1816,22 @@ def _maybe_refresh_policy(
 def _resolve_hook_policy(explicit: Optional[str]) -> Optional[Path]:
     """Find a policy file using the hook-time resolution order:
 
-    1. Explicit --policy argument
-    2. ./controlzero.yaml (per-project)
-    3. ~/.controlzero/policy.yaml (global)
+    1. Explicit --policy argument (any extension; the loader dispatches on it)
+    2. ./controlzero.{yaml,yml,json} (per-project, first existing)
+    3. ~/.controlzero/policy.{yaml,yml,json} (global, first existing)
+
+    The per-project and global searches probe all three extensions so a
+    project authored as ``controlzero.json`` (or ``.yml``) is enforced by the
+    hook identically to ``controlzero.yaml`` -- matching the in-process
+    ``Client`` (:func:`client._resolve_local_source`).
     """
     if explicit:
         p = Path(explicit)
         return p if p.exists() else None
-    cwd = Path.cwd() / "controlzero.yaml"
-    if cwd.exists():
+    cwd = _first_existing_policy(Path.cwd(), "controlzero")
+    if cwd is not None:
         return cwd
-    if GLOBAL_POLICY_PATH.exists():
-        return GLOBAL_POLICY_PATH
-    return None
+    return _first_existing_variant(GLOBAL_POLICY_PATH)
 
 
 def _policy_has_deny_rules(policy_path: Path) -> bool: