controlzero 1.9.7__tar.gz → 1.9.9__tar.gz

{controlzero-1.9.7 → controlzero-1.9.9}/CHANGELOG.md

@@ -1,5 +1,66 @@
 # Changelog
 
+## 1.9.9 -- 2026-06-17 (Antigravity tool vocab, JSON+YAML config parity, spool reliability)
+
+Follow-ups to the gh#1303 fail-open work plus two correctness fixes.
+
+### Fixed
+
+- **Antigravity enforcement (gh#1303 part 2).** Real Antigravity emits
+  `run_command` (args under `CommandLine`) / `ListDir` / `view_file` /
+  `write_to_file` / `replace_file_content`, but the inbound alias table and the
+  dangerous-shell extractor assumed `run_command`/`read_file` with
+  `args.command`. Two compounding fail-opens against allow-by-default: a
+  canonical `deny: Bash` never matched Antigravity's `run_command`, and
+  `rm -rf` inside `CommandLine` was invisible to the argument-level scanner.
+  Added inbound aliases and made `Bash` read either `command` or `CommandLine`
+  (first non-empty wins, fail-closed fallback). Inbound-only -- the policy
+  vocabulary the four working hosts match is unchanged.
+- **CLI hook path now auto-discovers JSON/YAML policy files (gh#67).** All
+  three SDKs already parse `.yaml`/`.yml`/`.json` and the in-process `Client`
+  auto-discovers all three in the working directory, but the CLI `hook-check`
+  resolver searched only `controlzero.yaml`. A project authored as
+  `controlzero.json` (no `.yaml`) was enforced by the `Client` yet INVISIBLE to
+  the enforcement hook -- it fell through to the global policy / BUNDLE_MISSING.
+  `hook-check` now searches `controlzero.{yaml,yml,json}` in the working
+  directory and `policy.{yaml,yml,json}` globally (first existing,
+  `.yaml` > `.yml` > `.json`), matching the `Client`.
+- **Offline audit spool reliability on Python 3.13 (gh#1315).** The encrypted
+  spool needs `zstandard` and `cryptography`. `zstandard` 0.22.0 has no cp313
+  wheel, so on Python 3.13 the import could fail, the error was swallowed in
+  `BearerAuditSink._init_spool`, and the spool silently never formed -- hosted
+  audit fell back to a non-durable in-memory buffer. The `zstandard` floor is
+  raised to `>=0.23.0` (first cp313 wheels), the import failure is now logged
+  loudly and actionably (naming the missing dependency), and a
+  `_spool_unavailable_reason` is recorded for diagnostics.
+
+## 1.9.8 -- 2026-06-17 (P0 enforcement fail-open: degraded/empty bundle, gh#1303)
+
+Closes a P0 SECURITY fail-open found via a customer report: a hosted-policy
+customer's destructive tool calls (e.g. `rm -rf`) were intermittently ALLOWED
+across agent surfaces.
+
+### Fixed
+
+- **Degraded/partial/stale bundle no longer fails OPEN (gh#1303).** The shared
+  decision core (`translate_to_local_policy`) synthesized an allow-all OBSERVE
+  rule whenever the translated rule set was empty -- but that fired not only for
+  a genuinely-empty project (intended observe, gh#1247) but also for a degraded
+  bundle (policies attached yet zero translatable rules) or a missing/malformed
+  `policies` key (truncated/stale). A customer who HAS a policy could thus get
+  allow-all. The translator now distinguishes a genuinely-empty project (the
+  backend ships an explicit empty list) -- which still OBSERVES (gh#1247
+  preserved) -- from any other zero-rule outcome, which now FAILS CLOSED (deny)
+  via `default_on_missing`. This lives in the shared core, so all five host
+  surfaces (Claude Code, Gemini CLI, Codex CLI, Antigravity, Kiro) inherit it.
+- **Unrecognized rule effect now fails closed.** A validly-signed rule carrying
+  an unknown/future/typo effect was coerced to `allow` (allow-* for its
+  pattern); it now defaults to `deny`.
+
+Residual stale-empty-cache replay window (backend bundle provenance + cache
+freshness) and the Antigravity tool-vocabulary gap are tracked in gh#1303 and
+land in follow-up releases.
+
 ## 1.9.7 -- 2026-06-16 (hosted audit delivery for short-lived processes, gh#1292)
 
 Fixes a P0 found via a customer report: hosted-mode audit rows were written to

{controlzero-1.9.7 → controlzero-1.9.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: controlzero
-Version: 1.9.7
+Version: 1.9.9
 Summary: AI agent governance: policies, audit, and observability for tool calls. Works locally with no signup.
 Project-URL: Homepage, https://controlzero.ai
 Project-URL: Documentation, https://docs.controlzero.ai
@@ -30,7 +30,7 @@ Requires-Dist: pydantic>=2.0.0
 Requires-Dist: pyyaml>=6.0
 Requires-Dist: rfc8785<0.2,>=0.1.4
 Requires-Dist: rich>=13.0.0
-Requires-Dist: zstandard>=0.22.0
+Requires-Dist: zstandard>=0.23.0
 Provides-Extra: anthropic
 Requires-Dist: anthropic>=0.25.0; extra == 'anthropic'
 Provides-Extra: dev
@@ -41,13 +41,13 @@ Requires-Dist: pytest-cov>=4.0.0; extra == 'dev'
 Requires-Dist: pytest>=7.0.0; extra == 'dev'
 Requires-Dist: pyyaml>=6.0; extra == 'dev'
 Requires-Dist: respx>=0.20.0; extra == 'dev'
-Requires-Dist: zstandard>=0.22.0; extra == 'dev'
+Requires-Dist: zstandard>=0.23.0; extra == 'dev'
 Provides-Extra: google
 Requires-Dist: google-genai>=0.3.0; extra == 'google'
 Provides-Extra: hosted
 Requires-Dist: cryptography>=41.0.0; extra == 'hosted'
 Requires-Dist: httpx>=0.25.0; extra == 'hosted'
-Requires-Dist: zstandard>=0.22.0; extra == 'hosted'
+Requires-Dist: zstandard>=0.23.0; extra == 'hosted'
 Provides-Extra: openai
 Requires-Dist: openai>=1.0.0; extra == 'openai'
 Description-Content-Type: text/markdown
@@ -93,7 +93,7 @@ Your AI agents call tools. Some of those tools should never be called by an
 agent without a human in the loop. `controlzero` is the policy layer between
 the model's output and the tool execution. Decisions are fail-closed by default.
 
-You can use it offline with a local YAML file or Python dict. When you want to
+You can use it offline with a local YAML or JSON file or Python dict. When you want to
 share policies across a team or get a hosted audit dashboard, sign up at
 [controlzero.ai](https://controlzero.ai) and set `CONTROLZERO_API_KEY`.
 
@@ -155,8 +155,10 @@ cz = Client(policy_file="./controlzero.yaml")
 cz = Client()
 ```
 
-If `./controlzero.yaml` exists in the current directory, it is picked up
-automatically. No environment variable needed.
+If a policy file exists in the current directory it is picked up
+automatically -- `controlzero.yaml`, `controlzero.yml`, or `controlzero.json`
+are auto-detected in that order (first existing wins). No environment
+variable needed. The file may be YAML or JSON; both use the identical schema.
 
 ## Policy schema
 

{controlzero-1.9.7 → controlzero-1.9.9}/README.md

@@ -39,7 +39,7 @@ Your AI agents call tools. Some of those tools should never be called by an
 agent without a human in the loop. `controlzero` is the policy layer between
 the model's output and the tool execution. Decisions are fail-closed by default.
 
-You can use it offline with a local YAML file or Python dict. When you want to
+You can use it offline with a local YAML or JSON file or Python dict. When you want to
 share policies across a team or get a hosted audit dashboard, sign up at
 [controlzero.ai](https://controlzero.ai) and set `CONTROLZERO_API_KEY`.
 
@@ -101,8 +101,10 @@ cz = Client(policy_file="./controlzero.yaml")
 cz = Client()
 ```
 
-If `./controlzero.yaml` exists in the current directory, it is picked up
-automatically. No environment variable needed.
+If a policy file exists in the current directory it is picked up
+automatically -- `controlzero.yaml`, `controlzero.yml`, or `controlzero.json`
+are auto-detected in that order (first existing wins). No environment
+variable needed. The file may be YAML or JSON; both use the identical schema.
 
 ## Policy schema
 

{controlzero-1.9.7 → controlzero-1.9.9}/controlzero/__init__.py

@@ -40,7 +40,7 @@ from controlzero.hitl.grant_protocol import (
 )
 from controlzero.policy_loader import load_policy
 
-__version__ = "1.9.7"
+__version__ = "1.9.9"
 
 __all__ = [
     "Client",

{controlzero-1.9.7 → controlzero-1.9.9}/controlzero/_internal/bundle.py

@@ -527,7 +527,13 @@ def translate_to_local_policy(payload: dict) -> dict:
     if default_on_tamper not in VALID_DEFAULT_ON_TAMPER:
         default_on_tamper = DEFAULT_BUNDLE_ON_TAMPER
 
-    policies = payload.get("policies") or []
+    # #1303: keep the RAW policies value to distinguish a genuinely-empty
+    # project (the backend ships an explicit empty list `policies: []`) from a
+    # DEGRADED/partial bundle (policies attached but zero translatable rules, or
+    # a missing/malformed `policies` key). The former is observe (#1247); the
+    # latter must fail CLOSED, never observe-allow.
+    raw_policies = payload.get("policies")
+    policies = raw_policies or []
     policies = sorted(
         [p for p in policies if isinstance(p, dict)],
         key=lambda p: int(p.get("priority", 100)),
@@ -550,6 +556,40 @@ def translate_to_local_policy(payload: dict) -> dict:
             if translated is not None:
                 flat.append(translated)
 
+    if not flat and not (isinstance(raw_policies, list) and len(raw_policies) == 0):
+        # #1303 FAIL-OPEN FIX (the empty-vs-degraded boundary). We have zero
+        # translatable rules, but this is NOT a genuinely-empty project: the
+        # payload carried attached policies that produced no enforceable rules,
+        # OR a missing / non-list `policies` key (truncated / malformed / stale
+        # bundle). Treating that as observe would ALLOW EVERY tool call for a
+        # customer who HAS a policy -- the reproduced rm-rf fail-open. Fail
+        # CLOSED here via default_on_missing (canonical deny), with a distinct
+        # reason_code so it is not confused with a genuine empty project. The
+        # genuinely-empty observe path (#1247) below is reached ONLY when the
+        # backend shipped an explicit empty list (`policies: []`).
+        #
+        # NOTE: a stale CACHED bundle that legitimately held `policies: []` from
+        # when the project WAS empty is NOT caught here (it looks genuinely
+        # empty); that residual replay window is closed by bundle provenance +
+        # freshness (#1303 part 3 / backend active_policy_count).
+        # Reuse the registered BUNDLE_MISSING reason_code / synthetic id (both
+        # already in VALID_REASON_CODES / VALID_SYNTHETIC_POLICY_IDS) so no new
+        # error-catalog entry is introduced; the human-readable reason names the
+        # degraded/partial/stale cause. effect honors default_on_missing (deny).
+        flat.append({
+            "effect": default_on_missing,
+            "action": "*",
+            "id": "synthetic:BUNDLE_MISSING",
+            "reason": (
+                "Your project has attached policies but the resolved bundle "
+                "produced zero enforceable rules (a degraded, partial, or stale "
+                "bundle). Control Zero is failing CLOSED (deny) rather than "
+                "allowing every tool call. Regenerate the policy bundle in the "
+                "Control Zero dashboard; contact support if this persists."
+            ),
+            "reason_code": "BUNDLE_MISSING",
+        })
+
     if not flat:
         # Empty policy set (RESOLVED SUCCESSFULLY, zero translatable
         # rules): synthetic catch-all rule whose posture is driven by
@@ -711,9 +751,12 @@ def _translate_rule(rule: dict, policy_id: str) -> Optional[dict]:
     singular (``tool`` / ``pattern`` / ``action`` / ``match.tool``) forms
     are now supported; plural wins when both are present.
     """
-    # Accept several spellings of "effect". Policy engine has four
-    # canonical effects; anything else is treated as ``allow`` to stay
-    # fail-safe on forward-compat.
+    # Accept several spellings of "effect". Policy engine has four canonical
+    # effects; an UNRECOGNIZED effect on a validly-signed rule (typo, future
+    # effect, corruption) must fail CLOSED. Coercing it to "allow" (the old
+    # behavior) turned an unknown rule into allow-*-for-its-pattern -- a
+    # fail-open for a security gate (#1303). A deny here over-denies that one
+    # pattern at worst, which is the safe direction.
     effect_raw = rule.get("effect")
     if not effect_raw:
         # Only fall back to rule["action"] for effect if it looks like
@@ -722,7 +765,7 @@ def _translate_rule(rule: dict, policy_id: str) -> Optional[dict]:
         fallback = rule.get("action")
         if fallback in ("allow", "deny", "warn", "audit"):
             effect_raw = fallback
-    effect = effect_raw if effect_raw in ("allow", "deny", "warn", "audit") else "allow"
+    effect = effect_raw if effect_raw in ("allow", "deny", "warn", "audit") else "deny"
 
     # Tool pattern resolution order:
     #   1. plural ``actions`` (list, as emitted by the backend)

{controlzero-1.9.7 → controlzero-1.9.9}/controlzero/_internal/hook_extractors.py

@@ -566,7 +566,14 @@ def extract_method(
     2. If the tool is unknown, method = ``"*"``.
     3. Read ``args_path`` from the entry. If non-null, ``raw =
        args[args_path]``; else ``raw = tool_name`` (used by
-       ``file_read`` / ``file_write``).
+       ``file_read`` / ``file_write``). ``args_path`` may be a single
+       key (string) or a list of candidate keys, in which case the
+       first key that resolves to a non-empty string is used. The list
+       form lets one canonical tool read the differently-named command
+       argument each host emits -- e.g. the ``Bash`` shell tool reads
+       ``command`` (Claude Code / Gemini CLI) or ``CommandLine``
+       (Antigravity ``run_command``) so the dangerous-command scanner
+       fires regardless of which host sent the call.
     4. Apply the ``extract`` function. Non-empty result = method.
     5. Empty result -> ``fallback_method``.
 
@@ -593,11 +600,24 @@ def extract_method(
         else:
             if not isinstance(args, dict):
                 return canonical, fallback
-            raw = args.get(args_path)
+            # ``args_path`` is either a single key (string) or a list of
+            # candidate keys. The list form lets one canonical tool read
+            # the differently-named command argument each host emits --
+            # e.g. ``Bash`` reads ``command`` (Claude Code / Gemini CLI)
+            # or ``CommandLine`` (Antigravity ``run_command``). The first
+            # key that resolves to a non-empty string wins; if none do,
+            # fall back so the no-arg path stays fail-closed.
+            candidates = (
+                args_path if isinstance(args_path, list) else [args_path]
+            )
+            raw = None
+            for key in candidates:
+                value = args.get(key)
+                if isinstance(value, str) and value != "":
+                    raw = value
+                    break
             if raw is None:
                 return canonical, fallback
-            if not isinstance(raw, str):
-                return canonical, fallback
 
         func = _EXTRACTORS.get(extract_name)
         if func is None:

{controlzero-1.9.7 → controlzero-1.9.9}/controlzero/_internal/tool_extractors.json

@@ -9,7 +9,7 @@
       "aliases": ["sql", "Database", "PostgreSQL", "MySQL", "postgres", "sqlite"]
     },
     "Bash": {
-      "args_path": "command",
+      "args_path": ["command", "CommandLine"],
       "extract": "most_dangerous_shell_command",
       "fallback_method": "*",
       "aliases": [
@@ -17,6 +17,7 @@
         "shell",
         "ShellTool",
         "run_shell_command",
+        "run_command",
         "PowerShell",
         "powershell",
         "Shell"
@@ -44,19 +45,19 @@
       "args_path": null,
       "extract": "tool_name_as_method",
       "fallback_method": "read",
-      "aliases": ["read_file", "Read", "ReadFile", "read_many_files"]
+      "aliases": ["read_file", "Read", "ReadFile", "read_many_files", "view_file"]
     },
     "file_write": {
       "args_path": null,
       "extract": "tool_name_as_method",
       "fallback_method": "write",
-      "aliases": ["write_file", "Write", "WriteFile", "edit_file", "Edit", "replace", "apply_patch"]
+      "aliases": ["write_file", "Write", "WriteFile", "edit_file", "Edit", "replace", "apply_patch", "write_to_file", "replace_file_content"]
     },
     "file_search": {
       "args_path": null,
       "extract": "tool_name_as_method",
       "fallback_method": "search",
-      "aliases": ["Grep", "grep_search", "Glob", "glob"]
+      "aliases": ["Grep", "grep_search", "Glob", "glob", "ListDir"]
     },
     "task": {
       "args_path": null,

{controlzero-1.9.7 → controlzero-1.9.9}/controlzero/audit_remote.py

@@ -301,6 +301,11 @@ class _SpoolWiringMixin:
         self._detached_drain_spawned = False
         self._spool = None
         self._spool_mode = "off"
+        # #1315: when the durable spool cannot form (e.g. zstandard/cryptography
+        # missing or binary-incompatible on this interpreter), record WHY so
+        # diagnostics (`controlzero doctor`) can surface it instead of the user
+        # silently running on the ephemeral in-memory buffer. None == healthy.
+        self._spool_unavailable_reason = None
         # Fast path: flag off/unset, NO hosted default, AND no spool
         # directory on disk -- skip the spool import entirely so the
         # legacy default path stays byte-identical. When default_mode is
@@ -342,8 +347,29 @@ class _SpoolWiringMixin:
             if (self._spool is not None
                     and getattr(self._spool, "in_memory_mode", False)):
                 self._spool_init_degraded("memory_mode")
+        except ImportError as exc:
+            # #1315: the durable spool needs `zstandard` (compression) and
+            # `cryptography` (AES-GCM). A missing or binary-incompatible wheel
+            # (classically zstandard 0.22.0 on Python 3.13 -- no cp313 wheel)
+            # raises here BEFORE the spool dir is created. Name the cause loudly
+            # so the operator can fix the dependency instead of unknowingly
+            # running on the non-durable in-memory buffer. The dependency floor
+            # was raised (zstandard>=0.23.0) to prevent the common case.
+            self._spool_init_degraded("import_error")
+            self._spool_unavailable_reason = f"import_error: {exc}"
+            logger.warning(
+                "controlzero: audit spool dependencies unavailable (%s); "
+                "the encrypted offline spool is DISABLED and audit falls back "
+                "to in-memory buffering (durability reduced). Ensure "
+                "'zstandard>=0.23.0' and 'cryptography' are installed for this "
+                "Python (pip install -U controlzero).",
+                exc,
+            )
+            self._spool = None
+            self._spool_mode = "off"
         except Exception as exc:  # noqa: BLE001
             self._spool_init_degraded("exception")
+            self._spool_unavailable_reason = f"exception: {exc}"
             logger.warning(
                 "controlzero: audit spool unavailable (%s); "
                 "falling back to in-memory buffering",

{controlzero-1.9.7 → controlzero-1.9.9}/controlzero/cli/main.py

@@ -50,11 +50,47 @@ DEFAULT_TEMPLATES = [
 ]
 
 # Where the global policy lives when controlzero is used as a Claude Code hook.
-# Per-project ./controlzero.yaml takes precedence (the SDK already does this).
+# Per-project ./controlzero.{yaml,yml,json} takes precedence (the SDK already
+# does this).
 GLOBAL_POLICY_DIR = Path.home() / ".controlzero"
 GLOBAL_POLICY_PATH = GLOBAL_POLICY_DIR / "policy.yaml"
 GLOBAL_POLICY_SIG_PATH = GLOBAL_POLICY_DIR / "policy.yaml.sig"
 GLOBAL_TAMPER_KEY_PATH = GLOBAL_POLICY_DIR / "tamper.key"
+
+# Policy-file extensions auto-discovered in the hook resolution order, in
+# precedence order. The local policy loader accepts all three (YAML and JSON
+# -- see ``policy_loader._load_from_file``) and the in-process ``Client``
+# already auto-discovers all three in cwd; the CLI hook path must search the
+# same set so a project authored as ``controlzero.json`` is enforced by the
+# hook exactly like ``controlzero.yaml`` (else it falls through to the global
+# policy / BUNDLE_MISSING -- a JSON-config user would otherwise be invisible
+# to enforcement). Keep this list in sync with ``client._resolve_local_source``.
+_POLICY_FILE_EXTS = (".yaml", ".yml", ".json")
+
+
+def _first_existing_policy(directory: Path, basename: str) -> Optional[Path]:
+    """Return the first existing ``<directory>/<basename><ext>`` for ``ext`` in
+    :data:`_POLICY_FILE_EXTS` (``.yaml`` -> ``.yml`` -> ``.json``), else None."""
+    for ext in _POLICY_FILE_EXTS:
+        candidate = directory / f"{basename}{ext}"
+        if candidate.exists():
+            return candidate
+    return None
+
+
+def _first_existing_variant(base: Path) -> Optional[Path]:
+    """Return the first existing ``base`` with each policy extension swapped in
+    (``.yaml`` -> ``.yml`` -> ``.json``), else None.
+
+    Anchored on ``base`` (not its directory) so the global lookup honors a
+    monkeypatched ``GLOBAL_POLICY_PATH`` -- the established test contract
+    (e.g. ``test_install_hooks`` sets ``GLOBAL_POLICY_PATH`` to a non-existent
+    file to assert the missing-policy path)."""
+    for ext in _POLICY_FILE_EXTS:
+        candidate = base.with_suffix(ext)
+        if candidate.exists():
+            return candidate
+    return None
 GLOBAL_AUDIT_PATH = GLOBAL_POLICY_DIR / "audit.log"
 # Where the hook-check CLI logs surface-level events that don't flow
 # through the policy evaluator -- today just the unenrolled first-run
@@ -1349,20 +1385,17 @@ def sign_policy(policy: Optional[str], verify_only: bool):
 
 
 def _has_resolvable_policy_file() -> bool:
-    """True when a ``./controlzero.yaml`` or ``~/.controlzero/policy.yaml``
-    exists and looks loadable.
+    """True when a ``./controlzero.{yaml,yml,json}`` or
+    ``~/.controlzero/policy.{yaml,yml,json}`` exists and looks loadable.
 
     Scoped to the carve-out logic: "do we already have a policy in
     the standard search paths?" If yes, the user is past first-run
     and the carve-out banner is noise. Mirrors the happy-path search
     order in :func:`_resolve_hook_policy` so the two stay in sync.
     """
-    cwd_policy = Path.cwd() / "controlzero.yaml"
-    if cwd_policy.exists():
-        return True
-    if GLOBAL_POLICY_PATH.exists():
+    if _first_existing_policy(Path.cwd(), "controlzero") is not None:
         return True
-    return False
+    return _first_existing_variant(GLOBAL_POLICY_PATH) is not None
 
 
 def _is_unenrolled_first_run() -> bool:
@@ -1783,19 +1816,22 @@ def _maybe_refresh_policy(
 def _resolve_hook_policy(explicit: Optional[str]) -> Optional[Path]:
     """Find a policy file using the hook-time resolution order:
 
-    1. Explicit --policy argument
-    2. ./controlzero.yaml (per-project)
-    3. ~/.controlzero/policy.yaml (global)
+    1. Explicit --policy argument (any extension; the loader dispatches on it)
+    2. ./controlzero.{yaml,yml,json} (per-project, first existing)
+    3. ~/.controlzero/policy.{yaml,yml,json} (global, first existing)
+
+    The per-project and global searches probe all three extensions so a
+    project authored as ``controlzero.json`` (or ``.yml``) is enforced by the
+    hook identically to ``controlzero.yaml`` -- matching the in-process
+    ``Client`` (:func:`client._resolve_local_source`).
     """
     if explicit:
         p = Path(explicit)
         return p if p.exists() else None
-    cwd = Path.cwd() / "controlzero.yaml"
-    if cwd.exists():
+    cwd = _first_existing_policy(Path.cwd(), "controlzero")
+    if cwd is not None:
         return cwd
-    if GLOBAL_POLICY_PATH.exists():
-        return GLOBAL_POLICY_PATH
-    return None
+    return _first_existing_variant(GLOBAL_POLICY_PATH)
 
 
 def _policy_has_deny_rules(policy_path: Path) -> bool:

{controlzero-1.9.7 → controlzero-1.9.9}/controlzero/cli/templates/antigravity.yaml

@@ -22,13 +22,27 @@
 # To see what got blocked (and what was allowed):
 #   tail -f ~/.controlzero/audit.log
 #
-# Antigravity common tools (as of 2026-06):
-#   run_command            shell execution        (args: CommandLine, Cwd)
-#   write_to_file          file write             (args: TargetFile, CodeContent)
-#   replace_file_content   file edit              (args: TargetFile, ReplacementChunks)
-#   read_file              file read
-#   browser_*              browser navigation / interaction
-#   mcp_*                  MCP server tools       (tool-specific args)
+# Antigravity (agy) real tool names (as of 2026-06) and the canonical
+# Control Zero tool each one normalizes to. Write your deny rules
+# against the CANONICAL name on the right -- the SDK resolves every
+# agy tool name to its canonical equivalent before the policy engine
+# evaluates anything, so one rule (e.g. `Bash`) covers agy + Claude
+# Code + Gemini CLI + Codex CLI:
+#
+#   agy tool name          args                       canonical tool
+#   --------------------   ------------------------   --------------
+#   run_command            CommandLine, Cwd           Bash
+#   write_to_file          TargetFile, CodeContent    file_write
+#   replace_file_content   TargetFile, ...Chunks      file_write
+#   read_file              ...                        file_read
+#   view_file              ...                        file_read
+#   ListDir                ...                        file_search
+#   browser_*              ...                        (literal / glob)
+#   mcp_*                  tool-specific args         (literal / glob)
+#
+# The dangerous-command scanner reads agy's `CommandLine` argument the
+# same way it reads `command` from other hosts, so `Bash:rm` matches a
+# `run_command` whose `CommandLine` is `rm -rf /`.
 #
 # Antigravity packs the call under a top-level `toolCall{name,args}`
 # envelope; the host adapter flattens it to tool_name / tool_input
@@ -56,17 +70,25 @@ rules:
   # DENY: destructive patterns at the tool level
   # ============================================================
   #
-  # v0.1 matches on TOOL NAME, not argument content. For
-  # argument-level checks (e.g., block `rm -rf /` specifically),
-  # use the SDK inside your own code. Until then, you can deny
-  # whole tool classes.
+  # Write rules against the CANONICAL tool name (see the table above).
+  # `Bash` covers agy's `run_command`; `file_write` covers
+  # `write_to_file` + `replace_file_content`; `file_read` covers
+  # `read_file` + `view_file`; `file_search` covers `ListDir`.
+  #
+  # Argument-level rules also work: the SDK extracts the dangerous
+  # command from agy's `CommandLine` argument, so `Bash:rm` blocks an
+  # `rm` while leaving the rest of `Bash` allowed.
+  #
+  # - id: deny-rm
+  #   deny: 'Bash:rm'
+  #   reason: 'rm blocked in this workspace'
   #
   # - id: deny-file-writes
-  #   deny: 'write_to_file'
+  #   deny: 'file_write'
   #   reason: 'No unattended file writes in this project'
   #
   # - id: deny-shell-entirely
-  #   deny: 'run_command'
+  #   deny: 'Bash'
   #   reason: 'This workspace does not allow shell execution'
 
   # ============================================================

{controlzero-1.9.7 → controlzero-1.9.9}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "controlzero"
-version = "1.9.7"
+version = "1.9.9"
 description = "AI agent governance: policies, audit, and observability for tool calls. Works locally with no signup."
 readme = "README.md"
 license = {text = "Apache-2.0"}
@@ -37,7 +37,12 @@ dependencies = [
     # (cryptography is the bulk), acceptable for the UX win.
     "httpx>=0.25.0",
     "cryptography>=41.0.0",
-    "zstandard>=0.22.0",
+    # zstandard floor is 0.23.0: it is the first release to ship cp313
+    # wheels. With the old >=0.22.0 floor a Python 3.13 environment could
+    # resolve 0.22.0 (no cp313 wheel) and fail to import, which silently
+    # disabled the encrypted audit spool (the import error was swallowed in
+    # BearerAuditSink._init_spool). See #1315.
+    "zstandard>=0.23.0",
     # RFC 8785 JSON Canonicalization Scheme. Single source of truth for
     # cross-SDK audit hashing (args_hash field). Same bytes from Python,
     # Node, and Go SDKs for the same input. ~12 KB pure-Python wheel.
@@ -60,7 +65,7 @@ dependencies = [
 hosted = [
     "httpx>=0.25.0",
     "cryptography>=41.0.0",
-    "zstandard>=0.22.0",
+    "zstandard>=0.23.0",  # cp313 wheels (#1315)
 ]
 google = [
     # New Gemini SDK. The deprecated google-generativeai package is no
@@ -80,7 +85,7 @@ dev = [
     "pyyaml>=6.0",
     "httpx>=0.25.0",
     "cryptography>=41.0.0",
-    "zstandard>=0.22.0",
+    "zstandard>=0.23.0",  # cp313 wheels (#1315)
     "respx>=0.20.0",
 ]
 

{controlzero-1.9.7 → controlzero-1.9.9}/tests/test_antigravity_hook_check.py

@@ -69,8 +69,10 @@ def test_allow_emits_explicit_allow_decision(tmp_path):
 
 
 def test_deny_emits_deny_decision_from_toolcall_and_exits_zero(tmp_path):
-    # A deny rule on the FLATTENED tool name proves toolCall normalization
-    # reached the engine through the real command path.
+    # A deny rule on the CANONICAL tool name proves toolCall normalization
+    # reached the engine through the real command path. Since #1303 Part 2
+    # agy's `run_command` resolves to canonical `Bash`, so the portable rule
+    # is `deny: Bash` (one rule covers agy + Claude Code + Gemini + Codex).
     #
     # CRITICAL: Antigravity decides from the stdout JSON, NOT the exit code. A
     # non-zero exit is read by agy as a fail-closed deny that would OVERRIDE
@@ -79,7 +81,7 @@ def test_deny_emits_deny_decision_from_toolcall_and_exits_zero(tmp_path):
     p = _write_policy(
         tmp_path,
         [
-            {"deny": "run_command", "reason": "shell blocked in this workspace"},
+            {"deny": "Bash", "reason": "shell blocked in this workspace"},
             {"allow": "*"},
         ],
     )
@@ -126,10 +128,11 @@ def test_decision_is_never_empty_object(tmp_path):
 def test_exit_code_convention_is_host_aware(tmp_path):
     # REGRESSION: the host-aware exit code must not change Claude Code's
     # convention. The SAME deny rule exits 0 for Antigravity (decision lives
-    # in the JSON) but exits 2 for Claude Code (non-zero = block).
+    # in the JSON) but exits 2 for Claude Code (non-zero = block). The rule
+    # targets canonical `Bash` (run_command resolves to it since #1303 Part 2).
     p = _write_policy(
         tmp_path,
-        [{"deny": "run_command", "reason": "blocked"}, {"allow": "*"}],
+        [{"deny": "Bash", "reason": "blocked"}, {"allow": "*"}],
     )
     runner = CliRunner()