AI agent governance: policies, audit, and observability for tool calls. Works locally with no signup.
Project description
control-zero
AI agent governance for Python. Policies, audit, and observability for tool calls. Works locally with no signup.
v1.0.0 is a complete rewrite. If you depend on
control-zero<1.0.0(the hosted-mode SDK), pin your requirement:control-zero<1.0.0to stay on the legacy v0.3.x. The new v1.0.0+ is a local-first SDK with a different API surface; see the migration guide for details.
Hello World
from controlzero import Client
cz = Client(policy={
"rules": [
{"deny": "delete_*", "reason": "Hello World: deletes are blocked"},
{"allow": "*", "reason": "Hello World: everything else is fine"},
]
})
print(cz.guard("delete_file", {"path": "/tmp/foo"}).decision) # "deny"
print(cz.guard("read_file", {"path": "/tmp/foo"}).decision) # "allow"
11 lines. No API key. No signup. Run it.
Install
pip install controlzero
Why
Your AI agents call tools. Some of those tools should never be called by an
agent without a human in the loop. controlzero is the policy layer between
the model's output and the tool execution. Decisions are fail-closed by default.
You can use it offline with a local YAML file or Python dict. When you want to
share policies across a team or get a hosted audit dashboard, sign up at
controlzero.ai and set CONTROLZERO_API_KEY.
Quickstart with the CLI
# 1. Generate a starter policy file with examples and comments
controlzero init
# 2. Edit controlzero.yaml in your editor
# 3. Validate it
controlzero validate
# 4. Test a tool call against the policy
controlzero test delete_file
The generated controlzero.yaml is the tutorial. It ships with annotated
rules covering the common patterns: allow lists, deny lists, wildcards, and
the catch-all.
Templates available:
controlzero init— Hello World template (default)controlzero init -t rag— RAG agent template (block exfiltration)controlzero init -t mcp— MCP server templatecontrolzero init -t cost-cap— model allow-listing and cost guards
Loading a policy
Three ways:
from controlzero import Client
# From a Python dict
cz = Client(policy={
"rules": [
{"deny": "delete_*"},
{"allow": "read_*"},
]
})
# From a YAML file
cz = Client(policy_file="./controlzero.yaml")
# From an environment variable
# (set CONTROLZERO_POLICY_FILE=./controlzero.yaml)
cz = Client()
If ./controlzero.yaml exists in the current directory, it is picked up
automatically. No environment variable needed.
Policy schema
version: '1'
rules:
# Block any tool whose name starts with "delete_"
- deny: 'delete_*'
reason: 'Deletes need human approval'
# Allow specific known-good tools
- allow: 'search'
- allow: 'read_*'
# tool:method syntax
- allow: 'github:list_*'
- deny: 'github:delete_repo'
# Catch-all
- deny: '*'
reason: 'Default deny'
Rules are evaluated top to bottom. The first match wins. If no rule matches, the call is denied (fail-closed).
Tamper detection and quarantine
The policy YAML supports a settings: section that controls how the SDK
responds when it detects that the local policy file has been modified outside
of normal channels (manual edits, unexpected hash changes, etc.):
version: '1'
settings:
tamper_behavior: warn # Options: warn | deny | deny-all | quarantine
rules:
- deny: 'delete_*'
- allow: '*'
| Mode | Behavior |
|---|---|
warn |
Log a warning but continue evaluating rules normally. |
deny |
Deny the current tool call that triggered the tamper check. |
deny-all |
Deny all tool calls and place the machine in quarantine until recovered. |
quarantine |
Same as deny-all, plus report a tamper alert to the backend dashboard. |
Quarantine recovery. When a machine enters quarantine (deny-all or
quarantine), every tool call is denied until you re-establish trust with one
of these commands:
controlzero enroll
controlzero policy-pull
controlzero sign-policy
Org-level policy signing. When a machine is enrolled via controlzero enroll,
it receives the organization's signing public key. Policy bundles pulled from
the backend are cryptographically signed and verified by the SDK automatically.
No extra configuration is required.
Tamper alert reporting. In quarantine mode, the SDK reports a tamper alert
to the Control Zero backend so your team can see it on the dashboard.
Local audit log
When running without an API key, every decision is written to ./controlzero.log
with daily rotation and 30-day retention. Tail it:
controlzero tail
Configure rotation via the client:
cz = Client(
policy_file="./controlzero.yaml",
log_path="./logs/controlzero.log",
log_rotation="10 MB", # rotate at 10 MB, or "daily", or "1 hour"
log_retention="30 days",
log_compression="gz", # gzip rotated files
log_format="json", # or "pretty"
)
When CONTROLZERO_API_KEY is set, audit ships to the remote dashboard and
these log_* options are ignored with a warning.
Hybrid mode
If you set both an API key AND pass a local policy, the local policy overrides the dashboard policy and you get a loud WARN log on init:
WARNING: controlzero: manual policy override detected. ...
This is intentional: it makes accidental prod bypass impossible to miss. For prod environments, opt into strict mode to raise instead:
cz = Client(api_key="cz_live_...", policy=local_policy, strict_hosted=True)
# RuntimeError: manual policy override detected ...
Coding agent hooks
controlzero hook-check runs inside Claude Code, Gemini CLI, and Codex CLI
on every tool use and evaluates the call against your policy before it fires.
It extracts a canonical tool:method from the tool arguments so rules can
target database:SELECT vs database:DROP, or allow Bash:git while denying
Bash:rm. Multi-statement SQL and compound shell commands are resolved to the
most dangerous token, so a SELECT ... ; DROP TABLE users; payload matches
database:DROP, not database:SELECT. See
Hook action extraction
for the full extraction rules, security model, and per-tool examples.
Framework examples
Full integration guides at docs.controlzero.ai/sdk/integrations:
- LangChain
- LangGraph
- CrewAI
- OpenAI Agents SDK
- Anthropic tool use
- Pydantic AI
- AutoGen
- MCP servers
- Raw HTTP / no framework
Hosted mode
When you want a dashboard, audit search, team policies, and approval workflows, sign up at controlzero.ai and set the API key:
import os
os.environ["CONTROLZERO_API_KEY"] = "cz_live_..."
from controlzero import Client
cz = Client() # picks up the API key from env, audit ships remote
License
Apache 2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file controlzero-1.4.5.tar.gz.
File metadata
- Download URL: controlzero-1.4.5.tar.gz
- Upload date:
- Size: 200.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ddeddee1f7ec4c35fa618735d677c63323d174e91fcaf92f0eb0b3f7eedf1598
|
|
| MD5 |
6a1be406631f64d95ed389db8c67d968
|
|
| BLAKE2b-256 |
abe9250821117d6225f39af8a1ba5e3d1faca396ac1ef9d632ad53a84d96245d
|
File details
Details for the file controlzero-1.4.5-py3-none-any.whl.
File metadata
- Download URL: controlzero-1.4.5-py3-none-any.whl
- Upload date:
- Size: 165.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8ec252e5bf30a1d1d7467397c9c71fea0e4044f5da5cfd919aef8c47c703a60c
|
|
| MD5 |
68b9829b00247750a34a9ed89c8a399b
|
|
| BLAKE2b-256 |
c405f9a569e1623a9d230d3d237443e8c8e00e9b6bfd50bf7cc02c2ebaa5a4ae
|
