Changelog

Customer-facing rollup of recent shipped work. The most recent items are first. For finer-grained engineering history, see the in-repo CHANGELOG.md.

2026-05-18, dashboard

  • Approvals rename. "HITL" is now called "Approvals" everywhere in the dashboard. Functionality unchanged. (PR #597)
  • PostHog identifier scrub. Dashboard analytics no longer transmits email addresses. Identifiers are now restricted to the non-reversible identity provider UID. (PR #595, PR #596)
  • Approvals RBAC narrowing. Only org admins and owners can edit approval policy settings or revoke active grants. Non-admins see a disabled action with an explanatory tooltip. (PR #588, PR #591, PR #592)
  • Approvals dashboard. Bell badge for pending requests, /approvals page with filters, per-approval drawer, grants table, settings UI. (PR #581, PR #585)

2026-05-17, SDKs

  • Python SDK 1.6.0. Full Approvals support: request_approval, PendingApproval.wait, get_secret wrap with leak guard, eleven new exception classes (E1701 through E1711), and controlzero test --hitl approve|deny|timeout for local mocking. (PR #578)
  • Node SDK Approvals parity. requestApproval, wait, and getSecret shipped on @controlzero/sdk 1.9.x. (PR #582)
  • Go SDK Approvals parity. RequestApproval, Wait, and GetSecret shipped on controlzero.ai/sdk/go v1.7.x. (PR #584)

2026-05-15, releases and trust

  • Phase 1A args fingerprinting across all three SDKs. Every SDK now produces an RFC 8785 canonical hash of guarded-call arguments. Same arguments produce the same hash on every SDK and every machine, without ever transmitting the raw values. (PR #463)
  • Python SDK 1.5.7 and Go SDK v1.7.5. Clean releases that scrub customer-context strings and inline notes from the published artifact. See the May 2026 security advisory for the full disclosure. (PR #530, PR #529)
  • IP scrub gate. A pre-push detector now blocks any commit that would publish customer names, realistic-looking key fixtures, or internal hostnames to PyPI, npm, the Go proxy, or the docs site. (PR #528)

2026-05-12 to 2026-05-13, customer fix sprint

  • Policy republish bug. Republishing a library policy now reliably propagates the new version to every project that has it attached. The dashboard and the SDK no longer drift. (PR #207)
  • resources: ["*"] wildcard. Rules using the universal resource wildcard now match every call, with or without a caller-supplied resource. Narrow resource patterns still require an explicit match, so narrow rules stay narrow. (See Policy enforcement fixes, 2026-05-11.)
  • Provider recovery for empty orgs. A customer dashboard hang triggered by an org with zero projects is fixed; the dashboard now renders an empty state instead of looping. (PR #422)

2026-05-11, dashboard

  • Split-zone Governance Home. Lifetime counts on top ("at a glance"), period-scoped activity below, with clickable drill-down tiles for projects, policies, API keys, and tools. Returning users with stale data get a [View 7d] / [View 30d] jump rather than a full re-onboarding takeover. (PR #203)
  • /get-started route. Four-step server-persisted onboarding checklist, deep-linkable via ?lang=python&mode=cloud. Auto-advances on key copy, snippet copy, and first audit row. (PR #203)

Earlier

For changes before May 2026, see the in-repo CHANGELOG.md or filter by milestone on the GitHub issue tracker.