Policy enforcement fixes, 2026-05-11

Two customer-reported issues where a published policy did not take effect have been fixed and shipped to all SDKs and the dashboard.

What was wrong

Republished policies did not refresh attached projects

When a policy in the Policy Library was edited and a new version was published, projects that already had the previous version attached did not always pick up the new version. The dashboard showed the new version as published, but the SDK kept enforcing the prior version.

This is now fixed: republishing a policy rolls forward every project that already had it attached. Projects without the policy attached are unaffected.

Hosted-mode SDKs returned deny on every call when a rule used resources:["*"]

Rules in the published bundle that listed resources: ["*"] (the universal wildcard) were silently skipped on calls that did not pass context.resource. Result: every guard() call returned deny with reason_code=NO_RULE_MATCH, regardless of what the policy said.

This is now fixed: resources: ["*"] matches every call, with or without a caller-supplied resource. Non-wildcard resource patterns (for example, ["table/orders"]) still require the caller to set a matching context.resource, so narrow rules stay narrow.
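
The matching behavior described above, as a small Python model (an added example, not Control Zero SDK code). The `evaluate` function, the `wildcard_fix` switch, the `actions` and `effect` rule fields, and the glob-style pattern matching are assumptions made for illustration; only `resources`, `context.resource` and `NO_RULE_MATCH` come from this page.

```python
from fnmatch import fnmatchcase

# Constructed sample bundle. Only the "resources" key appears on this page;
# "id", "effect" and "actions" are hypothetical fields for the illustration.
BUNDLE = [
    {"id": "allow-all-reads", "effect": "allow",
     "actions": ["read"], "resources": ["*"]},
    {"id": "allow-orders-write", "effect": "allow",
     "actions": ["write"], "resources": ["table/orders"]},
]


def resource_matches(patterns, resource, wildcard_fix=True):
    """Decide whether a rule's resource patterns cover this call."""
    if resource is None:
        # Call made without context.resource.
        # Before the fix: the rule was skipped, even for ["*"].
        # After the fix: only the universal wildcard matches such a call.
        return wildcard_fix and "*" in patterns
    # Assumption: patterns are compared glob-style against the resource.
    return any(fnmatchcase(resource, p) for p in patterns)


def evaluate(action, resource=None, bundle=BUNDLE, wildcard_fix=True):
    """Hypothetical stand-in for a guard() decision: first match wins."""
    for rule in bundle:
        if action in rule["actions"] and resource_matches(
            rule["resources"], resource, wildcard_fix
        ):
            return {"decision": rule["effect"], "rule": rule["id"]}
    # No rule applied, so the call is denied (fail closed).
    return {"decision": "deny", "reason_code": "NO_RULE_MATCH"}


if __name__ == "__main__":
    print("pre-fix,  read, no resource :", evaluate("read", wildcard_fix=False))
    print("post-fix, read, no resource :", evaluate("read"))
    print("post-fix, write, no resource:", evaluate("write"))
    print("post-fix, write table/orders:", evaluate("write", "table/orders"))
```

The last two calls show why the narrow rule stays narrow: a `["table/orders"]` rule never matches a call that omits the resource, so omitting it cannot widen access.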

What you need to do

  • Python SDK users: upgrade to controlzero 1.4.6 or later via pip install -U controlzero.
  • Node SDK users: upgrade to @controlzero/sdk 1.8.2 or later via npm install @controlzero/sdk@latest.
  • Go SDK users: upgrade to the latest tagged release via go get -u controlzero.ai/sdk/go.
  • Dashboard republish flow: no action needed; the fix is live on the SaaS platform.

If you were affected and policies still appear stuck after upgrading the SDK, force a refresh:

cz.refresh()  # Python
await cz.refreshPolicies(); // Node

If the behavior is still wrong after a forced refresh, see Troubleshooting deny-on-every-call.