ZLAR intercepts AI agent tool calls, evaluates each against Ed25519-signed policy, routes decisions to humans when required, and produces cryptographic proof that governance happened. No AI in the enforcement path. The gate pattern-matches. It cannot be persuaded.
When an AI agent attempts any action — shell command, file write, network request, MCP tool call — ZLAR intercepts before execution and evaluates against signed policy.
Framework hook fires before execution. The call never reaches the OS without passing through ZLAR. Works with Claude Code, Cursor, Windsurf, and any MCP client.
Ed25519-signed rules evaluated by regex matching, not reasoning. The agent cannot modify the rules that govern it. Policy supports JSON rules and Cedar formal policy language.
Safe actions pass. Dangerous actions are blocked. Ambiguous actions are routed to the human authority via Telegram. The human approves or denies from their phone.
Every decision produces a v1 envelope receipt — portable cryptographic proof that governance happened, verifiable by anyone with the public key. No platform access required.
Fail closed: gate down = all actions denied.
No AI in the enforcement path. The gate classifies and enforces. It does not reason.
Policy is a human artifact. Agents cannot modify the rules that govern them.
Human invariants protect the decision-maker: daily caps, deliberation floors, response-time variance monitoring.
ZLAR governs actions that flow through it. Actions that do not flow through it are not governed. This is not a hidden limitation. It is the scope boundary, stated in doctrine.
Within the governed path: cryptographically verifiable evidence for every intercepted action, signed policy, human authority routed when policy calls for it, fail-closed on every error path. The claim is structural and holds when the agent is adversarial, misaligned, or buggy.
ZLAR does not govern the model, the prompt, or the reasoning trace. Governing upstream is governance theater. Governance happens at the contact.
Capabilities the deployment has not routed through a ZLAR interception surface reach effect without crossing the gate. Those belong to sandboxes, network controls, and OS permissions.
When the local process delegates to a sub-runtime that is not a ZLAR-mediated worker, ZLAR sees neither the handoff nor the sub-runtime's actions. A delegation-envelope gate is the named plan; not yet shipped.
Closing these gaps is the deployment owner's job. A deployment that leaves un-routed capabilities has ZLAR running, not ZLAR governing.
The category is crowded with adjacent things that look like governance and aren't. ZLAR is not those things.
A model judging another model is an attack surface disguised as a feature. Both can be talked into the same answer in the same language. The judge must not be smart in the way the agent is smart.
Watching after the fact is monitoring. Governance stops the action before it becomes real. Receipts come from a gate that already happened — not the other way around.
The party with revenue at stake cannot be the party that says no. Independent audit is structural, not optional — that is why finance has it, and that is why autonomous agents need it.
If the agent can rewrite or bypass the wrapper, the first yes still lives inside the agent's reach. First-allow authority must live outside the governed agent's writable space.
ZLAR is the structural alternative: deterministic gate, signed policy, separately-signed meta-policy, named human authority at the points consequence demands it, receipts an auditor can verify without the vendor in the room.
A Governed Action Receipt is a signed artifact — not a screenshot, not a log entry, not a dashboard view. The decision, the rule it cited, the human who authorized it, the timestamp, the delegation chain are all bytes that anyone with the public key can verify.
That is the structural answer to vendor capture. The affected party — citizen, regulator, auditor, opposing counsel — does not depend on the vendor's interface for ground truth. After the session ends. After the vendor pivots. After the deployment is gone.
Portable cryptographic proof. v1 envelope format (frozen). Ed25519 signature over canonical payload. Verifiable by anyone with the public key.
Bash gate (Claude Code, Cursor, Windsurf) and MCP gate (any MCP client). Per-entry Ed25519 audit signing. Fail-closed on every error path.
28+ formal policy rules in Amazon's Cedar language. Dual-engine evaluation (JSON regex + Cedar). Policy portability across governance layers.
Five enforced constraints protecting the human decision-maker: H6 (daily cap), H13 (capacity), H14 (response-time variance), H15 (deliberation floor), H17 (authenticity).
Published specification (RFC 8785 subset). 28 test vectors verified across Node.js, Python, and bash. Cross-language receipt verification.
Five-layer verification pipeline. Rule-outcome consistency, authorizer coherence, temporal checks, delegation chain integrity. Signature is necessary but not sufficient.
The quickstart runs the real gate against real tool calls. Two are allowed. Two are denied. A v1 receipt is generated and cryptographically verified. Nothing is simulated.
git clone https://github.com/ZLAR-AI/ZLAR.git && cd ZLAR && bash scripts/quickstart.sh
Requirements: bash 4+, jq, openssl 3.x. Optional: Node.js 18+ (MCP gate, receipt verification). Troubleshooting →
Formal comment on the NIST concept paper on AI agent identity and authorization.
NIST CAISI SubmissionSubmitted to NIST CAISI Listening Sessions. Primary barrier to AI agent adoption in financial services.
Published SpecificationsFormal specifications with permanent URLs. Cross-language verified. Receipt format frozen.
Legal & RegulatoryApache 2.0. Regulatory classification under EU AI Act. Known limitations disclosed.
Problem, architecture, evidence, regulatory mapping. The complete technical briefing.
InteractiveStep through four scenarios. See the input, policy evaluation, and response at each stage.
Formal ProofAll 9 terminal states verified against source code. Every claim verifiable. Every boundary stated.
Verify a ReceiptA real Governed Action Receipt. Clone, verify with only the public key, no platform access. The proof a reader can touch.
Doctrine SuiteThe architectural canon. What ZLAR is, what it governs, how public claims are framed, how doctrine becomes code.
RepositoryFull source. 1,422 test assertions. 12 ADRs. Apache 2.0. Clone, install, read.
ZLAR is built from 25 years of financial services experience, where independent audit is structural, not optional. The same principle applies to autonomous agents: the entity performing the work cannot credibly audit itself.
Canadian corporation. Apache 2.0 licensed. Open source.