The claim is powerful because it is bounded.
ZLAR is a boundary, not a totalizing story about all AI behavior. The disclosure is part of the product.
Actions that cross a routed or intercepted gate surface.
An action is on the governed path when it flows through a ZLAR interception surface before it takes effect. Within that governed path, ZLAR applies signed deterministic policy and records evidence of the governance decision.
Core boundary
ZLAR governs routed/intercepted action surfaces only.
The safe Codex wording is exact.
Release state: ZLAR v3.3.15 on GitHub.
"ZLAR can govern Codex CLI-invoked MCP tool calls when those MCP servers are routed through ZLAR."
Routed MCP tools/call decisions in the proof path.
Direct upstream MCP registrations that bypass the route.
/contest and external attestation status.
Unrouted client surfaces and model text.
What this proof path does not claim.
Explicit non-claims
- Unrouted shell/filesystem/browser/app/network/model-reasoning/final-text surfaces are not claimed as governed by this proof path.
- Direct MCP registrations that bypass the ZLAR route are outside this evidence path.
- /contest is not implemented.
- External non-Vincent verifier attestation remains prepared/pending unless state changes.
- A receipt proves a governance event was recorded. It does not prove the policy was correct or the agent's intention was good.