The airport map is honest because it names the side doors.
ZLAR governs boarding for defined routed action surfaces. It does not claim all AI, all tools, all reasoning, all final text, or paths that do not cross the governed gate.
Passengers in the governed lane.
An action is governed when it flows through a ZLAR interception surface before it takes effect. On that route, ZLAR checks the signed rule, applies the boarding decision, and records what counted as authorized effect. It leaves a receipt that can be verified later.
Core boundary
ZLAR governs routed/intercepted action surfaces only.
What stays outside this gate.
A side door is not automatically evil. It is simply outside this governed lane unless the deployment routes it through ZLAR or closes it with surrounding controls.
Defined routed or intercepted action surfaces.
Receipt, verifier, manifest, and release metadata.
Missing or unrecognized credentials can be refused on configured routes.
Unrouted shell, filesystem, browser, app, network, reasoning, and final text are not claimed.
The current claim is narrow on purpose.
Receipt scanner summary: the public sample names the governed route, the receipt, the scanner, and the side doors. It is bounded fake/scratch evidence for a defined routed path.
Public release metadata and proof-pack detail live in Public Proof Desk. Current core source access is private; this page states only the claim boundary.
"ZLAR can govern Codex CLI-invoked MCP tool calls when those MCP servers are routed through ZLAR."
Routed MCP tool-call decisions in the sample path.
Direct MCP routes that bypass ZLAR are outside the claim.
/contest and external attestation status are named.
Unrouted client surfaces and model text.
What the sample receipt does not prove.
Explicit non-claims
- Unrouted shell/filesystem/browser/app/network/model-reasoning/final-text surfaces are not claimed as governed by this proof path.
- Direct MCP registrations that bypass the ZLAR route are outside this evidence path.
- /contest is not implemented.
- A private-by-default non-Vincent verifier request has been sent; no public external attestation is claimed in this repo, and any private reply or later result remains bounded by verifier relationship, disclosure permission, and exact evidence returned.
- A log records what happened. A ZLAR receipt records what counted as authorized effect. It does not prove the rule was correct or the AI's intention was good.