ZLAR is where AI action becomes answerable.
AI can change files.
Call tools.
Move data.
Run commands.
Start workflows.
Affect people.
That kind of action needs a threshold.
Before AI acts, ZLAR checks the rule.
The rule can allow it.
The rule can block it.
The rule can ask a person.
The AI does not get to write its own permission slip.
The yes has to be real
And when a person is asked, the yes has to be real.
A person needs time to think.
A person needs room to say no.
A person should not be turned into a button-clicker for machine speed.
A fast no can be real. A fast yes can be dangerous.
The action leaves proof
After the decision, ZLAR leaves a receipt.
The receipt says what happened, what rule applied, who or what allowed it, and whether the record still verifies.
The threshold has limits
ZLAR only governs the doors it is attached to.
That limit is not a weakness.
That is how a threshold works.
What ZLAR is for
AI can move.
Humans remain present.
Actions become answerable.
Exact scope
- ZLAR governs routed/intercepted action surfaces only.
- Safe Codex wording: "ZLAR can govern Codex CLI-invoked MCP tool calls when those MCP servers are routed through ZLAR."
- Unrouted shell/filesystem/browser/app/network/model-reasoning/final-text surfaces are not claimed as governed by the current proof path.
- /contest is not implemented.
- External non-Vincent verifier attestation remains prepared/pending unless state changes.