ZLAR-CC · Open Source · Apache 2.0

ZLAR-CC

Human-governed AI coding. No speed lost.

You gave Claude Code bypass permissions because the default permission prompts slow you down. Good. ZLAR-CC gives you the speed back — and adds a gate where it matters.

View on GitHub → Read the Legal

Tools intercepted

95%

Pass through instantly

Ed25519

Signed policy

Fail-closed

If it breaks, it stops

The Problem

No middle ground built in.

Claude Code with bypass permissions is powerful. It can write files, execute shell commands, install packages, and modify your system — all without asking.

That's the point. That's why you enabled it.

But there's no middle ground built in. It's either full friction (approve everything) or no friction (approve nothing). Every tool call gets the same treatment regardless of whether it's reading a file or running rm -rf /.

ZLAR-CC creates the middle ground that doesn't exist.

How It Works

A gate with no intelligence.

ZLAR-CC hooks into Claude Code's PreToolUse protocol. Every tool call — all 10 of them — passes through a deterministic gate before execution.

The gate has no intelligence. It doesn't use AI. It doesn't make judgment calls. It classifies, matches against your policy, and either passes instantly or halts for your approval.

What happens	How
Tool call intercepted	PreToolUse hook, fail-closed
Risk classified	Two-stage deterministic classifier
Policy matched	Your rules, Ed25519 signed
Low risk	Passes instantly — no delay
High risk	Halts. You get a Telegram message. You approve or deny.

95% of actions flow through instantly. The 5% that matter — destructive commands, sensitive file access, network operations — wait for you.

Coverage

Every tool. Every time.

Tool	What it does	Default
Bash	Shell commands	Always gated
Read	File reads	Sensitive paths gated
Write	File creation	Policy-dependent
Edit	File modification	Policy-dependent
Glob / Grep	File search	Sensitive paths gated
WebFetch / WebSearch	Network requests	Always gated
NotebookEdit	Jupyter edits	Policy-dependent
Task / Agent	Sub-agent spawning	Always gated
TodoWrite, AskUserQuestion, EnterPlanMode…	Internal tools	⚡ Pass-through — zero overhead
mcp__<server>__<tool>	Third-party MCP	🚦 Ask by default

MCP tools classified. Every call to a third-party MCP server triggers an approval request. Governance follows the tool, not just the model.

Internal tools pass instantly. TodoWrite, AskUserQuestion, plan mode — conversation-internal tools have zero governance overhead. The gate only fires when it matters.

Denied-by distinction. Every deny includes denied_by: [human], [timeout], [policy], [rate_limit], or [gate_error]. Your agent knows exactly why it was blocked.

Risk Classifier

Two-stage. Deterministic. Same input, same output, always.

Stage 1 — Boundedness

Five binary checks. Any true = Tier 4.

Unbounded scope? (e.g., find / -delete)
Unbounded depth? (e.g., recursive without limit)
Crosses trust boundary? (network access, external comms)
Modifies execution environment? (chmod, env vars)
Self-referential? (modifying its own policy or config)

Stage 2 — Scoring

Three axes, each scored 1–4.

Irreversibility — can this be undone?
Consequence — what's the blast radius?
Scope — how many systems does this touch?

tier = max(all axes)

Policy

AI writes code. Humans write rules.

The policy file is yours. You write it. You sign it with Ed25519. The AI cannot modify the rules that govern it.

# Example: allow reads, gate writes, block destructive commands
rules:
  - pattern: "cat *"
    action: allow
  - pattern: "rm *"
    action: deny
  - pattern: "git push *"
    action: hold  # sends to Telegram for approval

No machine learning. No inference. No heuristics. String matching against human-authored rules.

Scenario	What happens
Gateway unreachable	All actions denied
Unknown tool	Denied
Policy signature invalid	All actions denied
Classifier error	Denied
Telegram down	High-risk actions wait (configurable timeout)

Quick Start

Up in minutes.

git clone https://github.com/ZLAR-AI/ClaudeCode_ZLAR-CC.git
cd ClaudeCode_ZLAR-CC
npm install && npm run build
cp .env.example .env       # add your Telegram bot token
npm run keygen             # generate Ed25519 keypair
npm run sign-policy        # sign your policy
npm run dev:gateway        # start the gate

Then add the hook to your Claude Code settings. See the README for full setup.

After signing your policy, extract your public key — the install guide walks you through it. Without this step, the gate can’t verify signatures and blocks all actions.

✓ Verified working on macOS Sequoia with Claude Code Opus 4.6. The gate that governs this project’s own Claude sessions is this gate.

The ZLAR Family

Seven products. One thesis.

Same principle: independent governance that does not depend on the model's cooperation. Different surfaces.

Product	Platform	What it does
ZLAR-OC	macOS (OpenClaw)	OS-level containment — user isolation, kernel sandbox, firewall, signed policy, audit trail
ZLAR-CC	Claude Code	Hook-based gate — tool-call interception, risk classification, signed policy, Telegram approval
ZLAR Gate	Claude Code + Cursor + Windsurf	Universal policy enforcement — one gate, three frameworks
ZLAR-LT	Claude Code + Cursor + Windsurf	Zero-config governance — one command install, deny-heavy defaults
ZLAR-AU	ZLAR Gate audit trail	Compliance reporting — PCI-DSS, SOC 2, OSFI B-13, SOX, EU AI Act
ZLAR-NT	Cross-platform	Network egress policy — domain-aware, gate-integrated
ZLAR-FL	Cross-platform	Fleet governance — registry, health monitoring, audit aggregation