ZLAR Gate · Open Source · Apache 2.0

ZLAR Gate

One gate. Your rules. Every agent framework.

Policy enforcement for AI coding agents. Works with Claude Code, Cursor, and Windsurf. Same policy, same audit trail, same human authority — across every editor.

Frameworks supported: 3
Policy file: 1
Signed policy: Ed25519
Fail-closed: if it breaks, it stops

The Problem

Three editors. Three ungoverned surfaces.

AI coding agents run with your permissions across every editor. You turned off the safety prompts because they were annoying. Now your agent can delete files, push code, install packages, and make network requests — in Claude Code, in Cursor, in Windsurf — with no gate between intent and execution.

Every editor has its own bypass. None of them have a policy layer. You're managing risk three times, inconsistently, or not at all.

ZLAR Gate creates one gate for all of them.


Architecture

One engine. Three adapters.

ZLAR Gate has a core gate engine and framework-specific adapters. The adapters are thin translators — ~80 lines each — that sit between each framework's hook protocol and the gate's native format. The engine does all the work: classification, policy matching, Telegram approval, audit trail.

Claude Code

PreToolUse hook. All 10 tools. JSON stdout response. Fail-closed — no response means deny.

Cursor

beforeShellExecution, beforeReadFile, beforeMCPExecution. JSON permission response. File edits audited post-write.

Windsurf

pre_run_command, pre_write_code, pre_read_code, pre_mcp_tool_use. Exit code response. Post-execution events audited.

Framework   | Hook Events                                                        | Response Format
Claude Code | PreToolUse (10 tools)                                              | JSON stdout
Cursor      | beforeShellExecution, beforeReadFile, beforeMCPExecution           | JSON permission
Windsurf    | pre_run_command, pre_write_code, pre_read_code, pre_mcp_tool_use   | Exit code

Policy

Write once. Govern everywhere.

Write your rules once. Sign them with Ed25519. Every framework evaluates against the same policy. One audit trail captures decisions from all editors. One Telegram bot handles all approval requests.

AI writes code. Humans write rules.

{
  "rules": [
    {
      "domain": "bash",
      "detail": { "regex": "^(ls|pwd|cat|head|tail)\\b" },
      "action": "allow",
      "description": "Safe read-only commands"
    },
    {
      "domain": "bash",
      "detail": { "contains": "rm " },
      "action": "ask",
      "description": "Deletion requires approval"
    },
    { "domain": "bash", "action": "deny" }
  ],
  "defaultAction": "deny"
}

No machine learning. No inference. Deterministic string matching against human-authored rules. The gate refuses to start with a tampered policy.
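An added sketch of how a policy like the one above could be evaluated; it is not ZLAR Gate's own code. It assumes rules are tried in order with the first match winning, that a rule without a detail field matches everything in its domain, and that any malformed rule resolves to deny. The sample commands are constructed.

```python
import json
import re

# Policy from the page (descriptions omitted for brevity).
POLICY = json.loads(r'''
{"rules": [
  {"domain": "bash", "detail": {"regex": "^(ls|pwd|cat|head|tail)\\b"}, "action": "allow"},
  {"domain": "bash", "detail": {"contains": "rm "}, "action": "ask"},
  {"domain": "bash", "action": "deny"}],
 "defaultAction": "deny"}
''')
ACTIONS = {"allow", "ask", "deny"}

def rule_matches(rule, domain, text):
    """True if the rule applies to this domain and text."""
    if rule["domain"] != domain:
        return False
    detail = rule.get("detail")
    if detail is None:        # assumption: no detail = catch-all for the domain
        return True
    if "regex" in detail:
        return re.search(detail["regex"], text) is not None
    if "contains" in detail:
        return detail["contains"] in text
    raise ValueError("unknown matcher")  # turned into deny by decide()

def decide(policy, domain, text):
    """Assumed semantics: first matching rule wins; any error resolves to deny."""
    try:
        for rule in policy["rules"]:
            if rule_matches(rule, domain, text):
                action = rule["action"]
                break
        else:
            action = policy["defaultAction"]
        return action if action in ACTIONS else "deny"
    except (KeyError, TypeError, ValueError, AttributeError, re.error):
        return "deny"         # fail closed on a malformed policy

# Constructed sample inputs, not taken from the page.
SAMPLES = [("bash", "ls -la"), ("bash", "rm -rf build"), ("bash", "lsblk"),
           ("bash", "X=rm; $X -r build"), ("network", "example.test")]

if __name__ == "__main__":
    for domain, text in SAMPLES:
        print(f"{domain:8} {text!r:24} -> {decide(POLICY, domain, text)}")
```

The variable-indirection sample never contains the literal "rm " substring, so it skips the ask rule and is stopped only by the catch-all deny that follows it.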


Security

Security hardened.


Quick Start

One command.

git clone https://github.com/ZLAR-AI/ZLAR-Gate.git
cd ZLAR-Gate
./scripts/zlar-setup.sh

The setup script checks prerequisites, copies config templates, walks you through Telegram configuration, generates your Ed25519 keypair, signs the default policy, and configures hooks in each framework. See the README for full setup details.


Known Limitations

What ZLAR Gate doesn't do.

In the interest of transparency:

Cursor file edits are audited, not pre-blocked. Cursor's afterFileEdit hook fires after the edit is applied. Shell commands and MCP calls are fully gated. File edits are recorded in the audit trail but cannot be stopped in advance.

Obfuscated commands may not be caught. Policy rules use regex matching. Variable indirection, base64 encoding, and eval wrappers can bypass string-level rules. This is a fundamental limitation of any regex-based classifier.

Adapter accuracy depends on framework hook contracts. When Claude Code, Cursor, or Windsurf updates their hook protocols, adapters may need updating. ZLAR Inc. makes no guarantee of compatibility with future framework versions.

ZLAR Gate reduces risk. It does not eliminate it. See Legal for complete terms.


The ZLAR Family

Seven products. One thesis.

Same principle: independent governance that does not depend on the model's cooperation. Different surfaces.

Product   | Platform                        | What it does
ZLAR-OC   | macOS (OpenClaw)                | OS-level containment — user isolation, kernel sandbox, firewall, signed policy, audit trail
ZLAR-CC   | Claude Code                     | Hook-based gate — tool-call interception, risk classification, signed policy, Telegram approval
ZLAR Gate | Claude Code + Cursor + Windsurf | Universal policy enforcement — one gate, three frameworks
ZLAR-LT   | Claude Code + Cursor + Windsurf | Zero-config governance — one command install, deny-heavy defaults
ZLAR-AU   | ZLAR Gate audit trail           | Compliance reporting — PCI-DSS, SOC 2, OSFI B-13, SOX, EU AI Act
ZLAR-NT   | Cross-platform                  | Network egress policy — domain-aware, gate-integrated
ZLAR-FL   | Cross-platform                  | Fleet governance — registry, health monitoring, audit aggregation

Built by Vincent Nijjar and ZLAR Inc.
Open source under Apache License 2.0. Free to use, modify, and distribute.