ZLAR-LT · Open Source · Apache 2.0

ZLAR-LT

Zero-config governance for AI coding agents.

One command. Auto-detects Claude Code, Cursor, and Windsurf. Generates Ed25519 keys. Signs a deny-heavy policy. Configures hooks. Governance running in under 60 seconds.

Get Started → Read the Legal

curl -fsSL https://zlar.ai/install.sh | bash

Policy rules

Deny rules

Ed25519

Signed policy

<60s

Time to governance

What's Allowed. What's Blocked.

Deny-heavy by default.

ZLAR-LT ships with 23 rules (8 allow, 15 deny). The agent can read, write, edit, and search. It cannot delete, escalate, persist, exfiltrate, or push. Anything not explicitly allowed is denied.

Allowed

Read files (cat, head, tail, less)
List directories (ls, find, tree)
Search content (grep, rg, ag)
Write and edit files
Create directories (mkdir)
Compile and run tests
Read environment info (pwd, whoami, date)
Git status and diff (read-only)

Blocked

Delete files or directories (rm, rmdir)
Git push, force push, tag push
Network requests (curl, wget, nc)
Install packages (npm install, pip install, brew install)
Privilege escalation (sudo, su)
Modify gate infrastructure (self-protection)
Read signing key (self-protection)
Shell escapes and subshell tricks
Environment variable manipulation
Process injection and background execution

No Telegram. No decisions. Safe actions flow through instantly. Blocked actions are denied with a reason. The agent knows why. The audit trail records everything.

Self-Protection

The agent cannot govern itself.

Three rules exist specifically to prevent the agent from modifying or reading its own governance infrastructure:

Cannot modify gate infrastructure — writes to ZLAR-LT directories are blocked
Cannot read the signing key — the Ed25519 private key is blocked from agent reads
Cannot modify policy — the policy file and signature are outside the agent's write domain

The policy is signed with Ed25519. The gate verifies the signature on every load. An agent that writes to the policy file invalidates the signature — the gate detects this and denies everything. Governance that the governed party can modify is not governance.

Installation

One command.

curl -fsSL https://zlar.ai/install.sh | bash

The installer:

Auto-detects which frameworks are installed (Claude Code, Cursor, Windsurf)
Generates Ed25519 keypair
Signs the default deny-heavy policy
Configures hooks in each detected framework
Verifies governance is running

No configuration required. No Telegram bot. No API tokens. No decisions. You can read and customize the default policy at ~/.zlar-lt/policies/lt-default.policy.json.

If you want to read the install script before running it: github.com/ZLAR-AI/ZLAR-LT/blob/main/install.sh

Known Limitations

What ZLAR-LT doesn't do.

No Telegram approval. Blocked actions are denied, not held for review. If you want case-by-case approval, add a Telegram token or upgrade to ZLAR Gate.

Cursor file edits are audited, not pre-blocked. Cursor's afterFileEdit hook fires after the edit is applied. File edits are recorded but cannot be stopped in advance.

Obfuscated commands may bypass regex rules. Base64, eval wrappers, and variable indirection can evade string-level rules. This is a fundamental limitation of regex-based classifiers.

Cursor and Windsurf adapters are built from documentation, not tested against live payloads. The Claude Code adapter is verified. If you use ZLAR-LT with Cursor or Windsurf and encounter issues, open an issue.

ZLAR-LT reduces risk. It does not eliminate it. See Legal for complete terms.

The ZLAR Family

Seven products. One thesis.

Same principle: independent governance that does not depend on the model's cooperation. Different surfaces.