Getting started

Install the toolchain and go from an empty repo to a governed push with signed evidence. Budget about 90 minutes for the full path.

Install the tools

Each tool is a single static Go binary (the plugins add a small adapter). Install what you need — they compose, but each works on its own.

zegit (zg)

Install from a release archive, or build from source, then point it at your Control Plane:

zg version
export ZEGIT_CP_URL=https://zegit.io   # omit for local IAM mode

meerkat (mk)

The repo is private, so authenticate gh once — mk update reuses that token:

gh auth login
TAG=v0.4.0
PLATFORM=darwin_arm64          # darwin_amd64 / linux_amd64 / linux_arm64
mkdir -p ~/.local/bin
gh release download "$TAG" --repo zegit-zoo/meerkat \
  -p "meerkat_${TAG#v}_${PLATFORM}.tar.gz" --output - \
  | tar -xz -C ~/.local/bin meerkat
ln -sf meerkat ~/.local/bin/mk
meerkat version

mongoose

Build from source and export a provider key:

export ANTHROPIC_API_KEY=sk-ant-...
go build -o mongoose ./cmd/mongoose
./mongoose run "list the Go files here and summarise each"

Install location matters for self-update

Install mk into a user-owned directory like ~/.local/bin (or /opt/homebrew/bin on Apple Silicon). mk update can then swap the binary without sudo.

Your first governed push

This is the core loop: validate locally, which signs an Attestation of Validation (AoV) for the exact commit, then push — the gateway verifies the signed evidence instead of re-running CI.

  1. Authenticate

    A passkey ceremony issues a short-lived signing certificate.

    zg auth login
    zg auth status        # identity, role, expiry
  2. Initialize the repo

    Writes .zegit/config.yaml, a ZEGITFILE, and a pre-push hook.

    cd my-repo
    zg init
  3. Validate

    Runs your pipeline, evaluates policy, and on success signs an AoV into refs/zegit/aov/<commit>.

    git add -A && git commit -m "feature"
    zg validate
  4. Push

    The pre-push hook pushes the AoV ref alongside your branch; the gateway accepts or rejects.

    git push gateway main

Exit codes are a contract

zg validate returns 0 for ALLOW, 10 for REQUIRE_REVIEW, and 20 for BLOCK. Wire these into CI rather than grepping output.
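
One way to wire those exit codes into a CI step, as an added example that is not part of zegit's own tooling. The function names, the ERROR label for undocumented codes, and the stub validator are assumptions made for illustration; only the 0/10/20 mapping comes from this page.

```bash
#!/bin/sh
# Added example: a CI gate that branches on the documented `zg validate`
# exit codes (0 ALLOW, 10 REQUIRE_REVIEW, 20 BLOCK). Function names, the
# ERROR label and the stub below are assumptions, not part of zegit.
set -eu

# Map an exit code to a decision label. Codes outside the documented three
# (crash, missing binary, killed by signal) fail closed as ERROR.
decision_for() {
  case "$1" in
    0)  echo ALLOW ;;
    10) echo REQUIRE_REVIEW ;;
    20) echo BLOCK ;;
    *)  echo ERROR ;;
  esac
}

# Run the validator (default: zg validate), print only the decision on
# stdout and return 0 only for ALLOW. REQUIRE_REVIEW and BLOCK keep their
# codes so a later step can tell them apart; ERROR becomes 1.
gate() {
  [ "$#" -gt 0 ] || set -- zg validate
  _rc=0
  # `|| _rc=$?` captures the code without tripping `set -e`. No pipe here:
  # `zg validate | tee log` would report tee's status instead.
  # The validator's own output goes to stderr so stdout carries the label.
  "$@" >&2 || _rc=$?
  _decision=$(decision_for "$_rc")
  echo "$_decision"
  case "$_decision" in
    ALLOW)                return 0 ;;
    REQUIRE_REVIEW|BLOCK) return "$_rc" ;;
    *)                    return 1 ;;
  esac
}

# Constructed stand-in for `zg validate` so the example runs without zegit.
stub_validate() { return "$1"; }

for code in 0 10 20 2 127; do
  status=0
  label=$(gate stub_validate "$code") || status=$?
  printf 'validator exit %-3s -> %-14s gate status %s\n' "$code" "$label" "$status"
done
```

In a real pipeline, call gate with no arguments so it runs zg validate, and branch on its status or on the printed label.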

Your first governed release

Releases go through a Tag Request — a quorum gate. The creator's own approval never counts toward quorum (unless the repo opts into AoV self-approval), so you need a second authorized identity.

zg tr create v0.1.0 --commit HEAD
# a second owner/maintainer approves (fresh passkey touch):
zg tr approve v0.1.0
zg tr finalize v0.1.0           # writes the signed tag once quorum is met
git push gateway refs/tags/v0.1.0

Produce a CRA Evidence Bundle

Every release tag can be turned into a signed, offline-verifiable bundle:

zg evidence bundle --tag v0.1.0 --out v0.1.0-bundle.zip
zg evidence verify-bundle v0.1.0-bundle.zip --trust-root root.crt

Archive the zip and the Root CA certificate together — that pair verifies with no network access, years later. See CRA & compliance.

Authoritative reference, generated from the component repos.