zegit

CRA-aligned governance for the Git you already have. zegit sits in front of your existing Git host and turns every release tag into an audit-grade evidence bundle — without migrating where code lives.

zegit (pronounced [ʒə ɡʲɪt]; the CLI is zg) is the governance layer of the ecosystem. It is built for two workflows that PR/CI-centric platforms underserve: trunk-based development (where main is always deployable) and agentic workflows (which need deterministic, local validation, not remote CI round-trips).

Core bets

| Principle | What it means |
|---|---|
| Execution at the edge | Checks run locally or on your runners. zg validate runs on the dev machine. |
| Verify, don't re-run | The gateway verifies cryptographic evidence rather than re-running CI. |
| Governance as code | Policy lives in Git — an org baseline plus a per-repo ZEGITFILE. "Policy cannot be weakened" is a cryptographic property. |
| Hardware-backed trust | Passkeys / WebAuthn; short-lived signing certs; a fresh passkey touch for release approvals. No passwords, no long-lived tokens. |
| CRA-grade evidence | Every release tag produces a downloadable, Annex I–mapped evidence bundle. |

The three components

zegit ships three deployable pieces:

How it fits together

The model is edge-first and governance-centric. Identity is passkey-bound: a WebAuthn ceremony makes the Control Plane issue a short-lived X.509 signing certificate; zg validate signs AoVs with that cert; the gateway verifies the chain to the Root CA, checks revocation, and accepts or rejects the push.

```text
developer / agent          gateway (pre-receive)        control plane
  zg validate  ──signs──▶  verify AoV → Root CA          IAM · policy
  git push     ─────────▶  check revocation + quorum     Tag Requests
                          ALLOW → accept                 audit log
                          BLOCK → reject ZG_ERR_*        bundle gen
```

Fail-closed by default

For protected refs, a gateway whose revocation list is staler than the max staleness (default 60s) must fail closed (ZG_ERR_REVOCATION_LIST_STALE), as must an unreachable Control Plane. Self-hosted deployments can set an offline grace period for unprotected refs only.
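The gateway decision described in the flow above and the fail-closed rule in this section, written out as an added example (not zegit's own code): the AoV chain check is assumed to have already run, ZG_ERR_REVOCATION_LIST_STALE and the 60s default come from the page, and the other three error codes are hypothetical names chosen here.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# ZG_ERR_REVOCATION_LIST_STALE is documented above; the other three codes are
# hypothetical names for this example, not documented zegit identifiers.
ZG_ERR_REVOCATION_LIST_STALE = "ZG_ERR_REVOCATION_LIST_STALE"
ZG_ERR_AOV_INVALID = "ZG_ERR_AOV_INVALID"                              # hypothetical
ZG_ERR_CONTROL_PLANE_UNREACHABLE = "ZG_ERR_CONTROL_PLANE_UNREACHABLE"  # hypothetical
ZG_ERR_CERT_REVOKED_OR_EXPIRED = "ZG_ERR_CERT_REVOKED_OR_EXPIRED"      # hypothetical

MAX_STALENESS_S = 60  # page default: max age of the gateway's revocation list


@dataclass(frozen=True)
class RevocationList:
    fetched_at: float                # unix time of the last successful refresh
    revoked_serials: FrozenSet[str]  # serials of signing certs revoked by the Control Plane


@dataclass(frozen=True)
class PushContext:
    ref: str
    protected: bool
    aov_chain_ok: bool             # AoV signature already chained to the Root CA (assumed upstream)
    signer_serial: str             # serial of the short-lived cert that signed the AoV
    cert_not_after: float          # that cert's expiry, unix time
    control_plane_reachable: bool
    now: float
    offline_grace_s: int = 0       # self-hosted setting; honoured for unprotected refs only


def decide(ctx: PushContext, rl: RevocationList) -> Tuple[str, Optional[str]]:
    """Return ("ALLOW", None) or ("BLOCK", ZG_ERR_*) for one push."""
    if not ctx.aov_chain_ok:
        return "BLOCK", ZG_ERR_AOV_INVALID
    staleness = ctx.now - rl.fetched_at
    if ctx.protected:
        # Fail closed: no grace for protected refs, whatever the deployment configures.
        if staleness > MAX_STALENESS_S:
            return "BLOCK", ZG_ERR_REVOCATION_LIST_STALE
        if not ctx.control_plane_reachable:
            return "BLOCK", ZG_ERR_CONTROL_PLANE_UNREACHABLE
    elif staleness > MAX_STALENESS_S + ctx.offline_grace_s:
        # Unprotected refs may ride out an outage, but only inside the grace window.
        return "BLOCK", ZG_ERR_REVOCATION_LIST_STALE
    # Revocation and short-lived validity are checked against the list we hold.
    if ctx.signer_serial in rl.revoked_serials or ctx.now > ctx.cert_not_after:
        return "BLOCK", ZG_ERR_CERT_REVOKED_OR_EXPIRED
    return "ALLOW", None
```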

Self-hosting

Supported Git hosts today are Gitea and GitLab self-managed. GitHub App / GitLab App integrations and SaaS "shadow mode" are on the roadmap. zegit governs its own repository — every commit to master carries a verified AoV.

Dig in

Authoritative reference, generated from the component repos. Spot something stale? Tell us.