From brew install to your first AI-authored policy.
Install zift. Sign up. Connect your agent. Watch it write Rego, generate tests, deploy. Done.
- 01 Install zift · 30s
- 02 Scan a real codebase · 60s
- 03 Sign up + get an API key · 60s
- 04 Connect your AI agent · 60s
- 05 Talk to your control plane · 90s
- 06 Test the decision · 30s
- 07 (Optional) Add Verdict · —
Install zift · 30 seconds
```bash
# macOS / Linux via Homebrew
brew install enforceauth/tap/zift
# Linux / Windows via pip
pip install zift
# Or download a binary from
# https://github.com/EnforceAuth/zift/releases
```
Verify:
```bash
zift --version
# zift 0.x.x
```
Scan a real codebase · 60 seconds
If you have an app:
```bash
cd ~/your-app
zift scan .
```
Otherwise, use our demo app:
```bash
git clone https://github.com/enforceauth/zift-demo-app
cd zift-demo-app && zift scan .
```
Expected output:
```
Scanning ./src ...
Found 7 authorization checks across 3 files:
src/api/admin.ts:23 if (user.role === "admin")
src/api/admin.ts:45 if (user.role === "admin" || user.role === "owner")
src/api/users.ts:12 if (user.id !== params.id && !user.roles.includes("support"))
...
Generated Rego stubs in .zift/policies/
```
Sign up + get an API key · 60 seconds
Create your free account → (no card required)
Copy your API key from Settings → API Keys.
```bash
export EA_API_KEY="ea_..."
```
Connect your AI agent · 60 seconds
```bash
claude mcp add enforceauth https://api.enforceauth.com/t/<your-tenant>/mcp \
  --header "Authorization: Bearer $EA_API_KEY"
claude mcp list
# enforceauth — connected. 100+ tools available.
```
Talk to your control plane · 90 seconds
In your AI agent's chat:
> Show me the entity tree.
Calling ea_get_entity_tree...
EA Financial Corp (tenant)
├── Retail API (entity, system)
├── Identity Provider (entity, system)
└── Wealth Kubernetes (entity, system)
56 active policies
Then try:
> Create a new system called Receipts API. Add a policy that allows GET /receipts/:id only for the receipt owner or anyone with role finance.viewer. Generate three test cases. Deploy to staging.
Calling ea_create_entity, ea_get_policy_draft, ea_trigger_deployment
✓ Bundle 54e2cc8cc81a deployed to staging-alpha
The Rego it generates:
```rego
package receipts.allow

import rego.v1

default allow := false

allow if {
    input.action == "GET"
    input.resource.type == "receipt"
    input.resource.owner == input.subject.id
}

allow if {
    input.action == "GET"
    input.resource.type == "receipt"
    "finance.viewer" in input.subject.roles
}
```
Plus three *_test.rego cases. Plus a deployment confirmation with the new bundle hash and PDP URL.
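What tests for this policy can look like, as an added example (not the agent's generated output and not code from EnforceAuth): it covers both allow rules and the deny paths that depend on `default allow := false`. The file name `receipts_test.rego`, the helper `base_input`, the test names and all input values are assumptions constructed for illustration; run it next to the policy with `opa test .`.

```rego
# receipts_test.rego: added example, constructed inputs throughout
package receipts.allow_test

import rego.v1

import data.receipts.allow as policy

# Constructed request: GET on a receipt owned by user-13.
base_input(subject) := {
    "subject": subject,
    "action": "GET",
    "resource": {"type": "receipt", "id": "rcpt-9001", "owner": "user-13"},
}

test_owner_is_allowed if {
    inp := base_input({"id": "user-13", "roles": []})
    policy.allow with input as inp
}

test_finance_viewer_is_allowed if {
    inp := base_input({"id": "user-42", "roles": ["finance.viewer"]})
    policy.allow with input as inp
}

test_unrelated_user_is_denied if {
    inp := base_input({"id": "user-42", "roles": ["support"]})
    not policy.allow with input as inp
}

# A subject without a roles field leaves the membership check undefined,
# so the decision falls back to the default (deny) instead of erroring.
test_missing_roles_is_denied if {
    inp := base_input({"id": "user-42"})
    not policy.allow with input as inp
}

# Both allow rules are scoped to GET; the owner gets no other action.
test_owner_non_get_is_denied if {
    inp := object.union(base_input({"id": "user-13", "roles": []}), {"action": "DELETE"})
    not policy.allow with input as inp
}

# Both allow rules are scoped to receipts; other resource types are denied.
test_other_resource_type_is_denied if {
    owner := {"id": "user-13", "roles": ["finance.viewer"]}
    inp := object.union(base_input(owner), {"resource": {"type": "invoice"}})
    not policy.allow with input as inp
}
```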
Test the decision · 30 seconds
Bundles run on standard OPA. Query against your OPA endpoint with the standard OPA request shape:
```bash
# Package receipts.allow plus rule allow maps to the data path receipts/allow/allow
curl -X POST http://your-opa-pdp/v1/data/receipts/allow/allow \
  -H "Content-Type: application/json" \
  -d '{
    "input": {
      "subject": {"id": "user-42", "roles": ["finance.viewer"]},
      "action": "GET",
      "resource": {"type": "receipt", "id": "rcpt-9001", "owner": "user-13"}
    }
  }'
# {"result": true}
```
This is the standard OPA Data API shape. Wherever your OPA fleet runs, your EnforceAuth-deployed bundles answer.
Add Verdict for AI-agent governance · optional
For governing AI-driven actions on sensitive resources, EnforceAuth builds Verdict — its own HITL agentic firewall. See the reference deployment for the architecture.
