LEVEL 01 · ASSESS · v0.2

ZIFT

THE AUTHORIZATION
SPRAWL HUNTER

Sift through your code for embedded authorization logic — role checks, permission guards, auth middleware, security annotations — and extract it into Policy as Code. Rego for OPA today. Apache 2.0.

★ VIEW ON GITHUB ★
$brew install enforceauth/tap/zift
RANDOM ENCOUNTER

A wild AUTHZ TANGLE appears.

Each command below is a real zift CLI flag in disguise. SCAN runs the structural tree-sitter pass against this fixture; --DEEP forwards the cold regions to your agent host. The battle log streams the real findings format.

AUTHZ TANGLE · LV 6 · HP 96 / 96
ZIFT · LV 02

▶ COMMAND

SCAN · zift . — tree-sitter pass, deterministic, zero-cost.
--DEEP · zift scan --deep — ships uncertain regions to Claude Code, Cursor, Continue, Cline, or Zed over MCP, or to any OpenAI-compatible HTTP endpoint.

▶ BATTLE LOG

SYSTEM · A wild AUTHZ TANGLE blocks api/admin/users.ts:42.
SYSTEM · Awaiting your command…
LOOT ACQUIRED · +1 FINDING

The tangled code dropped…

This is the shape zift actually emits — one structured JSON finding per match. Pipe a stream of these to zift extract for a Rego bundle, or expose them to your agent over MCP via scan_authz. Raw drop:

FINDING.JSON · RARITY: UNCOMMON · CONFIDENCE: HIGH
{
  "file":           "src/api/admin/users.ts",
  "line_start":     42,
  "line_end":       47,
  "category":       "middleware",
  "confidence":     "high",
  "pass":           "structural",
  "pattern_rule":   "ts-nest-useguards",
  "language":       "typescript",
  "framework":      "nestjs",
  "code_snippet":   "@UseGuards(AdminGuard)",
  "enforcement_point": {
    "kind":   "decorator",
    "target": "AdminController.deleteUser"
  },
  "suggested_rego": "policies/admin/delete_user.rego"
}
NARRATOR · WHAT THIS LOOT MEANS

file · line_start · line_end

Where in the codebase the finding lives. Click-through territory for any editor.

category · pattern_rule

Which authz shape matched: middleware, ownership, rbac, abac, or a custom rule.

confidence · pass

structural = deterministic tree-sitter match; no LLM, no network. deep = classified by your agent host (MCP) or any OpenAI-compatible HTTP endpoint, so treat it as a judgement call rather than a proof.

suggested_rego

The policy file path your Rego stub lands at. Pipe the stream to zift extract for a full OPA bundle.
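A consumer for the finding stream described above, as an added example that is not zift's own code: it parses one JSON finding per line (newline-delimited output is an assumption, not something this page states), validates the fields the narrator lists, groups findings by their suggested_rego path, and flags the ones a human should check before trusting the generated stub. The sample records are constructed.

```python
import json
from collections import defaultdict

REQUIRED = {"file", "line_start", "line_end", "category", "confidence",
            "pass", "pattern_rule", "enforcement_point", "suggested_rego"}

def _finding(file, start, end, category, confidence, pass_, target, rego):
    # Constructed record in the finding shape shown above; language, framework
    # and code_snippet are left out only to keep the sample short.
    return json.dumps({"file": file, "line_start": start, "line_end": end,
                       "category": category, "confidence": confidence, "pass": pass_,
                       "pattern_rule": "sample-rule",
                       "enforcement_point": {"kind": "decorator", "target": target},
                       "suggested_rego": rego})

# Constructed stream; one finding per line is an assumption about zift's output.
SAMPLE_STREAM = "\n".join([
    _finding("src/api/admin/users.ts", 42, 47, "middleware", "high", "structural",
             "AdminController.deleteUser", "policies/admin/delete_user.rego"),
    _finding("src/api/admin/users.ts", 60, 63, "rbac", "medium", "deep",
             "AdminController.deleteUser", "policies/admin/delete_user.rego"),
    _finding("src/api/docs.ts", 10, 12, "ownership", "low", "deep",
             "DocsController.update", "policies/docs/update.rego"),
])

def parse_findings(stream):
    """Parse one JSON finding per line, rejecting malformed records early."""
    findings = []
    for n, line in enumerate(stream.strip().splitlines(), 1):
        rec = json.loads(line)
        missing = REQUIRED - rec.keys()
        if missing:
            raise ValueError(f"line {n}: finding missing {sorted(missing)}")
        if rec["pass"] not in ("structural", "deep"):
            raise ValueError(f"line {n}: unknown pass {rec['pass']!r}")
        findings.append(rec)
    return findings

def triage(findings):
    """Group by target .rego path; several hits on one file must be merged into
    one rule set, and deep or non-high-confidence hits need a human check."""
    by_policy = defaultdict(list)
    for f in findings:
        by_policy[f["suggested_rego"]].append(f)
    merges = {p: [f["enforcement_point"]["target"] for f in fs]
              for p, fs in by_policy.items() if len(fs) > 1}
    review = [(f["file"], f["line_start"]) for f in findings
              if f["pass"] == "deep" or f["confidence"] != "high"]
    return {"policies": sorted(by_policy), "merges": merges, "needs_review": review}
```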

END OF SESSION · SAVE POINT

The rest is on GitHub.

Open source. Apache-2.0. Powered by tree-sitter for the structural pass and OPA’s embedded regorus for Rego validation. Brew, Cargo, or prebuilt binaries — full quickstart, MCP setup, and the rule library all live in the README.
