Governed Zed in 3 minutes

David Crowe · 4 min read

zed llm-proxy governance three-minute-governance ide

Zed is the modern IDE that bet on first-class AI assistants. Its Assistant panel and Parallel Agents feature are deeply integrated — they don’t sit in a sidebar pretending to be a chat, they participate in the editor itself. The integration goes one direction Cursor and Claude Code don’t: there’s no native pre-tool-call hook surface for governance.

That’s a constraint, not a wall. Zed’s Assistant constructs Anthropic-shaped Messages API requests under the hood. Redirect those requests through Agentic Control Plane’s proxy and every round-trip — system prompt, tool declarations, tool calls, model output — flows through governance before it reaches Anthropic.

This post is the 3-minute path. No code, no SDK, just settings.json.

The pattern

Zed has no hook surface, but it does have a configurable API base URL per language model provider. Point Zed at ACP’s Anthropic-compatible proxy. ACP verifies your identity, evaluates policy against the full request, forwards to Anthropic, and logs the round-trip with full prompt + tool + output capture.

This is the LLM-proxy pattern — heavier than hook-based governance because every LLM round-trip crosses ACP’s network, but it sees more (full prompts, tool declarations, handoff metadata) than a tool-call-only hook would.

Three minutes from blank slate

1. Get an ACP key

cloud.agenticcontrolplane.com → create a workspace → Settings → API Keys → New key. Copy the gsk_yourslug_... value.

2. Open Zed settings

Command palette (Cmd+Shift+P) → “Open Settings” → opens settings.json.

3. Add the API URL override

{
  "language_models": {
    "anthropic": {
      "api_url": "https://api.agenticcontrolplane.com/anthropic"
    }
  }
}

Zed’s default is https://api.anthropic.com. Zed appends /v1/messages itself, so ACP responds at https://api.agenticcontrolplane.com/anthropic/v1/messages.

4. Configure the API key

Zed’s credential store currently expects an Anthropic API key for the Anthropic provider. Use your gsk_ ACP key in that slot — ACP accepts it as the bearer credential and routes the request to the upstream model with your workspace’s configured Anthropic key.

(How Zed’s credential schema evolves: check the Zed integration guide for current specifics. The schema has iterated; the pattern hasn’t.)

5. Verify

Open cloud.agenticcontrolplane.com/activity. Open the Zed Assistant panel and send any prompt that uses tools. The round-trip appears in the dashboard with the full request body, tool calls, and output — within seconds.

What you get for free

• Full LLM round-trip audit. Every Assistant interaction is logged with the prompt, tool declarations, tool calls, and model output.
• Policy enforcement at the LLM layer. Set deny rules that reject specific prompts (containing forbidden patterns), tool declarations (denying access to certain tools), or model choices.
• Per-user budget enforcement. Cap LLM spend per user / per agent. When the budget hits zero, ACP returns BUDGET and the next request is denied until the period rolls over.
• PII / secret detection in prompts. Patterns matching credit cards, API keys, or PHI in prompt content are flagged in the audit log; optional inline redaction.
• Cross-framework audit. Zed Assistant calls sit alongside Claude Code, Cursor, Codex, CrewAI, LangGraph, and every other framework wired into ACP. One log, one identity.

What governance covers (and what it doesn’t)

The proxy pattern sees the full LLM request. That includes:

• The system prompt Zed constructs
• The tool declarations Zed offers the model
• The tool calls the model produces
• The tool outputs Zed feeds back

What it doesn’t see:

• Tool execution itself. The proxy intercepts the LLM round-trip; the actual tool execution (the model says “edit this file”, Zed edits the file) happens locally in Zed and isn’t routed through the proxy. For per-tool-call interception you’d need a hook surface Zed doesn’t currently expose.

For most policy goals (rate limits, prompt content scanning, cost attribution, model choice), full round-trip visibility is enough. For per-tool-call gating (“this user can’t use the file_edit tool right now”), the policy has to be expressed as a denial of the tool declaration in the LLM request — which the proxy can do — rather than as a denial of the tool call itself.

Tradeoffs vs hook / MCP patterns

Proxy pattern (Zed):

• ✓ Sees the full request — prompts, tool declarations, handoff metadata
• ✓ Works with any IDE that exposes an API base URL
• ✗ Sits in the LLM hot path — every round-trip crosses ACP’s network
• ✗ Latency-sensitive — operationally more demanding than tool-call-only hooks

Hook pattern (Claude Code, Cursor, Codex):

• ✓ Only fires on tool dispatch, not every LLM round-trip
• ✓ Lower latency, less network sensitivity
• ✗ Doesn’t see the full LLM request
• ✗ Requires a native hook surface in the agent runtime

The right pattern is the one your runtime supports. For Zed today, that’s proxy. If Zed exposes a tool-call hook in a future release, ACP will support it.

Multi-provider Zed

Zed’s language_models config is per-provider. The example above proxies Anthropic. If you also use OpenAI or Gemini through Zed, add parallel entries pointing at ACP’s matching provider proxies.

Where this fits

The starter at acp-governance-sdks/examples/starters/zed is the runnable reference for the JSON config above. Drop into your team’s settings.json, redeploy, and every Zed Assistant interaction is governed.

Zed integration guide → · Architecture is governance → · Three-minute integrations → · Get started →

Get the next post

Agentic governance, AgentGovBench updates, the occasional incident post-mortem. One email per post. No marketing fluff.

Share: Twitter LinkedIn

Related posts

• Stop your AI agent from leaking PII through tool calls — in three steps
• SOC 2 and HIPAA for AI agents: the compliance playbook
• OpenAI on Bedrock: what the partnership covers, and what's beyond it

← back to blog