Install // setup // local-first // build from specs

grclanker Docs

grclanker is an experimental open source AI GRC companion built on top of Pi.

The current release starts with CMVP, KEV, EPSS, official FedRAMP GitHub-grounded 20x and Rev5 lookups, FedRAMP readiness, ADS package planning, starter-bundle generation, portable public trust-center site generation, read-only AWS, Azure, GCP, OCI, Cloudflare, Webex, Zoom, Duo, Okta, GitHub, and Google Workspace compliance assessments, an optional Google Workspace CLI operator bridge, posture mapping, Vanta audit export, SCF lookups, trestle-backed OSCAL helpers, and spec-driven build inputs. That is the opening surface, not the ceiling.

The real flow is short:

  1. Install the companion.
  2. Run grclanker setup.
  3. Choose local-first or hosted.
  4. Start using the current workflows and point the companion at repo specs when you want it to build.

Start Here

  • Installation is the main operator page. It covers the bundle installer, skills-only install, pinned versions, package-manager fallback, and the immediate post-install setup path.
  • Setup goes deeper on the local-first Ollama + Gemma 4 path and the hosted alternative.
  • Configuration documents ~/.grclanker/agent/settings.json, models.json, and runtime state.
  • Compute Backends documents host, sandbox-runtime, Docker, and Parallels configuration plus validation commands.
  • Quick Start is still available if you just want the shortest install → setup → first useful question sequence.

Default Recommendation

If you want the path that best matches the current product direction:

  1. Install with the one-line bundle.
  2. Run grclanker setup.
  3. Choose local-first.
  4. Point the companion at Ollama on http://localhost:11434/v1.
  5. Use gemma4 as the first local model unless you already know you want a different local backend.

Current Release Surface

  • /investigate for crypto status, KEV exposure, EPSS likelihood, and ransomware linkage.
  • /audit for framework mapping and control classification.
  • /assess for posture readouts, risk order, and confidence notes.
  • /validate for narrow FIPS validation questions.
  • Official FedRAMP FRMR-backed lookups and generated docs under /docs/fedramp/.
  • fedramp_assess_readiness when you want an operator-facing brief for a FedRAMP process or KSI instead of raw lookup data.
  • fedramp_plan_process_artifacts and fedramp_plan_ads_package when you need a concrete trust-center and evidence rollout plan instead of another lookup.
  • fedramp_generate_ads_bundle when you want grclanker to scaffold an ADS starter package you can actually start filling in.
  • fedramp_generate_ads_site when you want a portable public trust-center site bundle customers can deploy in their own AWS, Azure, or GCP environment.
  • aws_check_access, aws_assess_identity, aws_assess_logging_detection, aws_assess_org_guardrails, and aws_export_audit_bundle for read-only AWS account and organization posture work.
  • azure_check_access, azure_assess_identity, azure_assess_monitoring, azure_assess_subscription_guardrails, and azure_export_audit_bundle for read-only Azure tenant and subscription posture work.
  • gcp_check_access, gcp_assess_identity, gcp_assess_logging_detection, gcp_assess_org_guardrails, and gcp_export_audit_bundle for read-only GCP organization and project posture work.
  • oci_check_access, oci_assess_identity, oci_assess_logging_detection, oci_assess_tenancy_guardrails, and oci_export_audit_bundle for read-only OCI tenancy and compartment posture work.
  • cloudflare_check_access, cloudflare_assess_identity, cloudflare_assess_zone_security, cloudflare_assess_traffic_controls, and cloudflare_export_audit_bundle for read-only Cloudflare account and zone posture work.
  • webex_check_access, webex_assess_identity, webex_assess_collaboration_governance, webex_assess_meeting_hybrid_security, and webex_export_audit_bundle for read-only Webex organization posture work.
  • zoom_check_access, zoom_assess_identity, zoom_assess_collaboration_governance, zoom_assess_meeting_security, and zoom_export_audit_bundle for read-only Zoom account posture work.
  • duo_check_access, duo_assess_authentication, duo_assess_admin_access, duo_assess_integrations, duo_assess_monitoring, and duo_export_audit_bundle for read-only, multi-framework Duo posture work.
  • okta_check_access, okta_assess_authentication, okta_assess_admin_access, okta_assess_integrations, okta_assess_monitoring, and okta_export_audit_bundle for read-only, multi-framework Okta posture work.
  • github_check_access, github_assess_org_access, github_assess_repo_protection, github_assess_actions_security, github_assess_code_security, and github_export_audit_bundle for read-only, multi-framework GitHub organization posture work.
  • gws_check_access, gws_assess_identity, gws_assess_admin_access, gws_assess_integrations, gws_assess_monitoring, and gws_export_audit_bundle for read-only, multi-framework Google Workspace tenant posture work.
  • gws_ops_check_cli, gws_ops_investigate_alerts, gws_ops_trace_admin_activity, gws_ops_review_tokens, and gws_ops_collect_evidence_bundle for optional, read-only Google Workspace CLI operator evidence collection.
  • slack_check_access, slack_assess_identity, slack_assess_admin_access, slack_assess_integrations, slack_assess_monitoring, and slack_export_audit_bundle for read-only, multi-framework Slack Enterprise Grid posture work.
  • ansible_check_access, ansible_assess_job_health, ansible_assess_host_coverage, ansible_assess_platform_security, and ansible_export_audit_bundle for read-only Ansible Automation Platform evidence collection.
  • Repo specs as build inputs under /specs and /docs/specs/using-specs-as-inputs/.

Important Release Note

0.0.1 is experimental on purpose. The bundle installer and local-first runtime path are real. The feature surface, setup flow, and docs structure will keep moving quickly.

macOS and Linux are the recommended platforms right now. Windows is best-effort and not a priority for the first experimental release.
