Skip to content
Browse docs
Install // setup // local-first // build from specs

grclanker Docs

grclanker is an experimental open source AI GRC companion built on top of Pi.

The current release starts with CMVP, KEV, EPSS, official FedRAMP GitHub-grounded 20x and Rev5 lookups, FedRAMP readiness, ADS package planning, starter-bundle generation, portable public trust-center site generation, read-only AWS, Azure, GCP, OCI, Cloudflare, Webex, Duo, Okta, GitHub, and Google Workspace compliance assessments, an optional Google Workspace CLI operator bridge, posture mapping, Vanta audit export, SCF lookups, trestle-backed OSCAL helpers, and spec-driven build inputs, but that is the opening surface, not the ceiling. The real flow is short:

  1. Install the companion.
  2. Run grclanker setup.
  3. Choose local-first or hosted.
  4. Start using the current workflows and point the companion at repo specs when you want it to build.

Start Here

  • Installation is the main operator page. It covers the bundle installer, skills-only install, pinned versions, package-manager fallback, and the immediate post-install setup path.
  • Setup goes deeper on the local-first Ollama + Gemma 4 path and the hosted alternative.
  • Configuration documents ~/.grclanker/agent/settings.json, models.json, and runtime state.
  • Compute Backends documents host, sandbox-runtime, Docker, and Parallels configuration plus validation commands.
  • Quick Start is still available if you just want the shortest install → setup → first useful question sequence.

Default Recommendation

If you want the path that best matches the current product direction:

  1. Install with the one-line bundle.
  2. Run grclanker setup.
  3. Choose local-first.
  4. Point the companion at Ollama on http://localhost:11434/v1.
  5. Use gemma4 as the first local model unless you already know you want a different local backend.

Current Release Surface

  • /investigate for crypto status, KEV exposure, EPSS likelihood, and ransomware linkage.
  • /audit for framework mapping and control classification.
  • /assess for posture readouts, risk order, and confidence notes.
  • /validate for narrow FIPS validation questions.
  • Official FedRAMP FRMR-backed lookups and generated docs under /docs/fedramp/.
  • fedramp_assess_readiness when you want an operator-facing brief for a FedRAMP process or KSI instead of raw lookup data.
  • fedramp_plan_process_artifacts and fedramp_plan_ads_package when you need a concrete trust-center and evidence rollout plan instead of another lookup.
  • fedramp_generate_ads_bundle when you want grclanker to scaffold an ADS starter package you can actually start filling in.
  • fedramp_generate_ads_site when you want a portable public trust-center site bundle customers can deploy in their own AWS, Azure, or GCP environment.
  • aws_check_access, aws_assess_identity, aws_assess_logging_detection, aws_assess_org_guardrails, and aws_export_audit_bundle for read-only AWS account and organization posture work.
  • azure_check_access, azure_assess_identity, azure_assess_monitoring, azure_assess_subscription_guardrails, and azure_export_audit_bundle for read-only Azure tenant and subscription posture work.
  • gcp_check_access, gcp_assess_identity, gcp_assess_logging_detection, gcp_assess_org_guardrails, and gcp_export_audit_bundle for read-only GCP organization and project posture work.
  • oci_check_access, oci_assess_identity, oci_assess_logging_detection, oci_assess_tenancy_guardrails, and oci_export_audit_bundle for read-only OCI tenancy and compartment posture work.
  • cloudflare_check_access, cloudflare_assess_identity, cloudflare_assess_zone_security, cloudflare_assess_traffic_controls, and cloudflare_export_audit_bundle for read-only Cloudflare account and zone posture work.
  • webex_check_access, webex_assess_identity, webex_assess_collaboration_governance, webex_assess_meeting_hybrid_security, and webex_export_audit_bundle for read-only Webex organization posture work.
  • duo_check_access, duo_assess_authentication, duo_assess_admin_access, duo_assess_integrations, duo_assess_monitoring, and duo_export_audit_bundle for read-only, multi-framework Duo posture work.
  • okta_check_access, okta_assess_authentication, okta_assess_admin_access, okta_assess_integrations, okta_assess_monitoring, and okta_export_audit_bundle for read-only, multi-framework Okta posture work.
  • github_check_access, github_assess_org_access, github_assess_repo_protection, github_assess_actions_security, github_assess_code_security, and github_export_audit_bundle for read-only, multi-framework GitHub organization posture work.
  • gws_check_access, gws_assess_identity, gws_assess_admin_access, gws_assess_integrations, gws_assess_monitoring, and gws_export_audit_bundle for read-only, multi-framework Google Workspace tenant posture work.
  • gws_ops_check_cli, gws_ops_investigate_alerts, gws_ops_trace_admin_activity, gws_ops_review_tokens, and gws_ops_collect_evidence_bundle for optional, read-only Google Workspace CLI operator evidence collection.
  • slack_check_access, slack_assess_identity, slack_assess_admin_access, slack_assess_integrations, slack_assess_monitoring, and slack_export_audit_bundle for read-only, multi-framework Slack Enterprise Grid posture work.
  • ansible_check_access, ansible_assess_job_health, ansible_assess_host_coverage, ansible_assess_platform_security, and ansible_export_audit_bundle for read-only Ansible Automation Platform evidence collection.
  • Repo specs as build inputs under /specs and /docs/specs/using-specs-as-inputs/.

Important Release Note

0.0.1 is experimental on purpose. The bundle installer and local-first runtime path are real. The feature surface, setup flow, and docs structure will keep moving quickly.

macOS and Linux are the recommended platforms right now. Windows is best-effort and not a priority for the first experimental release.

URL copied to clipboard