Know Your AI Tooling Before It Becomes Unreviewed Access.
Wrkr gives security and platform teams an evidence-ready view of org-wide AI tooling posture and keeps a deterministic local-machine hygiene path available for developers.
Discover supported AI dev tools, MCP servers, and agent frameworks, map what they can touch, show what changed, and emit proof artifacts for audits and CI. Start with the curated scenario when you want the evaluator-safe path, then widen to org posture when hosted prerequisites are ready; use repo-local or local-machine fallback paths when you need zero-integration first value and want to avoid repo-root fixture noise in the Wrkr repo itself.
Homebrew, pinned Go install, optional secondary `@latest`, and `wrkr version --json` verification are covered under Start Here install; the optional secondary browser handoff lives at /scan.
```shell
# Evaluator-safe first pass: use the curated scenario
wrkr scan --path ./scenarios/wrkr/scan-mixed-org/repos --json
wrkr evidence --frameworks eu-ai-act,soc2,pci-dss --state ./.wrkr/last-scan.json --output ./.tmp/wrkr-scenario-evidence --json
wrkr verify --chain --state ./.wrkr/last-scan.json --json
wrkr regress init --baseline ./.wrkr/last-scan.json --output ./.tmp/wrkr-regress-baseline.json --json
wrkr regress run --baseline ./.tmp/wrkr-regress-baseline.json --state ./.wrkr/last-scan.json --json

# Security and platform teams: widen to org posture next
# Hosted prerequisites: set --github-api and usually a GitHub token for private repos or rate limits
wrkr scan --github-org acme --github-api https://api.github.com --json
wrkr evidence --frameworks eu-ai-act,soc2,pci-dss --state ./.wrkr/last-scan.json --output ./.wrkr/evidence --json
wrkr verify --chain --state ./.wrkr/last-scan.json --json

# If hosted prerequisites are not ready yet after the scenario run, use a deterministic fallback
wrkr scan --path ./your-repo --json

# Developers: use the secondary local-machine hygiene path
wrkr scan --my-setup --json
wrkr mcp-list --state ./.wrkr/last-scan.json --json
cp ./.wrkr/last-scan.json ./.wrkr/inventory-baseline.json
wrkr inventory --diff --baseline ./.wrkr/inventory-baseline.json --state ./.wrkr/last-scan.json --json
```

Org Evidence
Widen from local hygiene to GitHub org posture and emit deterministic evidence bundles for audit and CI.
MCP Posture
Project MCP server transport, requested permissions, gateway posture, and trust overlay from saved state.
Workflow Drift Review
Use inventory drift for day-to-day review and regress gates when you need policy-grade change detection.
Local Setup Inventory
Use the secondary local-machine path to inspect supported AI configs, project markers, and secret-presence signals.
Command Contracts
Keep automation grounded on stable `--json`, SARIF, and exit-code surfaces rather than ad hoc scraping.
Scope Boundaries
Wrkr inventories what is configured and what it can touch. It does not replace vulnerability scanners or runtime control.
Optional Browser Bootstrap
Use the read-only browser handoff only when you explicitly want a secondary org-scan projection surface.
Why Teams Use Wrkr
| | Without Wrkr | With Wrkr |
|---|---|---|
| AI tool inventory | manual surveys, stale answers | deterministic machine, repo, and org inventory |
| MCP trust posture | partial config knowledge, no privilege map | transport, permissions, gateway, and trust context |
| Compliance evidence | manual artifact assembly | command-generated evidence bundle |
| Regression gating | no baseline contract | stable drift reasons and exit code 5 |
Frequently Asked Questions
What is Wrkr in one sentence?
Wrkr gives security and platform teams an evidence-ready view of org-wide AI tooling posture and keeps a deterministic local-machine hygiene path available for developers.
Does Wrkr require a hosted control plane?
No. Wrkr is deterministic and file-based by default, with local scan state and local evidence generation.
What makes Wrkr outputs audit-friendly?
Wrkr emits deterministic JSON contracts, stable exit codes, and proof-chain verifiable evidence paths.
Can Wrkr enforce runtime side effects?
Wrkr is a discovery and posture layer. Runtime side-effect enforcement belongs to control-plane runtimes like Gait.
How do I fail CI on posture drift?
Use `wrkr regress run` in CI. It accepts a saved regress baseline or a raw saved scan snapshot baseline. Exit code `5` indicates drift.
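As an added example (not Wrkr's own CI template), a POSIX shell gate around the `wrkr regress run` contract above: it seeds a baseline on the first run, and otherwise maps exit 0 to clean, exit 5 to drift, and anything else to a tooling error, so a crashed or missing scanner can never pass as "no drift". `WRKR_BIN`, `WRKR_STATE`, `WRKR_BASELINE` and `WRKR_RESULT` are hypothetical environment overrides for this script, not wrkr flags.

```shell
#!/usr/bin/env sh
# Added example: CI gate around `wrkr regress run` (not part of Wrkr itself).
# Relies only on the exit-code contract stated on this page: 0 = no drift, 5 = drift.
# The WRKR_* variables are hypothetical overrides so the gate can be run with a stub.
set -u

WRKR_BIN="${WRKR_BIN:-wrkr}"
STATE="${WRKR_STATE:-./.wrkr/last-scan.json}"
BASELINE="${WRKR_BASELINE:-./.wrkr/regress-baseline.json}"
RESULT="${WRKR_RESULT:-./regress-result.json}"

# Map a wrkr exit code to a gate verdict. Only 0 and 5 are contracted;
# every other code is a tooling error and must not be read as "clean".
classify_regress_exit() {
  case "$1" in
    0) echo "clean" ;;
    5) echo "drift" ;;
    *) echo "error" ;;
  esac
}

# Run the gate. Prints the verdict on stdout and returns 0 only for a
# clean run or a freshly seeded baseline; drift and errors fail the step.
run_regress_gate() {
  if [ ! -f "$BASELINE" ]; then
    # First run on this branch: seed the baseline from the current scan
    # instead of failing, so the next run has something to diff against.
    "$WRKR_BIN" regress init --baseline "$STATE" --output "$BASELINE" --json >/dev/null || return 1
    echo "baseline-created"
    return 0
  fi
  rc=0
  # `|| rc=$?` keeps the real exit code even when the caller uses `set -e`.
  "$WRKR_BIN" regress run --baseline "$BASELINE" --state "$STATE" --json > "$RESULT" || rc=$?
  verdict=$(classify_regress_exit "$rc")
  echo "$verdict"
  case "$verdict" in
    clean) return 0 ;;
    drift) echo "posture drift detected (exit 5); see $RESULT" >&2; return 1 ;;
    *)     echo "wrkr exited with unexpected code $rc; not treating as clean" >&2; return 1 ;;
  esac
}
```

Wire `run_regress_gate` into the CI step after `wrkr scan` has written the state file; the saved `--json` result is kept for the drift reasons regardless of verdict.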
How do I generate compliance evidence?
Run `wrkr evidence --frameworks ... --json` and validate integrity with `wrkr verify --chain --json`.
Start with your machine. Widen to your org only when you need posture and proof.
Use command-first docs that developers, security teams, and assistants can all validate against the same deterministic CLI outputs.
For assistant and crawler discovery resources, use LLM Context.