Wrkr

Know Your AI Tooling Before It Becomes Unreviewed Access.

Wrkr gives security and platform teams an evidence-ready view of org-wide AI tooling posture and keeps a deterministic local-machine hygiene path available for developers.

Discover supported AI dev tools, MCP servers, and agent frameworks, map what they can touch, show what changed, and emit proof artifacts for audits and CI. Start with hosted org posture when GitHub access is ready; use the curated scenario and local fallback paths when hosted prerequisites are not ready yet or when you want an evaluator-safe demo that avoids repo-root fixture noise in the Wrkr repo itself.

Homebrew, pinned Go install, optional secondary `@latest`, and `wrkr version --json` verification live in Start Here install; the optional secondary browser handoff lives at /scan.

```bash
# Security and platform teams: use hosted org posture first when prerequisites are ready
wrkr init --non-interactive --org acme --github-api https://api.github.com --json
wrkr scan --config ~/.wrkr/config.json --json
wrkr evidence --frameworks eu-ai-act,soc2,pci-dss --state ./.wrkr/last-scan.json --output ./.wrkr/evidence --json
wrkr verify --chain --state ./.wrkr/last-scan.json --json

# Low or zero first-run framework_coverage means the current state is evidence sparse, not that parsing is broken

# Evaluator-safe scenario fallback when hosted prerequisites are not ready yet
wrkr scan --path ./scenarios/wrkr/scan-mixed-org/repos --json
wrkr evidence --frameworks eu-ai-act,soc2,pci-dss --state ./.wrkr/last-scan.json --output ./.tmp/wrkr-scenario-evidence --json
wrkr verify --chain --state ./.wrkr/last-scan.json --json
wrkr regress init --baseline ./.wrkr/last-scan.json --output ./.tmp/wrkr-regress-baseline.json --json
wrkr regress run --baseline ./.tmp/wrkr-regress-baseline.json --state ./.wrkr/last-scan.json --json

# If hosted prerequisites are still not ready yet, use a deterministic local fallback
wrkr scan --path ./your-repo --json

# Developers: use the secondary local-machine hygiene path
wrkr scan --my-setup --json
wrkr mcp-list --state ./.wrkr/last-scan.json --json
cp ./.wrkr/last-scan.json ./.wrkr/inventory-baseline.json
wrkr inventory --diff --baseline ./.wrkr/inventory-baseline.json --state ./.wrkr/last-scan.json --json
```

Why Teams Use Wrkr

| | Without Wrkr | With Wrkr |
| --- | --- | --- |
| AI tool inventory | manual surveys, stale answers | deterministic machine, repo, and org inventory |
| MCP trust posture | partial config knowledge, no privilege map | transport, permissions, gateway, and trust context |
| Compliance evidence | manual artifact assembly | command-generated evidence bundle |
| Regression gating | no baseline contract | stable drift reasons and exit code 5 |

Frequently Asked Questions

What is Wrkr in one sentence?

Wrkr gives security and platform teams an evidence-ready view of org-wide AI tooling posture and keeps a deterministic local-machine hygiene path available for developers.

Does Wrkr require a hosted control plane?

No. Wrkr is deterministic and file-based by default, with local scan state and local evidence generation.

What makes Wrkr outputs audit-friendly?

Wrkr emits deterministic JSON contracts, stable exit codes, and proof-chain verifiable evidence paths.

Can Wrkr enforce runtime side effects?

Wrkr is a discovery and posture layer. Runtime side-effect enforcement belongs to control-plane runtimes like Gait.

How do I fail CI on posture drift?

Use `wrkr regress run` in CI. It accepts a saved regress baseline or a raw saved scan snapshot baseline. Exit code `5` indicates drift.
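One way to wire that exit code into a CI step, as an added example (not Wrkr's own script): the wrapper fails closed when the baseline is missing and keeps a drift verdict (exit `5`) separate from a tool failure. The names `drift_gate` and `DRIFT_REPORT` and the return code `2` are hypothetical; it assumes exit `0` means no drift and treats every other non-`5` exit as "gate could not run".

```shell
#!/bin/sh
# Added example: CI gate around `wrkr regress run`.
# Assumptions (not from the Wrkr docs): exit 0 means "no drift"; any exit
# code other than 0 or 5 is a tool or input failure, not a verdict.

# drift_gate BASELINE STATE
# Returns 0 = no drift, 5 = drift (fail the build), 2 = gate could not run.
drift_gate() {
  _dg_baseline="$1"
  _dg_state="$2"
  _dg_rc=0

  # Fail closed: a missing or empty baseline must never read as "no drift".
  if [ ! -s "$_dg_baseline" ] || [ ! -s "$_dg_state" ]; then
    echo "drift-gate: baseline or state file missing or empty" >&2
    return 2
  fi

  # Capture the exit code explicitly so a job running under `set -e` does
  # not abort before drift can be told apart from a tool failure.
  wrkr regress run --baseline "$_dg_baseline" --state "$_dg_state" --json \
    > "${DRIFT_REPORT:-./wrkr-regress-report.json}" || _dg_rc=$?

  case "$_dg_rc" in
    0) echo "drift-gate: no posture drift" >&2
       return 0 ;;
    5) echo "drift-gate: posture drift detected, see JSON report" >&2
       return 5 ;;
    *) echo "drift-gate: wrkr exited $_dg_rc, not a drift verdict" >&2
       return 2 ;;
  esac
}

# Usage in a CI step: ./drift-gate.sh <baseline.json> <last-scan.json>
if [ "$#" -eq 2 ]; then
  drift_gate "$1" "$2"
  exit $?
fi
```

Keeping the JSON report as a build artifact lets reviewers read the drift reasons without re-running the scan.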

How do I generate compliance evidence?

Run `wrkr evidence --frameworks ... --json` and validate integrity with `wrkr verify --chain --json`.

Start with your org when hosted access is ready. Fall back to the scenario or local paths when it is not.

Use command-first docs that developers, security teams, and assistants can all validate against the same deterministic CLI outputs and the same evidence-gap framing.


For assistant and crawler discovery resources, use LLM Context.