git clone https://github.com/riskreadyeu/riskready-community.git
cd riskready-community
cp .env.example .env # edit: POSTGRES_PASSWORD, JWT_SECRET, ADMIN_EMAIL, ADMIN_PASSWORD
docker compose up -d # first run ~3 minutes
open http://localhost:9380 # log in as [email protected] / password123Requires Docker 24+ with Compose v2. Linux, macOS, or Windows (WSL2).
9 MCP servers expose 254 tools that connect Claude directly to your compliance database — risks, controls, policies, incidents, audits, evidence, ITSM, and organisation governance.
Every AI mutation is proposed, not executed. A human reviews and approves each action before it touches the database. This holds for interactive chat, scheduled runs, and autonomous workflows.
You: "Give me a full security posture assessment."
Agent: Convenes AI Council → 6 specialists analyse in parallel → CISO synthesises
→ structured report with consensus, dissents, and prioritised actions
Cost: $0.19 on Haiku. $10 on Opus. 96% token reduction via tool search.
| Mode | How it works | AI cost to you | Security |
|---|---|---|---|
| Web App | Built-in chat UI with streaming, council, scheduled workflows | You pay per token | 8.1/10 |
| MCP Proxy | Claude Desktop connects remotely via API key — one endpoint, all 254 tools | $0 | 8.9/10 |
| Direct | 9 stdio servers on your machine for local development | $0 | 2.3/10 |
The MCP Proxy is the recommended mode for teams. Each user brings their own Claude subscription. You provide the tools and the security layer. Connection modes compared →
| Module | What it covers |
|---|---|
| Risk Management | Risk register, scenarios, KRIs, tolerance statements, treatment plans |
| Controls | Control library, assessments, Statement of Applicability, gap analysis |
| Policies | Document lifecycle, version control, change requests, reviews, exceptions |
| Incidents | Tracking, classification, response workflows, lessons learned |
| Audits | Internal audit planning, nonconformity tracking, corrective actions |
| Evidence | Collection, file storage, linking to controls, risks, and incidents |
| ITSM | IT asset register, change management, capacity planning |
| Organisation | Structure, departments, locations, committees, key personnel |
Screenshots (click to expand)
Complex questions convene 6 specialist agents:
| Agent | Domain |
|---|---|
| Risk Analyst | Risk register, scenarios, KRIs, tolerance, treatments |
| Controls Auditor | Control effectiveness, SOA, assessments, gap analysis |
| Compliance Officer | Policies, frameworks (ISO 27001, DORA, NIS2), governance |
| Incident Commander | Incident patterns, response metrics, lessons learned |
| Evidence Auditor | Evidence coverage, audit readiness, nonconformities |
| CISO Strategist | Cross-domain synthesis — produces the final report |
Each member queries the database independently, then the CISO synthesises. All reasoning is preserved for audit. Benchmarks →
Every AI mutation goes through human approval. No exceptions, no auto-approve, not even for scheduled runs.
The 8-point agent security audit covers:
- Identity & Authorization — per-user API keys with per-tool permission scoping
- Memory — 90-day TTL, injection scanning, org-scoped recall
- Tool Trust — 254 first-party tools, Zod-validated, no third-party MCP servers
- Blast Radius — zero HTTP outbound, rate limiting, scoped API keys
- Human Checkpoints — tiered severity (low/medium/high/critical) on all mutations
- Output Validation — credential scanning, PII redaction, grounding guard
- Cost Controls — token budgets, turn caps, council rate limits
- Observability — tool call logging, behavioral anomaly detection, source tracking
First deploy auto-seeds ClearStream Payments Ltd — a fictional European fintech regulated under DORA and NIS2: 15 risks, 30 scenarios, 40 controls, 12 policies, 8 incidents, 20 assets, 5 nonconformities, 20 evidence records, and 6 months of trend data.
Log in as [email protected] / password123 for the most complete view.
| Guide | |
|---|---|
| AI Platform Guide | MCP servers, gateway, council, scheduler, workflows, approval pipeline |
| Deployment | Docker setup, env vars, production TLS, troubleshooting |
| User Guide | Web app walkthrough for all 8 GRC modules |
| Connection Modes | Web App vs MCP Proxy vs Direct — feature comparison |
| Agent Security Audit | 8-point framework with per-mode scoring and code references |
| MCP Server Reference | All 254 tools with parameters and examples |
| API Reference | REST endpoints, request/response formats |
| Administration | Backup, monitoring, updates, security hardening |
docker compose up db -d
cd apps/server && npm install && cp .env.example .env
npx prisma db push --schema=prisma/schema && npm run prisma:seed
npm run dev # backend :4000
cd ../web && npm install && npm run dev # frontend :5173Additional modules for larger organisations: Risk Appetite Cascade, Loss Magnitude (FAIR), Supply Chain Risk, BCM/BIA, Vulnerability Management, Application Security Posture, External Requirements Mapping.