All notable changes follow the format from Keep a Changelog. This project adheres to Semantic Versioning.
vanta-bridgeplugin removed. Vanta now ships an official Claude Code plugin (vanta-mcp-plugininanthropics/claude-plugins-official) and an official MCP server (mcp.vanta.com/mcpand regional variants). The community bridge predated both and added a manual-export step that's now obsolete. Users should install Vanta's official plugin instead — see GHSA #150. Drops the bridge plugin, marketplace registration, test fixtures, and documentation references.
- Plugin install failures. Removed non-standard top-level fields (
commands,skills,hooks,namespace) fromus-hipaa-security,grc-loop,us-ccpa,ch-fadp, andnist-csf-20manifests — Claude Code's install-time validator was rejecting them. Commands and skills are auto-discovered from their directories; hooks were already wired correctly viahooks/hooks.json. Closes #150. plugin.schema.jsontightened. Explicitly forbidsnamespace,commands,skills, andhooksas top-level keys inplugin.jsonso future PRs catch the same install-time validation drift at CI time rather than at user install.
- Tier-2 connector wave. Added Azure, Slack, Datadog, Drata, Splunk, CrowdStrike, Tenable, and Snowflake inspector plugins with setup/status/collect commands, expert skills, v1 Finding fixtures, and marketplace registration.
- Vanta bridge. Added
vanta-bridgeto normalize Vanta MCP/plugin outputs into v1 Findings, including command metadata and marketplace registration. - Google Developer Knowledge API source. Added
gcp-docsunderplugins/knowledge-sources/for API-key-backed Google documentation search, citation lookup, grounded query answers, and local 7-day caching. Closes #46. - Socket Basics security workflow. Added a secret-gated, SHA-pinned Socket Basics workflow for PR/build security scanning. Closes #76.
- Additional reference framework plugins. Added Japan APPI, Singapore MAS TRM, APRA CPS 234, and NERC CIP reference plugins with marketplace registration.
- Assessment and automation workflows. Added the assessment interview question generator, scheduled automation metrics snapshot workflow, and automation-total derivation from framework metadata.
- Claude Cowork and AWS Claude Platform docs. Added compatibility/deployment guidance for Claude Cowork and AWS Claude Platform environments.
- Architecture v2 accepted. Marked the Architecture v2 RFC accepted, including Amendment A1 decisions for bridges, knowledge sources, and the non-breaking directory-layout recommendation. Closes #38.
- Quickstart and marketplace expanded. Registered the new connector, bridge, framework, and knowledge-source plugins in the marketplace and kept the quickstart plugin-selection guidance aligned with the growing toolkit.
- Lychee stability. Excluded the PCAOB auditing standards URL that returns scraper-only 522 responses, preventing unrelated PRs from being blocked by an external regulator-site availability issue.
- FFIEC CAT and K-ISMS framework requests. Closed #18 and #22 after validating that the requested
US-FFIEC-CATandKR-K-ISMSSCF framework IDs are not present in the current SCF index.
- Quickstart plugin decision tree.
docs/QUICKSTART.mdnow includes a "Which plugin do I need?" flowchart covering connectors, framework plugins, persona plugins, learning support, OSCAL/FedRAMP utilities, and the compliance posture dashboard. Closes #36. - Reference-depth framework plugins. Added EU NIS2, NIST CSF 2.0, SOX, and CCPA/CPRA framework plugins with scope, assessment, evidence-checklist commands, expert skills, and marketplace registration. Closes #14, #15, #16, and #23.
- Compliance posture dashboard plugin. Added
compliance-posture-dashboard, a dependency-free localhost dashboard for/grc-engineer:monitor-continuousJSON output, with marketplace registration. teach-meplugin (v0.1.0). Socratic primer + drill plugin for new-to-GRC practitioners and career transitioners — the on-ramp the toolkit was missing for people who don't already know the framework. Four commands:/teach-me:framework <name>produces a paraphrased primer (purpose, scope, artifacts, cadence, regulator, control families),/teach-me:control <id>explains one control across every framework it maps to via the SCF crosswalk,/teach-me:role <persona>outputs a first-90-days onboarding for the four GRC personas, and/teach-me:quiz <framework>runs a Socratic drill loop (inspired bymattpocock/skills/grill-me) that tracks coverage in-session. Reuses/grc-engineer:map-controls-unifiedand/grc-engineer:frameworksrather than duplicating the SCF client. No normative standard text is reproduced. Closes #61.
markdown-lintCI workflow andmarkdownlint-cli2devDependency. The lint gate was rejecting valid<picture>/<source>HTML in the README's star-history block (and similar legitimate HTML) faster than it was catching real prose problems. Removed.github/workflows/markdown-lint.yml,.markdownlint-cli2.jsonc, thelint:mdpackage script, and themarkdownlint-cli2devDependency.
- SCF API source migrated to the Club-owned mirror. Default
DEFAULT_BASE_URLinplugins/grc-engineer/scripts/scf-client.jsswitched fromhackidle.github.io/scf-apitogrcengclub.github.io/scf-api(repo). The new mirror is API-compatible — same SCF v2026.1 workbook, identical endpoint shapes, identical response payloads — so cached data and framework alias tables remain valid. Users who want to pin to the previous origin can still setCLAUDE_GRC_SCF_BASE_URL=https://hackidle.github.io/scf-api. Closes #55.
This release marks the official handoff of the toolkit to the GRC Engineering Club. Content below summarizes the handoff + community scaffolding that landed between 0.0.1 and 0.0.2.
Community scaffolding
CODE_OF_CONDUCT.md(Contributor Covenant v2.1)CONTRIBUTORS.mdseeded via the all-contributors pattern; AJ Yawn and Ethan Troy listed as co-leadsGOVERNANCE.md— co-lead governance model, decision process, path to maintainershipMAINTAINERS.md— leadership team with expertise areasSECURITY.md— private advisory-first vulnerability reportingROADMAP.md— Tier-2 connectors, framework gaps, schema v1.1 candidates.github/ISSUE_TEMPLATE/{bug_report, connector_request, framework_request, plugin_proposal, config}.yml.github/PULL_REQUEST_TEMPLATE.md.github/CODEOWNERSwith leadership team ownership and sensitive-file routing
Continuous integration
.github/workflows/contract-test.yml— validates everytests/fixtures/findings/**/*.jsonagainstschemas/finding.schema.jsonv1 on every PR.github/workflows/markdown-lint.yml—markdownlint-cli2with a docs-aware config.github/workflows/link-check.yml—lycheeon PR and weekly cron.github/workflows/all-contributors.yml— contributor-recognition bot wired to PR commentspackage.jsongainstest:contractandlint:mdscripts plusajv-cli/markdownlint-cli2devDependencies
Architecture v2 RFC
docs/ARCHITECTURE-V2-RFC.md— design proposal for five new plugin categories (reporting, dashboards, transforms, programs, meetings), sibling schemas for metrics/risks/exceptions/vendors/policies, a newgrc-cisopersona, and a GitOps-first statefulness model. 2-week community comment window tracked in #38.
Roadmap seeding
- Public project board at github.com/orgs/GRCEngClub/projects/1 with custom fields (Category, Difficulty, Target release, Plugin depth, Region) and 29 seeded issues covering 15 framework-plugin gaps, 7 Tier-2 connectors, tooling, docs, and the framework-coverage meta tracker.
Ownership transfer to GRC Engineering Club
- Repository transferred from
ethanolivertroy/claude-grc-engineeringtoGRCEngClub/claude-grc-engineering. The toolkit is now the official open-source project of the GRC Engineering Club. LICENSEcopyright updated to "GRC Engineering Club contributors" (MIT terms unchanged). Third-party attributions (SCF CC BY-ND 4.0, CIS Controls CC BY-SA 4.0) preserved.- All 30
plugin.jsonfiles:authorandrepositoryfields now reflect Club ownership. .claude-plugin/marketplace.json:ownerupdated to the Club (homepage: grcengclub.com).package.json:author,repository,homepage,bugs, and license URLs migrated.schemas/finding.schema.json:$idupdated to the Club-owned URL. Schema contract unchanged — still v1.0.0, no behavioral break.- Documentation and helper scripts: install commands and issue-tracker URLs point at the Club repo.
- External tool references (e.g.,
ethanolivertroy/oscal-cli,ethanolivertroy/frdocx-to-froscal-ssp,ethanolivertroy/compliance-trestle-skills,hackIDLE/*) remain unchanged. These are independent upstream projects the toolkit wraps; their attribution stays accurate. - Founding author: Ethan Troy (
@ethanolivertroy). Co-leads of the Club's leadership team: AJ Yawn (@ajy0127) and Ethan Troy. See forthcomingGOVERNANCE.mdandMAINTAINERS.md.
Migration note for existing users: If your /plugin marketplace add points at the old ethanolivertroy/claude-grc-engineering URL, re-add the marketplace using GRCEngClub/claude-grc-engineering. GitHub auto-redirects the old URL, but updating avoids future ambiguity.
Foundations
schemas/finding.schema.jsonv1.0.0. The canonical output contract for connector plugins.LICENSEat repo root (MIT with third-party attributions for SCF and CIS Controls).- Secure Controls Framework (SCF) as the canonical crosswalk backbone. 1,468 controls mapped to 249 frameworks, fetched from
hackidle.github.io/scf-apiand cached locally under CC BY-ND 4.0. docs/ARCHITECTURE.md,docs/QUICKSTART.md,docs/CONTRIBUTING.md,docs/SCF-ATTRIBUTION.md.
Orchestration
/grc-engineer:gap-assessment. Unified cross-framework command that joins connector findings with the SCF crosswalk and emits a tiered gap report (markdown, JSON, SARIF, or OSCAL Assessment Results)./grc-engineer:pipeline-status. Aggregate connector health: auth validity, cache freshness, resource and evaluation counts.
Connectors (Tier 1)
aws-inspector. IAM (root MFA, password policy, access keys), S3 (encryption, public access, versioning), CloudTrail (multi-region, log validation, active logging), EBS (default encryption).github-inspector. Branch protection, required status checks, secret scanning, Dependabot, code scanning. Tested end-to-end against live GitHub.gcp-inspector. IAM primitive roles, service-account key age, Cloud Storage (public-access prevention, uniform access, logging, CMEK), log sinks, KMS rotation (≤90d), Compute OS Login.okta-inspector. Password, MFA enrollment, and sign-on policies. Session lifetime and idle timeouts. Inactive users, super-admin count, per-admin factor enrollment.
OSCAL / FedRAMP showcase plugins
oscal. Wrapsethanolivertroy/oscal-clifor validate and convert commands across catalogs, profiles, SSPs, SAPs, SARs, POA&Ms, assessment results, and component definitions. Auto-installs from source. Degrades gracefully when the upstream binary isn't available.fedramp-ssp. Wrapsethanolivertroy/frdocx-to-froscal-sspto convert FedRAMP Rev 5 SSP DOCX templates into OSCAL 1.2.0 SSP JSON (323 implemented-requirements across 18 NIST 800-53 Rev 5 families). Tolerates venv and Homebrew-Python edge cases with clear remediation.
Licensing and hygiene
- CIS Controls plugin isolation:
plugins/frameworks/cis-controls/LICENSE-CIS.mdplus CC BY-SA 4.0 attribution headers on every command and SKILL in that directory. - HITRUST plugin carries a reference-only disclaimer. Paraphrased one CSF-echoing phrase in
evidence-checklist.md. - SOC 2 command documentation renamed the fictional example audit firm from "Deloitte" / "Deloitte & Touche LLP" to "Example Audit LLP". These were always illustrative placeholders in command examples. No real auditor engagement or contact was ever in the repo. The new name makes the illustrative intent unambiguous.
.gitignorecovering in-progress work (data/,grc-audit-manager/,grc-cert-manager/,grc-program-manager/) and runtime artifacts.
- README rewritten around capability-first workflows and the data-pipeline model.
- Plugin taxonomy restructured into five categories: engineering hub, persona, framework, connector, OSCAL / FedRAMP showcase.
compliance-trestleplugin: first-class integration withethanolivertroy/compliance-trestle-skillsfor OSCAL authoring workflows.fedramp-docsplugin: MCP server integration withethanolivertroy/fedramp-docs-mcpfor live FedRAMP documentation lookup.vanta-bridgeplugin: wrapsethanolivertroy/vanta-go-exportto pull Vanta evidence and normalize to v1 findings.azure-inspectorconnector (Tier 2 promotion).- Deeper connector coverage: per-user IAM for AWS, shielded-VM + VPC-SC for GCP, factor-type analysis for Okta.
/grc-engineer:monitor-continuouscron-friendly scheduling wrapper with EventBridge and GitHub Actions templates.