Clanker CLI

Agent swarm powering Clanker Cloud, the first AI DevOps IDE for agents and humans.

Docs available at docs.clankercloud.ai

Ask questions about your infra (and optionally GitHub/etc). Clanker can inspect existing environments and also generate or apply infrastructure and deploy plans through its maker and deploy flows.

Repo: bgdnvk/clanker

Homebrew tap: clankercloud/homebrew-tap

Install

Homebrew (can be outdated, the best is to build from master)

brew tap clankercloud/tap
brew install clanker

From source

make install

Self-update

clanker update

By default, clanker update replaces the current binary with the latest GitHub release from bgdnvk/clanker. To track the latest commit on the repository's default branch instead, set the update channel during setup:

clanker config init --update-channel main

or edit ~/.clanker.yaml:

update:
    channel: main # release or main

You can also override it for one run:

clanker update --channel release
clanker update --channel main

Requirements

• Go
• AWS CLI v2 (recommended; v1 breaks --no-cli-pager)

brew install awscli

Config

Copy the example config and edit it for your environments/providers:

cp .clanker.example.yaml ~/.clanker.yaml

alternatively you can do clanker config init

Most providers use env vars for keys (see .clanker.example.yaml), e.g.:

export OPENAI_API_KEY="..."
export GEMINI_API_KEY="..."
export COHERE_API_KEY="..."

No config file defaults

If you run without ~/.clanker.yaml:

• Default provider: openai (unless you pass --ai-profile).
• OpenAI key order: --openai-key → OPENAI_API_KEY (also supports ai.providers.openai.api_key and ai.providers.openai.api_key_env if config exists).
• Gemini API key order (when using --ai-profile gemini-api): --gemini-key → GEMINI_API_KEY (also supports ai.providers.gemini-api.api_key and ai.providers.gemini-api.api_key_env if config exists).
• Cohere API key order (when using --ai-profile cohere): --cohere-key → COHERE_API_KEY (also supports ai.providers.cohere.api_key and ai.providers.cohere.api_key_env if config exists).
• Model: openai defaults to gpt-5; gemini/gemini-api defaults to gemini-3-pro-preview; cohere defaults to command-a-03-2025.

AWS

Clanker uses your local AWS CLI profiles (not raw access keys in the clanker config).

Create a profile:

aws configure --profile clankercloud-tekbog | cat
aws sts get-caller-identity --profile clankercloud-tekbog | cat

Set the default environment + profile in ~/.clanker.yaml:

infra:
    default_provider: aws
    default_environment: clankercloud

    aws:
        environments:
            clankercloud:
                profile: clankercloud-tekbog
                region: us-east-1

Override for a single command:

clanker ask --aws --profile clankercloud-tekbog "what lambdas do we have?" | cat

Usage

MCP

Clanker also exposes its own MCP surface as a CLI command.

Run it over HTTP:

clanker mcp --transport http --listen 127.0.0.1:39393 | cat

Or over stdio for MCP clients that launch commands directly:

clanker mcp --transport stdio | cat

The CLI MCP currently exposes tools to:

• return the installed Clanker version
• return Clanker routing decisions for a prompt
• run local clanker commands through MCP, including ask, openclaw, and other subcommands
• launch and talk to the Clanker Cloud desktop app through its local backend

Clanker chat routing also recognizes Clanker Cloud app questions now. If you use clanker talk and ask about the running desktop app or its saved settings, it will try the local Clanker Cloud backend first and fall back to Hermes if the app is not running.

Examples:

clanker ask --route-only "use clanker cloud mcp to show my saved settings" | cat
clanker ask --route-only "ask clanker cloud about the running app backend" | cat
clanker mcp --transport http --listen 127.0.0.1:39393 | cat

Example MCP calls against the standalone Clanker CLI server:

# Start the HTTP MCP server
clanker mcp --transport http --listen 127.0.0.1:39393 | cat

# Initialize a client session
curl -sS -X POST http://127.0.0.1:39393/mcp \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json, text/event-stream' \
    --data '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"local-cli","version":"1.0"}}}' | jq

# List available CLI MCP tools
curl -sS -X POST http://127.0.0.1:39393/mcp \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json, text/event-stream' \
    --data '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}' | jq

# Return the installed clanker version
curl -sS -X POST http://127.0.0.1:39393/mcp \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json, text/event-stream' \
    --data '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"clanker_version","arguments":{}}}' | jq

# Return the internal route decision for a prompt
curl -sS -X POST http://127.0.0.1:39393/mcp \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json, text/event-stream' \
    --data '{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"clanker_route_question","arguments":{"question":"use clanker cloud mcp to show my saved settings"}}}' | jq

# Run a real clanker command through MCP
curl -sS -X POST http://127.0.0.1:39393/mcp \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json, text/event-stream' \
    --data '{"jsonrpc":"2.0","id":5,"method":"tools/call","params":{"name":"clanker_run_command","arguments":{"args":["ask","--route-only","use clanker cloud mcp to show my saved settings"]}}}' | jq

The standalone CLI MCP currently exposes these tools:

• clanker_version
• clanker_route_question
• clanker_run_command
• clanker_cloud_app_status
• clanker_cloud_launch_app
• clanker_cloud_ask_app
• clanker_cloud_call_backend_api

Flags:

• --aws: force AWS context/tooling for the question (uses the default env/profile from ~/.clanker.yaml unless you pass --profile)
• --profile <name>: override the AWS CLI profile for this run
• --ai-profile <name>: select an AI provider profile from ai.providers.<name> (overrides ai.default_provider)
• --maker: generate an AWS CLI plan (JSON) for infrastructure changes
• --destroyer: allow destructive AWS CLI operations when using --maker
• --apply: apply an approved maker plan (reads from stdin unless --plan-file is provided)
• --plan-file <path>: optional path to maker plan JSON file for --apply
• --debug: print diagnostics (selected tools, AWS CLI calls, prompt sizes)
• --agent-trace: print detailed coordinator/agent lifecycle logs (tool selection + investigation steps)

clanker ask "what's the status of my chat service lambda?"

clanker ask --profile dev "what's the last error from my big-api-service lambda?"

clanker ask --ai-profile openai "What are the latest logs for our dev Lambda functions?"

clanker ask --ai-profile cohere --cohere-model command-a-03-2025 "Summarize the current deployment risks in dev."

clanker ask --agent-trace --profile dev "how can i create an additional lambda and link it to dev?"

# Maker (plan + apply)

# Generate a plan (prints JSON)
clanker ask --aws --maker "create a small ec2 instance and a postgres rds" | cat

# Apply an approved plan from stdin
clanker ask --aws --maker --apply < plan.json | cat

# Apply an approved plan from a file
clanker ask --aws --maker --apply --plan-file plan.json | cat

# Allow destructive operations (only with explicit intent)
clanker ask --aws --maker --destroyer "delete the clanka-postgres rds instance" | cat

Security

Minimal security scan commands:

# Best-effort scan using whatever local provider access is already configured
clanker security | cat

# Focus the scan on a specific service or attack surface
clanker security "review public APIs, IAM blast radius, and auth gaps around clanker-auth" | cat

# Pin provider-side helpers to a specific account, project, or workspace
clanker security --profile prod --gcp-project my-gcp-project --workspace prod | cat

# Re-check auth-gated routes with runtime auth attached to the probe set
export CLANKER_RUNTIME_SECURITY_BEARER_TOKEN="your-token"
clanker security "verify which routes unlock with auth" | cat

Notes:

• Without CLANKER_RUNTIME_DEEP_RESEARCH_ESTATE_JSON, the scan still runs in best-effort mode using live provider context only.
• DigitalOcean live coverage works with either digitalocean.api_token / DO_API_TOKEN / DIGITALOCEAN_ACCESS_TOKEN or an authenticated doctl session.
• Supabase live coverage needs a configured databases.connections entry with vendor: supabase, or a runtime CLANKER_RUNTIME_DB_CONNECTION_JSON connection.
• Verda live coverage needs verda.client_id / verda.client_secret, VERDA_CLIENT_ID / VERDA_CLIENT_SECRET, or verda auth login.

SRE Bot

Clanker can run a lightweight SRE bot that adapts to the infrastructure it finds and reports heartbeat/discovery events into Clanker Cloud Cerebro. Docker is the default runtime, but local foreground, launchd, systemd, Kubernetes, and minimal cloud VM install assets are available on request.

# Inspect what the SRE bot can see before installing anything
clanker sre discover | cat
clanker sre discover --format json | cat

# Plan the default Docker install
clanker sre plan --sre | cat

# Build a local Docker image from this repository if you are not using a published image
docker bu