OPEN SOURCE

Ship audit-ready answers from your real docs — not vibes.

Policy-to-answer, grounded and defensible.

threep™ AI turns your policies, plans, and procedures into answers you can cite — mapped to frameworks like NIST 800-53, FedRAMP, and TX-RAMP. Built to avoid over-claiming: if it’s not in the docs, it says so.

  • Local-first (Ollama)
  • OpenAI optional
  • Two namespaces: Policies + NIST
  • Upload → Convert → Ingest

Workflow: Upload (DOCX) → Convert (MD) → Ingest (Index) → Ask (RAG) → Answer (Cite)

Answer (COMPLIANCE)
How do we comply with NIST SP 800-53 AC-2 (Account Management)?
Summary: grounded in your Access Control Policy and lifecycle procedures.
Policy Coverage
  • Account creation & approval workflow
  • Role / least-privilege assignment
  • Disable on termination or inactivity
Citations · Policy-first · Honest gaps

Built for real compliance work

Not just search. Not just chat. A system that prefers your policies and cites them.

RAG + heuristics · Topic-aware · Control-aware
🧭

Intent-aware retrieval

Topic boosts + demotions keep results on-track (SDLC ≠ training ≠ retention).

📌

Policy-first answers

Coverage bullets are synthesized from your top policy snippets — consistent and citeable.

🧾

Audit-ready structure

Compliance mode outputs: Summary → Policy Coverage → Supporting NIST → Implementation Details.

🛡️

Anti-hallucination guardrails

If there’s no policy evidence, it reports the gap instead of guessing.

🧩

Modular core

Clean separation: uploads, text cleanup, query parsing, retrieval, and answer shaping.

Two namespaces

  • Policies are the source of truth for “how we implement.”
  • NIST is supporting reference for control naming and validation.
  • Compliance answers lead with policies, never NIST alone.

Uploads that actually work

  • Upload DOCX → convert to Markdown → ingest → reload indexes.
  • Job status endpoints to show progress in the UI.
  • Path safety checks + filename sanitization.

What threep will NOT do

  • It won’t claim compliance without policy evidence.
  • It won’t invent citations or breadcrumb labels.
  • It won’t replace policy with generic framework text.

Sample questions

Great for demos and regression tests — designed to hit your compliance mode cleanly.

Prompt Gallery
  • Compliance — AC-2: How do we comply with NIST SP 800-53 AC-2 (Account Management) for user account lifecycle management?
  • Compliance — IA-4: How do we comply with NIST SP 800-53 IA-4 (Identifier Management) to ensure unique user identification?
  • Compliance — CM-3: Which policies support NIST SP 800-53 CM-3 (Configuration Change Control) and how are changes approved and documented?
  • Policy: What is the purpose and scope of the Access Control Policy?
  • Readiness: For FedRAMP readiness: how do we demonstrate periodic access reviews and account disablement upon termination?
  • Hybrid: What does NIST 800-53 mean by 'least privilege' and which internal policies address it?

You can seed these in your UI as “Quick Ask” chips for first-time users.