Define, assemble, and verify LLM context pipelines in executable Markdown.
Treat prompts, embeddings, and retrieval logic as first-class, traceable artifacts.
Modern AI applications need more than just simple prompts. They need reproducible context graphs—structured workflows where every step is documented, tested, and version-controlled.
Think of it like this: Instead of manually prompting an AI each time, you create a reusable pipeline that automatically handles document loading, embedding generation, storage, and retrieval. Everything is in Markdown, so it's easy to understand and modify.
Spry lets you build RAG pipelines (Retrieval-Augmented Generation), prompt chains, and embedding workflows where every step is documented, executed, and versioned—all in executable Markdown.
This Spryfile demonstrates a prompt chaining pipeline. It uses OpenAI’s models to automatically draft, question, and validate a security compliance policy.
The Spryfile.md defines an AI-powered security policy generation pipeline that runs entirely within Spry, using OpenAI’s GPT-4o API.
It demonstrates how to:
--dep).-C) to pass outputs (like JSON responses) between AI tasks.jq to prevent escaping or syntax errors when sending data to OpenAI’s API.sqlpage-conf block for easy portability (OPENAI_API_KEY).show-results task that merges and formats all AI-generated artifacts (policy, QA response, and validation report).Usage: Run with ./spry.ts task show-results to execute the entire pipeline and display results.
If you’re starting from scratch, you can set up Spry in one command:
curl -fsSL https://sprymd.org/init.sh | shFor detailed installation steps, visit the official guide: official installation guide
This example demonstrates a complete AI workflow that automatically generates, reviews, and validates security compliance policies. It shows how Spry chains multiple AI tasks together to automate complex work.
What it does: Creates a security policy for IT Asset Management that complies with US CMMC 2.0 Level 1 standards, then asks questions about it and validates it—all automatically.
To make sure your project can run the AI and database tools correctly, you need to define a few environment variables. This block helps set up those basic connection details.
Recommended practice is to keep these values in a local, directory-scoped environment file.
If you use direnv (recommended), create a file named .envrc in this directory.
Then run direnv allow in this project directory to load the .envrc into your shell environment.
direnv will evaluate .envrc only after you explicitly allow it.
```envrc prepare-env-openai-key -C ./.envrc --gitignore --descr "Generate .envrc file and add it to local .gitignore if it's not already there"
export OPENAI_API_KEY=
```This pipeline demonstrates the automation of compliance work. It generates security policies using OpenAI and performs a quality check and validation on the results without any manual effort.
Sends a request to OpenAI GPT-4o to generate an IT Asset Management policy compliant with US CMMC 2.0 Level 1.
Output: Saves the AI's JSON response to .tmp-policy.json for use in later steps.
```bash policy-generator -C ./.tmp-policy.json --gitignore --descr "Generate an SCF policy"
#!/usr/bin/env -S bash
curl -s -X POST https://api.openai.com/v1/chat/completions \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $OPENAI_API_KEY" \
-d '{
"model": "gpt-4o",
"messages": [{
"role": "user",
"content": "Generate an SCF policy for US CMMC 2.0 Level 1, control id: MP.L1-3.8.3. Question: Does the organization facilitate an IT Asset Management program?"
}]
}'
```
Performs Retrieval-Augmented Generation (RAG) by asking the AI questions about the generated policy. Requires --dep policy-generator to run first.
Process: Extracts policy text with jq, sends it as context, then asks "What are the key requirements for IT Asset Management?" to verify completeness. Saves response to .tmp-qa.json.
```bash policy-qa --dep policy-generator -C ./.tmp-qa.json --descr "Ask questions about the policy"
#!/usr/bin/env -S bash
# Extract the policy text from the previous task's output
POLICY_TEXT=$(cat ./.tmp-policy.json | jq -r '.choices[0].message.content')
# Send it back to AI as context
jq -n --arg policy "$POLICY_TEXT" '{
model: "gpt-4o",
messages: [
{
role: "system",
content: ("You are a helpful assistant. Use this policy as context: " + $policy)
},
{
role: "user",
content: "What are the key requirements for IT Asset Management?"
}
]
}' | curl -s -X POST https://api.openai.com/v1/chat/completions \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $OPENAI_API_KEY" \
-d @-
```Final Compliance Check. Instructs the AI to act as a compliance expert and audit the policy against CMMC 2.0 Level 1 control MP.L1-3.8.3.
Process: Sends policy text with a prompt requesting a validation report. Saves results to .tmp-validate.json.
```bash policy-validate --dep policy-generator -C ./.tmp-validate.json --descr "Validate policy compliance"
#!/usr/bin/env -S bash
POLICY_TEXT=$(cat ./.tmp-policy.json | jq -r '.choices[0].message.content')
jq -n --arg policy "$POLICY_TEXT" '{
model: "gpt-4o",
messages: [
{
role: "system",
content: "You are a compliance expert. Review this policy for CMMC 2.0 Level 1 control MP.L1-3.8.3."
},
{
role: "user",
content: ("Policy: " + $policy + ". Provide validation report.")
}
]
}' | curl -s -X POST https://api.openai.com/v1/chat/completions \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $OPENAI_API_KEY" \
-d @-
```Presentation Layer that displays all results. Depends on all previous tasks, so running this executes the entire pipeline automatically.
Usage: Run ./spry.ts task show-results to generate, validate, and display the complete policy workflow.
```bash show-results --dep policy-generator --dep policy-qa --dep policy-validate --descr "Display all AI pipeline results"
#!/usr/bin/env -S bash
echo "╔═══════════════════════════════════════╗"
echo "║ GENERATED POLICY ║"
echo "╚═══════════════════════════════════════╝"
cat ./.tmp-policy.json | jq -r '.choices[0].message.content'
echo "╔═══════════════════════════════════════╗"
echo "║ Q&A RESPONSE ║"
echo "╚═══════════════════════════════════════╝"
cat ./.tmp-qa.json | jq -r '.choices[0].message.content'
echo "╔═══════════════════════════════════════╗"
echo "║ VALIDATION RESPONSE ║"
echo "╚═══════════════════════════════════════╝"
cat ./.tmp-validate.json | jq -r '.choices[0].message.content'
```Append the above code blocks in order in the Spryfile.md file.
Execute the following commands in a bash terminal:
./spry.ts task prepare-env-openai-key # Specify openai key in the .envrc file generated in this step.direnv allow./spry.ts task show-resultsExpected Output: generate policy → ask questions → validate → show results. Runs automatically in the correct order.
╔═══════════════════════════════════════════════════════════════════════╗
║ GENERATED POLICY ║
╚═══════════════════════════════════════════════════════════════════════╝
**Policy Title:** IT Asset Management Policy
**Policy Number:** SCF-CMMC2.0-L1-3.8.3
**Effective Date:** [Effective Date]
**Last Review Date:** [Review Date]
**Version:** 1.0
**Policy Owner:** [Policy Owner/Department]
**Purpose:**
This policy establishes requirements for the facilitation of an IT Asset Management (ITAM) program within the organization, as mandated by the Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 1, specifically addressing control MP.L1-3.8.3. The objective is to ensure proper implementation and management of asset management controls for safeguarding sensitive data and maintaining operational efficiency.
**Scope:**
This policy applies to all organizational units, employees, contractors, and third-party service providers who manage or have access to any information technology assets owned, leased, or operated by the organization.
**Policy Statement:**
The organization is committed to maintaining an effective IT Asset Management (ITAM) program that effectively implements and manages asset management controls. This program is designed to achieve the following objectives:
1. **Inventory Management:**
- Maintain an up-to-date inventory of all IT assets, including hardware, software, and virtual assets.
- Ensure inventory records include asset details such as owner, location, status, acquisition, and retirement information.
2. **Asset Classification:**
- Classify assets according to their criticality, sensitivity, and regulatory requirements.
- Implement tagging and labeling processes to facilitate asset tracking and management.
3. **Asset Lifecycle Management:**
- Establish processes for the entire lifecycle of IT assets, from acquisition to disposal.
- Ensure secure data removal and proper disposal of assets at the end of their lifecycle.
4. **Access Control:**
- Implement controls to restrict access to IT assets based on roles and responsibilities.
- Regularly review and update access permissions to reflect changes in roles or asset ownership.
5. **Monitoring and Reporting:**
- Utilize tools and technologies to monitor asset usage and performance.
- Generate reports on asset management activities and compliance with organizational policies.
6. **Training and Awareness:**
- Provide training programs to ensure staff understand the importance of IT asset management.
- Promote awareness of roles and responsibilities related to asset management.
7. **Risk Management:**
- Conduct regular risk assessments to identify, evaluate, and mitigate risks associated with IT assets.
- Implement risk treatment plans to address identified vulnerabilities.
8. **Compliance and Audit:**
- Ensure the ITAM program complies with relevant legal, regulatory, and organizational requirements.
- Conduct regular audits to verify compliance with IT asset management policies and procedures.
**Responsibilities:**
- The IT Department is responsible for maintaining the IT Asset Management system and ensuring compliance with this policy.
- All employees and relevant third parties must adhere to this policy and report any asset management issues to the IT department.
**Enforcement:**
Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or contract, as well as potential legal action.
**Review and Revision:**
This policy will be reviewed annually and revised as necessary to ensure its effectiveness and compliance with applicable laws and regulations.
**Approval:**
- [Name], [Title]
- [Signature]
- [Date]
**Contact Information:**
For questions or further information regarding this policy, please contact the IT department or the policy owner.
---
By implementing this policy, the organization strives to ensure a structured approach to IT Asset Management, supporting its cybersecurity objectives and compliance with CMMC 2.0 requirements.
╔═══════════════════════════════════════════════════════════════════════╗
║ Q&A RESPONSE ║
╚═══════════════════════════════════════════════════════════════════════╝
The key requirements for IT Asset Management as outlined in the policy are:
1. **Inventory Management:**
- Maintain an up-to-date inventory of all IT assets, including hardware, software, and virtual assets.
- Ensure inventory records include detailed information such as asset owner, location, status, acquisition, and retirement.
2. **Asset Classification:**
- Classify assets based on criticality, sensitivity, and regulatory requirements.
- Implement tagging and labeling processes to facilitate asset tracking and management.
3. **Asset Lifecycle Management:**
- Establish processes for managing IT assets throughout their entire lifecycle, from acquisition to disposal.
- Ensure secure data removal and proper disposal of assets at the end of their lifecycle.
4. **Access Control:**
- Implement controls to restrict access to IT assets based on roles and responsibilities.
- Regularly review and update access permissions to reflect changes in roles or asset ownership.
5. **Monitoring and Reporting:**
- Utilize tools and technologies to monitor asset usage and performance.
- Generate reports on asset management activities and compliance with organizational policies.
6. **Training and Awareness:**
- Provide training programs to ensure staff understand the importance of IT asset management.
- Promote awareness of roles and responsibilities related to asset management.
7. **Risk Management:**
- Conduct regular risk assessments to identify, evaluate, and mitigate risks associated with IT assets.
- Implement risk treatment plans to address identified vulnerabilities.
8. **Compliance and Audit:**
- Ensure the ITAM program complies with relevant legal, regulatory, and organizational requirements.
- Conduct regular audits to verify compliance with IT asset management policies and procedures.
╔═══════════════════════════════════════════════════════════════════════╗
║ VALIDATION RESPONSE ║
╚═══════════════════════════════════════════════════════════════════════╝
**Validation Report for IT Asset Management Policy:**
**Policy Title:** IT Asset Management Policy
**Policy Number:** SCF-CMMC2.0-L1-3.8.3
**Control:** MP.L1-3.8.3
**Control Description:**
MP.L1-3.8.3 requires organizations to mark media with necessary identification to ensure appropriate protection. This typically involves labeling and tracking all information systems and supporting media, establishing accountability for these assets to mitigate risks of loss, theft, or unauthorized access.
**Validation Status:** Partially Compliant
**Assessment Summary:**
1. **Policy Alignment with CMMC 2.0 Level 1 Control MP.L1-3.8.3:**
- The policy highlights a commitment to IT Asset Management, which is foundational but doesn't explicitly address media marking—an essential aspect of MP.L1-3.8.3.
- Specifically, this control emphasizes the identification and marking of media to enable necessary protections, which is not directly outlined in the current policy.
2. **Inventory Management:**
- Establishes clear guidelines for maintaining an inventory, including asset details. While it supports overall asset tracking, explicit mention of marking or labeling for media is not well-covered.
3. **Asset Classification:**
- The policy does mention "tagging and labeling processes," which indicates an attempt to address media identification needs, but lacks specificity regarding media.
4. **Access Control:**
- Controls on access are correctly specified and enhance security posture but do not directly refer to marking requirements.
5. **Other Policy Elements:**
- Process-oriented sections like lifecycle management, monitoring, and risk management contribute to a robust asset management framework, supporting the control indirectly through enhanced accountability.
**Recommendations for Full Compliance:**
1. **Explicit Media Marking:**
- Update the policy to include a specific section detailing the requirement for marking media. Define what constitutes "media" (e.g., hard drives, USBs, backup tapes) and how it should be labeled to ensure proper handling and protection.
2. **Detailed Labeling Procedures:**
- Develop and append a procedural guide or reference that describes how to implement and maintain labeling and tracking systems for all forms of media in accordance with the control requirements.
3. **Training Enhancement:**
- Expand training programs to include the importance and methods of media marking to ensure staff understand these specific requirements of the IT Asset Management system.
4. **Regular Review and Audit:**
- Ensure periodic assessments explicitly include the examination of media marking practices to verify compliance with CMMC controls.
**Conclusion:**
The organization has established several effective asset management practices in compliance with broader CMMC goals. Nevertheless, to fully adhere to MP.L1-3.8.3, explicit processes and guidelines for marking media must be incorporated. Addressing these gaps will enhance compliance and strengthen the organization's defensive posture against media-related risks.
The --dep flag ensures tasks run in the correct order
Tasks save outputs to files that other tasks can read
Using jq prevents syntax errors when passing data
Run the same pipeline anytime and get consistent results
The entire pipeline is just a Markdown file in Git
Every step is documented, making it easy to understand and debug
Every prompt, embedding, and retrieval step is captured. Know exactly what context went into every LLM response.
Store prompts and context logic in Git. Roll back, compare, and A/B test different context strategies.
Chain context generation steps. Reuse embeddings, prompts, and retrievals across multiple pipelines.
Spry makes RAG (Retrieval-Augmented Generation) pipelines transparent and reproducible. No black boxes, no hidden state.
Load documents from files, APIs, or databases. Spry handles formats and chunking.
Use prompt cells to call embedding models. Store results as JSON or vector formats.
Connect to Pinecone, Weaviate, or pgvector. Spry plugins make integration simple.
Query vectors, retrieve context, feed to LLM. All in executable Markdown cells.
Build retrieval-augmented generation with full transparency
Version and test prompts as executable Markdown cells
Combine dense, sparse, and reranking in one pipeline
Store and reuse expensive LLM context between runs
Test AI systems with reproducible prompt/response pairs
Track context, prompts, and outputs for debugging
Most AI failures are not model failures. They are context failures. Poor retrieval, stale embeddings, or untested prompts lead to unreliable AI systems.
Spry makes AI context reproducible, testable, and auditable. It turns black-box AI into transparent, verifiable intelligence.