Developer Tools Shipped · v4.0.2 · MIT license

EmbedIQ

Answer a few questions.
We generate the config for every AI coding agent on your team.

Setting up Claude Code, Cursor, GitHub Copilot, Gemini CLI, Windsurf, AGENTS.md — and local models like Ollama — across a real team means juggling a dozen config formats and keeping them consistent as your stack, roles, and compliance posture evolve. EmbedIQ interviews you once, then generates all of them, with audit-ready governance for regulated teams. 15 to 40 files per target. Deterministic. No runtime LLM.

  • 93 adaptive questions across 7 dimensions
  • 16 output targets from one interview
  • 31 generators produce 15–40 config files
  • 0 runtime LLM calls, zero data persistence

The problem

Every AI coding agent wants a different config. Keeping them coherent is the actual work.

Today

  • Someone writes CLAUDE.md from scratch. Someone else writes .cursor/rules/*.mdc. Someone else does .github/copilot-instructions.md. They drift.
  • Security and compliance teams share PDFs. Developers translate them into hooks and rules by hand — differently for each agent.
  • When compliance requirements change, six files in six formats need updating across every machine.
  • No validation that the configuration actually meets HIPAA, PCI-DSS, or SOC 2 before you ship.
  • “Works on my Claude Code” becomes “fails on my Cursor” becomes a meeting.

With EmbedIQ

  • Open the wizard. Answer 25 to 40 contextual questions — branching adapts to your role, stack, and industry.
  • Review your derived profile with confidence scores. Correct anything before generating.
  • EmbedIQ generates the full config for every agent format in one pass: Claude Code, Cursor, Copilot, Gemini CLI, Windsurf, plus cross-agent AGENTS.md.
  • Output validation flags missing compliance controls, over-permissive settings, and DLP coverage gaps before files hit disk.
  • Check the generated files into git. Your whole team gets identical, compliant setup across whichever agent they use.

How it works

Interview. Review. Generate.

Three steps. The wizard handles the rest.

1. Interview

93 questions live in the bank across seven dimensions. Branching logic means you only see the 25 to 40 that actually matter for your role, stack, and industry. Each question has help text; none is a trick.

Sample questions:

  • Strategic Intent — What is the primary purpose of your project?
  • Operational Reality — Do you want to use Claude Code agent teams for parallel coordination?
  • Technology — Which MCP servers would be useful for your workflow? (GitHub, Context7, Sequential Thinking, Filesystem, Playwright, Database, or “recommend for me”)
  • Regulatory — Do you need Data Loss Prevention (DLP) controls in Claude Code?
  • Financial — Do you want to use model routing to optimize costs?
  • Innovation — Do you want to generate custom slash commands for your team workflows?

2. Review

Before anything is written, EmbedIQ plays back your derived profile with confidence scores on each priority. You correct whatever is off. Non-technical roles (BA, PM, exec) get a “Claude coworker” setup focused on research, analysis, and documentation rather than code.

3. Generate

31 generators run across sixteen output targets: Claude Code (CLAUDE.md, rules, commands, agents, hooks, MCP), Cursor (.cursor/rules/*.mdc with scoping), GitHub Copilot (project + glob-scoped instructions), Gemini CLI (GEMINI.md), Windsurf (.windsurfrules), and cross-agent AGENTS.md — plus local models via Continue.dev, Aider, Zed AI, and Ollama. Output is validated against your compliance profile before files are written.

What you get

Thirty-one generators. Sixteen output targets. One coherent environment.

The Claude Code generators are the flagship depth — hooks, skills, slash commands, MCP templates. The cross-agent targets emit native config for every other coding agent your team uses — hosted and local — and a governance layer emits OSCAL, AIBOM, and tamper-evident audit artifacts for regulated teams. One interview, sixteen targets, no drift.

Claude Code — deep integration

CLAUDE.md

Root tech-stack document with your build and test commands, code conventions, security requirements, CI/CD setup, and role-specific guidance.

settings.json

Core configuration: hook pipelines (PreToolUse, PostToolUse), model routing, permission scopes, and security-concern mapping.

settings.local.json

Permission allow and deny rules based on your chosen security tier (Permissive, Balanced, Strict, Lockdown). Always-deny blocks for shell commands and credential paths.

Rules

Markdown rules files: testing.md, security.md, compliance.md. Enforces standards like TDD, OWASP Top 10, and secret-prohibition policies.

Commands

Slash commands with model routing: /quick (Haiku for fast lookups), /code (Sonnet for coding), /think (Opus for architecture). Plus /review, /test-gaps, /health.

Agents

Role-specific agent definitions: security-reviewer, compliance-checker, test-writer. Each gets its own allowed-tools list — read-only for reviewers.

Skills

Cross-cutting skills: memory-sync, impact-analysis. For managing elastic context and tracking code-to-test-to-doc impact across files.

Hooks

Python hook scripts: dlp-scanner.py (SSNs, credit cards, API keys, medical record numbers), command-guard.py (blocks dangerous shell), audit-logger.py, egress-guard.py.
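A sketch of the kind of check a DLP hook such as dlp-scanner.py performs, as an added example that is not EmbedIQ's own code. The regular expressions, the `scan` function, and the sample text are assumptions constructed here; medical record numbers are left out because they have no universal format.

```python
import re

# Assumed patterns, not taken from EmbedIQ.
# SSN: excludes area 000/666/9xx, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# One well-known API key shape: an AWS access key ID.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order IDs and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list:
    """Return (kind, masked_value) findings.

    Values are masked so the scanner's own output never re-leaks the data.
    """
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in AWS_KEY_RE.finditer(text):
        findings.append(("api_key", m.group()[:4] + "*" * 16))
    return findings


# Constructed sample: a test SSN, a test card number, a non-card digit run,
# and the example key ID from AWS documentation.
SAMPLE = (
    "patient ssn=078-05-1120 paid with 4111 1111 1111 1111; "
    "order id 1234567890123456; key AKIAIOSFODNN7EXAMPLE"
)
```

The 16-digit order ID matches the card pattern but fails the Luhn check, so it is not reported.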

.claudeignore

Sensible ignore patterns for node_modules, build outputs, IDE configs, secrets, and test data. Extended per-industry with PHI or cardholder-data paths.

.mcp.json.template

Pre-configured MCP server definitions: Context7, Sequential Thinking, GitHub, Filesystem, Playwright, Database. Copy to .mcp.json, add your keys, go.

Association map

YAML map of code files to their tests, docs, and infrastructure. Enables impact analysis and co-commit enforcement when rules require it.

Document state registry

docs/document_state.yaml categorizing documentation by lifecycle (CURRENT, FUTURE, REFERENCE, ARCHIVED). Plays well with CI gates and staleness checks.

Cross-agent targets — one interview, every agent

AGENTS.md

The cross-agent standard: a single AGENTS.md with unified Stack, Commands, Boundaries, Rules, and Terminology sections that any compatible coding agent can read.

Cursor rules

.cursor/rules/*.mdc files with MDC frontmatter and alwaysApply / globs scoping. Mirrors the same rules, security posture, and compliance gates as the Claude Code config.

GitHub Copilot instructions

.github/copilot-instructions.md for project-wide guidance plus glob-scoped .github/instructions/*.instructions.md (applyTo selectors) for path-specific rules.

Gemini CLI

GEMINI.md with your stack, conventions, and safety posture rendered in the format Gemini expects. Same source-of-truth profile; native output.

Windsurf

.windsurfrules generated from the same interview. Teams can switch agents without re-authoring their rules, conventions, or DLP policies.

Local AI & enterprise governance — new in v4

Local-model agents

Native config for Continue.dev, Aider, and Zed AI, so the same rules and guardrails follow your team onto on-device models.

Ollama & local router

Ollama setup plus a confidence-escalating router that runs simple tasks locally and escalates complex ones to a hosted model — with optional PHI redaction for regulated teams.

Healthcare RAG scaffold

A FHIR-aware retrieval scaffold with a local vector store and audit logging, for HIPAA-sensitive local workflows.

OSCAL catalog, profile & SSP

Import NIST 800-53 / SP 800-218 catalogs and FedRAMP profiles; export an OSCAL component definition and SSP fragment straight into your audit pipeline.

CycloneDX-ML AIBOM

An AI Bill of Materials enumerating every model, agent, and service the harness invokes — machine-readable for supply-chain governance.

Tamper-evident audit log

An RFC-6962-pattern, hash-linked audit chain with a verify-audit-log script, so every generated change is provable.
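How a hash-linked audit chain and its verifier can work, as an added example that is not EmbedIQ's verify-audit-log script. The record layout, the all-zero genesis value, and the function names are assumptions; the 0x00 prefix follows RFC 6962 leaf hashing.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed previous-hash value for the first entry


def entry_hash(prev_hash: str, event: dict) -> str:
    """SHA-256 over 0x00 || previous hash || canonical JSON of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + bytes.fromhex(prev_hash) + body).hexdigest()


def append(log: list, event: dict) -> str:
    """Append an event linked to the current head; return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "event": event, "hash": entry_hash(prev, event)})
    return log[-1]["hash"]


def verify(log: list, expected_head=None):
    """Return (ok, index of the first bad entry or None).

    expected_head is a head hash kept outside the log (for example in a
    signed commit). Without it, truncation or a full rewrite goes unnoticed.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["event"]):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def demo():
    """Constructed events: edit one entry, then truncate the log."""
    log = []
    for path in ("CLAUDE.md", "AGENTS.md", ".claudeignore"):
        head = append(log, {"action": "generate", "file": path})
    clean = verify(log, head)
    log[1]["event"]["file"] = ".mcp.json"   # in-place edit of entry 1
    edited = verify(log, head)
    log[1]["event"]["file"] = "AGENTS.md"   # restore the original value
    truncated_unanchored = verify(log[:2])  # passes: nothing pins the head
    truncated_anchored = verify(log[:2], head)
    return clean, edited, truncated_unanchored, truncated_anchored
```

The third result in `demo()` is the caveat: a truncated log still verifies unless the head hash is stored somewhere the log writer cannot rewrite.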

CI pipelines

azure-pipelines.yml and CI files matched to your stack (.NET, Python, Java, Node, Go, Rust), with a security stage for regulated profiles.

Editor & IDE configs

Visual Studio .editorconfig with analyzer severities, plus JetBrains .junie/guidelines.md and .aiignore.

Compliance packs

Your regulatory profile, generated as code.

Tell the wizard which framework applies. It produces matching detection patterns, deny rules, audit hooks, and role-based access — then validates the whole bundle before writing anything to disk.

Healthcare

HIPAA · HITECH

  • PHI detection patterns (medical record numbers, patient fields)
  • .claudeignore entries for patient_data/ and phi/
  • Deny rules blocking writes to PHI paths
  • Full-session audit logging
  • DLP scanning for SSNs and credit card numbers

Finance

PCI-DSS · SOX · GLBA

  • Cardholder-data detection patterns
  • Credit-card-number DLP scanning
  • Minimum-necessary principle enforced in settings.local.json
  • Permission tiers mapped to SOC 2 trust services
  • Access restrictions via deny rules

Education

FERPA · COPPA

  • Student-data protection patterns
  • Restricted-path deny rules
  • Audit logging for student_data/ and ferpa/
  • Role-based access enforcement

AI Risk Management

NIST AI RMF · AI 600-1

  • Governance questions mapped to the NIST AI Risk Management Framework
  • OSCAL component-definition and SSP-fragment exports
  • CycloneDX-ML AI Bill of Materials (AIBOM)
  • Tamper-evident, hash-linked audit log with verification script

The wizard also imports NIST 800-53 / SP 800-218 catalogs and FedRAMP Low/Moderate/High profiles via OSCAL, with 50+ framework options across these domains. External plugins: point EMBEDIQ_PLUGINS_DIR at your own registry to ship custom packs today. A dedicated SOC 2 / GDPR-oriented pack is on the roadmap; the four packs above are shipping today.

Privacy posture

Deterministic. No telemetry. No runtime LLM.

EmbedIQ was built for regulated teams. The design enforces privacy in the generator itself, not through policy alone.

Rules-based generation

The Branch Evaluator uses ten deterministic operators to decide which questions to show and which rules to emit. No third-party AI call is made while you run the wizard.

Prove it: npm run evaluate replays a golden config and byte-diffs every file. 1,339 tests gate every release.

Zero data persistence by default

By default your answers live only in volatile memory — process heap for the CLI, browser memory for the web UI. No logging of user input. Multi-node deployments can opt into an encrypted Postgres session store with key rotation.

Stateless REST API

The optional web interface exposes a stateless API. No sessions, no user store, no analytics beacons. Auth is pluggable (Basic, OIDC, Proxy Header) and off by default for local use.

Optional OpenTelemetry

Instrumentation is opt-in via EMBEDIQ_OTEL_ENABLED. When disabled, the SDK is never loaded.

Quickstart

Install. Interview. Generate.

EmbedIQ is MIT-licensed. Today it installs from source; public package distribution is on the roadmap.

Run the web wizard

    git clone https://github.com/asq-sheriff/embediq.git
    cd embediq
    npm install
    npm run start:web
    # open http://localhost:3000

Or use the CLI

    npm start
    # or: make start

Generate + open a pull request in one shot

    npm start -- --git-pr
    # interviews you, generates files, and opens an atomic PR
    # via the GitHub REST v3 Git Data API — with evaluation
    # scores and contributor attribution in the PR body.

After generation, in your project

    cd /path/to/your/project
    cp .mcp.json.template .mcp.json      # add your API keys
    claude                               # launch Claude Code (or your agent)
    git add CLAUDE.md AGENTS.md .claude/ .cursor/ .github/ .claudeignore
    git commit -m "Add AI-agent config generated by EmbedIQ"

Keep these local (git-ignored): .claude/settings.local.json, .mcp.json, .claude/logs/

Enterprise operations

Scheduled regeneration. Drift detection. Audit-ready PRs.

Generating the config is the start. Keeping it in sync across dozens of repos, compliance reviews, and contributor changes is the actual operating problem.

Role-based delegation

Shareable, role-scoped session links let an interview span devices and contributors. An admin sets policy, a team lead answers project and technology questions, and individuals set their own preferences — with role-scoped writes and per-answer attribution. Partial submissions still generate.

Drift detection

npm run drift classifies every file as match, missing, modified-by-user, modified-stale-stamp, version-mismatch, or extra. Exit codes wire straight into CI gates so rogue edits fail the build.

Autopilot

Arbitrary 5-field cron with IANA time zones (DST-aware), or @hourly/@daily/@weekly/@monthly. Backed by JSON, SQLite, or Postgres; multiple scheduler replicas coordinate via atomic claim-locking. Full REST CRUD at /api/autopilot/schedules.

Pull requests — every provider

The --git-pr flag opens an atomic pull request on GitHub, GitLab, Bitbucket, or Azure DevOps, with generated files, evaluation scores, validation results, and contributor attribution in the PR body.

Webhooks — outbound & inbound

Outbound to Slack (Block Kit), Teams (MessageCard), or generic JSON with auto-detection and per-URL event filtering. Inbound Drata and Vanta adapters translate compliance findings into autopilot runs.

Multi-node & secure sessions

Postgres-backed sessions let every web replica share state for horizontal scale-out, and session payloads are encrypted with support for key rotation — no sticky sessions, no downtime to rotate keys.

Status

Shipped. Growing.

v4.0.2 — released June 3, 2026

  • 93-question adaptive wizard with branching logic and three-role delegation (admin / lead / individual)
  • 31 generators across 16 output targets — six flagship agents plus local models (Continue.dev, Aider, Zed AI, Ollama)
  • Compliance domain packs: HIPAA/HITECH, PCI-DSS/SOX/GLBA, FERPA/COPPA, NIST AI RMF; OSCAL catalog/profile import with FedRAMP profiles
  • Enterprise AI governance: OSCAL component & SSP exports, CycloneDX-ML AIBOM, tamper-evident RFC-6962 audit log, per-file provenance
  • Hybrid local/hosted routing with confidence escalation and optional PHI redaction; healthcare RAG scaffold
  • Multi-node deployment: Postgres-backed sessions and autopilot with atomic claim-locking; encrypted sessions with key rotation
  • Autopilot with arbitrary cron and IANA time zones; drift detection CLI; output validation before any file is written
  • Pull requests for GitHub, GitLab, Bitbucket, Azure DevOps; Slack / Teams / Drata / Vanta webhooks
  • Azure DevOps & CI pipelines; Visual Studio and JetBrains editor configs
  • Evaluation framework with golden-config replay scorer and benchmark mode; 1,339 tests gate every release
  • Pluggable auth (Basic, OIDC, Proxy Header), rate limiting, TLS; Docker & Kubernetes; optional OpenTelemetry
  • MIT license

On the roadmap

  • Provider abstraction & policy RAG (v4.1): pluggable AI providers (Claude, OpenAI, Ollama) with token-usage tracking — all AI features opt-in, deterministic baseline always available
  • Self-hosted multi-workspace (v4.2): per-workspace isolation, multi-tenant within a single install
  • AI-augmented generation (v4.3, gated): a post-generation LLM review pass, applied only when it scores higher than the deterministic baseline
  • Public package distribution (npm install)
  • Dedicated SOC 2 / GDPR compliance pack
  • Quick mode: lightweight wizard for sub-2-minute config

Ready to see it run against your stack?

EmbedIQ is MIT-licensed and on GitHub. Clone it, run the wizard, and see what config comes out for your role, stack, and compliance posture.

Running it in a regulated environment with audit, SSO, and compliance-platform integration? Reach out for an enterprise walkthrough.