The problem
Every AI coding agent wants a different config. Keeping them coherent is the actual work.
Today
- Someone writes CLAUDE.md from scratch. Someone else writes .cursor/rules/*.mdc. Someone else does .github/copilot-instructions.md. They drift.
- Security and compliance teams share PDFs. Developers translate them into hooks and rules by hand — differently for each agent.
- When compliance requirements change, six files in six formats need updating across every machine.
- No validation that the configuration actually meets HIPAA, PCI-DSS, or SOC 2 before you ship.
- “Works on my Claude Code” becomes “fails on my Cursor” becomes a meeting.
With EmbedIQ
- Open the wizard. Answer 25 to 40 contextual questions — branching adapts to your role, stack, and industry.
- Review your derived profile with confidence scores. Correct anything before generating.
- EmbedIQ generates the full config for every agent format in one pass: Claude Code, Cursor, Copilot, Gemini CLI, Windsurf, plus cross-agent AGENTS.md.
- Output validation flags missing compliance controls, over-permissive settings, and DLP coverage gaps before files hit disk.
- Check the generated files into git. Your whole team gets identical, compliant setup across whichever agent they use.
How it works
Interview. Review. Generate.
Three steps. The wizard handles the rest.
Interview
71 questions live in the bank across seven dimensions. Branching logic means you only see the 25 to 40 that actually matter for your role, stack, and industry. Each question has help text; none is a trick.
Sample questions:
- Strategic Intent — What is the primary purpose of your project?
- Operational Reality — Do you want to use Claude Code agent teams for parallel coordination?
- Technology — Which MCP servers would be useful for your workflow? (GitHub, Context7, Sequential Thinking, Filesystem, Playwright, Database, or “recommend for me”)
- Regulatory — Do you need Data Loss Prevention (DLP) controls in Claude Code?
- Financial — Do you want to use model routing to optimize costs?
- Innovation — Do you want to generate custom slash commands for your team workflows?
Review
Before anything is written, EmbedIQ plays back your derived profile with confidence scores on each priority. You correct whatever is off. Non-technical roles (BA, PM, exec) get a “Claude coworker” setup focused on research, analysis, and documentation rather than code.
Generate
17 generators run in parallel across six agent formats: Claude Code (CLAUDE.md, rules, commands, agents, hooks, MCP), Cursor (.cursor/rules/*.mdc with scoping), GitHub Copilot (project + glob-scoped instructions), Gemini CLI (GEMINI.md), Windsurf (.windsurfrules), and cross-agent AGENTS.md. Output is validated against your compliance profile before files are written.
What you get
Seventeen generators. Six agent formats. One coherent environment.
The Claude Code generators are the flagship depth — hooks, skills, slash commands, MCP templates. The cross-agent targets take the same derived profile and emit native config for every other coding agent your team uses. One interview, six formats, no drift.
Claude Code — deep integration
CLAUDE.md
Root tech-stack document with your build and test commands, code conventions, security requirements, CI/CD setup, and role-specific guidance.
settings.json
Core configuration: hook pipelines (PreToolUse, PostToolUse), model routing, permission scopes, and security-concern mapping.
settings.local.json
Permission allow and deny rules based on your chosen security tier (Permissive, Balanced, Strict, Lockdown). Always-deny blocks for shell commands and credential paths.
Rules
Markdown rules files: testing.md, security.md, compliance.md. Enforces standards like TDD, OWASP Top 10, and secret-prohibition policies.
Commands
Slash commands with model routing: /quick (Haiku for fast lookups), /code (Sonnet for coding), /think (Opus for architecture). Plus /review, /test-gaps, /health.
Agents
Role-specific agent definitions: security-reviewer, compliance-checker, test-writer. Each gets its own allowed-tools list — read-only for reviewers.
Skills
Cross-cutting skills: memory-sync, impact-analysis. For managing elastic context and tracking code-to-test-to-doc impact across files.
Hooks
Python hook scripts: dlp-scanner.py (SSNs, credit cards, API keys, medical record numbers), command-guard.py (blocks dangerous shell), audit-logger.py, egress-guard.py.
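A sketch of what a DLP PreToolUse hook of this kind can look like, as an added example (it is not EmbedIQ's dlp-scanner.py). It assumes Claude Code's hook contract of a JSON event on stdin and exit code 2 to block the call; the patterns and function names are illustrative.

```python
import json
import re
import sys

# Illustrative patterns (assumptions, not EmbedIQ's rule set).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
KEY_RE = re.compile(r"\b(?:AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list[str]:
    """Return the kinds of sensitive data found, never the matched values."""
    findings = []
    if SSN_RE.search(text):
        findings.append("ssn")
    if any(luhn_valid(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        findings.append("credit_card")
    if KEY_RE.search(text):
        findings.append("api_key")
    return findings


def decide(event: dict) -> tuple[int, str]:
    """Map a PreToolUse event to (exit_code, stderr_message); 2 blocks the call."""
    tool_input = event.get("tool_input") or {}
    text = "\n".join(v for v in tool_input.values() if isinstance(v, str))
    findings = scan(text)
    if findings:
        tool = event.get("tool_name", "unknown")
        return 2, f"DLP: blocked {tool}: found {', '.join(findings)}"
    return 0, ""


if __name__ == "__main__":
    code, message = decide(json.load(sys.stdin))
    if message:
        print(message, file=sys.stderr)
    sys.exit(code)
```

Only top-level string fields of tool_input are scanned here; nested structures would need a recursive walk. The block message names the finding type only, so the hook's own output does not leak the matched value into logs.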
.claudeignore
Sensible ignore patterns for node_modules, build outputs, IDE configs, secrets, and test data. Extended per-industry with PHI or cardholder-data paths.
.mcp.json.template
Pre-configured MCP server definitions: Context7, Sequential Thinking, GitHub, Filesystem, Playwright, Database. Copy to .mcp.json, add your keys, go.
Association map
YAML map of code files to their tests, docs, and infrastructure. Enables impact analysis and co-commit enforcement when rules require it.
Document state registry
docs/document_state.yaml categorizing documentation by lifecycle (CURRENT, FUTURE, REFERENCE, ARCHIVED). Plays well with CI gates and staleness checks.
Cross-agent targets — one interview, every agent
AGENTS.md
The cross-agent standard: a single AGENTS.md with unified Stack, Commands, Boundaries, Rules, and Terminology sections that any compatible coding agent can read.
Cursor rules
.cursor/rules/*.mdc files with MDC frontmatter and alwaysApply / globs scoping. Mirrors the same rules, security posture, and compliance gates as the Claude Code config.
GitHub Copilot instructions
.github/copilot-instructions.md for project-wide guidance plus glob-scoped .github/instructions/*.instructions.md (applyTo selectors) for path-specific rules.
Gemini CLI
GEMINI.md with your stack, conventions, and safety posture rendered in the format Gemini expects. Same source-of-truth profile; native output.
Windsurf
.windsurfrules generated from the same interview. Teams can switch agents without re-authoring their rules, conventions, or DLP policies.
Compliance packs
Your regulatory profile, generated as code.
Tell the wizard which framework applies. It produces matching detection patterns, deny rules, audit hooks, and role-based access — then validates the whole bundle before writing anything to disk.
Healthcare
HIPAA · HITECH
- PHI detection patterns (medical record numbers, patient fields)
- .claudeignore entries for patient_data/ and phi/
- Deny rules blocking writes to PHI paths
- Full-session audit logging
- DLP scanning for SSNs and credit card numbers
Finance
PCI-DSS · SOX · GLBA
- Cardholder-data detection patterns
- Credit-card-number DLP scanning
- Minimum-necessary principle enforced in settings.local.json
- Permission tiers mapped to SOC 2 trust services
- Access restrictions via deny rules
Education
FERPA · COPPA
- Student-data protection patterns
- Restricted-path deny rules
- Audit logging for student_data/ and ferpa/
- Role-based access enforcement
External plugins: point EMBEDIQ_PLUGINS_DIR at your own registry to ship custom packs today. A SOC 2 / GDPR-oriented pack and a FedRAMP extension are in the roadmap; the three packs above are shipping today.
Privacy posture
Deterministic. No telemetry. No runtime LLM.
EmbedIQ was built for regulated teams. The design enforces privacy in the generator itself, not through policy alone.
Rules-based generation
The Branch Evaluator uses ten deterministic operators to decide which questions to show and which rules to emit. No third-party AI call is made while you run the wizard.
Prove it: npm run evaluate replays a golden config and byte-diffs every file. 56 unit tests gate every release.
Zero data persistence
Your answers live only in volatile memory — process heap for the CLI, browser memory for the web UI. No database. No logging of user input.
Stateless REST API
The optional web interface exposes a stateless API. No sessions, no user store, no analytics beacons. Auth is pluggable (Basic, OIDC, Proxy Header) and off by default for local use.
Optional OpenTelemetry
Instrumentation is opt-in via EMBEDIQ_OTEL_ENABLED. When disabled, the SDK is never loaded.
Quickstart
Install. Interview. Generate.
EmbedIQ is MIT-licensed. Today it installs from source; public package distribution is on the roadmap.
git clone https://github.com/asq-sheriff/embediq.git
cd embediq
npm install

npm run start:web
# open http://localhost:3000

npm start
# or: make start

npm start -- --git-pr
# interviews you, generates files, and opens an atomic PR
# via the GitHub REST v3 Git Data API — with evaluation
# scores and contributor attribution in the PR body.

cp .mcp.json.template .mcp.json # add your API keys
cd /path/to/your/project
claude # launch Claude Code (or your agent)

git add CLAUDE.md AGENTS.md .claude/ .cursor/ .github/ .claudeignore
git commit -m "Add AI-agent config generated by EmbedIQ"

.claude/settings.local.json, .mcp.json, .claude/logs/

Enterprise operations
Scheduled regeneration. Drift detection. Audit-ready PRs.
Generating the config is the start. Keeping it in sync across dozens of repos, compliance reviews, and contributor changes is the actual operating problem.
Interrupt & resume
Shareable session URLs (?session=id) let an interview span devices and contributors. Ship with a half-finished interview, hand it to a compliance officer, they finish it, you merge — with per-answer attribution.
Drift detection
npm run drift classifies every file as match, missing, modified-by-user, modified-stale-stamp, version-mismatch, or extra. Exit codes wire straight into CI gates so rogue edits fail the build.
Autopilot
@hourly, @daily, @weekly, @monthly scheduled drift scans with a JSON-backed store and per-run records. Full REST CRUD at /api/autopilot/schedules.
GitHub PRs
The --git-pr flag opens an atomic pull request via the REST v3 Git Data API with generated files, evaluation scores, validation results, and contributor attribution in the PR body.
Webhooks — outbound & inbound
Outbound to Slack (Block Kit), Teams (MessageCard), or generic JSON with auto-detection and per-URL event filtering. Inbound Drata and Vanta adapters translate compliance findings into autopilot runs.
Status
Shipped. Growing.
v3.2 — released April 22, 2026
- 71-question adaptive wizard with branching logic
- 17 generators across six agent formats (Claude Code, Cursor, Copilot, Gemini CLI, Windsurf, AGENTS.md)
- Compliance packs: HIPAA, PCI-DSS/SOX/GLBA, FERPA/COPPA; external plugin registry via EMBEDIQ_PLUGINS_DIR
- Evaluation framework: golden-config replay scorer and benchmark mode
- Composable skills system with external registry support
- Interrupt & resume sessions with contributor attribution
- Drift detection CLI and autopilot scheduled regeneration
- GitHub PR integration (--git-pr), Slack / Teams / Drata / Vanta webhooks
- Output validation before files are written
- Role-adaptive output (8 roles; non-technical “coworker” variants)
- Pluggable auth (Basic, OIDC, Proxy Header), rate limiting, TLS
- Docker and Kubernetes deployment manifests; optional OpenTelemetry
- MIT license
On the roadmap
- AI-augmented generation (v4.0, opt-in): provider abstraction for Claude, OpenAI, Ollama — deterministic baseline always available
- Public package distribution (npm install)
- SOC 2 / GDPR-oriented compliance pack
- FedRAMP extension
- Quick mode: 5-question lightweight wizard for sub-2-minute config
- Deeper generator parity for non-flagship agents