{"id":49150935,"url":"https://github.com/asq-sheriff/embediq","last_synced_at":"2026-05-31T23:00:51.303Z","repository":{"id":353014454,"uuid":"1211166307","full_name":"asq-sheriff/embediq","owner":"asq-sheriff","description":"Adaptive wizard that generates production-ready configs for Claude Code, Cursor, GitHub Copilot, Gemini CLI, Windsurf, and AGENTS.md from a single Q\u0026A. Deterministic, offline, audit-ready. compliance-aware (HIPAA / PCI-DSS / SOC2 / GDPR / FERPA / COPPA).","archived":false,"fork":false,"pushed_at":"2026-05-25T19:44:16.000Z","size":2281,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-25T20:28:22.460Z","etag":null,"topics":["agents-md","ai-coding-assistant","claude-code","compliance","configuration-generator","cursor","developer-tools","gemini","github-copilot","hipaa","llm-tooling","pci-dss","soc2","typescript","windsurf"],"latest_commit_sha":null,"homepage":"https://pragmaticlogic.ai/products/embediq/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/asq-sheriff.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-15T06:07:55.000Z","updated_at":"2026-05-25T19:44:20.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/asq-sheriff/embediq","commit_stats":null,"previous_names":["asq-sheriff/embediq"],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/asq-sheriff/embediq","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asq-sheriff%2Fembediq","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asq-sheriff%2Fembediq/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asq-sheriff%2Fembediq/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asq-sheriff%2Fembediq/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/asq-sheriff","download_url":"https://codeload.github.com/asq-sheriff/embediq/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asq-sheriff%2Fembediq/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33752286,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agents-md","ai-coding-assistant","claude-code","compliance","configuration-generator","cursor","developer-tools","gemini","github-copilot","hipaa","llm-tooling","pci-dss","soc2","typescript","windsurf"],"created_at":"2026-04-22T06:02:37.129Z","updated_at":"2026-05-31T23:00:51.296Z","avatar_url":"https://github.com/asq-sheriff.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!-- audience: public --\u003e\n\n# EmbedIQ\n\n**One adaptive interview → production-ready configs for six AI coding agents, with federal-procurement-grade governance output.**\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE) **Stable** · v4.0 governance suite shipped 2026-05-25\n\nEmbedIQ interviews you about your project, team, and compliance\nobligations, then generates a complete agent harness — 15–40 files —\ntailored to your role, industry, tech stack, and security posture.\nSame answer set produces output for **Claude Code, Cursor, GitHub\nCopilot, Gemini CLI, Windsurf, and cross-agent `AGENTS.md`**. Opt\ninto local AI and the same interview also configures **Continue.dev,\nAider, Zed AI, and Ollama** against locally-installed models, and\nemits a **runnable RAG scaffold** under `rag/` — FHIR-aware for\nhealthcare profiles, plain-text for everyone else, with one\npath-scoped compliance rule file per active framework.\n\nOpt in to **v4.0 governance targets** (`cyclonedx-aibom`,\n`oscal-component`, `oscal-ssp-fragment`, `provenance`) and the same\ninterview produces a **NIST OSCAL Component Definition + SSP fragment\n+ CycloneDX-ML AIBOM + per-file provenance manifest** alongside the\nharness — feedable into Drata, Vanta, FedRAMP 20x, Dependency-Track,\nor any OSCAL/CycloneDX-aware pipeline. Add `EMBEDIQ_AUDIT_CHAIN_ENABLED=true`\nfor a tamper-evident audit chain (RFC-6962 pattern) plus a\n`verify-audit-log` CLI that walks the chain and reports the first\nintegrity break.\n\nEverything is **deterministic, offline, and audit-ready**: no LLM calls,\nno telemetry, no database. Same answers in → byte-identical files out.\n\n[Latest release: **v4.0.1**](https://github.com/asq-sheriff/embediq/releases/latest) ·\n[Full changelog](CHANGELOG.md) ·\n[Security model](SECURITY.md) ·\n[Governance suite docs](docs/extension-guide/writing-oscal-imports.md)\n\n![EmbedIQ demo — drift, evaluation, and multi-engagement scoping in ~70 seconds](docs/assets/demo.gif)\n\n---\n\n## Why this exists\n\nTeams adopting AI coding agents today juggle four to six tools — Claude\nCode, Cursor, Copilot, Gemini, Windsurf — each with its own config\nlanguage and capability surface. Configurations duplicate, drift, and\ndecay. Compliance teams have no single artifact to audit. Security\npostures vary per developer's local setup, and every new hire rebuilds\nthe harness from scratch.\n\nEmbedIQ produces a governed multi-agent harness from one structured\ninterview, and keeps it that way via drift detection, scheduled\nregeneration, and byte-identical re-runs. No LLM in the generator path,\nso the same answers always produce the same output — including under\nregulatory audit.\n\n---\n\n## Who this is for\n\n**Best fit**\n\n- **Regulated industries** — healthcare, financial services, government —\n where compliance auditors block non-deterministic tooling and a\n byte-identical regeneration story is a regulatory requirement, not a\n preference.\n- **Multi-agent enterprise environments** already standardizing on\n `AGENTS.md` plus tool-specific files, where keeping six configs\n consistent by hand has become a recurring tax.\n- **Consulting firms and systems integrators** running multiple client\n engagements from the same checkout, who need isolated state per\n engagement without a hosted control plane. See the\n [per-engagement deployment pattern](docs/CONSULTING-FIRM-DEPLOYMENT.md).\n- **Teams whose AI workforce includes non-developers** — business\n analysts, product managers, executives — who need role-adaptive\n output rather than a flattened `CLAUDE.md`.\n\n**Not for**\n\n- **Hobbyist solo developers** who want a one-page `CLAUDE.md`. Shallow\n generators serve that case well and a 93-question wizard would\n over-serve it — even with the engine's short-circuiting for\n minimal-compliance profiles, admin-vs-user gating, and agent-target\n filtering.\n\n---\n\n## 60-second quickstart\n\n```bash\ngit clone https://github.com/asq-sheriff/embediq.git\ncd embediq\nnpm install\n\n# Interactive CLI wizard\nnpm start\n\n# Or web UI — same wizard, same generators, same output\nnpm run start:web # http://localhost:3000\n\n# Generate with full v4.0 governance output set\nEMBEDIQ_AUDIT_LOG=./audit.jsonl \\\nEMBEDIQ_AUDIT_CHAIN_ENABLED=true \\\n npm start -- --targets claude,cyclonedx-aibom,oscal-component,oscal-ssp-fragment,provenance\n\n# Already generated once? Drift-check a project\nnpm run drift -- --target ./my-project --archetype minimal-developer\n\n# Scoring + benchmarking\nnpm run evaluate # replay answer sets against golden references\nnpm run benchmark -- --candidate ./other-tool-output --candidate-label claude-init\n\n# v4.0 — verify the tamper-evident audit chain\nnpm run verify-audit-log -- --input ./audit.jsonl\n```\n\n\u003e **CLI or web — same surface.** `npm start` launches the terminal\n\u003e wizard with `@inquirer/prompts` (arrow-key navigation, conditional\n\u003e branching, in-place edits). `npm run start:web` launches a vanilla-JS\n\u003e SPA on port 3000 with the same wizard flow, same generators, same\n\u003e output — stateless by default, optional Postgres backend for\n\u003e horizontal scale-out, encrypted resumable sessions via shareable\n\u003e `?session=\u003cid\u003e` URLs. Both surfaces drive identical generation.\n\u003e Full walkthroughs:\n\u003e [CLI](docs/user-guide/01-wizard-walkthrough.md) ·\n\u003e [Web](docs/user-guide/07-session-and-resume.md).\n\nGuided 10-minute tour: [`docs/getting-started.md`](docs/getting-started.md).\n\n---\n\n## What you get\n\nA snippet from a generated `CLAUDE.md` — HIPAA-scoped TypeScript + Python\nteam, developer role, strict security tier:\n\n````markdown\n# Patient portal\n\n## Tech Stack\n\n- Languages: typescript, python\n- Build: npm\n- CI/CD: github_actions\n\n## Security Requirements\n\n- Never commit secrets, API keys, or credentials\n- NEVER include PHI in any form: code, comments, test fixtures, logs\n- NEVER include PII in any form: code, comments, test fixtures, logs\n- DLP hooks actively scan all edits for sensitive data patterns\n- Follow OWASP Top 10 guidelines for all user-facing code\n\n## Compliance\n\n- HIPAA compliance is mandatory\n- Never include PHI in code, comments, logs, or test data\n- For PHI handling details, see .claude/rules/hipaa-compliance.md\n````\n\nThat `CLAUDE.md` is one of 16 files generated for this profile under\nthe default `claude` target. Backing it up: path-scoped rule files\n(`.claude/rules/hipaa-phi-handling.md`,\n`.claude/rules/healthcare-interop.md`, `.claude/rules/hipaa-compliance.md`,\n`.claude/rules/security.md`, plus language rules for `typescript` and\n`python`), three Python hook scripts under `.claude/hooks/`\n(`dlp-scanner.py`, `audit-logger.py`, `command-guard.py`), a\npermissions-tier `.claude/settings.json` plus a `.claude/settings.local.json`\nallow-list, an `.mcp.json.template` for MCP server wiring, and the\n`.claudeignore` / `.claude/.claude_ignore` egress controls. Opt additional\ntargets in (`--targets claude,agents-md,cursor,copilot,gemini,windsurf`)\nand the same answer set produces `AGENTS.md`, `.cursor/rules/*.mdc`,\n`.github/copilot-instructions.md` + scoped instructions, `GEMINI.md`,\nand `.windsurfrules` alongside. If TECH_013 (local AI) is `yes`,\nadd `.continue/config.json`, `.aider.conf.yml` + `.aiderignore`,\n`.zed/settings.json`, a root `OLLAMA_SETUP.md`, and a runnable\nRAG scaffold under `rag/` (chunker + embedder + SQLite-VSS store +\naudit + CLI) with `RAG_RUNBOOK.md` at the project root and a\npath-scoped compliance rule file under `.claude/rules/` for each\nactive framework (`rag-hipaa-`, `rag-pci-`, `rag-soc2-`, or\n`rag-ferpa-compliance.md`; `rag-conventions.md` for non-regulated\nprofiles).\n\nSee the full file inventory in\n[`docs/user-guide/02-generated-files.md`](docs/user-guide/02-generated-files.md).\n\n---\n\n## What it generates\n\nPick one or more output targets via `EMBEDIQ_OUTPUT_TARGETS` or\n`--targets`:\n\n**Hosted agents** (six target families — the default surface):\n\n| Target | Files produced |\n| --------------- | -------------------------------------------------------------------------------------------------- |\n| `claude` (default) | `CLAUDE.md`, `.claude/settings.json`, `.claude/settings.local.json`, `.claude/rules/*` (universal + per-language), `.claude/commands/*` and `.claude/agents/*` (when the profile registers any), `.claude/skills/*` (when domain packs / skills are active), `.claude/hooks/*` (Python DLP, audit, egress, command-guard), `.claudeignore`, `.mcp.json.template`, `.claude/association_map.yaml`, `.claude/document_state.yaml` |\n| `agents-md` | `AGENTS.md` (cross-agent universal format) |\n| `cursor` | `.cursor/rules/*.mdc` with MDC frontmatter (`alwaysApply`, `globs`) |\n| `copilot` | `.github/copilot-instructions.md` + glob-scoped `.github/instructions/*.instructions.md` |\n| `gemini` | `GEMINI.md` |\n| `windsurf` | `.windsurfrules` |\n\n**Local-AI integrations** (v3.3 — auto-included when the wizard's\n`TECH_013` \"use local AI\" answer is `yes`; per-IDE gated by\n`TECH_017`):\n\n| Target | Files produced |\n| --------------- | -------------------------------------------------------------------------------------------------- |\n| `continue-dev` | `.continue/config.json` — Ollama models, tab-autocomplete, embeddings provider, telemetry off |\n| `aider` | `.aider.conf.yml` + `.aiderignore` — Ollama-backed default model, language-aware test/lint commands |\n| `zed-ai` | `.zed/settings.json` — Ollama provider registration |\n| `ollama` | Root `OLLAMA_SETUP.md` runbook — install commands, `ollama pull` per selected model, hardware-tier tuning notes |\n| `rag-scaffold` | `rag/` directory (chunker + embedder + SQLite-VSS store + audit + CLI), root `RAG_RUNBOOK.md`, and one path-scoped `.claude/rules/rag-{framework}-compliance.md` per active compliance framework. Chunker is FHIR-aware for healthcare profiles, plain-text otherwise. |\n| `local-router` | `router/` Express dispatch service (v3.3) — routes local Ollama by default, escalates to hosted LLMs after optional PHI redaction; opt-in via `TECH_019` |\n\n**v4.0 governance outputs** (post-pass — opt-in only; existing goldens regenerate byte-identically):\n\n| Target | File produced | What it carries |\n| ------------------- | ------------- | --------------- |\n| `cyclonedx-aibom` | `.embediq/cyclonedx/aibom.json` | CycloneDX 1.6 ML-BOM enumerating every AI model, agent, and service the harness invokes (Ollama, hosted APIs, IDE agents, local-router). Procurement-relevant under EO 14110. [Doc →](docs/extension-guide/exporting-cyclonedx-aibom.md) |\n| `oscal-component` | `.embediq/oscal/component-definition.json` | OSCAL 1.1.2 Component Definition — product-level claim that the harness implements the listed compliance frameworks. Drata / Vanta / OSCAL-aware platforms ingest directly. [Doc →](docs/extension-guide/exporting-oscal-component-definitions.md) |\n| `oscal-ssp-fragment`| `.embediq/oscal/ssp-fragment.json` | OSCAL 1.1.2 SSP fragment — deployment-level claim. Stamped `document-completion-status=fragment` so audit pipelines know the operator merges with their org-specific SSP content. Operator-tunable via `EMBEDIQ_OSCAL_SSP_*` env vars. [Doc →](docs/extension-guide/exporting-oscal-ssp-fragments.md) |\n| `provenance` | `.embediq/provenance/manifest.json` | Per-file authoritative generator + target attribution + heuristic driver inference (\"why is this file here?\"). [Doc →](docs/extension-guide/exporting-provenance-trace.md) |\n\nPlus opt-in via env var (not a target):\n\n- **Tamper-evident audit chain** (v4.0) — `EMBEDIQ_AUDIT_CHAIN_ENABLED=true` writes hash-chained JSONL entries to `EMBEDIQ_AUDIT_LOG`. RFC-6962 linked-log pattern; `npm run verify-audit-log -- --input \u003cpath\u003e` reports the first integrity break. [Doc →](docs/operator-guide/audit-chain.md)\n- **NIST AI RMF + AI 600-1 domain pack** (v4.0) — opt in via `REG_002` containing `nist-ai-rmf`, or compose programmatically via `domainPackRegistry.composeFromPacks(['healthcare', 'nist-ai-rmf'], …)`. Adds 6 wizard questions, 4 path-scoped rule files (Govern/Map/Measure/Manage), 2 recognized frameworks. [Doc →](docs/extension-guide/nist-ai-rmf-pack.md)\n\nNon-technical roles (Business Analyst, Product Manager, Executive) get\ncoworker-shaped variants focused on research, analysis, and documentation\ninstead of code, and never see the local-AI targets.\n\n---\n\n## How it stacks up\n\nEmbedIQ ships an evaluation harness that scores its output against\ngolden references and against what other tools produce — Claude\n`/init`, hand-rolled configs, shallow template generators. The same\nharness that gates internal quality is yours to run end-to-end:\n\n```bash\nnpm run evaluate # score EmbedIQ vs golden references\nnpm run benchmark # score another tool's output vs the same goldens\nnpm run evaluate -- --format scorecard --out r.html # customer-facing HTML scorecard\n```\n\nMethodology, scoring weights, and per-archetype scorecards in\n[`docs/evaluators/competitive-comparison.md`](docs/evaluators/competitive-comparison.md);\nthe scorecard option surface (themes, layouts, logo embed, PDF\noutput) in\n[`docs/user-guide/06-evaluation-and-drift.md`](docs/user-guide/06-evaluation-and-drift.md#customer-facing-scorecards).\n\"Prove it\" beats \"trust me\" in regulated procurement.\n\n---\n\n## Feature matrix\n\n### Core differentiators\n\n| Area | What ships today |\n|---|---|\n| **Adaptive Q\u0026A** | 93 questions · 7 dimensions · explicit agent-target selection (`STRAT_TARGETS`) and admin-vs-user split (`STRAT_000b`) gate ~28 admin-only questions for end-user operators |\n| **Operator-aware framing** | User-profile questions (role, proficiency) reframe for a Coding Agent Admin configuring for a team vs. an individual personalizing their own setup |\n| **Cross-answer validation** | Typed answers are checked against earlier ones (framework↔language, serverless-without-cloud, duplicate \"Other\" entries, invalid DLP regex) — non-blocking warn + suggested fix |\n| **Optional questions + inference** | Skippable questions infer a sensible default from your stack (e.g. testing framework from selected languages); inferred values are tagged in the profile report |\n| **Profile report + versioned audit** | Human-readable (md/json) report of every answer + the determinations EmbedIQ made — downloadable from the wizard or via `--profile-report`; each generation writes a versioned, audit-chained profile snapshot |\n| **Role adaptation** | 9 roles (developer, devops, lead, eng_manager, BA, PM, executive, QA, data); role-specific output variants; admin/user operator-type orthogonal to role |\n| **Per-question context + purpose** | Every question carries `helpText` (shown to all users) plus admin-only `purposeText` explaining what the answer drives in the generated output |\n| **Multi-agent targets** | Claude Code, `AGENTS.md`, Cursor, Copilot, Gemini, Windsurf — from one interview |\n| **Local-AI integration** (v3.3) | Continue.dev, Aider, Zed AI, and Ollama — auto-included when the wizard's local-AI branch (`TECH_013`) is opted in |\n| **Runnable RAG scaffold** (v3.3) | `rag-scaffold` target emits chunker + embedder + SQLite-VSS store + audit + CLI under `rag/`, with FHIR-aware chunker for healthcare profiles and per-framework compliance rules (`rag-hipaa-`, `rag-pci-`, `rag-soc2-`, `rag-ferpa-compliance.md`) |\n| **Compliance-aware output** | Pre-write validators (HIPAA, PCI-DSS, SOC2, GDPR, universal); refused — not warned about |\n| **Determinism + audit-readiness** | Zero LLM calls in the generator path; same answers → byte-identical files; CI-gateable |\n| **Evaluation framework** | Golden-config replay scoring; benchmark mode against competing tools |\n| **Domain packs + composable skills** | Built-in Healthcare / Finance / Education plus `SKILL.md` authoring format; external packs via `EMBEDIQ_PLUGINS_DIR` / `EMBEDIQ_SKILLS_DIR` |\n\n### Azure / Microsoft stack\n\n| Area | What ships today |\n|---|---|\n| **Azure DevOps Repos PR** | `EMBEDIQ_GIT_PROVIDER=azure-repos` opens PRs into Azure Repos (`organization/project/repository`, PAT auth, Git REST API; Azure DevOps Server via `EMBEDIQ_GIT_API_BASE_URL`) |\n| **Azure Pipelines** | `azure-pipelines.yml` generator matched to your stack (.NET / Python / Java / Node / Go / Rust) with a compliance security stage, when CI/CD = Azure DevOps |\n| **Visual Studio** | root `.editorconfig` (formatting + Roslyn analyzer severities) when Visual Studio is a selected IDE |\n| **JetBrains** | `.junie/guidelines.md` (Junie / AI Assistant project guidelines) + `.aiignore` for IntelliJ / PyCharm / WebStorm / Rider |\n| **Cloud / deployment target** | `TECH_022` (Azure / AWS / GCP / on-prem / hybrid) drives provider-specific scaffolding |\n\n### Operational features\n\n| Area | What ships today |\n|---|---|\n| **Drift detection** | `npm run drift` classifies files as match / missing / modified / stale / version-mismatch / extra |\n| **Autopilot** | Scheduled drift scans (`@hourly` / `@daily` / `@weekly` / `@monthly` presets or arbitrary 5-field cron expressions in any IANA timezone with DST handling) plus webhook triggers. Multi-replica scheduling via the Postgres-backed store (`claimSchedule()` CAS — every replica reads the shared table, each due schedule fires exactly once). Failure-streak alerting via the `autopilot:alerting` event (one-shot per crossing). |\n| **Interrupt \u0026 resume** | Shareable `?session=\u003cid\u003e` URLs; per-answer contributor attribution for multi-stakeholder workflows |\n| **Multi-platform PR integration** | `--git-pr` opens a PR via GitHub, GitLab, Bitbucket Cloud, or **Azure DevOps Repos** (atomic multi-file commits through each platform's native API) |\n| **Outbound notifications** | Slack Block Kit / Teams MessageCard / generic JSON via `EMBEDIQ_WEBHOOK_URLS` |\n| **Compliance webhooks** | Drata, Vanta, and generic adapters translate external findings into autopilot runs; HMAC-SHA256 signature verification opt-in per adapter |\n\n### v4.0 governance suite\n\n| Area | What ships today |\n|---|---|\n| **OSCAL catalog/profile import** | `DomainPackRegistry.loadFromOscalCatalog()` + `.loadFromOscalProfile()` ingest NIST 800-53 / SSDF / FedRAMP profiles directly. No JVM dep. Composes with industry packs via `composeFromPacks()`. |\n| **OSCAL component-definition export** | Per-generation product-level OSCAL claim — `--targets oscal-component`. Drata / Vanta / FedRAMP 20x ingestion-ready. |\n| **OSCAL SSP fragment export** | Per-engagement deployment-level OSCAL fragment — `--targets oscal-ssp-fragment`. Operator-tunable via `EMBEDIQ_OSCAL_SSP_*` env vars. Stamped `document-completion-status=fragment`. |\n| **CycloneDX-ML AIBOM** | Full AI bill of materials enumerating every model, agent, and service the harness invokes — `--targets cyclonedx-aibom`. EO 14110-aligned. |\n| **Per-file provenance trace** | \"Why is this file here?\" answer-key combining authoritative generator attribution + heuristic driver inference — `--targets provenance`. |\n| **Tamper-evident audit chain** | RFC-6962-pattern hash-chained `audit.jsonl` via `EMBEDIQ_AUDIT_CHAIN_ENABLED=true` + `verify-audit-log` CLI for offline integrity check. |\n| **NIST AI RMF + AI 600-1 pack** | Built-in domain pack mapping Govern/Map/Measure/Manage onto rule templates + validation checks + 6 wizard questions. Cross-industry; compose with HIPAA / PCI / FERPA via `composeFromPacks()`. |\n\n### Infrastructure \u0026 deployment\n\n| Area | What ships today |\n|---|---|\n| **Authentication** | Basic / OIDC / reverse-proxy header / demo (admin-vs-user persona switcher for demo recordings — never for production); three-tier RBAC (`wizard-viewer` / `wizard-user` ≡ `wizard-contributor` / `wizard-admin`) with legacy `wizard-user` preserved as a contributor alias |\n| **Session persistence** | Null (default) / JSON file / SQLite / Postgres backends; AES-256-GCM optional payload encryption with side-by-side key rotation (`EMBEDIQ_SESSION_DATA_KEY_PREV`). Postgres backend supports horizontal scale-out — every web replica reads the same session table |\n| **Multi-engagement scoping** | `EMBEDIQ_ENGAGEMENT_ID` isolates session, autopilot, and audit state under `.embediq/engagements/\u003cid\u003e/` — one process per engagement |\n| **Observability** | Optional OpenTelemetry (`EMBEDIQ_OTEL_ENABLED=true`); JSONL audit log |\n| **Deployment** | Docker, docker-compose, Kubernetes manifests with health and readiness probes |\n\n---\n\n## Requirements\n\n**To run EmbedIQ**\n\n| Requirement | Minimum | Check |\n| ----------- | --------- | ----------------- |\n| Node.js | 18+ | `node --version` |\n| npm | 8+ | `npm --version` |\n\nNo Anthropic account or API key is needed to run the wizard itself —\nEmbedIQ is 100% offline.\n\n**To use the generated Claude Code output**\n\n| Requirement | Details |\n| --- | --- |\n| Claude Code | `npm install -g @anthropic-ai/claude-code` |\n| Anthropic subscription | Pro ($20/mo), Max ($100-200/mo), Team ($30/user/mo), Enterprise, or API (BYOK) |\n| Python 3.8+ | Required if hook scripts are generated (DLP, audit, egress) |\n\nOutput for other targets (Cursor, Copilot, Gemini, Windsurf, `AGENTS.md`)\nhas no tool-specific runtime requirement beyond the agent itself.\n\n---\n\n## Architecture\n\nThree-layer design:\n\n```\n┌────────────────────────────────────────────────────┐\n│ Layer 1: Universal Question Bank │\n│ 93 questions · 7 dimensions · purposeText schema │\n├────────────────────────────────────────────────────┤\n│ Layer 2: Adaptive Logic Engine │\n│ Branch evaluation · profile building · priorities │\n├────────────────────────────────────────────────────┤\n│ Layer 3: Unified Synthesizer │\n│ 31 generators · 16 target formats · validation │\n└────────────────────────────────────────────────────┘\n```\n\nBoth CLI and web interfaces share the same core. The web API is\nstateless by default — the browser holds the answer map and sends it\nwith each request. Opt-in server-side sessions add interrupt-and-resume\nwithout compromising the zero-persistence baseline.\n\n---\n\n## Documentation map\n\n| I want to… | Go to |\n| --- | --- |\n| Take a guided 10-minute tour | [`docs/getting-started.md`](docs/getting-started.md) |\n| Run the wizard end-to-end | [`docs/user-guide/01-wizard-walkthrough.md`](docs/user-guide/01-wizard-walkthrough.md) |\n| Understand every generated file | [`docs/user-guide/02-generated-files.md`](docs/user-guide/02-generated-files.md) |\n| Generate for Cursor / Copilot / Gemini / Windsurf | [`docs/user-guide/05-multi-agent-targets.md`](docs/user-guide/05-multi-agent-targets.md) |\n| Score my output against golden configs | [`docs/user-guide/06-evaluation-and-drift.md`](docs/user-guide/06-evaluation-and-drift.md) |\n| Resume a wizard session on another device | [`docs/user-guide/07-session-and-resume.md`](docs/user-guide/07-session-and-resume.md) |\n| Schedule nightly drift scans | [`docs/user-guide/08-autopilot.md`](docs/user-guide/08-autopilot.md) |\n| Open a PR instead of writing to disk | [`docs/user-guide/09-git-pr-integration.md`](docs/user-guide/09-git-pr-integration.md) |\n| Wire Slack / Teams notifications | [`docs/user-guide/10-notification-webhooks.md`](docs/user-guide/10-notification-webhooks.md) |\n| Trigger runs from Drata or Vanta | [`docs/user-guide/11-compliance-webhooks.md`](docs/user-guide/11-compliance-webhooks.md) |\n| Deploy to Docker or Kubernetes | [`docs/operator-guide/deployment.md`](docs/operator-guide/deployment.md) |\n| Run multiple engagements out of one checkout | [`docs/CONSULTING-FIRM-DEPLOYMENT.md`](docs/CONSULTING-FIRM-DEPLOYMENT.md) |\n| Deploy in a HIPAA-covered healthcare BPO environment | [`docs/HEALTHCARE-BPO-DEPLOYMENT.md`](docs/HEALTHCARE-BPO-DEPLOYMENT.md) |\n| Wire authentication | [`docs/operator-guide/authentication.md`](docs/operator-guide/authentication.md) |\n| Set up OpenTelemetry | [`docs/operator-guide/observability.md`](docs/operator-guide/observability.md) |\n| Look up every env var | [`docs/reference/configuration.md`](docs/reference/configuration.md) |\n| Look up every HTTP endpoint | [`docs/reference/rest-api.md`](docs/reference/rest-api.md) |\n| Write my own domain pack / skill / adapter | [`docs/extension-guide/`](docs/extension-guide/) |\n| Read the architecture | [`docs/architecture/overview.md`](docs/architecture/overview.md) |\n| Evaluate EmbedIQ vs. competitors | [`docs/evaluators/competitive-comparison.md`](docs/evaluators/competitive-comparison.md) |\n| Contribute code or docs | [`CONTRIBUTING.md`](CONTRIBUTING.md) |\n| Report a security issue | [`SECURITY.md`](SECURITY.md) |\n\n---\n\n## Commands at a glance\n\n```bash\nmake help # Show all targets\nmake check # Type-check + 949 tests\nmake start # CLI wizard\nmake start-web # Web server on :3000\nmake evaluate # Run evaluation harness\nmake benchmark # Benchmark another tool's output\nmake drift # Drift-check a project (flags required)\nmake otel-dev # Web server with OpenTelemetry enabled\nmake docker-up # Start via docker-compose\n```\n\nOr use the raw `npm` scripts — every Makefile target wraps a one-line\n`npm run ...` call.\n\n---\n\n## Data privacy — the short version\n\n- **No database** unless you opt in to a session backend (JSON file or\n SQLite). Default is volatile memory only.\n- **No telemetry.** EmbedIQ never phones home.\n- **No LLM calls.** The wizard is 100% deterministic — answers are\n never sent to any AI service.\n- **No hidden disk writes.** Output lands in the directory you name,\n period.\n- **Air-gap compatible.** CLI runs offline; web server's only optional\n outbound traffic is OpenTelemetry export, git PR integration, and\n outbound webhooks — all opt-in via env vars.\n\nFull threat model and compliance-framework coverage in\n[`SECURITY.md`](SECURITY.md) and\n[`docs/evaluators/threat-coverage.md`](docs/evaluators/threat-coverage.md).\n\n---\n\n## License\n\n[MIT](LICENSE). A [Praglogic](https://pragmaticlogic.ai) project.\nContributions welcome — see [`CONTRIBUTING.md`](CONTRIBUTING.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasq-sheriff%2Fembediq","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fasq-sheriff%2Fembediq","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasq-sheriff%2Fembediq/lists"}