aiolos · keeper of the winds

One command to make Claude Code fit your repo.

aiolos reads your stack, turns on the agents that match it, wires your MCP servers without ever touching your secrets, and lays down a deny-list so Claude can't cat ~/.ssh/id_rsa on a bad day. About 30 seconds per repo.

uv tool install aiolos
aiolos wizard

Works on fresh Next.js apps and ten-year-old monorepos. · macOS & Linux, Python 3.11+.

The first time you opened a repo with Claude Code…

You pasted an API key into .mcp.json to test a server, then committed it by accident. You watched the assistant run a gh command on your main branch. Your teammate's .claude/ looked nothing like yours and neither of you remembered why. You tried to harden settings.json, realised the deny patterns are harder than they look, and shipped without them.

aiolos does the 30-minute chore of wiring a new Claude Code project so you don't.

What runs when you type aiolos wizard

[Diagram: YOUR REPO → PRESET MATCH (next.js, python, infra…) → .claude/, wired four ways: Agents on (built-in, by name); Skills (fetched from trusted authors); MCP wired (secrets stay in .env); Hardened (deny-rules + hooks).]

The repo is scanned, matched to one or more presets, and .claude/ is wired in four ways. The tool ships plumbing. The content — prompts, agent bodies, skill markdown — comes from Anthropic's built-ins and authors you explicitly trust.

What it writes into your repo

A Next.js repo with Postgres, after aiolos wizard:

# .mcp.json — committed, only ${VAR} placeholders
{
  "mcpServers": {
    "github":   { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"],
                  "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_PERSONAL_ACCESS_TOKEN}" } },
    "postgres": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-postgres",
                                              "${DATABASE_URL}"] }
  }
}

# .env.claude.example — committed, documents what the team needs
GITHUB_PERSONAL_ACCESS_TOKEN=
DATABASE_URL=

# .gitignore — we add this line, so real values never slip in
.env.claude

# .claude/settings.json — deny-rules you'd otherwise write by hand
{ "permissions": { "deny": [
  "Read(~/.ssh/**)", "Read(~/.aws/**)", "Read(.env)", "Read(.env.*)",
  "Bash(cat ~/.ssh/**)", "Bash(security find-generic-password*)",
  "Bash(git push --force *)", "Bash(terraform destroy *)"
]}}

Re-run any time; the managed blocks merge cleanly and your own rules survive.
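
A check that a repo still matches the layout shown above, suitable for CI or a pre-commit hook. This is an added example, not part of aiolos; the function names, the URL-credential heuristic and the BAD sample are assumptions made for illustration.

```python
import json
import re
from pathlib import Path

PLACEHOLDER = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")
# Heuristic: scheme://user:password@ still present once ${VAR} references are removed.
URL_CREDS = re.compile(r"://[^/\s:@]+:[^/\s@]+@")

def literal_values(config: dict) -> list[str]:
    """Locations in an .mcp.json document that hold a value instead of ${VAR}."""
    found = []
    for name, server in config.get("mcpServers", {}).items():
        for var, value in server.get("env", {}).items():
            if not PLACEHOLDER.fullmatch(str(value)):
                found.append(f"{name}.env.{var}")
        for i, arg in enumerate(server.get("args", [])):
            if URL_CREDS.search(PLACEHOLDER.sub("", str(arg))):
                found.append(f"{name}.args[{i}]")
    return found

def check_repo(root: Path) -> list[str]:
    """Check the three files shown above; returns a list of problems (empty = ok)."""
    mcp = root / ".mcp.json"
    if not mcp.exists():
        return [".mcp.json: missing"]
    problems = [f".mcp.json: literal value at {loc}"
                for loc in literal_values(json.loads(mcp.read_text()))]
    ignore = root / ".gitignore"
    text = ignore.read_text() if ignore.exists() else ""
    # Exact entry only; broader globs that would also cover the file are not evaluated.
    if ".env.claude" not in {line.strip().lstrip("/") for line in text.splitlines()}:
        problems.append(".gitignore: no .env.claude entry")
    example = root / ".env.claude.example"
    for line in (example.read_text().splitlines() if example.exists() else []):
        key, sep, value = line.partition("=")
        if sep and not key.lstrip().startswith("#") and value.strip():
            problems.append(f".env.claude.example: {key.strip()} has a value")
    return problems

# Constructed sample: the token and connection string are made up.
BAD = {"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"],
               "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_constructed_not_a_real_token"}},
    "postgres": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-postgres",
                                            "postgres://app:hunter2@db.example.internal/app"]}}}

if __name__ == "__main__":
    print("\n".join(check_repo(Path("."))) or "ok")
```

`literal_values(BAD)` reports both the pasted token and the inline connection string; the `.mcp.json` shown above reports nothing.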

The small set of commands

wizard
Interactive grand tour. Five gated steps (init → browse → harden → mcp → tools); each prints a plan and asks [Y/n] before writing anything. Start here.
init
Scans the repo, picks the matching preset(s), activates the built-in Anthropic agents those presets reference (typescript-pro, nextjs-developer, python-pro, …). Monorepo-aware: if Python and Next.js both match, both activate.
browse
Interactive picker over trusted community sources — anthropics/skills, obra/skills, vercel-labs/skills, skills.sh, or a custom owner/repo. Lists their skills, confirms the ones you want, fetches into your library, installs into the repo.
mcp
Writes .mcp.json with ${VAR} references, a committed .env.claude.example, and a .gitignore entry for the local .env.claude. Secrets never enter git.
harden
Baseline permissions.deny rules in .claude/settings.json — SSH, AWS, GCP, GPG, kubeconfig, .env*, macOS Keychain — plus a sidecar aiolos.lock.json so re-runs merge cleanly and never stomp your hand-written rules. Optional hooks: refuse edits to .env*, pause on --production, ding when a turn finishes.
tools
Scans PATH for authenticated CLIs (gh, flyctl, neonctl, wrangler…) and scaffolds a wrapper SKILL.md you can fill in. Defaults to repo-relevant CLIs — if the repo has a Dockerfile you see docker, not your whole global toolbox. Pass --all for the full scan.
new-skill
Scaffolds a SKILL.md with the things people forget: single-line description, Prettier guard, the right frontmatter keys. The body is yours.
lint · audit · doctor
Sanity checks for your personal skill library. Use when something stops working.
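
How a sidecar lock lets a re-run of harden update its own rules while leaving hand-written ones alone, as an added sketch (not aiolos's code). The `managed_deny` key, the function name and the sample rules are hypothetical; the page does not show the layout of aiolos.lock.json.

```python
import json

def merge_deny(settings: dict, lock: dict, baseline: list[str]) -> tuple[dict, dict]:
    """Merge baseline deny rules into settings without touching user rules.

    lock["managed_deny"] (hypothetical key) lists the rules a previous run wrote.
    Returns new (settings, lock); the inputs are not modified.
    """
    current = settings.get("permissions", {}).get("deny", [])
    managed_before = set(lock.get("managed_deny", []))
    # Whatever is in the file but not in the lock was written by a human.
    user_rules = [r for r in current if r not in managed_before]
    # A baseline rule the user already wrote stays theirs and is not claimed.
    managed_now = [r for r in dict.fromkeys(baseline) if r not in user_rules]
    new_settings = json.loads(json.dumps(settings))  # deep copy, keeps other keys
    new_settings.setdefault("permissions", {})["deny"] = user_rules + managed_now
    return new_settings, {"managed_deny": managed_now}

# Constructed inputs: two baseline versions and a settings file with hand-written rules.
BASELINE_V1 = ["Read(~/.ssh/**)", "Read(.env)", "Bash(git push --force *)"]
BASELINE_V2 = ["Read(~/.ssh/**)", "Read(.env)", "Read(.env.*)"]  # one dropped, one added
HAND_WRITTEN = {"permissions": {"allow": ["Bash(npm test)"],
                                "deny": ["Bash(rm -rf *)", "Read(.env)"]}}

def demo():
    s1, l1 = merge_deny(HAND_WRITTEN, {}, BASELINE_V1)  # first run
    s2, l2 = merge_deny(s1, l1, BASELINE_V1)            # re-run: no change
    s3, l3 = merge_deny(s2, l2, BASELINE_V2)            # baseline changed
    return s1, s2, s3, l3

if __name__ == "__main__":
    for step in demo():
        print(json.dumps(step))
```

In this sketch a managed rule that is deleted by hand comes back on the next run, because only the lock distinguishes tool-written rules from yours.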

Not to be confused with

Claude Code's built-in /init
Writes a CLAUDE.md. We wire agents, MCP, secrets, and deny-rules. Use both; they don't overlap.
rulesync
Syncs rule files across Cursor, Codex, Copilot, Claude. We're Claude-Code-only and configure runtime, not just rules. If you use multiple assistants, use rulesync too.
obra/superpowers, skill marketplaces
Ship opinionated skill content. We ship zero. Point us at any marketplace via trust.toml and we'll fetch from it.

What aiolos deliberately doesn't do

This is plumbing. The pipes are ours; the water is yours and the community's.

  • It doesn't write your skills for you. new-skill gives you a scaffold with the right shape and gets out of the way. The body is yours because only you know your codebase.
  • It doesn't re-implement Anthropic's built-in agents. If Claude Code already ships typescript-pro, we reference it by name. One source of truth, upgraded when Anthropic upgrades it.
  • It doesn't touch your secrets. .mcp.json only holds ${VAR} references. Real values live in .env.claude, gitignored before you can commit by accident. You get .env.claude.example to share with the team.
  • It isn't a security audit. The deny-list stops the obvious footguns — SSH keys, cloud creds, keychain, .env*. If you're shipping to users, that's table stakes, not a substitute for a real review.