@sechroom/cli 2026.6.1 → 2026.6.3

package/README.md

@@ -54,15 +54,27 @@ npm i -g @sechroom/cli@next
 npx @sechroom/cli login
 ```
 
+## Develop
+
+This is a **pnpm workspace member** (`frontend/apps/cli`). Install from the repo root
+(`pnpm install`), then run scripts via the filter (or `pnpm <script>` from this dir):
+
+```bash
+pnpm --filter @sechroom/cli run gen          # regenerate the typed client
+pnpm --filter @sechroom/cli run check-types
+pnpm --filter @sechroom/cli run build
+pnpm --filter @sechroom/cli run dev -- --help # tsx, no build
+```
+
 ## Generate the client (once, and after any API change)
 
 ```bash
 # defaults to https://app.sechroom.ai/api/openapi/v1.json
-npm run gen
-SECHROOM_OPENAPI_URL=https://<host>/api/openapi/v1.json npm run gen   # other envs
+pnpm --filter @sechroom/cli run gen
+SECHROOM_OPENAPI_URL=https://<host>/api/openapi/v1.json pnpm --filter @sechroom/cli run gen   # other envs
 ```
 
-`npm run gen` overwrites `src/generated/api.d.ts`. The **real generated types are
+`gen` overwrites `src/generated/api.d.ts`. The **real generated types are
 committed** (regenerated from the live prod spec) so builds are hermetic — no
 live-API dependency at compile time; re-run `gen` after any API change. Generating
 against the live schema is what caught the original placeholder's shape drift
@@ -82,17 +94,52 @@ sechroom memory get mem_XXXX
 sechroom memory search "convention lifecycle drift" --limit 5
 sechroom worklog append --text "shipped CLI skeleton; pointers: ..." --source claude-code-chris
 
+sechroom lookup mem_XXXX                 # what is this id? -> kind / title / view URL
+sechroom lookup sechroom:mem_XXXX --json # namespaced form also resolves
+
 sechroom --json memory get mem_XXXX     # agent-friendly
 ```
 
 Headless:
 
 ```bash
-export SECHROOM_TOKEN="<jwt from /auth/dev/token>"
+export SECHROOM_TOKEN="<bearer: a PAT or dev-token JWT>"
 export SECHROOM_TENANT=ocd
 sechroom --json memory search "rate limiting" 
 ```
 
+## Onboarding (`init` / `setup`)
+
+`sechroom init` wires a project for sechroom by rendering the server's
+operator-surface setup descriptors (`GET /operator-surface/setup`, tenant-scoped
+— the aggregator URL is baked in) into local AI-client config + agent instruction
+files. **Idempotent — merges/appends, never clobbers** (JSON `mcpServers` merge;
+Codex TOML table replace; instruction files use a managed marker block).
+
+```bash
+sechroom init                       # Claude Code (default): .mcp.json + CLAUDE.md
+sechroom init --client all          # claude-code, claude-desktop, codex, cursor
+sechroom init --client codex,cursor # a subset
+sechroom init --dry-run --json      # preview the writes, no changes
+
+# granular pieces init orchestrates:
+sechroom setup mcp claude-desktop          # just the MCP config for one client
+sechroom setup agent-files codex           # just the AGENTS.md instruction file
+```
+
+Per client → where it writes:
+
+| client | MCP config | instruction file |
+|---|---|---|
+| `claude-code` | `./.mcp.json` | `./CLAUDE.md` |
+| `claude-desktop` | `claude_desktop_config.json` (OS path) | `~/.claude/CLAUDE.md` |
+| `codex` | `~/.codex/config.toml` | `./AGENTS.md` |
+| `cursor` | `./.cursor/mcp.json` | `./AGENTS.md` |
+
+The instruction-file step pulls the role template the SEM Starter bundle ships
+(via the descriptor's tag-query artifact). If that bundle isn't installed in the
+tenant, the step **skips gracefully** with a note (MCP config still gets written).
+
 ## Layout
 
 ```
@@ -101,10 +148,16 @@ src/
   auth.ts             OAuth auth-code+PKCE loopback (fixed-port DCR) + refresh + cache
   client.ts           openapi-fetch client (auth + tenant middleware) + emit/fail
   config.ts           base-url / tenant / token resolution + persistence
-  generated/api.d.ts  typed client — `npm run gen`; real types committed (hermetic)
+  generated/api.d.ts  typed client — `pnpm run gen`; real types committed (hermetic)
   commands/
     memory.ts         create / get / search
     worklog.ts        append
+    lookup.ts         resolve any id (mem_…/unprefixed/sechroom:<id>) -> kind/title/url
+    setup.ts          init + setup mcp/agent-files
+  setup/
+    operator-surface.ts  fetch GET /operator-surface/setup + resolve template artifacts
+    clients.ts           client→(surface, local paths, format) registry
+    apply.ts             writers: mcp json merge / codex toml / instruction marker block
 ```
 
 ## Remaining before ship
@@ -123,9 +176,9 @@ Public **npmjs** under the `@sechroom` org is the host; **TeamCity** is the
 publisher (build config `Sechroom_PublishCli`). The full pipeline — steps,
 parameters, npm auth, provisioning, and how to run a publish — is documented in
 [`ci/PUBLISHING.md`](./ci/PUBLISHING.md). In short: a manual-trigger config runs
-`npm ci → gen → typecheck → build → publish` in a `node:20` container, authed by
-a masked `NPM_TOKEN` param; `next` stamps a per-build prerelease, `latest` ships
-`BASE_CLI_VERSION`.
+`pnpm install → gen → check-types → build → publish` (filtered to `@sechroom/cli`)
+in a `node:20` container, authed by a masked `NPM_TOKEN` param. Every publish gets a
+fresh calendar version `YYYY.M.<n>` (own counter); the dist-tag separates next/latest.
 
 Why public npmjs: the CLI is customer-facing, and `npx @sechroom/cli` must work
 with zero `.npmrc`/token on the customer side. GitHub Packages or a private

package/dist/index.js

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 
 // src/index.ts
+import { readFileSync as readFileSync3 } from "fs";
 import { Command } from "commander";
 
 // src/auth.ts
@@ -211,6 +212,62 @@ async function requireToken(cfg) {
 
 // src/client.ts
 import createClient from "openapi-fetch";
+
+// src/ui.ts
+var FRAMES = ["\u280B", "\u2819", "\u2839", "\u2838", "\u283C", "\u2834", "\u2826", "\u2827", "\u2807", "\u280F"];
+var quiet = false;
+function setQuiet(q) {
+  quiet = q;
+}
+function active() {
+  return !quiet && Boolean(process.stderr.isTTY);
+}
+function spinner(text) {
+  if (!active()) {
+    return { succeed() {
+    }, fail() {
+    }, stop() {
+    } };
+  }
+  let i = 0;
+  const render = () => {
+    i = (i + 1) % FRAMES.length;
+    process.stderr.write(`\r${FRAMES[i]} ${text}`);
+  };
+  process.stderr.write(`\r${FRAMES[0]} ${text}`);
+  const timer = setInterval(render, 80);
+  timer.unref?.();
+  const clear = () => {
+    clearInterval(timer);
+    process.stderr.write("\r\x1B[K");
+  };
+  return {
+    succeed(t) {
+      clear();
+      process.stderr.write(`\u2713 ${t ?? text}
+`);
+    },
+    fail(t) {
+      clear();
+      process.stderr.write(`\u2717 ${t ?? text}
+`);
+    },
+    stop: clear
+  };
+}
+async function withSpinner(text, fn) {
+  const s = spinner(text);
+  try {
+    const result = await fn();
+    s.succeed();
+    return result;
+  } catch (err) {
+    s.fail();
+    throw err;
+  }
+}
+
+// src/client.ts
 async function makeClient(cfg) {
   const token = await requireToken(cfg);
   const client = createClient({ baseUrl: cfg.baseUrl });
@@ -230,6 +287,22 @@ function emit(data, json) {
     process.stdout.write(JSON.stringify(data, null, 2) + "\n");
   }
 }
+async function runApi(label, fn) {
+  const s = spinner(label);
+  let res;
+  try {
+    res = await fn();
+  } catch (err) {
+    s.fail();
+    fail(err);
+  }
+  if (res.error !== void 0 && res.error !== null) {
+    s.fail();
+    fail(res.error);
+  }
+  s.succeed();
+  return res.data;
+}
 function fail(error) {
   const msg = typeof error === "object" && error !== null && "title" in error ? String(error.title) : typeof error === "object" ? JSON.stringify(error) : String(error);
   process.stderr.write(`error: ${msg}
@@ -242,50 +315,51 @@ function registerMemory(program2) {
   const memory = program2.command("memory").description("Create, read, and search memories");
   memory.command("create").description("Create a memory (POST /memories)").requiredOption("--text <text>", "Memory body text").option("--type <type>", "Memory type", "reference").option("--title <title>", "Optional title").option("--tag <tag...>", "Tags (repeatable)").option("--owner-type <ownerType>", "Workspace | Project | Unfiled", "Unfiled").option("--owner-id <ownerId>", "Owner id (required for Workspace/Project)").option("--source <source>", "Source / lane stamp", "cli").option("--confidence <n>", "Confidence 0..1", "1.0").action(async (opts, cmd) => {
     const cfg = resolveConfig(cmd.optsWithGlobals());
-    const client = await makeClient(cfg);
     const unfiled = String(opts.ownerType).toLowerCase() === "unfiled";
-    const { data, error } = await client.POST("/memories", {
-      body: {
-        text: opts.text,
-        type: opts.type,
-        content: "{}",
-        confidence: Number(opts.confidence),
-        source: opts.source,
-        archetype: "Document",
-        title: opts.title ?? null,
-        tags: opts.tag ?? null,
-        owner: unfiled ? null : { type: opts.ownerType, id: String(opts.ownerId ?? "") }
-      }
+    const data = await runApi("Creating memory", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/memories", {
+        body: {
+          text: opts.text,
+          type: opts.type,
+          content: "{}",
+          confidence: Number(opts.confidence),
+          source: opts.source,
+          archetype: "Document",
+          title: opts.title ?? null,
+          tags: opts.tag ?? null,
+          owner: unfiled ? null : { type: opts.ownerType, id: String(opts.ownerId ?? "") }
+        }
+      });
     });
-    if (error) fail(error);
     emit(data, cmd.optsWithGlobals().json);
   });
   memory.command("get <memoryId>").description("Fetch a memory by id (GET /memories/{memoryId})").action(async (memoryId, _opts, cmd) => {
     const cfg = resolveConfig(cmd.optsWithGlobals());
-    const client = await makeClient(cfg);
-    const { data, error } = await client.GET("/memories/{memoryId}", {
-      params: { path: { memoryId } }
+    const data = await runApi("Fetching memory", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/memories/{memoryId}", { params: { path: { memoryId } } });
     });
-    if (error) fail(error);
     emit(data, cmd.optsWithGlobals().json);
   });
   memory.command("search <query>").description("Hybrid search (POST /memories/search; SemanticQuery -> vector+FTS RRF)").option("--limit <n>", "Max results", "10").option("--tag <tag...>", "Require all listed tags").option("--workspace <workspaceId>", "Scope to a workspace (cascades to its projects)").option("--include-archived", "Include archived memories", false).action(async (query, opts, cmd) => {
     const cfg = resolveConfig(cmd.optsWithGlobals());
-    const client = await makeClient(cfg);
-    const { data, error } = await client.POST("/memories/search", {
-      body: {
-        query: null,
-        textQuery: null,
-        semanticQuery: query,
-        hybrid: true,
-        limit: Number(opts.limit),
-        includeArchived: Boolean(opts.includeArchived),
-        includeSystem: false,
-        ...opts.tag ? { tags: opts.tag } : {},
-        ...opts.workspace ? { workspaceId: opts.workspace } : {}
-      }
+    const data = await runApi("Searching", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/memories/search", {
+        body: {
+          query: null,
+          textQuery: null,
+          semanticQuery: query,
+          hybrid: true,
+          limit: Number(opts.limit),
+          includeArchived: Boolean(opts.includeArchived),
+          includeSystem: false,
+          ...opts.tag ? { tags: opts.tag } : {},
+          ...opts.workspace ? { workspaceId: opts.workspace } : {}
+        }
+      });
     });
-    if (error) fail(error);
     emit(data, cmd.optsWithGlobals().json);
   });
 }
@@ -295,23 +369,348 @@ function registerWorklog(program2) {
   const worklog = program2.command("worklog").description("Append to the daily work log");
   worklog.command("append").description("Append a work-log entry (POST /operator-surface/work-log/append)").requiredOption("--text <text>", "Entry body (short bullets / pointers) \u2014 the bullet").option("--source <source>", "Lane stamp (e.g. claude-code-chris) \u2014 laneId", "cli").option("--workspace <workspaceId>", "Target work-log workspace (default: caller's daily log)").option("--title <title>", "Optional entry title").action(async (opts, cmd) => {
     const cfg = resolveConfig(cmd.optsWithGlobals());
-    const client = await makeClient(cfg);
-    const { data, error } = await client.POST("/operator-surface/work-log/append", {
+    const data = await runApi("Appending work-log entry", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/operator-surface/work-log/append", {
+        body: {
+          bullet: opts.text,
+          laneId: opts.source ?? null,
+          workspaceId: opts.workspace ?? null,
+          title: opts.title ?? null
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+}
+
+// src/commands/lookup.ts
+function registerLookup(program2) {
+  program2.command("lookup <id>").description(
+    "Resolve a sechroom id to its kind, title, and view URL (mem_\u2026/wsp_\u2026/prj_\u2026, unprefixed, or sechroom:<id>)"
+  ).action(async (id, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi(`Resolving ${id}`, async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/lookup/{id}", { params: { path: { id } } });
+    });
+    if (data == null) {
+      process.stderr.write(`not found: ${id}
+`);
+      process.exit(1);
+    }
+    emit(data, cmd.optsWithGlobals().json);
+  });
+}
+
+// src/setup/apply.ts
+import { mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2, existsSync as existsSync2 } from "fs";
+import { dirname } from "path";
+
+// src/setup/operator-surface.ts
+var SectionType = {
+  McpConfig: "mcp-config",
+  McpConfigToml: "mcp-config-toml",
+  InstructionFile: "instruction-file",
+  ProjectConfig: "project-config",
+  Verify: "verify"
+};
+async function fetchSetup(cfg) {
+  const client = await makeClient(cfg);
+  const { data, error } = await client.GET("/operator-surface/setup", {});
+  if (error) throw new Error(`GET /operator-surface/setup failed: ${JSON.stringify(error)}`);
+  return data;
+}
+function findSurface(setup, surfaceKey) {
+  return setup.surfaces.find((s) => s.surfaceKey === surfaceKey);
+}
+function findSection(surface, sectionType) {
+  return surface?.sections.find((s) => s.sectionType === sectionType);
+}
+function sectionSnippet(section) {
+  if (!section) return null;
+  for (const step of section.steps) {
+    if (step.copyValue) return step.copyValue;
+    if (step.codeSnippet) return step.codeSnippet;
+  }
+  return null;
+}
+function parseTagArtifactId(id) {
+  if (!id.startsWith("tag:")) return null;
+  const tags = id.slice("tag:".length).split(",").map((t) => t.trim()).filter((t) => t.length > 0);
+  return tags.length > 0 ? tags : null;
+}
+async function resolveInstructionBody(cfg, section) {
+  const client = await makeClient(cfg);
+  for (const artifact of section.artifacts) {
+    const tags = parseTagArtifactId(artifact.id);
+    if (!tags) continue;
+    const { data } = await client.POST("/memories/search", {
       body: {
-        bullet: opts.text,
-        laneId: opts.source ?? null,
-        workspaceId: opts.workspace ?? null,
-        title: opts.title ?? null
+        query: null,
+        textQuery: null,
+        semanticQuery: artifact.title ?? "role instruction template",
+        hybrid: true,
+        limit: 1,
+        includeArchived: false,
+        includeSystem: false,
+        tags
       }
     });
-    if (error) fail(error);
-    emit(data, cmd.optsWithGlobals().json);
+    const hits = data ?? [];
+    if (hits.length === 0) continue;
+    const memId = hits[0].id;
+    const { data: memEnvelope } = await client.GET("/memories/{memoryId}", {
+      params: { path: { memoryId: memId } }
+    });
+    const env = memEnvelope;
+    const body = env?.item?.text ?? env?.text;
+    if (typeof body === "string" && body.length > 0) {
+      return { title: env?.item?.title ?? env?.title ?? artifact.title, body };
+    }
+  }
+  return null;
+}
+
+// src/setup/apply.ts
+var BLOCK_BEGIN = "<!-- @sechroom/cli:begin (managed \u2014 re-run `sechroom setup agent-files` to refresh) -->";
+var BLOCK_END = "<!-- @sechroom/cli:end -->";
+function ensureDir2(path) {
+  mkdirSync2(dirname(path), { recursive: true });
+}
+function readOr(path, fallback) {
+  try {
+    return readFileSync2(path, "utf8");
+  } catch {
+    return fallback;
+  }
+}
+function mergeMcpJson(path, snippet, dryRun) {
+  const incoming = JSON.parse(snippet);
+  const existed = existsSync2(path);
+  let current = {};
+  if (existed) {
+    try {
+      current = JSON.parse(readFileSync2(path, "utf8"));
+    } catch {
+      return { kind: "mcp", path, status: "skipped", note: "existing file isn't valid JSON \u2014 left untouched" };
+    }
+  }
+  current.mcpServers = { ...current.mcpServers ?? {}, ...incoming.mcpServers ?? {} };
+  if (dryRun) return { kind: "mcp", path, status: "dry-run" };
+  ensureDir2(path);
+  writeFileSync2(path, JSON.stringify(current, null, 2) + "\n", { mode: 384 });
+  return { kind: "mcp", path, status: existed ? "merged" : "created" };
+}
+function mergeCodexToml(path, snippet, dryRun) {
+  const existed = existsSync2(path);
+  let body = readOr(path, "");
+  body = body.replace(/(^|\n)\[mcp_servers\.sechroom\][^[]*/, "\n").replace(/\n{3,}/g, "\n\n");
+  const trimmed = body.trim();
+  const next = (trimmed.length > 0 ? trimmed + "\n\n" : "") + snippet.trim() + "\n";
+  if (dryRun) return { kind: "mcp", path, status: "dry-run" };
+  ensureDir2(path);
+  writeFileSync2(path, next, { mode: 384 });
+  return { kind: "mcp", path, status: existed ? "merged" : "created" };
+}
+function writeInstructionBlock(path, body, dryRun) {
+  const block = `${BLOCK_BEGIN}
+${body.trim()}
+${BLOCK_END}
+`;
+  const existed = existsSync2(path);
+  const current = readOr(path, "");
+  let next;
+  const re = new RegExp(`${escapeRe(BLOCK_BEGIN)}[\\s\\S]*?${escapeRe(BLOCK_END)}\\n?`);
+  if (re.test(current)) {
+    next = current.replace(re, block);
+  } else {
+    next = current.trim().length > 0 ? `${current.trimEnd()}
+
+${block}` : block;
+  }
+  if (dryRun) return { kind: "instruction", path, status: "dry-run" };
+  ensureDir2(path);
+  writeFileSync2(path, next);
+  return { kind: "instruction", path, status: existed ? "merged" : "created" };
+}
+function escapeRe(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+async function applyClient(cfg, setup, target, opts) {
+  const actions = [];
+  if (opts.mcp && target.mcp) {
+    const surface = findSurface(setup, target.mcp.surfaceKey);
+    const section = findSection(surface, target.mcp.sectionType);
+    const snippet = sectionSnippet(section);
+    if (!snippet) {
+      actions.push({ kind: "mcp", path: target.mcp.path, status: "skipped", note: `no ${target.mcp.sectionType} section on surface '${target.mcp.surfaceKey}'` });
+    } else {
+      actions.push(
+        target.mcp.format === "toml" ? mergeCodexToml(target.mcp.path, snippet, opts.dryRun) : mergeMcpJson(target.mcp.path, snippet, opts.dryRun)
+      );
+    }
+  }
+  if (opts.agentFiles && target.instruction) {
+    const surface = findSurface(setup, target.instruction.surfaceKey);
+    const section = findSection(surface, SectionType.InstructionFile);
+    if (!section) {
+      actions.push({ kind: "instruction", path: target.instruction.path, status: "skipped", note: `no instruction-file section on surface '${target.instruction.surfaceKey}'` });
+    } else {
+      const resolved = await resolveInstructionBody(cfg, section);
+      if (!resolved) {
+        actions.push({ kind: "instruction", path: target.instruction.path, status: "skipped", note: "no role template found in this tenant \u2014 install the SEM Starter bundle, then re-run `sechroom setup agent-files`" });
+      } else {
+        actions.push(writeInstructionBlock(target.instruction.path, resolved.body, opts.dryRun));
+      }
+    }
+  }
+  return actions;
+}
+
+// src/setup/clients.ts
+import { homedir as homedir2 } from "os";
+import { join as join2 } from "path";
+function claudeDesktopConfigPath(home) {
+  switch (process.platform) {
+    case "darwin":
+      return join2(home, "Library", "Application Support", "Claude", "claude_desktop_config.json");
+    case "win32":
+      return join2(process.env.APPDATA ?? join2(home, "AppData", "Roaming"), "Claude", "claude_desktop_config.json");
+    default:
+      return join2(home, ".config", "Claude", "claude_desktop_config.json");
+  }
+}
+function clientTargets(cwd) {
+  const home = homedir2();
+  return {
+    "claude-code": {
+      key: "claude-code",
+      label: "Claude Code",
+      mcp: { surfaceKey: "claude-code", sectionType: SectionType.McpConfig, path: join2(cwd, ".mcp.json"), format: "json" },
+      instruction: { surfaceKey: "claude-code", path: join2(cwd, "CLAUDE.md") }
+    },
+    "claude-desktop": {
+      key: "claude-desktop",
+      label: "Claude Desktop",
+      mcp: { surfaceKey: "claude-desktop", sectionType: SectionType.McpConfig, path: claudeDesktopConfigPath(home), format: "json" },
+      instruction: { surfaceKey: "claude-desktop", path: join2(home, ".claude", "CLAUDE.md") }
+    },
+    codex: {
+      key: "codex",
+      label: "Codex CLI",
+      mcp: { surfaceKey: "chatgpt", sectionType: SectionType.McpConfigToml, path: join2(home, ".codex", "config.toml"), format: "toml" },
+      instruction: { surfaceKey: "chatgpt", path: join2(cwd, "AGENTS.md") }
+    },
+    cursor: {
+      key: "cursor",
+      label: "Cursor",
+      mcp: { surfaceKey: "claude-code", sectionType: SectionType.McpConfig, path: join2(cwd, ".cursor", "mcp.json"), format: "json" },
+      instruction: { surfaceKey: "chatgpt", path: join2(cwd, "AGENTS.md") }
+    }
+  };
+}
+var ALL_CLIENT_KEYS = ["claude-code", "claude-desktop", "codex", "cursor"];
+var DEFAULT_CLIENT_KEY = "claude-code";
+
+// src/commands/setup.ts
+function resolveClientKeys(raw) {
+  const targets = clientTargets(process.cwd());
+  if (raw === "all") return [...ALL_CLIENT_KEYS];
+  const keys = raw.split(",").map((k) => k.trim()).filter(Boolean);
+  for (const k of keys) {
+    if (!targets[k]) {
+      fail(`unknown client '${k}'. Known: ${ALL_CLIENT_KEYS.join(", ")}, or 'all'.`);
+    }
+  }
+  return keys;
+}
+function printActions(client, actions) {
+  process.stdout.write(`
+${client.label} (${client.key}):
+`);
+  for (const a of actions) {
+    const tag = a.status === "skipped" ? "skip" : a.status;
+    process.stdout.write(`  [${tag}] ${a.kind}: ${a.path}${a.note ? ` \u2014 ${a.note}` : ""}
+`);
+  }
+}
+function registerInit(program2) {
+  program2.command("init").description("Wire this project for sechroom: write MCP config + agent instruction files from the server's setup descriptors").option("--client <list>", `comma-separated clients (${ALL_CLIENT_KEYS.join(", ")}) or 'all'`, DEFAULT_CLIENT_KEY).option("--dry-run", "print what would be written without writing", false).option("--mcp-only", "only write MCP config (skip agent files)", false).option("--agent-files-only", "only write agent instruction files (skip MCP config)", false).action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const setup = await withSpinner("Fetching setup descriptors", () => fetchSetup(cfg));
+    const targets = clientTargets(process.cwd());
+    const keys = resolveClientKeys(opts.client);
+    const json = cmd.optsWithGlobals().json;
+    const result = [];
+    for (const key of keys) {
+      const target = targets[key];
+      const actions = await applyClient(cfg, setup, target, {
+        dryRun: Boolean(opts.dryRun),
+        mcp: !opts.agentFilesOnly,
+        agentFiles: !opts.mcpOnly
+      });
+      result.push({ client: key, actions });
+      if (!json) printActions(target, actions);
+    }
+    if (json) {
+      emit({ dryRun: Boolean(opts.dryRun), clients: result }, true);
+      return;
+    }
+    const first = targets[keys[0]];
+    const surface = findSurface(setup, first.mcp?.surfaceKey ?? first.instruction?.surfaceKey ?? "");
+    const verify = findSection(surface, SectionType.Verify);
+    if (verify?.description) {
+      process.stdout.write(`
+Next \u2014 verify: ${verify.description}
+`);
+    }
+    process.stdout.write(
+      opts.dryRun ? "\n(dry run \u2014 nothing written)\n" : "\nDone. Restart your AI client (or reload MCP) to pick up the new config.\n"
+    );
+  });
+}
+function registerSetup(program2) {
+  const setup = program2.command("setup").description("Granular onboarding steps (init runs these together)");
+  setup.command("mcp <client>").description(`Write only the MCP config for a client (${ALL_CLIENT_KEYS.join(", ")})`).option("--dry-run", "print what would be written without writing", false).action(async (client, opts, cmd) => {
+    await runSingle(client, cmd, { dryRun: Boolean(opts.dryRun), mcp: true, agentFiles: false });
+  });
+  setup.command("agent-files <client>").description(`Write only the agent instruction file for a client (${ALL_CLIENT_KEYS.join(", ")})`).option("--dry-run", "print what would be written without writing", false).action(async (client, opts, cmd) => {
+    await runSingle(client, cmd, { dryRun: Boolean(opts.dryRun), mcp: false, agentFiles: true });
   });
 }
+async function runSingle(client, cmd, opts) {
+  const cfg = resolveConfig(cmd.optsWithGlobals());
+  const targets = clientTargets(process.cwd());
+  const target = targets[client];
+  if (!target) fail(`unknown client '${client}'. Known: ${ALL_CLIENT_KEYS.join(", ")}.`);
+  const setupData = await withSpinner("Fetching setup descriptors", () => fetchSetup(cfg));
+  const actions = await applyClient(cfg, setupData, target, opts);
+  const json = cmd.optsWithGlobals().json;
+  if (json) {
+    emit({ dryRun: opts.dryRun, client, actions }, true);
+  } else {
+    printActions(target, actions);
+    process.stdout.write(opts.dryRun ? "\n(dry run \u2014 nothing written)\n" : "\nDone.\n");
+  }
+}
 
 // src/index.ts
+function resolveVersion() {
+  try {
+    const pkg = JSON.parse(
+      readFileSync3(new URL("../package.json", import.meta.url), "utf8")
+    );
+    return pkg.version ?? "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+}
 var program = new Command();
-program.name("sechroom").description("Sechroom CLI \u2014 thin generated client over the Sechroom HTTP API. An agent/human surface alongside MCP.").version("0.0.0").option("--base-url <url>", "API base URL (overrides config / SECHROOM_BASE_URL)").option("--tenant <tenant>", "Tenant id (required by the API; overrides config / SECHROOM_TENANT)").option("--json", "Emit compact JSON (for scripts and agents)", false);
+program.name("sechroom").description("Sechroom CLI \u2014 thin generated client over the Sechroom HTTP API. An agent/human surface alongside MCP.").version(resolveVersion()).option("--base-url <url>", "API base URL (overrides config / SECHROOM_BASE_URL)").option("--tenant <tenant>", "Tenant id (required by the API; overrides config / SECHROOM_TENANT)").option("--json", "Emit compact JSON (for scripts and agents)", false);
+program.hook("preAction", (_thisCmd, actionCmd) => {
+  setQuiet(Boolean(actionCmd.optsWithGlobals().json));
+});
 program.command("login").description("Sign in via browser (OAuth auth-code + PKCE, dynamic client registration)").action(async (_opts, cmd) => {
   const g = cmd.optsWithGlobals();
   const persisted = readPersisted();
@@ -334,6 +733,9 @@ config.command("show").description("Print persisted config").action(() => {
 });
 registerMemory(program);
 registerWorklog(program);
+registerLookup(program);
+registerInit(program);
+registerSetup(program);
 program.parseAsync().catch((err) => {
   process.stderr.write(`error: ${err instanceof Error ? err.message : String(err)}
 `);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sechroom/cli",
-  "version": "2026.6.1",
+  "version": "2026.6.3",
   "description": "Sechroom CLI — a thin, generated client over the Sechroom HTTP API. An agent/human surface alongside MCP.",
   "type": "module",
   "license": "UNLICENSED",
@@ -8,7 +8,7 @@
   "repository": {
     "type": "git",
     "url": "git+https://github.com/OcdLimited/sechroom.git",
-    "directory": "tools/sechroom-cli"
+    "directory": "frontend/apps/cli"
   },
   "bin": {
     "sechroom": "./dist/index.js"
@@ -23,13 +23,6 @@
     "access": "public",
     "registry": "https://registry.npmjs.org/"
   },
-  "scripts": {
-    "gen": "openapi-typescript \"${SECHROOM_OPENAPI_URL:-https://app.sechroom.ai/api/openapi/v1.json}\" -o src/generated/api.d.ts",
-    "build": "tsup src/index.ts --format esm --target node20 --clean",
-    "dev": "tsx src/index.ts",
-    "typecheck": "tsc --noEmit",
-    "prepublishOnly": "npm run build"
-  },
   "dependencies": {
     "commander": "^12.1.0",
     "open": "^10.1.0",
@@ -41,5 +34,11 @@
     "tsup": "^8.3.0",
     "tsx": "^4.19.0",
     "typescript": "^5.6.0"
+  },
+  "scripts": {
+    "gen": "openapi-typescript \"${SECHROOM_OPENAPI_URL:-https://app.sechroom.ai/api/openapi/v1.json}\" -o src/generated/api.d.ts",
+    "build": "tsup src/index.ts --format esm --target node20 --clean",
+    "dev": "tsx src/index.ts",
+    "check-types": "tsc --noEmit"
   }
-}
+}