@sechroom/cli 2026.6.10 → 2026.6.12

package/dist/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import { readFileSync as readFileSync3 } from "fs";
+import { readFileSync as readFileSync6 } from "fs";
 import { Command } from "commander";
 
 // src/auth.ts
@@ -12,7 +12,7 @@ import open from "open";
 // src/config.ts
 import { homedir } from "os";
 import { join, dirname } from "path";
-import { mkdirSync, readFileSync, writeFileSync, existsSync } from "fs";
+import { mkdirSync, readFileSync, writeFileSync, existsSync, rmSync } from "fs";
 var CONFIG_DIR = join(homedir(), ".config", "sechroom");
 var CONFIG_FILE = join(CONFIG_DIR, "config.json");
 var TOKEN_FILE = join(CONFIG_DIR, "token.json");
@@ -53,6 +53,16 @@ function writeToken(tok) {
   ensureDir();
   writeFileSync(TOKEN_FILE, JSON.stringify(tok, null, 2), { mode: 384 });
 }
+function clearToken() {
+  if (!existsSync(TOKEN_FILE)) return void 0;
+  rmSync(TOKEN_FILE);
+  return TOKEN_FILE;
+}
+function clearPersisted() {
+  if (!existsSync(CONFIG_FILE)) return void 0;
+  rmSync(CONFIG_FILE);
+  return CONFIG_FILE;
+}
 function findLocalConfigPath(start = process.cwd()) {
   let dir = start;
   for (; ; ) {
@@ -453,6 +463,7 @@ async function makeClient(cfg) {
     onRequest({ request }) {
       request.headers.set("authorization", `Bearer ${token}`);
       request.headers.set("tenant", cfg.tenant);
+      request.headers.set("x-sechroom-surface", "cli");
       return request;
     }
   });
@@ -491,9 +502,10 @@ async function runApi(label, fn) {
     s.fail();
     fail(err2);
   }
-  if (res.error !== void 0 && res.error !== null) {
+  const httpFailed = res.response !== void 0 && !res.response.ok;
+  if (res.error !== void 0 && res.error !== null || httpFailed) {
     s.fail();
-    fail(res.error);
+    fail(res.error ?? (res.response ? `HTTP ${res.response.status} ${res.response.statusText}`.trim() : "request failed"));
   }
   s.succeed();
   return res.data;
@@ -2000,6 +2012,129 @@ function detectInstalledClients(cwd) {
   return detected;
 }
 
+// src/setup/skills-offer.ts
+import { mkdirSync as mkdirSync3, writeFileSync as writeFileSync3 } from "fs";
+import { homedir as homedir3 } from "os";
+import { join as join4 } from "path";
+
+// src/sem.ts
+import { dirname as dirname4, join as join3 } from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync3 } from "fs";
+var SEM_FILE = ".sem";
+function localSemPath(cwd = process.cwd()) {
+  return join3(cwd, SEM_FILE);
+}
+function resolveSemPathForRead(start = process.cwd()) {
+  let dir = start;
+  while (true) {
+    const candidate = join3(dir, SEM_FILE);
+    if (existsSync4(candidate)) return candidate;
+    const parent = dirname4(dir);
+    if (parent === dir) return void 0;
+    dir = parent;
+  }
+}
+function parseSem(text) {
+  const out = {};
+  for (const raw of text.split("\n")) {
+    const line = raw.trim();
+    if (!line || line.startsWith("#")) continue;
+    const eq = line.indexOf("=");
+    if (eq === -1) continue;
+    const key = line.slice(0, eq).trim();
+    const value = line.slice(eq + 1).trim();
+    if (key) out[key] = value;
+  }
+  return out;
+}
+function serializeSem(values) {
+  const header = "# sechroom lane pin (per-location fallback) \u2014 resolved at runtime by operator skills.\n";
+  const body = Object.entries(values).map(([k, v]) => `${k} = ${v}`).join("\n");
+  return header + body + "\n";
+}
+function readSem(path) {
+  const p = path ?? resolveSemPathForRead();
+  if (!p || !existsSync4(p)) return void 0;
+  return { path: p, values: parseSem(readFileSync3(p, "utf8")) };
+}
+
+// src/setup/skills-offer.ts
+var ROLE_TAG = "sechroom:role:skill-template";
+function tagValue(tags, prefix) {
+  return tags.find((t) => t.startsWith(prefix))?.slice(prefix.length);
+}
+async function maybeOfferSkills(cfg, personalWorkspaceId, opts) {
+  if (!personalWorkspaceId || opts.dryRun) return;
+  const surface = opts.surface ?? "claude-code";
+  let rows = [];
+  try {
+    const client = await makeClient(cfg);
+    const feed = await client.GET("/workspaces/{workspaceId}/memories/feed", {
+      params: {
+        path: { workspaceId: personalWorkspaceId },
+        query: { limit: 200, cascadeWorkspaces: true, includeText: true }
+      }
+    }).then((r) => r.data).catch(() => void 0);
+    rows = feed?.results ?? feed?.Results ?? [];
+  } catch {
+    return;
+  }
+  const skills = rows.map((r) => r.item ?? r).filter((m) => {
+    const tags = m.tags ?? m.Tags ?? [];
+    return tags.includes(ROLE_TAG) && tagValue(tags, "target:") === surface;
+  });
+  if (skills.length === 0) return;
+  const byName = /* @__PURE__ */ new Map();
+  for (const m of skills) {
+    const name = tagValue(m.tags ?? m.Tags ?? [], "skill:");
+    if (name) byName.set(name, m);
+  }
+  const names = [...byName.keys()].sort();
+  if (names.length === 0) return;
+  process.stderr.write(
+    `
+Found ${style.bold(String(names.length))} operator skill(s) installed in your workspace: ${names.join(", ")}.
+`
+  );
+  const dir = join4(homedir3(), ".claude", "skills");
+  const materialise = opts.yes ? true : canPrompt() ? await promptYesNo(`Write them to ${dir}/ so ${surface} can use them?`) : false;
+  if (!materialise) return;
+  const written = [];
+  for (const [name, m] of byName) {
+    const body = m.text ?? m.Text ?? "";
+    mkdirSync3(join4(dir, name), { recursive: true });
+    writeFileSync3(join4(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
+    written.push(name);
+  }
+  process.stderr.write(`${style.green("\u2713")} wrote ${written.length} skill(s) to ${dir}
+`);
+  if (readSem()) return;
+  const setLane = opts.yes ? false : canPrompt() ? await promptYesNo("Set your lane now so the skills can resolve their identity slots?") : false;
+  if (!setLane) {
+    process.stderr.write(
+      `  ${style.dim("run")} ${style.cyan("sechroom skills set-lane --code-lane \u2026 --design-lane \u2026")} ${style.dim("when ready.")}
+`
+    );
+    return;
+  }
+  let wf;
+  try {
+    const client = await makeClient(cfg);
+    wf = await client.GET("/me/workflow-preferences", {}).then((r) => r.data).catch(() => void 0);
+  } catch {
+  }
+  const code = await promptText("Code-lane id (e.g. claude-code-you)?", wf?.defaultCodeLane);
+  const design = await promptText("Design-lane id (e.g. claude-design-you)?", wf?.defaultDesignLane);
+  const values = {};
+  if (code) values["code-lane"] = code;
+  if (design) values["design-lane"] = design;
+  if (Object.keys(values).length === 0) return;
+  const target = localSemPath();
+  writeFileSync3(target, serializeSem(values));
+  process.stderr.write(`${style.green("\u2713")} lane pin written \u2192 ${target}
+`);
+}
+
 // src/commands/setup.ts
 function copyChoice(opts) {
   return opts.copy === true ? "yes" : opts.copy === false ? "no" : "ask";
@@ -2086,6 +2221,9 @@ Examples:
       result.push({ client: key, actions });
       if (!json) printActions(target, actions);
     }
+    if (!json && !opts.dryRun && !opts.mcpOnly) {
+      await maybeOfferSkills(cfg, personalWorkspaceId, { yes: false, dryRun: Boolean(opts.dryRun), surface: "claude-code" });
+    }
     if (json) {
       emit({ dryRun: Boolean(opts.dryRun), clients: result }, true);
       return;
@@ -2152,7 +2290,6 @@ async function ensureConfig(g, opts) {
   let baseUrl = g.baseUrl ?? process.env.SECHROOM_BASE_URL ?? local.baseUrl ?? persisted.baseUrl ?? DEFAULT_BASE_URL2;
   let tenant = g.tenant ?? process.env.SECHROOM_TENANT ?? local.tenant ?? persisted.tenant ?? "";
   if (canPrompt() && !opts.yes) {
-    baseUrl = await promptText("Sechroom API base URL?", baseUrl);
     tenant = await promptText("Tenant id?", tenant || void 0);
   }
   baseUrl = baseUrl.replace(/\/$/, "");
@@ -2295,6 +2432,9 @@ Try: ${style.cyan('sechroom memory search "..."')}  or  ${style.cyan("sechroom -
       result.push({ client: key, actions });
       if (!json) printActions(target, actions);
     }
+    if (!json && !dryRun) {
+      await maybeOfferSkills(cfg, personalWorkspaceId, { yes, dryRun, surface: "claude-code" });
+    }
     if (json) {
       emit({ dryRun, baseUrl: cfg.baseUrl, tenant: cfg.tenant, timezone: tz, wire, clients: result }, true);
       return;
@@ -2324,11 +2464,306 @@ async function chooseWire(opts, yes) {
   return opts.mcp === false ? "agent-only" : "full";
 }
 
+// src/commands/skills.ts
+import { homedir as homedir4 } from "os";
+import { dirname as dirname5, join as join5 } from "path";
+import { mkdirSync as mkdirSync4, writeFileSync as writeFileSync4, rmSync as rmSync2, existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
+var DEFAULT_SLUG = "operator-skills";
+var ROLE_TAGS = ["sechroom:role:skill-template", "role:skill-template"];
+var LOCK = ".sechroom-skills.json";
+function skillsDir(global) {
+  return global ? join5(homedir4(), ".claude", "skills") : join5(process.cwd(), ".claude", "skills");
+}
+function tagValue2(tags, prefix) {
+  return (tags ?? []).find((t) => t.startsWith(prefix))?.slice(prefix.length);
+}
+function hasAny(tags, candidates) {
+  return (tags ?? []).some((t) => candidates.includes(t));
+}
+function registerSkills(program2) {
+  const skills = program2.command("skills").description("Install + manage operator skills from a bundle");
+  skills.addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom skills install --code-lane claude-code-chris --design-lane claude-design-chris
+  $ sechroom skills install operator-skills --surface claude-code --local
+  $ sechroom skills list
+  $ sechroom skills set-lane --code-lane claude-code-chris --design-lane claude-design-chris
+  $ sechroom skills lane
+  $ sechroom skills clean`
+  );
+  skills.command("install [slug]").description(`Install a skills bundle (default ${DEFAULT_SLUG}) into your personal workspace + write SKILL.md files`).option("--version <v>", "bundle version (default: latest published in the catalogue)").option("--instance <name>", "install as a named, separate instance (install the same bundle more than once)").option("--code-lane <id>", "identity.code-lane binding (e.g. claude-code-chris)").option("--design-lane <id>", "identity.design-lane binding (e.g. claude-design-chris)").option("--surface <s>", "skill target surface to materialise", "claude-code").option("--local", "write to ./.claude/skills instead of ~/.claude/skills").option("--json", "machine output").action(async (slugArg, opts, cmd) => {
+    const slug = slugArg || DEFAULT_SLUG;
+    const client = await makeClient(resolveConfig(cmd.optsWithGlobals()));
+    const pw = await runApi("resolving personal workspace", () => client.GET("/me/personal-workspace", {}));
+    const personalWsId = pw?.id || pw?.workspaceId || pw?.personalWorkspaceId || pw?.item?.id;
+    if (!personalWsId) fail("Could not resolve your personal workspace.");
+    let version = opts.version;
+    if (!version) {
+      const cat = await runApi("reading the bundle catalogue", () => client.GET("/me/bundles", {}));
+      const item = (cat?.bundles ?? cat?.Bundles ?? []).find((b) => (b.slug ?? b.Slug) === slug);
+      if (!item) fail(`Bundle '${slug}' is not in your self-serve catalogue (must be UserInstallable + Published).`);
+      version = item.latestVersion ?? item.LatestVersion;
+      if (!version) fail(`Bundle '${slug}' has no installable (Published) version.`);
+    }
+    const installOptions = {};
+    if (opts.codeLane) installOptions["identity.code-lane"] = opts.codeLane;
+    if (opts.designLane) installOptions["identity.design-lane"] = opts.designLane;
+    const res = await runApi(
+      `installing ${slug}@${version}${opts.instance ? ` (${opts.instance})` : ""}`,
+      () => client.POST("/me/bundles/{slug}/versions/{version}/install", {
+        params: { path: { slug, version } },
+        // instance: null/absent = the default instance (reinstall updates in
+        // place); a name installs a separate instance.
+        body: { installOptions, instance: opts.instance ?? null }
+      })
+    );
+    const status = String(res?.status ?? res?.Status ?? "");
+    if (status && status.toLowerCase() !== "completed") {
+      fail(`Install did not complete (status=${status}; ${res?.failureReason ?? res?.FailureReason ?? ""}).`);
+    }
+    const feed = await runApi(
+      "materialising skill files",
+      () => client.GET("/workspaces/{workspaceId}/memories/feed", {
+        // cascadeWorkspaces: skills land in an "Operator Skills" SUB-workspace of
+        // the personal workspace, so we recurse from the personal-ws root.
+        // includeText: the feed omits bodies by default; we need them for SKILL.md.
+        params: {
+          path: { workspaceId: personalWsId },
+          query: { limit: 200, cascadeWorkspaces: true, includeText: true }
+        }
+      })
+    );
+    const rows = feed?.results ?? feed?.Results ?? [];
+    const dir = skillsDir(!opts.local);
+    const wantInstance = opts.instance || "default";
+    const written = [];
+    const bundleTagPrefix = `sechroom:bundle:${slug}@`;
+    for (const r of rows) {
+      const m = r.item ?? r;
+      const tags = m.tags ?? m.Tags ?? [];
+      if (!hasAny(tags, ROLE_TAGS)) continue;
+      if (tagValue2(tags, "target:") !== opts.surface) continue;
+      if (!tags.some((t) => t.startsWith(bundleTagPrefix))) continue;
+      if ((tagValue2(tags, "sechroom:skill-instance:") ?? "default") !== wantInstance) continue;
+      const name = tagValue2(tags, "skill:");
+      if (!name) continue;
+      const body = m.text ?? m.Text ?? "";
+      mkdirSync4(join5(dir, name), { recursive: true });
+      writeFileSync4(join5(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
+      written.push(name);
+    }
+    mkdirSync4(dir, { recursive: true });
+    const lockPath = join5(dir, LOCK);
+    const lock = existsSync5(lockPath) ? JSON.parse(readFileSync4(lockPath, "utf8")) : {};
+    lock[slug] = { surface: opts.surface, version, instance: wantInstance, skills: written.sort() };
+    writeFileSync4(lockPath, JSON.stringify(lock, null, 2) + "\n");
+    if (opts.json) return emit({ slug, version, instance: wantInstance, surface: opts.surface, dir, installed: written }, true);
+    const instanceNote = opts.instance ? ` (${opts.instance})` : "";
+    console.log(style.green(`Installed ${slug}@${version}${instanceNote} \u2014 ${written.length} skill(s) \u2192 ${dir}`));
+    written.forEach((n) => console.log("  " + style.dim("\u2022") + " " + n));
+    if (written.length === 0) console.log(style.dim(`  (no '${opts.surface}' skill bodies found; check --surface)`));
+  });
+  skills.command("list").description("List your installed bundles (GET /me/bundle-installs)").option("--json", "machine output").action(async (opts, cmd) => {
+    const client = await makeClient(resolveConfig(cmd.optsWithGlobals()));
+    const data = await runApi("reading your installs", () => client.GET("/me/bundle-installs", {}));
+    if (opts.json) return emit(data, true);
+    const installs = data?.installs ?? data?.Installs ?? [];
+    if (installs.length === 0) return console.log(style.dim("No bundles installed."));
+    installs.forEach((i) => {
+      const inst = i.instance ?? i.Instance ?? "";
+      const tag = inst ? style.dim(` [${inst}]`) : "";
+      console.log(`  ${i.bundleSlug ?? i.BundleSlug}@${i.bundleVersion ?? i.BundleVersion ?? "?"}${tag}`);
+    });
+  });
+  skills.command("clean [slug]").description(`Remove materialised skill files written by install (default ${DEFAULT_SLUG})`).option("--local", "clean ./.claude/skills instead of ~/.claude/skills").option("--json", "machine output").action(async (slugArg, opts) => {
+    const slug = slugArg || DEFAULT_SLUG;
+    const dir = skillsDir(!opts.local);
+    const lockPath = join5(dir, LOCK);
+    if (!existsSync5(lockPath)) fail(`No skills lockfile at ${lockPath}; nothing to clean.`);
+    const lock = JSON.parse(readFileSync4(lockPath, "utf8"));
+    const entry = lock[slug];
+    if (!entry) fail(`No installed record for '${slug}' in ${lockPath}.`);
+    const removed = [];
+    for (const name of entry.skills) {
+      const skillPath = join5(dir, name);
+      if (existsSync5(skillPath)) {
+        rmSync2(skillPath, { recursive: true, force: true });
+        removed.push(name);
+      }
+    }
+    delete lock[slug];
+    writeFileSync4(lockPath, JSON.stringify(lock, null, 2) + "\n");
+    if (opts.json) return emit({ slug, removed, dir }, true);
+    console.log(style.green(`Removed ${removed.length} skill(s) for ${slug} from ${dir}`));
+  });
+  skills.command("set-lane").description("Write this checkout's lane pin to a local ./.sem file (read at runtime by skills)").option("--code-lane <id>", "code-surface lane id (e.g. claude-code-chris)").option("--design-lane <id>", "design / substrate-authoring lane id (e.g. claude-design-chris)").option("--json", "machine output").action((opts, cmd) => {
+    if (!opts.codeLane && !opts.designLane) fail("Provide --code-lane and/or --design-lane.");
+    const target = localSemPath();
+    const values = readSem(target)?.values ?? {};
+    if (opts.codeLane) values["code-lane"] = opts.codeLane;
+    if (opts.designLane) values["design-lane"] = opts.designLane;
+    mkdirSync4(dirname5(target), { recursive: true });
+    writeFileSync4(target, serializeSem(values));
+    if (cmd.optsWithGlobals().json) return emit({ path: target, values }, true);
+    console.log(style.green(`Wrote lane pin \u2192 ${target}`));
+    Object.entries(values).forEach(([k, v]) => console.log("  " + style.dim(k) + " = " + v));
+  });
+  skills.command("lane").description("Show the lane pin resolved from ./.sem (nearest in this checkout)").option("--json", "machine output").action((opts, cmd) => {
+    const json = cmd.optsWithGlobals().json;
+    const found = readSem();
+    if (!found) {
+      if (json) return emit({ path: null, values: {} }, true);
+      return console.log(style.dim(`No ./.sem pin in this checkout. Run 'sechroom skills set-lane'.`));
+    }
+    if (json) return emit(found, true);
+    console.log(style.dim(`from ${found.path}`));
+    Object.entries(found.values).forEach(([k, v]) => console.log("  " + style.bold(k) + " = " + v));
+  });
+  skills.command("set-workflow").description("Set your per-operator workflow defaults (server-side; follows you across tenants)").option("--default-code-lane <id>", "personal default code lane (e.g. claude-code-chris)").option("--default-design-lane <id>", "personal default design lane (e.g. claude-design-chris)").option("--handover-recipient <id>", "your daily-handover counterparty (e.g. andy)").option("--json", "machine output").action(async (opts, cmd) => {
+    if (!opts.defaultCodeLane && !opts.defaultDesignLane && !opts.handoverRecipient)
+      fail("Provide at least one of --default-code-lane / --default-design-lane / --handover-recipient.");
+    const client = await makeClient(resolveConfig(cmd.optsWithGlobals()));
+    const cur = await runApi(
+      "reading workflow preferences",
+      () => client.GET("/me/workflow-preferences", {})
+    );
+    const body = {
+      defaultCodeLane: opts.defaultCodeLane ?? cur?.defaultCodeLane ?? null,
+      defaultDesignLane: opts.defaultDesignLane ?? cur?.defaultDesignLane ?? null,
+      handoverRecipient: opts.handoverRecipient ?? cur?.handoverRecipient ?? null
+    };
+    const res = await runApi(
+      "saving workflow preferences",
+      () => client.POST("/me/workflow-preferences", { body })
+    );
+    if (cmd.optsWithGlobals().json) return emit(res, true);
+    console.log(style.green("Saved your workflow preferences"));
+    console.log("  " + style.dim("default-code-lane") + "   = " + (body.defaultCodeLane ?? "(unset)"));
+    console.log("  " + style.dim("default-design-lane") + " = " + (body.defaultDesignLane ?? "(unset)"));
+    console.log("  " + style.dim("handover-recipient") + "  = " + (body.handoverRecipient ?? "(unset)"));
+  });
+  skills.command("workflow").description("Show your per-operator workflow defaults (GET /me/workflow-preferences)").option("--json", "machine output").action(async (opts, cmd) => {
+    const client = await makeClient(resolveConfig(cmd.optsWithGlobals()));
+    const data = await runApi(
+      "reading workflow preferences",
+      () => client.GET("/me/workflow-preferences", {})
+    );
+    if (cmd.optsWithGlobals().json) return emit(data, true);
+    console.log("  " + style.bold("default-code-lane") + "   = " + (data?.defaultCodeLane ?? style.dim("(unset)")));
+    console.log("  " + style.bold("default-design-lane") + " = " + (data?.defaultDesignLane ?? style.dim("(unset)")));
+    console.log("  " + style.bold("handover-recipient") + "  = " + (data?.handoverRecipient ?? style.dim("(unset)")));
+  });
+  skills.command("resolve").description("Resolve the effective ${identity.*} slot values (per-location .sem + per-operator workflow prefs)").option("--json", "machine output (a flat slot->value map + per-slot source)").action(async (opts, cmd) => {
+    const local = readSem()?.values ?? {};
+    let operator = {};
+    try {
+      const client = await makeClient(resolveConfig(cmd.optsWithGlobals()));
+      operator = await runApi(
+        "reading workflow preferences",
+        () => client.GET("/me/workflow-preferences", {})
+      ) ?? {};
+    } catch {
+    }
+    const pick = (loc, op) => loc != null && loc !== "" ? { value: loc, source: "per-location" } : op != null && op !== "" ? { value: op, source: "per-operator" } : { value: null, source: "unset" };
+    const slots = {
+      "identity.code-lane": pick(local["code-lane"], operator?.defaultCodeLane),
+      "identity.design-lane": pick(local["design-lane"], operator?.defaultDesignLane),
+      "identity.handover-recipient": pick(void 0, operator?.handoverRecipient)
+    };
+    if (cmd.optsWithGlobals().json) {
+      const values = Object.fromEntries(Object.entries(slots).map(([k, v]) => [k, v.value]));
+      return emit({ values, sources: Object.fromEntries(Object.entries(slots).map(([k, v]) => [k, v.source])) }, true);
+    }
+    for (const [slot, { value, source }] of Object.entries(slots)) {
+      const v = value == null ? style.dim("(unset)") : value;
+      console.log("  " + style.bold(slot) + " = " + v + "  " + style.dim(`[${source}]`));
+    }
+  });
+}
+
+// src/commands/reset.ts
+import { homedir as homedir5 } from "os";
+import { join as join6 } from "path";
+import { existsSync as existsSync6, readFileSync as readFileSync5, rmSync as rmSync3 } from "fs";
+var SKILLS_LOCK = ".sechroom-skills.json";
+var localSkillsDir = () => join6(process.cwd(), ".claude", "skills");
+var globalSkillsDir = () => join6(homedir5(), ".claude", "skills");
+function removeMaterialisedSkills(dir) {
+  const removed = [];
+  const lockPath = join6(dir, SKILLS_LOCK);
+  if (!existsSync6(lockPath)) return removed;
+  try {
+    const lock = JSON.parse(readFileSync5(lockPath, "utf8"));
+    for (const entry of Object.values(lock)) {
+      for (const name of entry.skills ?? []) {
+        const p = join6(dir, name);
+        if (existsSync6(p)) {
+          rmSync3(p, { recursive: true, force: true });
+          removed.push(p);
+        }
+      }
+    }
+  } catch {
+  }
+  rmSync3(lockPath, { force: true });
+  removed.push(lockPath);
+  return removed;
+}
+function registerReset(program2) {
+  program2.command("logout").description("Sign out \u2014 remove the cached (global) auth token").action((_opts, cmd) => {
+    const removed = clearToken();
+    if (cmd.optsWithGlobals().json) return emit({ removed: removed ? [removed] : [] }, true);
+    console.log(
+      removed ? style.green("Signed out \u2014 auth token removed.") : style.dim("Already signed out (no token).")
+    );
+  });
+  program2.command("reset").description("Reset LOCAL CLI state for this directory (./.sechroom.json, ./.sem, ./.claude/skills); --global also wipes the machine-wide token + config + ~/.claude/skills").option("--global", "also remove the global auth token, config, and ~/.claude/skills").option("-y, --yes", "don't prompt for confirmation").option("--json", "machine output").action(async (opts, cmd) => {
+    const json = cmd.optsWithGlobals().json;
+    const global = Boolean(opts.global);
+    if (!opts.yes && canPrompt()) {
+      const scope = global ? "this directory's local state AND your global auth token + config + ~/.claude/skills" : "this directory's local state (./.sechroom.json, ./.sem, ./.claude/skills)";
+      if (!await promptYesNo(`Remove ${scope}?`)) {
+        if (!json) console.log(style.dim("Cancelled."));
+        return;
+      }
+    }
+    const removed = [];
+    const localCfg = join6(process.cwd(), ".sechroom.json");
+    if (existsSync6(localCfg)) {
+      rmSync3(localCfg, { force: true });
+      removed.push(localCfg);
+    }
+    const sem = localSemPath();
+    if (existsSync6(sem)) {
+      rmSync3(sem, { force: true });
+      removed.push(sem);
+    }
+    removed.push(...removeMaterialisedSkills(localSkillsDir()));
+    if (global) {
+      const tok = clearToken();
+      if (tok) removed.push(tok);
+      const cfg = clearPersisted();
+      if (cfg) removed.push(cfg);
+      removed.push(...removeMaterialisedSkills(globalSkillsDir()));
+    }
+    if (json) return emit({ global, removed }, true);
+    if (removed.length === 0) {
+      console.log(style.dim(global ? "Nothing to remove \u2014 already clean." : "No local CLI state in this directory."));
+      return;
+    }
+    console.log(style.green(`Reset complete \u2014 removed ${removed.length} item(s):`));
+    removed.forEach((p) => console.log("  " + style.dim("\u2022") + " " + p));
+    if (global) console.log(style.dim("Run 'sechroom onboard' to set up again."));
+  });
+}
+
 // src/index.ts
 function resolveVersion() {
   try {
     const pkg = JSON.parse(
-      readFileSync3(new URL("../package.json", import.meta.url), "utf8")
+      readFileSync6(new URL("../package.json", import.meta.url), "utf8")
     );
     return pkg.version ?? "0.0.0";
   } catch {
@@ -2443,6 +2878,8 @@ registerChat(program);
 registerInit(program);
 registerSetup(program);
 registerOnboard(program);
+registerSkills(program);
+registerReset(program);
 program.parseAsync().catch((err2) => {
   process.stderr.write(`error: ${err2 instanceof Error ? err2.message : String(err2)}
 `);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sechroom/cli",
-  "version": "2026.6.10",
+  "version": "2026.6.12",
   "description": "Sechroom CLI — a thin, generated client over the Sechroom HTTP API. An agent/human surface alongside MCP.",
   "type": "module",
   "license": "UNLICENSED",