npm - @sechroom/cli - Versions diffs - 2026.6.17 → 2026.6.19 - Mend

@sechroom/cli 2026.6.17 → 2026.6.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +863 -396
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 // src/index.ts
-import { readFileSync as readFileSync6 } from "fs";
+import { readFileSync as readFileSync7 } from "fs";
 import { Command } from "commander";
 // src/auth.ts
@@ -11,12 +11,14 @@ import open from "open";
 // src/config.ts
 import { homedir } from "os";
-import { join, dirname } from "path";
+import { join, dirname, basename } from "path";
 import { mkdirSync, readFileSync, writeFileSync, existsSync, rmSync } from "fs";
 var CONFIG_DIR = join(homedir(), ".config", "sechroom");
 var CONFIG_FILE = join(CONFIG_DIR, "config.json");
 var TOKEN_FILE = join(CONFIG_DIR, "token.json");
-var LOCAL_CONFIG_NAME = ".sechroom.json";
+var STATE_DIR_NAME = ".sechroom";
+var LOCAL_CONFIG_NAME = join(STATE_DIR_NAME, "config.json");
+var LEGACY_LOCAL_CONFIG_NAME = ".sechroom.json";
 var DEFAULT_BASE_URL = "https://app.sechroom.ai/api";
 var LOCAL_CONFIG_SCHEMA_VERSION = 2;
 function ensureDir() {
@@ -69,11 +71,18 @@ function findLocalConfigPath(start = process.cwd()) {
   for (; ; ) {
     const candidate = join(dir, LOCAL_CONFIG_NAME);
     if (existsSync(candidate)) return candidate;
+    const legacy = join(dir, LEGACY_LOCAL_CONFIG_NAME);
+    if (existsSync(legacy)) return legacy;
     const parent = dirname(dir);
     if (parent === dir) return void 0;
     dir = parent;
   }
 }
+function localConfigWritePath(resolvedPath) {
+  const baseDir = resolvedPath ? dirname(resolvedPath) : process.cwd();
+  const dir = basename(baseDir) === STATE_DIR_NAME ? dirname(baseDir) : baseDir;
+  return join(dir, LOCAL_CONFIG_NAME);
+}
 function readLocalConfig() {
   const path = findLocalConfigPath();
   if (!path) return {};
@@ -92,12 +101,16 @@ function readLocalConfig() {
   }
 }
 function writeLocalConfig(patch) {
-  const path = findLocalConfigPath() ?? join(process.cwd(), LOCAL_CONFIG_NAME);
+  const readPath = findLocalConfigPath();
   let current = {};
-  try {
-    current = JSON.parse(readFileSync(path, "utf8"));
-  } catch {
+  if (readPath) {
+    try {
+      current = JSON.parse(readFileSync(readPath, "utf8"));
+    } catch {
+    }
   }
+  const path = localConfigWritePath(readPath);
+  mkdirSync(dirname(path), { recursive: true, mode: 448 });
   const next = { ...current, ...patch, schemaVersion: LOCAL_CONFIG_SCHEMA_VERSION };
   writeFileSync(path, JSON.stringify(next, null, 2), { mode: 384 });
   return path;
@@ -1558,96 +1571,678 @@ Examples:
   });
 }
-// src/commands/account.ts
-function registerId(program2) {
-  const id = program2.command("id").description("Allocate human-authored id sequences (FR-*, D-*)");
-  id.addHelpText(
-    "after",
-    `
-Examples:
-  $ sechroom id next FR sechroom            allocate the next FR-sechroom-NNN id
-  $ sechroom id next D Backend              allocate the next D-Backend-NNN id
-  $ sechroom id peek FR sechroom            inspect the sequence without consuming
-  $ sechroom id peek FR sechroom --json`
-  );
-  id.command("next <namespaceKind> <scope>").description("Allocate the next id in a sequence (POST /id-registry/allocate)").action(async (namespaceKind, scope, _opts, cmd) => {
-    const cfg = resolveConfig(cmd.optsWithGlobals());
-    const data = await runApi("Allocating id", async () => {
-      const client = await makeClient(cfg);
-      return client.POST("/id-registry/allocate", {
-        body: { namespaceKind, scope, clientNonce: null }
-      });
-    });
-    emitAction(`allocated ${style.bold(data.id)} ${style.dim(`(seq ${data.seq})`)}`, data, cmd.optsWithGlobals().json);
-  });
-  id.command("peek <namespaceKind> <scope>").description("Inspect a sequence without consuming (GET /id-registry/state)").action(async (namespaceKind, scope, _opts, cmd) => {
-    const cfg = resolveConfig(cmd.optsWithGlobals());
-    const data = await runApi("Peeking id sequence", async () => {
-      const client = await makeClient(cfg);
-      return client.GET("/id-registry/state", {
-        params: { query: { namespaceKind, scope } }
-      });
-    });
-    emit(data, cmd.optsWithGlobals().json);
+// src/commands/hook.ts
+import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
+import { homedir as homedir3 } from "os";
+import { dirname as dirname4, join as join4 } from "path";
+// src/sem.ts
+import { basename as basename2, dirname as dirname2, join as join2 } from "path";
+import { appendFileSync, existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
+var SEM_FILE = join2(".sechroom", "lane.json");
+var LEGACY_SEM_FILE = ".sem";
+var STATE_DIR_NAME2 = ".sechroom";
+function localSemPath(cwd = process.cwd()) {
+  return join2(cwd, SEM_FILE);
+}
+function resolveSemPathForRead(start = process.cwd()) {
+  let dir = start;
+  while (true) {
+    const candidate = join2(dir, SEM_FILE);
+    if (existsSync2(candidate)) return candidate;
+    const legacy = join2(dir, LEGACY_SEM_FILE);
+    if (existsSync2(legacy)) return legacy;
+    const parent = dirname2(dir);
+    if (parent === dir) return void 0;
+    dir = parent;
+  }
+}
+function parseSem(text) {
+  const out = {};
+  for (const raw of text.split("\n")) {
+    const line = raw.trim();
+    if (!line || line.startsWith("#")) continue;
+    const eq = line.indexOf("=");
+    if (eq === -1) continue;
+    const key = line.slice(0, eq).trim();
+    const value = line.slice(eq + 1).trim();
+    if (key) out[key] = value;
+  }
+  return out;
+}
+function serializeSem(values) {
+  return JSON.stringify(values, null, 2) + "\n";
+}
+function readSem(path) {
+  const p = path ?? resolveSemPathForRead();
+  if (!p || !existsSync2(p)) return void 0;
+  const text = readFileSync2(p, "utf8");
+  const values = basename2(p) === LEGACY_SEM_FILE ? parseSem(text) : parseLaneJson(text);
+  return { path: p, values };
+}
+function readLocalSemValues(cwd = process.cwd()) {
+  const next = join2(cwd, SEM_FILE);
+  if (existsSync2(next)) return readSem(next)?.values ?? {};
+  const legacy = join2(cwd, LEGACY_SEM_FILE);
+  if (existsSync2(legacy)) return readSem(legacy)?.values ?? {};
+  return {};
+}
+function parseLaneJson(text) {
+  try {
+    const parsed = JSON.parse(text);
+    const out = {};
+    for (const [k, v] of Object.entries(parsed)) {
+      if (typeof v === "string") out[k] = v;
+    }
+    return out;
+  } catch {
+    return {};
+  }
+}
+var STATE_DIR_IGNORE = `${STATE_DIR_NAME2}/`;
+function writeSem(values, path = localSemPath()) {
+  mkdirSync2(dirname2(path), { recursive: true });
+  writeFileSync2(path, serializeSem(values));
+  ensureSemIgnored(path);
+  return path;
+}
+function ignoresSem(content) {
+  return content.split("\n").some((line) => {
+    const t = line.trim();
+    return t === STATE_DIR_NAME2 || t === STATE_DIR_IGNORE || t === `/${STATE_DIR_NAME2}` || t === `/${STATE_DIR_IGNORE}` || t === `**/${STATE_DIR_NAME2}` || t === `**/${STATE_DIR_IGNORE}`;
   });
 }
-function registerAccount(program2) {
-  const account = program2.command("account").description("Your profile, feeds, and review queue");
-  account.addHelpText(
-    "after",
-    `
-Examples:
-  $ sechroom account profile
-  $ sechroom account set-profile --display-name "Chris" --timezone "Europe/London"
-  $ sechroom account feed --limit 20
-  $ sechroom account reviews --status Pending
-  $ sechroom account lookup-batch mem_XXXX wsp_YYYY --json`
+function resolveGitignoreTarget(startDir) {
+  let dir = startDir;
+  for (; ; ) {
+    const gi = join2(dir, ".gitignore");
+    if (existsSync2(gi)) return { path: gi, exists: true };
+    const parent = dirname2(dir);
+    if (existsSync2(join2(dir, ".git")) || parent === dir) {
+      return { path: join2(startDir, ".gitignore"), exists: false };
+    }
+    dir = parent;
+  }
+}
+function ensureSemIgnored(semPath) {
+  try {
+    const checkoutDir = dirname2(dirname2(semPath));
+    const target = resolveGitignoreTarget(checkoutDir);
+    if (target.exists) {
+      const content = readFileSync2(target.path, "utf8");
+      if (ignoresSem(content)) return;
+      const sep = content.length === 0 || content.endsWith("\n") ? "" : "\n";
+      appendFileSync(target.path, `${sep}${STATE_DIR_IGNORE}
+`);
+    } else {
+      writeFileSync2(target.path, `${STATE_DIR_IGNORE}
+`);
+    }
+  } catch {
+  }
+}
+// src/setup/clients.ts
+import { existsSync as existsSync3 } from "fs";
+import { homedir as homedir2 } from "os";
+import { dirname as dirname3, join as join3 } from "path";
+// src/setup/operator-surface.ts
+var SectionType = {
+  McpConfig: "mcp-config",
+  McpConfigToml: "mcp-config-toml",
+  InstructionFile: "instruction-file",
+  ProjectConfig: "project-config",
+  Verify: "verify",
+  /** SBC-999 — workspace-pinned conventions, emitted only when the request
+   *  carried a workspaceId and that workspace has agent-setup-bundle memories. */
+  WorkspaceConventions: "workspace-conventions"
+};
+async function fetchSetup(cfg) {
+  const client = await makeClient(cfg);
+  const { data, error } = await client.GET(
+    "/operator-surface/setup",
+    cfg.workspaceId ? { params: { query: { workspaceId: cfg.workspaceId } } } : {}
   );
-  account.command("profile").description("Show your resolved profile (GET /me/profile)").action(async (_opts, cmd) => {
-    const cfg = resolveConfig(cmd.optsWithGlobals());
-    const data = await runApi("Fetching profile", async () => {
-      const client = await makeClient(cfg);
-      return client.GET("/me/profile");
+  if (error) throw new Error(`GET /operator-surface/setup failed: ${JSON.stringify(error)}`);
+  return data;
+}
+function findSurface(setup, surfaceKey) {
+  return setup.surfaces.find((s) => s.surfaceKey === surfaceKey);
+}
+function findSection(surface, sectionType) {
+  return surface?.sections.find((s) => s.sectionType === sectionType);
+}
+function sectionSnippet(section) {
+  if (!section) return null;
+  for (const step of section.steps) {
+    if (step.copyValue) return step.copyValue;
+    if (step.codeSnippet) return step.codeSnippet;
+  }
+  return null;
+}
+function parseTagArtifactId(id) {
+  if (!id.startsWith("tag:")) return null;
+  const tags = id.slice("tag:".length).split(",").map((t) => t.trim()).filter((t) => t.length > 0);
+  return tags.length > 0 ? tags : null;
+}
+async function getPersonalWorkspaceId(cfg) {
+  const client = await makeClient(cfg);
+  const { data } = await client.GET("/me/personal-workspace", {});
+  return data?.workspaceId ?? null;
+}
+async function fetchMemoryFields(cfg, id) {
+  const client = await makeClient(cfg);
+  const { data } = await client.GET("/memories/{memoryId}", { params: { path: { memoryId: id } } });
+  const env = data;
+  const m = env?.item ?? env;
+  if (!m) return null;
+  const version = typeof m.currentVersion === "string" ? Number(m.currentVersion) : m.currentVersion;
+  return { text: m.text, title: m.title, tags: m.tags, version: Number.isFinite(version) ? version : void 0 };
+}
+async function resolveInstruction(cfg, section, personalWorkspaceId) {
+  const client = await makeClient(cfg);
+  for (const artifact of section.artifacts) {
+    const tags = parseTagArtifactId(artifact.id);
+    if (!tags) continue;
+    const { data } = await client.POST("/memories/search", {
+      body: { query: null, textQuery: null, semanticQuery: null, hybrid: false, limit: 1, includeArchived: false, includeSystem: false, tags }
     });
-    emit(data, cmd.optsWithGlobals().json);
-  });
-  account.command("set-profile").description("Update your profile (PUT /me/profile)").option("--display-name <displayName>", "Display name").option("--timezone <timezone>", "IANA timezone (e.g. Europe/London)").option("--bio <bio>", "Short bio").option("--photo-url <photoUrl>", "Avatar / photo URL").action(async (opts, cmd) => {
-    const cfg = resolveConfig(cmd.optsWithGlobals());
-    const data = await runApi("Updating profile", async () => {
-      const client = await makeClient(cfg);
-      return client.PUT("/me/profile", {
-        body: {
-          displayName: opts.displayName ?? null,
-          timezone: opts.timezone ?? null,
-          bio: opts.bio ?? null,
-          photoUrl: opts.photoUrl ?? null
-        }
+    const hits = data ?? [];
+    if (hits.length === 0) continue;
+    const templateId = hits[0].id;
+    const template = await fetchMemoryFields(cfg, templateId);
+    if (typeof template?.text !== "string" || template.text.length === 0) continue;
+    const templateTags = template.tags ?? tags;
+    if (personalWorkspaceId) {
+      const { data: ovr } = await client.POST("/memories/search", {
+        body: { query: null, textQuery: null, semanticQuery: null, hybrid: false, limit: 1, includeArchived: false, includeSystem: false, tags: ["sechroom:role:override", `sechroom:template-ref:${templateId}`], owner: { type: "Workspace", id: personalWorkspaceId } }
       });
-    });
-    emitAction("updated profile", data, cmd.optsWithGlobals().json);
-  });
-  account.command("feed").description("Your recent memory feed (GET /me/memories/feed)").option("--limit <n>", "Max results", "20").option("--cursor <cursor>", "Opaque paging cursor").option("--query <query>", "Free-text filter").option("--filter-tags <tags>", "Comma-separated tag filter").option("--include-archived", "Include archived memories", false).option("--include-text", "Include memory body text", false).action(async (opts, cmd) => {
-    const cfg = resolveConfig(cmd.optsWithGlobals());
-    const data = await runApi("Fetching feed", async () => {
-      const client = await makeClient(cfg);
-      return client.GET("/me/memories/feed", {
-        params: {
-          query: {
-            limit: Number(opts.limit),
-            includeArchived: Boolean(opts.includeArchived),
-            includeText: Boolean(opts.includeText),
-            ...opts.cursor ? { cursor: opts.cursor } : {},
-            ...opts.query ? { query: opts.query } : {},
-            ...opts.filterTags ? { filterTags: opts.filterTags } : {}
-          }
+      const ovrHits = ovr ?? [];
+      if (ovrHits.length > 0) {
+        const override = await fetchMemoryFields(cfg, ovrHits[0].id);
+        if (typeof override?.text === "string" && override.text.length > 0) {
+          return { title: override.title ?? template.title ?? artifact.title, body: override.text, source: "override", templateId, templateTags, sourceRef: `${ovrHits[0].id}@v${override.version ?? 1}` };
         }
-      });
-    });
-    emit(data, cmd.optsWithGlobals().json);
+      }
+    }
+    return { title: template.title ?? artifact.title, body: template.text, source: "template", templateId, templateTags, sourceRef: `${templateId}@v${template.version ?? 1}` };
+  }
+  return null;
+}
+async function resolveWorkspaceConventions(cfg, section) {
+  const parts = [];
+  const refs = [];
+  for (const artifact of section.artifacts) {
+    if (parseTagArtifactId(artifact.id)) continue;
+    const mem = await fetchMemoryFields(cfg, artifact.id);
+    if (typeof mem?.text === "string" && mem.text.trim().length > 0) {
+      parts.push(mem.text.trim());
+      refs.push(`${artifact.id}@v${mem.version ?? 1}`);
+    }
+  }
+  if (parts.length === 0) return null;
+  return { body: parts.join("\n\n---\n\n"), refs };
+}
+async function createOverride(cfg, template, personalWorkspaceId) {
+  const client = await makeClient(cfg);
+  const overrideTags = template.templateTags.filter(
+    (t) => t !== "sechroom:role:template" && !t.startsWith("sechroom:bundle:") && !t.startsWith("sechroom:template-ref:")
+  );
+  overrideTags.push("sechroom:role:override", `sechroom:template-ref:${template.templateId}`);
+  const { error } = await client.POST("/memories", {
+    body: {
+      text: template.body,
+      type: "reference",
+      content: "{}",
+      confidence: 1,
+      source: "cli-agent-instructions-customize",
+      archetype: "Document",
+      title: template.title ?? null,
+      tags: overrideTags,
+      owner: { type: "Workspace", id: personalWorkspaceId }
+    }
   });
-  account.command("reviews").description("Your review queue (GET /reviews)").option("--status <status>", "Pending | Resolved | Empty").option("--scope-kind <scopeKind>", "Memory | Project | Workspace").option("--scope-target-id <id>", "Scope target id").option("--limit <n>", "Max results", "20").action(async (opts, cmd) => {
-    const cfg = resolveConfig(cmd.optsWithGlobals());
-    const data = await runApi("Fetching reviews", async () => {
+  if (error) throw new Error(`creating personal copy failed: ${JSON.stringify(error)}`);
+}
+// src/setup/clients.ts
+function claudeDesktopConfigPath(home) {
+  switch (process.platform) {
+    case "darwin":
+      return join3(home, "Library", "Application Support", "Claude", "claude_desktop_config.json");
+    case "win32":
+      return join3(process.env.APPDATA ?? join3(home, "AppData", "Roaming"), "Claude", "claude_desktop_config.json");
+    default:
+      return join3(home, ".config", "Claude", "claude_desktop_config.json");
+  }
+}
+function clientTargets(cwd) {
+  const home = homedir2();
+  return {
+    "claude-code": {
+      key: "claude-code",
+      label: "Claude Code",
+      mcp: { surfaceKey: "claude-code", sectionType: SectionType.McpConfig, path: join3(cwd, ".mcp.json"), format: "json" },
+      instruction: { surfaceKey: "claude-code", path: join3(cwd, "CLAUDE.md") }
+    },
+    "claude-desktop": {
+      key: "claude-desktop",
+      label: "Claude Desktop",
+      mcp: { surfaceKey: "claude-desktop", sectionType: SectionType.McpConfig, path: claudeDesktopConfigPath(home), format: "json" },
+      instruction: { surfaceKey: "claude-desktop", path: join3(home, ".claude", "CLAUDE.md") }
+    },
+    codex: {
+      key: "codex",
+      label: "Codex CLI",
+      mcp: { surfaceKey: "chatgpt", sectionType: SectionType.McpConfigToml, path: join3(home, ".codex", "config.toml"), format: "toml" },
+      instruction: { surfaceKey: "chatgpt", path: join3(cwd, "AGENTS.md") }
+    },
+    cursor: {
+      key: "cursor",
+      label: "Cursor",
+      mcp: { surfaceKey: "claude-code", sectionType: SectionType.McpConfig, path: join3(cwd, ".cursor", "mcp.json"), format: "json" },
+      instruction: { surfaceKey: "chatgpt", path: join3(cwd, "AGENTS.md") }
+    }
+  };
+}
+var ALL_CLIENT_KEYS = ["claude-code", "claude-desktop", "codex", "cursor"];
+var DEFAULT_CLIENT_KEY = "claude-code";
+function detectInstalledClients(cwd) {
+  const home = homedir2();
+  const detected = [];
+  if (existsSync3(join3(home, ".claude"))) detected.push("claude-code");
+  if (existsSync3(dirname3(claudeDesktopConfigPath(home)))) detected.push("claude-desktop");
+  if (existsSync3(join3(home, ".codex"))) detected.push("codex");
+  if (existsSync3(join3(home, ".cursor")) || existsSync3(join3(cwd, ".cursor"))) detected.push("cursor");
+  return detected;
+}
+// src/commands/hook.ts
+async function readStdin() {
+  if (process.stdin.isTTY) return "";
+  const chunks = [];
+  for await (const chunk of process.stdin) chunks.push(chunk);
+  return Buffer.concat(chunks).toString("utf8");
+}
+function parseHookInput(raw) {
+  if (!raw.trim()) return {};
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return {};
+  }
+}
+function resolveLane(flagLane, cwd) {
+  if (flagLane) return flagLane;
+  const env = process.env.SECHROOM_LANE;
+  if (env) return env;
+  const start = cwd ?? process.cwd();
+  const sem = readSem(resolveSemPathForRead(start));
+  return sem?.values["code-lane"];
+}
+var INTENT_FILE = join4(".sechroom", "continuity.json");
+function resolveIntentPath(start) {
+  let dir = start;
+  for (; ; ) {
+    const candidate = join4(dir, INTENT_FILE);
+    if (existsSync4(candidate)) return candidate;
+    const parent = dirname4(dir);
+    if (parent === dir) return void 0;
+    dir = parent;
+  }
+}
+function readIntent(start) {
+  const path = resolveIntentPath(start);
+  if (!path) return void 0;
+  try {
+    return JSON.parse(readFileSync3(path, "utf8"));
+  } catch {
+    return void 0;
+  }
+}
+function hasRequiredIntent(i) {
+  return Boolean(
+    i.objective?.trim() && i.state?.trim() && i.lastAction?.trim() && i.nextAction?.trim() && i.resumeInstruction?.trim()
+  );
+}
+function formatContext(bundle, lane) {
+  const s = bundle?.latestSnapshot;
+  if (!s) return null;
+  const lines = [];
+  lines.push(`[sechroom continuity \u2014 resumed lane ${lane}]`);
+  if (s.currentObjective) lines.push(`Objective: ${s.currentObjective}`);
+  if (s.currentState) lines.push(`State: ${s.currentState}`);
+  if (s.lastMeaningfulAction) lines.push(`Last action: ${s.lastMeaningfulAction}`);
+  if (s.nextIntendedAction) lines.push(`Next: ${s.nextIntendedAction}`);
+  if (s.resumeInstruction) lines.push(`Resume: ${s.resumeInstruction}`);
+  const constraints = s.activeConstraints ?? [];
+  if (constraints.length) {
+    lines.push("Active constraints:");
+    for (const c of constraints) lines.push(`  - ${c}`);
+  }
+  const questions = s.openQuestions ?? [];
+  if (questions.length) {
+    lines.push("Open questions:");
+    for (const q of questions) lines.push(`  - ${q}`);
+  }
+  const artifacts = s.relevantArtifactIds ?? [];
+  if (artifacts.length) lines.push(`Relevant artifacts: ${artifacts.join(", ")}`);
+  const marker = [s.id, s.createdAt].filter(Boolean).join(" @ ");
+  if (marker) lines.push(`(snapshot ${marker})`);
+  return lines.join("\n");
+}
+function emitSessionStart(additionalContext) {
+  process.stdout.write(
+    JSON.stringify({
+      hookSpecificOutput: {
+        hookEventName: "SessionStart",
+        additionalContext
+      }
+    }) + "\n"
+  );
+}
+var HOOK_COMMANDS = {
+  SessionStart: "sechroom hook session-start",
+  PreCompact: "sechroom hook pre-compact"
+};
+var HOOK_EVENTS = ["SessionStart", "PreCompact"];
+function hasHookCommand(config2, event, command) {
+  const groups = config2.hooks?.[event] ?? [];
+  return groups.some((g) => (g.hooks ?? []).some((h) => h.type === "command" && h.command === command));
+}
+function mergeHooks(config2) {
+  config2.hooks ??= {};
+  let added = 0;
+  for (const event of HOOK_EVENTS) {
+    const command = HOOK_COMMANDS[event];
+    if (hasHookCommand(config2, event, command)) continue;
+    const groups = config2.hooks[event] ??= [];
+    groups.push({ hooks: [{ type: "command", command }] });
+    added += 1;
+  }
+  return added;
+}
+function readJsonConfig(path) {
+  if (!existsSync4(path)) return {};
+  const raw = readFileSync3(path, "utf8");
+  if (!raw.trim()) return {};
+  return JSON.parse(raw);
+}
+function installHooksJson(path, dryRun) {
+  const existed = existsSync4(path) && readFileSync3(path, "utf8").trim().length > 0;
+  const config2 = readJsonConfig(path);
+  const added = mergeHooks(config2);
+  if (added === 0 && existed) return { path, status: "current" };
+  if (!dryRun) {
+    mkdirSync3(dirname4(path), { recursive: true });
+    writeFileSync3(path, JSON.stringify(config2, null, 2) + "\n");
+  }
+  return { path, status: existed ? "merged" : "created" };
+}
+function ensureCodexFeaturesHooks(content) {
+  const lines = content.split("\n");
+  const headerIdx = lines.findIndex((l) => l.trim() === "[features]");
+  if (headerIdx === -1) {
+    const base = content.length === 0 || content.endsWith("\n") ? content : content + "\n";
+    return { next: base + "\n[features]\nhooks = true\n", changed: true };
+  }
+  for (let i = headerIdx + 1; i < lines.length; i += 1) {
+    const trimmed = lines[i].trim();
+    if (trimmed.startsWith("[") && trimmed.endsWith("]")) break;
+    const m = lines[i].match(/^(\s*)hooks(\s*)=(\s*)(.*)$/);
+    if (!m) continue;
+    const value = m[4].replace(/\s*#.*$/, "").trim();
+    if (value === "true") return { next: content, changed: false };
+    lines[i] = `${m[1]}hooks${m[2]}=${m[3]}true`;
+    return { next: lines.join("\n"), changed: true };
+  }
+  lines.splice(headerIdx + 1, 0, "hooks = true");
+  return { next: lines.join("\n"), changed: true };
+}
+function installCodexFeatureFlag(path, dryRun) {
+  const existed = existsSync4(path);
+  const content = existed ? readFileSync3(path, "utf8") : "";
+  const { next, changed } = ensureCodexFeaturesHooks(content);
+  if (!changed) return { path, status: "current" };
+  if (!dryRun) {
+    mkdirSync3(dirname4(path), { recursive: true });
+    writeFileSync3(path, next);
+  }
+  return { path, status: existed ? "merged" : "created" };
+}
+function resolveSurfaces(surface, cwd) {
+  if (surface === "claude") return ["claude"];
+  if (surface === "codex") return ["codex"];
+  if (surface === "both") return ["claude", "codex"];
+  if (surface) throw new Error(`--surface must be one of claude | codex | both (got '${surface}')`);
+  const detected = detectInstalledClients(cwd);
+  const surfaces = [];
+  if (detected.includes("claude-code")) surfaces.push("claude");
+  if (detected.includes("codex")) surfaces.push("codex");
+  return surfaces.length > 0 ? surfaces : ["claude", "codex"];
+}
+function describe(result, dryRun) {
+  if (result.status === "current") return `  \u2713 ${result.path} (already configured)`;
+  const verb = dryRun ? "would" : result.status === "created" ? "created" : "updated";
+  return `  \u2713 ${result.path} (${dryRun ? `${verb} ${result.status === "created" ? "create" : "update"}` : verb})`;
+}
+function registerHook(program2) {
+  const hook = program2.command("hook").description("Agent-lifecycle hook adapter (Claude Code / Codex) \u2014 bridges hooks to continuity");
+  hook.addHelpText(
+    "after",
+    `
+Examples:
+  # SessionStart (load): inject the lane's latest snapshot as context.
+  $ echo '{"hook_event_name":"SessionStart","cwd":"'"$PWD"'"}' | sechroom hook session-start
+  # PreCompact (save): snapshot from ./${INTENT_FILE} before the agent compacts.
+  $ echo '{"hook_event_name":"PreCompact","cwd":"'"$PWD"'"}' | sechroom hook pre-compact
+  # Wire both hooks into the installed surface(s)' config (no hand-editing):
+  $ sechroom hook install                       auto-detect Claude Code / Codex
+  $ sechroom hook install --surface codex        Codex only
+  $ sechroom hook install --local --dry-run      preview the project .claude/settings.json
+Lane source (high -> low): --lane  >  SECHROOM_LANE  >  ./.sem code-lane (D-binding-5).
+Fail-soft: no lane / no auth / no-or-partial intent file / API error -> exit 0, never blocks.`
+  );
+  hook.command("session-start").description("Resume the checkout's lane and emit continuity context for a SessionStart hook").option("--lane <laneId>", "Override the resolved lane (else SECHROOM_LANE, else ./.sem code-lane)").option("--surface <surface>", "Target surface: claude | codex (output is identical for session-start)", "claude").option("--max-artifacts <n>", "Cap artifacts in the resume bundle").action(async (opts, cmd) => {
+    try {
+      const raw = await readStdin();
+      const input = parseHookInput(raw);
+      const lane = resolveLane(opts.lane, input.cwd);
+      if (!lane) return process.exit(0);
+      const cfg = resolveConfig(cmd.optsWithGlobals());
+      const client = await makeClient(cfg);
+      const { data } = await client.POST("/continuity/resume/lane", {
+        body: {
+          laneId: lane,
+          workspaceId: null,
+          maxArtifacts: opts.maxArtifacts != null ? Number(opts.maxArtifacts) : null,
+          includeLookingAtMyself: null,
+          changedSince: null
+        }
+      });
+      const context = formatContext(data, lane);
+      if (context) emitSessionStart(context);
+      return process.exit(0);
+    } catch {
+      return process.exit(0);
+    }
+  });
+  hook.command("pre-compact").description("Save a continuity snapshot from the agent-maintained intent file on a PreCompact hook").option("--lane <laneId>", "Override the resolved lane (else SECHROOM_LANE, else ./.sem code-lane)").option("--scope <scope>", "Snapshot scope (else the intent file's `scope`, else 'compaction')").option("--surface <surface>", "Target surface: claude | codex (lifecycle-only on both)", "claude").action(async (opts, cmd) => {
+    try {
+      const raw = await readStdin();
+      const input = parseHookInput(raw);
+      const cwd = input.cwd ?? process.cwd();
+      const lane = resolveLane(opts.lane, input.cwd);
+      if (!lane) return process.exit(0);
+      const intent = readIntent(cwd);
+      if (!intent || !hasRequiredIntent(intent)) return process.exit(0);
+      const cfg = resolveConfig(cmd.optsWithGlobals());
+      const client = await makeClient(cfg);
+      await client.POST("/continuity/snapshots", {
+        body: {
+          laneId: lane,
+          scope: opts.scope ?? intent.scope ?? "compaction",
+          currentObjective: intent.objective,
+          currentState: intent.state,
+          lastMeaningfulAction: intent.lastAction,
+          nextIntendedAction: intent.nextAction,
+          resumeInstruction: intent.resumeInstruction,
+          activeConstraints: intent.constraints ?? null,
+          openQuestions: intent.questions ?? null,
+          surfaceMarkers: intent.surfaceMarkers ?? null,
+          relevantArtifactIds: intent.artifacts ?? null,
+          confidence: intent.confidence ?? null,
+          // Compaction is infrequent, so the FR-051 clobber guard doesn't bite;
+          // Acknowledge lets a within-window checkpoint land on the lane.
+          concurrentSessionPolicy: "Acknowledge"
+        }
+      });
+      return process.exit(0);
+    } catch {
+      return process.exit(0);
+    }
+  });
+  hook.command("install").description("Wire the session-start + pre-compact hooks into Claude Code and/or Codex config").option("--surface <surface>", "Target surface: claude | codex | both (default: auto-detect installed surfaces)").option("--local", "Claude Code only: write <cwd>/.claude/settings.json instead of ~/.claude/settings.json").option("--dry-run", "Print what would change; write nothing").action((opts) => {
+    const dryRun = Boolean(opts.dryRun);
+    const cwd = process.cwd();
+    let surfaces;
+    try {
+      surfaces = resolveSurfaces(opts.surface, cwd);
+    } catch (err2) {
+      process.stderr.write(`${err2.message}
+`);
+      return process.exit(2);
+    }
+    const home = homedir3();
+    const results = [];
+    try {
+      for (const surface of surfaces) {
+        if (surface === "claude") {
+          const path = opts.local ? join4(cwd, ".claude", "settings.json") : join4(home, ".claude", "settings.json");
+          process.stdout.write(`Claude Code:
+`);
+          const r = installHooksJson(path, dryRun);
+          results.push(r);
+          process.stdout.write(describe(r, dryRun) + "\n");
+        } else {
+          process.stdout.write(`Codex:
+`);
+          const hooksJson = installHooksJson(join4(home, ".codex", "hooks.json"), dryRun);
+          results.push(hooksJson);
+          process.stdout.write(describe(hooksJson, dryRun) + "\n");
+          const featureFlag = installCodexFeatureFlag(join4(home, ".codex", "config.toml"), dryRun);
+          results.push(featureFlag);
+          process.stdout.write(describe(featureFlag, dryRun) + "\n");
+        }
+      }
+    } catch (err2) {
+      process.stderr.write(`hook install failed: ${err2.message}
+`);
+      return process.exit(1);
+    }
+    if (dryRun) {
+      process.stdout.write("\n(dry run \u2014 no files were written.)\n");
+    } else if (results.every((r) => r.status === "current")) {
+      process.stdout.write("\nAlready up to date \u2014 nothing to change.\n");
+    } else {
+      process.stdout.write("\nRestart (or reload) your agent for the hooks to take effect.\n");
+    }
+    return process.exit(0);
+  });
+}
+// src/commands/account.ts
+function registerId(program2) {
+  const id = program2.command("id").description("Allocate human-authored id sequences (FR-*, D-*)");
+  id.addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom id next FR sechroom            allocate the next FR-sechroom-NNN id
+  $ sechroom id next D Backend              allocate the next D-Backend-NNN id
+  $ sechroom id peek FR sechroom            inspect the sequence without consuming
+  $ sechroom id peek FR sechroom --json`
+  );
+  id.command("next <namespaceKind> <scope>").description("Allocate the next id in a sequence (POST /id-registry/allocate)").action(async (namespaceKind, scope, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Allocating id", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/id-registry/allocate", {
+        body: { namespaceKind, scope, clientNonce: null }
+      });
+    });
+    emitAction(`allocated ${style.bold(data.id)} ${style.dim(`(seq ${data.seq})`)}`, data, cmd.optsWithGlobals().json);
+  });
+  id.command("peek <namespaceKind> <scope>").description("Inspect a sequence without consuming (GET /id-registry/state)").action(async (namespaceKind, scope, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Peeking id sequence", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/id-registry/state", {
+        params: { query: { namespaceKind, scope } }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+}
+function registerAccount(program2) {
+  const account = program2.command("account").description("Your profile, feeds, and review queue");
+  account.addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom account profile
+  $ sechroom account set-profile --display-name "Chris" --timezone "Europe/London"
+  $ sechroom account feed --limit 20
+  $ sechroom account reviews --status Pending
+  $ sechroom account lookup-batch mem_XXXX wsp_YYYY --json`
+  );
+  account.command("profile").description("Show your resolved profile (GET /me/profile)").action(async (_opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching profile", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/me/profile");
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  account.command("set-profile").description("Update your profile (PUT /me/profile)").option("--display-name <displayName>", "Display name").option("--timezone <timezone>", "IANA timezone (e.g. Europe/London)").option("--bio <bio>", "Short bio").option("--photo-url <photoUrl>", "Avatar / photo URL").action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Updating profile", async () => {
+      const client = await makeClient(cfg);
+      return client.PUT("/me/profile", {
+        body: {
+          displayName: opts.displayName ?? null,
+          timezone: opts.timezone ?? null,
+          bio: opts.bio ?? null,
+          photoUrl: opts.photoUrl ?? null
+        }
+      });
+    });
+    emitAction("updated profile", data, cmd.optsWithGlobals().json);
+  });
+  account.command("feed").description("Your recent memory feed (GET /me/memories/feed)").option("--limit <n>", "Max results", "20").option("--cursor <cursor>", "Opaque paging cursor").option("--query <query>", "Free-text filter").option("--filter-tags <tags>", "Comma-separated tag filter").option("--include-archived", "Include archived memories", false).option("--include-text", "Include memory body text", false).action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching feed", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/me/memories/feed", {
+        params: {
+          query: {
+            limit: Number(opts.limit),
+            includeArchived: Boolean(opts.includeArchived),
+            includeText: Boolean(opts.includeText),
+            ...opts.cursor ? { cursor: opts.cursor } : {},
+            ...opts.query ? { query: opts.query } : {},
+            ...opts.filterTags ? { filterTags: opts.filterTags } : {}
+          }
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  account.command("reviews").description("Your review queue (GET /reviews)").option("--status <status>", "Pending | Resolved | Empty").option("--scope-kind <scopeKind>", "Memory | Project | Workspace").option("--scope-target-id <id>", "Scope target id").option("--limit <n>", "Max results", "20").action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching reviews", async () => {
       const client = await makeClient(cfg);
       return client.GET("/reviews", {
         params: {
@@ -1775,129 +2370,8 @@ Examples:
 // src/setup/apply.ts
 import { createHash as createHash2 } from "crypto";
-import { mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2, existsSync as existsSync2 } from "fs";
-import { dirname as dirname2 } from "path";
-// src/setup/operator-surface.ts
-var SectionType = {
-  McpConfig: "mcp-config",
-  McpConfigToml: "mcp-config-toml",
-  InstructionFile: "instruction-file",
-  ProjectConfig: "project-config",
-  Verify: "verify",
-  /** SBC-999 — workspace-pinned conventions, emitted only when the request
-   *  carried a workspaceId and that workspace has agent-setup-bundle memories. */
-  WorkspaceConventions: "workspace-conventions"
-};
-async function fetchSetup(cfg) {
-  const client = await makeClient(cfg);
-  const { data, error } = await client.GET(
-    "/operator-surface/setup",
-    cfg.workspaceId ? { params: { query: { workspaceId: cfg.workspaceId } } } : {}
-  );
-  if (error) throw new Error(`GET /operator-surface/setup failed: ${JSON.stringify(error)}`);
-  return data;
-}
-function findSurface(setup, surfaceKey) {
-  return setup.surfaces.find((s) => s.surfaceKey === surfaceKey);
-}
-function findSection(surface, sectionType) {
-  return surface?.sections.find((s) => s.sectionType === sectionType);
-}
-function sectionSnippet(section) {
-  if (!section) return null;
-  for (const step of section.steps) {
-    if (step.copyValue) return step.copyValue;
-    if (step.codeSnippet) return step.codeSnippet;
-  }
-  return null;
-}
-function parseTagArtifactId(id) {
-  if (!id.startsWith("tag:")) return null;
-  const tags = id.slice("tag:".length).split(",").map((t) => t.trim()).filter((t) => t.length > 0);
-  return tags.length > 0 ? tags : null;
-}
-async function getPersonalWorkspaceId(cfg) {
-  const client = await makeClient(cfg);
-  const { data } = await client.GET("/me/personal-workspace", {});
-  return data?.workspaceId ?? null;
-}
-async function fetchMemoryFields(cfg, id) {
-  const client = await makeClient(cfg);
-  const { data } = await client.GET("/memories/{memoryId}", { params: { path: { memoryId: id } } });
-  const env = data;
-  const m = env?.item ?? env;
-  if (!m) return null;
-  const version = typeof m.currentVersion === "string" ? Number(m.currentVersion) : m.currentVersion;
-  return { text: m.text, title: m.title, tags: m.tags, version: Number.isFinite(version) ? version : void 0 };
-}
-async function resolveInstruction(cfg, section, personalWorkspaceId) {
-  const client = await makeClient(cfg);
-  for (const artifact of section.artifacts) {
-    const tags = parseTagArtifactId(artifact.id);
-    if (!tags) continue;
-    const { data } = await client.POST("/memories/search", {
-      body: { query: null, textQuery: null, semanticQuery: null, hybrid: false, limit: 1, includeArchived: false, includeSystem: false, tags }
-    });
-    const hits = data ?? [];
-    if (hits.length === 0) continue;
-    const templateId = hits[0].id;
-    const template = await fetchMemoryFields(cfg, templateId);
-    if (typeof template?.text !== "string" || template.text.length === 0) continue;
-    const templateTags = template.tags ?? tags;
-    if (personalWorkspaceId) {
-      const { data: ovr } = await client.POST("/memories/search", {
-        body: { query: null, textQuery: null, semanticQuery: null, hybrid: false, limit: 1, includeArchived: false, includeSystem: false, tags: ["sechroom:role:override", `sechroom:template-ref:${templateId}`], owner: { type: "Workspace", id: personalWorkspaceId } }
-      });
-      const ovrHits = ovr ?? [];
-      if (ovrHits.length > 0) {
-        const override = await fetchMemoryFields(cfg, ovrHits[0].id);
-        if (typeof override?.text === "string" && override.text.length > 0) {
-          return { title: override.title ?? template.title ?? artifact.title, body: override.text, source: "override", templateId, templateTags, sourceRef: `${ovrHits[0].id}@v${override.version ?? 1}` };
-        }
-      }
-    }
-    return { title: template.title ?? artifact.title, body: template.text, source: "template", templateId, templateTags, sourceRef: `${templateId}@v${template.version ?? 1}` };
-  }
-  return null;
-}
-async function resolveWorkspaceConventions(cfg, section) {
-  const parts = [];
-  const refs = [];
-  for (const artifact of section.artifacts) {
-    if (parseTagArtifactId(artifact.id)) continue;
-    const mem = await fetchMemoryFields(cfg, artifact.id);
-    if (typeof mem?.text === "string" && mem.text.trim().length > 0) {
-      parts.push(mem.text.trim());
-      refs.push(`${artifact.id}@v${mem.version ?? 1}`);
-    }
-  }
-  if (parts.length === 0) return null;
-  return { body: parts.join("\n\n---\n\n"), refs };
-}
-async function createOverride(cfg, template, personalWorkspaceId) {
-  const client = await makeClient(cfg);
-  const overrideTags = template.templateTags.filter(
-    (t) => t !== "sechroom:role:template" && !t.startsWith("sechroom:bundle:") && !t.startsWith("sechroom:template-ref:")
-  );
-  overrideTags.push("sechroom:role:override", `sechroom:template-ref:${template.templateId}`);
-  const { error } = await client.POST("/memories", {
-    body: {
-      text: template.body,
-      type: "reference",
-      content: "{}",
-      confidence: 1,
-      source: "cli-agent-instructions-customize",
-      archetype: "Document",
-      title: template.title ?? null,
-      tags: overrideTags,
-      owner: { type: "Workspace", id: personalWorkspaceId }
-    }
-  });
-  if (error) throw new Error(`creating personal copy failed: ${JSON.stringify(error)}`);
-}
-// src/setup/apply.ts
+import { mkdirSync as mkdirSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync4, existsSync as existsSync5 } from "fs";
+import { dirname as dirname5 } from "path";
 var MARKER_BEGIN = "<!-- @sechroom/cli:begin";
 var MARKER_END = "<!-- @sechroom/cli:end";
 function normalizeBody(s) {
@@ -1950,22 +2424,22 @@ function parseManagedBlock(content, block) {
   return null;
 }
 function ensureDir2(path) {
-  mkdirSync2(dirname2(path), { recursive: true });
+  mkdirSync4(dirname5(path), { recursive: true });
 }
 function readOr(path, fallback) {
   try {
-    return readFileSync2(path, "utf8");
+    return readFileSync4(path, "utf8");
   } catch {
     return fallback;
   }
 }
 function mergeMcpJson(path, snippet, dryRun) {
   const incoming = JSON.parse(snippet);
-  const existed = existsSync2(path);
+  const existed = existsSync5(path);
   let current = {};
   if (existed) {
     try {
-      current = JSON.parse(readFileSync2(path, "utf8"));
+      current = JSON.parse(readFileSync4(path, "utf8"));
     } catch {
       return { kind: "mcp", path, status: "skipped", note: "existing file isn't valid JSON \u2014 left untouched" };
     }
@@ -1973,26 +2447,26 @@ function mergeMcpJson(path, snippet, dryRun) {
   current.mcpServers = { ...current.mcpServers ?? {}, ...incoming.mcpServers ?? {} };
   if (dryRun) return { kind: "mcp", path, status: "dry-run" };
   ensureDir2(path);
-  writeFileSync2(path, JSON.stringify(current, null, 2) + "\n", { mode: 384 });
+  writeFileSync4(path, JSON.stringify(current, null, 2) + "\n", { mode: 384 });
   return { kind: "mcp", path, status: existed ? "merged" : "created" };
 }
 function mergeCodexToml(path, snippet, dryRun) {
-  const existed = existsSync2(path);
+  const existed = existsSync5(path);
   let body = readOr(path, "");
   body = body.replace(/(^|\n)\[mcp_servers\.sechroom\][^[]*/, "\n").replace(/\n{3,}/g, "\n\n");
   const trimmed = body.trim();
   const next = (trimmed.length > 0 ? trimmed + "\n\n" : "") + snippet.trim() + "\n";
   if (dryRun) return { kind: "mcp", path, status: "dry-run" };
   ensureDir2(path);
-  writeFileSync2(path, next, { mode: 384 });
+  writeFileSync4(path, next, { mode: 384 });
   return { kind: "mcp", path, status: existed ? "merged" : "created" };
 }
 function writeInstructionBlock(path, write, dryRun) {
-  const existed = existsSync2(path);
+  const existed = existsSync5(path);
   const next = computeBlockFile(readOr(path, ""), write);
   if (dryRun) return { kind: "instruction", path, status: "dry-run" };
   ensureDir2(path);
-  writeFileSync2(path, next);
+  writeFileSync4(path, next);
   return { kind: "instruction", path, status: existed ? "merged" : "created" };
 }
 function computeBlockFile(current, write) {
@@ -2033,7 +2507,7 @@ function applyBlock(path, write, mode, dryRun) {
     const next = computeBlockFile(current, write);
     if (!dryRun) {
       ensureDir2(proposedPath);
-      writeFileSync2(proposedPath, next);
+      writeFileSync4(proposedPath, next);
     }
     return {
       kind: "instruction",
@@ -2103,105 +2577,84 @@ async function applyClient(cfg, setup, target, opts) {
   return actions;
 }
-// src/setup/clients.ts
-import { existsSync as existsSync3 } from "fs";
-import { homedir as homedir2 } from "os";
-import { dirname as dirname3, join as join2 } from "path";
-function claudeDesktopConfigPath(home) {
-  switch (process.platform) {
-    case "darwin":
-      return join2(home, "Library", "Application Support", "Claude", "claude_desktop_config.json");
-    case "win32":
-      return join2(process.env.APPDATA ?? join2(home, "AppData", "Roaming"), "Claude", "claude_desktop_config.json");
-    default:
-      return join2(home, ".config", "Claude", "claude_desktop_config.json");
-  }
-}
-function clientTargets(cwd) {
-  const home = homedir2();
-  return {
-    "claude-code": {
-      key: "claude-code",
-      label: "Claude Code",
-      mcp: { surfaceKey: "claude-code", sectionType: SectionType.McpConfig, path: join2(cwd, ".mcp.json"), format: "json" },
-      instruction: { surfaceKey: "claude-code", path: join2(cwd, "CLAUDE.md") }
-    },
-    "claude-desktop": {
-      key: "claude-desktop",
-      label: "Claude Desktop",
-      mcp: { surfaceKey: "claude-desktop", sectionType: SectionType.McpConfig, path: claudeDesktopConfigPath(home), format: "json" },
-      instruction: { surfaceKey: "claude-desktop", path: join2(home, ".claude", "CLAUDE.md") }
-    },
-    codex: {
-      key: "codex",
-      label: "Codex CLI",
-      mcp: { surfaceKey: "chatgpt", sectionType: SectionType.McpConfigToml, path: join2(home, ".codex", "config.toml"), format: "toml" },
-      instruction: { surfaceKey: "chatgpt", path: join2(cwd, "AGENTS.md") }
-    },
-    cursor: {
-      key: "cursor",
-      label: "Cursor",
-      mcp: { surfaceKey: "claude-code", sectionType: SectionType.McpConfig, path: join2(cwd, ".cursor", "mcp.json"), format: "json" },
-      instruction: { surfaceKey: "chatgpt", path: join2(cwd, "AGENTS.md") }
-    }
-  };
-}
-var ALL_CLIENT_KEYS = ["claude-code", "claude-desktop", "codex", "cursor"];
-var DEFAULT_CLIENT_KEY = "claude-code";
-function detectInstalledClients(cwd) {
-  const home = homedir2();
-  const detected = [];
-  if (existsSync3(join2(home, ".claude"))) detected.push("claude-code");
-  if (existsSync3(dirname3(claudeDesktopConfigPath(home)))) detected.push("claude-desktop");
-  if (existsSync3(join2(home, ".codex"))) detected.push("codex");
-  if (existsSync3(join2(home, ".cursor")) || existsSync3(join2(cwd, ".cursor"))) detected.push("cursor");
-  return detected;
-}
 // src/setup/skills-offer.ts
-import { mkdirSync as mkdirSync3, writeFileSync as writeFileSync3 } from "fs";
-import { homedir as homedir3 } from "os";
-import { join as join4 } from "path";
+import { mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
+import { homedir as homedir4 } from "os";
+import { join as join5 } from "path";
-// src/sem.ts
-import { dirname as dirname4, join as join3 } from "path";
-import { existsSync as existsSync4, readFileSync as readFileSync3 } from "fs";
-var SEM_FILE = ".sem";
-function localSemPath(cwd = process.cwd()) {
-  return join3(cwd, SEM_FILE);
+// src/setup/lane-pin.ts
+var CODE_LANE_PREFIX_BY_CLIENT = {
+  "claude-code": "claude-code",
+  "claude-desktop": "claude-code",
+  cursor: "claude-code",
+  codex: "codex"
+};
+var CLIENT_PRIORITY = ["claude-code", "claude-desktop", "cursor", "codex"];
+function handleFromDisplayName(name) {
+  if (!name) return void 0;
+  const localPart = name.trim().split("@")[0] ?? "";
+  const first = localPart.split(/[\s._-]+/)[0]?.toLowerCase().replace(/[^a-z0-9]/g, "");
+  return first || void 0;
+}
+function codeLanePrefix(clients) {
+  for (const c of CLIENT_PRIORITY) if (clients.includes(c)) return CODE_LANE_PREFIX_BY_CLIENT[c];
+  return "claude-code";
+}
+function writePin(code, design) {
+  const values = {};
+  if (code) values["code-lane"] = code;
+  if (design) values["design-lane"] = design;
+  if (Object.keys(values).length === 0) return;
+  const target = writeSem(values);
+  process.stderr.write(`${ok("\u2713")} lane pin written \u2192 ${target} ${style.dim("(./.sechroom/lane.json, git-ignored)")}
+`);
 }
-function resolveSemPathForRead(start = process.cwd()) {
-  let dir = start;
-  while (true) {
-    const candidate = join3(dir, SEM_FILE);
-    if (existsSync4(candidate)) return candidate;
-    const parent = dirname4(dir);
-    if (parent === dir) return void 0;
-    dir = parent;
+async function ensureLanePin(cfg, opts) {
+  if (opts.dryRun) return;
+  if (readSem()) return;
+  let wf;
+  let profile;
+  try {
+    const client = await makeClient(cfg);
+    [wf, profile] = await Promise.all([
+      client.GET("/me/workflow-preferences", {}).then((r) => r.data).catch(() => void 0),
+      client.GET("/me/profile", {}).then((r) => r.data).catch(() => void 0)
+    ]);
+  } catch {
   }
-}
-function parseSem(text) {
-  const out = {};
-  for (const raw of text.split("\n")) {
-    const line = raw.trim();
-    if (!line || line.startsWith("#")) continue;
-    const eq = line.indexOf("=");
-    if (eq === -1) continue;
-    const key = line.slice(0, eq).trim();
-    const value = line.slice(eq + 1).trim();
-    if (key) out[key] = value;
+  const handle = handleFromDisplayName(profile?.effectiveDisplayName);
+  const prefix = codeLanePrefix(opts.clients ?? ["claude-code"]);
+  const codeGuess = wf?.defaultCodeLane ?? (handle ? `${prefix}-${handle}` : void 0);
+  const designGuess = wf?.defaultDesignLane ?? (handle ? `claude-design-${handle}` : void 0);
+  if (!canPrompt() || opts.yes) {
+    if (opts.yes && (codeGuess || designGuess)) writePin(codeGuess, designGuess);
+    return;
   }
-  return out;
-}
-function serializeSem(values) {
-  const header = "# sechroom lane pin (per-location fallback) \u2014 resolved at runtime by operator skills.\n";
-  const body = Object.entries(values).map(([k, v]) => `${k} = ${v}`).join("\n");
-  return header + body + "\n";
-}
-function readSem(path) {
-  const p = path ?? resolveSemPathForRead();
-  if (!p || !existsSync4(p)) return void 0;
-  return { path: p, values: parseSem(readFileSync3(p, "utf8")) };
+  if (codeGuess || designGuess) {
+    process.stderr.write(
+      `
+I can pin this checkout's lane so operator skills + the continuity hook resolve your identity:
+`
+    );
+    if (codeGuess) process.stderr.write(`  ${style.dim("code-lane")}   = ${style.cyan(codeGuess)}
+`);
+    if (designGuess) process.stderr.write(`  ${style.dim("design-lane")} = ${style.cyan(designGuess)}
+`);
+    if (await promptYesNo("Pin these?")) {
+      writePin(codeGuess, designGuess);
+      return;
+    }
+  }
+  const code = await promptText("Code-lane id (e.g. claude-code-you, blank to skip)?", codeGuess ?? "");
+  const design = await promptText("Design-lane id (e.g. claude-design-you, blank to skip)?", designGuess ?? "");
+  if (!code && !design) {
+    process.stderr.write(
+      `  ${style.dim("skipped \u2014 set later with")} ${style.cyan("sechroom skills set-lane --code-lane \u2026 --design-lane \u2026")}
+`
+    );
+    return;
+  }
+  writePin(code || void 0, design || void 0);
 }
 // src/setup/skills-offer.ts
@@ -2242,43 +2695,19 @@ async function maybeOfferSkills(cfg, personalWorkspaceId, opts) {
 Found ${style.bold(String(names.length))} operator skill(s) installed in your workspace: ${names.join(", ")}.
 `
   );
-  const dir = join4(homedir3(), ".claude", "skills");
+  const dir = join5(homedir4(), ".claude", "skills");
   const materialise = opts.yes ? true : canPrompt() ? await promptYesNo(`Write them to ${dir}/ so ${surface} can use them?`) : false;
   if (!materialise) return;
   const written = [];
   for (const [name, m] of byName) {
     const body = m.text ?? m.Text ?? "";
-    mkdirSync3(join4(dir, name), { recursive: true });
-    writeFileSync3(join4(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
+    mkdirSync5(join5(dir, name), { recursive: true });
+    writeFileSync5(join5(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
     written.push(name);
   }
   process.stderr.write(`${style.green("\u2713")} wrote ${written.length} skill(s) to ${dir}
 `);
-  if (readSem()) return;
-  const setLane = opts.yes ? false : canPrompt() ? await promptYesNo("Set your lane now so the skills can resolve their identity slots?") : false;
-  if (!setLane) {
-    process.stderr.write(
-      `  ${style.dim("run")} ${style.cyan("sechroom skills set-lane --code-lane \u2026 --design-lane \u2026")} ${style.dim("when ready.")}
-`
-    );
-    return;
-  }
-  let wf;
-  try {
-    const client = await makeClient(cfg);
-    wf = await client.GET("/me/workflow-preferences", {}).then((r) => r.data).catch(() => void 0);
-  } catch {
-  }
-  const code = await promptText("Code-lane id (e.g. claude-code-you)?", wf?.defaultCodeLane);
-  const design = await promptText("Design-lane id (e.g. claude-design-you)?", wf?.defaultDesignLane);
-  const values = {};
-  if (code) values["code-lane"] = code;
-  if (design) values["design-lane"] = design;
-  if (Object.keys(values).length === 0) return;
-  const target = localSemPath();
-  writeFileSync3(target, serializeSem(values));
-  process.stderr.write(`${style.green("\u2713")} lane pin written \u2192 ${target}
-`);
+  await ensureLanePin(cfg, { yes: opts.yes, dryRun: opts.dryRun, clients: [surface] });
 }
 // src/commands/setup.ts
@@ -2603,7 +3032,7 @@ async function ensureTenant(baseUrl, g, opts) {
       "Where should this tenant + base URL be saved?",
       [
         { label: "Globally", value: "global", hint: "all projects on this machine" },
-        { label: "This directory", value: "local", hint: ".sechroom.json \u2014 project + subdirs" }
+        { label: "This directory", value: "local", hint: ".sechroom/config.json \u2014 project + subdirs" }
       ],
       local.path ? "local" : "global"
     ) === "local";
@@ -2679,14 +3108,14 @@ async function chooseClients(clientFlag, yes, cwd) {
   return picks.length > 0 ? picks : preselected;
 }
 function registerOnboard(program2) {
-  program2.command("onboard").description("Guided first-run setup: configure, sign in, set timezone, detect clients, and wire this project").option("--client <list>", `comma-separated clients (${ALL_CLIENT_KEYS.join(", ")}) or 'all' (default: auto-detected)`).option("--local", "save tenant + base URL to a directory-local .sechroom.json instead of the global config", false).option("--workspace <id>", "bind this directory to a workspace (skips the interactive workspace pick)").option("--cli-only", "configure the CLI only \u2014 don't wire any AI client (no MCP config, no agent files)", false).option("--no-mcp", "skip the MCP server config (.mcp.json etc.); still write the agent instruction files").option("--copy", "make a personal copy of the agent instructions you can edit (default: prompt on a TTY, else skip)").option("--dry-run", "walk through without writing files or changing the profile", false).option("--refresh", "re-fetch descriptors and refresh any out-of-date managed blocks (local edits preserved to .proposed)", false).option("--force", "rewrite every managed block, overwriting local edits inside the markers (content outside untouched)", false).option("--check", "report whether anything would change and exit (0 = all current, 1 = stale/drift/absent); writes nothing", false).option("-y, --yes", "non-interactive: accept defaults (system timezone, detected clients, global config, full wire)", false).addHelpText(
+  program2.command("onboard").description("Guided first-run setup: configure, sign in, set timezone, detect clients, and wire this project").option("--client <list>", `comma-separated clients (${ALL_CLIENT_KEYS.join(", ")}) or 'all' (default: auto-detected)`).option("--local", "save tenant + base URL to a directory-local .sechroom/config.json instead of the global config", false).option("--workspace <id>", "bind this directory to a workspace (skips the interactive workspace pick)").option("--cli-only", "configure the CLI only \u2014 don't wire any AI client (no MCP config, no agent files)", false).option("--no-mcp", "skip the MCP server config (.mcp.json etc.); still write the agent instruction files").option("--copy", "make a personal copy of the agent instructions you can edit (default: prompt on a TTY, else skip)").option("--dry-run", "walk through without writing files or changing the profile", false).option("--refresh", "re-fetch descriptors and refresh any out-of-date managed blocks (local edits preserved to .proposed)", false).option("--force", "rewrite every managed block, overwriting local edits inside the markers (content outside untouched)", false).option("--check", "report whether anything would change and exit (0 = all current, 1 = stale/drift/absent); writes nothing", false).option("-y, --yes", "non-interactive: accept defaults (system timezone, detected clients, global config, full wire)", false).addHelpText(
     "after",
     `
 Examples:
   $ sechroom onboard                    guided, interactive (asks where to save config + how to wire)
   $ sechroom onboard --cli-only         just the CLI \u2014 no .mcp.json, no agent files
   $ sechroom onboard --no-mcp           agent instructions only, skip MCP config
-  $ sechroom onboard --local            save tenant + base URL to ./.sechroom.json
+  $ sechroom onboard --local            save tenant + base URL to ./.sechroom/config.json
   $ sechroom onboard --workspace wsp_XX  bind this directory to a workspace (no pick prompt)
   $ sechroom onboard --refresh          refresh out-of-date instruction blocks in place
   $ sechroom onboard --check            CI/pre-commit: nonzero exit if instructions are out of date
@@ -2716,12 +3145,14 @@ Examples:
         emit({ dryRun, baseUrl: cfg.baseUrl, tenant: cfg.tenant, workspaceId: cfg.workspaceId ?? null, timezone: tz, wire, clients: [] }, true);
         return;
       }
+      if (!dryRun) await ensureLanePin(cfg, { yes, dryRun, clients: detectInstalledClients(process.cwd()) });
       process.stdout.write(
         `
 ${style.bold("Done.")} The CLI is configured for ${style.cyan(cfg.tenant)} \u2014 no AI-client files written.
 Try: ${style.cyan('sechroom memory search "..."')}  or  ${style.cyan("sechroom --help")}
 `
       );
+      await printStarterPrompt("cli");
       return;
     }
     const keys = await chooseClients(opts.client, yes, process.cwd());
@@ -2766,6 +3197,9 @@ Try: ${style.cyan('sechroom memory search "..."')}  or  ${style.cyan("sechroom -
       }
       process.exit(wouldChange === 0 ? 0 : 1);
     }
+    if (!json && !dryRun) {
+      await ensureLanePin(cfg, { yes, dryRun, clients: keys });
+    }
     if (!json && !dryRun) {
       await maybeOfferSkills(cfg, personalWorkspaceId, { yes, dryRun, surface: "claude-code" });
     }
@@ -2794,6 +3228,7 @@ ${style.bold("Done.")} Restart your AI client (or reload MCP) to pick up the new
 ${style.bold("Done.")} Agent instructions written (no MCP config).
 `
     );
+    if (!dryRun) await printStarterPrompt("agent", cfg);
   });
 }
 async function chooseWire(opts, yes) {
@@ -2811,16 +3246,43 @@ async function chooseWire(opts, yes) {
   }
   return opts.mcp === false ? "agent-only" : "full";
 }
+var FALLBACK_AGENT_PROMPT = "Resume my sechroom continuity, summarise what I was last working on, then suggest the next step.";
+async function printStarterPrompt(mode, cfg) {
+  if (mode === "cli") {
+    process.stdout.write(
+      `
+${style.bold("Next:")} pick up where you left off \u2014
+  ${style.cyan("sechroom continuity resume-me")}
+`
+    );
+    return;
+  }
+  let primary = FALLBACK_AGENT_PROMPT;
+  if (cfg) {
+    try {
+      const client = await makeClient(cfg);
+      const { data } = await client.GET("/me/onboarding/starter-prompt", {});
+      if (data?.primary) primary = data.primary;
+    } catch {
+    }
+  }
+  process.stdout.write(
+    `
+${style.bold("Next:")} paste this into your AI agent to get going \u2014
+  ${style.cyan(`"${primary}"`)}
+`
+  );
+}
 // src/commands/skills.ts
-import { homedir as homedir4 } from "os";
-import { dirname as dirname5, join as join5 } from "path";
-import { mkdirSync as mkdirSync4, writeFileSync as writeFileSync4, rmSync as rmSync2, existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
+import { homedir as homedir5 } from "os";
+import { join as join6 } from "path";
+import { mkdirSync as mkdirSync6, writeFileSync as writeFileSync6, rmSync as rmSync2, existsSync as existsSync6, readFileSync as readFileSync5 } from "fs";
 var DEFAULT_SLUG = "operator-skills";
 var ROLE_TAGS = ["sechroom:role:skill-template", "role:skill-template"];
 var LOCK = ".sechroom-skills.json";
 function skillsDir(global) {
-  return global ? join5(homedir4(), ".claude", "skills") : join5(process.cwd(), ".claude", "skills");
+  return global ? join6(homedir5(), ".claude", "skills") : join6(process.cwd(), ".claude", "skills");
 }
 function tagValue2(tags, prefix) {
   return (tags ?? []).find((t) => t.startsWith(prefix))?.slice(prefix.length);
@@ -2898,15 +3360,15 @@ Examples:
       const name = tagValue2(tags, "skill:");
       if (!name) continue;
       const body = m.text ?? m.Text ?? "";
-      mkdirSync4(join5(dir, name), { recursive: true });
-      writeFileSync4(join5(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
+      mkdirSync6(join6(dir, name), { recursive: true });
+      writeFileSync6(join6(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
       written.push(name);
     }
-    mkdirSync4(dir, { recursive: true });
-    const lockPath = join5(dir, LOCK);
-    const lock = existsSync5(lockPath) ? JSON.parse(readFileSync4(lockPath, "utf8")) : {};
+    mkdirSync6(dir, { recursive: true });
+    const lockPath = join6(dir, LOCK);
+    const lock = existsSync6(lockPath) ? JSON.parse(readFileSync5(lockPath, "utf8")) : {};
     lock[slug] = { surface: opts.surface, version, instance: wantInstance, skills: written.sort() };
-    writeFileSync4(lockPath, JSON.stringify(lock, null, 2) + "\n");
+    writeFileSync6(lockPath, JSON.stringify(lock, null, 2) + "\n");
     if (opts.json) return emit({ slug, version, instance: wantInstance, surface: opts.surface, dir, installed: written }, true);
     const instanceNote = opts.instance ? ` (${opts.instance})` : "";
     console.log(style.green(`Installed ${slug}@${version}${instanceNote} \u2014 ${written.length} skill(s) \u2192 ${dir}`));
@@ -2928,42 +3390,41 @@ Examples:
   skills.command("clean [slug]").description(`Remove materialised skill files written by install (default ${DEFAULT_SLUG})`).option("--local", "clean ./.claude/skills instead of ~/.claude/skills").option("--json", "machine output").action(async (slugArg, opts) => {
     const slug = slugArg || DEFAULT_SLUG;
     const dir = skillsDir(!opts.local);
-    const lockPath = join5(dir, LOCK);
-    if (!existsSync5(lockPath)) fail(`No skills lockfile at ${lockPath}; nothing to clean.`);
-    const lock = JSON.parse(readFileSync4(lockPath, "utf8"));
+    const lockPath = join6(dir, LOCK);
+    if (!existsSync6(lockPath)) fail(`No skills lockfile at ${lockPath}; nothing to clean.`);
+    const lock = JSON.parse(readFileSync5(lockPath, "utf8"));
     const entry = lock[slug];
     if (!entry) fail(`No installed record for '${slug}' in ${lockPath}.`);
     const removed = [];
     for (const name of entry.skills) {
-      const skillPath = join5(dir, name);
-      if (existsSync5(skillPath)) {
+      const skillPath = join6(dir, name);
+      if (existsSync6(skillPath)) {
         rmSync2(skillPath, { recursive: true, force: true });
         removed.push(name);
       }
     }
     delete lock[slug];
-    writeFileSync4(lockPath, JSON.stringify(lock, null, 2) + "\n");
+    writeFileSync6(lockPath, JSON.stringify(lock, null, 2) + "\n");
     if (opts.json) return emit({ slug, removed, dir }, true);
     console.log(style.green(`Removed ${removed.length} skill(s) for ${slug} from ${dir}`));
   });
-  skills.command("set-lane").description("Write this checkout's lane pin to a local ./.sem file (read at runtime by skills)").option("--code-lane <id>", "code-surface lane id (e.g. claude-code-chris)").option("--design-lane <id>", "design / substrate-authoring lane id (e.g. claude-design-chris)").option("--json", "machine output").action((opts, cmd) => {
+  skills.command("set-lane").description("Write this checkout's lane pin to a local ./.sechroom/lane.json file (read at runtime by skills)").option("--code-lane <id>", "code-surface lane id (e.g. claude-code-chris)").option("--design-lane <id>", "design / substrate-authoring lane id (e.g. claude-design-chris)").option("--json", "machine output").action((opts, cmd) => {
     if (!opts.codeLane && !opts.designLane) fail("Provide --code-lane and/or --design-lane.");
     const target = localSemPath();
-    const values = readSem(target)?.values ?? {};
+    const values = readLocalSemValues();
     if (opts.codeLane) values["code-lane"] = opts.codeLane;
     if (opts.designLane) values["design-lane"] = opts.designLane;
-    mkdirSync4(dirname5(target), { recursive: true });
-    writeFileSync4(target, serializeSem(values));
+    writeSem(values, target);
     if (cmd.optsWithGlobals().json) return emit({ path: target, values }, true);
-    console.log(style.green(`Wrote lane pin \u2192 ${target}`));
+    console.log(style.green(`Wrote lane pin \u2192 ${target} ${style.dim("(git-ignored)")}`));
     Object.entries(values).forEach(([k, v]) => console.log("  " + style.dim(k) + " = " + v));
   });
-  skills.command("lane").description("Show the lane pin resolved from ./.sem (nearest in this checkout)").option("--json", "machine output").action((opts, cmd) => {
+  skills.command("lane").description("Show the lane pin resolved from ./.sechroom/lane.json (nearest in this checkout; legacy ./.sem honoured)").option("--json", "machine output").action((opts, cmd) => {
     const json = cmd.optsWithGlobals().json;
     const found = readSem();
     if (!found) {
       if (json) return emit({ path: null, values: {} }, true);
-      return console.log(style.dim(`No ./.sem pin in this checkout. Run 'sechroom skills set-lane'.`));
+      return console.log(style.dim(`No ./.sechroom/lane.json pin in this checkout. Run 'sechroom skills set-lane'.`));
     }
     if (json) return emit(found, true);
     console.log(style.dim(`from ${found.path}`));
@@ -3032,22 +3493,22 @@ Examples:
 }
 // src/commands/reset.ts
-import { homedir as homedir5 } from "os";
-import { join as join6 } from "path";
-import { existsSync as existsSync6, readFileSync as readFileSync5, rmSync as rmSync3 } from "fs";
+import { homedir as homedir6 } from "os";
+import { join as join7 } from "path";
+import { existsSync as existsSync7, readFileSync as readFileSync6, rmSync as rmSync3 } from "fs";
 var SKILLS_LOCK = ".sechroom-skills.json";
-var localSkillsDir = () => join6(process.cwd(), ".claude", "skills");
-var globalSkillsDir = () => join6(homedir5(), ".claude", "skills");
+var localSkillsDir = () => join7(process.cwd(), ".claude", "skills");
+var globalSkillsDir = () => join7(homedir6(), ".claude", "skills");
 function removeMaterialisedSkills(dir) {
   const removed = [];
-  const lockPath = join6(dir, SKILLS_LOCK);
-  if (!existsSync6(lockPath)) return removed;
+  const lockPath = join7(dir, SKILLS_LOCK);
+  if (!existsSync7(lockPath)) return removed;
   try {
-    const lock = JSON.parse(readFileSync5(lockPath, "utf8"));
+    const lock = JSON.parse(readFileSync6(lockPath, "utf8"));
     for (const entry of Object.values(lock)) {
       for (const name of entry.skills ?? []) {
-        const p = join6(dir, name);
-        if (existsSync6(p)) {
+        const p = join7(dir, name);
+        if (existsSync7(p)) {
           rmSync3(p, { recursive: true, force: true });
           removed.push(p);
         }
@@ -3067,26 +3528,31 @@ function registerReset(program2) {
       removed ? style.green("Signed out \u2014 auth token removed.") : style.dim("Already signed out (no token).")
     );
   });
-  program2.command("reset").description("Reset LOCAL CLI state for this directory (./.sechroom.json, ./.sem, ./.claude/skills); --global also wipes the machine-wide token + config + ~/.claude/skills").option("--global", "also remove the global auth token, config, and ~/.claude/skills").option("-y, --yes", "don't prompt for confirmation").option("--json", "machine output").action(async (opts, cmd) => {
+  program2.command("reset").description("Reset LOCAL CLI state for this directory (./.sechroom/, legacy ./.sechroom.json + ./.sem, ./.claude/skills); --global also wipes the machine-wide token + config + ~/.claude/skills").option("--global", "also remove the global auth token, config, and ~/.claude/skills").option("-y, --yes", "don't prompt for confirmation").option("--json", "machine output").action(async (opts, cmd) => {
     const json = cmd.optsWithGlobals().json;
     const global = Boolean(opts.global);
     if (!opts.yes && canPrompt()) {
-      const scope = global ? "this directory's local state AND your global auth token + config + ~/.claude/skills" : "this directory's local state (./.sechroom.json, ./.sem, ./.claude/skills)";
+      const scope = global ? "this directory's local state AND your global auth token + config + ~/.claude/skills" : "this directory's local state (./.sechroom/, legacy ./.sechroom.json + ./.sem, ./.claude/skills)";
       if (!await promptYesNo(`Remove ${scope}?`)) {
         if (!json) console.log(style.dim("Cancelled."));
         return;
       }
     }
     const removed = [];
-    const localCfg = join6(process.cwd(), ".sechroom.json");
-    if (existsSync6(localCfg)) {
-      rmSync3(localCfg, { force: true });
-      removed.push(localCfg);
+    const stateDir = join7(process.cwd(), ".sechroom");
+    if (existsSync7(stateDir)) {
+      rmSync3(stateDir, { recursive: true, force: true });
+      removed.push(stateDir);
+    }
+    const legacyCfg = join7(process.cwd(), ".sechroom.json");
+    if (existsSync7(legacyCfg)) {
+      rmSync3(legacyCfg, { force: true });
+      removed.push(legacyCfg);
     }
-    const sem = localSemPath();
-    if (existsSync6(sem)) {
-      rmSync3(sem, { force: true });
-      removed.push(sem);
+    const legacySem = join7(process.cwd(), ".sem");
+    if (existsSync7(legacySem)) {
+      rmSync3(legacySem, { force: true });
+      removed.push(legacySem);
     }
     removed.push(...removeMaterialisedSkills(localSkillsDir()));
     if (global) {
@@ -3111,7 +3577,7 @@ function registerReset(program2) {
 function resolveVersion() {
   try {
     const pkg = JSON.parse(
-      readFileSync6(new URL("../package.json", import.meta.url), "utf8")
+      readFileSync7(new URL("../package.json", import.meta.url), "utf8")
     );
     return pkg.version ?? "0.0.0";
   } catch {
@@ -3127,7 +3593,7 @@ Examples:
   $ sechroom onboard                              guided first-run: configure, sign in, wire this project
   $ sechroom login                                sign in via browser (OAuth + PKCE)
   $ sechroom config set tenant ocd                set your tenant (global)
-  $ sechroom config set --local tenant cli-smoke  pin tenant for this directory (.sechroom.json)
+  $ sechroom config set --local tenant cli-smoke  pin tenant for this directory (.sechroom/config.json)
   $ sechroom config show                          resolved config + which source won
   $ sechroom memory create --text "a note" --title "Note" --tag idea
@@ -3139,7 +3605,7 @@ Examples:
   $ sechroom --json memory search "auth"           compact JSON for scripts and agents
   $ SECHROOM_TOKEN=<bearer> sechroom --json memory get mem_XXXX    headless
-Config precedence (high -> low): --flag  >  env (SECHROOM_*)  >  ./.sechroom.json  >  global  >  default.
+Config precedence (high -> low): --flag  >  env (SECHROOM_*)  >  ./.sechroom/config.json (legacy ./.sechroom.json)  >  global  >  default.
 Run 'sechroom <command> --help' for command-specific examples.`
 );
 program.hook("preAction", (_thisCmd, actionCmd) => {
@@ -3165,11 +3631,11 @@ config.addHelpText(
 Examples:
   $ sechroom config set baseUrl https://app.sechroom.ai/api   prod (staging: https://staging.app.sechroom.ai/api)
   $ sechroom config set tenant ocd
-  $ sechroom config set --local tenant cli-smoke              this dir + subdirs (.sechroom.json)
+  $ sechroom config set --local tenant cli-smoke              this dir + subdirs (.sechroom/config.json)
   $ sechroom config set clientId dyn-XXXX                     global-only escape hatch (no DCR endpoint)
   $ sechroom config show --json`
 );
-config.command("set <key> <value>").description("Set baseUrl | tenant | workspaceId | defaultProjectId | clientId (clientId is global-only)").option("--local", "Write to the directory-local .sechroom.json (nearest up the tree, else cwd) instead of the global config").action((key, value, opts) => {
+config.command("set <key> <value>").description("Set baseUrl | tenant | workspaceId | defaultProjectId | clientId (clientId is global-only)").option("--local", "Write to the directory-local .sechroom/config.json (nearest up the tree, else cwd; migrates a legacy .sechroom.json) instead of the global config").action((key, value, opts) => {
   if (opts.local) {
     if (!["baseUrl", "tenant", "workspaceId", "defaultProjectId"].includes(key)) {
       process.stderr.write(`--local supports only: baseUrl | tenant | workspaceId | defaultProjectId (clientId is global)
@@ -3221,6 +3687,7 @@ registerWorkspace(program);
 registerProject(program);
 registerFiling(program);
 registerContinuity(program);
+registerHook(program);
 registerId(program);
 registerAccount(program);
 registerChat(program);