@sechroom/cli 2026.6.18 → 2026.6.19

package/dist/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import { readFileSync as readFileSync6 } from "fs";
+import { readFileSync as readFileSync7 } from "fs";
 import { Command } from "commander";
 
 // src/auth.ts
@@ -11,12 +11,14 @@ import open from "open";
 
 // src/config.ts
 import { homedir } from "os";
-import { join, dirname } from "path";
+import { join, dirname, basename } from "path";
 import { mkdirSync, readFileSync, writeFileSync, existsSync, rmSync } from "fs";
 var CONFIG_DIR = join(homedir(), ".config", "sechroom");
 var CONFIG_FILE = join(CONFIG_DIR, "config.json");
 var TOKEN_FILE = join(CONFIG_DIR, "token.json");
-var LOCAL_CONFIG_NAME = ".sechroom.json";
+var STATE_DIR_NAME = ".sechroom";
+var LOCAL_CONFIG_NAME = join(STATE_DIR_NAME, "config.json");
+var LEGACY_LOCAL_CONFIG_NAME = ".sechroom.json";
 var DEFAULT_BASE_URL = "https://app.sechroom.ai/api";
 var LOCAL_CONFIG_SCHEMA_VERSION = 2;
 function ensureDir() {
@@ -69,11 +71,18 @@ function findLocalConfigPath(start = process.cwd()) {
   for (; ; ) {
     const candidate = join(dir, LOCAL_CONFIG_NAME);
     if (existsSync(candidate)) return candidate;
+    const legacy = join(dir, LEGACY_LOCAL_CONFIG_NAME);
+    if (existsSync(legacy)) return legacy;
     const parent = dirname(dir);
     if (parent === dir) return void 0;
     dir = parent;
   }
 }
+function localConfigWritePath(resolvedPath) {
+  const baseDir = resolvedPath ? dirname(resolvedPath) : process.cwd();
+  const dir = basename(baseDir) === STATE_DIR_NAME ? dirname(baseDir) : baseDir;
+  return join(dir, LOCAL_CONFIG_NAME);
+}
 function readLocalConfig() {
   const path = findLocalConfigPath();
   if (!path) return {};
@@ -92,12 +101,16 @@ function readLocalConfig() {
   }
 }
 function writeLocalConfig(patch) {
-  const path = findLocalConfigPath() ?? join(process.cwd(), LOCAL_CONFIG_NAME);
+  const readPath = findLocalConfigPath();
   let current = {};
-  try {
-    current = JSON.parse(readFileSync(path, "utf8"));
-  } catch {
+  if (readPath) {
+    try {
+      current = JSON.parse(readFileSync(readPath, "utf8"));
+    } catch {
+    }
   }
+  const path = localConfigWritePath(readPath);
+  mkdirSync(dirname(path), { recursive: true, mode: 448 });
   const next = { ...current, ...patch, schemaVersion: LOCAL_CONFIG_SCHEMA_VERSION };
   writeFileSync(path, JSON.stringify(next, null, 2), { mode: 384 });
   return path;
@@ -1558,10 +1571,17 @@ Examples:
   });
 }
 
+// src/commands/hook.ts
+import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
+import { homedir as homedir3 } from "os";
+import { dirname as dirname4, join as join4 } from "path";
+
 // src/sem.ts
-import { dirname as dirname2, join as join2 } from "path";
+import { basename as basename2, dirname as dirname2, join as join2 } from "path";
 import { appendFileSync, existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
-var SEM_FILE = ".sem";
+var SEM_FILE = join2(".sechroom", "lane.json");
+var LEGACY_SEM_FILE = ".sem";
+var STATE_DIR_NAME2 = ".sechroom";
 function localSemPath(cwd = process.cwd()) {
   return join2(cwd, SEM_FILE);
 }
@@ -1570,6 +1590,8 @@ function resolveSemPathForRead(start = process.cwd()) {
   while (true) {
     const candidate = join2(dir, SEM_FILE);
     if (existsSync2(candidate)) return candidate;
+    const legacy = join2(dir, LEGACY_SEM_FILE);
+    if (existsSync2(legacy)) return legacy;
     const parent = dirname2(dir);
     if (parent === dir) return void 0;
     dir = parent;
@@ -1589,15 +1611,35 @@ function parseSem(text) {
   return out;
 }
 function serializeSem(values) {
-  const header = "# sechroom lane pin (per-location fallback) \u2014 resolved at runtime by operator skills.\n";
-  const body = Object.entries(values).map(([k, v]) => `${k} = ${v}`).join("\n");
-  return header + body + "\n";
+  return JSON.stringify(values, null, 2) + "\n";
 }
 function readSem(path) {
   const p = path ?? resolveSemPathForRead();
   if (!p || !existsSync2(p)) return void 0;
-  return { path: p, values: parseSem(readFileSync2(p, "utf8")) };
+  const text = readFileSync2(p, "utf8");
+  const values = basename2(p) === LEGACY_SEM_FILE ? parseSem(text) : parseLaneJson(text);
+  return { path: p, values };
+}
+function readLocalSemValues(cwd = process.cwd()) {
+  const next = join2(cwd, SEM_FILE);
+  if (existsSync2(next)) return readSem(next)?.values ?? {};
+  const legacy = join2(cwd, LEGACY_SEM_FILE);
+  if (existsSync2(legacy)) return readSem(legacy)?.values ?? {};
+  return {};
+}
+function parseLaneJson(text) {
+  try {
+    const parsed = JSON.parse(text);
+    const out = {};
+    for (const [k, v] of Object.entries(parsed)) {
+      if (typeof v === "string") out[k] = v;
+    }
+    return out;
+  } catch {
+    return {};
+  }
 }
+var STATE_DIR_IGNORE = `${STATE_DIR_NAME2}/`;
 function writeSem(values, path = localSemPath()) {
   mkdirSync2(dirname2(path), { recursive: true });
   writeFileSync2(path, serializeSem(values));
@@ -1607,7 +1649,7 @@ function writeSem(values, path = localSemPath()) {
 function ignoresSem(content) {
   return content.split("\n").some((line) => {
     const t = line.trim();
-    return t === ".sem" || t === "/.sem" || t === "**/.sem";
+    return t === STATE_DIR_NAME2 || t === STATE_DIR_IGNORE || t === `/${STATE_DIR_NAME2}` || t === `/${STATE_DIR_IGNORE}` || t === `**/${STATE_DIR_NAME2}` || t === `**/${STATE_DIR_IGNORE}`;
   });
 }
 function resolveGitignoreTarget(startDir) {
@@ -1624,20 +1666,198 @@ function resolveGitignoreTarget(startDir) {
 }
 function ensureSemIgnored(semPath) {
   try {
-    const target = resolveGitignoreTarget(dirname2(semPath));
+    const checkoutDir = dirname2(dirname2(semPath));
+    const target = resolveGitignoreTarget(checkoutDir);
     if (target.exists) {
       const content = readFileSync2(target.path, "utf8");
       if (ignoresSem(content)) return;
       const sep = content.length === 0 || content.endsWith("\n") ? "" : "\n";
-      appendFileSync(target.path, `${sep}.sem
+      appendFileSync(target.path, `${sep}${STATE_DIR_IGNORE}
 `);
     } else {
-      writeFileSync2(target.path, ".sem\n");
+      writeFileSync2(target.path, `${STATE_DIR_IGNORE}
+`);
     }
   } catch {
   }
 }
 
+// src/setup/clients.ts
+import { existsSync as existsSync3 } from "fs";
+import { homedir as homedir2 } from "os";
+import { dirname as dirname3, join as join3 } from "path";
+
+// src/setup/operator-surface.ts
+var SectionType = {
+  McpConfig: "mcp-config",
+  McpConfigToml: "mcp-config-toml",
+  InstructionFile: "instruction-file",
+  ProjectConfig: "project-config",
+  Verify: "verify",
+  /** SBC-999 — workspace-pinned conventions, emitted only when the request
+   *  carried a workspaceId and that workspace has agent-setup-bundle memories. */
+  WorkspaceConventions: "workspace-conventions"
+};
+async function fetchSetup(cfg) {
+  const client = await makeClient(cfg);
+  const { data, error } = await client.GET(
+    "/operator-surface/setup",
+    cfg.workspaceId ? { params: { query: { workspaceId: cfg.workspaceId } } } : {}
+  );
+  if (error) throw new Error(`GET /operator-surface/setup failed: ${JSON.stringify(error)}`);
+  return data;
+}
+function findSurface(setup, surfaceKey) {
+  return setup.surfaces.find((s) => s.surfaceKey === surfaceKey);
+}
+function findSection(surface, sectionType) {
+  return surface?.sections.find((s) => s.sectionType === sectionType);
+}
+function sectionSnippet(section) {
+  if (!section) return null;
+  for (const step of section.steps) {
+    if (step.copyValue) return step.copyValue;
+    if (step.codeSnippet) return step.codeSnippet;
+  }
+  return null;
+}
+function parseTagArtifactId(id) {
+  if (!id.startsWith("tag:")) return null;
+  const tags = id.slice("tag:".length).split(",").map((t) => t.trim()).filter((t) => t.length > 0);
+  return tags.length > 0 ? tags : null;
+}
+async function getPersonalWorkspaceId(cfg) {
+  const client = await makeClient(cfg);
+  const { data } = await client.GET("/me/personal-workspace", {});
+  return data?.workspaceId ?? null;
+}
+async function fetchMemoryFields(cfg, id) {
+  const client = await makeClient(cfg);
+  const { data } = await client.GET("/memories/{memoryId}", { params: { path: { memoryId: id } } });
+  const env = data;
+  const m = env?.item ?? env;
+  if (!m) return null;
+  const version = typeof m.currentVersion === "string" ? Number(m.currentVersion) : m.currentVersion;
+  return { text: m.text, title: m.title, tags: m.tags, version: Number.isFinite(version) ? version : void 0 };
+}
+async function resolveInstruction(cfg, section, personalWorkspaceId) {
+  const client = await makeClient(cfg);
+  for (const artifact of section.artifacts) {
+    const tags = parseTagArtifactId(artifact.id);
+    if (!tags) continue;
+    const { data } = await client.POST("/memories/search", {
+      body: { query: null, textQuery: null, semanticQuery: null, hybrid: false, limit: 1, includeArchived: false, includeSystem: false, tags }
+    });
+    const hits = data ?? [];
+    if (hits.length === 0) continue;
+    const templateId = hits[0].id;
+    const template = await fetchMemoryFields(cfg, templateId);
+    if (typeof template?.text !== "string" || template.text.length === 0) continue;
+    const templateTags = template.tags ?? tags;
+    if (personalWorkspaceId) {
+      const { data: ovr } = await client.POST("/memories/search", {
+        body: { query: null, textQuery: null, semanticQuery: null, hybrid: false, limit: 1, includeArchived: false, includeSystem: false, tags: ["sechroom:role:override", `sechroom:template-ref:${templateId}`], owner: { type: "Workspace", id: personalWorkspaceId } }
+      });
+      const ovrHits = ovr ?? [];
+      if (ovrHits.length > 0) {
+        const override = await fetchMemoryFields(cfg, ovrHits[0].id);
+        if (typeof override?.text === "string" && override.text.length > 0) {
+          return { title: override.title ?? template.title ?? artifact.title, body: override.text, source: "override", templateId, templateTags, sourceRef: `${ovrHits[0].id}@v${override.version ?? 1}` };
+        }
+      }
+    }
+    return { title: template.title ?? artifact.title, body: template.text, source: "template", templateId, templateTags, sourceRef: `${templateId}@v${template.version ?? 1}` };
+  }
+  return null;
+}
+async function resolveWorkspaceConventions(cfg, section) {
+  const parts = [];
+  const refs = [];
+  for (const artifact of section.artifacts) {
+    if (parseTagArtifactId(artifact.id)) continue;
+    const mem = await fetchMemoryFields(cfg, artifact.id);
+    if (typeof mem?.text === "string" && mem.text.trim().length > 0) {
+      parts.push(mem.text.trim());
+      refs.push(`${artifact.id}@v${mem.version ?? 1}`);
+    }
+  }
+  if (parts.length === 0) return null;
+  return { body: parts.join("\n\n---\n\n"), refs };
+}
+async function createOverride(cfg, template, personalWorkspaceId) {
+  const client = await makeClient(cfg);
+  const overrideTags = template.templateTags.filter(
+    (t) => t !== "sechroom:role:template" && !t.startsWith("sechroom:bundle:") && !t.startsWith("sechroom:template-ref:")
+  );
+  overrideTags.push("sechroom:role:override", `sechroom:template-ref:${template.templateId}`);
+  const { error } = await client.POST("/memories", {
+    body: {
+      text: template.body,
+      type: "reference",
+      content: "{}",
+      confidence: 1,
+      source: "cli-agent-instructions-customize",
+      archetype: "Document",
+      title: template.title ?? null,
+      tags: overrideTags,
+      owner: { type: "Workspace", id: personalWorkspaceId }
+    }
+  });
+  if (error) throw new Error(`creating personal copy failed: ${JSON.stringify(error)}`);
+}
+
+// src/setup/clients.ts
+function claudeDesktopConfigPath(home) {
+  switch (process.platform) {
+    case "darwin":
+      return join3(home, "Library", "Application Support", "Claude", "claude_desktop_config.json");
+    case "win32":
+      return join3(process.env.APPDATA ?? join3(home, "AppData", "Roaming"), "Claude", "claude_desktop_config.json");
+    default:
+      return join3(home, ".config", "Claude", "claude_desktop_config.json");
+  }
+}
+function clientTargets(cwd) {
+  const home = homedir2();
+  return {
+    "claude-code": {
+      key: "claude-code",
+      label: "Claude Code",
+      mcp: { surfaceKey: "claude-code", sectionType: SectionType.McpConfig, path: join3(cwd, ".mcp.json"), format: "json" },
+      instruction: { surfaceKey: "claude-code", path: join3(cwd, "CLAUDE.md") }
+    },
+    "claude-desktop": {
+      key: "claude-desktop",
+      label: "Claude Desktop",
+      mcp: { surfaceKey: "claude-desktop", sectionType: SectionType.McpConfig, path: claudeDesktopConfigPath(home), format: "json" },
+      instruction: { surfaceKey: "claude-desktop", path: join3(home, ".claude", "CLAUDE.md") }
+    },
+    codex: {
+      key: "codex",
+      label: "Codex CLI",
+      mcp: { surfaceKey: "chatgpt", sectionType: SectionType.McpConfigToml, path: join3(home, ".codex", "config.toml"), format: "toml" },
+      instruction: { surfaceKey: "chatgpt", path: join3(cwd, "AGENTS.md") }
+    },
+    cursor: {
+      key: "cursor",
+      label: "Cursor",
+      mcp: { surfaceKey: "claude-code", sectionType: SectionType.McpConfig, path: join3(cwd, ".cursor", "mcp.json"), format: "json" },
+      instruction: { surfaceKey: "chatgpt", path: join3(cwd, "AGENTS.md") }
+    }
+  };
+}
+var ALL_CLIENT_KEYS = ["claude-code", "claude-desktop", "codex", "cursor"];
+var DEFAULT_CLIENT_KEY = "claude-code";
+function detectInstalledClients(cwd) {
+  const home = homedir2();
+  const detected = [];
+  if (existsSync3(join3(home, ".claude"))) detected.push("claude-code");
+  if (existsSync3(dirname3(claudeDesktopConfigPath(home)))) detected.push("claude-desktop");
+  if (existsSync3(join3(home, ".codex"))) detected.push("codex");
+  if (existsSync3(join3(home, ".cursor")) || existsSync3(join3(cwd, ".cursor"))) detected.push("cursor");
+  return detected;
+}
+
 // src/commands/hook.ts
 async function readStdin() {
   if (process.stdin.isTTY) return "";
@@ -1661,6 +1881,31 @@ function resolveLane(flagLane, cwd) {
   const sem = readSem(resolveSemPathForRead(start));
   return sem?.values["code-lane"];
 }
+var INTENT_FILE = join4(".sechroom", "continuity.json");
+function resolveIntentPath(start) {
+  let dir = start;
+  for (; ; ) {
+    const candidate = join4(dir, INTENT_FILE);
+    if (existsSync4(candidate)) return candidate;
+    const parent = dirname4(dir);
+    if (parent === dir) return void 0;
+    dir = parent;
+  }
+}
+function readIntent(start) {
+  const path = resolveIntentPath(start);
+  if (!path) return void 0;
+  try {
+    return JSON.parse(readFileSync3(path, "utf8"));
+  } catch {
+    return void 0;
+  }
+}
+function hasRequiredIntent(i) {
+  return Boolean(
+    i.objective?.trim() && i.state?.trim() && i.lastAction?.trim() && i.nextAction?.trim() && i.resumeInstruction?.trim()
+  );
+}
 function formatContext(bundle, lane) {
   const s = bundle?.latestSnapshot;
   if (!s) return null;
@@ -1697,18 +1942,108 @@ function emitSessionStart(additionalContext) {
     }) + "\n"
   );
 }
+var HOOK_COMMANDS = {
+  SessionStart: "sechroom hook session-start",
+  PreCompact: "sechroom hook pre-compact"
+};
+var HOOK_EVENTS = ["SessionStart", "PreCompact"];
+function hasHookCommand(config2, event, command) {
+  const groups = config2.hooks?.[event] ?? [];
+  return groups.some((g) => (g.hooks ?? []).some((h) => h.type === "command" && h.command === command));
+}
+function mergeHooks(config2) {
+  config2.hooks ??= {};
+  let added = 0;
+  for (const event of HOOK_EVENTS) {
+    const command = HOOK_COMMANDS[event];
+    if (hasHookCommand(config2, event, command)) continue;
+    const groups = config2.hooks[event] ??= [];
+    groups.push({ hooks: [{ type: "command", command }] });
+    added += 1;
+  }
+  return added;
+}
+function readJsonConfig(path) {
+  if (!existsSync4(path)) return {};
+  const raw = readFileSync3(path, "utf8");
+  if (!raw.trim()) return {};
+  return JSON.parse(raw);
+}
+function installHooksJson(path, dryRun) {
+  const existed = existsSync4(path) && readFileSync3(path, "utf8").trim().length > 0;
+  const config2 = readJsonConfig(path);
+  const added = mergeHooks(config2);
+  if (added === 0 && existed) return { path, status: "current" };
+  if (!dryRun) {
+    mkdirSync3(dirname4(path), { recursive: true });
+    writeFileSync3(path, JSON.stringify(config2, null, 2) + "\n");
+  }
+  return { path, status: existed ? "merged" : "created" };
+}
+function ensureCodexFeaturesHooks(content) {
+  const lines = content.split("\n");
+  const headerIdx = lines.findIndex((l) => l.trim() === "[features]");
+  if (headerIdx === -1) {
+    const base = content.length === 0 || content.endsWith("\n") ? content : content + "\n";
+    return { next: base + "\n[features]\nhooks = true\n", changed: true };
+  }
+  for (let i = headerIdx + 1; i < lines.length; i += 1) {
+    const trimmed = lines[i].trim();
+    if (trimmed.startsWith("[") && trimmed.endsWith("]")) break;
+    const m = lines[i].match(/^(\s*)hooks(\s*)=(\s*)(.*)$/);
+    if (!m) continue;
+    const value = m[4].replace(/\s*#.*$/, "").trim();
+    if (value === "true") return { next: content, changed: false };
+    lines[i] = `${m[1]}hooks${m[2]}=${m[3]}true`;
+    return { next: lines.join("\n"), changed: true };
+  }
+  lines.splice(headerIdx + 1, 0, "hooks = true");
+  return { next: lines.join("\n"), changed: true };
+}
+function installCodexFeatureFlag(path, dryRun) {
+  const existed = existsSync4(path);
+  const content = existed ? readFileSync3(path, "utf8") : "";
+  const { next, changed } = ensureCodexFeaturesHooks(content);
+  if (!changed) return { path, status: "current" };
+  if (!dryRun) {
+    mkdirSync3(dirname4(path), { recursive: true });
+    writeFileSync3(path, next);
+  }
+  return { path, status: existed ? "merged" : "created" };
+}
+function resolveSurfaces(surface, cwd) {
+  if (surface === "claude") return ["claude"];
+  if (surface === "codex") return ["codex"];
+  if (surface === "both") return ["claude", "codex"];
+  if (surface) throw new Error(`--surface must be one of claude | codex | both (got '${surface}')`);
+  const detected = detectInstalledClients(cwd);
+  const surfaces = [];
+  if (detected.includes("claude-code")) surfaces.push("claude");
+  if (detected.includes("codex")) surfaces.push("codex");
+  return surfaces.length > 0 ? surfaces : ["claude", "codex"];
+}
+function describe(result, dryRun) {
+  if (result.status === "current") return `  \u2713 ${result.path} (already configured)`;
+  const verb = dryRun ? "would" : result.status === "created" ? "created" : "updated";
+  return `  \u2713 ${result.path} (${dryRun ? `${verb} ${result.status === "created" ? "create" : "update"}` : verb})`;
+}
 function registerHook(program2) {
   const hook = program2.command("hook").description("Agent-lifecycle hook adapter (Claude Code / Codex) \u2014 bridges hooks to continuity");
   hook.addHelpText(
     "after",
     `
 Examples:
-  # Wire into a SessionStart hook (the surface pipes the hook payload on stdin):
+  # SessionStart (load): inject the lane's latest snapshot as context.
   $ echo '{"hook_event_name":"SessionStart","cwd":"'"$PWD"'"}' | sechroom hook session-start
-  $ sechroom hook session-start --lane claude-code-chris        override the .sem pin
+  # PreCompact (save): snapshot from ./${INTENT_FILE} before the agent compacts.
+  $ echo '{"hook_event_name":"PreCompact","cwd":"'"$PWD"'"}' | sechroom hook pre-compact
+  # Wire both hooks into the installed surface(s)' config (no hand-editing):
+  $ sechroom hook install                       auto-detect Claude Code / Codex
+  $ sechroom hook install --surface codex        Codex only
+  $ sechroom hook install --local --dry-run      preview the project .claude/settings.json
 
 Lane source (high -> low): --lane  >  SECHROOM_LANE  >  ./.sem code-lane (D-binding-5).
-Fail-soft: no lane / no auth / API error -> exit 0, no context injected, never blocks.`
+Fail-soft: no lane / no auth / no-or-partial intent file / API error -> exit 0, never blocks.`
   );
   hook.command("session-start").description("Resume the checkout's lane and emit continuity context for a SessionStart hook").option("--lane <laneId>", "Override the resolved lane (else SECHROOM_LANE, else ./.sem code-lane)").option("--surface <surface>", "Target surface: claude | codex (output is identical for session-start)", "claude").option("--max-artifacts <n>", "Cap artifacts in the resume bundle").action(async (opts, cmd) => {
     try {
@@ -1734,6 +2069,88 @@ Fail-soft: no lane / no auth / API error -> exit 0, no context injected, never b
       return process.exit(0);
     }
   });
+  hook.command("pre-compact").description("Save a continuity snapshot from the agent-maintained intent file on a PreCompact hook").option("--lane <laneId>", "Override the resolved lane (else SECHROOM_LANE, else ./.sem code-lane)").option("--scope <scope>", "Snapshot scope (else the intent file's `scope`, else 'compaction')").option("--surface <surface>", "Target surface: claude | codex (lifecycle-only on both)", "claude").action(async (opts, cmd) => {
+    try {
+      const raw = await readStdin();
+      const input = parseHookInput(raw);
+      const cwd = input.cwd ?? process.cwd();
+      const lane = resolveLane(opts.lane, input.cwd);
+      if (!lane) return process.exit(0);
+      const intent = readIntent(cwd);
+      if (!intent || !hasRequiredIntent(intent)) return process.exit(0);
+      const cfg = resolveConfig(cmd.optsWithGlobals());
+      const client = await makeClient(cfg);
+      await client.POST("/continuity/snapshots", {
+        body: {
+          laneId: lane,
+          scope: opts.scope ?? intent.scope ?? "compaction",
+          currentObjective: intent.objective,
+          currentState: intent.state,
+          lastMeaningfulAction: intent.lastAction,
+          nextIntendedAction: intent.nextAction,
+          resumeInstruction: intent.resumeInstruction,
+          activeConstraints: intent.constraints ?? null,
+          openQuestions: intent.questions ?? null,
+          surfaceMarkers: intent.surfaceMarkers ?? null,
+          relevantArtifactIds: intent.artifacts ?? null,
+          confidence: intent.confidence ?? null,
+          // Compaction is infrequent, so the FR-051 clobber guard doesn't bite;
+          // Acknowledge lets a within-window checkpoint land on the lane.
+          concurrentSessionPolicy: "Acknowledge"
+        }
+      });
+      return process.exit(0);
+    } catch {
+      return process.exit(0);
+    }
+  });
+  hook.command("install").description("Wire the session-start + pre-compact hooks into Claude Code and/or Codex config").option("--surface <surface>", "Target surface: claude | codex | both (default: auto-detect installed surfaces)").option("--local", "Claude Code only: write <cwd>/.claude/settings.json instead of ~/.claude/settings.json").option("--dry-run", "Print what would change; write nothing").action((opts) => {
+    const dryRun = Boolean(opts.dryRun);
+    const cwd = process.cwd();
+    let surfaces;
+    try {
+      surfaces = resolveSurfaces(opts.surface, cwd);
+    } catch (err2) {
+      process.stderr.write(`${err2.message}
+`);
+      return process.exit(2);
+    }
+    const home = homedir3();
+    const results = [];
+    try {
+      for (const surface of surfaces) {
+        if (surface === "claude") {
+          const path = opts.local ? join4(cwd, ".claude", "settings.json") : join4(home, ".claude", "settings.json");
+          process.stdout.write(`Claude Code:
+`);
+          const r = installHooksJson(path, dryRun);
+          results.push(r);
+          process.stdout.write(describe(r, dryRun) + "\n");
+        } else {
+          process.stdout.write(`Codex:
+`);
+          const hooksJson = installHooksJson(join4(home, ".codex", "hooks.json"), dryRun);
+          results.push(hooksJson);
+          process.stdout.write(describe(hooksJson, dryRun) + "\n");
+          const featureFlag = installCodexFeatureFlag(join4(home, ".codex", "config.toml"), dryRun);
+          results.push(featureFlag);
+          process.stdout.write(describe(featureFlag, dryRun) + "\n");
+        }
+      }
+    } catch (err2) {
+      process.stderr.write(`hook install failed: ${err2.message}
+`);
+      return process.exit(1);
+    }
+    if (dryRun) {
+      process.stdout.write("\n(dry run \u2014 no files were written.)\n");
+    } else if (results.every((r) => r.status === "current")) {
+      process.stdout.write("\nAlready up to date \u2014 nothing to change.\n");
+    } else {
+      process.stdout.write("\nRestart (or reload) your agent for the hooks to take effect.\n");
+    }
+    return process.exit(0);
+  });
 }
 
 // src/commands/account.ts
@@ -1953,129 +2370,8 @@ Examples:
 
 // src/setup/apply.ts
 import { createHash as createHash2 } from "crypto";
-import { mkdirSync as mkdirSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync3 } from "fs";
-import { dirname as dirname3 } from "path";
-
-// src/setup/operator-surface.ts
-var SectionType = {
-  McpConfig: "mcp-config",
-  McpConfigToml: "mcp-config-toml",
-  InstructionFile: "instruction-file",
-  ProjectConfig: "project-config",
-  Verify: "verify",
-  /** SBC-999 — workspace-pinned conventions, emitted only when the request
-   *  carried a workspaceId and that workspace has agent-setup-bundle memories. */
-  WorkspaceConventions: "workspace-conventions"
-};
-async function fetchSetup(cfg) {
-  const client = await makeClient(cfg);
-  const { data, error } = await client.GET(
-    "/operator-surface/setup",
-    cfg.workspaceId ? { params: { query: { workspaceId: cfg.workspaceId } } } : {}
-  );
-  if (error) throw new Error(`GET /operator-surface/setup failed: ${JSON.stringify(error)}`);
-  return data;
-}
-function findSurface(setup, surfaceKey) {
-  return setup.surfaces.find((s) => s.surfaceKey === surfaceKey);
-}
-function findSection(surface, sectionType) {
-  return surface?.sections.find((s) => s.sectionType === sectionType);
-}
-function sectionSnippet(section) {
-  if (!section) return null;
-  for (const step of section.steps) {
-    if (step.copyValue) return step.copyValue;
-    if (step.codeSnippet) return step.codeSnippet;
-  }
-  return null;
-}
-function parseTagArtifactId(id) {
-  if (!id.startsWith("tag:")) return null;
-  const tags = id.slice("tag:".length).split(",").map((t) => t.trim()).filter((t) => t.length > 0);
-  return tags.length > 0 ? tags : null;
-}
-async function getPersonalWorkspaceId(cfg) {
-  const client = await makeClient(cfg);
-  const { data } = await client.GET("/me/personal-workspace", {});
-  return data?.workspaceId ?? null;
-}
-async function fetchMemoryFields(cfg, id) {
-  const client = await makeClient(cfg);
-  const { data } = await client.GET("/memories/{memoryId}", { params: { path: { memoryId: id } } });
-  const env = data;
-  const m = env?.item ?? env;
-  if (!m) return null;
-  const version = typeof m.currentVersion === "string" ? Number(m.currentVersion) : m.currentVersion;
-  return { text: m.text, title: m.title, tags: m.tags, version: Number.isFinite(version) ? version : void 0 };
-}
-async function resolveInstruction(cfg, section, personalWorkspaceId) {
-  const client = await makeClient(cfg);
-  for (const artifact of section.artifacts) {
-    const tags = parseTagArtifactId(artifact.id);
-    if (!tags) continue;
-    const { data } = await client.POST("/memories/search", {
-      body: { query: null, textQuery: null, semanticQuery: null, hybrid: false, limit: 1, includeArchived: false, includeSystem: false, tags }
-    });
-    const hits = data ?? [];
-    if (hits.length === 0) continue;
-    const templateId = hits[0].id;
-    const template = await fetchMemoryFields(cfg, templateId);
-    if (typeof template?.text !== "string" || template.text.length === 0) continue;
-    const templateTags = template.tags ?? tags;
-    if (personalWorkspaceId) {
-      const { data: ovr } = await client.POST("/memories/search", {
-        body: { query: null, textQuery: null, semanticQuery: null, hybrid: false, limit: 1, includeArchived: false, includeSystem: false, tags: ["sechroom:role:override", `sechroom:template-ref:${templateId}`], owner: { type: "Workspace", id: personalWorkspaceId } }
-      });
-      const ovrHits = ovr ?? [];
-      if (ovrHits.length > 0) {
-        const override = await fetchMemoryFields(cfg, ovrHits[0].id);
-        if (typeof override?.text === "string" && override.text.length > 0) {
-          return { title: override.title ?? template.title ?? artifact.title, body: override.text, source: "override", templateId, templateTags, sourceRef: `${ovrHits[0].id}@v${override.version ?? 1}` };
-        }
-      }
-    }
-    return { title: template.title ?? artifact.title, body: template.text, source: "template", templateId, templateTags, sourceRef: `${templateId}@v${template.version ?? 1}` };
-  }
-  return null;
-}
-async function resolveWorkspaceConventions(cfg, section) {
-  const parts = [];
-  const refs = [];
-  for (const artifact of section.artifacts) {
-    if (parseTagArtifactId(artifact.id)) continue;
-    const mem = await fetchMemoryFields(cfg, artifact.id);
-    if (typeof mem?.text === "string" && mem.text.trim().length > 0) {
-      parts.push(mem.text.trim());
-      refs.push(`${artifact.id}@v${mem.version ?? 1}`);
-    }
-  }
-  if (parts.length === 0) return null;
-  return { body: parts.join("\n\n---\n\n"), refs };
-}
-async function createOverride(cfg, template, personalWorkspaceId) {
-  const client = await makeClient(cfg);
-  const overrideTags = template.templateTags.filter(
-    (t) => t !== "sechroom:role:template" && !t.startsWith("sechroom:bundle:") && !t.startsWith("sechroom:template-ref:")
-  );
-  overrideTags.push("sechroom:role:override", `sechroom:template-ref:${template.templateId}`);
-  const { error } = await client.POST("/memories", {
-    body: {
-      text: template.body,
-      type: "reference",
-      content: "{}",
-      confidence: 1,
-      source: "cli-agent-instructions-customize",
-      archetype: "Document",
-      title: template.title ?? null,
-      tags: overrideTags,
-      owner: { type: "Workspace", id: personalWorkspaceId }
-    }
-  });
-  if (error) throw new Error(`creating personal copy failed: ${JSON.stringify(error)}`);
-}
-
-// src/setup/apply.ts
+import { mkdirSync as mkdirSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync4, existsSync as existsSync5 } from "fs";
+import { dirname as dirname5 } from "path";
 var MARKER_BEGIN = "<!-- @sechroom/cli:begin";
 var MARKER_END = "<!-- @sechroom/cli:end";
 function normalizeBody(s) {
@@ -2128,22 +2424,22 @@ function parseManagedBlock(content, block) {
   return null;
 }
 function ensureDir2(path) {
-  mkdirSync3(dirname3(path), { recursive: true });
+  mkdirSync4(dirname5(path), { recursive: true });
 }
 function readOr(path, fallback) {
   try {
-    return readFileSync3(path, "utf8");
+    return readFileSync4(path, "utf8");
   } catch {
     return fallback;
   }
 }
 function mergeMcpJson(path, snippet, dryRun) {
   const incoming = JSON.parse(snippet);
-  const existed = existsSync3(path);
+  const existed = existsSync5(path);
   let current = {};
   if (existed) {
     try {
-      current = JSON.parse(readFileSync3(path, "utf8"));
+      current = JSON.parse(readFileSync4(path, "utf8"));
     } catch {
       return { kind: "mcp", path, status: "skipped", note: "existing file isn't valid JSON \u2014 left untouched" };
     }
@@ -2151,26 +2447,26 @@ function mergeMcpJson(path, snippet, dryRun) {
   current.mcpServers = { ...current.mcpServers ?? {}, ...incoming.mcpServers ?? {} };
   if (dryRun) return { kind: "mcp", path, status: "dry-run" };
   ensureDir2(path);
-  writeFileSync3(path, JSON.stringify(current, null, 2) + "\n", { mode: 384 });
+  writeFileSync4(path, JSON.stringify(current, null, 2) + "\n", { mode: 384 });
   return { kind: "mcp", path, status: existed ? "merged" : "created" };
 }
 function mergeCodexToml(path, snippet, dryRun) {
-  const existed = existsSync3(path);
+  const existed = existsSync5(path);
   let body = readOr(path, "");
   body = body.replace(/(^|\n)\[mcp_servers\.sechroom\][^[]*/, "\n").replace(/\n{3,}/g, "\n\n");
   const trimmed = body.trim();
   const next = (trimmed.length > 0 ? trimmed + "\n\n" : "") + snippet.trim() + "\n";
   if (dryRun) return { kind: "mcp", path, status: "dry-run" };
   ensureDir2(path);
-  writeFileSync3(path, next, { mode: 384 });
+  writeFileSync4(path, next, { mode: 384 });
   return { kind: "mcp", path, status: existed ? "merged" : "created" };
 }
 function writeInstructionBlock(path, write, dryRun) {
-  const existed = existsSync3(path);
+  const existed = existsSync5(path);
   const next = computeBlockFile(readOr(path, ""), write);
   if (dryRun) return { kind: "instruction", path, status: "dry-run" };
   ensureDir2(path);
-  writeFileSync3(path, next);
+  writeFileSync4(path, next);
   return { kind: "instruction", path, status: existed ? "merged" : "created" };
 }
 function computeBlockFile(current, write) {
@@ -2211,7 +2507,7 @@ function applyBlock(path, write, mode, dryRun) {
     const next = computeBlockFile(current, write);
     if (!dryRun) {
       ensureDir2(proposedPath);
-      writeFileSync3(proposedPath, next);
+      writeFileSync4(proposedPath, next);
     }
     return {
       kind: "instruction",
@@ -2281,65 +2577,10 @@ async function applyClient(cfg, setup, target, opts) {
   return actions;
 }
 
-// src/setup/clients.ts
-import { existsSync as existsSync4 } from "fs";
-import { homedir as homedir2 } from "os";
-import { dirname as dirname4, join as join3 } from "path";
-function claudeDesktopConfigPath(home) {
-  switch (process.platform) {
-    case "darwin":
-      return join3(home, "Library", "Application Support", "Claude", "claude_desktop_config.json");
-    case "win32":
-      return join3(process.env.APPDATA ?? join3(home, "AppData", "Roaming"), "Claude", "claude_desktop_config.json");
-    default:
-      return join3(home, ".config", "Claude", "claude_desktop_config.json");
-  }
-}
-function clientTargets(cwd) {
-  const home = homedir2();
-  return {
-    "claude-code": {
-      key: "claude-code",
-      label: "Claude Code",
-      mcp: { surfaceKey: "claude-code", sectionType: SectionType.McpConfig, path: join3(cwd, ".mcp.json"), format: "json" },
-      instruction: { surfaceKey: "claude-code", path: join3(cwd, "CLAUDE.md") }
-    },
-    "claude-desktop": {
-      key: "claude-desktop",
-      label: "Claude Desktop",
-      mcp: { surfaceKey: "claude-desktop", sectionType: SectionType.McpConfig, path: claudeDesktopConfigPath(home), format: "json" },
-      instruction: { surfaceKey: "claude-desktop", path: join3(home, ".claude", "CLAUDE.md") }
-    },
-    codex: {
-      key: "codex",
-      label: "Codex CLI",
-      mcp: { surfaceKey: "chatgpt", sectionType: SectionType.McpConfigToml, path: join3(home, ".codex", "config.toml"), format: "toml" },
-      instruction: { surfaceKey: "chatgpt", path: join3(cwd, "AGENTS.md") }
-    },
-    cursor: {
-      key: "cursor",
-      label: "Cursor",
-      mcp: { surfaceKey: "claude-code", sectionType: SectionType.McpConfig, path: join3(cwd, ".cursor", "mcp.json"), format: "json" },
-      instruction: { surfaceKey: "chatgpt", path: join3(cwd, "AGENTS.md") }
-    }
-  };
-}
-var ALL_CLIENT_KEYS = ["claude-code", "claude-desktop", "codex", "cursor"];
-var DEFAULT_CLIENT_KEY = "claude-code";
-function detectInstalledClients(cwd) {
-  const home = homedir2();
-  const detected = [];
-  if (existsSync4(join3(home, ".claude"))) detected.push("claude-code");
-  if (existsSync4(dirname4(claudeDesktopConfigPath(home)))) detected.push("claude-desktop");
-  if (existsSync4(join3(home, ".codex"))) detected.push("codex");
-  if (existsSync4(join3(home, ".cursor")) || existsSync4(join3(cwd, ".cursor"))) detected.push("cursor");
-  return detected;
-}
-
 // src/setup/skills-offer.ts
-import { mkdirSync as mkdirSync4, writeFileSync as writeFileSync4 } from "fs";
-import { homedir as homedir3 } from "os";
-import { join as join4 } from "path";
+import { mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
+import { homedir as homedir4 } from "os";
+import { join as join5 } from "path";
 
 // src/setup/lane-pin.ts
 var CODE_LANE_PREFIX_BY_CLIENT = {
@@ -2365,7 +2606,7 @@ function writePin(code, design) {
   if (design) values["design-lane"] = design;
   if (Object.keys(values).length === 0) return;
   const target = writeSem(values);
-  process.stderr.write(`${ok("\u2713")} lane pin written \u2192 ${target} ${style.dim("(./.sem, git-ignored)")}
+  process.stderr.write(`${ok("\u2713")} lane pin written \u2192 ${target} ${style.dim("(./.sechroom/lane.json, git-ignored)")}
 `);
 }
 async function ensureLanePin(cfg, opts) {
@@ -2454,14 +2695,14 @@ async function maybeOfferSkills(cfg, personalWorkspaceId, opts) {
 Found ${style.bold(String(names.length))} operator skill(s) installed in your workspace: ${names.join(", ")}.
 `
   );
-  const dir = join4(homedir3(), ".claude", "skills");
+  const dir = join5(homedir4(), ".claude", "skills");
   const materialise = opts.yes ? true : canPrompt() ? await promptYesNo(`Write them to ${dir}/ so ${surface} can use them?`) : false;
   if (!materialise) return;
   const written = [];
   for (const [name, m] of byName) {
     const body = m.text ?? m.Text ?? "";
-    mkdirSync4(join4(dir, name), { recursive: true });
-    writeFileSync4(join4(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
+    mkdirSync5(join5(dir, name), { recursive: true });
+    writeFileSync5(join5(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
     written.push(name);
   }
   process.stderr.write(`${style.green("\u2713")} wrote ${written.length} skill(s) to ${dir}
@@ -2791,7 +3032,7 @@ async function ensureTenant(baseUrl, g, opts) {
       "Where should this tenant + base URL be saved?",
       [
         { label: "Globally", value: "global", hint: "all projects on this machine" },
-        { label: "This directory", value: "local", hint: ".sechroom.json \u2014 project + subdirs" }
+        { label: "This directory", value: "local", hint: ".sechroom/config.json \u2014 project + subdirs" }
       ],
       local.path ? "local" : "global"
     ) === "local";
@@ -2867,14 +3108,14 @@ async function chooseClients(clientFlag, yes, cwd) {
   return picks.length > 0 ? picks : preselected;
 }
 function registerOnboard(program2) {
-  program2.command("onboard").description("Guided first-run setup: configure, sign in, set timezone, detect clients, and wire this project").option("--client <list>", `comma-separated clients (${ALL_CLIENT_KEYS.join(", ")}) or 'all' (default: auto-detected)`).option("--local", "save tenant + base URL to a directory-local .sechroom.json instead of the global config", false).option("--workspace <id>", "bind this directory to a workspace (skips the interactive workspace pick)").option("--cli-only", "configure the CLI only \u2014 don't wire any AI client (no MCP config, no agent files)", false).option("--no-mcp", "skip the MCP server config (.mcp.json etc.); still write the agent instruction files").option("--copy", "make a personal copy of the agent instructions you can edit (default: prompt on a TTY, else skip)").option("--dry-run", "walk through without writing files or changing the profile", false).option("--refresh", "re-fetch descriptors and refresh any out-of-date managed blocks (local edits preserved to .proposed)", false).option("--force", "rewrite every managed block, overwriting local edits inside the markers (content outside untouched)", false).option("--check", "report whether anything would change and exit (0 = all current, 1 = stale/drift/absent); writes nothing", false).option("-y, --yes", "non-interactive: accept defaults (system timezone, detected clients, global config, full wire)", false).addHelpText(
+  program2.command("onboard").description("Guided first-run setup: configure, sign in, set timezone, detect clients, and wire this project").option("--client <list>", `comma-separated clients (${ALL_CLIENT_KEYS.join(", ")}) or 'all' (default: auto-detected)`).option("--local", "save tenant + base URL to a directory-local .sechroom/config.json instead of the global config", false).option("--workspace <id>", "bind this directory to a workspace (skips the interactive workspace pick)").option("--cli-only", "configure the CLI only \u2014 don't wire any AI client (no MCP config, no agent files)", false).option("--no-mcp", "skip the MCP server config (.mcp.json etc.); still write the agent instruction files").option("--copy", "make a personal copy of the agent instructions you can edit (default: prompt on a TTY, else skip)").option("--dry-run", "walk through without writing files or changing the profile", false).option("--refresh", "re-fetch descriptors and refresh any out-of-date managed blocks (local edits preserved to .proposed)", false).option("--force", "rewrite every managed block, overwriting local edits inside the markers (content outside untouched)", false).option("--check", "report whether anything would change and exit (0 = all current, 1 = stale/drift/absent); writes nothing", false).option("-y, --yes", "non-interactive: accept defaults (system timezone, detected clients, global config, full wire)", false).addHelpText(
     "after",
     `
 Examples:
   $ sechroom onboard                    guided, interactive (asks where to save config + how to wire)
   $ sechroom onboard --cli-only         just the CLI \u2014 no .mcp.json, no agent files
   $ sechroom onboard --no-mcp           agent instructions only, skip MCP config
-  $ sechroom onboard --local            save tenant + base URL to ./.sechroom.json
+  $ sechroom onboard --local            save tenant + base URL to ./.sechroom/config.json
   $ sechroom onboard --workspace wsp_XX  bind this directory to a workspace (no pick prompt)
   $ sechroom onboard --refresh          refresh out-of-date instruction blocks in place
   $ sechroom onboard --check            CI/pre-commit: nonzero exit if instructions are out of date
@@ -3034,14 +3275,14 @@ ${style.bold("Next:")} paste this into your AI agent to get going \u2014
 }
 
 // src/commands/skills.ts
-import { homedir as homedir4 } from "os";
-import { join as join5 } from "path";
-import { mkdirSync as mkdirSync5, writeFileSync as writeFileSync5, rmSync as rmSync2, existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
+import { homedir as homedir5 } from "os";
+import { join as join6 } from "path";
+import { mkdirSync as mkdirSync6, writeFileSync as writeFileSync6, rmSync as rmSync2, existsSync as existsSync6, readFileSync as readFileSync5 } from "fs";
 var DEFAULT_SLUG = "operator-skills";
 var ROLE_TAGS = ["sechroom:role:skill-template", "role:skill-template"];
 var LOCK = ".sechroom-skills.json";
 function skillsDir(global) {
-  return global ? join5(homedir4(), ".claude", "skills") : join5(process.cwd(), ".claude", "skills");
+  return global ? join6(homedir5(), ".claude", "skills") : join6(process.cwd(), ".claude", "skills");
 }
 function tagValue2(tags, prefix) {
   return (tags ?? []).find((t) => t.startsWith(prefix))?.slice(prefix.length);
@@ -3119,15 +3360,15 @@ Examples:
       const name = tagValue2(tags, "skill:");
       if (!name) continue;
       const body = m.text ?? m.Text ?? "";
-      mkdirSync5(join5(dir, name), { recursive: true });
-      writeFileSync5(join5(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
+      mkdirSync6(join6(dir, name), { recursive: true });
+      writeFileSync6(join6(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
       written.push(name);
     }
-    mkdirSync5(dir, { recursive: true });
-    const lockPath = join5(dir, LOCK);
-    const lock = existsSync5(lockPath) ? JSON.parse(readFileSync4(lockPath, "utf8")) : {};
+    mkdirSync6(dir, { recursive: true });
+    const lockPath = join6(dir, LOCK);
+    const lock = existsSync6(lockPath) ? JSON.parse(readFileSync5(lockPath, "utf8")) : {};
     lock[slug] = { surface: opts.surface, version, instance: wantInstance, skills: written.sort() };
-    writeFileSync5(lockPath, JSON.stringify(lock, null, 2) + "\n");
+    writeFileSync6(lockPath, JSON.stringify(lock, null, 2) + "\n");
     if (opts.json) return emit({ slug, version, instance: wantInstance, surface: opts.surface, dir, installed: written }, true);
     const instanceNote = opts.instance ? ` (${opts.instance})` : "";
     console.log(style.green(`Installed ${slug}@${version}${instanceNote} \u2014 ${written.length} skill(s) \u2192 ${dir}`));
@@ -3149,28 +3390,28 @@ Examples:
   skills.command("clean [slug]").description(`Remove materialised skill files written by install (default ${DEFAULT_SLUG})`).option("--local", "clean ./.claude/skills instead of ~/.claude/skills").option("--json", "machine output").action(async (slugArg, opts) => {
     const slug = slugArg || DEFAULT_SLUG;
     const dir = skillsDir(!opts.local);
-    const lockPath = join5(dir, LOCK);
-    if (!existsSync5(lockPath)) fail(`No skills lockfile at ${lockPath}; nothing to clean.`);
-    const lock = JSON.parse(readFileSync4(lockPath, "utf8"));
+    const lockPath = join6(dir, LOCK);
+    if (!existsSync6(lockPath)) fail(`No skills lockfile at ${lockPath}; nothing to clean.`);
+    const lock = JSON.parse(readFileSync5(lockPath, "utf8"));
     const entry = lock[slug];
     if (!entry) fail(`No installed record for '${slug}' in ${lockPath}.`);
     const removed = [];
     for (const name of entry.skills) {
-      const skillPath = join5(dir, name);
-      if (existsSync5(skillPath)) {
+      const skillPath = join6(dir, name);
+      if (existsSync6(skillPath)) {
         rmSync2(skillPath, { recursive: true, force: true });
         removed.push(name);
       }
     }
     delete lock[slug];
-    writeFileSync5(lockPath, JSON.stringify(lock, null, 2) + "\n");
+    writeFileSync6(lockPath, JSON.stringify(lock, null, 2) + "\n");
     if (opts.json) return emit({ slug, removed, dir }, true);
     console.log(style.green(`Removed ${removed.length} skill(s) for ${slug} from ${dir}`));
   });
-  skills.command("set-lane").description("Write this checkout's lane pin to a local ./.sem file (read at runtime by skills)").option("--code-lane <id>", "code-surface lane id (e.g. claude-code-chris)").option("--design-lane <id>", "design / substrate-authoring lane id (e.g. claude-design-chris)").option("--json", "machine output").action((opts, cmd) => {
+  skills.command("set-lane").description("Write this checkout's lane pin to a local ./.sechroom/lane.json file (read at runtime by skills)").option("--code-lane <id>", "code-surface lane id (e.g. claude-code-chris)").option("--design-lane <id>", "design / substrate-authoring lane id (e.g. claude-design-chris)").option("--json", "machine output").action((opts, cmd) => {
     if (!opts.codeLane && !opts.designLane) fail("Provide --code-lane and/or --design-lane.");
     const target = localSemPath();
-    const values = readSem(target)?.values ?? {};
+    const values = readLocalSemValues();
     if (opts.codeLane) values["code-lane"] = opts.codeLane;
     if (opts.designLane) values["design-lane"] = opts.designLane;
     writeSem(values, target);
@@ -3178,12 +3419,12 @@ Examples:
     console.log(style.green(`Wrote lane pin \u2192 ${target} ${style.dim("(git-ignored)")}`));
     Object.entries(values).forEach(([k, v]) => console.log("  " + style.dim(k) + " = " + v));
   });
-  skills.command("lane").description("Show the lane pin resolved from ./.sem (nearest in this checkout)").option("--json", "machine output").action((opts, cmd) => {
+  skills.command("lane").description("Show the lane pin resolved from ./.sechroom/lane.json (nearest in this checkout; legacy ./.sem honoured)").option("--json", "machine output").action((opts, cmd) => {
     const json = cmd.optsWithGlobals().json;
     const found = readSem();
     if (!found) {
       if (json) return emit({ path: null, values: {} }, true);
-      return console.log(style.dim(`No ./.sem pin in this checkout. Run 'sechroom skills set-lane'.`));
+      return console.log(style.dim(`No ./.sechroom/lane.json pin in this checkout. Run 'sechroom skills set-lane'.`));
     }
     if (json) return emit(found, true);
     console.log(style.dim(`from ${found.path}`));
@@ -3252,22 +3493,22 @@ Examples:
 }
 
 // src/commands/reset.ts
-import { homedir as homedir5 } from "os";
-import { join as join6 } from "path";
-import { existsSync as existsSync6, readFileSync as readFileSync5, rmSync as rmSync3 } from "fs";
+import { homedir as homedir6 } from "os";
+import { join as join7 } from "path";
+import { existsSync as existsSync7, readFileSync as readFileSync6, rmSync as rmSync3 } from "fs";
 var SKILLS_LOCK = ".sechroom-skills.json";
-var localSkillsDir = () => join6(process.cwd(), ".claude", "skills");
-var globalSkillsDir = () => join6(homedir5(), ".claude", "skills");
+var localSkillsDir = () => join7(process.cwd(), ".claude", "skills");
+var globalSkillsDir = () => join7(homedir6(), ".claude", "skills");
 function removeMaterialisedSkills(dir) {
   const removed = [];
-  const lockPath = join6(dir, SKILLS_LOCK);
-  if (!existsSync6(lockPath)) return removed;
+  const lockPath = join7(dir, SKILLS_LOCK);
+  if (!existsSync7(lockPath)) return removed;
   try {
-    const lock = JSON.parse(readFileSync5(lockPath, "utf8"));
+    const lock = JSON.parse(readFileSync6(lockPath, "utf8"));
     for (const entry of Object.values(lock)) {
       for (const name of entry.skills ?? []) {
-        const p = join6(dir, name);
-        if (existsSync6(p)) {
+        const p = join7(dir, name);
+        if (existsSync7(p)) {
           rmSync3(p, { recursive: true, force: true });
           removed.push(p);
         }
@@ -3287,26 +3528,31 @@ function registerReset(program2) {
       removed ? style.green("Signed out \u2014 auth token removed.") : style.dim("Already signed out (no token).")
     );
   });
-  program2.command("reset").description("Reset LOCAL CLI state for this directory (./.sechroom.json, ./.sem, ./.claude/skills); --global also wipes the machine-wide token + config + ~/.claude/skills").option("--global", "also remove the global auth token, config, and ~/.claude/skills").option("-y, --yes", "don't prompt for confirmation").option("--json", "machine output").action(async (opts, cmd) => {
+  program2.command("reset").description("Reset LOCAL CLI state for this directory (./.sechroom/, legacy ./.sechroom.json + ./.sem, ./.claude/skills); --global also wipes the machine-wide token + config + ~/.claude/skills").option("--global", "also remove the global auth token, config, and ~/.claude/skills").option("-y, --yes", "don't prompt for confirmation").option("--json", "machine output").action(async (opts, cmd) => {
     const json = cmd.optsWithGlobals().json;
     const global = Boolean(opts.global);
     if (!opts.yes && canPrompt()) {
-      const scope = global ? "this directory's local state AND your global auth token + config + ~/.claude/skills" : "this directory's local state (./.sechroom.json, ./.sem, ./.claude/skills)";
+      const scope = global ? "this directory's local state AND your global auth token + config + ~/.claude/skills" : "this directory's local state (./.sechroom/, legacy ./.sechroom.json + ./.sem, ./.claude/skills)";
       if (!await promptYesNo(`Remove ${scope}?`)) {
         if (!json) console.log(style.dim("Cancelled."));
         return;
       }
     }
     const removed = [];
-    const localCfg = join6(process.cwd(), ".sechroom.json");
-    if (existsSync6(localCfg)) {
-      rmSync3(localCfg, { force: true });
-      removed.push(localCfg);
+    const stateDir = join7(process.cwd(), ".sechroom");
+    if (existsSync7(stateDir)) {
+      rmSync3(stateDir, { recursive: true, force: true });
+      removed.push(stateDir);
+    }
+    const legacyCfg = join7(process.cwd(), ".sechroom.json");
+    if (existsSync7(legacyCfg)) {
+      rmSync3(legacyCfg, { force: true });
+      removed.push(legacyCfg);
     }
-    const sem = localSemPath();
-    if (existsSync6(sem)) {
-      rmSync3(sem, { force: true });
-      removed.push(sem);
+    const legacySem = join7(process.cwd(), ".sem");
+    if (existsSync7(legacySem)) {
+      rmSync3(legacySem, { force: true });
+      removed.push(legacySem);
     }
     removed.push(...removeMaterialisedSkills(localSkillsDir()));
     if (global) {
@@ -3331,7 +3577,7 @@ function registerReset(program2) {
 function resolveVersion() {
   try {
     const pkg = JSON.parse(
-      readFileSync6(new URL("../package.json", import.meta.url), "utf8")
+      readFileSync7(new URL("../package.json", import.meta.url), "utf8")
     );
     return pkg.version ?? "0.0.0";
   } catch {
@@ -3347,7 +3593,7 @@ Examples:
   $ sechroom onboard                              guided first-run: configure, sign in, wire this project
   $ sechroom login                                sign in via browser (OAuth + PKCE)
   $ sechroom config set tenant ocd                set your tenant (global)
-  $ sechroom config set --local tenant cli-smoke  pin tenant for this directory (.sechroom.json)
+  $ sechroom config set --local tenant cli-smoke  pin tenant for this directory (.sechroom/config.json)
   $ sechroom config show                          resolved config + which source won
 
   $ sechroom memory create --text "a note" --title "Note" --tag idea
@@ -3359,7 +3605,7 @@ Examples:
   $ sechroom --json memory search "auth"           compact JSON for scripts and agents
   $ SECHROOM_TOKEN=<bearer> sechroom --json memory get mem_XXXX    headless
 
-Config precedence (high -> low): --flag  >  env (SECHROOM_*)  >  ./.sechroom.json  >  global  >  default.
+Config precedence (high -> low): --flag  >  env (SECHROOM_*)  >  ./.sechroom/config.json (legacy ./.sechroom.json)  >  global  >  default.
 Run 'sechroom <command> --help' for command-specific examples.`
 );
 program.hook("preAction", (_thisCmd, actionCmd) => {
@@ -3385,11 +3631,11 @@ config.addHelpText(
 Examples:
   $ sechroom config set baseUrl https://app.sechroom.ai/api   prod (staging: https://staging.app.sechroom.ai/api)
   $ sechroom config set tenant ocd
-  $ sechroom config set --local tenant cli-smoke              this dir + subdirs (.sechroom.json)
+  $ sechroom config set --local tenant cli-smoke              this dir + subdirs (.sechroom/config.json)
   $ sechroom config set clientId dyn-XXXX                     global-only escape hatch (no DCR endpoint)
   $ sechroom config show --json`
 );
-config.command("set <key> <value>").description("Set baseUrl | tenant | workspaceId | defaultProjectId | clientId (clientId is global-only)").option("--local", "Write to the directory-local .sechroom.json (nearest up the tree, else cwd) instead of the global config").action((key, value, opts) => {
+config.command("set <key> <value>").description("Set baseUrl | tenant | workspaceId | defaultProjectId | clientId (clientId is global-only)").option("--local", "Write to the directory-local .sechroom/config.json (nearest up the tree, else cwd; migrates a legacy .sechroom.json) instead of the global config").action((key, value, opts) => {
   if (opts.local) {
     if (!["baseUrl", "tenant", "workspaceId", "defaultProjectId"].includes(key)) {
       process.stderr.write(`--local supports only: baseUrl | tenant | workspaceId | defaultProjectId (clientId is global)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sechroom/cli",
-  "version": "2026.6.18",
+  "version": "2026.6.19",
   "description": "Sechroom CLI — a thin, generated client over the Sechroom HTTP API. An agent/human surface alongside MCP.",
   "type": "module",
   "license": "UNLICENSED",