npm - @sechroom/cli - Versions diffs - 2026.6.19 → 2026.6.20-rc.11acdaab - Mend

@sechroom/cli 2026.6.19 → 2026.6.20-rc.11acdaab

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +542 -127
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 // src/index.ts
-import { readFileSync as readFileSync7 } from "fs";
+import { readFileSync as readFileSync8 } from "fs";
 import { Command } from "commander";
 // src/auth.ts
@@ -11,14 +11,15 @@ import open from "open";
 // src/config.ts
 import { homedir } from "os";
-import { join, dirname, basename } from "path";
+import { join, dirname } from "path";
 import { mkdirSync, readFileSync, writeFileSync, existsSync, rmSync } from "fs";
 var CONFIG_DIR = join(homedir(), ".config", "sechroom");
 var CONFIG_FILE = join(CONFIG_DIR, "config.json");
 var TOKEN_FILE = join(CONFIG_DIR, "token.json");
 var STATE_DIR_NAME = ".sechroom";
-var LOCAL_CONFIG_NAME = join(STATE_DIR_NAME, "config.json");
-var LEGACY_LOCAL_CONFIG_NAME = ".sechroom.json";
+var BASELINE_CONFIG_NAME = ".sechroom.json";
+var OVERRIDE_CONFIG_NAME = join(STATE_DIR_NAME, "config.json");
+var BINDING_FIELDS = ["schemaVersion", "baseUrl", "tenant", "workspaceId", "defaultProjectId"];
 var DEFAULT_BASE_URL = "https://app.sechroom.ai/api";
 var LOCAL_CONFIG_SCHEMA_VERSION = 2;
 function ensureDir() {
@@ -66,54 +67,55 @@ function clearPersisted() {
   rmSync(CONFIG_FILE);
   return CONFIG_FILE;
 }
-function findLocalConfigPath(start = process.cwd()) {
+function readJsonConfig(path) {
+  try {
+    return JSON.parse(readFileSync(path, "utf8"));
+  } catch {
+    return void 0;
+  }
+}
+function findConfigHome(start = process.cwd()) {
   let dir = start;
   for (; ; ) {
-    const candidate = join(dir, LOCAL_CONFIG_NAME);
-    if (existsSync(candidate)) return candidate;
-    const legacy = join(dir, LEGACY_LOCAL_CONFIG_NAME);
-    if (existsSync(legacy)) return legacy;
+    if (existsSync(join(dir, BASELINE_CONFIG_NAME)) || existsSync(join(dir, OVERRIDE_CONFIG_NAME))) return dir;
     const parent = dirname(dir);
     if (parent === dir) return void 0;
     dir = parent;
   }
 }
-function localConfigWritePath(resolvedPath) {
-  const baseDir = resolvedPath ? dirname(resolvedPath) : process.cwd();
-  const dir = basename(baseDir) === STATE_DIR_NAME ? dirname(baseDir) : baseDir;
-  return join(dir, LOCAL_CONFIG_NAME);
-}
 function readLocalConfig() {
-  const path = findLocalConfigPath();
-  if (!path) return {};
-  try {
-    const c = JSON.parse(readFileSync(path, "utf8"));
-    return {
-      schemaVersion: c.schemaVersion,
-      baseUrl: c.baseUrl,
-      tenant: c.tenant,
-      workspaceId: c.workspaceId,
-      defaultProjectId: c.defaultProjectId,
-      path
-    };
-  } catch {
-    return {};
-  }
+  const home = findConfigHome();
+  if (!home) return {};
+  const baselinePath = join(home, BASELINE_CONFIG_NAME);
+  const overridePath = join(home, OVERRIDE_CONFIG_NAME);
+  const merged = { ...readJsonConfig(baselinePath) ?? {}, ...readJsonConfig(overridePath) ?? {} };
+  return {
+    schemaVersion: merged.schemaVersion,
+    baseUrl: merged.baseUrl,
+    tenant: merged.tenant,
+    workspaceId: merged.workspaceId,
+    defaultProjectId: merged.defaultProjectId,
+    path: existsSync(baselinePath) ? baselinePath : overridePath
+  };
 }
 function writeLocalConfig(patch) {
-  const readPath = findLocalConfigPath();
-  let current = {};
-  if (readPath) {
-    try {
-      current = JSON.parse(readFileSync(readPath, "utf8"));
-    } catch {
-    }
-  }
-  const path = localConfigWritePath(readPath);
-  mkdirSync(dirname(path), { recursive: true, mode: 448 });
+  const home = findConfigHome() ?? process.cwd();
+  const baselinePath = join(home, BASELINE_CONFIG_NAME);
+  const overridePath = join(home, OVERRIDE_CONFIG_NAME);
+  const current = readJsonConfig(baselinePath) ?? {};
   const next = { ...current, ...patch, schemaVersion: LOCAL_CONFIG_SCHEMA_VERSION };
-  writeFileSync(path, JSON.stringify(next, null, 2), { mode: 384 });
-  return path;
+  writeFileSync(baselinePath, JSON.stringify(next, null, 2), { mode: 420 });
+  const override = readJsonConfig(overridePath);
+  if (override) {
+    for (const f of BINDING_FIELDS) delete override[f];
+    if (Object.keys(override).length === 0) rmSync(overridePath, { force: true });
+    else writeFileSync(overridePath, JSON.stringify(override, null, 2), { mode: 384 });
+  }
+  return baselinePath;
+}
+function committedBindingPath(dir) {
+  const p = join(dir, BASELINE_CONFIG_NAME);
+  return existsSync(p) ? p : void 0;
 }
 function resolveConfig(flags) {
   const local = readLocalConfig();
@@ -373,8 +375,8 @@ async function promptYesNo(question) {
   const { createInterface } = await import("readline");
   const rl = createInterface({ input: process.stdin, output: process.stderr });
   try {
-    const answer = await new Promise((resolve) => {
-      rl.question(`${question} [y/N] `, resolve);
+    const answer = await new Promise((resolve3) => {
+      rl.question(`${question} [y/N] `, resolve3);
     });
     return /^y(es)?$/i.test(answer.trim());
   } finally {
@@ -387,8 +389,8 @@ async function promptText(question, def) {
   const rl = createInterface({ input: process.stdin, output: process.stderr });
   try {
     const suffix = def ? ` [${def}]` : "";
-    const answer = await new Promise((resolve) => {
-      rl.question(`${question}${suffix} `, resolve);
+    const answer = await new Promise((resolve3) => {
+      rl.question(`${question}${suffix} `, resolve3);
     });
     const trimmed = answer.trim();
     return trimmed.length > 0 ? trimmed : def ?? "";
@@ -414,8 +416,8 @@ async function promptSelect(question, choices, def) {
       process.stderr.write(`  ${marker} ${style.bold(String(i + 1))}. ${c.label}${hint}
 `);
     });
-    const answer = await new Promise((resolve) => {
-      rl.question(`Choose ${style.dim(`[${defIdx + 1}]`)} `, resolve);
+    const answer = await new Promise((resolve3) => {
+      rl.question(`Choose ${style.dim(`[${defIdx + 1}]`)} `, resolve3);
     });
     const trimmed = answer.trim();
     if (!trimmed) return choices[defIdx].value;
@@ -447,8 +449,8 @@ async function promptMultiSelect(question, choices, preselected = []) {
       process.stderr.write(`  ${box} ${style.bold(String(i + 1))}. ${c.label}${hint}
 `);
     });
-    const answer = await new Promise((resolve) => {
-      rl.question(`Select ${style.dim("[Enter = \u25C9]")} `, resolve);
+    const answer = await new Promise((resolve3) => {
+      rl.question(`Select ${style.dim("[Enter = \u25C9]")} `, resolve3);
     });
     const trimmed = answer.trim().toLowerCase();
     if (!trimmed) return preValues();
@@ -1574,7 +1576,7 @@ Examples:
 // src/commands/hook.ts
 import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
 import { homedir as homedir3 } from "os";
-import { dirname as dirname4, join as join4 } from "path";
+import { delimiter, dirname as dirname4, join as join4 } from "path";
 // src/sem.ts
 import { basename as basename2, dirname as dirname2, join as join2 } from "path";
@@ -1652,6 +1654,15 @@ function ignoresSem(content) {
     return t === STATE_DIR_NAME2 || t === STATE_DIR_IGNORE || t === `/${STATE_DIR_NAME2}` || t === `/${STATE_DIR_IGNORE}` || t === `**/${STATE_DIR_NAME2}` || t === `**/${STATE_DIR_IGNORE}`;
   });
 }
+function inGitRepo(startDir) {
+  let dir = startDir;
+  for (; ; ) {
+    if (existsSync2(join2(dir, ".git"))) return true;
+    const parent = dirname2(dir);
+    if (parent === dir) return false;
+    dir = parent;
+  }
+}
 function resolveGitignoreTarget(startDir) {
   let dir = startDir;
   for (; ; ) {
@@ -1667,6 +1678,7 @@ function resolveGitignoreTarget(startDir) {
 function ensureSemIgnored(semPath) {
   try {
     const checkoutDir = dirname2(dirname2(semPath));
+    if (!inGitRepo(checkoutDir)) return;
     const target = resolveGitignoreTarget(checkoutDir);
     if (target.exists) {
       const content = readFileSync2(target.path, "utf8");
@@ -1963,7 +1975,7 @@ function mergeHooks(config2) {
   }
   return added;
 }
-function readJsonConfig(path) {
+function readJsonConfig2(path) {
   if (!existsSync4(path)) return {};
   const raw = readFileSync3(path, "utf8");
   if (!raw.trim()) return {};
@@ -1971,7 +1983,7 @@ function readJsonConfig(path) {
 }
 function installHooksJson(path, dryRun) {
   const existed = existsSync4(path) && readFileSync3(path, "utf8").trim().length > 0;
-  const config2 = readJsonConfig(path);
+  const config2 = readJsonConfig2(path);
   const added = mergeHooks(config2);
   if (added === 0 && existed) return { path, status: "current" };
   if (!dryRun) {
@@ -2016,10 +2028,7 @@ function resolveSurfaces(surface, cwd) {
   if (surface === "codex") return ["codex"];
   if (surface === "both") return ["claude", "codex"];
   if (surface) throw new Error(`--surface must be one of claude | codex | both (got '${surface}')`);
-  const detected = detectInstalledClients(cwd);
-  const surfaces = [];
-  if (detected.includes("claude-code")) surfaces.push("claude");
-  if (detected.includes("codex")) surfaces.push("codex");
+  const surfaces = detectHookSurfaces(cwd);
   return surfaces.length > 0 ? surfaces : ["claude", "codex"];
 }
 function describe(result, dryRun) {
@@ -2027,6 +2036,50 @@ function describe(result, dryRun) {
   const verb = dryRun ? "would" : result.status === "created" ? "created" : "updated";
   return `  \u2713 ${result.path} (${dryRun ? `${verb} ${result.status === "created" ? "create" : "update"}` : verb})`;
 }
+var HOOK_SURFACE_LABEL = {
+  claude: "Claude Code",
+  codex: "Codex"
+};
+function installHookSurfaces(surfaces, opts) {
+  const out = [];
+  for (const surface of surfaces) {
+    if (surface === "claude") {
+      const path = opts.local ? join4(opts.cwd, ".claude", "settings.json") : join4(opts.home, ".claude", "settings.json");
+      out.push({ surface, results: [installHooksJson(path, opts.dryRun)] });
+    } else {
+      const hooksJson = installHooksJson(join4(opts.home, ".codex", "hooks.json"), opts.dryRun);
+      const featureFlag = installCodexFeatureFlag(join4(opts.home, ".codex", "config.toml"), opts.dryRun);
+      out.push({ surface, results: [hooksJson, featureFlag] });
+    }
+  }
+  return out;
+}
+function detectHookSurfaces(cwd) {
+  const detected = detectInstalledClients(cwd);
+  const surfaces = [];
+  if (detected.includes("claude-code")) surfaces.push("claude");
+  if (detected.includes("codex")) surfaces.push("codex");
+  return surfaces;
+}
+function isSechroomOnPath() {
+  const pathEnv = process.env.PATH ?? "";
+  if (!pathEnv) return false;
+  const names = process.platform === "win32" ? ["sechroom.cmd", "sechroom.exe", "sechroom.bat", "sechroom"] : ["sechroom"];
+  for (const dir of pathEnv.split(delimiter)) {
+    if (!dir) continue;
+    for (const name of names) {
+      if (existsSync4(join4(dir, name))) return true;
+    }
+  }
+  return false;
+}
+function warnIfSechroomNotOnPath(write = (s) => void process.stderr.write(s)) {
+  if (isSechroomOnPath()) return false;
+  write(
+    "\n\u26A0  `sechroom` isn't on your PATH. The hooks run a bare `sechroom hook \u2026` command\n   when your agent fires them, so a non-global install (npx / local) will fail at\n   that point. Install globally so the command resolves:\n     npm i -g @sechroom/cli\n"
+  );
+  return true;
+}
 function registerHook(program2) {
   const hook = program2.command("hook").description("Agent-lifecycle hook adapter (Claude Code / Codex) \u2014 bridges hooks to continuity");
   hook.addHelpText(
@@ -2115,26 +2168,15 @@ Fail-soft: no lane / no auth / no-or-partial intent file / API error -> exit 0,
 `);
       return process.exit(2);
     }
-    const home = homedir3();
     const results = [];
     try {
-      for (const surface of surfaces) {
-        if (surface === "claude") {
-          const path = opts.local ? join4(cwd, ".claude", "settings.json") : join4(home, ".claude", "settings.json");
-          process.stdout.write(`Claude Code:
+      const installed = installHookSurfaces(surfaces, { dryRun, local: opts.local, cwd, home: homedir3() });
+      for (const { surface, results: surfaceResults } of installed) {
+        process.stdout.write(`${HOOK_SURFACE_LABEL[surface]}:
 `);
-          const r = installHooksJson(path, dryRun);
+        for (const r of surfaceResults) {
           results.push(r);
           process.stdout.write(describe(r, dryRun) + "\n");
-        } else {
-          process.stdout.write(`Codex:
-`);
-          const hooksJson = installHooksJson(join4(home, ".codex", "hooks.json"), dryRun);
-          results.push(hooksJson);
-          process.stdout.write(describe(hooksJson, dryRun) + "\n");
-          const featureFlag = installCodexFeatureFlag(join4(home, ".codex", "config.toml"), dryRun);
-          results.push(featureFlag);
-          process.stdout.write(describe(featureFlag, dryRun) + "\n");
         }
       }
     } catch (err2) {
@@ -2149,6 +2191,7 @@ Fail-soft: no lane / no auth / no-or-partial intent file / API error -> exit 0,
     } else {
       process.stdout.write("\nRestart (or reload) your agent for the hooks to take effect.\n");
     }
+    warnIfSechroomNotOnPath();
     return process.exit(0);
   });
 }
@@ -2577,9 +2620,47 @@ async function applyClient(cfg, setup, target, opts) {
   return actions;
 }
+// src/setup/hooks-offer.ts
+import { homedir as homedir4 } from "os";
+async function maybeOfferHooks(opts) {
+  if (opts.dryRun) return;
+  const cwd = opts.cwd ?? process.cwd();
+  const surfaces = detectHookSurfaces(cwd);
+  if (surfaces.length === 0) return;
+  const names = surfaces.map((s) => HOOK_SURFACE_LABEL[s]).join(" + ");
+  process.stderr.write(
+    `
+Sechroom can wire continuity lifecycle hooks into ${style.bold(names)} so your agent
+auto-resumes where you left off and checkpoints working state before compacting.
+`
+  );
+  const install = opts.yes ? true : canPrompt() ? await promptYesNo(`Install the continuity hooks for ${names}?`) : false;
+  if (!install) return;
+  try {
+    const installed = installHookSurfaces(surfaces, { dryRun: false, cwd, home: homedir4() });
+    let changed = false;
+    for (const { surface, results } of installed) {
+      for (const r of results) {
+        if (r.status !== "current") changed = true;
+        const verb = r.status === "current" ? "already configured" : r.status === "created" ? "created" : "updated";
+        process.stderr.write(`${style.green("\u2713")} ${HOOK_SURFACE_LABEL[surface]}: ${r.path} (${verb})
+`);
+      }
+    }
+    if (changed) {
+      process.stderr.write(`${style.dim("Restart (or reload) your agent for the hooks to take effect.")}
+`);
+    }
+    warnIfSechroomNotOnPath();
+  } catch (err2) {
+    process.stderr.write(`${style.dim(`(skipped hook install: ${err2.message})`)}
+`);
+  }
+}
 // src/setup/skills-offer.ts
 import { mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
-import { homedir as homedir4 } from "os";
+import { homedir as homedir5 } from "os";
 import { join as join5 } from "path";
 // src/setup/lane-pin.ts
@@ -2600,6 +2681,24 @@ function codeLanePrefix(clients) {
   for (const c of CLIENT_PRIORITY) if (clients.includes(c)) return CODE_LANE_PREFIX_BY_CLIENT[c];
   return "claude-code";
 }
+async function inferLanes(cfg, clients) {
+  let wf;
+  let profile;
+  try {
+    const client = await makeClient(cfg);
+    [wf, profile] = await Promise.all([
+      client.GET("/me/workflow-preferences", {}).then((r) => r.data).catch(() => void 0),
+      client.GET("/me/profile", {}).then((r) => r.data).catch(() => void 0)
+    ]);
+  } catch {
+  }
+  const handle = handleFromDisplayName(profile?.effectiveDisplayName);
+  const prefix = codeLanePrefix(clients ?? ["claude-code"]);
+  return {
+    code: process.env.SECHROOM_CODE_LANE ?? wf?.defaultCodeLane ?? (handle ? `${prefix}-${handle}` : void 0),
+    design: process.env.SECHROOM_DESIGN_LANE ?? wf?.defaultDesignLane ?? (handle ? `claude-design-${handle}` : void 0)
+  };
+}
 function writePin(code, design) {
   const values = {};
   if (code) values["code-lane"] = code;
@@ -2612,20 +2711,7 @@ function writePin(code, design) {
 async function ensureLanePin(cfg, opts) {
   if (opts.dryRun) return;
   if (readSem()) return;
-  let wf;
-  let profile;
-  try {
-    const client = await makeClient(cfg);
-    [wf, profile] = await Promise.all([
-      client.GET("/me/workflow-preferences", {}).then((r) => r.data).catch(() => void 0),
-      client.GET("/me/profile", {}).then((r) => r.data).catch(() => void 0)
-    ]);
-  } catch {
-  }
-  const handle = handleFromDisplayName(profile?.effectiveDisplayName);
-  const prefix = codeLanePrefix(opts.clients ?? ["claude-code"]);
-  const codeGuess = wf?.defaultCodeLane ?? (handle ? `${prefix}-${handle}` : void 0);
-  const designGuess = wf?.defaultDesignLane ?? (handle ? `claude-design-${handle}` : void 0);
+  const { code: codeGuess, design: designGuess } = await inferLanes(cfg, opts.clients);
   if (!canPrompt() || opts.yes) {
     if (opts.yes && (codeGuess || designGuess)) writePin(codeGuess, designGuess);
     return;
@@ -2695,7 +2781,7 @@ async function maybeOfferSkills(cfg, personalWorkspaceId, opts) {
 Found ${style.bold(String(names.length))} operator skill(s) installed in your workspace: ${names.join(", ")}.
 `
   );
-  const dir = join5(homedir4(), ".claude", "skills");
+  const dir = join5(homedir5(), ".claude", "skills");
   const materialise = opts.yes ? true : canPrompt() ? await promptYesNo(`Write them to ${dir}/ so ${surface} can use them?`) : false;
   if (!materialise) return;
   const written = [];
@@ -2799,6 +2885,9 @@ Examples:
     if (!json && !opts.dryRun && !opts.mcpOnly) {
       await maybeOfferSkills(cfg, personalWorkspaceId, { yes: false, dryRun: Boolean(opts.dryRun), surface: "claude-code" });
     }
+    if (!json && !opts.dryRun && !opts.mcpOnly) {
+      await maybeOfferHooks({ yes: false, dryRun: Boolean(opts.dryRun), cwd: process.cwd() });
+    }
     if (json) {
       emit({ dryRun: Boolean(opts.dryRun), clients: result }, true);
       return;
@@ -2854,6 +2943,113 @@ async function runClients(clients, cmd, opts) {
   process.stdout.write(opts.dryRun ? "\n(dry run \u2014 nothing written)\n" : "\nDone.\n");
 }
+// src/commands/onboard.ts
+import { existsSync as existsSync7 } from "fs";
+import { join as join7 } from "path";
+// src/commands/fanout.ts
+import { spawnSync } from "child_process";
+import { existsSync as existsSync6, readFileSync as readFileSync5, readdirSync, statSync } from "fs";
+import { isAbsolute, join as join6, resolve } from "path";
+var ICON = {
+  refresh: "\u21BB",
+  bind: "+",
+  "skip-missing": "\u2013",
+  "skip-unbound": "\u26A0"
+};
+function resolveChildDir(path, root) {
+  return isAbsolute(path) ? path : resolve(root, path);
+}
+function discoverChildren(root) {
+  let names;
+  try {
+    names = readdirSync(root);
+  } catch {
+    return [];
+  }
+  const out = [];
+  for (const name of names.sort()) {
+    if (name.startsWith(".") || name === "node_modules") continue;
+    const dir = join6(root, name);
+    try {
+      if (!statSync(dir).isDirectory()) continue;
+    } catch {
+      continue;
+    }
+    if (existsSync6(join6(dir, ".git")) || committedBindingPath(dir)) out.push(name);
+  }
+  return out;
+}
+function readManifest(path) {
+  if (!existsSync6(path)) return null;
+  let parsed;
+  try {
+    parsed = JSON.parse(readFileSync5(path, "utf8"));
+  } catch (err2) {
+    throw new Error(`couldn't parse ${path}: ${err2 instanceof Error ? err2.message : String(err2)}`);
+  }
+  return Array.isArray(parsed.repos) ? parsed.repos.filter((r) => r && typeof r.path === "string") : [];
+}
+function passthroughGlobals(g) {
+  const out = [];
+  if (g.baseUrl) out.push("--base-url", g.baseUrl);
+  if (g.tenant) out.push("--tenant", g.tenant);
+  return out;
+}
+function runChildren(plans, o) {
+  const { globals, dryRun, json } = o;
+  const results = [];
+  for (const plan of plans) {
+    const runs = plan.argv.length > 0;
+    const argv = runs ? [...globals, ...plan.argv] : [];
+    if (!json) {
+      process.stderr.write(`  ${ICON[plan.disposition]} ${style.cyan(plan.label)} ${style.dim(plan.reason)}
+`);
+      if (runs && dryRun) process.stderr.write(`      ${style.dim(`would run: sechroom ${argv.join(" ")}`)}
+`);
+    }
+    let exitCode = runs ? 0 : null;
+    if (runs && !dryRun) {
+      const res = spawnSync(process.execPath, [process.argv[1], ...argv], {
+        cwd: plan.dir,
+        stdio: json ? "ignore" : "inherit"
+      });
+      exitCode = res.status;
+      if (!json) {
+        process.stderr.write(
+          exitCode === 0 ? `      ${ok("\u2713")} ${style.dim("onboard ok")}
+` : `      ${warn("\u2717")} ${style.dim(`onboard exited ${exitCode ?? "signal"}`)}
+`
+        );
+      }
+    }
+    results.push({
+      path: plan.label,
+      dir: plan.dir,
+      disposition: plan.disposition,
+      ran: runs && !dryRun,
+      exitCode,
+      reason: plan.reason
+    });
+  }
+  return results;
+}
+function summarizeFanout(results, o) {
+  const ran = results.filter((r) => r.ran);
+  const failed = ran.filter((r) => r.exitCode !== 0);
+  const skipped = results.filter((r) => r.disposition.startsWith("skip"));
+  const wouldRun = results.filter((r) => !r.disposition.startsWith("skip"));
+  const tally = (o.dryRun ? [wouldRun.length ? `${wouldRun.length} would onboard` : null, skipped.length ? `${skipped.length} would skip` : null] : [
+    ran.length ? `${ran.length - failed.length}/${ran.length} onboarded` : null,
+    skipped.length ? `${skipped.length} skipped` : null,
+    failed.length ? `${failed.length} failed` : null
+  ]).filter(Boolean).join(", ");
+  process.stderr.write(`
+${failed.length ? warn("\u26A0") : ok("\u2713")} ${tally || "nothing to do"}${o.dryRun ? style.dim(" (dry run)") : ""}
+`);
+  if (failed.length) process.exit(1);
+}
 // src/commands/onboard.ts
 var DEFAULT_BASE_URL2 = "https://app.sechroom.ai/api";
 function systemTimezone() {
@@ -2926,7 +3122,7 @@ async function warnIfProjectStray(client, projectId, workspaceId, json) {
     );
   }
 }
-async function pickWorkspace(client) {
+async function pickWorkspace(client, promptLabel = "Bind this directory to a workspace:") {
   const all = await withSpinner("Listing your workspaces", () => fetchWorkspaces(client));
   if (all.length === 0) {
     process.stderr.write(`no workspaces found \u2014 skipping workspace binding (you can set it later with \`sechroom config set --local workspaceId <id>\`)
@@ -2949,7 +3145,7 @@ async function pickWorkspace(client) {
     ...pool.slice().sort((a, b) => workspacePath(a, byId).localeCompare(workspacePath(b, byId))).map((w) => ({ label: workspacePath(w, byId), value: w.id, hint: w.id })),
     { label: style.dim("skip \u2014 don't bind a workspace"), value: SKIP, hint: void 0 }
   ];
-  const chosen = await promptSelect("Bind this directory to a workspace:", choices, SKIP);
+  const chosen = await promptSelect(promptLabel, choices, SKIP);
   if (chosen === SKIP) return void 0;
   const picked = byId.get(chosen);
   const collisions = all.filter((w) => w.id !== picked.id && namesCollide(w.name, picked.name));
@@ -3032,7 +3228,7 @@ async function ensureTenant(baseUrl, g, opts) {
       "Where should this tenant + base URL be saved?",
       [
         { label: "Globally", value: "global", hint: "all projects on this machine" },
-        { label: "This directory", value: "local", hint: ".sechroom/config.json \u2014 project + subdirs" }
+        { label: "This directory", value: "local", hint: ".sechroom.json \u2014 committed, project + subdirs" }
       ],
       local.path ? "local" : "global"
     ) === "local";
@@ -3107,16 +3303,120 @@ async function chooseClients(clientFlag, yes, cwd) {
   );
   return picks.length > 0 ? picks : preselected;
 }
+async function planRecurseChild(entry, root, client, opts) {
+  const dir = resolveChildDir(entry.path, root);
+  if (!existsSync7(dir)) {
+    return { label: entry.path, dir, disposition: "skip-missing", argv: [], reason: "directory does not exist" };
+  }
+  if (existsSync7(join7(dir, ".sechroom.json"))) {
+    return {
+      label: entry.path,
+      dir,
+      disposition: "refresh",
+      argv: ["onboard", "--refresh", "--yes"],
+      reason: "bound (committed .sechroom.json) \u2014 refresh in place"
+    };
+  }
+  if (entry.workspaceId) {
+    return {
+      label: entry.path,
+      dir,
+      disposition: "bind",
+      argv: ["onboard", "--yes", "--local", "--workspace", entry.workspaceId],
+      reason: `unbound \u2014 bind to ${entry.workspaceId}`
+    };
+  }
+  if (opts.dryRun) {
+    return { label: entry.path, dir, disposition: "bind", argv: ["onboard", "--yes", "--local", "--workspace", "<prompt>"], reason: "unbound \u2014 would prompt for a workspace" };
+  }
+  if (opts.yes || !canPrompt()) {
+    return { label: entry.path, dir, disposition: "skip-unbound", argv: [], reason: "unbound + no workspace (run interactively, or add it to ./.sechroom/repos.json)" };
+  }
+  process.stderr.write(`
+${style.bold(entry.path)} ${style.dim("is not bound yet.")}
+`);
+  const ws = await pickWorkspace(client, `Bind ${style.cyan(entry.path)} to a workspace:`);
+  if (!ws) {
+    return { label: entry.path, dir, disposition: "skip-unbound", argv: [], reason: "unbound \u2014 no workspace chosen (skipped)" };
+  }
+  return {
+    label: entry.path,
+    dir,
+    disposition: "bind",
+    argv: ["onboard", "--yes", "--local", "--workspace", ws],
+    reason: `unbound \u2014 bind to ${ws}`
+  };
+}
+async function resolveFanoutLane(cfg, opts) {
+  let code = opts.lane ?? process.env.SECHROOM_CODE_LANE;
+  let design = opts.designLane ?? process.env.SECHROOM_DESIGN_LANE;
+  if (!code || !design) {
+    const clients = detectInstalledClients(process.cwd());
+    const inferred = await inferLanes(cfg, clients.length ? clients : void 0);
+    code = code ?? inferred.code;
+    design = design ?? inferred.design;
+  }
+  if (!opts.lane && !opts.yes && !opts.dryRun && canPrompt() && (code || design)) {
+    process.stderr.write(`
+This fan-out will pin the same lane in every repo:
+`);
+    if (code) process.stderr.write(`  ${style.dim("code-lane")}   = ${style.cyan(code)}
+`);
+    if (design) process.stderr.write(`  ${style.dim("design-lane")} = ${style.cyan(design)}
+`);
+    if (!await promptYesNo("Use this lane for all repos?")) {
+      code = await promptText("Code-lane id (blank = let each repo infer)?", code ?? "") || void 0;
+      design = await promptText("Design-lane id (blank = skip)?", design ?? "") || void 0;
+    }
+  }
+  if (code) process.env.SECHROOM_CODE_LANE = code;
+  else delete process.env.SECHROOM_CODE_LANE;
+  if (design) process.env.SECHROOM_DESIGN_LANE = design;
+  else delete process.env.SECHROOM_DESIGN_LANE;
+  return { code, design };
+}
+async function runRecurse(cfg, g, opts) {
+  const { yes, dryRun, json } = opts;
+  const root = process.cwd();
+  const manifestPath = join7(root, ".sechroom", "repos.json");
+  const fromManifest = readManifest(manifestPath);
+  const entries = fromManifest ?? discoverChildren(root).map((path) => ({ path }));
+  const sourceLabel = fromManifest ? `manifest ${manifestPath}` : `auto-discovered under ${root}`;
+  if (entries.length === 0) {
+    if (json) process.stdout.write(JSON.stringify({ recurse: true, root, repos: [] }) + "\n");
+    else process.stderr.write(`${warn("\u26A0")} no child repos found ${fromManifest ? `in ${manifestPath}` : `under ${root}`} \u2014 nothing to do.
+`);
+    return;
+  }
+  if (!json) {
+    process.stderr.write(`${style.bold("onboard --recurse")} ${style.dim(`(${entries.length} repo${entries.length === 1 ? "" : "s"} from ${sourceLabel})`)}
+`);
+  }
+  const lane = await resolveFanoutLane(cfg, { lane: opts.lane, designLane: opts.designLane, yes, dryRun });
+  if (!json && lane.code) process.stderr.write(`${ok("\u2713")} lane ${style.cyan(lane.code)}${lane.design ? ` ${style.dim(`/ ${lane.design}`)}` : ""} for every repo
+`);
+  const client = await makeClient(cfg);
+  const plans = [];
+  for (const entry of entries) plans.push(await planRecurseChild(entry, root, client, { yes, dryRun }));
+  const results = runChildren(plans, { globals: passthroughGlobals(g), dryRun, json });
+  if (json) {
+    process.stdout.write(JSON.stringify({ recurse: true, root, dryRun, repos: results }) + "\n");
+    return;
+  }
+  summarizeFanout(results, { dryRun });
+}
 function registerOnboard(program2) {
-  program2.command("onboard").description("Guided first-run setup: configure, sign in, set timezone, detect clients, and wire this project").option("--client <list>", `comma-separated clients (${ALL_CLIENT_KEYS.join(", ")}) or 'all' (default: auto-detected)`).option("--local", "save tenant + base URL to a directory-local .sechroom/config.json instead of the global config", false).option("--workspace <id>", "bind this directory to a workspace (skips the interactive workspace pick)").option("--cli-only", "configure the CLI only \u2014 don't wire any AI client (no MCP config, no agent files)", false).option("--no-mcp", "skip the MCP server config (.mcp.json etc.); still write the agent instruction files").option("--copy", "make a personal copy of the agent instructions you can edit (default: prompt on a TTY, else skip)").option("--dry-run", "walk through without writing files or changing the profile", false).option("--refresh", "re-fetch descriptors and refresh any out-of-date managed blocks (local edits preserved to .proposed)", false).option("--force", "rewrite every managed block, overwriting local edits inside the markers (content outside untouched)", false).option("--check", "report whether anything would change and exit (0 = all current, 1 = stale/drift/absent); writes nothing", false).option("-y, --yes", "non-interactive: accept defaults (system timezone, detected clients, global config, full wire)", false).addHelpText(
+  program2.command("onboard").description("Guided first-run setup: configure, sign in, set timezone, detect clients, and wire this project").option("--recurse", "orchestration-root mode: onboard every child repo under this dir (auto-discovered, or from ./.sechroom/repos.json) \u2014 refreshes bound repos, prompts a workspace per new one", false).option("--lane <id>", "set the code-lane (substrate source identity) explicitly instead of inferring it; with --recurse it's used for every child repo").option("--design-lane <id>", "set the design-lane explicitly (substrate-authoring identity); with --recurse applies to every child").option("--client <list>", `comma-separated clients (${ALL_CLIENT_KEYS.join(", ")}) or 'all' (default: auto-detected)`).option("--local", "save the binding (tenant + base URL + workspace) to a committed .sechroom.json in this repo instead of the global config", false).option("--workspace <id>", "bind this directory to a workspace (skips the interactive workspace pick)").option("--cli-only", "configure the CLI only \u2014 don't wire any AI client (no MCP config, no agent files)", false).option("--no-mcp", "skip the MCP server config (.mcp.json etc.); still write the agent instruction files").option("--copy", "make a personal copy of the agent instructions you can edit (default: prompt on a TTY, else skip)").option("--dry-run", "walk through without writing files or changing the profile", false).option("--refresh", "re-fetch descriptors and refresh any out-of-date managed blocks (local edits preserved to .proposed)", false).option("--force", "rewrite every managed block, overwriting local edits inside the markers (content outside untouched)", false).option("--check", "report whether anything would change and exit (0 = all current, 1 = stale/drift/absent); writes nothing", false).option("-y, --yes", "non-interactive: accept defaults (system timezone, detected clients, global config, full wire)", false).addHelpText(
     "after",
     `
 Examples:
   $ sechroom onboard                    guided, interactive (asks where to save config + how to wire)
   $ sechroom onboard --cli-only         just the CLI \u2014 no .mcp.json, no agent files
   $ sechroom onboard --no-mcp           agent instructions only, skip MCP config
-  $ sechroom onboard --local            save tenant + base URL to ./.sechroom/config.json
+  $ sechroom onboard --local            save tenant + base URL to a committed ./.sechroom.json
   $ sechroom onboard --workspace wsp_XX  bind this directory to a workspace (no pick prompt)
+  $ sechroom onboard --recurse          orchestration root: onboard every child repo under this dir
+  $ sechroom onboard --recurse --lane claude-code-you   pin one lane across every repo in the tree
   $ sechroom onboard --refresh          refresh out-of-date instruction blocks in place
   $ sechroom onboard --check            CI/pre-commit: nonzero exit if instructions are out of date
   $ sechroom onboard --yes              non-interactive: defaults + global config + full wire
@@ -3128,6 +3428,15 @@ Examples:
     const mode = opts.check ? "check" : opts.force ? "force" : "apply";
     const check = mode === "check";
     const yes = Boolean(opts.yes) || check;
+    if (opts.lane) process.env.SECHROOM_CODE_LANE = opts.lane;
+    if (opts.designLane) process.env.SECHROOM_DESIGN_LANE = opts.designLane;
+    if (opts.recurse) {
+      const baseUrl2 = resolveBaseUrl(g);
+      await ensureAuth({ baseUrl: baseUrl2, tenant: "", clientId: readPersisted().clientId }, yes);
+      const cfg2 = await ensureTenant(baseUrl2, g, { yes: true, json, persist: false });
+      await runRecurse(cfg2, g, { yes, dryRun, json, lane: opts.lane, designLane: opts.designLane });
+      return;
+    }
     const baseUrl = resolveBaseUrl(g);
     await ensureAuth({ baseUrl, tenant: "", clientId: readPersisted().clientId }, yes);
     const cfg = await ensureTenant(baseUrl, g, { yes, json, local: Boolean(opts.local), workspace: opts.workspace, persist: !check });
@@ -3145,7 +3454,10 @@ Examples:
         emit({ dryRun, baseUrl: cfg.baseUrl, tenant: cfg.tenant, workspaceId: cfg.workspaceId ?? null, timezone: tz, wire, clients: [] }, true);
         return;
       }
-      if (!dryRun) await ensureLanePin(cfg, { yes, dryRun, clients: detectInstalledClients(process.cwd()) });
+      if (!dryRun) {
+        await ensureLanePin(cfg, { yes, dryRun, clients: detectInstalledClients(process.cwd()) });
+        await maybeOfferHooks({ yes, dryRun, cwd: process.cwd() });
+      }
       process.stdout.write(
         `
 ${style.bold("Done.")} The CLI is configured for ${style.cyan(cfg.tenant)} \u2014 no AI-client files written.
@@ -3203,6 +3515,9 @@ Try: ${style.cyan('sechroom memory search "..."')}  or  ${style.cyan("sechroom -
     if (!json && !dryRun) {
       await maybeOfferSkills(cfg, personalWorkspaceId, { yes, dryRun, surface: "claude-code" });
     }
+    if (!json && !dryRun) {
+      await maybeOfferHooks({ yes, dryRun, cwd: process.cwd() });
+    }
     if (json) {
       emit({ dryRun, baseUrl: cfg.baseUrl, tenant: cfg.tenant, workspaceId: cfg.workspaceId ?? null, timezone: tz, wire, eval: evalCounts, clients: result }, true);
       return;
@@ -3274,15 +3589,114 @@ ${style.bold("Next:")} paste this into your AI agent to get going \u2014
   );
 }
+// src/commands/sweep.ts
+import { existsSync as existsSync8 } from "fs";
+import { dirname as dirname6, join as join8, resolve as resolve2 } from "path";
+var DEFAULT_MANIFEST = join8(".sechroom", "repos.json");
+function planEntry(entry, root) {
+  const dir = resolveChildDir(entry.path, root);
+  if (!existsSync8(dir)) {
+    return { label: entry.path, dir, disposition: "skip-missing", argv: [], reason: "directory does not exist" };
+  }
+  if (committedBindingPath(dir)) {
+    return {
+      label: entry.path,
+      dir,
+      disposition: "refresh",
+      argv: ["onboard", "--refresh", "--yes"],
+      reason: "bound (committed .sechroom.json) \u2014 refresh in place"
+    };
+  }
+  if (entry.workspaceId) {
+    return {
+      label: entry.path,
+      dir,
+      disposition: "bind",
+      argv: ["onboard", "--yes", "--local", "--workspace", entry.workspaceId],
+      reason: `unbound \u2014 bind to ${entry.workspaceId} + commit .sechroom.json`
+    };
+  }
+  return {
+    label: entry.path,
+    dir,
+    disposition: "skip-unbound",
+    argv: [],
+    reason: "unbound + no workspaceId in the manifest \u2014 add one or run `sechroom onboard` there"
+  };
+}
+function registerSweep(program2) {
+  program2.command("sweep").description("Non-interactive fan-out from ./.sechroom/repos.json (headless sibling of `onboard --recurse`)").option("--manifest <path>", "path to the repos manifest", DEFAULT_MANIFEST).option("--dry-run", "print the plan (per-repo disposition + the onboard command) without running anything", false).addHelpText(
+    "after",
+    `
+For an interactive, no-manifest run use ${"`sechroom onboard --recurse`"} instead \u2014 it
+auto-discovers the child repos and prompts for a workspace per new one. ${"`sweep`"} is
+the deterministic manifest-driven form for scripts / CI.
+Manifest \u2014 ./.sechroom/repos.json (per-operator, gitignored, alongside lane.json):
+  {
+    "repos": [
+      { "path": "sechroom",      "workspaceId": "wsp_XXXX" },
+      { "path": "../other-repo", "workspaceId": "wsp_YYYY" },
+      { "path": "already-bound" }
+    ]
+  }
+Per repo (paths resolve relative to the manifest's root):
+  ${ICON.refresh} bound        committed .sechroom.json present  \u2192 onboard --refresh (manifest workspace ignored)
+  ${ICON.bind} unbound      bind to the manifest workspaceId    \u2192 onboard --local --workspace <id>
+  ${ICON["skip-missing"]} missing      directory does not exist            \u2192 skipped
+  ${ICON["skip-unbound"]} no workspace unbound + no workspaceId in manifest  \u2192 skipped (add one, or onboard manually)
+Examples:
+  $ sechroom sweep --dry-run            preview every repo's disposition, run nothing
+  $ sechroom sweep                      onboard the whole tree from the root
+  $ sechroom --tenant ocd sweep         force a tenant for every child (else each resolves its own)`
+  ).action((opts, cmd) => {
+    const g = cmd.optsWithGlobals();
+    const json = Boolean(g.json);
+    const dryRun = Boolean(opts.dryRun);
+    const manifestPath = resolve2(opts.manifest);
+    let repos;
+    try {
+      repos = readManifest(manifestPath);
+    } catch (err2) {
+      fail(err2 instanceof Error ? err2.message : String(err2));
+    }
+    if (repos === null) {
+      fail(`no manifest at ${manifestPath} \u2014 create ./.sechroom/repos.json, or use \`sechroom onboard --recurse\` to auto-discover (see \`sechroom sweep --help\`).`);
+    }
+    if (repos.length === 0) {
+      if (json) process.stdout.write(JSON.stringify({ manifest: manifestPath, repos: [] }) + "\n");
+      else process.stderr.write(`${warn("\u26A0")} ${manifestPath} lists no repos \u2014 nothing to do.
+`);
+      return;
+    }
+    const root = dirname6(dirname6(manifestPath));
+    const plans = repos.map((entry) => planEntry(entry, root));
+    if (!json) {
+      process.stderr.write(
+        `${style.bold("sweep")} ${style.dim(`(${plans.length} repo${plans.length === 1 ? "" : "s"} from ${manifestPath})`)}
+`
+      );
+    }
+    const results = runChildren(plans, { globals: passthroughGlobals(g), dryRun, json });
+    if (json) {
+      process.stdout.write(JSON.stringify({ manifest: manifestPath, dryRun, repos: results }) + "\n");
+      return;
+    }
+    summarizeFanout(results, { dryRun });
+  });
+}
 // src/commands/skills.ts
-import { homedir as homedir5 } from "os";
-import { join as join6 } from "path";
-import { mkdirSync as mkdirSync6, writeFileSync as writeFileSync6, rmSync as rmSync2, existsSync as existsSync6, readFileSync as readFileSync5 } from "fs";
+import { homedir as homedir6 } from "os";
+import { join as join9 } from "path";
+import { mkdirSync as mkdirSync6, writeFileSync as writeFileSync6, rmSync as rmSync2, existsSync as existsSync9, readFileSync as readFileSync6 } from "fs";
 var DEFAULT_SLUG = "operator-skills";
 var ROLE_TAGS = ["sechroom:role:skill-template", "role:skill-template"];
 var LOCK = ".sechroom-skills.json";
 function skillsDir(global) {
-  return global ? join6(homedir5(), ".claude", "skills") : join6(process.cwd(), ".claude", "skills");
+  return global ? join9(homedir6(), ".claude", "skills") : join9(process.cwd(), ".claude", "skills");
 }
 function tagValue2(tags, prefix) {
   return (tags ?? []).find((t) => t.startsWith(prefix))?.slice(prefix.length);
@@ -3360,13 +3774,13 @@ Examples:
       const name = tagValue2(tags, "skill:");
       if (!name) continue;
       const body = m.text ?? m.Text ?? "";
-      mkdirSync6(join6(dir, name), { recursive: true });
-      writeFileSync6(join6(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
+      mkdirSync6(join9(dir, name), { recursive: true });
+      writeFileSync6(join9(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
       written.push(name);
     }
     mkdirSync6(dir, { recursive: true });
-    const lockPath = join6(dir, LOCK);
-    const lock = existsSync6(lockPath) ? JSON.parse(readFileSync5(lockPath, "utf8")) : {};
+    const lockPath = join9(dir, LOCK);
+    const lock = existsSync9(lockPath) ? JSON.parse(readFileSync6(lockPath, "utf8")) : {};
     lock[slug] = { surface: opts.surface, version, instance: wantInstance, skills: written.sort() };
     writeFileSync6(lockPath, JSON.stringify(lock, null, 2) + "\n");
     if (opts.json) return emit({ slug, version, instance: wantInstance, surface: opts.surface, dir, installed: written }, true);
@@ -3390,15 +3804,15 @@ Examples:
   skills.command("clean [slug]").description(`Remove materialised skill files written by install (default ${DEFAULT_SLUG})`).option("--local", "clean ./.claude/skills instead of ~/.claude/skills").option("--json", "machine output").action(async (slugArg, opts) => {
     const slug = slugArg || DEFAULT_SLUG;
     const dir = skillsDir(!opts.local);
-    const lockPath = join6(dir, LOCK);
-    if (!existsSync6(lockPath)) fail(`No skills lockfile at ${lockPath}; nothing to clean.`);
-    const lock = JSON.parse(readFileSync5(lockPath, "utf8"));
+    const lockPath = join9(dir, LOCK);
+    if (!existsSync9(lockPath)) fail(`No skills lockfile at ${lockPath}; nothing to clean.`);
+    const lock = JSON.parse(readFileSync6(lockPath, "utf8"));
     const entry = lock[slug];
     if (!entry) fail(`No installed record for '${slug}' in ${lockPath}.`);
     const removed = [];
     for (const name of entry.skills) {
-      const skillPath = join6(dir, name);
-      if (existsSync6(skillPath)) {
+      const skillPath = join9(dir, name);
+      if (existsSync9(skillPath)) {
         rmSync2(skillPath, { recursive: true, force: true });
         removed.push(name);
       }
@@ -3493,22 +3907,22 @@ Examples:
 }
 // src/commands/reset.ts
-import { homedir as homedir6 } from "os";
-import { join as join7 } from "path";
-import { existsSync as existsSync7, readFileSync as readFileSync6, rmSync as rmSync3 } from "fs";
+import { homedir as homedir7 } from "os";
+import { join as join10 } from "path";
+import { existsSync as existsSync10, readFileSync as readFileSync7, rmSync as rmSync3 } from "fs";
 var SKILLS_LOCK = ".sechroom-skills.json";
-var localSkillsDir = () => join7(process.cwd(), ".claude", "skills");
-var globalSkillsDir = () => join7(homedir6(), ".claude", "skills");
+var localSkillsDir = () => join10(process.cwd(), ".claude", "skills");
+var globalSkillsDir = () => join10(homedir7(), ".claude", "skills");
 function removeMaterialisedSkills(dir) {
   const removed = [];
-  const lockPath = join7(dir, SKILLS_LOCK);
-  if (!existsSync7(lockPath)) return removed;
+  const lockPath = join10(dir, SKILLS_LOCK);
+  if (!existsSync10(lockPath)) return removed;
   try {
-    const lock = JSON.parse(readFileSync6(lockPath, "utf8"));
+    const lock = JSON.parse(readFileSync7(lockPath, "utf8"));
     for (const entry of Object.values(lock)) {
       for (const name of entry.skills ?? []) {
-        const p = join7(dir, name);
-        if (existsSync7(p)) {
+        const p = join10(dir, name);
+        if (existsSync10(p)) {
           rmSync3(p, { recursive: true, force: true });
           removed.push(p);
         }
@@ -3539,18 +3953,18 @@ function registerReset(program2) {
       }
     }
     const removed = [];
-    const stateDir = join7(process.cwd(), ".sechroom");
-    if (existsSync7(stateDir)) {
+    const stateDir = join10(process.cwd(), ".sechroom");
+    if (existsSync10(stateDir)) {
       rmSync3(stateDir, { recursive: true, force: true });
       removed.push(stateDir);
     }
-    const legacyCfg = join7(process.cwd(), ".sechroom.json");
-    if (existsSync7(legacyCfg)) {
+    const legacyCfg = join10(process.cwd(), ".sechroom.json");
+    if (existsSync10(legacyCfg)) {
       rmSync3(legacyCfg, { force: true });
       removed.push(legacyCfg);
     }
-    const legacySem = join7(process.cwd(), ".sem");
-    if (existsSync7(legacySem)) {
+    const legacySem = join10(process.cwd(), ".sem");
+    if (existsSync10(legacySem)) {
       rmSync3(legacySem, { force: true });
       removed.push(legacySem);
     }
@@ -3577,7 +3991,7 @@ function registerReset(program2) {
 function resolveVersion() {
   try {
     const pkg = JSON.parse(
-      readFileSync7(new URL("../package.json", import.meta.url), "utf8")
+      readFileSync8(new URL("../package.json", import.meta.url), "utf8")
     );
     return pkg.version ?? "0.0.0";
   } catch {
@@ -3593,7 +4007,7 @@ Examples:
   $ sechroom onboard                              guided first-run: configure, sign in, wire this project
   $ sechroom login                                sign in via browser (OAuth + PKCE)
   $ sechroom config set tenant ocd                set your tenant (global)
-  $ sechroom config set --local tenant cli-smoke  pin tenant for this directory (.sechroom/config.json)
+  $ sechroom config set --local tenant cli-smoke  pin tenant for this directory (committed .sechroom.json)
   $ sechroom config show                          resolved config + which source won
   $ sechroom memory create --text "a note" --title "Note" --tag idea
@@ -3605,7 +4019,7 @@ Examples:
   $ sechroom --json memory search "auth"           compact JSON for scripts and agents
   $ SECHROOM_TOKEN=<bearer> sechroom --json memory get mem_XXXX    headless
-Config precedence (high -> low): --flag  >  env (SECHROOM_*)  >  ./.sechroom/config.json (legacy ./.sechroom.json)  >  global  >  default.
+Config precedence (high -> low): --flag  >  env (SECHROOM_*)  >  directory-local (committed ./.sechroom.json, shadowed per-field by the gitignored ./.sechroom/config.json override)  >  global  >  default.
 Run 'sechroom <command> --help' for command-specific examples.`
 );
 program.hook("preAction", (_thisCmd, actionCmd) => {
@@ -3631,11 +4045,11 @@ config.addHelpText(
 Examples:
   $ sechroom config set baseUrl https://app.sechroom.ai/api   prod (staging: https://staging.app.sechroom.ai/api)
   $ sechroom config set tenant ocd
-  $ sechroom config set --local tenant cli-smoke              this dir + subdirs (.sechroom/config.json)
+  $ sechroom config set --local tenant cli-smoke              this dir + subdirs (committed .sechroom.json)
   $ sechroom config set clientId dyn-XXXX                     global-only escape hatch (no DCR endpoint)
   $ sechroom config show --json`
 );
-config.command("set <key> <value>").description("Set baseUrl | tenant | workspaceId | defaultProjectId | clientId (clientId is global-only)").option("--local", "Write to the directory-local .sechroom/config.json (nearest up the tree, else cwd; migrates a legacy .sechroom.json) instead of the global config").action((key, value, opts) => {
+config.command("set <key> <value>").description("Set baseUrl | tenant | workspaceId | defaultProjectId | clientId (clientId is global-only)").option("--local", "Write the committed directory-local .sechroom.json (nearest up the tree, else cwd) instead of the global config").action((key, value, opts) => {
   if (opts.local) {
     if (!["baseUrl", "tenant", "workspaceId", "defaultProjectId"].includes(key)) {
       process.stderr.write(`--local supports only: baseUrl | tenant | workspaceId | defaultProjectId (clientId is global)
@@ -3694,6 +4108,7 @@ registerChat(program);
 registerInit(program);
 registerSetup(program);
 registerOnboard(program);
+registerSweep(program);
 registerSkills(program);
 registerReset(program);
 program.parseAsync().catch((err2) => {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sechroom/cli",
-  "version": "2026.6.19",
+  "version": "2026.6.20-rc.11acdaab",
   "description": "Sechroom CLI — a thin, generated client over the Sechroom HTTP API. An agent/human surface alongside MCP.",
   "type": "module",
   "license": "UNLICENSED",