@sechroom/cli 2026.6.23 → 2026.6.25

package/dist/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import { readFileSync as readFileSync7 } from "fs";
+import { readFileSync as readFileSync8 } from "fs";
 import { Command } from "commander";
 
 // src/auth.ts
@@ -11,14 +11,15 @@ import open from "open";
 
 // src/config.ts
 import { homedir } from "os";
-import { join, dirname, basename } from "path";
+import { join, dirname } from "path";
 import { mkdirSync, readFileSync, writeFileSync, existsSync, rmSync } from "fs";
 var CONFIG_DIR = join(homedir(), ".config", "sechroom");
 var CONFIG_FILE = join(CONFIG_DIR, "config.json");
 var TOKEN_FILE = join(CONFIG_DIR, "token.json");
 var STATE_DIR_NAME = ".sechroom";
-var LOCAL_CONFIG_NAME = join(STATE_DIR_NAME, "config.json");
-var LEGACY_LOCAL_CONFIG_NAME = ".sechroom.json";
+var BASELINE_CONFIG_NAME = ".sechroom.json";
+var OVERRIDE_CONFIG_NAME = join(STATE_DIR_NAME, "config.json");
+var BINDING_FIELDS = ["schemaVersion", "baseUrl", "tenant", "workspaceId", "defaultProjectId"];
 var DEFAULT_BASE_URL = "https://app.sechroom.ai/api";
 var LOCAL_CONFIG_SCHEMA_VERSION = 2;
 function ensureDir() {
@@ -66,54 +67,55 @@ function clearPersisted() {
   rmSync(CONFIG_FILE);
   return CONFIG_FILE;
 }
-function findLocalConfigPath(start = process.cwd()) {
+function readJsonConfig(path) {
+  try {
+    return JSON.parse(readFileSync(path, "utf8"));
+  } catch {
+    return void 0;
+  }
+}
+function findConfigHome(start = process.cwd()) {
   let dir = start;
   for (; ; ) {
-    const candidate = join(dir, LOCAL_CONFIG_NAME);
-    if (existsSync(candidate)) return candidate;
-    const legacy = join(dir, LEGACY_LOCAL_CONFIG_NAME);
-    if (existsSync(legacy)) return legacy;
+    if (existsSync(join(dir, BASELINE_CONFIG_NAME)) || existsSync(join(dir, OVERRIDE_CONFIG_NAME))) return dir;
     const parent = dirname(dir);
     if (parent === dir) return void 0;
     dir = parent;
   }
 }
-function localConfigWritePath(resolvedPath) {
-  const baseDir = resolvedPath ? dirname(resolvedPath) : process.cwd();
-  const dir = basename(baseDir) === STATE_DIR_NAME ? dirname(baseDir) : baseDir;
-  return join(dir, LOCAL_CONFIG_NAME);
-}
 function readLocalConfig() {
-  const path = findLocalConfigPath();
-  if (!path) return {};
-  try {
-    const c = JSON.parse(readFileSync(path, "utf8"));
-    return {
-      schemaVersion: c.schemaVersion,
-      baseUrl: c.baseUrl,
-      tenant: c.tenant,
-      workspaceId: c.workspaceId,
-      defaultProjectId: c.defaultProjectId,
-      path
-    };
-  } catch {
-    return {};
-  }
+  const home = findConfigHome();
+  if (!home) return {};
+  const baselinePath = join(home, BASELINE_CONFIG_NAME);
+  const overridePath = join(home, OVERRIDE_CONFIG_NAME);
+  const merged = { ...readJsonConfig(baselinePath) ?? {}, ...readJsonConfig(overridePath) ?? {} };
+  return {
+    schemaVersion: merged.schemaVersion,
+    baseUrl: merged.baseUrl,
+    tenant: merged.tenant,
+    workspaceId: merged.workspaceId,
+    defaultProjectId: merged.defaultProjectId,
+    path: existsSync(baselinePath) ? baselinePath : overridePath
+  };
 }
 function writeLocalConfig(patch) {
-  const readPath = findLocalConfigPath();
-  let current = {};
-  if (readPath) {
-    try {
-      current = JSON.parse(readFileSync(readPath, "utf8"));
-    } catch {
-    }
-  }
-  const path = localConfigWritePath(readPath);
-  mkdirSync(dirname(path), { recursive: true, mode: 448 });
+  const home = findConfigHome() ?? process.cwd();
+  const baselinePath = join(home, BASELINE_CONFIG_NAME);
+  const overridePath = join(home, OVERRIDE_CONFIG_NAME);
+  const current = readJsonConfig(baselinePath) ?? {};
   const next = { ...current, ...patch, schemaVersion: LOCAL_CONFIG_SCHEMA_VERSION };
-  writeFileSync(path, JSON.stringify(next, null, 2), { mode: 384 });
-  return path;
+  writeFileSync(baselinePath, JSON.stringify(next, null, 2), { mode: 420 });
+  const override = readJsonConfig(overridePath);
+  if (override) {
+    for (const f of BINDING_FIELDS) delete override[f];
+    if (Object.keys(override).length === 0) rmSync(overridePath, { force: true });
+    else writeFileSync(overridePath, JSON.stringify(override, null, 2), { mode: 384 });
+  }
+  return baselinePath;
+}
+function committedBindingPath(dir) {
+  const p = join(dir, BASELINE_CONFIG_NAME);
+  return existsSync(p) ? p : void 0;
 }
 function resolveConfig(flags) {
   const local = readLocalConfig();
@@ -373,8 +375,8 @@ async function promptYesNo(question) {
   const { createInterface } = await import("readline");
   const rl = createInterface({ input: process.stdin, output: process.stderr });
   try {
-    const answer = await new Promise((resolve) => {
-      rl.question(`${question} [y/N] `, resolve);
+    const answer = await new Promise((resolve3) => {
+      rl.question(`${question} [y/N] `, resolve3);
     });
     return /^y(es)?$/i.test(answer.trim());
   } finally {
@@ -387,8 +389,8 @@ async function promptText(question, def) {
   const rl = createInterface({ input: process.stdin, output: process.stderr });
   try {
     const suffix = def ? ` [${def}]` : "";
-    const answer = await new Promise((resolve) => {
-      rl.question(`${question}${suffix} `, resolve);
+    const answer = await new Promise((resolve3) => {
+      rl.question(`${question}${suffix} `, resolve3);
     });
     const trimmed = answer.trim();
     return trimmed.length > 0 ? trimmed : def ?? "";
@@ -414,8 +416,8 @@ async function promptSelect(question, choices, def) {
       process.stderr.write(`  ${marker} ${style.bold(String(i + 1))}. ${c.label}${hint}
 `);
     });
-    const answer = await new Promise((resolve) => {
-      rl.question(`Choose ${style.dim(`[${defIdx + 1}]`)} `, resolve);
+    const answer = await new Promise((resolve3) => {
+      rl.question(`Choose ${style.dim(`[${defIdx + 1}]`)} `, resolve3);
     });
     const trimmed = answer.trim();
     if (!trimmed) return choices[defIdx].value;
@@ -447,8 +449,8 @@ async function promptMultiSelect(question, choices, preselected = []) {
       process.stderr.write(`  ${box} ${style.bold(String(i + 1))}. ${c.label}${hint}
 `);
     });
-    const answer = await new Promise((resolve) => {
-      rl.question(`Select ${style.dim("[Enter = \u25C9]")} `, resolve);
+    const answer = await new Promise((resolve3) => {
+      rl.question(`Select ${style.dim("[Enter = \u25C9]")} `, resolve3);
     });
     const trimmed = answer.trim().toLowerCase();
     if (!trimmed) return preValues();
@@ -1973,7 +1975,7 @@ function mergeHooks(config2) {
   }
   return added;
 }
-function readJsonConfig(path) {
+function readJsonConfig2(path) {
   if (!existsSync4(path)) return {};
   const raw = readFileSync3(path, "utf8");
   if (!raw.trim()) return {};
@@ -1981,7 +1983,7 @@ function readJsonConfig(path) {
 }
 function installHooksJson(path, dryRun) {
   const existed = existsSync4(path) && readFileSync3(path, "utf8").trim().length > 0;
-  const config2 = readJsonConfig(path);
+  const config2 = readJsonConfig2(path);
   const added = mergeHooks(config2);
   if (added === 0 && existed) return { path, status: "current" };
   if (!dryRun) {
@@ -2936,6 +2938,113 @@ async function runClients(clients, cmd, opts) {
   process.stdout.write(opts.dryRun ? "\n(dry run \u2014 nothing written)\n" : "\nDone.\n");
 }
 
+// src/commands/onboard.ts
+import { existsSync as existsSync7 } from "fs";
+import { join as join7 } from "path";
+
+// src/commands/fanout.ts
+import { spawnSync } from "child_process";
+import { existsSync as existsSync6, readFileSync as readFileSync5, readdirSync, statSync } from "fs";
+import { isAbsolute, join as join6, resolve } from "path";
+var ICON = {
+  refresh: "\u21BB",
+  bind: "+",
+  "skip-missing": "\u2013",
+  "skip-unbound": "\u26A0"
+};
+function resolveChildDir(path, root) {
+  return isAbsolute(path) ? path : resolve(root, path);
+}
+function discoverChildren(root) {
+  let names;
+  try {
+    names = readdirSync(root);
+  } catch {
+    return [];
+  }
+  const out = [];
+  for (const name of names.sort()) {
+    if (name.startsWith(".") || name === "node_modules") continue;
+    const dir = join6(root, name);
+    try {
+      if (!statSync(dir).isDirectory()) continue;
+    } catch {
+      continue;
+    }
+    if (existsSync6(join6(dir, ".git")) || committedBindingPath(dir)) out.push(name);
+  }
+  return out;
+}
+function readManifest(path) {
+  if (!existsSync6(path)) return null;
+  let parsed;
+  try {
+    parsed = JSON.parse(readFileSync5(path, "utf8"));
+  } catch (err2) {
+    throw new Error(`couldn't parse ${path}: ${err2 instanceof Error ? err2.message : String(err2)}`);
+  }
+  return Array.isArray(parsed.repos) ? parsed.repos.filter((r) => r && typeof r.path === "string") : [];
+}
+function passthroughGlobals(g) {
+  const out = [];
+  if (g.baseUrl) out.push("--base-url", g.baseUrl);
+  if (g.tenant) out.push("--tenant", g.tenant);
+  return out;
+}
+function runChildren(plans, o) {
+  const { globals, dryRun, json } = o;
+  const results = [];
+  for (const plan of plans) {
+    const runs = plan.argv.length > 0;
+    const argv = runs ? [...globals, ...plan.argv] : [];
+    if (!json) {
+      process.stderr.write(`  ${ICON[plan.disposition]} ${style.cyan(plan.label)} ${style.dim(plan.reason)}
+`);
+      if (runs && dryRun) process.stderr.write(`      ${style.dim(`would run: sechroom ${argv.join(" ")}`)}
+`);
+    }
+    let exitCode = runs ? 0 : null;
+    if (runs && !dryRun) {
+      const res = spawnSync(process.execPath, [process.argv[1], ...argv], {
+        cwd: plan.dir,
+        stdio: json ? "ignore" : "inherit"
+      });
+      exitCode = res.status;
+      if (!json) {
+        process.stderr.write(
+          exitCode === 0 ? `      ${ok("\u2713")} ${style.dim("onboard ok")}
+` : `      ${warn("\u2717")} ${style.dim(`onboard exited ${exitCode ?? "signal"}`)}
+`
+        );
+      }
+    }
+    results.push({
+      path: plan.label,
+      dir: plan.dir,
+      disposition: plan.disposition,
+      ran: runs && !dryRun,
+      exitCode,
+      reason: plan.reason
+    });
+  }
+  return results;
+}
+function summarizeFanout(results, o) {
+  const ran = results.filter((r) => r.ran);
+  const failed = ran.filter((r) => r.exitCode !== 0);
+  const skipped = results.filter((r) => r.disposition.startsWith("skip"));
+  const wouldRun = results.filter((r) => !r.disposition.startsWith("skip"));
+  const tally = (o.dryRun ? [wouldRun.length ? `${wouldRun.length} would onboard` : null, skipped.length ? `${skipped.length} would skip` : null] : [
+    ran.length ? `${ran.length - failed.length}/${ran.length} onboarded` : null,
+    skipped.length ? `${skipped.length} skipped` : null,
+    failed.length ? `${failed.length} failed` : null
+  ]).filter(Boolean).join(", ");
+  process.stderr.write(`
+${failed.length ? warn("\u26A0") : ok("\u2713")} ${tally || "nothing to do"}${o.dryRun ? style.dim(" (dry run)") : ""}
+`);
+  if (failed.length) process.exit(1);
+}
+
 // src/commands/onboard.ts
 var DEFAULT_BASE_URL2 = "https://app.sechroom.ai/api";
 function systemTimezone() {
@@ -3008,7 +3117,7 @@ async function warnIfProjectStray(client, projectId, workspaceId, json) {
     );
   }
 }
-async function pickWorkspace(client) {
+async function pickWorkspace(client, promptLabel = "Bind this directory to a workspace:") {
   const all = await withSpinner("Listing your workspaces", () => fetchWorkspaces(client));
   if (all.length === 0) {
     process.stderr.write(`no workspaces found \u2014 skipping workspace binding (you can set it later with \`sechroom config set --local workspaceId <id>\`)
@@ -3031,7 +3140,7 @@ async function pickWorkspace(client) {
     ...pool.slice().sort((a, b) => workspacePath(a, byId).localeCompare(workspacePath(b, byId))).map((w) => ({ label: workspacePath(w, byId), value: w.id, hint: w.id })),
     { label: style.dim("skip \u2014 don't bind a workspace"), value: SKIP, hint: void 0 }
   ];
-  const chosen = await promptSelect("Bind this directory to a workspace:", choices, SKIP);
+  const chosen = await promptSelect(promptLabel, choices, SKIP);
   if (chosen === SKIP) return void 0;
   const picked = byId.get(chosen);
   const collisions = all.filter((w) => w.id !== picked.id && namesCollide(w.name, picked.name));
@@ -3114,7 +3223,7 @@ async function ensureTenant(baseUrl, g, opts) {
       "Where should this tenant + base URL be saved?",
       [
         { label: "Globally", value: "global", hint: "all projects on this machine" },
-        { label: "This directory", value: "local", hint: ".sechroom/config.json \u2014 project + subdirs" }
+        { label: "This directory", value: "local", hint: ".sechroom.json \u2014 committed, project + subdirs" }
       ],
       local.path ? "local" : "global"
     ) === "local";
@@ -3189,16 +3298,88 @@ async function chooseClients(clientFlag, yes, cwd) {
   );
   return picks.length > 0 ? picks : preselected;
 }
+async function planRecurseChild(entry, root, client, opts) {
+  const dir = resolveChildDir(entry.path, root);
+  if (!existsSync7(dir)) {
+    return { label: entry.path, dir, disposition: "skip-missing", argv: [], reason: "directory does not exist" };
+  }
+  if (existsSync7(join7(dir, ".sechroom.json"))) {
+    return {
+      label: entry.path,
+      dir,
+      disposition: "refresh",
+      argv: ["onboard", "--refresh", "--yes"],
+      reason: "bound (committed .sechroom.json) \u2014 refresh in place"
+    };
+  }
+  if (entry.workspaceId) {
+    return {
+      label: entry.path,
+      dir,
+      disposition: "bind",
+      argv: ["onboard", "--yes", "--local", "--workspace", entry.workspaceId],
+      reason: `unbound \u2014 bind to ${entry.workspaceId}`
+    };
+  }
+  if (opts.dryRun) {
+    return { label: entry.path, dir, disposition: "bind", argv: ["onboard", "--yes", "--local", "--workspace", "<prompt>"], reason: "unbound \u2014 would prompt for a workspace" };
+  }
+  if (opts.yes || !canPrompt()) {
+    return { label: entry.path, dir, disposition: "skip-unbound", argv: [], reason: "unbound + no workspace (run interactively, or add it to ./.sechroom/repos.json)" };
+  }
+  process.stderr.write(`
+${style.bold(entry.path)} ${style.dim("is not bound yet.")}
+`);
+  const ws = await pickWorkspace(client, `Bind ${style.cyan(entry.path)} to a workspace:`);
+  if (!ws) {
+    return { label: entry.path, dir, disposition: "skip-unbound", argv: [], reason: "unbound \u2014 no workspace chosen (skipped)" };
+  }
+  return {
+    label: entry.path,
+    dir,
+    disposition: "bind",
+    argv: ["onboard", "--yes", "--local", "--workspace", ws],
+    reason: `unbound \u2014 bind to ${ws}`
+  };
+}
+async function runRecurse(cfg, g, opts) {
+  const { yes, dryRun, json } = opts;
+  const root = process.cwd();
+  const manifestPath = join7(root, ".sechroom", "repos.json");
+  const fromManifest = readManifest(manifestPath);
+  const entries = fromManifest ?? discoverChildren(root).map((path) => ({ path }));
+  const sourceLabel = fromManifest ? `manifest ${manifestPath}` : `auto-discovered under ${root}`;
+  if (entries.length === 0) {
+    if (json) process.stdout.write(JSON.stringify({ recurse: true, root, repos: [] }) + "\n");
+    else process.stderr.write(`${warn("\u26A0")} no child repos found ${fromManifest ? `in ${manifestPath}` : `under ${root}`} \u2014 nothing to do.
+`);
+    return;
+  }
+  if (!json) {
+    process.stderr.write(`${style.bold("onboard --recurse")} ${style.dim(`(${entries.length} repo${entries.length === 1 ? "" : "s"} from ${sourceLabel})`)}
+`);
+  }
+  const client = await makeClient(cfg);
+  const plans = [];
+  for (const entry of entries) plans.push(await planRecurseChild(entry, root, client, { yes, dryRun }));
+  const results = runChildren(plans, { globals: passthroughGlobals(g), dryRun, json });
+  if (json) {
+    process.stdout.write(JSON.stringify({ recurse: true, root, dryRun, repos: results }) + "\n");
+    return;
+  }
+  summarizeFanout(results, { dryRun });
+}
 function registerOnboard(program2) {
-  program2.command("onboard").description("Guided first-run setup: configure, sign in, set timezone, detect clients, and wire this project").option("--client <list>", `comma-separated clients (${ALL_CLIENT_KEYS.join(", ")}) or 'all' (default: auto-detected)`).option("--local", "save tenant + base URL to a directory-local .sechroom/config.json instead of the global config", false).option("--workspace <id>", "bind this directory to a workspace (skips the interactive workspace pick)").option("--cli-only", "configure the CLI only \u2014 don't wire any AI client (no MCP config, no agent files)", false).option("--no-mcp", "skip the MCP server config (.mcp.json etc.); still write the agent instruction files").option("--copy", "make a personal copy of the agent instructions you can edit (default: prompt on a TTY, else skip)").option("--dry-run", "walk through without writing files or changing the profile", false).option("--refresh", "re-fetch descriptors and refresh any out-of-date managed blocks (local edits preserved to .proposed)", false).option("--force", "rewrite every managed block, overwriting local edits inside the markers (content outside untouched)", false).option("--check", "report whether anything would change and exit (0 = all current, 1 = stale/drift/absent); writes nothing", false).option("-y, --yes", "non-interactive: accept defaults (system timezone, detected clients, global config, full wire)", false).addHelpText(
+  program2.command("onboard").description("Guided first-run setup: configure, sign in, set timezone, detect clients, and wire this project").option("--recurse", "orchestration-root mode: onboard every child repo under this dir (auto-discovered, or from ./.sechroom/repos.json) \u2014 refreshes bound repos, prompts a workspace per new one", false).option("--client <list>", `comma-separated clients (${ALL_CLIENT_KEYS.join(", ")}) or 'all' (default: auto-detected)`).option("--local", "save the binding (tenant + base URL + workspace) to a committed .sechroom.json in this repo instead of the global config", false).option("--workspace <id>", "bind this directory to a workspace (skips the interactive workspace pick)").option("--cli-only", "configure the CLI only \u2014 don't wire any AI client (no MCP config, no agent files)", false).option("--no-mcp", "skip the MCP server config (.mcp.json etc.); still write the agent instruction files").option("--copy", "make a personal copy of the agent instructions you can edit (default: prompt on a TTY, else skip)").option("--dry-run", "walk through without writing files or changing the profile", false).option("--refresh", "re-fetch descriptors and refresh any out-of-date managed blocks (local edits preserved to .proposed)", false).option("--force", "rewrite every managed block, overwriting local edits inside the markers (content outside untouched)", false).option("--check", "report whether anything would change and exit (0 = all current, 1 = stale/drift/absent); writes nothing", false).option("-y, --yes", "non-interactive: accept defaults (system timezone, detected clients, global config, full wire)", false).addHelpText(
     "after",
     `
 Examples:
   $ sechroom onboard                    guided, interactive (asks where to save config + how to wire)
   $ sechroom onboard --cli-only         just the CLI \u2014 no .mcp.json, no agent files
   $ sechroom onboard --no-mcp           agent instructions only, skip MCP config
-  $ sechroom onboard --local            save tenant + base URL to ./.sechroom/config.json
+  $ sechroom onboard --local            save tenant + base URL to a committed ./.sechroom.json
   $ sechroom onboard --workspace wsp_XX  bind this directory to a workspace (no pick prompt)
+  $ sechroom onboard --recurse          orchestration root: onboard every child repo under this dir
   $ sechroom onboard --refresh          refresh out-of-date instruction blocks in place
   $ sechroom onboard --check            CI/pre-commit: nonzero exit if instructions are out of date
   $ sechroom onboard --yes              non-interactive: defaults + global config + full wire
@@ -3210,6 +3391,13 @@ Examples:
     const mode = opts.check ? "check" : opts.force ? "force" : "apply";
     const check = mode === "check";
     const yes = Boolean(opts.yes) || check;
+    if (opts.recurse) {
+      const baseUrl2 = resolveBaseUrl(g);
+      await ensureAuth({ baseUrl: baseUrl2, tenant: "", clientId: readPersisted().clientId }, yes);
+      const cfg2 = await ensureTenant(baseUrl2, g, { yes: true, json, persist: false });
+      await runRecurse(cfg2, g, { yes, dryRun, json });
+      return;
+    }
     const baseUrl = resolveBaseUrl(g);
     await ensureAuth({ baseUrl, tenant: "", clientId: readPersisted().clientId }, yes);
     const cfg = await ensureTenant(baseUrl, g, { yes, json, local: Boolean(opts.local), workspace: opts.workspace, persist: !check });
@@ -3362,15 +3550,114 @@ ${style.bold("Next:")} paste this into your AI agent to get going \u2014
   );
 }
 
+// src/commands/sweep.ts
+import { existsSync as existsSync8 } from "fs";
+import { dirname as dirname6, join as join8, resolve as resolve2 } from "path";
+var DEFAULT_MANIFEST = join8(".sechroom", "repos.json");
+function planEntry(entry, root) {
+  const dir = resolveChildDir(entry.path, root);
+  if (!existsSync8(dir)) {
+    return { label: entry.path, dir, disposition: "skip-missing", argv: [], reason: "directory does not exist" };
+  }
+  if (committedBindingPath(dir)) {
+    return {
+      label: entry.path,
+      dir,
+      disposition: "refresh",
+      argv: ["onboard", "--refresh", "--yes"],
+      reason: "bound (committed .sechroom.json) \u2014 refresh in place"
+    };
+  }
+  if (entry.workspaceId) {
+    return {
+      label: entry.path,
+      dir,
+      disposition: "bind",
+      argv: ["onboard", "--yes", "--local", "--workspace", entry.workspaceId],
+      reason: `unbound \u2014 bind to ${entry.workspaceId} + commit .sechroom.json`
+    };
+  }
+  return {
+    label: entry.path,
+    dir,
+    disposition: "skip-unbound",
+    argv: [],
+    reason: "unbound + no workspaceId in the manifest \u2014 add one or run `sechroom onboard` there"
+  };
+}
+function registerSweep(program2) {
+  program2.command("sweep").description("Non-interactive fan-out from ./.sechroom/repos.json (headless sibling of `onboard --recurse`)").option("--manifest <path>", "path to the repos manifest", DEFAULT_MANIFEST).option("--dry-run", "print the plan (per-repo disposition + the onboard command) without running anything", false).addHelpText(
+    "after",
+    `
+For an interactive, no-manifest run use ${"`sechroom onboard --recurse`"} instead \u2014 it
+auto-discovers the child repos and prompts for a workspace per new one. ${"`sweep`"} is
+the deterministic manifest-driven form for scripts / CI.
+
+Manifest \u2014 ./.sechroom/repos.json (per-operator, gitignored, alongside lane.json):
+  {
+    "repos": [
+      { "path": "sechroom",      "workspaceId": "wsp_XXXX" },
+      { "path": "../other-repo", "workspaceId": "wsp_YYYY" },
+      { "path": "already-bound" }
+    ]
+  }
+
+Per repo (paths resolve relative to the manifest's root):
+  ${ICON.refresh} bound        committed .sechroom.json present  \u2192 onboard --refresh (manifest workspace ignored)
+  ${ICON.bind} unbound      bind to the manifest workspaceId    \u2192 onboard --local --workspace <id>
+  ${ICON["skip-missing"]} missing      directory does not exist            \u2192 skipped
+  ${ICON["skip-unbound"]} no workspace unbound + no workspaceId in manifest  \u2192 skipped (add one, or onboard manually)
+
+Examples:
+  $ sechroom sweep --dry-run            preview every repo's disposition, run nothing
+  $ sechroom sweep                      onboard the whole tree from the root
+  $ sechroom --tenant ocd sweep         force a tenant for every child (else each resolves its own)`
+  ).action((opts, cmd) => {
+    const g = cmd.optsWithGlobals();
+    const json = Boolean(g.json);
+    const dryRun = Boolean(opts.dryRun);
+    const manifestPath = resolve2(opts.manifest);
+    let repos;
+    try {
+      repos = readManifest(manifestPath);
+    } catch (err2) {
+      fail(err2 instanceof Error ? err2.message : String(err2));
+    }
+    if (repos === null) {
+      fail(`no manifest at ${manifestPath} \u2014 create ./.sechroom/repos.json, or use \`sechroom onboard --recurse\` to auto-discover (see \`sechroom sweep --help\`).`);
+    }
+    if (repos.length === 0) {
+      if (json) process.stdout.write(JSON.stringify({ manifest: manifestPath, repos: [] }) + "\n");
+      else process.stderr.write(`${warn("\u26A0")} ${manifestPath} lists no repos \u2014 nothing to do.
+`);
+      return;
+    }
+    const root = dirname6(dirname6(manifestPath));
+    const plans = repos.map((entry) => planEntry(entry, root));
+    if (!json) {
+      process.stderr.write(
+        `${style.bold("sweep")} ${style.dim(`(${plans.length} repo${plans.length === 1 ? "" : "s"} from ${manifestPath})`)}
+`
+      );
+    }
+    const results = runChildren(plans, { globals: passthroughGlobals(g), dryRun, json });
+    if (json) {
+      process.stdout.write(JSON.stringify({ manifest: manifestPath, dryRun, repos: results }) + "\n");
+      return;
+    }
+    summarizeFanout(results, { dryRun });
+  });
+}
+
 // src/commands/skills.ts
 import { homedir as homedir6 } from "os";
-import { join as join6 } from "path";
-import { mkdirSync as mkdirSync6, writeFileSync as writeFileSync6, rmSync as rmSync2, existsSync as existsSync6, readFileSync as readFileSync5 } from "fs";
+import { join as join9 } from "path";
+import { mkdirSync as mkdirSync6, writeFileSync as writeFileSync6, rmSync as rmSync2, existsSync as existsSync9, readFileSync as readFileSync6 } from "fs";
 var DEFAULT_SLUG = "operator-skills";
 var ROLE_TAGS = ["sechroom:role:skill-template", "role:skill-template"];
 var LOCK = ".sechroom-skills.json";
 function skillsDir(global) {
-  return global ? join6(homedir6(), ".claude", "skills") : join6(process.cwd(), ".claude", "skills");
+  return global ? join9(homedir6(), ".claude", "skills") : join9(process.cwd(), ".claude", "skills");
 }
 function tagValue2(tags, prefix) {
   return (tags ?? []).find((t) => t.startsWith(prefix))?.slice(prefix.length);
@@ -3448,13 +3735,13 @@ Examples:
       const name = tagValue2(tags, "skill:");
       if (!name) continue;
       const body = m.text ?? m.Text ?? "";
-      mkdirSync6(join6(dir, name), { recursive: true });
-      writeFileSync6(join6(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
+      mkdirSync6(join9(dir, name), { recursive: true });
+      writeFileSync6(join9(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
       written.push(name);
     }
     mkdirSync6(dir, { recursive: true });
-    const lockPath = join6(dir, LOCK);
-    const lock = existsSync6(lockPath) ? JSON.parse(readFileSync5(lockPath, "utf8")) : {};
+    const lockPath = join9(dir, LOCK);
+    const lock = existsSync9(lockPath) ? JSON.parse(readFileSync6(lockPath, "utf8")) : {};
     lock[slug] = { surface: opts.surface, version, instance: wantInstance, skills: written.sort() };
     writeFileSync6(lockPath, JSON.stringify(lock, null, 2) + "\n");
     if (opts.json) return emit({ slug, version, instance: wantInstance, surface: opts.surface, dir, installed: written }, true);
@@ -3478,15 +3765,15 @@ Examples:
   skills.command("clean [slug]").description(`Remove materialised skill files written by install (default ${DEFAULT_SLUG})`).option("--local", "clean ./.claude/skills instead of ~/.claude/skills").option("--json", "machine output").action(async (slugArg, opts) => {
     const slug = slugArg || DEFAULT_SLUG;
     const dir = skillsDir(!opts.local);
-    const lockPath = join6(dir, LOCK);
-    if (!existsSync6(lockPath)) fail(`No skills lockfile at ${lockPath}; nothing to clean.`);
-    const lock = JSON.parse(readFileSync5(lockPath, "utf8"));
+    const lockPath = join9(dir, LOCK);
+    if (!existsSync9(lockPath)) fail(`No skills lockfile at ${lockPath}; nothing to clean.`);
+    const lock = JSON.parse(readFileSync6(lockPath, "utf8"));
     const entry = lock[slug];
     if (!entry) fail(`No installed record for '${slug}' in ${lockPath}.`);
     const removed = [];
     for (const name of entry.skills) {
-      const skillPath = join6(dir, name);
-      if (existsSync6(skillPath)) {
+      const skillPath = join9(dir, name);
+      if (existsSync9(skillPath)) {
         rmSync2(skillPath, { recursive: true, force: true });
         removed.push(name);
       }
@@ -3582,21 +3869,21 @@ Examples:
 
 // src/commands/reset.ts
 import { homedir as homedir7 } from "os";
-import { join as join7 } from "path";
-import { existsSync as existsSync7, readFileSync as readFileSync6, rmSync as rmSync3 } from "fs";
+import { join as join10 } from "path";
+import { existsSync as existsSync10, readFileSync as readFileSync7, rmSync as rmSync3 } from "fs";
 var SKILLS_LOCK = ".sechroom-skills.json";
-var localSkillsDir = () => join7(process.cwd(), ".claude", "skills");
-var globalSkillsDir = () => join7(homedir7(), ".claude", "skills");
+var localSkillsDir = () => join10(process.cwd(), ".claude", "skills");
+var globalSkillsDir = () => join10(homedir7(), ".claude", "skills");
 function removeMaterialisedSkills(dir) {
   const removed = [];
-  const lockPath = join7(dir, SKILLS_LOCK);
-  if (!existsSync7(lockPath)) return removed;
+  const lockPath = join10(dir, SKILLS_LOCK);
+  if (!existsSync10(lockPath)) return removed;
   try {
-    const lock = JSON.parse(readFileSync6(lockPath, "utf8"));
+    const lock = JSON.parse(readFileSync7(lockPath, "utf8"));
     for (const entry of Object.values(lock)) {
       for (const name of entry.skills ?? []) {
-        const p = join7(dir, name);
-        if (existsSync7(p)) {
+        const p = join10(dir, name);
+        if (existsSync10(p)) {
           rmSync3(p, { recursive: true, force: true });
           removed.push(p);
         }
@@ -3627,18 +3914,18 @@ function registerReset(program2) {
       }
     }
     const removed = [];
-    const stateDir = join7(process.cwd(), ".sechroom");
-    if (existsSync7(stateDir)) {
+    const stateDir = join10(process.cwd(), ".sechroom");
+    if (existsSync10(stateDir)) {
       rmSync3(stateDir, { recursive: true, force: true });
       removed.push(stateDir);
     }
-    const legacyCfg = join7(process.cwd(), ".sechroom.json");
-    if (existsSync7(legacyCfg)) {
+    const legacyCfg = join10(process.cwd(), ".sechroom.json");
+    if (existsSync10(legacyCfg)) {
       rmSync3(legacyCfg, { force: true });
       removed.push(legacyCfg);
     }
-    const legacySem = join7(process.cwd(), ".sem");
-    if (existsSync7(legacySem)) {
+    const legacySem = join10(process.cwd(), ".sem");
+    if (existsSync10(legacySem)) {
       rmSync3(legacySem, { force: true });
       removed.push(legacySem);
     }
@@ -3665,7 +3952,7 @@ function registerReset(program2) {
 function resolveVersion() {
   try {
     const pkg = JSON.parse(
-      readFileSync7(new URL("../package.json", import.meta.url), "utf8")
+      readFileSync8(new URL("../package.json", import.meta.url), "utf8")
     );
     return pkg.version ?? "0.0.0";
   } catch {
@@ -3681,7 +3968,7 @@ Examples:
   $ sechroom onboard                              guided first-run: configure, sign in, wire this project
   $ sechroom login                                sign in via browser (OAuth + PKCE)
   $ sechroom config set tenant ocd                set your tenant (global)
-  $ sechroom config set --local tenant cli-smoke  pin tenant for this directory (.sechroom/config.json)
+  $ sechroom config set --local tenant cli-smoke  pin tenant for this directory (committed .sechroom.json)
   $ sechroom config show                          resolved config + which source won
 
   $ sechroom memory create --text "a note" --title "Note" --tag idea
@@ -3693,7 +3980,7 @@ Examples:
   $ sechroom --json memory search "auth"           compact JSON for scripts and agents
   $ SECHROOM_TOKEN=<bearer> sechroom --json memory get mem_XXXX    headless
 
-Config precedence (high -> low): --flag  >  env (SECHROOM_*)  >  ./.sechroom/config.json (legacy ./.sechroom.json)  >  global  >  default.
+Config precedence (high -> low): --flag  >  env (SECHROOM_*)  >  directory-local (committed ./.sechroom.json, shadowed per-field by the gitignored ./.sechroom/config.json override)  >  global  >  default.
 Run 'sechroom <command> --help' for command-specific examples.`
 );
 program.hook("preAction", (_thisCmd, actionCmd) => {
@@ -3719,11 +4006,11 @@ config.addHelpText(
 Examples:
   $ sechroom config set baseUrl https://app.sechroom.ai/api   prod (staging: https://staging.app.sechroom.ai/api)
   $ sechroom config set tenant ocd
-  $ sechroom config set --local tenant cli-smoke              this dir + subdirs (.sechroom/config.json)
+  $ sechroom config set --local tenant cli-smoke              this dir + subdirs (committed .sechroom.json)
   $ sechroom config set clientId dyn-XXXX                     global-only escape hatch (no DCR endpoint)
   $ sechroom config show --json`
 );
-config.command("set <key> <value>").description("Set baseUrl | tenant | workspaceId | defaultProjectId | clientId (clientId is global-only)").option("--local", "Write to the directory-local .sechroom/config.json (nearest up the tree, else cwd; migrates a legacy .sechroom.json) instead of the global config").action((key, value, opts) => {
+config.command("set <key> <value>").description("Set baseUrl | tenant | workspaceId | defaultProjectId | clientId (clientId is global-only)").option("--local", "Write the committed directory-local .sechroom.json (nearest up the tree, else cwd) instead of the global config").action((key, value, opts) => {
   if (opts.local) {
     if (!["baseUrl", "tenant", "workspaceId", "defaultProjectId"].includes(key)) {
       process.stderr.write(`--local supports only: baseUrl | tenant | workspaceId | defaultProjectId (clientId is global)
@@ -3782,6 +4069,7 @@ registerChat(program);
 registerInit(program);
 registerSetup(program);
 registerOnboard(program);
+registerSweep(program);
 registerSkills(program);
 registerReset(program);
 program.parseAsync().catch((err2) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sechroom/cli",
-  "version": "2026.6.23",
+  "version": "2026.6.25",
   "description": "Sechroom CLI — a thin, generated client over the Sechroom HTTP API. An agent/human surface alongside MCP.",
   "type": "module",
   "license": "UNLICENSED",