@sechroom/cli 2026.6.25 → 2026.6.26

package/dist/index.js

@@ -2681,6 +2681,24 @@ function codeLanePrefix(clients) {
   for (const c of CLIENT_PRIORITY) if (clients.includes(c)) return CODE_LANE_PREFIX_BY_CLIENT[c];
   return "claude-code";
 }
+async function inferLanes(cfg, clients) {
+  let wf;
+  let profile;
+  try {
+    const client = await makeClient(cfg);
+    [wf, profile] = await Promise.all([
+      client.GET("/me/workflow-preferences", {}).then((r) => r.data).catch(() => void 0),
+      client.GET("/me/profile", {}).then((r) => r.data).catch(() => void 0)
+    ]);
+  } catch {
+  }
+  const handle = handleFromDisplayName(profile?.effectiveDisplayName);
+  const prefix = codeLanePrefix(clients ?? ["claude-code"]);
+  return {
+    code: process.env.SECHROOM_CODE_LANE ?? wf?.defaultCodeLane ?? (handle ? `${prefix}-${handle}` : void 0),
+    design: process.env.SECHROOM_DESIGN_LANE ?? wf?.defaultDesignLane ?? (handle ? `claude-design-${handle}` : void 0)
+  };
+}
 function writePin(code, design) {
   const values = {};
   if (code) values["code-lane"] = code;
@@ -2693,20 +2711,7 @@ function writePin(code, design) {
 async function ensureLanePin(cfg, opts) {
   if (opts.dryRun) return;
   if (readSem()) return;
-  let wf;
-  let profile;
-  try {
-    const client = await makeClient(cfg);
-    [wf, profile] = await Promise.all([
-      client.GET("/me/workflow-preferences", {}).then((r) => r.data).catch(() => void 0),
-      client.GET("/me/profile", {}).then((r) => r.data).catch(() => void 0)
-    ]);
-  } catch {
-  }
-  const handle = handleFromDisplayName(profile?.effectiveDisplayName);
-  const prefix = codeLanePrefix(opts.clients ?? ["claude-code"]);
-  const codeGuess = wf?.defaultCodeLane ?? (handle ? `${prefix}-${handle}` : void 0);
-  const designGuess = wf?.defaultDesignLane ?? (handle ? `claude-design-${handle}` : void 0);
+  const { code: codeGuess, design: designGuess } = await inferLanes(cfg, opts.clients);
   if (!canPrompt() || opts.yes) {
     if (opts.yes && (codeGuess || designGuess)) writePin(codeGuess, designGuess);
     return;
@@ -3342,6 +3347,33 @@ ${style.bold(entry.path)} ${style.dim("is not bound yet.")}
     reason: `unbound \u2014 bind to ${ws}`
   };
 }
+async function resolveFanoutLane(cfg, opts) {
+  let code = opts.lane ?? process.env.SECHROOM_CODE_LANE;
+  let design = opts.designLane ?? process.env.SECHROOM_DESIGN_LANE;
+  if (!code || !design) {
+    const inferred = await inferLanes(cfg, ["claude-code"]);
+    code = code ?? inferred.code;
+    design = design ?? inferred.design;
+  }
+  if (!opts.lane && !opts.yes && !opts.dryRun && canPrompt() && (code || design)) {
+    process.stderr.write(`
+This fan-out will pin the same lane in every repo:
+`);
+    if (code) process.stderr.write(`  ${style.dim("code-lane")}   = ${style.cyan(code)}
+`);
+    if (design) process.stderr.write(`  ${style.dim("design-lane")} = ${style.cyan(design)}
+`);
+    if (!await promptYesNo("Use this lane for all repos?")) {
+      code = await promptText("Code-lane id (blank = let each repo infer)?", code ?? "") || void 0;
+      design = await promptText("Design-lane id (blank = skip)?", design ?? "") || void 0;
+    }
+  }
+  if (code) process.env.SECHROOM_CODE_LANE = code;
+  else delete process.env.SECHROOM_CODE_LANE;
+  if (design) process.env.SECHROOM_DESIGN_LANE = design;
+  else delete process.env.SECHROOM_DESIGN_LANE;
+  return { code, design };
+}
 async function runRecurse(cfg, g, opts) {
   const { yes, dryRun, json } = opts;
   const root = process.cwd();
@@ -3359,6 +3391,9 @@ async function runRecurse(cfg, g, opts) {
     process.stderr.write(`${style.bold("onboard --recurse")} ${style.dim(`(${entries.length} repo${entries.length === 1 ? "" : "s"} from ${sourceLabel})`)}
 `);
   }
+  const lane = await resolveFanoutLane(cfg, { lane: opts.lane, designLane: opts.designLane, yes, dryRun });
+  if (!json && lane.code) process.stderr.write(`${ok("\u2713")} lane ${style.cyan(lane.code)}${lane.design ? ` ${style.dim(`/ ${lane.design}`)}` : ""} for every repo
+`);
   const client = await makeClient(cfg);
   const plans = [];
   for (const entry of entries) plans.push(await planRecurseChild(entry, root, client, { yes, dryRun }));
@@ -3370,7 +3405,7 @@ async function runRecurse(cfg, g, opts) {
   summarizeFanout(results, { dryRun });
 }
 function registerOnboard(program2) {
-  program2.command("onboard").description("Guided first-run setup: configure, sign in, set timezone, detect clients, and wire this project").option("--recurse", "orchestration-root mode: onboard every child repo under this dir (auto-discovered, or from ./.sechroom/repos.json) \u2014 refreshes bound repos, prompts a workspace per new one", false).option("--client <list>", `comma-separated clients (${ALL_CLIENT_KEYS.join(", ")}) or 'all' (default: auto-detected)`).option("--local", "save the binding (tenant + base URL + workspace) to a committed .sechroom.json in this repo instead of the global config", false).option("--workspace <id>", "bind this directory to a workspace (skips the interactive workspace pick)").option("--cli-only", "configure the CLI only \u2014 don't wire any AI client (no MCP config, no agent files)", false).option("--no-mcp", "skip the MCP server config (.mcp.json etc.); still write the agent instruction files").option("--copy", "make a personal copy of the agent instructions you can edit (default: prompt on a TTY, else skip)").option("--dry-run", "walk through without writing files or changing the profile", false).option("--refresh", "re-fetch descriptors and refresh any out-of-date managed blocks (local edits preserved to .proposed)", false).option("--force", "rewrite every managed block, overwriting local edits inside the markers (content outside untouched)", false).option("--check", "report whether anything would change and exit (0 = all current, 1 = stale/drift/absent); writes nothing", false).option("-y, --yes", "non-interactive: accept defaults (system timezone, detected clients, global config, full wire)", false).addHelpText(
+  program2.command("onboard").description("Guided first-run setup: configure, sign in, set timezone, detect clients, and wire this project").option("--recurse", "orchestration-root mode: onboard every child repo under this dir (auto-discovered, or from ./.sechroom/repos.json) \u2014 refreshes bound repos, prompts a workspace per new one", false).option("--lane <id>", "set the code-lane (substrate source identity) explicitly instead of inferring it; with --recurse it's used for every child repo").option("--design-lane <id>", "set the design-lane explicitly (substrate-authoring identity); with --recurse applies to every child").option("--client <list>", `comma-separated clients (${ALL_CLIENT_KEYS.join(", ")}) or 'all' (default: auto-detected)`).option("--local", "save the binding (tenant + base URL + workspace) to a committed .sechroom.json in this repo instead of the global config", false).option("--workspace <id>", "bind this directory to a workspace (skips the interactive workspace pick)").option("--cli-only", "configure the CLI only \u2014 don't wire any AI client (no MCP config, no agent files)", false).option("--no-mcp", "skip the MCP server config (.mcp.json etc.); still write the agent instruction files").option("--copy", "make a personal copy of the agent instructions you can edit (default: prompt on a TTY, else skip)").option("--dry-run", "walk through without writing files or changing the profile", false).option("--refresh", "re-fetch descriptors and refresh any out-of-date managed blocks (local edits preserved to .proposed)", false).option("--force", "rewrite every managed block, overwriting local edits inside the markers (content outside untouched)", false).option("--check", "report whether anything would change and exit (0 = all current, 1 = stale/drift/absent); writes nothing", false).option("-y, --yes", "non-interactive: accept defaults (system timezone, detected clients, global config, full wire)", false).addHelpText(
     "after",
     `
 Examples:
@@ -3380,6 +3415,7 @@ Examples:
   $ sechroom onboard --local            save tenant + base URL to a committed ./.sechroom.json
   $ sechroom onboard --workspace wsp_XX  bind this directory to a workspace (no pick prompt)
   $ sechroom onboard --recurse          orchestration root: onboard every child repo under this dir
+  $ sechroom onboard --recurse --lane claude-code-you   pin one lane across every repo in the tree
   $ sechroom onboard --refresh          refresh out-of-date instruction blocks in place
   $ sechroom onboard --check            CI/pre-commit: nonzero exit if instructions are out of date
   $ sechroom onboard --yes              non-interactive: defaults + global config + full wire
@@ -3391,11 +3427,13 @@ Examples:
     const mode = opts.check ? "check" : opts.force ? "force" : "apply";
     const check = mode === "check";
     const yes = Boolean(opts.yes) || check;
+    if (opts.lane) process.env.SECHROOM_CODE_LANE = opts.lane;
+    if (opts.designLane) process.env.SECHROOM_DESIGN_LANE = opts.designLane;
     if (opts.recurse) {
       const baseUrl2 = resolveBaseUrl(g);
       await ensureAuth({ baseUrl: baseUrl2, tenant: "", clientId: readPersisted().clientId }, yes);
       const cfg2 = await ensureTenant(baseUrl2, g, { yes: true, json, persist: false });
-      await runRecurse(cfg2, g, { yes, dryRun, json });
+      await runRecurse(cfg2, g, { yes, dryRun, json, lane: opts.lane, designLane: opts.designLane });
       return;
     }
     const baseUrl = resolveBaseUrl(g);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sechroom/cli",
-  "version": "2026.6.25",
+  "version": "2026.6.26",
   "description": "Sechroom CLI — a thin, generated client over the Sechroom HTTP API. An agent/human surface alongside MCP.",
   "type": "module",
   "license": "UNLICENSED",