@sechroom/cli 2026.6.5 → 2026.6.6-rc.ff3f8b7d

package/dist/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import { readFileSync as readFileSync3 } from "fs";
+import { readFileSync as readFileSync8 } from "fs";
 import { Command } from "commander";
 
 // src/auth.ts
@@ -11,12 +11,17 @@ import open from "open";
 
 // src/config.ts
 import { homedir } from "os";
-import { join } from "path";
-import { mkdirSync, readFileSync, writeFileSync, existsSync } from "fs";
+import { join, dirname } from "path";
+import { mkdirSync, readFileSync, writeFileSync, existsSync, rmSync } from "fs";
 var CONFIG_DIR = join(homedir(), ".config", "sechroom");
 var CONFIG_FILE = join(CONFIG_DIR, "config.json");
 var TOKEN_FILE = join(CONFIG_DIR, "token.json");
+var STATE_DIR_NAME = ".sechroom";
+var BASELINE_CONFIG_NAME = ".sechroom.json";
+var OVERRIDE_CONFIG_NAME = join(STATE_DIR_NAME, "config.json");
+var BINDING_FIELDS = ["schemaVersion", "baseUrl", "tenant", "workspaceId", "defaultProjectId"];
 var DEFAULT_BASE_URL = "https://app.sechroom.ai/api";
+var LOCAL_CONFIG_SCHEMA_VERSION = 2;
 function ensureDir() {
   if (!existsSync(CONFIG_DIR)) mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
 }
@@ -32,6 +37,13 @@ function writePersisted(patch) {
   const next = { ...readPersisted(), ...patch };
   writeFileSync(CONFIG_FILE, JSON.stringify(next, null, 2), { mode: 384 });
 }
+function readDcrClientId(baseUrl) {
+  return readPersisted().clientIds?.[baseUrl];
+}
+function writeDcrClientId(baseUrl, clientId) {
+  const p = readPersisted();
+  writePersisted({ clientIds: { ...p.clientIds ?? {}, [baseUrl]: clientId } });
+}
 function readToken() {
   const envTok = process.env.SECHROOM_TOKEN;
   if (envTok) return { accessToken: envTok };
@@ -45,16 +57,99 @@ function writeToken(tok) {
   ensureDir();
   writeFileSync(TOKEN_FILE, JSON.stringify(tok, null, 2), { mode: 384 });
 }
+function clearToken() {
+  if (!existsSync(TOKEN_FILE)) return void 0;
+  rmSync(TOKEN_FILE);
+  return TOKEN_FILE;
+}
+function clearPersisted() {
+  if (!existsSync(CONFIG_FILE)) return void 0;
+  rmSync(CONFIG_FILE);
+  return CONFIG_FILE;
+}
+function readJsonConfig(path) {
+  try {
+    return JSON.parse(readFileSync(path, "utf8"));
+  } catch {
+    return void 0;
+  }
+}
+function findConfigHome(start = process.cwd()) {
+  let dir = start;
+  for (; ; ) {
+    if (existsSync(join(dir, BASELINE_CONFIG_NAME)) || existsSync(join(dir, OVERRIDE_CONFIG_NAME))) return dir;
+    const parent = dirname(dir);
+    if (parent === dir) return void 0;
+    dir = parent;
+  }
+}
+function readLocalConfig() {
+  const home = findConfigHome();
+  if (!home) return {};
+  const baselinePath = join(home, BASELINE_CONFIG_NAME);
+  const overridePath = join(home, OVERRIDE_CONFIG_NAME);
+  const merged = { ...readJsonConfig(baselinePath) ?? {}, ...readJsonConfig(overridePath) ?? {} };
+  return {
+    schemaVersion: merged.schemaVersion,
+    baseUrl: merged.baseUrl,
+    tenant: merged.tenant,
+    workspaceId: merged.workspaceId,
+    defaultProjectId: merged.defaultProjectId,
+    path: existsSync(baselinePath) ? baselinePath : overridePath
+  };
+}
+function writeLocalConfig(patch) {
+  const home = findConfigHome() ?? process.cwd();
+  const baselinePath = join(home, BASELINE_CONFIG_NAME);
+  const overridePath = join(home, OVERRIDE_CONFIG_NAME);
+  const current = readJsonConfig(baselinePath) ?? {};
+  const next = { ...current, ...patch, schemaVersion: LOCAL_CONFIG_SCHEMA_VERSION };
+  writeFileSync(baselinePath, JSON.stringify(next, null, 2), { mode: 420 });
+  const override = readJsonConfig(overridePath);
+  if (override) {
+    for (const f of BINDING_FIELDS) delete override[f];
+    if (Object.keys(override).length === 0) rmSync(overridePath, { force: true });
+    else writeFileSync(overridePath, JSON.stringify(override, null, 2), { mode: 384 });
+  }
+  return baselinePath;
+}
+function committedBindingPath(dir) {
+  const p = join(dir, BASELINE_CONFIG_NAME);
+  return existsSync(p) ? p : void 0;
+}
 function resolveConfig(flags) {
+  const local = readLocalConfig();
   const persisted = readPersisted();
-  const baseUrl = flags.baseUrl ?? process.env.SECHROOM_BASE_URL ?? persisted.baseUrl ?? DEFAULT_BASE_URL;
-  const tenant = flags.tenant ?? process.env.SECHROOM_TENANT ?? persisted.tenant ?? "";
+  const baseUrl = flags.baseUrl ?? process.env.SECHROOM_BASE_URL ?? local.baseUrl ?? persisted.baseUrl ?? DEFAULT_BASE_URL;
+  const tenant = flags.tenant ?? process.env.SECHROOM_TENANT ?? local.tenant ?? persisted.tenant ?? "";
   if (!tenant) {
     throw new Error(
-      "No tenant set. The Sechroom API rejects untenanted requests (HTTP 400). Pass --tenant <id>, set SECHROOM_TENANT, or run `sechroom config set tenant <id>`."
+      "No tenant set. The Sechroom API rejects untenanted requests (HTTP 400). Pass --tenant <id>, set SECHROOM_TENANT, run `sechroom config set tenant <id>`, or `sechroom config set --local tenant <id>` for this directory."
     );
   }
-  return { baseUrl: baseUrl.replace(/\/$/, ""), tenant, clientId: persisted.clientId };
+  const workspaceId = process.env.SECHROOM_WORKSPACE ?? local.workspaceId ?? persisted.workspaceId ?? void 0;
+  const defaultProjectId = local.defaultProjectId ?? persisted.defaultProjectId ?? void 0;
+  return { baseUrl: baseUrl.replace(/\/$/, ""), tenant, workspaceId, defaultProjectId, clientId: persisted.clientId };
+}
+function describeConfig(flags) {
+  const local = readLocalConfig();
+  const g = readPersisted();
+  const localTag = local.path ? `local (${local.path})` : "local";
+  const pick = (flag, env, l, gl, def) => {
+    if (flag) return { value: flag, source: "flag" };
+    if (env) return { value: env, source: "env" };
+    if (l) return { value: l, source: localTag };
+    if (gl) return { value: gl, source: "global" };
+    if (def) return { value: def, source: "default" };
+    return { value: void 0, source: "unset" };
+  };
+  const baseUrl = pick(flags.baseUrl, process.env.SECHROOM_BASE_URL, local.baseUrl, g.baseUrl, DEFAULT_BASE_URL);
+  return {
+    baseUrl: { value: baseUrl.value, source: baseUrl.source },
+    tenant: pick(flags.tenant, process.env.SECHROOM_TENANT, local.tenant, g.tenant),
+    workspaceId: pick(void 0, process.env.SECHROOM_WORKSPACE, local.workspaceId, g.workspaceId),
+    localPath: local.path
+  };
 }
 
 // src/auth.ts
@@ -72,26 +167,26 @@ async function discover(baseUrl) {
   if (!res.ok) throw new Error(`AS discovery failed (${res.status}) at ${baseUrl}`);
   return await res.json();
 }
-async function ensureClientId(meta) {
-  const cached = readPersisted().clientId;
-  if (cached) return cached;
-  if (!meta.registration_endpoint) {
-    throw new Error(
-      "Server advertises no registration_endpoint and no client_id is cached. Pre-register a client and run `sechroom config set clientId <id>`."
-    );
+async function ensureClientId(meta, baseUrl) {
+  if (meta.registration_endpoint) {
+    const res = await fetch(meta.registration_endpoint, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({
+        client_name: "sechroom-cli",
+        redirect_uris: CANDIDATE_PORTS.map(redirectUriFor)
+      })
+    });
+    if (!res.ok) throw new Error(`Dynamic client registration failed (${res.status}): ${await res.text()}`);
+    const reg = await res.json();
+    writeDcrClientId(baseUrl, reg.client_id);
+    return reg.client_id;
   }
-  const res = await fetch(meta.registration_endpoint, {
-    method: "POST",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify({
-      client_name: "sechroom-cli",
-      redirect_uris: CANDIDATE_PORTS.map(redirectUriFor)
-    })
-  });
-  if (!res.ok) throw new Error(`Dynamic client registration failed (${res.status}): ${await res.text()}`);
-  const reg = await res.json();
-  writePersisted({ clientId: reg.client_id });
-  return reg.client_id;
+  const fallback = readPersisted().clientId ?? readDcrClientId(baseUrl);
+  if (fallback) return fallback;
+  throw new Error(
+    "Server advertises no registration_endpoint and no client_id is configured. Pre-register a client and run `sechroom config set clientId <id>`."
+  );
 }
 function startLoopback(state) {
   return new Promise((resolveOuter, rejectOuter) => {
@@ -115,13 +210,13 @@ function startLoopback(state) {
         }
         const got = url.searchParams.get("code");
         const gotState = url.searchParams.get("state");
-        const err = url.searchParams.get("error");
-        res.writeHead(err ? 400 : 200, { "content-type": "text/html" });
+        const err2 = url.searchParams.get("error");
+        res.writeHead(err2 ? 400 : 200, { "content-type": "text/html" });
         res.end(
-          err ? `<h3>Authorization failed: ${err}</h3>` : "<h3>Signed in to Sechroom.</h3><p>Return to the terminal.</p>"
+          err2 ? `<h3>Authorization failed: ${err2}</h3>` : "<h3>Signed in to Sechroom.</h3><p>Return to the terminal.</p>"
         );
         server.close();
-        if (err) return rejectCode(new Error(`Authorization error: ${err}`));
+        if (err2) return rejectCode(new Error(`Authorization error: ${err2}`));
         if (!got) return rejectCode(new Error("No code in callback."));
         if (gotState !== state) return rejectCode(new Error("State mismatch \u2014 possible CSRF."));
         resolveCode(got);
@@ -162,7 +257,7 @@ function persistTokenResponse(json) {
 }
 async function login(cfg) {
   const meta = await discover(cfg.baseUrl);
-  const clientId = await ensureClientId(meta);
+  const clientId = await ensureClientId(meta, cfg.baseUrl);
   const state = b64url(randomBytes(16));
   const verifier = b64url(randomBytes(32));
   const challenge = b64url(createHash("sha256").update(verifier).digest());
@@ -219,6 +314,23 @@ var quiet = false;
 function setQuiet(q) {
   quiet = q;
 }
+function colorOn() {
+  return !quiet && !process.env.NO_COLOR && process.env.FORCE_COLOR !== "0" && Boolean(process.stdout.isTTY);
+}
+function wrap(open2, close) {
+  return (s) => colorOn() ? `\x1B[${open2}m${s}\x1B[${close}m` : String(s);
+}
+var style = {
+  bold: wrap(1, 22),
+  dim: wrap(2, 22),
+  red: wrap(31, 39),
+  green: wrap(32, 39),
+  yellow: wrap(33, 39),
+  cyan: wrap(36, 39)
+};
+var ok = (s) => style.green(s);
+var warn = (s) => style.yellow(s);
+var err = (s) => style.red(s);
 function active() {
   return !quiet && Boolean(process.stderr.isTTY);
 }
@@ -244,12 +356,12 @@ function spinner(text) {
   return {
     succeed(t) {
       clear();
-      process.stderr.write(`\u2713 ${t ?? text}
+      process.stderr.write(`${ok("\u2713")} ${t ?? text}
 `);
     },
     fail(t) {
       clear();
-      process.stderr.write(`\u2717 ${t ?? text}
+      process.stderr.write(`${err("\u2717")} ${t ?? text}
 `);
     },
     stop: clear
@@ -263,8 +375,8 @@ async function promptYesNo(question) {
   const { createInterface } = await import("readline");
   const rl = createInterface({ input: process.stdin, output: process.stderr });
   try {
-    const answer = await new Promise((resolve) => {
-      rl.question(`${question} [y/N] `, resolve);
+    const answer = await new Promise((resolve3) => {
+      rl.question(`${question} [y/N] `, resolve3);
     });
     return /^y(es)?$/i.test(answer.trim());
   } finally {
@@ -277,8 +389,8 @@ async function promptText(question, def) {
   const rl = createInterface({ input: process.stdin, output: process.stderr });
   try {
     const suffix = def ? ` [${def}]` : "";
-    const answer = await new Promise((resolve) => {
-      rl.question(`${question}${suffix} `, resolve);
+    const answer = await new Promise((resolve3) => {
+      rl.question(`${question}${suffix} `, resolve3);
     });
     const trimmed = answer.trim();
     return trimmed.length > 0 ? trimmed : def ?? "";
@@ -286,15 +398,88 @@ async function promptText(question, def) {
     rl.close();
   }
 }
+async function promptSelect(question, choices, def) {
+  if (choices.length === 0) throw new Error("promptSelect: no choices");
+  const defIdx = Math.max(
+    0,
+    def !== void 0 ? choices.findIndex((c) => c.value === def) : 0
+  );
+  if (!canPrompt()) return choices[defIdx].value;
+  const { createInterface } = await import("readline");
+  const rl = createInterface({ input: process.stdin, output: process.stderr });
+  try {
+    process.stderr.write(`${style.bold(question)}
+`);
+    choices.forEach((c, i) => {
+      const marker = i === defIdx ? style.cyan("\u203A") : " ";
+      const hint = c.hint ? ` ${style.dim(`\u2014 ${c.hint}`)}` : "";
+      process.stderr.write(`  ${marker} ${style.bold(String(i + 1))}. ${c.label}${hint}
+`);
+    });
+    const answer = await new Promise((resolve3) => {
+      rl.question(`Choose ${style.dim(`[${defIdx + 1}]`)} `, resolve3);
+    });
+    const trimmed = answer.trim();
+    if (!trimmed) return choices[defIdx].value;
+    const n = Number(trimmed);
+    if (Number.isInteger(n) && n >= 1 && n <= choices.length) return choices[n - 1].value;
+    const byLabel = choices.find(
+      (c) => c.label.toLowerCase().startsWith(trimmed.toLowerCase())
+    );
+    return byLabel ? byLabel.value : choices[defIdx].value;
+  } finally {
+    rl.close();
+  }
+}
+async function promptMultiSelect(question, choices, preselected = []) {
+  if (choices.length === 0) return [];
+  const pre = (v) => preselected.includes(v);
+  const preValues = () => choices.filter((c) => pre(c.value)).map((c) => c.value);
+  if (!canPrompt()) return preValues();
+  const { createInterface } = await import("readline");
+  const rl = createInterface({ input: process.stdin, output: process.stderr });
+  try {
+    process.stderr.write(
+      `${style.bold(question)} ${style.dim("(numbers or 'all', comma-separated; Enter keeps \u25C9)")}
+`
+    );
+    choices.forEach((c, i) => {
+      const box = pre(c.value) ? style.cyan("\u25C9") : "\u25CB";
+      const hint = c.hint ? ` ${style.dim(`\u2014 ${c.hint}`)}` : "";
+      process.stderr.write(`  ${box} ${style.bold(String(i + 1))}. ${c.label}${hint}
+`);
+    });
+    const answer = await new Promise((resolve3) => {
+      rl.question(`Select ${style.dim("[Enter = \u25C9]")} `, resolve3);
+    });
+    const trimmed = answer.trim().toLowerCase();
+    if (!trimmed) return preValues();
+    if (trimmed === "all") return choices.map((c) => c.value);
+    const picks = [];
+    for (const tok of trimmed.split(",").map((t) => t.trim()).filter(Boolean)) {
+      const n = Number(tok);
+      if (Number.isInteger(n) && n >= 1 && n <= choices.length) {
+        picks.push(choices[n - 1].value);
+        continue;
+      }
+      const byLabel = choices.find((c) => c.label.toLowerCase().startsWith(tok));
+      if (byLabel) picks.push(byLabel.value);
+    }
+    const uniq = [...new Set(picks)];
+    return uniq.length > 0 ? uniq : preValues();
+  } finally {
+    rl.close();
+  }
+}
 async function withSpinner(text, fn) {
   const s = spinner(text);
   try {
     const result = await fn();
     s.succeed();
     return result;
-  } catch (err) {
+  } catch (err2) {
     s.fail();
-    throw err;
+    throw err2;
   }
 }
 
@@ -306,6 +491,7 @@ async function makeClient(cfg) {
     onRequest({ request }) {
       request.headers.set("authorization", `Bearer ${token}`);
       request.headers.set("tenant", cfg.tenant);
+      request.headers.set("x-sechroom-surface", "cli");
       return request;
     }
   });
@@ -318,18 +504,36 @@ function emit(data, json) {
     process.stdout.write(JSON.stringify(data, null, 2) + "\n");
   }
 }
+function publicUrl(url) {
+  return url.replace(/^https?:\/\/localhost:5012/, "https://sechroom.yi.ocd.codes");
+}
+function resolveViewUrl(baseUrl, url) {
+  if (!url) return void 0;
+  if (/^https?:\/\//i.test(url)) return publicUrl(url);
+  const origin = baseUrl.replace(/\/api\/?$/i, "").replace(/\/+$/, "");
+  return publicUrl(`${origin}${url.startsWith("/") ? url : `/${url}`}`);
+}
+function emitAction(summary, data, json) {
+  if (json) {
+    process.stdout.write(JSON.stringify(data) + "\n");
+    return;
+  }
+  process.stdout.write(`${ok("\u2713")} ${summary}
+`);
+}
 async function runApi(label, fn) {
   const s = spinner(label);
   let res;
   try {
     res = await fn();
-  } catch (err) {
+  } catch (err2) {
     s.fail();
-    fail(err);
+    fail(err2);
   }
-  if (res.error !== void 0 && res.error !== null) {
+  const httpFailed = res.response !== void 0 && !res.response.ok;
+  if (res.error !== void 0 && res.error !== null || httpFailed) {
     s.fail();
-    fail(res.error);
+    fail(res.error ?? (res.response ? `HTTP ${res.response.status} ${res.response.statusText}`.trim() : "request failed"));
   }
   s.succeed();
   return res.data;
@@ -344,6 +548,22 @@ function fail(error) {
 // src/commands/memory.ts
 function registerMemory(program2) {
   const memory = program2.command("memory").description("Create, read, and search memories");
+  memory.addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom memory create --text "first note" --type reference --tag idea --tag cli
+  $ sechroom memory create --text "filed note" --owner-type Workspace --owner-id wsp_XXXX
+  $ sechroom memory search "rate limiting" --limit 5 --tag kind:decision
+  $ sechroom memory search "auth flow" --workspace wsp_XXXX --json
+  $ sechroom memory get mem_XXXX --json
+  $ sechroom memory edit-text mem_XXXX --old "teh" --new "the" --replace-all
+  $ sechroom memory edit-text-batch mem_XXXX --edit "foo=>bar" --edit "baz=>qux"
+  $ sechroom memory move mem_XXXX --owner-type Workspace --owner-id wsp_XXXX
+  $ sechroom memory archive mem_XXXX
+  $ sechroom memory list-archived --workspace wsp_XXXX --json
+  $ sechroom memory tags --json`
+  );
   memory.command("create").description("Create a memory (POST /memories)").requiredOption("--text <text>", "Memory body text").option("--type <type>", "Memory type", "reference").option("--title <title>", "Optional title").option("--tag <tag...>", "Tags (repeatable)").option("--owner-type <ownerType>", "Workspace | Project | Unfiled", "Unfiled").option("--owner-id <ownerId>", "Owner id (required for Workspace/Project)").option("--source <source>", "Source / lane stamp", "cli").option("--confidence <n>", "Confidence 0..1", "1.0").action(async (opts, cmd) => {
     const cfg = resolveConfig(cmd.optsWithGlobals());
     const unfiled = String(opts.ownerType).toLowerCase() === "unfiled";
@@ -363,7 +583,10 @@ function registerMemory(program2) {
         }
       });
     });
-    emit(data, cmd.optsWithGlobals().json);
+    const titlePart = opts.title ? ` ${style.dim(`"${opts.title}"`)}` : "";
+    const view = resolveViewUrl(cfg.baseUrl, data.url);
+    const urlPart = view ? ` ${style.dim("\u2192")} ${view}` : "";
+    emitAction(`created memory ${style.bold(data.id)}${titlePart}${urlPart}`, data, cmd.optsWithGlobals().json);
   });
   memory.command("get <memoryId>").description("Fetch a memory by id (GET /memories/{memoryId})").action(async (memoryId, _opts, cmd) => {
     const cfg = resolveConfig(cmd.optsWithGlobals());
@@ -393,11 +616,213 @@ function registerMemory(program2) {
     });
     emit(data, cmd.optsWithGlobals().json);
   });
+  memory.command("edit-text <memoryId>").description("Find/replace one substring (POST /memories/{memoryId}/edit-text)").requiredOption("--old <text>", "Text to find").requiredOption("--new <text>", "Replacement text").option("--replace-all", "Replace every occurrence (default: first only)", false).option("--regenerate-filing", "Re-run filing after the edit", false).option("--source <source>", "Source / lane stamp", "cli").action(async (memoryId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Editing memory text", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/memories/{memoryId}/edit-text", {
+        params: { path: { memoryId } },
+        body: {
+          memoryId,
+          oldText: opts.old,
+          newText: opts.new,
+          replaceAll: Boolean(opts.replaceAll),
+          regenerateFiling: Boolean(opts.regenerateFiling),
+          source: opts.source
+        }
+      });
+    });
+    emitAction(`edited ${style.bold(memoryId)} \u2192 v${style.bold(String(data.version))}`, data, cmd.optsWithGlobals().json);
+  });
+  memory.command("edit-text-batch <memoryId>").description("Apply many find/replace edits (POST /memories/{memoryId}/edit-text-batch)").requiredOption("--edit <old=>new...>", "Edit as 'old=>new' (repeatable)").option("--replace-all", "Apply replaceAll to every edit", false).option("--regenerate-filing", "Re-run filing after the edits", false).option("--source <source>", "Source / lane stamp", "cli").action(async (memoryId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const replaceAll = Boolean(opts.replaceAll);
+    const edits = opts.edit.map((spec) => {
+      const idx = spec.indexOf("=>");
+      if (idx < 0) {
+        process.stderr.write(`error: --edit must be 'old=>new', got: ${spec}
+`);
+        process.exit(1);
+      }
+      return { oldText: spec.slice(0, idx), newText: spec.slice(idx + 2), replaceAll };
+    });
+    const data = await runApi("Applying batch edits", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/memories/{memoryId}/edit-text-batch", {
+        params: { path: { memoryId } },
+        body: {
+          memoryId,
+          edits,
+          regenerateFiling: Boolean(opts.regenerateFiling),
+          source: opts.source
+        }
+      });
+    });
+    emitAction(
+      `applied ${style.bold(String(data.editsApplied))} edit(s) \u2192 v${style.bold(String(data.version))}`,
+      data,
+      cmd.optsWithGlobals().json
+    );
+  });
+  memory.command("archive <memoryId>").description("Archive a memory (POST /memories/{memoryId}/archive)").option("--source <source>", "Source / lane stamp", "cli").action(async (memoryId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Archiving memory", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/memories/{memoryId}/archive", {
+        params: { path: { memoryId } },
+        body: { source: opts.source }
+      });
+    });
+    emitAction(`archived ${style.bold(memoryId)}`, data, cmd.optsWithGlobals().json);
+  });
+  memory.command("restore <memoryId>").description("Restore an archived memory (POST /memories/{memoryId}/restore)").option("--source <source>", "Source / lane stamp", "cli").action(async (memoryId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Restoring memory", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/memories/{memoryId}/restore", {
+        params: { path: { memoryId } },
+        body: { source: opts.source }
+      });
+    });
+    emitAction(`restored ${style.bold(memoryId)}`, data, cmd.optsWithGlobals().json);
+  });
+  memory.command("move <memoryId>").description("Move a memory to a new owner (POST /memories/{memoryId}/move)").requiredOption("--owner-type <ownerType>", "Unfiled | Workspace | Project | Candidate").option("--owner-id <ownerId>", "Owner id (required unless Unfiled)").option("--source <source>", "Source / lane stamp", "cli").action(async (memoryId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Moving memory", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/memories/{memoryId}/move", {
+        params: { path: { memoryId } },
+        body: {
+          to: {
+            type: opts.ownerType,
+            id: String(opts.ownerId ?? "")
+          },
+          source: opts.source
+        }
+      });
+    });
+    emitAction(`moved ${style.bold(memoryId)} \u2192 ${opts.ownerType}`, data, cmd.optsWithGlobals().json);
+  });
+  memory.command("list-archived").description("List archived memories (GET /memories/archived)").option("--workspace <workspaceId>", "Scope to a workspace").option("--project <projectId>", "Scope to a project").option("--page <n>", "Page number").option("--page-size <n>", "Page size").action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Listing archived memories", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/memories/archived", {
+        params: {
+          query: {
+            ...opts.workspace ? { workspaceId: opts.workspace } : {},
+            ...opts.project ? { projectId: opts.project } : {},
+            ...opts.page ? { page: Number(opts.page) } : {},
+            ...opts.pageSize ? { pageSize: Number(opts.pageSize) } : {}
+          }
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  memory.command("versions <memoryId>").description("List a memory's versions (GET /memories/{memoryId}/versions)").action(async (memoryId, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching versions", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/memories/{memoryId}/versions", { params: { path: { memoryId } } });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  memory.command("revert <memoryId>").description("Revert a memory to an earlier version (POST /memories/{memoryId}/revert)").requiredOption("--from-version <n>", "Version to revert from").requiredOption("--text <text>", "Reverted text (the target version's text)").requiredOption("--content <content>", "Reverted content JSON (the target version's content)").option("--source <source>", "Source / lane stamp", "cli").action(async (memoryId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Reverting memory", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/memories/{memoryId}/revert", {
+        params: { path: { memoryId } },
+        body: {
+          fromVersion: Number(opts.fromVersion),
+          revertedContent: opts.content,
+          revertedText: opts.text,
+          source: opts.source
+        }
+      });
+    });
+    emitAction(`reverted ${style.bold(memoryId)} from v${opts.fromVersion}`, data, cmd.optsWithGlobals().json);
+  });
+  memory.command("owners").description("List owners with memory counts (GET /memories/owners)").option("--include-archived", "Include archived memories in counts", false).action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching owners", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/memories/owners", {
+        params: { query: { includeArchived: Boolean(opts.includeArchived) } }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  memory.command("tags").description("List tags with memory counts (GET /memories/tags)").option("--include-archived", "Include archived memories in counts", false).action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching tags", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/memories/tags", {
+        params: { query: { includeArchived: Boolean(opts.includeArchived) } }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  memory.command("types").description("List types with memory counts (GET /memories/types)").option("--include-archived", "Include archived memories in counts", false).action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching types", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/memories/types", {
+        params: { query: { includeArchived: Boolean(opts.includeArchived) } }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  memory.command("sum-tokens").description("Sum token counts across memories (POST /memories/sum-tokens)").option("--id <memoryId...>", "Memory id(s) to sum (repeatable)").option("--snapshot <snapshotId>", "Sum a continuity snapshot's load set").action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Summing tokens", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/memories/sum-tokens", {
+        body: {
+          ids: opts.id ?? null,
+          snapshotId: opts.snapshot ?? null
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  memory.command("similar <memoryId>").description("Find similar memories (GET /memories/{memoryId}/similar)").option("--limit <n>", "Max results").option("--threshold <n>", "Minimum similarity threshold").action(async (memoryId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Finding similar memories", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/memories/{memoryId}/similar", {
+        params: {
+          path: { memoryId },
+          query: {
+            ...opts.limit ? { limit: Number(opts.limit) } : {},
+            ...opts.threshold ? { threshold: Number(opts.threshold) } : {}
+          }
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  memory.command("by-url <url>").description("Resolve a memory by its canonical URL (GET /memories/by-url)").action(async (url, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Resolving memory by URL", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/memories/by-url", { params: { query: { url } } });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
 }
 
 // src/commands/worklog.ts
 function registerWorklog(program2) {
   const worklog = program2.command("worklog").description("Append to the daily work log");
+  worklog.addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom worklog append --text "shipped CLI help + onboarding scope; PR #1430"
+  $ sechroom worklog append --text "smoke passed" --source claude-code-chris --title "CLI smoke"`
+  );
   worklog.command("append").description("Append a work-log entry (POST /operator-surface/work-log/append)").requiredOption("--text <text>", "Entry body (short bullets / pointers) \u2014 the bullet").option("--source <source>", "Lane stamp (e.g. claude-code-chris) \u2014 laneId", "cli").option("--workspace <workspaceId>", "Target work-log workspace (default: caller's daily log)").option("--title <title>", "Optional entry title").action(async (opts, cmd) => {
     const cfg = resolveConfig(cmd.optsWithGlobals());
     const data = await runApi("Appending work-log entry", async () => {
@@ -411,7 +836,7 @@ function registerWorklog(program2) {
         }
       });
     });
-    emit(data, cmd.optsWithGlobals().json);
+    emitAction(`appended work-log entry ${style.bold(data.memoryId)}`, data, cmd.optsWithGlobals().json);
   });
 }
 
@@ -419,6 +844,14 @@ function registerWorklog(program2) {
 function registerLookup(program2) {
   program2.command("lookup <id>").description(
     "Resolve a sechroom id to its kind, title, and view URL (mem_\u2026/wsp_\u2026/prj_\u2026, unprefixed, or sechroom:<id>)"
+  ).addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom lookup mem_XXXX             a memory -> kind / title / view URL
+  $ sechroom lookup wsp_XXXX             a workspace
+  $ sechroom lookup sechroom:mem_XXXX    namespaced / portable form also resolves
+  $ sechroom lookup mem_XXXX --json`
   ).action(async (id, _opts, cmd) => {
     const cfg = resolveConfig(cmd.optsWithGlobals());
     const data = await runApi(`Resolving ${id}`, async () => {
@@ -434,126 +867,1622 @@ function registerLookup(program2) {
   });
 }
 
-// src/setup/apply.ts
-import { mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2, existsSync as existsSync2 } from "fs";
-import { dirname } from "path";
-
-// src/setup/operator-surface.ts
-var SectionType = {
-  McpConfig: "mcp-config",
-  McpConfigToml: "mcp-config-toml",
-  InstructionFile: "instruction-file",
-  ProjectConfig: "project-config",
-  Verify: "verify"
-};
-async function fetchSetup(cfg) {
-  const client = await makeClient(cfg);
-  const { data, error } = await client.GET("/operator-surface/setup", {});
-  if (error) throw new Error(`GET /operator-surface/setup failed: ${JSON.stringify(error)}`);
-  return data;
-}
-function findSurface(setup, surfaceKey) {
-  return setup.surfaces.find((s) => s.surfaceKey === surfaceKey);
-}
-function findSection(surface, sectionType) {
-  return surface?.sections.find((s) => s.sectionType === sectionType);
-}
-function sectionSnippet(section) {
-  if (!section) return null;
-  for (const step of section.steps) {
-    if (step.copyValue) return step.copyValue;
-    if (step.codeSnippet) return step.codeSnippet;
-  }
-  return null;
-}
-function parseTagArtifactId(id) {
-  if (!id.startsWith("tag:")) return null;
-  const tags = id.slice("tag:".length).split(",").map((t) => t.trim()).filter((t) => t.length > 0);
-  return tags.length > 0 ? tags : null;
-}
-async function getPersonalWorkspaceId(cfg) {
-  const client = await makeClient(cfg);
-  const { data } = await client.GET("/me/personal-workspace", {});
-  return data?.workspaceId ?? null;
-}
-async function fetchMemoryFields(cfg, id) {
-  const client = await makeClient(cfg);
-  const { data } = await client.GET("/memories/{memoryId}", { params: { path: { memoryId: id } } });
-  const env = data;
-  return env?.item ?? env ?? null;
-}
-async function resolveInstruction(cfg, section, personalWorkspaceId) {
-  const client = await makeClient(cfg);
-  for (const artifact of section.artifacts) {
-    const tags = parseTagArtifactId(artifact.id);
-    if (!tags) continue;
-    const { data } = await client.POST("/memories/search", {
-      body: { query: null, textQuery: null, semanticQuery: artifact.title ?? "role instruction template", hybrid: true, limit: 1, includeArchived: false, includeSystem: false, tags }
+// src/commands/relationships.ts
+function registerRelationships(program2) {
+  const relationship = program2.command("relationship").description("Create, list, and manage memory relationships + suggestions");
+  relationship.addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom relationship create mem_FROM mem_TO --type Reference
+  $ sechroom relationship list mem_XXXX --direction Outbound --json
+  $ sechroom relationship delete rel_XXXX
+  $ sechroom relationship suggest mem_XXXX --limit 5
+  $ sechroom relationship suggestions --status Pending --memory mem_XXXX
+  $ sechroom relationship suggestion accept rsg_XXXX`
+  );
+  relationship.command("create <fromMemoryId> <toMemoryId>").description("Create a relationship (POST /memories/{memoryId}/relationships)").option("--type <type>", "Relationship type (Reference, Related, Parent, Child, Follows, \u2026)", "Reference").action(async (fromMemoryId, toMemoryId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Creating relationship", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/memories/{memoryId}/relationships", {
+        params: { path: { memoryId: fromMemoryId } },
+        body: {
+          toMemoryId,
+          type: opts.type
+        }
+      });
     });
-    const hits = data ?? [];
-    if (hits.length === 0) continue;
-    const templateId = hits[0].id;
-    const template = await fetchMemoryFields(cfg, templateId);
-    if (typeof template?.text !== "string" || template.text.length === 0) continue;
-    const templateTags = template.tags ?? tags;
-    if (personalWorkspaceId) {
-      const { data: ovr } = await client.POST("/memories/search", {
-        body: { query: null, textQuery: null, semanticQuery: "role override", hybrid: true, limit: 1, includeArchived: false, includeSystem: false, tags: ["sechroom:role:override", `sechroom:template-ref:${templateId}`], owner: { type: "Workspace", id: personalWorkspaceId } }
+    const inversePart = data.inverseId ? ` ${style.dim(`(inverse ${data.inverseId})`)}` : "";
+    const view = resolveViewUrl(cfg.baseUrl, data.url);
+    const urlPart = view ? ` ${style.dim("\u2192")} ${view}` : "";
+    emitAction(
+      `created relationship ${style.bold(data.id)} ${style.dim(`${fromMemoryId} \u2192 ${toMemoryId}`)}${inversePart}${urlPart}`,
+      data,
+      cmd.optsWithGlobals().json
+    );
+  });
+  relationship.command("list <memoryId>").description("List a memory's relationships (GET /memories/{memoryId}/relationships)").option("--direction <direction>", "Both | Outbound | Inbound").option("--include-deleted", "Include deleted relationships", false).option("--page <n>", "Page number").option("--page-size <n>", "Page size").action(async (memoryId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Listing relationships", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/memories/{memoryId}/relationships", {
+        params: {
+          path: { memoryId },
+          query: {
+            ...opts.direction ? { direction: opts.direction } : {},
+            ...opts.includeDeleted ? { includeDeleted: true } : {},
+            ...opts.page ? { page: Number(opts.page) } : {},
+            ...opts.pageSize ? { pageSize: Number(opts.pageSize) } : {}
+          }
+        }
       });
-      const ovrHits = ovr ?? [];
-      if (ovrHits.length > 0) {
-        const override = await fetchMemoryFields(cfg, ovrHits[0].id);
-        if (typeof override?.text === "string" && override.text.length > 0) {
-          return { title: override.title ?? template.title ?? artifact.title, body: override.text, source: "override", templateId, templateTags };
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  relationship.command("delete <id>").description("Delete a relationship (DELETE /relationships/{id})").action(async (id, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Deleting relationship", async () => {
+      const client = await makeClient(cfg);
+      return client.DELETE("/relationships/{id}", {
+        params: { path: { id } },
+        body: {}
+      });
+    });
+    emitAction(`deleted relationship ${style.bold(id)}`, data, cmd.optsWithGlobals().json);
+  });
+  relationship.command("suggest <memoryId>").description("Generate relationship suggestions for a memory (POST /memories/{memoryId}/suggest-relationships)").option("--limit <n>", "Max suggestions to generate").action(async (memoryId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Suggesting relationships", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/memories/{memoryId}/suggest-relationships", {
+        params: { path: { memoryId } },
+        body: {
+          limit: opts.limit ? Number(opts.limit) : null
         }
-      }
-    }
-    return { title: template.title ?? artifact.title, body: template.text, source: "template", templateId, templateTags };
-  }
-  return null;
-}
-async function createOverride(cfg, template, personalWorkspaceId) {
+      });
+    });
+    emitAction(
+      `suggested ${style.bold(String(data.suggested))} for ${memoryId} ${style.dim(`(considered ${data.considered}, suppressed ${data.suppressed})`)}`,
+      data,
+      cmd.optsWithGlobals().json
+    );
+  });
+  relationship.command("suggestions").description("List relationship suggestions (GET /relationship-suggestions)").option("--memory <memoryId>", "Filter to a memory").option(
+    "--status <status>",
+    "Pending | Accepted | EditedAndAccepted | Rejected | Superseded | Deferred | Invalidated"
+  ).option("--page <n>", "Page number").option("--page-size <n>", "Page size").action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Listing suggestions", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/relationship-suggestions", {
+        params: {
+          query: {
+            ...opts.memory ? { memoryId: opts.memory } : {},
+            ...opts.status ? {
+              status: opts.status
+            } : {},
+            ...opts.page ? { page: Number(opts.page) } : {},
+            ...opts.pageSize ? { pageSize: Number(opts.pageSize) } : {}
+          }
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  const suggestion = relationship.command("suggestion").description("Inspect and decide on a single relationship suggestion");
+  suggestion.command("get <id>").description("Fetch a suggestion by id (GET /relationship-suggestions/{id})").action(async (id, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching suggestion", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/relationship-suggestions/{id}", { params: { path: { id } } });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  suggestion.command("accept <id>").description("Accept a suggestion (POST /relationship-suggestions/{id}/accept)").action(async (id, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Accepting suggestion", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/relationship-suggestions/{id}/accept", {
+        params: { path: { id } },
+        body: {}
+      });
+    });
+    emitAction(`accepted suggestion ${style.bold(id)}`, data, cmd.optsWithGlobals().json);
+  });
+  suggestion.command("reject <id>").description("Reject a suggestion (POST /relationship-suggestions/{id}/reject)").option("--reason <reason>", "Why it's being rejected").option("--reason-code <code>", "Structured reason code").action(async (id, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Rejecting suggestion", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/relationship-suggestions/{id}/reject", {
+        params: { path: { id } },
+        body: {
+          reason: opts.reason ?? null,
+          ...opts.reasonCode ? { reasonCode: opts.reasonCode } : {}
+        }
+      });
+    });
+    emitAction(`rejected suggestion ${style.bold(id)}`, data, cmd.optsWithGlobals().json);
+  });
+  suggestion.command("defer <id>").description("Defer a suggestion (POST /relationship-suggestions/{id}/defer)").option("--until <iso>", "Defer until this ISO date-time (omit to defer indefinitely)").action(async (id, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Deferring suggestion", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/relationship-suggestions/{id}/defer", {
+        params: { path: { id } },
+        body: {
+          until: opts.until ?? null
+        }
+      });
+    });
+    emitAction(`deferred suggestion ${style.bold(id)}`, data, cmd.optsWithGlobals().json);
+  });
+}
+
+// src/commands/workspace.ts
+function registerWorkspace(program2) {
+  const workspace = program2.command("workspace").description("Create, browse, and manage workspaces");
+  workspace.addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom workspace create --name "My Workspace" --parent wsp_XXXX
+  $ sechroom workspace list --include-archived --json
+  $ sechroom workspace get wsp_XXXX --json
+  $ sechroom workspace rename wsp_XXXX --name "Renamed"
+  $ sechroom workspace move wsp_XXXX --parent wsp_YYYY
+  $ sechroom workspace feed wsp_XXXX --limit 20 --cascade`
+  );
+  workspace.command("create").description("Create a workspace (POST /workspaces)").requiredOption("--name <name>", "Workspace name").option("--description <description>", "Optional description").option("--parent <parentId>", "Parent workspace id (omit for a top-level workspace)").action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Creating workspace", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/workspaces", {
+        body: {
+          name: opts.name,
+          description: opts.description ?? null,
+          parentId: opts.parent ?? null
+        }
+      });
+    });
+    const view = resolveViewUrl(cfg.baseUrl, data.url);
+    const urlPart = view ? ` ${style.dim("\u2192")} ${view}` : "";
+    emitAction(
+      `created workspace ${style.bold(data.id)} ${style.dim(`"${opts.name}"`)}${urlPart}`,
+      data,
+      cmd.optsWithGlobals().json
+    );
+  });
+  workspace.command("list").description("List the caller's workspaces (GET /workspaces)").option("--include-archived", "Include archived workspaces", false).action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Listing workspaces", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/workspaces", {
+        params: { query: { includeArchived: Boolean(opts.includeArchived) } }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  workspace.command("get <workspaceId>").description("Fetch a workspace by id (GET /workspaces/{workspaceId})").action(async (workspaceId, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching workspace", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/workspaces/{workspaceId}", { params: { path: { workspaceId } } });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  workspace.command("rename <workspaceId>").description("Rename a workspace (PUT /workspaces/{workspaceId}/rename)").requiredOption("--name <name>", "New workspace name").action(async (workspaceId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Renaming workspace", async () => {
+      const client = await makeClient(cfg);
+      return client.PUT("/workspaces/{workspaceId}/rename", {
+        params: { path: { workspaceId } },
+        body: { newName: opts.name }
+      });
+    });
+    emitAction(
+      `renamed workspace ${style.bold(workspaceId)} ${style.dim(`\u2192 "${opts.name}"`)}`,
+      data,
+      cmd.optsWithGlobals().json
+    );
+  });
+  workspace.command("describe <workspaceId>").description("Set a workspace description (PUT /workspaces/{workspaceId}/description)").requiredOption("--description <description>", "New description").action(async (workspaceId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Updating description", async () => {
+      const client = await makeClient(cfg);
+      return client.PUT("/workspaces/{workspaceId}/description", {
+        params: { path: { workspaceId } },
+        body: { newDescription: opts.description }
+      });
+    });
+    emitAction(
+      `updated description for workspace ${style.bold(workspaceId)}`,
+      data,
+      cmd.optsWithGlobals().json
+    );
+  });
+  workspace.command("move <workspaceId>").description("Move a workspace under a new parent (POST /workspaces/{workspaceId}/move)").option("--parent <parentId>", "New parent workspace id (omit to move to top level)").action(async (workspaceId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Moving workspace", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/workspaces/{workspaceId}/move", {
+        params: { path: { workspaceId } },
+        body: { newParentId: opts.parent ?? null }
+      });
+    });
+    const target = opts.parent ? `under ${style.bold(opts.parent)}` : "to top level";
+    emitAction(
+      `moved workspace ${style.bold(workspaceId)} ${style.dim(target)}`,
+      data,
+      cmd.optsWithGlobals().json
+    );
+  });
+  workspace.command("archive <workspaceId>").description("Archive a workspace (POST /workspaces/{workspaceId}/archive)").action(async (workspaceId, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Archiving workspace", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/workspaces/{workspaceId}/archive", {
+        params: { path: { workspaceId } },
+        body: {}
+      });
+    });
+    emitAction(`archived workspace ${style.bold(workspaceId)}`, data, cmd.optsWithGlobals().json);
+  });
+  workspace.command("restore <workspaceId>").description("Restore an archived workspace (POST /workspaces/{workspaceId}/restore)").action(async (workspaceId, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Restoring workspace", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/workspaces/{workspaceId}/restore", {
+        params: { path: { workspaceId } },
+        body: {}
+      });
+    });
+    emitAction(`restored workspace ${style.bold(workspaceId)}`, data, cmd.optsWithGlobals().json);
+  });
+  workspace.command("feed <workspaceId>").description("List a workspace's memory feed (GET /workspaces/{workspaceId}/memories/feed)").option("--limit <n>", "Max results", "20").option("--cursor <cursor>", "Paging cursor from a prior page").option("--cascade", "Cascade into descendant workspaces", false).option("--include-projects", "Include the workspace's projects", false).option("--include-archived", "Include archived memories", false).option("--query <query>", "Filter the feed by text").option("--tag <tag>", "Filter tags (comma-separated)").action(async (workspaceId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching feed", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/workspaces/{workspaceId}/memories/feed", {
+        params: {
+          path: { workspaceId },
+          query: {
+            limit: Number(opts.limit),
+            cascadeWorkspaces: Boolean(opts.cascade),
+            includeProjects: Boolean(opts.includeProjects),
+            includeArchived: Boolean(opts.includeArchived),
+            ...opts.cursor ? { cursor: opts.cursor } : {},
+            ...opts.query ? { query: opts.query } : {},
+            ...opts.tag ? { filterTags: opts.tag } : {}
+          }
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+}
+
+// src/commands/project.ts
+function registerProject(program2) {
+  const project = program2.command("project").description("Create, browse, and manage projects");
+  project.addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom project create --workspace wsp_XXXX --name "Onboarding" --slug onboarding
+  $ sechroom project list --workspace wsp_XXXX --status Active
+  $ sechroom project get prj_XXXX --json
+  $ sechroom project rename prj_XXXX --name "New Name" --slug new-name
+  $ sechroom project status prj_XXXX --status Completed`
+  );
+  project.command("create").description("Create a project (POST /projects)").requiredOption("--workspace <workspaceId>", "Owning workspace id").requiredOption("--name <name>", "Project name").requiredOption("--slug <slug>", "URL slug").option("--description <description>", "Optional description").option("--parent <parentProjectId>", "Optional parent project id").action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Creating project", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/projects", {
+        body: {
+          workspaceId: opts.workspace,
+          name: opts.name,
+          slug: opts.slug,
+          description: opts.description ?? null,
+          parentProjectId: opts.parent ?? null
+        }
+      });
+    });
+    const view = resolveViewUrl(cfg.baseUrl, data.url);
+    const urlPart = view ? ` ${style.dim("\u2192")} ${view}` : "";
+    emitAction(`created project ${style.bold(data.id)}${urlPart}`, data, cmd.optsWithGlobals().json);
+  });
+  project.command("list").description("List projects (GET /projects)").option("--workspace <workspaceId>", "Scope to a workspace").option("--status <status>", "Draft | Active | OnHold | Completed | Cancelled").option("--include-archived", "Include archived projects", false).action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Listing projects", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/projects", {
+        params: {
+          query: {
+            ...opts.workspace ? { workspaceId: opts.workspace } : {},
+            ...opts.status ? { status: opts.status } : {},
+            ...opts.includeArchived ? { includeArchived: true } : {}
+          }
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  project.command("get <projectId>").description("Fetch a project by id (GET /projects/{projectId})").action(async (projectId, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching project", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/projects/{projectId}", { params: { path: { projectId } } });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  project.command("rename <projectId>").description("Rename a project (PUT /projects/{projectId}/rename)").requiredOption("--name <name>", "New project name").requiredOption("--slug <slug>", "New URL slug").action(async (projectId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Renaming project", async () => {
+      const client = await makeClient(cfg);
+      return client.PUT("/projects/{projectId}/rename", {
+        params: { path: { projectId } },
+        body: { newName: opts.name, newSlug: opts.slug }
+      });
+    });
+    emitAction(`renamed project ${style.bold(projectId)} \u2192 ${style.bold(opts.name)}`, data, cmd.optsWithGlobals().json);
+  });
+  project.command("describe <projectId>").description("Set a project's description (PUT /projects/{projectId}/description)").requiredOption("--description <description>", "New description (empty string to clear)").action(async (projectId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Updating description", async () => {
+      const client = await makeClient(cfg);
+      return client.PUT("/projects/{projectId}/description", {
+        params: { path: { projectId } },
+        body: { newDescription: opts.description }
+      });
+    });
+    emitAction(`updated description on project ${style.bold(projectId)}`, data, cmd.optsWithGlobals().json);
+  });
+  project.command("move <projectId>").description("Move a project to another workspace/parent (POST /projects/{projectId}/move)").requiredOption("--workspace <toWorkspaceId>", "Destination workspace id").option("--parent <toParentId>", "Destination parent project id").action(async (projectId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Moving project", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/projects/{projectId}/move", {
+        params: { path: { projectId } },
+        body: { toWorkspaceId: opts.workspace, toParentId: opts.parent ?? null }
+      });
+    });
+    emitAction(`moved project ${style.bold(projectId)} \u2192 ${style.bold(opts.workspace)}`, data, cmd.optsWithGlobals().json);
+  });
+  project.command("status <projectId>").description("Set a project's status (POST /projects/{projectId}/status)").requiredOption("--status <status>", "Draft | Active | OnHold | Completed | Cancelled").action(async (projectId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Setting status", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/projects/{projectId}/status", {
+        params: { path: { projectId } },
+        body: {
+          status: opts.status
+        }
+      });
+    });
+    emitAction(`set project ${style.bold(projectId)} status \u2192 ${style.bold(opts.status)}`, data, cmd.optsWithGlobals().json);
+  });
+  project.command("victory-conditions <projectId>").description("Set a project's victory conditions (PUT /projects/{projectId}/victory-conditions)").requiredOption("--conditions <conditions>", "Victory conditions text (empty string to clear)").action(async (projectId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Updating victory conditions", async () => {
+      const client = await makeClient(cfg);
+      return client.PUT("/projects/{projectId}/victory-conditions", {
+        params: { path: { projectId } },
+        body: { victoryConditions: opts.conditions }
+      });
+    });
+    emitAction(`updated victory conditions on project ${style.bold(projectId)}`, data, cmd.optsWithGlobals().json);
+  });
+  project.command("archive <projectId>").description("Archive a project (POST /projects/{projectId}/archive)").action(async (projectId, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Archiving project", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/projects/{projectId}/archive", {
+        params: { path: { projectId } },
+        body: {}
+      });
+    });
+    emitAction(`archived project ${style.bold(projectId)}`, data, cmd.optsWithGlobals().json);
+  });
+  project.command("restore <projectId>").description("Restore an archived project (POST /projects/{projectId}/restore)").action(async (projectId, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Restoring project", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/projects/{projectId}/restore", {
+        params: { path: { projectId } },
+        body: {}
+      });
+    });
+    emitAction(`restored project ${style.bold(projectId)}`, data, cmd.optsWithGlobals().json);
+  });
+}
+
+// src/commands/filing.ts
+function registerFiling(program2) {
+  const filing = program2.command("filing").description("Review and act on filing suggestions");
+  filing.addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom filing suggestions --status Pending --page-size 20
+  $ sechroom filing get fsg_XXXX --json
+  $ sechroom filing preview --memory-id mem_XXXX
+  $ sechroom filing accept fsg_XXXX
+  $ sechroom filing reject fsg_XXXX --reason "wrong workspace"
+  $ sechroom filing edit-and-accept fsg_XXXX --target-kind Workspace --existing-target-id wsp_XXXX`
+  );
+  filing.command("suggestions").description("List filing suggestions (GET /filing/suggestions)").option("--memory-id <memoryId>", "Filter to a single memory's suggestions").option(
+    "--status <status>",
+    "Generating | Pending | Accepted | Rejected | EditedAndAccepted | Deferred | Invalidated"
+  ).option("--page <n>", "Page number").option("--page-size <n>", "Page size").action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Listing filing suggestions", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/filing/suggestions", {
+        params: {
+          query: {
+            ...opts.memoryId ? { memoryId: opts.memoryId } : {},
+            ...opts.status ? { status: opts.status } : {},
+            ...opts.page ? { page: Number(opts.page) } : {},
+            ...opts.pageSize ? { pageSize: Number(opts.pageSize) } : {}
+          }
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  filing.command("get <id>").description("Fetch a filing suggestion by id (GET /filing/suggestions/{id})").action(async (id, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching filing suggestion", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/filing/suggestions/{id}", { params: { path: { id } } });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  filing.command("preview").description("Preview a filing suggestion for a memory id or ad-hoc shape (POST /filing/suggestions/preview)").option("--memory-id <memoryId>", "Preview filing for an existing memory").option("--text <text>", "Ad-hoc memory body text (instead of --memory-id)").option("--title <title>", "Ad-hoc memory title").option("--tag <tag...>", "Ad-hoc memory tags (repeatable)").option("--type <type>", "Ad-hoc memory type", "reference").option("--scope-workspace <workspaceId>", "Scope the preview to a workspace").action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const memory = opts.text ? {
+      text: opts.text,
+      title: opts.title ?? null,
+      tags: opts.tag ?? null,
+      type: opts.type
+    } : null;
+    const data = await runApi("Previewing filing suggestion", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/filing/suggestions/preview", {
+        body: {
+          memoryId: opts.memoryId ?? null,
+          memory,
+          scopeWorkspaceId: opts.scopeWorkspace ?? null
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  filing.command("accept <id>").description("Accept a filing suggestion (POST /filing/suggestions/{id}/accept)").action(async (id, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Accepting filing suggestion", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/filing/suggestions/{id}/accept", { params: { path: { id } }, body: {} });
+    });
+    emitAction(`accepted filing suggestion ${style.bold(id)}`, data, cmd.optsWithGlobals().json);
+  });
+  filing.command("reject <id>").description("Reject a filing suggestion (POST /filing/suggestions/{id}/reject)").option("--reason <reason>", "Why the suggestion was rejected").option("--reason-code <code>", "Structured reason code").action(async (id, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Rejecting filing suggestion", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/filing/suggestions/{id}/reject", {
+        params: { path: { id } },
+        body: {
+          reason: opts.reason ?? null,
+          ...opts.reasonCode ? { reasonCode: opts.reasonCode } : {}
+        }
+      });
+    });
+    emitAction(`rejected filing suggestion ${style.bold(id)}`, data, cmd.optsWithGlobals().json);
+  });
+  filing.command("defer <id>").description("Defer a filing suggestion (POST /filing/suggestions/{id}/defer)").option("--until <iso>", "Defer until an ISO-8601 timestamp (defaults to indefinite)").action(async (id, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Deferring filing suggestion", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/filing/suggestions/{id}/defer", {
+        params: { path: { id } },
+        body: { until: opts.until ?? null }
+      });
+    });
+    emitAction(`deferred filing suggestion ${style.bold(id)}`, data, cmd.optsWithGlobals().json);
+  });
+  filing.command("edit-and-accept <id>").description("Override the target then accept (POST /filing/suggestions/{id}/edit-and-accept)").option("--target-kind <kind>", "Workspace | Project").option("--existing-target-id <id>", "File into an existing workspace/project").option("--new-name <name>", "Create a new target with this name").option("--new-description <text>", "Description for the new target").option("--new-parent-workspace <workspaceId>", "Parent workspace for a new project").option("--memory-id <memoryId...>", "Override the memory set (repeatable)").action(async (id, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Editing and accepting filing suggestion", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/filing/suggestions/{id}/edit-and-accept", {
+        params: { path: { id } },
+        body: {
+          targetKind: opts.targetKind ?? null,
+          existingTargetId: opts.existingTargetId ?? null,
+          newName: opts.newName ?? null,
+          newDescription: opts.newDescription ?? null,
+          newParentWorkspaceId: opts.newParentWorkspace ?? null,
+          overrideMemoryIds: opts.memoryId ?? null
+        }
+      });
+    });
+    emitAction(`edited & accepted filing suggestion ${style.bold(id)}`, data, cmd.optsWithGlobals().json);
+  });
+}
+
+// src/commands/continuity.ts
+function registerContinuity(program2) {
+  const continuity = program2.command("continuity").description("Continuity snapshots: checkpoint and resume work");
+  continuity.addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom continuity snapshot-create --lane claude-code-chris --scope loop-spec \\
+      --objective "ship slice 9" --state "tests green, PR open" \\
+      --last-action "raised PR #1425" --next-action "watch for merge" \\
+      --resume-instruction "load csn id, resume at step 10"
+  $ sechroom continuity snapshots --scope loop-spec
+  $ sechroom continuity snapshot-get csn_XXXX --json
+  $ sechroom continuity resume-me --max-artifacts 20
+  $ sechroom continuity changed-since --since 2026-06-01T00:00:00Z
+  $ sechroom continuity grant csn_XXXX --grantee usr_XXXX`
+  );
+  continuity.command("snapshot-create").description("Create a continuity snapshot (POST /continuity/snapshots)").requiredOption("--lane <laneId>", "Lane id (e.g. claude-code-chris)").requiredOption("--scope <scope>", "Snapshot scope (e.g. loop-spec)").requiredOption("--objective <text>", "Current objective").requiredOption("--state <text>", "Current state").requiredOption("--last-action <text>", "Last meaningful action").requiredOption("--next-action <text>", "Next intended action").requiredOption("--resume-instruction <text>", "Resume instruction").option("--constraint <text...>", "Active constraints (repeatable)").option("--question <text...>", "Open questions (repeatable)").option("--surface-marker <text...>", "Surface markers (repeatable)").option("--artifact <id...>", "Relevant artifact ids (repeatable)").option("--confidence <n>", "Confidence 0..1").action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Creating snapshot", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/continuity/snapshots", {
+        body: {
+          laneId: opts.lane,
+          scope: opts.scope,
+          currentObjective: opts.objective,
+          currentState: opts.state,
+          lastMeaningfulAction: opts.lastAction,
+          nextIntendedAction: opts.nextAction,
+          resumeInstruction: opts.resumeInstruction,
+          activeConstraints: opts.constraint ?? null,
+          openQuestions: opts.question ?? null,
+          surfaceMarkers: opts.surfaceMarker ?? null,
+          relevantArtifactIds: opts.artifact ?? null,
+          confidence: opts.confidence != null ? Number(opts.confidence) : null
+        }
+      });
+    });
+    emitAction(`created snapshot ${style.bold(data.snapshotId)}`, data, cmd.optsWithGlobals().json);
+  });
+  continuity.command("snapshot-get <id>").description("Fetch a snapshot by id (GET /continuity/snapshots/{id})").action(async (id, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching snapshot", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/continuity/snapshots/{id}", { params: { path: { id } } });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  continuity.command("snapshots").description("List the caller's own snapshots (GET /me/continuity/snapshots)").option("--scope <scope>", "Filter by scope").option("--lane <laneId>", "Filter by lane id").action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Listing snapshots", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/me/continuity/snapshots", {
+        params: {
+          query: {
+            ...opts.scope ? { scope: opts.scope } : {},
+            ...opts.lane ? { laneId: opts.lane } : {}
+          }
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  continuity.command("resume-me").description("Resume the caller's own lane (POST /continuity/resume/me)").option("--workspace <workspaceId>", "Scope to a workspace").option("--max-artifacts <n>", "Cap artifacts in the bundle").option("--changed-since <iso>", "Only include changes since this ISO timestamp").option("--looking-at-myself", "Include the caller's own changes", false).action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Resuming", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/continuity/resume/me", {
+        body: {
+          workspaceId: opts.workspace ?? null,
+          maxArtifacts: opts.maxArtifacts != null ? Number(opts.maxArtifacts) : null,
+          includeLookingAtMyself: opts.lookingAtMyself ? true : null,
+          changedSince: opts.changedSince ?? null
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  continuity.command("resume-lane <laneId>").description("Resume a specific lane (POST /continuity/resume/lane)").option("--workspace <workspaceId>", "Scope to a workspace").option("--max-artifacts <n>", "Cap artifacts in the bundle").option("--changed-since <iso>", "Only include changes since this ISO timestamp").option("--looking-at-myself", "Include the caller's own changes", false).action(async (laneId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Resuming lane", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/continuity/resume/lane", {
+        body: {
+          laneId,
+          workspaceId: opts.workspace ?? null,
+          maxArtifacts: opts.maxArtifacts != null ? Number(opts.maxArtifacts) : null,
+          includeLookingAtMyself: opts.lookingAtMyself ? true : null,
+          changedSince: opts.changedSince ?? null
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  continuity.command("changed-since").description("What changed since a timestamp (POST /continuity/changed-since)").requiredOption("--since <iso>", "ISO-8601 timestamp to compare against").option("--looking-at-myself", "Include the caller's own changes", false).action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Computing changes", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/continuity/changed-since", {
+        body: {
+          since: opts.since,
+          includeLookingAtMyself: opts.lookingAtMyself ? true : null
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  continuity.command("load-set").description("Derive the active load set (POST /continuity/load-set/derive)").option("--workspace <workspaceId>", "Scope to a workspace").option("--max-artifacts <n>", "Cap artifacts in the load set").option("--looking-at-myself", "Include the caller's own changes", false).action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Deriving load set", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/continuity/load-set/derive", {
+        body: {
+          workspaceId: opts.workspace ?? null,
+          maxArtifacts: opts.maxArtifacts != null ? Number(opts.maxArtifacts) : null,
+          includeLookingAtMyself: opts.lookingAtMyself ? true : null
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  continuity.command("grant <snapshotId>").description("Grant another operator read access (POST /continuity/snapshots/{snapshotId}/grants)").requiredOption("--grantee <userId>", "Sechroom user id being granted read access").option("--source <source>", "Permission-set source kind", "TenantRole").option("--source-id <sourceId>", "Permission-set source id (e.g. a tenant role)", "viewer").option("--valid-from <iso>", "Optional ISO-8601 grant start").option("--valid-to <iso>", "Optional ISO-8601 grant expiry").action(async (snapshotId, opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Minting grant", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/continuity/snapshots/{snapshotId}/grants", {
+        params: { path: { snapshotId } },
+        body: {
+          userId: opts.grantee,
+          kind: "Allow",
+          source: opts.source,
+          sourceId: opts.sourceId,
+          ...opts.validFrom ? { validFrom: opts.validFrom } : {},
+          ...opts.validTo ? { validTo: opts.validTo } : {}
+        }
+      });
+    });
+    emitAction(
+      `granted ${style.bold(data.userId)} read on ${style.bold(snapshotId)} ${style.dim(`(grant ${data.grantId})`)}`,
+      data,
+      cmd.optsWithGlobals().json
+    );
+  });
+  continuity.command("revoke-grant <snapshotId> <grantId>").description("Revoke a grant (DELETE /continuity/snapshots/{snapshotId}/grants/{grantId})").action(async (snapshotId, grantId, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Revoking grant", async () => {
+      const client = await makeClient(cfg);
+      return client.DELETE("/continuity/snapshots/{snapshotId}/grants/{grantId}", {
+        params: { path: { snapshotId, grantId } },
+        body: {}
+      });
+    });
+    emitAction(
+      `revoked grant ${style.bold(grantId)} on ${style.bold(snapshotId)}`,
+      data,
+      cmd.optsWithGlobals().json
+    );
+  });
+}
+
+// src/commands/hook.ts
+import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
+import { homedir as homedir3 } from "os";
+import { delimiter, dirname as dirname4, join as join4 } from "path";
+
+// src/sem.ts
+import { basename as basename2, dirname as dirname2, join as join2 } from "path";
+import { appendFileSync, existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
+var SEM_FILE = join2(".sechroom", "lane.json");
+var LEGACY_SEM_FILE = ".sem";
+var STATE_DIR_NAME2 = ".sechroom";
+function localSemPath(cwd = process.cwd()) {
+  return join2(cwd, SEM_FILE);
+}
+function resolveSemPathForRead(start = process.cwd()) {
+  let dir = start;
+  while (true) {
+    const candidate = join2(dir, SEM_FILE);
+    if (existsSync2(candidate)) return candidate;
+    const legacy = join2(dir, LEGACY_SEM_FILE);
+    if (existsSync2(legacy)) return legacy;
+    const parent = dirname2(dir);
+    if (parent === dir) return void 0;
+    dir = parent;
+  }
+}
+function parseSem(text) {
+  const out = {};
+  for (const raw of text.split("\n")) {
+    const line = raw.trim();
+    if (!line || line.startsWith("#")) continue;
+    const eq = line.indexOf("=");
+    if (eq === -1) continue;
+    const key = line.slice(0, eq).trim();
+    const value = line.slice(eq + 1).trim();
+    if (key) out[key] = value;
+  }
+  return out;
+}
+function serializeSem(values) {
+  return JSON.stringify(values, null, 2) + "\n";
+}
+function readSem(path) {
+  const p = path ?? resolveSemPathForRead();
+  if (!p || !existsSync2(p)) return void 0;
+  const text = readFileSync2(p, "utf8");
+  const values = basename2(p) === LEGACY_SEM_FILE ? parseSem(text) : parseLaneJson(text);
+  return { path: p, values };
+}
+function readLocalSemValues(cwd = process.cwd()) {
+  const next = join2(cwd, SEM_FILE);
+  if (existsSync2(next)) return readSem(next)?.values ?? {};
+  const legacy = join2(cwd, LEGACY_SEM_FILE);
+  if (existsSync2(legacy)) return readSem(legacy)?.values ?? {};
+  return {};
+}
+function parseLaneJson(text) {
+  try {
+    const parsed = JSON.parse(text);
+    const out = {};
+    for (const [k, v] of Object.entries(parsed)) {
+      if (typeof v === "string") out[k] = v;
+    }
+    return out;
+  } catch {
+    return {};
+  }
+}
+var STATE_DIR_IGNORE = `${STATE_DIR_NAME2}/`;
+function writeSem(values, path = localSemPath()) {
+  mkdirSync2(dirname2(path), { recursive: true });
+  writeFileSync2(path, serializeSem(values));
+  ensureSemIgnored(path);
+  return path;
+}
+function ignoresSem(content) {
+  return content.split("\n").some((line) => {
+    const t = line.trim();
+    return t === STATE_DIR_NAME2 || t === STATE_DIR_IGNORE || t === `/${STATE_DIR_NAME2}` || t === `/${STATE_DIR_IGNORE}` || t === `**/${STATE_DIR_NAME2}` || t === `**/${STATE_DIR_IGNORE}`;
+  });
+}
+function inGitRepo(startDir) {
+  let dir = startDir;
+  for (; ; ) {
+    if (existsSync2(join2(dir, ".git"))) return true;
+    const parent = dirname2(dir);
+    if (parent === dir) return false;
+    dir = parent;
+  }
+}
+function resolveGitignoreTarget(startDir) {
+  let dir = startDir;
+  for (; ; ) {
+    const gi = join2(dir, ".gitignore");
+    if (existsSync2(gi)) return { path: gi, exists: true };
+    const parent = dirname2(dir);
+    if (existsSync2(join2(dir, ".git")) || parent === dir) {
+      return { path: join2(startDir, ".gitignore"), exists: false };
+    }
+    dir = parent;
+  }
+}
+function ensureSemIgnored(semPath) {
+  try {
+    const checkoutDir = dirname2(dirname2(semPath));
+    if (!inGitRepo(checkoutDir)) return;
+    const target = resolveGitignoreTarget(checkoutDir);
+    if (target.exists) {
+      const content = readFileSync2(target.path, "utf8");
+      if (ignoresSem(content)) return;
+      const sep = content.length === 0 || content.endsWith("\n") ? "" : "\n";
+      appendFileSync(target.path, `${sep}${STATE_DIR_IGNORE}
+`);
+    } else {
+      writeFileSync2(target.path, `${STATE_DIR_IGNORE}
+`);
+    }
+  } catch {
+  }
+}
+
+// src/setup/clients.ts
+import { existsSync as existsSync3 } from "fs";
+import { homedir as homedir2 } from "os";
+import { dirname as dirname3, join as join3 } from "path";
+
+// src/setup/operator-surface.ts
+var SectionType = {
+  McpConfig: "mcp-config",
+  McpConfigToml: "mcp-config-toml",
+  InstructionFile: "instruction-file",
+  ProjectConfig: "project-config",
+  Verify: "verify",
+  /** SBC-999 — workspace-pinned conventions, emitted only when the request
+   *  carried a workspaceId and that workspace has agent-setup-bundle memories. */
+  WorkspaceConventions: "workspace-conventions"
+};
+async function fetchSetup(cfg) {
+  const client = await makeClient(cfg);
+  const { data, error } = await client.GET(
+    "/operator-surface/setup",
+    cfg.workspaceId ? { params: { query: { workspaceId: cfg.workspaceId } } } : {}
+  );
+  if (error) throw new Error(`GET /operator-surface/setup failed: ${JSON.stringify(error)}`);
+  return data;
+}
+function findSurface(setup, surfaceKey) {
+  return setup.surfaces.find((s) => s.surfaceKey === surfaceKey);
+}
+function findSection(surface, sectionType) {
+  return surface?.sections.find((s) => s.sectionType === sectionType);
+}
+function sectionSnippet(section) {
+  if (!section) return null;
+  for (const step of section.steps) {
+    if (step.copyValue) return step.copyValue;
+    if (step.codeSnippet) return step.codeSnippet;
+  }
+  return null;
+}
+function parseTagArtifactId(id) {
+  if (!id.startsWith("tag:")) return null;
+  const tags = id.slice("tag:".length).split(",").map((t) => t.trim()).filter((t) => t.length > 0);
+  return tags.length > 0 ? tags : null;
+}
+async function getPersonalWorkspaceId(cfg) {
+  const client = await makeClient(cfg);
+  const { data } = await client.GET("/me/personal-workspace", {});
+  return data?.workspaceId ?? null;
+}
+async function fetchMemoryFields(cfg, id) {
+  const client = await makeClient(cfg);
+  const { data } = await client.GET("/memories/{memoryId}", { params: { path: { memoryId: id } } });
+  const env = data;
+  const m = env?.item ?? env;
+  if (!m) return null;
+  const version = typeof m.currentVersion === "string" ? Number(m.currentVersion) : m.currentVersion;
+  return { text: m.text, title: m.title, tags: m.tags, version: Number.isFinite(version) ? version : void 0 };
+}
+async function resolveInstruction(cfg, section, personalWorkspaceId) {
+  const client = await makeClient(cfg);
+  for (const artifact of section.artifacts) {
+    const tags = parseTagArtifactId(artifact.id);
+    if (!tags) continue;
+    const { data } = await client.POST("/memories/search", {
+      body: { query: null, textQuery: null, semanticQuery: null, hybrid: false, limit: 1, includeArchived: false, includeSystem: false, tags }
+    });
+    const hits = data ?? [];
+    if (hits.length === 0) continue;
+    const templateId = hits[0].id;
+    const template = await fetchMemoryFields(cfg, templateId);
+    if (typeof template?.text !== "string" || template.text.length === 0) continue;
+    const templateTags = template.tags ?? tags;
+    if (personalWorkspaceId) {
+      const { data: ovr } = await client.POST("/memories/search", {
+        body: { query: null, textQuery: null, semanticQuery: null, hybrid: false, limit: 1, includeArchived: false, includeSystem: false, tags: ["sechroom:role:override", `sechroom:template-ref:${templateId}`], owner: { type: "Workspace", id: personalWorkspaceId } }
+      });
+      const ovrHits = ovr ?? [];
+      if (ovrHits.length > 0) {
+        const override = await fetchMemoryFields(cfg, ovrHits[0].id);
+        if (typeof override?.text === "string" && override.text.length > 0) {
+          return { title: override.title ?? template.title ?? artifact.title, body: override.text, source: "override", templateId, templateTags, sourceRef: `${ovrHits[0].id}@v${override.version ?? 1}` };
+        }
+      }
+    }
+    return { title: template.title ?? artifact.title, body: template.text, source: "template", templateId, templateTags, sourceRef: `${templateId}@v${template.version ?? 1}` };
+  }
+  return null;
+}
+async function resolveWorkspaceConventions(cfg, section) {
+  const parts = [];
+  const refs = [];
+  for (const artifact of section.artifacts) {
+    if (parseTagArtifactId(artifact.id)) continue;
+    const mem = await fetchMemoryFields(cfg, artifact.id);
+    if (typeof mem?.text === "string" && mem.text.trim().length > 0) {
+      parts.push(mem.text.trim());
+      refs.push(`${artifact.id}@v${mem.version ?? 1}`);
+    }
+  }
+  if (parts.length === 0) return null;
+  return { body: parts.join("\n\n---\n\n"), refs };
+}
+async function createOverride(cfg, template, personalWorkspaceId) {
   const client = await makeClient(cfg);
   const overrideTags = template.templateTags.filter(
     (t) => t !== "sechroom:role:template" && !t.startsWith("sechroom:bundle:") && !t.startsWith("sechroom:template-ref:")
   );
-  overrideTags.push("sechroom:role:override", `sechroom:template-ref:${template.templateId}`);
-  const { error } = await client.POST("/memories", {
-    body: {
-      text: template.body,
-      type: "reference",
-      content: "{}",
-      confidence: 1,
-      source: "cli-agent-instructions-customize",
-      archetype: "Document",
-      title: template.title ?? null,
-      tags: overrideTags,
-      owner: { type: "Workspace", id: personalWorkspaceId }
+  overrideTags.push("sechroom:role:override", `sechroom:template-ref:${template.templateId}`);
+  const { error } = await client.POST("/memories", {
+    body: {
+      text: template.body,
+      type: "reference",
+      content: "{}",
+      confidence: 1,
+      source: "cli-agent-instructions-customize",
+      archetype: "Document",
+      title: template.title ?? null,
+      tags: overrideTags,
+      owner: { type: "Workspace", id: personalWorkspaceId }
+    }
+  });
+  if (error) throw new Error(`creating personal copy failed: ${JSON.stringify(error)}`);
+}
+
+// src/setup/clients.ts
+function claudeDesktopConfigPath(home) {
+  switch (process.platform) {
+    case "darwin":
+      return join3(home, "Library", "Application Support", "Claude", "claude_desktop_config.json");
+    case "win32":
+      return join3(process.env.APPDATA ?? join3(home, "AppData", "Roaming"), "Claude", "claude_desktop_config.json");
+    default:
+      return join3(home, ".config", "Claude", "claude_desktop_config.json");
+  }
+}
+function clientTargets(cwd) {
+  const home = homedir2();
+  return {
+    "claude-code": {
+      key: "claude-code",
+      label: "Claude Code",
+      mcp: { surfaceKey: "claude-code", sectionType: SectionType.McpConfig, path: join3(cwd, ".mcp.json"), format: "json" },
+      instruction: { surfaceKey: "claude-code", path: join3(cwd, "CLAUDE.md") }
+    },
+    "claude-desktop": {
+      key: "claude-desktop",
+      label: "Claude Desktop",
+      mcp: { surfaceKey: "claude-desktop", sectionType: SectionType.McpConfig, path: claudeDesktopConfigPath(home), format: "json" },
+      instruction: { surfaceKey: "claude-desktop", path: join3(home, ".claude", "CLAUDE.md") }
+    },
+    codex: {
+      key: "codex",
+      label: "Codex CLI",
+      mcp: { surfaceKey: "chatgpt", sectionType: SectionType.McpConfigToml, path: join3(home, ".codex", "config.toml"), format: "toml" },
+      instruction: { surfaceKey: "chatgpt", path: join3(cwd, "AGENTS.md") }
+    },
+    cursor: {
+      key: "cursor",
+      label: "Cursor",
+      mcp: { surfaceKey: "claude-code", sectionType: SectionType.McpConfig, path: join3(cwd, ".cursor", "mcp.json"), format: "json" },
+      instruction: { surfaceKey: "chatgpt", path: join3(cwd, "AGENTS.md") }
+    }
+  };
+}
+var ALL_CLIENT_KEYS = ["claude-code", "claude-desktop", "codex", "cursor"];
+var DEFAULT_CLIENT_KEY = "claude-code";
+function detectInstalledClients(cwd) {
+  const home = homedir2();
+  const detected = [];
+  if (existsSync3(join3(home, ".claude"))) detected.push("claude-code");
+  if (existsSync3(dirname3(claudeDesktopConfigPath(home)))) detected.push("claude-desktop");
+  if (existsSync3(join3(home, ".codex"))) detected.push("codex");
+  if (existsSync3(join3(home, ".cursor")) || existsSync3(join3(cwd, ".cursor"))) detected.push("cursor");
+  return detected;
+}
+
+// src/commands/hook.ts
+async function readStdin() {
+  if (process.stdin.isTTY) return "";
+  const chunks = [];
+  for await (const chunk of process.stdin) chunks.push(chunk);
+  return Buffer.concat(chunks).toString("utf8");
+}
+function parseHookInput(raw) {
+  if (!raw.trim()) return {};
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return {};
+  }
+}
+function resolveLane(flagLane, cwd) {
+  if (flagLane) return flagLane;
+  const env = process.env.SECHROOM_LANE;
+  if (env) return env;
+  const start = cwd ?? process.cwd();
+  const sem = readSem(resolveSemPathForRead(start));
+  return sem?.values["code-lane"];
+}
+var INTENT_FILE = join4(".sechroom", "continuity.json");
+function resolveIntentPath(start) {
+  let dir = start;
+  for (; ; ) {
+    const candidate = join4(dir, INTENT_FILE);
+    if (existsSync4(candidate)) return candidate;
+    const parent = dirname4(dir);
+    if (parent === dir) return void 0;
+    dir = parent;
+  }
+}
+function readIntent(start) {
+  const path = resolveIntentPath(start);
+  if (!path) return void 0;
+  try {
+    return JSON.parse(readFileSync3(path, "utf8"));
+  } catch {
+    return void 0;
+  }
+}
+function hasRequiredIntent(i) {
+  return Boolean(
+    i.objective?.trim() && i.state?.trim() && i.lastAction?.trim() && i.nextAction?.trim() && i.resumeInstruction?.trim()
+  );
+}
+function formatContext(bundle, lane) {
+  const s = bundle?.latestSnapshot;
+  if (!s) return null;
+  const lines = [];
+  lines.push(`[sechroom continuity \u2014 resumed lane ${lane}]`);
+  if (s.currentObjective) lines.push(`Objective: ${s.currentObjective}`);
+  if (s.currentState) lines.push(`State: ${s.currentState}`);
+  if (s.lastMeaningfulAction) lines.push(`Last action: ${s.lastMeaningfulAction}`);
+  if (s.nextIntendedAction) lines.push(`Next: ${s.nextIntendedAction}`);
+  if (s.resumeInstruction) lines.push(`Resume: ${s.resumeInstruction}`);
+  const constraints = s.activeConstraints ?? [];
+  if (constraints.length) {
+    lines.push("Active constraints:");
+    for (const c of constraints) lines.push(`  - ${c}`);
+  }
+  const questions = s.openQuestions ?? [];
+  if (questions.length) {
+    lines.push("Open questions:");
+    for (const q of questions) lines.push(`  - ${q}`);
+  }
+  const artifacts = s.relevantArtifactIds ?? [];
+  if (artifacts.length) lines.push(`Relevant artifacts: ${artifacts.join(", ")}`);
+  const marker = [s.id, s.createdAt].filter(Boolean).join(" @ ");
+  if (marker) lines.push(`(snapshot ${marker})`);
+  return lines.join("\n");
+}
+function emitSessionStart(additionalContext) {
+  process.stdout.write(
+    JSON.stringify({
+      hookSpecificOutput: {
+        hookEventName: "SessionStart",
+        additionalContext
+      }
+    }) + "\n"
+  );
+}
+var HOOK_COMMANDS = {
+  SessionStart: "sechroom hook session-start",
+  PreCompact: "sechroom hook pre-compact"
+};
+var HOOK_EVENTS = ["SessionStart", "PreCompact"];
+function hasHookCommand(config2, event, command) {
+  const groups = config2.hooks?.[event] ?? [];
+  return groups.some((g) => (g.hooks ?? []).some((h) => h.type === "command" && h.command === command));
+}
+function mergeHooks(config2) {
+  config2.hooks ??= {};
+  let added = 0;
+  for (const event of HOOK_EVENTS) {
+    const command = HOOK_COMMANDS[event];
+    if (hasHookCommand(config2, event, command)) continue;
+    const groups = config2.hooks[event] ??= [];
+    groups.push({ hooks: [{ type: "command", command }] });
+    added += 1;
+  }
+  return added;
+}
+function readJsonConfig2(path) {
+  if (!existsSync4(path)) return {};
+  const raw = readFileSync3(path, "utf8");
+  if (!raw.trim()) return {};
+  return JSON.parse(raw);
+}
+function installHooksJson(path, dryRun) {
+  const existed = existsSync4(path) && readFileSync3(path, "utf8").trim().length > 0;
+  const config2 = readJsonConfig2(path);
+  const added = mergeHooks(config2);
+  if (added === 0 && existed) return { path, status: "current" };
+  if (!dryRun) {
+    mkdirSync3(dirname4(path), { recursive: true });
+    writeFileSync3(path, JSON.stringify(config2, null, 2) + "\n");
+  }
+  return { path, status: existed ? "merged" : "created" };
+}
+function ensureCodexFeaturesHooks(content) {
+  const lines = content.split("\n");
+  const headerIdx = lines.findIndex((l) => l.trim() === "[features]");
+  if (headerIdx === -1) {
+    const base = content.length === 0 || content.endsWith("\n") ? content : content + "\n";
+    return { next: base + "\n[features]\nhooks = true\n", changed: true };
+  }
+  for (let i = headerIdx + 1; i < lines.length; i += 1) {
+    const trimmed = lines[i].trim();
+    if (trimmed.startsWith("[") && trimmed.endsWith("]")) break;
+    const m = lines[i].match(/^(\s*)hooks(\s*)=(\s*)(.*)$/);
+    if (!m) continue;
+    const value = m[4].replace(/\s*#.*$/, "").trim();
+    if (value === "true") return { next: content, changed: false };
+    lines[i] = `${m[1]}hooks${m[2]}=${m[3]}true`;
+    return { next: lines.join("\n"), changed: true };
+  }
+  lines.splice(headerIdx + 1, 0, "hooks = true");
+  return { next: lines.join("\n"), changed: true };
+}
+function installCodexFeatureFlag(path, dryRun) {
+  const existed = existsSync4(path);
+  const content = existed ? readFileSync3(path, "utf8") : "";
+  const { next, changed } = ensureCodexFeaturesHooks(content);
+  if (!changed) return { path, status: "current" };
+  if (!dryRun) {
+    mkdirSync3(dirname4(path), { recursive: true });
+    writeFileSync3(path, next);
+  }
+  return { path, status: existed ? "merged" : "created" };
+}
+function resolveSurfaces(surface, cwd) {
+  if (surface === "claude") return ["claude"];
+  if (surface === "codex") return ["codex"];
+  if (surface === "both") return ["claude", "codex"];
+  if (surface) throw new Error(`--surface must be one of claude | codex | both (got '${surface}')`);
+  const surfaces = detectHookSurfaces(cwd);
+  return surfaces.length > 0 ? surfaces : ["claude", "codex"];
+}
+function describe(result, dryRun) {
+  if (result.status === "current") return `  \u2713 ${result.path} (already configured)`;
+  const verb = dryRun ? "would" : result.status === "created" ? "created" : "updated";
+  return `  \u2713 ${result.path} (${dryRun ? `${verb} ${result.status === "created" ? "create" : "update"}` : verb})`;
+}
+var HOOK_SURFACE_LABEL = {
+  claude: "Claude Code",
+  codex: "Codex"
+};
+function installHookSurfaces(surfaces, opts) {
+  const out = [];
+  for (const surface of surfaces) {
+    if (surface === "claude") {
+      const path = opts.local ? join4(opts.cwd, ".claude", "settings.json") : join4(opts.home, ".claude", "settings.json");
+      out.push({ surface, results: [installHooksJson(path, opts.dryRun)] });
+    } else {
+      const hooksJson = installHooksJson(join4(opts.home, ".codex", "hooks.json"), opts.dryRun);
+      const featureFlag = installCodexFeatureFlag(join4(opts.home, ".codex", "config.toml"), opts.dryRun);
+      out.push({ surface, results: [hooksJson, featureFlag] });
+    }
+  }
+  return out;
+}
+function detectHookSurfaces(cwd) {
+  const detected = detectInstalledClients(cwd);
+  const surfaces = [];
+  if (detected.includes("claude-code")) surfaces.push("claude");
+  if (detected.includes("codex")) surfaces.push("codex");
+  return surfaces;
+}
+function isSechroomOnPath() {
+  const pathEnv = process.env.PATH ?? "";
+  if (!pathEnv) return false;
+  const names = process.platform === "win32" ? ["sechroom.cmd", "sechroom.exe", "sechroom.bat", "sechroom"] : ["sechroom"];
+  for (const dir of pathEnv.split(delimiter)) {
+    if (!dir) continue;
+    for (const name of names) {
+      if (existsSync4(join4(dir, name))) return true;
+    }
+  }
+  return false;
+}
+function warnIfSechroomNotOnPath(write = (s) => void process.stderr.write(s)) {
+  if (isSechroomOnPath()) return false;
+  write(
+    "\n\u26A0  `sechroom` isn't on your PATH. The hooks run a bare `sechroom hook \u2026` command\n   when your agent fires them, so a non-global install (npx / local) will fail at\n   that point. Install globally so the command resolves:\n     npm i -g @sechroom/cli\n"
+  );
+  return true;
+}
+function registerHook(program2) {
+  const hook = program2.command("hook").description("Agent-lifecycle hook adapter (Claude Code / Codex) \u2014 bridges hooks to continuity");
+  hook.addHelpText(
+    "after",
+    `
+Examples:
+  # SessionStart (load): inject the lane's latest snapshot as context.
+  $ echo '{"hook_event_name":"SessionStart","cwd":"'"$PWD"'"}' | sechroom hook session-start
+  # PreCompact (save): snapshot from ./${INTENT_FILE} before the agent compacts.
+  $ echo '{"hook_event_name":"PreCompact","cwd":"'"$PWD"'"}' | sechroom hook pre-compact
+  # Wire both hooks into the installed surface(s)' config (no hand-editing):
+  $ sechroom hook install                       auto-detect Claude Code / Codex
+  $ sechroom hook install --surface codex        Codex only
+  $ sechroom hook install --local --dry-run      preview the project .claude/settings.json
+
+Lane source (high -> low): --lane  >  SECHROOM_LANE  >  ./.sem code-lane (D-binding-5).
+Fail-soft: no lane / no auth / no-or-partial intent file / API error -> exit 0, never blocks.`
+  );
+  hook.command("session-start").description("Resume the checkout's lane and emit continuity context for a SessionStart hook").option("--lane <laneId>", "Override the resolved lane (else SECHROOM_LANE, else ./.sem code-lane)").option("--surface <surface>", "Target surface: claude | codex (output is identical for session-start)", "claude").option("--max-artifacts <n>", "Cap artifacts in the resume bundle").action(async (opts, cmd) => {
+    try {
+      const raw = await readStdin();
+      const input = parseHookInput(raw);
+      const lane = resolveLane(opts.lane, input.cwd);
+      if (!lane) return process.exit(0);
+      const cfg = resolveConfig(cmd.optsWithGlobals());
+      const client = await makeClient(cfg);
+      const { data } = await client.POST("/continuity/resume/lane", {
+        body: {
+          laneId: lane,
+          workspaceId: null,
+          maxArtifacts: opts.maxArtifacts != null ? Number(opts.maxArtifacts) : null,
+          includeLookingAtMyself: null,
+          changedSince: null
+        }
+      });
+      const context = formatContext(data, lane);
+      if (context) emitSessionStart(context);
+      return process.exit(0);
+    } catch {
+      return process.exit(0);
+    }
+  });
+  hook.command("pre-compact").description("Save a continuity snapshot from the agent-maintained intent file on a PreCompact hook").option("--lane <laneId>", "Override the resolved lane (else SECHROOM_LANE, else ./.sem code-lane)").option("--scope <scope>", "Snapshot scope (else the intent file's `scope`, else 'compaction')").option("--surface <surface>", "Target surface: claude | codex (lifecycle-only on both)", "claude").action(async (opts, cmd) => {
+    try {
+      const raw = await readStdin();
+      const input = parseHookInput(raw);
+      const cwd = input.cwd ?? process.cwd();
+      const lane = resolveLane(opts.lane, input.cwd);
+      if (!lane) return process.exit(0);
+      const intent = readIntent(cwd);
+      if (!intent || !hasRequiredIntent(intent)) return process.exit(0);
+      const cfg = resolveConfig(cmd.optsWithGlobals());
+      const client = await makeClient(cfg);
+      await client.POST("/continuity/snapshots", {
+        body: {
+          laneId: lane,
+          scope: opts.scope ?? intent.scope ?? "compaction",
+          currentObjective: intent.objective,
+          currentState: intent.state,
+          lastMeaningfulAction: intent.lastAction,
+          nextIntendedAction: intent.nextAction,
+          resumeInstruction: intent.resumeInstruction,
+          activeConstraints: intent.constraints ?? null,
+          openQuestions: intent.questions ?? null,
+          surfaceMarkers: intent.surfaceMarkers ?? null,
+          relevantArtifactIds: intent.artifacts ?? null,
+          confidence: intent.confidence ?? null,
+          // Compaction is infrequent, so the FR-051 clobber guard doesn't bite;
+          // Acknowledge lets a within-window checkpoint land on the lane.
+          concurrentSessionPolicy: "Acknowledge"
+        }
+      });
+      return process.exit(0);
+    } catch {
+      return process.exit(0);
+    }
+  });
+  hook.command("install").description("Wire the session-start + pre-compact hooks into Claude Code and/or Codex config").option("--surface <surface>", "Target surface: claude | codex | both (default: auto-detect installed surfaces)").option("--local", "Claude Code only: write <cwd>/.claude/settings.json instead of ~/.claude/settings.json").option("--dry-run", "Print what would change; write nothing").action((opts) => {
+    const dryRun = Boolean(opts.dryRun);
+    const cwd = process.cwd();
+    let surfaces;
+    try {
+      surfaces = resolveSurfaces(opts.surface, cwd);
+    } catch (err2) {
+      process.stderr.write(`${err2.message}
+`);
+      return process.exit(2);
+    }
+    const results = [];
+    try {
+      const installed = installHookSurfaces(surfaces, { dryRun, local: opts.local, cwd, home: homedir3() });
+      for (const { surface, results: surfaceResults } of installed) {
+        process.stdout.write(`${HOOK_SURFACE_LABEL[surface]}:
+`);
+        for (const r of surfaceResults) {
+          results.push(r);
+          process.stdout.write(describe(r, dryRun) + "\n");
+        }
+      }
+    } catch (err2) {
+      process.stderr.write(`hook install failed: ${err2.message}
+`);
+      return process.exit(1);
+    }
+    if (dryRun) {
+      process.stdout.write("\n(dry run \u2014 no files were written.)\n");
+    } else if (results.every((r) => r.status === "current")) {
+      process.stdout.write("\nAlready up to date \u2014 nothing to change.\n");
+    } else {
+      process.stdout.write("\nRestart (or reload) your agent for the hooks to take effect.\n");
+    }
+    warnIfSechroomNotOnPath();
+    return process.exit(0);
+  });
+}
+
+// src/commands/account.ts
+function registerId(program2) {
+  const id = program2.command("id").description("Allocate human-authored id sequences (FR-*, D-*)");
+  id.addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom id next FR sechroom            allocate the next FR-sechroom-NNN id
+  $ sechroom id next D Backend              allocate the next D-Backend-NNN id
+  $ sechroom id peek FR sechroom            inspect the sequence without consuming
+  $ sechroom id peek FR sechroom --json`
+  );
+  id.command("next <namespaceKind> <scope>").description("Allocate the next id in a sequence (POST /id-registry/allocate)").action(async (namespaceKind, scope, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Allocating id", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/id-registry/allocate", {
+        body: { namespaceKind, scope, clientNonce: null }
+      });
+    });
+    emitAction(`allocated ${style.bold(data.id)} ${style.dim(`(seq ${data.seq})`)}`, data, cmd.optsWithGlobals().json);
+  });
+  id.command("peek <namespaceKind> <scope>").description("Inspect a sequence without consuming (GET /id-registry/state)").action(async (namespaceKind, scope, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Peeking id sequence", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/id-registry/state", {
+        params: { query: { namespaceKind, scope } }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+}
+function registerAccount(program2) {
+  const account = program2.command("account").description("Your profile, feeds, and review queue");
+  account.addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom account profile
+  $ sechroom account set-profile --display-name "Chris" --timezone "Europe/London"
+  $ sechroom account feed --limit 20
+  $ sechroom account reviews --status Pending
+  $ sechroom account lookup-batch mem_XXXX wsp_YYYY --json`
+  );
+  account.command("profile").description("Show your resolved profile (GET /me/profile)").action(async (_opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching profile", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/me/profile");
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  account.command("set-profile").description("Update your profile (PUT /me/profile)").option("--display-name <displayName>", "Display name").option("--timezone <timezone>", "IANA timezone (e.g. Europe/London)").option("--bio <bio>", "Short bio").option("--photo-url <photoUrl>", "Avatar / photo URL").action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Updating profile", async () => {
+      const client = await makeClient(cfg);
+      return client.PUT("/me/profile", {
+        body: {
+          displayName: opts.displayName ?? null,
+          timezone: opts.timezone ?? null,
+          bio: opts.bio ?? null,
+          photoUrl: opts.photoUrl ?? null
+        }
+      });
+    });
+    emitAction("updated profile", data, cmd.optsWithGlobals().json);
+  });
+  account.command("feed").description("Your recent memory feed (GET /me/memories/feed)").option("--limit <n>", "Max results", "20").option("--cursor <cursor>", "Opaque paging cursor").option("--query <query>", "Free-text filter").option("--filter-tags <tags>", "Comma-separated tag filter").option("--include-archived", "Include archived memories", false).option("--include-text", "Include memory body text", false).action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching feed", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/me/memories/feed", {
+        params: {
+          query: {
+            limit: Number(opts.limit),
+            includeArchived: Boolean(opts.includeArchived),
+            includeText: Boolean(opts.includeText),
+            ...opts.cursor ? { cursor: opts.cursor } : {},
+            ...opts.query ? { query: opts.query } : {},
+            ...opts.filterTags ? { filterTags: opts.filterTags } : {}
+          }
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  account.command("reviews").description("Your review queue (GET /reviews)").option("--status <status>", "Pending | Resolved | Empty").option("--scope-kind <scopeKind>", "Memory | Project | Workspace").option("--scope-target-id <id>", "Scope target id").option("--limit <n>", "Max results", "20").action(async (opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching reviews", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/reviews", {
+        params: {
+          query: {
+            limit: Number(opts.limit),
+            ...opts.status ? { status: opts.status } : {},
+            ...opts.scopeKind ? { scopeKind: opts.scopeKind } : {},
+            ...opts.scopeTargetId ? { scopeTargetId: opts.scopeTargetId } : {}
+          }
+        }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  account.command("review-get <reviewId>").description("Fetch one review bundle (GET /reviews/{reviewId})").action(async (reviewId, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching review", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/reviews/{reviewId}", { params: { path: { reviewId } } });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  account.command("review-accept <reviewId>").description("Accept a review bundle (POST /reviews/{reviewId}/accept)").action(async (reviewId, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Accepting review", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/reviews/{reviewId}/accept", {
+        params: { path: { reviewId } },
+        body: { decisions: {} }
+      });
+    });
+    emitAction(`accepted review ${style.bold(reviewId)}`, data, cmd.optsWithGlobals().json);
+  });
+  account.command("lookup-batch <ids...>").description("Resolve many ids at once (POST /lookup/batch)").action(async (ids, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi(`Resolving ${ids.length} ids`, async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/lookup/batch", { body: { ids } });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+}
+
+// src/commands/chat.ts
+function registerChat(program2) {
+  const chat = program2.command("chat").description("Send and read Slack / Discord channel messages").option("--surface <surface>", "slack | discord", "slack");
+  chat.addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom chat send C0123456789 "deploy is green" --surface slack
+  $ sechroom chat send 987654321098765432 "deploy is green" --surface discord --guild 123456789012345678
+  $ sechroom chat send C0123456789 "lgtm" --surface slack --as user --parent 1718049600.123456
+  $ sechroom chat messages --surface slack
+  $ sechroom chat replies 1718049600.123456 --surface slack
+  $ sechroom chat stop-tracking 1718049600.123456 --surface slack`
+  );
+  chat.command("send <channelId> <text>").description("Send a message to a channel (POST /chat/channel-messages/{surface})").option("--guild <guildId>", "Discord guild snowflake \u2014 required for --surface discord").option("--memory <memoryId>", "Attach a sechroom memory id").option("--no-track", "Don't capture replies to this message").option("--parent <parentMessage>", "Thread under a parent (Slack thread_ts / Discord message id)").option("--source <source>", "Source / lane stamp (renders an attribution footer)", "cli").option("--as <as>", "Slack only: 'bot' (default) or 'user' (your linked Slack identity)", "bot").action(async (channelId, text, opts, cmd) => {
+    const { surface, ...globals } = cmd.optsWithGlobals();
+    const json = Boolean(cmd.optsWithGlobals().json);
+    const cfg = resolveConfig(globals);
+    const data = await runApi("Sending message", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/chat/channel-messages/{surface}", {
+        params: { path: { surface: String(surface) } },
+        body: {
+          channelId,
+          text,
+          guildId: opts.guild ?? null,
+          attachedMemoryId: opts.memory ?? null,
+          trackReplies: opts.track,
+          parentMessage: opts.parent ?? null,
+          source: opts.source,
+          as: opts.as
+        }
+      });
+    });
+    if (!data.ok) {
+      if (json) {
+        emit(data, true);
+      } else {
+        process.stderr.write(
+          `${err("\u2717")} send failed: ${data.upstreamError ?? "error"}${data.errorDescription ? ` \u2014 ${data.errorDescription}` : ""}
+`
+        );
+      }
+      process.exit(1);
     }
+    const idPart = data.persistedId ? ` ${style.dim(`(${data.persistedId})`)}` : "";
+    emitAction(`sent to ${surface} ${style.bold(channelId)}${idPart}`, data, json);
+  });
+  chat.command("messages").description("List recent channel messages (GET /chat/channel-messages/{surface})").action(async (_opts, cmd) => {
+    const { surface, ...globals } = cmd.optsWithGlobals();
+    const cfg = resolveConfig(globals);
+    const data = await runApi("Fetching messages", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/chat/channel-messages/{surface}", {
+        params: { path: { surface: String(surface) } }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  chat.command("replies <messageId>").description("List thread replies for a message (GET /chat/channel-messages/by-id/{id}/replies)").action(async (messageId, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Fetching replies", async () => {
+      const client = await makeClient(cfg);
+      return client.GET("/chat/channel-messages/by-id/{id}/replies", {
+        params: { path: { id: messageId } }
+      });
+    });
+    emit(data, cmd.optsWithGlobals().json);
+  });
+  chat.command("stop-tracking <messageId>").description("Stop watching a message for replies (POST .../by-id/{id}/stop-tracking-replies)").action(async (messageId, _opts, cmd) => {
+    const cfg = resolveConfig(cmd.optsWithGlobals());
+    const data = await runApi("Stopping reply tracking", async () => {
+      const client = await makeClient(cfg);
+      return client.POST("/chat/channel-messages/by-id/{id}/stop-tracking-replies", {
+        params: { path: { id: messageId } },
+        body: {}
+      });
+    });
+    emitAction(`stopped tracking replies on ${style.bold(messageId)}`, data, cmd.optsWithGlobals().json);
   });
-  if (error) throw new Error(`creating personal copy failed: ${JSON.stringify(error)}`);
 }
 
 // src/setup/apply.ts
-var BLOCK_BEGIN = "<!-- @sechroom/cli:begin (managed \u2014 re-run `sechroom setup agent-files` to refresh) -->";
-var BLOCK_END = "<!-- @sechroom/cli:end -->";
+import { createHash as createHash2 } from "crypto";
+import { mkdirSync as mkdirSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync4, existsSync as existsSync5 } from "fs";
+import { dirname as dirname5 } from "path";
+var MARKER_BEGIN = "<!-- @sechroom/cli:begin";
+var MARKER_END = "<!-- @sechroom/cli:end";
+function normalizeBody(s) {
+  return s.replace(/\r\n/g, "\n").trim();
+}
+function bodySha256(body) {
+  return createHash2("sha256").update(normalizeBody(body), "utf8").digest("hex");
+}
+function renderBlock(write) {
+  const body = normalizeBody(write.body);
+  const attrs = [`block=${write.block}`];
+  if (write.source) attrs.push(`source=${write.source}`);
+  attrs.push(`sha256=${bodySha256(body)}`);
+  return `${MARKER_BEGIN} ${attrs.join(" ")} -->
+${body}
+${MARKER_END} block=${write.block} -->
+`;
+}
+function keyedBlockRe(block) {
+  const b = escapeRe(block);
+  return new RegExp(
+    `${escapeRe(MARKER_BEGIN)}[^\\n]*?\\bblock=${b}\\b[^\\n]*?-->\\n[\\s\\S]*?${escapeRe(MARKER_END)}[^\\n]*?\\bblock=${b}\\b[^\\n]*?-->\\n?`
+  );
+}
+function legacyBlockRe() {
+  return new RegExp(
+    `${escapeRe(MARKER_BEGIN)}(?:(?!block=)[^\\n])*?-->\\n[\\s\\S]*?${escapeRe(MARKER_END)}(?:(?!block=)[^\\n])*?-->\\n?`
+  );
+}
+function parseAttrs(beginLine) {
+  const attrs = {};
+  for (const m of beginLine.matchAll(/(\w+)=(\S+)/g)) attrs[m[1]] = m[2];
+  return attrs;
+}
+function innerBody(segment) {
+  const firstNl = segment.indexOf("\n");
+  const endIdx = segment.lastIndexOf(MARKER_END);
+  return segment.slice(firstNl + 1, endIdx).replace(/\n$/, "");
+}
+function parseManagedBlock(content, block) {
+  const keyed = content.match(keyedBlockRe(block));
+  if (keyed) {
+    const attrs = parseAttrs(keyed[0].slice(0, keyed[0].indexOf("\n")));
+    return { block, source: attrs.source ?? null, sha256: attrs.sha256 ?? null, body: innerBody(keyed[0]) };
+  }
+  if (block === "role-template") {
+    const legacy = content.match(legacyBlockRe());
+    if (legacy) return { block, source: null, sha256: null, body: innerBody(legacy[0]) };
+  }
+  return null;
+}
 function ensureDir2(path) {
-  mkdirSync2(dirname(path), { recursive: true });
+  mkdirSync4(dirname5(path), { recursive: true });
 }
 function readOr(path, fallback) {
   try {
-    return readFileSync2(path, "utf8");
+    return readFileSync4(path, "utf8");
   } catch {
     return fallback;
   }
 }
 function mergeMcpJson(path, snippet, dryRun) {
   const incoming = JSON.parse(snippet);
-  const existed = existsSync2(path);
+  const existed = existsSync5(path);
   let current = {};
   if (existed) {
     try {
-      current = JSON.parse(readFileSync2(path, "utf8"));
+      current = JSON.parse(readFileSync4(path, "utf8"));
     } catch {
       return { kind: "mcp", path, status: "skipped", note: "existing file isn't valid JSON \u2014 left untouched" };
     }
@@ -561,46 +2490,88 @@ function mergeMcpJson(path, snippet, dryRun) {
   current.mcpServers = { ...current.mcpServers ?? {}, ...incoming.mcpServers ?? {} };
   if (dryRun) return { kind: "mcp", path, status: "dry-run" };
   ensureDir2(path);
-  writeFileSync2(path, JSON.stringify(current, null, 2) + "\n", { mode: 384 });
+  writeFileSync4(path, JSON.stringify(current, null, 2) + "\n", { mode: 384 });
   return { kind: "mcp", path, status: existed ? "merged" : "created" };
 }
 function mergeCodexToml(path, snippet, dryRun) {
-  const existed = existsSync2(path);
+  const existed = existsSync5(path);
   let body = readOr(path, "");
   body = body.replace(/(^|\n)\[mcp_servers\.sechroom\][^[]*/, "\n").replace(/\n{3,}/g, "\n\n");
   const trimmed = body.trim();
   const next = (trimmed.length > 0 ? trimmed + "\n\n" : "") + snippet.trim() + "\n";
   if (dryRun) return { kind: "mcp", path, status: "dry-run" };
   ensureDir2(path);
-  writeFileSync2(path, next, { mode: 384 });
+  writeFileSync4(path, next, { mode: 384 });
   return { kind: "mcp", path, status: existed ? "merged" : "created" };
 }
-function writeInstructionBlock(path, body, dryRun) {
-  const block = `${BLOCK_BEGIN}
-${body.trim()}
-${BLOCK_END}
-`;
-  const existed = existsSync2(path);
-  const current = readOr(path, "");
-  let next;
-  const re = new RegExp(`${escapeRe(BLOCK_BEGIN)}[\\s\\S]*?${escapeRe(BLOCK_END)}\\n?`);
-  if (re.test(current)) {
-    next = current.replace(re, block);
-  } else {
-    next = current.trim().length > 0 ? `${current.trimEnd()}
-
-${block}` : block;
-  }
+function writeInstructionBlock(path, write, dryRun) {
+  const existed = existsSync5(path);
+  const next = computeBlockFile(readOr(path, ""), write);
   if (dryRun) return { kind: "instruction", path, status: "dry-run" };
   ensureDir2(path);
-  writeFileSync2(path, next);
+  writeFileSync4(path, next);
   return { kind: "instruction", path, status: existed ? "merged" : "created" };
 }
+function computeBlockFile(current, write) {
+  const rendered = renderBlock(write);
+  const keyed = keyedBlockRe(write.block);
+  if (keyed.test(current)) return current.replace(keyed, rendered);
+  if (write.block === "role-template" && legacyBlockRe().test(current)) {
+    return current.replace(legacyBlockRe(), rendered);
+  }
+  return current.trim().length > 0 ? `${current.trimEnd()}
+
+${rendered}` : rendered;
+}
+function evaluateBlock(content, block, serverBody) {
+  const onDisk = parseManagedBlock(content, block);
+  if (!onDisk) return "absent";
+  const actual = bodySha256(onDisk.body);
+  if (onDisk.sha256 && actual !== onDisk.sha256) return "drift";
+  return actual === bodySha256(serverBody) ? "current" : "stale";
+}
+function applyBlock(path, write, mode, dryRun) {
+  const current = readOr(path, "");
+  const state = evaluateBlock(current, write.block, write.body);
+  if (mode === "check") {
+    return {
+      kind: "instruction",
+      path,
+      status: state === "current" ? "current" : "skipped",
+      eval: state,
+      note: state === "current" ? void 0 : `would ${state === "absent" ? "write" : "refresh"} (${state})`
+    };
+  }
+  if (state === "current") {
+    return { kind: "instruction", path, status: "current", eval: "current" };
+  }
+  if (state === "drift" && mode !== "force") {
+    const proposedPath = `${path}.proposed`;
+    const next = computeBlockFile(current, write);
+    if (!dryRun) {
+      ensureDir2(proposedPath);
+      writeFileSync4(proposedPath, next);
+    }
+    return {
+      kind: "instruction",
+      path,
+      status: "skipped",
+      eval: "drift",
+      proposedPath,
+      note: `local edits \u2014 wrote ${proposedPath} (original left untouched)`
+    };
+  }
+  const action = writeInstructionBlock(path, write, dryRun);
+  const note = state === "stale" ? "refreshed" : state === "drift" ? "overwrote local edits" : void 0;
+  return { ...action, eval: state, note: note ?? action.note };
+}
 function escapeRe(s) {
   return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 async function applyClient(cfg, setup, target, opts) {
   const actions = [];
+  const mode = opts.mode ?? "apply";
+  const dryRun = opts.dryRun || mode === "check";
   if (opts.mcp && target.mcp) {
     const surface = findSurface(setup, target.mcp.surfaceKey);
     const section = findSection(surface, target.mcp.sectionType);
@@ -609,7 +2580,7 @@ async function applyClient(cfg, setup, target, opts) {
       actions.push({ kind: "mcp", path: target.mcp.path, status: "skipped", note: `no ${target.mcp.sectionType} section on surface '${target.mcp.surfaceKey}'` });
     } else {
       actions.push(
-        target.mcp.format === "toml" ? mergeCodexToml(target.mcp.path, snippet, opts.dryRun) : mergeMcpJson(target.mcp.path, snippet, opts.dryRun)
+        target.mcp.format === "toml" ? mergeCodexToml(target.mcp.path, snippet, dryRun) : mergeMcpJson(target.mcp.path, snippet, dryRun)
       );
     }
   }
@@ -623,67 +2594,206 @@ async function applyClient(cfg, setup, target, opts) {
       if (!resolved) {
         actions.push({ kind: "instruction", path: target.instruction.path, status: "skipped", note: "no role template found in this tenant \u2014 install the SEM Starter bundle, then re-run `sechroom setup agent-files`" });
       } else {
-        const action = writeInstructionBlock(target.instruction.path, resolved.body, opts.dryRun);
-        actions.push(resolved.source === "override" ? { ...action, note: "your personal copy" } : action);
+        const action = applyBlock(
+          target.instruction.path,
+          { block: "role-template", body: resolved.body, source: resolved.sourceRef },
+          mode,
+          opts.dryRun
+        );
+        actions.push(resolved.source === "override" && action.status !== "current" ? { ...action, note: action.note ?? "your personal copy" } : action);
+      }
+    }
+    const conventionsSection = findSection(surface, SectionType.WorkspaceConventions);
+    if (conventionsSection) {
+      const conventions = await resolveWorkspaceConventions(cfg, conventionsSection);
+      if (conventions) {
+        const action = applyBlock(
+          target.instruction.path,
+          { block: "workspace-conventions", body: conventions.body, source: `workspace:${cfg.workspaceId ?? ""}` },
+          mode,
+          opts.dryRun
+        );
+        actions.push(action.status === "current" ? action : { ...action, note: action.note ?? `workspace conventions (${conventions.refs.length})` });
       }
     }
   }
   return actions;
 }
 
-// src/setup/clients.ts
-import { existsSync as existsSync3 } from "fs";
-import { homedir as homedir2 } from "os";
-import { dirname as dirname2, join as join2 } from "path";
-function claudeDesktopConfigPath(home) {
-  switch (process.platform) {
-    case "darwin":
-      return join2(home, "Library", "Application Support", "Claude", "claude_desktop_config.json");
-    case "win32":
-      return join2(process.env.APPDATA ?? join2(home, "AppData", "Roaming"), "Claude", "claude_desktop_config.json");
-    default:
-      return join2(home, ".config", "Claude", "claude_desktop_config.json");
+// src/setup/hooks-offer.ts
+import { homedir as homedir4 } from "os";
+async function maybeOfferHooks(opts) {
+  if (opts.dryRun) return;
+  const cwd = opts.cwd ?? process.cwd();
+  const surfaces = detectHookSurfaces(cwd);
+  if (surfaces.length === 0) return;
+  const names = surfaces.map((s) => HOOK_SURFACE_LABEL[s]).join(" + ");
+  process.stderr.write(
+    `
+Sechroom can wire continuity lifecycle hooks into ${style.bold(names)} so your agent
+auto-resumes where you left off and checkpoints working state before compacting.
+`
+  );
+  const install = opts.yes ? true : canPrompt() ? await promptYesNo(`Install the continuity hooks for ${names}?`) : false;
+  if (!install) return;
+  try {
+    const installed = installHookSurfaces(surfaces, { dryRun: false, cwd, home: homedir4() });
+    let changed = false;
+    for (const { surface, results } of installed) {
+      for (const r of results) {
+        if (r.status !== "current") changed = true;
+        const verb = r.status === "current" ? "already configured" : r.status === "created" ? "created" : "updated";
+        process.stderr.write(`${style.green("\u2713")} ${HOOK_SURFACE_LABEL[surface]}: ${r.path} (${verb})
+`);
+      }
+    }
+    if (changed) {
+      process.stderr.write(`${style.dim("Restart (or reload) your agent for the hooks to take effect.")}
+`);
+    }
+    warnIfSechroomNotOnPath();
+  } catch (err2) {
+    process.stderr.write(`${style.dim(`(skipped hook install: ${err2.message})`)}
+`);
   }
 }
-function clientTargets(cwd) {
-  const home = homedir2();
+
+// src/setup/skills-offer.ts
+import { mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
+import { homedir as homedir5 } from "os";
+import { join as join5 } from "path";
+
+// src/setup/lane-pin.ts
+var CODE_LANE_PREFIX_BY_CLIENT = {
+  "claude-code": "claude-code",
+  "claude-desktop": "claude-code",
+  cursor: "claude-code",
+  codex: "codex"
+};
+var CLIENT_PRIORITY = ["claude-code", "claude-desktop", "cursor", "codex"];
+function handleFromDisplayName(name) {
+  if (!name) return void 0;
+  const localPart = name.trim().split("@")[0] ?? "";
+  const first = localPart.split(/[\s._-]+/)[0]?.toLowerCase().replace(/[^a-z0-9]/g, "");
+  return first || void 0;
+}
+function codeLanePrefix(clients) {
+  for (const c of CLIENT_PRIORITY) if (clients.includes(c)) return CODE_LANE_PREFIX_BY_CLIENT[c];
+  return "claude-code";
+}
+async function inferLanes(cfg, clients) {
+  let wf;
+  let profile;
+  try {
+    const client = await makeClient(cfg);
+    [wf, profile] = await Promise.all([
+      client.GET("/me/workflow-preferences", {}).then((r) => r.data).catch(() => void 0),
+      client.GET("/me/profile", {}).then((r) => r.data).catch(() => void 0)
+    ]);
+  } catch {
+  }
+  const handle = handleFromDisplayName(profile?.effectiveDisplayName);
+  const prefix = codeLanePrefix(clients ?? ["claude-code"]);
   return {
-    "claude-code": {
-      key: "claude-code",
-      label: "Claude Code",
-      mcp: { surfaceKey: "claude-code", sectionType: SectionType.McpConfig, path: join2(cwd, ".mcp.json"), format: "json" },
-      instruction: { surfaceKey: "claude-code", path: join2(cwd, "CLAUDE.md") }
-    },
-    "claude-desktop": {
-      key: "claude-desktop",
-      label: "Claude Desktop",
-      mcp: { surfaceKey: "claude-desktop", sectionType: SectionType.McpConfig, path: claudeDesktopConfigPath(home), format: "json" },
-      instruction: { surfaceKey: "claude-desktop", path: join2(home, ".claude", "CLAUDE.md") }
-    },
-    codex: {
-      key: "codex",
-      label: "Codex CLI",
-      mcp: { surfaceKey: "chatgpt", sectionType: SectionType.McpConfigToml, path: join2(home, ".codex", "config.toml"), format: "toml" },
-      instruction: { surfaceKey: "chatgpt", path: join2(cwd, "AGENTS.md") }
-    },
-    cursor: {
-      key: "cursor",
-      label: "Cursor",
-      mcp: { surfaceKey: "claude-code", sectionType: SectionType.McpConfig, path: join2(cwd, ".cursor", "mcp.json"), format: "json" },
-      instruction: { surfaceKey: "chatgpt", path: join2(cwd, "AGENTS.md") }
-    }
+    code: process.env.SECHROOM_CODE_LANE ?? wf?.defaultCodeLane ?? (handle ? `${prefix}-${handle}` : void 0),
+    design: process.env.SECHROOM_DESIGN_LANE ?? wf?.defaultDesignLane ?? (handle ? `claude-design-${handle}` : void 0)
   };
 }
-var ALL_CLIENT_KEYS = ["claude-code", "claude-desktop", "codex", "cursor"];
-var DEFAULT_CLIENT_KEY = "claude-code";
-function detectInstalledClients(cwd) {
-  const home = homedir2();
-  const detected = [];
-  if (existsSync3(join2(home, ".claude"))) detected.push("claude-code");
-  if (existsSync3(dirname2(claudeDesktopConfigPath(home)))) detected.push("claude-desktop");
-  if (existsSync3(join2(home, ".codex"))) detected.push("codex");
-  if (existsSync3(join2(home, ".cursor")) || existsSync3(join2(cwd, ".cursor"))) detected.push("cursor");
-  return detected;
+function writePin(code, design) {
+  const values = {};
+  if (code) values["code-lane"] = code;
+  if (design) values["design-lane"] = design;
+  if (Object.keys(values).length === 0) return;
+  const target = writeSem(values);
+  process.stderr.write(`${ok("\u2713")} lane pin written \u2192 ${target} ${style.dim("(./.sechroom/lane.json, git-ignored)")}
+`);
+}
+async function ensureLanePin(cfg, opts) {
+  if (opts.dryRun) return;
+  if (readSem()) return;
+  const { code: codeGuess, design: designGuess } = await inferLanes(cfg, opts.clients);
+  if (!canPrompt() || opts.yes) {
+    if (opts.yes && (codeGuess || designGuess)) writePin(codeGuess, designGuess);
+    return;
+  }
+  if (codeGuess || designGuess) {
+    process.stderr.write(
+      `
+I can pin this checkout's lane so operator skills + the continuity hook resolve your identity:
+`
+    );
+    if (codeGuess) process.stderr.write(`  ${style.dim("code-lane")}   = ${style.cyan(codeGuess)}
+`);
+    if (designGuess) process.stderr.write(`  ${style.dim("design-lane")} = ${style.cyan(designGuess)}
+`);
+    if (await promptYesNo("Pin these?")) {
+      writePin(codeGuess, designGuess);
+      return;
+    }
+  }
+  const code = await promptText("Code-lane id (e.g. claude-code-you, blank to skip)?", codeGuess ?? "");
+  const design = await promptText("Design-lane id (e.g. claude-design-you, blank to skip)?", designGuess ?? "");
+  if (!code && !design) {
+    process.stderr.write(
+      `  ${style.dim("skipped \u2014 set later with")} ${style.cyan("sechroom skills set-lane --code-lane \u2026 --design-lane \u2026")}
+`
+    );
+    return;
+  }
+  writePin(code || void 0, design || void 0);
+}
+
+// src/setup/skills-offer.ts
+var ROLE_TAG = "sechroom:role:skill-template";
+function tagValue(tags, prefix) {
+  return tags.find((t) => t.startsWith(prefix))?.slice(prefix.length);
+}
+async function maybeOfferSkills(cfg, personalWorkspaceId, opts) {
+  if (!personalWorkspaceId || opts.dryRun) return;
+  const surface = opts.surface ?? "claude-code";
+  let rows = [];
+  try {
+    const client = await makeClient(cfg);
+    const feed = await client.GET("/workspaces/{workspaceId}/memories/feed", {
+      params: {
+        path: { workspaceId: personalWorkspaceId },
+        query: { limit: 200, cascadeWorkspaces: true, includeText: true }
+      }
+    }).then((r) => r.data).catch(() => void 0);
+    rows = feed?.results ?? feed?.Results ?? [];
+  } catch {
+    return;
+  }
+  const skills = rows.map((r) => r.item ?? r).filter((m) => {
+    const tags = m.tags ?? m.Tags ?? [];
+    return tags.includes(ROLE_TAG) && tagValue(tags, "target:") === surface;
+  });
+  if (skills.length === 0) return;
+  const byName = /* @__PURE__ */ new Map();
+  for (const m of skills) {
+    const name = tagValue(m.tags ?? m.Tags ?? [], "skill:");
+    if (name) byName.set(name, m);
+  }
+  const names = [...byName.keys()].sort();
+  if (names.length === 0) return;
+  process.stderr.write(
+    `
+Found ${style.bold(String(names.length))} operator skill(s) installed in your workspace: ${names.join(", ")}.
+`
+  );
+  const dir = join5(homedir5(), ".claude", "skills");
+  const materialise = opts.yes ? true : canPrompt() ? await promptYesNo(`Write them to ${dir}/ so ${surface} can use them?`) : false;
+  if (!materialise) return;
+  const written = [];
+  for (const [name, m] of byName) {
+    const body = m.text ?? m.Text ?? "";
+    mkdirSync5(join5(dir, name), { recursive: true });
+    writeFileSync5(join5(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
+    written.push(name);
+  }
+  process.stderr.write(`${style.green("\u2713")} wrote ${written.length} skill(s) to ${dir}
+`);
+  await ensureLanePin(cfg, { yes: opts.yes, dryRun: opts.dryRun, clients: [surface] });
 }
 
 // src/commands/setup.ts
@@ -741,7 +2851,16 @@ ${client.label} (${client.key}):
   }
 }
 function registerInit(program2) {
-  program2.command("init").description("Wire this project for sechroom: write MCP config + agent instruction files from the server's setup descriptors").option("--client <list>", `comma-separated clients (${ALL_CLIENT_KEYS.join(", ")}) or 'all'`, DEFAULT_CLIENT_KEY).option("--dry-run", "print what would be written without writing", false).option("--mcp-only", "only write MCP config (skip agent files)", false).option("--agent-files-only", "only write agent instruction files (skip MCP config)", false).option("--copy", "make a personal copy of the agent instructions you can edit (default: prompt on a TTY, else skip)").action(async (opts, cmd) => {
+  program2.command("init").description("Wire this project for sechroom: write MCP config + agent instruction files from the server's setup descriptors").option("--client <list>", `comma-separated clients (${ALL_CLIENT_KEYS.join(", ")}) or 'all'`, DEFAULT_CLIENT_KEY).option("--dry-run", "print what would be written without writing", false).option("--mcp-only", "only write MCP config (skip agent files)", false).option("--agent-files-only", "only write agent instruction files (skip MCP config)", false).option("--copy", "make a personal copy of the agent instructions you can edit (default: prompt on a TTY, else skip)").addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom init                       Claude Code (default): ./.mcp.json + ./CLAUDE.md
+  $ sechroom init --client all          claude-code, claude-desktop, codex, cursor
+  $ sechroom init --client codex,cursor
+  $ sechroom init --mcp-only            just the MCP config (skip agent files)
+  $ sechroom init --dry-run --json      preview the writes, change nothing`
+  ).action(async (opts, cmd) => {
     const cfg = resolveConfig(cmd.optsWithGlobals());
     const setup = await withSpinner("Fetching setup descriptors", () => fetchSetup(cfg));
     const targets = clientTargets(process.cwd());
@@ -763,6 +2882,12 @@ function registerInit(program2) {
       result.push({ client: key, actions });
       if (!json) printActions(target, actions);
     }
+    if (!json && !opts.dryRun && !opts.mcpOnly) {
+      await maybeOfferSkills(cfg, personalWorkspaceId, { yes: false, dryRun: Boolean(opts.dryRun), surface: "claude-code" });
+    }
+    if (!json && !opts.dryRun && !opts.mcpOnly) {
+      await maybeOfferHooks({ yes: false, dryRun: Boolean(opts.dryRun), cwd: process.cwd() });
+    }
     if (json) {
       emit({ dryRun: Boolean(opts.dryRun), clients: result }, true);
       return;
@@ -782,36 +2907,147 @@ Next \u2014 verify: ${verify.description}
 }
 function registerSetup(program2) {
   const setup = program2.command("setup").description("Granular onboarding steps (init runs these together)");
-  setup.command("mcp <client>").description(`Write only the MCP config for a client (${ALL_CLIENT_KEYS.join(", ")})`).option("--dry-run", "print what would be written without writing", false).action(async (client, opts, cmd) => {
-    await runSingle(client, cmd, { dryRun: Boolean(opts.dryRun), mcp: true, agentFiles: false });
+  setup.command("mcp <clients...>").description(`Write only the MCP config for one or more clients (${ALL_CLIENT_KEYS.join(", ")}, or 'all')`).option("--dry-run", "print what would be written without writing", false).addHelpText("after", "\nExamples:\n  $ sechroom setup mcp codex\n  $ sechroom setup mcp claude-code codex\n  $ sechroom setup mcp all").action(async (clients, opts, cmd) => {
+    await runClients(clients, cmd, { dryRun: Boolean(opts.dryRun), mcp: true, agentFiles: false });
   });
-  setup.command("agent-files <client>").description(`Write only the agent instruction file for a client (${ALL_CLIENT_KEYS.join(", ")})`).option("--dry-run", "print what would be written without writing", false).option("--copy", "make a personal copy you can edit (default: prompt on a TTY, else skip)").action(async (client, opts, cmd) => {
-    await runSingle(client, cmd, { dryRun: Boolean(opts.dryRun), mcp: false, agentFiles: true, copy: opts.copy });
+  setup.command("agent-files <clients...>").description(`Write only the agent instruction file(s) for one or more clients (${ALL_CLIENT_KEYS.join(", ")}, or 'all')`).option("--dry-run", "print what would be written without writing", false).option("--copy", "make a personal copy you can edit (default: prompt on a TTY, else skip)").addHelpText("after", "\nExamples:\n  $ sechroom setup agent-files claude-code        CLAUDE.md\n  $ sechroom setup agent-files claude-code codex  CLAUDE.md + AGENTS.md in one run\n  $ sechroom setup agent-files all").action(async (clients, opts, cmd) => {
+    await runClients(clients, cmd, { dryRun: Boolean(opts.dryRun), mcp: false, agentFiles: true, copy: opts.copy });
   });
 }
-async function runSingle(client, cmd, opts) {
+async function runClients(clients, cmd, opts) {
   const cfg = resolveConfig(cmd.optsWithGlobals());
   const targets = clientTargets(process.cwd());
-  const target = targets[client];
-  if (!target) fail(`unknown client '${client}'. Known: ${ALL_CLIENT_KEYS.join(", ")}.`);
+  const keys = resolveClientKeys(clients.join(","));
   const setupData = await withSpinner("Fetching setup descriptors", () => fetchSetup(cfg));
   const personalWorkspaceId = await getPersonalWorkspaceId(cfg);
   if (opts.agentFiles && !opts.dryRun) {
-    await maybeOfferCopies(cfg, setupData, targets, [client], personalWorkspaceId, copyChoice(opts));
+    await maybeOfferCopies(cfg, setupData, targets, keys, personalWorkspaceId, copyChoice(opts));
   }
-  const actions = await applyClient(cfg, setupData, target, {
-    dryRun: opts.dryRun,
-    mcp: opts.mcp,
-    agentFiles: opts.agentFiles,
-    personalWorkspaceId
-  });
   const json = cmd.optsWithGlobals().json;
+  const result = [];
+  for (const key of keys) {
+    const target = targets[key];
+    const actions = await applyClient(cfg, setupData, target, {
+      dryRun: opts.dryRun,
+      mcp: opts.mcp,
+      agentFiles: opts.agentFiles,
+      personalWorkspaceId
+    });
+    result.push({ client: key, actions });
+    if (!json) printActions(target, actions);
+  }
   if (json) {
-    emit({ dryRun: opts.dryRun, client, actions }, true);
-  } else {
-    printActions(target, actions);
-    process.stdout.write(opts.dryRun ? "\n(dry run \u2014 nothing written)\n" : "\nDone.\n");
+    emit({ dryRun: opts.dryRun, clients: result }, true);
+    return;
+  }
+  process.stdout.write(opts.dryRun ? "\n(dry run \u2014 nothing written)\n" : "\nDone.\n");
+}
+
+// src/commands/onboard.ts
+import { existsSync as existsSync7 } from "fs";
+import { join as join7 } from "path";
+
+// src/commands/fanout.ts
+import { spawnSync } from "child_process";
+import { existsSync as existsSync6, readFileSync as readFileSync5, readdirSync, statSync } from "fs";
+import { isAbsolute, join as join6, resolve } from "path";
+var ICON = {
+  refresh: "\u21BB",
+  bind: "+",
+  "skip-missing": "\u2013",
+  "skip-unbound": "\u26A0"
+};
+function resolveChildDir(path, root) {
+  return isAbsolute(path) ? path : resolve(root, path);
+}
+function discoverChildren(root) {
+  let names;
+  try {
+    names = readdirSync(root);
+  } catch {
+    return [];
+  }
+  const out = [];
+  for (const name of names.sort()) {
+    if (name.startsWith(".") || name === "node_modules") continue;
+    const dir = join6(root, name);
+    try {
+      if (!statSync(dir).isDirectory()) continue;
+    } catch {
+      continue;
+    }
+    if (existsSync6(join6(dir, ".git")) || committedBindingPath(dir)) out.push(name);
+  }
+  return out;
+}
+function readManifest(path) {
+  if (!existsSync6(path)) return null;
+  let parsed;
+  try {
+    parsed = JSON.parse(readFileSync5(path, "utf8"));
+  } catch (err2) {
+    throw new Error(`couldn't parse ${path}: ${err2 instanceof Error ? err2.message : String(err2)}`);
+  }
+  return Array.isArray(parsed.repos) ? parsed.repos.filter((r) => r && typeof r.path === "string") : [];
+}
+function passthroughGlobals(g) {
+  const out = [];
+  if (g.baseUrl) out.push("--base-url", g.baseUrl);
+  if (g.tenant) out.push("--tenant", g.tenant);
+  return out;
+}
+function runChildren(plans, o) {
+  const { globals, dryRun, json } = o;
+  const results = [];
+  for (const plan of plans) {
+    const runs = plan.argv.length > 0;
+    const argv = runs ? [...globals, ...plan.argv] : [];
+    if (!json) {
+      process.stderr.write(`  ${ICON[plan.disposition]} ${style.cyan(plan.label)} ${style.dim(plan.reason)}
+`);
+      if (runs && dryRun) process.stderr.write(`      ${style.dim(`would run: sechroom ${argv.join(" ")}`)}
+`);
+    }
+    let exitCode = runs ? 0 : null;
+    if (runs && !dryRun) {
+      const res = spawnSync(process.execPath, [process.argv[1], ...argv], {
+        cwd: plan.dir,
+        stdio: json ? "ignore" : "inherit"
+      });
+      exitCode = res.status;
+      if (!json) {
+        process.stderr.write(
+          exitCode === 0 ? `      ${ok("\u2713")} ${style.dim("onboard ok")}
+` : `      ${warn("\u2717")} ${style.dim(`onboard exited ${exitCode ?? "signal"}`)}
+`
+        );
+      }
+    }
+    results.push({
+      path: plan.label,
+      dir: plan.dir,
+      disposition: plan.disposition,
+      ran: runs && !dryRun,
+      exitCode,
+      reason: plan.reason
+    });
   }
+  return results;
+}
+function summarizeFanout(results, o) {
+  const ran = results.filter((r) => r.ran);
+  const failed = ran.filter((r) => r.exitCode !== 0);
+  const skipped = results.filter((r) => r.disposition.startsWith("skip"));
+  const wouldRun = results.filter((r) => !r.disposition.startsWith("skip"));
+  const tally = (o.dryRun ? [wouldRun.length ? `${wouldRun.length} would onboard` : null, skipped.length ? `${skipped.length} would skip` : null] : [
+    ran.length ? `${ran.length - failed.length}/${ran.length} onboarded` : null,
+    skipped.length ? `${skipped.length} skipped` : null,
+    failed.length ? `${failed.length} failed` : null
+  ]).filter(Boolean).join(", ");
+  process.stderr.write(`
+${failed.length ? warn("\u26A0") : ok("\u2713")} ${tally || "nothing to do"}${o.dryRun ? style.dim(" (dry run)") : ""}
+`);
+  if (failed.length) process.exit(1);
 }
 
 // src/commands/onboard.ts
@@ -823,22 +3059,197 @@ function systemTimezone() {
     return "UTC";
   }
 }
-async function ensureConfig(g, yes) {
+function editDistance(a, b) {
+  const m = a.length;
+  const n = b.length;
+  if (m === 0) return n;
+  if (n === 0) return m;
+  let prev = Array.from({ length: n + 1 }, (_, j) => j);
+  for (let i = 1; i <= m; i++) {
+    const curr = [i];
+    for (let j = 1; j <= n; j++) {
+      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+      curr[j] = Math.min(curr[j - 1] + 1, prev[j] + 1, prev[j - 1] + cost);
+    }
+    prev = curr;
+  }
+  return prev[n];
+}
+function namesCollide(a, b) {
+  const x = a.trim().toLowerCase();
+  const y = b.trim().toLowerCase();
+  return x === y || editDistance(x, y) <= 1;
+}
+function workspacePath(ws, byId) {
+  const parts = [];
+  const seen = /* @__PURE__ */ new Set();
+  let cur = ws;
+  while (cur && !seen.has(cur.id)) {
+    seen.add(cur.id);
+    parts.unshift(cur.name);
+    cur = cur.parentId ? byId.get(cur.parentId) : void 0;
+  }
+  return parts.join(" / ");
+}
+function resolveBaseUrl(g) {
   const persisted = readPersisted();
-  let baseUrl = g.baseUrl ?? process.env.SECHROOM_BASE_URL ?? persisted.baseUrl ?? DEFAULT_BASE_URL2;
-  let tenant = g.tenant ?? process.env.SECHROOM_TENANT ?? persisted.tenant ?? "";
-  if (canPrompt() && !yes) {
-    baseUrl = await promptText("Sechroom API base URL?", baseUrl);
-    tenant = await promptText("Tenant id?", tenant || void 0);
+  const local = readLocalConfig();
+  const baseUrl = g.baseUrl ?? process.env.SECHROOM_BASE_URL ?? local.baseUrl ?? persisted.baseUrl ?? DEFAULT_BASE_URL2;
+  return baseUrl.replace(/\/$/, "");
+}
+async function fetchWorkspaces(client) {
+  const { data, error } = await client.GET("/workspaces", { params: { query: { includeArchived: false } } });
+  if (error) throw new Error(`Couldn't list your workspaces: ${JSON.stringify(error)}`);
+  const rows = data ?? [];
+  return rows.map((r) => r.item ?? r).filter((w) => Boolean(w?.id && w?.name)).map((w) => ({ id: w.id, name: w.name, parentId: w.parentId ?? null }));
+}
+async function lookupWorkspace(client, id) {
+  const { data, error } = await client.GET("/workspaces/{workspaceId}", { params: { path: { workspaceId: id } } });
+  if (error) return null;
+  const env = data;
+  const w = env?.item ?? env;
+  return w?.id ? { id: w.id, name: w.name ?? id, parentId: w.parentId ?? null } : null;
+}
+async function warnIfProjectStray(client, projectId, workspaceId, json) {
+  const { data, error } = await client.GET("/projects/{projectId}", { params: { path: { projectId } } });
+  if (error) return;
+  const env = data;
+  const owner = env?.item?.workspaceId;
+  if (owner && owner !== workspaceId && !json) {
+    process.stderr.write(
+      `${warn("\u26A0")} defaultProjectId ${style.dim(projectId)} belongs to a different workspace (${style.dim(owner)}), not ${style.dim(workspaceId)} \u2014 leaving it as-is.
+`
+    );
   }
-  baseUrl = baseUrl.replace(/\/$/, "");
-  if (!tenant) {
-    fail(
-      "No tenant set. Pass --tenant <id>, set SECHROOM_TENANT, or run `sechroom config set tenant <id>` \u2014 the API rejects untenanted requests (HTTP 400)."
+}
+async function pickWorkspace(client, promptLabel = "Bind this directory to a workspace:") {
+  const all = await withSpinner("Listing your workspaces", () => fetchWorkspaces(client));
+  if (all.length === 0) {
+    process.stderr.write(`no workspaces found \u2014 skipping workspace binding (you can set it later with \`sechroom config set --local workspaceId <id>\`)
+`);
+    return void 0;
+  }
+  const byId = new Map(all.map((w) => [w.id, w]));
+  let pool = all;
+  if (all.length > 12) {
+    const q = (await promptText(`Filter ${all.length} workspaces (substring, Enter to list all)?`, "")).trim().toLowerCase();
+    if (q) {
+      const hits = all.filter((w) => `${w.name} ${workspacePath(w, byId)}`.toLowerCase().includes(q));
+      if (hits.length > 0) pool = hits;
+      else process.stderr.write(`no match for "${q}" \u2014 listing all
+`);
+    }
+  }
+  const SKIP = "__skip__";
+  const choices = [
+    ...pool.slice().sort((a, b) => workspacePath(a, byId).localeCompare(workspacePath(b, byId))).map((w) => ({ label: workspacePath(w, byId), value: w.id, hint: w.id })),
+    { label: style.dim("skip \u2014 don't bind a workspace"), value: SKIP, hint: void 0 }
+  ];
+  const chosen = await promptSelect(promptLabel, choices, SKIP);
+  if (chosen === SKIP) return void 0;
+  const picked = byId.get(chosen);
+  const collisions = all.filter((w) => w.id !== picked.id && namesCollide(w.name, picked.name));
+  if (collisions.length > 0) {
+    process.stderr.write(
+      `${warn("\u26A0")} ${collisions.length} other workspace(s) have a similar name to ${style.cyan(workspacePath(picked, byId))}:
+` + collisions.map((w) => `    ${style.dim(workspacePath(w, byId))} ${style.dim(`(${w.id})`)}`).join("\n") + `
+    You picked ${style.dim(picked.id)} \u2014 re-run \`sechroom config set --local workspaceId <id>\` if that's wrong.
+`
     );
   }
-  writePersisted({ baseUrl, tenant });
-  return { baseUrl, tenant, clientId: persisted.clientId };
+  return chosen;
+}
+async function resolveWorkspaceBinding(client, existing, opts) {
+  if (opts.workspace) {
+    const found = await lookupWorkspace(client, opts.workspace);
+    if (!found && !opts.json) {
+      process.stderr.write(
+        `${warn("\u26A0")} workspace ${style.dim(opts.workspace)} not found (or you lack access) \u2014 binding it anyway.
+`
+      );
+    }
+    return opts.workspace;
+  }
+  if (existing) return existing;
+  if (!canPrompt() || opts.yes) return void 0;
+  return pickWorkspace(client);
+}
+async function ensureTenant(baseUrl, g, opts) {
+  const persisted = readPersisted();
+  const local = readLocalConfig();
+  let tenant = g.tenant ?? process.env.SECHROOM_TENANT ?? local.tenant ?? persisted.tenant ?? "";
+  if (!tenant) {
+    const client = await makeClient({ baseUrl, tenant: "", clientId: persisted.clientId });
+    const { data, error } = await client.GET("/auth/me/tenants", {});
+    if (error) {
+      fail(`Couldn't list your tenants: ${JSON.stringify(error)}. Pass --tenant <id> to skip this.`);
+    }
+    const tenants = data?.tenants ?? [];
+    if (tenants.length === 0) {
+      fail(
+        "You're signed in, but your account isn't a member of any tenant yet. Ask an admin to add you (or create one in the app), then re-run \u2014 or pass --tenant <id>."
+      );
+    } else if (tenants.length === 1) {
+      tenant = tenants[0].key;
+      if (!opts.json) {
+        process.stderr.write(
+          `${ok("\u2713")} using your tenant ${style.cyan(tenants[0].label)} ${style.dim(`(${tenant})`)}
+`
+        );
+      }
+    } else if (canPrompt() && !opts.yes) {
+      tenant = await promptSelect(
+        "You belong to several tenants \u2014 pick one:",
+        tenants.map((t) => ({ label: t.label, value: t.key, hint: t.key })),
+        data?.defaultTenantKey ?? tenants[0].key
+      );
+    } else {
+      tenant = data?.defaultTenantKey ?? tenants[0].key;
+      if (!opts.json) {
+        process.stderr.write(
+          `using tenant ${tenant} (${tenants.length} available \u2014 pass --tenant to choose another)
+`
+        );
+      }
+    }
+  }
+  const existingWorkspace = local.workspaceId ?? persisted.workspaceId ?? void 0;
+  const wsClient = await makeClient({ baseUrl, tenant, clientId: persisted.clientId });
+  const workspaceId = await resolveWorkspaceBinding(wsClient, existingWorkspace, {
+    yes: opts.yes,
+    json: opts.json,
+    workspace: opts.workspace
+  });
+  const defaultProjectId = local.defaultProjectId ?? persisted.defaultProjectId ?? void 0;
+  if (defaultProjectId && workspaceId) await warnIfProjectStray(wsClient, defaultProjectId, workspaceId, opts.json);
+  let storeLocal = Boolean(opts.local);
+  if (!opts.local && canPrompt() && !opts.yes) {
+    storeLocal = await promptSelect(
+      "Where should this tenant + base URL be saved?",
+      [
+        { label: "Globally", value: "global", hint: "all projects on this machine" },
+        { label: "This directory", value: "local", hint: ".sechroom.json \u2014 committed, project + subdirs" }
+      ],
+      local.path ? "local" : "global"
+    ) === "local";
+  }
+  if (opts.persist !== false) {
+    const patch = { baseUrl, tenant, ...workspaceId ? { workspaceId } : {} };
+    if (storeLocal) {
+      const path = writeLocalConfig(patch);
+      if (!opts.json) process.stderr.write(`${ok("\u2713")} config saved to ${path} (directory-local)
+`);
+    } else {
+      writePersisted(patch);
+      if (!opts.json) process.stderr.write(`${ok("\u2713")} config saved globally (~/.config/sechroom/config.json)
+`);
+    }
+    if (workspaceId && !existingWorkspace && !opts.json) {
+      process.stderr.write(`${ok("\u2713")} bound to workspace ${style.dim(workspaceId)}
+`);
+    }
+  }
+  return { baseUrl, tenant, workspaceId, defaultProjectId, clientId: persisted.clientId };
 }
 async function ensureAuth(cfg, yes) {
   if (process.env.SECHROOM_TOKEN) return;
@@ -879,59 +3290,700 @@ async function ensureTimezone(cfg, opts) {
 async function chooseClients(clientFlag, yes, cwd) {
   if (clientFlag) return resolveClientKeys(clientFlag);
   const detected = detectInstalledClients(cwd);
-  const fallback = (detected.length > 0 ? detected : [DEFAULT_CLIENT_KEY]).join(",");
-  if (!canPrompt() || yes) return resolveClientKeys(fallback);
-  process.stderr.write(
-    `
-Available clients: ${ALL_CLIENT_KEYS.join(", ")}
-` + (detected.length > 0 ? `Detected on this machine: ${detected.join(", ")}
-` : "No clients auto-detected.\n")
+  const preselected = detected.length > 0 ? detected : [DEFAULT_CLIENT_KEY];
+  if (!canPrompt() || yes) return preselected;
+  const picks = await promptMultiSelect(
+    "Which AI clients should I wire?",
+    ALL_CLIENT_KEYS.map((k) => ({
+      label: k,
+      value: k,
+      hint: detected.includes(k) ? "detected" : void 0
+    })),
+    preselected
   );
-  const answer = await promptText("Which to wire? (comma-separated, or 'all')", fallback);
-  return resolveClientKeys(answer);
+  return picks.length > 0 ? picks : preselected;
+}
+async function planRecurseChild(entry, root, client, opts) {
+  const dir = resolveChildDir(entry.path, root);
+  if (!existsSync7(dir)) {
+    return { label: entry.path, dir, disposition: "skip-missing", argv: [], reason: "directory does not exist" };
+  }
+  if (existsSync7(join7(dir, ".sechroom.json"))) {
+    return {
+      label: entry.path,
+      dir,
+      disposition: "refresh",
+      argv: ["onboard", "--refresh", "--yes"],
+      reason: "bound (committed .sechroom.json) \u2014 refresh in place"
+    };
+  }
+  if (entry.workspaceId) {
+    return {
+      label: entry.path,
+      dir,
+      disposition: "bind",
+      argv: ["onboard", "--yes", "--local", "--workspace", entry.workspaceId],
+      reason: `unbound \u2014 bind to ${entry.workspaceId}`
+    };
+  }
+  if (opts.dryRun) {
+    return { label: entry.path, dir, disposition: "bind", argv: ["onboard", "--yes", "--local", "--workspace", "<prompt>"], reason: "unbound \u2014 would prompt for a workspace" };
+  }
+  if (opts.yes || !canPrompt()) {
+    return { label: entry.path, dir, disposition: "skip-unbound", argv: [], reason: "unbound + no workspace (run interactively, or add it to ./.sechroom/repos.json)" };
+  }
+  process.stderr.write(`
+${style.bold(entry.path)} ${style.dim("is not bound yet.")}
+`);
+  const ws = await pickWorkspace(client, `Bind ${style.cyan(entry.path)} to a workspace:`);
+  if (!ws) {
+    return { label: entry.path, dir, disposition: "skip-unbound", argv: [], reason: "unbound \u2014 no workspace chosen (skipped)" };
+  }
+  return {
+    label: entry.path,
+    dir,
+    disposition: "bind",
+    argv: ["onboard", "--yes", "--local", "--workspace", ws],
+    reason: `unbound \u2014 bind to ${ws}`
+  };
+}
+async function resolveFanoutLane(cfg, opts) {
+  let code = opts.lane ?? process.env.SECHROOM_CODE_LANE;
+  let design = opts.designLane ?? process.env.SECHROOM_DESIGN_LANE;
+  if (!code || !design) {
+    const clients = detectInstalledClients(process.cwd());
+    const inferred = await inferLanes(cfg, clients.length ? clients : void 0);
+    code = code ?? inferred.code;
+    design = design ?? inferred.design;
+  }
+  if (!opts.lane && !opts.yes && !opts.dryRun && canPrompt() && (code || design)) {
+    process.stderr.write(`
+This fan-out will pin the same lane in every repo:
+`);
+    if (code) process.stderr.write(`  ${style.dim("code-lane")}   = ${style.cyan(code)}
+`);
+    if (design) process.stderr.write(`  ${style.dim("design-lane")} = ${style.cyan(design)}
+`);
+    if (!await promptYesNo("Use this lane for all repos?")) {
+      code = await promptText("Code-lane id (blank = let each repo infer)?", code ?? "") || void 0;
+      design = await promptText("Design-lane id (blank = skip)?", design ?? "") || void 0;
+    }
+  }
+  if (code) process.env.SECHROOM_CODE_LANE = code;
+  else delete process.env.SECHROOM_CODE_LANE;
+  if (design) process.env.SECHROOM_DESIGN_LANE = design;
+  else delete process.env.SECHROOM_DESIGN_LANE;
+  return { code, design };
+}
+async function runRecurse(cfg, g, opts) {
+  const { yes, dryRun, json } = opts;
+  const root = process.cwd();
+  const manifestPath = join7(root, ".sechroom", "repos.json");
+  const fromManifest = readManifest(manifestPath);
+  const entries = fromManifest ?? discoverChildren(root).map((path) => ({ path }));
+  const sourceLabel = fromManifest ? `manifest ${manifestPath}` : `auto-discovered under ${root}`;
+  if (entries.length === 0) {
+    if (json) process.stdout.write(JSON.stringify({ recurse: true, root, repos: [] }) + "\n");
+    else process.stderr.write(`${warn("\u26A0")} no child repos found ${fromManifest ? `in ${manifestPath}` : `under ${root}`} \u2014 nothing to do.
+`);
+    return;
+  }
+  if (!json) {
+    process.stderr.write(`${style.bold("onboard --recurse")} ${style.dim(`(${entries.length} repo${entries.length === 1 ? "" : "s"} from ${sourceLabel})`)}
+`);
+  }
+  const lane = await resolveFanoutLane(cfg, { lane: opts.lane, designLane: opts.designLane, yes, dryRun });
+  if (!json && lane.code) process.stderr.write(`${ok("\u2713")} lane ${style.cyan(lane.code)}${lane.design ? ` ${style.dim(`/ ${lane.design}`)}` : ""} for every repo
+`);
+  const client = await makeClient(cfg);
+  const plans = [];
+  for (const entry of entries) plans.push(await planRecurseChild(entry, root, client, { yes, dryRun }));
+  const results = runChildren(plans, { globals: passthroughGlobals(g), dryRun, json });
+  if (json) {
+    process.stdout.write(JSON.stringify({ recurse: true, root, dryRun, repos: results }) + "\n");
+    return;
+  }
+  summarizeFanout(results, { dryRun });
 }
 function registerOnboard(program2) {
-  program2.command("onboard").description("Guided first-run setup: configure, sign in, set timezone, detect clients, and wire this project").option("--client <list>", `comma-separated clients (${ALL_CLIENT_KEYS.join(", ")}) or 'all' (default: auto-detected)`).option("--copy", "make a personal copy of the agent instructions you can edit (default: prompt on a TTY, else skip)").option("--dry-run", "walk through without writing files or changing the profile", false).option("-y, --yes", "non-interactive: accept defaults (system timezone, detected clients)", false).action(async (opts, cmd) => {
+  program2.command("onboard").description("Guided first-run setup: configure, sign in, set timezone, detect clients, and wire this project").option("--recurse", "orchestration-root mode: onboard every child repo under this dir (auto-discovered, or from ./.sechroom/repos.json) \u2014 refreshes bound repos, prompts a workspace per new one", false).option("--lane <id>", "set the code-lane (substrate source identity) explicitly instead of inferring it; with --recurse it's used for every child repo").option("--design-lane <id>", "set the design-lane explicitly (substrate-authoring identity); with --recurse applies to every child").option("--client <list>", `comma-separated clients (${ALL_CLIENT_KEYS.join(", ")}) or 'all' (default: auto-detected)`).option("--local", "save the binding (tenant + base URL + workspace) to a committed .sechroom.json in this repo instead of the global config", false).option("--workspace <id>", "bind this directory to a workspace (skips the interactive workspace pick)").option("--cli-only", "configure the CLI only \u2014 don't wire any AI client (no MCP config, no agent files)", false).option("--no-mcp", "skip the MCP server config (.mcp.json etc.); still write the agent instruction files").option("--copy", "make a personal copy of the agent instructions you can edit (default: prompt on a TTY, else skip)").option("--dry-run", "walk through without writing files or changing the profile", false).option("--refresh", "re-fetch descriptors and refresh any out-of-date managed blocks (local edits preserved to .proposed)", false).option("--force", "rewrite every managed block, overwriting local edits inside the markers (content outside untouched)", false).option("--check", "report whether anything would change and exit (0 = all current, 1 = stale/drift/absent); writes nothing", false).option("-y, --yes", "non-interactive: accept defaults (system timezone, detected clients, global config, full wire)", false).addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom onboard                    guided, interactive (asks where to save config + how to wire)
+  $ sechroom onboard --cli-only         just the CLI \u2014 no .mcp.json, no agent files
+  $ sechroom onboard --no-mcp           agent instructions only, skip MCP config
+  $ sechroom onboard --local            save tenant + base URL to a committed ./.sechroom.json
+  $ sechroom onboard --workspace wsp_XX  bind this directory to a workspace (no pick prompt)
+  $ sechroom onboard --recurse          orchestration root: onboard every child repo under this dir
+  $ sechroom onboard --recurse --lane claude-code-you   pin one lane across every repo in the tree
+  $ sechroom onboard --refresh          refresh out-of-date instruction blocks in place
+  $ sechroom onboard --check            CI/pre-commit: nonzero exit if instructions are out of date
+  $ sechroom onboard --yes              non-interactive: defaults + global config + full wire
+  $ sechroom onboard --client all --dry-run    preview wiring every client, write nothing`
+  ).action(async (opts, cmd) => {
     const g = cmd.optsWithGlobals();
     const json = Boolean(g.json);
-    const yes = Boolean(opts.yes);
     const dryRun = Boolean(opts.dryRun);
-    const cfg = await ensureConfig(g, yes);
-    await ensureAuth(cfg, yes);
-    const tz = await ensureTimezone(cfg, { yes, dryRun });
+    const mode = opts.check ? "check" : opts.force ? "force" : "apply";
+    const check = mode === "check";
+    const yes = Boolean(opts.yes) || check;
+    if (opts.lane) process.env.SECHROOM_CODE_LANE = opts.lane;
+    if (opts.designLane) process.env.SECHROOM_DESIGN_LANE = opts.designLane;
+    if (opts.recurse) {
+      const baseUrl2 = resolveBaseUrl(g);
+      await ensureAuth({ baseUrl: baseUrl2, tenant: "", clientId: readPersisted().clientId }, yes);
+      const cfg2 = await ensureTenant(baseUrl2, g, { yes: true, json, persist: false });
+      await runRecurse(cfg2, g, { yes, dryRun, json, lane: opts.lane, designLane: opts.designLane });
+      return;
+    }
+    const baseUrl = resolveBaseUrl(g);
+    await ensureAuth({ baseUrl, tenant: "", clientId: readPersisted().clientId }, yes);
+    const cfg = await ensureTenant(baseUrl, g, { yes, json, local: Boolean(opts.local), workspace: opts.workspace, persist: !check });
+    const tz = await ensureTimezone(cfg, { yes, dryRun: dryRun || check });
     if (!json && tz.action !== "already-set") {
-      const line = tz.action === "set" ? `\u2713 timezone set to ${tz.timezone}
+      const line = tz.action === "set" ? `${ok("\u2713")} timezone set to ${tz.timezone}
 ` : tz.action === "dry-run" ? `(dry run \u2014 would set timezone to ${tz.timezone})
 ` : `timezone not set \u2014 ${tz.note}
 `;
       process.stderr.write(line);
     }
+    const wire = await chooseWire(opts, yes);
+    if (wire === "cli-only") {
+      if (json) {
+        emit({ dryRun, baseUrl: cfg.baseUrl, tenant: cfg.tenant, workspaceId: cfg.workspaceId ?? null, timezone: tz, wire, clients: [] }, true);
+        return;
+      }
+      if (!dryRun) {
+        await ensureLanePin(cfg, { yes, dryRun, clients: detectInstalledClients(process.cwd()) });
+        await maybeOfferHooks({ yes, dryRun, cwd: process.cwd() });
+      }
+      process.stdout.write(
+        `
+${style.bold("Done.")} The CLI is configured for ${style.cyan(cfg.tenant)} \u2014 no AI-client files written.
+Try: ${style.cyan('sechroom memory search "..."')}  or  ${style.cyan("sechroom --help")}
+`
+      );
+      await printStarterPrompt("cli");
+      return;
+    }
     const keys = await chooseClients(opts.client, yes, process.cwd());
     const setup = await withSpinner("Fetching setup descriptors", () => fetchSetup(cfg));
     const targets = clientTargets(process.cwd());
     const personalWorkspaceId = await getPersonalWorkspaceId(cfg);
-    if (!dryRun) {
+    if (!dryRun && !check) {
       await maybeOfferCopies(cfg, setup, targets, keys, personalWorkspaceId, copyChoice(opts));
     }
+    const writeMcp = wire === "full";
     const result = [];
     for (const key of keys) {
       const target = targets[key];
       const actions = await applyClient(cfg, setup, target, {
         dryRun,
-        mcp: true,
+        mcp: writeMcp,
         agentFiles: true,
-        personalWorkspaceId
+        personalWorkspaceId,
+        mode
       });
       result.push({ client: key, actions });
-      if (!json) printActions(target, actions);
+      if (!json && !check) printActions(target, actions);
+    }
+    const evalCounts = { current: 0, stale: 0, drift: 0, absent: 0 };
+    for (const { actions } of result) for (const a of actions) if (a.eval) evalCounts[a.eval]++;
+    const wouldChange = evalCounts.stale + evalCounts.drift + evalCounts.absent;
+    if (check) {
+      if (json) {
+        emit({ check: true, baseUrl: cfg.baseUrl, tenant: cfg.tenant, workspaceId: cfg.workspaceId ?? null, eval: evalCounts, wouldChange, clients: result }, true);
+      } else if (wouldChange === 0) {
+        process.stdout.write(`${ok("\u2713")} all instruction blocks are up to date.
+`);
+      } else {
+        const bits = [];
+        if (evalCounts.stale) bits.push(`${evalCounts.stale} out of date`);
+        if (evalCounts.drift) bits.push(`${evalCounts.drift} with local edits`);
+        if (evalCounts.absent) bits.push(`${evalCounts.absent} not yet written`);
+        process.stderr.write(
+          `${warn("\u26A0")} ${wouldChange} instruction block(s) would change: ${bits.join(", ")}. Run ${style.cyan("sechroom onboard --refresh")}.
+`
+        );
+      }
+      process.exit(wouldChange === 0 ? 0 : 1);
+    }
+    if (!json && !dryRun) {
+      await ensureLanePin(cfg, { yes, dryRun, clients: keys });
+    }
+    if (!json && !dryRun) {
+      await maybeOfferSkills(cfg, personalWorkspaceId, { yes, dryRun, surface: "claude-code" });
+    }
+    if (!json && !dryRun) {
+      await maybeOfferHooks({ yes, dryRun, cwd: process.cwd() });
     }
     if (json) {
-      emit({ dryRun, baseUrl: cfg.baseUrl, tenant: cfg.tenant, timezone: tz, clients: result }, true);
+      emit({ dryRun, baseUrl: cfg.baseUrl, tenant: cfg.tenant, workspaceId: cfg.workspaceId ?? null, timezone: tz, wire, eval: evalCounts, clients: result }, true);
       return;
     }
+    if (!dryRun && evalCounts.stale) {
+      process.stderr.write(`${style.cyan("\u21BB")} refreshed ${evalCounts.stale} section(s) the server had moved
+`);
+    }
+    if (!dryRun && evalCounts.drift) {
+      process.stderr.write(
+        mode === "force" ? `${warn("\u26A0")} overwrote ${evalCounts.drift} section(s) that had local edits (--force)
+` : `${warn("\u26A0")} ${evalCounts.drift} section(s) have local edits \u2014 wrote a .proposed file alongside (original untouched). Review + merge, or re-run with ${style.cyan("--force")}.
+`
+      );
+    }
+    const wroteSomething = result.some(({ actions }) => actions.some((a) => a.status === "created" || a.status === "merged"));
+    process.stdout.write(
+      dryRun ? "\n(dry run \u2014 nothing written)\n" : !wroteSomething ? `
+${style.bold("Done.")} Everything's already up to date.
+` : writeMcp ? `
+${style.bold("Done.")} Restart your AI client (or reload MCP) to pick up the new config.
+` : `
+${style.bold("Done.")} Agent instructions written (no MCP config).
+`
+    );
+    if (!dryRun) await printStarterPrompt("agent", cfg);
+  });
+}
+async function chooseWire(opts, yes) {
+  if (opts.cliOnly) return "cli-only";
+  if (canPrompt() && !yes) {
+    return promptSelect(
+      "How should I set up Sechroom in this project?",
+      [
+        { label: "Wire my AI client", value: "full", hint: "MCP server (.mcp.json) + agent instructions" },
+        { label: "Agent instructions only", value: "agent-only", hint: "skip MCP config" },
+        { label: "CLI only", value: "cli-only", hint: "don't write any AI-client files" }
+      ],
+      "full"
+    );
+  }
+  return opts.mcp === false ? "agent-only" : "full";
+}
+var FALLBACK_AGENT_PROMPT = "Resume my sechroom continuity, summarise what I was last working on, then suggest the next step.";
+async function printStarterPrompt(mode, cfg) {
+  if (mode === "cli") {
     process.stdout.write(
-      dryRun ? "\n(dry run \u2014 nothing written)\n" : "\nDone. Restart your AI client (or reload MCP) to pick up the new config.\n"
+      `
+${style.bold("Next:")} pick up where you left off \u2014
+  ${style.cyan("sechroom continuity resume-me")}
+`
+    );
+    return;
+  }
+  let primary = FALLBACK_AGENT_PROMPT;
+  if (cfg) {
+    try {
+      const client = await makeClient(cfg);
+      const { data } = await client.GET("/me/onboarding/starter-prompt", {});
+      if (data?.primary) primary = data.primary;
+    } catch {
+    }
+  }
+  process.stdout.write(
+    `
+${style.bold("Next:")} paste this into your AI agent to get going \u2014
+  ${style.cyan(`"${primary}"`)}
+`
+  );
+}
+
+// src/commands/sweep.ts
+import { existsSync as existsSync8 } from "fs";
+import { dirname as dirname6, join as join8, resolve as resolve2 } from "path";
+var DEFAULT_MANIFEST = join8(".sechroom", "repos.json");
+function planEntry(entry, root) {
+  const dir = resolveChildDir(entry.path, root);
+  if (!existsSync8(dir)) {
+    return { label: entry.path, dir, disposition: "skip-missing", argv: [], reason: "directory does not exist" };
+  }
+  if (committedBindingPath(dir)) {
+    return {
+      label: entry.path,
+      dir,
+      disposition: "refresh",
+      argv: ["onboard", "--refresh", "--yes"],
+      reason: "bound (committed .sechroom.json) \u2014 refresh in place"
+    };
+  }
+  if (entry.workspaceId) {
+    return {
+      label: entry.path,
+      dir,
+      disposition: "bind",
+      argv: ["onboard", "--yes", "--local", "--workspace", entry.workspaceId],
+      reason: `unbound \u2014 bind to ${entry.workspaceId} + commit .sechroom.json`
+    };
+  }
+  return {
+    label: entry.path,
+    dir,
+    disposition: "skip-unbound",
+    argv: [],
+    reason: "unbound + no workspaceId in the manifest \u2014 add one or run `sechroom onboard` there"
+  };
+}
+function registerSweep(program2) {
+  program2.command("sweep").description("Non-interactive fan-out from ./.sechroom/repos.json (headless sibling of `onboard --recurse`)").option("--manifest <path>", "path to the repos manifest", DEFAULT_MANIFEST).option("--dry-run", "print the plan (per-repo disposition + the onboard command) without running anything", false).addHelpText(
+    "after",
+    `
+For an interactive, no-manifest run use ${"`sechroom onboard --recurse`"} instead \u2014 it
+auto-discovers the child repos and prompts for a workspace per new one. ${"`sweep`"} is
+the deterministic manifest-driven form for scripts / CI.
+
+Manifest \u2014 ./.sechroom/repos.json (per-operator, gitignored, alongside lane.json):
+  {
+    "repos": [
+      { "path": "sechroom",      "workspaceId": "wsp_XXXX" },
+      { "path": "../other-repo", "workspaceId": "wsp_YYYY" },
+      { "path": "already-bound" }
+    ]
+  }
+
+Per repo (paths resolve relative to the manifest's root):
+  ${ICON.refresh} bound        committed .sechroom.json present  \u2192 onboard --refresh (manifest workspace ignored)
+  ${ICON.bind} unbound      bind to the manifest workspaceId    \u2192 onboard --local --workspace <id>
+  ${ICON["skip-missing"]} missing      directory does not exist            \u2192 skipped
+  ${ICON["skip-unbound"]} no workspace unbound + no workspaceId in manifest  \u2192 skipped (add one, or onboard manually)
+
+Examples:
+  $ sechroom sweep --dry-run            preview every repo's disposition, run nothing
+  $ sechroom sweep                      onboard the whole tree from the root
+  $ sechroom --tenant ocd sweep         force a tenant for every child (else each resolves its own)`
+  ).action((opts, cmd) => {
+    const g = cmd.optsWithGlobals();
+    const json = Boolean(g.json);
+    const dryRun = Boolean(opts.dryRun);
+    const manifestPath = resolve2(opts.manifest);
+    let repos;
+    try {
+      repos = readManifest(manifestPath);
+    } catch (err2) {
+      fail(err2 instanceof Error ? err2.message : String(err2));
+    }
+    if (repos === null) {
+      fail(`no manifest at ${manifestPath} \u2014 create ./.sechroom/repos.json, or use \`sechroom onboard --recurse\` to auto-discover (see \`sechroom sweep --help\`).`);
+    }
+    if (repos.length === 0) {
+      if (json) process.stdout.write(JSON.stringify({ manifest: manifestPath, repos: [] }) + "\n");
+      else process.stderr.write(`${warn("\u26A0")} ${manifestPath} lists no repos \u2014 nothing to do.
+`);
+      return;
+    }
+    const root = dirname6(dirname6(manifestPath));
+    const plans = repos.map((entry) => planEntry(entry, root));
+    if (!json) {
+      process.stderr.write(
+        `${style.bold("sweep")} ${style.dim(`(${plans.length} repo${plans.length === 1 ? "" : "s"} from ${manifestPath})`)}
+`
+      );
+    }
+    const results = runChildren(plans, { globals: passthroughGlobals(g), dryRun, json });
+    if (json) {
+      process.stdout.write(JSON.stringify({ manifest: manifestPath, dryRun, repos: results }) + "\n");
+      return;
+    }
+    summarizeFanout(results, { dryRun });
+  });
+}
+
+// src/commands/skills.ts
+import { homedir as homedir6 } from "os";
+import { join as join9 } from "path";
+import { mkdirSync as mkdirSync6, writeFileSync as writeFileSync6, rmSync as rmSync2, existsSync as existsSync9, readFileSync as readFileSync6 } from "fs";
+var DEFAULT_SLUG = "operator-skills";
+var ROLE_TAGS = ["sechroom:role:skill-template", "role:skill-template"];
+var LOCK = ".sechroom-skills.json";
+function skillsDir(global) {
+  return global ? join9(homedir6(), ".claude", "skills") : join9(process.cwd(), ".claude", "skills");
+}
+function tagValue2(tags, prefix) {
+  return (tags ?? []).find((t) => t.startsWith(prefix))?.slice(prefix.length);
+}
+function hasAny(tags, candidates) {
+  return (tags ?? []).some((t) => candidates.includes(t));
+}
+function registerSkills(program2) {
+  const skills = program2.command("skills").description("Install + manage operator skills from a bundle");
+  skills.addHelpText(
+    "after",
+    `
+Examples:
+  $ sechroom skills install --code-lane claude-code-chris --design-lane claude-design-chris
+  $ sechroom skills install operator-skills --surface claude-code --local
+  $ sechroom skills list
+  $ sechroom skills set-lane --code-lane claude-code-chris --design-lane claude-design-chris
+  $ sechroom skills lane
+  $ sechroom skills clean`
+  );
+  skills.command("install [slug]").description(`Install a skills bundle (default ${DEFAULT_SLUG}) into your personal workspace + write SKILL.md files`).option("--version <v>", "bundle version (default: latest published in the catalogue)").option("--instance <name>", "install as a named, separate instance (install the same bundle more than once)").option("--code-lane <id>", "identity.code-lane binding (e.g. claude-code-chris)").option("--design-lane <id>", "identity.design-lane binding (e.g. claude-design-chris)").option("--surface <s>", "skill target surface to materialise", "claude-code").option("--local", "write to ./.claude/skills instead of ~/.claude/skills").option("--json", "machine output").action(async (slugArg, opts, cmd) => {
+    const slug = slugArg || DEFAULT_SLUG;
+    const client = await makeClient(resolveConfig(cmd.optsWithGlobals()));
+    const pw = await runApi("resolving personal workspace", () => client.GET("/me/personal-workspace", {}));
+    const personalWsId = pw?.id || pw?.workspaceId || pw?.personalWorkspaceId || pw?.item?.id;
+    if (!personalWsId) fail("Could not resolve your personal workspace.");
+    let version = opts.version;
+    if (!version) {
+      const cat = await runApi("reading the bundle catalogue", () => client.GET("/me/bundles", {}));
+      const item = (cat?.bundles ?? cat?.Bundles ?? []).find((b) => (b.slug ?? b.Slug) === slug);
+      if (!item) fail(`Bundle '${slug}' is not in your self-serve catalogue (must be UserInstallable + Published).`);
+      version = item.latestVersion ?? item.LatestVersion;
+      if (!version) fail(`Bundle '${slug}' has no installable (Published) version.`);
+    }
+    const installOptions = {};
+    if (opts.codeLane) installOptions["identity.code-lane"] = opts.codeLane;
+    if (opts.designLane) installOptions["identity.design-lane"] = opts.designLane;
+    const res = await runApi(
+      `installing ${slug}@${version}${opts.instance ? ` (${opts.instance})` : ""}`,
+      () => client.POST("/me/bundles/{slug}/versions/{version}/install", {
+        params: { path: { slug, version } },
+        // instance: null/absent = the default instance (reinstall updates in
+        // place); a name installs a separate instance.
+        body: { installOptions, instance: opts.instance ?? null }
+      })
     );
+    const status = String(res?.status ?? res?.Status ?? "");
+    if (status && status.toLowerCase() !== "completed") {
+      fail(`Install did not complete (status=${status}; ${res?.failureReason ?? res?.FailureReason ?? ""}).`);
+    }
+    const feed = await runApi(
+      "materialising skill files",
+      () => client.GET("/workspaces/{workspaceId}/memories/feed", {
+        // cascadeWorkspaces: skills land in an "Operator Skills" SUB-workspace of
+        // the personal workspace, so we recurse from the personal-ws root.
+        // includeText: the feed omits bodies by default; we need them for SKILL.md.
+        params: {
+          path: { workspaceId: personalWsId },
+          query: { limit: 200, cascadeWorkspaces: true, includeText: true }
+        }
+      })
+    );
+    const rows = feed?.results ?? feed?.Results ?? [];
+    const dir = skillsDir(!opts.local);
+    const wantInstance = opts.instance || "default";
+    const written = [];
+    const bundleTagPrefix = `sechroom:bundle:${slug}@`;
+    for (const r of rows) {
+      const m = r.item ?? r;
+      const tags = m.tags ?? m.Tags ?? [];
+      if (!hasAny(tags, ROLE_TAGS)) continue;
+      if (tagValue2(tags, "target:") !== opts.surface) continue;
+      if (!tags.some((t) => t.startsWith(bundleTagPrefix))) continue;
+      if ((tagValue2(tags, "sechroom:skill-instance:") ?? "default") !== wantInstance) continue;
+      const name = tagValue2(tags, "skill:");
+      if (!name) continue;
+      const body = m.text ?? m.Text ?? "";
+      mkdirSync6(join9(dir, name), { recursive: true });
+      writeFileSync6(join9(dir, name, "SKILL.md"), body.endsWith("\n") ? body : body + "\n");
+      written.push(name);
+    }
+    mkdirSync6(dir, { recursive: true });
+    const lockPath = join9(dir, LOCK);
+    const lock = existsSync9(lockPath) ? JSON.parse(readFileSync6(lockPath, "utf8")) : {};
+    lock[slug] = { surface: opts.surface, version, instance: wantInstance, skills: written.sort() };
+    writeFileSync6(lockPath, JSON.stringify(lock, null, 2) + "\n");
+    if (opts.json) return emit({ slug, version, instance: wantInstance, surface: opts.surface, dir, installed: written }, true);
+    const instanceNote = opts.instance ? ` (${opts.instance})` : "";
+    console.log(style.green(`Installed ${slug}@${version}${instanceNote} \u2014 ${written.length} skill(s) \u2192 ${dir}`));
+    written.forEach((n) => console.log("  " + style.dim("\u2022") + " " + n));
+    if (written.length === 0) console.log(style.dim(`  (no '${opts.surface}' skill bodies found; check --surface)`));
+  });
+  skills.command("list").description("List your installed bundles (GET /me/bundle-installs)").option("--json", "machine output").action(async (opts, cmd) => {
+    const client = await makeClient(resolveConfig(cmd.optsWithGlobals()));
+    const data = await runApi("reading your installs", () => client.GET("/me/bundle-installs", {}));
+    if (opts.json) return emit(data, true);
+    const installs = data?.installs ?? data?.Installs ?? [];
+    if (installs.length === 0) return console.log(style.dim("No bundles installed."));
+    installs.forEach((i) => {
+      const inst = i.instance ?? i.Instance ?? "";
+      const tag = inst ? style.dim(` [${inst}]`) : "";
+      console.log(`  ${i.bundleSlug ?? i.BundleSlug}@${i.bundleVersion ?? i.BundleVersion ?? "?"}${tag}`);
+    });
+  });
+  skills.command("clean [slug]").description(`Remove materialised skill files written by install (default ${DEFAULT_SLUG})`).option("--local", "clean ./.claude/skills instead of ~/.claude/skills").option("--json", "machine output").action(async (slugArg, opts) => {
+    const slug = slugArg || DEFAULT_SLUG;
+    const dir = skillsDir(!opts.local);
+    const lockPath = join9(dir, LOCK);
+    if (!existsSync9(lockPath)) fail(`No skills lockfile at ${lockPath}; nothing to clean.`);
+    const lock = JSON.parse(readFileSync6(lockPath, "utf8"));
+    const entry = lock[slug];
+    if (!entry) fail(`No installed record for '${slug}' in ${lockPath}.`);
+    const removed = [];
+    for (const name of entry.skills) {
+      const skillPath = join9(dir, name);
+      if (existsSync9(skillPath)) {
+        rmSync2(skillPath, { recursive: true, force: true });
+        removed.push(name);
+      }
+    }
+    delete lock[slug];
+    writeFileSync6(lockPath, JSON.stringify(lock, null, 2) + "\n");
+    if (opts.json) return emit({ slug, removed, dir }, true);
+    console.log(style.green(`Removed ${removed.length} skill(s) for ${slug} from ${dir}`));
+  });
+  skills.command("set-lane").description("Write this checkout's lane pin to a local ./.sechroom/lane.json file (read at runtime by skills)").option("--code-lane <id>", "code-surface lane id (e.g. claude-code-chris)").option("--design-lane <id>", "design / substrate-authoring lane id (e.g. claude-design-chris)").option("--json", "machine output").action((opts, cmd) => {
+    if (!opts.codeLane && !opts.designLane) fail("Provide --code-lane and/or --design-lane.");
+    const target = localSemPath();
+    const values = readLocalSemValues();
+    if (opts.codeLane) values["code-lane"] = opts.codeLane;
+    if (opts.designLane) values["design-lane"] = opts.designLane;
+    writeSem(values, target);
+    if (cmd.optsWithGlobals().json) return emit({ path: target, values }, true);
+    console.log(style.green(`Wrote lane pin \u2192 ${target} ${style.dim("(git-ignored)")}`));
+    Object.entries(values).forEach(([k, v]) => console.log("  " + style.dim(k) + " = " + v));
+  });
+  skills.command("lane").description("Show the lane pin resolved from ./.sechroom/lane.json (nearest in this checkout; legacy ./.sem honoured)").option("--json", "machine output").action((opts, cmd) => {
+    const json = cmd.optsWithGlobals().json;
+    const found = readSem();
+    if (!found) {
+      if (json) return emit({ path: null, values: {} }, true);
+      return console.log(style.dim(`No ./.sechroom/lane.json pin in this checkout. Run 'sechroom skills set-lane'.`));
+    }
+    if (json) return emit(found, true);
+    console.log(style.dim(`from ${found.path}`));
+    Object.entries(found.values).forEach(([k, v]) => console.log("  " + style.bold(k) + " = " + v));
+  });
+  skills.command("set-workflow").description("Set your per-operator workflow defaults (server-side; follows you across tenants)").option("--default-code-lane <id>", "personal default code lane (e.g. claude-code-chris)").option("--default-design-lane <id>", "personal default design lane (e.g. claude-design-chris)").option("--handover-recipient <id>", "your daily-handover counterparty (e.g. andy)").option("--json", "machine output").action(async (opts, cmd) => {
+    if (!opts.defaultCodeLane && !opts.defaultDesignLane && !opts.handoverRecipient)
+      fail("Provide at least one of --default-code-lane / --default-design-lane / --handover-recipient.");
+    const client = await makeClient(resolveConfig(cmd.optsWithGlobals()));
+    const cur = await runApi(
+      "reading workflow preferences",
+      () => client.GET("/me/workflow-preferences", {})
+    );
+    const body = {
+      defaultCodeLane: opts.defaultCodeLane ?? cur?.defaultCodeLane ?? null,
+      defaultDesignLane: opts.defaultDesignLane ?? cur?.defaultDesignLane ?? null,
+      handoverRecipient: opts.handoverRecipient ?? cur?.handoverRecipient ?? null
+    };
+    const res = await runApi(
+      "saving workflow preferences",
+      () => client.POST("/me/workflow-preferences", { body })
+    );
+    if (cmd.optsWithGlobals().json) return emit(res, true);
+    console.log(style.green("Saved your workflow preferences"));
+    console.log("  " + style.dim("default-code-lane") + "   = " + (body.defaultCodeLane ?? "(unset)"));
+    console.log("  " + style.dim("default-design-lane") + " = " + (body.defaultDesignLane ?? "(unset)"));
+    console.log("  " + style.dim("handover-recipient") + "  = " + (body.handoverRecipient ?? "(unset)"));
+  });
+  skills.command("workflow").description("Show your per-operator workflow defaults (GET /me/workflow-preferences)").option("--json", "machine output").action(async (opts, cmd) => {
+    const client = await makeClient(resolveConfig(cmd.optsWithGlobals()));
+    const data = await runApi(
+      "reading workflow preferences",
+      () => client.GET("/me/workflow-preferences", {})
+    );
+    if (cmd.optsWithGlobals().json) return emit(data, true);
+    console.log("  " + style.bold("default-code-lane") + "   = " + (data?.defaultCodeLane ?? style.dim("(unset)")));
+    console.log("  " + style.bold("default-design-lane") + " = " + (data?.defaultDesignLane ?? style.dim("(unset)")));
+    console.log("  " + style.bold("handover-recipient") + "  = " + (data?.handoverRecipient ?? style.dim("(unset)")));
+  });
+  skills.command("resolve").description("Resolve the effective ${identity.*} slot values (per-location .sem + per-operator workflow prefs)").option("--json", "machine output (a flat slot->value map + per-slot source)").action(async (opts, cmd) => {
+    const local = readSem()?.values ?? {};
+    let operator = {};
+    try {
+      const client = await makeClient(resolveConfig(cmd.optsWithGlobals()));
+      operator = await runApi(
+        "reading workflow preferences",
+        () => client.GET("/me/workflow-preferences", {})
+      ) ?? {};
+    } catch {
+    }
+    const pick = (loc, op) => loc != null && loc !== "" ? { value: loc, source: "per-location" } : op != null && op !== "" ? { value: op, source: "per-operator" } : { value: null, source: "unset" };
+    const slots = {
+      "identity.code-lane": pick(local["code-lane"], operator?.defaultCodeLane),
+      "identity.design-lane": pick(local["design-lane"], operator?.defaultDesignLane),
+      "identity.handover-recipient": pick(void 0, operator?.handoverRecipient)
+    };
+    if (cmd.optsWithGlobals().json) {
+      const values = Object.fromEntries(Object.entries(slots).map(([k, v]) => [k, v.value]));
+      return emit({ values, sources: Object.fromEntries(Object.entries(slots).map(([k, v]) => [k, v.source])) }, true);
+    }
+    for (const [slot, { value, source }] of Object.entries(slots)) {
+      const v = value == null ? style.dim("(unset)") : value;
+      console.log("  " + style.bold(slot) + " = " + v + "  " + style.dim(`[${source}]`));
+    }
+  });
+}
+
+// src/commands/reset.ts
+import { homedir as homedir7 } from "os";
+import { join as join10 } from "path";
+import { existsSync as existsSync10, readFileSync as readFileSync7, rmSync as rmSync3 } from "fs";
+var SKILLS_LOCK = ".sechroom-skills.json";
+var localSkillsDir = () => join10(process.cwd(), ".claude", "skills");
+var globalSkillsDir = () => join10(homedir7(), ".claude", "skills");
+function removeMaterialisedSkills(dir) {
+  const removed = [];
+  const lockPath = join10(dir, SKILLS_LOCK);
+  if (!existsSync10(lockPath)) return removed;
+  try {
+    const lock = JSON.parse(readFileSync7(lockPath, "utf8"));
+    for (const entry of Object.values(lock)) {
+      for (const name of entry.skills ?? []) {
+        const p = join10(dir, name);
+        if (existsSync10(p)) {
+          rmSync3(p, { recursive: true, force: true });
+          removed.push(p);
+        }
+      }
+    }
+  } catch {
+  }
+  rmSync3(lockPath, { force: true });
+  removed.push(lockPath);
+  return removed;
+}
+function registerReset(program2) {
+  program2.command("logout").description("Sign out \u2014 remove the cached (global) auth token").action((_opts, cmd) => {
+    const removed = clearToken();
+    if (cmd.optsWithGlobals().json) return emit({ removed: removed ? [removed] : [] }, true);
+    console.log(
+      removed ? style.green("Signed out \u2014 auth token removed.") : style.dim("Already signed out (no token).")
+    );
+  });
+  program2.command("reset").description("Reset LOCAL CLI state for this directory (./.sechroom/, legacy ./.sechroom.json + ./.sem, ./.claude/skills); --global also wipes the machine-wide token + config + ~/.claude/skills").option("--global", "also remove the global auth token, config, and ~/.claude/skills").option("-y, --yes", "don't prompt for confirmation").option("--json", "machine output").action(async (opts, cmd) => {
+    const json = cmd.optsWithGlobals().json;
+    const global = Boolean(opts.global);
+    if (!opts.yes && canPrompt()) {
+      const scope = global ? "this directory's local state AND your global auth token + config + ~/.claude/skills" : "this directory's local state (./.sechroom/, legacy ./.sechroom.json + ./.sem, ./.claude/skills)";
+      if (!await promptYesNo(`Remove ${scope}?`)) {
+        if (!json) console.log(style.dim("Cancelled."));
+        return;
+      }
+    }
+    const removed = [];
+    const stateDir = join10(process.cwd(), ".sechroom");
+    if (existsSync10(stateDir)) {
+      rmSync3(stateDir, { recursive: true, force: true });
+      removed.push(stateDir);
+    }
+    const legacyCfg = join10(process.cwd(), ".sechroom.json");
+    if (existsSync10(legacyCfg)) {
+      rmSync3(legacyCfg, { force: true });
+      removed.push(legacyCfg);
+    }
+    const legacySem = join10(process.cwd(), ".sem");
+    if (existsSync10(legacySem)) {
+      rmSync3(legacySem, { force: true });
+      removed.push(legacySem);
+    }
+    removed.push(...removeMaterialisedSkills(localSkillsDir()));
+    if (global) {
+      const tok = clearToken();
+      if (tok) removed.push(tok);
+      const cfg = clearPersisted();
+      if (cfg) removed.push(cfg);
+      removed.push(...removeMaterialisedSkills(globalSkillsDir()));
+    }
+    if (json) return emit({ global, removed }, true);
+    if (removed.length === 0) {
+      console.log(style.dim(global ? "Nothing to remove \u2014 already clean." : "No local CLI state in this directory."));
+      return;
+    }
+    console.log(style.green(`Reset complete \u2014 removed ${removed.length} item(s):`));
+    removed.forEach((p) => console.log("  " + style.dim("\u2022") + " " + p));
+    if (global) console.log(style.dim("Run 'sechroom onboard' to set up again."));
   });
 }
 
@@ -939,7 +3991,7 @@ function registerOnboard(program2) {
 function resolveVersion() {
   try {
     const pkg = JSON.parse(
-      readFileSync3(new URL("../package.json", import.meta.url), "utf8")
+      readFileSync8(new URL("../package.json", import.meta.url), "utf8")
     );
     return pkg.version ?? "0.0.0";
   } catch {
@@ -948,19 +4000,69 @@ function resolveVersion() {
 }
 var program = new Command();
 program.name("sechroom").description("Sechroom CLI \u2014 thin generated client over the Sechroom HTTP API. An agent/human surface alongside MCP.").version(resolveVersion()).option("--base-url <url>", "API base URL (overrides config / SECHROOM_BASE_URL)").option("--tenant <tenant>", "Tenant id (required by the API; overrides config / SECHROOM_TENANT)").option("--json", "Emit compact JSON (for scripts and agents)", false);
+program.addHelpText(
+  "after",
+  `
+Examples:
+  $ sechroom onboard                              guided first-run: configure, sign in, wire this project
+  $ sechroom login                                sign in via browser (OAuth + PKCE)
+  $ sechroom config set tenant ocd                set your tenant (global)
+  $ sechroom config set --local tenant cli-smoke  pin tenant for this directory (committed .sechroom.json)
+  $ sechroom config show                          resolved config + which source won
+
+  $ sechroom memory create --text "a note" --title "Note" --tag idea
+  $ sechroom memory search "convention drift" --limit 5
+  $ sechroom memory get mem_XXXX
+  $ sechroom worklog append --text "shipped X; PR #123" --source claude-code-chris
+  $ sechroom lookup mem_XXXX                       resolve any id -> kind / title / view URL
+
+  $ sechroom --json memory search "auth"           compact JSON for scripts and agents
+  $ SECHROOM_TOKEN=<bearer> sechroom --json memory get mem_XXXX    headless
+
+Config precedence (high -> low): --flag  >  env (SECHROOM_*)  >  directory-local (committed ./.sechroom.json, shadowed per-field by the gitignored ./.sechroom/config.json override)  >  global  >  default.
+Run 'sechroom <command> --help' for command-specific examples.`
+);
 program.hook("preAction", (_thisCmd, actionCmd) => {
   setQuiet(Boolean(actionCmd.optsWithGlobals().json));
 });
-program.command("login").description("Sign in via browser (OAuth auth-code + PKCE, dynamic client registration)").action(async (_opts, cmd) => {
+program.command("login").description("Sign in via browser (OAuth auth-code + PKCE, dynamic client registration)").addHelpText(
+  "after",
+  `
+Examples:
+  $ sechroom login                                          sign in to the configured base URL + tenant
+  $ sechroom login --base-url https://staging.app.sechroom.ai/api
+  $ export SECHROOM_TOKEN=<bearer>                          headless: skip login entirely (CI / agents)`
+).action(async (_opts, cmd) => {
   const g = cmd.optsWithGlobals();
   const persisted = readPersisted();
   const baseUrl = g.baseUrl ?? process.env.SECHROOM_BASE_URL ?? persisted.baseUrl ?? "https://app.sechroom.ai/api";
   await login({ baseUrl: baseUrl.replace(/\/$/, ""), tenant: g.tenant ?? "" });
 });
 var config = program.command("config").description("Manage persisted CLI config");
-config.command("set <key> <value>").description("Set baseUrl | tenant | clientId").action((key, value) => {
-  if (!["baseUrl", "tenant", "clientId"].includes(key)) {
-    process.stderr.write(`unknown key: ${key} (expected baseUrl | tenant | clientId)
+config.addHelpText(
+  "after",
+  `
+Examples:
+  $ sechroom config set baseUrl https://app.sechroom.ai/api   prod (staging: https://staging.app.sechroom.ai/api)
+  $ sechroom config set tenant ocd
+  $ sechroom config set --local tenant cli-smoke              this dir + subdirs (committed .sechroom.json)
+  $ sechroom config set clientId dyn-XXXX                     global-only escape hatch (no DCR endpoint)
+  $ sechroom config show --json`
+);
+config.command("set <key> <value>").description("Set baseUrl | tenant | workspaceId | defaultProjectId | clientId (clientId is global-only)").option("--local", "Write the committed directory-local .sechroom.json (nearest up the tree, else cwd) instead of the global config").action((key, value, opts) => {
+  if (opts.local) {
+    if (!["baseUrl", "tenant", "workspaceId", "defaultProjectId"].includes(key)) {
+      process.stderr.write(`--local supports only: baseUrl | tenant | workspaceId | defaultProjectId (clientId is global)
+`);
+      process.exit(1);
+    }
+    const path = writeLocalConfig({ [key]: value });
+    process.stdout.write(`set ${key} (local: ${path})
+`);
+    return;
+  }
+  if (!["baseUrl", "tenant", "clientId", "workspaceId", "defaultProjectId"].includes(key)) {
+    process.stderr.write(`unknown key: ${key} (expected baseUrl | tenant | workspaceId | defaultProjectId | clientId)
 `);
     process.exit(1);
   }
@@ -968,17 +4070,49 @@ config.command("set <key> <value>").description("Set baseUrl | tenant | clientId
   process.stdout.write(`set ${key}
 `);
 });
-config.command("show").description("Print persisted config").action(() => {
-  process.stdout.write(JSON.stringify(readPersisted(), null, 2) + "\n");
+config.command("show").description("Print resolved config + sources (flag > env > local > global > default)").action((_opts, cmd) => {
+  const g = cmd.optsWithGlobals();
+  const d = describeConfig({ baseUrl: g.baseUrl, tenant: g.tenant });
+  if (g.json) {
+    process.stdout.write(
+      JSON.stringify({
+        resolved: { baseUrl: d.baseUrl, tenant: d.tenant, workspaceId: d.workspaceId },
+        global: readPersisted(),
+        local: readLocalConfig()
+      }) + "\n"
+    );
+    return;
+  }
+  process.stdout.write(
+    `baseUrl:     ${d.baseUrl.value}  [${d.baseUrl.source}]
+tenant:      ${d.tenant.value ?? "(unset)"}  [${d.tenant.source}]
+workspaceId: ${d.workspaceId.value ?? "(unset)"}  [${d.workspaceId.source}]
+
+global: ${JSON.stringify(readPersisted())}
+local:  ${d.localPath ?? "(none)"} ${JSON.stringify(readLocalConfig())}
+`
+  );
 });
 registerMemory(program);
 registerWorklog(program);
 registerLookup(program);
+registerRelationships(program);
+registerWorkspace(program);
+registerProject(program);
+registerFiling(program);
+registerContinuity(program);
+registerHook(program);
+registerId(program);
+registerAccount(program);
+registerChat(program);
 registerInit(program);
 registerSetup(program);
 registerOnboard(program);
-program.parseAsync().catch((err) => {
-  process.stderr.write(`error: ${err instanceof Error ? err.message : String(err)}
+registerSweep(program);
+registerSkills(program);
+registerReset(program);
+program.parseAsync().catch((err2) => {
+  process.stderr.write(`error: ${err2 instanceof Error ? err2.message : String(err2)}
 `);
   process.exit(1);
 });