@lumoai/cli 1.4.0 → 1.5.1

package/dist/cli/src/commands/memory-task-add.js

@@ -0,0 +1,99 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.memoryTaskAdd = memoryTaskAdd;
+const config_1 = require("../lib/config");
+const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
+const memory_content_1 = require("../lib/memory-content");
+const resolve_bound_task_1 = require("../lib/resolve-bound-task");
+const agent_1 = require("../lib/agent");
+async function memoryTaskAdd(identifierArg, options) {
+    if (!options.category) {
+        console.error('Error: --category <trap|decision|convention|procedural> is required.');
+        return 1;
+    }
+    const built = (0, memory_content_1.buildMemoryContent)(options.category, options);
+    if (!built.ok) {
+        console.error(`Error: ${built.error}`);
+        return 1;
+    }
+    let agent;
+    const agentRaw = options.agent?.trim();
+    if (agentRaw) {
+        const normalized = (0, agent_1.normalizeAgent)(agentRaw);
+        if (!normalized) {
+            console.error(`Error: invalid --agent "${agentRaw}". Valid values: ${agent_1.VALID_AGENT_TOKENS.join(', ')}.`);
+            return 1;
+        }
+        agent = normalized;
+    }
+    const creds = (0, config_1.readCredentials)();
+    if (!creds) {
+        console.error('Error: not logged in. Run `lumo auth login` first.');
+        return 1;
+    }
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
+    const base = (0, api_1.trimTrailingSlash)(apiUrl);
+    // Resolve the target: explicit arg > session-bound task.
+    const identifier = identifierArg ?? (await (0, resolve_bound_task_1.resolveBoundTaskIdentifier)(apiUrl, creds.token));
+    if (!identifier) {
+        console.error('Error: no <LUM-N> given and no task bound to this session.\n' +
+            'Pass it explicitly or run `lumo session attach <LUM-N>`.');
+        return 1;
+    }
+    // LUM-N → task id.
+    let taskId;
+    try {
+        const r = await fetch(`${base}/api/tasks/resolve/${encodeURIComponent(identifier)}`, {
+            headers: { Authorization: `Bearer ${creds.token}` },
+        });
+        if (r.status === 401) {
+            console.error('Error: API key invalid or revoked. Run `lumo auth login`.');
+            return 1;
+        }
+        if (r.status === 404) {
+            console.error(`Error: task ${identifier} not found in workspace ${creds.workspaceSlug}`);
+            return 1;
+        }
+        if (!r.ok) {
+            console.error(`Error: resolve failed (HTTP ${r.status})`);
+            return 1;
+        }
+        taskId = (await r.json()).id;
+    }
+    catch (err) {
+        console.error(`Error: could not reach Lumo API at ${apiUrl} (${err instanceof Error ? err.message : String(err)})`);
+        return 1;
+    }
+    // POST the memory.
+    let res;
+    try {
+        res = await fetch(`${base}/api/tasks/${encodeURIComponent(taskId)}/memories`, {
+            method: 'POST',
+            headers: { Authorization: `Bearer ${creds.token}`, 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                category: built.category,
+                content: built.content,
+                ...(agent ? { agent } : {}),
+            }),
+        });
+    }
+    catch (err) {
+        console.error(`Error: could not reach Lumo API at ${apiUrl} (${err instanceof Error ? err.message : String(err)})`);
+        return 1;
+    }
+    if (res.status !== 201) {
+        let m = null;
+        try {
+            const b = (await res.json());
+            if (typeof b.error === 'string')
+                m = b.error;
+        }
+        catch { /* */ }
+        console.error(m ? `Error: ${(0, sanitize_1.sanitizeField)(m)}` : `Error: memory add failed (HTTP ${res.status})`);
+        return 1;
+    }
+    process.stdout.write(`Added ${built.category} memory to ${identifier}` +
+        `${identifierArg ? '' : ' (from bound session)'}\n` +
+        'Tip: only useful for this task? If it generalizes, use `lumo project memory add` or `lumo memory promote` later.\n');
+}

package/dist/cli/src/commands/memory-task-list.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.memoryTaskList = memoryTaskList;
+const config_1 = require("../lib/config");
+const api_1 = require("../lib/api");
+const memory_content_1 = require("../lib/memory-content");
+const resolve_bound_task_1 = require("../lib/resolve-bound-task");
+async function memoryTaskList(identifierArg, options) {
+    const limit = options.limit !== undefined ? parseInt(options.limit, 10) : undefined;
+    if (limit !== undefined && (Number.isNaN(limit) || limit < 1)) {
+        console.error(`Error: invalid --limit "${options.limit}" (expected a positive integer)`);
+        return 1;
+    }
+    const creds = (0, config_1.readCredentials)();
+    if (!creds) {
+        console.error('Error: not logged in. Run `lumo auth login` first.');
+        return 1;
+    }
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
+    const base = (0, api_1.trimTrailingSlash)(apiUrl);
+    const identifier = identifierArg ?? (await (0, resolve_bound_task_1.resolveBoundTaskIdentifier)(apiUrl, creds.token));
+    if (!identifier) {
+        console.error('Error: no <LUM-N> given and no task bound to this session.\nPass it explicitly or run `lumo session attach <LUM-N>`.');
+        return 1;
+    }
+    let taskId;
+    try {
+        const r = await fetch(`${base}/api/tasks/resolve/${encodeURIComponent(identifier)}`, { headers: { Authorization: `Bearer ${creds.token}` } });
+        if (r.status === 404) {
+            console.error(`Error: task ${identifier} not found in workspace ${creds.workspaceSlug}`);
+            return 1;
+        }
+        if (!r.ok) {
+            console.error(`Error: resolve failed (HTTP ${r.status})`);
+            return 1;
+        }
+        taskId = (await r.json()).id;
+    }
+    catch (err) {
+        console.error(`Error: could not reach Lumo API at ${apiUrl} (${err instanceof Error ? err.message : String(err)})`);
+        return 1;
+    }
+    let res;
+    try {
+        res = await fetch(`${base}/api/tasks/${encodeURIComponent(taskId)}/memories`, { headers: { Authorization: `Bearer ${creds.token}` } });
+    }
+    catch (err) {
+        console.error(`Error: could not reach Lumo API at ${apiUrl} (${err instanceof Error ? err.message : String(err)})`);
+        return 1;
+    }
+    if (!res.ok) {
+        console.error(`Error: memory list failed (HTTP ${res.status})`);
+        return 1;
+    }
+    let rows = (await res.json()).memories;
+    if (options.category)
+        rows = rows.filter(m => m.category.toLowerCase() === options.category.toLowerCase());
+    if (limit !== undefined)
+        rows = rows.slice(0, limit);
+    process.stdout.write((0, memory_content_1.formatMemoryList)(rows) + '\n');
+}

package/dist/cli/src/commands/milestone-create.js

@@ -5,6 +5,7 @@ exports.formatCreatedMilestoneLine = formatCreatedMilestoneLine;
 exports.milestoneCreate = milestoneCreate;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 const resolve_1 = require("../lib/resolve");
 function buildCreatePayload(name, opts) {
     const payload = { name };
@@ -17,7 +18,7 @@ function buildCreatePayload(name, opts) {
     return payload;
 }
 function formatCreatedMilestoneLine(milestone) {
-    return `Created milestone "${milestone.name}"  ${milestone.id}`;
+    return `Created milestone "${(0, sanitize_1.sanitizeField)(milestone.name)}"  ${milestone.id}`;
 }
 async function milestoneCreate(name, opts) {
     if (!name || !name.trim()) {
@@ -29,8 +30,7 @@ async function milestoneCreate(name, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let projectId;
     try {
@@ -72,7 +72,7 @@ async function milestoneCreate(name, opts) {
             // Body wasn't JSON; fall through to status-only message
         }
         if (serverMsg) {
-            console.error(`Error: ${serverMsg}`);
+            console.error(`Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`);
         }
         else {
             console.error(`Error: milestone create failed (HTTP ${res.status})`);

package/dist/cli/src/commands/milestone-delete.js

@@ -5,8 +5,9 @@ exports.milestoneDelete = milestoneDelete;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function formatDeleteRefusal(name, taskCount) {
-    const head = `Refusing to delete milestone "${name}" without --yes.`;
+    const head = `Refusing to delete milestone "${(0, sanitize_1.sanitizeField)(name)}" without --yes.`;
     const tail = `Re-run with --yes to confirm.`;
     if (taskCount === 0)
         return `${head}\n${tail}`;
@@ -21,8 +22,7 @@ async function milestoneDelete(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let milestoneId;
     let resolvedName;
@@ -89,8 +89,8 @@ async function milestoneDelete(identifier, opts) {
         catch {
             // body wasn't JSON
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
-    process.stdout.write(`Deleted milestone "${name}"\n`);
+    process.stdout.write(`Deleted milestone "${(0, sanitize_1.sanitizeField)(name)}"\n`);
 }

package/dist/cli/src/commands/milestone-list.js

@@ -5,6 +5,7 @@ exports.milestoneList = milestoneList;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function formatDate(iso) {
     if (!iso)
         return '-';
@@ -22,7 +23,7 @@ function formatMilestoneList(rows) {
     const statusW = Math.max(...rows.map(r => r.status.length));
     const dateW = Math.max(...rows.map(r => formatDate(r.targetDate).length));
     return rows
-        .map(r => `${r.status.padEnd(statusW)}  ${formatDate(r.targetDate).padEnd(dateW)}  ${r.name}`)
+        .map(r => `${r.status.padEnd(statusW)}  ${formatDate(r.targetDate).padEnd(dateW)}  ${(0, sanitize_1.sanitizeField)(r.name)}`)
         .join('\n');
 }
 async function milestoneList(options) {
@@ -31,8 +32,7 @@ async function milestoneList(options) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let projectId;
     try {

package/dist/cli/src/commands/milestone-show.js

@@ -6,6 +6,7 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
 const format_1 = require("../lib/format");
+const sanitize_1 = require("../lib/sanitize");
 function fmtDate(iso) {
     return iso ? iso.slice(0, 10) : '-';
 }
@@ -15,13 +16,13 @@ function formatMilestoneShow(m, tasks) {
         m.taskCounts.IN_REVIEW +
         m.taskCounts.DONE;
     const lines = [
-        `Milestone:    ${m.name}`,
+        `Milestone:    ${(0, sanitize_1.sanitizeField)(m.name)}`,
         `Status:       ${m.status}`,
         `Start:        ${fmtDate(m.startDate)}`,
         `Target:       ${fmtDate(m.targetDate)}`,
-        `Project:      ${m.projectName}`,
+        `Project:      ${(0, sanitize_1.sanitizeField)(m.projectName)}`,
         `Description:`,
-        `  ${m.description && m.description.length > 0 ? m.description : '-'}`,
+        `  ${m.description && m.description.length > 0 ? (0, sanitize_1.sanitizeField)(m.description) : '-'}`,
         ``,
         `Tasks:        ${total} total (TODO ${m.taskCounts.TODO} / IN_PROGRESS ${m.taskCounts.IN_PROGRESS} / IN_REVIEW ${m.taskCounts.IN_REVIEW} / DONE ${m.taskCounts.DONE})`,
     ];
@@ -36,8 +37,7 @@ async function milestoneShow(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let milestoneId;
     try {

package/dist/cli/src/commands/milestone-update.js

@@ -7,6 +7,7 @@ exports.milestoneUpdate = milestoneUpdate;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 const ALLOWED_STATUSES = [
     'PLANNED',
     'ACTIVE',
@@ -54,9 +55,10 @@ function fmtDate(v) {
     return v.slice(0, 10);
 }
 function formatMilestoneUpdateSummary(before, after) {
+    const beforeName = (0, sanitize_1.sanitizeField)(before.name);
     const changes = [];
     if (after.name !== undefined && after.name !== before.name) {
-        changes.push(`name "${before.name}" → "${after.name}"`);
+        changes.push(`name "${beforeName}" → "${(0, sanitize_1.sanitizeField)(after.name)}"`);
     }
     if (after.description !== undefined) {
         changes.push(after.description === null ? 'description → ∅' : 'description updated');
@@ -70,7 +72,7 @@ function formatMilestoneUpdateSummary(before, after) {
     if (after.targetDate !== undefined) {
         changes.push(`target → ${fmtDate(after.targetDate)}`);
     }
-    return `Updated milestone "${before.name}": ${changes.join(', ')}`;
+    return `Updated milestone "${beforeName}": ${changes.join(', ')}`;
 }
 async function milestoneUpdate(identifier, opts) {
     // Validate status flag eagerly.
@@ -96,8 +98,7 @@ async function milestoneUpdate(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let milestoneId;
     try {
@@ -160,7 +161,7 @@ async function milestoneUpdate(identifier, opts) {
         catch {
             // body wasn't JSON; keep the status-only message
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
     process.stdout.write(formatMilestoneUpdateSummary(before, payload) + '\n');

package/dist/cli/src/commands/project-list.js

@@ -5,6 +5,7 @@ exports.projectList = projectList;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 /**
  * Render projects as `slug-style-name  Display Name` lines. The slug form
  * matches what `lumo task create --project <ref>` accepts (slugify(name)),
@@ -22,7 +23,7 @@ function formatProjectList(projects) {
     if (rows.length === 0)
         return 'No projects.';
     const w = Math.max(...rows.map(r => r.slug.length));
-    return rows.map(r => `${r.slug.padEnd(w)}  ${r.name}`).join('\n');
+    return rows.map(r => `${r.slug.padEnd(w)}  ${(0, sanitize_1.sanitizeField)(r.name)}`).join('\n');
 }
 async function projectList() {
     const creds = (0, config_1.readCredentials)();
@@ -30,8 +31,7 @@ async function projectList() {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/projects`;
     let res;
     try {

package/dist/cli/src/commands/session-attach.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sessionAttach = sessionAttach;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 /**
  * `lumo session attach <identifier>` — bind the currently-running
  * Claude Code session to a task.
@@ -30,8 +31,7 @@ async function sessionAttach(identifier) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/sessions/${encodeURIComponent(sessionId)}/bind-task`;
     let res;
     try {
@@ -63,7 +63,7 @@ async function sessionAttach(identifier) {
         catch {
             // fall through
         }
-        console.error(`Error: ${message}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(message)}`);
         return 1;
     }
     if (!res.ok) {
@@ -71,10 +71,10 @@ async function sessionAttach(identifier) {
         return 1;
     }
     const result = (await res.json());
-    console.log(`Attached session ${sessionId} to ${result.taskIdentifier} "${result.taskTitle}"`);
+    console.log(`Attached session ${sessionId} to ${result.taskIdentifier} "${(0, sanitize_1.sanitizeField)(result.taskTitle)}"`);
     console.log(`Re-tagged ${result.retaggedEventCount} previously-untagged event${result.retaggedEventCount === 1 ? '' : 's'} in this session.`);
     if (result.memorySection !== '') {
         console.log('');
-        console.log(result.memorySection);
+        console.log((0, sanitize_1.sanitizeField)(result.memorySection));
     }
 }

package/dist/cli/src/commands/session-detach.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sessionDetach = sessionDetach;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 /**
  * `lumo session detach` — clear the task binding on the current Claude Code
  * session. Idempotent: re-detaching an already-unbound session reports
@@ -24,8 +25,7 @@ async function sessionDetach() {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/sessions/${encodeURIComponent(sessionId)}/bind-task`;
     let res;
     try {
@@ -56,5 +56,5 @@ async function sessionDetach() {
         process.stdout.write(`Session ${sessionId} was already unbound.\n`);
         return;
     }
-    process.stdout.write(`Detached session ${sessionId} from ${data.previousTaskIdentifier} "${data.previousTaskTitle}".\n`);
+    process.stdout.write(`Detached session ${sessionId} from ${data.previousTaskIdentifier} "${(0, sanitize_1.sanitizeField)(data.previousTaskTitle ?? '')}".\n`);
 }

package/dist/cli/src/commands/session-status.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sessionStatus = sessionStatus;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 async function sessionStatus() {
     const sessionId = process.env.CLAUDE_CODE_SESSION_ID;
     if (!sessionId) {
@@ -15,8 +16,7 @@ async function sessionStatus() {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/sessions/${encodeURIComponent(sessionId)}`;
     let res;
     try {
@@ -47,7 +47,7 @@ async function sessionStatus() {
     const data = (await res.json());
     if (data.taskIdentifier && data.taskTitle) {
         process.stdout.write(`Session ${sessionId}\n` +
-            `  Bound to:  ${data.taskIdentifier} "${data.taskTitle}"\n` +
+            `  Bound to:  ${data.taskIdentifier} "${(0, sanitize_1.sanitizeField)(data.taskTitle)}"\n` +
             `  Events:    ${data.eventCount}\n`);
     }
     else {

package/dist/cli/src/commands/setup.js

@@ -33,6 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveAgentToken = resolveAgentToken;
 exports.setup = setup;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
@@ -40,11 +41,35 @@ const path = __importStar(require("path"));
 const child_process_1 = require("child_process");
 const hooks_template_1 = require("../lib/hooks-template");
 const line_prompt_1 = require("../lib/line-prompt");
+const agent_1 = require("../lib/agent");
+const config_1 = require("../lib/config");
+/**
+ * Validate the `--agent` flag and canonicalize it to the CLI token baked into
+ * the hook commands. Defaults to `claude-code` — accurate today, since only
+ * Claude Code emits hook events. Returns `{ error }` for an unrecognized
+ * token so the caller can abort before writing settings.json.
+ */
+function resolveAgentToken(raw) {
+    if (raw === undefined)
+        return { token: 'claude-code' };
+    const enumValue = (0, agent_1.normalizeAgent)(raw);
+    if (!enumValue) {
+        return {
+            error: `Unknown agent "${raw}". Valid agents: ${agent_1.VALID_AGENT_TOKENS.join(', ')}.`,
+        };
+    }
+    return { token: agent_1.ENUM_TO_TOKEN[enumValue] };
+}
 async function setup(options) {
     if (options.user && options.project) {
         process.stderr.write('Error: --user and --project are mutually exclusive.\n');
         return 1;
     }
+    const agentResult = resolveAgentToken(options.agent);
+    if ('error' in agentResult) {
+        process.stderr.write(`Error: ${agentResult.error}\n`);
+        return 1;
+    }
     const scope = await resolveScope(options);
     if (!scope)
         return 130;
@@ -52,7 +77,7 @@ async function setup(options) {
     const claudeDir = path.join(root, '.claude');
     process.stdout.write(`\nInstalling Lumo for ${scope} scope: ${claudeDir}\n\n`);
     installSkill(claudeDir, options.force === true);
-    mergeSettings(claudeDir);
+    mergeSettings(claudeDir, agentResult.token);
     printPostInstall();
     return 0;
 }
@@ -101,7 +126,7 @@ function installSkill(claudeDir, force) {
     fs.copyFileSync(skillSrc, skillDst);
     process.stdout.write(`✓ wrote skill: ${skillDst}\n`);
 }
-function mergeSettings(claudeDir) {
+function mergeSettings(claudeDir, agentToken) {
     const settingsPath = path.join(claudeDir, 'settings.json');
     let existing = {};
     if (fs.existsSync(settingsPath)) {
@@ -116,18 +141,19 @@ function mergeSettings(claudeDir) {
     else {
         fs.mkdirSync(claudeDir, { recursive: true });
     }
-    const { merged, stats } = (0, hooks_template_1.mergeLumoHooks)(existing);
+    const { merged, stats } = (0, hooks_template_1.mergeLumoHooks)(existing, agentToken);
     fs.writeFileSync(settingsPath, JSON.stringify(merged, null, 2) + '\n');
-    if (stats.addedEvents.length === 0) {
-        process.stdout.write(`✓ hooks already wired in: ${settingsPath} (${stats.alreadyPresent.length} events)\n`);
+    const changed = stats.addedEvents.length + stats.updatedEvents.length;
+    if (changed === 0) {
+        process.stdout.write(`✓ hooks already wired in (agent=${agentToken}): ${settingsPath} (${stats.alreadyPresent.length} events)\n`);
     }
     else {
-        process.stdout.write(`✓ merged hooks into ${settingsPath} (added ${stats.addedEvents.length}, kept ${stats.alreadyPresent.length})\n`);
+        process.stdout.write(`✓ merged hooks into ${settingsPath} (agent=${agentToken}; added ${stats.addedEvents.length}, updated ${stats.updatedEvents.length}, kept ${stats.alreadyPresent.length})\n`);
     }
 }
 function printPostInstall() {
     const onPath = isLumoOnPath();
-    const credsPath = path.join(process.env.LUMO_CONFIG_DIR || path.join(os.homedir(), '.lumo'), 'credentials.json');
+    const credsPath = path.join((0, config_1.configDir)(), 'credentials.json');
     const authed = fs.existsSync(credsPath);
     process.stdout.write('\nNext steps:\n');
     if (!onPath || isRunningUnderNpx()) {

package/dist/cli/src/commands/sprint-add.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sprintAdd = sprintAdd;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 const resolve_1 = require("../lib/resolve");
 async function sprintAdd(identifier, taskIdentifier, opts) {
     const creds = (0, config_1.readCredentials)();
@@ -10,8 +11,7 @@ async function sprintAdd(identifier, taskIdentifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -55,7 +55,7 @@ async function sprintAdd(identifier, taskIdentifier, opts) {
         catch {
             // ignore
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
     process.stdout.write(`Added ${taskIdentifier} to sprint #${resolved.number}\n`);

package/dist/cli/src/commands/sprint-close.js

@@ -7,6 +7,7 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
 const format_1 = require("../lib/format");
+const sanitize_1 = require("../lib/sanitize");
 /**
  * Build the decisions map for POST /api/sprints/<id>/close.
  * Only non-DONE tasks get a decision entry; DONE tasks are excluded entirely.
@@ -28,7 +29,7 @@ function buildCloseDecisions(tasks, mode) {
 function formatUnfinishedRefusal(number, name, tasks) {
     const unfinished = tasks.filter(t => t.status !== 'DONE');
     const lines = [
-        `Refusing to close sprint #${number} "${name}": ${unfinished.length} task(s) not DONE.`,
+        `Refusing to close sprint #${number} "${(0, sanitize_1.sanitizeField)(name)}": ${unfinished.length} task(s) not DONE.`,
         '',
         (0, format_1.formatTaskListTable)(unfinished),
         '',
@@ -56,8 +57,7 @@ async function sprintClose(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -144,8 +144,8 @@ async function sprintClose(identifier, opts) {
         catch {
             // body wasn't JSON
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
-    process.stdout.write(`Closed sprint #${sprint.number} "${sprint.name}"\n`);
+    process.stdout.write(`Closed sprint #${sprint.number} "${(0, sanitize_1.sanitizeField)(sprint.name)}"\n`);
 }

package/dist/cli/src/commands/sprint-create.js

@@ -6,6 +6,7 @@ exports.sprintCreate = sprintCreate;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function buildCreateSprintPayload(opts) {
     // start/end are required by the server schema; caller validates presence.
     const payload = {
@@ -17,7 +18,7 @@ function buildCreateSprintPayload(opts) {
     return payload;
 }
 function formatCreatedSprintLine(sprint) {
-    return `Created sprint #${sprint.number} "${sprint.name}"  ${sprint.id}`;
+    return `Created sprint #${sprint.number} "${(0, sanitize_1.sanitizeField)(sprint.name)}"  ${sprint.id}`;
 }
 async function sprintCreate(opts) {
     if (!opts.start || !opts.end) {
@@ -29,8 +30,7 @@ async function sprintCreate(opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let teamId;
     try {
@@ -72,7 +72,7 @@ async function sprintCreate(opts) {
         catch {
             // ignore
         }
-        console.error(`Error: ${serverMsg ?? `sprint create failed (HTTP ${res.status})`}`);
+        console.error(`Error: ${serverMsg != null ? (0, sanitize_1.sanitizeField)(serverMsg) : `sprint create failed (HTTP ${res.status})`}`);
         return 1;
     }
     const sprint = (await res.json());