@lumoai/cli 1.4.0 → 1.5.1

package/dist/cli/src/commands/sprint-delete.js

@@ -5,8 +5,9 @@ exports.sprintDelete = sprintDelete;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function formatDeleteRefusal(number, name, taskCount) {
-    const head = `Refusing to delete sprint #${number} "${name}" without --yes.`;
+    const head = `Refusing to delete sprint #${number} "${(0, sanitize_1.sanitizeField)(name)}" without --yes.`;
     const tail = `Re-run with --yes to confirm.`;
     if (taskCount === 0)
         return `${head}\n${tail}`;
@@ -18,8 +19,7 @@ async function sprintDelete(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -81,8 +81,8 @@ async function sprintDelete(identifier, opts) {
         catch {
             // body wasn't JSON
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
-    process.stdout.write(`Deleted sprint #${sprint.number} "${sprint.name}"\n`);
+    process.stdout.write(`Deleted sprint #${sprint.number} "${(0, sanitize_1.sanitizeField)(sprint.name)}"\n`);
 }

package/dist/cli/src/commands/sprint-list.js

@@ -5,6 +5,7 @@ exports.sprintList = sprintList;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 const VALID_STATUSES = ['DRAFT', 'ACTIVE', 'CLOSED'];
 function formatDate(iso) {
     if (!iso)
@@ -25,7 +26,7 @@ function formatSprintList(rows) {
         const statusCol = r.status.padEnd(statusW);
         const numCol = `#${r.number}`.padEnd(numW + 1); // +1 for the '#'
         const dateRange = `${formatDate(r.startDate)}..${formatDate(r.endDate)}`;
-        return `${statusCol}  ${numCol}  ${dateRange}  ${r.name}`;
+        return `${statusCol}  ${numCol}  ${dateRange}  ${(0, sanitize_1.sanitizeField)(r.name)}`;
     })
         .join('\n');
 }
@@ -49,8 +50,7 @@ async function sprintList(options) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let teamId;
     try {

package/dist/cli/src/commands/sprint-remove.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sprintRemove = sprintRemove;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 const resolve_1 = require("../lib/resolve");
 async function sprintRemove(identifier, taskIdentifier, opts) {
     const creds = (0, config_1.readCredentials)();
@@ -10,8 +11,7 @@ async function sprintRemove(identifier, taskIdentifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -50,7 +50,7 @@ async function sprintRemove(identifier, taskIdentifier, opts) {
         catch {
             // ignore
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
     process.stdout.write(`Removed ${taskIdentifier} from sprint #${resolved.number}\n`);

package/dist/cli/src/commands/sprint-show.js

@@ -6,14 +6,15 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
 const format_1 = require("../lib/format");
+const sanitize_1 = require("../lib/sanitize");
 function fmtDate(iso) {
     return iso ? iso.slice(0, 10) : '-';
 }
 function formatSprintShow(s, progress, tasks) {
     const lines = [
-        `Sprint:    #${s.number} ${s.name}`,
+        `Sprint:    #${s.number} ${(0, sanitize_1.sanitizeField)(s.name)}`,
         `Status:    ${s.status}`,
-        `Team:      ${s.team.name}`,
+        `Team:      ${(0, sanitize_1.sanitizeField)(s.team.name)}`,
         `Start:     ${fmtDate(s.startDate)}`,
         `End:       ${fmtDate(s.endDate)}`,
         `Started:   ${fmtDate(s.startedAt)}`,
@@ -32,8 +33,7 @@ async function sprintShow(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let sprintId;
     try {

package/dist/cli/src/commands/sprint-start.js

@@ -4,14 +4,14 @@ exports.sprintStart = sprintStart;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 async function sprintStart(identifier, opts) {
     const creds = (0, config_1.readCredentials)();
     if (!creds) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -61,8 +61,8 @@ async function sprintStart(identifier, opts) {
         catch {
             // ignore
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
-    process.stdout.write(`Started sprint #${displayNumber} "${displayName}"\n`);
+    process.stdout.write(`Started sprint #${displayNumber} "${(0, sanitize_1.sanitizeField)(displayName)}"\n`);
 }

package/dist/cli/src/commands/sprint-summary.js

@@ -5,9 +5,10 @@ exports.sprintSummary = sprintSummary;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function formatSprintSummary(input) {
     const { number, name, stats, tldr, report } = input;
-    const lines = [`Sprint: #${number} ${name}`];
+    const lines = [`Sprint: #${number} ${(0, sanitize_1.sanitizeField)(name)}`];
     if (stats === null && tldr === null && report === null) {
         lines.push('', '(no summary generated yet)');
         return lines.join('\n');
@@ -16,10 +17,10 @@ function formatSprintSummary(input) {
         lines.push(`Done:   ${stats.done} / ${stats.total}`);
     }
     if (tldr) {
-        lines.push('', tldr);
+        lines.push('', (0, sanitize_1.sanitizeField)(tldr));
     }
     if (report) {
-        lines.push('', report);
+        lines.push('', (0, sanitize_1.sanitizeField)(report));
     }
     return lines.join('\n');
 }
@@ -29,8 +30,7 @@ async function sprintSummary(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -82,7 +82,7 @@ async function sprintSummary(identifier, opts) {
             catch {
                 // ignore
             }
-            console.error(`Error: ${errMsg}`);
+            console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
             return 1;
         }
         // 202 means queued; regeneration is async. The GET below may still return
@@ -124,7 +124,7 @@ async function sprintSummary(identifier, opts) {
         catch {
             // ignore
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
     // 404 → fall through with all-null; formatSprintSummary renders the friendly marker.

package/dist/cli/src/commands/sprint-update.js

@@ -6,6 +6,7 @@ exports.sprintUpdate = sprintUpdate;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function buildSprintUpdatePayload(opts) {
     const payload = {};
     const flagsGiven = [];
@@ -29,9 +30,10 @@ function fmtDate(v) {
     return v.slice(0, 10);
 }
 function formatSprintUpdateSummary(before, after) {
+    const beforeName = (0, sanitize_1.sanitizeField)(before.name);
     const changes = [];
     if (after.name !== undefined && after.name !== before.name) {
-        changes.push(`name "${before.name}" → "${after.name}"`);
+        changes.push(`name "${beforeName}" → "${(0, sanitize_1.sanitizeField)(after.name)}"`);
     }
     if (after.startDate !== undefined) {
         changes.push(`start → ${fmtDate(after.startDate)}`);
@@ -39,7 +41,7 @@ function formatSprintUpdateSummary(before, after) {
     if (after.endDate !== undefined) {
         changes.push(`end → ${fmtDate(after.endDate)}`);
     }
-    return `Updated sprint #${before.number} "${before.name}": ${changes.join(', ')}`;
+    return `Updated sprint #${before.number} "${beforeName}": ${changes.join(', ')}`;
 }
 async function sprintUpdate(identifier, opts) {
     // Reject empty strings — these fields can't be cleared.
@@ -65,8 +67,7 @@ async function sprintUpdate(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let sprintId;
     let resolvedNumber;
@@ -141,7 +142,7 @@ async function sprintUpdate(identifier, opts) {
         catch {
             // body wasn't JSON; keep the status-only message
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
     process.stdout.write(formatSprintUpdateSummary(beforeSnapshot, payload) + '\n');

package/dist/cli/src/commands/task-artifact-add.js

@@ -4,6 +4,9 @@ exports.taskArtifactAdd = taskArtifactAdd;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const doc_input_1 = require("../lib/doc-input");
+const agent_1 = require("../lib/agent");
+const sanitize_1 = require("../lib/sanitize");
+const path_guard_1 = require("../lib/path-guard");
 async function taskArtifactAdd(identifier, options) {
     if (!identifier) {
         console.error('Error: missing <task>. Usage: lumo task artifact add <LUM-42> --kind spec --title "Spec" --file spec.md --source Superpowers');
@@ -24,13 +27,34 @@ async function taskArtifactAdd(identifier, options) {
         console.error('Error: --source is required (the spec-gen framework, formal name e.g. Superpowers, "Spec Kit", BMad, OpenSpec, GSD).');
         return 1;
     }
+    const agentRaw = options.agent?.trim();
+    if (!agentRaw) {
+        console.error(`Error: --agent is required. Valid values: ${agent_1.VALID_AGENT_TOKENS.join(', ')}.`);
+        return 1;
+    }
+    const agent = (0, agent_1.normalizeAgent)(agentRaw);
+    if (!agent) {
+        console.error(`Error: invalid --agent "${agentRaw}". Valid values: ${agent_1.VALID_AGENT_TOKENS.join(', ')}.`);
+        return 1;
+    }
     if (!options.file) {
         console.error('Error: --file <path> is required.');
         return 1;
     }
+    const verdict = (0, path_guard_1.checkArtifactFilePath)(options.file);
+    if (!verdict.ok) {
+        if (verdict.reason === 'unreadable') {
+            console.error(`Error: could not read file ${options.file}`);
+        }
+        else {
+            console.error(`Error: refusing to read ${options.file} — ${verdict.detail}. ` +
+                `artifact --file must be a non-sensitive path inside the project directory.`);
+        }
+        return 1;
+    }
     let content;
     try {
-        content = await (0, doc_input_1.readFileUtf8)(options.file);
+        content = await (0, doc_input_1.readFileUtf8)(verdict.resolved);
     }
     catch {
         console.error(`Error: could not read file ${options.file}`);
@@ -45,10 +69,15 @@ async function taskArtifactAdd(identifier, options) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
-    const payload = { kind, title, content, source };
+    const payload = {
+        kind,
+        title,
+        content,
+        source,
+        agent,
+    };
     let res;
     try {
         res = await fetch(`${base}/api/tasks/${encodeURIComponent(identifier)}/artifacts`, {
@@ -84,10 +113,10 @@ async function taskArtifactAdd(identifier, options) {
             /* not JSON */
         }
         console.error(serverMsg
-            ? `Error: ${serverMsg}`
+            ? `Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`
             : `Error: artifact add failed (HTTP ${res.status})`);
         return 1;
     }
     const data = (await res.json());
-    process.stdout.write(`Added [${data.artifact.kind}] "${data.artifact.title}" to ${identifier}\n`);
+    process.stdout.write(`Added [${(0, sanitize_1.sanitizeField)(data.artifact.kind)}] "${(0, sanitize_1.sanitizeField)(data.artifact.title)}" to ${identifier}\n`);
 }

package/dist/cli/src/commands/task-artifact-list.js

@@ -3,6 +3,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskArtifactList = taskArtifactList;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const agent_1 = require("../lib/agent");
+const sanitize_1 = require("../lib/sanitize");
 async function taskArtifactList(identifier) {
     if (!identifier) {
         console.error('Error: missing <task>. Usage: lumo task artifact list <LUM-42>');
@@ -13,8 +15,7 @@ async function taskArtifactList(identifier) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let res;
     try {
@@ -43,6 +44,7 @@ async function taskArtifactList(identifier) {
         return;
     }
     for (const a of artifacts) {
-        process.stdout.write(`${a.id}  ${a.kind.padEnd(10)}  ${a.source.padEnd(12)}  ${a.title}\n`);
+        const agentLabel = agent_1.AGENT_LABELS[a.agent] ?? (0, sanitize_1.sanitizeField)(a.agent);
+        process.stdout.write(`${a.id}  ${(0, sanitize_1.sanitizeField)(a.kind).padEnd(10)}  ${agentLabel.padEnd(15)}  ${(0, sanitize_1.sanitizeField)(a.source).padEnd(12)}  ${(0, sanitize_1.sanitizeField)(a.title)}\n`);
     }
 }

package/dist/cli/src/commands/task-artifact-rm.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskArtifactRm = taskArtifactRm;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 async function taskArtifactRm(identifier, artifactId, options) {
     if (!identifier) {
         console.error('Error: missing <task>. Usage: lumo task artifact rm <LUM-42> <artifact-id> --yes');
@@ -21,8 +22,7 @@ async function taskArtifactRm(identifier, artifactId, options) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let res;
     try {
@@ -50,7 +50,7 @@ async function taskArtifactRm(identifier, artifactId, options) {
         catch {
             /* not JSON */
         }
-        console.error(`Error: ${serverMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`);
         return 1;
     }
     if (res.status !== 204) {
@@ -64,7 +64,7 @@ async function taskArtifactRm(identifier, artifactId, options) {
             /* not JSON */
         }
         console.error(serverMsg
-            ? `Error: ${serverMsg}`
+            ? `Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`
             : `Error: artifact rm failed (HTTP ${res.status})`);
         return 1;
     }

package/dist/cli/src/commands/task-artifact-show.js

@@ -3,6 +3,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskArtifactShow = taskArtifactShow;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const agent_1 = require("../lib/agent");
+const sanitize_1 = require("../lib/sanitize");
 async function taskArtifactShow(identifier, artifactId) {
     if (!identifier) {
         console.error('Error: missing <task>. Usage: lumo task artifact show <LUM-42> <artifact-id>');
@@ -17,8 +19,7 @@ async function taskArtifactShow(identifier, artifactId) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let res;
     try {
@@ -43,7 +44,7 @@ async function taskArtifactShow(identifier, artifactId) {
         catch {
             /* not JSON */
         }
-        console.error(`Error: ${serverMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`);
         return 1;
     }
     if (!res.ok) {
@@ -52,10 +53,11 @@ async function taskArtifactShow(identifier, artifactId) {
     }
     const { artifact } = (await res.json());
     process.stdout.write(`id:     ${artifact.id}\n`);
-    process.stdout.write(`kind:   ${artifact.kind}\n`);
-    process.stdout.write(`title:  ${artifact.title}\n`);
-    process.stdout.write(`source: ${artifact.source}\n`);
+    process.stdout.write(`kind:   ${(0, sanitize_1.sanitizeField)(artifact.kind)}\n`);
+    process.stdout.write(`title:  ${(0, sanitize_1.sanitizeField)(artifact.title)}\n`);
+    process.stdout.write(`source: ${(0, sanitize_1.sanitizeField)(artifact.source)}\n`);
+    process.stdout.write(`agent:  ${agent_1.AGENT_LABELS[artifact.agent] ?? (0, sanitize_1.sanitizeField)(artifact.agent ?? '')}\n`);
     process.stdout.write(`order:  ${artifact.order}\n`);
     process.stdout.write(`task:   ${identifier}\n`);
-    process.stdout.write(`\n${artifact.content}\n`);
+    process.stdout.write(`\n${(0, sanitize_1.sanitizeField)(artifact.content)}\n`);
 }

package/dist/cli/src/commands/task-artifact-update.js

@@ -3,6 +3,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskArtifactUpdate = taskArtifactUpdate;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
+const agent_1 = require("../lib/agent");
 async function taskArtifactUpdate(identifier, artifactId, options) {
     if (!identifier) {
         console.error('Error: missing <task>. Usage: lumo task artifact update <LUM-42> <artifact-id> --kind plan');
@@ -37,8 +39,16 @@ async function taskArtifactUpdate(identifier, artifactId, options) {
         }
         payload.source = source;
     }
+    if (options.agent !== undefined) {
+        const agent = (0, agent_1.normalizeAgent)(options.agent);
+        if (!agent) {
+            console.error(`Error: invalid --agent "${options.agent}". Valid values: ${agent_1.VALID_AGENT_TOKENS.join(', ')}.`);
+            return 1;
+        }
+        payload.agent = agent;
+    }
     if (Object.keys(payload).length === 0) {
-        console.error('Error: provide at least one of --kind, --title, or --source to update.');
+        console.error('Error: provide at least one of --kind, --title, --source, or --agent to update.');
         return 1;
     }
     const creds = (0, config_1.readCredentials)();
@@ -46,8 +56,7 @@ async function taskArtifactUpdate(identifier, artifactId, options) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let res;
     try {
@@ -79,7 +88,7 @@ async function taskArtifactUpdate(identifier, artifactId, options) {
         catch {
             /* not JSON */
         }
-        console.error(`Error: ${serverMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`);
         return 1;
     }
     if (res.status !== 200) {
@@ -93,10 +102,10 @@ async function taskArtifactUpdate(identifier, artifactId, options) {
             /* not JSON */
         }
         console.error(serverMsg
-            ? `Error: ${serverMsg}`
+            ? `Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`
             : `Error: artifact update failed (HTTP ${res.status})`);
         return 1;
     }
     const data = (await res.json());
-    process.stdout.write(`Updated [${data.artifact.kind}] "${data.artifact.title}" (${data.artifact.source}) on ${identifier}\n`);
+    process.stdout.write(`Updated [${(0, sanitize_1.sanitizeField)(data.artifact.kind)}] "${(0, sanitize_1.sanitizeField)(data.artifact.title)}" (${(0, sanitize_1.sanitizeField)(data.artifact.source)}) on ${identifier}\n`);
 }

package/dist/cli/src/commands/task-comment-list.js

@@ -0,0 +1,111 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.taskCommentList = taskCommentList;
+const config_1 = require("../lib/config");
+const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
+/**
+ * Strip TipTap/HTML markup to readable plain text. Comment bodies are stored as
+ * HTML; the CLI only needs the visible text. We collapse block tags to newlines
+ * and drop the rest, then decode the handful of entities that survive.
+ */
+function htmlToPlainText(html) {
+    return html
+        .replace(/<\/(p|div|li|h[1-6]|blockquote)>/gi, '\n')
+        .replace(/<br\s*\/?>/gi, '\n')
+        .replace(/<[^>]+>/g, '')
+        .replace(/&nbsp;/g, ' ')
+        .replace(/&amp;/g, '&')
+        .replace(/&lt;/g, '<')
+        .replace(/&gt;/g, '>')
+        .replace(/&quot;/g, '"')
+        .replace(/&#39;/g, "'")
+        .replace(/\n{3,}/g, '\n\n')
+        .trim();
+}
+function printComment(c, indent) {
+    const author = (0, sanitize_1.sanitizeField)(c.authorActorId ?? 'unknown');
+    console.log(`${indent}${author} · ${c.createdAt}`);
+    const text = (0, sanitize_1.sanitizeField)(htmlToPlainText(c.body));
+    for (const line of (text || '(empty)').split('\n')) {
+        console.log(`${indent}${line}`);
+    }
+    console.log('');
+    for (const reply of c.replies ?? []) {
+        printComment(reply, indent + '  ');
+    }
+}
+/**
+ * `lumo task comments list <LUM-N>`
+ *
+ * Tier-2 retrieval for the task comment thread. Resolves the LUM-N identifier to
+ * its DB id (the comments endpoint is keyed by DB id), then fetches the full
+ * thread from `/api/tasks/:id/comments` and prints each top-level comment
+ * (replies indented) as `author · time` followed by the plain-text body.
+ */
+async function taskCommentList(identifier) {
+    if (!identifier) {
+        console.error('Error: usage: lumo task comments list <LUM-42>');
+        return 1;
+    }
+    const creds = (0, config_1.readCredentials)();
+    if (!creds) {
+        console.error('Error: not logged in. Run `lumo auth login` first.');
+        return 1;
+    }
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
+    const base = (0, api_1.trimTrailingSlash)(apiUrl);
+    // 1. Resolve LUM-N → DB id (the comments endpoint takes the DB id).
+    let resolveRes;
+    try {
+        resolveRes = await fetch(`${base}/api/tasks/resolve/${encodeURIComponent(identifier)}`, { headers: { Authorization: `Bearer ${creds.token}` } });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Error: could not reach Lumo API at ${apiUrl} (${msg})`);
+        return 1;
+    }
+    if (resolveRes.status === 401) {
+        console.error('Error: API key invalid or revoked. Run `lumo auth login`.');
+        return 1;
+    }
+    if (resolveRes.status === 404) {
+        console.error(`Error: task ${identifier} not found in workspace ${creds.workspaceSlug}`);
+        return 1;
+    }
+    if (!resolveRes.ok) {
+        console.error(`Error: resolve failed (HTTP ${resolveRes.status})`);
+        return 1;
+    }
+    const resolved = (await resolveRes.json());
+    // 2. Fetch the comment thread.
+    let res;
+    try {
+        res = await fetch(`${base}/api/tasks/${encodeURIComponent(resolved.id)}/comments`, { headers: { Authorization: `Bearer ${creds.token}` } });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Error: could not reach Lumo API at ${apiUrl} (${msg})`);
+        return 1;
+    }
+    if (res.status === 401) {
+        console.error('Error: API key invalid or revoked. Run `lumo auth login`.');
+        return 1;
+    }
+    if (res.status === 404) {
+        console.error(`Error: task ${identifier} not found`);
+        return 1;
+    }
+    if (!res.ok) {
+        console.error(`Error: comments list failed (HTTP ${res.status})`);
+        return 1;
+    }
+    const { comments } = (await res.json());
+    if (!comments || comments.length === 0) {
+        console.log('(no comments)');
+        return;
+    }
+    for (const c of comments) {
+        printComment(c, '');
+    }
+}

package/dist/cli/src/commands/task-comment.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskComment = taskComment;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 /**
  * `lumo task comment <LUM-N> <body>`
  *
@@ -28,8 +29,7 @@ async function taskComment(identifier, body) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     // 1. Resolve LUM-N → DB id (the comments endpoint takes DB id).
     let resolveRes;
@@ -86,7 +86,7 @@ async function taskComment(identifier, body) {
             // Body wasn't JSON
         }
         console.error(serverMsg
-            ? `Error: ${serverMsg}`
+            ? `Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`
             : `Error: comment create failed (HTTP ${postRes.status})`);
         return 1;
     }