@lumoai/cli 1.4.0 → 1.5.1

package/dist/cli/src/commands/task-context.js

@@ -4,6 +4,7 @@ exports.taskContext = taskContext;
 exports.formatTaskContextMarkdown = formatTaskContextMarkdown;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 async function taskContext(identifier) {
     if (!identifier) {
         console.error('Error: missing <identifier>. Usage: lumo task context <LUM-42>');
@@ -14,8 +15,7 @@ async function taskContext(identifier) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/tasks/context/${encodeURIComponent(identifier)}`;
     let res;
     try {
@@ -52,39 +52,51 @@ async function taskContext(identifier) {
 function formatTaskContextMarkdown(data, now) {
     const lines = [];
     lines.push(`# Task: ${data.task.identifier}`);
-    lines.push(`**Title**: ${data.task.title}`);
+    lines.push(`**Title**: ${(0, sanitize_1.sanitizeField)(data.task.title)}`);
     lines.push(`**Status**: ${data.task.status}`);
     if (data.task.milestone) {
         const target = data.task.milestone.targetDate
             ? `, target ${data.task.milestone.targetDate.slice(0, 10)}`
             : '';
-        lines.push(`**Milestone**: ${data.task.milestone.name} (${data.task.milestone.status}${target})`);
+        lines.push(`**Milestone**: ${(0, sanitize_1.sanitizeField)(data.task.milestone.name)} (${data.task.milestone.status}${target})`);
     }
     const body = data.task.descriptionMarkdown ?? data.task.description;
     if (body && body.trim().length > 0) {
-        lines.push(`**Description**: ${body}`);
+        lines.push(`**Description**: ${(0, sanitize_1.sanitizeField)(body)}`);
     }
     lines.push('');
     // Frontload memory before sessions: it's cold context the agent should see
     // first. Server returns "" when empty, in which case we skip the section.
     if (data.memorySection && data.memorySection.trim().length > 0) {
-        lines.push(data.memorySection.trimEnd());
+        lines.push((0, sanitize_1.sanitizeField)(data.memorySection.trimEnd()));
         lines.push('');
     }
     if (data.slackContextSection && data.slackContextSection.trim().length > 0) {
-        lines.push(data.slackContextSection.trimEnd());
+        lines.push((0, sanitize_1.sanitizeField)(data.slackContextSection.trimEnd()));
         lines.push('');
     }
     if (data.webLinkSection && data.webLinkSection.trim().length > 0) {
-        lines.push(data.webLinkSection.trimEnd());
+        lines.push((0, sanitize_1.sanitizeField)(data.webLinkSection.trimEnd()));
         lines.push('');
     }
     if (data.figmaSection && data.figmaSection.trim().length > 0) {
-        lines.push(data.figmaSection.trimEnd());
+        lines.push((0, sanitize_1.sanitizeField)(data.figmaSection.trimEnd()));
         lines.push('');
     }
     if (data.artifactSection && data.artifactSection.trim().length > 0) {
-        lines.push(data.artifactSection.trimEnd());
+        lines.push((0, sanitize_1.sanitizeField)(data.artifactSection.trimEnd()));
+        lines.push('');
+    }
+    if (data.docSection && data.docSection.trim().length > 0) {
+        lines.push((0, sanitize_1.sanitizeField)(data.docSection.trimEnd()));
+        lines.push('');
+    }
+    if (data.commentsSection && data.commentsSection.trim().length > 0) {
+        lines.push((0, sanitize_1.sanitizeField)(data.commentsSection.trimEnd()));
+        lines.push('');
+    }
+    if (data.prSection && data.prSection.trim().length > 0) {
+        lines.push((0, sanitize_1.sanitizeField)(data.prSection.trimEnd()));
         lines.push('');
     }
     if (data.sessions.length === 0) {
@@ -101,11 +113,11 @@ function formatTaskContextMarkdown(data, now) {
         const ago = relativeTime(new Date(s.lastActivityAt), now);
         const dur = formatDuration(s.durationMs);
         lines.push(`### Session ${shortId} · ${ago} · ${dur}`);
-        lines.push(`**Summary**: ${s.headline}`);
+        lines.push(`**Summary**: ${(0, sanitize_1.sanitizeField)(s.headline)}`);
         if (s.unresolved.length > 0) {
             lines.push('**Unresolved**:');
             for (const u of s.unresolved)
-                lines.push(`- ${u}`);
+                lines.push(`- ${(0, sanitize_1.sanitizeField)(u)}`);
         }
         lines.push('');
     }

package/dist/cli/src/commands/task-create.js

@@ -8,6 +8,7 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const tag_resolver_1 = require("../lib/tag-resolver");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 const ALLOWED_PRIORITIES = ['LOW', 'MEDIUM', 'HIGH', 'URGENT'];
 /**
  * Assert that the sprint belongs to the same team as the newly created task.
@@ -81,10 +82,10 @@ function normalizePriority(value) {
  * present.
  */
 function formatCreatedTaskLine(task) {
-    const escapedTitle = task.title.replace(/"/g, '\\"');
+    const escapedTitle = (0, sanitize_1.sanitizeField)(task.title).replace(/"/g, '\\"');
     const head = `Created ${task.identifier} "${escapedTitle}"  ${task.url}`;
     if (task.tags && task.tags.length > 0) {
-        return `${head}\nTags: ${task.tags.join(', ')}`;
+        return `${head}\nTags: ${task.tags.map(sanitize_1.sanitizeField).join(', ')}`;
     }
     return head;
 }
@@ -108,8 +109,7 @@ async function taskCreate(title, opts) {
         }
         priority = normalized;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const url = `${base}/api/tasks`;
     let tagIds;
@@ -166,7 +166,7 @@ async function taskCreate(title, opts) {
             const workspaceSlug = creds.workspaceSlug ?? '';
             try {
                 const sprint = await bindTaskToSprint(base, creds.token, workspaceSlug, opts.sprint, { id: data.task.id, teamId: data.task.teamId, identifier: data.task.identifier });
-                process.stdout.write(`Sprint: #${sprint.number} "${sprint.name}"\n`);
+                process.stdout.write(`Sprint: #${sprint.number} "${(0, sanitize_1.sanitizeField)(sprint.name)}"\n`);
             }
             catch (err) {
                 const msg = err instanceof Error ? err.message : String(err);
@@ -175,7 +175,7 @@ async function taskCreate(title, opts) {
                     console.error(msg);
                 }
                 else {
-                    console.error(`Error: ${msg}`);
+                    console.error(`Error: ${(0, sanitize_1.sanitizeField)(msg)}`);
                 }
                 return 1;
             }
@@ -193,7 +193,7 @@ async function taskCreate(title, opts) {
         // Body wasn't JSON; fall through to status-only message
     }
     if (serverMsg) {
-        console.error(`Error: ${serverMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`);
     }
     else {
         console.error(`Error: task create failed (HTTP ${res.status})`);

package/dist/cli/src/commands/task-figma-add.js

@@ -2,12 +2,13 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskFigmaAdd = taskFigmaAdd;
 const figma_api_1 = require("../lib/figma-api");
+const sanitize_1 = require("../lib/sanitize");
 async function taskFigmaAdd(args) {
     try {
         const { link } = await (0, figma_api_1.addFigmaLink)(args.identifier, args.url);
-        const label = link.frameName
+        const label = (0, sanitize_1.sanitizeField)(link.frameName
             ? `${link.fileName} · ${link.frameName}`
-            : `${link.fileName}${link.nodeId === '' ? ' (file-level)' : ''}`;
+            : `${link.fileName}${link.nodeId === '' ? ' (file-level)' : ''}`);
         console.log(`Linked ${args.identifier} ↔ Figma "${label}"`);
         console.log(`  ${link.url}`);
         return 0;

package/dist/cli/src/commands/task-figma-context.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.taskFigmaContext = taskFigmaContext;
+const config_1 = require("../lib/config");
+const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
+/**
+ * `lumo task figma context <LUM-N> <link-id>`
+ *
+ * Tier-2 retrieval for the cheap inline Figma card. Reads the cached design
+ * metadata (file/frame name, url, thumbnail, last sync) from
+ * `/api/tasks/:id/figma-links/:linkId/context`. Live design context (layers,
+ * variables, code connect) needs the Figma MCP server, so the route degrades to
+ * metadata + a `note`; we print the note when present.
+ */
+async function taskFigmaContext(identifier, linkId) {
+    if (!identifier || !linkId) {
+        console.error('Error: usage: lumo task figma context <LUM-42> <link-id>');
+        return 1;
+    }
+    const creds = (0, config_1.readCredentials)();
+    if (!creds) {
+        console.error('Error: not logged in. Run `lumo auth login` first.');
+        return 1;
+    }
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
+    const base = (0, api_1.trimTrailingSlash)(apiUrl);
+    let res;
+    try {
+        res = await fetch(`${base}/api/tasks/${encodeURIComponent(identifier)}/figma-links/${encodeURIComponent(linkId)}/context`, { headers: { Authorization: `Bearer ${creds.token}` } });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Error: could not reach Lumo API at ${apiUrl} (${msg})`);
+        return 1;
+    }
+    if (res.status === 401) {
+        console.error('Error: API key invalid or revoked. Run `lumo auth login`.');
+        return 1;
+    }
+    if (res.status === 404) {
+        console.error(`Error: task ${identifier} or figma link ${linkId} not found in workspace ${creds.workspaceSlug}`);
+        return 1;
+    }
+    if (!res.ok) {
+        console.error(`Error: figma context failed (HTTP ${res.status})`);
+        return 1;
+    }
+    const { metadata, note } = (await res.json());
+    if (metadata.fileName)
+        console.log(`file:  ${(0, sanitize_1.sanitizeField)(metadata.fileName)}`);
+    if (metadata.frameName)
+        console.log(`frame: ${(0, sanitize_1.sanitizeField)(metadata.frameName)}`);
+    console.log(`url:   ${metadata.url}`);
+    if (metadata.lastSyncedAt)
+        console.log(`synced: ${metadata.lastSyncedAt}`);
+    if (metadata.lastSyncError)
+        console.log(`syncError: ${(0, sanitize_1.sanitizeField)(metadata.lastSyncError)}`);
+    if (note)
+        console.log(`\nnote: ${(0, sanitize_1.sanitizeField)(note)}`);
+}

package/dist/cli/src/commands/task-figma-list.js

@@ -2,12 +2,13 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskFigmaList = taskFigmaList;
 const figma_api_1 = require("../lib/figma-api");
+const sanitize_1 = require("../lib/sanitize");
 const STALE_MS = 25 * 24 * 3600 * 1000;
 function formatRow(id, fileName, frame, synced, stale) {
     return [
         id.padEnd(10),
-        fileName.padEnd(20),
-        frame.padEnd(24),
+        (0, sanitize_1.sanitizeField)(fileName).padEnd(20),
+        (0, sanitize_1.sanitizeField)(frame).padEnd(24),
         synced.padEnd(12),
         stale ? '⚠ thumbnail stale' : '',
     ]

package/dist/cli/src/commands/task-figma-refresh.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskFigmaRefresh = taskFigmaRefresh;
 const figma_api_1 = require("../lib/figma-api");
+const sanitize_1 = require("../lib/sanitize");
 async function taskFigmaRefresh(args) {
     try {
         const { links } = await (0, figma_api_1.listFigmaLinks)(args.identifier);
@@ -15,14 +16,14 @@ async function taskFigmaRefresh(args) {
         for (const r of results) {
             const link = byId.get(r.id);
             const label = link
-                ? link.frameName
+                ? (0, sanitize_1.sanitizeField)(link.frameName
                     ? `${link.fileName} · ${link.frameName}`
-                    : `${link.fileName} (file-level)`
+                    : `${link.fileName} (file-level)`)
                 : r.id;
             if (r.ok)
                 console.log(`  ✓ ${label}`);
             else
-                console.log(`  ✗ ${label} (${r.error})`);
+                console.log(`  ✗ ${label} (${(0, sanitize_1.sanitizeField)(r.error ?? '')})`);
         }
         return 0;
     }

package/dist/cli/src/commands/task-figma-rm.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskFigmaRm = taskFigmaRm;
 const figma_api_1 = require("../lib/figma-api");
+const sanitize_1 = require("../lib/sanitize");
 async function taskFigmaRm(args) {
     const { links } = await (0, figma_api_1.listFigmaLinks)(args.identifier);
     const match = links.find(l => l.id === args.linkIdOrUrl || l.url === args.linkIdOrUrl);
@@ -10,9 +11,9 @@ async function taskFigmaRm(args) {
         return 0;
     }
     await (0, figma_api_1.removeFigmaLink)(args.identifier, match.id);
-    const label = match.frameName
+    const label = (0, sanitize_1.sanitizeField)(match.frameName
         ? `${match.fileName} · ${match.frameName}`
-        : `${match.fileName} (file-level)`;
+        : `${match.fileName} (file-level)`);
     console.log(`Removed Figma link from ${args.identifier}: "${label}"`);
     return 0;
 }

package/dist/cli/src/commands/task-list.js

@@ -43,8 +43,7 @@ async function taskList(opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let milestoneId;
     if (opts.milestone !== undefined) {

package/dist/cli/src/commands/task-pr-show.js

@@ -0,0 +1,66 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.taskPrShow = taskPrShow;
+const config_1 = require("../lib/config");
+const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
+/**
+ * `lumo task pr show <LUM-N> <number>`
+ *
+ * Tier-2 retrieval for the cheap inline PR card. Reads the synced PR record
+ * (title, state, ciStatus, branches, author, url) from
+ * `/api/tasks/:id/pull-requests/:number`. Live diff + review comments need a
+ * GitHub token, so the route degrades to the stored record + a `note`; we print
+ * the note when present.
+ */
+async function taskPrShow(identifier, prNumber) {
+    if (!identifier || !prNumber) {
+        console.error('Error: usage: lumo task pr show <LUM-42> <number>');
+        return 1;
+    }
+    const creds = (0, config_1.readCredentials)();
+    if (!creds) {
+        console.error('Error: not logged in. Run `lumo auth login` first.');
+        return 1;
+    }
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
+    const base = (0, api_1.trimTrailingSlash)(apiUrl);
+    let res;
+    try {
+        res = await fetch(`${base}/api/tasks/${encodeURIComponent(identifier)}/pull-requests/${encodeURIComponent(prNumber)}`, { headers: { Authorization: `Bearer ${creds.token}` } });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Error: could not reach Lumo API at ${apiUrl} (${msg})`);
+        return 1;
+    }
+    if (res.status === 401) {
+        console.error('Error: API key invalid or revoked. Run `lumo auth login`.');
+        return 1;
+    }
+    if (res.status === 400) {
+        console.error(`Error: invalid PR number "${prNumber}"`);
+        return 1;
+    }
+    if (res.status === 404) {
+        console.error(`Error: task ${identifier} or PR #${prNumber} not found in workspace ${creds.workspaceSlug}`);
+        return 1;
+    }
+    if (!res.ok) {
+        console.error(`Error: pr show failed (HTTP ${res.status})`);
+        return 1;
+    }
+    const { pullRequest: pr, note } = (await res.json());
+    console.log(`#${pr.number}${pr.repo ? ` (${(0, sanitize_1.sanitizeField)(pr.repo)})` : ''}  ${(0, sanitize_1.sanitizeField)(pr.title ?? '')}`);
+    console.log(`state:    ${pr.state ?? 'unknown'}${pr.isDraft ? ' · draft' : ''}`);
+    if (pr.ciStatus)
+        console.log(`ci:       ${pr.ciStatus}`);
+    if (pr.authorLogin)
+        console.log(`author:   ${(0, sanitize_1.sanitizeField)(pr.authorLogin)}`);
+    if (pr.headBranch || pr.baseBranch)
+        console.log(`branch:   ${pr.headBranch ?? '?'} → ${pr.baseBranch ?? '?'}`);
+    if (pr.url)
+        console.log(`url:      ${pr.url}`);
+    if (note)
+        console.log(`\nnote: ${(0, sanitize_1.sanitizeField)(note)}`);
+}

package/dist/cli/src/commands/task-show.js

@@ -4,20 +4,22 @@ exports.formatTaskShow = formatTaskShow;
 exports.taskShow = taskShow;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 /**
  * Render task detail as a key:value block. Multi-line description is
  * indented under a `Description:` label so the structure stays scannable.
  */
 function formatTaskShow(task) {
     const lines = [];
-    lines.push(`${task.identifier}  ${task.title}`);
+    lines.push(`${task.identifier}  ${(0, sanitize_1.sanitizeField)(task.title)}`);
     lines.push(`Status:    ${task.status}`);
     lines.push(`Priority:  ${task.priority}`);
-    lines.push(`Project:   ${task.project.name}`);
+    lines.push(`Project:   ${(0, sanitize_1.sanitizeField)(task.project.name)}`);
     if (task.assignee) {
+        const label = (0, sanitize_1.sanitizeField)(task.assignee.label);
         const detail = task.assignee.email && task.assignee.type === 'member'
-            ? `${task.assignee.label} <${task.assignee.email}>`
-            : task.assignee.label;
+            ? `${label} <${(0, sanitize_1.sanitizeField)(task.assignee.email)}>`
+            : label;
         lines.push(`Assignee:  ${detail}`);
     }
     else {
@@ -28,7 +30,7 @@ function formatTaskShow(task) {
     if (body && body.trim().length > 0) {
         lines.push('');
         lines.push('Description:');
-        for (const line of body.split('\n')) {
+        for (const line of (0, sanitize_1.sanitizeField)(body).split('\n')) {
             lines.push(`  ${line}`);
         }
     }
@@ -44,8 +46,7 @@ async function taskShow(identifier) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/tasks/by-identifier/${encodeURIComponent(identifier)}`;
     let res;
     try {

package/dist/cli/src/commands/task-slack-show.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.taskSlackShow = taskSlackShow;
+const config_1 = require("../lib/config");
+const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
+/**
+ * `lumo task slack show <LUM-N> <context-id>`
+ *
+ * Tier-2 retrieval for the cheap inline Slack card. Fetches the stored thread
+ * snapshot (no live Slack call) from
+ * `/api/tasks/:id/slack-contexts/:contextId/snapshot` and prints one line per
+ * message as `author: text`, falling back to `@<userId>` when the display name
+ * is missing.
+ */
+async function taskSlackShow(identifier, contextId) {
+    if (!identifier || !contextId) {
+        console.error('Error: usage: lumo task slack show <LUM-42> <context-id>');
+        return 1;
+    }
+    const creds = (0, config_1.readCredentials)();
+    if (!creds) {
+        console.error('Error: not logged in. Run `lumo auth login` first.');
+        return 1;
+    }
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
+    const base = (0, api_1.trimTrailingSlash)(apiUrl);
+    let res;
+    try {
+        res = await fetch(`${base}/api/tasks/${encodeURIComponent(identifier)}/slack-contexts/${encodeURIComponent(contextId)}/snapshot`, { headers: { Authorization: `Bearer ${creds.token}` } });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Error: could not reach Lumo API at ${apiUrl} (${msg})`);
+        return 1;
+    }
+    if (res.status === 401) {
+        console.error('Error: API key invalid or revoked. Run `lumo auth login`.');
+        return 1;
+    }
+    if (res.status === 404) {
+        console.error(`Error: task ${identifier} or slack context ${contextId} not found in workspace ${creds.workspaceSlug}`);
+        return 1;
+    }
+    if (!res.ok) {
+        console.error(`Error: slack show failed (HTTP ${res.status})`);
+        return 1;
+    }
+    const { snapshot } = (await res.json());
+    const messages = snapshot?.messages ?? [];
+    if (messages.length === 0) {
+        console.log('(no messages in stored snapshot)');
+        return;
+    }
+    for (const m of messages) {
+        const author = (0, sanitize_1.sanitizeField)(m.userName ?? '@' + m.userId);
+        console.log(`${author}: ${(0, sanitize_1.sanitizeField)(m.text)}`);
+    }
+}

package/dist/cli/src/commands/task-update.js

@@ -10,6 +10,7 @@ const api_1 = require("../lib/api");
 const task_create_1 = require("./task-create");
 const tag_resolver_1 = require("../lib/tag-resolver");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 const ALLOWED_STATUSES = ['TODO', 'IN_PROGRESS', 'IN_REVIEW', 'DONE'];
 /**
  * Pure function: given the task's current sprint binding and the resolved
@@ -87,10 +88,10 @@ function buildUpdatePayload(opts) {
  * Appends a Tags line when tags are present.
  */
 function formatUpdatedTaskLine(task) {
-    const escapedTitle = task.title.replace(/"/g, '\\"');
+    const escapedTitle = (0, sanitize_1.sanitizeField)(task.title).replace(/"/g, '\\"');
     const head = `Updated ${task.identifier} "${escapedTitle}"  ${task.url}`;
     if (task.tags && task.tags.length > 0) {
-        return `${head}\nTags: ${task.tags.join(', ')}`;
+        return `${head}\nTags: ${task.tags.map(sanitize_1.sanitizeField).join(', ')}`;
     }
     return head;
 }
@@ -146,8 +147,7 @@ async function taskUpdate(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     // Resolve tag refs into ids
     let tagIds;
     let addTagIds;
@@ -235,7 +235,7 @@ async function taskUpdate(identifier, opts) {
                 // Body wasn't JSON; fall through to status-only message
             }
             if (serverMsg) {
-                console.error(`Error: ${serverMsg}`);
+                console.error(`Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`);
             }
             else {
                 console.error(`Error: task update failed (HTTP ${res.status})`);
@@ -365,7 +365,7 @@ async function taskUpdate(identifier, opts) {
                         errMsg = b.error;
                 }
                 catch { /* ignore */ }
-                console.error(`Error: ${errMsg}`);
+                console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
                 return 1;
             }
             const oldLabel = oldNumber !== null ? `#${oldNumber}` : action.oldSprintId;
@@ -397,7 +397,7 @@ async function taskUpdate(identifier, opts) {
                         errMsg = b.error;
                 }
                 catch { /* ignore */ }
-                console.error(`Error: ${errMsg}`);
+                console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
                 return 1;
             }
             // resolvedSprintNumber is set from the resolveSprintId call above

package/dist/cli/src/commands/task-web-show.js

@@ -0,0 +1,64 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.taskWebShow = taskWebShow;
+const config_1 = require("../lib/config");
+const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
+/**
+ * `lumo task web show <LUM-N> <link-id>`
+ *
+ * Tier-2 retrieval for the cheap inline WebLink card. Fetches the page body
+ * (cached, or fetched behind the SSRF guard on first read) from
+ * `/api/tasks/:id/web-links/:linkId/body` and prints it as plain text.
+ */
+async function taskWebShow(identifier, linkId) {
+    if (!identifier || !linkId) {
+        console.error('Error: usage: lumo task web show <LUM-42> <link-id>');
+        return 1;
+    }
+    const creds = (0, config_1.readCredentials)();
+    if (!creds) {
+        console.error('Error: not logged in. Run `lumo auth login` first.');
+        return 1;
+    }
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
+    const base = (0, api_1.trimTrailingSlash)(apiUrl);
+    let res;
+    try {
+        res = await fetch(`${base}/api/tasks/${encodeURIComponent(identifier)}/web-links/${encodeURIComponent(linkId)}/body`, { headers: { Authorization: `Bearer ${creds.token}` } });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Error: could not reach Lumo API at ${apiUrl} (${msg})`);
+        return 1;
+    }
+    if (res.status === 401) {
+        console.error('Error: API key invalid or revoked. Run `lumo auth login`.');
+        return 1;
+    }
+    if (res.status === 404) {
+        console.error(`Error: task ${identifier} or web link ${linkId} not found in workspace ${creds.workspaceSlug}`);
+        return 1;
+    }
+    if (!res.ok) {
+        let serverMsg = null;
+        try {
+            const errBody = (await res.json());
+            if (typeof errBody.error === 'string')
+                serverMsg = errBody.error;
+        }
+        catch {
+            /* not JSON */
+        }
+        console.error(serverMsg
+            ? `Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`
+            : `Error: web show failed (HTTP ${res.status})`);
+        return 1;
+    }
+    const { body } = (await res.json());
+    if (!body || body.trim().length === 0) {
+        console.log('(empty body)');
+        return;
+    }
+    console.log((0, sanitize_1.sanitizeField)(body));
+}

package/dist/cli/src/commands/whoami.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.whoami = whoami;
 const config_1 = require("../lib/config");
+const sanitize_1 = require("../lib/sanitize");
 async function whoami() {
     const creds = (0, config_1.readCredentials)();
     if (!creds) {
@@ -9,8 +10,8 @@ async function whoami() {
         console.log('Run `lumo auth login` to log in');
         return 1;
     }
-    console.log(`Logged in as ${creds.email}`);
-    console.log(`  Workspace: ${creds.workspaceName} (${creds.workspaceSlug})`);
-    console.log(`  Key: ${creds.apiKeyName} (${creds.apiKeyPrefix})`);
+    console.log(`Logged in as ${(0, sanitize_1.sanitizeField)(creds.email)}`);
+    console.log(`  Workspace: ${(0, sanitize_1.sanitizeField)(creds.workspaceName)} (${creds.workspaceSlug})`);
+    console.log(`  Key: ${(0, sanitize_1.sanitizeField)(creds.apiKeyName)} (${creds.apiKeyPrefix})`);
     console.log(`  API: ${creds.apiUrl}`);
 }