@lumoai/cli 1.5.0 → 1.5.1

package/dist/cli/src/commands/session-attach.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sessionAttach = sessionAttach;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 /**
  * `lumo session attach <identifier>` — bind the currently-running
  * Claude Code session to a task.
@@ -30,8 +31,7 @@ async function sessionAttach(identifier) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/sessions/${encodeURIComponent(sessionId)}/bind-task`;
     let res;
     try {
@@ -63,7 +63,7 @@ async function sessionAttach(identifier) {
         catch {
             // fall through
         }
-        console.error(`Error: ${message}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(message)}`);
         return 1;
     }
     if (!res.ok) {
@@ -71,10 +71,10 @@ async function sessionAttach(identifier) {
         return 1;
     }
     const result = (await res.json());
-    console.log(`Attached session ${sessionId} to ${result.taskIdentifier} "${result.taskTitle}"`);
+    console.log(`Attached session ${sessionId} to ${result.taskIdentifier} "${(0, sanitize_1.sanitizeField)(result.taskTitle)}"`);
     console.log(`Re-tagged ${result.retaggedEventCount} previously-untagged event${result.retaggedEventCount === 1 ? '' : 's'} in this session.`);
     if (result.memorySection !== '') {
         console.log('');
-        console.log(result.memorySection);
+        console.log((0, sanitize_1.sanitizeField)(result.memorySection));
     }
 }

package/dist/cli/src/commands/session-detach.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sessionDetach = sessionDetach;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 /**
  * `lumo session detach` — clear the task binding on the current Claude Code
  * session. Idempotent: re-detaching an already-unbound session reports
@@ -24,8 +25,7 @@ async function sessionDetach() {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/sessions/${encodeURIComponent(sessionId)}/bind-task`;
     let res;
     try {
@@ -56,5 +56,5 @@ async function sessionDetach() {
         process.stdout.write(`Session ${sessionId} was already unbound.\n`);
         return;
     }
-    process.stdout.write(`Detached session ${sessionId} from ${data.previousTaskIdentifier} "${data.previousTaskTitle}".\n`);
+    process.stdout.write(`Detached session ${sessionId} from ${data.previousTaskIdentifier} "${(0, sanitize_1.sanitizeField)(data.previousTaskTitle ?? '')}".\n`);
 }

package/dist/cli/src/commands/session-status.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sessionStatus = sessionStatus;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 async function sessionStatus() {
     const sessionId = process.env.CLAUDE_CODE_SESSION_ID;
     if (!sessionId) {
@@ -15,8 +16,7 @@ async function sessionStatus() {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/sessions/${encodeURIComponent(sessionId)}`;
     let res;
     try {
@@ -47,7 +47,7 @@ async function sessionStatus() {
     const data = (await res.json());
     if (data.taskIdentifier && data.taskTitle) {
         process.stdout.write(`Session ${sessionId}\n` +
-            `  Bound to:  ${data.taskIdentifier} "${data.taskTitle}"\n` +
+            `  Bound to:  ${data.taskIdentifier} "${(0, sanitize_1.sanitizeField)(data.taskTitle)}"\n` +
             `  Events:    ${data.eventCount}\n`);
     }
     else {

package/dist/cli/src/commands/setup.js

@@ -33,6 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveAgentToken = resolveAgentToken;
 exports.setup = setup;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
@@ -40,11 +41,35 @@ const path = __importStar(require("path"));
 const child_process_1 = require("child_process");
 const hooks_template_1 = require("../lib/hooks-template");
 const line_prompt_1 = require("../lib/line-prompt");
+const agent_1 = require("../lib/agent");
+const config_1 = require("../lib/config");
+/**
+ * Validate the `--agent` flag and canonicalize it to the CLI token baked into
+ * the hook commands. Defaults to `claude-code` — accurate today, since only
+ * Claude Code emits hook events. Returns `{ error }` for an unrecognized
+ * token so the caller can abort before writing settings.json.
+ */
+function resolveAgentToken(raw) {
+    if (raw === undefined)
+        return { token: 'claude-code' };
+    const enumValue = (0, agent_1.normalizeAgent)(raw);
+    if (!enumValue) {
+        return {
+            error: `Unknown agent "${raw}". Valid agents: ${agent_1.VALID_AGENT_TOKENS.join(', ')}.`,
+        };
+    }
+    return { token: agent_1.ENUM_TO_TOKEN[enumValue] };
+}
 async function setup(options) {
     if (options.user && options.project) {
         process.stderr.write('Error: --user and --project are mutually exclusive.\n');
         return 1;
     }
+    const agentResult = resolveAgentToken(options.agent);
+    if ('error' in agentResult) {
+        process.stderr.write(`Error: ${agentResult.error}\n`);
+        return 1;
+    }
     const scope = await resolveScope(options);
     if (!scope)
         return 130;
@@ -52,7 +77,7 @@ async function setup(options) {
     const claudeDir = path.join(root, '.claude');
     process.stdout.write(`\nInstalling Lumo for ${scope} scope: ${claudeDir}\n\n`);
     installSkill(claudeDir, options.force === true);
-    mergeSettings(claudeDir);
+    mergeSettings(claudeDir, agentResult.token);
     printPostInstall();
     return 0;
 }
@@ -101,7 +126,7 @@ function installSkill(claudeDir, force) {
     fs.copyFileSync(skillSrc, skillDst);
     process.stdout.write(`✓ wrote skill: ${skillDst}\n`);
 }
-function mergeSettings(claudeDir) {
+function mergeSettings(claudeDir, agentToken) {
     const settingsPath = path.join(claudeDir, 'settings.json');
     let existing = {};
     if (fs.existsSync(settingsPath)) {
@@ -116,18 +141,19 @@ function mergeSettings(claudeDir) {
     else {
         fs.mkdirSync(claudeDir, { recursive: true });
     }
-    const { merged, stats } = (0, hooks_template_1.mergeLumoHooks)(existing);
+    const { merged, stats } = (0, hooks_template_1.mergeLumoHooks)(existing, agentToken);
     fs.writeFileSync(settingsPath, JSON.stringify(merged, null, 2) + '\n');
-    if (stats.addedEvents.length === 0) {
-        process.stdout.write(`✓ hooks already wired in: ${settingsPath} (${stats.alreadyPresent.length} events)\n`);
+    const changed = stats.addedEvents.length + stats.updatedEvents.length;
+    if (changed === 0) {
+        process.stdout.write(`✓ hooks already wired in (agent=${agentToken}): ${settingsPath} (${stats.alreadyPresent.length} events)\n`);
     }
     else {
-        process.stdout.write(`✓ merged hooks into ${settingsPath} (added ${stats.addedEvents.length}, kept ${stats.alreadyPresent.length})\n`);
+        process.stdout.write(`✓ merged hooks into ${settingsPath} (agent=${agentToken}; added ${stats.addedEvents.length}, updated ${stats.updatedEvents.length}, kept ${stats.alreadyPresent.length})\n`);
     }
 }
 function printPostInstall() {
     const onPath = isLumoOnPath();
-    const credsPath = path.join(process.env.LUMO_CONFIG_DIR || path.join(os.homedir(), '.lumo'), 'credentials.json');
+    const credsPath = path.join((0, config_1.configDir)(), 'credentials.json');
     const authed = fs.existsSync(credsPath);
     process.stdout.write('\nNext steps:\n');
     if (!onPath || isRunningUnderNpx()) {

package/dist/cli/src/commands/sprint-add.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sprintAdd = sprintAdd;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 const resolve_1 = require("../lib/resolve");
 async function sprintAdd(identifier, taskIdentifier, opts) {
     const creds = (0, config_1.readCredentials)();
@@ -10,8 +11,7 @@ async function sprintAdd(identifier, taskIdentifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -55,7 +55,7 @@ async function sprintAdd(identifier, taskIdentifier, opts) {
         catch {
             // ignore
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
     process.stdout.write(`Added ${taskIdentifier} to sprint #${resolved.number}\n`);

package/dist/cli/src/commands/sprint-close.js

@@ -7,6 +7,7 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
 const format_1 = require("../lib/format");
+const sanitize_1 = require("../lib/sanitize");
 /**
  * Build the decisions map for POST /api/sprints/<id>/close.
  * Only non-DONE tasks get a decision entry; DONE tasks are excluded entirely.
@@ -28,7 +29,7 @@ function buildCloseDecisions(tasks, mode) {
 function formatUnfinishedRefusal(number, name, tasks) {
     const unfinished = tasks.filter(t => t.status !== 'DONE');
     const lines = [
-        `Refusing to close sprint #${number} "${name}": ${unfinished.length} task(s) not DONE.`,
+        `Refusing to close sprint #${number} "${(0, sanitize_1.sanitizeField)(name)}": ${unfinished.length} task(s) not DONE.`,
         '',
         (0, format_1.formatTaskListTable)(unfinished),
         '',
@@ -56,8 +57,7 @@ async function sprintClose(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -144,8 +144,8 @@ async function sprintClose(identifier, opts) {
         catch {
             // body wasn't JSON
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
-    process.stdout.write(`Closed sprint #${sprint.number} "${sprint.name}"\n`);
+    process.stdout.write(`Closed sprint #${sprint.number} "${(0, sanitize_1.sanitizeField)(sprint.name)}"\n`);
 }

package/dist/cli/src/commands/sprint-create.js

@@ -6,6 +6,7 @@ exports.sprintCreate = sprintCreate;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function buildCreateSprintPayload(opts) {
     // start/end are required by the server schema; caller validates presence.
     const payload = {
@@ -17,7 +18,7 @@ function buildCreateSprintPayload(opts) {
     return payload;
 }
 function formatCreatedSprintLine(sprint) {
-    return `Created sprint #${sprint.number} "${sprint.name}"  ${sprint.id}`;
+    return `Created sprint #${sprint.number} "${(0, sanitize_1.sanitizeField)(sprint.name)}"  ${sprint.id}`;
 }
 async function sprintCreate(opts) {
     if (!opts.start || !opts.end) {
@@ -29,8 +30,7 @@ async function sprintCreate(opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let teamId;
     try {
@@ -72,7 +72,7 @@ async function sprintCreate(opts) {
         catch {
             // ignore
         }
-        console.error(`Error: ${serverMsg ?? `sprint create failed (HTTP ${res.status})`}`);
+        console.error(`Error: ${serverMsg != null ? (0, sanitize_1.sanitizeField)(serverMsg) : `sprint create failed (HTTP ${res.status})`}`);
         return 1;
     }
     const sprint = (await res.json());

package/dist/cli/src/commands/sprint-delete.js

@@ -5,8 +5,9 @@ exports.sprintDelete = sprintDelete;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function formatDeleteRefusal(number, name, taskCount) {
-    const head = `Refusing to delete sprint #${number} "${name}" without --yes.`;
+    const head = `Refusing to delete sprint #${number} "${(0, sanitize_1.sanitizeField)(name)}" without --yes.`;
     const tail = `Re-run with --yes to confirm.`;
     if (taskCount === 0)
         return `${head}\n${tail}`;
@@ -18,8 +19,7 @@ async function sprintDelete(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -81,8 +81,8 @@ async function sprintDelete(identifier, opts) {
         catch {
             // body wasn't JSON
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
-    process.stdout.write(`Deleted sprint #${sprint.number} "${sprint.name}"\n`);
+    process.stdout.write(`Deleted sprint #${sprint.number} "${(0, sanitize_1.sanitizeField)(sprint.name)}"\n`);
 }

package/dist/cli/src/commands/sprint-list.js

@@ -5,6 +5,7 @@ exports.sprintList = sprintList;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 const VALID_STATUSES = ['DRAFT', 'ACTIVE', 'CLOSED'];
 function formatDate(iso) {
     if (!iso)
@@ -25,7 +26,7 @@ function formatSprintList(rows) {
         const statusCol = r.status.padEnd(statusW);
         const numCol = `#${r.number}`.padEnd(numW + 1); // +1 for the '#'
         const dateRange = `${formatDate(r.startDate)}..${formatDate(r.endDate)}`;
-        return `${statusCol}  ${numCol}  ${dateRange}  ${r.name}`;
+        return `${statusCol}  ${numCol}  ${dateRange}  ${(0, sanitize_1.sanitizeField)(r.name)}`;
     })
         .join('\n');
 }
@@ -49,8 +50,7 @@ async function sprintList(options) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let teamId;
     try {

package/dist/cli/src/commands/sprint-remove.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sprintRemove = sprintRemove;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 const resolve_1 = require("../lib/resolve");
 async function sprintRemove(identifier, taskIdentifier, opts) {
     const creds = (0, config_1.readCredentials)();
@@ -10,8 +11,7 @@ async function sprintRemove(identifier, taskIdentifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -50,7 +50,7 @@ async function sprintRemove(identifier, taskIdentifier, opts) {
         catch {
             // ignore
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
     process.stdout.write(`Removed ${taskIdentifier} from sprint #${resolved.number}\n`);

package/dist/cli/src/commands/sprint-show.js

@@ -6,14 +6,15 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
 const format_1 = require("../lib/format");
+const sanitize_1 = require("../lib/sanitize");
 function fmtDate(iso) {
     return iso ? iso.slice(0, 10) : '-';
 }
 function formatSprintShow(s, progress, tasks) {
     const lines = [
-        `Sprint:    #${s.number} ${s.name}`,
+        `Sprint:    #${s.number} ${(0, sanitize_1.sanitizeField)(s.name)}`,
         `Status:    ${s.status}`,
-        `Team:      ${s.team.name}`,
+        `Team:      ${(0, sanitize_1.sanitizeField)(s.team.name)}`,
         `Start:     ${fmtDate(s.startDate)}`,
         `End:       ${fmtDate(s.endDate)}`,
         `Started:   ${fmtDate(s.startedAt)}`,
@@ -32,8 +33,7 @@ async function sprintShow(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let sprintId;
     try {

package/dist/cli/src/commands/sprint-start.js

@@ -4,14 +4,14 @@ exports.sprintStart = sprintStart;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 async function sprintStart(identifier, opts) {
     const creds = (0, config_1.readCredentials)();
     if (!creds) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -61,8 +61,8 @@ async function sprintStart(identifier, opts) {
         catch {
             // ignore
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
-    process.stdout.write(`Started sprint #${displayNumber} "${displayName}"\n`);
+    process.stdout.write(`Started sprint #${displayNumber} "${(0, sanitize_1.sanitizeField)(displayName)}"\n`);
 }

package/dist/cli/src/commands/sprint-summary.js

@@ -5,9 +5,10 @@ exports.sprintSummary = sprintSummary;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function formatSprintSummary(input) {
     const { number, name, stats, tldr, report } = input;
-    const lines = [`Sprint: #${number} ${name}`];
+    const lines = [`Sprint: #${number} ${(0, sanitize_1.sanitizeField)(name)}`];
     if (stats === null && tldr === null && report === null) {
         lines.push('', '(no summary generated yet)');
         return lines.join('\n');
@@ -16,10 +17,10 @@ function formatSprintSummary(input) {
         lines.push(`Done:   ${stats.done} / ${stats.total}`);
     }
     if (tldr) {
-        lines.push('', tldr);
+        lines.push('', (0, sanitize_1.sanitizeField)(tldr));
     }
     if (report) {
-        lines.push('', report);
+        lines.push('', (0, sanitize_1.sanitizeField)(report));
     }
     return lines.join('\n');
 }
@@ -29,8 +30,7 @@ async function sprintSummary(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -82,7 +82,7 @@ async function sprintSummary(identifier, opts) {
             catch {
                 // ignore
             }
-            console.error(`Error: ${errMsg}`);
+            console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
             return 1;
         }
         // 202 means queued; regeneration is async. The GET below may still return
@@ -124,7 +124,7 @@ async function sprintSummary(identifier, opts) {
         catch {
             // ignore
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
     // 404 → fall through with all-null; formatSprintSummary renders the friendly marker.

package/dist/cli/src/commands/sprint-update.js

@@ -6,6 +6,7 @@ exports.sprintUpdate = sprintUpdate;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function buildSprintUpdatePayload(opts) {
     const payload = {};
     const flagsGiven = [];
@@ -29,9 +30,10 @@ function fmtDate(v) {
     return v.slice(0, 10);
 }
 function formatSprintUpdateSummary(before, after) {
+    const beforeName = (0, sanitize_1.sanitizeField)(before.name);
     const changes = [];
     if (after.name !== undefined && after.name !== before.name) {
-        changes.push(`name "${before.name}" → "${after.name}"`);
+        changes.push(`name "${beforeName}" → "${(0, sanitize_1.sanitizeField)(after.name)}"`);
     }
     if (after.startDate !== undefined) {
         changes.push(`start → ${fmtDate(after.startDate)}`);
@@ -39,7 +41,7 @@ function formatSprintUpdateSummary(before, after) {
     if (after.endDate !== undefined) {
         changes.push(`end → ${fmtDate(after.endDate)}`);
     }
-    return `Updated sprint #${before.number} "${before.name}": ${changes.join(', ')}`;
+    return `Updated sprint #${before.number} "${beforeName}": ${changes.join(', ')}`;
 }
 async function sprintUpdate(identifier, opts) {
     // Reject empty strings — these fields can't be cleared.
@@ -65,8 +67,7 @@ async function sprintUpdate(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let sprintId;
     let resolvedNumber;
@@ -141,7 +142,7 @@ async function sprintUpdate(identifier, opts) {
         catch {
             // body wasn't JSON; keep the status-only message
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
     process.stdout.write(formatSprintUpdateSummary(beforeSnapshot, payload) + '\n');

package/dist/cli/src/commands/task-artifact-add.js

@@ -5,6 +5,8 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const doc_input_1 = require("../lib/doc-input");
 const agent_1 = require("../lib/agent");
+const sanitize_1 = require("../lib/sanitize");
+const path_guard_1 = require("../lib/path-guard");
 async function taskArtifactAdd(identifier, options) {
     if (!identifier) {
         console.error('Error: missing <task>. Usage: lumo task artifact add <LUM-42> --kind spec --title "Spec" --file spec.md --source Superpowers');
@@ -39,9 +41,20 @@ async function taskArtifactAdd(identifier, options) {
         console.error('Error: --file <path> is required.');
         return 1;
     }
+    const verdict = (0, path_guard_1.checkArtifactFilePath)(options.file);
+    if (!verdict.ok) {
+        if (verdict.reason === 'unreadable') {
+            console.error(`Error: could not read file ${options.file}`);
+        }
+        else {
+            console.error(`Error: refusing to read ${options.file} — ${verdict.detail}. ` +
+                `artifact --file must be a non-sensitive path inside the project directory.`);
+        }
+        return 1;
+    }
     let content;
     try {
-        content = await (0, doc_input_1.readFileUtf8)(options.file);
+        content = await (0, doc_input_1.readFileUtf8)(verdict.resolved);
     }
     catch {
         console.error(`Error: could not read file ${options.file}`);
@@ -56,8 +69,7 @@ async function taskArtifactAdd(identifier, options) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const payload = {
         kind,
@@ -101,10 +113,10 @@ async function taskArtifactAdd(identifier, options) {
             /* not JSON */
         }
         console.error(serverMsg
-            ? `Error: ${serverMsg}`
+            ? `Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`
             : `Error: artifact add failed (HTTP ${res.status})`);
         return 1;
     }
     const data = (await res.json());
-    process.stdout.write(`Added [${data.artifact.kind}] "${data.artifact.title}" to ${identifier}\n`);
+    process.stdout.write(`Added [${(0, sanitize_1.sanitizeField)(data.artifact.kind)}] "${(0, sanitize_1.sanitizeField)(data.artifact.title)}" to ${identifier}\n`);
 }

package/dist/cli/src/commands/task-artifact-list.js

@@ -4,6 +4,7 @@ exports.taskArtifactList = taskArtifactList;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const agent_1 = require("../lib/agent");
+const sanitize_1 = require("../lib/sanitize");
 async function taskArtifactList(identifier) {
     if (!identifier) {
         console.error('Error: missing <task>. Usage: lumo task artifact list <LUM-42>');
@@ -14,8 +15,7 @@ async function taskArtifactList(identifier) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let res;
     try {
@@ -44,7 +44,7 @@ async function taskArtifactList(identifier) {
         return;
     }
     for (const a of artifacts) {
-        const agentLabel = agent_1.AGENT_LABELS[a.agent] ?? a.agent;
-        process.stdout.write(`${a.id}  ${a.kind.padEnd(10)}  ${agentLabel.padEnd(15)}  ${a.source.padEnd(12)}  ${a.title}\n`);
+        const agentLabel = agent_1.AGENT_LABELS[a.agent] ?? (0, sanitize_1.sanitizeField)(a.agent);
+        process.stdout.write(`${a.id}  ${(0, sanitize_1.sanitizeField)(a.kind).padEnd(10)}  ${agentLabel.padEnd(15)}  ${(0, sanitize_1.sanitizeField)(a.source).padEnd(12)}  ${(0, sanitize_1.sanitizeField)(a.title)}\n`);
     }
 }

package/dist/cli/src/commands/task-artifact-rm.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskArtifactRm = taskArtifactRm;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 async function taskArtifactRm(identifier, artifactId, options) {
     if (!identifier) {
         console.error('Error: missing <task>. Usage: lumo task artifact rm <LUM-42> <artifact-id> --yes');
@@ -21,8 +22,7 @@ async function taskArtifactRm(identifier, artifactId, options) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let res;
     try {
@@ -50,7 +50,7 @@ async function taskArtifactRm(identifier, artifactId, options) {
         catch {
             /* not JSON */
         }
-        console.error(`Error: ${serverMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`);
         return 1;
     }
     if (res.status !== 204) {
@@ -64,7 +64,7 @@ async function taskArtifactRm(identifier, artifactId, options) {
             /* not JSON */
         }
         console.error(serverMsg
-            ? `Error: ${serverMsg}`
+            ? `Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`
             : `Error: artifact rm failed (HTTP ${res.status})`);
         return 1;
     }