@lumoai/cli 1.5.0 → 1.5.1

package/dist/cli/src/commands/task-artifact-show.js

@@ -4,6 +4,7 @@ exports.taskArtifactShow = taskArtifactShow;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const agent_1 = require("../lib/agent");
+const sanitize_1 = require("../lib/sanitize");
 async function taskArtifactShow(identifier, artifactId) {
     if (!identifier) {
         console.error('Error: missing <task>. Usage: lumo task artifact show <LUM-42> <artifact-id>');
@@ -18,8 +19,7 @@ async function taskArtifactShow(identifier, artifactId) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let res;
     try {
@@ -44,7 +44,7 @@ async function taskArtifactShow(identifier, artifactId) {
         catch {
             /* not JSON */
         }
-        console.error(`Error: ${serverMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`);
         return 1;
     }
     if (!res.ok) {
@@ -53,11 +53,11 @@ async function taskArtifactShow(identifier, artifactId) {
     }
     const { artifact } = (await res.json());
     process.stdout.write(`id:     ${artifact.id}\n`);
-    process.stdout.write(`kind:   ${artifact.kind}\n`);
-    process.stdout.write(`title:  ${artifact.title}\n`);
-    process.stdout.write(`source: ${artifact.source}\n`);
-    process.stdout.write(`agent:  ${agent_1.AGENT_LABELS[artifact.agent] ?? artifact.agent}\n`);
+    process.stdout.write(`kind:   ${(0, sanitize_1.sanitizeField)(artifact.kind)}\n`);
+    process.stdout.write(`title:  ${(0, sanitize_1.sanitizeField)(artifact.title)}\n`);
+    process.stdout.write(`source: ${(0, sanitize_1.sanitizeField)(artifact.source)}\n`);
+    process.stdout.write(`agent:  ${agent_1.AGENT_LABELS[artifact.agent] ?? (0, sanitize_1.sanitizeField)(artifact.agent ?? '')}\n`);
     process.stdout.write(`order:  ${artifact.order}\n`);
     process.stdout.write(`task:   ${identifier}\n`);
-    process.stdout.write(`\n${artifact.content}\n`);
+    process.stdout.write(`\n${(0, sanitize_1.sanitizeField)(artifact.content)}\n`);
 }

package/dist/cli/src/commands/task-artifact-update.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskArtifactUpdate = taskArtifactUpdate;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 const agent_1 = require("../lib/agent");
 async function taskArtifactUpdate(identifier, artifactId, options) {
     if (!identifier) {
@@ -55,8 +56,7 @@ async function taskArtifactUpdate(identifier, artifactId, options) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let res;
     try {
@@ -88,7 +88,7 @@ async function taskArtifactUpdate(identifier, artifactId, options) {
         catch {
             /* not JSON */
         }
-        console.error(`Error: ${serverMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`);
         return 1;
     }
     if (res.status !== 200) {
@@ -102,10 +102,10 @@ async function taskArtifactUpdate(identifier, artifactId, options) {
             /* not JSON */
         }
         console.error(serverMsg
-            ? `Error: ${serverMsg}`
+            ? `Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`
             : `Error: artifact update failed (HTTP ${res.status})`);
         return 1;
     }
     const data = (await res.json());
-    process.stdout.write(`Updated [${data.artifact.kind}] "${data.artifact.title}" (${data.artifact.source}) on ${identifier}\n`);
+    process.stdout.write(`Updated [${(0, sanitize_1.sanitizeField)(data.artifact.kind)}] "${(0, sanitize_1.sanitizeField)(data.artifact.title)}" (${(0, sanitize_1.sanitizeField)(data.artifact.source)}) on ${identifier}\n`);
 }

package/dist/cli/src/commands/task-comment-list.js

@@ -0,0 +1,111 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.taskCommentList = taskCommentList;
+const config_1 = require("../lib/config");
+const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
+/**
+ * Strip TipTap/HTML markup to readable plain text. Comment bodies are stored as
+ * HTML; the CLI only needs the visible text. We collapse block tags to newlines
+ * and drop the rest, then decode the handful of entities that survive.
+ */
+function htmlToPlainText(html) {
+    return html
+        .replace(/<\/(p|div|li|h[1-6]|blockquote)>/gi, '\n')
+        .replace(/<br\s*\/?>/gi, '\n')
+        .replace(/<[^>]+>/g, '')
+        .replace(/&nbsp;/g, ' ')
+        .replace(/&amp;/g, '&')
+        .replace(/&lt;/g, '<')
+        .replace(/&gt;/g, '>')
+        .replace(/&quot;/g, '"')
+        .replace(/&#39;/g, "'")
+        .replace(/\n{3,}/g, '\n\n')
+        .trim();
+}
+function printComment(c, indent) {
+    const author = (0, sanitize_1.sanitizeField)(c.authorActorId ?? 'unknown');
+    console.log(`${indent}${author} · ${c.createdAt}`);
+    const text = (0, sanitize_1.sanitizeField)(htmlToPlainText(c.body));
+    for (const line of (text || '(empty)').split('\n')) {
+        console.log(`${indent}${line}`);
+    }
+    console.log('');
+    for (const reply of c.replies ?? []) {
+        printComment(reply, indent + '  ');
+    }
+}
+/**
+ * `lumo task comments list <LUM-N>`
+ *
+ * Tier-2 retrieval for the task comment thread. Resolves the LUM-N identifier to
+ * its DB id (the comments endpoint is keyed by DB id), then fetches the full
+ * thread from `/api/tasks/:id/comments` and prints each top-level comment
+ * (replies indented) as `author · time` followed by the plain-text body.
+ */
+async function taskCommentList(identifier) {
+    if (!identifier) {
+        console.error('Error: usage: lumo task comments list <LUM-42>');
+        return 1;
+    }
+    const creds = (0, config_1.readCredentials)();
+    if (!creds) {
+        console.error('Error: not logged in. Run `lumo auth login` first.');
+        return 1;
+    }
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
+    const base = (0, api_1.trimTrailingSlash)(apiUrl);
+    // 1. Resolve LUM-N → DB id (the comments endpoint takes the DB id).
+    let resolveRes;
+    try {
+        resolveRes = await fetch(`${base}/api/tasks/resolve/${encodeURIComponent(identifier)}`, { headers: { Authorization: `Bearer ${creds.token}` } });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Error: could not reach Lumo API at ${apiUrl} (${msg})`);
+        return 1;
+    }
+    if (resolveRes.status === 401) {
+        console.error('Error: API key invalid or revoked. Run `lumo auth login`.');
+        return 1;
+    }
+    if (resolveRes.status === 404) {
+        console.error(`Error: task ${identifier} not found in workspace ${creds.workspaceSlug}`);
+        return 1;
+    }
+    if (!resolveRes.ok) {
+        console.error(`Error: resolve failed (HTTP ${resolveRes.status})`);
+        return 1;
+    }
+    const resolved = (await resolveRes.json());
+    // 2. Fetch the comment thread.
+    let res;
+    try {
+        res = await fetch(`${base}/api/tasks/${encodeURIComponent(resolved.id)}/comments`, { headers: { Authorization: `Bearer ${creds.token}` } });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Error: could not reach Lumo API at ${apiUrl} (${msg})`);
+        return 1;
+    }
+    if (res.status === 401) {
+        console.error('Error: API key invalid or revoked. Run `lumo auth login`.');
+        return 1;
+    }
+    if (res.status === 404) {
+        console.error(`Error: task ${identifier} not found`);
+        return 1;
+    }
+    if (!res.ok) {
+        console.error(`Error: comments list failed (HTTP ${res.status})`);
+        return 1;
+    }
+    const { comments } = (await res.json());
+    if (!comments || comments.length === 0) {
+        console.log('(no comments)');
+        return;
+    }
+    for (const c of comments) {
+        printComment(c, '');
+    }
+}

package/dist/cli/src/commands/task-comment.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskComment = taskComment;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 /**
  * `lumo task comment <LUM-N> <body>`
  *
@@ -28,8 +29,7 @@ async function taskComment(identifier, body) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     // 1. Resolve LUM-N → DB id (the comments endpoint takes DB id).
     let resolveRes;
@@ -86,7 +86,7 @@ async function taskComment(identifier, body) {
             // Body wasn't JSON
         }
         console.error(serverMsg
-            ? `Error: ${serverMsg}`
+            ? `Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`
             : `Error: comment create failed (HTTP ${postRes.status})`);
         return 1;
     }

package/dist/cli/src/commands/task-context.js

@@ -4,6 +4,7 @@ exports.taskContext = taskContext;
 exports.formatTaskContextMarkdown = formatTaskContextMarkdown;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 async function taskContext(identifier) {
     if (!identifier) {
         console.error('Error: missing <identifier>. Usage: lumo task context <LUM-42>');
@@ -14,8 +15,7 @@ async function taskContext(identifier) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/tasks/context/${encodeURIComponent(identifier)}`;
     let res;
     try {
@@ -52,39 +52,51 @@ async function taskContext(identifier) {
 function formatTaskContextMarkdown(data, now) {
     const lines = [];
     lines.push(`# Task: ${data.task.identifier}`);
-    lines.push(`**Title**: ${data.task.title}`);
+    lines.push(`**Title**: ${(0, sanitize_1.sanitizeField)(data.task.title)}`);
     lines.push(`**Status**: ${data.task.status}`);
     if (data.task.milestone) {
         const target = data.task.milestone.targetDate
             ? `, target ${data.task.milestone.targetDate.slice(0, 10)}`
             : '';
-        lines.push(`**Milestone**: ${data.task.milestone.name} (${data.task.milestone.status}${target})`);
+        lines.push(`**Milestone**: ${(0, sanitize_1.sanitizeField)(data.task.milestone.name)} (${data.task.milestone.status}${target})`);
     }
     const body = data.task.descriptionMarkdown ?? data.task.description;
     if (body && body.trim().length > 0) {
-        lines.push(`**Description**: ${body}`);
+        lines.push(`**Description**: ${(0, sanitize_1.sanitizeField)(body)}`);
     }
     lines.push('');
     // Frontload memory before sessions: it's cold context the agent should see
     // first. Server returns "" when empty, in which case we skip the section.
     if (data.memorySection && data.memorySection.trim().length > 0) {
-        lines.push(data.memorySection.trimEnd());
+        lines.push((0, sanitize_1.sanitizeField)(data.memorySection.trimEnd()));
         lines.push('');
     }
     if (data.slackContextSection && data.slackContextSection.trim().length > 0) {
-        lines.push(data.slackContextSection.trimEnd());
+        lines.push((0, sanitize_1.sanitizeField)(data.slackContextSection.trimEnd()));
         lines.push('');
     }
     if (data.webLinkSection && data.webLinkSection.trim().length > 0) {
-        lines.push(data.webLinkSection.trimEnd());
+        lines.push((0, sanitize_1.sanitizeField)(data.webLinkSection.trimEnd()));
         lines.push('');
     }
     if (data.figmaSection && data.figmaSection.trim().length > 0) {
-        lines.push(data.figmaSection.trimEnd());
+        lines.push((0, sanitize_1.sanitizeField)(data.figmaSection.trimEnd()));
         lines.push('');
     }
     if (data.artifactSection && data.artifactSection.trim().length > 0) {
-        lines.push(data.artifactSection.trimEnd());
+        lines.push((0, sanitize_1.sanitizeField)(data.artifactSection.trimEnd()));
+        lines.push('');
+    }
+    if (data.docSection && data.docSection.trim().length > 0) {
+        lines.push((0, sanitize_1.sanitizeField)(data.docSection.trimEnd()));
+        lines.push('');
+    }
+    if (data.commentsSection && data.commentsSection.trim().length > 0) {
+        lines.push((0, sanitize_1.sanitizeField)(data.commentsSection.trimEnd()));
+        lines.push('');
+    }
+    if (data.prSection && data.prSection.trim().length > 0) {
+        lines.push((0, sanitize_1.sanitizeField)(data.prSection.trimEnd()));
         lines.push('');
     }
     if (data.sessions.length === 0) {
@@ -101,11 +113,11 @@ function formatTaskContextMarkdown(data, now) {
         const ago = relativeTime(new Date(s.lastActivityAt), now);
         const dur = formatDuration(s.durationMs);
         lines.push(`### Session ${shortId} · ${ago} · ${dur}`);
-        lines.push(`**Summary**: ${s.headline}`);
+        lines.push(`**Summary**: ${(0, sanitize_1.sanitizeField)(s.headline)}`);
         if (s.unresolved.length > 0) {
             lines.push('**Unresolved**:');
             for (const u of s.unresolved)
-                lines.push(`- ${u}`);
+                lines.push(`- ${(0, sanitize_1.sanitizeField)(u)}`);
         }
         lines.push('');
     }

package/dist/cli/src/commands/task-create.js

@@ -8,6 +8,7 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const tag_resolver_1 = require("../lib/tag-resolver");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 const ALLOWED_PRIORITIES = ['LOW', 'MEDIUM', 'HIGH', 'URGENT'];
 /**
  * Assert that the sprint belongs to the same team as the newly created task.
@@ -81,10 +82,10 @@ function normalizePriority(value) {
  * present.
  */
 function formatCreatedTaskLine(task) {
-    const escapedTitle = task.title.replace(/"/g, '\\"');
+    const escapedTitle = (0, sanitize_1.sanitizeField)(task.title).replace(/"/g, '\\"');
     const head = `Created ${task.identifier} "${escapedTitle}"  ${task.url}`;
     if (task.tags && task.tags.length > 0) {
-        return `${head}\nTags: ${task.tags.join(', ')}`;
+        return `${head}\nTags: ${task.tags.map(sanitize_1.sanitizeField).join(', ')}`;
     }
     return head;
 }
@@ -108,8 +109,7 @@ async function taskCreate(title, opts) {
         }
         priority = normalized;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const url = `${base}/api/tasks`;
     let tagIds;
@@ -166,7 +166,7 @@ async function taskCreate(title, opts) {
             const workspaceSlug = creds.workspaceSlug ?? '';
             try {
                 const sprint = await bindTaskToSprint(base, creds.token, workspaceSlug, opts.sprint, { id: data.task.id, teamId: data.task.teamId, identifier: data.task.identifier });
-                process.stdout.write(`Sprint: #${sprint.number} "${sprint.name}"\n`);
+                process.stdout.write(`Sprint: #${sprint.number} "${(0, sanitize_1.sanitizeField)(sprint.name)}"\n`);
             }
             catch (err) {
                 const msg = err instanceof Error ? err.message : String(err);
@@ -175,7 +175,7 @@ async function taskCreate(title, opts) {
                     console.error(msg);
                 }
                 else {
-                    console.error(`Error: ${msg}`);
+                    console.error(`Error: ${(0, sanitize_1.sanitizeField)(msg)}`);
                 }
                 return 1;
             }
@@ -193,7 +193,7 @@ async function taskCreate(title, opts) {
         // Body wasn't JSON; fall through to status-only message
     }
     if (serverMsg) {
-        console.error(`Error: ${serverMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`);
     }
     else {
         console.error(`Error: task create failed (HTTP ${res.status})`);

package/dist/cli/src/commands/task-figma-add.js

@@ -2,12 +2,13 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskFigmaAdd = taskFigmaAdd;
 const figma_api_1 = require("../lib/figma-api");
+const sanitize_1 = require("../lib/sanitize");
 async function taskFigmaAdd(args) {
     try {
         const { link } = await (0, figma_api_1.addFigmaLink)(args.identifier, args.url);
-        const label = link.frameName
+        const label = (0, sanitize_1.sanitizeField)(link.frameName
             ? `${link.fileName} · ${link.frameName}`
-            : `${link.fileName}${link.nodeId === '' ? ' (file-level)' : ''}`;
+            : `${link.fileName}${link.nodeId === '' ? ' (file-level)' : ''}`);
         console.log(`Linked ${args.identifier} ↔ Figma "${label}"`);
         console.log(`  ${link.url}`);
         return 0;

package/dist/cli/src/commands/task-figma-context.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.taskFigmaContext = taskFigmaContext;
+const config_1 = require("../lib/config");
+const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
+/**
+ * `lumo task figma context <LUM-N> <link-id>`
+ *
+ * Tier-2 retrieval for the cheap inline Figma card. Reads the cached design
+ * metadata (file/frame name, url, thumbnail, last sync) from
+ * `/api/tasks/:id/figma-links/:linkId/context`. Live design context (layers,
+ * variables, code connect) needs the Figma MCP server, so the route degrades to
+ * metadata + a `note`; we print the note when present.
+ */
+async function taskFigmaContext(identifier, linkId) {
+    if (!identifier || !linkId) {
+        console.error('Error: usage: lumo task figma context <LUM-42> <link-id>');
+        return 1;
+    }
+    const creds = (0, config_1.readCredentials)();
+    if (!creds) {
+        console.error('Error: not logged in. Run `lumo auth login` first.');
+        return 1;
+    }
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
+    const base = (0, api_1.trimTrailingSlash)(apiUrl);
+    let res;
+    try {
+        res = await fetch(`${base}/api/tasks/${encodeURIComponent(identifier)}/figma-links/${encodeURIComponent(linkId)}/context`, { headers: { Authorization: `Bearer ${creds.token}` } });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Error: could not reach Lumo API at ${apiUrl} (${msg})`);
+        return 1;
+    }
+    if (res.status === 401) {
+        console.error('Error: API key invalid or revoked. Run `lumo auth login`.');
+        return 1;
+    }
+    if (res.status === 404) {
+        console.error(`Error: task ${identifier} or figma link ${linkId} not found in workspace ${creds.workspaceSlug}`);
+        return 1;
+    }
+    if (!res.ok) {
+        console.error(`Error: figma context failed (HTTP ${res.status})`);
+        return 1;
+    }
+    const { metadata, note } = (await res.json());
+    if (metadata.fileName)
+        console.log(`file:  ${(0, sanitize_1.sanitizeField)(metadata.fileName)}`);
+    if (metadata.frameName)
+        console.log(`frame: ${(0, sanitize_1.sanitizeField)(metadata.frameName)}`);
+    console.log(`url:   ${metadata.url}`);
+    if (metadata.lastSyncedAt)
+        console.log(`synced: ${metadata.lastSyncedAt}`);
+    if (metadata.lastSyncError)
+        console.log(`syncError: ${(0, sanitize_1.sanitizeField)(metadata.lastSyncError)}`);
+    if (note)
+        console.log(`\nnote: ${(0, sanitize_1.sanitizeField)(note)}`);
+}

package/dist/cli/src/commands/task-figma-list.js

@@ -2,12 +2,13 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskFigmaList = taskFigmaList;
 const figma_api_1 = require("../lib/figma-api");
+const sanitize_1 = require("../lib/sanitize");
 const STALE_MS = 25 * 24 * 3600 * 1000;
 function formatRow(id, fileName, frame, synced, stale) {
     return [
         id.padEnd(10),
-        fileName.padEnd(20),
-        frame.padEnd(24),
+        (0, sanitize_1.sanitizeField)(fileName).padEnd(20),
+        (0, sanitize_1.sanitizeField)(frame).padEnd(24),
         synced.padEnd(12),
         stale ? '⚠ thumbnail stale' : '',
     ]

package/dist/cli/src/commands/task-figma-refresh.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskFigmaRefresh = taskFigmaRefresh;
 const figma_api_1 = require("../lib/figma-api");
+const sanitize_1 = require("../lib/sanitize");
 async function taskFigmaRefresh(args) {
     try {
         const { links } = await (0, figma_api_1.listFigmaLinks)(args.identifier);
@@ -15,14 +16,14 @@ async function taskFigmaRefresh(args) {
         for (const r of results) {
             const link = byId.get(r.id);
             const label = link
-                ? link.frameName
+                ? (0, sanitize_1.sanitizeField)(link.frameName
                     ? `${link.fileName} · ${link.frameName}`
-                    : `${link.fileName} (file-level)`
+                    : `${link.fileName} (file-level)`)
                 : r.id;
             if (r.ok)
                 console.log(`  ✓ ${label}`);
             else
-                console.log(`  ✗ ${label} (${r.error})`);
+                console.log(`  ✗ ${label} (${(0, sanitize_1.sanitizeField)(r.error ?? '')})`);
         }
         return 0;
     }

package/dist/cli/src/commands/task-figma-rm.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.taskFigmaRm = taskFigmaRm;
 const figma_api_1 = require("../lib/figma-api");
+const sanitize_1 = require("../lib/sanitize");
 async function taskFigmaRm(args) {
     const { links } = await (0, figma_api_1.listFigmaLinks)(args.identifier);
     const match = links.find(l => l.id === args.linkIdOrUrl || l.url === args.linkIdOrUrl);
@@ -10,9 +11,9 @@ async function taskFigmaRm(args) {
         return 0;
     }
     await (0, figma_api_1.removeFigmaLink)(args.identifier, match.id);
-    const label = match.frameName
+    const label = (0, sanitize_1.sanitizeField)(match.frameName
         ? `${match.fileName} · ${match.frameName}`
-        : `${match.fileName} (file-level)`;
+        : `${match.fileName} (file-level)`);
     console.log(`Removed Figma link from ${args.identifier}: "${label}"`);
     return 0;
 }

package/dist/cli/src/commands/task-list.js

@@ -43,8 +43,7 @@ async function taskList(opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let milestoneId;
     if (opts.milestone !== undefined) {

package/dist/cli/src/commands/task-pr-show.js

@@ -0,0 +1,66 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.taskPrShow = taskPrShow;
+const config_1 = require("../lib/config");
+const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
+/**
+ * `lumo task pr show <LUM-N> <number>`
+ *
+ * Tier-2 retrieval for the cheap inline PR card. Reads the synced PR record
+ * (title, state, ciStatus, branches, author, url) from
+ * `/api/tasks/:id/pull-requests/:number`. Live diff + review comments need a
+ * GitHub token, so the route degrades to the stored record + a `note`; we print
+ * the note when present.
+ */
+async function taskPrShow(identifier, prNumber) {
+    if (!identifier || !prNumber) {
+        console.error('Error: usage: lumo task pr show <LUM-42> <number>');
+        return 1;
+    }
+    const creds = (0, config_1.readCredentials)();
+    if (!creds) {
+        console.error('Error: not logged in. Run `lumo auth login` first.');
+        return 1;
+    }
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
+    const base = (0, api_1.trimTrailingSlash)(apiUrl);
+    let res;
+    try {
+        res = await fetch(`${base}/api/tasks/${encodeURIComponent(identifier)}/pull-requests/${encodeURIComponent(prNumber)}`, { headers: { Authorization: `Bearer ${creds.token}` } });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Error: could not reach Lumo API at ${apiUrl} (${msg})`);
+        return 1;
+    }
+    if (res.status === 401) {
+        console.error('Error: API key invalid or revoked. Run `lumo auth login`.');
+        return 1;
+    }
+    if (res.status === 400) {
+        console.error(`Error: invalid PR number "${prNumber}"`);
+        return 1;
+    }
+    if (res.status === 404) {
+        console.error(`Error: task ${identifier} or PR #${prNumber} not found in workspace ${creds.workspaceSlug}`);
+        return 1;
+    }
+    if (!res.ok) {
+        console.error(`Error: pr show failed (HTTP ${res.status})`);
+        return 1;
+    }
+    const { pullRequest: pr, note } = (await res.json());
+    console.log(`#${pr.number}${pr.repo ? ` (${(0, sanitize_1.sanitizeField)(pr.repo)})` : ''}  ${(0, sanitize_1.sanitizeField)(pr.title ?? '')}`);
+    console.log(`state:    ${pr.state ?? 'unknown'}${pr.isDraft ? ' · draft' : ''}`);
+    if (pr.ciStatus)
+        console.log(`ci:       ${pr.ciStatus}`);
+    if (pr.authorLogin)
+        console.log(`author:   ${(0, sanitize_1.sanitizeField)(pr.authorLogin)}`);
+    if (pr.headBranch || pr.baseBranch)
+        console.log(`branch:   ${pr.headBranch ?? '?'} → ${pr.baseBranch ?? '?'}`);
+    if (pr.url)
+        console.log(`url:      ${pr.url}`);
+    if (note)
+        console.log(`\nnote: ${(0, sanitize_1.sanitizeField)(note)}`);
+}

package/dist/cli/src/commands/task-show.js

@@ -4,20 +4,22 @@ exports.formatTaskShow = formatTaskShow;
 exports.taskShow = taskShow;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 /**
  * Render task detail as a key:value block. Multi-line description is
  * indented under a `Description:` label so the structure stays scannable.
  */
 function formatTaskShow(task) {
     const lines = [];
-    lines.push(`${task.identifier}  ${task.title}`);
+    lines.push(`${task.identifier}  ${(0, sanitize_1.sanitizeField)(task.title)}`);
     lines.push(`Status:    ${task.status}`);
     lines.push(`Priority:  ${task.priority}`);
-    lines.push(`Project:   ${task.project.name}`);
+    lines.push(`Project:   ${(0, sanitize_1.sanitizeField)(task.project.name)}`);
     if (task.assignee) {
+        const label = (0, sanitize_1.sanitizeField)(task.assignee.label);
         const detail = task.assignee.email && task.assignee.type === 'member'
-            ? `${task.assignee.label} <${task.assignee.email}>`
-            : task.assignee.label;
+            ? `${label} <${(0, sanitize_1.sanitizeField)(task.assignee.email)}>`
+            : label;
         lines.push(`Assignee:  ${detail}`);
     }
     else {
@@ -28,7 +30,7 @@ function formatTaskShow(task) {
     if (body && body.trim().length > 0) {
         lines.push('');
         lines.push('Description:');
-        for (const line of body.split('\n')) {
+        for (const line of (0, sanitize_1.sanitizeField)(body).split('\n')) {
             lines.push(`  ${line}`);
         }
     }
@@ -44,8 +46,7 @@ async function taskShow(identifier) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/tasks/by-identifier/${encodeURIComponent(identifier)}`;
     let res;
     try {