@lumoai/cli 1.5.0 → 1.6.0

package/dist/cli/src/commands/doc-share-list.js

@@ -6,14 +6,18 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_doc_id_1 = require("../lib/resolve-doc-id");
 const resolve_member_1 = require("../lib/resolve-member");
+const sanitize_1 = require("../lib/sanitize");
 function formatShareListRows(rows) {
     if (rows.length === 0)
         return [];
-    const nameWidth = Math.max(...rows.map(r => r.displayName.length));
-    return rows.map(r => {
-        const name = r.displayName.padEnd(nameWidth, ' ');
-        return `${name}  ${r.role}`;
-    });
+    // Sanitize first, then measure/pad off the sanitized string so the
+    // column width matches the printed cell (control chars stripped).
+    const sanitized = rows.map(r => ({
+        name: (0, sanitize_1.sanitizeField)(r.displayName),
+        role: r.role,
+    }));
+    const nameWidth = Math.max(...sanitized.map(r => r.name.length));
+    return sanitized.map(r => `${r.name.padEnd(nameWidth, ' ')}  ${r.role}`);
 }
 async function docShareList(docRef) {
     if (!docRef) {
@@ -25,8 +29,7 @@ async function docShareList(docRef) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const docId = await (0, resolve_doc_id_1.lookupDocId)(apiUrl, creds.token, docRef);
     if (!docId) {
         console.error(`Error: Document not found: ${docRef}`);
@@ -43,7 +46,7 @@ async function docShareList(docRef) {
     ]);
     if (!sharesRes.ok) {
         const text = await sharesRes.text();
-        console.error(`Error: ${sharesRes.status} ${sharesRes.statusText}: ${text}`);
+        console.error(`Error: ${sharesRes.status} ${sharesRes.statusText}: ${(0, sanitize_1.sanitizeField)(text)}`);
         return 1;
     }
     const { shares } = (await sharesRes.json());

package/dist/cli/src/commands/doc-share.js

@@ -6,6 +6,7 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_doc_id_1 = require("../lib/resolve-doc-id");
 const resolve_member_1 = require("../lib/resolve-member");
+const sanitize_1 = require("../lib/sanitize");
 const ALLOWED_ROLES = ['VIEWER', 'EDITOR', 'MANAGER'];
 function normalizeRole(value) {
     if (!value)
@@ -34,8 +35,7 @@ async function docShare(docRef, memberRef, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const docId = await (0, resolve_doc_id_1.lookupDocId)(apiUrl, creds.token, docRef);
     if (!docId) {
         console.error(`Error: Document not found: ${docRef}`);
@@ -55,7 +55,9 @@ async function docShare(docRef, memberRef, opts) {
         return 1;
     }
     if (result.kind === 'ambiguous') {
-        const list = result.candidates.map(c => c.email ?? c.displayName).join(', ');
+        const list = result.candidates
+            .map(c => (0, sanitize_1.sanitizeField)(c.email ?? c.displayName))
+            .join(', ');
         console.error(`Error: multiple members match "${result.query}": ${list}`);
         return 1;
     }
@@ -70,8 +72,8 @@ async function docShare(docRef, memberRef, opts) {
     });
     if (!res.ok) {
         const text = await res.text();
-        console.error(`Error: ${res.status} ${res.statusText}: ${text}`);
+        console.error(`Error: ${res.status} ${res.statusText}: ${(0, sanitize_1.sanitizeField)(text)}`);
         return 1;
     }
-    console.log(`Shared ${docId} ↔ ${result.member.displayName} (${role})`);
+    console.log(`Shared ${docId} ↔ ${(0, sanitize_1.sanitizeField)(result.member.displayName)} (${role})`);
 }

package/dist/cli/src/commands/doc-show.js

@@ -6,6 +6,7 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const markdown_tiptap_1 = require("../lib/markdown-tiptap");
 const resolve_doc_id_1 = require("../lib/resolve-doc-id");
+const sanitize_1 = require("../lib/sanitize");
 function scopeLabel(s) {
     if (s === 'PRIVATE')
         return 'personal';
@@ -16,15 +17,15 @@ function scopeLabel(s) {
 function formatShowOutput(vm) {
     const lines = [
         `ID: ${vm.id}`,
-        `Title: ${vm.title}`,
+        `Title: ${(0, sanitize_1.sanitizeField)(vm.title)}`,
         `Scope: ${scopeLabel(vm.scope)}`,
-        `Project: ${vm.projectName ?? '-'}`,
+        `Project: ${vm.projectName ? (0, sanitize_1.sanitizeField)(vm.projectName) : '-'}`,
         `Created: ${vm.createdAt}`,
         `Updated: ${vm.updatedAt}`,
         `Mentioned tasks: ${vm.mentionedTasks.length ? vm.mentionedTasks.join(', ') : '-'}`,
     ];
     const header = lines.join('\n');
-    return vm.bodyMarkdown ? `${header}\n\n${vm.bodyMarkdown}` : header;
+    return vm.bodyMarkdown ? `${header}\n\n${(0, sanitize_1.sanitizeField)(vm.bodyMarkdown)}` : header;
 }
 async function docShow(reference) {
     if (!reference) {
@@ -36,8 +37,7 @@ async function docShow(reference) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const id = await (0, resolve_doc_id_1.lookupDocId)(apiUrl, creds.token, reference);
     if (!id) {
         console.error(`Error: Document not found: ${reference}`);
@@ -48,7 +48,7 @@ async function docShow(reference) {
     });
     if (!res.ok) {
         const text = await res.text();
-        console.error(`Error: ${res.status} ${res.statusText}: ${text}`);
+        console.error(`Error: ${res.status} ${res.statusText}: ${(0, sanitize_1.sanitizeField)(text)}`);
         return 1;
     }
     // The exact shape of the GET response is not guaranteed; defensively unwrap.

package/dist/cli/src/commands/doc-sync.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatSyncedLine = formatSyncedLine;
+exports.docSync = docSync;
+const config_1 = require("../lib/config");
+const api_1 = require("../lib/api");
+const resolve_doc_id_1 = require("../lib/resolve-doc-id");
+const sanitize_1 = require("../lib/sanitize");
+function formatSyncedLine(doc) {
+    const escaped = (0, sanitize_1.sanitizeField)(doc.title).replace(/"/g, '\\"');
+    return `Synced ${doc.id} "${escaped}" from Google`;
+}
+async function docSync(reference) {
+    const creds = (0, config_1.readCredentials)();
+    if (!creds) {
+        console.error('Error: not logged in. Run `lumo auth login` first.');
+        return 1;
+    }
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
+    const base = (0, api_1.trimTrailingSlash)(apiUrl);
+    const docId = await (0, resolve_doc_id_1.lookupDocId)(apiUrl, creds.token, reference);
+    if (!docId) {
+        console.error(`Error: doc not found: ${reference}`);
+        return 1;
+    }
+    let res;
+    try {
+        res = await fetch(`${base}/api/documents/${docId}/sync-google`, {
+            method: 'POST',
+            headers: { Authorization: `Bearer ${creds.token}` },
+        });
+    }
+    catch (err) {
+        console.error(`Error: network failure: ${err.message}`);
+        return 1;
+    }
+    if (!res.ok) {
+        const text = await res.text();
+        console.error(`Error: ${res.status} ${res.statusText}: ${(0, sanitize_1.sanitizeField)(text)}`);
+        return 1;
+    }
+    const { document } = (await res.json());
+    console.log(formatSyncedLine(document));
+}

package/dist/cli/src/commands/doc-unbind.js

@@ -4,6 +4,7 @@ exports.docUnbind = docUnbind;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_doc_id_1 = require("../lib/resolve-doc-id");
+const sanitize_1 = require("../lib/sanitize");
 async function docUnbind(docRef, task) {
     if (!docRef || !task) {
         console.error('Error: usage: lumo doc unbind <doc> <task>');
@@ -14,8 +15,7 @@ async function docUnbind(docRef, task) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const docId = await (0, resolve_doc_id_1.lookupDocId)(apiUrl, creds.token, docRef);
     if (!docId) {
         console.error(`Error: Document not found: ${docRef}`);
@@ -29,12 +29,12 @@ async function docUnbind(docRef, task) {
     });
     if (res.status === 409) {
         const { error } = (await res.json());
-        console.error(`Error: ${error}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(error)}`);
         return 1;
     }
     if (!res.ok) {
         const text = await res.text();
-        console.error(`Error: ${res.status} ${res.statusText}: ${text}`);
+        console.error(`Error: ${res.status} ${res.statusText}: ${(0, sanitize_1.sanitizeField)(text)}`);
         return 1;
     }
     const data = (await res.json());

package/dist/cli/src/commands/doc-unshare.js

@@ -5,6 +5,7 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_doc_id_1 = require("../lib/resolve-doc-id");
 const resolve_member_1 = require("../lib/resolve-member");
+const sanitize_1 = require("../lib/sanitize");
 async function docUnshare(docRef, memberRef) {
     if (!docRef || !memberRef) {
         console.error('Error: usage: lumo doc unshare <doc> <member>');
@@ -15,8 +16,7 @@ async function docUnshare(docRef, memberRef) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const docId = await (0, resolve_doc_id_1.lookupDocId)(apiUrl, creds.token, docRef);
     if (!docId) {
         console.error(`Error: Document not found: ${docRef}`);
@@ -36,7 +36,9 @@ async function docUnshare(docRef, memberRef) {
         return 1;
     }
     if (result.kind === 'ambiguous') {
-        const list = result.candidates.map(c => c.email ?? c.displayName).join(', ');
+        const list = result.candidates
+            .map(c => (0, sanitize_1.sanitizeField)(c.email ?? c.displayName))
+            .join(', ');
         console.error(`Error: multiple members match "${result.query}": ${list}`);
         return 1;
     }
@@ -48,13 +50,13 @@ async function docUnshare(docRef, memberRef) {
     });
     if (!listRes.ok) {
         const text = await listRes.text();
-        console.error(`Error: ${listRes.status} ${listRes.statusText}: ${text}`);
+        console.error(`Error: ${listRes.status} ${listRes.statusText}: ${(0, sanitize_1.sanitizeField)(text)}`);
         return 1;
     }
     const { shares } = (await listRes.json());
     const row = shares.find(s => s.member.id === result.member.memberId);
     if (!row) {
-        console.log(`Not shared with ${result.member.displayName}`);
+        console.log(`Not shared with ${(0, sanitize_1.sanitizeField)(result.member.displayName)}`);
         return;
     }
     const delUrl = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/documents/${docId}/shares/${row.id}`;
@@ -64,8 +66,8 @@ async function docUnshare(docRef, memberRef) {
     });
     if (!delRes.ok) {
         const text = await delRes.text();
-        console.error(`Error: ${delRes.status} ${delRes.statusText}: ${text}`);
+        console.error(`Error: ${delRes.status} ${delRes.statusText}: ${(0, sanitize_1.sanitizeField)(text)}`);
         return 1;
     }
-    console.log(`Unshared ${docId} ↔ ${result.member.displayName}`);
+    console.log(`Unshared ${docId} ↔ ${(0, sanitize_1.sanitizeField)(result.member.displayName)}`);
 }

package/dist/cli/src/commands/doc-update.js

@@ -8,11 +8,12 @@ const doc_input_1 = require("../lib/doc-input");
 const doc_create_1 = require("./doc-create");
 const resolve_doc_id_1 = require("../lib/resolve-doc-id");
 const tag_resolver_1 = require("../lib/tag-resolver");
+const sanitize_1 = require("../lib/sanitize");
 function formatUpdatedDocLine(doc) {
-    const escaped = doc.title.replace(/"/g, '\\"');
+    const escaped = (0, sanitize_1.sanitizeField)(doc.title).replace(/"/g, '\\"');
     const head = `Updated ${doc.id} "${escaped}"  ${doc.url}`;
     if (doc.tags && doc.tags.length > 0) {
-        return `${head}\nTags: ${doc.tags.join(', ')}`;
+        return `${head}\nTags: ${doc.tags.map(sanitize_1.sanitizeField).join(', ')}`;
     }
     return head;
 }
@@ -26,8 +27,7 @@ async function docUpdate(reference, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     // CLI-side mutex check: --tag/--tag-id (bulk replace) vs --add-tag/--add-tag-id/--remove-tag/--remove-tag-id (incremental)
     const hasBulk = (opts.tag && opts.tag.length > 0) || (opts.tagId && opts.tagId.length > 0);
     const hasIncremental = (opts.addTag && opts.addTag.length > 0) ||
@@ -122,7 +122,7 @@ async function docUpdate(reference, opts) {
     });
     if (!res.ok) {
         const text = await res.text();
-        console.error(`Error: ${res.status} ${res.statusText}: ${text}`);
+        console.error(`Error: ${res.status} ${res.statusText}: ${(0, sanitize_1.sanitizeField)(text)}`);
         return 1;
     }
     const { document } = (await res.json());

package/dist/cli/src/commands/hook.js

@@ -11,9 +11,9 @@ const hook_log_1 = require("../lib/hook-log");
  * if `runHook` someday throws (it currently never does), Claude Code is
  * not disrupted.
  */
-async function hookCommand(path) {
+async function hookCommand(path, agentToken) {
     try {
-        await (0, hook_runner_1.runHook)(path);
+        await (0, hook_runner_1.runHook)(path, agentToken);
     }
     catch (err) {
         (0, hook_log_1.logHookError)(`[${path}] dispatcher`, err);

package/dist/cli/src/commands/memory-project-add.js

@@ -3,10 +3,12 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.memoryProjectAdd = memoryProjectAdd;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 const memory_content_1 = require("../lib/memory-content");
 const resolve_1 = require("../lib/resolve");
 const resolve_bound_task_1 = require("../lib/resolve-bound-task");
 const resolve_project_1 = require("../lib/resolve-project");
+const agent_1 = require("../lib/agent");
 async function memoryProjectAdd(refArg, options) {
     if (!options.category) {
         console.error('Error: --category <trap|decision|convention|procedural> is required.');
@@ -17,13 +19,22 @@ async function memoryProjectAdd(refArg, options) {
         console.error(`Error: ${built.error}`);
         return 1;
     }
+    let agent;
+    const agentRaw = options.agent?.trim();
+    if (agentRaw) {
+        const normalized = (0, agent_1.normalizeAgent)(agentRaw);
+        if (!normalized) {
+            console.error(`Error: invalid --agent "${agentRaw}". Valid values: ${agent_1.VALID_AGENT_TOKENS.join(', ')}.`);
+            return 1;
+        }
+        agent = normalized;
+    }
     const creds = (0, config_1.readCredentials)();
     if (!creds) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let projectId;
     let echoSuffix = '';
@@ -49,7 +60,11 @@ async function memoryProjectAdd(refArg, options) {
         res = await fetch(`${base}/api/projects/${encodeURIComponent(projectId)}/memories`, {
             method: 'POST',
             headers: { Authorization: `Bearer ${creds.token}`, 'Content-Type': 'application/json' },
-            body: JSON.stringify({ category: built.category, content: built.content }),
+            body: JSON.stringify({
+                category: built.category,
+                content: built.content,
+                ...(agent ? { agent } : {}),
+            }),
         });
     }
     catch (err) {
@@ -64,7 +79,7 @@ async function memoryProjectAdd(refArg, options) {
                 m = b.error;
         }
         catch { /* */ }
-        console.error(m ? `Error: ${m}` : `Error: memory add failed (HTTP ${res.status})`);
+        console.error(m ? `Error: ${(0, sanitize_1.sanitizeField)(m)}` : `Error: memory add failed (HTTP ${res.status})`);
         return 1;
     }
     process.stdout.write(`Added ${built.category} PROJECT memory${echoSuffix}\n`);

package/dist/cli/src/commands/memory-project-list.js

@@ -18,8 +18,7 @@ async function memoryProjectList(refArg, options) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let projectId;
     if (refArg) {

package/dist/cli/src/commands/memory-promote.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.memoryPromote = memoryPromote;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 async function memoryPromote(memoryId) {
     if (!memoryId) {
         console.error('Error: missing <memoryId>. Usage: lumo memory promote <memoryId>');
@@ -13,8 +14,7 @@ async function memoryPromote(memoryId) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let res;
     try {
@@ -44,7 +44,7 @@ async function memoryPromote(memoryId) {
                 m = b.error;
         }
         catch { /* */ }
-        console.error(m ? `Error: ${m}` : `Error: promote failed (HTTP ${res.status})`);
+        console.error(m ? `Error: ${(0, sanitize_1.sanitizeField)(m)}` : `Error: promote failed (HTTP ${res.status})`);
         return 1;
     }
     process.stdout.write(`Promoted ${memoryId} to PROJECT — every agent on this project now sees it.\n` +

package/dist/cli/src/commands/memory-rm.js

@@ -17,8 +17,7 @@ async function memoryRm(memoryId, options) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let res;
     try {

package/dist/cli/src/commands/memory-task-add.js

@@ -3,8 +3,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.memoryTaskAdd = memoryTaskAdd;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 const memory_content_1 = require("../lib/memory-content");
 const resolve_bound_task_1 = require("../lib/resolve-bound-task");
+const agent_1 = require("../lib/agent");
 async function memoryTaskAdd(identifierArg, options) {
     if (!options.category) {
         console.error('Error: --category <trap|decision|convention|procedural> is required.');
@@ -15,13 +17,22 @@ async function memoryTaskAdd(identifierArg, options) {
         console.error(`Error: ${built.error}`);
         return 1;
     }
+    let agent;
+    const agentRaw = options.agent?.trim();
+    if (agentRaw) {
+        const normalized = (0, agent_1.normalizeAgent)(agentRaw);
+        if (!normalized) {
+            console.error(`Error: invalid --agent "${agentRaw}". Valid values: ${agent_1.VALID_AGENT_TOKENS.join(', ')}.`);
+            return 1;
+        }
+        agent = normalized;
+    }
     const creds = (0, config_1.readCredentials)();
     if (!creds) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     // Resolve the target: explicit arg > session-bound task.
     const identifier = identifierArg ?? (await (0, resolve_bound_task_1.resolveBoundTaskIdentifier)(apiUrl, creds.token));
@@ -60,7 +71,11 @@ async function memoryTaskAdd(identifierArg, options) {
         res = await fetch(`${base}/api/tasks/${encodeURIComponent(taskId)}/memories`, {
             method: 'POST',
             headers: { Authorization: `Bearer ${creds.token}`, 'Content-Type': 'application/json' },
-            body: JSON.stringify({ category: built.category, content: built.content }),
+            body: JSON.stringify({
+                category: built.category,
+                content: built.content,
+                ...(agent ? { agent } : {}),
+            }),
         });
     }
     catch (err) {
@@ -75,7 +90,7 @@ async function memoryTaskAdd(identifierArg, options) {
                 m = b.error;
         }
         catch { /* */ }
-        console.error(m ? `Error: ${m}` : `Error: memory add failed (HTTP ${res.status})`);
+        console.error(m ? `Error: ${(0, sanitize_1.sanitizeField)(m)}` : `Error: memory add failed (HTTP ${res.status})`);
         return 1;
     }
     process.stdout.write(`Added ${built.category} memory to ${identifier}` +

package/dist/cli/src/commands/memory-task-list.js

@@ -16,8 +16,7 @@ async function memoryTaskList(identifierArg, options) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const identifier = identifierArg ?? (await (0, resolve_bound_task_1.resolveBoundTaskIdentifier)(apiUrl, creds.token));
     if (!identifier) {

package/dist/cli/src/commands/milestone-create.js

@@ -5,6 +5,7 @@ exports.formatCreatedMilestoneLine = formatCreatedMilestoneLine;
 exports.milestoneCreate = milestoneCreate;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 const resolve_1 = require("../lib/resolve");
 function buildCreatePayload(name, opts) {
     const payload = { name };
@@ -17,7 +18,7 @@ function buildCreatePayload(name, opts) {
     return payload;
 }
 function formatCreatedMilestoneLine(milestone) {
-    return `Created milestone "${milestone.name}"  ${milestone.id}`;
+    return `Created milestone "${(0, sanitize_1.sanitizeField)(milestone.name)}"  ${milestone.id}`;
 }
 async function milestoneCreate(name, opts) {
     if (!name || !name.trim()) {
@@ -29,8 +30,7 @@ async function milestoneCreate(name, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let projectId;
     try {
@@ -72,7 +72,7 @@ async function milestoneCreate(name, opts) {
             // Body wasn't JSON; fall through to status-only message
         }
         if (serverMsg) {
-            console.error(`Error: ${serverMsg}`);
+            console.error(`Error: ${(0, sanitize_1.sanitizeField)(serverMsg)}`);
         }
         else {
             console.error(`Error: milestone create failed (HTTP ${res.status})`);

package/dist/cli/src/commands/milestone-delete.js

@@ -5,8 +5,9 @@ exports.milestoneDelete = milestoneDelete;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function formatDeleteRefusal(name, taskCount) {
-    const head = `Refusing to delete milestone "${name}" without --yes.`;
+    const head = `Refusing to delete milestone "${(0, sanitize_1.sanitizeField)(name)}" without --yes.`;
     const tail = `Re-run with --yes to confirm.`;
     if (taskCount === 0)
         return `${head}\n${tail}`;
@@ -21,8 +22,7 @@ async function milestoneDelete(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let milestoneId;
     let resolvedName;
@@ -89,8 +89,8 @@ async function milestoneDelete(identifier, opts) {
         catch {
             // body wasn't JSON
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
-    process.stdout.write(`Deleted milestone "${name}"\n`);
+    process.stdout.write(`Deleted milestone "${(0, sanitize_1.sanitizeField)(name)}"\n`);
 }

package/dist/cli/src/commands/milestone-list.js

@@ -5,6 +5,7 @@ exports.milestoneList = milestoneList;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function formatDate(iso) {
     if (!iso)
         return '-';
@@ -22,7 +23,7 @@ function formatMilestoneList(rows) {
     const statusW = Math.max(...rows.map(r => r.status.length));
     const dateW = Math.max(...rows.map(r => formatDate(r.targetDate).length));
     return rows
-        .map(r => `${r.status.padEnd(statusW)}  ${formatDate(r.targetDate).padEnd(dateW)}  ${r.name}`)
+        .map(r => `${r.status.padEnd(statusW)}  ${formatDate(r.targetDate).padEnd(dateW)}  ${(0, sanitize_1.sanitizeField)(r.name)}`)
         .join('\n');
 }
 async function milestoneList(options) {
@@ -31,8 +32,7 @@ async function milestoneList(options) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let projectId;
     try {

package/dist/cli/src/commands/milestone-show.js

@@ -6,6 +6,7 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
 const format_1 = require("../lib/format");
+const sanitize_1 = require("../lib/sanitize");
 function fmtDate(iso) {
     return iso ? iso.slice(0, 10) : '-';
 }
@@ -15,13 +16,13 @@ function formatMilestoneShow(m, tasks) {
         m.taskCounts.IN_REVIEW +
         m.taskCounts.DONE;
     const lines = [
-        `Milestone:    ${m.name}`,
+        `Milestone:    ${(0, sanitize_1.sanitizeField)(m.name)}`,
         `Status:       ${m.status}`,
         `Start:        ${fmtDate(m.startDate)}`,
         `Target:       ${fmtDate(m.targetDate)}`,
-        `Project:      ${m.projectName}`,
+        `Project:      ${(0, sanitize_1.sanitizeField)(m.projectName)}`,
         `Description:`,
-        `  ${m.description && m.description.length > 0 ? m.description : '-'}`,
+        `  ${m.description && m.description.length > 0 ? (0, sanitize_1.sanitizeField)(m.description) : '-'}`,
         ``,
         `Tasks:        ${total} total (TODO ${m.taskCounts.TODO} / IN_PROGRESS ${m.taskCounts.IN_PROGRESS} / IN_REVIEW ${m.taskCounts.IN_REVIEW} / DONE ${m.taskCounts.DONE})`,
     ];
@@ -36,8 +37,7 @@ async function milestoneShow(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let milestoneId;
     try {