@lumoai/cli 1.5.0 → 1.6.0

package/dist/cli/src/commands/milestone-update.js

@@ -7,6 +7,7 @@ exports.milestoneUpdate = milestoneUpdate;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 const ALLOWED_STATUSES = [
     'PLANNED',
     'ACTIVE',
@@ -54,9 +55,10 @@ function fmtDate(v) {
     return v.slice(0, 10);
 }
 function formatMilestoneUpdateSummary(before, after) {
+    const beforeName = (0, sanitize_1.sanitizeField)(before.name);
     const changes = [];
     if (after.name !== undefined && after.name !== before.name) {
-        changes.push(`name "${before.name}" → "${after.name}"`);
+        changes.push(`name "${beforeName}" → "${(0, sanitize_1.sanitizeField)(after.name)}"`);
     }
     if (after.description !== undefined) {
         changes.push(after.description === null ? 'description → ∅' : 'description updated');
@@ -70,7 +72,7 @@ function formatMilestoneUpdateSummary(before, after) {
     if (after.targetDate !== undefined) {
         changes.push(`target → ${fmtDate(after.targetDate)}`);
     }
-    return `Updated milestone "${before.name}": ${changes.join(', ')}`;
+    return `Updated milestone "${beforeName}": ${changes.join(', ')}`;
 }
 async function milestoneUpdate(identifier, opts) {
     // Validate status flag eagerly.
@@ -96,8 +98,7 @@ async function milestoneUpdate(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let milestoneId;
     try {
@@ -160,7 +161,7 @@ async function milestoneUpdate(identifier, opts) {
         catch {
             // body wasn't JSON; keep the status-only message
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
     process.stdout.write(formatMilestoneUpdateSummary(before, payload) + '\n');

package/dist/cli/src/commands/project-list.js

@@ -5,6 +5,7 @@ exports.projectList = projectList;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 /**
  * Render projects as `slug-style-name  Display Name` lines. The slug form
  * matches what `lumo task create --project <ref>` accepts (slugify(name)),
@@ -22,7 +23,7 @@ function formatProjectList(projects) {
     if (rows.length === 0)
         return 'No projects.';
     const w = Math.max(...rows.map(r => r.slug.length));
-    return rows.map(r => `${r.slug.padEnd(w)}  ${r.name}`).join('\n');
+    return rows.map(r => `${r.slug.padEnd(w)}  ${(0, sanitize_1.sanitizeField)(r.name)}`).join('\n');
 }
 async function projectList() {
     const creds = (0, config_1.readCredentials)();
@@ -30,8 +31,7 @@ async function projectList() {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/projects`;
     let res;
     try {

package/dist/cli/src/commands/session-attach.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sessionAttach = sessionAttach;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 /**
  * `lumo session attach <identifier>` — bind the currently-running
  * Claude Code session to a task.
@@ -30,8 +31,7 @@ async function sessionAttach(identifier) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/sessions/${encodeURIComponent(sessionId)}/bind-task`;
     let res;
     try {
@@ -63,7 +63,7 @@ async function sessionAttach(identifier) {
         catch {
             // fall through
         }
-        console.error(`Error: ${message}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(message)}`);
         return 1;
     }
     if (!res.ok) {
@@ -71,10 +71,10 @@ async function sessionAttach(identifier) {
         return 1;
     }
     const result = (await res.json());
-    console.log(`Attached session ${sessionId} to ${result.taskIdentifier} "${result.taskTitle}"`);
+    console.log(`Attached session ${sessionId} to ${result.taskIdentifier} "${(0, sanitize_1.sanitizeField)(result.taskTitle)}"`);
     console.log(`Re-tagged ${result.retaggedEventCount} previously-untagged event${result.retaggedEventCount === 1 ? '' : 's'} in this session.`);
     if (result.memorySection !== '') {
         console.log('');
-        console.log(result.memorySection);
+        console.log((0, sanitize_1.sanitizeField)(result.memorySection));
     }
 }

package/dist/cli/src/commands/session-detach.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sessionDetach = sessionDetach;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 /**
  * `lumo session detach` — clear the task binding on the current Claude Code
  * session. Idempotent: re-detaching an already-unbound session reports
@@ -24,8 +25,7 @@ async function sessionDetach() {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/sessions/${encodeURIComponent(sessionId)}/bind-task`;
     let res;
     try {
@@ -56,5 +56,5 @@ async function sessionDetach() {
         process.stdout.write(`Session ${sessionId} was already unbound.\n`);
         return;
     }
-    process.stdout.write(`Detached session ${sessionId} from ${data.previousTaskIdentifier} "${data.previousTaskTitle}".\n`);
+    process.stdout.write(`Detached session ${sessionId} from ${data.previousTaskIdentifier} "${(0, sanitize_1.sanitizeField)(data.previousTaskTitle ?? '')}".\n`);
 }

package/dist/cli/src/commands/session-status.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sessionStatus = sessionStatus;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 async function sessionStatus() {
     const sessionId = process.env.CLAUDE_CODE_SESSION_ID;
     if (!sessionId) {
@@ -15,8 +16,7 @@ async function sessionStatus() {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/sessions/${encodeURIComponent(sessionId)}`;
     let res;
     try {
@@ -47,7 +47,7 @@ async function sessionStatus() {
     const data = (await res.json());
     if (data.taskIdentifier && data.taskTitle) {
         process.stdout.write(`Session ${sessionId}\n` +
-            `  Bound to:  ${data.taskIdentifier} "${data.taskTitle}"\n` +
+            `  Bound to:  ${data.taskIdentifier} "${(0, sanitize_1.sanitizeField)(data.taskTitle)}"\n` +
             `  Events:    ${data.eventCount}\n`);
     }
     else {

package/dist/cli/src/commands/session-wrap.js

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sessionWrap = sessionWrap;
+const config_1 = require("../lib/config");
+const wrap_panel_1 = require("../lib/wrap-panel");
+const progress_comment_section_1 = require("./wrap/progress-comment-section");
+/**
+ * `lumo session wrap [--yes] [--dry-run]`
+ *
+ * Session-end wrap-up panel. v1 has a single section: draft a progress comment
+ * from this session's unposted turnSummaries and post it (after y/e/s
+ * confirmation) to the bound task. Designed as a multi-section panel so
+ * LUM-152's memory-review section slots in without touching this command.
+ */
+async function sessionWrap(options) {
+    const sessionId = process.env.CLAUDE_CODE_SESSION_ID;
+    if (!sessionId) {
+        console.error('Error: $CLAUDE_CODE_SESSION_ID is not set.\n' +
+            '`lumo session wrap` must be run inside a Claude Code session.');
+        return 1;
+    }
+    const creds = (0, config_1.readCredentials)();
+    if (!creds) {
+        console.error('Error: not logged in. Run `lumo auth login` first.');
+        return 1;
+    }
+    const sections = [new progress_comment_section_1.ProgressCommentSection({ creds, sessionId })];
+    await (0, wrap_panel_1.runWrapPanel)(sections, {
+        yes: options.yes === true,
+        dryRun: options.dryRun === true,
+    });
+}

package/dist/cli/src/commands/setup.js

@@ -33,6 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveAgentToken = resolveAgentToken;
 exports.setup = setup;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
@@ -40,11 +41,35 @@ const path = __importStar(require("path"));
 const child_process_1 = require("child_process");
 const hooks_template_1 = require("../lib/hooks-template");
 const line_prompt_1 = require("../lib/line-prompt");
+const agent_1 = require("../lib/agent");
+const config_1 = require("../lib/config");
+/**
+ * Validate the `--agent` flag and canonicalize it to the CLI token baked into
+ * the hook commands. Defaults to `claude-code` — accurate today, since only
+ * Claude Code emits hook events. Returns `{ error }` for an unrecognized
+ * token so the caller can abort before writing settings.json.
+ */
+function resolveAgentToken(raw) {
+    if (raw === undefined)
+        return { token: 'claude-code' };
+    const enumValue = (0, agent_1.normalizeAgent)(raw);
+    if (!enumValue) {
+        return {
+            error: `Unknown agent "${raw}". Valid agents: ${agent_1.VALID_AGENT_TOKENS.join(', ')}.`,
+        };
+    }
+    return { token: agent_1.ENUM_TO_TOKEN[enumValue] };
+}
 async function setup(options) {
     if (options.user && options.project) {
         process.stderr.write('Error: --user and --project are mutually exclusive.\n');
         return 1;
     }
+    const agentResult = resolveAgentToken(options.agent);
+    if ('error' in agentResult) {
+        process.stderr.write(`Error: ${agentResult.error}\n`);
+        return 1;
+    }
     const scope = await resolveScope(options);
     if (!scope)
         return 130;
@@ -52,7 +77,7 @@ async function setup(options) {
     const claudeDir = path.join(root, '.claude');
     process.stdout.write(`\nInstalling Lumo for ${scope} scope: ${claudeDir}\n\n`);
     installSkill(claudeDir, options.force === true);
-    mergeSettings(claudeDir);
+    mergeSettings(claudeDir, agentResult.token);
     printPostInstall();
     return 0;
 }
@@ -101,7 +126,7 @@ function installSkill(claudeDir, force) {
     fs.copyFileSync(skillSrc, skillDst);
     process.stdout.write(`✓ wrote skill: ${skillDst}\n`);
 }
-function mergeSettings(claudeDir) {
+function mergeSettings(claudeDir, agentToken) {
     const settingsPath = path.join(claudeDir, 'settings.json');
     let existing = {};
     if (fs.existsSync(settingsPath)) {
@@ -116,18 +141,19 @@ function mergeSettings(claudeDir) {
     else {
         fs.mkdirSync(claudeDir, { recursive: true });
     }
-    const { merged, stats } = (0, hooks_template_1.mergeLumoHooks)(existing);
+    const { merged, stats } = (0, hooks_template_1.mergeLumoHooks)(existing, agentToken);
     fs.writeFileSync(settingsPath, JSON.stringify(merged, null, 2) + '\n');
-    if (stats.addedEvents.length === 0) {
-        process.stdout.write(`✓ hooks already wired in: ${settingsPath} (${stats.alreadyPresent.length} events)\n`);
+    const changed = stats.addedEvents.length + stats.updatedEvents.length;
+    if (changed === 0) {
+        process.stdout.write(`✓ hooks already wired in (agent=${agentToken}): ${settingsPath} (${stats.alreadyPresent.length} events)\n`);
     }
     else {
-        process.stdout.write(`✓ merged hooks into ${settingsPath} (added ${stats.addedEvents.length}, kept ${stats.alreadyPresent.length})\n`);
+        process.stdout.write(`✓ merged hooks into ${settingsPath} (agent=${agentToken}; added ${stats.addedEvents.length}, updated ${stats.updatedEvents.length}, kept ${stats.alreadyPresent.length})\n`);
     }
 }
 function printPostInstall() {
     const onPath = isLumoOnPath();
-    const credsPath = path.join(process.env.LUMO_CONFIG_DIR || path.join(os.homedir(), '.lumo'), 'credentials.json');
+    const credsPath = path.join((0, config_1.configDir)(), 'credentials.json');
     const authed = fs.existsSync(credsPath);
     process.stdout.write('\nNext steps:\n');
     if (!onPath || isRunningUnderNpx()) {

package/dist/cli/src/commands/sprint-add.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sprintAdd = sprintAdd;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 const resolve_1 = require("../lib/resolve");
 async function sprintAdd(identifier, taskIdentifier, opts) {
     const creds = (0, config_1.readCredentials)();
@@ -10,8 +11,7 @@ async function sprintAdd(identifier, taskIdentifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -55,7 +55,7 @@ async function sprintAdd(identifier, taskIdentifier, opts) {
         catch {
             // ignore
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
     process.stdout.write(`Added ${taskIdentifier} to sprint #${resolved.number}\n`);

package/dist/cli/src/commands/sprint-close.js

@@ -7,6 +7,7 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
 const format_1 = require("../lib/format");
+const sanitize_1 = require("../lib/sanitize");
 /**
  * Build the decisions map for POST /api/sprints/<id>/close.
  * Only non-DONE tasks get a decision entry; DONE tasks are excluded entirely.
@@ -28,7 +29,7 @@ function buildCloseDecisions(tasks, mode) {
 function formatUnfinishedRefusal(number, name, tasks) {
     const unfinished = tasks.filter(t => t.status !== 'DONE');
     const lines = [
-        `Refusing to close sprint #${number} "${name}": ${unfinished.length} task(s) not DONE.`,
+        `Refusing to close sprint #${number} "${(0, sanitize_1.sanitizeField)(name)}": ${unfinished.length} task(s) not DONE.`,
         '',
         (0, format_1.formatTaskListTable)(unfinished),
         '',
@@ -56,8 +57,7 @@ async function sprintClose(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -144,8 +144,8 @@ async function sprintClose(identifier, opts) {
         catch {
             // body wasn't JSON
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
-    process.stdout.write(`Closed sprint #${sprint.number} "${sprint.name}"\n`);
+    process.stdout.write(`Closed sprint #${sprint.number} "${(0, sanitize_1.sanitizeField)(sprint.name)}"\n`);
 }

package/dist/cli/src/commands/sprint-create.js

@@ -6,6 +6,7 @@ exports.sprintCreate = sprintCreate;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function buildCreateSprintPayload(opts) {
     // start/end are required by the server schema; caller validates presence.
     const payload = {
@@ -17,7 +18,7 @@ function buildCreateSprintPayload(opts) {
     return payload;
 }
 function formatCreatedSprintLine(sprint) {
-    return `Created sprint #${sprint.number} "${sprint.name}"  ${sprint.id}`;
+    return `Created sprint #${sprint.number} "${(0, sanitize_1.sanitizeField)(sprint.name)}"  ${sprint.id}`;
 }
 async function sprintCreate(opts) {
     if (!opts.start || !opts.end) {
@@ -29,8 +30,7 @@ async function sprintCreate(opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let teamId;
     try {
@@ -72,7 +72,7 @@ async function sprintCreate(opts) {
         catch {
             // ignore
         }
-        console.error(`Error: ${serverMsg ?? `sprint create failed (HTTP ${res.status})`}`);
+        console.error(`Error: ${serverMsg != null ? (0, sanitize_1.sanitizeField)(serverMsg) : `sprint create failed (HTTP ${res.status})`}`);
         return 1;
     }
     const sprint = (await res.json());

package/dist/cli/src/commands/sprint-delete.js

@@ -5,8 +5,9 @@ exports.sprintDelete = sprintDelete;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function formatDeleteRefusal(number, name, taskCount) {
-    const head = `Refusing to delete sprint #${number} "${name}" without --yes.`;
+    const head = `Refusing to delete sprint #${number} "${(0, sanitize_1.sanitizeField)(name)}" without --yes.`;
     const tail = `Re-run with --yes to confirm.`;
     if (taskCount === 0)
         return `${head}\n${tail}`;
@@ -18,8 +19,7 @@ async function sprintDelete(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -81,8 +81,8 @@ async function sprintDelete(identifier, opts) {
         catch {
             // body wasn't JSON
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
-    process.stdout.write(`Deleted sprint #${sprint.number} "${sprint.name}"\n`);
+    process.stdout.write(`Deleted sprint #${sprint.number} "${(0, sanitize_1.sanitizeField)(sprint.name)}"\n`);
 }

package/dist/cli/src/commands/sprint-list.js

@@ -5,6 +5,7 @@ exports.sprintList = sprintList;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 const VALID_STATUSES = ['DRAFT', 'ACTIVE', 'CLOSED'];
 function formatDate(iso) {
     if (!iso)
@@ -25,7 +26,7 @@ function formatSprintList(rows) {
         const statusCol = r.status.padEnd(statusW);
         const numCol = `#${r.number}`.padEnd(numW + 1); // +1 for the '#'
         const dateRange = `${formatDate(r.startDate)}..${formatDate(r.endDate)}`;
-        return `${statusCol}  ${numCol}  ${dateRange}  ${r.name}`;
+        return `${statusCol}  ${numCol}  ${dateRange}  ${(0, sanitize_1.sanitizeField)(r.name)}`;
     })
         .join('\n');
 }
@@ -49,8 +50,7 @@ async function sprintList(options) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let teamId;
     try {

package/dist/cli/src/commands/sprint-remove.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sprintRemove = sprintRemove;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
+const sanitize_1 = require("../lib/sanitize");
 const resolve_1 = require("../lib/resolve");
 async function sprintRemove(identifier, taskIdentifier, opts) {
     const creds = (0, config_1.readCredentials)();
@@ -10,8 +11,7 @@ async function sprintRemove(identifier, taskIdentifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -50,7 +50,7 @@ async function sprintRemove(identifier, taskIdentifier, opts) {
         catch {
             // ignore
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
     process.stdout.write(`Removed ${taskIdentifier} from sprint #${resolved.number}\n`);

package/dist/cli/src/commands/sprint-show.js

@@ -6,14 +6,15 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
 const format_1 = require("../lib/format");
+const sanitize_1 = require("../lib/sanitize");
 function fmtDate(iso) {
     return iso ? iso.slice(0, 10) : '-';
 }
 function formatSprintShow(s, progress, tasks) {
     const lines = [
-        `Sprint:    #${s.number} ${s.name}`,
+        `Sprint:    #${s.number} ${(0, sanitize_1.sanitizeField)(s.name)}`,
         `Status:    ${s.status}`,
-        `Team:      ${s.team.name}`,
+        `Team:      ${(0, sanitize_1.sanitizeField)(s.team.name)}`,
         `Start:     ${fmtDate(s.startDate)}`,
         `End:       ${fmtDate(s.endDate)}`,
         `Started:   ${fmtDate(s.startedAt)}`,
@@ -32,8 +33,7 @@ async function sprintShow(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let sprintId;
     try {

package/dist/cli/src/commands/sprint-start.js

@@ -4,14 +4,14 @@ exports.sprintStart = sprintStart;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 async function sprintStart(identifier, opts) {
     const creds = (0, config_1.readCredentials)();
     if (!creds) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -61,8 +61,8 @@ async function sprintStart(identifier, opts) {
         catch {
             // ignore
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
-    process.stdout.write(`Started sprint #${displayNumber} "${displayName}"\n`);
+    process.stdout.write(`Started sprint #${displayNumber} "${(0, sanitize_1.sanitizeField)(displayName)}"\n`);
 }

package/dist/cli/src/commands/sprint-summary.js

@@ -5,9 +5,10 @@ exports.sprintSummary = sprintSummary;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function formatSprintSummary(input) {
     const { number, name, stats, tldr, report } = input;
-    const lines = [`Sprint: #${number} ${name}`];
+    const lines = [`Sprint: #${number} ${(0, sanitize_1.sanitizeField)(name)}`];
     if (stats === null && tldr === null && report === null) {
         lines.push('', '(no summary generated yet)');
         return lines.join('\n');
@@ -16,10 +17,10 @@ function formatSprintSummary(input) {
         lines.push(`Done:   ${stats.done} / ${stats.total}`);
     }
     if (tldr) {
-        lines.push('', tldr);
+        lines.push('', (0, sanitize_1.sanitizeField)(tldr));
     }
     if (report) {
-        lines.push('', report);
+        lines.push('', (0, sanitize_1.sanitizeField)(report));
     }
     return lines.join('\n');
 }
@@ -29,8 +30,7 @@ async function sprintSummary(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     const workspaceSlug = creds.workspaceSlug ?? '';
     let resolved;
@@ -82,7 +82,7 @@ async function sprintSummary(identifier, opts) {
             catch {
                 // ignore
             }
-            console.error(`Error: ${errMsg}`);
+            console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
             return 1;
         }
         // 202 means queued; regeneration is async. The GET below may still return
@@ -124,7 +124,7 @@ async function sprintSummary(identifier, opts) {
         catch {
             // ignore
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
     // 404 → fall through with all-null; formatSprintSummary renders the friendly marker.

package/dist/cli/src/commands/sprint-update.js

@@ -6,6 +6,7 @@ exports.sprintUpdate = sprintUpdate;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_1 = require("../lib/resolve");
+const sanitize_1 = require("../lib/sanitize");
 function buildSprintUpdatePayload(opts) {
     const payload = {};
     const flagsGiven = [];
@@ -29,9 +30,10 @@ function fmtDate(v) {
     return v.slice(0, 10);
 }
 function formatSprintUpdateSummary(before, after) {
+    const beforeName = (0, sanitize_1.sanitizeField)(before.name);
     const changes = [];
     if (after.name !== undefined && after.name !== before.name) {
-        changes.push(`name "${before.name}" → "${after.name}"`);
+        changes.push(`name "${beforeName}" → "${(0, sanitize_1.sanitizeField)(after.name)}"`);
     }
     if (after.startDate !== undefined) {
         changes.push(`start → ${fmtDate(after.startDate)}`);
@@ -39,7 +41,7 @@ function formatSprintUpdateSummary(before, after) {
     if (after.endDate !== undefined) {
         changes.push(`end → ${fmtDate(after.endDate)}`);
     }
-    return `Updated sprint #${before.number} "${before.name}": ${changes.join(', ')}`;
+    return `Updated sprint #${before.number} "${beforeName}": ${changes.join(', ')}`;
 }
 async function sprintUpdate(identifier, opts) {
     // Reject empty strings — these fields can't be cleared.
@@ -65,8 +67,7 @@ async function sprintUpdate(identifier, opts) {
         console.error('Error: not logged in. Run `lumo auth login` first.');
         return 1;
     }
-    const envUrl = process.env.LUMO_API_URL?.trim();
-    const apiUrl = envUrl && envUrl.length > 0 ? envUrl : creds.apiUrl;
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const base = (0, api_1.trimTrailingSlash)(apiUrl);
     let sprintId;
     let resolvedNumber;
@@ -141,7 +142,7 @@ async function sprintUpdate(identifier, opts) {
         catch {
             // body wasn't JSON; keep the status-only message
         }
-        console.error(`Error: ${errMsg}`);
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(errMsg)}`);
         return 1;
     }
     process.stdout.write(formatSprintUpdateSummary(beforeSnapshot, payload) + '\n');