@tasklumina/cli 1.0.0

package/dist/index.js

@@ -0,0 +1,2865 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Command as Command13 } from "commander";
+
+// src/commands/auth.ts
+import { Command } from "commander";
+
+// src/lib/config.ts
+import { resolve } from "path";
+import { homedir } from "os";
+import { existsSync, readFileSync } from "fs";
+function loadEnvFile(path) {
+  if (!existsSync(path)) return;
+  const content = readFileSync(path, "utf8");
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eqIdx = trimmed.indexOf("=");
+    if (eqIdx === -1) continue;
+    const key = trimmed.slice(0, eqIdx).trim();
+    const value = trimmed.slice(eqIdx + 1).trim().replace(/^["']|["']$/g, "");
+    if (!process.env[key]) process.env[key] = value;
+  }
+}
+loadEnvFile(resolve(homedir(), ".tasklumina", ".env"));
+function requireEnv(key) {
+  const value = process.env[key];
+  if (!value) {
+    throw new Error(
+      `Missing required environment variable: ${key}
+Set it in ~/.tasklumina/.env or as an environment variable.
+See cli/.env.example for required variables.`
+    );
+  }
+  return value;
+}
+var _envConfig = null;
+function getEnvConfig() {
+  if (!_envConfig) {
+    _envConfig = {
+      region: requireEnv("TASKLUMINA_AWS_REGION"),
+      appsyncEndpoint: requireEnv("TASKLUMINA_APPSYNC_ENDPOINT")
+    };
+  }
+  return _envConfig;
+}
+var CONFIG = {
+  get region() {
+    return getEnvConfig().region;
+  },
+  get appsyncEndpoint() {
+    return getEnvConfig().appsyncEndpoint;
+  },
+  tokenStorageKey: "tasklumina-cli",
+  autoRotateIntervalHours: 24
+};
+
+// src/lib/crypto.ts
+import {
+  createCipheriv,
+  createDecipheriv,
+  scryptSync,
+  randomBytes
+} from "crypto";
+import { mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
+import { resolve as resolve2 } from "path";
+import { homedir as homedir2 } from "os";
+var ALGO = "aes-256-gcm";
+var SCRYPT_KEYLEN = 32;
+var SCRYPT_COST = { N: 32768, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
+function getMachineSecret() {
+  const dir = resolve2(homedir2(), ".tasklumina");
+  const keyFile = resolve2(dir, "machine-key");
+  try {
+    const secret2 = readFileSync2(keyFile, "utf8").trim();
+    if (secret2.length >= 32) return secret2;
+  } catch {
+  }
+  mkdirSync(dir, { recursive: true, mode: 448 });
+  const secret = randomBytes(32).toString("hex");
+  try {
+    writeFileSync(keyFile, secret, { mode: 384, flag: "wx" });
+    return secret;
+  } catch (err) {
+    if (err.code === "EEXIST") {
+      const existing = readFileSync2(keyFile, "utf8").trim();
+      if (existing.length >= 32) return existing;
+    }
+    throw err;
+  }
+}
+var _cachedSecret = null;
+function deriveKey(salt) {
+  if (!_cachedSecret) {
+    _cachedSecret = getMachineSecret();
+  }
+  return scryptSync(_cachedSecret, salt, SCRYPT_KEYLEN, SCRYPT_COST);
+}
+function encrypt(plaintext) {
+  const salt = randomBytes(16);
+  const key = deriveKey(salt);
+  const iv = randomBytes(16);
+  const cipher = createCipheriv(ALGO, key, iv);
+  let encrypted = cipher.update(plaintext, "utf8", "hex");
+  encrypted += cipher.final("hex");
+  const tag = cipher.getAuthTag();
+  return `enc2:${salt.toString("hex")}:${iv.toString("hex")}:${tag.toString("hex")}:${encrypted}`;
+}
+function decrypt(ciphertext) {
+  if (ciphertext.startsWith("enc2:")) {
+    const parts = ciphertext.slice(5).split(":");
+    if (parts.length !== 4) {
+      throw new Error("Malformed encrypted value");
+    }
+    const [saltHex, ivHex, tagHex, encrypted] = parts;
+    const key = deriveKey(Buffer.from(saltHex, "hex"));
+    const decipher = createDecipheriv(ALGO, key, Buffer.from(ivHex, "hex"));
+    decipher.setAuthTag(Buffer.from(tagHex, "hex"));
+    let decrypted = decipher.update(encrypted, "hex", "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+  }
+  if (ciphertext.startsWith("enc:")) {
+    throw new Error(
+      "Token encrypted with legacy format (v1). Run `tasklumina login` to re-authenticate."
+    );
+  }
+  throw new Error("Not an encrypted value");
+}
+function isPlaintext(value) {
+  return !value.startsWith("enc2:") && !value.startsWith("enc:") && value.startsWith("{");
+}
+
+// src/lib/token-store.ts
+var keytarModule = null;
+var keytarFailed = false;
+async function getKeytar() {
+  if (keytarFailed) {
+    throw new Error(
+      "System keychain (keytar) is unavailable. Install it with: npm install keytar\nTask Lumina CLI requires a secure keychain \u2014 plaintext token storage is not supported."
+    );
+  }
+  if (keytarModule) return keytarModule;
+  try {
+    const mod = await import("keytar");
+    keytarModule = mod.default ?? mod;
+    return keytarModule;
+  } catch {
+    keytarFailed = true;
+    throw new Error(
+      "System keychain (keytar) is unavailable. Install it with: npm install keytar\nTask Lumina CLI requires a secure keychain \u2014 plaintext token storage is not supported."
+    );
+  }
+}
+async function loadApiKeyV1() {
+  const keytar = await getKeytar();
+  const raw = await keytar.getPassword(CONFIG.tokenStorageKey, "api-key");
+  if (!raw) return null;
+  if (isPlaintext(raw)) return raw;
+  return decrypt(raw);
+}
+async function clearApiKeyV1() {
+  const keytar = await getKeytar();
+  await keytar.deletePassword(CONFIG.tokenStorageKey, "api-key");
+}
+async function saveApiKeyData(data) {
+  const json = JSON.stringify(data);
+  const encrypted = encrypt(json);
+  const keytar = await getKeytar();
+  await keytar.setPassword(CONFIG.tokenStorageKey, "api-key-v2", encrypted);
+}
+async function loadApiKeyData() {
+  const keytar = await getKeytar();
+  const raw = await keytar.getPassword(CONFIG.tokenStorageKey, "api-key-v2");
+  if (raw) {
+    const json = decrypt(raw);
+    return JSON.parse(json);
+  }
+  const legacyKey = await loadApiKeyV1();
+  if (legacyKey) {
+    const data = { key: legacyKey, lastRotatedAt: (/* @__PURE__ */ new Date(0)).toISOString() };
+    await saveApiKeyData(data);
+    await clearApiKeyV1();
+    return data;
+  }
+  return null;
+}
+
+// src/lib/graphql-client.ts
+async function getAuthToken() {
+  const envKey = process.env.TASKLUMINA_API_KEY;
+  if (envKey) return envKey;
+  const data = await loadApiKeyData();
+  if (data) return data.key;
+  throw new Error("No API key configured. Run `tasklumina configure` to set up authentication.");
+}
+var _verboseWarningShown = false;
+function isVerbose() {
+  const verbose = process.argv.includes("--verbose");
+  if (verbose && !_verboseWarningShown) {
+    console.error("\u26A0 Verbose mode: debug output may expose operation names and timing in terminal/logs.");
+    _verboseWarningShown = true;
+  }
+  return verbose;
+}
+function extractOperationName(query) {
+  const match = query.match(/(?:query|mutation)\s+(\w+)/);
+  return match?.[1] || "unknown";
+}
+function maskEndpoint(url) {
+  return url.replace(/^(https:\/\/)[^.]+/, "$1***");
+}
+var SENSITIVE_KEYS = ["email", "password", "token", "accessToken", "idToken", "refreshToken", "sharedWithEmail", "ownerEmail", "key"];
+function redactVariables(vars) {
+  const redacted = {};
+  for (const [key, value] of Object.entries(vars)) {
+    if (SENSITIVE_KEYS.includes(key)) {
+      redacted[key] = "[REDACTED]";
+    } else if (value && typeof value === "object" && !Array.isArray(value)) {
+      redacted[key] = redactVariables(value);
+    } else {
+      redacted[key] = value;
+    }
+  }
+  return redacted;
+}
+async function graphql(query, variables) {
+  const token = await getAuthToken();
+  const verbose = isVerbose();
+  const opName = extractOperationName(query);
+  const startTime = Date.now();
+  if (verbose) {
+    console.error(`\u2192 POST ${maskEndpoint(CONFIG.appsyncEndpoint)}`);
+    console.error(`  Operation: ${opName}`);
+    if (variables) console.error(`  Variables: ${JSON.stringify(redactVariables(variables))}`);
+  }
+  let res;
+  try {
+    res = await fetch(CONFIG.appsyncEndpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: token
+      },
+      body: JSON.stringify({ query, variables }),
+      signal: AbortSignal.timeout(3e4)
+    });
+  } catch (err) {
+    if (err instanceof DOMException && err.name === "TimeoutError") {
+      throw new Error("Request timed out after 30s. Check your connection.");
+    }
+    throw new Error("Cannot reach Task Lumina API. Check your connection.");
+  }
+  if (verbose) {
+    console.error(`\u2190 ${res.status} ${res.statusText} (${Date.now() - startTime}ms)`);
+  }
+  if (!res.ok) {
+    throw new Error(`GraphQL request failed: ${res.status} ${res.statusText}`);
+  }
+  const json = await res.json();
+  if (json.errors?.length) {
+    const msg = json.errors[0].message;
+    if (msg.includes("Not Authorized") || msg.includes("Unauthorized")) {
+      throw new Error("Not authorized. Your API key may be revoked \u2014 run `tasklumina configure`.");
+    }
+    const MAX_ERROR_LEN = 200;
+    const sanitized = msg.length > MAX_ERROR_LEN ? msg.slice(0, MAX_ERROR_LEN) + "..." : msg;
+    if (verbose) {
+      console.error(`  Server error: ${msg}`);
+    }
+    throw new Error(sanitized);
+  }
+  if (!json.data) {
+    throw new Error("No data returned from GraphQL");
+  }
+  return json.data;
+}
+
+// src/lib/output.ts
+import chalk from "chalk";
+import Table from "cli-table3";
+function isJsonMode() {
+  return process.argv.includes("--json");
+}
+function isRedactMode() {
+  return process.argv.includes("--redact");
+}
+function printTable(headers, rows) {
+  if (isJsonMode()) return;
+  const table = new Table({ head: headers.map((h) => chalk.bold(h)) });
+  for (const row of rows) {
+    table.push(row);
+  }
+  console.log(table.toString());
+}
+function printJson(data) {
+  console.log(JSON.stringify(data, null, 2));
+}
+function printError(msg) {
+  console.error(chalk.red(`Error: ${msg}`));
+}
+function printSuccess(msg) {
+  console.log(chalk.green(msg));
+}
+function printWarning(msg) {
+  console.log(chalk.yellow(msg));
+}
+function formatDate(iso) {
+  if (!iso) return "\u2014";
+  const d = new Date(iso);
+  return d.toLocaleDateString("en-US", {
+    year: "numeric",
+    month: "short",
+    day: "numeric"
+  });
+}
+function formatPriority(p) {
+  switch (p) {
+    case "critical":
+      return chalk.red.bold("CRITICAL");
+    case "high":
+      return chalk.hex("#f97316").bold("HIGH");
+    case "medium":
+      return chalk.yellow("MEDIUM");
+    case "low":
+      return chalk.gray("LOW");
+    default:
+      return p;
+  }
+}
+function formatStatus(s) {
+  switch (s) {
+    case "todo":
+      return chalk.white("To Do");
+    case "in_progress":
+      return chalk.blue("In Progress");
+    case "review":
+      return chalk.magenta("Review");
+    case "done":
+      return chalk.green("Done");
+    default:
+      return s;
+  }
+}
+function truncateId(id) {
+  return id.substring(0, 8);
+}
+function maskEmail(email) {
+  if (!isRedactMode()) return email;
+  const [local, domain] = email.split("@");
+  if (!domain) return email;
+  const [domainName, ...tld] = domain.split(".");
+  const maskedLocal = local[0] + "***";
+  const maskedDomain = domainName[0] + "***";
+  return `${maskedLocal}@${maskedDomain}.${tld.join(".")}`;
+}
+
+// ../shared/graphql/queries.ts
+var listTasks = (
+  /* GraphQL */
+  `
+  query ListTasks($status: TaskStatus, $archived: Boolean) {
+    listTasks(status: $status, archived: $archived) {
+      id
+      title
+      description
+      status
+      archived
+      deletedAt
+      priority
+      categoryId
+      color
+      tags
+      dueDate
+      dueTime
+      position
+      createdAt
+      updatedAt
+    }
+  }
+`
+);
+var listCategories = (
+  /* GraphQL */
+  `
+  query ListCategories {
+    listCategories {
+      id
+      name
+      color
+      position
+    }
+  }
+`
+);
+var listTags = (
+  /* GraphQL */
+  `
+  query ListTags {
+    listTags {
+      id
+      name
+    }
+  }
+`
+);
+var listTaskShares = (
+  /* GraphQL */
+  `
+  query ListTaskShares($taskId: ID!) {
+    listTaskShares(taskId: $taskId) {
+      taskId
+      ownerId
+      ownerEmail
+      sharedWithId
+      sharedWithEmail
+      permission
+      status
+      sharedAt
+      respondedAt
+    }
+  }
+`
+);
+var listSharedWithMe = (
+  /* GraphQL */
+  `
+  query ListSharedWithMe {
+    listSharedWithMe {
+      taskId
+      ownerId
+      ownerEmail
+      sharedWithId
+      sharedWithEmail
+      permission
+      status
+      sharedAt
+      respondedAt
+      task {
+        id
+        userId
+        title
+        description
+        status
+        archived
+        deletedAt
+        priority
+        categoryId
+        color
+        tags
+        dueDate
+        position
+        createdAt
+        updatedAt
+      }
+    }
+  }
+`
+);
+var listMyOutgoingTaskShares = (
+  /* GraphQL */
+  `
+  query ListMyOutgoingTaskShares {
+    listMyOutgoingTaskShares {
+      taskId
+      ownerId
+      ownerEmail
+      sharedWithId
+      sharedWithEmail
+      permission
+      status
+      sharedAt
+      respondedAt
+      task {
+        id
+        userId
+        title
+        description
+        status
+        priority
+        dueDate
+        createdAt
+        updatedAt
+      }
+    }
+  }
+`
+);
+var listLists = (
+  /* GraphQL */
+  `
+  query ListLists {
+    listLists {
+      id
+      name
+      description
+      icon
+      color
+      itemCount
+      createdAt
+      updatedAt
+    }
+  }
+`
+);
+var listListItems = (
+  /* GraphQL */
+  `
+  query ListListItems($listId: ID!) {
+    listListItems(listId: $listId) {
+      id
+      listId
+      name
+      description
+      quantity
+      category
+      tags
+      link
+      customFields
+      position
+      createdAt
+      updatedAt
+    }
+  }
+`
+);
+var listListShares = (
+  /* GraphQL */
+  `
+  query ListListShares($listId: ID!) {
+    listListShares(listId: $listId) {
+      listId
+      ownerId
+      ownerEmail
+      sharedWithId
+      sharedWithEmail
+      permission
+      status
+      sharedAt
+      respondedAt
+    }
+  }
+`
+);
+var listListsSharedWithMe = (
+  /* GraphQL */
+  `
+  query ListListsSharedWithMe {
+    listListsSharedWithMe {
+      listId
+      ownerId
+      ownerEmail
+      sharedWithId
+      sharedWithEmail
+      permission
+      status
+      sharedAt
+      respondedAt
+      list {
+        id
+        name
+        description
+        icon
+        color
+      }
+    }
+  }
+`
+);
+var listMyOutgoingListShares = (
+  /* GraphQL */
+  `
+  query ListMyOutgoingListShares {
+    listMyOutgoingListShares {
+      listId
+      ownerId
+      ownerEmail
+      sharedWithId
+      sharedWithEmail
+      permission
+      status
+      sharedAt
+      respondedAt
+      list {
+        id
+        name
+        description
+        icon
+        color
+      }
+    }
+  }
+`
+);
+var listContacts = (
+  /* GraphQL */
+  `
+  query ListContacts {
+    listContacts {
+      id
+      name
+      email
+      createdAt
+      updatedAt
+    }
+  }
+`
+);
+var listNotes = `
+  query ListNotes($taskId: ID!) {
+    listNotes(taskId: $taskId) {
+      id
+      taskId
+      content
+      authorId
+      authorName
+      createdAt
+    }
+  }
+`;
+var listApiKeys = (
+  /* GraphQL */
+  `
+  query ListApiKeys {
+    listApiKeys {
+      id
+      name
+      keyPrefix
+      status
+      createdAt
+      lastUsedAt
+      revokedAt
+    }
+  }
+`
+);
+var getPreferences = `
+  query GetPreferences {
+    getPreferences {
+      theme
+      defaultView
+      archiveDelay
+      colorPalette
+      colorRules
+      notificationPrefs
+      filterPresets
+      defaultPriority
+      defaultCategoryId
+      defaultColor
+      updatedAt
+    }
+  }
+`;
+
+// src/commands/auth.ts
+var whoamiCommand = new Command("whoami").description("Verify API key and show key info").action(async () => {
+  try {
+    const data = await loadApiKeyData();
+    if (!data) {
+      printError("No API key configured. Run `tasklumina configure` first.");
+      process.exitCode = 1;
+      return;
+    }
+    const result = await graphql(listApiKeys);
+    const activeKeys = result.listApiKeys.filter((k) => k.status === "active");
+    const prefix = data.keyPrefix ?? data.key.slice(0, 12);
+    if (isJsonMode()) {
+      printJson({
+        keyPrefix: prefix,
+        activeKeyCount: activeKeys.length,
+        lastRotatedAt: data.lastRotatedAt
+      });
+      return;
+    }
+    printSuccess("API key is valid.");
+    console.log(`  Key prefix:      ${prefix}...`);
+    console.log(`  Last rotated:    ${data.lastRotatedAt}`);
+    console.log(`  Active keys:     ${activeKeys.length}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+
+// src/commands/configure.ts
+import { Command as Command2 } from "commander";
+import { password } from "@inquirer/prompts";
+
+// src/lib/auto-rotate.ts
+import { resolve as resolve3 } from "path";
+import { homedir as homedir3 } from "os";
+import { mkdirSync as mkdirSync2, rmSync, statSync } from "fs";
+
+// ../shared/graphql/mutations.ts
+var createTask = (
+  /* GraphQL */
+  `
+  mutation CreateTask($input: CreateTaskInput!) {
+    createTask(input: $input) {
+      id
+      title
+      description
+      status
+      archived
+      deletedAt
+      priority
+      categoryId
+      color
+      tags
+      dueDate
+      dueTime
+      position
+      createdAt
+      updatedAt
+    }
+  }
+`
+);
+var updateTask = (
+  /* GraphQL */
+  `
+  mutation UpdateTask($input: UpdateTaskInput!) {
+    updateTask(input: $input) {
+      id
+      title
+      description
+      status
+      archived
+      deletedAt
+      priority
+      categoryId
+      color
+      tags
+      dueDate
+      dueTime
+      position
+      createdAt
+      updatedAt
+    }
+  }
+`
+);
+var deleteTask = (
+  /* GraphQL */
+  `
+  mutation DeleteTask($id: ID!) {
+    deleteTask(id: $id)
+  }
+`
+);
+var createCategory = (
+  /* GraphQL */
+  `
+  mutation CreateCategory($input: CreateCategoryInput!) {
+    createCategory(input: $input) {
+      id
+      name
+      color
+      position
+    }
+  }
+`
+);
+var updateCategory = (
+  /* GraphQL */
+  `
+  mutation UpdateCategory($input: UpdateCategoryInput!) {
+    updateCategory(input: $input) {
+      id
+      name
+      color
+      position
+    }
+  }
+`
+);
+var deleteCategory = (
+  /* GraphQL */
+  `
+  mutation DeleteCategory($id: ID!) {
+    deleteCategory(id: $id)
+  }
+`
+);
+var createTag = (
+  /* GraphQL */
+  `
+  mutation CreateTag($input: CreateTagInput!) {
+    createTag(input: $input) {
+      id
+      name
+    }
+  }
+`
+);
+var updateTag = (
+  /* GraphQL */
+  `
+  mutation UpdateTag($input: UpdateTagInput!) {
+    updateTag(input: $input) {
+      id
+      name
+    }
+  }
+`
+);
+var deleteTagMutation = (
+  /* GraphQL */
+  `
+  mutation DeleteTag($id: ID!) {
+    deleteTag(id: $id)
+  }
+`
+);
+var shareTask = (
+  /* GraphQL */
+  `
+  mutation ShareTask($input: ShareTaskInput!) {
+    shareTask(input: $input) {
+      taskId
+      ownerId
+      ownerEmail
+      sharedWithId
+      sharedWithEmail
+      permission
+      status
+      sharedAt
+      respondedAt
+    }
+  }
+`
+);
+var acceptShare = (
+  /* GraphQL */
+  `
+  mutation AcceptShare($taskId: ID!, $ownerId: ID!) {
+    acceptShare(taskId: $taskId, ownerId: $ownerId) {
+      taskId
+      ownerId
+      ownerEmail
+      sharedWithId
+      sharedWithEmail
+      permission
+      status
+      sharedAt
+      respondedAt
+    }
+  }
+`
+);
+var declineShare = (
+  /* GraphQL */
+  `
+  mutation DeclineShare($taskId: ID!, $ownerId: ID!) {
+    declineShare(taskId: $taskId, ownerId: $ownerId) {
+      taskId
+      ownerId
+      ownerEmail
+      sharedWithId
+      sharedWithEmail
+      permission
+      status
+      sharedAt
+      respondedAt
+    }
+  }
+`
+);
+var revokeShare = (
+  /* GraphQL */
+  `
+  mutation RevokeShare($taskId: ID!, $sharedWithId: ID!) {
+    revokeShare(taskId: $taskId, sharedWithId: $sharedWithId)
+  }
+`
+);
+var updateSharePermission = (
+  /* GraphQL */
+  `
+  mutation UpdateSharePermission($input: UpdateSharePermissionInput!) {
+    updateSharePermission(input: $input) {
+      taskId
+      ownerId
+      ownerEmail
+      sharedWithId
+      sharedWithEmail
+      permission
+      status
+      sharedAt
+      respondedAt
+    }
+  }
+`
+);
+var createList = (
+  /* GraphQL */
+  `
+  mutation CreateList($input: CreateListInput!) {
+    createList(input: $input) {
+      id
+      name
+      description
+      icon
+      color
+      itemCount
+      createdAt
+      updatedAt
+    }
+  }
+`
+);
+var updateList = (
+  /* GraphQL */
+  `
+  mutation UpdateList($input: UpdateListInput!) {
+    updateList(input: $input) {
+      id
+      name
+      description
+      icon
+      color
+      itemCount
+      createdAt
+      updatedAt
+    }
+  }
+`
+);
+var deleteListMutation = (
+  /* GraphQL */
+  `
+  mutation DeleteList($id: ID!) {
+    deleteList(id: $id)
+  }
+`
+);
+var createListItem = (
+  /* GraphQL */
+  `
+  mutation CreateListItem($input: CreateListItemInput!) {
+    createListItem(input: $input) {
+      id
+      listId
+      name
+      description
+      quantity
+      category
+      tags
+      link
+      customFields
+      position
+      createdAt
+      updatedAt
+    }
+  }
+`
+);
+var updateListItem = (
+  /* GraphQL */
+  `
+  mutation UpdateListItem($input: UpdateListItemInput!) {
+    updateListItem(input: $input) {
+      id
+      listId
+      name
+      description
+      quantity
+      category
+      tags
+      link
+      customFields
+      position
+      createdAt
+      updatedAt
+    }
+  }
+`
+);
+var deleteListItemMutation = (
+  /* GraphQL */
+  `
+  mutation DeleteListItem($id: ID!, $listId: ID!) {
+    deleteListItem(id: $id, listId: $listId)
+  }
+`
+);
+var bulkCreateListItems = (
+  /* GraphQL */
+  `
+  mutation BulkCreateListItems($input: BulkCreateListItemsInput!) {
+    bulkCreateListItems(input: $input) {
+      id
+      listId
+      name
+      description
+      quantity
+      category
+      tags
+      link
+      customFields
+      position
+      createdAt
+      updatedAt
+    }
+  }
+`
+);
+var shareList = (
+  /* GraphQL */
+  `
+  mutation ShareList($input: ShareListInput!) {
+    shareList(input: $input) {
+      listId
+      ownerId
+      ownerEmail
+      sharedWithId
+      sharedWithEmail
+      permission
+      status
+      sharedAt
+      respondedAt
+    }
+  }
+`
+);
+var acceptListShare = (
+  /* GraphQL */
+  `
+  mutation AcceptListShare($listId: ID!, $ownerId: ID!) {
+    acceptListShare(listId: $listId, ownerId: $ownerId) {
+      listId
+      ownerId
+      ownerEmail
+      sharedWithId
+      sharedWithEmail
+      permission
+      status
+      sharedAt
+      respondedAt
+    }
+  }
+`
+);
+var declineListShare = (
+  /* GraphQL */
+  `
+  mutation DeclineListShare($listId: ID!, $ownerId: ID!) {
+    declineListShare(listId: $listId, ownerId: $ownerId) {
+      listId
+      ownerId
+      ownerEmail
+      sharedWithId
+      sharedWithEmail
+      permission
+      status
+      sharedAt
+      respondedAt
+    }
+  }
+`
+);
+var revokeListShare = (
+  /* GraphQL */
+  `
+  mutation RevokeListShare($listId: ID!, $sharedWithId: ID!) {
+    revokeListShare(listId: $listId, sharedWithId: $sharedWithId)
+  }
+`
+);
+var updateListSharePermission = (
+  /* GraphQL */
+  `
+  mutation UpdateListSharePermission($input: UpdateListSharePermissionInput!) {
+    updateListSharePermission(input: $input) {
+      listId
+      ownerId
+      ownerEmail
+      sharedWithId
+      sharedWithEmail
+      permission
+      status
+      sharedAt
+      respondedAt
+    }
+  }
+`
+);
+var createNote = `
+  mutation CreateNote($input: CreateNoteInput!) {
+    createNote(input: $input) {
+      id
+      taskId
+      content
+      authorId
+      authorName
+      createdAt
+    }
+  }
+`;
+var deleteNote = `
+  mutation DeleteNote($taskId: ID!, $noteId: ID!, $createdAt: AWSDateTime!) {
+    deleteNote(taskId: $taskId, noteId: $noteId, createdAt: $createdAt)
+  }
+`;
+var createContact = (
+  /* GraphQL */
+  `
+  mutation CreateContact($input: CreateContactInput!) {
+    createContact(input: $input) {
+      id
+      name
+      email
+      createdAt
+      updatedAt
+    }
+  }
+`
+);
+var updateContact = (
+  /* GraphQL */
+  `
+  mutation UpdateContact($input: UpdateContactInput!) {
+    updateContact(input: $input) {
+      id
+      name
+      email
+      createdAt
+      updatedAt
+    }
+  }
+`
+);
+var deleteContactMutation = (
+  /* GraphQL */
+  `
+  mutation DeleteContact($id: ID!) {
+    deleteContact(id: $id)
+  }
+`
+);
+var revokeApiKey = (
+  /* GraphQL */
+  `
+  mutation RevokeApiKey($id: ID!) {
+    revokeApiKey(id: $id) {
+      id
+      name
+      keyPrefix
+      status
+      createdAt
+      lastUsedAt
+      revokedAt
+    }
+  }
+`
+);
+var rotateSelfApiKey = (
+  /* GraphQL */
+  `
+  mutation RotateSelfApiKey {
+    rotateSelfApiKey {
+      revokedKeyId
+      newKey {
+        id
+        name
+        keyPrefix
+        key
+        createdAt
+      }
+    }
+  }
+`
+);
+var updatePreferences = `
+  mutation UpdatePreferences($input: UpdatePreferencesInput!) {
+    updatePreferences(input: $input) {
+      theme
+      defaultView
+      archiveDelay
+      colorPalette
+      colorRules
+      notificationPrefs
+      filterPresets
+      defaultPriority
+      defaultCategoryId
+      defaultColor
+      updatedAt
+    }
+  }
+`;
+
+// src/lib/auto-rotate.ts
+var LOCK_DIR = resolve3(homedir3(), ".tasklumina", ".rotate-lock");
+var LOCK_STALE_MS = 6e4;
+function acquireLock() {
+  try {
+    try {
+      const stat = statSync(LOCK_DIR);
+      if (Date.now() - stat.mtimeMs > LOCK_STALE_MS) {
+        rmSync(LOCK_DIR, { recursive: true, force: true });
+      }
+    } catch {
+    }
+    mkdirSync2(LOCK_DIR, { recursive: false });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function releaseLock() {
+  try {
+    rmSync(LOCK_DIR, { recursive: true, force: true });
+  } catch {
+  }
+}
+async function performSelfRotation() {
+  const data = await graphql(rotateSelfApiKey);
+  const result = data.rotateSelfApiKey.newKey;
+  await saveApiKeyData({
+    key: result.key,
+    keyPrefix: result.keyPrefix,
+    lastRotatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  return result.key;
+}
+async function maybeAutoRotate() {
+  try {
+    if (process.env.TASKLUMINA_API_KEY) return;
+    const data = await loadApiKeyData();
+    if (!data) return;
+    const lastRotated = new Date(data.lastRotatedAt).getTime();
+    const hoursSince = (Date.now() - lastRotated) / (1e3 * 60 * 60);
+    if (hoursSince < CONFIG.autoRotateIntervalHours) return;
+    if (!acquireLock()) return;
+    try {
+      const freshData = await loadApiKeyData();
+      if (freshData) {
+        const freshHours = (Date.now() - new Date(freshData.lastRotatedAt).getTime()) / (1e3 * 60 * 60);
+        if (freshHours < CONFIG.autoRotateIntervalHours) return;
+      }
+      await performSelfRotation();
+    } finally {
+      releaseLock();
+    }
+  } catch {
+    releaseLock();
+  }
+}
+
+// src/commands/configure.ts
+var configureCommand = new Command2("configure").description("Configure CLI authentication with an API key").action(async () => {
+  try {
+    const key = await password({ message: "Enter your API key:" });
+    if (!key.startsWith("tl_live_")) {
+      printError("Invalid API key format. Keys must start with tl_live_");
+      process.exitCode = 1;
+      return;
+    }
+    await saveApiKeyData({
+      key,
+      keyPrefix: key.slice(0, 12),
+      lastRotatedAt: (/* @__PURE__ */ new Date(0)).toISOString()
+    });
+    printWarning("Rotating key for security (the key you entered will be revoked)...");
+    try {
+      const newKey = await performSelfRotation();
+      printSuccess("API key configured and rotated successfully.");
+      console.log(`  Active key prefix: ${newKey.slice(0, 12)}...`);
+      printWarning("The key you entered has been revoked. Your CLI now uses a new key stored securely in the OS keychain.");
+    } catch (rotateErr) {
+      const msg = rotateErr instanceof Error ? rotateErr.message : "Unknown error";
+      printWarning(`Key saved but auto-rotation failed: ${msg}`);
+      printWarning("The original key is still active and stored in your OS keychain.");
+      printWarning("Rotation will be attempted automatically on your next command.");
+    }
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+
+// src/commands/tasks.ts
+import { Command as Command3 } from "commander";
+import { confirm } from "@inquirer/prompts";
+
+// src/lib/validators.ts
+var VALID_STATUSES = ["todo", "in_progress", "review", "done"];
+var VALID_PRIORITIES = ["critical", "high", "medium", "low"];
+var VALID_PERMISSIONS = ["view", "edit"];
+var VALID_THEMES = ["light", "dark", "system"];
+var VALID_VIEWS = ["list", "kanban", "priority", "category"];
+function validateEnum(value, allowed, label) {
+  if (!allowed.includes(value)) {
+    throw new Error(`Invalid ${label}: "${value}". Must be one of: ${allowed.join(", ")}`);
+  }
+}
+function validateStatus(value) {
+  validateEnum(value, VALID_STATUSES, "status");
+}
+function validatePriority(value) {
+  validateEnum(value, VALID_PRIORITIES, "priority");
+}
+function validatePermission(value) {
+  validateEnum(value, VALID_PERMISSIONS, "permission");
+}
+function validateTheme(value) {
+  validateEnum(value, VALID_THEMES, "theme");
+}
+function validateView(value) {
+  validateEnum(value, VALID_VIEWS, "default view");
+}
+function validateTime(value) {
+  if (!/^\d{2}:\d{2}$/.test(value)) {
+    throw new Error(`Invalid time: "${value}". Expected format: HH:MM (e.g. 09:30)`);
+  }
+  const [h, m] = value.split(":").map(Number);
+  if (h > 23 || m > 59) {
+    throw new Error(`Invalid time: "${value}". Hours must be 0-23 and minutes 0-59.`);
+  }
+}
+function validateDate(value) {
+  if (!/^\d{4}-\d{2}-\d{2}$/.test(value)) {
+    throw new Error(`Invalid date: "${value}". Expected format: YYYY-MM-DD`);
+  }
+  const [year, month, day] = value.split("-").map(Number);
+  const d = new Date(value);
+  if (isNaN(d.getTime()) || d.getUTCFullYear() !== year || d.getUTCMonth() + 1 !== month || d.getUTCDate() !== day) {
+    throw new Error(`Invalid date: "${value}". Day does not exist in that month.`);
+  }
+}
+function validateEmail(value) {
+  if (value.length > 254) {
+    throw new Error(`Email too long (max 254 characters): "${value}"`);
+  }
+  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value)) {
+    throw new Error(`Invalid email address: "${value}"`);
+  }
+}
+function validateUrl(value) {
+  try {
+    const url = new URL(value);
+    if (url.protocol !== "http:" && url.protocol !== "https:") {
+      throw new Error("Only http and https URLs are allowed");
+    }
+  } catch {
+    throw new Error(`Invalid URL: "${value}". Must be a valid http or https URL.`);
+  }
+}
+function validateUuid(value, label = "ID") {
+  if (!/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value)) {
+    if (!/^[0-9a-f]{6,}$/i.test(value)) {
+      throw new Error(`Invalid ${label}: "${value}". Must be a UUID or at least a 6-character hex prefix.`);
+    }
+  }
+}
+function validateStringLength(value, field, max) {
+  if (value.length > max) {
+    throw new Error(`${field} too long (${value.length} chars, max ${max}).`);
+  }
+}
+function validateHexColor(value) {
+  if (!/^#[0-9A-Fa-f]{6}$/.test(value)) {
+    throw new Error(`Invalid color: "${value}". Must be a hex color like #FF5733.`);
+  }
+}
+function validateQuantity(value) {
+  const n = parseInt(value, 10);
+  if (isNaN(n) || n < 0 || n > 99999) {
+    throw new Error(`Invalid quantity: "${value}". Must be a number between 0 and 99999.`);
+  }
+  return n;
+}
+
+// src/commands/tasks.ts
+var PRIORITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3 };
+var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+async function resolveTaskId(idOrPrefix) {
+  if (UUID_RE.test(idOrPrefix)) return idOrPrefix;
+  const data = await graphql(listTasks, {});
+  const archivedData = await graphql(listTasks, { archived: true });
+  const allTasks = [...data.listTasks, ...archivedData.listTasks];
+  const matches = allTasks.filter((t) => t.id.startsWith(idOrPrefix));
+  if (matches.length === 0) throw new Error(`No task found matching ID prefix: ${idOrPrefix}`);
+  if (matches.length > 1) {
+    const list = matches.map((t) => `  ${truncateId(t.id)} \u2014 ${t.title}`).join("\n");
+    throw new Error(`Ambiguous ID prefix "${idOrPrefix}" matches ${matches.length} tasks:
+${list}`);
+  }
+  return matches[0].id;
+}
+function escapeCsv(value) {
+  if (value.includes(",") || value.includes('"') || value.includes("\n")) {
+    return `"${value.replace(/"/g, '""')}"`;
+  }
+  return value;
+}
+function tasksToCsv(tasks) {
+  const headers = ["ID", "Title", "Status", "Priority", "Due Date", "Due Time", "Category", "Tags", "Created", "Updated"];
+  const rows = tasks.map((t) => [
+    t.id,
+    t.title,
+    t.status,
+    t.priority,
+    t.dueDate || "",
+    t.dueTime || "",
+    t.categoryId || "",
+    t.tags.join(";"),
+    t.createdAt,
+    t.updatedAt
+  ].map(escapeCsv).join(","));
+  return [headers.join(","), ...rows].join("\n");
+}
+var tasksCommand = new Command3("tasks").description("Manage tasks").option("--status <status>", "Filter by status (todo, in_progress, review, done)").option("--priority <priority>", "Filter by priority (critical, high, medium, low)").option("--completed", "Show completed (archived) tasks instead of active tasks").option("--archived", "Show all archived tasks including trash").option("--category <id>", "Filter by category ID").option("--tag <tag>", "Filter by tag name").option("--due-on <date>", "Tasks due on exactly this date (YYYY-MM-DD)").option("--due-before <date>", "Tasks due before date (YYYY-MM-DD)").option("--due-after <date>", "Tasks due after date (YYYY-MM-DD)").option("--overdue", "Show only overdue tasks").option("--sort <field>", "Sort by: due, priority, created, updated, title").option("--desc", "Sort descending (default: ascending)").option("--csv", "Export as CSV").action(async (opts) => {
+  try {
+    if (opts.status) validateStatus(opts.status);
+    if (opts.priority) validatePriority(opts.priority);
+    if (opts.category) validateUuid(opts.category, "Category ID");
+    if (opts.dueOn) validateDate(opts.dueOn);
+    if (opts.dueBefore) validateDate(opts.dueBefore);
+    if (opts.dueAfter) validateDate(opts.dueAfter);
+    const variables = {};
+    if (opts.status) variables.status = opts.status;
+    if (opts.completed || opts.archived) {
+      variables.archived = true;
+    } else {
+      variables.archived = false;
+    }
+    const data = await graphql(listTasks, variables);
+    let tasks = data.listTasks;
+    if (opts.completed) {
+      tasks = tasks.filter((t) => !t.deletedAt);
+    }
+    if (opts.dueOn) {
+      tasks = tasks.filter((t) => t.dueDate === opts.dueOn);
+    }
+    if (opts.priority) {
+      tasks = tasks.filter((t) => t.priority === opts.priority);
+    }
+    if (opts.category) {
+      tasks = tasks.filter((t) => t.categoryId === opts.category);
+    }
+    if (opts.tag) {
+      const tag = opts.tag.toLowerCase();
+      tasks = tasks.filter((t) => t.tags.some((tg) => tg.toLowerCase() === tag));
+    }
+    if (opts.dueBefore) {
+      const before = new Date(opts.dueBefore);
+      tasks = tasks.filter((t) => t.dueDate && new Date(t.dueDate) <= before);
+    }
+    if (opts.dueAfter) {
+      const after = new Date(opts.dueAfter);
+      tasks = tasks.filter((t) => t.dueDate && new Date(t.dueDate) >= after);
+    }
+    if (opts.overdue) {
+      const now = /* @__PURE__ */ new Date();
+      tasks = tasks.filter((t) => {
+        if (t.status === "done" || !t.dueDate) return false;
+        const dueMs = t.dueTime ? (/* @__PURE__ */ new Date(`${t.dueDate}T${t.dueTime}`)).getTime() : (/* @__PURE__ */ new Date(`${t.dueDate}T23:59:59`)).getTime();
+        return dueMs < now.getTime();
+      });
+    }
+    if (opts.sort) {
+      const dir = opts.desc ? -1 : 1;
+      tasks.sort((a, b) => {
+        switch (opts.sort) {
+          case "due": {
+            if (!a.dueDate && !b.dueDate) return 0;
+            if (!a.dueDate) return 1;
+            if (!b.dueDate) return -1;
+            return dir * (new Date(a.dueDate).getTime() - new Date(b.dueDate).getTime());
+          }
+          case "priority":
+            return dir * ((PRIORITY_ORDER[a.priority] ?? 9) - (PRIORITY_ORDER[b.priority] ?? 9));
+          case "created":
+            return dir * (new Date(a.createdAt).getTime() - new Date(b.createdAt).getTime());
+          case "updated":
+            return dir * (new Date(a.updatedAt).getTime() - new Date(b.updatedAt).getTime());
+          case "title":
+            return dir * a.title.localeCompare(b.title);
+          default:
+            return 0;
+        }
+      });
+    }
+    if (opts.csv) {
+      console.log(tasksToCsv(tasks));
+      return;
+    }
+    if (isJsonMode()) {
+      printJson(tasks);
+      return;
+    }
+    if (tasks.length === 0) {
+      console.log("No tasks found.");
+      return;
+    }
+    printTable(
+      ["ID", "Title", "Status", "Priority", "Due Date"],
+      tasks.map((t) => [
+        truncateId(t.id),
+        t.title.length > 40 ? t.title.substring(0, 37) + "..." : t.title,
+        formatStatus(t.status),
+        formatPriority(t.priority),
+        formatDate(t.dueDate)
+      ])
+    );
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+tasksCommand.command("create").description("Create a new task").argument("<title>", "Task title").option("--desc <description>", "Task description").option("--status <status>", "Task status", "todo").option("--priority <priority>", "Task priority", "medium").option("--category <id>", "Category ID").option("--tags <tags>", "Comma-separated tags").option("--due <date>", "Due date (YYYY-MM-DD)").option("--due-time <time>", "Due time (HH:MM, 24-hour). Requires --due.").option("--color <color>", "Task color").action(async (title, opts) => {
+  try {
+    validateStringLength(title, "Title", 500);
+    validateStatus(opts.status);
+    validatePriority(opts.priority);
+    if (opts.due) validateDate(opts.due);
+    if (opts.dueTime) {
+      if (!opts.due) {
+        printError("--due-time requires --due to be set.");
+        process.exitCode = 1;
+        return;
+      }
+      validateTime(opts.dueTime);
+    }
+    if (opts.color) validateHexColor(opts.color);
+    if (opts.desc) validateStringLength(opts.desc, "Description", 5e3);
+    const taskInput = {
+      title,
+      status: opts.status,
+      priority: opts.priority,
+      tags: opts.tags ? opts.tags.split(",").map((t) => t.trim()) : []
+    };
+    if (opts.desc) taskInput.description = opts.desc;
+    if (opts.category) taskInput.categoryId = opts.category;
+    if (opts.due) taskInput.dueDate = opts.due;
+    if (opts.dueTime) taskInput.dueTime = opts.dueTime;
+    if (opts.color) taskInput.color = opts.color;
+    const data = await graphql(createTask, { input: taskInput });
+    if (isJsonMode()) {
+      printJson(data.createTask);
+      return;
+    }
+    printSuccess(`Created task: ${data.createTask.title} (id: ${truncateId(data.createTask.id)})`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+tasksCommand.command("update").description("Update a task").argument("<id>", "Task ID").option("--title <title>", "New title").option("--desc <description>", "New description").option("--status <status>", "New status").option("--priority <priority>", "New priority").option("--category <id>", "New category ID").option("--tags <tags>", "New tags (comma-separated)").option("--due <date>", "New due date (YYYY-MM-DD)").option("--due-time <time>", "Set due time (HH:MM, 24-hour)").option("--all-day", "Remove due time (make all-day)").option("--color <color>", "New color").action(async (id, opts) => {
+  try {
+    validateUuid(id, "Task ID");
+    const resolvedId = await resolveTaskId(id);
+    if (opts.status) validateStatus(opts.status);
+    if (opts.priority) validatePriority(opts.priority);
+    if (opts.due) validateDate(opts.due);
+    if (opts.dueTime) validateTime(opts.dueTime);
+    if (opts.dueTime && opts.allDay) {
+      printError("--due-time and --all-day are mutually exclusive.");
+      process.exitCode = 1;
+      return;
+    }
+    if (opts.color) validateHexColor(opts.color);
+    if (opts.title) validateStringLength(opts.title, "Title", 500);
+    if (opts.desc) validateStringLength(opts.desc, "Description", 5e3);
+    const taskInput = { id: resolvedId };
+    if (opts.title) taskInput.title = opts.title;
+    if (opts.desc) taskInput.description = opts.desc;
+    if (opts.status) taskInput.status = opts.status;
+    if (opts.priority) taskInput.priority = opts.priority;
+    if (opts.category) taskInput.categoryId = opts.category;
+    if (opts.tags) taskInput.tags = opts.tags.split(",").map((t) => t.trim());
+    if (opts.due) taskInput.dueDate = opts.due;
+    if (opts.dueTime) taskInput.dueTime = opts.dueTime;
+    if (opts.allDay) taskInput.dueTime = null;
+    if (opts.color) taskInput.color = opts.color;
+    const data = await graphql(updateTask, { input: taskInput });
+    if (isJsonMode()) {
+      printJson(data.updateTask);
+      return;
+    }
+    printSuccess(`Updated task: ${data.updateTask.title}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+function addStatusShortcut(name, targetStatus, pastTense) {
+  tasksCommand.command(name).description(`Mark a task as ${targetStatus.replace("_", " ")}`).argument("<id>", "Task ID").action(async (id) => {
+    try {
+      validateUuid(id, "Task ID");
+      const resolvedId = await resolveTaskId(id);
+      const data = await graphql(updateTask, {
+        input: { id: resolvedId, status: targetStatus }
+      });
+      if (isJsonMode()) {
+        printJson(data.updateTask);
+        return;
+      }
+      printSuccess(`${pastTense}: ${data.updateTask.title}`);
+    } catch (err) {
+      printError(err.message);
+      process.exitCode = 1;
+    }
+  });
+}
+addStatusShortcut("start", "in_progress", "Started");
+addStatusShortcut("review", "review", "Moved to review");
+addStatusShortcut("done", "done", "Marked done");
+tasksCommand.command("delete").description("Delete a task (soft delete)").argument("<id>", "Task ID").option("--force", "Skip confirmation").action(async (id, opts) => {
+  try {
+    validateUuid(id, "Task ID");
+    const resolvedId = await resolveTaskId(id);
+    if (!opts.force) {
+      const ok = await confirm({ message: `Delete task ${truncateId(resolvedId)}?`, default: false });
+      if (!ok) {
+        console.log("Cancelled.");
+        return;
+      }
+    }
+    await graphql(deleteTask, { id: resolvedId });
+    if (isJsonMode()) {
+      printJson({ deleted: resolvedId });
+      return;
+    }
+    printSuccess(`Deleted task: ${truncateId(resolvedId)}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+tasksCommand.command("show").description("Show detailed task info").argument("<id>", "Task ID").action(async (id) => {
+  try {
+    validateUuid(id, "Task ID");
+    const resolvedId = await resolveTaskId(id);
+    const data = await graphql(listTasks, {});
+    const archivedData = await graphql(listTasks, { archived: true });
+    const allTasks = [...data.listTasks, ...archivedData.listTasks];
+    const task = allTasks.find((t) => t.id === resolvedId);
+    if (!task) {
+      printError(`Task not found: ${id}`);
+      process.exitCode = 1;
+      return;
+    }
+    const [notesData, sharesData] = await Promise.all([
+      graphql(
+        listNotes,
+        { taskId: task.id }
+      ).catch(() => ({ listNotes: [] })),
+      graphql(
+        listTaskShares,
+        { taskId: task.id }
+      ).catch(() => ({ listTaskShares: [] }))
+    ]);
+    if (isJsonMode()) {
+      printJson({ ...task, notes: notesData.listNotes, shares: sharesData.listTaskShares });
+      return;
+    }
+    console.log(`ID:          ${task.id}`);
+    console.log(`Title:       ${task.title}`);
+    console.log(`Status:      ${formatStatus(task.status)}`);
+    console.log(`Priority:    ${formatPriority(task.priority)}`);
+    console.log(`Description: ${task.description || "\u2014"}`);
+    console.log(`Category:    ${task.categoryId || "\u2014"}`);
+    console.log(`Tags:        ${task.tags.length ? task.tags.join(", ") : "\u2014"}`);
+    console.log(`Due Date:    ${formatDate(task.dueDate)}${task.dueTime ? ` at ${task.dueTime}` : task.dueDate ? " (all day)" : ""}`);
+    console.log(`Color:       ${task.color || "\u2014"}`);
+    console.log(`Archived:    ${task.archived ? "Yes" : "No"}`);
+    console.log(`Created:     ${formatDate(task.createdAt)}`);
+    console.log(`Updated:     ${formatDate(task.updatedAt)}`);
+    if (notesData.listNotes.length > 0) {
+      console.log(`
+Notes (${notesData.listNotes.length}):`);
+      for (const note of notesData.listNotes) {
+        console.log(`  [${formatDate(note.createdAt)}] ${note.authorName}: ${note.content}`);
+      }
+    }
+    if (sharesData.listTaskShares.length > 0) {
+      console.log(`
+Shares (${sharesData.listTaskShares.length}):`);
+      printTable(
+        ["Email", "Permission", "Status", "Shared At"],
+        sharesData.listTaskShares.map((s) => [maskEmail(s.sharedWithEmail), s.permission, s.status, formatDate(s.sharedAt)])
+      );
+    }
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+
+// src/commands/categories.ts
+import { Command as Command4 } from "commander";
+import { randomUUID } from "crypto";
+import { confirm as confirm2 } from "@inquirer/prompts";
+var categoriesCommand = new Command4("categories").description("Manage categories").action(async () => {
+  try {
+    const data = await graphql(listCategories);
+    if (isJsonMode()) {
+      printJson(data.listCategories);
+      return;
+    }
+    if (data.listCategories.length === 0) {
+      console.log("No categories.");
+      return;
+    }
+    printTable(
+      ["ID", "Name", "Color"],
+      data.listCategories.map((c) => [truncateId(c.id), c.name, c.color || "\u2014"])
+    );
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+categoriesCommand.command("create").description("Create a category").argument("<name>", "Category name").option("--color <color>", "Category color (hex)").action(async (name, opts) => {
+  try {
+    validateStringLength(name, "Name", 100);
+    if (opts.color) validateHexColor(opts.color);
+    const input2 = { id: randomUUID(), name, position: Date.now() };
+    if (opts.color) input2.color = opts.color;
+    const data = await graphql(createCategory, { input: input2 });
+    if (isJsonMode()) {
+      printJson(data.createCategory);
+      return;
+    }
+    printSuccess(`Created category: ${data.createCategory.name}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+categoriesCommand.command("update").description("Update a category").argument("<id>", "Category ID").option("--name <name>", "New name").option("--color <color>", "New color").action(async (id, opts) => {
+  try {
+    validateUuid(id, "Category ID");
+    if (opts.name) validateStringLength(opts.name, "Name", 100);
+    if (opts.color) validateHexColor(opts.color);
+    const input2 = { id };
+    if (opts.name) input2.name = opts.name;
+    if (opts.color) input2.color = opts.color;
+    const data = await graphql(updateCategory, { input: input2 });
+    if (isJsonMode()) {
+      printJson(data.updateCategory);
+      return;
+    }
+    printSuccess(`Updated category: ${data.updateCategory.name}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+categoriesCommand.command("delete").description("Delete a category").argument("<id>", "Category ID").option("--force", "Skip confirmation").action(async (id, opts) => {
+  try {
+    validateUuid(id, "Category ID");
+    if (!opts.force) {
+      const ok = await confirm2({ message: `Delete category ${truncateId(id)}?`, default: false });
+      if (!ok) {
+        console.log("Cancelled.");
+        return;
+      }
+    }
+    await graphql(deleteCategory, { id });
+    if (isJsonMode()) {
+      printJson({ deleted: id });
+      return;
+    }
+    printSuccess("Deleted category");
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+
+// src/commands/tags.ts
+import { Command as Command5 } from "commander";
+import { randomUUID as randomUUID2 } from "crypto";
+import { confirm as confirm3 } from "@inquirer/prompts";
+var tagsCommand = new Command5("tags").description("Manage tags").action(async () => {
+  try {
+    const data = await graphql(listTags);
+    if (isJsonMode()) {
+      printJson(data.listTags);
+      return;
+    }
+    if (data.listTags.length === 0) {
+      console.log("No tags.");
+      return;
+    }
+    printTable(["ID", "Name"], data.listTags.map((t) => [truncateId(t.id), t.name]));
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+tagsCommand.command("create").description("Create a tag").argument("<name>", "Tag name").action(async (name) => {
+  try {
+    validateStringLength(name, "Tag name", 100);
+    const data = await graphql(createTag, { input: { id: randomUUID2(), name } });
+    if (isJsonMode()) {
+      printJson(data.createTag);
+      return;
+    }
+    printSuccess(`Created tag: ${data.createTag.name}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+tagsCommand.command("update").description("Update a tag").argument("<id>", "Tag ID").option("--name <name>", "New name").action(async (id, opts) => {
+  try {
+    validateUuid(id, "Tag ID");
+    if (opts.name) validateStringLength(opts.name, "Tag name", 100);
+    const input2 = { id };
+    if (opts.name) input2.name = opts.name;
+    const data = await graphql(updateTag, { input: input2 });
+    if (isJsonMode()) {
+      printJson(data.updateTag);
+      return;
+    }
+    printSuccess(`Updated tag: ${data.updateTag.name}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+tagsCommand.command("delete").description("Delete a tag").argument("<id>", "Tag ID").option("--force", "Skip confirmation").action(async (id, opts) => {
+  try {
+    validateUuid(id, "Tag ID");
+    if (!opts.force) {
+      const ok = await confirm3({ message: `Delete tag ${truncateId(id)}?`, default: false });
+      if (!ok) {
+        console.log("Cancelled.");
+        return;
+      }
+    }
+    await graphql(deleteTagMutation, { id });
+    if (isJsonMode()) {
+      printJson({ deleted: id });
+      return;
+    }
+    printSuccess("Deleted tag");
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+
+// src/commands/notes.ts
+import { Command as Command6 } from "commander";
+import { randomUUID as randomUUID3 } from "crypto";
+import { confirm as confirm4 } from "@inquirer/prompts";
+var notesCommand = new Command6("notes").description("Manage task notes").argument("<task-id>", "Task ID").action(async (taskId) => {
+  try {
+    validateUuid(taskId, "Task ID");
+    const data = await graphql(listNotes, { taskId });
+    if (isJsonMode()) {
+      printJson(data.listNotes);
+      return;
+    }
+    if (data.listNotes.length === 0) {
+      console.log("No notes.");
+      return;
+    }
+    printTable(
+      ["ID", "Author", "Content", "Created"],
+      data.listNotes.map((n) => [truncateId(n.id), n.authorName, n.content.length > 50 ? n.content.substring(0, 47) + "..." : n.content, formatDate(n.createdAt)])
+    );
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+notesCommand.command("add").description("Add a note to a task").argument("<task-id>", "Task ID").argument("<content>", "Note content").action(async (taskId, content) => {
+  try {
+    validateUuid(taskId, "Task ID");
+    validateStringLength(content, "Note content", 5e3);
+    const data = await graphql(createNote, {
+      input: { id: randomUUID3(), taskId, content }
+    });
+    if (isJsonMode()) {
+      printJson(data.createNote);
+      return;
+    }
+    printSuccess("Added note to task");
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+notesCommand.command("delete").description("Delete a note").argument("<task-id>", "Task ID").argument("<note-id>", "Note ID").requiredOption("--created-at <date>", "Note creation date (ISO 8601)").option("--force", "Skip confirmation").action(async (taskId, noteId, opts) => {
+  try {
+    validateUuid(taskId, "Task ID");
+    validateUuid(noteId, "Note ID");
+    if (!/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/.test(opts.createdAt)) {
+      throw new Error("Invalid --created-at: must be an ISO 8601 datetime (e.g. 2024-01-15T10:30:00Z).");
+    }
+    if (!opts.force) {
+      const ok = await confirm4({ message: "Delete this note?", default: false });
+      if (!ok) {
+        console.log("Cancelled.");
+        return;
+      }
+    }
+    await graphql(deleteNote, { taskId, noteId, createdAt: opts.createdAt });
+    if (isJsonMode()) {
+      printJson({ deleted: noteId });
+      return;
+    }
+    printSuccess("Deleted note");
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+
+// src/commands/contacts.ts
+import { Command as Command7 } from "commander";
+import { randomUUID as randomUUID4 } from "crypto";
+import { confirm as confirm5 } from "@inquirer/prompts";
+var contactsCommand = new Command7("contacts").description("Manage contacts").action(async () => {
+  try {
+    const data = await graphql(listContacts);
+    if (isJsonMode()) {
+      printJson(data.listContacts);
+      return;
+    }
+    if (data.listContacts.length === 0) {
+      console.log("No contacts.");
+      return;
+    }
+    printTable(
+      ["ID", "Name", "Email"],
+      data.listContacts.map((c) => [truncateId(c.id), c.name, maskEmail(c.email)])
+    );
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+contactsCommand.command("create").description("Create a contact").argument("<name>", "Contact name").requiredOption("--email <email>", "Contact email").action(async (name, opts) => {
+  try {
+    validateEmail(opts.email);
+    validateStringLength(name, "Name", 200);
+    const data = await graphql(createContact, {
+      input: { id: randomUUID4(), name, email: opts.email }
+    });
+    if (isJsonMode()) {
+      printJson(data.createContact);
+      return;
+    }
+    printSuccess(`Created contact: ${data.createContact.name}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+contactsCommand.command("update").description("Update a contact").argument("<id>", "Contact ID").option("--name <name>", "New name").option("--email <email>", "New email").action(async (id, opts) => {
+  try {
+    validateUuid(id, "Contact ID");
+    const input2 = { id };
+    if (opts.name) {
+      validateStringLength(opts.name, "Name", 200);
+      input2.name = opts.name;
+    }
+    if (opts.email) {
+      validateEmail(opts.email);
+      input2.email = opts.email;
+    }
+    const data = await graphql(updateContact, { input: input2 });
+    if (isJsonMode()) {
+      printJson(data.updateContact);
+      return;
+    }
+    printSuccess(`Updated contact: ${data.updateContact.name}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+contactsCommand.command("delete").description("Delete a contact").argument("<id>", "Contact ID").option("--force", "Skip confirmation").action(async (id, opts) => {
+  try {
+    validateUuid(id, "Contact ID");
+    if (!opts.force) {
+      const ok = await confirm5({ message: `Delete contact ${truncateId(id)}?`, default: false });
+      if (!ok) {
+        console.log("Cancelled.");
+        return;
+      }
+    }
+    await graphql(deleteContactMutation, { id });
+    if (isJsonMode()) {
+      printJson({ deleted: id });
+      return;
+    }
+    printSuccess("Deleted contact");
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+
+// src/commands/prefs.ts
+import { Command as Command8 } from "commander";
+import { randomUUID as randomUUID5 } from "crypto";
+import chalk2 from "chalk";
+var prefsCommand = new Command8("prefs").description("Manage preferences").action(async () => {
+  try {
+    const data = await graphql(getPreferences);
+    const p = data.getPreferences;
+    if (isJsonMode()) {
+      printJson(p);
+      return;
+    }
+    printTable(
+      ["Setting", "Value"],
+      [
+        ["Theme", p.theme],
+        ["Default View", p.defaultView],
+        ["Archive Delay (hours)", String(p.archiveDelay)],
+        ["Default Priority", p.defaultPriority || "\u2014"],
+        ["Default Category ID", p.defaultCategoryId ? truncateId(p.defaultCategoryId) : "\u2014"],
+        ["Default Color", p.defaultColor || "\u2014"]
+      ]
+    );
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+prefsCommand.command("set").description("Update a preference").option("--theme <theme>", "Theme (light, dark, system)").option("--default-view <view>", "Default view (list, kanban, priority, category)").option("--archive-delay <hours>", "Archive delay in hours").option("--default-priority <priority>", 'Default task priority (critical, high, medium, low) or "none" to clear').option("--default-category <id>", 'Default category ID or "none" to clear').option("--default-color <color>", 'Default task color (hex, e.g. #FF5733) or "none" to clear').action(async (opts) => {
+  try {
+    if (opts.theme) validateTheme(opts.theme);
+    if (opts.defaultView) validateView(opts.defaultView);
+    if (opts.defaultPriority && opts.defaultPriority !== "none") validatePriority(opts.defaultPriority);
+    if (opts.defaultColor && opts.defaultColor !== "none") validateHexColor(opts.defaultColor);
+    const input2 = {};
+    if (opts.theme) input2.theme = opts.theme;
+    if (opts.defaultView) input2.defaultView = opts.defaultView;
+    if (opts.archiveDelay) {
+      const delay = parseInt(opts.archiveDelay, 10);
+      if (isNaN(delay) || delay < 0 || delay > 8760) {
+        printError("Archive delay must be between 0 and 8760 hours (1 year).");
+        process.exitCode = 1;
+        return;
+      }
+      input2.archiveDelay = delay;
+    }
+    if (opts.defaultPriority) input2.defaultPriority = opts.defaultPriority === "none" ? "" : opts.defaultPriority;
+    if (opts.defaultCategory) input2.defaultCategoryId = opts.defaultCategory === "none" ? "" : opts.defaultCategory;
+    if (opts.defaultColor) input2.defaultColor = opts.defaultColor === "none" ? "" : opts.defaultColor;
+    if (Object.keys(input2).length === 0) {
+      printError("Provide at least one option: --theme, --default-view, --archive-delay, --default-priority, --default-category, --default-color");
+      process.exitCode = 1;
+      return;
+    }
+    const data = await graphql(updatePreferences, { input: input2 });
+    if (isJsonMode()) {
+      printJson(data.updatePreferences);
+      return;
+    }
+    for (const [key, value] of Object.entries(input2)) {
+      printSuccess(`Updated preference: ${key} = ${value}`);
+    }
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+var VALID_CONDITION_TYPES = ["tag", "priority", "category"];
+function isValidColorRule(item) {
+  if (typeof item !== "object" || item === null) return false;
+  const obj = item;
+  return typeof obj.id === "string" && typeof obj.conditionType === "string" && VALID_CONDITION_TYPES.includes(obj.conditionType) && typeof obj.conditionValue === "string" && typeof obj.color === "string" && /^#[0-9A-Fa-f]{6}$/.test(obj.color);
+}
+async function loadColorRules() {
+  const data = await graphql(getPreferences);
+  const raw = data.getPreferences.colorRules;
+  if (!raw) return [];
+  const parsed = JSON.parse(raw);
+  if (!Array.isArray(parsed)) return [];
+  return parsed.filter(isValidColorRule);
+}
+async function saveColorRules(rules) {
+  await graphql(updatePreferences, {
+    input: { colorRules: JSON.stringify(rules) }
+  });
+}
+var colorRulesCommand = prefsCommand.command("color-rules").description("Manage automatic color rules").action(async () => {
+  try {
+    const rules = await loadColorRules();
+    if (isJsonMode()) {
+      printJson(rules);
+      return;
+    }
+    if (rules.length === 0) {
+      console.log("No color rules configured.");
+      console.log(chalk2.dim("Add one: tasklumina prefs color-rules add --type priority --value critical --color #ef4444"));
+      return;
+    }
+    printTable(
+      ["ID", "Type", "Value", "Color"],
+      rules.map((r) => [
+        truncateId(r.id),
+        r.conditionType,
+        r.conditionValue,
+        `${chalk2.hex(r.color)("\u2588\u2588")} ${r.color}`
+      ])
+    );
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+colorRulesCommand.command("add").description("Add a color rule").requiredOption("--type <type>", "Condition type (tag, priority, category)").requiredOption("--value <value>", 'Condition value (e.g. "critical", "Work")').requiredOption("--color <hex>", "Color hex code (e.g. #ef4444)").action(async (opts) => {
+  try {
+    if (!VALID_CONDITION_TYPES.includes(opts.type)) {
+      printError(`Invalid type: "${opts.type}". Must be one of: ${VALID_CONDITION_TYPES.join(", ")}`);
+      process.exitCode = 1;
+      return;
+    }
+    validateHexColor(opts.color);
+    validateStringLength(opts.value, "Condition value", 200);
+    const rules = await loadColorRules();
+    const existing = rules.find(
+      (r) => r.conditionType === opts.type && r.conditionValue === opts.value
+    );
+    if (existing) {
+      printError(`A rule for ${opts.type} "${opts.value}" already exists (${truncateId(existing.id)}). Remove it first.`);
+      process.exitCode = 1;
+      return;
+    }
+    const rule = {
+      id: randomUUID5(),
+      conditionType: opts.type,
+      conditionValue: opts.value,
+      color: opts.color
+    };
+    rules.push(rule);
+    await saveColorRules(rules);
+    if (isJsonMode()) {
+      printJson(rule);
+      return;
+    }
+    printSuccess(`Added color rule: ${opts.type} "${opts.value}" \u2192 ${chalk2.hex(opts.color)("\u2588\u2588")} ${opts.color}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+colorRulesCommand.command("remove").description("Remove a color rule").argument("<id>", "Rule ID or prefix").action(async (id) => {
+  try {
+    const rules = await loadColorRules();
+    const match = rules.filter((r) => r.id === id || r.id.startsWith(id));
+    if (match.length === 0) {
+      printError(`No color rule found matching "${id}".`);
+      process.exitCode = 1;
+      return;
+    }
+    if (match.length > 1) {
+      printError(`Multiple rules match "${id}". Be more specific.`);
+      process.exitCode = 1;
+      return;
+    }
+    const removed = match[0];
+    const updated = rules.filter((r) => r.id !== removed.id);
+    await saveColorRules(updated);
+    if (isJsonMode()) {
+      printJson({ removed: removed.id });
+      return;
+    }
+    printSuccess(`Removed color rule: ${removed.conditionType} "${removed.conditionValue}"`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+
+// src/commands/lists.ts
+import { Command as Command9 } from "commander";
+import { randomUUID as randomUUID6 } from "crypto";
+import { confirm as confirm6 } from "@inquirer/prompts";
+var listsCommand = new Command9("lists").description("Manage lists").action(async () => {
+  try {
+    const data = await graphql(listLists);
+    if (isJsonMode()) {
+      printJson(data.listLists);
+      return;
+    }
+    if (data.listLists.length === 0) {
+      console.log("No lists.");
+      return;
+    }
+    printTable(
+      ["ID", "Name", "Items", "Created"],
+      data.listLists.map((l) => [truncateId(l.id), l.name, String(l.itemCount), formatDate(l.createdAt)])
+    );
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+listsCommand.command("show").description("Show a list with items").argument("<id>", "List ID").action(async (id) => {
+  try {
+    validateUuid(id, "List ID");
+    const [listsData, itemsData] = await Promise.all([
+      graphql(listLists),
+      graphql(listListItems, { listId: id })
+    ]);
+    const list = listsData.listLists.find((l) => l.id === id || l.id.startsWith(id));
+    if (!list) {
+      printError(`List not found: ${id}`);
+      process.exitCode = 1;
+      return;
+    }
+    if (isJsonMode()) {
+      printJson({ ...list, items: itemsData.listListItems });
+      return;
+    }
+    console.log(`ID:          ${list.id}`);
+    console.log(`Name:        ${list.name}`);
+    console.log(`Description: ${list.description || "\u2014"}`);
+    console.log(`Icon:        ${list.icon || "\u2014"}`);
+    console.log(`Color:       ${list.color || "\u2014"}`);
+    console.log(`Items:       ${list.itemCount}`);
+    console.log(`Created:     ${formatDate(list.createdAt)}`);
+    if (itemsData.listListItems.length > 0) {
+      console.log("\nItems:");
+      printTable(
+        ["ID", "Name", "Qty", "Category"],
+        itemsData.listListItems.map((i) => [truncateId(i.id), i.name, i.quantity != null ? String(i.quantity) : "\u2014", i.category || "\u2014"])
+      );
+    }
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+listsCommand.command("create").description("Create a list").argument("<name>", "List name").option("--desc <description>", "Description").option("--icon <icon>", "Icon emoji").option("--color <color>", "Color hex").action(async (name, opts) => {
+  try {
+    validateStringLength(name, "Name", 200);
+    if (opts.desc) validateStringLength(opts.desc, "Description", 2e3);
+    if (opts.color) validateHexColor(opts.color);
+    const input2 = { id: randomUUID6(), name };
+    if (opts.desc) input2.description = opts.desc;
+    if (opts.icon) input2.icon = opts.icon;
+    if (opts.color) input2.color = opts.color;
+    const data = await graphql(createList, { input: input2 });
+    if (isJsonMode()) {
+      printJson(data.createList);
+      return;
+    }
+    printSuccess(`Created list: ${data.createList.name}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+listsCommand.command("update").description("Update a list").argument("<id>", "List ID").option("--name <name>", "New name").option("--desc <description>", "New description").option("--icon <icon>", "New icon").option("--color <color>", "New color").action(async (id, opts) => {
+  try {
+    validateUuid(id, "List ID");
+    if (opts.name) validateStringLength(opts.name, "Name", 200);
+    if (opts.desc) validateStringLength(opts.desc, "Description", 2e3);
+    if (opts.color) validateHexColor(opts.color);
+    const input2 = { id };
+    if (opts.name) input2.name = opts.name;
+    if (opts.desc) input2.description = opts.desc;
+    if (opts.icon) input2.icon = opts.icon;
+    if (opts.color) input2.color = opts.color;
+    const data = await graphql(updateList, { input: input2 });
+    if (isJsonMode()) {
+      printJson(data.updateList);
+      return;
+    }
+    printSuccess(`Updated list: ${data.updateList.name}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+listsCommand.command("delete").description("Delete a list").argument("<id>", "List ID").option("--force", "Skip confirmation").action(async (id, opts) => {
+  try {
+    validateUuid(id, "List ID");
+    if (!opts.force) {
+      const ok = await confirm6({ message: `Delete list ${truncateId(id)}?`, default: false });
+      if (!ok) {
+        console.log("Cancelled.");
+        return;
+      }
+    }
+    await graphql(deleteListMutation, { id });
+    if (isJsonMode()) {
+      printJson({ deleted: id });
+      return;
+    }
+    printSuccess("Deleted list");
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+listsCommand.command("add-item").description("Add an item to a list").argument("<list-id>", "List ID").argument("<name>", "Item name").option("--qty <quantity>", "Quantity").option("--category <category>", "Category").option("--link <url>", "Link URL").action(async (listId, name, opts) => {
+  try {
+    validateUuid(listId, "List ID");
+    validateStringLength(name, "Name", 500);
+    if (opts.qty) validateQuantity(opts.qty);
+    if (opts.link) validateUrl(opts.link);
+    const input2 = { id: randomUUID6(), listId, name, tags: [], customFields: "{}", position: Date.now() };
+    if (opts.qty) input2.quantity = validateQuantity(opts.qty);
+    if (opts.category) input2.category = opts.category;
+    if (opts.link) input2.link = opts.link;
+    const data = await graphql(createListItem, { input: input2 });
+    if (isJsonMode()) {
+      printJson(data.createListItem);
+      return;
+    }
+    printSuccess(`Added item: ${data.createListItem.name}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+listsCommand.command("bulk-add").description("Add multiple items to a list").argument("<list-id>", "List ID").argument("<items...>", "Item names").action(async (listId, items) => {
+  try {
+    validateUuid(listId, "List ID");
+    for (const name of items) {
+      validateStringLength(name, "Item name", 500);
+    }
+    const itemInputs = items.map((name, i) => ({
+      id: randomUUID6(),
+      listId,
+      name,
+      tags: [],
+      customFields: "{}",
+      position: Date.now() + i
+    }));
+    const data = await graphql(bulkCreateListItems, {
+      input: { listId, items: itemInputs }
+    });
+    if (isJsonMode()) {
+      printJson(data.bulkCreateListItems);
+      return;
+    }
+    printSuccess(`Added ${data.bulkCreateListItems.length} items to list`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+listsCommand.command("update-item").description("Update a list item").argument("<item-id>", "Item ID").requiredOption("--list <list-id>", "List ID").option("--name <name>", "New name").option("--qty <quantity>", "New quantity").option("--category <category>", "New category").option("--link <url>", "New link").action(async (itemId, opts) => {
+  try {
+    validateUuid(itemId, "Item ID");
+    validateUuid(opts.list, "List ID");
+    if (opts.name) validateStringLength(opts.name, "Name", 500);
+    if (opts.qty) validateQuantity(opts.qty);
+    if (opts.link) validateUrl(opts.link);
+    const input2 = { id: itemId, listId: opts.list };
+    if (opts.name) input2.name = opts.name;
+    if (opts.qty) input2.quantity = validateQuantity(opts.qty);
+    if (opts.category) input2.category = opts.category;
+    if (opts.link) input2.link = opts.link;
+    const data = await graphql(updateListItem, { input: input2 });
+    if (isJsonMode()) {
+      printJson(data.updateListItem);
+      return;
+    }
+    printSuccess("Updated item");
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+listsCommand.command("remove-item").description("Remove a list item").argument("<item-id>", "Item ID").requiredOption("--list <list-id>", "List ID").option("--force", "Skip confirmation").action(async (itemId, opts) => {
+  try {
+    validateUuid(itemId, "Item ID");
+    validateUuid(opts.list, "List ID");
+    if (!opts.force) {
+      const ok = await confirm6({ message: "Remove this item?", default: false });
+      if (!ok) {
+        console.log("Cancelled.");
+        return;
+      }
+    }
+    await graphql(deleteListItemMutation, { id: itemId, listId: opts.list });
+    if (isJsonMode()) {
+      printJson({ deleted: itemId });
+      return;
+    }
+    printSuccess("Removed item");
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+
+// src/commands/shares.ts
+import { Command as Command10 } from "commander";
+async function resolveEmail(opts) {
+  if (opts.email) {
+    validateEmail(opts.email);
+    return opts.email;
+  }
+  if (opts.contact) {
+    const data = await graphql(listContacts);
+    const name = opts.contact.toLowerCase();
+    const match = data.listContacts.filter((c) => c.name.toLowerCase().includes(name));
+    if (match.length === 0) {
+      throw new Error(`No contact found matching "${opts.contact}". Run \`tasklumina contacts\` to see your contacts.`);
+    }
+    if (match.length > 1) {
+      const names = match.map((c) => `  ${c.name} (${c.email})`).join("\n");
+      throw new Error(`Multiple contacts match "${opts.contact}":
+${names}
+Be more specific or use --email instead.`);
+    }
+    return match[0].email;
+  }
+  throw new Error("Provide --email or --contact");
+}
+var sharesCommand = new Command10("shares").description("Manage task and list sharing");
+sharesCommand.command("send").description("Share a task with someone").argument("<task-id>", "Task ID").option("--email <email>", "Recipient email").option("--contact <name>", "Recipient contact name").option("--permission <perm>", "Permission (view or edit)", "view").action(async (taskId, opts) => {
+  try {
+    validateUuid(taskId, "Task ID");
+    const email = await resolveEmail(opts);
+    validatePermission(opts.permission);
+    const data = await graphql(shareTask, {
+      input: { taskId, sharedWithEmail: email, permission: opts.permission }
+    });
+    if (isJsonMode()) {
+      printJson(data.shareTask);
+      return;
+    }
+    printSuccess(`Shared task with ${maskEmail(email)} (${opts.permission})`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+sharesCommand.command("inbox").description("List tasks shared with me").action(async () => {
+  try {
+    const data = await graphql(listSharedWithMe);
+    if (isJsonMode()) {
+      printJson(data.listSharedWithMe);
+      return;
+    }
+    if (data.listSharedWithMe.length === 0) {
+      console.log("No shared tasks.");
+      return;
+    }
+    printTable(
+      ["Task", "Owner", "Permission", "Status"],
+      data.listSharedWithMe.map((s) => [
+        s.task?.title || truncateId(s.taskId),
+        maskEmail(s.ownerEmail),
+        s.permission,
+        s.status
+      ])
+    );
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+sharesCommand.command("accept").description("Accept a shared task").argument("<task-id>", "Task ID").requiredOption("--owner <owner-id>", "Owner user ID").action(async (taskId, opts) => {
+  try {
+    validateUuid(taskId, "Task ID");
+    validateUuid(opts.owner, "Owner ID");
+    const data = await graphql(acceptShare, { taskId, ownerId: opts.owner });
+    if (isJsonMode()) {
+      printJson(data.acceptShare);
+      return;
+    }
+    printSuccess("Accepted share");
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+sharesCommand.command("decline").description("Decline a shared task").argument("<task-id>", "Task ID").requiredOption("--owner <owner-id>", "Owner user ID").action(async (taskId, opts) => {
+  try {
+    validateUuid(taskId, "Task ID");
+    validateUuid(opts.owner, "Owner ID");
+    const data = await graphql(declineShare, { taskId, ownerId: opts.owner });
+    if (isJsonMode()) {
+      printJson(data.declineShare);
+      return;
+    }
+    printSuccess("Declined share");
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+sharesCommand.command("revoke").description("Revoke a task share").argument("<task-id>", "Task ID").requiredOption("--user <user-id>", "Shared-with user ID").action(async (taskId, opts) => {
+  try {
+    validateUuid(taskId, "Task ID");
+    validateUuid(opts.user, "User ID");
+    await graphql(revokeShare, { taskId, sharedWithId: opts.user });
+    if (isJsonMode()) {
+      printJson({ revoked: true, taskId });
+      return;
+    }
+    printSuccess("Revoked share");
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+sharesCommand.command("ls").description("List shares for a task").argument("<task-id>", "Task ID").action(async (taskId) => {
+  try {
+    validateUuid(taskId, "Task ID");
+    const data = await graphql(listTaskShares, { taskId });
+    if (isJsonMode()) {
+      printJson(data.listTaskShares);
+      return;
+    }
+    if (data.listTaskShares.length === 0) {
+      console.log("Not shared.");
+      return;
+    }
+    printTable(
+      ["Email", "Permission", "Status", "Shared At"],
+      data.listTaskShares.map((s) => [maskEmail(s.sharedWithEmail), s.permission, s.status, formatDate(s.sharedAt)])
+    );
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+sharesCommand.command("outbox").description("List all shares you have sent (tasks and lists)").action(async () => {
+  try {
+    const [taskData, listData] = await Promise.all([
+      graphql(listMyOutgoingTaskShares),
+      graphql(listMyOutgoingListShares)
+    ]);
+    const tasks = taskData.listMyOutgoingTaskShares;
+    const lists = listData.listMyOutgoingListShares;
+    if (isJsonMode()) {
+      printJson({ tasks, lists });
+      return;
+    }
+    if (tasks.length === 0 && lists.length === 0) {
+      console.log("No outgoing shares.");
+      return;
+    }
+    if (tasks.length > 0) {
+      console.log("\nTask shares:");
+      printTable(
+        ["Task", "To", "Permission", "Status", "Shared At"],
+        tasks.map((s) => [
+          s.task?.title || truncateId(s.taskId),
+          maskEmail(s.sharedWithEmail),
+          s.permission,
+          s.status,
+          formatDate(s.sharedAt)
+        ])
+      );
+    }
+    if (lists.length > 0) {
+      console.log("\nList shares:");
+      printTable(
+        ["List", "To", "Permission", "Status", "Shared At"],
+        lists.map((s) => [
+          s.list?.name || truncateId(s.listId),
+          maskEmail(s.sharedWithEmail),
+          s.permission,
+          s.status,
+          formatDate(s.sharedAt)
+        ])
+      );
+    }
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+sharesCommand.command("update-permission").description("Change permission on a task share").argument("<task-id>", "Task ID").requiredOption("--user <user-id>", "Shared-with user ID").requiredOption("--permission <perm>", "New permission (view or edit)").action(async (taskId, opts) => {
+  try {
+    validateUuid(taskId, "Task ID");
+    validateUuid(opts.user, "User ID");
+    validatePermission(opts.permission);
+    const data = await graphql(updateSharePermission, {
+      input: { taskId, sharedWithId: opts.user, permission: opts.permission }
+    });
+    if (isJsonMode()) {
+      printJson(data.updateSharePermission);
+      return;
+    }
+    printSuccess(`Updated permission to ${opts.permission}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+sharesCommand.command("list-send").description("Share a list with someone").argument("<list-id>", "List ID").option("--email <email>", "Recipient email").option("--contact <name>", "Recipient contact name").option("--permission <perm>", "Permission (view or edit)", "view").action(async (listId, opts) => {
+  try {
+    validateUuid(listId, "List ID");
+    const email = await resolveEmail(opts);
+    validatePermission(opts.permission);
+    const data = await graphql(shareList, {
+      input: { listId, sharedWithEmail: email, permission: opts.permission }
+    });
+    if (isJsonMode()) {
+      printJson(data.shareList);
+      return;
+    }
+    printSuccess(`Shared list with ${maskEmail(email)} (${opts.permission})`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+sharesCommand.command("list-inbox").description("List lists shared with me").action(async () => {
+  try {
+    const data = await graphql(listListsSharedWithMe);
+    if (isJsonMode()) {
+      printJson(data.listListsSharedWithMe);
+      return;
+    }
+    if (data.listListsSharedWithMe.length === 0) {
+      console.log("No shared lists.");
+      return;
+    }
+    printTable(
+      ["List", "Owner", "Permission", "Status"],
+      data.listListsSharedWithMe.map((s) => [
+        s.list?.name || truncateId(s.listId),
+        s.ownerEmail ? maskEmail(s.ownerEmail) : "\u2014",
+        s.permission,
+        s.status
+      ])
+    );
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+sharesCommand.command("list-accept").description("Accept a shared list").argument("<list-id>", "List ID").requiredOption("--owner <owner-id>", "Owner user ID").action(async (listId, opts) => {
+  try {
+    validateUuid(listId, "List ID");
+    validateUuid(opts.owner, "Owner ID");
+    await graphql(acceptListShare, { listId, ownerId: opts.owner });
+    if (isJsonMode()) {
+      printJson({ accepted: true, listId });
+      return;
+    }
+    printSuccess("Accepted list share");
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+sharesCommand.command("list-decline").description("Decline a shared list").argument("<list-id>", "List ID").requiredOption("--owner <owner-id>", "Owner user ID").action(async (listId, opts) => {
+  try {
+    validateUuid(listId, "List ID");
+    validateUuid(opts.owner, "Owner ID");
+    await graphql(declineListShare, { listId, ownerId: opts.owner });
+    if (isJsonMode()) {
+      printJson({ declined: true, listId });
+      return;
+    }
+    printSuccess("Declined list share");
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+sharesCommand.command("list-revoke").description("Revoke a list share").argument("<list-id>", "List ID").requiredOption("--user <user-id>", "Shared-with user ID").action(async (listId, opts) => {
+  try {
+    validateUuid(listId, "List ID");
+    validateUuid(opts.user, "User ID");
+    await graphql(revokeListShare, { listId, sharedWithId: opts.user });
+    if (isJsonMode()) {
+      printJson({ revoked: true, listId });
+      return;
+    }
+    printSuccess("Revoked list share");
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+sharesCommand.command("list-ls").description("List shares for a list").argument("<list-id>", "List ID").action(async (listId) => {
+  try {
+    validateUuid(listId, "List ID");
+    const data = await graphql(listListShares, { listId });
+    if (isJsonMode()) {
+      printJson(data.listListShares);
+      return;
+    }
+    if (data.listListShares.length === 0) {
+      console.log("Not shared.");
+      return;
+    }
+    printTable(
+      ["Email", "Permission", "Status", "Shared At"],
+      data.listListShares.map((s) => [maskEmail(s.sharedWithEmail), s.permission, s.status, formatDate(s.sharedAt)])
+    );
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+sharesCommand.command("list-update-permission").description("Change permission on a list share").argument("<list-id>", "List ID").requiredOption("--user <user-id>", "Shared-with user ID").requiredOption("--permission <perm>", "New permission (view or edit)").action(async (listId, opts) => {
+  try {
+    validateUuid(listId, "List ID");
+    validateUuid(opts.user, "User ID");
+    validatePermission(opts.permission);
+    const data = await graphql(updateListSharePermission, {
+      input: { listId, sharedWithId: opts.user, permission: opts.permission }
+    });
+    if (isJsonMode()) {
+      printJson(data.updateListSharePermission);
+      return;
+    }
+    printSuccess(`Updated list share permission to ${opts.permission}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+
+// src/commands/status.ts
+import { Command as Command11 } from "commander";
+import chalk3 from "chalk";
+var statusCommand = new Command11("status").description("Show task dashboard with counts by status").option("--all", "Include archived tasks").action(async (opts) => {
+  try {
+    const data = await graphql(listTasks, {});
+    const tasks = opts.all ? data.listTasks : data.listTasks.filter((t) => !t.archived);
+    if (isJsonMode()) {
+      const counts = {};
+      for (const t of tasks) {
+        counts[t.status] = (counts[t.status] || 0) + 1;
+      }
+      printJson({ total: tasks.length, counts });
+      return;
+    }
+    if (tasks.length === 0) {
+      console.log("No tasks found.");
+      return;
+    }
+    const buckets = {
+      todo: [],
+      in_progress: [],
+      review: [],
+      done: []
+    };
+    for (const t of tasks) {
+      if (buckets[t.status]) buckets[t.status].push(t);
+    }
+    const total = tasks.length;
+    const parts = Object.entries(buckets).filter(([, list]) => list.length > 0).map(([status, list]) => `${formatStatus(status)} ${chalk3.bold(String(list.length))}`);
+    console.log(`
+  ${chalk3.bold(String(total))} tasks: ${parts.join("  ")}
+`);
+    for (const status of ["in_progress", "review", "todo"]) {
+      const list = buckets[status];
+      if (list.length === 0) continue;
+      console.log(`  ${formatStatus(status)}`);
+      for (const t of list.slice(0, 10)) {
+        const due = t.dueDate ? chalk3.dim(` due ${formatDate(t.dueDate)}`) : "";
+        const pri = t.priority === "critical" || t.priority === "high" ? ` ${formatPriority(t.priority)}` : "";
+        console.log(`    ${chalk3.dim(truncateId(t.id))}  ${t.title}${pri}${due}`);
+      }
+      if (list.length > 10) {
+        console.log(chalk3.dim(`    ... and ${list.length - 10} more`));
+      }
+      console.log();
+    }
+    const now = /* @__PURE__ */ new Date();
+    const overdue = tasks.filter(
+      (t) => t.status !== "done" && t.dueDate && new Date(t.dueDate) < now
+    );
+    if (overdue.length > 0) {
+      console.log(chalk3.red.bold(`  ! ${overdue.length} overdue task${overdue.length > 1 ? "s" : ""}`));
+      for (const t of overdue.slice(0, 5)) {
+        console.log(chalk3.red(`    ${truncateId(t.id)}  ${t.title}  (due ${formatDate(t.dueDate)})`));
+      }
+      console.log();
+    }
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+
+// src/commands/apikeys.ts
+import { Command as Command12 } from "commander";
+import { confirm as confirm7 } from "@inquirer/prompts";
+function printKeyList(keys) {
+  if (keys.length === 0) {
+    console.log("No API keys.");
+    return;
+  }
+  printTable(
+    ["Name", "Prefix", "Status", "Created", "Last Used"],
+    keys.map((k) => [k.name, k.keyPrefix, k.status, formatDate(k.createdAt), k.lastUsedAt ? formatDate(k.lastUsedAt) : "never"])
+  );
+}
+var apikeysCommand = new Command12("apikeys").description("List and manage API keys").action(async () => {
+  try {
+    const data = await graphql(listApiKeys);
+    if (isJsonMode()) {
+      printJson(data.listApiKeys);
+      return;
+    }
+    printKeyList(data.listApiKeys);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+apikeysCommand.command("list").description("List all API keys").action(async () => {
+  try {
+    const data = await graphql(listApiKeys);
+    if (isJsonMode()) {
+      printJson(data.listApiKeys);
+      return;
+    }
+    printKeyList(data.listApiKeys);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+apikeysCommand.command("revoke").description("Revoke an API key").argument("<id>", "API key ID").option("--force", "Skip confirmation").action(async (id, opts) => {
+  try {
+    if (!opts.force) {
+      const ok = await confirm7({ message: `Revoke API key ${id}?`, default: false });
+      if (!ok) {
+        console.log("Cancelled.");
+        return;
+      }
+    }
+    const data = await graphql(revokeApiKey, { id });
+    if (isJsonMode()) {
+      printJson(data.revokeApiKey);
+      return;
+    }
+    printSuccess(`Revoked API key: ${data.revokeApiKey.name}`);
+  } catch (err) {
+    printError(err.message);
+    process.exitCode = 1;
+  }
+});
+
+// src/index.ts
+var program = new Command13();
+program.name("tasklumina").version("1.0.0").description("Task Lumina CLI \u2014 manage tasks from the terminal").option("--json", "Output as JSON").option("--no-color", "Disable colored output").option("--verbose", "Show detailed request info (endpoint masked)").option("--redact", "Mask emails and sensitive data in output");
+program.hook("postAction", async () => {
+  await maybeAutoRotate();
+});
+program.addCommand(configureCommand);
+program.addCommand(whoamiCommand);
+program.addCommand(statusCommand);
+program.addCommand(tasksCommand);
+program.addCommand(categoriesCommand);
+program.addCommand(tagsCommand);
+program.addCommand(notesCommand);
+program.addCommand(contactsCommand);
+program.addCommand(prefsCommand);
+program.addCommand(listsCommand);
+program.addCommand(sharesCommand);
+program.addCommand(apikeysCommand);
+program.parse();