@zoobbe/cli 1.0.0 → 1.1.1

package/README.md

@@ -0,0 +1,172 @@
+# @zoobbe/cli
+
+Manage your [Zoobbe](https://zoobbe.com) boards, cards, and projects from the terminal.
+
+## Installation
+
+```bash
+npm install -g @zoobbe/cli
+```
+
+Requires Node.js 18 or later.
+
+## Quick Start
+
+```bash
+# Authenticate with your API key
+zoobbe auth login --token zb_live_xxxxx
+
+# Or point to a self-hosted instance
+zoobbe config set apiUrl https://your-instance.com
+zoobbe auth login --token zb_live_xxxxx
+
+# Set your active workspace
+zoobbe workspace list
+zoobbe workspace switch <workspace-id>
+
+# Start managing your work
+zoobbe board list
+zoobbe card list --board <board-id>
+```
+
+## Authentication
+
+Generate an API key from your workspace settings at **Settings > API Keys**, then:
+
+```bash
+zoobbe auth login --token zb_live_your_api_key_here
+```
+
+Check your login status:
+
+```bash
+zoobbe auth whoami     # Show current user
+zoobbe auth status     # Show auth details
+zoobbe auth logout     # Clear credentials
+```
+
+## Commands
+
+### Workspaces
+
+```bash
+zoobbe workspace list              # List your workspaces
+zoobbe workspace switch <id>       # Set active workspace
+zoobbe workspace info [id]         # Show workspace details
+zoobbe workspace members           # List workspace members
+```
+
+### Boards
+
+```bash
+zoobbe board list                  # List boards in active workspace
+zoobbe board list --all            # Include archived boards
+zoobbe board create <name>         # Create a new board
+zoobbe board create <name> -v Public  # Create with visibility
+zoobbe board info <id>             # Show board details
+zoobbe board open <id>             # Open board in browser
+zoobbe board archive <id>          # Archive a board
+```
+
+### Cards
+
+```bash
+zoobbe card list --board <id>      # List cards on a board
+zoobbe card create <title> -b <board-id>           # Create card in first list
+zoobbe card create <title> -b <id> -l <list-id>    # Create card in specific list
+zoobbe card create <title> -b <id> --due 2026-04-01 --priority high
+zoobbe card info <card-id>         # Show card details
+zoobbe card move <card-id> -l <list-name>           # Move card to another list
+zoobbe card assign <card-id> -u <user-id>           # Assign a user
+zoobbe card comment <card-id> "your message"        # Add a comment
+zoobbe card done <card-id>         # Mark card as complete
+```
+
+### Pages
+
+```bash
+zoobbe page list                   # List pages
+zoobbe page create <title>         # Create a new page
+zoobbe page info <page-id>         # Show page details
+zoobbe page open <page-id>         # Open page in browser
+```
+
+### Search
+
+```bash
+zoobbe search "query"              # Search across boards, cards, and pages
+```
+
+### Status
+
+```bash
+zoobbe status                      # Show your cards across all boards
+```
+
+### AI (Experimental)
+
+Requires an AI provider key configured on the backend.
+
+```bash
+zoobbe ask "what cards are due this week?"
+zoobbe ask "move all overdue cards to Review"
+zoobbe ask "create a sprint board with 3 lists" --provider openai
+```
+
+### Configuration
+
+```bash
+zoobbe config set apiUrl https://api.zoobbe.com   # Set API URL
+zoobbe config set format json                      # Default output format
+zoobbe config get apiUrl                           # Get a config value
+zoobbe config list                                 # Show all config
+zoobbe config path                                 # Show config file location
+```
+
+## Output Formats
+
+Use the `--format` flag or set a default:
+
+```bash
+zoobbe board list --format json    # JSON output
+zoobbe board list --format plain   # Plain text
+zoobbe board list --format table   # Table (default)
+```
+
+## Global Options
+
+```
+-f, --format <format>    Output format: table | json | plain
+--workspace <id>         Override active workspace for this command
+-V, --version            Show version
+-h, --help               Show help
+```
+
+## Aliases
+
+Most commands have short aliases:
+
+| Command     | Alias |
+|-------------|-------|
+| `board`     | `b`   |
+| `card`      | `c`   |
+| `page`      | `p`   |
+| `list`      | `ls`  |
+
+```bash
+zoobbe b ls              # Same as: zoobbe board list
+zoobbe c ls -b <id>      # Same as: zoobbe card list --board <id>
+```
+
+## Self-Hosted
+
+For self-hosted Zoobbe instances, set your API URL before logging in:
+
+```bash
+zoobbe config set apiUrl https://your-instance.com
+zoobbe auth login --token zb_live_xxxxx
+```
+
+## License
+
+MIT

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "@zoobbe/cli",
-  "version": "1.0.0",
+  "version": "1.1.1",
   "description": "Zoobbe CLI - Manage boards, cards, and projects from the terminal",
   "main": "src/index.js",
   "bin": {
-    "zoobbe": "./bin/zoobbe"
+    "zoobbe": "bin/zoobbe"
   },
   "scripts": {
     "start": "node bin/zoobbe",
@@ -29,14 +29,15 @@
   "homepage": "https://zoobbe.com/cli",
   "repository": {
     "type": "git",
-    "url": "https://github.com/zoobbe/zoobbe-cli"
+    "url": "git+https://github.com/zoobbe/zoobbe-cli.git"
   },
   "bugs": {
     "url": "https://github.com/zoobbe/zoobbe-cli/issues"
   },
   "files": [
     "bin/",
-    "src/"
+    "src/",
+    "README.md"
   ],
   "dependencies": {
     "chalk": "^4.1.2",

package/src/commands/ai.js

@@ -73,7 +73,8 @@ const ai = new Command('ask')
         console.log(JSON.stringify(result, null, 2));
       }
     } catch (err) {
-      error(`AI command failed: ${err.message}`);
+      const detail = err.data?.message || err.message;
+      error(`AI command failed: ${detail}`);
     }
   });
 

package/src/commands/auth.js

@@ -16,7 +16,16 @@ auth
   .action(async (options) => {
     try {
       if (options.url) {
-        config.set('apiUrl', options.url);
+        // Validate URL format and enforce HTTPS
+        try {
+          const parsed = new URL(options.url);
+          if (parsed.protocol !== 'https:' && !parsed.hostname.match(/^(localhost|127\.0\.0\.1)$/)) {
+            return error('API URL must use HTTPS. Only localhost is allowed over HTTP.');
+          }
+          config.set('apiUrl', options.url);
+        } catch {
+          return error('Invalid URL format.');
+        }
       }
 
       let apiKey = options.token;
@@ -107,7 +116,7 @@ auth
   .action(() => {
     const apiKey = config.get('apiKey');
     if (apiKey) {
-      success(`Authenticated (key: ${apiKey.substring(0, 16)}...)`);
+      success(`Authenticated (key: ${apiKey.substring(0, 10)}...)`);
       info(`API URL: ${config.get('apiUrl')}`);
       if (config.get('activeWorkspaceName')) {
         info(`Workspace: ${config.get('activeWorkspaceName')}`);

package/src/commands/board.js

@@ -60,16 +60,24 @@ board
         return error('No active workspace. Run "zoobbe workspace switch <name>".');
       }
 
+      // Resolve workspace ObjectId from shortId
+      const wsData = await client.get('/workspaces/me');
+      const workspaces = wsData.data || wsData;
+      const ws = workspaces.find(w => w.shortId === workspaceId);
+      if (!ws) {
+        return error('Active workspace not found.');
+      }
+
       const data = await withSpinner('Creating board...', () =>
         client.post('/boards', {
-          name,
-          workspaceId,
+          title: name,
+          workspaceId: ws._id,
           visibility: options.visibility,
         })
       );
 
-      const b = data.data || data;
-      success(`Created board: ${chalk.bold(b.name || name)} (${b.shortId})`);
+      const b = data.board || data.data || data;
+      success(`Created board: ${chalk.bold(b.title || b.name || name)} (${b.shortId})`);
     } catch (err) {
       error(`Failed to create board: ${err.message}`);
     }
@@ -91,7 +99,7 @@ board
       const boards = data.data || data;
       const match = boards.find(b =>
         b.shortId === nameOrId ||
-        (b.name || '').toLowerCase() === nameOrId.toLowerCase()
+        (b.title || b.name || '').toLowerCase() === nameOrId.toLowerCase()
       );
 
       const boardId = match ? match.shortId : nameOrId;
@@ -113,7 +121,7 @@ board
       const boards = data.data || data;
       const match = boards.find(b =>
         b.shortId === nameOrId ||
-        (b.name || '').toLowerCase() === nameOrId.toLowerCase()
+        (b.title || b.name || '').toLowerCase() === nameOrId.toLowerCase()
       );
 
       if (!match) {
@@ -124,7 +132,7 @@ board
         client.post(`/boards/archive/${match.shortId}`)
       );
 
-      success(`Archived board: ${chalk.bold(match.name)}`);
+      success(`Archived board: ${chalk.bold(match.title || match.name)}`);
     } catch (err) {
       error(`Failed to archive board: ${err.message}`);
     }
@@ -139,9 +147,9 @@ board
         client.get(`/boards/${nameOrId}`)
       );
 
-      const b = data.data || data;
+      const b = data.board || data.data || data;
       console.log();
-      console.log(chalk.bold('  Name:       '), b.name);
+      console.log(chalk.bold('  Name:       '), b.title || b.name);
       console.log(chalk.bold('  ID:         '), b.shortId);
       console.log(chalk.bold('  Visibility: '), b.visibility || 'Private');
       console.log(chalk.bold('  Members:    '), b.members?.length || 0);

package/src/commands/card.js

@@ -20,30 +20,43 @@ card
   .option('-f, --format <format>', 'Output format')
   .action(async (options) => {
     try {
-      let path;
-
-      if (options.assignee === 'me') {
-        const userName = config.get('userName');
-        path = `/${userName}/cards`;
-      } else if (options.board) {
-        path = `/boards/${options.board}/cards`;
-      } else if (options.list) {
-        path = `/actionLists/${options.list}/cards/`;
+      let cards = [];
+
+      if (options.board) {
+        // Get lists with populated cards for this board
+        const listsData = await withSpinner('Fetching cards...', () =>
+          client.get(`/boards/${options.board}/lists`)
+        );
+        const lists = listsData.lists || listsData.data || listsData;
+        const listArr = Array.isArray(lists) ? lists : Object.values(lists);
+
+        // Collect card shortIds per list
+        const cardRefs = [];
+        for (const list of listArr) {
+          if (list.cards && Array.isArray(list.cards)) {
+            for (const c of list.cards) {
+              cardRefs.push({ id: c.shortId || c._id, listName: list.title || '' });
+            }
+          }
+        }
+
+        // Fetch full card details in parallel
+        const results = await Promise.allSettled(
+          cardRefs.map(ref => client.get(`/cards/${ref.id}`).then(d => ({ ...d, _listName: ref.listName })))
+        );
+        for (const r of results) {
+          if (r.status === 'fulfilled') cards.push(r.value);
+        }
       } else {
         // Get cards for current user
-        const userName = config.get('userName');
-        if (!userName) {
-          return error('No user context. Run "zoobbe auth login" first.');
-        }
-        path = `/${userName}/cards`;
+        const userId = config.get('userId');
+        const data = await withSpinner('Fetching cards...', () =>
+          client.get(`/${userId}/cards`)
+        );
+        cards = data.data || data;
+        if (!Array.isArray(cards)) cards = [];
       }
 
-      const data = await withSpinner('Fetching cards...', () =>
-        client.get(path)
-      );
-
-      let cards = data.data || data;
-
       // Apply due date filter
       if (options.due && Array.isArray(cards)) {
         const now = new Date();
@@ -62,9 +75,9 @@ card
       const rows = (Array.isArray(cards) ? cards : []).map(c => ({
         title: (c.title || c.name || '').substring(0, 50),
         id: c.shortId || c._id,
-        list: c.actionList?.name || c.actionListName || '',
-        due: c.dueDate ? new Date(c.dueDate).toLocaleDateString() : '-',
-        members: String(c.members?.length || 0),
+        list: c._listName || c.actionListTitle || c.actionList?.name || '',
+        due: c.dueDate?.date ? new Date(c.dueDate.date).toLocaleDateString() : (typeof c.dueDate === 'string' && c.dueDate ? new Date(c.dueDate).toLocaleDateString() : '-'),
+        members: String(c.members?.length || c.users?.length || 0),
         priority: c.priority || '-',
       }));
 
@@ -96,29 +109,41 @@ card
       // If no list specified, get the first list from the board
       if (!listId) {
         const listsData = await client.get(`/boards/${options.board}/lists`);
-        const lists = listsData.data || listsData;
-        if (!lists || lists.length === 0) {
+        const lists = listsData.lists || listsData.data || listsData;
+        const listArr = Array.isArray(lists) ? lists : Object.values(lists);
+        if (listArr.length === 0) {
           return error('Board has no lists. Create one first.');
         }
-        listId = lists[0].shortId || lists[0]._id;
+        listId = listArr[0]._id;
       }
 
       const body = {
         title,
-        boardId: options.board,
         actionListId: listId,
       };
 
       if (options.description) body.description = options.description;
-      if (options.due) body.dueDate = options.due;
-      if (options.priority) body.priority = options.priority;
 
       const data = await withSpinner('Creating card...', () =>
         client.post('/cards', body)
       );
 
-      const c = data.data || data;
+      const c = data.card || data.data || data;
       success(`Created card: ${chalk.bold(title)} (${c.shortId || c._id})`);
+
+      // Set due date if provided
+      if (options.due && (c.shortId || c._id)) {
+        await client.post(`/cards/${c.shortId || c._id}/duedate`, {
+          dueDate: options.due,
+        });
+      }
+
+      // Set priority if provided
+      if (options.priority && (c.shortId || c._id)) {
+        await client.post(`/cards/${c.shortId || c._id}/priority`, {
+          priority: options.priority,
+        });
+      }
     } catch (err) {
       error(`Failed to create card: ${err.message}`);
     }
@@ -127,20 +152,62 @@ card
 card
   .command('move <cardId>')
   .description('Move a card to a different list')
-  .option('-l, --list <listId>', 'Target list ID (required)')
+  .option('-l, --list <listName>', 'Target list name or ID (required)')
+  .option('-b, --board <boardId>', 'Board ID (auto-detected from card if not specified)')
   .action(async (cardId, options) => {
     try {
       if (!options.list) {
-        return error('Target list ID is required. Use -l <listId>.');
+        return error('Target list is required. Use -l <listName>.');
+      }
+
+      // Fetch card to get board and current list info
+      const cardData = await withSpinner('Fetching card...', () =>
+        client.get(`/cards/${cardId}`)
+      );
+      const c = cardData.card || cardData.data || cardData;
+      const boardId = options.board || c.boardShortId || c.board;
+
+      if (!boardId) {
+        return error('Could not determine board. Use -b <boardId>.');
+      }
+
+      // Get all lists for the board
+      const listsData = await client.get(`/boards/${boardId}/lists`);
+      const lists = listsData.lists || listsData.data || listsData;
+      const listArr = Array.isArray(lists) ? lists : Object.values(lists);
+
+      // Find source list (the list the card is currently in)
+      const sourceActionListId = c.actionList?._id || c.actionListId;
+      const sourceList = listArr.find(l =>
+        l._id === sourceActionListId || l._id?.toString() === sourceActionListId?.toString()
+      );
+
+      // Find target list by name or ID
+      const targetList = listArr.find(l =>
+        l._id === options.list ||
+        l._id?.toString() === options.list ||
+        (l.title || '').toLowerCase() === options.list.toLowerCase()
+      );
+
+      if (!targetList) {
+        const available = listArr.map(l => `  - ${l.title} (${l._id})`).join('\n');
+        return error(`List "${options.list}" not found. Available lists:\n${available}`);
+      }
+
+      if (!sourceList) {
+        return error('Could not determine the card\'s current list.');
       }
 
       await withSpinner('Moving card...', () =>
-        client.post(`/cards/update/${cardId}`, {
-          actionListId: options.list,
+        client.put(`/boards/${boardId}/cards/order`, {
+          sourceListId: sourceList._id,
+          cardId: c._id,
+          targetListId: targetList._id,
+          targetPosition: 0,
         })
       );
 
-      success(`Moved card ${cardId} to list ${options.list}`);
+      success(`Moved card ${cardId} to ${chalk.bold(targetList.title)}`);
     } catch (err) {
       error(`Failed to move card: ${err.message}`);
     }
@@ -173,8 +240,13 @@ card
   .description('Add a comment to a card')
   .action(async (cardId, message) => {
     try {
+      const userId = config.get('userId');
       await withSpinner('Adding comment...', () =>
-        client.post(`/cards/${cardId}/comments`, { text: message })
+        client.post(`/cards/${cardId}/comments`, {
+          comment: message,
+          member: userId,
+          mentionedIds: [],
+        })
       );
 
       success(`Comment added to card ${cardId}`);
@@ -207,15 +279,17 @@ card
         client.get(`/cards/${cardId}`)
       );
 
-      const c = data.data || data;
+      const c = data.card || data.data || data;
+      const dueStr = c.dueDate?.date ? new Date(c.dueDate.date).toLocaleDateString() : 'None';
       console.log();
       console.log(chalk.bold('  Title:      '), c.title || c.name);
       console.log(chalk.bold('  ID:         '), c.shortId || c._id);
-      console.log(chalk.bold('  List:       '), c.actionList?.name || 'N/A');
-      console.log(chalk.bold('  Members:    '), c.members?.length || 0);
-      console.log(chalk.bold('  Due Date:   '), c.dueDate ? new Date(c.dueDate).toLocaleDateString() : 'None');
+      console.log(chalk.bold('  Board:      '), c.boardTitle || c.board || 'N/A');
+      console.log(chalk.bold('  List:       '), c.actionListTitle || c.actionList?.name || 'N/A');
+      console.log(chalk.bold('  Members:    '), c.members?.length || c.users?.length || 0);
+      console.log(chalk.bold('  Due Date:   '), dueStr);
       console.log(chalk.bold('  Priority:   '), c.priority || 'None');
-      console.log(chalk.bold('  Complete:   '), c.isComplete ? 'Yes' : 'No');
+      console.log(chalk.bold('  Complete:   '), c.completed ? 'Yes' : 'No');
       if (c.description) {
         console.log(chalk.bold('  Description:'), c.description.substring(0, 100));
       }

package/src/commands/page.js

@@ -54,7 +54,7 @@ page
         client.post('/pages', { title, workspaceId })
       );
 
-      const p = data.data || data;
+      const p = data.page || data.data || data;
       success(`Created page: ${chalk.bold(title)} (${p.shortId || p._id})`);
     } catch (err) {
       error(`Failed to create page: ${err.message}`);
@@ -85,7 +85,7 @@ page
         client.get(`/pages/${pageId}`)
       );
 
-      const p = data.data || data;
+      const p = data.page || data.data || data;
       console.log();
       console.log(chalk.bold('  Title:      '), p.title || 'Untitled');
       console.log(chalk.bold('  ID:         '), p.shortId || p._id);

package/src/commands/search.js

@@ -15,25 +15,28 @@ const search = new Command('search')
       const workspaceId = config.get('activeWorkspace');
 
       const data = await withSpinner(`Searching for "${query}"...`, () =>
-        client.post('/global/search', {
-          query,
-          workspaceId,
-        })
+        client.post(`/global/search?query=${encodeURIComponent(query)}`)
       );
 
-      const results = data.data || data;
+      const results = data.data || data.results || data;
 
-      if (!results || (Array.isArray(results) && results.length === 0)) {
+      // Flatten different result types into a single list
+      const items = [];
+      if (results.boards) results.boards.forEach(b => items.push({ type: 'Board', title: b.title || b.name, id: b.shortId || b._id }));
+      if (results.cards) results.cards.forEach(c => items.push({ type: 'Card', title: c.title || c.name, id: c.shortId || c._id, context: c.boardTitle || '' }));
+      if (results.pages) results.pages.forEach(p => items.push({ type: 'Page', title: p.title || p.name, id: p.shortId || p._id }));
+      if (Array.isArray(results)) results.forEach(r => items.push({ type: r.type || 'item', title: r.title || r.name || '', id: r.shortId || r._id || '' }));
+
+      if (items.length === 0) {
         console.log(chalk.yellow('  No results found.'));
         return;
       }
 
-      // Format results based on type
-      const rows = (Array.isArray(results) ? results : [results]).map(r => ({
-        type: r.type || 'item',
-        title: (r.title || r.name || '').substring(0, 50),
-        id: r.shortId || r._id || '',
-        context: r.boardName || r.workspaceName || '',
+      const rows = items.map(r => ({
+        type: r.type,
+        title: (r.title || '').substring(0, 50),
+        id: r.id || '',
+        context: r.context || '',
       }));
 
       output(rows, {

package/src/commands/status.js

@@ -12,13 +12,13 @@ const status = new Command('status')
   .option('--overdue', 'Only show overdue cards')
   .action(async (options) => {
     try {
-      const userName = config.get('userName');
-      if (!userName) {
+      const userId = config.get('userId');
+      if (!userId) {
         return error('Not logged in. Run "zoobbe auth login" first.');
       }
 
       const data = await withSpinner('Fetching your cards...', () =>
-        client.get(`/${userName}/cards`)
+        client.get(`/${userId}/cards`)
       );
 
       let cards = data.data || data;

package/src/commands/workspace.js

@@ -129,10 +129,14 @@ workspace
       }
 
       const data = await withSpinner('Fetching workspace info...', () =>
-        client.get(`/workspaces/${workspaceId}`)
+        client.get('/workspaces/me')
       );
 
-      const ws = data.data || data;
+      const workspaces = data.data || data;
+      const ws = workspaces.find(w => w.shortId === workspaceId);
+      if (!ws) {
+        return error('Workspace not found.');
+      }
       console.log();
       console.log(chalk.bold('  Name:    '), ws.name);
       console.log(chalk.bold('  ID:      '), ws.shortId);

package/src/lib/client.js

@@ -26,6 +26,11 @@ class ZoobbeClient {
   async request(method, path, body = null) {
     this.ensureAuth();
 
+    // Reject path traversal attempts
+    if (path.includes('..') || path.includes('//')) {
+      throw new Error('Invalid request path');
+    }
+
     const url = `${this.baseUrl}/v1${path}`;
     const options = {
       method,

package/src/lib/config.js

@@ -1,10 +1,18 @@
 const Conf = require('conf');
 const path = require('path');
 const os = require('os');
+const fs = require('fs');
+
+const configDir = path.join(os.homedir(), '.zoobbe');
+
+// Ensure config directory exists with restricted permissions (owner-only)
+if (!fs.existsSync(configDir)) {
+  fs.mkdirSync(configDir, { mode: 0o700, recursive: true });
+}
 
 const config = new Conf({
   projectName: 'zoobbe',
-  cwd: path.join(os.homedir(), '.zoobbe'),
+  cwd: configDir,
   schema: {
     apiKey: { type: 'string', default: '' },
     apiUrl: { type: 'string', default: 'https://api.zoobbe.com' },
@@ -17,4 +25,11 @@ const config = new Conf({
   },
 });
 
+// Lock down the config file (owner read/write only)
+try {
+  fs.chmodSync(config.path, 0o600);
+} catch {
+  // Ignore if chmod fails (e.g., Windows)
+}
+
 module.exports = config;