confluence-cli 1.29.1 → 1.30.1

package/README.md

@@ -102,7 +102,7 @@ This creates `.claude/skills/confluence/SKILL.md` in your current directory. Cla
 confluence init
 ```
 
-The wizard helps you choose the right API endpoint and authentication method. It recommends `/wiki/rest/api` for Atlassian Cloud domains (e.g., `*.atlassian.net`) and `/rest/api` for self-hosted/Data Center instances, then prompts for Basic (email/username + token/password) or Bearer authentication.
+The wizard helps you choose the right API endpoint and authentication method. It recommends `/wiki/rest/api` for Atlassian Cloud domains (e.g., `*.atlassian.net`) and `/rest/api` for self-hosted/Data Center instances, then prompts for Basic (email/username + token/password), Bearer, or client-certificate (mTLS) authentication.
 
 ### Option 2: Non-interactive Setup (CLI Flags)
 
@@ -138,6 +138,17 @@ confluence --profile staging init \
   --token "your-personal-access-token"
 ```
 
+**mTLS profile** (self-hosted or reverse-proxied Confluence APIs):
+```bash
+confluence --profile corp init \
+  --domain "docs.example.com" \
+  --api-path "/confluence/rest/api" \
+  --auth-type "mtls" \
+  --tls-client-cert "~/.certs/client.pem" \
+  --tls-client-key "~/.certs/client.key" \
+  --tls-ca-cert "~/.certs/ca-chain.pem"
+```
+
 **Hybrid mode** (some fields provided, rest via prompts):
 ```bash
 # Domain and token provided, will prompt for auth method and email
@@ -150,9 +161,12 @@ confluence init --email "user@example.com" --token "your-api-token"
 **Available flags:**
 - `-d, --domain <domain>` - Confluence domain (e.g., `company.atlassian.net`)
 - `-p, --api-path <path>` - REST API path (e.g., `/wiki/rest/api`)
-- `-a, --auth-type <type>` - Authentication type: `basic` or `bearer`
+- `-a, --auth-type <type>` - Authentication type: `basic`, `bearer`, or `mtls`
 - `-e, --email <email>` - Email or username for basic authentication
 - `-t, --token <token>` - API token or password
+- `--tls-client-cert <path>` - Client certificate for mTLS authentication
+- `--tls-client-key <path>` - Client private key for mTLS authentication
+- `--tls-ca-cert <path>` - Optional CA certificate chain for mTLS authentication
 - `--read-only` - Enable read-only mode (blocks all write operations)
 
 ⚠️ **Security note:** While flags work, storing tokens in shell history is risky. Prefer environment variables (Option 3) for production environments.
@@ -169,6 +183,16 @@ export CONFLUENCE_AUTH_TYPE="basic"
 export CONFLUENCE_PROFILE="default"
 ```
 
+**mTLS environment variables**:
+```bash
+export CONFLUENCE_DOMAIN="docs.example.com"
+export CONFLUENCE_API_PATH="/confluence/rest/api"
+export CONFLUENCE_AUTH_TYPE="mtls"
+export CONFLUENCE_TLS_CLIENT_CERT="~/.certs/client.pem"
+export CONFLUENCE_TLS_CLIENT_KEY="~/.certs/client.key"
+export CONFLUENCE_TLS_CA_CERT="~/.certs/ca-chain.pem"  # optional
+```
+
 **Scoped API token** (recommended for agents):
 ```bash
 export CONFLUENCE_DOMAIN="api.atlassian.com"
@@ -178,7 +202,7 @@ export CONFLUENCE_EMAIL="user@example.com"
 export CONFLUENCE_API_TOKEN="your-scoped-token"
 ```
 
-`CONFLUENCE_API_PATH` defaults to `/wiki/rest/api` for Atlassian Cloud domains and `/rest/api` otherwise. Override it when your site lives under a custom reverse proxy or on-premises path. `CONFLUENCE_AUTH_TYPE` defaults to `basic` when an email is present and falls back to `bearer` otherwise.
+`CONFLUENCE_API_PATH` defaults to `/wiki/rest/api` for Atlassian Cloud domains and `/rest/api` otherwise. Override it when your site lives under a custom reverse proxy or on-premises path. `CONFLUENCE_AUTH_TYPE` defaults to `basic` when an email is present and falls back to `bearer` otherwise. For `mtls`, set `CONFLUENCE_TLS_CLIENT_CERT` and `CONFLUENCE_TLS_CLIENT_KEY`; `CONFLUENCE_TLS_CA_CERT` is optional.
 
 **Read-only mode** (recommended for AI agents):
 ```bash
@@ -224,6 +248,8 @@ For **read-only** usage, select at minimum: `read:confluence-content.all`, `read
 
 **On-premise / Data Center:** Use your Confluence username and password for basic authentication.
 
+**mTLS-protected Confluence APIs:** Some self-hosted or reverse-proxied deployments authenticate at the TLS layer with a client certificate instead of sending an application-level token. In these environments, configure `authType=mtls` and provide certificate paths via CLI flags or environment variables. No `Authorization` header will be sent in mTLS mode.
+
 ## Usage
 
 ### Read a Page

package/bin/confluence.js

@@ -34,9 +34,12 @@ program
   .option('-d, --domain <domain>', 'Confluence domain')
   .option('--protocol <protocol>', 'Protocol (http or https)')
   .option('-p, --api-path <path>', 'REST API path')
-  .option('-a, --auth-type <type>', 'Authentication type (basic or bearer)')
+  .option('-a, --auth-type <type>', 'Authentication type (basic, bearer, or mtls)')
   .option('-e, --email <email>', 'Email or username for basic auth')
   .option('-t, --token <token>', 'API token')
+  .option('--tls-ca-cert <path>', 'CA certificate for mTLS connections')
+  .option('--tls-client-cert <path>', 'Client certificate for mTLS connections')
+  .option('--tls-client-key <path>', 'Client private key for mTLS connections')
   .option('--read-only', 'Set profile to read-only mode (blocks write operations)')
   .action(async (options) => {
     const profile = getProfileName();
@@ -1917,9 +1920,12 @@ profileCmd
   .option('-d, --domain <domain>', 'Confluence domain')
   .option('--protocol <protocol>', 'Protocol (http or https)')
   .option('-p, --api-path <path>', 'REST API path')
-  .option('-a, --auth-type <type>', 'Authentication type (basic or bearer)')
+  .option('-a, --auth-type <type>', 'Authentication type (basic, bearer, or mtls)')
   .option('-e, --email <email>', 'Email or username for basic auth')
   .option('-t, --token <token>', 'API token')
+  .option('--tls-ca-cert <path>', 'CA certificate for mTLS connections')
+  .option('--tls-client-cert <path>', 'Client certificate for mTLS connections')
+  .option('--tls-client-key <path>', 'Client private key for mTLS connections')
   .option('--read-only', 'Set profile to read-only mode (blocks write operations)')
   .action(async (name, options) => {
     if (!isValidProfileName(name)) {

package/lib/config.js

@@ -10,7 +10,8 @@ const DEFAULT_PROFILE = 'default';
 
 const AUTH_CHOICES = [
   { name: 'Basic (credentials)', value: 'basic' },
-  { name: 'Bearer token', value: 'bearer' }
+  { name: 'Bearer token', value: 'bearer' },
+  { name: 'Client certificate (mTLS)', value: 'mtls' }
 ];
 
 const isValidProfileName = (name) => /^[a-zA-Z0-9_-]+$/.test(name);
@@ -37,12 +38,92 @@ const normalizeProtocol = (rawValue) => {
 
 const normalizeAuthType = (rawValue, hasEmail) => {
   const normalized = (rawValue || '').trim().toLowerCase();
-  if (normalized === 'basic' || normalized === 'bearer') {
+  if (normalized === 'basic' || normalized === 'bearer' || normalized === 'mtls') {
     return normalized;
   }
   return hasEmail ? 'basic' : 'bearer';
 };
 
+const trimOptional = (value) => {
+  if (typeof value !== 'string') {
+    return undefined;
+  }
+  const trimmed = value.trim();
+  return trimmed || undefined;
+};
+
+const normalizeMtlsConfig = (mtls) => {
+  if (!mtls) {
+    return undefined;
+  }
+
+  const normalized = {
+    caCert: trimOptional(mtls.caCert),
+    clientCert: trimOptional(mtls.clientCert),
+    clientKey: trimOptional(mtls.clientKey),
+  };
+
+  if (!normalized.caCert && !normalized.clientCert && !normalized.clientKey) {
+    return undefined;
+  }
+
+  return normalized;
+};
+
+const validateMtlsConfig = (mtls, labelPrefix = 'mTLS') => {
+  const normalized = normalizeMtlsConfig(mtls);
+  if (!normalized) {
+    return [`${labelPrefix} requires a client certificate and client key.`];
+  }
+
+  const errors = [];
+  if (!normalized.clientCert) {
+    errors.push(`${labelPrefix} requires a client certificate.`);
+  } else if (!fs.existsSync(normalized.clientCert)) {
+    errors.push(`${labelPrefix} client certificate file not found: ${normalized.clientCert}`);
+  }
+  if (!normalized.clientKey) {
+    errors.push(`${labelPrefix} requires a client key.`);
+  } else if (!fs.existsSync(normalized.clientKey)) {
+    errors.push(`${labelPrefix} client key file not found: ${normalized.clientKey}`);
+  }
+  if (normalized.caCert && !fs.existsSync(normalized.caCert)) {
+    errors.push(`${labelPrefix} CA certificate file not found: ${normalized.caCert}`);
+  }
+  return errors;
+};
+
+const validateMtlsProtocol = (protocol) => {
+  if (normalizeProtocol(protocol) === 'http') {
+    return 'mTLS authentication requires HTTPS and is not compatible with HTTP.';
+  }
+  return null;
+};
+
+/**
+ * Build an inquirer question for an mTLS file path prompt.
+ * @param {string} name       - answer key (e.g. 'tlsClientCert')
+ * @param {string} message    - prompt text
+ * @param {boolean} required  - whether the field is mandatory
+ * @param {Function} [whenFn] - optional custom `when` predicate; defaults to authType === 'mtls'
+ */
+const mtlsCertQuestion = (name, message, required, whenFn) => ({
+  type: 'input',
+  name,
+  message,
+  when: whenFn || ((responses) => responses.authType === 'mtls'),
+  validate: (input) => {
+    const value = (input || '').trim();
+    if (!value) {
+      return required ? `${message.replace(/:$/, '')} is required for mTLS.` : true;
+    }
+    if (!fs.existsSync(value)) {
+      return `File not found: ${value}`;
+    }
+    return true;
+  }
+});
+
 const inferApiPath = (domain) => {
   if (!domain) {
     return '/rest/api';
@@ -89,6 +170,10 @@ function readConfigFile() {
         token: raw.token,
         authType: raw.authType
       };
+      const mtls = normalizeMtlsConfig(raw.mtls);
+      if (mtls) {
+        profile.mtls = mtls;
+      }
       if (raw.email) {
         profile.email = raw.email;
       }
@@ -123,7 +208,7 @@ const validateCliOptions = (options) => {
     errors.push('--domain cannot be empty');
   }
 
-  if (options.token && !options.token.trim()) {
+  if (options.token !== undefined && !options.token.trim()) {
     errors.push('--token cannot be empty');
   }
 
@@ -148,8 +233,8 @@ const validateCliOptions = (options) => {
     errors.push('--protocol must be "http" or "https"');
   }
 
-  if (options.authType && !['basic', 'bearer'].includes(options.authType.toLowerCase())) {
-    errors.push('--auth-type must be "basic" or "bearer"');
+  if (options.authType && !['basic', 'bearer', 'mtls'].includes(options.authType.toLowerCase())) {
+    errors.push('--auth-type must be "basic", "bearer", or "mtls"');
   }
 
   // Check if basic auth is provided with email
@@ -158,6 +243,16 @@ const validateCliOptions = (options) => {
     errors.push('--email is required when using basic authentication (use your username for on-premise)');
   }
 
+  if (normAuthType === 'mtls') {
+    validateMtlsConfig(options.mtls, '--auth-type mtls').forEach((error) => {
+      errors.push(error);
+    });
+    const protocolError = validateMtlsProtocol(options.protocol);
+    if (protocolError) {
+      errors.push(protocolError);
+    }
+  }
+
   return errors;
 };
 
@@ -167,14 +262,22 @@ const saveConfig = (configData, profileName) => {
     domain: configData.domain.trim(),
     protocol: normalizeProtocol(configData.protocol),
     apiPath: normalizeApiPath(configData.apiPath, configData.domain),
-    token: configData.token.trim(),
     authType: configData.authType
   };
 
+  if (configData.token) {
+    config.token = configData.token.trim();
+  }
+
   if (configData.authType === 'basic' && configData.email) {
     config.email = configData.email.trim();
   }
 
+  const mtls = normalizeMtlsConfig(configData.mtls);
+  if (mtls) {
+    config.mtls = mtls;
+  }
+
   if (configData.readOnly) {
     config.readOnly = true;
   }
@@ -283,10 +386,30 @@ const promptForMissingValues = async (providedValues) => {
       type: 'password',
       name: 'token',
       message: 'API token / password:',
+      when: (responses) => {
+        const authType = providedValues.authType || responses.authType;
+        return authType !== 'mtls';
+      },
       validate: requiredInput('API token / password')
     });
   }
 
+  // mTLS certificate path questions
+  const mtls = normalizeMtlsConfig(providedValues.mtls);
+  const mtlsWhen = (responses) => {
+    const authType = providedValues.authType || responses.authType;
+    return authType === 'mtls';
+  };
+  if (!mtls || !mtls.clientCert) {
+    questions.push(mtlsCertQuestion('tlsClientCert', 'Path to client certificate file (PEM):', true, mtlsWhen));
+  }
+  if (!mtls || !mtls.clientKey) {
+    questions.push(mtlsCertQuestion('tlsClientKey', 'Path to client key file (PEM):', true, mtlsWhen));
+  }
+  if (!mtls || !mtls.caCert) {
+    questions.push(mtlsCertQuestion('tlsCaCert', 'Path to CA certificate file (PEM, optional):', false, mtlsWhen));
+  }
+
   if (questions.length === 0) {
     return providedValues;
   }
@@ -313,7 +436,12 @@ async function initConfig(cliOptions = {}) {
     apiPath: cliOptions.apiPath,
     authType: cliOptions.authType,
     email: cliOptions.email,
-    token: cliOptions.token
+    token: cliOptions.token,
+    mtls: cliOptions.mtls || {
+      caCert: cliOptions.tlsCaCert,
+      clientCert: cliOptions.tlsClientCert,
+      clientKey: cliOptions.tlsClientKey,
+    }
   };
 
   // Check if any CLI options were provided
@@ -380,11 +508,24 @@ async function initConfig(cliOptions = {}) {
         type: 'password',
         name: 'token',
         message: 'API token / password:',
+        when: (responses) => responses.authType !== 'mtls',
         validate: requiredInput('API token / password')
-      }
+      },
+      mtlsCertQuestion('tlsClientCert', 'Path to client certificate file (PEM):', true),
+      mtlsCertQuestion('tlsClientKey', 'Path to client key file (PEM):', true),
+      mtlsCertQuestion('tlsCaCert', 'Path to CA certificate file (PEM, optional):', false)
     ]);
 
-    saveConfig({ ...answers, readOnly }, profileName);
+    const configData = { ...answers, readOnly };
+    if (answers.authType === 'mtls') {
+      configData.mtls = {
+        clientCert: answers.tlsClientCert,
+        clientKey: answers.tlsClientKey,
+        caCert: answers.tlsCaCert || undefined,
+      };
+    }
+
+    saveConfig(configData, profileName);
     return;
   }
 
@@ -403,8 +544,13 @@ async function initConfig(cliOptions = {}) {
   // Non-interactive requires: domain, token, and either authType or email (for inference)
   const hasRequiredValues = Boolean(
     providedValues.domain &&
-    providedValues.token &&
-    (providedValues.authType || providedValues.email)
+    (
+      providedValues.authType === 'mtls'
+      || (
+        providedValues.token &&
+        (providedValues.authType || providedValues.email)
+      )
+    )
   );
 
   if (hasRequiredValues) {
@@ -425,6 +571,11 @@ async function initConfig(cliOptions = {}) {
         process.exit(1);
       }
 
+      if (normalizedAuthType !== 'mtls' && !providedValues.token) {
+        console.error(chalk.red('❌ Token is required for basic or bearer authentication'));
+        process.exit(1);
+      }
+
       // Verify API path format if provided
       if (providedValues.apiPath) {
         normalizeApiPath(providedValues.apiPath, normalizedDomain);
@@ -437,6 +588,7 @@ async function initConfig(cliOptions = {}) {
         token: providedValues.token,
         authType: normalizedAuthType,
         email: providedValues.email,
+        mtls: providedValues.mtls,
         readOnly
       };
 
@@ -461,6 +613,15 @@ async function initConfig(cliOptions = {}) {
     // Normalize auth type
     mergedValues.authType = normalizeAuthType(mergedValues.authType, Boolean(mergedValues.email));
 
+    // Build mTLS config from prompted values if needed
+    if (mergedValues.authType === 'mtls') {
+      mergedValues.mtls = normalizeMtlsConfig({
+        clientCert: mergedValues.tlsClientCert || (mergedValues.mtls && mergedValues.mtls.clientCert),
+        clientKey: mergedValues.tlsClientKey || (mergedValues.mtls && mergedValues.mtls.clientKey),
+        caCert: mergedValues.tlsCaCert || (mergedValues.mtls && mergedValues.mtls.caCert),
+      });
+    }
+
     saveConfig({ ...mergedValues, readOnly }, profileName);
   } catch (error) {
     console.error(chalk.red(`❌ ${error.message}`));
@@ -476,9 +637,15 @@ function getConfig(profileName) {
   const envApiPath = process.env.CONFLUENCE_API_PATH;
   const envProtocol = process.env.CONFLUENCE_PROTOCOL;
   const envReadOnly = process.env.CONFLUENCE_READ_ONLY;
-
-  if (envDomain && envToken) {
-    const authType = normalizeAuthType(envAuthType, Boolean(envEmail));
+  const envMtls = normalizeMtlsConfig({
+    caCert: process.env.CONFLUENCE_TLS_CA_CERT,
+    clientCert: process.env.CONFLUENCE_TLS_CLIENT_CERT,
+    clientKey: process.env.CONFLUENCE_TLS_CLIENT_KEY,
+  });
+
+  if (envDomain && (envToken || envAuthType === 'mtls' || envMtls)) {
+    const inferredAuthType = envAuthType || (envMtls && !envToken ? 'mtls' : undefined);
+    const authType = normalizeAuthType(inferredAuthType, Boolean(envEmail));
     let apiPath;
 
     try {
@@ -494,13 +661,33 @@ function getConfig(profileName) {
       process.exit(1);
     }
 
+    if (authType !== 'mtls' && !envToken) {
+      console.error(chalk.red('❌ Bearer/basic authentication requires CONFLUENCE_API_TOKEN or CONFLUENCE_PASSWORD.'));
+      process.exit(1);
+    }
+
+    if (authType === 'mtls') {
+      const mtlsErrors = validateMtlsConfig(envMtls, 'CONFLUENCE_AUTH_TYPE=mtls');
+      if (mtlsErrors.length > 0) {
+        console.error(chalk.red(`❌ ${mtlsErrors.join(' ')}`));
+        console.log(chalk.yellow('Set CONFLUENCE_TLS_CLIENT_CERT and CONFLUENCE_TLS_CLIENT_KEY. Optionally set CONFLUENCE_TLS_CA_CERT.'));
+        process.exit(1);
+      }
+      if (normalizeProtocol(envProtocol) === 'http') {
+        const protocolError = validateMtlsProtocol(envProtocol);
+        console.error(chalk.red(`❌ ${protocolError}`));
+        process.exit(1);
+      }
+    }
+
     return {
       domain: envDomain.trim(),
       protocol: normalizeProtocol(envProtocol),
       apiPath,
-      token: envToken.trim(),
+      token: envToken ? envToken.trim() : undefined,
       email: envEmail ? envEmail.trim() : undefined,
       authType,
+      mtls: envMtls,
       readOnly: envReadOnly === 'true'
     };
   }
@@ -534,12 +721,13 @@ function getConfig(profileName) {
 
   try {
     const trimmedDomain = (storedConfig.domain || '').trim();
-    const trimmedToken = (storedConfig.token || '').trim();
+    const trimmedToken = trimOptional(storedConfig.token);
     const trimmedEmail = storedConfig.email ? storedConfig.email.trim() : undefined;
     const authType = normalizeAuthType(storedConfig.authType, Boolean(trimmedEmail));
+    const mtls = normalizeMtlsConfig(storedConfig.mtls);
     let apiPath;
 
-    if (!trimmedDomain || !trimmedToken) {
+    if (!trimmedDomain || (authType !== 'mtls' && !trimmedToken)) {
       console.error(chalk.red('❌ Configuration file is missing required values.'));
       console.log(chalk.yellow('Run "confluence init" to refresh your settings.'));
       process.exit(1);
@@ -551,6 +739,21 @@ function getConfig(profileName) {
       process.exit(1);
     }
 
+    if (authType === 'mtls') {
+      const mtlsErrors = validateMtlsConfig(mtls, 'mTLS authentication');
+      if (mtlsErrors.length > 0) {
+        console.error(chalk.red(`❌ ${mtlsErrors.join(' ')}`));
+        console.log(chalk.yellow('Please rerun "confluence init" to add your mTLS certificate paths.'));
+        process.exit(1);
+      }
+      if (normalizeProtocol(storedConfig.protocol) === 'http') {
+        const protocolError = validateMtlsProtocol(storedConfig.protocol);
+        console.error(chalk.red(`❌ ${protocolError}`));
+        console.log(chalk.yellow('Please rerun "confluence init" to update your protocol to HTTPS.'));
+        process.exit(1);
+      }
+    }
+
     try {
       apiPath = normalizeApiPath(storedConfig.apiPath, trimmedDomain);
     } catch (error) {
@@ -570,6 +773,7 @@ function getConfig(profileName) {
       token: trimmedToken,
       email: trimmedEmail,
       authType,
+      mtls,
       readOnly
     };
   } catch (error) {

package/lib/confluence-client.js

@@ -1,5 +1,6 @@
 const axios = require('axios');
 const fs = require('fs');
+const https = require('https');
 const path = require('path');
 const FormData = require('form-data');
 const { convert } = require('html-to-text');
@@ -34,6 +35,7 @@ class ConfluenceClient {
     this.token = config.token;
     this.email = config.email;
     this.authType = (config.authType || (this.email ? 'basic' : 'bearer')).toLowerCase();
+    this.mtls = config.mtls;
     this.apiPath = this.sanitizeApiPath(config.apiPath);
     this.webUrlPrefix = this.apiPath.startsWith('/wiki/') ? '/wiki' : '';
     this.baseURL = `${this.protocol}://${this.domain}${this.apiPath}`;
@@ -41,14 +43,23 @@ class ConfluenceClient {
     this.setupConfluenceMarkdownExtensions();
 
     const headers = {
-      'Content-Type': 'application/json',
-      'Authorization': this.authType === 'basic' ? this.buildBasicAuthHeader() : `Bearer ${this.token}`
+      'Content-Type': 'application/json'
     };
+    const authHeader = this.buildAuthHeader();
+    if (authHeader) {
+      headers.Authorization = authHeader;
+    }
 
-    this.client = axios.create({
+    const clientOptions = {
       baseURL: this.baseURL,
       headers
-    });
+    };
+    const httpsAgent = this.buildHttpsAgent();
+    if (httpsAgent) {
+      clientOptions.httpsAgent = httpsAgent;
+    }
+
+    this.client = axios.create(clientOptions);
 
     this.client.interceptors.response.use(
       response => response,
@@ -72,6 +83,10 @@ class ConfluenceClient {
             hints.push(
               'Please verify your username and password are correct.'
             );
+          } else if (this.authType === 'mtls') {
+            hints.push(
+              'Please verify your client certificate, client key, and CA certificate are correct and trusted by the server.'
+            );
           } else {
             hints.push(
               'Please verify your personal access token is valid and not expired.'
@@ -115,6 +130,67 @@ class ConfluenceClient {
     return `Basic ${encodedCredentials}`;
   }
 
+  buildAuthHeader() {
+    if (this.authType === 'mtls') {
+      return null;
+    }
+
+    if (!this.token) {
+      throw new Error(`Authentication type "${this.authType}" requires a token or password.`);
+    }
+
+    return this.authType === 'basic' ? this.buildBasicAuthHeader() : `Bearer ${this.token}`;
+  }
+
+  buildHttpsAgent() {
+    if (this.protocol !== 'https' || !this.mtls) {
+      return null;
+    }
+
+    const options = {};
+
+    if (this.mtls.caCert) {
+      if (!fs.existsSync(this.mtls.caCert)) {
+        throw new Error(`CA certificate file not found: ${this.mtls.caCert}`);
+      }
+      options.ca = fs.readFileSync(this.mtls.caCert);
+    }
+    if (this.mtls.clientCert) {
+      if (!fs.existsSync(this.mtls.clientCert)) {
+        throw new Error(`Client certificate file not found: ${this.mtls.clientCert}`);
+      }
+      options.cert = fs.readFileSync(this.mtls.clientCert);
+    }
+    if (this.mtls.clientKey) {
+      if (!fs.existsSync(this.mtls.clientKey)) {
+        throw new Error(`Client key file not found: ${this.mtls.clientKey}`);
+      }
+      // Warn if private key file is readable by others (Unix only)
+      if (process.platform !== 'win32') {
+        try {
+          const keyStats = fs.statSync(this.mtls.clientKey);
+          const keyMode = keyStats.mode & 0o777;
+          if (keyMode & 0o077) {
+            console.error(
+              `Warning: Client key file "${this.mtls.clientKey}" has mode ${keyMode.toString(8)}. ` +
+              'Private keys should not be readable by other users (recommended: 0600). ' +
+              `Fix with: chmod 600 "${this.mtls.clientKey}"`
+            );
+          }
+        } catch {
+          // Ignore stat errors — the read below will surface them
+        }
+      }
+      options.key = fs.readFileSync(this.mtls.clientKey);
+    }
+
+    if (Object.keys(options).length === 0) {
+      return null;
+    }
+
+    return new https.Agent(options);
+  }
+
   /**
    * Extract page ID from URL or return the ID if it's already a number
    */
@@ -136,6 +212,26 @@ class ConfluenceClient {
         return prettyMatch[1];
       }
 
+      // Handle tiny links (/wiki/x/<code>)
+      const tinyLinkMatch = pageIdOrUrl.match(/\/wiki\/x\/([A-Za-z0-9_-]+)/);
+      if (tinyLinkMatch) {
+        try {
+          const response = await this.client.get(pageIdOrUrl, {
+            maxRedirects: 0,
+            validateStatus: (status) => status >= 300 && status < 400
+          });
+          const redirectUrl = response.headers.location;
+          if (redirectUrl) {
+            return this.extractPageId(redirectUrl);
+          }
+        } catch (error) {
+          if (error.response && error.response.headers && error.response.headers.location) {
+            return this.extractPageId(error.response.headers.location);
+          }
+        }
+        throw new Error(`Could not resolve page ID from tiny link: ${pageIdOrUrl}`);
+      }
+
       // Handle display URLs - search by space and title
       const displayMatch = pageIdOrUrl.match(/\/display\/([^/]+)\/(.+)/);
       if (displayMatch) {
@@ -1403,9 +1499,12 @@ class ConfluenceClient {
     // Format: <ac:link><ri:page ri:space-key="xxx" ri:content-title="Page Title" /></ac:link>
     markdown = markdown.replace(/<ac:link>\s*<ri:page[^>]*ri:content-title="([^"]*)"[^>]*\/>\s*<\/ac:link>/g, '[$1]');
     markdown = markdown.replace(/<ac:link>\s*<ri:page[^>]*ri:content-title="([^"]*)"[^>]*>\s*<\/ri:page>\s*<\/ac:link>/g, '[$1]');
-    
-    // Remove any remaining ac:link tags that weren't matched
-    markdown = markdown.replace(/<ac:link>[\s\S]*?<\/ac:link>/g, '');
+
+    // Convert internal page links with custom display text (ac:link-body)
+    markdown = markdown.replace(/<ac:link[^>]*>[\s\S]*?<ac:link-body>([\s\S]*?)<\/ac:link-body>[\s\S]*?<\/ac:link>/g, '$1');
+
+    // Remove any remaining ac:link tags that weren't matched (including those with attributes)
+    markdown = markdown.replace(/<ac:link[^>]*>[\s\S]*?<\/ac:link>/g, '');
     
     // Convert remaining HTML to markdown
     markdown = this.htmlToMarkdown(markdown);
@@ -2112,4 +2211,4 @@ ConfluenceClient.createLocalConverter = function () {
 };
 
 module.exports = ConfluenceClient;
-module.exports.NAMED_ENTITIES = NAMED_ENTITIES;
+module.exports.NAMED_ENTITIES = NAMED_ENTITIES;

package/npm-shrinkwrap.json

@@ -1,12 +1,12 @@
 {
   "name": "confluence-cli",
-  "version": "1.29.1",
+  "version": "1.30.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "confluence-cli",
-      "version": "1.29.1",
+      "version": "1.30.1",
       "license": "MIT",
       "dependencies": {
         "axios": "^1.15.0",
@@ -2684,9 +2684,9 @@
       "license": "ISC"
     },
     "node_modules/follow-redirects": {
-      "version": "1.15.11",
-      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz",
-      "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==",
+      "version": "1.16.0",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz",
+      "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==",
       "funding": [
         {
           "type": "individual",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "confluence-cli",
-  "version": "1.29.1",
+  "version": "1.30.1",
   "description": "A command-line interface for Atlassian Confluence with page creation and editing capabilities",
   "main": "index.js",
   "bin": {