confluence-cli 1.30.2 → 1.31.1

package/README.md

@@ -149,6 +149,21 @@ confluence --profile corp init \
   --tls-ca-cert "~/.certs/ca-chain.pem"
 ```
 
+**Cookie authentication profile** (Enterprise SSO):
+```bash
+confluence --profile sso init \
+  --domain "confluence.company.com" \
+  --api-path "/rest/api" \
+  --auth-type "cookie" \
+  --cookie "JSESSIONID=abc123xyz..."
+
+# Multiple cookies are also supported:
+confluence --profile sso init \
+  --domain "confluence.company.com" \
+  --auth-type "cookie" \
+  --cookie "JSESSIONID=abc123; XSRF-TOKEN=xyz789"
+```
+
 **Hybrid mode** (some fields provided, rest via prompts):
 ```bash
 # Domain and token provided, will prompt for auth method and email
@@ -161,9 +176,10 @@ confluence init --email "user@example.com" --token "your-api-token"
 **Available flags:**
 - `-d, --domain <domain>` - Confluence domain (e.g., `company.atlassian.net`)
 - `-p, --api-path <path>` - REST API path (e.g., `/wiki/rest/api`)
-- `-a, --auth-type <type>` - Authentication type: `basic`, `bearer`, or `mtls`
+- `-a, --auth-type <type>` - Authentication type: `basic`, `bearer`, `mtls`, or `cookie`
 - `-e, --email <email>` - Email or username for basic authentication
 - `-t, --token <token>` - API token or password
+- `-c, --cookie <cookie>` - Cookie for Enterprise SSO authentication (e.g., `"JSESSIONID=..."`)
 - `--tls-client-cert <path>` - Client certificate for mTLS authentication
 - `--tls-client-key <path>` - Client private key for mTLS authentication
 - `--tls-ca-cert <path>` - Optional CA certificate chain for mTLS authentication
@@ -193,6 +209,14 @@ export CONFLUENCE_TLS_CLIENT_KEY="~/.certs/client.key"
 export CONFLUENCE_TLS_CA_CERT="~/.certs/ca-chain.pem"  # optional
 ```
 
+**Cookie environment variables** (Enterprise SSO):
+```bash
+export CONFLUENCE_DOMAIN="confluence.company.com"
+export CONFLUENCE_API_PATH="/rest/api"
+export CONFLUENCE_AUTH_TYPE="cookie"
+export CONFLUENCE_COOKIE="JSESSIONID=abc123xyz..."
+```
+
 **Scoped API token** (recommended for agents):
 ```bash
 export CONFLUENCE_DOMAIN="api.atlassian.com"
@@ -271,6 +295,8 @@ For **read-only** usage, select at minimum: `read:confluence-content.all`, `read
 
 **mTLS-protected Confluence APIs:** Some self-hosted or reverse-proxied deployments authenticate at the TLS layer with a client certificate instead of sending an application-level token. In these environments, configure `authType=mtls` and provide certificate paths via CLI flags or environment variables. No `Authorization` header will be sent in mTLS mode.
 
+**Enterprise SSO with Cookie Authentication:** For Confluence instances behind Enterprise SSO (SAML, OAuth, Okta, etc.) where API tokens or Basic/Bearer auth are not available, you can authenticate using session cookies. After logging in through your browser, extract the session cookie (typically `JSESSIONID` or similar) from your browser's dev tools and configure it via the `--cookie` flag or `CONFLUENCE_COOKIE` environment variable. The cookie is sent in the `Cookie` header instead of an `Authorization` header. Note that session cookies typically expire, so you'll need to refresh them periodically. For security, prefer `CONFLUENCE_COOKIE` env var or interactive prompt over `--cookie` flag since command-line arguments may be visible in shell history and process listings.
+
 ## Usage
 
 ### Read a Page

package/bin/confluence.js

@@ -46,9 +46,10 @@ program
   .option('-d, --domain <domain>', 'Confluence domain')
   .option('--protocol <protocol>', 'Protocol (http or https)')
   .option('-p, --api-path <path>', 'REST API path')
-  .option('-a, --auth-type <type>', 'Authentication type (basic, bearer, or mtls)')
+  .option('-a, --auth-type <type>', 'Authentication type (basic, bearer, mtls, or cookie)')
   .option('-e, --email <email>', 'Email or username for basic auth')
   .option('-t, --token <token>', 'API token')
+  .option('-c, --cookie <cookie>', 'Cookie for Enterprise SSO authentication (e.g., "JSESSIONID=...")')
   .option('--tls-ca-cert <path>', 'CA certificate for mTLS connections')
   .option('--tls-client-cert <path>', 'Client certificate for mTLS connections')
   .option('--tls-client-key <path>', 'Client private key for mTLS connections')
@@ -551,8 +552,9 @@ program
         fs.mkdirSync(destDir, { recursive: true });
 
         const uniquePathFor = (dir, filename) => {
-          const parsed = path.parse(filename);
-          let attempt = path.join(dir, filename);
+          const safeFilename = sanitizeFilename(filename);
+          const parsed = path.parse(safeFilename);
+          let attempt = path.join(dir, safeFilename);
           let counter = 1;
           while (fs.existsSync(attempt)) {
             const suffix = ` (${counter})`;
@@ -1334,9 +1336,24 @@ function isExportDirectory(fs, path, dir) {
   return fs.existsSync(path.join(dir, EXPORT_MARKER));
 }
 
+function sanitizeFilename(filename) {
+  if (!filename || typeof filename !== 'string') {
+    return 'unnamed';
+  }
+  const path = require('path');
+  const stripped = path.basename(filename.replace(/\\/g, '/'));
+  const cleaned = stripped
+    // eslint-disable-next-line no-control-regex
+    .replace(/[\\/:*?"<>|\x00-\x1f]/g, '_')
+    .replace(/^\.+/, '')
+    .trim();
+  return cleaned || 'unnamed';
+}
+
 function uniquePathFor(fs, path, dir, filename) {
-  const parsed = path.parse(filename);
-  let attempt = path.join(dir, filename);
+  const safeFilename = sanitizeFilename(filename);
+  const parsed = path.parse(safeFilename);
+  let attempt = path.join(dir, safeFilename);
   let counter = 1;
   while (fs.existsSync(attempt)) {
     const suffix = ` (${counter})`;
@@ -1536,7 +1553,11 @@ function sanitizeTitle(value) {
   if (!value || typeof value !== 'string') {
     return fallback;
   }
-  const cleaned = value.replace(/[\\/:*?"<>|]/g, ' ').trim();
+  const cleaned = value
+    // eslint-disable-next-line no-control-regex
+    .replace(/[\\/:*?"<>|\x00-\x1f]/g, ' ')
+    .replace(/^\.+/, '')
+    .trim();
   return cleaned || fallback;
 }
 
@@ -1896,9 +1917,10 @@ profileCmd
   .option('-d, --domain <domain>', 'Confluence domain')
   .option('--protocol <protocol>', 'Protocol (http or https)')
   .option('-p, --api-path <path>', 'REST API path')
-  .option('-a, --auth-type <type>', 'Authentication type (basic, bearer, or mtls)')
+  .option('-a, --auth-type <type>', 'Authentication type (basic, bearer, mtls, or cookie)')
   .option('-e, --email <email>', 'Email or username for basic auth')
   .option('-t, --token <token>', 'API token')
+  .option('-c, --cookie <cookie>', 'Cookie for Enterprise SSO authentication (e.g., "JSESSIONID=...")')
   .option('--tls-ca-cert <path>', 'CA certificate for mTLS connections')
   .option('--tls-client-cert <path>', 'Client certificate for mTLS connections')
   .option('--tls-client-key <path>', 'Client private key for mTLS connections')
@@ -2029,6 +2051,7 @@ module.exports = {
     uniquePathFor,
     exportRecursive,
     sanitizeTitle,
+    sanitizeFilename,
     assertWritable,
     assertNonEmpty,
     handleCommandError,

package/lib/config.js

@@ -11,9 +11,12 @@ const DEFAULT_PROFILE = 'default';
 const AUTH_CHOICES = [
   { name: 'Basic (credentials)', value: 'basic' },
   { name: 'Bearer token', value: 'bearer' },
-  { name: 'Client certificate (mTLS)', value: 'mtls' }
+  { name: 'Client certificate (mTLS)', value: 'mtls' },
+  { name: 'Cookie (Enterprise SSO)', value: 'cookie' }
 ];
 
+const AUTH_TYPES = ['basic', 'bearer', 'mtls', 'cookie'];
+
 const isValidProfileName = (name) => /^[a-zA-Z0-9_-]+$/.test(name);
 
 const requiredInput = (label) => (input) => {
@@ -38,7 +41,7 @@ const normalizeProtocol = (rawValue) => {
 
 const normalizeAuthType = (rawValue, hasEmail) => {
   const normalized = (rawValue || '').trim().toLowerCase();
-  if (normalized === 'basic' || normalized === 'bearer' || normalized === 'mtls') {
+  if (AUTH_TYPES.includes(normalized)) {
     return normalized;
   }
   return hasEmail ? 'basic' : 'bearer';
@@ -109,7 +112,11 @@ const validateAuthConfig = (auth, mtlsSourceLabel) => {
     errors.push('Basic authentication requires an email address or username.');
   }
 
-  if (auth.authType !== 'mtls' && !auth.token) {
+  if (auth.authType === 'cookie' && !auth.cookie) {
+    errors.push('Cookie authentication requires a cookie value.');
+  }
+
+  if (auth.authType !== 'mtls' && auth.authType !== 'cookie' && !auth.token) {
     errors.push('Bearer or basic authentication requires a token.');
   }
 
@@ -201,6 +208,9 @@ function readConfigFile() {
       if (raw.email) {
         profile.email = raw.email;
       }
+      if (raw.cookie) {
+        profile.cookie = raw.cookie;
+      }
       return {
         activeProfile: DEFAULT_PROFILE,
         profiles: { [DEFAULT_PROFILE]: profile }
@@ -257,8 +267,8 @@ const validateCliOptions = (options) => {
     errors.push('--protocol must be "http" or "https"');
   }
 
-  if (options.authType && !['basic', 'bearer', 'mtls'].includes(options.authType.toLowerCase())) {
-    errors.push('--auth-type must be "basic", "bearer", or "mtls"');
+  if (options.authType && !AUTH_TYPES.includes(options.authType.toLowerCase())) {
+    errors.push('--auth-type must be "basic", "bearer", "mtls", or "cookie"');
   }
 
   // Check if basic auth is provided with email
@@ -277,6 +287,10 @@ const validateCliOptions = (options) => {
     }
   }
 
+  if (normAuthType === 'cookie' && options.cookie !== undefined && !options.cookie.trim()) {
+    errors.push('--cookie cannot be empty when using cookie authentication');
+  }
+
   return errors;
 };
 
@@ -297,6 +311,10 @@ const saveConfig = (configData, profileName) => {
     config.email = configData.email.trim();
   }
 
+  if (configData.authType === 'cookie' && configData.cookie) {
+    config.cookie = configData.cookie.trim();
+  }
+
   const mtls = normalizeMtlsConfig(configData.mtls);
   if (mtls) {
     config.mtls = mtls;
@@ -412,12 +430,26 @@ const promptForMissingValues = async (providedValues) => {
       message: 'API token / password:',
       when: (responses) => {
         const authType = providedValues.authType || responses.authType;
-        return authType !== 'mtls';
+        return authType !== 'mtls' && authType !== 'cookie';
       },
       validate: requiredInput('API token / password')
     });
   }
 
+  // Cookie question (Enterprise SSO)
+  if (!providedValues.cookie) {
+    questions.push({
+      type: 'password',
+      name: 'cookie',
+      message: 'Cookie (format: "name=value" or "name=value; name2=value2"):',
+      when: (responses) => {
+        const authType = providedValues.authType || responses.authType;
+        return authType === 'cookie';
+      },
+      validate: requiredInput('Cookie')
+    });
+  }
+
   // mTLS certificate path questions
   const mtls = normalizeMtlsConfig(providedValues.mtls);
   const mtlsWhen = (responses) => {
@@ -453,14 +485,18 @@ async function initConfig(cliOptions = {}) {
 
   const readOnly = cliOptions.readOnly || false;
 
-  // Extract provided values from CLI options
+  // Extract provided values from CLI options.
+  // Normalize authType up front so downstream case-insensitive checks
+  // (hasRequiredValues, prompt `when` predicates) work for values like
+  // `--auth-type COOKIE` or `--auth-type MTLS`.
   const providedValues = {
     protocol: cliOptions.protocol,
     domain: cliOptions.domain,
     apiPath: cliOptions.apiPath,
-    authType: cliOptions.authType,
+    authType: cliOptions.authType ? cliOptions.authType.trim().toLowerCase() : undefined,
     email: cliOptions.email,
     token: cliOptions.token,
+    cookie: cliOptions.cookie,
     mtls: cliOptions.mtls || {
       caCert: cliOptions.tlsCaCert,
       clientCert: cliOptions.tlsClientCert,
@@ -532,9 +568,16 @@ async function initConfig(cliOptions = {}) {
         type: 'password',
         name: 'token',
         message: 'API token / password:',
-        when: (responses) => responses.authType !== 'mtls',
+        when: (responses) => responses.authType !== 'mtls' && responses.authType !== 'cookie',
         validate: requiredInput('API token / password')
       },
+      {
+        type: 'password',
+        name: 'cookie',
+        message: 'Cookie (format: "name=value" or "name=value; name2=value2"):',
+        when: (responses) => responses.authType === 'cookie',
+        validate: requiredInput('Cookie')
+      },
       mtlsCertQuestion('tlsClientCert', 'Path to client certificate file (PEM):', true),
       mtlsCertQuestion('tlsClientKey', 'Path to client key file (PEM):', true),
       mtlsCertQuestion('tlsCaCert', 'Path to CA certificate file (PEM, optional):', false)
@@ -565,11 +608,15 @@ async function initConfig(cliOptions = {}) {
   }
 
   // Check if all required values are provided for non-interactive mode
-  // Non-interactive requires: domain, token, and either authType or email (for inference)
+  // Non-interactive requires: domain, and one of:
+  //   - authType === 'mtls' (certs via flags/env)
+  //   - authType === 'cookie' + cookie
+  //   - token + (authType or email) for basic/bearer
   const hasRequiredValues = Boolean(
     providedValues.domain &&
     (
       providedValues.authType === 'mtls'
+      || (providedValues.authType === 'cookie' && providedValues.cookie)
       || (
         providedValues.token &&
         (providedValues.authType || providedValues.email)
@@ -595,11 +642,16 @@ async function initConfig(cliOptions = {}) {
         process.exit(1);
       }
 
-      if (normalizedAuthType !== 'mtls' && !providedValues.token) {
+      if (normalizedAuthType !== 'mtls' && normalizedAuthType !== 'cookie' && !providedValues.token) {
         console.error(chalk.red('❌ Token is required for basic or bearer authentication'));
         process.exit(1);
       }
 
+      if (normalizedAuthType === 'cookie' && !providedValues.cookie) {
+        console.error(chalk.red('❌ Cookie is required for cookie authentication'));
+        process.exit(1);
+      }
+
       // Verify API path format if provided
       if (providedValues.apiPath) {
         normalizeApiPath(providedValues.apiPath, normalizedDomain);
@@ -612,6 +664,7 @@ async function initConfig(cliOptions = {}) {
         token: providedValues.token,
         authType: normalizedAuthType,
         email: providedValues.email,
+        cookie: providedValues.cookie,
         mtls: providedValues.mtls,
         readOnly
       };
@@ -657,19 +710,30 @@ function getConfig(profileName) {
   const envDomain = process.env.CONFLUENCE_DOMAIN || process.env.CONFLUENCE_HOST;
   const envToken = process.env.CONFLUENCE_API_TOKEN || process.env.CONFLUENCE_PASSWORD;
   const envEmail = process.env.CONFLUENCE_EMAIL || process.env.CONFLUENCE_USERNAME;
-  const envAuthType = process.env.CONFLUENCE_AUTH_TYPE;
+  // Normalize up front so env gating and inferredAuthType are case-insensitive
+  // for values like CONFLUENCE_AUTH_TYPE=COOKIE / MTLS.
+  const envAuthType = process.env.CONFLUENCE_AUTH_TYPE
+    ? process.env.CONFLUENCE_AUTH_TYPE.trim().toLowerCase()
+    : undefined;
   const envApiPath = process.env.CONFLUENCE_API_PATH;
   const envProtocol = process.env.CONFLUENCE_PROTOCOL;
   const envReadOnly = process.env.CONFLUENCE_READ_ONLY;
   const envForceCloud = process.env.CONFLUENCE_FORCE_CLOUD;
+  const envCookie = process.env.CONFLUENCE_COOKIE;
   const envMtls = normalizeMtlsConfig({
     caCert: process.env.CONFLUENCE_TLS_CA_CERT,
     clientCert: process.env.CONFLUENCE_TLS_CLIENT_CERT,
     clientKey: process.env.CONFLUENCE_TLS_CLIENT_KEY,
   });
 
-  if (envDomain && (envToken || envAuthType === 'mtls' || envMtls)) {
-    const inferredAuthType = envAuthType || (envMtls && !envToken ? 'mtls' : undefined);
+  const hasEnvAuth = envToken
+    || envAuthType === 'mtls' || envMtls
+    || envAuthType === 'cookie' || envCookie;
+
+  if (envDomain && hasEnvAuth) {
+    const inferredAuthType = envAuthType
+      || (envMtls && !envToken ? 'mtls' : undefined)
+      || (envCookie && !envToken ? 'cookie' : undefined);
     const authType = normalizeAuthType(inferredAuthType, Boolean(envEmail));
     let apiPath;
 
@@ -681,7 +745,7 @@ function getConfig(profileName) {
     }
 
     const authErrors = validateAuthConfig(
-      { authType, token: envToken, email: envEmail, mtls: envMtls, protocol: envProtocol },
+      { authType, token: envToken, email: envEmail, cookie: envCookie, mtls: envMtls, protocol: envProtocol },
       'CONFLUENCE_AUTH_TYPE=mtls'
     );
     if (authErrors.length > 0) {
@@ -692,6 +756,9 @@ function getConfig(profileName) {
       if (authType === 'mtls' && !envMtls) {
         console.log(chalk.yellow('Set CONFLUENCE_TLS_CLIENT_CERT and CONFLUENCE_TLS_CLIENT_KEY. Optionally set CONFLUENCE_TLS_CA_CERT.'));
       }
+      if (authType === 'cookie' && !envCookie) {
+        console.log(chalk.yellow('Set CONFLUENCE_COOKIE with your session cookie (e.g., "JSESSIONID=...").'));
+      }
       process.exit(1);
     }
 
@@ -701,6 +768,7 @@ function getConfig(profileName) {
       apiPath,
       token: envToken ? envToken.trim() : undefined,
       email: envEmail ? envEmail.trim() : undefined,
+      cookie: envCookie ? envCookie.trim() : undefined,
       authType,
       mtls: envMtls,
       readOnly: envReadOnly === 'true',
@@ -739,6 +807,7 @@ function getConfig(profileName) {
     const trimmedDomain = (storedConfig.domain || '').trim();
     const trimmedToken = trimOptional(storedConfig.token);
     const trimmedEmail = storedConfig.email ? storedConfig.email.trim() : undefined;
+    const trimmedCookie = trimOptional(storedConfig.cookie);
     const authType = normalizeAuthType(storedConfig.authType, Boolean(trimmedEmail));
     const mtls = normalizeMtlsConfig(storedConfig.mtls);
     let apiPath;
@@ -750,7 +819,7 @@ function getConfig(profileName) {
     }
 
     const authErrors = validateAuthConfig(
-      { authType, token: trimmedToken, email: trimmedEmail, mtls, protocol: storedConfig.protocol },
+      { authType, token: trimmedToken, email: trimmedEmail, cookie: trimmedCookie, mtls, protocol: storedConfig.protocol },
       'mTLS authentication'
     );
     if (authErrors.length > 0) {
@@ -781,6 +850,7 @@ function getConfig(profileName) {
       apiPath,
       token: trimmedToken,
       email: trimmedEmail,
+      cookie: trimmedCookie,
       authType,
       mtls,
       readOnly,

package/lib/confluence-client.js

@@ -27,6 +27,28 @@ const NAMED_ENTITIES = {
   Eth: 'Ð', Thorn: 'Þ'
 };
 
+function createSemaphore(limit) {
+  let active = 0;
+  const waiters = [];
+  return {
+    async acquire() {
+      if (active < limit) {
+        active++;
+        return;
+      }
+      await new Promise(resolve => waiters.push(resolve));
+    },
+    release() {
+      if (waiters.length > 0) {
+        const next = waiters.shift();
+        next();
+      } else {
+        active--;
+      }
+    }
+  };
+}
+
 class ConfluenceClient {
   constructor(config) {
     this.domain = config.domain;
@@ -34,6 +56,7 @@ class ConfluenceClient {
     this.protocol = (rawProtocol === 'http' || rawProtocol === 'https') ? rawProtocol : 'https';
     this.token = config.token;
     this.email = config.email;
+    this.cookie = config.cookie;
     this.authType = (config.authType || (this.email ? 'basic' : 'bearer')).toLowerCase();
     this.forceCloud = !!config.forceCloud;
     this.mtls = config.mtls;
@@ -44,12 +67,9 @@ class ConfluenceClient {
     this.setupConfluenceMarkdownExtensions();
 
     const headers = {
-      'Content-Type': 'application/json'
+      'Content-Type': 'application/json',
+      ...this.buildAuthHeaders()
     };
-    const authHeader = this.buildAuthHeader();
-    if (authHeader) {
-      headers.Authorization = authHeader;
-    }
 
     const clientOptions = {
       baseURL: this.baseURL,
@@ -88,6 +108,11 @@ class ConfluenceClient {
             hints.push(
               'Please verify your client certificate, client key, and CA certificate are correct and trusted by the server.'
             );
+          } else if (this.authType === 'cookie') {
+            hints.push(
+              'Please verify your cookie is valid and not expired.',
+              'You may need to re-authenticate through your Enterprise SSO to get a fresh cookie.'
+            );
           } else {
             hints.push(
               'Please verify your personal access token is valid and not expired.'
@@ -132,7 +157,7 @@ class ConfluenceClient {
   }
 
   buildAuthHeader() {
-    if (this.authType === 'mtls') {
+    if (this.authType === 'mtls' || this.authType === 'cookie') {
       return null;
     }
 
@@ -143,6 +168,18 @@ class ConfluenceClient {
     return this.authType === 'basic' ? this.buildBasicAuthHeader() : `Bearer ${this.token}`;
   }
 
+  buildAuthHeaders() {
+    const headers = {};
+    const authHeader = this.buildAuthHeader();
+    if (authHeader) {
+      headers.Authorization = authHeader;
+    }
+    if (this.authType === 'cookie' && this.cookie) {
+      headers.Cookie = this.cookie;
+    }
+    return headers;
+  }
+
   buildHttpsAgent() {
     if (this.protocol !== 'https' || !this.mtls) {
       return null;
@@ -381,11 +418,26 @@ class ConfluenceClient {
     };
   }
 
+  /**
+   * Escape a string for safe use inside a CQL double-quoted literal.
+   * Only escapes characters that can break out of the literal: backslash and
+   * double quote. Wildcards (*, ?) and fuzzy (~) are left as-is so existing
+   * search semantics are preserved.
+   */
+  escapeCql(str) {
+    if (typeof str !== 'string') {
+      return '';
+    }
+    return str
+      .replace(/\\/g, '\\\\')
+      .replace(/"/g, '\\"');
+  }
+
   /**
    * Search for pages
    */
   async search(query, limit = 10, rawCql = false) {
-    const cql = rawCql ? query : `text ~ "${String(query).replace(/"/g, '\\"')}"`;
+    const cql = rawCql ? query : `text ~ "${this.escapeCql(query)}"`;
     const response = await this.client.get('/search', {
       params: {
         cql,
@@ -966,12 +1018,15 @@ class ConfluenceClient {
     }
 
     // Download directly using axios with the same auth headers
-    const downloadResponse = await axios.get(downloadUrl, {
+    const downloadRequestConfig = {
       responseType: options.responseType || 'stream',
-      headers: {
-        'Authorization': this.authType === 'basic' ? this.buildBasicAuthHeader() : `Bearer ${this.token}`
-      }
-    });
+      headers: this.buildAuthHeaders()
+    };
+    const httpsAgent = this.buildHttpsAgent();
+    if (httpsAgent) {
+      downloadRequestConfig.httpsAgent = httpsAgent;
+    }
+    const downloadResponse = await axios.get(downloadUrl, downloadRequestConfig);
     return downloadResponse.data;
   }
 
@@ -1872,9 +1927,9 @@ class ConfluenceClient {
    * Search for a page by title and space
    */
   async findPageByTitle(title, spaceKey = null) {
-    let cql = `title = "${title}"`;
+    let cql = `title = "${this.escapeCql(title)}"`;
     if (spaceKey) {
-      cql += ` AND space = "${spaceKey}"`;
+      cql += ` AND space = "${this.escapeCql(spaceKey)}"`;
     }
 
     const response = await this.client.get('/search', {
@@ -1926,25 +1981,33 @@ class ConfluenceClient {
    * Get all descendant pages recursively
    */
   async getAllDescendantPages(pageId, maxDepth = 10, currentDepth = 0) {
+    const semaphore = createSemaphore(10);
+    return this._collectDescendants(pageId, maxDepth, currentDepth, semaphore);
+  }
+
+  async _collectDescendants(pageId, maxDepth, currentDepth, semaphore) {
     if (currentDepth >= maxDepth) {
       return [];
     }
 
-    const children = await this.getChildPages(pageId);
+    await semaphore.acquire();
+    let children;
+    try {
+      children = await this.getChildPages(pageId);
+    } finally {
+      semaphore.release();
+    }
+
     // Attach parentId so we can later reconstruct hierarchy if needed
     const childrenWithParent = children.map(child => ({ ...child, parentId: pageId }));
-    let allDescendants = [...childrenWithParent];
 
-    for (const child of children) {
-      const grandChildren = await this.getAllDescendantPages(
-        child.id, 
-        maxDepth, 
-        currentDepth + 1
-      );
-      allDescendants = allDescendants.concat(grandChildren);
-    }
+    const grandChildrenLists = await Promise.all(
+      children.map(child =>
+        this._collectDescendants(child.id, maxDepth, currentDepth + 1, semaphore)
+      )
+    );
 
-    return allDescendants;
+    return childrenWithParent.concat(...grandChildrenLists);
   }
 
   /**
@@ -2178,7 +2241,10 @@ class ConfluenceClient {
       return pathOrUrl;
     }
 
-    return this.buildUrl(pathOrUrl);
+    const pathWithPrefix = this.webUrlPrefix && !pathOrUrl.startsWith(this.webUrlPrefix)
+      ? `${this.webUrlPrefix}${pathOrUrl}`
+      : pathOrUrl;
+    return this.buildUrl(pathWithPrefix);
   }
 
   parseNextStart(nextLink) {

package/npm-shrinkwrap.json

@@ -1,12 +1,12 @@
 {
   "name": "confluence-cli",
-  "version": "1.30.2",
+  "version": "1.31.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "confluence-cli",
-      "version": "1.30.2",
+      "version": "1.31.1",
       "license": "MIT",
       "dependencies": {
         "axios": "^1.15.0",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "confluence-cli",
-  "version": "1.30.2",
+  "version": "1.31.1",
   "description": "A command-line interface for Atlassian Confluence with page creation and editing capabilities",
   "main": "index.js",
   "bin": {