twentythree-cli 1.0.0

package/dist/commands/presentation/setting/update.cjs

@@ -0,0 +1,67 @@
+const require_runtime = require("../../../_virtual/_rolldown/runtime.cjs");
+const require_lib_term_map = require("../../../lib/term-map.cjs");
+const require_lib_base_command = require("../../../lib/base-command.cjs");
+const require_lib_output = require("../../../lib/output.cjs");
+let _oclif_core = require("@oclif/core");
+let chalk = require("chalk");
+chalk = require_runtime.__toESM(chalk);
+//#region src/commands/presentation/setting/update.ts
+/**
+* Presentation setting update command — updates workspace presentation settings (PRS-02).
+*
+* Accepts repeatable --set key=value pairs and POSTs them to /presentation/setting/update.
+* Pattern D variant: freeform key-value body building (Pitfall 4 / T-08-17 accept).
+*
+* Threat mitigations:
+*   T-08-16: extends AuthenticatedCommand — anonymous mode rejected
+*   T-08-17: --set key=value pairs sent to API as-is; server validates valid setting keys (accepted)
+*/
+var PresentationSettingUpdate = class PresentationSettingUpdate extends require_lib_base_command.AuthenticatedCommand {
+	static description = "Update workspace presentation settings";
+	static examples = [
+		"<%= config.bin %> presentation setting update --set site_name=\"My Site\"",
+		"<%= config.bin %> presentation setting update --set site_name=\"My Site\" --set logo_url=\"https://example.com/logo.png\"",
+		"<%= config.bin %> presentation setting update --set site_name=\"My Site\" --json"
+	];
+	static enableJsonFlag = true;
+	static flags = {
+		...require_lib_base_command.AuthenticatedCommand.baseFlags,
+		set: _oclif_core.Flags.string({
+			description: "Setting key=value pair (repeatable)",
+			multiple: true,
+			required: false
+		})
+	};
+	static args = {};
+	static agentMetadata = {
+		api_endpoint: "POST /presentation/setting/update",
+		auth_scope: "write",
+		output_shape: { type: "key-value" },
+		side_effects: "updates"
+	};
+	async run() {
+		const { flags } = await this.parse(PresentationSettingUpdate);
+		this.printWorkspaceHeader();
+		if (!flags.set || flags.set.length === 0) this.error("Provide at least one --set key=value pair", { exit: 1 });
+		const body = {};
+		for (const pair of flags.set) {
+			const idx = pair.indexOf("=");
+			if (idx < 1) this.error(`Invalid --set value: "${pair}" (expected key=value)`, { exit: 1 });
+			body[pair.slice(0, idx)] = pair.slice(idx + 1);
+		}
+		const { data: updateData, error: updateError } = await this.apiClient.POST("/presentation/setting/update", {
+			body,
+			headers: { "Content-Type": "application/x-www-form-urlencoded" }
+		});
+		if (updateError) this.error(require_lib_term_map.applyCliTerms(formatApiError(updateError)), { exit: 1 });
+		this.log(chalk.default.green("Presentation settings updated"));
+		if (this.jsonEnabled()) return require_lib_output.formatJsonOutput({
+			ok: true,
+			data: updateData,
+			summary: "Presentation settings updated",
+			breadcrumbs: [{ domain: this.activeWorkspace.domain }, { resource: "presentation" }]
+		});
+	}
+};
+//#endregion
+module.exports = PresentationSettingUpdate;

package/dist/commands/protection/protect.cjs

@@ -0,0 +1,68 @@
+const require_runtime = require("../../_virtual/_rolldown/runtime.cjs");
+const require_lib_term_map = require("../../lib/term-map.cjs");
+const require_lib_base_command = require("../../lib/base-command.cjs");
+const require_lib_output = require("../../lib/output.cjs");
+let _oclif_core = require("@oclif/core");
+let chalk = require("chalk");
+chalk = require_runtime.__toESM(chalk);
+//#region src/commands/protection/protect.ts
+/**
+* Protection protect command — applies content protection (PRT-01).
+*
+* Pattern B variant: POST action with required protection method.
+*
+* Threat mitigations:
+*   T-08-16: extends AuthenticatedCommand — anonymous mode rejected
+*/
+var ProtectionProtect = class ProtectionProtect extends require_lib_base_command.AuthenticatedCommand {
+	static description = "Apply protection to content";
+	static examples = [
+		"<%= config.bin %> protection protect --protection-method password",
+		"<%= config.bin %> protection protect --protection-method sso --object-id 12345",
+		"<%= config.bin %> protection protect --protection-method token --grace-minutes 30 --json"
+	];
+	static enableJsonFlag = true;
+	static flags = {
+		...require_lib_base_command.AuthenticatedCommand.baseFlags,
+		"protection-method": _oclif_core.Flags.string({
+			description: "Protection method (e.g. password, sso, token)",
+			required: true
+		}),
+		"object-id": _oclif_core.Flags.string({
+			description: "Object ID to protect",
+			required: false
+		}),
+		"grace-minutes": _oclif_core.Flags.integer({
+			description: "Grace period in minutes before protection activates",
+			required: false
+		})
+	};
+	static args = {};
+	static agentMetadata = {
+		api_endpoint: "POST /protection/protect",
+		auth_scope: "write",
+		output_shape: { type: "key-value" },
+		side_effects: "creates"
+	};
+	async run() {
+		const { flags } = await this.parse(ProtectionProtect);
+		this.printWorkspaceHeader();
+		const body = { protection_method: flags["protection-method"] };
+		if (flags["object-id"] !== void 0) body.object_id = flags["object-id"];
+		if (flags["grace-minutes"] !== void 0) body.grace_minutes = flags["grace-minutes"];
+		const { data: protectData, error: protectError } = await this.apiClient.POST("/protection/protect", {
+			body,
+			headers: { "Content-Type": "application/x-www-form-urlencoded" }
+		});
+		if (protectError) this.error(require_lib_term_map.applyCliTerms(formatApiError(protectError)), { exit: 1 });
+		this.log(chalk.default.green("Protection applied"));
+		if (this.jsonEnabled()) return require_lib_output.formatJsonOutput({
+			ok: true,
+			data: protectData,
+			summary: "Protection applied",
+			breadcrumbs: [{ domain: this.activeWorkspace.domain }, { resource: "protection" }]
+		});
+	}
+};
+//#endregion
+module.exports = ProtectionProtect;

package/dist/commands/protection/unprotect.cjs

@@ -0,0 +1,65 @@
+const require_runtime = require("../../_virtual/_rolldown/runtime.cjs");
+const require_lib_term_map = require("../../lib/term-map.cjs");
+const require_lib_base_command = require("../../lib/base-command.cjs");
+const require_lib_output = require("../../lib/output.cjs");
+let _oclif_core = require("@oclif/core");
+let chalk = require("chalk");
+chalk = require_runtime.__toESM(chalk);
+let _clack_prompts = require("@clack/prompts");
+//#region src/commands/protection/unprotect.ts
+/**
+* Protection unprotect command — removes content protection after confirmation (PRT-02).
+*
+* Pattern C: POST destructive with confirmation prompt.
+*
+* Threat mitigations:
+*   T-08-14: confirm() prompt includes workspace domain before removing access control
+*   T-08-16: extends AuthenticatedCommand — anonymous mode rejected
+*/
+var ProtectionUnprotect = class ProtectionUnprotect extends require_lib_base_command.AuthenticatedCommand {
+	static description = "Remove protection from content";
+	static examples = [
+		"<%= config.bin %> protection unprotect",
+		"<%= config.bin %> protection unprotect --object-id 12345",
+		"<%= config.bin %> protection unprotect --object-id 12345 --json"
+	];
+	static enableJsonFlag = true;
+	static flags = {
+		...require_lib_base_command.AuthenticatedCommand.baseFlags,
+		"object-id": _oclif_core.Flags.string({
+			description: "Object ID to remove protection from",
+			required: false
+		})
+	};
+	static args = {};
+	static agentMetadata = {
+		api_endpoint: "POST /protection/unprotect",
+		auth_scope: "write",
+		output_shape: { type: "key-value" },
+		side_effects: "destructive"
+	};
+	async run() {
+		const { flags } = await this.parse(ProtectionUnprotect);
+		this.printWorkspaceHeader();
+		if (!this.jsonEnabled()) {
+			const confirmed = await (0, _clack_prompts.confirm)({ message: `Remove protection${flags["object-id"] ? ` from object ${flags["object-id"]}` : ""} on ${this.activeWorkspace.domain}? This will expose the content.` });
+			if ((0, _clack_prompts.isCancel)(confirmed) || !confirmed) process.exit(2);
+		}
+		const body = {};
+		if (flags["object-id"] !== void 0) body.object_id = flags["object-id"];
+		const { data: unprotectData, error: unprotectError } = await this.apiClient.POST("/protection/unprotect", {
+			body,
+			headers: { "Content-Type": "application/x-www-form-urlencoded" }
+		});
+		if (unprotectError) this.error(require_lib_term_map.applyCliTerms(formatApiError(unprotectError)), { exit: 1 });
+		this.log(chalk.default.green("Protection removed"));
+		if (this.jsonEnabled()) return require_lib_output.formatJsonOutput({
+			ok: true,
+			data: unprotectData,
+			summary: "Protection removed",
+			breadcrumbs: [{ domain: this.activeWorkspace.domain }, { resource: "protection" }]
+		});
+	}
+};
+//#endregion
+module.exports = ProtectionUnprotect;

package/dist/commands/protection/verify.cjs

@@ -0,0 +1,80 @@
+require("../../_virtual/_rolldown/runtime.cjs");
+const require_lib_term_map = require("../../lib/term-map.cjs");
+const require_lib_base_command = require("../../lib/base-command.cjs");
+const require_lib_output = require("../../lib/output.cjs");
+let _oclif_core = require("@oclif/core");
+//#region src/commands/protection/verify.ts
+/**
+* Protection verify command — verifies access to protected content (PRT-03).
+*
+* Pattern E: GET single object with key-value output.
+*
+* Note: CLI flags use --video-id and --webinar-id but map to photo_id and live_id
+* in the API query (term mapping at the flag level, per terminology conventions).
+*
+* Threat mitigations:
+*   T-08-16: extends AuthenticatedCommand — anonymous mode rejected
+*/
+var ProtectionVerify = class ProtectionVerify extends require_lib_base_command.AuthenticatedCommand {
+	static description = "Verify access to protected content";
+	static examples = [
+		"<%= config.bin %> protection verify --protection-method password",
+		"<%= config.bin %> protection verify --protection-method sso --video-id 12345",
+		"<%= config.bin %> protection verify --protection-method token --verification-data mytoken --json"
+	];
+	static enableJsonFlag = true;
+	static flags = {
+		...require_lib_base_command.AuthenticatedCommand.baseFlags,
+		"protection-method": _oclif_core.Flags.string({
+			description: "Protection method to verify against",
+			required: true
+		}),
+		"video-id": _oclif_core.Flags.string({
+			description: "Video ID to verify access for (maps to photo_id in API)",
+			required: false
+		}),
+		"webinar-id": _oclif_core.Flags.string({
+			description: "Webinar ID to verify access for (maps to live_id in API)",
+			required: false
+		}),
+		"object-id": _oclif_core.Flags.string({
+			description: "Object ID to verify access for",
+			required: false
+		}),
+		"verification-data": _oclif_core.Flags.string({
+			description: "Verification data (e.g. password, token)",
+			required: false
+		})
+	};
+	static args = {};
+	static agentMetadata = {
+		api_endpoint: "GET /protection/verify",
+		auth_scope: "read",
+		output_shape: { type: "key-value" },
+		side_effects: "none"
+	};
+	async run() {
+		const { flags } = await this.parse(ProtectionVerify);
+		this.printWorkspaceHeader();
+		const { data, error } = await this.apiClient.GET("/protection/verify", { params: { query: {
+			protection_method: flags["protection-method"],
+			photo_id: flags["video-id"] ? Number(flags["video-id"]) : void 0,
+			live_id: flags["webinar-id"] ? Number(flags["webinar-id"]) : void 0,
+			object_id: flags["object-id"],
+			verification_data: flags["verification-data"]
+		} } });
+		if (error) this.error(require_lib_term_map.applyCliTerms(formatApiError(error)), { exit: 1 });
+		const resp = data;
+		const obj = resp?.data ?? resp;
+		if (!obj) this.error("No verification result returned", { exit: 1 });
+		if (this.jsonEnabled()) return require_lib_output.formatJsonOutput({
+			ok: true,
+			data: obj,
+			summary: "Protection verification result",
+			breadcrumbs: [{ domain: this.activeWorkspace.domain }, { resource: "protection" }]
+		});
+		for (const [k, v] of Object.entries(obj)) this.log(`${k}: ${require_lib_term_map.applyCliTerms(String(v ?? ""))}`);
+	}
+};
+//#endregion
+module.exports = ProtectionVerify;

package/dist/commands/session/get-token.cjs

@@ -0,0 +1,75 @@
+require("../../_virtual/_rolldown/runtime.cjs");
+const require_lib_term_map = require("../../lib/term-map.cjs");
+const require_lib_base_command = require("../../lib/base-command.cjs");
+const require_lib_output = require("../../lib/output.cjs");
+let _oclif_core = require("@oclif/core");
+//#region src/commands/session/get-token.ts
+/**
+* Session get-token command — obtains a session access token (SES-01).
+*
+* Pattern E: GET single object returning a sensitive token.
+*
+* SECURITY (T-08-15): Token is printed to stdout for CLI use, but the --json summary
+* string NEVER contains the actual token value to prevent token leakage in logs.
+* The data payload carries the token for programmatic access.
+*
+* Note: /session/get-token requires super scope per OpenAPI spec.
+*
+* Threat mitigations:
+*   T-08-15: summary string does not contain the token value
+*   T-08-16: extends AuthenticatedCommand — anonymous mode rejected
+*/
+var SessionGetToken = class SessionGetToken extends require_lib_base_command.AuthenticatedCommand {
+	static description = "Get a session access token";
+	static examples = [
+		"<%= config.bin %> session get-token",
+		"<%= config.bin %> session get-token --return-url https://example.com",
+		"<%= config.bin %> session get-token --email user@example.com --full-name \"Jane Doe\"",
+		"<%= config.bin %> session get-token --json"
+	];
+	static enableJsonFlag = true;
+	static flags = {
+		...require_lib_base_command.AuthenticatedCommand.baseFlags,
+		"return-url": _oclif_core.Flags.string({
+			description: "Return URL after session authentication",
+			required: false
+		}),
+		email: _oclif_core.Flags.string({
+			description: "Email for the session token",
+			required: false
+		}),
+		"full-name": _oclif_core.Flags.string({
+			description: "Full name for the session token",
+			required: false
+		})
+	};
+	static args = {};
+	static agentMetadata = {
+		api_endpoint: "GET /session/get-token",
+		auth_scope: "read",
+		output_shape: { type: "key-value" },
+		side_effects: "none"
+	};
+	async run() {
+		const { flags } = await this.parse(SessionGetToken);
+		this.printWorkspaceHeader();
+		const { data, error } = await this.apiClient.GET("/session/get-token", { params: { query: {
+			return_url: flags["return-url"],
+			email: flags.email,
+			full_name: flags["full-name"]
+		} } });
+		if (error) this.error(require_lib_term_map.applyCliTerms(formatApiError(error)), { exit: 1 });
+		const resp = data;
+		const tokenData = resp?.data ?? resp;
+		const token = (resp?.data ?? resp)?.access_token ?? (resp?.data ?? resp)?.token;
+		if (this.jsonEnabled()) return require_lib_output.formatJsonOutput({
+			ok: true,
+			data: tokenData,
+			summary: "Session token generated",
+			breadcrumbs: [{ domain: this.activeWorkspace.domain }, { resource: "session" }]
+		});
+		this.log(`Session token: ${token ?? "(no token in response)"}`);
+	}
+};
+//#endregion
+module.exports = SessionGetToken;

package/dist/commands/session/redeem-token.cjs

@@ -0,0 +1,56 @@
+const require_runtime = require("../../_virtual/_rolldown/runtime.cjs");
+const require_lib_term_map = require("../../lib/term-map.cjs");
+const require_lib_base_command = require("../../lib/base-command.cjs");
+const require_lib_output = require("../../lib/output.cjs");
+let _oclif_core = require("@oclif/core");
+let chalk = require("chalk");
+chalk = require_runtime.__toESM(chalk);
+//#region src/commands/session/redeem-token.ts
+/**
+* Session redeem-token command — redeems a session token (SES-02).
+*
+* Pattern K: simple POST action with key-value output for result data.
+*
+* Threat mitigations:
+*   T-08-16: extends AuthenticatedCommand — anonymous mode rejected
+*/
+var SessionRedeemToken = class SessionRedeemToken extends require_lib_base_command.AuthenticatedCommand {
+	static description = "Redeem a session token";
+	static examples = ["<%= config.bin %> session redeem-token --session-token <token>", "<%= config.bin %> session redeem-token --session-token <token> --json"];
+	static enableJsonFlag = true;
+	static flags = {
+		...require_lib_base_command.AuthenticatedCommand.baseFlags,
+		"session-token": _oclif_core.Flags.string({
+			description: "Session token to redeem",
+			required: true
+		})
+	};
+	static args = {};
+	static agentMetadata = {
+		api_endpoint: "POST /session/redeem-token",
+		auth_scope: "read",
+		output_shape: { type: "key-value" },
+		side_effects: "updates"
+	};
+	async run() {
+		const { flags } = await this.parse(SessionRedeemToken);
+		this.printWorkspaceHeader();
+		const { data: redeemData, error: redeemError } = await this.apiClient.POST("/session/redeem-token", {
+			body: { session_token: flags["session-token"] },
+			headers: { "Content-Type": "application/x-www-form-urlencoded" }
+		});
+		if (redeemError) this.error(require_lib_term_map.applyCliTerms(formatApiError(redeemError)), { exit: 1 });
+		this.log(chalk.default.green("Session token redeemed"));
+		const resp = redeemData;
+		const obj = resp?.data ?? resp;
+		if (this.jsonEnabled()) return require_lib_output.formatJsonOutput({
+			ok: true,
+			data: obj,
+			summary: "Session token redeemed",
+			breadcrumbs: [{ domain: this.activeWorkspace.domain }, { resource: "session" }]
+		});
+		if (obj && typeof obj === "object") for (const [k, v] of Object.entries(obj)) this.log(`${k}: ${require_lib_term_map.applyCliTerms(String(v ?? ""))}`);
+	}
+};
+//#endregion
+module.exports = SessionRedeemToken;

package/dist/commands/setting/update.cjs

@@ -0,0 +1,79 @@
+const require_runtime = require("../../_virtual/_rolldown/runtime.cjs");
+const require_lib_term_map = require("../../lib/term-map.cjs");
+const require_lib_base_command = require("../../lib/base-command.cjs");
+const require_lib_output = require("../../lib/output.cjs");
+let _oclif_core = require("@oclif/core");
+let chalk = require("chalk");
+chalk = require_runtime.__toESM(chalk);
+//#region src/commands/setting/update.ts
+/**
+* Setting update command — updates workspace-level settings via freeform key=value pairs.
+*
+* Accepts one or more --set key=value flags. Supports a --validate-only dry-run mode.
+* Top-level `setting` topic (not to be confused with `presentation/setting`).
+*
+* Threat mitigations:
+*   T-08-20: Freeform key-value pairs sent as-is; server validates setting keys
+*   T-08-21: extends AuthenticatedCommand — anonymous mode rejected
+*/
+var SettingUpdate = class SettingUpdate extends require_lib_base_command.AuthenticatedCommand {
+	static description = "Update workspace settings (key=value pairs)";
+	static examples = [
+		"<%= config.bin %> setting update --set site_name=\"My Site\"",
+		"<%= config.bin %> setting update --set theme=dark --set language=en",
+		"<%= config.bin %> setting update --set site_name=\"Test\" --validate-only",
+		"<%= config.bin %> setting update --set timezone=UTC --json"
+	];
+	static enableJsonFlag = true;
+	static flags = {
+		...require_lib_base_command.AuthenticatedCommand.baseFlags,
+		set: _oclif_core.Flags.string({
+			description: "Setting key=value pair (repeatable)",
+			multiple: true,
+			required: false
+		}),
+		"validate-only": _oclif_core.Flags.boolean({
+			description: "Dry-run: validate settings without applying changes",
+			allowNo: false,
+			required: false
+		}),
+		"validate-only-p": _oclif_core.Flags.string({
+			hidden: true,
+			required: false
+		})
+	};
+	static agentMetadata = {
+		api_endpoint: "POST /setting/update",
+		auth_scope: "write",
+		output_shape: { type: "key-value" },
+		side_effects: "updates"
+	};
+	async run() {
+		const { flags } = await this.parse(SettingUpdate);
+		this.printWorkspaceHeader();
+		const setPairs = flags.set ?? [];
+		if (setPairs.length === 0) this.error("At least one --set key=value pair is required", { exit: 1 });
+		const body = {};
+		for (const pair of setPairs) {
+			const idx = pair.indexOf("=");
+			if (idx < 1) this.error(`Invalid --set value: "${pair}" (expected key=value)`, { exit: 1 });
+			body[pair.slice(0, idx)] = pair.slice(idx + 1);
+		}
+		const valOnly = parseBoolParam(flags["validate-only"], flags["validate-only-p"]);
+		if (valOnly) body.validate_only_p = 1;
+		const { data: updateData, error: updateError } = await this.apiClient.POST("/setting/update", {
+			body,
+			headers: { "Content-Type": "application/x-www-form-urlencoded" }
+		});
+		if (updateError) this.error(require_lib_term_map.applyCliTerms(formatApiError(updateError)), { exit: 1 });
+		this.log(chalk.default.green(valOnly ? "Settings validated (dry-run)" : "Settings updated"));
+		if (this.jsonEnabled()) return require_lib_output.formatJsonOutput({
+			ok: true,
+			data: updateData,
+			summary: valOnly ? "Settings validated (dry-run)" : "Settings updated",
+			breadcrumbs: [{ domain: this.activeWorkspace.domain }, { resource: "setting" }]
+		});
+	}
+};
+//#endregion
+module.exports = SettingUpdate;

package/dist/commands/site/get.cjs

@@ -0,0 +1,73 @@
+require("../../_virtual/_rolldown/runtime.cjs");
+const require_lib_term_map = require("../../lib/term-map.cjs");
+const require_lib_base_command = require("../../lib/base-command.cjs");
+const require_lib_output = require("../../lib/output.cjs");
+let _oclif_core = require("@oclif/core");
+//#region src/commands/site/get.ts
+/**
+* Site get command — retrieves workspace-level site settings as key-value pairs.
+*
+* Supports optional inclusion of presentation and quota data via boolean flags.
+* Threat mitigations:
+*   T-08-21: extends AuthenticatedCommand — anonymous mode rejected
+*/
+var SiteGet = class SiteGet extends require_lib_base_command.AuthenticatedCommand {
+	static description = "Get site settings for the active workspace";
+	static examples = [
+		"<%= config.bin %> site get",
+		"<%= config.bin %> site get --include-presentation",
+		"<%= config.bin %> site get --include-quota --json"
+	];
+	static enableJsonFlag = true;
+	static flags = {
+		...require_lib_base_command.AuthenticatedCommand.baseFlags,
+		"include-presentation": _oclif_core.Flags.boolean({
+			description: "Include presentation settings in the response",
+			allowNo: false,
+			required: false
+		}),
+		"include-presentation-p": _oclif_core.Flags.string({
+			hidden: true,
+			required: false
+		}),
+		"include-quota": _oclif_core.Flags.boolean({
+			description: "Include quota information in the response",
+			allowNo: false,
+			required: false
+		}),
+		"include-quota-p": _oclif_core.Flags.string({
+			hidden: true,
+			required: false
+		})
+	};
+	static args = {};
+	static agentMetadata = {
+		api_endpoint: "GET /site/get",
+		auth_scope: "read",
+		output_shape: { type: "key-value" },
+		side_effects: "none"
+	};
+	async run() {
+		const { flags } = await this.parse(SiteGet);
+		this.printWorkspaceHeader();
+		const presVal = parseBoolParam(flags["include-presentation"], flags["include-presentation-p"]);
+		const quotaVal = parseBoolParam(flags["include-quota"], flags["include-quota-p"]);
+		const { data, error } = await this.apiClient.GET("/site/get", { params: { query: {
+			include_presentation_p: presVal,
+			include_quota_p: quotaVal
+		} } });
+		if (error) this.error(require_lib_term_map.applyCliTerms(formatApiError(error)), { exit: 1 });
+		const resp = data;
+		const obj = resp?.data ?? resp;
+		if (!obj) this.error("No data returned", { exit: 1 });
+		if (this.jsonEnabled()) return require_lib_output.formatJsonOutput({
+			ok: true,
+			data: obj,
+			summary: "Site settings",
+			breadcrumbs: [{ domain: this.activeWorkspace.domain }, { resource: "site" }]
+		});
+		for (const [k, v] of Object.entries(obj)) this.log(`${k}: ${require_lib_term_map.applyCliTerms(String(v ?? ""))}`);
+	}
+};
+//#endregion
+module.exports = SiteGet;

package/dist/commands/site/search.cjs

@@ -0,0 +1,93 @@
+const require_runtime = require("../../_virtual/_rolldown/runtime.cjs");
+const require_lib_term_map = require("../../lib/term-map.cjs");
+const require_lib_base_command = require("../../lib/base-command.cjs");
+const require_lib_output = require("../../lib/output.cjs");
+let _oclif_core = require("@oclif/core");
+let chalk = require("chalk");
+chalk = require_runtime.__toESM(chalk);
+//#region src/commands/site/search.ts
+/**
+* Site search command — searches across all content types in the workspace.
+*
+* Returns a table of results with type, title, and ID columns.
+* Object types (photo, album, live) are mapped to modern CLI terms via applyCliTerms.
+* Threat mitigations:
+*   T-08-21: extends AuthenticatedCommand — anonymous mode rejected
+*/
+var SiteSearch = class SiteSearch extends require_lib_base_command.AuthenticatedCommand {
+	static description = "Search for content across the active workspace";
+	static examples = [
+		"<%= config.bin %> site search --search \"quarterly report\"",
+		"<%= config.bin %> site search --search \"demo\" --search-in title --size 20",
+		"<%= config.bin %> site search --search \"webinar\" --json"
+	];
+	static enableJsonFlag = true;
+	static flags = {
+		...require_lib_base_command.AuthenticatedCommand.baseFlags,
+		search: _oclif_core.Flags.string({
+			description: "Search query string",
+			required: false
+		}),
+		"search-in": _oclif_core.Flags.string({
+			description: "Where to search (e.g. title, description, tags)",
+			required: false
+		}),
+		selection: _oclif_core.Flags.string({
+			description: "Filter by content selection",
+			required: false
+		}),
+		size: _oclif_core.Flags.integer({
+			description: "Number of results to return",
+			required: false
+		})
+	};
+	static agentMetadata = {
+		api_endpoint: "GET /site/search",
+		auth_scope: "read",
+		output_shape: {
+			type: "table",
+			columns: [
+				"Type",
+				"Title",
+				"ID"
+			]
+		},
+		side_effects: "none"
+	};
+	async run() {
+		const { flags } = await this.parse(SiteSearch);
+		this.printWorkspaceHeader();
+		const { data, error } = await this.apiClient.GET("/site/search", { params: { query: {
+			search: flags.search,
+			search_in: flags["search-in"],
+			selection: flags.selection,
+			size: flags.size
+		} } });
+		if (error) this.error(require_lib_term_map.applyCliTerms(formatApiError(error)), { exit: 1 });
+		const resp = data;
+		const rows = Array.isArray(resp?.data) ? resp.data : resp?.data ? [resp.data] : [];
+		if (this.jsonEnabled()) return require_lib_output.formatJsonOutput({
+			ok: true,
+			data: rows,
+			summary: `${rows.length} result(s)`,
+			breadcrumbs: [{ domain: this.activeWorkspace.domain }, { resource: "site" }]
+		});
+		if (rows.length === 0) {
+			this.log("No results found.");
+			return;
+		}
+		const table = require_lib_output.renderTable([
+			"Type",
+			"Title",
+			"ID"
+		], rows.map((r) => [
+			require_lib_term_map.applyCliTerms(String(r.object_type ?? "")),
+			String(r.title ?? r.label ?? ""),
+			String(r.object_id ?? "")
+		]));
+		this.log(table.toString());
+		this.log(chalk.default.dim(`${rows.length} result(s)`));
+	}
+};
+//#endregion
+module.exports = SiteSearch;