fix: address latest review — status union, error info leak, create test

1. Drop the "active,revoked" literal from ListInput.status. Reviewer
   flagged the asymmetry: listing one CSV combination implies it's
   canonical, but the API accepts any order ("active,revoked" or
   "revoked,active") and may add filter-only values. Simplified to
   `"active" | "revoked" | (string & {})`. The JSDoc already documents
   the CSV form, so autocomplete for the canonical single values stays
   and arbitrary strings still type-check.

2. Remove the raw response-body snippet from the batchCreate shape
   validation error. The previous message embedded up to 200 chars of
   the unexpected body, which could leak sensitive data (auth details,
   request echoes) into client-side error logs. Replaced with a static
   "Unexpected response shape from POST /v1/qurls/batch" message.
   Added a comment explaining why the snippet is intentionally absent.

3. Add qurl_id and label assertions to the existing "creates a QURL"
   test. The PR adds both fields to CreateOutput but the existing test
   only checked resource_id and qurl_link, leaving the new required
   fields without a regression guard.

Tests: 63 (unchanged — #3 tightens an existing test rather than
adding a new one).

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Author: justin-layerv

src/client.test.ts

@@ -43,10 +43,12 @@ describe("QURLClient", () => {
       status: 201,
       body: {
         data: {
+          qurl_id: "q_3a7f2c8e91b",
           resource_id: "r_abc123def45",
           qurl_link: "https://qurl.link/#at_test",
           qurl_site: "https://r_abc123def45.qurl.site",
           expires_at: "2026-03-15T10:00:00Z",
+          label: "Test create",
         },
         meta: { request_id: "req_1" },
       },
@@ -56,10 +58,13 @@ describe("QURLClient", () => {
     const result = await client.create({
       target_url: "https://example.com",
       expires_in: "24h",
+      label: "Test create",
     });
 
+    expect(result.qurl_id).toBe("q_3a7f2c8e91b");
     expect(result.resource_id).toBe("r_abc123def45");
     expect(result.qurl_link).toBe("https://qurl.link/#at_test");
+    expect(result.label).toBe("Test create");
     expect(fetch).toHaveBeenCalledWith(
       "https://api.test.layerv.ai/v1/qurls",
       expect.objectContaining({ method: "POST" }),
@@ -1562,7 +1567,11 @@ describe("QURLClient", () => {
       .catch((e: unknown) => e as ValidationError);
     expect(error).toBeInstanceOf(ValidationError);
     expect((error as ValidationError).code).toBe("client_validation");
-    expect((error as ValidationError).detail).toContain("Unexpected batchCreate response shape");
+    // Error message is intentionally static (no raw body embedded) to
+    // avoid leaking sensitive response content into client-side logs.
+    expect((error as ValidationError).detail).toBe(
+      "Unexpected response shape from POST /v1/qurls/batch",
+    );
   });
 
   it("batch create still throws on non-400 error statuses (401, 429, 5xx)", async () => {

src/client.ts

@@ -202,16 +202,17 @@ export class QURLClient {
     // if the API ever returns 400 with a different body (e.g., a top-level
     // malformed-request error) the caller would silently get undefined
     // fields. Validate the shape before returning and surface a clear
-    // error otherwise.
+    // error otherwise. The error intentionally does not embed the raw
+    // response body — an unexpected body could contain sensitive data
+    // (auth details, request echoes) and error messages may end up in
+    // client-side logs.
     if (
       !result ||
       typeof result.succeeded !== "number" ||
       typeof result.failed !== "number" ||
       !Array.isArray(result.results)
     ) {
-      throw clientValidationError(
-        `Unexpected batchCreate response shape: ${JSON.stringify(result).slice(0, 200)}`,
-      );
+      throw clientValidationError("Unexpected response shape from POST /v1/qurls/batch");
     }
     return result;
   }

src/types.ts

@@ -81,12 +81,13 @@ export interface ListInput {
   limit?: number;
   cursor?: string;
   /**
-   * Filter by status. Accepts comma-separated values to combine multiple,
-   * e.g. `"active,revoked"`. The union includes common literal values for
-   * autocomplete while still accepting any string (via the `(string & {})`
-   * trick) to support CSV and any filter-only values the API may add.
+   * Filter by status. Accepts a single value or comma-separated values to
+   * combine multiple (e.g. `"active,revoked"`). The union lists the
+   * canonical single values for autocomplete and uses the `(string & {})`
+   * trick to still accept arbitrary strings — CSV combinations in any
+   * order, plus any filter-only values the API may add later.
    */
-  status?: "active" | "revoked" | "active,revoked" | (string & {});
+  status?: "active" | "revoked" | (string & {});
   /** Free-text search over description and target_url. */
   q?: string;
   /**