@lumoai/cli 1.32.0 → 1.34.0

package/dist/cli/src/commands/task-status.js

@@ -6,6 +6,17 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_bound_task_1 = require("../lib/resolve-bound-task");
 const sanitize_1 = require("../lib/sanitize");
+const open_crossings_1 = require("../lib/open-crossings");
+/** One-line a possibly-multiline crossing detail and cap it so the safety block
+ *  stays a glance, never a wall (it must not overshadow the criteria). */
+const CROSSING_DETAIL_CAP = 160;
+function oneLineDetail(detail) {
+    const firstLine = detail.split('\n')[0] ?? '';
+    const clean = (0, sanitize_1.sanitizeField)(firstLine).trim();
+    return clean.length > CROSSING_DETAIL_CAP
+        ? `${clean.slice(0, CROSSING_DETAIL_CAP)}…`
+        : clean;
+}
 const REASON_TAIL = 400;
 function tail(s, max) {
     return s.length > max ? `…${s.slice(-max)}` : s;
@@ -16,7 +27,7 @@ function tail(s, max) {
  * glyph in front — ✓ pass, ✗ fail, ○ no verdict yet — so REVIEW_ADDED
  * provenance stays explicitly visible in every row.
  */
-function formatTaskStatus(data) {
+function formatTaskStatus(data, extras = {}) {
     const lines = [];
     const t = data.task;
     lines.push(`${t.identifier}  ${(0, sanitize_1.sanitizeField)(t.title)}`);
@@ -30,6 +41,7 @@ function formatTaskStatus(data) {
     if (data.criteria.length === 0) {
         lines.push('');
         lines.push(`No acceptance criteria on ${t.identifier} — draft 3–7 and submit with lumo task criteria set ${t.identifier} --file <criteria.json>`);
+        pushOpenCrossings(lines, extras);
         return lines.join('\n') + '\n';
     }
     lines.push('');
@@ -46,6 +58,15 @@ function formatTaskStatus(data) {
         if (c.checkpointer) {
             lines.push(`      ↳ check: ${(0, sanitize_1.sanitizeField)(c.checkpointer)}`);
         }
+        // LUM-465: agent-drafted human-judging guidance, rendered as an indented
+        // block under a HUMAN criterion (multi-line steps stay aligned).
+        if (c.judgeSteps) {
+            const judgeLines = (0, sanitize_1.sanitizeField)(c.judgeSteps).split('\n');
+            lines.push(`      ↳ judge: ${judgeLines[0]}`);
+            for (const jl of judgeLines.slice(1)) {
+                lines.push(`              ${jl}`);
+            }
+        }
         const v = c.latestVerdict;
         if (v == null) {
             lines.push('      (no verdict yet)');
@@ -61,6 +82,11 @@ function formatTaskStatus(data) {
                 ? ` · ${(0, sanitize_1.sanitizeField)(v.evidencePointer)}`
                 : '';
             lines.push(`      ✓ ${v.verdict}@r${v.round}${evidencePart}`);
+            // LUM-457: a pass that vouches for a pre-edit version of the criterion —
+            // render-only downgrade, the criterion still counts met.
+            if (c.verdictStale || c.checkMismatch) {
+                lines.push('      ⚠ pre-edit version — criterion changed since this check; re-run `lumo verify` to re-confirm');
+            }
         }
     }
     if (data.verificationHistory.length > 0) {
@@ -108,8 +134,50 @@ function formatTaskStatus(data) {
                 : 'Remaining criteria are HUMAN-only — finish the work and hand off for human review.');
         }
     }
+    pushOpenCrossings(lines, extras);
     return lines.join('\n') + '\n';
 }
+/**
+ * Append the OPEN boundary-crossings safety block (LUM-448) — a count, one line
+ * per crossing with its severity + category + clipped detail, and a pointer to
+ * the human-only web disposition panel. Trailing (after the criteria) and
+ * silent when there are none, so it never overshadows the acceptance contract.
+ * Read-only awareness: the line points at the web UI; it offers no way to clear
+ * a crossing from the terminal (LUM-426/435/422).
+ */
+function pushOpenCrossings(lines, extras) {
+    const open = extras.openCrossings ?? [];
+    if (open.length === 0)
+        return;
+    lines.push('');
+    lines.push(`⚠ Open boundary crossings (${open.length} undispositioned):`);
+    for (const c of open) {
+        const detail = oneLineDetail(c.detail);
+        const tail = detail ? ` — ${detail}` : '';
+        lines.push(`  • [${c.severity}] ${(0, sanitize_1.sanitizeField)(c.category)}${tail}`);
+        lines.push(`    ${formatAttribution(c.attribution)}`);
+    }
+    lines.push('  Disposition is human-only in the web acceptance panel:');
+    if (extras.dispositionUrl) {
+        lines.push(`    ${extras.dispositionUrl}`);
+    }
+}
+/**
+ * Compact attribution line for an open crossing (LUM-469): which model + which
+ * agent/session committed it, so a reviewer can audit who/what crossed from the
+ * terminal. Every dimension that the server couldn't resolve renders `unknown`
+ * — never a fabricated value. The session UUID is clipped to a correlatable
+ * prefix; the worktree branch (which branch) is appended to the agent when known.
+ */
+function formatAttribution(a) {
+    const agent = a.agent
+        ? a.worktreeBranch
+            ? `${a.agent}/${a.worktreeBranch}`
+            : a.agent
+        : 'unknown';
+    const session = a.sessionId ? a.sessionId.slice(0, 8) : 'unknown';
+    return `↳ by model=${a.model ?? 'unknown'} · agent=${agent} · session=${session}`;
+}
 /**
  * `lumo task status [task] [--json]` — the agent's read-only self-check
  * (LUM-344): contract + latest verdicts + verification history + next
@@ -126,8 +194,7 @@ async function taskStatus(identifier, options = {}) {
     const base = (0, api_1.trimTrailingSlash)((0, api_1.resolveAuthedApiUrl)(creds.apiUrl));
     let taskId = identifier;
     if (!taskId) {
-        taskId =
-            (await (0, resolve_bound_task_1.resolveBoundTaskIdentifier)(base, creds.token)) ?? undefined;
+        taskId = (await (0, resolve_bound_task_1.resolveBoundTaskIdentifier)(base, creds.token)) ?? undefined;
         if (!taskId) {
             console.error('Error: no task given and this session is not bound to one.\n' +
                 'Run `lumo task status <LUM-N>`, or bind first with `lumo session attach <LUM-N>`.');
@@ -156,11 +223,21 @@ async function taskStatus(identifier, options = {}) {
         return 1;
     }
     const data = (await res.json());
+    // Read-only awareness (LUM-448): surface the task's OPEN boundary crossings
+    // via the existing LUM-435 endpoint. Best-effort — fetchOpenCrossings already
+    // swallows failures to an empty list, so this supplementary safety signal can
+    // never block the primary acceptance status. The resolved taskId (the
+    // identifier the status was fetched for) is the key here.
+    const openCrossings = await (0, open_crossings_1.fetchOpenCrossings)(base, creds.token, taskId);
     if (options.json) {
         // JSON.stringify escapes control chars (…), so the payload is safe
         // to emit raw — and consumers get byte-faithful server data.
-        process.stdout.write(JSON.stringify(data, null, 2) + '\n');
+        // The open crossings ride alongside as an additive field (count = length).
+        process.stdout.write(JSON.stringify({ ...data, openCrossings }, null, 2) + '\n');
         return;
     }
-    process.stdout.write(formatTaskStatus(data));
+    process.stdout.write(formatTaskStatus(data, {
+        openCrossings,
+        dispositionUrl: (0, open_crossings_1.dispositionUrl)(base, creds.workspaceSlug ?? 'lumo', data.task.identifier),
+    }));
 }

package/dist/cli/src/commands/wrap/crossings-reminder.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatCrossingReminder = formatCrossingReminder;
+exports.openCrossingReminder = openCrossingReminder;
+const resolve_bound_task_1 = require("../../lib/resolve-bound-task");
+const sanitize_1 = require("../../lib/sanitize");
+const open_crossings_1 = require("../../lib/open-crossings");
+/**
+ * Build the wrap-up reminder for a task's OPEN boundary crossings (LUM-448).
+ * Returns the reminder string when there is ≥1 open crossing, and `null` when
+ * there are none — the caller prints nothing on null, so a clean task makes NO
+ * noise at wrap time. Read-only awareness: the reminder points at the
+ * human-only web disposition panel and offers no way to clear a crossing from
+ * the terminal (LUM-426/435/422).
+ */
+function formatCrossingReminder(taskIdentifier, open, url) {
+    if (open.length === 0)
+        return null;
+    const n = open.length;
+    const lines = [
+        `⚠ ${n} open boundary crossing${n === 1 ? '' : 's'} on ${taskIdentifier} still undispositioned:`,
+    ];
+    for (const c of open) {
+        lines.push(`  • [${c.severity}] ${(0, sanitize_1.sanitizeField)(c.category)}`);
+    }
+    lines.push(`  Review & disposition (web + human-only): ${url}`);
+    return lines.join('\n') + '\n';
+}
+/**
+ * Resolve the session's bound task and surface its OPEN boundary crossings as a
+ * wrap-up reminder (LUM-448), or `null` when the session is unbound or nothing
+ * is open. Pure read — `fetchOpenCrossings` hits only the LUM-435 GET endpoint
+ * and there is no disposition write path here.
+ */
+async function openCrossingReminder(creds) {
+    const taskIdentifier = await (0, resolve_bound_task_1.resolveBoundTaskIdentifier)(creds.apiUrl, creds.token);
+    if (!taskIdentifier)
+        return null;
+    const open = await (0, open_crossings_1.fetchOpenCrossings)(creds.apiUrl, creds.token, taskIdentifier);
+    return formatCrossingReminder(taskIdentifier, open, (0, open_crossings_1.dispositionUrl)(creds.apiUrl, creds.workspaceSlug, taskIdentifier));
+}

package/dist/cli/src/index.js

@@ -44,7 +44,6 @@ const auth_logout_1 = require("./commands/auth-logout");
 const whoami_1 = require("./commands/whoami");
 const hook_1 = require("./commands/hook");
 const session_attach_1 = require("./commands/session-attach");
-const session_detach_1 = require("./commands/session-detach");
 const session_status_1 = require("./commands/session-status");
 const session_wrap_1 = require("./commands/session-wrap");
 const next_1 = require("./commands/next");
@@ -110,6 +109,7 @@ const doc_sync_1 = require("./commands/doc-sync");
 const doc_update_1 = require("./commands/doc-update");
 const doc_show_1 = require("./commands/doc-show");
 const doc_diff_1 = require("./commands/doc-diff");
+const doc_rebuild_source_1 = require("./commands/doc-rebuild-source");
 const doc_section_edit_1 = require("./commands/doc-section-edit");
 const doc_list_1 = require("./commands/doc-list");
 const doc_delete_1 = require("./commands/doc-delete");
@@ -239,17 +239,12 @@ const session = program
     .description('Manage per-terminal coding-session context');
 session
     .command('attach <identifier>')
-    .description('Attach the currently-running Claude Code session (CLAUDE_CODE_SESSION_ID) to a task. Sets Session.taskId server-side and re-tags untagged hook events. If the session is already bound to a different task, confirms before overwriting (use --force to skip).')
-    .option('--force', 'Overwrite an existing binding to a different task without confirmation (skips the [y/N] prompt).')
-    .action(wrap((identifier, options) => (0, session_attach_1.sessionAttach)(identifier, options)));
+    .description('Attach the currently-running Claude Code session (CLAUDE_CODE_SESSION_ID) to a task. The binding is a lifetime lock: re-attaching to the same task is a no-op, attaching to a different task is refused — start a new session for a different task.')
+    .action(wrap(identifier => (0, session_attach_1.sessionAttach)(identifier)));
 session
     .command('status')
     .description('Show the task currently bound to this Claude Code session (or "no task" if none).')
     .action(wrap(() => (0, session_status_1.sessionStatus)()));
-session
-    .command('detach')
-    .description('Clear the task binding on the current Claude Code session. Past hook events keep their taskId; only future events become untagged.')
-    .action(wrap(() => (0, session_detach_1.sessionDetach)()));
 session
     .command('wrap')
     .description("Session-end wrap-up: draft a progress comment from this session's turn summaries and post it to the bound task after confirmation.")
@@ -344,8 +339,9 @@ const taskComments = task
     .description('Inspect the full task comment thread');
 taskComments
     .command('list <identifier>')
-    .description('List the full task comment thread')
-    .action(wrap(id => (0, task_comment_list_1.taskCommentList)(id)));
+    .description('List the task comment thread (capped to the output budget; --full prints every comment)')
+    .option('--full', 'Print every comment, bypassing the output-token cap')
+    .action(wrap((id, opts) => (0, task_comment_list_1.taskCommentList)(id, opts)));
 const taskDeps = task
     .command('deps')
     .description('Task dependency edges — detected candidates + confirmed blockers');
@@ -714,6 +710,13 @@ doc
     .description('Compare the server-side markdown source against a local file. Exit 0 when byte-identical, 1 with a unified diff when divergent. Requires the doc to have a stored markdown source.')
     .requiredOption('--file <path>', 'Local markdown file to compare against')
     .action(wrap((reference, opts) => (0, doc_diff_1.docDiff)(reference, opts)));
+doc
+    .command('rebuild-source <doc>')
+    .description("Regenerate the stored markdown source from the doc's HTML body using a lossless serializer (tables/rows/headings round-trip), re-enabling doc show --raw / diff / patch / append for a source-less doc. The rebuilt source is structure-guarded: any table/tr/heading shrink is rejected with 422 (no silent flattening) unless --allow-shrink is passed. A doc that already has a source is refused with 409 unless --force re-derives it (replacing a byte-faithful source with a serializer-derived one).")
+    .option('--allow-shrink', 'Commit even if the rebuilt source re-renders with fewer tables/rows/headings than the stored body (default: rejected with 422)')
+    .option('--force', 'Re-derive the source even when one already exists (default: refused with 409)')
+    .option('--if-revision <n>', 'Only apply if the doc body is still at this revision (from doc show)')
+    .action(wrap((reference, opts) => (0, doc_rebuild_source_1.docRebuildSource)(reference, opts)));
 doc
     .command('list')
     .description('List documents visible to the current user')

package/dist/cli/src/lib/open-crossings.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchOpenCrossings = fetchOpenCrossings;
+exports.dispositionUrl = dispositionUrl;
+const api_1 = require("./api");
+const SEVERITY_RANK = {
+    HIGH: 3,
+    MEDIUM: 2,
+    LOW: 1,
+};
+/** Narrow the raw view's attribution to the terminal's read-only shape, every
+ *  dimension defaulting to null (unknown) when absent or the wrong type. */
+function normalizeAttribution(raw) {
+    const str = (v) => typeof v === 'string' && v.length > 0 ? v : null;
+    return {
+        workspaceMemberId: str(raw?.workspaceMemberId),
+        sessionId: str(raw?.sessionId),
+        agent: str(raw?.agent),
+        worktreeBranch: str(raw?.worktreeBranch),
+        model: str(raw?.model),
+    };
+}
+function normalizeSeverity(s) {
+    return s === 'HIGH' || s === 'MEDIUM' || s === 'LOW' ? s : 'LOW';
+}
+/**
+ * Fetch a task's OPEN (undispositioned) boundary crossings, highest-severity
+ * first, via the EXISTING LUM-435 read endpoint — `GET …/boundary-crossings`
+ * returns every crossing (open and dispositioned); we keep only the
+ * undispositioned ones (`disposition == null`). This is the **read/awareness**
+ * half of the acceptance loop: there is no new query and, by construction, no
+ * way to clear a crossing — disposition stays web + human-only
+ * (LUM-426/435/422).
+ *
+ * Best-effort: any transport / HTTP / parse failure yields an empty list, so a
+ * supplementary safety signal can never break the caller's primary output
+ * (the acceptance status, the wrap-up panel).
+ */
+async function fetchOpenCrossings(apiUrl, token, taskIdentifier) {
+    const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/tasks/${encodeURIComponent(taskIdentifier)}/boundary-crossings`;
+    let res;
+    try {
+        res = await fetch(url, { headers: { Authorization: `Bearer ${token}` } });
+    }
+    catch {
+        return [];
+    }
+    if (!res.ok)
+        return [];
+    let data;
+    try {
+        data = (await res.json());
+    }
+    catch {
+        return [];
+    }
+    const rows = Array.isArray(data.crossings) ? data.crossings : [];
+    return rows
+        .filter(c => c.disposition == null)
+        .map(c => ({
+        id: c.id,
+        category: c.category,
+        severity: normalizeSeverity(c.severity),
+        detail: c.detail,
+        attribution: normalizeAttribution(c.attribution),
+    }))
+        .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
+}
+/**
+ * The web deep link where a HUMAN dispositions crossings. Disposition is
+ * web-only and human-only (LUM-426/435/422); the terminal only ever points
+ * here, it never clears anything itself. Built from the workspace slug +
+ * identifier alone (the `/my-tasks/<id>` route needs no project slug), so no
+ * extra fetch is required.
+ */
+function dispositionUrl(apiUrl, workspaceSlug, taskIdentifier) {
+    return `${(0, api_1.trimTrailingSlash)(apiUrl)}/workspace/${workspaceSlug}/my-tasks/${taskIdentifier}#boundary-crossings`;
+}

package/dist/shared/src/index.js

@@ -1,7 +1,7 @@
 "use strict";
 // ── Agent Error types ────────────────────────────────────────────────────────
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.buildCmdEvidencePointer = exports.isValidEvidencePointer = exports.EVIDENCE_POINTER_MAX = exports.EVIDENCE_POINTER_FORMAT_HINT = exports.EVIDENCE_POINTER_PATTERNS = exports.sanitizeField = exports.parseStreamJsonUsage = exports.tiptapToMarkdown = exports.markdownToTiptap = exports.AgentError = void 0;
+exports.capRenderedOutput = exports.truncateUnitsToBudget = exports.OUTPUT_TOKEN_BUDGET = exports.estimateTokens = exports.buildCmdEvidencePointer = exports.isValidEvidencePointer = exports.EVIDENCE_POINTER_MAX = exports.EVIDENCE_POINTER_FORMAT_HINT = exports.EVIDENCE_POINTER_PATTERNS = exports.sanitizeField = exports.parseStreamJsonUsage = exports.tiptapToMarkdown = exports.markdownToTiptap = exports.AgentError = void 0;
 exports.userFriendlyError = userFriendlyError;
 class AgentError extends Error {
     code;
@@ -46,3 +46,9 @@ Object.defineProperty(exports, "EVIDENCE_POINTER_FORMAT_HINT", { enumerable: tru
 Object.defineProperty(exports, "EVIDENCE_POINTER_MAX", { enumerable: true, get: function () { return acceptance_evidence_1.EVIDENCE_POINTER_MAX; } });
 Object.defineProperty(exports, "isValidEvidencePointer", { enumerable: true, get: function () { return acceptance_evidence_1.isValidEvidencePointer; } });
 Object.defineProperty(exports, "buildCmdEvidencePointer", { enumerable: true, get: function () { return acceptance_evidence_1.buildCmdEvidencePointer; } });
+// ── Agent-facing CLI output-token budget (LUM-428) ───────────────────────────
+var output_budget_1 = require("./output-budget");
+Object.defineProperty(exports, "estimateTokens", { enumerable: true, get: function () { return output_budget_1.estimateTokens; } });
+Object.defineProperty(exports, "OUTPUT_TOKEN_BUDGET", { enumerable: true, get: function () { return output_budget_1.OUTPUT_TOKEN_BUDGET; } });
+Object.defineProperty(exports, "truncateUnitsToBudget", { enumerable: true, get: function () { return output_budget_1.truncateUnitsToBudget; } });
+Object.defineProperty(exports, "capRenderedOutput", { enumerable: true, get: function () { return output_budget_1.capRenderedOutput; } });

package/dist/shared/src/markdown-sections.js

@@ -93,10 +93,29 @@ function parseSectionQuery(raw) {
         return { text: (m[2] ?? '').trim(), depth: (m[1] ?? '').length };
     return { text: raw.trim() };
 }
+/**
+ * Normalize a heading for the widest match tier (LUM-447): fold full-width
+ * ASCII forms (U+FF01–U+FF5E — the （），etc. that pepper CJK headings) down
+ * to their half-width counterparts, turn the full-width ideographic space
+ * (U+3000) into a normal space, collapse runs of whitespace to one, then
+ * lower-case. This lets a half-width `--section` query land on a full-width
+ * stored heading (and the reverse) so agents no longer have to grep and copy
+ * the raw bytes. It does NOT relax the ambiguity guard: matches are still
+ * counted, and more than one is reported as candidates.
+ */
+function normalizeHeading(text) {
+    return text
+        .replace(/[！-～]/g, ch => String.fromCharCode(ch.charCodeAt(0) - 0xfee0))
+        .replace(/　/g, ' ')
+        .replace(/\s+/g, ' ')
+        .trim()
+        .toLowerCase();
+}
 /**
  * Locate a section by heading text. Exact match first, then a
- * case-insensitive pass; more than one hit in the winning pass is reported
- * as ambiguous rather than silently picking one.
+ * case-insensitive pass, then a full-width/half-width + whitespace
+ * normalization pass (LUM-447); more than one hit in the winning pass is
+ * reported as ambiguous rather than silently picking one.
  */
 function findSection(src, query) {
     const q = parseSectionQuery(query);
@@ -107,6 +126,10 @@ function findSection(src, query) {
         const lower = q.text.toLowerCase();
         matches = pool.filter(s => s.heading.toLowerCase() === lower);
     }
+    if (matches.length === 0) {
+        const normalized = normalizeHeading(q.text);
+        matches = pool.filter(s => normalizeHeading(s.heading) === normalized);
+    }
     const first = matches[0];
     if (matches.length === 1 && first)
         return { kind: 'found', section: first };

package/dist/shared/src/output-budget.js

@@ -0,0 +1,129 @@
+"use strict";
+/**
+ * LUM-428 — output-token budget for agent-facing CLI stdout.
+ *
+ * Anthropic's "Writing effective tools for AI agents" + "Effective context
+ * engineering": a tool's response is a contract that spends from the agent's
+ * context budget, and Claude Code defaults to truncating a tool result to
+ * 25,000 tokens. Lumo's agent-facing commands (`task comments list`,
+ * `task context`, `doc show`, …) print straight into that budget, so a single
+ * fat comment thread / huge doc must not be allowed to blow it.
+ *
+ * This module is the CLI-side primitive: a token estimate, the budget anchor,
+ * and two cappers that truncate to the budget and append a *lightweight
+ * fetch-more pointer* — a just-in-time identifier telling the agent how to pull
+ * the rest on demand instead of receiving it all up front.
+ *
+ * It lives in `shared/` (not the app's `lib/context/budget.ts`) because the CLI
+ * imports `shared/` and never the app `lib/`. It is deliberately decoupled from
+ * the LUM-402 *injection-side* budget (session-start additionalContext): that
+ * one allocates the context window; this one caps command stdout.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OUTPUT_TOKEN_BUDGET = void 0;
+exports.estimateTokens = estimateTokens;
+exports.truncateUnitsToBudget = truncateUnitsToBudget;
+exports.capRenderedOutput = capRenderedOutput;
+/**
+ * Rough token estimate: char-count / 4, rounded up. Stable proxy that avoids a
+ * tokenizer dependency — the same heuristic the canonical injection-side budget
+ * (`lib/context/budget.ts`) uses, duplicated here only because `shared/` must
+ * stay free of any app-`lib/` import.
+ */
+function estimateTokens(text) {
+    return Math.ceil(text.length / 4);
+}
+/**
+ * Default per-command output ceiling for agent-facing CLI stdout, in tokens.
+ * Anchored to Anthropic's published Claude Code default (tool results truncated
+ * to 25,000 tokens). Generous on purpose: normal outputs sit far below it, so
+ * the cap only ever engages on a pathological input (a thousand-comment thread,
+ * a book-length doc) — exactly the case that would otherwise silently swallow
+ * the agent's whole budget.
+ */
+exports.OUTPUT_TOKEN_BUDGET = 25_000;
+/**
+ * Chars reserved for the appended pointer line so the final string (body +
+ * pointer) still fits the budget. Comfortably larger than any pointer this
+ * module builds.
+ */
+const POINTER_RESERVE_CHARS = 320;
+function buildPointer(omitted, unitNoun, maxTokens, fetchHint) {
+    return (`… +${omitted.toLocaleString('en-US')} more ${unitNoun} not shown ` +
+        `(output capped at ${maxTokens.toLocaleString('en-US')} tokens) — ${fetchHint}`);
+}
+/**
+ * Truncate an explicit list of repeatable units (e.g. one comment each) to the
+ * budget, appending the fetch-more pointer when anything is dropped. Always
+ * keeps at least one unit so the output is never just a pointer. The returned
+ * `text` is guaranteed to estimate at or under `maxTokens`.
+ */
+function truncateUnitsToBudget(params) {
+    const maxTokens = params.maxTokens ?? exports.OUTPUT_TOKEN_BUDGET;
+    const separator = params.separator ?? '\n\n';
+    const { units, unitNoun, fetchHint } = params;
+    const full = units.join(separator);
+    if (units.length === 0 || estimateTokens(full) <= maxTokens) {
+        return {
+            text: full,
+            truncated: false,
+            shownUnits: units.length,
+            omittedUnits: 0,
+        };
+    }
+    const charBudget = Math.max(0, maxTokens * 4 - POINTER_RESERVE_CHARS);
+    const kept = [];
+    let used = 0;
+    for (const unit of units) {
+        const add = (kept.length === 0 ? 0 : separator.length) + unit.length;
+        if (kept.length > 0 && used + add > charBudget)
+            break;
+        kept.push(unit);
+        used += add;
+        if (used >= charBudget)
+            break;
+    }
+    let body = kept.join(separator);
+    // A single oversized leading unit can still bust the budget — hard-slice it.
+    if (body.length > charBudget)
+        body = body.slice(0, charBudget);
+    const omitted = units.length - kept.length;
+    const pointer = buildPointer(omitted, unitNoun, maxTokens, fetchHint);
+    return {
+        text: `${body}${separator}${pointer}`,
+        truncated: true,
+        shownUnits: kept.length,
+        omittedUnits: omitted,
+    };
+}
+/**
+ * Cap an already-rendered multi-line string to the budget at a line boundary,
+ * appending the fetch-more pointer when truncated. For commands that assemble a
+ * single body (a doc render, the task-context handoff) rather than an explicit
+ * unit list. The returned `text` estimates at or under `maxTokens`.
+ */
+function capRenderedOutput(text, opts) {
+    const maxTokens = opts.maxTokens ?? exports.OUTPUT_TOKEN_BUDGET;
+    const unitNoun = opts.unitNoun ?? 'lines';
+    if (estimateTokens(text) <= maxTokens) {
+        return { text, truncated: false, shownUnits: 0, omittedUnits: 0 };
+    }
+    const charBudget = Math.max(0, maxTokens * 4 - POINTER_RESERVE_CHARS);
+    // Fill the budget with a hard char-slice (so a single very long line is
+    // sliced, not dropped wholesale), then back up to a line boundary when one
+    // sits in the kept tail — keeps the output from ending mid-line.
+    let body = text.slice(0, charBudget);
+    const lastNewline = body.lastIndexOf('\n');
+    if (lastNewline > charBudget / 2)
+        body = body.slice(0, lastNewline);
+    const totalLines = text.split('\n').length;
+    const keptLines = body.length === 0 ? 0 : body.split('\n').length;
+    const omitted = Math.max(0, totalLines - keptLines);
+    const pointer = buildPointer(omitted, unitNoun, maxTokens, opts.fetchHint);
+    return {
+        text: `${body}\n\n${pointer}`,
+        truncated: true,
+        shownUnits: keptLines,
+        omittedUnits: omitted,
+    };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lumoai/cli",
-  "version": "1.32.0",
+  "version": "1.34.0",
   "description": "Lumo CLI — manage tasks and sessions from the terminal",
   "license": "MIT",
   "author": "cli@uselumo.ai",

package/dist/cli/src/commands/session-detach.js

@@ -1,60 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.sessionDetach = sessionDetach;
-const config_1 = require("../lib/config");
-const api_1 = require("../lib/api");
-const sanitize_1 = require("../lib/sanitize");
-/**
- * `lumo session detach` — clear the task binding on the current Claude Code
- * session. Idempotent: re-detaching an already-unbound session reports
- * "already unbound" instead of erroring.
- *
- * Past HookEvent rows keep their original taskId — only future events on
- * this session will be unbound. Re-attach later with `session attach
- * <LUM-N>` to point the session at a different task.
- */
-async function sessionDetach() {
-    const sessionId = process.env.CLAUDE_CODE_SESSION_ID;
-    if (!sessionId) {
-        console.error('Error: $CLAUDE_CODE_SESSION_ID is not set.\n' +
-            '`lumo session detach` must be run inside a Claude Code session.');
-        return 1;
-    }
-    const creds = (0, config_1.readCredentials)();
-    if (!creds) {
-        console.error('Error: not logged in. Run `lumo auth login` first.');
-        return 1;
-    }
-    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
-    const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/sessions/${encodeURIComponent(sessionId)}/bind-task`;
-    let res;
-    try {
-        res = await fetch(url, {
-            method: 'DELETE',
-            headers: { Authorization: `Bearer ${creds.token}` },
-        });
-    }
-    catch (err) {
-        const msg = err instanceof Error ? err.message : String(err);
-        console.error(`Error: could not reach Lumo API at ${apiUrl} (${msg})`);
-        return 1;
-    }
-    if (res.status === 401) {
-        console.error('Error: API key invalid or revoked. Run `lumo auth login`.');
-        return 1;
-    }
-    if (res.status === 404) {
-        process.stdout.write(`Session ${sessionId} has no server-side state yet — nothing to detach.\n`);
-        return;
-    }
-    if (!res.ok) {
-        console.error(`Error: session detach failed (HTTP ${res.status})`);
-        return 1;
-    }
-    const data = (await res.json());
-    if (data.alreadyUnbound) {
-        process.stdout.write(`Session ${sessionId} was already unbound.\n`);
-        return;
-    }
-    process.stdout.write(`Detached session ${sessionId} from ${data.previousTaskIdentifier} "${(0, sanitize_1.sanitizeField)(data.previousTaskTitle ?? '')}".\n`);
-}