@lumoai/cli 1.33.0 → 1.34.0

package/assets/skill/SKILL.md

@@ -31,7 +31,7 @@ The command catalog below is a **map**: it lists every command grouped by domain
 | `doc*`                                                                                  | [references/docs.md](references/docs.md)                       |
 | `sprint*`                                                                               | [references/sprints.md](references/sprints.md)                 |
 | `task/project memory`, `memory promote/rm`                                              | [references/memory.md](references/memory.md)                   |
-| `session attach/status/detach/wrap`, git-suggest on start, Layer-2 review               | [references/sessions.md](references/sessions.md)               |
+| `session attach/status/wrap`, git-suggest on start, Layer-2 review                      | [references/sessions.md](references/sessions.md)               |
 | `worktree add/rm/list` (local dev tooling)                                              | [references/worktree.md](references/worktree.md)               |
 
 ## Command catalog
@@ -73,13 +73,13 @@ The command catalog below is a **map**: it lists every command grouped by domain
 
 **Acceptance criteria (contract)** — see [criteria.md](references/criteria.md)
 
-- `lumo task criteria set <task> --file <criteria.json> [--human] [--cause <tag>]` — submit the whole contract: default = initial agent draft (AGENT_DRAFT, locked once submitted); `--human` = a HUMAN_EDIT revision transcribed from the conversation (desired final list; items with `id` keep/update, missing ones are deleted); `--cause` (with `--human`) annotates why the contract drifted: `NEW_INFO | SCOPE_CHANGE | DRAFT_BLIND_SPOT | GRANULARITY | OTHER`
+- `lumo task criteria set <task> --file <criteria.json> [--human] [--cause <tag>]` — submit the whole contract: default = agent draft (AGENT_DRAFT, editable until DONE — full-group replace while never-left-TODO; identity-preserving diff with CRITERION_CHANGED drift trail once work has started; 409 only when task is DONE); `--human` = a HUMAN_EDIT revision transcribed from the conversation (desired final list; items with `id` keep/update, missing ones are deleted; allowed in every non-DONE stage); `--cause` (with `--human`) annotates why the contract drifted: `NEW_INFO | SCOPE_CHANGE | DRAFT_BLIND_SPOT | GRANULARITY | OTHER`
 - `lumo task criteria list <task>` — print the contract (id, MACHINE/HUMAN, provenance source@round, checkpointer)
 
 **Verification (machine acceptance loop)** — see [verify.md](references/verify.md)
 
 - `lumo verify [task] [--timeout <seconds>]` — run every MACHINE criterion's checkpointer locally, report one structured PASS/FAIL verdict per criterion to the server, print next actions. Defaults to the session-bound task. Round cap 3: an all-pass round moves the task to IN_REVIEW (agent stops there); a round-3 fail escalates to a human (stop retrying). **Run this before claiming a task is done.**
-- `lumo task status [task] [--json]` — read-only acceptance self-check (no LLM, milliseconds): the contract with each criterion's latest verdict (REVIEW_ADDED provenance visible), verification history, current round, last round's failure reasons, and `nextActions` = the unmet criteria (the declarative "what's next" — no separate plan). Defaults to the session-bound task; `--json` emits a versioned payload (`version` field). **Run it first when resuming a task in a new session or after a verification round was rejected.**
+- `lumo task status [task] [--json]` — read-only acceptance self-check (no LLM, milliseconds): the contract with each criterion's latest verdict (REVIEW_ADDED provenance visible), verification history, current round, last round's failure reasons, `nextActions` = the unmet criteria (the declarative "what's next" — no separate plan), and any OPEN (undispositioned) boundary crossings (count + per crossing category/severity/detail + a read-only attribution line `↳ by model=…·agent=…·session=…` naming who/what crossed, `unknown` when unresolved — LUM-469; `--json` adds an `openCrossings[]` field, each entry carrying an `attribution` object) — read-only awareness, disposition stays web + human-only (LUM-448). Defaults to the session-bound task; `--json` emits a versioned payload (`version` field). **Run it first when resuming a task in a new session or after a verification round was rejected.**
 - `lumo verdict [task] --pass | --pass-with-followup | --fail` — acceptance verdicts (LUM-422). `--pass` / `--pass-with-followup` open the browser to the human verdict bar focused on the passing action (a deep link — **records nothing**; a passing data row is only ever a human's own click). `--fail --reason <enum> [--note <text>] [--criterion <id>…]` records an **AGENT send-back** (verifierType=AGENT, verdict hard-coded FAIL) and bounces the task to IN_PROGRESS. Defaults to the session-bound task. **An unresolved send-back (machine/AGENT/human FAIL) blocks the agent/CLI DONE transition with 409** — clear it (re-verify) before `task update --status done`.
 
 **Artifacts & Figma** — see [artifacts-figma.md](references/artifacts-figma.md)
@@ -104,6 +104,7 @@ The command catalog below is a **map**: it lists every command grouped by domain
 - `lumo doc patch <doc> --section "<heading>" --content/--file/stdin [--if-revision N] [--allow-shrink]` — replace ONLY that section (heading line included); every byte outside it is untouched; concurrent edits 409 instead of clobbering; the structure guard 422s a replacement that drops the section's tables/rows/headings unless `--allow-shrink` (appends are never guarded)
 - `lumo doc append <doc> [--section "<heading>"] --content/--file/stdin [--if-revision N]` — append at section end (or doc end without `--section`); pure insertion, no existing byte modified — the safest write for running logs/ledgers
 - `lumo doc diff <doc> --file <local.md>` — compare the server-side markdown source against a local file (exit 0 identical, 1 with unified diff)
+- `lumo doc rebuild-source <doc> [--allow-shrink] [--force] [--if-revision N]` — regenerate `sourceMarkdown` from the stored HTML body with a lossless serializer (tables/rows/headings round-trip), re-enabling raw/diff/section/append on a source-less doc; structure-guarded (422 on any shrink, LUM-410 口径), backfills the source only; 409 if a source already exists unless `--force`. Recovery path when raw/section/patch errors "no stored source" (LUM-446)
 - `lumo doc move` — reparent under a parent / to root
 - `lumo doc bind/unbind <doc> <task>` — task linkage
 - `lumo doc share/unshare/share-list` — member sharing
@@ -123,9 +124,9 @@ The command catalog below is a **map**: it lists every command grouped by domain
 
 **Sessions** — see [sessions.md](references/sessions.md)
 
-- `lumo session attach <id>` — bind this session to a task (then run `task context`)
-- `lumo session status` / `lumo session detach` — show / clear binding
-- `lumo session wrap [--yes] [--dry-run] [--used <indices>]` — end-of-session panel: progress comment + memory review + fragment-usage vote (`--used`, LUM-300) + blocked-tag prompt. Usage is now also audited automatically when a task reaches DONE (evidence-gated, true-only — confident fragments marked used, the rest left NULL); `session wrap --used` remains the manual override and takes precedence for a session.
+- `lumo session attach <id>` — bind this session to a task (then run `task context`). **Lifetime lock**: re-attaching to the same task is a no-op; attaching to a _different_ task is refused with 409 — start a new Claude Code session instead. No `--force`, no `session detach`.
+- `lumo session status` — show current binding
+- `lumo session wrap [--yes] [--dry-run] [--used <indices>]` — end-of-session panel: progress comment + memory review + fragment-usage vote (`--used`, LUM-300) + blocked-tag prompt, then a read-only reminder when the bound task has ≥1 OPEN boundary crossing still undispositioned (silent when none — no wrap-up noise; pointer is web + human-only, LUM-448). Usage is now also audited automatically when a task reaches DONE (evidence-gated, true-only — confident fragments marked used, the rest left NULL); `session wrap --used` remains the manual override and takes precedence for a session.
 - Git-suggest at session start (suggests `session attach`, never auto-binds) + Layer-2 project-memory review — see the reference
 
 **Worktrees (local dev tooling)** — see [worktree.md](references/worktree.md)
@@ -139,6 +140,7 @@ The command catalog below is a **map**: it lists every command grouped by domain
 Measured from real agent sessions (LUM-392) — don't guess these:
 
 - No `lumo session start` — binding is `lumo session attach <LUM-N>`
+- No `lumo session detach` — the session↔task binding is a lifetime lock (LUM-459); to work on a different task, start a new Claude Code session
 - No `lumo task delete` — tasks can't be deleted from the CLI (web UI only)
 - No `lumo task artifact edit` — it's `lumo task artifact update`
 - No `lumo auth status` — identity check is `lumo whoami`

package/assets/skill/references/criteria.md

@@ -22,12 +22,32 @@ contract, you MUST draft and submit criteria before starting implementation:
    merge related checks instead). **Scale the count down for small tasks** —
    see "Scale the contract to the task size" below.
 3. Submit with `lumo task criteria set <task> --file <criteria.json>`.
-   Submission **locks the contract for agent edits** — get it right before
-   submitting, because afterwards only human revisions (`--human`) can change it.
 
-Once you (the agent) have started work, you can NOT change your own contract.
-That's by design: the contract is what your work gets judged against, not a
-to-do list you trim to fit what you built.
+**The contract is editable until DONE — but changes after work starts leave a
+recorded drift trail.** The behaviour changes at two thresholds tracked by
+`Task.workStartedAt` (set the first time the task leaves TODO; never resets even
+if the task bounces back to TODO):
+
+- **Work has never started** (`workStartedAt` unset, task still in its initial
+  TODO phase): a `criteria set` resubmit replaces the whole contract freely —
+  full-group replace, recorded as `AGENT_DRAFT@round0`. Iterate as much as
+  needed during planning.
+- **Work has started** (the task left TODO at least once): a `criteria set`
+  resubmit is **still allowed** and applies an **identity-preserving diff** — the
+  CLI matches submitted items to existing criteria by id (attaching ids
+  automatically by exact-statement match) and records each add, update, or delete
+  as a `CRITERION_CHANGED` drift event at the current round. **No 409.** The
+  intent: the contract can be sharpened as understanding grows, but every change
+  is traceable.
+- **Task is DONE**: the contract locks — a `criteria set` resubmit is rejected
+  with 409. Reopen the task (move it back to in_progress) to change criteria, or
+  use `--human`.
+
+`--human` revisions are allowed in every non-DONE stage. One deletion rule holds
+across all stages: a criterion that already has verification runs is
+**soft-deleted** (kept for audit, runs preserved) rather than hard-deleted; a
+run-free criterion is hard-deleted. Either way, reword rather than delete when
+possible.
 
 ## Scale the contract to the task size
 
@@ -71,8 +91,70 @@ must track the size of the work — it is not a fixed ritual:
     `npx tsx scripts/jest-t.ts '<exact test name>' [test file path]` instead:
     it fails unless ≥1 matching test ran and passed. The optional path scopes
     the run to one file (much faster than name-filtering the whole suite).
+  - **A checkpointer must be instance-independent — never self-comparing.** It
+    is stored once and re-run for the life of the task, so it must not depend on
+    a baseline that shifts under it. The trap is a `vs origin/main`
+    self-comparison ("current file is strictly smaller than origin/main"): it
+    passes pre-merge, but the moment the change merges, every branch cut from
+    main has `current == base` and the check fails forever (LUM-433 c1, fixed in
+    #528). Anchor to a **fixed, absolute target** instead — a literal budget
+    (`byteCount ≤ 9500`), a committed fixture, or a stable named test run through
+    the zero-match guard. A jest-by-name checkpointer likewise rots when its test
+    is renamed or deleted — often by _another_ task's work, so the stored PASS
+    goes stale invisibly. Keep test names stable; `scripts/checkpointer-drift.ts`
+    statically sweeps stored contracts for these zero-match checkpointers
+    (`npx tsx scripts/checkpointer-drift.ts <LUM-N> | --mine`, detection-only).
 - `evidenceRequired: true` marks criteria whose verdict must point at proof
   (a MACHINE PASS always requires evidence regardless of this flag).
+- **Edited a MACHINE checkpointer mid-task? Re-run `lumo verify`.** A prior PASS
+  was recorded against the old command — once you swap the checkpointer (or
+  reword the criterion) that pass goes stale: `lumo task status` / the acceptance
+  tab flag it `⚠ pre-edit version` (LUM-457). The stale pass still counts as met
+  (render-only, doesn't block DONE), but re-verify so the green reflects the
+  current check.
+
+### judgeSteps — agent-drafted judging steps for HUMAN criteria (LUM-465)
+
+A HUMAN criterion is judged by a person, not a checkpointer — so don't hand them
+a bare assertion ("the copy reads naturally") and make them reverse-engineer
+what to do. Attach **`judgeSteps`**: short, human-readable instructions the
+adjudication card renders verbatim (light markdown, URLs are made clickable).
+Structured labour is yours; the human just follows the steps.
+
+**Shape — 1–3 steps, always in this order:**
+
+1. **Where to look** — the exact link or path (a task URL, a tab, a file). Paste
+   the real URL; the card/`lumo task status` render it clickable.
+2. **What to do** — the concrete action ("open the acceptance tab", "read the
+   `judgeSteps` block aloud", "resize to mobile width").
+3. **✓ pass / ✗ send-back** — the decision rule, both directions, so the verdict
+   isn't a coin-flip ("pass if every URL opens; send back if any step is vague").
+
+**One criterion = one judgment point.** If a HUMAN criterion bundles two checks,
+split it — each half gets its own steps. The canonical miss is LUM-397's "additive
+schema **and** self-credit not implemented": those are two assertions; the first
+is even machine-able (below), the second is a separate human read.
+
+**Machine-able → make it MACHINE, don't burn human attention.** Before writing
+`judgeSteps`, ask whether a checkpointer could decide it. "The migration is purely
+additive" → `grep` the `migration.sql` for `DROP`/destructive DDL → MACHINE. "No
+file under `prisma/migrations/` was deleted" → a `git diff` probe → MACHINE.
+Reserve HUMAN + `judgeSteps` for genuine taste/feel/fidelity judgments a check
+can't make.
+
+`judgeSteps` is **optional and non-blocking** — a HUMAN criterion without it still
+submits, but the server returns a soft warning (same channel as the 3–7 count
+warning) and the card shows a "no judging guidance" fallback. It is part of the
+contract: editing it drifts like any other field (`CRITERION_CHANGED` before/after
+carries it), and it survives a statement-only web edit.
+
+```json
+{
+  "statement": "The acceptance tab reads as plain operational instructions, not agent-voice assertions",
+  "verifierType": "HUMAN",
+  "judgeSteps": "Open the task's Acceptance tab (the IN_REVIEW card). For each HUMAN criterion, read its 'How to judge' block. Pass if each one names where to look, what to do, and what counts as pass vs send-back; send back if any reads as a bare assertion with no steps."
+}
+```
 
 ### Invariant (negative-assertion) criteria
 
@@ -155,7 +237,8 @@ it shouldn't_.
   },
   {
     "statement": "The criteria section reads naturally as part of the task statement",
-    "verifierType": "HUMAN"
+    "verifierType": "HUMAN",
+    "judgeSteps": "Open the task's Acceptance tab. Read the contract top to bottom. Pass if it scans as one coherent definition of done; send back if a criterion reads as boilerplate or contradicts another."
   },
   {
     "statement": "Session-start injection shows the contract ahead of memory",
@@ -168,16 +251,24 @@ it shouldn't_.
 
 Fields: `statement` (required, ≤2000 chars), `verifierType` (`"MACHINE"` |
 `"HUMAN"`), `checkpointer` (required for MACHINE), `evidenceRequired`
-(optional, default false), `id` (only in `--human` revisions — see below).
+(optional, default false), `judgeSteps` (optional, ≤2000 chars — agent-drafted
+human-judging steps for a HUMAN criterion; see "judgeSteps" above), `id` (only
+in `--human` revisions — see below).
 
 ## Commands
 
 ### `lumo task criteria set <task> --file <criteria.json>`
 
-Initial agent draft. Creates the whole contract as `AGENT_DRAFT` at round 0.
-Rejected with 409 once **any** criteria exist on the task — the agent lock.
-Echoes the stored criteria (with ids) plus the 3–7 soft-cap warning if
-outside range.
+Agent draft, recorded as `AGENT_DRAFT` at round 0. **Editable until DONE:**
+while `workStartedAt` is unset (task never left TODO) a resubmit replaces the
+whole contract (full-group baseline). Once work has started an agent resubmit
+applies an **identity-preserving diff** — matched by id, with each add/update/
+delete recorded as a `CRITERION_CHANGED` drift event; no 409. The contract locks
+(409) only once the task is **DONE** — reopen it to change criteria, or use
+`--human`. A criterion that already has verification runs is soft-deleted (audit
+trail preserved) rather than hard-deleted; run-free criteria are hard-deleted.
+Echoes the stored criteria (with ids) plus the 3–7 soft-cap warning if outside
+range.
 
 ```bash
 lumo task criteria set LUM-42 --file criteria-lum42.json

package/assets/skill/references/docs.md

@@ -134,7 +134,7 @@ lumo doc show cmd_xxx --section "D 状态表" > sec.md  # one section only (revi
 **`--raw` (LUM-408)** prints the byte-identical markdown source of the last markdown upload — no header, no trailing newline added. The server stores the raw markdown (`sourceMarkdown`) alongside the rendered HTML on every markdown write (`doc create/update --content/--file/stdin`, gdoc import/sync), so `--raw` output IS a legal edit base: `doc show --raw > base.md`, edit, `doc update --file base.md` round-trips losslessly.
 
 - A web-editor (HTML-direct) edit or revision restore **invalidates** the stored source — the doc's markdown source is gone until the next markdown upload.
-- When no source is stored (legacy doc or after an HTML edit), `--raw` **fails with exit 1 and a rebuild hint** — it never silently falls back to the lossy HTML→markdown reverse render (that fallback flattened tables: LUM-349). Rebuild flow: `doc show` (rendered) → reconstruct the markdown faithfully → `doc update --file rebuilt.md` → `--raw` works from then on.
+- When no source is stored (legacy doc or after an HTML edit), `--raw` **fails with exit 1 and a rebuild hint** — it never silently falls back to the lossy HTML→markdown reverse render (that fallback flattened tables: LUM-349). Rebuild flow (LUM-446): run **`lumo doc rebuild-source <doc>`** — it regenerates the source from the stored HTML with a lossless serializer (tables round-trip) and a structure guard, so `--raw` works from then on. (The old manual flow — `doc show` rendered → hand-reconstruct → `doc update --file` — flattened tables and is superseded.)
 - Raw output is verbatim (unsanitized) by design — redirect it to a file rather than reading it in a terminal when the doc's provenance is uncertain.
 
 Note: the markdown rendered by **default-mode** `doc show` is still best-effort (tables flatten). Round-trip via `doc show > tmp.md && doc update --file tmp.md` is NOT a no-op — use `--raw` as the edit base instead.
@@ -143,7 +143,7 @@ Output budget (LUM-428): **default-mode** `doc show` caps the rendered body to t
 
 **`--section <heading>` (LUM-409)** prints just one heading-addressed section of the markdown source — a byte-faithful slice from the heading line through (not including) the next same-or-higher-level heading, subsections included. No header on stdout (the slice is a legal `doc patch` base); the current revision is printed to **stderr** as `Revision: N`. Mutually exclusive with `--raw`.
 
-- Section addressing: pass the heading text (`--section "D 状态表"`), case-insensitive fallback after an exact pass. Prefix with `#…` to pin the level when the same text exists at several depths (`--section "## Status"`).
+- Section addressing: pass the heading text (`--section "D 状态表"`), matched in three tiers — exact, then case-insensitive, then (LUM-447) full-width↔half-width punctuation + whitespace normalization, so a half-width query (`问题(P4)`) lands on a full-width stored heading (`问题（P4）`) and vice-versa without copying the raw bytes. Prefix with `#…` to pin the level when the same text exists at several depths (`--section "## Status"`). Normalization never relaxes the ambiguity guard — if it matches more than one heading you still get the candidate list + exit 1.
 - Missing heading → exit 1 listing the available headings; ambiguous heading → exit 1 with a depth-disambiguation hint.
 - Requires a stored markdown source — same no-fallback rule and rebuild flow as `--raw`.
 - Heading detection is markdown-aware: `#` lines inside fenced code blocks or blockquotes are never section boundaries.
@@ -156,7 +156,7 @@ Use default mode when the user wants to read a doc; use `--raw` whenever the ful
 - Before a `doc patch` — read the section with `--section` first, note the `Revision:` line, edit, patch back with `--if-revision`.
 - User asks "what's the exact source of this doc", or an agent needs a faithful local copy of a live doc.
 - User asks "what's in section X" of a long doc — `--section` avoids pulling the whole body into context.
-- If `--raw`/`--section` errors (no stored source), walk the rebuild flow above instead of editing the rendered output.
+- If `--raw`/`--section` errors (no stored source), run `lumo doc rebuild-source <doc>` to regenerate it losslessly, then retry — don't edit the rendered output.
 
 ### `lumo doc patch <doc> --section <heading>` — replace one section
 
@@ -201,7 +201,7 @@ Inserts the new content at the **end of the addressed section** (just before the
 | `--file <path>`       | string | Content from file (project-local sandbox).                                   |
 | `--if-revision <n>`   | int    | Only apply if the body is still at revision `n`; 409 + retry hint otherwise. |
 
-Same concurrency contract as `doc patch` (always a conditional commit; 409 on conflict). Requires a stored markdown source.
+Same concurrency contract as `doc patch` (always a conditional commit; 409 on conflict). **End-of-document append (no `--section`) does NOT require a stored markdown source** (LUM-444): when the source is missing (web HTML edit / revision restore / legacy doc) it renders the new block to HTML and concatenates it onto the stored HTML body — so one web operation can no longer lock the whole doc against the agent write path. The source stays null (the doc is still HTML-only afterward; `--raw`/`--section`/`doc patch` keep erroring with the rebuild hint). **Section-addressed append (`--section`) still requires a stored source** — it needs the markdown to locate the heading boundary.
 
 ```bash
 lumo doc append cmd_xxx --section "F 待办队列" --content "- [ ] 评估 XYZ 论文"
@@ -234,6 +234,29 @@ lumo doc diff cmd_xxx --file docs/live-docs/research-intake-ledger.md
 - When a repo-tracked markdown source (e.g. `docs/live-docs/`) and the live doc may have drifted and the user asks which is current.
 - After a suspected concurrent edit: a clean diff (exit 0) proves remote and local are in sync.
 
+### `lumo doc rebuild-source <doc>` — regenerate the markdown source from the HTML body
+
+The **recovery path for a source-less doc** (LUM-446). When a doc has no stored `sourceMarkdown` — a web HTML-direct edit or revision restore nulled it, or the doc predates source storage — every markdown write path (`--raw`, `--section`, `doc patch`, `doc append --section`, `doc diff`) is locked. This regenerates a valid source by serializing the **stored HTML structure model** back to markdown with a **lossless serializer that round-trips tables/rows/headings** (the default `doc show` render flattens tables — LUM-349 — so it was never a safe rebuild base). Only the `sourceMarkdown` column is backfilled; the rendered body is untouched, so the doc reads identically and you just regain the edit base.
+
+| Flag                | Type    | Notes                                                                                                                    |
+| ------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------ |
+| `--allow-shrink`    | boolean | Commit even if the rebuilt source re-renders with fewer tables/rows/headings than the stored body (default: 422 reject). |
+| `--force`           | boolean | Re-derive even when a source already exists (default: 409 — protects a byte-faithful human source from a downgrade).     |
+| `--if-revision <n>` | int     | Only apply if the body is still at this revision (from `doc show`).                                                      |
+
+The rebuild is **structure-guarded** (the same LUM-410 口径 as `doc update`/`doc patch`): if the serializer would drop any table/row/heading, it is rejected with **422** rather than silently committing a flattened source — `--allow-shrink` is the explicit escape hatch. A doc that already has a source is refused **409** unless `--force`.
+
+```bash
+lumo doc rebuild-source cmd_xxx          # restore a source-less doc; --raw works after
+lumo doc rebuild-source cmd_xxx --force  # re-derive even if a source already exists
+```
+
+### When to suggest `doc rebuild-source`
+
+- A `--raw` / `--section` / `doc patch` / `doc diff` call errored with "no stored markdown source" — rebuild, then retry. This is the first thing to try, not a manual reconstruction.
+- A table-heavy live doc (e.g. a `docs/live-docs/` registry) lost its source after a web operation and the markdown write path is locked.
+- Do **not** run it on a doc that already has a good source unless the user explicitly wants to re-derive it (then pass `--force`) — it replaces the byte-faithful source with a serializer-derived one.
+
 ### `lumo doc list [flags]` — list documents
 
 Default behavior: lists every document the current user can see, as fixed-width rows: `<cuid>  <SCOPE>  <project|->  <title>`.

package/assets/skill/references/sessions.md

@@ -44,6 +44,7 @@ Attribution requires the CC session id to reach the server: `lumo task update <i
 When the bound task has live blockers or SUGGESTED dependency candidates, the attach output and session-start hook context inject a dependency warning block. The warning is built by `buildBlockerWarningSectionForTask` and is **omitted entirely** (empty string) when nothing is actionable — no output appears when there are no live blockers and no SUGGESTED candidates.
 
 **Trigger conditions (OR — either or both may appear):**
+
 1. At least one CONFIRMED "blocked by" edge where the blocking task's status is not DONE.
 2. At least one SUGGESTED (unconfirmed) dependency candidate on the task.
 
@@ -74,6 +75,7 @@ Detected 3 candidate dependencies awaiting confirmation: run `lumo task deps lis
 - The function never throws — if it fails it silently returns an empty string, leaving the session start unaffected.
 
 **Agent guidance — watch for EITHER the `## ⚠ Dependency alerts` header (form A) OR the standalone hint line (form B):**
+
 - **Form A — live blockers:** Evaluate whether to wait. If the blocking task's work overlaps with yours (same files, same API surface), starting immediately risks rework. Read the blocker's status and open PR note before deciding.
 - **Stale or wrong edge?** Run `lumo task deps list <LUM-N>` to inspect the full edge list, then `lumo task deps rm <LUM-N> <edge> --yes` (if manually added and now obsolete) or `lumo task deps dismiss <LUM-N> <edge>` (if a false positive from detection).
 - **Candidate hint present (form A or B)?** Run `lumo task deps list <LUM-N>` and review each SUGGESTED edge — confirm real ones, dismiss false positives. Leaving SUGGESTED edges unreviewed means repeated hints every session.
@@ -97,20 +99,17 @@ What it does:
 
 **After attaching, always run `lumo task context <identifier>` to load the task background.**
 
-#### Overwriting an existing binding (LUM-266)
+#### Lifetime lock (LUM-459)
 
-Re-attaching a session that's already bound to a **different** task no longer silently clobbers the binding. The server returns the current binding instead of overwriting, and the CLI decides what to do:
+`Session.taskId` is **write-once**. Re-attaching to the **same** task is always a no-op re-bind (idempotent, re-emits context). Attaching to a **different** task is refused with HTTP 409 — the server returns `{ error, currentTaskIdentifier, currentTaskTitle }` and the CLI prints:
 
-- **On a TTY** (a human running it directly): prompts `Already bound to LUM-X. Rebind to LUM-Y? [y/N]`. Answering `y`/`yes` re-binds to `LUM-Y`; anything else (including bare Enter) cancels and leaves `LUM-X` bound.
-- **Off a TTY** (the usual agent case — `stdin` is not interactive): the command **refuses** and prints `Session already bound to LUM-X … Re-run with --force …` without overwriting. Exit code is `0` (a safe refusal, not an error).
-- **`--force`**: skips the prompt/refusal and overwrites unconditionally. Re-attaching to the **same** task is always a no-op re-bind (never prompts).
-
-```bash
-lumo session attach LUM-42            # already on LUM-7 → prompts (TTY) / refuses (agent)
-lumo session attach LUM-42 --force    # overwrite without confirmation
 ```
+Error: this session is permanently bound to LUM-7 "Other task". A session works one task for its lifetime — start a new Claude Code session to work on LUM-42.
+```
+
+There is no `--force` and no `session detach`. To work on a different task, open a new terminal / Claude Code session and run `lumo session attach <new-task>` there.
 
-**Agent guidance:** when `session attach` reports the session is already bound to a different task, **ask the user** whether to switch before re-running with `--force`. Don't auto-`--force` — the existing binding may be intentional (e.g. a manual attach the user ran earlier). Alternatively run `lumo session detach` first, then a clean `session attach`.
+**Agent guidance:** if `session attach` returns 409, do not retry or look for a workaround — start a fresh Claude Code session for the target task.
 
 ### Parallel sessions
 
@@ -126,16 +125,6 @@ lumo session status
 
 When to suggest: the user asks "which task am I on", "what's this session bound to", or you need to decide whether to suggest `session attach` for a mentioned task ID.
 
-### `lumo session detach` — clear the current binding
-
-Idempotent — running it twice is fine, the second call reports `already unbound`. Past hook events keep their original `taskId`; only future events on this session will be untagged.
-
-```bash
-lumo session detach
-```
-
-When to suggest: the user wants to stop tagging the current session with the active task (e.g., switching to unrelated exploratory work without binding to a different task).
-
 ### `lumo session wrap [--yes] [--dry-run] [--used <indices>]` — wrap-up panel: progress comment + memory review + fragment-usage vote + blocked-tag prompt
 
 Session-end wrap-up panel with **four sections, run in order**:
@@ -188,6 +177,17 @@ shared board requires an interactive `y`, so `--yes` (and non-TTY) prints the
 suggestion and moves on rather than silently flipping board state. When there's
 nothing to prompt, the section prints "(no content)".
 
+**After the panel — open-crossings reminder (LUM-448).** Once the four sections
+finish, `session wrap` prints a one-shot read-only reminder **if** the bound
+task has ≥1 OPEN (undispositioned) boundary crossing: `⚠ N open boundary
+crossing(s) on LUM-N still undispositioned:` then a line per crossing `• [SEVERITY]
+CATEGORY` and a web pointer. When there are none — or the session is unbound —
+it prints **nothing** (truly silent, not a "(no content)" line), so a clean task
+adds no wrap-up noise. **Awareness only:** it points at the web acceptance panel;
+there is **no CLI path** to disposition or clear a crossing. Disposition stays
+web + human-only (LUM-426/435/422) — an agent/CLI bearer cannot clear its own
+crossing from the terminal.
+
 ```bash
 lumo session wrap                  # interactive: preview each section, choose per-section
 lumo session wrap --yes            # progress posted + memories kept; blocked tag NOT auto-applied (needs interactive y)
@@ -218,8 +218,3 @@ see the numbered fragment list, decide which you actually used, then re-run with
 When to suggest: at the end of a working session on a bound task, to record what
 was done as a progress comment — offer `lumo session wrap` rather than composing
 a `task comment` by hand.
-
-### When to suggest session binding
-
-- If the user mentions a task ID (e.g., "let's work on LUM-42") and no session is currently bound, **suggest running `lumo session attach`**.
-- If the user switches tasks mid-session, run `attach` with the new task ID — the server overwrites the existing binding atomically.

package/assets/skill/references/verify.md

@@ -129,6 +129,13 @@ what's unmet and why (the exact failure tails), and how many rounds are left.
 statement` (✓ latest verdict passed / ✗ failed / ○ no verdict yet) with its
   checkpointer and latest verdict line (evidence pointer on pass, failure
   tail on fail). `REVIEW_ADDED@rN` provenance is visible per row.
+  - A pass can carry a **`⚠ pre-edit version`** note (LUM-457): the criterion
+    was changed after that verdict (reworded, or its checkpointer was swapped so
+    the recorded evidence ran a different command). The pass still counts as met
+    (a stale pass does not block DONE — render-only signal), but it vouches for
+    an older version — **re-run `lumo verify` to re-confirm against the current
+    criterion.** This is the habit whenever you edit a MACHINE criterion's
+    checkpointer mid-task: change the check, then re-verify so the green is honest.
 - **History** — one line per recorded round: `rN · timestamp · X PASS / Y FAIL`.
 - **Last round failures** — the most recent round's FAIL verdicts with their
   rejection reasons (why the last round bounced).
@@ -136,12 +143,30 @@ statement` (✓ latest verdict passed / ✗ failed / ○ no verdict yet) with it
   failed or never verified, HUMAN ones included). This list IS the plan —
   it is recomputed from the event log on every read, never maintained
   separately. Empty + rounds recorded = awaiting human adjudication.
+- **Open boundary crossings** (LUM-448) — a trailing safety block when the
+  task has ≥1 OPEN (undispositioned) forbidden-action crossing: a count, then
+  one line per crossing `• [SEVERITY] CATEGORY — <clipped detail>`
+  (highest-severity first), each followed by a read-only **attribution** line
+  `↳ by model=<m> · agent=<type>[/branch] · session=<8-char prefix>` (LUM-469 —
+  who/what crossed; any dimension that couldn't be resolved server-side prints
+  `unknown`, never a fabricated value), then a pointer to the web acceptance
+  panel. Silent when there are none, so it never overshadows the criteria.
+  **Read-only awareness** — this surfaces crossings detected elsewhere
+  (LUM-426/435/442); there is no CLI path to disposition or clear one.
+  Disposition stays web + human-only (LUM-426/435/422): an agent/CLI bearer
+  cannot clear its own crossing from the terminal.
 
 ### --json contract
 
 `--json` emits the full read model with a top-level `version` field
 (currently `1`). The schema is versioned: breaking shape changes bump the
 major; additive fields don't. Pin on `version` when scripting against it.
+The open boundary crossings ride along as an additive top-level
+`openCrossings[]` (each `{ id, category, severity, detail, attribution }`,
+where `attribution` is `{ workspaceMemberId, sessionId, agent, worktreeBranch,
+model }` with every field nullable — null = unknown, never fabricated; LUM-469;
+the array length is the count; empty when none) — same read-only awareness, no
+write path.
 
 `status` reads; `verify` judges. Running status never starts a round, never
 escalates, and never changes task state — loop rules (cap 3, IN_REVIEW on

package/dist/cli/src/commands/doc-rebuild-source.js

@@ -0,0 +1,86 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.docRebuildSource = docRebuildSource;
+const config_1 = require("../lib/config");
+const api_1 = require("../lib/api");
+const resolve_doc_id_1 = require("../lib/resolve-doc-id");
+const sanitize_1 = require("../lib/sanitize");
+/**
+ * `lumo doc rebuild-source <doc>` (LUM-446).
+ *
+ * Recovery path for a source-less doc: regenerates `Document.sourceMarkdown`
+ * from the stored HTML body using the lossless serializer (tables round-trip),
+ * re-enabling `doc show --raw` / `diff` / `patch` / `append`. The rebuilt source
+ * is structure-guarded server-side: any table/tr/heading shrink is rejected 422
+ * (zero silent flattening — LUM-410 口径) unless --allow-shrink is passed. A doc
+ * that already has a source is refused 409 unless --force re-derives it.
+ */
+async function docRebuildSource(reference, opts) {
+    if (!reference) {
+        console.error('Error: missing <doc>. Usage: lumo doc rebuild-source <doc> [--allow-shrink] [--force] [--if-revision <n>]');
+        return 1;
+    }
+    let ifRevision;
+    if (opts.ifRevision !== undefined) {
+        if (!/^\d+$/.test(opts.ifRevision)) {
+            console.error(`Error: --if-revision must be a non-negative integer (got "${opts.ifRevision}")`);
+            return 1;
+        }
+        ifRevision = Number(opts.ifRevision);
+    }
+    const creds = (0, config_1.readCredentials)();
+    if (!creds) {
+        console.error('Error: not logged in. Run `lumo auth login` first.');
+        return 1;
+    }
+    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
+    const id = await (0, resolve_doc_id_1.lookupDocId)(apiUrl, creds.token, reference);
+    if (!id) {
+        console.error(`Error: Document not found: ${reference}`);
+        return 1;
+    }
+    const body = {};
+    if (opts.allowShrink)
+        body.allowShrink = true;
+    if (opts.force)
+        body.force = true;
+    if (ifRevision !== undefined)
+        body.ifRevision = ifRevision;
+    const res = await fetch(`${(0, api_1.trimTrailingSlash)(apiUrl)}/api/documents/${id}/rebuild-source`, {
+        method: 'POST',
+        headers: {
+            Authorization: `Bearer ${creds.token}`,
+            'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(body),
+    });
+    if (!res.ok) {
+        const text = await res.text();
+        const message = (0, api_1.extractErrorMessage)(text);
+        if (res.status === 409) {
+            console.error(`Error: ${(0, sanitize_1.sanitizeField)(message)}`);
+            console.error('Hint: the doc already has a markdown source. Inspect it with ' +
+                `\`lumo doc show ${reference} --raw\`; pass --force only if you intend ` +
+                'to replace it with a freshly serialized one.');
+            return 1;
+        }
+        if (res.status === 422) {
+            // Structure guard rejection (LUM-410): the serializer would drop
+            // structure the stored body has — refuse rather than commit a flattened
+            // source.
+            console.error(`Error: ${(0, sanitize_1.sanitizeField)(message)}`);
+            console.error('Hint: this means the rebuild could not reproduce the stored structure ' +
+                'losslessly. Re-run with --allow-shrink only if the loss is acceptable.');
+            return 1;
+        }
+        console.error(`Error: ${res.status} ${res.statusText}: ${(0, sanitize_1.sanitizeField)(message)}`);
+        return 1;
+    }
+    const { document } = (await res.json());
+    const escaped = (0, sanitize_1.sanitizeField)(document.title).replace(/"/g, '\\"');
+    const bytes = typeof document.sourceBytes === 'number'
+        ? ` (${document.sourceBytes} bytes)`
+        : '';
+    console.log(`Rebuilt markdown source for ${document.id} "${escaped}"${bytes}. ` +
+        `\`lumo doc show ${document.id} --raw\` now works.`);
+}

package/dist/cli/src/commands/session-attach.js

@@ -4,26 +4,20 @@ exports.sessionAttach = sessionAttach;
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const sanitize_1 = require("../lib/sanitize");
-const line_prompt_1 = require("../lib/line-prompt");
 /**
  * `lumo session attach <identifier>` — bind the currently-running
  * Claude Code session to a task.
  *
  * Required environment: `CLAUDE_CODE_SESSION_ID` (set automatically by
- * Claude Code). Must be invoked from inside a Claude Code session — there
- * is no longer a global "current task" pointer for terminals outside CC.
+ * Claude Code). Must be invoked from inside a Claude Code session.
  *
- * The binding lives entirely on the server (`Session.taskId`); subsequent
- * hooks read it back via the session row. The CLI keeps no local sentinel.
- *
- * Re-binding a session that's already attached to a *different* task no
- * longer silently clobbers `Session.taskId` (LUM-266): the server returns
- * the current binding and we confirm before overwriting —
- *   - `--force` skips the prompt and overwrites directly;
- *   - on a TTY we ask `Already bound to LUM-X. Rebind to LUM-Y? [y/N]`;
- *   - off a TTY (the usual agent case) we refuse and point at `--force`.
+ * The binding is a **lifetime lock** (LUM-459): `Session.taskId` is write-once.
+ * Re-attaching to the *same* task is an idempotent no-op (re-emits context).
+ * Attaching to a *different* task is refused with HTTP 409 — there is no
+ * `--force` and no `session detach`; a different task requires a brand-new
+ * Claude Code session.
  */
-async function sessionAttach(identifier, options = {}) {
+async function sessionAttach(identifier) {
     if (!identifier) {
         console.error('Error: missing <identifier>. Usage: lumo session attach <LUM-42>');
         return 1;
@@ -41,75 +35,63 @@ async function sessionAttach(identifier, options = {}) {
     }
     const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/sessions/${encodeURIComponent(sessionId)}/bind-task`;
-    const bind = async (force) => {
-        let res;
+    let res;
+    try {
+        res = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${creds.token}`,
+            },
+            body: JSON.stringify({ taskIdentifier: identifier }),
+        });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Error: could not reach Lumo API at ${apiUrl} (${msg})`);
+        return 1;
+    }
+    if (res.status === 401) {
+        console.error('Error: API key invalid or revoked. Run `lumo auth login`.');
+        return 1;
+    }
+    if (res.status === 404) {
+        let message = 'Not found';
         try {
-            res = await fetch(url, {
-                method: 'POST',
-                headers: {
-                    'Content-Type': 'application/json',
-                    Authorization: `Bearer ${creds.token}`,
-                },
-                body: JSON.stringify({ taskIdentifier: identifier, force }),
-            });
-        }
-        catch (err) {
-            const msg = err instanceof Error ? err.message : String(err);
-            console.error(`Error: could not reach Lumo API at ${apiUrl} (${msg})`);
-            return { ok: false, code: 1 };
+            const data = (await res.json());
+            if (data.error)
+                message = data.error;
         }
-        if (res.status === 401) {
-            console.error('Error: API key invalid or revoked. Run `lumo auth login`.');
-            return { ok: false, code: 1 };
+        catch {
+            // fall through
         }
-        if (res.status === 404) {
-            let message = 'Not found';
-            try {
-                const data = (await res.json());
-                if (data.error)
-                    message = data.error;
-            }
-            catch {
-                // fall through
+        console.error(`Error: ${(0, sanitize_1.sanitizeField)(message)}`);
+        return 1;
+    }
+    // Lifetime lock (LUM-459): the session is permanently bound to another task.
+    if (res.status === 409) {
+        let current = 'another task';
+        try {
+            const data = (await res.json());
+            if (data.currentTaskIdentifier) {
+                current = data.currentTaskTitle
+                    ? `${data.currentTaskIdentifier} "${(0, sanitize_1.sanitizeField)(data.currentTaskTitle)}"`
+                    : data.currentTaskIdentifier;
             }
-            console.error(`Error: ${(0, sanitize_1.sanitizeField)(message)}`);
-            return { ok: false, code: 1 };
         }
-        if (!res.ok) {
-            console.error(`Error: bind-task failed (HTTP ${res.status})`);
-            return { ok: false, code: 1 };
+        catch {
+            // fall through with the generic phrasing
         }
-        return { ok: true, body: (await res.json()) };
-    };
-    // First attempt. `--force` overwrites unconditionally; otherwise the server
-    // may answer `already-bound` so we can confirm before clobbering.
-    const first = await bind(options.force === true);
-    if (!first.ok)
-        return first.code;
-    let body = first.body;
-    if (body.status === 'already-bound') {
-        // Reached only when not forced (force=true would have overwritten).
-        if (!process.stdin.isTTY) {
-            console.error(`Session already bound to ${body.currentTaskIdentifier} "${(0, sanitize_1.sanitizeField)(body.currentTaskTitle)}". ` +
-                `Not overwriting. Re-run with --force to switch to ${identifier} ` +
-                '(or run `lumo session detach` first).');
-            return 0;
-        }
-        const answer = await (0, line_prompt_1.promptLine)(`Already bound to ${body.currentTaskIdentifier}. Rebind to ${identifier}? [y/N] `);
-        if (!/^y(es)?$/i.test(answer)) {
-            console.log(`Cancelled — still bound to ${body.currentTaskIdentifier}.`);
-            return 0;
-        }
-        const second = await bind(true);
-        if (!second.ok)
-            return second.code;
-        body = second.body;
+        console.error(`Error: this session is permanently bound to ${current}. ` +
+            'A session works one task for its lifetime — start a new Claude Code ' +
+            `session to work on ${identifier}.`);
+        return 1;
     }
-    if (body.status === 'already-bound') {
-        // Defensive: a forced bind should never report already-bound.
-        console.error(`Error: bind did not take effect (still bound to ${body.currentTaskIdentifier}).`);
+    if (!res.ok) {
+        console.error(`Error: bind-task failed (HTTP ${res.status})`);
         return 1;
     }
+    const body = (await res.json());
     console.log(`Attached session ${sessionId} to ${body.taskIdentifier} "${(0, sanitize_1.sanitizeField)(body.taskTitle)}"`);
     console.log(`Re-tagged ${body.retaggedEventCount} previously-untagged event${body.retaggedEventCount === 1 ? '' : 's'} in this session.`);
     // Warnings come before contract/memory: matches the hook injection order —

package/dist/cli/src/commands/session-wrap.js

@@ -7,6 +7,7 @@ const progress_comment_section_1 = require("./wrap/progress-comment-section");
 const memory_review_section_1 = require("./wrap/memory-review-section");
 const fragment_usage_section_1 = require("./wrap/fragment-usage-section");
 const blocked_prompt_section_1 = require("./wrap/blocked-prompt-section");
+const crossings_reminder_1 = require("./wrap/crossings-reminder");
 /**
  * `lumo session wrap [--yes] [--dry-run]`
  *
@@ -40,4 +41,11 @@ async function sessionWrap(options) {
         yes: options.yes === true,
         dryRun: options.dryRun === true,
     });
+    // After the panel: a read-only nudge if the bound task has open boundary
+    // crossings still undispositioned (LUM-448). Silent when there are none —
+    // a clean task adds no wrap-up noise. Awareness only; clearing a crossing is
+    // web + human-only (LUM-426/435/422).
+    const reminder = await (0, crossings_reminder_1.openCrossingReminder)(creds);
+    if (reminder)
+        process.stdout.write(reminder);
 }

package/dist/cli/src/commands/task-criteria-list.js

@@ -20,6 +20,12 @@ function formatCriteriaRows(criteria) {
         if (c.checkpointer) {
             lines.push(`  ↳ check: ${(0, sanitize_1.sanitizeField)(c.checkpointer)}`);
         }
+        if (c.judgeSteps) {
+            const judgeLines = (0, sanitize_1.sanitizeField)(c.judgeSteps).split('\n');
+            lines.push(`  ↳ judge: ${judgeLines[0]}`);
+            for (const jl of judgeLines.slice(1))
+                lines.push(`           ${jl}`);
+        }
     }
     return lines.length > 0 ? lines.join('\n') + '\n' : '';
 }

package/dist/cli/src/commands/task-criteria-set.js

@@ -104,6 +104,31 @@ async function taskCriteriaSet(identifier, options) {
     const sessionId = process.env.CLAUDE_CODE_SESSION_ID;
     if (sessionId)
         headers['X-Lumo-Session-Id'] = sessionId;
+    // LUM-437: when a contract already exists, preserve criterion identity across
+    // an after-start edit by matching submitted items to existing criteria by exact
+    // statement and attaching their ids. Best-effort — fall back to id-less submit.
+    let criteriaItems = parsed.items;
+    if (!options.human) {
+        try {
+            const listRes = await fetch(`${base}/api/tasks/${encodeURIComponent(identifier)}/criteria`, { headers: { Authorization: `Bearer ${creds.token}` } });
+            if (listRes.ok) {
+                const listData = (await listRes.json());
+                const activeByStatement = new Map(listData.criteria.map(c => [c.statement, c.id]));
+                criteriaItems = parsed.items.map(item => {
+                    if (item !== null && typeof item === 'object' && !('id' in item)) {
+                        const stmt = item['statement'];
+                        if (typeof stmt === 'string' && activeByStatement.has(stmt)) {
+                            return { ...item, id: activeByStatement.get(stmt) };
+                        }
+                    }
+                    return item;
+                });
+            }
+        }
+        catch {
+            // leave criteriaItems as-is; the server still records via full diff
+        }
+    }
     let res;
     try {
         res = await fetch(`${base}/api/tasks/${encodeURIComponent(identifier)}/criteria`, {
@@ -111,7 +136,7 @@ async function taskCriteriaSet(identifier, options) {
             headers,
             body: JSON.stringify({
                 source: options.human ? 'HUMAN_EDIT' : 'AGENT_DRAFT',
-                criteria: parsed.items,
+                criteria: criteriaItems,
                 ...(causeTag ? { causeTag } : {}),
             }),
         });
@@ -143,4 +168,7 @@ async function taskCriteriaSet(identifier, options) {
     if (data.warning) {
         process.stdout.write(`⚠ ${(0, sanitize_1.sanitizeField)(data.warning)}\n`);
     }
+    if (data.judgeStepsWarning) {
+        process.stdout.write(`⚠ ${(0, sanitize_1.sanitizeField)(data.judgeStepsWarning)}\n`);
+    }
 }

package/dist/cli/src/commands/task-status.js

@@ -6,6 +6,17 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const resolve_bound_task_1 = require("../lib/resolve-bound-task");
 const sanitize_1 = require("../lib/sanitize");
+const open_crossings_1 = require("../lib/open-crossings");
+/** One-line a possibly-multiline crossing detail and cap it so the safety block
+ *  stays a glance, never a wall (it must not overshadow the criteria). */
+const CROSSING_DETAIL_CAP = 160;
+function oneLineDetail(detail) {
+    const firstLine = detail.split('\n')[0] ?? '';
+    const clean = (0, sanitize_1.sanitizeField)(firstLine).trim();
+    return clean.length > CROSSING_DETAIL_CAP
+        ? `${clean.slice(0, CROSSING_DETAIL_CAP)}…`
+        : clean;
+}
 const REASON_TAIL = 400;
 function tail(s, max) {
     return s.length > max ? `…${s.slice(-max)}` : s;
@@ -16,7 +27,7 @@ function tail(s, max) {
  * glyph in front — ✓ pass, ✗ fail, ○ no verdict yet — so REVIEW_ADDED
  * provenance stays explicitly visible in every row.
  */
-function formatTaskStatus(data) {
+function formatTaskStatus(data, extras = {}) {
     const lines = [];
     const t = data.task;
     lines.push(`${t.identifier}  ${(0, sanitize_1.sanitizeField)(t.title)}`);
@@ -30,6 +41,7 @@ function formatTaskStatus(data) {
     if (data.criteria.length === 0) {
         lines.push('');
         lines.push(`No acceptance criteria on ${t.identifier} — draft 3–7 and submit with lumo task criteria set ${t.identifier} --file <criteria.json>`);
+        pushOpenCrossings(lines, extras);
         return lines.join('\n') + '\n';
     }
     lines.push('');
@@ -46,6 +58,15 @@ function formatTaskStatus(data) {
         if (c.checkpointer) {
             lines.push(`      ↳ check: ${(0, sanitize_1.sanitizeField)(c.checkpointer)}`);
         }
+        // LUM-465: agent-drafted human-judging guidance, rendered as an indented
+        // block under a HUMAN criterion (multi-line steps stay aligned).
+        if (c.judgeSteps) {
+            const judgeLines = (0, sanitize_1.sanitizeField)(c.judgeSteps).split('\n');
+            lines.push(`      ↳ judge: ${judgeLines[0]}`);
+            for (const jl of judgeLines.slice(1)) {
+                lines.push(`              ${jl}`);
+            }
+        }
         const v = c.latestVerdict;
         if (v == null) {
             lines.push('      (no verdict yet)');
@@ -61,6 +82,11 @@ function formatTaskStatus(data) {
                 ? ` · ${(0, sanitize_1.sanitizeField)(v.evidencePointer)}`
                 : '';
             lines.push(`      ✓ ${v.verdict}@r${v.round}${evidencePart}`);
+            // LUM-457: a pass that vouches for a pre-edit version of the criterion —
+            // render-only downgrade, the criterion still counts met.
+            if (c.verdictStale || c.checkMismatch) {
+                lines.push('      ⚠ pre-edit version — criterion changed since this check; re-run `lumo verify` to re-confirm');
+            }
         }
     }
     if (data.verificationHistory.length > 0) {
@@ -108,8 +134,50 @@ function formatTaskStatus(data) {
                 : 'Remaining criteria are HUMAN-only — finish the work and hand off for human review.');
         }
     }
+    pushOpenCrossings(lines, extras);
     return lines.join('\n') + '\n';
 }
+/**
+ * Append the OPEN boundary-crossings safety block (LUM-448) — a count, one line
+ * per crossing with its severity + category + clipped detail, and a pointer to
+ * the human-only web disposition panel. Trailing (after the criteria) and
+ * silent when there are none, so it never overshadows the acceptance contract.
+ * Read-only awareness: the line points at the web UI; it offers no way to clear
+ * a crossing from the terminal (LUM-426/435/422).
+ */
+function pushOpenCrossings(lines, extras) {
+    const open = extras.openCrossings ?? [];
+    if (open.length === 0)
+        return;
+    lines.push('');
+    lines.push(`⚠ Open boundary crossings (${open.length} undispositioned):`);
+    for (const c of open) {
+        const detail = oneLineDetail(c.detail);
+        const tail = detail ? ` — ${detail}` : '';
+        lines.push(`  • [${c.severity}] ${(0, sanitize_1.sanitizeField)(c.category)}${tail}`);
+        lines.push(`    ${formatAttribution(c.attribution)}`);
+    }
+    lines.push('  Disposition is human-only in the web acceptance panel:');
+    if (extras.dispositionUrl) {
+        lines.push(`    ${extras.dispositionUrl}`);
+    }
+}
+/**
+ * Compact attribution line for an open crossing (LUM-469): which model + which
+ * agent/session committed it, so a reviewer can audit who/what crossed from the
+ * terminal. Every dimension that the server couldn't resolve renders `unknown`
+ * — never a fabricated value. The session UUID is clipped to a correlatable
+ * prefix; the worktree branch (which branch) is appended to the agent when known.
+ */
+function formatAttribution(a) {
+    const agent = a.agent
+        ? a.worktreeBranch
+            ? `${a.agent}/${a.worktreeBranch}`
+            : a.agent
+        : 'unknown';
+    const session = a.sessionId ? a.sessionId.slice(0, 8) : 'unknown';
+    return `↳ by model=${a.model ?? 'unknown'} · agent=${agent} · session=${session}`;
+}
 /**
  * `lumo task status [task] [--json]` — the agent's read-only self-check
  * (LUM-344): contract + latest verdicts + verification history + next
@@ -126,8 +194,7 @@ async function taskStatus(identifier, options = {}) {
     const base = (0, api_1.trimTrailingSlash)((0, api_1.resolveAuthedApiUrl)(creds.apiUrl));
     let taskId = identifier;
     if (!taskId) {
-        taskId =
-            (await (0, resolve_bound_task_1.resolveBoundTaskIdentifier)(base, creds.token)) ?? undefined;
+        taskId = (await (0, resolve_bound_task_1.resolveBoundTaskIdentifier)(base, creds.token)) ?? undefined;
         if (!taskId) {
             console.error('Error: no task given and this session is not bound to one.\n' +
                 'Run `lumo task status <LUM-N>`, or bind first with `lumo session attach <LUM-N>`.');
@@ -156,11 +223,21 @@ async function taskStatus(identifier, options = {}) {
         return 1;
     }
     const data = (await res.json());
+    // Read-only awareness (LUM-448): surface the task's OPEN boundary crossings
+    // via the existing LUM-435 endpoint. Best-effort — fetchOpenCrossings already
+    // swallows failures to an empty list, so this supplementary safety signal can
+    // never block the primary acceptance status. The resolved taskId (the
+    // identifier the status was fetched for) is the key here.
+    const openCrossings = await (0, open_crossings_1.fetchOpenCrossings)(base, creds.token, taskId);
     if (options.json) {
         // JSON.stringify escapes control chars (…), so the payload is safe
         // to emit raw — and consumers get byte-faithful server data.
-        process.stdout.write(JSON.stringify(data, null, 2) + '\n');
+        // The open crossings ride alongside as an additive field (count = length).
+        process.stdout.write(JSON.stringify({ ...data, openCrossings }, null, 2) + '\n');
         return;
     }
-    process.stdout.write(formatTaskStatus(data));
+    process.stdout.write(formatTaskStatus(data, {
+        openCrossings,
+        dispositionUrl: (0, open_crossings_1.dispositionUrl)(base, creds.workspaceSlug ?? 'lumo', data.task.identifier),
+    }));
 }

package/dist/cli/src/commands/wrap/crossings-reminder.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatCrossingReminder = formatCrossingReminder;
+exports.openCrossingReminder = openCrossingReminder;
+const resolve_bound_task_1 = require("../../lib/resolve-bound-task");
+const sanitize_1 = require("../../lib/sanitize");
+const open_crossings_1 = require("../../lib/open-crossings");
+/**
+ * Build the wrap-up reminder for a task's OPEN boundary crossings (LUM-448).
+ * Returns the reminder string when there is ≥1 open crossing, and `null` when
+ * there are none — the caller prints nothing on null, so a clean task makes NO
+ * noise at wrap time. Read-only awareness: the reminder points at the
+ * human-only web disposition panel and offers no way to clear a crossing from
+ * the terminal (LUM-426/435/422).
+ */
+function formatCrossingReminder(taskIdentifier, open, url) {
+    if (open.length === 0)
+        return null;
+    const n = open.length;
+    const lines = [
+        `⚠ ${n} open boundary crossing${n === 1 ? '' : 's'} on ${taskIdentifier} still undispositioned:`,
+    ];
+    for (const c of open) {
+        lines.push(`  • [${c.severity}] ${(0, sanitize_1.sanitizeField)(c.category)}`);
+    }
+    lines.push(`  Review & disposition (web + human-only): ${url}`);
+    return lines.join('\n') + '\n';
+}
+/**
+ * Resolve the session's bound task and surface its OPEN boundary crossings as a
+ * wrap-up reminder (LUM-448), or `null` when the session is unbound or nothing
+ * is open. Pure read — `fetchOpenCrossings` hits only the LUM-435 GET endpoint
+ * and there is no disposition write path here.
+ */
+async function openCrossingReminder(creds) {
+    const taskIdentifier = await (0, resolve_bound_task_1.resolveBoundTaskIdentifier)(creds.apiUrl, creds.token);
+    if (!taskIdentifier)
+        return null;
+    const open = await (0, open_crossings_1.fetchOpenCrossings)(creds.apiUrl, creds.token, taskIdentifier);
+    return formatCrossingReminder(taskIdentifier, open, (0, open_crossings_1.dispositionUrl)(creds.apiUrl, creds.workspaceSlug, taskIdentifier));
+}

package/dist/cli/src/index.js

@@ -44,7 +44,6 @@ const auth_logout_1 = require("./commands/auth-logout");
 const whoami_1 = require("./commands/whoami");
 const hook_1 = require("./commands/hook");
 const session_attach_1 = require("./commands/session-attach");
-const session_detach_1 = require("./commands/session-detach");
 const session_status_1 = require("./commands/session-status");
 const session_wrap_1 = require("./commands/session-wrap");
 const next_1 = require("./commands/next");
@@ -110,6 +109,7 @@ const doc_sync_1 = require("./commands/doc-sync");
 const doc_update_1 = require("./commands/doc-update");
 const doc_show_1 = require("./commands/doc-show");
 const doc_diff_1 = require("./commands/doc-diff");
+const doc_rebuild_source_1 = require("./commands/doc-rebuild-source");
 const doc_section_edit_1 = require("./commands/doc-section-edit");
 const doc_list_1 = require("./commands/doc-list");
 const doc_delete_1 = require("./commands/doc-delete");
@@ -239,17 +239,12 @@ const session = program
     .description('Manage per-terminal coding-session context');
 session
     .command('attach <identifier>')
-    .description('Attach the currently-running Claude Code session (CLAUDE_CODE_SESSION_ID) to a task. Sets Session.taskId server-side and re-tags untagged hook events. If the session is already bound to a different task, confirms before overwriting (use --force to skip).')
-    .option('--force', 'Overwrite an existing binding to a different task without confirmation (skips the [y/N] prompt).')
-    .action(wrap((identifier, options) => (0, session_attach_1.sessionAttach)(identifier, options)));
+    .description('Attach the currently-running Claude Code session (CLAUDE_CODE_SESSION_ID) to a task. The binding is a lifetime lock: re-attaching to the same task is a no-op, attaching to a different task is refused — start a new session for a different task.')
+    .action(wrap(identifier => (0, session_attach_1.sessionAttach)(identifier)));
 session
     .command('status')
     .description('Show the task currently bound to this Claude Code session (or "no task" if none).')
     .action(wrap(() => (0, session_status_1.sessionStatus)()));
-session
-    .command('detach')
-    .description('Clear the task binding on the current Claude Code session. Past hook events keep their taskId; only future events become untagged.')
-    .action(wrap(() => (0, session_detach_1.sessionDetach)()));
 session
     .command('wrap')
     .description("Session-end wrap-up: draft a progress comment from this session's turn summaries and post it to the bound task after confirmation.")
@@ -715,6 +710,13 @@ doc
     .description('Compare the server-side markdown source against a local file. Exit 0 when byte-identical, 1 with a unified diff when divergent. Requires the doc to have a stored markdown source.')
     .requiredOption('--file <path>', 'Local markdown file to compare against')
     .action(wrap((reference, opts) => (0, doc_diff_1.docDiff)(reference, opts)));
+doc
+    .command('rebuild-source <doc>')
+    .description("Regenerate the stored markdown source from the doc's HTML body using a lossless serializer (tables/rows/headings round-trip), re-enabling doc show --raw / diff / patch / append for a source-less doc. The rebuilt source is structure-guarded: any table/tr/heading shrink is rejected with 422 (no silent flattening) unless --allow-shrink is passed. A doc that already has a source is refused with 409 unless --force re-derives it (replacing a byte-faithful source with a serializer-derived one).")
+    .option('--allow-shrink', 'Commit even if the rebuilt source re-renders with fewer tables/rows/headings than the stored body (default: rejected with 422)')
+    .option('--force', 'Re-derive the source even when one already exists (default: refused with 409)')
+    .option('--if-revision <n>', 'Only apply if the doc body is still at this revision (from doc show)')
+    .action(wrap((reference, opts) => (0, doc_rebuild_source_1.docRebuildSource)(reference, opts)));
 doc
     .command('list')
     .description('List documents visible to the current user')

package/dist/cli/src/lib/open-crossings.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchOpenCrossings = fetchOpenCrossings;
+exports.dispositionUrl = dispositionUrl;
+const api_1 = require("./api");
+const SEVERITY_RANK = {
+    HIGH: 3,
+    MEDIUM: 2,
+    LOW: 1,
+};
+/** Narrow the raw view's attribution to the terminal's read-only shape, every
+ *  dimension defaulting to null (unknown) when absent or the wrong type. */
+function normalizeAttribution(raw) {
+    const str = (v) => typeof v === 'string' && v.length > 0 ? v : null;
+    return {
+        workspaceMemberId: str(raw?.workspaceMemberId),
+        sessionId: str(raw?.sessionId),
+        agent: str(raw?.agent),
+        worktreeBranch: str(raw?.worktreeBranch),
+        model: str(raw?.model),
+    };
+}
+function normalizeSeverity(s) {
+    return s === 'HIGH' || s === 'MEDIUM' || s === 'LOW' ? s : 'LOW';
+}
+/**
+ * Fetch a task's OPEN (undispositioned) boundary crossings, highest-severity
+ * first, via the EXISTING LUM-435 read endpoint — `GET …/boundary-crossings`
+ * returns every crossing (open and dispositioned); we keep only the
+ * undispositioned ones (`disposition == null`). This is the **read/awareness**
+ * half of the acceptance loop: there is no new query and, by construction, no
+ * way to clear a crossing — disposition stays web + human-only
+ * (LUM-426/435/422).
+ *
+ * Best-effort: any transport / HTTP / parse failure yields an empty list, so a
+ * supplementary safety signal can never break the caller's primary output
+ * (the acceptance status, the wrap-up panel).
+ */
+async function fetchOpenCrossings(apiUrl, token, taskIdentifier) {
+    const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/tasks/${encodeURIComponent(taskIdentifier)}/boundary-crossings`;
+    let res;
+    try {
+        res = await fetch(url, { headers: { Authorization: `Bearer ${token}` } });
+    }
+    catch {
+        return [];
+    }
+    if (!res.ok)
+        return [];
+    let data;
+    try {
+        data = (await res.json());
+    }
+    catch {
+        return [];
+    }
+    const rows = Array.isArray(data.crossings) ? data.crossings : [];
+    return rows
+        .filter(c => c.disposition == null)
+        .map(c => ({
+        id: c.id,
+        category: c.category,
+        severity: normalizeSeverity(c.severity),
+        detail: c.detail,
+        attribution: normalizeAttribution(c.attribution),
+    }))
+        .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
+}
+/**
+ * The web deep link where a HUMAN dispositions crossings. Disposition is
+ * web-only and human-only (LUM-426/435/422); the terminal only ever points
+ * here, it never clears anything itself. Built from the workspace slug +
+ * identifier alone (the `/my-tasks/<id>` route needs no project slug), so no
+ * extra fetch is required.
+ */
+function dispositionUrl(apiUrl, workspaceSlug, taskIdentifier) {
+    return `${(0, api_1.trimTrailingSlash)(apiUrl)}/workspace/${workspaceSlug}/my-tasks/${taskIdentifier}#boundary-crossings`;
+}

package/dist/shared/src/markdown-sections.js

@@ -93,10 +93,29 @@ function parseSectionQuery(raw) {
         return { text: (m[2] ?? '').trim(), depth: (m[1] ?? '').length };
     return { text: raw.trim() };
 }
+/**
+ * Normalize a heading for the widest match tier (LUM-447): fold full-width
+ * ASCII forms (U+FF01–U+FF5E — the （），etc. that pepper CJK headings) down
+ * to their half-width counterparts, turn the full-width ideographic space
+ * (U+3000) into a normal space, collapse runs of whitespace to one, then
+ * lower-case. This lets a half-width `--section` query land on a full-width
+ * stored heading (and the reverse) so agents no longer have to grep and copy
+ * the raw bytes. It does NOT relax the ambiguity guard: matches are still
+ * counted, and more than one is reported as candidates.
+ */
+function normalizeHeading(text) {
+    return text
+        .replace(/[！-～]/g, ch => String.fromCharCode(ch.charCodeAt(0) - 0xfee0))
+        .replace(/　/g, ' ')
+        .replace(/\s+/g, ' ')
+        .trim()
+        .toLowerCase();
+}
 /**
  * Locate a section by heading text. Exact match first, then a
- * case-insensitive pass; more than one hit in the winning pass is reported
- * as ambiguous rather than silently picking one.
+ * case-insensitive pass, then a full-width/half-width + whitespace
+ * normalization pass (LUM-447); more than one hit in the winning pass is
+ * reported as ambiguous rather than silently picking one.
  */
 function findSection(src, query) {
     const q = parseSectionQuery(query);
@@ -107,6 +126,10 @@ function findSection(src, query) {
         const lower = q.text.toLowerCase();
         matches = pool.filter(s => s.heading.toLowerCase() === lower);
     }
+    if (matches.length === 0) {
+        const normalized = normalizeHeading(q.text);
+        matches = pool.filter(s => normalizeHeading(s.heading) === normalized);
+    }
     const first = matches[0];
     if (matches.length === 1 && first)
         return { kind: 'found', section: first };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lumoai/cli",
-  "version": "1.33.0",
+  "version": "1.34.0",
   "description": "Lumo CLI — manage tasks and sessions from the terminal",
   "license": "MIT",
   "author": "cli@uselumo.ai",

package/dist/cli/src/commands/session-detach.js

@@ -1,60 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.sessionDetach = sessionDetach;
-const config_1 = require("../lib/config");
-const api_1 = require("../lib/api");
-const sanitize_1 = require("../lib/sanitize");
-/**
- * `lumo session detach` — clear the task binding on the current Claude Code
- * session. Idempotent: re-detaching an already-unbound session reports
- * "already unbound" instead of erroring.
- *
- * Past HookEvent rows keep their original taskId — only future events on
- * this session will be unbound. Re-attach later with `session attach
- * <LUM-N>` to point the session at a different task.
- */
-async function sessionDetach() {
-    const sessionId = process.env.CLAUDE_CODE_SESSION_ID;
-    if (!sessionId) {
-        console.error('Error: $CLAUDE_CODE_SESSION_ID is not set.\n' +
-            '`lumo session detach` must be run inside a Claude Code session.');
-        return 1;
-    }
-    const creds = (0, config_1.readCredentials)();
-    if (!creds) {
-        console.error('Error: not logged in. Run `lumo auth login` first.');
-        return 1;
-    }
-    const apiUrl = (0, api_1.resolveAuthedApiUrl)(creds.apiUrl);
-    const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/sessions/${encodeURIComponent(sessionId)}/bind-task`;
-    let res;
-    try {
-        res = await fetch(url, {
-            method: 'DELETE',
-            headers: { Authorization: `Bearer ${creds.token}` },
-        });
-    }
-    catch (err) {
-        const msg = err instanceof Error ? err.message : String(err);
-        console.error(`Error: could not reach Lumo API at ${apiUrl} (${msg})`);
-        return 1;
-    }
-    if (res.status === 401) {
-        console.error('Error: API key invalid or revoked. Run `lumo auth login`.');
-        return 1;
-    }
-    if (res.status === 404) {
-        process.stdout.write(`Session ${sessionId} has no server-side state yet — nothing to detach.\n`);
-        return;
-    }
-    if (!res.ok) {
-        console.error(`Error: session detach failed (HTTP ${res.status})`);
-        return 1;
-    }
-    const data = (await res.json());
-    if (data.alreadyUnbound) {
-        process.stdout.write(`Session ${sessionId} was already unbound.\n`);
-        return;
-    }
-    process.stdout.write(`Detached session ${sessionId} from ${data.previousTaskIdentifier} "${(0, sanitize_1.sanitizeField)(data.previousTaskTitle ?? '')}".\n`);
-}