@lumoai/cli 1.34.0 → 1.35.0

package/assets/skill/SKILL.md

@@ -79,7 +79,7 @@ The command catalog below is a **map**: it lists every command grouped by domain
 **Verification (machine acceptance loop)** — see [verify.md](references/verify.md)
 
 - `lumo verify [task] [--timeout <seconds>]` — run every MACHINE criterion's checkpointer locally, report one structured PASS/FAIL verdict per criterion to the server, print next actions. Defaults to the session-bound task. Round cap 3: an all-pass round moves the task to IN_REVIEW (agent stops there); a round-3 fail escalates to a human (stop retrying). **Run this before claiming a task is done.**
-- `lumo task status [task] [--json]` — read-only acceptance self-check (no LLM, milliseconds): the contract with each criterion's latest verdict (REVIEW_ADDED provenance visible), verification history, current round, last round's failure reasons, `nextActions` = the unmet criteria (the declarative "what's next" — no separate plan), and any OPEN (undispositioned) boundary crossings (count + per crossing category/severity/detail + a read-only attribution line `↳ by model=…·agent=…·session=…` naming who/what crossed, `unknown` when unresolved — LUM-469; `--json` adds an `openCrossings[]` field, each entry carrying an `attribution` object) — read-only awareness, disposition stays web + human-only (LUM-448). Defaults to the session-bound task; `--json` emits a versioned payload (`version` field). **Run it first when resuming a task in a new session or after a verification round was rejected.**
+- `lumo task status [task] [--json]` — read-only acceptance self-check (no LLM, milliseconds): the contract with each criterion's latest verdict (REVIEW_ADDED provenance visible), verification history, current round, last round's failure reasons, `nextActions` = the unmet criteria (the declarative "what's next" — no separate plan), and any OPEN (undispositioned) boundary crossings (count + per crossing category/severity/detail + a read-only attribution line `↳ by model=…·agent=…·session=…` naming who/what crossed, `unknown` when unresolved — LUM-469; `--json` adds an `openCrossings` field, each entry carrying an `attribution` object) — read-only awareness, disposition stays web + human-only (LUM-448). The crossings check fails closed (LUM-480): if the read errors, the block prints `⚠ Boundary-crossing check failed` instead of staying silent, and `--json` sets `openCrossings: null` (distinct from `[]` = a successful read with zero open — treat `null` as "could not confirm", not "safe"). Defaults to the session-bound task; `--json` emits a versioned payload (`version` field). **Run it first when resuming a task in a new session or after a verification round was rejected.**
 - `lumo verdict [task] --pass | --pass-with-followup | --fail` — acceptance verdicts (LUM-422). `--pass` / `--pass-with-followup` open the browser to the human verdict bar focused on the passing action (a deep link — **records nothing**; a passing data row is only ever a human's own click). `--fail --reason <enum> [--note <text>] [--criterion <id>…]` records an **AGENT send-back** (verifierType=AGENT, verdict hard-coded FAIL) and bounces the task to IN_PROGRESS. Defaults to the session-bound task. **An unresolved send-back (machine/AGENT/human FAIL) blocks the agent/CLI DONE transition with 409** — clear it (re-verify) before `task update --status done`.
 
 **Artifacts & Figma** — see [artifacts-figma.md](references/artifacts-figma.md)
@@ -126,7 +126,7 @@ The command catalog below is a **map**: it lists every command grouped by domain
 
 - `lumo session attach <id>` — bind this session to a task (then run `task context`). **Lifetime lock**: re-attaching to the same task is a no-op; attaching to a _different_ task is refused with 409 — start a new Claude Code session instead. No `--force`, no `session detach`.
 - `lumo session status` — show current binding
-- `lumo session wrap [--yes] [--dry-run] [--used <indices>]` — end-of-session panel: progress comment + memory review + fragment-usage vote (`--used`, LUM-300) + blocked-tag prompt, then a read-only reminder when the bound task has ≥1 OPEN boundary crossing still undispositioned (silent when none — no wrap-up noise; pointer is web + human-only, LUM-448). Usage is now also audited automatically when a task reaches DONE (evidence-gated, true-only — confident fragments marked used, the rest left NULL); `session wrap --used` remains the manual override and takes precedence for a session.
+- `lumo session wrap [--yes] [--dry-run] [--used <indices>]` — end-of-session panel: progress comment + memory review + fragment-usage vote (`--used`, LUM-300) + blocked-tag prompt, then a read-only reminder when the bound task has ≥1 OPEN boundary crossing still undispositioned (silent only on a genuine empty read — no wrap-up noise; a crossings-check failure prints a "could not confirm" warning instead of staying silent, LUM-480; pointer is web + human-only, LUM-448). Usage is now also audited automatically when a task reaches DONE (evidence-gated, true-only — confident fragments marked used, the rest left NULL); `session wrap --used` remains the manual override and takes precedence for a session.
 - Git-suggest at session start (suggests `session attach`, never auto-binds) + Layer-2 project-memory review — see the reference
 
 **Worktrees (local dev tooling)** — see [worktree.md](references/worktree.md)

package/assets/skill/references/sessions.md

@@ -181,12 +181,16 @@ nothing to prompt, the section prints "(no content)".
 finish, `session wrap` prints a one-shot read-only reminder **if** the bound
 task has ≥1 OPEN (undispositioned) boundary crossing: `⚠ N open boundary
 crossing(s) on LUM-N still undispositioned:` then a line per crossing `• [SEVERITY]
-CATEGORY` and a web pointer. When there are none — or the session is unbound —
-it prints **nothing** (truly silent, not a "(no content)" line), so a clean task
-adds no wrap-up noise. **Awareness only:** it points at the web acceptance panel;
-there is **no CLI path** to disposition or clear a crossing. Disposition stays
-web + human-only (LUM-426/435/422) — an agent/CLI bearer cannot clear its own
-crossing from the terminal.
+CATEGORY` and a web pointer. When the read genuinely comes back empty — or the
+session is unbound — it prints **nothing** (truly silent, not a "(no content)"
+line), so a clean task adds no wrap-up noise. **But a crossings-check failure is
+not silent (LUM-480):** if the read errors (network / server), it prints
+`⚠ Could not check boundary crossings on LUM-N (network/server error) — unable
+to confirm whether any are still undispositioned`, so a failed safety check never
+masquerades as "0 open / safe". **Awareness only:** it points at the web
+acceptance panel; there is **no CLI path** to disposition or clear a crossing.
+Disposition stays web + human-only (LUM-426/435/422) — an agent/CLI bearer cannot
+clear its own crossing from the terminal.
 
 ```bash
 lumo session wrap                  # interactive: preview each section, choose per-section

package/assets/skill/references/verify.md

@@ -125,10 +125,23 @@ what's unmet and why (the exact failure tails), and how many rounds are left.
 
 - Header: task identifier/title/status + `verification round N/3` (round 0 =
   never verified) + an escalation warning when the machine loop is exhausted.
+- **Machine verification rollup** (LUM-470) — directly under the `Criteria`
+  header, one line `Machine verification: N machine-verified / M human override
+(of T MACHINE criteria)` over the active MACHINE criteria, aligned with the web
+  read model (LUM-456). Printed whenever the contract has ≥1 MACHINE criterion,
+  so the terminal rollup never reads as all-human when a checkpointer actually
+  verified the work.
 - **Criteria** — every criterion as `<glyph> <id>  [TYPE]  SOURCE@rN
 statement` (✓ latest verdict passed / ✗ failed / ○ no verdict yet) with its
   checkpointer and latest verdict line (evidence pointer on pass, failure
   tail on fail). `REVIEW_ADDED@rN` provenance is visible per row.
+  - A passing **MACHINE** criterion's verdict line carries a machine-state tag
+    derived from the read model's `machinePassed` flag, NOT the latest verdict
+    (LUM-470): `· machine-verified` when a checkpointer actually passed it (even
+    after a human later signs the task off), or `· human override (no machine
+pass)` when it passes only on a human sign-off with no machine run underneath.
+    This keeps the terminal honest with web — a machine-verified criterion that
+    a human co-signed no longer reads as a plain human pass.
   - A pass can carry a **`⚠ pre-edit version`** note (LUM-457): the criterion
     was changed after that verdict (reworded, or its checkpointer was swapped so
     the recorded evidence ran a different command). The pass still counts as met
@@ -154,19 +167,31 @@ statement` (✓ latest verdict passed / ✗ failed / ○ no verdict yet) with it
   **Read-only awareness** — this surfaces crossings detected elsewhere
   (LUM-426/435/442); there is no CLI path to disposition or clear one.
   Disposition stays web + human-only (LUM-426/435/422): an agent/CLI bearer
-  cannot clear its own crossing from the terminal.
+  cannot clear its own crossing from the terminal. **The check fails closed
+  (LUM-480):** if the crossings read itself errors (network / server / parse),
+  the block prints `⚠ Boundary-crossing check failed (network/server error) —
+could not confirm whether any are undispositioned` instead of staying silent.
+  Silence means a successful read with zero open crossings, never a failed
+  check — a hiccup can no longer masquerade as "all clear".
 
 ### --json contract
 
 `--json` emits the full read model with a top-level `version` field
 (currently `1`). The schema is versioned: breaking shape changes bump the
 major; additive fields don't. Pin on `version` when scripting against it.
+Each criterion carries `machinePassed` (boolean — a checkpointer currently
+vouches for it; LUM-456/470), and the payload carries a top-level
+`machineVerification` aggregate `{ total, machineVerified, humanOverridden }`
+over the active MACHINE criteria — read these, not `latestVerdict` alone, to
+tell a machine-verified criterion from a human override.
 The open boundary crossings ride along as an additive top-level
-`openCrossings[]` (each `{ id, category, severity, detail, attribution }`,
+`openCrossings` (each entry `{ id, category, severity, detail, attribution }`,
 where `attribution` is `{ workspaceMemberId, sessionId, agent, worktreeBranch,
 model }` with every field nullable — null = unknown, never fabricated; LUM-469;
-the array length is the count; empty when none) — same read-only awareness, no
-write path.
+the array length is the count) — same read-only awareness, no write path.
+**`openCrossings` is `null` when the crossings check failed (LUM-480)** —
+distinct from `[]`, which is a successful read with zero open crossings. Script
+consumers must treat `null` as "unknown / could not confirm", not "safe".
 
 `status` reads; `verify` judges. Running status never starts a round, never
 escalates, and never changes task state — loop rules (cap 3, IN_REVIEW on

package/dist/cli/src/commands/task-status.js

@@ -46,6 +46,13 @@ function formatTaskStatus(data, extras = {}) {
     }
     lines.push('');
     lines.push(`Criteria (${data.criteria.length} total, ${data.nextActions.length} unmet):`);
+    // LUM-470: honest machine-verification rollup over the active MACHINE criteria
+    // (same read model as web, LUM-456) — so the terminal rollup never reads as
+    // all-human when a checkpointer actually verified the work.
+    const mv = data.machineVerification;
+    if (mv.total > 0) {
+        lines.push(`Machine verification: ${mv.machineVerified} machine-verified / ${mv.humanOverridden} human override (of ${mv.total} MACHINE criteria)`);
+    }
     for (const c of data.criteria) {
         const glyph = c.latestVerdict == null
             ? '○'
@@ -81,7 +88,16 @@ function formatTaskStatus(data, extras = {}) {
             const evidencePart = v.evidencePointer
                 ? ` · ${(0, sanitize_1.sanitizeField)(v.evidencePointer)}`
                 : '';
-            lines.push(`      ✓ ${v.verdict}@r${v.round}${evidencePart}`);
+            // LUM-470: tag a passing MACHINE criterion by the read model's
+            // machinePassed flag, not the latest verdict — a criterion a checkpointer
+            // verified reads as machine-verified even after a human signs off, and a
+            // pass with no machine run underneath reads as a human override.
+            const machineTag = c.verifierType === 'MACHINE'
+                ? c.machinePassed
+                    ? ' · machine-verified'
+                    : ' · human override (no machine pass)'
+                : '';
+            lines.push(`      ✓ ${v.verdict}@r${v.round}${evidencePart}${machineTag}`);
             // LUM-457: a pass that vouches for a pre-edit version of the criterion —
             // render-only downgrade, the criterion still counts met.
             if (c.verdictStale || c.checkMismatch) {
@@ -146,7 +162,17 @@ function formatTaskStatus(data, extras = {}) {
  * a crossing from the terminal (LUM-426/435/422).
  */
 function pushOpenCrossings(lines, extras) {
-    const open = extras.openCrossings ?? [];
+    const result = extras.openCrossings;
+    if (!result)
+        return;
+    // LUM-480: a failed check is NOT "0 open / safe" — say so explicitly rather
+    // than rendering an empty (implicitly-clear) block.
+    if (result.status === 'error') {
+        lines.push('');
+        lines.push('⚠ Boundary-crossing check failed (network/server error) — could not confirm whether any are undispositioned.');
+        return;
+    }
+    const open = result.crossings;
     if (open.length === 0)
         return;
     lines.push('');
@@ -224,20 +250,24 @@ async function taskStatus(identifier, options = {}) {
     }
     const data = (await res.json());
     // Read-only awareness (LUM-448): surface the task's OPEN boundary crossings
-    // via the existing LUM-435 endpoint. Best-effort — fetchOpenCrossings already
-    // swallows failures to an empty list, so this supplementary safety signal can
-    // never block the primary acceptance status. The resolved taskId (the
-    // identifier the status was fetched for) is the key here.
-    const openCrossings = await (0, open_crossings_1.fetchOpenCrossings)(base, creds.token, taskId);
+    // via the existing LUM-435 endpoint. fetchOpenCrossings returns a result that
+    // distinguishes a check FAILURE from a genuine 0-open read (LUM-480), so this
+    // supplementary safety signal never masquerades a hiccup as "all clear" — yet
+    // it still never throws, so it can't block the primary acceptance status. The
+    // resolved taskId (the identifier the status was fetched for) is the key here.
+    const crossingsResult = await (0, open_crossings_1.fetchOpenCrossings)(base, creds.token, taskId);
     if (options.json) {
         // JSON.stringify escapes control chars (…), so the payload is safe
         // to emit raw — and consumers get byte-faithful server data.
-        // The open crossings ride alongside as an additive field (count = length).
+        // openCrossings rides alongside as an additive field: an array on success
+        // (count = length), or `null` when the check failed (LUM-480) — distinct
+        // from `[]`, which is a successful read with zero open crossings.
+        const openCrossings = crossingsResult.status === 'ok' ? crossingsResult.crossings : null;
         process.stdout.write(JSON.stringify({ ...data, openCrossings }, null, 2) + '\n');
         return;
     }
     process.stdout.write(formatTaskStatus(data, {
-        openCrossings,
+        openCrossings: crossingsResult,
         dispositionUrl: (0, open_crossings_1.dispositionUrl)(base, creds.workspaceSlug ?? 'lumo', data.task.identifier),
     }));
 }

package/dist/cli/src/commands/wrap/crossings-reminder.js

@@ -7,13 +7,20 @@ const sanitize_1 = require("../../lib/sanitize");
 const open_crossings_1 = require("../../lib/open-crossings");
 /**
  * Build the wrap-up reminder for a task's OPEN boundary crossings (LUM-448).
- * Returns the reminder string when there is ≥1 open crossing, and `null` when
- * there are none — the caller prints nothing on null, so a clean task makes NO
- * noise at wrap time. Read-only awareness: the reminder points at the
- * human-only web disposition panel and offers no way to clear a crossing from
- * the terminal (LUM-426/435/422).
+ * Returns the reminder string when there is ≥1 open crossing, and `null` only on
+ * a genuine empty read — the caller prints nothing on null, so a clean task
+ * makes NO noise at wrap time. A check FAILURE (LUM-480) is NOT silent: it
+ * returns a warning so a failed safety check never reads as "0 open / safe".
+ * Read-only awareness: the reminder points at the human-only web disposition
+ * panel and offers no way to clear a crossing from the terminal (LUM-426/435/422).
  */
-function formatCrossingReminder(taskIdentifier, open, url) {
+function formatCrossingReminder(taskIdentifier, result, url) {
+    if (result.status === 'error') {
+        return (`⚠ Could not check boundary crossings on ${taskIdentifier} ` +
+            `(network/server error) — unable to confirm whether any are still ` +
+            `undispositioned. Review in the web panel: ${url}\n`);
+    }
+    const open = result.crossings;
     if (open.length === 0)
         return null;
     const n = open.length;
@@ -28,14 +35,15 @@ function formatCrossingReminder(taskIdentifier, open, url) {
 }
 /**
  * Resolve the session's bound task and surface its OPEN boundary crossings as a
- * wrap-up reminder (LUM-448), or `null` when the session is unbound or nothing
- * is open. Pure read — `fetchOpenCrossings` hits only the LUM-435 GET endpoint
- * and there is no disposition write path here.
+ * wrap-up reminder (LUM-448), or `null` when the session is unbound or the read
+ * genuinely came back empty. A crossings-check failure yields a warning, not
+ * silence (LUM-480). Pure read — `fetchOpenCrossings` hits only the LUM-435 GET
+ * endpoint and there is no disposition write path here.
  */
 async function openCrossingReminder(creds) {
     const taskIdentifier = await (0, resolve_bound_task_1.resolveBoundTaskIdentifier)(creds.apiUrl, creds.token);
     if (!taskIdentifier)
         return null;
-    const open = await (0, open_crossings_1.fetchOpenCrossings)(creds.apiUrl, creds.token, taskIdentifier);
-    return formatCrossingReminder(taskIdentifier, open, (0, open_crossings_1.dispositionUrl)(creds.apiUrl, creds.workspaceSlug, taskIdentifier));
+    const result = await (0, open_crossings_1.fetchOpenCrossings)(creds.apiUrl, creds.token, taskIdentifier);
+    return formatCrossingReminder(taskIdentifier, result, (0, open_crossings_1.dispositionUrl)(creds.apiUrl, creds.workspaceSlug, taskIdentifier));
 }

package/dist/cli/src/lib/open-crossings.js

@@ -32,9 +32,13 @@ function normalizeSeverity(s) {
  * way to clear a crossing — disposition stays web + human-only
  * (LUM-426/435/422).
  *
- * Best-effort: any transport / HTTP / parse failure yields an empty list, so a
- * supplementary safety signal can never break the caller's primary output
- * (the acceptance status, the wrap-up panel).
+ * Fails *closed*, not open (LUM-480): any transport / non-ok HTTP / parse
+ * failure returns `{ status: 'error', reason }` so the caller can say "check
+ * failed — could not confirm" instead of mistaking a hiccup for "0 open / all
+ * clear". A successful read returns `{ status: 'ok', crossings }`; the list is
+ * empty only when the server genuinely reports no open crossings. Either way the
+ * supplementary safety signal never throws into the caller's primary output (the
+ * acceptance status, the wrap-up panel) — failure is a value, not an exception.
  */
 async function fetchOpenCrossings(apiUrl, token, taskIdentifier) {
     const url = `${(0, api_1.trimTrailingSlash)(apiUrl)}/api/tasks/${encodeURIComponent(taskIdentifier)}/boundary-crossings`;
@@ -42,20 +46,23 @@ async function fetchOpenCrossings(apiUrl, token, taskIdentifier) {
     try {
         res = await fetch(url, { headers: { Authorization: `Bearer ${token}` } });
     }
-    catch {
-        return [];
+    catch (err) {
+        return {
+            status: 'error',
+            reason: err instanceof Error ? err.message : 'network error',
+        };
     }
     if (!res.ok)
-        return [];
+        return { status: 'error', reason: `HTTP ${res.status}` };
     let data;
     try {
         data = (await res.json());
     }
     catch {
-        return [];
+        return { status: 'error', reason: 'invalid response body' };
     }
     const rows = Array.isArray(data.crossings) ? data.crossings : [];
-    return rows
+    const crossings = rows
         .filter(c => c.disposition == null)
         .map(c => ({
         id: c.id,
@@ -65,6 +72,7 @@ async function fetchOpenCrossings(apiUrl, token, taskIdentifier) {
         attribution: normalizeAttribution(c.attribution),
     }))
         .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
+    return { status: 'ok', crossings };
 }
 /**
  * The web deep link where a HUMAN dispositions crossings. Disposition is

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lumoai/cli",
-  "version": "1.34.0",
+  "version": "1.35.0",
   "description": "Lumo CLI — manage tasks and sessions from the terminal",
   "license": "MIT",
   "author": "cli@uselumo.ai",