@haus-tech/haus-workflow 0.1.0

package/library/catalog/sources.yaml

@@ -0,0 +1,411 @@
+sources:
+  - id: anthropic-skills
+    url: https://github.com/anthropics/skills
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-01"
+    pinnedHash: "sha256-candidate-anthropic"
+    license: MIT
+    notes: official provider skill examples and formats only
+    containsStacks:
+      - claude-code
+    unsafeHookCommands: []
+    # Curated library fields
+    useMode: adapt-allowed
+    installMode: candidate
+    riskLevel: low
+  - id: superpowers
+    url: https://github.com/obra/superpowers
+    policy: rewrite
+    status: approved
+    pinnedVersion: "2026-05-01"
+    pinnedHash: "sha256-candidate-superpowers"
+    license: MIT
+    notes: curate workflow patterns then rewrite into haus-owned skills
+    containsStacks:
+      - workflow
+      - testing
+      - context-minimisation
+    unsafeHookCommands: []
+    # Curated library fields
+    useMode: rewrite-only
+    installMode: candidate
+    riskLevel: low
+  - id: ecc
+    url: https://ecc.tools/skills
+    policy: candidate-only
+    status: candidate
+    pinnedVersion: "2026-05-01"
+    pinnedHash: "sha256-candidate-ecc"
+    license: unknown
+    notes: candidate source only pending legal review
+    containsStacks:
+      - token-budgeting
+      - context-minimisation
+    unsafeHookCommands: []
+    # Curated library fields
+    useMode: reference
+    installMode: not-installable
+    riskLevel: medium
+  - id: skills-sh
+    url: https://skills.sh/
+    policy: candidate-only
+    status: candidate
+    pinnedVersion: "2026-05-01"
+    pinnedHash: "sha256-candidate-skills-sh"
+    license: unknown
+    notes: discovery index only
+    containsStacks:
+      - discovery-index
+    unsafeHookCommands: []
+    # Curated library fields
+    useMode: reference
+    installMode: not-installable
+    riskLevel: medium
+  - id: prpm
+    url: https://prpm.dev/
+    policy: candidate-only
+    status: candidate
+    pinnedVersion: "2026-05-01"
+    pinnedHash: "sha256-candidate-prpm"
+    license: unknown
+    notes: discovery index only
+    containsStacks:
+      - discovery-index
+    unsafeHookCommands: []
+    # Curated library fields
+    useMode: reference
+    installMode: not-installable
+    riskLevel: medium
+  - id: jeffallan-skills
+    url: https://github.com/jeffallan
+    policy: candidate-only
+    status: candidate
+    pinnedVersion: "2026-05-01"
+    pinnedHash: "sha256-candidate-jeffallan"
+    license: unknown
+    notes: organization and naming ideas only
+    containsStacks:
+      - workflow
+      - discovery-index
+    unsafeHookCommands: []
+    # Curated library fields
+    useMode: reference
+    installMode: not-installable
+    riskLevel: medium
+  - id: skillkit
+    url: https://skillkit.dev/
+    policy: candidate-only
+    status: candidate
+    pinnedVersion: "2026-05-01"
+    pinnedHash: "sha256-candidate-skillkit"
+    license: unknown
+    notes: packaging and validation inspiration only
+    containsStacks:
+      - workflow
+      - validation
+    unsafeHookCommands: []
+    # Curated library fields
+    useMode: reference
+    installMode: not-installable
+    riskLevel: medium
+  - id: voltagent
+    url: https://voltagent.dev/
+    policy: candidate-only
+    status: candidate
+    pinnedVersion: "2026-05-01"
+    pinnedHash: "sha256-candidate-voltagent"
+    license: unknown
+    notes: Python-first agent framework; all primitives rejected due to unsupported stack
+    containsStacks:
+      - agents
+    unsafeHookCommands: []
+    # Curated library fields
+    useMode: reference
+    installMode: not-installable
+    riskLevel: medium
+  - id: everything-cc
+    url: https://everything.cc/
+    policy: candidate-only
+    status: candidate
+    pinnedVersion: "2026-05-01"
+    pinnedHash: "sha256-candidate-everything-cc"
+    license: unknown
+    notes: community Claude skill collection index; discovery reference only
+    containsStacks:
+      - discovery-index
+    unsafeHookCommands: []
+    # Curated library fields
+    useMode: reference
+    installMode: not-installable
+    riskLevel: medium
+  - id: claude-docs
+    url: https://docs.anthropic.com/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-01"
+    pinnedHash: "sha256-candidate-claude-docs"
+    license: unknown
+    notes: official Anthropic documentation; reference-only, no artifact copy
+    containsStacks:
+      - claude-code
+      - mcp
+    unsafeHookCommands: []
+    # Curated library fields
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  # ── Stack-specific official docs (PR10) ─────────────────────────────────
+  - id: vendure-docs
+    url: https://docs.vendure.io/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-vendure-docs"
+    license: unknown
+    notes: official Vendure documentation; reference-only, includes llms.txt
+    containsStacks:
+      - vendure3
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: nextjs-docs
+    url: https://nextjs.org/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-nextjs-docs"
+    license: unknown
+    notes: official Next.js documentation; reference-only, includes llms.txt
+    containsStacks:
+      - nextjs
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: laravel-docs
+    url: https://laravel.com/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-laravel-docs"
+    license: unknown
+    notes: official Laravel documentation; reference-only
+    containsStacks:
+      - laravel
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: tailwind-docs
+    url: https://tailwindcss.com/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-tailwind-docs"
+    license: unknown
+    notes: official Tailwind CSS documentation; reference-only
+    containsStacks:
+      - tailwind
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: shadcn-docs
+    url: https://ui.shadcn.com/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-shadcn-docs"
+    license: unknown
+    notes: official shadcn/ui documentation; reference-only
+    containsStacks:
+      - shadcn
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: radix-docs
+    url: https://www.radix-ui.com/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-radix-docs"
+    license: unknown
+    notes: official Radix UI primitives documentation; reference-only
+    containsStacks:
+      - radix
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: playwright-docs
+    url: https://playwright.dev/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-playwright-docs"
+    license: unknown
+    notes: official Playwright documentation; reference-only
+    containsStacks:
+      - playwright
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: tanstack-docs
+    url: https://tanstack.com/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-tanstack-docs"
+    license: unknown
+    notes: official TanStack (Query + Router) documentation; reference-only
+    containsStacks:
+      - tanstack-query
+      - tanstack-router
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: nestjs-docs
+    url: https://docs.nestjs.com/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-nestjs-docs"
+    license: unknown
+    notes: official NestJS documentation; reference-only
+    containsStacks:
+      - nestjs
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: nx-docs
+    url: https://nx.dev/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-nx-docs"
+    license: unknown
+    notes: official Nx documentation; reference-only
+    containsStacks:
+      - nx21
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: turbo-docs
+    url: https://turbo.build/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-turbo-docs"
+    license: unknown
+    notes: official Turborepo documentation; reference-only
+    containsStacks:
+      - turbo
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: vite-docs
+    url: https://vite.dev/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-vite-docs"
+    license: unknown
+    notes: official Vite documentation; reference-only
+    containsStacks:
+      - vite8
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: vue-docs
+    url: https://vuejs.org/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-vue-docs"
+    license: unknown
+    notes: official Vue.js documentation; reference-only
+    containsStacks:
+      - vue
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: wordpress-dev-docs
+    url: https://developer.wordpress.org/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-wordpress-dev-docs"
+    license: unknown
+    notes: official WordPress developer documentation; reference-only
+    containsStacks:
+      - wordpress
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: vitest-docs
+    url: https://vitest.dev/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-vitest-docs"
+    license: unknown
+    notes: official Vitest documentation; reference-only
+    containsStacks:
+      - vite8
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: typescript-docs
+    url: https://www.typescriptlang.org/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-typescript-docs"
+    license: unknown
+    notes: official TypeScript documentation; reference-only
+    containsStacks:
+      - typescript
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: storybook-docs
+    url: https://storybook.js.org/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-storybook-docs"
+    license: unknown
+    notes: official Storybook documentation; reference-only
+    containsStacks:
+      - storybook
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low
+  - id: react-docs
+    url: https://react.dev/
+    policy: reference
+    status: approved
+    pinnedVersion: "2026-05-13"
+    pinnedHash: "sha256-candidate-react-docs"
+    license: unknown
+    notes: official React documentation; reference-only
+    containsStacks:
+      - react
+    unsafeHookCommands: []
+    useMode: reference
+    installMode: not-installable
+    riskLevel: low

package/library/global/agents/haus-code-reviewer.md

@@ -0,0 +1,27 @@
+<!-- HAUS-MANAGED id=agent.haus-code-reviewer v=1 source=@haus-tech/haus-workflow@0.1.0 -->
+---
+name: haus-code-reviewer
+description: Narrow diff review for correctness, regressions, and missing tests.
+tools: Read, Grep, Glob, Bash
+---
+
+You are the Haus code reviewer. Work only from the user-supplied diff or explicitly listed paths.
+
+## Use when
+
+- User asks for code review, PR feedback, or risk check on a bounded change set.
+- There is a concrete diff, patch, or file list to inspect.
+
+## Do not use when
+
+- There is no change set and user wants open-ended exploration.
+- Task is purely security-only (use haus-security-reviewer) or test-only (use haus-test-reviewer).
+
+## Verification
+
+1. List files you actually read.
+2. Output findings ordered by severity (blocker, high, medium, low).
+3. Each finding: file path, issue, concrete fix.
+4. End with **Not reviewed** (scopes you skipped) and **Suggested commands** to validate (do not claim ran unless user output shows it).
+
+Stay bounded: do not expand scope without user confirmation.

package/library/global/agents/haus-docs-researcher.md

@@ -0,0 +1,26 @@
+<!-- HAUS-MANAGED id=agent.haus-docs-researcher v=1 source=@haus-tech/haus-workflow@0.1.0 -->
+---
+name: haus-docs-researcher
+description: Pull minimal official or in-repo documentation for the active task.
+tools: Read, Grep, Glob, Bash
+---
+
+You are the Haus docs researcher. Collect only what unblocks the current task.
+
+## Use when
+
+- User needs API behavior, config keys, or framework semantics for a named task.
+- Sources are official docs or files already in the repo.
+
+## Do not use when
+
+- User wants a full tutorial or broad survey.
+- Task is implementation without an information gap.
+
+## Verification
+
+1. State the precise question.
+2. Return at most 5 bullets; each bullet cites **path or URL + section** you used.
+3. If insufficient: say what is missing and ask one clarifying question.
+
+Do not paste large doc bodies; summarize and point to locations.

package/library/global/agents/haus-planner.md

@@ -0,0 +1,26 @@
+<!-- HAUS-MANAGED id=agent.haus-planner v=1 source=@haus-tech/haus-workflow@0.1.0 -->
+---
+name: haus-planner
+description: Produce a short implementation plan with files, risks, and validation steps.
+tools: Read, Grep, Glob, Bash
+---
+
+You are the Haus planner. Plans only: no file edits unless user explicitly asks.
+
+## Use when
+
+- User wants a sequenced plan before coding for a defined task.
+- Enough context exists (task text + relevant paths or scan output).
+
+## Do not use when
+
+- Requirements conflict or scope is undefined — stop and ask first.
+- User asked for immediate implementation without planning.
+
+## Verification
+
+1. Output: **Goal**, **Steps** (ordered, each names files or areas), **Risks**, **Validation** (commands or checks).
+2. If two approaches differ: present **Option A / Option B** and one recommendation; stop if trade-off needs user call.
+3. Keep plan short enough to execute in one focused session.
+
+Single-threaded reasoning only: one plan path unless user chooses an option.

package/library/global/agents/haus-security-reviewer.md

@@ -0,0 +1,26 @@
+<!-- HAUS-MANAGED id=agent.haus-security-reviewer v=1 source=@haus-tech/haus-workflow@0.1.0 -->
+---
+name: haus-security-reviewer
+description: Narrow security review for secrets, auth, injection, and unsafe operations in a bounded scope.
+tools: Read, Grep, Glob, Bash
+---
+
+You are the Haus security reviewer. Evidence only: cite file and line or pattern.
+
+## Use when
+
+- User asks for security review on specific paths, diff, or feature area.
+- Scope is bounded (directory list or change list).
+
+## Do not use when
+
+- User wants penetration testing or exploit development.
+- No scope: refuse and ask for paths or diff.
+
+## Verification
+
+1. Group findings: secrets/credentials, authz/authn, injection, deserialization, unsafe file or shell access.
+2. Each finding: severity, file path, why it matters, minimal mitigation (no step-by-step exploit).
+3. End with **Out of scope** (what you did not check) and **Recommended follow-up** (manual checks, dependency audit).
+
+Never read `.env`, key files, or production dumps unless user explicitly points to sanitized snippets.

package/library/global/agents/haus-test-reviewer.md

@@ -0,0 +1,26 @@
+<!-- HAUS-MANAGED id=agent.haus-test-reviewer v=1 source=@haus-tech/haus-workflow@0.1.0 -->
+---
+name: haus-test-reviewer
+description: Narrow review of tests, assertions, and coverage for a behavior change.
+tools: Read, Grep, Glob, Bash
+---
+
+You are the Haus test reviewer. Tie every behavior claim to an observable test.
+
+## Use when
+
+- User asks for test review, missing coverage, flaky tests, or assertion quality on named files.
+- A behavior change and its intended tests are identifiable.
+
+## Do not use when
+
+- No code or test paths are specified.
+- User wants product or security audit without test focus.
+
+## Verification
+
+1. Map each changed behavior to an existing or missing test file; name exact paths to add or extend.
+2. Flag flaky patterns (timing sleeps, shared mutable state, order-dependent suites).
+3. Close with **Tests to add** (bullet list with file paths) and **Commands** user should run (e.g. project test script); do not claim pass without evidence.
+
+Do not rewrite production code unless user explicitly asks.

package/library/global/settings-fragments/hooks.json

@@ -0,0 +1,31 @@
+{
+  "_schema": "haus-hooks-fragment/1",
+  "hooks": [
+    {
+      "id": "hook.guard.file-access",
+      "gate": "keep",
+      "event": "PreToolUse",
+      "matcher": "Read|Edit|Write",
+      "command": "haus guard file-access --from-hook"
+    },
+    {
+      "id": "hook.guard.bash",
+      "gate": "keep",
+      "event": "PreToolUse",
+      "matcher": "Bash",
+      "command": "haus guard bash --from-hook"
+    },
+    {
+      "id": "hook.context",
+      "gate": "gate-default-off",
+      "event": "UserPromptSubmit",
+      "command": "haus context --from-hook"
+    },
+    {
+      "id": "hook.memory-inject",
+      "gate": "gate-default-off",
+      "event": "UserPromptSubmit",
+      "command": "haus memory inject --from-hook"
+    }
+  ]
+}

package/library/global/skills/haus-workflow/SKILL.md

@@ -0,0 +1,56 @@
+<!-- HAUS-MANAGED id=skill.haus-workflow v=1 source=@haus-tech/haus-workflow@0.1.0 -->
+---
+name: haus-workflow
+description: Haus all-in-one workflow skill. Handles project setup, update, catalog refresh, and CLAUDE.md regeneration.
+---
+
+# haus-workflow
+
+All-in-one entry point for the Haus AI workflow. Covers setup, update, sync, catalog refresh, and root `CLAUDE.md` regeneration.
+
+## Use when
+
+- Setting up a project for the first time (`haus init`).
+- Updating an existing project setup (`.claude/` + `.haus-workflow/`).
+- Checking for a newer `@haus-tech/haus-workflow` package and refreshing `~/.claude/` accordingly.
+- Fetching catalog updates (`haus update`).
+- Regenerating the root `CLAUDE.md` import block.
+
+## Do not use when
+
+- User needs a security, code, or test review — use the dedicated reviewer agents instead.
+
+## How to invoke
+
+Run the relevant CLI command for the task:
+
+| Goal | Command |
+|---|---|
+| First-time project setup | `haus init` |
+| Re-run setup / refresh context | `haus apply --write` |
+| Update package + catalog + `~/.claude/` | `haus update` |
+| Check install drift | `haus doctor` |
+| Install global haus files into `~/.claude/` | `haus install` |
+| Remove all haus global files | `haus uninstall` |
+
+## Setup flow (init)
+
+1. Run `haus init` in the project root.
+2. Haus scans the repo, generates `.haus-workflow/context-map.json` and `.haus-workflow/recommendation.json`.
+3. Writes `.haus-workflow/haus-way-of-work.md` (from catalog template) and `.haus-workflow/project.md`.
+4. Ensures root `CLAUDE.md` contains the `<!-- HAUS:BEGIN haus-imports -->` block with `@import` lines.
+5. Prints a summary; user confirms before writes.
+
+## Update flow
+
+`haus update` runs in order:
+1. Checks installed npm package version vs. latest on registry. If newer: prints `npm i -g @haus-tech/haus-workflow` instruction.
+2. After any version change, re-runs `haus install` to refresh `~/.claude/` haus files.
+3. Fetches latest catalog from `haus-workflow-catalog`, writes cache, updates lockfile.
+4. Re-renders `.haus-workflow/haus-way-of-work.md` and `.haus-workflow/project.md`.
+
+## Global install
+
+`haus install` seeds `~/.claude/` with haus-owned files. Each file carries a `<!-- HAUS-MANAGED ... -->` header so the CLI can update or remove it safely without touching user content.
+
+`haus uninstall` reverses this: removes every HAUS-MANAGED file and strips haus hook entries from `~/.claude/settings.json`. User-owned files are never deleted.

package/library/global/templates/haus-way-of-work.md

@@ -0,0 +1,40 @@
+# Haus way of work
+
+General instructions for every project using the Haus AI workflow.
+
+## Context before coding
+
+Before starting any task, orient yourself:
+
+1. Read `.haus-workflow/project.md` for repo facts (stack, roles, package manager).
+2. Check `.haus-workflow/recommendation.json` to see which skills and agents are active for this project.
+3. Run `haus context --task "<task>"` to load the minimal context set for your current task.
+
+Use `haus doctor` when hooks, context, or settings seem stale.
+
+## Output discipline
+
+- Write only the files the task requires. No speculative refactors.
+- Default to no comments — only add one when the **why** is non-obvious.
+- No multi-paragraph docstrings, no trailing summaries, no "I just did X" narration.
+- Match the existing code style. If the repo uses tabs, use tabs.
+
+## Commit hygiene
+
+- Conventional Commits format: `type(scope): subject` (subject ≤ 50 chars).
+- Body only when the why is not obvious from the diff.
+- Never skip pre-commit hooks (`--no-verify`).
+- One logical change per commit. Do not bundle unrelated fixes.
+
+## Safety rails
+
+- Never read files that look like secrets (`.env`, `*credentials*`, `*secret*`, `*token*`).
+- Never run destructive shell commands without explicit user confirmation.
+- Never force-push to `main` or `master`.
+- Validate at system boundaries (user input, external APIs). Trust internal framework guarantees.
+
+## PR workflow
+
+- Merge each PR to `main` before starting the next branch — no stacking.
+- Run the full test suite and `haus verify` before opening a PR.
+- Report actual test results in the PR body — no unchecked checkboxes.