@haus-tech/haus-workflow 0.13.0 → 0.13.2

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.13.2](https://github.com/WeAreHausTech/haus-workflow/compare/v0.13.1...v0.13.2) (2026-06-04)
+
+### Bug Fixes
+
+- catalog-audit drift + scanner EMFILE (TDD) ([#65](https://github.com/WeAreHausTech/haus-workflow/issues/65)) ([815ad79](https://github.com/WeAreHausTech/haus-workflow/commit/815ad798b5c28b98f53a8b8fc62c4e8decf9350e))
+
+## [0.13.1](https://github.com/WeAreHausTech/haus-workflow/compare/v0.13.0...v0.13.1) (2026-06-03)
+
+### Bug Fixes
+
+- **catalog:** download skill reference files into cache ([#63](https://github.com/WeAreHausTech/haus-workflow/issues/63)) ([db67180](https://github.com/WeAreHausTech/haus-workflow/commit/db671807273a45e97d5f5cd9505b43284d7b7389))
+
 ## [0.13.0](https://github.com/WeAreHausTech/haus-workflow/compare/v0.12.1...v0.13.0) (2026-06-03)
 
 ### Features

package/dist/cli.js

@@ -75,6 +75,27 @@ function safeJoin(base, itemPath) {
   const resolved = path.resolve(base, itemPath);
   return resolved.startsWith(base + path.sep) || resolved === base ? resolved : null;
 }
+function isExternalReference(ref) {
+  return /^[a-z][a-z0-9+.-]*:\/\//i.test(ref);
+}
+async function downloadSkillReferences(item, destDir) {
+  for (const ref of item.references ?? []) {
+    if (isExternalReference(ref)) continue;
+    const refDest = safeJoin(destDir, ref);
+    if (!refDest) {
+      warn(`Skipping reference "${ref}" for ${item.id}: path traversal detected`);
+      continue;
+    }
+    if (await fs.pathExists(refDest)) continue;
+    const text = await fetchText(`${REMOTE_BASE}/${item.path}/${ref}`);
+    if (text === null) {
+      warn(`Failed to fetch reference "${ref}" for ${item.id}`);
+      continue;
+    }
+    await fs.ensureDir(path.dirname(refDest));
+    await fs.writeFile(refDest, text, "utf8");
+  }
+}
 async function syncRemoteCatalog() {
   const items = await fetchRemoteManifest();
   if (!items) {
@@ -108,6 +129,7 @@ async function syncRemoteCatalog() {
       }
       const dest = path.join(destDir, "SKILL.md");
       if (await fs.pathExists(dest)) {
+        await downloadSkillReferences(item, destDir);
         unchanged++;
         continue;
       }
@@ -120,6 +142,7 @@ async function syncRemoteCatalog() {
       }
       await fs.ensureDir(path.dirname(dest));
       await fs.writeFile(dest, text, "utf8");
+      await downloadSkillReferences(item, destDir);
       newItems.push(item.id);
     } else {
       const dest = safeJoin(CACHE_DIR, item.path);
@@ -219,6 +242,16 @@ async function listFiles(root, patterns) {
 function hashText(value) {
   return `sha256-${crypto.createHash("sha256").update(value).digest("hex")}`;
 }
+async function mapWithConcurrency(items, fn, concurrency = 24) {
+  const size = Number.isFinite(concurrency) ? Math.max(1, Math.floor(concurrency)) : 24;
+  const results = new Array(items.length);
+  for (let i = 0; i < items.length; i += size) {
+    const batch = items.slice(i, i + size);
+    const settled = await Promise.all(batch.map((item, j) => fn(item, i + j)));
+    for (let j = 0; j < settled.length; j += 1) results[i + j] = settled[j];
+  }
+  return results;
+}
 
 // src/update/hash-installed.ts
 var EMPTY_LOCK_PATHS_TOKEN = "haus-lock:empty-paths";
@@ -1046,32 +1079,202 @@ async function loadCatalog(root) {
   return data?.items ?? [];
 }
 
+// library/catalog/validation-rules.json
+var validation_rules_default = {
+  forbiddenTags: [
+    "python",
+    "django",
+    "go",
+    "rust",
+    "java",
+    "spring",
+    "kotlin",
+    "swift",
+    "android",
+    "flutter",
+    "dart",
+    "c++",
+    "perl",
+    "defi",
+    "trading"
+  ],
+  bannedAgentPhrases: ["autonomous", "swarm", "delegate", "orchestrat", "marketplace"],
+  requiredSkillSections: ["## Use when", "## Do not use when"],
+  requiredAgentSections: ["## Use when", "## Do not use when", "## Verification"],
+  riskyInstallPatterns: [
+    { source: "\\bnpx\\s+-y\\b", flags: "i" },
+    { source: "\\bnpx\\s+--yes\\b", flags: "i" },
+    { source: "\\byarn\\s+dlx\\b", flags: "i" },
+    { source: "\\bpnpm\\s+dlx\\b", flags: "i" }
+  ],
+  allowedNpxPattern: { source: "\\bnpx\\s+tsx\\b", flags: "i" },
+  anyNpxPattern: { source: "\\bnpx\\s+\\S+", flags: "i" },
+  httpUrlPattern: { source: "^http:\\/\\/", flags: "i" },
+  placeholderPattern: { source: "\\bTODO\\b|\\bPLACEHOLDER\\b", flags: "i" },
+  allowedStacks: [
+    "haus",
+    "security",
+    "quality",
+    "frontend",
+    "backend",
+    "testing",
+    "review",
+    "workflow",
+    "reference-pack",
+    "core-skill",
+    "workflow-skill",
+    "stack-skill",
+    "review-skill",
+    "agent",
+    "hook",
+    "rule",
+    "react",
+    "typescript",
+    "php",
+    "csharp",
+    "vendure",
+    "vendure3",
+    "nestjs",
+    "graphql",
+    "nx21",
+    "turbo",
+    "nextjs",
+    "react19",
+    "typescript5",
+    "vite8",
+    "tanstack-query",
+    "tanstack-router",
+    "radix",
+    "radix-ui",
+    "shadcn",
+    "shadcn-ui",
+    "tailwind",
+    "tailwindcss",
+    "scss",
+    "scss-modules",
+    "vue",
+    "expressjs",
+    "soup-base",
+    "laravel",
+    "laravel-nova",
+    "wordpress",
+    "bedrock",
+    "elementor-pro",
+    "acf-pro",
+    "jetengine",
+    "dotnet",
+    "oidc",
+    "azure-ad",
+    "bankid",
+    "myid",
+    "cgi",
+    "crypto",
+    "collection2",
+    "postgresql",
+    "mariadb",
+    "mssql",
+    "elasticsearch",
+    "yarn4",
+    "pnpm89",
+    "playwright",
+    "testing-library",
+    "phpunit",
+    "storybook",
+    "wisest",
+    "vitest",
+    "jest",
+    "redis",
+    "sanity",
+    "strapi",
+    "prisma",
+    "cms",
+    "database",
+    "mysql",
+    "saml2",
+    "next-auth",
+    "auth",
+    "expo",
+    "react-native",
+    "mobile",
+    "i18next",
+    "i18n",
+    "bullmq",
+    "queue",
+    "sentry",
+    "observability",
+    "tooling",
+    "prettier",
+    "eslint",
+    "missing-prettier",
+    "missing-eslint",
+    "docker",
+    "pm2",
+    "deployer-php",
+    "stripe",
+    "qliro",
+    "supabase",
+    "payments"
+  ],
+  alwaysAllowedTags: [
+    "haus",
+    "security",
+    "quality",
+    "review",
+    "workflow",
+    "baseline",
+    "project-instructions"
+  ],
+  patternTagSuffixes: ["-patterns"]
+};
+
+// src/catalog/validation-rules.ts
+var toRegExp = (r) => new RegExp(r.source, r.flags);
+var FORBIDDEN_TAGS = validation_rules_default.forbiddenTags;
+var BANNED_AGENT_PHRASES = validation_rules_default.bannedAgentPhrases;
+var REQUIRED_SKILL_SECTIONS = validation_rules_default.requiredSkillSections;
+var REQUIRED_AGENT_SECTIONS = validation_rules_default.requiredAgentSections;
+var RISKY_INSTALL_PATTERNS = validation_rules_default.riskyInstallPatterns.map(toRegExp);
+var ALLOWED_NPX_PATTERN = toRegExp(validation_rules_default.allowedNpxPattern);
+var ANY_NPX_PATTERN = toRegExp(validation_rules_default.anyNpxPattern);
+var HTTP_URL_PATTERN = toRegExp(validation_rules_default.httpUrlPattern);
+var PLACEHOLDER_PATTERN = toRegExp(validation_rules_default.placeholderPattern);
+var ALLOWED_STACKS = validation_rules_default.allowedStacks;
+var ALWAYS_ALLOWED_TAGS = validation_rules_default.alwaysAllowedTags;
+var PATTERN_TAG_SUFFIXES = validation_rules_default.patternTagSuffixes;
+var ALLOWED_SET = new Set([...ALLOWED_STACKS, ...ALWAYS_ALLOWED_TAGS].map((t) => t.toLowerCase()));
+function isTagAllowed(tag) {
+  const lower = tag.toLowerCase();
+  if (ALLOWED_SET.has(lower)) return true;
+  return PATTERN_TAG_SUFFIXES.some((suffix) => lower.endsWith(suffix));
+}
+function auditDisallowedTags(items) {
+  const failures = [];
+  for (const item of items) {
+    if (!item.id) continue;
+    for (const tag of Array.isArray(item.tags) ? item.tags : []) {
+      if (!isTagAllowed(tag)) failures.push(`${item.id}: tag not in allowlist: "${tag}"`);
+    }
+  }
+  return failures;
+}
+
 // src/commands/catalog-audit.ts
-var FORBIDDEN = [
-  "python",
-  "django",
-  "go",
-  "rust",
-  "java",
-  "spring",
-  "kotlin",
-  "swift",
-  "android",
-  "flutter",
-  "dart",
-  "c++",
-  "perl",
-  "defi",
-  "trading"
-];
-async function runCatalogAudit() {
-  const items = await loadCatalog(process.cwd());
+function auditForbiddenTags(items) {
   const failures = [];
+  const forbidden = new Set(FORBIDDEN_TAGS.map((w) => w.toLowerCase()));
   for (const item of items) {
-    const text = `${item.id} ${item.tags.join(" ")}`.toLowerCase();
-    for (const word of FORBIDDEN)
-      if (text.includes(word)) failures.push(`${item.id} has unsupported tag ${word}`);
+    for (const tag of item.tags) {
+      if (forbidden.has(tag.toLowerCase())) failures.push(`${item.id} has unsupported tag ${tag}`);
+    }
+    for (const token of item.id.toLowerCase().split(/[^a-z0-9+]+/)) {
+      if (forbidden.has(token)) failures.push(`${item.id} has unsupported tag ${token}`);
+    }
   }
+  return failures;
+}
+async function runCatalogAudit() {
+  const items = await loadCatalog(process.cwd());
+  const failures = auditForbiddenTags(items);
   if (failures.length) {
     failures.forEach((f) => error(f));
     process.exitCode = 1;
@@ -1808,20 +2011,13 @@ async function buildContentBlob(root, files) {
     (f) => f.endsWith(".ts") || f.endsWith(".js") || f.endsWith(".php") || f.endsWith(".json") || f.endsWith(".yml") || f.endsWith(".yaml")
   );
   const slice = candidates.slice(0, 300);
-  const CHUNK = 24;
-  const parts = [];
-  for (let i = 0; i < slice.length; i += CHUNK) {
-    const batch = await Promise.all(
-      slice.slice(i, i + CHUNK).map(async (rel) => {
-        try {
-          return await readFile(path15.join(root, rel), "utf8");
-        } catch {
-          return "";
-        }
-      })
-    );
-    parts.push(...batch);
-  }
+  const parts = await mapWithConcurrency(slice, async (rel) => {
+    try {
+      return await readFile(path15.join(root, rel), "utf8");
+    } catch {
+      return "";
+    }
+  });
   return parts.join("\n");
 }
 function renderSummary(context) {
@@ -1934,10 +2130,9 @@ async function scanProject(root, mode = "fast") {
     composer: isRecord(composer?.require) ? Object.keys(composer.require) : []
   };
   const scanHashes = Object.fromEntries(
-    await Promise.all(
-      safeFiles.map(
-        async (f) => [f, hashText(await readFile2(path16.join(root, f), "utf8"))]
-      )
+    await mapWithConcurrency(
+      safeFiles,
+      async (f) => [f, hashText(await readFile2(path16.join(root, f), "utf8"))]
     )
   );
   const repoSummary = renderSummary(context);
@@ -3502,187 +3697,6 @@ async function runUpdate(options) {
 // src/commands/validate-catalog.ts
 import fs17 from "fs";
 import path26 from "path";
-
-// library/catalog/validation-rules.json
-var validation_rules_default = {
-  forbiddenTags: [
-    "python",
-    "django",
-    "go",
-    "rust",
-    "java",
-    "spring",
-    "kotlin",
-    "swift",
-    "android",
-    "flutter",
-    "dart",
-    "c++",
-    "perl",
-    "defi",
-    "trading"
-  ],
-  bannedAgentPhrases: ["autonomous", "swarm", "delegate", "orchestrat", "marketplace"],
-  requiredSkillSections: ["## Use when", "## Do not use when"],
-  requiredAgentSections: ["## Use when", "## Do not use when", "## Verification"],
-  riskyInstallPatterns: [
-    { source: "\\bnpx\\s+-y\\b", flags: "i" },
-    { source: "\\bnpx\\s+--yes\\b", flags: "i" },
-    { source: "\\byarn\\s+dlx\\b", flags: "i" },
-    { source: "\\bpnpm\\s+dlx\\b", flags: "i" }
-  ],
-  allowedNpxPattern: { source: "\\bnpx\\s+tsx\\b", flags: "i" },
-  anyNpxPattern: { source: "\\bnpx\\s+\\S+", flags: "i" },
-  httpUrlPattern: { source: "^http:\\/\\/", flags: "i" },
-  placeholderPattern: { source: "\\bTODO\\b|\\bPLACEHOLDER\\b", flags: "i" },
-  allowedStacks: [
-    "haus",
-    "security",
-    "quality",
-    "frontend",
-    "backend",
-    "testing",
-    "review",
-    "workflow",
-    "reference-pack",
-    "core-skill",
-    "workflow-skill",
-    "stack-skill",
-    "review-skill",
-    "agent",
-    "hook",
-    "rule",
-    "react",
-    "typescript",
-    "php",
-    "csharp",
-    "vendure",
-    "vendure3",
-    "nestjs",
-    "graphql",
-    "nx21",
-    "turbo",
-    "nextjs",
-    "react19",
-    "typescript5",
-    "vite8",
-    "tanstack-query",
-    "tanstack-router",
-    "radix",
-    "radix-ui",
-    "shadcn",
-    "shadcn-ui",
-    "tailwind",
-    "tailwindcss",
-    "scss",
-    "scss-modules",
-    "vue",
-    "expressjs",
-    "soup-base",
-    "laravel",
-    "laravel-nova",
-    "wordpress",
-    "bedrock",
-    "elementor-pro",
-    "acf-pro",
-    "jetengine",
-    "dotnet",
-    "oidc",
-    "azure-ad",
-    "bankid",
-    "myid",
-    "cgi",
-    "crypto",
-    "collection2",
-    "postgresql",
-    "mariadb",
-    "mssql",
-    "elasticsearch",
-    "yarn4",
-    "pnpm89",
-    "playwright",
-    "testing-library",
-    "phpunit",
-    "storybook",
-    "wisest",
-    "vitest",
-    "jest",
-    "redis",
-    "sanity",
-    "strapi",
-    "prisma",
-    "cms",
-    "database",
-    "mysql",
-    "saml2",
-    "next-auth",
-    "auth",
-    "expo",
-    "react-native",
-    "mobile",
-    "i18next",
-    "i18n",
-    "bullmq",
-    "queue",
-    "sentry",
-    "observability",
-    "tooling",
-    "prettier",
-    "eslint",
-    "missing-prettier",
-    "missing-eslint",
-    "docker",
-    "pm2",
-    "deployer-php",
-    "stripe",
-    "qliro",
-    "supabase",
-    "payments"
-  ],
-  alwaysAllowedTags: [
-    "haus",
-    "security",
-    "quality",
-    "review",
-    "workflow",
-    "baseline",
-    "project-instructions"
-  ],
-  patternTagSuffixes: ["-patterns"]
-};
-
-// src/catalog/validation-rules.ts
-var toRegExp = (r) => new RegExp(r.source, r.flags);
-var FORBIDDEN_TAGS = validation_rules_default.forbiddenTags;
-var BANNED_AGENT_PHRASES = validation_rules_default.bannedAgentPhrases;
-var REQUIRED_SKILL_SECTIONS = validation_rules_default.requiredSkillSections;
-var REQUIRED_AGENT_SECTIONS = validation_rules_default.requiredAgentSections;
-var RISKY_INSTALL_PATTERNS = validation_rules_default.riskyInstallPatterns.map(toRegExp);
-var ALLOWED_NPX_PATTERN = toRegExp(validation_rules_default.allowedNpxPattern);
-var ANY_NPX_PATTERN = toRegExp(validation_rules_default.anyNpxPattern);
-var HTTP_URL_PATTERN = toRegExp(validation_rules_default.httpUrlPattern);
-var PLACEHOLDER_PATTERN = toRegExp(validation_rules_default.placeholderPattern);
-var ALLOWED_STACKS = validation_rules_default.allowedStacks;
-var ALWAYS_ALLOWED_TAGS = validation_rules_default.alwaysAllowedTags;
-var PATTERN_TAG_SUFFIXES = validation_rules_default.patternTagSuffixes;
-var ALLOWED_SET = new Set([...ALLOWED_STACKS, ...ALWAYS_ALLOWED_TAGS].map((t) => t.toLowerCase()));
-function isTagAllowed(tag) {
-  const lower = tag.toLowerCase();
-  if (ALLOWED_SET.has(lower)) return true;
-  return PATTERN_TAG_SUFFIXES.some((suffix) => lower.endsWith(suffix));
-}
-function auditDisallowedTags(items) {
-  const failures = [];
-  for (const item of items) {
-    if (!item.id) continue;
-    for (const tag of Array.isArray(item.tags) ? item.tags : []) {
-      if (!isTagAllowed(tag)) failures.push(`${item.id}: tag not in allowlist: "${tag}"`);
-    }
-  }
-  return failures;
-}
-
-// src/commands/validate-catalog.ts
 function auditForbiddenStacks(items) {
   const failures = [];
   for (const item of items) {

package/library/catalog/manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "2.4.0",
+  "version": "2.4.1",
   "items": [
     {
       "id": "haus.nextjs-patterns",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@haus-tech/haus-workflow",
-  "version": "0.13.0",
+  "version": "0.13.2",
   "description": "Haus AI workflow CLI for Claude Code.",
   "type": "module",
   "bin": {
@@ -26,6 +26,8 @@
     "build": "tsup src/cli.ts --format esm --dts --clean --out-dir dist --external @inquirer/checkbox",
     "dev": "tsx src/cli.ts",
     "test": "node --import tsx --test tests/**/*.test.js",
+    "test:coverage": "c8 yarn test",
+    "coverage:check": "c8 --check-coverage yarn test",
     "lint": "eslint src scripts",
     "format:check": "prettier --check .",
     "format": "prettier --write .",
@@ -38,6 +40,7 @@
     "release:dry": "GITHUB_TOKEN=$(gh auth token) release-it --dry-run",
     "prepack": "yarn build",
     "verify": "yarn typecheck && yarn typecheck:scripts && yarn lint && yarn build && yarn test",
+    "verify:full": "yarn verify && yarn coverage:check",
     "postinstall": "node ./scripts/postinstall.mjs || true",
     "prepare": "lefthook install || true",
     "security:audit": "yarn npm audit -A -R --severity high --environment production"
@@ -62,6 +65,7 @@
     "@types/semver": "7.7.1",
     "@typescript-eslint/eslint-plugin": "8.59.3",
     "@typescript-eslint/parser": "8.59.3",
+    "c8": "11.0.0",
     "eslint": "9.39.4",
     "eslint-plugin-import": "2.32.0",
     "lefthook": "1.13.6",

package/tests/fixtures/catalog/policy-gates-manifest.json

@@ -0,0 +1,120 @@
+{
+  "version": "0.1.0",
+  "_note": "Policy gates test fixture. One item per gate exercised by recommend-eligibility.test.js.",
+  "items": [
+    {
+      "id": "test.unsupported-python",
+      "source": "haus",
+      "type": "skill",
+      "path": "skills/test.unsupported-python",
+      "title": "Test: Unsupported Python",
+      "purpose": "Triggers UNSUPPORTED gate (python in tags).",
+      "tags": ["python", "backend"],
+      "repoRoles": [],
+      "default": false,
+      "tokenEstimate": 100
+    },
+    {
+      "id": "test.curated-not-approved",
+      "source": "curated",
+      "type": "skill",
+      "path": "skills/test.curated-not-approved",
+      "title": "Test: Curated Not Approved",
+      "purpose": "Triggers curated-not-approved gate (reviewStatus:candidate).",
+      "tags": ["frontend"],
+      "repoRoles": [],
+      "reviewStatus": "candidate",
+      "default": false,
+      "tokenEstimate": 100
+    },
+    {
+      "id": "test.curated-risk-blocked",
+      "source": "curated",
+      "type": "skill",
+      "path": "skills/test.curated-risk-blocked",
+      "title": "Test: Curated Risk Blocked",
+      "purpose": "Triggers curated-risk-blocked gate (reviewStatus:approved but riskLevel:blocked).",
+      "tags": ["frontend"],
+      "repoRoles": [],
+      "reviewStatus": "approved",
+      "riskLevel": "blocked",
+      "default": false,
+      "tokenEstimate": 100
+    },
+    {
+      "id": "test.env-management",
+      "source": "haus",
+      "type": "skill",
+      "path": "skills/test.env-management",
+      "title": "Test: Sensitive Secrets Item",
+      "purpose": "Triggers sensitive-policy gate (secrets in tags, matched by SENSITIVE_ITEM_KEYWORDS).",
+      "tags": ["secrets", "workflow"],
+      "repoRoles": [],
+      "default": false,
+      "tokenEstimate": 100
+    },
+    {
+      "id": "test.third-party-unapproved",
+      "source": "third-party-plugin",
+      "type": "skill",
+      "path": "skills/test.third-party-unapproved",
+      "title": "Test: Third-Party Unapproved",
+      "purpose": "Triggers source-approval gate (non-haus, non-curated, not in sources-report.json).",
+      "tags": ["typescript"],
+      "repoRoles": [],
+      "default": false,
+      "tokenEstimate": 100
+    },
+    {
+      "id": "test.requires-svelte",
+      "source": "haus",
+      "type": "skill",
+      "path": "skills/test.requires-svelte",
+      "title": "Test: Requires Svelte",
+      "purpose": "Triggers requiresAny unsatisfied gate when svelte not in context.",
+      "tags": ["svelte"],
+      "repoRoles": [],
+      "requiresAny": [{ "dependency": "svelte" }],
+      "default": false,
+      "tokenEstimate": 100
+    },
+    {
+      "id": "test.default-baseline",
+      "source": "haus",
+      "type": "skill",
+      "path": "skills/test.default-baseline",
+      "title": "Test: Default Baseline",
+      "purpose": "Passes all gates because default:true. Used to verify tokenEstimate is preserved.",
+      "tags": ["workflow"],
+      "repoRoles": [],
+      "default": true,
+      "tokenEstimate": 999
+    },
+    {
+      "id": "test.role-matched",
+      "source": "haus",
+      "type": "skill",
+      "path": "skills/test.role-matched",
+      "title": "Test: Role Matched",
+      "purpose": "Recommended when context has nextjs stack. Tests positive matching path.",
+      "tags": ["nextjs", "frontend"],
+      "repoRoles": ["next-app"],
+      "requiresAny": [{ "stack": "nextjs" }],
+      "default": false,
+      "tokenEstimate": 100
+    },
+    {
+      "id": "haus.nx21-monorepo-patterns",
+      "source": "haus",
+      "type": "skill",
+      "path": "skills/haus.nx21-monorepo-patterns",
+      "title": "Haus Nx 21 Monorepo Patterns",
+      "purpose": "Triggers required-role-missing gate when nx-monorepo role is absent. Hardcoded check in recommend().",
+      "tags": ["nx", "monorepo"],
+      "repoRoles": ["nx-monorepo"],
+      "requiresAny": [{ "stack": "nx" }],
+      "default": false,
+      "tokenEstimate": 100
+    }
+  ]
+}