@haus-tech/haus-workflow 0.14.0 → 0.15.0

package/dist/cli.js

@@ -6,8 +6,9 @@ import path34 from "path";
 import { Command } from "commander";
 
 // src/commands/apply.ts
-import path10 from "path";
+import path12 from "path";
 import checkbox from "@inquirer/checkbox";
+import fs11 from "fs-extra";
 
 // src/catalog/remote-catalog.ts
 import os from "os";
@@ -102,13 +103,20 @@ async function syncRemoteCatalog() {
     warn("Remote catalog fetch failed \u2014 using bundled catalog");
     return { newItems: [], unchanged: 0, failed: [] };
   }
-  await fs.ensureDir(CACHE_DIR);
-  await fs.writeFile(
-    path.join(CACHE_DIR, "manifest.json"),
-    `${JSON.stringify({ items }, null, 2)}
+  try {
+    await fs.ensureDir(CACHE_DIR);
+    await fs.writeFile(
+      path.join(CACHE_DIR, "manifest.json"),
+      `${JSON.stringify({ items }, null, 2)}
 `,
-    "utf8"
-  );
+      "utf8"
+    );
+  } catch (err) {
+    warn(
+      `Catalog cache not writable (${CACHE_DIR}) \u2014 skipping cache sync: ${err instanceof Error ? err.message : String(err)}`
+    );
+    return { newItems: [], unchanged: 0, failed: [] };
+  }
   const newItems = [];
   let unchanged = 0;
   const failed = [];
@@ -140,10 +148,15 @@ async function syncRemoteCatalog() {
         failed.push(item.id);
         continue;
       }
-      await fs.ensureDir(path.dirname(dest));
-      await fs.writeFile(dest, text, "utf8");
-      await downloadSkillReferences(item, destDir);
-      newItems.push(item.id);
+      try {
+        await fs.ensureDir(path.dirname(dest));
+        await fs.writeFile(dest, text, "utf8");
+        await downloadSkillReferences(item, destDir);
+        newItems.push(item.id);
+      } catch (err) {
+        warn(`Failed to cache ${item.id}: ${err instanceof Error ? err.message : String(err)}`);
+        failed.push(item.id);
+      }
     } else {
       const dest = safeJoin(CACHE_DIR, item.path);
       if (!dest) {
@@ -162,9 +175,14 @@ async function syncRemoteCatalog() {
         failed.push(item.id);
         continue;
       }
-      await fs.ensureDir(path.dirname(dest));
-      await fs.writeFile(dest, text, "utf8");
-      newItems.push(item.id);
+      try {
+        await fs.ensureDir(path.dirname(dest));
+        await fs.writeFile(dest, text, "utf8");
+        newItems.push(item.id);
+      } catch (err) {
+        warn(`Failed to cache ${item.id}: ${err instanceof Error ? err.message : String(err)}`);
+        failed.push(item.id);
+      }
     }
   }
   return { newItems, unchanged, failed };
@@ -193,13 +211,21 @@ async function getCacheManifestAge() {
   }
 }
 
-// src/claude/write-claude-files.ts
-import path9 from "path";
-import fs9 from "fs-extra";
+// src/install/allow-rules.ts
+var ALLOWED_SUBCOMMANDS = [
+  "setup-project",
+  "apply",
+  "doctor",
+  "scan",
+  "context",
+  "recommend"
+];
+function buildAllowRules() {
+  return [...new Set(ALLOWED_SUBCOMMANDS.map((sub) => `Bash(haus ${sub}:*)`))];
+}
 
-// src/update/hash-installed.ts
-import path3 from "path";
-import fg2 from "fast-glob";
+// src/install/settings-merge.ts
+import path4 from "path";
 import fs3 from "fs-extra";
 
 // src/utils/fs.ts
@@ -253,118 +279,181 @@ async function mapWithConcurrency(items, fn, concurrency = 24) {
   return results;
 }
 
-// src/update/hash-installed.ts
-var EMPTY_LOCK_PATHS_TOKEN = "haus-lock:empty-paths";
-async function hashInstalledPaths(root, relPaths) {
-  if (relPaths.length === 0) {
-    return hashText(EMPTY_LOCK_PATHS_TOKEN);
-  }
-  const normalized = [...new Set(relPaths.map((p) => p.replace(/\\/g, "/")))].sort();
-  const fileDigests = [];
-  for (const rel of normalized) {
-    const abs = path3.join(root, rel);
-    if (!await fs3.pathExists(abs)) continue;
-    const stat = await fs3.stat(abs);
-    if (stat.isFile()) {
-      const body = await fs3.readFile(abs, "utf8");
-      fileDigests.push({ rel, digest: hashText(body) });
-      continue;
-    }
-    if (!stat.isDirectory()) continue;
-    const inner = await fg2("**/*", { cwd: abs, onlyFiles: true, dot: true });
-    for (const sub of inner.sort()) {
-      const relFile = path3.join(rel, sub).replace(/\\/g, "/");
-      const absFile = path3.join(abs, sub);
-      const body = await fs3.readFile(absFile, "utf8");
-      fileDigests.push({ rel: relFile, digest: hashText(body) });
-    }
-  }
-  if (fileDigests.length === 0) {
-    return hashText(`${EMPTY_LOCK_PATHS_TOKEN}|${normalized.join("|")}`);
-  }
-  fileDigests.sort((a, b) => a.rel.localeCompare(b.rel));
-  return hashText(fileDigests.map((f) => `${f.rel}=${f.digest}`).join("|"));
+// src/install/manifest.ts
+import os2 from "os";
+import path3 from "path";
+var MANIFEST_SCHEMA = "haus-install-manifest/1";
+function globalClaudeDir() {
+  return path3.join(os2.homedir(), ".claude");
 }
-
-// src/utils/diff.ts
-import { createTwoFilesPatch } from "diff";
-function hasTextChanged(before, after) {
-  return before !== after;
+function hausManifestPath() {
+  return path3.join(globalClaudeDir(), "haus", "install-manifest.json");
 }
-function createUnifiedDiff(filePath, before, after) {
-  return createTwoFilesPatch(filePath, filePath, before, after, "before", "after", {
-    context: 3
-  });
+async function readManifest() {
+  return readJson(hausManifestPath());
 }
-function summarizeDiff(diffText) {
-  const lines = diffText.split("\n");
-  let additions = 0;
-  let deletions = 0;
-  for (const line2 of lines) {
-    if (line2.startsWith("+++ ") || line2.startsWith("--- ")) continue;
-    if (line2.startsWith("+")) additions += 1;
-    if (line2.startsWith("-")) deletions += 1;
-  }
-  return { additions, deletions };
+async function writeManifest(manifest) {
+  await writeJson(hausManifestPath(), manifest);
+}
+function buildManifest(source, files, hooks) {
+  return {
+    _schema: MANIFEST_SCHEMA,
+    source,
+    installedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    files,
+    hooks
+  };
 }
 
-// src/utils/paths.ts
-import { existsSync, readFileSync } from "fs";
-import os2 from "os";
-import path4 from "path";
-import { fileURLToPath } from "url";
-var HAUS_DIR = ".haus-workflow";
-function hausPath(root, ...parts) {
-  return path4.join(root, HAUS_DIR, ...parts);
+// src/install/settings-merge.ts
+function settingsJsonPath() {
+  return path4.join(globalClaudeDir(), "settings.json");
 }
-function claudePath(root, ...parts) {
-  return path4.join(root, ".claude", ...parts);
+async function readSettings() {
+  const parsed = await readJson(settingsJsonPath());
+  return parsed ?? {};
 }
-function displayPath(root, targetPath) {
-  const rel = path4.relative(root, targetPath).replace(/\\/g, "/");
-  if (rel && !rel.startsWith("../") && rel !== "..") {
-    return rel.startsWith("./") ? rel : `./${rel}`;
+async function writeSettings(settings) {
+  await writeJson(settingsJsonPath(), settings);
+}
+function mergeHooks(settings, fragments) {
+  const existing = settings._haus?.hooks ?? [];
+  const existingCommands = settings._haus?.hookCommands ?? [];
+  const existingSet = new Set(existing);
+  const updated = { ...settings };
+  updated.hooks = { ...settings.hooks ?? {} };
+  const addedIds = [];
+  const addedCommands = [];
+  for (const fragment of fragments) {
+    if (fragment.gate !== "keep") continue;
+    if (existingSet.has(fragment.id)) continue;
+    const event = fragment.event;
+    if (!updated.hooks[event]) updated.hooks[event] = [];
+    const entry = {
+      hooks: [{ type: "command", command: fragment.command }]
+    };
+    if (fragment.matcher) entry.matcher = fragment.matcher;
+    updated.hooks[event] = [...updated.hooks[event] ?? [], entry];
+    addedIds.push(fragment.id);
+    addedCommands.push(fragment.command);
   }
-  const home = os2.homedir();
-  const normalized = targetPath.replace(/\\/g, "/");
-  if (home && home.trim().length > 0) {
-    const homeRel = path4.relative(home, targetPath).replace(/\\/g, "/");
-    if (homeRel && !homeRel.startsWith("../") && homeRel !== "..") {
-      return `~/${homeRel}`;
-    }
+  updated._haus = {
+    hooks: [...existing, ...addedIds],
+    hookCommands: [...existingCommands, ...addedCommands],
+    // Preserve deny/allow tracking so hook, deny, and allow merges are order-independent.
+    ...settings._haus?.denyRules ? { denyRules: settings._haus.denyRules } : {},
+    ...settings._haus?.allowRules ? { allowRules: settings._haus.allowRules } : {}
+  };
+  return { settings: updated, addedIds };
+}
+function mergeDenyRules(settings, rules) {
+  const existingDeny = settings.permissions?.deny ?? [];
+  const seen = new Set(existingDeny);
+  const trackedDeny = settings._haus?.denyRules ?? [];
+  const addedRules = [];
+  for (const rule of rules) {
+    if (seen.has(rule)) continue;
+    seen.add(rule);
+    addedRules.push(rule);
   }
-  return normalized;
+  const updated = { ...settings };
+  updated.permissions = {
+    ...settings.permissions ?? {},
+    deny: [...existingDeny, ...addedRules]
+  };
+  updated._haus = {
+    hooks: settings._haus?.hooks ?? [],
+    ...settings._haus?.hookCommands ? { hookCommands: settings._haus.hookCommands } : {},
+    denyRules: [...trackedDeny, ...addedRules],
+    ...settings._haus?.allowRules ? { allowRules: settings._haus.allowRules } : {}
+  };
+  return { settings: updated, addedRules };
 }
-function packageRoot() {
-  let dir = path4.dirname(fileURLToPath(import.meta.url));
-  for (let i = 0; i < 12; i++) {
-    const pkgPath = path4.join(dir, "package.json");
-    if (existsSync(pkgPath)) {
-      try {
-        const pkg = JSON.parse(readFileSync(pkgPath, "utf8"));
-        if (pkg.name === "haus" || pkg.name === "@haus-tech/haus-workflow") return dir;
-      } catch {
-      }
-    }
-    const parent = path4.dirname(dir);
-    if (parent === dir) break;
-    dir = parent;
+function mergeAllowRules(settings, rules) {
+  const existingAllow = settings.permissions?.allow ?? [];
+  const seen = new Set(existingAllow);
+  const trackedAllow = settings._haus?.allowRules ?? [];
+  const addedRules = [];
+  for (const rule of rules) {
+    if (seen.has(rule)) continue;
+    seen.add(rule);
+    addedRules.push(rule);
   }
-  const file = fileURLToPath(import.meta.url);
-  return path4.resolve(path4.dirname(file), "../..");
+  const updated = { ...settings };
+  updated.permissions = {
+    ...settings.permissions ?? {},
+    allow: [...existingAllow, ...addedRules]
+  };
+  updated._haus = {
+    hooks: settings._haus?.hooks ?? [],
+    ...settings._haus?.hookCommands ? { hookCommands: settings._haus.hookCommands } : {},
+    ...settings._haus?.denyRules ? { denyRules: settings._haus.denyRules } : {},
+    allowRules: [...trackedAllow, ...addedRules]
+  };
+  return { settings: updated, addedRules };
 }
-
-// src/claude/load-hooks-config.ts
-import path5 from "path";
-var CONFIG_PATH = ".haus-workflow/config.json";
-var DEFAULT_HOOKS_CONFIG = {
-  hooks: {
-    context: { enabled: false }
+function stripHausAllow(settings) {
+  const prevHaus = settings._haus;
+  if (!prevHaus?.allowRules || prevHaus.allowRules.length === 0) return settings;
+  const ownedSet = new Set(prevHaus.allowRules);
+  const updated = { ...settings };
+  const remainingAllow = (settings.permissions?.allow ?? []).filter((rule) => !ownedSet.has(rule));
+  const permissions = { ...settings.permissions ?? {} };
+  if (remainingAllow.length > 0) permissions.allow = remainingAllow;
+  else delete permissions.allow;
+  if (Object.keys(permissions).length > 0) updated.permissions = permissions;
+  else delete updated.permissions;
+  const haus = { ...prevHaus };
+  delete haus.allowRules;
+  const stillTracking = (haus.hooks?.length ?? 0) > 0 || (haus.hookCommands?.length ?? 0) > 0 || (haus.denyRules?.length ?? 0) > 0;
+  if (stillTracking) updated._haus = haus;
+  else delete updated._haus;
+  return updated;
+}
+function stripHausDeny(settings) {
+  const prevHaus = settings._haus;
+  if (!prevHaus?.denyRules || prevHaus.denyRules.length === 0) return settings;
+  const ownedSet = new Set(prevHaus.denyRules);
+  const updated = { ...settings };
+  const remainingDeny = (settings.permissions?.deny ?? []).filter((rule) => !ownedSet.has(rule));
+  const permissions = { ...settings.permissions ?? {} };
+  if (remainingDeny.length > 0) permissions.deny = remainingDeny;
+  else delete permissions.deny;
+  if (Object.keys(permissions).length > 0) updated.permissions = permissions;
+  else delete updated.permissions;
+  const haus = { ...prevHaus };
+  delete haus.denyRules;
+  const stillTracking = (haus.hooks?.length ?? 0) > 0 || (haus.hookCommands?.length ?? 0) > 0 || (haus.allowRules?.length ?? 0) > 0;
+  if (stillTracking) updated._haus = haus;
+  else delete updated._haus;
+  return updated;
+}
+function stripHausHooks(settings) {
+  if (!settings._haus) return settings;
+  const ownedCommands = new Set(settings._haus.hookCommands ?? []);
+  const usePrefix = ownedCommands.size === 0;
+  const updated = { ...settings };
+  updated.hooks = {};
+  for (const [event, entries] of Object.entries(settings.hooks ?? {})) {
+    const kept = entries.filter((entry) => {
+      const cmd = entry.hooks[0]?.command ?? "";
+      return usePrefix ? !cmd.startsWith("haus ") : !ownedCommands.has(cmd);
+    });
+    if (kept.length > 0) updated.hooks[event] = kept;
   }
-};
-async function isHookEnabled(root, key) {
-  const cfg = await readJson(path5.join(root, CONFIG_PATH));
-  return cfg?.hooks?.[key]?.enabled === true;
+  const { _haus: _, ...rest } = updated;
+  void _;
+  return rest;
+}
+async function loadHooksFragment(fragmentPath) {
+  let raw;
+  try {
+    raw = await fs3.readJson(fragmentPath);
+  } catch {
+    return [];
+  }
+  const data = raw;
+  return Array.isArray(data?.hooks) ? data.hooks : [];
 }
 
 // src/security/dangerous-commands.ts
@@ -458,6 +547,173 @@ function buildDenyRules() {
   return [...new Set(rules)];
 }
 
+// src/utils/paths.ts
+import { existsSync, readFileSync } from "fs";
+import os3 from "os";
+import path5 from "path";
+import { fileURLToPath } from "url";
+var HAUS_DIR = ".haus-workflow";
+function hausPath(root, ...parts) {
+  return path5.join(root, HAUS_DIR, ...parts);
+}
+function claudePath(root, ...parts) {
+  return path5.join(root, ".claude", ...parts);
+}
+function displayPath(root, targetPath) {
+  const rel = path5.relative(root, targetPath).replace(/\\/g, "/");
+  if (rel && !rel.startsWith("../") && rel !== "..") {
+    return rel.startsWith("./") ? rel : `./${rel}`;
+  }
+  const home = os3.homedir();
+  const normalized = targetPath.replace(/\\/g, "/");
+  if (home && home.trim().length > 0) {
+    const homeRel = path5.relative(home, targetPath).replace(/\\/g, "/");
+    if (homeRel && !homeRel.startsWith("../") && homeRel !== "..") {
+      return `~/${homeRel}`;
+    }
+  }
+  return normalized;
+}
+function packageRoot() {
+  let dir = path5.dirname(fileURLToPath(import.meta.url));
+  for (let i = 0; i < 12; i++) {
+    const pkgPath = path5.join(dir, "package.json");
+    if (existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(readFileSync(pkgPath, "utf8"));
+        if (pkg.name === "haus" || pkg.name === "@haus-tech/haus-workflow") return dir;
+      } catch {
+      }
+    }
+    const parent = path5.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  const file = fileURLToPath(import.meta.url);
+  return path5.resolve(path5.dirname(file), "../..");
+}
+
+// src/claude/merge-project-settings.ts
+var PROJECT_HOOK_FRAGMENTS = [
+  {
+    id: "haus.context-hook",
+    gate: "keep",
+    event: "UserPromptSubmit",
+    command: "haus context --from-hook || true"
+  },
+  {
+    id: "haus.guard-file",
+    gate: "keep",
+    event: "PreToolUse",
+    matcher: "Read|Edit|Write",
+    command: "haus guard file-access --from-hook || true"
+  },
+  {
+    id: "haus.guard-bash",
+    gate: "keep",
+    event: "PreToolUse",
+    matcher: "Bash",
+    command: "haus guard bash --from-hook || true"
+  }
+];
+async function readProjectSettings(root) {
+  const parsed = await readJson(claudePath(root, "settings.json"));
+  return parsed ?? {};
+}
+async function writeProjectSettings(root, settings) {
+  await writeJson(claudePath(root, "settings.json"), settings);
+}
+async function mergeProjectSettings(root) {
+  const base = await readProjectSettings(root);
+  const { settings: withHooks } = mergeHooks(base, PROJECT_HOOK_FRAGMENTS);
+  const { settings: withDeny } = mergeDenyRules(withHooks, buildDenyRules());
+  const { settings: merged } = mergeAllowRules(withDeny, buildAllowRules());
+  return merged;
+}
+async function applyProjectSettingsMerge(root) {
+  const merged = await mergeProjectSettings(root);
+  await writeProjectSettings(root, merged);
+  return merged;
+}
+
+// src/claude/write-claude-files.ts
+import path11 from "path";
+import fs10 from "fs-extra";
+
+// src/update/hash-installed.ts
+import path6 from "path";
+import fg2 from "fast-glob";
+import fs4 from "fs-extra";
+var EMPTY_LOCK_PATHS_TOKEN = "haus-lock:empty-paths";
+async function hashInstalledPaths(root, relPaths) {
+  if (relPaths.length === 0) {
+    return hashText(EMPTY_LOCK_PATHS_TOKEN);
+  }
+  const normalized = [...new Set(relPaths.map((p) => p.replace(/\\/g, "/")))].sort();
+  const fileDigests = [];
+  for (const rel of normalized) {
+    const abs = path6.join(root, rel);
+    if (!await fs4.pathExists(abs)) continue;
+    const stat = await fs4.stat(abs);
+    if (stat.isFile()) {
+      const body = await fs4.readFile(abs, "utf8");
+      fileDigests.push({ rel, digest: hashText(body) });
+      continue;
+    }
+    if (!stat.isDirectory()) continue;
+    const inner = await fg2("**/*", { cwd: abs, onlyFiles: true, dot: true });
+    for (const sub of inner.sort()) {
+      const relFile = path6.join(rel, sub).replace(/\\/g, "/");
+      const absFile = path6.join(abs, sub);
+      const body = await fs4.readFile(absFile, "utf8");
+      fileDigests.push({ rel: relFile, digest: hashText(body) });
+    }
+  }
+  if (fileDigests.length === 0) {
+    return hashText(`${EMPTY_LOCK_PATHS_TOKEN}|${normalized.join("|")}`);
+  }
+  fileDigests.sort((a, b) => a.rel.localeCompare(b.rel));
+  return hashText(fileDigests.map((f) => `${f.rel}=${f.digest}`).join("|"));
+}
+
+// src/utils/diff.ts
+import { createTwoFilesPatch } from "diff";
+function hasTextChanged(before, after) {
+  return before !== after;
+}
+function createUnifiedDiff(filePath, before, after) {
+  return createTwoFilesPatch(filePath, filePath, before, after, "before", "after", {
+    context: 3
+  });
+}
+function summarizeDiff(diffText) {
+  const lines = diffText.split("\n");
+  let additions = 0;
+  let deletions = 0;
+  for (const line2 of lines) {
+    if (line2.startsWith("+++ ") || line2.startsWith("--- ")) continue;
+    if (line2.startsWith("+")) additions += 1;
+    if (line2.startsWith("-")) deletions += 1;
+  }
+  return { additions, deletions };
+}
+
+// src/claude/load-hooks-config.ts
+import path7 from "path";
+var CONFIG_PATH = ".haus-workflow/config.json";
+var DEFAULT_HOOKS_CONFIG = {
+  hooks: {
+    context: { enabled: false }
+  }
+};
+async function isHookEnabled(root, key) {
+  const cfg = await readJson(path7.join(root, CONFIG_PATH));
+  return cfg?.hooks?.[key]?.enabled === true;
+}
+
+// src/claude/verify-hooks-contract.ts
+import fs5 from "fs-extra";
+
 // src/claude/load-hooks.ts
 var CANONICAL_HOOKS = {
   hooks: {
@@ -505,24 +761,52 @@ function flattenRecommendedHooks(settings) {
 }
 
 // src/claude/verify-hooks-contract.ts
-import { isDeepStrictEqual } from "util";
-import fs4 from "fs-extra";
-async function assertPostApplySettingsMatchCanonical(root, canonical) {
+function collectHookCommands(settings) {
+  const cmds = [];
+  for (const entries of Object.values(settings.hooks ?? {})) {
+    for (const entry of entries) {
+      for (const h of entry.hooks ?? []) {
+        if (h.command) cmds.push(h.command);
+      }
+    }
+  }
+  return cmds;
+}
+function hausHookContractSatisfied(project, canonical) {
+  const present = new Set(collectHookCommands(project));
+  for (const block of canonical.hooks.UserPromptSubmit) {
+    for (const h of block.hooks) {
+      if (!present.has(h.command)) return false;
+    }
+  }
+  for (const block of canonical.hooks.PreToolUse) {
+    for (const h of block.hooks) {
+      if (!present.has(h.command)) return false;
+    }
+  }
+  const denySet = new Set(project.permissions?.deny ?? []);
+  for (const rule of canonical.permissions?.deny ?? []) {
+    if (!denySet.has(rule)) return false;
+  }
+  return true;
+}
+async function assertPostApplySettingsHausContract(root) {
+  const canonical = await loadClaudeHooksSettings();
   const written = await readJson(claudePath(root, "settings.json"));
   if (written == null || typeof written !== "object") {
     throw new Error(
       "haus: post-apply self-check failed: .claude/settings.json missing or unreadable"
     );
   }
-  if (!isDeepStrictEqual(canonical, written)) {
+  if (!hausHookContractSatisfied(written, canonical)) {
     throw new Error(
-      "haus: post-apply self-check failed: .claude/settings.json does not match canonical hook contract"
+      "haus: post-apply self-check failed: .claude/settings.json missing required haus hooks or deny rules"
     );
   }
 }
 async function verifyProjectSettingsHooksContract(root) {
   const settingsPath = claudePath(root, "settings.json");
-  if (!await fs4.pathExists(settingsPath)) {
+  if (!await fs5.pathExists(settingsPath)) {
     return {
       ok: true,
       skipped: true,
@@ -539,18 +823,18 @@ async function verifyProjectSettingsHooksContract(root) {
   if (project == null || typeof project !== "object") {
     return { ok: false, message: ".claude/settings.json is unreadable." };
   }
-  if (!isDeepStrictEqual(canonical, project)) {
+  if (!hausHookContractSatisfied(project, canonical)) {
     return {
       ok: false,
-      message: ".claude/settings.json drifts from canonical hook config (regenerate with `haus apply --write`)."
+      message: ".claude/settings.json missing required haus hooks or deny rules (regenerate with `haus apply --write`)."
     };
   }
-  return { ok: true, message: "settings.json matches canonical hook contract." };
+  return { ok: true, message: "settings.json carries required haus hook contract." };
 }
 
 // src/claude/write-root-claude-md.ts
-import path6 from "path";
-import fs5 from "fs-extra";
+import path8 from "path";
+import fs6 from "fs-extra";
 var BLOCK_BEGIN = "<!-- HAUS:BEGIN haus-imports v=1 -->";
 var BLOCK_END = "<!-- HAUS:END haus-imports -->";
 var IMPORT_CONTENT = `@.haus-workflow/WORKFLOW.md
@@ -560,6 +844,16 @@ function buildImportBlock() {
 ${IMPORT_CONTENT}
 ${BLOCK_END}`;
 }
+function stripHausBlock(existing) {
+  const beginIdx = existing.indexOf(BLOCK_BEGIN);
+  const endIdx = existing.indexOf(BLOCK_END);
+  if (beginIdx === -1 || endIdx === -1 || endIdx <= beginIdx) return existing;
+  const before = existing.slice(0, beginIdx);
+  const after = existing.slice(endIdx + BLOCK_END.length);
+  const merged = `${before}${after}`.replace(/\n{3,}/g, "\n\n").trimEnd();
+  return merged.length > 0 ? `${merged}
+` : "";
+}
 function injectHausBlock(existing, block) {
   const beginIdx = existing.indexOf(BLOCK_BEGIN);
   const endIdx = existing.indexOf(BLOCK_END);
@@ -579,9 +873,9 @@ ${block}
 `;
 }
 async function writeRootClaudeMd(root, dryRun) {
-  const filePath = path6.join(root, "CLAUDE.md");
+  const filePath = path8.join(root, "CLAUDE.md");
   const block = buildImportBlock();
-  const prev = await fs5.pathExists(filePath) ? await fs5.readFile(filePath, "utf8") : "";
+  const prev = await fs6.pathExists(filePath) ? await fs6.readFile(filePath, "utf8") : "";
   const next = injectHausBlock(prev, block);
   const printable = displayPath(root, filePath);
   if (dryRun) {
@@ -604,12 +898,12 @@ async function writeRootClaudeMd(root, dryRun) {
 }
 
 // src/claude/write-workflow-config.ts
-import path8 from "path";
-import fs7 from "fs-extra";
+import path10 from "path";
+import fs8 from "fs-extra";
 
 // src/claude/derive-workflow-config.ts
-import path7 from "path";
-import fs6 from "fs-extra";
+import path9 from "path";
+import fs7 from "fs-extra";
 function binCmd(pm, bin, args) {
   const tail = args ? ` ${args}` : "";
   if (pm === "yarn") return `yarn ${bin}${tail}`;
@@ -618,7 +912,7 @@ function binCmd(pm, bin, args) {
 }
 async function deriveWorkflowConfig(root, ctx) {
   const pm = ctx.packageManager === "unknown" ? "npm" : ctx.packageManager;
-  const pkg = await readJson(path7.join(root, "package.json"));
+  const pkg = await readJson(path9.join(root, "package.json"));
   const scripts = pkg?.scripts ?? {};
   const deps = new Set(ctx.dependencies);
   const stacks = Object.values(ctx.detectedStacks ?? {}).flat();
@@ -628,7 +922,7 @@ async function deriveWorkflowConfig(root, ctx) {
     return null;
   };
   const hasDep = (name) => deps.has(name);
-  const exists = (rel) => fs6.pathExistsSync(path7.join(root, rel));
+  const exists = (rel) => fs7.pathExistsSync(path9.join(root, rel));
   const hasPlaywright = hasDep("@playwright/test") || stacks.includes("playwright");
   const hasCypress = hasDep("cypress");
   const preCommitTool = exists("lefthook.yml") || exists("lefthook.yaml") ? "lefthook" : exists(".husky") || hasDep("husky") || (scripts.prepare ?? "").includes("husky") ? "husky" : exists(".pre-commit-config.yaml") ? "pre-commit (Python framework)" : null;
@@ -697,7 +991,7 @@ var FALLBACK_CONTEXT = {
 async function writeWorkflowConfig(root, dryRun, opts = {}) {
   const destPath = hausPath(root, "workflow-config.md");
   const printable = displayPath(root, destPath);
-  const exists = await fs7.pathExists(destPath);
+  const exists = await fs8.pathExists(destPath);
   if (exists && !opts.refill) {
     if (dryRun) log(printable + ": exists (project-owned, skipping)");
     return null;
@@ -705,11 +999,11 @@ async function writeWorkflowConfig(root, dryRun, opts = {}) {
   const ctx = await readJson(hausPath(root, "context-map.json")) ?? {
     ...FALLBACK_CONTEXT,
     root,
-    repoName: path8.basename(root)
+    repoName: path10.basename(root)
   };
   const values = await deriveWorkflowConfig(root, ctx);
   if (exists) {
-    const current = await fs7.readFile(destPath, "utf8");
+    const current = await fs8.readFile(destPath, "utf8");
     const refilled = refillContent(current, values);
     if (refilled === current) {
       if (dryRun) log(printable + ": no blank fields to refill");
@@ -731,7 +1025,7 @@ async function writeWorkflowConfig(root, dryRun, opts = {}) {
 }
 
 // src/claude/write-workflow.ts
-import fs8 from "fs-extra";
+import fs9 from "fs-extra";
 
 // src/claude/managed-template.ts
 function normaliseLF(content2) {
@@ -764,8 +1058,8 @@ async function writeWorkflow(root, pkgVersion, dryRun) {
 ${templateContent}`;
   const destPath = hausPath(root, "WORKFLOW.md");
   const printable = displayPath(root, destPath);
-  if (await fs8.pathExists(destPath)) {
-    const existing = await fs8.readFile(destPath, "utf8");
+  if (await fs9.pathExists(destPath)) {
+    const existing = await fs9.readFile(destPath, "utf8");
     const firstLine = existing.split("\n")[0] ?? "";
     const parsed = parseHausManagedHeader(firstLine);
     if (!parsed) {
@@ -787,7 +1081,7 @@ ${templateContent}`;
     }
   }
   if (dryRun) {
-    const prev = await fs8.pathExists(destPath) ? await fs8.readFile(destPath, "utf8") : "";
+    const prev = await fs9.pathExists(destPath) ? await fs9.readFile(destPath, "utf8") : "";
     if (!prev) {
       log(createUnifiedDiff(printable, "", next));
     } else {
@@ -814,7 +1108,7 @@ async function writeClaudeFiles(root, dryRun, selectedIds, opts = {}) {
     estimatedTokenReductionPct: 0
   };
   const pkgRoot = packageRoot();
-  const hausVersion2 = (await readJson(path9.join(pkgRoot, "package.json")))?.version ?? "0.0.0";
+  const hausVersion2 = (await readJson(path11.join(pkgRoot, "package.json")))?.version ?? "0.0.0";
   const coreFiles = [
     claudePath(root, "settings.json"),
     claudePath(root, "rules", "haus.md"),
@@ -838,11 +1132,15 @@ async function writeClaudeFiles(root, dryRun, selectedIds, opts = {}) {
     hausPath(root, "selected-context.json"),
     hausPath(root, "haus.lock.json")
   ];
-  const hookSettings = await loadClaudeHooksSettings();
-  await writeManagedJson(root, claudePath(root, "settings.json"), hookSettings, dryRun);
-  if (!dryRun) await assertPostApplySettingsMatchCanonical(root, hookSettings);
+  if (dryRun) {
+    const mergedSettings = await mergeProjectSettings(root);
+    await writeManagedJson(root, claudePath(root, "settings.json"), mergedSettings, true);
+  } else {
+    await applyProjectSettingsMerge(root);
+    await assertPostApplySettingsHausContract(root);
+  }
   const configPath = hausPath(root, "config.json");
-  if (!await fs9.pathExists(configPath)) {
+  if (!await fs10.pathExists(configPath)) {
     await writeManagedJson(root, configPath, DEFAULT_HOOKS_CONFIG, dryRun);
   }
   await writeManagedText(
@@ -870,12 +1168,12 @@ async function writeClaudeFiles(root, dryRun, selectedIds, opts = {}) {
     dryRun
   );
   const fixtureManifestPath = process.env["HAUS_FIXTURE_CATALOG"];
-  const manifestPath2 = fixtureManifestPath ?? path9.join(pkgRoot, "library", "catalog", "manifest.json");
-  const manifestDir = path9.dirname(manifestPath2);
+  const manifestPath2 = fixtureManifestPath ?? path11.join(pkgRoot, "library", "catalog", "manifest.json");
+  const manifestDir = path11.dirname(manifestPath2);
   const manifest = await readJson(manifestPath2) ?? { items: [] };
   const manifestById = new Map((manifest.items ?? []).map((item) => [item.id, item]));
   const cacheManifest = await readJson(
-    path9.join(CACHE_DIR, "manifest.json")
+    path11.join(CACHE_DIR, "manifest.json")
   );
   const cacheManifestById = new Map((cacheManifest?.items ?? []).map((item) => [item.id, item]));
   const installedPathsByItem = /* @__PURE__ */ new Map();
@@ -897,23 +1195,23 @@ async function writeClaudeFiles(root, dryRun, selectedIds, opts = {}) {
       }
     }
     const cachedItem = cacheManifestById.get(item.id);
-    const cachePath = cachedItem?.path ? path9.join(CACHE_DIR, cachedItem.path) : null;
-    const sourcePath = cachePath && await fs9.pathExists(cachePath) ? cachePath : path9.join(manifestDir, manifestItem.path);
+    const cachePath = cachedItem?.path ? path11.join(CACHE_DIR, cachedItem.path) : null;
+    const sourcePath = cachePath && await fs10.pathExists(cachePath) ? cachePath : path11.join(manifestDir, manifestItem.path);
     const target = item.type === "agent" ? "agents" : item.type === "template" ? "templates" : "skills";
-    const destination = claudePath(root, target, path9.basename(sourcePath));
-    if (await fs9.pathExists(sourcePath)) {
+    const destination = claudePath(root, target, path11.basename(sourcePath));
+    if (await fs10.pathExists(sourcePath)) {
       if (dryRun) {
-        const exists = await fs9.pathExists(destination);
+        const exists = await fs10.pathExists(destination);
         log(
           `${displayPath(root, destination)}: ${exists ? "would overwrite" : "would create"} (${item.id})`
         );
       } else {
-        await fs9.ensureDir(path9.dirname(destination));
-        await fs9.copy(sourcePath, destination, { overwrite: true, errorOnExist: false });
+        await fs10.ensureDir(path11.dirname(destination));
+        await fs10.copy(sourcePath, destination, { overwrite: true, errorOnExist: false });
       }
       files.push(destination);
       const current = installedPathsByItem.get(item.id) ?? [];
-      installedPathsByItem.set(item.id, [...current, path9.relative(root, destination)]);
+      installedPathsByItem.set(item.id, [...current, path11.relative(root, destination)]);
       installedIds.add(item.id);
     } else {
       warn(
@@ -964,7 +1262,7 @@ async function writeClaudeFiles(root, dryRun, selectedIds, opts = {}) {
   return [...new Set(files)];
 }
 async function writeManagedText(root, filePath, nextText, dryRun) {
-  const prev = await fs9.pathExists(filePath) ? await fs9.readFile(filePath, "utf8") : "";
+  const prev = await fs10.pathExists(filePath) ? await fs10.readFile(filePath, "utf8") : "";
   const printable = displayPath(root, filePath);
   if (dryRun) {
     if (!prev) {
@@ -991,7 +1289,7 @@ async function writeManagedJson(root, filePath, value, dryRun) {
 
 // src/commands/apply.ts
 async function cacheHasItems() {
-  const data = await readJson(path10.join(CACHE_DIR, "manifest.json"));
+  const data = await readJson(path12.join(CACHE_DIR, "manifest.json"));
   return Array.isArray(data?.items) && data.items.length > 0;
 }
 async function runApply(options) {
@@ -1058,11 +1356,23 @@ async function runApply(options) {
     files.forEach((f) => log(`- ${displayPath(root, f)}`));
   }
 }
+async function isHausProject(root) {
+  if (await fs11.pathExists(hausPath(root, "recommendation.json"))) return true;
+  if (await fs11.pathExists(claudePath(root, "settings.json"))) {
+    const settings = await readProjectSettings(root);
+    if (settings._haus != null) return true;
+  }
+  return false;
+}
+async function refreshProjectApply(root) {
+  if (!await isHausProject(root)) return [];
+  return writeClaudeFiles(root, false, void 0, { refillConfig: false });
+}
 
 // src/catalog/load-catalog.ts
-import os3 from "os";
-import path11 from "path";
-var CACHE_MANIFEST = path11.join(os3.homedir(), CATALOG_CACHE_SUBDIR, "manifest.json");
+import os4 from "os";
+import path13 from "path";
+var CACHE_MANIFEST = path13.join(os4.homedir(), CATALOG_CACHE_SUBDIR, "manifest.json");
 async function loadCatalog(root) {
   const envPath = process.env["HAUS_FIXTURE_CATALOG"];
   if (envPath) {
@@ -1071,10 +1381,10 @@ async function loadCatalog(root) {
   }
   const cacheData = await readJson(CACHE_MANIFEST);
   if (cacheData?.items?.length) return cacheData.items;
-  const localManifest = path11.join(root, "library/catalog/manifest.json");
+  const localManifest = path13.join(root, "library/catalog/manifest.json");
   const localData = await readJson(localManifest);
   if (localData?.items?.length) return localData.items;
-  const packageManifest = path11.join(packageRoot(), "library/catalog/manifest.json");
+  const packageManifest = path13.join(packageRoot(), "library/catalog/manifest.json");
   const data = await readJson(packageManifest);
   return data?.items ?? [];
 }
@@ -1284,7 +1594,7 @@ async function runCatalogAudit() {
 }
 
 // src/commands/config.ts
-import path12 from "path";
+import path14 from "path";
 var CONFIG_PATH2 = ".haus-workflow/config.json";
 var HOOK_ALIASES = {
   "hook.context": "context"
@@ -1297,7 +1607,7 @@ async function runConfig(key, action) {
     );
   }
   const root = process.cwd();
-  const configPath = path12.join(root, CONFIG_PATH2);
+  const configPath = path14.join(root, CONFIG_PATH2);
   const existing = await readJson(configPath);
   const cfg = existing ?? structuredClone(DEFAULT_HOOKS_CONFIG);
   cfg.hooks ??= {};
@@ -1669,7 +1979,7 @@ function selectRules(recommended, task, taskIntents) {
 
 // src/scanner/scan-project.ts
 import { readFile as readFile2 } from "fs/promises";
-import path16 from "path";
+import path18 from "path";
 
 // src/utils/audit-checks.ts
 function isRecord(v) {
@@ -1696,8 +2006,8 @@ function compareVersions(a, b) {
 }
 
 // src/scanner/detect-package-manager.ts
-import path13 from "path";
-import fs10 from "fs-extra";
+import path15 from "path";
+import fs12 from "fs-extra";
 function detectPackageManager(root, packageManagerField) {
   const field = String(packageManagerField ?? "").trim();
   if (field.startsWith("yarn@")) {
@@ -1715,9 +2025,9 @@ function detectPackageManager(root, packageManagerField) {
     if (satisfiesVersion(version, ">=9")) return "npm";
     return "unknown";
   }
-  if (fs10.existsSync(path13.join(root, "yarn.lock"))) return "yarn";
-  if (fs10.existsSync(path13.join(root, "pnpm-lock.yaml"))) return "pnpm";
-  if (fs10.existsSync(path13.join(root, "package-lock.json"))) return "npm";
+  if (fs12.existsSync(path15.join(root, "yarn.lock"))) return "yarn";
+  if (fs12.existsSync(path15.join(root, "pnpm-lock.yaml"))) return "pnpm";
+  if (fs12.existsSync(path15.join(root, "package-lock.json"))) return "npm";
   return "unknown";
 }
 
@@ -1890,7 +2200,7 @@ function runDetection(ctx, rules = STACK_RULES) {
 }
 
 // src/scanner/detection.ts
-import path14 from "path";
+import path16 from "path";
 var UNSUPPORTED_MARKERS = {
   "requirements.txt": "python",
   "pyproject.toml": "python",
@@ -1944,14 +2254,14 @@ function finalizeRoles(registryRoles, deps, files) {
 function collectUnsupportedSignals(files) {
   return [
     ...new Set(
-      files.map((f) => UNSUPPORTED_MARKERS[path14.basename(f)]).filter((s) => Boolean(s))
+      files.map((f) => UNSUPPORTED_MARKERS[path16.basename(f)]).filter((s) => Boolean(s))
     )
   ].sort();
 }
 
 // src/scanner/render.ts
 import { readFile } from "fs/promises";
-import path15 from "path";
+import path17 from "path";
 
 // src/scanner/role-labels.ts
 var ROLE_LABELS = {
@@ -2013,7 +2323,7 @@ async function buildContentBlob(root, files) {
   const slice = candidates.slice(0, 300);
   const parts = await mapWithConcurrency(slice, async (rel) => {
     try {
-      return await readFile(path15.join(root, rel), "utf8");
+      return await readFile(path17.join(root, rel), "utf8");
     } catch {
       return "";
     }
@@ -2079,8 +2389,8 @@ var SAFE_FILES = [
   "Gemfile"
 ];
 async function scanProject(root, mode = "fast") {
-  const pkg = await readJson(path16.join(root, "package.json"));
-  const composer = await readJson(path16.join(root, "composer.json"));
+  const pkg = await readJson(path18.join(root, "package.json"));
+  const composer = await readJson(path18.join(root, "composer.json"));
   const files = await listFiles(root, SAFE_FILES);
   const safeFiles = files.filter((f) => !blocked(f));
   const deps = dependencySet(pkg, composer);
@@ -2114,7 +2424,7 @@ async function scanProject(root, mode = "fast") {
     mode,
     generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
     root,
-    repoName: String(pkg?.name ?? path16.basename(root)),
+    repoName: String(pkg?.name ?? path18.basename(root)),
     packageManager,
     repoRoles: roles,
     detectedStacks: stacks,
@@ -2132,7 +2442,7 @@ async function scanProject(root, mode = "fast") {
   const scanHashes = Object.fromEntries(
     await mapWithConcurrency(
       safeFiles,
-      async (f) => [f, hashText(await readFile2(path16.join(root, f), "utf8"))]
+      async (f) => [f, hashText(await readFile2(path18.join(root, f), "utf8"))]
     )
   );
   const repoSummary = renderSummary(context);
@@ -2204,8 +2514,8 @@ async function runContext(options) {
 }
 
 // src/commands/doctor.ts
-import path17 from "path";
-import fs11 from "fs-extra";
+import path19 from "path";
+import fs13 from "fs-extra";
 
 // src/update/npm-version.ts
 var NPM_PACKAGE_NAME = "@haus-tech/haus-workflow";
@@ -2285,7 +2595,7 @@ async function runDoctor(options) {
     const enabled = await isHookEnabled(root, key);
     ok(`- HOOK ${key}: ${enabled ? "enabled" : "disabled (default)"}`);
   }
-  const rootClaudeMdPath = path17.join(root, "CLAUDE.md");
+  const rootClaudeMdPath = path19.join(root, "CLAUDE.md");
   const rootClaudeMdContent = await readText(rootClaudeMdPath);
   if (!rootClaudeMdContent) {
     flag(
@@ -2313,7 +2623,7 @@ async function runDoctor(options) {
       const block = rootClaudeMdContent.slice(beginIdx, endIdx + BLOCK_END.length);
       const importTargets = [...block.matchAll(/@\.haus-workflow\/(\S+)/g)].map((m) => m[1]);
       for (const target of importTargets) {
-        if (!await fs11.pathExists(hausPath(root, target))) {
+        if (!await fs13.pathExists(hausPath(root, target))) {
           flag(
             `- CLAUDE.md import: @.haus-workflow/${target} does not resolve (run \`haus apply --write\`)`,
             `A file CLAUDE.md links to (${target}) is missing, so part of the guidance won't load`,
@@ -2324,7 +2634,7 @@ async function runDoctor(options) {
     }
   }
   const workflowPath = hausPath(root, "WORKFLOW.md");
-  const workflowExists = await fs11.pathExists(workflowPath);
+  const workflowExists = await fs13.pathExists(workflowPath);
   if (!workflowExists) {
     flag(
       "- .haus-workflow/WORKFLOW.md: missing (run `haus apply --write`)",
@@ -2338,15 +2648,15 @@ async function runDoctor(options) {
       ok("- .haus-workflow/WORKFLOW.md: OK (user-owned)");
     } else {
       const storedHashMatch = firstLine.match(/hash=(sha256-[a-f0-9]+)/);
-      const cachePath = path17.join(CACHE_DIR, "templates/agentic-workflow-standard.md");
-      const bundledPath = path17.join(
+      const cachePath = path19.join(CACHE_DIR, "templates/agentic-workflow-standard.md");
+      const bundledPath = path19.join(
         packageRoot(),
         "library",
         "global",
         "templates",
         "agentic-workflow-standard.md"
       );
-      const templatePath = await fs11.pathExists(cachePath) ? cachePath : bundledPath;
+      const templatePath = await fs13.pathExists(cachePath) ? cachePath : bundledPath;
       const templateContent = await readText(templatePath);
       if (storedHashMatch && templateContent) {
         const currentHash = hashText(normaliseLF(templateContent));
@@ -2365,7 +2675,7 @@ async function runDoctor(options) {
     }
   }
   const workflowConfigPath = hausPath(root, "workflow-config.md");
-  const workflowConfigExists = await fs11.pathExists(workflowConfigPath);
+  const workflowConfigExists = await fs13.pathExists(workflowConfigPath);
   if (!workflowConfigExists) {
     flag(
       "- .haus-workflow/workflow-config.md: missing (run `haus apply --write`)",
@@ -2373,7 +2683,7 @@ async function runDoctor(options) {
       "haus apply --write"
     );
   } else {
-    const cfg = await fs11.readFile(workflowConfigPath, "utf8");
+    const cfg = await fs13.readFile(workflowConfigPath, "utf8");
     const unfilled = cfg.split("\n").filter((l) => l.includes("<!-- fill in")).length;
     if (unfilled > 0) {
       flag(
@@ -2404,7 +2714,7 @@ async function runDoctor(options) {
       ok(`- CATALOG CACHE: OK (${cacheAgeDays}d old)`);
     }
   }
-  const pkgJson = await readJson(path17.join(packageRoot(), "package.json"));
+  const pkgJson = await readJson(path19.join(packageRoot(), "package.json"));
   const currentVersion = pkgJson?.version ?? "0.0.0";
   const npmStatus = await fetchNpmVersionStatus(currentVersion);
   if (npmStatus.updateAvailable && npmStatus.latest !== null) {
@@ -2545,8 +2855,8 @@ async function runGuard(kind, _options) {
 }
 
 // src/commands/init.ts
-import path18 from "path";
-import fs12 from "fs-extra";
+import path20 from "path";
+import fs14 from "fs-extra";
 
 // src/utils/prompts.ts
 import { stdin as input, stdout as output } from "process";
@@ -2974,8 +3284,8 @@ async function runSetupProject(options) {
 // src/commands/init.ts
 async function runInit(options) {
   const root = process.cwd();
-  const hausDir = path18.join(root, ".haus-workflow");
-  const alreadyInit = await fs12.pathExists(hausDir);
+  const hausDir = path20.join(root, ".haus-workflow");
+  const alreadyInit = await fs14.pathExists(hausDir);
   if (alreadyInit) {
     log("Haus AI already initialized in this project.");
     log("Run `haus setup-project` to reconfigure.");
@@ -2988,20 +3298,7 @@ async function runInit(options) {
 // src/install/apply.ts
 import crypto2 from "crypto";
 import path21 from "path";
-import fs14 from "fs-extra";
-
-// src/install/allow-rules.ts
-var ALLOWED_SUBCOMMANDS = [
-  "setup-project",
-  "apply",
-  "doctor",
-  "scan",
-  "context",
-  "recommend"
-];
-function buildAllowRules() {
-  return [...new Set(ALLOWED_SUBCOMMANDS.map((sub) => `Bash(haus ${sub}:*)`))];
-}
+import fs15 from "fs-extra";
 
 // src/install/header.ts
 var MD_PREFIX = "<!-- HAUS-MANAGED";
@@ -3033,185 +3330,6 @@ ${rest}`;
 ${content2}`;
 }
 
-// src/install/manifest.ts
-import os4 from "os";
-import path19 from "path";
-var MANIFEST_SCHEMA = "haus-install-manifest/1";
-function globalClaudeDir() {
-  return path19.join(os4.homedir(), ".claude");
-}
-function hausManifestPath() {
-  return path19.join(globalClaudeDir(), "haus", "install-manifest.json");
-}
-async function readManifest() {
-  return readJson(hausManifestPath());
-}
-async function writeManifest(manifest) {
-  await writeJson(hausManifestPath(), manifest);
-}
-function buildManifest(source, files, hooks) {
-  return {
-    _schema: MANIFEST_SCHEMA,
-    source,
-    installedAt: (/* @__PURE__ */ new Date()).toISOString(),
-    files,
-    hooks
-  };
-}
-
-// src/install/settings-merge.ts
-import path20 from "path";
-import fs13 from "fs-extra";
-function settingsJsonPath() {
-  return path20.join(globalClaudeDir(), "settings.json");
-}
-async function readSettings() {
-  const parsed = await readJson(settingsJsonPath());
-  return parsed ?? {};
-}
-async function writeSettings(settings) {
-  await writeJson(settingsJsonPath(), settings);
-}
-function mergeHooks(settings, fragments) {
-  const existing = settings._haus?.hooks ?? [];
-  const existingCommands = settings._haus?.hookCommands ?? [];
-  const existingSet = new Set(existing);
-  const updated = { ...settings };
-  updated.hooks = { ...settings.hooks ?? {} };
-  const addedIds = [];
-  const addedCommands = [];
-  for (const fragment of fragments) {
-    if (fragment.gate !== "keep") continue;
-    if (existingSet.has(fragment.id)) continue;
-    const event = fragment.event;
-    if (!updated.hooks[event]) updated.hooks[event] = [];
-    const entry = {
-      hooks: [{ type: "command", command: fragment.command }]
-    };
-    if (fragment.matcher) entry.matcher = fragment.matcher;
-    updated.hooks[event] = [...updated.hooks[event] ?? [], entry];
-    addedIds.push(fragment.id);
-    addedCommands.push(fragment.command);
-  }
-  updated._haus = {
-    hooks: [...existing, ...addedIds],
-    hookCommands: [...existingCommands, ...addedCommands],
-    // Preserve deny/allow tracking so hook, deny, and allow merges are order-independent.
-    ...settings._haus?.denyRules ? { denyRules: settings._haus.denyRules } : {},
-    ...settings._haus?.allowRules ? { allowRules: settings._haus.allowRules } : {}
-  };
-  return { settings: updated, addedIds };
-}
-function mergeDenyRules(settings, rules) {
-  const existingDeny = settings.permissions?.deny ?? [];
-  const seen = new Set(existingDeny);
-  const trackedDeny = settings._haus?.denyRules ?? [];
-  const addedRules = [];
-  for (const rule of rules) {
-    if (seen.has(rule)) continue;
-    seen.add(rule);
-    addedRules.push(rule);
-  }
-  const updated = { ...settings };
-  updated.permissions = {
-    ...settings.permissions ?? {},
-    deny: [...existingDeny, ...addedRules]
-  };
-  updated._haus = {
-    hooks: settings._haus?.hooks ?? [],
-    ...settings._haus?.hookCommands ? { hookCommands: settings._haus.hookCommands } : {},
-    denyRules: [...trackedDeny, ...addedRules],
-    ...settings._haus?.allowRules ? { allowRules: settings._haus.allowRules } : {}
-  };
-  return { settings: updated, addedRules };
-}
-function mergeAllowRules(settings, rules) {
-  const existingAllow = settings.permissions?.allow ?? [];
-  const seen = new Set(existingAllow);
-  const trackedAllow = settings._haus?.allowRules ?? [];
-  const addedRules = [];
-  for (const rule of rules) {
-    if (seen.has(rule)) continue;
-    seen.add(rule);
-    addedRules.push(rule);
-  }
-  const updated = { ...settings };
-  updated.permissions = {
-    ...settings.permissions ?? {},
-    allow: [...existingAllow, ...addedRules]
-  };
-  updated._haus = {
-    hooks: settings._haus?.hooks ?? [],
-    ...settings._haus?.hookCommands ? { hookCommands: settings._haus.hookCommands } : {},
-    ...settings._haus?.denyRules ? { denyRules: settings._haus.denyRules } : {},
-    allowRules: [...trackedAllow, ...addedRules]
-  };
-  return { settings: updated, addedRules };
-}
-function stripHausAllow(settings) {
-  const prevHaus = settings._haus;
-  if (!prevHaus?.allowRules || prevHaus.allowRules.length === 0) return settings;
-  const ownedSet = new Set(prevHaus.allowRules);
-  const updated = { ...settings };
-  const remainingAllow = (settings.permissions?.allow ?? []).filter((rule) => !ownedSet.has(rule));
-  const permissions = { ...settings.permissions ?? {} };
-  if (remainingAllow.length > 0) permissions.allow = remainingAllow;
-  else delete permissions.allow;
-  if (Object.keys(permissions).length > 0) updated.permissions = permissions;
-  else delete updated.permissions;
-  const haus = { ...prevHaus };
-  delete haus.allowRules;
-  const stillTracking = (haus.hooks?.length ?? 0) > 0 || (haus.hookCommands?.length ?? 0) > 0 || (haus.denyRules?.length ?? 0) > 0;
-  if (stillTracking) updated._haus = haus;
-  else delete updated._haus;
-  return updated;
-}
-function stripHausDeny(settings) {
-  const prevHaus = settings._haus;
-  if (!prevHaus?.denyRules || prevHaus.denyRules.length === 0) return settings;
-  const ownedSet = new Set(prevHaus.denyRules);
-  const updated = { ...settings };
-  const remainingDeny = (settings.permissions?.deny ?? []).filter((rule) => !ownedSet.has(rule));
-  const permissions = { ...settings.permissions ?? {} };
-  if (remainingDeny.length > 0) permissions.deny = remainingDeny;
-  else delete permissions.deny;
-  if (Object.keys(permissions).length > 0) updated.permissions = permissions;
-  else delete updated.permissions;
-  const haus = { ...prevHaus };
-  delete haus.denyRules;
-  const stillTracking = (haus.hooks?.length ?? 0) > 0 || (haus.hookCommands?.length ?? 0) > 0 || (haus.allowRules?.length ?? 0) > 0;
-  if (stillTracking) updated._haus = haus;
-  else delete updated._haus;
-  return updated;
-}
-function stripHausHooks(settings) {
-  if (!settings._haus) return settings;
-  const ownedCommands = new Set(settings._haus.hookCommands ?? []);
-  const usePrefix = ownedCommands.size === 0;
-  const updated = { ...settings };
-  updated.hooks = {};
-  for (const [event, entries] of Object.entries(settings.hooks ?? {})) {
-    const kept = entries.filter((entry) => {
-      const cmd = entry.hooks[0]?.command ?? "";
-      return usePrefix ? !cmd.startsWith("haus ") : !ownedCommands.has(cmd);
-    });
-    if (kept.length > 0) updated.hooks[event] = kept;
-  }
-  const { _haus: _, ...rest } = updated;
-  void _;
-  return rest;
-}
-async function loadHooksFragment(fragmentPath) {
-  let raw;
-  try {
-    raw = await fs13.readJson(fragmentPath);
-  } catch {
-    return [];
-  }
-  const data = raw;
-  return Array.isArray(data?.hooks) ? data.hooks : [];
-}
-
 // src/install/apply.ts
 var SCHEMA_VERSION2 = "1";
 function hashContent(content2) {
@@ -3220,7 +3338,7 @@ function hashContent(content2) {
 function sourceVersion() {
   try {
     const pkgPath = path21.join(packageRoot(), "package.json");
-    const pkg = JSON.parse(fs14.readFileSync(pkgPath, "utf8"));
+    const pkg = JSON.parse(fs15.readFileSync(pkgPath, "utf8"));
     return `${pkg.name ?? "haus"}@${pkg.version ?? "0.0.0"}`;
   } catch {
     return "haus@0.0.0";
@@ -3232,10 +3350,10 @@ function globalSrcDir() {
 function collectSourceFiles(srcDir, claudeDir) {
   const entries = [];
   const skillsDir = path21.join(srcDir, "skills");
-  if (fs14.pathExistsSync(skillsDir)) {
-    for (const skillName of fs14.readdirSync(skillsDir)) {
+  if (fs15.pathExistsSync(skillsDir)) {
+    for (const skillName of fs15.readdirSync(skillsDir)) {
       const skillFile = path21.join(skillsDir, skillName, "SKILL.md");
-      if (fs14.pathExistsSync(skillFile)) {
+      if (fs15.pathExistsSync(skillFile)) {
         entries.push({
           stableId: `skill.${skillName}`,
           srcRelPath: path21.join("library", "global", "skills", skillName, "SKILL.md"),
@@ -3245,8 +3363,8 @@ function collectSourceFiles(srcDir, claudeDir) {
     }
   }
   const commandsDir = path21.join(srcDir, "commands");
-  if (fs14.pathExistsSync(commandsDir)) {
-    for (const fileName of fs14.readdirSync(commandsDir)) {
+  if (fs15.pathExistsSync(commandsDir)) {
+    for (const fileName of fs15.readdirSync(commandsDir)) {
       if (!fileName.endsWith(".md")) continue;
       const commandName = fileName.slice(0, -".md".length);
       entries.push({
@@ -3296,7 +3414,7 @@ async function applyInstall(options = {}) {
       }
       continue;
     }
-    const destExists = fs14.pathExistsSync(entry.destPath);
+    const destExists = fs15.pathExistsSync(entry.destPath);
     if (destExists) {
       const currentContent = await readText(entry.destPath);
       if (currentContent !== void 0) {
@@ -3343,13 +3461,13 @@ async function applyInstall(options = {}) {
     const currentDestPaths = new Set(sourceFiles.map((f) => f.destPath));
     for (const entry of existingManifest.files) {
       if (currentDestPaths.has(entry.destPath)) continue;
-      if (!fs14.pathExistsSync(entry.destPath)) continue;
+      if (!fs15.pathExistsSync(entry.destPath)) continue;
       const content2 = await readText(entry.destPath);
       if (!content2) continue;
       const hasHeader = parseMarkdownHeader(content2) !== void 0;
       const currentHash = hashContent(content2);
       if (hasHeader && currentHash === entry.hash) {
-        if (!dryRun) await fs14.remove(entry.destPath);
+        if (!dryRun) await fs15.remove(entry.destPath);
         result.deleted.push(entry.destPath);
       } else {
         warn(`Orphaned file ${entry.destPath} was user-modified \u2014 leaving in place`);
@@ -3473,35 +3591,128 @@ async function runScan(options) {
 
 // src/commands/undo.ts
 import path22 from "path";
-import fs15 from "fs-extra";
-var CLAUDE_DIR = ".claude";
+import fs16 from "fs-extra";
+
+// src/claude/managed-paths.ts
+var PROJECT_MANAGED_CLAUDE_REL = [
+  "rules/haus.md",
+  "rules/security.md",
+  "commands/haus-doctor.md",
+  "commands/haus-review.md"
+];
+var PROJECT_MANAGED_HAUS_REL = [
+  "selected-context.json",
+  "haus.lock.json",
+  "config.json"
+];
+function coreManagedAbsolutePaths(root) {
+  const claude = PROJECT_MANAGED_CLAUDE_REL.map((rel) => claudePath(root, rel));
+  const haus = PROJECT_MANAGED_HAUS_REL.map((rel) => hausPath(root, rel));
+  return [...claude, ...haus];
+}
+
+// src/commands/undo.ts
+async function collectManagedPaths(root) {
+  const paths = new Set(coreManagedAbsolutePaths(root));
+  const lock = await readJson(hausPath(root, "haus.lock.json"));
+  for (const row of lock ?? []) {
+    for (const rel of row.paths ?? []) {
+      paths.add(path22.resolve(root, rel));
+    }
+  }
+  const existing = [];
+  for (const abs of paths) {
+    if (await fs16.pathExists(abs)) existing.push(abs);
+  }
+  return existing;
+}
+async function settingsHasHausContent(root) {
+  const settingsPath = claudePath(root, "settings.json");
+  if (!await fs16.pathExists(settingsPath)) return false;
+  const settings = await readProjectSettings(root);
+  return settings._haus != null;
+}
+async function claudeMdHasHausBlock(root) {
+  const filePath = path22.join(root, "CLAUDE.md");
+  if (!await fs16.pathExists(filePath)) return false;
+  const text = await fs16.readFile(filePath, "utf8");
+  return text.includes(BLOCK_BEGIN);
+}
+async function stripProjectSettings(root) {
+  const settingsPath = claudePath(root, "settings.json");
+  if (!await fs16.pathExists(settingsPath)) return false;
+  let settings = await readProjectSettings(root);
+  settings = stripHausAllow(stripHausDeny(stripHausHooks(settings)));
+  const hasContent = Object.keys(settings).length > 0;
+  if (hasContent) {
+    await writeProjectSettings(root, settings);
+    log(`Stripped haus rules from ${path22.relative(root, settingsPath)} (user settings preserved).`);
+    return true;
+  }
+  await fs16.remove(settingsPath);
+  log(`Removed ${path22.relative(root, settingsPath)} (no user-owned settings remained).`);
+  return true;
+}
+async function stripRootClaudeMd(root) {
+  const filePath = path22.join(root, "CLAUDE.md");
+  if (!await fs16.pathExists(filePath)) return false;
+  const prev = await fs16.readFile(filePath, "utf8");
+  if (!prev.includes(BLOCK_BEGIN)) return false;
+  const next = stripHausBlock(prev);
+  if (next.length === 0) {
+    await fs16.remove(filePath);
+    log("Removed CLAUDE.md (only contained haus import block).");
+  } else {
+    await fs16.writeFile(filePath, next, "utf8");
+    log("Removed haus import block from CLAUDE.md (user content preserved).");
+  }
+  return true;
+}
+async function pruneDirIfEmpty(dir) {
+  if (!await fs16.pathExists(dir)) return;
+  const entries = await fs16.readdir(dir);
+  if (entries.length === 0) await fs16.remove(dir);
+}
 async function runUndo(options) {
   const root = process.cwd();
-  const targets = [path22.join(root, CLAUDE_DIR), path22.join(root, HAUS_DIR)];
-  const existing = targets.filter((p) => fs15.existsSync(p));
-  if (existing.length === 0) {
-    log("Nothing to remove: no .claude/ or .haus-workflow/ in this directory.");
+  const managed = await collectManagedPaths(root);
+  const stripSettings = await settingsHasHausContent(root);
+  const stripClaudeMd = await claudeMdHasHausBlock(root);
+  if (managed.length === 0 && !stripSettings && !stripClaudeMd) {
+    log("Nothing to remove: no haus-managed files found in this directory.");
     return;
   }
+  const relTargets = managed.map((p) => path22.relative(root, p));
+  const summaryParts = [...relTargets];
+  if (stripSettings) summaryParts.push(".claude/settings.json (haus rules only)");
+  if (stripClaudeMd) summaryParts.push("CLAUDE.md (haus import block only)");
   if (!options.yes) {
     const ok = await confirm(
-      `Remove ${existing.map((p) => path22.relative(root, p)).join(" and ")}? This cannot be undone.`
+      `Remove haus-managed files?
+  ${summaryParts.join("\n  ")}
+User-owned .claude/ files will be preserved.`
     );
     if (!ok) {
       log("Cancelled.");
       return;
     }
   }
-  for (const p of existing) {
-    await fs15.remove(p);
-    log(`Removed ${path22.relative(root, p)}`);
+  for (const abs of managed) {
+    if (!await fs16.pathExists(abs)) continue;
+    await fs16.remove(abs);
+    log(`Removed ${path22.relative(root, abs)}`);
   }
+  if (stripSettings) await stripProjectSettings(root);
+  if (stripClaudeMd) await stripRootClaudeMd(root);
+  await pruneDirIfEmpty(claudePath(root));
+  await pruneDirIfEmpty(hausPath(root));
+  log("haus undo complete. Scan artifacts under .haus-workflow/ were left in place.");
 }
 
 // src/install/uninstall.ts
 import crypto3 from "crypto";
 import path23 from "path";
-import fs16 from "fs-extra";
+import fs17 from "fs-extra";
 async function runUninstall(options = {}) {
   const { force = false } = options;
   const manifest = await readManifest();
@@ -3511,7 +3722,7 @@ async function runUninstall(options = {}) {
     return result;
   }
   for (const entry of manifest.files) {
-    const exists = fs16.pathExistsSync(entry.destPath);
+    const exists = fs17.pathExistsSync(entry.destPath);
     if (!exists) continue;
     const content2 = await readText(entry.destPath);
     if (content2 === void 0) continue;
@@ -3529,7 +3740,7 @@ async function runUninstall(options = {}) {
       result.skipped.push(entry.destPath);
       continue;
     }
-    await fs16.remove(entry.destPath);
+    await fs17.remove(entry.destPath);
     await pruneEmptyDir(path23.dirname(entry.destPath));
     result.deleted.push(entry.destPath);
   }
@@ -3539,12 +3750,12 @@ async function runUninstall(options = {}) {
   result.hooksStripped = true;
   const hausDir = path23.join(globalClaudeDir(), "haus");
   const manifestPath2 = hausManifestPath();
-  if (fs16.pathExistsSync(manifestPath2)) {
-    await fs16.remove(manifestPath2);
+  if (fs17.pathExistsSync(manifestPath2)) {
+    await fs17.remove(manifestPath2);
   }
-  if (fs16.pathExistsSync(hausDir)) {
-    const remaining = await fs16.readdir(hausDir);
-    if (remaining.length === 0) await fs16.remove(hausDir);
+  if (fs17.pathExistsSync(hausDir)) {
+    const remaining = await fs17.readdir(hausDir);
+    if (remaining.length === 0) await fs17.remove(hausDir);
   }
   return result;
 }
@@ -3563,8 +3774,8 @@ function printUninstallResult(result) {
 }
 async function pruneEmptyDir(dir) {
   try {
-    const entries = await fs16.readdir(dir);
-    if (entries.length === 0) await fs16.remove(dir);
+    const entries = await fs17.readdir(dir);
+    if (entries.length === 0) await fs17.remove(dir);
   } catch {
   }
 }
@@ -3666,10 +3877,11 @@ async function runUpdate(options) {
   if (options.check) {
     const pkgJson2 = await readJson(path25.join(packageRoot(), "package.json"));
     const currentVersion2 = pkgJson2?.version ?? "0.0.0";
-    const [status, npmVersion, latestCatalogTag] = await Promise.all([
+    const [status, npmVersion, latestCatalogTag, globalInstallDrift] = await Promise.all([
       checkLock(root),
       fetchNpmVersionStatus(currentVersion2),
-      fetchLatestCatalogTag()
+      fetchLatestCatalogTag(),
+      detectGlobalInstallDrift()
     ]);
     const installedRef = status.catalogRef ?? "main";
     const catalogRefBehind = latestCatalogTag !== null && installedRef !== latestCatalogTag ? `installed from ${installedRef}, latest tag is ${latestCatalogTag}` : false;
@@ -3680,6 +3892,7 @@ async function runUpdate(options) {
           installedCatalogRef: installedRef,
           latestCatalogTag,
           catalogRefBehind,
+          globalInstallDrift,
           localOverrides: await hasLocalOverrides(root),
           summary: diffGeneratedFiles(),
           npmVersion
@@ -3701,7 +3914,7 @@ async function runUpdate(options) {
     log(`npm package up to date: ${currentVersion}`);
   }
   if (await hasLocalOverrides(root)) {
-    log("Local .claude overrides detected. Preserving local files; only lockfile updated.");
+    log("Existing .claude/settings.json \u2014 haus rules will be merged, not replaced.");
   }
   const { before, after } = await applyLock(root);
   log(diffLock(before, after));
@@ -3717,11 +3930,53 @@ async function runUpdate(options) {
   if (sync.failed.length > 0) {
     warn(`Failed to fetch ${sync.failed.length} item(s): ${sync.failed.join(", ")}`);
   }
+  await refreshGlobalInstall();
+  await refreshProjectFiles(root);
   log("Update applied with backup in .haus-workflow/backups/. Run haus doctor.");
 }
+async function refreshProjectFiles(root) {
+  log("Refreshing project .claude/ files...");
+  try {
+    const files = await refreshProjectApply(root);
+    if (files.length === 0) {
+      log("No prior haus project setup detected \u2014 skipped project re-apply.");
+      return;
+    }
+    log(`Project refreshed: ${files.length} managed path(s) updated.`);
+  } catch (err) {
+    warn(`Could not refresh project files: ${err instanceof Error ? err.message : String(err)}`);
+  }
+}
+async function refreshGlobalInstall() {
+  log("Refreshing ~/.claude/ global files...");
+  try {
+    const result = await applyInstall({});
+    const total = result.created.length + result.updated.length;
+    if (total > 0) {
+      log(`~/.claude refreshed: ${result.created.length} added, ${result.updated.length} updated.`);
+    } else {
+      log("~/.claude already up to date.");
+    }
+    if (result.skipped.length > 0) {
+      log(
+        `Preserved ${result.skipped.length} locally-edited file(s) (run \`haus install --force\` to overwrite).`
+      );
+    }
+  } catch (err) {
+    warn(`Could not refresh ~/.claude/: ${err instanceof Error ? err.message : String(err)}`);
+  }
+}
+async function detectGlobalInstallDrift() {
+  try {
+    const result = await applyInstall({ check: true });
+    return result.drift;
+  } catch {
+    return null;
+  }
+}
 
 // src/commands/validate-catalog.ts
-import fs17 from "fs";
+import fs18 from "fs";
 import path26 from "path";
 function auditForbiddenStacks(items) {
   const failures = [];
@@ -3793,20 +4048,20 @@ function auditShippedFiles(manifestDir, items) {
     const absPath = path26.join(manifestDir, item.path);
     if (item.type === "skill") {
       const skillMd = path26.join(absPath, "SKILL.md");
-      if (!fs17.existsSync(skillMd)) {
+      if (!fs18.existsSync(skillMd)) {
         failures.push(`${item.id}: missing ${path26.relative(manifestDir, skillMd)}`);
         continue;
       }
-      const text = fs17.readFileSync(skillMd, "utf8");
+      const text = fs18.readFileSync(skillMd, "utf8");
       for (const section of REQUIRED_SKILL_SECTIONS) {
         if (!text.includes(section)) failures.push(`${item.id}: SKILL.md missing ${section}`);
       }
     } else if (item.type === "agent") {
-      if (!fs17.existsSync(absPath)) {
+      if (!fs18.existsSync(absPath)) {
         failures.push(`${item.id}: missing agent file ${item.path}`);
         continue;
       }
-      const text = fs17.readFileSync(absPath, "utf8");
+      const text = fs18.readFileSync(absPath, "utf8");
       if (!text.startsWith("---")) failures.push(`${item.id}: agent file missing YAML frontmatter`);
       for (const section of REQUIRED_AGENT_SECTIONS) {
         if (!text.includes(section)) failures.push(`${item.id}: agent file missing ${section}`);
@@ -3817,7 +4072,7 @@ function auditShippedFiles(manifestDir, items) {
           failures.push(`${item.id}: agent file contains disallowed phrase "${phrase}"`);
       }
     } else if (item.type === "template") {
-      if (!fs17.existsSync(absPath)) {
+      if (!fs18.existsSync(absPath)) {
         failures.push(`${item.id}: missing template file ${item.path}`);
       }
     }
@@ -3829,9 +4084,9 @@ function auditMarkdownContent(manifestDir) {
   const dirs = ["skills", "agents"];
   for (const dir of dirs) {
     const abs = path26.join(manifestDir, dir);
-    if (!fs17.existsSync(abs)) continue;
+    if (!fs18.existsSync(abs)) continue;
     walkMd(abs, (file) => {
-      const text = fs17.readFileSync(file, "utf8");
+      const text = fs18.readFileSync(file, "utf8");
       const rel = path26.relative(manifestDir, file);
       const lines = text.split(/\r?\n/);
       for (let i = 0; i < lines.length; i++) {
@@ -3851,7 +4106,7 @@ function auditMarkdownContent(manifestDir) {
   return failures;
 }
 function walkMd(dir, fn) {
-  for (const entry of fs17.readdirSync(dir, { withFileTypes: true })) {
+  for (const entry of fs18.readdirSync(dir, { withFileTypes: true })) {
     const full = path26.join(dir, entry.name);
     if (entry.isDirectory()) walkMd(full, fn);
     else if (entry.name.endsWith(".md")) fn(full);
@@ -4254,7 +4509,7 @@ import path32 from "path";
 
 // src/claude/write-workspace-claude-md.ts
 import path31 from "path";
-import fs18 from "fs-extra";
+import fs19 from "fs-extra";
 function buildWorkspaceImportBlock(client, members) {
   const memberLines = members.map((m) => `- ${m.name} (${m.path})`);
   const body = [
@@ -4273,7 +4528,7 @@ async function writeWorkspaceClaudeMd(workspaceRoot, opts) {
   const block = buildWorkspaceImportBlock(opts.client, opts.members);
   const dryRun = opts.dryRun ?? false;
   const filePath = opts.collision ? hausPath(workspaceRoot, "WORKSPACE.md") : path31.join(workspaceRoot, "CLAUDE.md");
-  const prev = await fs18.pathExists(filePath) ? await fs18.readFile(filePath, "utf8") : "";
+  const prev = await fs19.pathExists(filePath) ? await fs19.readFile(filePath, "utf8") : "";
   const next = opts.collision ? `${block}
 ` : injectHausBlock(prev, block);
   const printable = displayPath(workspaceRoot, filePath);