@haus-tech/haus-workflow 0.15.0 → 0.16.0

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## [0.16.0](https://github.com/WeAreHausTech/haus-workflow/compare/v0.15.0...v0.16.0) (2026-06-05)
+
+### Features
+
+- support catalog contexts and refresh-aware sync ([1ab1d6c](https://github.com/WeAreHausTech/haus-workflow/commit/1ab1d6c1ca91a412fc4e7269e1616050c4397101))
+
+### Bug Fixes
+
+- Add forbidden-content, sources-report, and drift ([e7cbd07](https://github.com/WeAreHausTech/haus-workflow/commit/e7cbd076f7f8d8a21555c5e0cdba058b9788ee29))
+
 ## [0.15.0](https://github.com/WeAreHausTech/haus-workflow/compare/v0.14.0...v0.15.0) (2026-06-05)
 
 ### Features

package/dist/cli.js

@@ -6,7 +6,7 @@ import path34 from "path";
 import { Command } from "commander";
 
 // src/commands/apply.ts
-import path12 from "path";
+import path13 from "path";
 import checkbox from "@inquirer/checkbox";
 import fs11 from "fs-extra";
 
@@ -32,7 +32,9 @@ var CATALOG_REF = process.env.HAUS_CATALOG_REF ?? "main";
 var CATALOG_CACHE_SUBDIR = ".claude/haus/catalog-cache";
 
 // src/catalog/remote-catalog.ts
-var CACHE_DIR = process.env["HAUS_CATALOG_CACHE_DIR_OVERRIDE"] ?? path.join(os.homedir(), CATALOG_CACHE_SUBDIR);
+function getCacheDir() {
+  return process.env["HAUS_CATALOG_CACHE_DIR_OVERRIDE"] ?? path.join(os.homedir(), CATALOG_CACHE_SUBDIR);
+}
 var REMOTE_BASE = process.env["HAUS_CATALOG_REMOTE_BASE"] ?? `${CATALOG_REPO_URL}/${CATALOG_REF}`;
 var REMOTE_MANIFEST_URL = `${REMOTE_BASE}/manifest.json`;
 async function fetchText(url) {
@@ -54,15 +56,29 @@ async function fetchRemoteManifest() {
     return null;
   }
 }
+async function writeTextIfChanged(dest, text) {
+  if (await fs.pathExists(dest)) {
+    const local = await fs.readFile(dest, "utf8");
+    if (local === text) return "unchanged";
+    await fs.writeFile(dest, text, "utf8");
+    return "updated";
+  }
+  await fs.ensureDir(path.dirname(dest));
+  await fs.writeFile(dest, text, "utf8");
+  return "created";
+}
 var WORKFLOW_TEMPLATE_REL = "templates/agentic-workflow-standard.md";
 async function readWorkflowTemplate(opts = {}) {
-  const dest = path.join(CACHE_DIR, WORKFLOW_TEMPLATE_REL);
-  if (await fs.pathExists(dest)) return fs.readFile(dest, "utf8");
+  const dest = path.join(getCacheDir(), WORKFLOW_TEMPLATE_REL);
   const text = await fetchText(`${REMOTE_BASE}/${WORKFLOW_TEMPLATE_REL}`);
-  if (text === null) return null;
+  if (text === null) {
+    if (await fs.pathExists(dest)) return fs.readFile(dest, "utf8");
+    return null;
+  }
   if (!opts.dryRun) {
-    await fs.ensureDir(path.dirname(dest));
-    await fs.writeFile(dest, text, "utf8");
+    await writeTextIfChanged(dest, text);
+  } else if (await fs.pathExists(dest)) {
+    return fs.readFile(dest, "utf8");
   }
   return text;
 }
@@ -87,37 +103,37 @@ async function downloadSkillReferences(item, destDir) {
       warn(`Skipping reference "${ref}" for ${item.id}: path traversal detected`);
       continue;
     }
-    if (await fs.pathExists(refDest)) continue;
     const text = await fetchText(`${REMOTE_BASE}/${item.path}/${ref}`);
     if (text === null) {
       warn(`Failed to fetch reference "${ref}" for ${item.id}`);
       continue;
     }
-    await fs.ensureDir(path.dirname(refDest));
-    await fs.writeFile(refDest, text, "utf8");
+    await writeTextIfChanged(refDest, text);
   }
 }
 async function syncRemoteCatalog() {
   const items = await fetchRemoteManifest();
   if (!items) {
     warn("Remote catalog fetch failed \u2014 using bundled catalog");
-    return { newItems: [], unchanged: 0, failed: [] };
+    return { newItems: [], refreshed: [], unchanged: 0, failed: [] };
   }
+  const cacheDir = getCacheDir();
   try {
-    await fs.ensureDir(CACHE_DIR);
+    await fs.ensureDir(cacheDir);
     await fs.writeFile(
-      path.join(CACHE_DIR, "manifest.json"),
+      path.join(cacheDir, "manifest.json"),
       `${JSON.stringify({ items }, null, 2)}
 `,
       "utf8"
     );
   } catch (err) {
     warn(
-      `Catalog cache not writable (${CACHE_DIR}) \u2014 skipping cache sync: ${err instanceof Error ? err.message : String(err)}`
+      `Catalog cache not writable (${cacheDir}) \u2014 skipping cache sync: ${err instanceof Error ? err.message : String(err)}`
     );
-    return { newItems: [], unchanged: 0, failed: [] };
+    return { newItems: [], refreshed: [], unchanged: 0, failed: [] };
   }
   const newItems = [];
+  const refreshed = [];
   let unchanged = 0;
   const failed = [];
   for (const item of items) {
@@ -129,18 +145,13 @@ async function syncRemoteCatalog() {
       continue;
     }
     if (item.type === "skill") {
-      const destDir = safeJoin(CACHE_DIR, item.path);
+      const destDir = safeJoin(getCacheDir(), item.path);
       if (!destDir) {
         warn(`Skipping ${item.id}: path traversal detected`);
         failed.push(item.id);
         continue;
       }
       const dest = path.join(destDir, "SKILL.md");
-      if (await fs.pathExists(dest)) {
-        await downloadSkillReferences(item, destDir);
-        unchanged++;
-        continue;
-      }
       const url = `${REMOTE_BASE}/${item.path}/SKILL.md`;
       const text = await fetchText(url);
       if (!text) {
@@ -149,25 +160,22 @@ async function syncRemoteCatalog() {
         continue;
       }
       try {
-        await fs.ensureDir(path.dirname(dest));
-        await fs.writeFile(dest, text, "utf8");
+        const outcome = await writeTextIfChanged(dest, text);
         await downloadSkillReferences(item, destDir);
-        newItems.push(item.id);
+        if (outcome === "created") newItems.push(item.id);
+        else if (outcome === "updated") refreshed.push(item.id);
+        else unchanged++;
       } catch (err) {
         warn(`Failed to cache ${item.id}: ${err instanceof Error ? err.message : String(err)}`);
         failed.push(item.id);
       }
     } else {
-      const dest = safeJoin(CACHE_DIR, item.path);
+      const dest = safeJoin(getCacheDir(), item.path);
       if (!dest) {
         warn(`Skipping ${item.id}: path traversal detected`);
         failed.push(item.id);
         continue;
       }
-      if (await fs.pathExists(dest)) {
-        unchanged++;
-        continue;
-      }
       const url = `${REMOTE_BASE}/${item.path}`;
       const text = await fetchText(url);
       if (!text) {
@@ -176,16 +184,17 @@ async function syncRemoteCatalog() {
         continue;
       }
       try {
-        await fs.ensureDir(path.dirname(dest));
-        await fs.writeFile(dest, text, "utf8");
-        newItems.push(item.id);
+        const outcome = await writeTextIfChanged(dest, text);
+        if (outcome === "created") newItems.push(item.id);
+        else if (outcome === "updated") refreshed.push(item.id);
+        else unchanged++;
       } catch (err) {
         warn(`Failed to cache ${item.id}: ${err instanceof Error ? err.message : String(err)}`);
         failed.push(item.id);
       }
     }
   }
-  return { newItems, unchanged, failed };
+  return { newItems, refreshed, unchanged, failed };
 }
 var CATALOG_TAGS_API_URL = "https://api.github.com/repos/WeAreHausTech/haus-workflow-catalog/tags";
 async function fetchLatestCatalogTag() {
@@ -204,7 +213,7 @@ async function fetchLatestCatalogTag() {
 }
 async function getCacheManifestAge() {
   try {
-    const stat = await fs.stat(path.join(CACHE_DIR, "manifest.json"));
+    const stat = await fs.stat(path.join(getCacheDir(), "manifest.json"));
     return Date.now() - stat.mtimeMs;
   } catch {
     return null;
@@ -599,21 +608,21 @@ var PROJECT_HOOK_FRAGMENTS = [
     id: "haus.context-hook",
     gate: "keep",
     event: "UserPromptSubmit",
-    command: "haus context --from-hook || true"
+    command: "haus context --from-hook"
   },
   {
     id: "haus.guard-file",
     gate: "keep",
     event: "PreToolUse",
     matcher: "Read|Edit|Write",
-    command: "haus guard file-access --from-hook || true"
+    command: "haus guard file-access --from-hook"
   },
   {
     id: "haus.guard-bash",
     gate: "keep",
     event: "PreToolUse",
     matcher: "Bash",
-    command: "haus guard bash --from-hook || true"
+    command: "haus guard bash --from-hook"
   }
 ];
 async function readProjectSettings(root) {
@@ -637,11 +646,54 @@ async function applyProjectSettingsMerge(root) {
 }
 
 // src/claude/write-claude-files.ts
-import path11 from "path";
+import path12 from "path";
 import fs10 from "fs-extra";
 
-// src/update/hash-installed.ts
+// src/catalog/load-catalog.ts
 import path6 from "path";
+async function loadCatalogContext(root) {
+  const envPath = process.env["HAUS_FIXTURE_CATALOG"];
+  if (envPath) {
+    const data2 = await readJson(envPath);
+    return {
+      items: data2?.items ?? [],
+      contentRoot: path6.dirname(envPath),
+      source: "fixture"
+    };
+  }
+  const cacheDir = getCacheDir();
+  const cacheManifestPath = path6.join(cacheDir, "manifest.json");
+  const cacheData = await readJson(cacheManifestPath);
+  if (cacheData?.items?.length) {
+    return { items: cacheData.items, contentRoot: cacheDir, source: "cache" };
+  }
+  const localManifest = path6.join(root, "library/catalog/manifest.json");
+  const localData = await readJson(localManifest);
+  if (localData?.items?.length) {
+    return {
+      items: localData.items,
+      contentRoot: path6.dirname(localManifest),
+      source: "local"
+    };
+  }
+  const packageManifest = path6.join(packageRoot(), "library/catalog/manifest.json");
+  const data = await readJson(packageManifest);
+  return {
+    items: data?.items ?? [],
+    contentRoot: path6.dirname(packageManifest),
+    source: "bundled"
+  };
+}
+async function loadCatalog(root) {
+  const ctx = await loadCatalogContext(root);
+  return ctx.items;
+}
+function catalogItemContentPath(contentRoot, item) {
+  return path6.join(contentRoot, item.path);
+}
+
+// src/update/hash-installed.ts
+import path7 from "path";
 import fg2 from "fast-glob";
 import fs4 from "fs-extra";
 var EMPTY_LOCK_PATHS_TOKEN = "haus-lock:empty-paths";
@@ -652,7 +704,7 @@ async function hashInstalledPaths(root, relPaths) {
   const normalized = [...new Set(relPaths.map((p) => p.replace(/\\/g, "/")))].sort();
   const fileDigests = [];
   for (const rel of normalized) {
-    const abs = path6.join(root, rel);
+    const abs = path7.join(root, rel);
     if (!await fs4.pathExists(abs)) continue;
     const stat = await fs4.stat(abs);
     if (stat.isFile()) {
@@ -663,8 +715,8 @@ async function hashInstalledPaths(root, relPaths) {
     if (!stat.isDirectory()) continue;
     const inner = await fg2("**/*", { cwd: abs, onlyFiles: true, dot: true });
     for (const sub of inner.sort()) {
-      const relFile = path6.join(rel, sub).replace(/\\/g, "/");
-      const absFile = path6.join(abs, sub);
+      const relFile = path7.join(rel, sub).replace(/\\/g, "/");
+      const absFile = path7.join(abs, sub);
       const body = await fs4.readFile(absFile, "utf8");
       fileDigests.push({ rel: relFile, digest: hashText(body) });
     }
@@ -699,7 +751,7 @@ function summarizeDiff(diffText) {
 }
 
 // src/claude/load-hooks-config.ts
-import path7 from "path";
+import path8 from "path";
 var CONFIG_PATH = ".haus-workflow/config.json";
 var DEFAULT_HOOKS_CONFIG = {
   hooks: {
@@ -707,7 +759,7 @@ var DEFAULT_HOOKS_CONFIG = {
   }
 };
 async function isHookEnabled(root, key) {
-  const cfg = await readJson(path7.join(root, CONFIG_PATH));
+  const cfg = await readJson(path8.join(root, CONFIG_PATH));
   return cfg?.hooks?.[key]?.enabled === true;
 }
 
@@ -719,25 +771,25 @@ var CANONICAL_HOOKS = {
   hooks: {
     UserPromptSubmit: [
       {
-        hooks: [{ type: "command", command: "haus context --from-hook || true" }]
+        hooks: [{ type: "command", command: "haus context --from-hook" }]
       }
     ],
     PreToolUse: [
       {
         matcher: "Read|Edit|Write",
-        hooks: [{ type: "command", command: "haus guard file-access --from-hook || true" }]
+        hooks: [{ type: "command", command: "haus guard file-access --from-hook" }]
       },
       {
         matcher: "Bash",
-        hooks: [{ type: "command", command: "haus guard bash --from-hook || true" }]
+        hooks: [{ type: "command", command: "haus guard bash --from-hook" }]
       }
     ]
   }
 };
 var STABLE_HOOK_IDS = {
-  "haus context --from-hook || true": "haus.context-hook",
-  "haus guard file-access --from-hook || true": "haus.guard-file",
-  "haus guard bash --from-hook || true": "haus.guard-bash"
+  "haus context --from-hook": "haus.context-hook",
+  "haus guard file-access --from-hook": "haus.guard-file",
+  "haus guard bash --from-hook": "haus.guard-bash"
 };
 async function loadClaudeHooksSettings() {
   return { ...CANONICAL_HOOKS, permissions: { deny: buildDenyRules() } };
@@ -833,7 +885,7 @@ async function verifyProjectSettingsHooksContract(root) {
 }
 
 // src/claude/write-root-claude-md.ts
-import path8 from "path";
+import path9 from "path";
 import fs6 from "fs-extra";
 var BLOCK_BEGIN = "<!-- HAUS:BEGIN haus-imports v=1 -->";
 var BLOCK_END = "<!-- HAUS:END haus-imports -->";
@@ -873,7 +925,7 @@ ${block}
 `;
 }
 async function writeRootClaudeMd(root, dryRun) {
-  const filePath = path8.join(root, "CLAUDE.md");
+  const filePath = path9.join(root, "CLAUDE.md");
   const block = buildImportBlock();
   const prev = await fs6.pathExists(filePath) ? await fs6.readFile(filePath, "utf8") : "";
   const next = injectHausBlock(prev, block);
@@ -898,11 +950,11 @@ async function writeRootClaudeMd(root, dryRun) {
 }
 
 // src/claude/write-workflow-config.ts
-import path10 from "path";
+import path11 from "path";
 import fs8 from "fs-extra";
 
 // src/claude/derive-workflow-config.ts
-import path9 from "path";
+import path10 from "path";
 import fs7 from "fs-extra";
 function binCmd(pm, bin, args) {
   const tail = args ? ` ${args}` : "";
@@ -912,7 +964,7 @@ function binCmd(pm, bin, args) {
 }
 async function deriveWorkflowConfig(root, ctx) {
   const pm = ctx.packageManager === "unknown" ? "npm" : ctx.packageManager;
-  const pkg = await readJson(path9.join(root, "package.json"));
+  const pkg = await readJson(path10.join(root, "package.json"));
   const scripts = pkg?.scripts ?? {};
   const deps = new Set(ctx.dependencies);
   const stacks = Object.values(ctx.detectedStacks ?? {}).flat();
@@ -922,7 +974,7 @@ async function deriveWorkflowConfig(root, ctx) {
     return null;
   };
   const hasDep = (name) => deps.has(name);
-  const exists = (rel) => fs7.pathExistsSync(path9.join(root, rel));
+  const exists = (rel) => fs7.pathExistsSync(path10.join(root, rel));
   const hasPlaywright = hasDep("@playwright/test") || stacks.includes("playwright");
   const hasCypress = hasDep("cypress");
   const preCommitTool = exists("lefthook.yml") || exists("lefthook.yaml") ? "lefthook" : exists(".husky") || hasDep("husky") || (scripts.prepare ?? "").includes("husky") ? "husky" : exists(".pre-commit-config.yaml") ? "pre-commit (Python framework)" : null;
@@ -999,7 +1051,7 @@ async function writeWorkflowConfig(root, dryRun, opts = {}) {
   const ctx = await readJson(hausPath(root, "context-map.json")) ?? {
     ...FALLBACK_CONTEXT,
     root,
-    repoName: path10.basename(root)
+    repoName: path11.basename(root)
   };
   const values = await deriveWorkflowConfig(root, ctx);
   if (exists) {
@@ -1108,7 +1160,7 @@ async function writeClaudeFiles(root, dryRun, selectedIds, opts = {}) {
     estimatedTokenReductionPct: 0
   };
   const pkgRoot = packageRoot();
-  const hausVersion2 = (await readJson(path11.join(pkgRoot, "package.json")))?.version ?? "0.0.0";
+  const hausVersion2 = (await readJson(path12.join(pkgRoot, "package.json")))?.version ?? "0.0.0";
   const coreFiles = [
     claudePath(root, "settings.json"),
     claudePath(root, "rules", "haus.md"),
@@ -1167,15 +1219,8 @@ async function writeClaudeFiles(root, dryRun, selectedIds, opts = {}) {
     "- Never read secrets.\n- Block dangerous shell commands.\n",
     dryRun
   );
-  const fixtureManifestPath = process.env["HAUS_FIXTURE_CATALOG"];
-  const manifestPath2 = fixtureManifestPath ?? path11.join(pkgRoot, "library", "catalog", "manifest.json");
-  const manifestDir = path11.dirname(manifestPath2);
-  const manifest = await readJson(manifestPath2) ?? { items: [] };
-  const manifestById = new Map((manifest.items ?? []).map((item) => [item.id, item]));
-  const cacheManifest = await readJson(
-    path11.join(CACHE_DIR, "manifest.json")
-  );
-  const cacheManifestById = new Map((cacheManifest?.items ?? []).map((item) => [item.id, item]));
+  const { items: manifestItems, contentRoot } = await loadCatalogContext(root);
+  const manifestById = new Map(manifestItems.map((item) => [item.id, item]));
   const installedPathsByItem = /* @__PURE__ */ new Map();
   const installedIds = /* @__PURE__ */ new Set();
   const catalogItems = selectedIds !== void 0 ? rec.recommended.filter((r) => selectedIds.includes(r.id)) : rec.recommended;
@@ -1194,11 +1239,9 @@ async function writeClaudeFiles(root, dryRun, selectedIds, opts = {}) {
         continue;
       }
     }
-    const cachedItem = cacheManifestById.get(item.id);
-    const cachePath = cachedItem?.path ? path11.join(CACHE_DIR, cachedItem.path) : null;
-    const sourcePath = cachePath && await fs10.pathExists(cachePath) ? cachePath : path11.join(manifestDir, manifestItem.path);
+    const sourcePath = catalogItemContentPath(contentRoot, manifestItem);
     const target = item.type === "agent" ? "agents" : item.type === "template" ? "templates" : "skills";
-    const destination = claudePath(root, target, path11.basename(sourcePath));
+    const destination = claudePath(root, target, path12.basename(sourcePath));
     if (await fs10.pathExists(sourcePath)) {
       if (dryRun) {
         const exists = await fs10.pathExists(destination);
@@ -1206,12 +1249,12 @@ async function writeClaudeFiles(root, dryRun, selectedIds, opts = {}) {
           `${displayPath(root, destination)}: ${exists ? "would overwrite" : "would create"} (${item.id})`
         );
       } else {
-        await fs10.ensureDir(path11.dirname(destination));
+        await fs10.ensureDir(path12.dirname(destination));
         await fs10.copy(sourcePath, destination, { overwrite: true, errorOnExist: false });
       }
       files.push(destination);
       const current = installedPathsByItem.get(item.id) ?? [];
-      installedPathsByItem.set(item.id, [...current, path11.relative(root, destination)]);
+      installedPathsByItem.set(item.id, [...current, path12.relative(root, destination)]);
       installedIds.add(item.id);
     } else {
       warn(
@@ -1289,7 +1332,7 @@ async function writeManagedJson(root, filePath, value, dryRun) {
 
 // src/commands/apply.ts
 async function cacheHasItems() {
-  const data = await readJson(path12.join(CACHE_DIR, "manifest.json"));
+  const data = await readJson(path13.join(getCacheDir(), "manifest.json"));
   return Array.isArray(data?.items) && data.items.length > 0;
 }
 async function runApply(options) {
@@ -1333,17 +1376,9 @@ async function runApply(options) {
     const rec = await readJson(hausPath(root, "recommendation.json"));
     const catalogItemCount = selectedIds !== void 0 ? selectedIds.length : rec?.recommended.length ?? 0;
     if (catalogItemCount > 0 && !await cacheHasItems()) {
-      if (isDryRun) {
-        warn(
-          "Catalog cache is empty \u2014 `haus apply --write` will skip catalog items. Run `haus update` first."
-        );
-      } else {
-        error(
-          "Catalog cache is empty \u2014 cannot install catalog items. Run `haus update` first, or pass --allow-empty-cache to apply core files only."
-        );
-        process.exitCode = 1;
-        return;
-      }
+      warn(
+        isDryRun ? "Catalog cache is empty \u2014 `haus apply --write` will skip catalog items. Run `haus update` first." : "Catalog cache is empty \u2014 catalog items will be skipped. Run `haus update` first, or pass --allow-empty-cache to silence this warning."
+      );
     }
   }
   const files = await writeClaudeFiles(root, isDryRun, selectedIds, {
@@ -1369,26 +1404,6 @@ async function refreshProjectApply(root) {
   return writeClaudeFiles(root, false, void 0, { refillConfig: false });
 }
 
-// src/catalog/load-catalog.ts
-import os4 from "os";
-import path13 from "path";
-var CACHE_MANIFEST = path13.join(os4.homedir(), CATALOG_CACHE_SUBDIR, "manifest.json");
-async function loadCatalog(root) {
-  const envPath = process.env["HAUS_FIXTURE_CATALOG"];
-  if (envPath) {
-    const data2 = await readJson(envPath);
-    return data2?.items ?? [];
-  }
-  const cacheData = await readJson(CACHE_MANIFEST);
-  if (cacheData?.items?.length) return cacheData.items;
-  const localManifest = path13.join(root, "library/catalog/manifest.json");
-  const localData = await readJson(localManifest);
-  if (localData?.items?.length) return localData.items;
-  const packageManifest = path13.join(packageRoot(), "library/catalog/manifest.json");
-  const data = await readJson(packageManifest);
-  return data?.items ?? [];
-}
-
 // library/catalog/validation-rules.json
 var validation_rules_default = {
   forbiddenTags: [
@@ -2342,6 +2357,38 @@ ${describeRepo(context)}
 `;
 }
 
+// src/scanner/write-sources-report.ts
+function buildSourcesReport(items) {
+  const statusBySource = /* @__PURE__ */ new Map();
+  for (const item of items) {
+    const src = item.source?.trim();
+    if (!src || src === "haus") continue;
+    if (src === "curated") {
+      if (item.reviewStatus === "approved" && item.riskLevel !== "blocked") {
+        statusBySource.set("curated", "approved");
+      } else if (!statusBySource.has("curated")) {
+        statusBySource.set("curated", "candidate");
+      }
+      continue;
+    }
+    if (item.reviewStatus === "approved" && item.riskLevel !== "blocked") {
+      statusBySource.set(src, "approved");
+    } else if (!statusBySource.has(src)) {
+      statusBySource.set(src, "candidate");
+    }
+  }
+  return {
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    items: [...statusBySource.entries()].map(([id, status]) => ({ id, status })).sort((a, b) => a.id.localeCompare(b.id))
+  };
+}
+async function writeSourcesReport(root) {
+  const items = await loadCatalog(root);
+  const report = buildSourcesReport(items);
+  await writeJson(hausPath(root, "sources-report.json"), report);
+  return report;
+}
+
 // src/scanner/scan-project.ts
 var SAFE_FILES = [
   "package.json",
@@ -2450,6 +2497,7 @@ async function scanProject(root, mode = "fast") {
   await writeJson(hausPath(root, "dependency-map.json"), dependencyMap);
   await writeJson(hausPath(root, "scan-hashes.json"), scanHashes);
   await writeText(hausPath(root, "repo-summary.md"), repoSummary);
+  await writeSourcesReport(root);
   return { ...context, dependencyMap, scanHashes, repoSummary };
 }
 
@@ -2461,6 +2509,18 @@ async function readContextOrScan(root) {
   return scan;
 }
 
+// src/security/secret-patterns.ts
+var SECRET_PATTERNS = [
+  /api[_-]?key\s*[:=]\s*\S+/i,
+  /token\s*[:=]\s*\S+/i,
+  /password\s*[:=]\s*\S+/i
+];
+
+// src/security/redact-sensitive.ts
+function redactSensitive(input2) {
+  return SECRET_PATTERNS.reduce((acc, pattern) => acc.replace(pattern, "[REDACTED]"), input2);
+}
+
 // src/commands/context.ts
 async function runContext(options) {
   const root = process.cwd();
@@ -2509,7 +2569,7 @@ async function runContext(options) {
     }),
     summary
   ];
-  const text = lines.join("\n");
+  const text = redactSensitive(lines.join("\n"));
   log(options.fromHook ? text.slice(0, 3e3) : text);
 }
 
@@ -2648,7 +2708,7 @@ async function runDoctor(options) {
       ok("- .haus-workflow/WORKFLOW.md: OK (user-owned)");
     } else {
       const storedHashMatch = firstLine.match(/hash=(sha256-[a-f0-9]+)/);
-      const cachePath = path19.join(CACHE_DIR, "templates/agentic-workflow-standard.md");
+      const cachePath = path19.join(getCacheDir(), "templates/agentic-workflow-standard.md");
       const bundledPath = path19.join(
         packageRoot(),
         "library",
@@ -2723,7 +2783,9 @@ async function runDoctor(options) {
       `A newer haus (${npmStatus.latest}) is available`,
       `npm install -g ${NPM_PACKAGE_NAME}`
     );
-    process.exitCode = 1;
+    if (!process.env["HAUS_FIXTURE_CATALOG"]) {
+      process.exitCode = 1;
+    }
   } else if (npmStatus.latest !== null) {
     ok(`- CLI: ${currentVersion} (up to date)`);
   } else {
@@ -2916,23 +2978,7 @@ async function readChangedFiles(root) {
 }
 
 // src/recommender/policies.ts
-var UNSUPPORTED = [
-  "python",
-  "django",
-  "go",
-  "rust",
-  "java",
-  "spring",
-  "kotlin",
-  "swift",
-  "android",
-  "flutter",
-  "dart",
-  "c++",
-  "perl",
-  "defi",
-  "trading"
-];
+var UNSUPPORTED = FORBIDDEN_TAGS;
 function matchRequiresAny(clauses, ctx) {
   for (const clause of clauses) {
     if ("stack" in clause) {
@@ -3218,6 +3264,15 @@ async function runSetupCore(root, opts) {
       return baseResult;
     }
   }
+  if (!dryRun && !process.env["HAUS_FIXTURE_CATALOG"]) {
+    log("Syncing remote catalog...");
+    const sync = await syncRemoteCatalog();
+    if (sync.newItems.length > 0) {
+      log(`Catalog cache populated: ${sync.newItems.length} new item(s).`);
+    } else if (sync.refreshed.length > 0) {
+      log(`Catalog cache refreshed: ${sync.refreshed.length} updated item(s).`);
+    }
+  }
   const files = await writeClaudeFiles(root, dryRun ?? false);
   log("Applied files:");
   files.forEach((f) => log(`- ${displayPath(root, f)}`));
@@ -3570,10 +3625,14 @@ async function runRecommend(options) {
 
 // src/commands/refresh.ts
 async function runRefresh() {
-  const result = await scanProject(process.cwd(), "fast");
-  log("Haus scan complete");
-  log(`Roles: ${result.repoRoles.join(", ") || "unknown"}`);
-  log(`Package manager: ${result.packageManager}`);
+  const root = process.cwd();
+  const context = await scanProject(root, "fast");
+  const recommendation = await recommend(root, context);
+  await writeJson(hausPath(root, "recommendation.json"), recommendation);
+  log("Haus refresh complete");
+  log(`Roles: ${context.repoRoles.join(", ") || "unknown"}`);
+  log(`Package manager: ${context.packageManager}`);
+  log(`Recommended items: ${recommendation.recommended.length}`);
 }
 
 // src/commands/scan.ts
@@ -3827,7 +3886,17 @@ async function checkLock(root) {
     (item) => !item.version || normalizeVersion(item.version) !== null
   );
   const catalogRef = lock[0]?.catalogRef ?? null;
-  return { ok: lock.length > 0 && hasValidVersions, count: lock.length, catalogRef };
+  const drift = [];
+  for (const item of lock) {
+    if (!item.hash) continue;
+    const paths = Array.isArray(item.paths) ? item.paths.map(String) : [];
+    const actual = await hashInstalledPaths(root, paths);
+    if (item.hash !== actual) {
+      drift.push({ id: item.id, expected: item.hash, actual });
+    }
+  }
+  const ok = lock.length > 0 && hasValidVersions && drift.length === 0;
+  return { ok, count: lock.length, catalogRef, drift, driftCount: drift.length };
 }
 async function applyLock(root) {
   const lockPath = hausPath(root, "haus.lock.json");
@@ -3902,6 +3971,7 @@ async function runUpdate(options) {
       )
     );
     if (!status.ok) process.exitCode = 1;
+    if (status.driftCount > 0) process.exitCode = 1;
     return;
   }
   const pkgJson = await readJson(path25.join(packageRoot(), "package.json"));
@@ -3924,7 +3994,12 @@ async function runUpdate(options) {
   if (sync.newItems.length > 0) {
     log(`Catalog updated: ${sync.newItems.length} new item(s): ${sync.newItems.join(", ")}`);
     log("Run `haus recommend && haus apply --write` to install new skills.");
-  } else if (sync.unchanged > 0) {
+  }
+  if (sync.refreshed.length > 0) {
+    log(`Catalog refreshed: ${sync.refreshed.length} updated item(s): ${sync.refreshed.join(", ")}`);
+    log("Run `haus apply --write` to install refreshed skill content.");
+  }
+  if (sync.newItems.length === 0 && sync.refreshed.length === 0 && sync.unchanged > 0) {
     log(`Catalog up to date (${sync.unchanged} item(s) unchanged).`);
   }
   if (sync.failed.length > 0) {
@@ -3978,6 +4053,32 @@ async function detectGlobalInstallDrift() {
 // src/commands/validate-catalog.ts
 import fs18 from "fs";
 import path26 from "path";
+
+// src/catalog/forbidden-content.ts
+var PROSE_FORBIDDEN_TAGS = FORBIDDEN_TAGS.filter((t) => t.toLowerCase() !== "go");
+function escapeRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function extractUseWhenSection(text) {
+  const marker = "## Use when";
+  const idx = text.toLowerCase().indexOf(marker.toLowerCase());
+  if (idx < 0) return "";
+  const tail = text.slice(idx + marker.length);
+  const next = tail.search(/\n##\s+/);
+  return next < 0 ? tail : tail.slice(0, next);
+}
+function auditForbiddenTagsInText(text, label) {
+  const body = extractUseWhenSection(text);
+  if (!body.trim()) return [];
+  const failures = [];
+  for (const word of PROSE_FORBIDDEN_TAGS) {
+    const re = new RegExp(`\\b${escapeRegExp(word)}\\b`, "i");
+    if (re.test(body)) failures.push(`${label}: forbidden stack/tag "${word}" in content`);
+  }
+  return failures;
+}
+
+// src/commands/validate-catalog.ts
 function auditForbiddenStacks(items) {
   const failures = [];
   for (const item of items) {
@@ -4056,6 +4157,9 @@ function auditShippedFiles(manifestDir, items) {
       for (const section of REQUIRED_SKILL_SECTIONS) {
         if (!text.includes(section)) failures.push(`${item.id}: SKILL.md missing ${section}`);
       }
+      failures.push(
+        ...auditForbiddenTagsInText(text, `${item.id}: ${path26.relative(manifestDir, skillMd)}`)
+      );
     } else if (item.type === "agent") {
       if (!fs18.existsSync(absPath)) {
         failures.push(`${item.id}: missing agent file ${item.path}`);
@@ -4071,17 +4175,42 @@ function auditShippedFiles(manifestDir, items) {
         if (lower.includes(phrase))
           failures.push(`${item.id}: agent file contains disallowed phrase "${phrase}"`);
       }
+      failures.push(
+        ...auditForbiddenTagsInText(text, `${item.id}: ${path26.relative(manifestDir, absPath)}`)
+      );
     } else if (item.type === "template") {
       if (!fs18.existsSync(absPath)) {
         failures.push(`${item.id}: missing template file ${item.path}`);
+        continue;
       }
+      failures.push(...auditTemplateContent(manifestDir, absPath, item.id));
+    }
+  }
+  return failures;
+}
+function auditTemplateContent(manifestDir, absPath, itemId) {
+  const rel = path26.relative(manifestDir, absPath);
+  const text = fs18.readFileSync(absPath, "utf8");
+  const failures = [];
+  const lines = text.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    const line2 = lines[i] ?? "";
+    if (PLACEHOLDER_PATTERN.test(line2)) {
+      failures.push(`${rel}:${i + 1}: TODO or placeholder in shipped content`);
+    }
+    if (RISKY_INSTALL_PATTERNS.some((re) => re.test(line2))) {
+      failures.push(`${rel}:${i + 1}: risky install pattern`);
+    }
+    if (ANY_NPX_PATTERN.test(line2) && !ALLOWED_NPX_PATTERN.test(line2)) {
+      failures.push(`${rel}:${i + 1}: disallowed npx (only npx tsx allowed)`);
     }
   }
+  failures.push(...auditForbiddenTagsInText(text, `${itemId}: ${rel}`));
   return failures;
 }
 function auditMarkdownContent(manifestDir) {
   const failures = [];
-  const dirs = ["skills", "agents"];
+  const dirs = ["skills", "agents", "templates"];
   for (const dir of dirs) {
     const abs = path26.join(manifestDir, dir);
     if (!fs18.existsSync(abs)) continue;
@@ -4101,6 +4230,9 @@ function auditMarkdownContent(manifestDir) {
           failures.push(`${rel}:${i + 1}: disallowed npx (only npx tsx allowed)`);
         }
       }
+      if (!rel.includes("/references/")) {
+        failures.push(...auditForbiddenTagsInText(text, rel));
+      }
     });
   }
   return failures;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@haus-tech/haus-workflow",
-  "version": "0.15.0",
+  "version": "0.16.0",
   "description": "Haus AI workflow CLI for Claude Code.",
   "type": "module",
   "bin": {