npm - @haus-tech/haus-workflow - Versions diffs - 0.22.1 → 0.23.1 - Mend

@haus-tech/haus-workflow 0.22.1 → 0.23.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md +9 -0
package/dist/cli.js +642 -288
package/library/catalog/manifest.json +70 -310
package/package.json +1 -1

package/dist/cli.js CHANGED Viewed

@@ -2,13 +2,13 @@
 // src/cli.ts
 import { readFileSync as readFileSync4 } from "fs";
-import path35 from "path";
+import path36 from "path";
 import { Command } from "commander";
 // src/commands/apply.ts
-import path13 from "path";
+import path14 from "path";
 import checkbox from "@inquirer/checkbox";
-import fs12 from "fs-extra";
+import fs13 from "fs-extra";
 // src/catalog/remote-catalog.ts
 import os from "os";
@@ -86,6 +86,8 @@ var error = (msg, ...args) => {
 // src/catalog/constants.ts
 var CATALOG_REPO_URL = "https://raw.githubusercontent.com/wearehaustech/haus-workflow-catalog";
+var CATALOG_GITHUB_API_URL = "https://api.github.com/repos/WeAreHausTech/haus-workflow-catalog";
+var SUPERPOWERS_SHARED_CATALOG_REL = "skills/superpowers/shared";
 var CATALOG_REF = process.env.HAUS_CATALOG_REF;
 var CATALOG_CACHE_SUBDIR = ".claude/haus/catalog-cache";
@@ -405,6 +407,7 @@ function getCacheDir() {
   return process.env["HAUS_CATALOG_CACHE_DIR_OVERRIDE"] ?? path2.join(os.homedir(), CATALOG_CACHE_SUBDIR);
 }
 var cachedCatalogRef;
+var cachedBlobPaths;
 function getResolvedCatalogRef() {
   return cachedCatalogRef ?? process.env["HAUS_CATALOG_REF"] ?? "main";
 }
@@ -436,6 +439,15 @@ async function fetchText(url) {
     return null;
   }
 }
+async function fetchBytes(url) {
+  try {
+    const res = await fetch(url, { signal: AbortSignal.timeout(1e4) });
+    if (!res.ok) return null;
+    return Buffer.from(await res.arrayBuffer());
+  } catch {
+    return null;
+  }
+}
 async function fetchRemoteManifest() {
   const base = await remoteBase();
   const text = await fetchText(`${base}/manifest.json`);
@@ -480,29 +492,246 @@ function isSafeCatalogPath(itemPath) {
   const normalized = path2.normalize(itemPath);
   return !normalized.startsWith("..") && !normalized.includes("/..");
 }
+function isSafeRelativeFilePath(rel) {
+  if (!rel || rel.startsWith("/") || rel.includes("\\") || rel.includes("//")) return false;
+  if (path2.isAbsolute(rel)) return false;
+  const normalized = path2.posix.normalize(rel.replace(/\\/g, "/"));
+  return normalized !== ".." && !normalized.startsWith("../") && !normalized.includes("/../");
+}
+function githubApiHeaders() {
+  const headers = { Accept: "application/vnd.github+json" };
+  const auth = process.env["HAUS_GITHUB_TOKEN"] ?? process.env["GITHUB_TOKEN"];
+  if (auth) headers["Authorization"] = `Bearer ${auth}`;
+  return headers;
+}
+function sanitizeRelativeFilePaths(files, label) {
+  const safe = [];
+  for (const rel of files) {
+    if (!isSafeRelativeFilePath(rel)) {
+      warn(`Rejected unsafe path in ${label}: ${rel}`);
+      return null;
+    }
+    safe.push(rel);
+  }
+  return safe;
+}
 function safeJoin(base, itemPath) {
   if (!isSafeCatalogPath(itemPath)) return null;
   const resolved = path2.resolve(base, itemPath);
   return resolved.startsWith(base + path2.sep) || resolved === base ? resolved : null;
 }
 var KNOWN_ITEM_TYPES = /* @__PURE__ */ new Set(["skill", "agent", "template", "command"]);
-function isExternalReference(ref) {
-  return /^[a-z][a-z0-9+.-]*:\/\//i.test(ref);
-}
-async function downloadSkillReferences(item, destDir, base) {
-  for (const ref of item.references ?? []) {
-    if (isExternalReference(ref)) continue;
-    const refDest = safeJoin(destDir, ref);
-    if (!refDest) {
-      warn(`Skipping reference "${ref}" for ${item.id}: path traversal detected`);
-      continue;
+function isMarkdownPath(rel) {
+  return rel.toLowerCase().endsWith(".md");
+}
+async function listFilesRecursive(dir, base = dir) {
+  const out = [];
+  if (!await fs2.pathExists(dir)) return out;
+  for (const entry of await fs2.readdir(dir, { withFileTypes: true })) {
+    const full = path2.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      out.push(...await listFilesRecursive(full, base));
+    } else if (entry.isFile()) {
+      out.push(path2.relative(base, full).replace(/\\/g, "/"));
     }
-    const text = await fetchText(`${base}/${item.path}/${ref}`);
-    if (text === null) {
-      warn(`Failed to fetch reference "${ref}" for ${item.id}`);
-      continue;
+  }
+  return out.sort();
+}
+async function listMockPrefixFiles(base, prefix) {
+  const text = await fetchText(`${base}/__haus_tree__/${encodeURIComponent(prefix)}`);
+  if (text === null) return null;
+  try {
+    const parsed = JSON.parse(text);
+    if (!Array.isArray(parsed) || !parsed.every((e) => typeof e === "string")) return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+async function fetchGitHubRecursiveBlobPaths(ref) {
+  try {
+    const headers = githubApiHeaders();
+    const commitRes = await fetch(`${CATALOG_GITHUB_API_URL}/commits/${encodeURIComponent(ref)}`, {
+      signal: AbortSignal.timeout(15e3),
+      headers
+    });
+    if (!commitRes.ok) return null;
+    const commit = await commitRes.json();
+    const treeSha = commit.commit.tree.sha;
+    const treeRes = await fetch(`${CATALOG_GITHUB_API_URL}/git/trees/${treeSha}?recursive=1`, {
+      signal: AbortSignal.timeout(3e4),
+      headers
+    });
+    if (!treeRes.ok) return null;
+    const tree = await treeRes.json();
+    if (tree.truncated) {
+      warn("Catalog GitHub tree listing was truncated \u2014 refusing partial cache sync");
+      return null;
+    }
+    return tree.tree.filter((e) => e.type === "blob").map((e) => e.path);
+  } catch {
+    return null;
+  }
+}
+async function fetchCatalogBlobPaths(_base) {
+  if (cachedBlobPaths) return cachedBlobPaths;
+  if (process.env["HAUS_CATALOG_REMOTE_BASE"]) return null;
+  const ref = getResolvedCatalogRef();
+  const paths = await fetchGitHubRecursiveBlobPaths(ref);
+  if (paths) cachedBlobPaths = paths;
+  return paths;
+}
+async function listFilesUnderCatalogPrefix(prefix, base) {
+  const normalized = prefix.replace(/\\/g, "/").replace(/\/+$/, "");
+  const prefixSlash = `${normalized}/`;
+  let relFiles;
+  if (process.env["HAUS_CATALOG_REMOTE_BASE"]) {
+    relFiles = await listMockPrefixFiles(base, normalized);
+  } else {
+    const blobs = await fetchCatalogBlobPaths(base);
+    if (!blobs) return null;
+    relFiles = blobs.filter((p) => p.startsWith(prefixSlash)).map((p) => p.slice(prefixSlash.length)).sort();
+  }
+  if (!relFiles) return null;
+  return sanitizeRelativeFilePaths(relFiles, normalized);
+}
+async function fetchPrefixFiles(catalogPrefix, relFiles, base, label) {
+  const fetched = [];
+  for (const rel of relFiles) {
+    const url = `${base}/${catalogPrefix}/${rel}`;
+    if (isMarkdownPath(rel)) {
+      const text = await fetchText(url);
+      if (text === null) {
+        warn(`Failed to fetch ${rel} for ${label}`);
+        return null;
+      }
+      fetched.push({ rel, kind: "text", body: text });
+    } else {
+      const bytes = await fetchBytes(url);
+      if (bytes === null) {
+        warn(`Failed to fetch ${rel} for ${label}`);
+        return null;
+      }
+      fetched.push({ rel, kind: "binary", body: bytes });
+    }
+  }
+  return fetched;
+}
+function validateMarkdownFiles(item, fetched) {
+  for (const file of fetched) {
+    if (file.kind !== "text" || !isMarkdownPath(file.rel)) continue;
+    const verdict = validateCatalogItem(item, file.body);
+    if (!verdict.ok) {
+      warn(`Rejected ${item.id} at ingest: ${verdict.reason}`);
+      return false;
     }
-    await writeTextIfChanged(refDest, text);
+  }
+  return true;
+}
+async function directoryMatchesFetched(destDir, fetched) {
+  if (!await fs2.pathExists(destDir)) return false;
+  const existing = await listFilesRecursive(destDir);
+  const relSet = new Set(fetched.map((f) => f.rel));
+  if (existing.length !== fetched.length) return false;
+  for (const rel of existing) {
+    if (!relSet.has(rel)) return false;
+  }
+  for (const file of fetched) {
+    const dest = path2.join(destDir, file.rel);
+    if (!await fs2.pathExists(dest)) return false;
+    if (file.kind === "text") {
+      const local = await fs2.readFile(dest, "utf8");
+      if (local !== file.body) return false;
+    } else {
+      const local = await fs2.readFile(dest);
+      if (!local.equals(file.body)) return false;
+    }
+  }
+  return true;
+}
+async function writeFetchedDirectory(destDir, fetched) {
+  if (await fs2.pathExists(destDir)) {
+    await fs2.remove(destDir);
+  }
+  await fs2.ensureDir(destDir);
+  for (const file of fetched) {
+    const dest = path2.join(destDir, file.rel);
+    await fs2.ensureDir(path2.dirname(dest));
+    if (file.kind === "text") {
+      await fs2.writeFile(dest, file.body, "utf8");
+    } else {
+      await fs2.writeFile(dest, file.body);
+    }
+  }
+}
+async function syncDirectoryFromPrefix(item, catalogPrefix, destDir, base, opts) {
+  const relFiles = await listFilesUnderCatalogPrefix(catalogPrefix, base);
+  if (!relFiles) {
+    warn(`Failed to list files for ${item.id}`);
+    return "failed";
+  }
+  if (!relFiles.includes("SKILL.md") && catalogPrefix !== SUPERPOWERS_SHARED_CATALOG_REL) {
+    warn(`Failed to fetch content for ${item.id}: missing SKILL.md`);
+    return "failed";
+  }
+  if (relFiles.length === 0) {
+    return "unchanged";
+  }
+  const fetched = await fetchPrefixFiles(catalogPrefix, relFiles, base, item.id);
+  if (!fetched) return "failed";
+  if (opts.validateMarkdown && "type" in item) {
+    if (!validateMarkdownFiles(item, fetched)) return "failed";
+  } else if (opts.validateMarkdown) {
+    for (const file of fetched) {
+      if (file.kind !== "text" || !isMarkdownPath(file.rel)) continue;
+      const verdict = validateCatalogItem(
+        { id: item.id, type: "skill", path: catalogPrefix },
+        file.body
+      );
+      if (!verdict.ok) {
+        warn(`Rejected ${item.id} at ingest: ${verdict.reason}`);
+        return "failed";
+      }
+    }
+  }
+  const existed = await fs2.pathExists(destDir);
+  if (await directoryMatchesFetched(destDir, fetched)) {
+    return "unchanged";
+  }
+  await writeFetchedDirectory(destDir, fetched);
+  return existed ? "updated" : "created";
+}
+async function syncSkillDirectory(item, base) {
+  const destDir = safeJoin(getCacheDir(), item.path);
+  if (!destDir) {
+    warn(`Skipping ${item.id}: path traversal detected`);
+    return "failed";
+  }
+  try {
+    return await syncDirectoryFromPrefix(item, item.path, destDir, base, {
+      validateMarkdown: true
+    });
+  } catch (err) {
+    warn(`Failed to cache ${item.id}: ${err instanceof Error ? err.message : String(err)}`);
+    return "failed";
+  }
+}
+async function syncSuperpowersShared(base) {
+  const relFiles = await listFilesUnderCatalogPrefix(SUPERPOWERS_SHARED_CATALOG_REL, base);
+  if (!relFiles || relFiles.length === 0) return "skipped";
+  const destDir = safeJoin(getCacheDir(), SUPERPOWERS_SHARED_CATALOG_REL);
+  if (!destDir) return "failed";
+  try {
+    return await syncDirectoryFromPrefix(
+      { id: "haus.superpowers-shared", path: SUPERPOWERS_SHARED_CATALOG_REL },
+      SUPERPOWERS_SHARED_CATALOG_REL,
+      destDir,
+      base,
+      { validateMarkdown: true }
+    );
+  } catch (err) {
+    warn(`Failed to cache superpowers shared: ${err instanceof Error ? err.message : String(err)}`);
+    return "failed";
   }
 }
 async function syncOneItem(item, base) {
@@ -518,30 +747,7 @@ async function syncOneItem(item, base) {
     return "failed";
   }
   if (item.type === "skill") {
-    const destDir = safeJoin(getCacheDir(), item.path);
-    if (!destDir) {
-      warn(`Skipping ${item.id}: path traversal detected`);
-      return "failed";
-    }
-    const dest2 = path2.join(destDir, "SKILL.md");
-    const text2 = await fetchText(`${base}/${item.path}/SKILL.md`);
-    if (!text2) {
-      warn(`Failed to fetch content for ${item.id}`);
-      return "failed";
-    }
-    const verdict2 = validateCatalogItem(item, text2);
-    if (!verdict2.ok) {
-      warn(`Rejected ${item.id} at ingest: ${verdict2.reason}`);
-      return "failed";
-    }
-    try {
-      const outcome = await writeTextIfChanged(dest2, text2);
-      await downloadSkillReferences(item, destDir, base);
-      return outcome;
-    } catch (err) {
-      warn(`Failed to cache ${item.id}: ${err instanceof Error ? err.message : String(err)}`);
-      return "failed";
-    }
+    return syncSkillDirectory(item, base);
   }
   const dest = safeJoin(getCacheDir(), item.path);
   if (!dest) {
@@ -566,6 +772,7 @@ async function syncOneItem(item, base) {
   }
 }
 async function syncRemoteCatalog() {
+  cachedBlobPaths = void 0;
   const manifest = await fetchRemoteManifest();
   if (!manifest) {
     warn("Remote catalog fetch failed \u2014 using bundled catalog");
@@ -593,6 +800,10 @@ async function syncRemoteCatalog() {
   const failed = [];
   const base = await remoteBase();
   const outcomes = await mapWithConcurrency(items, (item) => syncOneItem(item, base), 8);
+  const sharedOutcome = await syncSuperpowersShared(base);
+  if (sharedOutcome === "failed") {
+    warn("Failed to cache superpowers shared support files");
+  }
   for (let i = 0; i < items.length; i++) {
     const item = items[i];
     const outcome = outcomes[i];
@@ -609,7 +820,7 @@ async function fetchLatestCatalogTag() {
   try {
     const res = await fetch(CATALOG_TAGS_API_URL, {
       signal: AbortSignal.timeout(5e3),
-      headers: { Accept: "application/vnd.github+json" }
+      headers: githubApiHeaders()
     });
     if (!res.ok) return null;
     const tags = await res.json();
@@ -718,9 +929,10 @@ function mergeHooks(settings, fragments) {
   updated._haus = {
     hooks: [...existing, ...addedIds],
     hookCommands: [...existingCommands, ...addedCommands],
-    // Preserve deny/allow tracking so hook, deny, and allow merges are order-independent.
+    // Preserve deny/allow/ask tracking so hook, deny, allow, and ask merges are order-independent.
     ...settings._haus?.denyRules ? { denyRules: settings._haus.denyRules } : {},
-    ...settings._haus?.allowRules ? { allowRules: settings._haus.allowRules } : {}
+    ...settings._haus?.allowRules ? { allowRules: settings._haus.allowRules } : {},
+    ...settings._haus?.askRules ? { askRules: settings._haus.askRules } : {}
   };
   return { settings: updated, addedIds };
 }
@@ -743,7 +955,8 @@ function mergeDenyRules(settings, rules) {
     hooks: settings._haus?.hooks ?? [],
     ...settings._haus?.hookCommands ? { hookCommands: settings._haus.hookCommands } : {},
     denyRules: [...trackedDeny, ...addedRules],
-    ...settings._haus?.allowRules ? { allowRules: settings._haus.allowRules } : {}
+    ...settings._haus?.allowRules ? { allowRules: settings._haus.allowRules } : {},
+    ...settings._haus?.askRules ? { askRules: settings._haus.askRules } : {}
   };
   return { settings: updated, addedRules };
 }
@@ -766,7 +979,8 @@ function mergeAllowRules(settings, rules) {
     hooks: settings._haus?.hooks ?? [],
     ...settings._haus?.hookCommands ? { hookCommands: settings._haus.hookCommands } : {},
     ...settings._haus?.denyRules ? { denyRules: settings._haus.denyRules } : {},
-    allowRules: [...trackedAllow, ...addedRules]
+    allowRules: [...trackedAllow, ...addedRules],
+    ...settings._haus?.askRules ? { askRules: settings._haus.askRules } : {}
   };
   return { settings: updated, addedRules };
 }
@@ -783,7 +997,7 @@ function stripHausAllow(settings) {
   else delete updated.permissions;
   const haus = { ...prevHaus };
   delete haus.allowRules;
-  const stillTracking = (haus.hooks?.length ?? 0) > 0 || (haus.hookCommands?.length ?? 0) > 0 || (haus.denyRules?.length ?? 0) > 0;
+  const stillTracking = (haus.hooks?.length ?? 0) > 0 || (haus.hookCommands?.length ?? 0) > 0 || (haus.denyRules?.length ?? 0) > 0 || (haus.askRules?.length ?? 0) > 0;
   if (stillTracking) updated._haus = haus;
   else delete updated._haus;
   return updated;
@@ -801,7 +1015,7 @@ function stripHausDeny(settings) {
   else delete updated.permissions;
   const haus = { ...prevHaus };
   delete haus.denyRules;
-  const stillTracking = (haus.hooks?.length ?? 0) > 0 || (haus.hookCommands?.length ?? 0) > 0 || (haus.allowRules?.length ?? 0) > 0;
+  const stillTracking = (haus.hooks?.length ?? 0) > 0 || (haus.hookCommands?.length ?? 0) > 0 || (haus.allowRules?.length ?? 0) > 0 || (haus.askRules?.length ?? 0) > 0;
   if (stillTracking) updated._haus = haus;
   else delete updated._haus;
   return updated;
@@ -823,6 +1037,48 @@ function stripHausHooks(settings) {
   void _;
   return rest;
 }
+function mergeAskRules(settings, rules) {
+  const existingAsk = settings.permissions?.ask ?? [];
+  const seen = new Set(existingAsk);
+  const trackedAsk = settings._haus?.askRules ?? [];
+  const addedRules = [];
+  for (const rule of rules) {
+    if (seen.has(rule)) continue;
+    seen.add(rule);
+    addedRules.push(rule);
+  }
+  const updated = { ...settings };
+  updated.permissions = {
+    ...settings.permissions ?? {},
+    ask: [...existingAsk, ...addedRules]
+  };
+  updated._haus = {
+    hooks: settings._haus?.hooks ?? [],
+    ...settings._haus?.hookCommands ? { hookCommands: settings._haus.hookCommands } : {},
+    ...settings._haus?.denyRules ? { denyRules: settings._haus.denyRules } : {},
+    ...settings._haus?.allowRules ? { allowRules: settings._haus.allowRules } : {},
+    askRules: [...trackedAsk, ...addedRules]
+  };
+  return { settings: updated, addedRules };
+}
+function stripHausAsk(settings) {
+  const prevHaus = settings._haus;
+  if (!prevHaus?.askRules || prevHaus.askRules.length === 0) return settings;
+  const ownedSet = new Set(prevHaus.askRules);
+  const updated = { ...settings };
+  const remainingAsk = (settings.permissions?.ask ?? []).filter((rule) => !ownedSet.has(rule));
+  const permissions = { ...settings.permissions ?? {} };
+  if (remainingAsk.length > 0) permissions.ask = remainingAsk;
+  else delete permissions.ask;
+  if (Object.keys(permissions).length > 0) updated.permissions = permissions;
+  else delete updated.permissions;
+  const haus = { ...prevHaus };
+  delete haus.askRules;
+  const stillTracking = (haus.hooks?.length ?? 0) > 0 || (haus.hookCommands?.length ?? 0) > 0 || (haus.denyRules?.length ?? 0) > 0 || (haus.allowRules?.length ?? 0) > 0;
+  if (stillTracking) updated._haus = haus;
+  else delete updated._haus;
+  return updated;
+}
 async function loadHooksFragment(fragmentPath) {
   let raw;
   try {
@@ -835,44 +1091,48 @@ async function loadHooksFragment(fragmentPath) {
 }
 // src/security/dangerous-commands.ts
-var DANGEROUS_COMMANDS = [
-  "rm -rf",
+var DENY_COMMANDS = [
   "sudo",
   "chmod -R 777",
-  "chown -R",
   "git push --force",
-  "git reset --hard",
-  "docker system prune",
   "drop database",
   "truncate table",
-  "php artisan migrate --force",
   "npm publish",
   "yarn npm publish",
   "pnpm publish"
 ];
+var ASK_COMMANDS = [
+  "rm -rf",
+  "chown -R",
+  "git reset --hard",
+  "docker system prune",
+  "php artisan migrate --force"
+];
 // src/security/sensitive-paths.ts
-var SENSITIVE_PATHS = [
-  ".env",
-  ".env.*",
+var DENY_PATHS = [
   "*.pem",
   "*.key",
   "*.p12",
   "*.pfx",
   "id_rsa",
   "id_ed25519",
-  "*.sql",
-  "*.dump",
-  "*.backup",
-  "*.bak",
-  "storage/logs",
-  "wp-content/uploads",
-  "uploads",
   "customer-data",
-  "exports",
   "secrets",
   "certs"
 ];
+var DENY_DIRS = /* @__PURE__ */ new Set(["customer-data", "secrets", "certs"]);
+var ASK_PATHS = [
+  { pattern: ".env", tools: ["Edit", "Write"] },
+  { pattern: ".env.*", tools: ["Edit", "Write"] },
+  { pattern: "storage/logs/**", tools: ["Edit", "Write"] },
+  { pattern: "exports/**", tools: ["Edit", "Write"] },
+  { pattern: "*.dump", tools: ["Read", "Edit", "Write"] },
+  { pattern: "*.backup", tools: ["Read", "Edit", "Write"] },
+  { pattern: "*.bak", tools: ["Read", "Edit", "Write"] },
+  { pattern: "wp-content/uploads/**", tools: ["Read", "Edit", "Write"] },
+  { pattern: "uploads/**", tools: ["Read", "Edit", "Write"] }
+];
 var SENSITIVE_PATH_REGEXES = [
   /^\.env(\.|$)/,
   /(^|\/)\.env(\.|$)/,
@@ -900,24 +1160,29 @@ var SENSITIVE_ITEM_KEYWORDS = [
   ".key"
 ];
+// src/security/ask-rules.ts
+function buildAskRules() {
+  const rules = [];
+  for (const command of ASK_COMMANDS) {
+    rules.push(`Bash(${command}:*)`);
+  }
+  for (const { pattern, tools } of ASK_PATHS) {
+    for (const tool of tools) {
+      rules.push(`${tool}(${pattern})`);
+    }
+  }
+  return [...new Set(rules)];
+}
 // src/security/deny-rules.ts
-var SENSITIVE_DIRS = /* @__PURE__ */ new Set([
-  "storage/logs",
-  "wp-content/uploads",
-  "uploads",
-  "customer-data",
-  "exports",
-  "secrets",
-  "certs"
-]);
 var FILE_TOOLS = ["Read", "Edit", "Write"];
 function buildDenyRules() {
   const rules = [];
-  for (const command of DANGEROUS_COMMANDS) {
+  for (const command of DENY_COMMANDS) {
     rules.push(`Bash(${command}:*)`);
   }
-  for (const path36 of SENSITIVE_PATHS) {
-    const pattern = SENSITIVE_DIRS.has(path36) ? `${path36}/**` : path36;
+  for (const path37 of DENY_PATHS) {
+    const pattern = DENY_DIRS.has(path37) ? `${path37}/**` : path37;
     for (const tool of FILE_TOOLS) {
       rules.push(`${tool}(${pattern})`);
     }
@@ -1005,7 +1270,8 @@ async function mergeProjectSettings(root) {
   const base = await readProjectSettings(root);
   const { settings: withHooks } = mergeHooks(base, PROJECT_HOOK_FRAGMENTS);
   const { settings: withDeny } = mergeDenyRules(withHooks, buildDenyRules());
-  const { settings: merged } = mergeAllowRules(withDeny, buildAllowRules());
+  const { settings: withAllow } = mergeAllowRules(withDeny, buildAllowRules());
+  const { settings: merged } = mergeAskRules(withAllow, buildAskRules());
   return merged;
 }
 async function applyProjectSettingsMerge(root) {
@@ -1015,8 +1281,8 @@ async function applyProjectSettingsMerge(root) {
 }
 // src/claude/write-claude-files.ts
-import path12 from "path";
-import fs11 from "fs-extra";
+import path13 from "path";
+import fs12 from "fs-extra";
 // src/catalog/load-catalog.ts
 import path6 from "path";
@@ -1183,8 +1449,59 @@ async function writeManagedJson(root, filePath, value, dryRun) {
   await writeManagedText(root, filePath, nextText, dryRun);
 }
-// src/claude/verify-hooks-contract.ts
+// src/claude/superpowers-install.ts
+import path9 from "path";
+import fg3 from "fast-glob";
 import fs6 from "fs-extra";
+var SUPERPOWERS_ORIGIN_SOURCE_ID = "superpowers-pcvelz";
+var PATH_REWRITES = [
+  ["skills/shared/", ".claude/skills/shared/"]
+];
+function rewriteSuperpowersMarkdown(text) {
+  let out = text;
+  for (const [from, to] of PATH_REWRITES) {
+    out = out.split(from).join(to);
+  }
+  return out;
+}
+async function rewriteMarkdownTree(dir) {
+  const files = await fg3("**/*.md", { cwd: dir, onlyFiles: true, dot: true });
+  for (const rel of files) {
+    const abs = path9.join(dir, rel);
+    const text = await fs6.readFile(abs, "utf8");
+    const rewritten = rewriteSuperpowersMarkdown(text);
+    if (rewritten !== text) {
+      await fs6.writeFile(abs, rewritten, "utf8");
+    }
+  }
+}
+async function installCatalogSkill(sourcePath, destination, opts) {
+  if (opts.dryRun) return;
+  await fs6.ensureDir(path9.dirname(destination));
+  if (await fs6.pathExists(destination)) {
+    await fs6.remove(destination);
+  }
+  await fs6.copy(sourcePath, destination, { overwrite: true, errorOnExist: false });
+  if (opts.originSourceId === SUPERPOWERS_ORIGIN_SOURCE_ID) {
+    await rewriteMarkdownTree(destination);
+  }
+}
+async function installSuperpowersShared(contentRoot, projectRoot, dryRun) {
+  const source = path9.join(contentRoot, SUPERPOWERS_SHARED_CATALOG_REL);
+  if (!await fs6.pathExists(source)) return null;
+  const destination = claudePath(projectRoot, "skills", "shared");
+  if (dryRun) return path9.relative(projectRoot, destination);
+  await fs6.ensureDir(path9.dirname(destination));
+  if (await fs6.pathExists(destination)) {
+    await fs6.remove(destination);
+  }
+  await fs6.copy(source, destination, { overwrite: true, errorOnExist: false });
+  await rewriteMarkdownTree(destination);
+  return path9.relative(projectRoot, destination);
+}
+// src/claude/verify-hooks-contract.ts
+import fs7 from "fs-extra";
 // src/claude/load-hooks.ts
 var CANONICAL_HOOKS = {
@@ -1212,7 +1529,7 @@ var STABLE_HOOK_IDS = {
   "haus guard bash --from-hook": "haus.guard-bash"
 };
 async function loadClaudeHooksSettings() {
-  return { ...CANONICAL_HOOKS, permissions: { deny: buildDenyRules() } };
+  return { ...CANONICAL_HOOKS, permissions: { deny: buildDenyRules(), ask: buildAskRules() } };
 }
 function flattenRecommendedHooks(settings) {
   const out = [];
@@ -1278,7 +1595,7 @@ async function assertPostApplySettingsHausContract(root) {
 }
 async function verifyProjectSettingsHooksContract(root) {
   const settingsPath = claudePath(root, "settings.json");
-  if (!await fs6.pathExists(settingsPath)) {
+  if (!await fs7.pathExists(settingsPath)) {
     return {
       ok: true,
       skipped: true,
@@ -1305,8 +1622,8 @@ async function verifyProjectSettingsHooksContract(root) {
 }
 // src/claude/write-root-claude-md.ts
-import path9 from "path";
-import fs7 from "fs-extra";
+import path10 from "path";
+import fs8 from "fs-extra";
 var BLOCK_BEGIN = "<!-- HAUS:BEGIN haus-imports v=1 -->";
 var BLOCK_END = "<!-- HAUS:END haus-imports -->";
 var IMPORT_CONTENT = `@.haus-workflow/WORKFLOW.md
@@ -1346,21 +1663,21 @@ ${block}
 `;
 }
 async function writeRootClaudeMd(root, dryRun) {
-  const filePath = path9.join(root, "CLAUDE.md");
+  const filePath = path10.join(root, "CLAUDE.md");
   const block = buildImportBlock();
-  const prev = await fs7.pathExists(filePath) ? await fs7.readFile(filePath, "utf8") : "";
+  const prev = await fs8.pathExists(filePath) ? await fs8.readFile(filePath, "utf8") : "";
   const next = injectHausBlock(prev, block);
   await writeManagedText(root, filePath, next, dryRun);
   return filePath;
 }
 // src/claude/write-workflow-config.ts
-import path11 from "path";
-import fs9 from "fs-extra";
+import path12 from "path";
+import fs10 from "fs-extra";
 // src/claude/derive-workflow-config.ts
-import path10 from "path";
-import fs8 from "fs-extra";
+import path11 from "path";
+import fs9 from "fs-extra";
 function binCmd(pm, bin, args) {
   const tail = args ? ` ${args}` : "";
   if (pm === "yarn") return `yarn ${bin}${tail}`;
@@ -1369,7 +1686,7 @@ function binCmd(pm, bin, args) {
 }
 async function deriveWorkflowConfig(root, ctx) {
   const pm = ctx.packageManager === "unknown" ? "npm" : ctx.packageManager;
-  const pkg = await readJson(path10.join(root, "package.json"));
+  const pkg = await readJson(path11.join(root, "package.json"));
   const scripts = pkg?.scripts ?? {};
   const deps = new Set(ctx.dependencies);
   const stacks = Object.values(ctx.detectedStacks ?? {}).flat();
@@ -1379,7 +1696,7 @@ async function deriveWorkflowConfig(root, ctx) {
     return null;
   };
   const hasDep = (name) => deps.has(name);
-  const exists = (rel) => fs8.pathExistsSync(path10.join(root, rel));
+  const exists = (rel) => fs9.pathExistsSync(path11.join(root, rel));
   const hasPlaywright = hasDep("@playwright/test") || stacks.includes("playwright");
   const hasCypress = hasDep("cypress");
   const preCommitTool = exists("lefthook.yml") || exists("lefthook.yaml") ? "lefthook" : exists(".husky") || hasDep("husky") || (scripts.prepare ?? "").includes("husky") ? "husky" : exists(".pre-commit-config.yaml") ? "pre-commit (Python framework)" : null;
@@ -1448,7 +1765,7 @@ var FALLBACK_CONTEXT = {
 async function writeWorkflowConfig(root, dryRun, opts = {}) {
   const destPath = hausPath(root, "workflow-config.md");
   const printable = displayPath(root, destPath);
-  const exists = await fs9.pathExists(destPath);
+  const exists = await fs10.pathExists(destPath);
   if (exists && !opts.refill) {
     if (dryRun) log(printable + ": exists (project-owned, skipping)");
     return null;
@@ -1456,11 +1773,11 @@ async function writeWorkflowConfig(root, dryRun, opts = {}) {
   const ctx = await readJson(hausPath(root, "context-map.json")) ?? {
     ...FALLBACK_CONTEXT,
     root,
-    repoName: path11.basename(root)
+    repoName: path12.basename(root)
   };
   const values = await deriveWorkflowConfig(root, ctx);
   if (exists) {
-    const current = await fs9.readFile(destPath, "utf8");
+    const current = await fs10.readFile(destPath, "utf8");
     const refilled = refillContent(current, values);
     if (refilled === current) {
       if (dryRun) log(printable + ": no blank fields to refill");
@@ -1482,7 +1799,7 @@ async function writeWorkflowConfig(root, dryRun, opts = {}) {
 }
 // src/claude/write-workflow.ts
-import fs10 from "fs-extra";
+import fs11 from "fs-extra";
 var STABLE_ID = "template.workflow";
 function makeWorkflowHeader(pkgVersion, contentHash) {
   return `<!-- HAUS-MANAGED id=${STABLE_ID} v=${SCHEMA_VERSION} source=@haus-tech/haus-workflow@${pkgVersion} hash=${contentHash} -->`;
@@ -1501,8 +1818,8 @@ async function writeWorkflow(root, pkgVersion, dryRun, force = false) {
 ${templateContent}`;
   const destPath = hausPath(root, "WORKFLOW.md");
   const printable = displayPath(root, destPath);
-  if (await fs10.pathExists(destPath)) {
-    const existing = await fs10.readFile(destPath, "utf8");
+  if (await fs11.pathExists(destPath)) {
+    const existing = await fs11.readFile(destPath, "utf8");
     const firstLine = existing.split("\n")[0] ?? "";
     const parsed = parseHausManagedHeader(firstLine);
     if (!parsed) {
@@ -1530,7 +1847,7 @@ ${templateContent}`;
     }
   }
   if (dryRun) {
-    const prev = await fs10.pathExists(destPath) ? await fs10.readFile(destPath, "utf8") : "";
+    const prev = await fs11.pathExists(destPath) ? await fs11.readFile(destPath, "utf8") : "";
     if (!prev) {
       log(createUnifiedDiff(printable, "", next));
     } else {
@@ -1564,13 +1881,12 @@ async function writeClaudeFiles(root, dryRun, selectedIds, opts = {}) {
     estimatedTokenReductionPct: 0
   };
   const pkgRoot = packageRoot();
-  const hausVersion2 = (await readJson(path12.join(pkgRoot, "package.json")))?.version ?? "0.0.0";
+  const hausVersion2 = (await readJson(path13.join(pkgRoot, "package.json")))?.version ?? "0.0.0";
   const coreFiles = [
     claudePath(root, "settings.json"),
     claudePath(root, "rules", "haus.md"),
     claudePath(root, "rules", "security.md"),
-    claudePath(root, "commands", "haus-doctor.md"),
-    claudePath(root, "commands", "haus-review.md")
+    claudePath(root, "commands", "haus-doctor.md")
   ];
   const rootClaudeMdPath = await writeRootClaudeMd(root, dryRun);
   const workflowPath = await writeWorkflow(root, hausVersion2, dryRun, opts.force);
@@ -1596,7 +1912,7 @@ async function writeClaudeFiles(root, dryRun, selectedIds, opts = {}) {
     await assertPostApplySettingsHausContract(root);
   }
   const configPath = hausPath(root, "config.json");
-  if (!await fs11.pathExists(configPath)) {
+  if (!await fs12.pathExists(configPath)) {
     await writeManagedJson(root, configPath, DEFAULT_HOOKS_CONFIG, dryRun);
   }
   await writeManagedText(
@@ -1605,12 +1921,20 @@ async function writeClaudeFiles(root, dryRun, selectedIds, opts = {}) {
     "Run `haus doctor`.",
     dryRun
   );
-  await writeManagedText(
-    root,
-    claudePath(root, "commands", "haus-review.md"),
-    'Run `haus context --task "code review"` then review diff.',
-    dryRun
-  );
+  const legacyReviewPath = claudePath(root, "commands", "haus-review.md");
+  if (await fs12.pathExists(legacyReviewPath)) {
+    const content2 = await fs12.readFile(legacyReviewPath, "utf8");
+    const stub = 'Run `haus context --task "code review"` then review diff.';
+    if (content2 === stub || content2 === `${stub}
+` || content2 === `${stub}\r
+`) {
+      if (dryRun) {
+        log(`[dry-run] would remove stale ${displayPath(root, legacyReviewPath)}`);
+      } else {
+        await fs12.remove(legacyReviewPath);
+      }
+    }
+  }
   await writeManagedText(
     root,
     claudePath(root, "rules", "haus.md"),
@@ -1629,6 +1953,7 @@ async function writeClaudeFiles(root, dryRun, selectedIds, opts = {}) {
   const installedIds = /* @__PURE__ */ new Set();
   const catalogItems = selectedIds !== void 0 ? rec.recommended.filter((r) => selectedIds.includes(r.id)) : rec.recommended;
   let curatedReviewStatusSkips = 0;
+  let superpowersSharedInstalled = false;
   for (const item of catalogItems) {
     const manifestItem = manifestById.get(item.id);
     if (!manifestItem?.path) continue;
@@ -1655,20 +1980,34 @@ async function writeClaudeFiles(root, dryRun, selectedIds, opts = {}) {
       );
       continue;
     }
-    const destination = claudePath(root, target, path12.basename(sourcePath));
-    if (await fs11.pathExists(sourcePath)) {
+    const destination = claudePath(root, target, path13.basename(sourcePath));
+    if (await fs12.pathExists(sourcePath)) {
       if (dryRun) {
-        const exists = await fs11.pathExists(destination);
+        const exists = await fs12.pathExists(destination);
         log(
           `${displayPath(root, destination)}: ${exists ? "would overwrite" : "would create"} (${item.id})`
         );
+      } else if (item.type === "skill") {
+        await installCatalogSkill(sourcePath, destination, {
+          originSourceId: manifestItem.originSourceId,
+          dryRun: false
+        });
       } else {
-        await fs11.ensureDir(path12.dirname(destination));
-        await fs11.copy(sourcePath, destination, { overwrite: true, errorOnExist: false });
+        await fs12.ensureDir(path13.dirname(destination));
+        await fs12.copy(sourcePath, destination, { overwrite: true, errorOnExist: false });
       }
       files.push(destination);
+      const relPaths = [path13.relative(root, destination)];
+      if (!superpowersSharedInstalled && manifestItem.originSourceId === SUPERPOWERS_ORIGIN_SOURCE_ID && item.type === "skill") {
+        const sharedRel = await installSuperpowersShared(contentRoot, root, dryRun);
+        if (sharedRel) {
+          superpowersSharedInstalled = true;
+          relPaths.push(sharedRel);
+          files.push(path13.join(root, sharedRel));
+        }
+      }
       const current = installedPathsByItem.get(item.id) ?? [];
-      installedPathsByItem.set(item.id, [...current, path12.relative(root, destination)]);
+      installedPathsByItem.set(item.id, [...current, ...relPaths]);
       installedIds.add(item.id);
     } else {
       warn(
@@ -1738,7 +2077,7 @@ async function cleanupStaleCatalogItems(root, knownIds, dryRun) {
     if (relPaths.length === 0) continue;
     const existing = [];
     for (const rel of relPaths) {
-      if (await fs11.pathExists(path12.join(root, rel))) existing.push(rel);
+      if (await fs12.pathExists(path13.join(root, rel))) existing.push(rel);
     }
     if (existing.length === 0) continue;
     if (entry.hash === void 0) {
@@ -1755,13 +2094,13 @@ async function cleanupStaleCatalogItems(root, knownIds, dryRun) {
       continue;
     }
     for (const rel of existing) {
-      const abs = path12.join(root, rel);
+      const abs = path13.join(root, rel);
       if (dryRun) {
         log(`[dry-run] would remove stale ${displayPath(root, abs)} (${entry.id})`);
         continue;
       }
-      await fs11.remove(abs);
-      await pruneEmptyDir(path12.dirname(abs));
+      await fs12.remove(abs);
+      await pruneEmptyDir(path13.dirname(abs));
       log(`Removed stale ${displayPath(root, abs)} (${entry.id})`);
     }
   }
@@ -1769,7 +2108,7 @@ async function cleanupStaleCatalogItems(root, knownIds, dryRun) {
 // src/commands/apply.ts
 async function cacheHasItems() {
-  const data = await readJson(path13.join(getCacheDir(), "manifest.json"));
+  const data = await readJson(path14.join(getCacheDir(), "manifest.json"));
   return Array.isArray(data?.items) && data.items.length > 0;
 }
 async function runApply(options) {
@@ -1835,8 +2174,8 @@ async function runApply(options) {
   }
 }
 async function isHausProject(root) {
-  if (await fs12.pathExists(hausPath(root, "recommendation.json"))) return true;
-  if (await fs12.pathExists(claudePath(root, "settings.json"))) {
+  if (await fs13.pathExists(hausPath(root, "recommendation.json"))) return true;
+  if (await fs13.pathExists(claudePath(root, "settings.json"))) {
     const settings = await readProjectSettings(root);
     if (settings._haus != null) return true;
   }
@@ -1874,7 +2213,7 @@ async function runCatalogAudit() {
 // src/commands/clone.ts
 import { existsSync as existsSync2 } from "fs";
-import path14 from "path";
+import path15 from "path";
 // src/utils/exec.ts
 import { execa } from "execa";
@@ -1902,6 +2241,20 @@ async function runGit(args, options = {}) {
 }
 // src/commands/clone.ts
+var GIT_LOCATION_VARS = [
+  "GIT_DIR",
+  "GIT_WORK_TREE",
+  "GIT_INDEX_FILE",
+  "GIT_COMMON_DIR",
+  "GIT_OBJECT_DIRECTORY",
+  "GIT_NAMESPACE",
+  "GIT_PREFIX"
+];
+function cloneEnv() {
+  const env = { ...process.env };
+  for (const key of GIT_LOCATION_VARS) delete env[key];
+  return env;
+}
 function repoNameFromUrl(url) {
   const trimmed = url.trim().replace(/\.git$/, "").replace(/\/+$/, "");
   const tail = trimmed.split(/[/:]/).pop() ?? "";
@@ -1913,16 +2266,16 @@ async function runClone(url, opts = {}) {
     process.exitCode = 1;
     return;
   }
-  const target = path14.resolve(opts.dir?.trim() || repoNameFromUrl(url));
+  const target = path15.resolve(opts.dir?.trim() || repoNameFromUrl(url));
   if (existsSync2(target)) {
-    log(`\u2022 ${path14.basename(target)} already present at ${target} \u2014 skipped`);
+    log(`\u2022 ${path15.basename(target)} already present at ${target} \u2014 skipped`);
     return;
   }
   if (opts.dryRun) {
     log(`would clone ${url} \u2192 ${target}`);
     return;
   }
-  const res = await runGit(["clone", url, target]);
+  const res = await runGit(["clone", url, target], { env: cloneEnv(), extendEnv: false });
   if (res.exitCode !== 0) {
     error(`clone failed for ${url}: ${(res.stderr || res.stdout).trim()}`);
     process.exitCode = 1;
@@ -1932,7 +2285,7 @@ async function runClone(url, opts = {}) {
 }
 // src/commands/config.ts
-import path15 from "path";
+import path16 from "path";
 var CONFIG_PATH2 = ".haus-workflow/config.json";
 var HOOK_ALIASES = {
   "hook.context": "context"
@@ -1945,7 +2298,7 @@ async function runConfig(key, action) {
     );
   }
   const root = process.cwd();
-  const configPath = path15.join(root, CONFIG_PATH2);
+  const configPath = path16.join(root, CONFIG_PATH2);
   const existing = await readJson(configPath);
   const cfg = existing ?? structuredClone(DEFAULT_HOOKS_CONFIG);
   cfg.hooks ??= {};
@@ -2325,7 +2678,7 @@ function selectRules(recommended, task, taskIntents) {
 // src/scanner/scan-project.ts
 import { readFile as readFile2 } from "fs/promises";
-import path19 from "path";
+import path20 from "path";
 // src/utils/audit-checks.ts
 function isRecord(v) {
@@ -2352,8 +2705,8 @@ function compareVersions(a, b) {
 }
 // src/scanner/detect-package-manager.ts
-import path16 from "path";
-import fs13 from "fs-extra";
+import path17 from "path";
+import fs14 from "fs-extra";
 function detectPackageManager(root, packageManagerField) {
   const field = String(packageManagerField ?? "").trim();
   if (field.startsWith("yarn@")) {
@@ -2371,9 +2724,9 @@ function detectPackageManager(root, packageManagerField) {
     if (satisfiesVersion(version, ">=9")) return "npm";
     return "unknown";
   }
-  if (fs13.existsSync(path16.join(root, "yarn.lock"))) return "yarn";
-  if (fs13.existsSync(path16.join(root, "pnpm-lock.yaml"))) return "pnpm";
-  if (fs13.existsSync(path16.join(root, "package-lock.json"))) return "npm";
+  if (fs14.existsSync(path17.join(root, "yarn.lock"))) return "yarn";
+  if (fs14.existsSync(path17.join(root, "pnpm-lock.yaml"))) return "pnpm";
+  if (fs14.existsSync(path17.join(root, "package-lock.json"))) return "npm";
   return "unknown";
 }
@@ -2570,7 +2923,7 @@ function runDetection(ctx, rules = STACK_RULES) {
 }
 // src/scanner/detection.ts
-import path17 from "path";
+import path18 from "path";
 var UNSUPPORTED_MARKERS = {
   "requirements.txt": "python",
   "pyproject.toml": "python",
@@ -2624,14 +2977,14 @@ function finalizeRoles(registryRoles, deps, files) {
 function collectUnsupportedSignals(files) {
   return [
     ...new Set(
-      files.map((f) => UNSUPPORTED_MARKERS[path17.basename(f)]).filter((s) => Boolean(s))
+      files.map((f) => UNSUPPORTED_MARKERS[path18.basename(f)]).filter((s) => Boolean(s))
     )
   ].sort();
 }
 // src/scanner/render.ts
 import { readFile } from "fs/promises";
-import path18 from "path";
+import path19 from "path";
 // src/scanner/role-labels.ts
 var ROLE_LABELS = {
@@ -2693,7 +3046,7 @@ async function buildContentBlob(root, files) {
   const slice = candidates.slice(0, 300);
   const parts = await mapWithConcurrency(slice, async (rel) => {
     try {
-      return await readFile(path18.join(root, rel), "utf8");
+      return await readFile(path19.join(root, rel), "utf8");
     } catch {
       return "";
     }
@@ -2791,8 +3144,8 @@ var SAFE_FILES = [
   "Gemfile"
 ];
 async function scanProject(root, mode = "fast") {
-  const pkg = await readJson(path19.join(root, "package.json"));
-  const composer = await readJson(path19.join(root, "composer.json"));
+  const pkg = await readJson(path20.join(root, "package.json"));
+  const composer = await readJson(path20.join(root, "composer.json"));
   const files = await listFiles(root, SAFE_FILES);
   const safeFiles = files.filter((f) => !blocked(f));
   const deps = dependencySet(pkg, composer);
@@ -2826,7 +3179,7 @@ async function scanProject(root, mode = "fast") {
     mode,
     generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
     root,
-    repoName: String(pkg?.name ?? path19.basename(root)),
+    repoName: String(pkg?.name ?? path20.basename(root)),
     packageManager,
     repoRoles: roles,
     detectedStacks: stacks,
@@ -2844,7 +3197,7 @@ async function scanProject(root, mode = "fast") {
   const scanHashes = Object.fromEntries(
     await mapWithConcurrency(
       safeFiles,
-      async (f) => [f, hashText(await readFile2(path19.join(root, f), "utf8"))]
+      async (f) => [f, hashText(await readFile2(path20.join(root, f), "utf8"))]
     )
   );
   const repoSummary = renderSummary(context);
@@ -2929,8 +3282,8 @@ async function runContext(options) {
 }
 // src/commands/doctor.ts
-import path20 from "path";
-import fs14 from "fs-extra";
+import path21 from "path";
+import fs15 from "fs-extra";
 // src/update/npm-version.ts
 var NPM_PACKAGE_NAME = "@haus-tech/haus-workflow";
@@ -3010,7 +3363,7 @@ async function runDoctor(options) {
     const enabled = await isHookEnabled(root, key);
     ok(`- HOOK ${key}: ${enabled ? "enabled" : "disabled (default)"}`);
   }
-  const rootClaudeMdPath = path20.join(root, "CLAUDE.md");
+  const rootClaudeMdPath = path21.join(root, "CLAUDE.md");
   const rootClaudeMdContent = await readText(rootClaudeMdPath);
   if (!rootClaudeMdContent) {
     flag(
@@ -3038,7 +3391,7 @@ async function runDoctor(options) {
       const block = rootClaudeMdContent.slice(beginIdx, endIdx + BLOCK_END.length);
       const importTargets = [...block.matchAll(/@\.haus-workflow\/(\S+)/g)].map((m) => m[1]);
       for (const target of importTargets) {
-        if (!await fs14.pathExists(hausPath(root, target))) {
+        if (!await fs15.pathExists(hausPath(root, target))) {
           flag(
             `- CLAUDE.md import: @.haus-workflow/${target} does not resolve (run \`haus apply --write\`)`,
             `A file CLAUDE.md links to (${target}) is missing, so part of the guidance won't load`,
@@ -3049,7 +3402,7 @@ async function runDoctor(options) {
     }
   }
   const workflowPath = hausPath(root, "WORKFLOW.md");
-  const workflowExists = await fs14.pathExists(workflowPath);
+  const workflowExists = await fs15.pathExists(workflowPath);
   if (!workflowExists) {
     flag(
       "- .haus-workflow/WORKFLOW.md: missing (run `haus apply --write`)",
@@ -3072,15 +3425,15 @@ async function runDoctor(options) {
           "haus apply --write --force"
         );
       } else {
-        const cachePath = path20.join(getCacheDir(), "templates/agentic-workflow-standard.md");
-        const bundledPath = path20.join(
+        const cachePath = path21.join(getCacheDir(), "templates/agentic-workflow-standard.md");
+        const bundledPath = path21.join(
           packageRoot(),
           "library",
           "global",
           "templates",
           "agentic-workflow-standard.md"
         );
-        const templatePath = await fs14.pathExists(cachePath) ? cachePath : bundledPath;
+        const templatePath = await fs15.pathExists(cachePath) ? cachePath : bundledPath;
         const templateContent = await readText(templatePath);
         if (storedHashMatch && templateContent) {
           const currentHash = hashText(normaliseLF(templateContent));
@@ -3100,7 +3453,7 @@ async function runDoctor(options) {
     }
   }
   const workflowConfigPath = hausPath(root, "workflow-config.md");
-  const workflowConfigExists = await fs14.pathExists(workflowConfigPath);
+  const workflowConfigExists = await fs15.pathExists(workflowConfigPath);
   if (!workflowConfigExists) {
     flag(
       "- .haus-workflow/workflow-config.md: missing (run `haus apply --write`)",
@@ -3108,7 +3461,7 @@ async function runDoctor(options) {
       "haus apply --write"
     );
   } else {
-    const cfg = await fs14.readFile(workflowConfigPath, "utf8");
+    const cfg = await fs15.readFile(workflowConfigPath, "utf8");
     const unfilled = cfg.split("\n").filter((l) => l.includes("<!-- fill in")).length;
     if (unfilled > 0) {
       flag(
@@ -3139,7 +3492,7 @@ async function runDoctor(options) {
       ok(`- CATALOG CACHE: OK (${cacheAgeDays}d old)`);
     }
   }
-  const pkgJson = await readJson(path20.join(packageRoot(), "package.json"));
+  const pkgJson = await readJson(path21.join(packageRoot(), "package.json"));
   const currentVersion = pkgJson?.version ?? "0.0.0";
   const npmStatus = await fetchNpmVersionStatus(currentVersion);
   if (npmStatus.updateAvailable && npmStatus.latest !== null) {
@@ -3225,15 +3578,16 @@ import { readFileSync as readFileSync2 } from "fs";
 // src/security/guard-bash.ts
 function guardBash(command) {
-  const matched = DANGEROUS_COMMANDS.find((token) => command.includes(token));
+  const matched = DENY_COMMANDS.find((token) => command.includes(token));
   if (matched) return `I didn't run that \u2014 it can permanently change or delete things: ${command}`;
   return void 0;
 }
 // src/security/guard-file-access.ts
 function guardFileAccess(candidate) {
-  const matched = SENSITIVE_PATHS.find((token) => candidate.includes(token.replace("*", "")));
-  if (matched) return `I didn't open ${candidate} \u2014 it looks like it holds secrets or sensitive data`;
+  const matched = DENY_PATHS.find((token) => candidate.includes(token.replace(/\*/g, "")));
+  if (matched)
+    return `I didn't open ${candidate} \u2014 it looks like it holds secrets or sensitive data`;
   return void 0;
 }
@@ -3282,8 +3636,8 @@ async function runGuard(kind, _options) {
 }
 // src/commands/init.ts
-import path21 from "path";
-import fs15 from "fs-extra";
+import path22 from "path";
+import fs16 from "fs-extra";
 // src/utils/prompts.ts
 import { stdin as input, stdout as output } from "process";
@@ -3644,8 +3998,8 @@ async function runSetupProject(options) {
 // src/commands/init.ts
 async function runInit(options) {
   const root = process.cwd();
-  const hausDir = path21.join(root, ".haus-workflow");
-  const alreadyInit = await fs15.pathExists(hausDir);
+  const hausDir = path22.join(root, ".haus-workflow");
+  const alreadyInit = await fs16.pathExists(hausDir);
   if (alreadyInit) {
     log("Haus AI already initialized in this project.");
     log("Run `haus setup-project` to reconfigure.");
@@ -3657,8 +4011,8 @@ async function runInit(options) {
 // src/install/apply.ts
 import crypto2 from "crypto";
-import path22 from "path";
-import fs16 from "fs-extra";
+import path23 from "path";
+import fs17 from "fs-extra";
 // src/install/header.ts
 var MD_PREFIX = "<!-- HAUS-MANAGED";
@@ -3746,40 +4100,40 @@ function hashContent(content2) {
 }
 function sourceVersion() {
   try {
-    const pkgPath = path22.join(packageRoot(), "package.json");
-    const pkg = JSON.parse(fs16.readFileSync(pkgPath, "utf8"));
+    const pkgPath = path23.join(packageRoot(), "package.json");
+    const pkg = JSON.parse(fs17.readFileSync(pkgPath, "utf8"));
     return `${pkg.name ?? "haus"}@${pkg.version ?? "0.0.0"}`;
   } catch {
     return "haus@0.0.0";
   }
 }
 function globalSrcDir() {
-  return path22.join(packageRoot(), "library", "global");
+  return path23.join(packageRoot(), "library", "global");
 }
 function collectSourceFiles(srcDir, claudeDir) {
   const entries = [];
-  const skillsDir = path22.join(srcDir, "skills");
-  if (fs16.pathExistsSync(skillsDir)) {
-    for (const skillName of fs16.readdirSync(skillsDir)) {
-      const skillFile = path22.join(skillsDir, skillName, "SKILL.md");
-      if (fs16.pathExistsSync(skillFile)) {
+  const skillsDir = path23.join(srcDir, "skills");
+  if (fs17.pathExistsSync(skillsDir)) {
+    for (const skillName of fs17.readdirSync(skillsDir)) {
+      const skillFile = path23.join(skillsDir, skillName, "SKILL.md");
+      if (fs17.pathExistsSync(skillFile)) {
         entries.push({
           stableId: `skill.${skillName}`,
-          srcRelPath: path22.join("library", "global", "skills", skillName, "SKILL.md"),
-          destPath: path22.join(claudeDir, "skills", skillName, "SKILL.md")
+          srcRelPath: path23.join("library", "global", "skills", skillName, "SKILL.md"),
+          destPath: path23.join(claudeDir, "skills", skillName, "SKILL.md")
         });
       }
     }
   }
-  const commandsDir = path22.join(srcDir, "commands");
-  if (fs16.pathExistsSync(commandsDir)) {
-    for (const fileName of fs16.readdirSync(commandsDir)) {
+  const commandsDir = path23.join(srcDir, "commands");
+  if (fs17.pathExistsSync(commandsDir)) {
+    for (const fileName of fs17.readdirSync(commandsDir)) {
       if (!fileName.endsWith(".md")) continue;
       const commandName = fileName.slice(0, -".md".length);
       entries.push({
         stableId: `command.${commandName}`,
-        srcRelPath: path22.join("library", "global", "commands", fileName),
-        destPath: path22.join(claudeDir, "commands", fileName)
+        srcRelPath: path23.join("library", "global", "commands", fileName),
+        destPath: path23.join(claudeDir, "commands", fileName)
       });
     }
   }
@@ -3803,7 +4157,7 @@ async function applyInstall(options = {}) {
   };
   const manifestFiles = [];
   for (const entry of sourceFiles) {
-    const srcPath = path22.join(packageRoot(), entry.srcRelPath);
+    const srcPath = path23.join(packageRoot(), entry.srcRelPath);
     const rawContent = await readText(srcPath);
     if (rawContent === void 0) {
       warn(`Source file not found: ${entry.srcRelPath}`);
@@ -3823,7 +4177,7 @@ async function applyInstall(options = {}) {
       }
       continue;
     }
-    const destExists = fs16.pathExistsSync(entry.destPath);
+    const destExists = fs17.pathExistsSync(entry.destPath);
     if (destExists) {
       const currentContent = await readText(entry.destPath);
       if (currentContent !== void 0) {
@@ -3859,24 +4213,25 @@ async function applyInstall(options = {}) {
       schemaVersion: SCHEMA_VERSION2
     });
   }
-  const fragmentPath = path22.join(srcDir, "settings-fragments", "hooks.json");
+  const fragmentPath = path23.join(srcDir, "settings-fragments", "hooks.json");
   const fragments = await loadHooksFragment(fragmentPath);
   const settings = await readSettings();
   const { settings: hookSettings, addedIds } = mergeHooks(settings, fragments);
   const { settings: deniedSettings } = mergeDenyRules(hookSettings, buildDenyRules());
-  const { settings: mergedSettings } = mergeAllowRules(deniedSettings, buildAllowRules());
+  const { settings: allowedSettings } = mergeAllowRules(deniedSettings, buildAllowRules());
+  const { settings: mergedSettings } = mergeAskRules(allowedSettings, buildAskRules());
   result.hookIds = addedIds;
   if (!check && existingManifest) {
     const currentDestPaths = new Set(sourceFiles.map((f) => f.destPath));
     for (const entry of existingManifest.files) {
       if (currentDestPaths.has(entry.destPath)) continue;
-      if (!fs16.pathExistsSync(entry.destPath)) continue;
+      if (!fs17.pathExistsSync(entry.destPath)) continue;
       const content2 = await readText(entry.destPath);
       if (!content2) continue;
       const hasHeader = parseMarkdownHeader(content2) !== void 0;
       const currentHash = hashContent(content2);
       if (hasHeader && currentHash === entry.hash) {
-        if (!dryRun) await fs16.remove(entry.destPath);
+        if (!dryRun) await fs17.remove(entry.destPath);
         result.deleted.push(entry.destPath);
       } else {
         warn(`Orphaned file ${entry.destPath} was user-modified \u2014 leaving in place`);
@@ -4003,15 +4358,14 @@ async function runScan(options) {
 }
 // src/commands/undo.ts
-import path23 from "path";
-import fs17 from "fs-extra";
+import path24 from "path";
+import fs18 from "fs-extra";
 // src/claude/managed-paths.ts
 var PROJECT_MANAGED_CLAUDE_REL = [
   "rules/haus.md",
   "rules/security.md",
-  "commands/haus-doctor.md",
-  "commands/haus-review.md"
+  "commands/haus-doctor.md"
 ];
 var PROJECT_MANAGED_HAUS_REL = [
   "selected-context.json",
@@ -4030,61 +4384,61 @@ async function collectManagedPaths(root) {
   const lock = await readJson(hausPath(root, "haus.lock.json"));
   for (const row of lock ?? []) {
     for (const rel of row.paths ?? []) {
-      paths.add(path23.resolve(root, rel));
+      paths.add(path24.resolve(root, rel));
     }
   }
   const existing = [];
   for (const abs of paths) {
-    if (await fs17.pathExists(abs)) existing.push(abs);
+    if (await fs18.pathExists(abs)) existing.push(abs);
   }
   return existing;
 }
 async function settingsHasHausContent(root) {
   const settingsPath = claudePath(root, "settings.json");
-  if (!await fs17.pathExists(settingsPath)) return false;
+  if (!await fs18.pathExists(settingsPath)) return false;
   const settings = await readProjectSettings(root);
   return settings._haus != null;
 }
 async function claudeMdHasHausBlock(root) {
-  const filePath = path23.join(root, "CLAUDE.md");
-  if (!await fs17.pathExists(filePath)) return false;
-  const text = await fs17.readFile(filePath, "utf8");
+  const filePath = path24.join(root, "CLAUDE.md");
+  if (!await fs18.pathExists(filePath)) return false;
+  const text = await fs18.readFile(filePath, "utf8");
   return text.includes(BLOCK_BEGIN);
 }
 async function stripProjectSettings(root) {
   const settingsPath = claudePath(root, "settings.json");
-  if (!await fs17.pathExists(settingsPath)) return false;
+  if (!await fs18.pathExists(settingsPath)) return false;
   let settings = await readProjectSettings(root);
-  settings = stripHausAllow(stripHausDeny(stripHausHooks(settings)));
+  settings = stripHausHooks(stripHausAsk(stripHausAllow(stripHausDeny(settings))));
   const hasContent = Object.keys(settings).length > 0;
   if (hasContent) {
     await writeProjectSettings(root, settings);
-    log(`Stripped haus rules from ${path23.relative(root, settingsPath)} (user settings preserved).`);
+    log(`Stripped haus rules from ${path24.relative(root, settingsPath)} (user settings preserved).`);
     return true;
   }
-  await fs17.remove(settingsPath);
-  log(`Removed ${path23.relative(root, settingsPath)} (no user-owned settings remained).`);
+  await fs18.remove(settingsPath);
+  log(`Removed ${path24.relative(root, settingsPath)} (no user-owned settings remained).`);
   return true;
 }
 async function stripRootClaudeMd(root) {
-  const filePath = path23.join(root, "CLAUDE.md");
-  if (!await fs17.pathExists(filePath)) return false;
-  const prev = await fs17.readFile(filePath, "utf8");
+  const filePath = path24.join(root, "CLAUDE.md");
+  if (!await fs18.pathExists(filePath)) return false;
+  const prev = await fs18.readFile(filePath, "utf8");
   if (!prev.includes(BLOCK_BEGIN)) return false;
   const next = stripHausBlock(prev);
   if (next.length === 0) {
-    await fs17.remove(filePath);
+    await fs18.remove(filePath);
     log("Removed CLAUDE.md (only contained haus import block).");
   } else {
-    await fs17.writeFile(filePath, next, "utf8");
+    await fs18.writeFile(filePath, next, "utf8");
     log("Removed haus import block from CLAUDE.md (user content preserved).");
   }
   return true;
 }
 async function pruneDirIfEmpty(dir) {
-  if (!await fs17.pathExists(dir)) return;
-  const entries = await fs17.readdir(dir);
-  if (entries.length === 0) await fs17.remove(dir);
+  if (!await fs18.pathExists(dir)) return;
+  const entries = await fs18.readdir(dir);
+  if (entries.length === 0) await fs18.remove(dir);
 }
 async function runUndo(options) {
   const root = process.cwd();
@@ -4095,7 +4449,7 @@ async function runUndo(options) {
     log("Nothing to remove: no haus-managed files found in this directory.");
     return;
   }
-  const relTargets = managed.map((p) => path23.relative(root, p));
+  const relTargets = managed.map((p) => path24.relative(root, p));
   const summaryParts = [...relTargets];
   if (stripSettings) summaryParts.push(".claude/settings.json (haus rules only)");
   if (stripClaudeMd) summaryParts.push("CLAUDE.md (haus import block only)");
@@ -4111,9 +4465,9 @@ User-owned .claude/ files will be preserved.`
     }
   }
   for (const abs of managed) {
-    if (!await fs17.pathExists(abs)) continue;
-    await fs17.remove(abs);
-    log(`Removed ${path23.relative(root, abs)}`);
+    if (!await fs18.pathExists(abs)) continue;
+    await fs18.remove(abs);
+    log(`Removed ${path24.relative(root, abs)}`);
   }
   if (stripSettings) await stripProjectSettings(root);
   if (stripClaudeMd) await stripRootClaudeMd(root);
@@ -4124,8 +4478,8 @@ User-owned .claude/ files will be preserved.`
 // src/install/uninstall.ts
 import crypto3 from "crypto";
-import path24 from "path";
-import fs18 from "fs-extra";
+import path25 from "path";
+import fs19 from "fs-extra";
 async function runUninstall(options = {}) {
   const { force = false } = options;
   const manifest = await readManifest();
@@ -4135,7 +4489,7 @@ async function runUninstall(options = {}) {
     return result;
   }
   for (const entry of manifest.files) {
-    const exists = fs18.pathExistsSync(entry.destPath);
+    const exists = fs19.pathExistsSync(entry.destPath);
     if (!exists) continue;
     const content2 = await readText(entry.destPath);
     if (content2 === void 0) continue;
@@ -4153,22 +4507,22 @@ async function runUninstall(options = {}) {
       result.skipped.push(entry.destPath);
       continue;
     }
-    await fs18.remove(entry.destPath);
-    await pruneEmptyDir(path24.dirname(entry.destPath));
+    await fs19.remove(entry.destPath);
+    await pruneEmptyDir(path25.dirname(entry.destPath));
     result.deleted.push(entry.destPath);
   }
   const settings = await readSettings();
-  const stripped = stripHausHooks(stripHausAllow(stripHausDeny(settings)));
+  const stripped = stripHausHooks(stripHausAsk(stripHausAllow(stripHausDeny(settings))));
   await writeSettings(stripped);
   result.hooksStripped = true;
-  const hausDir = path24.join(globalClaudeDir(), "haus");
+  const hausDir = path25.join(globalClaudeDir(), "haus");
   const manifestPath2 = hausManifestPath();
-  if (fs18.pathExistsSync(manifestPath2)) {
-    await fs18.remove(manifestPath2);
+  if (fs19.pathExistsSync(manifestPath2)) {
+    await fs19.remove(manifestPath2);
   }
-  if (fs18.pathExistsSync(hausDir)) {
-    const remaining = await fs18.readdir(hausDir);
-    if (remaining.length === 0) await fs18.remove(hausDir);
+  if (fs19.pathExistsSync(hausDir)) {
+    const remaining = await fs19.readdir(hausDir);
+    if (remaining.length === 0) await fs19.remove(hausDir);
   }
   return result;
 }
@@ -4199,7 +4553,7 @@ async function runUninstallCommand(options) {
 }
 // src/commands/update.ts
-import path26 from "path";
+import path27 from "path";
 // src/update/diff-generated-files.ts
 function diffGeneratedFiles() {
@@ -4226,7 +4580,7 @@ function summarizeLockDiff(before, after) {
 // src/update/lockfile.ts
 import { mkdir, readFile as readFile3, copyFile } from "fs/promises";
-import path25 from "path";
+import path26 from "path";
 async function checkLock(root) {
   const lock = await readJson(hausPath(root, "haus.lock.json")) ?? [];
   const hasValidVersions = lock.every(
@@ -4257,7 +4611,7 @@ async function applyLock(root) {
   try {
     const backupDir = hausPath(root, "backups");
     await mkdir(backupDir, { recursive: true });
-    await copyFile(lockPath, path25.join(backupDir, `haus.lock.${Date.now()}.json`));
+    await copyFile(lockPath, path26.join(backupDir, `haus.lock.${Date.now()}.json`));
   } catch {
   }
   const enriched = await Promise.all(
@@ -4279,7 +4633,7 @@ function diffLock(before, after) {
 }
 async function hasLocalOverrides(root) {
   try {
-    await readFile3(path25.join(root, ".claude", "settings.json"), "utf8");
+    await readFile3(path26.join(root, ".claude", "settings.json"), "utf8");
     return true;
   } catch {
     return false;
@@ -4291,7 +4645,7 @@ var NPM_PACKAGE_NAME2 = "@haus-tech/haus-workflow";
 async function runUpdate(options) {
   const root = process.cwd();
   if (options.check) {
-    const pkgJson2 = await readJson(path26.join(packageRoot(), "package.json"));
+    const pkgJson2 = await readJson(path27.join(packageRoot(), "package.json"));
     const currentVersion2 = pkgJson2?.version ?? "0.0.0";
     const [status, npmVersion, latestCatalogTag, globalInstallDrift] = await Promise.all([
       checkLock(root),
@@ -4321,7 +4675,7 @@ async function runUpdate(options) {
     if (status.driftCount > 0) process.exitCode = 1;
     return;
   }
-  const pkgJson = await readJson(path26.join(packageRoot(), "package.json"));
+  const pkgJson = await readJson(path27.join(packageRoot(), "package.json"));
   const currentVersion = pkgJson?.version ?? "0.0.0";
   const npmStatus = await fetchNpmVersionStatus(currentVersion);
   if (npmStatus.updateAvailable && npmStatus.latest !== null) {
@@ -4398,8 +4752,8 @@ async function detectGlobalInstallDrift() {
 }
 // src/commands/validate-catalog.ts
-import fs19 from "fs";
-import path27 from "path";
+import fs20 from "fs";
+import path28 from "path";
 function auditForbiddenStacks(items) {
   const failures = [];
   for (const item of items) {
@@ -4476,40 +4830,40 @@ function auditShippedFiles(manifestDir, items) {
   const failures = [];
   for (const item of items) {
     if (!item.path) continue;
-    const absPath = path27.join(manifestDir, item.path);
+    const absPath = path28.join(manifestDir, item.path);
     if (item.type === "skill") {
-      const skillMd = path27.join(absPath, "SKILL.md");
-      if (!fs19.existsSync(skillMd)) {
-        failures.push(`${item.id}: missing ${path27.relative(manifestDir, skillMd)}`);
+      const skillMd = path28.join(absPath, "SKILL.md");
+      if (!fs20.existsSync(skillMd)) {
+        failures.push(`${item.id}: missing ${path28.relative(manifestDir, skillMd)}`);
         continue;
       }
-      const text = fs19.readFileSync(skillMd, "utf8");
+      const text = fs20.readFileSync(skillMd, "utf8");
       failures.push(...checkRequiredFrontmatter(text, `${item.id}: SKILL.md`));
       failures.push(
-        ...auditForbiddenTagsInText(text, `${item.id}: ${path27.relative(manifestDir, skillMd)}`)
+        ...auditForbiddenTagsInText(text, `${item.id}: ${path28.relative(manifestDir, skillMd)}`)
       );
     } else if (item.type === "agent") {
-      if (!fs19.existsSync(absPath)) {
+      if (!fs20.existsSync(absPath)) {
         failures.push(`${item.id}: missing agent file ${item.path}`);
         continue;
       }
-      const text = fs19.readFileSync(absPath, "utf8");
-      const rel = path27.relative(manifestDir, absPath);
+      const text = fs20.readFileSync(absPath, "utf8");
+      const rel = path28.relative(manifestDir, absPath);
       failures.push(...checkRequiredFrontmatter(text, `${item.id}: ${rel}`));
       failures.push(...auditForbiddenTagsInText(text, `${item.id}: ${rel}`));
     } else if (item.type === "template") {
-      if (!fs19.existsSync(absPath)) {
+      if (!fs20.existsSync(absPath)) {
         failures.push(`${item.id}: missing template file ${item.path}`);
         continue;
       }
       failures.push(...auditTemplateContent(manifestDir, absPath, item.id));
     } else if (item.type === "command") {
-      if (!fs19.existsSync(absPath)) {
+      if (!fs20.existsSync(absPath)) {
         failures.push(`${item.id}: missing command file ${item.path}`);
         continue;
       }
-      const text = fs19.readFileSync(absPath, "utf8");
-      const rel = path27.relative(manifestDir, absPath);
+      const text = fs20.readFileSync(absPath, "utf8");
+      const rel = path28.relative(manifestDir, absPath);
       failures.push(...checkRequiredFrontmatter(text, `${item.id}: ${rel}`));
       failures.push(...auditTemplateContent(manifestDir, absPath, item.id));
     }
@@ -4517,8 +4871,8 @@ function auditShippedFiles(manifestDir, items) {
   return failures;
 }
 function auditTemplateContent(manifestDir, absPath, itemId) {
-  const rel = path27.relative(manifestDir, absPath);
-  const text = fs19.readFileSync(absPath, "utf8");
+  const rel = path28.relative(manifestDir, absPath);
+  const text = fs20.readFileSync(absPath, "utf8");
   const failures = [];
   const lines = text.split(/\r?\n/);
   for (let i = 0; i < lines.length; i++) {
@@ -4540,11 +4894,11 @@ function auditMarkdownContent(manifestDir) {
   const failures = [];
   const dirs = ["skills", "agents", "templates", "commands"];
   for (const dir of dirs) {
-    const abs = path27.join(manifestDir, dir);
-    if (!fs19.existsSync(abs)) continue;
+    const abs = path28.join(manifestDir, dir);
+    if (!fs20.existsSync(abs)) continue;
     walkMd(abs, (file) => {
-      const text = fs19.readFileSync(file, "utf8");
-      const rel = path27.relative(manifestDir, file);
+      const text = fs20.readFileSync(file, "utf8");
+      const rel = path28.relative(manifestDir, file);
       const lines = text.split(/\r?\n/);
       for (let i = 0; i < lines.length; i++) {
         const line2 = lines[i] ?? "";
@@ -4563,8 +4917,8 @@ function auditMarkdownContent(manifestDir) {
   return failures;
 }
 function walkMd(dir, fn) {
-  for (const entry of fs19.readdirSync(dir, { withFileTypes: true })) {
-    const full = path27.join(dir, entry.name);
+  for (const entry of fs20.readdirSync(dir, { withFileTypes: true })) {
+    const full = path28.join(dir, entry.name);
     if (entry.isDirectory()) walkMd(full, fn);
     else if (entry.name.endsWith(".md")) fn(full);
   }
@@ -4575,8 +4929,8 @@ async function runValidateCatalog(manifestPath2) {
     process.exitCode = 1;
     return;
   }
-  const abs = path27.resolve(process.cwd(), manifestPath2);
-  const manifestDir = path27.dirname(abs);
+  const abs = path28.resolve(process.cwd(), manifestPath2);
+  const manifestDir = path28.dirname(abs);
   const data = await readJson(abs);
   if (!data?.items) {
     error(`Could not read catalog manifest at ${abs}`);
@@ -4606,7 +4960,7 @@ async function runValidateCatalog(manifestPath2) {
 // src/commands/workspace.ts
 import { existsSync as existsSync5, statSync as statSync2 } from "fs";
-import path34 from "path";
+import path35 from "path";
 // src/commands/workspace/aggregate.ts
 async function writeWorkspaceArtifacts(workspaceRoot, repos, relationships = []) {
@@ -4660,7 +5014,7 @@ ${summaries.map(
 }
 // src/commands/workspace/config.ts
-import path28 from "path";
+import path29 from "path";
 import YAML from "yaml";
 var WORKSPACE_FILE = "haus.workspace.yaml";
 function parseWorkspaceConfig(text) {
@@ -4683,12 +5037,12 @@ function parseWorkspaceConfig(text) {
   };
 }
 async function readWorkspaceConfig(workspaceRoot) {
-  return parseWorkspaceConfig(await readText(path28.join(workspaceRoot, WORKSPACE_FILE)));
+  return parseWorkspaceConfig(await readText(path29.join(workspaceRoot, WORKSPACE_FILE)));
 }
 // src/commands/workspace/discover.ts
-import path29 from "path";
-import fg3 from "fast-glob";
+import path30 from "path";
+import fg4 from "fast-glob";
 import YAML2 from "yaml";
 var DEFAULT_MAX_DEPTH = 3;
 var REPO_MARKERS = ["**/.git", "**/package.json", "**/composer.json"];
@@ -4704,7 +5058,7 @@ function isDescendant(child, ancestor) {
   return child === ancestor ? false : child.startsWith(`${ancestor}/`);
 }
 async function discoverRepos(workspaceRoot, maxDepth = DEFAULT_MAX_DEPTH) {
-  const matches = await fg3(REPO_MARKERS, {
+  const matches = await fg4(REPO_MARKERS, {
     cwd: workspaceRoot,
     dot: true,
     onlyFiles: false,
@@ -4715,8 +5069,8 @@ async function discoverRepos(workspaceRoot, maxDepth = DEFAULT_MAX_DEPTH) {
   const gitDirs = /* @__PURE__ */ new Set();
   const manifestDirs = /* @__PURE__ */ new Set();
   for (const match of matches) {
-    const base = path29.posix.basename(match);
-    const dir = path29.posix.dirname(match);
+    const base = path30.posix.basename(match);
+    const dir = path30.posix.dirname(match);
     const owner = dir === "." ? "." : dir;
     if (base === ".git") gitDirs.add(owner);
     else manifestDirs.add(owner);
@@ -4732,9 +5086,9 @@ async function discoverRepos(workspaceRoot, maxDepth = DEFAULT_MAX_DEPTH) {
   }
   repoRoots.sort((a, b) => a.localeCompare(b));
   return mapWithConcurrency(repoRoots, async (relDir) => {
-    const absDir = path29.resolve(workspaceRoot, relDir);
-    const pkg = await readJson(path29.join(absDir, "package.json"));
-    const name = typeof pkg?.name === "string" && pkg.name.length > 0 ? pkg.name : path29.basename(relDir === "." ? workspaceRoot : absDir);
+    const absDir = path30.resolve(workspaceRoot, relDir);
+    const pkg = await readJson(path30.join(absDir, "package.json"));
+    const name = typeof pkg?.name === "string" && pkg.name.length > 0 ? pkg.name : path30.basename(relDir === "." ? workspaceRoot : absDir);
     let role = "auto";
     try {
       const scan = await scanProject(absDir, "fast");
@@ -4777,7 +5131,7 @@ function renderWorkspaceYaml(config2) {
   });
 }
 async function runDiscover(workspaceRoot, opts = {}) {
-  const yamlPath = path29.join(workspaceRoot, "haus.workspace.yaml");
+  const yamlPath = path30.join(workspaceRoot, "haus.workspace.yaml");
   const existingText = await readText(yamlPath);
   const existing = parseWorkspaceConfig(existingText);
   if (existingText && !existing) {
@@ -4811,18 +5165,18 @@ async function runDiscover(workspaceRoot, opts = {}) {
 // src/commands/workspace/doctor.ts
 import { existsSync as existsSync3 } from "fs";
-import path31 from "path";
+import path32 from "path";
 // src/commands/workspace/manifest.ts
 import { readFileSync as readFileSync3 } from "fs";
-import path30 from "path";
+import path31 from "path";
 var MANIFEST_FILE = "workspace.manifest.json";
 function manifestPath(workspaceRoot) {
   return hausPath(workspaceRoot, MANIFEST_FILE);
 }
 function hausVersion() {
   try {
-    const pkg = JSON.parse(readFileSync3(path30.join(packageRoot(), "package.json"), "utf8"));
+    const pkg = JSON.parse(readFileSync3(path31.join(packageRoot(), "package.json"), "utf8"));
     return pkg.version ?? "0.0.0";
   } catch {
     return "0.0.0";
@@ -4888,7 +5242,7 @@ async function runWorkspaceDoctor(workspaceRoot, opts = {}) {
   }
   const manifestByName = new Map(manifest.repos.map((r) => [r.name, r]));
   for (const repo of config2.repos) {
-    const repoRoot = path31.resolve(workspaceRoot, repo.path);
+    const repoRoot = path32.resolve(workspaceRoot, repo.path);
     const entry = manifestByName.get(repo.name);
     if (!entry) {
       flag({
@@ -4962,11 +5316,11 @@ function emit(args) {
 // src/commands/workspace/setup.ts
 import { existsSync as existsSync4, statSync } from "fs";
-import path33 from "path";
+import path34 from "path";
 // src/claude/write-workspace-claude-md.ts
-import path32 from "path";
-import fs20 from "fs-extra";
+import path33 from "path";
+import fs21 from "fs-extra";
 function buildWorkspaceImportBlock(client, members) {
   const memberLines = members.map((m) => `- ${m.name} (${m.path})`);
   const body = [
@@ -4984,8 +5338,8 @@ ${BLOCK_END}`;
 async function writeWorkspaceClaudeMd(workspaceRoot, opts) {
   const block = buildWorkspaceImportBlock(opts.client, opts.members);
   const dryRun = opts.dryRun ?? false;
-  const filePath = opts.collision ? hausPath(workspaceRoot, "WORKSPACE.md") : path32.join(workspaceRoot, "CLAUDE.md");
-  const prev = await fs20.pathExists(filePath) ? await fs20.readFile(filePath, "utf8") : "";
+  const filePath = opts.collision ? hausPath(workspaceRoot, "WORKSPACE.md") : path33.join(workspaceRoot, "CLAUDE.md");
+  const prev = await fs21.pathExists(filePath) ? await fs21.readFile(filePath, "utf8") : "";
   const next = opts.collision ? `${block}
 ` : injectHausBlock(prev, block);
   const printable = displayPath(workspaceRoot, filePath);
@@ -5010,21 +5364,21 @@ async function writeWorkspaceClaudeMd(workspaceRoot, opts) {
 // src/commands/workspace/setup.ts
 function resolveWorkspaceRoot(start = process.cwd()) {
-  let dir = path33.resolve(start);
+  let dir = path34.resolve(start);
   for (; ; ) {
-    if (existsSync4(path33.join(dir, WORKSPACE_FILE))) return dir;
-    const parent = path33.dirname(dir);
-    if (parent === dir) return path33.resolve(start);
+    if (existsSync4(path34.join(dir, WORKSPACE_FILE))) return dir;
+    const parent = path34.dirname(dir);
+    if (parent === dir) return path34.resolve(start);
     dir = parent;
   }
 }
 function isRootRepo(workspaceRoot, repoPath) {
-  return path33.resolve(workspaceRoot, repoPath) === path33.resolve(workspaceRoot);
+  return path34.resolve(workspaceRoot, repoPath) === path34.resolve(workspaceRoot);
 }
 async function runWorkspaceSetup(workspaceRoot, options = {}) {
   const mode = options.mode ?? "fast";
   const apply = options.write ?? false;
-  const configText = await readText(path33.join(workspaceRoot, WORKSPACE_FILE));
+  const configText = await readText(path34.join(workspaceRoot, WORKSPACE_FILE));
   if (!configText) {
     error(`Missing ${WORKSPACE_FILE}. Run \`haus workspace discover\` or \`init\` first.`);
     process.exitCode = 1;
@@ -5041,7 +5395,7 @@ async function runWorkspaceSetup(workspaceRoot, options = {}) {
   const statuses = [];
   const aggregateInputs = [];
   for (const repo of repos) {
-    const repoRoot = path33.resolve(workspaceRoot, repo.path);
+    const repoRoot = path34.resolve(workspaceRoot, repo.path);
     log(`
 \u2192 ${repo.name} (${repo.path})`);
     try {
@@ -5110,7 +5464,7 @@ async function runWorkspaceSetup(workspaceRoot, options = {}) {
       const status = statusByName.get(repo.name);
       const role = repo.role ?? status?.roles?.[0] ?? "auto";
       if (status?.status === "ok") {
-        const lock = await checkLock(path33.resolve(workspaceRoot, repo.path));
+        const lock = await checkLock(path34.resolve(workspaceRoot, repo.path));
         manifestRepos.push({
           name: repo.name,
           path: repo.path,
@@ -5190,7 +5544,7 @@ relationships: []
   log("Workspace initialized.");
 }
 async function scanWorkspace(workspaceRoot, opts) {
-  const configText = await readText(path34.join(workspaceRoot, WORKSPACE_FILE));
+  const configText = await readText(path35.join(workspaceRoot, WORKSPACE_FILE));
   if (!configText) {
     error(`Missing ${WORKSPACE_FILE}. Run \`haus workspace discover\` or \`init\` first.`);
     process.exitCode = 1;
@@ -5211,7 +5565,7 @@ async function scanWorkspace(workspaceRoot, opts) {
   }
   const inputs = [];
   for (const repo of config2.repos) {
-    const repoRoot = path34.resolve(workspaceRoot, repo.path);
+    const repoRoot = path35.resolve(workspaceRoot, repo.path);
     if (!existsSync5(repoRoot) || !statSync2(repoRoot).isDirectory()) {
       throw new Error(`Repo path is not a directory: ${repo.path}`);
     }
@@ -5262,7 +5616,7 @@ async function runWorkspace(action, options = {}) {
 // src/cli.ts
 function cliVersion() {
   try {
-    const pkgPath = path35.join(packageRoot(), "package.json");
+    const pkgPath = path36.join(packageRoot(), "package.json");
     const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
     return pkg.version ?? "0.0.0";
   } catch {
@@ -5272,7 +5626,7 @@ function cliVersion() {
 var program = new Command();
 function validateRuntimeNodeVersion() {
   try {
-    const pkgPath = path35.join(packageRoot(), "package.json");
+    const pkgPath = path36.join(packageRoot(), "package.json");
     const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
     const requiredRange = pkg.engines?.node;
     if (requiredRange && !satisfiesVersion(process.version, requiredRange)) {