@nathapp/nax 0.18.5 → 0.19.0

package/.gitlab-ci.yml

@@ -17,7 +17,7 @@ test:
   stage: test
   image: 
     name: nathapp/node-bun:22.21.0-1.3.9-alpine
-    pull_policy: if-not-present
+    pull_policy: always
   before_script:
     - apk add --no-cache git 
     - git config --global safe.directory '*'
@@ -47,7 +47,7 @@ release:
   stage: release
   image: 
     name: nathapp/node-bun:22.21.0-1.3.9-alpine
-    pull_policy: if-not-present
+    pull_policy: always
   cache:
     key:
       files:
@@ -86,7 +86,7 @@ notify:
   stage: notify
   image: 
     name: registry-intl.cn-hongkong.aliyuncs.com/gkci/node:22.14.0-alpine-ci
-    pull_policy: if-not-present
+    pull_policy: always
   needs: [release]
   script:
     - VERSION=$(node -e "console.log(require('./package.json').version)")

package/CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.18.6] - 2026-03-04
+
+### Fixed
+- **BUG-2:** Infinite PTY respawn loop in `usePty` hook by destructuring object-identity dependencies.
+- **MEM-1 & MEM-3:** Prevented child process hangs on full `stderr` pipes by switching to `stderr: "inherit"`.
+- **BUG-21 & BUG-22:** Added missing error handling and `.catch()` chains to process `stdout` streaming and exit handlers.
+
 ## [0.18.5] - 2026-03-04
 
 ### Changed

package/docs/ROADMAP.md

@@ -134,7 +134,7 @@
 
 ---
 
-## v0.19.0 — Verification Architecture v2
+## v0.19.0 — Hardening & Compliance
 
 **Theme:** Eliminate duplicate test runs, deferred regression gate, structured escalation context
 **Status:** 🔲 Planned
@@ -166,6 +166,7 @@
 | Version | Theme | Date | Details |
 |:---|:---|:---|:---|
 | v0.18.1 | Type Safety + CI Pipeline | 2026-03-03 | 60 TS errors + 12 lint errors fixed, GitLab CI green (1952/56/0) |
+| v0.19.0 | Hardening & Compliance | TBD | SEC-1 to SEC-5, BUG-1, Node.js API removal, _deps rollout |
 | v0.18.5 | Bun PTY Migration | 2026-03-04 | BUN-001: node-pty → Bun.spawn, CI cleanup, flaky test fix |
 | v0.18.4 | Routing Stability | 2026-03-04 | BUG-031 keyword drift, BUG-033 LLM retry, pre-commit hook |
 | v0.18.3 | Execution Reliability + Smart Runner | 2026-03-04 | BUG-026/028/029/030/032 + SFC-001/002 + STR-007, all items complete |

package/nax/features/nax-compliance/prd.json

@@ -0,0 +1,52 @@
+{
+  "project": "@nathapp/nax",
+  "feature": "nax-compliance",
+  "branchName": "feat/v0.19.0-sec",
+  "createdAt": "2026-03-05T02:37:00Z",
+  "updatedAt": "2026-03-05T02:38:46.450Z",
+  "userStories": [
+    {
+      "id": "US-001",
+      "title": "Node.js API Removal",
+      "description": "Replace all forbidden Node.js APIs (readFileSync, appendFileSync, existsSync, setTimeout) with Bun-native equivalents (Bun.file().text(), Bun.write, Bun.file().exists(), Bun.sleep) across the codebase as per the v0.19.0 roadmap. Refer to .claude/rules/04-forbidden-patterns.md.",
+      "acceptanceCriteria": [
+        "No occurrences of readFileSync or appendFileSync remain in src/",
+        "No occurrences of existsSync remain in src/ (unless performance critical)",
+        "No occurrences of setTimeout remain in src/",
+        "Codebase passes typecheck and lint after changes"
+      ],
+      "status": "failed",
+      "passes": false,
+      "attempts": 1,
+      "routing": {
+        "complexity": "simple",
+        "modelTier": "powerful",
+        "testStrategy": "test-after"
+      },
+      "priorErrors": [
+        "Attempt 1 failed with model tier: fast: Stage requested escalation to higher tier",
+        "Attempt 1 failed with model tier: balanced: Stage requested escalation to higher tier"
+      ],
+      "priorFailures": [
+        {
+          "attempt": 1,
+          "modelTier": "fast",
+          "stage": "escalation",
+          "summary": "Failed with tier fast, escalating to next tier",
+          "timestamp": "2026-03-05T02:37:41.586Z"
+        },
+        {
+          "attempt": 1,
+          "modelTier": "balanced",
+          "stage": "escalation",
+          "summary": "Failed with tier balanced, escalating to next tier",
+          "timestamp": "2026-03-05T02:38:14.713Z"
+        }
+      ],
+      "escalations": [],
+      "dependencies": [],
+      "tags": [],
+      "storyPoints": 1
+    }
+  ]
+}

package/nax/features/nax-compliance/progress.txt

@@ -0,0 +1 @@
+[2026-03-05T02:38:46.450Z] US-001 — FAILED — Node.js API Removal — Execution failed

package/nax/features/v0.19.0-hardening/plan.md

@@ -0,0 +1,7 @@
+# Plan: v0.19.0-hardening
+
+## Architecture
+
+## Phases
+
+## Dependencies

package/nax/features/v0.19.0-hardening/prd.json

@@ -0,0 +1,84 @@
+{
+  "project": "@nathapp/nax",
+  "feature": "v0.19.0-hardening",
+  "branchName": "feat/v0.19.0-sec",
+  "createdAt": "2026-03-05T02:58:00Z",
+  "updatedAt": "2026-03-05T03:13:29.408Z",
+  "userStories": [
+    {
+      "id": "US-001",
+      "title": "Security P0 Hardening",
+      "description": "Implement path validation for loaders (SEC-1, SEC-2), fix shell injection vectors (SEC-3, SEC-4), and respect dangerouslySkipPermissions config (SEC-5).",
+      "status": "passed",
+      "passes": true,
+      "attempts": 1,
+      "priorErrors": [],
+      "priorFailures": [],
+      "escalations": [],
+      "dependencies": [],
+      "tags": [],
+      "acceptanceCriteria": [],
+      "storyPoints": 1
+    },
+    {
+      "id": "US-002",
+      "title": "BUG-1 Parallel Race Condition",
+      "description": "Replace Promise.race loop with proper concurrency control in parallel executor.",
+      "status": "passed",
+      "passes": true,
+      "attempts": 1,
+      "priorErrors": [],
+      "priorFailures": [],
+      "escalations": [],
+      "dependencies": [],
+      "tags": [],
+      "acceptanceCriteria": [],
+      "storyPoints": 1
+    },
+    {
+      "id": "US-003",
+      "title": "Node.js API Removal",
+      "description": "Replace readFileSync, appendFileSync, existsSync, and setTimeout with Bun-native equivalents.",
+      "status": "passed",
+      "passes": true,
+      "attempts": 1,
+      "priorErrors": [],
+      "priorFailures": [],
+      "escalations": [],
+      "dependencies": [],
+      "tags": [],
+      "acceptanceCriteria": [],
+      "storyPoints": 1
+    },
+    {
+      "id": "US-004",
+      "title": "Type Fixes (v0.19.0)",
+      "description": "Fix the 18 type errors introduced during the Node.js API removal and security hardening in the src/ directory. Ensure all Bun-native APIs (Bun.file, Bun.write) are used correctly with valid types. Fix variable scopes and missing imports.",
+      "status": "failed",
+      "passes": false,
+      "attempts": 1,
+      "routing": {
+        "complexity": "medium",
+        "modelTier": "powerful",
+        "testStrategy": "test-after"
+      },
+      "priorErrors": [
+        "Attempt 1 failed with model tier: balanced: Stage requested escalation to higher tier"
+      ],
+      "priorFailures": [
+        {
+          "attempt": 1,
+          "modelTier": "balanced",
+          "stage": "escalation",
+          "summary": "Failed with tier balanced, escalating to next tier",
+          "timestamp": "2026-03-05T03:12:59.254Z"
+        }
+      ],
+      "escalations": [],
+      "dependencies": [],
+      "tags": [],
+      "acceptanceCriteria": [],
+      "storyPoints": 1
+    }
+  ]
+}

package/nax/features/v0.19.0-hardening/progress.txt

@@ -0,0 +1,7 @@
+# Progress: v0.19.0-hardening
+
+Created: 2026-03-05T02:58:51.347Z
+
+---
+[2026-03-05T03:01:55.028Z] US-003 — FAILED — Node.js API Removal — Execution failed
+[2026-03-05T03:13:29.408Z] US-004 — FAILED — Type Fixes (v0.19.0) — Execution failed

package/nax/features/v0.19.0-hardening/spec.md

@@ -0,0 +1,18 @@
+# v0.19.0 Hardening & Compliance
+
+Address Security, Reliability, and Technical Debt findings from the 2026-03-04 audit.
+
+## Goals
+- SEC-1 to SEC-5: Complete security hardening (RCE, Shell, Permissions).
+- BUG-1: Fix parallel concurrency race condition.
+- BUG-3, BUG-5, MEM-2: Reliability fixes (metrics, mutation, memory leak).
+- Technical Debt: Replace forbidden Node.js APIs (readFileSync, etc.) with Bun-native equivalents.
+- Architecture: Split 400-line files and cleanup dead code.
+
+## Acceptance Criteria
+- SEC-1/2: Dynamic imports restricted to allowed roots.
+- SEC-3/4: Shell injection via backticks/dollar-signs blocked.
+- SEC-5: --dangerously-skip-permissions respects config.
+- BUG-1: Parallel execution respects maxConcurrency exactly.
+- Node.js APIs: All readFileSync/appendFileSync/setTimeout replaced with Bun equivalents.
+- Files: cli/config.ts split below 400 lines.

package/nax/features/v0.19.0-hardening/tasks.md

@@ -0,0 +1,8 @@
+# Tasks: v0.19.0-hardening
+
+## US-001: [Title]
+
+### Description
+
+### Acceptance Criteria
+- [ ] Criterion 1

package/nax/status.json

@@ -0,0 +1,27 @@
+{
+  "version": 1,
+  "run": {
+    "id": "run-2026-03-05T02-37-04-540Z",
+    "feature": "nax-compliance",
+    "startedAt": "2026-03-05T02:37:04.540Z",
+    "status": "stalled",
+    "dryRun": false,
+    "pid": 814245
+  },
+  "progress": {
+    "total": 1,
+    "passed": 0,
+    "failed": 1,
+    "paused": 0,
+    "blocked": 0,
+    "pending": 0
+  },
+  "cost": {
+    "spent": 0,
+    "limit": 8
+  },
+  "current": null,
+  "iterations": 3,
+  "updatedAt": "2026-03-05T02:38:46.469Z",
+  "durationMs": 101929
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nathapp/nax",
-  "version": "0.18.5",
+  "version": "0.19.0",
   "description": "AI Coding Agent Orchestrator \u2014 loops until done",
   "type": "module",
   "bin": {
@@ -44,4 +44,4 @@
     "tdd",
     "coding"
   ]
-}
+}

package/src/acceptance/fix-generator.ts

@@ -6,7 +6,7 @@
  */
 
 import type { AgentAdapter } from "../agents/types";
-import type { ModelDef } from "../config/schema";
+import type { ModelDef, NaxConfig } from "../config/schema";
 import { getLogger } from "../logger";
 import type { PRD, UserStory } from "../prd/types";
 
@@ -70,6 +70,8 @@ export interface GenerateFixStoriesOptions {
   workdir: string;
   /** Model definition for LLM call */
   modelDef: ModelDef;
+  /** Global config */
+  config: NaxConfig;
 }
 
 /**
@@ -224,7 +226,9 @@ export async function generateFixStories(
 
     try {
       // Call agent to generate fix description
-      const cmd = [adapter.binary, "--model", modelDef.model, "--dangerously-skip-permissions", "-p", prompt];
+      const skipPerms = options.config.quality?.dangerouslySkipPermissions ?? true;
+      const permArgs = skipPerms ? ["--dangerously-skip-permissions"] : [];
+      const cmd = [adapter.binary, "--model", modelDef.model, ...permArgs, "-p", prompt];
 
       const proc = Bun.spawn(cmd, {
         cwd: workdir,

package/src/acceptance/generator.ts

@@ -178,7 +178,9 @@ export async function generateAcceptanceTests(
 
   try {
     // Call agent to generate tests (using decompose as pattern)
-    const cmd = [adapter.binary, "--model", options.modelDef.model, "--dangerously-skip-permissions", "-p", prompt];
+    const skipPerms = options.config.quality?.dangerouslySkipPermissions ?? true;
+    const permArgs = skipPerms ? ["--dangerously-skip-permissions"] : [];
+    const cmd = [adapter.binary, "--model", options.modelDef.model, ...permArgs, "-p", prompt];
 
     const proc = Bun.spawn(cmd, {
       cwd: options.workdir,

package/src/acceptance/types.ts

@@ -4,7 +4,7 @@
  * Types for generating acceptance tests from spec.md acceptance criteria.
  */
 
-import type { ModelDef, ModelTier } from "../config/schema";
+import type { ModelDef, ModelTier, NaxConfig } from "../config/schema";
 
 /**
  * A single acceptance criterion extracted from spec.md.
@@ -55,6 +55,8 @@ export interface GenerateAcceptanceTestsOptions {
   modelTier: ModelTier;
   /** Resolved model definition */
   modelDef: ModelDef;
+  /** Global config for quality settings */
+  config: NaxConfig;
 }
 
 /**

package/src/agents/claude-plan.ts

@@ -1,3 +1,6 @@
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
 /**
  * Claude Code Plan Logic
  *
@@ -96,9 +99,7 @@ export async function runPlan(
   }
 
   // Non-interactive: redirect stdout to temp file via Bun.file()
-  const { join } = require("node:path");
-  const { mkdtempSync, readFileSync, rmSync } = require("node:fs");
-  const { tmpdir } = require("node:os");
+
   const tempDir = mkdtempSync(join(tmpdir(), "nax-plan-"));
   const outFile = join(tempDir, "stdout.txt");
   const errFile = join(tempDir, "stderr.txt");
@@ -120,8 +121,8 @@ export async function runPlan(
     // Unregister PID after exit
     await pidRegistry.unregister(proc.pid);
 
-    const specContent = readFileSync(outFile, "utf-8");
-    const conversationLog = readFileSync(errFile, "utf-8");
+    const specContent = await Bun.file(outFile).text();
+    const conversationLog = await Bun.file(errFile).text();
 
     if (exitCode !== 0) {
       throw new Error(`Plan mode failed with exit code ${exitCode}: ${conversationLog || "unknown error"}`);

package/src/agents/claude.ts

@@ -172,7 +172,7 @@ export class ClaudeCodeAdapter implements AgentAdapter {
     const proc = Bun.spawn(cmd, {
       cwd: options.workdir,
       stdout: "pipe",
-      stderr: "pipe",
+      stderr: "inherit", // MEM-3: Inherit stderr to avoid blocking on unread pipe
       env: this.buildAllowedEnv(options),
     });
 
@@ -255,7 +255,7 @@ export class ClaudeCodeAdapter implements AgentAdapter {
     const proc = Bun.spawn(cmd, {
       cwd: options.workdir,
       stdout: "pipe",
-      stderr: "pipe",
+      stderr: "inherit", // MEM-3: Inherit stderr to avoid blocking on unread pipe
       env: this.buildAllowedEnv({
         workdir: options.workdir,
         modelDef: options.modelDef || { provider: "anthropic", model: "claude-sonnet-4-5", env: {} },
@@ -295,7 +295,7 @@ export class ClaudeCodeAdapter implements AgentAdapter {
       env: { ...this.buildAllowedEnv(options), TERM: "xterm-256color", FORCE_COLOR: "1" },
       stdin: "pipe",
       stdout: "pipe",
-      stderr: "pipe",
+      stderr: "inherit", // MEM-3: Inherit stderr to avoid blocking on unread pipe
     });
 
     const pidRegistry = this.getPidRegistry(options.workdir);
@@ -303,16 +303,26 @@ export class ClaudeCodeAdapter implements AgentAdapter {
 
     // Stream stdout to onOutput callback
     (async () => {
-      for await (const chunk of proc.stdout) {
-        options.onOutput(Buffer.from(chunk));
+      try {
+        for await (const chunk of proc.stdout) {
+          options.onOutput(Buffer.from(chunk));
+        }
+      } catch (err) {
+        // BUG-21: Handle stream errors to avoid unhandled rejections
+        getLogger()?.error("agent", "runInteractive stdout error", { err });
       }
     })();
 
     // Fire onExit when process completes
-    proc.exited.then((code) => {
-      pidRegistry.unregister(proc.pid).catch(() => {});
-      options.onExit(code ?? 1);
-    });
+    proc.exited
+      .then((code) => {
+        pidRegistry.unregister(proc.pid).catch(() => {});
+        options.onExit(code ?? 1);
+      })
+      .catch((err) => {
+        // BUG-22: Guard against onExit or unregister throws
+        getLogger()?.error("agent", "runInteractive exit error", { err });
+      });
 
     return {
       write: (data: string) => {

package/src/cli/analyze.ts

@@ -193,6 +193,7 @@ async function generateAcceptanceTestsForFeature(
       codebaseContext,
       modelTier,
       modelDef,
+      config,
     });
 
     const acceptanceTestPath = join(featureDir, config.acceptance.testPath);

package/src/cli/init.ts

@@ -4,7 +4,8 @@
  * Initializes nax configuration directories and files.
  */
 
-import { existsSync, mkdirSync, readFileSync } from "node:fs";
+import { existsSync } from "node:fs";
+import { mkdir } from "node:fs/promises";
 import { join } from "node:path";
 import { globalConfigDir, projectConfigDir } from "../config/paths";
 import { DEFAULT_CONFIG } from "../config/schema";
@@ -34,7 +35,7 @@ async function updateGitignore(projectRoot: string): Promise<void> {
 
   let existing = "";
   if (existsSync(gitignorePath)) {
-    existing = readFileSync(gitignorePath, "utf-8");
+    existing = await Bun.file(gitignorePath).text();
   }
 
   const missingEntries = NAX_GITIGNORE_ENTRIES.filter((entry) => !existing.includes(entry));
@@ -95,7 +96,7 @@ async function initGlobal(): Promise<void> {
 
   // Create ~/.nax if it doesn't exist
   if (!existsSync(globalDir)) {
-    mkdirSync(globalDir, { recursive: true });
+    await mkdir(globalDir, { recursive: true });
     logger.info("init", "Created global config directory", { path: globalDir });
   }
 
@@ -120,7 +121,7 @@ async function initGlobal(): Promise<void> {
   // Create ~/.nax/hooks/ directory if it doesn't exist
   const hooksDir = join(globalDir, "hooks");
   if (!existsSync(hooksDir)) {
-    mkdirSync(hooksDir, { recursive: true });
+    await mkdir(hooksDir, { recursive: true });
     logger.info("init", "Created global hooks directory", { path: hooksDir });
   } else {
     logger.info("init", "Global hooks directory already exists", { path: hooksDir });
@@ -138,7 +139,7 @@ async function initProject(projectRoot: string): Promise<void> {
 
   // Create nax/ directory if it doesn't exist
   if (!existsSync(projectDir)) {
-    mkdirSync(projectDir, { recursive: true });
+    await mkdir(projectDir, { recursive: true });
     logger.info("init", "Created project config directory", { path: projectDir });
   }
 
@@ -163,7 +164,7 @@ async function initProject(projectRoot: string): Promise<void> {
   // Create nax/hooks/ directory if it doesn't exist
   const hooksDir = join(projectDir, "hooks");
   if (!existsSync(hooksDir)) {
-    mkdirSync(hooksDir, { recursive: true });
+    await mkdir(hooksDir, { recursive: true });
     logger.info("init", "Created project hooks directory", { path: hooksDir });
   } else {
     logger.info("init", "Project hooks directory already exists", { path: hooksDir });

package/src/config/defaults.ts

@@ -80,6 +80,7 @@ export const DEFAULT_CONFIG: NaxConfig = {
     detectOpenHandles: true,
     detectOpenHandlesRetries: 1,
     gracePeriodMs: 5000,
+    dangerouslySkipPermissions: true,
     drainTimeoutMs: 2000,
     shell: "/bin/sh",
     stripEnvVars: ["CLAUDECODE", "REPL_ID", "AGENT"],

package/src/config/types.ts

@@ -145,6 +145,8 @@ export interface QualityConfig {
   detectOpenHandlesRetries: number;
   /** Grace period in ms after SIGTERM before sending SIGKILL (default: 5000) */
   gracePeriodMs: number;
+  /** Use --dangerously-skip-permissions for agent sessions (default: false) */
+  dangerouslySkipPermissions: boolean;
   /** Deadline in ms to drain stdout/stderr after killing process (Bun stream workaround, default: 2000) */
   drainTimeoutMs: number;
   /** Shell to use for running verification commands (default: /bin/sh) */

package/src/context/injector.ts

@@ -7,7 +7,7 @@
  *           Ruby (Gemfile), Java/Kotlin (pom.xml / build.gradle).
  */
 
-import { existsSync, readFileSync } from "node:fs";
+import { existsSync } from "node:fs";
 import { join } from "node:path";
 import type { NaxConfig } from "../config";
 import type { ProjectMetadata } from "./types";
@@ -68,12 +68,12 @@ async function detectNode(workdir: string): Promise<{ name?: string; lang: strin
 }
 
 /** Go: read go.mod for module name + direct dependencies */
-function detectGo(workdir: string): { name?: string; lang: string; dependencies: string[] } | null {
+async function detectGo(workdir: string): Promise<{ name?: string; lang: string; dependencies: string[] } | null> {
   const goMod = join(workdir, "go.mod");
   if (!existsSync(goMod)) return null;
 
   try {
-    const content = readFileSync(goMod, "utf8");
+    const content = await Bun.file(goMod).text();
     const moduleMatch = content.match(/^module\s+(\S+)/m);
     const name = moduleMatch?.[1];
 
@@ -95,12 +95,12 @@ function detectGo(workdir: string): { name?: string; lang: string; dependencies:
 }
 
 /** Rust: read Cargo.toml for package name + dependencies */
-function detectRust(workdir: string): { name?: string; lang: string; dependencies: string[] } | null {
+async function detectRust(workdir: string): Promise<{ name?: string; lang: string; dependencies: string[] } | null> {
   const cargoPath = join(workdir, "Cargo.toml");
   if (!existsSync(cargoPath)) return null;
 
   try {
-    const content = readFileSync(cargoPath, "utf8");
+    const content = await Bun.file(cargoPath).text();
     const nameMatch = content.match(/^\[package\][^[]*name\s*=\s*"([^"]+)"/ms);
     const name = nameMatch?.[1];
 
@@ -119,7 +119,7 @@ function detectRust(workdir: string): { name?: string; lang: string; dependencie
 }
 
 /** Python: read pyproject.toml or requirements.txt */
-function detectPython(workdir: string): { name?: string; lang: string; dependencies: string[] } | null {
+async function detectPython(workdir: string): Promise<{ name?: string; lang: string; dependencies: string[] } | null> {
   const pyproject = join(workdir, "pyproject.toml");
   const requirements = join(workdir, "requirements.txt");
 
@@ -127,7 +127,7 @@ function detectPython(workdir: string): { name?: string; lang: string; dependenc
 
   try {
     if (existsSync(pyproject)) {
-      const content = readFileSync(pyproject, "utf8");
+      const content = await Bun.file(pyproject).text();
       const nameMatch = content.match(/^\s*name\s*=\s*"([^"]+)"/m);
       const depsSection = content.match(/^\[project\][^[]*dependencies\s*=\s*\[([^\]]*)\]/ms)?.[1] ?? "";
       const deps = depsSection
@@ -139,7 +139,7 @@ function detectPython(workdir: string): { name?: string; lang: string; dependenc
     }
 
     // Fallback: requirements.txt
-    const lines = readFileSync(requirements, "utf8")
+    const lines = (await Bun.file(requirements).text())
       .split("\n")
       .map((l) => l.split(/[>=<!]/)[0].trim())
       .filter((l) => l && !l.startsWith("#"))
@@ -169,12 +169,12 @@ async function detectPhp(workdir: string): Promise<{ name?: string; lang: string
 }
 
 /** Ruby: read Gemfile */
-function detectRuby(workdir: string): { name?: string; lang: string; dependencies: string[] } | null {
+async function detectRuby(workdir: string): Promise<{ name?: string; lang: string; dependencies: string[] } | null> {
   const gemfile = join(workdir, "Gemfile");
   if (!existsSync(gemfile)) return null;
 
   try {
-    const content = readFileSync(gemfile, "utf8");
+    const content = await Bun.file(gemfile).text();
     const gems = [...content.matchAll(/^\s*gem\s+['"]([^'"]+)['"]/gm)].map((m) => m[1]).slice(0, 10);
     return { lang: "Ruby", dependencies: gems };
   } catch {
@@ -183,7 +183,7 @@ function detectRuby(workdir: string): { name?: string; lang: string; dependencie
 }
 
 /** Java/Kotlin: detect from pom.xml or build.gradle */
-function detectJvm(workdir: string): { name?: string; lang: string; dependencies: string[] } | null {
+async function detectJvm(workdir: string): Promise<{ name?: string; lang: string; dependencies: string[] } | null> {
   const pom = join(workdir, "pom.xml");
   const gradle = join(workdir, "build.gradle");
   const gradleKts = join(workdir, "build.gradle.kts");
@@ -192,7 +192,7 @@ function detectJvm(workdir: string): { name?: string; lang: string; dependencies
 
   try {
     if (existsSync(pom)) {
-      const content = readFileSync(pom, "utf8");
+      const content = await Bun.file(pom).text();
       const nameMatch = content.match(/<artifactId>([^<]+)<\/artifactId>/);
       const deps = [...content.matchAll(/<artifactId>([^<]+)<\/artifactId>/g)]
         .map((m) => m[1])
@@ -203,7 +203,7 @@ function detectJvm(workdir: string): { name?: string; lang: string; dependencies
     }
 
     const gradleFile = existsSync(gradleKts) ? gradleKts : gradle;
-    const content = readFileSync(gradleFile, "utf8");
+    const content = await Bun.file(gradleFile).text();
     const lang = gradleFile.endsWith(".kts") ? "Kotlin" : "Java";
     const deps = [...content.matchAll(/implementation[^'"]*['"]([^:'"]+:[^:'"]+)[^'"]*['"]/g)]
       .map((m) => m[1].split(":").pop() ?? m[1])
@@ -223,12 +223,12 @@ function detectJvm(workdir: string): { name?: string; lang: string; dependencies
 export async function buildProjectMetadata(workdir: string, config: NaxConfig): Promise<ProjectMetadata> {
   // Priority: Go > Rust > Python > PHP > Ruby > JVM > Node
   const detected =
-    detectGo(workdir) ??
-    detectRust(workdir) ??
-    detectPython(workdir) ??
+    (await detectGo(workdir)) ??
+    (await detectRust(workdir)) ??
+    (await detectPython(workdir)) ??
     (await detectPhp(workdir)) ??
-    detectRuby(workdir) ??
-    detectJvm(workdir) ??
+    (await detectRuby(workdir)) ??
+    (await detectJvm(workdir)) ??
     (await detectNode(workdir));
 
   return {