fix: address Copilot PR review comments (round 3)

- Fix PS Resolve-Template fallback to skip dot-prefixed dirs (.cache)
- Rename _catalog to _catalog_name for consistency with extension system
- Enforce install_allowed policy in CLI preset add and download_pack()
- Fix shell injection: pass registry path via env var instead of string interpolation

scripts/bash/common.sh

@@ -175,10 +175,11 @@ resolve_template() {
         if [ -f "$registry_file" ] && command -v python3 >/dev/null 2>&1; then
             # Read preset IDs sorted by priority (lower number = higher precedence)
             local sorted_presets
-            sorted_presets=$(python3 -c "
-import json, sys
+            sorted_presets=$(SPECKIT_REGISTRY="$registry_file" python3 -c "
+import json, sys, os
 try:
-    data = json.load(open('$registry_file'))
+    with open(os.environ['SPECKIT_REGISTRY']) as f:
+        data = json.load(f)
     presets = data.get('presets', {})
     for pid, meta in sorted(presets.items(), key=lambda x: x[1].get('priority', 10)):
         print(pid)

scripts/powershell/common.ps1

@@ -179,7 +179,7 @@ function Resolve-Template {
             }
         } else {
             # Fallback: alphabetical directory order
-            foreach ($preset in Get-ChildItem -Path $presetsDir -Directory -ErrorAction SilentlyContinue) {
+            foreach ($preset in Get-ChildItem -Path $presetsDir -Directory -ErrorAction SilentlyContinue | Where-Object { $_.Name -notlike '.*' }) {
                 $candidate = Join-Path $preset.FullName "templates/$TemplateName.md"
                 if (Test-Path $candidate) { return $candidate }
             }