@stylusnexus/work-plan 2026.6.9-4 → 2026.6.10-1

package/README.md

@@ -51,7 +51,7 @@ The five essentials you'll use 80% of the time are:
 | `/work-plan brief` | Morning. Multi-track snapshot — what's on your plate across every active track. Add `--repo=<key>` to scope to one project. |
 | `/work-plan handoff <track>` | End of a work block. Captures what you touched. Use `--auto-next` for an algorithmic priority-sorted `next_up` (no LLM), `--set-next 1,2,3` for explicit numbers, or pair with Claude in chat for a curated pick. |
 | `/work-plan orient <track>` | Switching context. ~15-line paste-block of priority / last session / next pick / git state — drop into a fresh Claude Code terminal. |
-| `/work-plan reconcile <track> \| --all \| --repo=<key> [--draft]` | Track frontmatter membership drifted from GitHub labels. Use on label-driven tracks only — for hand-curated tracks, use `refresh-md` instead. `--draft` previews proposed ADDs/FLAGs without prompting or writing. `--repo=<key>` scopes the sweep to one repo. |
+| `/work-plan reconcile <track> \| --all \| --repo=<key> [--draft] [--yes]` | Track frontmatter membership drifted from GitHub labels. Use on label-driven tracks only — for hand-curated tracks, use `refresh-md` instead. In an `--all`/`--repo` sweep it also moves issues relabeled from one track to another in the same repo. `--draft` previews proposed ADDs/MOVEs/FLAGs; `--yes` applies without prompting. `--repo=<key>` scopes the sweep to one repo. |
 | `/work-plan hygiene [--repo=<key>]` | **Weekly all-in-one cleanup.** Runs three steps: ① `refresh-md --all` (pull live GitHub state into every active track's status table), ② `reconcile --all` (sync frontmatter membership against GitHub labels), ③ `duplicates` (flag likely-duplicate issues). `--repo=<key>` scopes steps ① and ② to one repo; step ③ is skipped in scoped mode. |
 
 A dozen more subcommands cover slotting new issues into tracks, closing tracks (shipped/abandoned/parked), and one-time priority-label backfill. Three capabilities worth calling out explicitly:
@@ -148,8 +148,8 @@ The CLI never auto-pushes. When you create or update a shared track, it prints a
 **Multi-repo disambiguation:** if the same track slug exists in two repos, qualify with `@<repo>` or `--repo=<key>`:
 
 ```bash
-/work-plan slot 4234 auth-flow@critforge
-/work-plan close auth-flow --repo=critforge
+/work-plan slot 4234 auth-flow@myproject
+/work-plan close auth-flow --repo=myproject
 ```
 
 ## Plan & doc liveness (`plan-status`)
@@ -493,7 +493,7 @@ See `docs/usage-examples.md` for end-to-end scenarios (morning brief, mid-work h
 | `close <track> [--state=shipped\|parked\|abandoned] [--note=<text>]` | Mark track shipped, parked, or abandoned. Moves to `archive/<state>/` for shipped/abandoned. Pass `--state=` (and an optional `--note=`) to run without prompts. |
 | `refresh-md <track>` `\|` `--all` `\|` `--repo=<key>` | Update issue STATE (open/closed, status labels) inside the track body's status table. Does NOT change track membership — this is the right tool for "refresh the work I just completed." `--all` sweeps every active track; `--repo=<key>` scopes the sweep to one repo. |
 | `hygiene [--repo=<key>]` | Weekly all-in-one: `refresh-md` + `reconcile` + `duplicates`. With `--repo=<key>`, steps 1 and 2 scope to that repo and the global `duplicates` step is skipped. |
-| `list [--all]` | List active tracks (or all including parked/archived). |
+| `list [--all] [--sort=recent\|priority]` | List active tracks (or all including parked/archived). `--sort=recent` orders by `last_touched` (most recent first); `--sort=priority` orders by `launch_priority` (P0→P3) with recency as tiebreaker. Default keeps discovery order. |
 | `init <path> [--priority=P0..P3] [--milestone=<m>]` | Add frontmatter to a brand-new track .md file (the file must already exist). Pass `--priority=`/`--milestone=` to skip the prompts. |
 | `init-repo <key> --github=<slug> [--local=<path>]` | Bootstrap a new repo: create `<notes_root>/<key>/archive/{shipped,abandoned}/` and add the repo block to your config. `--github` is required; `--local` is optional. |
 | `new-track <repo> <slug> [--priority=P0..P3] [--milestone=<m>]` | One-shot, non-interactive: create a new track file under `notes_root` for `<repo>` (a config key **or** an `org/repo` slug) with frontmatter. Unlike `init`, it makes the file for you — the headless creation path the VS Code viewer uses. |
@@ -502,7 +502,7 @@ See `docs/usage-examples.md` for end-to-end scenarios (morning brief, mid-work h
 | `group [--milestone=X] [--label=Y] [--repo=Z] [--private] [--apply] [--limit=N]` | AI-cluster GitHub issues into thematic track files. Two-step: CLI prints prompt → you save JSON answer → `--apply` creates the tracks. `--private` routes to `notes_root` instead of `.work-plan/`. `--limit` controls how many issues are shown in the prompt (default 100). |
 | `auto-triage [--repo=<key>] [--apply] [--limit=N]` | AI-assign untracked open issues to existing tracks. Two-step (same pattern as `group`). Run `coverage` first to measure the gap. `--limit` controls how many untracked issues are shown (default 100). |
 | `coverage [--repo=<key>] [--list] [--limit=N]` | Report how many open issues are not in any track. `--list` prints titles. Read-only. |
-| `reconcile <track>` `\|` `--all` `\|` `--repo=<key> [--draft]` | Update track MEMBERSHIP (the `github.issues` list in frontmatter) by syncing against a GitHub label. Read-only on GitHub. Default label is `track/<slug>`; override per-track via `github.labels: [...]` in frontmatter (OR semantics). `--draft` previews ADDs/FLAGs without prompting or writing. `--repo=<key>` scopes the sweep to one repo. NOT for hand-curated tracks (it'll propose dropping curated issues every run) — use `refresh-md` if you only want to update issue state. When >50% of frontmatter issues lack the label, reconcile prints a hint pointing to `refresh-md`. |
+| `reconcile <track>` `\|` `--all` `\|` `--repo=<key> [--draft] [--yes]` | Update track MEMBERSHIP (the `github.issues` list in frontmatter) by syncing against a GitHub label. Read-only on GitHub. Default label is `track/<slug>`; override per-track via `github.labels: [...]` in frontmatter (OR semantics). In an `--all`/`--repo` sweep it also detects **MOVEs** — an issue relabeled from one track to another in the same repo is moved (removed from the old track, added to the new); ambiguous targets stay as FLAGs. `--draft` previews ADDs/MOVEs/FLAGs without prompting or writing. `--yes` applies without prompting (non-interactive, e.g. the VS Code extension); PUBLIC-repo move destinations are skipped under `--yes`. `--repo=<key>` scopes the sweep to one repo. NOT for hand-curated tracks (it'll propose dropping curated issues every run) — use `refresh-md` if you only want to update issue state. When >50% of frontmatter issues lack the label, reconcile prints a hint pointing to `refresh-md`. |
 | `duplicates [--repo=<key>]` | Find likely-duplicate issues by title similarity (stdlib `difflib`). Prints `gh issue close` consolidation commands. |
 | `canonicalize <track>` | Add a canonical issue table to a track file (so `refresh-md` knows where to update). |
 | `plan-status [--repo=<key>] [--json] [--stamp [--draft]] [--llm [--apply]] [--archive \| --issues] [--draft]` | Reach a verdict on every plan/spec doc in a repo by correlating its declared file-manifest against git + the filesystem: ✅ shipped / 🟡 partial / 💀 dead / 👻 manifest-less / 🧳 foreign. Read-only by default. `--stamp` writes an idempotent status header into each doc (`--draft` previews); `--llm` runs a two-step AI verdict on prose/ambiguous docs; `--archive` moves dead plans to `archive/abandoned/` and `--issues` opens issues for partial plans (both gated, both honor `--draft`); `--json` for machine output. |

package/VERSION

@@ -1 +1 @@
-2026.06.09+f25e6e1
+2026.06.10+9dce675

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stylusnexus/work-plan",
-  "version": "2026.6.9-4",
+  "version": "2026.6.10-1",
   "description": "Track-aware daily work planning over GitHub issues. Shared tracks (git-synced .work-plan/ in each repo), AI clustering (group/auto-triage), VS Code viewer, Claude Code + Codex plugins. Pure Python stdlib.",
   "bin": {
     "work-plan": "bin/work-plan"

package/skills/work-plan/SKILL.md

@@ -97,8 +97,8 @@ Track files live in one of two places:
 
 **Disambiguation when the same track slug exists in two repos:**
 ```
-/work-plan slot 4234 auth-flow@critforge   # @repo qualifier
-/work-plan close auth-flow --repo=critforge  # --repo=<key> flag
+/work-plan slot 4234 auth-flow@myproject   # @repo qualifier
+/work-plan close auth-flow --repo=myproject  # --repo=<key> flag
 ```
 
 Both forms work on: `slot`, `close`, `handoff`, `canonicalize`, `refresh-md`, `reconcile`, `set`.

package/skills/work-plan/commands/brief.py

@@ -3,7 +3,10 @@ from datetime import datetime
 from pathlib import Path
 
 from lib.config import load_config, ConfigError
-from lib.tracks import discover_tracks, discover_archived_tracks, filter_tracks_by_repo
+from lib.tracks import (
+    discover_tracks, discover_archived_tracks, filter_tracks_by_repo,
+    priority_rank, recency_sort_key,
+)
 from lib.github_state import fetch_issues, extract_priority, short_milestone
 from lib.prompts import parse_flags
 from lib.git_state import (
@@ -193,11 +196,8 @@ def _build_track_block(track, cfg, now: datetime) -> dict:
         return gap_seconds_to_label(int(gs))
 
     in_prog_rank = 0 if operational_status == "in-progress" else 1
-    pri_rank = {"P0": 0, "P1": 1, "P2": 2, "P3": 3}.get(meta.get("launch_priority", "P3"), 3)
-    recency_key = (
-        -parse_iso_timestamp(meta["last_touched"]).timestamp()
-        if meta.get("last_touched") else 0
-    )
+    pri_rank = priority_rank(meta)
+    recency_key = recency_sort_key(meta)
 
     return {
         "name": meta.get("track", track.name),

package/skills/work-plan/commands/handoff.py

@@ -19,6 +19,7 @@ from lib.session_log import append_session_log, SESSION_LOG_HEADER
 from lib.git_state import (
     has_uncommitted, current_branch, parse_iso_timestamp,
     gap_seconds_to_label, uncommitted_file_count, commits_ahead,
+    is_safe_ref, GIT_TIMEOUT,
 )
 from lib.github_state import fetch_issues, state_to_status_label, extract_priority, short_milestone
 from lib.status_table import update_row_status, sync_missing_rows, find_canonical_status_tables, ISSUE_NUM_RE
@@ -514,12 +515,20 @@ def _recent_commits(track, since_dt) -> list[dict]:
 
     if branches:
         for b in branches:
-            proc = subprocess.run(
-                ["git", "-C", str(track.local_path), "log", b,
-                 f"--since={since_iso}",
-                 "--pretty=format:%H|%s|%cI"],
-                capture_output=True, text=True,
-            )
+            # A branch name from frontmatter is passed as a positional rev; a
+            # dash-led value (e.g. `--output=/path`) would be read by git as an
+            # option → arbitrary-file write. Reject before use (#192).
+            if not is_safe_ref(str(b)):
+                continue
+            try:
+                proc = subprocess.run(
+                    ["git", "-C", str(track.local_path), "log", b,
+                     f"--since={since_iso}",
+                     "--pretty=format:%H|%s|%cI"],
+                    capture_output=True, text=True, timeout=GIT_TIMEOUT,
+                )
+            except (subprocess.TimeoutExpired, OSError):
+                continue
             if proc.returncode != 0 or not proc.stdout.strip():
                 continue
             for line in proc.stdout.strip().split("\n"):

package/skills/work-plan/commands/hygiene.py

@@ -78,6 +78,8 @@ def run(args: list[str]) -> int:
     print(f"WEEKLY HYGIENE — step 2 of 3: reconcile{scope_label}")
     print("=" * 60)
     reconcile_args = [f"--repo={repo_key}"] if repo_key else ["--all"]
+    if yes:
+        reconcile_args.append("--yes")
     rc = reconcile.run(reconcile_args)
     if rc != 0:
         print(f"\n⚠ reconcile exited with code {rc}; continuing.")

package/skills/work-plan/commands/init.py

@@ -67,12 +67,22 @@ def run(args: list[str]) -> int:
             return 1
         folder = None
     else:
-        notes_root = Path(cfg["notes_root"])
+        # Containment guard (#195): a non-shared target MUST live under
+        # notes_root. Without this, `init /etc/anything` (any user-writable
+        # file with no frontmatter) would get frontmatter prepended via
+        # write_file, clobbering it. `path` is already resolved; resolve
+        # notes_root too so the comparison is symlink/relative-safe.
+        notes_root = Path(cfg["notes_root"]).expanduser().resolve()
         try:
             rel = path.relative_to(notes_root)
-            folder = rel.parts[0] if len(rel.parts) > 1 else None
         except ValueError:
-            folder = None
+            print(
+                f"ERROR: {path} is not inside notes_root ({notes_root}) or a"
+                " registered .work-plan/ directory — refusing to write"
+                " frontmatter outside the tracked tree."
+            )
+            return 1
+        folder = rel.parts[0] if len(rel.parts) > 1 else None
         repo = resolve_github_for_folder(folder, cfg) if folder else None
 
     issue_nums = sorted(set(int(m) for m in re.findall(r"#(\d+)", body)))

package/skills/work-plan/commands/init_repo.py

@@ -3,6 +3,7 @@
 Non-interactive: --github is required; --local is optional (no prompts).
 """
 import json
+import os
 import re
 import subprocess
 from pathlib import Path
@@ -113,11 +114,16 @@ def run(args: list[str]) -> int:
     if local:
         repo_block["local"] = local
 
-    yq_expr = f'.repos.{key} = {json.dumps(repo_block)}'
+    # `key` is validated against ^[a-z][a-z0-9-]*$ above, so it's safe in the yq
+    # path. The repo block is passed as an OPAQUE env value via env() (parsed as
+    # YAML/JSON) rather than interpolated into the expression — uniform with the
+    # strenv() hardening in set-notes-root (#196).
+    env = {**os.environ, "WP_REPO_BLOCK": json.dumps(repo_block)}
+    yq_expr = f".repos.{key} = env(WP_REPO_BLOCK)"
     try:
         subprocess.run(
             ["yq", "-i", yq_expr, str(DEFAULT_CONFIG_PATH)],
-            check=True, capture_output=True, text=True,
+            check=True, capture_output=True, text=True, env=env,
         )
     except subprocess.CalledProcessError as e:
         print(f"ERROR: yq failed to update config: {e.stderr}")

package/skills/work-plan/commands/list_cmd.py

@@ -1,10 +1,22 @@
 """list subcommand."""
 from lib.config import load_config, ConfigError
-from lib.tracks import discover_tracks, discover_archived_tracks
+from lib.tracks import (
+    discover_tracks, discover_archived_tracks,
+    priority_rank, recency_sort_key,
+)
+from lib.prompts import parse_flags
+
+_VALID_SORTS = ("recent", "priority")
 
 
 def run(args: list[str]) -> int:
-    show_all = "--all" in args
+    flags, _ = parse_flags(args, {"--all", "--sort"})
+    show_all = "--all" in flags
+    sort_mode = flags.get("--sort")
+    if sort_mode is True or (sort_mode and sort_mode not in _VALID_SORTS):
+        print(f"usage: work_plan.py list [--all] [--sort={'|'.join(_VALID_SORTS)}]")
+        return 2
+
     try:
         cfg = load_config()
     except ConfigError as e:
@@ -16,17 +28,19 @@ def run(args: list[str]) -> int:
         print(f"No tracks found under {cfg['notes_root']}")
         return 0
 
+    tracks = _sort_tracks(tracks, sort_mode)
+
     print(f"Tracks under {cfg['notes_root']}:\n")
     for t in tracks:
         status = t.meta.get("status", "(no frontmatter)")
         priority = t.meta.get("launch_priority", "—")
         repo = t.repo or "(no repo)"
-        flags = []
+        flags_out = []
         if t.needs_init:
-            flags.append("NEEDS INIT")
+            flags_out.append("NEEDS INIT")
         if t.needs_filing:
-            flags.append("NEEDS FILING")
-        flag_str = f" [{', '.join(flags)}]" if flags else ""
+            flags_out.append("NEEDS FILING")
+        flag_str = f" [{', '.join(flags_out)}]" if flags_out else ""
         print(f"  {t.name:30}  {status:14}  {priority:3}  {repo}{flag_str}")
 
     if show_all:
@@ -37,3 +51,17 @@ def run(args: list[str]) -> int:
                 end_state = a.meta.get("status", "?")
                 print(f"  {a.name:30}  {end_state:14}  {a.repo or '(no repo)'}")
     return 0
+
+
+def _sort_tracks(tracks: list, sort_mode):
+    """Order active tracks per --sort. None preserves discovery order.
+
+    - "recent": by last_touched descending (missing last_touched sorts last).
+    - "priority": by launch_priority ascending (P0→P3, then missing/other),
+      with last_touched recency as tiebreaker.
+    """
+    if sort_mode == "recent":
+        return sorted(tracks, key=lambda t: recency_sort_key(t.meta))
+    if sort_mode == "priority":
+        return sorted(tracks, key=lambda t: (priority_rank(t.meta), recency_sort_key(t.meta)))
+    return tracks

package/skills/work-plan/commands/new_track.py

@@ -103,6 +103,13 @@ def run(args: list[str]) -> int:
     elif "/" in repo_arg:
         github = repo_arg
         folder = repo_arg.rsplit("/", 1)[-1]
+        # Validate the derived folder segment (#195). `rsplit` caps traversal at
+        # one segment, but a slug like `x/..` yields folder=".." → the track
+        # would be written one level ABOVE notes_root. A real GitHub repo name
+        # matches [A-Za-z0-9._-]+ and is never "." / ".." — reject anything else.
+        if folder in ("", ".", "..") or not re.fullmatch(r"[A-Za-z0-9._-]+", folder):
+            print(f"ERROR: cannot derive a safe notes folder from '{repo_arg}'.")
+            return 2
     else:
         print(
             f"ERROR: unknown repo '{repo_arg}' — pass a configured key"

package/skills/work-plan/commands/reconcile.py

@@ -12,8 +12,11 @@ For a given track:
     of "anything closed looks unlabeled."
   - Compare against frontmatter `github.issues`.
   - Propose ADDS (labeled in GitHub but missing from frontmatter).
-  - Propose FLAGS (in frontmatter but no longer labeled — possible move out).
-  - User confirms before writing to the LOCAL frontmatter file.
+  - Propose MOVES (in track A's frontmatter, but now labeled for exactly one
+    other active track B in the same repo — a relabel; remove from A, add to B).
+  - Propose FLAGS (in frontmatter but no longer labeled, with no single move
+    target — possible orphan).
+  - User confirms before writing to the LOCAL frontmatter file(s).
 
 READ-ONLY GITHUB CONTRACT
   reconcile only READS GitHub via `gh issue list` and `gh pr list`. It NEVER
@@ -32,6 +35,7 @@ from lib.config import load_config, ConfigError
 from lib.tracks import discover_tracks, find_track_by_name, filter_tracks_by_repo, parse_track_repo_arg, AmbiguousTrackError
 from lib.frontmatter import write_file
 from lib.prompts import parse_flags, prompt_input
+from lib.write_guard import needs_confirm
 
 
 PER_TRACK_TIMEOUT = 15  # seconds; each gh call gets this budget
@@ -86,17 +90,18 @@ def _fetch_labeled_issues(repo: str, labels: list[str]) -> list[dict]:
 
 
 def run(args: list[str]) -> int:
-    flags, positional = parse_flags(args, {"--all", "--draft", "--repo"})
+    flags, positional = parse_flags(args, {"--all", "--draft", "--repo", "--yes"})
     do_all = flags.get("--all", False)
     draft = flags.get("--draft", False)
+    yes = flags.get("--yes", False)
     repo_key = flags.get("--repo")
     if repo_key is True:
-        print("usage: work_plan.py reconcile <track-name> | --all | --repo=<key> [--draft]")
+        print("usage: work_plan.py reconcile <track-name> | --all | --repo=<key> [--draft] [--yes]")
         return 2
     track_arg = positional[0] if positional else None
 
     if not do_all and not track_arg and not repo_key:
-        print("usage: work_plan.py reconcile <track-name> | --all | --repo=<key> [--draft]")
+        print("usage: work_plan.py reconcile <track-name> | --all | --repo=<key> [--draft] [--yes]")
         return 2
 
     track_name = track_arg
@@ -167,7 +172,52 @@ def run(args: list[str]) -> int:
                 print(f"  [{i}/{total}] ⚠ {track.name}: {e} — skipping")
                 results[track.name] = None
 
-    # Phase 2: serial diff, report, and confirm (prompts must NOT be in threads)
+    # Phase 2a: index which fetched track(s) label each issue. Used to turn a
+    # bare FLAG (in a track's frontmatter, but it has lost that track's label)
+    # into a MOVE when the issue is now labeled for exactly one OTHER active
+    # track in the same repo.
+    labeled_index: dict = {}  # issue number -> list[track]
+    for track in targets:
+        if not track.repo or results.get(track.name) is None:
+            continue
+        for num in {i["number"] for i in results[track.name]}:
+            labeled_index.setdefault(num, []).append(track)
+
+    # Phase 2b: detect cross-track moves (#163). An issue qualifies when it is
+    # in track A's frontmatter, no longer carries A's label, and is now labeled
+    # by exactly one OTHER active track B in the same repo. Ambiguous cases
+    # (two or more candidate targets) stay as plain FLAGs.
+    moved_out: dict = {}  # src track name -> set(num)
+    moved_in: dict = {}   # dst track name -> set(num)
+    move_dst: dict = {}   # (src track name, num) -> dst track
+    for track in targets:
+        if not track.repo or results.get(track.name) is None:
+            continue
+        labeled_nums = {i["number"] for i in results[track.name]}
+        listed_nums = set(track.meta.get("github", {}).get("issues") or [])
+        for num in sorted(listed_nums - labeled_nums):
+            cands = [b for b in labeled_index.get(num, [])
+                     if b is not track and b.repo == track.repo]
+            if len(cands) == 1:
+                dst = cands[0]
+                moved_out.setdefault(track.name, set()).add(num)
+                moved_in.setdefault(dst.name, set()).add(num)
+                move_dst[(track.name, num)] = dst
+
+    # Phase 2c: per-track diff, report, confirm. Membership changes accumulate
+    # in `final` (track name -> desired issue set); each affected track is
+    # written exactly ONCE at the end, so a move that touches two tracks never
+    # double-writes or clobbers a sibling's accepted ADDs. A move is governed by
+    # the confirmation on its SOURCE track (where the issue currently lives).
+    final: dict = {}     # track name -> set(num)
+    affected: dict = {}  # track name -> track (only those we may write)
+
+    def _final_for(t):
+        if t.name not in final:
+            final[t.name] = set(t.meta.get("github", {}).get("issues") or [])
+            affected[t.name] = t
+        return final[t.name]
+
     any_changes = False
     for track in targets:
         slug = track.meta.get("track", track.name)
@@ -181,11 +231,14 @@ def run(args: list[str]) -> int:
         labels = _resolve_labels(track)
         labeled_nums = {i["number"] for i in labeled}
         listed_nums = set(track.meta.get("github", {}).get("issues") or [])
+        out_moves = sorted(moved_out.get(track.name, set()))
 
-        adds = sorted(labeled_nums - listed_nums)
-        flag_nums = sorted(listed_nums - labeled_nums)
+        # MOVE issues are reported (and applied) as moves, not as ADD on the
+        # destination or FLAG on the source.
+        adds = sorted(labeled_nums - listed_nums - moved_in.get(track.name, set()))
+        flag_nums = sorted(listed_nums - labeled_nums - moved_out.get(track.name, set()))
 
-        if not adds and not flag_nums:
+        if not adds and not flag_nums and not out_moves:
             continue
 
         any_changes = True
@@ -197,6 +250,13 @@ def run(args: list[str]) -> int:
             for num in adds:
                 i = issue_lookup[num]
                 print(f"    #{num} ({i['state'].lower()}) {i['title']}")
+        if out_moves:
+            print(f"  MOVE ({len(out_moves)}) — relabeled to another track in this repo:")
+            for num in out_moves:
+                dst = move_dst[(track.name, num)]
+                dst_slug = dst.meta.get("track", dst.name)
+                pub = " [dst PUBLIC]" if needs_confirm(dst.repo, cfg) else ""
+                print(f"    #{num}  {slug} → {dst_slug}{pub}")
         if flag_nums:
             print(f"  FLAG ({len(flag_nums)}) — in frontmatter but missing every configured label:")
             for num in flag_nums:
@@ -204,8 +264,8 @@ def run(args: list[str]) -> int:
 
         if listed_nums and len(flag_nums) / len(listed_nums) > 0.5:
             print(f"\n  ⓘ {len(flag_nums)}/{len(listed_nums)} frontmatter issues lack the configured label(s).")
-            print(f"    This track looks hand-curated, not label-driven — reconcile may not be the right tool.")
-            print(f"    If you just want to update issue state in the body table, try:")
+            print("    This track looks hand-curated, not label-driven — reconcile may not be the right tool.")
+            print("    If you just want to update issue state in the body table, try:")
             print(f"      /work-plan refresh-md {slug}")
 
         if draft:
@@ -213,12 +273,41 @@ def run(args: list[str]) -> int:
             # Useful for sweep audits and scripted reports.
             continue
 
-        choice = prompt_input(f"\n  Apply ADDs to {track.path.name}? [y/N/skip-flags]").lower()
-        if choice == "y":
-            new_issues = sorted(listed_nums | labeled_nums)
-            track.meta.setdefault("github", {})["issues"] = new_issues
-            write_file(track.path, track.meta, track.body)
-            print(f"  ✓ Updated {track.path.name} ({len(adds)} added)")
+        if yes:
+            # Non-interactive: apply ADDs + MOVEs without prompting. All writes
+            # are local frontmatter — the read-only-GitHub contract is unchanged.
+            print(f"\n  --yes: applying changes from {track.path.name}")
+            choice = "y"
+        else:
+            choice = prompt_input(f"\n  Apply ADDs/MOVEs from {track.path.name}? [y/N]").lower()
+        if choice != "y":
+            continue
+
+        if adds:
+            _final_for(track).update(adds)
+        for num in out_moves:
+            dst = move_dst[(track.name, num)]
+            # Public-repo guard (#163): under --yes we never silently write
+            # membership into a PUBLIC/shared destination track — that move is
+            # skipped with a pointer to the gated `move` verb. Interactive runs
+            # treat the prompt above as the confirmation.
+            if yes and needs_confirm(dst.repo, cfg):
+                dst_slug = dst.meta.get("track", dst.name)
+                print(f"  ⏭ skipped MOVE #{num} → {dst_slug} ({dst.repo} is PUBLIC; "
+                      f"run `/work-plan move {num} {slug} {dst_slug} --confirm` instead)")
+                continue
+            _final_for(track).discard(num)
+            _final_for(dst).add(num)
+
+    # Write each affected track exactly once, only if its set actually changed.
+    for name, issues in final.items():
+        track = affected[name]
+        original = set(track.meta.get("github", {}).get("issues") or [])
+        if issues == original:
+            continue
+        track.meta.setdefault("github", {})["issues"] = sorted(issues)
+        write_file(track.path, track.meta, track.body)
+        print(f"  ✓ Updated {track.path.name}")
 
     if not any_changes:
         print("All tracks in sync with configured labels.")

package/skills/work-plan/commands/set_notes_root.py

@@ -5,6 +5,7 @@ folder. Config writes stay in the CLI (the engine), not the extension.
 
 Usage: set-notes-root <path>
 """
+import os
 import subprocess
 from pathlib import Path
 
@@ -38,12 +39,15 @@ def run(args: list[str]) -> int:
     # Ensure the target directory exists
     new_root.mkdir(parents=True, exist_ok=True)
 
-    # Write the new notes_root into config via yq (mikefarah/yq)
-    yq_expr = f'.notes_root = "{new_root}"'
+    # Write the new notes_root into config via yq (mikefarah/yq). The path is
+    # passed as an OPAQUE env value via strenv() — never interpolated into the
+    # yq expression — so a path containing `"` or yq operators cannot break out
+    # of the string literal and rewrite arbitrary config keys (#191).
+    env = {**os.environ, "WP_NEW_ROOT": str(new_root)}
     try:
         subprocess.run(
-            ["yq", "-i", yq_expr, str(DEFAULT_CONFIG_PATH)],
-            check=True, capture_output=True, text=True,
+            ["yq", "-i", ".notes_root = strenv(WP_NEW_ROOT)", str(DEFAULT_CONFIG_PATH)],
+            check=True, capture_output=True, text=True, env=env,
         )
     except subprocess.CalledProcessError as e:
         print(f"ERROR: yq failed to update config: {e.stderr}")

package/skills/work-plan/commands/suggest_priorities.py

@@ -113,8 +113,18 @@ def _apply(cfg: dict) -> int:
 
     print(f"Applying {len(answers)} priority labels to {repo}...")
     for ans in answers:
-        num = ans["number"]
-        priority = ans["priority"]
+        # The answers file is model-written; coerce the issue number to int and
+        # skip malformed entries so a non-numeric value can't reach `gh` argv
+        # (and a malformed file can't crash the apply). (#196)
+        if not isinstance(ans, dict):
+            print(f"  SKIP: answer is not an object: {ans!r}")
+            continue
+        try:
+            num = int(ans["number"])
+        except (KeyError, TypeError, ValueError):
+            print(f"  SKIP: answer missing a numeric 'number': {ans!r}")
+            continue
+        priority = ans.get("priority")
         if priority not in ("P0", "P1", "P2", "P3"):
             print(f"  SKIP #{num}: invalid priority '{priority}'")
             continue

package/skills/work-plan/lib/frontmatter.py

@@ -21,12 +21,21 @@ def parse_file(path: Path) -> Tuple[dict, str]:
 
 
 def write_file(path: Path, meta: dict, body: str) -> None:
-    """Write markdown with frontmatter. Empty meta = body only."""
+    """Write markdown with frontmatter. Empty meta = body only.
+
+    Refuses to write through a symlink (#195): a track file that is a symlink to
+    a target outside the notes tree would otherwise let a write land on an
+    arbitrary file. Track files are never legitimately symlinks, so this rejects
+    nothing valid; raises ValueError if one is encountered.
+    """
+    p = Path(path)
+    if p.is_symlink():
+        raise ValueError(f"refusing to write through symlink: {p}")
     if not meta:
-        Path(path).write_text(body, encoding="utf-8")
+        p.write_text(body, encoding="utf-8")
         return
     yaml_text = _dict_to_yaml(meta)
-    Path(path).write_text(f"---\n{yaml_text}---\n{body}", encoding="utf-8")
+    p.write_text(f"---\n{yaml_text}---\n{body}", encoding="utf-8")
 
 
 def _yaml_to_dict(yaml_text: str) -> dict: