@yemi33/minions 0.1.1812 → 0.1.1814

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## 0.1.1814 (2026-05-09)
+
+### Features
+- harden PRD and playbook paths (#2247)
+
+## 0.1.1813 (2026-05-09)
+
+### Features
+- improve manual PR project inference (#2242)
+
 ## 0.1.1812 (2026-05-09)
 
 ### Features

package/dashboard/js/command-center.js

@@ -1340,8 +1340,10 @@ async function ccExecuteAction(action, targetTabId) {
         break;
       }
       case 'link-pr': {
-        await _ccFetch('/api/pull-requests/link', { url: action.url, title: action.title || '', project: action.project || '', autoObserve: action.autoObserve !== false });
-        status.innerHTML = '&#10003; PR linked: <strong>' + escHtml(action.url) + '</strong>';
+        var prLinkRes = await _ccFetch('/api/pull-requests/link', { url: action.url, title: action.title || '', project: action.project || '', autoObserve: action.autoObserve !== false });
+        var prLinkData = await prLinkRes.json().catch(function() { return {}; });
+        status.innerHTML = '&#10003; PR linked: <strong>' + escHtml(action.url) + '</strong>' +
+          (prLinkData.message ? '<div style="font-size:11px;color:var(--muted);margin-top:4px">' + escHtml(prLinkData.message) + '</div>' : '');
         status.style.color = 'var(--green)';
         break;
       }

package/dashboard/js/render-prs.js

@@ -125,7 +125,7 @@ function openAddPrModal() {
     '<div style="display:flex;flex-direction:column;gap:10px">' +
       '<label style="color:var(--text);font-size:var(--text-md)">PR URL <input id="pr-link-url" style="' + inputStyle + '" placeholder="https://github.com/org/repo/pull/123"></label>' +
       '<label style="color:var(--text);font-size:var(--text-md)">Title <input id="pr-link-title" style="' + inputStyle + '" placeholder="Short description (optional — auto-detected from URL)"></label>' +
-      '<label style="color:var(--text);font-size:var(--text-md)">Project <select id="pr-link-project" style="' + inputStyle + '"><option value="">Auto / Central</option>' + projOpts + '</select></label>' +
+      '<label style="color:var(--text);font-size:var(--text-md)">Project <select id="pr-link-project" style="' + inputStyle + '"><option value="">Auto-detect from URL (central if no unique match)</option>' + projOpts + '</select></label>' +
       '<label style="color:var(--text);font-size:var(--text-md)">Context <textarea id="pr-link-context" rows="3" style="' + inputStyle + ';resize:vertical" placeholder="Why are you linking this? What should agents know about it?"></textarea></label>' +
       '<label style="display:flex;align-items:center;gap:8px;color:var(--text);font-size:var(--text-md);margin-top:4px;cursor:pointer">' +
         '<input type="checkbox" id="pr-link-observe" style="width:16px;height:16px;accent-color:var(--blue)">' +
@@ -151,14 +151,16 @@ async function _submitLinkPr(e) {
   const autoObserve = document.getElementById('pr-link-observe')?.checked || false;
 
   try { closeModal(); } catch { /* expected */ }
-  showToast('cmd-toast', 'PR linked' + (autoObserve ? ' (auto-observe on)' : ''), true);
   try {
     const res = await fetch('/api/pull-requests/link', {
       method: 'POST', headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({ url, title, project, context, autoObserve })
     });
     const data = await res.json();
-    if (res.ok) { refresh(); } else { alert('Failed: ' + (data.error || 'unknown')); openAddPrModal(); }
+    if (res.ok) {
+      showToast('cmd-toast', (data.message || 'PR linked') + (autoObserve ? ' (auto-observe on)' : ''), true, 6000);
+      refresh();
+    } else { alert('Failed: ' + (data.error || 'unknown')); openAddPrModal(); }
   } catch (e) { alert('Error: ' + e.message); openAddPrModal(); }
 }
 

package/dashboard.js

@@ -382,6 +382,83 @@ function findProjectByName(projects, projectName) {
   return shared.findProjectByName(projects, projectName);
 }
 
+function resolveManualPrLinkProject(url, projectName, projects = PROJECTS) {
+  const explicitProjectName = String(projectName || '').trim();
+  if (explicitProjectName) {
+    const explicitProject = shared.resolveProjectSource(explicitProjectName, projects, { allowCentral: false, minionsDir: MINIONS_DIR });
+    if (explicitProject.error) {
+      const err = new Error(explicitProject.error);
+      err.statusCode = 400;
+      throw err;
+    }
+    const targetProject = explicitProject.project;
+    return {
+      project: targetProject,
+      resolution: {
+        reason: 'explicit',
+        project: targetProject.name || explicitProjectName,
+        storage: 'project',
+        message: `Linked to selected project "${targetProject.name || explicitProjectName}".`,
+      },
+    };
+  }
+
+  const parsedPr = shared.parsePrUrl(url);
+  const prScope = parsedPr?.scope || '';
+  if (!prScope) {
+    return {
+      project: null,
+      resolution: {
+        reason: 'unrecognized-url',
+        project: 'central',
+        storage: 'central',
+        message: 'Could not infer a project from this PR URL; linked in central PR tracking.',
+      },
+    };
+  }
+
+  const matches = projects.filter(p => shared.getProjectPrScope(p) === prScope);
+  if (matches.length === 1) {
+    const targetProject = matches[0];
+    return {
+      project: targetProject,
+      resolution: {
+        reason: 'inferred',
+        scope: prScope,
+        project: targetProject.name || '',
+        storage: 'project',
+        message: `Inferred project "${targetProject.name}" from PR scope ${prScope}.`,
+      },
+    };
+  }
+
+  if (matches.length > 1) {
+    const names = matches.map(p => p.name).filter(Boolean);
+    return {
+      project: null,
+      resolution: {
+        reason: 'ambiguous',
+        scope: prScope,
+        project: 'central',
+        storage: 'central',
+        matches: names,
+        message: `PR scope ${prScope} matches multiple configured projects (${names.join(', ')}); linked in central PR tracking. Select a project to attach it.`,
+      },
+    };
+  }
+
+  return {
+    project: null,
+    resolution: {
+      reason: 'unmatched',
+      scope: prScope,
+      project: 'central',
+      storage: 'central',
+      message: `No configured project matches PR scope ${prScope}; linked in central PR tracking.`,
+    },
+  };
+}
+
 function resolveWorkItemsCreateTarget(projectName, projects = PROJECTS) {
   const target = shared.resolveProjectSource(projectName, projects, { defaultWhenSingle: true, minionsDir: MINIONS_DIR });
   if (target.error) return { error: target.error };
@@ -416,6 +493,73 @@ function findWorkItemsTargetById(id, source, projects = PROJECTS) {
   return { found: false };
 }
 
+function buildPlanWorkItem(body, projects = PROJECTS, options = {}) {
+  if (!body?.title || !String(body.title).trim()) return { error: 'title is required' };
+  const target = resolveWorkItemsCreateTarget(body.project, projects);
+  if (target.error) return { error: target.error };
+  let now = options.now ? new Date(options.now) : new Date();
+  if (!Number.isFinite(now.getTime())) now = new Date();
+  const item = {
+    id: options.id || ('W-' + shared.uid()),
+    title: body.title,
+    type: 'plan',
+    priority: body.priority || 'high',
+    description: body.description || '',
+    status: WI_STATUS.PENDING,
+    created: now.toISOString(),
+    createdBy: 'dashboard',
+    branchStrategy: body.branch_strategy || body.branchStrategy || 'parallel',
+  };
+  if (target.project) item.project = target.project.name;
+  if (body.agent) item.agent = body.agent;
+  return { item, id: item.id };
+}
+
+function buildManualPrdItemPlan(body, projects = PROJECTS, options = {}) {
+  if (!body?.name || !String(body.name).trim()) return { error: 'name is required' };
+  const target = resolveWorkItemsCreateTarget(body.project, projects);
+  if (target.error) return { error: target.error };
+
+  const overrideProject = body.item_project ?? body.itemProject;
+  const itemProjectTarget = overrideProject !== undefined
+    ? shared.resolveConfiguredProject(overrideProject, projects)
+    : null;
+  if (itemProjectTarget?.error) return { error: itemProjectTarget.error };
+
+  let now = options.now ? new Date(options.now) : new Date();
+  if (!Number.isFinite(now.getTime())) now = new Date();
+  const nowTime = now.getTime();
+  const projectName = target.project?.name || (projects.length > 0 ? projects[0].name : 'Unknown');
+  const itemProjectName = itemProjectTarget?.project?.name || target.project?.name || (projects.length === 1 ? projects[0].name : '');
+  const item = {
+    id: body.id || ('M' + String(nowTime).slice(-4)),
+    name: String(body.name).trim(),
+    description: body.description || '',
+    priority: body.priority || 'medium',
+    estimated_complexity: body.estimated_complexity || 'medium',
+    status: 'missing',
+    depends_on: [],
+    acceptance_criteria: [],
+  };
+  if (itemProjectName) item.project = itemProjectName;
+
+  return {
+    plan: {
+      version: 'manual-' + now.toISOString().slice(0, 10),
+      project: projectName,
+      generated_by: 'dashboard',
+      generated_at: now.toISOString().slice(0, 10),
+      plan_summary: item.name,
+      status: 'approved',
+      requires_approval: false,
+      branch_strategy: 'parallel',
+      missing_features: [item],
+      open_questions: [],
+    },
+    id: item.id,
+  };
+}
+
 function validatePipelineProjects(pipeline, projects = PROJECTS) {
   const refs = [];
   const collect = (value) => {
@@ -488,21 +632,7 @@ function linkPullRequestForTracking({ url, title, project: projectName, autoObse
     throw err;
   }
   const projects = shared.getProjects(config);
-  const explicitProjectName = String(projectName || '').trim();
-  const explicitProject = explicitProjectName
-    ? shared.resolveProjectSource(explicitProjectName, projects, { allowCentral: false, minionsDir: MINIONS_DIR })
-    : null;
-  let targetProject = explicitProject?.project || null;
-  if (explicitProject?.error) {
-    const err = new Error(explicitProject.error);
-    err.statusCode = 400;
-    throw err;
-  }
-  if (!explicitProjectName) {
-    const prScope = shared.parsePrUrl(url)?.scope || '';
-    const matches = prScope ? projects.filter(p => shared.getProjectPrScope(p) === prScope) : [];
-    if (matches.length === 1) targetProject = matches[0];
-  }
+  const { project: targetProject, resolution: projectResolution } = resolveManualPrLinkProject(url, projectName, projects);
   const prPath = targetProject ? shared.projectPrPath(targetProject) : shared.centralPullRequestsPath(MINIONS_DIR);
 
   const prNumMatch = url.match(/\/pull\/(\d+)|pullrequest\/(\d+)/);
@@ -527,11 +657,12 @@ function linkPullRequestForTracking({ url, title, project: projectName, autoObse
     _contextOnly: !autoObserve,
     _autoObserve: !!autoObserve,
     _context: contextText,
+    _projectResolution: projectResolution,
   }, {
     project: targetProject,
     itemId: linkedWorkItemId,
   });
-  return { ...result, prPath, targetProject, prNum };
+  return { ...result, prPath, targetProject, projectResolution, prNum };
 }
 
 function _normalizeSkillDirForCompare(dir) {
@@ -5064,21 +5195,12 @@ const server = http.createServer(async (req, res) => {
     try {
       const body = await readBody(req);
       if (!body.title || !body.title.trim()) return jsonReply(res, 400, { error: 'title is required' });
-      const target = resolveWorkItemsCreateTarget(body.project);
-      if (target.error) return jsonReply(res, 400, { error: target.error });
+      const planWorkItem = buildPlanWorkItem(body);
+      if (planWorkItem.error) return jsonReply(res, 400, { error: planWorkItem.error });
       // Write as a work item with type 'plan' — user must explicitly execute plan-to-prd after reviewing
       const wiPath = path.join(MINIONS_DIR, 'work-items.json');
-      const id = 'W-' + shared.uid();
-      const item = {
-        id, title: body.title, type: 'plan',
-        priority: body.priority || 'high', description: body.description || '',
-        status: WI_STATUS.PENDING, created: new Date().toISOString(), createdBy: 'dashboard',
-        branchStrategy: body.branch_strategy || body.branchStrategy || 'parallel',
-      };
-      if (target.project) item.project = target.project.name;
-      if (body.agent) item.agent = body.agent;
-      mutateWorkItems(wiPath, items => { items.push(item); });
-      return jsonReply(res, 200, { ok: true, id, agent: body.agent || '' });
+      mutateWorkItems(wiPath, items => { items.push(planWorkItem.item); });
+      return jsonReply(res, 200, { ok: true, id: planWorkItem.id, agent: body.agent || '' });
     } catch (e) { return jsonReply(res, 400, { error: e.message }); }
   }
 
@@ -5086,31 +5208,14 @@ const server = http.createServer(async (req, res) => {
     try {
       const body = await readBody(req);
       if (!body.name || !body.name.trim()) return jsonReply(res, 400, { error: 'name is required' });
-      const target = resolveWorkItemsCreateTarget(body.project);
-      if (target.error) return jsonReply(res, 400, { error: target.error });
+      const manualPrd = buildManualPrdItemPlan(body);
+      if (manualPrd.error) return jsonReply(res, 400, { error: manualPrd.error });
 
       if (!fs.existsSync(PRD_DIR)) fs.mkdirSync(PRD_DIR, { recursive: true });
 
-      const id = body.id || ('M' + String(Date.now()).slice(-4));
       const planFile = 'manual-' + shared.uid() + '.json';
-      const plan = {
-        version: 'manual-' + new Date().toISOString().slice(0, 10),
-        project: target.project?.name || 'Unknown',
-        generated_by: 'dashboard',
-        generated_at: new Date().toISOString().slice(0, 10),
-        plan_summary: body.name,
-        status: 'approved',
-        requires_approval: false,
-        branch_strategy: 'parallel',
-        missing_features: [{
-          id, name: body.name, description: body.description || '',
-          priority: body.priority || 'medium', estimated_complexity: body.estimated_complexity || 'medium',
-          status: 'missing', depends_on: [], acceptance_criteria: [],
-        }],
-        open_questions: [],
-      };
-      safeWrite(path.join(PRD_DIR, planFile), plan);
-      return jsonReply(res, 200, { ok: true, id, file: planFile });
+      safeWrite(path.join(PRD_DIR, planFile), manualPrd.plan);
+      return jsonReply(res, 200, { ok: true, id: manualPrd.id, file: planFile });
     } catch (e) { return jsonReply(res, 400, { error: e.message }); }
   }
 
@@ -8385,7 +8490,7 @@ What would you like to discuss or change? When you're happy, say "approve" and I
     { method: 'GET', path: /^\/api\/plans\/([^?]+)$/, template: '/api/plans/:file', desc: 'Read a full plan (JSON from prd/ or markdown from plans/)', handler: handlePlansRead },
 
     // PRD items
-    { method: 'POST', path: '/api/prd-items', desc: 'Create a PRD item as a plan file in prd/ (auto-approved)', params: 'name, description?, priority?, estimated_complexity?, project?, id?', handler: handlePrdItemsCreate },
+    { method: 'POST', path: '/api/prd-items', desc: 'Create a PRD item as a plan file in prd/ (auto-approved)', params: 'name, description?, priority?, estimated_complexity?, project?, item_project?, id?', handler: handlePrdItemsCreate },
     { method: 'POST', path: '/api/prd-items/update', desc: 'Edit a PRD item in its source plan JSON', params: 'source, itemId, name?, description?, priority?, estimated_complexity?, status?', handler: handlePrdItemsUpdate },
     { method: 'POST', path: '/api/prd-items/remove', desc: 'Remove a PRD item from plan + cancel materialized work item', params: 'source, itemId', handler: handlePrdItemsRemove },
     // /api/prd/regenerate removed — use /api/plans/approve which does diff-aware update
@@ -8419,9 +8524,17 @@ What would you like to discuss or change? When you're happy, say "approve" and I
       } catch (e) {
         return jsonReply(res, e.statusCode || 400, { error: e.message }, req);
       }
-      const { id: prId, prPath, prNum, created, linked } = linkResult;
+      const { id: prId, prPath, prNum, created, linked, targetProject, projectResolution } = linkResult;
       invalidateStatusCache();
-      jsonReply(res, 200, { ok: true, id: prId, created, linked });
+      jsonReply(res, 200, {
+        ok: true,
+        id: prId,
+        created,
+        linked,
+        project: targetProject?.name || 'central',
+        projectResolution,
+        message: projectResolution?.message || 'PR linked.',
+      });
 
       // Async-enrich: fetch title, description, branch, author from GitHub/ADO API
       (async () => {
@@ -9041,6 +9154,8 @@ module.exports = {
   _findDuplicateWorkItemCreate: findDuplicateWorkItemCreate,
   _createWorkItemWithDedup: createWorkItemWithDedup,
   _resolveWorkItemsCreateTarget: resolveWorkItemsCreateTarget,
+  _buildPlanWorkItem: buildPlanWorkItem,
+  _buildManualPrdItemPlan: buildManualPrdItemPlan,
   _resolveScheduleProjectValue: resolveScheduleProjectValue,
   _collectArchivedWorkItems: collectArchivedWorkItems,
   _createPipelineFromAction: createPipelineFromAction,

package/engine/copilot-models.json

@@ -1,5 +1,5 @@
 {
   "runtime": "copilot",
   "models": null,
-  "cachedAt": "2026-05-09T08:52:32.908Z"
+  "cachedAt": "2026-05-09T15:01:20.730Z"
 }

package/engine/pipeline.js

@@ -390,9 +390,9 @@ function executeTaskStage(stage, stageState, run, config, pipeline = {}) {
       touchedProjects.push(project?.name || null);
     }
   }
-  const projects = [...new Set(touchedProjects)];
   const artifacts = { workItems: [...new Set(createdIds)] };
-  if (projects.some(Boolean)) artifacts.projects = projects;
+  const projectArtifacts = [...new Set(touchedProjects.filter(Boolean))];
+  if (projectArtifacts.length > 0) artifacts.projects = projectArtifacts;
   return { status: PIPELINE_STATUS.RUNNING, artifacts };
 }
 

package/engine/playbook.js

@@ -342,21 +342,41 @@ function isSafeProjectPlaybookName(projectName) {
     !/^[a-zA-Z]:/.test(name);
 }
 
+function isSafePlaybookType(playbookType) {
+  const name = String(playbookType || '').trim();
+  return !!name &&
+    !name.includes('\0') &&
+    !name.includes('..') &&
+    !/[\\/]/.test(name) &&
+    !path.isAbsolute(name) &&
+    !/^[a-zA-Z]:/.test(name);
+}
+
 function resolvePlaybookPath(projectName, playbookType) {
+  const playbookTypeName = String(playbookType || '').trim();
+  if (!isSafePlaybookType(playbookTypeName)) {
+    log('warn', `Skipping unsafe playbook type lookup: ${playbookTypeName.replace(/\0/g, '')}`);
+    return path.join(PLAYBOOKS_DIR, '__invalid__.md');
+  }
   if (projectName) {
     const projectDirName = String(projectName).trim();
     if (isSafeProjectPlaybookName(projectDirName)) {
-      const localPath = path.join(MINIONS_DIR, 'projects', projectDirName, 'playbooks', `${playbookType}.md`);
+      const projectsDir = path.join(MINIONS_DIR, 'projects');
+      const localPath = path.resolve(projectsDir, projectDirName, 'playbooks', `${playbookTypeName}.md`);
+      if (!shared.isPathInside(localPath, projectsDir)) {
+        log('warn', `Skipping project-local playbook outside projects/: ${projectDirName}`);
+        return path.join(PLAYBOOKS_DIR, `${playbookTypeName}.md`);
+      }
       try {
         fs.accessSync(localPath, fs.constants.R_OK);
-        log('info', `Using project-local playbook: projects/${projectDirName}/playbooks/${playbookType}.md`);
+        log('info', `Using project-local playbook: projects/${projectDirName}/playbooks/${playbookTypeName}.md`);
         return localPath;
       } catch { /* no local override — fall through to global */ }
     } else {
       log('warn', `Skipping project-local playbook lookup for unsafe project name: ${projectDirName}`);
     }
   }
-  return path.join(PLAYBOOKS_DIR, `${playbookType}.md`);
+  return path.join(PLAYBOOKS_DIR, `${playbookTypeName}.md`);
 }
 
 

package/engine/projects.js

@@ -11,13 +11,84 @@ const shared = require('./shared');
 const dispatch = require('./dispatch');
 const { MINIONS_DIR } = shared;
 
-/**
- * @param {object} d - dispatch entry
- * @returns {string} project name from any of the three meta shapes the engine
- *   uses (item.project, project.name, project string)
- */
-function _dispatchProjectName(d) {
-  return d?.meta?.item?.project || d?.meta?.project?.name || d?.meta?.project || '';
+function _sameProjectName(a, b) {
+  return String(a || '').toLowerCase() === String(b || '').toLowerCase();
+}
+
+function _projectRefMatches(projectRef, removedProject, projects) {
+  if (!projectRef) return false;
+  const refs = (projectRef && typeof projectRef === 'object')
+    ? [projectRef.name, projectRef.localPath]
+    : [projectRef];
+  return refs.some(ref => {
+    if (!ref) return false;
+    const result = shared.resolveConfiguredProject(ref, projects);
+    return !!(result.project && _sameProjectName(result.project.name, removedProject.name));
+  });
+}
+
+function _workItemMatchesProject(item, removedProject, projects) {
+  const refs = [
+    item?.project,
+    item?._project,
+    item?.planProject,
+    item?._planProject,
+    item?._declaredPlanProject,
+  ];
+  return refs.some(ref => _projectRefMatches(ref, removedProject, projects));
+}
+
+function _isCentralDispatchSource(source) {
+  return source === 'central-work-item' || source === 'central-work-item-fanout';
+}
+
+function _dispatchMatchesProject(d, removedProject, projects) {
+  const meta = d?.meta || {};
+  if (_isCentralDispatchSource(meta.source)) {
+    return _workItemMatchesProject(meta.item, removedProject, projects) ||
+      _projectRefMatches(meta.project, removedProject, projects);
+  }
+  return _workItemMatchesProject(meta.item, removedProject, projects) ||
+    _projectRefMatches(meta.project, removedProject, projects);
+}
+
+function _centralDispatchDefaultedToProject(d, removedProject, projects) {
+  const meta = d?.meta || {};
+  return _isCentralDispatchSource(meta.source) &&
+    meta.item?.id &&
+    !_workItemMatchesProject(meta.item, removedProject, projects) &&
+    _projectRefMatches(meta.project, removedProject, projects);
+}
+
+function _collectProjectlessCentralDispatchItemIds(removedProject, projects) {
+  const dispatchPath = path.join(MINIONS_DIR, 'engine', 'dispatch.json');
+  const ids = new Set();
+  const state = shared.safeJson(dispatchPath) || {};
+  for (const queue of ['pending', 'active']) {
+    for (const d of Array.isArray(state?.[queue]) ? state[queue] : []) {
+      if (_centralDispatchDefaultedToProject(d, removedProject, projects)) ids.add(d.meta.item.id);
+    }
+  }
+  return ids;
+}
+
+function _requeueProjectlessCentralWorkItems(itemIds) {
+  if (!itemIds || itemIds.size === 0) return 0;
+  const wiPath = path.join(MINIONS_DIR, 'work-items.json');
+  if (!fs.existsSync(wiPath)) return 0;
+  let requeued = 0;
+  shared.mutateWorkItems(wiPath, items => {
+    if (!Array.isArray(items)) return items;
+    for (const w of items) {
+      if (!itemIds.has(w?.id) || w.status !== shared.WI_STATUS.DISPATCHED) continue;
+      w.status = shared.WI_STATUS.PENDING;
+      delete w.dispatched_at;
+      delete w.dispatched_to;
+      requeued++;
+    }
+    return items;
+  });
+  return requeued;
 }
 
 /**
@@ -56,9 +127,10 @@ function removeProject(target, options = {}) {
   try { config = JSON.parse(fs.readFileSync(configPath, 'utf8')); }
   catch (e) { return { ...summary, error: 'Failed to read config: ' + e.message }; }
 
-  const project = shared.findProjectByNameOrPath(config.projects || [], target);
+  const projects = shared.getProjects(config);
+  const project = shared.resolveConfiguredProject(target, projects).project;
   if (!project) {
-    const available = (config.projects || []).map(p => p.name).join(', ') || '(none)';
+    const available = projects.map(p => p.name).join(', ') || '(none)';
     return { ...summary, error: `No project linked matching: ${target}. Available: ${available}` };
   }
   summary.project = { name: project.name, localPath: project.localPath };
@@ -72,15 +144,17 @@ function removeProject(target, options = {}) {
   );
   summary.cancelledItems += dispatch.cancelPendingWorkItems(
     path.join(MINIONS_DIR, 'work-items.json'),
-    w => String(w.project || '').toLowerCase() === String(project.name || '').toLowerCase(),
+    w => _workItemMatchesProject(w, project, projects),
     'project-removed',
   );
 
   // 2. Drain dispatch — also kills active agent processes and unlinks pid +
   //    prompt sidecars in engine/tmp/, matching what plan delete does.
+  const projectlessCentralItemIds = _collectProjectlessCentralDispatchItemIds(project, projects);
   summary.drainedDispatches = dispatch.cleanDispatchEntries(
-    d => String(_dispatchProjectName(d) || '').toLowerCase() === String(project.name || '').toLowerCase(),
+    d => _dispatchMatchesProject(d, project, projects),
   );
+  _requeueProjectlessCentralWorkItems(projectlessCentralItemIds);
 
   // 3. Clean up worktrees under this project's worktree root, honoring
   //    config.engine.worktreeRoot (mirrors lifecycle.js cleanupPlanWorktrees).
@@ -103,7 +177,7 @@ function removeProject(target, options = {}) {
   //    specifically. Don't touch schedules with project='any' or unset.
   if (Array.isArray(config.schedules)) {
     for (const s of config.schedules) {
-      if (shared.resolveProjectSource(s.project, [project], { allowCentral: false }).project && s.enabled !== false) {
+      if (_projectRefMatches(s.project, project, projects) && s.enabled !== false) {
         s.enabled = false;
         summary.disabledSchedules++;
       }
@@ -129,7 +203,7 @@ function removeProject(target, options = {}) {
       for (const f of fs.readdirSync(prdDir).filter(f => f.endsWith('.json'))) {
         try {
           const prd = JSON.parse(fs.readFileSync(path.join(prdDir, f), 'utf8'));
-          if (prd?.project !== project.name) continue;
+          if (!_projectRefMatches(prd?.project, project, projects)) continue;
           archivePlan(f, prd, [project], config);
           summary.archivedPlans.push('prd/' + f);
           if (prd.source_plan) archivedSourcePlans.add(prd.source_plan);
@@ -164,14 +238,17 @@ function removeProject(target, options = {}) {
         ...(p.monitoredResources || []),
         ...((p.stages || []).flatMap(s => s.monitoredResources || [])),
       ];
-      if (refs.some(r => r && shared.resolveProjectSource(r.project || r._project, [project], { allowCentral: false }).project)) {
+      if (refs.some(r => r && (
+        _projectRefMatches(r.project, project, projects) ||
+        _projectRefMatches(r._project, project, projects)
+      ))) {
         summary.pipelineRefs.push(p.id);
       }
     }
   } catch { /* pipelines optional */ }
 
   // 7. Remove from config.json (and persist any schedule disables)
-  config.projects = (config.projects || []).filter(p => !shared.resolveProjectSource(p, [project], { allowCentral: false }).project);
+  config.projects = (config.projects || []).filter(p => !_sameProjectName(p?.name, project.name));
   try { fs.writeFileSync(configPath, JSON.stringify(config, null, 2)); }
   catch (e) { return { ...summary, error: 'Failed to write config: ' + e.message }; }
 

package/engine/shared.js

@@ -2209,7 +2209,8 @@ function sanitizePath(file, baseDir) {
   if (path.isAbsolute(file) || /^[a-zA-Z]:/.test(file)) throw new Error('invalid file path: absolute path not allowed');
   const resolved = path.resolve(baseDir, file);
   const normalizedBase = path.resolve(baseDir);
-  if (!resolved.startsWith(normalizedBase + path.sep) && resolved !== normalizedBase) {
+  const rel = path.relative(normalizedBase, resolved);
+  if (rel.startsWith('..') || path.isAbsolute(rel)) {
     throw new Error('invalid file path: outside allowed directory');
   }
   return resolved;
@@ -2963,7 +2964,7 @@ function upsertPullRequestRecord(prPath, entry, { project = null, itemId = null,
           target[key] = normalizedEntry[key];
         }
       }
-      for (const key of ['_manual', '_autoObserve', '_context']) {
+      for (const key of ['_manual', '_autoObserve', '_context', '_projectResolution']) {
         if (normalizedEntry[key] != null) target[key] = normalizedEntry[key];
       }
       if (normalizedEntry._contextOnly != null) {

package/engine.js

@@ -2015,8 +2015,11 @@ function safePrdProjectSlug(projectName) {
 
 function safePrdFilenameForProject(projectName, suffix) {
   const fileName = `${safePrdProjectSlug(projectName)}-${suffix}.json`;
-  shared.sanitizePath(fileName, PRD_DIR);
-  return fileName;
+  const resolved = shared.sanitizePath(fileName, PRD_DIR);
+  if (path.dirname(resolved) !== path.resolve(PRD_DIR)) {
+    throw new Error('invalid PRD filename: nested paths are not allowed');
+  }
+  return path.basename(resolved);
 }
 
 function materializePlansAsWorkItems(config) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yemi33/minions",
-  "version": "0.1.1812",
+  "version": "0.1.1814",
   "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
   "bin": {
     "minions": "bin/minions.js"