fix(workflows): improve monorepo context handling and sanitization

- Re-derive dependent paths in retrospective workflow after monorepo override
- Add max length validation for project_suffix in dev-story
- Fix premature output path computation in create-story workflow

src/bmm/workflows/0-context/set-project/workflow.md

@@ -24,11 +24,11 @@ Load and read full config from {main_config} and resolve basic variables.
 2.  **Wait for Input.**
 3.  **Process Input:**
     - **Case: CLEAR**:
-      - Delete file: `_bmad/.current_project`
+      - Delete file: `{project-root}/_bmad/.current_project`
       - Output: "✅ Project context cleared. Artifacts will go to root `_bmad-output/`."
     - **Case: Path Provided**:
       - **Sanitize:** Remove leading `/` or `_bmad-output/` if present in the input.
-      - Write file: `_bmad/.current_project` with content `<sanitized_path>`
+      - Write file: `{project-root}/_bmad/.current_project` with content `<sanitized_path>`
       - Output: "✅ Project context set to: `<sanitized_path>`. Artifacts will go to `_bmad-output/<sanitized_path>/`."
 
 ### 3. Verification

src/bmm/workflows/1-analysis/create-product-brief/workflow.md

@@ -52,7 +52,7 @@ This uses **step-file architecture** for disciplined execution:
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project` exists.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/bmm/workflows/1-analysis/research/workflow-domain-research.md

@@ -21,7 +21,7 @@ main_config: '{project-root}/_bmad/bmm/config.yaml'
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project` exists.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/bmm/workflows/1-analysis/research/workflow-market-research.md

@@ -21,7 +21,7 @@ main_config: '{project-root}/_bmad/bmm/config.yaml'
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project exists`.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/bmm/workflows/1-analysis/research/workflow-technical-research.md

@@ -21,7 +21,7 @@ main_config: '{project-root}/_bmad/bmm/config.yaml'
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project` exists.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/bmm/workflows/2-plan-workflows/create-prd/workflow-create-prd.md

@@ -51,7 +51,7 @@ This uses **step-file architecture** for disciplined execution:
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project` exists.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/bmm/workflows/2-plan-workflows/create-prd/workflow-edit-prd.md

@@ -51,7 +51,7 @@ This uses **step-file architecture** for disciplined execution:
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project` exists.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 - `project_name`, `output_folder`, `planning_artifacts`, `user_name`

src/bmm/workflows/2-plan-workflows/create-prd/workflow-validate-prd.md

@@ -51,7 +51,7 @@ This uses **step-file architecture** for disciplined execution:
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project` exists.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/bmm/workflows/2-plan-workflows/create-ux-design/workflow.md

@@ -27,7 +27,7 @@ This uses **micro-file architecture** for disciplined execution:
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project exists`.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/bmm/workflows/3-solutioning/check-implementation-readiness/workflow.md

@@ -47,7 +47,7 @@ description: 'Critical validation workflow that assesses PRD, Architecture, and
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project exists`.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/bmm/workflows/3-solutioning/create-architecture/workflow.md

@@ -30,7 +30,7 @@ This uses **micro-file architecture** for disciplined execution:
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project` exists.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/bmm/workflows/3-solutioning/create-epics-and-stories/workflow.md

@@ -51,7 +51,7 @@ This uses **step-file architecture** for disciplined execution:
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project` exists.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/bmm/workflows/4-implementation/code-review/instructions.xml

@@ -16,8 +16,18 @@
 
 
   <step n="1" goal="Load story and discover changes">
-    <check if="_bmad/.current_project exists">
+    <check if="{project-root}/_bmad/.current_project exists">
       <action>Read content as project_suffix</action>
+      <!-- Sanitization and Validation -->
+      <action>Trim whitespace and newlines from project_suffix</action>
+      <check if="project_suffix contains '..' or starts with '/' or starts with '\'">
+         <output>🚫 Security Error: Invalid project context path detected.</output>
+         <action>HALT</action>
+      </check>
+      <check if="project_suffix matches regex '[^a-zA-Z0-9._-]|^\s*$'">
+         <output>🚫 Error: Project context must only contain alphanumeric characters, dots, dashes, or underscores.</output>
+         <action>HALT</action>
+      </check>
       <action>Override output_folder to {project-root}/_bmad-output/{project_suffix}</action>
     </check>
 

src/bmm/workflows/4-implementation/correct-course/instructions.md

@@ -45,7 +45,7 @@
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project exists`.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
   <action>Maintain running notes of findings and impacts discovered</action>

src/bmm/workflows/4-implementation/create-story/instructions.xml

@@ -18,9 +18,20 @@
   <critical>🎯 ZERO USER INTERVENTION: Process should be fully automated except for initial epic/story selection or missing documents</critical>
 
   <step n="1" goal="Determine target story">
-    <check if="_bmad/.current_project exists">
+    <check if="{project-root}/_bmad/.current_project exists">
       <action>Read content as project_suffix</action>
+      <!-- Sanitization and Validation -->
+      <action>Trim whitespace and newlines from project_suffix</action>
+      <check if="project_suffix contains '..' or starts with '/' or starts with '\'">
+         <output>🚫 Security Error: Invalid project context path detected.</output>
+         <action>HALT</action>
+      </check>
+      <check if="project_suffix matches regex '[^a-zA-Z0-9._-]|^\s*$'">
+         <output>🚫 Error: Project context must only contain alphanumeric characters, dots, dashes, or underscores.</output>
+         <action>HALT</action>
+      </check>
       <action>Override output_folder to {project-root}/_bmad-output/{project_suffix}</action>
+      <action>Output "Monorepo context detected. Output folder redirected to: {output_folder}"</action>
     </check>
 
     <check if="{{story_path}} is provided by user or user provided the epic and story number such as 2-4 or 1.6 or epic 1 story 5">
@@ -265,48 +276,52 @@
   <step n="5" goal="Create comprehensive story file">
     <critical>📝 CREATE ULTIMATE STORY FILE - The developer's master implementation guide!</critical>
 
+    <!-- Recompute output file path with correct output_folder and story_key -->
+    <action>Set {target_story_file} = {output_folder}/{story_key}.md</action>
+    <action>Output "Generating story file at: {target_story_file}"</action>
+
     <action>Initialize from template.md:
-    {default_output_file}</action>
-    <template-output file="{default_output_file}">story_header</template-output>
+    {target_story_file}</action>
+    <template-output file="{target_story_file}">story_header</template-output>
 
     <!-- Story foundation from epics analysis -->
     <template-output
-      file="{default_output_file}">story_requirements</template-output>
+      file="{target_story_file}">story_requirements</template-output>
 
     <!-- Developer context section - MOST IMPORTANT PART -->
-    <template-output file="{default_output_file}">
-    developer_context_section</template-output> **DEV AGENT GUARDRAILS:** <template-output file="{default_output_file}">
+    <template-output file="{target_story_file}">
+    developer_context_section</template-output> **DEV AGENT GUARDRAILS:** <template-output file="{target_story_file}">
     technical_requirements</template-output>
-    <template-output file="{default_output_file}">architecture_compliance</template-output>
+    <template-output file="{target_story_file}">architecture_compliance</template-output>
     <template-output
-      file="{default_output_file}">library_framework_requirements</template-output>
-    <template-output file="{default_output_file}">
+      file="{target_story_file}">library_framework_requirements</template-output>
+    <template-output file="{target_story_file}">
     file_structure_requirements</template-output>
-    <template-output file="{default_output_file}">testing_requirements</template-output>
+    <template-output file="{target_story_file}">testing_requirements</template-output>
 
     <!-- Previous story intelligence -->
     <check
       if="previous story learnings available">
-      <template-output file="{default_output_file}">previous_story_intelligence</template-output>
+      <template-output file="{target_story_file}">previous_story_intelligence</template-output>
     </check>
 
     <!-- Git intelligence -->
     <check
       if="git analysis completed">
-      <template-output file="{default_output_file}">git_intelligence_summary</template-output>
+      <template-output file="{target_story_file}">git_intelligence_summary</template-output>
     </check>
 
     <!-- Latest technical specifics -->
     <check if="web research completed">
-      <template-output file="{default_output_file}">latest_tech_information</template-output>
+      <template-output file="{target_story_file}">latest_tech_information</template-output>
     </check>
 
     <!-- Project context reference -->
     <template-output
-      file="{default_output_file}">project_context_reference</template-output>
+      file="{target_story_file}">project_context_reference</template-output>
 
     <!-- Final status update -->
-    <template-output file="{default_output_file}">
+    <template-output file="{target_story_file}">
     story_completion_status</template-output>
 
     <!-- CRITICAL: Set status to ready-for-dev -->

src/bmm/workflows/4-implementation/dev-story/instructions.xml

@@ -13,8 +13,22 @@
   <critical>User skill level ({user_skill_level}) affects conversation style ONLY, not code updates.</critical>
 
   <step n="1" goal="Find next ready story and load it" tag="sprint-status">
-    <check if="_bmad/.current_project exists">
+    <check if="{project-root}/_bmad/.current_project exists">
       <action>Read content as project_suffix</action>
+      <!-- Sanitization and Validation -->
+      <action>Trim whitespace and newlines from project_suffix</action>
+      <check if="project_suffix contains '..' or starts with '/' or starts with '\'">
+         <output>🚫 Security Error: Invalid project context path detected.</output>
+         <action>HALT</action>
+      </check>
+      <check if="project_suffix matches regex '[^a-zA-Z0-9._-]|^\s*$'">
+         <output>🚫 Error: Project context must only contain alphanumeric characters, dots, dashes, or underscores.</output>
+         <action>HALT</action>
+      </check>
+      <check if="project_suffix.length > 100">
+         <output>🚫 Error: Project context name is too long (max 100 characters).</output>
+         <action>HALT</action>
+      </check>
       <action>Override output_folder to {project-root}/_bmad-output/{project_suffix}</action>
     </check>
 

src/bmm/workflows/4-implementation/retrospective/instructions.md

@@ -8,9 +8,12 @@
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project exists`.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
+3. Re-derive dependent path variables to reflect the new `output_folder`:
+   - `implementation_artifacts`: `{output_folder}/implementation`
+   - `planning_artifacts`: `{output_folder}/planning`
 
 <critical>Communicate all responses in {communication_language} and language MUST be tailored to {user_skill_level}</critical>
 <critical>Generate all documents in {document_output_language}</critical>

src/bmm/workflows/4-implementation/sprint-planning/instructions.md

@@ -9,7 +9,7 @@
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project exists`.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/bmm/workflows/4-implementation/sprint-status/instructions.md

@@ -7,7 +7,7 @@
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project exists`.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 <critical>You MUST have already loaded and processed: {project-root}/_bmad/bmm/workflows/4-implementation/sprint-status/workflow.yaml</critical>

src/bmm/workflows/bmad-quick-flow/quick-dev/workflow.md

@@ -28,7 +28,7 @@ This uses **step-file architecture** for focused execution:
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project exists`.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/bmm/workflows/bmad-quick-flow/quick-spec/workflow.md

@@ -69,7 +69,7 @@ This uses **step-file architecture** for disciplined execution:
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project exists`.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/bmm/workflows/document-project/instructions.md

@@ -84,7 +84,7 @@
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project exists`.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/bmm/workflows/document-project/workflows/deep-dive-instructions.md

@@ -11,6 +11,23 @@
 <action>Load existing project structure from index.md and project-parts.json (if exists)</action>
 <action>Load source tree analysis to understand available areas</action>
 
+<check if="{project-root}/_bmad/.current_project exists">
+  <action>Read content as project_suffix</action>
+  <!-- Sanitization and Validation -->
+  <action>Trim whitespace and newlines from project_suffix</action>
+  <check if="project_suffix contains '..' or starts with '/' or starts with '\'">
+      <output>🚫 Security Error: Invalid project context path detected.</output>
+      <action>HALT</action>
+  </check>
+  <check if="project_suffix matches regex '[^a-zA-Z0-9._-]|^\s*$'">
+      <output>🚫 Error: Project context must only contain alphanumeric characters, dots, dashes, or underscores.</output>
+      <action>HALT</action>
+  </check>
+  <action>Override output_folder to {project-root}/_bmad-output/{project_suffix}</action>
+  <action>Override project_knowledge to {project-root}/_bmad-output/{project_suffix}</action>
+  <action>Output "Monorepo context detected. Writing deep-dive artifacts to: {project_knowledge}"</action>
+</check>
+
 <step n="13a" goal="Identify area for deep-dive">
   <action>Analyze existing documentation to suggest deep-dive options</action>
 
@@ -254,10 +271,7 @@ Detailed exhaustive analysis of specific areas:
 
 Load and read full config from {main_config} and resolve basic variables.
 
-**Monorepo Context Check:**
-1. Check if `_bmad/.current_project exists`.
-2. If it exists, read its content as `{project_suffix}` and override output folder:
-   - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
+
 - Related code and reuse opportunities
 - Implementation guidance
 

src/bmm/workflows/document-project/workflows/full-scan-instructions.md

@@ -100,7 +100,7 @@ Your choice [1/2/3]:
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project exists`.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 json, etc.)

src/bmm/workflows/generate-project-context/workflow.md

@@ -30,7 +30,7 @@ This uses **micro-file architecture** for disciplined execution:
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project exists`.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/bmm/workflows/qa/automate/instructions.md

@@ -23,7 +23,7 @@ Check project for existing test framework:
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project exists`.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/core/workflows/advanced-elicitation/workflow.xml

@@ -20,8 +20,18 @@
 
   <flow>
     <step n="1" title="Method Registry Loading">
-      <check if="_bmad/.current_project exists">
+      <check if="{project-root}/_bmad/.current_project exists">
         <action>Read content as project_suffix</action>
+        <!-- Sanitization and Validation -->
+        <action>Trim whitespace and newlines from project_suffix</action>
+        <check if="project_suffix contains '..' or starts with '/' or starts with '\'">
+           <output>🚫 Security Error: Invalid project context path detected.</output>
+           <action>HALT</action>
+        </check>
+        <check if="project_suffix matches regex '[^a-zA-Z0-9._-]|^\s*$'">
+           <output>🚫 Error: Project context must only contain alphanumeric characters, dots, dashes, or underscores.</output>
+           <action>HALT</action>
+        </check>
         <action>Override output_folder to {project-root}/_bmad-output/{project_suffix}</action>
       </check>
 

src/core/workflows/brainstorming/workflow.md

@@ -37,7 +37,7 @@ This uses **micro-file architecture** for disciplined execution:
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project` exists.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`
 

src/core/workflows/party-mode/workflow.md

@@ -30,7 +30,7 @@ This uses **micro-file architecture** with **sequential conversation orchestrati
 Load and read full config from {main_config} and resolve basic variables.
 
 **Monorepo Context Check:**
-1. Check if `_bmad/.current_project` exists.
+1. Check if `{project-root}/_bmad/.current_project` exists.
 2. If it exists, read its content as `{project_suffix}` and override output folder:
    - `output_folder`: `{project-root}/_bmad-output/{project_suffix}`