@ikunin/sprintpilot 1.0.0 → 1.0.2

package/README.md

@@ -10,7 +10,7 @@
 
 Sprintpilot is an autonomous delivery addon **compatible with [BMad Method](https://github.com/bmad-code-org/BMAD-METHOD) v6**. One command takes your project from sprint plan to reviewed, tested, PR-ready code — with full git workflow and multi-agent intelligence.
 
-> **Independent project.** Sprintpilot is not affiliated with or endorsed by BMad Code, LLC. "BMad™", "BMad Method™", and "BMAD-METHOD™" are trademarks of BMad Code, LLC. See [TRADEMARK.md](TRADEMARK.md).
+> **Independent project.** Sprintpilot is not affiliated with or endorsed by BMad Code, LLC. See [TRADEMARK.md](TRADEMARK.md).
 
 > **Migrating from `bmad-autopilot-addon` v1?** See [MIGRATION.md](MIGRATION.md). `sprintpilot install` auto-detects v1 and cleanly replaces it.
 
@@ -33,7 +33,7 @@ Sprintpilot is an autonomous delivery addon **compatible with [BMad Method](http
 
 BMad Method provides a structured development workflow with 50+ skills and agent personas. But using it manually means invoking each skill one at a time, navigating menus, making routine decisions, and handling git operations yourself. For a sprint with 10 stories across 3 epics, that's dozens of manual steps, context switches, and session restarts.
 
-## The Solution: Sprintpilot
+## The Solution: Sprint Autopilot
 
 ```
 /sprint-autopilot-on
@@ -148,7 +148,7 @@ Output files (`_bmad-output/codebase-analysis/`):
 | `concerns-analysis.md` | TODOs/FIXMEs, security issues, dead code, deprecated patterns, error handling gaps |
 | `integrations-analysis.md` | External APIs, databases, message queues, cloud services, env vars |
 
-Scanned file types: TypeScript, JavaScript, Python, Java, Go, Rust, Ruby, C#, SQL, PL/SQL (`.sps`, `.spb`), XML, Shell.
+Scanned file types: TypeScript, JavaScript, Python, Java, Go, Rust, Ruby, C, C++, C#, SQL, PL/SQL (`.sps`, `.spb`), XML, Shell.
 
 **`/sprintpilot-assess`** — 3 parallel agents produce actionable findings:
 - Dependency Auditor (CVEs, outdated packages, upgrade paths)

package/_Sprintpilot/lib/runtime/args.js

@@ -1,5 +1,3 @@
-'use strict';
-
 function parseArgs(argv, { booleanFlags = [], positionalActions = null } = {}) {
   const opts = {};
   const positional = [];

package/_Sprintpilot/lib/runtime/git.js

@@ -1,5 +1,3 @@
-'use strict';
-
 const { run, tryRun } = require('./spawn');
 
 async function git(args, opts = {}) {

package/_Sprintpilot/lib/runtime/http.js

@@ -1,5 +1,3 @@
-'use strict';
-
 const https = require('node:https');
 const http = require('node:http');
 const { URL } = require('node:url');
@@ -22,7 +20,12 @@ function postJson(urlStr, body, { headers = {}, timeoutMs = 15_000 } = {}) {
     // can fire on the size-cap abort path (we call req.destroy(err)). Without
     // this, the observed error message becomes non-deterministic.
     let settled = false;
-    const done = (fn, val) => { if (!settled) { settled = true; fn(val); } };
+    const done = (fn, val) => {
+      if (!settled) {
+        settled = true;
+        fn(val);
+      }
+    };
     const ok = (val) => done(resolve, val);
     const fail = (err) => done(reject, err);
 
@@ -78,11 +81,15 @@ function postJson(urlStr, body, { headers = {}, timeoutMs = 15_000 } = {}) {
           if (aborted) return; // error path handles it
           const text = Buffer.concat(chunks).toString('utf8');
           let json = null;
-          try { json = JSON.parse(text); } catch { /* non-json */ }
+          try {
+            json = JSON.parse(text);
+          } catch {
+            /* non-json */
+          }
           ok({ statusCode: res.statusCode, body: text, json });
         });
         res.on('error', fail);
-      }
+      },
     );
     req.on('timeout', () => {
       req.destroy(new Error(`HTTP timeout after ${timeoutMs}ms`));

package/_Sprintpilot/lib/runtime/log.js

@@ -1,5 +1,3 @@
-'use strict';
-
 function out(msg) {
   process.stdout.write(String(msg));
   if (!String(msg).endsWith('\n')) process.stdout.write('\n');

package/_Sprintpilot/lib/runtime/secrets.js

@@ -1,5 +1,3 @@
-'use strict';
-
 const fs = require('node:fs');
 
 // Keyword-based fuzzy matches (high false-positive rate, but useful as a
@@ -10,20 +8,20 @@ const SECRET_KEYWORD = /API_KEY|SECRET|TOKEN|PASSWORD|aws_access|private_key/i;
 // secrets actually look like. Matching here is much less noisy than the
 // keyword list above.
 const SECRET_FORMATS = [
-  /\bAKIA[0-9A-Z]{16}\b/,                  // AWS Access Key ID
-  /\bASIA[0-9A-Z]{16}\b/,                  // AWS temporary Access Key ID
-  /\bghp_[A-Za-z0-9]{30,}\b/,              // GitHub personal access token
-  /\bgho_[A-Za-z0-9]{30,}\b/,              // GitHub OAuth token
-  /\bghu_[A-Za-z0-9]{30,}\b/,              // GitHub user-to-server token
-  /\bghs_[A-Za-z0-9]{30,}\b/,              // GitHub server-to-server token
-  /\bghr_[A-Za-z0-9]{30,}\b/,              // GitHub refresh token
-  /\bgithub_pat_[A-Za-z0-9_]{20,}\b/,      // GitHub fine-grained PAT
-  /\bsk-[A-Za-z0-9_-]{20,}\b/,             // OpenAI / Anthropic-like
-  /\bsk_live_[A-Za-z0-9]{20,}\b/,          // Stripe live secret
-  /\bsk_test_[A-Za-z0-9]{20,}\b/,          // Stripe test secret
-  /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/,      // Slack tokens
-  /\bAIza[0-9A-Za-z_-]{35,99}\b/,          // Google API key (standard is 39 chars = AIza + 35)
-  /-----BEGIN [A-Z ]*PRIVATE KEY-----/,    // PEM private key header
+  /\bAKIA[0-9A-Z]{16}\b/, // AWS Access Key ID
+  /\bASIA[0-9A-Z]{16}\b/, // AWS temporary Access Key ID
+  /\bghp_[A-Za-z0-9]{30,}\b/, // GitHub personal access token
+  /\bgho_[A-Za-z0-9]{30,}\b/, // GitHub OAuth token
+  /\bghu_[A-Za-z0-9]{30,}\b/, // GitHub user-to-server token
+  /\bghs_[A-Za-z0-9]{30,}\b/, // GitHub server-to-server token
+  /\bghr_[A-Za-z0-9]{30,}\b/, // GitHub refresh token
+  /\bgithub_pat_[A-Za-z0-9_]{20,}\b/, // GitHub fine-grained PAT
+  /\bsk-[A-Za-z0-9_-]{20,}\b/, // OpenAI / Anthropic-like
+  /\bsk_live_[A-Za-z0-9]{20,}\b/, // Stripe live secret
+  /\bsk_test_[A-Za-z0-9]{20,}\b/, // Stripe test secret
+  /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/, // Slack tokens
+  /\bAIza[0-9A-Za-z_-]{35,99}\b/, // Google API key (standard is 39 chars = AIza + 35)
+  /-----BEGIN [A-Z ]*PRIVATE KEY-----/, // PEM private key header
 ];
 
 // Deprecated: callers should use `matchesSecret(line)` which applies both

package/_Sprintpilot/lib/runtime/spawn.js

@@ -1,5 +1,3 @@
-'use strict';
-
 const child = require('node:child_process');
 
 function run(file, args, { cwd, timeoutMs = 30_000, input, env } = {}) {
@@ -17,7 +15,7 @@ function run(file, args, { cwd, timeoutMs = 30_000, input, env } = {}) {
       (err, stdout, stderr) => {
         if (err) {
           const e = new Error(
-            `${file} ${args.join(' ')} failed with code ${err.code ?? err.signal ?? 'unknown'}`
+            `${file} ${args.join(' ')} failed with code ${err.code ?? err.signal ?? 'unknown'}`,
           );
           e.exitCode = typeof err.code === 'number' ? err.code : 1;
           e.signal = err.signal || null;
@@ -27,16 +25,26 @@ function run(file, args, { cwd, timeoutMs = 30_000, input, env } = {}) {
           return reject(e);
         }
         resolve({ stdout: String(stdout || ''), stderr: String(stderr || ''), exitCode: 0 });
-      }
+      },
     );
     // Rejecting on spawn-time errors (ENOENT etc) ensures the caller sees a
     // rejected Promise rather than hanging, even if `proc.stdin` was never
     // attached. Without this, a missing binary can crash via `proc.stdin.write`.
     proc.on('error', reject);
     if (input !== undefined && proc.stdin) {
-      proc.stdin.on('error', () => { /* ignore EPIPE etc */ });
-      try { proc.stdin.write(input); } catch { /* ignore */ }
-      try { proc.stdin.end(); } catch { /* ignore */ }
+      proc.stdin.on('error', () => {
+        /* ignore EPIPE etc */
+      });
+      try {
+        proc.stdin.write(input);
+      } catch {
+        /* ignore */
+      }
+      try {
+        proc.stdin.end();
+      } catch {
+        /* ignore */
+      }
     }
   });
 }
@@ -60,7 +68,12 @@ function runInherit(file, args, { cwd, env, input } = {}) {
     proc.on('error', reject);
     proc.on('close', (code) => resolve({ exitCode: code ?? 0 }));
     if (input !== undefined && proc.stdin) {
-      try { proc.stdin.write(input); proc.stdin.end(); } catch { /* ignore */ }
+      try {
+        proc.stdin.write(input);
+        proc.stdin.end();
+      } catch {
+        /* ignore */
+      }
     }
   });
 }

package/_Sprintpilot/lib/runtime/text.js

@@ -1,5 +1,3 @@
-'use strict';
-
 function splitLines(text) {
   if (!text) return [];
   const trimmedTrailing = text.replace(/\r?\n$/, '');

package/_Sprintpilot/lib/runtime/yaml-lite.js

@@ -1,5 +1,3 @@
-'use strict';
-
 // Narrow YAML helper covering the addon-owned shape:
 //   key: value
 //   stories:
@@ -8,7 +6,7 @@
 //       field2: value
 // No deep nesting, no anchors, no flow sequences beyond [a,b,c] literal we pass through.
 
-const SPECIAL_CHARS = /[:{}\[\],&*#?|<>=!%@`\n]|^-|^\s|\s$/;
+const SPECIAL_CHARS = /[:{}[\],&*#?|<>=!%@`\n]|^-|^\s|\s$/;
 
 // YAML 1.1 reserved literals that parsers interpret as booleans/null when
 // unquoted (e.g. "no" -> false). Must be quoted to round-trip as strings.
@@ -81,8 +79,14 @@ function replaceStoryBlock(existing, storyKey, newBlock) {
       // header is part of this block. Blank lines inside the block count
       // as continuations and are also consumed.
       while (i < lines.length) {
-        if (lines[i].length === 0) { i++; continue; }
-        if (indentOf(lines[i]) > headerIndent) { i++; continue; }
+        if (lines[i].length === 0) {
+          i++;
+          continue;
+        }
+        if (indentOf(lines[i]) > headerIndent) {
+          i++;
+          continue;
+        }
         break;
       }
       // Strip any trailing blanks we may have consumed past the block.

package/_Sprintpilot/manifest.yaml

@@ -1,6 +1,6 @@
 addon:
   name: sprintpilot
-  version: 1.0.0
+  version: 1.0.2
   description: Sprintpilot — autopilot and multi-agent addon for BMad Method (git workflow, parallel agents, autonomous story execution)
   bmad_compatibility: ">=6.2.0"
   modules:

package/_Sprintpilot/modules/git/branching-and-pr-strategy.md

@@ -1,6 +1,6 @@
 # Git Branching and PR Strategy
 
-How the BMAD autopilot addon manages branches, PRs, and merging across stories.
+How the Sprintpilot manages branches, PRs, and merging across stories.
 
 ## Configuration
 
@@ -96,6 +96,6 @@ Regardless of the merge strategy, implementation artifacts (sprint-status.yaml,
 
 | File | Owner | Autopilot access |
 |------|-------|-----------------|
-| `sprint-status.yaml` | BMAD (dev-story, sprint-planning, retrospective) | Read only |
+| `sprint-status.yaml` | BMad Method (dev-story, sprint-planning, retrospective) | Read only |
 | `git-status.yaml` | Autopilot addon | Read/write |
 | `autopilot-state.yaml` | Autopilot addon | Read/write |

package/_Sprintpilot/scripts/create-pr.js

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-'use strict';
 
 const { parseArgs } = require('../lib/runtime/args');
 const { tryRun, run } = require('../lib/runtime/spawn');
@@ -9,7 +8,9 @@ const { postJson } = require('../lib/runtime/http');
 const log = require('../lib/runtime/log');
 
 function help() {
-  log.out("Usage: create-pr.js --platform <github|gitlab|bitbucket|gitea|git_only> --branch <name> --base <branch> --title 'title' --body 'body' [--base-url <url>]");
+  log.out(
+    "Usage: create-pr.js --platform <github|gitlab|bitbucket|gitea|git_only> --branch <name> --base <branch> --title 'title' --body 'body' [--base-url <url>]",
+  );
 }
 
 async function hasCli(name) {
@@ -80,12 +81,18 @@ function redactAuth(text) {
   return String(text)
     .replace(/("?authorization"?\s*:\s*")[^"]*(")/gi, '$1[REDACTED]$2')
     .replace(/(bearer\s+)\S+/gi, '$1[REDACTED]')
-    .replace(/("?(?:token|access_token|api_key|private_token)"?\s*[:=]\s*")[^"]*(")/gi, '$1[REDACTED]$2');
+    .replace(
+      /("?(?:token|access_token|api_key|private_token)"?\s*[:=]\s*")[^"]*(")/gi,
+      '$1[REDACTED]$2',
+    );
 }
 
 async function main() {
   const { opts } = parseArgs(process.argv.slice(2), { booleanFlags: ['dry-run'] });
-  if (opts.help) { help(); process.exit(0); }
+  if (opts.help) {
+    help();
+    process.exit(0);
+  }
 
   const platform = opts.platform;
   const branch = opts.branch;
@@ -130,13 +137,11 @@ async function main() {
       log.out('SKIPPED');
       process.exit(2);
     }
-    const r = await tryRun('gh', [
-      'pr', 'create',
-      '--base', baseBranch,
-      '--head', branch,
-      '--title', title,
-      '--body', body,
-    ], { timeoutMs: 60_000 });
+    const r = await tryRun(
+      'gh',
+      ['pr', 'create', '--base', baseBranch, '--head', branch, '--title', title, '--body', body],
+      { timeoutMs: 60_000 },
+    );
     const combined = `${r.stdout}${r.stderr}`;
     if (r.exitCode !== 0) {
       log.error(`gh pr create failed: ${combined.trim()}`);
@@ -152,15 +157,24 @@ async function main() {
       log.out('SKIPPED');
       process.exit(2);
     }
-    const r = await tryRun('glab', [
-      'mr', 'create',
-      '--source-branch', branch,
-      '--target-branch', baseBranch,
-      '--title', title,
-      '--description', body,
-      '--remove-source-branch',
-      '--yes',
-    ], { timeoutMs: 60_000 });
+    const r = await tryRun(
+      'glab',
+      [
+        'mr',
+        'create',
+        '--source-branch',
+        branch,
+        '--target-branch',
+        baseBranch,
+        '--title',
+        title,
+        '--description',
+        body,
+        '--remove-source-branch',
+        '--yes',
+      ],
+      { timeoutMs: 60_000 },
+    );
     const combined = `${r.stdout}${r.stderr}`;
     if (r.exitCode !== 0) {
       log.error(`glab mr create failed: ${combined.trim()}`);
@@ -173,13 +187,22 @@ async function main() {
 
   if (platform === 'bitbucket') {
     if (await hasCli('bb')) {
-      const r = await tryRun('bb', [
-        'pr', 'create',
-        '--source', branch,
-        '--destination', baseBranch,
-        '--title', title,
-        '--description', body,
-      ], { timeoutMs: 60_000 });
+      const r = await tryRun(
+        'bb',
+        [
+          'pr',
+          'create',
+          '--source',
+          branch,
+          '--destination',
+          baseBranch,
+          '--title',
+          title,
+          '--description',
+          body,
+        ],
+        { timeoutMs: 60_000 },
+      );
       const combined = `${r.stdout}${r.stderr}`;
       if (r.exitCode !== 0) {
         log.error(`bb pr create failed: ${combined.trim()}`);
@@ -200,11 +223,14 @@ async function main() {
             destination: { branch: { name: baseBranch } },
             description: body,
           },
-          { headers: { Authorization: `Bearer ${process.env.BITBUCKET_TOKEN}` } }
+          { headers: { Authorization: `Bearer ${process.env.BITBUCKET_TOKEN}` } },
         );
         if (res.statusCode === 201) {
           const href = res.json?.links?.html?.href;
-          if (href) { log.out(href); return; }
+          if (href) {
+            log.out(href);
+            return;
+          }
           log.out('CREATED (URL not extracted from response)');
           return;
         }
@@ -223,13 +249,22 @@ async function main() {
 
   if (platform === 'gitea') {
     if (await hasCli('tea')) {
-      const r = await tryRun('tea', [
-        'pr', 'create',
-        '--base', baseBranch,
-        '--head', branch,
-        '--title', title,
-        '--description', body,
-      ], { timeoutMs: 60_000 });
+      const r = await tryRun(
+        'tea',
+        [
+          'pr',
+          'create',
+          '--base',
+          baseBranch,
+          '--head',
+          branch,
+          '--title',
+          title,
+          '--description',
+          body,
+        ],
+        { timeoutMs: 60_000 },
+      );
       const combined = `${r.stdout}${r.stderr}`;
       if (r.exitCode !== 0) {
         log.error(`tea pr create failed: ${combined.trim()}`);
@@ -245,11 +280,14 @@ async function main() {
         const res = await postJson(
           `${baseUrl.replace(/\/+$/, '')}/api/v1/repos/${ownerRepo}/pulls`,
           { base: baseBranch, head: branch, title, body },
-          { headers: { Authorization: `token ${process.env.GITEA_TOKEN}` } }
+          { headers: { Authorization: `token ${process.env.GITEA_TOKEN}` } },
         );
         if (res.statusCode === 201) {
           const href = res.json?.html_url;
-          if (href) { log.out(href); return; }
+          if (href) {
+            log.out(href);
+            return;
+          }
           log.out('CREATED (URL not extracted from response)');
           return;
         }

package/_Sprintpilot/scripts/detect-platform.js

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-'use strict';
 
 const { parseArgs } = require('../lib/runtime/args');
 const { tryRun } = require('../lib/runtime/spawn');
@@ -17,7 +16,10 @@ async function hasCli(name) {
 
 async function main() {
   const { opts } = parseArgs(process.argv.slice(2));
-  if (opts.help) { help(); process.exit(0); }
+  if (opts.help) {
+    help();
+    process.exit(0);
+  }
   const provider = opts.provider || 'auto';
 
   if (provider !== 'auto') {
@@ -45,16 +47,39 @@ async function main() {
 
   const remote = (await tryGitStdout(['remote', 'get-url', 'origin'])) || '';
 
-  if (/github\.com[:/]/i.test(remote)) { log.out('github'); return; }
-  if (/gitlab\./i.test(remote)) { log.out('gitlab'); return; }
-  if (/bitbucket\.org[:/]/i.test(remote)) { log.out('bitbucket'); return; }
+  if (/github\.com[:/]/i.test(remote)) {
+    log.out('github');
+    return;
+  }
+  if (/gitlab\./i.test(remote)) {
+    log.out('gitlab');
+    return;
+  }
+  if (/bitbucket\.org[:/]/i.test(remote)) {
+    log.out('bitbucket');
+    return;
+  }
 
-  if (hasTea) { log.out('gitea'); return; }
-  if (hasGh) { log.out('github'); return; }
-  if (hasGlab) { log.out('gitlab'); return; }
-  if (hasBb) { log.out('bitbucket'); return; }
+  if (hasTea) {
+    log.out('gitea');
+    return;
+  }
+  if (hasGh) {
+    log.out('github');
+    return;
+  }
+  if (hasGlab) {
+    log.out('gitlab');
+    return;
+  }
+  if (hasBb) {
+    log.out('bitbucket');
+    return;
+  }
 
-  log.err("WARN: no platform CLI found (gh, glab, bb, tea) and remote URL didn't match known platforms");
+  log.err(
+    "WARN: no platform CLI found (gh, glab, bb, tea) and remote URL didn't match known platforms",
+  );
   log.out('git_only');
 }
 

package/_Sprintpilot/scripts/health-check.js

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-'use strict';
 
 const fs = require('node:fs');
 const path = require('node:path');
@@ -10,12 +9,17 @@ const { readStoryField } = require('../lib/runtime/yaml-lite');
 const log = require('../lib/runtime/log');
 
 function help() {
-  log.out('Usage: health-check.js [--worktrees-dir path] [--base-branch main] [--status-file path]');
+  log.out(
+    'Usage: health-check.js [--worktrees-dir path] [--base-branch main] [--status-file path]',
+  );
 }
 
 async function main() {
   const { opts } = parseArgs(process.argv.slice(2));
-  if (opts.help) { help(); process.exit(0); }
+  if (opts.help) {
+    help();
+    process.exit(0);
+  }
   const worktreesDir = opts['worktrees-dir'] || '.worktrees';
   const baseBranch = opts['base-branch'] || 'main';
   const statusFile = opts['status-file'] || '';
@@ -34,13 +38,18 @@ async function main() {
     log.err("WARN: no 'origin' remote configured — commit comparison may be inaccurate");
   }
 
-  let total = 0, cleanDone = 0, committed = 0, stale = 0, dirty = 0, orphan = 0;
+  let total = 0,
+    cleanDone = 0,
+    committed = 0,
+    stale = 0,
+    dirty = 0,
+    orphan = 0;
 
-  const statusText = statusFile && fs.existsSync(statusFile)
-    ? fs.readFileSync(statusFile, 'utf8')
-    : null;
+  const statusText =
+    statusFile && fs.existsSync(statusFile) ? fs.readFileSync(statusFile, 'utf8') : null;
 
-  const entries = fs.readdirSync(worktreesDir, { withFileTypes: true })
+  const entries = fs
+    .readdirSync(worktreesDir, { withFileTypes: true })
     .filter((e) => e.isDirectory());
 
   for (const entry of entries) {