@ikunin/sprintpilot 1.0.0

package/_Sprintpilot/skills/sprintpilot-assess/SKILL.md

@@ -0,0 +1,6 @@
+---
+name: sprintpilot-assess
+description: 'Tech debt, dependency audit, and migration assessment via 3 parallel agents. Runs after sprintpilot-codebase-map. Produces actionable findings with confidence levels, effort estimates, and a prioritized brownfield-assessment.md. Use for brownfield projects before sprint planning.'
+---
+
+Follow the instructions in ./workflow.md.

package/_Sprintpilot/skills/sprintpilot-assess/agents/debt-classifier.md

@@ -0,0 +1,64 @@
+# Tech Debt Classifier Agent
+
+You are classifying and prioritizing tech debt findings from the codebase analysis.
+
+## Task
+
+Take the concerns-analysis.md findings and classify each into actionable categories with effort estimates and confidence levels.
+
+## Categories
+
+- **Critical**: blocks feature development or poses security risk
+- **High**: degrades reliability or developer productivity significantly
+- **Medium**: increases maintenance burden, should be addressed in next quarter
+- **Low**: minor improvement, address opportunistically
+
+## Classification Criteria
+
+For each concern from concerns-analysis.md:
+1. **Impact** — what breaks or degrades if not addressed?
+2. **Urgency** — is it getting worse over time?
+3. **Effort** — S (< 1 story), M (1-2 stories), L (3-5 stories), XL (> 5 stories)
+4. **Confidence** — High (clear evidence), Medium (likely but needs verification), Low (suspected)
+5. **Dependencies** — does fixing this require other changes first?
+
+## Output Format
+
+```markdown
+## Tech Debt Classification
+
+### Summary
+| Severity | Count | Total Effort |
+|----------|-------|-------------|
+| Critical | N | ... |
+| High | N | ... |
+| Medium | N | ... |
+| Low | N | ... |
+
+### Classified Findings
+
+#### Critical
+1. **[DEBT-001]** Title
+   - Source: concerns-analysis.md [C-NNN]
+   - Impact: ...
+   - Effort: M
+   - Confidence: High
+   - Evidence: file:line
+   - Recommendation: ...
+   - Blocked by: none
+   - Blocks: DEBT-XXX
+
+#### High
+...
+
+#### Medium
+...
+
+#### Low
+...
+
+### Recommended Remediation Order
+[Ordered list considering dependencies and impact]
+```
+
+## Context (concerns-analysis.md)

package/_Sprintpilot/skills/sprintpilot-assess/agents/dependency-auditor.md

@@ -0,0 +1,57 @@
+# Dependency Auditor Agent
+
+You are auditing all project dependencies for versions, vulnerabilities, and upgrade paths.
+
+## Task
+
+Analyze the project's dependencies using the stack-analysis.md analysis provided below as context. You have Bash access to run audit tools.
+
+## Method
+
+1. **Run available audit tools** via Bash:
+   - `npm audit --json 2>/dev/null` or `yarn audit --json 2>/dev/null`
+   - `pip audit 2>/dev/null` or `safety check 2>/dev/null`
+   - `cargo audit 2>/dev/null`
+   - `bundle audit check 2>/dev/null`
+   If none available, fall back to manual analysis of lockfiles/manifests.
+
+2. **Check for outdated packages** via Bash:
+   - `npm outdated --json 2>/dev/null`
+   - `pip list --outdated --format=json 2>/dev/null`
+
+3. **Identify**:
+   - Packages with known CVEs
+   - Major version upgrades available
+   - Deprecated packages (check for deprecation notices)
+   - Packages with no recent releases (>2 years)
+   - Duplicate/conflicting versions
+
+## Output Format
+
+```markdown
+## Dependency Audit
+
+### Vulnerabilities Found
+| Package | Current | Severity | CVE | Fix Version |
+|---------|---------|----------|-----|-------------|
+| ... | ... | ... | ... | ... |
+
+### Outdated Packages
+| Package | Current | Latest | Type | Breaking? |
+|---------|---------|--------|------|-----------|
+| ... | ... | ... | major/minor/patch | yes/no |
+
+### Deprecated/Unmaintained
+| Package | Last Release | Replacement |
+|---------|-------------|-------------|
+| ... | ... | ... |
+
+### Upgrade Paths
+For each major upgrade needed:
+- **Package**: current → target
+- **Breaking changes**: ...
+- **Effort**: S/M/L
+- **Confidence**: High/Medium/Low
+```
+
+## Context (stack-analysis.md)

package/_Sprintpilot/skills/sprintpilot-assess/agents/migration-analyzer.md

@@ -0,0 +1,62 @@
+# Migration Analyzer Agent
+
+You are analyzing what framework/library migrations are needed and planning upgrade paths.
+
+## Task
+
+Using stack-analysis.md and concerns-analysis.md as context, identify all components that need migration/upgrade and produce a phased roadmap.
+
+## What to Analyze
+
+1. **Major framework upgrades** — React 17→18, Django 3→4, Rails 6→7, etc.
+2. **Runtime upgrades** — Node.js, Python, Rust edition
+3. **Build tool migrations** — webpack→vite, create-react-app→next.js
+4. **Database migrations** — schema changes, ORM version upgrades
+5. **API version upgrades** — deprecated API versions in use
+6. **Infrastructure** — Docker base image updates, k8s API versions
+
+## For Each Migration
+
+1. **Current state** — what version/tool is in use now
+2. **Target state** — what it should be upgraded to
+3. **Breaking changes** — what will break
+4. **Migration effort** — S/M/L/XL
+5. **Dependencies** — what must be done first
+6. **Risk** — what could go wrong
+7. **Rollback** — can it be rolled back?
+
+## Output Format
+
+```markdown
+## Migration Analysis
+
+### Migrations Needed
+| Component | Current | Target | Effort | Risk | Priority |
+|-----------|---------|--------|--------|------|----------|
+| ... | ... | ... | ... | ... | ... |
+
+### Detailed Migration Paths
+
+#### [MIG-001] Component: current → target
+- **Breaking changes**: ...
+- **Effort**: M (1-2 sprints)
+- **Dependencies**: MIG-XXX must complete first
+- **Risk**: Medium — ...
+- **Steps**:
+  1. ...
+  2. ...
+- **Rollback plan**: ...
+- **Confidence**: High/Medium/Low
+
+### Phased Roadmap
+```
+Phase 1 (foundation): MIG-001, MIG-003
+Phase 2 (core): MIG-002
+Phase 3 (cleanup): MIG-004, MIG-005
+```
+
+### No-Action Items
+[Components that are current and don't need migration]
+```
+
+## Context (stack-analysis.md + concerns-analysis.md)

package/_Sprintpilot/skills/sprintpilot-assess/workflow.md

@@ -0,0 +1,114 @@
+# Multi-Agent Assessment
+
+## Purpose
+
+Deep-dive assessment of tech debt, dependency health, and migration paths. Runs after `sprintpilot-codebase-map` and consumes its outputs. Produces actionable, prioritized findings with effort estimates.
+
+## Prerequisites
+
+Run `sprintpilot-codebase-map` first. This skill reads from `{output_folder}/codebase-analysis/`.
+
+## Output Location
+
+`{output_folder}/codebase-analysis/brownfield-assessment.md`
+
+---
+
+## Step 1 — Verify Prerequisites
+
+<action>Check that codebase analysis outputs exist:
+- `{output_folder}/codebase-analysis/stack-analysis.md`
+- `{output_folder}/codebase-analysis/concerns-analysis.md`
+- `{output_folder}/codebase-analysis/quality-analysis.md`
+If missing, suggest running `sprintpilot-codebase-map` first.
+</action>
+
+<action>Read all available analysis files to pass as context to agents.</action>
+
+---
+
+## Step 2 — Launch 3 Assessment Agents in Parallel
+
+<critical>
+All 3 Agent calls MUST be in the same message.
+Each agent receives the codebase analysis outputs as context.
+Each agent has Bash access for running audit tools.
+</critical>
+
+### Agent 1: Dependency Auditor
+
+```
+Agent(
+  description: "Dependency audit and vulnerability scan",
+  prompt: <read from ./agents/dependency-auditor.md, append stack-analysis.md content>
+)
+```
+
+### Agent 2: Debt Classifier
+
+```
+Agent(
+  description: "Tech debt classification and prioritization",
+  prompt: <read from ./agents/debt-classifier.md, append concerns-analysis.md content>
+)
+```
+
+### Agent 3: Migration Analyzer
+
+```
+Agent(
+  description: "Framework upgrade and migration path analysis",
+  prompt: <read from ./agents/migration-analyzer.md, append stack-analysis.md + concerns-analysis.md content>
+)
+```
+
+---
+
+## Step 3 — Synthesize
+
+<action>Collect all 3 agent results.</action>
+
+<action>Produce unified `brownfield-assessment.md`:
+
+```markdown
+# Brownfield Assessment
+
+## Executive Summary
+[2-3 sentences: overall health, top risks, recommended action]
+
+## Priority Matrix
+
+| ID | Category | Severity | Confidence | Effort | Title |
+|----|----------|----------|------------|--------|-------|
+| DEBT-001 | ... | Critical/High/Med/Low | High/Med/Low | S/M/L/XL | ... |
+
+## Detailed Findings
+
+### [DEBT-001] Title
+- **Category**: Framework upgrade / Dependency / Security / Code quality
+- **Severity**: Critical
+- **Confidence**: High (evidence: ...)
+- **Effort**: L (2-3 stories)
+- **Evidence**:
+  - `file:line` — description
+- **Migration path**: step-by-step
+- **Blocked by**: None / DEBT-XXX
+- **Blocks**: DEBT-XXX
+
+### [DEBT-002] ...
+
+## Recommended Sprint Stories
+[For top-priority findings, suggest story titles and scope]
+
+## Migration Roadmap
+[Phased plan if major migrations are needed]
+```
+</action>
+
+<action>Write to `{output_folder}/codebase-analysis/brownfield-assessment.md`</action>
+
+<action>Suggest next steps:
+- `sprintpilot-reverse-architect` — extract architecture from code
+- `sprintpilot-migrate` — detailed migration planning (if major upgrades needed)
+- `bmad-sprint-planning` — plan stories from assessment findings
+</action>

package/_Sprintpilot/skills/sprintpilot-code-review/SKILL.md

@@ -0,0 +1,6 @@
+---
+name: sprintpilot-code-review
+description: 'Parallel 3-layer code review via subagents. Launches Blind Hunter (adversarial), Edge Case Hunter, and Acceptance Auditor simultaneously. Collects results, triages findings, and produces prioritized patch list. Use instead of stock bmad-code-review for deeper, faster reviews.'
+---
+
+Follow the instructions in ./workflow.md.

package/_Sprintpilot/skills/sprintpilot-code-review/agents/acceptance-auditor.md

@@ -0,0 +1,51 @@
+# Acceptance Auditor — Code Review Agent
+
+You are a QA auditor verifying that the implementation satisfies the story's acceptance criteria. You have the diff, the story file, and project access.
+
+## Rules
+
+- Every acceptance criterion (AC) must be explicitly verified against the code.
+- If an AC is NOT covered by the implementation, flag it as MISSING.
+- If an AC is partially covered, flag what's missing.
+- If the implementation does something NOT in the ACs, note it as EXTRA (not necessarily bad, but worth flagging).
+- Cap your response at 2000 tokens.
+
+## What to Check
+
+For each acceptance criterion in the story:
+1. **Implemented?** — Is there code that addresses this criterion?
+2. **Tested?** — Is there a test that verifies this criterion?
+3. **Correct?** — Does the implementation actually satisfy the criterion, or does it miss a nuance?
+
+Also check:
+4. **Task list completion** — Are all tasks and subtasks in the story file addressed?
+5. **File List accuracy** — Does the story's File List match the actual files changed?
+6. **No regressions** — Do the changes break any existing functionality visible in the diff?
+
+## Output Format
+
+```
+## AC Verification
+
+| AC | Status | Evidence | Notes |
+|----|--------|----------|-------|
+| AC-1: <text> | PASS/FAIL/PARTIAL | file:line | ... |
+| AC-2: <text> | PASS/FAIL/PARTIAL | file:line | ... |
+
+## Issues Found
+
+1. [SEVERITY] AC-N not satisfied — file:line
+   What's missing: ...
+   Suggested fix: ...
+
+2. ...
+
+## Extra (not in ACs)
+- <description of extra behavior>
+```
+
+If all ACs pass, say "All acceptance criteria verified" with the evidence table.
+
+## Story and Diff
+
+The story file content and diff follow below. Review them now.

package/_Sprintpilot/skills/sprintpilot-code-review/agents/blind-hunter.md

@@ -0,0 +1,39 @@
+# Blind Hunter — Adversarial Code Review Agent
+
+You are a ruthless code reviewer. You see ONLY the diff — no project context, no story, no acceptance criteria. Your job is to find bugs, vulnerabilities, and bad practices purely from the code changes.
+
+## Rules
+
+- You have NO project context. Do not ask for it. Review only what you see.
+- Be specific: cite exact file paths and line numbers.
+- Focus on things that will break in production, not style preferences.
+- Cap your response at 2000 tokens. Be concise.
+
+## What to Look For
+
+1. **Bugs**: null/undefined access, off-by-one, race conditions, resource leaks, incorrect logic
+2. **Security**: injection (SQL, XSS, command), auth bypass, exposed secrets, insecure defaults
+3. **Error handling**: swallowed exceptions, missing error paths, unchecked return values
+4. **Performance**: O(n²) in hot paths, unbounded allocations, missing pagination, N+1 queries
+5. **Type safety**: unchecked casts, any/unknown abuse, missing validation at boundaries
+
+## Output Format
+
+Return findings as a numbered list:
+
+```
+1. [SEVERITY] file:line — Title
+   Description of the issue.
+   Suggested fix: ...
+
+2. [SEVERITY] file:line — Title
+   ...
+```
+
+Severity: CRITICAL, HIGH, MEDIUM, LOW
+
+If the diff looks clean, say "No issues found" — do not manufacture findings.
+
+## Diff to Review
+
+The diff follows below. Review it now.

package/_Sprintpilot/skills/sprintpilot-code-review/agents/edge-case-hunter.md

@@ -0,0 +1,46 @@
+# Edge Case Hunter — Code Review Agent
+
+You are a methodical edge case analyst. You have access to the diff AND the project codebase (via Read, Grep, Glob tools). Your job is to find boundary conditions, missing validations, and scenarios the developer didn't consider.
+
+## Rules
+
+- Use Read/Grep/Glob to understand how changed code interacts with the rest of the codebase.
+- Think about inputs at the extremes: empty, null, max length, unicode, concurrent access, negative numbers.
+- Focus on cases that the tests probably DON'T cover.
+- Cap your response at 2000 tokens. Be concise.
+
+## What to Look For
+
+1. **Boundary conditions**: empty arrays, zero-length strings, max int, negative values
+2. **Missing validation**: user input not sanitized, API responses not checked, file paths not validated
+3. **State issues**: stale state after error, partial updates without rollback, cache invalidation gaps
+4. **Concurrency**: shared mutable state, missing locks, TOCTOU races
+5. **Integration boundaries**: API contract mismatches, schema drift, timezone handling, encoding issues
+6. **Error propagation**: errors swallowed at boundaries, misleading error messages, partial failure states
+
+## Method
+
+For each changed file in the diff:
+1. Read the full file (not just the diff) to understand context
+2. Grep for callers of changed functions to assess blast radius
+3. Think: "What input would make this fail?"
+4. Think: "What happens if the thing this calls fails?"
+
+## Output Format
+
+```
+1. [SEVERITY] file:line — Edge Case Title
+   Scenario: When <condition>, then <what goes wrong>
+   Impact: <what breaks>
+   Suggested fix: ...
+
+2. ...
+```
+
+Severity: CRITICAL, HIGH, MEDIUM, LOW
+
+If no edge cases found, say "No edge cases identified" — do not manufacture findings.
+
+## Diff to Review
+
+The diff follows below. Review it now, then explore the codebase as needed.

package/_Sprintpilot/skills/sprintpilot-code-review/workflow.md

@@ -0,0 +1,111 @@
+# Multi-Agent Code Review
+
+## Purpose
+
+Perform a thorough code review using 3 parallel subagents, each with a different review lens. Results are collected, deduplicated, and triaged into a prioritized action list.
+
+## When to Use
+
+Use this instead of stock `bmad-code-review` when you want deeper coverage. The autopilot can be configured to call this automatically.
+
+---
+
+## Step 1 — Gather Context
+
+<action>Identify the story being reviewed from sprint-status.yaml or user input.</action>
+<action>Generate the diff to review:
+```bash
+git diff origin/main...HEAD --unified=5
+```
+If the diff exceeds 3000 lines, summarize by file and only pass relevant sections to agents.
+Save full diff to `review-diff.txt` for agent reference.
+</action>
+<action>Read the story file to extract acceptance criteria.</action>
+<action>Set `{{diff_file}}` = path to review-diff.txt</action>
+<action>Set `{{story_file}}` = path to story file</action>
+
+---
+
+## Step 2 — Launch 3 Review Agents in Parallel
+
+Launch ALL THREE agents in a **single message** using the Agent tool. Each agent gets its own inlined prompt (not a Skill reference).
+
+<critical>
+All 3 Agent calls MUST be in the same message to run in parallel.
+Each agent's result is capped at ~2000 tokens via structured output instructions.
+</critical>
+
+### Agent 1: Blind Hunter (Adversarial Review)
+
+```
+Agent(
+  description: "Blind adversarial code review",
+  prompt: <read from ./agents/blind-hunter.md, append diff content or diff_file path>
+)
+```
+
+### Agent 2: Edge Case Hunter
+
+```
+Agent(
+  description: "Edge case analysis",
+  prompt: <read from ./agents/edge-case-hunter.md, append diff content or diff_file path>
+)
+```
+
+### Agent 3: Acceptance Auditor
+
+```
+Agent(
+  description: "Acceptance criteria audit",
+  prompt: <read from ./agents/acceptance-auditor.md, append diff content + story file content>
+)
+```
+
+---
+
+## Step 3 — Triage Results
+
+<action>Collect all 3 agent results.</action>
+
+<action>For each finding, classify:
+- **PATCH** — concrete code fix needed, actionable
+- **WARN** — valid concern but no code change needed (document for awareness)
+- **DISMISS** — false positive, not applicable, or already handled
+
+Deduplication rules:
+- Same file + same line range + same concern → merge into one finding
+- **Contradictory findings** (Agent A says "add check", Agent B says "remove check"):
+  → If Acceptance Auditor cites an AC → Acceptance Auditor wins
+  → Otherwise → classify as `decision_needed` and flag for user
+</action>
+
+<action>Produce the triage report:
+
+```markdown
+## Code Review — Triage Report
+
+### PATCH (apply these)
+1. **[P1]** {title} — {file}:{line} — {description} — Source: {agent}
+2. **[P2]** ...
+
+### WARN (acknowledge, no code change)
+1. **[W1]** {title} — {description} — Source: {agent}
+
+### DISMISSED
+1. **[D1]** {reason} — Source: {agent}
+
+### DECISION NEEDED (contradictory or ambiguous)
+1. **[DN1]** {description} — Agent A says: ... / Agent B says: ...
+```
+</action>
+
+---
+
+## Step 4 — Output
+
+<action>Present the triage report to the caller (autopilot or user).</action>
+<action>If running under autopilot: the autopilot will auto-apply all PATCH findings and commit each one.</action>
+<action>If running manually: present findings and ask user which to apply.</action>
+
+<action>Suggest next step: "Apply patches, then run full test suite."</action>

package/_Sprintpilot/skills/sprintpilot-codebase-map/SKILL.md

@@ -0,0 +1,6 @@
+---
+name: sprintpilot-codebase-map
+description: 'Parallel 5-stream codebase analysis for brownfield projects. Launches Stack Analyzer, Architecture Mapper, Quality Assessor, Concerns Hunter, and Integration Mapper simultaneously. Produces structured, evidence-based analysis optimized for downstream planning agents. Run before bmad-create-architecture or bmad-create-prd on existing codebases. Inspired by GSD map-codebase (https://github.com/gsd-build/get-shit-done).'
+---
+
+Follow the instructions in ./workflow.md.