npm - @ikunin/sprintpilot - Versions diffs - 2.0.9 → 2.1.0 - Mend

@ikunin/sprintpilot 2.0.9 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/_Sprintpilot/scripts/summarize-timings.js CHANGED Viewed

@@ -176,7 +176,12 @@ function pairEvents(events) {
   for (const key of Object.keys(openByStoryPhase)) {
     const [story, phase] = key.split('::');
     for (const startMs of openByStoryPhase[key]) {
-      orphans.push({ story, phase, event: 'start-without-end', ts: new Date(startMs).toISOString() });
+      orphans.push({
+        story,
+        phase,
+        event: 'start-without-end',
+        ts: new Date(startMs).toISOString(),
+      });
     }
   }
@@ -213,14 +218,21 @@ function aggregate(paired) {
   withPct.sort((a, b) => b.sum_ms - a.sum_ms);
   const hotspots = withPct.filter((r) => r.pct_of_total > HOTSPOT_THRESHOLD);
-  const stories = Object.keys(paired.stories).sort().map((key) => {
-    const s = paired.stories[key];
-    const wall_ms = s.first !== null && s.last !== null ? s.last - s.first : 0;
-    const phaseSum = Object.values(s.phases)
-      .flat()
-      .reduce((acc, v) => acc + v, 0);
-    return { story: key, wall_ms, phase_sum_ms: phaseSum, phase_count: Object.keys(s.phases).length };
-  });
+  const stories = Object.keys(paired.stories)
+    .sort()
+    .map((key) => {
+      const s = paired.stories[key];
+      const wall_ms = s.first !== null && s.last !== null ? s.last - s.first : 0;
+      const phaseSum = Object.values(s.phases)
+        .flat()
+        .reduce((acc, v) => acc + v, 0);
+      return {
+        story: key,
+        wall_ms,
+        phase_sum_ms: phaseSum,
+        phase_count: Object.keys(s.phases).length,
+      };
+    });
   return {
     total_paired_ms: totalPaired,
@@ -263,7 +275,9 @@ function renderText(report) {
   if (report.phases.length === 0) {
     lines.push('  (no paired start/end events)');
   } else {
-    lines.push('  phase                                    count    sum     p50     p95     max    %');
+    lines.push(
+      '  phase                                    count    sum     p50     p95     max    %',
+    );
     for (const r of report.phases) {
       lines.push(
         `  ${r.phase.padEnd(40)} ${String(r.count).padStart(5)}  ${fmtMs(r.sum_ms).padStart(6)}  ${fmtMs(r.p50_ms).padStart(6)}  ${fmtMs(r.p95_ms).padStart(6)}  ${fmtMs(r.max_ms).padStart(6)}  ${fmtPct(r.pct_of_total).padStart(6)}`,
@@ -318,7 +332,9 @@ function renderMarkdown(report) {
     lines.push('| Story | Wall | Phase sum | # phases |');
     lines.push('|---|---|---|---|');
     for (const s of report.stories) {
-      lines.push(`| ${s.story} | ${fmtMs(s.wall_ms)} | ${fmtMs(s.phase_sum_ms)} | ${s.phase_count} |`);
+      lines.push(
+        `| ${s.story} | ${fmtMs(s.wall_ms)} | ${fmtMs(s.phase_sum_ms)} | ${s.phase_count} |`,
+      );
     }
   }
   lines.push('');
@@ -360,7 +376,9 @@ function renderMarkdown(report) {
     lines.push('');
     lines.push('## Anomalies');
     lines.push('');
-    lines.push('_Excluded from p50/p95/max so a single skew/stale-marker doesn\'t poison aggregates._');
+    lines.push(
+      "_Excluded from p50/p95/max so a single skew/stale-marker doesn't poison aggregates._",
+    );
     lines.push('');
     lines.push('| Phase | clock_skew | over_threshold |');
     lines.push('|---|---:|---:|');

package/_Sprintpilot/scripts/with-retry.js CHANGED Viewed

@@ -27,7 +27,8 @@ const log = require('../lib/runtime/log');
 const DEFAULT_ATTEMPTS = 3;
 const DEFAULT_MIN_MS = 500;
 const DEFAULT_MAX_MS = 2000;
-const DEFAULT_REF_LOCK_PATTERN = /cannot lock ref|Unable to create.*\.lock|Reference already exists|failed to lock|lock\.ref/i;
+const DEFAULT_REF_LOCK_PATTERN =
+  /cannot lock ref|Unable to create.*\.lock|Reference already exists|failed to lock|lock\.ref/i;
 function help() {
   log.out(
@@ -79,7 +80,15 @@ function runOnce(cmd, args, inherit = false) {
   };
 }
-function runWithRetry({ cmd, args, attempts = DEFAULT_ATTEMPTS, minMs = DEFAULT_MIN_MS, maxMs = DEFAULT_MAX_MS, pattern = DEFAULT_REF_LOCK_PATTERN, onAttempt = null }) {
+function runWithRetry({
+  cmd,
+  args,
+  attempts = DEFAULT_ATTEMPTS,
+  minMs = DEFAULT_MIN_MS,
+  maxMs = DEFAULT_MAX_MS,
+  pattern = DEFAULT_REF_LOCK_PATTERN,
+  onAttempt = null,
+}) {
   const actualAttempts = Math.max(1, attempts | 0);
   let last = null;
   for (let i = 0; i < actualAttempts; i++) {
@@ -107,9 +116,12 @@ function main() {
     help();
     process.exit(opts.help ? 0 : 1);
   }
-  const attempts = opts.attempts !== undefined ? Number.parseInt(String(opts.attempts), 10) : DEFAULT_ATTEMPTS;
-  const minMs = opts['min-ms'] !== undefined ? Number.parseInt(String(opts['min-ms']), 10) : DEFAULT_MIN_MS;
-  const maxMs = opts['max-ms'] !== undefined ? Number.parseInt(String(opts['max-ms']), 10) : DEFAULT_MAX_MS;
+  const attempts =
+    opts.attempts !== undefined ? Number.parseInt(String(opts.attempts), 10) : DEFAULT_ATTEMPTS;
+  const minMs =
+    opts['min-ms'] !== undefined ? Number.parseInt(String(opts['min-ms']), 10) : DEFAULT_MIN_MS;
+  const maxMs =
+    opts['max-ms'] !== undefined ? Number.parseInt(String(opts['max-ms']), 10) : DEFAULT_MAX_MS;
   let pattern = DEFAULT_REF_LOCK_PATTERN;
   if (opts.pattern) {
     try {

package/_Sprintpilot/skills/sprint-autopilot-on/SKILL.md CHANGED Viewed

@@ -3,4 +3,26 @@ name: sprint-autopilot-on
 description: 'Engage autonomous story execution for BMad Method with git workflow integration. Implements stories end-to-end with automatic branching (git worktrees), commits, linting, and PR creation. Uses standard git worktree commands for story isolation — works with any coding agent. Falls back to stock BMad behavior when git is disabled. Use when user says "/sprint-autopilot-on" or "start autopilot".'
 ---
-Follow the instructions in ./workflow.md.
+## STOP — read this entire file before doing anything
+Sprintpilot is driven by a deterministic Node.js state machine at
+`_Sprintpilot/bin/autopilot.js`. The LLM owns in-skill execution,
+diagnosis, triage, and small-judgment decisions — not the flow.
+Follow **`./workflow.orchestrator.md`** verbatim. Flow control lives in
+`_Sprintpilot/bin/autopilot.js` (a Node CLI you call via `autopilot next`
+/ `autopilot record`). The orchestrator emits actions; you execute them.
+### Never improvise
+- Never decide which BMad skill runs next yourself — the state machine
+  emits an `invoke_skill` action telling you.
+- Never skip the `autopilot next` → `autopilot record` cycle. Even when
+  a step feels "obvious," route through the CLI so the ledger, verify,
+  and bookkeeping enforcement run.
+- Do not search for `workflow.md` or reconstruct it from memory; do not
+  read cached BMad legacy patterns and apply them ahead of the
+  orchestrator's state machine.
+`workflow.orchestrator.md` is the **sole authority** for the rest of the
+session.

package/_Sprintpilot/skills/sprint-autopilot-on/workflow.orchestrator.md ADDED Viewed

@@ -0,0 +1,148 @@
+# Sprintpilot — ON (Orchestrator Mode)
+You are running under the **orchestrator-driven** autopilot. Flow control is
+owned by `_Sprintpilot/bin/autopilot.js` — a deterministic Node.js
+state machine that enforces the BMad 7-step sequence. You own the
+*in-skill execution, diagnosis, triage, and small-judgment decisions* —
+not the flow.
+This file is the **≤150-line** authoritative workflow. It is the only
+workflow shipped — the v2.0.x prose `workflow.md` is gone.
+## The loop
+Repeat until the orchestrator emits `halt`:
+1. `node _Sprintpilot/bin/autopilot.js next` → JSON Action.
+2. Execute the Action per the dispatch table below.
+3. While executing, scan the host chat for user interjections. If
+   present, record them via a `user_input` signal (step 4) and re-loop.
+4. `node _Sprintpilot/bin/autopilot.js record --signal <json>` → JSON
+   `{ action, verdict, phase, profile }`. Use the new action.
+5. If `verdict: prompted` → ask the user the question in `action.prompt`.
+   Apply their answer as a `user_input` signal and re-loop.
+6. If `action.type: halt` → STOP. The orchestrator already wrote
+   resume state and (when relevant) the fresh-context handoff flag.
+Never improvise. Never skip a step. Never invent a next action: the
+orchestrator emits it.
+## Action dispatch
+| `action.type`     | What you do                                                                                      |
+|-------------------|--------------------------------------------------------------------------------------------------|
+| `invoke_skill`    | Run the named BMad skill **verbatim from its own body** (e.g. `bmad-create-story`, `bmad-quick-dev`, `bmad-code-review`). `action.template_slots` is a parameter bag (story_key, prior_diagnosis, relevant_decisions, prior_signals_summary, …) — it's input context for BMad's skill, NOT a replacement for the skill's instructions. When `implementation_flow=quick`, you'll receive `invoke_skill: bmad-quick-dev` per story — follow BMad's `step-oneshot.md`. |
+| `run_script`      | Execute `action.command` via the host's shell-equivalent. Argv-only — no shell interpolation.    |
+| `git_op`          | Execute `action.steps` in order. The orchestrator pre-plans every git op (commit_and_push_story, merge_epic, push, fetch, create_branch) via `git-plan.js` and inlines the resulting argv sequence — each step has `args: [cmd, ...argv]`, a `description`, and an optional `retry` policy. Run each step's argv verbatim (NO shell interpolation), halt on first non-retryable failure. Never improvise the git commands or skip a step — `git push` lives in `steps`, not in `op`. |
+| `parallel_batch`  | Dispatch each child action concurrently (M6+ hosts only — fall back to sequential otherwise).    |
+| `user_prompt`     | Ask the user `action.prompt`. Pass the answer back via `user_input` signal.                      |
+| `halt`            | Stop. Honor `action.handoff: 'sprint_finalize_pending'` by ending the session cleanly.           |
+| `noop`            | Re-loop (state machine advancing without an external effect).                                    |
+## Signals you emit
+Wrap everything in `{ "status": "...", ... }` and pass to
+`autopilot record --signal '<json>'`. Optional `decisions[]` on any signal.
+| `status`              | Required fields                                                                                  |
+|-----------------------|--------------------------------------------------------------------------------------------------|
+| `success`             | `output?: object` (for `bmad-code-review` MUST include `findings[]` with `action: 'block'\|'patch'\|'defer'`); `next_skill_hint?` |
+| `failure`             | `reason`, `diagnosis` (first-class — fed back into next retry), `recoverable: boolean`           |
+| `blocked`             | `blocker_kind` (one of the 5 TRUE BLOCKERS or recoverable kinds), `details`, `user_input_needed`, `consecutive_count?` |
+| `propose_alternative` | `reason`, `alternative` (full Action object), `urgency_hint?` (raises impact only)               |
+| `user_input`          | `commands: UserCommand[]` (validated server-side; see user-commands.js)                          |
+| `verify_override`     | `evidence: { decision_log_ref?, explanation, expected_paths? }` — used when verify.js is wrong   |
+## TRUE BLOCKER kinds (per AGENTS.md)
+`creative_user_input_required`, `new_external_dependency`,
+`consecutive_test_failures` (carry `consecutive_count`),
+`security_architectural_decision`, `contradictory_acceptance_criteria`.
+Plus recoverable kinds the orchestrator handles deterministically:
+`missing_dependency`, `failed_invariant`, `external_service`, `unknown`.
+## Decision audit channel
+Include `decisions[]` on ANY signal to log small judgment calls without
+round-tripping through `propose_alternative`. Each entry has
+`category` (one of: architecture, test-strategy, dependency,
+review-triage, review-accept, halt-recovery, scope, workaround), `impact`
+(low/medium/high), `phase` (e.g. `dev-story:RED`), `decision`, and
+`rationale`. The orchestrator stamps id + timestamp + story
+automatically and appends to `decision-log.yaml`.
+## Code-review triage
+When `bmad-code-review` completes, `success.output.findings[]` MUST
+classify each finding:
+- `action: 'block'`   → orchestrator pauses the autopilot. Manual decision required.
+- `action: 'patch'`   → orchestrator enters PATCH_APPLY (step 6a) then PATCH_RETEST (step 6b).
+- `action: 'defer'`   → recorded but not blocking; story proceeds.
+This is LLM intelligence the orchestrator routes on — you own the triage.
+## BMad bookkeeping is enforced
+`verify.js` checks more than artifact existence — it enforces the BMad
+bookkeeping you'd otherwise be tempted to skip:
+| Phase | Bookkeeping that MUST be true before you signal `success` |
+|---|---|
+| `create_story` | Story file has `## Acceptance Criteria` (≥1 bullet) AND a `## Tasks` (or `## Tasks/Subtasks`) section with at least one `[ ]` or `[x]` checkbox. |
+| `dev_red` / `dev_green` | Test files exist on disk; runner exit codes match the phase contract; `tests_run` matches the runner's count. |
+| `code_review` | `_bmad-output/reviews/<story_key>.md` exists; `findings[]` carries `{id, severity, category, action: 'block'\|'patch'\|'defer', rationale}` for every finding. |
+| `patch_apply` | Every `patch_finding` id present in `state.patch_findings` is included in `applied_finding_ids`. |
+| `story_done` (and `nano_quick_dev`) | sprint-status.yaml shows this story as `done` (under `development_status.<story_key>` or inline). Story file has zero remaining `[ ]` task boxes — dev-story is responsible for flipping them to `[x]`. `commit_sha` and `branch` reported; `story_key` matches. **`git_steps_completed: true` in success output** — set this ONLY after every step in `action.steps` (the orchestrator's decorated git plan: `git add`, `git commit`, `git push -u origin <branch>`) has exited 0. Skipping `git push` and reporting success leaves the branch unpushed and trips this check. |
+| `retrospective` | `_bmad-output/retrospectives/<epic>.md` exists. |
+Skipping any of these — even when the code is "obviously done" — produces
+`verify_rejected` in the ledger and the orchestrator re-emits the same
+action with the verifier's issues threaded into the template slot. After
+the per-profile `verify_reject_budget` is exhausted, the session pauses
+for the user.
+If you're confident verify is wrong (e.g. you renamed a test file per a
+logged decision), emit `verify_override` with `evidence.expected_paths`
+and a `decision_log_ref`. The orchestrator re-runs verify with augmented
+expectations.
+After N consecutive verify rejections on the same state (profile-
+configured budget), the orchestrator escalates to `user_prompt`.
+## Git workflow knobs
+These knobs in `_Sprintpilot/modules/git/config.yaml` change what the
+orchestrator emits as `git_op` / `run_script` actions. Always read them
+from the action payload — do NOT improvise.
+| Knob | Values | Behavior |
+|---|---|---|
+| `granularity` | `story` (default) / `epic` | Per-unit branch creation (default). Suppressed when `reuse_user_branch=true`. |
+| `reuse_user_branch` | `false` (default) / `true` | If `true`, autopilot detects the current non-base branch on boot and commits **every** story onto it. No `story/*` or `epic/*` branches are created. PR is opened from this branch at sprint-end. |
+| `merge_strategy` | `stacked` (default) / `land_as_you_go` | `stacked` keeps every story-branch open until sprint-end. `land_as_you_go` runs the new `STORY_LAND` state right after STORY_DONE to merge the PR immediately. |
+| `land_when` | `no_wait` / `ci_pass` (default) / `ci_and_review` | Under `land_as_you_go`, when to merge: synchronously, after CI is green, or after CI + an approved review. |
+| `land_wait_minutes` | int (default 30) | Max wait for CI / review under `land_as_you_go`. After this the orchestrator halts and prompts. |
+On `STORY_LAND` rebase conflicts (base moved during the story), the
+orchestrator auto-rebases the story branch onto latest base. If the
+rebase has conflicts, the orchestrator halts with a `user_prompt`. You
+resolve conflicts manually, then resume autopilot — it retries the
+land step from `state.land_pending`.
+## Resume
+On the next `autopilot start`, the orchestrator fingerprints
+`_bmad-output/`, sprint-status.yaml, and per-story branch HEADs against
+the fingerprint recorded at the last halt. Any divergence is emitted as
+`{ kind: 'resume_divergence', differences: ... }`. Forward the diff to
+the user; let them resolve via `user_input` (`force_continue` or
+`override_decision`).
+## What you must NEVER do
+- Decide the next BMad step yourself; skip step-6 patch loop; auto-accept
+  your own `propose_alternative`; write `autopilot-state.yaml` /
+  `ledger.jsonl` directly; commit secrets; use `git push --no-verify`;
+  drift from the typed Signal schema.

package/_Sprintpilot/skills/sprintpilot-codebase-map/agents/architecture-mapper.md CHANGED Viewed

@@ -19,6 +19,15 @@ Scan the project at `{{project_root}}` and write your findings to `{{output_file
 - `*.key`, `*.pem`, `*.p12` (private keys)
 - `credentials.json`, `service-account.json`
+## Ignore-file Awareness
+Before any Glob or Grep, read `{{project_root}}/.gitignore` and
+`{{project_root}}/.aiexclude` if they exist. Treat every non-comment,
+non-negation pattern as an additional excluded path: skip those files and
+directories entirely, do not Read them, and filter them out of pattern search
+results. `scan.js` applies these patterns automatically. Skip negation (`!`)
+lines.
 ## Exploration
 Use your native file tools (Read, Glob, Grep). The lists below describe what data to collect; pick the appropriate tool for your CLI.

package/_Sprintpilot/skills/sprintpilot-codebase-map/agents/concerns-hunter.md CHANGED Viewed

@@ -20,6 +20,15 @@ Scan the project at `{{project_root}}` and write your findings to `{{output_file
 - `credentials.json`, `service-account.json`
 - Files in `.git/` directory
+## Ignore-file Awareness
+Before any Glob or Grep, read `{{project_root}}/.gitignore` and
+`{{project_root}}/.aiexclude` if they exist. Treat every non-comment,
+non-negation pattern as an additional excluded path: skip those files and
+directories entirely, do not Read them, and filter them out of pattern search
+results. `scan.js` applies these patterns automatically. Skip negation (`!`)
+lines.
 ## Exploration
 Use Grep for pattern searches and `scan.js` for aggregations. All Grep calls below should filter to code file types (e.g., `*.ts`, `*.js`, `*.py`, `*.java`, `*.go`, `*.rs`, `*.rb`, `*.cs`, `*.sql`, `*.sps`, `*.spb`, `*.xml`, `*.sh`, `*.c`, `*.h`, `*.cpp`, `*.hpp`, `*.cc`, `*.cxx`, `*.hxx`) and cap each result set (~20-50).

package/_Sprintpilot/skills/sprintpilot-codebase-map/agents/integration-mapper.md CHANGED Viewed

@@ -21,6 +21,15 @@ Scan the project at `{{project_root}}` and write your findings to `{{output_file
 **DO read**: `.env.example`, `.env.sample`, `.env.template` (safe — contain variable names only)
+## Ignore-file Awareness
+Before any Glob or Grep, read `{{project_root}}/.gitignore` and
+`{{project_root}}/.aiexclude` if they exist. Treat every non-comment,
+non-negation pattern as an additional excluded path: skip those files and
+directories entirely, do not Read them, and filter them out of pattern search
+results. `scan.js` applies these patterns automatically. Skip negation (`!`)
+lines.
 ## Exploration
 Use Grep and Read. Below are the patterns to search for — file-type filters match the original language coverage (`*.ts`, `*.js`, `*.py`, `*.rb`, `*.go`, `*.rs`, `*.java`, `*.sh`, `*.c`, `*.h`, `*.cpp`, `*.hpp`, `*.cc`, `*.cxx`, `*.hxx`, `*.sql`, `*.sps`, `*.spb`, `*.xml`). Cap each result set (~15-30 matches).

package/_Sprintpilot/skills/sprintpilot-codebase-map/agents/quality-assessor.md CHANGED Viewed

@@ -19,6 +19,15 @@ Scan the project at `{{project_root}}` and write your findings to `{{output_file
 - `*.key`, `*.pem`, `*.p12` (private keys)
 - `credentials.json`, `service-account.json`
+## Ignore-file Awareness
+Before any Glob or Grep, read `{{project_root}}/.gitignore` and
+`{{project_root}}/.aiexclude` if they exist. Treat every non-comment,
+non-negation pattern as an additional excluded path: skip those files and
+directories entirely, do not Read them, and filter them out of pattern search
+results. `scan.js` applies these patterns automatically. Skip negation (`!`)
+lines.
 ## Exploration
 Use your native file tools (Read, Glob, Grep) plus the `scan.js` helper for aggregations.

package/_Sprintpilot/skills/sprintpilot-codebase-map/agents/stack-analyzer.md CHANGED Viewed

@@ -20,6 +20,16 @@ Scan the project at `{{project_root}}` and write your findings to `{{output_file
 - `credentials.json`, `service-account.json`
 - `*.secret`, `*password*`, `*token*` (in filenames)
+## Ignore-file Awareness
+Before any Glob or Grep, read `{{project_root}}/.gitignore` and
+`{{project_root}}/.aiexclude` if they exist. Treat every non-comment,
+non-negation pattern as an additional excluded path: skip those files and
+directories entirely, do not Read them, and filter them out of any pattern
+search results. `scan.js` already applies these patterns automatically — pass
+`--no-respect-ignore-files` only if you have a deliberate reason. Skip negation
+(`!`) lines.
 ## Exploration
 Gather data using your native file tools (Read, Glob, Grep). The commands below are illustrative — use the equivalent tool from your CLI. Skip files that don't exist; do not fail the task on missing manifests.

package/_Sprintpilot/skills/sprintpilot-codebase-map/workflow.md CHANGED Viewed

@@ -21,6 +21,8 @@ Complementary, not a replacement. `bmad-document-project` generates comprehensiv
 <action>Create output directory `{output_folder}/codebase-analysis` (use your native file-create tool; it will create parent directories as needed). The first `Write` tool call targeting a file inside this directory will auto-create it, so no explicit mkdir is required in practice.</action>
 <action>Determine project root absolute path: `{{project_root}}`</action>
+<action>Note: each agent reads `{{project_root}}/.gitignore` and `{{project_root}}/.aiexclude` (if present) and treats every listed file/directory as off-limits. The `scan.js` helper applies these patterns automatically; agents apply them to their Glob/Grep operations as well. This prevents inclusion of build artifacts, vendored code, secrets, and explicitly AI-excluded paths in the analysis.</action>
 ---
 ## Step 2 — Launch 5 Analysis Agents in Parallel

package/_Sprintpilot/skills/sprintpilot-reverse-architect/agents/component-mapper.md CHANGED Viewed

@@ -6,6 +6,13 @@ You are extracting module boundaries and component contracts from an existing co
 Using the architecture-analysis.md analysis as a starting point, go deeper: trace actual imports, identify public APIs, and map the internal dependency graph.
+## Ignore-file Awareness
+Before any Glob or Grep, read the project's `.gitignore` and `.aiexclude` if
+they exist. Treat every non-comment, non-negation pattern as an additional
+excluded path: skip those files and directories entirely, do not Read them,
+and filter them out of pattern search results. Skip negation (`!`) lines.
 ## Method
 1. For each module/directory identified in architecture-analysis.md:

package/_Sprintpilot/skills/sprintpilot-reverse-architect/agents/data-flow-tracer.md CHANGED Viewed

@@ -6,6 +6,13 @@ You are tracing how data flows through the system — from entry points to stora
 Using architecture-analysis.md and integrations-analysis.md as context, trace the actual request/data paths through the code.
+## Ignore-file Awareness
+Before any Glob or Grep, read the project's `.gitignore` and `.aiexclude` if
+they exist. Treat every non-comment, non-negation pattern as an additional
+excluded path: skip those files and directories entirely, do not Read them,
+and filter them out of pattern search results. Skip negation (`!`) lines.
 ## Method
 1. Start from entry points (routes, CLI handlers, event listeners)

package/_Sprintpilot/skills/sprintpilot-reverse-architect/agents/pattern-extractor.md CHANGED Viewed

@@ -6,6 +6,13 @@ You are identifying design patterns, conventions, and architectural decisions em
 Using architecture-analysis.md and stack-analysis.md as context, identify the actual patterns the codebase follows (not what it claims to follow).
+## Ignore-file Awareness
+Before any Glob or Grep, read the project's `.gitignore` and `.aiexclude` if
+they exist. Treat every non-comment, non-negation pattern as an additional
+excluded path: skip those files and directories entirely, do not Read them,
+and filter them out of pattern search results. Skip negation (`!`) lines.
 ## Method
 1. Look for structural patterns: Factory, Repository, Observer, Middleware, Decorator

package/lib/core/update-check.js CHANGED Viewed

@@ -5,7 +5,17 @@ const PACKAGE_NAME = '@ikunin/sprintpilot';
 function spawnCapture(cmd, args, { timeoutMs = 7000 } = {}) {
   return new Promise((resolve) => {
-    const child = execFile(cmd, args, { timeout: timeoutMs, windowsHide: true }, (err, stdout) => {
+    // On Windows, npm ships as `npm.cmd` (a batch shim). Node's `execFile`
+    // doesn't resolve `.cmd` / `.bat` extensions through PATHEXT — pass
+    // `shell: true` so cmd.exe handles the lookup. Args are hardcoded
+    // here so there's no injection risk. (Linux/macOS execFile is fine
+    // as-is.)
+    const opts = {
+      timeout: timeoutMs,
+      windowsHide: true,
+      shell: process.platform === 'win32',
+    };
+    const child = execFile(cmd, args, opts, (err, stdout) => {
       if (err) return resolve(null);
       resolve(String(stdout || '').trim());
     });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ikunin/sprintpilot",
-  "version": "2.0.9",
+  "version": "2.1.0",
   "description": "Sprintpilot — autopilot and multi-agent addon for BMad Method v6: git workflow, parallel agents, autonomous story execution",
   "license": "Apache-2.0",
   "repository": {